From d87f54fe28d1d79b8c07f978140f90a566d5061b Mon Sep 17 00:00:00 2001 From: nic-chen <33000667+nic-chen@users.noreply.github.com> Date: Mon, 6 Jul 2020 19:04:41 +0800 Subject: [PATCH] sync (#11) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feature: implemented plugin `sys logger`. (#1414) * bugfix(CORS): using rewrite phase and add lru cache for multiple origin (#1531) * change: updated the dashboard submodule to latest version. (#1540) * doc: alter logger plugins documentations. (#1541) * bugfix: Adding function to remove stale objects from kafka logger (#1526) * bugfix: removed stale objects from tcp logger (#1543) * bugfix: removing stale objects from udp logger (#1544) * optimize: use buffer for plugin `syslog`. (#1551) * plugin: add HTTP logger for APISIX (#1396) * bugfix: got 500 error when using post method in grpc-transcode plugin(#1566) * bugfix: removed stale object in sys log. (#1557) * feature(prometheus): support to collect metric `overhead` (#1576) Fix #1534 . * feature: support new field `exptime` for SSL object. (#1575) fix #1571. * doc: Added FAQ about how to reload your own plugin (#1568) * doc: repair the white paper's url of README (#1582) * chore: fix function name typo in ip-restriction (#1586) * doc: added http logger Chinese docs (#1581) * feature: support discovery center (#1440) * doc:add chinese version for install doc (#1590) * bugfix: incorrect variable name `hostCount` (#1585) * doc: update kakfa logger plugin's cn version (#1594) * doc: fix the doc style for *_logger.md (#1605) * bugfix: raise error when none of the configured etcd can be connected (#1608) Close #1561. * test: updated style. (#1606) * release: released 1.3 version. (#1558) * bugfix(CLI): fixed garbled Chinese response in browser. (#1598) fix #1559 * change: updated prometheus to version 1.1 . (#1607) * doc: add asf.yaml. (#1612) * fix some doc style for response-rewrite* and health-check.md (#1611) * makefile: add default check for install command (#1591) * test cases: add doc and test cases for how to redirect http to https. (#1595) * add FAQ about redirect http To https * add test cases for serverless plugin and redirect plugin Co-authored-by: rhubard <18734141014@163.com> * feature: add skywalking plugin. (#1241) * doc: removed external links and docs. (#1619) * doc: add coc file (#1589) * bugfix: change the version of skywalking to 1.0-0 (#1624) * bugfix(prometheus): the `overhead` should use milliseconds. #1615 (#1616) Fix #1615 * feature: add option to include request body in log util (#1545) * bugfix: fix typo of `instance_id` in skywalking plugin. (#1629) * doc: added the link to discovery.md (#1631) * change(ASF): add notifications to mailing list. (#1635) * change(doc): style for HttpResponse section (#1634) * doc(limit-count): fixed document description does not match source code. (#1628) close #1627 * bugfix(batch-requests): support cookie (#1599) * feat(admin api): enhance `PATCH` method, allow to update partial data. (#1609) * test: added test tests for skywalking. (#1621) * doc: add skywalking plugin instructions (#1636) * feature: support http_to_https in redirect plugin. (#1642) * test: add test case for #1625 to test the filed of overhead (#1645) * CLI: compatibility of benchmark script and apisix reload command on OSX (#1650) * feature: support to enable HTTPS for admin API (#1648) * [log] Optimize the buffer size and flush time (#1570) * yousali:Optimize the buffer size and flush time 1. buffer=4096 is better for Writes of more than PIPE_BUF bytes may be nonatomic 2. flush=1. Since the log buffer is lowered, the flush time should also be lowered. * yousali: hi, I also made a test. ``` 4096 Requests/sec: 16079.75 8192 Requests/sec: 16389.52 16384 Requests/sec: 16395.30 32768 Requests/sec: 16459.71 ``` I think a log buffer size of 8192 or 16384 would be appropriate. On the other hand, the refresh time of 3 seconds is still relatively long, and 1 or 3 seconds doesn't particularly affect QPS. So I also agree with `buffer=16384 flush=1; ` * doc: add 'X-API-KEY' parameter for each interface of Admin API. (#1661) * bugfix: wildcard certificates cannot match multi-level subdomains in … (#810) * plugin: add consumer-restriction (#1437) * feat: support resource name for route, service and upstream object. (#1655) * [bugfix(CLI)]: check whether the user has enabled etcd v2 protocol. (#1665) * bugfix(CLI): generate the 'worker_cpu_affinity' config for Linux OS (#1658) Fix #1657 * test case: formatted by `reindex`. (#1651) * change: disable reuseport in development mode, it more easy to manage worker process. (#1175) * test: add test case for route with `filter_func`. (#1683) * doc: rename grpc-transcoding-cn.md to grpc-transcode-cn.md (#1694) * fix bug: Execute command 'make run' multiple times, will start multiple processes (#1692) Fix #1690 * doc(FAQ): added example for gray release. (#1687) * change: set default reject code for some plugins (#1696) plugin list: limit-count limit-conn limit-req * feature: ssl enhance (#1678) support enable or disable ssl by patch method support encrypted storage of the SSL private key in etcd support multi snis Fix #1668 * feature: support body filter plugin `echo`. (#1632) * doc: Update README_CN.md (#1705) * change: use `iterate` to scan items in etcd. (#1717) related issue: #1685 * doc: added doc of key for limit-* plugins. (#1714) * feature: support authorization Plugin for Keycloak Identity Server (#1701) * feat[batch-request]: cp all header to every request (#1697) * doc: updated main picture. (#1719) * doc: update echo-cn.md (#1726) * update `resty-etcd` to version 1.0 . (#1725) * doc: health-check-cn.md (#1723) * doc: add Chinese translation of authz-keycloak plugin (#1729) * doc: Refactoring docs to support docsify (#1724) * change: update `resty-radixtree` to version 1.9 . (#1730) * feature: support the use of independent files to implement the load a… (#1732) * feature: support the use of independent files to implement the load algorithm, which is convenient for expanding different algorithms in the future. * feature(echo): support header filter and access phases. (#1708) * bugfix: id can be string object, which contains `^[a-zA-Z0-9-_]+$`. (#1739) Fix #1654 * test: add test cases about the string id in `service` #1659 (#1750) * update `lua-resty-raditree` to ver 2.0 . (#1748) * refactory: collect `upstream` logic and put them in a single file. (#1734) feature: support dynamic upstream in plugin. here is a mini example in `access` phase of plugin: ```lua local up_conf = { type = "roundrobin", nodes = { {host = conf.upstream.ip, port = conf.upstream.port, weight = 1}, } } local ok, err = upstream.check_schema(up_conf) if not ok then return 500, err end local matched_route = ctx.matched_route upstream.set(ctx, up_conf.type .. "#route_" .. matched_route.value.id, ctx.conf_version, up_conf, matched_route) return ``` * feature: implemented plugin `uri-blocklist` . (#1727) first step: #1617 * doc: update `http-logger` plugins Chinese docs. (#1755) * doc: update admin-api docs (#1753) * doc: add oauth plugins Chinese docs. (#1754) * bugfix: fixed configures of nginx.conf for security reasons (#1759) removed working_directory and removed TLSv1 TLSv1.1 from ssl_protocols * doc: update Chinese README.md (#1758) * test: use longer ttl, avoid the cached item expired. (#1760) * doc: updated k8s doc (#1757) * bugfix: Fix for remote open ID connect introspection (#1743) fix #1741 * test: added test cases. (#1752) * bugfix: added `content-type` for admin API responses (#1746) * feature: support etcd auth (#1769) Fix #1713 , #1770 * plugin(heartbeat): use `info` log level when failed to report heartbeat. (#1771) * optimize: Use lru to avoid resolving IP addresses repeatedly . (#1772) * optimize: Use lru to avoid resolving IP addresses repeatedly . Cached the global rules to `ctx` . * optimzie: used a longer time interval for etcd and flush access log. * optimize: return upstream node directly if the count is 1 . * optimize: avoid to cache useless variable. * doc: update Chinese README.md (#1763) * doc: remove router `r3` . (#1764) * release: released 1.4-0 version (#1742) * bugfix(config etcd): when we reset the fetched data, `sync_times` also needs to be reset. (#1785) * change: remove authentication type for cors plugin (#1788) fix #1787 * rocks: fixed wrong source of 1.4. (#1783) * change: 'get_plugin_list' API sorts the return list base on priority (#1779) * test: format by tool `reindex`. (#1775) * bugfix: missing argument `premature` because it was called by ngx.timer . (#1796) * bugfix: return `404 Not Found` when the dashboard folder is empty. (#1799) close #1794 * doc: add guides for installing dependencies on fedora (#1800) * doc: fixed some punctuation error in the document sample shell (#1803) Co-authored-by: Ayeshmantha Perera Co-authored-by: Vinci Xu <277040271@qq.com> Co-authored-by: Nirojan Selvanathan Co-authored-by: YuanSheng Wang Co-authored-by: Yousa Co-authored-by: hiproz Co-authored-by: 罗泽轩 Co-authored-by: Scaat Feng Co-authored-by: qiujiayu <153163285@qq.com> Co-authored-by: dengliming Co-authored-by: dabue <53054094+dabue@users.noreply.github.com> Co-authored-by: Wen Ming Co-authored-by: xxm404 <46340314+xxm404@users.noreply.github.com> Co-authored-by: rhubard <18734141014@163.com> Co-authored-by: Gerrard-YNWA Co-authored-by: 月夜枫 Co-authored-by: 仇柯人 Co-authored-by: stone4774 <25053818+stone4774@users.noreply.github.com> Co-authored-by: 琚致远 Co-authored-by: Kev.Hu Co-authored-by: QuakeWang <45645138+QuakeWang@users.noreply.github.com> Co-authored-by: agile6v Co-authored-by: Corey.Wang Co-authored-by: hellmage Co-authored-by: Eric Shi Co-authored-by: Shenal Silva Co-authored-by: jackstraw <932698529@qq.com> Co-authored-by: morrme Co-authored-by: ko han Co-authored-by: Joey Co-authored-by: YuanYingdong <1975643103@qq.com> --- .asf.yaml | 48 + .travis.yml | 2 +- .travis/apisix_cli_test.sh | 77 ++ .../linux_apisix_current_luarocks_runner.sh | 5 + .../linux_apisix_master_luarocks_runner.sh | 9 +- .travis/linux_openresty_runner.sh | 13 +- .travis/linux_tengine_runner.sh | 13 +- .travis/osx_openresty_runner.sh | 2 +- CHANGELOG.md | 33 + CHANGELOG_CN.md | 32 + CODE_OF_CONDUCT.md | 127 +++ CODE_STYLE.md | 393 -------- FAQ.md | 108 ++- FAQ_CN.md | 107 ++- Makefile | 15 +- README.md | 17 +- README_CN.md | 75 +- apisix/admin/global_rules.lua | 37 +- apisix/admin/plugins.lua | 22 +- apisix/admin/routes.lua | 50 +- apisix/admin/services.lua | 39 +- apisix/admin/ssl.lua | 125 ++- apisix/admin/stream_routes.lua | 10 +- apisix/admin/upstreams.lua | 39 +- apisix/balancer.lua | 250 ++--- apisix/balancer/chash.lua | 80 ++ apisix/balancer/roundrobin.lua | 34 + apisix/core/config_etcd.lua | 1 + apisix/core/config_yaml.lua | 5 +- apisix/core/table.lua | 22 +- apisix/core/version.lua | 2 +- apisix/discovery/eureka.lua | 253 +++++ apisix/discovery/init.lua | 33 + apisix/http/router/radixtree_sni.lua | 78 +- apisix/http/service.lua | 36 +- apisix/init.lua | 198 ++-- apisix/plugin.lua | 3 +- apisix/plugins/authz-keycloak.lua | 165 ++++ apisix/plugins/batch-requests.lua | 57 +- apisix/plugins/consumer-restriction.lua | 94 ++ apisix/plugins/cors.lua | 98 +- apisix/plugins/echo.lua | 119 +++ apisix/plugins/example-plugin.lua | 26 +- apisix/plugins/grpc-transcode/util.lua | 2 +- apisix/plugins/heartbeat.lua | 2 +- apisix/plugins/http-logger.lua | 176 ++++ apisix/plugins/ip-restriction.lua | 6 +- apisix/plugins/kafka-logger.lua | 29 +- apisix/plugins/limit-conn.lua | 4 +- apisix/plugins/limit-count.lua | 5 +- apisix/plugins/limit-req.lua | 4 +- apisix/plugins/openid-connect.lua | 5 +- apisix/plugins/prometheus/exporter.lua | 57 +- apisix/plugins/redirect.lua | 37 +- apisix/plugins/skywalking.lua | 80 ++ apisix/plugins/skywalking/client.lua | 232 +++++ apisix/plugins/skywalking/tracer.lua | 101 ++ apisix/plugins/syslog.lua | 189 ++++ apisix/plugins/tcp-logger.lua | 28 +- apisix/plugins/udp-logger.lua | 28 +- apisix/plugins/uri-blocker.lua | 86 ++ apisix/plugins/zipkin.lua | 2 +- apisix/router.lua | 48 +- apisix/schema_def.lua | 74 +- apisix/stream/plugins/mqtt-proxy.lua | 35 +- apisix/upstream.lua | 154 +++ apisix/utils/log-util.lua | 18 +- benchmark/fake-apisix/conf/nginx.conf | 10 +- benchmark/fake-apisix/lua/apisix.lua | 8 +- benchmark/run.sh | 7 +- bin/apisix | 58 +- conf/cert/apisix_admin_ssl.crt | 33 + conf/cert/apisix_admin_ssl.key | 51 + conf/cert/openssl-test2.conf | 40 + conf/cert/test2.crt | 28 + conf/cert/test2.key | 39 + conf/config.yaml | 33 +- dashboard | 2 +- doc/README.md | 21 +- doc/README_CN.md | 68 -- doc/_navbar.md | 22 + doc/_sidebar.md | 103 ++ doc/admin-api.md | 44 +- doc/architecture-design.md | 43 +- doc/benchmark.md | 12 +- doc/discovery.md | 244 +++++ doc/getting-started.md | 2 +- doc/grpc-proxy.md | 2 +- doc/health-check.md | 37 +- doc/how-to-build.md | 14 +- doc/https.md | 2 +- doc/images/apache.png | Bin 0 -> 8491 bytes doc/images/apisix.png | Bin 202492 -> 277679 bytes doc/images/discovery-cn.png | Bin 0 -> 42581 bytes doc/images/discovery.png | Bin 0 -> 46310 bytes doc/images/plugin/authz-keycloak.png | Bin 0 -> 51957 bytes doc/images/plugin/skywalking-1.png | Bin 0 -> 22230 bytes doc/images/plugin/skywalking-2.png | Bin 0 -> 30629 bytes doc/images/plugin/skywalking-3.png | Bin 0 -> 62575 bytes doc/images/plugin/skywalking-4.png | Bin 0 -> 30340 bytes doc/images/plugin/skywalking-5.png | Bin 0 -> 49605 bytes doc/index.html | 52 ++ doc/install-dependencies.md | 16 + doc/plugin-develop.md | 8 +- doc/plugins.md | 2 +- doc/plugins/authz-keycloak.md | 135 +++ doc/plugins/basic-auth.md | 2 +- doc/plugins/batch-requests.md | 10 +- doc/plugins/consumer-restriction.md | 134 +++ doc/plugins/cors.md | 2 +- doc/plugins/echo.md | 95 ++ doc/plugins/fault-injection.md | 2 +- ...{grpc-transcoding.md => grpc-transcode.md} | 2 +- doc/plugins/http-logger.md | 100 ++ doc/plugins/ip-restriction.md | 4 +- doc/plugins/jwt-auth.md | 2 +- doc/plugins/kafka-logger-cn.md | 129 --- doc/plugins/kafka-logger.md | 27 +- doc/plugins/key-auth.md | 2 +- doc/plugins/limit-conn.md | 8 +- doc/plugins/limit-count.md | 7 +- doc/plugins/limit-req.md | 6 +- doc/plugins/mqtt-proxy.md | 2 +- doc/plugins/prometheus.md | 2 +- doc/plugins/proxy-cache.md | 6 +- doc/plugins/proxy-mirror.md | 6 +- doc/plugins/proxy-rewrite.md | 2 +- doc/plugins/redirect.md | 20 +- doc/plugins/response-rewrite.md | 14 +- doc/plugins/serverless.md | 2 +- doc/plugins/skywalking.md | 187 ++++ doc/plugins/syslog.md | 105 +++ doc/plugins/tcp-logger.md | 10 +- doc/plugins/udp-logger.md | 9 +- doc/plugins/uri-blocker.md | 96 ++ doc/plugins/wolf-rbac.md | 2 +- doc/plugins/zipkin.md | 4 +- doc/stand-alone.md | 2 +- doc/stream-proxy.md | 2 +- doc/zh-cn/README.md | 83 ++ doc/zh-cn/_sidebar.md | 103 ++ doc/{admin-api-cn.md => zh-cn/admin-api.md} | 60 +- .../architecture-design.md} | 60 +- doc/zh-cn/batch-processor.md | 69 ++ doc/{benchmark-cn.md => zh-cn/benchmark.md} | 4 +- doc/zh-cn/discovery.md | 253 +++++ .../getting-started.md} | 8 +- doc/{grpc-proxy-cn.md => zh-cn/grpc-proxy.md} | 4 +- doc/zh-cn/health-check.md | 103 ++ .../how-to-build.md} | 14 +- doc/{https-cn.md => zh-cn/https.md} | 2 +- doc/zh-cn/install-dependencies.md | 153 +++ .../plugin-develop.md} | 8 +- doc/{plugins-cn.md => zh-cn/plugins.md} | 2 +- doc/zh-cn/plugins/authz-keycloak-cn.md | 124 +++ .../plugins/basic-auth.md} | 6 +- .../plugins/batch-requests.md} | 8 +- doc/zh-cn/plugins/consumer-restriction.md | 128 +++ .../cors-cn.md => zh-cn/plugins/cors.md} | 2 +- doc/zh-cn/plugins/echo.md | 92 ++ .../plugins/fault-injection.md} | 2 +- .../plugins/grpc-transcode.md} | 4 +- doc/zh-cn/plugins/http-logger.md | 97 ++ .../plugins/ip-restriction.md} | 4 +- .../plugins/jwt-auth.md} | 6 +- doc/zh-cn/plugins/kafka-logger.md | 127 +++ .../plugins/key-auth.md} | 6 +- .../plugins/limit-conn.md} | 15 +- .../plugins/limit-count.md} | 11 +- .../plugins/limit-req.md} | 18 +- .../plugins/mqtt-proxy.md} | 2 +- doc/zh-cn/plugins/oauth.md | 129 +++ .../plugins/prometheus.md} | 16 +- .../plugins/proxy-cache.md} | 6 +- .../plugins/proxy-mirror.md} | 6 +- .../plugins/proxy-rewrite.md} | 2 +- .../plugins/redirect.md} | 22 +- .../plugins/response-rewrite.md} | 20 +- .../plugins/serverless.md} | 2 +- doc/zh-cn/plugins/skywalking.md | 192 ++++ doc/zh-cn/plugins/syslog.md | 105 +++ .../plugins/tcp-logger.md} | 11 +- .../plugins/udp-logger.md} | 11 +- .../plugins/wolf-rbac.md} | 6 +- .../zipkin-cn.md => zh-cn/plugins/zipkin.md} | 12 +- doc/{profile-cn.md => zh-cn/profile.md} | 0 .../stand-alone.md} | 2 +- .../stream-proxy.md} | 4 +- kubernetes/README.md | 6 + kubernetes/apisix-gw-config-cm.yaml | 1 + rockspec/apisix-1.3-0.rockspec | 72 ++ rockspec/apisix-1.4-0.rockspec | 74 ++ rockspec/apisix-master-0.rockspec | 8 +- t/APISIX.pm | 17 +- t/admin/balancer.t | 161 ++-- t/admin/global-rules.t | 61 +- t/admin/plugins.t | 4 +- t/admin/routes-array-nodes.t | 125 +++ t/admin/routes.t | 184 +++- t/admin/schema.t | 20 +- t/admin/services-array-nodes.t | 115 +++ t/admin/services-string-id.t | 884 ++++++++++++++++++ t/admin/services.t | 100 +- t/admin/ssl.t | 174 +++- t/admin/stream-routes.t | 86 ++ t/admin/upstream-array-nodes.t | 409 ++++++++ t/admin/upstream.t | 161 +++- t/apisix.luacov | 1 + t/core/etcd-auth-fail.t | 56 ++ t/core/etcd-auth.t | 59 ++ t/core/lrucache.t | 2 +- t/debug/debug-mode.t | 8 +- t/discovery/eureka.t | 131 +++ t/lib/server.lua | 24 +- t/lib/test_admin.lua | 44 +- t/node/filter_func.t | 81 ++ t/node/not-exist-upstream.t | 2 +- t/node/upstream-array-nodes.t | 215 +++++ t/node/vars.t | 8 +- t/plugin/authz-keycloak.t | 353 +++++++ t/plugin/batch-requests.t | 106 ++- t/plugin/consumer-restriction.t | 542 +++++++++++ t/plugin/cors.t | 65 ++ t/plugin/echo.t | 469 ++++++++++ t/plugin/grpc-transcode.t | 50 +- t/plugin/http-logger.t | 597 ++++++++++++ t/plugin/limit-conn.t | 61 ++ t/plugin/limit-count.t | 52 ++ t/plugin/limit-req.t | 53 ++ t/plugin/prometheus.t | 139 +++ t/plugin/redirect.t | 349 ++++++- t/plugin/serverless.t | 59 ++ t/plugin/skywalking.t | 328 +++++++ t/plugin/syslog.t | 267 ++++++ t/plugin/uri-blocker.t | 332 +++++++ t/router/radixtree-sni.t | 509 +++++++++- t/stream-plugin/mqtt-proxy.t | 3 - 237 files changed, 14521 insertions(+), 1723 deletions(-) create mode 100644 .asf.yaml create mode 100644 CODE_OF_CONDUCT.md delete mode 100644 CODE_STYLE.md create mode 100644 apisix/balancer/chash.lua create mode 100644 apisix/balancer/roundrobin.lua create mode 100644 apisix/discovery/eureka.lua create mode 100644 apisix/discovery/init.lua create mode 100644 apisix/plugins/authz-keycloak.lua create mode 100644 apisix/plugins/consumer-restriction.lua create mode 100644 apisix/plugins/echo.lua create mode 100644 apisix/plugins/http-logger.lua create mode 100644 apisix/plugins/skywalking.lua create mode 100644 apisix/plugins/skywalking/client.lua create mode 100644 apisix/plugins/skywalking/tracer.lua create mode 100644 apisix/plugins/syslog.lua create mode 100644 apisix/plugins/uri-blocker.lua create mode 100644 apisix/upstream.lua create mode 100644 conf/cert/apisix_admin_ssl.crt create mode 100644 conf/cert/apisix_admin_ssl.key create mode 100644 conf/cert/openssl-test2.conf create mode 100644 conf/cert/test2.crt create mode 100644 conf/cert/test2.key delete mode 100644 doc/README_CN.md create mode 100644 doc/_navbar.md create mode 100644 doc/_sidebar.md create mode 100644 doc/discovery.md create mode 100644 doc/images/apache.png create mode 100644 doc/images/discovery-cn.png create mode 100644 doc/images/discovery.png create mode 100644 doc/images/plugin/authz-keycloak.png create mode 100644 doc/images/plugin/skywalking-1.png create mode 100644 doc/images/plugin/skywalking-2.png create mode 100644 doc/images/plugin/skywalking-3.png create mode 100644 doc/images/plugin/skywalking-4.png create mode 100644 doc/images/plugin/skywalking-5.png create mode 100644 doc/index.html create mode 100644 doc/plugins/authz-keycloak.md create mode 100644 doc/plugins/consumer-restriction.md create mode 100644 doc/plugins/echo.md rename doc/plugins/{grpc-transcoding.md => grpc-transcode.md} (98%) create mode 100644 doc/plugins/http-logger.md delete mode 100644 doc/plugins/kafka-logger-cn.md create mode 100644 doc/plugins/skywalking.md create mode 100644 doc/plugins/syslog.md create mode 100644 doc/plugins/uri-blocker.md create mode 100644 doc/zh-cn/README.md create mode 100644 doc/zh-cn/_sidebar.md rename doc/{admin-api-cn.md => zh-cn/admin-api.md} (86%) rename doc/{architecture-design-cn.md => zh-cn/architecture-design.md} (89%) create mode 100644 doc/zh-cn/batch-processor.md rename doc/{benchmark-cn.md => zh-cn/benchmark.md} (96%) create mode 100644 doc/zh-cn/discovery.md rename doc/{getting-started-cn.md => zh-cn/getting-started.md} (97%) rename doc/{grpc-proxy-cn.md => zh-cn/grpc-proxy.md} (96%) create mode 100644 doc/zh-cn/health-check.md rename doc/{how-to-build-cn.md => zh-cn/how-to-build.md} (93%) rename doc/{https-cn.md => zh-cn/https.md} (99%) create mode 100644 doc/zh-cn/install-dependencies.md rename doc/{plugin-develop-cn.md => zh-cn/plugin-develop.md} (95%) rename doc/{plugins-cn.md => zh-cn/plugins.md} (97%) create mode 100644 doc/zh-cn/plugins/authz-keycloak-cn.md rename doc/{plugins/basic-auth-cn.md => zh-cn/plugins/basic-auth.md} (96%) rename doc/{plugins/batch-requests-cn.md => zh-cn/plugins/batch-requests.md} (94%) create mode 100644 doc/zh-cn/plugins/consumer-restriction.md rename doc/{plugins/cors-cn.md => zh-cn/plugins/cors.md} (99%) create mode 100644 doc/zh-cn/plugins/echo.md rename doc/{plugins/fault-injection-cn.md => zh-cn/plugins/fault-injection.md} (98%) rename doc/{plugins/grpc-transcoding-cn.md => zh-cn/plugins/grpc-transcode.md} (98%) create mode 100644 doc/zh-cn/plugins/http-logger.md rename doc/{plugins/ip-restriction-cn.md => zh-cn/plugins/ip-restriction.md} (94%) rename doc/{plugins/jwt-auth-cn.md => zh-cn/plugins/jwt-auth.md} (97%) create mode 100644 doc/zh-cn/plugins/kafka-logger.md rename doc/{plugins/key-auth-cn.md => zh-cn/plugins/key-auth.md} (96%) rename doc/{plugins/limit-conn-cn.md => zh-cn/plugins/limit-conn.md} (84%) rename doc/{plugins/limit-count-cn.md => zh-cn/plugins/limit-count.md} (94%) rename doc/{plugins/limit-req-cn.md => zh-cn/plugins/limit-req.md} (75%) rename doc/{plugins/mqtt-proxy-cn.md => zh-cn/plugins/mqtt-proxy.md} (98%) create mode 100644 doc/zh-cn/plugins/oauth.md rename doc/{plugins/prometheus-cn.md => zh-cn/plugins/prometheus.md} (93%) rename doc/{plugins/proxy-cache-cn.md => zh-cn/plugins/proxy-cache.md} (94%) rename doc/{plugins/proxy-mirror-cn.md => zh-cn/plugins/proxy-mirror.md} (89%) rename doc/{plugins/proxy-rewrite-cn.md => zh-cn/plugins/proxy-rewrite.md} (98%) rename doc/{plugins/redirect-cn.md => zh-cn/plugins/redirect.md} (74%) rename doc/{plugins/response-rewrite-cn.md => zh-cn/plugins/response-rewrite.md} (91%) rename doc/{plugins/serverless-cn.md => zh-cn/plugins/serverless.md} (98%) create mode 100644 doc/zh-cn/plugins/skywalking.md create mode 100644 doc/zh-cn/plugins/syslog.md rename doc/{plugins/tcp-logger-cn.md => zh-cn/plugins/tcp-logger.md} (84%) rename doc/{plugins/udp-logger-cn.md => zh-cn/plugins/udp-logger.md} (84%) rename doc/{plugins/wolf-rbac-cn.md => zh-cn/plugins/wolf-rbac.md} (98%) rename doc/{plugins/zipkin-cn.md => zh-cn/plugins/zipkin.md} (93%) rename doc/{profile-cn.md => zh-cn/profile.md} (100%) rename doc/{stand-alone-cn.md => zh-cn/stand-alone.md} (99%) rename doc/{stream-proxy-cn.md => zh-cn/stream-proxy.md} (96%) create mode 100644 rockspec/apisix-1.3-0.rockspec create mode 100644 rockspec/apisix-1.4-0.rockspec create mode 100644 t/admin/routes-array-nodes.t create mode 100644 t/admin/services-array-nodes.t create mode 100644 t/admin/services-string-id.t create mode 100644 t/admin/upstream-array-nodes.t create mode 100644 t/core/etcd-auth-fail.t create mode 100644 t/core/etcd-auth.t create mode 100644 t/discovery/eureka.t create mode 100644 t/node/filter_func.t create mode 100644 t/node/upstream-array-nodes.t create mode 100644 t/plugin/authz-keycloak.t create mode 100644 t/plugin/consumer-restriction.t create mode 100644 t/plugin/echo.t create mode 100644 t/plugin/http-logger.t create mode 100644 t/plugin/skywalking.t create mode 100644 t/plugin/syslog.t create mode 100644 t/plugin/uri-blocker.t diff --git a/.asf.yaml b/.asf.yaml new file mode 100644 index 0000000000000..ad1e99e2a4d56 --- /dev/null +++ b/.asf.yaml @@ -0,0 +1,48 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +github: + description: The Cloud-Native API Gateway + homepage: https://apisix.apache.org/ + labels: + - api-gateway + - cloud-native + - nginx + - lua + - luajit + - apigateway + - microservices + - api + - loadbalancing + - reverse-proxy + - api-management + - apisix + - serverless + - iot + - devops + - kubernetes + - docker + + enabled_merge_buttons: + squash: true + merge: false + rebase: false + + notifications: + commits: notifications@apisix.apache.org + issues: notifications@apisix.apache.org + pullrequests: notifications@apisix.apache.org diff --git a/.travis.yml b/.travis.yml index d33d27cc2bce7..ddc6b898c1b0a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,4 @@ -dist: xenial +dist: bionic sudo: required matrix: diff --git a/.travis/apisix_cli_test.sh b/.travis/apisix_cli_test.sh index d67c7f837b7d2..ca31995c73f25 100755 --- a/.travis/apisix_cli_test.sh +++ b/.travis/apisix_cli_test.sh @@ -23,6 +23,8 @@ set -ex +git checkout conf/config.yaml + # check whether the 'reuseport' is in nginx.conf . make init @@ -72,3 +74,78 @@ done sed -i '/dns_resolver:/,+4s/^#//' conf/config.yaml echo "passed: system nameserver imported" + +# enable enable_dev_mode +sed -i 's/enable_dev_mode: false/enable_dev_mode: true/g' conf/config.yaml + +make init + +count=`grep -c "worker_processes 1;" conf/nginx.conf` +if [ $count -ne 1 ]; then + echo "failed: worker_processes is not 1 when enable enable_dev_mode" + exit 1 +fi + +count=`grep -c "listen 9080.*reuseport" conf/nginx.conf || true` +if [ $count -ne 0 ]; then + echo "failed: reuseport should be disabled when enable enable_dev_mode" + exit 1 +fi + +git checkout conf/config.yaml + +# check whether the 'worker_cpu_affinity' is in nginx.conf . + +make init + +grep -E "worker_cpu_affinity" conf/nginx.conf > /dev/null +if [ ! $? -eq 0 ]; then + echo "failed: nginx.conf file is missing worker_cpu_affinity configuration" + exit 1 +fi + +echo "passed: nginx.conf file contains worker_cpu_affinity configuration" + +# check admin https enabled + +sed -i 's/\# port_admin: 9180/port_admin: 9180/' conf/config.yaml +sed -i 's/\# https_admin: true/https_admin: true/' conf/config.yaml + +make init + +grep "listen 9180 ssl" conf/nginx.conf > /dev/null +if [ ! $? -eq 0 ]; then + echo "failed: failed to enabled https for admin" + exit 1 +fi + +make run + +code=$(curl -k -i -m 20 -o /dev/null -s -w %{http_code} https://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1') +if [ ! $code -eq 200 ]; then + echo "failed: failed to enabled https for admin" + exit 1 +fi + +echo "passed: admin https enabled" + +# rollback to the default + +make stop + +sed -i 's/port_admin: 9180/\# port_admin: 9180/' conf/config.yaml +sed -i 's/https_admin: true/\# https_admin: true/' conf/config.yaml + +make init + +set +ex + +grep "listen 9180 ssl" conf/nginx.conf > /dev/null +if [ ! $? -eq 1 ]; then + echo "failed: failed to rollback to the default admin config" + exit 1 +fi + +set -ex + +echo "passed: rollback to the default admin config" diff --git a/.travis/linux_apisix_current_luarocks_runner.sh b/.travis/linux_apisix_current_luarocks_runner.sh index b67e115fa7f53..0264fc5ba826d 100755 --- a/.travis/linux_apisix_current_luarocks_runner.sh +++ b/.travis/linux_apisix_current_luarocks_runner.sh @@ -47,6 +47,11 @@ script() { export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH openresty -V sudo service etcd start + sudo service etcd stop + mkdir -p ~/etcd-data + /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 & + etcd --version + sleep 5 sudo rm -rf /usr/local/apisix diff --git a/.travis/linux_apisix_master_luarocks_runner.sh b/.travis/linux_apisix_master_luarocks_runner.sh index 2c76087fa20b8..7705c97559eae 100755 --- a/.travis/linux_apisix_master_luarocks_runner.sh +++ b/.travis/linux_apisix_master_luarocks_runner.sh @@ -20,6 +20,7 @@ set -ex export_or_prefix() { export OPENRESTY_PREFIX="/usr/local/openresty-debug" + export APISIX_MAIN="https://raw.githubusercontent.com/apache/incubator-apisix/master/rockspec/apisix-master-0.rockspec" } do_install() { @@ -46,7 +47,11 @@ script() { export_or_prefix export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH openresty -V - sudo service etcd start + sudo service etcd stop + mkdir -p ~/etcd-data + /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 & + etcd --version + sleep 5 sudo rm -rf /usr/local/apisix @@ -62,7 +67,7 @@ script() { sudo PATH=$PATH ./utils/install-apisix.sh remove > build.log 2>&1 || (cat build.log && exit 1) # install APISIX by luarocks - sudo luarocks install rockspec/apisix-master-0.rockspec > build.log 2>&1 || (cat build.log && exit 1) + sudo luarocks install $APISIX_MAIN > build.log 2>&1 || (cat build.log && exit 1) # show install files luarocks show apisix diff --git a/.travis/linux_openresty_runner.sh b/.travis/linux_openresty_runner.sh index 384d10ec4a824..86505cfce3c62 100755 --- a/.travis/linux_openresty_runner.sh +++ b/.travis/linux_openresty_runner.sh @@ -37,12 +37,17 @@ before_install() { sudo cpanm --notest Test::Nginx >build.log 2>&1 || (cat build.log && exit 1) docker pull redis:3.0-alpine docker run --rm -itd -p 6379:6379 --name apisix_redis redis:3.0-alpine + docker run --rm -itd -e HTTP_PORT=8888 -e HTTPS_PORT=9999 -p 8888:8888 -p 9999:9999 mendhak/http-https-echo + # Runs Keycloak version 10.0.2 with inbuilt policies for unit tests + docker run --rm -itd -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 sshniro/keycloak-apisix # spin up kafka cluster for tests (1 zookeper and 1 kafka instance) docker pull bitnami/zookeeper:3.6.0 docker pull bitnami/kafka:latest docker network create kafka-net --driver bridge docker run --name zookeeper-server -d -p 2181:2181 --network kafka-net -e ALLOW_ANONYMOUS_LOGIN=yes bitnami/zookeeper:3.6.0 docker run --name kafka-server1 -d --network kafka-net -e ALLOW_PLAINTEXT_LISTENER=yes -e KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper-server:2181 -e KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092 -p 9092:9092 -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true bitnami/kafka:latest + docker pull bitinit/eureka + docker run --name eureka -d -p 8761:8761 --env ENVIRONMENT=apisix --env spring.application.name=apisix-eureka --env server.port=8761 --env eureka.instance.ip-address=127.0.0.1 --env eureka.client.registerWithEureka=true --env eureka.client.fetchRegistry=false --env eureka.client.serviceUrl.defaultZone=http://127.0.0.1:8761/eureka/ bitinit/eureka sleep 5 docker exec -it kafka-server1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server:2181 --replication-factor 1 --partitions 1 --topic test2 } @@ -123,7 +128,11 @@ script() { export_or_prefix export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH openresty -V - sudo service etcd start + sudo service etcd stop + mkdir -p ~/etcd-data + /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 & + etcd --version + sleep 5 ./build-cache/grpc_server_example & @@ -142,7 +151,7 @@ script() { sleep 1 make lint && make license-check || exit 1 - APISIX_ENABLE_LUACOV=1 prove -Itest-nginx/lib -r t + APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t } after_success() { diff --git a/.travis/linux_tengine_runner.sh b/.travis/linux_tengine_runner.sh index 45a9ec448e298..fb9b6fd657242 100755 --- a/.travis/linux_tengine_runner.sh +++ b/.travis/linux_tengine_runner.sh @@ -38,12 +38,17 @@ before_install() { sudo cpanm --notest Test::Nginx >build.log 2>&1 || (cat build.log && exit 1) docker pull redis:3.0-alpine docker run --rm -itd -p 6379:6379 --name apisix_redis redis:3.0-alpine + docker run --rm -itd -e HTTP_PORT=8888 -e HTTPS_PORT=9999 -p 8888:8888 -p 9999:9999 mendhak/http-https-echo + # Runs Keycloak version 10.0.2 with inbuilt policies for unit tests + docker run --rm -itd -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 sshniro/keycloak-apisix # spin up kafka cluster for tests (1 zookeper and 1 kafka instance) docker pull bitnami/zookeeper:3.6.0 docker pull bitnami/kafka:latest docker network create kafka-net --driver bridge docker run --name zookeeper-server -d -p 2181:2181 --network kafka-net -e ALLOW_ANONYMOUS_LOGIN=yes bitnami/zookeeper:3.6.0 docker run --name kafka-server1 -d --network kafka-net -e ALLOW_PLAINTEXT_LISTENER=yes -e KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper-server:2181 -e KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092 -p 9092:9092 -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true bitnami/kafka:latest + docker pull bitinit/eureka + docker run --name eureka -d -p 8761:8761 --env ENVIRONMENT=apisix --env spring.application.name=apisix-eureka --env server.port=8761 --env eureka.instance.ip-address=127.0.0.1 --env eureka.client.registerWithEureka=true --env eureka.client.fetchRegistry=false --env eureka.client.serviceUrl.defaultZone=http://127.0.0.1:8761/eureka/ bitinit/eureka sleep 5 docker exec -it kafka-server1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server:2181 --replication-factor 1 --partitions 1 --topic test2 } @@ -266,7 +271,11 @@ script() { export_or_prefix export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH openresty -V - sudo service etcd start + sudo service etcd stop + mkdir -p ~/etcd-data + /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 & + etcd --version + sleep 5 ./build-cache/grpc_server_example & @@ -279,7 +288,7 @@ script() { ./bin/apisix stop sleep 1 make lint && make license-check || exit 1 - APISIX_ENABLE_LUACOV=1 prove -Itest-nginx/lib -r t + APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t } after_success() { diff --git a/.travis/osx_openresty_runner.sh b/.travis/osx_openresty_runner.sh index 1cfce27285859..0f60eb987b406 100755 --- a/.travis/osx_openresty_runner.sh +++ b/.travis/osx_openresty_runner.sh @@ -43,7 +43,7 @@ do_install() { git clone https://github.com/iresty/test-nginx.git test-nginx wget -P utils https://raw.githubusercontent.com/openresty/openresty-devel-utils/master/lj-releng - chmod a+x utils/lj-releng + chmod a+x utils/lj-releng wget https://github.com/iresty/grpc_server_example/releases/download/20200314/grpc_server_example-darwin-amd64.tar.gz tar -xvf grpc_server_example-darwin-amd64.tar.gz diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e5494df6f292..8770248b0d354 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,8 @@ # Table of Contents +- [1.4.0](#140) +- [1.3.0](#130) - [1.2.0](#120) - [1.1.0](#110) - [1.0.0](#100) @@ -27,6 +29,37 @@ - [0.7.0](#070) - [0.6.0](#060) +## 1.4.0 + +### Core +- Admin API: Support unique names for routes [1655](https://github.com/apache/incubator-apisix/pull/1655) +- Optimization of log buffer size and flush time [1570](https://github.com/apache/incubator-apisix/pull/1570) + +### New plugins +- :sunrise: **Apache Skywalking plugin** [1241](https://github.com/apache/incubator-apisix/pull/1241) +- :sunrise: **Keycloak Identity Server Plugin** [1701](https://github.com/apache/incubator-apisix/pull/1701) +- :sunrise: **Echo Plugin** [1632](https://github.com/apache/incubator-apisix/pull/1632) +- :sunrise: **Consume Restriction Plugin** [1437](https://github.com/apache/incubator-apisix/pull/1437) + +### Improvements +- Batch Request : Copy all headers to every request [1697](https://github.com/apache/incubator-apisix/pull/1697) +- SSL private key encryption [1678](https://github.com/apache/incubator-apisix/pull/1678) +- Improvement of docs for multiple plugins + + +## 1.3.0 + +The 1.3 version is mainly for security update. + +### Security +- reject invalid header[#1462](https://github.com/apache/incubator-apisix/pull/1462) and uri safe encode[#1461](https://github.com/apache/incubator-apisix/pull/1461) +- only allow 127.0.0.1 access admin API and dashboard by default. [#1458](https://github.com/apache/incubator-apisix/pull/1458) + +### Plugin +- :sunrise: **add batch request plugin**. [#1388](https://github.com/apache/incubator-apisix/pull/1388) +- implemented plugin `sys logger`. [#1414](https://github.com/apache/incubator-apisix/pull/1414) + + ## 1.2.0 The 1.2 version brings many new features, including core and plugins. diff --git a/CHANGELOG_CN.md b/CHANGELOG_CN.md index 8e19e84721ea4..d64e260295b84 100644 --- a/CHANGELOG_CN.md +++ b/CHANGELOG_CN.md @@ -19,6 +19,8 @@ # Table of Contents +- [1.4.0](#140) +- [1.3.0](#130) - [1.2.0](#120) - [1.1.0](#110) - [1.0.0](#100) @@ -27,6 +29,36 @@ - [0.7.0](#070) - [0.6.0](#060) +## 1.4.0 + +### Core +- Admin API: 路由支持唯一 name 字段 [1655](https://github.com/apache/incubator-apisix/pull/1655) +- 优化 log 缓冲区大小和刷新时间 [1570](https://github.com/apache/incubator-apisix/pull/1570) + +### New plugins +- :sunrise: **Apache Skywalking plugin** [1241](https://github.com/apache/incubator-apisix/pull/1241) +- :sunrise: **Keycloak Identity Server Plugin** [1701](https://github.com/apache/incubator-apisix/pull/1701) +- :sunrise: **Echo Plugin** [1632](https://github.com/apache/incubator-apisix/pull/1632) +- :sunrise: **Consume Restriction Plugin** [1437](https://github.com/apache/incubator-apisix/pull/1437) + +### Improvements +- Batch Request : 对每个请求拷贝头 [1697](https://github.com/apache/incubator-apisix/pull/1697) +- SSL 私钥加密 [1678](https://github.com/apache/incubator-apisix/pull/1678) +- 众多插件文档改善 + +## 1.3.0 + +1.3 版本主要带来安全更新。 + +## Security +- 拒绝无效的 header [#1462](https://github.com/apache/incubator-apisix/pull/1462) 并对 uri 进行安全编码 [#1461](https://github.com/apache/incubator-apisix/pull/1461) +- 默认只允许本地环回地址 127.0.0.1 访问 admin API 和 dashboard. [#1458](https://github.com/apache/incubator-apisix/pull/1458) + +### Plugin +- :sunrise: **新增 batch request 插件**. [#1388](https://github.com/apache/incubator-apisix/pull/1388) +- 实现完成 `sys logger` 插件. [#1414](https://github.com/apache/incubator-apisix/pull/1414) + + ## 1.2.0 1.2 版本在内核以及插件上带来了非常多的更新。 diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000000..732f5ae2eb464 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,127 @@ + + +*The following is copied for your convenience from . If there's a discrepancy between the two, let us know or submit a PR to fix it.* + +# Code of Conduct # + +## Introduction ## + +This code of conduct applies to all spaces managed by the Apache +Software Foundation, including IRC, all public and private mailing +lists, issue trackers, wikis, blogs, Twitter, and any other +communication channel used by our communities. A code of conduct which +is specific to in-person events (ie., conferences) is codified in the +published ASF anti-harassment policy. + +We expect this code of conduct to be honored by everyone who +participates in the Apache community formally or informally, or claims +any affiliation with the Foundation, in any Foundation-related +activities and especially when representing the ASF, in any role. + +This code __is not exhaustive or complete__. It serves to distill our +common understanding of a collaborative, shared environment and goals. +We expect it to be followed in spirit as much as in the letter, so that +it can enrich all of us and the technical communities in which we participate. + +## Specific Guidelines ## + +We strive to: + + +1. __Be open.__ We invite anyone to participate in our community. We preferably use public methods of communication for project-related messages, unless discussing something sensitive. This applies to messages for help or project-related support, too; not only is a public support request much more likely to result in an answer to a question, it also makes sure that any inadvertent mistakes made by people answering will be more easily detected and corrected. + +2. __Be `empathetic`, welcoming, friendly, and patient.__ We work together to resolve conflict, assume good intentions, and do our best to act in an empathetic fashion. We may all experience some frustration from time to time, but we do not allow frustration to turn into a personal attack. A community where people feel uncomfortable or threatened is not a productive one. We should be respectful when dealing with other community members as well as with people outside our community. + +3. __Be collaborative.__ Our work will be used by other people, and in turn we will depend on the work of others. When we make something for the benefit of the project, we are willing to explain to others how it works, so that they can build on the work to make it even better. Any decision we make will affect users and colleagues, and we take those consequences seriously when making decisions. + +4. __Be inquisitive.__ Nobody knows everything! Asking questions early avoids many problems later, so questions are encouraged, though they may be directed to the appropriate forum. Those who are asked should be responsive and helpful, within the context of our shared goal of improving Apache project code. + +5. __Be careful in the words that we choose.__ Whether we are participating as professionals or volunteers, we value professionalism in all interactions, and take responsibility for our own speech. Be kind to others. Do not insult or put down other participants. Harassment and other exclusionary behaviour are not acceptable. This includes, but is not limited to: + + * Violent threats or language directed against another person. + * Sexist, racist, or otherwise discriminatory jokes and language. + * Posting sexually explicit or violent material. + * Posting (or threatening to post) other people's personally identifying information ("doxing"). + * Sharing private content, such as emails sent privately or non-publicly, or unlogged forums such as IRC channel history. + * Personal insults, especially those using racist or sexist terms. + * Unwelcome sexual attention. + * Excessive or unnecessary profanity. + * Repeated harassment of others. In general, if someone asks you to stop, then stop. + * Advocating for, or encouraging, any of the above behaviour. + +6. __Be concise.__ Keep in mind that what you write once will be read by hundreds of persons. Writing a short email means people can understand the conversation as efficiently as possible. Short emails should always strive to be empathetic, welcoming, friendly and patient. When a long explanation is necessary, consider adding a summary.

+ + Try to bring new ideas to a conversation so that each mail adds something unique to the thread, keeping in mind that the rest of the thread still contains the other messages with arguments that have already been made. + + Try to stay on topic, especially in discussions that are already fairly large. + +7. __Step down considerately.__ Members of every project come and go. When somebody leaves or disengages from the project they should tell people they are leaving and take the proper steps to ensure that others can pick up where they left off. In doing so, they should remain respectful of those who continue to participate in the project and should not misrepresent the project's goals or achievements. Likewise, community members should respect any individual's choice to leave the project.

+ + +## Diversity Statement ## + +Apache welcomes and encourages participation by everyone. We are committed to being a community that everyone feels good about joining. Although we may not be able to satisfy everyone, we will always work to treat everyone well. + +No matter how you identify yourself or how others perceive you: we welcome you. Though no list can hope to be comprehensive, we explicitly honour diversity in: age, culture, ethnicity, genotype, gender identity or expression, language, national origin, neurotype, phenotype, political beliefs, profession, race, religion, sexual orientation, socioeconomic status, subculture and technical ability. + +Though we welcome people fluent in all languages, Apache development is conducted in English. + +Standards for behaviour in the Apache community are detailed in the Code of Conduct above. We expect participants in our community to meet these standards in all their interactions and to help others to do so as well. + +## Reporting Guidelines ## + +While this code of conduct should be adhered to by participants, we recognize that sometimes people may have a bad day, or be unaware of some of the guidelines in this code of conduct. When that happens, you may reply to them and point out this code of conduct. Such messages may be in public or in private, whatever is most appropriate. However, regardless of whether the message is public or not, it should still adhere to the relevant parts of this code of conduct; in particular, it should not be abusive or disrespectful. + +If you believe someone is violating this code of conduct, you may reply to +them and point out this code of conduct. Such messages may be in public or in +private, whatever is most appropriate. Assume good faith; it is more likely +that participants are unaware of their bad behaviour than that they +intentionally try to degrade the quality of the discussion. Should there be +difficulties in dealing with the situation, you may report your compliance +issues in confidence to either: + + * President of the Apache Software Foundation: Sam Ruby (rubys at intertwingly dot net) + +or one of our volunteers: + + * [Mark Thomas](http://home.apache.org/~markt/coc.html) + * [Joan Touzet](http://home.apache.org/~wohali/) + * [Sharan Foga](http://home.apache.org/~sharan/coc.html) + +If the violation is in documentation or code, for example inappropriate pronoun usage or word choice within official documentation, we ask that people report these privately to the project in question at private@project.apache.org, and, if they have sufficient ability within the project, to resolve or remove the concerning material, being mindful of the perspective of the person originally reporting the issue. + + +## End Notes ## + +This Code defines __empathy__ as "a vicarious participation in the emotions, ideas, or opinions of others; the ability to imagine oneself in the condition or predicament of another." __Empathetic__ is the adjectival form of empathy. + + +This statement thanks the following, on which it draws for content and inspiration: + + + * [CouchDB Project Code of conduct](http://couchdb.apache.org/conduct.html) + * [Fedora Project Code of Conduct](http://fedoraproject.org/code-of-conduct) + * [Speak Up! Code of Conduct](http://speakup.io/coc.html) + * [Django Code of Conduct](https://www.djangoproject.com/conduct/) + * [Debian Code of Conduct](http://www.debian.org/vote/2014/vote_002) + * [Twitter Open Source Code of Conduct](https://github.com/twitter/code-of-conduct/blob/master/code-of-conduct.md) + * [Mozilla Code of Conduct/Draft](https://wiki.mozilla.org/Code_of_Conduct/Draft#Conflicts_of_Interest) + * [Python Diversity Appendix](https://www.python.org/community/diversity/) + * [Python Mentors Home Page](http://pythonmentors.com/) diff --git a/CODE_STYLE.md b/CODE_STYLE.md deleted file mode 100644 index 8b7a4ca2ef659..0000000000000 --- a/CODE_STYLE.md +++ /dev/null @@ -1,393 +0,0 @@ - - -# OpenResty Lua Coding Style Guide - -## indentation -Use 4 spaces as an indent in OpenResty, although Lua does not have such a grammar requirement. - -``` ---No -if a then -ngx.say("hello") -end -``` - -``` ---yes -if a then - ngx.say("hello") -end -``` - -You can simplify the operation by changing the tab to 4 spaces in the editor you are using. - -## Space -On both sides of the operator, you need to use a space to separate: - -``` ---No -local i=1 -local s = "apisix" -``` - -``` ---Yes -local i = 1 -local s = "apisix" -``` - -## Blank line -Many developers will bring the development habits of other languages to OpenResty, such as adding a semicolon at the end of the line. - -``` ---No -if a then -    ngx.say("hello"); -end; -``` - -Adding a semicolon will make the Lua code look ugly and unnecessary. Also, don't want to save the number of lines in the code, the latter turns the multi-line code into one line in order to appear "simple". This will not know when the positioning error is in the end of the code: - -``` ---No -if a then ngx.say("hello") end -``` - -``` ---yes -if a then - ngx.say("hello") -end -``` - -The functions needs to be separated by two blank lines: -``` ---No -local function foo() -end -local function bar() -end -``` - -``` ---Yes -local function foo() -end - - -local function bar() -end -``` - -If there are multiple if elseif branches, they need a blank line to separate them: -``` ---No -if a == 1 then - foo() -elseif a== 2 then - bar() -elseif a == 3 then - run() -else - error() -end -``` - -``` ---Yes -if a == 1 then - foo() - -elseif a== 2 then - bar() - -elseif a == 3 then - run() - -else - error() -end -``` - -## Maximum length per line -Each line cannot exceed 80 characters. If it exceeds, you need to wrap and align: - -``` ---No -return limit_conn_new("plugin-limit-conn", conf.conn, conf.burst, conf.default_conn_delay) -``` - -``` ---Yes -return limit_conn_new("plugin-limit-conn", conf.conn, conf.burst, - conf.default_conn_delay) -``` - -When the linefeed is aligned, the correspondence between the upper and lower lines should be reflected. For the example above, the parameters of the second line of functions are to the right of the left parenthesis of the first line. - -If it is a string stitching alignment, you need to put `..` in the next line: -``` ---No -return limit_conn_new("plugin-limit-conn" .. "plugin-limit-conn" .. - "plugin-limit-conn") -``` - -``` ---Yes -return limit_conn_new("plugin-limit-conn" .. "plugin-limit-conn" - .. "plugin-limit-conn") -``` - -``` ---Yes -return "param1", "plugin-limit-conn" - .. "plugin-limit-conn") -``` - -## Variable -Local variables should always be used, not global variables: -``` ---No -i = 1 -s = "apisix" -``` - -``` ---Yes -local i = 1 -local s = "apisix" -``` - -Variable naming uses the `snake_case` style: -``` ---No -local IndexArr = 1 -local str_Name = "apisix" -``` - -``` ---Yes -local index_arr = 1 -local str_name = "apisix" -``` - -Use all capitalization for constants: -``` ---No -local max_int = 65535 -local server_name = "apisix" -``` - -``` ---Yes -local MAX_INT = 65535 -local SERVER_NAME = "apisix" -``` - -## Table -Use `table.new` to pre-allocate the table: -``` ---No -local t = {} -for i = 1, 100 do - t[i] = i -end -``` - -``` ---Yes -local new_tab = require "table.new" -local t = new_tab(100, 0) -for i = 1, 100 do - t[i] = i -end -``` - -Don't use `nil` in an array: -``` ---No -local t = {1, 2, nil, 3} -``` - -If you must use null values, use `ngx.null` to indicate: -``` ---Yes -local t = {1, 2, ngx.null, 3} -``` - -## String -Do not splicing strings on the hot code path: -``` ---No -local s = "" -for i = 1, 100000 do - s = s .. "a" -end -``` - -``` ---Yes -local t = {} -for i = 1, 100000 do - t[i] = "a" -end -local s = table.concat(t, "") -``` - -## Function -The naming of functions also follows `snake_case`: -``` ---No -local function testNginx() -end -``` - -``` ---Yes -local function test_nginx() -end -``` - -The function should return as early as possible: -``` ---No -local function check(age, name) - local ret = true - if age < 20 then - ret = false - end - - if name == "a" then - ret = false - end - -- do something else - return ret -end -``` - -``` ---Yes -local function check(age, name) - if age < 20 then - return false - end - - if name == "a" then - return false - end - -- do something else - return true -end -``` - -## Module -All require libraries must be localized: -``` ---No -local function foo() - local ok, err = ngx.timer.at(delay, handler) -end -``` - -``` ---Yes -local timer_at = ngx.timer.at - -local function foo() - local ok, err = timer_at(delay, handler) -end -``` - -For style unification, `require` and `ngx` also need to be localized: -``` ---No -local core = require("apisix.core") -local timer_at = ngx.timer.at - -local function foo() - local ok, err = timer_at(delay, handler) -end -``` - -``` ---Yes -local ngx = ngx -local require = require -local core = require("apisix.core") -local timer_at = ngx.timer.at - -local function foo() - local ok, err = timer_at(delay, handler) -end -``` - -## Error handling -For functions that return with error information, the error information must be judged and processed: -``` ---No -local sock = ngx.socket.tcp() -local ok = sock:connect("www.google.com", 80) -ngx.say("successfully connected to google!") -``` - -``` ---Yes -local sock = ngx.socket.tcp() -local ok, err = sock:connect("www.google.com", 80) -if not ok then - ngx.say("failed to connect to google: ", err) - return -end -ngx.say("successfully connected to google!") -``` - -The function you wrote yourself, the error message is to be returned as a second parameter in the form of a string: -``` ---No -local function foo() - local ok, err = func() - if not ok then - return false - end - return true -end -``` - -``` ---No -local function foo() - local ok, err = func() - if not ok then - return false, {msg = err} - end - return true -end -``` - -``` ---Yes -local function foo() - local ok, err = func() - if not ok then - return false, "failed to call func(): " .. err - end - return true -end -``` diff --git a/FAQ.md b/FAQ.md index 4b56fce0355d0..dbf365e1f5c0f 100644 --- a/FAQ.md +++ b/FAQ.md @@ -71,14 +71,14 @@ Run the `luarocks config rocks_servers` command(this command is supported after If using a proxy doesn't solve this problem, you can add `--verbose` option during installation to see exactly how slow it is. Excluding the first case, only the second that the `git` protocol is blocked. Then we can run `git config --global url."https://".insteadOf git://` to using the 'HTTPS' protocol instead of `git`. -## How to support A/B testing via APISIX? +## How to support gray release via APISIX? -An example, if you want to group by the request param `arg_id`: +An example, `foo.com/product/index.html?id=204&page=2`, gray release based on `id` in the query string in uri as a condition: -1. Group A:arg_id <= 1000 -2. Group B:arg_id > 1000 +1. Group A:id <= 1000 +2. Group B:id > 1000 -here is the way: +here is the way: ```shell curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { @@ -107,11 +107,95 @@ curl -i http://127.0.0.1:9080/apisix/admin/routes/2 -H 'X-API-KEY: edd1c9f034335 }' ``` + Here is the operator list of current `lua-resty-radixtree`: https://github.com/iresty/lua-resty-radixtree#operator-list +## How to redirect http to https via APISIX? + +An example, redirect `http://foo.com` to `https://foo.com` + +There are several different ways to do this. +1. Directly use the `http_to_https` in `redirect` plugin: +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "host": "foo.com", + "plugins": { + "redirect": { + "http_to_https": true + } + } +}' +``` + +2. Use with advanced routing rule `vars` with `redirect` plugin: + +```shell +curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "host": "foo.com", + "vars": [ + [ + "scheme", + "==", + "http" + ] + ], + "plugins": { + "redirect": { + "uri": "https://$host$request_uri", + "ret_code": 301 + } + } +}' +``` + +3. `serverless` plugin: + +```shell +curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "plugins": { + "serverless-pre-function": { + "phase": "rewrite", + "functions": ["return function() if ngx.var.scheme == \"http\" and ngx.var.host == \"foo.com\" then ngx.header[\"Location\"] = \"https://foo.com\" .. ngx.var.request_uri; ngx.exit(ngx.HTTP_MOVED_PERMANENTLY); end; end"] + } + } +}' +``` + +Then test it to see if it works: +```shell +curl -i -H 'Host: foo.com' http://127.0.0.1:9080/hello +``` + +The response body should be: +``` +HTTP/1.1 301 Moved Permanently +Date: Mon, 18 May 2020 02:56:04 GMT +Content-Type: text/html +Content-Length: 166 +Connection: keep-alive +Location: https://foo.com/hello +Server: APISIX web server + + +301 Moved Permanently + +

301 Moved Permanently

+
openresty
+ + +``` + + ## How to fix OpenResty Installation Failure on MacOS 10.15 When you install the OpenResty on MacOs 10.15, you may face this error + ```shell > brew install openresty Updating Homebrew... @@ -172,3 +256,17 @@ Steps: 2. Restart APISIX Now you can trace the info level log in logs/error.log. + +## How to reload your own plugin + +The Apache APISIX plugin supports hot reloading. If your APISIX node has the Admin API turned on, then for scenarios such as adding / deleting / modifying plugins, you can hot reload the plugin by calling the HTTP interface without restarting the service. + +```shell +curl http://127.0.0.1:9080/apisix/admin/plugins/reload -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT +``` + +If your APISIX node does not open the Admin API, then you can manually load the plug-in by reloading APISIX. + +```shell +apisix reload +``` diff --git a/FAQ_CN.md b/FAQ_CN.md index 8d1e52824b514..334fc693c7397 100644 --- a/FAQ_CN.md +++ b/FAQ_CN.md @@ -45,7 +45,7 @@ APISIX 是当前性能最好的 API 网关,单核 QPS 达到 2.3 万,平均 当然可以,APISIX 提供了灵活的自定义插件,方便开发者和企业编写自己的逻辑。 -[如何开发插件](doc/plugin-develop-cn.md) +[如何开发插件](doc/zh-cn/plugin-develop.md) ## 我们为什么选择 etcd 作为配置中心? @@ -73,14 +73,15 @@ luarocks 服务。 运行 `luarocks config rocks_servers` 命令(这个命令 如果使用代理仍然解决不了这个问题,那可以在安装的过程中添加 `--verbose` 选项来查看具体是慢在什么地方。排除前面的 第一种情况,只可能是第二种,`git` 协议被封。这个时候可以执行 `git config --global url."https://".insteadOf git://` 命令使用 `https` 协议替代。 -## 如何通过APISIX支持A/B测试? +## 如何通过 APISIX 支持灰度发布? -比如,根据入参`arg_id`分组: +比如,`foo.com/product/index.html?id=204&page=2`, 根据 uri 中 query string 中的 `id` 作为条件来灰度发布: -1. A组:arg_id <= 1000 -2. B组:arg_id > 1000 +1. A组:id <= 1000 +2. B组:id > 1000 可以这么做: + ```shell curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { @@ -109,9 +110,91 @@ curl -i http://127.0.0.1:9080/apisix/admin/routes/2 -H 'X-API-KEY: edd1c9f034335 }' ``` + 更多的 lua-resty-radixtree 匹配操作,可查看操作列表: https://github.com/iresty/lua-resty-radixtree#operator-list +## 如何支持 http 自动跳转到 https? + +比如,将 `http://foo.com` 重定向到 `https://foo.com` + +有几种不同的方法来实现: +1. 直接使用 `redirect` 插件的 `http_to_https` 功能: +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "host": "foo.com", + "plugins": { + "redirect": { + "http_to_https": true + } + } +}' +``` + +2. 结合高级路由规则 `vars` 和 `redirect` 插件一起使用: + +```shell +curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "host": "foo.com", + "vars": [ + [ + "scheme", + "==", + "http" + ] + ], + "plugins": { + "redirect": { + "uri": "https://$host$request_uri", + "ret_code": 301 + } + } +}' +``` + +3. 使用`serverless`插件: + +```shell +curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "plugins": { + "serverless-pre-function": { + "phase": "rewrite", + "functions": ["return function() if ngx.var.scheme == \"http\" and ngx.var.host == \"foo.com\" then ngx.header[\"Location\"] = \"https://foo.com\" .. ngx.var.request_uri; ngx.exit(ngx.HTTP_MOVED_PERMANENTLY); end; end"] + } + } +}' +``` + +然后测试下是否生效: +```shell +curl -i -H 'Host: foo.com' http://127.0.0.1:9080/hello +``` + +响应体应该是: +``` +HTTP/1.1 301 Moved Permanently +Date: Mon, 18 May 2020 02:56:04 GMT +Content-Type: text/html +Content-Length: 166 +Connection: keep-alive +Location: https://foo.com/hello +Server: APISIX web server + + +301 Moved Permanently + +

301 Moved Permanently

+
openresty
+ + +``` + ## 如何修改日志等级 默认的APISIX日志等级为`warn`,如果需要查看`core.log.info`的打印结果需要将日志等级调整为`info`。 @@ -123,3 +206,17 @@ https://github.com/iresty/lua-resty-radixtree#operator-list 2、重启APISIX 之后便可以在logs/error.log中查看到info的日志了。 + +## 如何加载自己编写的插件 + +Apache APISIX 的插件支持热加载,如果你的 APISIX 节点打开了 Admin API,那么对于新增/删除/修改插件等场景,均可以通过调用 HTTP 接口的方式热加载插件,不需要重启服务。 + +```shell +curl http://127.0.0.1:9080/apisix/admin/plugins/reload -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT +``` + +如果你的 APISIX 节点并没有打开 Admin API,那么你可以通过手动 reload APISIX 的方式加载插件。 + +```shell +apisix reload +``` diff --git a/Makefile b/Makefile index 1ecc3074276a8..5836e3690988a 100644 --- a/Makefile +++ b/Makefile @@ -79,9 +79,13 @@ init: default ### run: Start the apisix server .PHONY: run run: default +ifeq ("$(wildcard logs/nginx.pid)", "") mkdir -p logs mkdir -p /tmp/apisix_cores/ $(OR_EXEC) -p $$PWD/ -c $$PWD/conf/nginx.conf +else + @echo "APISIX is running..." +endif ### stop: Stop the apisix server @@ -110,7 +114,7 @@ reload: default ### install: Install the apisix .PHONY: install -install: +install: default $(INSTALL) -d /usr/local/apisix/ $(INSTALL) -d /usr/local/apisix/logs/ $(INSTALL) -d /usr/local/apisix/conf/cert @@ -124,6 +128,9 @@ install: $(INSTALL) -d $(INST_LUADIR)/apisix/admin $(INSTALL) apisix/admin/*.lua $(INST_LUADIR)/apisix/admin/ + $(INSTALL) -d $(INST_LUADIR)/apisix/balancer + $(INSTALL) apisix/balancer/*.lua $(INST_LUADIR)/apisix/balancer/ + $(INSTALL) -d $(INST_LUADIR)/apisix/core $(INSTALL) apisix/core/*.lua $(INST_LUADIR)/apisix/core/ @@ -133,6 +140,9 @@ install: $(INSTALL) -d $(INST_LUADIR)/apisix/http/router $(INSTALL) apisix/http/router/*.lua $(INST_LUADIR)/apisix/http/router/ + $(INSTALL) -d $(INST_LUADIR)/apisix/discovery + $(INSTALL) apisix/discovery/*.lua $(INST_LUADIR)/apisix/discovery/ + $(INSTALL) -d $(INST_LUADIR)/apisix/plugins $(INSTALL) apisix/plugins/*.lua $(INST_LUADIR)/apisix/plugins/ @@ -148,6 +158,9 @@ install: $(INSTALL) -d $(INST_LUADIR)/apisix/plugins/zipkin $(INSTALL) apisix/plugins/zipkin/*.lua $(INST_LUADIR)/apisix/plugins/zipkin/ + $(INSTALL) -d $(INST_LUADIR)/apisix/plugins/skywalking + $(INSTALL) apisix/plugins/skywalking/*.lua $(INST_LUADIR)/apisix/plugins/skywalking/ + $(INSTALL) -d $(INST_LUADIR)/apisix/stream/plugins $(INSTALL) apisix/stream/plugins/*.lua $(INST_LUADIR)/apisix/stream/plugins/ diff --git a/README.md b/README.md index a0102b429f025..3572484d373be 100644 --- a/README.md +++ b/README.md @@ -39,8 +39,6 @@ APISIX is a cloud-based microservices API gateway that handles traditional north APISIX provides dynamic load balancing, authentication, rate limiting, other plugins through plugin mechanisms, and supports plugins you develop yourself. -For more detailed information, see the [White Paper](https://www.iresty.com/download/Choosing%20the%20Right%20Microservice%20API%20Gateway%20for%20the%20Enterprise%20User.pdf). - ![](doc/images/apisix.png) ## Features @@ -50,7 +48,7 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against - **All platforms** - Cloud-Native: Platform agnostic, No vendor lock-in, APISIX can run from bare-metal to Kubernetes. - Run Environment: Both OpenResty and Tengine are supported. - - Supports [ARM64](https://zhuanlan.zhihu.com/p/84467919): Don't worry about the lock-in of the infra technology. + - Supports ARM64: Don't worry about the lock-in of the infra technology. - **Multi protocols** - [TCP/UDP Proxy](doc/stream-proxy.md): Dynamic TCP/UDP proxy. @@ -72,6 +70,7 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against - Hash-based Load Balancing: Load balance with consistent hashing sessions. - [Health Checks](doc/health-check.md): Enable health check on the upstream node, and will automatically filter unhealthy nodes during load balancing to ensure system stability. - Circuit-Breaker: Intelligent tracking of unhealthy upstream services. + - [Dynamic service discovery](doc/discovery.md):Support service discovery based on registry, reduce the reverse proxy maintenance costs. - **Fine-grained routing** - [Supports full path matching and prefix matching](doc/router-radixtree.md#how-to-use-libradixtree-in-apisix) @@ -79,7 +78,7 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against - Support [various operators as judgment conditions for routing](https://github.com/iresty/lua-resty-radixtree#operator-list), for example `{"arg_age", ">", 24}` - Support [custom route matching function](https://github.com/iresty/lua-resty-radixtree/blob/master/t/filter-fun.t#L10) - IPv6: Use IPv6 to match route. - - Support [TTL](doc/admin-api-cn.md#route) + - Support [TTL](doc/zh-cn/admin-api.md#route) - [Support priority](doc/router-radixtree.md#3-match-priority) - [Support Batch Http Requests](doc/plugins/batch-requests.md) @@ -91,10 +90,11 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against - [Limit-count](doc/plugins/limit-count.md) - [Limit-concurrency](doc/plugins/limit-conn.md) - Anti-ReDoS(Regular expression Denial of Service): Built-in policies to Anti ReDoS without configuration. - - [CORS](doc/plugins/cors.md) + - [CORS](doc/plugins/cors.md) Enable CORS(Cross-origin resource sharing) for your API. + - [uri-blocker](plugins/uri-blocker.md): Block client request by URI. - **OPS friendly** - - OpenTracing: [support Apache Skywalking and Zipkin](doc/plugins/zipkin.md) + - OpenTracing: support [Apache Skywalking](doc/plugins/skywalking.md) and [Zipkin](doc/plugins/zipkin.md) - Monitoring And Metrics: [Prometheus](doc/plugins/prometheus.md) - Clustering: APISIX nodes are stateless, creates clustering of the configuration center, please refer to [etcd Clustering Guide](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/clustering.md). - High availability: support to configure multiple etcd addresses in the same cluster. @@ -106,7 +106,6 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against - High performance: The single-core QPS reaches 18k with an average delay of less than 0.2 milliseconds. - [Fault Injection](doc/plugins/fault-injection.md) - [REST Admin API](doc/admin-api.md): Using the REST Admin API to control Apache APISIX, which only allows 127.0.0.1 access by default, you can modify the `allow_admin` field in `conf/config.yaml` to specify a list of IPs that are allowed to call the Admin API. Also note that the Admin API uses key auth to verify the identity of the caller. **The `admin_key` field in `conf/config.yaml` needs to be modified before deployment to ensure security**. - - [Python SDK](https://github.com/api7/apache-apisix-python-sdk) - External Loggers: Export access logs to external log management tools. ([HTTP Logger](doc/plugins/http-logger.md), [TCP Logger](doc/plugins/tcp-logger.md), [Kafka Logger](doc/plugins/kafka-logger.md), [UDP Logger](doc/plugins/udp-logger.md)) - **Highly scalable** @@ -121,7 +120,7 @@ APISIX Installed and tested in the following systems(OpenResty MUST >= 1.15.8.1, CentOS 7, Ubuntu 16.04, Ubuntu 18.04, Debian 9, Debian 10, macOS, **ARM64** Ubuntu 18.04 Steps to install APISIX: -1. Installation runtime dependencies: OpenResty and etcd, refer to [documentation](doc/install-dependencies.md) +1. Installation runtime dependencies: Nginx and etcd, refer to [documentation](doc/install-dependencies.md) 2. There are several ways to install Apache APISIX: - [Source Release](doc/how-to-build.md#installation-via-source-release) - [RPM package](doc/how-to-build.md#installation-via-rpm-package-centos-7) for CentOS 7 @@ -171,8 +170,6 @@ Do not need to fill the user name and password, log in directly. The dashboard only allows 127.0.0.1 by default, and you can modify `allow_admin` in `conf/config.yaml` by yourself, to list the list of IPs allowed to access. -We provide an online dashboard [demo version](http://apisix.iresty.com), make it easier for you to understand APISIX. - ## Benchmark Using AWS's 8 core server, APISIX's QPS reach to 140,000 with a latency of only 0.2 ms. diff --git a/README_CN.md b/README_CN.md index d3e79098cbceb..408fc2227a1b0 100644 --- a/README_CN.md +++ b/README_CN.md @@ -29,7 +29,7 @@ APISIX 是一个云原生、高性能、可扩展的微服务 API 网关。 -它是基于 OpenResty 和 etcd 来实现,和传统 API 网关相比,APISIX 具备动态路由和插件热加载,特别适合微服务体系下的 API 管理。 +它是基于 Nginx 和 etcd 来实现,和传统 API 网关相比,APISIX 具备动态路由和插件热加载,特别适合微服务体系下的 API 管理。 ## 为什么选择 APISIX? @@ -39,8 +39,6 @@ APISIX 是基于云原生的微服务 API 网关,它是所有业务流量的 APISIX 通过插件机制,提供动态负载平衡、身份验证、限流限速等功能,并且支持你自己开发的插件。 -更多详细的信息,可以查阅[ APISIX 的白皮书](https://www.iresty.com/download/%E4%BC%81%E4%B8%9A%E7%94%A8%E6%88%B7%E5%A6%82%E4%BD%95%E9%80%89%E6%8B%A9%E5%BE%AE%E6%9C%8D%E5%8A%A1%20API%20%E7%BD%91%E5%85%B3.pdf) - ![](doc/images/apisix.png) ## 功能 @@ -50,28 +48,29 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵 - **全平台** - 云原生: 平台无关,没有供应商锁定,无论裸机还是 Kubernetes,APISIX 都可以运行。 - 运行环境: OpenResty 和 Tengine 都支持。 - - 支持 [ARM64](https://zhuanlan.zhihu.com/p/84467919): 不用担心底层技术的锁定。 + - 支持 ARM64: 不用担心底层技术的锁定。 - **多协议** - - [TCP/UDP 代理](doc/stream-proxy-cn.md): 动态 TCP/UDP 代理。 - - [动态 MQTT 代理](doc/plugins/mqtt-proxy-cn.md): 支持用 `client_id` 对 MQTT 进行负载均衡,同时支持 MQTT [3.1.*](http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html) 和 [5.0](https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html) 两个协议标准。 - - [gRPC 代理](doc/grpc-proxy-cn.md):通过 APISIX 代理 gRPC 连接,并使用 APISIX 的大部分特性管理你的 gRPC 服务。 + - [TCP/UDP 代理](doc/zh-cn/stream-proxy.md): 动态 TCP/UDP 代理。 + - [动态 MQTT 代理](doc/zh-cn/plugins/mqtt-proxy.md): 支持用 `client_id` 对 MQTT 进行负载均衡,同时支持 MQTT [3.1.*](http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html) 和 [5.0](https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html) 两个协议标准。 + - [gRPC 代理](doc/zh-cn/grpc-proxy.md):通过 APISIX 代理 gRPC 连接,并使用 APISIX 的大部分特性管理你的 gRPC 服务。 - [gRPC 协议转换](doc/plugins/grpc-transcoding-cn.md):支持协议的转换,这样客户端可以通过 HTTP/JSON 来访问你的 gRPC API。 - Websocket 代理 - Proxy Protocol - Dubbo 代理:基于 Tengine,可以实现 Dubbo 请求的代理。 - HTTP(S) 反向代理 - - [SSL](doc/https-cn.md):动态加载 SSL 证书。 + - [SSL](doc/zh-cn/https.md):动态加载 SSL 证书。 - **全动态能力** - - [热更新和热插件](doc/plugins-cn.md): 无需重启服务,就可以持续更新配置和插件。 - - [代理请求重写](doc/plugins/proxy-rewrite-cn.md): 支持重写请求上游的`host`、`uri`、`schema`、`enable_websocket`、`headers`信息。 - - [输出内容重写](doc/plugins/response-rewrite-cn.md): 支持自定义修改返回内容的 `status code`、`body`、`headers`。 - - [Serverless](doc/plugins/serverless-cn.md): 在 APISIX 的每一个阶段,你都可以添加并调用自己编写的函数。 + - [热更新和热插件](doc/zh-cn/plugins.md): 无需重启服务,就可以持续更新配置和插件。 + - [代理请求重写](doc/zh-cn/plugins/proxy-rewrite.md): 支持重写请求上游的`host`、`uri`、`schema`、`enable_websocket`、`headers`信息。 + - [输出内容重写](doc/zh-cn/plugins/response-rewrite.md): 支持自定义修改返回内容的 `status code`、`body`、`headers`。 + - [Serverless](doc/zh-cn/plugins/serverless.md): 在 APISIX 的每一个阶段,你都可以添加并调用自己编写的函数。 - 动态负载均衡:动态支持有权重的 round-robin 负载平衡。 - 支持一致性 hash 的负载均衡:动态支持一致性 hash 的负载均衡。 - [健康检查](doc/health-check.md):启用上游节点的健康检查,将在负载均衡期间自动过滤不健康的节点,以确保系统稳定性。 - 熔断器: 智能跟踪不健康上游服务。 + - [动态服务发现](doc/zh-cn/discovery.md):支持基于注册中心的服务发现功能,降低反向代理维护成本。 - **精细化路由** - [支持全路径匹配和前缀匹配](doc/router-radixtree.md#how-to-use-libradixtree-in-apisix) @@ -79,38 +78,38 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵 - 支持[各类操作符做为路由的判断条件](https://github.com/iresty/lua-resty-radixtree#operator-list),比如 `{"arg_age", ">", 24}` - 支持[自定义路由匹配函数](https://github.com/iresty/lua-resty-radixtree/blob/master/t/filter-fun.t#L10) - IPv6:支持使用 IPv6 格式匹配路由 - - 支持路由的[自动过期(TTL)](doc/admin-api-cn.md#route) + - 支持路由的[自动过期(TTL)](doc/zh-cn/admin-api.md#route) - [支持路由的优先级](doc/router-radixtree.md#3-match-priority) - - [支持批量 Http 请求](doc/plugins/batch-requests-cn.md) + - [支持批量 Http 请求](doc/zh-cn/plugins/batch-requests.md) - **安全防护** - - 多种身份认证方式: [key-auth](doc/plugins/key-auth-cn.md), [JWT](doc/plugins/jwt-auth-cn.md), [basic-auth](doc/plugins/basic-auth-cn.md), [wolf-rbac](doc/plugins/wolf-rbac-cn.md)。 - - [IP 黑白名单](doc/plugins/ip-restriction-cn.md) + - 多种身份认证方式: [key-auth](doc/zh-cn/plugins/key-auth.md), [JWT](doc/zh-cn/plugins/jwt-auth.md), [basic-auth](doc/zh-cn/plugins/basic-auth.md), [wolf-rbac](doc/zh-cn/plugins/wolf-rbac.md)。 + - [IP 黑白名单](doc/zh-cn/plugins/ip-restriction.md) - [IdP 支持](doc/plugins/oauth.md): 支持外部的身份认证服务,比如 Auth0,Okta,Authing 等,用户可以借此来对接 Oauth2.0 等认证方式。 - - [限制速率](doc/plugins/limit-req-cn.md) - - [限制请求数](doc/plugins/limit-count-cn.md) - - [限制并发](doc/plugins/limit-conn-cn.md) + - [限制速率](doc/zh-cn/plugins/limit-req.md) + - [限制请求数](doc/zh-cn/plugins/limit-count.md) + - [限制并发](doc/zh-cn/plugins/limit-conn.md) - 防御 ReDoS(正则表达式拒绝服务):内置策略,无需配置即可抵御 ReDoS。 - - [CORS](doc/plugins/cors-cn.md) + - [CORS](doc/zh-cn/plugins/cors.md):为你的API启用 CORS。 + - [uri-blocker](plugins/uri-blocker.md):根据 URI 拦截用户请求。 - **运维友好** - - OpenTracing 可观测性: [支持 Apache Skywalking 和 Zipkin](doc/plugins/zipkin-cn.md)。 - - 监控和指标: [Prometheus](doc/plugins/prometheus-cn.md) + - OpenTracing 可观测性: 支持 [Apache Skywalking](doc/zh-cn/plugins/skywalking.md) 和 [Zipkin](doc/zh-cn/plugins/zipkin.md)。 + - 监控和指标: [Prometheus](doc/zh-cn/plugins/prometheus.md) - 集群:APISIX 节点是无状态的,创建配置中心集群请参考 [etcd Clustering Guide](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/clustering.md)。 - 高可用:支持配置同一个集群内的多个 etcd 地址。 - 控制台: 内置控制台来操作 APISIX 集群。 - 版本控制:支持操作的多次回滚。 - CLI: 使用命令行来启动、关闭和重启 APISIX。 - - [单机模式](doc/stand-alone-cn.md): 支持从本地配置文件中加载路由规则,在 kubernetes(k8s) 等环境下更友好。 - - [全局规则](doc/architecture-design-cn.md#Global-Rule):允许对所有请求执行插件,比如黑白名单、限流限速等。 + - [单机模式](doc/zh-cn/stand-alone.md): 支持从本地配置文件中加载路由规则,在 kubernetes(k8s) 等环境下更友好。 + - [全局规则](doc/zh-cn/architecture-design.md#Global-Rule):允许对所有请求执行插件,比如黑白名单、限流限速等。 - 高性能:在单核上 QPS 可以达到 18k,同时延迟只有 0.2 毫秒。 - - [故障注入](doc/plugins/fault-injection-cn.md) - - [REST Admin API](doc/admin-api-cn.md): 使用 REST Admin API 来控制 Apache APISIX,默认只允许 127.0.0.1 访问,你可以修改 `conf/config.yaml` 中的 `allow_admin` 字段,指定允许调用 Admin API 的 IP 列表。同时需要注意的是,Admin API 使用 key auth 来校验调用者身份,**在部署前需要修改 `conf/config.yaml` 中的 `admin_key` 字段,来保证安全。** - - [Python SDK](https://github.com/api7/apache-apisix-python-sdk) + - [故障注入](doc/zh-cn/plugins/fault-injection.md) + - [REST Admin API](doc/zh-cn/admin-api.md): 使用 REST Admin API 来控制 Apache APISIX,默认只允许 127.0.0.1 访问,你可以修改 `conf/config.yaml` 中的 `allow_admin` 字段,指定允许调用 Admin API 的 IP 列表。同时需要注意的是,Admin API 使用 key auth 来校验调用者身份,**在部署前需要修改 `conf/config.yaml` 中的 `admin_key` 字段,来保证安全。** - 外部日志记录器:将访问日志导出到外部日志管理工具。([HTTP Logger](doc/plugins/http-logger.md), [TCP Logger](doc/plugins/tcp-logger.md), [Kafka Logger](doc/plugins/kafka-logger.md), [UDP Logger](doc/plugins/udp-logger.md)) - **高度可扩展** - - [自定义插件](doc/plugin-develop-cn.md): 允许挂载常见阶段,例如`init`, `rewrite`,`access`,`balancer`,`header filer`,`body filter` 和 `log` 阶段。 + - [自定义插件](doc/zh-cn/plugin-develop.md): 允许挂载常见阶段,例如`init`, `rewrite`,`access`,`balancer`,`header filer`,`body filter` 和 `log` 阶段。 - 自定义负载均衡算法:可以在 `balancer` 阶段使用自定义负载均衡算法。 - 自定义路由: 支持用户自己实现路由算法。 @@ -118,14 +117,14 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵 APISIX 在以下操作系统中可顺利安装并做过运行测试,需要注意的是:OpenResty 的版本必须 >= 1.15.8.1: -CentOS 7, Ubuntu 16.04, Ubuntu 18.04, Debian 9, Debian 10, macOS, **[ARM64](https://zhuanlan.zhihu.com/p/84467919)** Ubuntu 18.04 +CentOS 7, Ubuntu 16.04, Ubuntu 18.04, Debian 9, Debian 10, macOS, **ARM64** Ubuntu 18.04 安装 APISIX 的步骤: -1. 安装运行时依赖:OpenResty 和 etcd,参考[依赖安装文档](doc/install-dependencies.md) +1. 安装运行时依赖:OpenResty 和 etcd,参考[依赖安装文档](doc/zh-cn/install-dependencies.md) 2. 有以下几种方式来安装 Apache APISIX: - - 通过[源码包安装](doc/how-to-build-cn.md#通过源码包安装); - - 如果你在使用 CentOS 7,可以使用 [RPM 包安装](doc/how-to-build-cn.md#通过-rpm-包安装centos-7); - - 其它 Linux 操作系统,可以使用 [Luarocks 安装方式](doc/how-to-build-cn.md#通过-luarocks-安装-不支持-macos); + - 通过[源码包安装](doc/zh-cn/how-to-build.md#通过源码包安装); + - 如果你在使用 CentOS 7,可以使用 [RPM 包安装](doc/zh-cn/how-to-build.md#通过-rpm-包安装centos-7); + - 其它 Linux 操作系统,可以使用 [Luarocks 安装方式](doc/zh-cn/how-to-build.md#通过-luarocks-安装-不支持-macos); - 你也可以使用 [Docker 镜像](https://github.com/apache/incubator-apisix-docker) 来安装。 ## 快速上手 @@ -138,9 +137,9 @@ sudo apisix start 2. 入门指南 -入门指南是学习 APISIX 基础知识的好方法。按照 [入门指南](doc/getting-started-cn.md)的步骤即可。 +入门指南是学习 APISIX 基础知识的好方法。按照 [入门指南](doc/zh-cn/getting-started.md)的步骤即可。 -更进一步,你可以跟着文档来尝试更多的[插件](doc/README_CN.md#插件)。 +更进一步,你可以跟着文档来尝试更多的[插件](doc/zh-cn/README.md#插件)。 ## 控制台 @@ -172,15 +171,13 @@ cp -r dist/* . Dashboard 默认只允许 127.0.0.1 访问。你可以自行修改 `conf/config.yaml` 中的 `allow_admin` 字段,指定允许访问 dashboard 的 IP 列表。 -我们部署了一个在线的 [Dashboard](http://apisix.iresty.com) ,方便你了解 APISIX。 - ## 性能测试 使用 AWS 的 8 核心服务器来压测 APISIX,QPS 可以达到 140000,同时延时只有 0.2 毫秒。 ## 文档 -[Apache APISIX 文档索引](doc/README_CN.md) +[Apache APISIX 文档索引](doc/zh-cn/README.md) ## Apache APISIX 和 Kong 的比较 @@ -241,7 +238,7 @@ Dashboard 默认只允许 127.0.0.1 访问。你可以自行修改 `conf/config. - [思必驰:为什么我们重新写了一个 k8s ingress controller?](https://mp.weixin.qq.com/s/bmm2ibk2V7-XYneLo9XAPQ) ## APISIX 的用户有哪些? -有很多公司和组织把 APISIX 用户学习、研究、生产环境和商业产品中,包括: +有很多公司和组织把 APISIX 用于学习、研究、生产环境和商业产品中,包括: diff --git a/apisix/admin/global_rules.lua b/apisix/admin/global_rules.lua index c74d7739d2cf6..a768012f99604 100644 --- a/apisix/admin/global_rules.lua +++ b/apisix/admin/global_rules.lua @@ -43,6 +43,8 @@ local function check_conf(id, conf, need_id) return nil, {error_msg = "wrong route id"} end + conf.id = id + core.log.info("schema: ", core.json.delay_encode(core.schema.global_rule)) core.log.info("conf : ", core.json.delay_encode(conf)) local ok, err = core.schema.check(core.schema.global_rule, conf) @@ -104,19 +106,19 @@ function _M.delete(id) end -function _M.patch(id, conf, sub_path) +function _M.patch(id, conf) if not id then return 400, {error_msg = "missing global rule id"} end - if not sub_path then - return 400, {error_msg = "missing sub-path"} - end - if not conf then return 400, {error_msg = "missing new configuration"} end + if type(conf) ~= "table" then + return 400, {error_msg = "invalid configuration"} + end + local key = "/global_rules/" .. id local res_old, err = core.etcd.get(key) if not res_old then @@ -131,32 +133,9 @@ function _M.patch(id, conf, sub_path) core.json.delay_encode(res_old, true)) local node_value = res_old.body.node.value - local sub_value = node_value - local sub_paths = core.utils.split_uri(sub_path) - for i = 1, #sub_paths - 1 do - local sub_name = sub_paths[i] - if sub_value[sub_name] == nil then - sub_value[sub_name] = {} - end - sub_value = sub_value[sub_name] + node_value = core.table.merge(node_value, conf); - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" - .. core.table.concat(sub_paths, 1, i) - end - end - - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" .. sub_path - end - - local sub_name = sub_paths[#sub_paths] - if sub_name and sub_name ~= "" then - sub_value[sub_name] = conf - else - node_value = conf - end core.log.info("new conf: ", core.json.delay_encode(node_value, true)) local ok, err = check_conf(id, node_value, true) diff --git a/apisix/admin/plugins.lua b/apisix/admin/plugins.lua index 7d6262c59c103..7b835e10ca436 100644 --- a/apisix/admin/plugins.lua +++ b/apisix/admin/plugins.lua @@ -18,9 +18,13 @@ local core = require("apisix.core") local local_plugins = require("apisix.plugin").plugins_hash local stream_local_plugins = require("apisix.plugin").stream_plugins_hash local pairs = pairs +local ipairs = ipairs local pcall = pcall local require = require local table_remove = table.remove +local table_sort = table.sort +local table_insert = table.insert + local _M = { version = 0.1, @@ -114,7 +118,23 @@ function _M.get_plugins_list() table_remove(plugins, 1) end - return plugins + local priorities = {} + local success = {} + for i, name in ipairs(plugins) do + local plugin_name = "apisix.plugins." .. name + local ok, plugin = pcall(require, plugin_name) + if ok and plugin.priority then + priorities[name] = plugin.priority + table_insert(success, name) + end + end + + local function cmp(x, y) + return priorities[x] > priorities[y] + end + + table_sort(success, cmp) + return success end diff --git a/apisix/admin/routes.lua b/apisix/admin/routes.lua index 3303e8dc0d0cf..2ce284be71c93 100644 --- a/apisix/admin/routes.lua +++ b/apisix/admin/routes.lua @@ -45,6 +45,8 @@ local function check_conf(id, conf, need_id) return nil, {error_msg = "wrong route id"} end + conf.id = id + core.log.info("schema: ", core.json.delay_encode(core.schema.route)) core.log.info("conf : ", core.json.delay_encode(conf)) local ok, err = core.schema.check(core.schema.route, conf) @@ -135,7 +137,7 @@ function _M.put(id, conf, sub_path, args) local key = "/routes/" .. id local res, err = core.etcd.set(key, conf, args.ttl) if not res then - core.log.error("failed to put route[", key, "]: ", err) + core.log.error("failed to put route[", key, "] to etcd: ", err) return 500, {error_msg = err} end @@ -151,7 +153,7 @@ function _M.get(id) local res, err = core.etcd.get(key) if not res then - core.log.error("failed to get route[", key, "]: ", err) + core.log.error("failed to get route[", key, "] from etcd: ", err) return 500, {error_msg = err} end @@ -169,7 +171,7 @@ function _M.post(id, conf, sub_path, args) -- core.log.info("key: ", key) local res, err = core.etcd.push("/routes", conf, args.ttl) if not res then - core.log.error("failed to post route[", key, "]: ", err) + core.log.error("failed to post route[", key, "] to etcd: ", err) return 500, {error_msg = err} end @@ -186,7 +188,7 @@ function _M.delete(id) -- core.log.info("key: ", key) local res, err = core.etcd.delete(key) if not res then - core.log.error("failed to delete route[", key, "]: ", err) + core.log.error("failed to delete route[", key, "] in etcd: ", err) return 500, {error_msg = err} end @@ -194,19 +196,19 @@ function _M.delete(id) end -function _M.patch(id, conf, sub_path, args) +function _M.patch(id, conf, args) if not id then return 400, {error_msg = "missing route id"} end - if not sub_path then - return 400, {error_msg = "missing sub-path"} - end - if not conf then return 400, {error_msg = "missing new configuration"} end + if type(conf) ~= "table" then + return 400, {error_msg = "invalid configuration"} + end + local key = "/routes" if id then key = key .. "/" .. id @@ -214,7 +216,7 @@ function _M.patch(id, conf, sub_path, args) local res_old, err = core.etcd.get(key) if not res_old then - core.log.error("failed to get route [", key, "]: ", err) + core.log.error("failed to get route [", key, "] in etcd: ", err) return 500, {error_msg = err} end @@ -224,33 +226,11 @@ function _M.patch(id, conf, sub_path, args) core.log.info("key: ", key, " old value: ", core.json.delay_encode(res_old, true)) - local node_value = res_old.body.node.value - local sub_value = node_value - local sub_paths = core.utils.split_uri(sub_path) - for i = 1, #sub_paths - 1 do - local sub_name = sub_paths[i] - if sub_value[sub_name] == nil then - sub_value[sub_name] = {} - end - sub_value = sub_value[sub_name] - - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" - .. core.table.concat(sub_paths, 1, i) - end - end + local node_value = res_old.body.node.value - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" .. sub_path - end + node_value = core.table.merge(node_value, conf); - local sub_name = sub_paths[#sub_paths] - if sub_name and sub_name ~= "" then - sub_value[sub_name] = conf - else - node_value = conf - end core.log.info("new conf: ", core.json.delay_encode(node_value, true)) local id, err = check_conf(id, node_value, true) @@ -261,7 +241,7 @@ function _M.patch(id, conf, sub_path, args) -- TODO: this is not safe, we need to use compare-set local res, err = core.etcd.set(key, node_value, args.ttl) if not res then - core.log.error("failed to set new route[", key, "]: ", err) + core.log.error("failed to set new route[", key, "] to etcd: ", err) return 500, {error_msg = err} end diff --git a/apisix/admin/services.lua b/apisix/admin/services.lua index e26ea41e63362..c10a215fd6102 100644 --- a/apisix/admin/services.lua +++ b/apisix/admin/services.lua @@ -20,7 +20,6 @@ local schema_plugin = require("apisix.admin.plugins").check_schema local upstreams = require("apisix.admin.upstreams") local tostring = tostring local ipairs = ipairs -local tonumber = tonumber local type = type @@ -47,6 +46,7 @@ local function check_conf(id, conf, need_id) return nil, {error_msg = "wrong service id"} end + conf.id = id core.log.info("schema: ", core.json.delay_encode(core.schema.service)) core.log.info("conf : ", core.json.delay_encode(conf)) @@ -55,7 +55,7 @@ local function check_conf(id, conf, need_id) return nil, {error_msg = "invalid configuration: " .. err} end - if need_id and not tonumber(id) then + if need_id and not id then return nil, {error_msg = "wrong type of service id"} end @@ -177,19 +177,19 @@ function _M.delete(id) end -function _M.patch(id, conf, sub_path) +function _M.patch(id, conf) if not id then return 400, {error_msg = "missing service id"} end - if not sub_path then - return 400, {error_msg = "missing sub-path"} - end - if not conf then return 400, {error_msg = "missing new configuration"} end + if type(conf) ~= "table" then + return 400, {error_msg = "invalid configuration"} + end + local key = "/services" .. "/" .. id local res_old, err = core.etcd.get(key) if not res_old then @@ -204,32 +204,9 @@ function _M.patch(id, conf, sub_path) core.json.delay_encode(res_old, true)) local new_value = res_old.body.node.value - local sub_value = new_value - local sub_paths = core.utils.split_uri(sub_path) - for i = 1, #sub_paths - 1 do - local sub_name = sub_paths[i] - if sub_value[sub_name] == nil then - sub_value[sub_name] = {} - end - sub_value = sub_value[sub_name] + new_value = core.table.merge(new_value, conf); - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" - .. core.table.concat(sub_paths, 1, i) - end - end - - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" .. sub_path - end - - local sub_name = sub_paths[#sub_paths] - if sub_name and sub_name ~= "" then - sub_value[sub_name] = conf - else - new_value = conf - end core.log.info("new value ", core.json.delay_encode(new_value, true)) local id, err = check_conf(id, new_value, true) diff --git a/apisix/admin/ssl.lua b/apisix/admin/ssl.lua index 898d9c1a988f3..6d9307d95d1da 100644 --- a/apisix/admin/ssl.lua +++ b/apisix/admin/ssl.lua @@ -14,10 +14,13 @@ -- See the License for the specific language governing permissions and -- limitations under the License. -- -local core = require("apisix.core") -local schema_plugin = require("apisix.admin.plugins").check_schema -local tostring = tostring - +local core = require("apisix.core") +local tostring = tostring +local aes = require "resty.aes" +local ngx_encode_base64 = ngx.encode_base64 +local str_find = string.find +local type = type +local assert = assert local _M = { version = 0.1, @@ -42,6 +45,8 @@ local function check_conf(id, conf, need_id) return nil, {error_msg = "wrong ssl id"} end + conf.id = id + core.log.info("schema: ", core.json.delay_encode(core.schema.ssl)) core.log.info("conf : ", core.json.delay_encode(conf)) local ok, err = core.schema.check(core.schema.ssl, conf) @@ -49,48 +54,31 @@ local function check_conf(id, conf, need_id) return nil, {error_msg = "invalid configuration: " .. err} end - local upstream_id = conf.upstream_id - if upstream_id then - local key = "/upstreams/" .. upstream_id - local res, err = core.etcd.get(key) - if not res then - return nil, {error_msg = "failed to fetch upstream info by " - .. "upstream id [" .. upstream_id .. "]: " - .. err} - end - - if res.status ~= 200 then - return nil, {error_msg = "failed to fetch upstream info by " - .. "upstream id [" .. upstream_id .. "], " - .. "response code: " .. res.status} - end - end + return need_id and id or true +end - local service_id = conf.service_id - if service_id then - local key = "/services/" .. service_id - local res, err = core.etcd.get(key) - if not res then - return nil, {error_msg = "failed to fetch service info by " - .. "service id [" .. service_id .. "]: " - .. err} - end - if res.status ~= 200 then - return nil, {error_msg = "failed to fetch service info by " - .. "service id [" .. service_id .. "], " - .. "response code: " .. res.status} - end +local function aes_encrypt(origin) + local local_conf = core.config.local_conf() + local iv + if local_conf and local_conf.apisix + and local_conf.apisix.ssl.key_encrypt_salt then + iv = local_conf.apisix.ssl.key_encrypt_salt end + local aes_128_cbc_with_iv = (type(iv)=="string" and #iv == 16) and + assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv=iv})) or nil - if conf.plugins then - local ok, err = schema_plugin(conf.plugins) - if not ok then - return nil, {error_msg = err} + if aes_128_cbc_with_iv ~= nil and str_find(origin, "---") then + local encrypted = aes_128_cbc_with_iv:encrypt(origin) + if encrypted == nil then + core.log.error("failed to encrypt key[", origin, "] ") + return origin end + + return ngx_encode_base64(encrypted) end - return need_id and id or true + return origin end @@ -100,6 +88,9 @@ function _M.put(id, conf) return 400, err end + -- encrypt private key + conf.key = aes_encrypt(conf.key) + local key = "/ssl/" .. id local res, err = core.etcd.set(key, conf) if not res then @@ -138,6 +129,9 @@ function _M.post(id, conf) return 400, err end + -- encrypt private key + conf.key = aes_encrypt(conf.key) + local key = "/ssl" -- core.log.info("key: ", key) local res, err = core.etcd.push("/ssl", conf) @@ -167,4 +161,57 @@ function _M.delete(id) end +function _M.patch(id, conf) + if not id then + return 400, {error_msg = "missing route id"} + end + + if not conf then + return 400, {error_msg = "missing new configuration"} + end + + if type(conf) ~= "table" then + return 400, {error_msg = "invalid configuration"} + end + + local key = "/ssl" + if id then + key = key .. "/" .. id + end + + local res_old, err = core.etcd.get(key) + if not res_old then + core.log.error("failed to get ssl [", key, "] in etcd: ", err) + return 500, {error_msg = err} + end + + if res_old.status ~= 200 then + return res_old.status, res_old.body + end + core.log.info("key: ", key, " old value: ", + core.json.delay_encode(res_old, true)) + + + local node_value = res_old.body.node.value + + node_value = core.table.merge(node_value, conf); + + core.log.info("new ssl conf: ", core.json.delay_encode(node_value, true)) + + local id, err = check_conf(id, node_value, true) + if not id then + return 400, err + end + + -- TODO: this is not safe, we need to use compare-set + local res, err = core.etcd.set(key, node_value) + if not res then + core.log.error("failed to set new ssl[", key, "] to etcd: ", err) + return 500, {error_msg = err} + end + + return res.status, res.body +end + + return _M diff --git a/apisix/admin/stream_routes.lua b/apisix/admin/stream_routes.lua index e806da5e01d6b..969f775164e63 100644 --- a/apisix/admin/stream_routes.lua +++ b/apisix/admin/stream_routes.lua @@ -31,17 +31,19 @@ local function check_conf(id, conf, need_id) id = id or conf.id if need_id and not id then - return nil, {error_msg = "missing stream stream route id"} + return nil, {error_msg = "missing stream route id"} end if not need_id and id then - return nil, {error_msg = "wrong stream stream route id, do not need it"} + return nil, {error_msg = "wrong stream route id, do not need it"} end if need_id and conf.id and tostring(conf.id) ~= tostring(id) then - return nil, {error_msg = "wrong stream stream route id"} + return nil, {error_msg = "wrong stream route id"} end + conf.id = id + core.log.info("schema: ", core.json.delay_encode(core.schema.stream_route)) core.log.info("conf : ", core.json.delay_encode(conf)) local ok, err = core.schema.check(core.schema.stream_route, conf) @@ -129,7 +131,7 @@ end function _M.delete(id) if not id then - return 400, {error_msg = "missing stream stream route id"} + return 400, {error_msg = "missing stream route id"} end local key = "/stream_routes/" .. id diff --git a/apisix/admin/upstreams.lua b/apisix/admin/upstreams.lua index e989cd5527831..f09093ec8aae8 100644 --- a/apisix/admin/upstreams.lua +++ b/apisix/admin/upstreams.lua @@ -100,9 +100,7 @@ local function check_conf(id, conf, need_id) end -- let schema check id - if id and not conf.id then - conf.id = id - end + conf.id = id core.log.info("schema: ", core.json.delay_encode(core.schema.upstream)) core.log.info("conf : ", core.json.delay_encode(conf)) @@ -213,19 +211,19 @@ function _M.delete(id) end -function _M.patch(id, conf, sub_path) +function _M.patch(id, conf) if not id then return 400, {error_msg = "missing upstream id"} end - if not sub_path then - return 400, {error_msg = "missing sub-path"} - end - if not conf then return 400, {error_msg = "missing new configuration"} end + if type(conf) ~= "table" then + return 400, {error_msg = "invalid configuration"} + end + local key = "/upstreams" .. "/" .. id local res_old, err = core.etcd.get(key) if not res_old then @@ -240,32 +238,9 @@ function _M.patch(id, conf, sub_path) core.json.delay_encode(res_old, true)) local new_value = res_old.body.node.value - local sub_value = new_value - local sub_paths = core.utils.split_uri(sub_path) - for i = 1, #sub_paths - 1 do - local sub_name = sub_paths[i] - if sub_value[sub_name] == nil then - sub_value[sub_name] = {} - end - sub_value = sub_value[sub_name] + new_value = core.table.merge(new_value, conf); - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" - .. core.table.concat(sub_paths, 1, i) - end - end - - if type(sub_value) ~= "table" then - return 400, "invalid sub-path: /" .. sub_path - end - - local sub_name = sub_paths[#sub_paths] - if sub_name and sub_name ~= "" then - sub_value[sub_name] = conf - else - new_value = conf - end core.log.info("new value ", core.json.delay_encode(new_value, true)) local id, err = check_conf(id, new_value, true) diff --git a/apisix/balancer.lua b/apisix/balancer.lua index a5134bcbd9280..1675128db0a81 100644 --- a/apisix/balancer.lua +++ b/apisix/balancer.lua @@ -14,23 +14,23 @@ -- See the License for the specific language governing permissions and -- limitations under the License. -- -local healthcheck = require("resty.healthcheck") -local roundrobin = require("resty.roundrobin") -local resty_chash = require("resty.chash") +local healthcheck +local require = require +local discovery = require("apisix.discovery.init").discovery local balancer = require("ngx.balancer") local core = require("apisix.core") -local error = error -local str_char = string.char -local str_gsub = string.gsub -local pairs = pairs +local ipairs = ipairs local tostring = tostring local set_more_tries = balancer.set_more_tries local get_last_failure = balancer.get_last_failure local set_timeouts = balancer.set_timeouts -local upstreams_etcd local module_name = "balancer" +local pickers = { + roundrobin = require("apisix.balancer.roundrobin"), + chash = require("apisix.balancer.chash"), +} local lrucache_server_picker = core.lrucache.new({ @@ -39,33 +39,43 @@ local lrucache_server_picker = core.lrucache.new({ local lrucache_checker = core.lrucache.new({ ttl = 300, count = 256 }) +local lrucache_addr = core.lrucache.new({ + ttl = 300, count = 1024 * 4 +}) local _M = { - version = 0.1, + version = 0.2, name = module_name, } local function fetch_health_nodes(upstream, checker) + local nodes = upstream.nodes if not checker then - return upstream.nodes + local new_nodes = core.table.new(0, #nodes) + for _, node in ipairs(nodes) do + -- TODO filter with metadata + new_nodes[node.host .. ":" .. node.port] = node.weight + end + return new_nodes end local host = upstream.checks and upstream.checks.host - local up_nodes = core.table.new(0, core.table.nkeys(upstream.nodes)) - - for addr, weight in pairs(upstream.nodes) do - local ip, port = core.utils.parse_addr(addr) - local ok = checker:get_target_status(ip, port, host) + local up_nodes = core.table.new(0, #nodes) + for _, node in ipairs(nodes) do + local ok = checker:get_target_status(node.host, node.port, host) if ok then - up_nodes[addr] = weight + -- TODO filter with metadata + up_nodes[node.host .. ":" .. node.port] = node.weight end end if core.table.nkeys(up_nodes) == 0 then core.log.warn("all upstream nodes is unhealth, use default") - up_nodes = upstream.nodes + for _, node in ipairs(nodes) do + up_nodes[node.host .. ":" .. node.port] = node.weight + end end return up_nodes @@ -73,18 +83,19 @@ end local function create_checker(upstream, healthcheck_parent) + if healthcheck == nil then + healthcheck = require("resty.healthcheck") + end local checker = healthcheck.new({ name = "upstream#" .. healthcheck_parent.key, shm_name = "upstream-healthcheck", checks = upstream.checks, }) - - for addr, weight in pairs(upstream.nodes) do - local ip, port = core.utils.parse_addr(addr) - local ok, err = checker:add_target(ip, port, upstream.checks.host) + for _, node in ipairs(upstream.nodes) do + local ok, err = checker:add_target(node.host, node.port, upstream.checks.host) if not ok then - core.log.error("failed to add new health check target: ", addr, - " err: ", err) + core.log.error("failed to add new health check target: ", node.host, ":", node.port, + " err: ", err) end end @@ -122,118 +133,60 @@ local function fetch_healthchecker(upstream, healthcheck_parent, version) end -local function fetch_chash_hash_key(ctx, upstream) - local key = upstream.key - local hash_on = upstream.hash_on or "vars" - local chash_key - - if hash_on == "consumer" then - chash_key = ctx.consumer_id - elseif hash_on == "vars" then - chash_key = ctx.var[key] - elseif hash_on == "header" then - chash_key = ctx.var["http_" .. key] - elseif hash_on == "cookie" then - chash_key = ctx.var["cookie_" .. key] - end - - if not chash_key then - chash_key = ctx.var["remote_addr"] - core.log.warn("chash_key fetch is nil, use default chash_key ", - "remote_addr: ", chash_key) - end - core.log.info("upstream key: ", key) - core.log.info("hash_on: ", hash_on) - core.log.info("chash_key: ", core.json.delay_encode(chash_key)) - - return chash_key -end - - local function create_server_picker(upstream, checker) - if upstream.type == "roundrobin" then + local picker = pickers[upstream.type] + if picker then local up_nodes = fetch_health_nodes(upstream, checker) core.log.info("upstream nodes: ", core.json.delay_encode(up_nodes)) - local picker = roundrobin:new(up_nodes) - return { - upstream = upstream, - get = function () - return picker:find() - end - } + return picker.new(up_nodes, upstream) end - if upstream.type == "chash" then - local up_nodes = fetch_health_nodes(upstream, checker) - core.log.info("upstream nodes: ", core.json.delay_encode(up_nodes)) - - local str_null = str_char(0) - - local servers, nodes = {}, {} - for serv, weight in pairs(up_nodes) do - local id = str_gsub(serv, ":", str_null) - - servers[id] = serv - nodes[id] = weight - end + return nil, "invalid balancer type: " .. upstream.type, 0 +end - local picker = resty_chash:new(nodes) - return { - upstream = upstream, - get = function (ctx) - local chash_key = fetch_chash_hash_key(ctx, upstream) - local id = picker:find(chash_key) - -- core.log.warn("chash id: ", id, " val: ", servers[id]) - return servers[id] - end - } - end - return nil, "invalid balancer type: " .. upstream.type, 0 +local function parse_addr(addr) + local host, port, err = core.utils.parse_addr(addr) + return {host = host, port = port}, err end local function pick_server(route, ctx) core.log.info("route: ", core.json.delay_encode(route, true)) core.log.info("ctx: ", core.json.delay_encode(ctx, true)) - local healthcheck_parent = route - local up_id = route.value.upstream_id - local up_conf = (route.dns_value and route.dns_value.upstream) - or route.value.upstream - if not up_id and not up_conf then - return nil, nil, "missing upstream configuration" + local up_conf = ctx.upstream_conf + if up_conf.service_name then + if not discovery then + return nil, "discovery is uninitialized" + end + up_conf.nodes = discovery.nodes(up_conf.service_name) end - local version - local key - - if up_id then - if not upstreams_etcd then - return nil, nil, "need to create a etcd instance for fetching " - .. "upstream information" - end + local nodes_count = up_conf.nodes and #up_conf.nodes or 0 + if nodes_count == 0 then + return nil, "no valid upstream node" + end - local up_obj = upstreams_etcd:get(tostring(up_id)) - if not up_obj then - return nil, nil, "failed to find upstream by id: " .. up_id + if up_conf.timeout then + local timeout = up_conf.timeout + local ok, err = set_timeouts(timeout.connect, timeout.send, + timeout.read) + if not ok then + core.log.error("could not set upstream timeouts: ", err) end - core.log.info("upstream: ", core.json.delay_encode(up_obj)) - - healthcheck_parent = up_obj - up_conf = up_obj.dns_value or up_obj.value - version = up_obj.modifiedIndex - key = up_conf.type .. "#upstream_" .. up_id - - else - version = ctx.conf_version - key = up_conf.type .. "#route_" .. route.value.id end - if core.table.nkeys(up_conf.nodes) == 0 then - return nil, nil, "no valid upstream node" + if nodes_count == 1 then + local node = up_conf.nodes[1] + ctx.balancer_ip = node.host + ctx.balancer_port = node.port + return node end + local healthcheck_parent = ctx.upstream_healthcheck_parent + local version = ctx.upstream_version + local key = ctx.upstream_key local checker = fetch_healthchecker(up_conf, healthcheck_parent, version) ctx.balancer_try_count = (ctx.balancer_try_count or 0) + 1 @@ -256,11 +209,10 @@ local function pick_server(route, ctx) if ctx.balancer_try_count == 1 then local retries = up_conf.retries - if retries and retries > 0 then - set_more_tries(retries) - else - set_more_tries(core.table.nkeys(up_conf.nodes)) + if not retries or retries <= 0 then + retries = #up_conf.nodes end + set_more_tries(retries) end if checker then @@ -270,45 +222,43 @@ local function pick_server(route, ctx) local server_picker = lrucache_server_picker(key, version, create_server_picker, up_conf, checker) if not server_picker then - return nil, nil, "failed to fetch server picker" + return nil, "failed to fetch server picker" end local server, err = server_picker.get(ctx) if not server then err = err or "no valid upstream node" - return nil, nil, "failed to find valid upstream server, " .. err + return nil, "failed to find valid upstream server, " .. err end - if up_conf.timeout then - local timeout = up_conf.timeout - local ok, err = set_timeouts(timeout.connect, timeout.send, - timeout.read) - if not ok then - core.log.error("could not set upstream timeouts: ", err) - end + local res, err = lrucache_addr(server, nil, parse_addr, server) + ctx.balancer_ip = res.host + ctx.balancer_port = res.port + -- core.log.info("proxy to ", host, ":", port) + if err then + core.log.error("failed to parse server addr: ", server, " err: ", err) + return core.response.exit(502) end - local ip, port, err = core.utils.parse_addr(server) - ctx.balancer_ip = ip - ctx.balancer_port = port - - return ip, port, err + return res end + + -- for test _M.pick_server = pick_server function _M.run(route, ctx) - local ip, port, err = pick_server(route, ctx) - if err then + local server, err = pick_server(route, ctx) + if not server then core.log.error("failed to pick server: ", err) return core.response.exit(502) end - local ok, err = balancer.set_current_peer(ip, port) + local ok, err = balancer.set_current_peer(server.host, server.port) if not ok then - core.log.error("failed to set server peer [", ip, ":", port, - "] err: ", err) + core.log.error("failed to set server peer [", server.host, ":", + server.port, "] err: ", err) return core.response.exit(502) end @@ -317,34 +267,6 @@ end function _M.init_worker() - local err - upstreams_etcd, err = core.config.new("/upstreams", { - automatic = true, - item_schema = core.schema.upstream, - filter = function(upstream) - upstream.has_domain = false - if not upstream.value then - return - end - - for addr, _ in pairs(upstream.value.nodes or {}) do - local host = core.utils.parse_addr(addr) - if not core.utils.parse_ipv4(host) and - not core.utils.parse_ipv6(host) then - upstream.has_domain = true - break - end - end - - core.log.info("filter upstream: ", - core.json.delay_encode(upstream)) - end, - }) - if not upstreams_etcd then - error("failed to create etcd instance for fetching upstream: " .. err) - return - end end - return _M diff --git a/apisix/balancer/chash.lua b/apisix/balancer/chash.lua new file mode 100644 index 0000000000000..38831cdb4e489 --- /dev/null +++ b/apisix/balancer/chash.lua @@ -0,0 +1,80 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local core = require("apisix.core") +local resty_chash = require("resty.chash") +local str_char = string.char +local str_gsub = string.gsub +local pairs = pairs + + +local _M = {} + + +local function fetch_chash_hash_key(ctx, upstream) + local key = upstream.key + local hash_on = upstream.hash_on or "vars" + local chash_key + + if hash_on == "consumer" then + chash_key = ctx.consumer_id + elseif hash_on == "vars" then + chash_key = ctx.var[key] + elseif hash_on == "header" then + chash_key = ctx.var["http_" .. key] + elseif hash_on == "cookie" then + chash_key = ctx.var["cookie_" .. key] + end + + if not chash_key then + chash_key = ctx.var["remote_addr"] + core.log.warn("chash_key fetch is nil, use default chash_key ", + "remote_addr: ", chash_key) + end + core.log.info("upstream key: ", key) + core.log.info("hash_on: ", hash_on) + core.log.info("chash_key: ", core.json.delay_encode(chash_key)) + + return chash_key +end + + +function _M.new(up_nodes, upstream) + local str_null = str_char(0) + + local servers, nodes = {}, {} + for serv, weight in pairs(up_nodes) do + local id = str_gsub(serv, ":", str_null) + + servers[id] = serv + nodes[id] = weight + end + + local picker = resty_chash:new(nodes) + return { + upstream = upstream, + get = function (ctx) + local chash_key = fetch_chash_hash_key(ctx, upstream) + local id = picker:find(chash_key) + -- core.log.warn("chash id: ", id, " val: ", servers[id]) + return servers[id] + end + } +end + + +return _M diff --git a/apisix/balancer/roundrobin.lua b/apisix/balancer/roundrobin.lua new file mode 100644 index 0000000000000..dac4f03ea10d6 --- /dev/null +++ b/apisix/balancer/roundrobin.lua @@ -0,0 +1,34 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local roundrobin = require("resty.roundrobin") + +local _M = {} + + +function _M.new(up_nodes, upstream) + local picker = roundrobin:new(up_nodes) + return { + upstream = upstream, + get = function () + return picker:find() + end + } +end + + +return _M diff --git a/apisix/core/config_etcd.lua b/apisix/core/config_etcd.lua index dd0a5487bac1f..fbb6df8dbf5d5 100644 --- a/apisix/core/config_etcd.lua +++ b/apisix/core/config_etcd.lua @@ -308,6 +308,7 @@ local function sync_data(self) key = short_key(self, self.values[i].key) self.values_hash[key] = i end + self.sync_times = 0 end self.conf_version = self.conf_version + 1 diff --git a/apisix/core/config_yaml.lua b/apisix/core/config_yaml.lua index 7803deccf4e16..eed861fafaf35 100644 --- a/apisix/core/config_yaml.lua +++ b/apisix/core/config_yaml.lua @@ -58,7 +58,10 @@ local mt = { local apisix_yaml local apisix_yaml_ctime -local function read_apisix_yaml(pre_mtime) +local function read_apisix_yaml(premature, pre_mtime) + if premature then + return + end local attributes, err = lfs.attributes(apisix_yaml_path) if not attributes then log.error("failed to fetch ", apisix_yaml_path, " attributes: ", err) diff --git a/apisix/core/table.lua b/apisix/core/table.lua index 0fc64acc34440..e666e162a2293 100644 --- a/apisix/core/table.lua +++ b/apisix/core/table.lua @@ -25,13 +25,14 @@ local type = type local _M = { - version = 0.1, + version = 0.2, new = new_tab, clear = require("table.clear"), nkeys = nkeys, insert = table.insert, concat = table.concat, clone = require("table.clone"), + isarray = require("table.isarray"), } @@ -84,5 +85,24 @@ local function deepcopy(orig) end _M.deepcopy = deepcopy +local ngx_null = ngx.null +local function merge(origin, extend) + for k,v in pairs(extend) do + if type(v) == "table" then + if type(origin[k] or false) == "table" then + merge(origin[k] or {}, extend[k] or {}) + else + origin[k] = v + end + elseif v == ngx_null then + origin[k] = nil + else + origin[k] = v + end + end + + return origin +end +_M.merge = merge return _M diff --git a/apisix/core/version.lua b/apisix/core/version.lua index dfd10502979b8..c3606c206e533 100644 --- a/apisix/core/version.lua +++ b/apisix/core/version.lua @@ -15,5 +15,5 @@ -- limitations under the License. -- return { - VERSION = "1.2" + VERSION = "1.4" } diff --git a/apisix/discovery/eureka.lua b/apisix/discovery/eureka.lua new file mode 100644 index 0000000000000..d4b4368536170 --- /dev/null +++ b/apisix/discovery/eureka.lua @@ -0,0 +1,253 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local local_conf = require("apisix.core.config_local").local_conf() +local http = require("resty.http") +local core = require("apisix.core") +local ipmatcher = require("resty.ipmatcher") +local ipairs = ipairs +local tostring = tostring +local type = type +local math_random = math.random +local error = error +local ngx = ngx +local ngx_timer_at = ngx.timer.at +local ngx_timer_every = ngx.timer.every +local string_sub = string.sub +local string_find = string.find +local log = core.log + +local default_weight +local applications + +local schema = { + type = "object", + properties = { + host = { + type = "array", + minItems = 1, + items = { + type = "string", + }, + }, + fetch_interval = {type = "integer", minimum = 1, default = 30}, + prefix = {type = "string"}, + weight = {type = "integer", minimum = 0}, + timeout = { + type = "object", + properties = { + connect = {type = "integer", minimum = 1, default = 2000}, + send = {type = "integer", minimum = 1, default = 2000}, + read = {type = "integer", minimum = 1, default = 5000}, + } + }, + }, + required = {"host"} +} + + +local _M = { + version = 0.1, +} + + +local function service_info() + local host = local_conf.eureka and local_conf.eureka.host + if not host then + log.error("do not set eureka.host") + return + end + + local basic_auth + -- TODO Add health check to get healthy nodes. + local url = host[math_random(#host)] + local auth_idx = string_find(url, "@", 1, true) + if auth_idx then + local protocol_idx = string_find(url, "://", 1, true) + local protocol = string_sub(url, 1, protocol_idx + 2) + local user_and_password = string_sub(url, protocol_idx + 3, auth_idx - 1) + local other = string_sub(url, auth_idx + 1) + url = protocol .. other + basic_auth = "Basic " .. ngx.encode_base64(user_and_password) + end + if local_conf.eureka.prefix then + url = url .. local_conf.eureka.prefix + end + if string_sub(url, #url) ~= "/" then + url = url .. "/" + end + + return url, basic_auth +end + + +local function request(request_uri, basic_auth, method, path, query, body) + log.info("eureka uri:", request_uri, ".") + local url = request_uri .. path + local headers = core.table.new(0, 5) + headers['Connection'] = 'Keep-Alive' + headers['Accept'] = 'application/json' + + if basic_auth then + headers['Authorization'] = basic_auth + end + + if body and 'table' == type(body) then + local err + body, err = core.json.encode(body) + if not body then + return nil, 'invalid body : ' .. err + end + -- log.warn(method, url, body) + headers['Content-Type'] = 'application/json' + end + + local httpc = http.new() + local timeout = local_conf.eureka.timeout + local connect_timeout = timeout and timeout.connect or 2000 + local send_timeout = timeout and timeout.send or 2000 + local read_timeout = timeout and timeout.read or 5000 + log.info("connect_timeout:", connect_timeout, ", send_timeout:", send_timeout, + ", read_timeout:", read_timeout, ".") + httpc:set_timeouts(connect_timeout, send_timeout, read_timeout) + return httpc:request_uri(url, { + version = 1.1, + method = method, + headers = headers, + query = query, + body = body, + ssl_verify = false, + }) +end + + +local function parse_instance(instance) + local status = instance.status + local overridden_status = instance.overriddenstatus or instance.overriddenStatus + if overridden_status and overridden_status ~= "UNKNOWN" then + status = overridden_status + end + + if status ~= "UP" then + return + end + local port + if tostring(instance.port["@enabled"]) == "true" and instance.port["$"] then + port = instance.port["$"] + -- secure = false + end + if tostring(instance.securePort["@enabled"]) == "true" and instance.securePort["$"] then + port = instance.securePort["$"] + -- secure = true + end + local ip = instance.ipAddr + if not ipmatcher.parse_ipv4(ip) and + not ipmatcher.parse_ipv6(ip) then + log.error(instance.app, " service ", instance.hostName, " node IP ", ip, + " is invalid(must be IPv4 or IPv6).") + return + end + return ip, port, instance.metadata +end + + +local function fetch_full_registry(premature) + if premature then + return + end + + local request_uri, basic_auth = service_info() + if not request_uri then + return + end + + local res, err = request(request_uri, basic_auth, "GET", "apps") + if not res then + log.error("failed to fetch registry", err) + return + end + + if not res.body or res.status ~= 200 then + log.error("failed to fetch registry, status = ", res.status) + return + end + + local json_str = res.body + local data, err = core.json.decode(json_str) + if not data then + log.error("invalid response body: ", json_str, " err: ", err) + return + end + local apps = data.applications.application + local up_apps = core.table.new(0, #apps) + for _, app in ipairs(apps) do + for _, instance in ipairs(app.instance) do + local ip, port, metadata = parse_instance(instance) + if ip and port then + local nodes = up_apps[app.name] + if not nodes then + nodes = core.table.new(#app.instance, 0) + up_apps[app.name] = nodes + end + core.table.insert(nodes, { + host = ip, + port = port, + weight = metadata and metadata.weight or default_weight, + metadata = metadata, + }) + if metadata then + -- remove useless data + metadata.weight = nil + end + end + end + end + applications = up_apps +end + + +function _M.nodes(service_name) + if not applications then + log.error("failed to fetch nodes for : ", service_name) + return + end + + return applications[service_name] +end + + +function _M.init_worker() + if not local_conf.eureka or not local_conf.eureka.host or #local_conf.eureka.host == 0 then + error("do not set eureka.host") + return + end + + local ok, err = core.schema.check(schema, local_conf.eureka) + if not ok then + error("invalid eureka configuration: " .. err) + return + end + default_weight = local_conf.eureka.weight or 100 + log.info("default_weight:", default_weight, ".") + local fetch_interval = local_conf.eureka.fetch_interval or 30 + log.info("fetch_interval:", fetch_interval, ".") + ngx_timer_at(0, fetch_full_registry) + ngx_timer_every(fetch_interval, fetch_full_registry) +end + + +return _M diff --git a/apisix/discovery/init.lua b/apisix/discovery/init.lua new file mode 100644 index 0000000000000..16aafe62c50d5 --- /dev/null +++ b/apisix/discovery/init.lua @@ -0,0 +1,33 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local log = require("apisix.core.log") +local local_conf = require("apisix.core.config_local").local_conf() + +local discovery_type = local_conf.apisix and local_conf.apisix.discovery +local discovery + +if discovery_type then + log.info("use discovery: ", discovery_type) + discovery = require("apisix.discovery." .. discovery_type) +end + + +return { + version = 0.1, + discovery = discovery +} diff --git a/apisix/http/router/radixtree_sni.lua b/apisix/http/router/radixtree_sni.lua index 0ecc3bf3cbb2a..1eb7aa54508b4 100644 --- a/apisix/http/router/radixtree_sni.lua +++ b/apisix/http/router/radixtree_sni.lua @@ -18,9 +18,14 @@ local get_request = require("resty.core.base").get_request local radixtree_new = require("resty.radixtree").new local core = require("apisix.core") local ngx_ssl = require("ngx.ssl") -local ipairs = ipairs +local config_util = require("apisix.core.config_util") +local ipairs = ipairs local type = type local error = error +local str_find = string.find +local aes = require "resty.aes" +local assert = assert +local ngx_decode_base64 = ngx.decode_base64 local ssl_certificates local radixtree_router local radixtree_router_ver @@ -38,9 +43,44 @@ local function create_router(ssl_items) local route_items = core.table.new(#ssl_items, 0) local idx = 0 - for _, ssl in ipairs(ssl_items) do - if type(ssl) == "table" then - local sni = ssl.value.sni:reverse() + local local_conf = core.config.local_conf() + local iv + if local_conf and local_conf.apisix + and local_conf.apisix.ssl + and local_conf.apisix.ssl.key_encrypt_salt then + iv = local_conf.apisix.ssl.key_encrypt_salt + end + local aes_128_cbc_with_iv = (type(iv)=="string" and #iv == 16) and + assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv=iv})) or nil + + for _, ssl in config_util.iterate_values(ssl_items) do + if ssl.value ~= nil and + (ssl.value.status == nil or ssl.value.status == 1) then -- compatible with old version + + local j = 0 + local sni + if type(ssl.value.snis) == "table" and #ssl.value.snis > 0 then + sni = core.table.new(0, #ssl.value.snis) + for _, s in ipairs(ssl.value.snis) do + j = j + 1 + sni[j] = s:reverse() + end + else + sni = ssl.value.sni:reverse() + end + + -- decrypt private key + if aes_128_cbc_with_iv ~= nil and + not str_find(ssl.value.key, "---") then + local decrypted = aes_128_cbc_with_iv:decrypt(ngx_decode_base64(ssl.value.key)) + if decrypted == nil then + core.log.error("decrypt ssl key failed. key[", ssl.value.key, "] ") + else + ssl.value.key = decrypted + end + end + + local idx = idx + 1 route_items[idx] = { paths = sni, @@ -49,6 +89,7 @@ local function create_router(ssl_items) return end api_ctx.matched_ssl = ssl + api_ctx.matched_sni = sni end } end @@ -114,14 +155,37 @@ function _M.match_and_set(api_ctx) end core.log.debug("sni: ", sni) - local ok = radixtree_router:dispatch(sni:reverse(), nil, api_ctx) + + local sni_rev = sni:reverse() + local ok = radixtree_router:dispatch(sni_rev, nil, api_ctx) if not ok then core.log.warn("not found any valid sni configuration") return false end + + if type(api_ctx.matched_sni) == "table" then + local matched = false + for _, msni in ipairs(api_ctx.matched_sni) do + if sni_rev == msni or not str_find(sni_rev, ".", #msni, true) then + matched = true + end + end + if not matched then + core.log.warn("not found any valid sni configuration, matched sni: ", + core.json.delay_encode(api_ctx.matched_sni, true), " current sni: ", sni) + return false + end + else + if str_find(sni_rev, ".", #api_ctx.matched_sni, true) then + core.log.warn("not found any valid sni configuration, matched sni: ", + api_ctx.matched_sni:reverse(), " current sni: ", sni) + return false + end + end + local matched_ssl = api_ctx.matched_ssl - core.log.info("debug: ", core.json.delay_encode(matched_ssl, true)) + core.log.info("debug - matched: ", core.json.delay_encode(matched_ssl, true)) ok, err = set_pem_ssl_key(matched_ssl.value.cert, matched_ssl.value.key) if not ok then return false, err @@ -135,7 +199,7 @@ function _M.init_worker() local err ssl_certificates, err = core.config.new("/ssl", { automatic = true, - item_schema = core.schema.ssl + item_schema = core.schema.ssl, }) if not ssl_certificates then error("failed to create etcd instance for fetching ssl certificates: " diff --git a/apisix/http/service.lua b/apisix/http/service.lua index 42d31dd58b3c0..161d82fe23588 100644 --- a/apisix/http/service.lua +++ b/apisix/http/service.lua @@ -14,7 +14,8 @@ -- See the License for the specific language governing permissions and -- limitations under the License. -- -local core = require("apisix.core") +local core = require("apisix.core") +local ipairs = ipairs local services local error = error local pairs = pairs @@ -45,17 +46,36 @@ local function filter(service) return end - if not service.value.upstream then + if not service.value.upstream or not service.value.upstream.nodes then return end - for addr, _ in pairs(service.value.upstream.nodes or {}) do - local host = core.utils.parse_addr(addr) - if not core.utils.parse_ipv4(host) and - not core.utils.parse_ipv6(host) then - service.has_domain = true - break + local nodes = service.value.upstream.nodes + if core.table.isarray(nodes) then + for _, node in ipairs(nodes) do + local host = node.host + if not core.utils.parse_ipv4(host) and + not core.utils.parse_ipv6(host) then + service.has_domain = true + break + end end + else + local new_nodes = core.table.new(core.table.nkeys(nodes), 0) + for addr, weight in pairs(nodes) do + local host, port = core.utils.parse_addr(addr) + if not core.utils.parse_ipv4(host) and + not core.utils.parse_ipv6(host) then + service.has_domain = true + end + local node = { + host = host, + port = port, + weight = weight, + } + core.table.insert(new_nodes, node) + end + service.value.upstream.nodes = new_nodes end core.log.info("filter service: ", core.json.delay_encode(service)) diff --git a/apisix/init.lua b/apisix/init.lua index 48c5b8098bdf9..41295f095dd6c 100644 --- a/apisix/init.lua +++ b/apisix/init.lua @@ -22,13 +22,14 @@ local service_fetch = require("apisix.http.service").get local admin_init = require("apisix.admin.init") local get_var = require("resty.ngxvar").fetch local router = require("apisix.router") +local set_upstream = require("apisix.upstream").set_by_route local ipmatcher = require("resty.ipmatcher") local ngx = ngx local get_method = ngx.req.get_method local ngx_exit = ngx.exit local math = math local error = error -local pairs = pairs +local ipairs = ipairs local tostring = tostring local load_balancer @@ -42,7 +43,7 @@ local function parse_args(args) end -local _M = {version = 0.3} +local _M = {version = 0.4} function _M.http_init(args) @@ -74,7 +75,10 @@ function _M.http_init_worker() if not ok then error("failed to init worker event: " .. err) end - + local discovery = require("apisix.discovery.init").discovery + if discovery and discovery.init_worker then + discovery.init_worker() + end require("apisix.balancer").init_worker() load_balancer = require("apisix.balancer").run require("apisix.admin.init").init_worker() @@ -89,6 +93,7 @@ function _M.http_init_worker() end require("apisix.debug").init_worker() + require("apisix.upstream").init_worker() local local_conf = core.config.local_conf() local dns_resolver_valid = local_conf and local_conf.apisix and @@ -107,30 +112,7 @@ local function run_plugin(phase, plugins, api_ctx) end plugins = plugins or api_ctx.plugins - if not plugins then - return api_ctx - end - - if phase == "balancer" then - local balancer_name = api_ctx.balancer_name - local balancer_plugin = api_ctx.balancer_plugin - if balancer_name and balancer_plugin then - local phase_fun = balancer_plugin[phase] - phase_fun(balancer_plugin, api_ctx) - return api_ctx - end - - for i = 1, #plugins, 2 do - local phase_fun = plugins[i][phase] - if phase_fun and - (not balancer_name or balancer_name == plugins[i].name) then - phase_fun(plugins[i + 1], api_ctx) - if api_ctx.balancer_name == plugins[i].name then - api_ctx.balancer_plugin = plugins[i] - return api_ctx - end - end - end + if not plugins or #plugins == 0 then return api_ctx end @@ -179,71 +161,71 @@ function _M.http_ssl_phase() end -local function parse_domain_in_up(up, ver) - local new_nodes = core.table.new(0, 8) - for addr, weight in pairs(up.value.nodes) do - local host, port = core.utils.parse_addr(addr) +local function parse_domain(host) + local ip_info, err = core.utils.dns_parse(dns_resolver, host) + if not ip_info then + core.log.error("failed to parse domain for ", host, ", error:",err) + return nil, err + end + + core.log.info("parse addr: ", core.json.delay_encode(ip_info)) + core.log.info("resolver: ", core.json.delay_encode(dns_resolver)) + core.log.info("host: ", host) + if ip_info.address then + core.log.info("dns resolver domain: ", host, " to ", ip_info.address) + return ip_info.address + else + return nil, "failed to parse domain" + end +end + + +local function parse_domain_for_nodes(nodes) + local new_nodes = core.table.new(#nodes, 0) + for _, node in ipairs(nodes) do + local host = node.host if not ipmatcher.parse_ipv4(host) and - not ipmatcher.parse_ipv6(host) then - local ip_info, err = core.utils.dns_parse(dns_resolver, host) - if not ip_info then - return nil, err + not ipmatcher.parse_ipv6(host) then + local ip, err = parse_domain(host) + if ip then + local new_node = core.table.clone(node) + new_node.host = ip + core.table.insert(new_nodes, new_node) end - core.log.info("parse addr: ", core.json.delay_encode(ip_info)) - core.log.info("resolver: ", core.json.delay_encode(dns_resolver)) - core.log.info("host: ", host) - if ip_info.address then - new_nodes[ip_info.address .. ":" .. port] = weight - core.log.info("dns resolver domain: ", host, " to ", - ip_info.address) - else - return nil, "failed to parse domain in route" + if err then + return nil, err end else - new_nodes[addr] = weight + core.table.insert(new_nodes, node) end end + return new_nodes +end + +local function parse_domain_in_up(up, ver) + local nodes = up.value.nodes + local new_nodes, err = parse_domain_for_nodes(nodes) + if not new_nodes then + return nil, err + end up.dns_value = core.table.clone(up.value) up.dns_value.nodes = new_nodes - core.log.info("parse upstream which contain domain: ", - core.json.delay_encode(up)) + core.log.info("parse upstream which contain domain: ", core.json.delay_encode(up)) return up end local function parse_domain_in_route(route, ver) - local new_nodes = core.table.new(0, 8) - for addr, weight in pairs(route.value.upstream.nodes) do - local host, port = core.utils.parse_addr(addr) - if not ipmatcher.parse_ipv4(host) and - not ipmatcher.parse_ipv6(host) then - local ip_info, err = core.utils.dns_parse(dns_resolver, host) - if not ip_info then - return nil, err - end - - core.log.info("parse addr: ", core.json.delay_encode(ip_info)) - core.log.info("resolver: ", core.json.delay_encode(dns_resolver)) - core.log.info("host: ", host) - if ip_info and ip_info.address then - new_nodes[ip_info.address .. ":" .. port] = weight - core.log.info("dns resolver domain: ", host, " to ", - ip_info.address) - else - return nil, "failed to parse domain in route" - end - - else - new_nodes[addr] = weight - end + local nodes = route.value.upstream.nodes + local new_nodes, err = parse_domain_for_nodes(nodes) + if not new_nodes then + return nil, err end - route.dns_value = core.table.deepcopy(route.value) route.dns_value.upstream.nodes = new_nodes - core.log.info("parse route which contain domain: ", - core.json.delay_encode(route)) + core.log.info("parse route which contain domain: ", core.json.delay_encode(route)) return route end @@ -280,6 +262,8 @@ function _M.http_access_phase() api_ctx.conf_type = nil api_ctx.conf_version = nil api_ctx.conf_id = nil + + api_ctx.global_rules = router.global_rules end router.router_http.match(api_ctx) @@ -380,6 +364,12 @@ function _M.http_access_phase() end end run_plugin("access", plugins, api_ctx) + + local ok, err = set_upstream(route, api_ctx) + if not ok then + core.log.error("failed to parse upstream: ", err) + core.response.exit(500) + end end @@ -440,38 +430,43 @@ function _M.grpc_access_phase() run_plugin("rewrite", plugins, api_ctx) run_plugin("access", plugins, api_ctx) + + set_upstream(route, api_ctx) end -local function common_phase(plugin_name) + +local function common_phase(phase_name) local api_ctx = ngx.ctx.api_ctx if not api_ctx then return end - if router.global_rules and router.global_rules.values - and #router.global_rules.values > 0 - then + if api_ctx.global_rules then local plugins = core.tablepool.fetch("plugins", 32, 0) - local values = router.global_rules.values + local values = api_ctx.global_rules.values for _, global_rule in config_util.iterate_values(values) do core.table.clear(plugins) plugins = plugin.filter(global_rule, plugins) - run_plugin(plugin_name, plugins, api_ctx) + run_plugin(phase_name, plugins, api_ctx) end core.tablepool.release("plugins", plugins) end - run_plugin(plugin_name, nil, api_ctx) + + run_plugin(phase_name, nil, api_ctx) return api_ctx end + function _M.http_header_filter_phase() common_phase("header_filter") end + function _M.http_body_filter_phase() common_phase("body_filter") end + function _M.http_log_phase() local api_ctx = common_phase("log") @@ -488,6 +483,7 @@ function _M.http_log_phase() core.tablepool.release("api_ctx", api_ctx) end + function _M.http_balancer_phase() local api_ctx = ngx.ctx.api_ctx if not api_ctx then @@ -495,22 +491,10 @@ function _M.http_balancer_phase() return core.response.exit(500) end - -- first time - if not api_ctx.balancer_name then - run_plugin("balancer", nil, api_ctx) - if api_ctx.balancer_name then - return - end - end - - if api_ctx.balancer_name and api_ctx.balancer_name ~= "default" then - return run_plugin("balancer", nil, api_ctx) - end - - api_ctx.balancer_name = "default" load_balancer(api_ctx.matched_route, api_ctx) end + local function cors_admin() local local_conf = core.config.local_conf() if local_conf.apisix and not local_conf.apisix.enable_admin_cors then @@ -536,6 +520,10 @@ local function cors_admin() "Access-Control-Max-Age", "3600") end +local function add_content_type() + core.response.set_header("Content-Type", "application/json") +end + do local router @@ -547,6 +535,9 @@ function _M.http_admin() -- add cors rsp header cors_admin() + -- add content type to rsp header + add_content_type() + -- core.log.info("uri: ", get_var("uri"), " method: ", get_method()) local ok = router:dispatch(get_var("uri"), {method = get_method()}) if not ok then @@ -606,7 +597,13 @@ function _M.stream_preread_phase() api_ctx.plugins = plugin.stream_filter(matched_route, plugins) -- core.log.info("valid plugins: ", core.json.delay_encode(plugins, true)) + api_ctx.conf_type = "stream/route" + api_ctx.conf_version = matched_route.modifiedIndex + api_ctx.conf_id = matched_route.value.id + run_plugin("preread", plugins, api_ctx) + + set_upstream(matched_route, api_ctx) end @@ -618,19 +615,6 @@ function _M.stream_balancer_phase() return ngx_exit(1) end - -- first time - if not api_ctx.balancer_name then - run_plugin("balancer", nil, api_ctx) - if api_ctx.balancer_name then - return - end - end - - if api_ctx.balancer_name and api_ctx.balancer_name ~= "default" then - return run_plugin("balancer", nil, api_ctx) - end - - api_ctx.balancer_name = "default" load_balancer(api_ctx.matched_route, api_ctx) end diff --git a/apisix/plugin.lua b/apisix/plugin.lua index 8186d155af615..075d0584358be 100644 --- a/apisix/plugin.lua +++ b/apisix/plugin.lua @@ -235,7 +235,8 @@ end function _M.filter(user_route, plugins) plugins = plugins or core.table.new(#local_plugins * 2, 0) local user_plugin_conf = user_route.value.plugins - if user_plugin_conf == nil then + if user_plugin_conf == nil or + core.table.nkeys(user_plugin_conf) == 0 then if local_conf and local_conf.apisix.enable_debug then core.response.set_header("Apisix-Plugins", "no plugin") end diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua new file mode 100644 index 0000000000000..2704f4ef03563 --- /dev/null +++ b/apisix/plugins/authz-keycloak.lua @@ -0,0 +1,165 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local http = require "resty.http" +local sub_str = string.sub +local url = require "net.url" +local tostring = tostring +local ngx = ngx +local plugin_name = "authz-keycloak" + + +local schema = { + type = "object", + properties = { + token_endpoint = {type = "string", minLength = 1, maxLength = 4096}, + permissions = { + type = "array", + items = { + type = "string", + minLength = 1, maxLength = 100 + }, + uniqueItems = true + }, + grant_type = { + type = "string", + default="urn:ietf:params:oauth:grant-type:uma-ticket", + enum = {"urn:ietf:params:oauth:grant-type:uma-ticket"}, + minLength = 1, maxLength = 100 + }, + audience = {type = "string", minLength = 1, maxLength = 100}, + timeout = {type = "integer", minimum = 1000, default = 3000}, + policy_enforcement_mode = { + type = "string", + enum = {"ENFORCING", "PERMISSIVE"}, + default = "ENFORCING" + }, + keepalive = {type = "boolean", default = true}, + keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, + keepalive_pool = {type = "integer", minimum = 1, default = 5}, + + }, + required = {"token_endpoint"} +} + + +local _M = { + version = 0.1, + priority = 2000, + type = 'auth', + name = plugin_name, + schema = schema, +} + +function _M.check_schema(conf) + return core.schema.check(schema, conf) +end + +local function is_path_protected(conf) + -- TODO if permissions are empty lazy load paths from Keycloak + if conf.permissions == nil then + return false + end + return true +end + + +local function evaluate_permissions(conf, token) + local url_decoded = url.parse(conf.token_endpoint) + local host = url_decoded.host + local port = url_decoded.port + + if not port then + if url_decoded.scheme == "https" then + port = 443 + else + port = 80 + end + end + + if not is_path_protected(conf) and conf.policy_enforcement_mode == "ENFORCING" then + core.response.exit(403) + return + end + + local httpc = http.new() + httpc:set_timeout(conf.timeout) + + local params = { + method = "POST", + body = ngx.encode_args({ + grant_type = conf.grant_type, + audience = conf.audience, + response_mode = "decision", + permission = conf.permissions + }), + headers = { + ["Content-Type"] = "application/x-www-form-urlencoded", + ["Authorization"] = token + } + } + + if conf.keepalive then + params.keepalive_timeout = conf.keepalive_timeout + params.keepalive_pool = conf.keepalive_pool + else + params.keepalive = conf.keepalive + end + + local httpc_res, httpc_err = httpc:request_uri(conf.token_endpoint, params) + + if not httpc_res then + core.log.error("error while sending authz request to [", host ,"] port[", + tostring(port), "] ", httpc_err) + core.response.exit(500, httpc_err) + return + end + + if httpc_res.status >= 400 then + core.log.error("status code: ", httpc_res.status, " msg: ", httpc_res.body) + core.response.exit(httpc_res.status, httpc_res.body) + end +end + + +local function fetch_jwt_token(ctx) + local token = core.request.header(ctx, "authorization") + if not token then + return nil, "authorization header not available" + end + + local prefix = sub_str(token, 1, 7) + if prefix ~= 'Bearer ' and prefix ~= 'bearer ' then + return "Bearer " .. token + end + return token +end + + +function _M.rewrite(conf, ctx) + core.log.debug("hit keycloak-auth rewrite") + local jwt_token, err = fetch_jwt_token(ctx) + if not jwt_token then + core.log.error("failed to fetch JWT token: ", err) + return 401, {message = "Missing JWT token in request"} + end + + evaluate_permissions(conf, jwt_token) +end + + +return _M diff --git a/apisix/plugins/batch-requests.lua b/apisix/plugins/batch-requests.lua index 34d784a89f970..71878218d8d7e 100644 --- a/apisix/plugins/batch-requests.lua +++ b/apisix/plugins/batch-requests.lua @@ -14,12 +14,15 @@ -- See the License for the specific language governing permissions and -- limitations under the License. -- -local core = require("apisix.core") -local http = require("resty.http") -local ngx = ngx -local io_open = io.open -local ipairs = ipairs -local pairs = pairs +local core = require("apisix.core") +local http = require("resty.http") +local ngx = ngx +local io_open = io.open +local ipairs = ipairs +local pairs = pairs +local str_find = string.find +local str_lower = string.lower + local plugin_name = "batch-requests" @@ -112,18 +115,42 @@ local function check_input(data) end end +local function lowercase_key_or_init(obj) + if not obj then + return {} + end -local function set_common_header(data) - if not data.headers then - return + local lowercase_key_obj = {} + for k, v in pairs(obj) do + lowercase_key_obj[str_lower(k)] = v end + return lowercase_key_obj +end + +local function ensure_header_lowercase(data) + data.headers = lowercase_key_or_init(data.headers) + for i,req in ipairs(data.pipeline) do - if not req.headers then - req.headers = data.headers - else - for k, v in pairs(data.headers) do - if not req.headers[k] then + req.headers = lowercase_key_or_init(req.headers) + end +end + + +local function set_common_header(data) + local outer_headers = core.request.headers(nil) + for i,req in ipairs(data.pipeline) do + for k, v in pairs(data.headers) do + if not req.headers[k] then + req.headers[k] = v + end + end + + if outer_headers then + for k, v in pairs(outer_headers) do + local is_content_header = str_find(k, "content-", 1, true) == 1 + -- skip header start with "content-" + if not req.headers[k] and not is_content_header then req.headers[k] = v end end @@ -198,8 +225,10 @@ local function batch_requests() core.response.exit(500, {error_msg = "connect to apisix failed: " .. err}) end + ensure_header_lowercase(data) set_common_header(data) set_common_query(data) + local responses, err = httpc:request_pipeline(data.pipeline) if not responses then core.response.exit(400, {error_msg = "request failed: " .. err}) diff --git a/apisix/plugins/consumer-restriction.lua b/apisix/plugins/consumer-restriction.lua new file mode 100644 index 0000000000000..912e2129a8cc2 --- /dev/null +++ b/apisix/plugins/consumer-restriction.lua @@ -0,0 +1,94 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local ipairs = ipairs +local core = require("apisix.core") + +local schema = { + type = "object", + properties = { + whitelist = { + type = "array", + items = {type = "string"}, + minItems = 1 + }, + blacklist = { + type = "array", + items = {type = "string"}, + minItems = 1 + } + }, + oneOf = { + {required = {"whitelist"}}, + {required = {"blacklist"}} + } +} + + +local plugin_name = "consumer-restriction" + + +local _M = { + version = 0.1, + priority = 2400, + name = plugin_name, + schema = schema, +} + +local function is_include(value, tab) + for k,v in ipairs(tab) do + if v == value then + return true + end + end + return false +end + +function _M.check_schema(conf) + local ok, err = core.schema.check(schema, conf) + + if not ok then + return false, err + end + + return true +end + +function _M.access(conf, ctx) + if not ctx.consumer then + return 401, { message = "Missing authentication or identity verification." } + end + + local block = false + if conf.blacklist and #conf.blacklist > 0 then + if is_include(ctx.consumer.username, conf.blacklist) then + block = true + end + end + + if conf.whitelist and #conf.whitelist > 0 then + if not is_include(ctx.consumer.username, conf.whitelist) then + block = true + end + end + + if block then + return 403, { message = "The consumer is not allowed" } + end +end + + +return _M diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua index b64010e299771..9fe91c94dd582 100644 --- a/apisix/plugins/cors.lua +++ b/apisix/plugins/cors.lua @@ -71,11 +71,34 @@ local schema = { local _M = { version = 0.1, priority = 4000, - type = 'auth', name = plugin_name, schema = schema, } +local function create_mutiple_origin_cache(conf) + if not str_find(conf.allow_origins, ",", 1, true) then + return nil + end + local origin_cache = {} + local iterator, err = re_gmatch(conf.allow_origins, "([^,]+)", "jiox") + if not iterator then + core.log.error("match origins failed: ", err) + return nil + end + while true do + local origin, err = iterator() + if err then + core.log.error("iterate origins failed: ", err) + return nil + end + if not origin then + break + end + origin_cache[origin[0]] = true + end + return origin_cache +end + function _M.check_schema(conf) local ok, err = core.schema.check(schema, conf) if not ok then @@ -85,63 +108,48 @@ function _M.check_schema(conf) return true end -function _M.access(conf, ctx) +local function set_cors_headers(conf, ctx) + local allow_methods = conf.allow_methods + if allow_methods == "**" then + allow_methods = "GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE" + end + + ngx.header["Access-Control-Allow-Origin"] = ctx.cors_allow_origins + ngx.header["Access-Control-Allow-Methods"] = allow_methods + ngx.header["Access-Control-Allow-Headers"] = conf.allow_headers + ngx.header["Access-Control-Max-Age"] = conf.max_age + if conf.allow_credential then + ngx.header["Access-Control-Allow-Credentials"] = true + end + ngx.header["Access-Control-Expose-Headers"] = conf.expose_headers +end + +function _M.rewrite(conf, ctx) local allow_origins = conf.allow_origins + local req_origin = core.request.header(ctx, "Origin") if allow_origins == "**" then - allow_origins = ngx.var.http_origin or '*' + allow_origins = req_origin or '*' + end + local multiple_origin, err = core.lrucache.plugin_ctx(plugin_name, ctx, + create_mutiple_origin_cache, conf) + if err then + return 500, {message = "get mutiple origin cache failed: " .. err} end - if str_find(allow_origins, ",", 1, true) then - local finded = false - local iterator, err = re_gmatch(allow_origins, "([^,]+)", "jiox") - if not iterator then - return 500, {message = "match origins failed", error = err} - end - while true do - local origin, err = iterator() - if err then - return 500, {message = "iterate origins failed", error = err} - end - if not origin then - break - end - if origin[0] == ngx.var.http_origin then - allow_origins = origin[0] - finded = true - break - end - end - if not finded then + if multiple_origin then + if multiple_origin[req_origin] then + allow_origins = req_origin + else return end end ctx.cors_allow_origins = allow_origins + set_cors_headers(conf, ctx) if ctx.var.request_method == "OPTIONS" then return 200 end end -function _M.header_filter(conf, ctx) - if not ctx.cors_allow_origins then - -- no origin matched, don't add headers - return - end - - local allow_methods = conf.allow_methods - if allow_methods == "**" then - allow_methods = "GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE" - end - - ngx.header["Access-Control-Allow-Origin"] = ctx.cors_allow_origins - ngx.header["Access-Control-Allow-Methods"] = allow_methods - ngx.header["Access-Control-Allow-Headers"] = conf.allow_headers - ngx.header["Access-Control-Expose-Headers"] = conf.expose_headers - ngx.header["Access-Control-Max-Age"] = conf.max_age - if conf.allow_credential then - ngx.header["Access-Control-Allow-Credentials"] = true - end -end - return _M diff --git a/apisix/plugins/echo.lua b/apisix/plugins/echo.lua new file mode 100644 index 0000000000000..76ab4e57e5c62 --- /dev/null +++ b/apisix/plugins/echo.lua @@ -0,0 +1,119 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local pairs = pairs +local type = type +local ngx = ngx + + +local schema = { + type = "object", + properties = { + before_body = { + description = "body before the filter phase.", + type = "string" + }, + body = { + description = "body to replace upstream response.", + type = "string" + }, + after_body = { + description = "body after the modification of filter phase.", + type = "string" + }, + headers = { + description = "new headers for repsonse", + type = "object", + minProperties = 1, + }, + auth_value = { + description = "auth value", + type = "string" + } + }, + anyOf = { + {required = {"before_body"}}, + {required = {"body"}}, + {required = {"after_body"}} + }, + minProperties = 1 +} + +local plugin_name = "echo" + +local _M = { + version = 0.1, + priority = 412, + name = plugin_name, + schema = schema, +} + +function _M.check_schema(conf) + if conf.headers then + conf.headers_arr = {} + + for field, value in pairs(conf.headers) do + if type(field) == 'string' + and (type(value) == 'string' or type(value) == 'number') then + if #field == 0 then + return false, 'invalid field length in header' + end + core.table.insert(conf.headers_arr, field) + core.table.insert(conf.headers_arr, value) + else + return false, 'invalid type as header value' + end + end + end + + return core.schema.check(schema, conf) +end + +function _M.body_filter(conf, ctx) + if conf.body then + ngx.arg[1] = conf.body + end + + if conf.before_body then + ngx.arg[1] = conf.before_body .. ngx.arg[1] + end + + if conf.after_body then + ngx.arg[1] = ngx.arg[1] .. conf.after_body + end + ngx.arg[2] = true +end + +function _M.access(conf, ctx) + local value = core.request.header(ctx, "Authorization") + + if value ~= conf.auth_value then + return 401, "unauthorized body" + end + +end + +function _M.header_filter(conf, ctx) + if conf.headers_arr then + local field_cnt = #conf.headers_arr + for i = 1, field_cnt, 2 do + ngx.header[conf.headers_arr[i]] = conf.headers_arr[i+1] + end + end +end + +return _M diff --git a/apisix/plugins/example-plugin.lua b/apisix/plugins/example-plugin.lua index 025ade4fd8e06..bf36837985110 100644 --- a/apisix/plugins/example-plugin.lua +++ b/apisix/plugins/example-plugin.lua @@ -15,7 +15,7 @@ -- limitations under the License. -- local core = require("apisix.core") -local balancer = require("ngx.balancer") +local upstream = require("apisix.upstream") local schema = { type = "object", @@ -60,25 +60,27 @@ end function _M.access(conf, ctx) core.log.warn("plugin access phase, conf: ", core.json.encode(conf)) -- return 200, {message = "hit example plugin"} -end - - -function _M.balancer(conf, ctx) - core.log.warn("plugin balancer phase, conf: ", core.json.encode(conf)) if not conf.ip then return end - -- NOTE: update `ctx.balancer_name` is important, APISIX will skip other - -- balancer handler. - ctx.balancer_name = plugin_name + local up_conf = { + type = "roundrobin", + nodes = { + {host = conf.ip, port = conf.port, weight = 1} + } + } - local ok, err = balancer.set_current_peer(conf.ip, conf.port) + local ok, err = upstream.check_schema(up_conf) if not ok then - core.log.error("failed to set server peer: ", err) - return core.response.exit(502) + return 500, err end + + local matched_route = ctx.matched_route + upstream.set(ctx, up_conf.type .. "#route_" .. matched_route.value.id, + ctx.conf_version, up_conf, matched_route) + return end diff --git a/apisix/plugins/grpc-transcode/util.lua b/apisix/plugins/grpc-transcode/util.lua index 83d89abaf2a01..d705a1ed7126e 100644 --- a/apisix/plugins/grpc-transcode/util.lua +++ b/apisix/plugins/grpc-transcode/util.lua @@ -51,7 +51,7 @@ local function get_from_request(name, kind) local request_table if ngx.req.get_method() == "POST" then if string.find(ngx.req.get_headers()["Content-Type"] or "", - "application/json", true) then + "application/json", 1, true) then request_table = json.decode(ngx.req.get_body_data()) else request_table = ngx.req.get_post_args() diff --git a/apisix/plugins/heartbeat.lua b/apisix/plugins/heartbeat.lua index 0a6cf76cbdc53..ed4fa2c208a21 100644 --- a/apisix/plugins/heartbeat.lua +++ b/apisix/plugins/heartbeat.lua @@ -114,7 +114,7 @@ local function report() local res res, err = request_apisix_svr(args) if not res then - core.log.error("failed to report heartbeat information: ", err) + core.log.info("failed to report heartbeat information: ", err) return end diff --git a/apisix/plugins/http-logger.lua b/apisix/plugins/http-logger.lua new file mode 100644 index 0000000000000..44df6aeff99cb --- /dev/null +++ b/apisix/plugins/http-logger.lua @@ -0,0 +1,176 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local log_util = require("apisix.utils.log-util") +local batch_processor = require("apisix.utils.batch-processor") +local plugin_name = "http-logger" +local ngx = ngx +local tostring = tostring +local http = require "resty.http" +local url = require "net.url" +local buffers = {} + +local schema = { + type = "object", + properties = { + uri = {type = "string"}, + auth_header = {type = "string", default = ""}, + timeout = {type = "integer", minimum = 1, default = 3}, + name = {type = "string", default = "http logger"}, + max_retry_count = {type = "integer", minimum = 0, default = 0}, + retry_delay = {type = "integer", minimum = 0, default = 1}, + buffer_duration = {type = "integer", minimum = 1, default = 60}, + inactive_timeout = {type = "integer", minimum = 1, default = 5}, + batch_max_size = {type = "integer", minimum = 1, default = 1000}, + include_req_body = {type = "boolean", default = false} + }, + required = {"uri"} +} + + +local _M = { + version = 0.1, + priority = 410, + name = plugin_name, + schema = schema, +} + + +function _M.check_schema(conf) + return core.schema.check(schema, conf) +end + + +local function send_http_data(conf, log_message) + local err_msg + local res = true + local url_decoded = url.parse(conf.uri) + local host = url_decoded.host + local port = url_decoded.port + + if ((not port) and url_decoded.scheme == "https") then + port = 443 + elseif not port then + port = 80 + end + + local httpc = http.new() + httpc:set_timeout(conf.timeout * 1000) + local ok, err = httpc:connect(host, port) + + if not ok then + return false, "failed to connect to host[" .. host .. "] port[" + .. tostring(port) .. "] " .. err + end + + if url_decoded.scheme == "https" then + ok, err = httpc:ssl_handshake(true, host, false) + if not ok then + return nil, "failed to perform SSL with host[" .. host .. "] " + .. "port[" .. tostring(port) .. "] " .. err + end + end + + local httpc_res, httpc_err = httpc:request({ + method = "POST", + path = url_decoded.path, + query = url_decoded.query, + body = log_message, + headers = { + ["Host"] = url_decoded.host, + ["Content-Type"] = "application/json", + ["Authorization"] = conf.auth_header + } + }) + + if not httpc_res then + return false, "error while sending data to [" .. host .. "] port[" + .. tostring(port) .. "] " .. httpc_err + end + + -- some error occurred in the server + if httpc_res.status >= 400 then + res = false + err_msg = "server returned status code[" .. httpc_res.status .. "] host[" + .. host .. "] port[" .. tostring(port) .. "] " + .. "body[" .. httpc_res:read_body() .. "]" + end + + -- keep the connection alive + ok, err = httpc:set_keepalive(conf.keepalive) + + if not ok then + core.log.debug("failed to keep the connection alive", err) + end + + return res, err_msg +end + + +function _M.log(conf) + local entry = log_util.get_full_log(ngx, conf) + + if not entry.route_id then + core.log.error("failed to obtain the route id for http logger") + return + end + + local log_buffer = buffers[entry.route_id] + + if log_buffer then + log_buffer:push(entry) + return + end + + -- Generate a function to be executed by the batch processor + local func = function(entries, batch_max_size) + local data, err + if batch_max_size == 1 then + data, err = core.json.encode(entries[1]) -- encode as single {} + else + data, err = core.json.encode(entries) -- encode as array [{}] + end + + if not data then + return false, 'error occurred while encoding the data: ' .. err + end + + return send_http_data(conf, data) + end + + local config = { + name = conf.name, + retry_delay = conf.retry_delay, + batch_max_size = conf.batch_max_size, + max_retry_count = conf.max_retry_count, + buffer_duration = conf.buffer_duration, + inactive_timeout = conf.inactive_timeout, + } + + local err + log_buffer, err = batch_processor:new(func, config) + + if not log_buffer then + core.log.error("error when creating the batch processor: ", err) + return + end + + buffers[entry.route_id] = log_buffer + log_buffer:push(entry) +end + +return _M diff --git a/apisix/plugins/ip-restriction.lua b/apisix/plugins/ip-restriction.lua index ab4deed3a0d86..f08c9c7ccbd01 100644 --- a/apisix/plugins/ip-restriction.lua +++ b/apisix/plugins/ip-restriction.lua @@ -110,7 +110,7 @@ function _M.check_schema(conf) end -local function create_ip_mather(ip_list) +local function create_ip_matcher(ip_list) local ip, err = ipmatcher.new(ip_list) if not ip then core.log.error("failed to create ip matcher: ", err, @@ -128,7 +128,7 @@ function _M.access(conf, ctx) if conf.blacklist and #conf.blacklist > 0 then local matcher = lrucache(conf.blacklist, nil, - create_ip_mather, conf.blacklist) + create_ip_matcher, conf.blacklist) if matcher then block = matcher:match(remote_addr) end @@ -136,7 +136,7 @@ function _M.access(conf, ctx) if conf.whitelist and #conf.whitelist > 0 then local matcher = lrucache(conf.whitelist, nil, - create_ip_mather, conf.whitelist) + create_ip_matcher, conf.whitelist) if matcher then block = not matcher:match(remote_addr) end diff --git a/apisix/plugins/kafka-logger.lua b/apisix/plugins/kafka-logger.lua index a9050b9d6080f..fc7d90cde719f 100644 --- a/apisix/plugins/kafka-logger.lua +++ b/apisix/plugins/kafka-logger.lua @@ -21,7 +21,11 @@ local batch_processor = require("apisix.utils.batch-processor") local pairs = pairs local type = type local table = table +local ipairs = ipairs local plugin_name = "kafka-logger" +local stale_timer_running = false; +local timer_at = ngx.timer.at +local tostring = tostring local ngx = ngx local buffers = {} @@ -40,6 +44,7 @@ local schema = { buffer_duration = {type = "integer", minimum = 1, default = 60}, inactive_timeout = {type = "integer", minimum = 1, default = 5}, batch_max_size = {type = "integer", minimum = 1, default = 1000}, + include_req_body = {type = "boolean", default = false} }, required = {"broker_list", "kafka_topic", "key"} } @@ -89,9 +94,25 @@ local function send_kafka_data(conf, log_message) end end +-- remove stale objects from the memory after timer expires +local function remove_stale_objects(premature) + if premature then + return + end + + for key, batch in ipairs(buffers) do + if #batch.entry_buffer.entries == 0 and #batch.batch_to_process == 0 then + core.log.debug("removing batch processor stale object, route id:", tostring(key)) + buffers[key] = nil + end + end + + stale_timer_running = false +end + function _M.log(conf) - local entry = log_util.get_full_log(ngx) + local entry = log_util.get_full_log(ngx, conf) if not entry.route_id then core.log.error("failed to obtain the route id for kafka logger") @@ -100,6 +121,12 @@ function _M.log(conf) local log_buffer = buffers[entry.route_id] + if not stale_timer_running then + -- run the timer every 30 mins if any log is present + timer_at(1800, remove_stale_objects) + stale_timer_running = true + end + if log_buffer then log_buffer:push(entry) return diff --git a/apisix/plugins/limit-conn.lua b/apisix/plugins/limit-conn.lua index dbffbabb8277c..6ca46d5d1df7f 100644 --- a/apisix/plugins/limit-conn.lua +++ b/apisix/plugins/limit-conn.lua @@ -30,9 +30,9 @@ local schema = { enum = {"remote_addr", "server_addr", "http_x_real_ip", "http_x_forwarded_for"}, }, - rejected_code = {type = "integer", minimum = 200}, + rejected_code = {type = "integer", minimum = 200, default = 503}, }, - required = {"conn", "burst", "default_conn_delay", "key", "rejected_code"} + required = {"conn", "burst", "default_conn_delay", "key"} } diff --git a/apisix/plugins/limit-count.lua b/apisix/plugins/limit-count.lua index 42db2d54784b4..3e9d4af28adee 100644 --- a/apisix/plugins/limit-count.lua +++ b/apisix/plugins/limit-count.lua @@ -34,7 +34,8 @@ local schema = { enum = {"remote_addr", "server_addr", "http_x_real_ip", "http_x_forwarded_for"}, }, - rejected_code = {type = "integer", minimum = 200, maximum = 600}, + rejected_code = {type = "integer", minimum = 200, maximum = 600, + default = 503}, policy = { type = "string", enum = {"local", "redis"}, @@ -53,7 +54,7 @@ local schema = { }, }, additionalProperties = false, - required = {"count", "time_window", "key", "rejected_code"}, + required = {"count", "time_window", "key"}, } diff --git a/apisix/plugins/limit-req.lua b/apisix/plugins/limit-req.lua index e35c4b328e514..1caadce8b2f11 100644 --- a/apisix/plugins/limit-req.lua +++ b/apisix/plugins/limit-req.lua @@ -29,9 +29,9 @@ local schema = { enum = {"remote_addr", "server_addr", "http_x_real_ip", "http_x_forwarded_for"}, }, - rejected_code = {type = "integer", minimum = 200}, + rejected_code = {type = "integer", minimum = 200, default = 503}, }, - required = {"rate", "burst", "key", "rejected_code"} + required = {"rate", "burst", "key"} } diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index 6a93226f9baac..2572c856ca955 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -116,11 +116,12 @@ local function introspect(ctx, conf) end else res, err = openidc.introspect(conf) - if res then + if err then + return ngx.HTTP_UNAUTHORIZED, err + else return res end end - if conf.bearer_only then ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm .. '",error="' .. err .. '"' diff --git a/apisix/plugins/prometheus/exporter.lua b/apisix/plugins/prometheus/exporter.lua index 538deaba3a496..2c0b6fc618abf 100644 --- a/apisix/plugins/prometheus/exporter.lua +++ b/apisix/plugins/prometheus/exporter.lua @@ -14,26 +14,48 @@ -- See the License for the specific language governing permissions and -- limitations under the License. -- -local base_prometheus = require("resty.prometheus") +local base_prometheus = require("prometheus") local core = require("apisix.core") local ipairs = ipairs local ngx = ngx local ngx_capture = ngx.location.capture local re_gmatch = ngx.re.gmatch +local tonumber = tonumber +local select = select local prometheus -- Default set of latency buckets, 1ms to 60s: local DEFAULT_BUCKETS = { 1, 2, 5, 7, 10, 15, 20, 25, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 1000, - 2000, 5000, 10000, 30000, 60000 } + 2000, 5000, 10000, 30000, 60000 +} local metrics = {} -local _M = {version = 0.3} + local inner_tab_arr = {} + local clear_tab = core.table.clear +local function gen_arr(...) + clear_tab(inner_tab_arr) + + for i = 1, select('#', ...) do + inner_tab_arr[i] = select(i, ...) + end + + return inner_tab_arr +end + + +local _M = {} function _M.init() + -- todo: support hot reload, we may need to update the lua-prometheus + -- library + if ngx.get_phase() ~= "init" and ngx.get_phase() ~= "init_worker" then + return + end + core.table.clear(metrics) -- across all services @@ -54,6 +76,10 @@ function _M.init() "HTTP request latency per service in APISIX", {"type", "service", "node"}, DEFAULT_BUCKETS) + metrics.overhead = prometheus:histogram("http_overhead", + "HTTP request overhead per service in APISIX", + {"type", "service", "node"}, DEFAULT_BUCKETS) + metrics.bandwidth = prometheus:counter("bandwidth", "Total bandwidth in bytes consumed per service in APISIX", {"type", "route", "service", "node"}) @@ -75,21 +101,31 @@ function _M.log(conf, ctx) service_id = vars.host end - metrics.status:inc(1, vars.status, route_id, service_id, balancer_ip) + metrics.status:inc(1, + gen_arr(vars.status, route_id, service_id, balancer_ip)) local latency = (ngx.now() - ngx.req.start_time()) * 1000 - metrics.latency:observe(latency, "request", service_id, balancer_ip) + metrics.latency:observe(latency, + gen_arr("request", service_id, balancer_ip)) + + local overhead = latency + if ctx.var.upstream_response_time then + overhead = overhead - tonumber(ctx.var.upstream_response_time) * 1000 + end + metrics.overhead:observe(overhead, + gen_arr("request", service_id, balancer_ip)) - metrics.bandwidth:inc(vars.request_length, "ingress", route_id, service_id, - balancer_ip) + metrics.bandwidth:inc(vars.request_length, + gen_arr("ingress", route_id, service_id, balancer_ip)) - metrics.bandwidth:inc(vars.bytes_sent, "egress", route_id, service_id, - balancer_ip) + metrics.bandwidth:inc(vars.bytes_sent, + gen_arr("egress", route_id, service_id, balancer_ip)) end local ngx_statu_items = {"active", "accepted", "handled", "total", "reading", "writing", "waiting"} + local label_values = {} local function nginx_status() local res = ngx_capture("/apisix/nginx_status") if not res or res.status ~= 200 then @@ -114,7 +150,8 @@ local function nginx_status() break end - metrics.connections:set(val[0], name) + label_values[1] = name + metrics.connections:set(val[0], label_values) end end diff --git a/apisix/plugins/redirect.lua b/apisix/plugins/redirect.lua index 6cc28ac31307d..a9df21f26b5a0 100644 --- a/apisix/plugins/redirect.lua +++ b/apisix/plugins/redirect.lua @@ -30,8 +30,12 @@ local schema = { properties = { ret_code = {type = "integer", minimum = 200, default = 302}, uri = {type = "string", minLength = 2}, + http_to_https = {type = "boolean"}, -- default is false }, - required = {"uri"}, + oneOf = { + {required = {"uri"}}, + {required = {"http_to_https"}} + } } @@ -80,11 +84,13 @@ function _M.check_schema(conf) return false, err end - local uri_segs, err = parse_uri(conf.uri) - if not uri_segs then - return false, err + if conf.uri then + local uri_segs, err = parse_uri(conf.uri) + if not uri_segs then + return false, err + end + core.log.info(core.json.delay_encode(uri_segs)) end - core.log.info(core.json.delay_encode(uri_segs)) return true end @@ -120,15 +126,22 @@ end function _M.rewrite(conf, ctx) core.log.info("plugin rewrite phase, conf: ", core.json.delay_encode(conf)) - local new_uri, err = concat_new_uri(conf.uri, ctx) - if not new_uri then - core.log.error("failed to generate new uri by: ", conf.uri, " error: ", - err) - core.response.exit(500) + if conf.http_to_https and ctx.var.scheme == "http" then + conf.uri = "https://$host$request_uri" + conf.ret_code = 301 end - core.response.set_header("Location", new_uri) - core.response.exit(conf.ret_code) + if conf.uri and conf.ret_code then + local new_uri, err = concat_new_uri(conf.uri, ctx) + if not new_uri then + core.log.error("failed to generate new uri by: ", conf.uri, " error: ", + err) + core.response.exit(500) + end + + core.response.set_header("Location", new_uri) + core.response.exit(conf.ret_code) + end end diff --git a/apisix/plugins/skywalking.lua b/apisix/plugins/skywalking.lua new file mode 100644 index 0000000000000..f95286bd8d143 --- /dev/null +++ b/apisix/plugins/skywalking.lua @@ -0,0 +1,80 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local ngx = ngx +local math = math + +local sw_client = require("apisix.plugins.skywalking.client") +local sw_tracer = require("apisix.plugins.skywalking.tracer") + +local plugin_name = "skywalking" + + +local schema = { + type = "object", + properties = { + endpoint = {type = "string"}, + sample_ratio = {type = "number", minimum = 0.00001, maximum = 1, default = 1} + }, + service_name = { + type = "string", + description = "service name for skywalking", + default = "APISIX", + }, + required = {"endpoint"} +} + + +local _M = { + version = 0.1, + priority = -1100, -- last running plugin, but before serverless post func + name = plugin_name, + schema = schema, +} + + +function _M.check_schema(conf) + return core.schema.check(schema, conf) +end + + +function _M.rewrite(conf, ctx) + core.log.debug("rewrite phase of skywalking plugin") + ctx.skywalking_sample = false + if conf.sample_ratio == 1 or math.random() < conf.sample_ratio then + ctx.skywalking_sample = true + sw_client.heartbeat(conf) + -- Currently, we can not have the upstream real network address + sw_tracer.start(ctx, conf.endpoint, "upstream service") + end +end + + +function _M.body_filter(conf, ctx) + if ctx.skywalking_sample and ngx.arg[2] then + sw_tracer.finish(ctx) + end +end + + +function _M.log(conf, ctx) + if ctx.skywalking_sample then + sw_tracer.prepareForReport(ctx, conf.endpoint) + end +end + +return _M diff --git a/apisix/plugins/skywalking/client.lua b/apisix/plugins/skywalking/client.lua new file mode 100644 index 0000000000000..f83a6e35bf803 --- /dev/null +++ b/apisix/plugins/skywalking/client.lua @@ -0,0 +1,232 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local http = require("resty.http") +local cjson = require('cjson') +local ngx = ngx +local ipairs = ipairs + +local register = require("skywalking.register") + +local _M = {} + +local function register_service(conf) + local endpoint = conf.endpoint + + local tracing_buffer = ngx.shared['skywalking-tracing-buffer'] + local service_id = tracing_buffer:get(endpoint .. '_service_id') + if service_id then + return service_id + end + + local service_name = conf.service_name + local service = register.newServiceRegister(service_name) + + local httpc = http.new() + local res, err = httpc:request_uri(endpoint .. '/v2/service/register', + { + method = "POST", + body = core.json.encode(service), + headers = { + ["Content-Type"] = "application/json", + }, + }) + if not res then + core.log.error("skywalking service register failed, request uri: ", + endpoint .. '/v2/service/register', ", err: ", err) + + elseif res.status == 200 then + core.log.debug("skywalking service register response: ", res.body) + local register_results = cjson.decode(res.body) + + for _, result in ipairs(register_results) do + if result.key == service_name then + service_id = result.value + core.log.debug("skywalking service registered, service id:" + .. service_id) + end + end + + else + core.log.error("skywalking service register failed, request uri:", + endpoint .. "/v2/service/register", + ", response code:", res.status) + end + + if service_id then + tracing_buffer:set(endpoint .. '_service_id', service_id) + end + + return service_id +end + +local function register_service_instance(conf, service_id) + local endpoint = conf.endpoint + + local tracing_buffer = ngx.shared['skywalking-tracing-buffer'] + local instance_id = tracing_buffer:get(endpoint .. '_instance_id') + if instance_id then + return instance_id + end + + local service_instance_name = core.id.get() + local service_instance = register.newServiceInstanceRegister( + service_id, + service_instance_name, + ngx.now() * 1000) + + local httpc = http.new() + local res, err = httpc:request_uri(endpoint .. '/v2/instance/register', + { + method = "POST", + body = core.json.encode(service_instance), + headers = { + ["Content-Type"] = "application/json", + }, + }) + + if not res then + core.log.error("skywalking service Instance register failed", + ", request uri: ", conf.endpoint .. '/v2/instance/register', + ", err: ", err) + + elseif res.status == 200 then + core.log.debug("skywalking service instance register response: ", res.body) + local register_results = cjson.decode(res.body) + + for _, result in ipairs(register_results) do + if result.key == service_instance_name then + instance_id = result.value + end + end + + else + core.log.error("skywalking service instance register failed, ", + "response code:", res.status) + end + + if instance_id then + tracing_buffer:set(endpoint .. '_instance_id', instance_id) + end + + return instance_id +end + +local function ping(endpoint) + local tracing_buffer = ngx.shared['skywalking-tracing-buffer'] + local ping_pkg = register.newServiceInstancePingPkg( + tracing_buffer:get(endpoint .. '_instance_id'), + core.id.get(), + ngx.now() * 1000) + + local httpc = http.new() + local res, err = httpc:request_uri(endpoint .. '/v2/instance/heartbeat', { + method = "POST", + body = core.json.encode(ping_pkg), + headers = { + ["Content-Type"] = "application/json", + }, + }) + + if err then + core.log.error("skywalking agent ping failed, err: ", err) + else + core.log.debug(res.body) + end +end + +-- report trace segments to the backend +local function report_traces(endpoint) + local tracing_buffer = ngx.shared['skywalking-tracing-buffer'] + local segment = tracing_buffer:rpop(endpoint .. '_segment') + + local count = 0 + + local httpc = http.new() + + while segment ~= nil do + local res, err = httpc:request_uri(endpoint .. '/v2/segments', { + method = "POST", + body = segment, + headers = { + ["Content-Type"] = "application/json", + }, + }) + + if err == nil then + if res.status ~= 200 then + core.log.error("skywalking segment report failed, response code ", res.status) + break + else + count = count + 1 + core.log.debug(res.body) + end + else + core.log.error("skywalking segment report failed, err: ", err) + break + end + + segment = tracing_buffer:rpop('segment') + end + + if count > 0 then + core.log.debug(count, " skywalking segments reported") + end +end + +do + local heartbeat_timer + +function _M.heartbeat(conf) + local sw_heartbeat = function() + local service_id = register_service(conf) + if not service_id then + return + end + + core.log.debug("skywalking service registered, ", + "service id: ", service_id) + + local service_instance_id = register_service_instance(conf, service_id) + if not service_instance_id then + return + end + + core.log.debug("skywalking service Instance registered, ", + "service instance id: ", service_instance_id) + report_traces(conf.endpoint) + ping(conf.endpoint) + end + + local err + if ngx.worker.id() == 0 and not heartbeat_timer then + heartbeat_timer, err = core.timer.new("skywalking_heartbeat", + sw_heartbeat, + {check_interval = 3} + ) + if not heartbeat_timer then + core.log.error("failed to create skywalking_heartbeat timer: ", err) + else + core.log.info("succeed to create timer: skywalking heartbeat") + end + end +end + +end -- do + + +return _M diff --git a/apisix/plugins/skywalking/tracer.lua b/apisix/plugins/skywalking/tracer.lua new file mode 100644 index 0000000000000..187b941edf46d --- /dev/null +++ b/apisix/plugins/skywalking/tracer.lua @@ -0,0 +1,101 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local span = require("skywalking.span") +local tracing_context = require("skywalking.tracing_context") +local span_layer = require("skywalking.span_layer") +local sw_segment = require('skywalking.segment') + +local pairs = pairs +local ngx = ngx + +-- Constant pre-defined in SkyWalking main repo +-- 84 represents Nginx +local NGINX_COMPONENT_ID = 6000 + +local _M = {} + +function _M.start(ctx, endpoint, upstream_name) + local context + -- TODO: use lrucache for better performance + local tracing_buffer = ngx.shared['skywalking-tracing-buffer'] + local instance_id = tracing_buffer:get(endpoint .. '_instance_id') + local service_id = tracing_buffer:get(endpoint .. '_service_id') + + if service_id and instance_id then + context = tracing_context.new(service_id, instance_id) + else + context = tracing_context.newNoOP() + end + + local context_carrier = {} + context_carrier["sw6"] = ngx.req.get_headers()["sw6"] + local entry_span = tracing_context.createEntrySpan(context, ctx.var.uri, nil, context_carrier) + span.start(entry_span, ngx.now() * 1000) + span.setComponentId(entry_span, NGINX_COMPONENT_ID) + span.setLayer(entry_span, span_layer.HTTP) + + span.tag(entry_span, 'http.method', ngx.req.get_method()) + span.tag(entry_span, 'http.params', ctx.var.scheme .. '://' + .. ctx.var.host .. ctx.var.request_uri) + + context_carrier = {} + local exit_span = tracing_context.createExitSpan(context, + ctx.var.upstream_uri, + entry_span, + upstream_name, + context_carrier) + span.start(exit_span, ngx.now() * 1000) + span.setComponentId(exit_span, NGINX_COMPONENT_ID) + span.setLayer(exit_span, span_layer.HTTP) + + for name, value in pairs(context_carrier) do + ngx.req.set_header(name, value) + end + + -- Push the data in the context + ctx.sw_tracing_context = context + ctx.sw_entry_span = entry_span + ctx.sw_exit_span = exit_span + + core.log.debug("push data into skywalking context") +end + +function _M.finish(ctx) + -- Finish the exit span when received the first response package from upstream + if ctx.sw_exit_span then + span.finish(ctx.sw_exit_span, ngx.now() * 1000) + ctx.sw_exit_span = nil + end +end + +function _M.prepareForReport(ctx, endpoint) + if ctx.sw_entry_span then + span.finish(ctx.sw_entry_span, ngx.now() * 1000) + local status, segment = tracing_context.drainAfterFinished(ctx.sw_tracing_context) + if status then + local segment_json = core.json.encode(sw_segment.transform(segment)) + core.log.debug('segment = ', segment_json) + + local tracing_buffer = ngx.shared['skywalking-tracing-buffer'] + local length = tracing_buffer:lpush(endpoint .. '_segment', segment_json) + core.log.debug('segment buffer size = ', length) + end + end +end + +return _M diff --git a/apisix/plugins/syslog.lua b/apisix/plugins/syslog.lua new file mode 100644 index 0000000000000..7b96a2e010b67 --- /dev/null +++ b/apisix/plugins/syslog.lua @@ -0,0 +1,189 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local log_util = require("apisix.utils.log-util") +local batch_processor = require("apisix.utils.batch-processor") +local logger_socket = require("resty.logger.socket") +local plugin_name = "syslog" +local ngx = ngx +local buffers = {} +local ipairs = ipairs +local stale_timer_running = false; +local timer_at = ngx.timer.at +local tostring = tostring + +local schema = { + type = "object", + properties = { + host = {type = "string"}, + port = {type = "integer"}, + name = {type = "string", default = "sys logger"}, + flush_limit = {type = "integer", minimum = 1, default = 4096}, + drop_limit = {type = "integer", default = 1048576}, + timeout = {type = "integer", minimum = 1, default = 3}, + sock_type = {type = "string", default = "tcp"}, + max_retry_times = {type = "integer", minimum = 1, default = 1}, + retry_interval = {type = "integer", minimum = 0, default = 1}, + pool_size = {type = "integer", minimum = 5, default = 5}, + tls = {type = "boolean", default = false}, + batch_max_size = {type = "integer", minimum = 1, default = 1000}, + buffer_duration = {type = "integer", minimum = 1, default = 60}, + include_req_body = {type = "boolean", default = false} + }, + required = {"host", "port"} +} + +local lrucache = core.lrucache.new({ + ttl = 300, count = 512 +}) + +local _M = { + version = 0.1, + priority = 401, + name = plugin_name, + schema = schema, +} + +function _M.check_schema(conf) + return core.schema.check(schema, conf) +end + +function _M.flush_syslog(logger) + local ok, err = logger:flush(logger) + if not ok then + core.log.error("failed to flush message:", err) + end +end + +local function send_syslog_data(conf, log_message) + local err_msg + local res = true + + -- fetch api_ctx + local api_ctx = ngx.ctx.api_ctx + if not api_ctx then + core.log.error("invalid api_ctx cannot proceed with sys logger plugin") + return core.response.exit(500) + end + + -- fetch it from lrucache + local logger, err = lrucache(api_ctx.conf_type .. "#" .. api_ctx.conf_id, api_ctx.conf_version, + logger_socket.new, logger_socket, { + host = conf.host, + port = conf.port, + flush_limit = conf.flush_limit, + drop_limit = conf.drop_limit, + timeout = conf.timeout, + sock_type = conf.sock_type, + max_retry_times = conf.max_retry_times, + retry_interval = conf.retry_interval, + pool_size = conf.pool_size, + tls = conf.tls, + }) + + if not logger then + res = false + err_msg = "failed when initiating the sys logger processor".. err + end + + -- reuse the logger object + local ok, err = logger:log(core.json.encode(log_message)) + if not ok then + res = false + err_msg = "failed to log message" .. err + end + + return res, err_msg +end + +-- remove stale objects from the memory after timer expires +local function remove_stale_objects(premature) + if premature then + return + end + + for key, batch in ipairs(buffers) do + if #batch.entry_buffer.entries == 0 and #batch.batch_to_process == 0 then + core.log.debug("removing batch processor stale object, route id:", tostring(key)) + buffers[key] = nil + end + end + + stale_timer_running = false +end + +-- log phase in APISIX +function _M.log(conf) + local entry = log_util.get_full_log(ngx, conf) + + if not entry.route_id then + core.log.error("failed to obtain the route id for sys logger") + return + end + + local log_buffer = buffers[entry.route_id] + + if not stale_timer_running then + -- run the timer every 30 mins if any log is present + timer_at(1800, remove_stale_objects) + stale_timer_running = true + end + + if log_buffer then + log_buffer:push(entry) + return + end + + -- Generate a function to be executed by the batch processor + local func = function(entries, batch_max_size) + local data, err + if batch_max_size == 1 then + data, err = core.json.encode(entries[1]) -- encode as single {} + else + data, err = core.json.encode(entries) -- encode as array [{}] + end + + if not data then + return false, 'error occurred while encoding the data: ' .. err + end + + return send_syslog_data(conf, data) + end + + local config = { + name = conf.name, + retry_delay = conf.retry_interval, + batch_max_size = conf.batch_max_size, + max_retry_count = conf.max_retry_times, + buffer_duration = conf.buffer_duration, + inactive_timeout = conf.timeout, + } + + local err + log_buffer, err = batch_processor:new(func, config) + + if not log_buffer then + core.log.error("error when creating the batch processor: ", err) + return + end + + buffers[entry.route_id] = log_buffer + log_buffer:push(entry) + +end + +return _M diff --git a/apisix/plugins/tcp-logger.lua b/apisix/plugins/tcp-logger.lua index 9eeef3320b778..ced5f8f23dad3 100644 --- a/apisix/plugins/tcp-logger.lua +++ b/apisix/plugins/tcp-logger.lua @@ -22,6 +22,9 @@ local tostring = tostring local buffers = {} local ngx = ngx local tcp = ngx.socket.tcp +local ipairs = ipairs +local stale_timer_running = false; +local timer_at = ngx.timer.at local schema = { type = "object", @@ -37,6 +40,7 @@ local schema = { buffer_duration = {type = "integer", minimum = 1, default = 60}, inactive_timeout = {type = "integer", minimum = 1, default = 5}, batch_max_size = {type = "integer", minimum = 1, default = 1000}, + include_req_body = {type = "boolean", default = false} }, required = {"host", "port"} } @@ -94,9 +98,25 @@ local function send_tcp_data(conf, log_message) return res, err_msg end +-- remove stale objects from the memory after timer expires +local function remove_stale_objects(premature) + if premature then + return + end + + for key, batch in ipairs(buffers) do + if #batch.entry_buffer.entries == 0 and #batch.batch_to_process == 0 then + core.log.debug("removing batch processor stale object, route id:", tostring(key)) + buffers[key] = nil + end + end + + stale_timer_running = false +end + function _M.log(conf) - local entry = log_util.get_full_log(ngx) + local entry = log_util.get_full_log(ngx, conf) if not entry.route_id then core.log.error("failed to obtain the route id for tcp logger") @@ -105,6 +125,12 @@ function _M.log(conf) local log_buffer = buffers[entry.route_id] + if not stale_timer_running then + -- run the timer every 30 mins if any log is present + timer_at(1800, remove_stale_objects) + stale_timer_running = true + end + if log_buffer then log_buffer:push(entry) return diff --git a/apisix/plugins/udp-logger.lua b/apisix/plugins/udp-logger.lua index b1b565fb1b2d0..cec782a347624 100644 --- a/apisix/plugins/udp-logger.lua +++ b/apisix/plugins/udp-logger.lua @@ -22,6 +22,9 @@ local tostring = tostring local buffers = {} local ngx = ngx local udp = ngx.socket.udp +local ipairs = ipairs +local stale_timer_running = false; +local timer_at = ngx.timer.at local schema = { type = "object", @@ -33,6 +36,7 @@ local schema = { buffer_duration = {type = "integer", minimum = 1, default = 60}, inactive_timeout = {type = "integer", minimum = 1, default = 5}, batch_max_size = {type = "integer", minimum = 1, default = 1000}, + include_req_body = {type = "boolean", default = false} }, required = {"host", "port"} } @@ -77,9 +81,25 @@ local function send_udp_data(conf, log_message) return res, err_msg end +-- remove stale objects from the memory after timer expires +local function remove_stale_objects(premature) + if premature then + return + end + + for key, batch in ipairs(buffers) do + if #batch.entry_buffer.entries == 0 and #batch.batch_to_process == 0 then + core.log.debug("removing batch processor stale object, route id:", tostring(key)) + buffers[key] = nil + end + end + + stale_timer_running = false +end + function _M.log(conf) - local entry = log_util.get_full_log(ngx) + local entry = log_util.get_full_log(ngx, conf) if not entry.route_id then core.log.error("failed to obtain the route id for udp logger") @@ -88,6 +108,12 @@ function _M.log(conf) local log_buffer = buffers[entry.route_id] + if not stale_timer_running then + -- run the timer every 30 mins if any log is present + timer_at(1800, remove_stale_objects) + stale_timer_running = true + end + if log_buffer then log_buffer:push(entry) return diff --git a/apisix/plugins/uri-blocker.lua b/apisix/plugins/uri-blocker.lua new file mode 100644 index 0000000000000..ab5b6828e7724 --- /dev/null +++ b/apisix/plugins/uri-blocker.lua @@ -0,0 +1,86 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local re_compile = require("resty.core.regex").re_match_compile +local re_find = ngx.re.find +local ipairs = ipairs + +local schema = { + type = "object", + properties = { + block_rules = { + type = "array", + items = { + type = "string", + minLength = 1, + maxLength = 4096, + }, + uniqueItems = true + }, + rejected_code = { + type = "integer", + minimum = 200, + default = 403 + }, + }, + required = {"block_rules"}, +} + + +local plugin_name = "uri-blocker" + +local _M = { + version = 0.1, + priority = 2900, + name = plugin_name, + schema = schema, +} + + +function _M.check_schema(conf) + local ok, err = core.schema.check(schema, conf) + if not ok then + return false, err + end + + local block_rules = {} + for i, re_rule in ipairs(conf.block_rules) do + local ok, err = re_compile(re_rule, "j") + -- core.log.warn("ok: ", tostring(ok), " err: ", tostring(err), " re_rule: ", re_rule) + if not ok then + return false, err + end + block_rules[i] = re_rule + end + + conf.block_rules_concat = core.table.concat(block_rules, "|") + core.log.info("concat block_rules: ", conf.block_rules_concat) + return true +end + + +function _M.rewrite(conf, ctx) + core.log.info("uri: ", ctx.var.request_uri) + core.log.info("block uri rules: ", conf.block_rules_concat) + local from = re_find(ctx.var.request_uri, conf.block_rules_concat, "jo") + if from then + core.response.exit(conf.rejected_code) + end +end + + +return _M diff --git a/apisix/plugins/zipkin.lua b/apisix/plugins/zipkin.lua index 56412390e3794..934d88398ac15 100644 --- a/apisix/plugins/zipkin.lua +++ b/apisix/plugins/zipkin.lua @@ -48,7 +48,7 @@ local schema = { local _M = { version = 0.1, - priority = -1000, -- last running plugin, but before serverless post func + priority = -1000, name = plugin_name, schema = schema, } diff --git a/apisix/router.lua b/apisix/router.lua index d3b45941d9950..4ba8709937171 100644 --- a/apisix/router.lua +++ b/apisix/router.lua @@ -15,12 +15,13 @@ -- limitations under the License. -- local require = require -local core = require("apisix.core") -local error = error -local pairs = pairs +local core = require("apisix.core") +local error = error +local pairs = pairs +local ipairs = ipairs -local _M = {version = 0.2} +local _M = {version = 0.3} local function filter(route) @@ -29,17 +30,36 @@ local function filter(route) return end - if not route.value.upstream then + if not route.value.upstream or not route.value.upstream.nodes then return end - for addr, _ in pairs(route.value.upstream.nodes or {}) do - local host = core.utils.parse_addr(addr) - if not core.utils.parse_ipv4(host) and - not core.utils.parse_ipv6(host) then - route.has_domain = true - break + local nodes = route.value.upstream.nodes + if core.table.isarray(nodes) then + for _, node in ipairs(nodes) do + local host = node.host + if not core.utils.parse_ipv4(host) and + not core.utils.parse_ipv6(host) then + route.has_domain = true + break + end end + else + local new_nodes = core.table.new(core.table.nkeys(nodes), 0) + for addr, weight in pairs(nodes) do + local host, port = core.utils.parse_addr(addr) + if not core.utils.parse_ipv4(host) and + not core.utils.parse_ipv6(host) then + route.has_domain = true + end + local node = { + host = host, + port = port, + weight = weight, + } + core.table.insert(new_nodes, node) + end + route.value.upstream.nodes = new_nodes end core.log.info("filter route: ", core.json.delay_encode(route)) @@ -78,7 +98,7 @@ end function _M.stream_init_worker() local router_stream = require("apisix.stream.router.ip_port") - router_stream.stream_init_worker() + router_stream.stream_init_worker(filter) _M.router_stream = router_stream end @@ -88,4 +108,8 @@ function _M.http_routes() end +-- for test +_M.filter_test = filter + + return _M diff --git a/apisix/schema_def.lua b/apisix/schema_def.lua index e261c98c1ec40..d580be6982ed3 100644 --- a/apisix/schema_def.lua +++ b/apisix/schema_def.lua @@ -18,7 +18,7 @@ local schema = require('apisix.core.schema') local setmetatable = setmetatable local error = error -local _M = {version = 0.4} +local _M = {version = 0.5} local plugins_schema = { @@ -225,11 +225,9 @@ local health_checker = { } -local upstream_schema = { - type = "object", - properties = { - nodes = { - description = "nodes of upstream", +local nodes_schema = { + anyOf = { + { type = "object", patternProperties = { [".*"] = { @@ -240,6 +238,39 @@ local upstream_schema = { }, minProperties = 1, }, + { + type = "array", + minItems = 1, + items = { + type = "object", + properties = { + host = host_def, + port = { + description = "port of node", + type = "integer", + minimum = 1, + }, + weight = { + description = "weight of node", + type = "integer", + minimum = 0, + }, + metadata = { + description = "metadata of node", + type = "object", + } + }, + required = {"host", "port", "weight"}, + }, + } + } +} + + +local upstream_schema = { + type = "object", + properties = { + nodes = nodes_schema, retries = { type = "integer", minimum = 1, @@ -296,12 +327,15 @@ local upstream_schema = { description = "enable websocket for request", type = "boolean" }, + name = {type = "string", maxLength = 50}, desc = {type = "string", maxLength = 256}, + service_name = {type = "string", maxLength = 50}, id = id_schema }, anyOf = { {required = {"type", "nodes"}}, {required = {"type", "k8s_deployment_info"}}, + {required = {"type", "service_name"}}, }, additionalProperties = false, } @@ -336,6 +370,7 @@ _M.route = { }, uniqueItems = true, }, + name = {type = "string", maxLength = 50}, desc = {type = "string", maxLength = 256}, priority = {type = "integer", default = 0}, @@ -413,6 +448,7 @@ _M.service = { plugins = plugins_schema, upstream = upstream_schema, upstream_id = id_schema, + name = {type = "string", maxLength = 50}, desc = {type = "string", maxLength = 256}, }, anyOf = { @@ -445,6 +481,7 @@ _M.upstream = upstream_schema _M.ssl = { type = "object", properties = { + id = id_schema, cert = { type = "string", minLength = 128, maxLength = 64*1024 }, @@ -454,13 +491,34 @@ _M.ssl = { sni = { type = "string", pattern = [[^\*?[0-9a-zA-Z-.]+$]], + }, + snis = { + type = "array", + items = { + type = "string", + pattern = [[^\*?[0-9a-zA-Z-.]+$]], + } + }, + exptime = { + type = "integer", + minimum = 1588262400, -- 2020/5/1 0:0:0 + }, + status = { + description = "ssl status, 1 to enable, 0 to disable", + type = "integer", + enum = {1, 0}, + default = 1 } }, - required = {"sni", "key", "cert"}, + oneOf = { + {required = {"sni", "key", "cert"}}, + {required = {"snis", "key", "cert"}} + }, additionalProperties = false, } + _M.proto = { type = "object", properties = { @@ -476,6 +534,7 @@ _M.proto = { _M.global_rule = { type = "object", properties = { + id = id_schema, plugins = plugins_schema }, required = {"plugins"}, @@ -486,6 +545,7 @@ _M.global_rule = { _M.stream_route = { type = "object", properties = { + id = id_schema, remote_addr = remote_addr_def, server_addr = { description = "server IP", diff --git a/apisix/stream/plugins/mqtt-proxy.lua b/apisix/stream/plugins/mqtt-proxy.lua index f8d3552c66c42..b5334306b1697 100644 --- a/apisix/stream/plugins/mqtt-proxy.lua +++ b/apisix/stream/plugins/mqtt-proxy.lua @@ -15,8 +15,8 @@ -- limitations under the License. -- local core = require("apisix.core") -local balancer = require("ngx.balancer") -local bit = require "bit" +local upstream = require("apisix.upstream") +local bit = require("bit") local ngx = ngx local ngx_exit = ngx.exit local str_byte = string.byte @@ -158,25 +158,28 @@ function _M.preread(conf, ctx) end core.log.info("mqtt client id: ", res.client_id) -end + local up_conf = { + type = "roundrobin", + nodes = { + {host = conf.upstream.ip, port = conf.upstream.port, weight = 1}, + } + } -function _M.log(conf, ctx) - core.log.info("plugin log phase, conf: ", core.json.encode(conf)) -end + local ok, err = upstream.check_schema(up_conf) + if not ok then + return 500, err + end + local matched_route = ctx.matched_route + upstream.set(ctx, up_conf.type .. "#route_" .. matched_route.value.id, + ctx.conf_version, up_conf, matched_route) + return +end -function _M.balancer(conf, ctx) - core.log.info("plugin balancer phase, conf: ", core.json.encode(conf)) - -- ctx.balancer_name = plugin_name - local up = conf.upstream - ctx.balancer_name = plugin_name - local ok, err = balancer.set_current_peer(up.ip, up.port) - if not ok then - core.log.error("failed to set server peer: ", err) - return ngx_exit(1) - end +function _M.log(conf, ctx) + core.log.info("plugin log phase, conf: ", core.json.encode(conf)) end diff --git a/apisix/upstream.lua b/apisix/upstream.lua new file mode 100644 index 0000000000000..203b713d01070 --- /dev/null +++ b/apisix/upstream.lua @@ -0,0 +1,154 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local core = require("apisix.core") +local error = error +local tostring = tostring +local ipairs = ipairs +local pairs = pairs +local upstreams + + +local _M = {} + + +local function set_directly(ctx, key, ver, conf, parent) + if not ctx then + error("missing argument ctx", 2) + end + if not key then + error("missing argument key", 2) + end + if not ver then + error("missing argument ver", 2) + end + if not conf then + error("missing argument conf", 2) + end + if not parent then + error("missing argument parent", 2) + end + + ctx.upstream_conf = conf + ctx.upstream_version = ver + ctx.upstream_key = key + ctx.upstream_healthcheck_parent = parent + return +end +_M.set = set_directly + + +function _M.set_by_route(route, api_ctx) + if api_ctx.upstream_conf then + return true + end + + local up_id = route.value.upstream_id + if up_id then + if not upstreams then + return false, "need to create a etcd instance for fetching " + .. "upstream information" + end + + local up_obj = upstreams:get(tostring(up_id)) + if not up_obj then + return false, "failed to find upstream by id: " .. up_id + end + core.log.info("upstream: ", core.json.delay_encode(up_obj)) + + local up_conf = up_obj.dns_value or up_obj.value + set_directly(api_ctx, up_conf.type .. "#upstream_" .. up_id, + up_obj.modifiedIndex, up_conf, up_obj) + return true + end + + local up_conf = (route.dns_value and route.dns_value.upstream) + or route.value.upstream + if not up_conf then + return false, "missing upstream configuration in Route or Service" + end + + set_directly(api_ctx, up_conf.type .. "#route_" .. route.value.id, + api_ctx.conf_version, up_conf, route) + return true +end + + +function _M.upstreams() + if not upstreams then + return nil, nil + end + + return upstreams.values, upstreams.conf_version +end + + +function _M.check_schema(conf) + return core.schema.check(core.schema.upstream, conf) +end + + +function _M.init_worker() + local err + upstreams, err = core.config.new("/upstreams", { + automatic = true, + item_schema = core.schema.upstream, + filter = function(upstream) + upstream.has_domain = false + if not upstream.value or not upstream.value.nodes then + return + end + + local nodes = upstream.value.nodes + if core.table.isarray(nodes) then + for _, node in ipairs(nodes) do + local host = node.host + if not core.utils.parse_ipv4(host) and + not core.utils.parse_ipv6(host) then + upstream.has_domain = true + break + end + end + else + local new_nodes = core.table.new(core.table.nkeys(nodes), 0) + for addr, weight in pairs(nodes) do + local host, port = core.utils.parse_addr(addr) + if not core.utils.parse_ipv4(host) and + not core.utils.parse_ipv6(host) then + upstream.has_domain = true + end + local node = { + host = host, + port = port, + weight = weight, + } + core.table.insert(new_nodes, node) + end + upstream.value.nodes = new_nodes + end + + core.log.info("filter upstream: ", core.json.delay_encode(upstream)) + end, + }) + if not upstreams then + error("failed to create etcd instance for fetching upstream: " .. err) + return + end +end + + +return _M diff --git a/apisix/utils/log-util.lua b/apisix/utils/log-util.lua index 6ee03b288db6f..b11a435808f88 100644 --- a/apisix/utils/log-util.lua +++ b/apisix/utils/log-util.lua @@ -18,7 +18,7 @@ local core = require("apisix.core") local _M = {} -local function get_full_log(ngx) +local function get_full_log(ngx, conf) local ctx = ngx.ctx.api_ctx local var = ctx.var local service_id @@ -34,7 +34,7 @@ local function get_full_log(ngx) service_id = var.host end - return { + local log = { request = { url = url, uri = var.request_uri, @@ -56,6 +56,20 @@ local function get_full_log(ngx) start_time = ngx.req.start_time() * 1000, latency = (ngx.now() - ngx.req.start_time()) * 1000 } + + if conf.include_req_body then + local body = ngx.req.get_body_data() + if body then + log.request.body = body + else + local body_file = ngx.req.get_body_file() + if body_file then + log.request.body_file = body_file + end + end + end + + return log end _M.get_full_log = get_full_log diff --git a/benchmark/fake-apisix/conf/nginx.conf b/benchmark/fake-apisix/conf/nginx.conf index 327169adf189b..8666c29979772 100644 --- a/benchmark/fake-apisix/conf/nginx.conf +++ b/benchmark/fake-apisix/conf/nginx.conf @@ -24,7 +24,6 @@ pid logs/nginx.pid; worker_rlimit_nofile 20480; events { - accept_mutex off; worker_connections 10620; } @@ -33,6 +32,9 @@ worker_shutdown_timeout 3; http { lua_package_path "$prefix/lua/?.lua;;"; + log_format main '$remote_addr - $remote_user [$time_local] $http_host "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent" $upstream_addr $upstream_status $upstream_response_time'; + access_log logs/access.log main buffer=16384 flush=5; + init_by_lua_block { require "resty.core" apisix = require("apisix") @@ -60,8 +62,6 @@ http { listen 9080; - access_log off; - server_tokens off; more_set_headers 'Server: APISIX web server'; @@ -106,6 +106,10 @@ http { apisix.http_header_filter_phase() } + body_filter_by_lua_block { + apisix.http_body_filter_phase() + } + log_by_lua_block { apisix.http_log_phase() } diff --git a/benchmark/fake-apisix/lua/apisix.lua b/benchmark/fake-apisix/lua/apisix.lua index 30671f7fa41b6..ea5bf15bf1117 100644 --- a/benchmark/fake-apisix/lua/apisix.lua +++ b/benchmark/fake-apisix/lua/apisix.lua @@ -25,7 +25,7 @@ end local function fake_fetch() ngx.ctx.ip = "127.0.0.1" - ngx.ctx.port = 80 + ngx.ctx.port = 1980 end function _M.http_access_phase() @@ -42,6 +42,12 @@ function _M.http_header_filter_phase() end end +function _M.http_body_filter_phase() + if ngx.ctx then + -- do something + end +end + function _M.http_log_phase() if ngx.ctx then -- do something diff --git a/benchmark/run.sh b/benchmark/run.sh index ff068d64f57b1..c41b554d2ce5e 100755 --- a/benchmark/run.sh +++ b/benchmark/run.sh @@ -36,7 +36,12 @@ function onCtrlC () { sudo openresty -p $PWD/benchmark/server -s stop || exit 1 } -sed -i "s/worker_processes [0-9]*/worker_processes $worker_cnt/g" conf/nginx.conf +if [[ "$(uname)" == "Darwin" ]]; then + sed -i "" "s/worker_processes .*/worker_processes $worker_cnt;/g" conf/nginx.conf +else + sed -i "s/worker_processes .*/worker_processes $worker_cnt;/g" conf/nginx.conf +fi + make run sleep 3 diff --git a/bin/apisix b/bin/apisix index 1659de218ddce..4d7857ada7227 100755 --- a/bin/apisix +++ b/bin/apisix @@ -21,6 +21,8 @@ local function trim(s) return (s:gsub("^%s*(.-)%s*$", "%1")) end +-- Note: The `excute_cmd` return value will have a line break at the end, +-- it is recommended to use the `trim` function to handle the return value. local function excute_cmd(cmd) local t, err = io.popen(cmd) if not t then @@ -103,7 +105,6 @@ events { } worker_rlimit_core {* worker_rlimit_core *}; -working_directory /tmp/apisix_cores/; worker_shutdown_timeout 3; @@ -179,6 +180,7 @@ http { lua_shared_dict upstream-healthcheck 10m; lua_shared_dict worker-events 10m; lua_shared_dict lrucache-lock 10m; + lua_shared_dict skywalking-tracing-buffer 100m; # for openid-connect plugin lua_shared_dict discovery 1m; # cache for discovery metadata documents @@ -227,7 +229,7 @@ http { log_format main '$remote_addr - $remote_user [$time_local] $http_host "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent" $upstream_addr $upstream_status $upstream_response_time'; - access_log {* http.access_log *} main buffer=32768 flush=3; + access_log {* http.access_log *} main buffer=16384 flush=3; open_file_cache max=1000 inactive=60; client_max_body_size 0; keepalive_timeout {* http.keepalive_timeout *}; @@ -239,6 +241,7 @@ http { more_set_headers 'Server: APISIX web server'; include mime.types; + charset utf-8; {% if real_ip_header then %} real_ip_header {* real_ip_header *}; @@ -284,7 +287,18 @@ http { {% if enable_admin and port_admin then %} server { + {%if https_admin then%} + listen {* port_admin *} ssl; + ssl_certificate cert/apisix_admin_ssl.crt; + ssl_certificate_key cert/apisix_admin_ssl.key; + ssl_session_cache shared:SSL:1m; + + ssl_protocols {* ssl.ssl_protocols *}; + ssl_ciphers {* ssl.ssl_ciphers *}; + ssl_prefer_server_ciphers on; + {% else %} listen {* port_admin *}; + {%end%} log_not_found off; location /apisix/admin { {%if allow_admin then%} @@ -309,7 +323,7 @@ http { alias dashboard/; - try_files $uri $uri/index.html /index.html; + try_files $uri $uri/index.html /index.html =404; } location /robots.txt { @@ -379,7 +393,7 @@ http { alias dashboard/; - try_files $uri $uri/index.html /index.html; + try_files $uri $uri/index.html /index.html =404; } {% end %} @@ -663,7 +677,7 @@ local function init() local sys_conf = { lua_path = pkg_path_org, lua_cpath = pkg_cpath_org, - os_name = excute_cmd("uname"), + os_name = trim(excute_cmd("uname")), apisix_lua_home = apisix_home, with_module_status = with_module_status, error_log = {level = "warn"}, @@ -699,6 +713,7 @@ local function init() if(sys_conf["enable_dev_mode"] == true) then sys_conf["worker_processes"] = 1 + sys_conf["enable_reuseport"] = false else sys_conf["worker_processes"] = "auto" end @@ -768,6 +783,18 @@ local function init_etcd(show_output) local host_count = #(yaml_conf.etcd.host) + -- check whether the user has enabled etcd v2 protocol + for index, host in ipairs(yaml_conf.etcd.host) do + uri = host .. "/v2/keys" + local cmd = "curl -i -m ".. timeout * 2 .. " -o /dev/null -s -w %{http_code} " .. uri + local res = excute_cmd(cmd) + if res == "404" then + io.stderr:write(string.format("failed: please make sure that you have enabled the v2 protocol of etcd on %s.\n", host)) + return + end + end + + local etcd_ok = false for index, host in ipairs(yaml_conf.etcd.host) do local is_success = true @@ -786,7 +813,7 @@ local function init_etcd(show_output) if not res:find("index", 1, true) and not res:find("createdIndex", 1, true) then is_success = false - if (index == hostCount) then + if (index == host_count) then error(cmd .. "\n" .. res) end break @@ -799,9 +826,14 @@ local function init_etcd(show_output) end if is_success then + etcd_ok = true break end end + + if not etcd_ok then + error("none of the configured etcd works well") + end end _M.init_etcd = init_etcd @@ -830,13 +862,17 @@ end function _M.reload() local test_cmd = openresty_args .. [[ -t -q ]] - if os.execute((test_cmd)) ~= 0 then + -- When success, + -- On linux, os.execute returns 0, + -- On macos, os.execute returns 3 values: true, exit, 0, and we need the first. + local test_ret = os.execute((test_cmd)) + if (test_ret == 0 or test_ret == true) then + local cmd = openresty_args .. [[ -s reload]] + -- print(cmd) + os.execute(cmd) return end - - local cmd = openresty_args .. [[ -s reload]] - -- print(cmd) - os.execute(cmd) + print("test openresty failed") end function _M.version() diff --git a/conf/cert/apisix_admin_ssl.crt b/conf/cert/apisix_admin_ssl.crt new file mode 100644 index 0000000000000..82d7fc3aa31a5 --- /dev/null +++ b/conf/cert/apisix_admin_ssl.crt @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsTCCA5mgAwIBAgIUODyT8W4gAxf8uwMNmtj5M1ANoUwwDQYJKoZIhvcNAQEL +BQAwVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzEPMA0GA1UEBwwG +Wmh1SGFpMQ0wCwYDVQQKDARhcGk3MRMwEQYDVQQDDAphcGlzaXguZGV2MCAXDTIw +MDYwNDAzMzc1MFoYDzIxMjAwNTExMDMzNzUwWjBWMQswCQYDVQQGEwJDTjESMBAG +A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx +EzARBgNVBAMMCmFwaXNpeC5kZXYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQDQveSdplH49Lr+LsLWpGJbNRhf2En0V4SuFKpzGFP7mXaI7rMnpdH3BUVY +S3juMgPOdNh6ho4BeSbGZGfU3lG1NwIOXiPNA1mrTWGNGV97crJDVZeWTuDpqNHJ +4ATrnF6RnRbg0en8rjVtce6LBMrDJVyGbi9VAqBUPrCmzT/l0V1jPL6KNSN8mQog +ladrJuzUanfhWM9K9xyM+/SUt1MNUYFLNsVHasPzsi5/YDRBiwuzTtiT56O6yge2 +lvrdPFvULrCxlGteyvhtrFJwqjN//YtnQFooNR0CXBfXs0a7WGgMjawupuP1JKiY +t9KEcGHWGZDeLfsGGKgQ9G+PaP4y+gHjLr5xQvwt68otpoafGy+BpOoHZZFoLBpx +TtJKA3qnwyZg9zr7lrtqr8CISO/SEyh6xkAOUzb7yc2nHu9UpruzVIR7xI7pjc7f +2T6WyCVy6gFYQwzFLwkN/3O+ZJkioxXsnwaYWDj61k3d9ozVDkVkTuxmNJjXV8Ta +htGRAHo0/uHmpFTcaQfDf5o+iWi4z9B5kgfA/A1XWFQlCH1kl3mHKg7JNCN9qGF8 +rG+YzdiLQfo5OqJSvzGHRXbdGI2JQe/zyJHsMO7d0AhwXuPOWGTTAODOPlaBCxNB +AgjuUgt+3saqCrK4eaOo8sPt055AYJhZlaTH4EeD4sv7rJGm7wIDAQABo3UwczAd +BgNVHQ4EFgQUPS1LXZMqgQvH/zQHHzgTzrd7PIIwHwYDVR0jBBgwFoAUPS1LXZMq +gQvH/zQHHzgTzrd7PIIwDAYDVR0TBAUwAwEB/zAjBgNVHREEHDAaggphcGlzaXgu +ZGV2ggwqLmFwaXNpeC5kZXYwDQYJKoZIhvcNAQELBQADggIBAMlwNS8uo3JkkshI +rpYobdjCZfr74PBl+LhoihvzHs25/in3+CxETRA8cYo5pRotqdA63po3wiCCPs6a +mZiELQxyGHhFcqoYxnoURR4nyogRZLA6jjLGkbG4H+CA4ApmZmvGnP3X5uQW4v5q +IdqIXL3BvoUBln8GMEC7Rz5SGUjWG03JPkl6MdeziFyHkwdBCOrtK5m7icRncvq+ +iL8CMUx024LLI6A5hTBPwfVfgbWJTSv7tEu85q54ZZoYQhiD8dde4D7g5/noPvXM +ZyA9C3Sl981+pUhhazad9j9k8DCcqf9e8yH9lPY26tjiEcShv4YnwbErWzJU1F9s +ZI5Z6nj5PU66upnBWAWV7fWCOrlouB4GjNaznSNrmpn4Bb2+FinDK3t4AfWDPS5s +ljQBGQNXOd30DC7BdNAF5dQAUhVfz1EgQGqYa+frMQLiv8rNMs7h6gKQEqU+jC/1 +jbGe4/iwc0UeTtSgTPHMofqjqc99/R/ZqtJ3qFPJmoWpyu0NlNINw2KWRQaMoGLo +WgDCS0YA5/hNXVFcWnZ73jY62yrVSoj+sFbkUpGWhEFnO+uSmBv8uwY3UeCOQDih +X7Yazs3TZRqEPU+25QATf0kbxyzlWbGkwvyRD8x+n3ZHs5Ilhrc6jWHqM/S3ir7i +m9GcWiwg++EbusQsqs3w3uKAHAdT +-----END CERTIFICATE----- diff --git a/conf/cert/apisix_admin_ssl.key b/conf/cert/apisix_admin_ssl.key new file mode 100644 index 0000000000000..ec889056ffb63 --- /dev/null +++ b/conf/cert/apisix_admin_ssl.key @@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEA0L3knaZR+PS6/i7C1qRiWzUYX9hJ9FeErhSqcxhT+5l2iO6z +J6XR9wVFWEt47jIDznTYeoaOAXkmxmRn1N5RtTcCDl4jzQNZq01hjRlfe3KyQ1WX +lk7g6ajRyeAE65xekZ0W4NHp/K41bXHuiwTKwyVchm4vVQKgVD6wps0/5dFdYzy+ +ijUjfJkKIJWnaybs1Gp34VjPSvccjPv0lLdTDVGBSzbFR2rD87Iuf2A0QYsLs07Y +k+ejusoHtpb63Txb1C6wsZRrXsr4baxScKozf/2LZ0BaKDUdAlwX17NGu1hoDI2s +Lqbj9SSomLfShHBh1hmQ3i37BhioEPRvj2j+MvoB4y6+cUL8LevKLaaGnxsvgaTq +B2WRaCwacU7SSgN6p8MmYPc6+5a7aq/AiEjv0hMoesZADlM2+8nNpx7vVKa7s1SE +e8SO6Y3O39k+lsglcuoBWEMMxS8JDf9zvmSZIqMV7J8GmFg4+tZN3faM1Q5FZE7s +ZjSY11fE2obRkQB6NP7h5qRU3GkHw3+aPolouM/QeZIHwPwNV1hUJQh9ZJd5hyoO +yTQjfahhfKxvmM3Yi0H6OTqiUr8xh0V23RiNiUHv88iR7DDu3dAIcF7jzlhk0wDg +zj5WgQsTQQII7lILft7GqgqyuHmjqPLD7dOeQGCYWZWkx+BHg+LL+6yRpu8CAwEA +AQKCAgBNsbBLAWHXYPfMrgj1LUAypIOLAQ0dtgl7ZdO/fRmdNxSIiRgDtNN+tuaF +o6nCNrl1+cWtbTGj2L0W8L442/rbkTrhsCZxI0MX4HhjtUL1xs4VA+GlH3zVW3Gi +SxBpxczpM+gVC+ykkQ7vyo04DzONCPX0T0Ssxop4cND9dL3Iw3GYAz8EYBzyPmAn +mqwy1M0nju1J4e1eALYOv6TcSZPPDDwsi5lIKLQAm5x06pDoqGFVfw5blsc5OgM+ +8dkzyUiApFQ99Hk2UiO/ZnlU1/TNOcjOSISGHKbMfwycy2yTRKeNrJmez51fXCKo +nRrtEotHzkI+gCzDqx+7F9ACN9kM4f4JO5ca0/My6tCY+mH8TA/nVzMnUpL7329w +NobuNTpyA6x5nmB3QqElrzQCRtTj7Nw5ytMdRbByJhXww9C5tajUysdq8oGoZdz5 +94kXr6qCC5Qm3CkgyF2RjqZyg9tHUEEdaFKouHgziiqG9P2Nk1SHk7Jd7bF4rleI +i93u/f0fdVK7aMksofgUbOmfhnS+o1NxerVcbdX+E/iv6yfkrYDb46y3//4dcpwk +TeUEMCjc7ShwvYPq350q3jmzgwxeTK8ZdXwJymdJ7MaGcnMXPqd9A43evYM6nG6f +i3l2tYhH4cp6misGChnGORR68qsRkY8ssvSFNFzjcFHhnPyoCQKCAQEA8isIC1IJ +Iq9kB4mDVh0QdiuoBneNOEHy/8fASeZsqedu0OZPyoXU96iOhXuqf8sQ33ydvPef +iRwasLLkgw8sDeWILUjS36ZzwGP2QNxWfrapCFS8VfKl7hTPMVp0Wzxh8qqpGLSh +O0W7EEAJCgzzULagfupaO0Chmb3LZqXRp8m5oubnmE+9z0b5GrCIT1S8Yay2mEw9 +jxqZJGBhV7QnupyC2DIxLXlGmQk7Qs1+1mCCFwyfugHXclWYa+fet/79SkkADK0/ +ysxfy+FdZgGT/Ba5odsEpt1zH+tw4WXioJsX9mU3zAHbpPqtcfuVU+2xyKfQYrRG +NSm9MMNmart0wwKCAQEA3Koaj/0gNxLLslLIES50KmmagzU8CkEmCa/WLoVy02xr +qp42hvj+PzBTf3rIno3KEpRhMmnAtswozbV3P4l/VSZdfY+pwWsx7/5+Cf1R9nAP +vp6YCjGcLcbASazYNOWf0FRInt3pxdgT9DWjJDi99FGKA+UbI2yxHwzE+cE8r9Od +Iy42uhzCjJBqdg+an+q63k6yrOwv18KP69LlU/4vknhw4g3WxF4yTwVmXU8WKmux +aOrJv2ED8pfA7k+zwv0rPyN+F2nOySxoChaFfeu6ntBCX7zK/nV0DsMQImOycfzO +yN8WB9lRZTJVzU2r6PaGAI359uLHEmURy0069g+yZQKCAQAbECwJ99UFh0xKe1eu +G/lm+2H/twSVMOmTJCOdHp8uLar4tYRdQa+XLcMfr75SIcN09lw6bgHqNLXW4Wcg +LmXh97DMPsMyM0vkSEeQ4A7agldJkw6pHEDm5nRxM4alW44mrGPRWv5ZvWU2X7Gi +6eeXMZGmHVKQJJzqrYc5pXZUpfqU9fET2HWB4JCeJvRUyUd0MvUE+CA5CePraMn4 +Hy4BcNQ+jP1p84+sMpfo00ZFduuS39pJ00LciCxMgtElBt4PmzDiOcpTQ5vBESJ6 +79o15eRA7lUKwNzIyGsJBXXaNPrskks2BU8ilNElV9RMWNfxcK+dGEBwWIXIGU4s +x145AoIBAQCst9R8udNaaDLaTGNe126DuA8B/kwVdrLwSBqsZTXgeO+5J4dklEZl +bU0d7hxTxoXRjySZEh+OtTSG9y/0oonxO0tYOXfU9jOrNxaueQKLk2EvgfFdoUEu +r2/Y+xpsJQO3TBFfkDEn856Cuu0MMAG214/gxpY8XxowRI11NCRtN4S6gbTCbjp1 +TaCW8lXEMDW+Rfki0ugLyLVgD74CxWW1DuLEfbKKF3TnV0GtbXbbE1pU1dm+G5C8 +dL3FissYp5MPI5fRebcqzcBNjR1F15pGLpqVVy/IhmSmHVZmpISLJicxITScRiSo +wgJY5R/XBAcVLgvmi9Dn/AY2jCfHa7flAoIBAQCbnZ6ivZg81g6/X9qdo9J61hX0 +Y7Fn7bLvcs1L0ARGTsfXMvegA806XyZThqjpY47nHpQtoz4z62kiTTsdpAZUeA3z +9HUWr0b3YEpsvZpgyMNHgwq1vRDPjw4AWz0pBoDWMxx8Ck5nP1A//c1zyu9pgYEU +R+OutDeCJ+0VAc6JSH9WMA08utGPGs3t02Zhtyt2sszE9vzz4hTi5340/AYG72p7 +YGlikUxvbyylYh9wR4YUYa/klikvKLHEML1P0BCr8Vex+wLSGS1h1F5tW1Xr2CZQ +dVxFmfGmPDmwWbCQR6Rvt6FHRwNMpMrLr011h2RBcHBpdQl7XpUENDoopIh0 +-----END RSA PRIVATE KEY----- diff --git a/conf/cert/openssl-test2.conf b/conf/cert/openssl-test2.conf new file mode 100644 index 0000000000000..1e5beec911dff --- /dev/null +++ b/conf/cert/openssl-test2.conf @@ -0,0 +1,40 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = CN +ST = GuangDong +L = ZhuHai +O = iresty +CN = test2.com + +[v3_req] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +basicConstraints = CA:TRUE +subjectAltName = @alt_names + +[alt_names] +DNS.1 = test2.com +DNS.2 = *.test2.com + +## openssl genrsa -out test2.key 3072 +## openssl req -new -x509 -key test2.key -sha256 -config openssl-test2.conf -out test2.crt -days 36500 diff --git a/conf/cert/test2.crt b/conf/cert/test2.crt new file mode 100644 index 0000000000000..922a8f8b6896f --- /dev/null +++ b/conf/cert/test2.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEsTCCAxmgAwIBAgIUMbgUUCYHkuKDaPy0bzZowlK0JG4wDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzEPMA0GA1UEBwwG +Wmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxEjAQBgNVBAMMCXRlc3QyLmNvbTAgFw0y +MDA0MDQyMjE3NTJaGA8yMTIwMDMxMTIyMTc1MlowVzELMAkGA1UEBhMCQ04xEjAQ +BgNVBAgMCUd1YW5nRG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVz +dHkxEjAQBgNVBAMMCXRlc3QyLmNvbTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCC +AYoCggGBAMQGBk35V3zaNVDWzEzVGd+EkZnUOrRpXQg5mmcnoKnrQ5rQQMsQCbMO +gFvLt/9OEZQmbE2HuEKsPzL79Yjdu8rGjSoQdbJZ9ccO32uvln1gn68iK79o7Tvm +TCi+BayyNA+lo9IxrBm1wGBkOU1ZPasGYzgBAbMLTSDps1EYxNR8t4l9PrTTRsh6 +NZyTYoDeVIsKZ9SckpjWVnxHOkF+AzZzIJJSe2pj572TDLYA/Xw9I4X3L+SHzwTl +iGWNXb2tU367LHERHvensQzdle7mQN2kE5GpB7QPWB+t9V4mn30jc/LyDvOaei6L ++pbl5CriGBTjaR80oXhK765K720BQeKUezri15bQlMaUGQRnzr53ZsqA4PEh6WCX +hUT2ibO32+uZFXzVQw8y/JUkPf76pZagi8DoLV+sfSbUtnpbQ8wyV2qqTM2eCuPi +RgUwXQi2WssKKzrqcgKil3vksHZozLtOmyZiNE4qfNxv+UGoIybJtZmB+9spY0Rw +5zBRuULycQIDAQABo3MwcTAdBgNVHQ4EFgQUCmZefzpizPrb3VbiIDhrA48ypB8w +HwYDVR0jBBgwFoAUCmZefzpizPrb3VbiIDhrA48ypB8wDAYDVR0TBAUwAwEB/zAh +BgNVHREEGjAYggl0ZXN0Mi5jb22CCyoudGVzdDIuY29tMA0GCSqGSIb3DQEBCwUA +A4IBgQA0nRTv1zm1ACugJFfYZfxZ0mLJfRUCFMmFfhy+vGiIu6QtnOFVw/tEOyMa +m78lBiqac15n3YWYiHiC5NFffTZ7XVlOjN2i4x2z2IJsHNa8tU80AX0Q/pizGK/d ++dzlcsGBb9MGT18h/B3/EYQFKLjUsr0zvDb1T0YDlRUsN3Bq6CvZmvfe9F7Yh4Z/ +XO5R+rX8w9c9A2jzM5isBw2qp/Ggn5RQodMwApEYkJdu80MuxaY6s3dssS4Ay8wP +VNFEeLcdauJ00ES1OnbnuNiYSiSMOgWBsnR+c8AaSRB/OZLYQQKGGYbq0tspwRjM +MGJRrI/jdKnvJQ8p02abdvA9ZuFChoD3Wg03qQ6bna68ZKPd9peBPpMrDDGDLkGI +NzZ6bLJKILnQkV6b1OHVnPDsKXfXjUTTNK/QLJejTXu9RpMBakYZMzs/SOSDtFlS +A+q25t6+46nvA8msUSBKyOGBX42mJcKvR4OgG44PfDjYfmjn2l+Dz/jNXDclpb+Q +XAzBnfM= +-----END CERTIFICATE----- diff --git a/conf/cert/test2.key b/conf/cert/test2.key new file mode 100644 index 0000000000000..c25d4e5bde9e4 --- /dev/null +++ b/conf/cert/test2.key @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5QIBAAKCAYEAxAYGTflXfNo1UNbMTNUZ34SRmdQ6tGldCDmaZyegqetDmtBA +yxAJsw6AW8u3/04RlCZsTYe4Qqw/Mvv1iN27ysaNKhB1sln1xw7fa6+WfWCfryIr +v2jtO+ZMKL4FrLI0D6Wj0jGsGbXAYGQ5TVk9qwZjOAEBswtNIOmzURjE1Hy3iX0+ +tNNGyHo1nJNigN5Uiwpn1JySmNZWfEc6QX4DNnMgklJ7amPnvZMMtgD9fD0jhfcv +5IfPBOWIZY1dva1TfrsscREe96exDN2V7uZA3aQTkakHtA9YH631XiaffSNz8vIO +85p6Lov6luXkKuIYFONpHzSheErvrkrvbQFB4pR7OuLXltCUxpQZBGfOvndmyoDg +8SHpYJeFRPaJs7fb65kVfNVDDzL8lSQ9/vqllqCLwOgtX6x9JtS2eltDzDJXaqpM +zZ4K4+JGBTBdCLZayworOupyAqKXe+SwdmjMu06bJmI0Tip83G/5QagjJsm1mYH7 +2yljRHDnMFG5QvJxAgMBAAECggGBAIELlkruwvGmlULKpWRPReEn3NJwLNVoJ56q +jUMri1FRWAgq4PzNahU+jrHfwxmHw3rMcK/5kQwTaOefh1y63E35uCThARqQroSE +/gBeb6vKWFVrIXG5GbQ9QBXyQroV9r/2Q4q0uJ+UTzklwbNx9G8KnXbY8s1zuyrX +rvzMWYepMwqIMSfJjuebzH9vZ4F+3BlMmF4XVUrYj8bw/SDwXB0UXXT2Z9j6PC1J +CS0oKbgIZ8JhoF3KKjcHBGwWTIf5+byRxeG+z99PBEBafm1Puw1vLfOjD3DN/fso +8xCEtD9pBPBJ+W97x/U+10oKetmP1VVEr2Ph8+s2VH1zsRF5jo5d0GtvJqOwIQJ7 +z3OHJ7lLODw0KAjB1NRXW4dTTUDm6EUuUMWFkGAV6YTyhNLAT0DyrUFJck9RiY48 +3QN8vSf3n/+3wwg1gzcJ9w3W4DUbvGqu86CaUQ4UegfYJlusY/3YGp5bGNQdxmws +lgIoSRrHp6UJKsP8Yl08MIvT/oNLgQKBwQD75SuDeyE0ukhEp0t6v+22d18hfSef +q3lLWMI1SQR9Kiem9Z1KdRkIVY8ZAHANm6D8wgjOODT4QZtiqJd2BJn3Xf+aLfCd +CW0hPvmGTcp/E4sDZ2u0HbIrUStz7ZcgXpjD2JJAJGEKY2Z7J65gnTqbqoBDrw1q +1+FqtikkHRte1UqxjwnWBpSdoRQFgNPHxPWffhML1xsD9Pk1B1b7JoakYcKsNoQM +oXUKPLxSZEtd0hIydqmhGYTa9QWBPNDlA5UCgcEAxzfGbOrPBAOOYZd3jORXQI6p +H7SddTHMQyG04i+OWUd0HZFkK7/k6r26GFmImNIsQMB26H+5XoKRFKn+sUl14xHY +FwB140j0XSav2XzT38UpJ9CptbgK1eKGQVp41xwRYjHVScE5hJuA3a1TKM0l26rp +hny/KaP+tXuqt9QbxcUN6efubNYyFP+m6nq2/XdX74bJuGpXLq8W0oFdiocO6tmF +4/Hsc4dCVrcwULqXQa0lJ57zZpfIPARqWM2847xtAoHBANVUNbDpg6rTJMc34722 +dAy3NhL3mqooH9aG+hsEls+l9uT4WFipqSScyU8ERuHPbt0BO1Hi2kFx1rYMUBG8 +PeT4b7NUutVUGV8xpUNv+FH87Bta6CUnjTAQUzuf+QCJ/NjIPrwh0yloG2+roIvk +PLF/CZfI1hUpdZfZZChYmkiLXPHZURw4gH6q33j1rOYf0WFc9aZua0vDmZame6zB +6P+oZ6VPmi/UQXoFC/y/QfDYK18fjfOI2DJTlnDoX4XErQKBwGc3M5xMz/MRcJyJ +oIwj5jzxbRibOJV2tpD1jsU9xG/nQHbtVEwCgTVKFXf2M3qSMhFeZn0xZ7ZayZY+ +OVJbcDO0lBPezjVzIAB/Qc7aCOBAQ4F4b+VRtHN6iPqlSESTK0KH9Szgas+UzeCM +o7BZEctNMu7WBSkq6ZXXu+zAfZ8q6HmPDA3hsFMG3dFQwSxzv+C/IhZlKkRqvNVV +50QVk5oEF4WxW0PECY/qG6NH+YQylDSB+zPlYf4Of5cBCWOoxQKBwQCeo37JpEAR +kYtqSjXkC5GpPTz8KR9lCY4SDuC1XoSVCP0Tk23GX6GGyEf4JWE+fb/gPEFx4Riu +7pvxRwq+F3LaAa/FFTNUpY1+8UuiMO7J0B1RkVXkyJjFUF/aQxAnOoZPmzrdZhWy +bpe2Ka+JS/aXSd1WRN1nmo/DarpWFvdLWZFwUt6zMziH40o1gyPHEuXOqVtf2QCe +Q6WC9xnEz4lbb/fR2TF9QRA4FtoRpDe/f3ZGIpWE0RdwyZZ6uA7T1+Q= +-----END RSA PRIVATE KEY----- diff --git a/conf/config.yaml b/conf/config.yaml index 8f691d59253b2..eba48dfa992c8 100644 --- a/conf/config.yaml +++ b/conf/config.yaml @@ -54,6 +54,8 @@ apisix: # - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. # - "::/64" # port_admin: 9180 # use a separate port + # https_admin: true # enable HTTPS when use a separate port for Admin API. + # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. # Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. @@ -89,9 +91,12 @@ apisix: enable: true enable_http2: true listen_port: 9443 - ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" - ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" - + ssl_protocols: "TLSv1.2 TLSv1.3" + ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" + key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd. + # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC + # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! +# discovery: eureka # service discovery center nginx_config: # config for render the template to genarate nginx.conf error_log: "logs/error.log" error_log_level: "warn" # warn,error @@ -116,7 +121,19 @@ etcd: host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. - "http://etcd:2379" # multiple etcd address prefix: "/apisix" # apisix configurations prefix - timeout: 3 # 3 seconds + timeout: 30 # 3 seconds + # user: root # root username for etcd + # password: 5tHkHhYkjr6cQY # root password for etcd +#eureka: +# host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster. +# - "http://127.0.0.1:8761" +# prefix: "/eureka/" +# fetch_interval: 30 # default 30s +# weight: 100 # default weight for node +# timeout: +# connect: 2000 # default 2000ms +# send: 2000 # default 2000ms +# read: 5000 # default 5000ms plugins: # plugin list - example-plugin @@ -145,6 +162,14 @@ plugins: # plugin list - proxy-mirror - kafka-logger - cors + - consumer-restriction + - syslog - batch-requests + - http-logger + - skywalking + - echo + - authz-keycloak + - uri-blocker + stream_plugins: - mqtt-proxy diff --git a/dashboard b/dashboard index cfb3ee7b87210..329b092dcaa7a 160000 --- a/dashboard +++ b/dashboard @@ -1 +1 @@ -Subproject commit cfb3ee7b8721076975c1deaff3e52da3ea4a312a +Subproject commit 329b092dcaa7a505dcdec86c667b6803f5863d94 diff --git a/doc/README.md b/doc/README.md index 238e1983cb1f1..c9a8f95b41f64 100644 --- a/doc/README.md +++ b/doc/README.md @@ -16,19 +16,19 @@ # limitations under the License. # --> -[Chinese](README_CN.md) + +[Chinese](./zh-cn/README.md) Reference Documentation ================== -* [APISIX Readme](../README.md) +* [APISIX Readme](./README.md) * [Architecture Design](architecture-design.md) * [Benchmark](benchmark.md) * [Getting Started Guide](getting-started.md) * [How to build Apache APISIX](how-to-build.md) * [Health Check](health-check.md): Enable health check on the upstream node, and will automatically filter unhealthy nodes during load balancing to ensure system stability. -* Router - * [radixtree](router-radixtree.md) +* [Router radixtree](router-radixtree.md) * [Stand Alone Model](stand-alone.md): Supports to load route rules from local yaml file, it is more friendly such as under the kubernetes(k8s). * [Stream Proxy](stream-proxy.md) * [Admin API](admin-api.md) @@ -51,7 +51,7 @@ Plugins * [proxy-rewrite](plugins/proxy-rewrite.md): Rewrite upstream request information. * [prometheus](plugins/prometheus.md): Expose metrics related to APISIX and proxied upstream services in Prometheus exposition format, which can be scraped by a Prometheus Server. * [OpenTracing](plugins/zipkin.md): Supports Zikpin and Apache SkyWalking. -* [grpc-transcode](plugins/grpc-transcoding.md): REST <--> gRPC transcoding. +* [grpc-transcode](plugins/grpc-transcode.md): REST <--> gRPC transcoding. * [serverless](plugins/serverless.md):Allows to dynamically run Lua code at *different* phase in APISIX. * [ip-restriction](plugins/ip-restriction.md): IP whitelist/blacklist. * [openid-connect](plugins/oauth.md) @@ -65,11 +65,20 @@ Plugins * [kafka-logger](plugins/kafka-logger.md): Log requests to External Kafka servers. * [cors](plugins/cors.md): Enable CORS(Cross-origin resource sharing) for your API. * [batch-requests](plugins/batch-requests.md): Allow you send mutiple http api via **http pipeline**. +* [authz-keycloak](plugins/authz-keycloak.md): Authorization with Keycloak Identity Server. +* [uri-blocker](plugins/uri-blocker.md): Block client request by URI. +* [oauth](plugins/oauth.md): Provides OAuth 2 authentication and introspection. -Deploy to the Cloud +Deploy ======= + ### AWS The recommended approach is to deploy APISIX with [AWS CDK](https://aws.amazon.com/cdk/) on [AWS Fargate](https://aws.amazon.com/fargate/) which helps you decouple the APISIX layer and the upstream layer on top of a fully-managed and secure serverless container compute environment with autoscaling capabilities. See [this guide](https://github.com/pahud/cdk-samples/blob/master/typescript/apisix/README.md) by [Pahud Hsieh](https://github.com/pahud) and learn how to provision the recommended architecture 100% in AWS CDK. + +### Kubernetes + +See [this guide](../kubernetes/README.md) and learn how to deploy apisix in Kubernetes. + diff --git a/doc/README_CN.md b/doc/README_CN.md deleted file mode 100644 index 1fc08c5abccd9..0000000000000 --- a/doc/README_CN.md +++ /dev/null @@ -1,68 +0,0 @@ - -[English](README.md) - -Reference document -================== - -* [APISIX 说明](../README_CN.md) -* [架构设计](architecture-design-cn.md) -* [压力测试](benchmark-cn.md) -* [如何构建 Apache APISIX](how-to-build-cn.md) -* [健康检查](health-check.md): 支持对上游节点的主动和被动健康检查,在负载均衡时自动过滤掉不健康的节点。 -* Router(路由) - * [radixtree](router-radixtree.md) - * [r3](router-r3.md) -* [独立运行模型](stand-alone-cn.md): 支持从本地 yaml 格式的配置文件启动,更适合 Kubernetes(k8s) 体系。 -* [TCP/UDP 动态代理](stream-proxy-cn.md) -* [管理 API](admin-api-cn.md) -* [变更日志](../CHANGELOG_CN.md) -* [代码风格](../CODE_STYLE.md) -* [常见问答](../FAQ_CN.md) - -插件 -=== - -* [插件热加载](plugins-cn.md):无需重启服务,完成插件热加载或卸载。 -* [HTTPS](https-cn.md):根据 TLS 扩展字段 SNI(Server Name Indication) 动态加载证书。 -* [动态负载均衡](architecture-design-cn.md#upstream):跨多个上游服务的动态负载均衡,目前已支持 round-robin 和一致性哈希算法。 -* [key-auth](plugins/key-auth-cn.md):基于 Key Authentication 的用户认证。 -* [JWT-auth](plugins/jwt-auth-cn.md):基于 [JWT](https://jwt.io/) (JSON Web Tokens) Authentication 的用户认证。 -* [basic-auth](plugins/basic-auth-cn.md):基于 basic auth 的用户认证。 -* [wolf-rbac](plugins/wolf-rbac-cn.md) 基于 *RBAC* 的用户认证及授权。 -* [limit-count](plugins/limit-count-cn.md):基于“固定窗口”的限速实现。 -* [limit-req](plugins/limit-req-cn.md):基于漏桶原理的请求限速实现。 -* [limit-conn](plugins/limit-conn-cn.md):限制并发请求(或并发连接)。 -* [proxy-rewrite](plugins/proxy-rewrite-cn.md): 支持自定义修改 proxy 到上游的信息。 -* [prometheus](plugins/prometheus-cn.md):以 Prometheus 格式导出 APISIX 自身的状态信息,方便被外部 Prometheus 服务抓取。 -* [OpenTracing](plugins/zipkin-cn.md):支持 Zikpin 和 Apache SkyWalking。 -* [grpc-transcode](plugins/grpc-transcoding-cn.md):REST <--> gRPC 转码。 -* [serverless](plugins/serverless-cn.md):允许在 APISIX 中的不同阶段动态运行 Lua 代码。 -* [ip-restriction](plugins/ip-restriction-cn.md): IP 黑白名单。 -* [openid-connect](plugins/oauth.md) -* [redirect](plugins/redirect-cn.md): URI 重定向。 -* [response-rewrite](plugins/response-rewrite-cn.md): 支持自定义修改返回内容的 `status code`、`body`、`headers`。 -* [fault-injection](plugins/fault-injection-cn.md):故障注入,可以返回指定的响应体、响应码和响应时间,从而提供了不同的失败场景下处理的能力,例如服务失败、服务过载、服务高延时等。 -* [proxy-cache](plugins/proxy-cache-cn.md):代理缓存插件提供缓存后端响应数据的能力。 -* [proxy-mirror](plugins/proxy-mirror-cn.md):代理镜像插件提供镜像客户端请求的能力。 -* [udp-logger](plugins/udp-logger.md): 将请求记录到UDP服务器 -* [tcp-logger](plugins/tcp-logger.md): 将请求记录到TCP服务器 -* [kafka-logger](plugins/kafka-logger-cn.md): 将请求记录到外部Kafka服务器。 -* [cors](plugins/cors-cn.md): 为你的API启用CORS. -* [batch-requests](plugins/batch-requests-cn.md): 以 **http pipeline** 的方式在网关一次性发起多个 `http` 请求。 diff --git a/doc/_navbar.md b/doc/_navbar.md new file mode 100644 index 0000000000000..1612e7d8a96ec --- /dev/null +++ b/doc/_navbar.md @@ -0,0 +1,22 @@ + + +- Translations + - [:uk: English](/) + - [:cn: 中文](/zh-cn/) diff --git a/doc/_sidebar.md b/doc/_sidebar.md new file mode 100644 index 0000000000000..6a9c1e5511679 --- /dev/null +++ b/doc/_sidebar.md @@ -0,0 +1,103 @@ + + +- Getting started + + - [Introduction](README.md) + - [Quick start](getting-started.md) + +- General + + - [Architecture](architecture-design.md) + + - [Benchmark](benchmark.md) + + - Installation + + - [How to build](how-to-build.md) + - [Install Dependencies](install-dependencies.md) + + - [HTTPS](https.md) + + - [Router](router-radixtree.md) + + - Plugins + + - [Develop Plugins](plugin-develop.md) + - [Hot Reload](plugins.md) + + - Proxy Modes + + - [GRPC Proxy](grpc-proxy.md) + - [Stream Proxy](stream-proxy.md) + +- Plugins + + - Authentication + + - [Key Auth](plugins/key-auth.md) + - [Basic Auth](plugins/basic-auth.md) + - [JWT Auth](plugins/jwt-auth.md) + - [Opend ID Connect](plugins/oauth.md) + + - General + + - [Redirect](plugins/redirect.md) + - [Serverless](plugins/serverless.md) + - [Batch Request](plugins/batch-requests.md) + - [Fault Injection](plugins/fault-injection.md) + - [MQTT Proxy](plugins/mqtt-proxy.md) + - [Proxy Cache](plugins/proxy-cache.md) + - [Proxy Mirror](plugins/proxy-mirror.md) + - [Echo](plugins/echo.md) + + - Transformations + + - [Response Rewrite](plugins/response-rewrite.md) + - [Proxy Rewrite](plugins/proxy-rewrite.md) + - [GRPC Transcoding](plugins/grpc-transcode.md) + + - Security + + - [Consumer Restriction](plugins/consumer-restriction.md) + - [Limit Connection](plugins/limit-conn.md) + - [Limit Count](plugins/limit-count.md) + - [Limit Request](plugins/limit-req.md) + - [CORS](plugins/cors.md) + - [IP Restriction](plugins/ip-restriction.md) + - [Keycloak Authorization](plugins/authz-keycloak.md) + - [RBAC Wolf](plugins/wolf-rbac.md) + + - Monitoring + + - [Prometheus](plugins/prometheus.md) + - [SKywalking](plugins/skywalking.md) + - [Zipkin](plugins/zipkin.md) + + - Loggers + + - [HTTP Logger](plugins/http-logger.md) + - [Kafka Logger](plugins/kafka-logger.md) + - [Syslog](plugins/syslog.md) + - [TCP Logger](plugins/tcp-logger.md) + - [UDP Logger](plugins/udp-logger.md) + +- Admin API + + - [Admin API](admin-api.md) diff --git a/doc/admin-api.md b/doc/admin-api.md index f60ccb6aef0ea..b1112e9ab2385 100644 --- a/doc/admin-api.md +++ b/doc/admin-api.md @@ -19,8 +19,6 @@ # Table of Contents -=== - * [Route](#route) * [Service](#service) * [Consumer](#consumer) @@ -41,7 +39,7 @@ |PUT |/apisix/admin/routes/{id}|{...}|Create resource by ID| |POST |/apisix/admin/routes |{...}|Create resource, and ID is generated by server| |DELETE |/apisix/admin/routes/{id}|NULL|Remove resource| -|PATCH |/apisix/admin/routes/{id}/{path}|{...}|Update targeted content| +|PATCH |/apisix/admin/routes/{id}|{...}|Update targeted content, if you want to remove an attribute, set the attribute value to null to remove| > URI Request Parameters: @@ -53,7 +51,8 @@ |Parameter |Required |Type |Description |Example| |---------|---------|----|-----------|----| -|desc |False |Auxiliary |Identifies route names, usage scenarios, and more.|customer xxxx| +|name |False |Auxiliary |Identifies route names.|customer-xxxx| +|desc |False |Auxiliary |route description, usage scenarios, and more.|customer xxxx| |uri |True |Match Rules|In addition to full matching such as `/foo/bar`、`/foo/gloo`, using different [Router](architecture-design.md#router) allows more advanced matching, see [Router](architecture-design.md#router) for more.|"/hello"| |host |False |Match Rules|Currently requesting a domain name, such as `foo.com`; pan-domain names such as `*.foo.com` are also supported.|"foo.com"| |hosts |False |Match Rules|The `host` in the form of a list means that multiple different hosts are allowed, and match any one of them.|{"foo.com", "*.bar.com"}| @@ -61,7 +60,7 @@ |remote_addrs|False |Match Rules|The `remote_addr` in the form of a list indicates that multiple different IP addresses are allowed, and match any one of them.|{"127.0.0.1", "192.0.0.0/8", "::1"}| |methods |False |Match Rules|If empty or without this option, there are no `method` restrictions, and it can be a combination of one or more: `GET`,`POST`,`PUT`,`DELETE`,`PATCH`, `HEAD`,`OPTIONS`,`CONNECT`,`TRACE`.|{"GET", "POST"}| |priority |False |Match Rules|If different routes contain the same `uri`, determine which route is matched first based on the attribute` priority`. Larger value means higher priority. The default value is 0.|priority = 10| -|vars |False |Match Rules |A list of one or more `{var, operator, val}` elements, like this: `{{var, operator, val}, {var, operator, val}, ...}`. For example: `{"arg_name", "==", "json"}` means that the current request parameter `name` is `json`. The `var` here is consistent with the internal variable name of Nginx, so you can also use `request_uri`, `host`, etc. For the operator part, the currently supported operators are `==`, `~=`,`>`, `<`, and `~~`. For the `>` and `<` operators, the result is first converted to `number` and then compared. See a list of [supported operators](#available-operators) |{{"arg_name", "==", "json"}, {"arg_age", ">", 18}}| +|vars |False |Match Rules |A list of one or more `{var, operator, val}` elements, like this: `{{var, operator, val}, {var, operator, val}, ...}}`. For example: `{"arg_name", "==", "json"}` means that the current request parameter `name` is `json`. The `var` here is consistent with the internal variable name of Nginx, so you can also use `request_uri`, `host`, etc. For the operator part, the currently supported operators are `==`, `~=`,`>`, `<`, and `~~`. For the `>` and `<` operators, the result is first converted to `number` and then compared. See a list of [supported operators](#available-operators) |{{"arg_name", "==", "json"}, {"arg_age", ">", 18}}| |filter_func|False|Match Rules|User-defined filtering function. You can use it to achieve matching requirements for special scenarios. This function accepts an input parameter named `vars` by default, which you can use to get Nginx variables.|function(vars) return vars["arg_name"] == "json" end| |plugins |False |Plugin|See [Plugin](architecture-design.md#plugin) for more || |upstream |False |Upstream|Enabled Upstream configuration, see [Upstream](architecture-design.md#upstream) for more|| @@ -83,6 +82,7 @@ Config Example: "hosts": ["a.com","b.com"], # A set of host. Host and hosts only need to be non-empty one. "plugins": {}, # Bound plugin "priority": 0, # If different routes contain the same `uri`, determine which route is matched first based on the attribute` priority`, the default value is 0. + "name": "route-xxx", "desc": "hello world", "remote_addr": "127.0.0.1", # Client IP "remote_addrs": ["127.0.0.1"], # A set of Client IP. Remote_addr and remo-te_addrs only need to be non-empty one. @@ -183,7 +183,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 |PUT |/apisix/admin/services/{id}|{...}|Create resource by ID| |POST |/apisix/admin/services |{...}|Create resource, and ID is generated by server| |DELETE |/apisix/admin/services/{id}|NULL|Remove resource| -|PATCH |/apisix/admin/routes/{id}/{path}|{...}|Update targeted content| +|PATCH |/apisix/admin/routes/{id}|{...}|Update targeted content, if you want to remove an attribute, set the attribute value to null to remove| > Request Body Parameters: @@ -192,7 +192,8 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 |plugins |False |Plugin|See [Plugin](architecture-design.md#plugin) for more || |upstream |False |Upstream|Enabled Upstream configuration, see [Upstream](architecture-design.md#upstream) for more|| |upstream_id|False |Upstream|Enabled upstream id, see [Upstream](architecture-design.md#upstream) for more || -|desc |False |Auxiliary |Identifies route names, usage scenarios, and more.|customer xxxx| +|name |False |Auxiliary |Identifies service names.|customer-xxxx| +|desc |False |Auxiliary |service usage scenarios, and more.|customer xxxx| Config Example: @@ -202,6 +203,7 @@ Config Example: "plugins": {}, # Bound plugin "upstream_id": "1", # upstream id, recommended "upstream": {}, # upstream, not recommended + "name": "service-test", "desc": "hello world", } ``` @@ -209,7 +211,7 @@ Config Example: Example: ```shell -$ curl http://127.0.0.1:9080/apisix/admin/services/201 -X PUT -i -d ' +$ curl http://127.0.0.1:9080/apisix/admin/services/201 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' { "plugins": { "limit-count": { @@ -286,7 +288,7 @@ The binding authentication and authorization plug-in is a bit special. When it n Example: ```shell -$ curl http://127.0.0.1:9080/apisix/admin/consumers/2 -X PUT -i -d ' +$ curl http://127.0.0.1:9080/apisix/admin/consumers/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' { "username": "jack", "plugins": { @@ -328,7 +330,7 @@ Return response from etcd currently. |PUT |/apisix/admin/upstreams/{id}|{...}|Create resource by ID| |POST |/apisix/admin/upstreams |{...}|Create resource, and ID is generated by server| |DELETE |/apisix/admin/upstreams/{id}|NULL|Remove resource| -|PATCH |/apisix/admin/upstreams/{id}/{path}|{...}|Update targeted content| +|PATCH |/apisix/admin/upstreams/{id}|{...}|Update targeted content, if you want to remove an attribute, set the attribute value to null to remove| > Request Body Parameters: @@ -345,7 +347,8 @@ In addition to the basic complex equalization algorithm selection, APISIX's Upst |retries |optional|Pass the request to the next upstream using the underlying Nginx retry mechanism, the retry mechanism is enabled by default and set the number of retries according to the number of backend nodes. If `retries` option is explicitly set, it will override the default value.| |enable_websocket|optional| enable `websocket`(boolean), default `false`.| |timeout|optional| Set the timeout for connection, sending and receiving messages. | -|desc |optional|Identifies route names, usage scenarios, and more.| +|name |optional|Identifies upstream names| +|desc |optional|upstream usage scenarios, and more.| Config Example: @@ -371,6 +374,7 @@ Config Example: "checks": {}, # Health check parameters "hash_on": "", "key": "", + "name": "upstream-for-test", "desc": "hello world", } ``` @@ -378,15 +382,15 @@ Config Example: Example: ```shell -$ curl http://127.0.0.1:9080/apisix/admin/upstreams/100 -i -X PUT -d ' -> { -> "type": "roundrobin", -> "nodes": { -> "127.0.0.1:80": 1, -> "127.0.0.2:80": 2, -> "foo.com:80": 3 -> } -> }' +$ curl http://127.0.0.1:9080/apisix/admin/upstreams/100 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -i -X PUT -d ' +{ + "type":"roundrobin", + "nodes":{ + "127.0.0.1:80":1, + "127.0.0.2:80":2, + "foo.com:80":3 + } +}' HTTP/1.1 201 Created Date: Thu, 26 Dec 2019 04:19:34 GMT Content-Type: text/plain diff --git a/doc/architecture-design.md b/doc/architecture-design.md index 9edaadb378b45..098808e1616d8 100644 --- a/doc/architecture-design.md +++ b/doc/architecture-design.md @@ -17,7 +17,7 @@ # --> -[Chinese](architecture-design-cn.md) +[Chinese](zh-cn/architecture-design.md) ## Table of Contents @@ -106,7 +106,7 @@ Server: APISIX web server When we receive a successful response, it indicates that the route was successfully created. -For specific options of Route, please refer to [Admin API](admin-api-cn.md#route). +For specific options of Route, please refer to [Admin API](zh-cn/admin-api.md#route). [Back to top](#Table-of-contents) @@ -233,8 +233,9 @@ In addition to the basic complex equalization algorithm selection, APISIX's Upst |Name |Optional|Description| |------- |-----|------| |type |required|`roundrobin` supports the weight of the load, `chash` consistency hash, pick one of them.| -|nodes |required if `k8s_deployment_info` not configured|Hash table, the key of the internal element is the upstream machine address list, the format is `Address + Port`, where the address part can be IP or domain name, such as `192.168.1.100:80`, `foo.com:80`, etc. Value is the weight of the node. In particular, when the weight value is `0`, it has a special meaning, which usually means that the upstream node is invalid and never wants to be selected.| -|k8s_deployment_info |required if `nodes` not configured|fields: `namespace`、`deploy_name`、`service_name`、`port`、`backend_type`, `port` is number, `backend_type` is `pod` or `service`, others is string. | +|nodes |required if `service_name` and `k8s_deployment_info` not configured|Hash table, the key of the internal element is the upstream machine address list, the format is `Address + Port`, where the address part can be IP or domain name, such as `192.168.1.100:80`, `foo.com:80`, etc. Value is the weight of the node. In particular, when the weight value is `0`, it has a special meaning, which usually means that the upstream node is invalid and never wants to be selected.| +|service_name |required if `nodes` and `k8s_deployment_info` not configured |The name of the upstream service and used with the registry, refer to [Integration service discovery registry](discovery.md).| +|k8s_deployment_info |required if `nodes` and `service_name` not configured|fields: `namespace`、`deploy_name`、`service_name`、`port`、`backend_type`, `port` is number, `backend_type` is `pod` or `service`, others is string. | |hash_on |optional|This option is only valid if the `type` is `chash`. Supported types `vars`(Nginx variables), `header`(custom header), `cookie`, `consumer`, the default value is `vars`.| |key |required|This option is only valid if the `type` is `chash`. Find the corresponding node `id` according to `hash_on` and `key`. When `hash_on` is set as `vars`, `key` is the required parameter, for now, it support nginx built-in variables like `uri, server_name, server_addr, request_uri, remote_port, remote_addr, query_string, host, hostname, arg_***`, `arg_***` is arguments in the request line, [Nginx variables list](http://nginx.org/en/docs/varindex.html). When `hash_on` is set as `header`, `key` is the required parameter, and `header name` is customized. When `hash_on` is set to `cookie`, `key` is the required parameter, and `cookie name` is customized. When `hash_on` is set to `consumer`, `key` does not need to be set. In this case, the `key` adopted by the hash algorithm is the `consumer_id` authenticated. If the specified `hash_on` and `key` can not fetch values, it will be fetch `remote_addr` by default.| |checks |optional|Configure the parameters of the health check. For details, refer to [health-check](health-check.md).| @@ -350,7 +351,7 @@ Here are some examples of configurations using different `hash_on` types: Create a consumer object: ```shell -curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ` +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "username": "jack", "plugins": { @@ -358,7 +359,7 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1 "key": "auth-jack" } } -}` +}' ``` Create route object and enable `key-auth` plugin authentication: @@ -536,6 +537,35 @@ HTTP/1.1 503 Service Temporarily Unavailable ``` +Use the [consumer-restriction](zh-cn/plugins/consumer-restriction.md) plug-in to restrict the access of Jack to this API. + +# Add Jack to the blacklist +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "plugins": { + "key-auth": {}, + "consumer-restriction": { + "blacklist": [ + "jack" + ] + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" +}' + +# Repeated tests, all return 403; Jack is forbidden to access this API +$ curl http://127.0.0.1:9080/hello -H 'apikey: auth-one' -I +HTTP/1.1 403 +... + +``` + [Back to top](#Table-of-contents) ## Global Rule @@ -547,6 +577,7 @@ We can register a global [Plugin](#Plugin) with `GlobalRule`: curl -X PUT \ https://{apisix_listen_address}/apisix/admin/global_rules/1 \ -H 'Content-Type: application/json' \ + -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \ -d '{ "plugins": { "limit-count": { diff --git a/doc/benchmark.md b/doc/benchmark.md index eaf4e4cc6cdac..9c3c016d0fcff 100644 --- a/doc/benchmark.md +++ b/doc/benchmark.md @@ -17,7 +17,7 @@ # --> -[Chinese](benchmark-cn.md) +[Chinese](zh-cn/benchmark.md) ### Benchmark Environments @@ -35,13 +35,13 @@ and the response size was 1KB. The x-axis means the size of CPU core, and the y-axis is QPS. - + #### Latency Note the y-axis latency in **microsecond(μs)** not millisecond. - + #### Flame Graph @@ -80,18 +80,18 @@ and the response size was 1KB. The x-axis means the size of CPU core, and the y-axis is QPS. - + #### Latency Note the y-axis latency in **microsecond(μs)** not millisecond. - + #### Flame Graph The result of Flame Graph: -![flamegraph-2](../doc/images/flamegraph-2.jpg) +![flamegraph-2](./images/flamegraph-2.jpg) And if you want to run the benchmark test in your machine, you should run another Nginx to listen 80 port. diff --git a/doc/discovery.md b/doc/discovery.md new file mode 100644 index 0000000000000..96d36e8e3663c --- /dev/null +++ b/doc/discovery.md @@ -0,0 +1,244 @@ + +[Chinese](zh-cn/discovery.md) + +# Integration service discovery registry + +* [**Summary**](#Summary) +* [**How extend the discovery client?**](#how-extend-the-discovery-client) + * [**Basic steps**](#basic-steps) + * [**the example of Eureka**](#the-example-of-eureka) + * [**Implementation of eureka.lua**](#implementation-of-eurekalua) + * [**How convert Eureka's instance data to APISIX's node?**](#how-convert-eurekas-instance-data-to-apisixs-node) +* [**Configuration for discovery client**](#configuration-for-discovery-client) + * [**Select discovery client**](#select-discovery-client) + * [**Configuration for Eureka**](#configuration-for-eureka) +* [**Upstream setting**](#upstream-setting) + +## Summary + +When system traffic changes, the number of servers of the upstream service also increases or decreases, or the server needs to be replaced due to its hardware failure. If the gateway maintains upstream service information through configuration, the maintenance costs in the microservices architecture pattern are unpredictable. Furthermore, due to the untimely update of these information, will also bring a certain impact for the business, and the impact of human error operation can not be ignored. So it is very necessary for the gateway to automatically get the latest list of service instances through the service registry。As shown in the figure below: + +![](./images/discovery.png) + +1. When the service starts, it will report some of its information, such as the service name, IP, port and other information to the registry. The services communicate with the registry using a mechanism such as a heartbeat, and if the registry and the service are unable to communicate for a long time, the instance will be cancel.When the service goes offline, the registry will delete the instance information. +2. The gateway gets service instance information from the registry in near-real time. +3. When the user requests the service through the gateway, the gateway selects one instance from the registry for proxy. + +Common registries: Eureka, Etcd, Consul, Zookeeper, Nacos etc. + +## How extend the discovery client? + +### Basic steps + +It is very easy for APISIX to extend the discovery client. , the basic steps are as follows + +1. Add the implementation of registry client in the 'apisix/discovery/' directory; + +2. Implement the `_M. init_worker()` function for initialization and the `_M. nodes(service_name)` function for obtaining the list of service instance nodes; + +3. Convert the registry data into data in APISIX; + + +### the example of Eureka + +#### Implementation of eureka.lua + +First, add [`eureka.lua`](../apisix/discovery/eureka.lua) in the `apisix/discovery/` directory; + +Then implement the `_M.init_worker()` function for initialization and the `_M.nodes(service_name)` function for obtaining the list of service instance nodes in ` eureka.lua`: + + ```lua + local _M = { + version = 1.0, + } + + + function _M.nodes(service_name) + ... ... + end + + + function _M.init_worker() + ... ... + end + + + return _M + ``` + +#### How convert Eureka's instance data to APISIX's node? + +Here's an example of Eureka's data: + +```json +{ + "applications": { + "application": [ + { + "name": "USER-SERVICE", # service name + "instance": [ + { + "instanceId": "192.168.1.100:8761", + "hostName": "192.168.1.100", + "app": "USER-SERVICE", # service name + "ipAddr": "192.168.1.100", # IP address + "status": "UP", + "overriddenStatus": "UNKNOWN", + "port": { + "$": 8761, + "@enabled": "true" + }, + "securePort": { + "$": 443, + "@enabled": "false" + }, + "metadata": { + "management.port": "8761", + "weight": 100 # Setting by 'eureka.instance.metadata-map.weight' of the spring boot application + }, + "homePageUrl": "http://192.168.1.100:8761/", + "statusPageUrl": "http://192.168.1.100:8761/actuator/info", + "healthCheckUrl": "http://192.168.1.100:8761/actuator/health", + ... ... + } + ] + } + ] + } +} +``` + +Deal with the Eureka's instance data need the following steps : + +1. select the UP instance. When the value of `overriddenStatus` is "UP" or the value of `overriddenStatus` is "UNKNOWN" and the value of `status` is "UP". +2. Host. The `ipAddr` is the IP address of instance; and must be IPv4 or IPv6. +3. Port. If the value of `port["@enabled"]` is equal to "true", using the value of `port["\$"]`, If the value of `securePort["@enabled"]` is equal to "true", using the value of `securePort["\$"]`. +4. Weight. `local weight = metadata.weight or local_conf.eureka.weight or 100` + +The result of this example is as follows: + +```json +[ + { + "host" : "192.168.1.100", + "port" : 8761, + "weight" : 100, + "metadata" : { + "management.port": "8761", + } + } +] +``` + +## Configuration for discovery client + +### Select discovery client + +Add the following configuration to `conf/config.yaml` and select one discovery client type which you want: + +```yaml +apisix: + discovery: eureka +``` + +This name should be consistent with the file name of the implementation registry in the `apisix/discovery/` directory. + +The supported discovery client: Eureka. + +### Configuration for Eureka + +Add following configuration in `conf/config.yaml` : + +```yaml +eureka: + host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster. + - "http://${usename}:${passowrd}@${eureka_host1}:${eureka_port1}" + - "http://${usename}:${passowrd}@${eureka_host2}:${eureka_port2}" + prefix: "/eureka/" + fetch_interval: 30 # 30s + weight: 100 # default weight for node + timeout: + connect: 2000 # 2000ms + send: 2000 # 2000ms + read: 5000 # 5000ms +``` + + +## Upstream setting + +Here is an example of routing a request with a uri of "/user/*" to a service which named "user-service" in the registry : + +```shell +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "uri": "/user/*", + "upstream": { + "service_name": "USER-SERVICE", + "type": "roundrobin" + } +}' + +HTTP/1.1 201 Created +Date: Sat, 31 Aug 2019 01:17:15 GMT +Content-Type: text/plain +Transfer-Encoding: chunked +Connection: keep-alive +Server: APISIX web server + +{"node":{"value":{"uri":"\/user\/*","upstream": {"service_name": "USER-SERVICE", "type": "roundrobin"}},"createdIndex":61925,"key":"\/apisix\/routes\/1","modifiedIndex":61925},"action":"create"} +``` + +Because the upstream interface URL may have conflict, usually in the gateway by prefix to distinguish: + +```shell +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "uri": "/a/*", + "plugins": { + "proxy-rewrite" : { + regex_uri: ["^/a/(.*)", "/${1}"] + } + } + "upstream": { + "service_name": "A-SERVICE", + "type": "roundrobin" + } +}' + +$ curl http://127.0.0.1:9080/apisix/admin/routes/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "uri": "/b/*", + "plugins": { + "proxy-rewrite" : { + regex_uri: ["^/b/(.*)", "/${1}"] + } + } + "upstream": { + "service_name": "B-SERVICE", + "type": "roundrobin" + } +}' +``` + +Suppose both A-SERVICE and B-SERVICE provide a `/test` API. The above configuration allows access to A-SERVICE's `/test` API through `/a/test` and B-SERVICE's `/test` API through `/b/test`. + +**Notice**:When configuring `upstream.service_name`, `upstream.nodes` will no longer take effect, but will be replaced by 'nodes' obtained from the registry. + + diff --git a/doc/getting-started.md b/doc/getting-started.md index a576329f155a5..ae432d4643422 100644 --- a/doc/getting-started.md +++ b/doc/getting-started.md @@ -17,7 +17,7 @@ # --> -[Chinese](getting-started-cn.md) +[Chinese](zh-cn/getting-started.md) # Quick Start Guide diff --git a/doc/grpc-proxy.md b/doc/grpc-proxy.md index 22e3297340f00..50404aef49d88 100644 --- a/doc/grpc-proxy.md +++ b/doc/grpc-proxy.md @@ -17,7 +17,7 @@ # --> -[中文](grpc-proxy-cn.md) +[中文](zh-cn/grpc-proxy.md) # grpc-proxy diff --git a/doc/health-check.md b/doc/health-check.md index b0b062deb175a..1b78831e95700 100644 --- a/doc/health-check.md +++ b/doc/health-check.md @@ -16,7 +16,8 @@ # limitations under the License. # --> -## Health Checks for Upstream + +# Health Checks for Upstream Health Check of APISIX is based on [lua-resty-healthcheck](https://github.com/Kong/lua-resty-healthcheck), you can use it for upstream. @@ -77,26 +78,26 @@ contains: `active` or `passive`. * `active`: To enable active health checks, you need to specify the configuration items under `checks.active` in the Upstream object configuration. - * `active.http_path`: The HTTP GET request path used to detect if the upstream is healthy. - * `active.host`: The HTTP request host used to detect if the upstream is healthy. + * `active.http_path`: The HTTP GET request path used to detect if the upstream is healthy. + * `active.host`: The HTTP request host used to detect if the upstream is healthy. - The threshold fields of `healthy` are: - * `active.healthy.interval`: Interval between health checks for healthy targets (in seconds), the minimum is 1. - * `active.healthy.successes`: The number of success times to determine the target is healthy, the minimum is 1. + The threshold fields of `healthy` are: + * `active.healthy.interval`: Interval between health checks for healthy targets (in seconds), the minimum is 1. + * `active.healthy.successes`: The number of success times to determine the target is healthy, the minimum is 1. - The threshold fields of `unhealthy` are: - * `active.unhealthy.interval`: Interval between health checks for unhealthy targets (in seconds), the minimum is 1. - * `active.unhealthy.http_failures`: The number of http failures times to determine the target is unhealthy, the minimum is 1. - * `active.req_headers`: Additional request headers. Array format, so you can fill in multiple headers. + The threshold fields of `unhealthy` are: + * `active.unhealthy.interval`: Interval between health checks for unhealthy targets (in seconds), the minimum is 1. + * `active.unhealthy.http_failures`: The number of http failures times to determine the target is unhealthy, the minimum is 1. + * `active.req_headers`: Additional request headers. Array format, so you can fill in multiple headers. * `passive`: To enable passive health checks, you need to specify the configuration items under `checks.passive` in the Upstream object configuration. - The threshold fields of `healthy` are: - * `passive.healthy.http_statuses`: If the current response code is equal to any of these, set the upstream node to the `healthy` state. Otherwise ignore this request. - * `passive.healthy.successes`: Number of successes in proxied traffic (as defined by `passive.healthy.http_statuses`) to consider a target healthy, as observed by passive health checks. + The threshold fields of `healthy` are: + * `passive.healthy.http_statuses`: If the current response code is equal to any of these, set the upstream node to the `healthy` state. Otherwise ignore this request. + * `passive.healthy.successes`: Number of successes in proxied traffic (as defined by `passive.healthy.http_statuses`) to consider a target healthy, as observed by passive health checks. - The threshold fields of `unhealthy` are: - * `passive.unhealthy.http_statuses`: If the current response code is equal to any of these, set the upstream node to the `unhealthy` state. Otherwise ignore this request. - * `passive.unhealthy.tcp_failures`: Number of TCP failures in proxied traffic to consider a target unhealthy, as observed by passive health checks. - * `passive.unhealthy.timeouts`: Number of timeouts in proxied traffic to consider a target unhealthy, as observed by passive health checks. - * `passive.unhealthy.http_failures`: Number of HTTP failures in proxied traffic (as defined by `passive.unhealthy.http_statuses`) to consider a target unhealthy, as observed by passive health checks. + The threshold fields of `unhealthy` are: + * `passive.unhealthy.http_statuses`: If the current response code is equal to any of these, set the upstream node to the `unhealthy` state. Otherwise ignore this request. + * `passive.unhealthy.tcp_failures`: Number of TCP failures in proxied traffic to consider a target unhealthy, as observed by passive health checks. + * `passive.unhealthy.timeouts`: Number of timeouts in proxied traffic to consider a target unhealthy, as observed by passive health checks. + * `passive.unhealthy.http_failures`: Number of HTTP failures in proxied traffic (as defined by `passive.unhealthy.http_statuses`) to consider a target unhealthy, as observed by passive health checks. diff --git a/doc/how-to-build.md b/doc/how-to-build.md index e1b8d8b672ad9..b1a276eba37f9 100644 --- a/doc/how-to-build.md +++ b/doc/how-to-build.md @@ -34,21 +34,21 @@ You can install Apache APISIX in a variety of ways, including source code packag You need to download the Apache source release first: ```shell -wget http://www.apache.org/dist/incubator/apisix/1.2/apache-apisix-1.2-incubating-src.tar.gz -tar zxvf apache-apisix-1.2-incubating-src.tar.gz +wget http://www.apache.org/dist/incubator/apisix/1.4/apache-apisix-1.4-incubating-src.tar.gz +tar zxvf apache-apisix-1.4-incubating-src.tar.gz ``` Install the Lua libraries that the runtime depends on: ```shell -cd apache-apisix-1.2-incubating +cd apache-apisix-1.4-incubating make deps ``` ### Installation via RPM package (CentOS 7) ```shell -sudo yum install -y https://github.com/apache/incubator-apisix/releases/download/1.2/apisix-1.2-0.el7.noarch.rpm +sudo yum install -y https://github.com/apache/incubator-apisix/releases/download/1.4/apisix-1.4-0.el7.noarch.rpm ``` ### Installation via Luarocks (macOS not supported) @@ -64,11 +64,11 @@ sudo sh -c "$(curl -fsSL https://raw.githubusercontent.com/apache/incubator-apis > Install the specified version via Luarocks: ```shell -# Install version 1.2 -sudo luarocks install --lua-dir=/path/openresty/luajit apisix 1.2 +# Install version 1.4 +sudo luarocks install --lua-dir=/path/openresty/luajit apisix 1.4 # old luarocks not support the `lua-dir` parameter, you can remove this option -sudo luarocks install apisix 1.2 +sudo luarocks install apisix 1.4 ``` ## 3. Manage (start/stop) APISIX Server diff --git a/doc/https.md b/doc/https.md index 5e7aa0edba627..c2091a72db475 100644 --- a/doc/https.md +++ b/doc/https.md @@ -17,7 +17,7 @@ # --> -[Chinese](https-cn.md) +[Chinese](zh-cn/https.md) ### HTTPS diff --git a/doc/images/apache.png b/doc/images/apache.png new file mode 100644 index 0000000000000000000000000000000000000000..d0075db9e3691081e94babfcdc8a5f6bf8bacf8f GIT binary patch literal 8491 zcmXY11yodBv>t};?hpo~OS-!T7(lwaq(P)(=oCas5a}9_5JZ|8N>WNm=@bF!9^lRY z-dlH_d+yqI*V=cVv%kIWNz&6%C&Z(}0{{SoU=0<0)QtFV;9#Nd`pX{Js0qtnOI-!< z^xsw7U6qNV;QDBoy#@eCMgALTWc!b^C?d8$7@~^30mLN%((nXvi~s=40I-UpVbIdi zr@#Wko!KGy-o#;(|DbJBQW~DtmqC@}@2i~{(QG|`=~KT9(&2-OIYITNZw6eWuw2Yd}`l&*jkl-UG;CgX{>MJHe4?3YPJ1(g8#Z;?bT#( zp}HVV*yr2XG;DN}vcoz&&T5`&Ab<6kbdBZWeQDso1KuZ>7hmYZcAmI=7^lz`tcn2K z`wqu0O4*&EHWw3SY5-*yy)bNvXKh@_;L*ReH}d`E0K-Z)%lhTb8K(}erzb{(sAS_u zxAok`(W0hQAShof)9y7)I~f7qMI-pgHn&2X(pLXk{G_Z)+;!paeXzm;ew%d!bPVx> z-{RYV4Ad^O_wVn(_l`nBRz?wqzeMm74TklTuS@#NsDQL$&vyc$zoYO~H3^7gmjyLM zBo42gtl%%z0R8NCw^8m;VNIfUqVs_^NkE~FObGINnfnvmx z!hU$Tu7O(9dnY^j|6UqCGD16{g-$X#7;;!0V9xzPuD^ouG-w3$AJ48an9zHs{l0y) zyIn)S+r7kfj8m+B$~6B^uD==K#kZ10iNyyLLkH0!apII>`&ihr={-8RdWx&}HTL>D zs|d1~ezzNl<}vVR=ogVG(1(>RaO`OoUn*)-aA({lgpZ@sh~fGF{?3@`VIQ`YJHuHa z-r0p7hD*T9z=FGI&4Lp{Qj-dZCmK@UatlOfB8l3~)`2vc&1Ih~&`rf5TJi6&(G-7b zHkeVDEaKSyaot%X3*z^vm=FJ(SkqO!~N`$ zVZjPgtLlDtpo?%;Xo>PkQ3@7A@#uw8l+L+ZQrizn>vgSlqxBR0$aD(kxS)+GdsL)i zw)*k03G{YY47+d->)$~z&|HpOHj^`bccj(@i!DaqwZ7wWED<|JA2;ut zeW4JVC%H%k!qK;goWGT|!rYspHF0-umeuxWklCM8uBPa+I!~}V<9Axm^XD(5fnLH% zDrM_p$!v70E6${rAe?hl+z9cri>m#;O8n)K+n+Y4d|K{gClZO+FjVh&PAx_1Tyti~ zEuaDMC+-VI%XJiDX@jhbDL0MudIF6~Y0uH3eKc?TP`PD$Gp~!y1RI^ijP$AxdXb7j z`fh8lHm#~6AHziS%dULJL7CO%UJaWb!<(0uY#+92!M~)5xI!dWCyO}Xn4ez&X~b|= z<=xiCM)}Q}zy3Nsu!XD3SHHJhWZ%4TFut8Ey$$ zqO{Xz_QhSv{JZb{Net1A z%`Jd2xlNeIydq@CMC!GawN^`NYfycIY%?bNp{b*{>;J z=a;1b8zn^hMjH-OfOOpmN}NE*K$NvSRMK^pw!_?t5j*8$SF5SK;Q1qi@Y{6`1XK{y zG|Dgk?iw51EUvT86A~bb8_6}0lcd)QgIlm7)Y9UorPY0cEeEwc2Timg^as2kS0C$R z_I5c?li+L*2~i$U^_nZYhW*vtWuJ;E_Ob(p;MWEyXk5>!3L)iAa*g3&V}|>s2CA%N z$+)M|W}a=z-IbBL%$y~WPz(N>pj>jm%|(nxmr5!F4D&+C(yvO|O zK}?)~vE3lZ)S%@pMZLDMdf?D=tGd$`6MdFcc}Z1eFmHiQET7)@8Z9X=JSBFxFTX=0 zZ#KYP>f)6CkBEjCgFx6>gUza$b#pNEEs0k8+9ghG)$=vp&kXMMEbbFp?sGm0*M+>j z(~o(DG4J+<9cG2Qz)=UQYiGOPTKN~de{P#rdeKwoFf&~Wglnqgb+)>GTlmz|QO+J?Dx zz9OzW#Af00$m!3c=`Kqy;Orh4Km1%NSH!pLHRQ*WmPs(%*Ku(5*T1p%iOAT+`w42w zT{<*^Bl2`^bi>;`2?c%q=M#nnbcPWsN_#N3i4nGKmqf4Zd`2pn-96xYw$}tK_tG(B zFnM+o!!#1bOc7AXkhr%^*94BOYt=w*f-uFD$pd0Df%^l?7+>|DIFKP%LH0H654=33 zaFx6@E-vB>WeU@aA2xiC$}XWhVq6gpxRFFF4{An>k}WS<=nn^I4rdQ^Lv)=Fm(#et zuR<^CEJQ|rw0YFmi{r9y(Ly4rd&e76kF}5S3s%WZqpg@@)?S-eU3652Fs7?wAIlMJ zm=(7=US22EzQ{9T#MDSUabTcI>0d5*5gj(U&4@n?W3LeHM^ijr{WqTyF+;o79jCyU zdWQ}-dRx0i8j{Js=u-a=5WMsOQ-!*&RukF7P8;5zaz6;?s5Q?TeSthcdwC}ME6Ldd z9Xdu`BUIAd6UnNOpq&0Pd&?lkXfftxuZ&HC;rski6Gq7vEd&2@sl$S4c&2wFuLSXE z@%91h=w|}18l2XFf3T4tPdV!A<>&Sx$HG2rAT{ z)CAZLvrNJo%P%j~`joJF<9Nq(+<~E0Tpj?OM0TH*wD}phZ>AQZjhPgsf`^XQO}WMnhRvK?(9x||(9 zvi$Ac2Bf3SwR~rI!u@JQQ}bAFjRIo{Qkrl-?L@+-7=B-B(H*Qmpg1t{JDm34;H^^Z zr{{gIa14aFFdl%8&ehynhB0x-jVo+XB3eWVjZ4R^a;Iwf!ctwMK8}*xYc7*Ot z1;31Gj#nb9Lw0Kc_-JE?q(8=a73Tz-JH-Ep9A6$L(*6N^!DoLiFskf~=8>T7Ehrx+ z;W@A#>7Lu}J&xEh&Z>^j-2SX4Ccu*8k3&iH7Fb)9MJ7fA!U|ot`SI_q(B?gH#;7d z`*}Z?7?^nRvmwIRgF>&-j3TIE)3Wp3Yffj;-r;+xe_hWc<8pm(?ND(Ih7v-9r3vaV ztttN)+|*k(Fq4uQ$u4t_3MT#S#KDiMYt||V&Q)iTeRy$D7}A=Ql$4!ON1_9~`i@H# zWkABT`0#dK-Ga=+l?R28Uqj{0e{E_Ik&1vt7CCh#R~+TM{ABv(_VeDsf^F(6sd~=p zJN^o=l>EKhF*vP@R3e{IW?+KEsohw!iMCruIv6o4TWr!J($5z|UQM&OJNSKCW<08t z72z`B%qLLue^4>@m6a~4zt(cQR3eR3;FEQc0D4r>)!>0cF2zY7>xRQnAmga`7uw3% ztIlsUF{5WJV|zaeCf`Xbc4U!u#_vrAmHQ}>J1$>zL2ZF=;h=$^63EsW6-P;h&^Y-o zCCVe#N-Cpd122OjBICZSe);Y z^uDSviRUf47V(jqsvR69#Z0c8_;(p)>}&YXlO@k=PM&jsXFamt4O)aTs*6h{g+B?zr%-cK z+~H^tcb#U%xOPmV3^Rs}dSkdg3!~m%Z^{x5FTveuRnDE%0*dEWPR)R5IhmL~S&Z}v z0l&)ra~sj5CbGS`p1SG6-W!Zh!w$)+m{J86gC@IoLJN}PvK4=myteO;AUM=BeIY7< ztK=qaXYJuiA<1*njSo=vXpZmhGy{FdqPR>llM_F(V!7rj4$xqt-|EYu;MDzaIEeczz(gn}Go92ssw?nZ5XkIM^FUU(ebDx>&+#@M5Q>PKI~B4%)GO})G5 z=;!)dmovy59y|t-94BNae6~-ecve7C^P6x8qC`1o^63|w3x+G}uwwEdtd0lL!F)}W zGHHR{UfbBBfx&mH?-MfjZs*)3Z#)&?iKXgAM6qTd^Xi2mF4vw5LiV*o{}nL4P8Zx9 zrv)sKalGwXyCL@{P=j6$tvQ4i0S-SHBcV8PTE%AUw^4Sd?L`}qd@j)_KJmw3lMN^; zYgVMa6H5A{%rh;cw8!FF84A>~IVwH;zeK^xiK72C?^I|?Hf%%@1Z z&MiJn@)JGLT4!BXM?6%bcGo$2fx)Xfs*4C)LzY^bW%@?Cuk!B@wZQOhnO+KycnfqH zV%`CZ7*~xyo0be$Om`D9^K7n6w&AC5RC}mRpZp$gd#9B9w_ZP$4dbGE;ZMBoFVo)% zSMPE%R0+ONzU@vagWSFacpBZdOPB_>>n#{;2ep8R?`(`r)cPzngAA2jjZOcwZ^eJ# z3%7kQ4E!waJalz{d1jDo7?I4#)8v1AQ#%PK`+d)#+JU|AtEFO^?%ekAWA!+$0AFwZ zhPl(jC-?bt9`@VhU`03K#?*Mpk&oir=UDn#78GNL19WL>K_T8B_M1jtrv znAbBW2st5l3ctR$IP5IL_=kR^uhgeqJ6e1)(0H@#0CA%Nwm2O|%4if#1;gypburuj z>@3Ko^|{9Jmy~}98(O?orY)KFtVE*txSR)xYF*XI;vjs~ag~shaL@ z@#EEg03G57_a;P=@~~aq58xG`A*$x7+jN7%^^Av2fk>E7J;-P$IIWMVPaPP9wqU*i zll)@musaYB5rUya#UZ_*#KY`cn!2+0-YaPLQiw@ZCKg3GJfu z&qHh>+!3<~99s+94G`1=BzTtVSqj7Y{b6j15GG3mT1l>dxd9sW_Wj zkXXsJ`H zGX6!@W|bvTrF7(xC|H(JK`;>1(V z67I5pFER_082OV^0WdC(VEzVWkvE>0C+g&8!Hu_oxVp$}&@pZYBmiJ2!K}$B0F1|9 zqV&c+Ysfy){?j=oi!}vjAbC1aWS2xa52SVxcvl#u%HQ%d^dx>hd?USow^{%Bhwh? z$uA^4Sq{zCq6FnV=-g*e1+FrPP3-SMvd3(4>?N+MoWTM(gQZTRP^$(fZnW5dI7R-c z9z2dSHFx?{4VukS8vTuf3|2wv;tCLO%OCo3xl;teK=U8J@?y9V0~vIq8q0p7mM%r9sF9b6I+_yyyKr9oiCM3`NbTzO1mUxp`HZ1Zm z!2%8YTfj-J!oqn52>rj>LO+L&vqqF9n8fN{UQ6|ImFv+#oqMLU#Ysn;1Lm9t!cI$_ z{QBkr#VCV)BL?Iy27P|hvAJ7>u~t1Cb3GJcO2|;J@%2W5_BlZ;+KHATF%xB^{}*t- zA5?7cO$&9==M!(+tDAUwKezp#cQzE5b#qe`gKAZyul#CP_?P}TdIp^q6c^RB8f@Fe zi4UH*8ujf`+i+{sF-C5GJ6ZD|)7dk^t=WU0r^Lcw!O+X-13sEJ&wb9nE~SLH*rX#6 zC&pz_GxdoV7%Ive5VD}%$j$2pqivE%_tFAE*n$v;S+}e%7eh`Rvh_;7RoW+~c(>#& z;2?dB-pdqSh<4lGXIHzn+fji^5o;IU>OGmSv80vN3|_ZVM%BZ4((To`-)jwpo-MU^ zsH*=Jp=cPS<-AzaRPXrmRoFcH--j)|ECj)NyEB zQ&&pQjB)=TThfg+bY3@YtrL0uB{KjME9-?FyM#6RS*TCw+a&o5#D|+_bC{8R7ZKFM zkO%$+LhtA8)cmGb=i(4qRQ1PG)WwuDUeMm~o}aV!i*ER^HlQ0}B$T~0n9-v1)`k>h zdgiDUWwrh~Eqv?=25LnMePVuG=aNs9FR)wm{u>x!gIx*q=6vsOR|?yWpGm^&|Fxu* z4k)~OI=6{p!Y<$u6e`Pactx4+_FgVYV2z&s$@8#qfh#;J4rr0xSh%+rZO!sWdwq+1 zi+G!DUHk%mB9rC2`tLL!W1`D-kuUJ0n>l55_X(LGzJzHB$8cTrm7x-Ser3xuL)RQm z8`Y5IKeg9(#UEYxGU}5>@IIqkRSYvIJ{_0egf|OkKiK>FcA|ewY0bN&Pz_DNSOYZ+ zSO+x!*X&#kinipYp+yMjW#5BD)_fhvs-6PgK8whD_h+SEqN*+NAUP%_hG*t*v#SIo zP@l=)Y@!mvdrK&`(QPKdS& z-~-NK;DpwQDba!N)C+E%K*Iyo76FiJO}IJ$0{8*MZD=h2EB_3wMz5yd>BnbT>&NGf zYtOa3o4UJsaaV2IxQ$LvGuME^aLc&8@8ZjiVo8U`$v?&SRWw4%2FU0(-U6*CL%1)n z76}}M1;$IUdQT&;7iTMVqsaev=}~0n{93_3GizJqtH!{ricocVev%p~CkM$NuX*|B zF;zsOnXr$;;x15(GqufsA0qIPn+{D(f}$Sx^A~!3eQGdQE55h&s$lryEIR*hv>P4g zJmKL?bYi7Bgh|hL3B~Sy7s{(=try=-vACd0V?_3&rmz5L~ zaTb${Cb&&8&r-(dyd*Z8D#Rm1>aI4uD&y6lX?>b;xvx9L4XDC)2A;o(%$EtWZ|NJR z;tSQ$$xx0Rq9CGO6MT??y1NTVQVIfT(4??T`18KuW!&bC=9jFu0;><0qKBze|KZQ3 zo{`y+3R>D->=6FkyBmF?N6@bM^t)8XGbSV#k--{CT&Xf@e!Vm9z!T|*ACbh>lX14h zcgFQ~c9q+gtRq=%o1`YXOP8!{hhQzaOt{+mi9CL3u;O57z+kLm=3T4Ln7-;D&ms|*>~B5>pihgMeUSxf=jD8o9TZBp`bsrAC^?*s82qLtAoh(!+} z$AW~Q2jSct{ZciM8`X^6Qb55-N`>vkk(352*;nha$2f-!oNvC%M%Cpu?%~K`POXUk z<^X{F#$%tqc@n%727Z;ULyQ$`y)@?bAY5YA3O0$B+pGQ8 zPFF*^GjW55r_dA4LwoHMuij)ll|i2SYmqF09+$h4(!Q@4EDL=dbsALGyc%gO`!+lE z4aC1UYtR7xW~1H&e60dXicjcdZnoiEt3T@Xr2BVihK0OIem>vr=;k7+pdJ)$1a8wQ zG2YPWJMDV*J@(fPKh!H}U<5CE+fty3Ky$7Q8W@oP>il>{k0wPi&zE1Cd~QQcTQz)5 zK{unx!xaZ94ZKM&fJhXKfRw(w3QF>H*69Z^W;}2R;r->+deSouTjk;OcBwevj;`o8jyxq253?-}X%jDs}SVYO5?(qo1w zWU)ab9&~oX-llG=u2NRBK^LL6@@$>TW}4X8znQsyvhMmmsj<4|%w+x5=`KSgZ{u#w z;QW&QZVpBuFF$SAY!2`z)By7V=LQ%=7-TR-tY?gW0bs;Tr831Mc%2~%BnHGNJYg8( zvPH44<15NztzuI_tV9OY{C=Q>Y~o%vJ%0IO(V*bTTmK=WT8ydO`(Izcar?V4er} zT9s^GU=pDp5uMc@{B7u%H5`;du*akX^xOfWo{Gbm8v{ZfD9zbqmViN8w!%~74YhE$ z-L~FLMq6H=Dg@os%lTQG%K}&mY4OjEnchsefRDh5q+nZp#91}3(u(`4d7J$Z zt|*jo$-Zauuvu#Fh|u?*N}d?i3OMgYZyz>^4S%J#fMQD zg`M>-t4brD5P$|o!^RI=rsDVZks(os$Kqm7%Z3OUg^K6!7{yl1-KWhu+@gFu8Z_<{ zK%eC5%!Fx5a|v0dEp1(+c^v%14I!l}v^lWu-X>CN%j4ZsK8ipIApPJOA*L#)W`b*M^o*jk;k~3PFY{>i>0VNn( zq%r`O;GWDM{?8#+tn}aTB$c;i8D>D6|0A(O3K$1_d&6(@?mA}K{gekuY=e$;J4G{> z#bN*46s^U4>A8~uVD)QN@@~fM6jwHTVK_myDwG{^xV7$|!kpf9b|o;E*G5RG42^1W z2o-r{zm_P$_D&k|D_-*)5KgheQ8HqbLhp=RQSsDi>LWuP5BU7wS%Be$iDf)r&Q(pX zz`PHH*&5KF$Rc6w@%UsA0nnRPLjp9cxwN-vFV@a}ujiI*${+%xtP$8KYa$;K|KB6VBEUh*ER|iiWO*SaV_pz+>5)rwn%V_Ymm~G;!bdvg&VlBcp5W|^dbh==ViVe z2-gPzWs8#OH9Aeg^Oxcs6GCZt_4d1?~1ylIP zzVAk>=VJOv)XI0!>O0lXw!pEHTj)+ zM=hki9H#Ahl3}!8kAA*WA%We$Qz3dM?B7WzIErJ=iog{KP5g#9ti&P091Z$%m2+io zPrn}CNoYQ_{OhI56`{HFI}IJ3a}FqHz1&rJRxRX8N&RxoW$cx36X?b3n{bObCCB>* zZ_)?DYA)CA_sQ>q=@OpGzUO`^RMSi}lY@a@sDwjd{vx2$|I=r12d8;|{1t5!XVwly ziC&t3h<${nbP(z1EK-$ILQD%pb#s=1D6LL~#Otc=WM;DHw6qs_!k{;FdY+o4fg9^eadv6NqYnJmnQu+OZv|3`}>3Wqg#~s=Z&iR zEmVAM?P6y0bTaSQdylj`<1Aztc2QC!Fj`sI6{>hqn`2h(s9yn+2eCp4&C!A>%_N># zyv3Fa3U}r(9G>-F`XfdG+`HjgGf^Po>q6cHU8Ib$Aqg7Wqzr{g#_Fc?@Oi)k8N6>@-oSq=04$XXIx3lV~Cd2tkSHkpnQ|WHZ72fITou2drjPhN?*xDrGoN+Hj8qJ zQj8i$LyPg-D^CUf&#JwJWqG^#wHg)bK8(RyJS74X@x;o?g=~2`8YD#bZ zfX(QwtOTOI`aV+2wqsnFEsPFE(pRa?!1RsDK5>Q#g$a)-M605>MWdi7wfMT&MVp{h zr<7cKPlHU&ylAHMbE#! z)#pljB02AVM50sF(b-;Eqt}Mj5!X4|0Y|KCP^|&hAX`2=vC)nly{-P?l)@V2jr76N zP~w*&bjNh~s>1w7ZEPiW1ti7I;te_%Vf%rZZ6-09Qcg9CM6J5lNy`+m)F3j z&z`V9iIo6%$OjX!DC4Ik_Lf*=Se}t=6F((cC*J4SS$*`3&v+y%`w%tGA1yDST63C+9Y z3q2KNbGCQ(9uSk(}d_9mA^MpwI7v4JGOWgmuCqvvu@E9r+=E74T_)ax?0g2DXM?`6&+3S-Y>F{$VB2-RJ4&t-sL z&m&C;?kKyc==i>|>d^8s*0Y_Prw176rwjYL+~!_F(FM_SKP5?Nytn^d(HWG2$jvvn ztL&n{q|n3-^_#raCjjj952geCqWVbp(U^p-UyEp17&(^WpmZG@59IsG0i<*D4oD zO^<%BzU;5<-_MR_?C*B3W-@T?=L_6_QaM0p5F~u z%{rg0Pb`IB{Q@cM!gr&sVx=5>ns*nSD283GY&=&r=)F*X)_L~(%u}IN@gku(5ijA) zKDj=pI9=Ps=-z)dJ(7U=o0k2O)IvhDya|!cO!bV#$@PF~=_l=mQeY`b!=|HtD{NKg zev)L)ub#(#YR;tk4yu})wZD%xJECQ-qp7Y~Hc$#|;`RXC3{{9t?TyZ8SMSU@9ywlR z_J{y>jJCJWxA%>8qbD~eFZL8?J%Nyi`=qC7U&tc+yW*aFpuA`gH;oGbyKJwMiq4uLD;ZT^=Tl35HE}+*(ETi0n_^11Z6EneY9%x$ z9)%uNMP8*kUYVA@2$y9Co7lGP z`hmB?#uBM@Gb+fpKI~gJt-F-Nn&!?X2a7Z49le(LfnyKrSBB|^ASYGGf;av8;6g<{ z+m-SC!o~&HK`S`RGvKgeG~`pruV^g_ZQ)6v(McN2DbfXSb>#T4&#ao8DZIII)^cln zelxZBqwus4Z|GU(govk?e;NDtgX{1Vb{|s(6YMsoYstN6)=E|riu!vH;b9?61P#XahS8jyj@g_X zr#iiA90V0u^!f46+~_;q{(OXOQcpe@-EHaZ6QBWZzDZ780lc`ix73rjQdUM_f*+$H zAR`hZpumq1;SW(nl7Eh65E&4j{COV<0U^W&0r~H9RN$|Ve=+dK<7fVQMao9{&l%`) z*-!p+jGX&;>dhXLJ^TgzgPguA0s=nm;{#D%gXRzcK^#F|NnV#EL9QJWwlqGQKZ`o?=J4szlMGN`n5gujdX#0RiK>g^ZX0SPuQ=Y zkG{O;cADpFem7Qg$9IE%vwt%v1QUW<)!ejj`|E1s;v%6@1|s~sr{&K`_a@WyO`rbd z`H$aAh=eS6Bqff3i2VHDJyqgSiuc)tBt^acx0e-&fT$si`Y*p8ei`j{C}=UqvpEIk z|9fv<-C^%9Vu9~vMc<+pfPZxQ~xoqb&DbIM3{=aDoaZ2R>7yrJjZjYswwfGf=SM9tiGXn{Lq>BZZXlQ8AaB*pr z=#(=lr|~9|IJKzzobNKKtE;yuNiV(lkN-r!I&3b9ldVseq5j_kRZS|WzhCL<7|L#W zdwEpte|L?Ph>MR;cXx9EQqPl-565T4aKlddZ~Pjuiw7p`bO+-9@4&>bZnn_metfwa z4LyK7nB*JW-QHRZXG?H-?CLR^w)w^OEz|rLbT-hRQ^JJpY~TK`CjF2TXrc#;#W^YhnIhFre8?@S(_j;V&51c)}c?avE%Uo3dSIzwNAEvsfsbKatOpU(ga4C-uo zZ(K#QA0ott0`4C+{EWX}Op};CV3P^b$VQVV@;c1QrEpp9x~BpEcpfc7Oi~ivYIig! zL&y`qX#DW-gZFM#_gd3V1(f^Y7zVXmZ1IkZjg19}0@WZ(ZCC4Qu$&O`K5i!^rHGNq z#>PhB6MgK-5^Y792*TF|ilF-4ruEEw?t9^ftA~Tq%7AMW=k6#nm!sd(Hgommn^T^T z*=$)J>7ex@^T=c<)?xC18opd6`0Cs(coHK2K}t1bI6j93b}_6TGqU0xigx(uxp8ee@GhSYoKabBl8(asP02}1ss$Y>{@&?bqzpvZrpsu5O=%vX6 z60KTPHz|lWa!$@xq2$QYJ5MGuU$@f4WeIp8zcH9`@=UMpG|?9sgX+WCwsxi}N)T1_ z6x!|m%|X}10sNed-Pt-tnJ7}mJX1gUwfE_>5V?KQW4WB`*)~hXnL`)|oS7FK)wl2= zn1+UKJ+*r=C^^eN&cNG9j$@hPAtq&;>HbH)r-_$DX29i&k*YpCkX$wnSN^YSl{h&0 zIwkgi5W8%qe{V6)f)KHVDY_BtqMC!~J#+I^PqfFW|5iIT*lrkza> z_^Hx5l_mpAF;QQ>`TZw0vSW~fKKHA7!2fSAMoLLZskR=Wy4uW(Ub{Jf5ZuA?X$Nk6 zGKJs3UV}><8P7EG{dcZi4jY1#etIw7T;0eQ`U>`9yF;1lnwv97iGAg`#<)-VtjJ48 zioVEUx=UMK3iW@hxroA+9a4)gd^g_|SHJ?a6yscH}D# ziP~Oz;d`;q<4>oQOgT}i3o6X?QTT#ILRX-W*tb)VWRAARlnszi7V)j;)O=fGHSmZp zxI{!LcK+Cu%e_d&#l>8JLDJRMi>^o#ho)+^fk{DwRz6+!rqOkcmT^{19qdxG;*a^1 z0RiAVKkr!m8rK2x{HS^LhRps&u%xbf_IR-mR&l*c!PooWq98Xr@oc|5tLWBTr0*DU zOwv+4ksCuBGdkBpmnXLy50J{X`zs0|y8GYsDcgw#L+1^^8;?~$e==t-yVfxG;nsx$ z99~eodueeV!$1pBWCwz+;4WiOV-?w-$^+HwXeT;TNBu8QbRZ{7l$fck!7-5l?e_2| zPFLdg^%K6GSI=KjvNqMmAU=>&I{4I9iPH3j_VPx%`Yux}vv<7i0F%|vR03#w`x*2C zwXD602EbsEVG5dW1+R8-jb`Ok}xLBSfV=E{tuutF2h~rV>l_4c! z#Kmc+r05VxuX#jeU4Il+LJ`HIDF9f>*&-(Gjahy!xxc=-+Aw6f1KfJwpFD^y5nv>C zz~QVuOOQ7F;sB&vRaLznEw=X7B@Rp4@~rv&>E=k6G{*h*S=M6(+!);6m}!2U5a+M_H;i9)x@v z*QQyhQrBAwh$iN9Odk*>fAmHlB0G_}?%6uK0Y~J^D|yJ5NDH|%UKiH|K_=@WvmiMu zMEgG(_3~37w)oxA;S2L~h=7o%LYOv32{uz!t`&vFmPnQt)37}9yop(RAR?FRx>8}o z34I-@+r|C@nZ|)P&(2nFJUuNft#oc~Zobt(s?n?U=QbG9f2Tz!TzKuCCKKOAxr~AY zO=69QJlq|)T%X$1@EITMG2uY&zmMB$K^jrmE6$wVH$2zc!MgsJ#~og56<}Sp4`FY5S$aZM8NGk68hpSw4OKj8{u|{D@h! zY}ue#HrnEms^O|Gsza^FeydKYd3J*M9BteFfD1$a?Mn=2(XhGKPo|E`2kQG@PSee8I z?Q!LS8|a-`;h<<)APe*xdwh>ZY%V~tn9z9SMDT5R2HWA;lqnRR9v!yJb;?s)ZjYh7 zH(r5(^cePY^~$rgj;y*5_P5G)w!Qgn4T|v?c*0dewM38INxL%gd$z7#%_Y{vU#RDb zdkTqbhevuxn9n}MPmVl;wlhC!n+MJQ%gE2ZQjG1Wcdy~~^Hq6D3W=kC<6V?gbeJTKo4=7ZQM zUoT@J#pdMT62GE>8`ZKsQmU&rJ5XVAM(I)^A)#3& zquW8KQg6Kv_I|v}u|@VXScWHXSN#VZa$$z+gTCB*vSI*)SkSFVDND3f4cO>&R)}|l{V`iJrj%|dZ>pDcMURfVU4i4uw#-{fK167>`D8aWHFY^fbz~p_BR^jbSodsn zr7$aLxLus_W#6c5ra(+B@#D6b1_@e1t$0*etLVoHLxtanOBoZ&KGvk^tl7Z{Mk%K( zlT*f?#yM#pR(_ytO;u)<88%c5Zy2b^DJf}jmf#R_t45NG%vPuQ{wJfh15g@;#{nUk zQPj&ONH>;{boGX!YIS5;@YL`y@uO2PqiE1b*OwYrH^n~hQ4S=^cZq)ok;TjheC^L* z#&y+Vl9hQu3L6QQUwtg@abEDd8%Pb&6d<|DKe}oS%J0?H4C4Z2pmedAh=}oi>&4=G z6j^=Z96sNL7|GXM_Z#|P!xQf;o-Tp#=s&G8=F9!e=s{vAryM#2a3Sx6dHe*-d$PB=Vl&)!&cg$%dQY552H~!!noMB#Z1T z<&?jE3~n%4IFkT-@l%TW#i2^jPZzzWa07BQygmJ^uF7$svkT)>TWn_^@C-M*;)=FjIs&^o(J<46v`hCUbjtlWUX z(-@sGCHS%}g78@l8q2QWv6X;<$MmZ4Uc~o2;d0bRfH~`pjmDs{@IPVZCj$?&EFxRM zu)rI%2x1iZxAO<$OZN)`Uh%MUP$aiC~wLjB9 zX`m{+!6-ARQ&=C$V(%?3ek>v88**x&J^Elf0J-nem)_+a1Cl!tx6K&8qhAD~W1fOx z2uKw#7>t{0=lxCw*otp6efJr)S|PW`iaEywJT*1jjJ7xYIDf;{^A8D+y=Pp35%Tlz z%!fza6luB`9xbhT3&Oj9!1vKxJjI+F62b;ki8jYn#drdA1)9mmH$;)ntzwQ(PU7L6 z*o6%Zs{|!QP_*cEPrtM8&oAq|B>y;U0ZFr5w&`T|XqMk`D0AA|1-NmjktDx7bM{e% zg4o$T=bdG9wkH&K1*rEHnx}{+)cz?emp$N}EO;Sim=d`~S6np*o-N(-f-RX76D#hT zeVhPWM1LGg7X6d-7x^K`*_+w2!cPl(}Y(*&U>5)6S*ibEsoBAdt3$Fm) zLax?H@;2+WOXP00C&<*XEdQVcrJ8lntYu$c`PmN1M!9jb4mO3T(Iyu^B7C11BE%o= z?+W1j!e@bkY40rHxjs53CbO0RU?`JS>ps`YLq|l~fnwvIb~_4pc?>Aqs{sdkBkIGQ zN=V<2;@I??}xk0K(2A@+Vc;K<{Sw=$y=0M>-yzw=6FG;`I!-0tN z{ig+U@4ayXLLq8_QgXoQXTksASuA1fP{o}+z;)r5BfN5;IfnAlG`UE53kWJK|@OidNq>xDkj$a zZw|(d_Wf>EviOdq17)W8;xKradS=W4mJ=n~ZF1sS<&W@)hlgjG7_5vuZ`gj_>bdj< zYreUvmQ6QE#1=nDo0HRpYo$6J>>_1wAz^M{9_xK_Tcz7FSt7eIEc^#Ui@WO%8w?u3%UC`Y&2M|3P$)x!$ zg5TVO-WcbJMvQSOl^k{RfD*D+dccb@o>%@%v2Nql)B=b-NkEeVEB zO_to1Ev&%(V$uazxl=F)T%h6abT>tKL`re9z{{)RFW`4f342+4?53?PwFhG+f~R|w z83&uY^+4CB7fBQiJviI}Jtf;EaM*a}##f%FJ*9K}lR&H|=n3lDc(JAi*u|31fpNg4 zHn5c_A1%hERuBft4>YNkD|`y;lV7NYDO6kcxqKJ*vHIfIXcMnAU#pMZW!zI!zpY+i zajI+#TbV4U9bWQfW0QmSsNEfT?pzd#k&9Asd)_)m3~7T6b`gqm!U=kD&+hX$m zeTj%1Mt8UpLeV#vA!K>7J|NAUjR3fV_inM|B0jGuH|q4aOJTAZFDMIkUjGv}Z4B+W zzHR*5r$mSZ=)2QZKa0Q~HM1<08@Zf^MYh^8ec;uNwVNRb=z-)ifGc|iL0{0Jc&z!u z=7l7e<0e0t`Wjondo6!#$J65TtY>cmE!TC$$no1Og0;ZbE#)h`awg4Q$A()Q-7 zY3+2-Tv16xY0aFTGA2!*6c+}{dY*@++Azor2++GFCsXo?m~+8DqH4CY-43l39d04oI{P2n;_#3xdWZ|_}3xH({9m$dP!~Lzd0PwnY zq)TvMr_tTeCfyaeWW1b;hXep5v@Pb;R4xxVztj&EA!N4cwMkm&x=Rro?3u%Xu=?`u z#{%d?R}+{OD@|INBn_~tY(nUTzXR-SJZ)V{(gi%aKBy@7nfx$6IUeBJ{ql|rIOUeK zSYzgV5RWuLqQiINfX>F@`F%wb=^QCPS)#8n6N!9bW}(?L+@B&(^CS#Uq=~(4{BlVp zGa>WgCd)`}&?L@a$k@Pi0BQ1@0-lXwL5bE^G?3WuRm&wX{5KXw;u10)pKqC!2w4p! znUa&UOnFHQ?P<`Ia*BB{nnab-Ua_oJaH6 zrH8(+FQ~(`jUfJa7VvW67ZWukerKYT9?n`1u#vBU+6b3&hiwB}bmF3s^=b2)F zwa8Ei!|G(YE|hICVFOGm)ozSzo7n4L{=2oIIRax(yqynOq4Yul&TuArE&+8-ykU4F z+~4teww4D~#qP8e-k%p%7&j|W*V*s40dK-))BT2g*J5Rl2PB{V(`Oi>=)E5@luhz~ zy=;Yaw9N!i3}Yd)nOP%8Y(~1jzt0VRRdL|ndb^bS5FY?MVrSHDOGvqxi*8Fazp44? z)1P7gNOsXAJlG4&u9Y-Gg0_Xi4q3d;|Zw^SSDCZ6QhlSY#`-ZWFo43Rpo zsopN`I@k0!?l>M1h)gB)gnoh^--gAdpm#9D1kCHSFAbTJTQ9!l6%~})PGq&KcinBO z%MC7+L-YC=m`TJ=#n5BTbkHjDuG5+tX_0n$V}pK3?4jjF#OYeRYM6 z7)K$ReCA*;OjBpj_3RkvbI$UQ61`lCRDW>jryb-ES1^8}2zu_bz!P}9W@usl>K+-H z2?d^4mN>W%wpN*UZ~IiHJQHHz;WW*vEcB*sZl-qpP1TwJfv?K%pJMd!0)5ZGcHM|OogLmB; zHO|V#0mi^B4^zGoZeu)}t@^#0M%nYbCe?GN87E}#tt#8$rl4^rV^d<|B{>Dz6GSx$ zmR{;yK&-7!a|&`1NiQFYi=jyn0^^dOsMq_-oAW*9a_wQI#7-I;)7DgakB-9G+mh># ztOC>vo33)=fh{9>zBxA!muGuxXITMB`KNC3N~-Y%sMrb*-_DolcYfe>8^=5{naZr6 zD+0KQ^5%%;e>u!zbD$J zsZ6>rEq>4WRK(5^Ao7A)v*DiZW+)3}0aN2)Qn;VZ1<#Llwn@qp5=J@)2h3{MWSku@ zf5z0PIjw`*eJk0Rxn1zJ_<6L7>w6WKuBj+=UFuw+Tc7?$i(6rHD!ii3c4LOx?j|>? zxfR20j+Z=Id)4c0ebL6RBSlcek&|&j^-)WU$-r)Lu#Maz{czcPX&Vns-Gd!M5jfEj z{c{L{c#H2+Bn}4fqD>e=uw7%n0LFdGKGq z@OYBH-YTSO6`4YN1gHUd)Q&eez<8nG+#rx<;j<1+jr#WT4giUv~#}656+S~C$&iu60)kl zZThY2?K$1-q78fv$e3i)vlG6xz12PbT}u!d$hfmA(4hJ&Jq~mOVL`1Y@9~z?88Ecm z#bn20d$_&L8oi1doLYPL*v7?ZQmO;r*|Xz$^rHA$e#b!splRty&=^h?EfsEKILG;7 z8Y!v7ZOv6LWntTl$&`SY{M0&wWNDqy_i*U1uEw6HI)RQ8ikRYVMo+&qbzj zWUI>^i*;2+AvfgaM3CLq8AJ49#?h0LhZLdrncg}&q_eMo;oaOa{>?ZfTJ?{jG;DShc-HDK6!33!CqEx&d z=lV1@OsB&p$;D-szk| z&LP@5ynhuL4C;s?!3idDgLuVnKVwvXSb4iOQ&X5O;QDP^xpA+4&f?ZL(%y%mj)gzGZk9>X^6`1L~Ss&uWEkx?eFgagu-@RZ}&0JEifV=aIdm8 z(N(waCo6f9A_1Ge3j29$=?=RBstSdO!&BLZg8Qk< z3_Cs-_S4j=Za!~!QS9}P9Sqv!$?a~Yc{N$22ycpH*fm0C6>(Vh=fMMB5)uTvi z4d=4F$REi+WbAZE_D8SkCHmH3uwrbf|G}i8J}44kMyjap2q0c1dDORs*?F{a>7(PPTM7 zeziVIe1q*oi5}4JdaE$ftTfI9@tBxAmPn5x-Bi8@M_Alk_KfAA=^+IZq|47Eww6`(pt0(l2fT%Pu?awc;aH zqG(^7UDimao+c)J)X^5cU6Gm=R8yZ}Js)Uwp2~?}lJaUB&2|IhusqHrs{vp#Ke*=< z*E4CYNOT||piNymoW!svrs0cRFfZ1c!Y!V;cT4ocQ5C0(pyXSlkNtjj--Pc6SCi;c zF1m3@K>_DCg+%js#4nhlTduy=LdsiTtQCN?#}zM>?=G}vnr$jK8BtF4WRpS@e6w1o zSVFMil^tc_Bj18hx2r8DCpTF3hpP*t%?7=#$>03WQLNr{SR<=HICOB&e$tk}(|ylT zb5>%g`=!B-ey>y;q_KUb%Zef~=$E{~jTkpaP)~?l{ZA`J&^eh#@ORHpz zwW@qjlUwYpWi=?&t|Dor8kA|2Dl(Q(0fBP~OtoFAwGP47bKo12|qhN^Lk6k1vo9SH#XSoop}K2z z+G0>Io_H;j;-XbY#*;uFlhZU2=(GJWG>kYt-_w{m;v&mx?HG^=k{bKecvljQn_3jgqXGXv^w%zvJKZRy>0IO#C#{e!D%QXWos`5$Rl`q+(>9I&HSz z;I^r=cpH2}+=-2~}AjjqW*!ceCqT>lD^oDt~eiJ);O}>*`99 za(Ie-oBiLv3SYWFse#WLTL+W)&jZX)6=K&QwDXB6boo~i*thF z3haD(4P_32@iWt;BtG6?#=HF(i78{ys@%CGfY4%Uy``M2P!$?3c59|n6rA^VJWf36 zjSoyUNf}(BVR`j#Sv(XQhwlQV7-4xGkGZ!6GEX1PYQUgb@5mFSeC=MtsiJ;`j7nfR z&zcymRb!x^gi=PXt)O!cjKPTLGwG9KKba~u$)7iBh!SpfD^}8~vEF>+u_x$#d+ot{ zSDVl)^2mlFAT828fAQk=LCZ;$@JT;6m-BC_lsqdfVV~2Y1;_0nIU%=A%3xHSB*Z6A zKg32G(|Y_xfCdJ#V@_A_tU+;4;Tj2?UZzGady+q@IR@*m;+APXbMck+uwX~zI)zBW zH`~Qyzlt+D)RL$^qW0NH%?mtwaMS(AdJ$G0WffA<*O2mCyfNg5szo&dEe=+&kIa($NvMwBtgu&71P3#IA}3VUp|qcQK}&!O(JTz z_wmz-GwGuUZc)-Jj&jQ??@tZU@%OnXEnPUxYSGOniMS4v;u+Nq+O9M1v?T2r*shlz z0UddQ^H^@qTCqR*H0!dv>V~COF|7ZVK5>?}S88iD&FoMgM5Z^ zE*eKc>KC~Qwmmeyu^;0A)FX*`xZh1;W!wxJT^%p5mwTqn z`E;?GJ7Bn~o_86mF4FSNy99%O#sWucoIgu{NpXkGTQ9WMefkuV++iqK1ohd1Pyp_% zGe`3!Uv9Yo2u`Y6BV)clzk<33a9YKUc7y!uwe|^pLR!mq;r$_ewj^u=e$o8O%bhT& zm9cg%)xcidyk5X=BWYwbU-+%(RK>c7BgqqkdafkBn^lcTZ�fEybyce%9vAnM|r+ zSJN-Gz8QkJ6-WiAWmH+{H?mC{b2H-k;?T^b?h z$Cf22^`{!H=cDm^jxmPYQ+zlRjD|8Q@G^1ZW&HT@7kTff9MNJUy+#9-s)Q@QnaVZ` z2Tj@wA~(2oYdm&2=4K>VPrLxDWtM{j83MdN#*cl6iY?DFP3p(_|MWz|JC#GR;URxP z{^b{OW4yzPfWNiA$58(K((GyR5ARr#KN0y02@suCXCv{MSl_g4Q~%>>oNZm|cpncx z6Sat>M!Y8NkxT9iDLi8y->WZ;+|Il({PUpFod%oA>n<8@>aqRkRwvEcm6I%CcGb3v zd}Yq4UCsD&W&7>wi*}#-@7w_vrdJgw6(>gM7U|xvRy1Z)W(T~YNisUCVYo7xWjEojTenZ z2j^`7lI+dAjqc~ZEIVAg7NB#cc3Ozm&CpDMTbo!JQvIRZK)g3|W3&yAF3v+h<5}9I+I%A_h|s_@Bwbo7D(y_+HdZxc z{<|({QTN+>B7vrxB4<5zEbEN>>5Gu74`;U%)dy3%FoFIj0=%ahVMz(kL1xIkux*Rp zo>oQk5Kr!vNV!sW6Z)B_vrWr%Vae>!Y-=0jI z#)U{L|043-*%-eSX@*U`q(63$NyS*N&Tm|^pw5PW+kVZc!LiFh8`8$hm#~q~;WT%) z-^MkdzEOmnKY%2P(EsRDf0r`CCX^4Vs={sIZt&2bm!Q-Kdd+CF!andGl|`6}n4BJ4 z(IAIWWk1Pe={1QN_;SG8lK}eGv$BL^SS@h2IB~W!cuq2_`lVH*tn+#=Mid5&g^Zlf zTOr9cCR2h2jk#_Jd?|HKRo}(?v+*>wslQXDhJY}Qv}<@a3k2N-eJ4G-1lbP+7iw_7 z6HwxjlRN&UTv77!>iD?r&}qXJ`|hA%8u5Wzc^B0nAIq92Nl~4~ZgSM+fZ1aGCbyuS zBJHM#l#65oTh$@1S0zckH6XWP6@SJo`OIS>k*QU8s1<4oEUB01DR{y-;ZCyBiP`C5 z+c-gUFY{y}=QGF!<|nA?X0m6i*Syr3NT6zb#D!{1MVAPhKTSnx!#;rR!?Kl3{418I>~4hHq| zaJF!4Ayv*-Sjy~S^3F=Jl&?19v-Qf_=i~ds3z)6d`Hz>dl7#rKJz~Yr+julh3bpXt z-X1lqqmvnER%oVtQGOh}X)N~F1Fc2@F|aZ5#R9}!)6XLGC!t6B4Pp%rWPW&r{d3v# ze$&x`m6%3VHT`&q8g2Jwhh_Kd2DNhM6!7^P5}#aadfSqgzF7hBD3_+;9AeC zZ%BK$+G-gE%068zJG6wD8V%Tum^z9QaesLvgAH6=JrJmqI)Xt#w9>2+X%&kvKY#h6 zkepigJ>hym-(zls;k`5sSX6f+Rwa5%OsSX;Olhz>R`BRCNCZ z!&mYCeZni7b5*NJ17+Kkxx)7Kg7NgMv(n$P9gQT3{9sB(wM0H^)n zBsX98LYj{QT=#TQDB*J-*tvd`RXH!>?(O6sB8;0=y3W~V`z0t!#gkv6gRt^U&bCu^ zB6Dj%*+MRygY#KST`P^dErK!7cmUOjb}%8&;t-pm)l(|%NG&Mpl1JL9-MAWx zNq&0@H^5@5!noRXLuIDfv+{8Y^HRY7wvmQr4ajMkeJ!F>^7u{OJ{ zwV%;QePcrc`_1Q2MDSrOqb%4X-TdTeKcW%4XJUjb6DjE54sVjvX zTa5-tPARE8{c+?Pro;Lg<~-0K+C6@tjE1)O+YjRR6sTJ>-7LLL&!D2JO%09^cB1~- zD#^HqXX2r1rju+GhcRy|^%$pe#)cx7R5JR{yyVHP3CSFu$~g$RmxxQ#7h6h3-xFzR zE1-;NMKWn;pY*J?Apt5aOvMX>u^wxUKx$+zF0M6QJh=*8{^>^NJp0*N`6x1GACB*t z>f7+a{jO-sU&xBhXZ=4P2S?#Tw1I~+Jl*^aGRrbZS3{EfGLZ$36YyZ9Nz>7EA?HC? zp|?SLOL$E!xY|`fLd#RUW~KGP{myDb z@x#xI8;jPK-?N|Xq*29Sphv1RIQ1EqzsxCNtf@!TO_BI~%I*vod@yW)ULy7SSo>j3 ziKPmp`Kf!K1ul);Zw6=&;>3L9*R0+NIqT>`9(EDA+!8$3y`UG+%!*!otr#pl@ zo~LsD8Htt25|u1nzJ&^2XG0q<$86U>4K+MCuG{Ue1Yx$>e!tn(cYW48S&|6&kTBSI z+AbkqZD24WJcCFgDBc%`zduJWc*zKPV>Li*!{wZNG-lovaa-*={{(qZkJYZ<*9nJ^ zBlT+_Dtc#E7jcln-St_#3tXcQ!6vg9FH+|UxW9!Dzrm!3;pz|dW!Q32O9KBtcX2f8 zz}xw$YfT{}QED|sAfcW7hH83)y-T!s8wQC-KWy&a!WtJ+~Tf!(*@kE2VL7qd<@_-CN(7V z>>I68UsGbSK=Ms`4;Y zoPs-doh#CZ$}CXX(?KBwEDVl`D54Lsyydj*Lqk0QyQ8#l!suFfNW}RnPHDP!q(2W} zLhaoa=pOhAuDt~aZy_R8;1AabMv@8X%obm;K91(E{0xEq{uK_3yB1mPdG-7`WhLak zsSG~#lgeYa-c!Qxr`-O7=h?|fGg--aHIyokx9c3^GH911XjK@^^tkZy-Y`wJ46YWkB-|l@&IOm2^ohFkB5hW0hcRK;J96cWTF@mhsm2pd#3o^ZX-t{&! zblz=KCoWfS?`s$@i*a@pr2*`7+0X%2f!zD~ZI?-ZIP%=>Y(w{=7aTSG?$bSqF+bFToaboAl+XjR|Sjc54QM-cgMa$rL35FL$k5hX>=6eGo4#U|& zn-`pdWS)lva4~bUzb&$@xHJJBou~BH<-*a15B74#>$cItWWeD4tnlSVSKQqV>{?Yc z77W*zL&zP*WFAQ=Kl>T4he<=)!=dbA!a6DaZq>rR983b1kb#?5Jifz{rbD1!!}{bK zlcuV0Eu9(-0l}>edpEsg{Q*x@1xEpU<05*(&#&e5?tM}xEj>xd&nLla@X3`uOUtYf zbiE;$E_ig22&aYzroo50PTKCT?ZB`k!+e=Y;w~0-9{~|Sfi(~H?`lh^1$@#z_esJ3 zXsY&E&2ILpeH#)dUk3(;U_Ry*l?*{zSr5|K%abDw!KT`fi?8bhvSvpKzp8!iZPTbm z;km)6%;4iu$$;aDgj5Qe_v#K`zWarp7~El-Gx~k$?eKFN$DEI)y6M*{*>AN|J*=6w zinm-WHeQSIZ&ftJHG^oSXy&14ap|f?LqNc@6gr!EY747Pg znAk%hxIZgzyJ3nBu;+RqDstQPv)W}}fqI&iRX}->;=Zjcy+LF4+@9HI9+!=-r_J=D zx7r3u!%FMh8>Ox(EB}jlMsa{28t)@4x!jQD&rM8BNXS4YWO9R2133MtgD*?jfKUv- zz4!MkC>V`jTYSh%M|FVE?QmH_A9z}1VPU1vo~76*Q1@C($1JEsy@PesnwDvp_@%Ia8OIm{2K)SZR-@fVYovhV4V7nXuFcL@7+fW;fUBWY z(+J?T5n13wgM{Rx=BU1(6i;vQD@QVSr!N27cFPNuTi|q~pSQm6ZnFBFqS!qHcfA8B zwV>wS@%A>ex!}E2eu2&Bwu@K6Z#`L}U;318bPDZE5ecZ27W502Y>Z)MG|Qp#l**J` zzxCco;m!p$82Xt(Vr7T$br`wcigZ_lNC)#S-&6SH`TigF-ZG%7Em{K=1SBK`Q9&uC zC6tn8qo{<0gfxhB2uMnU*q|WNQj*dLf;5=4NO!1oOE+&U6x^J;_q{*w&;4@_?!DJq zbIm!&m?OUN4dSpO+mJ({L21E{Pi*#(h9zNcI=7~uUM;Y`iY>8`VzfUjZ}Obf)ydrW zWXE1Q-c45>wZ&W0VVGi6RfYU7rGr=%%iP`SC$Q4NF$}>SDeGdCk7A>7o$>mpRu?~7 z`?)zyT`8DTm*dIta}FlC6)NTH91Cl=%J83x#p;~%OJ0&TZs95%ZgI&oSSaGs#?C)* z;DAhgID2;S>V|rVHgPQhZBEfuS5@)e zBrB?1Bc^7%aD*d}@O4F<5q)A()#rA#9~IrExrbtnPT!90A)M7%vLqdeUaQ5n>T%6! zW>wONQZKAk6P2(3%xzmS{n=0D*3gi*8D5T`RhjmA70=+DMli7qCc6ua>|N@k$u{DY z6g3J9%3d9hx~|Y%+98w~g75D*DqumSN56&z_Od;;ZoT&9FU3|P`RuxvDGf~62oh@wN7LJBe*T6;>WGE`Rqr*TYVzV zGv~r92x$o~K>{e*46j$d`CzzJ=}KaRs9Wd7bQ1l%loqqa3seu416WvCq@XT>No;F9 z$3n5JY(ZWN4~wHs30nDKERr9G+JSxI;fIoqn_N8mSUxLb>N1M;Q2ab z1J0h7{71DVOFE-z!Icf~&IHFF^*vbg`eUBxk(l5?g4fl?RncuFrwM1xLUQGGR`6Xc zw5Bx;w5EF%Ie1)F&X04=r(M0E@%9>l#^>g`zGMoE-`E9kT;We%N4Lho8W z7k>(r+sj1+ zqZ=iO4+NlWVaj%>_H{>k2D0__7s7w@swe-GeeXAxeq^ZnYrgaGGc&fP*4O9i2Saq-Z<&_O+srO?+xi_kld%7qJq=P1 z^D7Mh775X$pOPsfu~zZ|INe1Zj}7}c`{>E_D`PyVKN8s!)VF_I%4~hRK`;4;R(d;) z!)k2g+j*y|0ETP@b}Pe3))WfudGcab1yzLK~6)XJ79Cd{s#DgP^`GQxl|@2NzE-JnBrc&Q@4k80-%b4aramNXl;Qt z|E8Q+WZr){=;w3eM3GbC?_8zy_kY~K9VrRH!;+4%Q#j`)KdbG9)Kjgm%-!5a$!kV` z>XL6(N5y_DVR2eU#?Ser#ks3CKQ`ndMP63D+0J*Ct727$9Cf;p|0-G9HKAf2@W%Ko zP+K6W!{8`lpH>MmExr^xyO&xx4;lWE6$0-;MGB&ZmAEIV4oB)Lcl zU5jxJ)6c#Xv0Hp>7OQ<*n@r9_$pmI$n({K|x~;v>cB%LrDb{i6Y;Vx{9aqXixD4Em zE<(*585U6$oj@W~KW&GcwAe{lUpC71U_yaZ`O6Cr3`QFh0wN;VR`-7cDCV6zp2GyS zFPO4j{Dzmj0g3_Rx?SoS9wtFeT|03#N-SW0AI1Y*dU|>&@w_$OkUoJ`w}h2iRi+cU3pIH z)(MG;)n8v;FzhRJ{=~-(GNeYkq_fWPgc--(e!O zIbE~OsLIySBrK{f1-K}%%^pVyq#!mL9NL(JOYv7Y%ht1B)0Z&ihUNXv!tKLs#T*Nu z+9nqe^lDVp7)#zMDKjRZXP}p2vH!8;pEH;Y6*^jsU(+abrHc+mKSqLGedLwJ;Vh3# z&2TQb6R%7?_l!EFfbueJN-WT}4kT)4HL(ty8hUj#u9%BodTA0No`CaYO!klde+Jbw zP6JsDCRoKXF@?$@lu&ZG?d6tJU{);BJg?{!WpoTKQ+moSz_|JAJJ(AwOYCC=V~L_o z+DK&)Opb=vf*D^Z4$T$+>gm$cUE{5{ZtA~+lrhx#c4Qk`wtddK*>xmeRx{7ynbdPe za{jU;!(ynJJb0Y%3KuuGNc!lT9S}Ro8LVZ#hfJ7I|9sCgs^mvagKqVHdusnoCfCU$ zH)9WNZ-ZW@EXxK#idM_e6Yb8ZM#V;h=`SU{ZBouiDc}G@|1^`$k_gvK5=}w_Y{ z2fyDng8Q*VJ7!buUWjTF>H0pesjAA}n$bJZeEu1{gDj@Y;>4|@DW01eGd=_mJtsOj zJM_k5%Y6kX5lRYt<_UiXbBom=48uvSRe0Ys36CxOwWM4{L@=Jbynox2hb$bF&KgHe zIFU%0=L`H1V&Cha6jt^)D5%8wLMwli@N-r zOKuAZ!bus;@->y#TK58dx93&~Gnry^wmtS9m)*}BQgyYf8?yj!t?qH`n^YpQI|5pc zlLU0|^79j}m!Q6eK9j(%r==vQMEiZ+#u0`#3pM97dB*+PS_x^oK z-puf~(m1?S^kNx#jzT||4%E1gNc@=3Jpa~93F z;pzyV1XTA0mY1V!X^?s_PZ12q2)E=j(Z^3H)jVE3F9`8oPP^w&1dP1Ar{_`RB)sP> z9YQjr>{Yft$O!~5&dE@;+HlXdqP{BC!$~D-ax=|B=XHlt(Z!*lTMLy)!&@Hqx4dXQr_Jt7A`g${ICZcxB z_haLeb%#YoO?ip1xju(FPJ9ni*`;}ZT_0K&0FxxRwZ?N%wAt3CT>0%MEj&MQo zn`uXOLV+KGwkmJKMuHY_Ql7!QoX%d@{ECG*&xCFX0^~s_Po)!YWAEU#S+Z75e2WXs zg3^2+on0Dz^1`ZAJy9-_HP@^qyQ3aCh-o=791kW&KuOsMfeS%E_v;O8Q%Aiy6XMD9 zzt$C|MOYTWsUAPu>ElU^hg6P3oQ0tewh3>^)VZ{1-%y_K;Tr;u5hCu_6qOWhr}EbF zZ#;QSdiaFFQs}~$yFPfN9-_U@su^8Z4dddK3lxDE*AFS4LTcYQ!?OlIn6p(Gq|1A`$C!r&;0cqp3qJ{__Z-)fwx^-P9^ zWu-Np8>u}}q*Ir17`8tjQ22cV&;?G0XZ`LSz?KTaZ(>+Guv+8Oq!Xw^yilE6dv_U& zqT3=X!bc>;JSyUVW%2MOC%4UU0mm-k#NQ-4UB%1;Kg*kRx7I)DzHeby?5Td$HF>U^ zLzB1Wanx;k<%y2%u`4wG}uG7VVZl`DQ^hNi& zd2WWMZT@)Gqrd3D$99xm=)M@oI}EQyqT_3#?fK$Snt57W3|lb-Zs%`b_jg@-TUI5T zYkqvVYt1-XLptk2QgrpFz_hZ{6N6O+Rt6PvTzQVu5k)ttn>;>8L#5c(O`XHDxBGtr zHIJM9ipeupmB9dw#M~A)k7scePo zm%Q_S3nNMo%Vvu{`%HpAa`0Hkpuoy8XiZZO@b{+$!l(chvoVK_cbdn`_%5Z72H4m5 zA6yueT2%45eD3J_ehqDf^^V&twr_mjq<8bR^`^CFlrpnkw+`f>=N3`o*l>{Q6b*C< zbJ1Tq!pbil;&OXV&otH2i2-<4h8NZ=oqUlu5t&@5m#;G+of&4AywiM2Y|gaAvQF@k zpI-?67{T%F0~+-WtI%dSC4TXYrZi{@t z^|HgRV?53K>=yylQ}VAebL?taC@!w-JBhO?vh@e8b2Regw+4d17}qaedg|j-bNYo- zn!{u#7kIyTgmrFVC0B9}29_@0fK20%lhaKJ35m)J#3J;C6UC%EdPY@uYu5SZ079;( zpoU@O&zcr$KFjSLXx^Pn{@Vz642HMzPeK-?7{cz_Fx6{Eu z&=GoLw_QvAw;}u)4BB6qbpQVL+jl4r!i30`qv3+X_|vCP^NRX<+A8bIDBiu3*z25gu=O_Z*~$bu3F{ODbk{rsHNZb%fAhXIj=mJT@&i3L<?Yndc|8OH>WE1T_@Z?ubz>X@cBG4+d z8x23Nq^OwDQSrMD{U5FdLx>H4`@-hMChU8LAc?9!7Q~H>lg;WRM@IecbbbA%h_li8 zaMyd?epTy-2u3_6hW0`8#h2(azO#bAKkFBUhesI8%A)_K|1%~)pxfR&rHId<+paG8 z%T+u7q-Fv~xq^^_aL@c)#y#U5cuJWCVg>*B!Z5%#gsfrpYz+3E$KoJ}FdT0b*}q)| z3eXdzi3pV-iGFJ!e1Kgfed*F?-X}!(_=QF^LjQgTRCx|i?aikBj76-~9Vw;l--qE+ zGd^mDxqm;E!tsl{P9*woe*GFaQJ@+;k zaG|fK=Q;fNgoKXCBixc5hI&lsy8vx~@NjAdnC{DjN1yD5fRNYxUrhHBVit*f_PU0C zKTiS#y>f3^`47Y1pXvDhs@}+}o;mYr&v4fWV13v84zd5@t@tMm67vdC(JD{p(AS~d z9N?wZ=Jx}hq7P$t1-2h){RGyx%|C08%(^1{H?B87j&3`EdoTDsP)?*^QzlMU7hSED zXYBi*rc{Rxrd0LdsYsZ}-7N)_4QITSfp&b?e@6fI*YB1PEKEto14wQD84!ev;0^IA zl@S>IKfk1>59~ghL&7cSI}E5*fLf=zzFvNPW9503+oear|9mxaTLm5r(Mitmyh21g(OBZ{S` zfJ3syTyT84K3b+NX0J@_y%+J}elic@6FlMD(T$zyXE+UpBg43qDf+zaeEI9M{O8Ep z@KC&OeM2;?-c9U(sp`BL_jNd0S5fsm8_#Z2ygRD&3 z?QO2B-5qM}1s4|Vi)2L?;@xkzm&iH*#w&Lx5#h-C^^Mn-@w8}pJaZ$?)3O(p0@7dD zn3-_{#Krl~k{o7W#$~B`;sEboi_dBbM+TPp^n)F{IcG%mKD?0Uxrzy?ATg z*%28AWC|TUQ(+z=^=EooT3S@fqV$@CtN^&+20Ac%x7vg`za(<4fxpc_y1`fUFZMq8HlnI8p2tR?tGh2yii!bkfpM|1#bdAj z4Cn8EZBqglyL^6#zDH;)k&Kp(NcP95qj=>1{%C$h5aG+cd^mgL?A_t(k4mnaH6BGD z(O%hJL^u+4mb@F#KSmMZE^FN2M5fxN|C+TF`aJF(_#KXNt95TV>EHDSzi!gcgQ5FQ zp#a>zPM%}`da}X1FC(Y-0elto_af23R7t(I5N-|OrT>pJmah3W7>AHjt%T3K^-4J3 zO|!}E>M!&+L|^nT&LOmpJEY3f6^?0qK^7|X z-*`4*@$ip{ZLRp7;I}S6=++o7#dWMFyBh;yM0Z;$Y&SEAd>=30-~L)(hv|gy?XRg% z@&7|At)t-jFGa?_$IwOY4jTzM`CyB_t81|;)qfmzw7-0N$NFP?VjEcMw1R@2sTFtc zVr2@l{)ZwccLH4_FdcRF2Ko?jvpqBSv2aOZQ-n?Z`^A-X7}I`I!(UPPYd3)B&K<2COI{~ByRNw}%&`5U#0qcIxkprPfR|Eu& zyt*(h1KcbZE3WJ+_C|#5+4+qLr0@Q$BOMDe!@Qhal1|SQ{^H8{6JnOQECmDc)&bW9 zARtDV`3C@0@K!lZtzo=)elf{Q7HN{;u`#ZjjHBbEGvZAw>JP!Fjuc9M>zISo!tI^J z20tpFooY-~<%Hslr>b+Ge2!|`L*gk2Nv=#4&&gpXu#p2$X?su7vSVz08!(Nmx`n4 zV4>m1hli>%5W2q5TKOtgrH+PM<_^rd@2;|V80nU|m)K2qssM7JO4)gUWM_8#wLA|h zR*AHuhv&S`9G(dhA8SmI(PMrW_!ps?pr2`0l9zfy$?Hla6%wtPYZe6D=O0eA8LmtL z=mm%r(+{(2G!F}ut~TvUYJ#e62s;{#H7DCF&*<4^;Arz&cB@f4kI+TC6`UTfkDdx$ zwf=+AameuU%3u-!myA{4pSCL9uq_K1Zli~>yt2q2K3&{wU(8X9NR4@~^F)llsOGcPu?Jn;7I(LdlrC^LwPQlHqf zabVCE>|aY<9LbsosN;?Nt4&z6^0U@~WdDtv?i-VRz>1Z^4O z6<(e<(haHUg8CsKUwMKg)p*E)j}YF`K-e=6KAnX^*C^p3XAoMhmep^GkI0yu`Sf;T z&LlG|V1mgX+2hvHMqsUDOES>Y-zD2``xk9s{R#zP>$GR)N0Ms;p?`&XQZ(?eE3S2@ zg?#hz@!_7dcPhig#;>Gu?ABXcD28?@8g2>QU;A0Lx$3o}+*eI=45D26`f_xBcpae5 zA{r-kJG?UmAWhTu^o@evfIdN+EYw51Wdi?`-pUVqOcH-pZSN?AyRXWj6G(bk5R201 z&M%dp0q2v}#FMHt)m@Oj5qLbRX1pL|VH}uafE>4)hYCnRi)Y>wkRCepY*sl;%%c8>(Js$R7ea zK)@EFHrWb~b_Vrp?AK3uLE8Tz$Gu?=*j%<&iEAtG?-3w58K|iG`dsDP>(>??Tpd|@ z-pN33_%uJWtI*#3Ii4AitRm%LWVkIE+CqNZoK}{dZ>mzpfp2%9CZxVo-aO8vAvRWq zKygRGd!dlSRr#?4`lOL$V;cD5cWBmp-1*t|DdpvVq`lOwsH*sl%aSFxJmHD4&fL^K zfi37%V6(ZtVoJ$UXZYFO@d`>o7z-yN%Vt-GqctB0?@#85Q}Ux08JK+A z$5+8y6PUR#83^1phgDOr)pc&u3vMgMN_=oZv(E>KqAQ&8tC*XZ@uZ}rCwPf*_ULq6 zS`rOR1W0z9Lq91;Mp`=HIg@-fB+~{!H=kY8h(4{#5q3uJd`eg-u*9IG0Xa4RDf~ko z6d}CkK{_%%I1)W>OFdPECBsoJY5S5PB~k+lH9_JLX;tTKBmWe|1nF%39f{nB`3~ZP ztnIP$573wFDcQ_XTKmyPhKjm-7=Q7u?>;T>F0kDneg)cCZ0kQDJ3i1XntlmH@lYM@ z0?^CLfNm%bH@6PNkuq&ySf~!+j82nzTA zd(N{blES zq8xCcJBCd7IjbrA zU!#%KH}fZY(7=BY>1aI=(exw}+eO^5*G%XLk1Iwy2DwHgN&FfMI zoMHkli)l_k`K<#=*f`vN-6=)b62wUL6g5(+_-rqoJR^^LuOQ#eWfM2 z+tkzB=TyHugswcen$fieN)2zII;h6H6pokqlsL?tG5<0g_hA&_1;U|4*$6<@w8?qP z2q8x~9HJAUZ2OV{A(i+7k!?T%r*i<1^5)H?yoMZO`SBTq7!Pzx>n3teO}*9y7fjG$ zg89RJ!kni`-N%F+(z*eTbS)Q0x5uW2y;bx#|2QC^#DJq>j_Ja0a-3g_dN;@uM-mhh z!wcK$4TA$6yN37gsVry23{S4o=Cf$;@11vcA4^V(cU_s)SpeddY{zMxj=Y;MB7~h9 z1v5Irpl^%O;$?ukb;`*=SD$$2g)t+cbPvElnBR#ZI>CQE-0Vm)pdsolhU;Fa+Lggu z#n!BjD!NeeEOZ!0O99R!0dSH5O!Cwn1-40SYFXuMqr;_996d{;NzsLlPP^8hB6Krk zRiP$A-+-um+<`BVnt*_KZc%99Fa7x)(T+|0%Z~7r#g-0cGkszKKbie}+)8aN>Uiq4 zbW%4gMM3*91I(Z|={T3301ty;I&fmQI%ph+3hKtV%fuAW@xoLP$Yz}8>dsyCAZm-H zh_Sok*kd08Z6v-lBOK}TKM}t8jleAg2)pcOWn_y+vnlT#E*``t{SGRA zTV%anx>vxy5ajQF(8wJCszRf#ElvHo1xqn%&FAUUU>N8_jz{Ofjtvub%Ff@P2|r;3 zH}`DYS6?~UF1Z;;D=z^aD9xzCk0u1Lx9V$!S96SH5wM@|>PVbon%ZlF3Sr0jcA@Fw zQ%JQ9k45{}Ig+lO0iaSq7fA;_@ZR|V5qT00%u;u~E1t^v-EKpB6@B~V>!7nosjmQ% zh@OR|YS@Wll+*As*aJ&l9@TlJi$EP5GPF|I9mP?y1Yn*T=oW)iyW5O>rE6GiZ&#aR z26r)YDtXsmX@qP&tL#b2-NOe)g5t+ru0}dbe6t=7JN1`kjl|-49)x2s>b>3V09k7+ z8NdwOVUQ9-e~Eq*4Bc&-@OgH_8T2pEtW3D}7#JChhzxKZRvwHtmR2+#c9pYQ(j z%Tb5{uPpgf?0$lbn*__%(ElWg6*tT7FK#N@ZBRrATI<6(&l+^y;VFV#d*hLaOZV|h z|8cPqB>k#=sfYJ$u1efxe8gI=?ABr2ofh1|)W@`M(5h5Z4C$`M{f&*!$5HjaS6sncR=m5OsFC zod28S34KgEllATp><#{>^Lw64bQGRT4qYu~)X(mAMEm=LAx8hW4SDUIn*q3m6rQRB zVH$cy#_xNb3bbFr?}?CH^1E|>FVPnWHG?crV{g?-a$$XEbe~|anx|z#RtV2NV~^zI zZCjeqW3TH;5C*!rw|9u1sD4-^Y|D!>=u?WThoLJoF=|&uOaA^`Wb(gWe)k^4r}S>U z2%|@T?|8(T(>Q-(ucM6aBb0~1Lj~qa&jO-t=d8jafyh!B!(t^Zxq(UHuDGIo|Ld2u zFW~I0HnQf}V^}X9W>$=U2tA-G%&j3rH}?;RA=;xNkWFGcMScq1@AP6j{Lt4o5W)Hu zod*`=cxdKRHP(*4kM>UdJ`7_#2_f@*UqFka4YN|v3u&ncpm9SmmJ~Cz1RgzkQdj8H zz>Pjhdp7{Cfe*}N$NSoga3il~Yy`#RG~aMp$?D@(xHqJ?>cV-StLGSD7pN9qC||*Z zdV?cw3TRLLGmXEei3fHC{*$#zHn8WuVcxoR%Vw;Zs_fEmf zU$5TT-i=UUq+D3F-JGLR!wa%Sl0UzH%2_-)4<$Ex>`2V6q5KN|f4ms-p5JKUF8tkw zLqM4Ll=Sw-LR$iyB~K~2yy><+C9RJq}r=Er?|4A1|3Guk*1HbdpTP@KQrc+bR_FTy1qn@7%~_I&)G z7gfH3d8P>ZA^g9;5MifZ58*M~-`pUe%@u{(kaK|V9rwvn%0~TQRJK5{F=tt#s8ZRWq13Wb; z7akB*o$GVekH+94{o6?Xh?8Up?6=YHv3qhGcMHpVOI%74^P$J)|B&3EK#rgvqGzSi zpHa!^1u+;G?NR9eqGPZ87bT7UPfu>puQs3EZUmyghQBO?B@fROD#D=;xvO`nQU8_R z$tpv=*?3TiyDiIi7_6a#FH-yhjtL5JaKY7i2JW&Xg!bye z^v}_bm?S{2FyVjO|nGcf|LJ@#!c=d=6QMFbAlGO@Q>pRrier)t|Y|is6w?JgTd@wkTq=gv0q$!DTScVg#RTik zT2iFm-NAnTWE|iD2x+E-d$f)=aoa zu4zFi`u-iZ<~Z;&O7CB!0<&A4c5q8<&ALO8VX3HCE02GQLj&&`7geKezS5T7GGe*Cnmu3PRK%bw2l?h{j@wNN^XzU`qr z@6WEFZNh|E5As<5K{Mp1zA5MeC9Mh2ZgF-Zr(SwxcCaM8E>cK!s%*<$DYFc>1(iA< ze3{zmBfbrVi1VBIiH@eR_c2`~41x0aR>M#_VGRr?L%DDp`AWT*?yaNS%P-ju_8wVB(dLq=#*Eh%v8`(26; zD|5pM9$TBEV>gCs!)6<0IIAEDu^t7L&-L3mDQKt0D=x)y9A`YrAfARWz!|vK2cbpT z*>_i@q@-*rs2m?^n5;nI!vJ&-k`pk9UZYe?+%RdVJ@bH=hR^FpatXDP!(rbg|3#n; zv+96^LG@HqciZ(#gl6&JdbAQiz`W6u#Enyt1lJye@D(+;kuTCz4PTIWL4aEfnOCr6 zp3;a}QjR=$2;m?--d18Q`^nChb+*XP2Uclh?SG{C*I%>`5L1@!HU|>9H3;$KI4}=& zuT@ZXG-h8F8X9U4y84ps-*cF*uK zS5T3_-Y@g4$ixtbbVU->+|mm%L4)x`F+#q^fY4B8D6vhz)6j%0b0C{Km-<>nHxg`E zVOYD1M~1{-hnlLX1ntgb%2TyL$2}@*&t}*SN7LQ zP0a@t4`ZEIN0luSQSwx}rrUdD`rDK`X{$?AA7*AYg#XVLl!n06A-l4)9J@{N!+|dm z!5bOZf99}cAAklWDw~jm39YC**T;s?21C5#z9>HTUkr+0EzFAyw?nnKTB!X|8gESK zD3`x;-0XaF){9#q9 z6Nawb@Mz`;*O_n;8E=b5O`fs_~P9ns4rtq_LhD~fZ&^+&aX zzpCPaQb?zvda-$D10w6spkr*Pp2?*wh)z{2$%`2J@_NeGfPBzGc0hWLH-$pis6OiE zmj;jSu=upc%6!?YBJsBPJS0~`E+HFm5qD&bot3qE)uY)>Wn=5^9TYSE$dY@wETU%Q zjtJ8XYQ*L{-Fw{Fk$b{Qv(4t+AOU$mtg8tAr;vTNh&zROgx~(>oe3d(jUxrwgmS(4 z4Z;-+I-A$Oq^ai^KoDohn`6~J0dmk7OEMSss0p|@TLW@6X-5)0;0xLV*hpg|MuMk} zo^f;+?$Z-^K5{U`FzL>JZIXDB@I=FeV2D;UZVzNd)Q@oF)YKT-ts2$@2SJVXG=)gd zcrjEKhh34Ph)x-R${uPQt)fnNcahR0J^^Z= zksjR7-Kv!HHz5__hnLs5kCQO4ssAiH^q1#pYqE6>y592~wc4PYXzt$&VUb#e`P{U3 z5|jffpjlU7j;<`G0dh><_WX}b!pgF9wnZ4`&? zn0h7cVDdYMSGXn$%}}@goc)8VES&lI<1TlJc=Z$VPp{GcMv%Tmz3g_1SEv$J>hw9%1ig<9I zs(%%ZSJV+ahyg0e6fTL6K~WAzRBm3Km`AY-?K*bl)K4u`7(`LvuoyXlt;q*dxI^lH{*v}R0%w4 z9a3kuVY>d|o;X+RQ2-Xti{5DA0e?KNd#&80n_*yHE zPiLG7!@#8Y3~4N5>}HeTD997w*o5EgGP#y?I=#5i@ zv(7*jaHZk>7RNN*7T*bR+7nnjC{{x{Z)NF2i;=7`eWx}jtvqso+`Q<{gFYMVXI9S3 zheqw|c(E=EEPUp&L}cm#wqQZ9f%cZ))^mBQaawHKL9Vz4;@meT4e!~;qdt82F^lYs zM6CJ!jw&h2XUnWwrjwLhme)GY=GqGT6?lY%C1cof?Ruu3h`FdkziraJq>HIZEAZh+ z4-s;-T(V554^KCNGn5N*8gs7z(vdPb>8>!GUW0Y%lFnwpIUqO)gUY&|2kc-lA6?>9 zYRoB)l1qC!-c&R-3o`5|_6t&aY%< z%vdH@d#&`QMQ81Dh61{B=ed3fnO7~YM1lL_)Nr+H_JmidVs7Oi@dR|7=Cp}47bw;B z*x=>Xwne%h`~Sd18mrBo9eF^dudko8E~vF@l;d88SmgVk8QjJYdvQW~w|9Vs;;q*y zaaQm0vKUDc;%#~=no&5Gf|7e}{{raGLm3RZy_*?2AVxCSn>(1};#88VEz`{dGo-C= z$0?Jdck9{_KY$%^fzRR6tvGSl~0?l z=2}%MI{<`b_%8(whqha{`(MCREpX4%8eKi}g)oTq#i0{|c9Md?z<*i0W*RivK8z%M z<%FtOn$kKhM4ffi!Xp+foD5Rw9|nd$wgKNS=M~+ zX@1ioB<2mBhOl@BfLxNHCVXH#zD>tP7RlCZ(!P?(B|O3ZRpZ)c)wKu++*?LMx8ufx zbR`{e^YNP-YcB>@@+>-Ttg3;*0qv|mV;#%A*>w%_mmHKli8AdMlTIl~WKBP!i1726 z&rJ<0MPLl$uf9~}jBvStOT?=}xt?HJ>2s8Gs^g$Qic1&VqvI7in< zi%nY{s~Q7*4Fg!rvezmgJz)?Du~x%Kc9CIUPYzWVNI-@AJ`=>;@LuqBnF@A28xn%5 z4!e3wW!qL$IKn)&>h`hN#YM_5v+P->M<1<_<5VDrb|FF+!@$VM7?|{>8zl2CHe~FB z&G_bOkYqbb{v6E zL5tUfRtX-33Fvc6PDs)i+a=;WPokYsXZa~oMA}=A#|QGPI3JNJ)TzR84kW)|zY3@l zi5&I=3T&)%^>O?l=zD&_(y zVW-X5nn1r)BMHWFJP39}p!|3b?fn2tF9g{2T}Sjs)DL{H_yKNGAb=La)yFx{+6jG~5b3y> z@Ph(O?}7*%{(_Jondt?j)h~dko&$}QxSgqh?r52P*gK?w0Z)!1m=Ut~)8}=VPEFdI z-UIxCiwNVDP+B+wwX^$Qfq|>Svs~4dcNz>*tqmm@s%B`KnxYGD`JE|&6#am`p-=dP2II!#b?n-~ z`3vH!b2NwsvyMeI#9pkMZpgkd5gz&Y&-vwV57B{YK}}~Q7iV)N2CT2v+@*;Q{hLCj z7jiZbh!h5)03RP;j6OBfMLZ*pK?8KtW z*AqG0VlNUjJixiT0pNgagDO%o{#-Dgz@>THQpQn{BttdA)Nfg`a4ogh_EhTBqhVe} zOLI?Uuzs)PWd>I8>~F8(EVD@A%^LF)+a%dw2nvQ=Z6#QVwRuLL$EH>dU7e*JN**92 zJIS!I!!OhfuIlIElz`TuUE2=grYR{N!4JspaLR+ zUq~r0JN!USWi>|oX-4+TzJbf}5>8VE!vhYgMl2iZ50FXXmqqOlCw&;2|2AQ zx4JYr093v(B(y6KXAdX87}ANvCF*Nc-W4*jYvu*Qj$A%54BH%`b)jIr3p{fUVzz>$xSCChEt=V znmG{o4v2+kJn^!sMhh&u^BdS6CH<&0S$qY6i7>XS;VffdLMO{fi3KfIF-3=_U7fl= z{3Y@^)a>Uw<_xIozM#C_KmJlZ06D(IHkacLvnp3=>F!^j_bV!WTxPf^+?C|$BvL{& zO{d%0Ob4YP$=H(jLa=h|vpsQ0h{5~3LRU@Bw&C1$JW`nI^Y#fxf{D3Ryy?tBVk=`E!&I>}6j%$Ej`rx@I1HVhr@K z*Q~q1^P^Cp3I8N1mN3KtYRcAXsNELAh99}JOd-i3S`ph(cJdUbhY&YxxrT$v;XMf7 zUSf%RxO~V>Nvm%nfjVb9PmwrdLIj4at~4Zjgw*9QR>a9OHUpA5@mWuoyjI(!(@7a3 zx$Hh~XT(TiF%t+5`zLA3D47aCYo3Etz;SO}{RV`y8QU(b6Drum2OVe9+ z*??U8wQg}&Gk$=!<`nlre5bA;oV`}}$gxygvE#)L*2@*1ph9s?W()yFS7MYZ9*Vqo zzfR$~&kN4(0utW6kv5#iw#$dhbus06%~>yQX;C!2S9%2MNz=fcm3K&6D zfemBR<=r&<4oW|;`=fySmEZvXjV1VU^!CK-ig@K@MWd6H{EeBqVgRGDNFi$)9C{PE z7VjSs}!@2s-Am#X+P*q{0a4v^qDcPKCM@0*4-n!P(veY6^Dt+C>18BJ zxg3viK3t_r7vUWNsN3US5B9=hU0^_2=dEvD$WZ+kVBz z=$jdUemcHXiWNWLiv28rdpFoK^PnAM(OX4`20IY_7_O7luF=Z(8+6ky9%GwcR?6q( zUYGr${n&m`QzWlYKR!Qk^X#CIVIm zNANMuWz!WvU=9LGiwomSc%i!YEjyNMUh~$<(6jn!2QPIlCWPn&Knidqu^yp|LeST4 z)H3SoFVAB;ft{mtEvYa%YBM(u0J4vb8DA<3E%B>C_S0!R{q4ZC$5zqhn~RnJYSKQ! zrgohpg`${C6M}dqTvDUicA)*pw2d;r^I#;AZt@tPy>r=*Iw;zGRjPD-Rt5oX+e>Mi zoq;k~DzzXFOM^C%Te@xBwn+BkVo2_6n(f=u8gE{8yUx|Y3&Re}hXY zdsZa=2edU%D9nE220A-z^OL5LF#l06YqA+~6oMPG*1uj#L~iY2_432C^0-Yf(F3`A zdfS=!yD{Z`DJsu}uQu4w(ev-YF;9uVD&l^GdTG}IWLCJU!jnEgm5Uzt-c`eICix7-K@ zlAL#orWl&g^}N6kOG@&XoF7ZgB+8!-B;;i_U0?nQ9V*`kKFBuofM&&vS(hgP-xN7& z4qBtt;A&$zv*Qp0;hm<-W`hVH9fV9ft)5R5GYR5uFeoW22RikPnLC2sV5|wt#2B-A zL`gfS&INvKQFNLs@hGqR`p?Tt2?+lEIR0S{t#)%|;FNf#pr_=OAQKY)Oxxum1&eOw zTCPQt9yi;zyKv@E<#aWst9}bBmwwF=1jgS-{P8Z{fhLGo9v}dxg@Vw((RU=-4b}3F z?cjE!GeqdJ62K+tn9V!Gj0oUu%tMC`86}Gla+o&1de%3=-I)PLwb*`qe;eyS)jVIc}88Y2)?$ql(=NaEH)RrEX(Ee@-4F8E?9JgM{3}DBNl(g0= zgcqa&hRnT4ITbck6)=+z0BHWF*|6!T{h25D^|m5!oA~Pl)81WOm0@(G;4*mV(llNG zKGyew!`C2woSuMFLYb6vGIW}*#O@N?yzmm&okCgheO?m?Jj5lUKzarn;AXT_*GmP( zS9?z`$HiaXo)YV$)*er!0a*;GtOr5|<^TZk0N?4L#8soZ~oDG!WatG9Fd70{ayh+$_Hur+0+dJrdNemiJDaFCA~ZgHQnhh(7F! ztazCTuH!KXSb>y0+@$%MZ774#@LgE8Jj;v4#gyf`VnZQdV~{O(^3*BA_AI^F`omZg ztcZzU@a_Kb+La88C^Hd_1cdUl$o_d+o#2`(`Lmm(!2t0O%FcxZfLETd6LuMZE1 zHGgnuX2tA6CLKs;)+y}=Dh~+}K6#DA7e`6I9vm4Z^k==67P|7)tdK)O|IcWy;LW@q zzVh?dpNJ7i@7)xn)+sX8Wi(qM^4y$FY58bVQo2+ii(2_E5M2oGHjbo|`($?0F$$#W zmE<7`pdSg45cT58?F7*5-P(`AIJ+Q82wOwaU*wC{o_hNejQyM_qyY%g3%n16=e!`t zpsvIb###24w^^J}-+h}SCY^6g3%^KNt=ZYj{dp6NXgJhX4E_LEk@-e=K<#L!&x^co~4jrbxzR2)!l~LU1FJdj1I6?|C z0n7j|2U(#%Q}$0qvR+@wW`Zt0-k1EfsJ?b@@o1$l;`1edBZ6TszWB;B)Z`a^B+N6G zHU!gSo;T9L{2^NNSB~T{MC@MLFohxAjdwq#_0Prh!V(2Bl>w#hpS%C1Ub@8We3fy?O$%AqG-ycCWi0He0U@)7*s{#I^< zx=rx$<3~v_36(D5($^@bP+9*$o6vqhtc=j7WPeUzkdJ0;06L91hOX=?gYB1mM<&U> zF9oVEAXRz1*r(wSzY?kta%0j*k3QLRn+U|c1k`3AJp;qNzZcTrqGCYu6;qU1qS;>n zVd1l9>*`;ah=O(|6vc--6RE~WYm2x0`mpZSiC}doLP5RFP%VYA+{3Hruryd6gJcxo zZ(SFsGkcBo(TaNRaDWf`RciFlyTjHye-T&^0>4ZGHtQwV#i73-4M`+0>JF1btxQ@) zGnWj5dF3BaEh-pr;6a9O?DkMv$Q?y0D8OJ$l7I5^ujBIC*FUi1vyZ%KUteFH%>Lox=AqkwZ(I<^adLf7mP;5o6K==`<0`w?ETkiGlV9}$7% ze(Sx0gesSzRn5?9%+kA{1hE+%;XgP90pKlBewt;AfX05QS!6jMgBDAM$~qy#W#7MW zGSMEu0v9OuqK~wNg$0pTq|B}rgBySNp`7}=J&YE#p5R!3=sgFka9!nFC#zc4^=vno zW!ij9yho307&+wRDzpQAe&W5GjOay_JjtO-a&iW2+u?va1vWCu^wHjg&$_C4NF-JI zp*VjPN^%FJ=w839q4dt) zMf3!Tuou`r)ey+D+9Y{dGE@^H4@!}&nBXfJrXGj&Sy7$f$(~aLS|0owC0m{rf)2_K zQT%jxQc`*xALc=jyvniW<@3o2js~}XXNY$XI~{L7$l4ft<6_mcM(-o=D!!2OJI%(k z{YE=LX~1*vlB*y97a>G<>8a-hqy{q{M2vAxHSW@r+WM_Rts8bc9*Xvr>;|E~M!HPi zpIV?xNra}uK%3nNmbg8d5MlscY`{phnJt3b053QO%#17eZ0)bLH{Uv>yXJgz6tHFC zcwTZ#5P92DOiH=J8gj{(eg$1`tNIya=;f8)*gZ^VS<S^U2V4% zW;nSSQtk{%jW7|HypKhgRp9UYmtd}nc0=bWC*ZvQ1UZ|Z-y0#b567CHN!H<=GbsY8 z*W;c(9=D5#N7mBf@K>HS#47oG+J*(|yz2F;sU9xtUSajIYRaJOk)&LtT#yA&DS=>; z3PWK-U^d0t_8f3{K}BRW1i{lQpr;l6mt5iGU;@0Kvn}@thi=&?H*)1`YeLhK`vRW< zQhi;_i(Yl87J|LiG2-3^z`v%mzd5ENJ0n`E+m8#IK(cq_Sf&H)dDLg@&3tQ}#iHOW zJ29f7(l3QMolviG1?qo|sNeQFrxruiCBgvitLw}CTWiu@Mi2&v95}Wamj9e8o~YY+ z7Q)UFQITT0iTS|~ezJkx8w_bsqz)_|Y|;Qo71e*R*w#2$%rRj`b^;uA4ln(BGCY;p z$BAeHUI0{tFC$@zMXab9s`G3%V~J^Z zfe_Xz?kTdky($I_sb`qshrYE;AFVl^A=X(W=9Ny?Ag?0^ppeEib?!$GA6gG|A4AA` zt}`LT9Y|ej-4CSoLA1xF`u&3xCy^A_M%nFmU#J>Ka_R@3U3xM&`C^l?;n`ION>P1r z+6gR#2^n<^Y*oqH&M#eX_) z`ixkU31c@DYJq_n@3iH<{O!R|NyNsffyck)*XA}{w9?%mNE)Od-Q6WfcZi@!cXvulNy~Sh&VQVlZx+jiqw?On_jgb1v-dv1 zrtUzj>8)|HeVO|FSK0T3+Uh-1%QHCiv`hgPWsMOwf|J^n4@Tb+QMp&V8!X)7KrinsKiPxihC$%@D0e{-TS96Y5~DHK3=jNWIF8YT!!K6S?2c?|PF%iwEa&Qce7OzMk2X*($1m3{ z|BC74Rw!6uF`H_$b}+Q;&6K;vYcucTQa)#MH`~~8KS+(HMFFpZmIbG!reS-bZ2?pf zkVf39zrU2 z{m^ZNG>M3Jo|u2dF5%C}rzh&S^Vk#GJD?0< z@$lxj__gh|0{)l}6{${3kBcrJEJQxG>Ie1ZZCHX$&BN$Fu}p?6jzy4ga1o$+%j1>B z#%{d?X~`o$ubvTg6HDAGfiV6S138pHPOq#liSPBTS?o_rSt)(y;l+d*kcM_;QQq2+ z+)5a;{^w#CTrH25GPSLb%x>I4|DC&Qpg>$Oe}Dz&B4`~oX0|TYblv7Ms^{fz+vrt! z35MBPwN)SNVlvUkj4?#Sci!u$iT!5WOC)-*?vL$&vF+*1r^P1lh>xL(N1vBXqnE6w)Y2uo^fFgpf6%AL`1_fD z{rcR!Ew3hXJzUU2*rA-h!g1%cInr#O+=9u#m(`cS`Td>H!ENVc{;gbVVfDOzoi&Id z_HK0BK$iSN+Ny}y>ErRW-X%WxnIKjGya1^aMw$e)7rl@IpUy6hTkH=3z1Fzq||C74)DjWQ2Uo4c~a=SBxl+7a#vR{>u48Q|$CO%|(xP3<= zIY_D|M?)}RXJPlw^Q`ec6MF-$kx1|mN$?~(38#^4tzgxpW`B9FgJ;Kr-309f(}*^^ zK(lSNxk9KZXCW9i@CfFg)B7K_epuXNvvK{enDURb1%!Hn8{gC<8#MtvWr2y6&F1#6 zdRa#i1uL+3;Rh#GVT7S(TP0mZ(FEuP$azo=JL7_ZMAK{+ahvb6UQ~}X2Z-a*Wjt4z zR3a$cSreTgtT}BpUw>$u(*Bo`r8m+pzWe5v5C7~vetls7hTV?X`QwS|cB`L@N3Vo| zy0ym6`T19sALNBZA{PJ_=X!sajGvLp?T{vbg9qN8=jAIz>>^ih37N&*>nZV7VtUNn zt!NB_j;jREzg3ATREuD6IG;|pKn5V?!}I!W)+PK6sS9=94kf>kE?y&xGap)f@axun#Oc1mT{WK&5lP4rW*a&CvX8Bn9Q!jWyiZ)frxYkHg@}f0 zoNk!ju}5nZCvOc8-wG%*?|6-;`GhFZX)*eHv;fENfk?w56rdv~7uo(F!F`SS&Q|%< zd^wePJN9Pf5?QuNK|;KD+wiY!;DQb&`1i?Ncjay8JxmcFufLH<^2&EUuT#f0mlqjZ2=Ujjt4<`jx5*2enrIgSZ+BxUqKe&qR^-)*?s1l1u)Sn zPk6OeIZZX8#^3}JWe{jnc^z1b5q)&-ucte{QeGvK#S&6v{1}1<^Tn` zb1~PJ_t(GB!L(cH|GHuW71b}GJV?kBSR1NzP7R64nA^ ztxtyA?fAc55G584yMEuzPal3~^FJ^9p}OHEDSsY?^H2GS9KGN0xjZUlyf7ahbPj{A zvpG^OjEnvrSZGLuTP*k2Z>3fwNSS8C|91=j z#2O-8)k@1m-U73cBCta~y|VWa@#_zN;LsyU-!Iln4TPC~te18*K#g$~mj}#4PGGcc z&_qlUPRIB8eySk^GHhwj*c|1^Z$54Aewv_)zEhoX`>(dJ#RG0Ck?`E#t{DI86#*xr zV3RK+yJvADN2P#lgX9-M8lA`!4nbI@RZQRK}98td^8yV+M)W~Nsfb_ z(Xh3%^nN3bkR0HB*2?MDx3jDOI7b2lrrOcT0b^~vQjt}w#)uhUNouFdkf=ahQN}+e+E#3+HN77C9MREJ1F7uz}IWBFQy?i=mNVU+45edZ`#EJbYD;*1IjW zdY~a=6JNqy%%lJA>Vb@CwNxS6_eY;gqloeb<%Yumamu{DL1d>Z-0vo$(>)A z@#EeM?x|4Gjp&8mOA@BPZ|X~WX#KI-mjC5F{6Jj?`X_eNL1xns;5~-I_Eoi`AM2(A zg`S{ij;p(2C^Nt@=A&%f7XX@d325#XYQ#N;U?{?)Xfyxnkq{4bG4MsA& z96{0=%I9lfn-bMSuPecT`euxVUVQy+H3^`=7^0$I=tHMb22?p?KW~1)!%D zHqR~huQ3^+LKg&KGOq{n65rc(2M@Gd_mq7D7l)`fVpl3pyq92!#zZ35IppjC3c6ko zuPT`HhT>QO1ddz+iA?leI|3{M<*s)#dZilr+HJ=sx{Et)$6N)dx;BLC-^Sg{UqZSV z#T;FTKrLb(7AAj$(nY@Z%xUMMbByk2yu$_Z&3$y#9j@==J@N{Z;reWR?5#sj#Rt{} zw!Ago*4O0OrBlA4k+YNb`cgksDzZ0H(KhukvOQ7GZ=oY{rmpd{>3u$p4jyjkm4^%} zw8JTP-3kagc81Q*C!F1TeJrT=^Y?X_e|@h0unfB?q&y^bm9;LRIM z1Ot-@YXS%7o<)JscYFXf{luZu$D6V0{nCorswG(($lNOGw{`sd(-fX#OmkXL9`M z&pU@~`KjjQBrdnJQn}jx0|FgI?Yul7_d=-TPZmOcS0vpqb?eDBc)$8XX#oABCwLhC z$O2O0SJ)+IXfFiMdyoDgedl%657PyCgy1v4?zo|m2*EK^)%J60%Dt3((Q=nN=Tw5+~m5Et&+)oX#Z_^~>KBqL98OpEKIBCV-0g%czA< zGs1knB^c>gl#6w<6JNDR&zI|aZb6+|K41!_Q&VE#R;CB7J3Ej;`t)E7VFTtl;0>|m zczN%yM}Hbu^{23Q*trQEPl$jHqlom~tcN_`It; zl)u54@Q+fa#RiBTMR8I8>u`S!AB5>KV1CH}ds=-3p#UFNpEgy=cnNkvYOmJ7ZU7im z$k_uq@s(7hgW5JM9+U!?-vQQz&&XBRS*zFF)IdK%RajVPGro7J9;gJ-Zgv>;K(I9i zn>tRD{uY7j3<}ix+;02!Z>vbgp_f6r(WIQ!!-FaeRDD_%P5bb1>o24Vl{WhIOE1WV zL774n+Gzk?Boar&x38q9lMN~z6=`m9WanI*ROQVIl;tWuF zs%b{eAw^m+OaB^G`9&Fq^_4%5Ru{^~Ebuyx!g`QCP`Zmk_XOJ#%YdJGIjG8N=H-(> z`OT+d{s#HmC(g-F+Dg{O%DV(sU2B&!V%r@|&a(DkrkY0!pDP@eP^cdxu{NV~1qH}h zxx;63YZV$|ZEek$3Y!6h9eMV}rWn-PG*Jce+NYP)mfFg}gJaQd&&Kd|u6BK0RH10`xV?^5u zpoSm6&uuQluB{?ui!l6zoR(4HnS#su;HlU`Ypi$RsWx{>gf}e4k~bYvRXjY}$71gw z;2HS1SNk{Ai7YYKK)cV#A6EIVqWbk)FfK9f_B4bQH;S*!(bgEID{BD2-;=fq4OHSl zRGv@c{3i11CZ|rL_VPq^`5FMDB!g>;NLm1JKGZ%EZtRRpm57RofjLu6h{5y#kSvgc z=wP4-I_)iNC?+OC;NUPYzfQV-Jj6%r(E~tij}EK*0&v2@04!}o>LXr0JSpvS#yUCx z`>X{}--H8_N^6?qNvp>B-2{yE0M;wk`y%MLJC4+z>8)(%Ia<~OHC6#)QS@E&7^Go{ zW_#;ast z$Uf7;+&E4tz;a~?2g5~^B~x9bR}KJ5u@8v_GF+=U5{=U@&K+QufX`k5vI2cv4&>9w z&jB~p!TjXNxx0ajg*Y#QU6>K>e%Gpj-dJKmb%8gTa|>FC6DV9|r54E7Zq-@=;j9V(mL1htI&;%NqopBkq}*XfyWwO|)A zPSIbUcXTx;TfW?DK6?~1JysjV{YRo_FPAQv)q2g zGZNOMky{Fc5yMgpjY6nDaJ$WvG+Abo%C zY=r;X0ewz>z^#y=?gvK6uL=2*9UlcT(n}C9XQ5{$WhD-4;b1b7>p=Zf$gSi|fStBK zY5I*T`GN#GH5#hR()hfr0e5w*Oi^snF^OASJBVqQCePY8WE~Qm0(p^|GDUJ4`_e~` zR`yp0+G?Vm-78i|N{x8pF^#tdIuL@Si%yyb34YIeU257_cU{z$%6aU4d0K;Y)B?*% z_-CN|#Xg5(N%NiA{rb-eb0%|{I$2&P8n3$X55bebD5DLz;b0fnI;HQ;s+rcOlHdKt z)S5YCJM-Czt9G^C9l@3dd)<_x<`$-`Z)GGNt*`OACj=JjCZ(NY{`%lsuZ!kjg*5u! zXzBnk(rs2jeZ8d`Q25=1MLo6nk<9_y1k)zUL#6bJZXn(?@r|GoDpWV zs6~Ll!?CUe`Rq&S@dhrMlzo(k+p9UUGE`B0cNduoNSR~ybv-RUv8QK0U1nz_c*byZ zDCGxnC;b^3Aw?Je^KPRuCheOSsWFcux6fnjTq8}x>tRzWl)!d%n>rN}jIL~+iabtb z?Oybe7$qUP?>!PwNY9b==^7)(*ipKadjA(xbdPg?eWiJO?5Mab8xz>yKZhp#&##7u z7{j;{h$;#kCLY`y&*`sT!9=sUfKvP-jORNN0Q=?`&8{CtZV39}9O<}3YLF0GayZ>XIyaymU{{FtrRoB6yKt$%QS!rkI1C_{%LuF$fIJ*_NA`$9Kty6;1smlp&s`)5T&%BA8_g)h zPd>$Qb8;87v)Q_IZIljpo(Z+sKWsGY1@`(Cb6AMFV9=*jSYpY9Y-!@$oomt4%zPU} zf@n{Np0Whl4DjZRb+z;p)e#x1_@}ZvyZIl;b*fko_fjma*8Q>>8_a?t9!r%x-?>UgDUzoPo!r40sg%L$P;zW2GXx zOJliNa!zB{*fo6n%6@)j2;OAX{`jo+{Tp89BIlO{n|WV&{M%?;=&uFLuSS&fDCef) zcPs2mHrf-jTMEgH7poJpJm@7_d0vN5JX))h4ePpHz$(er!F+aO!~gI`;)_%JD%SW_XgFo3xeM7{b^O~4$f*Md)TA+Q zWk>>qfFX^!Pd%Zf)>l5|rk*at!Ee)CRQ(BxngJ$qa^Xs8UkND@qYwo)dV2cz2Bi6s zJJNxBV1x43nerL#R>)yB1qhW}MI{vS5k3`S8VPF{AKPE@;d}!nx5J*p*6rO* z?#>4!TsjTsjzILSz!ss)x~a_)!?}5D2aY9dYej2%pY1Z!Xy+FnNPTtNv5vRt{yt9v!vVG{53i{!MRtvSj4RvETpwd@HD?hi^zUmsW7UhK(smBKAo64O zm_^-qVi|v?=)Ln7)#1s-p(&$H%r3>fSsF8Cd40-JNt?tX^*0v9J`HQ> zl;ce)sdasZ-96vhe%zGO;&5v-Q2X@kC&RV9r$f2ZN_(2kQ{&&A99Y-6oGz2rxqQ_y zW4jkBs&W1xW;i%V=5CZLdE8Zvw<-QE?byhV^ZP4E3pJvCJl)Z>{}M8L{PXKJl}_7z zNo?|tgvfaG8y5K#c9W>tUpBqA)xCV%-GIJ@Ga zugs;j=`*GXJrkjQ_jDz{DWMbNxptMIE{^C=HUj&PJ7=!AEHs32nPtGaTage!1 zxfv9Gf5r8Q`HrliiYP+aFmU0^yC*)Wmp|zCViTgAHBTiM-*O78dq&qbNWd7woqT=q z?4e=7XSJ~C>m@vl*RD(6`drlFjH`XVg){9@l04T|r#W$lY+xYegY-qI9Qjz$?%Q|G z#p>-g?{AhHOT{y)Jl)I+iz;-#C%Cge#c&~`5|deIg=gj(q%Ca!kCzH_mmRO!r5Er! zCjVSBis}k`U^R4T+wc2kbL%myYHwcdL2Q*o0rLrWI1i&o^DaTig_Y{g_;jHYa?d9u z%IQY(#N%0Pr~U8w1B|CUt5gc^+gzb(db&cWtwQxD1(VmJO_PUfJN$#1>bgBm%pCPGdbve*%;u2QN> zDF3d4fcG+jif-LVz7-lMiSf63iMW*KoTDs%EE|oLy-$$g3J-IpjOlq=7fmnwkW#jn zf|6RD607znhT+VMF*>^fNS|1jj%6tkkQ)=VGrez5c?LdX@bQAJQVU3jeVJQM7i->kHMwXrcz5J-{?5cx}C{`IM=#u`!HX3QY+IqvK1@=XTp9s0W)@@@V$Mwp*KQd=(bBT8=v+ z!|2t_E~?bCHot3A^e8})tbptQKYZ4d$5vqA1CDE*8!5t15F@xXPteJ)iYBupyeM5f zw2n$&t4YlC;6+Jtxc@i*j+nj*u3TfD%$RWOFBt@J4-R_x><5b8pGgwZOSlUR`|~Mh zn-n^u^UHBPy>x#)gwuGR?5I>+ZhK)>RGcD(1wlmD$Y$%48j?2UFIQI=+Zq@gVp5=$ z-MeTa*=@HVCh5FjK%sAJlPIL*dqHgR`Fei!a`1BB+gAl0Fz1_Q+gq+@RHpet< z*0R*_g9p7yM-?4~WW)XNxrX0Po8lFZXJ0Bv>|LU8*e$AgQyJgK=CH7uA#sWF?v5MV zKaSxb8goHK-q16me^-p~IFl2gs2l%apS20ed5RB3W<{8=o*wn-PS-uLSjv+R3t7|z z)Pga*Zb!>>J1HGb)=FT6?AKwx_`q6*-CI_iPMJg=4i@~XUA+id+tg+SF^Vpuj|pL1=A&T%+30G$Cuz0&s8Cn< zB32Q18M`o2%VH>>wA6A+s~`m&8;Ew;bvNqc-a)o4QQd@~m?BR{$o^@_cQJr5nzvq5 zBjaIbcFAbSZbHZ+9t!dypOkH24#FjzrKG_ja18jN#Z$1jP>-`ltj`kI%amw7{@R7t zzThgN+8~g{g)}Qwc(O+6i)_yBQx1mvLv-~uAiQl6ns1|l0KJOYWj`Dzt_GZq~1bNt{KM!Q~Ru@^}+j`X1|-WSuDXgoJ$QT zngOFqc@lkxGbpCkVM^GZV@HMwcjMCD2HZLSCxFS~ehAa%uf)mm{7*&a!HtK#OnBmB+6Tn|I4M((%W1DlNQ=k2 zM6PZPoOiWq2Nv^@qBkNg6t`{tgw@9+M!@X-tumz*TjngsV?C=3;NB69hZx<;tm!EP zntf4ZhSE@BLe+M$a+BG1h|(L}UL^hA2$m2_Qm4h|>&2&OU}9m}f77CQ#vWlYM|}0kk}Hha=eJD6-F)NKnWYBo%2vmc#g((&LW#Ez7AHI zh0B+g2M85!{U~)lCX?Ey^}k%x9bND-CXz+!CKY8rBMxq}jmcDl$GK90&;mSBpY*wh zvZ5;FmVW0XBUiJ1I=srOyeHKn=A&pB)(J_3M9vdaYerUu)K6w6xQ!Q54U|zR#FpOE zP?7Ib*{t$EadBa3ZO5GDy!+wl`6I6areDGK@9GO%B0ciP%AX$K*ExAEh@#GYFhjnu zmwDmb{2kN~H(7|}qRG^7B&dceF=a3qJBRc!H&e{`BgoLkd<6M%!M zmrvPo7w@)h2XLy0JqlXC`J!`e&f_aiL-f(0y#_;2k%f9wKBYj&5Fl|%#C*{!*vX1w zy~l`AQR`zH>KYvDUT`r-ART~4<9S{q7=_RDRJ?&!6q=?KhNQ==#H!snb-X?$j4z(T z5oaOxpm%KqSHkyI7>_#F48D*WNoj)OibSPPBkZL~E{iswtW$mbEaSC5Y8`@}7H z+|qt%E<2`LRifWY^}-bvll%;Dd@+_pf()+$0m4n;s{Rzpj4|_KM1&;m%QIv}s)n^z zo^Pa?4xWbh6^TR-dba0Ds9}$y9JgZ*kAbe5=0+n zyop#~ii%L^B1910TIJf}#@jQ?F{Z<@u)X}TWcE!)hblQ&TNbT_dR6_U6jtJeH>x)V z3fu&BM<&~M)+DnpC@6dx_hLGX-Pfk8px(gMP4yCm9B?y zD;a6n-}jG)@|+4izc;@g)p|nS4W?;SD+Tm%wc`W zOKQ_@?)$uH>%odUNX2q;(9hlP;Y##*C33AnhDvC0etp)iT!H>`wRh5?)DK zCeG#4)*X=?$Qf zm1O0PZKHRkRT}XBR0C_+a15^A!2kOg{Dn7p2%?seq&2-46FC=Xkv3*}Z2=BLJ{|ci zt*rzfM{(50nofaxu19tcb*P?&z;rgm-cLYtYK<(l%}j_P+JJg5G|8P{^06Z)W~xa)`+X z7(B~v%4x(m-A9N#=DTY#F41eLPO%h9at{$1*|2P(XBL7h|Dc!J4LD6mMcwGAQutRV zniTGACJJ-k>17}paT<1#DAS&eNET$O_&t}zOiL?ZV`HP=HjAXRzYyA&v*9_;gbUr4A2@V1W@Y>{@~0%z23$I*3-(p=$q|X% zIhrrR2Rlc&fts*TTZ5DBDyrkj(NmR9O~WOH@-jwKSnVG2%48wlka;t>soY<{~o zA-7Y0g3d5Ae|mMTj$KWzm)=h?>UD(!u#E!2>`=d)_s}e44xD?Dpfs&j$VBQ7EeRZ< zH-rc{NYOPlRur!KN34Ad6l?4>jbzr6InCJzYLDsVYBQzN`wD-Mo`^i(dr)k!OI@fKfJ1`h4hU<-Gq%sf|}S#8eX<}dFCvvd6??%IdBb=CCoI56DxcDGRzW~lyj zW;e`c)SJtau|->``m-jY97FS~_GXDo(5Y#q@Y%VlIG2gY7URtLfY(jxosUHY{{SC% z(1-UA@8;-S{NG{t8zgR!7Pc5{>#$nw-e4JAP=%w>qJ}#AJoUoeB14=ro}2Fke?*C@ zl>m4UD)Q(VlZcNV;k)4++gQup6PQnZW<-2qNV!gGz$OJ(ozyQCv|ge;Jq!%Sb~o7x zlD)2GQ=K~CQ_f@G5BJfVUyx{;%Ze`_i6!xMux$?%gc6L%hAbhhKQcwHv8o6?kFiME6^aF)PKOZZ=qD`K>_N3e>BFN_x zH!oe!YA0|ZE#3694~dcYM(^)+o;n3-=p7}1`gxjr+FVuE(#i=?FlPifBOD&%F!Yc@UOBS~-V zv)}F47#jDgKH#^RWY1&~u%~H$BE3H_xXXuG)A>cSxb(9A?*xqebvo!An!?pB9hyG_ zf!~pOn3kM7^!*$-Zw`w7y0I5gXXjHNlK7B0&EwQYEdp*|M4jDYCn74^!(1nCa2uvw zvVoJwFgVT*E|MD!vNNVs>Ul~i@C5UL9ci@R!EEJH0>|}icFphKQs0I66xhAJ$sGv3 z(z(|aWtwTE&_wvio=>9)uJ$g&A_=pZy#2(p6YsT3ov(qSRSZz5Wwidie zlHfs_R|Vc>8}xnE2cyaWed`3+8sk~G*52-Y%S~bt-w(7m#jC=!>kD0pQgJi{%(X6kV{Xo? zZO0>PkM4pjW)$46It-}wm%xM6(w6ixa$M4&jxJJ|weaQr*xQ*STjH8X^^!Xg*GYu* z+K-E9dNc07dVZ>juSPA3uctH}o$Da7W)pzdwrsgz-ys(7$1Lksqa_&gh2h{w{dY>P zrPX_++)svUV1QKnt!$Z?PLZ-ez^yUm+H6XCs@N8;b3|Z~)Klpqyij=~-9_|j+0QXi zQDasF?l-GT)s^0>`n8zeIumqd5bCthtbI0sAw^q7qWI@2mhksj*B0s>y}bJW<~(i4 zInT%Yt!;9buiO*I9){gGGk#R0D?o~#>7FyYbPP*SQz6_}(OF-JWG3rEGNqN7B6%NkckW>1xN# zyRCX+3gxvRT<3h+h?c4`dN=cw<8g&f28b8@URjtxEPxVePN`;IY!M1A7HG_P$AF$t zo2}UA>{7e~`|&M^et`K&JD0@oFfE zEn?sBHg!kBRo+3H4T+Xv$jSvOBk_{8P>5ykZ3{xu#x>ZdSJqK>01Qi0+8{VwK1yH? zdiAP_x6FpGEyaG!t=*laH+JB~V~Zwv2YRI-H+L}+k!~QoNrJza0t0@$`OUpwNM;|p zM&P?lS@)CsDi+i?9=^y&;9+j{(f(}j?};N#X_VejsM3&gjOUl?!9XxL*+(a6&AJkh zao=5Tp4xKXkd$P|8;Z^3k_=1QtajkI-oxrJYUjA7&({6&A;Zf%>c`ct-tiKLqmRY4 z2su<(V<-tZsx5s#tbQ8EwNtL{+keblu4-uUN%@4uA?Wji2?d60WX(J0QMAV-3XCS2 zt~2wA{Z)fOLnSN*={y|AWcWWZyOW`pEe4?UAkJ2ax!R0->E>Y%Z4ofna&v4t_`!{ehl(4gS~v&XdJWjyRc>O z8*SKg=JzE!VhdL~eS{I8)8?i>zRH=>Zw-^z#oMPuY|&9>z{(Egj-eqHi~zluN$mR} zY59H0%_@|7cnL57PloA_2AlC{N%kz2h2(5+x-M8iWjC2QYpV4@V(&$c5S2pvokAG9 zv~mOyeYDGmc@M{Z<1nldu-r^4C#Uz?D)z;}l-oFmz%Te%l~cIZYTIwbiN~?L5bLYS zTe|FjyDqEKQ1cLoJk)^}+fL-D_no@h3j3GJ-s9IgtHa(%h!KhydHnVvqqZ?U>$Hwi zh{Sz|)fdcOB<424+m2RPLC=o~1tZrgvTjOnrkAjEzFZ*wy1Zo3M;g;^>_*xw$~2Vn z0hht}jKn;0#QswxYcgis%CMG8t8Ca8U4>qzdjlUR2y`s?js^jN6(R~Hq=o^>yMM(7Hy<`d; z2l~6Z-T_{dDx$r3m*zqedi`Q&yp*>LcU6F*S7RUKQ|cA>e2<3=6I~4)`HTI-ltOfkg)XgI zMAab2zu7s%HbJ=7fjs`v4||#TBsagonW&j+Z_kXhH24udSVqYcx}z>)wHVZewSF<9 zty!>xIS!wK=2t0g!|(a&ggXdbt-T%;dWeNT8g zlCP?451D6hvCQ8Rwk$KzSE{xX)FPd7x^yjQS6v(xbEN(m$}m-5hWgw41z-Nr62?(X zFG-NOue{?cWEPd zI01p6aO{DlS-UAQkHMTV{X?jda|rP!>{=sS74@Kgi9XV)R+7f#cibi5AdI~g=JO%{ zNhP{Z64FLsw-NJpw+G63356qHE6FBRzII)(Tx5T*RT~5R~OIfZP@U=)(6aG4MH z!^Mji8SjVlh(}N4vyWaf-h@&l2?)$LW!~OkdkIcBdK?RLP~1q%-8(I@&J#gjk|@#R zj1i!^s$j!voDpKvGwB$Np4mhoG65x6q5doBSmRV;5!%&T53k*K zAsy#TV{W!SntsnriHCCI?^g938vDa@sM+n^pUVE!xxdgwEvbeGVM!fmWJ@#AE+(8u zM{caez}4sphmvk8y9}B%QKY-CjQ}n;r8WKb)>g7t9IB`YBjpi-iJD*tyy+0B;_ouR ziMkuS>Ja0})O%`>{tzTlb`sUWF6X72bhcblAN3ykDn{^%+@V?iF;8>#E~QvVi34Rn zw!Dgwkx@(|oA@)zojN_O8$Q@g(b$osP7|{?HD+dJax5v)a351{;O?`kh=C`Fa*hy! zi9Q>959x*9dMc%`@l{Fzhp%`OYGD2eLBlQzW2@`@dQor8Ix~j);)Cnj4yUDSz-5WL zVE1)yXHUsNdgp#>K`)A3JgrF!L=ue^rESA2}bFb&(s?6Q=6C1DV%{gq+P!fLeEoY{e|1C`d*iS%&B2VM)b^a09z9^bvLdorV;7+74D>w6IbGR9fq>hiS+e?5VkArKR7Bl2$GULOV_#vW^ zjtw4h+unoTvFiwJh7B9Oro&v-!e=J(B=ht7SFPP**>t_+m3%EXmYVLkXZVL={5rd! z6o|aX@3%E2)x2{(>CsPSv#vzPc-1Q`DKz2~52Bsk35wmyS9`A!oL^`g#7o_wu|6HL z`=B_3GwJ^MQKugyEPOUi4^-!4zkC@^Qw+~3*{P)19moja^wi{eKh{SO8-|hWwzt}& zV2`YB`q{f>x^vLJJeZI~_IZ5y2NVW?o*j5R`;P)T{wgkh|Ky>9=WD70E@KGNJ zwhz`NE^Cxf{TCG3x9y2VvO}N9r`Mk9m5rZ7vt~#Cijg|B-^uu|eQnc}FVdkn3Q_D2 zw3tdjazR2*gj=x)=cHn4W7fQum*z~@swmC`2@gk2OQ1yctB;oGXpKl`f4n@=`0|zU z$$8CXMcG%*aTBL7y=Tr8jW8Wye}k&5R$UZ#d0120vjDb*Z%4yTJdf;9CiDZub zl>NHc+1!@JQ}1p?HWekmS}%P`#qgA7W)gHobEDLxOZ@LzrQ!syX;-DaR&YDfq-o4T zk`T>;t6G##@Wg8(tF|~Lo2<8#WohUOUN?yhoSm1yo-J9JqExSB%xH9UJO}opnLWgh z|D1ba6I2+g7`(*&?FbNUk^0%YIy z`>O!~ACed2^1z?}_17Q7c%Y}{%>lQR`YP@$qvtskIod}#kM8R}mtZkYYPf=)hR^~1 z3gdt_hQmi#o?Mi5MqI6f+-#h31(P?n;p}wkj6puO!rrIbyukxycQMwIaVs=!cB0(! z7ASxMz+fxDvxTb>nhi7Nr4piI;T(MaO7j1{4P+;PhXheE#Bp?gpYXqbZ6QPrdDg{; z%S+GzQzeEdMP72@hER;K#W3poCwlJE4_?}Q+?p?ZW=1|OiCWGh6ZE>2CkLEGs8Jb2 zHYmS?F&zEVUD$~rdNk}8I}dfO`Bjm)PoLl2l7rm~A1a0D@J&3G$Tp{Pzj*G^0S4W~836vSlP!*EnyY_v>9E@r7w@A4s{1k}o}}Z-d%P z5rkj^Ow7#8tNb2WX;f*S>ASX5kG5v|@)gkBjGkm#wsGHgrck6>Zt(R`>}zf|BR7@rInrjkqr z1!1>_il0Q;xB-vfAIUu78}*yW{|Ai>X8EGiaOUvI$Yg;Qs9>A|XoU$+y7P66w}fyM z2vMBQ(ciffCZEPa z8&$~>NzB*I^kUrLo+J<2_L}o!t4b7x-8lo-d^e`>egu)C`QbA>*lrDAgK0(T*f!C- zzmFSy^W6+}J7@~T07fH4`XwL*Qp#=+e6f3j6tDpUjFwm0NU7eB^)W^8G|vJm1Md+E zMcQ!N8qSv=|1GLy8Xhx}qNmjyg?-QYSdN92-Y~x_1y0u76P31KazDTOh~#d1Wa3~K z=DxnouO;}XHYOA6+T1_;014U;u&jP%ypjWi0|{EsXD-CB>0WG-=i!H^s8@!ZjV%~C zr~y4tI+(tT^GX76C+CQ&|M}sNpHBm|3{7EsmlPGP##7j>tb0Q- zm+-Vo_Yw#!ayVaXH~m#FlJDaT*Sp_?=UB$RMt6Zxsp^r=#!WQmEC09w(?Jcup;`u? z#3WFHrRAu+S7kGKQimGOLLxyC_aOI*_O%EMW)YOSApEqKZ&0znKR|W-c2%^wSzgbK zIo`K6Cu2rlzGS5dqssa?f|4?t5H|JPKZ6Y*-;lg2m`en?Z+{BsMIjREuxXSRzV)BT zVZ-7H{(EUFFI-#%nwy#)!GAgS^bp0U?nIfFh?3K64XRuAfQyZQxzCMj$S30Y1<#pJ z-Z$sMx*Y!b{CF&3^EmI)f8CpebyWfP7iKCmDD<-pJ7W4%4X|($+^>9;a zac0Zi@_W9n>|7volQC>aTlulp1;s}#yeE&ZdMZUEe-8Z5MHUDawz9ed zK`Mio7)>END5>EU#@ltP+lPz6hH{}ANdG{==Os6Ye_dWO6hv{#+*}~(9&^S&-)v=E z0~l#af+I;PjJC3ZIhi$M2nBoI5$?SRAs)37?OOOGx(|?0QM53{**WKWbAG;)Ua4J| z(2V&=Iz$K(4mAP(5X_5M)nA}{DwWNC>HH5^Yr~HM7&hY*_R7x%c95zB-IJvaK-rNNorgsc*HTaq>YpR{JHEh!f|R% zg$tm+y#`xn)Jyj*RtHAv1;t6>9orf)q=#=N@+jcCLhDGUw&wYu6{l za2h`VA+uviw))V0@`cAWM!z@?{TCQ_2Lnwb{ew+5)2<>peJKM_AhD1#p4 z2y&4AVtWgBQh$Jj@Xo%8YvJGbx6TW@u=t4q{aso7k=sEBA z|NP*{x9MSqkv2{K2Jh1t`s?p~I(RSkX#qL`8)|vE9D^mir<0#=%^}aL=PoXf!`h9# znVb6DmXk`cflHY$OvkL6r7f%fMbHeYMH4#t{xAkq<0~Q($--(o{ffI*>wF_)3~Qti z_)Q_LcO?@rkGiB-2sTfH9e0 zDF;G?(L>eD9ZF(5!H*Kr&>%sMx#uqm{O*9s4RLtfe+t-dPR6ICq$qvyx@##b$88c; z%;!7#&)lCD+W_eL@`U50{1`#&svKs*^El#g41^>9@UOZ_13~T)zvi|%5L)#(H$O(u zYWkcYtZcSh9b{42pzSCl50b>gVf^P${B=%rk#V<3)Is3FTt%iTCh7*=ojhfxIo}VU zkA>CG9l&!|-k4(h@tf{5jqeGkT>-?w#$5@5Ic}M)%HN7*_jyZMpicX9>*qC4L5`jZ zg+dSM#xpXv(=DCbIVy~M4_$d3(Y_JE@ub81{&g;Oe983ErQD~i8WllE@m2amFJVS0 zYhA0SyfTYLF-qA##{=GF*G}E0!aMHC-ia244mM=X=DAZXEL8 z2kBz8!!mE!^Mjz1OHgt(BgTE8NVf8@PUs+-=L;F9-If1UqEI_i-?97lsLFXSCr1z_ z^D9p{+P|{MVtamB)b~z$wq3*<6tIp+6z@h!d4RjvLpsw4uPd{z?M#gZd3|LIoAi9K(nfErQ z62Uo&)ZEYh_XoEiw}Q>S$c1j%uu2?253W-0FDw1&%I7aB1iK*aNmoBDH^Tk%_Jzs) z(V5jsd?J{ir2H5xdq!UiA&qdIs2Z8GJ$G@kG)iu`4wdGPN+_(=9xlc%o08*|hPu^u ziJTw)2jKTt5b%I_B&Gy*AAUYQNs!4N%{0F8ynt2{<53apGE&Jgz@i+Ika#cAVzN#K z{5+C?V4fYj3v;DcZ80i|6gLE*BzcVO^X^^d?fR1t0NV`He(ue@W=b6^&z#vG4<*oS z5c=z-ejVI#>1hDnsNHp?Bur}G@jEE(99%kjD5S!5{B4O5M?=`+YC}_3LyknwoN! z#0%}`z_Y6g5K^st*=g-ehuG%?cl*5@)j~>S7~m_OQ!+B5fAjivgJ$asx$AEsM3cv( zLEoZ$)C-SgaN1)?C09XS*_{$jiE{X@<4z8&t@V%>S|V6+l&g z>)O&F5|UDaNJxovmmnR|y+L}@-Hk;f-Jo=Lry`(qcS&zjVbk@k?f>3;&UfyeaTrFy z*}qt8z3=lr!6xjRd^^*mpmgG-Km#);p-n=r!K5|dCnVXAcxEdm$m|VPpHbDu_CR1DXtz0x zxc?U=4)KFAk*N1CFh+d9e5%BwE?bpFd(^1KLw$X6MnfdbbUNgzOjItj4AS4tQG5MT?Dmww?-&lr{Mjy%52pv%&nRKfylVFn-0NHPiZj3`w?9d=?npv_uweE=QuST9fiX#-F7BZsT}ABRgRrESa*zp6Ddj%7<)ci z+*8fT=ZOAWBL2WZ)vF2D81=o_<_u5)n@R@4aqsBl#7%!1kTiK~tsedN8~%4q{@42K zOzn)+59Rhhwjl4VpN+L1R{eoT+xU6wBmNZPo#zSy2|^>lLBf`{v6FWEu-^9b&z7?h z7FJn5KxHqYDR}e}oH6V6$S&Wypyy-swOQlaDLF(fz}Iam61YiA0M?iMBSe0i3-Lfm z;51>QD=gL-VgSOGP}dC- zf17iZ^2;Ld4{;j4hxol07{!_eVjhQIz~C4$Gc05h8fjqxkB?Nh7W?0N1n}Vg`D2V9 zLvayzx|iRO^gL&cV^q3nfM|;X9|TzE0gyTCrKIGfQX66y1UVvXJ8zKw-loo2aT60- za1tsn{uc2%qGN-!Cg0v(Ic&r~;mIK^ANSegJl@}A+gqA`k3i7ZF|0scFMdGl7@T3B znJf@Dl`aT%6{Z%0ih2Gv_69-VMW6*=Ut2RR?Ro%y&>Fd$e?PeuFxGRHgkrzAgAEuC zY}$YeV)z6)*Xdz_z%Pt#dVdwai9Zlu%lw{?u^^_Bmp8G#@)_id=DYhE>4s8&Il3|P znD9bfNvz!5WpF<}h%+}(iNi_%uP06OuCt!&6a2w)`ehVa z(LS^05jPR&bUayuc=l|^efl&6sgu@QnO+tGWpu1`6r~)n;5nOdGBu`Iu}3~SlLaH2 z2?a_|&>~3#0ejwep$6D7&hCXn5*PQ)uMb5!{+P-Oeyk(@Jy?6dKHZVXE_$~mBIJ7_ zc%-xP*^+sEJ-0wmVm{DfiXKhW7{WY<`oCsapq+V*nt!k;S>}JyjV}|*G6B^1;vkau zGf;8`1O6C_6VVVcV&`%M5QP%6Jtt^pHM8n~6qPZ|6!28iPY>cRzqvD>pXj9~H*-F|y%v(^)mWcuwl;`chsP=kYmtw2`@ zM&wTr()YO}e$&?9!(!ZKOTx`wyNUW|(LLZNIh9w+@)WkA?klZMLNGsOWEZEVBJenR zD7q0h+8yg-XCp|S;! zq$>K~b-QAL9Q$5{(sHieP61It(Sz}VhknCrPYt3$zfyMMBRoeJyb(kp;*ELTc{p5U zGgYYc-R~GEjnxhp;k7}{;0nl|0;?u8y{^L!V8$>GxMkaYk*MB|eMEEIR`{AsTCAp# zCM?lU9O2ulCnLj#9*eI4);E0WWZ2}~y)CJXFWbG?Dp6pfc1f4P0-+I0c=mc^+tM4D zYFx3e%9nOCtj24OEH8f<7$+V2-ZMtr?w^GJP!9CH`n(<@k+euqwOHu@aq3GU@? z+4cUBa^*Hu@o%g!`9#x~v}dudHbQ2*_oC(AaQ#;dPr z*z0o>l}BU@-_~_Rmlw(KWt-xj&;1A46TH6nkl5*d2VmcFd{=#U(c2HqIaC2e)Ea~O z{x4)A5FWU&2kI(8;Jp$K$}kxgWy%77F3ZsYna59@hQz_+F%v^_D)#zhxI}k-f&LrF zzG0Ad-B1J`Ac%~1fer`WIac81me2Ntc?-Lxaeo30XGH%yEL}e4y`RLWAoW8Y_}yz( z09z#PXZ3D|wYt!0x)WtWlpHs?kNcR7@NRTWQ`6#-1)8-P)aI>Fx7v_Xn&hr=y;= z8J8ooIj4hClk4XN+>d9={h|cQ^lq=iKiOY|UmX;DX4BJwmkm~Qi~=EQu`O#sgkR01 z2+6KXe=v#HQlnGII{oz51I*kR7YxnX|3LQs9vTq&l{BTa?W;2V$!!HNg9J5DAb+32 zFxmsq*3wuK;P-|A?=*G9Oc2A88neJdfSwsNdo)*Alxqc>SBe?(d=AT68DwJq!rxVA z19V1E*y(A${X*8aRSv2mD>wISX3G z-4;aJytsbyNS~_Hq)F**axgFi1f=vQR_-S9FXZysJLw1PEhJcT?H|Qizr!F+Zc5!U z-fC*X!Td+lgV=@s<4?>R z_|J^mTb)HQK?x&t?s#II+G^S0jLR9Hgc1_@bI99i=6E_;8*)s%!OrxhWFf&? zg$H*}ur!KGe4wo4^dJlrXZD~LgFpU1j(BI(Ak`ABvAo?s#q1Srr{tjP6qA8tXZ+nG z@GDhT03Egf?6k6)z|uMQmqOA^#okvN`-MgckiwYfwAM5FX4RNeT7D|*LY^?%GBLM4*c*rmUv~!{rDL-wvqeN_^n5)z1+MkPOmYL? z+Rt96(;Pq8%3WJ7P zsS%pt`=<&Q#B9CXDFLL#F`Q3iU^eo8d}z5X1!R%us>j*Z}7~0jj+Kq z*qn#~{4Vv#i>q_BJM@!%-iS3TQXH-Im&pE2mBZVd|JPwDj!R1ug~1n>l}jb!%?;3z z_3Wk3EdSh-C`_QPkZF=d_;D4_0p7-Vagd6@9G!NBg7H=~8|#kYAX98DO`o?oEs%s` zluf@OLp4yM0gR)r$b4`(a+`d|)ILPsN0c{#;sC~o?+0e*D6pP=efVt{FHk?rfFm3U!_Qy+ui*N+0NL zD>OXAe=##QwnBUGg`WTQqi(~tl=~H!S5M2o7axJf)RnrWEsyw9mG;cwPOWMgkJvh~ z!3bxb9;*?%@?uNUX}Z|3$q%bAl~y_WCS~Ytro92fTkm(1bOFn?<|Ga09-kVUX zLZ*U+0o_>equh_=+Prjgqr|O3nT4@vZ-1-fk6klh4e&2E3k|M@_7k zE;}Mle>PL;x}RQG*4gQquYRk4XSiE0o%tCwudivd!j)dWEYzK?w$^()Ea?zgyWF%S zkG}SQ9rgIKafmX02ZN<(CNSXI_xexo_yRidKi!-&Nf0iT;0Or2lexRSVlNZ*ioN}n zhHhA_Ijoy8VCJBF)F?$%=d>nG@F_kgFa)6i+pFQz%b1;zuv3l_UIoa4T%tlBJ zNFRCv-hM(MfBJF*ZRWYr){q82O;)&`4A+tr%_lUlzHf~)D%zf+N+QxT^0{$!A2$z#SLdFSZfa)?ryi)pz zajP{apI!Ohcwa^s5wu@tcmC9d04Di8<;VA~yvG^BHi!mJUs5J4K^Ifs*IT`*xKH&l z>;P>U8WQaet9zWGdV(={bBNUBFfJAhq}m4cq;Fy<>;?4uTEtpO*j` zUhEy+mOYC2*!zJE@^V$sJz;CV+a{c3bj?@vW~zqqq6#}PD*5g1gyoz@o9q@OAmhM* zaYw+5)9$0}!`?b<9G)FeNBfcxWN7v~EG))~?#ztpFmk2r$GtLbjmbRj@}93v-1>dB z7n;JQUX|9pL2v{in=Pkma~l?+!|V6d_spl9oR6aI`M(;~S*aD^xdBr?YVVC8TT2it zHzV}k1B1zXs0Q-JKr$)qBWPEw8lzxYeyqMl8y0)WD0kNkVhOmrRXH`9prODSoc6^V zUV-%blq8rw zni`g`E7dW)VzC8QMaDJos%UfAs6`sl+P$PSHw?w=c<2#f)D#mJo~@Slmyi8^#*s1&+IW)MT7r2HGgEF zen+bWu5q;hM$&WKeo;`_n8>^+Yfm3Wb; zSQP&c=+|`~!1uMDt7TdQ%U=TwuRZpd`{#%-3cdD}nXBH8r)9Jgm`-mneHz!ktzvma zGg$!vx*XHx!#t0&7v4|_|7O4$tz(C--F88-_qzp^bKJw!>tLQ?l=v7)&y73RGA~oYI?z6T9L^lhZ8xXPPIiE>ff;BhKo8exfI%ceGVV&Zu~plnHNr zcx2POU$y`KM$zND1EN7Z@c}WQtcg0 zuf3@^iuUQx#Vr{r=Tvc+kDYt24XIuzc>+ zlPvl8vR>V9dT9Qm<*p79Cz`in*QpGAZq%*_M5+Zq^=>A^SE+*UND-947^TjwpQHd_ zE~T5mgZhlmZ~iHb8wg|4+G%5Axu4xp3V!E%N8ad{RX!)->)T2o75ZX_=*GujP)O047+m;l^9ESX5js+?$D5E!N*3vE^jRCn zZW1FQ58>knosqk9#wH0z(7j}m>mpsx&F)I^Gtp_KW=uKOKsq`byhb-W-j=W{DO`CNBw(<1IHmtPT$^qKgg&BTix zHjz|1oy1__Ys92%BIX_are~F|3weVD4~|i@264Zq7NwYS^pu<&1;5FKvt%G`g7EpJ*Ld+!J zF6?jlEy1s^_}El7j)B=P=j1G|QCsd(#7QDP=EGz9Nl2SoUWUZ4hi>UYJC8Xu9{e+h z`#0RPIx6rw`2^TB7E;#$yVo?r3mLqJ0M_V?!?fx}AtSWk@f!QotpoPn)&y~oY8vr5 zO>8al8zsL>#G(ht+ZIQNC!3f0O8MpAgRwBK@W}InSV~hlBf4+RCE68g55zRtnWDhd zOB~q4=K*(d!Jn)20v))=gL97Ux{T9sTAGD=JBq)~2-}tRi-H?~KIQQKxo-8_+nY0^ z=5Iqp2)YLV=W1p~_NYI3!vsCB#;*QYogG$ z$!8cy1(@lkqr(Uu2{1o~1C4db;pc^T+?lLbOnyqpv@+0B|Hbw$V`q=1BaJdoC!i#c z5E#syxQOd0v3r**msZbC-?l`!m!6tr_}0}nG-9GggT?_;Y${{MQ)?`u}UejplE zyQ56`lLyB28m2l zwTiBr{{yo(zs@n5=ZFqPA8CbK2&cz0Yl;6%DE?UA%EX!%w#4lmLHwT$(Soco^}LXb zjEw%Cgnhc}!NM#ckI}@WVU>!0a#aVlTkynZ$qx&{L~t+z2CqgS7WXO<1;8n_aTQBu z$etFw|EMRGPHV4PAn+=*1O=JtO6r}GG{pJo^r$DldIWazdH(8t=$MbX1m8)cV|_~wrbNGCoe`ox!$_CUWM{Nna3 ziF?&cm@@k4*6(G3{=~_5*v~y>bL9#~w_xo2T+0^sV}`aGTe3*&#c+=%}t_5~hg`neh3B7yVXio4Y&7!QNcms^|YIj*JTte1gYM(N( z4B;t9$U7{L&yB_uy3|>x*H^OItz#eq-7w>jNe~heZo_eWLgJy73K?oxP<1p+FPsLCUPo_`=36>%xG)o-q}45_R3ODl}q zH!ct2z$oUK>ICSp6Rx6L1Q|>ywLd%!issrKBf!tA6D{-OZ)q!O^7Qs0^$OHqtr%ZS z@9EW|{1{6vh34sJub5_LqxcL3!EEh`ci&y<&ONItb81+rHIX@QAwohfr^Eko@QOAn zHr@xD^tr3~xV=pYU^h%+J(u%|T@3pEs!xxG2N(o312mPKRjeS#Cs#S_HA7ic=!gt< zt}-O_*9GB3vq@pMh5BiJ?z9c_O%(xe{jbY_sz&+V-rcFOftxDq zGfYH%dA=F_))PY6>>0X~^t>#wX1AlUk$|r59MJQ{?zk3P#Y520TF!VD;>|YtZp?h{-p^B z2q0jj!AjXlf=sFJIv?{6O*IWNb-Nmh@HCjV;c1fHZO9_~vpyo&;(Yk(CyIP~{)D4I zbr-K7{eff!J0y4NqYf+_pdr`keagKRLiM}4-Y-}q?ql%Z;cI2-)otgYVMi=KyPd0> ze@WvOw;aNCy3aS);2s@Iyt>ZK;w#3sGSMuEYt$~412+2#-#xm?T3bxFLXDJz61{hN zj`ziPUtk+sCqDb7LEeDyV`x!JS&S*22i8)vB0FUM&%X6Wb>-#UG#&Hn9iGt?4C?zF z5y@RjdWox0UJc3bjJdw2WY@>5&aWZU6yfsg3p>tn|7l$C-rVpIU#JDJdWZxykpI`j zqw-ZYNQ0wG+|sVlyZ!YXxd@C`=H^h%X<|w+(|I!HHz`n?tns&5G0mO^tzA#pAkWVz zXq4(ad~Q4I$y#ZnfDAanT-v5ZqUO=!J1>^gV~M<1N!;Sb)6LBHjI~ivF&l#eg+D`< zzv3*-P{=K#Y@TJXoQCs)&2vGa^Ez|#(A39gfSOS9j!r1!?S~I6pW@q^1=N{+<)X#=Rnw;S1#28EcXA5?n(>?;Bmst@`3K-SB`;4jnJY&aJ8{}1kZBw= z4I0JQwAdd^&kwU_2dW*My=ODPtk>Ni=E&QYS)K)$79zSGqJBS_lIipJ=M{|HV79rv z`o3^X!{)~oQ=vkd%YsGYbMnls7ttchYXXal2w{uCmyMIH6aCP>Jo)rukRujMUK6)a z=)SMn%sKhu&V%)`Ix}wtd5DVLh?@HT8|_MU?ea(S&8E`nZ|>&W6nNNzOM`GYPv>)m zqH|mic(bVE&h|b#0rSR#<1NGBFTTIB73Glut5U$K*+FZMv-S-a|Tjh<}Ew z&n{Qu2Lgc-AXkxnnuVy#AL~e+ey(q#0iRTG`w@!#y?S1E@23!pla)~R(&lxf1t6-2}dqqC#ssHRo)lQ zx?&#xIHS|n#Ie{nU5uxA9nNriFbF-5Mb!?vMS35uX;K}MRuvSI@>XiPz@vU?v9|3h z{)JK>y}7Y2<2&xD{l+W)_5tYA4iHu1-9V)FET;I#Cr3~$MlW0}ME`%B8lc$yeHa3a z&V(C;E0MoPYXSL|3zVs zgFifM>`|fK`JGE`car=9EhvJ(6J)JfU7hB_@uP*0FhxL;9B*2ztAXIaaq|Opkg%2%Q& zsDDL||Kl0bvE@C+pZ!)`GtWs0MwHdc54^?21Dz?7h`eLNMm1rb28+W3^^DNHT5;>2 zqdBgZ@(&W2bw1uMB&^%g?T7O-JuOugp?8X?fK4KSKk?6`tYTtzX+|$af`Zrr z>#tt}#yXCjrYR>J2aBm2?0Cq@7aFTLvObY{Q1y143%>}@xevUgRQKoqIF-tMeides zTVkC?gJGWu<=N>&EGQ>h2Eno?MJErnzEv}Ka}G@xQEg_+1v3C!#r1$rzBgC(<(bTtCvRUMCkO~DKKT!*4Tz#PKED%@5Z8pfhI1VV&q*Tzv=ePuI07Evxm1< zK@+VZ7)=KvpWvc2~i9+2DVw9$rdQDXuy-3I2-K$!4jmA1x4be$JQ$D_Wp3c`8 zkIkx>QKD6IAl;m}=thY!QGiR1-Log>{`gHX%CDzyoy>2bwBN94@9*Pz@>0~&WaAGZ z$>jHpetp`F3PT4nj-LNDUDK69NdDZ}prQQMFAS0*&P9VWOOR0Og@5DKkY_4jj(&qcDac8J8&3KTSBt!t1PrxT_ zN&DnU5F)=&QS%>NYZAWWJ8}61LH$~*&yZN<;k0kd)6tJh^rs!MV!3_Zd}YGJ4@1%5 zQU07b>RG5|M-KdzUNIUJ0E0j2((oU;iI3V4zO{R=L zn+u=!uph_MSEuYgI=Xn>^o%lh@6Stt|G!E@4A$dN!;Ywvf`WpGC@5^I-eKmFTaFFQ zeUV`OpSv6w_yK>!{{Cv=NP~mXT#E<0-9qChcc(tkZ>o*8G`ln+h%o@xZ*n2E0>jQu z+#oP5%K!xVH^=DpCk&u?1Hr1#bxBSCI!!uL0z%jQ*I*UNscq-=(zEyCd`F`q?|j}O z7&-SL~4?NVO)nSwO?mW{jrP=>@vhh9=ZVWWpOuBsri^*B-4(xypHlyR-tB8zU z$FR3hluClG!e_l5yV$tKFI}^igd5;L(g~qkYJW96m}Xfe_$i}x;bHlnx>g1?Lb1>A zkW-v;7?eh ze)1aYFR=THMg&*wQg9Q<WSFWx@(+2g1nmHFvprNQuaCsEN!Z>%>z&#uW~^y-oYFswR~3*g|5uXoM zpTtym2BCqPL=ohtIn%#-^{Pk93ktPHN-kUrHrU=m6>kDS3Lf?8nV0KdE{rGF*c`ShfM2O!oI5*1r zhsx7Fg#{hDjJG-GNdZ>v2xjmYNXv}%@A-q5k;dnc59}fI*&54nLH{pYoSd=i=!)QqCOLMO z+Jt`2WQ4*`mlrm{@c{EZQlC1C_W@a(110K%>_8ypC~rF`R*H_nC?aB4{!BRxoKkrr z*L0_U)_R#T)pg?6(`cQ2zpGYhS3q!^lIOp*o)N?h(`H0Ti!!d?FhS1&Crd7Em01w5 zO2X*okdU^pK3*LF^kWhogm_T=^eE2(!QKykx`n*;(wCVx1}Y@L6G;r@LS}06PqZPq zm{&09epm#4X~gE*%t)mp<1`CHifCo zH;f(%d5kQkpH|o!k1fCXb?tF>T4Tv7rDVvTpgVef5t*NtVbpM#EkYWbUQ)gwn{A(t z%lomyJnemaUSk>`lm%OxpjtNOZf(j=dKsNZ{$VuPyOd<76DM1s{$W$T^||C#_cxhR z1Xv}GkYfU!Tu7tX4su4bbGJn_ea5f*xBAChj~AJ~zdIDtJ}HubaTYHFc!@HyT`@A? zJScdUstg$$#qVex%;kpEzQ`3aQh6hIjs|b8zDcB2x_CVS41?=?U#|Wgu>ju-qy;V{ zH{dpLu<~VXY`*vlH*zXu2i)Dt1HbMFDxt)0GvDq)88ctJm2SQPjtND&P7sizOowp0 z2i~%}WQ2s0ewXmkv=IUSqu2Jx@V(hMUfUVt_y(Klq2#0#mg}b*F;66|R=^J3INR7o+pCV@nmxGJ^78vdxy?O+EdG8(h(5r7 zIpBP1kO)6c|9^Fi0_|QgpPUieqe6Aoo)eSBh}rz6s65ah-3&nA4!}Qkckv8 zvMXHjCz-?444A@v@pI(6+N?-i9jO9E^HkfMsbI;C2elN+xUx<_?er-~?CVqFTU>|i zbChM7gEPx55sHrpsL1f5ng&!#`<~4kazP4RLhCOT%V4Cv7@i_cql9!Lw%qRLb3D@d z631%7m0l=7;@xv%lf(Eb z%{~Ab02?YSTp#`IZDxlE=;dX>idCvCN7vY@>*H#g2bmWGqRo4AHWfU&dmuf-6uEj! zm(Pw*htKqcOD`nsgq*g`_;+dg@**i4W1++fK$5t%F1^Ym*2op}rxm;hvv+Gnes`iU zj4ZTuDDS!@LI|y4YB=1JHgOU}iywYHiKFu7f;}KMXpUf7A1vFB?0nVd9+aTQY07 znM(R(Q6_d}PVRFt7)jnAuUTTYTvfBNvFA4HH)X56Y^URZt6pyWq=~l5-5n2B6_9Pz z`*o`>j{VNyX?Phs_N)@h;GQv;Pl~8VwWv?OZU>>S3}UYj4h4(=WVJBeH+mZ*ya~jkfD?;iFgY%pMgAMb0%@HMfWXX+rmq z|LY4rGm=q&@l?AN2@`Ve%adY92z-MIwo)b48R*TdN z`oLSRBt8smZIC32ne zvg(9aQYba>%kPWaEAkawK;OYg&c9A2o0)Muzcp&ifI~OE;^r}aCX9nSP5?nGy%(4S z@%~vl6-a*=@tJ%eciQ$K+hfraa0579HWlNjG%7lpU16)D?^=OJ+?ODe)Q7d;RQf{3 zapFB>4^%`oj9$_-J7^2j9ptZPXZqge&VE6#lHmlMpWc_`Z5` z3rrRA?DA$+hr*bC>H;HgPxpEmw_obRV!rndh{=PtM)|&9Of8MD7>m<9O z^nv~COYUrCLra}mvqdCvrzU3w(cQYJ8cv3cT7Sktdu)xYg_|FH!@ZQdHH)~}3cv5K zyHjfyP$aOh+|{?k;S~bQy7c!0lITiGGh2vjs%v>lUPIoyZ9lUs-A&c8CF>yk{^h=@ z^nYi);vW zsZUPOvzIg`D7>INgP1E+lzHamd(}3nZsHDKpdbnm=96imGcpEE%@ao<=BDYxbp_(8 zl%Jcq^uOWK5Is9U0<{3pEdhk<74$u78`fvt6z&&&_Nkxx?8%=w&D%AkP!M^ygMuc_ zWqucEvTTvN;OJQ`u*jMI=Pd(IuOgPV8`onMazT61Bd&nAGbm?AK9VD$mf9_m;U*;X zNHTKYR!;A+ibJB+_z^iY;m7#2bQ=02sCcTss0MHsf=h!ardE^SCD%4@5I((N=04`t zV%~6f>V$l84O(a~R2kTAAz$;b(4lbLLo?u8cLao5X%8q*y@0sfKCVnr;cyiHM_8bR z?Z};E>WQ+#A#^1$v3cU|X$llo)?7N=?jdG+pue&eucDoUzQh6)O%`^ypTMGGxiNC@ zXM`x<<=NrkL(06bI(qrqT#u|f8x7}FDmcLP(5r}?#1Bh|+`z|`dt`B5OxxURTN<&U zXlozqJOVkDyeRxZ@U#E)Hcf_8T5EwmBr|JiR#4RiJKY z;5?k|NV2};-Yq=H`8rMhJ8qNQS&Ml|ysNe{`^JI$40RznuA(_d-p!GVJ9_k8Ms0h} zWOn8>OU7t{*3w_7rs~X|lxTQgynLtBR2}9YFFL)v|G2g<3AUDe;c4P{SJqU zr5b%+-2fF4d%q!QN}J%+R=v=VlF)=%NAT%>+V1vC$tcq)DC~L!9a;A6(uxpZxS|AGr1{ZD?1Fhs-vVmgm`R_+Tpm-rFcX<5m=)xkmc-Y?sq9ESC2<2sJL)x|{r^($otDPvQ z2h_+P@pB3+gosGK0rylniT-Jr5*OQ3)8)W%8U_!?_{4;fK$gXx#mCjRRzeK8?`0i@6+{YCamXOrQ zUCl6(VARaOvd^xsd%JcK5neRDB@u$2l9o-5pT{RZ>9{vjb!x#t)Ax9bN2>`pMUAradAbr8CsZBsy<3(+ zm?#5wZ%(wRHSgq}1(0=f%rfoyf!&q``I4)EkNxCL$C;J*J9JFSn!Yr%3Cx&2*^eif zs4_s_KZ;6amBNqna%wMhX`0B}LdYjx*(N_1o@y~QvG;mzwJdEE7_{a83^c=FvoVgb z;Fw@dnuE7OdD!|3rlrWG^0MBXg11}HCOZ*b)+Xy@Zlk!Qob$uagNwQVa$|E085mEH z#kXoMVw-z~=(RRIJ+(_M+@1;{G5ageaA+rONUu`mP`-mIPc)87AtbkUp&CLuD_#Eq zJ#JPhq>0BR31a!Dn_B+|NZLF_{GXvq2T%9|=7 z$Hj;Mz8GdYaR+qktP^C6W6-&vQ#3|=oPd39H3cQ1ZxI2sH$Dz2&%_hEu3P|Q z(No%SvB59IAM^Pv*sI&~_7=IHCJFtJuaUJ|ZeN^bHMl%<-5z+GVW(ip;}dVO^Lr9r zH<3lvlILMMxAfi;mGf!#q3-2z0X;9zxoXV-^mXA4WOG*sibi%mmuL>6%XN^1R^%#F z;Wdjb(0kDtH)>om)=drY)GL=)AyGVqy;SEpU(xh9huiJPA{1dfY_O7Pg%ociKTaLVaPw7>iAA9P$wt8zov0CMCiTH_AwxBZ@r8)FUB0|q?od4i$XK!138-^hn~;@h+mV!IV5m9MkIb(V**>pcr6QmyQ)* z2n%u>BL5Uuc`7(_2ZGXFZTw<1bCj!6^K9w@Xjj{96TAbQ)N1$qY?erJb)_v2)W zG&m~#LZnXdr37reP}LPTRrLwJIr4m*GKOqZhYo4PlTEB12?2)xF8=>%13GnsYVGH2 zNQ#_wWsm(%e<&gzRVH$3kSv#|`2;ur3NQ$A?+(fRNox_=Uk2DXaokM4YUzy(#-dS{$@a?Do7% zH!r2U_F7AtzOfc{1gN7;PRBXlg2~WFmxxkD1cz{OvGvL!Np>RR+vmG>!3ugjF+d5l zOjwGU%x(t%+t0ith;<+O9KD3^&7Ob|XOMUd>U|Q{XQT#>L0(o~Ol)5Z@NmQx*~MvP z7k^b^(l|8M@EGz(<#-cj6woc2uC{6rjqYNhX-m{_}wTYgs)*Wt>$H;>~)$sw&mG(EsT>v;FY=0`&I> zGgV!z&eUB?J^oYo3gM|jS3!^Y+BTP_e1y)Fx`3+7CqDhp($w@d5J35{4NY(wk=b60 zi1WjjwTpuB&^a_c~NB;o@p+Fa~(eL2O7=4@gu>AGs;9iR* zT{aOdP7uv4@I2dSp>m$2q}G77KCVF7@*W&Fs=3ly)2mQvUWe|@0H#!Wr+>-Vx6fR& z?Td#tUms!8p9X*KJOQ*AJ$gw0muq{^kG<5lWUt=mT$?^O9bD&1y%Z6=%-5R{_6#hv-PfxKyxuQx2f?T6R0#sl zL1@FNPB=Z$dh!%#^#$^NbARm1%BR1yZ#&TvI9qVpxY)|#BjetGpptqb7gEaIl_$o= zV!l!B0$WMyx~JIS)p>>tcBH}Ue7mR< z`c@rVFPC1qOan{F$E#%*La97SOj?_Bja(MQ=DBR%#CB)T@ zLd9(G><=1ZMZ+jWGWEZ3h4hCb_n2<-t6S`rT4%3=mTyfHeW<|B1soAjuLr%I&nqoq z2t89)fdad@yumT0v5M3tl;_H=8m_h)N*1ppC(BXWn zod>QsJ7zZ3NocDALR;+m^`+Z&u@E6BuL;icsRt3Diu-l2$bB4-9!w?XzfkI&w0W{L zB~no#0sOTW!UvoP2nd7|Il#O5nRtX<&x*mgEiu!^56fYB^r;$az;-}ypIpMFdEbxr zCz58nUr}Ovy$_4^YIVM&O3x~fJG72wu9F2N6D3z$CvY7A$pZiQ*JP03{iv9d5D9T% z|NZ4RL7`Sz>NEj|IaTd|h6QIut{^6Oxc88f0y|P*ttcAS6NSG7`(}T_IVqsJA~^7g zL`YF=aZ^~E!NK2XaaqVBtGsri^U4FkZw0&qAPlx!H! zQfG6@-H2Ru5c6Vp+Grr^!x z`>%uT1hqkCYn^Ci?AH^|$>!M0&2p~x!o(G^(?R9ju2a+VXq&V%mCxa^Ms&@^X0SIo zZq)zx;(o6WtRV1VJ_379H}8WSnR`Kj_pL@k#rA;+{%mHz@N~%Zl^|DWXy}lhANx4x z3o;(I4G)muWyy8Mk^W8qaJ+H$6SayYeA;e&S2~eK$Gk5`V6W?qPsMT`s0Qfq8T;}q zsu)@N&6s~$n1@+@vA8{74QDso=t~$Y)?~4)TZ*r9SQW%h`TKM~3Lv#fj}Vm3!J9XV z3NoD^_@W62uox10+nFRCPZGF+oEi5r5uql>UoWF~<7#ZG`G`LrH&~5+gM9}^^y$#U zP;H1;x6dc8irMPD)8)I{=}g6wYXJME2C~+5z{eES%Pf&VHCNDCHx1c!9msgst@{I% zcQp7t$j5vRv5PXwmI56+#U<4S zj%e_&=L93wOu#YgtgcTt(Zo;40rY7@txGRTA#KfEhlf(297tEWOjqLK_QZ%rTq-a)hP z0J7a6kE;2)3%Imt{W)pMpMBu~`i?D6y`JZ<+3>ffcOQsE)gz$G-@m%l-5dZtAr|s` zLK07e&Rt*w0p+1S^P!fiz^h{|r=r})ZT!8I2(}wc_8^d+7JB0|Svy%`K7Q->Yf{1+ z>;Ra#PhV^nWTn@ostV3T-YYW3cJcl9H7vdo0bV>UvzXOh6aZJTA;Kp5$_-n_giDvC z<^eCTrX4`0u`w|#16M*$<4Sy9sQ%W{!Ej`KkQ2lP>}MQtD}p$*4V>O_Q5R#iA?cJG z2yDR-B^4b#y}v4+mI0hxoap+AAFg}ddJSf$9%#tkecbzi@?UuJF-zR#u!m$Z(+9j;h zKRUlmr8{!f3Y4iVm4LEZk!BRQ2oCauqT|B6JuZyc>I(ACYbOlc^=XDG^3WEM48SBe z_h)HdkU9vkNd#ona7at;bnQY5x)^l)5A0+bn8;YMih_cijN2+E9r)+vOC{OoAPsr@ z$pZNH$3xHGUon&{qcen=REBP!I}0kSJQSzNNAsU+ekBU2`t}Inf;$JiE?x1EbAy!! zu>Nhw1c$;nD4KvZYE{?uC-SF=D(W>d7})dh^#k*uRVUfDC;4RQaEsJM;B&=@nBIt_ z6hQ+r3M%~$n2~&3Dy>ViK%Yn}JJ4!$d}FB<@{L=+TW(kSRi$3`)nWUmQofkU zo|e1RAl95QAySCvXRdWnAFBaCjU7Z#xF^mM>RtY5|D4m$J>H8(YG7QkNrpHEXx^iR zk+3m~c*B3=SJudTu_{__0!+_i%6eoRn2$+`<0%r$fe^Q&->b%~qi?W8Lore?q zlr-3cLHu`MoU|S#bl^DDZZ%5lbvkP~c#@FVJr14;Mg2bH7LmFaluY_a_}KOR z>vtnIX$DQsXp3*}6=f5;fDQa#N0|6ZZD7ScCPPUQCjXbCZ+rLPNl6Q``dbx~J z1bD}dQjO$pO$=ZiL`bCU_u4fqG5`ZiNB40WR>ORw+_MLbots5K zwOY4!xxp-IFpT=r7Y$Q@!qSvB=Eehq1)2o6%m>s2=SfX%IWRxV(7Ccn6HY zE*FL%+c&clz&ykY1iAR4Ut1L!47PJSED3w>`XZiy!Rcx>af9?H$zk_0JN4~kqskYE{;=?f;5mOrn*BZ2U-%5ap zEx{ydX57+e&d+ubH(QtRplR#z*{Y(-F7;~N#2he`X9bB0#Wi<`?VEZ@$${4zs}qO~ zyesa*T9=F`(sEKW-hffAvJrQGmS}6*lGH?OaJxJz#P4Jh0a*JS5=>l(pBjZE!Y$w+ zAYmV_%VqDGL_Risdv|+yH=v|z6l4SpH)Fv@BlW!F+PNxZ4Xzsi8MD5`7zHTiv$9E6 znZLUkClbz&(Fc(*o*UaAR%u{>nBNlVUk-&D59)z)R5~t0T%ivd7{6GX8;<@6b|Q|L zWja=tk9RIc3{}hn2E_Bh{c0C~k@`jM8F}itdWU6u`CrhLINtrWFfMv)?#_9tTytLj z<7mNc$pA*fcHbsj;M-ZOQAB%b{@BB~#)sMi>*bkqKG?rnQQ;nOAavHq|NIxm|D)@x zuVn-!6j2F51e9(Cl!ie;5RmRhX%Hzvnh{J?x>Hi5qy;Gxq`Rb4xflo1;|Ci3TdA^C-(IyIcBhC`WhV@LYn0bCSQVw9KH?zT(Fw{#e2&Ul{Liz{?z z%H*D!2cEPgNxI9`6t%-YbrKo%_>`{JH-o;XtJv+FN!R7iKVY>xJE*-Vh80y$2YNL! zF)#>xElrQR9~IjYjDf%t$Uo%KZc?>)=ce+molE1z?o&4#14lCT-DiuKwB!%^^>3?a zHXb;hMgDTfdY7;LL3nF>*3H4|5qCht9zrFf&OMe2XQUrKqXeIt-otO_c`LW~GosrW zWwwp!c*_u&JFAVr(NH~@;Vn4|T(|&;*)`vs{&&hNc}oRq2b1{TzVI45oNv0kHRSQ@ zS?Nm4bO0#c3hTGgv8e`k{E!i)QTx(smZp=xHfxyGW9w9WIdBf5 zwM`n@`m1?D&f8~{d3mhbxw{H)eZ8c9;1_Tk(g(+wxj`Gb(pB=i0IJoy zf;AIId85|0-9`r^q~W~zerJbhB)Hm4>E~{P&119;KIv=J;{Ywp7x$H!$Iozh>*R?n z4mAM*Dkk^~ELy(M8_(x^)1RD^ftB?d-zfv%voi@V;D$ufjmsxII>Wnd+bkA7brg5^wA5>qK*CPN1LIPN+u4tPP~k0*(WR1X+%kgx{G#-^8;9eD%3he4cy6xrh5(2J zmM{6H8j#5!Pph{L<~dBjN28dO1jG^u0-xfa^d zNXf7$D0cL@+Yq5&%aQoPVM1^_je-&{=)#qp72e~bqDW6&xZ#(jmG?gMwZZM}%E3Ou zl-Rp>6iW*=X60!fHv%$(nIW1Hb)+`e zNtUQE_{UkIl&Y6Ptuydl-(Bu#gvpFLSXaeHwUC%X$Vw4fHd?X#@Lg%+d?Y1KIE*K|0H8?MRZbOk7Jggh8 z##|p`_UDRkxYCwp4e;}ImNuA3AtzUQ>8S9}Yk?Q^$P&j;JB81e6nP331G=hq{neu= z^Rp+huJ$un)D66AQ{sp5h9l66E1XESJ9; z3A!zhD>VUu(R7|4vk(4{E`VxM-(>pc zZeBqk0q%QAI!K^+Y z8=!kN48_oRtr@HK$x?WiIi$+#7wHJas$MT+>cSAWa(y;FdrigQdT0oBTIFKYd9};S079OVI<;ja!i7jeX=~ zQ)^f!w!4aZLw@+Zl{#a|$O%q&zB^NDu2UK5H{^Z3og;BYQOT5plzjV7XLU9?59$&f z`g!%IjWnRrYnY~(zy;-AIJ8;6K;d!jOS+0l+HwhtXFu;YyQSH7#Z)<)ddlT*@0*fi z$<8MPB>d{xdSToF-JaO|9PL$Vv2$OEX`E;>v$++#3Y_B@;soaM?if#djs!{51VQzn zR5)V(hEJ^M!)RC{?O!PiFG}acw^+xfAoZ>itNv#kBDP1<=p_=9mmRm}@>A0?-Bbe( zWXRm@oS+BC5m@YF_WIhjYZp#WxQjq|xW}%PguZ7{y`GepE51qq)2+u@<3QJ~hZSfn5~)637Onr(uEGG=M%-4N``I^35g zA9dn^Xo?*6Nu!S24K2;;w7XmzZlDgh1-|GeCWb0*+GYu|S>bkh2)B0$dv+CnWbsH; zoW6wLtkA}e%R|z_qX{897`$pN49BqUt~Yz9K&c8?K;XOhEQIHxLe!D1t2qbUjdkdP znSy3E52#AMKJvURK170TdAjDrpI!h>H-V}|r97t*W&4_adrG~qQcB?p-3eSaa@KRR znd%|Er@La7wm@Vv^p$$%)yv(J$btL#L{v*;%D)GprpC6iRM~6oi)7`+M&xkxXYKU2 z4=uh{=USC<$QJ=j8mWsOs#69VJ&n3~jwAzR=)GM8vb?oUyWgWPrs}1o3<)7C}T)T|*&kYC~i;7z5_ zqV>_cvuL&(25dr4uxa7`FRcv2>}c7Vbni!izDFBOPSDB?eSRkI6Z+g~ZQ&aaNH|T< z^3hAefh8%S5AyP9>FN$$eU@zJcZ2}5K+0liI(@3=RngN}aYg5up0nT-%0-qtRKN9V zyWK}0A+jho=cGuv?l>VfQ0W^rMvI$tjZQIMglSm9mj;_E@ewNB;HENE|LphYmony7 zdTk`Z3V_usFDoBxD0x$9d?iCY$!`*2yfA{|`qPxTc1`Rnl0*CQAZr9}D)$j~y~&g! z(t~{BFy4b$m-x`a%4fOP<$`Bm+rZ)GrVJ8vH7y1zKf`cNU9(HGorxH}Omv!*cYhDG zl8_qA?gW6vu?9ys?)~|FE-((W`*%QuxKZcx?rJ4EzTbW^K_RXYtq?C_*|sRX^YRox zf^;OhC}i6g1hU#A8()aHLf@}1ej-1REJgPbCG~4OqNcg3dg*dKWv{l?<$g{DK>f^d zSLO!T5vU}}zr<^oaxjnn(*6Y}!Ju$uq=x;kM*P`pp%cQT(ur~@*Nx&aEvL8;fbJn$ z%FY}wq&uSDgwhIL<)~#iv{Y-moE-bj?^L<_bXvtzKE$$ismiLSeOo*d*R>4L8ZLk zTz=v5mm~Uwx*p9J1m(F9eaG-i_MA8Gqs&o|0i5bg^=}`5VznN61aYoR*aYsqDzby6 zEm`_lYfM$&Ri_yS*B{^C7ZfZJVpu311=Q1@%$;LhZ`z{u7{(mN7YbPHj{PR}pc<&Q zrYkeOX$8;f!Y?L-1+_Z5!FR@fjX{)aImLMdM*X*)0)xJ&QpfRdsB-m-Z3hreOc+!L z*Qog!9SUN? zO7)2=x>0`jcp5j($-G-z%c2bw-G85SDJYXbLRN8RY(4!CtRu;$llldk4-$5y;zy2i zFKkKak0woBY!C?NHss>(xARR&Ns-)oa|(G@l4mH;`!8vT6Yf5eZCSdw=)5}DDj@&a z5B-r~$+AO>#`0^|(k3{-Ac*W=V5#CcTWY6M7#VVbJ5!;^Jxxjo>-+9l^JQc@Cxp$s z&gkl5&xG*aA?9(QebhLrHlCir-i&{L!5kp`sIA>9Rz7Bxp`Vl@I0YJx@=O`9Ck=Oj zgPIWei*&*$fO|raMiXEG4aRk391N^g6AL{NQ;`;|smIQEzWO6DutSB$pMD{Y2jPOJa^r>eAcX92Z4{%fQkHby9Y`{|X z+XjBWdNcz*X}w`}XgrIts5QcHNQLD&`L+XPG81B+SVyK~1mCU=$l9*JA#V^kxi}Km z?558g_Js7=ls&Hi?z!u9E;;>+kJSz4F$*0v& z23_wehShK}Vib>?nG+0$bT=;9QeU{4n7sd00*epes91h|z2{s0JwZsU=mND~g>Loi zUdm9-5AAh_eo$M!soY79u=^kKh>#ZmV|;K2nE|g0l=3H!N>*pnlk}Q!@h{9#6FeY2 zP699A0;jQI{c^YeXe0aEs6_*}Es#f*g?L~JuzOPPF!)!JQy8d;qi3GL36LEPZqon( zKy9b5w;U|9`!Iq8(pX#?&N7gQgpO=6!iV^e+k@>`ka(glX7jkaUHKLqeX(&EaaOPw zuaxz80VE6)r_a-0hQRP%%?Lgfxg&yrn8E%S&a?>FMj8C+;D#JTy!VCOPDD7kHW(nf z2K9Pw%6@u(zcI;sXI&amkIK-0Tg)1k(X9nlU~P0YM9+~I4{3rwev}N+zre`&iTb7W zGpa?^-5r$@$S2N3R_vF6bR2m2frRxD_Z9x`t-wRCW1TH`PL%;ozU<7X5N|AuMO=e^ z`6!T-5ypb_4jm=dU#FpT`qbncE?TspXH+EmIxC-1eTj{^9qw>n;jpfsf|7>vVqTEQ$H*FnG4_oWx+4opF-9~OvyZ5PT7L*gw#a=gzQtIguJ8a0`UJWH zs=PfKVTd#*dG1Vgs7btR%(hWZE^`VZ9*+%K_boUK;DR3A+1uqJUhnW6+<%$z%xsn} z_BD&w{|pTYj*aC&mLt0M!)~A8Aws2G;0-_lGbj>~FH7s_3C0pY>?bn}+@buNHN?He zw_;o&#;Wqk)V;NQP;4&b^!nbT)BfQlDf@2+?L-JB7MIJOj9AS6JH-AMT^4S%=1YsP zho#zSyX)yk;xDRtmDnm+=)QH%76E%2Q|>9dpxn37<^1CE{S?qvQGx8{3rtaIJ@ais z?DgBZME<+SXvH`l5})A-7%&3P*RYoGi7+AA$PI`Q*Gc_PgJ5PE* zC|LYhl}pOy8;J41Co407iwvzuJaYK&M}jnh{7s4m=cG=-19{yFok6|DO!*R2O0Z&T zBp0p7U8TKznWQ$}=YhnXLLRAQ>o&=p3{Atu&!0@^eP)0bV9czPCv%+AVQ_sc&v;0j z=PO%oiP0}J?F#pREFitEK+VAFz&5jS{UHhdeYD4%K!(Y7!Zi+c6;Q^Yr_jh`qfpCc zlUf`-Cgmc)y!UPK{bYO&WRSdb)cNcD;U(NqH~LYzz1Y}yhv)V$CT0OP4bD^i@Q+B2 z;2eFtW?!$7q4nlbEOheuSX3{aO8*uKf5e39d_q=&I=9@~ku3c%Yw^ZI#n=U{&qq*s z3?vc45u{H7BGv?KAAW9|ZqnKdcrtQ6?Dq;ywEikhvFC_G*5kPrcqBnsbEjm@Trl3D z?MDwdy)cD1p=%%@o&xK;$CQEQ(K?DiMF%h)D5zrc0Z{wZ18drC`U6eti=p(*D9XOw@O^qa&C@g3b+(PzQ5%Bk@m{;e(H(vPJq|$LE7q z!h6n?5J*AJ6>2`-7;&&BKyVzu=U|ZKY7~JE88-+Q-08XiwJ#J_u9(nJ(kOB7O8Gb; zbtqrXK{dh4SUk8f%O6$fQQF`ADon(AXFZg(PK49_KOZIe20e#AFFx>h7JxkFdGa3T z1s{MgbQj-*b$%p%4muW3%6~Np=L5b@$!qo$R>j;OetF*O=p+@uUC+^T{iUNG><6sC z|K~f;>O{d-8d&~Rb7UB)F|6?vi>Ub(x@LOM2>K?a?}sR?mq&g9m7)U~2k0E||7#p1 zGMumPPHR|RaE|3DmPK2#81-8H5z0YiILTD5 zD0{F#TIZSj6|*ee)8!`}P5%3%-^=?{Nj~T$y6p0&LqNR3qeB>iDsJAW;g% zH)8^V$cv!FDhH#N$;OYK;vjzuA0y(rSPQ*6dAlhxO+Dj{^7$U+(k0(xBcoFO=WZNv zI`Q9&IRkDeOkZN zwR{wh)S+WEHVSTw9jv9hF}b6=UK_0ALhqvf`xN*=5dY8K8!!CtVM``g-xe;GOK27g zQSBNo^c#fL;w(RE;L5D6Sx|G`M115qS@ci@pt-E`RlAkHDm{SOUq7?#E!80~!Lfg# z|FNVfGRTDrZrJ>901?A;rjZS{J<0s##YyIdjpOuJYhm7J-cgqvo8I~<3?nfS5{GDF zh6LFlYq1TjuGxXpWyJPo|9xBckc2Q0BPjCUPtT*X<6)G_*;u&J>ts|#IS0aE+*ckP zd3^r`?^XCAbm#CkR%Y3ci7o|BZVo0(k34yNa-`+wkK=;mLVpvWz=*Cw(PPT+(e1Af zr;|kLlKk$vvA`R6@hv3yE|?OpP4%(cgEnPAd6iSu;O^g)-$m|>7R9NHR-t+hUl<=4 zkIoG&ZoS9LQ+U7jX9)#oo1{jk82a4b_)kA@0Ck)bSxbd96-{7;7?jM)l%R0mk)_R> zR3kZ_tU0{!_{U=I{8%Ioplya?8x!=c=6j}pmuRFZP8SKuITxTpp--lOxE;+O!GlM1 z-=${q%-)F|KW8_k=I0b@i#>Wel7o={KfzE$o!$HW-c>}K5X6eOstn%!ar7j0s%SS| z28`YMLuF6$9L3G4!|*kjI64Q>_x7Vzdp>jIdh=&afNLhcN>Wk9{flH5QWt#ArPl&!two335+t?NaMk4P!E#a7}sL%XjLV z^PT78rH4b!85ci^fC(&~ z4>Ucu)j3Y^7#H3u=v3+{DE0BPKb`UQ=>V-xWjb`-3nLUJlI-=+VLsL5T<*)CIF20L z^FwsFVD|S9#Hs#i39w{<03a&m zxnE zebjE;xG{rsejo1!cYGk@yt~B2-y;W!2=E0T#R%$yhww44k4G+d_r{Dv-bobW)p{Ix zQJ5?Or}@Ew-k)Eqy0Dm>&n}AUyscsVbWz*SkS{y)4dIY7sG~M$peIpO1ayg4pFbPz zxywhA04SXMsh*4sGW=7(lPse^6e!5g&rj_~N`nF0335NB;kV1D8+si_>llHdWs2|q zJ_GyIsIx85qi5B6ohaDhavF*PKh~N@*D;`n9*vBUImqH2}QkMYHB%Tw1%9Y!w? zoN2!i*Xy2!{_^1S%E=YQ9EYbdj=DEa-y#&lh@3}#}AuKK61m^KCItd6m|?Ql@DUPhc!EF=?)#}Bb=h9ScK;CaIF(?RsM-PH?3ggrs+>iS@88J%cj6j{G@DE<^`$Ai#j!?q$fYYN z$BR>Zd3L%PmBq~tJwizGAI7}qIVONjiXDrm|jb-#duR)*)fDh zMe1okI#`8W6km06py{M>gP$iOBdil=8D2dXxhk;F;6!xc0l&MOsS7R)2n_>vhu z;hEF|c8Qb&D=7@F#^2tvoMHU{p1QO6$*z+Ml_^kRS!pWe!CC}{bR9C{4)hO5j*FF? z?mM0%`H3PRAZR+(Kfl~`8BVMEHU@T(%7AQ9!%Fg4b426j>ShJ^>2p446GDq?jj7(d zw}iZB?{p*OGQA_+64joCvXFv>5*n&K_zR|Or4NjZWGQu+TvZS~ZMq^N8VMY;9-usHzNSz^Lq+fm=4WcvOJf%^8S0+ zi<2-VHk_WVJ2IG?7UMhK7^4XaF~?(1+NJU%=^FJe_iI-X$EM5UB8nL z#Pc+r&j?$Jt_znh#sG9y{Z>C}xsOtE!^I~NL{YtQhpIf9c(?2(2z8ngj^@*kk0z(% zuW>?P!kHAa45k*1vRQEj`VBHt>NVf|VBbBFc!0mUce{b|Pg^;Fu_0JvD=2}iThP{% zC=R*EAM>k$<;S(DKl%jL5Hok{IX)wZZnMN@48U$CZ{grc@K}5d-5bF)cG_I6v&|m6 zo-f~iS_kOR2PLf#8;GQBU_Xu>$dD&Y9G$A>wPX2xP5sdEXllQk`}gy=Bb1)&;o}ik{tl!Vl9s})pFe+Q5KCRlP-EbLxN+)aPmy&5?{@%gKP-vcK|fjxtYc z$Cy2dfm)||XlPr6A!a|Aqe&2e=p5I>{|q&sP2^Vw7&vT7i9KtPdas~tM*#rmi_o~> z(_fRf7!4vFZrM;4mw@ec*xx^}p+ z4#8Jp!&VBEWbvnYe-CvT)1x0(ymn=s!2c^}hDKa?n`1<98)u14?+sZeQZ7A#*)!UE zjMqed7pP`$*>+92*8y&x3WbOR2xj<)A8tJ@BJ4a92)gPq$qWn(wTuyZ->H9s>enLl zUIl(3z#Ov3yulkZq8{ zeGfBp%47j}8_Nr5@>m^kNlOr_u!Y41c$4yubcOl-N}4u2~_?R@K+9_VVY0Ecj{l7mKai=Nm$0- zpl|ev3A8ZJl)V15<>_m7m-+C|xfM*FKshr$BP^48PU=H?!4fX?=Li}Mb|a2N3#vkg zaX{Opp0lLZx@-5QVN^ogv&g+W|NliUDUs%0_xM#R>XsxaqJ(KJ2t4>H%!xQs(O=%b z)fimP+;5Ezn!nNzUPC0&5kcYDkRc}dGifb&&}L+Q*T|$^L%I--;kx#ur{#e zg|8^{fpfu;-{2&%|nh30T?AnE9yQO0`3YA#|j44LD&U>Re zx#xfIV3Q1zK@{vrO52c0+v2E$VW!5Ia%;eWuM0Gc6<2_zv9#eF zv}}6MymHr|(x9Y^GSVRVIc(3SxjX#tMW-XFM8e&?^_AwoTo{gYBE(oGqA#E|6>BQ= z!gK{caFNa!!0RoNmIg8^>QwERHY-+E);3W0DuvE|TOUK`BJ8n~1@CGy+gHHfrQN+_5e}*zv)=yXw6gVawl@YsigIbqP{l0Rmi8 z{BA0u=Gq=n8ebQu@%+n#hpK7vLDICI9VSvDZamsoIU~87wFAsX*=1bV>5WT-9=9dR z_r5-J_{=ZP*WG1f>s!M(y|+ZW3-YZE)LsXE9IYF5zZw1@wc37q_ebo}(4)8!_6<6uxGeG9tSb??bDXIZn@!0K|MK_E$GKV z`Qj6VxMY(}nT|}J<=dA!AA59v^R7JBCrhUJnCW*UnjS6hY|fh1=*>~>Qt}$CY!r!K zvn>uSmhIQbN4=_}VB;XmY8Lh+t*xJpv-A9q9mX!_Fj$`EZ=Gc{-y6d(_l38c z<6Gan)?CCgd(oET(j%LKdx^!g@;uEkS@IbVLljePw5oJOUwj2@y^O9rq*_HT?|WSz z_K5{A&x!rwct5%h>gaIV;nfAFq7@ z`jE`r89nf?hapH6&E2xe2^G4MNN}>09 z-6%i&O&tI2_+OOe^=yin0fwg1JpuQLpTJIH39ej&0pAUSQe;_cyS>}*ZaodERCH|bg6um#I7xh64Adm+4Wy~sDM&vZNz>2B^74RGzy-_U z=U{6&-8M?T(6i)U-YkVgW)Wzz^>8m)z@<3dy9cDITe6M4huwhZqJk&gJ8fIF?QAZt zU);xL9UMkJ;|POGnHl$z3lk7L);!+z^JKnRP}@^FXCmjSnO_S}u}`awBG5>C`PKIA zbr=(6hpznvi8oXNSrR4DtU=_IC@Pk@0T0e!gAdjhjB{9Ck* z0&G&`;{NV<*!o2{b!)Ka;4PQ{b$}M6kUxmv&da+iBI_YTR|_J{nf${l0>lpgiUkUD zNW7?fnd10`fkI2w0N0AvTM>tjm{o}=)Ez-0Jo+P{h0g=C(6)yIOTUzNy_{Ou4vy`J zlyv{1ra=KF{A-=R68Lz2(uXJSE8-lz(T@HIJ1_msp6=ln@B@|zpbGHJWu?c$I**ia zw(+(gum{1tH?hQhn5{MqhPhyk$S-u~&i3FVw~1~G7qqWfK>h)M0+OSlod?*EBr`C+ z8uHG#&gcQ?u{k%D=RSt947u^9IMa=#$x4lMoivFx9j}j?nYtx8^3i->y4lR54iPs- z@k)cknB%B#l04rW6{L^l$9s*`9yb?@+;%`1kjR5}5QMTQUtW?Rx{W~J31@8DQXV&t zav<&1{r3nRwiJiYQ3ZPmYTyfWj$UaB^dXUC#pKN`=SwX5Wrcu@unRvl0$Ld)UL=GT z3-1817IjOEQU|r$W0sJn)i{_TKkzmN_GAeA7m~({Uq6_!bqk(oS(~tt;oNtKp;roBd_sG{LMUGjDo9W8lWR3?W7C*4fao>_O z6CFnD5csdR%DbwD4*Kp2KA{isc_H(YGy3uQS<`p;bHVn>>!EDwY!#g}(@Uak6={@Y zeEuCU7$8;eJ0?lgCAeH6Ak3+?U8j)HL-G4i{=K-5G~jrWmcvZ-uy%f&HIY97%-Iwg zsS?xPU@E@OHpF|k%LAuTKjQ~R|MrsfNuZ|I;+bDVI={=t+WkQc8zjLn$~RSS_FV3jGf=u)Lzm>XS_m~eYpmrsvEhmH3B40!_~f;IZLoKO)AoUC^Fnx zio3P<+W!59@IquxLeliO^%J4k%Rr^T z#b(eEsvip0Zngcm2DN61&!MwWh&E>RLsmHdtUSD|e$h2s_F{~IM(Q!KwQ72SS8!($ z-s9w8#amF};q1&q<*My`X!=ct`4<@SK{FtQ^5a}8Pi$iU$O;4f*g7C- zj6x=iL(4q6j8dq>0XPQ}h!07i=J)U4M_`i~&3LziIg?@B`qGepdpb*8N&{Zs+)VbovH12<$i$|$4ksi(+3H^0$36*ePwKr{ zsZXdZIEq{ccECAaxR9Y?V%{)!v-3yvTHU^)drKMeV z#zIh!$Z$9d#s@Cl9^}|uonJL*Kp_5M{H5t`MW}(kH9&J!&ue>G(|k}g53oB*A*Yw_ z%Ef5|IEs_{5mv)pXI%Qf*>mZKhmk*V+-PrBT9FfHkM~^BUY{vw9)UMA>CDf_C{?*W zcA65QPU{r04cxjj3Uk_{AW6W3aRFvdqn$gbz5mZWagYUE=-)vNlgntigisD`o|En- z<(AO#<{f;*i8b7FSF7XjJ`Y&tBXAuU#%;_wsVCs?uf%?$dfA>TN3jmQBU4}`yWujBja>1)bH9`$QCd{tX2K`~mm98vMS;dO68m z?#zY3sK_IJ8@zVNKoiKIwaw1Kw9p6)qlP1L7$#dVBx?};)!N4vLd7WNFil{LZP}NZ zh_TOE|F4JBf`_9%H14!#JZtoU?3!EzCTLXvyc!z`y_*{M%s=QX+!DM1j`PmB(2aL- z4>kvPS)E=jy4wFkxy=cbJE2GQl%bd8AMjh|CiiCf*%F|&5Pji^1TN$p=*J^dZc*4 z`_6gUm343DVr-be5BJICaR(+}Xb7|7q3KX+aFa>sL^KAK6y<}+*#xvAL_52RcRF#(}~q|~9At_)S?(r*t=&u9yJZN1^p z&X+8<>HW^}%lsVa_>plh*Uj#i%2$@g&t|9PR=r){=+Eosztz_f&)2+BkR;)PMFaje zLON<(fDs;QV#N0D*6@`?m|{}_kqBCAo+_5WcN$UR!h1bkT)Aq^sETCifV#dSYu`Jv z&;5Pq1DRKQ#aSns&v54BE{->I--d~K`B;Hg+;fw6(#n64QWdwctpDW`-ose`2oLzG7!l(>?lK^1 zVP9~#Pk65`Fx`tez&hv$`SbJdpq;VK8UHknXFziZa{vP~v-{Gu`WZ$hCXnr5;=wCC z5;gd;>i~miar(vj0MT3AB?+_n7Vl{6zpWLRcEd0j%}l%f79D|wrKqO`BxDH|r4^vu zCk(V=4`?xMm_+9|@*gey>2=H@cQwB2>1C?B7d_VOv@6_-fDiBm*T~ZD*>=3yd^;?C zK-eh_@uFY1$^mXs0cp$IxtE%w3D}d#YaQbS?9U~)3r=5Dk|}UV?L_tF7B+pW(DNPU zV_{3KW^u0q5>`DB=Vp43BlMc3qci+{nN2i7=qj>dPz8D($;T$t%d6$oOt1 zk$`cvD)9@TE3tGe^VQ6aJE0+Df0-iSuJN&B`jCjxUhb-U_?g zal+c!jDB0NbG@*yYIpl~$h!uETuKE?IHv*B+z}OZ|2WUwfW6MepI#JWK~Z~V_MnN! z-nW)4Lp$4EhO$PU?=3zu`~*`gc!eBcxoJ=uy(4Q`)b`%``H%ww=g!tI#a18Iqw>%R z2pn;;>rmI!H@%m9PxwZ2G6gWk)C=^MsEXn`V7{g$8P`B<gRg5!H3B0q9VKm7u_>%2d9ym`&IofPX$8^iGoUIP4l|ig!oMO@wka?c zHMa2!hQsX+r9`De9XN^|+h}D?95tRj@_AV{B3xj4R}6b>e?(!71<5dfzr|fL%7e&N zN2?J{G-e{p>fD~DW{aCy+mY=Z^afskuhC2^WXgl_BZ7}$RN@2$1;t0+6z>Tn;6TmM zKE(3KT3AiEhFYK33{lON5IOmfIHelC63gwX?c$o|oI~mgk>@3LK!)lIFtoX0*4Rlw zJ5`n}>e8)fKHL5t?a$aFuAb>Fh}+!-(!GC^1P|NZP5bSgU@i<&RwhH|L)bP7i6u&# zAh51ZENJYqH@3s4KxEO&?xJJ^L;5LDLoAH=pj(rqQXwH0v`gzqZ=s_&+CpeLt+wst z6S`sy{_MpJ;doOD8iKu~oW0oA!Uq+oW7OQ485m?>a;U+rk;J*zG$OU{0Up?^Ckikt z`$MB%0WRb`SZdJkEDSk4Kf;m6Ene-n_P+8B+24T#V%xK!A3#to8v2@l7JJYpM5HWA z)wmaIKr+q5@29#0cfRzg!HRi+TUDR4FuT3#WxV)?ky>{05~rbr6*>1=>)l>H-&$2p!wSe#hph8U&mLPNoBt2pKv>uK;y;$NGVSGWkUW)QI{RfEl7}?A>C& zLnAX{>SDgT%>R&M=xlI7ujUdr-kCkZD4i#!p&$3UynHB>0cqaoE^Hf3GR`NwlU{&r z+^`GkPJgeJG0FDfmr&&ka@qhRG$N;L z2%qnPtwxxU5ffzitU>ulmQnwvP7&b(r2zHcACHLBfSncY#O{-$tMK>)WPMY3tafZ8 zTJ5!d^Kf>E5D5l}#z8U)3TDt2iXi9ISsTir?#qXPjzy!GOJg=~oo9oUldq1pLAvC+9s<0^Nkl+9T~bvcF5wsU zh)wkAV4O4FYs1pf2c@B1kuF@=yz#E*Z}}W3ug)V!Aa8hTKM(NX#^@ATU4uCy&uoYA z^^=mLHVwbK?6{IfppBjHzB&hA#4}K&>)8}+hE=8Fx1BMdc5c6)Egzw1a2GS#4U_CC zAmHl&EzH-`%xAD5$O0+CR_}MH=UhZ)_Q{SF+R~E|QvB?HB>4B`N76^gs9EkFr`+RX z%-~x%Ke=Qs+p|UmemYgk_vP;}2crSg-MJA!@X|&0A|O)}XhkG>F9ijFR48Y0L~UOa zJG&Q*wH4~QI<7&fSO@9$$t+cSJ>)|%2M8?2UIJ?PkviKg?>o<0xigLs&%=E__3zh& zOr}HfnA`0;xM#e8g1F(ROlH?FRNMTvW-kID^w%O2n+PiTlv+@QoJ)@d6mFNS4ZZo> z97?H-)Szxaz;h+g>AYseXxIbXgoWo^$fk z1G-N}>gNFj$6n7rt`EsKl@1y{ti(KIU=7ig+um6A zkG#;L4Ch5hjtke538D}gXI_M^!xz7J(NwP}p1ku;pOMbYpWiJRVMVo4#2fDw&&6mc z^Hh(5Y^btqI7gI~AXcOa`I+u0U_}H0+Zxt7`i=s=d&JGI12)uB1ie!(c9@n8GwmnS zjP8Z&TnbY7*Avwe3v7DFf9#dPjwtL%7+9pk+JbSx4{srt;CgFjvpG7OzZ>v~-zEr@ zV0&+Hz6=Y4`1la=-Re_gQix@Nc7_Yu1Mj*Z`=0a=*o8ci4QyjE@z*K8oA>4Qw`LsK z2rkaquO$&MgrN;RkNIY^EmXH1md{yOKT=S1_5#q9@gZ?L;X>Bsw^ z4n8lIrcz+mXae&sY34dlqA}^g7Kzdkq^#!tq7|p@i)+;%$bh+6+*V6shz11Q_<)?o8ZWJ9! z2ools2?E=UGJqd>ewK9r>lXm`1eQ+AJv<_lt}N|E7(H9-G(Nh}dSDa=wPZmYN_52% z)be$J?`nXSYmE<}<-|DEU(z7(J+`8G#)eA)8ey`10rsPol z@2n?2OVA<+k_=g-sC)4dDn1#n^-&6Qe04B&OGs#v9Y$kKVf64nraKG0BdJaH2Ee}H zJtS!)0_xWEOtWrUYPPRkP4hY>@XY{+n zcoQe!n4tmUI|2hYr}Ah#79=vX@@|xUm0GNu`XpETUiWs$aq)(*2#ReMX+@@bXx*kf z3@er7mAwNbED@bT3*-FTQj1!X$RrO5F$#iz2%rOzHQ;2XoLCieKyz7J)iv$PVb(CE z7VW0rUizQs$)kfbm7~1w>2bua=-BW8KQ{~70Io)=M)t1xyjXSet2XiHyDHZ%qx{Ir zoKjW?GjB<$kxHRI4ZgjBgGbh1v^|@|rJ+WOXBrk3+!Es?A@t$_xh!3vAHza(>C6${ zs8E6ihL92Wc=Pzu)&BOm@k1vf`Ny+08Rmmx_FitaE(!{VB4>XcDCy*<&blCPv=c_g z*ag^F=r1bUe!^AW2D|J%WPlK%`UGDAq)~cQeIi%dB;}x2wxXeEPfpy`Pah}hJFT6r znim;=I5chQ9Ku5ken~Z3r^qC$vDB54nGo?lKAGqnHreL7Lm z0oeJ^uMnFa7hxwadcRL#a;%6{Ug zP%e5}sBkieGO>o&>j5RdHzv)dKQX2KQ7*x6Er3G4`WlZny8x%Z(Ne}Hn|8)13CdlK z@>d3)qV1^#LTZi*c<#pZZ7_ZF*A>IOXNMR3&C@xnJdzNkt}G#F>j1|S$?QE}JAVI2 z5EZdr{SZbVKPgtvFkEyPsr~NqqyGZxlV0^!?=d1GRY^%dWJN@X^RG5J?yzg6+SJa; ztYZNQUz?MCdW}D%wD>=Nu5tPDJ>80f2M?O6R7Rb7#x>R)dab~G>`s3w8xKz#;qzBo zc}cp~tWTart37S|IGx-5Gt}gIqf80^&99d}eVkL$`~EoT?%V#8aO8ovQKMHrbQEY@ zU(V3i?dG>haiA3ECVz0lt2p%^tKE+x!`C4`TcQ`mtSdM44QF=#o zJ>f_`L^=8Em8l0UJIA}L(jg%;kDd>`oe87K*;vnuo3cXoJHCuxRT{ZM#vnM}&Hz~14cHn^ zpU5OWjEBR8PGVG0uDsOoN_z|lPKtD@VrxD5~#zy=2{RL zH)_MkMGvzGVRe+&{JAt2t;y0%3pB8If{3KYSemLfOKd%oknA%&It5?gAVLP45tsY7Z``JycQ!VkmUjRM!=^Ks{#FofC)b*@#+l8{~TKNLqY= z_4e2EVpxwck1yaA;IK6~D$H)e_-6tGPC@D#IEADozS4+uXMw~-YXJy8kAzCGO0w}$ zeb<^W4I{NqA@y6G<^S-b2stTVSuMZP&LtnvorvDdY0Ws9Ug)%;@=5+l>lW*;)B+WG z`KM%w7oa!p3G#jGCsN-1_{oU@Eki3PU%TdHkY!P@!pXxLL-8gWI2YD1Ch-LB;EnI= zaV!p0Tmk}GkcDVM7EVS+7N)8ip#S#Ab77H78ny>v5Wjiw``9%RkO=f^6` zNqJZZ{r^PlA}k}KTFaDpbisL zzizt~IW)n~D8Q%n;VN-^we;avk`|9eo?mtRZMwtd=xvSV<*_XO?eHjOrOAjoNs3e&gMROdqFMPQ`;1%M}SE^i(&P6xVDR!%t z2Sc&H@X!11`xGC>mSRI)&%!183ZW%+&e$>~pp9Z*3rpI=?%+&ei#^4 z54e&OqF6LEB>syrL74w-c63~lSyOBVXcCqciHVDgBPbjaX6@y_wnJ-z9X+)a<#c^0 zU)?vF&%XZI)jcyCd072^;4Nu_Q(bhOM|0Buc(+?PL%Rufw~64!;j!33nm+A&P1mj? zb(X8M#@kEYP7O!wWEvJ{Mklfm`8{|zHJV`96*&G-tHko286rAzJx-{IW$4ms_}P}% z##bmFA{PU)A+F_0HG4jK(S8u?NP>dt>Pcn=Cx{OW43c1H9RO4&LHn&r>yUJmxrG^iPjT6IXWz{cO9=lqCc0*nnP!}@LFtu?T-h)3K76iA;W!N>GWl1A1z(9% zEeJum;k_(pM11_5lP@$U)2a9tD&pi^W_n&kMxKgVHZ>?{KPnI#%C4yZ;yp@;9__u9 zC+<-0`pefPK_YLp(ZwmNAg3;4q-1aYZ3k;89_ZnQUf$?@d*7nqN00EA=ZA(4YkWHK zSCW8(`=soEungHUbHny}mQQcCF&J~###C`uCPk$uW|$?xQ-|XS)<0m9m|I+A43B!d zzPWP~D%V1>NFnGgw7ylIt382#^r$*C&Gq?^9fi&Zg5}JQX-1xDgp@rQM9@^>j|x<# zN};fT_V0k}cwE~aA0tfO9a>Q!pWNgd&kBlZ}h#diqw53 zva>g3^P+gV(to}>$wD!FcURrWpT}!24+93(3dC0%{l`zAbYxbQzY09>RWC}!_Gt8=~%d~Z7YD-Wy;!A=|2lO*cU3~?zVt-pjwi4H>VjFExCqJImo3^pZ(9X-k( zPTtRl4I;PkQ&LhbP2>xUA`=toL}3L(W!`y>{{V+dBS2(jTMURiy>t=h7f#@;xHro8 z;PPTE2%a@V?g)_*Nut*U=gM8J>5xRhR_Xtzq`g?Ujf*GmC^R)>j&d-@~={{*(Zn@)Nf zM`eaAM!NCY#*=D5ev%P)UQfADec{a&e8khp00u10XSkA3*r%Rh$A_M!hz+LLhia&A-1?M9O0$6p}CGW$yp_FTyy zS6SQV0IT`2CX$6$NJlK|*qsIjM!ATN7K#UMcf=0;GeX#Z{AG83yxUO!SE~)+Xifs_ z+d2L8Ey5Q**9sy^ksc<}wjHwyh)+*Xw+5y$;9jxIzh3tiO#zl&+N2Ed4vbEDQo%?k zu(?uU^V>+@!$VD|7cX9fCuCgza+i3!YEyy0cCKest+PoOkpiHrCUzqqbeZ++ebI56w%p@36aDyDM!4R%Za=&Fe@+10SS z)TZoS{Iqq++sf)y&1W;Zq2m@^SyA_Vef7yr?nRU<%P(|-oXs-GCQXMZinT%o>k!98 zM~8;&qQp7UZSf0pCp1ge*SBx`7wEaS)3IX^UfAwhjd+$^3^8q2;umqYxVZ26NlCe#)Dk|^I#TER4X4j$|K~YG=3w zxdM4f6Y?Y$p)Nudnw5>Dd9l=gKa-oA1SFeEip)Aoxh%!cF}U>(2-MtLvluy z9wg^2S9s=6g@uNir1n}5maj`?8$nEq2Ku9Xb=ccf;3iE0wH0LeQoyIUylv$QKpj7R zd;{2XfY=F74>9hRI6V$-Q&}D)(_~`->|_5@#FL+&bdrXGIc)t`){E-N*=@&p*Pw&SgRpq*xu`0yPuE)d4v~rREJ+_-D;GqirD}N zm721$gjECcyoxoBM3%r6Th?p*b%z6}FWvWXWl~d9wQ)3gd7K&g3dZ%OsB7#CgeyU5 zyA!sUaJUrKbyR~#~J$F_A#xGGZ`l9cj*X~}g{CPF(7`v;zZ~N)JRP`_> zBwf+EwprYID(#s@c5mYX{0pEKWmD_e{|9RHLGJ(!EX=#BL9GEVDLI)Fvrubyao*X! zDr%m!F7C9mm3jl)E!~3aZ~14tcFt_xSzNmoCuA=RYme_*QGNdHbuZJAke*0+{pfsZ zdYW$LMPWiHBovN`EcmcNs|A0~hp~*Egqqq0?=p~f8ZzqPMP>21&&_=gjf{K=%(eQh zSof_p`}Dkg;R`pB)$5Qrh4czO3Eo8^0bTyHElsz+OWex*P;RNP%d3I(1go~{(;dZD zom++^yx7Z5Du_Ayka!aKA8)OX(Y&6^hA9N3?9EaulbSOtJ^TA|?723~WqPRoU%0Aq z6rLxVX;^D9hSIT%)9KACUlfXn>;9*3b={>JO>c{)V~$P&b9!}E?``V)_6@n37nSiP zLsmw?j>-nc%n_FbF)ssViY$PU@#M)92dfX)zL6p}dRQjvOe#!*=jypQKl1l4K-oa| zgQ37ZRQQv}c_=G2*~1L(-hCsiZ}CG4nbw;E1h3;_w_Y*~@35`(TqxR|Q9WwaFPXbC zm)aL(3Us=?c@k1}j3=|gM5>_U(mce|_#lJkP~ewXL21V$EUoh2On^lO+#jJzLaG0= zYS2cUS+!E>CY9_hyblNz+uYBB3gwPK_gZQN1oxZ`6SeHbmDutL^(ybn8ih zn4dTr-&-X=)qI*>sQe)0I+L=^)OhhE+Sq{p>eCj$oYR5IE&<9SB_-by7YO)ZSQLCW zkMRBfW9%x!vdX%)ASfZAgeX!5Ee#?dVIbYzDka?^jV(wBA{|P%beDy6cPiaTH{Uuc z81Kwn-;bF~o$=v3`|Q2;iaWSZ2Iw;vw{eXb^uUzQ5cm{6npRiR!Fd1)^nl=EVDWQv z9eWzsNL-)I%Il8A92iadZ=BlNTA5yMeOzv<9hT>qs&lmcB0)%F${k?uL0|G6?Jd+8 z{yK~j7vpbtBE-aV2d_b8mp0G(;)Sz7W{kx_@%1C8mbrzxjc4o8%x-Ck-vy}Z9lKgZ zIs<_Q-v4@`IKPV;0Hb{n@o~PTI(En9W?`a}C&vb&a~A1P z0;bXdbEcN1`>eI74p(lBJB-6QJ~lpHjaRZhoLe5O8m*1O`kzHbMS-T^8yFg=z!0XJ zGiKl@T3ys20D83``WCMk^oV6Uj6EOF%xiPxZ0uq+6a3^u(aBMuz$p4`;;{5{D&z~7 zoxjyGv6E#O18IArp3@r7Zcsq3aT~w`Z4u*&hWo0RKV$6Al0z_)m{Ksg%MJ689|bBP z;PRz)?C#e1-m!C9w^|Mgy=?ZTMJh_#r6o&Q9LL!vT5ZiR4gd8Fejr8TeeNIIjn)Kp z%-~^Cw52t?TG*zUaiY6KM1UX!@ zJk2XK%ljgc@3a6m`4wB&D%swVv8_E|BH94)rxr~|{_o?nKn2IgdD8Iht8)w%=Y|FR zOyW#Nv+}NIl+r{f0|uTes-tj!Tu|NS22%U;O3rQGAt%} z&)l=@^p^-4y*~Q$lhKYB$aoClSCTA`P%_9Ey-UOl-P~1xt85a{FA}X^ z1q^Psdc~u!Cj|upvBYGEZ30%ZaBQHP$50>NO~nOmRHgdw*@57RlNiU2<=8!@4}4*i3)1#N>r#cB zf89`T5UB}S*P=f4Oni~2(oNPoQQ1d@bEo>nn0MCw>y8HR_tyn0&Y%Y26ic*ED|cdd zmPN;G`O@?7sDV6*Z`t}+Y;%dKU~+sG6ejQ|Y%aOCq|q|1$0Yd4t(wbMvpLfx8B=zK%6v{K zuwE|lXZ7H5hq@{8`gxa<86Cc+ZzvzD%bi8Ss7DL286e(R1fq;3*n$KpK!GejP!)^qn zcu$s|m%59IH$a&ZVG~vl4h|}PJjmt_j`Kl_=8+tvJkIM)Oc(0Q%{CH2{cOPlgh){bP_x!2do9{F!?O=0ZwE+3F1y z=@-W#)o2B`mUNhkO#$Yt4bT*&R@#$>lbg%k(rKAHhqu3%&ac(bGwMD@?|-788EWZ~ zm6rPRW_h7xe2xmB+-GE_Sul4SF_Wuc&=5)7T;*(`rVYie6V{O>O5 zuL?5yE%w_73b)~Ik zG#K^^fD0DWiRzq7VIiJ_1m7Rlu{F+ zm6&8b-T?107`&t>Tg;&mRJ7V-tT~nRcc<#N$7F##STQ*Ar16R>N`Tlr%+lK+YreRo zzLj@JZosyrC}!2PH$jm##iX75p0t=mi?U8x)+fl5uI2ld^`9SRJK(oku%c33YuwRT z+$76j0MIvrX()pv(Cf5+SvN*(LV`MqEOp!xV862sN7Xce*6?!_764a&dj*;}fIG!A zGc%>gB;4CT*k@)ooXP4BEzbQn_I;TI&jQ{u+3yPNtI1+ih^);xTz%0K6L+`H)j~d} zu3e(2Jm`{(ih7u1uETQGIFe_5qcqBPxkA>sz{3|;VS|2@kCS8gU{?`SS!|dFO;_c+ zw)w2^asastKp)mdU2ne#d5exOp+aw~4d%_MQ3CZ1(sM5>Dg<*4TWmSVmjc3JEk@&{TsvZENoR~_r@HRrN+J5arM)`xxBc;&fY z0W%3Y;TZ2&|LvR!z6L@_auXlh$r%PzMCi$^Y(pP$@lunE7_(i5Sd-X76cJHn9az~}tRHennFC~qt&BaZgOtD3K?F1hTs4A4v z?q9#Jhgvwk!yyf5Y-A1%0H;xg+NBNK;3)PWX6@AY4XW zFz}A_mPi~(FpLOAFL6es9inTc;o%8AM8~xt6@K|Ol#~qA)St@a4bA%NaAki^eH4>g zKF;d*fR@pt$B*gh=&B8S;>3eI57E)!Oa0sOpv zTTzQlq)rEa@p@GOY!6+2Qnt8RJyYBH>9w&foKL2{@{UGDoby!POx0@}AwTq1V8d7_ zQ=VhHrpFN2{-xl3PtK%=;Pc&lN+NHq~F85BYh5yZa&g zqLCzTXzFnb()00YBHehnwnGv!?|x@$9YpSfc!Jzb%*c2NTiSz@5X%EZofXIQ#8!^9 za~ieKW;jy@p7}HwPKIPA5!A=cRtlSL0)@+eoihD42tl`Z9eLGb^;V2>4AB| z%*3wU@zT#P8jx~o%mL{Q5pv);W(%}vtmi=Ty3ec0ROF5MiLF?E2LQgdBn+1>DM1HL zMnU1FJRi*;F@693`@V|nMX&|Sb|0!lNn3q8lr7izC1#0zLNHl4DAc`%EQ|i)#kvS4a?{oy0h`?e zI>l~#yW|mGmH&DekdXqYL!H#$zQ&B`Ka_&HPKOKHBQ(SH+V|MYk#bUTUE|D}WjVjc z5Mp#vH!W5HWul-vEtu)*`BKP89dg0GvRT+;YQ;iuZzK!0aQB{61Eh01a8m#enx&{Z zk0!!xY4NZ3o{R{RlwQE|)H@kofwUzH3N9O?bn@9m&?{xASa?-)WS5r%mQU)S{Wyrv zGWpC)9_EnEz&K5-NQAgrXgf_ErwQk>4G8`1AQYI!ztQ}8=3F3bZ+?Dc9J!QaJN5+K z`uF|($J-$^LwYM~OFAnXlnc;c>@_Id{W3jU^*d7G7Qtn!k*5fr0!jrS&{Zo%3_IPu zn}{?hkvd<4dr&;05AGo(%L0snZILgOH76)XFTDG!O#k(x-7`S2c63_$=?W1b8n}&M z*xf-gm7kP>)lN@1;TTMMa3@scqrtR*(`nTtO(pXhby_5E985lt1}VtXzwz@s4l@ps zFp%<1fe5Zv?poTq4Y+%2p7H;+B2T#XZs=RUa%jn)CGv zv}=gTgIJ6~OMRg_C0AT@ zhp?%j&C=R)HU$umMuTOg(rGU~{_AU{^b3QnUWjQ~s)7y7t4~FHEkt4|N&#vgd+vt` zR}iDG&i7@sRwvAgvm3Hp7k}K-$nCc}|CvRM+dyH`UknQulL`MK@z#uV#O1j40*CyI z+uPd+cH`0G@!ed#RPVyHVAtCxZs)aL9E965B`{l=-cB?1YhIP=PGcl@iWnz@YDThc zN^(EZETP7^HG`nm?W6V-3X4g)TO?wy=##7hYr7k*c|}CUnmsg+&eWefcb-s{wZ*jo z1yx9OsOj}}HjgFjlNV*g#5~pWNlu=O2P}tb(lSWl4l7Y;o9fQJFQNVSkVA-2bFroa zbow{Wy#>K)V{!tUs}Mg2@kOq@N>o2HklZRdemK^Q+%kKP+&XqsYeW1^%#N_S2o+*$6xUmO*N$Gq9(8fq01A0 zFN2hQLpj9w%x4S*?60s?O0buQB#D|!w9I)IlQ9>P2BpYJJrF+DAuzWo>~qzOyMAxD zSHNhoH(*xhiSXm;S{&_U69rW#O{t^vSJr*vrGw4PTV^-SNcisM?1Udi^L$eQoX0c{ zN9u@3OnsY#8$v>=hRaB)H#F3D_)P!lfPbLb9&AGkOVnNB&WHgFLQM}~7feHF?Z62o z6ND8UQb%Q{X|TcaVN2N>t`&G0`D#ubn{lZ9vg2iP;)N_GBS+~gTiBVGv*w?6)M>_W z&AZCu**FVkPU~pSz3;cIH)@H}K$u35ewb5Np)(!D@T!=VoJ@t+g4J%F1(Xj|*{o`T2 zH3hM#6AHjSEFVb2JrMa5Z*o30Y8bfH~v_xu?R0 zyjZ!sn>U4~$x;;4Tsd=Ry5;l}l3&Wx^$-_Jr`%DRblBdQ7e>YkDfuPInXRAn3m*iw zx`#+fY*wF$@@+cbPw_(Zi-A~O?5P#97G<)%W>)#>r37lqY475}%i1q2mlulhQm!f5 zDcfB865E80C`K-gH|EPt0)D10Z42|*F$DiUWMp8VGA&%J1 zK^A(;S)JXu{?b&&J?n;>x*ur7cq8-`nKw+IxjIZA#c{mjmlo1HFImjdj^hiu*8|&? z1LLz>gGyfHjD#fQMj6&u))&6v!E9+jtNos!!OEGQM&$HA(!2$qdz6M{xJls!_0TpdFbq0v_V1P=yLvo0cXlYvfZ`NkVyYIEc%VYsr`*)&;(Yz` zIH$pa&gyUDYp!-Y_T##G%VJLKdxzXg`G;37K8TTs@q2rmA$s!JH|ege;0NgPCoe~g zkB;~#&&hZ{=A6;Qo#l^}j@oK-opbQx&efX4iVM8Q=rhZGGnxg{q_030(S}9%8};A- z0Jdz|;%yN9IL-PlL#`e*l=yDBLY3iPtGP^&9ZXgca5Y2V<4_{$3rDFE7<3a4AQ8%> zOK)|FebRtqXK8ZP8rRduo%zbv8H#dQ9A1u`7;19Kw&n-Iv*UB5sp&y# zmbTU<>`Rw*Csv+U>Nu?gYEn`X(kKN!ZwzEM>TWwLLF%>UaET#m@!(7-hCtn9Wc<{3 z?jBS^|8SF)ofY)t8+5?^*#VdIC=3{%(tRiDWE?P+@+po}q1@I5K}jS>@!u|be1+?V ztE=m(T?n31qh{K}b+nWsxbBjhqaXWFaHmVwa;XlRsOAbm7s;q8-h(91_-^TwAk4-q z5_#j)1-dXO%Q2`WC+o2mslp}8mJ1G~R~O?v)2Wa@U6dqOFV?+kU-H(zSIby(Y&UN& zx1S`zDy=42F2S=1Z-$9oUrX%W7c^v)GEJN&kl)*(s`_|Li+5%ILbkC#ub%b{zv;Gh zjGn%_GBotsOPs82w}pk#(a;LmpZA(xS()jNWbt}DW}K|o_^Riv?t`7FbnoImT#}x0 zopOBKh^->_!#CQWX88v6UWIDh@M9g3Qg+*jLP&<}QtrL8qb+$sMhj0XH^TuNQj6K(H+CiD5M|UTl`KEIEuHSixikgjkfhTM4>8C!9o5o}5mNQc}Cihh~2Ya=z zYoAK)LoH~41cYv0x|!xYzwDyu_}2E4uRxk5Lwj=Uc=TqZPk z)|U2olzM$>%K21fgKikkM zCN$3O=GyvctYE!snm2{5n2Q7OVi3_N@1?1sr|8}PaLPR69`Y7{-W}c6_uai*8QvC?v>G< zZ7@Aw9w9G0mNNke>qPtc0i)i$v?}|GT0^b$pK5~#>C!W|X|ur)?3TYqz6zaO)!EU{U9l21L+HD#0M?X)|Q zOpf!ImD567Nz|AsFTeMu>&rB+ogJ^BG7BspEN=|O_p3PVIo9&+W=iVMs_=71@~J}i zmYkg^0xmHv@!-wzC(>;3!w|=s7d_+?k+DLKTruZVlL*y2F%{^b_*v*yQvF}tdpn)0sn?Pk!r?|e+uJz5lM4A+S}lMdKBLuKS!=hJx_*I* zda^quGB8H@JuXiBuIH*!QF*EQni?;@sg^5K`*l;-lC;U0>n9W`JvB_gyW}@mzP|6KcA%3+hp8vNis9FNs*|~ev-nY(%6kAH!7Ue zTas=@W}8C&Jp7iVLD|@xxm$T_n{vNx;L7s|dhV+gN71FC_)TXC^-yB~Co$iFCD~J_ zUmprtF5--?L_zW&Z%ObA($rkwV^>0&IE3OJ%Q-eXYqd*s{V?ZcBp@7Bkq9j%VpmpC zq;Asr)XC1V@WR7K((1~bo3lD&ftz2_D0Jm!RH<}2lWnm(lUmy&W?afim*V6t6nblWjFzQi zh}0Ih(-o1a)?xBf(Y&Gkx1~ETElr0M?bUBtAH!mh&wL)awaJ}3+u6Y%#m%zjDjnuT zn7`6DCz4$rmS({3_Q{Z#h=4;6&!+|>t7zVP%jUff*Jrd-T{UlCyk8zx7nmAO5Xie< z<3qup&MfQ}GRmZy$6r`FUX|TwiZkYT=h~Zrf@vHWTsIArh(*w=&Qa@|`+ckgTJ;;7OadJsEDoUX7vKWjPq1QiStFIhc2gE@yAQt1ZKr) ze*J<{uWq3l*3u|Z%QdLedNRU>QXz3_rn_9D!QqN@^{2^;8U{Mh0P|u~=Nj30*j&IV zJ2H2vL#-qb9Fk_tjAF!2@&m85Ur0kh;mT^jFvsau^Uj`U`=I!q zQp~EiMh}nD`o>oE3~*^!4M!x3N^r!vRO(OeX30?ZhcY^RKs&Tjl9}N0^dz5JmoGa- z_+_hiSo&G*QG8)1ELY0$cU*ELEd0}gDPt?5XUaA4Ty7^SHL9kyR*%cgQjtsM*xKI9 z7%VD-w5308KuI=3k+1jlitF9Rvxny|N% zW9Bq@iJ|mMIK|jRMZ;lL+}ma39gHdlrPMxQcew`^)^SviEa`E(p9wti;zUPh$n5Ff zqL)nCJqTEi|E$GW-RU&VVkM+42(@dU7Q#$R<#2?5FHS^}cJh%a) zncbY#5OYa_`y;1vuMjKPh`tx+nA(z6UCmYurKBgQ)0J!2Q?3inyVLT;cFK)^B{FT` zTR&Q!bJkaas$>&i$)db)F^ALR9AwhuNpDXmxYf4O$xK zlXGr&AMq}>)p#{6EzXx;`(pM@x8zi1K83AUx^}bj#$mRG~l|Lcdtf?i6LNQIgS0N|NKw)Rd#9a^V(d zK)-`(dl)6((v+LD+jJHyJKdf{X!$7nt6uvBHe$Dp1!Bcy)yez!8`v66p9gIlh>jUe zJ5ML4ZBC75gtsv3cl(K>vYCJFz?lA%BY z`m6Exa8QweF0olSNf6JQX1VsMpN-jGtmWASA!*MJMSG1vQ)_jSLX$Jw^Y^=Ft1>^B zdRboy6y4F48*$m{$!D9~VT!%%qgrOPfqnX1FF&BG>sHmwi0#a+8hMK?>l%dbF>ZXD zF*PPxi?U1}OfH*kqZv5QaC55Wi?Uh<;PpwYmrl*9ApcrpzM|d#b zmrh`Eu5+%#pwUGiPmIHGhexwtG$^lh*_qep_(GPTiAieUO>>wdb_}M?NhpK976WZE zNMT@MVp=9(|AQFbK@k%jjErq1$T{*6<2h&+2KYCy-krEM_dd3}mQJvSHBdupm?p|f z>gvf;Gux(ZXrU5-d#XJ?3jLqYar$(2O=>n$A+E!u+p@9*XHY}yeM2!9RT&hAa z+{tFzSCg#bW~$~$kuVXVFJ-zo+|4T)j7K9s5cOtPgK zFlRx-EixZolNIi_!|pya0&lVcnVg@5cg{O&(hx}Xbg~TXq7-dRLUypTQ(l%o)fgM` zLNs@6vPN1FvgT68qd*|6Knp<_jabinfC}CFz7s^DTsD_w5z=_e)PIaH;rP^{Hbl+n zm(~1?Lg*K7-47$JwZ+p;sPho@=`^jfrfCesq-525?~miDNfBnMmUEc5F*kdqevZ#I z!&)#v^oc&hk4_>MCSEfc^WbZy!$m4dO(wHeP8m=qn-nubKEjee26o#1kAv>I%@kHd zHgwu_Fvx3v+w6laQtC<&LLI!_p!?C3FMmm8MLeaLj8gA0CN5@P%a){zTe3@AdC+be zQ>RU4)cEL7=eKgTq%9K{`p)#!;=OzMwvN5x`Kn1ft7hCmi_J4#tCQJLQ7%3GxeG(L)QUtX2MSsr{a5!?<~dSqeZq@UN9Y31nnNF& z2}0MFu57WLu{DW(GH~y+Yh&BJZt9IOEsUgK6xY|ur zqx4ErTc7u(n|nFG)@r7NjI13M9V=a}ID&f`^xDfy4~b5PhJ0E@@WnHG8H<$-ct*XU zrXAe~f?Qa@fg@pz*rvX(wq-C#&1KDumzX1XRq4pCG&R_O$6 z8Ug}mMiJ#I3LEcSSIuL+GbT@ry2@_*RLb^tn6*~xjJJk%^Xii-q}lUN)a0;EHzbjA zTilo?&QM;g)}4mlZf2_YM z-Q0FuRh63iC>EgAti^`vTjsW-LBi{#$#gX2!Nwb=XEkw8rbpr8nu>bAmo)NWiSB%c z(*zIad`DkWCilFX`QDQ4>1mhQyiS{`4@pb5q-QNqP{9JP1LUz|0Sc;yA~%O742CJ9 z`F&Pi-&ruHSlj_LWwB-#1dW2beFc`GYYysO!uHa`7CB@t3G9e2kjr{add})3{k|^IE3kwb&|^^A=}~2d6&o z&d5ut7VGYqKcQ$%7*-@R)#Te882&`=nM!C#u{4~(uVhzzE955iP#s!ix7he@gy|Er z((&|AVN(Emh;O z@Ijn3v3~j@<33GQyYlgp@s>{^wlG8VdRO~!eDWmVOvl>>;5JDQCbV6%FVF_w zteufRG`XV6*9-aYjcwzKT&23-@6$20uLZ!d{OGmREa_pzjt2FV5CTnmSGHn_5F3X) zLdQH5nBSW`NmffpKGG*p;Yyy*D1~R^DA>E#W0t{wl-i|#%eOS+w08a5P5@w&w(fQ_ zI}BCCY8B6Z?43Dpx@jFSXXcXc6@=-a!eZ-j6OY8yTs{8I>D;;A9@og;tF8iDeI3Kq z)3%}Q&Cu_+Cs|zK)&7pfEDwqlPn)n|9lpTNq(x9AnbQ*sglz4yFPUd_<-Ux@&2(o8 zQ=e*5s$()fUv}yX;fz7C{=oZl@0LHT(~zccxV*Coxy6WuI){Z8j@1N)1E~N9ngpqr zLOX02Z-Ay4crwxQZBE1(0iR@hoAeyEHJQf|^s|29&aTQlz1z^E%)37DYb5*kPKWHd z0yQGy=g{`^O-gGPd99Y|?#DAwLYBG=_KI-_-cbzcw_ly_%7B?3f{B~LW4k-u%VuPE?;~msz8<~Ibu+;N`s?PltDlJZ4Ux_(RuPbuzM#7y2(72 zBMmzdrxO2)YZYuJQG|T{}fF-DLFIX(c2% zX3-xW-Ux9|{}3~7pGL159~-$hcCXh@>s~p`5II)fCwcBLbdb0;j`6(;>Q=3B5V|R( zwstz7vw^=HZi~px89H>d@Ij(lSJtox_Z?QdFMecbr!HtfE2-bHoGbjseyLgYvhC{? zwqj1jbj9w?O*TUUyji|jMuz;)&XU}(cGp(yF(7d?wt-N|AXQ9|gxzs^PK zTXv?NyG%U;Nq|Z>YR&LQ4m-3ZK{a61dFlBnf~q#tJZ$A-{e9~84y8l)*4*2hXEoqHa7cOss=h{ zuypU=!ky(N7Sy{h#lO3x!#UOUdEgW2hxuon@3c>lcJk+r>onnvm zl{gfl!+O<5|7ceCU_)Ny%GhX_=KYxT!aWkc&B_>`{yv`FFZC2TuFZ~4y;C^J(=aT0 z8#QjTFto=VGC~|1=QWU>e#^(kPQ|eE8$P7GR}%YQ+U$(##TX;!cJokUgCtW5;Dn z=vHUZ^BC5fE>J5q3SH<#({yQUhh)yO(9F(&?W*K_or`cMze8HBt^5g6{8Y=m(+Sh$ zWm0FUG^Prv6B2fJUTQ^sE2?8s&`+SR`g-c3e4HIoDesPzS8spU}Mr&t^)Z=|7Q8mvL zb&RZK=ciF#s9Oo?PS>n+vKtQF94~j((l*@|Qy#F4lUUG{qT)EGpx>G3ma&shL^^6# z#M--E>m^tkRvWCRxl6e zJ4RUNjZ7~~Ja(VQO4TTogLEkGq(i5%ef12k^=rMpv|*0nl+#LU0{**iQR$d$QlAY| zPi2quXBW8@P02Hmbw2VD5mrfYZ0>LN_O)J~VmL7{KdmHryQ zVB-$mlU*~ZgvCrs)M=WNi*bs%T8a#cx3uIsxp5|52P`kcomfz-rY>XQr>A$nxNc69 za1GrbKY%cwPl~!e=AJ;w{M#A@TAetiRF#-FQyeJ|lD5Kgmd|=z@5MD7E7#XIp|xlF z%+A8ng!LGK;JtbC#`$jC#g7E2`uT~^2xy9q+4h>|C+SpeV~*H{gk${?GAN_al~Pq+ zBLZ!D9Wcf(Zu_B-^SwLo=Z5OB!9~RWqbWSJg-ZQ7K{SDyIJXH%e4KY%D;!5T{4j%! zdNWL=BxgG7qy(v-)|5CW1s_UN^EOsx)>c!#t?q?M%YId6Oz3JfEv7=E{8hS9xtz`X zb}=cb4uFZbfpFIw8?QdE2Z8|T0!dZ@)yAIJYJkk960AA#Q0I?_{a!`?_?L$>G37_C zvHnL_yyjC}lxsYE(}8f5eG?o#zcI zXmGfSvg7^svC!%GfDZ9Ea+Itggq^0=k^bNB%FlR^6fRy5`AK*B2_NvdLn(v6)-tpQ zN2S23SsHwQYT_dQd=?qUHx9ZO9t6eM(ur{u5`KGEB^!&0H>i_e21W96e(F6Ue05qqhO;-VS4& z{{+ET^rCtUM7sY}(f|Y|mww3?ui85x(1Yw6LPrmG_d`f?q>peLeyno^F`C9+RS&V!N0PsC z7y!NK>c)a@;at`(Xl_h^QXkWb!aq#Ie=Z(qBgxHt*Khd)0CI=E3H+U)=U6j2hXAqw zLYx9{NU4?ZKR>GMqF-br(-Jnt+)IEJ8+4mM|3tOJApIi92SSVs`#r9Cc!3h@)H#&N z1F-s!&l;jfq&S3xgeEII4oeYBx+Chlaj>)rj(-7>wTW2vTtoO>K<&22wo;rFWJA?m zGD=s~pgi$^b1)_F159{) zCBmX!s^rCs7iD!7J^O#%;~E3PxplF*_zRkdeDH#)$J@6oA$TX)f`A=N%f!TF&H2}Z zHex+|@+1Y=qgtBUFexeF;eT*|Uit_M1xa7GmkaIxcu)XEtHyP+%ik0hcDkqk_|IDJ z3d2zSp?GNYfeq)oY;67CG|!6x^=F5LyZ_KXZ>1}YGBG!CfR|CL*9EoY1ehuO&n7FQ zZz{0V5xQ~1LGKQNc?frPiAHmRL`#4LvUVpZMbWjqE zZQ?ZR(X>dywWzNN^2ha*yd<3@rtm?Dm!LI$jzsne9vUIC2?zOr> zfz$)S=jP0j?SD=`aZ%w71$NVQ62t-K)${rD`ZJy|W1*p;CBkbW&dmYJsiuM(&%rUpC}0+Jf4QZU^A{PY zKm-NElJs)D6u?Ul$niEWVp@NS4E=nj&jKD^m=-{*mqR8(=9zT|kS9WGWTS2nAIjes z8~*V;Bl&`GVhDkF&6Wmodo8nnwr)M%QOe{RDFV`b`2H(L)=EWUj1gtP*C|0kj7?DK|K}$;uhxtIs6`vb_)*8{b&`?oP+W@nbPfb%AsV?yg8hQoZ{>v)S z(+4b>9|s3$JTRI>Cc{ki#1~bD=U=SkQanF|4 z5v~0l_G2ZlQ4axw8*$P~-2`tNHr~HDugE3^nOWGR=d0qfoD_VnXdIlJ5_)(@<$I_9 zyhjBoxjbMUX|G)AOHzd_lsNA#XM#sm;?MV2w%Y-`)Udb=S_wR4j zUGT&S3~cOHMBV|kMXR0f$^bas zhS6-_$B+K|s}NrDK=dqu+SQRo_8<q^jNHxI4a8Hj-r&+Tm}{$l3AE^y=!}$>h}6}V~mZuS-NX=_txfv zz?27M{FO(*bp?#cbY}5o8f9f=7onCt+7_HvdF1F(aS()~l8(G02O6kJ3Q7J7sVcH; z1`Q^&@7NDEKEkEwtC7_CuW#eNhXI}~qTss4h`0d(gk1z`+Pz~wFD@%mg2s0Xuogij z(tCNTT^zIr$J#cNe(27@9u|?J)Uje-{4Yc|vW-?zVRi>922sJMJz!{efx>ygV;iJt z(1g3sXNHRm!8McR@a@iN5Z(iODLF`-81}#$6o0nryZs4rSSpA>nB3|Sz3ra~=U-pU zmHIeH{ewrJU;cojxDPoWiMb6=9KzX)vmE|}PeMWu^=&R6dz#vnWOtS3Nuu}f-%~+| zcjgDiHey!ey5G}-2hsMl_8vY?K`&@kg1UN}$u)K{gbxO? z66b-)U~QM(cEFRuK#|)%{+~Y>;{yIuAD{1*Ty>;GuzAY>Gi%>nY@dNp2(QIQ-Ox1= zd4%M2H?l=|9fl&!s;ug9`a} z0MKk|fe=}5X;AGi6fYG)FR;Dv092sPMqfOYYK(5<`3b^>I8YSoADi_RoJC+3Zm`eN zO@sIKl_;a(QpZYct-tk02DTrqf2Oh?Bk0f$i-opEmRUcKbrp1*YT%s4LI0$h;&Tc{ ztSlvHSwi-30U-$J);Ww%*CL8BAc51Wa{kFdc>D&#Y0vq}|2#d%n@|yVRA3u4b0n%} z$D8yQDFUjJqKW$003Rv{tGobdbrEpcsyhM_@RHX3d}*!w8)ZFPklKx$R0q=VLE-|- zmB-f*fUL$?y&ZQ7Qj z%yCE4!xFo0n$Gudx-++|ZO#d`%w}gZl8Fyj0b$=^;^N}AePK8IEzoM5Tln&Xq6X^J z`XVnP25RuT&c1tu4n|4%cY*r0!QKTj;?KOj0}*rKV_hj=ic(x8$ounE4n2VjapQ}q zo(RTzk^7MwWXE`Eh2Q(s#61<4E4gb)C;#U8%NkX&EQ5NcZYu-!J=(<;%N94Z7J7@7 z9>r%xq*OGkQGWejibqXGROz(Z3#6t3UwGQmi*=BywyFWSad=ab>nzcFp*xp$xvNy; z!nVW^w1wGjzeD4;7;+z}3u)bcTLQVO>m{+r-_2xy>^JufR3-J8?=&IKi)b_eorMAkJ`5JZFB4x=8F3$a45i*ph!LHzo%=FnRyApaYG}JTb%c}s$zWxZ$Q(|R zNx857xO!#!q&~?vc@$~*4mCAzQ3a7PsJ_KZTtxxeJ&@e1$7{eQq9;5QWAOC1;8bu^ zkbR|O;T?8f7!Y^EX+Z_UQc|bQQxFSncW2(M7GlB(=ybk3FYNOfTqGzFpIs~;UE=+B zO9}45a?d2Y;A%D_Y)V?ROYfmm*EfBkMr2(5nOIm1VoYDx;m~UpYv@n}pMwmWog&|S z@R9(>`dG2~NawwBvDT_ku}rIv8f+rz+CgvS4BasurZ#a{^dC<@L4~@>lZ)PEuhmch z)b@^>^D_MQ?38|19w0zj4Q569GJ4xK?o z;v|Hj8Us%L0N}w^kF3#%r!N+c?9$8yk>0bqY6OPL{hn9%$b_ z7JEmT1h86h_!6A?n8S1_5 zae+~|a`lfS!7am<)ZcyZs2Av<0`=!8flZ%Ih_OW_v068Ho*Bng6f(Ban)t*s9`1xq z#VLr+D)46mg}jKX+qmMz5|nvF?{+uYI9cq(hxuV07g4GR>@?59Svm)x<0fDN-awJ# zA$zL-VrsCw9MAh<`fr!`5E*Ke^Wrn$(6!9eWjFFOfH|U-S{47!viv=eYB60Y1rKDz zak|&hk(gr|iniH0qa%3a7lF-h>zE?Z{tZzppWql$1KT>Yfs){4tniZTBQ&{Y{c6jq zUiulhczDD(3S#MS`6|FlyzFE8rd123cp>$M6HTxEq4DRCVOSArE4BP-;vrYThhA=U z25G*Pm(M{*5UxuTsmxsv$QA|RP{BzfRi|mh~>5a0C!-<-F_aSP?r!e zY?|QcZlHIJIWcPP0fGfR_hW3PVLOh3j`E(^8MsRutbnIYMXnDjh<3?<$hZm4G}zo~<$?qFZ)}a~N6& z5hS|f$^7!nKl2EOAoz*{w)_(~sICmrl|%$uVU&7VfiF6rl$bT>%;!JQyM^J9Bnb9? zy6<~%7PsCF>TP+>(#=tIntLX7oj?h~j9uBZReh3p3WfQ2(@-V&onDx#hAHpp_Quk) zylj-;a|Tjua4y5kBL>p@9d)};?|@lnobt(a^U~IA9+|Vv7ufdf2{dhVSdgquHOo%e zJlN!V@e1S;5!a3SQIL^Fu7bjF|2>cosR7~Fkcn?#F&8R-YD&T0mv1#VjlNzj&a^lS zxx#@!Ur!B9I0pDID?RJBeM22raH4%l5vlO_p*t5=YGj_8CpvKemzK->GsVJD$1zTM zfD&RLJ~6%-D}ZXtage@2kkD{~b*G;f^y_CWfKS_rd zc`EdmZ0`cM2V$G!((vN^lN_`D9>bl^$&B&(FoTW+E-vIW!R4rz&a9gC;TXM@nhtp? zEp$laQdL-&zD!Q;&aev^9+C$gMN_thV`6X_6+3T?27Qa?A1rmsPh(VO>^iz&IL5x8 z+fe$EKy4!z^RW#4DX2aAjqSzP<1J3Feqw26&O#W&swk2kJDb>`Sh~07rE$fHwY$M$ zhr0H?7e;|5C1+bdjh3H~~FABdY$g+p;f5Zm^N zwz@sAn0o<uuuyc+~*G;ImR;GoK(EG6t(vmE@6|EZ4eSdQj$ps zmwit2r7d8i$=-Aq)UNYfW{AO{>TcfaS>znA`b#k;_AcMnQ*KEW28}E~IPlu^N~yGn z0O~O^9tE4{lZ-}bV`@+sUIf)=LficNdHQw1XQA&cZqA-J%qb$)_(Ty{JLZf84bSZ_o07Eecu)t<`uT%zxT6^Jaf?#-Kq2}s#0;ByUat3EYajWg z83G}c(hy~8$>pOrS!=ux|&?mXwdv$sPma#rMj>2ub`Is6=hkJ)# zwtSc8%QPW*3b4k3P?gkzwb9qoOD>x>z2G2F)E$r7S;TotOdO8=2rMPnma*GH<%6So zAmgRq^y&x;sI0Z@jw&!3=P}jy#Kl3s*&j-{rPnB0VA~Y{db+hB*q}R9;gOWgRT#l} zyp~>xB|LY|a~y8^XHxm;!CwnFM{`=#VAjUYYo9&f^P43rG~E)J&v8}m+0@QEK+ z+<60r=aem3LgLj1+xc!@!^On~t{Ze$E1b~h>~XFY6A3hAOGJF*ereyrpJgLMS)`++5x7*%E=1Vc{4TW)8pe%9qQj?QO*(p~kqV)6 zLze@?Ay9Drg~hWzV!8-kyVYdZ=F@1$*VTu^vT~-ICMKVO4S%`-Rzsp;V9vy<}>X;shB+-snrF35Cbt zsqq2Q0Fd|kS1Fb+1@XjO;QI}{FgOvP)L;M@vj3m7)LCq9%1l^Tvv=yRB=UEazo z+ni!xKP8qAH~}@AWWKFqLL{d+!DVFw1l4Eo#O+kGFEMHq$Y2rD-s+WRzsa}w`Fx&j zy;O=Vw8T5|BoF)C^d&b{&u7!=z7%V5^+60rZ{W_$`-qi{vbIaR(tEIZGpS8dZ8EIV z(b1{D&Or&)QrsCEyC*Qz?oJk`r>)O>kZG~GY^VxTnKw@&GoVZKY*jt`j;c_$H9U2r zn(buvPGizeV}|&dIIEwP&;sKBxc!xb4Fj!2dT1g2J-*fX3!2vPPJ@XPCs23k7Dk4p z#kyu#o)x;#coBAHxJ4S=9F0Q7%+TH=rHZ*WG=~bqgm3%{`94h-<-k-WQ|aFR8$o`8 z2O8=s3bl|Yq3D89j}j;1Y?(9h(($7gv9Gc$45DtBZ#LtTkukze^lYst9dgX7yx9!T;nchgi#|s^vG?yltA(*Rr5x|u()Y6B{R;1 zmBR94yp+3-Q`=7BJa0Kfm(pc0la<$fG%hK>h(?*C_GM)8LthAu)!;Kj%k$`sVwPSl zHA&N0x?Ij(S#|l2#t_rP*!zW=AR8P_st51I;ZC;mIN$3d;`NxZMGHmvoV$B38d922 z{U2Xn0aaDn_3ynjii8*-0#XVHNK0Qtx|Ebg=|;N4RzezSBt^PAETlU`Qju=y{_n%Q z^Tqq0_gib0Yeoh*_nhZE&))l2r=ub!_us_XKtU0d_?$$h9P?>`fAqWx3N3mAp(eaA zForEu3ebe#pXpN<{{G2O1y?B1f{R>P3z!i+&{67q?ERch`lFzBxpzbGp_7+JHMCwu z7tWa^7uBu~-mdpKB(rs>$fHQ3I&bw_$U7Gz3W8lisRSHujU@I2f$yfvrTFx3V0bjD zp{V^hAJ!AofSRL8OGGFf-{0qpFF_GYjp4A1jW zaV$9Ow8&71QE|M!|F4b)<9B+Mt@8O6i#%U@N}<Bet9 zAHR_2Tai(V6ATcN*=Z!}+_YXuhfdr6P;fYEkHo&z&-qa9S7)5wD9kEby zLraSTd9vo0%W)Ic@^pvF5~FaWhmseu9K$}SV!140rR5y*d{zfL;vDrCopmG(lOGhI zxI-MQ)^t^V)q*9g0CW!w=PT5~Kh6E;vx~p_7uZ<0P%21r{LZJ{?F&MCfIS^CCa=5^ zY|lEPzHv9%kD}rO#UU_oE^`RI^9_parVSB=4Weh}TQ}547(?IhJ{Brsk0=fBs*3>D zuep=#w)QKG_j!IgEPL4f5I6pZ znUf6^KD%FSRGbsUeDycBOQN7bY(er^e44X+n-?NnAo2BlJCidQ-y1IoIM1u8DDE7( zY?h(DdEaNjB&<2u9l&3Q|0Ex3siSC}cg3=_2AM%x|a-D3wrn#%afzBg)uUVYfX25HZ z=(b6q$tzw9_lpiy>+|N=C;k-k#a)$LI|9g_zVCCiYgP%qgf+qW`nB4KpU^UUaONlE zE=(jL%{P}t4}&{cXtyieYYyU4eI6LrzJvBhFeK~`4L0<5r}vh0rdQuk352mfhu%8& zBfs`5ABt>#W`^iPS*+yOFAI4ki7sh|QIyNA(hl~&_ z6ls-y{g!ibO4-_w68E<2`=(=8%ZRW*pk8{_aR(z#+Xdq(!i}U;jc@!;W3xXsxOrUQ zEZ(mMWgKK)MH<`ai11~C#x1mtNF(oiYQlzZCazk@miw8RVvqI-g6Q?6D2h5 zWTFV7g$XU>RlY|L+DXbMavJ@PBE6o@PifwupdH{{padIg7*TK!ACJ5m5D`v_F0M@Mf2+9Jy+k@RJiw+>yNeyF|CyuJ6Lkf+l0W!2Yq z0r>o%GVeJ3P(Kt_pg~3j-Ko;@yMLxcdbPAA8%|^IER3I4LhE4~#<5fKCF2}N_l7Gj z5u=aTlPxNy%IpvK_FtKL`7kFBu0-}~9ynN^A@nc7=dtLy10_`WY!@=@153`o3uwQU z)3ed(FhYq2QPgnVjkBB?`b!3>&)b%UZQZtN5f+IK}`Lw*g00zX`e^FNn$ z2V9(n-g-eVo6E$y^#*e5{8>mI)@Vj`glkepUuPc8R*QT9CHsRXc&%&E`eB_AgFDSA zKV*)ySs+#lh0=a3zHVR(eHtG-1g0Sd#n9?_qg?-gi>^=*_pA#U13y-t(={eaf zLR2}y?B-=}`bUB$<<5T3NmjZ1+ZxqmV)N){{3uJo0VC*-jWG~G^@%&b+i zfbeLWA2Rpo&HGt28kFEH{-t=4-}?Ja?%wXqBp()FC2?V8Y`E65<2|f=XiN|TK~Ofc z%tSK1SV*Y!@S|AwHORCm$@ScS?CsZg*w~5x*Yy=*)^sb|<0LeQsjkcKi!zl4GTW5S zZg?hnZ^a0RTFS67i56D$O_yGPoWkW z6r$6O^YiHnhy3c{s?ubG#3V7_G3}|7q~nHfIE|NjZ#ysiP~Ql6$Oi9Tq(PFGO5MU% zNCZztPwL63HlmlTTxwaC01cRtj?&y?Tq(u3H$Rr`g8{R3tE)~|XNt#VildyA-X$Pz z#$-c3Tln4VEs}A303(A4V8p$~RRB1?b%Z1R<9&_GN2@s>?+Ml>M}ZC3H36J=sfCsU zY_(Z;0(|a?LKLTTwfkrpfLF~h=x+1rXQO0^BqU$0679JP)n~(HoF9~^^kG~v=JCtE z^pQ=Gt&1s2MmoT~=$_MN#>WnWmE!MIM!|}OSmRUhSxNU-n_BiF($Qu@X6`)o@VzfR`4svMb-XKTXBv7-Y&AaUf zN&)3F#k(toA4@TYOOnT`uXcMZZnjZ0!S)Dh2$FVvlk@Eb)&^vG!}ZhV0$GQE5u2Z8 zad3(+Rs5Ee7}hhnR4kp9w8fFm=zDa~GxpY{nMFfSHfZ!mXKyDZdG5-w_TFI5&$;C; zB!6;36%AN*h;-16>ft0WIqe7*o2^5r!+VNMyB8Z_+z zqz?v|fR+vF*1{I%JbXopV1H^JP_34n}}4P=M_%;~kd1@af3xT~9CV17g6?WRmByK=%t% z1%&MwvnlhY8$*-L&|k-U_@Oi@btW^>LvABfw_8CI_Keh&73l%bu)_t)rx9xPi`()6 zNt?Ub-Xd9Ai9)WnDWm%vbM$-mQb&C>MGO%p7RU$~=zsN1B>Qgf?o+OZ2a(3&4 zR7lcn*M=_X!_VnSJ zR1X;y)s5IjH^5(1{^Sc4t9V$;ZS_{0BiPLH2iHS$&*dB7Vjc?3VT_^+aLpHwzxx2X zU>!OeTc;}4WUq;oM`4FOqO*86V$bRZ2w|1C;qKC)eF23g z+O-;2-|Z(3!Rgc7)yex@2_INHah>V?{ED$RKTe#^u+J~rgGIKZQ!ewVv*?`v;mz5Wbb;28?BA88(ilwZAJ^_KdrK{7dh9S&> zA)50=fhZ4tKp2-lawv`DV6q~vH0$HvlE(NhgRcomei78_!zwSnd49xU)x~1Rq|3p> zAoK_3k8I(?uVkB&E5hX&DA^6V%O}66MgzkgD-1#g)8oh7xXo0PxD1a|Yqp%aIpNzl z{R?e=$VoZ&sD#3C$tJ0_?rr_jX%G*GXSgczUACP6W3GlE{?R?!i+V^et#V`a;b$qX zw0lO5z6ql#u-iF6tw2uG8H~S^a*86&Yb~c6=;f>0{tyqL1yNBG1-^o%BT(#_K%(pP zf*@N`#*G1snLpF*3#*rW$KLlkxqomgvQZ9-aj7*hgrD`QsC$lT0vSU>Y3_b}Y8KIq zOr#?l14+B(F62Tp%)i5pT2Q<4S6aq6$quB@OaU~`m#NW1?c4qC2@jiA%iqtHhUEPN z1@S}kO-n8l$U_IR1mvDKMG=kRRViOQygLC1#v&6z%J{yMX^p!LRt7_Z~@Cia1 zzL(h;uM8FcS%3GW$ZlMe0!+-?fX*pV`%Vj6mt&&RE>lm8PaEMbjIbwn_q)ok3qv0E z9Ef^`_}jIU=RVMIgIV{}KSO3ouat^28F_g6awXV-!;N5a*5S+>BXY_{%;Y-&EZca_ z&iqzk<6NhMIFb)2g zaaX+GiDS9fxY(?$@Q5Hgke9;5=Y5(G-fzLph4RtHkj&!%uUiWQM$Q?fCRZOpc>Q@3 zA0|`pjNyC_qB-NX7R(9b*gg@{c!t8nWBWz=yETz7b&fN}K!!@u@?5E25uM?^t%&ay zdg{S|z7y9h6t&pTG0--o0WrPoqa|(@hB=m5KC=S$EJu5@?worX!-9vjI4C=^TV@A8 z-)Sk7kaI2%P(enZz*K4;2j}#ua#8#q=aY^L^8=eFAR?8^by-(BZs>$-H(`PR*I~y; z+x4dTax)$DE2TCICL(DFpTW-;pS&$mZ+df{ZHU{9503{@Ifuhvr0(}dB>B;n$Cww*3I<|4a^{Otg<#V`iKdG%j_$Z8i)tC?RGNk zA4Lzp5*FvjO19hs*!xW&jhH^t`Ql37k(QRP^V&@VC~Z1{8yGLqZNA=j-+hC`fPII} zd3A1_4D}>jjr;yGHh~+T0i`e2=Ss30uVWKC+z7WGs~L(vTFD8OQho9gro7i6R5nT_ zJzhxN-?Wtwwz6R#K-b$bBzgiq2NePudduCZFVu3i)sX>;)j&=tBq_Y?@E&QX5UK#u zSPxM4hbwqrdjpPT%2Pcisas?$o265phrH%0$rw~_hXxpeo3`pBS;lX*YMfdm66zEJ zl==-Le|~-;FGa6jyjKSi*?bZU&WWVo?aIq_EE5pfChB}c~6}U8QoeRiJ)A7d@1DeZ++dlpvQhM7fG_P<*`}Is4quAym zQu_nhA5G9T{fcdTe;!3lxSCHu{HqtzO0o0& zIudLnVKky0FkS33k&Pk~JK8a-SsG~B+gvb#9wx<~M3A@um(hF|pvEaEMh0xBi;w7~ zXta5DK8a%H--sREeDXA>+P*Cz@OWvodhm=Ah_~Mu!|0=D;Far?rS>vBuo%U;hzGIE z(gC;H1OOsq|4$g@2xMEgLNs;^~UM*bk?7EP$?0p71jNxxZ5GbXiwz7x;?0Dnjdr;)MV90=U_TA3X3I9T$L=GVmib_-IZ2E-H#BRa2)WD3p209^L(c+wV3sqmU1EWJCK?~7mKq6PLIcY26a znh`zhasf|SqKEGxuCB7ZMb3GBT5%52VFhY69h?RBd23m}69)IJ@j==h;e{LKR#I3= zB`X^CYVU48YimZPB0s@dfP@^7}b9lxMO~DkqiXFgCm%W=Cbx zD2`;U7H3l|qQC(a7FS!X;~m;8y^W3;BNQ?A$(ixczopUj5th{emrnPPjZ?-&LSzH< zi>Oby*9apOeKy28sk;qFkT>!I(WxHhshkw8U>>1}sEG-~T}b|#0wO>WFlV@}!c1R! zOvjkzjJ9Xx=A1u#s9gMQmQ%wW0<_y~s=Of?e%e$qAUDPU2F}KL3s(ewEW>_e3bHX(N1tqibRbEF8dy<+2*M(QT6OP?>w&ypcKk01n2CH$F0XG)+06 z5_R&R5^3B^)-9fgO0Z4v%gIW z1_e29kPV;IPQurdedDzFN$1Fgwxd~BK8|%E5yvEMXyyLgYpr`COuNOVym((@hcFE$bE6IXK6er&6T|xf*e7Iwn+}Y(y`5)Xqvg z2NF&(dxyp)Um+{({)RBB*3QXnlVTdGu>pr+g8^c|c9$Qj{fkfT3vpq^sIE2ca;xroItnfrh?_@0F=55@Jbl>)mDE+){PGfEFIu^tRm{;IsO` zN|fA_OwWc8jXG&4{lsKl=#6SsAuRPsrrOzqx&$|W=}!9ArkH3J-32lqa;c1wfb@K@QUI2gd=#V z90xwACiZ#|!RaEk;Tj{V!ezb5Xg#cK7tg&SU)?p!{-~)&vqhYsICJKcvFh@9^Sd=~$&VJc zS0MZ7j$Kp+?SwLdfc6d<-+=P!kw1*BVn0e!8XAl6(8?Z@u0a6uYg4-(l@Dsn(0qiK z*$g)>I3^0apOBGhw){!Age?4?Mvl@#PR&s|Ih&5_*nEeeWRkaEs5ee5*DwnZNrOsf z|IEP2A`jr>xzbeCU*GY9X_?ss)AeCqHMvWV0=%nM7jyNnVSI3>euz^SX1BPy=;nEp3_t(C$1EVNZ)nCj<%gHGRoJ$ zee%*Ak}x*GfgVtl5=>-|JnA@D;FvU`Le_jfJ~9OG@%|&b`}?Dd%4+^)$hllsb_d>4 zdmIPQ$;EdezNt-NvyO{tZ_dXbhO5m54?d?st6}Pw;InLfNTeZF@-}B)3{%H>q<{Ks z%kQI(Zn~4b%9tmke@S<)BZzr#^edDxcf}j>v3D*$H%L&zg}tVZE?KqSVvAl;Hi2IH ztWNoGsnxZ;0**br6s4qcvrcO6?2nK-ZFB7KA$qBpWlqf*5-gRA&bFJUe!NdP0!1eq z_Y?InA)&cvKt5y8QiVcw3T|wMmihb1%9$mR@SK+yNmj{F`xfhqnVH2aiMaBXjXZ3E zSCVk=c~k*l!qLob9ulFBuTsL`2Ca?Vx$7!vFCpW!DN4O}ejIAQb{nLK<6ApP!I^k~ zV(oRXr7yM*=t&nDxg3k2+h`ry;?ST&_sQaF6p$M|fh-_>nZIRoxcrXYd{3vq<{HE> zzvX{1Z|1spUAyG{Zdcn*L<3nD#{lr-ZQg*0SEwc?uZGlXJ82+yD)fUo*6Eks2-2X> zlFXmsW#q;2-UP0p2SlhGOU$FUX*XekrjG^E!`|f2fa9|}brI-`vMGbSO|TXurkz|? z>h|+uWaTm|dy`+lX2nb*>2Cl=6@$xvr94c`RHC@mCzCAm7MHKqmh295YAX+-Cv_Y!Z!;=Dl) zD_|3w=8V+17cbeGSP8@MFbt~2D#n{5mf?TtjK87x?0$~>9*=qzYJ{ew7_|Kr#wpAZ z(u=QsW#~hsuugrV!uLA8jKvYg`Xn(k7X@F}h4#d~WZIAj%-!c_dNQoF<}_2E3#+8F ztgOk37b0T9RX;zaVzcvyN{=7=iGjFfO4%&D5LWaz94EqC?GC@+L!~Oc@vgTrkXq!& zhzT(6*U)JjSl9`Iw!gl-Dx2HMsp4U61;CL$_Q4!rumyaX^IFCC0H|!P$!1l@qZE>s zlB#0Fu#_G?^u_j4#}tb*-q`whm%yNSfOjDx6Dw_F`(*C9>g*5raDeG+NYPTSd8b=p z|M5&blGg(W;|^z=|rCXuN;HEx?e@>&F`(=zdqmH-^cp;2rFe~Gj^ugFYCk(r7D z%tCbsFdrabNfw}oG?>nqvRGzgfnQe?s0Hq4Gy4q8&G2-|_3B&6TKq0oD$V?;1>3cK zu%G@DI4=s-2Qm~dcb{radwrC5-!3h0kjrseVHaZ8!p}4+d^mgfDe0t`Au&h>KF@T7 z$3T5hjwbK=HIzyeZYQ$)%wR*iWnu-8)MXq5>-5tkRAW<<*?6bAYEfz9m9;lhYURMl zqMb*X^yJGI(i>Be*E*gh5b|+}P4l2r9n1(q(L+Vm1&kj~P=5OiKOZrzFFT@ZJ5%!0 zJXsw%aaAO%B`{V^6vZk5IVtMe-3t2$%tj+u9s4R$rBU}tcU^h zU0PL6SuuL-SuGI3&I0s;P^(6~fW5bzM$d1>(s5UwQNtsqR`}pic5-;JhQLV90;)t% z#V{oLA9bXkjH=!AC!i24Q-UCzR6~U0xJux!AT|A}E57m$)wSX6SDan4C(8yKt&TZ9 z0z$!leKWfM@uU4{jMOpZ*;J%|_mW7y{fw|ISRZ&Jx^+%-VdiCMHYgIJfRPo~N^o2b zJA%{UlRL%tw5EXUSa{)_2ykw+;1^$mqlK(J519hY5PVn82ZQi><0q*l>g`7vL%(4{ zzNjUMbtN}NHRKixw>!j^7PYh+-ER!;`X*BY0}e0?wE8<4)I3PcjiS6NWC0u3zB z97Ehc6-}H>?BRbtS+gYe0KkUyr10CRlB`}s2p@CSTo>S5DEw0zbr&=WGg?|Bn8Rn) zT(o(tdSTL)t7qLQcx4=X6>Jvx?Z!&jU?;j#wS2v3e=6DlDNG$*6Edto$}{k;Z07s- z`|evqW?x&RdV#nzY;{y+&(H6Bg@4kaz5xtQZNtHewFQ#d z7@*%p-E?@4DDBrV1QM^kwCOE4_A$5TtL+V}Xqs)J`#xwr~nhll!<@J++#!1y~snefGOG zZjXFv=q69*%Wy0H`=sm+=g-(A?g(NcY6@tlRIv5U*$ zw~PP~!@K~*p5B8qL6U|bz*G%xbs5_Z%g=?Qk})91#LdB(b%#b9u^5DAdM)!E*9Bri zbHfN+UTu>GKh(f4y`(3PAGc-ki|x(QJDvo0k9n?$tj{=pc}Z$Yl4k1Ndq$nW*L8L? zU)53+V!~z1KJ$h!5OJKm-2d^9or;Ep5pz*d{3=B4?xsS^_K_Q@Ih@_0JS>|l^VnWy zi`8pv!8I9fzTdUTo?r9lbq>U>jd`uNyQ$WHR}P8HiX|JXz=;X?5LCyK&@g735R?3gQx&P|O7Lv7}E5z|BLJwyv#K$&> zaTrXm~Oq( zI1or&b1I(EQ(@6?^0=bl5@>7FcjoWMK2V2{EN%yE5~46Qq=}0^;xSw913p zr0oUwd@2|Stp@txsztGCc6hmE;QilPNH{UK31AAcop8?MsbA;mFRv!sWJJYo;-2hP zenij?c&XAFksOz7w{uJ9Bjvz^+@DSYs5Hfc6NOoVs(GgOHb*RyO|W|y4E5^Mvm=yx*QowW zBlk~NyMuV*9Qiz_pg~iUTvtzzI3PWGpHi^4__s%e{AZ0O+}afp{*5!Jr1MR0Ia4D(=pl28U&Thrlla)N z4SQ@0>1wqqpEfU>n-Ut5V^hY+VM7oE)3!+QR&@jAdzu9e0)-W{?o%c`MVH=LG^{n8cyMB_-Zz4 z>SvP#ZosDEaN9-=xM+FgZ@HXbtJ&%S9Nzkn@AKw@oXxycLnXpDof%NF`R8Tu*KY%a z0$LK9nb3Q*z`YYx)SMIzGWoTAt~Srk35>jsF1&pCG9)riLvGSG$mVjTj}7?^+KGO2 zaGpW_^38<*bKwdzz;5zl!s3EIhUC3&eUWanmn6Vz7x6!v1mf?cHMsWHg=_0s$qp=P zO>QPF@KfWl;=83|R0i`kU80n(f({hHRY1R_kMLE15VQH2lnVf_e|V69bo(M^97&GN zG9;^V{!F!TO=&UVzv0*E4~Ypr!_c0lx@C`Xp&Ghcx{|*X0uSTr>C2=5MOFiqxm#Ay z-;d@r45O7r4^}0#Kz^MAVU>`8MGvCl^+{50p8xb)%aIw_(z^5t>8gi6*LGBB3eoG9 zCQf=rKE8p4eR(`md~$ziQGhU4Pfskmos9hgTZoEpFdwPYU~m(mTTi{ha0S!Qi32>l z^DEkq>J0u)ASPQ{N7gt)CgzrVO6NvQFx^Ban%{OL zgw#k%W>nufU2RIG`E29@zZSLrorWcJR;ADAm;mJ+T0d+q9gNE{>(g#c-J1HDH1NtJ>mAzgFxX zkHe}Q3AI3A;sVYuv0OQmc!v-oxT6s1&A$t?{^x1}qye&w2a*Oz@vr-X*0ZT1Xwq17 zhn-tyerstM#p{C`;CBs&j*jlPLH@CPT1ivtXBtIk%?ck?#YPnVEk)Ye!Tesq+mcWy zC?~^u4dXQWC6)#7{B>a7zAEQn{f{qV;(3_^i#)S^37|Vq%%HW3OhU)#Jz5LD8*w>( zx%&z%qSi^dg|US>3J`er&&pMmEGtHf-uj@~5_bz`-Fl0Alb5i2u1(}D@O#%zz*cR~ zKmt|=NcQ+fn5kDBLatb{{-;}g@^}B^erwRGPAl~6KI;g}R$_OzY*K}WiM-P1(4)cQ zracrM_P@RmQ0y+tQ0#t{aW`zjQYkiRcjEuL8E1Q&1w$)|&V#$rcT?!9ALau#BwSt> zfU?%94aQwlKz8^)Z$3A2^BWU1V46%~K9XLzvHw14v9?U}Xsy$?>G8AEPc620x-qne zXc)yuDcA3)=~Jw|HqMPy$Mxosk<(y_IeNWhIk8vz*^m@J&-tNi7NNi2MNm{# zJI(blhDzw_#<#@_aCf`#{rjfZE zc3(8B)Ju6=sO5)(hlwSXk@Al0)tj)94Gr7poUzptptbVwX)*>cok#{X05+b{j#6?nAwlKTko!? zBo!Y~Jku#R)>WgDu6~}`puC2hRkO_~p?9IY(VI8ziwL9fN@FdeyeAl@W-7c_7$zib z+Z@Z7ZQL2E_t2=qN5mz}{Cg_;5t$jT)M#K8^F?;Okj331`FDSwrO8G!sT8_M5;Rl( z>OShe1@(tsGUy6afPXbqTSy!OEAF#X6u^^_y5jsepZk!O- zQ{X7ktjUlxY)_{w-IAwX{rmoR&R3OW^osMmq5MZ{&kbmnKS@a*T8po|gI?9TX7GP8R>^vB%bj%#7a&G-$EDD0n zJ7C=QY5#%nd5!YFvp3#qq z*0)djKSc}XDubS`{adOxbtJgK4HY>Dw7FS5kFe3zpmerl5O5feN#Xig*m1w!W9~yv zQmOvY_k$Ns)}!~Rz31;`L7F-Dhm5n>2immPugicTjj1R&aM~)xWciXvQTEK4C`%4pYpHAh7iYec=e}K7hdIY z&F#x_J^FbkYdp11%}(RWH7FiQQA8m>z?tQalvLxw8k|KYU}2&HQf{|lEo7YbkI%&Z z4Mu94M*=x?Fkb$jtIxI)A0LS?v$`gE9X1bQOMjhtK;-Xq+WbP<(VNZa&Tl^K;&@Mt z=j$_DB2R1f=;dqJvmeAOxEsCxEgGj&=XQL0Zm^u@<2|L&bTaH^{D|xKZa=T(R2Xxc zC)%Bi7BgP{<~Rkm7OT+e5#yT|7(w*=l`SVkQK&lk7h3*LS2@BlQKLq-yduN~>XJg1jJ@8t)Ffo5%Y_WCRzJifcY6LJ3;bJ2LYrjqM0Xs+jHoZgFYhH|ka<-TFXTMM! z-y>O-@=rcP!T92lkz7ZJA#)UWv|3Y=a*=V%Vvt_C@*K%a-Xm|PgC0f!ho6sit0+v4 zY+nbzl9djkdhKV0^Z3c*Hec?k4l+6uaB~Q&bd;Bx+&&LobB!|6!3bU3z(>_zxWCa) z_ezw?#^-0;_>SQ-SozDOvp=BAx~_j4cjFQ*hqAktoF;R^{BwS`5r+K>i{YgCK{xAn z6rFLXU}v@<+nFgoj!2q5VxSS(3a#PUWo*`?b&Z|>Necx<5<;Ouj4Q}4UOWy+2Um$0 zRSU}u=@VKM2vKxv+$AntxpkfO4RvJyx1*c&zXOgtCXR6fyXvw3n6|l`9Grf{= z_B^Xh;tj3CNAG<^GA_{%|M?(x6fz|p{I)*MB|(6m->4~LdGOk3Ctft;^>8%~-R}pr zeE`K++^Z_VHeoPq=~Nc_yiN*dr`PX0-HO-;;)ZKGU&)+r%89ydV|C9-BPwQnRJ%Fn z@wZ(rt2{M8AxKTxjaf#hofmT_yA^|m9CV!lUSz_oMz8)n&wZa5C~d(ZLd zlkrFYLo&%StYg7Slqe-pnwHzD-|o&}52H%C`TH{;)a9x3_2eH1aiE#USV?TKDFct4 zs}cOEOzNqpoiylwv&dia7A0KaD>^f0^eK3W?4j|aIkmztVb%P^5}wBb%wuf!fBrD; zy7e-}lzEol(XE{yO-OgePrHr5Iw*UZ#6@E?kRP5R;2@J^+5h|NbE0%Nc3U4s9L8$8 z2`AK%|<@`-=9gmkMAO&$H4K(9N0 z&NsUbM!i`Sqze$!1#^x+ydUqm_CLhK*1eY8t6g_tJ=TkNnsrVnBj33Fv~=$U}id3x48zRs+?ru1R@!K1l{DQEk0v{b=N!g#+ntv+d^@m7Zs9Sfh^s|H|w z{f7FkY+N4r*r0v9&~3&>`SxJ4u6BCzqr;Sm^)R2*g=jkc9?z-=1m;ogu7i2u%6xW8 z5zH(w98O8{hp?TVgHhwdVdfX4hPTBVba3)0Q9gTiOow`Do!{QjL<3{434|u?pvazh z0jTVZ&Zpl=M3haJ+hfC)I&_qo4*z(<;ypMb=f*$}U~fInIV5P5?R9HjqS-R-7otTl z!+|!3nqtJPK;aU%_+H(x=Ix^A3`6hMNoP!kGFyL-mXAk1#%aDE&OpvVJHg}+9d$E- z5#dvJnvQVk=c07tjR~QE1gt8d4p++nCjo%0&FxAbM;2nD1)k582Et#%ADp1}dj6AA zT^|b~kHc47m&n?UA4CEy1Hv@DG^@cpQ+sk0UeuY+x*N#`I~G!Hh}3F`3*i<@bLdA% z&$NXS2Xdgtt%fyzM6k`YN^Hc{afmtG*VijkD7*ZTL8BP}l@Z`{O|LK>9^UDyWBgpq zae8+AJ|#nXeYBJII^c6LpS%60(q9nEkI(m;7-vVRaJf<&P-hryh_twM?zG*~Jl3k# zpaV5i_V3ncW#~c7kE-YV@u*2M(#wtAwoLrtGMho0);2B=c}NjWO)}iHt0MFT2g3%w zk^DiO?n&IX$@rXOalpQq5JfRnJ0T?iNeEh#T{l$nxLjt;{qPF2bz8YS9K9ILFK znjEIytEYPPTvTdfpFB*l}=zz}ZdsvK~kB zmdDu*-TNQ!#pWt?MkaELxO$u=2zEHEOvc&9pY_bC8=UvdtJ|LUEU3F^)!ks?{bpd> z(z`RmO^NoP#l(W|(c?2(WqqLKA9`1Jv}Xl$oInNehoknGh0iSP`r3S`8BIBxDb~AJ zoGUiDSDYud4&1@J`8c&q8$Xg^h5lDD1$Q!T+9quO@+ikt%cGh5n4?oS&GRqJuGtg6 z5~X1K<|_tq8V~B9%I0#FrpZn+oi#9n2r4(FiJ@yrk>}!+n})*8LehAAd%;f5Kw|?#Re*J*N(<0YAY&WRxk>K;7 zyp;#GO<}pDtPJgq<*xkP(^q=*rlDlCI&JsMD>9$W*F%P&VfhWHC>OAwo1@s`JO#yJ z()Y^msBNLMP9K<==G|5j`J}ZP$T|Gq!|9xcSPQE(&u`0RGP8cq3@7m23NheU&8Vph z?05^i8hzWh#p26$9%8N+8dYI$S|O_dg7Z}4tIJ?s!?`klsaE`y{~a{3*g=80q0y%l zRWT}2uUkJ&2TtIHn){f{>nlds6-qxUKQE>q`6PkUeIUf!Z!iJ8A zU76{WEhacO^?OR*zwK94VRoT*cIAck*wmTZodnPkU+6ly0o#@fc3j@XgWC??%9#}! zhI`ASe`eza9M<#wN`Si14BI4PN_Jv4xaxqa#of^Evbr6hPw$aC%PRpZcMxfzv<)n! zX$^6djvr~WQ&rIF3Az&8$HEN;0+cZCEc4J!?I&7saxTjkPCN7Jk`AwIZ3 zDQMdMVx-&@yE2H)bShP<;RQBS(2Ss@ar{0B?i6x>W_%v}eqyvf;f=P-*JdoZOql7o)10d&n~mf8PM+2 z@AOYRjSN3XyS6P8T$IPFOJ_YR>oQf5!+xG9mcP@Q)~GS?Pq#D;B6DE`PYmZE6>e|? zOCEfzf6l{ZmN!K*KPLC5LivnDW@z4CGK~C0-FjxZ&~>y0c9WtOy(L7B()*v9Q{Dhs zRQ33G+gsI7Z$@IUd^)Q{dOkd2Z3aWdhT&6we&wfm%)2nQN%d?q^l!^P4R@YDlt>0Q zcc8yz-66>gBo5ll6aTAB-3A+`VLL8|cFW>a$^*a&RS+urwre~!-GnKsR&<(D^*-We zV(qST=joYv{=xQI{P=0yO9PfUlCbbQQE&qOIz8)IR_CfS_@XXz!Bgn#F8Ze?dz^oq z#`Jq)(H)Gw#~kAf|D7QG9e+Rl%N{|nwli8cD99d7bwot?+!TK9=QoJ3fSfa*p1nFj zgT7Xl7=pV=x%18N5)K+g+f|~kDp0f8K`!>~Q?TrlD&2aN{SS(iB>dUUYTs5LF$$v3 zFzd$Iux$YMAsGNU$cP-E#YeQFcZUC(uS|%bg_NXU;$EFK7Ty!`27*tS#h04Q=nZVt z3TackKye#iMgfanRmo6Rj1tXDr-(~697{7{yEZ~4_^6D3-mKLf z@7=7`8=qwEIQNndEnL<9miedV3bxxBs#_rw*JsvL!jlMrou<#Kz44>FEyRNj{LUM8 zVU{N_9zjWp?}jwaWRAR2Ezuk_s~1kuPOzdk7y6@9b%I;^>A{u#XKkA+(hEwkGeX3q4AyDoN(NuWWWxXQjtl-ZO$v28)1!BN^GE@+8NHH$@VE z3Hx`JKW&bx&%n0=cRjDoe$9^T_*jxvBUG)%Mr?P=V2Hjv!X&DL)!D(HE`^QO#}wb^ z$s4{kape@IAsQQmL$uw|sU{0Oxjo4)Si|vybv(FxuQADlv!ib=D(mrJQDOD_J))nG zM}r?jBzU+m&Hn*Hrt!*H?cd|jhIO>q((tv*%85KeJzxy(J{74cJkIO^9WlOIwuU0& zgjZbNUC8-ofH32N%RrW@Ja2zWqopG3ZxIA1uN@pmZr=HsX$BKL?QvWlO9|Hgd#)?M z_`eQu8FTq>DM|28oqVK1QSKfq*?dImeG5UqW;|3bqwz1Huel}}dx-duk*tdQH*Qk4 z2B!<9J;Fj$d9QACPo27ePe>THSGv&p?#c`FegAj#6GA{}G6@Iqve4oxRL4^Txk5v- zRLc!gClyTj=@Gui#AEjhN31oEM>m0iP+3dN^AZ5YjfFww51RS5XN{)qJdJhSD)Nb& zCl56xO8ZjEEEV7b^}z?K0tT1l_`;@0QkbYe=fXhq?q&WqIUf96*gog7LsCicZ=z~V zbK*ERw0o>xL!aAm9&BtX6Z=4r^St5f%K#OiPu+lZ_znB@d3L6YpEzVd)8(Br;{+Km za?hf|n(#9|Ok6{u3`ott7rZmyYJ55cLg5JD(K3y+2_m=)_?$H!SLtmfiP>!>Ll%pI z^zuhX@m_GXLE#&H3+BZmF*`Ueooe-Ry{X^h$g3vLW@&}vJ~H&_7)C;jC*ubc7Vg{X zdC%Iq8Py(k`}sd66y@&WTK>51h}W*1rwP?7%&F6}rA9ax=XuiyFTmCke+>|`^&45> z5phIT;j>n?)P5PM%CGo`G0Mrc1zjQ_BHBz)>Q%)ixrrl3&T%!Ge#a<=1`pdyHW{pE zQ(|PuqLO@%w7~l<&Yl~v1gHk6NnQp7gcmNXjFcvTc$tFp;Zr;h@o@Z|7Y!hby$)go zF1+Gjv-gH5eOknDr~U7}PoT8Cr&^j0W1}C~W9~CoU}>@KCFZXjMwAek(|!vYE^mJ_ z?z3;x3{GV~SbkkcR1NtFAl8W^^ib6De}U@wv`T6p3vbMcPbNtL_U*?Kh_UGa3y|q1 z=+S!*Fd2a{R6be@^b*N&_}Dpq9g4o|T#h|>i^Qj}wq;R7GQj0gOsN~^6FrFKG?Mxo zyRffssG9sXHTyNd^fTh!3!~S{`g0{O{b&fzP;hhljKr>8?KU=zRJ^UH5Qvy4(V|g5oRXt)o*$oD)_DcFeT~Jm2NL!+T7?g{lVI5{SK9;CfKQFb)jS)pr@l#_=I@&EZwX!R8SLSMERMl2dbdT{L z)4oZ0Nkr;KE{>f>z#_?v?g?eDb)6Gw7+(2xg(+^-n13j0bY=Cj%XCNX@sLn)%{2dUb5>e*3UI%OBnqT@E?(Qe(-0sIL$hjs6@mt5X4|*X3zIT%IKi-U=ijlY-pMTv?{=ns6uCn>Y zQzAnuDnWvZr>CBFy;XH{@9;Wwm7U6Yij97I3P%OywJP95MvLkstuTFMAZpx1vI|<4 zsja0>z&derq02P&4^zRQBgee{NKL@~Pm`5k=GR0%#~HTKQu zo0+S+XvZ^-kW=sGvhIin*I|Tx>0u|QQrpRM;AA?r!VOk>(cp4(heVoD;q6_Lo;K@i zHy%9&>Loj3ydV&>a7@;qBYZWg+_eC7H1WDJe%Sx|r-1_>>^>-NtF8NiEdc}Y7r3rH zN;vsyg9P?j{kn%G5wHmxC9uLXFQgCQv(cXP`TmhL+DKFDRMbG5y)x+y3;0sr)etrv zzErw(yHoU`tS$ucWo{!?=Z-c^Xt<@TaVnl*%QQSddni2!evsD9ZE(W)!OF)BcRSONH37+XG(D8VcB`sb;F8qrLnk1R7 ztw?}M9EP%z^=y}-zctn&9}1((V1GE~ojUCG-7IGXMSIu>4PTDsl?7ObeJC5s?)CKxg-D?r#U8;=WQz(P_#w-1eKvc7aynK z$YxqvNDdc(-vz=eypy+F3QZyc2|k!ozw%@7)we1yg$rd-R)LOP%^l26jQR7$R%9Ys zA`Rb#o+8*eixMvBgo=H|>7~e36x=2;Mn4iIu;-3|8ic^-@@*MqxQTH0R?qs!5hoJz zlQGB`_I^%s_4umc{R#s|(G-lMKgc8g$~7ROt?Ls>S`P5}?mAAUwDZnH);PwjWR}41 z{M(N_pJ(McrISe~Dw$2CskWCNwM)NsJiJV6%8R3)rE@HL+|cB1OIS0xGW*iq)*(Xe zix=F1L@QFqM**;SDA43G0ull4@aSb4WYGvqS#IL0rW5!b3P8;g3EZdbIBT#R4}oEX zG|L5`KZ1BQ6>&K&a$eA=1O_-6M+A$yoI7=adZR8u3nHU~Dw)ama5MUkS_tTFm_d$S z1Jq(t;fu2lFi?OwONR`cX=&hqPR5}xT+8}t1}Q`#&xR!z299BLl7ywAwj;NA*=rHW~2%TtwiLWsLY#-PUwp%&s zFL@&zQt;Jnh7+*QCqi7ybL)5Wxm}RXs?i|G9aM*(3Lb2kbB?NGBik7$Im4EQ%Ub~h z?sqK%r!U0eR{TDrF!`H~n`Xy5lf*-y#hf@mj6?n37s0;xxboQwZ;p9)3g~AhW%>`n zCIEa`Db;;|zx`+Rr^H8^OipU zD6&FXr1C(*7wodmYdZl9F+WYVr&{mhjhKhu>llzz*f+~&&w#ZBYoF0?oM)9!?q4g2 z-T%cK>g=-&O7Zs(Gd6AQ(Ak?;C7w6IP3lY5DKWol^P_~|#wpZI?Gc@xEk87K5Zw>u zf*w=T_q{uF`eviENPyWl4yVt%a;bq7s9Uh_REU-+8&8?fbl* z=lT5Z*Zgt6#LQgR^?sl4^E}SuI8KJS;a88fDPLHRY8^*=hgC--BiPEl2pOF* zu#W|fgeyBBnkpnL69msIecIF98_gSB)UpZQ-(Tx({GW&EOCHe0f^U3Wg}o;fi#o6( zi zC-d9bQ6%d9=Zi2T4DD{s12P7qE{unee^^IR=Vsj)6|G=~sPq|4^r#eWaYy1v%w57( zk)Myu?q3t!FsWe6>3{R1uX(xMxu|`I#eomkXPBgcSiXpX2#sCZR;5=XhRMt4RIE5o zo}f`EWRz+!(Fj9LN9o_$HiK^L0VrqWVNkdZH!UAa`|HRGC8F2#hx~A4`pePx6M0yJ z%(tdxm+paQ{^D4yOi2k&m^9dt8w7S@@5Vg~HeyR7<-wje?^8!l~WX}Ns}7aBom|BC;pIipl}VmJSQDaUIFw>Ft)b~4Z6-Wlsm0MFvj)0U&pab%<$GwUB$}KCvi{#*Dmw%jY2SbDtxSm)T zVl$fi_Qj!xj#2RmLP~wfoVolsmd}X?cV1BU7>1>Iuj4H6bnYwni{NFpL7VG(*y*86 z!@73P9l1Q7o*sq2J^&&tMd&>nzYg3LQ>@M(_9v%@lRS=Ljv^16(>*r?U02 z7uXoJ{rOMiWu1Dydg{Tqh4X)}Wo-%Wo=~v3{*M<%5&{D4=Y`2jaD>zosQ5)A%8hdI zbsvwuIr;6mr{yRG84Uxo8O-eNBPoq)z;aPiPd%!+2XJn4vq*;h=bOW5lOdlHFb3EU zJ^CA$9R}aL17oqLnJvQlE2KLVal&ZcmjyA5I2U z9Q_~99-LxdY&VT}%E`Xb7YMB+0e38PfCM<#+s2cvn2zBZgnTXQV1Y;V38 za0gsF)e0|mW|-2Ws|^@X4;){M`24#U065?M;y3ybU6Bdjpah6fQLQS4<2Nb-R$QIu ze%1eB`>yG*JxTueO!Ple(*O29I65@zyL(Kr|3n8B!+U=7 z!(pd9u*yyMnck><&OJ+hPtW)U3+dnK0&yu(f)7RU!Ct!y*DgutJk;cS*UNJS7XXDo zbW`7L4k1F!GMLc+nq|>|VIzW&mYAa$W>p}hB1%4%#agHPR!^P8KjlgMk{=*dID=me zc%-M{K|H^|_d|9ocR)ET(8+VQBGh+S!NVqNu^_@oZXRpbm#%d$#y`Q!kK#p_;7a+G zD(_-+gmYymvgm#8qazXRV0zggx7PKWjK8-x>;xv=?O@C1<$2edRkdU#@D7HNH1VlN zfDDcJiy&w1qL&{`WkF7X_Nn(f$9^4PGiW-72K7K$!wBUa5x9XC5^rJ^|8s$2%uy7p zm(c6={fiJ;ejQ7Kq8PE_M`$`pb`&eGZfZq<+wwHK?_pHk~k;}br>LpqNpe>JPX7-x9S7d5yRoTz5^76qde}$y6tT*`Yw%NnFnD}|j8^lXZx*R>L=r=Ah=05S4=8qD*CW<-Ui#XM zQ0w)jA)lUOHfoDjjD?*}LOxb_n>4seDKq)*!w|4fO=BK#rWr71o{FyPGT5(|f<4Du z8XNc`gw#^)AsxQfLgisG4?}ARR~1};#Vg+(-JF&HEULo zMhe9>Se`#NTVvD(Nd& zCI+%Nu8{d2f)fnNo81k{uwQI*-%VS=`QTHH!e1ogjUu2X3Ia~|W(GK?CD^;>`NlF3?zdG;yv-RpRLKwZGhl_bera9-+4F^P3&auRoUg>b3Qhf@kY>jm(+< zNSW5vs4=k%FZbt7(uUAHGDy>zLnfK>s1BbOge?BkmBzz<8q;#19+{uq!O4FhDhRiLzB|04{m_{ zK~xc(BQJa(Bfa!j#3=1c%xg^Kx^Heo>j&V)^KQgsF#5v{xIoL{AQ`**qB#X*R7xbO zYQnMImUjTo${XQOk2ZL74>GdiNHLJf-D(TB*)25<;Y9UMR{F+I&5994)z-yk1=Z$r zL8Y{EA>W$Hk&&*2vNGM*iZ$TVl|B zmHso&GemO`97tX?l6>6}vn!wx8bbNk@5dQd1manS9gjT4%gNmj(WYlZ5y!)cbKeFp zpCt{rKO^qT@0#k#E1%2z=|$a|aZ_ zIfWX0ccYalKX)`@PsMP-#n=fzEE@Rm%n_cSCX<1SV>sIgRt`N_e#T*GFPcLa_RU9T`I~-0 z$_Yj{08@G)s2hCgQr=tY$8+>r+flKWnvKaz5r?IRLa81Dth)%MIHNXSb5JmmSj)mt z3j)hKoBIwh?v{$6s4MK#|AC82Qzwy!Rey9 z`(X_v6jHey1{(o?-NKv-M%Y5{c|j~|w_$H-eDi5}MeX5)bv%-#)EmM?N1iJrrkVx6 z2&rb1YnT7b^Z$7LBAEWI#md`j_1L^Vygs@9SW)F?{<0D$|LLen8?+ZMVML$MgEK%Z zm<4=U3mPE9V$l7`CVc$VCQI4AkmrwpL1wm7#7a&=tPS+i!E?S1*gkL4r);-^U?<54 zb!$^+C#1{ROG8C#I^jKX0gzL@b4Y;=II)Yv}c1vlp4 zk^K7A8gmdB>);}}Zh{}4>|&-Rc>=|gOsSwk?TtXm2O9r@XF!|lS`~fB$NGr?(_xP@ zE#N-*SYv@#*ZM22Kz5+G&)azk3ZH!or&Ed#^?qy+3!zOn$I9V4A z|7xXCj^X0_^caxju2tNmP8;0;d>3FNI;GCT<9w)JO(!;ynL=>o{TfRlSZ_(Y`oZk; zPwt3Yv||l|mb#R$)0!b}xTfz?BpQY_O)4F1hJ`|--2lkB1FPlWFs)OcK&K59lc9d} z4m@9Np3o|{O&L*}n6GFZ*qc=Gs)6r&-?l=a!@``Y^Nb+&2#JlE<$5lvxJb-Dc-};F z`}|gLi+VzW#vjr4leb|`1;`TkF*4yk{1GP+7op1AD<_9uHpQO$ifgMBitpXrv-eP8 zz3&yr`(HMzSCvYa3d)LFq6Kc-L;8I?aNi4VO(Yh^BC*gHKgb1p=@C4kF=f*3N;3wy zVt(=B3~aaHlT^}Q8n+gWS3+q}^hD=BuxWoc9K4AK>k!2vD09DC{p|_axo_J&?tVGq zb~uK?<9k5R;8?(6s=Exoi+uDkI(!>Ox55pa;gl?4!kYut&#ZJ@ z(H-dHv$#V;;?rX#O}>)|p2ZNmjMU}F$+?=~#-P+8 zn}oJCq*Cr0Ep-ENbjer57W&mkHz{e`XBXlaB=W!M4buPK-peyVIisLWXab45B#_zS zWO-TMq4EVgnfF{fx6Uo=5GtOqO_Vs~bOO&U%hh5}z)$R5TG{arr~kIhO&t?3I?B>g z1k|_MD#swH>z5xqk;Ktoddj4sE=1O{S>*_NwNMq>Y8UdPZ{c1JAhzU2bfpNx;z;w` z(Imt*?x*^kCgIw_915#l4(@n#scl^^oEvX`e}$7!WbYxx4_Qi@-hXwTU(9K?<(!KI zgyf2JbmP1ib0qR+FX6E)es_MIn?%5|0oa(BpwW5~e$EJ`^kU@wCJh9gkfJ8WBBNk$ zP@4C+-X==0@MI&MHOjs;FdkT;(DP)HgXlMxbq*6fe?cwMOvmGb3l94hQ0onD5Dly+ zn^ppW8Id|w3|Z989nxV|)`B+&UxXnRjb`BLFT@_EwhmxkiR?AX@KrF?&D0EOAQ%+x z9bM@hr62?j9fBMnhjrI~gY2PK_xrN$U<0h#PrrxncRJGY^|pL_2#?RaAc@odhN<88 z_1Vv*S*!-rd;ABRDFJjmWh#bbkhP~&RLDjfjsCuPLj=Z<>P)2V9kC#Kg#X0mAC~<~ zX(Gc6u+u1U{7@ucAh%piU0s7c*)|mND5PS^fDD5Vg5{@gy??eGrI}5x z5?@*~-orJ85m=}8;fJCKjJZ?wF0e;Ey&Yf9350II5IhZ`TP@sS^9zo$A+pz}wUfL*8JycaT__3UO0Mktkw7pm$d%|Ei9%z@*P z^38}#d%qf&v`JuJzpu*T&BpSoiJrU>;(Ogks!NwS3{=l@qV0%J-=1p}%9++&f*NH| z7)~>H>El9>14=_;UEh&cy4yXVHQU;U)SRJN^!32f3Zqy;E@UC~{Z*hPVwYGwc;yg3 zJw^oj2?zKX-*8~HkLPKed(dtHmp84f#KcDxwwc}5{4jC->#D|3HkKENMseP<`X&jt+qD0%$PYE9--7b|keXwyg zXl|@C00GpYASAnR5CyD`y-hU=jK2u}sd59426Bpx2S$JW!G`h393Fjf^nNgn zp~JL7*BXW!Pn12AbE}jf4n*Fku76?hte(IA+jHw>7u!<}5i^_A2?lr?o&fm2e;&Ul zPzNPQNrmvaCA|BT{OBQ>KeywCoOM(f^5i14DN$7b8Pw< zdrp0hdcoHl+Qfj8!r$vp7d~;QUj$Qum1d0E0@}*a*ry&R6|R4^HiW5N5$awyH7|B^ zPb4vh7&I+enA6#jsV~R|B;2~ivG#?Z+_~0&#=kI4#@_BaIA>#0=%0Q9V=RI5kyH%% zynLZm9QxC@DJrzy{Pl)fgH_;BJK?_1t{?YDhZqg+|1+~jKhL{aojE1b5_G1-+>rh; z<&1I!7nV~Se-oR{YlZ(lU6-)IIPX@|8DMv`qwUX7sFLj$O`D(#XUVLgdw4oEG2CnO zBlD(Mthh7Mxj_;EkYb^6bB4<_; z()|E_d#1nbv2t?8t=|+?8$#k#ts3PaDNGhUvh&F)TOLYAEopxp^7Kj7F1ln!tq~iF9cju>ETuE1FIWCsrU#CjD4BUV2ef ze6Z*J*R)TQR%@f4-)H&E$ov|z6#o4D{Ez!BH~StKU+k3X4EmG;ozeSGR?VW(&(>4~ z!d+;29#-8!5>c@PH!N!lZs?PA?&zy-$%wGEBY`a^>-*6@;25YUnVflAV>^1^-#wLy9{#Xbr6ercyh}SFZY~=p7w2v!1X}=fzcxUBB)so z{%$St<^Y7oiwnZsP*nPU2y<`3UZtf1??MX~F$5;ksk2s2S13cs z8C0!e!^v|Um&(g=ac_Y%v0%|Ryfp_(%o2|VK(E`kUzM+AZZCzPut%F2v+u8hx1G4> zWvr<7`N%yf8Jicp*?)zpm~y>I{)$+u32+P57hNXh`(k>4!qg5^%PiyqQ4;4KNoWSW z3Mu23n7JxLjW29b?%RrgEw$oMxaC^5TT{FMa5I|YIE+TUI@#XL=JUoJi2g$gF1p1nO6SG z9O~$_HI*42e*6fu49(^1-)GX^Cf2HX4&$qt?Z)kHEW9GzF4aO6+N_3 zZi$CgWWr_jzx}?06!B_QoJT@8vSdXoLcZ$!$bTh1_Hyq>Tp2Bv?%gpTy=&w9nonHg z3Cd=n^DhbcdHUYn()kTg!K5kQhL$6pI7j?${4xOE1igqfm(* zS*-RPvC~*5(=?A9uYj!19CAE`{Cw>CUwmo&;?Geh$odSp{p6(VqVd!RC3 zzD+xTJmn@XG-^}qmU7Iq6Ra32)Ee&)bExUnmQ^x?bMz6^ZC8G8(-*Kr#1=uN7U19w>iUB=)V29idH*1DG|xT2eX>IU0{5-!NHH>M!O6Fpco9aXFGAN+!sK?_?ZCZA z10RGN`dFKT`@Mlm()0*!@Q>5c;W)zFPtWv_!Ct$y)1eEAJHw!)ON z0Uoxoe(Dry+ZcS#7uzZZQ#HZ{SKtwyVdisN;bz8MpB>}_yFgP^5d^S<%pdy-4FxbJ zB(A^2$47y`erCVN388~#i_LDd1CZK;;U5W&TnUFWzj z8yLiZBmI}06BQn;vY5h?IcEk&(yR}yl z9Q{f6=%YpgD7YLUV~&2MU;zQ9-v~Gwymbc}C@acINtAhpH)kO6-XDR9(6X`sUcmlb z?qR>tr~7$~x@698+obZsV%InxIwj1jp)z}j9xV%-0JTo``H6%W5eP8@%+zWG)Q&#x z#H6CpJ*Qx#c7k%47YT0@=H~QIC3Z)9-!29SQOI(Kbrdngo4n#LZ9n z{45$w${PzD)%S;UDGn${nTn><2hiT&_LvSL9sk0=ACHX9Y{!=U9Ucx@TsEZdI`Hea z$NG&;EV~m)%_qW_bWsei*q3i@t4bB{!$;`E=Lrl6OhrWHp7_?PcV{~|`Bo$w|vL?Nwqn{3`2&-0ucxq4xk~3e;JB?ZE$99kYd91@M-MrVu$AaVmwAn>tDbW0_&B$H#YB)hP zw=Nccb?3lgRbO5C$@U_&S@)d_^d_tX45t3r?;@4<7oM0ATJN;-nEPXA|32BAVf@zG z!_A3Fy&TUHdIv@1{Q0%|F^nD4Q^!DKAur(6l-1skQw0R^0KLx9vnZA4$Hid1;U;o%}AMKes% zSW3P%;`Mo;4yvj5fFYhAtZ)n)@u|_?f1fGBhEmAbQ@_d-a*;2414@iE5!acTQ_5dM zqwR@VVPvDMy1b)td9ZRCv|vSzsO+1i1u#<=POW1b6FW2axsC99E z?}sW^?^K69A4EuS-r-F^j&NDq`EJ&r<8R$~`Bf?~!aS~Jzk-hPso{j0-$TMVFMWmM z4q!u{ha#o86s0ptR+=Ii=~envj-k*=C&9(ph-x$zIoH6~HKEye@(wl&A-TV+d*Drp5pb?6s3&b$O z(XZSRP<6>*0Wjo@M{NQgrHAuN8me?16Gy0&f`-X&dh}XHVd1idTHbVvtbD)Zl6$B4 zZ&nGK6Gjp*_B3BL7bIUqQ$7d>T1vUb|s>7?RlWmp=Tn1PVkFal!bsX_##cP!rpofV;OFeE+slo0>r% zy??Bjr8(s^cr^60ep3n$4?lOt(rt6hbAnH!Fa5(qD@|+*5sc_JQY7YTs|XQtqj4df4(Yg)oc3zjS?D z#*+>iG>$r)P;gH-x!6HCYC$%}D-wMpujyfFmSAA!*-UZWRJ)XwV`+(Oa)3I zs8%;c6PKPTGtvtb@6d5+9Z*gf@! zFQ-rMHq>Ccc<256rR$SE$%GpnT)#J#rYyr!kZISC%NxXD#t}!Mz6-m-v18GjLno;C zB5{;wE{Gd0M7nQZ-~QXV!bZZT$Rbpxhw4be9V11(O_js^CtIXA^Kw-8KocwMu^LQ9 z`O4%7Rn4Nj6hDbwtH(}Q!RK~HEYd=f<8#P8Jz2+*^1^DjPf9A9|CPdul(ugY38M^= zE*-g2S0PC~@VUteem$387Uc8E)x& zxi$!P{0|g%VO;|pKj{fyzFycyb3{_xe!zSWuzm0mxB2C=uMxKZFUi>7~L3eW8AN19fTl+bcE zOl2(qR8OjoXQ_4#ylme|A`sX@_uP!slu5lMC4PuIIa>Hmi_HFXYo7}TF9S)5m7F$TCI?~2;t3JreTI)|z=dyuUAH{i>pr|`=RU<*6x5_-fscwm2E z)DyUeP5Ver{ju*yW20%A9gsGBgP{XhY$QK7vZLP{yZ-q?CY{UqaeJ<5+HPfLuE1lc zTTKOTV+GHRUQ6Z+q+?x>CjsNq7{+Fthk^FJFxZeZm0M_-5>RL9mW$RkdvsC?zVY*$ zPIE(b$lRH%%?#MVK&Zl*iJm)3^BTAealX5k79Z-bkvU~O>$*1^7=;(oNjjkdLey(m ztLGj$rceEI58kwWYK(K-LPwE(K^X$}nI6hAesEJ%PEz^M`!LXv6ekZs4F-&4(ZpNo zI-lV~9HI#~Vhiey$I8q5u9~Z={b%#ldh4`s!4-6r^=$cpmW2lIiG)yR_N|z+_K43$u>O0H;(p zJIeM?RLx~=<4r#!FKAq*lrCw_pTMKee+Zr?C)TRgE8o;Oja&7$Z<&f-6A;&XpY|e@ zbB9=}vIVH7EM9v3ZuO+P>w{jdn}#A8;eSpsC@8~eaRQZLoN-!Kz18i)d0-}lo`!3@ z%D|}rHHwPyy$`XGg7_1)Hx^bnyE$Bf;nS2^YlAjxn0Pd-+MmnF7@i(ny^50YdNiM% z9vPeWz5bf>9jhboHsNTm@wxE@UgP{1k^KH4J{1fXAjn~4QPAJ1p6+)WX$Y!>76;Y+ z=1~B46GO+*C6k@`@?f=_nQyqC9;l8_1t@TIkjU6{MMr+I6d|8kai*qT2fFLB73kBu zOAUkDQYl-hC{gvX+IggEd@rCZTaV?I@?LgZK9UuSY>&_qcdW$&Nq90ic7p|DcxvS9 zsFjf-8Jm5cNqOnpKUQl7;j;nX;?WG2_I})vl@&C$GOZc)*&3? zmm9mZ_-E*btv|+fTmhEiO2t3FM14WNN48KRB*2K5b=M9uWr29WL4k&C7h4UbSClyQ z;lQg6>d4&~0yg9@0m&M;yN}uxJM&D!SOu?@;1yz>{_9m`lrKzP34zu6q_^5{BI37Dfd~J9;?ABg}kT9cVobc%7GmwPlJmU{5tTwD*#r0%un$+~s3Q zDKFu7@LKm;uc-fUrC1dAzA&ol5;DoO{k2vui0w~ilN}39=(rfQDU1ZZt`7Kh@ z(NW$wI~--D1`lO~MHKo->{4eHdu!)L8q2kRf7~PpDjwfWJc~DN?F@5NZt}|k;|fZ3 zj$$N?gf+oLDVJ1_HEkBqA#}6IK2uQeE#sJklbDLy_M3NH^yuA$E1F&YC_`4EWPii)i3}0W(?=^qWkdp3)CyzAc@Zn$|_V1e05R=OH=jX0pfwO zjb%4Zg?P~wy=nP^c_n6u*4Ve9NV^J8-Fdi^@4zJcBnQHM@kO@YVdKxbklgJhb=E0# z{N1->azQeePg8nJ?(WbK&_>Bd2>g=d$h$Y?`yIcI&@VLT(WUIC+A8fH7a9OK>$(T z6(8PzR&64E{ptMr2qD7~EF6gMh%txSj;mZ}jiD#`4g0qetu#vX_8MaI5`>*vSX`Ps z&d2>KQQ;{FlR~b+ABEK${krdUHP66}vz_$p9T}!)_lrLfAAA+~92n99lW9){k-G1{ zUHH0X%#2l~Fg%Mrn8M>(W@i)Jq%_@Yh|TLxVG+^MYNu{l!&-LIA%g%h>G?>I4UbEZ zVArs_uvW9lc(a<##nq{2#!I7JE?cP!m0k(>%aYDBKeJck(p3hs4N~h7J)S> zS74j%V_Dx`8;SEWo_Ka4Eox&)%{)GHmhDpNUw>-j11*$LIpij&qG}(`Q0i(wkKZ+k zJxm(yFEKo|^+;wC2B=v9=ZNzqgY{iB>NeFR)8sxTIALxfi{UH+=%$NYffeZ$N?1&N z|6t-n`qixk@994mEUn?FYEq*^-n<$OlTD=*E_5Xh4Evv0RPL7P|7z)@@+9|FE^f$f z#IVp#{sz;k_`Yq zRR|#S9@d?6h^R`^)_~=jpe(Y}F+`NQaaw9NC`tC&2d$*>En|qXXt)#DT3|z8n;ZJl zruyQ-3E1sV1spEWzjHW&T)}Osh{)Q9uf5`0t8+O5QL3jOBo7#+ne7K-EF(M6T?|^b zA2Ps&VjQ|1=9&=Y6p|p62>}Ff#lKPsSqJoj$5T%oT6V?t2UwTEwH?2l6(GIBOo1 z;FPhuR5`?u=P|v_Qg0~i2{={*;09lt9sD@? z0VsE3V9H%lmv9q4QxIE(hLD}QP;GDaT3nN!y9d{jq2YBX{)%eZw5;v8cj=?LD5`pI7o%Kl z3nk#$Zon)w+tYGa_^35SWP`Ve&DkW!eV1iwf;HUsC7|&qA>JnlTnvZrasg$X*CAf2 z;U?6h9AfwGIG2FuYRKuy9a&3A_#C_6K@*2`34^m0(%o-=@{ifqH8&Xv=CV{_UZte3 z=dKuEvO3Sq^3k00_Z)K4J#~Fs*zrdCs?4Uk|MvF*m!SynO7C&K7boM>c@z=}=TXEy zKal&#Us}f<)O4ZO~r2bPQz_P-!x=|YQ zSCLsO(7eY+C_IAp)u6}+V9HD!wT`GVM=>Tx|GmDW5F}v<+RH*Zn376K=pu%qM9^-0pg#Ca(>9+ zvAdK+2!>TNnU#8Q8xCOG?8O^@NMxFv+zv8YbsH8iZk0|$kJ2N4h{;Dzp8;ewHXz-dlbF@4w1-kk((%h{!NBR+-U>S%`VRKV zB<~h3+l_Y<4~V5>m7aYXncJIg2iN*l#8S%>%_VJ2D}ZWXDRKY%1DsHeV}J5HM3Z?s~2S4H+u&t(gr|pK_-l{a!h76HllJgTY3F3P0v<< zASMH-s98>TqGX+rt$#jkKYNs?$hm$Yd) z-x2digJtlb{1*FU78M)F^FZD~@WCs^RbY z9h@i${fH^Ob3?&+V|7BvG9TRKetYi89_J&e5OAgix{J^dYX_+p?XYMUG<}pN4pss{ zHF+KZ?h~O-YYK{;j^pY`68qa$#>jadP6sn!Wm&_(Y<6*T(R*LKD1!Is$q&kaP~Qfl zY|YIo-qNfjNZA;qV+R7Ce|D$)BQhA~op!nJN5jPEFUsg^i?$z#eQun1~*iZ?LMjdHmn7M0(?)jR_9Feph~6q2y3?Wq5=RpLNSi0l#o8o4VG5*TI(y^LR509 z^_su1b@OM6a2aaICR{_vV?l1#3cH74wx+k;K6h0?k(%s8wL9|$8}buEfeW+kG$$@y zDng`L{)vF@(Ro?F@xYr2os0?an-$OGcY@qY+!+f84>MliShNrqHl2Xt-22?qeu7rM<)jBB$cY3hwzgD$ z-Os*rf;k-0$#t8nC40)SSv6M%PHF%X2t1H%sQN}f&?Gg1O^N{ zu+Gg(xo&@4Q?7Y_Iwu^WWPP-11_v0`Bb8ettgK#PRP~QXODCR>+_1TD;;xWTUwZ17 z?F${h4nCe(jr(@;(+}dAZu?eiIT3o@V@+I3$|XBqyl~UVEKMh7fSU4!srf1lcLYx} zf3ntS%x;->2xZ7d`+f~v>ng-8Xq)}X(*cmhFJ>RR_o3WgQ%8{X#1Y87z3)ku!@q3p2``O3yQ21Kh*m0_}SZ61jmkGHt@D`*HBEca=q&j>yHgNg&S*pwSRBp=We6n zMtMnk9e4QWMyXs^iBd_2+r^2h{XBLzmQ&Mf@4M;)1LqHveXKn*e)q%@59!vIXC0qm zGFRpVzVJ5;!%G7JgfVpgf55!5M4-(7JO?VUMqKE;V#Bxf`0`k`08mK<^C1XWX}QkjK=ao6TM%jxKAqX`fJuZ2{NpxetU zXnFEn(ycD>cO`P&BUYo%j*#Gms!f)^j#ChT#ni+q3Nkf@>gUkU#xRjDlfQX3S}^ym ze^W;t+TEj}{HN4Rcs4p%Q9*YnN-2Dee}yl445vcS?toJB6C@g}E2q#hQOKM%E9jKs z=-C!mB^&h`pkm7e%(xBcMaZ%LYYCjqP@`2VG_$(toYetV!TL;P=GMK!#*9`l zRS`4(YO=+>@7jd?*hXjkqq6h0uG{=CJ8Q(7`_ zr_QipsM6x(aBbP@7)h%BEa>AyHCYVq$|fmFSP_Pw6J6e?iC1gx?ectwYW^B=RK|F| z(#2))?vcgU!$DU?w(<}0MtInVY*&xmPNU(YK7q3_C|Z`ZFdG&>oj$s($j-YNA^T%3 zKIg}y#=q&NFdp&GX%P!%zVxtrZ__}CBjTw@$+56G(atUkxt1&4)1y7@D7~) zB2SOzCfN*ly#Mt4QG2KzO=0rHUg3Y1c40-m+{$Po^MhlLIpoWhRQ#{>+9b;+jcd}V zgsA&H8DyomVvG5`Rb7_w4Y_daerlpBGUS)R(DCqf7mzTT4K9)!!T8A3qB&^yH$I?~ z1&z-8Q%p^V#q68M_K((fjy$&yRtrA9YWITugRKhjFJGecW%=S{f#~{dba8(s&Y~NvYJ-Idgrn<5zuECx6V}@2uJzV>#b~@vi%%5;5$@v(A)EwiS09r#+jB z`Ph+9dedR~jv*hDe&6zM5~SE|w*>TE#-~qT{rgeCewu$%3neFv&Bl>ZJCZG2C%c8D z821-s;NJ;aC!%eQn-)awm$~1mhV_9yKpi8YF~3^Jbi?_c`I7@LvG&wa@vnub@30s+ zY-nkC&fyPkzPGYI>Rqh(tFJBpg=)y*mN&-*$!AbW=;7_8oy zI&v%sOU3H*SVyHbUk$uO2Bi>H5yyiyQm}n!uh1=X# z;KOFz@Zxad+K+^d5Q7cNcKt6w-6Nt4ULy3w>`;ZJf$1a zj><%Fel^fC{>f4PP38H7O4|SVYf?>Rfrp7f;>2&aE8$+Qpho@terUHjhPj_%@ZP{{p{uO?1}Y8k5^8N^Sm$rq}! znlN@}yO4Otq)?W?-rGyctgOO`p(ZRbt~-Cs^}oQKB&nF( z1C9D3sPS|UwSwY=|AE{;&8`3O13}}E2Ch8~0p|y0SSd89m%$@K);g6&Po3UwIVf_Y z=+{L^pQX-r?Cjs1nC#DDp=;aVqTZuy&?G`XnANE9#rpa!B;{vA+D=V@IbV=r#=}33 zB0atT?X|853e+2aC>1`?&!&&iWV&-=#54Ki@1t+OYgJ4MVyV#Z{e@OsKc%er3~=3_ z*gA3w>EPZCE!~*uJA7dZ?%bFpiCxUh02&Gpz~cg@qUaTa_`V9tw(j`o!?3Uarw5As z5Q9h2(|ERV%R!PLf|<2zw7E4QAq<|vtGYgJaF76Mc2>z#EcT^Tx?1VHK`*;u+pYj?dXQ`z?8>JS0x3>I_Q%gnqm`1 zsZ04hPZ7JGRg56G0o~#hm5%n~Ib*F7@;k}tDE&GQ^~}ahp!)fQ|9Of0*T)D3g|Lx# zh(Su&zTA7l&ihybV z;)UfxI+syA9S8?s(CbIJK(dUbhGDv7X4m#{pi4k&6068F;%mDzyrVo-K7W{JH3nTE zcyDU{K1JVjavbqT`WG+IM1w^CSJG6iVN)DB-a}11t;6EFGvkxHkRtS>0h^cZnF_K~ zlKI}bG2>eMBmq5ioX|7k92j3$Cv;{vDE!|S;hh3Y+k2_@>3|@)4_(IH$PZRN%hMW_ zKJa%*^!PjDs;bZaGEI4&S3J%~ohK5y5xDclKW|<{?VqmV|9O*!aS$Jri-596@j+R3 z+a?{)l;7A8RmCGjSZjHgB(=XoqgyMDIvp&uRMed#GZ)MEG#RMs{)?Lecg-sozIL~Q zGm;%$!U!5A8i3r49D85zt z*DDg&4GD~R_hI?#89=(AdZoXyBj?0y*u+8I`5jF!nppWZ>arkt1}z)%dOmtHK>3U2 zzy7K)R4c;na#|d$#PuU2k%YWj_ZvtZFVfXQ)ssjB1y|@~gqaJC>fiAXLA$t%EQM0j zAoEhMFZo|-1rE|)>RaV8PW5kFa()Ak%pCHM`*#uJNJ-n;4>?_`=hpt+8f^lh5W+YR z-xvEh{^f@Hk6!>NUT0SI-OW1q;`Ih(KqGoz1^PiY>@MhSUZ8uEe|Z-16amJkM1mH0 ziruQ{;Z$l*my+P)<8#e_#AC0*KTGq!2JrtL*h3o;Vd)427=4s?HWk_g(aL}~!a)Hf zDg#-X6B#F~)%FUInfH(#6ar}>8K;FxW6obgv{8r^j%hsL4zXxf;X(y{d%W~4+yB2$ z5B-bu3Pa+B^tDmJhE&=`h?LNIrteV#GH)&NtHhZn83fy8No#pT9fw1YKpA-~Fikt7 z8r*dbxzuT+8nhh%PP_VN`EoV8q}2z@7jJ|A`}O^AM;YW!@ZmDd5_^uJcC^SqK9F~M zgK?GxY%m3p{BEtUnw$f~y0ZN~<2KBOMvRwUy*FW{(4%0|N^)nW!eb$5TWWk1xgPc} zme_wRz^yc@@jvS`NfWgOP0Sb=@O`$-wyr=gnNNpqdZe*Y=RPc@ltpgerO6X@Fu(}$ z#6e~WS#ae4fg=8X{YkK*Gnu`4`k_glG)SpUUH+{8mOzYmKCFVR#Cd3kwZH5K_GIcM z#-Pp=k%TIsHv3og(t?E~GJL=^3wkP_-XlC;i+w!h035wC2qIN5PGF6&j9&o_%WLvE z1CYW4==1BHo7}Jd4oY7mnDg-iHtAxYiROE7R?7dA1zvPw_6_xj%`(Vo&o5trzd;BJ zX(Eb>=D@%egXd_G&(O6pvjY2Q!pNj95YS;%5c?od;|dhDT4#aQZfj-0 zzT^NtYE%X0C7qHRgi%9BISy!YV8-ASnKNg*%ZyKWJE<0`H~O8)7N*&WLeZNJ>?&iB z<$}FR6p}*h`frVZxJ4YYCZ#|09yT>@rr+R@H}9AC2TJ1OOpw%F=#bZ4+_{ z@K&Bo{ISLx8CWjh2CfJHZ?HkdG;LG#U90F>1u^$beTql~0EGxD?c4$gwFujODg2bM zii(w|-Uj_>2T-XcCdR-s_`OB=&lH>u-Qh#|dJ5JIB>-tXEXQpo_F4^44cSX(d9r zMH~L}3fy`aPxi28B_!ZB<&^mYqy5D|H_uk{J2{_@G|4r7vb{OcqrR4nD7bKcvMth3D(-) zhX&C_Oi|AFJI;6AwLoMM$f#sxJ_vSZBhR2b(St!k0>EXAtH|T}&n$v`1r2sbLWod# z2!w>bdr@AP2b93}VMfLVCAw9FX{UznlzEf=(!WD3$KmmR{^dWp0@eZD{ryF;p4(2A zWD|G+1sgR5XNzkdmW>8x4ptcheeDkDpTuL@o2c1>lEIf%B4a6s!36i? zm?+U8j6kbh2(E=(T?8E3(d0N&ZrCkO86GWeS`#hcO~jFt=89yEG6fi7}gA@HPi1 z3vHJJDe$ASdU^H%(+{jxoPK`Dk5XaKB)|ak`|;0%V=$iQ&%LNG>+&Sf zI)20IPX~`ppkk&GPA-B^JX5|H6s}RSH3a+NzvW!mK-5L4kLMgFry`%0ryWUzslQMl zZ96ydz`G9OLKEFFa(lw>h(t&%(S}kS56dV5 zY4a}PaM7xNKiEP&1y2b3e2A_hc>@58jvM;w}{ zsy()OzrM@b!2Ti}5661JgiEvS{@;8NqrjUqx2gptNfDmH9qAQ(p~nPNoAM?4hq1!V z*mumMe^0H!0Z{NO+KVBd&JmnlQXm6)ypplAhvg7H%yAZUOpgw+;eGkCd70e7*X!@i z%PS}E(1gVFIbgGzod+RW!+fT$TSE0V&5t?bJ>6y@z9g%7J7vl`h7Hwv>p=Ti5F>{H zZ*_xEe^#4@r_%yR#{O@&JX8RwrCb!af?H=t8b>BIgm?c9x`Sm(LE(0uODX?7;21Qm z05i&8lG8&y=$*?>R_BV;Q$1D+9!fTRPqq~Nxe9>{22py_J~4QKkH!+%pO?b@1c>K) z={|l0;3V}CZ((yRHbMvck?=E2$gw5j=*y(2Ywp+)LMS?1mgzU&R*n*p`4{-Lu`*37 zMl5~Kg*6#8-<;H<@AqnLT_18w}mkMK77Q8F|bT?(6x`(juGZo5mxXoqELLErWP zctGiCJi*N#)-JjfPLzB|XNPG9Zs1|W+f#^<2|LWJE#0-RKrrUvkUO>lqIvfvI=e!c z9e8jwkjn9(uFu!gcal`;B(VCg7T$5OX!q2wkHsS0iu+2$^Y;K-`uE!>!$uhV0kRkU zU;OB8Ob8Pn9@rS6Xg3zZPvYU;(ayL>GOSg=gbF0!u+TR-CoBDy()SEp>XW1k0Czfz^`kR8ogh%g4K|NGsXWBDRkiZ_ zn0|w(_`%lv zj}YJYifHZU%2Yl&m&*gr0tEZeUw8fI7IvZL3%Lzst6T~^r3PXAw})U4z8zmRK9Ygy zqs9eD0A;@$ZwL%f^D??<=OSq1CFV3E2aul{KprF}Fe*Y^k78ItpwOJ%Y|*mLlLxGU zng^9lrNvOEG+QhOHZ$Wkxk=ZT4;(0Ot>V4qM%?v*B}TZ~3@4zB@9!-v62j(!5((+m z+|JJ+0$GFRTC~6_zyL>PqPOSGtP@-+%;b{Lz%^Grft|WS3xNIk>PGvZu4`X+u!i+I zdz4A?E}bAAOb2s)AtG`b8gXd)1d+uKfK&{J`MQ`Hk7GNZ zw%2|1#4n%jI_ll^?@4;v5Yp${Lnu1=(GpiQ!%Pg0A}|69{4%jD$!K*)V60{>K$l~k5V=B=2z$I4>7jxX!1ZO9)_Up#D2oZuzX;;Uma%o2 z6%g;0IxZ=QpoqQ*dj6O>^J(wv=)&H08PxSD>+cUf@CgD-5)5_OKN3=lE@u0mTptr& zbtPg3Z2{eS-GKe`e;7JQ?3HPa)-LJdjF?zQph8bw9A~lT+W#3n!UT|p?+8(hY|f}e zQ{^h09Y;l02Xa~-;9vDlYmi9U02)>t6ojx|S(YQ3quqzz_X7SIqLU}zF7ESwR03ty z#UF(yJ46jz-}@wEHqc-5t3MkBf&u3A_LMBB9ZR75V?EdaFn1+g02 zGYCHmjD=D$Jn%kUp>sQ$0*X7P7WChK%~MwdQHxNJ^1QKE~3e==?yX64F z{>%%0z~cQstMpU9R)@jVwX29LK>Osh#u6IpF*?ui6V^y}P46p6%usFupU3p7Q12F}h$jqlhZ*T!f>*FpER1dLy)z5xRu>uG@evtB# z3gq%LtTQ!Twd4L> z)&Xyya#Ly~DEI|k_qI&%k(2C%0SvyMFZDKv#~2m62+xGOW}e(KS}EZsr*P=|OSSy@ z01Mf#+f<>e{#-G&2%k}n>C;}%yPH^|N~b{zIIWEpST+kh9>r3YJ!anm$93+P2jYpbA`@vfu;! zVu-=I#Bg$ahgRTW+89g4342_}MDX91kO-;rn_xZn69H5@#sFj#o)A#i4e%}ESeZOs zBI>6rS*emlncHhcO~aaqIYh1Qs*EKkn6t-bE+4d+8QfoBmz!V>0Alpf;Xeq1e;&LB zO1gZa+80*wxc9RXzQF5>i~NBNnMK-N>Mi;-dF}ID-eo&=*K4KUS=QUjwzUKt?)zqb zktoEd$0P`$*?8r^PdzJz1Qa7Jf_Fy}aQLz3sOCiIDk{59)B}>Z4+4xIF@!{C;xQn! z)+pho)`&TI08*w!m$v~dJUTzkM=Z6Tn1?9vFYial``8olN60q-HQ9Gvi@Ox7+mZq| zr^CVYEh|@Z<)E0$O$|{r0Ltn%qXQ#}5V@6xiH%h7Lpa9?`JD5CmrpX`j_h9vf|@n? zlJ5rVubv{er2+Cg|I>U7NGSp8dV8y{-KvqbRbyO^IC>o z_)Hq)mG!mbon2t#{b1y5V7`_N2qB5ri@7WphM&Xz?%Rd@ixG74(JZ3I$rTfOX$U4M zM1cOu>KX}*MP#g(B_-NJ-V>AqdR?Ti;E?B{Y1d>`C5l6y6}DL%ww|*I^3c zvD@N2V5mnpK90)Ad({g-D`nEs^;8_<#L7eZk zYI-4;O`U^ezsE?^b=yX_A+=2xr*dw5)u72;_+8)@>RTkvtFKTeDlAQ3k<9I2&d^wj zWh;1Qk%1cuTD>owrrE-5k+kxE{iDH8PKpRT>t8XP$iMqDOY$O1r9ozhRB4G z(Qsd>-fa#-5XP+_0+o3`>HcwEm(6@p8_M(H0_|P!I&ITAKtJ~5Hs0&aKlX9~QyEY= z?d~Q4R=S(SoYJCVVpQw%*8%9k02|gN0&r2c&oDf9daT`sc8`{mGP@x-*QNf&XUsxr z*YmCKJ$!&B_W^$%r&O`M5>Eb0B+r*1J1XdSZ}c`018u});%Ka=puG;kM384^iNz&y z#|XbYu1hq|KQZ&#^_y&Tc}}ipB5`0i4~Pcz((?smpxKW_g2F+{iZq9xU-=_WCjeAO z)6rRJd*loRfDABQgU8Wu;wsKJZ~6IQI00!4 zzd2SmMfqKErDE%tzUvxRnutKw_A;&LehC=LLFQ{8qu$sW>b_MvWL2ZRNqCcmkS!BO z^wxV?<1#y2QM5WkZVHM-V^$`lh_DyMRw$^(^w<5bJ$QhX@NxEfYc)ZQcB%W8ZtYUN zsAzX$ja-SXzc^Fc-{w)A3eL_XM2(m`8U#)Yl7Tu5!W#2X5f&l{#Zza*IV{d%Cge zXm4+=I%o-noJ|~g{rNRSnr1W*s`vHQ;v*749dGv@e~R3XMsAp*5zp(XiLU$L?{sPIXvcah|`B z2IVYy=BU^tUgE_x`Q-hFkd4iCS$lhXhx3DxIt%FB+}!53N*`^z4zGT4I4whg#}|Uj$pqZbM4?kT}VY7UwVU& z^&5cN+``{nJ&=KKU&(uCjHxD1&&Ku`8waN)muZZ(HpH}~QyZVHv_;qT$Yw21lGu)%p*K;mM>xC?cIp}yu6^y*#w`utY!T3q&IxSI+6d-(%HGv^E|bY zWvl)qq%9=e4-9JWg&bZqz|~#4xP2y0w-kCkl9MVFFVNUX)oAz{xCxPfOuz?aoNm~%hVUUVt zmP`F>C`KuR$X!O{yIVCO&Plqa0P?kIUw*DI{2;I1;zZJ4&PWqTh|lYLgchxi)(X(5>rT`Ysg;{>-(PjLKVt=&p`A!X$>ZeovI%hBB9Th zA>>Y7*C~23uYkwrbTCym+B+6l(*taAm!}C57BSLU$PT5~pe+5FxrR8?ycS|TrFXH`=zE>m+}*$1Zr8ly}h5n zr#<(&b-CTvEj_j#aN~sSj*>LPupS2cHuzieP@!pS zFmlQ&9Hgr|@YHqstw|WMgbmElMtvOR0Z~T&hMs~#h!tadY}dXR(^3dA^DRABzb^_z z_c;yY{#0^*{HmL7ezfPwz53kN5vfg=DaKIMat|Gc4jKf+MOsx=70#PN&W4MWP0oe8 z$?hm_;EQarX6A7pwxH+4BbVQs%%|SNvvj9qASID~WBpdgE@i!VLd) zB&2o#TwUyBEP9p$pE>)^{XEws8JUSV(OhcI+-HgK7Nm{RU~A@G@kgbCO^xrL1rhRL zo|Q~Xp!-ZI6bp>9PO$pQa368qg%e?*^spGIC}>ai*xZuj;^O^tb}4PCq@yOEXrbk- z4;-Dc6V6MFzux=`h?<+n)ZC*QcyblZM!!(Ib(fy?Ehz~psV=cw0@NUe*xH9P7qu8X zL3wujoxdspmL8=qEC~IDc!0E?Udkw4lP1=30j$X9d~KT4LHV%iS%ZL8PJVt=Le8gg5-DU*Y`La|YMy*V}%l11D&r34f_MD&~ zhyH4Nb_NEm2r9~PvN=E1Z+8-WEPpx4=j!hyw9<=fwMr}4RTU&M;I(P*gkwM&qXrtC zOpA|;OFaXhK3bp?Ith}(r(5RK&?D~)g*-p1sy=`9Dd+aGrC+5Y>$qEDLc;0kKB-IN za=KYZcQ+0BqP@$@s|T^dfM*x$u5uEKuv4d9;f%Vu)!bf0bXzcop_$p1u&IPAaFr7!F;R`HDPl-*~HU9!s^vWSEPUfj$tcWyt-y~2DL z()n2u=~R;ZAyf6aIE@?4MsLG`OlLW+CYT^!r4Z^yF)WX*;==XvCR)Bjp^)J+g+DeUIQg-Pu}MUS;F(bfB#;X==v6{p*?^=?;h}GQV?V# z-X~r9ouI1E3hMane_!Gih#qrTcC@2y{f?x%;Rx>q|4uW`i?sUF5RRH@l*b~u+*<3e zVfJV*BwtjLX-26~cNjI)VKg@n(siyKHLz59?NuIvB->Raer*H5Wc`g~m9dN^p#?rt zW{Z~wMlK3Zz`0rI3nw0^A-;8*+`zi*VkPxL=Hj?b$T=~jVg})&EP!z}8rzw{MuJKDmEV^I;m z;zz+`cd{7U1v+uvaa}>4g@%Kptj#)K{2$-;^C^n-j>{Flt5}3wZmMwTq0RWj#bjdY zqa+TcY2EWePA)FDJx+x4Kw$?6W$5!+qS8xbYy|6l8opJs2T@S=9h~!tXLfTU#2!s! z<=E$9$tR|{x!DFXOuB}+8l9b;f2e_9#Qx_6zzX}ebp>*bJdBf8=9|j5spw%AeLiYY zG5UEGY9_8nh|bTeSl_Wx$n7X0mwQW>;T*R7DraYBljg3MDX(bTDA|f3x-(7JJe&$& zg3r8JFAN4gPTIEtl3nb9jc+Y2ExTDl=jPI9M`~3aWsqMt{O1;gFbE5;X7gK#zuQ83 z%96CApr)t6GBIMcRfprT9pBTqV&&%Dv8N1$E`CfiHbc2-?FUM0aw58ZUmn&u))7xP ziNUv!%gF9Pq}(qtL;5*n!C}rGBZDRA(9q}I8*-9SRE!0+I~Uz<;7k1T*b%EB{02cv ze|fBbB~!=_vR4#0<6Q!kQ>zd<`c7vrV;{lG4b{`zE#+2>tf62tL)OyLT43$HkofMi zvFDRIPWu^NCGTH^;+hHTpKeOwc_JAAwqm~k2C4uE)3m;m4xlVyV9w-z_1oy*9s@ZW zCo+mOMmM}CU(p{HubxD2*l)Pmxz)7a$oZ8!>4nnGGnyq`0mYai9hUg`_-j7)g|Dta zr0`tbR=NhTXDE%bLO1M%rkeyxi?OeUVjX`tDw4VxA%eKi=S+4h8L^#!9n8JH)3H~8 z4z$NE+mkT*W*`kyWER(jZ|iD;a>6m)&KR&`vxd5ZF_R zdQ4_n(`?N=Ky9R)C4w}#UAnivBKn~knjpZta{!uJT0_IKVmd^fk(oJK=zK--iM5R8 z-&ga$6&jeKgS{F*N*%jZEc|7gux4(?)=r(7l_7SC%+uRf%5Im18(unw%|9H+X zqUZ>`a9GFf_Rh`-^TDhR`N z8Vd>r4Q;t`pni{s9$WgWUHB6Rk&Plscvd+8Ky8V{ao=_Vy_Toen6Tzf|U!A+iQ@^vep-YMbrvo~3&TBqnCnG(v zJTpmDLiI<1Pn!0vZEQ%7MeHPyUcM66)Qmsdh;Hg|v=yWqxg0rQx7f|bN#NOL?RP7@igYUM>#Ise?tq3AB1O*j z@bRYCqTb0c(M-grd{H--{yJsgdtBBW3(>GY*mYIlSq>o*bg1?`NGa;{v%ayQ*n1|U z=YBv_bCJ8Y7^R{R4udtKI^5*Nz5WJ=N$K7aaA0E3 zOG~HfzQ&=LeGB2?;VA{w zlfhA=i^JH=ZEOx-(sSHEa%Y{TQr3jhJ7G9QL`TxZYsO>a5>Xo|k}(e2#MA1h?3(QC z^e10;ojd1)&Fa|Lp}8)@tD5eUtdUHx8Wt33{O5LqKlu6KFDKO#F6TK4AYs`-P;*ds z1ED@)`qQU!C$n2*(oSv_{JT?9#yea1T^mO;EK7PWHg&4f$4f&|`828AEFu&lEcZ;+4)OytTxK>Vn(X+J%`^_(?exSVp`2N1{t`OkzQ(fGw;apTMIeL@D zRPQ6OsKAD)h`YUiWa|^}bmk36PV1XkKD+(iy!|0LepF~!VZ4+WBv^zReqqH}CoOVK zVG>O`)V-5OZ@xlDWDcjTPI`+jvg++x(F+s4)^{z*n2DRgVZn~U6R93+IC(E{h)7mQ zr+KBm2l!T@0atXGud5zhT;VofRdI3gEzGC3|1F|e!tZW@JjB6O$}Hh`MMzAK?Dj%! zW8@m`gU${Je4%6=vegxz^C3V8Ni7xlQ=itFwjCWGl0QlDS}Ttn%r^yCj0=e`-L#_Y`3zjA9IO3{%DcNy5uX+s*X< zIX2K&l?}qhsux!&`gF-DxI}DDI+%BxvlQD0K4q|*A5vGTwD#QOsb8`?x~B2`uixMc z%gx9emns27%!f<-V0!z%*Z=eXt}FZceigQGWCog!oc)0^OZAEWAxDAM?g=aDg!(Rs zp#Io|?JIsEGg(Q1T!)m6^5t)=&0iKsObLAA-p=GW%Gm$ z{(R#!-Qy%}CO)C@71{@Y)1K)5lNU$w5k&u=6NSCQ0`~r%4bF4%cV)2R+n&kdmhCTIy$EHZa@?WlP1)byFQ)Tig~}IZfNN%BgYQxN*QWpSvtYA8({dee zQE)8N`MrAe>X3urDM6*sQ99j>`?B`NXScJ!&?=!N)SoN1D@Ag^TxcJ-)LdmrO-Nvv zIp1_q9DZEQ0$yOJ1Hlj00#yh2(b^56W50U9MA_yWk-OBEA>Ek7p$a@i+B%j8m-qNRI#79X&Kd(8^>c<;ZK8zD;){e2s zfCysJp^N#N08(Kf5R{~17^vdaB^v=S20&}B+N^1UJku}x{^!%@V&DSIRx7^QrAAH9 z$f#jlGFgyOF&dO1Zs})DOo(9+@;+^&6r^PCW_FnAKI#DC8{&}D|C4%wE1RO*%qKQo>0&ua=Qj>XgZ)#0-Jzf#Co~AyL%V33&=gC zy(}2Q2t?#d{=GA<)mN_4-)a)MxwU}C1SSZ1UCE2dxA55vQnWcAD=3|yRo-0 z;n>K$Hlwu_Bxdrn5Hw2zVP*zuPcbD7Zd;?DkeD!)f3X|e)J|lYG)Kb$GTR`ZiVOzW zE`Zt9jW1rlbWZfv)lCM8Q=hPJ-@g5KDj@{}}z0J*8Z3T`-rXxY({aw9n8OSX4hB;R+$3xoPre%o zp?Xk)gCk|ZA|YYKj~WMcXJxtZD5smFZ&R3GkEbZpedi_iFhX6d?NHsf;Wp0QZmW6;ecG zBn@aPa9%gVc;S4n})H2L$aSUv0$J)N>2fW@+ zDKf8x>wE2iq3!!+nI5gMMg!axl7YqWEdfftVegC2XRt6~o~3ceh5Wpph%tiRn6T|( ze1CmAh6jI|7Z?^^dsllTS5e{ZJmLzs#qZ9@mN`e=w%#hF?#mQGAt5&Uy*LPgAVJmx zlL*{^qH|9gr-{{}1cZc6p%WTGf35GA8|Z5V?n-ctfudxa8sLItGXV^w0t&raZ&JXm5wJ0$`K=yAN%8~%DBUF~o4*LE)W2$i&atJkw{2L zpnk}tL8`l#{U-5#;T8*`lERgaC=yn{i zv_X094#2*2V{n@YQ6A}Af<#A0?{?{5D5IgF)h6?SBJXDH8VjfhKdZ9N|ILcPD*YmX z{#ji(bvzKEwFAJ4E`g)TdC6op29b;Ei%@I3RMemH_M1&p2=U$Os9{o zPF5LC59a@hq-8V8O|5Ja>>OxE;Om=Mv&J&s7^X%Luph?vYBqfbO6T~!^(o=-* zbCc39p2M^gw1UmdzXJFyMnn~>yxdG*^)K`Ct0X^M0c%h=Wj46-T#1~9MgqX2M)YJD zfCBYA`m)u@_j;P>&7k3zpG)`%sTJn zGZbKpAG6eNemcp$@52Jv6-3^a+>B*@3IgUEH=V7U3PomS zW*!EmxV6OZ9$X&RrYENi|7|6Jtzdz)GrFZomr3r@G>3DTyK?JdsK|S$!V(Pw!&<)$ zp`5Q=1((UpEDYfVKPfnH*RrWu#OHypmwAjg1NZAUQVCo#py;moexZ5!5(WUf3t$LC z3@9TzC2Vhhonyc3JlVYO`0>%s-qBilGQrPnflbSMm<&ZgOD$FyKng^kE)0-YwLiZl zcrRARK_=?}%z#HIT_(TWT!s^{NE(odnY#XcexB;`=<-6pMAr8|OdH!aLQdKnbucSRYn)PHyzkkSyhVzel()P`(dE_S1>G>a2M`)<2#eb+-9tYzQ`TD>7oL^4K&l{+% zq0s6i;;T5>`T4kc3>9EBu_i#Pq-SNx+1Ri={COn4;t~=vT3QK7pkC%M?Y7i`m>@$z zag_*h?0zCF#XgtbCmXgtjKBmq8B>t52Xe=^Up%!&ky>a85h1p!3tX?Q|}3e zDIqg)LbbFQ@bK`IwY5FIdW|9Sx%hPs2fuwA&9_;dHpr_7N{&mYNJvQ1 z;^HqxS=)`CJmI(XeS?D7p?8W%ptXWFRNycUl**j=W{M3z>sUI&XCVKfHkN&Wc%IvS z!TV!dmL2^-SIkt!_PXmg1fUck%O>pc{#F}Q_y7ZQE*5|TwQ7$9&Zclm4+O2D6Po|w zo_NvCPPk-!`{}O#a^}_$Fi{{Hkwv#=JQ`h z>n(Q2tp>$Y69DZMut7}J0_qU`zulVsw}@5QFZ|~E!EPfr9##}}APS+AjSh>lAWqf% zZ@-R?1=#;)44!NM{`tTG5)u-s0rT8VfW;8ltnxf@D0%l^ss8;2U!R%O2o8k*{?EO7 zhKF+VX4IDF65lSsMroCn0Y@tajIGl{3}6853ct6u+q8Z$_~GBb)0$gZ#k_n;>&00q zM10_+qEg2BfJ;Ws@ipf}Pvx>YnZEwc!9jmu5eRH#gnb3hCYmY>(fc+iLA9fxZHEp5 z%ACPX*Z;XDplhz6z6c2DIBL4|a$9~Mm|k67JqXp_5A;+NJV^)FumiOG@>$RSMlje$ zk(d@#wY6EHP%dRnO~%E=A!Q|{f}*v_+Jsf!ob3GDa4i)TI;VrTPv)}S&n?=t*m7mW zl)H%|O0y%;`OTMQ_LRP5&D}#6J2^R#4ZEK1?|*HQiit^FRO~qoKa+;2=rtNjN>$2F zV$}SU%>uUu4?ceM+pPZhy~9=U5s2)APV71VwaMgtjDB%(gf#$2x~SfC8hv3`Tsm0t z_U+qJFi7fTtk-+kT!8f#t@MYkQ^YHVC^|VEupmKoR9Pfi7L}Ei>1kTWn=KwQv?Hf|;<|^IL6H+zEgke4J$7_dI_Pas*l0CMPzdJ8 zt^5GFccgMdIlUSU+vr#6S?hBiq5i3k|F>*@ZSwo~l^Ty4wmQJn-h3h9{54Ju%chaZ z$#vNlmvI>Szs)1;8d83(3KUv^F0{B5E2F1Zg1ZnatDsO)$T*TahNrBfN@21HB~HkV zIjy~3aDC|gVsh65FH$=TkEbGZ@`5XuPCC3z4%)Sa1I1C$?}a0&Szj&ta6v7BGf5S(Sna zy&bx%^hMQgA0a}TU)8|%L>Pj`LVM;khW~Uqtsph*%nAbV{8V?iMr~;4C4P0rgki6d znLLe|ck_u=ot?w)2xfO5lpvce|HkG~3ZLcqtd? zJ7oGXyVA1KOg1mGvZvy_3~S^ncMtx~!BKQy7`Zx>!La&e`b!C!&Q}kK?mNU$)3vQp zse$pmz|?8@JT;$2-numOVRn)wjEg?Q7HeuupbME}@HD|h1@ zo}&?fH2gz9u(=`=mt(7#n@1a);7PZ>hwwbR*DFw38q7%uWunQzBj&U)vzA%%m+sz( zPURJk;>U))EfRChmC-(fnyod-dKus8bP33ZK+d_?@F--o2Dze6cg=n3ZC*RA zsADJ&nQIH9`)dZ|%O@Vn*h#;;IdbShC3!QlKMlv^?AVxy>IYI+tu#E*?aZ;UC*(mjro{7J?J<`5yuVAQ;uiAgtuVg>H%})w!4k2^@mLmKbpa z!|(x62IDlnqDt0yA9PkS<{PJHdA7@7QJEQ5twTdj1<-QL?_F(VTTyYN_X-%I$>&>X z+M7|Sj6XHs)-q&J`jGZHn`!Yqcf4;@;56Y&1lr=CtNOsxw(U#k55V+ zO<$&Gk;Uxm#PxBJ&Xu4Gt}JU8nNg9L00n1U>#I5M@12$9RCE|355*+yH{_$7_+s z(KUQtYNY*geJYWLhxjmOB*vjYPW#?!S*+)Z(mQAl7gKbsI;ERiM(N6+Ktvef8bo<8 zGbEgTkclap^7FT}W+7Nn+g`E5EHLO8NnGkbW8i;Y=YJf|b=7y3m3rFCc(n!tQQ$T0ihz<5sIAuD<&UBfj`FHiAHeX@qv4{MCPyqeWL(`zJpv$LL= zE>D@Cp2SpD&XvJb-83t##_AOZT%LB0b4{46e(iTy{bJ89MrPDTi?(redZM;(=MGU8 zcvp<}FP-;~P5R?0;Ts4Z-cYHBON?i&VW@}IOgx1|fXTq5@%^+5RLL5SwG-xg<1spY zGX0&SBal1S>DEKVUxWd;K$JKT$UR~vNsXs2S#u_PkSzeoRIjUcEJtHB3n1;Jae0Q(QxGUxw z7(9c?GyjG&UVu)X_7S1TWOcCs%1b#oE$B{Knz=dR>Cj)r$-4L@Wvlk*msP z?>}@Vkcx^kM2yi;2tIGlH6?r7I)0C&m+l z-o%7JCOUbm>-roC0*fbi~OqskuGBMXyfam{Pi2R?8=(B~W1$2lC zkXa_yLh~v+GT*|fo8GB*Noa1QH=;|9t@w*UOhVLbdAI80S-zH8jcJV)dsiKsUCFU7 z36|p`)?r}DwPRlQ=ajB+?#6V3Z(tBd65?7=6Vpj{87cBt9BJ>AA{UScCS;7cz%bWc+$q53J zi)I3fd6PkeNfa&N|-m@4+G`A6y$cg-}_$z9%Th4;z|cfz;s zbNomw{99`NVNqDIiqVwRte2lhYwIq8OoFKS0PO2d>jx(3eYdYU9AU|WTJ!SBys|8H zRv}-_O)|h#h6?2&k%Cg==p?Psav>6u1RaTV25U_M!sRUnZP0ZlS%3*GfSbF^xLEYr zYtdv4DkRQ+lAR;=E`&8_!{zs}>p@#Z2sa3ZD^*LY-GOPV%7c zh@#IawT6o{cpGKyaITfql?O~s3uqP&=|6i`oy6{#G?~qO^wh#bFwZ7BR(qX+i-xAn zqN@p4<}21v7RiycqhlF~>Cx?jL1GM9t_seYPBq5qiEO+K_M{zuWR7R~^OKYCl}@qM za$w-TZagjhKPes%pjnhlOl?kSmhPT2m+n6ACKm2=g2sn%6K0%HV32dw$;t@cofvfT z-5I)~T5&xEle9AuVlBiio5z|VPfWkF6Yij)J$T}jO*xdl#K1gcp){`5>o0l#{%vex zVrmdeY#b+WS>eqt(ajORLi>uQ!c2@->cyDHBs?VW!GwAF(~(M2SH@L8@VCMJG%)2;A) z78AoY*|FytkNR_E{8@Izn0Zi#cLFnj|08em&)wWl^bK$;Eqe`SJ6Z2ucxW4^sf98y z7kpj2Ys=Z$;z9jrVu~iKxx>s_DK=G|5_k==k!pqxK{=RZC9{Jm`=3i~Z7bgpMc$il zqw5;IFT?Wgt06amD+6O*1R93GiN!1fFYlvoff6;9p7@VS+uCn~DMWKQ?%m>JRjk@- zmL!e!N!V3BZH{A(d8Az4qNQIF`81!*Q|d@$IITI$iipJLp+y(YSCpj76TgSQwY!>A zxKupC;+`>&dK2xdn#X7A`}Au05_5XVy*J3L!UrPIQ2S-o`orhG&UGa};KWQDt<;Gs35#6N@dj~fb}f*=%hNEm}sbtxcWIHxwP*KzFTI(^<0 zuE)la`9J;l$0JxDF1X0{(IL~`Ybu%*7Kz4Bam@&qjwehU{>A-q8~nd;+n)^r0*c!?!Pinm>ig1{H|P^ybH7Pv2wLqXo7%8 z#G{jZ_pef9TM-2lnAK-$&Ne|-Gv3nQQ@P~ZBHuyNB|A0l=iBjmd2jo~+ZhaAa_PndNcSP~YW+Z5bg`bMm@1*b;{6LBS z8ZHQ+m8-pFaQH}rE@eF=D;lkpvwUnR>D2fpc}9O?swT$GoT?&NIU_xUn8i&?CfBmQ zO{*QMrqx|=UC`cW7HAYMqFXff|H7%MFX^177rOdA?J=e=MT<1Is_x! zz1`{Hx20-~I(TdRo*roC6?eZ*6!Bs@^4Z-}57sN}3sbGsah)@F=<#2P$Tuu&%+(s2 zFvMs*N0r8Ct!s_@2_5;LckjmnA>p=JFK=a#6#z(sAF26j`+45qWz<|VeJj)^YN%AE z-94VyH$90oeu{6F-JUCXF!khp)|)S$>UgXB9JCf(IpQ*j50xvernkm>oiL^}VC`Dp zHpUWZa5$?uy>%ik@+oAlDc5W~FEz@|TT3s`FRkc|CN-u=f7GBL5w8}L+jr?A8#*8K?rACu9Q5{B1HIt_(_6&Cm~TLGdy2F zPu@CN+*}T{>6>&Rp<4qh;o(eXvq5(3Hr!!t+yB7N{xhYnhXA_e;$pN#aZWRG#U!Tg zMRANfeMgDIL4|1-R6RKZuXbLyCEE+`pp%iEn@fyZ8m!u}V-ZUptLOd_v~G*OycHTg zq6e4WEx=aSf0=IO$vfh}b#|PVJnm2;y|K6OLGEeCLPr{)r7P~b={gn((!eRI8VGRE zuOf|dlie>n``)>@sY#YnRY3a1qW*=1Pz_J!-~*7?|HsRHO;K_2V>%MJ_!i!djC29N zF5CeF_aM_EswF@xK}*Ljy8@cDXp#RU@>S~fxN!!~v60dN*#flax$$PrzP4P^7IXMR zOOmC*3?TiRsc_B2hO*w2&0H=`@|Ag~I!;{ZT94(`9Ib+ERV^)=it*AOQC-HF8K$n7 zg276Uq4A5t)`BX0zqz^h4lRq03o%9d*@k(zBeGjK*5R>5A2aYVxZjQx_v_@5X3X~w zc4}Z4X>!q_t7~#)oVpi?XW-@J*G3&K4-R|Tv&(DmXp(&T;Lkqtsc1gAqJ)N~Ra#WE zJkK~fQJXp-fcQyiq>HAGN7FVI&!xYnLpPUcO|HstNbfjSpGigQ%n|ky28qgedecd#nw44oiSk#5JnQGH>EqRNM2w9%=ISzEwfV0XwsDWy>xOfhEv7wZ zW-S`Pce}ChX%d@2I5_lmRC_xcV2vxd$)zqPr6!Q8(3VnUeVJR%4mI#?LP9!SQy0R} z2#^-`Evl^Bb5X!oOUP&5Ze2b`uW(msYq44%jf!$D5XLKrez#f8NSg1AFRg@0^Lwd~dfqNM>B`w`U&XZY3fT#Cbgj4lno7xk844JoK zthx`hL1Hc@l#_qh_BHKvzVgT_bb8y#n|}nbIWbq_xJS$Exj%)XXgGL~;u^LB^<7I65F!Sqfuh*zvQD zbT%M*(2b5UV{8Z}4to2x@4kd=+{^e?Sz=v0#=KKwk=(vMtPw3%N_JJcz7IxL5!VYa zO?v4vGuo4CRLXf(Us#Q7_eW${F7&Aj@*c_qvR53C z)ln*S+Pj)FA{-M?YgOXxW*GjFg&Z$uq^rMJBj$Sgs)bc*Wq6f$g@yKG%`2xvn=ametepFtRxS#CgKp8??@{dN@sd~7+^L`k z?!tfAoKjT{F9+$Lml@NsIt2~~i;Ukv&dca4_j0qsMurqn zzs#HD)ViiT{GeB>LQ{gWiN*Rbe;gEsYK+aX+Q!>kS|rTx-P7_s7rJ#t)1y||8eQZ4 zUa_pCJtzz1%3sumLSF^HLWv%YV=H(T#k9ndG{?Xhz19dnTr#W3VGjyM8z~+%Ru{;X z)!r@8EYsD4lH`dm+RpbgsPf(<;N5lln1;_|JNHQDQE+sSR=-7VmYJWO+AKJy=)nOoWS+S#QJz(K(cygbIftHVxx=mmdhMV z5Q9LUVy{yAk$tk-n*=`FTto^?Oqq&?o<>2|MOF4jN@dsn+{iGwuAX;L{Z6PNwUjol z-g}CivYv!PP54K_`Y3{=VBaW$N%4Pqy}$&OqXNpYnSk^ZK-yLb-O$g=&0VN!IxoSJbxF?^b08r=( zv2<|MnZNSLaL;&Cw3$XnF3ZM9r=r_!{ zPi89@10bv3OxZHENkKw+nQp&>oGN-rRg*$0PMS&o=v#@^gnc2IxLT;hz%=H%1*Q93 zc?@^SsRP-aOb9(R!ugO>X$Jk$WAjIEbt`fz53ipBnX1Esi2%z4WKeQ_;d4!PXcuF} z|9Qaz)wogDs_}KV%Ro+fOVg~)jVxo)WObs~$MAxF(x^&BIpdsK0Edgt?NaoLAA-Tm z+|i^bSPvm?O7)$JZatR9`6qe%&%0KQHGtyl!tV))z9=+U08Gs0=qUgcBbShnSg!w< z!O}aqP8$Bx)g;;q1})mB&t7fD1PqmYc5U!t^Lun;#`Mb!EuNX$?)%ndqi7_H_4reg zLWd@0L6L}uZdO*fwOw&RwyYtO@)gth&CvFxBf2gwRryu|hr_o@CR4@GHskD??B;17 z5rmxIDr=AzX0N>{D@7xDiPKzCQa*j5b;yf(V*xXHp=Rmv5dv>AG-ofNIZh)uwz)fM zB1np>l=8ZmeV>ipcAn9;;{hC$j(9NV*{gYJv((rR6HyQPNVLfI+t}1!ZeTMOBx6J7F5XMkDKVVLc_H0%*0RV7n9(5V{1gyY66>+rUzqPgiiaQF_!# zCPYB$NK}L4uJ6EgOIGnZJS+vd4uNP%%0R};#Vq>DR&^vyB)}KV2jPDL9xz3Qre3M< zcOS3`_dzrz)_1MBy9Yw0s5{~FIF026V zt|QkEh)+~)SxXLVX_jxSS!@G{RWp{lG9ZRWZbp8q?HiE>@e0)9oGSfyq8d&RL5SZx zS2KeP4gxrX+p%@&^QO>4lT3{&k{0D5-vZbOf-*Z@S>)&ZaU5B%Aq1wf)PE*6Ne%4W zr0sD$&un5@(qbmYYaL<@Og{*NSSSBN^{`r@R2AzQ8`bY=F)eL(Np9wvovj+)BqSyd z0^0glxUHPW@9|Fwu6aLvs9bFSgQ*GVLji=QObFQ(P|-T4*}1v7d5F^x6X*QfH72n7 zM%ij^cT&z}NGgm!9so?5*`4}PBdd`$&`S)u4Yw{eP{~vveCQV6_eMDQ$L*#>)xHhr z(bCp2>iuXN5fW~xRh%>}>oT^vE|kM1)oVJz!>pYzD?7A2#35s4R;Q2_kAYOARG=63 znWGnT&o^)T9?h2-DNlwl9lt&^A8RW>SVGC zDp>al`hTe(^2@x}a0V}=a=&A*3o6rA-9v!-^6_$6qfWci`CgO*sV*m8QY=KaibZ9Bu$-}qO0*ecn%kdB6i=H#wUG&qxxuwMjw z!~tAd?qmQ4gz@(|95M*&BVhiHra%JE(6|P5^JTIF5FA{luw1p$ zBnSK4H~2WN(z-1A{V$*0t_unSQM1LR2vAvuJqHM;1*+YO{kW0U-_&~x^5Z#e^pdt{ zFprnh=(9@YTn&1$n0iwa7pT=uDVAz05WH<7m<|-Oj89T?pPdlk+gZ= zo7du~g+UCR2gqx-(;W+?1bjPiZBtYGdqoCAV$Q0q=eg$#ztw2Ii@tIyE8qNhVD+$U zs3DTz`D>kBZD6R&!Yq?(I^wFh-|bBFkG?Qa+$yW7Sq=Q~y!k#fba+`;D0)wHGijLc z@~Fz^=@Fy`2M<4CYZrX;i->nRBJA(I=*&iM+{+Eq7C%T()7@u>g$OUqfW~NI{&yA} zICwyW863Q6_`a%pCjfvG71Loj%_UeTHCvJ+vvMG9gDInYGrexBp>cRcgHMzBxqpbl^>A*Q)^)2xFx#a8=DueR~kBI0roz3v$ zfo{)ucD~V~qh7A`2e@G&S*)_2ocF$T-(jGjsO7;0XyL!ZA*&fw0@_nldXMM45)xmN z)E?V4`Lye%>qw8nqT^xmW-3+-rdtkbh1A;U)IWUEVh&n#3SJTtu>8L4K=BuEjFw=bEK4%VoEn<22>D~Z3`)2b|w*K#3`!W2muih^j=nDD50lExT@m1(&i7& z+ZU;|SSbektR+u?Sl#k&Nt3%lB^F>X9@l65y^num9X~w$3~jt_MqARhY<)cR7U!O^ zYfgvxd`8X$4BUwVkwbcm&O(pJ?<%73Q=KyU*&SA-YI>_wSDH=5pT6Z1ROlDg{ZPzS zWwe}NcXCP3SP@b{N3UDRJyoKnhfKhWv5?tpz^QQ!%5@9R(2NPGYc=4<*ICsMom|p= ztbYspnw+rM^u<@GVM()P(nRrtgA`&#jg*Db&d z+wNoJl+{qr1tX_S1*-klr&gzD@>N@vG{SQL%l3f*loEA*f$8CcAU{rBB$dOh6o(TWbm-`2(e(q z(lA!UyjKGy>hK^+03AHF{bJ{~*ZH+3+L85Hkn)LgD)(_x6$9>xI@lq1$enVu9>tK} zy|~V&?G35XA8Qk6*g4Y~_14Rb*um!ok`U(kdZxTMxOg+t3|+))1=#h zcF}sXoDNJyc|w)D?R>6ZnW?K@mKP|n{-t$n7z3Zq#wMwUPl=!>^h>ay=LHt`GvFui zgrFWs4uLX>DlMhEVdLS^k_y4NdFu6O^zZ2CKp?I&r$|OcyAmPlvg?&M+<)i6THC3wD5Sej$&Z0rcF9mhJA&!%>% z_+`4mnF307N6UPR7({TIy-`vHBWMET!2oBnj_QUbYmx)y9T3{YETa_*yI0~00}H!fW-|j~Ca)HywW8Ol7Oe-(Gt!5em;I*0 z1CnPNOw0SWKm;>ONY@J+*Cd9D_GVQ?ykS(IveD_>SpdaIO48K?+x$G(PD~q%tCb*S z>tvO>J{gJC*-z2D8UpovWx$D@@LgJ2)&PbQPMhBU(D-FFS6Phu@hqDwb5$8JRjXIv zuax3WDO;fodWp2%shsKg*kqsytnMgua5r($VD>%n%T#! ztc%wdSx-x4km6!HLF#*$q>psc)7Mn=^wYL8M~iFidN{SV_1Ft}n}#X{*0MG^U_cS_ z7@U3trHoNx_|FhFFn$BRnoWSIC&j}!d)_6OhL)C3At%ECRbuZht=h_0*?CnhA{ z6>JafjNBV9FW@umP30$~(&3qOgd)KGxaaby_S~=LijBvk6|rnr)%rRAI0G6VTdi1L z^jAM^ulc4Djl;(MEik|D@T&AqeU+YmB0pgmppV30>S^zL>wVr&+IgEIsR&F@pV*?9 z{YCY{B6}V?I2NP=s!W5-)>ht|h;;#(Z(Y*Bpl^9~tcqIoE(TFGyu9k01L35Q5I}tr z&`xg77!;Dm_+72%xxKsFz(3qcV{|3wN}>PYAueuZI?n;R+EU< z!9K0bY>yQTSgM0nORJh~5P`9^i0~()9eTR89)fs+1*h3V|30(XC|L@hQ8=BtT__r+ z>UUZx)&0}<(0qx-VvW1LE`^zL+od_0s;o>8%m*yeKDj}r0in4QMJw}W^O9Ts>g<9~#CGfj+(Qqtc zQn5(uC(G%&KlD59WY?Mx%N>cqfZ(|k57>+U*E13Rd2Xc2vha_L=0Cuso$*Tu#pP%V z?sjiS+bX2q-Nvl;ZFC@LrfiXToGItLu0n?jl_LN9w%Txl=DXG3UT49vX-ahMS#?@9 z@M3A~rwI*p2l7IO;raPJLu`6nT0s`RyLojy+tKwl5HQ$rI z*id-}HqO?-@DChqEOuol?ux>s>z>v#YxQy)}k%!+X4v z3FE60r?cSbk`@SI5bQ@Jsc$g{FX84cxeshOjoYsKiZ%%M80EY`2$3yz$L+Hi@cFGS zvkv;t{sTYFk+BE}*vCK1GR4E^PT@=PFA+M8hl$938{g{x{{1^_+rEgco=#f2QS!pC z@83g^CAnafM#a$OH0Tn+)2D}Z-u6@1&ds0CHiWeRX=hYJ>Y~q*_lLoZ-|7DJIY1!& zxy|S^pI*%4cD_~nddf{%L=mTUZA$kMaBrE7DWC$_m6HeEYc539k zzs=}d-)q`+8LGFTH6Zyx{Kbw8J`iF2y!Nw%E{2ujjpVv^K1sQw8DI{_?$w7MUKnLr zwIfi=D)F}90TCWCy0TLLYh-xz_hR|{+<;{75-UY<@fV4(l5mBc*)OzToo6&6=5wqZ z<_j?+q}N?8Os{44_CO=P(=yT5SHE))&abfTw3~X!-C%}=R#|vc8k#${t4D#5ZK|c! zD{EjtT>Uf#z$|v=fYfYOQbxFzoKBgth?*|myjSw!zspmng9pUPI|5SVO}-+(QcZekZ4a`||_8J7M5AAZyV? zUjtbbgbZu#WkcmcSflJioWep8C0A!M-vFh46M=z0)V<8QNE$ zy65B;a6(sNUGl{4 zfqS+g2gZMQ8rX8beduRD6-S3FKnOUqUcTcC4{*E*M}+>dQTqF6lM(gp?{4%uxV>UB znU%8a0o9D`|6(D|^q>6ER<2P@RroFjblR%)f)f1Vc0(%aYu{GeJ7x^cqI3jcfJ zAHKKv{Go>g(<&q9i>sa_1xPd2OY!vBDH15}&SJ7Evg}nXEl;A;3Y>xYF>+`X8^bz{ zk>;?P_x8)Z+U|anaTNl_sOIUhib%Ift#q$v7dPzlJi-Aws<@{o^d0)kq+ETt9RDA| zw|X_$26zn;xTwrP9ir}Y}zc7A>+{DbvmVfxqQ z54_efv9UC6__D?#yF=0OMjjtX>c7&b>f(wqIAh!&TNQ=J&0gcv5-TD!LJ~Pz0S8jt zYm)xI%&ByR1Z+O2yx2w)o}QV(F)M~;YXt_@N&OWYh%=PY3Y5e{ZZyUCs1k21)pXJw z92|yOn?`^9h(?wLt6QE=O|m2|^ERCbWkKMiieh79zfxQd)t_t*bWwYiUHl)XRQTDo z)iHRd%Ba6^{l}^0XyZrcpT@+0AN9ZA_=%|^gg5c| zRo@zn{Yd`t#+irberswUrOBy42*9J(htVt(-*v5*pc+C>PF`M)n=VWrFS#;tK1)HSsa=9aG(xCVQ;`}w zi$XxaEXj2pdgcXj;)z^;anxJOxB9Em_MJF*c!}rdJV+K-Um0Im&>0G@%QSsn$H;|( zO%%Y}##<`3UvG8*3$4JtkFo1HD*H5*#r@e$DMw&1?V6(huMD>(i(104zxn zg@X^5*@ow=1dM=KKAcgyQ1P!{pWl=0=;){*F91%*!>n$`vi;QPGW%yaOrdw2yl=N3 zNzl;ORa8_`2IkWrzss9Z7nu*<79%SEao7H&Lir2~tB<^y0u(Xy7k+wpcx(sr|IYb6 zt@n`7G_S7-Gx|>~|6_xFeYxK)w=a{~KCWs|Q&A-tghW%M=bSKk>-3MUs?C(jVmiN@ zI7B@T@j5&@^3yk?Ln*KDftwW;B{KH6gD1g94xSQhyy(L%B70HgIL6;0rCKH#SK)mn z5dtZ-qim-66cVPy6g?RM*2@TOhLw4{+*lX)>+Tlo<>&)~F41b&llPo1S?<}ydO-Y_ z;>L9Ap1W_z)TE@yv)Z{42;+(fxhH-P<@1A{(yZvg7dZCS_D1Z#G^BfU9x_y$bf&4$ z(Pb0^y&&U(I9i+~hSW!}YN7R~;o8>LdjXy1!^=ZruH?{)mI?*;5;tGY$EiBsuXIqE zjcWJvod-^;5JtkFo6jf71DiNs{MKK@;M+*m_wFD1q%@8US3zPxQf0vC@b)>-t-XX^ zSX_*t+6DxMM9~Uj%xPlXk$S0v6a|&t-J6j`!Ewl8_o&GO_L3rw?!SxGC8Kb6jm*q; zbKic{dgw`}Lo8*|ph@dkvgo&j3BJHHT9M7Q_@BW1K2i%<2QS5~mb z{iD;Oym?UA=wi;UH%13>h@2mt1z1f8h!gjNCS$nyEqE6fZL{LmvR`mrUaD%euy=># z2O&2UZKNVMl5hdGFG!3AN>pKck9n2^RCz*3SxG^Ayv|0NZKh47+9{yiClu7Yb(C$l z7;74HKrx`}-NS(C#KXkGLWEVyh@#6yJHE;h~p@SshkSD8&oXW4I6 ze9Mv#@3t-p&AvI5<@JJGlOJ@vAuGd<@bgZDeCfqtor1=tPl za~2pD^-{?efiHH)(slsl=%25MRG3*d;wRARPd#O~ zZM&MOEjQ<_4$XhuV0`Ras{K#~W%kb}|LaH=?VE)B<5#WYF6cXtSQt^Jg}n|Q45CXT ze1bMOR;fsGYd!=&mxMC7oA}+;v7*-OYgh^&I7Jd^Cmm~RG?KLq%5sikJITCDAn`>( zF)n`n`n5n$9PNYGmx=Lt+JafD?0OBdHKbGXa9wTf_)^UbQ<9e)py3$2kbGdSh2pMG zT+4CDG~SV6SlC+8w*`@U2fXau z2b!L%Q!YF1Hm&7EE)JC#9TET40!R+&WMWDJX~Ecf$KjWmT7M^Y#aY{K!JOK;peUJen-Bbpdf~8)49wf zWchE3l9Hh*fIk2e6SwmR$7X3R!nCxs{xW&Wl9Btb@YR!Frz9hZ9;D2&dKQNQg8pZx6G5q^n ztkFZWA|7i>)U{sCXizgkf*E#J5QSJG+|V}S7gZw8fg*vN=!YI6;mT_!<>I%*1QnHQ zLGg(*;-7^>$a=(ZgQ?M_di52Pz*y1>;{d`=USs>La4G z5d#wR`}^RCdP{Gy7%PuXKO@u?Jrq=Qimwt(DER0g)hY4*ogG=!Jjx#?%jgdr1^Wv9 z#mZeD58vBncAsIH;MK(kQep!Bx^Aacr_W!$5*nJ7p`x%*l!k_8IKQhnCMHH?xjHnb zuy0G@ZC!B);cXuv{1emPHX|*I##}aRXjHdj)Xz62pz}Qt)R3s<#aT?ew zpDLrIqf;j#6(XmhklrvPA;*YRvJcr&+6Ai%XNm~@1_t67#MVt!6jq2FQ=vv?wBYil zG{hHmI{2hqj?~E)>nnQLB8=a>!*?uAwYd^A(SU}wKIABkPG3@9#@KCx#3dk|vNSmWa0CCaUnU_?D6rzEhpk8U7M(OW4SDH|tS&qW7%H7+!IgTKp4 zxw>{JcfEnU@NbQ^nzkdv^(Q*ft!`GR>byESPmpxG$si$J7#fvjI{tjXk0$PRkZIKM zZ0Nc65?S6pI5a!mzxd$5(sQ7OeqkmzFK_$A|f+Fvq9}{}_!n()s~zjj1i- zdLGAh7CLwY1c^SkNj^*@;Pmu#iy^MRYPtXGR_9F-5EHBL{JAc|<#tYEcoMXOCWf5@ zkN5e~-XT3DYAo4TgmgjoVMJm)xs~$THa??8l@#>e-dufsqQC*WhyC^Ipn|#rRDVo# z#+-~7{BMLFom=(WvyGZhgWYy8(Z7qC%cD?v5VRcAo+)^AlVWt?ixa7rXGa2w&0O(bn#&@0 zJG_*m>Z`^m>pexM z-_;7oDj9ASBxQaO0`F^GhjRg2)8}o-_}A9>A!A`-MFW-vZv^8*1zAOHnL_(A==Iw1 z=38mQsU!)p+3K;3=li~pArTTrF}j`s_R1JF*k1gA_6v4Zyb^1HtkTUrpM{mxmt)Jc zbbg-|Yq3>EK($4bH6bkxLBuDrr>BSadrq~@Kjm&RhaY8@=LDxj+uZ?Vaz;g=DK!6C z)d7%aSgGAk7yR#``#YWqKxK;Sf1V>T8%rF7CDe|-o&kmEDPKFCZlH2@_O7rtjP*6v9fTOF?6V_B6-#ou52>QFk?DI1s|M~M9(n%~xj zX|v~`_ggmD_aKu&;O2xew+-7hD57_7*|$) zXl*W@-b_|6iG@?O1cKY^zt@uziH_c~pD>qNf?)vyH09q_1-VO0Te=dtID z8Nng~HT5cu`IDI+J)}8UGv#^%Xp$Y8Wx#X$-l6!|>kEalfbuW14B!*-HMAgINfD(~ z^^aQJWFVYvEslDKP=ecmV>m;yn~$?HMRGa>)h>`}bR#)gH7Skr~b|M)BA?2sy)Daudx z^ZK3DpLs1o-0sJ7RVcIKaqI923|XEIDxsku2`dP-zB`ULcdjn0VQHE-(ZRMWKEmA@7b7)nTo$0)-U@Rt3gx~cux_xPM?b>cx! z1&YGp(1c8YOG@DN=Byn{*=`IYo`9H@iey^+fs8YGzS}X*C_*eyKwTZ{1YX^WVmDc3 zDgRU~Lz%VUL>}j3&5vAv2;dBrCb0-mewh7%f}VzjC9d2CA#mvG?@M7vMqruk%C!s7 zd;gWiln^uF#Q}2Rl1Gu|`(+ z&OesQ?eNBIdpJdL|Ku36<18)9Yn_DEuxed&9~T8{E9yIsk8pk22NK+&5Ebu-gE!z3 zkiXj0L#TNr-=mytc!G|{%y%U@o0yR_M=}~3>pLRO-F7%=fulrN`}mWKr6uJ}qQWW< z8+x3v;&u1;*#Z^?ixVNj%k2b!$h4|1stfbxi zZZQe~MJdzU}!mnLtb)Kw5u_c^IQ^e0Mq3rF}-CqS0vkBXyz+gAhs8C+=us zafFs9&B{NKq5B@%dskzO@&yx>;`mvO+4?vNolMoq^jwV8E^F)>;QFP8za$~A-mUqmSh;Dny4Y=$Mt$#$ep2SSz4B)OxX*DO_BVuv!jIql5(;hZ1qKvTC1zbk4Y*;H?y#`2 zo1zPw5dTS)mg1gGNPu)o1Q6g2A1duT4Ga!mt>MG`w?eN4^@n-eCK8vQMwyG9L#4j>RiMolfb;?^QRICM$`(`Nup0c-#sR*amiwurm1 zujgh|7BjMqm1>cckPvG*X>HdF%a;s_eC;Uc$P~C7X1M)XfI{bHA84#a_Jd_r$o2*d zHpn7o%_~aE+%%|#P^i#{Mrg?IgN%qc7;JyO(t^2Vct*d^5otV0dV|4Cg?@1h`&!&d zIyoTd^+?MbJ^ocU9n^Z#(Nmxd!h707>5JFzV>^xD%SWe*b{Ai3(s<5ClHb3K7-{jk zueblIprGsp7(S?GRe{XSi%Yee9J+`lMQ}%lH?h^$qydN?R!AUYerjK$2r$e}wyCYF z!;XpL?gFoY>*|~Z7iSoIT~C&nCIO=@Y22@0zxEjb9RR?{LS24Q`|CeXH3h1;lvFo< zj76N;8P`8M^7q1jCiBb5LFRJ34*EKKcuMF%t!aB8pz@Q|x@s^G!Q{C*rl;3AXT{5z zn2g(sdNgMgR;&tH;-SZ6P{rz}j#!#>zPpFr{#7M~BmpxxiVxZ5ovDD>FmVXWE%zN& z^pjixlc2^=k5}hzJvn7MX?}p57=pR!>gWVr-Rw;0<`VWkq?NuKIR+*9Eo`a&7`ugi0UBuWVRoOi?PD&A?0^mK(JPC;N zQin7XW@{%w6A-;br{Ax&nq{a-SXt5Cq$@B4;8_d0tk5hBMP=)PNkB||&r={ruR`H?5*-^~1C(RzOx4yg|{iN+IwV>4^vRu4l z=HNTW*9c`oG;=&}RzJit1`^BHo#0(ewh(@AmYG-a{zO5$6Q%H8M&L8FrBN`Z+tHsR(>N0fiSR?fDs_K(6e>Q4D-vP*7lM=_j)F zfCh;84Ga!4Gbqrwt5+GqR0rIeJ$WZP=%9R7hi1jF9ZIA(o#1=>?j5!oSHz~$czoZ5 zMeB-?q^oO#cI)SH>1J2SbN-Cal;8z4MJoBkO_{(flxeDfL4ue@9r(8h&0+z#5< z6G_<#S%DQ>e`1u#1T)hXCfI2ihg+>cwQX4nu;B7>p_ z#JG9x^7G1O8}Ejt@B(dMh-PfIOPt)+Z* zL-E|K6CuxLPykH$;sD1;(n!tX&TsS7&Vdfx!WN#Y^3l8MQr!KWKr7d;=}kaDfH+{D zn^IdpZJ7X+zNCqY?(3CMj=KHwr)^7d z611!n1`9^2_`TnCv6XId26e*A8nq+ERI(XuBzZ#H5wmhb(s5>Y6AwH{Wkv7R?$Tr@nQAQi!x%TOTz6 z(VQ%KTt_@Vzr5kTqK4qfA;8uwf=be;`lP6Ma%iE>%48&!t&f^!satvChQ*~^3P66b z{d|32Z1L`oD*#;yXd?-*Nq%+4<1T@g}D;A)6)=_uFL`_W#kqt|R;<+dH z>;EWp{yjuYzF}pp9Re~XMV0x096IS@X53fK@2fSA8)en$myz`ANcc|Y&0NJ@Ttc6T z5fl!mY8~8>=56OpHzl`wc|?)G=t<1+qS|0m$L~h#ZXPCh>1R%HooUCqi4++LV4zd&9V ziu~w|ZPjz;aUMt87!((ZyUJpU9vKm?E*-F0WrS&m=Yl<3jor+7L)R)pgDe4NP^7t@ zR2Oq)Kof7eSTR@yR<_mOS9Eu|(Y`w*cZ%LJhXf`t2iffa=wDN10Af+C{>ZRE)m_;L zeHms4G+0s)33$zMY(XG)A?k>84dTv1n7&q zH4LEt6J`H(UDpgyvHYx*4Ay0+X`0EqyAxrFqHu6?-Umq2w3UD@VrG3jP{uuU9JT^K zRvUD~_r#NTol$qe`Sl4iGtlJ!F#W7v3^>L1h2*i@4gh|>oxu^8?G3gqN|ZAffreJa znD=CDnn>k-zbH57g*+CA1}18@0uE>FPHz$3-#nIFH zI+BWui@$cL9eeu40`3(sDh zT_i+~@-2mX62y3X3|U+xyRv)H?Ag@SC*914aCx`S9bygedRT zD?@4q4BYaD4Ix_jaHalFNIksY9{DCB)0(tKF~pT+>jT^>!2$50^`Mcs7e4$(iS~E3 zIH0%Q?50VG&=G`}F+gMacI|aTI*Y6K4}_dB%5|oyCbYGWZJo?^`c_y9V7?8p{D+n7|$i=zO4#yWM%_ki*S) z(gY}SU^ssbjf&DUSJIApUYrvN0aES;+f@)nSw2wU%}Efpw6vTyowQ+GUS56&3>Jp- z`B$FXAgfFd9*HqAevG>pBNgqliJbp`Yl{)=+n0)tu@q0MM$-#&99}3Mbn>)+)Y_JE z3I3$tPU?-|w5lLD^dq|0x}~H<0cg_KexlpXWre4qb&kYA74tfNQnFXBwQJQ<;DI*r0Z-N*?XLWHf-4-fY2K?(6E5qyJ!NA_(E-qB@8Et0jE~HTq1V{} z{ET*PhPUUJ`zZUTSsiil1WGzc5?-FaV*v_N!V&rqpnanW^{ueMRsLkj;*+E}YWd46 z+~gbjNF2h55m4~Y5=D5RCguG&ZnKF`9i4jia}&sDf%G@cS5#(tYD%1GYAA_8M^j!q z!IAdhpxXPvoiuc!ktSlo=(#)RS3s8S57udMNs(xPL@ILFuCV4(M{MKbO|_tFGsbQH ziX`|*larG}5juvATmn-1w^rRBSRUEW$~S;9Uz&MM{mcp1avq+%FgbsjP9&X0>}@)2S0OgL zet?1G+$wO&s#(}(f5JH zZLlhMF0jyF>HwEgiurkJ6y$a9dw(b}Y~9T~1JE>^MXKC<^=VmYiX2!aFE1|y94$D$ z=xHt!z@vDF>1|@tUylyZY*C&9JXb9Wf&SP+NFJad8m|6~Erb;9@I(d$y&m5O^nU}U zE$0H%C7)yuR;B*rQvFS~_~XszXy~boy_qui5P6WetJ-R~Vfw)0Y}(hjI3r*Td%AHZ ziCAVN1LeiHucF5mOhRbCjXd2j#?#Fl2y3rikd0d}RSE&l^hVVtQkmwwX$@!|pW4(z z;d^y``g<@(IT=161}sqatcrQkhfrJFB-Hy0eeJypoO8ZqDc_J_dG+d5IKt%jpQsf6 zXNvYPcsV<+lXtaeC58unNeYeND?uV>se0?tgtEnRf?pWBEiX^qiiTacO8@Ho)*w|1 zW|T5e(}XrdO`mz@6{O2h5}m3pD>w~~jG*&(z!nWUgW{t80&%k6KoddS0jDZcZig*6 z2Z+aZUj%NhA@#!|mmcx{ixVh7xt2NZF=MJDX|yBb&NcquK$kzCJB%~|pQmVTP9KEb zy3=8-ZFV;g8t?Nj9#ePDw8ld-+Gl|t;{{Tw+^^0;(NB0kA4f?LmSOP3Vt;tgLC6U5 zBZ51w(5};Y?m>vW^$rEQhy?f&K6VZ|mW zed|q?GW&Tq<`ZlI$HCWmO>z9U*fzAp=GOA8o%?pc|kxMt!n z_lT5Ydi}{41L|8cj6W;FC~+-1n#5A`6-tK}o-mMpC6?)LDU}|U$L>VP2G1=%=DkQjkOEX5tTAB zGA<5;0R6u`C!j(8dk!JN`EVwMnx8*Q!SjM-VDLY1>lzm{fW_*G1GA9(c7R{K=l$Yp zB0#eIJo;iz>A#Er&q6m)W}hhF=%~6Jj;4F5*vC~gi)~j#+t@{&f1%nvKzEKR5xz`$ zXNcF+76?5EbmF$H^mvHars*eEdB}DbhlZJT_>l(Q@RUuIcuF895S9tNGt#L0Si&_+u9sL9)q*mL5B`C{qCrw zuuCGehXl6>fE(g*HcD{w+;2y$X2j0yFf?FFfWwrrwdWc1N}^Tlc$9LITF~J0mrUd; z34t#zC7IpatT~#+4`_t;?v!ucg0xAqRm(I@gcSf$Ewqmo|G}j{WC)0hhums`NfhY; zB(_iE04S9J$r0iMtZhpLWO0ATF5 z`g@1t+1)FXUm)^-Z=FthIOT55xRA8!BNs!)#%F6y24} z46d-{I8ktMj_Uf2&!bALL!nDUiyOWf^$9;WDqHfEd9XvP=nOZ*mPakK^0$NnG)M48JW|VQ3_!@M* za%kur1<0)iTF<9aJ|b;ti+HY>G|Fj|*?l>`VmVP*B=Q{`8}px(t3XR{p>D9{Nag$( zyi7b`@#g%9Ws%rUlaW$ZJLW|1Qo^K{2%5JXF5i>v#Vl2W^(f%Ju=vhTb>ayBy0aiM z(X-(M8BBup9UdW;A!UwLmvONkyICJ?2~vLJw7@5E9Gq$daS8R#D% zTKIjLYN{zP{8qI)Dzd7^0h&rK9spVrZ-61!I}t@JO)| zRs{Z0%oEK%%>TraKQqt|gg`k_h6GZU5c7yao*u3*?`tFP{Ak%fs#0y(%WPq>ADeq& zqNudUOyS#gK0It(!^^;+D4R(a6NU*|f4z=;7WgHGzlSG{-E?S&zRAuHp3T2BC#S{d zVzk~1OCI=y^6hU-mw|=fZ_lnoGSe{=#@7w7o3!a>Xw{6JjEzShn4I@;sxYBrrYc`m z1^%*i>LJNUVwAePb4Kw$eAUj`zxJ*db8}cPEpSu6sJ7NcA|>?xXVxMH+{^;c9T7!o zEP$1#8O`C}N&3a}9Kl=zOQ^5#X7B4IFe-?xpsa!IV7VLXEjQns8Lk#wT&C54(_j3; z80tR&6R$edT^<7^Wxq6I>remMh6Y?SYUiYh;*4A2Gk^*mDhp`Y7UmZgreg7-OYb}W z6FY7wvSp)J?`9gd%=qu;!?T{mq6iY&+xgsXx0BjV@+&<~v9BZl@6@&Ri|>f3Sgv55 zebfZ5s~N5AP4N|OwMqZAid`r?^K=|ao_!uDb_r~Y>J#En4;o?vt_S=!MP(;=?X=}j=1{h@7&?U=hVF9ip*N!kKb?$Y-Wy6k5T&@*Z zcqryQqF1h(F^N;OHuTFN`q=8t2j{k0(Q-Wq6LP%woZR~sd7`Vzn->j0W>!fBefdh6 zF&h&N4a8omVmJ?xLTJt2>`n;y>V_FFK@Vlf??u1aXqE20q=}Z zOlR#3J;Q>5`5GoGq_Hv8ezFeaW z5n@5wu}JxSk2K!*uhp)n=qyfFbPExwb;5z;r#*BlOv=*zczHBJ;)iBr+l* zedBjsWq-h2kLY(#qCIWmJpJ|-i8^fDSW^9}fioRH_3g5J2L6rZj z#?T@2n^R0I1PmvD{n| zp)J)}vI+Yh%83pHrNQJXy!jc6-3h+F_mGgCeTnaQk6%V{cx?^0JyJ1{RjP1YL=y-u zmZCT$=l)&6y@_z)v9Q9}%$YV$7E0)zccz3^QkX20F*No-Tfx|TQ(h7D|9QcYP*YPA z;<(FEkVvYb3sdvGGAHC%a+-V8(f|J#gttNJ}mzk={x!xJnkia>9B3m13zBeD^yNqV6^z$hBGX zN@fQeQ&~nrUC{Q?zCUxXQg4M+V1)VFD;|R^y+ih#L~ojJ&58=QAgHh8$Fo^-r`13I z>wyrLTm;{yx|fPjFMo!^CLQ`{y2|WRzjp8OJ2cEh&FV=RI2HABnKKRL8b)5ww>aei zNZ>M}ZMRK8Tj33kR9Iflh#=hYxJ@Msgl|9FRXmXJ%HV zY9(N3^S|n|0k(HyR7(+?9Hh;v7#8W*?I{zbtn^(~4o{JW(q*&C!x=$QX{ne*DzkR> zBmEEwC1tn;ayh8p?=Hs43rr5O&HhlK$(mR9{X@QaQ9(gJWFe#394?-QUA653_x}*l z0mJB}ai{FJo^ZyoUgB!ZRZE~C7n_0!U5uQRNn8`1Yu>)DysBk_l5 zxkeHFa-sNvK&c>qukAJOAApCr2!J2I?RTR!+1%eGt{7Is8!g1tD)VX*BdFJ(DLL(V%V*c@!j z05N(Uu~3Q_olKk+xR4^7xbs!(8(>(>j?br}+ML(i%zxz2vUsDhynv72MMy;@4&>Zm zn{bgux)k0uS-%c&Ac1YY;r*$Cze1H-U!H$SY0Ne~LTC_NI-IV2q3U>~ZRc(cC|XRKufHjDcW9`7UIltfmIKH+3~ zNoQqi>7V3z5rYWGHhK1aT&GjdUFIY#9D?1>MSoezo{5}argWQ|l!v#h+o;;dDXn-) zmgdd&cqp=`$}adyu<=WeDv!?6g$iy$mRW_OSB8g&l=YF5v9OghK==lrp^|wn`EH97 z(b6J!wMoD3j-(w=S(4jkR26rQQ!0Os7q+k{cE;f-ZI=cv)dAZUpv2x1QU}9P+g~^x zmNjev);m$Av*kaW3eLnn+}+;;#?yz|EY5uGKx$ve3V&&oFa_b7IT)~`S4llW}rtP&9tdtErjV7Pns;je8x`#mk`begSs$@4g=F+F+Fak@i+HgUOY) zy8m(jDB|$i`g#ddIsOS$O0~|QdNrhew*RSrXP*RPWpl*~Zzcui31LdQS=4f*`j~lZ zO4DULMMLk%z7fcGr#T?ipduoY4hAC0?iN5YKTiLw9l}{*CFxBd-*JfGSv;t{9HCp> zrY1(|bW%n0(=rA#hK-lxjGB1%Zb@qm{RI6YhQcrI&H)~5QgGDR&TfRkz(a;25LV{n z4z3;k7Qqs4a1b#$3XfC6&O@`;c7kTT@nnJuB`z#5Y`T!=mZH1+TU3@_ZRw? zEHf)Bl;oX&7mt0wdKKK?SLfLPyi`iHzVp97$OoTee=K+B?Qv0VAZr(E%RTa4&cuInBfJ8W&ul`;AiYdApN|+oEwYa6*brRBA{5D0df)CoKDx5>@ckFYqzB>=%F!jIKP=K*KAH950j>LI)bInJ3WDF#-mfO-e2Ge!B z+z+nG)@!M)b(!2|DBGLFXrFRmW&MlH&w8xQG zWDw@(&oNtwC3t>@BPsd@N_NXiIfsGhqzAbtduE~O1sH~vfuipS+xkqEi3@rL>4?-t{A=&>XXYeB;5oGMlP7}qW3zW zs*e)#A0i@TN$m?}ra3P6833fI(=acdHh<$o)x&W(Yq-vSN#1khtX+$(mLXWK_VM%R z_Xt?#oNGBoI!a%eq!{O**&S)k2r3N63tIaEN{oPmfa0%rByZTdm_7I1My58nzY#EJ ztjbG~N}K)^A|$pXNAGR4-8E^lE0U4OAV*;9aj{T5^Dq`1(bwnyX1C^^82f02$XZBY z)k5$M3m@c^czkJz0uU7Qv|D-uI+7;#xleOgCo64>J-YyV)zpgp`(pF@3^pBf24q$n z6c-iI=oD>i=p^Xe(fd@CmX3&3v_BLFJx`34rlw*lGX7xw1GnE3X3`uU5MB>`u2}22 zx{C3v=y-0vy1q^ty9KxKDS4f|{@<4qi1)&RK~eKE1tSXi59zC2eG`?|qs0aZps|ek z{vBa+Xli^M50De$C7MK`i(SKit*gBevOM)t!t;@lj|ff;?M7aTIEGiT|0=MDx5S=phQ zg~3Xj*kO1At`%$#eKsiG$WNltyqq~4_dKTD!$)u^VO2_yD1_0O)(z>16m_=QfiR4^ z$%V-<8nVx~28e(_LEpdN|~yyHAjw^M14`n^p!0koV(YYAvtYp7-=Vs@X)#FNFzzTY1+y(fFI!V;u`MD^@YV+|0?wxBWcnH3O5J=rx+Cz{IfFH=) zc*;3V8n0Xi9mq3~1;LXcCEabTDTgomdi2<$^0fE4YK2{OZxfK8N2=ASr4uIB{Ih&Kc3ldG$zlL9I#DxpYm z0wXFEAEnPNtOMpuihYy_9YtOytwl33kqmfvzs7H>lSj6ETo!80m)gDLm9MenA}%-6f7)a<6$Ig zx-#%{*X~9d#!nSUgiKWO7qexZu|a&^kWI3Sjs$yUv#|%+~fjbqW*_MMu1~Qu%)x1Ca3(R-+!FQh^mJBmxeMQF8+XNo_0`$;fI(mAE zr5Z7mgM&1p4eRG$oHHJ+1`%w&0R>0`)J3qoZ%@71P8gGtw9>v!iqzH-Xn`WQo*SE# zj?6;-nm_`V>smP&u-O$hmDP-OV3-k{PN~-Dh131b)ZTKvKT#L=n=bI`O#f& z>Y6VTBAajmFn+TJ_4Vs&nGsIj*LA@i(7Bnu=-l!J0z+sOh9)}g?s`ftlw=hz*&8})*n-%MDO6lwGq+Gz*(*>4$nQuula_~}Z3%*<_W&8k3r zS^v(SL|88q75m@;et#F70ryxerm6zhJB{O7{GyVQoCh)6+#PiWf5N}JIpg=4gk+|X z4xo2+!=J_kj$y|H^tA@??X99FZ%M#qPAVnmAb@Mn74Z`~dNg1=y1iG2CCFeD*l0xK?X2Gw4 zda0?@mZhO&ac*t``j8v>ALj(?76p5uO*7yFbA8;`!SYYS~P^rbjr$*d%Uz=HySzAZJujq4+pi;@l zh4~k-g^9!YJv_h~dkK*vg`0{h@8QD3=L7f?lqW3uQ-WJ{Fv z{EtOLY~jvzD{jmgN^$YDy$)G%x?w5YQfZJMdxgAaj3^7-s&Avh1UgvOtdMa~iO{Sf zq5D3tgc&uo!*-QGO^hkE6tA9p5A?@vgw!jRX;3dQoURY#A1fX5Gsi-?{p4SVbbw0@ zH(+pOp<^;N**a$7yfa}72(tbHG8C}hyXmeHfcXIba&CTl>(4KHyQRUoa$~|p@NU&m5W$AC zL+SKhPd2laO$Iwrqey)zP*DSyQu(;KByAlJCG-#5zlE)S4 zd@EJD0d6O@8Q-wKBuaENiuoiIC zB8XM#@Zj(pxE1Il`n#B0p?U+PWpLlx^Hl*CN=UEGEUkN1hx>KSJurVN2ZMn4-}VCO z{F%T8Gk$@@;C%MTQ4Z^L3n zM>U$%=Lwh9pWbtF9ljNo5)i1ijsUE`uP7>QuYRs9QT(hi>~&~CT)KXzT^LteC}pfR zG96Oz1)ldq7yl5MlFYpX)eSF6F~l!sT&oL)lDz|Rn`C(5q&Ak7d`>ZwS+Z!E<>Y3e z`^|~sU^3)ghmnvf<&Dl}#?<$Fe%$1keK<61j@cXP4C3~ZkAe{;t#QNFsYD`hU@}9q z?n8wzs%DeZ<3YEwIKYiiqdSL$=yU~HNG*~BF}nFpE1%7@01?V3EH~XqL0e8tY~*3EY6J#_r6MXXkE1`OInfRxl)p7tm{8<)* z^SB0a@$$U-67%fQ=6Z1=qo6?iawYjf_!`a?mUwWI=f?m0^ZlbCSQ7@0MYCAwY$Bpjpb~+x^tyAp#LhjOCU8lFb&)JM(_z;4sag$<)8+~kTo+o zJL*F?(XgVf{gf60HjnKPZ0yOdXg>H zE2>dq2eP|S1aN7ZdMhib3E~skBgTNsdMU%}SxQ($gciZ&psz5ms>*s)?abR7grJnw z`63tCX%{guA@`Fx0Zg8G|Ee_J0b;o54)*~677q*olE%i0miLd3;{euZV!$bEK>rUT z_XkOxv4fJgH`*2PaNchfU)>ZFLeTAydcbcRrKUFv);V7B-0AgRkKv}aghc^@4q>4{ z9*P#K9w|;lEF|J2E3e79wt+LL^Y3n9>oqO-JQLSB-P)X0$_^)LU!I>=kghE%N@Ld> zRz6}_fGIfUx4iEWk)o{Q0iOvU^!LkvitF1Fd8inL(1!w#=PuL!$bxgdZ8%myNvFfS zT&OGvze++2nm~SuemRXHf|}I31NHp224Ta>mSdn+rx;*w-wO-}_7Q$(jQ9pqj( zWO0LD835fhbeLln8b~b;DnyBYf^>BTG7%X+05#?t)Scn+$ciGOX<<{4wlZ@M#xI6J<`Kdh-=s= zp8=HE=#L&yn}#{~xg;hznYh%kpIKztGzGmkAw7w7cp`lkIWW>JFHeWXUBL_sYqKXT z+87_U0`8mn+tqb6hX9lK)LuAKRp|mGpIS(YK%e1AV=3E9IV`^bY4%&Rh?Nv2#&efa zY--WYJ9^sogG3n95#gaG4)^I^SZ1LQUFOZG<&$5TD^4&l*_(p6nk0L2=N0OQREkcQ#;qevY(hY^!U1)0EQQV)P3QOw>jwElp1yn+ zxC|IbeC0X*anY=_19Q_pET!RQ1(qHL0B~xi<7rT1^7C~<8{^{xTC=j=9dNGedOvBO ztomEP3x}5(KH&LK;AxV*GnUFiS2jz|`3w;LmiH+g_ZY$fy`2B%Li4*JG=$&t4Utt< zWh(a@m4we$_^I@My{XrPX_W2Dk2ISPqcQ;1X@wq6olS}&qL1f7#X$g4{tP9f zI7Lxb#zCxN(N$)IPKg5r1>55yOx$d_paYktZD~QXK?;$YTo)?c-?5pUhX+}>P)YSb zJxrZms9PK{i{pCo=m6;tH>*mlj5@f zxi%CB;&y?GRdcbSmR^(#Gp{=;8`*ylBRD9qrwTo|ap2i|eu_NarPU!!)$A~Cv|J-7 zBtk9vhwR_a-02SNRU`vQ@nexlBoarKnp^<)r7_RvODT3smFkhPriY&GzcJ1kDbm2m z2tDOTs`k6=pefk`(kHhLMYP_CQJtmZ?5Sq^Lq0#5`AP_bKXv^s)GIjZ^~OmdZ3E^p zziPlY$K;$!M~9Jx#CiYQgk-HAjFr`89Ta>FpCDa&f4D2S{ABYssZ;=~=mZ8vRNcG; zX!sK<&!mLK0%PeLzkY~N8gb*QqihzGrjgX)sRfL20jGja*XfJOd4&?C5UL9KE; ziEew<=V2v`qRWM`)k8jZGlTq^s|;{dn6ND{fO!(?E{IP;L6D|X&z3yG&~$*nC>i~ z;5xWWRRf#+{`U`IgH5w2bLnb2Z^s#141d?qDdB>{ECuxQfAG#h@b^2F)-G6-*3a!v~`BhBt#4v zlkgKvcn3*M$^9dB3bTRRQ&Tz>Wf(|;VJ%E#?-?u(x`bHI3wg+7^L5))3+am%sL}U& zIH9hw7_41$Vsx+agL7+9%w40sMCweu#~Z-K7M=}ln5NUFQ7@6NOPAAV-*``VE-)ZA zIfu*_Y^q-jKyZx8Oj(VrH0?}H7^8tC_t&#Vd(ch2$ z4~yUV4a%q#kok1j@iyx9&{Br-`=NWlM-vwG24!?)&@j36mVj{vjfdKTBH)Km(=aLg=f6A76=kM>0Pl@7S_IVo3f*_zA~ zy?Fk0DhfC;l%|!Hmd4^dp9Q>1vM)Kjs=n52Z1DUG90~?<132ap7hvxTF~fA>77QYEJ0WF6t_=Rd$^ zi8?S7y{OahRh*W;D(5<@mxiYRh_y8~GWr%X4c|i|OaAW*d4i+RFGBD_Ij!rZq|DcnZ+U}8R1Rbkc@Hc?+h ztMydlXAb3_R&PTEu!ZTW^<4FYJzzsm+ICZ2hi+G**d5a^Td^KOxXr|nZQkYM6Xl(H zj>>_={#wIpeSJ;DaN5sHumXIFE^mPKYZJ_zt6{m2A^xO4gQ^F5kSAA8+a0mXNh_Dr)=Sun z%S*PjDUhIo@(MIMgHM8hkqq761KrLz32yZqUQrK_9Agdn*{;ZBZ*bR_1p!_nl z$OPfRvEj*Ed9xLDV?VKeOudW}C4Io;2j9T2L!m(o!!udywDohhq9Pxngq0x^5*J7I zjtv}v30k2>Sf}VB{Sc%~(b4z{z)hk4!#iSR~NATq6KUxT-*wJ)&)qMpPx70 zESOd~o$JgUyT3$O?j=u8ZRDspCIf=N~kWxR(HSaDXnYK84#=a49L-AwT0+FqI$Cb+J9g$Bh`l z;d&9}SqnxP&}08z?uU>%hgm$l2XBC$)=4YWCk_|fREY!%IgYT+`+^?h!euBB-tp*> zP-HzlVn@ncXy$^36BA~R1m783vjrGS@w7(v`;LroFGXS%qPG>13H@T33}@+4c=x6c z4bLp~c(XD_2othq5{%V~8sDy1YSzL-ymzmR>1Ss%4r^w_MI@l%h4&-rud>j^icBM2 zxRcJo?DUL10nhN9W!DtU!UUE+u|%(d5i!22_0yR+UW5E4S2ST#&UMFMCP_#7D~VE} zb>f9(=G2?-Z>{!lQ7pQEA$gY&ciaGu#~t2^+od=?qk}~NDhi69X?as$D`0wKDT&%= zTx0zEd3jSJeqwW=xRRHW(!$KUIhseh5PQPCIPb?viR5{YO4(yStNvJ< zOZH!XYzyNq3(Ps_xi8`$o!&o_JBm$33_zO_)V(`1i;a`tTy|{Gp4w5{9X9PgAF5cK&YNTa4qi4 z5y9rzO#--~HEm4@C-I|cd82hvl#59FD8nAWR1qLiRLQ6{)pOMfB+*fe=BhT~Ic)US z;D0T7xVYd?Ua!!(Eg*HIPE{qs$33(k0~1du=>j$yN^LF- zIyyQ&Oe1Q)Kal@XFpm<3IH;r z=8nGSAs_U~TD2l$FrD<*8s|_eE#>xwV}$0~TO*Q}3V^YA)27&J(X)MF_^MX?aC2Mt ze5yzEYKzr!-@Q++A zU3Ay(Vg$?{3v8~q7cN#UL)Mm7Re3Y~n)VP0UUJ=svhfU-qB!GGyHTbe{#A!vxAFKB ziR`YWnZyNn-rS(5eB9vDRBcy?z$nXV0Th7~0_P3vI;eEn0#!f8AwH~}A%1oR0v^JSXMxKn zVdVzw;qZ>|_zbpg$6UzGcW}to(>8?SpJrV+@cAmkiE1M^g<>8^A z-FglQ4(8*{5t(-pocxtpK8i;LRP26~byA_s1b8EOhI0SOsYn-%iWf!4v+vtmTWdd6 zEqm|IH@_)r{bt}JJ5j{ByH7Z7=5)s+T`gPB-vP_2JQsx}CEWl3g1EGdT(oHUpxYM; zrJMl%KkLQce`(bOS(urZwc_pn4#8{hD{3@!LN@-f0PeOGa}V+$R$&~}f)BJQI(i*W z+|rwSCa$ANo~q$fs%-c_7>H1;RBCajsfF1gfAwQ_3NJg9!HU zdR8;S?>*||dKR4&#qYH+L~5{UbDN=9vN>X!#o1EjZ`IY+k$S-)A?H9O{2N7edlZZI zdxPA(JipRm(Eo42a0dNRSYpX18&fi@-m;9{NEn;!KN^CZ6}xP~fS){yE)^9PTrBq~ zPk7O)g%?Au@QPSEHAhBf^Vf-EBYvRG$VV+FEPYHd& zzI;WIUK)X)GYeVaOl!DWOjg(@$>`IT%fX~HB*KXdsuIu?$ILw|i8*-hkzzKsP$DjB z7<>v)#`SS5WOIHt%! z>J2h-Ir*Lcl*;_Oa)vtsVVv6efN#^vsI%dcWTsnAaW*Hv`8#B8b&YIPT%1n~$uMtv zX*FU95$HUN@c?$D4jFbhM^W| zB{>15@lT}m(eu9e>s+&3>zyv-3c*MLg(KU;k?ht!V`xK~G+L&@5&~O~_f|NZp#6Pe zfmSV{Zxigi1+59m-Q^rP+y}Jkh7O{jX$WV5ppL+}Zs)y718F>)C_t3Z zuV1}``82M~5dV*Qk-Gp)&Z>+uR#DTP0q}wea9nYQ2n+kZ>2cU0S*r#v&$MiZv?H|S z_@p)XTch+p%RoYi7c>Pr(N)^;{(dxXICR?3P_dNVMri70U!n9{n$6;gfnhc>o)Q72 z9(xk%qTHUtb9@3is2ant-pubwg+<1lK}hnoR}i7>_x8V6q{~{Nb4h?)lAGI$x{d!~@ZqrYVMYG^XIMrF(1Z-` z_Cm=ShGGC%O?@xKJ&0Ge_?{~q!&=t=uYU0_5U>Xe(y|O|A0U%8jbYj9EuO-7udoVc z%$Jt$aoe)G4$xRV<_*jK>lazE|7O_t-!~a01jtN3JtGUhkv3>inj<6vB6(SHHLUCH z*6_x};3rmkq!NW6U1Zjgz@QK3fS(Wr??j06YY-Sw4D94owAJy!yi&6r`gD|GKL9jV z9o4!XSlB+meMCk566KXW#+JXL^gYcHCLC_ITV2kqYrd$xk3c5}-B~_FXy~(-9D#nU zu*zIAXphhrXY*jyL*pJojOctZo}EdeK(t5{DMTG6TEv?qx^)g0{q;9j?db1NZoLC?;PzP#hv zg+jTy$M@%<0aK~OKm3t8ek5s${Ym>Ti%ZLJu9y3 zwn&xZnB`gQTf|nTqt#NaeDf1P%F9)65jJr1{iTWPtYa>Ma!X|lP+mx}YC2RFKQdft za6=d78q&9@87AXE+cr#RA1+ukoB+|+Ify5OAZ#l$|l*ys{Q-V5copuyMpTF-}e2aRHAh@k7763mx#u7-Fh}f5h^ugz#(M8__#BRQB)kvjM`ZHhk*6DSyhzDU8dyWXlY7lOYi(_>ui{L>)kA552T3phSpoQy`?h9XHNig zLGuO_aT|FF8b00YkSx`Z_uFlD`!Y*b-5+4&k)jd*=|Eh9z0^6m-4A3l5Ha?hoq&w+ zD!^eRQoUqz8t`$j1~xZzz2`9h;hTiGQTgrxQ;e6sK7mKz`_Ui9v=RtRSZ_r5x>)`b z#cxY>82E+{Rn5%RXlFOkt6*&k+*+eU=_$RPzXXQ_{&n7c=s ztsdulyd>;~oG_5VrIYbSUp!!Rrb-B0#sT4Nki9gH@DErLHPwdiP5Zh|80ewn0|Zm0 z2nD4oNfDC%J5zY~1=Hz1nmJokaIsrJ+7W{S4dQoh-b12LG=fiy4QpIAmu2D$foip% z(sldSIIQ5Y34)_-=~vPj(ST3Dq{HSYu3gL$MBN{e-x$S{p(6FLsE{7CXb&m|J|_y9 z(rPJf>|ios;Yfk6n0tu)RvWI7!QSv4wz5_}tkt>%vXEa2^&*M41DJ`4$ywKXDy`F% zwqub6Y*=)9NXJ!orq|HodN09$iiK4Y6mS)Rbb5Rr&q7c;K&y|4}HEZ}D) z*tI7Lu|lPB@<(P+P)Bt-hrX%RC3fl!rBFSL?;+rPuWw%E=< z1cI|LOSiYD9WR_fuJadV{%vU1Nk9p+xw!hw$a$GGww7#KzTRQ&Bcnt7S54veB&0T; zBqZ>HzG0F9@6p%ScUtp?_!M2wrQtUEANVJ;AFA+O-)FpW6=a&_6HR-11blq!U{yKk z2{a^;F{5NYNc}5@2VQbzB3W?hhv1N~k2K+^;vXb58@{^K1s+DL^9n}X*i`F%zf?1jy)poPxgKvgA%W)VyEu~_baDNOnXyDoFa$vY9EMqoDVBOD;k0Bg z>hxDyi$kVy7g*0&N(Id)DyuCH$7JZMt2~~fm3TSKZ4}fZtAZ7#ORKTOSqf>eGp%w2Ta5HTLgHl*xrK5E;-4@Fh5QG;)=8k9XFW4ONAOq)IgZwZ;LQ z>#v#0;9|#dEX&NRn(}^<?FT^20>k6>-i?wIjSlJe*098Htu9Iz>MfMbmDs zuar`PusFezJ|_@(9Qg(OG+k_gob`tbaG$_eg4pgvbRxJreNV@UBDnuq%j?TGxpOgB zkTA50k)OM?M1sk9RQ5AAC?C7(+}YIf3Krq=X0cUgIETfuZ(*dPia#f4L|YZy%rY%K zRk+8TfrQeLHduV4Ynd})bgFhAepxvY?FYotqpYie?@YDS@H^Tg1 z+~1x%7%LLF`iPNy>pF^jXt1k491h@!2gl*WVbP%r)fb8eL*N5Fn8jPl**$h0K=DuR?JHYG7 z=iuNV^7_w{eDdpD`~L0xy229+J)Kd>hBeIz(9oR&@oNyD4gRPQwk!aMezoW5}dQyIThJ5LM#E&|?}A$@)_Jhw=?1 zl`=(=v~~pHdzP!{iDXCr@FIvll%wQZL>SC>P*>`p9)`YkrnCNb0#dF|Y^SYA5$qR` zKzQfFi5`p1KLFZD5SNAqLG$?{;e4DI4v$}_BS567sj1J{7J$!L#nitYLmxhXJpH<( zdbyxVWOK9_U@23sdDrnUQ<3RI_HS_fZ;6`s3Bvfe(?heIupb7tBpp7{^h$0}x7Fu!&7K0 z7c-|XuWD`uDT@+MIv;NLV}$VKQHRW&z+p}**VL$uCTE)zMwm|;@C(;g#lQ%;b$y@#gJ3xG*zW_`4o54isZCgKO3G8t}v|NB)185K1_2`4R=RsObvN zCsSt3aM*986cjy<9lz8GqR|=6lmcuF{+2oYDGb1IAk0iA4r#=$D|Td6V6hB0F>1w6 z4~hu+o;%nLU=}+H6=t+=0eW2qHOZI5V+y**u54#3nhh9JFjEDZ{L@(h22Q<7-TQXD z%dRf^h*srGynmJ7eHrHMMv0vTqZ)3(quGy1RSkiDkI8t;6Z$;?tu$1oPZwb#SsqO0!qe1*U<_(t zcG;`@=R?{3(CL{rv!g|T`+$}bBBJWyRX$c*g}TK5J`+VG`&DXzw^>?YQ z-ms`gso-7$!K~`vdcW|xVasy=ga+StleQHbo-GRX?_+@$MJ`v^O(r}x7UMJ+gv4{7 zjVVr5ORF3*{zDM{{-%@T0KxZ_GQ8e%4OK+^l7+)#%-^f_Y@+Mq+A@yy$#?h=_JZ0= zYQ%L6uxT0bhO(11VX1*h9lPqTMX?{vh09Eq!JIo7hWK-G@azdM9K*3s1hJbPx^Zzo?LIJ~q``!<_#Zy4gXJe$I`KzA3XK?BaaS!cx~c@-+^&b`51} zO+-FIsaEmQ1?B=_iWgRs6bd9qUXGWz``q8O+%ruCwE0F5wtQ$guPO;>zf`$;GJVI_ z-8S>?f3U!*Jrw-9;I_wYkB2T;7ZBuT=moJ<%7M(|Z=8SsrhoDCKkdBU({20olpyy6 z;EDc@OXGFDdZu@H50}Tk{yd01@J#j`AV9~Q9VEWaFe2{&_+==^`wlqn)1|YwZu=Hl zS;R|AZG^YmUH0YiCodX*U6bxD>Ub9HICpl65RtIFlDE~a(9!*&<}n)3u^g*8q2fL=T;gqbj%@bu;q>8b$!&zVq)KXZuUZ zT2XA*h1jpbOkvP`viycjsYc@tHN-;P#?s=9GzTosep%76$L zT$=W}ua!Pd%tm%Be-iX|Zk|5>GD4xyFh`~WDf8ia+R(gw5Var0pGuadGq#QCFk54V z#1SVRMY?={*K+S?v)b+Rwc|Gv2Y!CF3b5}C4VTM$UUlq@7p^m9yWj4`gSaQDZ%u>0 zzK{Q;-uUbL<6k67LwbA&Xw^AzixS+^9?Vqrv%gh69gWFz3*!`(`iFsiIGKhQVT6R< zB4ZiCU)51gxsFR4e+!qIvz^s<{dLk$|Nd52Np*a+#A812{;t>ja{h3!>kCiM653`; zeLd-zKR+eqsBiQdG(k_pV7jX<6jWnsm z!v0H}bNyubu;*y1C!CGy&|({Iunln!%{3skf!a@kI(l~60FoGHm=}D$0G;nb(DuE<66lSmRJed z$Yb>ls&wd=C6>BrL&lXX+6ZL!F>j zN~aDpd->CL|Mn!RPAt9&2J#K-qA<4Ys!NtLPNjyN!z8K1usQDit)Ykl=}?8%&3QXT zP;#R1hlwNwH@B#{&(h6a7a3mDmaLsZqE`YczD}Be62hWSI^=@}r|3hC_ARhyBbl0} z#>bmj{44=S@q3D>8zhp!-%=z1)9Ph)2jUsJo$QX+dI@B;8ysldZ&zRUQx?^S+y8x_ z-+6g*D)50z_1m{^Fq|nfGwR%Tr$2yP%Wc^9H&gWY>CqY^!QVw^Q$|>c?3Y_iie9Uv zGMS!{A%bC2z(@|2phi)9UO#=A>v2u}%IWgioO_P~wKn%t;Cr#I<394wBV}Mfg#F1N z=QVy6IgwXrF4WZMEP1S=+*apKq}gzhAs#IU&YE!=xC)Hn;VFCw!Zf=<3wj zglI2{;@Ed70qlTtQ9tS`()hV)j>df_VDA~(Aw^l5Le3aB#delWuYj`kj0Jq*+C$%JnHU^&4t);tD z=&I9Pi*vi3%Knb6!{?%nNjz-`HSg=!PCzAp&d3;U={yZ;qI27p%)pS@IXPMXX9g5Y z%Z2Ui?p{gvd)1y~)f@m6)LbSPeu#MOj?E`{+()fX^j&y}P4Iqysr(-J^t!E&T<>;u zdMbu^g8+5p7$4cQ+7?9DZ1P2M&ZY;iwAW1X{|q&?qp&9aO>ZG$!ZVgY>mXUN2$hdY zzw=C4TgB&MaWL1v(GR`B9J+E%elc?zUPI-)AZH8`kzgQI#P^}7CVQ@-A(W?4J7 zpNpr_p^}r6(^D}G`HwOwsRL;eaOk{}XMI-Fie&%lfAAr9KKxl< zt5bMfSjQL&faPkd@&iE}od38F11BfvKM(kS-WtI)te#_8z0JYQyu$rNjVRuz5A5^o z1O#X2`&^-Ob5OXwT%g6QPflLjU@jxFlg4ZqA6?22gq!zzPXz^65)lx{grY_Ol6B51 z5m%^gD(%>>C!-X1E9oQ!K8@Ubgo7K=R3ROGg;j;939bL# z*6o9;k4!xa--jMt=(QRulcLwwp%85jZ0RlD{x(My_k9qE^pzZo$N3bU-&^rd zwI#Uaw0_OUZ(U`u?-ViwIEEo-XS{p7#U6zuBq=<`cU z(Hb1_1Pz5PYjO@EyApTMvfJ~B{DR7?4sG_h@RpvF& zh>RMhhL7OB>ha3KfTU>Cp^N4Fi<6BrGPGRwI({rpvvildi?zG00>R6O5ZHjy7q3J8 zxBAU1N2j)!SMp@5ahXGnf0=JA7T76iYBH-(r+T?G*P@(k$VO%uK@h(%EE7Bt_V}LR zEg=)oQ%<5-W}WW+CEA6LfIwxgXk9zf_=2}B`r8n+z>?Fi<{69ZQP0QuZ}IO!uz526_z)nDez^{^zyMGxUAOE;a8tJWlvp|TEbN&1*H>j5A#RC)Ea|4abF6ZC0B7jbvFRAR~Uk!A- z(l1+e?VSmSqEeA2>tC3#%YRb0zn7PJoWDO(_vyUf{?j;9`WbPS_D+F0GLQacU6jkn z7vbjFFwIJsSFlx^cP6NW+_bP2Wcsh1SY}--%xrVQv1($^JfNtnt9m=OuEa<2pyOP;q)54&)o$bEob#-{6iQnvuaznpg}pKt zO?yjg7JPh#@L1(_Jx4r?d9Z1XlDAhbfT*^|)PY?g`_|eFp?F***vz82gcMyb=~gID zzP#8YmbwA(1C}~zzu^IXJQy!3t{KOuF=#bSn*DbJ*yGc?TV4NoX|@ibnU%up?VB$a zTt4nsO@693vY0A;tgNhjc^ub*@IturHyXT)@#MVdiFEs&1t8>hlC;?QU}#DsxL{^3 zf(v5VTcD|#(@(~@p@JU_`k(9e5BgOA;x7vb8yH$z(tHylfi7yAPZ)k3A&MmH#=_Wu0cYZjD)F8E~{a!*NZ?V8S1)R8dZ_NJ7iWDg_8n%46n!{_KCPgTw&488!h zsiOrdW`0De#F}@13?@P)HuaYjmD@bbO$`M?lS42 z6yb2fzE`TmUWtj=s0xQb1o>vOq;Gl1?Z6JS6AJ$a<7qlWfry|;zZZf>K)}Fgvb73q z@+-i0+%1U2LySbWLU;FQitw*l@)QLMTi|dJbX6bu@!dYwsJ4LREC3td^sKB-|KKY} z26DpRSm*aucxnJeSuLjIrG!lI%|}MVo(V#TDxdBzW-6zpNGFi%ycQrS^Py6!J%tQk z5?YZZ@^yg@dTcUH;TttImhRv>g!D~sKl4R*X4l%s_UI_I!`_d_)UFf?6H&8 z%S7XbX0z3TAGe2gZMMF_3Yn0Mh+hKj6H8FPx|7q3$f(tIbmMlB9XDhg97ApK0Go2p z!ZGi{uf_RH8C3UIUK*C_^O;KT#!>UXv+M^TPCth|Re=K8eU}Rt&3~yVLJ7O7;6ufedttCHqJoJo5!hos`C1fx9++edzw%+39C9gZ$me zF;8bBg-c~$?j}_%3Ktm46bU58_C6Z~y(%eqg$7ZZW8yXuGl(@?5L(eu7nLq~;~^yn z(fxub&2 zeYOCoGCY@y4V(*dbl?1_S?_=j`nQ@BV>~oU<$X6wT}qS|djVt4S}qw(=Wn2zVji4i zM|X!FIxEd8(0KY_qcDiRBU{?-U}f@g`?6@*qPU3AHT33TXGnXFEHNx9CWj5w9z14yV#4Dj z-zi1IFm1U^s7N*FJ?*Vz1o=4lFK#!T;%1nMNr|+T`S83$%htC*46ol>}AO)v>ljQu4Z{J+*seey4{xDJ=z;ujD$fdSt8?ef3Z7x zXx`NF{Do8;y=%go*`pT%?TjMR;lO86JGI5S3OD)qslqa0zrzi}gXSc#{O6`M`=@&X zY!b6cK#cEZ#1CvU*{$&Zy%rV&x4)Q-46BU7YIg`cr|^q}+c8Di<>7R}H~k6XztMVt zCnvQ#NK@x0|5>W|>eD?4S?s1NY1DtUb&*?VNBcK{{MQHMU{BvhNlD4*F5;04D^sd_ zSQS2{FP!&VS8CG~ZyQbE4jRp|K+&h{>aQDKpCLB~FW9Ku408L;ZFMsd!6+DIiM}qw z++y=w%?$P8TPS8%{PeTHz-0?lCjKYy$gjeN>`k+H6fnR@>uP~gOlxz1OH8K$mBih! zFG)eD?fn6Mql4Ej)_-o#Uk)=rb}YiLCF@3Gl~7s!+2nbV_3NQS_a~T6B8G-VFo~2S zV^b8ewtE6r`6MPda4wTv*#$QjIWqz!%leA zK2NpaAYUePyKs#3UXYZPMXO;kKQe;0)zqXORX`Oc2l(XqjlU}$JKaWPYZuB#5CV7v z2wqfFRi&U1JPl%uUZWlUHa?y*>r9cS*uFJsDD4YzaNbo za3-^ky`cmfQ1taGOlD{F%1$9+{hi7PaEWo|NWZ3$Vc$M>lIZYcS>2mfx0rQCrn_G! z+M9`ZUeiO=El8Qa&28%6jAFCEK||-kUNJaSd#PY$iHDoSC$c}7VqH5g2OEyaA~%6< zwzj!*dG30qZYCLvZPXQv6Z8(Y2$SW*Ru|GaW2G(*BlLN8&~opPU(Hdx%`+yOCv?ki zqqQsMh`x0AEzi{9O}zQ6D=yaP>VljG}H)DSnb*G-Yn{T#Sp6F)|{0%`UgNpcs`w zxelUezZ`oWuqz~%txj3v9rv}!Qpl}I)<2u}J;O*usoGa-C(UM@lJ9av;mPDs6cA>! z+P*JhJU=952fW?F`PpE%c6tXp#V+fVCWJ1{bc^JYt#O^G3uBQ?;AqF6x6=NyCt_9H-qH7#>Yp15AL#asS0+9ofn~vL2LT27IIqI5O z)g38uenzl{lc?f&gEFy7-*{AMFHC3awj;DQUSqzV$BtCM%TiiflV?$8TjUeroZPdt zSN?JEA@;j%Mb-W^o1HzrB)W}KV55!;r9A$)V%D^52|=0-Q!0SG;0xEK0Gc2q?xRO4 zCE9pjBeMo*_<({oD(9EFs$dTNx?%SyUA#f$%a84wNb-i2)p{ zVQiLrXmNR%+LuYx-!wn#+^*1k)u_Rtjl;3qlw(-nD(rLbqu5!>gBX>2r80@+cFNPC5!af>;va>%*CLQziY+xpG}UZ+XOSj!1wTLW5zduY zQ6VABUb-+@a-~s$O(C1mohM175%mvI(i8~hj`C*~wBejLF){h1DuDUSszgoTh$I2o zrLFr_C^uYI`zZ}c-1 ziN|k>F-8BJEReMyjF{b%Ex+s$Uee>6h=QHV+X^G;VaESL(s01Tr4gKuty2gXwAwS} z=a^lVQU~Mk2@$?fD|5MExII?2T8$fO_Tjr<^t=2FlkI*pdr|7<@(KlYmEL%eJs3M; zURX5Eh&fOjS?%jOh0(Fom4)3&YeHd#-T`?l-8wdrw%>HA#q&!w)g z+4`}+e|~c>%&$uBH_$SqYbjc5*7J~;eK({M0y~CTWJwo3)yf*Po&|lJweu@lq;^(G z-ag*rl9E9e0a&vbzWaG$*U3I1&v6cVpidt!fziwkm-7Sp7B#5iJ^~e6LnwzVWdDIg z&U9W0OvZ_AcVK-OF|Ka8A8<#Q|8O|~Kh<_q)Y7-#2MP-0uPL7vY2PCV%o+|RRrU4t zg0GnV`WJs|Y|>hgLGzlhiVEDyN=ArSCfA9Ayt2MRqd&KP*LtrPn0$cDsm>(a&3*#1 zO1`(46c)z1*VY*zNbjtKNGkox_pZ(-!!bet@`*VpDO$CYq&pxtg>W#+I0nOoG2y&3yFf;9HY@#rmevM=PTh( zgyeWp*4dfu&Cm&65JGP%g+>LPW>cbMRc zCc=z@;$l%(SA@v5h1V1pmA?7his~eUIp^&;tr&y*yG&Q7mBa|IzZfn!swrCS{#x%? zxH$ug!bweCNCD%!YLC03D6}GmsUTTN0rvN}ILM8+!BJekwE6iXp(4!}Lze+47zgch zDPu9c^pPA}ZkxtqUsuSZ$hJ;flprGcm(;<%1S`3#J+l3GDx{xH8}gWpP984P6H89PV*%H!Byh3F7B)R)y)=^;YOt5weTrg>6$)xwRJh z()OJoVv^!$7rRPR>)QMIV|F}eW5H8Mu$2!Q_<+}UTcYeVlmoh^fRVo3QEj25TYvvOBbmyIUGSG`V7P7ZwVF2V>f@NyR%7yPJf69v9gX%m|BIA z-gtrXoo#b6+P_!Dk6_6k-%)2l>rma%YoHN6XsLc8-uo-kO>kfSDAG!*sKcZqq)Ox_Xa7T}>C6$Rn4>n3?$mC8njImP)d&*{uB!R%#EW23%}UjaM? zM5(6|3brkd>JuNjh;WY(_Vaw@LgN)78?4Z8Zj{aX1VS>rHPj_NR5E5yfC>iTQfs7d zNM%*`J*2PS%yp&Rf&Z*1+H@gPoM867V;>1e7XMD9?mMEU7*OVo?tb+7b=p@crHD79 zdGeV@M;%Cls>=V;gq$KlU3Zn_$PwnJ-t8HG+$-x@BM?`)kEb{Oy&c#jcu@In1^q|S z3;1d@C=q-X{JQa~-2M}cbzk47T=oS}iaEipO9TlkFfqZ{uy2eYm?T=!`G|@;2+BZ0 z*4M|W79APVaG;K8zlTM8laSDB&7n0a!r`z#ASfsp#ZF(9SNINpN5)B=zb8Mq0v>gLH(hFFp31baX69%J?j%fK?dx-xy|#dm>)2>rK0rjhY4gK%MmSm$;&$slXU5wC)?y8<-!O6 zZ=RG%g(4Z1&`Xl(%}V)Z8~;*Z$xy=0lhNH6C=&@EU4L9o2>Zc{-yl=aTe^!p^2jN@ zefKH}()7yVkTbC5-Yw3%QSyzmbEK2jMgH`+$W?I7ba>r8W!F+CARtRxioJM~gI)vD>^-*4AZ+@tkc3S?afXku&spEN2gk$Af+#HDz z7bX4^nuhNy{NuU;;VIF)A|ZX-Z+$q3ts&475`&2@wK?_6jgHMW5e0c2E{E^YMRVVM z)#kzJ?X^MCW_&CeE7c`bw;2|=swOU;P%AwSs97RbnFXC`)0I~&$RO2%fO6)&h>QAy zxm8Qk(_Ow9KT-&3!BVLp%J=AM9=UeO?!Z+gSyJHtj%2;rfk5rR9G(7<4KiHLPrIX0 zD~ASKSeLNwas*D~e*r)56i>KSJjCZ9>xS>c)-Iq$Nf8#ohUxX~XLUcO_}}mHpRoO3 ze-C4VRggg`3_Wnn%2N)qZ7K&qOGyYu;-RK1Hv0=OyDkKp8|kiOrH`s4`e%(22fvMm z1c2^!3G%X4(%|W3L1A`6TE(3&iX?g$iJjt<47?av+bCa3isk3>a4nlt&&A06km4Sc zH`@k}Qe~eVZ60(%hLIg9kGRM$vS{%UW2K6tg)7;)x6f;9bMCJ0CpuQo6J4}Blx8|9 zD7nbKH&$w)i<wZt^*kL?%!&R2kOx4m$>e7yHEM2 zLR`Sg=x|9{UmVPT1bvh?vz9gXXai#K2xbwcENRIA}TVBq`k0gPW}x`SrGoB_JRGyd_p4mstW|fGY5ZYFZu{E33+! zufmMbn`(;O z2vcXJ{PN?G9Kjcl=8?Iipg5_vsj|<~Z^cuBlslzV%r$z*@T@E?pV%Uy>FwWe9ko4g z7^oXfZa|mwnB~j~2G<{*(>hZyTXgBK?=O2Y`e@*0dOkgcCl7^_@J;yV z=RAB5`w%CQmzUQHBBw|7%3r%4Jsuq$E!FP|L^K@uizfa9>iy^QRuVMeGw4550wvc0)hN& zmvE4CZ2ii+Aa4Z&UCi*^J6)h_iD$F=a)doYsXlsA`Fj7bGXOO`aoeF84j9@i7(9Nt zYPy|`i^#3n)(MGKziF>%vLu8u$>eMX=|}vj`#ZJF+w2eK@BP`DAo^U^ytHphd)-J4 z^Pzy{8f;X8&Nc-xg+>dMB0sVWusCdq-`8)Gc1TpgaxQ?lTb#1!{IO$$xmufA@SjVc zO(WQVqAbMu@epXZkz^H^G}VT9g2mXufgnqlz)LA4p2noMogL>N2CB8HCI`QH9!d?|3jv@M#Q&|bU`X%S=v{{uvrOdz7 zR+#>>m+blX>gMK=OhQe9FGi4ivbWKqej-bOFH7{183pdwNPX833R+ihSxYz6urBE1(UGqqe* zU#uTgjaL8VQ#SrM{+ZgDlF;R2Uw znLyZbJUte!obfsF>dbgWnMKzJ8v!n#Ft$zoAeiK1;YV*5mzXc?L;SC*B^JEydLk&G z+PpZn39}>x1O&c%cLjxCc%mBjo5^Wvl8!VD2EHwlKd^{U4Zu;&72k-7iTDKMZ^2Uq zKkD_!v-l|yLevrR%6S)5ENU{Og81b%LsA-1d6@sud7a z(;FQ*GE%CKfY+*}gRSLCTCFZ}I=gO%qrqXH5izGeFyQ~7-G5+Q8VJG7O(Iyq&t7hX z6P`npqDL{Sq=e#dE5J3^UWAV8H<t53N?XbOdH z2q{djzvsEU;`ox?#7|XL4cH=5f#?*j6MDx5Xqz*vksRhRFW$JuXz}l2ALO?I^DqGQ z;~_nik&xof{Z8Q`dv$`9<-;QIqT7rst6~8?nW@h;?_%m9CQ<&6(QGNsSLldONj*~2 zkCpJNK&+SISAkr9viu*pva7)M$_Q0_bJ(&7Q!v9NZo0*b?tKSdk51rIHJZA)8EqbS z+W{E21LPPO%~jtTZqB~y=QBO1GqZ6t^N8Cj`>r2j&V{Wi`L@UFiJRU5Sm05&mz3G^ zAo`<@>Dh#H8Xh>h-7}AIg?pSv!(7Q=8#B1+n81jK!8~qav})QcA`FZyz|K8%?O-}? zZ6j32WoBo32i<(aY70RJcQ(vN?z2(Iunx*YnA7okzu>PG_=%)n8P32`6e7UpXPsU({R9 zvfcut5{m$pR+ErdbSh%aKX=EUxbpA6hh1P00Go59_oQ?`O3=D~CQz3XCwqrS^A(+@ zeF)(#vV3%v-A}(jS!U+NV605*JL6)Eo=k*fa>|Y*bJn1(wQzq!%{TM*%(#mLHn|EB zWAP(TAVkYOoRSd{5g?`wFh45B=nq}mXr zWA|$$O)%uyMc2#PtKyF1>k&Kdvj={z^C{Y|T9ogpFtHJ`tK+fV*YXdp3}RAZ#Gp&~ z1dHkyC})Pt>X95&q=6K$tDX=0BR3<@ALFNDMI#wEO^Es$&&X9nhT9=zCCiBAu;&e- zdLwQCRDS=P6gLO_v@%H@_bbE9$lHf@o&cSMiFBFL;0LR($XoQUQXQFdz~_J_`t)-L zH-Ko`;%PZK&mIaM>Y1xsJ*cl_hdq*cfwJ>ghfEE&v(hT(A4crf7%~3W_}sTg9S@Qj zkWF{Zfrg2>D(i8L`VbxAp|Y#OH&C#D0(3e-Aj)UL_3rNb|4wp$KmR{J4Bx;I=XM%& zetS$v87OLM8Ut%LIWAuyCeducYh@22xrR-%V3Lbl+-Y+D$}V(pfC{kuSD^vhEV4Z z8*h(hi{NL=i0t&0EJ|vb=uozES}%F3Sr?@5LPgPvSRO8*ymT6+eOt$Fe9o7>p<1TFfK|;Sruv(L&Or z2V_%5X}#l;ee{lbaXA<_8$&HDMcuYT!D;=0dU{kC`3OF%680|p==NmD0L)DycLkrk z&Q1GcX#f&un=wvW{khtMlf)UA`DsNDC0cLIbua z&IcTOqI)Niz_k472O>Bowb>*! zgHbxs^Cn;%yF>5*0LlHv)Qyr%QRMAQ4F4rjp0t=xgO}Gt;8Z$+k?5(Mt!vA`&rb_XX#**IqeI+(>=N;2G2Rj%57Jp z_GFN29jOh$gB4_hnm{WRVLj%;MpEA2KE=fP!;X0>3{_z~^gcu!xA>g}rAM8pvX#Z1aMbYCI$B!NUP|=ze`$LFJ9OH12~Kat3Mdt_TK79= zRN7^b?(0|2{4W;sVIb$XA`B;$k;xQ&!5k_>sbtnH1S}x?@^0UhVDod+&wP=FSP!^g zf1M3^td@^bY=ONom_*)<-*dDugLf2|M;v_;x+rYcAN%_|4kAVY_+qnId9DXs^2H+#hQZ+og;9h*7q}Rl_Jt%hGmV3eD#$ zsis8~jJ+sq5WgAx_N^7TR)fH0Hc7wz9_QD!*=@PmI3>}iQI0}nK;@Rqf|d}+lSU3X zw4A#_c8MF6%{+LB==cPy?nzJGl+|2jJ?SIn8B)le6Zd!W@L^YyF5@y$Xm0@AyXLM? z=`DB2A)+Kf2kn%fa-J>a5@8T4>Nk~g~5ruJo z+S(e9{k%W4%loU%fJ*w|yF?R=4t*P&(k$8Hl})s{^XEgzyd_*03~S}+eA4tZ}c zJnkKnlodD=T9FDilQbvr)`TQ2}%{UMijdc?r8p1LD5-dM zCES4WY;JhKICQnm2|$=rM7&v|BeSs9(e0;de|oZ?iW=~vfHAbXVaw4tn+xTuie8K^?l@DX+X!rL=Wu6$h| zo|S5>+?xGf9ed+IKr5^AaBc0~SIxRnm}(_WjIBm=YTS&#`dB(0M6GXJ)=RDLk#siQ zm-r#9mYnz(veGr#9`5PUoC50s@X8|rj1WG&uDxl(=tQ}I4I?(AcbPFG26#IdG}`0# z6SyE`vdXOlSCCkkyjlq@N9yZLVWx3v!YIKy;i=0JcOuf>0jUFenUKK`fGa_~!i-FZ z*O{SnH(dXDb1Ck>2tC(9X>bkEHmoRNDx0tR9jbmr{}O|8nA6yf5T zYWMf!%`-y{pg7oiygUdZmY-&E|Laam*(D(E3$a}ou0SWOAwSFCFz=o__>bfg?a!9`gJ#4;&Bi!7^RXu08Saq7cUe-qeSo_rdO} z`lRXRprPBh{;tCt-cZnM%qMd7Fa3^Ngl91|s2g+nu3rTf*-Tr3T5cOBO^0qsj&nAC zPD}Hco4pKw2U6YM@1;DC#vM<%DvaMQD09#JfO0yKJBTfzD!oh9a%%3DV&V5`|(cXBu&hNz8_ZCUJf}=Ka=B(_K7I zs1UiugQ*%9OPiR~DNPRFKwMxou=N)8g~_%?>e)qnprtydG$L3Gzi0;W8k~FlS+r7= zYgYh28?CIX*G!IA1|~hshz~|Jo|U{+)k*S@%pbLl2WaTVG;d2E*=-Ck2$UThh@z8j zpVcHMC$mCP;0anKmn(hE-Ur=Zcc~Da{G(ol(<#L_3BPzJ-hF+D^GQrIw24z5U>_=V#2l6+9!tGq;LDl29N9bF=yNWH4IoF#xNQA)y8!z%u^DbL^R6Aaqy>xTWr z-IF*pu`>>RhheP8-^KQ&N4PLRjofq+Y3(0b!Kac?*Xx7RQ292bbBXDZ|Lz^viL*#0b#8FYLFNd8#=y)%GuvC`D69vEY+9~Tfhgr>m zWEPRpP)&Jld7?q~Uxe}M#O)}rZ5|zafqrz?we%5p%0^hkpP0-2xHd3}@8>ePJFz5I zN0gQ-SW3`X##vOnWVE!NgyJ@P+N`cZAXvnf+II6J)idx;r=)V|wOV{UFPjgZ2r%~9@leyxy88nUVQCaNNEA-uuu#(^l5 z)A=+{`7&#ts&M;9t^t^6Y+dI}-7!Ulg%hrJ^s_@%)KArP3QNJ(rO$t;y`$qhqsD!7 ztcw2Omne4X3~nCnJ@kIa`{XhuWRjl7puG5C_~zh(TcsGPqt^mpL`2CuA6`2vGeRy`t6_u1o!Ba;y$gzaJbV{!;$L`Ri*<~hD?NsFAsOE)Y^_;!+K*u)}!@us;z1F?!D_>}mQ22E5_IoE4mj6n4Zt>O&|6oPh?!rM%uA z53Ey+jfv>!hB!;uP-i9{?5hvN5@~%&)sobF+1R#(2mI~}5ds2&94dSNwh=NvacxV{!HI&UyJ)^mL&DEKip6Gm& z?9$RT8gP!0=iJ`IxVTU^xGsl$PcSDlwg z=a-h`&vr$OYSU75(-ucrB)SCHT3b+<_`fcsHEpmSNY^DVYzE-W!+#z?iZ z;@Gm-Q&sG+g?bwF?szd))5fkdiSlXnn2COk?+0gD+DH|r=B83NlYSWe6^02+sWF9c z5zzq{8nbyP9}qZY?zC=3CFzzy*)m4N@H(sD&$F|xm9C&aa>ziuf@f-~PSX0dz>pdp z2opZd705^8yB#h_8FptDmrO}iW`C&C&U2|aD9p%!b3N{5*yFSA##O|_j>VF;)eJ$2 ztCUVs)m^xSg+Wmz*Ri4a@s`I$SS!7NWTPxA3$BaMmlBykN$(BTF_273#&9O0uf=85 zX5kuUD{o8{mzblyk`_^#&|WgWju7M|B}G%r4HbGj#o`s;#Gn~=1zf&JeS00GkMA-a z9O^y*wS?Qb8sHgtHePg1?^p0V7z=8@K%c_@08G6L9&C1?Bf3V}15|I7BLzwCsUKHh zxk0`ayW4f;5BV)5<-6sX6t3W8UKm!f-zE{y*0tWKpFld2gj%;Ri=yG13xUed&j*?J z@K&}J{L4)L{w=iH6QqskDGHUQ(<*FlUlBTNH-9sUpTm!gO$-7eAvR57jFRH&H$oyI zCQ3h}*!i#s!XRh<0z#2}Lcg-6KbFP|B}~4j^e@LVFnUU0xwe71x{4G=NJ}fF>1Py( zI`oz(e&i%&dwW}C?p@Jh2yBxBv+bG~YH#lUG~avwd$>n!0M#*AmStnU0j)Vc-Dvlqo7){l1KAOW%}m zp||%PTJ72|fl1YbbT41N1dQq=wp8d<3gb(->awJd`26mZ33ZeKMJ|YhK`FB@e+Rp~ zbPaJE69s6u?3tlL@}6o+zM>~4W(``D`tvu%wj?0&K&7lYF& zx`Y;q@D^x8O-N6Gk*{4M%j+$?Q{Xo;+f_Dzvs;Ps$GRBB0R~*(z1+rfJrhTfpV0nB zI_a=F2L*mMUsP;bJiE0rH1#CnY0|9)*Tr9>jC)bu^NPh*-_kuV3+EQy+}x7wI9OhP zd9NMt50&!oG5E(RkZsbxSySqE7_k1Wj)rx!NS>sUF_mChZgBIEKW@m4a zUO1@-ur{qR?+%-wx8!A!hcT;v&ribuZ5D8jz%~B%<%`TnUM|6PXggZ)f(8Xeib9lX(!s1?iAgc&S7#Jh^a5gkc7%_`ImTTrZlU# z=UuC+t7~&GadJ-DC_47^^bnKxR*l!GC}qZTyOWWVCoyTSIh~d4={5??ST~hr&lGKH zf+=?tWfNQj&gMP$n+u$#E8Y7F=+GbESJ0haUIcFvbOB?RAkv@!a1rGFI%2CxRN>Ou zx%5z#*nkqoTO2LXf|XA@%wL!%dBgNIZ|~WJk^na~hJKXc*}NOpr;*~$#A24m6NWhV zl_uUYU%i)Hxcc_9l@cw)g5GZY3mAj2dcMS4RUa6Le+`gr^@4Rn5j_8~N-)(M(t2CE2oQ7zcfkMklrazQMPdDI!&)}_n zZZ%iotY+P!d!pkHo4&P#v^2>}l4=_2+b?#ot9C5E zov})O8$hTTrkI_TI?0~A^%FjctcyW>z|`x__isF;d-AGF&y1Q_gWhTy7_g3it3m9G z9~5jqKy-F))TU8aQIT#Jrgn6m5Q zaz_s2f7s1#GHnmtL$^yswsX)Zb=UK zE01{r*9Z8beo5oQi>KE`ySn*mj;tlSsoM@H6l}2jshv-%wfv%gZ-~Et4$;7Qdd^dR zVffU5tgfi7J5gL)*4+zegv|4{^$iUGl@HTCZhbaa8R01?n7u#m;`U*K=CS0CuAeR} z=CSIaN4zwx-d3zmj`2!%V78Dt>4xLQfICN^d4NjV!K@v8`5w-K0cFG#_|!3AQ7Oj$A53QSLfFq41wwHbyWVI zYf@d=c;^5m2#v^j8^a>_yND3^2#E_q<&m*y1&xeygGAof_<;1aN#GN5(ky4sy6<1x z8TfB&*%a}Qf$X9W-X$f4gr2xVQYVjBV0!5-mW5eG@DPs zV-JBgQ*aAG&^Z1hDCUt-QH%B%(s8tHw@wQ~LkjtI{Rp>wp9L|90(JqA&`h_?G*-cG zVYY+s-}g%%#{a@oBFQtd$mx=BzRfV3jZ#Ldew%Tu=l|n`d?W@}W>8+f^vWTI+ivX< zt6Z}O2=x0noGl*Kw+x7uI1LleQ1$Z0`~H{H#Oh7)@7qsOH=c0i<|u7n7ZS#fo-EKEG9V9z2iAG zJGqLlJbgh?nO_JI9yu`?rd({S%4d{z&3dA4=QzaN6HaxenDX*?h?J>)witUj9)ob< zB%`ymHg#SRs(4{no|vh0j#5#aZT07{9wDI{4YwXt9^>tQz##!# zVWJNhWVx|sRAk+?9jiSe>U2@dt6!lIDcvuEa*mKKvPwm$5_R0y$*zxr`lR9EQQsC1 z1JN^M^5dI=)@iV#;?8yx6pC^M93mPGuZ3CC97S3e8K@!~7n@#epkx#jAOZ`JvJrOo z>1xy4u}0@5-Mpz~587IDHRa5@Tf&{0mE%_TLwtspA}N~@s!)Uk z^;=yMi#2^V#Rbg^Pyfc2sbcd!J%_X!G1tIAWN~vbTnZMgWK7*6Hf6e#W{-i3M!BbG zS79;53gfWbcWMH|dCxj&grDAWDV#pQ@LkWkAU~f1oCm%rc|wUw6+roRL1fmiW7UTAE1j;9xg!*jy=7t1H8M{j0nBCo6OV;jTlJ(u36MYTj2l zAt5Su;`wP-tWI-9?5wOfbs1m3QZJKY;^0`!`T~>ZNyT*3f^zGRJs=`&CWHsJ@R2L1 zqZne$f(L!w*avIc$djzUKD$7C@&x0-YirWbK*8#c-NJjSdU{Aj=35I{fWtv;Wedjb z+`^a`F-uEOkmpRqQHODPH8VINj-Sih|4l?9P@pR`sBIDk%WH9kXk!La%6A)Uljd4B zy#NehAY_IH50lAK z?_%-*M}>~eet?G|Fnr|^4UYZQr_kLE>j?=8V!}3TTAt1?-MBjG=lC{TE7bZIaepJm z+w;t9MNdj97#35h%EiKh-W^U59bIJ@x}06go$_bb`PU)KN4BuP|CTwZbmY9EsCPPz z-EM9I7}#MzWSDweF(jeB58C|XlqNg`IEzIv2~)XY_ZeE7(bIQ%-fk6{0WQO?f^OzY zW)^8!FLDH;?}zk=r+xJ#YQ#rkp@A_*WyD!DLN1!II9briSC~>k8&m@FeoCA5F)3sm z6tNQc`YbR%SS^O(vS0mK7w<|7 z4j$6#)T6T58t;H=YhfjRdo0f$A0D=Sjv}!fU;OvxM%zHTi)rWV(m=wJjasOF+~^?p zp5mIzjv&miub)oLR5BLQ;~VfmVm7UqrRjzCgpc=LH@YO1vt)Dx_p3tqS~P@Ke&%^gCY}S>~jJqq0-3pst#Zd1+(k)Y%S=hOJ-v+1|4? zNzT3AynkQm+SK}yPX*v(8P3#N@=Yt%=y)v!QFO#vS|tn2K4a_pwfbJ%K~sn_0acD( zzjbzV;~pHG47}+!16OLC7K2hduHNjiB@m;O}o|FQFZ($IiQ0d5e9 zGz6O}tQ1e86L>~q#HYW1FNj{3SK&i@@2z*&A_1Q(gyBQ8bV@eu5@m9mt0lXHgA}og zuq4b+hv$o!(96WYB==B--cO$h?)va|NlK*xR~z%lc>Un%MpyHdv|OeTg(5lp5?i}q zo5f~MsoYnY1qJP*`yl=diO|Ca-VbV2JLvJmuI=C)F=$*n(B-%*Ignp^=6W{~uJEQ- z9O1$lUl@z{Nu2DHKO5X5lT~&Y{@SOkncGv28J)6+nIgi7Dz;9GX0t( zw{7$MS4$%}0e{l84my`GiQaLjmNwnScQxQYsU5=kmp=aET{tjBU0bUk9aU-gR5Q7T z3(79Jr%q}PVCh=?Z|m{#T}+IN3m55Ex=2c*7FlK76UD4SEFRJISFCItK_U@>dZcS# zWJ1n6bKh!5>?-0!#RO^t@C1Uo5E2-e;fZJW+6~!%ZB`0GPr&Q^n4zT_{lSxzZC2nMQR>>@1pAZ5ZZ8IFF3aneM9(M8s@buyYyuR7Q zEq{>L^O(ZXvaI93`yZscVHnCVrQTIqjFqVmk4GfY=d@mRDBv2cZTm%K8!$TbQpzNy zc>DTFoL@L+>)~$~o8#s5*AAPUaTk`y7gVPhtVrl2Mbu#v6Te+~E%(H2jO!-?Iwf6U z#~vTWVQ^sfs8CT}qu81KU~q8q79L&{9n4u>lv0&}INt__j*NK17UdQd_53MWcS2qM zgNLNTXuSR?UtgE~kZqJ+-f#^U&{}FJVEtDiA zBp46n*s*N^TkMuj5`kF2>993gC?O?Tzk`z(dnMZ!kdd=NQ5!(mO3u zl|md-05}<9)zs7wj9bJNBLSe8gJ}h~VSRIRD)X`N@AmxfpWfNkJ20 zOecj8e+#c2Q{{6AJF;<#{>JwSc13UuTTexbZrB8! zxS>e22!}tbM9Ys^G@bs>@pw`?sGu=Osc6J~60a{0*Z(=z{Qc<|pFyY%w8Q3< z4@+EAtn5R!s=Yd;qFa3VtL&U=VXL)M5tBfHS-x3R{2dD6W=fdBnYgBA4Mb{_O1-~lGTg?>G$ra9R$sp1X7`L2zoS!P6 zQBi?}>-T+pCVjb-gTK3T#h$f@CptQKE8*m6A!T`2Y#-O>s7WY8&_`r+4k`z9Wyr{Z zFJecRA5MH>^Q@A}*r?Deg-Qb_1ST1H=Q0gOuPhKw_0Bw6aZdBXe=JvU%RiIQl^~tl z;UQ>qw(UQOhvE9=r@2a5Op@DcMIisa{-7U3GV}wC^C*`*9|a*S&UqzDoK!i@VfJ{~@3nsW)CLhZ`t5NIxA*qK0hK73 zBc$L{OmNO<4--3ktuXcnl1LnS@1U_x9*N57Gz~A{OC?*|GvoVo#tiC4jdLXf+sz19L4Ra=iL;1&h3P zBZT;p=9-*H=;->_*c~!02+c^7xqR?Vos9h7r=wMtjBwRdOoEWcpJ1fD*nVNJGBN77{ap^K8U~RxGQtF^R}GU4*ypVhd3rnk zyACJQb?X>6H(T^OQ*LOTeyfh1iqu)=SVGZc;$mJ;zUOSXx;C$dNXIlvs`gf79J;z% zG)XsSKT{_WhmsHtsT<(aD5$9Tlf&w_Dg{hAK7PZln`PIY9b8LHXh{p*7b^kekFX4W z(JOaAxV4x!Eq6NO11gByIFSi23y~NCj^x{iF^xVn83@|c-uNT#ZQ?NUu+Y%z);0Lw zTlE{bErxIbi^T^a0AgfM_4W5R0F*wCHT8}Y|6I%9p#1f56&Ca(6KeBhgu{kKQPY%eNwQduE2?K? zywESvWqA^UCF@^YyeynA20P>OTBLr*@VX7!H9q&1Qcn2(l0l3s8TQ3}BO50>7As-k zFtCXSM@ELp>3$BU=VnPb|8pTSNOJW0MR|eufG+;0yg~f1{^WSW`PoBqaweXpAtqxA z9+d6jtSC3OF^AWWaGTb**4`W(5S?GT3Ps#?i0+LpXc;k9%GINwH?rL!dlb>Z_kG?s z*(!+`=3(XNx|?1_6}gpuWi%AF1#nzWz_D;>`f+_-Vbq6Z=(4xfo1#qfRPNXL0UE3O z_g@0_+iMie6uBhULOk;->fh_t8mYcV5*|}hx5ZU;uepb#fAjtfus=SnH7)zq|K8Sz zg*!gLC&B=94hrJpVJJhBhqtX;7Thd>MzZSf2l@BU3_CdLn<0rx+n_pW$aio7HQ16> zj8fLI;8ZJ3^MfrfHIBuUxm}K8rf@}*Uzk@G73sMuXc2!u0+|~j)ImDO@dd07(Ocmf z#Si8l7pji#Zre&>@jL%StZl7*5b!t!+ebH7cY@Myq*6NIW$$Q|^Esg!7((End13o4 zpbD(4#}f0@6{r(a?TSFXP;Bv6S1^K-HNrU=Ii6A!df%~5;j_csw-)flfHk2tv6hw; zSJN>wFb)x#kAG<+*v3lw5LSzM`Lo!EY<=q|FPAV6JiSi+3*9WIBfgU%k)zk!)~Ve{ zzfKOHJ@mk^u+D?UPyK!_jj{IWgcHBY9>9x)Mg^`%1Qr3kryCGJ!kW@qrj77^S6c8h z9CDkJ!O?n%(oJ23_3Jf&b^GVXK3dS;o>J`_wcJsm%jAcjtXtcz^zW1)q2&<)u-(ly z#!x+@Nk&)-b7QO?Wsc~NtoDMO9BDKH4HNvrIJ#tVjyK_K;lj1{OmhU=3Z>s@Es&4< zY|cYo?aasez6}_7u1~zJa+Bj$QuVb`J9&X&ID8QzbZ~aY2nhs%m8|WQ4rzd`L!3lf zDL~C#}WOH)8*+8cpcGD=9ld@v#pNdocn

#r*|3!y^*J}!q zRea27y0o-mKcvYC^*sh4V?yhLI&G=dV8<4EUQM~wcLe!#aqA`B#tYiYvc5!m$kDow_lIG7R6#i z)?U%uL(^*zJUr^3mDKHo{x3fhm~cDa=;kAHJI@P=dq~U6pod0Wb1rnhkygnr8Z1qaNbve{)bA`k_pw3eBzmZ znc`goI0>mTGnLoadU}xG%l_RS5HdRqwxlI04bT^`CD4zExc+qgFsB!gJXz+idk$A$ z(P9!L=yUPrae7)OOj(<^75GN;O=acZRbjR`leSUWGiUMkxEHVHK1S9ZJHxyG@IN5A z$Ujhb%8kY}m5!WadN;sFNLd?b73VMS;<3pf2w8HF$A(+8qZUz3=H$*eKyuT zK^3Ql+q0^+``WD~=F$scixMc<)W@FH)5y!v5{g~2&X|6IWF#Aiop>k@D^;QIermk- z;4m|lf-6tPu744^x*No!tFq<;MsEB0_s^3N<~%iD?nQZ@({u#+#6A=MUO?j5UW#5^ zR99Jy0TDKCZPx7~^HWK&`wqj?9z#5N^V15-d>odA${0R7i7@8PRJ9CLVIm}t9{smM z)nA9m)`Ffc9yKbom2L+5WR$63Nu!%E)>*I5BVC3UWq*R&u{ntBO1~M#@$kB+-&;*2 z7c`f65I35zagE91uf!MlIW1Xareum)Y*Ba$4Jikd{tK|MT3Z*mz-NLcaDkVL`MjR0 zp~S44v|`bEZ^^=x0~PbKrp`~qmEpKbnC~3w(|b$!XRw`gU;zPS_QIv)tJ4kyZ#eGo ziaxkqspDQq6>SPvSsoH2LFuQ_hj*W@=${LOQy`v*f?r&|Gs|lGezHCbMiCN2D_)x( zjM+8s^alo>7O+6w`v7#6c~b<0LS`~rxoh{QxfA~ z`Ag+CY~L(mU@y!q>%3pqoWwNIEAdF`KZKm-8w83;l*xgsy26gop5*{oll8U@sd*e&6 z`Eq_9jpFiZk`CiNMo>GDg{$Cajk2Pxj0)6U%b>wzN$Bp!UnRinRfaSDiViYlU++dp z2`VP_LoBvMb_|wdKjLTM@1FsrGO+H8e(}rmer(=wZSPy}e^wU^vEG+)vB%I^8|pvf za|sarO%R0`#9H2H0}!?sK-l^sv`}63(B9xvv)xcA8>luxOdmmB0X2X54K zXqe=~hp`?Y-#4C}z6$+zk7nBI556yLGq9+RHH0;tK*C__!}-_;ut1t+`AaH*WH~a5 zS>zMeJ`tFCU5bE|MXPN>ft3Be1s8ZFDHxfP9{3XWOte0y!{ho;=GU(Zdfh%rjlUXe z6DWFHbCV^%PTisH&q)Y+`huVX<0DiV>*MC^LzZVFZ^P@pv#<9#3vo!N-?yMeJm``Q z{_Gs?RPZYww#1I6-ny;^rgjcY?W9uF0WdYN2Lj>8-yC2HnrM}FJhhnqVoyV}X)w&& z@tUK*0u39Q*)`c74qrL|?P)eS6{DzD?_VuxC7%o;B>$S1&b`1f=h8Ti(pwBj3qT~I zy)H?Dr_%y5XPq4#7cq-T`oAn_ev*zRxSZ)(aKi|l`YDQ9tbo8d=#)yQA_4VQWU z)Xx)TGwN?TZk%n2xMJNec=^AXwq_O=Wfw~h?&BaJbOP*>Iq#)?G_lfy3&e@uv2Oq& z3#@cv5aGhN^Znhq5O|gL?UDXMOld-!jbSDBm$ikJkPFa$9G#7-L- zGqK@eljiN^zIczsb{pNfoGy*faBZ-A0o2%IIxz*`XuoN<-U#6VH;CA0FzRm-s~-<)9V#Qs1L` zKsyj(S$4}1T2E0)cWU5^1;cZnD{NRX8uyhC7w(w5W(EHJJu|rOVGPR98`-tqOx9fL zP(w^|3^3$dpi$U$W=srdZ8PPkpxY z+urhGJ8%F{&g34EFNloZHV<^TgS+jh-KbD)-@vEV* zpSu!wFvK0P*Vyvru2?B0-c^wIVe?vT}2l5v%Hky~DdCU`o(>C^eL zJkni%G28i7?1GSBU2$F}J3JPt)<4!5RHzbS6|hz~4-KQ^$}qY797_EqP*u&_#L|D1}?x zPY4%aiMtrQD4Hbqw_GNpE>-0N$d-Wsyiq^V7(8-snPfZHp?M5HJcZOpEvXRf{Mq5< zJ!iB3R`vRl^=!nOJMM;CH6_u%b}+(1(-mFrnJNgKd5Q=CN72b^!I0pMGAtZR(m48> z20Zy@_#E6Injx*I>O-zIQ5fo#Le4%GsHk?0x=m(xm`qQra)W*d>HADfc}1ZN7io4L^XHv`)7iZC;Fs9?j9n)@x=LTBc6< zYK726tr|++kPqJoE}B)TCl*n{o(n3Nvz8L8BBmWNp4bSl@q5#k-svx_RH1L19`$-J=3 z+wz8!s{MKR?IxBsLjxn9?9IV_n(gnlUfH_T zHZzJRw!qR37BoG9POaEl;{<6w{o0NF4=HGlMM}A2iN_Nc!yGnQVemx}DXXE(wWt8Q zc($k`mUY|7=CGYY6OVtM@M+c(a8LhMd-mp5tZz}5z_2ThSpAofoc+BD0F7~r`b|Ix zla8C$P&VAJ=$(l~K2DEx9{Wt@@n}1^>nT=g0}DY=(z?4t%cIgwprMdpso9XKPO34N z_ad;n7OSGG-R)w{g}cYT)i|(~l-hkOw&_^}G~0c^{wIIQCP3L@5kA1s>eaKk67&)d zAipLF_7i<7QE#s){>IaQn}%-lb9L}a*61GMeZ%rrnKge~rz<#o?J5J=r@#Z3_0Z zy5F0jbM!(@IbrA9pKXCaFD?2@dalW^qHi&fB$! zFE)I(U3icMXx7>UlwrMlXb!aL&QqCz{vWulYOwN}-?={gd{^OpUFfiy**?ZZCIEqE zo`ZMonp2xJT8sM&`SNN6!{5$Vuk6-a$=6hS@!?0f-XrCL3H$OmKBNslfHBS{D482V zqeqDkV~z&+e^47hX&%c3r`sY$$sr!bBzjf@)?oH{l0r?YS7s2 zQLm%7a65|re*4gJm4gNDV^q>8gvn#VCM(q!ydz=k)QIp29mJ)f&#(k_bqG9q?jp71y>g@+upOLns;51Dv;Ts2jL>IS>lf^| zM_js`C73XHzpTzrv4SQ6F_}YR9{@K8&LrVq-o|4KlEO z_r#P6E|2bbQ%-Cduj=e(yDTptQGW?JLRmHlQ^fLEUGl2k#%9U0D#L1~YfZi)7Uv72 zr(0rduhR3_7eBrczMKs1o#=n3=4B7a1|?ClGSL{PkSo8TG&riRtb_t{`OxF8LlVVr&Nu_8^Va z%`Q*@yfZyw^O=&YE30zSWJbbKwT|B)82vpfb@wzAdm=Zkqsd9RKFZ_2Mu#C{>FsR` zyTq5y3D1SC<_WcBL`6hWE(b8x9>eSbfLzyAU4qNy%a4D~6z4aTET~2 z5En3CCYV4gik$JM?}bV&^8t`-ph4^b!ZtBzeHWuaOJ>d}W3^s55-1 z8nyV*s83$qHW{e;PpG$fd6T6v&Pw!l7}my?*^ zJfqI13qz9$#4|;q(nCd|BGMJ|8CtddD2-#etNPa8Mq+J^b2N15FVC=GKwJ^HAZz)E X&w~2~$;bisb>PSRIR04SQ4;MR8nV|{ diff --git a/doc/images/discovery-cn.png b/doc/images/discovery-cn.png new file mode 100644 index 0000000000000000000000000000000000000000..7b448c2ca1e4e318cc965a5efe910a47951187b3 GIT binary patch literal 42581 zcmdSBby!qi7e9Jt=#<8R-%bkdBc?6i^Hrq*WRzsX;*Ll#(tn=q_QT1W76B20 zynFQfet++K@BRBe&-FRNJj0o@_g=j|Ypn^^(oi8Gyi5o|5Q&IV+v4Dz@-+qMp;B6KRw3(P6X3zhKo?w8}M>6CWMT>O;j2nj)DmO`#OAu+UdS6ahC!C`|nE&+G79TcbLgD zpsnZ`?>E_yFti&ATlK##FGUm_tZMIhY>=|^vT-n|MNZ})PVIrJDFjHQ$eyq zqItLeXWLYe7v6twPZh0#%>{Xx+i1l7&$hXsL(>1IUlb}5Ukf^HA4%c)AG!hpGX4LB zfbH0R76qK>e(Jubgs2@KL#{Iso1uW0TLX#LE!8<{t&%YW6r=<6ZD9C^mQnoh&arpR z{dqUdBA(py>3sTo`dsOz!h!b_Zjp_q{QlSdH;5}0Fcc03p=hZKIZ6j6bV{g0r; zsk$}I3MG}ldJ}^D zE%xUmbDxyqY*E~RlSwR{u74${{*FoOl2brIUdDYT1F`hS-9}<8Cd_xp1^I%!60ucH z$iUrRH~!%<;sHFmRqnpU$4JQ{P4bx(>StiV9C;KRL9Lgs{*PqHXEd+}gz=xVCUV0M zo1(!D=@1U`IH^?Wj}G{Gv75MVU~xh(u4M4w5^HDE)5NpboL%`EW)~tAzGy3kTn#N1 zZ^gT7c)ZBB|FsY-Ev*5Bejaye_wP1d5VTtu>UaAGI^oHlP~n%gK*tV;Wiy zN{1`765qJg-fAOH>r(%s%h^k+hK>cIEdAu6M#vvgMw6+2wJ=m0!!g8rzt>kSOgg#; zahRu654$8jc$mEHGXevP{lqLb)slk1EOz(?DM@od{#+TmrTbUil~z}F$$SPVCGBy4 z_j~^C^A&|xoUKcM3#FQXfG1s}tbcbXia%I&PK{QhU;Bt7DTq}jJB)7~cwC7GONsh& zp0g6GWmqfH>|N{us2NEKtV^|@gbaqVTkL)|2E!HG7L3|Fq33BkTk+TF9(Ul(awnM; z(qz@LC6fmUiBVVH1|lE~m@1*r8}U~Jgp@NHEVwg-su+s)*b^Uc*vXxB3hTFJH0$AI z@CiE)+eGVOL_5?3w3t&Ut{ zf-{0HzE7*G79OjNNKNQIy-3R)6(N#@JZ~z!ZghT3+!Ol*60r5dSHLLR-|h~^s0m6F zpYNF=LEsbmR9iN_<*s|5ikMe^G~MOqWKeg>pn^V7n0Zqm{OB<9&;D2N>Xi@-aD+VH z7_*%I**(a8)qBxK6@drD#0g3@#5@!tFpol3(##13TKk^b>^;+u6SsV>jZ0Aay@OMJpUPau)ZynNF9_enm>X|51r;j0e4vb;b?3@gg|p4b zfpediNmv1KLBgllO=!0ENeJBLux77g%$oszr@nmOH;=4>OhRZyI+|D0`_sa8x-}|O zobuY3XjJ{lWoJvas3+hdNgQ4K|Hzr0`{l3;LS%DILo{!nh|2(wOng~7zC zELHE>I~+X$H2!BYm3Uj&eXj&&#}(ZM7s(8Z+y3~l3bOUt+G>K(&-jzCEQH<9w`FQ@te4tBhaXp>f{hDw2i^r!|Y8kO^W%ywDK3 zoa)l2|A~|H3q=>7jBxHxX(NeSkh|AAiS#Qt$eue<$I!hKzoZu@UN8S~vqB0;nv2Ua zv`@4JI5TVSXW_tjMH8~?GO`*qKR?u|{0zsRh60_a#)TcskCq1Oz7y^#W8Z$=)GA(U z&b?6Tn3F#uO+JZ3d2(#ju%}_|sqyP9v9kqOwzkv}BX=rD;YH}H9WorW*89andO{Q< z18Oq%kGK>2p`3lszFcl38p@R+T0b6cgp(y?ivep_Wu& zH(BwE6>>sUzHTfW@$CJ;4|3p3bV}L(`Vt#5!O)**J?k)fWjB3bd@PY8n&I8WyYf2w zO=Y^V)sm=X)9NQLdHX_jkFt zxxehMkAEK?9^NdQn=^frkicmxW=L)1z4zdB)%c<*MM6PJF+?mvYNHw}-Xck~S8|o_ zbXi5N35Lf=W*7%Y7~*!BN>M?&0o@o+2d;i3LN~?tr(p_qZV?^XzBbKvB^z#8gEXS4 zXD2=sa`E1g!mA}8viJg1_+anNW0%9?IDI#&v#Z(o8tDMFsz4!6K*7)V&I(l$DoMUK zlpyPZXZ+PO@cO-B{p$1M)$L$SFH!%-s!+g zPnau*bFDJNT(lBJxE7Yp4ex#Ux~`&eCFN`*%rJE{LOEAkpbnyinJ$-TR#^`f6J7SSw=njv1 z<8=N&^@nEiX)?VEu+Jd;n~{O{m@ec!n>ssN(Qe3Ku)1nA%|p;W7f5&KM5&sYee;e#p9UcOz6FARpV$IGlXMg=y0*AAWiRI+W3L;)w})b-RbP=@riPe3|)p$l#ru` zey0QlJCM!_0Gbs&->bD{Q~1aQp4r~B--c_|CXWlfj}XJSZ*xLiv+!}{LzREnsumN z8nsGqEq@{v-D!GJ@xy3UWl_`jn9_A^#BbBDow%hX5pMKV_pK>I0NC zIn|4M?#1rme58V++TFX~Gl~qPVTc2kmWq|~0S)0i_;-F})r1p~&q3Yv&5?FBtlyCN zY@Gy_p%!Eg@g%eT$$8qz{MN2z`1!#Rdja=KbYGX<@aYf}{8TQGlxSpdgOJeb=6rs` zf;nN)O|uMbucDQD1Z3o~7g@nU@D3|no?p6gyNyAaN|7HHTGy9&-E7PE;=nhW ze;K}T=*i>Da}QdGye3WoqAF?jjAwV=4Sk`NufVdm-=Rma5=XSpr4IVRkrb~}qxzpc z)sH)4As}fD=gKAZ`>hv0w_vMjc1-%6H;H#!1Alk!W6LzJ;|8_)ucT!uXpZ?JHvP2a za6?_S?>-LN<%c2OsO@yA1yOBnZSlBWT@uInLE}YIs5rmMsJnk2ef_^KX93a$k*{| z2tLZ*Yo1|Ag#DuylrvDQ`!p1eP|p}80Zj2ESk_~kA_)I2k$xSHIGc#DzEjik%}wKEkN_&IP)D2uIW}LXf8Fe-I2xee?{QP7=u;YTohJ>-4Em%s{0Z8}*=>Mi z)4Z-cMU(pO3P0WW2-_bD&Et@`(LNyu6~JRnG|$k77wMWL0AM6(ktM z-*`M!bek=+-Oz8D3rRt)g6(I(6(6(0g>-s*_2qo!xSc}1I(mEU_-xa6Iz_9!I=B7F zs~|>+$*4MtrkhP~znL13odLh`6gwh_?#KWeJ@m+!qz0caOL^x?7^6fCC&YjH7=YMvCu$=8@$hAwEld>SOIhZc-wd|yOuH!@)>N2CsyBmXl5RX3 zhG1khScs06mLU}l^%h&zjZ3Ps0n4}1{e=rity^~?@w0}m>=#s!hdD86Ahs&P7XUE8 zS{;YyG(0dczjC{I`C)c#xfMGXy-%}WT;GeUAJu7h^$$a*ecW#1SjOeAP3Jvyf0xU+ zJ{*jSSMnm#DyA69ev6BbH_+e$hwmFEURO4VcoBl{cRYNV>jpW9mU(Y+uc*?{c=}1; zm>jn$v}F~a+`l3AT$?a*(QpV@wbIp#esuv7hm~OBu@wUJPq_;Z$`hacwb7;T)-Xif zEQOG^*GeuM1w>(~y+Ohj(wmO|zU74W;#7s%doV!s4jaT45@|3IcS1A=XKy%JUtezv z=ibLg>{AqnX=8T}Xv*1Q-zC=_P#r?yAYdI%VofBS%5!AeO1={ z3YXY_S;W_7=61TOzjX7{Wv(|0E0SG&>h9d4{MSdnKibzW)*@xl&v3Z@QGN3=f`iOu zOz>1Y!sqE>E+4Z(%p1zJ6ktffs7Y zwLaNjUt%d6jBZzoVZNyW+T6So_(VM^`zBk#S zYkiSdWX8PI_#0&R2DPg%&QDH023?#55KuZSM5|o(yXvh-VSBb_CFdW6Tf;!6pCdq! z%blrUVe^@w;$A7LoZLghb$3y5cEY*$M&Zrq04s|4T_6ZGPYy6P9JS91M+Sr{;>EN! zREq~AD83--E`&A}NF{PKq4q_y4k?5LbwD@pecptqH+%`qalkG&lQQBEL?P1vFx@Wf zuXrhsGvyt2&E|Hx=I6EN7s1|@4G;LS)o~{e8<}s2Hun=frguwQsy6&lb&IcKAXD(O zCXzV+edbiG_5`5ske!M75KzlsTd?9W} z>qOzOKWb(6!_X~Ikv1d(DME!6+$_2eLEoPKcfJK>M6?=jp8>jb zL-V%6xWQAgUNgb`?UKPlgJq!t8m9pEBHDMMBfqqhe8b5p%3372?e6s37sHQNKIt=s zkFxhTQ?unQj$LMfYU}ErUGZ2TFGEkd8LRpB&BIyierkkNcc`{7aF=S)&>}`%d=F<| z->6iO<=K*j-*a;(c$9Sy4^#*?@+e$J@uT(y-EOpHYhhdghZ^n&3SF zTjh|Tkh6nnIf^1*3iUW-V6T3Yn0KebUsyYp_}OQic;hSZ)y4PM3{)GsjEMGq*j)M6 z;kH^Yi5e@P-lMkQ0cPK71!}0o1AhCkcS{6$$G`14*IK>U4Dp~Lh~^|b+XgDQpi)aC zkj`gn7^{Gk!mK0yZ`xa`f#l_TmW&lB^=i;1T`JOX{K>1A)l=or2z|Wp-R8;%qi#t* zjtI~+)?I$Nyct8~Q&M;`Rir7^q^%KOgMwq&gCf{O*yyHSsH&TD#_v*8?+MFr$2OkK z^}OjobL9?J?z*-N3*A9YGyXRqWincM3*qHIpL+5YR^hQ?Jx(*xMh zDrG_|6pki&I7f#;pfyl;QKbXxTcRr(hlPQ*Q9b)lQL2D?j4W%GVE7F3KYyVU0Gc~6fvx^X;uFJq_eX2qQer;;B`sQm8xndM z7ycL2b$^Qv>85;)SBPq(m-_jnD1dbE@k6!aSU-=;9GpLCz(?##?(aC>`;X_u$VG81 zy0mfyb8gJUJXpz0{#xQ#!s-d)g}ovFng(v-NH_vVCm&dg8D@AG ze1TbCD(%DJIq&BtNAFsggmP=h1|ox2^M;-6(+!^5s+wkV|A?4>c#gsrQULoCHZYvz z!9jiM{`v)gf@_$nWtATW%KFPn@&x4bi3{_fW%!#gGC58dMLVcDq8R|?Yx01J3s$50JHijiO%0s`qW3*xaMY2=;FPkDV|@^z#G z-xdQLm5sSZ9)OD~Fy+ZQdD{iPXB8BO%m;vPgSv}C2>RwC#@WlTXkw2R<1MC%gCAvzY z4Vg1ZNd1K`fDj{K2f&*G7_AtohV6&9}i06x?XsaRKa-9^)KuR@(q|#?T`VEbSDMo(dSezza_5 zRYCk!>Cb6E0f-7}W^exq9w)5^xOvg7_uzpG7pjWk^5v;ev9XUIKMuechx_^*>`F)P zKX?%5;^Gpg_@j*P*)whJfp|@yo!D$5Lc(v^a=d(eHul!mhsLF@i@!|-tC>+>VO^ww z^3PJFDfRP8OPzR7N#Wt)hRzFZ&_BHZKS&onWdBs6zJnbe%3?@}WQ4C!L3*pvw>~go zr#^)9&=Jex&S*m#0OcYnDZump(hNykjqf)AK(9OaMNxkKY23YEC)ZtQUdd;MzWg$C z1lfh1-+uNvzocZFj#Ky}xFP4>FY1E5n_%@KNe|1Yn!#rUzLO&(I>K*64~a2`R}oXN zH3ZDqVuTe`7--d*>QD~o-Sm-vTC@Fbp|P3!5l^oB6FYJ2d1=p`4oFI^(&=Usw%poDKkJZ(OY#)A1P5D&a`zXNzy}9?3hML-2S$1`K`7m(! zIChi@>bJMBu&B8Ai#&Jm5}>qCtYwN#1d#u}P=95wk2RUKIdQsIi$L9Mp~6F49H>$z z*)lbBRIaY40u!WCm-OVIBkq9-eksk*vmH00J9{(yBIVvkYGflNU1zCJ@zbG?7SXkz zIiYmoK>4p7KLA;bp?XRexS$vnA=5-1*#$Mq-wX%&;K5K}r7bgq)YIHSYe)rl_uzJkWfd zSuYc6$K!P%2Ez9Q2x8R36pztFzOX8r(Vf6|@7}#;!ID0l@prp~4S(<*>)|a!_>7s} z>ZhzmBQ34I!#Mzrrdz@s>V_rp5w31N0?;F@YDV-cx{ROC3XGrF*iexRXWW1IaO2&Z zV{~c0!lMGcy&@yW9bstN+SXRaq5JI(CXXiw(r=ieZ@t;WfAxA9qZ4P3GPAPggySt_ zaAqpCxY!y_94E_pczF}Ja=*!EMmet2=jW_oBeBsVBMlUjFaUVhPFJqmmcS8!#-y*C z1@z;G=y@SX=QX2Kd!jFZ6_SBgywqDg2?-6ogmzwN*23BYvg`a76ACfbdvz-RsX#Qz!}+%_A2}7h|0>!fU+^$s!0>w zhgp)(Vc*c6S3`}*E17YMCrbHhu==RS!$WaUd`kj@dUE6{(C!^)0By7C>FZC&Q%1D4 zwM|<>!pUrYvOt-qJm@hrQ11!AR?SF2f)K343@<`_4j+TDi|=X$Umk5douh3;Iy(!~ z2pBOYOsBd{1vA*M(L$EU&-(VCsTUW|vK04+l0=@w1Yv=S+~?FUCR--CgXu8FAANmW zt{*Xk`IhA&iZX;z!Q88=!ndJXm=``WOrPhfilB!genM4b#4<0;tA^{Tz zyyv8*qRM}8%e$#^{Z248YL|f+xApUKHDJhw3Lo45i%m6ui{yc4WM;xJHH&xwVNl0k-@g(io99}gCC{&96t%WBJ&oG zC{s?Dr>%3l?o~eg;`V*FX)HlPv`ci6Zu}6iYFp;^X97aPJp>2WLh_d}rg%Xu_L&^FYt?-yCalQ5}0q;vg+779Yjka|@8q-1+wHTS*5t z`VF`CJ|Q-|yVBP8-G>h!xXa#;)}~`B-(QabSN?{Led<8WgnOm6e}kMbv#yTelI$TO zLh=_^7=svT`te|%L-&mzyCwa4>g_62)YMnW@OQn>0POtr>T5>RbK?nAg!GQ;DZoR& z-o#@vZ*XlU5lf8q4BT_39uKU#?0PG~&M-DJxsDItGk;E1CLZDAwIiY$Si`&HUj ziHeFg0J1M;*;w3iX|=xh)XQ{bp-Kn;+|gXiOVtKV;ZSkYUJyY*p&3;95Al{0%2!uG$Zw(p|DMfH|u zlfpszEwC2q*E(ZztZ6OdMfDGa{{&9y|9ZtNY@~vMLO5SjU2Uzy$$Aw7^Tp?bDF$Jy z9+A*9a|@6+Dmj+8d#q7G(`OrQB|nTP`f%J&x4(v)kiig(%h{1_04RR_L7V+C@78O% zQ`iNlemRWWS}G)QLLI0}^S}df%}R>_pJ3lAI=@Sb6r`(vG~o^OJ%z6273?f&xHhY# zeZy%G!w0{*L55uu5mxN_B%!@eC+drH_;%beZ`nsDObaD3<6GjQ-SzuZZ z9#ljQzwkzojr^!wKd2aHhQx)b2qzP6E?}YvG#0R|(k6-;AT-R7^D~Fffa<}QCwZxs zr{~!Mn}tT7FI%N~aHPHX#r-BOj)V;IuYuH*90{I2d2-X%wzq90p<$Oj1)zP2GWr_{ zJJ<;AO>4jrYP1z_HF@)Uv%A5>C zB*yi9U(rxpQsT%=VEa}Tx)1*8#1H9!fBQ{D0_6`MJUAPzT)#^$_U`s|t2*F{HaLO( z_hE3t1+TAT&k;b|E5>D(;WaJ#4<1-}9n6E3+;y3k(n$nkwSWbOv# zz{p7+8GGMI^V(5!=9~dgvgG-GRil!@D-a3$RqaM8kkXG&PF^EAU1};MnMoKM0KTsO7z-L|(@e3Z{=SZJ!H5c2~_2Q^*TvqjbWaPpA zus|;`!RQ5n+k~S^4rmD=u73{j!2_Zx|>7#bSJ#8u@K z7jK0vUw!W8RwX7PQr`Xp_`t$`Jzohb!o7*D4M*4uVl)Hrv8Lnu)1jfE2Vrbugt-2p z6~nPWg(4k=3ho1Z@AIE{(HPX%opq}}etZhT7GYF64HeZXKN)^vfE9o_*>8PN+S%0N z+V$X^H(|o0OhK5OvJQmaGZJtX2tYN_Z!r~MfyPrIw*FpSt5h7oPc1EzCC`=IgsklB z=IRZ_kO=}Zx%0AKS*b#Z>)JJ?$B#3QY(U|EsmXqU6yWy%|#`|!%s(ij)jgUtvgl+R{x{<5DBioQ^=OHgwirK^$8Z) z7Y72!@fr_7pu8~=uD{&FTX%-_I;~>-4jDPUb9o@sabj>k-p!_%ws;b~)iMSK2BrMs zC}i88q<2LTBrX>9!md$wG1)|GXB!B?oo)jE0Ez+67P9PITy9{B!=$R%9Cg3vvdW&X z+!Iy|J`l*1w>Xd+yQV7ZJO^jnoAUa72UN4B(Lv;_VZ43s?^5_oQGr~h5g#xV#CE>p zmFu(*i;T`fM3{lY#jz}JF02%}apQ*iB=B2A%HfwQ7HWQ`J^PfOFMVh3oHutkuz6M= z?uUj|+R}=Nik`FXBn|6fH*d17y^n2pr;*BID{ZAaJp1Wk!Heb&;Sv|N;YJJHn3OK6 z&eFA*n3#lzg$CRm-*i+Fyx4TOBD{%Z{RBA3hk|94Ac(c0P<18HY1>&V>wSwa6T^#~ z@IMD~JnK1qas_;j{5-X;;S8I-X$N`T~Qwh=}%UaZ#aJ`=0QUl@o{eVZLCY{M;C;uK(f{6dM79lq+A4 z+=Z9depz}egMIzu4LVg)KbO_vBvpCe)NJZaDq{Ka1c>U z#MqrImh1_MO?wHG%Is?88#i9DwY5EaRbuv)G{tkHW~mT;6K@auB{%3_0bq1jlQA|b zg<`F0+GolB=-A%(L|;TqELk1x^j(JqTkYhBk!OJfbyR4JQ-^y;4EvmE3nj{iF3lU{ zJ?3u!$fCS$S>Xsky*W!OK-^IT0zLzbVt#aM6<-hgcEVb_x~uW%_Qh8@Hl5pZEZ1^^=jRem247ET|pVVjuKBL_NUt7wE3LZ}oufwU9Bs zawC}VsheVFY?FtkcQ*K(rOJ3Fp5peQHkVuxQyXWIvx5B6o6_tAknlrHCLd3NNvA^q z0Snv9j49fg{FFj>nd6$o;@}*bxZl1(M`A<-3sSHGzjzvxbv@)c$xNj4&yV(2P7|lY z?QDjXcYsCHgV)kHwOrE`SiRrd_}buaGu*2Qh#9~Gs;V=U4Gc*6aj6QcNt6AYtJMFf0C`I>me=8b2l?8yBa zgc?(e*zp2*Q!hG$Py@XZDrd6V10Y|c(yat-zcWvP{V5b>#@iHzhtfWiDELHz>-Rz1 zThv42hc@=Z0=WED;oPwr=Ld%GI868_=U5(NYJ({N% z@^Cx$zCNg(nGmYdi<$=;bGQK_zemZD{s$Q3GM#>+c_0_sDt45(0Sv+^@NrQWqI39a z2zeA}gMax5B;xL^F)4U|;7|-4pbSE2b1DIbUKRjc@HJUJ0y6sd`WNsx1Gj92|AA8e zLTs3(PDZ3D^&{Xp90HTXRsX&X7Bs*hQWZEOzO`VXoKUuLpxJ*vxFrI%rt;ZjbAPz%J-kX<_Dj*45SgBM#LW@W@}3871us zvV-3ZSVkDMnp)lI3ZPRVK!Rp&l{xmwVp3u4W>1GPD(H#`Pu|}aCqT<6AHe?=t8X;U z7&uUDVwCqkv`2Mf(5x;K#*GYc!b2wvJoEQLVSrjvL`euQ=8mS@jBNk;3$hTLYGDk% zCT9pf)2|e>{_m&U--5&Cb+3NvxCD!8Q(!$>0QE^0+3qB5zS5kw%Mv$0%TZWW%NH6a{rUtVb zms7Pd%E}DRb7V#o5r7>7us>C0F5z^ss%O%>kHt1#6m{~Q<`Q$TEtCZ%l3f*aE0Rws z)`#tLIk8+95BZlTlxx6FGTN@p5fz4OQ+sWruuvz|7Q{(IsU z2CyYfz9zryWm;fm);>SJ_8%pJrDK$+hX`ROTd^t`KCW5YxmJSnKFJ`U`4-lS-PnWm zyHNEv14h8#zk5U$0x2<1JH2=o-Rk?gW;ywT)0`a(Jml{6u|`f9Xfl3LH^Tp)n^Ae- zW;QXa-=yJtpQAl;T-k&)cQ_xPo?2`R*vTdF=SA>}aKe0C@PH-XWoY};os59NlwotL zH~$C)+4RFwhsFbcyNSAzPQE#_PCw={MBN5OxK(jqiqq`D+a(P?uRNmlCtF9F`wzp5 zsrXZM0*)vNuU_oyXF^-atrEsS_3JSul1EE3CaQ?5fWGJMZ{0>XM1IB`)Rp+C>~P7L z5mK4|JZthM#9ONuI4fqTcqVn*=E5ef`5XLw(*3YevokklpicVs^d}e-<0p>MAU)7w z1WvbB{$L?%V_J4iLqgihBABl}v?~}zHF{QL$Xj=js_RSNGy18$8h&(56F8S);~N~cWJEd?1$G_$S~U!{=aW? zs}53qy{ajzryuiD%?Oe+#06EFuVT?=z+!EY082HU_?B`Hf;AGM*f(90CNGu@?0%?x zR?$}07x(tM+7f9@5u~P=C03btMag;&zcU5uqBmals~Q}o;(}5fP5)aUx5}WXkyEF; z2V;Aqk%Ph`&&1q{SOztCny$2d6bshL>rje%nj|it!`kT{+7VlUlwPcEW!rgxqplLCB9Q2YlzzEW?{Sp>L5ix%rQ1T zzmwol7YbToBh;F#jmXz8F)a^R;cE-7+jGN;F*n!jOhv6f4r1snzm5|%dAiJUfMecu zV6%4R`9xkAuOR4(YbrJ-#6cPJb$fv0ECBz8suv-`Q-V8Up4*Nyp~O(@VC#Hb3Q2i) zYtTQkZt_+Z=vx#j=37&O6u*_25p{XP)YhmC3 z7M&z#5Nx&UW3=VjWzsNgT(Yffh^+A_m)UiGn8eW9hKN;P0&RX(wqT;E-g^P=0I_D% zES3Hiu#*X$t7cUb5|FqSBttMVQE;bJFc^RL@ZAQ?6ggJJwW7wyLH>H5Yo`*E!CnF| zK3E51O&FW3ey~Ncz~l&^(QRKZ?Gd)~7n$r~hn_#V;kPqiWQEp5Px>B7RqiU1Tt00; zmU`iquBD6jH`RY83a8@|*m?(^r#fq4{s8ktRWb0y=ad$nY*7+$ACLtB6StRY`NQ{h z>Uyqk%Q2R1Rg!TlNQ`l%tyjK6wsI8NdE3`g^h~c9RYQb)%&V6#*QWA2U$z5wn7JO@iHOQ{9|?a z&IgyPiPEiUjVIg|8jwmI=%AbSHdWmgCP~R%18UKsU!AfLw9%jMgYe1xP7mnOLc0Kq zXkaBoI`S2}o*!b7x(F3(pOX`ox+q)B+Q?yH)T2RaT7M^X?k6i!oN&x(sGe7(tw}(X zoUyOk=O~uqepM!-cyyKghSOu6rMO>R7@KLpzu*5E0&eyKF+T{>X-x48g`GmVRSHD~ zZojOm>yq~<4$$pU`@$EW_okg?dZS7;!CI;`BT{j^X0ee%ubh%W$}@g(&e<2u)fslv zbuBkVQiFe=^m(g?ZE|>Aa$R@Xe8`&)n$zG!t+f7#^2V9<%%1|PDnh0AM=Y}Wagd^1 zWtd>?@Ac!)!iG+xcYP%zjJ-d;ifwH?>weJnTx01y&7JU2EKDg-JRz?S?-eLRVk`WqcsUFW)#1E_XoFD zKbN14GTY_s#G2VvdNUCEiG#M8$j=YhR=w1{zoY{{z3!kt!A%}KqkAOg_LlBwg=?-& zTdanTc4KndUM{Y(n*d#_@dgJq*5R+R=h*+w;4rQZ*Xf&J3JWLsqjmj&503nFm+~eJ zq}5?jM8DSljE`ZS4cK4L16?`HV0cut+VZOatNAJEkg5}*mQ)R$({-^SmOQc_A_o&H zWL1dZU##D~b5sWr!EiP^#gdMO1!pyi%G&N%isT`?ljS#TCQyp^iSycZ7O-bN)g6Sj zb_c@I|CC4#G(m5KfxWy27;OdX*`3-Tw=PsI_^ocLaD4n zN1jdoA`8pK)Y1Ok^tTukX2F|opMMN-LZ;bRYC*lVE==xb$+rBIoe^hmD2Oy|ezk>& zt2N(C{Z#I;*U&0{F|Qyus#?)|dkD1g{I#Y?I4Q7&;;0rLwkS@_9$J1F(e$kF(XJ0r zu5(Jp7V@pp)(-^gi>-x;P}R(MT0gnytZ-`>w`ePG_^k3qaRXOT{mt@LiqlgBzXBjh zFh?j*g|(+>oF zOy{aTD1CqN zGnn5eZ~xWntk12N5r?|j@~>Pa*YQVplYJnt|7Y*&-G`^k%!Kwi;V7p}8! z_oOCmUp>uN44qemn*fKecpTil&p`j0?|e}MS*Wh-*Hm#roqURGC-5BRREHzs1Jvvh z2vi&@j>O&5$+td2%fax$?*e9@~Qdt2jFG@yv^SaWp)--U=K8HT!7 zLOJEKtn?v^6oT21#Mf`2K{sCqh~~fZ&qI3{PQ4v#vV1MWu&aouL7MAv(V2o}^| zv`*n=m!2pa;X2MoW9$Dmqwp@6mZWhT9oyk$VYFZ1mwyuu>OxO4EUiCUg(g`hSMbk5quFB2|kjdR8VhIlMy?_S4w zVyAxDz-}o_K(Tv)r5$HF^9{pP`~>z2eW%uOq>rURw2)f&LU|J}&@sIw zaHos7>f*MvCM=5Jqs{*@6V4dt&|B=bMzM*L8RXX?S`q#9H=xRM3p zYYwG8;8U}o35ZxZ6DNV%6@v2qD967U#ZUahn^4eqw#@hx?1??2gD6cnk2*Y2E)(A( z5ZzQ&x3#+@s7N<>o989pN7ltX+sc|X&&@XeH?%ylL`d1jpJ)8PUC1xha5=3!0-fcI zZ7LQbJ*_%I-#KxR9Pdl-V2r(kDzGz*FHLVyv}0kM@Jl^;dw!4>5KV6|I{Bag4VT$Z z>F0?YTNg|zVXEJW34+qqT0}Q zJ>^x#bNE&b2QmcX@Mxcwn>rxILGt^?6x)OCP6MUcI^#t`{46snFtY2BYwcp2#dk~# z_tq;NDfOlsob8QWx01(Q?)f3=PK4XA9jucqT+bf)P_?a&uZK0_Sm1n1kyHe@=Ifmc zr;L_v-zZ+3D0lU z@@sc<9D3XMZPvQ!XIjt{XFvN1l&Y*hqz z2)TRsZw`;L2j-tmY!5^!U4|&J{x=h=sJrpo({e5bj~jbVthh*%>tLnxzB61zWnXC$ z!y4k){T8tHpO65|?{eAz06qRjMXKQ-v~)5mRq*Zft#c?)5KC3OcI%aq&YBcaP&L&bei9s@RpVB`{MX{~Mv|fCeC#0*Ime_go z^d6KG5E_RG7ZINUt@=A-3!*_m0pNogkN9x~-1CSI?AC5wW>R%MYjwLw`5cm1BIYv4 zEprnVMZy0Nb27hOOyin>W~DMb3BXZ;BDHgQ0v_-y(}UrhqJiJbZ-gzmhDXyNzQ5p6 zJ}{U_6@7;eSk1XO?-S44p~6A(lp1+VFgwQ&8~Pm&o-y_I6&5QhIg&XASUMQO}5qFP>wNDq6L_-*AEX z^9*J{JWaHy2*AQKyw1+0|9(aRsEpu!ColeKAT$ffO5#`k;Xc4sFr8^{btNSwGb(am z0uaa+c`F$Wd;=b(awTK_T@ z`4laCanw5xrtFpv`W`$o3=9b&^x6(JW-KoO15jiqpwxuwRl1ESo9KLgaRaogrDtSh zAnX|CzeauqEgSb3@_V0ZLx){6DFA{(`d~6_0Z#`JwkXiUihR2H8Xtw3+tkj}xN#}X zdw*1XHNWf_8x49DLJeIPBHj^@&1f8=yybTZ-TlAsEIJTjy!(% zy~un0S)#C&MmmI<&Bcr}@4Hl6c3)0$`o^tOVv2K1UHyc>e{4)oL`1}7p*-1A{1S&q%g`{~Z)5N!}Cda+#(?4)m};6FMhspvi4#&d$OBxQAUD+| zW)c>Z0tJotf{vrW!b1M}c>z25?@BZWpclk=y4A$-H~Eh&P`T<(fv*8#SA)^Ss|^=? zJ>W^=^DTN9QHvr6@<;#Wo3a{$70AcEW*+#Airg_dW^y?Zul4L_mvAqm1AMDTYBQsv zVu)`c+tAn4Q@_zi2GdMr(HWn_bb&=G4z;$nx`WEG17=1Q4Csh2C7R(*Fss@Qp1%ih z^CcpK%MDvrPQ7#5=CSKp}I=T0sHVBHX)8Drx=t^ccl_EGXf@jucqSQ>dOpHZca|(>FZ$gt3sf3^bxiuN4CLjB znlNM3=D)v<=?_Zj&|?Rth{Si=S-1NXF46n?aBuHG?RJfaM*_N~*kHCSO9B?vm>sG} z6mpGXPh~8;fOoI3dXDfEGacHMB%FF_#OekRRZ9nrKSmhiHchO7Jf%2~7eB_rO!3lJ zT?rnNON7V{QU^4ox(&AC5-%{{GH~+i(r|J$F|Y#`99E#0@B}C@U{SI!V+z}}uXN`?^fr_HCqR;5LvtY|0(uM85K5Q_`*p~l zgFd14pZ^zkZyi--*S!nxz3J{y5RsM!>D&@h($dn1bT2VyEqH0{Y{x2oskt7=63t`z2rN6zgVJ zR1oj9oMec)#wCUnm$y!ynFZ*B_rHF$ngovKeNY&KUyr|JyccW*)+T{u^6YFdU&VD; zQ{g>vI_b9i(fWurln3uhHC5<+Xfx9#I~&`dUNn03`ucj==@)Xeip@c;%OvLXFCXq> zc2Fu2vnU~dU&DQU8$U7L3MOkL5zP$swg;*(V|8hu43EGAex?DbNXvkOI@;%p=l`#j zrT*SZ|1Xw7JIEmChDn8IHtx$IA~vMEyx>eCq8WRx4GOUToQ~5Z1A-0YxNR;XFAsFM zoV@hkjR0e;LU|RuxCwb(uuA{HGw7jkQ-np7d=n$(opGHjSSszvGaxe(TmoXHZ@AW8 z2^e617$AOdqxLtw418=63NclZ`7NsxIirMv>b9ZIsCSYgAO2hV0B-+2*+A_nEji)q zE>9e~R)dkn%OsjrH1Hp{P+5Uyvx7t=FvlwFRAZDQh0iI$2}WhiwVpDVzfdy{T~&(w z|9!G7OP0MW0pe`$wnnXntWydRxWTiE0#@ENP_@7bw)i)G7cT`=Yz79)fSq-ZFuLFg zmvsUuc+EA4Qm9*159w7!CXQ_CgGY?oeJr%8RUOSsX6l2H6tU|Tg`bPYMU z`$wFSMY_zhonrt#u)i|^r-P*)RD+K#7}(IxPVEjAQ4S5w;?SUw6*M53uE~Bp9@lU- zT(%+LB)!HBvX(4sHxfb)g1jbMy;>B~!Ci8)j^>REzu8^%QYpfGDZ3581!) z^MCKW`xSBF`n2cu``frvsB)V+fN~T-8+xPEmI!rTSMR&$(NX|Ug0jC$|J@rytGzjM z?sMy+w1(7hgvFDn;~gci+G2BM=cAPxA~-^7FTc9Rq>i2vE6-rzohF3&2 zw&8{SxR-!%2028Ba0}=3&Q%r-$bR@EPsiQnyE(s=HOVdA;uI)&dfM`_kqj)RjQ{Ny z*NH88jGUn=td!>0Au`|Et^ht}5bz;K#i2ix6tp!RB@n-upD*x^d|2@U$qg_Gu&qyN z$Xl_^LW??o`3ea9McM}XUhp9LK5+-K5AHn|Gx}|ezDXH;7`RmjfeTWhXkN4L0>`5# zYwxhs1=W2we+C5?HeH*Q*G)tq*_f_(@ZDe>xZiM*H#*mZ2w*De9s77pjk;-U2!%g+ zG@tr}t93Qm)jf@AUIEyUcqv_D;YB@BlQv<$fdK>F4ud-by}Z|r{n+>Ipy#8e#qP)K z{AKXKUNZ3TVLitQg=ZQVMq%eZ%Kf2D($SXQXWq*F75u2ZNao|AegDmHQvL0h-rF=U zY(>et(CpM9OW7VcHItZTj5RGJ$}L1(Cuo~g=2*ImT8f|009!24!h0|DN$>WknR>zn11Z2k z1oAC(&J#qTx`H*7-gj}JpI3c%X2MdtGtV{8j-|c zSs^>#Htw3Xs=3`livCA!rR|2!|BO9=I8cVMyW z7Ew0oI7U~*ND>IY=g($Jq3zJF9ao37jfwZP{`a6kB>yQexAG;BKi-F(uJQANWZKyx zU}F!$^!Pbpq!`u+bELZn#0v$rN-)qX-%V}ce+1#Ko2zZAno zD>qMVAz^G%xX0_J?(zBrHf%EBhf8jK97b@*ft*KXL+l5;f5#fHK`gjwy7fPb*6;1U z+u#+%@`Rl3slfOm6c4+OhjX!2Y0ck9BHg>F#QaGl0AZ7!f^oF|nt*rV+|9s5#%w4% zh3}K(yH{p&V3R9hbI!R5n2o@f3Za6_GCYTESx4FkKm3t=XR($0RIkzGwaphIHO}$i z&C}5JEjkhnzt>A%2Jzs0x&K$)x{rs-v)nlIN>TFFE$eL)`NH%kA(C%&oJlLy5+mtH z_+3Nz7vQU#Kqr8`$?9k((>yzHY7Z{b-E(gx%@HWDAMu7ZJx0x7yJ4vo*4$O6kp z1DHV4?R9x~314(O-ArOCM;2^V<`Wr2vMk8I2yMW#ko&5$;=&wtAci3_F%TV><;G*S zUK7>Egw)T>&r={)_#E{izs%9d9F(lPLe*MfC)6DP2&rdR`2nfzG+it`X#3N#X#ao#|!c$`bmhm|vP3D`0 zNfm(#Y58~3V$y4eTfHJS?8GM)bOTcmb%f znY3zXs2e@{X!ML}H-1hP%6Y8Ln$PIQ3t}$fF#FUQwCBDCeZgovWv;rh}h40yoC z4kYdUeGyrwv8sZ_Kl@?#r2DZz^gSqRHnFm%0X4YnZkR93w7mQyMw?gVZNL4iZbpNt zfcX5fu*dV^r>S4R&fIB*kK5MX3mDyl-jIN6-#Wu+=$d)$k-s5 zy3-U{unSj>RMT8`bys@DSI-nt>wwXCuBoRJ9ExgxHjM0hC^-utZT;syoGz?k?=g)wWTG#Y+szc-^`gIP`(bwg zxHxymf^*|vVEW23ZM^WGy9x#nKV5F|}HKkr@l zwK1~Ti`-CkdK2-~dJHD!cVKaU)8$Ugt)ZmUhn0GyF2bmN+K6bfk)^&=zcjqNtZca3c?WL`zO@g13JTTB&nvTUufwhUjT7J)>}wZYz(n1Y<*`aUpxDrsw9uPBR0cU3I)wZ_yr8E)IR?`Z1-z z4Z-5&w=?G!zgZluW{VL|U^++`dO4nm=$n~j!b=Q?$2zam(PQRay-CREupo7{iDhuc z12H_S^w_=uWZX+I=Dz8FM#lhk-KqTg5Q2qvZU%V`vy(C9*uQvaKeBqByT_e$E!y>N zHd&|b=F7*U;X3y51w%+eXLEg_f41gp1LpF4#aAOr$P@HSCWuw{&7P`x;^{_cGH=xu zZu}n$C#w_F>liLc%~zOhJaL?v!I%2~6Dr}dzrn+ERYRA{I;K@z8uObb3cGbG5BU~4 zXFuxw!T9EmSKYg7$sJh>=zyadgz3Ki3n;J8xCRNtb3?3>NlE5`C`nus^njIe0jW9L zL<8 z8HMxBCoY`^nto0Z&qw_cWatqhvZ+uO}M_b0LReP^2Ifdvvn+-!Bdu9)rASf&Fy zY89$Z-$X_?Pzl!CCpHS#ZEBXd{F;?dX&OTspUO3zF19kBV6ZD=KEn62Y;xpA>z%gB zPIG-TT258;`Q=H$P#U zNeK|rl469KeqsOAj$iAk*#CS#`+QUdVvJXqFzZzHE|ostq9RQ_uw;37ZqF5OY-qGeD`Vv#|4Zb>AcyMS!4^&JWEL;PTh)LxQ0 zZs@QCB;R$V76Z;mo)I$0bI+l>&0{WlrG)9?Hty+pvUYY-8tm{5jSf-i25<4kDZ5{Aw`rU%qMwG9CZpX6BbnMw&{0O?zIPP+xZhm z_Q;^UbgGj(u8avY=b!`;P16VJ9Y2_-6yvoKO~PIav(YmwKUU@asctXO_YWU!@1|Jx@% zQ$A2}?w9ihHQr`rRK5D?ZcuIOb5^N4Wzu_>E6;+YH6_x+jnwjDHm6k<`EZVW*E&E= zF5BfB-+AIP)aAVO`&y??V&p<75>5_LD`{=sqO}Q#{L370S^ccz6Fhx32kOyv*JK=Q zC8;!|w?%S$Y`sO%#>(~9}5UKYzx!I6}HuPv8{I*i0Z%383f;;xl6yoFqIGBV8AO`s1;-ZPO}x7TGceZ_~}~r2abFbT>jqCl8ye~(brXq8J|CVx_U!ReLPny7^Iv?-8Xmq-+8(}rU?9})_aMEZ+<<38ll}&?iE@PqO<~c_>1m|`B z)t{v=6hx4JumIrK7J({ObL))IyNFIx)2@5(gO->HR6NTDS4J)xjC{WXO=CafB~6*emPfi&j;UzUcL1GT;bFHQ&IMn@ovk( z4ENKhR^8`Inq_yml~Sg80XeFl@>1j74Z( zCq|hKH&~IUyUHag*578dW|@~`{2-^A)1LDvf{en3GWSvL6Tt?0ZU+W7wrr~8?V>XO z>wfR1;!k#;o1C^rPFh!e_fJElHg=i>RwY-(=f>>P*S)zdRU~!AZ*dqqN$s_I<05=Q zEP`f-+IKqqzCYV~M$i_bb(7qCUoQGes7Sf(Evx&2fMS+6aiOCGzVa16d&$mo?9>sF zrpx*kOQ_OMw+Jcpuw|Hsia*g2LNmH3kmztccejYWulqz@>805N(!Z+7{g-}|v?oa| zdS8Qdi8#JKLu)!NrK-)y@d6LN_@e4T9S6_8|(j-5X zmX?JQj+rfHzgG%pZawK#%{5=dhu^^nz2@zc%}xr_ZOZ;Jqp|)V#fPAY=CZ+K_c~*v^`_kw3-=-1=r0^D6xwys$ zUo}PFxnSXdSdsBKia)=Ij+#h^R6Ho~7>%cixrpJZ+NU`@mZ8d$<7%k6Hl%)3Ci^lF zo9LQkNu^EM;~X>=XnBu}rQBf6;+2Ozv#`$gzW#&peHJtD*}VEmKF3%4Y&BR6op(Eerwiv03q`jK5-g(E$1+N-Fx@*VI2wrA? zsL6C26AGO2vnhGPbWj%1W#}B5o$;{P5C8eQJcSg_2|;SQ@@8m5RceGou$DT5l~k~j zCe8Jv3~o$4y7$S9aPsj&|Nr4kJqhaQ?h^g4c}X9TaR- z%LY&0uIPyjKGm2{DPtPwlb){R6!7|roWebAdnx5}o?TQ(OIO8*WdhT%792d~Ar}}k zyCm@+B&@01n}dG)*d*|&RZuD{crHiquubHmqEzXK#P-S5sUQa|ZglS}W_i`u>x`L2TsxIo~gU|$dx5f`jbvu(c737$BKmG|et8t~%GKT`kI zR)d+VV^p!`k^D?`3DSr`d~=hhg00ctt|8s|{%VwErnjnv0Dd^iMp20Qg?71ttnwr?wC8PKTuwc zmb-jARm@lRlz}imIevUrapF@a4dRK&b3JqiIQC75yR!7-XW!%Nq|X!8OzUDj9)}0S z!6~tAvd&(;jN3CbcQ+z_9&OsrR`?~Pb&8+=a{r^9&4GkX?ZAGc@K>Wsjs`R|NJ>7M zc^D>|HAdD?o1k~Rg&V$wlXVSO`Ny+j9@|!DdJ4H&h2)Rgcm`?;AQ_|O?UqmA?O6G( zWXq%@qgqSqh=TJbu1;yG9|E7o|P!?&mR692!hJp#d7VR6_k9QStdzZS7L?!YD?Y@Bm?&^xUJx2fRSg~rft zsfhKRt(}XlYxDlqTbAuHO7z0$3D=T?!stoDOXRGxknsDzv$y-}&`afvKQ+L5!VGfG z^GLZ^ja;v`Uc5|Bxut9K?5>w`1U6(yuFrE!DXHNH`D!CX-kp>LvP8$07U%WC&>0qG z#9Ntn@jBY}Zql6ucpz!Ta?_NQXMQC*t~wRv{F-S-@$FLSWKQJAKy2KC8a;os?}c3< zfoJg=&hgwG=KkH#m8}8e2EzL-*prGugH=?mVz)bIf$F7T7NM=XgV0wj9}rFu)$a(m zI!>?Ws^5W>)Z@3~@)a>1KXiA#i3D{NZai*VF&G_J!TSC#kE*=n8<*XTq`Q!hwnCd> z=x(aWF6n7!_=0FIg?fLJzN3^)tIB$RNcRJ@0i7-BDYLURy|^g5R_+h#TIPhIp5jHyx*t7h0a{3uCGPtUi7+;VFP3R5 zAr&zfK&O1p0vGyGPjFw(07@V0%lx4~;D!7#@Fas7wGOpo$W zlVRa>g6NH`lEkCya9XC?E2DZm;#U+FNtVM;KW^9C6*Wu+7*JL1tA-0S^V)jE&r_wYVB&UzX0;t0Z z38yBf4y>%86&$<0 zT{uv&!sJXf4X$c)xLR^t(Z4oOWBz;{#)SXI>-?Np`2t#tOQsyOl}r?}!30$x(I0eS z$5k22sa;@U6TG9bytUzfw?Yp2z}8>~jJ=Z78EUFhD4pMt{)wgQ%K6#S0&gdQ;uW>w z$=VJ$CNW zZ{;k`Nb0JKeZ{z9f{KD(u|XKn-wFSCS$F-VZf{WbB73;GCZjdqPN@zcvclEP?zF zI;`dR=$qgm{jH#upkOT`>!ZqTyBR71|FV$L=Q2u3WbXG_l3J{SzLzM$xLI}wx3fhG zZmew_&3u>IAnUAr1&4+~xcMvX$R&{nJ$e2rG#|fcc*8^lL8)n)<{pL>5-oVau0J@QSUX1B-1JlF?4t-$j*7mT-?H}IIzIg_@CLrSZAVa zYi+zbxkilTAy)d)7veG)Hyb5>ZDO)4&BNIvlD&>30Y}674P4 zWryl=!zht0Ff-e$6SF+?gSkD5HA%#08lC);=fB&F98aZ^KA=TIXAXJH0oO_AlN^OP zsC8G!!e!jUMvf4C1W1xf2FPs<8nbn(`CoW@I<|MXqsj2WT6B)0S(YkH-fEo^!`+y& zxO&I+r?9$YVgJ}0qn+q-@)uFNK#{9g&(FLrBP~;$Sl2sAVnm-M*%L~e<2Yh+vZi8KD#I`inRC_ust8R@{|CZp^=>_X4 ziG3~kfVZW^nmtb4X6t!Xn1OCmf{*-yvqnln&4x_#^_e@V3j5=&7gC%Zg=QYgtljXHRo99! zU&fIn#)G4Vr0UxKD(LJzA(S26u@06&OfJLQM+RYb#*0}O80-5hGi+0FC2&xK#h{9+ zElSKe>PH_bC8|^dDe~LG@%oW6Xn5Ws7H*gwG)g%)kMC-Qr^X!ZA4=mUU!WsFys5G9 zj!0}P@&to<-<^Og>@!}e-@TvQ#+iykDW5rLVic%J(Jn7=4)^du()tb_pbP5##IRnP zR*X`oP_5N2xv90s3J-f{;KI!5-o0&b-X}xxY$aa(Ovvwqv^~SAFK4Wv#%i^|bd8NmErqR)US`C$yDztOzG4UF)0WSP<(B3fj+t{kY%^nJ}^-d+jOAQSkggb(!Zw z69AOorOI~6a=1?P-A%<`<*hNnE~Q*78I+#bo{t|fp_N`VwBZW8dgV|b`DFN%goXc! z?bqpX1iJ3_t&j>|p{&kjCr$xnH|%B26fQv#d!&~=A;!-av2D*OV5~aABGzZ(-73 zypAsSKGH3FIta}@p>9%v3=2tO|G8TL<6Nu5b^g+U3on-`^q}~ulW@vfcj>!IPflS< z7}}fd>NaTk&^fsKB9?mYr26-TnF^^3UochOiM(bHHQQ5kG@SuIbci!$M9P5SEcpyZ z{v`kJ5}Rho$F~#>41EWu*oOVD75WM;%s%u~iFX4$Ot|ylnYc{h1a-%2Tjgy}3sbb} zFe-yvez__hVT-l?k5#C@Mcjn9VzS)X{_>j(X&m1aqDR&;E2P=##+05DEO0t>>1Hk) zNo+M;be99?SkJ23>3fi5VI}?6Q%#SA{FL&oB*PFK=6A~*hax*+Uj5*5Ux=tWrkG3mgC9*&Kq=M)U-#rk7pQwgMS+W=JWEcIu)y?@D?_Tf= z)&WXuA4&njkd4PSKa1*Su2$h}3vVyF7&u|@%z!M8EvzS=Ke!&sEd2$}$N?`SWybv0 zJ}+t{JK8?)^DFrGaL_)Sr%bd9Z|~}P4=r>R4>1|mh)6h{b>ec)DmuJ7{n@8172QoH zt1cT;!<$9W%joh3O*px@mMX}(nNE3zkRq{Ub4>`UQN{hqbvztYlgxql#9`d9p?7-7 zvt!rU8$@KOs!g4ms(Q#r9!5?>t&_vM#>>-nbOM)ysI1_K7(qB^{K=zsCk2?6dzzW~ zMPJ(LE|lyqzo&f}001j;B!x2%h$owIaK~V5_1#_5M1>0Gl+&@*gtmBB_w(!a1US$t zM#%^db5kLncO{tHkUk?0ubvaC>RG;KlDDKQRV8CB&3y3z^z0D30B6vIv{`O{(m9C1wpEWl`_zMte(#Zal1M z`{}4+kfVCDLR_2E ztS1~A7;wicIi&uF?#*g(!3R%+tIx}OwzFtaK)p9`2W-vWKEd@G>Dwdw0SaiP z`*El1+}PK*=+p(f?lNS{7=Y1Kq44yP6{1fb;fUx%1ZIimr5`Al3wxG55oAdkKKyv! zy$q!0i-b$;t91||TnBpwKnu-cRUaQkUS8)-~2s}0Ho=hqp z9mmv|fZb;4cfl_bMC!sBJlR!laE6xj0pG0S%f_(t!|dB+-%Z>&(YT|~_tU_HWzd8V zRjVT3!_4H{Kk-sLnC}Y2eE8%o<-|3=J_@`c2Xk8#MG)l2L{Gv$VsbR|`*R4E8H(cj|X-F0Vj;K|@<_Jd0&sb?KnaMQiG zv!pV%+WAxjhtx$Zc=B8&D@sv@H)6AzDh{i8l+k2jnFxIt0_ohR&hn=%DwE_Jw-CUjbM$n7A4dG;paY3=^BsG|MQZ37-XWpJ~zyFbggfTJh7prF(b z-)Q08eIBwqm-6ITckrqLwCjXVqLwhMDnB2?@NT#RXK9NG4}Lpxw#AKQ&~t67zFeoE zxC)3^{Yc?ML$xdel6j=5#P;6AE=7>IA1S5<=|l`JJVnYo^Z;HFj8CRN>LP@&V-pmL zh&RmM)k|5CWgAf8YYhq@4XD5Yufs&W4)X|TC4TvtE^c{y2Eg8_1?|Xz`qrhBIG}v2 zx&UM~-Jv@P84#4bGg@XGiE8Br`ZF0HyMh)D7JxMop*s4kHk}o6JtzQqc;}+F@kikd zx88=drNxAA2LM^eJ%l;0Yi&B7b7uwOm$pH(24-#6-Px{K1SoSm^jy6 zI4)o^5%H8z7eIrsJpA)Zw;kY^Zv(l#XRjgp4KDY9me)Xx+Oo$Dmh>sq6er+|?`k?$KA}WrLhH)U^vI$j_Q$D0rBhSE9lG<=lRwEI zy)-;wU3b&%tH||qt?1qiefKUH$4mW(8GzV8tsH<`LI5m1;C1;ms+C!B+29HWqxEx(%cO=B#~oE zbM3knp*on4TFPW0wb0;hW4r#--qD4*TI2Oqc0sJ>6d^%9b zVH}~sW_5NNnX2It-*>gweRpn;SAY6NN9`X#E2?mUViM6sp~ysw7yTBohy!%EV|z5h z4>`L(qaPWMn6~jO15FkXU^Aoix+D0=p)MPx^%g%;>Ll_OuMgS*;~|R%QEF5V1V?{O zep6_=_Mmg@P3F>XeIc66Wn`Ux8cWRwlb4tG0UR6`K=rX0%u_<~j0pXtW3#b?W@veitwv~jeH}JijiqL<=t576p#UGb@;Hs@H(6us8CW32U|1`xircx$U z>Ui98RH^M!UG60|`kLPKOD3&2Yy^s9_5OKAB^{AUDijS@Q{5pU?^)P3bggfC~>IBuE|_+(^b-QsuDwEp$uhVtipr;9O+tjATs?-)|uBj)Y`&NOHw zVnh;<%x!EpgWe2CLZj^_zUZ5KK7O<)+E6=ScyW4X{n5yY=o@GOjHGFM|FX1y9;rwV z1?z=_gq7@Ok|y31=EhXrzFr^-LaGYSkRM>e>8`#%GWqIPme z?ZSI!)=?ho4I$R;Ppr;FUD1hbpk*ffMh*yPzuyKr6Xo#;fxet(6cH zP383YlMCruak>p)%Xz5o)Kan&-<;=KCA%_j5>&WF*@%#U`)1#WqRkv_j2W?>qoiTM z(=0F#F0SGpe_7;bif9MD*+%23IX~xwz}`lEDQ`Wun@&Z)D0Veb#f7X+ByoUn>>GdZ zF%2R;7(PGwZ2$-&KesJaz=Q>7DqIfdRD)(PR9JO`55`A;Y z@fOgdh|hUef-ZO=x51*@Y&jG_s8fcCPu%wOQR!RWK(*RTUNGBwKoYg zjMK`J3^C^Ifte)w9D%zNzzSs~ZiGTAu#uSr?Wbk7AAw_*LmtG#iVdj_e_LBA0DAQ}!w3qxCd9Mv`J^->Ie)B`1FB8ZXTUSThR)IEv@EB~l zHYnKUi>X1Zh^t_DR$IgM>5Eo7$XK`vG2(^_8$Fqc4Z^~apMj4KBUOntmv*;$PN)J5 z^b#{o25hh}<|zy$dE4BLN8UN;EQtv;X8Yf26?n!BZ5^Bm*_7U0=Y#;S@j&?#8MGu^ zxMb9D-&$QqS?B!f8s2<zUQPbf$6X3ufHjL)dUb&~U@lix~pBlmuRlZMFjJ-)_6odO(a|?95Dr zZv#nYh!SpH&`lstzd>1ThL)b*iU0fTjw7sHG{`Dgo_FGSh+nx1vAn9)j20RNI!aRh zqU7Tk^eZQ-c^T%^H$AVBjW?7cXwSjv?NS#oQzM28p&3;hqk%L+fpdhW=>P$Ll5k20 zcyql?DRW1GRbk`M(q0-lZm2STdt7&u{adZ8AXD!s2JKw;ovgh|nf~ zlOfgl^Br_HUYY}uTEE{d20(A5eF)Zq#QHY_1mydt_>&m$T65}zfFX8Z9=!R(z*)Yf zi!I>(Ofw{4I$(H{lS+g5xU#ZBvq)g{^r-|jQf&6WACC?i2pmKM?rdt377sXciow$0 z<`3(Z*2<9-^Q#^(we!lMOO({o*(pGPtzbdZK(Ex+wS%+kqS{$~FjrU8eAf7`ntE2CUgYKM6GLfFBY9a#+Zhuv$wXO-F0GlK|o>3vNZ)qrwXlR@&Z3mh?hnY7|ZdKDHm+Xz@fiRk9eoR?Q(gB+~H|aca z^!$E1??*5@VVmVCj0p&ohF`Il1}x;G<^lqpMfu)NaM|eE60t z*H;&-#$3x#e;$nM>Y?Z2M8m_3o85pp=a zg=mG84H?dv>gfr~1`2_BbNy(0&4XxXnl8{IbXVCbGP=Aofp~i&O>XIBn(ly!JE9GcDruLG834IT=TAFAOiE3h>OkG{~ z)F8rGuwaF}>q5=kF6yv7;rwAm;9bkArSF%;{1e`$0qI%fdoRzWB5=`630W-mx27kK z8wj*k7eB_;ukvVEe1s-}Za~kj3_s>Vnql3Y#RWOXvgMs;- z5~92-x=Y&JPEe_Pt?N=3#qiizrp1Sq?j6v5V-`e6+Nwhm6TDH@LjvzcMn;sHgNjdI zNJR|pJ)|f0NzDAa$r*|$xdS%ffcRFI!CgRNLzw<0*@24WAUNaT0@MtRwD=Ggyt?J< zFT%7j+%owZ3g#$t!5r=ZitodE*&#Ee%)SdTzen$v#EP*O#3R zwkF_kD@BnH-`pksPu>sMcpx}|k9j3WU%b3?Z{v%TUaV*5s)^dnauDN%uf}vJUaQ1u zi?cg1kplsPvb5D^dx9{uo?y@7d_YDo3^yP0ZM>i}2Bp>V*H0RtrPGgoAk8?4=$Ad6 zS-t1r6mz4Y$FTdD?oVfpWs69qa|y1`cCYTR1HOeL%v?(Qs;(>9kJsKO{_O*#BhasM zq+Ip;_i+h8jKc+D#7^YddD7~qpG}cz`X=pK&)Grzs^6>e_>atnBw}hG9n95*%978& z8@&anHN#UUv?eYU@b7ZL++5G+_+kUy@HA{1SsOnAkKZ%-^uKdG2$l!IV^~9xzZ&oO zNqU%qgdXSf`iCEBY1ax;AyZ*>Gq7(>ka{3ZS+D;ARIUG+cEt#wT*T{aG_XH%!$3W^ zI!Cx!r&|B>d;8q>%2HQ2z(RYqs*V2VMu5~s5?YUk@MyUHy`=EFs~ZXQhEJK@)czf_ zuL5!l24}b)c5tYq*kh&Xq8aIbbzgx}AE$*WI7NJPL~SJlOrd%_|q>QEQudVM{ES z`chY4)7OaJF|V}7fQ+>b5yJd74dQga8R`<5->CMlJtm>77e(??XL?-VaH+RND64kS zo$Sk7)Da#r%}DabWOn3@p#S5jjh#x;7ZJoht&%aNfJeY`ExyfrlLC%Re02d1}15b@Yo+H2Ck zYJaPMKCdq-(NW6Re;*-nW2jl`;B|Y$T_!NW{c8u3(@m+luN*+VaT3Z`GmgBqOb47u z$K(DOh#3R#XUMaQ)Rq6mEJF~f7zha@KqiGuqz=8q7%!V>n#?MnoUwbxWTJC-`;YaY zImW1^i7!2^amF}Zl}v~-d3M4lBm?~oJ^XJ;%3uJle0aq4+0nnvXXCt{~jk+X$Ts01n6PZ zhw^7p4%g2tCG+&nHL_&_I4T+^v&{xRC63T!uH1qA zUOIKjjKB~#telS|9^I*4?H$$*x^*+pF9O^I5OuQukKsaBiCsQJzIFAq9cg&`+yjou zjJ2k)Vd)8|v;sv~L^R*^I>Z^`1hu2wLR*ZYr1TpA4Q_so$v zOr=EjUxmx!55KPQwBX5a;!Srmx|e#+^O6OV;`XTJ!q087{ZqYjup9RmREFZCH~~n# z5GZ*Pe5VBp_s~jZuxg`d6nw)ZU1DhYsMZ9T+!lb>Ea;s2E;ebG4l<$d5jfnjjTz%ser` z9(wJ=^)TKc>e|N_viVbU#pPs|LF67UF$Ti8xSH#YVD~L!?sizac+~3nL|N<)ClOL zz-sTp{qO$vRY87&&A(4CZFsKD+odP1!wdzw9CqWjSa);x9i$bLobwH--`i1-$R>Z89wF{`!e>?I2_6&F+$A zLfeF*C*hhM5N6~~*aY`Af3G_77itMmup-vqYn;M&rYOZ805MaC%~dA?1DvjoZc}9s z{eeGwcjxH78mAhT3|((4d-$j|3dRY3>wCx&*&x*O+0Q>4@@I?k_vOFtr3!51tmi+f zCZubBSjwNr4|zvmlHZpEJO{tLF+Ty?J9iY<%We7hF7-nW4baI5!F7Uh?(ZJT7Q)datcmB7iiW88diUQHGMxeFc`(czKgmVGZmt3 zA+N{rC6GAP=9;avEn$9ZZy54t+Mt1glgPGsEA|*|pD@I$5!}Kscl!O;Jd}WW&>L$a zI5RI7Lix(1No2hO$7vkrE1&I~HDEvYj<-^&g7(s2_|B(pd}V`27y;+zYVGjfV?p6B z>kl${>M$6O1y}3o29;$xXr?Azs-T|5#h61BfiSz1M1q<9IkD2ACvrUD{b_LNJq|zh zk28Loffk=aglfef)vfQ5xYQ}S)BeYrf=yJxz~Hd`%VtS3m&o^YWS;c~fz|gMsJbq5V@wJvv5khGW+JkSG zhg|(rqX2oqUtW>=G2QyLgUW#N@Y^>WaSkcWMe6Lo+^Q(X=6?Qv&0PmjQ|T5?k+zgY zBA~KDfLH-3N>M?=f&`XoSwswoil9;qbrIAg>MBT)vMgvou&gKsqzDp_qJY36D2fpl z76c;7QltrnBJW(vMR(uqyqULe<}sPfof~fMx##@lod5swedmvcUfTbo-RS;Q$hT7M zV|r#Shxe*A*i=yrGhSkhRo8FmQ~1mS*FjO}>rwDzR~fgNbvZ9qj%oU#HLs-@pV_J< zrc!<@rctPN+0?V_XPX4bGDKft)UmBLrQ$d;n`BWic@HWnFBkSfjZ$*oR_iSgF=<}|H*hkBW?KwkQ?&|;v z`Q>e#1ya3mNm>|2GSEk9dNMveVd99e``C@Q`!h$H`JRl#0gJ=W)K3fPjA!!&fAbRe z*-mPmzIRYm^SCosNmq)KKv`9J0|R(!nNVXS$1uB(k+w;a=q z?z2IXBT$t}OIF%!I=X>vRgyoYSKU@}r-ZQt6Uoml{}JtUE-?%_0rEzh#rTe2b2v@+ zTF&a|D(L0L6Hf4l1J@g8*Z*v?|6q++Pkq+N{Zsq8E{?w;(ao}$L-KPvky}?-Ds)tM8jGe=7peMTJ9K9qH}jqc*{I*eBlB3g z@sS_JBIMPwy=_*hV}7Sgka>~ibmbG}A&himZw3&qhPf982FjAo!8Se598{@@l{ensOq%WS!=&J-In7 z&L9v9pPYSE22v~c)*3x%YAh;@4mo$^jHu>^HFpof_dH7YH(xVoWk9D0Be-h~tLh@_ zUUz5ifRc*wF~86{+Xn#`kBHzm4Jy>XD!ox=kZ{5TOX~T22WQs53~?}LP_f!{vOPdI zX~n|^DpOE8kNX&5RR*Kct9QlXh>BG9LRxPJriAWwk{5j1v^-m0urf@7l=>-F zD9F236BrT=ExM4RBT_9GWj3WrLVM#yto_eGKydLDP0D-|kfLFrRuWnoZIKCIJ7A2S zCt{Im-h+G~&I#6TQ+6kW#-bHr6(}n)sCyZmsbLuSsg+r_0@|b~$ddBC?>6_}_+8`0fmDVhQpH`dg0TjeH(mUf7He0=cVCH?X=K8_sn?dCzrlf|U|v_E z&3Yb}w&eRa|2@KEEr#k!TaPmQ5jP>>^(OqIU=3f_1F`;lK$ajN+u?<6| zPkmTXJPtZ{${7WJqVRF2fcfgIq+kDV92+fI({uZmJc zbVq@gRWo?hI4e{iTTJZTVPog*>#X;KW&;E+oGyeFIHh zY64?|X$k5{U%J6H{H1LR9nnCP_rquU_tA2hMNyivq0$)9WVUPy|Sy9MZ7^ULa}06v@>#V;WD!7qI;&iL3P zD=Vwea9dwyE3kgDZLfkLYl8oC^=U#h5oa_m4dMe!NH}L8b`9*h$_XtERV8Rvglv1SAWC*LTw`Z)Bz(WbuU`(LLf1uO?4Y7hRfMfbX|8HuA|$ghclH8m1*FZ zH7Io7_jSDe19XHAkOr&(;lo~=#zR2e`PYs;%JFQ@6PKmZm~XhsS>uHSOh>UV@N4e< z`ozkvX;JkD&$gEo)|VeT{5X7>T^)iGNI;l7z2xPC-d&Ac!KPzOdTX5dR^K0EZf~EgA@PpY|qzai@CTuIFCtd{|thmV*22CS|puHGHa+VSt0q$5b zfRrjtoaj^jY!Li)x+|MZ|HSd{BVnKw0u0fJx|Qg%1Zf6dk@Gg0E}xow zszCbM&POLR91FR>mDZTjUu8IQO`W7pfiSoq4;$6WVzCsxwkk=GT1)bWLNp{F5|86I zJ4L^Eg~15CHa9WaB|FR8Ifd|ceoxWDjqyxf=+brRfRCXz`+UB_1~ZsxLhm|6na}4! z@)^{g5gBNAMHM>|-SpvLPVbT+zCUPUPTP`FA9WP<`f9KY|*r$C?1CP_qi+F z4zA?nVJdB8!34i(7en--NFWb?eR#Ows5c1tY3a(MiD#55{HsfKmSZup z)~Xvu+lpRu9QLh<>a~x|S3<@^6gljH8u1#@x9`v4?A&dMeZ8y3#}U2e2*So`m)NU% z9tpT`vhhN|<&l6_+9e)&3Lkx3C{dzjl1&|A)^~Ry-+89;q}&|U(BZ*$5;;Sybnpf2 z!Vn!vO(1DC=hW*6e&DwU84llo+RBsK3iKM11yKnw41jlW3Esa&s>*=*@(z=X(XeWu z{*aVb*ATwz=4RIt)M8SUI1YYanhMFo<4aT0!wOI#?E{n=Q2UEyCrAT;lsp} za2zCx7gQ(EY@+Hb=JDZ?`*DxD0N<#dUk^s!9?x;g=glNJ;k zC*O$iSG?fxwivp0#|9KPNo4A;9$>Y-Gqxg3D=QJ7rvBO;O}@YA-s7DD0{Me!cN*F@ zgofgXv3^au=>6_p&)mzR7eLY-if zi2J05iB6x$0dWiobc{AVYj-bVyB*jKyA3n7B09~F$W?fY1_`ED@#=^lh4RlDIEK>vSc zn-6d!6UTI3i+z65jOY#zl6~$n9_@cKw)I0p;cRbZ?{0ELp5=o_uvLjShgi}XGMMp%*-ZHYX9mhOKNoEuZha!$Gn`0c2QT8}C zCuN;;tnBT39q#+{>Ha((zu!OKzrOwPew^Op8n5|$jmzstYB2f}tS2ZaDCqAiDLkg2 zIEtm9proOp26xhR^?p-Oa8uk@xUK17JUdG3qlp{c|AR-}r@Tz%^h7<%U)w%6{#eQ<~5!%B07=PRekzDKS0d(J`$P!yzh`m*^s^MK9=%P@R#d`0El$r_1Tc)pqyq zd*Bs$8mtc$4Yxm7_WxXxSh#n*YC>(e|GGzhIv(fvf4;6=rhH-2fe@ot`0oSmohADJ z8SZdk4`csD(xymy!2iy3@au(1&0niLSab*78KexpLE_ARANVh}K>o8%8t$K-N9yvY zE8kP|{P)2b(z&|73sw_|o%k1F! z#!efQZwhr|R=je8JScY_kj2wS{}GR9Iw3=dQeD7Hp4dD>+mfaJrSlh5DB8sZ8!nQi z!i@n)QGS8)CVfqp&N=_hlLtI=5tQF(%N0%IJrJNrJCxyU@vhf@4Woi640pKb zgvopz0q?*a@sF+_E>is57ud5vbjW)GZ5`=^Sf7trpW)3?Kb4Ub$*3obDdY8T~Zi>4vhO`?%-QmXX z*GmmtYS=Yo1r`=2Umgfi5;M?8jJFLtnJoSbRM30gT=$pHr>vTNXF`1~Du7o6Ycke4 zRa4cc4p3xMELEKalv(@&M6({H(sQ5(KKyTT!!w1ljlbnE@?s-+%O5M;n=Xh~(@VcT!VNpn$Z~uu4IF(zeyGXKy8ep^Vi%7ca`KUB zfMH~v{?v(^Pd}=`=e^)mrlTBQrVdmOLc`c}V-gCl9Ee}7BUl=C^~Rhcd3%eowRLc& zv!{r8treK5ALUC|XzBc>dX#Au+^B9qj(8Z}^wasS)$v#aEb!;`BYRvS9ni$71KZ;9 z;O8KHPlImRbcU7+-}yXMuZc(I*?E$El1+nHXvD1{=-Mgolz`qIvt*__|2A~g-Da!bkcgpr=uuWLm?;XY}9SD56TQ(e$gMs={r9(k+0cNtTTFmj# zo^c~6Gr3%gH5Igj#e~m((GHG+GGsbwejT{d4D>`%$Y?rYR$uh1Q%rH3X0U>7Lt%24 z-#vcs&ONxhxBItmst45g4h+Ee@bZ7ub^V0Uz$4Mvv?Ee`mJb4TwL=vs1--&PiVWxq z#_G+KI~&zGW;^dBDs}vhhPKn>F_~X&C`=c)an&X>Ob~JQi$=zYvIB-}XaRrHpM)Mg zn4>||^i_ZJTy;b(b$#GDPOS-_mD2jFyNiO|!z+`G+A`=HT{Fu(V%kTgWm)#8mFa*; z1>6DhM>l%3itE6R1ZW;h+AMxd$?BCRMM#ZJ6m5FfL2yo9F7ku~H~VZSn|i2Qz3KbO z5v&$lGD?9`=gVGy0Am@qzx>x@VPev{v8$e6 z1@9cg&;XajeJIG6`2!m1<3e?>Yh<|WbY>pARrv&SK3n$dyWjL?tq-oeZhdgWg*{iH zX~ia2bBP5Tr*l93$$QL@XwMZ*=4G!(7rKSCltHJ%wyUhfgb~31s{8pA``e0`9hN`~gKFs?ZTpdQy7d1jaErg9# zIvKsJCM|Cq37y^Vl@UUB&tanaHv(!dXkFY%UvhR5rOZ3Sy@N?%!)QNWB-N>XQa)fX zFyl@&vJi%mwb58M11<&zBkycGk9;QyO!g;9_TDRHTO-^IdZIkS!}m<5*E}+*XA1&X zlOk01Wgfd!oWE}LE$5B%(d^Hu4@PIMzP0nt==l7O$0K&pfC{C+#4vLe>};InHrO8e z5#OP%VW^rS-ei2bK5ADTCdefu6Dg%H8Y`(mIfuB!PEf^MjIoI_wRrZ6Bh5ha8fnUK z7~y&<2zKAwR5>3eanmj{>Ef-cbLzHM3r-D2FHCgYj>gDyGaadOysGbsiCat%ur>}n za18SLl;7L`z>Q~Yc+y3_7AOf`I(s9xX=o&ZzCfa!zv4ltO#JY!a`6YPros9+tMfC` zW3l5aR@W=jHHEG>U@p5k7HTsu_0wYitePMvelK&b#zsc%PpNT;FB=O#I$c?Fef# z2jY30+8^* zjoBJWH&uC9x{=t%_4y1^gBY+g@?fJa^19=p z8|8)veAbB25G{-oz~m*X`d-gUx>#JG)xUeH)mHd7OYG8+$@Ofaasg$TVrWsiRK?bU z!saQgU4LFoQHQL-De2j3n_ZE}caK@dklS-hW!PQSy%n@v+KM3*!UBENn7wSWzok?0 zD@1UDfKHAzavyA98i%N(y2TL7*X8y%J0>Ijc2Y-t*GHEcM3G(2S`dek%P=nAVne^( zRq-cvR81Xx6;X=`!rz5re-q_qiU!m|?i~964XVedKN8Bibj>SgDMkmfc-yPP8P|Pu z*2RX=Int_D zC>b`>gV~Gctk0yNNda2Q#Cxt} zO=4Q(p$x8OpO~FLzq9~FZGIO>E{4J5g!Firn3&e`lRbXD7I&L@hMW#KdtQ6BNC@fHh$j(ly0jx9z>0nVTE4+#!d(ZXvh7v%Hjm-?`_2A@El$ z)NIdEWWsy9syuYuCJ;Ltf5g4lo>i*e4LTVGh*?&|(KVg8B_Sy}Xx}A8)YP>{_o>&b zuWWrijpR0O42ybFAM|~s!gX@B-z09iUHakP?t)*7K(Y^yWA$pR%v@!0v1ZMmaL48- z80VEPOjiCH9=o?HdO_BwoZWl2K-_a_LPXBm$t(@NIa|~*0p2RWXKS>zw6vt9r{7C| zm@IPi_^Ee@F;5s0kX0Z@1JM&HyVbmxBvP~St9>tYEHyQ2tNu-kNaX{w1wgj`iGn81 zB7DjEnD;Qg`}T48PHE^Ex?={BxtoD+L?Onmm~7Osu=}3tTHjwQ!A0|LE^M@P|-6T?0eo%sA#Y+ou_kYxF1nb zrmNZVb;5gpWW5cV*MiWez-lj5dEBE4l%S8WZo}U!1v1EK$w(j3j%;Ffn9ykr`RyL- zG`z{<0>qA(Q#ZWOy=eDTXMNAx(>7yzVc$n)x$pVQ{Z+=~*vn zpw(h@Onh;tFx&H$`5ara8$XYF?)+(*tUoPR9N2i|IJ+steRFAYsm&4Db1Ha$VSiWd z!ZlO>nT(%(xdwAz)=TnzRYj^-9&Z~PsYpBjQjngVN&Bi_PwL0+!83Dmid(#Xy%v}~ z`HS1k4u9*F8?EX3WqM>xKFhe)Z`9?O!u;Db;%W(VLpq!$1sEX|Vj;pl4 z-I>a{(&1UB+&B#`dL>r&)3O_;mAkBK68?7Oy-=cGj|#rBLv}ludh+h6n+onjHUfi= z*xgxoyMgXf8(;TO%F#Wx+qVd7Ay7<(B7)2 zF^a2xHYi?+uUSbG9rRrUveA&_kV`U=+uJagKFOb@fzYIn)sIUC=F(k0ta_!g(?1h` zdqtLhXe-yoVDEhG0ZH7jCq55m53A)0=9vbBR* zWsbj%NHF0TFH2v?w>bA5o1Xi?SJVcNtg(9)`u3r$9+61IgfSAEKL;u7w)k16)EYnvlNFdu2*)93pz!AgY|{P1}QByfVD6yJA01dc6H*G zwSnyJiiY%?*qE5X4&rGxH#Y;syPEZ}2-UBt3pjOq`0Hw~gtZ*_E-oL5yD6U4A+uO} zbm?vK&Nn1_Prg1ghFW$v;8ost*}aY5(%B!sYV_w3mC7SbiIZ+au36(cu(;LA*ZPEr zK4?fTZxd^4>Lj7j1bT;4n(nKOw4^@~kzxIv`z0y12PIZAPeGyAqz*tfy; zRhK^}9c=uhVWn%(vmbDH^Vo_z5f=vjKyFuiCDD#-lQ60>u@R`O{?(<5g#}yQ3uQnpOY?ltf^Bg0Y%fe^s(9_~b@X3vVHT>I@Au2~o%&!k z8>K|g(WQbOAX?|BL2z%*c*|`33|tFNi=ZUUkoI>v_6K;^4QG5rO69Ghr>94a>!2-3mkkS5 z?!Kzgx$8Qc7T|@;(psbWtdTtGKHN4oS5{qZw6#L$NxMal4i67c+4CZJV5~NrS#-kfoi+?vx$rZmh-GgZzt7LUY46}rdbfNG9RRUS z^Bw8y>)TxT1Mnzb_4z`;V!|xM=?D_FXh7j+{2DOm;+bbH1_|f^)n(q-%;ti4xK5nR&xG`sN<@XP1$h3HooqIvL zlrLj7Zp8QJ8QOO>{5;ZpzpeyHV*8B{Mkr359^c*Upu!8+pALMwi@x1t3`J?crsgpu z5pUZ(Y9S7$UTjX2F{>%OShL53_{HhXgf9|%P#W|rOnC7I|e7V}-SaeSxoaj0`S&Z6htKOVSkU`ddvb2%w z_;6j|$p+5b?VBF#>uUEEB9zH^`{LShrT;%HklzrFKrXonYtSZt=XSGzoV8|X5ejo9 zrJglHCytz2^w;ySs3tWc!{@*V&bvpGr<@i5$r~%GV69%mon4^gcv7Ah_TW zJ@T#{?_C?tt5O>6Q`gLmnbBe~?i#SKX8AL{Y8)~TBvf_#-`jHETyDKSN1uUth{Iub zNYf!@iK^Y7du>YEsCXKDB@Ga!HG()UTuKX{r8Dv&>2glF5doKRaT?S*Cp+*Y$+{=#HNS8cq~rimqzB46yxT2V>Sg29p}3*i0E2jTw`Hc-d8fj0QZ}R4 z>9IriP$8V&1XfGm{5-)v`j3hFgcTc(t}vtF?8$q9hR|^xNPf3`#<(7&28=&{6AI<1 z9M|F>@3)bL*Gr+8K57iW-EOTx=Zbq~33IRO^7s7ZNu1J>hG=OM#3+0%Vr(mNZ!DMv z2^{U#cEBQO1{*tIhcYKcEOYv6G)A;*C!~A+Z@$<^#1yy+4u*`>yNXd7$Gq^7747F_6i7_uy z?pnkTjPYaGwN=qw%=dQ@v4m6QUN-W5t97j0ZdBr9&G~9*93ch2)mJv_XC{iO$%3uT zyfdm^K|$-%pYVBs7#M-~MNFrwb?xV|$)lVbFRX2^`n`RLhm-mS?d((I-bR_AWij3* zc~9nQuEbIE8eM1Qkm*GT&`7(Nq>#|?e#=oU>C(KRv3U&)yvZ7MmEAXALvZ&=;QUIC zFPk@^Q4dN4QhW|~KewcGBD85)R%9Xs$j>l5GY` z{;i_fkjv`r7jwA#IxreV1% zy5{vPk`w;<>pjTj?l&J(yy zJn3V&!I9Qen|s6%BGTQ7w%R0O^heY5VVz!dSXS2jimCYa@J}fhHHSZ0l{6X`^dzCS zti9cgvhsFuQ4ft=b9ykV?>Tml1aKx#SWM{jpCp~;?Nxv*br(6pm0jIjMd-ij*EoDh zvzj0VSI&3l?rmY!a*G`$s|foRKi;VJI2;`!*t_PX&fqHNb6`I2P}t_G)-`m^-*~Uf_Qb1Z_je37?;^fQYW{ z*1m>&=vz(8qygM!KTmhXlit$dDV1wJ$jGi?1>ZAlNtI(oN<0CAXVt=yrSOpRUF&GX zP1-d=%xo4q`lShKDDx`}9efY%MPz_MqrJZ#V{yC5d_ORsb2o)_8IHCKltYm({jz&jBXGbPo$?oaIJ%T*xUc6BGHSU}sN+hp?pj2aQn+0RDF`1di zV?6aFcKEa2QvU$CmVP65ihe})GMi)7lep}j=aM-vKlv!Yg_VThy?ed>*>as-ZB1^r zm_7g7SjF5(hxqil1!Q}^Z1yw-NofOw+})d_!2XS162^T0FoyQczi5Dn?1MKB=>Q$6 z%g^2`pDhvpKg>`?yLmY`c@6gF&uJu8$_)=>r52Y|GgcT2*`-qr!A~rQl&?#csxdR5 z8b=Indg#GjzS!(LH*N@z&9vzLQHsH9g;?C^2?&9`B3pToG(N-CVE z;;fcfv1#t*`fTk~mNRlMXly9+qRBAYO0J3XZ5kYxIY2z`DD3%c8$MyYt%)xJX^NIF zPwFv=uTZT&2#B6scBv|5Y6E|hj=4BPf9gNVho=3Oz#HO+$^wdNd+L~OhwgO6M*1A0 z5Y*FYeu%yrms+4z?@NSnT7Ky(8>nGGk3;k--O$z?gdPTMj;>H+sH!fylgOw$N*D-_ zQ=7!8w}G_VuyOMDmj$1Ib= zMq3ge-$j4_CXn0UBs~(95J0^d=yE_6Rw;ce9;npzzYSMl59c~;I?G&A^pVkMhxV*EFvnQ$JZk|CJ^*&?>YKP0>W;c8-=`o z3xohPH_l!wvJ2x#e0<~d$oZl`OTA=iuOpC2RZxY4*c!h8K>|NOsHL3C>b~#^iSr+> zfV5@5c9YsCcTQxHhN23y%8hF><9S_!o^)yC9HR_XH!b!WMgx>>+L52MfhnW}HBmZf zz||Fz&Vr{145$&ZWYxXE!&cuv1ocHZQTqu#ko%X1fY%VRwBWK89Si;+3+hRF)M@1- zv~KJynu3j*L!t$gf!~JK{H&I9@5P2%!r477T5Ze*HPVZ`FJvn|P>9sEjWR9g8)r}% z^c74aSA}W87-O3^z=fcq|D1wS50qG+UU>H_#Dv>Dt0*$!!qvTq)MGToF@O z4dWyKC_Lq_Wm`Y+-fmY%@j*2>1C)hQIaG?yET)2Ak=1Gm%b@7dCI}G)m0kqR`#~IB z|D2s|##au>6lTJSGsvEp-#5W-QQ&R3(Vdr7fZ411k=>l&9(S!e?9`i(3FbP-C^tqN zz|<3z4zyTN>`viH&Re?fc;EFGF;DBWCw9Mch%kb545-?jrKFkA2cly)z7z9sqb*s| z@eV}*JDozkuewv034Cs!IK=}b1B&ldNniJN_+Y0?@hcTQ#ZUFmY!UF~mqL3@r} zj-?tT@5L{iF4r^t+NfX9%F82u*+DW~Qls&7d0m_8M+dTS@&md*SQ%Lr8t*sSy=@OT zaWuesqZ;JbEWbWKw$|(j)v>e74&#v4b|@dGu5*O?-}=oFU?rRTPTt~4-A^|AOfj%< zQ`;WFs#FCPP^kS4WMjeY+IYXT?|qdsi`BI_9TR(r@;t+e#~>*w5EBzq`u)BD>XJZ` zN6N0>{+y%VTl~%xWC`R9oAWB?ZSmKAx7^5?^j#8EOAm&;`{~VWNxyL++2p?$GoN@) zC-TK_7o@Kk==)XTL`v}L>gpG*l6~Fd-mr6Qa>ya8T9af9j6pj7g1AL+B4CXRF%vyB z`DLnqJ=xBgLZZ}mF&F-5aP{oT$moK=e(CZ!1F|5efV>;C7GhOj?;l0|=^fy`P~HD* zsQCUK$Q}QXUZ~==N^}mgcWJ)(su|?^u14Nk3f|dhl8e<)yQz3eZpTTwc5hPDFY0z6 z^>tk=}M5`W=lbRnSY@*-2d)G{^ z*63Av6v#9{w`A$DTO*(rbIA$?kM-HxoF>%V9sN^H2xFX zBv~@yb2Hs1;`eq11JI_+XF;JZ%I#gC?O7xTw=*5ksaNuDL(8DZVivh5yEb5sVlu%Z zt2w+PrRQ&Kf;vFwCLaD-cYk zVA1fb5=*_5am3tE$r4D+7_W^YOtx!;4N3&i3oplzgeR&1^ClpXPGEP~N!0iJtpysTOJ4UyNs);(aXE$xFFidg0a;QPHw` zM;n{WTU#@!M)TY4h#KB(?cC_i<>_d#CI!LkVeJoq_ zUT%X7_aq6ZB@U$0f{b&i1O(CoDlMXxmX^*iB%I?9sGo`S8@h%kdQN?)7PsDzS!(8; z%j_)Z@9^7m^_K7&rV;bo!)%(TIB-xFOmFdDe=_7Mei6w*HftmQrPz50NP7$`(*_9+F8(;E(E~5X_`rYB;F^~)$Vv_}&j{}jgS0{18z)oZxv@BI zWLym#aF?IkZ$Xgq!_W9tg8UQ|@hpP5&}-G!d#EVlDrvs+b^9jY&eO`KE27hs90|s` zXQBe`kHO=^1e24Ow-zbM6gxsC4zdnU{hLyO+Y2O}diQ*n9_tD%wl)i_OHg5L$R z0jla!frx8}TBd$|GR`D6D2RG{cFeLR_WRw_G8U24By|N)n}S(sz^$xDGeL>!d*QG{ z<##pdxl42`BJUP_7rfW}dTMjN>Y*QZB;M>9ngJ+(ncy9t7<0QXQ_Nd-w5pxFVuRqJGiktrO&_n z>Qqd29_EK^(B(C+EdtuIJ@MueFxWb75NnQAoC+knyXZNbwV2b6@g((}Ne{!MJU8%7 zyE-%n1$F;^Ae>_a_5Za()*GtSU44E0Epei8d%N4iB)`;8l7p^YCXmM9yyaa`bekn~ zOV54@?14!y6iM84J!l&P3nc;Xo43Hz#55sl5|LRBOv8xCPl+AOCyo~;kQGY!KRq%P zzzaqz1J}`qlo)7Q7JeFP1J_A`m^Y`=j0@ z=Cny>jM2KurS0T`8wr*Mu`#2Vr$sLBULNd+f)Yjc2tFslWra`pHbsCC-Fs*ziwg0Z zQXr1|1x{%D@j+u40Azp;!a>F^+OWF(>jLutE^`4#?mIw`xNz95;XwIx?fmxfpMAZ2 zJKR;x*i*pFA-Hj{gJu5DMM*?{L)GCM#{um4--{x+{STx$=#~5T^56EJLum){)eMNI zI2NFJ&|On2M=2>OiND@Bau(gdrfBg&Y^p|{`&xEprj1>mCa7wl4PxQWH`rw})6yo} zG{-bFG>XucdVDIeLVB@3Tt`C5n)-mTYf2DcRwgGn~z1+qBrhqR*E=-`IPAg3LLH0aM>z;0rxc zE48$=5QK~zOT9|4t?J}@eiEMR!PQAF4i-L6n*kkbjV>kdn zt!A3@#nKBaDm)3L{02B2PUm&A9#3JU*py^TAt(LII}rENU%-4i`mykc;4tPWKk&og z(piF?ULWE|ON)SzesM;1Ru=KyfL}kNx3_l|&5Mb(M45(N;Nj^AZZ`k)Xog{T71XL= ziWYBz+4*=xL!0#(^v<7n>5!3?75_x9FWBkEPEmApw3m77pIFN_NaIPSs7>%$(mPmiq2tiOQ&?1cv>I_UMaHNJ-^SfuQkhj~_2ROlTo@YT}M={OtZs23}Fo&D6l zTqM^9PP~fhFoH18uNUcJPcQ zF;Zbdp5Z1p;|br3rH;0?wjz+mo!;};F@Ot}Vk>NLa+;V7%n|zyeMyTXRLy4)iM+7{ zdK`QEiiml@`$g%;3bU%YJW;_+C#eO)#n2=<9v92YjPa>hZ6IbjVpD{9jqs+h3$AxA zo!u-FOD_dOJ8Nm-&bJiq@$vKr-TA}?6ZGo5eSGfRNovV!poV6kp>cii{B`uOb&;l) zmW;VxU+kmHZiTYR)`WO^a4M!^%#UTj0F_qWx>)Nsalb=*rspuYtQuhkUTCSY7nW$M3&J>(wfh;5 z2Y!W_)jx}l!Ux{{)X7qbt;ArqU_351c6Ov|^b1hmp~4);xVX55QtPgiHqN=H@xc0u zfX*pQ&Ry}0Q{#}Mw>UuysUx6c^(eMs05jINYP3c$GSiNMgITB}W{_sx}o`3e^~+Xn7v<@MwS) zEvzH~_$KxgKQ%RV7pyKl{i&#VYeM7uqWFXat~{Vmt}l}T|Kpg=_tmWcL{&R--8*cz zUdE0XJ#%_9r08O={{MFJGrsl@q|bMwTAKo8z8dIbeIujl+QOV_AUSU9QzAO5s^LlW zLaM5&Y{2w7o{8FLiV}Ts=Tn)PV-A=}e)pxZRMk*Hb@gb7nq!}pot@n_X!L4lippOl z^jI|m+`V`oI*u^#_fu1lEfONZ8sD?5-ukWC&LR?>mll8EGCTp^nL6@8=dioz4Sj$G zD5IxOJuq(#Y6K-ON{C#Wb%ZqqX}){CW1 z-hQB9XpcpfIt20Yc;$21Re=Cvspyit}Q@(J~Kuar)O{3(z zd3&!--EmHjpAmd~d{CEdwHxd;rlh`H$2C%ae&6}!qYM}Hjg9v#Wh!-Uf(7P@HO{DY zJT!=1eJ*wn@otY;+UW@wWi!SFH-|R9_vVdiZUyZa&nEqk9L*AL*{TSh9UU91*;Wy) zUKuP!2wiWK0H40iH7FDDBc#R2c8(@_(_x42Md9)8n%yga7}6od+Zj^iCSv&jU~rGk zQy51cf*cJ%PlQ3OPt*D3g-4e^H*tOkeNQ*CK7Uq#sYQ0bjVeWGS3eB|>)Atc~Wn4?l>l|Rk^-6?kta1#DjCQLm^|HYp+FQ%7ogl-l$BfsCvPrW)B_w;_{7M~}7YDp- zfxaLDm*h0OE|{xXJ2*rjEHo}=HAn+51_Qo-0@cpHDCswBC=H?^;JG(1iTFV1VlrP-E+TYvz+3pQ|NQ&IT{YD4)4C4yd zE%7=>HP0*TN2o%;hz70Iu+g3~G{DZIm}sbKo`wzHRgh(lO7q=XsZfo)s+?N&?3Ni2 z@LgTVpA#?doVG}n|8cN=Chnc|t5alTGC#*=8w3&^WH(iQ)I)|WCBS5nduKnME7Uv& zTov~f>LXND0stHvCwKE4BD2T;??$N2rd%JhJ4N@(lFQtpSZ7!_!(EjQWUZj_OnP$E?v%{ygO5OKOlevs{=59bZnuzVIa9Kmz~x} z(`C=R!4Peu#LQhbctY-RH&Lp@2EVwoHse^|z+$jk;l(iy(J6dKhP#J`(_jA7u@qoA z?}?{n3heaEZkuw>z)U|nIyves@88BYz@(Y6%67) zPQDfBWSk=pCr{SWvY(&{IbX*s+8x~JB6FmalyQU15jt>R6f?*YerabbCBfzrIkpD_ zPK|vc=ea1z8OtO2Afs5_{k9mi@`q>xF(!9~lc{O~?)!GN)mUE|?`Ii(zzYIA1#s%DRuGJqzjA5rFycChRJg&320Z)6#}>B%+Bx=QI_+PIfiW3h0U&W>>$N^V zILXEj`E}|qKKOtx_Er0S@4Rtvat(fk{;(tWa7b@3{tbxjZ^7dcn1!r}@KsEbR6y$Xq z3WF31eEm@cBRP9w>MRI$_XbeiQAG2~xq}?80hs>T{l{vb$kWds83VSy25ew!?;Hhr zeNH7H3c-!uoqP$+WmAg-WYj^Nj#0S{tQsZr!9j`&vZKBeBYvPAg?u0<9D8Z|=fj7DWNMUH`WpU@pSC~5v<`0-#RNRsnHY1|@dv?k5+FXCAUfnndjp)}+H zB)AWIME@5*MlOSU=J}7%Zs2=D#-Ec1Oh3H*bB@Nh^FdwyY3K+3zfSqR0Y|_fMmLjO z697@{W$yTb?I8d=W-CR|U&(|~2ehE;H%j2;5oW7jT4|c=Ub6YNXVs7%Z1m|iU##W| zosy!7%GK@T6XhtC&o1(hwy00&n3Q2ZERxnZQ;=Zef1fQ>1k7vmThAR}kJ{uaZW)oB zbKih_*=(RN2AL1oAM@1z5JE?8PRZ8gJ7VI4c>Mhh01qAJE)Wlb_>X|GJHE$B!{Mz4 zm0I&2R@qg1dQCKr(6|U16WJ8a^phYn7+e7b6!4)XFaAH?zLT8jm*Z+CCBr7BnC!(J z?JJ)}ybm)Of|!2){E1IIHRZwDa6m=p3w)T|l>;v+4y5L(gA#ct3d#zAVyD`r^b7MQ z?R85Pr~C$zR^wC$ZeE6`ZZ|)f{F)PI^z4}UlEE{Xd%i$%U4e}Js~5M(;$V-c8DK39 zT+rZ>HW^N^4d0v%p$YVu{?RYV2iA2rMqQSy2MWM834l5bAp27wS{-9uom;i> zx#A0fYvpVjb7ki8{PT}_(DU&d8y81Ml>0Z@eXQ)X`!@KugWTvBC3#gW?1_mGl!Cj$e4wh{?{K$ zQmYmRDQb1*(rA@(a+lTW2aDI>0bGIm%UF!1XnB71lck4b>M)H*^c`VQ(qAX3Q2AP7Hn`*tRq5r0XbO7|YkTl?OIVyko+ z^se(CZZfG4%Z^D0rxu%m-G^Yubt3Ozo?2wKW+?5mj|~ty|J0nW6CH>2`#C%!tI!!8 zphB+>Bb=v4ut6rM$2n}uZTcuY=+3>vpNdtJs{8TT2jZ9go!D4BZE=oJjwo0ru8@rA$-acKGg!#2Zn4mRN{vWOH-PkxUNuHz$m0*<5eZV&4YE4v<3N zu0nF)Y?Iuol>Nav50qaXWIMs+qt9&nh*BV%l8`fK_E@uJcFkj46H?PXie||@jbN62 zVr9fN0y`ym+THV$uk4>f;X*Ul9WRpCuM4~?bMS`ILf5BEh|QiCCUJ-}xWCSJWge?^yTq~8=n<|Vm$ZV^y?fi?q3=o{a;$plpEHHg2n-_UGpTbvSQ%M$FmDTrge@rHBZM54|S34 zn7=&3iH(ap#Aaff;LvPa?viBp@UF&X3x(k!nSXl$HgK33r7vn_N$ToTgC(^u@H{(5 zgRcVIP)3er40i9^ktHUd){HU-sE_v(B*O zK6GqbDjtP%ICFL69_8O*p5wZ!2_l>-;N@49A9j;bS8W2NF+CR3h?vTX7)|^g{w;kd z0b1zY>F=L2YKEcewYwKPcv~D3fXhJ)e}3YbV11@frGH?)(p+BZnPf_8rxzbIM9I&$ zOJHuTXsc!jrR?=Uy|2_-DQQz}Yx*3CaRvW*H} zdx~d~E=-uA;T2eQDf}Aq)@5bm(x{>rP;)g0(GYKt+U`=-1cmh~fNWM>7P_UtUO#Re zt2&Q_f1k@0l)h(LRPa?xs_*+f*fV&KFnxEw#WiC5Y@!L;BrQVU1gpdK=LdBsXsD9u z@Ff#I0=WL0&(nah05C3x#zSmJ#D>0w9!O4C-!nsSv=X$$Tz0^K^GW?8c5a~7LokNQ z=%Zyx{Kg*)p_IP6GqU38x8C0u%ku=q&G@{JJiwEJ*fZb6JIS4#=xDh3vte<2@%Wre z{Zd{6%yNkBL)ad1>vw|Av#11ZhnQXW*?~pnmL3(fSpI;;=agie<(6A<4Ky5MX|C&5 zHuGbTCuuQ3RrLoMM|YEfX+R_Ifi8KTTQu9) zZK$+gYhH*KmWgCnW|8V@Z|S0_ba@-~$uf4vp}ngu-|T2kkQQnwM`zOi;{#4@9=4(I zR=pk(K`F)AY0Ls;E^p;lV#EqDxFD}1m;KC_el}A4)B{oB<*n);6NNI}TwU$Or~Y2T zKR&nCoYMFtmi0U-uFSFoogO)JgH!3K`Lm2_bFBmp+f->~fuYtP-=U)eyuoh8y2H*r zKW0n8-QA3c(X47G24r<-Xz}4+J2>$E0qnr>pR2d+lyNhC#7}=EhPINbGBI>`SY6pG zC_j&s8+?JXZ`(kYzGdh1&}7%?Vd+Sj5MS@vQ>}yXLy5CR7r_Zk;wEX>ZzpQ2=+=Re zK19tRfCqJR{-6cn^K0%CZ}QS`U79i-kg*tR3;hl}t_15<+`Z*qfWB+>JM7n(tZ>$!jG{4QsZozF<*N_+CJoNszP?OS8yDt?cfLs^jYNcuGmcTTDbQ*1Il6U zWvESu@r>fozw;kT9}wK4l3~|b){*%g44vyNzjgtZQ`)y;+ZEW4f)1{vvQqQq>^sH) zDkRDBVhI(0fRo&i_a9C2?fforP&79?A{vB$mKTTXQkQwVz9gfP=KiRE*(ud(ow%J6 zC$fwZD}0cbIn!g=KdnfrcWKJXT@z`mNcu6m;@Uc~!H-^Op7ssfnbJr=kn3;GWGu{l zAV?0(V0ZQqp0d1WZ-XWcz;VVOjWL%m15_IOA-nWPC|li{*QiY;B5|C}dn78zh=UJU zhjEy9<*OAt*lN^!`kbQMT3^ILl$bi*K;ABh4&y`*xC_EmAST3I-W>XtAqALWku%@$ zx2!URh3h3Kn|+tK8>0c@bDz3>zTv;|XFv)_pfKC_tApyQd@T#vx>a*1zEf*zl&-lP z(2QPN{wMhW%Z3?b4|l-l#HpIzhlG?jh<@=T_iOar>TNi zUlYKc6r#vga!zAIt@iY|jhdR21~ z*M?ciNWXtqg%5fbWm7r2aqBMtb*SP_ul+%B|D6FWVA`)!WLefaE{(0;CXx!)l0D1y z2Giv`3ktj(HlKN`kJHoq_UlkQfjT9|Fq*F(yl12qp3qwpzV{V4dQzy7KF0^%W#W z#zA1`>DA`te_sN0@&GXl8`c$WHMKQqpEu_T0-`+Nu-9DE%>H_d5rp<^*wa&0SS<+( zlAATen2gKp!gr-gD#~gAl>MWUrUu-A;1PH4wL>IIc7`hP~k;=Van^&@ytX&XproDXPZLRBtutA6=gGj(shgor*P-0o(RrBD3s2p*RSK zf3kJ{%s!$U=p-dFimEX0E&HtEEGPxD*gHN4qE&Z2jM%eRW*mf3MAOFy16MA;4T@2= z+?SWi`Z)+JP|}<}D@fWl0EF~UuYkY5+_CeUbJcjs7wO`X6=mISS%rE1sM6ykxa*(F z@Wq6G(o28kd?+YA$!RTte)>!aiVovyT-VTu2j5wrx6)Q#$HyTWx0C)V=-1YR(A)}@ z&0D+N=TOo=l@5Y$G_)h*auK9FgwuIqHg_Z@1jH9i!t;ND_*yGKw_d1WVE#O1E{rkP zabY)@hhuJctMjaPd=a&2-Uvt?x{_1~e~TkIOsSsl$?SaS%NUE6wTX*;SYPO(p|C|Q zbYW1`)bWAj6ZF~4(JReS3WPuDtBm6iVJXhP(r>j~V5xp9MO^y#H&*Y8_S_?bp?`w! zZV;NK(>9sskxO!UDj8>hF;NBHXSeTnF$;L-vIr0x=T(*xRRG8)N#yTNfM3E+#}~a0 zFqJWxq1?tmD!tMKY>opfnhSD-)|C+<{||X@{TJodwhs>o(jW@bpoG#$OXEfX2`TB6 zhM}Z$7*s^1l~6haq`PAfq@`i#lI|Qj-Zi-I=eghS`~45zU-oAM&Ro}8>s)6Z=W(LF zqXyu(fUKuqzdSk#`b`!jaN^MkoGrRFa9p?`p|MD_1GZ^|L*ls@@bs*~AD>OQp}pN( zJAvT$6jK|)vbWJmPyyf-PJ&0fxooQnU#|c#Ou@CmoibW|J`PO(GmwDf8ZSuy1NIKi zgVyUSmc{~~(MeFW6OPV*6vq1m)m)=cjwQ}vX!IKBeO2`FsU>8PGypaK6V^{4nXCVu zPOkhqZTEMd+JoT6&D%MexeHcOXWuxD>U0<*10K&S%R1>Y~JT zRlRyKM*nG7van+kUDey4Cd>9{$Sc@E33opM%Jm;RL)jXOUB;Kr%M#Ra<$2fyciTIo zIV^^LsHyAgb1WzOHxxDr%n5h-KUV!0v2%TWjBcYh8lbxt0Td}F(S7_my3es=E{K6U zK>FURN=X2g+nZ;&(s?1WNOopKl;?laWo+J;^28YcZ95tRZdjn!h7SuF0AOqHe80DA zwAgGjd+3y&C>QjlC-`2S&20MyU5*1x>q4IlN%VRl!ie5`K5b?JEmu#%fL=-%-Pz{DYUjZl;%ngWa*2}#MvIXDe`W#3=(FrIb zScGSMOJgNRj3)j$Mk#9#s)B?^E~HkXw%qE+HH#4(|CsmOw$|7Wr770e0APB2o;xOD zdA8ESp#`RIcL0E3Q#BWH_?F>3Wk21<-oE@QKCEC3_qD(|D7&h->Y3r{+|rOQl@y=gU7r6?B)wYBx#Exz-AzqE+=GuFKb6jI-v)$f{KqFI#a6i`NF zCZK!6xJ1cyvsl*4{#+c*Ai8k)0npM%bnlLecs~`aS7ezMO&U@&Nr4}@pg(gOLuX1N zvT*Bc#G!6i*5{p;T!i4LJHyGv5#ovqG(LU-U^j&a%5g&(;(iV-pU4m83omONhBE9w z7$Rutbdiy30Gwy+yYkN1*p)vNlp2IV5`Jn@Y={W08ymOhgbxWk0RnR~;%woIN+&jj zfl1-uuuZe*rq`ceA0;I3Cc;21*G|O+$<`tIPhP54mSmez&4VNGk1OOn3+oT{d_>E_ zsFR(V@DiU?`y5{kCSRI|FRl4ANO-$8k)Qwp!RPLH;V$ily=eNQl^;bfHZMU}`C>2$ zz_a~dbrv}7Dmp-K0m_>#7ZBI)M?Y~G%0{};5R-w?QC5IlHf;)jCbO5746_X~mJmDs zz!bLfx)5Luq;sL}Zk_u;DmejM!gb2wXy4!~J+VV?DAQ z2CD)d){4bA;OQ$smyBwBexUCas8~q7pK8D2y=+VX1b^*C z2lYR0qE1KiK?i0Z!fMv~p8#BKNtX1wsF7hWO}*<{$@^YXCfU(ifrkW$(}b<_I>6k~ z1ptp8BHMNQXyuF7yp6-)dk;W$b1t?3`l4uGGVz}aG&zO)guU>Y&UfR>z1TxN)BIBU zw`BFm0z+ufW)}~l&gG(HM9Q_PaKz{9A&4RVg)_3FX$_C{8pG#2x?;H8cg_LCbdxUD zO?UxN7jyz}g1O3b*g?PCCaMaBLLFAV1_V@9G0KpL^O z*9{uQPw5k#^V4fU(LOD`L9|6r&c)5|^}&D#R2A3-w`FU;Er2g8lPL`oI9p^qKh4Op z`41Bz+92BC9t)n!X1kJkcE<^pyq=duo0Cm{)83O%7JDf4j$v&s)Y|RBG3{(%<-HL@ z|7`B|@S_4W+O+OW#`|yw0N~9=ls&u-C!QUn^uq^@{>#5nzXekE$^oDB4FSs1%?n3O z;=lfg&jvh(?~>a+nZUz}kNY2BDB6MexA}-cIA~{mz9;Ly9WrL%D?PaLXCxR@UiCR8 zo=Jd0O)0uWHdc`F3jNuK!1+j8k)^)R2qQ z-`mDqvZONUjtKSg=jFLB@k*zFYGbTQ)Bl#E1JZ6ia&r#VaZXR~q^=&aji{xa>H=Xe z+Rs^#2US)kolo7h;Mleo>Ht~dIj70mcO}lTKkX*L8>UmN3}Q90@&9^npsz?+u81t& z19-C29bWgrB{ggu>S#9Y81Z&{w3j-3Pv+d=+1a(jhY#TR=oaj^8zAN?otI}rAEz0{ zzQ1$T2ip6j)furtTP16Y>TQ9}Oh6-ow-EtprX}1M(|sUc-C`ow>k-9Ls^`2DsrFi; zX^(u}+Y5u^uh8LxVkeg?$dD|6KAbtmiGb-< zsj0@Vg1(g7itMM@-_r_NqAzYZPxi2=i`--NyAhaMI5DGi?B+wFCIvk0GI;ivt4}P( zA8Z!%NUO(lV$UR|oT!7)U#}_vMEBfd_)|A2I^F-2s zpPIr&yg)E-p$iHnoF>!@`lbs>4lTsxYm09=5ug72JqdYzaBf0|og@X0!hDXKTGjK3 z`Fp2UbWC-t2BM6a75c?|DbeYZcx%?z9c#Ix-opZLZcahCqM1LME^&WetA+LaoI zx}=^iaJaL{Qs>>w?#+9eBzqkQ{oCc$%Aq{6C&W3yxGyz%$-iq?@7B}7qM*&s?Nb* z1o4g!wo-kYEE3NH96SS$afKvBkLQ9EW9|Mk(_1b-%16S(iBTgT06lhPw7$mq}o9p7EH#*e||o zO3ol7a=*WXnO#V`4svk+l{f>?OSf51_sGe=%f5I*=KrtRbOW%_#E0E^05a6fi^E|Ak*SZjPuVH*m8}+ zc;Y^3s9iq-4N>uNFMW^1LE52fA#GD%Z4q=g_+H1}7I7Q-)kdv4 z{eZ$jk(HgF{q*?oF>{k+N#U=KLg9)_y{DOvs|5pnE?F}#FsTrO@5z$p02YMx9}JC$ z6rWg*KCz7Gx;gui3I%{V4iHRqDyO#I<^NrNUI+O~T{#1unbPGUpF==#b9#M>Y}l)+7BG8$mC6G$pOc+QNfk^Y@h1 zgSHV}llmHHFc|QCW50br<%#;Cq|1#q7dReb z6=qK$NyVzwaq7yTvRYl_2B#ICU5rYavjnRl4nX)nmKH*ZtmL!c^i28uRtz=maN@NT zF2-zb;k)rmC;4N$9&Zit=!)KKIb)>1B6F2|7)_&BV@rS65W3%x)fT)5y54>Af7ZKE zZQo26@epip#wvM^4F$W*v;vcD(Rf9cn2Qlez=bxX??Q@~oxgml$p-A#c;NOx8uDMKO@0{=#w}!EzUQH_4)bXdC z_)d!9*vZ(T1e(=-0(r3RN@Ql*-e@v4_ zvM{Elq6G2Qu84J*GLpCN#annp?rbq4w@iOOG40@G!!JMjuf5)-FiDMdu0<(!?i{h1%n-lBrq_dFRR18}b~GV965TEB*Z+tnmKmFEdE zE*YEtc40&sgM;v=L!53~!tE|yL%z1Nnd(0L)K1|o4*f00s8t`ra}_=BeBH4JvX753 zVMK^{CeuPxy^TdYv>|vjF;4Kn_F^gDUZooL&e*2v*i`W&P)YU{|5 zO8auqbm{vRuBQ=b@*HgWEJ`})XTL35yrA~+oj?0Lj)?mwNX~z zl{vFxUoQ$R@G$+yP%M;Xn%PV(-H>PR6fzm4l_{M5Ggrb(&o z1ny2@>7gY4bz*HN8aNdII*=tK7tT1)S8Hup3y?=oiD}59Ixl~6iwUg17*g^3{zRCw z{Ow!5SIf80M!wKxd_NirU1J(~8FjLz|KMD7b*m*gJR%>^%Kj#P;n3SFu_Q_*ymNY9 z7Yt}_;bwpws)J4=G5?dp{R66EPP#z9pRaYZr;iWb%dl7ve{A2KqW3dmR^^#L<&iI! z-};-I1QvE?M_-H;fRMVryE~npnLU{J0V-2UJ}=H6PL$Gc-!Z$GwD3Que=y&PSSS%y zqr*Dq>Z{r%^vNmZHQu_(D_8NJX5siJhcofPK^z@R)!Uo1xit-4-g<9-dQ;Ul2a6Qm z;JMBo?nM3Fg8vgeAt{SSPwX%F?;VCmTjTv{2)%b|34UwaCOUU*`!? zqG1-D+=8sGREkkg$zG*?>zD0qb_;5FzM@%;X)dKpa#YmxJu?r_k#NJO@z>7Tz#TM} zf~}<{btrH61aR~yf>NvK7%s<`y}`3jle=Vq)a0P~4U)w)Wx(q4KUje0pBELL!ZL^^&ttUqMe$*jyw!4aXGaO9u7hNBXz8Vfff>5{k z$+{9{q+N$2?FWh%Zu1;de%}43PRmF9{|f~<$=ulg7;7I%9zQ>#KXRv+QrEVSV=E>x zcx^(dyyTtnLsJJLgx=AU8}3oO$mJJtKP5oD;6{Lzl+;tD+OVQlJ3fngc3Eokb2yI6 zj_mR?NypO;tNg)VB?WgQU(u1oMIW~616JqPMz=h!k%Y&(jgA0TLo_h;*{X1wor{L4 zMC5bwER95t_34MO?gCR88%K>IpvKCD+t(y9^EN$;1v&SntYfpJ9JWc{x!J#7gu_A6 zn*B~tRC`g$AE`v4v2BeeN51112p$hW^r z4p!1+d^Q#)GjyQkA0}Co4-mqI>%MmcH&;=Dw+UBPwmT9lDfd(A&j3+!VaENYzxrSD z&WnK8|m;_U5<&`vz=W}%>LcAH;qk1K8m#>GR#gDIs<-3OTVzGTo8V(+ppic`sIriVCPeO z%or@`c9>v4FfPVKIV)XBRi(cf!o1Eobz{PC5uzpD`=5k-TylLw58Su+|9Nkm9~_3Y z?z&DzZjoe20KE3ShstK_dZbi;7LaIR8Uw<#y?;49N8rcHqP=1jf(Wo}ilR*N3jsNVBWT54w>^@E{?`nL?$n{G2BiK3O9Wb*Mb zo?<*JDSBsa*>iO6$oHzG*V$^Rr+(WnNz%TfemQAhjAD1u&i6j{278gyx|8SRGUj8V z#v<1E6XG{NZ_~zCKJHw;?c+1iKV#UpW@)$S#nGeQah1FIt0E>t1CB|S0`I_dCqa}v ziNczxjz7o4YvA+qlJ|(^&9CYt$(y2jr}W&x57n#Qy0RV>@XcPro#)>yr_!C+T9?GlwO(@u zVTO_GRAka%`dr?o9!zyI2_g0m6sx5)8>*m8R+%)*5FEj*p;R4H=6OCn*8CAlu9ykI zW|aEaHAG;#-}Zz-=?|R@31Z{$ z?`0)sYGV9=H<_|tkYfHk6#llKe!C5oQ^u@pgJL#YD<#JEVYxEk_<5XA$*F6s^$Bbr z1e=q|WMqc}>T6X9o$Rizj~ulYla_T4vZ^hziFF`V%_8X#cw=sTBUfZ*DBWCHf*H4q z1!_k!+8nrclZYxXCO19(!@{zK)M=>IqF=g?&$yCWOohCBQoZEi{znV^gM<52UtWvRD6+H;;#`919RB#RCrrw9H zEx&?>_1>n@Y3XeEu_RwLM9AuAr$K5A$)TJtS#H&1PEJSfEru2DsNlJK#mARr5*$xl z$0L-K#vTrS73E4VBdEj*$!`C0>Z7;ui}R=3R%>f^yK~Q$;9LICvnDxrG0`U0&)&~U zerhr=w(mYK2|oBGArU#5boc1dx$J;)MtLa)7t=p?>xRBj#@08!AvcR=HSr6u5G4t) zZ?T8@bD-|u@+HKT3@@%n>LKov4mov%zfBb{S>F#-_Hcy1q4hd&!cy74i?0gg)Tszg z*IdY1UGHK)kDEtDWALr`g^++LN4&%Hh$MOt$7nB~%btpK{XqTpD>aEFN}&QWc#=`B zk%F3Gsuo;5`VrzAvgr`+FQOt!Z@gk1KrVViQ!w_%8VTeyP&eucj>4k`?Qi+McZUxH zIdlj!xE*arNR*inM-w@Tc7*6{!vD%`(za8Z_5iNWz8>1I#n1h%hI8H3f=n36A+QIH z63pApo6+I zN0m-Ly$gc*(%u)Hwa2&dN1vOFA;qyKg&_bg)?;fso~7JI*0Jq&W>~n!X+CsU=9Ra` zygSCv+aX=G!>~|`VD!eRHY#C=y`MR2$QG7`32)i@EU4zW({0w#;uk?ZY!A9#MocBh z#2W|V=-}n@E$SA$u@io9bd)k)xH~E<#qM!4bXjj3lZ&Z#FCpZh^Fwi7FIT%e)q1Ff zvP)fTl!(iWl0mh~2GjU1^5=ivT@puC<(aq7=dJknuSF^!t{VChVQ(-Ml^t3`_)}24 z%Auz`QMr_6K9^mRp>|m;ia8eJr6KOZMy(FL)h!hc{4{dcJN%je?686fr;!FjrLrf+ z2%)Vwy*#Gb%4fB)+L2+JRH3qTSGjoIXC*I$&v6;4xMJKVE0B}!WwLDa<5l|Qbll*+ z`lw|}TKyE{@byA3mb^cbUUiR;C&&oL%?Gg}EMVD6im@EX!aBjx)}4WzI(i^38O z4gIpkZz_EKK1Eo@y7QdchJ)|5OGWKVJ)@&GBvtz=r0poLMbeeIac5$;^8S;f9RuM9 zsP4vJ^^;sZEt?yxEF#U?NYqjg5k}VqMR?G;jB<9%^xYM!kJ%>qi1XpiSGx0EfS>rojdO)_JCYUnWYLV3nDf?hVTap9#dWz z{#}L1^v5b=J&pl@*sjMV6<{*&9M#nh4*Y@|gpnVKf4~R`M_<|$X--T+1YNG%T|zN2 zXL;m6r*%%k^2GFTe|uR1f&=QmXq~|>6|&lAnV>c~=J9if=3<*V{+;o>c%LxFci0!U z&>1t|9=d)H?Bo<_ZvunUx@m1I6Z1!K^6-SThEFwuq06U|ShH2FR&F-)TRrtNpK9{t z>8%Z*Vz=?-ZrD1q9=t(@^2(Mry-%j#pN}$Rz%}e&x_S&_ANDeHq=|-H8rba zp~|%qQhheMe*`Pq-v5|s!}%+=>X^IdCpK+69D@-SZ?ijVj*;iB)Uf^9j<6ox2+~<= zkS~#9ry6T;LvXgcLd6Uc4r%RqVvt5RS48?HE%z>rO&(rSJX}0CajxbJ!;GP*I(T+L zN%jD0lCL;-!#c08ae^c%kCC9TE9Xc?S_04HrG^>By;+{0@1~Q#jvqfO$7#;@$DXBt z5P!(CLy@}fcr{*dwjP~7F0o>)%XQV4V&z&-hz}DTi0(Uv;1*y`lJ{+qIBn3+RIn-6 zwJykB#S)Tg1y`zFpM*2kpOgK;u(^@EsifwS*@~^_y4y4jA2pAAo3nT-VOzkG&!5j# z$5RU<6c$^ilFSAx+u9v}Y-R{v-E=awBYPm8@tU-CS={!Y=bUdaZ5}#xD0+Xxl&$a>qdllJtgDthViw&}_;s_mF??sS>W>sm11^ zydk|!^WIoyCEa+7!4-sW#AJ}?Mng~h7V37g=8#v`r0y+HgWm8ohZ_vQ!h*w4#QU|s zoCPevw{;5(*OxsDiK35hr0?q`1<{DsYEM(tn19+hHO>rvloLL%&gx?eIKD3vD%wmmDEy23#F@$!pCkHEXLftoSV{W0#2r1UJL~hj5?Q-K;sJMfGqp99dW9uiR}pR`Si5JQowKE6@~MsH ztP64{m)+D6i3!^FuW@RnV#_bYA*qPC3xd6pVBUYeU1fED&QDLBs3Cy<){(Y8nGJH)kvh0i4-EV?6Pi*qL(fH&&hm*SbhY|K5_6l#6?+ zoVx_E*e)dHNBekaNTxeqlU_*;J>MVO*5Tm?T8Z_|zay>r#~Cf!St~Z=xzfkot0`gg zs~zSyO|V5QSFu96P8`KGi6wki6-66{FDzfau~5B-jY<9E?DycTH%BSAtKM0&YSN!~ z_G`>m>(pJ$L*iA#XSkk7rcwJZ{jS=EQr1`Zs$OE;ih_f-^s~yYv;+03m%ObDPb(^_ z-R=ihZWERBQ`Cyn%sKl+WRqZ(QK$w&E-9p~sXgbvQ1f7H{o!A$HS8Cgt$B=X*rNUS z%mT3tsE?nk%&wVnzRZ4{J20m9w3uvadiPm>6u(bm$kP#h)6UY32NGu14>C9IoQ`Bz z>zPjZP{HOm;}@`I?fV`R&zqgcPP>nLt_JH}1}0Eo52)RXK~%>e1}>DKc{%CL}~3RBaJblm9rgk^V)9Etj)(=+R5sa z4XilUJ&~La7gX!zKaaaVK?!%fS%jc!DQ7n;f6cu-ny`FFRVeto^f=zrGRy32O$9Sj zvL!3;M_1GHnxVU08G=$boTT6~aSlEdda)+HTa1b(;zf)%PR>H#PoRR_vlO8c3<^EV z-7z+kONLitk`NSz$cN`93Vk@?59;pL7NezJ9FtN}H_QbL+&azovBcL9Sc zvhl}ng&zVJ1G&Ix;5!?Qy{bQ zw11>^Nps#?(!$m+c7u}eI5^cQK&_yO0yl?^GI^?MpP%R2{g&59FV^*++(eJx74MRIJ^5rpq#)8_3f$&;;)m0uP{ zAun$?_NzXo)?=Xk32g`%xC%gCJ-M6ovv;pTc8Ab06+VyEbh%@cWlmupNWt*6#Jg1n9b)_&mOyG0m^xT+( z(%SmZY(I(iZEIMCpw#MD+m@XP(uv?1tMs5O+=8w3Vvcnh+CujhW=@j&3PA>kBWqTm zGdMN-e)7>ya2zrznHEqoe3w4OGdOkh%OOy8d7)mM|29?-p(iY$yq!4ub$6$}c+10} zAP-w;Td%~0GRioNT#TYmLX=A!a zJN)CJMuN_?1EHbZIT(83i*d$-?{segO&t(*ZA%B696cXCzr}sVYoZifkT=-sAH+Sz z3Ek{5iJjAtb(1@CHhWnxLAlA5yEnhT`GAglvV($!sY<4%HpFH$RT0wxCTyVurJtI( zLAC2P(6U1_J<(-L{1lRf@tDo7TYn|&>YsII>F8I!J#Sx}%8zQ{k1Cj`q2_QG@}635 zzHI#Zf|mN@1=&v%ys&P5tLmSh*Gl6tp=C64`EQ70Onj%eTz)A+4+Ua0Slw94w&;-z zDgslr<57~IkJ{sm^9ya+x8<-7cI}(0*m%tDqr-642yV<5#E3*xWOUdA+rlJw@hsu# z8Gb^<{U;*9rLWUt3wT1Es~)utk;WFxbc%s1%#USMD1qB%?*A#HT<%6h3I)tGRRlw4 znp7a{4zyNR)7;+L=WyrRChqmJijX{Ztsf?XDKc?X1lQhmZSUmcuzcQMHF$2 zbqG~anz7QO{mI2JOs-ns54nteR53DM@X7wt%hx~k?qwX`iZov9(Rlsf-ay=HUj*r5-V#lD z19nn^X^7h8hxO6Z*4SL{)Y>@0&}_KvWV|%;-i;#@C`!58h!+7Txi-hrq6Cl5D`tGO zh!G_o(X_P!5>mO%F7F3V;zP=}dWaB~*fUdm6OiA(suCv5HbY({bL4}7uoPosc*~EP zCzY6D?t22m?LF9C1&msJ&J$h=?%u_|st0yQ%SFhw;fNXIMsd6D-8s(Tlk?00>Ti6U z7;c^k=Ee}`7{|lOCFi@^$po>yX?2eKg=`ldD>b)6)+^aEkGOK!-%PMx?F~1lyxrj;dM22U#=5f8|)z1 zg!Ohh^zvj!OdgrbGrG_k7S+#IOpS(RRDb2c@VO=Ms#Zc?wbJ zm67glE*9al=POwcAg3DLhO_nQA$JeMH&Tmg$+%m9K23v#k$`|!dbI-97k~%p31}jP zcfPpa^%i%F{b#XXgWwv-El^sUQLG}@FTv=7)@9Y!m+M|jWbNvIBS~U(9DMX=S?o>g z%J!skv15I|(dsfudt=C}ZxJqD7UTO(T(I9cd2M@fVOctgCP|`?@9gD;T<+O&%;xRr z>-kBg6v+1n?O;Sf*<5Fds$4oB$qtuiw{gUuG38Epsji7z`>E2R3n#zJulFULN-=53hb>H*iSng$2doo`i41M8Xu%BC>iIjPQq_`r` zyCRr(zJ%J2afV!<_<#|7u5zC{3iMX!yeXoJ-RPNoytZzmW?*4>i^uNJY|BzgGLMKd zRY%qvBs4=m)=zyMlDdH{VQBgCXNAS%hvzZK7nlbK&Y>?BeWyOGz9gaBsRro~KP)({ z#@Y{*A!V{pKAT1HEqql-1k-1}p*i@vDl0AS)EKXvB)8u(GV z%;}pPNYT~aEnvu%#W=&`%ooXiZCmom!&S>&Kc*CB>>#VBexYxMW0}!(^?8GM!Ggl< z-S{ghrHT*N&&s<8p5?~V{{H1{IKyb)EzrGis9?UcIW96SmOu()n&A>LQh`boqI^So zCA##YP3>7tTmrrd&M`=*d_M`9yRu_|pThHw>IF8o@|D}}Pno%B3WZ;Py*g{- z4h>a92&8vv$Rw{j)E&P}$t@`+*~ZR^T=WlXN#$OFHP!|LEY^@ z)6j*jNz{G2elBZYIi%TfM0UvD&zV<W% zyHHBjgP8t-3`Fp25jnk@_j$C~8?3i_L%y```&mR)?&_uT@0fLytFDo#uF%|tEz4A! zdn{?XGn>c%y))F{&J?5GDg_!H%RmVH56l)TAjmDkw0Ol=pg>W~JN#>!K4fciDe`IY zZtFo*ee?F8O`m4E<6G1|E#J*zgA58@Kh9iMuN4T|Op(^Z<;>Y6$S4dTh`rGsoYzz0 zAbfo54XRR@!I7CH26_H_bVXsk_|;05{hHv)V(fmot<_8Shs# zPlqcV@DeY|VI7BDoUkwGJ}yrb`#W_EX+(HR0bHG9&Lh_B5B*H}k3am$=4nSJcn$v6 z?U0W8wh^N12s}KqUJVhnHe2K>hLQqV|1z?QqfvMOEMI)^{d^{z6_Co1{yyC}Ce% zx{sLk8XM+3o|h}JaLNmqoJJLDn;2}hA7t}D6)<0td*3d~bKRx&fY zEhzEOt1oQmbn?AtKr-0gEJKwkimZ

Q9}phMfn?2WlI=L%KQ?wjUH7lF9Q2uxK`? z44uH&f*|y5?-D%5%S-~d0^;nMNPm5k-ocVy^yupx4z;>kl8m&(&*Q${r0><>oZ~$1 z<<4-L^a8c(gPpQ%B~^L54<*%dTrZgpG93}j0W9SRh$}DIKQuk|I6D$#LNYQ>)-P2R z!c5nvy+U2F4RR>k7V4tD$L$MVJEqbBmKg7iVTA6aMK;IzUO(O{n{Es^@>VcC#+%<; zYB_$y0O~Mlq&gM(QkYN1iq=Z3>7j1hLe>}TWLv+gCQ1IV28CbyJrHcuyC%n>-@-`r zlo|`>Jjmh6I={#9hffGv7tj0g$zRd2n)n2;4BttKqSbJHN@$O|;fcfU$?)c93*}6$ z=zG3n-0M}UHj-gv10Sv+s@V(m{C5Yt*FVU>05ac z*AE$e(wIHxF;(MMwVdR$18BSNQ4$JyES@IQPyGiAa6gFlO>SWWwNasP_S6~ZZMj2m zm$PwWtd!StXZCx;1UFBq@v)!Zgbvo*4ENQ0E)%IEW(M5;Szm)Y2Uz>68^Lv#Igz_j z5UDE4ptmeT6|ZMwT~FO;%j!#9c}8cxxhom=QtI>Hi^gigg7FZ* zX#}&L%vb9?qTN-}DiVgpR1TBcTQFUVB|5tY!TxjC$@JI{j9(0O;z)1!_U#)Np~dO` zm{oEpz@7gALu-R4gyS&Fkg5vL_Hnm~?i3jx8ydJs8XV*JRNug$qkIeQ%Zki(H1V(W z$YUi?!jfU9Hj@B|?FnG&eSjQLNC_-OND@rPGw@!`=$1m0Q}2Ra2S88UAe}7fr>d$7 zhZa=dl<+we*g64CHal5T7kGeIK7-epGrbBB;T=zH!-6P`JTbHlUSpdpxE-T@-BFnZ zfcIZ?9+Mbs{#%pPva{~BQ{9z*dmRrwcYfl8p2|OpQJVu(B?xgCXhrQXBlT(F8*5wgFeb5m`mN)Q-!QA(|Jf#KJIoh^h#B8~ zB0yzLd$2V{1E!_Xg+2ZQNGS@4F_Qf+z0Lte`cE(k)ozj_00o%cWsHpI>Ae<67nYVx zo8J?)_J&Iw>eK9{HRQO^9{G5yYJLZ_w$Kcg0OmEQIAA;noPIY#&X`@n&+CuD_*7o= z_FGZW(XYlzEFJ^Ka9%*xKPnj_;M)lU+G{gZ)!UN#@R@T?9%>l)GLFtht(DhxkH2}i z@3rtd&4mYJpjRzK`V5Fbs&=7~tWGqXoyIT_XD%m)ooT4E_wu-H3MUsZ+EOAOr04Se zLyM1?s`Us`%AE$Yn&PEG(epFEn$`ot&ZQDCEj4s`3vmStp%%raed4KFy?a7nkf;V#C`B7W3Rxg52!v3P-&HX{Qs9 z&b1Jj8DZf+P+@h?r{29DJMY4fJCvYN{vY8>qj0i4CVK9N8rGI&HLP*X=C#ntd}8c5 z7x;KSgg->zoV`RzF~+6^ht5@%0I<+yQVm9e`OJ$;J7??0SJddHH2ult{S&7SmRQRB zhegfA{4jSw%1+Hx#`lKvX9cPq-SGiu)5x4XT`z0{b9MEi9`twNSM3rT2%@|t^>L3_|YhK6)u;(P5vN9{j~ls3`LBl)K%-}HFi8*7N@ z{w>J;d-@wJv%hvY=G+_M7_6L}c9r}V-;cgoCGjG=r@fXFS-H4cz_jSTS8a;&(-rpd zq_D+}+4L~cobGzQdR@%?ys>DuUa%IC1-qHPnknSm5f~c7C$xxfd}GoGoB3rI^($S9 z$!V7L$PCzvDoR*lUzZ)zU(Nnk2bq!q9aO)TlY0+pWl@@Q$UWAlkSQs3&?nQ{zBO}s zC~Rh1inX+(C~L4NRkEvT-R&qh=K;DsT3_1Y{p4%Wo4$`B=2{M->wst_8yFz%eB?CS zcy~M6rl&;f1T+E)zR9hzxOW6_9Z@g=4fXdlg}&fVeY?da(}+pJ`m z_Fm^o0ONqaihDT+&3S;yhmRMdG(tSU?Aey?qYkn)^zhzMFnS@>ERr5}{K|~0ct|(w z3BF;xkUd}1A?Q(zAK`g;wXU#5Lk0V?-i3))ZS>ds90>vi>YiVo+ckcj z7lB~k<^hLR3mxHR@^lz0X&HU3>n^i}%%_n&U12g)*aM2yIl0B3qu}r|xiE{qy5hn)=br_cKFd z``rMk^9&20fZ)iz+Q5HMFB~J{j#fT7ckDU|uwOd2p_;*;KHcQV5J&$+2c_~2`|G(z zD4>sEHzraIF9J~7zoX?Kt63OL2Ys!BUk_|A1UT`ocN z-akm=EWVGifdsaOciiT82=+KR5dZUPbz4a|N^e~sG`h6~NT<-iiy;r#Gg@y{4K43W zka4|w^5jWU*W&3DsGq~LXDx^{zoesUcM*b}cW-uRho&S}Z8nrfIIW`ME}#zOy}SeK zar9&u9vP8AZgo=Y>0V9r`&l04Vi|iCzI&~EMT5VXKf`220?g#}kNAzfjj~`caZaM= z@H)lt?AbGkGGy`%PvM6TmlH}#`23+sX=!N)+x#r{jGNK1vHlc9Go*5~{XQcFhWcel zD*zy3YV*04>qZ647bFO+H3B4yB*-}&pC1bVDR0FD-|0V~H#2*5c60@LZ5wO~*}$)S zZ1Q7oupXZHsswJaadL`lv#|sng!b$CM5%K`tB(L4W`E8j&w8V8M^QMl){x}(4K_%Z zujCBZ-agO<>^`7#*aPzTW}^|r7qWG9;tQ&J{&;YHXJ_XZY#bc91ob29s2qe!SQ!^bU44a}+5CLfPg@e`J6qY;O35F#!!yQqvO;N2n9L$BBrN4v_43E?a<^= zl_HxPJvuMDXV+34@yW{>KmN9OUU$8M2w3ogFDV-}LYCB!R%-a6|iH z#izN-w?;hd>@_bypQAc^XY}0@9);|gvy02~ z9a5{p5svhVSPOG=LTYi(ox?)JrQY;@FL+kA@^*yNd5OBM;v>p)Kd|X+k8fP5$!BmoFzd5f29611{?u`B$dD*HN8O z%PL^g3IR(8pLcCtTH2p?J076F{`_9$1eeBlo}CllaPqr%CBH{e(@`gKf!kWDzGecM z!E6VAiS5`2C-2CX0XsPHZLJ849NPZP-|Omsfg0f}IVz$L&Co(TiGzv&#! zgMaD|JepeboC@`|oP>mg`sNX;{oK@Rr_BnamPKo?Hix|58w2OGQ+G!5-t2L(R!E4#-6SM11BJjpa4^;#j@3ixR}6@xhK6{`25 z(aM1b>+Mera&qz@4=s|yky@(8`BXrUam`0CZ% zt&Eo$$Qr^%E4n&u*}!CLz4=;QHo^3UhRf%8)g?n|a^dt+z(LoL4fkhP48RZ{>+9>| zDZBZ2;1oP%Gq*e@d)%sn%(igkj0N5znY=BWy+P3se{B--Sip79zcjHor7$@bOni3^YEG*hG0R@-$zr?w^=P zRkmpA=!~{4I@_ZKq5q&aq^%rzQHJEhKD7jj>Px1-Y!q8Y5{6UNxpm9KNxcLAfc@Da!lW66JPCuKy1M@av zJVx6n@4`r%jsR(sWI!U}B(t*g=FOW(?pVc47Q}6Q1U5Fd7x=;5{Ia}v*++CEnIL1& z!$2V$Hn;vB7~&VhdQ$7o)$a>+ivP(p?;_jy60N=uX#h4B*4Oi8gP%?!~3BJ70Hno`u3UW!xjy%>95_NCOhO*CvMdSr6r}M>wrMO zJUx3NS{)-FMUlG0G0erzu9sh45Wy5mO-+sT1%7aRy-}f(W{hDpgG=p{KjF={e78B{ zjk^c*y2|E*|53IV{c_|3k$})Lh#s=$5#|H&oNy*d%Qx0InGvMx8v4VteY>%n@!G`R zBLelQ!JN7tIs}pNIhBAQ;Z00Dh9 z&F|UVjJ|HnB6oCzG;TU&B+PLvde%>yneVehWEOZ@A*>J;Fy6^gQ-m<1#hqodRIKqVnNhl7yg9TI$)35khZSB&1D)fHr&4>6nydzWh; z#DzKlfrR==Yt!uRxBxKpZ*q{JIF`;Bns%u4QTFmWAxVrXkPV@H-4{kD#;%>O$0GNj z#g)!`CG`yGBNzxJueK)~5r#Ax_cx`;USHH1ZHp;n6D=+-TE!j1?*6qhLf{gWKbI?^ zGCAIyWnyJzeLS$}Tu(G>4dl~OtTG$;M{auS6hN;=-}d$at<`>uozZ;iWHsjImN|JO z;J~xMmjs(t0DU-qG)5+b0M#H7`WG>W3#Q>N88)( zwS`~GT@|vEfrp472a-pKz&rh;%Zbf;i#sLGJ;fNU-sEhI{!Q8lfv29cZZLvpK2rfI zHYqjgGrzaROJ>($jH=%4BMN_TZ6;(8qhxjrHshnRLPe4M-iu$qd;`k5py;e-@_(21 zpNvApH2BWdDgV3+2jF|+BHlL>i`n&_o}RvfG#FPqFV#%p;4Xr`WyvQNwYSJWKP1Mb&J;OH}u7v`4eaR1L^t~0C{;8A$e7LjZ~FqHAc zj1~U-g9o?3FT-J`T(!W?Z;pTP`0tN47K4w5ZF)}#Cd`ev8+P9OH@dn$j7D*wv-df5 z)osDEHP(A8|8?{K{&4_&GJ8F#=3Y^W5d4|`xlT2g^?8z!_MpF~z|5Et;o1GoP^P+K13pG^ zH`SXx3=ywFZtdHWnH(?1qIc?Vz>R)?S5T3OPY9m}NFQ_|Z&DdHgzYxTv$>@Hb*T5P z&B?dNML5g<@SnF{JTHd)_XkJy!9#a1IG|pNTH8$oGiS>FW4|P(zVdPsq&rV$#wPwh z)m?c!)Lq+`s7KveP>jh^mdcDTWT6I{9zl1&9q^YX`lXn&ZifsGfE!P3X=6Tgev@|tv1zz# z?eZp1$pd5`e=|R<`avQV^CpJ{{e0}jh)$}S4wL%~*Ucd6Ie(0J(&hznbC7oQ$XWiZ zaBf4#cY3zR1XkCrhhOqVQS8pNpQE5!HKkL#b+N&MYDwm$zB?mjvR&C%Ye(v!tpZ3Z z4x+v*<5+(IrMCx2PFL5GG;TPpGGeARpM@=E$%RE2Qoo=SeYH~e2MBe>*2xLT zS7tgCMX+z$m75D5utaa|BDawVA~)GyN^nso6Q`rh+|Ig?pZqR)scY$ZuY62qU?W4H zhv~?c>GavWnc?1Md?t@y#_Clf7Am+}*#VK2Q&v=29zt2PQe=UUi*1+rm!`nl?b3ox zX|brCG=NSEvxs_s(rZvU`kc=?D0 zR=2asYPIAoA!;BIrjc_}MOB8JdAJk@hB>uvHNh}U1F#zgf~a3Tv7do>eJxd%TChjK z-JIHG(p0Kfou6JcO#poe|#NG-IV2EbpV}>P;1?JW-ix{>$@|J5fw9I%x>L1C1j%Vfgh=NWael5v=?JxwgAqncp&K5a7j>UDfv2T9mMeT&07w z*Mj`HIcnL~_KP3*_Bonk{TOO$nV>`o(2NB=luZgk+Lq)%TW@yuzuijlCm`9i^hC9uW#vH?@(cYF8h*pr(a@X;*)Yxv+y2FrL_Y#er z@2YEka#j7i4;ps1$gD=7DsP9ic(E9_XP1ZuaLcV^-+V&S+ZU7fiIpO$JDIepi<{Qd znxt1#XOe_{v_yQ`jMJ2&Oy`}p#?zM$^1{FV0(ziM( zsmm9&jqRH!|4NW$5Y^hZ-e)hA%r}E_wqBH`k?qx1c)Y2I{i}kxv@kLa;T9fl`5dbv zq1u#he;4N0L=#X;mxeZs5V2gKfmEA|w1nc?q_7@DQ*5xS2dwGw+tu>+gtIkK1FfiE z;+T-KOR#4Yo1b|(UptU1r?3_x@z!}|XQ=!iOZ3hgan!28C ztO^s0zj1L9FW*_0dmFZ-Lcskvt89Ui0oYktWF&@RmTlJV0 zgjkJj?h}{re$RIi<6UmfzNIlCu3t@6uDcpGQ8lp6e`Q6MzhmUWU_*|>Q!#u}9v z8EyfSikT|}+tI2tJKZjHAwt@AGX4=_;gRn-rEbM%OUfYOB2Ih@1hJ{Cjb)$3laOa0$wCYZ49S=?_A`93hQMt zAY1lBUM4WUXc^D6Jq_g}B{9RjK@F493xSd*LrM->qN&5SdEe&>)5UyIvJa_hr-^91b+dH9jI0QjnZ3jKm;$*&ukKw7o&lX38zRtxwn-MR* z*vJ$2==h4YW)n*twT@=LBzc3C;c!>nRvd)h|8Mdh+|c&JIGe@1Ta8&;*R@R*niUX` zP?<@K+poB{voa8-;gQsVAdub8vMa>O`#9k4cm&DiMX=|npDiJDr9>{lK*GseN08WP z?RU{<>vFrP48G}>PxhjU2t>)7Axx_4<{F=c%2_E`EACSoFTPIiJQfj3CBnIeOB7v1arD3B4&E~Dj zpB*$eNyGozV@@<_ZBM9>tjrD>3!NOSdTmx9)oyAuSUudKr)c&*5_d_{apRoL(uig0 zT*Z=~wJH}C?3C^se+8~I7fb8&8IA%F-3q2QyiRvLW#~PZ+pkb+=vU-`wOz!c!WyA> zpYkeT=TCUN`|;TfC@!K(Be>1j^Y}@u6cTSRY>HCgvRUz^eFxSulXz1~#vQ$}VX0PL zC5Kxsw!RfK`%fpL|2k{HU3FrW+3bSs`8C7Q&0t1EqvKC(rdV&C_{0}8f{ezc4a*utqryq1@y+ES^p_rKp+5Mv0q-W0>zxga$QD}l2GW>+}8B+J-JBG0wgha*8BMw z!%wPbhy3Kv3Wjrf7fb!&zXOQg=hycf>VSL7p^bPQ%G*P9fDkDG{;yz8{I5C(Q|3zC zkt-&mPzG+(oiT0~$bW~(1Sx0-24W=Cu+G0nM}nI~cA0nr^g3)O0UDVu)Lt10RAtGc zT~IZ`?zWt05G*R>3Iawa9I5wXqGF^Q%YTszj?>kbTCMt66%5^MJ#=Td?av&}YqhlT z2NpJPs5ab307D6J^!e-z7Bgm?!)Ozsy4Ajw?)$rh&Jvvl(pfcJod#`cX%Fa{dSnuK zt7+q}CvB{tANM5yx~>)_9Yug{>jb=Y6E(a=_c(A^>v?i#F^dAaaV)hrp!`~10Cbh+ z-^g@)q>VE`gMgsy3kP)1>6RR42c|(&a-{Kj=-uX(HkiPxGd`IV(5uZ8qB8X3cdhc# zUXSWfzD3}$1>smJ%W@{*t^NMmBcX*0%+Q>?sSdcigM6 z%%MPlX=2rPaO>c4&qtulu_bVP@+jYNEcv7`;~9ho1rQ)u8Q@{Bp#!x@YxAbMiOR5* zDUvF9NB&elNrVZ60hpg~pQr+n%@75bAd;05curQCm z{f`(iRk`ip$<@Ebh)tC)4aMV+w}NWbw8N;>aMf~ZgRYePc&1FD)}0H`I+2kL;! zw{8m_6D~$3-RXP8BXxrX3-B*O;=hLENfi<8}t5mkV4yVonv zu7tnJAc{o#j?pLsWv-+5YsX5O-_nJ}*nI&w!ov-x`+w^{`24YWQv~MP^x2(!%`Z(; z_2O-GF91kbY<%TZrvIA#>U;so!6~V6xKbq6?8bxdz=!>Lk&;o+eJkV(`5#1NKw68hKb536B9d7{Gky;khIfSTps*VLkzhR8xdhd@ zjj;^peLLOJ)>}F|7>njTywHL|e>%@?Zk^r~ZC5EhvDA#zcW4TiUVH!Y<%efO;>ZZh z17r0JUEe(s6%1#F51UzCR7^{U3<7fHZqyt%Fb$=QgEXV4bz!^PRM00&&xhiOaB2 zU+@Zfh+7T-IUUv3(Q*2~cGUIz8b?HdLx;@+w1U#&YeMKPmrPw;j2gn;9Ydy%WsgFK zd@i=YZP9n^kF*fI!Vhgs1*mOoEksS@R@MTKS}*HAk~k%U&_{ntcW6Ns9SCn@`57ifTqz)})jw+&zY7p?`%z0zZ~Gj$HrrviXr5z(2gpkG zEZyuF53TY&<{6clw=G4GacHkmk>3uT&idqyiOWgfC>D*kM8NOV`evM98*mPEe-%2- zc`?2kXz$dw#)eP@EsQRI)QfW0j@c*Hbk|fsRaj*ouUjcdpN;^UsOM_^ZH^}iKh&`RD6FI&{j^fzS4oq zprStOe785Q-}n_!LEnva#NA@7!qnS<6ozD}xQ#Ur&DGWZDvDUq1g<}?SqJEOuZ5uF zgUyTGVHGZ*{Bu=k9TDzafbF7vy&wQXMgZ8^c`FsHlT-HB*ftAqiGdPx%4uzP6N^%> zyzGN0&HLQq#sQ#&`q7s(1gI39sM2u^naHkc^}du4YE915jgB!-eX20T;{&j5Rlkxz zZT z`jt?jh%6P`h8G8uOuTzh-9pHBm@92l3mTffn8$el?zr6dMPw=_S+ZEWuHoxUXG$>t ztp_$RJ9qLY+IUo=jS`fPefI;9l{gRuy(^FHeAwQ8?dNDy^`icw0;%^ED5)KmS4<2t zYW?NzivF$Z%cu~C&tNG>6=n^0EULgytAXEwtYD_fOqJ#E3?>kAIskRhZ-$&^ z`m>&ZUzmGEOfWb&n1L0;89+XQ1omek&dKScFBG{4TCm4 zeGbq)%r_BWBfYAa97#C`{rC~255nIbO3H}?bX&Y0%rOK;0>LCnG{e%h%>Z4e>FMjx zrt}C|Tld=dtJc5ubpyI0Jh*~%Ko?USbb#T?H3s-aQg^1`RiMw-X(AT`T_8qnF97Wup^@3B5B)0>I}f?&_H|cA91pvBw++3sY#6 ztV5r_>K_ku5oX#8-!U-2^!Qg$lBL^0Tu?x(njU+Wmzx!>g;!ty`Aa_sO$uLh1(o+v zGludP7Ap6Scl)VMhBLh=ZvzRN!dKMpWmeyRd!o#E?O6@C)T-#^SPb;&7Gz_VW>wr* zzJAThn8TtPMbB3GJ*$19%AZrAMWN*7Z=_UL_-?51Y^)1{t|tmTjO7_75BNz=(gWOF zng`V($Kl4mMs$>#^Hdf?AdSBGmXE=T9}f|K05zcLqe`bQ_F(t*u0Q2qOC$h`00hos z!r&67|H#+`bpBVTKizo~a2&{E>PaHVecbZpY{i1Ih@kUm?_f8mL~V3~1X87U-Fh?I zee2g7>|#LYh=o1l(CGfg2vY&ZBJM+t`oFMC2AvyC^0ngsIznAKnkq0n@Gndy2Sn5N weWy}7{GWSZbL`K6RSg^esp{kl^mY9fG?A8h3XHu8k91BDe()9^4^l;}RSK1Zk{+#@#je+~)he znpab=YHI$QQ(d8N-*b$f_eewD!@Js0r zbY$SqGgon0jn}VV!i@mm@4;>%;{59SS5LqtEqMe0~x1)BI`dl|fOD0zpKYlTo~@@(4+K!b@8kcC!>@?cyLohMq8< zs=2#+lXox8{iz9t#!ru>P4^c34%;s7k}mT74&^1QnbjQ#NJ!H8U1^^H%@#B2(j-U1 z3C)=wfFQ1cbkaMGf#@fY0)0myuU@@!7C~H`kX2kGAzfX3{j~i1MLIg-c1uX92$EPE zD&jVf;zi;9dsTf-|9AGEVn0Rr|GU|77jm`s-&Z8B498qGU__C`C^~@Z-@*O=suW`Z z*FQ0qO3;zMJ3jlLXVyj`s{h*!l;=C~|8r|T;D<8Wf4RO-U-2+%BASfz)ZqLH(#ifS z)I>%^Z&02*Hks$Yd`JrSzQq6AjsHJ1?xz?I)pMYERKdZ)BDY6f_xJbcqPOo;6#S1m zUr9(vXjd3C-oqPRH!}s?Q9eIK3KZuFxWDDJ8c9eT* z3cW+qj}9m>v>pA#TZ-he0oU7whpm^3A>{siCj;lTHWMX}X=60YSYQ7p%F*}P6)>t| z_wt1kK*3Zt7dMCPz#T!LaXULZgM)JUYGMC?e)+l|d*0q&oj#l!Kez+c9~?N8YYE1A zPESp7y#4A+4D1fLo10t9{q=5^@5w*{gSyoC9?)G%X5it~{j==}sxS}Q_!J&+D%6%c zMWG);PXCAQ6;j}_6HwZ;alqaAwDCi8`%SaOP}1E|h$u(_c#u}^9mdhk9i3A8FTL`i zBo?2O0lHX6(btaccc1+Gh=B3URTc6gbbn8>1EZ$DdYpybv7-)TN+?7P1;}zZoz%G(;H8@3w_;vVUXgtOZxR|V8Y3Cnm_FW12YeWoEp@v;bFkpm^5PfronGt4j`6O+ltpcusGM( z*MSvILO}4t?Iug&5@CW=IRGPbU=5U8US6I09wFDlkrl}5r`TyAUqu>;jzk9H$oA|N0@S9dm!M*h1!u2&Z(A`MNMc6Hcr^3R*ii(QlzDJ!vP7I(8fnUyJ9{$Bxjb_%t_FG$9 z`yq#&L2vN?`XC`KX-UVBfgK$DPltKi&&wStfCYo};s6G}zX-#oOHECUCKXItZPtsd zc>&C{{b(joxbVX<`NL-wAY+Gnwo1P_2Mt!3Ri+oMl?O-2furcfjM)}2i0@N})^~vM zT8-kxKpaX9vhOhXd@lA*M@3_NZ$^$RJ_32>D*ew(M@1ieFAo-812rI-*LfT+W@l%o zXXr#9K6{1~Xt3teDDrT7N-Fs29S)Ge$p`2gFmyLPZ2qx!g2C5-eg5uxu{V3#Cwh;G zm=UD;sHv$b(c5M8n~QykHeuRHVDBMO3V5GcD=VWH#3C%l0<78Na3G$}6>Q3nFwbIW z+uPf-HCE^)kGESv5O=yGp~R_FL(5NlMQ4EWZS%Kf4IAByKDtf#=a3e_r35)_# zLkvh2=eddLB?T~5=>Hkpg{MeAf8L%Iie_-zB@J6jJeG1l*B16tTJ7R zJ7Nw3!;W`KD{Z+_y-qhM5Oeun$uqOEtW3yl>+iSPXv8SLXD9Rjx2!C3Wj>g|@Lw(D zvT<_q@)O%0XySM1U}o# zr=Jlf;L@XJ9J3}z#zZ8Yk}?P6L|RC%mZ0y;zRd*YX(*|+PUUxEBM#eN!BwxV;GBI( zov~8ENz{vhpY2-9*NJC4hAmD|WZ8MJI-D7{IE%7L`;HQk^c`5nsJAu~p%NvEXR8#| z26Hbi;xy4AA+2TC*-h6&Aaqz^zlR~mh&BFVr3c^mc6QXCCzFNx%WmX`pX#}s@iawR z>Hthe%E-Acv*p_Bi)C>kI7CrfVRF~`;0+C@M=Y4Uj+pm)RUpL5G0m#Du%4At?i%b@&>RJRbB(9t;^P5isl6oBUJO1PE@JWwj#?qW1)|#_}G|ZJwNTL zw73XTnRBV{DH;38^&34!+s6$uO?sUCb??&4KZ=l0_1I)m zDvz(40yVojk)fe^TcuIH7R9D=vEupV0Ut;bE9Js+r(A+^d?kJCBlmcr3#L=Wz|*%V zj-Fe3u8=(z3-63X$^17YBRzBDHu;Phjpw9c(fU!%rqp3*byHVpk}-Uw#D1~gD({Og zaAfzD6HgAbiO5;hn2&ma>N-#~$J|_R*4gxwX|b@XY%@L@+14DM-FP&SLd!rPwOYT7 z4}yl-^eme!EGrh2a&>7qlBwRiUrxrigR>l#fc|B)CxwQ-Y<(%Idi7GZX+p33F!$ye zQpYzh;21(9;X4YXP-w3v2k>9vS1`lRWwx&2#0@eOx_#DXt-yQ=4Dsp)>z58G*~BY;~5W?jy1^M<}yxc#tn=>ZZ6aa+7WcGv8g% zk9^DidrIl>!K#X7T1NQ3;|5gxu`leKOYE@5h2+i7`mo|DeM78vVv?=h-e-y^=fD$KgME0wV+PD2g5`OGn?7LUOt+C}y?!*V+`By|&`dF!Kr(ls#wV~tyZG!O5IXrn8QJWWBg+sP7T z@E|j(wz+Q7`VZ-kGFJ-8%tJ2KmAfiwKCQ!iX*5!Y(Sy$f&);I=V&mGScAqKU5W<<> zck3-CtS?$Bvgg9t-wjm@k=Ujx{t@ypo@ymUo31n1$9dQ&4DrGqX>HowNFx zJ#yC{2NYDgJJh#{KW?=vDxi%g5nJp)$yW|jfFu7yrmL%~r>6(KTJq7^du4T-HBY;6 z{j&kGzohk9_|Vn9#XCZi(lq&cH92lT{@9Z_#kZ#)!_2^9BJa!MFnIrvDT--$F!r32 zi=$MKn_ycwnLs$(zp7xYpBxmj-OZiw8Sw7k9 zN6S3S;Kuqpdmq7ZvRne)vx6>G6L)5Fs(rHQ<)3E_(2MS^_WW-AKj#q(Rs6It+L(v( zUjdD3-VjdDOnNHSAYlS!S~eQ9Do=r(v6wx5+2RvhSfq25W<1JueQjO)XsVWeq8qOr za3Cqi`o2K7mBdkM@#?i?l&`i9E9{gPHGYb%d|EPYYugz!S-#K!fZym+YPG9;4Ed57)z-mY+4^}i*^|!*@7lK#DV}Sd?_Ipkpx?fPGt6OQjOK?X6hJN4 zuRg(LSG0Axc*}-MW;M1vBcN;6ezThk2Tr8Q-{U5R|Gsu75;*iY#PU&Yh}=CKim6M%zDhEI0*m1WbD&1&zE|zh6c><|oPKO;5f;OJIo4{C#@jD@3zY33Ot$2r* z5^qcWe@}f9@aqx+^Apb5U|TW~2CIrV*rL7duVyan0?WG(Vg+XubF$zj^vKD-6aJ+> zies0m3~YqIT77ZjD=}7S%B({J6W}B-+a%2$qEvh3_rUhZN(VbiZ^Td6^;qbVp>Z3h zDQ6zIzv0vkhH{-p&W)N|O$gDb|K9O912#0e2e6M4Q*M(TqI6sALL^1?2XL^v7~S9O zzoN1MHme)F)9Se*Vb?FY1vQUp8eOs!d(o~%ZXw%sZH2w9t%U_WU?i}2!{{=%wzs|B zgK-C{Bhdj*b?J$G57_5>7xLsu503hcFfUr=&pF~n<0H9ne z00_~4Qarjk&dExJ2oH_?{wUgz}F0XM{=i^|Jc%6xqQm}5nX^o}h74+CYv{Y`pDFkZw zhp|b80u8!7yS!BHH$R!1n|pPXpQ>UFKzPx`M0<8FB#CEB9{|2!@9^;9z@t6w;fe?0 zGp}WZHMIjw0fTN5Wbdi5z*(&cIJN2~<@V4;>@4$$;>=y-wl!k`pf1U%p1;a)ci`)7viBU)6 z2B#xC^nikl)`97=cvH9{PDEkRg zKjaM!0CEFw3`3KpsgAO0=3)u%g>Jg$~g>pxLJkx{kMeO0Jg$l z1~r(1frh3stnby!mE+iP6))y<+g8Ax7WM`^9La{*hJOiQ2zEdY;^$He84k~}E1<`j z81j<0J6wlF|72k7lXb&JGAQ-+Dnd|SS8R!KD+4$Z+X+C+64Z(ns7;jZN}EIw~_mt<&mG@*%mT@654_>fNij7R!~h|DB{PP6xydgz$KYeWuA&P z@WoGwo5G=ZQzJZwA$(k}?RY&D1frI_;6B+=3(Bc&DH!vil>}88wupD8XdjiRC0;o_ zB}JB?LN6-WRYaw=`#P&p%D_U)AOQk>?My0cI8h5S^=>ptgj{YQnG=$Z^BbEfdKKr$ zuq*bke0sqyg7hwpq^bRJslQhmNd3#c#PNtdoz8VMCw|MZY#J=pcCcOGaZi|T89dq6y67bSclz}Pw-%{H zE8Q1%23)ua>OS?L%-bNUuX(gNrukPXmg=Men88y1AHS884s-S-MU_+J&$hzA8d$BX z=q>V1<>1UjB1$UP`kH$upQD^%Z*Yc8(pcwf0aVx81y$lP=#h8^R4c@s7^%7gvE%}U z6q)4+g6R_*1h}>2Xw(TASyWY01_A`;8(|h@2|3aRQ$(Ha!Q+IKQkx5D^eJ8s3EwZ^LHV=XZRDw4H#MuH(H3Z{l+T*APfFx-JPd^)C8WlA zFOm2Gk`_UNblm-cl)lJJ>;@O~;4IEp86 zS9YJf7feH-bZyv9QzbZ>Ba5XTy@bAA^lRknaaxyH`Df96jdXG`X;HXp=9OLNw(ow8 zE(@f7+-2S%G-gf*yLJ2GMH^2Kh(PydC+yQds4+57lp%c|y1D@1^CPc(kVeP@Cw3V6 z1M1@mF*CCZ#Y{!JN+YA&Ko0SV`YvL+&d7g?IZ%84vpMO9B-w+~8`x@DWz7ruGH}R( z_e;!gz9S7Rf_jRB2@S*B&1D|sht?%Z^^U*vAffrF;7*D9v6`-$D6~5Fh@rCZ2HT+_ zJA+ucW=9Ar_TZBxEr31W?5}9~Uk4mAaKN<=<0$?i9tPFD*&5}0-tiYn>{S~pzy~}I z9bmMP)|5G7Msom$js$M$6hQnp%lUO+_7jyNQUZh}eM~0;@J9%RxDaded&vG@ocTKh zeTPVa1K z(NCg9B2JXYgkazQUur;|1kTOCW8bt7tz2ROy%d1e6U+Ye5#fwKrv6>u$AjSU0zpmw zSNLTQzyo1E|Kap-fA|pn4(S98WcU$Def*-P^rjTN8W~aQ5N6&s*@Q27__8KDb+v@w zXw>=3Y!wqh{J}0orn9qvHg)_7p?rCtQ|}>yaw7=#I_|-5KS|1A@eVR=k~=R#eDc+b zOLj8)u*_InGuYto7QND-D2e%Z5#{N2%TP3SPXA+>x->allpyhJdf-eYx+<<+^f(@J z9QM`_=WUJx!|K`J)|d}qeS7-daTDdyLLVn@3D2eV$D7GY`cQ`bd0w}$&%ssOTWWZp z>GaQyZ;}|TeHky*iu9d2p; zzTnyMKWW6rQ;2N#&&y2r7ws<9DFTb;KKvIyS332c4!8+qv{CX5Yr(#517DRs%~}2| zjMOf;`~8Lu2Os}%w&vB7Cu^`q(~UnVe87CZZ{x_Ww}Od7Hi}XL-Mw4c*mpLEK*ftm zg`P^I&YA{y!D7r3Ahok!T`J}4ZhA`AXPL2~^cPs8EcHZOB`)$e0s96NO=FAdWaRsJ- zC#J%r^Q*`FJ{@j*Zod3ls-L64{HrRnbcHV?2~r!H92T1AD$@5fvvi}Dh^75Eacrne zc+0%?UzvgXHxmUA$7c?GU`ABk~aj>^Q8QCR59XCp7t>%&*^xOiCUdC8SjX=jRfbf!~K z-*_r@30_J|-0X46##LA?06yiV5SN1yGp@3%O|S{Tq4c*&NhE6N=da`O z`EEMMbgCbE62FL^aGtaMx+-(Fan_<^v0xwNXk#zz;X20#5J08;N`)+y9DFf!q4f1b zKe_qKq`qeB4W;P$Hj`}hyle~SJdB7QGt3Xn*J$Q9$v1ncU4MLA|lAU4h`5`$f<9B0HP%F1LZIjkQz^LoNdI7m*8awnCpYx6@P!SpaI7JJ$Hu zw=%Jy@BQU;O%>NR_tGJoDYhbWL^F)F;9oe8)PpcE8*kfs|91IhoMfSUaQV7yAS+>g zVmKA66FU*e(x^8u>HRVo_-0Z0w{g_cQIbpvIB?ET1xX!C)nSWqz(X*Kt<3F6^r7l> z;A>IxC+cz`2ijqK{XS``2ts$e=JCQbZki@qcA(9-xbf8$ z;E$2zqz2tZ+MlRHEWC6MU?sd{p+f_#HzXOt1j!a&OM$T#-|Bw=E&cTejDm_@3oVZF zxf!ockFF<71VEx1*+DIX?gW#wZc==Rfqk zDjZ`Xr&Awk0UXPkyUARnLKz7b{C7!)!hKVO$rifN5Phziw5D+vI8Up$Uvm0h?J%a0 z)x=3Za%!%tw8LD%9BaYNr`LmC2TpoPqfO_W`-WZBzH=rUrIHuEs5zRRenn)(}uyDP9r21+b7u!n-E@UP>S+!mS}+Z)bNmumWBqiL4(u& zTpbt;zH%;)li;j<3B-RRhyz1y?d+5@1cLa)lv*F$Jv@}JyZ9E1^q>^6)P@CtB?%P0 zzVAN$`rJ57G)P1R86F`PjI8_OoS|RzvmcXPfPQxO3l(plTAYA)>?Ej!D7VeroF=G5 z?{6{&W^RQ>p{Xn*rV!oa3Ubz^H8T;eS<3iX|3Vc?tI7vZq+GFDO-s{{BAtB3_&5n1 z;go#b>@S+pSF|Y@%E6{pd8&t$l!G$e-^>W(Z5&l5NYD1ed#<}WL2^{8wRF_bMn%rh z(6QS*P6dz^sN}t#oerhi4p+&-u?8*XU^VyW&@m|CtSO~jXls7&v%zjmJLyEuCKXwb zt#Dsz$P2Ewn8Wq6JM;IY9^CwGTC$)rwfxlbDW{f74JV{ z7VYeWcs_Ln3j)ERgORV4i5b>QV~*;1-QHq;xgr4$;QzD$RRS=z5m&VYt!jwf@z7$? z4`xIE>$B}-He<4Z+KBLQAR;+FISEkt**@e%z#1Nhi;aKmm|cq0(l2+_r3_EUnU(a< zjSH1&>^7M<#UG7zH;*-8;D8wkd@2NW$;dKtum3Sx&K+31_6&nFjd?+IJj;u zE-qnK5=2PC!(_Di!a^xt=nwA_QmU0|Fc(g9f;0*=PCm1-epW?{R; zZtMUR77}K-hD`cCTA@IZhFVJYIJQpOaXZ+6?_;@hKGB|5>qq^(=&aWUh9x@e8x@vz z>-FOaCf`_0`&=$|h$JGb`8M?JkCJBWBizKxRlJSf#)xoH#$k;`MA8mrnlGf{&^8H# z{fH}OifsCJox|>)=s+DLmyXs`V&7yM*Yqq~ZqYFPo-&j7g?E{J4Es}Vt>41eI%;24 zZT6Um3f_@F`0v+EQ_D7G+BnYDZV#bFsm7+;oV1W^?3PtDnkcilxJI08)GkL)xGAnG}Dxu_j3R6qASw*JhiTQ(J-ggY4VPQeUoPY@IXgWWqSIp~24>dGYwd#0FH!RdtS`ZW#O5ZfpQU0bB zUoZ8OXGY!j%vD~27QOJnc`F;H>Pk^msdLbQ4);zOJsz3eFG$nLke`PDNkR1W+Ha(5QhWqZ9;_StbG2<=yvu%_8oF?p)vV^kgU7U2V zugH{fIX-1T#HE;d-wHN|`le_yruX-uyj~RT6ltVfg1~B>BQ8{vXxp$7Z1$(V=XVma zlwo%OA1&tCPdGfI>6EacSxh$BEGz-^mTk-Ib8O)kwpST%%E8E;MQ^T*qU1naILD;O zuH4=Qfr4iM=g2E0bbEU`S~#%{qk&xtC~Y*gFby=1k;cks)8$3qd_ktn>8`p!I{uw* zH>COITBCW>`b+3m%d`QwWu1TD&Qix$(95~hV~yd?8bUA)6W#?E2q?DD;UsSTH>7)C^9v%$fV9d;8>UzqQ!5KZKwEVv!jh9*(2FyWJE8Vzr~w6^0QW z`2QF$4&e_#z~A#=zA^q1!)1%g_&>ij0M2>EmQsCZ^viL%e79E5RMY*-drnDEYNEp_ zkzl1W`&)L+k*P%6VD}q{K)QUbk!cZV+HHpAy;}&%5I0Zqh~>mFW0K79wxyKmSC5AE zo=Hoapb@VqZj()E(j>Nx0>&%7a-XQV^l-Pb!y_Y?88^M+9|Td*_UZ1VymaEb`j-{z zJs7#`C7R2f1T4-synK7^dfMz=MN!~p7W?0cG_DQqc3c7;CQ4GIjJfrP=b-6HI}hxeA|=D#d0)<>p_hyepIsTg0^~(~E4a$4 ze4fJehnhp~D7W@7$x-jLZlg9erPjpKsc0^3IG(*SB0!GEtm8x;+{?0{-ri#d)y?oJ zGZc09D080MtyQ9wqTwPxfBmN}w1)OD_QxIFmrul)#ox;B3;O!zDPc?e4ICN)k)bk> z-@5JdJ(@lmk>bS@HmrRsSXB_^v>G>UhF_muhjDJ|w-20uR?VH)cK~6HJkx?-1~kg} zW(-&k+x9pO%_hW5OVe|)J`4ZIJpb(gUfR^egzHkrXIX)&me&(nPh1>y@Jv36-=7VH z?TivguQJm(unUfE?TJ>U*-h@%DIcmIM%-tx_z!FZNRs;%8|sbQm%Nh;izZ6mkty;* zGeRIp2y$ThuGwm{b0lgYNx+Azfb7rkU@DZjBKkZ0Khx^P)R?&J>f8ctpQkAe0)2_` z1F&h1qbv8t#Ds{GIY2!iLdJ3&1*ZM_AlqR2Pu*h;5(;>np!|78Wf-SG!LPojXituK zo*dk|+SaEl!OAgb*?yp@1wbEP%tqeBKpU^!@JY#i162JyFJi z^Sl_+=7=0WF*GzZ{`_D!<2dj_TY&d=!H{&>-^wyDcqs~ryvK-%(NIi#&e6)MIHswN z6TZD3?7lx%>bjiYZ&IjhY$TwVO|NN#&sCqPV4%+eZ7v=Asmg$Z5+rA*v%0T{Y4LPw zJSUC5L_bFt2Ea+Rgp!iC(NtBh1WxZ=x-ZK*o!{2nA$oF92snm{y$h_pDbMB?njHRIUf4kiK2JDTpDFxzDM!^3 zMdbv2Fihf}W^huq+1X62u6up9D6eM!Ko~7PFPv zuFGdtDparP7{NOv3aO}{DDYL0o%AkMx_1S_BC7CkK z1Ws6QoQ)hc9h7RGhG^9#0_+}dRcSaX6Dy-Zgwo&?MeF7(H~swp)C3AMW#gUu6!s^sKKdD20Ug0` zWb5$IK2HQwjYq#lvv!7LF_{u)&e_Zcs*z9Xp&l)pB>TC&wcQWBk-NYOFrpDuQr< zB#A<8WW(KfUJtU>Iw?9Zz~!ZoFkzA%#xt( zx0t!ESxP`?b+yX#M6Jl?A}Wh_(bH9bPzI1P=nWd&m4YIF2`059DDyXWyuwJ7xKr-5L0YZ8rzS0t zZx6mgF-tRPlPOPcfq0+(?}7x^u;|A5UBS$E`MMs;@F$&HsTU0bwubw}hEsDq*-9#h zr&smYZlg&rGpoF5eCSt}cb{Jr&D7@`>LxqD@fuS9B{RrJ*pb zrK(K0VH#RdRdA_C9K$Fa`~4W?cNg8@3>j_hCeg8S%Ty`=3^od5fwi*OBtZ~A^T=&C zW7Dzz84?h{L0b9{|KwfY8nlB1jeC?fb%KPf?c8zuD4TXdh+F^ndm1^#@*Yx>hKoYa zX|xFc`ZxyKV9g!8IdrMDS_3Fw~t;$hE3I+te#U?l2F*FD(UVE?jd@sHy7*P!36SR0CO;{m0J*LV!6Wt+k4uz1vww6CJ7h>jR{< z5t;$lxEL#-OzviJ2#gg(Z{&RcriZ=sH_rPP%Iw`CrW0=xZwAubrJA491^eghz|{pUY0lKZ^`P?yN4O zmTmtBX!R~?vP`TyzLFC$X;=6HE|19F*~D(U*H(7Ofwt=<1YLP=3W)Lr0N|c&dTM`~ zbehGu#j~oqx;iIkMG$@!4V>nCl^v_szeA@DkPJqj05o$y#Q%KGu9BZ5dU<&{Cnsk! zE8yOHDk}R4x~28)wsOFUcWWB2qd!o^{l7j@tT8~C`v9nI-)UVf10nglySvTNEM;me z7$9*2v~EBU^1CCTJ?%Ir0XX15@onviLgjYfD-KLWAmB>9>tJi^{ckyhoond>TGT?b zM~wMG!2M}ftI=UNE)zz@?djQsG9sRM36R|19pNaCIOHUly6xj9cldA|Lzb$Aus?d5 z5{ZYNak%gCVYbc@jkF(X-!`AosH^u^_uNWeXX6-JY@w zvb4-mSoU7d=ld_r(OYXy$jcWdyV6?S++bm<(ynmxKb7#Py06TbOZC|f@n~Ofsdrdt z0;HGtMxM)~K-Yp%iH|rklK(d!{cP?UrV(q2fMp78@R|=qTxw&R#SICT>o~r{hmoYwi0k-FYW*=-|_j`YsmwIS`KNI z72DRQp2f{hDiv9$aQX%-*S}36VF&CLzIjHX-2-)e-OT}n577nRLiLmi*S|>}5&|HS z?Reg_^g}Kqr1oK&_1R@YS5w2{JE!!e*Ke^fd!hw)&q=h0ZJ78^FBWkyGn}2hOII1b zepsr7PEBd+6Dght+p@G52uscCXS=c(6gS=l`&fi6ZFsk(Zo27>Oj6R)H;o<$lOE20 zbaI!^b>x(SoX(-Pf_6pb78^>aI-U3`LnjO8XZ zqs^TLj%)meenXWslyM_hByT(`QYUO{0TmyJaxk<)uk^um3Y$UF$boCC)*vxSf9b6O zH6=rJ<(Nu7RLiFE1sa?`YzvKL0|JmJig9_nDW3!~76H{gAVl>Yl~~>AQ9DjZup|hs z?)B9WxQm9UF7c5Tmh$dn`9WXcCj zxQT!X7@1swt-ojEInqq`GIpabN3}28Ea3yD>wywj1m@sl<#faG#6j~ic&4O*ZSDjij#O36{_c-$d*c2w?5># z-a7d4{kzv*_JB|upc1%NoNDH;aCq<{29VwjaTOnAAzhn0Tx|aTg{a>06WMLMrsF4_ zv$XT)WF0!L7pU830l4utu=n|OMeGXz>2dE$AoM?lJO`vQLoU~4()4C5j?vB_2w4zw zNI(Vg6$Q)OIg?RS!_amOAWE{cRUUM?U7`e-@`)V7Q%`k3%###vxaTK{MC*>Em4DW0_SyqJqL}zUFw-t@v=5gGR=%EjoUeECNo94F`d+OJq@htST!t%(N)#7!&-$}vvcuj?4;mw042Nak9m0*bQ)RQ zu%=W?)(w_&Qf$PYQ`44h8EPFpthKtGw+AkE6b@I-Sui;lN563>-K<^mk{rbvvllL$ zEGpHdlrvBI z-rNv7wp4xW{Bpy^MKF<_*Zw)LGq9$Uu)JPxvlpRJr@>A9u}US7P6@$AuIzE%P?{gws2Wtg!w8pVj!%Qxk3 z&7{cT$hW1ZRTUQ^4DX4PYK;h`r^3XJwonkr*Yi4c=15I^B{8I4#hJah_`RWYu@1T- zx{T)lL#JGztociqfEhd9@ViJvKA}|-!O){HW8#+9#mH6R(8ftns4*r2F9$qXd9TMV z4xB?TO#V+SajRIHNdBk#R!-Y!w+K^@!qN)KW?p-8+E1}`ZXJ9aDLjea321t@dnfk` zhAu%JdaH8WGv(f$^)jTQm<>%DRi=Loho|K5BHJ42EWM<0ntP&ATMAh*=Ca#NKHI&b zw2+Es_S=6&XD>oXk49glGo5;)uovkP~r?o}koz5@N!aT@`a+Tl; z@tf=Kjjh~=QGIOtBCnv>|BEA5QvH8$#4XpJ68{g5cz-@hAcohdwSb}PwSIT>`W}>3 zsGGiqRD8!g;x2L#BC9gWS+YsUvRhv6z34Gc!`!qV(Xo}OB~*>AtDleqddpgxy`-t3 zk!bD_@`QlgwW8O=C|`rzr3^aZ9=AX z)1ot!ZEb_bSB>C+k3GRyXWmgP~#76G|=X;SJ*PVM@_3eeWz` zci6z!D#+ev4O=@F8R{ABqo!n3DhvVsWnofmBagBORcj^fECPYbK2A#Ch2&zzx-G)T zsG?@IrjQgVWPx}{Icro#1Upf=01?isFsz(iU5`Aq!q$0M^>4-9)aSu&Z-OSBANpO( zTPxi_2cDc>MZ7b)T#h#NY}_XbI*~HDB18nOI+UN-0s53ElYf>>0V5V?!K@rkqA`tJ zyxR8hODMf_nXp*P`&X^rB)tO$$sRObyiHVC+YZ>LwjZ)=FG&q5Z69nbOxdafv7;QlQXmdZ!N6h>fccjNXX~4&XG*A=sn7dV!kV7F<)$W! zKyg*zl^HlZhHuUKQ9I}n2X{|=LKbQo|DaYc=-Knd?+v+8A=I{^cY@J`7Bki|AC~TN zOcXtVOy<(0U6P^)2`FX!1u88cM-eREJ|d;f#lnQn7zm6NtfF$aoP&xTEQNSH3lnJV zm=1lS1a45_EL@|@6;U&#bq3s4LOCvu+*NsNc6BR6byv`DE@4BuE1ViOb#GueP$3CW zUOl<>M8+={O_B$DHg)z-`nnUTbdh_QW>={{OFDnoL!J-rEpo@{SB~q=$?yItF)DP( z7Hk|pG%S*Ni>bbOp>L|>*QjN6X27h;9xm8j+`Togv*Wnr`5B)FGzl&F_c3V@8b-zA zP|PL;Qf{~-?l&x4cWWuvhSyKzl(~A8#m>9yffJ|xaZLD5QoY|gxHPk#9~VB?7n&L} z+RUVPP5S}x!I*;kcz`qjEFsnkg`fTVp>Iws^h(<(BQ;xpx$Mxx8QPNFyGNC=;j$O~ zqK$i3umwtyrc??&8u?HfP#8wT(C``i)4UEF_>=n5cW%F#g0u=11$9E6kn?6iK&sC! zkj=AG#!;I&dP3PT>3usYcc8~o$my-l=zgrjVu=c^V`+~$co76(FVo&g!q6`3)ql{% z%bk4)+#h&*(OC{DJiM3ShneEV&~svF#Tun%nP6(1&ce&AfbwVx2Je~e85UZA!fgRd zr}?o;6faJ>vj%Xzu~RcOPQaTEBKtHH?K9FcN`vgFFMIT`iU%)7ltE5pJ&Y@)+Q|kt`|H+6nh@Zn2;dEZ??;VPdYiVw z@;ETF_v!VQq#W!)!gx*yQd-Q4zLrH@Nx1#-?V+zvePvU0(B2x`J;%{ee^tpxjgpae5QEdOi>>O#B342Vh-Pk_RPoj! z%p}xna;6^kO&btP(u)CD>pkIom8U(sl|hbKXpwj!12V0;*(9&g!g2sF!TdB)grr2P zY%!~Bp`>&0tZ*^~ACr+1} zs+qX~rCnW}gkdXMg_cD9?m>eKGEmBqIHDVo*%^Wml3%2y#kIe8`)}}BKg#iUfcr`Z z0tVcYhdAmS9<)MS!=~ilCT^voHNOakRzP0xoX%6=at5t4dNmQqC(gE1g1~lO;9!$d zuASzaPHX^!@$NF1Cfrw?4B!^%UPZnjc?t-81td%yQe13B9$(@^w)$rC-vp@lWPOXC*QNaJuBM9o` z6w&S_K%@4UfatF0FX}N>U5%!hbXc)srhDnb@r<;D`Q^f^~8@;J4 zXJ)G`aokpdmUUGCBlP(H0$^gwj$OFFRLX@u;zh@u9bxb;O2w_};(1n1>C{fU%$T2+ z(demn=CqwA%8N_!|6VftzcohIZu*--8!wf)ID0Rk!M*Mq-npNroi_|yu`n$_A$m~H zlZye-TyKpY3{_gZ8J$s0=X9kZeZB4>5NMn~%k0UhrYjYyBz2BQx?bz7o_a-z%kz-D zEt3#Hv9w*A{&!253XqD?Wa`^rn=?ScF!StjcurOuB07Rmjd8p|IxI$5_6vOxIxPa3@Q_taZmxsgID>OB?EM5Km*G7Nl zOiS*HPp-M6EX`Vh3M)?}fwMB7Ii5t$>=vawz&E(fY_lMD@a3BOxhxz!Yarl|pF72R&CHdTk(@A7X`;5_c@GvM_K z1peAtCmmQ;(kHa@reQ@NI&mrl2mi%uUbJm;gs7_Tq8Z1oPdJ#w3Z?^4D4LvuK{}NH znsjiyadbog(`Hnx>;@=NGq89HpoFsE&$zXIm(sS3fe;q4cO_K;*a`<*-Q>6rc<%}j z^*o6BT$01OGd5!$5)Ere5A(019Vdiuq7T?H4cSGi`*cA1`cbu+28G^iaCaFZncJNCmLWY+X*_ee7~szNogVpgHV@xttqwf}%@;fKBot!880 zW&ePyZEdEJuOM9XE!X#NPiYdqZ%Vx8=RCb)G|IgE^Sb%v8_v{%#6I*01O1%5 zL@dFwHprXQ0-JTWX@Oj}e47-swke`Uohi#&mjVgTdM3khE=4AbrZT(RE(`F=uS8u~ z>^*40(lSv%J=AfzQrof3okY}ro#$LJfg5a@Q>l1#mb{V1Q5ej*9nCHNFQ>ppZ##o^ zG~3PVAYqm%AeUz7@Vc?Ct@8_TBOBgTxlO=ohb;|qkf!wc(+O)1u4I{^Jyv`RG5eKg zGpA5**E)82aIUq^)Axom;x8S(C=0L_gwQsthPbU1C&;od9hH@oR8TG*rU|262;jJ;TXmd!h$V*6mA* zj-Yd8cs<;2x9LTx*Xc9^lCJ{YHFb(h*IiT1T*F~-|0k2SrO53rGRFhttkMUV(*yMN(MNu?3~71a#Kqv=m2 z-GsVG$@`Tj3{^qpy(2v~y+!e6#A&&8BF3ff<|Mmt8GM8jGmG)KB<$^|{eE{EDCcrW zF=CAEmku;2S<16|xOGp%e*b|)@36FgP#Cz98%}4)8qt=J;)@$T9FdWTJ1bD;TZxwv zBylb9T~wy6>HRE<9ZJsdT;OYQfrzxBR~r^o2$Qog1Dc&lhGL;iIfGDEd(IsBx&+ev z^khvcIV}{){Lvu9?(AhsNq(t7m$QjuimKo&REVJ&URg`R7c`Bd`vPLRXpLG6v(JmmU1;Wkv`*EN-oUj<&<`&8DVJgto+cgPiX@t~$| zV^`N-M!5qw4m%uX_w67@)fMqa-}Xmvj(Jf^_u6WmuNW*L_i{f zKU?p`$$@%mMC8@!TUB%gMl3C=@z-8Vjal2Ra9XXp1Qn@8?%SiKLpKz>OxuVGo}vy{ zg+uE~OD}&Vr~MfkOlPQBy&z^`s0|$yE4%)9vC?=?J=1+w!XSj&e} z{y#tL)9l6FKffGf->*SlpL|H6W6S0wTO@aSBU}=#)0r%^VZy-8+Y#dtOw*$=V-luq zCT{nCk@Xf}QMFyzD82@YG$IYs-Hn7wh_rNf!_YCbigZagNO#9D(lK;6(lvB^6-$-CJ(xpJQ~kktRzoIv-jm?Bp=TjXD$3jBEw;^pN+5kn@AmADb^Q&F32x)C zl=*lXKGvB~>E1neeb*dc))lo~UFmjaM;(&q{)PR${Mj={6!3Sq0pi^xtoY-EQLYJ2 zUtMp~9A&i`(7x3mrkzP^sc6VOI`HX}skLNoBVnMxqOqOcd}e4iwtuDGT*j$!I@R%# zuX3vY?^Rf!cA0)OLXX4t z#)Rn_X%U%EqWAFW01 z=wW8EC9pnF@~jI_vFY}BfSa2;;KLFig0fzuQjl=EJ%%DI_W{}6$Q+pefqoO%5nyCmYJp#Q z1Mu9!)v&wh<)VMy*$js+*7u$w#cVOa^<7Le@>rL{I=ns~FVXNj&7l|?9Go+$ETa(# zOevUE$!zw0yD(o^0pB_EY`*{0d|%`_dv0l$63kFHYI>!W5ga@=m-==6S!}x@hr{cQ zeN6>Qs%&NvK7W2K%CirUA=90fpZX(CO!$@@5G)3)LKjUgqy`RvkrtJe?Ex|%BHDkU zSrqboR6Ki&8m*wtBm0MQ`wQ~?9uuO}0wWI3d;uG#6^}+;w#0$VxPe5x;l3XiO8W__ zt(YEIiNY4gK>0{qSYw>sMa$T(VT#rQzL@3aJg%HPj@mK2>}wM}Vzys2>5oy-)tH4F1Oj(}Q``Okzo!Y+#)V6#D zXfXvzf!mJU#Kk*dVFU;Cc}y?`{4@}zo&TgDei&xa35#-^@xkhql+k&eRem0`^+?^x zS$)J_yM{?$Nm`CtlJn8brqFBmwa18)dc+F(ia#@1LLngF!NhgOy#fkc<}|jAmxtoGV72@J|7R>l2tUGSb4OcNBD|#amAxK^+5XviSHA-| z_Os>Db5`;Pw)QJI#q80g%;w*!OqI0VWW^m)w*##J@(C0( zQ`|11S|a64P*5~g4K}acI0$!lcbi7K5{;|SDTZIsu_?;wW+Yt-kXXf-^w6HM#iUrv zR^5@oaezg=E=e%9pX6za-2`sDw@V3oV;1{Nx8tlar`K?+NJ@n;a9e!Z+1*8d=5P6L zDHPacWe))DK!83D^4Z*H_gFX8MPQ%$@L{H(H1Fosz`;i+qr?zc%nf><2;XR|XLH{= z#d3#5=d#6!xC&P~qLMhA47Ws4)tNNpN`~^_YxwmWnIPId_WNaaVe%1p&PVv)OaMw{ z;r_!oBJ5h*;R{TqNcGh7Zg6lgr%}gv<6BSR|NUrQ`1sra0zO9o@a%j_uNmqhG_UA; z9IM3eJ^$}n`2uqm%WBHE`l~-BD0o#@;e)~YTo#U$Apoj}k!F#Xmp5wJ&SRvtYORrk zH4CfAQ{}12Dy&}V@=KV-Yt363zndke$rltsMBt(C7pz3=hz}NTL-=8Cvfiy_vp*Hw*?xi`&I6Mr9s5I&WlKpr8yM1KMd; zhnJp!GTQIHM~iU4wgcKigy@0D6(vlgU|E`{60ZDE+h@u(t}~y-eHCC3Rwg6n93)jq zwv;hGIk|Io4KU&%vN^vV@8uVuKa1rTj6Y354=j+|+Yo&K9Sx#opXvGcNM6a+ZoK1g z5i0P_M#St6JO5qU7md1Sf#nsDE7NL1W88SWJVDdQni2mp-~;8&F9r&SXTz*66-6-= zL-@>7kq%-213^eg=oioS%#22ZIurhKxsXPa5|bYDDad%g_BLM5EoEc!hY)VZ6CSiFc9K%ofWW4taCz1nOSaDPLN=&BK-qH=2%^UU_2j1LZu zlN*^Zm(79wQL?u~J2l9N^T2Ebk3)7E{+rDiH&V&y@;JrAdC$8B9~7O57Kno;bWwTE=<)q1I~+QMBtwsz1v8MTYuH< z2y(6A0&d#6JPFfZTI^Q;6{kjEIu_Hrj$07Nkllz(JI4s?Nk?eS_h=e7K8vzYw#bfQ z*;p7U%G6Y)Y8kQ+!IgcbH~dv|ct2`9%S(9u{+RvY7`cL&R55u^YC>%gf+Zq8L?ae{ z#$A^UrP9mSx@zJ zl`UVa0@nBM+NlFCTd&d-kjh zn{wf!Jw>j!bG&uLR*CrWs&$^lO3H_&pMYra-O>57{=&qIc7HqQD84r{wIZHc+%l^2 zshqk`jFGeg*4ouxbU7JYk5GU3`oK6?M}tkVMB;w~IcyV~y0xf)JPQdD=HLnMk@q1B zi-rVEpm-ejUot(jCfxc5HJc=V9cjBWt4}IwR9w~Q(MWkk21|UvjB>O!Pd*tP9j&Vi z1N+g>&d{evNCDy|?&~i{yUMGB*`MT5lSlS8PbTixYAGZq;g_xvk?6(a*?kNaRu>f;R=7~bBw>8LmxoJ) z+0XiVH&0LEJ>WTV-+EDOq$Opb!tJ$u`Na1ZaQUvrEmPd=Us&%8_9;8jZqLP?SX`5W zO~<&VACdRn-zFWHRSurNI<)|&3HkB7KKa!={&`Izw>Xb$D=gqo@57MWvnH$}g?PEb z_6eV@?o4zWU67;ux#Wz%99q!hS8XOuI;^m?Ezxp&v2G`^n&6&3ADXX*NFRJ%`Bj~g zG9eRlaWPXU+>+(Bneh~R7E_7t(qlUX4K`+{V`+C6i+7b+*WptVC@4`06+d6t;p+D# zpiQ^%H9bR5_$pI;x3#{xI?w7&X^Qg!ns;Vx$2*Q798?YVC9Abn6cHNX>Tk8?J{TAj zJD7Z5Q}?#@UB~jf-#6NrA_R*AFyZ!l$Z-$Ws&UrOxc<0-fjlmJS%YrYxw^E5zO|WE zS9_-!bwpET**d}!;`po?p|mhY-ux3g`r4?pxd`#I0xo7%ZHt~)jFp!z=h|vm#J_o_ zIL>b$W&VmPdzobD8h?H9MnVF{pMH&h)^32O_dHo+6T}W?r4zp!j+2qxvalN%^#nF+ zeUUU%`MDr~4xDRYUC%Qn9^$l)L3_w@3OXq zS#!MqTAxHNje7Ktkhb@mh!ei|AFtp%ldn9{yER{T=X%4!GF~386+@o?c}PEt)sj!< z5y3fny=0`Z)=8e4wQ*g6!d%uujZ+al2B;=1yzzU(HvLIx^JOjPEiBlHgD}ezszLzP6H*nqbFxg|_KvYZ$!!tx6@jY5{8=9k8xKal zDb>imm*3B|yK3@((8t+_ptsn4jv;GF*H;mrNPH16T-*YwAsgwv3o@C8mma6}WD1KvqMxO^Hlf96vnu@J`A^9=q=!GY{kBCmWZ z(Rl^eHKN%SzklVZ8PkZBy>tzxcXV{z1f>;rjcfsup8TQ)qqTCV52XVqq!zk66t`f7 z`P$=4#@2=mf{CMV^T-1bjr5v$*%WQ0@d7vi%>gGHn1fX6=0(^D+Qiwn!!-IBMyr&3 zAK|IGzWxgQ%R2RuDqE;fp4#H%@hx%5&Z5K8zK(t>{X>T%Q2Iv4BY#6P3+e2y!1->W zm!Y1qkP4h2X7nI_ohw)5Q8oz+aOPO$klofS9eJFLe21x_*T^`K4iD>G=QI^8>O4N= zJ^C_~+c<$;c7E2J8eDr6KFmNalgI-Ev8Vcx!A6=1WhPn)Mw&J>6=qmkL{#~a5W8bn zGK#cIiBT@Hrbryj2#u&=|F_{?!Oavl0V`BFD{r}gjB@}Urc{q>xb=)CK?U_vd}+Q_ zih8KMap5qxW;q?JO^UjLrzTbYxl~qN>56FQfvvl^2||gsyPcso!ON(l}ZtUfAict+?ypPdh{=6!t;mFuft1s zOy7^z{$V6g*$5>7P6quXF;h_s*#V24Eh;=ljP!>?7Q3=1u87l8by7Kz3W6 z8RG!Ifi>jM;Lj1u(uC~3X5(~b{XaZqy4T=rmz}=xOCx4Tk$rZl6*ry_=vzT6kAdCG zuGzYYURX6Bx8i(%GUn2B`F6570);V3BZN&eb-P3g{#4}B|qw|^Vk)P9t zHRxLciq$~c{V!UoqYCEXvfaFlQ8-axd(xdB12KqOOKDJk^3C zV9VABCRyowl<-W-p<#kcqDy$EQa&h`S$WYBr-8wm?UUvq=%0!m+*uXdXHV#}wW&3{YUXvN$Z%}Vnhj-r z<#^H)q|gMXL4pbr5~I1qCu2%_v)Mc&39j>&VOJYy0tt^pMZ%mq)gdKHT}Vr%DrC^A_5JL(0sEZ_A3J8R-!Dtn#!FpGq&8DIEMx#@47L+T1aP zbDM@LFxj<+>jc_(N&H}lNGFNTjc!+xgc=M z9@`n=OKld;X>Fl$w%*C4tmlmpT{0|(eCt=eo-NDj%BwDd;eKAdt?h#+Ikk#TxzeOA zq(=wRY{_RjbkSot)`Th1ofPkf)e2M3B|KQ7`suvH<}N8yjR!wKU3!YGk0d26axsVDm932E|#ht~qS4v~}qcK_as zpxrY`u48q--K3FTj-{_p_OLDvPR=)hGL>dHwJ0@C-LuYA=Pdr_a-5GpB~8VWHXcRJ zMQUbmVr4vUSTJokYeD1~?J&{J7@WGFU+;37#}D~sPqqdUnl!8!S6V<=i+?zlO}SS0 z1SGbiv>ku{%Krt2UDi|>T4z&QYBkfvhy@W%ONV!3z1VeL+NB>qnrf;N%9sN?3!neA z&zrib0_^5_d8QYeGTBRkrooq{kQr-5B3S&7F(%b6Q?H+F9wF ze6DAL*UTz))C<-ctyQcxYWytB=LlgHQ@pR~j-`0jP=DDa$E%Ytn>tY&(t=T1>E58q zx+9n);3a%DcgqX9{i)P^i)9#^2^aG@H@&yi9)8>8*NebUYbBf_vb>{ z|KsQ8jWw_L+rMmdzXo{+8wFcEKet^0|MEf8gSJ%uCc-+vY6u`#`&hatOMWtFU`$J9 zeOyeB=EGWpHbe3f_#=sDu#w!k^a5LC$zY%S$NR^82jn%$nkr!o<;tRvdUTRV3iK!Z zsX1LrWxpMTSh(T_Ot11eqSIOoaW6O}BX)6>@59T^U^VMC#8-^m0*ISpDRUYfeoO2s> zVLtKi1@UhwUJ6bZf+k*VA6{2XvMLW_HK-GONYK01%zp{l61BCwVs9!CPVpjY(_0p> zb8^DnJ8aOdvyNvOutfbr>*&_}$~phz-aRNSw*A8m3Nes?AaCjG`;?Zp_yj0Ax{ubN|00^IAdeXh2R>uCto!5PAA4Up$TFwWNV-#y@G z%M_>E*e$HM38jF(!F+gfl&ky{rIm9J1K&AW+u>vmiTHGYaC0UNq=kq;>yQ7q6yI5; zxU|QJ3xU4 z{D5s^H2t1q(H@LIWI%q+>J6_;)qpHo<^DIl)s&ZC{AyS3mDA^giKJVju4cxV3hbh* zdmjZ^|LH%5c8K}Rhh2-uybpo1bA-}*w8g!Bcfg-uR7s!=JFC#myZyy2@B8qP5ZO88 zIX!H%y4Vzr@!k^bOx)Dx-)S0Phv@S|)Xn-vDs~6~?^)XlT+vp#B{O1)7gRPl6M0IX z!j~hT<`BY;fpi1={oe}Qua)v~Z*mg@P8MJkoGLUoLKAt)(j3O2%b6@nheOacqX%nB z@6V$=tX@jk`cPho&5H$MPA4s93!(28jelqXXG1xE;8(Yp?nG^}@_V*8`##7R7=GSnAZ%VQeFygLGxnoQU?KLuQMw%QH(9NP%F$)y$&y zs8iieWkEt~)ST{m=82-8)pBs}p0sI{AlPg2kQdn5zYZctj+M5@ZDnsAtxQUSk0iGK zu(5_-lgQH^H_iHVib|hHl{%~^X~5@~2vEO#G}v$IYFIWV!>L+!gK(&pEARt~J^+F` z_rDnyiCpe5H)eq@hN=Fvegs%1$eoxsNVEJ;hp ztf9N9hrH;O(i|D2cOcyXMm~&lwU|6PN3N1htRf z_`IZ*3CsKDtHgOWgPD@C4fZ~IURasgp{3mQ)-nnjsD=b*yy#MdI;Xdfy~2qv>Ig>7 zC8?7yK>hHKuhWw+H>!haL$BaSgcM9dUJXoipgP>Erd7bmzYx7Ej}ZuZ>G7bm?5YD> zS;DO%f9g8dG(RT8y`j~H>gYvgXKd@`$Jb97r;_VIC&U#&waT|H`n1aIuoc0u&f#M> zI0trwo^nVbc*4R8El({wR5^_Wq5Y3ZVa_dV$4Uh{;zy<9E5W3B7u_tX@zQ`$o%j*XKR^VP1vp+wdn&DNMzA;V2bHL5Gnlogs(Y9l02iOSR`Kp{p z7v1JM{;)f#49k`c`5yrMGMEk#vHdXAJdI#UV#P2YIB8!6qJC%lT7LedA>`|?Q$b8P zYX)`W2aWeFfwv`mCoSmFxX$DJUTNzEJE;Z~@~%Rl2);1G`i5V5R5;PczO{O_noq)@ zRe}z5Q8_dyC;;Q5=k+LVq}S@tIs}UVl?Dc#l%Gx05cJ}D%!E%?r3Pfua2Os@-rs*q z^deh?!q##hdJ1*c(nu{Ub-v`AW00}PmTRL+V%1UZsA}-T=R9|~{mBTOwzcC3`&hW* zqG=k;CQ0_~VInbS;H8fL@BpQ3P8qb1jQVS4jJ=<&Cy)t^ zocgY`?pL9>c+uU_?duNMwoU2sPynpAW9bhK@+32P|By`8%8vt*yLnQR40%f5d_>Kb z5bQPFp5ZulAh%?Ti$ad>+C(FPs?xdTEV`ydQ-rM->>8z&odZluxH&U|A_5@4nQ56n z?ps=t8*~&TZC;OPT?MTDCM_|XebNA!o z`4wt+4MELOg7;-*F8b5?o+1-V@7ratwN8>?K6sb=f1@*e!D zV1!wMPDQE?^VtWMG;UOPO)aXcv-Ne(hf79+nua>1ToL2VE$}sMMxiGx|6?!ujYhV= zNkMlNS%Uipg(W{ou`st-MZy(bJpAVS9AvAT66#q?N_JlHYpu6Pe<(Mw8qhLaP^6P- zIn^X^uANReU`TVo#?Kjf2_<;xQzijRQt7=E!yLe5qd6hf8B$Rr)G+1|zIdHoJj9rMXWq(|Awq+VqsH|fF_PBj8Du+bvlK#2g}f)B6=&fTOC}^xRUJxr_m7k< zJIAx)*A`(6^$ogikwh=X8gU1$Rb0zdC2=s#S3oS7b|{CMQek193~fVUhl_x^>_SOV zQIW5Ho%Q(Y>gv#zW!g<=DIW=@`&48Ry7=H|B*MgiWvYBNdse(?w*1S^_ed3^s(NCZ z3oj2psps8TN0#0wUvz5E@ypLX({Az7&IL5cUR)JuY)k*H=eC&L!%3Zsd?qR6@n_XV|5V3;>9TR>Re>UVPY-dq3m-#b9#GItpt*kTQ$zR6| zSRgj(mC7&c8hx^UR`PDn;a2lV$%P{rbp7aH=@kSgUU+buN12A|u3d+SOGg4(Yo|=w zS{Y(7o}JhG8y!bJkNm;}b4>_`;a-C#x?9q_=+`=f@2R?J+|nb0(c$Y#hfS?e%Kpl4 z5V)IH;e+iP+lwobA=QE3u?dHq1Or@f?&=3xxOZ@{+;Te@^&6n;eDm!FVifH)C1R&O z*BasTh}@ry=#J?3)uUMgltz3fI)K^o`Z1#QU%VHH6tEP{4Vo{_L(Igy8e>2fH0Rae z3&l5#m`~oad91L%h`LNsUuYF^za9!IY)>EZT_kOz{zDH3THE|3%9w>)eayb*!=zGX zmz+O;*I*@lJU5@u4)~Oz1bdfLsdsGvUk4bP*&G?(ob%wdK<#9U{A>p603+*=;J9e= zigCd3r9QPdOp}wi(g2;^-K$JhA0!3vPnkprNe zybk?zaPt0Bv`P8;@0;;99oD8LK4CKs;iAbM4C9T4Gq7-Nq-F5}M5MhrfxJ~9Lu94* z;Ka>Oz#wqMO|t&b8xXRhrSz*65#Cc=tDe^7qm$nAib0EZ8lG&T&(n?YBFh>)O@wZb zFa1^{?U}y~r!4xrXJEZ;NeU&MC(75O98KN(Z1Qmvx-BvrZl#e8pfOCQUi`^pLU2fk zMX;rujI-T>GYbxXYcoQwN#hV%{gkrx>sx+-M;to zA}@~Je($4{R4oZWqOtew=CA@5_?_}o$U%6YgbSsq)$Z{8{8a5SiNXd6EXY@#`f2Jv zF)}>U2Oy4d`#lY|?<^lS>xB#`A}`*%b89Skzf-OXc?6s+c3juO#*J#i%7V@wnf>|5 z+00<|ft$z+A+~4D6>IDAJ}WzW-3#%vEj9hBMqQ7U-B?n|2F$s)PTxuY#)*bE4kQSU zmDnAfJYL!innGTJu-qiU)T<9)E7B6m=XUH@VC|Gnwj83nu0CS%b`H~oOc_yYyGKVV z(Rty791*qyJ8Yd+SWKzMci*vBh$LZq*8fJc)NX*hhGL=m(&V|2qIFSy)8k z2Rb=`|Gz_$;{RAuInU4{`$w23q}!CrRfz0tYH(z1l3$?lBLGHVHL^Z)e*n1$$$u)c zf>(t~4_zEMYZDJ9JaazTzi*PsUB9{D(E-;a^Uu~xaianD)Tf`Q*4VdKVDl>!&EYiKw{SEFBna7L0tr|Wz(U`Oo2LRs+S8Hu>6dWaDQ zI*t#aqkZTqv&1NLN+C5FqFK7{u-<)zX=9kLrVD7_zH4d*3yd69E|uANII|Q=byA;r zZ&jvt=uI3Q-fLD3EpT=*NGA_yQhI;^X$ z^#-Ka0VV<%#Y4@sj#KE;&G-B)fI{K18CLc}~I(!2(Gbn46J%frTPy!vC7=5nRL zn-oWnwX#upC6WHmO%g(5g$t+bsKDv7#vUsXv$%igd^@l-UIftTg;X8c+WpRv=-7yx zqqHyF{IuHLbF$^2H`quIUCcYddYQoA{SvA_aOF_J#$X13ok`;HT(P+=6vyNio#HFg za}6%NgbTQFs@XDjhd#qb7KO@#t7xPaDd}4Kl@&S|G6Xf#C-3)Dyzg9smONI#*N-KD zs83=>- zb?K@%O(YM5eUr3vx899T#$klRz<+Gpn2FerFsY^n3tOD#+1UywJZR${`6Q^ey%dJ~t%?(6B*j!$JAY=^#`0c0~Rit#m9Ck?F?iQe<2XuQIY%0LGy9K&H`5w)Yr++Ve zSo!<_70EQ4Mz-sc0Gc=f=J+C69BF#Ifc&45J-JgK?z3g2q(oDHsN&kQ0?W^I>cI~Mun?a>0~JNH^73AG zJ6?ny?ww82vQ}o<=x_HbYW@x(g=z^2B&FGyz|?xleziShBsIGr)+sDV#rbZddi$5P zp7V5A(`^6pEnxAE_}aetUXNzpuhNTAW&{1yX7B&M6SJ++D&&4WpL;iFR!qr{;{(*p zU8Kxvv>eByszsn?9O4u`+kSY8H@tU+l*kxbdB9T?t^%58Y3O_8K_Kp5@fb92Q*6F! z(e*#ErGHr*=}Z=Oqk#j$5Q2PXiNL|j;Ya&NjFvzZmsp~wc7!fY<-wvw4hU@Irx$x( zjGXB-jGtbWf=18!54}v5?jE^|V{wM}k#Ehy9OJ=Yzc$v>LLuX)2FFQ3OsuaLKfD0M}nzzFo zo@XD{7Bb0=j5zNk$3KZZ*A1A1^W{Yw-jlg7Xwrx&_r^Y^ zM>xM6Z2Gg%!cAuas35f+pCbux$Zx;f9zUcM_vH!DMUg!&aTtDawBq5I8r-|NJs>Za z<}$xEybG+@$6bfA|M*7&>;~`+TZ=#l8-`4*L~j0wY=636>5#-X`&`+0SUKK*Gu3=d zsgdc%dJYs67H5Np>&ZLc2mY2L3?4wG?hV4XFv(S&c`Y}ZO6|{|!j3YC6aNQ0v)rCp z%Rf73bS;7oLKOG-1An$%4YRuTU|EvC+Qe;%~>rT2GyGKe97Cs?aKDQcQT9Z z5#&Rvj}awBKRRu}f0Wqk>Dl8e2$aGF&v*f!@~xVE9kn-=r7(&7s}Lq9r`FLwhE>na zQwwx{ouNVhE6A@XR<7j!+$-6vV{$wPojUyM>H(Z^f=QKZ5LsRj&Dvu|*Z8`6&GM+I zl@8XOF(nSIS989%Uf|w2XZrs|#xaC~t9&o+FBvKL-S<)dGi!tA8D>XN)~*mYw(E66 zmpT^i`XBLqI5^QlLJat7XS%&U8HL%!LUcaSza{`mjbntoW*-AkEq(%HOH7aZBnoCL zi3?`yilzABP|05%LGQ#tfSO)#qY|4xSJ*Liw*;b+4N5gTD@(zH^-bXayKpVZ>e1}1PZ<|ckU%lG8f?NN=LgSi=&vwL5Zn^uoD*~@E{ z{aYhLOQjsY%wsZEG)+>M7vBP=)Ai9T)Mim8ljYA`<2%s(cW0OXaAe$`aH_-mnL<0B zyTM(kIm}ZeKBhB~VV$*RhV0c6W>lZ)QvKQb1n@p`PnZ4~q14%MD^+*yd7K4_>Er(= zt46XOwxVx_w&5bR?pSky#`LcHC|K1|B!c zZ(l85BU@o2$1<|e138fNwZ8-4aRHt7q%qACAY0$|%O zJYK8SF>v-r7~;;&Q}=&(SweA+%3t48j*F95Phy>MO2_Q3qjZE(a1ycHso#v%m3n89%(r{M|`=8M=8hKOE_dj~x=nX*5kN)Ufgqznx1cV-)7)!gcWqXY#s4g@A*1uUCY8?i`ocYsvqA+}l|S#@FIhj)A$%AnAOQu&gMD=y?ih-sIQEQ&GBWaE(P|PJDp?{+ zt7h@RIBrrV>}Z4Is+R5yj3uf@9*P3jp_ZjI&G|`S$KMt-#lFK>q4v{rIcZDPG%rQ| z+$&GEXtv1Z60>-DdO?olBo*AAb!@!MRUtx;6$epo59FfqO*%V9}i$h-zGq= zoF=;*qswXh8#{~s;Z)RV_@<3fNi^{@ldVW%KoD`igyokcM^_T|+1fkRvO|zORd; zr{YabkCak?-duo9(myNeRA}0`HBA}SI6>Ab&@q_Ku|LA5$PMy2OaKzX5bFvu+m4qh85n?etb-E^T0+>yN45;m^2*4(^Y$ougz$ zX`O{CCl!L}UYEA5Vd-+8!l~6i=9-Rj^~@_X3jTVVw7`=#4}%AZD7@8cJsx&UOOsWM z&au043;eqP13j)%k*zf)Tu!dfk#54auKcLo&HsIx)N>+XIz9DJl^=iO=ZITr zu?dy}l`5e!a_Z#`a^j5EAwVJWN2nGgETzkt$w{M@0-v@tu zRo1R5YOGf-f~;oJ`#XSeYrOC#%I|gsS*x)9JJ_<^HJsP z;_<44VAYf}Z(cJlgS3oRQHkxdT_%VE9Tk;{j`yu`c1b*Y)LFw*_g(A1%#Hp?vl^3W zTe@`e=P!OOFM8ne6MnLY2=5;3lXkLp!!fJN_Dwh#`t8X?w7+4TGr&KUQC3nSt2Pd} z%xlPdUmwsjzBQ%e5g(lIT*a*= z8yipA-SzsIKn);q)8)=SzA|p@*(K))2HhW4v1x$x*_{46TN1}bo0l&MkUze#X=e_b zu@Ck8GUNUB{`$M|z}N0uPT;-J_=EN{b|4Y0RJda^={x`Z*+8 zigt5!IbyUnpsU5nLG|LvCz zsT{Qtd>`J|u|R6A|2YKCJ$3JF=)m&V5_^}Yc=ksF!rik35kQg+ZKcnM(M9D{2xYew`H7SBJh$?1N2`D&ft^YOV!}B9SzS=rr&QCi zDx9LyDxDuMcbH6kcLHA)$^Cq-cTKF~RqVuWg>c%|Ncu=68u z%j>@r_|gb$5)zP=ys!T8;^x_8Rr@8|J*O`ZzscFh$XDR|^4G&>A7eEH9;(=aaP$Ck z42;F{#q0C3_WA*wUxtTimn>82Ql3o_bj|wq%c%gWzYW0rTfjU%CkIQ*15{$+wf#&a z4_60t_6(?Yi(Lz_v)Z0W8~1+jEm*Vi2j025diMZ;bnv*bz3QZl(jqv?cIu2tqPd=Y z1;ZcFFyDZ_D=FUz)w+kLK11C5ZR$GB@9nJ}0*4no_nN4lHW1%+Cw<^AFMn%{hJ&w? z6=B{P>ls@o(lD-@no@0-;EBOmg?pD~Ck~bGI~>J!emY5$Cr#M|kg-R+1p&iD^_GZ}=Ee zy$k+qL43MjR_(8Bk?=BZU_$3B2)a6p9x|J6uTx3B^yYk(;whyDLSC=KRJR3bbcb@bc@fU9oR$83G zn|lb9feikTnv+2p+?x!q$s{67t_~D#CF?w@to4%?9A7~!l(doR&#G>w5eqU=vE6ik zDndRI{k*f9g-#r}H*zZgvrU1lJk5}%K{jF^o9)!M|M;!B)T1gRf=8X*nv_sreKxfj zN7SXwoMAF~;rU_q4|Z(0u*JlWg*q{8!Oi2YSNR(*avd91Asn#RH@cCjql<6J4sJ=2gBo{$R%fvlsIlgXnCeX+&D<{a&uCB$Xjd^{^bloh0j1rGqRt9Xk5HV ze-RxvEPKI@X9*IYAoxplyksaz7RY@6=mt8xAX{?)N}I@blZB9=)L>qIPj_3FDT_WT z)Z!ug@4>;iU3i_K7m|t}bCw(gNI@CQIiK>2w_@Izq=O(qnZ{gVZbmPKk0d0#FAK$f z<29}i6H*~sl?Ptyq;@Ee?{c}GxA{N*NCh8+ml#LXkKfb4T&RdiSaPo@D~PVK{DW{- zT7ACb-nRL>)E$(l3C8JtwhssG(3^Mi+X0CB^bPN}o z17iQOJ?jeSdCg=ODhWXX1HMe&hpW9P(O<+R8LG^{tM1iHLyjKmAX~G5#QRxVWBHMU zF>=M@2KOTEYnPQp^%z^h^#$ucuNlUl%IuBSA)a%gpeTpU+ll$z3vUA^Z)_HljYwd8 zg-ey}*sPa{cf?ZR;DV#lwdDjp;L}+#YOPUbC95bCdoRItC+uHZ0-ydcvk{I)g=^)S z$AvI3Xs+u!$sboL9xprf)o}=`y>=p6P`A;V+?+PB*VihTtYGaO5E$sU_NO6U zXII^kpy8Zy`?bB!_|0B*lA`%I2B8A!+Oo2$wL3b-jU?fURG@+i2VI(wyX&;o^a*Ox z2iNLWeYba4wFezH8P)Bz!fm`mjPr+-nO@x7Q4X^EFTHYP@y-qtrbfBCJ@awJo5LRv5f0d92Ehe0h7Aks^Tq@x*Ed3_ zA`&DY&F@DJ8wOFgLXC?yj@d`9n==1PIb*^rtJB696 z<(hkvxG3+oHJd%pfU3Js5xbe)muJRE$ zPf(YdHIBw8N_52$%R?mug-%%9elm>PTNS4=9#!zfvpS8sG}`3obLE zl4R7N(xvF3lDG(#T0sM-Ax7D{jckMK+%8-Km!sA=IGl4%shqP05EnzEddliL>(3_R zqvr0J_4#nC431O501q=>`eW_0!0R6=sa#5-vf(6pGT!8YWVQW;yX%4;=V zH@#z9hjc#sKEpm@-2yeXBRomrfq~ip?K+vF2?NnDEUeZ0njm9I37XF(Q1Xo10I(R z&4#1lRK3(*fw+!1PO=0#4G!J$pB7u5pyfE~yZRU8bRLvv^eg$+9dy^fxlCYW&@q{w zo*|=1PNLrVqdaC{kwz6OzZCw`dfTne?IWs}rZ}UG??>z>Sze79URAtI&%a^YXY?>7 zxT5>iJC_CO%?TZ*4A&9Ej58eu%lja;-A~^K-%O;~ATa3{jvytQHvit3>n5F#l;y*-_t96G_nl6zRVUclj)dhjp2ldEH@u;lKVIAs z8Bh6yOE=lDVw%sx<4N>x+v{pAk!XFE$Qiw}6yQA>J^F$UwQJ1-S|%>EeD>~n9cvU4 z#9nTv*%uKwYx1cUCUdVDD_@~bkgE40-6u@V*`GPWCZmjRJt!^ATI3SOh;Cx7Q0Dfu zqrKTpJd0<}nE7-37)7%wLvs3t8IjaJkEc}doLd0Z`O*pT7~hv#d_L2pmrSM1jAL_{ULc}>ccUeaD|uAUH_FLm}A#A zwwV97<1-Hw6zYn)IyI{3+eyDW4SRcboU`-uma_>R+>lkEAW`HSpa|P{nwNTFo*9K;uT0~@>maFWC^~Z=`$-9f<&@{VmlXYSe5>!+1yc>E%jQzLu_Jhfm^0+0&<}xcM_91H~|c#4u3#w`oSn(hpRb zV?fCr`mG8lqi*_1sG;(0_=O}NU#>K?}vJwPh4_71XqQ@th54U0LEnpyVj}54J zi~(Iz&^U>29-&UEXypG0g&D)-yfhD-hD}0DXN>b8F}zKTd@Ot?IwyE~=38>Abgq(iz9M5MbB5CsI5?gphn zx}=uw2I=sd#rJ)G*Y%x$V0X`%GiT1sGtd3h?d0{L?sY%L$T+?CyEfH)b(}(1@3pfD z@nj}cUM;?df|>M@>H_|!a;IfphJ4Y}D375fb0L;;nq5tQ!%)mM7i_|Id~K6^wFMGAa252uOA_bdqay+j z(MhycvyNKSZ$gT(u8_@E$opp~kUD!3I|pB|9_^8oJ3FwXhg@$REY)OTKS$m<&kqO3 zRdAC_U~WXjT|G}0a9tvnm;E+khHtdq)OTzZ`$2Oo7^3IhndU>WL__fE*)sC)`lgK}C|7v?MvkSfa(BQ;ym>+DgGZ=e2to1gdu3=g1} ziNsL(srDmD9R!qb$yL!;8^>qSd|j!wF32vA4xydYbf8zI*N`*M&aPqNx(JafV0=xl zVLthYj2yXSY@G>@P`H&9naFwjL@vU-FVvGt??ZO81{HpF4cK(pCrF~G1l|AkVYvp( z%#3cO6>CC&DK;x6^>xV@wdoXS(2rY3{@5qc&*7DwW0ng_OG+w08MjVUwJAEyB;(V! znI}Ts=S;Rkr1boUr%1(fc6_@Uxt)F`STE>^Vk~Fa@OB2S*I~fe)Up?*nGgeq7n)76 zp|g`rf4I|~DX%h&vyCvW(g)Z>{VcRGf;O22-QHQ7EYkcS2v?DbYJojITszCaLz`+M5ns{brB6F~!jI zqhK#z2Hjcmyof>xbgY^F3@tp90&Uk$SrS*e2N_)HD=K=cV+47Wi6%qKNuKjfS^w@V zeq=FIulY@T_j%A}lv8lVPShES*ql~IX$8si$D$!E2B!Ku@_ze)q=c0=Z}&rx#XQoZ zW`8pwighEu=@#^H@bt5_sB@hWxYLGLRK{KuGB`QW zTIUlfr9YSRzCAi*(;Tu{26P#}M znpLRCFJDHZ&Y32g7%Gd{z`mP=$b4lV(wwUHxU9#*q62MVjyz5>HyIHk50yxgmynQd zZXx^tl@XKpW$I?cKa!11Vw3N!ASR*EGOcgsUiI-$?@)?LBFN_q|wXqzO4*?57ap;JJlQmnAVhZyWjKKftg{Yl~rJGde5o>7^b)*M0%5jyyh_ z653bM{h3XU(n}qkV>f5S?Kp!HUuS<~>TjOccr-htXb=p*#E%(<=3DbRng(zNpB3s| z9EO(tE}g`_JMR5qz$*TX-D)lkP{Au91?z3O4#i?%9+k_GP&^;`m^&IL{I4iN43gB} zgIXGm>*YXFM6sJVlXO~QzSUz;>^jB5;<-_gn(Qk+#o_8s0*bFKB6jtCW&AEH*Ws`5 z6N5jf+ShcpI{VyQ#$#`McnjTMG#V`CZW1beDCQwpG+CFLGQtjLsW-<(O7m8{f>rKr9Qf zZ$_`j%3vL5kHr<@oTrL@8#52j=<)GA)3Eujo&JcZWsl{?U%9WjF^1X@tgQ^&=xSL}*^0`4T;@mA-(ZH-peKDx+KW0Q zkN2Wcrd0Xm(txdR9!*2o@b%fwcl&P=Mz#EAo+{8)JZe2-udyGBF|_U<8Ck3oeI-z# zdIuGXWYkk{1qLSB%KKw{mUR?X zyB?bBDXF0-7;;Z_27zqb;WA(51y}Q}myNw+4SMtM+%K?T_tJG37znyO?{uDrJScRlF95*CUV%<|bGWugow2+)Tg z;1Lv}_@PPO`8_6d$z=cO);HZGQbg{vz#;-afH3f+eACExAjAHjG~T^CYCLEOpTyG{ z%Tu(mv627IA!bNc8Z-3Xhd6R-ulA4blT)rQ3*c<_5}4G2G{a&%caYu)m=1o>ANtcNVd7nuaz4}b5F4gj* z9tOxN2N+?XjHHju;}sRMvZ7*+{6;~~q;Yyx=SYNfe?psLyAQk=n%^QaJMl{B1|B(i zSeHk~lNc>Xj|E%-gFqJAFZ0_@Bq-xqB?N{}d>DiCA;-v&OVmR_K+y$(m^G9qP{pz? z7ZqirySaVB#1k=mK$`WS1w8`vS0v9AciGhEPoQI6BR?UrHrl3U*d@0{0`00vxi+I# zk~-fFE`yjMRpR073!M*LA)PBHa@d?tKbhk@{B+3pOyxICmQ}mT;3swB;gszK@gI2g1&$?z1~{4qDA; z%WmCfVCHRqw`sNr=8Qs6SY|BPB9(L_SpCQ)yuM-q`PbF(&I`v^U9SbYz(Z2U_manA zu*K;$j@@FdmX-5!qBZ6px-9FETej-V11wqt|jUvWlVl`QtX~s`zcC{+eFi z1uQwB$k_7{!w9U6t(Rw~>#1SqSKrtnoRd`3hl7&TvZ5CArVAQXHjJ(W?P2M^=44i! z^rXw%1w(t3B_iI6iYH1DDtA!qMKy32uOrP2o~9l6=f#cUck5G8(R%%|S}=pAw7EKr zqk0RNS26}qm`~^_w&1+%Dftt81m1Oz%P;NT_|0I+^{Y>tmf+Wff1P? z8YJj4YUMyuB=eM%w?=jl4SATy6z=$QP{8h$vZ<3#+jGoQ59=(=4cX4+BTuR!w5Xs@ zHAx|z)?-*7yuNDlso2f19*5$m24uCt8z!RU_z1yqWPVd}Iv;hj#BvJ?BH$`T~M6HGg1zAIYSzbYMd z_Q>Uv*HPx-1W)=>$gT7RdGX~$^q zOc?h=0ZhpzSNXzifoy25`D!GX4%JqnvY>Y>iB#cfViGS-rU)kBebY|UvMlr`apoPR z&&ud`RUm)CgPk4lnXxZE>bbm5u~o)-1vdfgpp3bk^GRrk*mbe_6DKf3GxSxf`FqYi z>8am_X1M^P;6oBD)Ll;!B?ZXMUu|5{0dzMX9nIMA_kJ+s`7 za&d36(+C$65=P!vNzpkp5BI zn5Kl$DX=e&sZ+0$b+X4G#xx+RYJ-v*E<5|@vp&FtNpgupo+(?LX!4v>a{U2Ql%AiO zZidMn@K;xIM~|FxVVHf~v+Hyrv@XNbgmLNamp<3OD$qYy&-%#n%Z%)(~i9RxT>&PpLynZyp@q_&`6-A3V?p_QW6IywxAKABhch6Xx7Ko9Pzb$P3 zCcK^2`#P$eSLo13ALH>4qhbuU!s?7i=$u3GnC+ZC^ezrdxR`qL%!q-cJ~M4>lzPM4 zdcUyPA|%LrV`V5&DMrShe2l8b4-V;7v3#3mQ^V<=CCLy`$gzDsv1;UWMC~~~N{GFz zD20R>@0(p*N!5^Hyd)DTCQ1Fb~brzpPvFokfS)A_;beM+dvF=f=XHTTAj^v z4Q2AYDl$e&`M5EAQ|8zZW0DCxoT>UKi6^2Mfv)($>I{4(Nl8n4d{UHb-j4y8;dhOY zd3%KX&Y?PxtS_lR?lftFUspJiqEyOVD643URh(TFs7mi#&r#-gI3q%e&z`N?Ne{G3 zs9EzZFXTRv;E|9VCv&ecHKx?Z{Gv1zaRmzFQjRxC;OFVubz{*>?*ySmn z$C^d)TOr8S+y=P2p0qW3xqOcz3q7(E1vb6rw3lpGT^?y`CzegXi1x1Q0%$gEdpIX0 zYzYHppNJ>ZlPBt7TaE*P-kV0J#2i0Jd9 z#1|w&`}A{UtYzCrmFdLI%iyeD_tL7=R3-JQUMhk)N~pf;sj|%ue{qWlk57&$4METI z;90D&%qXdL;DVSD(2|mnh;X@yF)|CsU0-$*M5V}Eg`NZQSiq`W2B?dMaDK=JbT|R#}Ot+B^7tub$Z1K@8?|2N{{8 z<5)(fC_ciNm>Eb{&k!gCMkv)LTx7qL57x}KE3>7>-{SjNrn01VymQ{x*NZq_Q5xHw z5m|1G=G_8ft}*4yau_clw>Nsjjl*8<7R}vttz|uJVxy*Am}ZbSNKGCb=Nbcb5cVq< zHf-T9%1hk8*JdKx66qO2FP}}O{n0pe;33*6v_+txRD)8>yc*+`&H8R%P`UNKom~x@ zp@GxGy-9r(V5d>Tot|b0t=Nl}k&6sQdSvd_Q9U#Bd-+|F+XWW8V!5tfUpZ2%bM=^a zU9T=94vzM%Pmh(l4GyP#W=X-U?zeOiAI2~fi$A?@t8)pp`mFMLo-+SVC09yr_pY7B zN59TUwBGWtyA4f;dBstNHam=AZ*L20=uC2r4`{H3YVYpGXerct=^B#N6(|_kqA0LW z*YYq*Vr_?aVOfr-M5lfkNp#XLm*TWKye6s{|6(FGxTZ1qNO3S%a|21rbQ~Ht5pPTP z9pmHNj%_4Dx;29^_t(ou$TRmD_ujW;aWG zJClpsVl$7L$kQ8Mhte?d@k!e176y#Fm zYKpbHh#d$dM#Wl+Z$e_rqEiW?I)JGm%SCHQy&NmJ*SNkOttFon@xw{4>q!JY9!2UG z_7V~gp6ywa@m0B$T{0H*2F6@u9WIp`1r_UePgX2Hj&Nt)ETu)=F*t1!HQuS9^>wB!n^l0nx z{n%C1o<=9XBh_?}+GU(LyQ+(gMRC*K;%vC01P(Ws>YkScVWRaKieg;pL1{48HVwX) z{&pEIF{bRQUBTIi_ve3pt(I&kmGEu$$m+O?uwsGoAVw>LW=Q6DL07inFORvgqTqV3O2ZdUpCa6GK~nICPonqS*~P{nM$x>4y$rC3B2*`;%#_^UzQpgV8Mr}$Ny+5)OX-0#5GqAU} z*VM#bW?e3R-}G?xkJ z*Q8n?L3{r|!JUAX5F;pCg8L{9kK=9A?b$3mpuUU*El;7%?&NINVJL;|(YyO|aj`+j zQ*(23Nc(H|xelAY{(f{~0iNAY_w;~mUE>!@A zp4WMO@%*2)rkx5aba7ued1{bbQ0;t>|6upvpmimRA43Aypylpr2b6*~4t&~Xca_rH zC-;NDFK1najN4J_y`~7Iv3l)KCc#C$+9N%$-`qw_rADoOTcf#~Pg%Da4H{f-uTH^h z6tTVng_)yCA#+?zOiYLmQNu4!Hd;Z$A?;-ovl9~&phh#F@71e7#BVY@gs@tN1r(O1 z_pc#s=W&PX3XJdmkYco3?afr9w*N}wMDcv$I1B!U8>fKyDs$}`Y(90H<%HuS)yocn zYS^{_VWU?KcWPHMFU3N2r=fDON;*xlTzCITm_jvzxP(N9_Y|(J-PG9kG=-J^&ldKJ zFUS#!^Uwn1Nt}{GD?3ceJw9s#1)Ap1L6LcRIL$9-{#_WdBKH`|)&KvGNxLRbl z@O?dk2PZAvd9UU5D=)rPylwrF2Egf)9(O5?tCJAe^I zN-0u57kdEdrSd^TA@I@CZd!L77GYTT0mR>JyDjL;t-o z-D;^~=GVzgR>)LwMCdu;@Hvm#j_T4DuHg>&?jzSZsBT=Lw{ueNiuFJX#*$U9B+!@7 z9poIuP_a}Cz1pH5i>Sa-Dqb&4^J-DlIru4X+V|sV^|zroY%EedIBKPwR#r!|3j>pa zp_&?XpqZ zj>WF-taVfRZqpd&!=wBQIck#p%0ZzQZ8k5dp2(R8sNR|-o?Hz3VcO{C*AT9P9|&Gj z(dRaZ6!?wKjC=2$5OFp%G(02Xt8(3$1o=8eMMcuYo{u}vmUTn68M;RHSS%TeGy5lYr;nyq1r#2Z&A|I||nnle{ulV_* zcwC#N7UFk3RO^LYy^bL!7H$x6Ui58U*)A-rd6ZRE&%@S z{6Isc5jjw7Xk^gR-EwQf+3%PrHFNOiSmMRIX1wu%G5KKIwx%ES(|L(dIRzBE(?;Kj zuAa3xlYn+rT9(=0)+|a~?|t&hy|T5gb)_x7m`byeESHXck0YKKPix>s?zFWy2`_|Z zSnfWu7{jcuc|BOGjW(O#kXw18{oTU8$}fpYww1@0!;Z55$6%BxQOW2R-)3d+V(>yP z1$?jm6zkPy3V0s3T<<@B{9vr7RP@g+_Yq*Z20yt>MLvQ+%G^Xyp+k&)7MOd#C(aQ zuw3U8EJ4XIS}>(s#aCOBGR9Ql98X(z-nT-=tl?1M4XllR!2NIJwUt}78@kdRO+s7W z9YvI$m{{$!))(NKX3v=QT%seSwBdPqQ_PszbIf+7x2D--95vrl2A<2~>v=@EHYn{7 zB_|EX6-<t-8N;R(U6FJ@UFoY+q`VPJ9*~xc}R##)9*R9 zL#m$>L+3SX91(e5{0s~`Ae8_ejFB{nZ_s-&Ye0Po`YuigSuE^x4^lq(A`vgU&jp-a z{ldg}`#Qc8%Tj-HVk{~~_^lTE;zB~MWK|6}W=l+;mMoDAP*6zaBs-jY{C;0o_k;4t ziAgbRrOCb-*|_BwklEJ%4jUVU!hPqB!M*898sEHxh5e>wt4+oQj_fzf$LU7LNFdFT z`4=tj)!&E|Jf5FE^3KB;mM31bX?D5QeRf1iX5H~tK>8;pou27AGS$JrD)Zj;`ABTU%ob38}z2FTW`BJ3e?+|j}+rKOv9*mw#%&2B@;_W zHsC=BX!41987t+`?wy^6Is zyIHG-U%zl3{qSr9L^Y6K4{VdCN7M98Y~>Ko4(8`+lQFEXBG^TZ@wK-jE^7d~i9>-_ zlg_YGu-{*9WJw#&+Zy&(Nh1IC)1nnk2;pInFFcE03tNM6XOLwAdg+XP$5>4!lhruK zLtJHv?Av_?i?*lSiTOCLWn+;OJ4BPq9{CJuHy)%+O@}{G0G~PtidPjNZq+Qm&5*#~ zk&ASXEvTXDc&+gC`uR|@P19Ik4D6QMi z75iviq05G%=>$j*ZEW^v8sYt9LImj z$*xe9*==|$6a!Q8*(&-%oufWiPNUraxPtt%}wf%}1L0`i2H78BGnSt~(@0~EJg=WQI zjzo@kk<%{Ir}*E>NgN#oUCogTv>7#jRed^T-VjKV$z#&=V$f+%$DC$N=bY71{i3eq zfPrI;N8UHW@0Ro=YYGGm+y?NZJ4Xs7KE6&-s?bW-+PWM}OQ)-DWbpJZ0KFb>{xQB= zDqk_sy<0+M#-dTEp<8J*RyIOg-*qX**N1?M}-MIswwQr6WsHJn+E%WSWe>g*dg)}Ovy?88YX=B6hakvP=`I)f8vwY8{*-XK%dJJZ&GN1xkJKo*3ef3md&&bG# zhwyHKhIJp{rJds1!7O26)2@i)<72C_Jacn%GC2s{IopTJ)fhGawB!yn+kBiv z7{0iFw{I342f}z91_KGFB=;T4*Yj%u%Qp9@?mdMkI+4BW| z;TiCD?a_-wKFE6lsE8ah)MHV%78w!+V%>qS?ZHmGcyQIjWBO)2@b4qt2hG>iZ{U=V z@Z)_|Np1N*w49R%#)J$J!WywiXISc?WqvqWjMWmy_2UPm?9!iS_S0 z(|--gD8^GO{=DF7L&VQ*-IB@n;^*eZvAU17r`!C2Kmx3@A&=TZHbMP?y*;8x=_so8 z2arWgzh8@fZ~hJawPsH~wUp4em#Tf);-3Jm!S<1dl)>kJeanei_r zltgWBI__hzG?Foom01NHlK^NNaOuP+o~3cxNRW?A7VBYR$mjs#=^ucEe9S80dP2*H zh~w?ALJeq#30tAP%vv;3cqco4w7^F{tYHAXsm36XQB=QHv?VEqC? z3*Qr5T~E>d4j-*@z%*1lfQ%#oN?KoE-w3Y7{hM*5z*5XRG9TpV%|e9-2pt)&eSGk# zrLX`U^JWsBaRfMfz^(kg{HFfO(sDs=GcIOm9@W<;CyKETOc3!j%J%aOu2+AyIy*bR zal0af*^%RKMnE--3-j~q>U)BoO{DSU`ZTEvu_+hV@}YOPP;8XeFM9(lqRxmN-nq=C zqhtE?E-vlaA-AV(y4*3gr$fU?v;6VXXyeb?jEM|cMb-lE5-B_v3dhHvBAnF?hu<9w z0##!Jkd>SiGt@Y6{-Oa^kUHAsg@aZN?i<;lrafa~Hsa;tT9|IRN$2l!Q=tFwANB~I z&rw9^_COU(%e8B4r!qaPZp94t%F+tmDLw?p}F!P8e!!E-gSD-Tkd3^_NU_-Lj_x_>>jd zt&D(Ae5QlVCpIN?S6?!jsQV}3!1Vu+r_=%6{i=B%o*Q0jZ2W;Gc9-usrnu;JfqH>F z{X7nH*~Q|1VVqd5ZmzoX%P4f_`n(7tH+4trYPn)Y#)27wRl3o-p7lu2y)kIop#G(8 zFh0jy1w}=)p%WY^ToucmHc>B#*D9~^QUg1jDm@BXwO#oS=~r+FRzP1#jEL#W&&++{ zu3{HMTO|t3G^SVSIf;lAlqRB9DxS=rD2xl^{vZHchKln2<4?eC3pgjeh8BIz{`l_Q zYiRt$(JXp3y9mM;KhQRue;U=!4B5F%B{0AvfFw8@e^je)>#v|jm*7C}haYbO^QTPH zvo*146OoIJBi%Q-F|)Z9si3|R63xWvhET@W3@BB3#SdD#RoF*{d4_ec9_VGyxV=c_ z$%jI17AK8B`3taSq6Ln7@|kNwLsU1Q)qtr>3rMyipr6W^@upoWI`w?NX4S({hU)BHb~ zeM|E41nCjQ1b%<%pZFb(B<5XhQrPUgNVPW+*1eknjIW060{VOW42ZX2QsUJzF@o@E zCygPy%}pG>Dd)l`153cavz)QR>sG@bcK%sqEep_+fn@>gO*04SL)m%wof zfGenOxLKuLq2MUvrAH+^c@b7lA&z~K3 z`i(con&MP}FuQIAyxJNHp|WIYS2UV$B|1g+dLUx3Zt5#-@lMN<4#$?&OqCUo=V?N| zR{$a|3=hW;9}tlHgo2nI5d?zeQvh8S z+W6qRk|ELQl@n?SIT9vY^tA7u#3y>6qU?P(@bU7kbL{*GcA*NDFuG@~QoN!>gd3lQ z-p|A;XZ`ZQDp)?2Bq3AFYuduG-yn5HfQ=|S$nYb|uMtzAhyt>>Rn}GKz!2Oc4I{=R z9H&P*9dO*aSv#b_mQIuOs^*Yz$0cKuKdhA3K)@<?@cX6rjvG$liu#{P0X#OgHQ#B=H{jp<=d`pCsn+ z>A#AFl+P&uKjGDaCh|7zv6)`hhT>SC1grDCbe6?7 z2;dx;7(a0HbecE$cFo^XB%8G1ldhqMH_ZIXN%EVeO35_~yW zJc1w*ks|Ac8}=k~FfvV^ILttKk(oC|TRCP(r6+8lYwfL8IHQMz4JE>BG)LPIQCxqU7% zrST)>+C}NOXH6DVzYRSLCTG;@^Qz^4=nJAcn5PP{Jxwg9e^HKVYgspesvrRw~untL1Q*U{?Wgc zA%PTNszfS{>-MSoY66NS7y2ycH%uQ|-a9*dYLIch#6gKj8VgE$>PP6;Wtw4c%_B;w znwpi!#Z-uvnC?2=lUcQohX~ZJwvWn^%{x^>y(_$4-Gg5)J&W0Y$RNM4eTIptX6s&D zQZcB?7m{tOaca-sJ-jHUhSh8esvVGj*O!-Yvag1Eff8bM%U`O$P)<&!?dpga&i6IN zZSJ^zf`XeXn0D zqf)Sx0EC)bJXOuf=Oe!KhG~{)Ns{_hDO2Wa%9ab$o6_HbznY54s)lo5lBg6KEUq)e zROBWW1k;I1d(QZ)>R$5Mdim#n{=5kxfRN4$y{)KFJ*>4T@Ko!r#1Qhx8xVV9BDAcopZj!(1a|9-~n;?ybE;#I8^ z{8;ANM98&;-4hU*5&Pe~dxZoM(e?cW;2V1$z#o=RB(R2&Lr%<9Eqw?8E`a1@{nP(J zl3?l-{Y4+p-tDsi90l3xySwAMzAq`BT0Z%Vd5nx9TlElQWV+JgK2H)jM_MIkTOW}< z1!XvC`1u=4OVQzuq4(oOwcU{f?mIPEVyAA(%IGuTNe3bbxc7IbEAQQ7Utq+t+JLf@ z^cM69T)|!g!zSwh+W1b+`o$S=Kvh&!4D(UIkhk2WdKmue1XHVmbzQAOAX_w?-LuV#=wUFnB?y9~(9`i0$P5e&?CR<|TIv3KR@=&niz)%$4)tRi(+ob>ZD3Ju$!!F{87TB? zr)Pj_lBVMUspK0WUbDQ==QK4nHGY6*R9WzJoO{8?8Cd0RLH`c`xc)=(_lN{hsp|@4 z+g`+H-B7Ciw*z^K>1P0_fQP4h2z;dFerJ_gXg5a#+zWH>x``wbl9OqY`!Q1^PQgh^ z>0C_zyD%&~983ueg!eB3KuDk{2ADw@2*6;#z|1_D00-ZrqrjU(k*n&t+JhPNkn|;( zd5g;zTxRU83#FP+pk1ZYopMbAa3Z6XqWUa`4|rz*Xy2?+pr*M;UbPSM5+3C|15uM- zU{4#E;(L)!0PI{m8=no8c=!$?^8|O{De&MvvWn69Z#$^%VA7Wq6d+|oaNqs=8JN5p z!EBNwR{;qAehEaTDo`t71ero0$g;8$qUy>0A9+B|B)lz(!8NB;g}m7^id8(oX!Z=0 zoEgp*Kk^_1?dhZd`h@EM^SVllp_=OIffP21%Kr=^jI{$T1{vP}qdipj*{8Kg@I?-s zx4$@szzRfo2d=*FO~%sM?lk;cGkrK1-r55OkH5$LEWm3m_JB3;egydAZ^1Mb1ooKL zyPejz`puE>eQ^{98sc_|Bv)B1B=S5@nn$y z`uh4^_9Ir+hQ>yDd3iwD`|-6%SHn(8BXB`eCCXujDV&^68G%{64{&d-U3A?XV8NTU z2G-@B$zosq#05GzW~C->Ag8qlT@hM{l$@X69hk~s0V$dszxf|JrN?Z~Oq1(}6X(GJt_4CkD%+_3pG3E;fdQt`)LhlRis* zd$K;@y#5QA4ZQ77{O+wE5fQV03FslXhal_Ccex|f$nTO$?7_vK00qbWxq7fB{ZA*f zYW=6cQ~)`1reJO*CME)F%ig*2-#^O#tO=ZA4^r2`)0RS^;^i4u>qA+8ft4@1r$j9u z*7Eo6Iu@k4r>;y}WbJKlA7A=_;o7S;>&1%hJ^|teJNx~wa$pUFR~*#P&_I-wvT|@Z z*xK@3PqmOTJD__77i;VT@D&|ybhCVMv;x1L2JvSCof@(CF59Q}085dXYakYfgm1T$ ziHL|0CG%8hU)a~`6{tt`zz+1QtzXW74M3^`;Qg`LSpwvbkMfg%Nx9aZ$tJ!&>%4ZPR`B?-Uos=g@|u*d`e6GmZ@O^N}>F@11u%rEjQ`aIAKY~k__n1k^$+dt08`LHwgA>29GOmLy z0j#=c+j7PG`JyT+DJf}WwBY~u+#g7DU`vEsP-tRh;AN=rk0^e?H^CVCeL#Hyj3x8V zLxPC#)PlLsU@jGvl^r_xU+d8mqOOBQFH(4TeG8@}%YC>?ofVkariz6I(AsW3S0v(z_FkhFN}CHU_& zv#tm{2F)T`Mn;7U@t^QLK!%CKVvv!E$)L`W?Eajo0w9H(;Dcnk829~<(*ynZ%LK?m-Mzh&5`G7Gs82-&+>AE@&gyZ5 z+nm8WUvuP9wc|Wa_>TcqKT_(Om8Inc5KRs42Zr!`3{q3@#=e)8If6Aw=bE(#y?T{rN`e{s;H5OA*wOk&*b3)GRFMP+Nd~&7#!4E6w}= zy^R*WyP&17`6tWsO}Wzb0C9SFxRL*@>-`<~Zb7+V&+UTmGqbb)r%t-Zs3&dz?AwI(0#IRM+txQYrO?}lHlFNiVPjt z*Zlw~If&A+&^ZIL8AP%pf`ULIUKgM&DX_45dwYYZ7kG3=)M#bf{oTUo68p~1&PGQ^ zfw|Eei0AtY@PC8V1m>%rrsf%FJrZWZU%kCIH>XbtqJ!pwKv2(Te)p2^-=&$8Td%gE z@N3#=tHBZhLi`*=PwnjNaNtLNyLBmpTdZ?J!HW?g#X$b(chOE#qEks7D?>^R9_rgq zU?siZS-da{gDD4n^TFb}KFPP-NQ`FXViqZ~q#U>`pj z+DhDs$?p|+bTRbQU}1)0+SVW*z4j83P(0;32?z=r=<3RC z8|!WUZL_XU>w5*c%WQ9N2mJvpMny$|Mi{YasHr2KK<;W*R#s@k`qqx8rnLAn4E6Ot zXJnu)Eixt4KKO#Ped<*YCs|i{k&%_f9e93madCKfxVZS`64Lh99UNePb#fXFnFh4Q zAe}-T^ecC8aL{p`)Zq~Zs5cocby%VaO-@cmM@PT(5dtonlS{E|U^*YWMi77WeoDBh zwbe*pzvCTY_tC_J1`v5YJu=y^EjxBsZ&@2}k893XAvY%%^S`l{dHlS*!d5P7%}s1= z8N9rC`T^7KK#a56kuQFzE3?hlc1ft5^H?>~Z&9@+Z7Z<@E|=H~w2C%B)W z${#kVjs(GYs7HcLKvxPfBW1tbcsU_cNRMOmT}zy-lb0?HPI78GQcH6)-2giY*LL|HY6 zgs?Y?8Q(|JJDH4LK;=t!EerK)(iivG+TK&JS)tB&#n3%2CS=cE=s55hzp5oYdyFW~{ zZh#{myiO=?|K4)x>h0UAM|DTS)L*9mbVYmS>s#dwi)S{UjS{=#4xWh{cy~hLy`_7u ziLgbfWhloC( zjD=jWO$-O94{}(|8WZO8EAJyoI2Z}Oq)6r!MwaPg4+z>wim_LLf0>c@*!X?Iy7|5B^Q@h*Fim)z}mE_d2}7bp_ulMQ+PND4I0nQ@z+T zXF*>{oU*AnX|rfm66%v zy{Nl=K1Q0lmnlY1A(V4Ak}u3a$Rfv}4FwI-$Qkq%n2_%<;Vy@?OSnr*aPajBi4^Fpx+q=X(D-345nY;{lj0rz17<;gQ&x<`xkSu`m6K~@@Dc!WlZpRA@-U?1`sZNlUhd0Zl(*lDx6cHC~g_ zNER(+jApIX*5n1fY1G9XZ|1X|RKe46qvZ~LP2@I`7gISZ@YLF4sQFCNhI`OqU*4bg z^oLEH(1KG;L`z`1{qmgo5Yqq zxQp{jtWzIUe$gwnAmPb5L(hPD6Drdjh8Xh6(hplfuKF^I=0M{$nnmn-E zi6f{*@YIP0R6D_e2ClajJC$&)?fMgOJGsMoDdPzj(fXPr`8C5hTmr55O!(9}IV5HA zMp4o_zgZk1CS41z=l)2%%T~=(-g{Bc;Yph*v8o7LiHrys?*O4Rb%WH1*sVS;dp(x| zcY7K*xpWYr7*b2-iPjdvwtej~SY8APch?=g} zMq-{t3`c%?iZDY6(N<*yr4w0pv9VJf6eIb~}y@1Z9sZBt=UUn+9DTiB4nPv6dVzOWpvxU9LtscuObg039;gRV%hG!j2rUZllsWWY z_7d;seDaD2t6RDZ+$=!bP}x_+oTgJ=gksPXuZk}7*YTQBi&n6#O;o7Y!AXgU!+PP2 zQ}BBNv}N(MCu$!lva0}uFwONSmk5 zdFD25P|xH;S2j>r>_}XLl)KxB4VQM~gOjAbmrXrpRXpQ7V?_@|(7F2GO}=9e`l2JI#%FGan|?*bY2`5EScuAkUn+&2Z#5>&dxoPU zhX-4^s`u~gN+uj@JZ2Au(5vj7Q>!{mK8*YG<3_EQ+BzKR*LuB!-ye=#NuHxdVzu~t zVr>@tyfK1tsIE^oeby^dwqy$0it}u>tt-;ScTTYq*M=mlaC~w_JHdUOtS*1qb7|2C zPo#;0g~41xG3**=I)wn;MoJ^)FYr(mz7Hm&WM}+fRFh>A(7>Bz+vTg($2*U>x|T_O z_qOOga&O?pQNzhAb9I-+;q(N=C|Xw@Bqwr6c}oA?^&6N}Cmm!GiIS|B!hqjn#v}Qo z;8@YzO1Z#RSk%uHEHc36~4>qAp3OP2Vh$s7+3eSB>os*PQ>F#&>?b*+wdHw~VYAFl8Svgi>pb^c^=K;LNyv(31e>BY z%7cZ^VKF(Sw?4`HAf3nh`IolJ;>iYcy{{!dkkg8}jI_F{KY=YJ$42Rp< znsXQR3*fXp<`=SY30INt@HgsNFm@44xZt^5%-|K;l^JDZ*INXzte!^pw19M8PM zs;=pfd!A`o!%?!9QRs0RhUx-~ivFuNzfpXZ|s=0mkY zznd>B=ypM8OUMz&1#|G~(iay@KGc%*Ji*a3p|;>Uwp$;+hJWvh@h$s4yVjRi-;TGo z7O`~c&hs0>J?@1G`R6HV@5qDb@LASGx9oUb72Ruu^{0E&)cqA zNBIhYNf#(gObqz{9$Dg3>*B~=oCDKEJ#)}08d3ZB%koUHwHEF{xa?Aj^zSn5Dp zr-znx9xr$beTjQ{A&aoYie3tKFC^=JitxqvU?TyGM;q@M?`m@h!F+E=*K^`?cfsd< zKW{VZovE0AhzfQZ_noG)HzE)CEu0}1Z!WJao9{40A`WcL`xI16Epk-#Vq&zxD9kje zF@-J)84aP6cdm>(ko(XX$W6~(r1KZYzGV-@@ok~n>HLC1E4_}DU&wcI1lXmw%Y3L- zWy`>q4fO_l`*=^i>N=O^_gjrpQErPtx+k)qJag->s$0o?G(#$@A9?_t)aP>WE7w2g zXlvTyA?%*0>0($%O4qHl+j>IT zbM~0Mo~nn)L5tTL4!x%07=})jSQtf)K(AjsTZNvYr)pgq2YP%5rJVxpGg&qS_m@vE zQ19QCN(_J|+GZ+&FP(SP6}@&6enS^sfPNU?CN#fm+d+TxwVDL@b?`}asNSB=Orl=uOiZUE4U&tb(i zH8uH7b!PeTm%RS~Pl3k(@YED1)fBx+s!<~+LfT|y+3inX0k{feA`&dleeG8NarroK z$9QW>)4O-^KcLpGTp;ZHTnE6_|2P!=@1VimcxnF#fmuJ)K=K%8dm}ppdPK6RKOQvo z+~64H_|{A6czG?o+@^*DXFHrXJiL1{H~-C}(I#u&G4z{oVV|L^vP@5O%2H!;2yNUd^rCa*KGmUj zs)5iU48n)x)x+PAe+~w;rhi=%pWr|Gan^DpErH+=my_lYV-d#>vt;JnI9t5OyvIVS zeVa>Pye80{jYtp@6~;SQ_x+~arP?yJAbXIU+@7EotxJW{@Pqr+R-fY(1|-*EM_?4f zNk%9Nl4H^_EkEo#w6*VsIbyR^6Lwto%20OBLLuoAQp;}G=5|h8EqakJ+ec}CB{Zp0 z@afP=ZHVssuJ5TSB0__Rhq>)70|$n0n^FRS>xlpv zv8e?-&DqM3Z`GYaiL;ex5c2LB(0)qSB8?)pziASl^vwRQQRw9r$5=~m%Gd7E`k9)A z1@r!1bwWZ0&tyC#+n$!3O5h3ks>dWq1LLWEeM@PPy6@ZMGnGKV;P*b2Q)jeETobF` z;k@4$UaUizo&xEUO^(%~(4uL>GF(FUM_l%xZ~;doT}~YwJ#0f`SsLO8`Ch{wa9DY+ zjsgqCEL#cOKa$VpMKM8ZeYeM+V2!2T43sw=h8ICPd{N1vA|ZT7s@8d9Ex4&W zJu+dmw^lkxzwWgg;Cv>^F7A}XS12BCDzuA1su3}mx~>E*_Y{zbb4Z=k6p>ZaHTk)Ya8; z61L7}_uBO+-1-+MSEuj)Xt6-nv4)1EG&EA$4@3)u3-db8_EXua4^OmHoOKW#5z}?2(&-oQVepT_7{^?%jBRgbSw`NeK0nTC;ED z5V4ojf3em2vng~jl$EKG%4 zPyBw-eP8jjs;BiN8KvDLvt^fVnwe^$&fDU{?UEi{R&>VXhC8dPLqyfSWK*})adD5S zPHR$(9lb&MUOTg7+;48Fd~T37EgS_FM*5;MTrVA)tM6(VR0M`AkiIC~^_z%M1LEJA zxpN4~0`n@#yRF4S+WFH&Bk_ux6L}!hMC%NFD{^u?p=RWF<*ha0FggD|43_Q3Xt`)q z;*~XaH*4T_w~dOIfxP% zj!w&NuT(JW)#_5<6tu*gpSC`fVQr}=|4IyZTY5a7$GUH}=K-oRN1TF}%RF>O2}C6; z$yjp%l1=82ggHOxrYyXecFQ)$p3ihVDmZaRglQ1vq#yIw>+iS5WtSq(Q6K3*PeX#Y<`0%lUumsY|Td1rG9Au#vp1?9> z$6dxcNfy5=h7~Kohmo2fN^_=43>iCazucY7zhaVgH&@vg7~ZO#vq_r?X8>b^(nfhc zz}ZLSbe^N0$*{5v>+NmYoA@wV2vHvrp;*_!ptGtchKz<`Ot zbcD!_8$x&GrPnP-$zn6^sfd9X|m|g|<%k_d1G0^i?YleNR6c zPcWhC-Hm^DnxO#2_~u3>teN-oRNKedWP4{@zK#t5F~b{V^lL8!k*#1IL7d8(VsnJ* z?#iZ3UL~-JZmP0IVe@-G$JciF$^0#Gjrj+^$INnt)3(V3_vgsgbFjCbYgHCLE`|iP zMobWt;fvQHx?W}o{`muveaTF;N?md!SqvxJ#&v8*`v4i@W`Ok#Gr7JF8iW+JC zL;^6*p~NF@_|37;q97BuySK(z!Pu z5;J)YG2fp>efh);L|t^;7>B!K_D4Mj^|Br*8q*x(?<{uwGr;W6Chi}iy{HhM*|-M} zS|{Y+%pNycQ5%Y2JsrAp1VDr{V3pWf3#JIH@@5tnh{!D5y%zwF^VXsM`i!}+4+I`j zPCxK!n*attM76OmvZ99yY3<{j?Eo1We6{)b{>}^Q6J+E6gWSzu=z{*9F#2DCtNS~f zzh5!vr%7#+YVW8)S2iVwa2hvp+L+GsE9lWr%&s=3oKc;!Pd(aDB{d_)6`Bb4I@v(3 z7gSHWiLha2*WLyuk^EUc*Bb=<(P-YvqkBtU`zN}*KKC~sS6f9eTfwnu*_eGs?C*z1 z$5I#YZK(cW_m1REEeM^eUJu9r z^4EG9B~Xw%NIx>uDUqNVi%@sm*f{=ag}HYRGJCy4#llD2GfIAkQa-%}hH&!zvQ6B{ z7@trzZ9)z=2y)X@?JKwPZ?peO~v=?9W5*)-&45g>z5qenGC;0}zPa zwn$-mjB^Vo^kbIT3OY_1#w`(bJDk7OGkFi*Ps-RN#b}GUK5bquSTXzs{`;3crpKw$ z>*D#6znR0>q?TqIY!;4j_x+u2>@H<9#PrcDYW^pzVH#i>`j2Z!H7096clNrAkR%){ ziyD;3xi#&%e|6jt2k;wPwej*p6?GSa+Dc4f)fgh6MHw6+JJd6KtT1v;O56g`3{T1) z<68;$JVGg$dIe~~r_B%{a_3-rdKwm^Bzl!R_SQJ|k+sI?*A|CS>M@^KL-qBLHN;*l z1E;qA0YJJ~DvkWKrkI6b|Gi$SaLTzJN6xL0Iq$x*Z_N)aE*Lw$I&-|AbmtlGGijxE zH+}($he$KleY^$WjeX{={i%dcG>atabNZqH6M(f+*7rru*A0S=b4RioDY_aFA z>8On&?=(lS5>#l8IQ)_5wioZBzxMtCED%iV)b#D)ehgEYQ0U6&tKYHm?GCL3089m? zj3cgli3Yn2WH-%YjYYql(!euP`cxJbA*WyT_dUiDE#SjM5VfY`%{jzkfAP_9QyFRX zwddEus@ivmx@U;pk`L5+d2ZKIarSssM06}lBXiSQZ-2_PhYjmkvnEC_r94vmX(1}z ztmBYb^LwkjR8Y`Ek}Hz$bnq2T^_P@msBWdLIi~~n5<_P?J^SC|af~pXXj9l*wLj{4 z{MhRJYUUXBmh1kPa0YJ-k8uDxWewD;fFnUZ4IvkOPALJr!jjbXrs3Qrk<@mVkmlo% zPUL-QP-@h&MqQOsQ0VuwD~I2d-~umYW{jy^!>+OyApd{_fc$8mm`AT>&1w&hWy((N zTW1C!jejQ&__Kp4nrUJQovR{>hkkdGNQ-2l-->=;7qxf>miHx^6$AYmpPm!J4{2nr zSm`l9vbkTS8aVZS)paEy@0U2Imdoh;;N^Gaz8rdq5?u%UbkT847^y25*fcR|Sy$%) zHO(D_iWyy1gX}Sr#eBfMFi0=7NPR}wU#_m{6SCg@?KuQp80S;_eji6X%0>zA>w?OPXeGSGg zanx^|u*bIfs=|%6E|=3nmN@k*n-eMvvmGL`+59hVbG^I8jKb6)Tdv6#E5gfMo|yF- zCAe3TV$RpiNWJn?s+2~W*-4hVN0h4*`y=;{pnybw6Yv@m#JJA$!sm)AnAS z+Jr*0T@oSZ7yimS?SMxl*hF|!{^pmE%t0XT7kj+=l5(0gm6m_wXeSH;>+ZVh@#zv+ z5CtQgtt9v1^g!Zo06ONEo6_(OMSE3vAqm!D_cDQnqzE}o4XMJxz~AF=>s{jFfg&Dz zJ>9Ru%3br7%4v32ZKVj4i(kzV{xns!tx>yv#{Z^gf)A(o6*$q82$XKQ4W0*a?yi@E zL}z22i>KC$)t-dy%}pSlnXW<=PwWBhf^t9xFF$ z6Z?Gg|0){!-yb*s4OIRt4gVXaxP=D%<9^>?Uv+4_=xQ3SulE}t9_+7GP)+T#`jm?v zwOz7b0zafBHq&&%JK9S&Jpx?PzWE=)Xjq}fHP**KZeX?Fw_E$}1I&%l(KZ6_>(y#Z zi|Wuon;Udl6MX?(T%`*V&$j|X%`a+rfGY`2V`pA~Q52u#%zBmBGvjKdUj0re>DoZR@`IZnYB^Ea<*i}2s-R>e<;B*W z;evJLI})`nRc?oNMP_?3Sub~;O)T*xPcqospskbB>EM)S?R!>Zt)C-L_^KM2Ru+uq z$y*isj}Ab7Z__h0GZ0i!ykpfo2Li8jEvXZ6x7{_VrawF9n8BQ7ukGkqpSv}l!8;`D zu62Hb>7{jn%VtM?D}o&e7ht&sbqsFEotO3Gv86>?QLu0f^C{cSkwV<`F*=UYWtwJ+ z2cn3x26+2Z9|OZl_FEuUWgY6o&7?t-!t0(aw+bh85l1&pVgvt4R;L5c@l#nbE}evX zy*^K7j~PPt?G6^L4wHlrk2+!%Q{J?vZ_vUJFK>cP>2!OIFJv9pM&Dykw~tdVZ*%yr zvM4OScjL&d<39s5Z~77IDK@2J=GE+V^Im~T*2^d2mq5@mo7iMsQe}2~BaU%TV<#Lb z`=wBaiF+dcDFWc~v->aa$8Q9a3&RqMjuJ6T#&OrWN@d{1%U70E7F{4ZUd??UChqSB zz|wC*tKJ#DIhFGu+%_`(Qwm`O)9GWw^e9gyT)1h7C)xy*F&hYvcY@#!m*bT_VGrc- z#)0a1ZrZh2O}uURy<#`R!?%tHQdsTk4R*BIWR5C0b&`lr4y`CfI!MY zhM!(mfy2E}$_vH&&Hoxj8UoOltZzpe%7rk&2hH2L|=;HCWr}_bjOn8nd zGvLfafNhG0^>W?+S@QnBj1m8o5t!@j5c>T{G_E!j$K(@6yq`roUF_E4LH~P)psU0w&fqu&IzgFOSgzmDbTG+D(cdZ|@IjQC z*}vBJ{n>^8^SPIwWmd@_32S4arHPIs?`7Ss+pF`M%S3G^JyZxP3Q!jN?0D{Hyosc) zvBOUYlk9qxr8cjPfNOBsa07;rGwf>Ep);w+Udv_F>;byee^MHR%xX)_pLfq^uW}g< z)c|rmg-A+F$!B+QP=*mccGkftpT{XDc5iO@G$Hn8HUkSob{}y7rIYqK)%}LLC{Z}b zxM)~mTYbU!5kt!?PZImsfWB4TQ{?^f%Ur0I~_>Q zOKdFz7M1I@g0S?1_r_LC(>93J`iueG{rySJ@qCXwLfKZJzhb7~2(VQ=x{5+O z>ZARH!&2J->caKMRJ{X0n4g;8eamv-kB+qFq!XgDq^F+OT5uMR|G{~zAIn*AJ-Kd% zsCen`WPMhqkxr#pu(e}MLjKYpqzQVHSZ(KD!q@z1E&luLTt~AS!?S7`21S+czOH?k+#(2+48yEu)%kl(1dyOL?#XE;J1P?1cdj;gY1SVyghLs?F zm9r_^ISS77`Oj8W^W9AW>OfLXE(9BXppLgR?C0ncvMVkc0HS>(4JaRyIbdw#&3gk! z8_Ot>sBm%}v1WE)rl$P#MAO`*23=6O2rh3@50|!kwp2FFF_X=dkZLOSf_9!}Xl6c4 zd!KdJ@XAT2>I$;UL`@E0?_`n*3XPNi>J535iGn(bF7gLuNC%P#X_#E64;~OQN)Pjo zD|ewfILI5bWoQg~VrDE4$hdR5kDFEBDK_hkRy;9Jo`}hdkb_9zm+9^>x%}m^tw9Qnn~31~Kr7MZT)o)sT~EE+W_Lm)dgb991T&i?{Gg4SWSYOzpGV7olV==aah zaCa_b{im#P`Zsd~y-Uw!F#o+f>ZoqzVJgEKq`lbxExQxF&#_Kg_c2Lxf>wt4WTjET z>IupC6!^rVS5Tc?O2t9ku2m=@6N%=qAlJfvi*eqy{6$9o_#o(E;cz~S*C}-1Z#tS5 z)9XMI83?|1R5qse`6g{&rK;1nSo9jj5_^6L`)QjwB1Aid0P&fujK6&(F{ed=W>A;Qmrnhl0~pSx7zG%p=y0twSEi22e+PisTlbkuC;Y^65dla{4N zW4#%l%U-AIG{)x{}$ zM-BWR)z0HQBgy-Fwmcm3_;vd0wFV%yh;Q|)FF^Y zckBrgmd_2MVAISHy@M!pYC&+#thwWU^u^l9@tT`Q)^G0@UtN9L_^)pN|Mltrtlj_L zWze^q_x?~;SVI+@0XwM~E()l+k6Kx^=(xs7nVzZ9*%9ad$cw-}jw%_Si0?0l#1yT8 zH5jP8mH=B~TUPnq;E@Y7KyX*dedGTqX~$`2Qi1glXr<0*n)_Jhk5VJ<#z)n}jeaTz zd+Z64wQ4&*Y1Npe{j|i9CWWzSS!IbV4e*T0LhS4aD|M={JrR&_lwUd7VKFpiRHWm) zpTn7%c-dE*!*hGjItFHcP!7!otS_mU#TiQ#;LEd|V8)Vs*2uekoy+ukKXve`zgb|s z&utPeEEtS=)6$SBGT_6ttY{!wWL8kzUi&&EbX^N}68h8lZRRVP(|qERRMD3&r>cI9 z>Gev!pRkVYE`Jd{`oPEOz+U{B3(}yVtGiu^HoEWtwtNmfiJtYLwjqrng zX#kN?_OTa7oWZ9s;7Em>^Kv)+Q5~(x-Mv+)2%loi2CaWcuU=4F#eatuPwu~SP4yu4 zdYmN+rf*f)u|D50fgcRcRb=AQpK&a72b+u8|}zeHaChE^6|Wp6vSnvFsP?i|9@|D1O)mk83AJrU+Y-OzbX)-oAz*oKPmC*pz)z#dgIh7h?5_ z*2SVH6aqq$p-6Qsr1(u6*besgIWT?8GC*=cr#)5o#Moy#J|Uf?nm(6-mm!NRy{W*a z5wmh?sptD8Bw5F#HTcMdpYiy&J=anL*cvH?*|gUzI_|}xH?QD#ktmqiB2Axzf?WyX z7B`_Oflr(OyS^$wDys#RBaT^h7M5i^Zo@$;#Xjv>C3DaHNeluKx4gZIM($}s{zoFK zk?Lx&m6htM{9|f)Ini&iJ~}|+BOn%g8R@48=)ZJVVP$6Sn4|dqH4#{2Vj(=vBIgTq z!%TvK2Bms`Cwx+4Rk#Jx$Y0K{t8!E&hX9+cN+r}g&-(jFUwnS%pW9XS*C6v$-1xX| zYAhq#ymf55#~`2FL3Iy`V$W|qGu-Slt`S6reGOB^GXhUgkWNCWAcLSA85akUO~y@RU` z{AYPM^7q$qIQyc_Yf3lT9-|X=>cO8gYZiOFMyZvo*zthcX#szy#UGAN$#GTNOb1La& z=y2AY2-7>pH=6Bw?>+ad z9kiR~4Y;xIc7L2I&Gxpklrn+XM!JJ!atZ9ci=i1~yzt#f`!tF{#xPkPp4AUI5CJ?U zfIvS@L$^c27mNKS*vh#ZRx@e)I&j2ZSAc+=3`W0JhmbMn)o&3o9j=8tSDmj`38~nz zLmLA;AFmlva&BVJ!&WPhEn6>zFbjcWc_oflJvUy|!rPZVbXX33BLn!dzh|=^429s+ zL5EWC=F6`eLQN_S@a~+h#;90+6x8&;n$Ct(*xf@)(cbpO`J= zowHUwg;b%;?X=&bgd*S-NW%+h$&*AoLp*-gt%Fnh6{vJEzF>12?_1dElO=m*(p?xTFKgp0R|M)m&U+0dCEXiuL>q2#CoZ zO-I65VlU1EvfxegxBgH3`T3R!jtp*C_)eJ%sFrI$>#gb!n#SAdTl?BG%=^f|-dfUiN@W>3Zz>-rGao=`6Ssc4fkYzLo4ORisM85$v*kTL=H(@S9d) zvO=TQ#3%ETx(|b#0T5iQXD?pbFCE;h7n{xFaoUR;A-8)YGpcH++jFzeXi;!Aeg#W| zN~L8KT=*TB?3-Khgr727Hu}xm`ywZ*!+Ub{RHW4M}fEEUxd~|8Yc^{(BcV+c4J*^9AgWy%9Aai2B;@g zKCu|4oCi|v9=dV$13^^bxLY%|gvYej{q(oiM>hEkY4ZWo+|+%*o6x z7Z0=R$+*>!;X{Loa|N)|g06YQr`G9jd#Q;sPA1R^z$u@GUHSkMU#`M}fI5qt=*v^pxE zG=MQb0dDS~J|6?qwAWvkx0?V|yph(#rC~yFL>3k%M|WdHOx;*Aei2FwYLMBB7rSf) z+xr<|f?K3MhxoY)j#zie{VJ=QQn~+*mQ-GgaH~IsSmj%q0~nJE5d4Yai872k=vG06 zv|Krfd`U_jNHy|SC(C%WfmB|$DD}J?bdd$6Qte2Lw}@hs;!5ctA|s!ly&ELHwpdJX zeaOrat(E!$jdt{=AD7bhlQ-x)?4%_}CDeti&79BCp*8=5KmUaxcZK|m;Sqbhigy0S zkW&!N9PNe>G0O*l*wwKc_XER~(S9uHF!I_eRKqH^B9lYIHL+bS{lg%7?y~b1&8QoH z;U0wlG&>1Ms;+vdF#s643O;>icio+4VXtR4;#!ZYj)xYli|Uwx!6;JfADa{y8&+f~ zZfF3&VT*Qoi1oj>f*~At#jm3b;P%L+92Yw{vU*|X@#A5RKK_Ga5QI_rCb6VS8IT;A z)HD$Aex1uvvg#9~PV*i$r`1)&`#6XblUAwl9>cUaiU~(exmj-OLo!^oP=08nnSu>Y! zq_|##q?9yFFYfTlQj-MC8a8YTAi;;vhvWYD0!hA6D zZiijjCm^=637>x@k=E9iu?e~J#vfEbmBHOrTjWl&(*aT&L9`Sd;P8Zuvw~aB|Imc6 z)gX0Xb%N?i{~%A*^CZU_m8Ar5;?wYo!F!-oO3zI+|Bpvx!H^4bghNr2fSms-a_}51 zRqu#lUf<@t3dPGvzw+6Tt!w3&xCD9(Z=td=vCJkEQ1Pt<`ScaN*t|bxx%pq3U)G|K6Y6i{$#;-RG&PKXhxRjNTlgF#IKLq za`q^G;Ua^Jsz!7l60O)cVc0}fODd!1aVlXL(A2vez7biPdFtMAv76?wESvw%Z+8tf z#@{dr<%Z$kl$PtoTKeO0gMX9#XI6w3jq7a^YoW#C613F+rnI!OFshhWY;|KAYKO5_~ye*Wz-8GlVc_ixVT_ycv$l|i?2wPo#&%b+VZfT{hOONc`6`0t?T~$yPr-y2DW@9PV`%PH&b8qVd4p)9I z*BD0TOE#(~CJE zWx@z6T4IrhK9IUUHgz?^SI|Ejx=;8gvziJl5bi_#TCZvlTf_u z1D{szdy_X+cTT5t-_k(jl!k>yyna`98J_gQ29vp(mSO}^`Yxxu;05W|lj-s>#5m{5 zJYQpEwn)wMJ--&2j3e&q;j!{t^dM{}+xWh6U>AJy63gwkvInc$&91xo**Yy0ExRU) zU}~!IJge1N6||nE?OJym*;+dq@G^4leuzzPsk29OtgMo z9gtJc|5hzJEn%`8Kw%48$wwF5?6DVzGe`zs_{F=%mq#CohB!loQZX%e>AbmVl|=s< z@T(`w%S@CqoB7G}bQ0n4mD?vKaGvCQEx{2Tm=xn>FOsP5W0Q7KA;fwjcU@l(+Y)tkY4^-i?N3bg!P6Vo+9jwL;)_xz-MgTH+hKYhs)`&t;ZC7EP z>n6+Ky+plVx1}&IEK%Y*KHn&A=o_pm+MMW6&wp%zP}SxJlJ1=cr2Kb>gr5^zuQ$-S zD*;(kb`d*dIlki7K{N)L-PavXPMAs`<^;2`viz{e-gHmsioD4VTkf2XYFrKXMxEyj z^y`(<8_m|`jWWJ=!=!pf_XsP?Pq!qvqhfr#nN|)i3?iFv)LJ03Eu*#Q#8Nkeb#1yKF7e)t#j1`-`clfkwEYr#k8=*)gIo9eccvo@ zS!mpJ3OKlC)wAi;c1=Elk~BPC(c?W?wYkUNP3-wpNf*yOd}T^zC;@yr%T3xXug=#) z%{#_YSn*_blLbf5ZRShl=}z!r=Nu->Sv23l;>?vTRI`nPD|R(qX9dgqm5*OUix#Ak z8Tts4#}d}P@|{lMtb%Xta z2m2gNxYX?PD?_|lI@&V*>Jc*PaC!}m*>~vsAaQp>Utc3ZsHEJAQH4{RSKiiZzg)m2 zRL1wEbs0xqU{6sOM-c8QdUVl?N0GnlL>95tJ>Mo+*LiC=o=a4N%;pA?d2R>7hDMP2 z+5Fe+73{RA{2`f?jH=a2+P1-EoO4Wd@sof29z-2oOQmNC{Slpcc!HHbpfEeGmz-9f z(t5KO+Xc**6dM-5G3@?z7;xf`MR`j0wDkdewuFK`N7qVx3EHY5568%u@}mtsBR6w~ z-Q^@SiYC8WwlTMOF{duV%o^x|FiA^BR=nN_NqIMA>ji$ztoNd@K)=+!jUi46|a1V|9!D+O9C>+Md{BEA8M&w{U zcEIafJqAd56-%UI=D@NrxwU+%@5?z5m6I(AL$JNbr8P=94k%c~WZf7?AgFauY&mM{ zJK!y2kX5OPA6qgqcjpwW*N`Hf4kVXH-6)pa_RWZts!mLJ!3ayEl}%l)zc&vAFpG+W zZy9sp8V^A-l&#=L5~91q_hPcQ6os75d=l6CIj(CfNWZVar`tPsc`)4McjEZR6P?|2 zr9N0qTksD5TR!xDU(Rw1|LE)kFpY`%YzroG(fwE~H&8irMBh*b&TIu3YhHE;>)M4Z z6u%mfFjslcPrLE=l+W{PzX~r;)X(tC4_1*MEqh^Na71S})4Gn2+$7n(s_^0NdjvJV zN6KJ;sMODynn`3tYq=EC042MXB<5M!7t_#d82;>6;D8V)n_u#pR1*NED%SXVxH|4I zFOIJ$b0V5J#;R5(JQf7c^A^f?_3DtzBWnc*i6%c~0Ou$P!;I^|_Xb5jnU0%256;{O zb^OHLU1Ds@FQ4K=ppNZ1aabpPbqMyQJIBkLqyir(!=Yf=bm(kkG;n^DpsKxur59Rf zC%{}*?HfQ}@#Y9lyx(Rra^Jg-Jj`+P8Roo-NZFWjL)eF1Lc8YSAd#eP5q71%2-4w| z5gncBP6^At>MQY{gRU@SO1E>Ey);~?1-ENDU)EP&ldMkEJKL+BNGKoA+c#3FKOmXR z{l&p5d;n%=d1m4#GGp&39p*~3snqBOM;_vo~ zAUtYqU`1E#gg;q6l|Eb%>OBxQbJZAY8=pGXR9O{y)E?Y6|7wMtb?g@TI(NJRWib^* zO=Vd`hRU|S6xCRU(K|`}ODrP%``rEAf7gkGbk`1SXQQ@!COW#hfa9=#9a zPJdf*?n?0%7~9u2%%h*YJHH!0$=Pq7^oVh^Snsvx>pPu`L^B(`Njk=UKadD#>qQP1 z(vIL4sL2iV-m)!jCZNe&L63c=r;*Uez%*8v;ZxUR>G z_F}&VnW1wlA>G>|8xm z!N11z|8BOZ54w4j%qN>J`-*OC7O_QPCKeIQdBtY8(vp9jNE)qHnJ;g3+mRwJ)(%7n z&DXysCIlW|IXh1eIt?*zGOS!`s!xF$_pJk=_`|t;Zt0FoYXyyjamDuySb$t7)Y4YY z4&{0hzDiDP5laMW`5xPR96aAULL6&rUt>qBw#r#E*S&lUgfl3Z;>6o4rvxTDF5KJl zCIE;zFzc>9+~gsC=UKbnx>fq>sqXHih0jGN58gVyZ>_EG;&5C2Pd)ONJbdFI!7OhFk&xSYU?T&QC)9LW*!Aj zO8cWPt`6fYRF~>g$>)l2y%+Ms`$S<*`Lb6EPZYaUt#r^O$txYeSq*xjt|uvH7>R|4 zVzEn$a{pKcy==Kfee8Q5CKICX6-7dk5!)TvZp*6g&!v-b7mg?0u$iwON2ILjs#E-xANh??G6tKa__)T{6Wh!u@ zLtuGRi$g05m8Xr8m~R-fxyFyOR8{`eq@v!PL6AN{4$ka}inj94^F(^oOQ({w zQ@drUz9Gi7I?!P|b6Z1V`dEPpNPO-&5b=B$Z+@Yk@>JVzyFCb545QjTIiUroA81Iz z-gh#oEz(~&*&cDM)|<|zDFVs;R6_VgeQe45aUi)mqqFv=`)>)#v=dgYBt5&GiZ{z= zxZb4j+2#l%v&Y91dm`5Eu@qbi#X5N*iN(sU%sqIqY}r5VY$K=60>12BuZX%PR=GsqCuVd%igW4ColjL16Q1MJC#tiHI;Pan%mb~ zj&ksG5&ZNes@t6{Dof}We}V~qJ1=Is8Z&j0Ch&Dk5kvUIm6IFD>ITGi3@aPrFkz?BZb zV?%%4t_hXds;qTy-zDkryuM_!!s{p0W>_8o literal 0 HcmV?d00001 diff --git a/doc/images/plugin/skywalking-2.png b/doc/images/plugin/skywalking-2.png new file mode 100644 index 0000000000000000000000000000000000000000..f7d9d4ca0f489637f2455e79d4c33abd4fab3f01 GIT binary patch literal 30629 zcmeFZcU)6j*Di{iy}_+0MyX2Cg-Q`Y1W^%)XaWiff>fm_2*?&hdQWttvM7QGQlu%x zLT}O`qJfB^NRS!<1u;?rLI@B-k~4#4@Av)Qd(L;y{n{Tlzn_M+vdS!Dj`55!o-xDE z80u|Uw{;y456^~^Cr~ClJikIbJiJHN@_{oMMJmzYYmJwQ-Z7rSc8PIt@T;@VX&oM( zl9=@?7k>lCzh66H<;BCZ@fG*q8iM=NOFTS&8YfXYrvA26)?myf7mT#;oZ#1ALVD*5 zAKm8h?7aM-M=gvP`G?7uez!O=ul&cvE|~)@$>Yxo(+eLI7QT7&Ccib1=&D>SdfV^x zc~RT^rd_`pG`zLl>-y#8^)*2ydCz|r`;&T0S!DaA2-^TPAu8=qX(Bof z&!)n!U&C>fOPGci{P#VEMo=iH?HTUcvJ(W%XJ<^s)(4ftY|qcmxpu5>yCTeZV#7e5 zJ9hD5l?3QbUpkZ-3jG59@-;%N0blb@chRWV#I@*O!GX14mK?+;*)10@C$e*jgr&hb zo_$i_V&s1p+ zBc{wvX?)bKk279=VWM1_dfZwx)u(ZDl*AEd(BG=<7$kIeaLRCJ z29t-=Uq^(=R$^;B`UxW#dmL$QLA$`geS|SOan(9uwmxod`Om7{$5z81v4rUknv?Kc;jgJp#RbVf+4zIKp^s{+zzd;Zidlbnz>brW&UfTby;&yjh743vOVAewow{O%p=g z^0F2}6zm5o;d*`5M``o^8nrB?4GTz_%zPiED>;JC>b_w6564BoD_+u{n^3(u;$@|f zwq53d6#Eo$L|UTLyPQV0GfGhos9K(7&sULfxGrO#O@`?2bZ1nnyHT&Q_RPfqW)5U; zzE5$X$i=ERleKWt<#@p^ zdO++MENJ|KH*16@l~8G?0694l>@!liYVDzN1RTD+`A##xiJ|iSr_Y^LFD071%TV#C zwboQqetua}Rap9t!)dkXvVr;I3d(bKz7;}|@XP$$=7`RvYj2v_iOC2RGrP>rrK4}A z8V1V5CpuzJOd<=XhxUjHmNaP5>@lsnv#av`<<*8gP+|DIo$poJj{9E55}!inl9#ABkICU31 z3Z5UQGs=cnhWFd&^a}Ct=!0cGFQ1SSp@VigeAcEThT?|Rq`c~(YsB+aM(K?o_>JfK zW;8xsTxhYwOWW0^=(x)@qJO;YSsoraW7Jf#jtA$z_wpl(etBWa(x!Iug<10te&IP9 z4%v4IL@@mrlodldWjMHK`7^2Xe0Q(Z7*V8wald@pgZ^9@`)s-8AbEgLTU}!tM*85} z+c4|uY1g#>qq4c5t(4jD334{=fh+UQDCG|AlwmZ-ep2k<`SHWQ@La!_9swKWEuP~o zTbxd)sKqE9l#8ZNDS3h$d-uxtRa1gT$TMbk%j;ug?erLLR~p(_4EHA?yU8I8i`+1J zuQ958eWazi0(A9r2fBCi%+~kQ?;1PnERzz~mQ3{zw)93qkQ?WIaP2vD8T(SZYIv!5 zIh$Uk&9DthnUu%2f*IA1L8H|D8<^cK4=3}w2?k^v{2{(iiQ9x`YG5&fm#Sx=erbeZ)K7G{Ys!o`v8}!9H|8|DwIm|hiFtNd&!Qp9mnIh< z%90MfYnbte2l>`YX@s0)x`p4gQNuJ?s5wm*_PCw^_12hV6vE?N$msOc!lIO6MUZ8E zZ{O$4a|DT}BQ$^(ezQ1>nz~f17Og`c<7>(x_$L#zqA63QO7v7Lvwr+kSPKrxxZl!i zaO>r<2Z)j?#nH@xB7%}_#z$Q9s&tV>ZoQ(FB^ofBOQ-ikZ*G2e4MPTTbbK}wBhaXe z%<|wYaYTSiapYzlVDVqjJ$+Om%(O)w!G-m)$lR`-&p&c}+=lo0(!p&)?2#w8Mze8> z$Y1j1tAClU8_jSu)Go(AWmG5M#XP&sZA7R zMZqtlU{Sxk41>v;p@QgA2Sp|F7lnNz!&8_HjO8K22OcVel(;8P`b*iZ9RS$$R6PJ~ z5WFNh`8hN{@NGPwmCN<}?zJs7;VlmfrG6!RDD=Q?^QXJe*XsL7hrVyrq%bIl zPaz-988jK}Z7>xTG(M`9fCYkF)TTt1lU6+##J;DERdOQOVM30~e_aMD!!4(O(@E>c z#sji=ik7CP-1})@ffDT6jcaU3#uAq%KaU-^*_}PNLs*bek&>UXH1ulX%Li8fTnp_C zHm$=-|W597O*%frLjT%bIS}bi{STE z>cQZR4ukoZk|t_6K9v^RUV5dAuD4r$6V#nJ(Gd)9{s=S&&eNH#lRy*S)Q=foAW?MR z^#tppn3RVhLH19OqN2fWFB|MKNFOTP91*jgGzellM-@W$4Q|#ADptKqc50qYCeWVW zCo*@WB)@IYnjPvgJ(aJp?cC(KGKD{UK6Yw12ih%91$EcIvdhDae|@;T;Ec0=?{xMK zZ4J+L;lfX(sH7UC^!6F=7u}kMN;XRSIO}PA(^$9tRVxFbBQ>XOoX%+0*JU2Cbk%HM zpsChN$Y7(|2=x<;)GvV>w-ISx=e+82$dfiKuk>d~*%1p3_L27SD7f4WbCS^Hgi=h; zz+jb>*aJ618nl5TAgd=j-E^tmpB=t-h`W<5Ad0r?{!j@sp!RM0Siv#(azuB(9YLk5IW>)!?IvRuj!pSl;@~UVCpAo&b?Zpk=0|EWBhz)+OQb~Q!!q{czQOe!8IcRVlT;>Me#2FA1+)0gm^h+q zikMKIGfvU-)uNe9r(f*ocEE%9RCxTVOuUYkj z8Xkw6y?5iiolrHW9FF8rfPK|3dYjhcKpRG#i zu)4VKT;N8U*HU%MmEst21aCn5<3+OCxtsFI>!UHOvfR|>L$%<8Jw zSGENDhvPLJJ9XtqH*}&L2duU+0uN9g|mIfxkGX7&%Xq3 zhFCFT#uv&LuRK+rlzTtC!88~H-EeroaX@NEd{{bx8q^*fUf%k|HA zwL7jpeDA1n;OR9y4^iM&zNS^2vT7XnOMOErLWm%zGw+cdjN*US z{->P8A5BY3Gt(o;b~k?Xpnv`F`-|=PAd|X-O+lvP_3MG%Fh&WSS^1OmW!Bhdd8*oO z;f7B5Vs>1YGd(DNQI?0N;t?$NaOsLe{H7cqp5vPwQFRvgdw`Kuh=A8b;MCGHGDLgV z2AdX6~4V`JMKNN!-xO4+YUa3tIiJwvhGYg-{o#GBb`uz)2LkfkP zqq_#B7tOa$Z*R*hY^a4~DMxd8qB7Wkdd` znU7~xpL2~;!s%${NO_>9oe05@nNvh#o=?@IHIM>6F-4~rzm^AfTZ$5hF&Q)D7#hv1 zN@b)zw_JkfdP;$s`5Sqt)C$o>+Mcm1Hf7q+pGnQ}$y?ZFi%^klHR50HDiS3(ZO52z ztcy6dW7}(-|6yjJIo~B!QQNds!=AQ;gKuusojCEE4yJWU0PdkSN5R1y5=+W)@!vPy{TtbTA^+6;}hlb~bD+Cx%u}RnZ)&P-aM7k2Z*F_^Oyhvbt1g zMb7paJ)`93^RI-F*OcuV^3#!6Tdkmld<`wFTUTbfn1T_+H9S?x_KHFdnPS_T#Gd6v zok3knbb4Q-TCJrllyKVlpkjrQJuX0Jwuis_;wVP>Y7rV`yYF4ju~z8vgBc6=BQ`y9 z>mx#$#}LJ)C`C~*5P~p63C;M4p;0T>>-}dlmnX5TA`2XciL(obxu5s%@JU~aSkH0h zF|j7%ol<&(V1AW_om3^(sX{faNI~dL*hmyy+s)*yRg+2R;Af`g96K-c%V3$@V|96G zVA3IDgEI^^4a76kWGUCsC?h_#G~wa*uFc)W0Ef=>kD zNOy(J$Zbv<<;bYgh4#S~%qvb5TyyiXz~?8w9ryT*zw`lD)e0#KBrIA5>*8x5XphbW zYp%mT$B&DT0FrQGXpPkJoRLu1=L}O!egb+;z^6PSr zSs*(5umL!9V@b7*FbD)#tF^BCv%3EUvQ{yx!gSN6$%#hxZZ!VWWT4aWfrACa%8bJE z@lp)+9OmiC!pAWDOxHv5U7W0u6Y?sw`q}J|Ew<;rQb&~z8t*@q35%usKHGaF7gT6KIjWH@J3bL0FLVSDFm>i`0IZy=A8v`9%y&_uz zjeji%HR~XDtX^Rf4cT83LX19yH?5AQydFYje+2At2DLhUaC{alCjL(^Xw3@E$`OtD zX#BTplCwtRCO*wuc}Tu`^!GRVzxg%C1AzoA;A4*3UL zW1W6|HQ!I+?|!l=z?JDUyoZ8^tWdIrylIfhDL^04q~&GNo2e9 z!L3+!^Y9X`JBBjD9-3)O5ZHsAbZ6lvX^~hNk93bC?aZ37nhuFh)H}NcPLJ3&xvVV@KJUw%c&IZdw&UC$9{!Fb~ zoRJ_6*lf~Q9R2H*P6isKz1=AEL-3|&@Rx%Qicm%U@aYJ6 zK3ITG-^^VM;qt;8L+)=vfQuW=gb}d|bJ`KGb{D-W?4DZ$oY$%p37gzz2d=jC-KVDG z8M{y@#G0UM_tB`J?fKxD5wO!Y;dymhVf(V;4k%)6U+4}|1eGptL+oPh#4TJIwhn3y z{+d>CT3zz)XXZ`sDblFnVr<6wag2Qke8W%R1ufevnnlYFF&W5scDE=pKTyepq`qTU zL;K7T;a?dQJCKI@H8Ivq&6-jdM5lI)|NHT3LziJ^X7xHM#eyrQg-Q`?t8@!X;maU4 zutDUkKC!DI$1yKDSul!r!&$(V#?qG;{$J2h!+UpuVj5nZQM!PcO|r*Xrk74zL)1}UEm4oc@k!r)MEDqJ zh6*`m$7bRj`Kh`oa!>;z)iEtKeY`l*epB`#bGcCJI(m4gZHt>B83k_x= zo0G2~v8=HAVv7SZnenGr-)Tm$`}Rh~4*vHx;naI8)?ER&3UxwuDoc?VV==oVWkb@U zg+u4m_PHmDmS`@t@K2{`i=MQwx53x}d*xl2mrhv-@OHF8#HK%SYY>F;7DT~_$FgZD zI7Z5z$lI2p;wq!)mr`(?|%Zq}Uu#WG}=*}UfGzSUUo+n-rqXdjg zNZ^W1%sAA6mN+=9Zlu_eA&S1qRUp>ATm^F58s)vgwrf_O_lxfU@5BO+cXvaHrt~%U zd%?x2$Z2n6&VHz1&xYu;_PF^K{6cKGonj30bW2R4Y&3#+wns~pN>SRCFxFvUp>tOh z5nD*Lx57x-j1M4lLf8QVF*&S085gTS40ps(+&Ma~1VJj-1>{|d`=w9`d}S_Hm{#sf zKO9IXQh@9;f^iEa13+y3o<+fqRKf$<`x~hAXV#Ym-;x*O(#dyATf91lWH(n<0?DMs z&ZH#V@&>P~$kE?4h<_*xa{|MljLWq>RufSu2s30`TL zBDht$2)?ep$48{%OLy{R<>*}6DShpB)v(%iBbS-lKfa0+X*ym<#x1K?4&@NiX3m}) z^1+U4k|(>o5~Pgu2eiYfqzd_Q?XCu!4zz~uIVn2|r3A#oPIjE!%*>&^&WJG?!OVrk ztRug&{kR%D%`Ik=O$_Vx|Z7=fg=%cYw!b_r20!U=yu1n^#Qy+K1y(K$T*7S&3{Po*)&N5q`X6XB|Jf+(B2+g1 z-58doKqHPm!TzR_IK})UT7^=Q66QvR>nA_kb6!o%&JthNY*aSNCGZovT^tzmhw^6f zj)&B}TDHET*Kv-Ve~9286(-wFY@T!Oj$84+@?4sDD#Uj7y~1}`pkHl;#s?v-LT1MV z-%S4Dmv_DhXI#IqOzvie_0PQ$%sn_cHe)W`O-whP!3kHANy{Yd+LAaZ({kMNgJAj}!>zz8cZ4_2`E(rQ|C4 z=swAtLMMY?3^mx48ec@zI9ziCm1FkOo)JU_FuTQFj{4b=p1lz5kXB>6*y8T9l4<$f_c2(^cZ|X=3q9w z`;4wL+YQ=ZO@?nk4hYJ;saz9Y#}2{h_eLZVYE zQW_$=yJUDz-C|6IukULD2`%$>*wO-Zihso*L$%XvtD-Q1!8)*47(qW=s4TXXx$6$| zbd6M(V+8Ez^cSYQ{Mt#Q&daYMnBBi|9E+C&Ks`96eAon0QXE{@MlFY*^3M{wm z6-$VO(X;!`_kfsrq5m%KTnD-)bXFPSeiMM2-1G+2O_s#mJ1|F zT}c5hjEHB72%^AE!wIF9QM)_Q>6_|M)I%7Tn(CG-b#tRkksUXZTsh+pAp6MvO&5`g zPT4ws3foD(ZEG0bZwJkewZ03TH&+3!RD4Wl5~8!}ox?f(cs}OIGB_zgk~oIy%Z4pw zly_+){T-|?n4=^*l)9hta~Lm>Od_XF%+mSXudT|FNy3OHbk_*)_rkl$QbyD6DrK2@ znn{1O!%0Jnr2MFAGc@X>wTAq6l~4haJ(qmVQEy8p#Ss*`pxMf`A3urw3n${A^%YQ< z{6B>A@c)InjM*5SU@Lc9@9#Z}jyB2#5tSw%fv~@8-qf_T?lQ>GFr(KlvEt*zk5+PB zoijq4R8&Vk%zChr5dvM#8PcX1L)bGRl+nMOsZ4;q_sRTpetw<0@z=BeOAiWzFf%c^ z6Iq<%T=qennHiGp-qAh&^5q@ce)L?U!=tmld= zxYbnzI1^yh3cUm>P;X|-faCaAD^&VwFae`auooBZTkpoGgJ!5l{&*AL`CgEj9>o9i zyC#>>h?110e&BKTE3U%4o7NODR~r!a@ZIvG6)MMo>)72nd(!8czqOX8|I4Ex3k)6l zIE%mAPn&&dVRW~rmVL1gD--TJ{iB)x25_WOb(d{|;8ik3yu%J7rSjUw$2Kooc%0T?V)F6sW;;S@oj_lA2zulY zqh$1Xt9ubKml;88-4Y|i8H#4MOY1RxnTH!rt-5t!epU9XY|CUFQ_+loZ|sf;E5baN zPoUow)6BW?&Pe3Q#VMSx54{9;053q?FZ*nw?P~F z;+FDUcW#I}#`X!imXZ)ACXrKgmP9>tRUm4P956uXWUs$=PKr`G{eF&lQt1H*s4(oR zkEgot+;A^Wt=LsLGCsNslScA5OVSR|CqgBf!^jF3Bqw&kHz%L`IEESFIGc(h;bQ0C zKR+AD9kNFi83FzLV^l$00TCxXA_+eP;8h{^EUP^S^4TpZ&Fae0$|x zJ_vwZBueaW#a<~ zrSXRD&Ip;qlNr zd@3$4wwT!O+fwN;T#nU#Ay171&CBy4gyXj>xNT{PDVu(;U#Yx0*`v`#T_5&sru0Z9 zB_!PEdpx^TBXyo#mmSY--|&HJd(-reOjh($LYim@;@l^Yf|bCt^U_n|%_v(Yd+zU! z?fblc@xFeXZ%uScd*0;XA@!dE`7MmqoF-P@^daZUg?PTpjOE~Kb_2L_#ldKw*p(`m zyYW|_G+G3uoM>pP@glktKDea_)Wau2TYc5FoYG0NG>SS&d$BM+`o43&kgeGl9saX8u(QFDdXr$;a zDwN|GU>|}>j}@E$%sX7gF`X!%Q8gO33|Ou!I>8>O#0ipkv?U!b3|12huPsmg2L-hn5A@L5%$p=uywl?dXc*(dZa&!K$c6=)+c5y;jx3zCqfDM9 zmBf*@E8#<2y{?L$mPVs?rrBxCoCva->Y}gY5X3nN>=D~@J%&upvva*WH$0SKgj96- zwp4Q$ZY8`)=*A#BXcxs^nfFN%JX&(5jwZ^*2@Wl?OPK~T+gCDMW9bw$lnu1bp3gW zu`)MzvHE&An_{boZf#gSePmet9twWZOE^ zs$c|yce-V}1|P$Cdp0(bY?!aWJK>`jr^Coi{e%$f31yuRQZUDVMX$n@@c2+pY+pM2qbrB&PCJvEq9TClOPf7YlVPgv?H;6(xEGqR-!8pk#J5b)b9tNQ zv?m*DA%vj2-cl3m;GaFsooV|I4b&)jy)dH7GkbPP-FTP)e4;)-MwK?0?kj(TU)B#| z%R#1Il>d&wfdS@l!PV}umoL2;o`}wRYSYw+D)h%5XH@XKI zf&rJomG2ecai|;EJFyvpbaoDud4>GB#>e*@>Rss4=tRqJz|(6&dtAqz+;KO0aKI^3 zOUB-#Mb9E&Uw4BdWHptcJX{W67LgpU29Xxi?n+K*?(#u)8Fi&yF0!em=K5a{Nqu)R*GQ_9pYTW=CDw>Z&W&*0ZHMJ~p2 zr-;|bOMnAEXTPHoczgqo9duE&>MNcux2=2eb{Ge9JZBb}f!XUBx8*zP#z=j`tB{of zbnH>o>o=i*COUkOsTppMC~0zqi!%VN;NcPBO)j;cuLo;*tsibr&c0vS9LivAr(Jg;VI(Tix2gyK1t) zvg79A^vlH87mN`T&$i-QZ=02^KNrd|^~_IgEY9@5oG5d$dZ){e44m~OFyV3$w_aYT zw??(TxoHK$WjdW=E5mup!=F_Z7iZ3Emq~|+8z@%i~u=chULTM3e zu0jMkPa}R{ljT5`ZO2aW(6EW7z6&YuWjj_; z5*m=o>v}q1xuL?-22rNk`Kgr z<&hBLqY-;vkM6jY>zxBbZ(MT<1d@b$L=h<+uw`p@5~dv`f%8tSNqyb^=rMS}>Dy{c z>%qO-h5;278U-=mcwbc+`>T$KP6dH`u1wRbpLU^Wnjq#hUcpcY8IIUS!Uv<JS-V1_4Tuc5{_IUUV8iCK0v)!vvHYi;fHbz;8j4=0x46`CRZz=&+TwR#s z2fwA6*mFg!No;`jQV0JBm!s)KerHDMywB8@mc=$@=hul%7u>tm86nR*9ODdjl4iT? zsz-eO zU;T!X*}_5jGa~t{m`%}t*GKw9KuQD zkT3x%#Vw=yXw>GDc10Rb-lp#=aRD-@U)KNt{i<4>2c=j*^6il>q6h{LQreZ0^HM1S z4t{*RLHl097;odk3na3mFgs*GRj5a+FxU#tE~0t;Au2NN;l2fpFWx*X!?+R>x2n*8 zh~#9f+GY1d-h)~ZYrm}$4l8YVj}lI9RResFy;Vu|`ygVY6Umn<@NYBWyZ^X2tz)uF zUqr!90{{NyxVi+Rz9m$-&~>Hd%t(+i03xYB<9~nGLf_+r|2|F8KFk=LvB1tf8N1PE zwr{DnTHFLND~nyun()KU@RzBA6kDv>kJnI`$fb+)SI8AYQ)8dm8Pxmt0y*%~Xt*@{ zBQh7u4IW+!`Jt5pnO=TbveemFMImq7kt@KJKvJkubp8}sh z0ha*Z$Hx&FHIE=@h=b6 zJ*aZ|X%&m^$$&-xm(Jf(OXIbKVZ)jTa`fxGmh0F#%V=Anp65*!c~Z0*`nI3MAg?>1 z>Znrt>BdOrJmu>GnOIp9z@K zs2aG+$GKvvy%rSJ_eQ{K z>mS*mg6G@4YoAr-Eedwk)OHsDRZYhq@k?AtNtA4IFl=3r?|5gKYP48weF}+2349Sv zysGAGBw;42ygPKVyg>;uMunEjiu&n+wEwg4qvkg?$b$&o=0~oLFPjo`~LT&kn)H~(&79ggkaVbmgZCCXMY(zC?1|WI$3epcGF_fSlTA2iu@%A90m>wNaYvk94@^s4}#h_&Ec2SG(xZ zzV(mBN6@I*B$^w^Lp=rIAs&QN%Tn8yK?Z^U#whqIm9Rf<*nM1Lj%iuhkOy0OMbEyP zpXe@|pfNMdhFL#m>mFBl#te39X!F`@r(6W~rFM8%zhZcRyh&t8ZyK>_iuy`{5<2Um zVw`^CS|iXgb^)DdIxbum6=YEFFAke@XkHeT+<}dvj<&VCV4^2`l#!qBQw{}adf>XC zkpQ2s$=~I4X9ryl+AYHIYMz_AIo8NgN23TT6wa0AQ|1x*iYm8FQK!_94?Q&A+FJYG zyjGHuB$>yy zQ`OGUL@Kobr~^L9&NtEcHeUwxr}iml)Kanj>e*N>RpLKWgZvEguF3_p$}{Y2>?Eyk z`ucY+Vkwi%8kltAj3XaUCX?MMY9v<3u+yq9SvsBC3)PZoRS( z`EstE{#R#B(I_VA_H8SxebQek()Rt!D`BTATx=hxkaxF6!j4_y8`})DUwU&2$E@{! zXbDeUz(5xKl;ZT;v5U9G2?D1eMP4dMlYiEFipxO!&IGYW+kasBv8NaF zkSkf(y6){OH9Mu4oUiTA^6odV zzoB}Y5vR7Gaq0Bpwl2ygP*=%?_1u;9Nnx`p4|^QR%5bjS>2w_LxHaYRAu-&?k^OgU zz9pBrIwv;oM6mXsYF@FFY_(0!3!kR;{k?rc2mqh0hYJ5%iLcE-X$qhnk5M)L>o2?{ zjm9sgr<%F1%qt7Are|0jr}Ou>khAd~>;b^&?YL^z&BQGaHd8ZLZ;DzQ2HXH!5KKji zLcw|*-OjvwcqMJFW|;BOJH%zM@E<#{a6ksqzsY&U86Qp_e2~D$iNVpy22H5VzoGMu zcIhf8j!c?re?p^zCCSa&we7%lHQrfH!*Q?)iF$J($YsGNw~jx{KZD}g@J*(xBj#;T z_|o72p^e7spTg-S*qwG65%Arf8JXkB2t?EI2ZNh9y0LeQI3F`kt&a%q&-IB|`|vxd z$08O`Lyfn8%7ib2a#+Q6w@=h&!$oAm<@0{e29dO7v95|nAZ)>tl^X>}hsOWCF<)JPI_j9Cm~RNSxu*I;-G zj|b_Zb{0gE8B?&YeM;SHx$0;%>cQX{1<1S&KEb3+-s@A2PF7m%tNaJadktJuV<}Yl zro;=M$f!9_sAmulivLAWCE!kz#=F=-Gt|v_oHHIb{z{qVw&?f|EiIjaGPUw{gs_k2 zE4ST#O$=LT*wsrXMfn2mDODdZ5nt}uth$3lIgPLJPA#W403zVuR^9?|nfmWW{3*8u z0>N<8efZLH?Oh9Z1Ph`*<)GvNY4P=zN*YlCGFHHY%>fXxE4~fd`Vnep?d^Oe|GpBL z4-lP(ptUDsHxtkH-vv(Z*vr$(Q09dbm034ma|n?qp1~(Fev5TaoJj;}vRS`>8g6Iq zjMb>g7%8qd*2MeDgP66X>?iW{e&8B;Qu{XnQt??6`PeIoqHat@nSXqDh%mz8&D#iA zWx(f~qs2uF)e&+~LKa+A_YXr2$dkYv6UqN&7yh3aA6(HX1uJrxg`pd9#yOg`yO7JB z$Y+?vMa;h1=h`_sK&RoBE1iwnH*!&i+zu%%?OekQtsKW z8M$|JDfniJ99OlI<5g6?MqBZCoP0_8uyPwFNOd%7>%)JsRz-f=nEwlg)&I`_`xof# z{|&(_b&V+EJBL)A_LG2!o ziQe)#3+lH*0iCra?`6&Dx?IDJF}ZOTIX>qD4~V~&Hf%69nB+V06T)1MfWKu-d$99{ z71O_jvba1;W^3e~ZRb(mq8o|~qsZJ4A){xahJpx?k~JT&sjQLXeUt;ziD?TLaHi@Y-`XRLaLZd4mCP7}_EaRNov+!s)9*RAs3@uB ztsIYtsyOh+%GE62r?)>y>hPCq2YI$%>0{ezZcdYBArtl&F-lZs3N@pLFa_5I`_G#E zaANO8Wx;YGlDm#F=fW8LmhD%KvaQy3>2NalSvIJR-kIo0TfsP2QV6X|8(e124m|cz z0$dr7tK>cxgvz$B9nR=WO(>9qRZx6PxSVh2=c0>oLD!ym>d1`mQKk-SuwVT22EeF)Wb zP^M^nm+$MgR*lPoODWP~hx^?@t-_$~e&kgGtLHJnZD^*I#BWNFn<9jeB)BH7y%JpuLZB+!ps6gdN6zQB zsW;v#LNCiDEI}IB9cOt^YZ_Frl}GocQ}5aY&dNEt*1cYE&ri7=zx~xFJ<+08SkC=d^~CJ9=cI=pU{m;YcRpneJ^^735s%JDF^ z_#GjH;01+oMf0!t4(fnH+ywAT+5Kky!=UC?9=fjb)%G`@7wX`mPl-Vn1nMl-@Dy(V zKQYFn#CT`Scz9foBUFw8hN^l^A>W5wJpU$1O>Lz@UY_d!eeimF2b-j&YVRrJ75mda zCSoy{q`|{u33B~MXA_%~ggrc$>)18r8(x^fi`o9}5sPv&M&F)zW_CSh<+;jZZGul9 zC=s4HIXjen6I249=ho5kJOr7D|9M~V4UHp5^0>s@&{v}q9~-w^*ZJP9r=%cJ9-e$) z=N>No#_1f*nwanR!cFmpZk{K%=MJlP1(W0{ zXF2wo5rAT_CTn)SEU23xXqa2}vgTRY#8PAZ#B`|hEuTSdS-tD%10jS_?&5HSgFFNZ z?T=17(wA)G5l^}qq#D}9cxX^}T996MBq&do2fIx5HD3q$h}wDj97ei6F2SfifH_om z(-L-2dJ_)(dqU7;=tQx9>Wa1qbMGg|lZ1cXnV{sBlv@SlqIBxPP(9g?@*mE8flA$w%cH0$=PsH9wmR9QCH5`CGwV$i!#@~?yYyd+M9$>sqfGWd(xfPQ%aC60^60b!LBxu zajxV;L&3ufC8PkQg#zLx)%_pr+l}%%ko6WJi=AZ?E0MH``A+9=TP4FfAcvRo4DNx^`eivWm%uDAR3R4uv!~=@8Ol*FY)>L zNr{5hFT+rV>#s*cnUff&#gh5MLhkiiZy=~m-SRt@r1W=_vajj?|JwiSc|rZEPm-u#YIwQ<{pwIf>cLn-l_fQB#tz5Q#;#_u~f{tx+5 zIrEQ{{a^O2{oXCJz!|Us1aPT%g>WB`fx)I}+CkHaAs5b!XpMuSan@h`mSYcy?LxUo zzSx8kN6eUk%{0CZFaX%#ohmoT{He+kB(*l-(v)($EFLb6~tI5C8eFUYTtoqMbpMDOq$?_xzb@*@kYFln1~>V^ zyVBdP`(}bZT@pGK*;$p;$OtJ9=oPLbA4L=!tt}!sLno-evEiM>o)h?s%CS+_hC_MR zzW*|bzseA^UVE9J>d@#=b*}9?@I(2pxi+rX!n$q;6na$BsB=VXjUvNT8rN@n0Vj|< z(c|zv8@4MkfwtbRMHfgkzPVkIZuU}Z1lXVS4M~~zdALjK7spmA_|s|8z2S4BKE;n+ zw4Y4HwkSDB7JAawVz9QSeu$<4o0@TI^}F}oq&>Sa&p|}ujjlC%XslJuHE$0m6^xq(*q9!m+CG6dXLN-4q<>!w%e#2wciUlD1ZI^-8T7`T2-zyhp4osq z-Huq%rpWI0w>J$LR@U_TGC>byi2jzI$J91DPLQ_IWTDFhg=C=#5$hAEucK~B%WiFU z=Hmo*g}pXLW4Rhz&b{0`ZcM**4M{;(Y3$H>x5D`z!{PG*)snHR<^ZoY(U*7PHTk9jx5XI-mK@ z1ti#IKBa9**bsgF*_b`1bm2OW0cZ+@zvL%dDWk0@1&^s< z=Nr8)7?da}8LX4P_H|flHFUTCP%}7&qJ|_g!2r>T{w`}aCTU+uffJ4o@h5ciO#b&d`^C)U;GxyyIQV`H< zlv}f@u0qk(;-92)e}EN6ITUdcGpm-xa{c;>^e2^AkXIu0_Nw{L(Pp`=&=)vQJCZF$(&$|p#g^2ngS9AErz(+W{Ki(4IE?e*nE5ZCd6r-CCd?!Dog3HysK zyF4le{ubLa72`V;$yo&XNGCaeJ740Iw&VO6O4<*hS-1LG3*IJlj9crB_RNMoi|Ct3=? zO6=!E1kwG5j^U_f7Ty*g8&%4m&G+tImSgr#=2L%5MHoKG39vEwt9apRfZC5j@5AaI zcvF&R&z8|&0o@c|m3nES4WM{4g8D|7dx6q1<)0-!H@=9~dQX)cBUUAa&KSpb%dZ6H zS?~I}dl~+50GW$bbt&1>270GI^=~tu{%3x~FT~f}k(Tq}a+$ciT+I1lnIK0HxHwXd zOyuqA8|;jIj_*i$0{4Dmb&WgPkPrTv1}#+j?csf}3DTjvw#K&|?)^yM$f?3CnMK&q z0^lf>Fx;hc-~1Ho@b0|eFks~^2*%L@LZ6I-o)!(LDIajVc=H_~j@*|f(u#qu1v+0- zRrdQ#@-}F)Cs1!u{W2B0W=(gOZ(T3x-sKQea-3A73SdC3?FW^|<9Sh%CaZdzUE&4Y z7nt6#j!=bIb5r7GAI!w7a=`j4@_!Qm?boBP*1#UGN(-LDi8^4vzvn*85oqt11$C?Du&u@_X}-_=&_FY=T6RM_?wa4?D> z8JE~gA1gxfr-AJ651}9Krl2omXH{6<;qv7opWjvn@%6(m{@HJ7JG8D!b?XkiLfHwB zp1rB9e^m3U+QS@~xX$&AWGdeNfeUqI@R3w(q8JEJcdN5EzMzs&Cd z*c}n2QwqSV7r%(b`ASaw&Bn3yve|ZMsf);=K+cOV7vV+otK|$}SB)MJMT3;yQUvln zmmrKw;pt$uT@L}!aC>_S?qBg{##>WRJVhmAhn`USH7FYRhxckWEa<1ji%PXB$?T zyFGgaV{8zAML@25SyS-dK4$PH)7H!-wV;4$$8(vp)^K8_^2wE#Ajhn(TKaLL7j+Ps+vqk_1~f~>fr^rgQMTjjCCCf`W3 zz&lWV%`T^SZ8#VlQ{e%eG`Q=D=q~(A|6tqWLQo&t;)b+tH`>j3Rg;ajHLZK`J{GDa zbiP5L#%08o9QTjDL&b_GLn;A)5M1qyV(&wb@9x@gZGy0^Cr>54Rkx=*PeWmc;B<5Q z&B=zIv4aSno1BP%`5oJ%!G#>F{}3?0WB0=4#A=_%31E@XQeLd`M;wIv?`>Z3%gs#V zj|&d6k(0N*jGg_>n~>wU0B05Pl8Sbfb_V&$Bw^&N%%@1H6&wvO70xyWxW22%guhWrT2j) zgt!`t1_=3+4(a%Fj{5leS00kLLjQ=qG%7U(D^PvC27NQ*dl}lB7Ya`&3QS#cy`0!Vos0rU5z}c9}sEnDl&t&{>tL@QvY9Q)M<)p~H+H@!Z-{+t@wueH%2KM5JMbUcb3P^%DJhVHmTvLF~`uw?WJCv4pA>^9= z+!-3#3H>{AwHa8*pD9k^{cQsAZg-V3KW}<4@miFmY27iOhn=^90!=r+w%x~NcD|X} zYlq1LVV0WW(T#~1v1OExpZ{kjP6J5&!l_u#z~LOj;o5r{TX&XHzy{2yiatkPqkZIN zi^Q2i>);yVop|fzYmE+YLWzy+DR2Fs%}iqAJXy!p(!#**=ewIV$=$H|@#9Y>?RV{E zHz^OT<{mx8%DWe_e<%gUNS@}-etniMw7Kay>a~pf-zRO~lyJq}3lOf0tTRwKU8)NG zd5g}aqN;)_BSGS;O0SvaL ztX(kPxKe)0nwo+A^+%wdv~n(aNbHL=CG*u_3z;%19ak*cSObV?zh%mTzmS)M12qoM zMis9EBtJoYLAh!xo$SNmJuF(2eFTIxI8BmH&M)u+lIm5p3z&&rt9H|%7bOMF&> z&BzeW$#+m=GPcQ19tj*?eIXKbhWKnh4Yk2Z7q3C{k-7>?a3dKQj+*z{>c+v1qO(0- zJr?EJu2L-=xBDRrf5I3084kwy1{bu>iaHb4r=}(WRbYs#1y@8;z+V8EKqBisIih4t z4=##5;#B%X8}w1?-{FGGk@JHs!HWNR|GK*>f-P(%3HBxUXuz1Bt%+z6w?*%VfmcZX zAElfBP2Nd_hK1Sg1VdhbqqX-{{9f>&m(@iG`5*c)z||M>z%Z+NnV5ob4VZTbz<3Yr_?ur-0-UILEk|q5iK@-Oq{p#DLES%Y zlqO;$9Cj)zU2KJ0i56tkUF3MvV2tsToF$OHSKI*-0U@_OE=CA-)j`Yln3CcC5~oXb zjIr_gt`??!pwp4+Bh1!TI4+$|9sh8WQ%836>{J3ZKNyb4MAl_{S@_g^erPBZ@`vfualcN=tBQlf?Mc zb8ee$WxDI$CMBed(Wq9BZmAkkA8ys;jAi+w6eC)M&5@m}E;}qrVx;8gM^;VeBQ2Tt z)T2YMT-Zsrs777fOX?m6w4Ii)Xb!_yn1!!bD;hXwPy*_79CkP606b*_uXlBs7>Z8q ztdDWXrXhBxG5xvqG+y-_%-y|?9)1IveP)<`hG<6`NM;^Hq@Esb?XF5-!yVR?z{-MJ zr$h(`v`lQt{cIIE`QEBuqDX#4PV)Qg2h2(XP3)MuB

;Z8_Ge#qv-uZcDm)gjZvT zmTDWQs=z3y zl!%?y>xj+SLG3!_>(Edl4DKQbgQXxZY@_zUjG~x8IGbJ=F!US{vMHFls5MPmbs(=W z5;=aUr13uTfsLZPI&ppF%u8;+@g<;C5Q{pWaLF#mPi<4V=dvq7SKn*?NP^JLQ7fXI zhQqI&5@vNuMi(YgV(6_MIb-s>XeeB#p>)xX_yQW_%H;F+oeRf8VY3t=`OZjy@FEaT zM0%M_195vqO3O?{J3%nJGQ2+)PL5gjUq#=OlWC^Atq+^$&tAYxF9+`!86e^Djvtu1 zonm@rMKF=8h}isKolAi}FB}pv5(JU{>-}&pIdO zPa6oW{r0*$vk)3e9yXx)f0aMj!`AK#^tC1#MBHNf1PwONPYqZx5AQs6niqIq(sy7n zaP^2|DSgp-uRy7g?h%!ROB+ZX;8Eg@d-q6;POxt~Ip4jbNLFoE^pXAEx4_sR$Msv| zkkNyMy}s?W86zozn=}2q-u_ap3}iUP7hP*u_9m`=iA{4cZSNJRBdN$FZ2Bzy@Ebg7 zaqz}zWE-tvFEOWQf?c)rT>T-UBowi+tYO$&C;*1=VP7lbls27Wa8Q zhZ!1bF4zv8@qqholAY4d2Qq5uk_MbzZm+Hmb_Z{fSnX@DioavK{dS;!nZc4{165UO zit;;+x1F`ORbL%J;b7pXP9O#}k~UzYp{Qhcb`MX7GB?d3u18L4J#N*BHQYOJDxDy7 zALxy5?eN#OcBwucyvMjsF$0JRFy;?bMcN={X?%a~OX8c+%Hc3yb5jh8Alx&8XB*Ge z3e>a0Tg#V>d?~Ab#VdVNOPG@gMzL`r-wFMeDc|G3g^RE7zg<#@cM`ZdS- zW0aG|;Fp4pS?hme&9N9}O^KQ7%VxSqW4$gyp{@4)a7yVRo>P|4`h8*X65Dna`5TJf z!kd-U(8D$?vJ|M1tjL?%Zv3dg&skNdGzQy1OAz@W7VB+LSXLyAY4=3vl(`5Z)fzM) zkm&pq3bjucSs|AFsrv)MboD?d<-k?N()|wo5>=CWOlq6^b(1QMSZOCJ zkRz?>VLJ{6WX|arw$_+>5a~6!hSn}SY63nx&H`$h^o5>U&`MB)k^yZ^%MLv9@3ht7 z{%k8s!+ia=hP{W?V3wsPPeAW9@DxZfj6qAYQ!K+kz7Az+I{9Ll7C2!rZvXRx9$E(B%`O8Vd3$#gPO&tSKQ@ZCM{?<^QA06HOUrGo1=4#@&dw~u-^=v zwpZ0NmpX)l;xK4CveLu)bi!Oh=U8PEk1uIv8gd}TdTXECIy2=T4uJ0CmGRmO+lsco4k!wl{)sR~-Eb{tBst~&!=1Y)`@?-Nm*qM8 zNZY0dP#>>zqzemRxx*SXs?tDE)e4aJ^go7^yxReDC#=*XjfiIk*2q2{yV4EMW=m8g zNqLb3zaT&kPg*xM%_^BAdO@M_J#R3@0}67`wBSUU!_L#nt&}EjQ~wwWizXLhG@`Jo z*qK9L_R9>AYmkv+2{33JDm5XgA)Q2j!q)4c@b)5pP}mA3;VV<90sBs->R_r0+tNn> z&SZb7LI?IB%--~|z=s-Vf8O+-x2WodN6dD(0G7#0UbcgssdEkFbyGtz>V4e-$pfUT zuYP`}DI{QYE&3M?CU|{2oI7yUIq`jQ`w+NJV^ho~&io#p&DvR6x$Pm3P23zI26`^C zQcrWAR6iWDL!+Y&FTdRopZt+o@t*glYccZ4oHsY?)LbyPz8XKaq7|5jF><1!b>;n~ zPI*(&zR&s(!1lOn9_7UH{0x*rz;@3t(XkyEjf7S8=nb|yNHunMjh~u&zy*R-0L_cU8@(;?IEQ7o6 z1xIemZIPglm;ajd6wW+iP`v(WHc6%A8eI+?5c)nE`m*_Js9F*PEt|cP@i;;L{eN)d-@zRajf0AD6GW6Nh|?o*!L?l!If4X&`VGqw9dX-Y0oAg$Io8yU u1za4Cw>h}<0`#bXmw$cDbis_Xw!W>gV|T}~=|IsFoHRRQT4Lh*>wf^=td^qy literal 0 HcmV?d00001 diff --git a/doc/images/plugin/skywalking-3.png b/doc/images/plugin/skywalking-3.png new file mode 100644 index 0000000000000000000000000000000000000000..691b3061135068b6cc15f44bc92a2aa31147c163 GIT binary patch literal 62575 zcmb5VcRZW#_Xn(1w6xV>v{t%pTC=rMv{hO{39YTDy~UQaRJ9Z>Ma@_>LhOjGs8LGn zk%&+uR%{6(JZV3l&-eG&^Ljnc^;dG=*L_{*KIdF#ywABm=;~;kVdY_EU|=|-`S`&z z1_ovr1H7WSvY0bX$p=DYA;Y!hD@@u?vS55GLodwWbrPgnPR{{3T|LPtUA z+nO-VI2nh*T=BKh!#(+*YfpD?PHinxsIv##Mo6Da^v!jf4NG?Woy`)R;moC5jx|F* zPDYYAyJPfQ85f3L(Ar|gRaoeMR!)1C2Os~gBe8vXw&{p|;dPoize%^7#c}%Y`%xV* z>Yqmxqm0K@{`~l7*yyA=!x>&jpsiW-1OHxr{j2+DCR&og;Gu9hkVk2<$|c2x(Aa|? zMV6NKi5G$k6R26ENFS1dVV(|u2++1Wp@%#ZV}i%XI*nj`3Bh(Kr_u6S$Z{BT zqsR27a9>b~(A_?qJ9y#X)l?wXK-J6&HdDXP$7~tVTJEOeY zlnF_GHaGX6SS+bBKYx8G2T3rWP-DU2Mg@~wy>>Rc}75m zGV0z5;RLcmw_}h|yz;L$KK>>4d#@TECL^%1mE1m& zW@EHWHY*SQquqapC@YMWjSbHS#Mc3)Zbg&`Me)d%GoBqIKzFADeV;NUoljj8+!k^o z{v%o+pSGC`{WF{lue)Yj08GHZ)tWq%{pT7(w-1%h;{*IpI!^qz^8HuC12)dd#5}V) za=ec&|C67v-7%rU{hei;8`LYQZc*i*nYscU09ZY3JFmlzD#O4q=RW_F@H`D^0;{CU z^*O#4@@%ryydgl&zE5-YkZ>q>kHonAoPp98 z1z6BZX`rmGxOVW%_ubM?o(;JI^RO|#z1trqSPNo!>n-HB*q?1TVaxi~dy7kKw{H>} z_^Le`S-My`s8eC)Gv1~=f}y`e&6S03dGHEC!xjoM`P`n(cu1mkl4T5X@lkRVz!i;o zZyxK5kMjWoj}kkjQWO^CWIVmP`>q}rmCP6i0{u)0L+4AtmQlP9HjS7f;PW%qQk?6 z`LXzyy@Fa)_*h1I&F63@m7xB~7Xqjdeuez-J=w;ipmz(3ej`#nk1 zeQ`y08)u!{3jtx1On(G(Um;*;iNA(W=L={7SPFi&=Tp4I3O2Z(Go^v{7P>KTH%Lb( zx?z8*@?%=$@%-jcmhr5Ik*mV-atTUU-`tz&%6JAa)Icgc zx=y?FRur&Qp(k0kf^NEUE4Rj`h;7^!Vp|^^EfmNU!qKPAjf;9y*;9F0j8|yWaOl3n z>Y)Zeyqq$bLR1q7yTb})K7DBldKRGaE9^GsRk_`bjt$IthO1ze-52FHntEXvL?3bA zgktKtTD%(Y?C~JV$q4Ows}(-k5LowJ!y==kft(z;x{w`H<)dv<9RbJ7b79MGp;mH3 zdA^}%9t(YTt9Z#3*82INZ*y8=!ToB-TPGKXmiv#c4uI!3zu2-3ny-=xFB9;}kE!e> zfy1=x&X2NQ{|Hx@_sn{`S=?Q5Vf^U=gvBBy5NU+ByKZ;mEIOh!%a%)tx{-KBqAbb; z-Tf?u&-ByFuX7a{*Ys}mS{SVk~fDJtPAoTq|UaF zKm=IdkO?pt`YHI)ML`|Uj)wIXwh6Cs*4JA4c|LDQ<5CkyWI{-)!4Ed*5TZb-vV?AE z;++6l85(aex!Nh$kLi-Iwgs0SKh2Ch{BHaE2hpYF?J0@f^GxEkN1fMW-W~Q4yf9|~ zDoWWM6yiDFgN3o$#m4llW9Pi+QY>jYtfd~m81J*})!;a+MM+Hnztu@=xjD-UCG3!&oIqR$-b-+>jJU0rN>~i|#Yx@MTf|OoP0 znPoX%>X(Gr#j4%ZoASg%Mr*%o0OK~U>LFZyYt3{V0-(G7kJqzxwWt*EBZSU?6f*mh z5bw+y>nz8+n{_?@Ti3W5G?DMl@Fvs_Mx2B`=$I_C)~KOe=j3N7D0+gNG}wp}8`eLb zzXyAXYl%0?n(DaDpyt2ugzhR>>XuTvbW6;u@hNJ6em-DR;Ea!0**gmiaER@x?9`IO`lenu3< zglDMJ`H3mokh?B&u=uhr>@dCCg5UWfr3%?=G$M0tHQfLoSB*54F>?3<6h$lvx}j}g zWr$ef4c@Wqe5rLIihF#$v*9276Hx4I3eV*MKPuN=@w0Mqpq!mtdw5tvQvK*UR|A)?l6YtpTe$6DYAQT* zt)3D0ski%2nEP6Ueq5_0Ec>-7-TOg^?I#(@%SP5-z{A~8-d{sOP4u()$c7(3>Sde@ zsVuJgx$Q<{%oo_)+A^Dd6Cn_EF4m#I@X#i?{gBwJ-4K-$QW|l(xoc(|w&E(O<7B%g zZvPSz^a6Y>l=+Mlfk#3f9iJAsy8eZ|(uZVB#Sv}^nigAgb8#iq!dLNib+-l0R2cT@ zW_e&zE`i=>1<^nj%TDP_1wn8LoBn?IF= zp6OlAPFSz~Fn_qQ>}0~ACMMKx9J37Le2b=P zX;A4Comxy@SGe-NoBI)AdgJ(&Q_MiRjv2S?FboADqWgpH;_KGd6m)KiJ`)nP*oi}4 zd2AjmJ3;F^>}CD{UXKru;j*Jyi0X2CYptn1(&g zwY|RGKh^}G0OXv%I=SR!IIWCPCp^IlQ9O`0F5{aG+Q~9MjjNoK;#(rUJE+SC>#gjX zt#G6Xy4D}6qp)~`o5A4_{*>vyf{%`lP7P(IjSVWpu6s+&xU!Q;tV1BMNc-#UtJkR~ z${ohbF-VP=^bvZnMO|-ow;;rU1o&Q1-8_7dYtrIGg|j0~IZ878*g1gR1q; zAGw0ZWQ1;=zU==RQXXXTb-rF5vGf7|pt<)-iesom;I(GM>npEyGDqcVR$#}7bC5Ew zy(iW!slRZ#>kY%cs(rqn&mAn5V2X z_!6s^by7wK&MJywT=a*BvGx951){~qxll<(=VDkY4(1}Hd#yW(`mDQFfoXGY1J_= z-0$TQGqc`N+^!N3KOpxYHMrw1B3X?t&cSS+j1HmCe&&Ch2s_$)nJvushuL3xV>W2( z>eaz$K2K?gNyX@ zqBAiRcGtA0_LZpHPntnr;oL+-L1s$&^MoSL+=F%tA2dmBT4Xd?d(#f@(&}3BmGJJX z2i2xK<#t=HIVZHp(7m-?kZ`L;qRJ%lhWN(jqj%8|@W#xIHQU1w2f5a0RDB=evT|g) zJ}=scJIH9;zNSGsyWq?(#h=VIoFQ9O`;9ueVd%?HwQj}TwBi?*`ixsNF__&uS>CVQ z`+)@-sWiqv%#8g>&$5BC?RkctJl8+ne8N>%r7;ch>A~(D%MaiZ-!EZ%VsK2_wrj|f z^h7mQEzvvIq`$V@)$CO}fi`v&#%*rN4m`*gt-5sk3WhwXsC2Vk5H42nCzFcKEAwlZ zkNCQlFVnQwW9yLz`=H^n=t;(-yQ9_Fm1X9%1dv3=D@+<4p^Y3?l`bvVf^E8S>4TcD-DkXGqRXlpc2uRakpp~zb_ z*xphZ0;gkD-@KjwaD(BK3V1g)m^?0wqz>tW#@nNK%?*E+q!pXWewCQxX*?#C&M~W^oIPjz3ePPDS#O)RTzO%GIO@XiRrPmY_OJG}mDHGQU;WXWsT2=PdS*QL4{VrkJTy(D zgBo7eC*7K8J|El#l|btZM*Uj{TbM)z8e=?=;nQ<}QP==jV>+_&tx?f)S2~M}zl1J5 zSGd&-3gDRkg8q2+ub>#th1~-IY2Gb!tfA)6y*VwV>kRjEhX#)HnR*i~pbm7@uyCDm zo=B{-ZtIo&6N>&FuQ$D>K}chi>80!sAL($EsTB*|HOB>S_p9M-6ZcoY{x^}Kv*_`0 zeYC5YJP{KPkSOg*LE9YMXN{-hGoAd|I%!==CMWODSv3OweITDFtIKU^1ZkHn2A!<; zuW~hmwx7)k?n$Af<9v57F-QpqY(BX4>>pTe{F#!(d1dos4EaxQYPq*eKaCcDzMe_9 z^dkyBD^rM&u9tN3$@FvqhX9Krp)_WL1BUpVQun&yVl!No8zG&f{|^qRcq~f&fDVF< ztDIrD|GC=XV~aqrRf#z*DtN1Bbfhtu1!oB`J-YcjR#(d>+;TH@9#lh zYi-kEky?y%Lx2JH?|QEz@}@Lq-Y~pIT(wHhE`2ntfZ%&x_Ogb4AnZoy&WVo5p_tF` zJZ}hqr~`RxA!z4uzWoq_V~QN-7#8K^Lfbz>H>1ctg}UlG_qWKjkUT@mL#l0vHQ86*^Wg($wVKJ_BuK(eFXK`vM`)XVMZQan7jETQlErZQ@y3e%%T-;!g zJ$>~3AK8z$RG(llIP7G9s$dKXK(wBXZri_Jj zk?;NQ$`$pmTmLLizm&mz_28d3qW{TPJxQ-j{5u@awfv_N46k|KuK)jjBuA$T!~nL? zK^l)(CbkV>LxqMIx#JW8Ag6uFR`lvwsMePuHr^vLXi%Gd|rTobRB<9}! zW0M+3aJ&;Ex?3WO4x<2#AEm4h zRmjnHB}WGh!(PP@cy=^OZL;_ zwsD5LGoh!LE@@31kUFhFrGiJBPs36zZz<7cFG|#`;PMg!i`X8;#F^cNrc4u0_w4Qo z?OqQ4>Gs=jmoISp^JSpGe+=13eb&r$O3`QK@iN!;Rx`(wFJR+o5Khiz0yBo->;cCW zfyW0y(Y~q?7k*erD-7V_QvNT86dc2Ii5<#*77BR=E{n=_q~5wGN(2-eC%yRgcf9WE zm+9rWnPl+%`Saf+^suWMv&=O_uTZfnqaS>+7HZXfHNExGt5-o*q&h@y#di7Q&Y?B?{I++Co~+niLEy_!1qLrinWMeM1IkERE@}uD6-$D0&{E6 z2|Y#Oq6U` zP(z>oOQ=EmSXVl|wopUdsi^FN4?GR@N7OOVc53qI61V%ZoCWpob7XHn%%15s>m zY9Yw#JJAF)Sd=nlDDLvOQJS~mAqmpt1y&01;JLrI_cN44R$PmIt5)_Ux*$sftlHR< z#1iC4_2f0-Lb*YQR{ASp>uDlf3Yn7-HqYL zW$nuDa9IcJ4|BE#F8Z^`+IPKrB_Lv9g0BcHMcOx=4S4`qU+F7zJyQ2(!U%`5)Qoba zXi1zR307e>N{(Xt+epM%ur3(#r()EbrZ5%~!)0sfMkD3g^~wf%=ga80~ z7Ob^V#ug@OG->4_Is+Y)|5TJDc_c_#;`fB*~TQ)ug;`LjsWp1 zHB&0bufgM&cJ8fn?59!+r&lqa^ilzN_ej~{NkT#@MdGv9yL1P7qF^ywYvi{@cadWj z>B4(D_T!Dz71Amde&N9Rhl+sQ@A^t}kerNjUmq5QliqF&HtkhrDrxY8pE?R|QgPST zuz*iHsZ7dK_P=6OrOHNw4ltR~vO~9S?ehIO@%MY~NNp2(h%ri|`+Na@Se)bOLxiYA z#SB#LZZ>f!SDTl*R9G@WYYe7hi(XW8)t6YxVqEJ;T&SlrOoc`zI!-WHHH}Mgb6v^z zsM#Y18^LMuWp5(n%d!0Rx#VRSvHYAZLl@(Ll=k)Pa|6NDy&@c& z?t-h9bAiFEBFwy6*Rn^z_oY^f+=aZRZ#I2ExcBqs%Ik2dvI4!EG~;f$9v$|4v5r=e zy0D@ovwEJpvbryy?%As^2CYQ%DhMhYGHKUWIc`+@cxPHW=+3Q4zHJqvT_rCDKhC+( zu_o_Vv>ssQJZw~WjZ=;FbF^?W+HR&jq;J`g?}hKr*w|3B0PVz&XO+@Tf~Om`zyH?@ zz;c(oI?=yMYt{B?erSZv>sApZ^!5VV_KBEE>lMeq!%R0)W#o}_w)q$#7w%I$ZUU22 z6x%*P)s6FZSU9kE;NP@l(MYXtyJ;S)Ws7;`Xm=nVQUPPlEd2Isn4|CXgOu8CE;t@_J%YIr)YN~=n|9anO1aVnQiY^DTV{b)T?X97U)q2chiEo`4s1POw_;_YAY0scn~;NZ zyn+i?PA8XbR=;tzRFcz0EO~mFgiT_S$T7l_3464Uq8AK$HEVlyeYJJUr8_39YmUSO z#$0_@X5^;F+;{IeKUkrVl>(<~RLI}+XGp*LXqBxz!M)LE+L1g4K*=`M9YnTO>pO|< z{+(+7tyh86G~bmeMs{ylbnPw9p{hJW3e*WRaeH`!UiHiz0LvH!Nw@dHm|B`W^Y}AhgOJ<1=wF2Iuj)W7>(-eq$87 z5?=gqFFKk_lF#^#IA6lw=q#e3Wu{0P6cZrf(|1&XNz_o|2Z!=`uD{Xi9Cne2X?SiZ7q=5^yd=6P9Ky7X%b^SDhu$cOLGcFW;&im*|sF6)WN4v899wC_f z1u#iCPVgbCN^#x1h@#`vDZLkAo~JpBcYlASdrQpd;?o6iJBLx4NP8o!^h z`9u~0FN4{#Ca%?53bbxN;+_PA~|LI37R#F!R%be0_}ae&^${@*CcKOgB|NCP`BoI%`f4 zY`_yrJH!pwqk^|U70YM3^iz}=Z!9iDqX%TNnUN2dg-_@Y_ukRqpQBg!AE@l=J<$;Uf&VuiM8qbNIH12TVKu)4Q>Q*r(`u%qDM9^GBM z8kK5#*END#sK}nuV4PFUJIyo8+>hb)C@wrv>+uV@D!)GSfv4IlG^A~q+0Mu1)f!D& zy%{uNEnt(a-XYej4p~W*hSo>;bgHsoU#r7jmgvBczo>qq+ldLxd9sgJS&$9cj27!_ z4M)%qs;-hgiW{8l&0QG?=eAABm7>A$=aZS?3Cpz8PIetp{4Q{F6$$Tth?I%k9X_RY zGvD|43;8colwTF&FJPZPBE1ELo zeBawRqE@g444w5@xU6n^#hWyYT#2q*)#hO+SjyX3t*bLxuQdXL);C58K{FwIOsP5*yK=a{=-) z5}doPVem71NK3GUO;1&Oy{GR~wdKOB>doU<@Pq|~Pi<`k07$@Wk50NTi^}vPK_%wJ zJR0B!Dpxjvp#{%B9nUh@13u`#VlT3FX0cl3O2ioyS&R;d({^j3DvJd~4}@KQi;*OU zfz^m&I|_}ol9^XSy?5^(IWcc=xBTvkqhfiRGcQr?YYd5Z*-b;>6&a3xg)wa|j4kI$%}2B^DdU!~)$8 zS$sA#;wHZPz9`t&KoVpguaYkd&gxZP6uq>111nJ_l`oFXIDIU$_R#QmzQ zAAPcWspB8G*~{D%Wh-9wNSti2c({B50pO_r)ur5ym96-CTdI<@$aOaD$%+N12YRe} z;;S6kc*G8=oZXR^SY*j|wo`+-#i{ddbulcMm_L`J1~-Aive^O;cl+Si#6^ZLNIb`L zJvkO50@?Ook3|LRf6vB*AwXcf*MSEkJ$p~#h5=o~gxsh5yG!bm$GJ^4Yr`g`gPZQ& zGrYC}njODGY^w|yr0FE!6f1Af2R695N}Dvz+XhEVVxT z1Co-{0nh^|=Bu#91xn!Q# zh8aQN+pOUs$RUmip^ti&St2}m4xs|9hGufhML@=`oM%9hl$eFXm$M{&?~mSU*$=oR z&6h;pdr#6+(~3aa^wiR)_0793grIM6le|0Ui!|S*$=>ihYGsNn%CL-stWGqWrzMC@ zExE~?^^F=og1Y(T2B*Plc7`U5-8f6UY(}}NR(q1#a7tb^J8myL-ENA&f_TySj+xPN zw7H9sqxWvs?%>X322bc3@EhPA&KWWmpW&6!a-dB_u9cl~ZHxnv2BgoHt0#wnm2F+QLmX#ZO=sRwqXOnAf##?b+>Hcg`<;|Ci02!_XLwf3 zD_$XyFL;|aMLLZ{PT#GB7fyXhLqFhHJ>f7}-ay8RmLsb^pwpO#3VE6CSGB4Uu9iGB z=Jp|#yDc=BCYHu(w=j-({~|lu%K4@?3{eDl8?0*2)R~6%f0#e`Fk0;LzVL9*yO&jQ zb!-9C65)WZhO>ecWBeyv?**shcO4eC`s`c=v_AYkw&xE15pmC$@`%@LJ4x6ocrl(E z{Gk}4HhG;@`w7n88Lo+7D0fugPB@}OE+pE>xnZ42 zYHPLuUUk~#Z5Dji9Z{QvI@SHNVoDOo5J6uAII+|B7{(2UX6El^GKCYP{(vz&FIA~CJ!mQEiwG=M z&mLvf$}Eoo-TpYRTtiR7f4>7F0tU83L`^Q|5v;U52BVB>;4t`RNzO9A$4t!#@JO1P z^Kiq9U2^wVE&z(+-+10Xp_t6x`3i^pyp;MoBID&ZgF_B5Tfs2yGvOm@&~;qC^63NY=1#XOwzu~kt?~q~YQvMQND12>=_`Q!>^P>r# zqP}LQSa+03pPJFj3QG`jwzn;A$aiF>>3j-$O*$mHc)WdUi@) zyg5_H&9+Ak=Fmhjwa>GguuhaP0dRgnl&}7fHCpwKKdVyoL9mLHvanT7$A-{iRrpLd zCc!+~Zv)?p7FUhZX#2n2nWjVspSeZmTOM(l>04{Dk7ItFG26>r9+dmaKLBwV@{Mp> ztje+B)bZ;r3$J&D%&2ry45;u=N~K)%;tc{kuOC;up{qX;;9 zR|L)&NPd6fWR~vLLD$B;`NxHFs5gqM)iYhgwWP1s(V9-Q#lgJ9+TK$g;jmy`Fc9fW z5Z`X}M%(@VNXge)$n=OwFy6b)12?)8?iuOFUn?^YqsbaQ6cFuxFFz0P-kgfd3Q-KZ zyMb-oyRFgDNE^BHxubDY)L-gGD7>#O`+(@OR*x zLy9F_sfX%CljXfWr&r85@y;fSP1DXaR44ZMWW$_D-@02v7hT;YZ|D7p zf>Ld+>T~+GeoZk8EUfSALA%wh$6DZoGbMv9j-8J=4u|s}=_?lH8x`C@9Bdr>Y+rlMy<565Y7=Ltz*a5*6n8X>MASW zZ1>4dmi&mzq|GOX!6d&eOqk+|hIGnmpOGd>7Bkq$DBi zTEvIWelTjkSVInfj-Eh~k&WX=_xc-^XZ-Z*`GV6r9NOr%Upbq#PLE{zX%U{XQ_*3z z{KIeB;aaihcI0=$U$j&=GzUi}EnJT&6+BeBDsn=%?16j4m!}5Dl=o)iK2v@1kVHJa zHJVJvA`)u$^GZu^dp6m2$C6S;kS2*_6?T>UJaLPSFzw()3!mN>c4Oet3EgW`HA|Zo zCeTA)VJ2YKNA%cX_<%iPBt?I!<(jxxrrz3uB|>J@)Hl1~4$0Q{={FxV z-rv_4M~Bk*6+leSSnIvt{1Rp@_|0@bfZgZalpsI5MbNjJh?IOgJM0=ksVx`o8H2A3 z-1>?DxOh2wLoilGxGnCl4P`bK%X>YYk8j4XeJH99PH9Px?U0O!5GXtppZx7$G{ojb zM~`lq3M%PNc1w^h9+K7@WbP}y5#hO8E)&EVV}W4sL=EsxrB)@f<>&oCOljYi zS2X&R*-i}p_uAn&dk^ZOtS>J4_u7Wt(LI8|Zqf)!-Z^bw(7NnLzjq~R26M=4xTIGF{T%qP>#bQOCGi0hkuZ;K-gjU zNP#sAWp`{QJMXQY$z3KOV~ld`k8+#zgKp{KT8%f!?G&*4rdq#gUDrdIb{LM|H#{0v z(S7~`=MO(|V;Ns7P~qJ-Mq;$fA_scR*@n%ll=b|;SUWdPuQVxLM!91L} zMzKplLMNUT%IXcrsBt6LD2jHgrlTVooHFduqR|Y8hcUtukhpQL2n}Jn6JN}dk?^k2 zlQ^vv9`cP~4$Ce)(6fy_&Wp+sWnfbe2xN|KnA@maPfM8$tq70t?kHSTfH=D) zTJXaTv$Rv>5?%6Q%pB0GDwD2vx9RpW=(n7+#>6G#yycE*|KJJJ`)ym4pv{(o;$f4w zYFSRQO}bKha$C`#$y9V~v4Oa~&U^K<3Vl7wan8^$8M5qVFJu6qkO9QCwl}@@yvFam zA{`UI5$;MlBEe>h!RB>7QEY-CUhXGCBfGLx*I!f+9|#o2kI=COEtjiC;6IpW1KdgN z=v?O*busjjAYEe;N;fsI4!r=QDEB8TkM4vn{uCWmz)1xM%Yh#+Z9uJ=84A`|;u% z#$V#&=c#%)v|e`0QCWVKTi{BWMh!h=KI1DRS5Wh2r$UT0Yb@jDN{ngzf%1;j*gEoF z8B;;hyGDvK*B^2!cZqXIEzU0nk8G;%&&AhDhC%i#G=GFc5x*}m1viVpmt8N-%pV(2 zF_;5$IfMh}zR8mo1+$5>{S)`oW2M1;LN`vmyKSs-EaG^=7!iM+Q&K}+aS zM}rg{o2&dh{61-ZNNvfLj6}p$HX!1HQmPE9&WkHjCq936@iuKxVFKEn0ZgY4`kMvx zhpp~e5l=@2AZ4{xRsB}qMn0m6ECv`IkSXNpkT3@lE=(aDY9~!_aLsE}nlz?&n>|#G z4&G1VBxX$4yf$qEMUKmDl*Lj}kcw8-{yoarwm_sQ_)|2bw(!z3KW|rKVv=^_rYa+n zYq$58;%+&4X>*TheV@ z2*35fpP+@7)~au4b4hmBy^a-ZYP|WxOd!C4!0SZA&wl{L2Kdp}&6ke|m@hX94nEY% zT@UU5W+45vzD)w+8__ys2Y9ygKysPa|J8d4&M8b>K>u(MQzZ%wM6$uWk#z7U7!RMh z%3@}JhF6Z&ED$g@b3`F_`s(Kn)9XMz51a1Z+5R~DZPs@p7!&|@r-#K~s#QQh6{RDS z4{LLpunrPuv7a@Ij}YHFv~T+*6Ghzmgp{NqQU3MVV{ zx1O%o?6kjxm}aGpLy({}XT;mW*R>DQjYcaB9E#yb!53(R66y+moXHmiH1YhtRSiGm z0}SOf_X({L$uJ=9egH2{$4uTZ`^2inku2nQ%8*rfThl-yKL45q^|T@P-rnnw?$DuF z*SW4A!3Desn?&uvJ^(8?tzZGGz^d$R zSICe9ic?bT+`?oUe`~1rpyEh-tsPhgG)K51S^$Qi<>k+rC8s(q`NwE!kXl}ceGDFx~X1q7EMvVPMmM)(Qf26Oe%-e!|arz8l;HH}G@brN4Q zqM79vtYtmnFl>p@zs^hTuTS4Z0Ge6U}h@^=Udg`k%z_C zR%6(eQ+;r)2F6Wo`!nh@7tCjD$1UWLCxdg{_`E9k`4(urPvG&K-A~-IxyAkGKr-Mn zvK178Q--gK(Qc6vwDF3>@jmJO=Y+{%=X{g3u62mgt6B&zZ@}by{ImY?U;9zP6VXmw zt~>OMsoot|b4m7_)Zez18);Q;tU)0%Xv{C)NyybVCCsswmkbQ)!8H2mcrC=Koy-{{ z@*0cAbx-8g1{ft-BZ`P(l^53|hI{nV+ z?0Y>H2Q7Db`$W&~steSQg8sN7#KLA_3B)Va-ZidV_x21+@o=v8)#w{MrH8E~G?otQ zUtN^~3m_aHn~UyGf_Jk`AQ_tk(c;Ei&sa^N>MIF?Epd|?r+)2SY?K&%#Ptw+VIT7& zdB?}}##e9NvA~!c$?7-VY0N~P{g<`)OT-BsCHsaR9=!_YD$eZ%>CAIN_`Z%OXi`dk zgQ<2F!(()LglUJ~sQG3W+&*rl{d}C*zI0`a`38;)*xxKirMD zKW!J?MipTf_Q{KLw_a~@_!ZnJQs|`&RxTEgtAsh)wZ3z!_}^!QpDy&gfc;z;t2#G_ zhSK&uT?j=lqyyb2uFD39#7BG?UMH@%#+1>{E?BW2IXEX(x#4S(QH{Iu@ zbo?5E{;__4Mt<+f7mn#tJ$urtnbei#5+h@Z01H+Uq!`KYjTxs`-RkK$XG4`iM3KU9 z|3~=iG}ELOz*;sFpn6?{G|IuOSt_*v14x$T9ZIQe?k+h&-RK{5dQiZ3IA%k0=yj^` zA=p6=bJ_vh@^B&Cg#LMHp{dhd@G{+5^ZG7R;||G*f~{0TYISxD&EbRfesDmemaq@d z7w@m{KlzTw1xH32q756I;g3*y)oK50()naI#|q=9<=}Ascml}k8{#sx{d{?$Y*q3_ zc_))%GwI>kH zpCn31lmTv#Y3#g69a4h9QO7>ZFYMm zktq~DMx*WQ+j-IH;JH)CnDF(iU%M~rNEk#-$<2wmDT@ZN|yc;fS1tt&8#t-bt! z$J7ms1Fy@n!y&*znFHkBgt(L}y=*o*sZF8zK$Ft{Yfoaxr$=;H)XrCLxx1VBZ{&P? z#f*>@`za+z&B0u`?IMeD-jXIqX##ZcQK~!^nT-o!+9C}bnS0`x5+S%XhCp%>&?Nk9 zn)4{$2kq}gK(!s2*{Jv4#gQi}(zMg|<(G#X0Ms@~jQ4Vh@y@pfdABMYDEnQMsqRo6 z2DH-3KIscYyAkF`hJ(SU=~dNC#U@!NL)^NTq&u}wDh%AMLbLclTbTGyE)0$#^cK+N zn(H{h|5|exUjGs@!pZ+{hJpB7;Q#)}p8W63(Aj%NZTD~c<)6E{q2~_&H*4q$glEX@ z3(4z$SMI+XDgdYa{=asy<>p_td=N z-^riEg=2Eo#>!fK3XEc!eRH%&KNjYqIp3nt`aor~i5Z{%$%R8?dWR zz5d1MMak7-WgE89e><;EBvGO5Wa{@Z#Uhs! z<*f7+S-W(+GC9+8&19_`Cv7*r3j~_w&c!!3mE@(XC^->z4S`2(mlIM_cy}g#x3Rgj zr??r6-H8EOeWKE1pIpPSJ6c|c`A@WzDA;WnE)RZCGC@^w8arvS-G4mg=x{EQcAfnd>2J?G{Z%u{<3$e&g8NVjgPRP#7RPjT7GPn3iO=rAOqU`L>uy{~ z_^3n?^X-0>@ws@cRO3zG><5rx_kA0?i@ao^bI6EGc zc&8lDqs+bnCYk?t+ONpYIa23C;hi&h>Mc_=Xf4#N4U-~0`9UeKFYj6i99F+8$=z;K zz9e`aEFu14AIN5qb*`i;siEHXvJ|XKa=f0m0^$t)ri2lvb2{+P9+wwF6_=k ze^5GG<+A013F)?g+6EZ-<*@Q8qhIyZUT`54*B-oF9?eUv131g)=`Nv-Oq1Q=1z$G@ zx?KU-#AqTe+aIL7RnM05(jr?edl?2Z8EOo1*$Bb4nFyGKaRfybh*5^M4wd_yMr-yc zg5-w&L&xNM6$F$%%)b`ph$=*yQIUZXVD!dm=TFPGZ$W6YxKRWd9KKuhLrD={rovsGSevXMGqz zQOJL=Fs*(bFt$(@5^kv|D^7`Vt6L0M?hii7C&_bhR8Kvce)5T3`Jl?U7>6inihe7A z?G5K=jd`h_IAET#Yq^|%ed}7sKp99NC5`O;#{sOEU27pf~Q}6nVT#Fi?kv6kA@sBH~)v=|`tRkAv*bb{Sw!g1ln}On$ z0;}FM!HTv+Cyjw1`T%xQFEw?t5rjC2&a_)t)ueez4lk^mX;W}a8ILGmkaE|o@s}V_apTsPDGTY3~laoAbBsuOojc@X}>M%3p3dX1g%`r@#iPL+w{E z7A|SpJEi2hslOI;2_cwwA93c$tA-Ay?7Sl2h~MHg8`|0RDY73qaO!fW#R`rqRYSzjXbRA5#4y-EB%?6cvby) z;?K?N+{TJgMY5}n2F3MINnNO|h+(N6E3_cI>8Px9o5u+vjPSxK&5nksX=Eo1YNkN@S@c@hK5 z`h()>u}|3Vhpa7MVApOhZBRHtk9Qp}8zDeYWe+}1;@kbfV8151Y2MXC*8{AIo$SW^ zefu)~y-v?>(OF5N!1GM+ay^wN;Y(v)O8S~Ma^c;&^+@#a%)MvyXNBig{2jy8EJ+By zQg9(%%w%Gk*AU%AyP3{2)Bk zg(8$xnF7Y>876)HyzO0+vjy3~y8G^>v*DUCVjn9f4Emg z{MV5bXf7G7?hMJMFDS1@|5Z&`)KDH~jHei6*r4XGdmSV7MMn`8azS4_PUYw63Y$eA zgr*&E<|n1F>-*0&JRLN8B$&vo!RW;VSAXO;3);C%!8IwRbccaHK1+Mg2z zUHPdR8%y&xbdRe zZP5{`90Skrl`y&CjsFp*-Qz%dcs#`qxpMnSV!yLj^47Ru^{Y1C93s~I2g{-Qa(724 zbRH?`>B`@4g{-gE__V)p;fRso8kYXsqQ`nb=(Vi$*h656G5@+lEx4aN3M83WCfbR8 zhSQX!#wrL(NM^kYKGq~!lKuY;I8$lYjgG%|8?77h31v9we+_x;v5r(J^uBM{TcBUN z2OYon>_Nvr$H<5K+qWK{Q)oMm79BcqD*W}w>uZz~>7Gk52ZrsPuLS)^WEGzXYN&m^ z7yMw7r-yCMtTy}={ujf{`#}E2e~$Q@|D`(cUyAmBp+P7;{nicSq+l-6wSJOR>Gw^y5bas)}@qX%j_d+!nShZywv0wlsu`Qj#*RPH$ zs8P%MmwtyaW`$fXdob!YpHk;x=|lLk>MsRc0#!kCExb>^Pcm-{xxBetmAo;CeK-|* zV7vr>VC0j_W=gG_=kNl9w)qSr0q$0G9{VPP&g_nfb?LF$R5U^u72OoYfoB?>;o@!5m~{%jL;k}U0BA$9O~TEY*B^u4 zjOFxeUQAh2m=!20ZRnksE#mA{av?LC* z7whp94F3^C);JPbC>ZpN{LN1I^KuqzC68|ZyCK+}m=h*4P$SE}&^H0|w(`PCjpQ&vnP5@yO;Wv_g zo)g>RUqm#7`@KlfGCNhYBN_|qxU||N3VK%59jE!;(&4Kw|CmEFGG+H1ypG4(=JGj% zp*|U7J#ABs)!fT=60@|qBVyIG@FvlT1S6RPEtTTy4{M`;ld}7KYht_o7NWi>PUHH^ zkuP@`Rkh{ggeB-O34k8?_vd8Hly|i-_>J-kG z%ldu5IO`4nFu}PQ?o-y7+`fO(619kXqZ59KW|&p>ygAj+bwU%mk>f({5 zt4Crbn=i(-%+gO@iaDvEEQXduh75wjCA}V-Tz_8vbg=!bqTBQkioUzuR z!XCso+*OSM0b?LzS@y+@AwJN%#<uoCq>GD6b@ zwEkHmutA|9GxLnwQBT(o;YtZWtj#h7)?nc}B}4}SS)wKvF&1}o7`LkrU!VtjOCJ|? z29><{(0JVtR3&&U;ItCwZfcEQHbuvixri@!`7|lY-RK_z%!!q?)8x-Dr`H8FRz99D zV5Y&}7hYRS9@&^*zgD_qooq-1*FCt4Z@vHSqK3@^;XLlnn|Y;w8uTs6<0VK(K=X^C z`fp`lW+t-!5z~KdDKg1aTY37|fu)tNJJ2}zh7UT9LFNivD~R71rwKpa{&5P3TGuOJ zf_E-hXS-+I-k?F3fBcj;i@N-)_-p^TtPSwQBV;viz{wL_UKH|->s6Rr<8?>S!|G9v zmJ^0~04QWG~rVo98HHKA9H2^E- zHQS>Fr%f_`k;Xw|j{<#{&F5=aHV-uj>7CAM4zq8**{$N-3%x;B#h1^w z4F(s(@bC4X;;$V!taJ9lv97>$75J?|_JmYTsg^vxu^8G$fSYx{&UJp=)7@QcW(&7o=E4_?OwgZ>mTAXtrUhr;ecxIr z>hvRO*gR3g5?`0DEBw-ow#+4DL@+mcz-zUh=y6CZUU?!lkX$nu;4?ANU_mc9F6h$` z=(f}GJM|V$qp+A1e*`_UT)X5f9J*|KCg22i`3ha-lxyJ3~Ka&j_CO zof~(Y<1yV~RBx!t{XFk6d(mA9j^qjd^RGtkf@nE``C88U`YvT{t)RK4v_R&wJVmFm zpRHpnP_?zBwNm$*i`aKMFCr)#KP-kaW*dfqKoES1T^Q77UP7!o_C|a@W1lm-@Gf?q z6rsFtj_g+RRc1Jfg^l~7vDqK$6Tn()>>OjCp0i-^`E?sInM_qPU5e)9{Fzd1Smrde$D${B}v_fr`6SlE^L?N-L5N>`*qsR57L z8MWUR9`i-U^G)#`xN`8J-M$-2cO3V*vW50Ez%VINgxLFY-f$>%?2ck_pawH(?9JScYZcw)*1wCzxO1$+0L~ z{t4!n7jqoU>F$0oeOhpCN_hL(PA`-!KGX73_nH+5*H2j(g5ANbtlHkCMr=e0Ut13K zUh|Au`dNLI-oXK{nyDipS8kNZ`A^&^@M&JFFZF?!JY9qqz-22Xrs+$C1_TM=Y|9QE zwbGz`ewo%cJ911aM?a26wUv>TZGAu$Ib6sgUu4!6A5jvBpij_2+MBQa)iH&+NZF6x zh>{;JMKIYRr}Zk(w!jt#b8fSr3#{pV4=;&htqm*;Vo=MLk+fZh{`o;UNEgPIo{5Zc z!z~RZ;0wLSF_Dcyh?i!0L!STudBDm3nwkB`P3HR2qiw##0?v8*ZfB7Lb=wGT*h=d3 zCncL~@1i`3NoV@i3b^ckm@yN3OlZyp(1nTMT?;E0o9#6jz<;JjS!*dR0w@&LG>iyY z6r3QTJV%Wy`bH$`6Tm_qZB5pFo;k?`rhl$;67%y^aauO%y zEpwWed#&!i8JJ~Y0$^i7E~%l8evN8a!SlNtwrbDgcKaZb{T{)5zrj4@jQMl&tOvS^ zx){^l4d#*MK5bCm(LhQw2xOLj)!Z~pdbOI1qz}f}mxttR?MBRPYxG$EvX$!T#=urJ zBRoqiccH=}{*1=!e0{Ldzas3BK zW7pB%vH&$mjX))C-*{9_Nn5Nx>Lw}6?&JMib5y`p&h|o-eV`|2$!O;_g3;5fwAO3F zh7c>CyF_1e zw-lIr8=Dy1q?ufeg7+WHopoF0aGo%8T5 za|QF3YTn;^h3^)1PdsYJ7`S(BT-=RxZT1iRo;1=jViQRL&u|>1}YXdID4Pk(sf*FG=?HF}8!-Gt8^K3_f4+R?7A+i7~OB17^~6&zWwp+HPg6r|=iaEi)&IKm!Br5xJf9lcnpP8j&Qf zjTB7Thk+0Q-%sDO!SfyntDcCXj+~**EoFt0=h~-! zdnvlzWDtF35hdzR= zqYey+6U;6o=i@-} zn$+*M60#??E8W~X#@!creuGbhT59j=1`QVyT8f$%I2*ekFcke^w;bQKJ)fPQeB?VN z`9W^kOfC*-mXe1Kn5Pt6JF7Buv)beQs3qC&?y-E!sYQi*nxGC6(rUU;s5ZCAj8)$7 zZblc=XCSeAF0ZgIoeg0a(>=%bX=*pzQ{Ij9Tx@s7a_g`}*yR!{s)Ix5Dj?X~hw|$M z*RsWkvUf8=3R70!0exaQn=?#kAW(m!Giwn$Vts0b4U#}CMMZyIdcaJ)1L_Ud?DW1K zId~~{y?U;dzb|Q|?JI`ZmIbQ8mfygXR^9oTfAl3@&pIvnG7P^l2?O(n+66C<&lfJF zl(MOK7;%XhnI0Wf^SRlu#lwBd{d!@|elc0m+uC4p-xxDJ0hHwnG{>i^D!!$tqq|L* zAqto8_;`_ZmYFYS7C-4goHgWCfQiU6fV?SW$qtT zkV+|?ve7UFK!2aw{3n>U3Z7pHZ@pIsSL;}VOM z3lX=3)MId~%9>N{9WDNYCXo2mGv+qgLtD<)<$1f?W-f$zC8yWWP-h)FSNLoAO_B z^oSfX*)^!L9ur>m7Y1I}PZK1~@+w_2eTWd^x)=#!H(e;3H#q;w^D=6glCD{&mO*IOz(!gpVHVv^e@8PCV(HnG5Y#%P*iHvzvM>$t*5@dNv_=xcJ(>` z&*L1A0n}fA4%b_M4dy+!|22^RpF8zx)4QcR$j&@qC#Ldq#-??EGJUcZeR^})Rq!37 zQ{!ttbE_xKtLsyShT8&z^eU5Dk(CG|wP`T^3$dYGReERad-`?1#L>SOXpSjvZ}61&w?-M2rvbg8{t zrnOXlO#soldM0BJr1}7RP#2+A>Unp?5+3DL*+6bf7%P1~X#0Fv%f)MJ02BHTR&VbwnBQlOD4DR>R*tJxQjd3|{}F&=gUw5j-p~mHuG`r) zt*a8K)#o+=aL0>3zT53L5Cna?V%WV=FCi01UHT#>8Tm*Wqkf`CV*(jSXM4vWr9V7y ziZPAaC~uAV&O7G$;Jq+f_*#R9v4$*`gj)1RgsS=@o>p2}d?5bH4tlOByQ^c)`LMAp z$H8nr#xIFPjq`9cI*}+^_Olpa$9ZL%j{0&wTIU2pwC8n1jyk9bT^c6rpKnsdNlP9M zHxkV)%DoxA%GK(lqI7Rt#g6_HQRl;1rI3NIT#hzAc#jAWJw%s01w`#`7#bw~h%hh9 z*3ovQ3q{$T|00zlRbdT}oN|8}c-brJPl(T#@K+mkcQ!>oh06y|@@%^J@5H3d*-mWv zlpBTW7;mrrY!^w6mGZsFJE+acrfqbZv5*`lxmKu7@-tUBIk_KhbsBwi%Y9WHvKDIJ zVIv+ADRAS~&y(okq6u@0OF}@>mOtaDT%EakG-|tqU@6k-i(w$#(;BSyaq%v#sS=Me zJY{RJYzjLj0xyE{3a_-I*BC_I9Nsvb>EccO?zQvExfQ==Hcgk?G;b5Xk9sdev~i}y zklK_UC6+7|e!#4~(~~VU9aJ!Zv^kD_l-IU5AF>YSCEf660P^*;om`A2lXY}Ov)T!R`=9}bm=$pYj0n4W4&@mxfT)!GKd z*mxkBEiORGu@~>>7(MWz$bc8(Lcq%8M%BcsN$IDt3?upvT8nFJa&1D1vekvA6+mNRT{ksKVo% zLQjp_ZBBOWmxc(9TK>(P8vZXv*4k$9{7J=c-4M9!tDwld%0!al!pA?2@A2JxV-w4d zWQ1`O3eC{N{V`+OW3QHOs(SNQI<@tB?R+e(MWcvoJDk$V$ktxn9#aiQx0WP2=hXGv zur_?SBxW{NT6S6|4n~YXl>(HRLjo@1H6Qq;?Meqm!vq4n#3a2Rfjn1E+Wq=)^Yzas zPiw8Ghp*(ei?Yqnmq*DGa%)}lDkr771}!^grV?tu|M6`+SXlrjUN0Pf4dJKGk~^$O z5|n72{hoeSyka%w=)?(RdOEhQ(_C{X?_w+SjQAk8l5xR%DHWiez`OL0e03hZ-iknS zo~en~#r+voZ-mum`HbEd%D6Zo2S&?3wlwh4yFVVLZ0KH>3txjy6po=; zE=0q|yD25?B?Uj92w)o82QL?-?y4GMJZO=4#qa#o_RhAkDR?F6&Bo!0+FWpccS#BgYk^ z>3=MBE3u86UEZcA;o9LWikPHm`#z)U`Ad=)+hepugf>mDbK2$JVmoCfVEuiH1x{SX z73p_ahqSEeBvM+KKMf1qU!2WRJ&2m>dyh2&Oeb|5z1kKBj}HZo4Y>ny{nwEU;`t9lirss`N=#A z6p6NbZ6}as@1|1+IK=m$1^@&4_jYGr!sgla4D4k154MTzQ{o0dnB$XbKr%|te85h$-H(5~Zox{TfB7sO&;RAG{Qo%hHF5P* z9*@R{1{`&%O^{@jsCgMS2}Ro&qQ`KTq5?NN=MwrCMt)9ub?e#ng=|{Cy|h_#5#QH8 z;U~FN=lHN@JA{kmWe~AroNZ79%Td>4j?K*_ zLu_rvCTie1JJ~uIeRBO=je=9tmQW@2D>1K6FK;*t538>RyH+zBb^5eFcNxTWsjTXC zZKhbn4&@VioJNVfw&tEAK5ISanMoDopBA3uyDl?Xy!Z3(W~klH;xDSrn!sQAXd9*+ zy{$~$7(2}J;McKdTU?D@lrsOmr1dns!~Lw=-zeo5A#wXtO>{UzGws@@TH`z20D{aO z*3B`dQ9{7XwB3X|&;6{H7J3zt1skK!2a=Vk+t!Joxm>GD-~rVuLj(uvRs5Wm4{x;7mKgtrkeB5#CvvV)B5p32Y??2u-ci_MXU>XcQ{95ug z8zMJP+fsf#=c4Sa&g|;w0@QFDMI%0QOg)}8oEG19ge7?AxYgF$%-S3)R42=VoHDXt zhFTsT62z)6j~R?X(`l9V_=$kaBK1=n+c^~e!t}(7D5nW1N4AwsZDQs7-s&i-I&)Q) zbf1it=;+tjlta4gKndg4h})x8iv`}d4fKwV`x;uBSTr~b*NoxD3JB#+V|uV6=-L*r z$JC#)w$Z-!h@9YST?Dv7HuA;{tau1GnLu}Y0OXa5Ln0oFnZ%dCCKw7cWxX+N)lxDhp|tCPmW4W1dCGX+!aqM8S#ZxIV%ni2a zGTt^nWs?GtI=vW0VML!*DeXJ{V43IH=zv6v$_KP3byY^Vws172lDo*7iioWQOu#&N zY2obgGJZhqQhfHidx+pPfxX(dT`zE+vhP)IF0wM_2tW}sk1rj-$Gki zAF!}Ill1rQpP8KWfwifIqo$yhOZiqw-Pdm(ysT38`Y07vS6yDJZ}kiSPun*FOv9)B zIWK5@UT@KS336WrrR1sJ`MysVAwYQhl8ueBC0pY5qnl=%68GXo9au#{5`CPD#?_WC zAli(Wrb~9C;nKpN{l-iJ`HioCcAIi(@tj$@&FkndobF1T5?V@DaJS0V${#OePHqWs zoI=Y%;nB@g%B&vdu`iO;LBeDYz8FkxwogoVc^#%VMLDIUVBCu~WKz42g-`i_`V82j znnL_|me8o(^Vy5=T!BbQ)VtpK!)uM0*ry>^pa<=17F`jSbk$w3dA41){(@ZhcBn4C zZ@OPB%f&6Iw%wlcU<`;0n zaR=S_B;Xe+VC6MD4k)uKk>BxA5pi`KSJ6w|S;Oc`P*a?v?Y5#+B`%h-aI(G8oT_rF z8vt!)bC%E=>KsP?!m z+aKwc_7I3vwEonk!H-tsLsCmeEbWC5iisGa78-GQDVogG5Do6>ny z0k}UycBA@zy*CUw7TRT9XCR<MsRApM8#3=*mdT*ul$T<(5fX&7t-!esKOc|>jLN`Ec11MkwHt1JX;fx||JXi17;& zwwuV!yW37PJrP`UPbmA+#CNKQZ_v}6suhhn;6yqe9trP1i=Z%VuaQ9EaKJ|nK z?9}r2H{3OGiJtrHJW}Ehp9oKIRrkH8n`j%L>H7V>Xt2e)M`tEKb5{d~>tBVIE5nfs z-xOT4_6#?M_q|MbtP6?qj`N%kwL@=P9272z^2|y$i|66iCc3s#N^E3$i4a@uXI$6s z9n=-6@j(^ViW;@2OVv8s>38%`O(MKo?u6d45c+z_mz$TyLo+|&UxUwfCfd1g3`oS# z2<5)#V%kQ&Pa*`u8eUIP2p3^6sSP>Y?eYQDhSl9DXGq~WXD?tum<1hBo9Ui|eBv0> zl-2NHn#`qm6VIIQ&-d-luWq0Azm|Py?(O;togHAv!9Fi>ZY?wqIv5S z5BE&_L$WO<{N{h|@S}?YyUGSi%1dHEykk|DGqpL)Ql_?)uTwRctE=I$!Y(w5Y+hK6 zNjJlwI>^})s)BIOham!wode8`-IJ36W9iU>d3WFR{pqpTd*MeXiG@`j*Pd9MxZiHK zHa#D^#oxbHH;a%#Umf7}S5LEQJnbssOW;PIUkryHl=2U-nw5h96jR1jO(Of7IxBVX zeS)i%FW`Brm;%0Poyl6L`2>ppN!qZPnJIWuG1|@=L3i=yj2l#K@R!bh?+TF?ZnPO| zpSr1-PGDhK$B5{lRpO5?j=~>-hRPzQruHq>VK>uG0YELW#BQFSwbeIiy!J1sS@Qe| zY_jV%z7y_;i~mhU+e!S7nQnG3z*G6+pC685HSj$Z30QRA`9QhAqY@gqbzB)ZCe_%ie zfR@0q6EBba=ePe>>)`*y`1oz*$zJ+hsvz8z%JAAm1@=)2!cc9VmyYX!JXf9ODl9Sp z^VZIys+TyNNQCr(aI3cifI6vwRWx^hb7TuMR>ET1K(x=GM9uB*V4h7(5as)N9&RTu#(%H2K~W{ndAM*r z#{r{P%ORMn!feYjG{DsO85ULY@6qo7L{ZTRYaY;|>X`(?e&z}X^RhKS*i#>vE`!cm zr(nD^kTY_b3fo!ZuAkeRULNfSYE(whFpTx=elTMie19g!HiNQYQdv*Cw?jDq3)39D zjnUpf&L}ykX417+I99K0P@DTLvXA zu$+FaQb-r9US57`#}swa@ps78zHgjxq+GK*a_e^(iguJo8oLOdbp!U|(Ld?7sm~Gf z!j)OvcxP6S#X+EO4dX5x5zQuuAa5ebp;{MMrGSzXwyLBg&xoT_MF1OSk?bgJv{DW} zIY;(Av-{Y1-+K5_xkVFNp0-*yP@hQj+;>_}Tu*L#_Ajy8UnXr*&v(u>B?DFMyq!I_ ztHRiXD0Mch=A66gZj7hieyl&83gmcy+DkE6fYHJtqrc zqd@{55Y2{-mA1I2f}4V`mZ0JJY`+6WK`g;O4tsi2@ZoJd@8$;IZYY*L!tJ+VYvh@$ zh97;%^_x6{9GqIAw%akb61iZ}VC*oa&}zhPg=-m#OJj>Lyl?dh2~Z`fy*y@|+3OJI zn_aeCv;g%XFz5SCnpY#I67T|TYSDoL%#$(V?u#934LgHHL(GFxHghUlM*`8wHSycwuXL!i6lIL%KX>n#KihwO3AF zZwG3{E;yS+uB}b;L+8iCU~Z$Po&g6{2WcnG&Xn)YVHi&Cy_%?sRtAxpUXuawVf@kb-KD{xsp%a*)d#Pv`Dg_x9p3S$OpwhCkH*Z)ROb6;}T6X#m?sa1Mu)?nYZVst0 zZW)nUMS#Od4L)Srj$Mp@w`^c7cxtfd>8wYxx`rFH!cF)M99TMLbv4XD77)Ar_Q>rx zq=lCScO~|LIO_%ffHA;73uHaPn$1D=C0+{^ZlpN8|B!`4a!(gqcsiX};*suBR%hsy z!86t6#ce)NMk0xAh{Vx^qwj>XjM0sU{g$!%nU#4FuE4FAMM|eAIAxn@wgAYqQWWi){q> z-wuw{JHU3nSyysb0*-a@rqq*2Fuz9bM?^n$t?yl*T$~X6(cK#Q5I@R4L&w*2D7@Hl zd`zWfeS|kDkw;^DQEM5{PqlCn^6*kMa@}X_t2yWDS)~H*m^MiDQU%@+i^wV5$>9;v zvswh@tRfAYGUIGUB|b)+d<>NNY@vq<1z_2DJrs4zK3jPYN~T*^&tD8Fw>rW@<6g^^ z3T)@rv#5)92Q2f0`rz}NzEqoUB*=Ie-wTNwtv!iAbswfXo65H4?43Fm55lNCxJ9dSf=&-A8GX@-d-wM3mw zkL`CJ;@sBxEn8QK%PkbTxok*yje(|*6{N5LHWF+Nj%~68O2J|( zOgcXHzZ$frd+vPVgdFLV`#{Qg=p zwb*5Iyq*3gZlu8u!a4sTMp!46>$t=Aek5XH+%neK6!3i&iUs5~Wds>4^LDJMvJ z3MPPe0p7JxA_Xz?Mkd-{fJO;e9UX9GjP1nLdl*)J77kizG+bJgJQleo-jrvVUfbYT z5MZL{`8&VYTP|=pa(Ut!wT_ok{qAduGhs=XMN92$PdnzM-PSFLTW>wobbCDv%hQgJ zUM8lui=*C%H)VKcVa&Ybc&FG1-VWp)S-_%*B|69oB{x(!+oA_S#?-av78y0xm!_9< z)AI^vpGY@rF9S@88KwFMk8g+gS|y>6QvDHD7s#&mono?emo+NAp`)HvGE3BvSsAp6!zORTO;ZUT353+;MsHZt?-v6IpN1 z)5c|VJ`1S(iAV9t|HAqHl5zhnjws=`yHK}1li2BI7-va``vc|AvH|i*UK|2_)OO_e zSDn7%hXztJhn=@NHVyTKY1yvUhqX9&o3ChuZw78R`S6I`@U{EZY%WH0cMg!+pA4$n z$zA8~R>#}3tdHk7aElm&oy&3A{$hAW({y4qTx;3T3E1%h;^T22`kH;IRXK$>(90VI zwbc2I_hbVna>Iw%LaYX;!E<-CTM$2dgy43mW`DkS!@8GH@>7~lG~YY7DxZ4+yEz4a z8d3*qJfq>3m$!Mtm!$hwu#39pq0*ew)9!Qa9_Rm!1qf(QS0!Z*E<`vdo6FX?qG-Ju zP*YO#1e?nv=~RF(o@ev?<%mMOXmPlaL@qqw{7}?9#xEr*ar{n^>+<%a55F89lv55> zEgx(BCB}w0JoG>V#|rH22SJ@&jol;=bGyu!JpSZbrcME)A@Y~B8&J+fAG0%%ExGT_ zFILO$s<$`$CYY$Zb1r$C**N$^@Wq1>Jz_NhdD)ZMBaap_xN0}VPJ4%3wwMy`t<3}u z_fg2YiQaMMYF`W&O>?L_SY^#tfZVrKj?{O;Z{Aa_Bl-D01VEi?yBfWq1KI(s@rP!whpN92nVr*(WC9B$ z)pV;YzxS$1!gfceTg&(G)a+|^Eae}uEHz$TA14p9eED+5Lt#f5&>mTFRDkt+caF99 z&={GqOjfEr18n75s6H?oOAqWIh@KJCX1HhTPXPbNAMyV$Zs655Ks)`Cvvd`+t-n)? zqt&hhMaUpobUcy<>)$3}CY-9l2+I2yTIHCB-p&_RO(Xx^7CA&o{|=6h$0c{Eul<52NSWE7F%CmQ;tUa&J0a-}pE%W{upm66mt|-6Rj>tDe4Vfhj^`wjs&IGma_#t zN=lu*C)<>zE+@37=9Z}f?xr4(_Lys&Rkzs60MyUb+BS#69&0BQX>)@^K}6kjEPFe* z3XrHu9ynxevnQd{m@_~hdQaO49t$AP+ zUgG)aSaRuXf=ug%Mad&=;~WzqJ#iptEb&sei1$dXzqwI~X zPfz{vd?_RV8oHwdXW@qfv9lX8`;)OvM|!DvV1n6NT$<6T;tccj?~Os!E5o|L6_j`8NvnnQs{lB zMY=!TeJ{C|p;tArojj5AgSqGcg60bo%3flBhI{XbHpSN^*A+BGtF7-%U`NkL`47T- za$64r3=mF03{LQd=?T|S>w|_sEyrh=7g^(OMFP42iemYY1Gt48-|%rcGIqDMsm8Y2 z!_TT!_oBK}<@Tlpea19*_l%?Do)I9p5DQ$)7wSw$IDC5}V&J&voa=GkdmGIx>n{Uk z8N@1~Y=9SvC0hv?uV?Kp)Z%Q*vdXcU`C^@a&R6UOzp?Z*sH&_MH&_3M3lP7@9APB-1Oypx~qx9G!$$a3Yt2H>14%v=?g3&GUsHw=E( z+-o)Cl>pVmh$U6nb)@tnoSJ8AurOQ%hE}?{IzwynA|$$9GUww3e%*q=0ICG35X|@Y zV!rI~nwps5qK3W6RVKGLBP((bB=1&@Sz9*P5~3{Yt#hf_9>FFJ#|2f_Lvh;(h=`H@ zUZ$p2U_aoN?AdUBsYU#fod+#g^{E+kJ8v3xmAI0X_eIRDT87x>U;oi&;ZNHd0Eucr zbGZiw*byg$HLbQ2$-dnC2S?qI0GgKw(*&@4-frj8_q9B{#3C?=!6raP9gCw&c`l;8 z5nKROIh|{^&(sAUWkk@1dP88_Jg&g`-2xj>tV9?{5&^X6*T9}TaMZ@T1?(LMQ(0H> znl&QAeE0Qe%}Q>C7iZU;%?a2BN;mEeM|Rde4&;4Ysffl-^E)qE!L_XK?=PM1uXsvG zSw=oHwvUfCKHqQcE4x@0L|tFWtQE$N$-y{SQq_p(#92Xht&u8ewUtIvj^FXK9M(}Z z6DhU`{4${yHP_ok@u-dp5e7gzh-zh7;_T{<+o83?ZIRNhgo=zR5NtWgYmoRkvG4X? zi?62s?j~$%ez=WZR(`m%Az0h@DSWD5kc{j;vetgxILJRj4g%EnvUdj|pGP>MQi3XG zc34=_^5l^e*TtVD$u&m&(mqS0W+P!^1ZXvdb=J0abJ0M!dZA*HaT6_F7-Soc%Z?KA zUQ}y$jS((80!;bf=T}mHgBjdb)sMs$e^%FSJu+Pyv6qT45{Il?`H#GGTJ7)XiygU& zvh5)ji#1raC}o5=5?&4WC6pKO^aG)+R6-MU1|o^d!f0IF+iBe=kPW2cu$e&`|m8DA}geVjp^z0yCilMf=>9n36(kY@eh>kpZ5cFItX( zK~AZzruq~+!HZrud9<&P5UBR@23IRuhH*R7C{)#+*v2_K?Ru-c_vVC+)wZII$^~|R zRba-qKfmM6qG0aLy)})i34ZaMi-2p{d{Yc#K5yTQGg@fd3;d#IUTnf_QK5`OR?DYE zLJ}JyoYU$UfZygc?n{U0g@~2eq&bJoi+XXqzm2MGmzSH1w%YOO$m2sOQ`*K7SWxf< zxr5F)z}km>dp^+S%`3iq(k8&m-~a9H`2<3wjhf$z(OLQQi;V9XFSS_|_-f(6nFpD* zm4(NKx&`>8DZU?f4*&`84^~ES+f)VTcEAIB`)k=)Oz~E!sn=44ci>sICtjm<_E3A9 zP$l^%M!O-hh`SITbVgv6Rd4@$bERCwB+AnCz+nGUA^_v|+Vw(y>qrRZxgr3L8~Jt* zHgZs3v)ErgEC1-$YJ4Ao)c%0}<9Xw`){Sto^q>a&v~V&}Hh*)GfN4eZ_b*k5hDOVl zeBQE>EV2XW+Y@2`e%qYbg~8!a)xd8NUi2^+-y0Gcb~D;%^J*{R)WeRY%5n2;(bKjc zW#ctI`w7q==x7@P^OHrqb^d!tE1!nRC9rhsR(M3R9x2K8pwjkHNaViL3vC}k{_3fG zUWzvo&BdAndN+Lp*0GH6rPdweL6hYoeipv5c54iA_1Pr(_t!8KKJ8{$1k|*vc>+N3 z9PRBG?}Z`mB_YiqKhA?h+A1i<9TbA8vON(TdcB8l^=2twhZu5G97PrpX|S7aKWA-t zfJMt?w93(aCp(Ii3C+saB}rGMjdVJ_j@^>*I(XH;4s-G$`1ONJk{+Tg?7hj*6Yf0Y zR{*qn-FSA1H-{~%y?YMD$5K|rrsl!-A@4CoCgg3SC6&vA=K1CQi{yD+{4dtCVhAIi zsi;^SvVOG+>eyt|UGUMK;qzzMNMXWrfBAoMFWf*o~%`mtI_DF|a4YRVYMWrX8D z%G*h`D8Q^f4|4)kMHCAxgYcJ z7`&GIy081buIIJf*Im5oL0=-?$TcNo_2mc4ShIYO@&Xd@uR?c9E8kqk4PC6IO8{y$ z-_zCKM>r2S)B}j7-BG<6{_gaPw7q73>}vmT`(U{DA&Z0Wc`M)p&rJ{ddk@8;pB0z# zwBv#4&x5LY*lX0rR+s8*T*(3;{s*oo#><4A5{SAU63b~V(HJzfKl=iaWG}{yYewkp zxjHbhx_*Qw9!O)vY@fuL>DIc{(IY|;lbc3q^*&EH&@o4r%jKqe!|zh{!$ z5qE0_uW0YIq?&_(FnrO@OkfOT*5}AveUsMiUj{kjF`M*$nlE5%D0_b@G3~V=8xZ_2 zMT0G(>9P6ofWjTnVyO7@}eFGlG}h=GHa&7x{WUL*Qe>F_d@L&cXPGqU=cca-WBRM zg#F%=Zv!YzHr{TQt9g8B?JAg9T6FEj&J3lG!^U$ez*zo>Gq+>K=D)J~9a1!KIl%N_D zgn;tlwZomi9&9GF>%6JNg+N!zpLhx2(&OjkgPn~Ho2PU3lY9aIUX}sV;V3-4SALWBS~nIFcdBjp~HNR!%noWgi48 zv1!BEDa1G^m$$R8d$?5_N19iSC${^ZjI+lspy^cl@n_nKpK1(lW1 z(mVgI9a2>-gkiX@&|jpMx_TS&zWx;^dg3M%oslS~@##D~=}P&q@rl1rtIhN%*=lR+ zYZ{ZprpdG_15bMVtnz2B6i<&sf@en3*@MF=UA0^Nv#YXPoX2e=eKit|?|?%FlI4=u z11nQ6WpcqD&~$7AR~V_-<>s)ykEx{Ig}ejjh};S(X)gh{?9FJc^3z1@1nCKM2y$dVqx!cD zF?Dc0RxjH1+FM}E7haV(=Ut{XWSq4RGyppPV>^3oJ(RBuWa5BgJRfHp@8Q-*X`O;%B7YXh*!q-sT>u6LYfWS|Dat6qHqH8wh^9w%pr%5>Ol&yDy zCa&$^329ZW^{_=TM1rtq!t4zxTf-v263n|ez5RMkcE68H$KYZM%Q>;+CW9uyJrCzE zo_o~U$`;bwGEMY1Sr_r`!B-sO!`a_EL6N%7-SK?!BD5Cbsp5o6S)yY@i}Q2Argz^zCT?XsR>^natzVVm_qQQR(Eba73G(XmiDm2Mp_lI8y_dh0 z=!-Jjo&q7}xK$xqzCiQAw7w?O<2?$nhwrd}$9MJRT(1PpC0jo?n&4-Pn%fF+`PMfT zAE0_Jg6qUS((!ulTL4MSRmxvckqulO-ht=hX+ShoixO&NOT_)4Dd~d%V~tfZSp9bZb4J|G|H!-o71Msl=SnOfwGy{# z=bT>|?S6AY9+d~oBGisWnn&jK>f5`tAFR#^_SId^vzoqf^T=4QDz^LlwXD5izxv^Z zjU^eW>l@$ndAtBfaGPsJKuXEGZ?vCSB(^o`gdL&#Ve)ah)cKGsn}Q4CGfQJ+feyU^ zQ(qOK0iC+kx}}BDO61a_&uWyo=E%a?^>4t@qCxfryBD>eX3o5NlGGFkmALZs)3EVu zZ0H_-CG@@nzlHHjfcyowCYQ$~J3(BFSdq9o71mb}%IFKAG<*R1zfV?xeci7MNWwcx zx5iX_DEJ!Qo_;@F5HLQE?|;%h84jcvJU2V&E)FBtWsT&kJR}Z*G`bh|cNv#?Kr7q) zTGNzKi9xO3j$e9ovof_uN=z&}5a<&e$m;slr)W`CV7bl43P{>yC7Rn1K0Rm#j6@s#izztwgLhoVgW^UL42<4xDdMy$s_{U_j3fKh2X}Zxe zvG*CMmexKoPXMq=7Em?^X zm`cz30$>$u0^058_4lC5X}(LN)h_E*bAUP9@psN>XgewlaWhCiE#a}l(;R>~2F#JDWdeDJ& zre}da|Nmuv{2U#^DzEaxM~$=V>wNkw6T3lHf;)IJJuZ+gs=-B2n#K)F>D)e=bNl#H z-Ulx2kugnTZ)6W0U;T1Z08PvtG<(v>U5s$c~T*7wTeJrc&a&I}$M z^xSc!OCF?h8RHDa56|kIDQrb3Aqj+2^`5*rQtktuTIu^5QK#wyg_&0W!FWrA|~Y> zNKMnaOkuwEK*s-#Qh-vu|3WFvHJi(=i*uva)_D)Y)cYjr9Zi~R@Y`N0F0(oU{taB- zEqaXjT!gS&rnscB$*2GqvWui}1<~sCF9>AQ{vll*Tl8Tje}7bc+UsZ$+&d2_voLpV zxu;=HMLq*R*kt;55olQ_swBxY>@}aM5N0CswL4{k!+bcR{m9zp;^vF0KSy4^cCU=* z^Ys6@E_vGRhXNm`c&}3xSNdd318osOP)Oj^Uv4h#pT5mut-n9fnYTgwk|CK+^()^i zUGN14F0>PPlR#U3PeMi`wY9@#Xe??SNolO#Q6eJxH#+OM%Vw4;j`uwG9gD`y_qD$l%Gr;Vk!mP$xXZkymU1xH)WQ2+O5n&F z-YU@Ye<*w~kllR@Cf`U~h#l$bzF?DZke`?e^=;pDX{y=>e=?GJseYJmFA$P9rEAv~ ztk(X5d~X@W4#V$&X!f^#*k*1(-!4+$q>#C0K|wqq7+(_PzP z;-s3{Z_aL|KV?@{BM!r0Rr&N+`3}6qZPmlWR6wTup7-L_q9To9E0RJgpZr3N0FA5e zzhuJo0)1Ww;MTcoAMW@1OgRbVwE(HXwvW4S0a?2RFEs^tZyddCai|2pY-3YN8+aIa zL2%$2H&#-3A>}^^WAD3%$?rl>Z&UZ@4_VGwqoV6jqvHHvBZwp-jBNX_g)O8GR0NBpRyl5{PHG2+Bf$Va7qkdO3ubUXtr5`%>bj8 ziA$iUsi!x9b%kNQHyZ5e;DnC`+?gj7osqz%wwMRmj~(ebY`ve0aQ;}>C-8alq?Gl{ zWI#9TPp6bi0S^`Af6Edb`m$xVh!rUZxvPB6Kg5 zZp&XP9*oJZy`3{kkdqgu`!8h7x|TB2TG`u%TF7%`@a6~Z^zt1I@|+zA!5TRu2n0QUio7Sl>mD-LGz^)%V0k>i_P(mD&!+< zRcg7>4K6a$IpS<%A2KmabXKF*35sZPumdkVHYkE(J*#0%8Vn)-p(QRT_m(FDlGdM9GDX-~(2KY8S$;me`|hDzzjnI;EWK3zW9&>5CrG@` zVR))5aKQyPHtIjK*bwbDkMTJ6;pp$*ej;|@(s$vTl!a-nPn)}uteywu9n8+}bxUxd z++SN5++QC)Ig(7g`fCpxaCOd7H(hICbf~6GL`9Arp_r(-R$)tBk^vzXU!&J(c-7|F zh*xgE0674%`a5BDWgT1~d z>7(`!-v2^Hz)gjBXZ?N9n7XeX=!vM@wmdBbQUf+9R^4rV6vX_&R@Jk<|F4l5KgOnq zE|qBE>%17%apH^-$8NMGrEy%VqPcXbs#n)1vUF%`Qta=}@SMxoT@3bBr`gQEhCZ2( z^R)i%23}K^^=Ym-F)pY2)VHhmsEFi01D|CNSuzD#lB|$)6PZv3T{ftb<-d6i*{Kd8 zPDzL-`uMi!|1-Z%yN*g&qqQjYi>;z74{%&si2-Zr0AF#U!I|9IJ34k${9lYpLgGq% z-Uh<{fitH#j#IAFJ1fB!ym8gg!y`UV%rv}V-J=->QC4CEh&Nf z-<2;FyboPHSkiX#m+1)*dw4Csx&$;d9lw-MIp7O}`n(dU={y7;g{sepSw;W*sSl~< zmBeB^Wzq(GcM*!*+PzI1HEbyrd{@&1QNOdGZ9s)!hJuXeG!x#XAHM{oknvw|95UqnH6si*8r>QL)kL8nv*m`fYo%L)JHpjI3+V$jkAI<1Rsv zq%N_b$?ITzWO9>Zw%!4sHgN@oT4PfU;ORUr&sL`VRlGhA7Rt6RD7SY8_ISFys_+Ei`-fBlAWnSr;g4!c>lK|=XR2|yJqBV3n8Q9XYAM!WkPp*W1v}d2eBEwv{Xv)oT+b~>rJ_| zY5vVbed*9?=%cScu7Y$p(A=50(|1;%B$_pc77E3QrUaAA172-In&f8-<@p419c5aK z%ZA^JvaLOljj+^tYS$m&DF>$I=-B!*<7B28zZx}XZI1meoi|=@-6G3LiR`?BNaW3a zUX)DpXl^x5KWuQ*T3D~hTxI^v?qp|$6*v6dcE;?4L(Rd<2 zvt}amd9u5?Ji&A6w}#V(QAtI5jQ(q71G5tFLpFnrBPDmM^Tyq7G9MM65NXXl zA*g+AT*|i7rZH7vMe;QCHvI7|=H76LOa&L-7c)YbBWa!m&B=LrHN*SHXCL*LC}N+n zLs)eGvZWfIVJG3?;<6IAk)c-`YXjd`RD2e$F*jYOH&RvoPqBlQe3+f0=v^zG$ZD~( zixYUo3~S~+51?~+VgH5qf<%wYk9p0J1|_&9v%Z^>&;z(_MENexF*@n^Ed`GmQPf!= zS_hm_lxwYjk;cu<;<@eHNrToeBCU7!69 zyq9>5F#N}oy8yW6jk@iZblLH)V_we1_a?YAC*%*ue>9QK^Nat8nM|FV|IuhXNA~_B ztU`X919ZlX>WywAB8Sa30RI#Syt|_tDrmsrvysWUPFo;MdMYqo?d*f7eBd~cL@nnE z_^-yG1Ut{{HrBGE58=fP`2>iEWUI$~T)ID@DLt4lW-NeA)&xHfTAkZ0jEgU*^$2?0 z|K`EckmOk_F*=d|ySGtd*?C5Wu)@;Qg`gpz7{t$dF``w*XBHDFm!%{~ zF6mY#!sWqjEgtKPV5d$uz6R};iN-M`7~Sbve-DMw(?kr;EVhZWJF^&7lv$D|!-S-- z)MgnU)tfz-${U~jGVw2dwf29F@B_>4b(loFtCK>Yc~dz+$Z5L5{yKX=_#W)*f1dA0 zXW+po_=d=lH{^CRuN4>wPkQ}NPj^}8)As%$dfYk2} zHemvT&PbQk!VkB*^d|x{0AkpOD3>p(^~=h+WIQf)Z%cy;;S;HFOq>~yD)wD<QZral8dVcsd{F zoSRY08iU<)_L>j3rCWZORbszex-h%;JM3|FoS=wY%8h7s2k?Z|iQZ4QVSAs9G*`vG z!ROoWcTtLIE0h938au5_eD5?)woK)QJ`_vJC1y?+p9P7ymhOty%nyBtY0Etr5o0o% zh$YspC0r+{h2XSu-?t;RbF@JP==R_g?8J58F^lL*jk7BQg2?tLG08`o)jHq_`*K&~ zce{|a*bKvcwl@Y6y%0fzZL{&$<9*yV_Q@c-`@Kw3;HSK@qNe;r4-F&{Z_b>|OK{9s zc21jV9O%D8YhKZZfbSLMF1%&=mwd1li(C-B2zRNHDa>7HWBIRL(N-X8j^Yr)S6LLf zXu$C(%W(a~!M+eOY&+r)O3ig`=W<}`9N}5UWBueS192>k=wum}L7(I1g$pX=x=3H- zg2>_;_3lVEY`ou=mfdcjfU>1I*r5Kv(f&&DJ*lLPVbh`p-0b1Opx*uRd%D}|Heqa) zjbgtBgPW3|pmeq=5IaDYFbbWgabk`HRBVK;!WJESL1t=@)$?)KNxRz+fy}_F^}TyU z*s5oFmoRV~oZUBGW`?4cXN%pEpTSKv5QmkKyL4v`ZFEi3Nt=ncJh4uSCVKY!hXV8T*o;(7`srwTvzPT2Xg=O| z7`Zx*D9ai4H#Z%oC-$mkH5vhzR#4=Dj*ejN;r#&xkz}}H?NgfGRu@^gjxPatskPr$ z>+M91H!#iH8!gOfWJ^;J&( z@#yck>2#MN+EVzSQxB;WA?;S(N<0U2f={;Fr|XC7xYdbhR6;22)reG)kj0>DIR5o) zF|rC;NtSiiT&j@Mr3Q~?K^_X5yII_EBaDD&@3ud&_@F2Bhlp33CH!fmJ-pUi9NBHr z?a0cYJ{uJxdJOs;5~SNkZ$*l@kX*;xp-N6U1aM+}ZG{9CU!BoPgZetGxJ9IE#4(ud zVw6b;^r0&-@%z6*38<3yoPfgW1^l_445J`JnqiS@V>v5(`~V_!9%|n}DINw-27JG7 zPzf-?btFc3<$f!$um-fUC|9W^P+SqrlHV=PP@F8w7>H|79I&B@ZWBe`@&Rrk>i4VkuB+(52|>Rt;W^eS&uN3h@0Vdcd;BJRd%9&!_(V;nzC5*;^S& zto*NU3*%)-?D_aF?M3hFGHU%u2-CYq?~VxRD^sDPV|DK<@0b#b?z0|6=bioPdK1=w zK=yjt>`A!?SsM7VD4)Htp6rUqhGftndV69e@vrklo?gFI-I|^sI9?;IzV@WxqY_Bz z>46hWwncUge-$g@U~pv*v9_5{bc;w1>RG(dep?fPgatq3D;ZIF{2`;ZnzBrnQhU(p zz15LX(C1~D0mvW=^RAA?%N|>?^;}3)IE@sio|tLyR2oP#{}TTmP{fLs=Clr$zn}Ox z#(u?lxb$}CjP(*S6}K5)IP;8@7odzvZ=q%fQ{!06feX*1Wd;&h1+45dYKy9=QSwH> zZ}m~zvL>lu2w854R6t@(JfS?s(owg;YsOMxKm<9hK!-_mE(gs2=!9M9;4O3=&v^RR=zBz= zmZwtB7NhB-@F8-zx+(QbiMZ>aEPib;I%Yx=vgf>lQ)F zoN;%Bl=w(>PY|KJz7yx!Ko(gP{bI3IBH_Qhqlu-VJ>h*m9)d1_STMavc2-5w46=YY z9Y3ID9gUx_Y^2>$a>5W+Oh);fsiKtmhIw>HWd@*)i_Oy^QURj!0H^%4L7ZoR`4T#{ ziUQqK0tBz)v>~8nTP@BrP^33AmjK<{Z3}>`(gmm7QU9>|k)3V>Mn0G+F~Ax9tHm@` zdH(&KXZOE65t%x*)25$&Psycn1`zT+)9Q-x(|@hc2(Fh+jh9J%tGgSnj<5A=x|}LF z5Dl*lPyO|&d~3U=>XzZ%%N#ba^NgykgroEOL|0I>urH9Vv6;_IN0*f{{NW6Q=G?r| ztC=^^BcP4CisWbeJO7&bEqUEqz!pr}+##zs_QA;nl6m0+ebYYaFI$n{MUfJxD5s zSbDu1U_x1dq)X216Xf+@i=x zd(E62d0dU}tDv2D!#dli0j^k7c1-`_snQ8_yz%^Y_kr)8^QQAiqhXk~obGU$xD%p+ zWETf%hmHcs^lCdzy2JV2$O>a&$v(JFv$o;E#97>>Ob5$(v)99e4>&S{TU#i;t7rQb z6dns9$??|VXrN35fVM%nbi5&bpjanbK*dY&=LhWX~~l9Mrd2IATUaW-ZLToiu$h=sDD1_#+IgBg~uk z;34~VxuK#)C-ljP>Spta*pU+gbVkLSpou&cwZ%U_tBZ_}M%0Gm4}mqtp%Pwgl1ubW zulXF8Z*Mz{y3hD!nh+=*e*mUQ!BR)_J&D|~Bx+?b@Nqtq5-iA)yX9E6U zkIc`b75z8p)X|S03lCTtnFr41*iISGe|jCABdl{P*XPh8zbxAoSu*v}>s$$>$YoHi zDaVe6C0OU$(av;|KqF4tizGQGj7&S!?;OLmM8C({D0-8e~e}d+3G&LMND}EY!eBntq6L-0GlPU;-Gy?4bio{;XX;FqI&GwqE_6Wq7)9SZpr0{B;QJxiXN=vymJlwgf@0Wlhqi_-c6?hOdM>7R z>_NhVW31)uirQ9*QD?;iCh8I}@y~|4qiaP}mTFHGd@&~c`lK5Z)aokyZsx{b9S0F= zgNkaUueuxZnaTIn3fPRfsD2NRJ-B~5ik{D3*gtf;*xUTY>@NItF%oj?2uI_uyPNAc zfsCay`=;`Ct>`Wu=zwpNxcc^7jBA${S$wnE zK!7I`Z2@zKPNWwl=6CJj@!dlOO56Z0!NO_L{G~~LsT({Yfxf;L4$-%PKt1a17S~~@ z^WH+OZ7k(KQJw#1DsxQ5MbbBC1xq1QGPw*uRZMBEet?AH-5i35L;wbWJlc7247qyNMxkUC)C$gVI2jf7AXE=N`Lr6 zz}m}i=5b(k@KBRr(MTf(jy2J!dHr<;G$DP%X#YG2x&;HF5Bpp5|vM zDK(elLzgm(VrvY24;RFi8SXp7qqF$&xeTEvFR-9DX7QM52|SeeVXKuadiZ?$8Di3& z%$X+%KB6rTSNcbGWTE3WP7Eu5tg;)>-0H{M!hIqe~?k5ZVu1;^8myfVEg zJomC7O~BT~X1dGvu79%4!M|`Nq(jWIM~8V%s*=Y<;y2!BDFR8&!n&1+i5!D;Va0K0 zx&k^u+%3l}7yhDxyU|baQ3A8~ImfN6%x90-v!|V9e5R&{l+HX4jNS}Cf$@^p_>MtK zdK{C3DjeVUh%bE57KEKv38m*z*)B~nCfLST`JyA>GGeHpxVF6}CHmrTJpD7TWc^+X zkE1RJp4HfGYfu9Ka(yF zg=dJ=PaL$%(^*Yi$-mV{N74rT(gWY(gQ^$xjKwULE&~S(dv*`zIx&Z;@26lTcASg) zBW>ckw6&0pSSAE?-|l#xiRZxJH!nYfXReAt95&-1Wu{ob683T)FkLd~^TpGbrRk6` zl5PLi0>sP#;9#ar@)=lyr)ttbeS5X?m%>vw;o4);UVx9znyi$!b9}&U(BCz0+R>?Y++k9?YLRPKwFU`Z!Kjo-4@bj!+ zFH)f`2cEE|ru1mpTI|`Rh8L`~(eQ)IkNjfDNey&SVxhqK@IsH6g8gn&7*h}J`(T^C zFHdaM7YkY|N}>nUEL}G=$y9dr<a z>(w4xq&zIWZz{WAGL{Sb)mzTTenY}hsWFaHw5Tkk~{^V*r z<5tmTWAixq0a*rE{T9XG3=!PE$b)}T^YLc=%WEH4^z%eqQ(2%&LzVlD{3)hjc<4cb z%9Rk@)#{BsEzhHmmj0a!(2NwFw51ff&Su*0ncFgt(cd$tmPAKHt2cdmf6ZT~Y{(CG zqd;Ll&pWwAWJzN$0wbX^2B|3knWc}(m#KXf-mKzSPrMh7ysqiVQoA~j|Kw#(T#+&p z8f=FlB!;}z?}N7*GN_xg0WijvD3wjEvyxYcfnrmnE;(c4xdmRJ{!Aa7Ey#HD*?Qg;aK?>T^5f z>;RPHHUG9K444ohhL=P(v(4njc3P=FFf%=CoPO-Fl=7I{ctKcy1^wXGnIf;RLK!ug zXx~F+;%-}&t(wLw$DFa#opyQ$Ed%*@GNBL#h$JnY38`U!Huu`9>W&)GE{?i~fjZ7L zk~6Q2N!wjFPalvhM18U{qhJGV!w|R`!DGO5{i1dA-D;o1_~#zaqMoE*D0m{Xy(LwcZWY67kP2TCiaG%#)Fwf2qrjHk_=)=ui-H<;Z>FSI7j-u6NmcYxG1g8PoB2vT z&K+Lp-NySCjV7sZyH|EAAA-FNR*IaPEU@vQi2V?8yT2CXH+Q1%3yS;*4`d^Jj9WrEIhszb^$(0|k;)t_HofUkSO`2HCO3z}lwmM3c z9#N!&jn$;-$rfu6T*MYPkQ@ISQwzj~Q0+0hUF!GchoE+Tk$~rQBu6-lT(ZA1v)e$3OmnQ-Z~Hdz3!^*wpkGc8 z{V3F)QkYQq>O6!OW&gU-0Vcv;dGoN!kyq2Y#`?91(kBvvzFl! zdMn%i;_>Cj0(+#q+Y|wObm12kI-Cboaro6{PyLS&tx$avTWno+dK}nhaJ#x+vR@S_ zC7i|Gam91{bbOaB*@W$mAu31tNCGfxeTmrNfnh0I%A2O|0L@;==s? z!GklGlMgV;A! zOaMZUk_d?&Oqoan{w9)Q?|3Qdf{i3jrC*8raQ3QN8y6Ly6IJ?>PMz`ud|<#~E`~Q` zckApohg%&-9BlA80|zhhJpr;fzY6B4%@N^OGrQD8fFm{ z`+w)Tow#2P^<8sgIU6+HfSeX?OUp-e`Z20)sy1HL>+*!WULM4I?%}wN&SSJTC!7-D zsh3U}by|>a%$stSb)c6x#@x#i)m(3R*eT9TVdwc zI9iE0$T6jA@x)I~U| z?Yzuc9(({AsdL~50Z1O+#EFg4Y==ByHeT&>ZfUn%N|}c?OtCR%Q7n;C)=Gllo2jK4 zOzo*!Z6GITsa?Wu)Ft^TkSHWQSP+2q^o+jmIjTwAane-CE->Jeb~@%yv(XPjg+P<^-f+#i4$=BOA&_v7|CmU5*&PzEH+GGCWN|&D9r<UfidbXIrq6jXjCz{G@(t4vsXS*1TviKzj8d0LQ zjlKLxe9UqY_Lx~(C2#zeymzsqWVAd`rrpU_%aq2QCr^~`AtoMat?CHt+`(9_yXr-6OBld(@Q}=KKxKndNy~xnIoulbBB&;E^q2U zF|O92O*9^SuDmNBkl?-iEb$y)sEVjjwop|)Dxx&H0snVVUI z)b^C>tC!jeR%FkAc+_2J!kn|j?WPY**wAH^Q1||56#I8zeVUtT}?UG#7>c3S!?EO_`lmoR^e>QbpyY4%zOS$&N>0+bfsf= z?R#rO%T?2kDAsN_)8}36xY2ghaJc|$A7=}y&%;6nWPzjNiULxBq0mXF&}#b@JlX9D zY9yi|`pYwnF;l4crZAk>Fe32xx57=qWQe=wVEm-O8L00c52TLU=t-S*{pcF!X3L{9 zs+cmNo_PO9f~>=PU?7wy`@=>~A?dYqyDt5bTC@!4CLl4_;rPj>j~ z*IK73cFanM+zXsTc2U+h?m4qPF0QT*0>{K4O6#|*m)=Di`%0xhy+2p3=P2pz?oec= zJTk*z*uX6EGjMfrXF?VN1P5HYC_N_!cYH{3nFeSNdHkNLYBK!|s6F6@5JIb$NlR%g zriPOtq66>p1O-!%bxEAs#iRND@R;GX0)Ya8C!2GD5mOEojUN27~Of75?*A%7jxBPu`xP<`~!p8R(T(#>hc2DV(%sFGIyMsF#W!y zXlzz};n)CGc)+Uj+&P}PbJr@QZZTkIJS`+2(6_OB+1{+!FI-9Sn;Cw2~8=oG%k{B)icl>0dB!~9v%k((r8}VbZkgr zxv|g9W%Cy7+Y?3Udpf7`*u`~+?P&fkz?tWj{*0NEsqpd6&Q$o2+0GQ4Jvqb>o#S`~i$Z>Xvc3vSOzlxG)hNV@ot}-7(wfg{F`JztX}|Bd0u~ zBWk!LDBDapJkQ&l822SmaVmAdmO(+966gEbO0K(dV;0yq%@=(pB1wnC@|-H)rzpGj ztBr9<4KmhbJOcE!wMx%0QrxwKH3A?^!kdeRS03(VdsWxx8Z zhB4nek2;i79hku=k)giBgh9m|gUFt`#i$eMWR(F&YJ|x9?CWqny^%(XaBmo95ev1D zgfNqZm~QMRIgjgDesPJ3phe#Y^Xm$SxyjVkh5bO-I`pfmI(y453#7Pb6+M^6EM914`}u)o?Ad zBj)TQEq;9pb5&%*?vRX!gA=d=htU+0UXVw&JQ3F= z1LV-bDD>EfguWJRDq2pSnDMM9tnznml|-QFL}~?i-2Ikb#$s`R%1$LD5U{&1s2n$8E-3i>PI{+o8Sl#!@Msn^;wjYMs+d{? zwGTV<;uciNZ*+;qmf9h7|e|M z-A~zv_m6k2cm2Na`rdz7%UV3o{XEZgU-xx=KA-El1A1Co>`T*o6+?Vy#gSal0I6)b z%#S`|?h{77e_mt`+OTL3pm}Dn-l#XX`i>fxMT&R%Sje>Q(v;Nw4RwlMh4;0Mgd@ze z?q0BpW*89P4k+FQEhdRep2qE%j~v2d>R1}v*~4}cij^{|yl=Y{NhLd#$p^{G#Gl zOFiIDJuYqax10yEw;Y^RzjfEL7H!xW7(CJWK2{RFQ*AA~+YMdBqv>-|n__Oe9${I3 zT^r<$7kOT+I}nnli`cD9rvx5YPJHI7`}@qNpN?k<;;KR{-i|djR0T6Tls5HDF!=l+ zRxAduPVhp5xbTS6Xa~PseG{Mfna{z&Q(Qir|D!A#FxOs}xM$1lxWnjxNpDhLHKR#a z674V?=;CR~ovyW04K=53*nUa$id!KK{YHtV2O{%?Fg~~Ugk0iS;nU&{Q!Xw4Ab|I3Z^rnjv6-bI!MDpX%KJWR@3xeE;b0x-e(~)TrZ|yY<))knGRF?rFj* znT1oNiC@NrtbENqElIy#B>0HbA(NQodtf^ z3sv2a{P^yIKv%U)7qWBU^})Khkh29mif;_(Wa+g$n&9RPt7ttMVo>~6{Z;*!s#>f| zAw8ZHmolp|^5?kVy=M!U;JaKnmK4oCnFzBG^Ahlemd~z6OF?6H%Lkz}q35na9%}^3 z$bAtjuYgonCv)LdpPpTytLx38VQ}nq75q$@P3mS5g^|$Xd|A-m_$b{N#bap^Mn3mc z7G=w+3HhXwNiXhtHG9;oI#x1*25);DNZ)}o=;h|~mt;r0S0Sha8|oU%E1*s-f{2X2 zoJYd4g35SJuAJngd2m<^zk@+vV?-qLhuW2FrX4ia@3K0^i07hH{l=-)`ptFJZ*xyc z)KT}^+G0UoRc=?6X);a40Oz#b{na^z!g8dbQbW~~jz!m-CF^x3$Ij6~>J=YQ3mie{ zc;b)vUfjgnF*>o!T8!VA=jm?g;BmRDyD7uy11B4T87Z`_OxY@*HY{m#ZJ-}kTqC6G z<I zef~no*(s23=2xiR3+fTJVSQl_UknIn)QPV*R}6t(gOszx$3UmtW;x~9rn;%lo0rGPDTL37)@rkT3jMrlMei(u@{34 z;iS)(h4w5y8n%UXK5NiVb4*X6`HLtV%5j|7Jt5EdeR2?U1x2nVtdNOAW%bp?#6VItlk>&qz1s)JIWkwo%|P4v z?&NQG(qt${jgsw`qOr$nmn><`XAYX#a9&;8-KmT4&Ip|0H+I--E9NSBM9`$IPO3F3K%;zaMelaND@e=j!w6WoL zfBLG>*60DQ)efjd@X!%-Z?}{)ZimdKQdz#q!E`?s6-*ASY%EHe;U_j4WIgDcop5?ukU$KSz`~$1x0h9z4Hw4=9Y8hpN7s(l%*0w1(7lL?e=W1UQ(Bx-6!r zwH>)r(dO0A(^uhlaEr^+#;?vTT~!`=xl6zAFchrhUg@JL*Pa>z;U1r+Mlq`Y`Zd?a zXVzI-Sl6}1r)r~ig6E=Ll6(#zMNSzr+CF& zJB4}zH+nzK%$Q~XJb4*unmh0EWJ1MbDxo`AHf#7BlJDWImXZ}$>vdH&jkEHt-)~>f zzFd-pb}IF1?(hhP-!s_Z;bp>V+b=Co(H}T#iPT?1s;w2^vsvgr8D~YL0}`CfG%^p5 zUP256_i803m}EMEY(AE8MFZFgu8tlxkFnwETB9z{>8EaUO);oDbp2*&$d%Nwx%658 z%A&5*rG{=bd;9jkn<7A2_S0T@gDv-T2@vTqb~8At5sDY1Gb2tZW(3oBm>x(cF@zG2 zTZ)lAanoCpwmP2amVRM}2gfv$#+d?{I$||^8{Hd(0+&{poHOaos>{3we z@paje2sw?SyKSu6@^5(3YcwNSV%In0Udi?4ULUmrO4+>x&5Pmb=sWlE?{hwC8IrR$ z#}eS%_uQxUZz}gh)AArS35!Ii(mJy4*JR z>{@BN@?g=F;1m=!_JqX(4NA7AzK}FV;TJ~;7eOgk?NF-w16zE4x*vrwtk;v;hI03m-28v#BHhBsyq{eS{76yL0!1Vk7k6Wf4OjUmZ&)OrlwSG zXLJVd!ONMrCnY8+iIm7!CBx}5MLyP9ZnwzJUCRk4rra+=GuMFl2`E6GG8;b1|f5!cv+&6?#O zXX{+%xkF6EmE@iK**UbEpWWL@^F>kH0lADHi5X^)m*Y$1b-tJ*Kch%7ZwJvfw#qS_{>>FSHsB6%ekQf3X! zMWWYD8_k1YZ_4I|?ZUW1+<+ui(Q614$?FVz8(8%o58G%xM7)N54Dk zq|>rnhN6~q>cfLpWg>%+fCh`V}heqPYdmN@D=95~}AD%Ctu38LpkyNw^egSkH zQF-wY57U|Z3=p9gl(#;nD$V_V>kX^FE8u?2c1Ba*Zp1q07VZg8s6!VZbY%V7jq%k* z`MXpYuO~@gk>*DZXU9G}ZEcx#p%%AG6M})>YD2#E(+!XvXLv$XpIjP;(G+Nxb8^8^ zlehV@xC{ibz6d$C@y&L((O-HRgVcIba~4uJjIpa|B>#`xce?|xSP z>j&QW;J{2(aiM%_2bI&?VG?Hxg9B@Pn)&?&Bbe>>Ed1N0s1(Ga8*@Cu>NIH3An@8P zgyz56Qd9I&aZV2e;={FpRhxLqeaOpsAry$t6?l;6aEe|>Xs=}6dDC`Yb#0r{WPg_Y z!)>q&yK{z09ybAf&+i7XA>Yp}R^^-)h6hOMVHvOl*dQzZx%MwkzZt-0m2=m3x>r4B z1Mx>VYZ(=C)vId2XS`Y)ak>itEiDp9V44~>Hr1b@h^_`oDd#Rw)+)Rw0TI-qb;f$2 z9L;KHmxClFu1Q5I^lPj1st>WfVk?*5Lv&n5H1OuAJeVQ1@M_hOtIGhrQH`DLK(nJE zw(Y(3YF69OuR_-2XMEpb+(#dbq>8adv!iPww+2@dr`cQDQ#@*j!61mfQQ_5ChVWO5 zen=0vy)c=M`inw~d@Bxf+D*h)4h}7m$wMIP9TPS9VksC=+2(-vdNrIu+Y8%0@On0| zW^w1f=j3JP>TPkQx%U+mOX0w=y}(j)3FRC$%5iZ(_-35!FZIxG0rMwmSmp$(EtZ6c zsuhwSj1<0~kdRHe1n90*uupBqCcJSCsHvexP!rI31dxK%tTZehDWc75?~JlCY8B1W z=?>>d4BG#p7&S#u0(_#@0xv8%b{VyRJ#4#uIS;Ez!mP9xub$tu88)F3G4lq?>ZiKL zqad^x)_E52Dfcmmwle(HKPY0#uRpY7(C(w&Xrs~so2*Idl)VPAv19GiCDcf19{q`; z%MgTTpsnHVk;RO?~y$w=~wd ziX7{e*?il0odsQD;UpnW6XT7H9tchuZx>J;ai%uG)!cT+_DzHQW<<*5Qg<%plGny1 zV6d_l^;P2Ow`Jp`833f+AXiNGD}?Ei=mEEuPiY;X)om5qUeqipCudEM*jX4%pU-{t zoB*&BiR%jB&ifdUi}*1vJ`Gr)xzK`6uC#^YP(%fHgBGv}#Ga|9M<0D_aU z!daeNvPcmCXru9i=OD|Ce^iZ$jyn$@l3dr@|JSubvw;qsJjAT}gL&ox(M3iy_-=~t zjESEIIZoby9W)WjF)*z&KY$cELfY-&lNQhyJmM1{-kfkEx&B(Lu>9?u?otl}*nrCs zX&=|*NIizzR(r(DWQEXoK%$MSvwfVE&H1Tzo^!r0%){VL| z7V4QMh|EbUyG!+q;U>ta-ph|UEp@hmliQN$?JLB(v(^Wi};wNt!ERGZ5H!Pjr4Ak zf!^TO3Gai?V@xu2Nvz_#k8$@+Odr@d@W!)Y-p-DNR0;v_97s+GJ;9H2Vw$%rFxylK7 zCdg4xg8XZqInDfPYf?&!!l3CJo@x)Ay|yu ztoR2|GbuM5L{7atYYFYCU`WXkN23K0j%geegvBM>FjG?IJk4ysi~Ai6ZQ%W*i!*1) zH6L9_d>vawXx|ZsfIK?{0kn)Up7$?Ot46~l%$I<=g#L=EUSCS#BdzxX+$|dtp$rj1 zytJ+7cwr0K95Qgg@EOu)=bW@J4iq2pzuHGg988i4!OVYq71l%u-NYH9+vx(`>%B*b zoAF&PIjJm0b@^QM>pc6OXt>h-ouVRA-U$U=oJYrN-zMl?ltb}Ge^p_!ADydsq9-3u zP|oqS#BU09V5|t1gmY2^1|1sieER`;Hs}6)+|V>x;wWK(iDU;&C43u7O6T}q##c>_ zlZTelt!9BZd|y$PfcdURx&g$^KKi2E9_$kD&9*GP)#mxIaF-dD$a1{ zHqc~H2JnGWFZ5^J!$m62TU+aD68BB4?0(E z6;B~`tY)gwv+H@q>KFT_!w(OyPbYHypR(H!)rpCTIu)-T#kf?T#(v=?>WN6(C#)1_ z#~^2&0;EHZjbyo4_UB4iPgs$D>DChq5%wbOT8KxUmbJQFt^D^b>9?N6B1A3MUmCWG zO53xi=T-nRjy`cOB}6m>Vr3?))eTmhmZD6)>I$in(!1o*we>r#ZS{Diq_MuW>GP*y z8Rnt@M7vg>uTy2sq(vU2d1`y%xxm)qh z5(TK7WXcT%NrJuu;euQ+PfeAsJCotwJ|v+A47?EQ@bEadB~xtqFoi ztIj#`9qw}grr*2&${083`zft3J#4CpWXNOeN|&#mEoXf7W%I0Ja)ePsCSB zU|Q~MkY#G5-Z8{{r~UY!dKSKyK&lzAb;Ef;jM4vw7W=RG-v6IBS!(sR_6 zVv8e9D#k~t$j9z0K&_#USG_Y-pJ=pBO9ui!I*vL_htS|u_;Fj178suS_S~o~;wc~t zk*tqf#W6iYp0m*aWA>log)FByWW!dylo1La5>DSScFpWN-(%8A21VS2fv@7tc;lVOLXBrv=EFe@}#INavma(6-XHYT@ z3NKQ{i1H&%(YY^7HHOO40G)9%zVdIYIRdyNLg@}UKYql*?FyT~7F&_gdc_nC^mru-A&;VSW@AkQDyB?KWkI)YzN+>8 zZVzM@>I&Y5I0oMX6k*;hj3>UIQ3}G5wx81lKNZ5x>#hURX7N#CC5Y~NmVnpXk|u~d(Ag~rXH5%xq|AbgspKx~A% z14(})?2d^BpZhNZYoUo@Mo*#!shC!95M5BO=vr~)`)&I*9Q?%>?|k_#HHk*t7Y&Z9 z`I6Zd_VL_w8C`91#dtGcQu5y8LDu37-*gZ>*LV*0=zRMn)WI7tnJ5qutX>N_0=6yb zqVNqKck~e02o05}BjbShnOU4xa`mKf+v=-?@htP0L)FXG!siHBYDjuhJi;5Wja#!Y zU(tC-_xl25ywZnIuYC0*T;a(|5=0yLnCMHwCiLB_z9$1g>(4Qt_HP4zR5>0U_b1Pm zC4L-6xT_B?g@#~*v7=YE;FEkm$L2LHK|zgAdWu>3(`w{4LuJpP7}$2=w~dPd!9(T` zzq6ls{B4gR>ptEQ-JXsf0+G!7dmU$qB0x3s_n!vbdiGB&51S&XK@|MPh!Od(m*f2h zZfKpmJfjJHu4^&%42`<(ZLn)P8!fmVgIx|9p}RJU1y3B<07Q@*5C87LhS%N);iAxx f+z6}x>le|p);@6$XSOLBnuY#ZBb}l@uZ8^&b8BM6 literal 0 HcmV?d00001 diff --git a/doc/images/plugin/skywalking-4.png b/doc/images/plugin/skywalking-4.png new file mode 100644 index 0000000000000000000000000000000000000000..4a8fb15e9b48a7753cfe810b3eba762edd0fadc6 GIT binary patch literal 30340 zcmeFZcT`i`*Dj2DJSZrUDoV*wL`pzJqzNP*3nla(x}bnGY0^vN2u46aNKxHxmHnLjejP-dX7otWY+D3A^!so;u zhEEl1+$iZx?EAd)HbcSl#)W&y2FenmPx?-~*)AvL!fk9YM}wtY>3}zTVau%Mdd_*t zce-`Cfu~y>ujl}At%1YdfJK&ZZjY~5ZXQ&&d z?cLD*;@M~$ir3YdxM6&AM43ya?Lu4F-Pw@MAY@$&Hh8hVicGli)pI7kvS*8aKnUBi zp=C2qW-$YLlah@6=x#$t~Z-Ho*jXsPOsQ5e9ME3*Y%MNjbDk^KT-K8 z;VEn_y=;Ly^c8ws6SafC;W=(+zItoJNbv&~A-@5TOxw7<7e+yqhr0*Q)t|p|E!|vg z+^!vdMpU}6=81?-lgHL$9^>}aIuw1|-S{+Q^E7hHlz#W%x#`4G%QiFcNteEiEG74C zYvi-$4=@hX;0aRluR1 zWh7bo8Ce;6F6JOu;rk7Y$4Vn;P!ZW!l0*fJO-O5pH**Xv4p=123gyXu=6VdqsS244*t-<$Ox$vQW%3j)$tvV6{@NojHxbXmaUlBWJ0;FjPldQzhkl zF&rUg_nACH4BPsqxp^u@%BD{>{@zjearfno>es!gFeo9KhAxa%ec|XL;||x(ci2!{ zdL%wjeswcf#Y2jgupbCv7!`^6S=+0ZA04wD{K0-=!1C*Z4bs4Bxs;M=u;@P;1D3XV z?0UVcy{((6o27d}+Nr0dcbM~C$G2U$>+9R}jPAv&YV}<1WA5-Sh_c@<{Pt3~v=6I< z5j4ISkALdFao!~k=Tj|>RBbK8Hxh3=VZc>pu~+Qpa^ou*M-OvN-7ZWX@iOk`*6T#quIseJ2@0Q+{1q$$Qhz-OM@xl>flCee z4>`Ny#p$#HHse_FaTJ}G&ze*)TRzba7nHmxbnV@|S42ZFREqVA+ux6}NJT#NopD#k zw>_-|A2^(a?CsHv4c}|1h-8oMQjU-OYqUpQ(qmaI2ZpyVk(*E>10 ze}_jBuZ|v}RBeAji`MqrNnXi#32_EQCLBM;snYi;6 zpcXXcp`6qbtnr-OC4(-*bQ8o-0VNz4xfCCHp?G)e8CoQj>{!nxvFWG zHFEfGS9yFBG)Wu9@#v?i<#RdI8H2wYSmfu_fX2P@0<>4f>P*3kiI!IrH#_dJOzEh}e=yXvN zw`tS^X;~kSL6TU}!uec&t#^(8Xk?g5h?JEGWb&IN-~4coRZ!B4*bcv?JY|LuE3Xbn zUtW^XMrdq$KYXg^H1R6A!hjPtB@f-|zW(*#ElxQwFGo1J^VCwC zU~0<*geT(YZOtiWvC_h-XmPvO8l~0e>IH~7&AMXuMT;&&}oTi>)mL=GGF zNvW=WH0(=4r&vX;S8oIO(KV|;pmFLdE4ti{9L86b4qHfGDM>n^!-XyS7I>grDdjmn za%-{nVh6mAE`u{%m8)JyV=%5HB@kqJGq;u6Kx;3_HGP-LG&ID)wa5x76;gBnaYgLE zeQjRmX72KrhGdFmK8gHgzuql7EhQD1IneihA0`k27kY@Fs{;Vyr;elxA`+`zT3wOW z-aE}Tr>Pf9HJosTw)j&4?yJg2OkVN6U7 zGHAAw;&?cJ7+&w~ZqDt#oKsgz;~dkil^ynqIZUGZB+m=o4c(E4P4dV@v0v5nX^(k)~x@itRf*$z)@zk zYF$X}otL_L=z;sInm4fKehG`TY`1!@hYpdKils`D>f%q9?CW0#SWsiHNO=pNr+sZ! z^Zt`m$+!J-E&ly0roupw7(sVZan6=@jr=nB8U-nx=$&4yw%KEZ*<+(fgVi^t+jm3l zYQ7xr_&cv6!JMd!nx5y8gFk8wF-LS3r9RAdP&y;J%+?MU7w_j2>-7}kK4*?sQ+%9M z>lT#!_*;!-ot8_*;~DJkep-r?&C=AQc9~3&b>C`wi{K_3wrlBXt0NQBhNU6GY;7Sq z#rS9J%Is`HB$>#BJE(AC0=WqOVuKxA#JjTPb;) zes%g%kqLHu20PxFlWA)kTsCU*DCv>2929pe|$ulh@$Uv-${ZdHILugS$v zIjt@E>Xn_gc|I1Ut5(5?RC4fjHu=(E|waS)#rdjJ5Xmell>uC=mVFXrI>2j`_6##*DST5L>=x) z(SLLTn)Cq*j0RWB8J&gbEB6-WUMBKjWQxA@Y?c^{!MVDZGP z*=ahZX-nk<)6jddl6%pL{DnZ$69q^eUM^+j`deNj#@q0=e-knwrKSr2I5m%WC%0Sv zUGO~xLqX5qLS$}SDY@4joB4%}8Yxl{gQqG;)~>noaG3CL8jIUJxxixfhsG;P11C|u zq;p*^W~3;t&Pkx9I-woJ)F%F&=ZMvFei`%|U&!OC=dQm{Km8Hbe=SQ>_|HTmb+PEa zPJ6@E2R7f zcm3WVNJ)98?5IM>-Fd(H-zISaceL*=OEIq3=-M@_^XIRV$Sbe%>9w1l4c0 zd8HHC_dW|W6|(M`Hv|HfaU6yGCeH?6voWSDanknW=(7(qI(X&$2NS+ z#$Gv{0DL_9>^Qpj2jer3E<+Pch3fz3moT=c^cSr|)t;ieZWqq-)yE89ZoNj>i!3)> z*#nk_2=R87r*C*!59?xupC2E|(+^>zGVnu9%S*!CY;P=9d;pCgSp4`+vXHZm)pspu>6n8)i9b6h4-Q5j>N@N^ zy!XaIra8vWUqb~|3;F#XOC1_mM z)ym~0`GCnXJ&^O`GO^rZ7j#Na)rvi?LE)I4RGONFlNDaP1)TaB>8xh+)0Ce2*IqCXl-&Yhs$l+4y#r^7j(_sS!elxA6N zC~*I!CS1CugDpNteO>l(x**QQVAy*Jx^I5aAtmQtPqB_4a1U~iTBRgzWyTHc)2l~A zoI)@z@l+x?al+RDhea12T!{XAfe%A1U0b>_bM00|^J?ELNE1esLe9o@EX{nc(sHt% z^Lz03HZB@4?G;TTeQXUhQZMT~2EP#D7%ki-n%tlj%s+RZ;vB=W@YtXv7a`)?m%4a z6{#Iw3F|6MYs^YK6bE19I-yPY9>|6^LPV}gA*W;R<|OxpO(4?`y1$q86wOoa2l%an zmJe*NhQ1Yrj&Kd*srcu1Bt>lp^11Jq%c|GoIua&O!`?+plDS3-Z?s>XgHftsAk1zb zW@amezK%@kLT5Iy*@p?w9r`PMN9DsFwP@k4 z!zB5e9kim1e;RPlxZqt=7c#xOmM%{V^~XsCi#El?&Fv~+_LeHGg5A>Y_5ure1avQm z1Bs+<#leNl;25DIs*OhS2EBYCyXEq`eq#0L_Ksqlk-rmNEqc`FbN4z%s-1-i@;xCO zEgE}Uj13oQbKmmu*>m@m#UOTfJhRZ-Bx5@TG1bV_FNfBBcQ`3ymGt&1lS;{`{qC zb0{_6zPG9^K8C{yEV;b`qT3&2E=^_+>q(c?xK}r?53)i$Yv7a=k{THKalK>uA2jq} z0es4Wo~I(ebF50Gq*=LpCyHH?p%6S~r2DHlj)-umbkOMK^QQA;Ap&9(Lmn3!~+dQ|U`ew52zhAZE@2FL~@Mo10tnJylVyBp90 zvfN1dxWtJnuv4VWk=F5m*8h4#*P@yCVQn?`>7Q|hR7*KnK`%^h9wW7f!z8(80?N;{ z?`enUyoB7h6lH#iFMi2s-}N|_S1`(cZdOkEEf?xk*WDnzXhMT4yKU57fhv+KsvJ*n zjek_8FYDd)#xC`86c;Xtps?Xrsby4B9Q?~L$6tpcJ~~{~i#+I>JSg8!J;caKA(m|- zC+Wrzc{YiEeh?qzl%7;aFD^@$Btf-CLwz42 zG*rs@-3-W>Z=J-~Yby4Yo5B%mL`oki=+1f&ozgusNeipI(pp~=dP=gBh^nhF2n0I; z__Py6jGv$e&-9ZGCw=i%F$*iJzw`)8Tidl3<5^)%LkJDL0^h+B*7}5H zsg!&=cm}EhwN^(sQRz3Cruh1JOz>`=u+P!kin_hnXrY@?4eV;cozFP3O<&Po9?Rox zo%>S5Yp5I5?Ffy$?ZZuH@uHBrYcHKYKe!mX$)p-3$;pMj1<&? zr9P0rs5sKTi*{d4-^0(FoevTO4mrUoxf(ett?yM!xcaam(By5o-qrP~3Jw)=UA;WD zI9M6eX{YO|G=`awN1-Q}6Z1jwl9hSy4<4jV(9!v)Ao{^>bE3(1*2m1c78(HxU;U1vk-2y|8)wg$LSL1`l337W4@L)?L zL=n9i2_zj>9O=&bUimb3sf)f*8&Eq|&3Sz88-*_GOdC&^{7WtqTR_-3FhBUxq~xwF(uSWzSF2|*{%`YYp}PfrOQdxpUi3;wEBaoZz;AN{)&YVEJB#C09bJ_cdoSg ziF=;!CK_A=tUO5v+-iQE95mmiyZKMK0$ zM2PE61>Gt=Rv_m#vpy991Vz>B3Il$&k&jx%rmMN?QRfm=o}9f}^i#hxK_Y)d?d?s~ zl93LL$}HD$7zjD>Qfytwq-q&PvF?6>_E*!ZSxotD55nuWcru*bBISPeQw|vyj(j(%(Y4K_g=pQ8N+Yf@GyG}c;g3Sj%FWK+3ng&f(xtdwl?KcDL=H`7wBykSY+nxA>2ZQz8 zg*Th)1>>ATtgDmXe0@#3og#_bhbBpl9opW2S`T5~iFCl-TEOJmiI1A#i+p_xai(_> zk>;D-BxBW*sk8qvg+77aM_Gc<=}xPGH)67>6WEpW(b?F29Gc>H$wqe-`*bZua6*$#~GFtqFn=&c1EVLQ2-7{{78?7NJ;;O`cZc~%QJirvx z6WZGQ<;EmT)qs+D9_^S6+odPet>H*yMqc~hy?5H-p2)JqvBm8-?4XmqxnCTY&Ol<= zCEZZOk(zMyi;*gQm5P4lg6a;q*((WxK|kU7)754mb@A*#ghIeR}Fyoq=*-~M^WY5qCk!%UDiopWE>D-iz4HnBs zWAMA9r)np-kXtH;2QuRUAOjxXqA#himEPewFd_ydTKy&2Nm-tLx9T9bdi}WupaBjf!t?Or%R5+2+^9rAD|q3KordDt6rs zvAZn>H8QEXVk=Bz8^Ma{+sFx8>sy;LSf#?{g&mt$41nmeucP{PuI> z^Msvuq(!MCzA8+myUY>)qD`UcNK=FG#5#cBD|TV$`mxTI?mO7f3}WWQ<`Z^Xhy6>= zv{d&)6)}w$=trH$o-O!bJK*d>y*3Lwah(U}z~{qqOB8T$m$xs4?$~X;+?i``h`Ia{ z*zlUe2e4i+u7175H7TA2R8GpbPbD|#b`@rLC7H$G!9G2(A@feyIYVsr*Tb-UK`m$G z83!Q~gUVb%4FhDSJ@_93T+~!qK9& zphd#cP1R&#$j|3Jn%A+VKqe}8#QWuG?05r&C_!SGZo>z&Dasx@yrE6UN=TkZj%x1o zVpz4=uUs?5>F^*XR5NRyC_%677t`pJiA|&7Tber)W6Vr_F85y{A}cSczVHu?_bUAL z6aXod1UJr<5^6)HZQ28<;AT>M&}~CGcQgG!YH$G(_#RC!j7I)3N_!wdk58d~lG{O< z8!Cv|X{glP)Gnvbjvu6y8S?^_e6f_SLXLuNc1it}fOQVrJo}bLr8AHopZupLh{#-H zC_r?LVaR*?JBJGsx3<4t-HAg)!ix7muLz!UE&G&hRJYfoBKn$NyP^qR!)fj@TESVk z74<&Z?9Kjzco*7jd7-^ouf^wfickB4hobvNaE@s;Wf&hDhZz?K@?YbTws{ANF+#@p z&3hEmtNI1+(*E+5oZIUuPFY_CA2N8P#5hB3LDkge(HiPncQ*E5YLPC|O6mGGho={f zlT8B}M{#+N7adzE2TFTXu~23M49LxvlW8L?NYKQjX*)-2q1^wafpk>_X@q{N?>Kx1 z>?yN?JjWCNUN7$20FtXNZ7!~7yuY!v2`K3-8s1BaKqXy>VHeU4dz8fv$y5Kvqt6o* ziG_gT~0`%&#DtuEx9x_Wxy>$M`yk^Ft6aN1@_Hkv?c3rN3%hg+jp|BxmPi@4Lnzd$)kr4vC1ovk>XWH{0(CN<>}%c6dOMY8mA)cfM#VTsiZt zO1f%(wP$Qx*)FenhT=pCRks_Y*I#+-@Q;XJ*|4sv6_k3HKD$a|(TRIq$)Z!*9hgZiAiig~A&nceU$WNujIF zb$h^1nfl!$b*(L6t_8r-UHK^&YO_B)X*6K(@wZcuJkp;2)rF3*w9&--DHFS@uLES8 z=_yfrb)5-z<61kR^5q3L1%M$Q@c8jE#9$h|cGN=k_VWMc@@{PJ$;C4&>3`nwqq8x7 z#53y?l8(BwnV&ZBobk6r`|4r++L@44TVP_cWe353R9r7##ogj(+(a~wxlPG&9DO|M zlwtbM%ic9{nBb*Vt*Db7hcl&2epgykI*CamK?9bDbsMhDpwiWGFI_G&m?&Hu2bA%b zEDkFS$V@dkyE&(R>U0s4Xr+D%-~|^3vsQTWk}j!Q&9|9;xkoPhI7At z_iw#F^h z6%`TtN?Uv9!+Qt)?jg`%Dj#Ng(ajyHNXj_cU3nnO@$V33T8K#f1)$#eHN!e!lbndP z;%7)>BJ{6pNnPP+Z0H87nKFq63YB6NweM;cy+;0#h>d`Zft@V6+ZiHNTs-}+fD%_r zf~n~km8HU@%Ox4Nf)s-(W3c#XdI#+A{J46`$aXbjcjv#~-)Lbg9E%VW#OzbSS5mSw z8Ld&pUwh9&HV>cd&n`@EI%oUQhLJp>yP2jA$>dr07dw)D64|Eh^^W7Z51jG<4Q&7^ zC$4Ylk=axs_mS+m+qL>QG4C`GM+Q_82&NB^j7R=Zg=(RC zc;ZPEdX!yi^Kjsh8rb!O$Q2>=cdA>W+Aan*y2FR8 zc|V7hG5jXm`l4=^MA9770Z<>`U1T}|F;mRv+E4{{e1F@n25PPFuX%Y)Ce#WZnX3j# zh?j8n=9-$1j)`9|x%lUnNNwYLW5KzRYcO ze_bhW)3$8$v`L}=yNNugnOiZ#a6tE&vMKzGFyUPGq%M?CC#!K}D;0MbEcCw9KKc~r z3C-2OMG+u6+nj6OwZnH#TXOEKRN4YBUEWF?^;ycveKU4ZIf1MX-utF}IZwFco|&cC z=(M1%!K7E|KFgtT;b_nTCTAUc=gcuf3WT2VZF%Q=N2xaSZz4~%8pH}w)Pg2s7ue3 z>Lp28iQnpd9B(|C()7$WIKs<1VGzWMs>H#7S}o#dfgWPUc;{<&waCu99tJrN6+7L! zL(Ulk=(1Paymc7W`iaha~}23ltx*{)|rer^=%1 zRYAAbCcJO1O<0&VfeX&Yu7fO?yA!b|M+F(2;;qB#&wIS73S6Iw0<291IxixrBF@A( z$2jlqY9~+YV16OZU>#?xwuws&j_ootNH`Jmrpjfr@(`$pr6*w1-}DOg4V4uQWg|o? zj_a|5Z@N2j)ae{&<7%B)d*HiBJ|I)AxBPb|Z_8&t(B_q><&oWthS-L(oXVnnH>TojMp7%e zaDVHETul?yKo}(Cx!Z%Fo_i}#%gsJTq$ZNvLoi4ie<~~}#Gi_ko@<2_YSTZ3%(^32 zHp456gkqK+trkwltxD)ThLpAaK7rr@KO;z}$fVq>4d4|!u0fBDw9X{ncsb(4k zCTLABCiFjyu5P`c;dS zx2jc0qDdh#sDsY837Lg;zI+9HIDQsTYq6B_ZXNA<;7^Z-D&sHFMVz+&lm}juZ7V{* z$NDiJf4z0nAKHFp!tW-mc?q<^N>9&>~oXyqaGj;C8S7VLevt)#Pgx}3feha$HkZGLR^FS?rdz9^`Fq`%PW-U@Y9 zl8@Jh*l<6ts@o8#bxW#0U1I$^R$M2fc|J#e_Xm-zrLh!(C;?9SzpqbONCJ{CR`2vIG$6X?RM@-kL1R#Vef>s_G zKIma1D+XVu#9-;!?Qzt>xCk)$FfM}J8fxR4K20~LhPut*4%%^Nl;ZfmWXYI-NgRNS zE7rJtaI$Dyxq4*(!Nv8as(9fT{i}N&0r>SpNBIbHsE5r#rTZc~Ft6zpQl4lt#1%zkl~VdO2U(?w~m!lb}nYJG$Pt_ z!hdoW*41eIrz%kvz!>Tg#tihdcaH*oPxjd1{%6J0{?f%u`3!{l+OwSMQ|}5wwETWd z4Bwsni4ceoLnSOeOE9pOi(370j*i)1^`)k={ zcAk`Oi`z}zFT`*6RxC1@bX%Hn`0H81U0WiJGY>-HXJwAHK2snCy*OwSawDVZ@SZ{t zsq%UV-ucZBWEHzH-uRhsEZEijd_~=F2<3VHC4XJW)^%ImR~gi_IIgue0q3(`|pmgh@vuPtbg+=&a1kNkGprGBwK#KQLlP4q?5AvM^- zQ|U5miQJJ#E$+H!He#H}h&Rgq;+7u?S`A*SBoDb*gGR2qz3ZuOIZkMX%=f1D1w3xt z-SVDY5yGODIa4}DKSjD)0adQ52OM+oYtTU7^QS?c!EQ4vQrSN0K*pA<40 zgO#TIDP11RvySausO-VPA`TF#=Pq1Ozp9O6b1WY?eb?FB#aFxFt}IXn+rQ)6L>yWk zGW{cI;Hw^^A;F#G84_A2B^jUBTz=c}x3L^O9@!}P?yEM0lHJA&6M2p75Mmja{YMH& z>awby*m2EQ;`#yO2UC6W*#r3g<-WKVvxE~lL36P{W9MJHZi0+*o%5e}-5vhgeNr?% znoo2S=mpMON!~YNH+{QvWU3FNHXkwekCpiq0-=_{2dN(GzWh!cbLxVs?xb*1=k{R)K3g1T_9-=Yq-aJnb!T=rw>*3} zu9;s4dgwh~bD|!`v#(5u>-bav)Ew=a`_Q>w<(8LiiC<>fB&Jn%%+YPt);ei-BrrCP=DG3%^leK z1WM>LZcPTZm}E+x;G7+*?3_!k6#kataqz z{lI4*CU&=1%E-6p1@0=4)X#{QJNzyDIjLIS#yRS;-#dPz-Z&|hjO^ltALFaDoe}A_ zc89@;u@*(x%|dsVP@rSNPA_BxE@;xp{fp};K36&`s$91Hc`vH){;9?mZUy+z{6JiI zh;GPLet-Pj>{@BI+r8IbXNttRjeu@=^M#Qvwf6X7(~j9h)Aq`pxEF5cVO)Yge6N?p z<(dT6Jrb!N05M-Y6O!)duwU~cKH1RXcIdgNL@b!QiZOnhSnSe^$Bq67@<+qZr^ zl?$|gMDdUdyb^m=j5*m$LTm$@Psvy$V_$fi3St?_NgO1uhPCX|>aOsbHTe*@l6Tzt=u;4H7St8h9 ztYp$h_Nk*tg-?(DubW3MB))rA;1nMlhX3#d2z$Zg9j~bYiaAD`|13(^+D(ZL$kyXN zciJN^yD9#Rcu^t806)vqo8Zc-9GG&A?L&W$Uq=30Kb7u`#Zq&m1X+w={Gxj*$00{V z>uGcAr;r?%L&v+=&hKl4VB5SQ9)zmql8vHYwbOfebBjkys31D|*$q=Yu_U#UDNGpv zF`gsv<{LwIgR)Mo=4XLa(tU4nox1gk5&chVXab409Xa)=4VC(f!#o#FSW3f$vyj3Q z-aoZ`X=p&3aV9L{5u+7eNIAQ_{2)UFCg5g?(r#>p?V49;qdfp4FOCK(p$W|8tPV}y zA<{(B@}=ZTxT@N!Tox4>jVv)J3Rjd~)zDi5(e~bh);ZEk^kIO>=$S5iBJ)we* zkIQ~9W(3Hu{$pZ+BIG3E*R3trUul8)Zr0x`3?2)#cx@eYNyJJxgu{zRa&8m&As`<& z7QVpxh_V=^_7^I;;d`~4YKXAGBc3ZzP*|=H46?He9EwkaNn!d2J z5|=1nB}Yf^VnwT;#jlwLm8b5L+#gYK3V>c-9!)1>rc%bXBi_%^^f-LL<^ynU%2xPu zeBLPt;lu41c8Jy2#flt17vQIoyRH|#w#|QCXIOqn|B#u8I*YdK{Wl0U9$OsTn z3FKORMs~CBU0fZIi&S=91^cBMB}#60ALZ8Aub2>trvky3o@%RPX4oLU3YoC+yJR%T z39{5&v*s3!MU2-7?LHAa(_-;LfaMQ?dkk#7rRr;qzAF_$Tj%T{MW6*ustUi=Ryr6W za4o`5_uN=j`250K2Y}|(ot)c%f8W6kE)U7Sfv%lysAs_E+lQTr-#>qOon~5>(9t^| zHaDA77W^JAZ7yuhUdV1zx7Oc^;x!n}r05}#`14geJ&)KhLc45WcXDW05aT}z0Knbt zc_Kio5IjKVyvE7I2=i@rh+%j8$Blv1Jr#>8O-Vm@ejw{R>R9sS!e5DktPUReZ{Zys z+Tm84zn15TXC+|2v8k$}3OMI@pWo^1RaTz@TVbe38q`NNLjfrR*r@zC7l^*Rf)o5G ze>QwZ;=>tvwqq-|wt{)|M#1!mt)JhePjzX>(c5l9Qhz;E>;qR-2u?aH zv!RY(e>9uY6+F^QNQL~-cr;c z2_39#65bKO_&{4*qY>U)^(vbKyD%=>><*k-ClRYEhC+*GIWBzK!NgB*&d`k}y`Kf$ zJ#wv#EJCzx$7~7&{HM|AMd>;=t?-<$CrHN6S7slTwI#4X7T$7nz2yLRzx6s8K?4im z$3Lnbj`i=!h^QvBJ_UI;V4m6R%d2p?OE3g7pHK(>D!<9;OL2yYfavxj7iey+;j zQ{}dl!_eK6F*0-Ke;esAG*)zF(8DOm(ol6uzq!yZ!GHe*BP8F#Mx zuiL&qG?hKwoM{H)sMrA|--u7~lt1eAS4pO90+=@^(f)6AeFf3gW7Qp@Z2V2U0Ed(< z^%gtc>v~wf*{inmDpPxqIr(?JhS!Rmea6ZVdu3_*Z0V&(jB*u!kFJN3CG6As(63J( z0K6{l6lOH@s}lLy(&0jC8xDG6t69Mf`xjMGGMN93SN20+9miZ_d?9fDys1dB;ta~| zIpL3b=8hkaLTNzmXYe6F^GyY@D9OCU?qpr9CVqUR%bW{3?Z1Zj$fnHqk!XTx-ZpqF z=yT&@9cX>vc;9YhpY7)Ea)sMczj2hEo>`f`cw6sL(S&HJTma`U{RSHfJ^mvohhGb* z>_mjcr&6O#xj2lT{lkFlDH%dVGOxHCzdwNJR1X#N3PjNu4?^(BQ%eF-aR4q`e^D*G zw;J0jul#f+H^=XR`;Cj&F(a#IBtS<&BiF*2!Ur7Hh3;fk*shR<>Q%s>+S_+yGfG+< zID5t}{yUgNR59&6aJ(*vxcBJxU!^WM!yK1whwZ&TlTi#oB%*;_3LFXK%g4n7?IC-w zvQDoS*sxJ2KPQwcdJvD+l2yNE=p)Ux_SAT6L|h1w*inp?Wezt4Q&bOTTwreqwIGz? zUVttV&pcZUZZ@~scRpwvgZH)UFK<1SqjqhrxZqBK6-=9u8y&O7wE^0bU-G{%ogYr? zTuK?Wz|maEvSivKdF+t7Fo`9~hQhS5)XwPf8%4_@lfL%l7Mnko=Uv#QLXLDJ0UYM^ zrBc8sDcWZkn~h{dq9`l(Ufa;iGkHJt!qJOg3`|%c1cG;V7R>i%KNRDGaY(nGDIf9f z9d;lKrWIh<49Bu2bBgyT@~yppZX9{8Jv%o0+em{%1#GOvdu=m0xBV5>Y$=LqK$S1aSOLaQ#ftD9D6R_?xn-LM{)b19gxJTs= z>1|o_t87zNzXd+@d&Nky@%NuGONG{{luRA^9vm#eWW7ZPTy5WRahq>q`KyL6-ZAie zkEr8UbkK(d1KZ)Qn5etn?+&4Io9;ndk>n|V{xPeIIh;%AF-0;_afj-vuv?wuNHN&< zVct0ELP5w8dT+1BVWgD(_xfz9mDw&Vkd)8`oBr_U$@&7-CtnpRDvWSndS5vuVY}dh zdwfCVMx25{K9`dDbKRT(BxkNwg3y!gfS%0)Xoy4R0C}pKZ2s%k!JTc{|GdD2k4+go zDnKW#WkB@D=1Yf^cC!wD#XIbreD%2QTznjt*gI9=nDvGGH^x2=<3Da!NIL?X%Gizi z3>gOp`;_3!fjf05Eo_#F{NiF8^HHGqjX?KG40nJXvmFaJ^P z-4&Pm^V~y?fGcW><~NyNE$-EVKMa@bPkHf*#pI{DVay8(>@?)oUDmO>l9SMufb6-| zA3j^9IgZ5dpI2G_6C?n}ot`FVKS`4d`tefw5lvrM`%{kRwWO*3Tbj1QN*M(KN$Ota zWAo-Tow&^3h=(FqC#lDy!u(}N!=KQpFQaV$RPd%51F7TI}d;GTS1Xk|99`ys* zNYUDLG;Mv(ZO0(zS(j6YcG$vEdDYKqENtm6alUk3`I*j9!OhROxyDP*+};D}1-&hD z~4Rawy6;iHYwBqUS??izw05#7mKUik0qnL{Ium=%CK3iS?`KHb4YxSzD*R8%>{GQV%y87*fvWMp)=jLA2^6a{{N?a_VsB5qNnRNzNq2B^aP z2zLddQ+C$V0&gjT9>^Yvqr{U7-~3VuSnsI};vA^cMv>-uGr_UWrVHDH z=?@HsS2fGu+8VSvG9tG_DbkL`S=Lw2fN|o9R55Bmjty%=p(nuHMq+=$BW_%=8q(dO zS9akSVm{KpK1p*P1`nKs;I4p+_Q-QrXsg8Dj;wN7Pu$F=u?%zP6Rs75k-ItEwgJFw zXUC}S^;g-&1;BXd+~>%tSeVQ)QO)>dT2og|Fp}+w2>L?uiv_I!wg zRM^1#xyykT!SBo!(5}eGrmKY=(6%BNsy@FbMDx$&NHvCoj*69eNa$F>8y;-#V1hiSl`;}&*w za$98o!PMij1MT=H#k2*>mr;b|eP6iq=V&q~H<6W@8PXvpL%whrNjt!6CD9Cvz@z{9 z($5YQ;^6%g`7+D`&AYRq;9oTnd<6IHKRc>cp1!0!TR=+yiwn=oVm@1Vz$H@ECd0); zG=OCrwL1EZiRoCOXia%w8T~mAKqY%H1wR2Tm3_8gDdAue!A@BZ=h!uusrJBfX{!2A zxd7t4lM<(<^}l4|DygEyv8)%@yFMLugBB~xG7HL`1Th>xvi*sFcc_;tqmWKxx;{GD zmw}0Hkn%AgHPn5{v4uaDqEaC@+LggAtSx#%X?ne_<5R4kVJwm()>E|i%)xL9B%B^m z-n)swQ09oFTeVb=vz+C4R=$FgxWC+g1>8ih*N@z^P+F17DQ~%`S*=6<#wmQl>&6{3 zP?{t&#u;cq{K7h|-0jvJ8*R+thTgAlMXP>?K>loT_UqN$bP`2u<|!sm^#FcTfnmVkG55_swI5rv(m;fXx6`eSgI{-N=7hTx&LoFDS)XTi{-pRFlKptl;$OFl48XW*X6ye4i228zScL%H2>kkK zW12*u`#tPWYm~&`5)&n8R7FxtI`l8Vl5~jc@!c-{3$Wxv$9+E~zH7~a(Ph{MGKwyqcXSrt)UGp_Q=2i>C) zEFEQ-LKRpjTin9XpBnq&C^~Et>~J$mn7G<$j4NR;lstOA)nHv$m|rE2v{)EMh5D9m zT0>eN5qdT6K@kV{>Mx(c2y=Lxzz6alB_cWi6e=aTT)5fMY(IgUq~k)@;^-2g^9ggy zs32b~s|M?frKeVDR4%OyCGR0Phm`oUQ!C|>o6)HPH1-ceIyIlYsp9?PQgsYy5>A{K zl|;Shhv%H&Ji6MWr{PDWKeHO;;*P(s@1yE_;F^b!se9s_t5*`{`rSMQXu&lnVob6I zbk?gxEeA!2Yd=x@OHc!GxaXPGt1ILgJ-patQg4@cG#V!cefU{}^pyXg$koTw9Cm zJG7bQe!4l%c5_@sm4HIoGFd9c%uATSbW9)qJGT#Ws!A(!p;>YEvvOSXM8eSmQ|zd( zSY4KKzd&qoruq{F?|K9A3?XB)^;Y(zb)DK!B`O&kbPCC8@av(URRx)AefU(F+N2f{ zBVB|+8**&%Si73{8PE%Qo=lmD)1(-9v)hJ(2I{^qc1_Fk!0bk0>i$fk7{)5rH-}`-F)`f}7YU#hxq#M= z^d<5|O||6pU#nIy@s|5qKxrf|c^cxghmc2!ThldA$*m%y*F2y*oXQKJK}7 z1#ZCTnXQtqoMbNx)7yYOv4DD&>tu3HZlFE}z~*(X+|G6n9mP_4Rh`mKUCq%+@{hu? zs-~Y?#R%ARLj~AV<0|u`6?I!``^bw$RrLOfeRXlRRRFoJS*1>Sy~0u%C0jpa$xE^B zJaO%--yghgTyup_dxab{=XQ(sS2<>qL6|)O{GN#PrSQhLbu(FUm@r17C)=!aKKr5l zBo2amsGdnKyT^}ft|4jIY&EpdhiMpI=1`S%a*)48cj%hk@ps}ao!e0Ac4DAAHn{FG zHn@WIk<9Me22~mFgghZPQ~0him+`sGP$@p+A@};YkI1I__2{K3ZAtj7m!Ev+Ue4a& z^m?TiV?e3x==V~itEqY_NDj=Ch_pFTvhIb4Inu&en?(WZu}&qo8Z;~;nFpEXM??p@ z{^fkoBWvLTqfCnuB}fCL((eC8#`L)?#u=i>=JavFy&zV&osTJ{vpp1*cQKK^<1 zuqKBOkt=4-jXa&DAb6jn5%F;g=*`F-r&KCS#{YgLdgbCuN-Jp6re*&d9-Cv&*`_)6 zn|+i*@&nLcl4TacMWmdt8z$XV?DL|qVS|=I;n+v*hoSt;e4Qh$H-e8RS8bqQ=y;#G zGKK1StiV#x)uKS)xxAe`oMr1IRX-KBM2`<~^28$Py-yAM^y>hlVd`&URl9Q?b)lqg zHQN~HYeC%ad=ixaG)y)C#G3ddHvA#w{Q0;Z=Ap$?KetBu1xbzT_X8&=l7BTIo=bhd85N4 z$Pc5jlLZ+f7ESBBQn+pe?P#Ufn5T^=CpMRmqbat0&m}`n01$M1Dp`T`cPjGDsGtn5 zA}a)Am3&w~$ENbC^;Tm$ea%tXsU#4RA`pB*w?~}+mc7j2assrA>Ae0;$g*jj2gaqs zlP>bdOz~1$2lsb*)+mYj2|YC6gW(pshDAEr6C>$cd9weUR}R4VH0U98U4vqVRvWjt0G=K1IPcduOrJgI2> zZhad52?QmaHxMIj=pardUy8>)6I&fY_%OP2Q+fA!Y@LIfGU}Ex$v8J-cmnJ+(ZZVc zU4PKZdbaPshS%bZxM^*U!@uLTPoz{q5I)KiQJJMzqV|&Cp_ch z#n@qQZ?;iJXG$Pk3)Ngu*hP-uRVR;rinG75@^jplY&J2zSz$<6b|bVxEBQH*kz5T_+fi)o5_P2t{Kjk{ZI96c)j}cwIsmVpGfFf`3)A$$r&Wv|C7m=9c-d~ynHHA3#R4+|juo*udV!ujKs`l|YW(isIWwE21LgQXUd0PL zM>SX zwh{pL`((hec3ph0M#w9{YyQ*P=Fkiw&ujAm!q;T$Y7_6_mD-KrCqFe$6k+6`1wxKs zYbO?ryDv6<{zZ3Ryd-XDDxkxb^ZzTbo5O|0@4f)enLIX1=OpUdFT^oXCi3T+reb5mm6#~e#uy!; zi}#H2(M3RS`O^gG8UmK02C05sl@v9rEg6#Qcs;uEgu+59uuM{= zGxOkk2-42;6u@p1HGk`X9&aWabOCV98B~WH*h|sKPD?T8t031(~glPdeZJ%fMr_mOx@`;OoW)H|Ab(=#FI9uSd;6&%G4oyG7ul#D&Dr3`HZi z8z)e)O}Y1xWv7JATw|NVfL(tOgay+-@o)Cfby*X-1EB1-GPX&xPI9>puZ?AYBj_NmZ*Ah1SwaK4AF%8_8}@j3HQ9{>i%Z1RRi5fFdlk2XAm zdHCHC2rHkFkTesf)tsuFGd(%~9K8NIQ7Bv@jkZxFRC#cMQ(LeubW$B%rz=+_+dw$Z=vY?wi}cG()~`| zVASwDHNod*+k>*L)mg0FhgMc~MJyC#`e?;Mcx-9tDR zP~WsU2^_SLe(tEn-rfXTpMdsPdSPRt+_kZ5*w?JId&KbSt+8%0=i6fG{Hg0J^p+t= z+De%Pc@8LDMcZz&aq2-*7YV(Ua^VTRAL-=h=T;U{`8`*s*hdHFtl2tAC56R7pgPyi zs|OUoKbh7pX!(zO6R=wZ7h0HF&#J}z!aJmu{5ugVa?>U-SS*oXXs^cy6T5f1uIVD` z$=w~Cw8ort+=nk_##58eWwf?zF0N*42&c{t+3&gLvEN!UL`E!ZUO4sFELkjcoxR_4 zqo1wCp%XU*1jmLTD_0lT*2~Gi`rES90>G@M?@HJ;dqBNvhmQw6;fLWANmDNajKr&i zJV&HZxa0APr{9SHv*A!c9Wp@I1-Nc! zWa_amrwa6)tkDjvbYrtfOKTN%Nj3A(!fqhv%u&i*`0QxkzGVBED4c4YBP&*L%I`Q| zEcA*;QtNeqUs>triz7o+pGZGBlJ-r(PtF8MY0|rqR2M#oNy}DsxPVSm;}jcTcY>hs z=$G=wYMK_MZjS!MenhQCXf1UWJr>$0TUYEh>;CB3Q@z6<0)XhsmDuLRsyXUc_9De~ zA>>Syq-Ga-sD5k2{_cuB)X5@I3*7qf?`e9nCkL*YMf3{nX}XvLXgV4>vjd09)jc5E zfY6p8h2Pc2brWbh9HWdU1l2d8evPH#)oTuc`&0Lo`?}oh2^q)_I^$lx`AH>c)aQ1) zBb4t(evo!j34^}!NPW`-v)b!B?5ke60P88A_mhM;2F7$0tM?WMYj&C92=Dg8RAUsu z2)xA}*C_OOBplCQWv#c;h~3pEC7Yk&xP9MN`Z<;KY_@zQtB~!BZTDn*+Ao0AC&?pJ zu5w&U3T%`z^$-R-NnVl?pjzr)y|mB+zBBaa^Q|`p)rvVC#Xxy7#Z3m!!P3I~8W;)A zMmPH;l*??O1;=x~9^g8{9l1<&K)W-W;{LJ8c%v~Cx|fE0YRf-%nSB{cX0n5^BZs&2 zKtp57w3#iHv>cADDZXN}EbB&#pauWf&3>cm(4b*%o_SE)fl*t~2++AS-N|xw+!9#F zw-P;6x4;rUEs@7D9A)@g9`lVSn;?sxYSM1F9=6w5N2qup$U+pkiS7Q?y$_f%GZfLsOK5pDUqC z3aVckY9-s=Dzc>7-Hc=@^6RT za-S_wDPK9?T{MdoMFwkabjY%AVcVH(=G7(1;U9f zMmCq7ISJD%J@>(Cn3$!hWRYoqjA4oZS=J+*?%3t#ak?jH6^g?gzDZ4xM`ace0a5Cw zgd-L6t>^!a67fXgE_eJ_QYl!uJ>_;Mv1m5(TC zsvWC-iy_^2hrZ++2{d|?;qpKnhxz_TbqZvIp6YcKl1>$~&6Z2i@CqRlj6`}|yV|5jk7SBxb8Q}|BM@Rm zroR!6zjrEGTIUsfZtMPkq)xo4hN2_5R{nbfzD4Qb$P&p^Kt@efhN#BiaD?kut?d^( z`s#|?^FN*^*w|1K!dP$p3fJ6w;YW*S`^7H$8{!KF^vSIS<0_}EVilL{p7F@%9uhVm z-f&372A2N(wTdSf_^Q_tA7*|?t(YREzTB8g-AGml5g0$u2`6{|9)8HIog17|Ar@dS zeI+K^`TQ8ec})zb1LCkOxh&iGQB{eKkiYGHix=JZ98SD1t(<>(b<0zX)~2RXiHeGX z9!M9~uQTC;ExmhoAt7K_GtjkBcqgtED4ksDr8cD%biy4xVsU)ix; zs!6>4^+N+0A}5w2q(=pp2Z(d(VrLm&7?is4X5&W@eW`pDXoxeykKU%@HyTvz9@N^( zdT2Q5dgI>eZjZ@RcM~>h7+*$mcaPY++*ROY<`)|w$_UbzgXX4ZWd>uJrV+FwiHH{$ z;)6oJNoAC7*HR$6{22U4h0Q#NFWUo)#dB)IOl1zaIWJ3FCuDQl60H$1PW75;66UNx zU4(B*-Dp^x{m63L#zXh%-S?L1#iD0StUdi}wxqBl#fgwA+`P_LjVAWy@N{Qbgv#mr z$7)KLvV?i?Hk{gSDU7M;RlNNG zA$57wDA|-P1tAVY*k$wQwe$M(@bQ$wg>3Q4)vzF|X>a6txs#kSn!YxD_=8-b+fdua zdqvf^PRz=8saHNKK7lRG38DB(&L?!}e3&P&`!KyaNB#L``C0YF>B6fAJkov4?(oAJ zFo4nl43zb96Hn{xEX=&4b#;~5K;z5i)+aD@dztE93i;E>VKO6$hMO!II&@NJ<1XAv zCj1$%Md}wI%ygcB)$(3fuY2mI?7T8kiG62c1Ehh==Py+gvEzNySlrA^g>1KT%wKIh9RD&ha834uplla3P}Sx>AaS!A)hz#zKlf+yAu<&Z zd!3~izrF)PS$1;u+Fi`rwZ!=ktgVduFCu_W)<_na2|7#V>ND?pZmRu$-*qJr95FFV znLE{eIAWJyWKQno2bq9cWHDIVAZ#mgTkBJQ78Sy zz;7bOISh9|u`lyt(VY$K->imIMoV8iX%ng`UbPiNVm^(%y`tQq|6Zgye%AIrqA?*z zn?wE9I@~;0|B005Y5g|aGjQ5JaBOCXsGlH;{vfERgx|NSQl)U3T_P^fw|C@#2PC|J zy0HNR!87YgEI28}-&g`-?H@%$mW1%SZ9lTF31Gzvcr7(Y*ijKAgv1Zx-~(oG(wqAxb@$5=70x=^Cmz^}dA& zMVF#GTeBMfMw}V_@&VIK?&Z*AYk5B0p|}7Cbvn6X*{PKEt8em? zaA|?@45*Dgd7_w01Fa|7ifAbYsPO5RTIkm-$ecFjXqY3YF2%@t17hTIKsN&neymX6 zFwa@QXSXZjz^8V&$M{_hqz}G}cA|r4QX(uIj)-fBE{h|DTW^Ns+*vdb)QjxH$thdk z)aQef1zRmM|In;V5$I>t8;m^C&ZX>w7G19ZL}AD{5z~VW zTyAotcPCC-ngG?L#|i;XS@?gb+5zbCUJ>}BJO2QXW1%&MO+9N?12p$gPsRH0b7A?x z(m_8SrV8W-4>#0ryf?6yk@r~PQkq`AD2X2qQS|NzI9Y8DZM9V|cpS*-gg!X8+-BQA#{%oy4S&vtUT zwI1U8H?4=ihYb?|EB!F9Uu>PhAz2-5;~-0(I-YFqs0Zx4LJl}Y$s6?PPM`KUcEu=# z2MiRwjJ}zu^tygMHx_J&_uk#c)+X}WC-H=c%>ZuXAWFe2!OFlv8(Fe;KIy*F}gq_^@~!$KiBD3THK`_14yw5LYS zNBx9Mx5=31LnRH1V;%cy+R#H5sH=VX-+Y@FZZD@-Z;2u&7UumDmNnMum7UU^j_%At zoFC6!T``%`FOKdl9}=r!zr}PskDxUJ8HknNnmJ=!z&i6tLWB_ma6c+Z{y#o9OuZ@e zy+JJV`Z+&+UnNl^)}Z648IKx%mqbfl(?iu9_s16dn)3NXAp4r~_om%%0q-t6aB z4H@;8(TNF5(=kooFWm4h`Yna=0w`Y2BO3qqc}E@o{N+QyC3z+5qt}I*3{|;U$!Kr{ zjN-H>P)9X+bFo977#9p_Sawc`$p18eazAkBpPf@pGQA`rdHR$$LR`a7>51&LY-#X` zPJMc&Hus*Z?~m+65iqU~-2?F+IR8u{-d11#+HY4RUzw>pszoR*;1|!N?@Q zcV~x#-PBS(W4Hv{&F}Qwrd7E_F-Nhi;wX?AIcDhn$NPL)9gxdBlRR@ghqTNo{YdA4 za*c@9?#rO7@-n!cSvP(;wsYk37kd;hzXGmU5C+u#Bqw^rJ6ABg1FUDw-W^RqT5cv1 z7fw*rjDLNheZ&&zAAU9rzM)2gwJ2YBhV*~KOj-MpDct88Y=hG9l+F=Z5CU#uwxCiu zgIT->T1wgWdG8+)&S~VG_g-uQLHXsmCWpTaqz;-(M&f}+l>mn!KVztMZuTd_L54F+ z5bV7V5dDWo92WIY98`HZo4Nafq(8h zwc2&Hc(ZrKy8m`_vEuF(E(ZZtp8~#C5IsDdCj9&Z!c^v+$T$2h3?GM;Ke=8Uo(JTk zv~xrYKD;lwC~=IdUBXi!VxQqvQfJ^VXJQeGedp$jhU(|I_v;9Qy<~ag!&9l%$MI3V zNxIKCeOOq%fdGu<(+sc%Y4ZvDTOb;Ktx~;t#6?akAXgApYsG;ZYk3O3>F3n9DXcOQ z+{)n$Ccu-3DUKQUn!UQ^a(1}=z5Pj%k_A4;K=245Y|ZI<&-Y@lznU5?%H#QMo7j-^ zJD}=ckwi#J_LEdW15Op$Q6--<*&_txMR3IE)yD_%yLP$}{<$g$jAfuZ>0lNin>XF_ zQetm>YN@%|&TZ)`^T+?ji`NT#8-oL!cvo5n`p&r_6EA~NiQfprTcC_1k6$h!501BUr|_!o99wjf&Gw79^?*Ya01l&l zxj+Tsb1ce8oL_nbPd2%1VtK{J(j9$=SAn(FGudOWyD!$3ukW7GZRWM{+i(Dm@- zYkOY(J>7&%eq^#Gq-oO{?J+c~Uau2(eNBSmiHct+T zNvRTyNex9zp?u%~Oi?RDsV1M^)pX^OpxF)|Zr)VKqmAB;H@>MkeBU1hJL|>D*2q2?lWP~U9{rT zT^Vc<99T5n5ns|*4%zW#yJvhFAKga6xEMcX+8)6qhh_wPGyro;9wXE{pm(S5%3+r` zoilW-TJnAW@gkuyXh$!%e{{AfO_~^b%MNRM=o(<_cjQZ&fqV%}zPuCH@yh_I8`h^c zOPX01^R!BB(%n*d2QO!9>F!g&|BVg!8TJ%(E2TlJ(!uV?QSBEg>R_G^p(!J|EUZt8 zr=<&ZNxj?Ae}r4hn`uPV_bELTws#rT6-|o5?=!^fQIv7lo=YBJnKq5A4+oevz9d@r z?|Y@meZP&{A5^da_f@W>R*El+Yu*T~47}a*&1Xly2Iu$Y5k7W3m5z$;&_T7ypdATZ zM!dwan|lK^-W2oKa%G&xc4Y1MQUCA$*YX!)g+BKkgxO@*NGauT3)}UJfKfdEal*83 z?>1}d?gPaju!^u4E{=1I7rGEm$fobMT|WzW)nyi`Fy(fgO%QbjtJgk3mt zojX=kJ5^)CzFiD01fmMiN!0A7~HtfKZRN?X({YK0QJHLIwql4{Ka=}?=r2-Vueti4C1wTV(Q zB1Ubo_a?s=+V_3mpZoK9eE;~p9uJ9;*OhafbFOoq=Xp*9fVEVq&NH1qapDA(y4ro+ z6DQ6hPnn_CMmPl2bCuXR-wPvo>+BLY8=*(y9xIB_B$abeH$4Dd6>OSMO@ zPn@8xJ^VV^2uZg-apH%u`h5j`ck{V@*piTe$Kr+DOg)!Ot)4cv#k=rWy>-JOHzNm; zx%oRf+H?U-qC+;2E6Mkg{3{;Z?(jMNBjg?5=a5eh;EOs{7Zom&ktqlVX#@wjy=1hy z+9IU#*u#oF;V#c&^Gs=chipas@>*Bv_E*fodd%wTqxFpSuU?E^%!QRxTWuY$ahKw^ zvKTr3?Q+Z^9SoCp%_)!-fG1f#p3)6 z-paZ^{k}j|cBTW*$-3N>uqRY&9iv%$=8ThVkA$25pG%KetaqJbH210MHK!D5Pc0~W zSh0jYbYLv*Voj2&+)4*tFK)#izZy?^H-{4OdgQt_qH3+mw%`9}Jnq+o-y2ea30jH7us%)<(*Y_5;K z3Xy!_mpsX~4ERzZxq zy;f|yTMe%+I(amF71wbbkK3%Gw{G{|c>PB`w54Wtejhi;2jxbJEv|DoW=dZXK<}Z> z*%*0_!Y`0uW5wqF)($=(gh#7YA)u>-m$Xaol9VF~QZ)Gq!Zfr|$<=n@5ONO*_kScq z6{${dP~`5PqIJ?6%m5RsF}v}FbAFWtFwC}m<YJQhVP_?fGPgSmlg?pn?D#!j?~)eB59LHB(3y+6`uK^)+?YNc2gaCiN#}l zu_E!8SVSxj_P36^Kh|itX#RfsS_=-1X9@iy)K~UII*uom(zF8g=Ae%1ArP=Bs>IGQ zHd5VErK%rGNtNnQ@pfkv>(xkZY>{BFe^3UbFK)?)mrj8F*kq&QR}(ugg}a{5WjRgj zbSYL!KM);JUA-GsW512bEe!*_ODWy?mjX!?HhGK2Nhx6-{I8{Y$&r8D(TSH!U-AA6 zw;3@1hHhYD*ntCTSf&sDB?h?PO?JUayNOzATHZ#L#ifY(go9tfH&ywa1kK3#Y)R@> z9DF|m&nxHT4L;aN{qYk#{EhY>>5>lWEviIdi?HFT(An@KmGLW~Hmk-+ET>Y^DZ6sp zx7kRlR;(QtK7Ff9Y5es%e%DiC&u%pYvR6B|Gn-2T9rN3YnUZm{LnF<%Taw>tLp${b zma&GXV&wO`#*{w4?s_0`Mt&`k#umP&3el>GW!Rebh_a!K7+s-=6gTlI6z9@hMx6HtZRQ|?Mjr-K%Z%8Mx z5KU%3yjV#lb;KyM+`)sqqUf2g#fgcX(!(Agm*l=Q%~@n3%OwGIcP`5?vrx)iG(DP& z41~|Iz*cXQjJfos?(FW-cz^afh?p$XlOxs6SsYAQXh5*SqGM(v^z&A~!i87t_jY?!KE7>DjXN@I&c4+JBs_xea3cUg}P zms9wD9j|b@Tr!sa9@?$~a7@z&g#LUhLg79v8kBH3O5QLUC-_>&VzUD0x3TYr*=;YR zullXr^K#q77tl?QC6jDBLn)I$^TFoE`}GA3+=lLY0GrG{=^5oJRM3Mx%mo)7w>Hi- zN9;Tc0*m%&)hOQ>OEkU&=BjvNo`xw=m$pw|*5STeMY^U%@P!dDC*=&|BGTbqeBDiS zuwYGEFF51I<~j9y6F>DRHA;;5XRoC$8mED5heODbUw%BG-KqQ7biq|o?XpthMMX3x z%#5&gQH=Oe02kfJtd;I_6rmr=Jh<;oGKKOq+qzJMJ^9WBWa5LpA?`%F(dU_je8NHG zN9BXajYF+^PzH^@)RrAK3~?YyfdeO0t#Z>DZU}WA$kmT6&O!JCO1+lh6l2w^ zC=yCkD;2j2JM_gMi@h+FKC8jdd+HH3@;e>pxCPNyN^d<399&BA3zIOUxT{d@-8EhyQG5t{!0NAn0AO zGAmj_Ih{*3?8VD&lxFVKCg3HY@ z%q^ckbf8U|Ub=rOO5pdWi|OZWI?XkZT8O0QOcc@j&&D>z14lkGO|CtA-o||TI`b1E z?qGv^VjL@F7|9ZufvbHaa-0K9J)r(;=LMi=(N9N4l=hocJdzB_gg>{BX9RZTjr&+Kw>foa3rNkN66WfHZ zD$>qSMee#D{Zi@DeW8|J3v(KeFF5eL*qkJ!tnbe7Lx;P|88*g*Tg`2^>iE6&_$!_X z{{~Q$0~ONRJhydP>H~<7p?|{6a&1Xc(}+%1lcw=c;2r;}^6C~}S4$~k^k-t6N<;I_ zXhWLKYjgtjHvVRBb-M+Vam5#qUsgS^n(yK~@lnnjJOcBSNZ-}iL3$XhM>Jp)DT z0GL0R?N@ll7sC)5tbsxVar-jMRe>wDYf{s!YF>%DR)fblmSqAPw^D9egh*h%<@s%= zux!&rUF=5a;)RI&$5!Jl-Dg3XgTyr3D4<(OQ0%X=NYmk^%>qAr{Li@4(Z{9gV2^m{^mSoSj|JU&9u|d z%Y6Ild=P=u%!}a!AauL|l8{OUTJ+wGuS7@fn0^Hl@3wn5a?ULeggz$X+r7110kGX+ zww>>2o4^G+#RyNxn)Pc+aq_Hum-f(Uezukx7A-AP-LP(S1Rv_$$K3nv7O8XBJ=0=0 zrji}6`T2mXPH}et?i=~0)|X5CGevIfMVmx$hUkEgvLy@JTqWoOD9!Ugycq3(j*VGL zzoS26j?mNUs1354T~~)~`26OfFniI?c4@rtBcG4B)NKJa!8FCB+qVl8BG_I8IL!7^ zBIkB)M@9LlZr@G}9@l}_OFl|16+W&>q$hxaEq{qori7wu4JC5n2q$}ubFw{{v;zRV z)199AW(T;vm2|n!P1k{kgh<*(kJ|d2?FJ^o0r$9{mh!kS03v3 z3dh0C!q`Y@IsKV~{j>(o?J$@8L>)?q95|!#40Z{{0D-auh&Ba?Ls^hNwC+~t&-D%| z)>rh}?3~mm&+c~q8K+HL33qxr$V@n{(aLHY+JDn=HAiWU*#rJvj~l8ov{SkcU{YBZ z*ek-YF)@R)7UhOuk?3Ur6H7MIOJC@uBAu2?qaqWF_8T9oOF5~TV5+W8EDrCYjeMPq zEcVN9W*e!*+pm5F9R~73BlJwVz%;Sztj5r7C7GFYBin)(kora`<%G*2NUStCDLDN6 zj5q=V1L%#9vH(Pyp!ZE4T(Xsp zuxS>v!4Cx{=W=~l8ZreOZx;D>HlzBH375XHuadXk-+Fy&?1F{+Gad`!{UD5c{O*J< zBhQ#MQ*>`=>0v2dQYoGorpYJk8@Ju6G;rb>u&z*66dlLm-;S=)HVpt0_AMBHIO0VL zk4Oy-3+QL&Q$l(~1x{?3P5%{@y83PjdmqrB;=b(C@zREgVOyUYWrShf$3ZBaswB#*dA zD~kh6g;MP}B$(!i+NA8c^knn-v&u>l9wb+8;;SH9tnpJ+LUjF|8iNb_HYgLwSJL{v=Tib z6v(7k>>nFP>xVQD(C*|~tNHue(i@;KyQ*zkr`=)+Nb&L{^&f7>DH=L|kqj_nZ^#AY zMW;J!j^lq>yR=UG+KlmD#s6XRJcEao%XDQLlrm5EbdCeYQp0`?YEFTnv4Yrd;|f)-28=q?lG1B z^X`4gK7!irEs*k)tx|#n&Ah)};9tggB#a$L{K2=Wr)him%0fh}oA;8JZCosRx?bdU znsS}TcAv%e0|{q5nGFH$_3odo%%YBzQu2r*yn3%E*T!MsbvqjWDOajLmY#NMga@Fs zT9TKl{+By+hyiQAm1vO5Iuh`m;i1XMxBk+(^d&FChU66f3SYP0d9+)?bOvdE5Wm|d zCGC#4&1qtVPLGHwuCPB;j7c;9RiF;tCHu!JI1Ruiq14Dw7?w~oHgI6M=)g|?i8Qgk zNE-QC>rMeC+a7KUQvTI_RaiYY)xx7iZ*cpf)709#$OoMS-oG0wlXE;LzfaUIP5GTI z=ok;!l;w&*{r4tLUo{`lev8%e#?VG=Ui=L@DUa3bqiw`9LSIu#wg38tlkDD>MVv*6 zmIytCuN<(9L`{<1n9QlWwMBrcUG&qP+hsR>PxB)+Y2Z7BaVG0|(N^he$XsvPZ(V@y zq^ej8LY?B~&wE(Md&ovwmk+J^m%WB6V0no1m;UO;lxBj$n4m!E&+7jBtjYZ^inw$zf9Epw-%U7iKt}iHQPBp0NE!vLu zzxU4SNH3~iK|0uFUg$5zvIql4ei!cJgXvJY}~3L zy?Tg}U~L4H=OwrJt9EcCE4@@Zbpz+U8olt+l*MAp!hDi?m|DBS-EHH*XcCTDiJAKn zG;Ba6zjC^=&|VHaaN+v#X?Zf@N~?s5-y7!*pyN}XmvnMZUmKYdOmyqQ70{%Qux-tp z#v93{r!g-A3J{2j;}{9ss|t~57xV0*l5Zt(Zrxn^Er(tB;WrAQBjjpB2xts+S%H}iOwOO4H*G;_^u4^r8307K~3qzL9#@a%Ti zM?HnWRavNmjb`$V5YA>00ron213vbd*UAjTk`n6Clju*+aP@JE!96e=+u?IT0+yXu z;`dG6MX;pgTGZaPB!mL4+_>RRJDXWfgPhsWx&cmhQI@uSvqCO)y)b>%RleV2r^sap z&PI3Y$e^PQ?yV2-2yail4IYSTyh(Iv_gIZB?nir$g}0vJCZ17?66w8`%w{kHz}dzi zuf$F^QzzT)^eX8>Ea@f-uP~E<`q`!5?`b}mgS0(c^a?r6AHjK$PMZTJdosT^7t1Ar zajW98!j%V&mMdrFD@MwmS0Lv1om}@tq1CH}@FqvBoFTeotYD6tC0jvf4$aloWKZEp#+*L=oiCC$?aFvDl?{i~cj5))=uX{`zS*k# zwCcFJX6HS?@zm3z-Dp3|7QO1fQV zW6zqYk9i6u8nV8+oWET@xerkLeZI^q_5`~{4+wB% zomgu#xaI1BGcwzJ@}}Der@24ZaUu3gBQ}yh_v<3PBKJ{bGqvZY6d?GR=veAZ{|E#7 z(rVBkH=aUvCd}|TwiXYo&0`n@2Hl3elCSmZ5fO#h#b1fK`%=E36%vclUjCOfGvYnE zPrsVJs=P~)G;6)uj|4ZLRjGH10IMHFz2x%+{TvfiON)e}YwQhrU8jK~|3Q&k2g+Kn z+Djq&Fn>gYGPFokEdZ010@qeoOzx9bn+&PD$I~X5sC`2_OX-W`H$na9vk!X25#OvR z<3{t!gm*f;otUlrxBR6ESsLB5g6>`40`ogG4oFRrOmLUvk;;OgOkepPa_*2ECwGgR z)|yPE`f8mo(z~&77$;KW*{$@d$dOJ4ev-!b?sdNWr|%yR{z_x+HADOMpG*wHkv|e4 zKwiY?9-3An-s9Ocs%W!hadN5z^D>PwWldP%Jv&8sCaYS5l=X98(3ERy)SC572Z2|Q zpFN!nWdyYK@XW)`!O}l(V$V7oOa(&mhM2isjQ1eZbLW_#nu5&Dci)1{Q|%r@VC~;N zi{6u3Jw2s=vNM-uuXV}T*TQ+38~sCfxBN%nYvGJdTc>No!;G3g+igrOTo{b!!e493 z>igP{sjfhy+X|cLg#tGTQ{B)DGKj>k9av!NWTzm z9gx_G-W-x{saHhN*jkj272?^(;W%03__Dh~$z9K12 zl;!GbI3Wp@l{65?7J^hM76vPiD70NKc^>jSy; zXk4^{gWfe8mU&*M{0Wi?2uLgF>;zSSnTb9XGsk(`~hnq~);+1!oXbJNy~4QH|( z-XK7+FML2VGM$nV&1LSa8ABJ=w=?puMVHLW7Cvd&s8fZ2K64?e!$}h^GW7dxBe|NB z>d5_W8Ir^XMkiE3R4(2kRHHyXXmu}h{lK_?-Jl0uvM-prUgjl*YdF}LEUw*O^;|W! zxQ59YLmUC3GO^IPjPA^ZjH1W6+#xa>3sJ*G!D<=Q$gBCXhdozTue5#Rjkh%3La^Ui zY}8#`2+VG6`%|}w+TCC^L`qI0LAlDQcnm7=VR?Cr_}wX7k$YSIKQsEKOa6C z-r7}P!E8c5CA`#6*Iy{L&-pp~y?*$`@3h zycp*-@&RAi17Q`~;i{UaK!Uh$=%PP5e+2I240a!@V-Q!avU~m@-Fe8N8N!cB)P?2p z>_4myJQKPM2I>hZpw)g)*?V{zs1aBqFr4}Hp;Q(rX`ill%@kNe6`t?`dPlguLY#F-ji)fBz@W+mG}6!!V z`##Zyx3=;fio?f$iY!-@kY$lcZRm=t-8c&sjW30Y)Vc6aA$@o9v?eON?rpC9VsC!V zPe3EV88En%`CiT_(`bl&@$TogdLW2i2&&+o2Iu_3n z8}%fei-d4eOJ6%@G!QMj^gR~O;->Z{LT*x+>a(xxffj(mlN>Bqou)#fw79-3i0_N( zS0pl?FW%5U|79#E6!N-%0;oI>-(t?px>IG0_F?p-eBmotYn$v81F3)JK2oSS!=W^)3$38|aSnS`F{EAuqBQgn!B zJguJ^Qr8F*6}0xBd>i{7zhJJNX|R=bkosvFvOBmi)^}ZG3_j&=}A2T zS$r-AsX{YR-NdJNe`GF9x!fV!6tcu10%apwN#a0|dl0y7 zB&AQs&DR0CnbfFpf~(f0J-+0Pa%uqjgLM^U|L* z86l~~qzYc|9EqfEyh?$rD?3n}>*=|2BRd@XeC@gTzeBbQOJBbb0AUVTEc5tb}r)Nw}f@r&XG1JVcWoG8I z?hD2h-HBm_r&0;kuVJn|Q?3#XcWx(!5q8xcBrBnY>{Msw!}&wjd#R(|5L>cx7?&hf zb`yce>(imf9v4sfm5e16ueK7hEi8h(bT|8gYO99iw{K6BDG=Z4Cza;pUi9+trJFQE5GU*3scUE^dbZ9x=%~0G7CZzoJ$MnTqZUcABEKSfW*+>>%oE3 zL)uPXs^6%wX3>Ab__cEOgVjrf8cv3(j5e`6wHWrbrtnEtHkJyoa2ikbZR)mY*g zaip`X8+VZ*HDgkUspH9elVlx3rqULtc_@|RY7ro~7rdiBzRj_0IX7&%y5w!UG>;bN z?{|s1 z4}%JhbmR>O+v!Q9+7o7?vRBug4ZIv~Ct+`I#3Z)3DWbyVu4C1vvY2MDVupA0D@Gc= z)_Oxp=j1-iipz&~N&|QuCuSO&Rkbmh?I7*gQN27nqMMuBa}WkiYeV+sqr=s5lz^Ey^rB0!r?wx}ynqYwc?o{9^SvGMUb`O_E zWL>kkE6$^tc_5M|_>O~xx?#+G4~{+`2C(me3c)IAP`aw7S%!sYV~c|LmnzgnKC)uw z4b5Ut7%n$rXC;R}4(TgR24DkMn}**llyl8qhFKBsJ!c8Q;JVUohkC5ysDNpfq9xfeq`eKiofyD2AmE3K?T_dLF2-$;d&F*x#`0E0`Xzx6mW{Fcq}T{v zg)aH0Ml5NOJ;{glej9y$Tg%}qM@l}>IIL@=YPXw-c9$e-dmSvbF`93?nyq>MTsQ3j ztDoZB9u&m8(cJ_ZXN%eIco>J+_yQang=Rvc_U#a{#aXS}<=wOP#q;J~LTT!4Kc7ow z%s!9t7U4SiQPW76*GD77{*75lRSrVEjCy=ABSrI08#?uv%gOnYXbYk-c+8ckboU!& z$T+S0Hkn;hUNBgl{DsefOf21^radl zZktpRA4V$tdMX5{EILmNq^{lm75K0p5x$nqY{H3jgnI7N zyO(Cq2ss?mT}mR{#O%wps1DG*weN9N!AVg%aBWnQs_qrB4r1N_%hvDuYq`{Hv+E>nTA!v+f5p zQ?9aRa`9;4+o3wkJ6~RTjl#aebuhn_ zux8-SZVIewPTR{t|@atg|+(9jxbi#)?~{TrD+n^oS7%E2)T zJ-q9TB1)rh%)8Q4DDjse^gJ-6HhO-mj#s{m%0&D}qx?4G!v7@aO)emra)a_xXPTWG zn6V>2o!EbM02w3Q)s_u9d!cr%-F+72a@Uec&y~T@7o-|*LW9HJzy^;6UThXji(#eh zSkA|+e0BU?K+#eH`=2zvqYzMCrk%G5%;WJ@+*n_X%P06~mK&sxM`WcU-(>Km@!guw zNWlu38@)A1HZt&ZINaGLEs03Mj5kp)c~mm^FGk2;#?16bnpZj8MGJ!eg{bHP+ zkRyeu&;ich!`E~{krN+4cI5^qY~Jzfyvu%K4p36p(tHFv?NwRNO`W+poAM(0h2YzN zIy9q`hy0Pyn!doP)SNeI=Uo*=5+lLjTfDU2bxHd7MR=QB$-7k+RkXp=lH8BYztmhtJHZfJ~~sK-=wKSD7QAt^a==s(&r^f3?mQpmUet zvj5q5TXn+hFyqJI>lu!RQ&?NPvUmRD1ypNBG;MK9DenglCwM8ey^Vd3-l#14faf^l zpEdCmhCVsevzzQPzc%)7SLUe8_8RE2&E{Ba%g4w4X)qt(bf{0DuXq&ZjvxNjYWsh0 zgic_D>%i|lEB#snJM||i9}}e1Kkc=?LrHikk)c1eFfZI(Er~>kJ9MM})-0}=t=*jP zd2waVhm_RWiB-6mdOvE@dMeK2 z8xxO9a~#arv$hd7d#$Z&{w~cwo5}G5npLsl`a9T7Ymp{WXvkKsY?rU{PhT^6_dq)F z>_82>R`9sQ2!~D6Z zO4QxKI0X+DW-~vDrBSVlU@5LfsThe0r~vV?UE=jiQ!~14N(vbw6YCm1s2$VJy>~w1 z-AZZHDBSIGR;jLthS!#6k;ZX3wg1@Q^q~Q%(Wd@HoW2hm^j~AlNY%BclQz| zKvSUYTbgc=&BqkxM)H$}*a@;z{YfMGOzJ4P?GThQ!=vDEB6i2n7Z@?jnkbk7r;FH5 zy8Le4EE2B{3X!_fresr#CgdSryKPS;zNIEEr$VL89``Bl8A#!ZW?Sx;7{Ni@Lb6y8EypI zqWNIGugzm*r?&mF(FL&u=z_tagXtCZc2AFuuW(>e`PPt=g=-V>T(3D^3vZ5hgutEE z(Z+`@`?lZ9ZZ01q#NQOl_No#(-}n{2W(+CMcXIid|5jZ5MB^*{G2z6{=j9Riu9Jbb zJ!^+W4h>`8@ZAVOTqv-TTbwq=T@|7^mw4odr92}W}=^!d^Htpk6_i)6~WHF z@Q4%a)lpoJ1D`*37^ia)XP1V(hcpIMR$PoqV45ec|7d~iZ~6@^*$g7*Sufqt$t}5h z<8Va20<13U%_}}?G&~bZ<(Q3_`qW^~e4WbfL_>L5%)NvRTsW5~FbfL3pI#&&oJ?JR zU6jbkF%|E=z|TDPb#=Nz@2sAUY}m5;%YZ_cyHklAWuH{pL1uwdh!WDiSbvCRXSs)$ zeYVj|6%RH8YUR7^vUKREol-%^XH4>3yi-%qfba4HoswaKNSyX=xJcPsY$_jNah_g# zre_H{aR?Qf6;TyVS&lD)62q#5tG(uLLy-v7bMdwwDqG^qm}IP7Yj!r1xl(M{S<+}R z6`Avxy~!B-8^Tqx4U6hcWDxkUssUxCaLM|nIx=wi!0|#!&)wEu*_c>thSIA6`MB7e z91E%Y1tcsmwIjKiE@H%WGF3`jIm@FvuVuW7XT9`c+9+uU8Xduowcj5-`^P!f9G^qN z(q#%-0lB~SYw!yoYF0Obc-No1qgM_)ywza2#T~UyMvR((UY0f_8XEf}^ zfS8CzEfYP7JH|XCVbq`INa`O`-l^@@lkdVb#o)=+{9UV$D3LSUR*a^+fBYZ^N;Ud5 zwbVieonX_owh@$88ZYqxf}uPdIJtC?O6ORhK}GhG6Gc5@Xr{uFSzFIhmr;}4aC;eh z>1Q6_Sy?f&JGnmE0!?$2KKj}y#Y+P9A~xgwE`NeVOpv+NRw@xNl!!I{HhO=QI6w8E ziy)$OJY1s1@%DtH!OX?OuRkjDTw|&|6u=$Ijy<{&A`kg8Mr7MQ;x};`i(%N6fb}v?YM4VMgArJ|~k;4Fl_8|DH0-@X(MEGxMcp4Mmtj6rHfg zYMa6TC7<{&Bg{fbPXLgC;&wYQ-+ZyRp>f$Ds|Bb!Aag~F%k;Y-;pPQ2#NuooxvpE= z_EO_O#fM|Spbor^gSVCT;H?a8V)-~y2WITLZ#LX2ywu<&X3-`gY)9=TH)mUys2{{Xov*C^Hwjd&h--5D0jy%414pzu-v3kEyAn~jjh|@>Py!rcjoBv z#hY{O3oTeJKey;y?7_K0?Xof7L)$>)B_hUN%shxH_3q^7>`wOFyE^;bb$UK3@d$L; zDeXfbFxBC7*a2^}8=g=H@$Q2$f}9I?kBONmBy?WNpgXZ+Neqz%>@ms@Vz45WN27kv6x}Z_x*{YHo`u7pgnta@y(H zHeiWSv3zh?7bRfr!&5UG>I0hcc7VG!vSfA`s#`4-&72*af8KN@iiI5PH_7QjUOFSt z!~Vu*^gl%JPf)AjWIV8dle85-a~+NH672|3LG{lmurQzN_kP+^B`TWqb%PcCVyTdh z=&>Kal0K{ zE*nELGVHK#GHG?GZ=VJA$l;&ljUT&_%Q;2VYC-M-hFf~G%)UT+V>sGtqs&<*q`XT| z-WM~+R#z%4acG4HM^?yCI)SarvN}!yUz2bQj>Q0Ry1zKA_d#t1b70Z{NbhYz9M|?P zba#Gaf=C%!N}tZAd!MmH09}wf+kSjBQeRZcth6z2N|2U*ZK?i_24|F}g~jn0L8T3T z=#a+%HbA#B0(1rt{r2aK&nkG8oK@bTb$@?K)q;i3YceqFon^TRd1MvPkO0!O7AwGP z6!Tigqpbk-_wW`4w_9|5t`rx(1<37?+RZ+YiB116xkIRSjahC4m?vEBu|ZvxeUL-* z7W}%pZpP{9L~{GUi41$w%0pEuMv8Mwh7E%YYA2lBOZU69O-`p7Vwa}-2|J|hmk&=3p*_b6CScHusWl)AnwUMq2HPx!?@oXtebk*EQbrz3LNF1U()xen zxF1OQwBtH6kCv5CNck*r<aKUVO(!pL>36=>)%R7` zmX-GO{}b-hsE{?usgBKU*}l!3>78sXX`*hjX2#d=vGhO8P%1M3;NpqM0Hem^f=WU; zS9IVxP_mxp-nJk)yhpX2_3&_hM8{D4c}*?@mR|JLm(J@r;#5Sa4m9r!KzHBc>8tm_ z(}`SfJKa`De)0!er%>k#>@i?JRbE3(e0LG!<@$S>(?7T@b)^tQeD@zusaP6Y)c-s# zvmxA_CL}`*VTA75q#u?!xAo6c6;CFRS&ccw_%;j_zkc-ggv+znf0E~^hdkyi$BA*^ zGP>dA?3wr~E<23JY(Sdt2=Gx*&c(IlCF__t!^s{SI}}cR?!j$9hp%J$=I~;MM;S*W z9#Zk!qVToj-qb~oW>Tk;I#i^&`jffFkW5ahY8aV@-5W01Pcy^nnSMQuNx!~6bq9{$ zVSKOj9lqb$nCnsHFzA2M+TN?Vk!l`Q68l%~oBGc;&XR-PXV2WZ2jr@Xn0s%eikc5& zJOJoU-nf(-dR)&r2AW%yt-D!l@BH#-lO=`I+wxY;M~q8Ej6;Aa>a`-^W8_aex>CF& z2AASMy&irbhfwOsn8pDEL|(X4NFMMJv(y5d-htcne9?D^pvRFTXZt?RAb*#_8cgNW zSy5PAk*A6NbKK|!qE!g}NuMMRz;cIft9$6SDjNU0+s2iYc3!N6@_%TI%gAfmP{}Zx zj{})CJXVL^^ccH@9@g5adEZm*xYw)e=&5Ngn?sGPnUy5@zib8~#gO+x5oKiHJmX5` zqYo|#x8rZ}&-{s61z_Sp?u4|YcqeqMMa6{aHLlC%_N1<#xXEFdvg!VxffmwrP@)?Z zi$RS)13pQ&slMkB^A>}-w62tydVFZIcOo?oxMk?tnd!5=m53Yhyb8MRW?JEUhPrYx zRiR@_+NrN%E?wvD+L%7FoJqJ<44L1|W>}FfP1us%mgo@0U;XTS1(lTxCyUZc{2#(B zzEVS=+E_uix{tzPf!%TFID~tL*%9CuV(yKZc1+$nt`FMN_M7Pk@@(`X<~RQh zcpuF*kKQ}^Z_%Tkm$U=A-Xw4H>6=taaA^X~N zfPD0ylit*8zinkirbA3@j?nEtd=HR9CGSy$k1jH1o8*oE7puhTl28=-cM7_ut1PA6Q{r6J$8`$~`)L#PX?f^Gc)DOoNH7`*NDw>@`UNc<@$Zi9Rak&l~!Vy0FJ#Y=j+@olP8 z>F-BD4oe^>N4eQ@5$Z>6HxyC4pOmLRHwr+_Ut{KwJS6AG@77E}H(7PE*Jm zypvMqlU>I{=l{;@;qC$4-M~W;QmX-;#(OE5vVn7V{t~_E+=9_RiZs;*H15QS-V4ma zx|5aEY?EpHqX%Zr#7=4rZHm70YgZo)#P849PMG^-Uw8RM!2I)?GH+naH(@Q}jg122 z({jzq(uT-CqUXf>fTa0kxgS6JWnx{GCsVcmrt(Bj7v$Xwm|S0NRAYg;xw0LYn``3Kw(V0@!_|l`o?7R-#qd3av>WZ#vHvIl zXQ7BQu7{%V>n>LPQ<(f&EaQ7i=V5zB&-)@NP%;)xtV_IciHwA zA?XLM%tDQ}5m?)xB%ssGfIJ+|5 z#cJupT5qXWySG+kOGWerNkW+4&n#@vSgVwj^R*xxON?9H>nfOC6!0A`-Yt6dc{zOe zM%41pxp&XY1Vk7Yf^pca77(sh>g(AW?tf{aWz|@@IQ;Z;!h7y^ zl`#^zrHA{jTiMQlS@-+R2^YZ(5zyTsm%&viKhmZ=aSF(=i_&d^mA8Ejg3P6dJoH@c zUzE}OP++8P8n&6f9kY@U_*s#nZ$J%$}&+7a2DZQ?>iGr^4@}O6t$F*PEy>xf-Rd zH>=9w`&R7mMw`jq#Pbg$+MI+A7W(9M4P~AJ6J$R^1qAmTqKvfc{oF(ZhkXZaq7Bh6 z?hFv<9d>ow{r)H>Yq4cRKTHLal#lnuqDvfu4XFYeW8-P$3(@&EZ{NIXV;It-_1?os zX%l=Dq*XGMP`w}19rNI}?r^nQ7}MEuc769@3?2aOr~-ISdTx1fpL<5g|~U$YH4$>_IBqCh{4z0j74Xr6DT@{t2g&C1uW1 zp`eB5)GaxEf#7xS>_yb`{x;$( zrG35G%c=I=#F48CZ|Pe;t86n|?faEL%W=ClWOUtbyJ})h=^d)Tlvx13l=kb}qV%dw zGl@Mfy_WJ3;&wtgS7r4LY$USR}0?|Bt!v4u`Az{`E$h zLzw*^UWSu^y3^zIY-1yFAXozBn;_q=0V?M;x9e>tQpyO*-h>o z*vyw!A!izFQK#QPe|wOZf%AI33{8Dxox+|*Tx1yS73g*#nZp&+u+Gb759)ce9?>KR z(=)y7a(opmdT;wZ2hzUJS!D}b!T{5y#$_`IH|xzmKcdB{8C-d!Ci0`I=0K5}Q6&Dn z-GFvGoo*>+bcd^;m~9UlHz>3mQ87u`&WGFm6~X*2UIk>T(BHaF(pe)@W-ukn?UzgP zHsH&yIkiq^h9HA@x|V?9u{%t<;xb+m3wQMG@~ppN!j9IhcbwnJ;BT;dj||`2+vU8^ znH$@Pd3Ha5NFe;uwK^PU`as=}o%LsKMk*K?9cgfiav<4S9?P`0kqK@3+kD62U9t`_ z$s&(ftz!M$fFj=+IIp*8(eYH$U+F<4XA+y9pQX4xsRZuqjNP*!n8g9y5EPQd+_PUv zAO!@OFtNFNwJDp)=+H|{5A}^Jj*Krx8N`m&`eA&^V?cRUCto*9N=6VDqn3SUS6p(X zhIY8_phe1#_eByC-4v5XqTw*_Us}M4+i)sXMTfaU@RoSEZ|QVN@*|oP^BLFSswo@I zCjeI$O*c`jDH|XI`G#Teinn!R>?V!Kkm=3iOY22h{EZ)>jW_&sJM(C^2Ki(}HZgpn zJ?M+E->b;+Dr^0j&J|0H3>f)tQl8OIx7TEd)+o|V(q`yRNl&8NVRC$+eUNeqgT8uliJMo4WlDvyUPi0ic7#)>osl~E zq@XOR$G$V|44Oa8NjCQ5L&uX52-`spzk{DUMh%*VO7tn3sk#w&px7!DAurXVk2a+y z5DKjA4Bnv&t?T-(88!!HpSszT$F{cdt90yhg%dz1#oMJB9uAo?85ZRZf2s4Tioc5) zLV7WFJdo^{u2lXsQzw!UE{?wIGe)o;sG>{_L~23+RcMRp{R&b>R+t*V!6sM7m({qC zWU)PkBX@_SE7X~iZHAT@)LQ%&$I{PSnv!5y;)v>HtADi2z;A5Il5hI?EMrsU{aZ)_ z<6VP}rArZyTd@Je;T!aThBGjZZ)}@g?c7{vfdB^~nV!Lc$fZ%vYA z%X3=qgT18lL_BLpr68^r(Gxxmk=)qHPQCEU7}7zvpogQ$S@s0WHoN3rKdg@{`&%Ye^`n!_|$AzEqK$0Kt9vq?Pz6U)FsV|Uph zKEkgyV0^Qb$(Uxj<--+OI7%qCw7-!-SL8cw!CcJN;#^I=&f_@B1>4K~vb*Uyy+Hwe znRGcwUOSV96&nfcZrt2wg1Os58qKK{#?Tu=#A!6JqR9kXjI zg`XC*Zqn~piv7cc{H5@K8dKlmCmPv8$zBJ}{IfigoV;%-jV?G}ot* z-Dxtv*%5v_O1vHT$K-Z8VgZlK^frF`UZ#BGm$y`@3a_QRDEQ}pL=*wb^HDQ_b<8=v zvw0F{RYH}4e}Mb_8ATFvI>jxALjRgjx%a=VwBRbQ|8%9yOa8OecJx2%U~lb+7l4-Z zdwoi4qyBs`@Jp2o;B3sKN9p;iG`^F>Qun&({s~axN9dv6{*0wlp9Mq#cxd9HV5oV+ zEe+3srZMfb?-+K#v7~4}hY;^q;N}xm9-j z>S^F7QZ@d4x4X6!QQmbWU2yjyJA>)H?^Mz|a1k z8y{~SkU>(EK5%?Q7I5F%LFoevX1?g|t?#$l)BA7@xcUHA@R{HLtoQ4mqqZ-KKl^sS zT6{|e%GC~3HoGZ2m^@1a@M!+J?#}=|Hb9{>>k&2|QkaD30XQ9Rrc?a>Gr?2fp+Jp# z@Z#PouN9?nCG5Rltj~0+a|7&{r* za#;Qz5J5PAAn3A#$CK)p;{C*6gQ(598`L*Aeb`{V(?L&o#bzXWs)h<8Bn4qxvB#nh z4DC;rI{jjecIFsyq?c7jU1n0kr_psz9`4UL<#r2$zoOS{VF8)2G z_l&?M0D|$jbwAPC#i-u%^&4`AkKrG2YGb_XN=Zyq0Ca!>dyQ5abeyYVGeTocZN>``mmj5T_h(w`r)y2F1CIRG zGd(y7(YU6C-{xD&_VvHIQ|4Iokt@*==D|f61%~Q2M-6 zATvnO2iI(V zUil`c-c`KWDr9I3XBjtbPdZPI&?d4-WCGDWNrL_1N z$?p+7I(I58Dm;fve{R6FsvJPBV^+SUsxT>WLg_28mNug!+Ia;RqDf*aN3}WfUu75H zS2m0UW+?5(PSJ9eeoZj2S~AvLKcLNUf`PL-a>DjZflliPagE(DGB#YN zqRYO~$@J$m=&=E(s$*u|u%r`3=XrzlVneinx_$*e7q7E3%{nv8>v}W4&I<0WfQpK2= zJ8iR|5wO!l{8fI>7V{i9fB;ldRhTMJK=W&32Bk%>I<@Zc@PcoFWRsJ8`3A?Yas(>z zF9Nlsi=P;jV}a#m{_yx7P?Yg-`BKd1VX|0ry{JH`%K<7nyV~(ON9W&iG_E?qoIIxn zl>)?;-@2eBF_Ry|)_C8%(>9?@0QQ$ikMDm2;vn+BaWOU-d&iIqO!K`XNQK{!pQ-&; zy4Lk(7Km45V`$4jsw6P<IO7_HtyS?O6q^0PU7NKbSMH!0Wf-Glgsb&je(iboI%L zl}|4S=a##I{0W1dk(a0u zrieyfwLC|Y9z~k-aZaGX?dfA2jq}JIpctVHqs7I1-sE392_Xa?Z#+p~0q9m1oZaSM z6-NJ39^d8zRrsG;lgZ{Ai&ax>enzgQYpGLgD!sWD59F1VhK;m+7E9Oq6lf?OV{=wj zotIs*v5VFuk~kKq<*EM1LxO+}0z3q|Yt?wMK9=S4Ta=7Mc;TzUQ2dh`0X2mw@s~9i zzT*K0_x@a~I1#|Su`(pz<7X$u$8X`!Z)FF!9 zkxYQF`Oe>W{~SbS8I&9mJds}4IO}tJUF6r-jf(x!^}*4#m(rsIpD{w`U#tumgf#y3 zK1r3g-j%7OW<;$N30dGf7dj1;c)Mod@Z9FsC4LRt_3O1^EYJFy?(0XKC3P|y_GStWZgIhUXdUUsA?+Zi<=b1?f!=er zOnj1})So_pXgpe7f$+lgcK~-)lqllCDUq0@cdcypo#H)N?Bf_Dx#X|I@hJze!+)Js zH^9gunto`Pz)QPP(CUe;DH2i6Tq$#smKWM-gUEM4KHq%LkjATPtP8;g(fUT_Cv$pJ z>E)2#QL!|@@*UK?KrlW=2xU9!?_=L%H+PiP6DkekD^0)Nas29i9bk!;3Q^dD8g)Y_ ztg#p>fk#ZKD<^T-a>>{_(>!hv#Zum{^YNkl?*npGHk%4H+PeE~Z10En@f86vCgt*# zTUpi^CJOdfFU`HaY}bTcx#mBYfTc+Oz@}BA%5Oq(8@xrrHE5(>TI_`OS1hk63~git zwwqR=33J%8;m&ic4NcIDbgvYR<4a z<);EPkVV%_ep#=d06j+r$@Tkoe zUQ}W|o04vk!`6xzGgd|t96ajEESK$XZuoS_@hrD`rjO!cX5L8qWeG3=%N#Ea=hEKt zCo|J`gq3m~c2gy&!<31{Xn*@DSMCXVBrWGV(39DkkLNY)JMHh7>?lf24qgt5vXAwO z#wi`N*GEwz>Myp(3#Y4Rer2gVKnf*lK8isWIB~7}0@?FC?-5~KVQXy@XwnqE& zsxMO%`m{etP9zqq7G6cw*{4Ubo8gD6-mk5Ek{b0s_t)Z%x&p_h1_b{&Ns!G7E@K*? zJaH4QkHOQwBj#%YRVW<3dN;A$Q*INYIqnQR6qU07z&nqH29E9xScmZ4j3{S%aFH|F ziHS~YYgi`ejYE)8Zl%DTI#3=lM~3kGyw0UjvLav*ju6A32#7~SXw~$?8Xj!vntuGq z-iq&!<x0miXlA84&r%8cHt#1Kbe-p4@ww$Rp{uS;57N}`!pb7+(*&Kf>s}z9Sc1zRM zJc|};S1HGq%=XQVk6;>KK02iY1*nAIRJONpNph+0yG%}Qq{{>r-#)rf7UZYdK=9nS zl7`dB4ZBd*BK;9?^$bp)Sq)##(|C8|m#(Yi07pH~CLbjxiJe5tN4;tDR}p@1eOCC3 zK$Izbh{QW;33vdMb`^Ti$sROl0CW{V>Hu8@4!d5g)bS1&5Sg+Anvth&ZDQI7!NtNg z(3oo(>vZOaLD>D@ zYkhiLf&uzfgU?sK!mqH`IS|Em+|OML0LSDlIFeXJf%1~oFMttPAiG`2vAWBK+KC>& zEpwf9fEW4edal-V8p>zATKII%$!%Cfop)FMBIFRnArhml;nzjUdNw3oOZ6FRB1oAF z2x=8t8j^GE%{WK9eU0}Su1Zy@Ikc3(CpuhE{ulBB;Bl9l`rU(Ww_7ZR(Wj5lZTnsT za^-#gfu+m`05&Vop(7m4G=BczWdR>*M?CR`d}Q9_b^S3@oV=PAf~!? zi%0Pv!}ps0qXtq)V|P{$%yvei)w_*-XKl-Jr7`k%atjfKjdmA4Q9Y_(v-*zqkLI3g2PxA?nfypInHG*HPAsDroNWe;On$EeDXEwzpg4_*LPeU8?^cKvqy}7vEOnuue6x6TZE&@$#LHZl$gI--?J$ zF53;0#}t`*hN}5CPAlX;zazc)A6J} zo0=L+L8dH|Iws}z&Tnqw+K#Ina-Se4A*e_dN28Ag5ePNSu?48fqR*%sF>Ob6!8m&6 zRGR{ceTyG>pq_*F84SiZ%XxZ;{x+Ho;g(q0TmxR4ha&mpB7%vz;WPbijx0geKb9lh zyx}o{>B2*OH?URuz4gvVb4#Y}2<~qK#o{PodAB!|JJUt#H;t>=BzU`!zH8RwjDn}e z7}r(aXL^*9bxXpUWV~VelnegA&cttPCub{KPA|!*{6O98tDHhKWspQFL6ZFuzj0CN z)%}W! z%tPC4XgyNizRuE_d(GRYu#Y!ARgJpjV1+~Z_gbs^N8M>jg`K-clR>&3h2r4lOTp&P zGy|yAuM`kQJSO5>#(@p=VoBpum5UPtc8j&h9m8Ba>?aXSxwwr|Q@ah}yT1Ht&2Ywv$d>(d0rx^MN?}EhoqpJ#7;VvEta1FnNf=Ecv`^D8Ul4*JJ9xzF5dzJjc77h zxvOGYp8q5`5XMoEh%8jCNj5i>v{$j4l$!Un+LJ@(SpcE`M@rA8MT#TQy>dU6)w4;! zYDRXeV&IV_^SUixr5Kz)DPPB4adh8sl5xy)xeN5iczEw)3;^B)$}KmMezVsGSDLKH z8}#t*=$2{FEQpBR-t)zHW|e=(nw{{lvE#kJ=h(K(bRRcqA20$9XPVJg zX+G||6XmOj5T3DvXVom7En_Iv@2>HdFh*3oPkR?_tN;TF_FAG?mCRARx6(d#8U>J@ zt`1I&Y^xrW*`ec?0rGkujtSfk)Jl}4UU~|;fgvM^vh{)A57W4#6-xQ1u2X2rK@3Rw z&9s0qz&LMDotiu8d$U#=NlRIOWVPqIj786uoXqFDCQ6-dHN^lG7|xeXVvU;(!Ygq& zycYCz^-?1k!zJd0WTa|U_)A&3};Kg*7nil#=rXb@{xE-TCGfeuIY zwg5+_BEQq2MABYrD%>WKlaE_AOo4!PE&vw>?Dl3(iOE2fjdfXi7JGmP$|nVhD^ITB zzglM>azirqyA)?+z}4~VE#G~I+On$s;)k{Ko`_*jLk_}(ywCbn-rTCg)vtHs2`qmg zf*vk(n|QUOR;GPSRDyi0O{jC=AZ3cE7u)AJ7*MXM0Oy;Bm|_SqE(h5P;+TpN7gUvd z&pT&Pci-L=&T=rE(r5r2&DSb=EUidIZ&CUZlL_lPj?@fmlc^fC3#ziLh%myjY$xwf z7d&S5N{*GtIn{5mbBZid`wm712ohA)^az2Y0_~=LBno~Sf0G9-qOpYR7K!)=PV$-9 zwm`*-cm|!62&+Xe63Li@rqA9gs(*4Lh4Tg4_LH`DN%`3a2hN@3tQ5qo6C+pQ ztF^shXdLTRLypI1^5DSkv_lw4#vadG&4t8%b^Ss}y?jM^zSnm&87YoOR{?b`zO#FE ziY!7RyD$=w3g9DtR%q>Z;STq6_W^X5#xN-GeiP7Ps4v*y0;5h#bu$S!usYv`7!X1u zLDoUi6n6xN3Y_kS$ZUhR3|m#Z1oc2sAfvBO%+q48edr)A^8yJXuS1mA|OD z9rk*Q^2GxqD+@R{KJ7e}_&pn1o@JcHUB3SHXzl=&8Y$P|@MmE<_gMz#OA2N(F>)sK z1_X{tmu4C`B3{wu8a#$RJYQfDy>?JEuHdQB;mZudBRS8>JzunJ#`eJtO_dj|X8=M# zYa^)a)&7>GVpXCpf2Jn=^g=(thCh?}AtfjN5dgzt6*$j78vKX@bM9ymXAO8|tkx$3 zT8FCK&K@+I0lRJFcC)t8oBJ=Vl_s!|J@Lhu&v^Yf(v&`62<4EU)AU3^fwRC3_^ot5tdEmfh zi)A5m@etNQ)pw=dYU5iA3FSTAq!`;S#=dWkI8|D#>r7>}!o0T3gWe7Ovn6W}E)qHTEv zxtd`dcVi_WIV$74b*RZQ1D;=(zt`#|Z@hbe^3jrTo~nmBg)3 z1zmbh)^H^MgOEXZ>&E!p&iTGda@kac-KfE*e7tAgjef0N^j5R8s6}698=y^IWVk8$ z)fp<6@RwO{A75^&!=x}0zNfIhVCL!8mU!>DSTi!|g}S*Th!fjbpr~c<0UzRm6{KrX znBNx1+5>cN6fhC&5Q52b0!)R|h9)n60_F8u?Tg0$6;09?eZQ`ai5RAF`Zl(MxG1QI zLQitE##|Ou<71c<$0Yy~P>L$z*41on%(R+S{oZ_1%g4<|AyVA@)y9vGCY8MYPxjn9 z_5(;b&!mmIZ~z2w_e?r=A})3<-^?d{OOu|oL_N1O9l+l&{{do1Bm4eEjN}`K-jm42 zJa8A9_-(UdODcovsn}EnXiYDSR0Gdb8Df$rzh<&;^S3ckJZxcugEpO}%L7w>Nk%q6=Z}YD@7qglYtj#%QUfjR zIz-VR4qut?w+21ege)-|U%UnG3Hp-}#pYWllFXO#*B3QSEe|~19Z7g28$<;dQL^Kn z$-IQQ!#O8Ulx4dzcj4c3!fvO1bT=8f)D9TvMeqMsPG8hKF*6y7}RHCz*RYDz>@ zY$T~D8>zR1z=wcb3#I0ZdFvil9`jhSdXYl(o&F6#uF_|O;=lr~t6Ti(0~HG+EkPrl z40ZOLVFx)d#<6ek(q36ny)MRxB9eE|?W$?dTE9w$D7f>!Z++sEn*%vFsF2~akSr$WLvl;$qV(d8F}bMRwjAHi{*>n z$DTxf=DfFvRQF-mDhfJmxUBAv8N-=dYAV^r`KP}5d<+w~;sgOcd9C556DGB+zcy1- zxb!ItFU_aWz-`;&Xvdvgl7#>W{2Glt=6Rl;!`QPl!S6{o^X22OxGpkK2I$B+JpC5Y zq9cdP*s9Pv%M$MFJb+@V0h%jv=L!fPvSB1YOrwZM$C2&+Dk&ILWp@p6xuozXs`|8p z4Z!dq=VVpUOJBBtx2dyVgH{gBT{F2CvX$*t!!2qL^kqpgf)72WywNt1BTLVDeSyxy zgq~bTDGLZ>d=&dh6N4|k5(>#>aSj_f@TZQt?>){7^oQL=Ux*AJ!@9Y|P14V5DT`{w>29-gLMe43J!xqZmHH^+ zR|8cf>)+S8kwHc--OAEhuy@F0laC-tD)h-Kak+3Mgj#4Q(>D=0dDEZb_e z`3&NcQ-uRrm$qYvYeMM<=Kwb_8!P&#Ew7qvz^9OCt{?kna+p_?&%{f$IO~Y{lt{uxBm<3gsKvoHDaA0x3dflr0s{d3yAH67Oa50i zoJu$f^6khzT^T9DqXB@2?)}?CFWWeC!Jb(E#)(?CfZ-DHt7TB$*YFV3Lx4=ve34=y z-g?fh=SsVO8$cgEG+uzCmA-Fy;OE|gpczI` z!{k`$uf6k%Ms6g<%_l`Ya+Iv)ZVnOrN;Pox$)Wc&zn4Iy-g(U_$=EO`eKQ)Of7_HJ z&SFGvNYZa}&d(PI7#iFCenumM+^Eh|$?FYZ6xQelMt9t(9uq{u5=IdCLEX)d965I+ zfSmdD#w+m_dxztNFQ1f-;~B&sE!EGQw1ONK-G;nB8c7y^CNeeuG(i2{brH}&v7f#= z#2@mOKs*6Jv?lUHXE>8qgZ%OF*H!OBBOx`Hv?0i4qrZ&P@h;K&uBKT3{k5;sHJ)=1 zLispUVRtH&G_pyP7#Ri?hgikU`T#G0EPC@Xl-mn4W^?gY@{cc<-C5qemW;ZQ(pyU1 zAzJ?|gYaeabp1O^F-fMb=X2aQIKw9t`ynweg16k*?2j2>Bk z3MegvPMLgm^KR@~5_Oh3wF_52U#1(8Cv&V(8)~_1k%2z+1;%9wElEys#{0T%M1VG| zElgEmGxU(#H=s~gVufPHo^18Ibg*P8$%O&Vt(sgGOIGzk8dymyW|;b0*kaLOHHl_! zoy3-#N?XBdv^{U`dP=bcy4BwBBk==6H4pLMKoomP_0ft%5JFQk;o!_N4y=?Din0FzYyNNps%u z>+G*<=pf{kSs2Nu^>uGLxR{BYo2#7niDsPx2{b&1Kj7Q6-I-DVU`1T+L+<$V0h-GBYFV)|Ql;3(8 ztfM(%Qklsu_`0xjC&Fp5;VppzbmuGcOx>F&Ixzq;mtgRosQpw+qzR`QAQ+v8XZ0Gb|5@;ccTrs^txy z!mVcrp0_joO}3RB|F64~QhW2;b+ew^ol=keL^i0jOOPfJ{KZLHxu*qu0I(P>_pAFP zkl`uH`{!=?-Sh#su_Q7twVhN)ubI}`g)pS$1x8qk1fKBCiOs0mQQZ%dyuuokoM1E; zZa}zq8+N+DOKnw7s9p7))D{5jlbY>Y>DJ9(atEER8p;fLcx=WNBfffyP!kX&B<}zQ z@Rg_492Z51e^htWag$9EMb$@i2VIJknh@?Io5+Nhl5x)hnao5s3kFT5WCY@8}2LO2(Ot{%Wb#JzpvJPh!p9C|kM<)Qv+f;eLm;E70`|E#mW- zRd4l*g}@);4rJ*Ab}N#tw5u=I?I$&})$z?cn?OtV-ABeQlrg(AvYQ}WU{c*odmj<; zB}sH&BcvsH*Bdson^SNN-qq?}NMFu0VP3Z7*b4*%TknBsZBe5TYO{ervXZ2n^v9n~ zlWAZy@&K*8M3~fL-wc*Jl%+sUJN)WzE`XZP8>-_HtV8>7~Liz@0e-YYf%To;yP(2gZsmxBJfp` z!9hLg%e9dkIkgqIO7C>Nz{a(cjuVY#n3K`Pb+e;}Mb5ik8ZHfMTBo9g62P#YZsi>t ztF$}?qFCQJ&&#E=MRB=A0x0Cu^&{ZuN@)1OV@^^g*^wfX&Mqn5ovvc+g(_>unCp(hE8U>d)OIx~Afx)biXQ4JD^55&Jg~$2@zq!NM*4ytSt zGLck?lZbb)NY;3Jlcn;x|H)*5Gr@RL3GR)7HNPgk2}bBBDVCLk|NFf9A0@Ha~jHJ)Mgv>`U_T1kZ9P#FA7Tf4CADM0>61gelXBIm$ppd^h~&u;)U~6lxYvQQh-J2A#}9 zYZ4X6fJh$@T#m;{V|~ElMw$F=%iPS>j^#MJ%E|d7b11J~$&BHOI7139#=h;VgJW^M zm3oZV_7Bv7<&pTBg``g&x5wqm^~^P>jt>I}(|=5zUSHS)Vt24QZak*Tz%=@Vs|6*; z)3lXmHcUX1=?JOgldW2lbvp>ycyc+J)pI+SDs7Wm1izQ(H51E;RJhS@39cc1Ig~=5wjQRSiYl0V9zV!s^Zpu2VD_+hlf|O<7x2{vN zGHEEnEg7tJzik7dp$KsRR4iQU1EjfoVtTrk)8JdQA;QO#MC8i+ZD|yjpu>Y9l80gs zMFRb4Nqn?3J4yW{Fkixn@Nd6w$5B10H34XXt=u|{lUO?Hy(i0B8{w?sVeZ^0a-p`N z9fcazakLUwbE1nnaZM#pZHF#$08yLWig=@AohsB(cV_O$smjY_(R#I7 z+Rw;@uzT?4-r3C2vBjjIm9)1UY7_+*&y!iv`!%-Ab8U91C+OCCUo@S z%^eZWfluT^A`J5SW}a1M9~fB@AwdeS^9x-c*CzkSd^;Ho6dZofr>4;zlGMm-%B5mh zdmCjvc)-XDVy96FwKkwNs&DQ4kSrQmZ&i*9I>uBBXwgXmlaVnAOdkJQPyBkPmVUwYM3O zzDu7@QT)8q(@}SPtL|y;@Ph9VLw}2y3GOEsfY#mnk8gs-r?$amjebKon36I4vm^Uo z1cldDf0ms%=-^E@E2n!|GWMO}(;ckwB0)Yefmd28%+Bwt`-WwgdgV2R`pe|V)GGFT z`G-A5PtJMWOmoH~qT@aMlIz3BbU{~6DC=kt9#q1k>hTFzNE`$z4=!$1mxPaXGv z8eXDB#_MGPb_X~1I&5L(#Gqy&Xjs=s4@!#JX#C&;xzjwpAjT6ud(5CEbJ1Srl~*8$^WV0NKeP9Hb4tsnVUVQ3uIwP z{o4X1C5_Dz(X=AVVEtsVLO>u)cxnWFUX6BC?^XRTENNz-{Uu=biv9b${(rD$|Hn2i zzD(=))r0SM^>e6S<(JzZghJ_#>bFk1S_g} zGEdfaF~@)Zyf(92&uM%wyL$Vy_aN{Zg#NA+0HpoTCwn#Z5Fw{hR?&@()A$?&fSa{# zV{oNYcO4&H*q&bpDmr`*vAu{e1J{NdYbOUQo1#Y$lXizY7cL{F=z`*RVm%IYhqlvt z8@&C*43*+6TE(tSye-y<^Wm*+;LQB7Khdd4G&M*vq1eezNbu;~sk0sYgL~4ebgAvt zeicn2#wp{tn=yj?ArY1&M`1Y`pP+q>Q|R7O;7ZRCtZb{!Y2q6dOAK5t4q|9V1ieGRmBkoIrWFjDCqW^JsskOD+bbIPK)Oq3M1(?yuk51&>)0 ze5%98lm=w88;n&paPi*-<*UFKl+C=URlX3Y^sZO4Gj+jbDW?qJS*#!RTpN@!+td_C zqtEjA_|N47flJtSA&j^_U%>S=a*0x0oe-@fCeTwmt(3aijCi*2<-gwRM(S|EZ-^Kg znf^Uk{*}B9@fd_O{kmxCtwN<&VN8-{t-X{C(QI46kSoJL7xVW>rbDAR$eB2Eu_uye zr?%Kkj^iCsHt-m!{gO~<%@-IocP24G0`DIn25@WeQEgSC*es;x1oLtRP*5oOusJ)< zST*yajQ`aJ&!&j80;P%r8Czn4a@4t$>X!GP3Dk*1bLF!6Q-7%YBAe}Wz+M(6Kw#QX zXbg9~DIsOjSiW}0$BXf5DVApJqgz9&j23{mR|0Mv?cfWsuc z%(R!N5+hT!S(xN$%(=wVG-z(IGIbwG>o6&6KC*g#Hv^%*Ap9VC(>J+9Tb`<m%a!G5-BZXXMn5X|)HUV-&Z`337}+nq*q)(ygpM_kBxK_q~!M6|POi&lyUJ^3+uti|pD*$l(7XV1`D0&a*6QwpACk?LfSD6lEn~WI|DQjCOsc+4M(ucUw z?4(}-q$hUi@J6wrg$|)cRb^u9`>cMB2+TW;;?7}gmEBhxN7Kc34gEKfYDhPwKQqGTI#tcl`oRdH1K&#nTqfbm?6n!e9Z4z1{YupyO2w}*lN7Z7bUKAy ztmeX3j<=Z9p@X`J(Ov|0Vc_NLY^Jl3Lna&JN5x_U?Y$O%A09*yS7I1(QoT9db0AaB@LkB!XKEp&>}Z7rauYioZI#e z$5i@t7cV9mkH`tRhi8{h+uk3O@IZqKOKKZMo-dgAMA8O-8;NC5H85X+c|(F1s=oWx zOFA>?9j(49x+xQCc)8B@B?-jb$i`50uKwzYL!UR}@U%LA@%rN-eGLhzB#{wmuSm*? zs5k@SJH;AC>wc0(O+7~1W};vCV})77+_j`QVrE>KS zhUru-wj0W3&*oH?n{}YPheY_t_g~qncanIWsM(YjjwIOw(-N}iLOjEqFZ{l~o%q-= zt=<-%+I!hXyrfrhuuUOsvC6ipVNC*q?*Dp2-<@#u+syPzyqoFbj&vl*dcu3`IVf*S zG~6e$H+XGdH<`EDiejwwaD8`Au2LgSV%F^*Te~~Lr}*`OykBMi%<`6on3|N`Ahk<( zV#H1jlRqX#%3VB0x%jTU*s)t7oN%eiSx-xMT)Fs5oTa4J%6?GI*v7bnwo5(pmz`E| zMw}`ZdcLc?VfEUV(y)bmsnzNtU85jjs^4Y<5yh+$8I#v`GUbjPqRdcV>IGm!+LRB2 zmfZZjZo+UC-Afv^KxIx>AMK0T2{p0sBt4&3?@)H*Nh6~PS&ox47X(!&e!Sewv04-c z#F`xiMDAS!LoRaYyZHE1QGqQX8l-bgac^c0gwt=W>`mqGcw3 z@r6IQY7tQ1aFVfD#Igm{cz2+Ig~4VzGN{ssly=j0&7)c8TXoRek7*bu&+1nuG6Eao z)}D|^qZBOsUN^=bTJMn5TRV>s5uFQ5M%9nlDj4D*vk(FI{t7F0kS@J75vaPGl|{%xaZrS<<>S*)CXeh;BF1Czrl(b zE@fESKj;h@6hu^1qlA_Y%(}4D?pN}*+WALj+lEFm534#TUB{Pmhi39g?|%YR{7;O& zb61TO;5cm|%%)optf-^baHuOlb|+c;WYRd~Y;An$w&HJCm9s6M&V@mNqwkiBXnRrr zL^ms3MvgX@28rsi4p>`q>|JN#v`l`Sdz-oVV6I--WG2qTk?9~?PocC>$JhgV$Abl$g~PWi1yE^W+GUaW z>J;Yh8*07nUrJSbj_lhs7+v-x-l-$wYoyM0V2mmzH{H-!jYy4=J9#jmyO&7X6yY2n z5m~+)aROGoZ$kG9O4|Ow=EAqcSrCJ5o?~$hL#&&4gT}aB2_h-zRFMC4O}LoB6y_fU zIYAxP!VTB_X}>xfS=KeYP4@=R`OkYLEr{qdu@Fb7M(Cvgv{RCvCe zXeexcPKQ}`-8)AnL*(XC0*a@g)+}S8rUb!;@ThklU*irr|IyoL^C(J?Yq>Q}e(~up zVFHN-dghMI2FfAXqGL;8>Zx(v`b?#VPqB5fbUw~QUjh3rD}h%M`Kd>njty58gOy$O z6~!TZ8Uzv8B6K#)!P0z&4d_GyyOc zf%w0SGwz9s?leDPk{)ur&lS#ir7~{(jU6hBRMCV2QI z^<%vJVtuK7njfJ4rvRfFNIEAVc-RxMgAZ6f*Khg{Ti05D;yNSYjTLV?>aYNp2hz$% zp%ivJXaD##_;?yVECdYk=XILa|Bt)>E8BU>?c@k&1%za@|IOZ@q5%{tB+&hDc^?0G z;Q!q)@P(=P024l1e0u#VTK%u@zWv+LBA9>mj|ds?@te)-=ek1Gq#1_VhE0tkuVNjK zpM{yKz#aL7PVME>sRHq+Kc4p~UBy4|k~aiM@CqM!f*5sQxk;)IHSV?WzvM`7Xc|&V z+4}v?NKd`x)8U@FKR@5(&%6ICANqGV@aJrSpQk>?Kki=n&mH&RC`p=*Ie}uC_F?$x zIpv|^r2pC@egKrnt`W{*+#Pyz#aPmIb~fFjf%4GYg}Eu+2JomCPyuS9FCnMb8;3Vj zZvWe<2@O!e(SMDgqRQZ6;C%Nj-*CR-O9B0ti5$Ka?IR{y0)n4t0|~l0g)+(a9z3$3 zsfK}V8GSfS)f59lo7!ac;JYfMgRHCnQc;Cl%4JFVOb@x@KV?U9x^+$`_#9s|yoZkPKz1hG9$ZFbqzz}BaQJA) z#`dWScy?@$%7kB5KdE#f(f9puHE#$0U6eYhRU{R-k*>>%!hmuX(AnIGdiN}NKs2(Ut9()jC_yc4{wqR8ahO1J1Mfd zV2@BX`#M^lOK>9l=<^{;>XjG9_?A@?&#@=ro;6fS$Gs;<`HpH2C_UiHJi$g;_s z2{cKxMJ=Zsg6~(3rM4rdoE?<=ecshkCh2$vaB46$9X5fNW;I!O0E_P!`7}kS8~Fhq zrk6;6bs8T&%ZTB~1KMsgo_kjh6msUofKGr-kD=igw2E(TO}ld47$_kkwMX6vr-qsp z=OcRIh^82yx?PQ6`{cBwR^Y4>+z#>1GZc}5CdnxiW0&pPn$QBc`?N%{V?HoCy>Fn_!Yxa$$;ct;kO42*7~VKMjgx=a;4}hl_zTa~u`K@TFRmNK zo|ofCmQBEhI@@p1dXQ|pm`aJy3Z0iogawS56Z~4zOsFh~lz5(}_Pk=xldrR4D$n>% z&4pAeSH*7B|CHQa?E5A0J#6kFDpWq(vgLKbY})gTHms}B9Vvc-&(&So#sgK0B;4UX zS1Y|n%1cxnS!<52)LE{&*WX%amK5BuuGHg39+nWnEIEBy8fWN;m%c_s+q-Nnij;(T z9%Q~1K;tlwe#LW0tR5YZ<}mb0TXSprV|{AjlkX2hchmI1Wy^oSDCW zG-xaTRD<1KL6JI9uoTMvV!M?W?=&o*|A8tC&$EW;DTH7<1Ko0dMKY1o*m{f1dwMNp z4)Te%7u^i;_cPj=4D=ZTi2^!04!J=qv%*;uX%IrV_R(x!qQx1CbV2_ylEu)9LRCQQ z%a+U=R)p8Z)meTheO_|5RZ99?)MDtH`dZVe>0N$b({{Cp#yL|ePc5m(c@_%?Sl{{+ zG93~Nu+#Q6(=X0%PQA$e5xV7R2)~vZukaBu@2%NFB0iJWYQ>z9y*fMDuJ0>7EOt_^ zDK_02X5WXM>aXKYuKFxzuZ`tBno6jjc9sy1*b81~ue4)U4ttE=HCY=)dC>6}m2K-b z(q0r+?=Nwpe|)%~-yedDwZqW;WvVVGkFuTren)=Q0a$s~J?|_RcmNRExDi3#FNSuz zSS&M%s-)1~`}Lu%XM8oj^BIN-yrTVBKyCzk!(BA5@|rvj@wFekC|<}wR)Y^4BIi~r zV@iUsy*6^;tt5l>fOGYjDc6K|4Xw#7adS?DIxflLcoS+sHL#%RyULLq(P! z2P$u!1amEV;Q};kn0|p$CKZ#GMYX)gT&?3kCdjMHB3o0%wu#v`J^`oCK$olee z-2-At*pe3-_p>nss1bQza!H`_JD5m^n9V`PDk^9kp=j_vzMk}yoQw239Gip8sVf+N z--W+r)#;pUBJDzNT|z&u^8O`>pQp7SHp0SR>bQ_8Ke+H*!-Amt!-)tbrJS&^o&SQh4?h;(XNMIeC_A! zjcj+%!Xy+h%hFDDj@sx~*>X|V_6?%sa#~|qGH-dO#Eh3RymHSZwK7z7%E8ohHTUDS zfp1x4$*ye*W96j0wdcsT`Bq9yvg;+f*^PY+lLW((9DPOLnsAQpnID#FAo`?3wDS>G zu&IdsUNo>`-adYcv1#ShZ9U{bpYZ8Y%rHqdcC!pC&hON(W%wDd?*n7$x%TYGVUInq zS3>s^IG%Z{-;xm;O!rv-wQHnnh}YBFG;f5jeq}%ozYM!7>n91_O& zEvDh!zAa4d#xLMpy@uX!cFbfnJ`%Vl(F9E~Jby>7QWpC_i z&XQdhqWR?76B}8ZGxsNwLKI{ScziROLuk?c_^-1@*-GIH7mkxe74~wH8YctJWU>Ix z+^i3G_gy<*Zev>EaVyt;+1AEAbN3dIeRTq_GkQt`UOFqy;LPnScFtRr&iJ;$E{FM@ z#&zN}UVA8Kw;NM}?CU|i`CK+e5Pb z!!3N@tn!Pnv3*Mw134z+*%4#fK6yufO%Ms|Jj0FGr{{=&s2eoFE{?o8?-9Aw9jv#I z12;_0b+^J_07E3M^TloQD{wDdp;DHD2Q)~ zyVaDPTV!;Q#ZBcq#SK5W^=R?uYj&tvn9SB2@uFW#wy;H>C3=EpX<8sMgLp@-cD!(O zN;E)KR*0evfyR&y3sPtR`$ z`jm2N>h?k=@M{WcaDFm?r){^6wT!GKqjR{$rdOZV%uD`;`EH4Zh47AkH~sGNAs|Ed z!Nik5RW2miHV`8&GB!b%*0?o=Cy5Mhe4%QCpowB=c7>v9y4w+7B@NCteAcr}->~6% zY@5}FULkhromErwlAfghhb1Zg?6PY{G$S6er^>S(9d=REOu%=mv1sOnn}F9~1+cOwboQ#J}q+|Qu_t%0qJ6mZqf&GQbTGW*?pE{RcrZT0RpB&luCy^2HJ(?WYqUp;O(BA>Y!tf5VU;nTRhpg6+?;E8bv0T9-&ko9Qd-7zs6~Tp0wO)U zOHNUrLj)13>!^g}UimQS++0=6Otp@;&3JX|h-T0H&Kw&~m?}ze=>7p;Jp^9gvZ9&1 zkajDDS4G(0MzBlPK;IH)@9r~ujyxwR&f$t8U}@@h8La{ONy9k0IiKmnwU2_f{rgMQ z-APh`VzR(6{~P-12Y|0;o7}VO9u%;N#Bu+9`#)S|t+Z0_2w`#Y*gIS78bJFjJ7=++ z1XgK@g?~(sL1)&^HlnNwu%@_~O{doE{)bdKLI5#5@_usN=m6`g_sJ z0_S%qev3G9C%ex73f%j*IO{I^zuxMDu9W~FNBs%DSnhCWag8ToZ#5$8w#)Lu3EOAN z>*i8vR_1UCTO8QWm~#C`C=$5Q4}3v=Qf+F61QnX%9$W`YHf%E{1cl8^ug{_$Z>o)1 zM6=o^7zfOBX*yB`#f%y?o9V%wNg%2)o7EPcAvV!vv?>GMr`>*U55gOmf$Ou@ayNzL zvF=e5-<_9lpu8b%Rc_Y?V~B-OUJc4anH2s22|a zhEd))r3qF=tBzH@Rk$Kw&@Y!^!K7hFeTr|7m9JJSRVWScBSzyc{q$IIpQu`NXVV7u zvje-+jSo-bEN`o1AHVsC7_pBy)6^5nXLE>3i#RVEU_O9SXh-IE?gTAN(#}0cu1!|l zOc{P9yv;b2?aM*+{N(^4d0$#@ZW|b#1I%(eGr9C_0Hg6-LAW*|V=jK!1EI!#yF)-K z_C?-_aP!-Z7wu8uXDYd#hM!zljvg{}kWH3;;U;x4!OnWv{>i%cI$r61aooaT* z(wKGm8;PFdm`)Z1_hLbCpBOLg5>NTptdi9`gXw-sT0?){-11yI#jP^0Dxj zMFUhqrnRq8hKeMjT)6-9)YxggPklq`PQ5F;ggCVBKdVCJa_Lcs#)`+gc51R8++^ek zSzPo^Wp z@^UdQ{pEjl=>Wb?_aH?YPELD6huNbsglF3g=u291H~qDx3X<=NDP~p4863cIOrMkv zZT$A|e5!_o`jf9&+S}24#^hlP%J^Cp zDbWK-x_!rivOCS?FaO)Wy`e+`RPoZ!n&VIXB+-vs!1HFvUX4&)u z^#YP0ec?(m=qw@Y-|l%LsWx2oGf2efn-EPV(}L*?PY&LV-9ghnuy4xd^07}MQTQ#b zxm4J`=I4$I0~4dU*7p)#bQ&JMq>CJTfGd^ca7na2&}ZZ&Ok#DFaJR86a7hA-0SUrpOzdEl_lP z?6Y(ZWJvWH9Dq5P{&N_4MWyc_d+I0Nmd1l9(P?giUmM8SxY59%Fg%zPMkJsxP7T97 zGc(bPPY@2*f+k*JV-+=omcIA`&9s7|(z>N1&xmRLsU>lDS=?M_CHd@cNk3)-^%IhDgvLjOM7{@Of3dpo|*TxOC7z z9oHkl~5hC}r%F!i3941HcP<85@E8w8TM zgx)pRRfYD+jS(R~_Kdm7;S5!TzHNbkxZ;l(&+(4e+SWxaum+^xq1d>}-lN=jg=}Y# zU~|J7!l8`qB=5&#OXCM)h3UrxZVv?v{z_Z zTLG!ASOFj5Tc&{c(lY785rsoLCx)cpABiKTeXT)SV`R_s6-9{&>7}DP%CODaqn!x# zTIbXF+JFH>z39>p_rd9v0AjaOMkYD)MD%Le5t-LW{<-W!CQR0fwF{X%C5h+Meor8U)2wCA%mcenRGLqPAO}< zTQwT=WcGX+-Z3nFmA2P<^r9#|QoX_p;qIPD^9YTT4-pkM-Y#NAji$j3ozp@l;)8giI z1}hEH`jD;kPS0y{FBHjAo$#+F!Akg$EvxYwZi&tWLMi0~{d=U7?aX%B(l3IjTQK#4 zjR`2e$Dv817K@qP6+0dJpqQp`(bKnbFJ=!Z-Ahl4XR?!4v+W=ewTya}EKckv?@!_X z5l@9?1AJx`IGV7sJ%j2ubQWKhSs8GlWdoOOo9SvHtA{^ZkyT8;CfG3P4ViJ6Y?FoD zc^vR^-X$}dPFIj^w1S_m$Pg}jK-cB1J!y+0SwwQdY^@vAQm6g8+gI=iQCV1FTS``C zQ2*j`NM#9g5&CT#3+mLL9c9ra1CSH+t$GV~!Xpo7czbd$iPS&R^LUe9G287a!+{sf zPjG;kwFN7GzGG>MMBku3*a9|2Zn6;7Zn6bckz0m3?dnuxZaP~$%}ZmqPL4hC(oGa^ z)9`Hdr#3juwlPo;0VpOz0e%{t3l6%+Ex>GvZG@!~5WCT+QH#IR zUoEoJvl~OmuG==Nskvs!{(4tcEupK{$p!dpnDzlzh4^A$$8&qQuzWpUWmNpY>(&xp zIu92-)nW8j|G|(Dor*2BSu*e_V&D|b!P*u}b2hZaBBAB>ReFv#+(oz?_dC`-y6Y_i z26093>PG>}18o)%RdkuHX<(r&SR8&Em7mH)J;IB~l`GZ)l5>CCFdhu`fRY zz;}kpMJd*7yz|u=fwz+G`aDC`lu7NCf>@iUWJu}qN)6DFONZBj6e z#Y^ArQn=wnS*4WN%EgDAYb?zQ_nxglE1KiQMN1oTCNBdM`>$C`CBULv7bvwg5Gk^Y z%4u^9M`l>a@D_D`5pqnC@193(!w7TL^XAM~0t*PFsu%a8+TBC1_hD<+`LB8gXQorX zOyXC)a4M+NLEja(cSHOqCPx^~w72HwR;#Eh*^^6Vw)i2E>v@Y>>l7UgJpyWsrvP>3 z!Sf0?dnfaHbf;xnr8lN`gzMPXjCZTp@*?TI;#W$)F0HC$%U}++lfoyR?gs|W1*hm` zOEgGa3zb*pc3cjTXbRZ)Ol`-#Ui~1TzCJWea0%8>eriu@?CF>ovlecM_sz3$^C}LH zGuoj$`m#H|UKvkXA{9g-2>QLoB_)59fBaOS3o3j`a>)bTS^-;UMmeKekHRMQd$dD7X4%;V- zpRX;*2tD2AwLxMJx-eU>7{VWyvcbU(w+Bx`x$rw!p||cLYB}&o$GIhKN!lFdj-_ll zJnUBk+YZIVvS+C_`uMY`(9yD0-)F7~_U0)(_Z<5L$f&GCq(e?apHSpCtli3Q&qG|4 zHYWC#@`W+8e8Q`0!Q_PWgtfxUKc;R?oRSxjE9*`tm_=sU?DZV^6l2!b>em4=F>>@} zj1DOuz#!uN%L(ybS}d5Smm{1$$sz*?h7$I@2F`V4 zZn1ItG$FmB&^`NLbkCL*r-U_S?lv;b(Oys}`(PS`JiYiXNI7}6Pa30FD3x5U@&F21 zCc2uNPN0mF2mMsEF%k91U`nrmeh_@w7Qbp~9W*qfC9g6j`%*-_e)6pk)xKO+dYCvv zA1toW$~2-9myV-^DRpt-qVjD2^Xi!Wk1e(-1@E`Z=$CWn-qZS` zN@H~L*|rQ&3#ws(8}i2LTn}SKxea{SlXCOP&iEb3fRNoUzaOU7Mz}J!hw_hxLBifj z?Ujn6_MarI?5I8I$gG-W54E@TjBa@hdf?3$${I6v?X%SvAP)3li36>GIB?3(-Cw_8 zpU^wcCC~5A_Q-3*oY|&T`SkBhgi|dZ1Q~ozQTh?3w^~~S3%b!sI zJpc9Rl@*{A9$_hk@l2(#R2zFyB0bVroT(K4y`IUuV8+L0)8i51->wT(Ih*)SWEjox z>XrXRjqtCO-pq6RiXslB7B8l&=rzjF2B z3Nmw;>b$4D2#pRN{c_Q7Z8{);mLzrPD~d+!gmpA58?V#^C>T}%R`mIfe^PEeK;hu< zIJ_4W6iq~Q)J|BA34|eCJ3&D48L7=>{Qtn1wRckqn*0+;k9{!pUHM(9qkeu(l;QCA z@6Q!eF}v?tJSaVu)Auk73Vum>^Lb5xsvb)hU@uZKfm_6-=SJDSw zG1(MARZ;J6CVg%f3mr3i{b^Y*| zEfGp2zMYOIO_u(#SJUlO=loWZ;}IcF{pfSgH=x=$8IL z0S;`|=tqh{`y{sr*zaI_#my|KvnE{^qXo$C4D7`}XYN1f5tx7ef99y77<33R7d2?9 zuP7U|^0cBoYom;-TiaaNT+Unr%=^D2`LmujMk1K24I`&wwvz~;0H@T=!lBNH*aOTyYf$XzlG-Xp~qF0%X2+nQD6IAJ~B-RJyGUM zGQ-pIp=lv2GoynMDM@2%XrDX3#y4%OBr^j8*Tb@{1&W#|;)CwQ>*KZQ6W{t87d(DM zr)^LNQ|6?ib~6%=q8JHB`&;4078qI;c?p%&O=N#8u$Aq(@aCy#$&sYj4X@W}&Q%_i zL@aN+!U%9o)%VYm^Wf!suNkoJpW61uZrfQh5>hjDmhJA~=FvdrXK71yV8}a@Zmvm^Rwrs(%J==0S=FX< zVrq&Vq|`}$I3jgSmyuGZ6&9cC2Q`l+a)>A`x-F;`jFW{{C+HPH#KiaKES7s1MB(J_ z%@49nPQs!Qk{n6d=4s_|2Rc^H6>*MbHTbw&8>Q4RnJpcrd_9zDZbjE4( zG!WjIL=O~wN3e~?a*iAE3q{O3h#cAqqWMX=;b-!8Y2NnCNl3nE-@9@=c1)h%PM^Py z>Q-+L@vWr;z{;nYut z@l-=3i85PdyP0Fiv3U$@qqMD+pa0EHa4dppCkPE5VVDWRcE6v_Iq1C8Nv0)8y4~mS z&KQm{8Aa5&<)5$0GUuN3=D9b_C)PeEI89Jr;6Dg>@=*w^LRiX8j9=YJKUIiBdutr9 zw`hSVjho0HMPe~x9Wxv;k>M9lG8j120um?6;NFJs3p-gR7`QQpruv^)hFIEpj~Wl) zx&UEffOP{wq?&sRUI?14WATo$Zn@woiQ`-(F=N# zd?1QEK6=V}?h=_83FRlt9EZB>jz};Nbz=M?HGK2UV40L;n$zpW$iQPu{U@iyC_V%Q ziFaQz*Dwb@vwt*ifCcDMGtczTLh&iopBQNyTDVvc=6ii(^CA?ti=m}U-m>Xl{jup` zt=ph*!|=QO-#to(ug*28g7)kgMw?VvzilixU-$3kIq;%q{bRnG{(F?|zvJ-V`2d1b z{`*|8qGJB{$KmmhupmFTtw-73UUcJHChT{~?XTdhy=`oju9;f0?TrGfWkGGtqr_Bg nwhU>e^!d8Z|JRp`a{;PF)#19{{Jf7Dvs>%3-Y;;q>-YZ$&&DOK literal 0 HcmV?d00001 diff --git a/doc/index.html b/doc/index.html new file mode 100644 index 0000000000000..61aaf2e0aad34 --- /dev/null +++ b/doc/index.html @@ -0,0 +1,52 @@ + + + + + + + Document + + + + + + + + +

+ + + + + diff --git a/doc/install-dependencies.md b/doc/install-dependencies.md index 989ca9ba36c71..0a5ad26247303 100644 --- a/doc/install-dependencies.md +++ b/doc/install-dependencies.md @@ -20,6 +20,7 @@ # Install Dependencies - [CentOS 6](#centos-6) - [CentOS 7](#centos-7) +- [Fedora 31 & 32](#fedora-31--32) - [Ubuntu 16.04 & 18.04](#ubuntu-1604--1804) - [Debian 9 & 10](#debian-9--10) - [Mac OSX](#mac-osx) @@ -65,6 +66,21 @@ sudo yum install -y etcd openresty curl git gcc luarocks lua-devel sudo service etcd start ``` +Fedora 31 & 32 +============== + +```shell +# add OpenResty source +sudo yum install yum-utils +sudo yum-config-manager --add-repo https://openresty.org/package/fedora/openresty.repo + +# install OpenResty, etcd and some compilation tools +sudo yum install -y etcd openresty curl git gcc luarocks lua-devel + +# start etcd server +sudo etcd --enable-v2=true & +``` + Ubuntu 16.04 & 18.04 ==================== diff --git a/doc/plugin-develop.md b/doc/plugin-develop.md index f6a6cb66bbe4d..a85c208eb4ca1 100644 --- a/doc/plugin-develop.md +++ b/doc/plugin-develop.md @@ -16,7 +16,7 @@ # limitations under the License. # --> -[中文](plugin-develop-cn.md) +[中文](zh-cn/plugin-develop.md) # table of contents @@ -98,6 +98,12 @@ plugins: # plugin list Note : the order of the plugins is not related to the order of execution. +If your plugin has a new code directory of its own, you will need to modify the `Makefile` to create directory, such as: +``` +$(INSTALL) -d $(INST_LUADIR)/apisix/plugins/skywalking +$(INSTALL) apisix/plugins/skywalking/*.lua $(INST_LUADIR)/apisix/plugins/skywalking/ +``` + ## schema and check Write [Json Schema](https://json-schema.org) descriptions and check functions. similarly, take the key-auth plugin as an example to see its diff --git a/doc/plugins.md b/doc/plugins.md index 081d2d7385fc3..bf39cf15f0a41 100644 --- a/doc/plugins.md +++ b/doc/plugins.md @@ -17,7 +17,7 @@ # --> -[Chinese](plugins-cn.md) +[Chinese](zh-cn/plugins.md) ## Hot reload diff --git a/doc/plugins/authz-keycloak.md b/doc/plugins/authz-keycloak.md new file mode 100644 index 0000000000000..39a3dcae35a0d --- /dev/null +++ b/doc/plugins/authz-keycloak.md @@ -0,0 +1,135 @@ + + +[中文](../zh-cn/plugins/authz-keycloak-cn.md) + +# Summary +- [**Name**](#name) +- [**Attributes**](#attributes) +- [**How To Enable**](#how-to-enable) +- [**Test Plugin**](#test-plugin) +- [**Disable Plugin**](#disable-plugin) +- [**Examples**](#examples) + + +## Name + +`authz-keycloak` is an authorization plugin to be used with the Keycloak Identity Server. Keycloak is an OAuth/OIDC and +UMA compliant Ideneity Server. Although, its developed to working in conjunction with Keycloak it should work with any +OAuth/OIDC and UMA compliant identity providers as well. + +For more information on Keycloak, refer to [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) for more information. + +## Attributes + +|Name |Requirement |Description| +|--------- |-------- |-----------| +| token_endpoint|required |A OAuth2-compliant Token Endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type.| +| grant_type |optional |Default value is `urn:ietf:params:oauth:grant-type:uma-ticket`.| +| audience |optional |The client identifier of the resource server to which the client is seeking access. This parameter is mandatory in case the permission parameter is defined.| +| permissions |optional |This parameter is optional. A string representing a set of one or more resources and scopes the client is seeking access. The format of the string must be: `RESOURCE_ID#SCOPE_ID`.| +| timeout |optional |Timeout for the http connection with the Identity Server. Default is 3 seconds| +| policy_enforcement_mode|required |Enforcing or Permissive.| + + +### Policy Enforcement Mode + +Specifies how policies are enforced when processing authorization requests sent to the server. + +**Enforcing** + +- (default mode) Requests are denied by default even when there is no policy associated with a given resource. + +**Permissive** + +- Requests are allowed even when there is no policy associated with a given resource. + + +## How To Enable + +Create a `route` and enable the `authz-keycloak` plugin on the route: + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/get", + "plugins": { + "authz-keycloak": { + "token_endpoint": "http://127.0.0.1:8090/auth/realms/{client_id}/protocol/openid-connect/token", + "permissions": ["resource name#scope name"], + "audience": "Client ID" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:8080": 1 + } + } +} +``` + + +## Test Plugin + +```shell +curl http://127.0.0.1:9080/get -H 'Authorization: Bearer {JWT Token}' +``` + + +## Disable Plugin + +Remove the corresponding json configuration in the plugin configuration to disable the `authz-keycloak`. +APISIX plugins are hot-reloaded, therefore no need to restart APISIX. + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/get", + "plugins": { + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:8080": 1 + } + } +} +``` + +## Examples + +Checkout the unit test for of the authz-keycloak.t to understand how the authorization policies can be integrated into your +API workflows. Run the following docker image and visit `http://localhost:8090` to view the associated policies for the unit tests. + +```bash +docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 sshniro/keycloak-apisix +``` + +The following image shows how the policies are configures in the Keycloak server. + +![Keycloak policy design](../images/plugin/authz-keycloak.png) + +## Future Development + +- Currently the `authz-plugin` requires to define the resource name and required scopes in order to enforce policies for the routes. +However, Keycloak's official adapters (Java, JS) also provides path matching by querying Keycloak paths dynamically, and +lazy loading the paths to identity resources. Future version on authz-plugin will support this functionality. + +- Support to read scope and configurations from the Keycloak JSON File diff --git a/doc/plugins/basic-auth.md b/doc/plugins/basic-auth.md index c564358727a74..dda4cba69352f 100644 --- a/doc/plugins/basic-auth.md +++ b/doc/plugins/basic-auth.md @@ -17,7 +17,7 @@ # --> -# [Chinese](basic-auth-cn.md) +# [Chinese](../zh-cn/plugins/basic-auth.md) # Summary diff --git a/doc/plugins/batch-requests.md b/doc/plugins/batch-requests.md index 081c5904ddac5..b3ea993e4cadf 100644 --- a/doc/plugins/batch-requests.md +++ b/doc/plugins/batch-requests.md @@ -17,7 +17,7 @@ # --> -# [Chinese](batch-requests-cn.md) +# [Chinese](../zh-cn/plugins/batch-requests.md) # Summary @@ -32,6 +32,10 @@ `batch-requests` can accept mutiple request and send them from `apisix` via [http pipeline](https://en.wikipedia.org/wiki/HTTP_pipelining),and return a aggregated response to client,this can significantly improve performance when the client needs to access multiple APIs. +> **Tips** +> +> The HTTP headers for the outer batch request, except for the Content- headers such as Content-Type, apply to every request in the batch. If you specify a given HTTP header in both the outer request and an individual call, then the individual call header's value overrides the outer batch request header's value. The headers for an individual call apply only to that call. + ## Attributes None @@ -41,7 +45,7 @@ None Default enbaled ## Batch Api Request/Response -The plugin will create a api in `apisix` to handle your aggregation request. +The plugin will create a api in `apisix` to handle your batch request. ### Batch Api Request: @@ -67,7 +71,7 @@ Response is `Array` of [HttpResponse](#HttpResponse). #### HttpResponse | ParameterName | Type | Description | -| --- | --- | --- | --- | --- | +| --- | --- | --- | | status | Integer | http status code | | reason | String | http reason phrase | | body | String | http response body | diff --git a/doc/plugins/consumer-restriction.md b/doc/plugins/consumer-restriction.md new file mode 100644 index 0000000000000..60dafa8e8ac3a --- /dev/null +++ b/doc/plugins/consumer-restriction.md @@ -0,0 +1,134 @@ + + +[Chinese](../zh-cn/plugins/consumer-restriction.md) + +# Summary +- [**Name**](#name) +- [**Attributes**](#attributes) +- [**How To Enable**](#how-to-enable) +- [**Test Plugin**](#test-plugin) +- [**Disable Plugin**](#disable-plugin) + + +## Name + +The `consumer-restriction` can restrict access to a Service or a Route by either +whitelisting or blacklisting consumers. Support single or multiple consumers. + +## Attributes + +|Name |Requirement |Description| +|---------|--------|-----------| +|whitelist|optional |List of consumers to whitelist| +|blacklist|optional |List of consumers to blacklist| + +One of `whitelist` or `blacklist` must be specified, and they can not work +together. + +## How To Enable + +Creates a route or service object, and enable plugin `consumer-restriction`. + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "username": "jack1", + "plugins": { + "basic-auth": { + "username":"jack2019", + "password": "123456" + } + } +}' + +curl http://127.0.0.1:9080/apisix/admin/consumers/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "username": "jack2", + "plugins": { + "basic-auth": { + "username":"jack2020", + "password": "123456" + } + } +}' + +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/index.html", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "basic-auth": {}, + "consumer-restriction": { + "whitelist": [ + "jack1" + ] + } + } +}' +``` + +## Test Plugin + +Requests from jack1: + +```shell +$ curl -u jack2019:123456 http://127.0.0.1:9080/index.html +HTTP/1.1 200 OK +... +``` + +Requests from jack2: + +```shell +$ curl -u jack2020:123456 http://127.0.0.1:9080/index.html -i +HTTP/1.1 403 Forbidden +... +{"message":"You are not allowed"} +``` + + +## Disable Plugin + +When you want to disable the `consumer-restriction` plugin, it is very simple, +you can delete the corresponding json configuration in the plugin configuration, +no need to restart the service, it will take effect immediately: + +```shell +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/index.html", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "basic-auth": {} + } +}' +``` + +The `consumer-restriction` plugin has been disabled now. It works for other plugins. diff --git a/doc/plugins/cors.md b/doc/plugins/cors.md index 6e6114ee215c2..2cf0f55c897ff 100644 --- a/doc/plugins/cors.md +++ b/doc/plugins/cors.md @@ -17,7 +17,7 @@ # --> -# [Chinese](cors-cn.md) +# [Chinese](../zh-cn/plugins/cors.md) # Summary diff --git a/doc/plugins/echo.md b/doc/plugins/echo.md new file mode 100644 index 0000000000000..2e2b4051354ac --- /dev/null +++ b/doc/plugins/echo.md @@ -0,0 +1,95 @@ + + +# Summary +- [**Name**](#name) +- [**Attributes**](#attributes) +- [**How To Enable**](#how-to-enable) +- [**Test Plugin**](#test-plugin) +- [**Disable Plugin**](#disable-plugin) + + +## Name + +`echo` is a a useful plugin to help users understand as fully as possible how to develop an APISIX plugin. + +This plugin addresses the corresponding functionality in the common phases such as init, rewrite, access, balancer +, header filer, body filter and log. + +## Attributes + +|Name |Requirement |Description| +|--------- |-------- |-----------| +| before_body |optional | Body before the filter phase.| +| body |optional | Body to replace upstream response.| +| after_body |optional |Body after the modification of filter phase.| + + +## How To Enable + +The following is an example on how to enable the echo plugin for a specific route. + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "plugins": { + "echo": { + "before_body": "before the body modification " + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" +}' +``` + +## Test Plugin + +* success: + +```shell +$ curl -i http://127.0.0.1:9080/hello +HTTP/1.1 200 OK +... +before the body modification hello world +``` + +## Disable Plugin + +Remove the corresponding json configuration in the plugin configuration to disable the `echo`. +APISIX plugins are hot-reloaded, therefore no need to restart APISIX. + +```shell +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uri": "/hello", + "plugins": {}, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` diff --git a/doc/plugins/fault-injection.md b/doc/plugins/fault-injection.md index cb895ef620928..7a90b8abcfee9 100644 --- a/doc/plugins/fault-injection.md +++ b/doc/plugins/fault-injection.md @@ -17,7 +17,7 @@ # --> -# [Chinese](fault-injection-cn.md) +# [Chinese](../zh-cn/plugins/fault-injection.md) ## Name diff --git a/doc/plugins/grpc-transcoding.md b/doc/plugins/grpc-transcode.md similarity index 98% rename from doc/plugins/grpc-transcoding.md rename to doc/plugins/grpc-transcode.md index 870f9c540ee29..cc9ca4ac3f2af 100644 --- a/doc/plugins/grpc-transcoding.md +++ b/doc/plugins/grpc-transcode.md @@ -17,7 +17,7 @@ # --> -# [Chinese](grpc-transcoding-cn.md) +# [Chinese](../zh-cn/plugins/grpc-transcode.md) ## Name diff --git a/doc/plugins/http-logger.md b/doc/plugins/http-logger.md new file mode 100644 index 0000000000000..b72325dfbe6bf --- /dev/null +++ b/doc/plugins/http-logger.md @@ -0,0 +1,100 @@ + + +# Summary +- [**Name**](#name) +- [**Attributes**](#attributes) +- [**How To Enable**](#how-to-enable) +- [**Test Plugin**](#test-plugin) +- [**Disable Plugin**](#disable-plugin) + + +## Name + +`http-logger` is a plugin which push Log data requests to HTTP/HTTPS servers. + +This will provide the ability to send Log data requests as JSON objects to Monitoring tools and other HTTP servers. + +## Attributes + +|Name |Requirement |Description| +|--------- |-------- |-----------| +|uri |required |URI of the server| +|authorization |optional |Any authorization headers| +|keepalive |optional |Time to keep the connection alive after sending a request| +|name |optional |A unique identifier to identity the logger| +|batch_max_size |optional |Max size of each batch, default is 1000| +|inactive_timeout|optional |maximum age in seconds when the buffer will be flushed if inactive, default is 5s| +|buffer_duration|optional |Maximum age in seconds of the oldest entry in a batch before the batch must be processed, default is 5| +|max_retry_count|optional |Maximum number of retries before removing from the processing pipe line; default is zero| +|retry_delay |optional |Number of seconds the process execution should be delayed if the execution fails; default is 1| + + +## How To Enable + +The following is an example on how to enable the http-logger for a specific route. + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "plugins": { + "http-logger": { + "uri": "127.0.0.1:80/postendpoint?param=1", + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "uri": "/hello" +}' +``` + +## Test Plugin + +* success: + +```shell +$ curl -i http://127.0.0.1:9080/hello +HTTP/1.1 200 OK +... +hello, world +``` + +## Disable Plugin + +Remove the corresponding json configuration in the plugin configuration to disable the `http-logger`. +APISIX plugins are hot-reloaded, therefore no need to restart APISIX. + +```shell +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uri": "/hello", + "plugins": {}, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` diff --git a/doc/plugins/ip-restriction.md b/doc/plugins/ip-restriction.md index ddec4744e1d00..68b50f65d4133 100644 --- a/doc/plugins/ip-restriction.md +++ b/doc/plugins/ip-restriction.md @@ -17,7 +17,7 @@ # --> -[Chinese](ip-restriction-cn.md) +[Chinese](../zh-cn/plugins/ip-restriction.md) # Summary - [**Name**](#name) @@ -141,7 +141,7 @@ you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately: ```shell -$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "uri": "/index.html", "plugins": {}, diff --git a/doc/plugins/jwt-auth.md b/doc/plugins/jwt-auth.md index ed57175159a7f..f2e8bfa855569 100644 --- a/doc/plugins/jwt-auth.md +++ b/doc/plugins/jwt-auth.md @@ -17,7 +17,7 @@ # --> -[Chinese](jwt-auth-cn.md) +[Chinese](../zh-cn/plugins/jwt-auth.md) # Summary - [**Name**](#name) diff --git a/doc/plugins/kafka-logger-cn.md b/doc/plugins/kafka-logger-cn.md deleted file mode 100644 index 53572f4606885..0000000000000 --- a/doc/plugins/kafka-logger-cn.md +++ /dev/null @@ -1,129 +0,0 @@ - - -# Summary -- [**定义**](#name) -- [**属性列表**](#attributes) -- [**信息**](#info) -- [**如何开启**](#how-to-enable) -- [**测试插件**](#test-plugin) -- [**禁用插件**](#disable-plugin) - -## 定义 - -`kafka-logger` 是一个插件,可用作ngx_lua nginx模块的Kafka客户端驱动程序。 - -这将提供将Log数据请求作为JSON对象发送到外部Kafka集群的功能。 - -## 属性列表 - -|属性名称 |必选项 |描述| -|--------- |--------|-----------| -| broker_list |必要的| 一系列的Kafka经纪人。| -| kafka_topic |必要的| 定位主题以推送数据。| -| timeout |可选的|上游发送数据超时。| -| async |可选的|布尔值,用于控制是否执行异步推送。| -| key |必要的|消息的密钥。| -| max_retry |可选的|没有重试次数。| - -## 信息 - -异步与同步数据推送之间的区别。 - -1. 同步模型 - - 如果成功,则返回当前代理和分区的偏移量(** cdata:LL **)。 - 如果发生错误,则返回“ nil”,并带有描述错误的字符串。 - -2. 在异步模型中 - - 消息将首先写入缓冲区。 - 当缓冲区超过`batch_num`时,它将发送到kafka服务器, - 或每个`flush_time`刷新缓冲区。 - - 如果成功,则返回“ true”。 - 如果出现错误,则返回“ nil”,并带有描述错误的字符串(“缓冲区溢出”)。 - -##### 样本经纪人名单 - -此插件支持一次推送到多个经纪人。如以下示例所示,指定外部kafka服务器的代理,以使此功能生效。 - -```json -{ - "127.0.0.1":9092, - "127.0.0.1":9093 -} -``` - -## 如何开启 - -1. 这是有关如何为特定路由启用kafka-logger插件的示例。 - -```shell -curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' -{ - "plugins": { - "kafka-logger": { - "broker_list" : - { - "127.0.0.1":9092 - }, - "kafka_topic" : "test2", - "key" : "key1" - } - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/hello" -}' -``` - -## 测试插件 - -* 成功: - -```shell -$ curl -i http://127.0.0.1:9080/hello -HTTP/1.1 200 OK -... -hello, world -``` - -## 禁用插件 - -当您要禁用`kafka-logger`插件时,这很简单,您可以在插件配置中删除相应的json配置,无需重新启动服务,它将立即生效: - -```shell -$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value=' -{ - "methods": ["GET"], - "uri": "/hello", - "plugins": {}, - "upstream": { - "type": "roundrobin", - "nodes": { - "127.0.0.1:1980": 1 - } - } -}' -``` diff --git a/doc/plugins/kafka-logger.md b/doc/plugins/kafka-logger.md index 83316d397a3f1..809ea5203180b 100644 --- a/doc/plugins/kafka-logger.md +++ b/doc/plugins/kafka-logger.md @@ -32,6 +32,11 @@ This will provide the ability to send Log data requests as JSON objects to external Kafka clusters. +This plugin provides the ability to push Log data as a batch to you're external Kafka topics. In case if you did not recieve the log data don't worry give it some time it will automatically send the logs after the timer function expires in our Batch Processor. + +For more info on Batch-Processor in Apache APISIX please refer. +[Batch-Processor](../batch-processor.md) + ## Attributes |Name |Requirement |Description| @@ -39,7 +44,6 @@ This will provide the ability to send Log data requests as JSON objects to exter | broker_list |required | An array of Kafka brokers.| | kafka_topic |required | Target topic to push data.| | timeout |optional |Timeout for the upstream to send data.| -| async |optional |Boolean value to control whether to perform async push.| | key |required |Key for the message.| |name |optional |A unique identifier to identity the batch processor| |batch_max_size |optional |Max size of each batch, default is 1000| @@ -50,21 +54,12 @@ This will provide the ability to send Log data requests as JSON objects to exter ## Info -Difference between async and the sync data push. - -1. In sync model - - In case of success, returns the offset (** cdata: LL **) of the current broker and partition. - In case of errors, returns `nil` with a string describing the error. - -2. In async model - - The `message` will write to the buffer first. - It will send to the kafka server when the buffer exceed the `batch_num`, - or every `flush_time` flush the buffer. +The `message` will write to the buffer first. +It will send to the kafka server when the buffer exceed the `batch_max_size`, +or every `buffer_duration` flush the buffer. - In case of success, returns `true`. - In case of errors, returns `nil` with a string describing the error (`buffer overflow`). +In case of success, returns `true`. +In case of errors, returns `nil` with a string describing the error (`buffer overflow`). ##### Sample broker list @@ -124,7 +119,7 @@ Remove the corresponding json configuration in the plugin configuration to disab APISIX plugins are hot-reloaded, therefore no need to restart APISIX. ```shell -$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "methods": ["GET"], "uri": "/hello", diff --git a/doc/plugins/key-auth.md b/doc/plugins/key-auth.md index acb02f77bb96d..2e28f4865876a 100644 --- a/doc/plugins/key-auth.md +++ b/doc/plugins/key-auth.md @@ -17,7 +17,7 @@ # --> -[Chinese](key-auth-cn.md) +[Chinese](../zh-cn/plugins/key-auth.md) # Summary - [**Name**](#name) diff --git a/doc/plugins/limit-conn.md b/doc/plugins/limit-conn.md index db963f777d316..3fe8a26901f38 100644 --- a/doc/plugins/limit-conn.md +++ b/doc/plugins/limit-conn.md @@ -17,7 +17,7 @@ # --> -[Chinese](limit-conn-cn.md) +[Chinese](../zh-cn/plugins/limit-conn.md) # Summary - [**Name**](#name) @@ -28,7 +28,7 @@ ## Name -Limiting request concurrency (or concurrent connections) plugin for Apisix. +Limiting request concurrency plugin. ## Attributes @@ -38,7 +38,9 @@ Limiting request concurrency (or concurrent connections) plugin for Apisix. |burst |required|is the number of excessive concurrent requests (or connections) allowed to be delayed.| |default_conn_delay |required|is the default processing latency of a typical connection (or request).| |key |required|is the user specified key to limit the concurrency level.
For example, one can use the host name (or server zone) as the key so that we limit concurrency per host name. Otherwise, we can also use the client address as the key so that we can avoid a single client from flooding our service with too many parallel connections or requests.
Now accept those as key: "remote_addr"(client's IP), "server_addr"(server's IP), "X-Forwarded-For/X-Real-IP" in request header.| -|rejected_code |required| The HTTP status code returned when the request exceeds the threshold is rejected. The default is 503.| +|rejected_code |required| The HTTP status code returned when the request exceeds `conn` + `burst` will be rejected. The default is 503.| + +**Key can be customized by the user, only need to modify a line of code of the plug-in to complete. It is a security consideration that is not open in the plugin.** ## How To Enable diff --git a/doc/plugins/limit-count.md b/doc/plugins/limit-count.md index 44eca68e84629..4d03a1d060401 100644 --- a/doc/plugins/limit-count.md +++ b/doc/plugins/limit-count.md @@ -17,7 +17,7 @@ # --> -[Chinese](limit-count-cn.md) +[Chinese](../zh-cn/plugins/limit-count.md) # Summary @@ -38,13 +38,16 @@ Limit request rate by a fixed number of requests in a given time window. |count |required|the specified number of requests threshold.| |time_window |required|the time window in seconds before the request count is reset.| |key |required|the user specified key to limit the rate. Here is fully key list: "remote_addr", "server_addr", "http_x_real_ip", "http_x_forwarded_for".| -|rejected_code |optional|The HTTP status code returned when the request exceeds the threshold is rejected. The default is 503.| +|rejected_code |optional|The HTTP status code returned when the request exceeds the threshold is rejected, default 503.| |policy |optional|The rate-limiting policies to use for retrieving and incrementing the limits. Available values are `local`(the counters will be stored locally in-memory on the node, default value) and `redis`(counters are stored on a Redis server and will be shared across the nodes, usually used it to do the global speed limit).| |redis_host |optional|When using the `redis` policy, this property specifies the address of the Redis server.| |redis_port |optional|When using the `redis` policy, this property specifies the port of the Redis server. The default port is 6379.| |redis_password|optional|When using the `redis` policy, this property specifies the password of the Redis server.| |redis_timeout |optional|When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server. The default timeout is 1000 ms(1 second).| + +**Key can be customized by the user, only need to modify a line of code of the plug-in to complete. It is a security consideration that is not open in the plugin.** + ## How To Enable Here's an example, enable the `limit count` plugin on the specified route: diff --git a/doc/plugins/limit-req.md b/doc/plugins/limit-req.md index f388756189f17..5a5d7c2c26e76 100644 --- a/doc/plugins/limit-req.md +++ b/doc/plugins/limit-req.md @@ -17,7 +17,7 @@ # --> -# [Chinese](limit-req-cn.md) +# [Chinese](../zh-cn/plugins/limit-req.md) # Summary @@ -37,8 +37,10 @@ limit request rate using the "leaky bucket" method. |--------- |--------|-----------| |rate |required|is the specified request rate (number per second) threshold. Requests exceeding this rate (and below `burst`) will get delayed to conform to the rate.| |burst |required|is the number of excessive requests per second allowed to be delayed. Requests exceeding this hard limit will get rejected immediately.| -|rejected_code |required|The HTTP status code returned when the request exceeds the threshold is rejected. The default is 503.| | key |required|is the user specified key to limit the rate, now accept those as key: "remote_addr"(client's IP), "server_addr"(server's IP), "X-Forwarded-For/X-Real-IP" in request header.| +|rejected_code |optional|The HTTP status code returned when the request exceeds the threshold is rejected. The default is 503.| + +**Key can be customized by the user, only need to modify a line of code of the plug-in to complete. It is a security consideration that is not open in the plugin.** ## How To Enable diff --git a/doc/plugins/mqtt-proxy.md b/doc/plugins/mqtt-proxy.md index 83ff9f9cc863c..49900b7dfe01f 100644 --- a/doc/plugins/mqtt-proxy.md +++ b/doc/plugins/mqtt-proxy.md @@ -17,7 +17,7 @@ # --> -[中文](mqtt-proxy-cn.md) +[中文](../zh-cn/plugins/mqtt-proxy.md) # Summary - [**Name**](#name) diff --git a/doc/plugins/prometheus.md b/doc/plugins/prometheus.md index 1b57a97cef3f4..3f882f7107a52 100644 --- a/doc/plugins/prometheus.md +++ b/doc/plugins/prometheus.md @@ -17,7 +17,7 @@ # --> -[Chinese](prometheus-cn.md) +[Chinese](../zh-cn/plugins/prometheus.md) # prometheus This plugin exposes metrics in Prometheus Exposition format. diff --git a/doc/plugins/proxy-cache.md b/doc/plugins/proxy-cache.md index c8e668c810772..61931a3d0ad89 100644 --- a/doc/plugins/proxy-cache.md +++ b/doc/plugins/proxy-cache.md @@ -17,7 +17,7 @@ # --> -[Chinese](proxy-cache-cn.md) +[Chinese](/doc/zh-cn/plugins/proxy-cache.md) # proxy-cache @@ -50,7 +50,7 @@ Note: 1: enable the proxy-cache plugin for a specific route : ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "plugins": { "proxy-cache": { @@ -130,7 +130,7 @@ Remove the corresponding JSON in the plugin configuration to disable the plugin ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uri": "/hello", "plugins": {}, diff --git a/doc/plugins/proxy-mirror.md b/doc/plugins/proxy-mirror.md index 3b6ee542a3449..c209d73d65ab1 100644 --- a/doc/plugins/proxy-mirror.md +++ b/doc/plugins/proxy-mirror.md @@ -17,7 +17,7 @@ # --> -[Chinese](proxy-mirror-cn.md) +[Chinese](../zh-cn/plugins/proxy-mirror.md) # proxy-mirror @@ -39,7 +39,7 @@ The proxy-mirror plugin, which provides the ability to mirror client requests. 1: enable the proxy-mirror plugin for a specific route : ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "plugins": { "proxy-mirror": { @@ -81,7 +81,7 @@ Remove the corresponding JSON in the plugin configuration to disable the plugin ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uri": "/hello", "plugins": {}, diff --git a/doc/plugins/proxy-rewrite.md b/doc/plugins/proxy-rewrite.md index fa73438671f1c..6221c5a9761e3 100644 --- a/doc/plugins/proxy-rewrite.md +++ b/doc/plugins/proxy-rewrite.md @@ -17,7 +17,7 @@ # --> -[Chinese](proxy-rewrite-cn.md) +[Chinese](../zh-cn/plugins/proxy-rewrite.md) # Summary - [**Name**](#name) diff --git a/doc/plugins/redirect.md b/doc/plugins/redirect.md index 187cdc90f0af7..b288c37935d7d 100644 --- a/doc/plugins/redirect.md +++ b/doc/plugins/redirect.md @@ -17,7 +17,7 @@ # --> -[Chinese](redirect-cn.md) +[Chinese](../zh-cn/plugins/redirect.md) # Summary - [**Name**](#name) @@ -34,8 +34,9 @@ URI redirect. |Name |Requirement|Description| |------- |-----|------| -|uri |required| New uri which can contain Nginx variable, eg: `/test/index.html`, `$uri/index.html`. You can refer to variables in a way similar to `${xxx}` to avoid ambiguity, eg: `${uri}foo/index.html`. If you just need the original `$` character, add `\` in front of it, like this one: `/\$foo/index.html`. If you refer to a variable name that does not exist, this will not produce an error, and it will be used as an empty string.| -|ret_code|optional|Response code, the default value is `302`.| +|uri |required, need pick one from `uri` and `http_to_https`| New uri which can contain Nginx variable, eg: `/test/index.html`, `$uri/index.html`. You can refer to variables in a way similar to `${xxx}` to avoid ambiguity, eg: `${uri}foo/index.html`. If you just need the original `$` character, add `\` in front of it, like this one: `/\$foo/index.html`. If you refer to a variable name that does not exist, this will not produce an error, and it will be used as an empty string.| +|ret_code|optional, only works with `uri`|Response code, the default value is `302`.| +|http_to_https|required, need pick one from `uri` and `http_to_https`|Boolean value. The default value is `false`. When it is set to `ture` and the request is HTTP, will be automatically redirected to HTTPS with 301 response code, and the URI will keep the same as client request.| ## How To Enable @@ -101,6 +102,19 @@ We can check the response code and the response header `Location`. It shows that the `redirect` plugin is in effect. + Here is an example of redirect HTTP to HTTPS: +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "plugins": { + "redirect": { + "http_to_https": true + } + } +}' +``` + ## Disable Plugin When you want to disable the `redirect` plugin, it is very simple, diff --git a/doc/plugins/response-rewrite.md b/doc/plugins/response-rewrite.md index b2c26c5bd9619..f1c8576ce3643 100644 --- a/doc/plugins/response-rewrite.md +++ b/doc/plugins/response-rewrite.md @@ -17,9 +17,10 @@ # --> -[Chinese](response-rewrite-cn.md) +[Chinese](../zh-cn/plugins/response-rewrite.md) # Summary + - [**Name**](#name) - [**Attributes**](#attributes) - [**How To Enable**](#how-to-enable) @@ -27,21 +28,25 @@ - [**Disable Plugin**](#disable-plugin) ## Name + response rewrite plugin, rewrite the content from upstream. **senario**: + 1. can set `Access-Control-Allow-*` series field to support CORS(Cross-origin Resource Sharing). 2. we can set customized `status_code` and `Location` field in header to achieve redirect, you can alse use [redirect](redirect.md) plugin if you just want a redirection. ## Attributes + |Name |Requirement|Description| |------- |-----|------| -|status_code |optional| New `status code` to client| +|status_code |optional| New `status code` to client, keep the original response code by default.| |body |optional| New `body` to client, and the content-length will be reset too.| |body_base64 |optional| This is a boolean value,identify if `body` in configuration need base64 decoded before rewrite to client.| |headers |optional| Set the new `headers` for client, can set up multiple. If it exists already from upstream, will rewrite the header, otherwise will add the header. You can set the corresponding value to an empty string to remove a header. | ## How To Enable + Here's an example, enable the `response rewrite` plugin on the specified route: ```shell @@ -68,6 +73,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1 ``` ## Test Plugin + Testing based on the above examples : ```shell @@ -76,6 +82,7 @@ curl -X GET -i http://127.0.0.1:9080/test/index.html It will output like below,no matter what kind of content from upstream. ``` + HTTP/1.1 200 OK Date: Sat, 16 Nov 2019 09:15:12 GMT Transfer-Encoding: chunked @@ -89,9 +96,11 @@ X-Server-status: on This means that the `response rewrite` plugin is in effect. ## Disable Plugin + When you want to disable the `response rewrite` plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately: + ```shell curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { @@ -107,4 +116,3 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1 ``` The `response rewrite` plugin has been disabled now. It works for other plugins. - diff --git a/doc/plugins/serverless.md b/doc/plugins/serverless.md index bb6a30fb35f08..d2e370e399c54 100644 --- a/doc/plugins/serverless.md +++ b/doc/plugins/serverless.md @@ -17,7 +17,7 @@ # --> -[Chinese](serverless-cn.md) +[Chinese](../zh-cn/plugins/serverless.md) # Summary diff --git a/doc/plugins/skywalking.md b/doc/plugins/skywalking.md new file mode 100644 index 0000000000000..1eefe7c86707e --- /dev/null +++ b/doc/plugins/skywalking.md @@ -0,0 +1,187 @@ + + +[Chinese](../zh-cn/plugins/skywalking.md) + +# Summary +- [**Summary**](#Summary) + - [**Name**](#Name) + - [**Attributes**](#Attributes) + - [**How To Enable**](#How-To-Enable) + - [**Test Plugin**](#Test-Plugin) + - [**Run Skywalking Example**](#Run-Skywalking-Example) + - [**Disable Plugin**](#Disable-Plugin) + - [**Upstream services(Code With SpringBoot)**](#Upstream-services(Code-With-SpringBoot)) + +## Name + +**Skywalking**(https://github.com/apache/skywalking) is an OpenTracing plugin.\ +The skywalking server can supports both http and grpc protocols . The APISIX client only support http protocols. +## Attributes +|Name |Requirement |Description| +|-------|-------|-------| +|endpoint|required| the http endpoint of Skywalking ,for example: http://127.0.0.1:12800| +|sample_ratio|required| the ratio of sample, the minimum is 0.00001, the maximum is 1| +|service_name|optional| service name for skywalking reporter, the default values is **APISIX**| + +## How To Enable + +Here's an example, enable the skywalking plugin on the specified route: + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "methods": ["GET"], + "uris": [ + "/uid/*" + ], + "plugins": { + "skywalking": { + "endpoint": "http://10.110.149.175:12800", + "sample_ratio": 1, + "service_name": "APISIX_SERVER" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "10.110.149.175:8089": 1 + } + } +}' +``` +You can open dashboard with a browser:`http://127.0.0.1:9080/apisix/dashboard/`,to complete the above operation through the web interface, first add a route:\ +![](../images/plugin/skywalking-1.png)\ +Then add skywalking plugin:\ +![](../images/plugin/skywalking-2.png) +## Test Plugin + +### Run-Skywalking-Example + +#### e.g. +1. Run Skywalking Server: + - By default,use H2 storage , start skywalking directly + ``` + sudo docker run --name skywalking -d -p 1234:1234 -p 11800:11800 -p 12800:12800 --restart always apache/skywalking-oap-server + ``` + + - Of Course,you can use elasticsearch storage + 1. Firstly, you should install elasticsearch: + ``` + sudo docker run -d --name elasticsearch -p 9200:9200 -p 9300:9300 --restart always -e "discovery.type=single-node" elasticsearch:6.7.2 + ``` + 2. You can install ElasticSearch management page: elasticsearch-hq(Optional) + ``` + sudo docker run -d --name elastic-hq -p 5000:5000 --restart always elastichq/elasticsearch-hq + ``` + 3. Run skywalking server: + ``` + sudo docker run --name skywalking -d -p 1234:1234 -p 11800:11800 -p 12800:12800 --restart always --link elasticsearch:elasticsearch -e SW_STORAGE=elasticsearch -e SW_STORAGE_ES_CLUSTER_NODES=elasticsearch:9200 apache/skywalking-oap-server + ``` +2. Skywalking WebUI: + 1. Run SkyWalking webUI Server: + ``` + sudo docker run --name skywalking-ui -d -p 8080:8080 --link skywalking:skywalking -e SW_OAP_ADDRESS=skywalking:12800 --restart always apache/skywalking-ui + ``` + 2. Open the webUI of skywalking: + You can open dashboard with a browser: http://10.110.149.175:8080 .it will be a successful install as follow: + ![](../images/plugin/skywalking-3.png) + +3. Test: + - Access to upstream services through access apisix: + ```bash + $ curl -v http://10.110.149.192:9080/uid/12 + HTTP/1.1 200 OK + OK + ... + ``` + - Open the webUI of skyWalking: + ``` + http://10.110.149.175:8080/ + ``` + You can see the topology of all service\ + ![](../../doc/images/plugin/skywalking-4.png)\ + You can also see the tracer of all service\ + ![](../../doc/images/plugin/skywalking-5.png) + +## Disable Plugin + +When you want to disable the skyWalking plugin, it is very simple, + you can delete the corresponding json configuration in the plugin configuration, + no need to restart the service, it will take effect immediately: + +```shell +$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uris": [ + "/uid/*" + ], + "plugins": { + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "10.110.149.175:8089": 1 + } + } +}' +``` + +The skywalking plugin has been disabled now. It works for other plugins. + + +## Upstream services(Code With SpringBoot) + +```java +package com.lenovo.ai.controller; + +import org.springframework.web.bind.annotation.PathVariable; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; +import javax.servlet.http.HttpServletRequest; + +/** + * @author cyxinda + * @create 2020-05-29 14:02 + * @desc skywalking test controller + **/ +@RestController +public class TestController { + @RequestMapping("/uid/{count}") + public String getUidList(@PathVariable("count") String countStr, HttpServletRequest request) { + System.out.println("counter:::::-----"+countStr); + return "OK"; + } +} +``` +Configuring the skywalking agent, when starting the service. +update the file of agent/config/agent.config +``` +agent.service_name=yourservername +collector.backend_service=10.110.149.175:11800 +``` +Run the script: +``` +nohup java -javaagent:/root/skywalking/app/agent/skywalking-agent.jar \ +-jar /root/skywalking/app/app.jar \ +--server.port=8089 \ +2>&1 > /root/skywalking/app/logs/nohup.log & +``` + diff --git a/doc/plugins/syslog.md b/doc/plugins/syslog.md new file mode 100644 index 0000000000000..41a9713798001 --- /dev/null +++ b/doc/plugins/syslog.md @@ -0,0 +1,105 @@ + + +# Summary +- [**Name**](#name) +- [**Attributes**](#attributes) +- [**How To Enable**](#how-to-enable) +- [**Test Plugin**](#test-plugin) +- [**Disable Plugin**](#disable-plugin) + + +## Name + +`sys` is a plugin which push Log data requests to Syslog. + +This will provide the ability to send Log data requests as JSON objects. + +## Attributes + +|Name |Requirement |Description| +|--------- |-------- |-----------| +|host |required | IP address or the Hostname.| +|port |required | Target upstream port.| +|timeout |optional |Timeout for the upstream to send data.| +|tls |optional |Boolean value to control whether to perform SSL verification| +|flush_limit |optional |If the buffered messages' size plus the current message size reaches (>=) this limit (in bytes), the buffered log messages will be written to log server. Default to 4096 (4KB).| +|drop_limit |optional |If the buffered messages' size plus the current message size is larger than this limit (in bytes), the current log message will be dropped because of limited buffer size. Default drop_limit is 1048576 (1MB).| +|sock_type|optional |IP protocol type to use for transport layer. Can be either "tcp" or "udp". Default is "tcp".| +|max_retry_times|optional |Max number of retry times after a connect to a log server failed or send log messages to a log server failed.| +|retry_interval|optional |The time delay (in ms) before retry to connect to a log server or retry to send log messages to a log server, default to 100 (0.1s).| +|pool_size |optional |Keepalive pool size used by sock:keepalive. Default to 10.| + +## How To Enable + +The following is an example on how to enable the sys-logger for a specific route. + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "username": "foo", + "plugins": { + "plugins": { + "syslog": { + "host" : "127.0.0.1", + "port" : 5044, + "flush_limit" : 1 + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "uri": "/hello" + } +}' +``` + +## Test Plugin + +* success: + +```shell +$ curl -i http://127.0.0.1:9080/hello +HTTP/1.1 200 OK +... +hello, world +``` + +## Disable Plugin + +Remove the corresponding json configuration in the plugin configuration to disable the `sys-logger`. +APISIX plugins are hot-reloaded, therefore no need to restart APISIX. + +```shell +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uri": "/hello", + "plugins": {}, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` diff --git a/doc/plugins/tcp-logger.md b/doc/plugins/tcp-logger.md index 7949444feeee3..1a6d4433bc4ca 100644 --- a/doc/plugins/tcp-logger.md +++ b/doc/plugins/tcp-logger.md @@ -18,19 +18,24 @@ --> # Summary + - [**Name**](#name) - [**Attributes**](#attributes) - [**How To Enable**](#how-to-enable) - [**Test Plugin**](#test-plugin) - [**Disable Plugin**](#disable-plugin) - ## Name `tcp-logger` is a plugin which push Log data requests to TCP servers. This will provide the ability to send Log data requests as JSON objects to Monitoring tools and other TCP servers. +This plugin provides the ability to push Log data as a batch to you're external TCP servers. In case if you did not recieve the log data don't worry give it some time it will automatically send the logs after the timer function expires in our Batch Processor. + +For more info on Batch-Processor in Apache APISIX please refer. +[Batch-Processor](../batch-processor.md) + ## Attributes |Name |Requirement |Description| @@ -47,7 +52,6 @@ This will provide the ability to send Log data requests as JSON objects to Monit |max_retry_count|optional |Maximum number of retries before removing from the processing pipe line; default is zero| |retry_delay |optional |Number of seconds the process execution should be delayed if the execution fails; default is 1| - ## How To Enable The following is an example on how to enable the tcp-logger for a specific route. @@ -91,7 +95,7 @@ Remove the corresponding json configuration in the plugin configuration to disab APISIX plugins are hot-reloaded, therefore no need to restart APISIX. ```shell -$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "methods": ["GET"], "uri": "/hello", diff --git a/doc/plugins/udp-logger.md b/doc/plugins/udp-logger.md index b7a36d2e2e0e8..2d6d0f0986986 100644 --- a/doc/plugins/udp-logger.md +++ b/doc/plugins/udp-logger.md @@ -18,19 +18,24 @@ --> # Summary + - [**Name**](#name) - [**Attributes**](#attributes) - [**How To Enable**](#how-to-enable) - [**Test Plugin**](#test-plugin) - [**Disable Plugin**](#disable-plugin) - ## Name `udp-logger` is a plugin which push Log data requests to UDP servers. This will provide the ability to send Log data requests as JSON objects to Monitoring tools and other UDP servers. +This plugin provides the ability to push Log data as a batch to you're external UDP servers. In case if you did not recieve the log data don't worry give it some time it will automatically send the logs after the timer function expires in our Batch Processor. + +For more info on Batch-Processor in Apache APISIX please refer. +[Batch-Processor](../batch-processor.md) + ## Attributes |Name |Requirement |Description| @@ -85,7 +90,7 @@ Remove the corresponding json configuration in the plugin configuration to disab APISIX plugins are hot-reloaded, therefore no need to restart APISIX. ```shell -$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "methods": ["GET"], "uri": "/hello", diff --git a/doc/plugins/uri-blocker.md b/doc/plugins/uri-blocker.md new file mode 100644 index 0000000000000..270f3039c2d0d --- /dev/null +++ b/doc/plugins/uri-blocker.md @@ -0,0 +1,96 @@ + + +[Chinese](uri-blocker.md) + +# Summary + +- [**Name**](#name) +- [**Attributes**](#attributes) +- [**How To Enable**](#how-to-enable) +- [**Test Plugin**](#test-plugin) +- [**Disable Plugin**](#disable-plugin) + +## Name + +The plugin helps we intercept user requests, we only need to indicate the `block_rules`. + +## Attributes + +|Name |Requirement |Description| +|--------- |--------|-----------| +|block_rules |required|Regular filter rule array. Each of these items is a regular rule. If the current request URI hits any one of them, set the response code to rejected_code to exit the current user request. Example: `["root.exe", "root.m+"]`.| +|rejected_code |optional|The HTTP status code returned when the request URI hit any of `filter_rule`, default `403`.| + +## How To Enable + +Here's an example, enable the `uri blocker` plugin on the specified route: + +```shell +curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/*", + "plugins": { + "uri-blocker": { + "block_rules": ["root.exe", "root.m+"] + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` + +## Test Plugin + +```shell +$ curl -i http://127.0.0.1:9080/root.exe?a=a +HTTP/1.1 403 Forbidden +Date: Wed, 17 Jun 2020 13:55:41 GMT +Content-Type: text/html; charset=utf-8 +Content-Length: 150 +Connection: keep-alive +Server: APISIX web server + +... ... +``` + +## Disable Plugin + +When you want to disable the `uri blocker` plugin, it is very simple, + you can delete the corresponding json configuration in the plugin configuration, + no need to restart the service, it will take effect immediately: + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/*", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` + +The `uri blocker` plugin has been disabled now. It works for other plugins. diff --git a/doc/plugins/wolf-rbac.md b/doc/plugins/wolf-rbac.md index 6e94ee68486fa..c8a5de3a605b2 100644 --- a/doc/plugins/wolf-rbac.md +++ b/doc/plugins/wolf-rbac.md @@ -17,7 +17,7 @@ # --> -[中文](wolf-rbac-cn.md) +[中文](../zh-cn/plugins/wolf-rbac.md) # Summary diff --git a/doc/plugins/zipkin.md b/doc/plugins/zipkin.md index b4bf4c0380b65..ec8008707fe20 100644 --- a/doc/plugins/zipkin.md +++ b/doc/plugins/zipkin.md @@ -17,7 +17,7 @@ # --> -[Chinese](zipkin-cn.md) +[Chinese](../zh-cn/plugins/zipkin.md) # Summary - [**Name**](#name) @@ -111,7 +111,7 @@ When you want to disable the zipkin plugin, it is very simple, no need to restart the service, it will take effect immediately: ```shell -$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "methods": ["GET"], "uri": "/index.html", diff --git a/doc/stand-alone.md b/doc/stand-alone.md index 2093ae4744e70..b88d81aa3ee50 100644 --- a/doc/stand-alone.md +++ b/doc/stand-alone.md @@ -17,7 +17,7 @@ # --> -[Chinese](stand-alone-cn.md) +[Chinese](zh-cn/stand-alone.md) ## Stand-alone mode diff --git a/doc/stream-proxy.md b/doc/stream-proxy.md index 7956be7496c24..606b92786b963 100644 --- a/doc/stream-proxy.md +++ b/doc/stream-proxy.md @@ -17,7 +17,7 @@ # --> -[Chinese](stream-proxy-cn.md) +[Chinese](zh-cn/stream-proxy.md) # Stream Proxy diff --git a/doc/zh-cn/README.md b/doc/zh-cn/README.md new file mode 100644 index 0000000000000..88966ee4f177d --- /dev/null +++ b/doc/zh-cn/README.md @@ -0,0 +1,83 @@ + +[English](../README.md) + +参考文档 +================== + +* [APISIX 说明](../../README_CN.md) +* [架构设计](architecture-design.md) +* [压力测试](benchmark.md) +* [如何构建 Apache APISIX](how-to-build.md) +* [健康检查](health-check.md): 支持对上游节点的主动和被动健康检查,在负载均衡时自动过滤掉不健康的节点。 +* [路由 radixtree](../router-radixtree.md) +* [独立运行模型](stand-alone.md): 支持从本地 yaml 格式的配置文件启动,更适合 Kubernetes(k8s) 体系。 +* [TCP/UDP 动态代理](stream-proxy.md) +* [管理 API](admin-api.md) +* [变更日志](../../CHANGELOG_CN.md) +* [代码风格](../CODE_STYLE.md) +* [常见问答](../../FAQ_CN.md) + +插件 +=== + +* [插件热加载](plugins.md):无需重启服务,完成插件热加载或卸载。 +* [HTTPS](https.md):根据 TLS 扩展字段 SNI(Server Name Indication) 动态加载证书。 +* [动态负载均衡](architecture-design.md#upstream):跨多个上游服务的动态负载均衡,目前已支持 round-robin 和一致性哈希算法。 +* [key-auth](plugins/key-auth.md):基于 Key Authentication 的用户认证。 +* [JWT-auth](plugins/jwt-auth.md):基于 [JWT](https://jwt.io/) (JSON Web Tokens) Authentication 的用户认证。 +* [basic-auth](plugins/basic-auth.md):基于 basic auth 的用户认证。 +* [wolf-rbac](plugins/wolf-rbac.md) 基于 *RBAC* 的用户认证及授权。 +* [limit-count](plugins/limit-count.md):基于“固定窗口”的限速实现。 +* [limit-req](plugins/limit-req.md):基于漏桶原理的请求限速实现。 +* [limit-conn](plugins/limit-conn.md):限制并发请求(或并发连接)。 +* [proxy-rewrite](plugins/proxy-rewrite.md): 支持自定义修改 proxy 到上游的信息。 +* [prometheus](plugins/prometheus.md):以 Prometheus 格式导出 APISIX 自身的状态信息,方便被外部 Prometheus 服务抓取。 +* [OpenTracing](plugins/zipkin.md):支持 Zikpin 和 Apache SkyWalking。 +* [grpc-transcode](plugins/grpc-transcode.md):REST <--> gRPC 转码。 +* [serverless](plugins/serverless.md):允许在 APISIX 中的不同阶段动态运行 Lua 代码。 +* [ip-restriction](plugins/ip-restriction.md): IP 黑白名单。 +* [openid-connect](plugins/oauth.md) +* [redirect](plugins/redirect.md): URI 重定向。 +* [response-rewrite](plugins/response-rewrite.md): 支持自定义修改返回内容的 `status code`、`body`、`headers`。 +* [fault-injection](plugins/fault-injection.md):故障注入,可以返回指定的响应体、响应码和响应时间,从而提供了不同的失败场景下处理的能力,例如服务失败、服务过载、服务高延时等。 +* [proxy-cache](plugins/proxy-cache.md):代理缓存插件提供缓存后端响应数据的能力。 +* [proxy-mirror](plugins/proxy-mirror.md):代理镜像插件提供镜像客户端请求的能力。 +* [udp-logger](plugins/udp-logger.md): 将请求记录到 UDP 服务器 +* [tcp-logger](plugins/tcp-logger.md): 将请求记录到 TCP 服务器 +* [kafka-logger](plugins/kafka-logger.md): 将请求记录到外部 Kafka 服务器。 +* [cors](plugins/cors.md): 为你的API启用 CORS +* [batch-requests](plugins/batch-requests.md): 以 **http pipeline** 的方式在网关一次性发起多个 `http` 请求。 +* [authz-keycloak](plugins/authz-keycloak-cn.md): 支持 Keycloak 身份认证服务器 +* [uri-blocker](plugins/uri-blocker.md): 根据 URI 拦截用户请求。 +* [oauth](plugins/oauth.md): 提供 OAuth 2 身份验证和自省。 + +部署 +======= + +### AWS + +推荐的方法是在 [AWS Fargate](https://aws.amazon.com/fargate/) 上使用 [AWS CDK](https://aws.amazon.com/cdk/) 部署 APISIX,这有助于将 APISIX 层和上游层分离到具有自动缩放功能的完全托管和安全的无服务器容器计算环境之上。 + +请参阅 [Pahud Hsieh](https://github.com/pahud) 撰写的[指南](https://github.com/pahud/cdk-samples/blob/master/typescript/apisix/README.md),了解如何在 AWS CDK 中 100% 配置推荐的架构。 + +### Kubernetes + +请参阅[指南](../../kubernetes/README.md)并了解如何在 Kubernetes 中部署 APISIX。 + diff --git a/doc/zh-cn/_sidebar.md b/doc/zh-cn/_sidebar.md new file mode 100644 index 0000000000000..95504b63e965f --- /dev/null +++ b/doc/zh-cn/_sidebar.md @@ -0,0 +1,103 @@ + + +- Getting started + + - [Introduction](./zh-cn/README.md) + - [Quick start](./zh-cn/getting-started.md) + +- General + + - [Architecture](./zh-cn/architecture-design.md) + + - [Benchmark](./zh-cn/benchmark.md) + + - Installation + + - [How to build](./zh-cn/how-to-build.md) + - [Install Dependencies](./zh-cn/install-dependencies.md) + + - [HTTPS](./zh-cn/https.md) + + - [Router](./zh-cn/router-radixtree.md) + + - Plugins + + - [Develop Plugins](./zh-cn/plugin-develop.md) + - [Hot Reload](./zh-cn/plugins.md) + + - Proxy Modes + + - [GRPC Proxy](./zh-cn/grpc-proxy.md) + - [Stream Proxy](./zh-cn/stream-proxy.md) + +- Plugins + + - Authentication + + - [Key Auth](./zh-cn/plugins/key-auth.md) + - [Basic Auth](./zh-cn/plugins/basic-auth.md) + - [JWT Auth](./zh-cn/plugins/jwt-auth.md) + - [Opend ID Connect](./zh-cn/plugins/oauth.md) + + - General + + - [Redirect](./zh-cn/plugins/redirect.md) + - [Serverless](./zh-cn/plugins/serverless.md) + - [Batch Request](./zh-cn/plugins/batch-requests.md) + - [Fault Injection](./zh-cn/plugins/fault-injection.md) + - [MQTT Proxy](./zh-cn/plugins/mqtt-proxy.md) + - [Proxy Cache](./zh-cn/plugins/proxy-cache.md) + - [Proxy Mirror](./zh-cn/plugins/proxy-mirror.md) + - [Echo](./zh-cn/plugins/echo.md) + + - Transformations + + - [Response Rewrite](./zh-cn/plugins/response-rewrite.md) + - [Proxy Rewrite](./zh-cn/plugins/proxy-rewrite.md) + - [GRPC Transcoding](./zh-cn/plugins/grpc-transcode.md) + + - Security + + - [Consumer Restriction](./zh-cn/plugins/consumer-restriction.md) + - [Limit Connection](./zh-cn/plugins/limit-conn.md) + - [Limit Count](./zh-cn/plugins/limit-count.md) + - [Limit Request](./zh-cn/plugins/limit-req.md) + - [CORS](./zh-cn/plugins/cors.md) + - [IP Restriction](./zh-cn/plugins/ip-restriction.md) + - [Keycloak Authorization](./zh-cn/plugins/authz-keycloak.md) + - [RBAC Wolf](./zh-cn/plugins/wolf-rbac.md) + + - Monitoring + + - [Prometheus](./zh-cn/plugins/prometheus.md) + - [SKywalking](./zh-cn/plugins/skywalking.md) + - [Zipkin](./zh-cn/plugins/zipkin.md) + + - Loggers + + - [HTTP Logger](./zh-cn/plugins/http-logger.md) + - [Kafka Logger](./zh-cn/plugins/kafka-logger.md) + - [Syslog](./zh-cn/plugins/syslog.md) + - [TCP Logger](./zh-cn/plugins/tcp-logger.md) + - [UDP Logger](./zh-cn/plugins/udp-logger.md) + +- Admin API + + - [Admin API](./zh-cn/admin-api.md) diff --git a/doc/admin-api-cn.md b/doc/zh-cn/admin-api.md similarity index 86% rename from doc/admin-api-cn.md rename to doc/zh-cn/admin-api.md index 7a7d3555b27cc..16256611d791e 100644 --- a/doc/admin-api-cn.md +++ b/doc/zh-cn/admin-api.md @@ -40,7 +40,7 @@ |PUT |/apisix/admin/routes/{id}|{...}|根据 id 创建资源| |POST |/apisix/admin/routes |{...}|创建资源,id 由后台服务自动生成| |DELETE |/apisix/admin/routes/{id}|无|删除资源| -|PATCH |/apisix/admin/routes/{id}/{path}|{...}|修改已有 Route 的部分内容,其他不涉及部分会原样保留。| +|PATCH |/apisix/admin/routes/{id}|{...}|修改已有 Route 的部分内容,其他不涉及部分会原样保留;如果你要删除某个属性,将该属性的值设置为null 即可删除| > uri 请求参数: @@ -52,21 +52,22 @@ |名字 |可选项 |类型 |说明 |示例| |---------|---------|----|-----------|----| -|uri |与 `uris` 二选一 |匹配规则|除了如 `/foo/bar`、`/foo/gloo` 这种全量匹配外,使用不同 [Router](architecture-design-cn.md#router) 还允许更高级匹配,更多见 [Router](architecture-design-cn.md#router)。|"/hello"| +|uri |与 `uris` 二选一 |匹配规则|除了如 `/foo/bar`、`/foo/gloo` 这种全量匹配外,使用不同 [Router](architecture-design.md#router) 还允许更高级匹配,更多见 [Router](architecture-design.md#router)。|"/hello"| |uris |与 `uri` 二选一 |匹配规则|数组形式,可以匹配多个 `uri`|["/hello", "/world"]| -|plugins |`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Plugin|详见 [Plugin](architecture-design-cn.md#plugin) || -|upstream |`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Upstream|启用的 Upstream 配置,详见 [Upstream](architecture-design-cn.md#upstream)|| -|upstream_id|`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Upstream|启用的 upstream id,详见 [Upstream](architecture-design-cn.md#upstream)|| -|service_id|`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Service|绑定的 Service 配置,详见 [Service](architecture-design-cn.md#service)|| +|plugins |`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Plugin|详见 [Plugin](architecture-design.md#plugin) || +|upstream |`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Upstream|启用的 Upstream 配置,详见 [Upstream](architecture-design.md#upstream)|| +|upstream_id|`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Upstream|启用的 upstream id,详见 [Upstream](architecture-design.md#upstream)|| +|service_id|`plugins`、`upstream`/`upstream_id`、`service_id`至少选择一个 |Service|绑定的 Service 配置,详见 [Service](architecture-design.md#service)|| |service_protocol|可选|上游协议类型|只可以是 "grpc", "http" 二选一。|默认 "http",使用gRPC proxy 或gRPC transcode 时,必须用"grpc"| -|desc |可选 |辅助 |标识路由名称、使用场景等。|客户 xxxx| +|name |可选 |辅助 |标识路由名称|route-xxxx| +|desc |可选 |辅助 |标识描述、使用场景等。|客户 xxxx| |host |可选 |匹配规则|当前请求域名,比如 `foo.com`;也支持泛域名,比如 `*.foo.com`。|"foo.com"| |hosts |可选 |匹配规则|列表形态的 `host`,表示允许有多个不同 `host`,匹配其中任意一个即可。|{"foo.com", "*.bar.com"}| |remote_addr|可选 |匹配规则|客户端请求 IP 地址: `192.168.1.101`、`192.168.1.102` 以及 CIDR 格式的支持 `192.168.1.0/24`。特别的,APISIX 也完整支持 IPv6 地址匹配:`::1`,`fe80::1`, `fe80::1/64` 等。|"192.168.1.0/24"| |remote_addrs|可选 |匹配规则|列表形态的 `remote_addr`,表示允许有多个不同 IP 地址,符合其中任意一个即可。|{"127.0.0.1", "192.0.0.0/8", "::1"}| |methods |可选 |匹配规则|如果为空或没有该选项,代表没有任何 `method` 限制,也可以是一个或多个的组合:`GET`, `POST`, `PUT`, `DELETE`, `PATCH`, `HEAD`, `OPTIONS`,`CONNECT`,`TRACE`。|{"GET", "POST"}| |priority |可选 |匹配规则|如果不同路由包含相同 `uri`,根据属性 `priority` 确定哪个 `route` 被优先匹配,值越大优先级越高,默认值为 0。|priority = 10| -|vars |可选 |匹配规则|由一个或多个`{var, operator, val}`元素组成的列表,类似这样:`{{var, operator, val}, {var, operator, val}, ...}`。例如:`{"arg_name", "==", "json"}`,表示当前请求参数 `name` 是 `json`。这里的 `var` 与 Nginx 内部自身变量命名是保持一致,所以也可以使用 `request_uri`、`host` 等;对于 `operator` 部分,目前已支持的运算符有 `==`、`~=`、`>`、`<` 和 `~~`。对于`>`和`<`两个运算符,会把结果先转换成 number 然后再做比较。查看支持的[运算符列表](#运算符列表)|{{"arg_name", "==", "json"}, {"arg_age", ">", 18}}| +|vars |可选 |匹配规则|由一个或多个`{var, operator, val}`元素组成的列表,类似这样:`{{var, operator, val}, {var, operator, val}, ...}}`。例如:`{"arg_name", "==", "json"}`,表示当前请求参数 `name` 是 `json`。这里的 `var` 与 Nginx 内部自身变量命名是保持一致,所以也可以使用 `request_uri`、`host` 等;对于 `operator` 部分,目前已支持的运算符有 `==`、`~=`、`>`、`<` 和 `~~`。对于`>`和`<`两个运算符,会把结果先转换成 number 然后再做比较。查看支持的[运算符列表](#运算符列表)|{{"arg_name", "==", "json"}, {"arg_age", ">", 18}}| |filter_func|可选|匹配规则|用户自定义的过滤函数。可以使用它来实现特殊场景的匹配要求实现。该函数默认接受一个名为 vars 的输入参数,可以用它来获取 Nginx 变量。|function(vars) return vars["arg_name"] == "json" end| 有两点需要特别注意: @@ -86,6 +87,7 @@ route 对象 json 配置内容: "hosts": ["a.com","b.com"], # 一组 host 域名, host 与 hosts 只需要有一个非空即可 "plugins": {}, # 指定 route 绑定的插件 "priority": 0, # apisix 支持多种匹配方式,可能会在一次匹配中同时匹配到多条路由,此时优先级高的优先匹配中 + "name": "路由xxx", "desc": "hello world", "remote_addr": "127.0.0.1", # 客户端请求 IP 地址 "remote_addrs": ["127.0.0.1"], # 一组客户端请求 IP 地址, remote_addr 与 remote_addrs 只需要有一个非空即可 @@ -187,16 +189,17 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 |PUT |/apisix/admin/services/{id}|{...}|根据 id 创建资源| |POST |/apisix/admin/services |{...}|创建资源,id 由后台服务自动生成| |DELETE |/apisix/admin/services/{id}|无|删除资源| -|PATCH |/apisix/admin/services/{id}/{path}|{...}|修改已有 Service 的部分内容,其他不涉及部分会原样保留。| +|PATCH |/apisix/admin/services/{id}|{...}|修改已有 Service 的部分内容,其他不涉及部分会原样保留;如果你要删除某个属性,将该属性的值设置为null 即可删除| > body 请求参数: |名字 |可选项 |类型 |说明 |示例| |---------|---------|----|-----------|----| -|plugins |可选 |Plugin|详见 [Plugin](architecture-design-cn.md#plugin) || -|upstream | upstream 或 upstream_id 两个选一个 |Upstream|启用的 Upstream 配置,详见 [Upstream](architecture-design-cn.md#upstream)|| -|upstream_id| upstream 或 upstream_id 两个选一个 |Upstream|启用的 upstream id,详见 [Upstream](architecture-design-cn.md#upstream)|| -|desc |可选 |辅助 |标识服务名称、使用场景等。|| +|plugins |可选 |Plugin|详见 [Plugin](architecture-design.md#plugin) || +|upstream | upstream 或 upstream_id 两个选一个 |Upstream|启用的 Upstream 配置,详见 [Upstream](architecture-design.md#upstream)|| +|upstream_id| upstream 或 upstream_id 两个选一个 |Upstream|启用的 upstream id,详见 [Upstream](architecture-design.md#upstream)|| +|name |可选 |辅助 |标识服务名称。|| +|desc |可选 |辅助 |服务描述、使用场景等。|| serivce 对象 json 配置内容: @@ -206,6 +209,7 @@ serivce 对象 json 配置内容: "plugins": {}, # 指定 service 绑定的插件 "upstream_id": "1", # upstream 对象在 etcd 中的 id ,建议使用此值 "upstream": {}, # upstream 信息对象,不建议使用 + "name": "测试svc", # service 名称 "desc": "hello world", # service 描述 } ``` @@ -214,7 +218,7 @@ serivce 对象 json 配置内容: ```shell # 创建一个Service -$ curl http://127.0.0.1:9080/apisix/admin/services/201 -X PUT -i -d ' +$ curl http://127.0.0.1:9080/apisix/admin/services/201 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' { "plugins": { "limit-count": { @@ -294,7 +298,7 @@ consumer 对象 json 配置内容: ```shell # 创建 Consumer ,指定认证插件 key-auth ,并开启特定插件 limit-count -$ curl http://127.0.0.1:9080/apisix/admin/consumers/2 -X PUT -i -d ' +$ curl http://127.0.0.1:9080/apisix/admin/consumers/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' { "username": "jack", "plugins": { @@ -336,7 +340,7 @@ Date: Thu, 26 Dec 2019 08:17:49 GMT |PUT |/apisix/admin/upstreams/{id}|{...}|根据 id 创建资源| |POST |/apisix/admin/upstreams |{...}|创建资源,id 由后台服务自动生成| |DELETE |/apisix/admin/upstreams/{id}|无|删除资源| -|PATCH |/apisix/admin/upstreams/{id}/{path}|{...}|修改已有 Route 的部分内容,其他不涉及部分会原样保留。| +|PATCH |/apisix/admin/upstreams/{id}|{...}|修改已有 Route 的部分内容,其他不涉及部分会原样保留;如果你要删除某个属性,将该属性的值设置为null 即可删除| > body 请求参数: @@ -348,12 +352,13 @@ APISIX 的 Upstream 除了基本的复杂均衡算法选择外,还支持对上 |k8s_deployment_info|与 `nodes` 二选一|哈希表|字段包括 `namespace`、`deploy_name`、`service_name`、`port`、`backend_type`,其中 `port` 字段为数值,`backend_type` 为 `pod` 或 `service`,其他为字符串 | `{"namespace": "test-namespace", "deploy_name": "test-deploy-name", "service_name": "test-service-name", "backend_type": "pod", "port": 8080}` | |type |必需|枚举|`roundrobin` 支持权重的负载,`chash` 一致性哈希,两者是二选一的|`roundrobin`|| |key |条件必需|匹配类型|该选项只有类型是 `chash` 才有效。根据 `key` 来查找对应的 node `id`,相同的 `key` 在同一个对象中,永远返回相同 id,目前支持的 Nginx 内置变量有 `uri, server_name, server_addr, request_uri, remote_port, remote_addr, query_string, host, hostname, arg_***`,其中 `arg_***` 是来自URL的请求参数,[Nginx 变量列表](http://nginx.org/en/docs/varindex.html)|| -|checks |可选|health_checker|配置健康检查的参数,详细可参考[health-check](health-check.md)|| +|checks |可选|health_checker|配置健康检查的参数,详细可参考[health-check](../health-check.md)|| |retries |可选|整型|使用底层的 Nginx 重试机制将请求传递给下一个上游,默认不启用重试机制|| |timeout |可选|超时时间对象|设置连接、发送消息、接收消息的超时时间|| |enable_websocket |可选 |辅助|是否允许启用 websocket 能力|| |hash_on |可选 |辅助|该参数作为一致性 hash 的入参|| -|desc |可选 |辅助|标识服务名称、使用场景等。|| +|name |可选 |辅助|标识上游服务名称、使用场景等。|| +|desc |可选 |辅助|上游服务描述、使用场景等。|| upstream 对象 json 配置内容: @@ -379,6 +384,7 @@ upstream 对象 json 配置内容: "checks": {}, # 配置健康检查的参数 "hash_on": "", "key": "", + "name": "upstream-xxx", # upstream 名称 "desc": "hello world", # upstream 描述 } ``` @@ -387,15 +393,15 @@ upstream 对象 json 配置内容: ```shell # 创建一个upstream -$ curl http://127.0.0.1:9080/apisix/admin/upstreams/100 -i -X PUT -d ' -> { -> "type": "roundrobin", -> "nodes": { -> "127.0.0.1:80": 1, -> "127.0.0.2:80": 2, -> "foo.com:80": 3 -> } -> }' +$ curl http://127.0.0.1:9080/apisix/admin/upstreams/100 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -i -X PUT -d ' +{ + "type":"roundrobin", + "nodes":{ + "127.0.0.1:80":1, + "127.0.0.2:80":2, + "foo.com:80":3 + } +}' HTTP/1.1 201 Created Date: Thu, 26 Dec 2019 04:19:34 GMT Content-Type: text/plain diff --git a/doc/architecture-design-cn.md b/doc/zh-cn/architecture-design.md similarity index 89% rename from doc/architecture-design-cn.md rename to doc/zh-cn/architecture-design.md index 3fa688448fe33..a9f66846546ce 100644 --- a/doc/architecture-design-cn.md +++ b/doc/zh-cn/architecture-design.md @@ -34,7 +34,7 @@ ### 插件加载流程 -![插件加载流程](./images/flow-load-plugin.png) +![插件加载流程](../images/flow-load-plugin.png) ### 插件内部结构 @@ -105,7 +105,7 @@ Server: APISIX web server 当我们接收到成功应答,表示该 Route 已成功创建。 -有关 Route 的具体选项,可具体查阅 [Admin API 之 Route](admin-api-cn.md#route)。 +有关 Route 的具体选项,可具体查阅 [Admin API 之 Route](admin-api.md#route)。 [返回目录](#目录) @@ -193,7 +193,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/102 -H 'X-API-KEY: edd1c9f034335f 优先级更高。 一个插件在一次请求中只会执行一次,即使被同时绑定到多个不同对象中(比如 Route 或 Service)。 -插件运行先后顺序是根据插件自身的优先级来决定的,例如:[example-plugin](../apisix/plugins/example-plugin.lua#L37)。 +插件运行先后顺序是根据插件自身的优先级来决定的,例如:[example-plugin](../../apisix/plugins/example-plugin.lua#L37)。 插件配置作为 Route 或 Service 的一部分提交的,放到 `plugins` 下。它内部是使用插件 名字作为哈希的 key 来保存不同插件的配置项。 @@ -216,7 +216,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/102 -H 'X-API-KEY: edd1c9f034335f 并不是所有插件都有具体配置项,比如 `prometheus` 下是没有任何具体配置项,这时候用一个空的对象 标识即可。 -[查看 APISIX 已支持插件列表](plugins-cn.md) +[查看 APISIX 已支持插件列表](plugins.md) [返回目录](#目录) @@ -238,11 +238,12 @@ APISIX 的 Upstream 除了基本的复杂均衡算法选择外,还支持对上 |名字 |可选|说明| |------- |-----|------| |type |必填|`roundrobin` 支持权重的负载,`chash` 一致性哈希,两者是二选一的| -|nodes |与 `k8s_deployment_info` 二选一|哈希表,内部元素的 key 是上游机器地址列表,格式为`地址 + Port`,其中地址部分可以是 IP 也可以是域名,比如 `192.168.1.100:80`、`foo.com:80` 等。value 则是节点的权重。当权重值为 `0` 代表该上游节点失效,不会被选中,可以用于暂时摘除节点的情况。| -|k8s_deployment_info|与 `nodes` 二选一|哈希表|字段包括 `namespace`、`deploy_name`、`service_name`、`port`、`backend_type`,其中 `port` 字段为数值,`backend_type` 为 `pod` 或 `service`,其他为字符串 | +|nodes |与 `k8s_deployment_info`、 `service_name` 三选一|哈希表,内部元素的 key 是上游机器地址列表,格式为`地址 + Port`,其中地址部分可以是 IP 也可以是域名,比如 `192.168.1.100:80`、`foo.com:80` 等。value 则是节点的权重。当权重值为 `0` 代表该上游节点失效,不会被选中,可以用于暂时摘除节点的情况。| +|service_name |与 `nodes`、 `k8s_deployment_info` 三选一 |用于设置上游服务名,并配合注册中心使用,详细可参考[集成服务发现注册中心](discovery.md) | +|k8s_deployment_info|与 `nodes`、 `service_name` 三选一|哈希表|字段包括 `namespace`、`deploy_name`、`service_name`、`port`、`backend_type`,其中 `port` 字段为数值,`backend_type` 为 `pod` 或 `service`,其他为字符串 | |key |可选|在 `type` 等于 `chash` 是必选项。 `key` 需要配合 `hash_on` 来使用,通过 `hash_on` 和 `key` 来查找对应的 node `id`| |hash_on |可选|`hash_on` 支持的类型有 `vars`(Nginx内置变量),`header`(自定义header),`cookie`,`consumer`,默认值为 `vars`| -|checks |可选|配置健康检查的参数,详细可参考[health-check](health-check.md)| +|checks |可选|配置健康检查的参数,详细可参考[health-check](../health-check.md)| |retries |可选|使用底层的 Nginx 重试机制将请求传递给下一个上游,默认 APISIX 会启用重试机制,根据配置的后端节点个数设置重试次数,如果此参数显式被设置将会覆盖系统默认设置的重试次数。| |enable_websocket|可选| 是否启用 `websocket`(布尔值),默认不启用| @@ -352,7 +353,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 }' ``` -更多细节可以参考[健康检查的文档](health-check.md)。 +更多细节可以参考[健康检查的文档](../health-check.md)。 下面是几个使用不同`hash_on`类型的配置示例: @@ -361,7 +362,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 创建一个consumer对象: ```shell -curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ` +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "username": "jack", "plugins": { @@ -369,7 +370,7 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1 "key": "auth-jack" } } -}` +}' ``` 新建路由,打开`key-auth`插件认证,`upstream`的`hash_on`类型为`consumer`: @@ -459,7 +460,7 @@ APISIX 区别于其他 API 网关的一大特点是允许用户选择不同 Rout 在本地配置 `conf/config.yaml` 中设置最符合自身业务需求的路由。 * `apisix.router.http`: HTTP 请求路由。 - * `radixtree_uri`: (默认)只使用 `uri` 作为主索引。基于 `radixtree` 引擎,支持全量和深前缀匹配,更多见 [如何使用 router-radixtree](router-radixtree.md)。 + * `radixtree_uri`: (默认)只使用 `uri` 作为主索引。基于 `radixtree` 引擎,支持全量和深前缀匹配,更多见 [如何使用 router-radixtree](../router-radixtree.md)。 * `绝对匹配`:完整匹配给定的 `uri` ,比如 `/foo/bar`,`/foo/glo`。 * `前缀匹配`:末尾使用 `*` 代表给定的 `uri` 是前缀匹配。比如 `/foo*`,则允许匹配 `/foo/`、`/foo/a`和`/foo/b`等。 * `匹配优先级`:优先尝试绝对匹配,若无法命中绝对匹配,再尝试前缀匹配。 @@ -489,14 +490,14 @@ APISIX 区别于其他 API 网关的一大特点是允许用户选择不同 Rout -1. 授权认证:比如有 [key-auth](./plugins/key-auth.md)、[JWT](./plugins/jwt-auth-cn.md) 等。 +1. 授权认证:比如有 [key-auth](../plugins/key-auth.md)、[JWT](plugins/jwt-auth.md) 等。 2. 获取 consumer_id:通过授权认证,即可自然获取到对应的 Consumer `id`,它是 Consumer 对象的唯一识别标识。 3. 获取 Consumer 上绑定的 Plugin 或 Upstream 信息:完成对不同 Consumer 做不同配置的效果。 概括一下,Consumer 是某类服务的消费者,需与用户认证体系配合才能使用。 比如不同的 Consumer 请求同一个 API,网关服务根据当前请求用户信息,对应不同的 Plugin 或 Upstream 配置。 -此外,大家也可以参考 [key-auth](./plugins/key-auth.md) 认证授权插件的调用逻辑,辅助大家来进一步理解 Consumer 概念和使用。 +此外,大家也可以参考 [key-auth](../plugins/key-auth.md) 认证授权插件的调用逻辑,辅助大家来进一步理解 Consumer 概念和使用。 如何对某个 Consumer 开启指定插件,可以看下面例子: @@ -547,6 +548,36 @@ HTTP/1.1 503 Service Temporarily Unavailable ``` +结合 [consumer-restriction](plugins/consumer-restriction.md) 插件,限制jack对该 route 的访问 + +# 设置黑名单,禁止jack访问该API +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "plugins": { + "key-auth": {}, + "consumer-restriction": { + "blacklist": [ + "jack" + ] + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" +}' + +# 反复测试,均返回 403,jack被禁止访问 +$ curl http://127.0.0.1:9080/hello -H 'apikey: auth-one' -I +HTTP/1.1 403 +... + +``` + + [返回目录](#目录) ## Global Rule @@ -558,6 +589,7 @@ HTTP/1.1 503 Service Temporarily Unavailable curl -X PUT \ https://{apisix_listen_address}/apisix/admin/global_rules/1 \ -H 'Content-Type: application/json' \ + -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \ -d '{ "plugins": { "limit-count": { @@ -576,7 +608,7 @@ curl -X PUT \ 我们可以通过以下接口查看所有的 `GlobalRule`: ```shell -curl https://{apisix_listen_address}/apisix/admin/global_rules +curl https://{apisix_listen_address}/apisix/admin/global_rules -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' ``` [返回目录](#目录) diff --git a/doc/zh-cn/batch-processor.md b/doc/zh-cn/batch-processor.md new file mode 100644 index 0000000000000..e9cfe2816bbba --- /dev/null +++ b/doc/zh-cn/batch-processor.md @@ -0,0 +1,69 @@ + + +[English](../batch-processor.md) + +# 批处理机 + +批处理处理器可用于聚合条目(日志/任何数据)并进行批处理。 +当batch_max_size设置为零时,处理器将立即执行每个条目。将批处理的最大大小设置为大于1将开始聚合条目,直到达到最大大小或超时到期为止 + +## 构型 + +创建批处理程序的唯一必需参数是函数。当批处理达到最大大小或缓冲区持续时间超过时,将执行该功能。 + +|名称 |需求 |描述| +|------- |----- |------| +|id |可选的 |标识批处理者的唯一标识符| +|batch_max_size |可选的 |每批的最大大小,默认为1000| +|inactive_timeout|可选的 |如果不活动,将刷新缓冲区的最大时间(以秒为单位),默认值为5s| +|buffer_duration|可选的 |必须先处理批次中最旧条目的最大期限(以秒为单位),默认是5| +|max_retry_count|可选的 |从处理管道中移除之前的最大重试次数;默认为零| +|retry_delay |可选的 |如果执行失败,应该延迟进程执行的秒数;默认为1| + +以下代码显示了如何使用批处理程序的示例。批处理处理器将要执行的功能作为第一个参数,将批处理配置作为第二个参数。 + +```lua +local bp = require("apisix.plugins.batch-processor") +local func_to_execute = function(entries) + -- serialize to json array core.json.encode(entries) + -- process/send data + return true + end + +local config = { + max_retry_count = 2, + buffer_duration = 60, + inactive_timeout = 5, + batch_max_size = 1, + retry_delay = 0 +} + + +local batch_processor, err = bp:new(func_to_execute, config) + +if batch_processor then + batch_processor:push({hello='world'}) +end +``` + + +注意:请确保批处理的最大大小(条目数)在函数执行的范围内。 +刷新批处理的计时器基于“ inactive_timeout”配置运行。因此,为了获得最佳使用效果, +保持“ inactive_timeout”小于“ buffer_duration”。 diff --git a/doc/benchmark-cn.md b/doc/zh-cn/benchmark.md similarity index 96% rename from doc/benchmark-cn.md rename to doc/zh-cn/benchmark.md index b42cf90f4763f..5e1dd4c80b653 100644 --- a/doc/benchmark-cn.md +++ b/doc/zh-cn/benchmark.md @@ -17,7 +17,7 @@ # --> -[English](benchmark.md) +[English](../benchmark.md) ### 测试环境 @@ -66,4 +66,4 @@ #### 火焰图 火焰图的采样结果: -![火焰图采样结果](../doc/images/flamegraph-2.jpg) +![火焰图采样结果](../images/flamegraph-2.jpg) diff --git a/doc/zh-cn/discovery.md b/doc/zh-cn/discovery.md new file mode 100644 index 0000000000000..003cc287be8d7 --- /dev/null +++ b/doc/zh-cn/discovery.md @@ -0,0 +1,253 @@ + +[English](../discovery.md) + +# 集成服务发现注册中心 + +* [**摘要**](#摘要) +* [**如何扩展注册中心**](#如何扩展注册中心) + * [**基本步骤**](#基本步骤) + * [**以 Eureka 举例**](#以-Eureka-举例) + * [**实现 eureka.lua**](#实现-eurekalua) + * [**Eureka 与 APISIX 之间数据转换逻辑**](#Eureka-与-APISIX-之间数据转换逻辑) +* [**注册中心配置**](#注册中心配置) + * [**选择注册中心**](#选择注册中心) + * [**Eureka 的配置**](#Eureka-的配置) +* [**upstream 配置**](#upstream-配置) + +## 摘要 + +当业务量发生变化时,需要对上游服务进行扩缩容,或者因服务器硬件故障需要更换服务器。如果网关是通过配置来维护上游服务信息,在微服务架构模式下,其带来的维护成本可想而知。再者因不能及时更新这些信息,也会对业务带来一定的影响,还有人为误操作带来的影响也不可忽视,所以网关非常必要通过服务注册中心动态获取最新的服务实例信息。架构图如下所示: + +![](../images/discovery-cn.png) + +1. 服务启动时将自身的一些信息,比如服务名、IP、端口等信息上报到注册中心;各个服务与注册中心使用一定机制(例如心跳)通信,如果注册中心与服务长时间无法通信,就会注销该实例;当服务下线时,会删除注册中心的实例信息; +2. 网关会准实时地从注册中心获取服务实例信息; +3. 当用户通过网关请求服务时,网关从注册中心获取的实例列表中选择一个进行代理; + +常见的注册中心:Eureka, Etcd, Consul, Nacos, Zookeeper等 + + +## 如何扩展注册中心? + +### 基本步骤 + +APISIX 要扩展注册中心其实是件非常容易的事情,其基本步骤如下: + +1. 在 `apisix/discovery/` 目录中添加注册中心客户端的实现; +2. 实现用于初始化的 `_M.init_worker()` 函数以及用于获取服务实例节点列表的 `_M.nodes(service_name)` 函数; +3. 将注册中心数据转换为 APISIX 格式的数据; + +### 以 Eureka 举例 + +#### 实现 eureka.lua + +首先在 `apisix/discovery/` 目录中添加 [`eureka.lua`](../../apisix/discovery/eureka.lua); + +然后在 `eureka.lua` 实现用于初始化的 `init_worker` 函数以及用于获取服务实例节点列表的 `nodes` 函数即可: + + ```lua + local _M = { + version = 0.1, + } + + + function _M.nodes(service_name) + ... ... + end + + + function _M.init_worker() + ... ... + end + + + return _M + ``` + +#### Eureka 与 APISIX 之间数据转换逻辑 + +APISIX是通过 `upstream.nodes` 来配置上游服务的,所以使用注册中心后,通过注册中心获取服务的所有 node 后,赋值给 `upstream.nodes` 来达到相同的效果。那么 APISIX 是怎么将 Eureka 的数据转成 node 的呢? 假如从 Eureka 获取如下数据: + +```json +{ + "applications": { + "application": [ + { + "name": "USER-SERVICE", # 服务名称 + "instance": [ + { + "instanceId": "192.168.1.100:8761", + "hostName": "192.168.1.100", + "app": "USER-SERVICE", # 服务名称 + "ipAddr": "192.168.1.100", # 实例 IP 地址 + "status": "UP", # 状态 + "overriddenStatus": "UNKNOWN", # 覆盖状态 + "port": { + "$": 8761, # 端口 + "@enabled": "true" # 开始端口 + }, + "securePort": { + "$": 443, + "@enabled": "false" + }, + "metadata": { + "management.port": "8761", + "weight": 100 # 权重,需要通过 spring boot 应用的 eureka.instance.metadata-map.weight 进行配置 + }, + "homePageUrl": "http://192.168.1.100:8761/", + "statusPageUrl": "http://192.168.1.100:8761/actuator/info", + "healthCheckUrl": "http://192.168.1.100:8761/actuator/health", + ... ... + } + ] + } + ] + } +} +``` + +解析 instance 数据步骤: + +1. 首先要选择状态为 “UP” 的实例: overriddenStatus 值不为 "UNKNOWN" 以 overriddenStatus 为准,否则以 status 的值为准; +2. IP 地址:以 ipAddr 的值为 IP; 并且必须是 IPv4 或 IPv6 格式的; +3. 端口:端口取值规则是,如果 port["@enabled"] 等于 "true" 那么使用 port["\$"] 的值;如果 securePort["@enabled"] 等于 "true" 那么使用 securePort["$"] 的值; +4. 权重:权重取值顺序是,先判断 `metadata.weight` 是否有值,如果没有,则取配置中的 `eureka.weight` 的值, 如果还没有,则取默认值`100`; + +这个例子转成 APISIX nodes 的结果如下: + +```json +[ + { + "host" : "192.168.1.100", + "port" : 8761, + "weight" : 100, + "metadata" : { + "management.port": "8761", + } + } +] +``` + +## 注册中心配置 + +### 选择注册中心 + +首先要在 `conf/config.yaml` 文件中增加如下配置,以选择注册中心的类型: + +```yaml +apisix: + discovery: eureka +``` + +此名称要与 `apisix/discovery/` 目录中实现对应注册中心的文件名保持一致。 + +现已支持注册中心有:Eureka 。 + +### Eureka 的配置 + +在 `conf/config.yaml` 增加如下格式的配置: + +```yaml +eureka: + host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster. + - "http://${usename}:${passowrd}@${eureka_host1}:${eureka_port1}" + - "http://${usename}:${passowrd}@${eureka_host2}:${eureka_port2}" + prefix: "/eureka/" + fetch_interval: 30 # 从 eureka 中拉取数据的时间间隔,默认30秒 + weight: 100 # default weight for node + timeout: + connect: 2000 # 连接 eureka 的超时时间,默认2000ms + send: 2000 # 向 eureka 发送数据的超时时间,默认2000ms + read: 5000 # 从 eureka 读数据的超时时间,默认5000ms +``` + +通过 `eureka.host ` 配置 eureka 的服务器地址。 + +如果 eureka 的地址是 `http://127.0.0.1:8761/` ,并且不需要用户名和密码验证的话,配置如下: + +```yaml +eureka: + host: + - "http://127.0.0.1:8761" + prefix: "/eureka/" +``` + +## upstream 配置 + +APISIX是通过 `upstream.service_name` 与注册中心的服务名进行关联。下面是将 uri 为 "/user/*" 的请求路由到注册中心名为 "USER-SERVICE" 的服务上例子: + +```shell +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "uri": "/user/*", + "upstream": { + "service_name": "USER-SERVICE", + "type": "roundrobin" + } +}' + +HTTP/1.1 201 Created +Date: Sat, 31 Aug 2019 01:17:15 GMT +Content-Type: text/plain +Transfer-Encoding: chunked +Connection: keep-alive +Server: APISIX web server + +{"node":{"value":{"uri":"\/user\/*","upstream": {"service_name": "USER-SERVICE", "type": "roundrobin"}},"createdIndex":61925,"key":"\/apisix\/routes\/1","modifiedIndex":61925},"action":"create"} +``` + +因为上游的接口 URL 可能会有冲突,通常会在网关通过前缀来进行区分: + +```shell +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "uri": "/a/*", + "plugins": { + "proxy-rewrite" : { + regex_uri: ["^/a/(.*)", "/${1}"] + } + } + "upstream": { + "service_name": "A-SERVICE", + "type": "roundrobin" + } +}' + +$ curl http://127.0.0.1:9080/apisix/admin/routes/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "uri": "/b/*", + "plugins": { + "proxy-rewrite" : { + regex_uri: ["^/b/(.*)", "/${1}"] + } + } + "upstream": { + "service_name": "B-SERVICE", + "type": "roundrobin" + } +}' +``` + +假如 A-SERVICE 和 B-SERVICE 都提供了一个 `/test` 的接口,通过上面的配置,可以通过 `/a/test` 访问 A-SERVICE 的 `/test` 接口,通过 `/b/test` 访问 B-SERVICE 的 `/test` 接口。 + + +**注意**:配置 `upstream.service_name` 后 `upstream.nodes` 将不再生效,而是使用从注册中心的数据来替换,即使注册中心的数据是空的。 + + diff --git a/doc/getting-started-cn.md b/doc/zh-cn/getting-started.md similarity index 97% rename from doc/getting-started-cn.md rename to doc/zh-cn/getting-started.md index 8825279b030b2..556533d42c68e 100644 --- a/doc/getting-started-cn.md +++ b/doc/zh-cn/getting-started.md @@ -16,7 +16,7 @@ # limitations under the License. # --> -[English](getting-started.md) +[English](../getting-started.md) # 快速入门指南 @@ -38,12 +38,12 @@ $ curl --location --request GET "https://httpbin.org/get?foo1=bar1&foo2=bar2" ## 前提 -- 本指南使用 docker 和 docker compose 来安装 Apache APISIX。 但是, 如果您已经以其他方式安装了 Apache APISIX ,您只需跳到 [第二步](getting-started-cn.md#第二步:-在-APISIX-中设置路由) 。 +- 本指南使用 docker 和 docker compose 来安装 Apache APISIX。 但是, 如果您已经以其他方式安装了 Apache APISIX ,您只需跳到 [第二步](getting-started.md#第二步:-在-APISIX-中设置路由) 。 - Curl:指南使用 Curl 命令进行 API 测试,但是您也可以使用您选择的任何其他工具( 例如 Postman )。 ## 第一步: 安装 APISIX -Apache APISIX 可以多种操作环境中安装。[如何安装文档](how-to-build-cn.md#installation-via-source-release) 显示了多个平台中的安装步骤。 +Apache APISIX 可以多种操作环境中安装。[如何安装文档](how-to-build.md#installation-via-source-release) 显示了多个平台中的安装步骤。 为了快速入门,让我们基于 docker 容器的安装方式进行安装。启动 Apache APISIX 服务,我们可以参照这个镜像文件[repository](https://github.com/apache/incubator-apisix-docker) 并切换到 example 文件夹下执行如下命令。 如下命令会启动 Apache APISIX 服务并默认在 9080 端口( https 请求是 9443 端口) 提供 admin API 接口服务 @@ -240,7 +240,7 @@ curl -i -X GET http://127.0.0.1:9080/samplePrefix/get?param1=foo¶m2=bar -H ' 到目前为止,已经通过使用 admin API 接口编排对 Apache APISIX 的 API 的调用。然而,Apache APISIX 还提供执行类似操作的一个 web 应用,就是web控制台。 可以在[repository](https://github.com/apache/incubator-apisix)中使用。控制台是直观的,您可以通过它编排同样的路由配置。 -![Dashboard](images/dashboard.png) +![Dashboard](../images/dashboard.png) ### 故障排查 diff --git a/doc/grpc-proxy-cn.md b/doc/zh-cn/grpc-proxy.md similarity index 96% rename from doc/grpc-proxy-cn.md rename to doc/zh-cn/grpc-proxy.md index 8c5a4e625a055..3f76fd8bec659 100644 --- a/doc/grpc-proxy-cn.md +++ b/doc/zh-cn/grpc-proxy.md @@ -17,7 +17,7 @@ # --> -[English](grpc-proxy.md) +[English](../grpc-proxy.md) # grpc-proxy @@ -35,7 +35,7 @@ 在指定 Route 中,代理 gRPC 服务接口: * 注意: 这个 Route 的属性 `service_protocol` 必须设置为 `grpc`; -* 注意: APISIX 使用 TLS 加密的 HTTP/2 暴露 gRPC 服务, 所以需要先 [配置 SSL 证书](https-cn.md); +* 注意: APISIX 使用 TLS 加密的 HTTP/2 暴露 gRPC 服务, 所以需要先 [配置 SSL 证书](https.md); * 下面例子所代理的 gRPC 服务可供参考:[grpc_server_example](https://github.com/iresty/grpc_server_example)。 ```shell diff --git a/doc/zh-cn/health-check.md b/doc/zh-cn/health-check.md new file mode 100644 index 0000000000000..6be4691c98b3d --- /dev/null +++ b/doc/zh-cn/health-check.md @@ -0,0 +1,103 @@ + + +# [English](../health-check.md) + +## Upstream的健康检查 + +APISIX的健康检查使用[lua-resty-healthcheck](https://github.com/Kong/lua-resty-healthcheck)实现,你可以在upstream中使用它。 + +下面是一个检查检查的例子: + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/index.html", + "plugins": { + "limit-count": { + "count": 2, + "time_window": 60, + "rejected_code": 503, + "key": "remote_addr" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1, + "127.0.0.1:1970": 1 + }, + "type": "roundrobin", + "retries": 2, + "checks": { + "active": { + "http_path": "/status", + "host": "foo.com", + "healthy": { + "interval": 2, + "successes": 1 + }, + "unhealthy": { + "interval": 1, + "http_failures": 2 + }, + "req_headers": ["User-Agent: curl/7.29.0"] + }, + "passive": { + "healthy": { + "http_statuses": [200, 201], + "successes": 3 + }, + "unhealthy": { + "http_statuses": [500], + "http_failures": 3, + "tcp_failures": 3 + } + } + } + } +}' +``` + +监控检查的配置内容在`checks`中,`checks`包含两个类型:`active` 和 `passive`,详情如下 + +* `active`: 要启动探活健康检查,需要在upstream配置中的 `checks.active` 添加如下配置项。 + + * `active.http_path`: 用于发现upstream节点健康可用的HTTP GET请求路径。 + * `active.host`: 用于发现upstream节点健康可用的HTTP请求主机名。 + + `healthy`的阀值字段: + * `active.healthy.interval`: 健康的目标节点的健康检查间隔时间(以秒为单位),最小值为1。 + * `active.healthy.successes`: 确定目标是否健康的成功次数,最小值为1。 + + `unhealthy`的阀值字段: + * `active.unhealthy.interval`: 针对不健康目标节点的健康检查之间的间隔(以秒为单位),最小值为1。 + * `active.unhealthy.http_failures`: 确定目标节点不健康的http请求失败次数,最小值为1。 + * `active.req_headers`: 其他请求标头。数组格式,可以填写多个标题。 + +* `passive`: 要启用被动健康检查,需要在upstream配置中的 `checks.passive` 添加如下配置项。 + + `healthy`的阀值字段: + * `passive.healthy.http_statuses`: 如果当前HTTP响应状态码是其中任何一个,则将upstream节点设置为 `healthy` 状态。否则,请忽略此请求。 + * `passive.healthy.successes`: 如果upstream节点被检测成功(由 `passive.healthy.http_statuses` 定义)的次数超过 `successes` 次,则将该节点设置为 `healthy` 状态。 + + `unhealthy`的阀值字段: + * `passive.unhealthy.http_statuses`: 如果当前HTTP响应状态码是其中任何一个,则将upstream节点设置为 `unhealthy` 状态。否则,请忽略此请求。 + * `passive.unhealthy.tcp_failures`: 如果TCP通讯失败次数超过 `tcp_failures` 次,则将upstream节点设置为 `unhealthy` 状态。 + * `passive.unhealthy.timeouts`: 如果被动健康检查超时次数超过 `timeouts` 次,则将upstream节点设置为 `unhealthy` 状态。 + * `passive.unhealthy.http_failures`: 如果被动健康检查的HTTP请求失败(由 `passive.unhealthy.http_statuses` 定义)的次数超过 `http_failures`次,则将upstream节点设置为 `unhealthy` 状态。 diff --git a/doc/how-to-build-cn.md b/doc/zh-cn/how-to-build.md similarity index 93% rename from doc/how-to-build-cn.md rename to doc/zh-cn/how-to-build.md index 3f54eb0346204..303dcd680f014 100644 --- a/doc/how-to-build-cn.md +++ b/doc/zh-cn/how-to-build.md @@ -34,20 +34,20 @@ Apache APISIX 的运行环境需要 Nginx 和 etcd, 你需要先下载 Apache Release 源码包: ```shell -wget http://www.apache.org/dist/incubator/apisix/1.2/apache-apisix-1.2-incubating-src.tar.gz -tar zxvf apache-apisix-1.2-incubating-src.tar.gz +wget http://www.apache.org/dist/incubator/apisix/1.4/apache-apisix-1.4-incubating-src.tar.gz +tar zxvf apache-apisix-1.4-incubating-src.tar.gz ``` 安装运行时依赖的 Lua 库: ``` -cd apache-apisix-1.2-incubating +cd apache-apisix-1.4-incubating make deps ``` ### 通过 RPM 包安装(CentOS 7) ```shell -sudo yum install -y https://github.com/apache/incubator-apisix/releases/download/1.2/apisix-1.2-0.el7.noarch.rpm +sudo yum install -y https://github.com/apache/incubator-apisix/releases/download/1.4/apisix-1.4-0.el7.noarch.rpm ``` ### 通过 Luarocks 安装 (不支持 macOS) @@ -63,11 +63,11 @@ sudo sh -c "$(curl -fsSL https://raw.githubusercontent.com/apache/incubator-apis > 通过 Luarocks 安装指定的版本: ```shell -# 安装 apisix 的 1.2 版本 -sudo luarocks install --lua-dir=/path/openresty/luajit apisix 1.2 +# 安装 apisix 的 1.4 版本 +sudo luarocks install --lua-dir=/path/openresty/luajit apisix 1.4 # 老版本 luarocks 可能不支持 `lua-dir` 参数,可以删除该选项 -sudo luarocks install apisix 1.2 +sudo luarocks install apisix 1.4 ``` ## 3. 管理(启动、关闭等)APISIX 服务 diff --git a/doc/https-cn.md b/doc/zh-cn/https.md similarity index 99% rename from doc/https-cn.md rename to doc/zh-cn/https.md index 4ea82d5f21fb3..33ce14c22137d 100644 --- a/doc/https-cn.md +++ b/doc/zh-cn/https.md @@ -17,7 +17,7 @@ # --> -[English](https.md) +[English](../https.md) ### HTTPS diff --git a/doc/zh-cn/install-dependencies.md b/doc/zh-cn/install-dependencies.md new file mode 100644 index 0000000000000..f0d4201a7e33e --- /dev/null +++ b/doc/zh-cn/install-dependencies.md @@ -0,0 +1,153 @@ + + +# 安装依赖 +- [CentOS 6](#centos-6) +- [CentOS 7](#centos-7) +- [Fedora 31 & 32](#fedora-31--32) +- [Ubuntu 16.04 & 18.04](#ubuntu-1604--1804) +- [Debian 9 & 10](#debian-9--10) +- [Mac OSX](#mac-osx) +- [如何编译 Openresty](#如何编译-openresty) +- [注意](#注意) + +CentOS 6 +======== + +```shell +# 添加 OpenResty 源 +sudo yum install yum-utils +sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo + +# 安装 OpenResty, etcd 和 编译工具 +sudo yum install -y openresty curl git gcc luarocks lua-devel make + +wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz +tar -xvf etcd-v3.3.13-linux-amd64.tar.gz && \ + cd etcd-v3.3.13-linux-amd64 && \ + sudo cp -a etcd etcdctl /usr/bin/ + +# 开启 etcd server +nohup etcd & +``` + +CentOS 7 +======== + +```shell +# 安装 epel, `luarocks` 需要它 +wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm +sudo rpm -ivh epel-release-latest-7.noarch.rpm + +# 添加 OpenResty 源 +sudo yum install yum-utils +sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo + +# 安装 OpenResty, etcd 和 编译工具 +sudo yum install -y etcd openresty curl git gcc luarocks lua-devel + +# 开启 etcd server +sudo service etcd start +``` + +Fedora 31 & 32 +============== + +```shell +# add OpenResty source +sudo yum install yum-utils +sudo yum-config-manager --add-repo https://openresty.org/package/fedora/openresty.repo + +# install OpenResty, etcd and some compilation tools +sudo yum install -y etcd openresty curl git gcc luarocks lua-devel + +# start etcd server +sudo etcd --enable-v2=true & +``` + +Ubuntu 16.04 & 18.04 +==================== + +```shell +# 添加 OpenResty 源 +wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add - +sudo apt-get update +sudo apt-get -y install software-properties-common +sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" +sudo apt-get update + +# 安装 OpenResty, etcd 和 编译工具 +sudo apt-get install -y git etcd openresty curl luarocks + +# 开启 etcd server +sudo service etcd start +``` + +Debian 9 & 10 +============= + +```shell +# 可选 +sed -i 's|^deb http://deb.debian.org/debian|deb http://mirrors.huaweicloud.com/debian|g' /etc/apt/sources.list +sed -i 's|^deb http://security.debian.org/debian-security|deb http://mirrors.huaweicloud.com/debian-security|g' /etc/apt/sources.list +apt update +apt install wget gnupg -y + +# 添加 OpenResty 源 +wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add - +sudo apt-get -y install software-properties-common +sudo add-apt-repository -y "deb http://openresty.org/package/debian $(lsb_release -sc) openresty" +sudo apt-get update + +# 安装 etcd +wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz +tar -xvf etcd-v3.3.13-linux-amd64.tar.gz && \ + cd etcd-v3.3.13-linux-amd64 && \ + sudo cp -a etcd etcdctl /usr/bin/ + +# 安装 OpenResty, etcd 和 编译工具 +sudo apt-get install -y git openresty curl luarocks make + +# 开启 etcd server +nohup etcd & +``` + +Mac OSX +======= + +```shell +# 安装 OpenResty, etcd 和 编译工具 +brew install openresty/brew/openresty etcd luarocks curl git + +# 开启 etcd server 并启用 v2 的功能 +etcd --enable-v2=true & +``` + +如何编译 Openresty +============================ + +编译 Openresty 是一件比较复杂的事情,没办法简单地说明白。所以我们推荐你直接参考官方的安装文档。 + +http://openresty.org/en/linux-packages.html + +注意 +==== +- Apache APISIX 目前只支持 `v2` 版本的 etcd,但是最新版的 etcd (从 3.4 起)已经默认关闭了 `v2` 版本的功能。所以你需要添加启动参数 `--enable-v2=true` 来开启 `v2` 的功能,目前对 `v3` etcd 的开发工作已经启动,不久后便可投入使用。 + +- 如果你要想使用 Tengine 替代 OpenResty,请参考 [Install Tengine at Ubuntu](../../.travis/linux_tengine_runner.sh)。 diff --git a/doc/plugin-develop-cn.md b/doc/zh-cn/plugin-develop.md similarity index 95% rename from doc/plugin-develop-cn.md rename to doc/zh-cn/plugin-develop.md index c8a7663b8d301..85083ddf1e25a 100644 --- a/doc/plugin-develop-cn.md +++ b/doc/zh-cn/plugin-develop.md @@ -16,7 +16,7 @@ # limitations under the License. # --> -[English](plugin-develop.md) +[English](../plugin-develop.md) # 目录 @@ -95,6 +95,12 @@ plugins: # plugin list 注:先后顺序与执行顺序无关。 +特别需要注意的是,如果你的插件有新建自己的代码目录,那么就需要修改 Makefile 文件,新增创建文件夹的操作,比如: +``` +$(INSTALL) -d $(INST_LUADIR)/apisix/plugins/skywalking +$(INSTALL) apisix/plugins/skywalking/*.lua $(INST_LUADIR)/apisix/plugins/skywalking/ +``` + ## 配置描述与校验 定义插件的配置项,以及对应的 [Json Schema](https://json-schema.org) 描述,并完成对 json 的校验,这样方便对配置的数据规 diff --git a/doc/plugins-cn.md b/doc/zh-cn/plugins.md similarity index 97% rename from doc/plugins-cn.md rename to doc/zh-cn/plugins.md index 103cfb070810c..dc861fb6029e8 100644 --- a/doc/plugins-cn.md +++ b/doc/zh-cn/plugins.md @@ -17,7 +17,7 @@ # --> -[English](plugins.md) +[English](../plugins.md) ## 热加载 diff --git a/doc/zh-cn/plugins/authz-keycloak-cn.md b/doc/zh-cn/plugins/authz-keycloak-cn.md new file mode 100644 index 0000000000000..fe433c8fe6acd --- /dev/null +++ b/doc/zh-cn/plugins/authz-keycloak-cn.md @@ -0,0 +1,124 @@ + + +[English](../../plugins/authz-keycloak.md) + +# 目录 +- [**名字**](#名字) +- [**属性**](#属性) +- [**如何启用**](#如何启用) +- [**测试插件**](#测试插件) +- [**禁用插件**](#禁用插件) +- [**示例**](#示例) + +## 名字 + +`authz-keycloak` 是和 Keycloak Identity Server 配合使用的鉴权插件。Keycloak 是一种兼容 OAuth/OIDC 和 UMA 协议的身份认证服务器。尽管本插件是和 Keycloak 服务器配合开发的,但也应该能够适配任意兼容 OAuth/OIDC 和 UMA 协议的身份认证服务器。 + +有关 Keycloak 的更多信息,可参考 [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) 查看更多信息。 + +## 属性 + +|名称 |选项 |描述| +|--------- |-------- |-----------| +| token_endpoint|必填 |接受 OAuth2 兼容 token 的接口,需要支持 `urn:ietf:params:oauth:grant-type:uma-ticket` 授权类型| +| grant_type |选填 |默认值为 `urn:ietf:params:oauth:grant-type:uma-ticket`| +| audience |选填 |客户端应用访问相应的资源服务器时所需提供的身份信息。当 permissions 参数有值时这个参数是必填的。| +| permissions |选填 |描述客户端应用所需访问的资源和权限范围的字符串。格式必须为:`RESOURCE_ID#SCOPE_ID`| +| timeout |选填 |与身份认证服务器的 http 连接的超时时间。默认值为 3 秒。| +| policy_enforcement_mode|必填 |只能是 ENFORCING 或 PERMISSIVE。| + +### 策略执行模式 + +定义了在处理身份认证请求时如何应用策略 + +**Enforcing** + +- (默认)如果资源没有绑定任何访问策略,请求默认会被拒绝。 + +**Permissive** + +- 如果资源没有绑定任何访问策略,请求会被允许。 + +## 如何启用 + +创建一个 `route` 对象,并在该 `route` 对象上启用 `authz-keycloak` 插件: + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/get", + "plugins": { + "authz-keycloak": { + "token_endpoint": "http://127.0.0.1:8090/auth/realms/{client_id}/protocol/openid-connect/token", + "permissions": ["resource name#scope name"], + "audience": "Client ID" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:8080": 1 + } + } +} +``` + +## 测试插件 + +```shell +curl http://127.0.0.1:9080/get -H 'Authorization: Bearer {JWT Token}' +``` + +## 禁用插件 + +在插件设置页面中删除相应的 json 配置即可禁用 `authz-keycloak` 插件。APISIX 的插件是热加载的,因此无需重启 APISIX 服务。 + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/get", + "plugins": { + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:8080": 1 + } + } +} +``` + +## 示例 + +请查看 authz-keycloak.t 中的单元测试来了解如何将身份认证策略与您的 API 工作流集成。运行以下 docker 镜像并访问 `http://localhost:8090` 来查看单元测试中绑定的访问策略: + +```bash +docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 sshniro/keycloak-apisix +``` + +下面这张截图显示了如何在 Keycloak 服务器上配置访问策略: + +![Keycloak policy design](../../images/plugin/authz-keycloak.png) + +## 后续开发 + +- 目前 `authz-plugin` 仅支持通过定义资源名和访问权限范畴来应用 `route` 的访问策略。但是 Keycloak 官方适配的其他语言的客户端 (Java, JS) 还可以通过动态查询 Keycloak 路径以及懒加载身份资源的路径来支持路径匹配。未来版本的 `authz-plugin` 将会支持这项功能。 + +- 支持从 Keycloak JSON 文件中读取权限范畴和其他配置项。 diff --git a/doc/plugins/basic-auth-cn.md b/doc/zh-cn/plugins/basic-auth.md similarity index 96% rename from doc/plugins/basic-auth-cn.md rename to doc/zh-cn/plugins/basic-auth.md index e4e862d1ea83f..f4442f0f658b6 100644 --- a/doc/plugins/basic-auth-cn.md +++ b/doc/zh-cn/plugins/basic-auth.md @@ -17,7 +17,7 @@ # --> -# [English](basic-auth.md) +# [English](../../plugins/basic-auth.md) # 目录 @@ -58,10 +58,10 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1 ``` 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 consumer: -![auth-1](../images/plugin/basic-auth-1.png) +![auth-1](../../images/plugin/basic-auth-1.png) 然后在 consumer 页面中添加 basic-auth 插件: -![auth-2](../images/plugin/basic-auth-2.png) +![auth-2](../../images/plugin/basic-auth-2.png) ### 2. 创建 Route 或 Service 对象,并开启 `basic-auth` 插件。 diff --git a/doc/plugins/batch-requests-cn.md b/doc/zh-cn/plugins/batch-requests.md similarity index 94% rename from doc/plugins/batch-requests-cn.md rename to doc/zh-cn/plugins/batch-requests.md index dc06e862bdef0..bea6bd5ffc7d8 100644 --- a/doc/plugins/batch-requests-cn.md +++ b/doc/zh-cn/plugins/batch-requests.md @@ -17,7 +17,7 @@ # --> -# [English](batch-requests.md) +# [English](../../plugins/batch-requests.md) # 目录 @@ -32,6 +32,10 @@ `batch-requests` 插件可以一次接受多个请求并以 [http pipeline](https://en.wikipedia.org/wiki/HTTP_pipelining) 的方式在网关发起多个http请求,合并结果后再返回客户端,这在客户端需要访问多个接口时可以显著地提升请求性能。 +> **提示** +> +> 外层的 Http 请求头会自动设置到每一个独立请求中,如果独立请求中出现相同键值的请求头,那么只有独立请求的请求头会生效。 + ## 属性 无 @@ -67,7 +71,7 @@ #### HttpResponse | 参数名 | 类型 | 描述 | -| --- | --- | --- | --- | --- | +| --- | --- | --- | | status | Integer | Http 请求的状态码 | | reason | String | Http 请求的返回信息 | | body | String | Http 请求的响应体 | diff --git a/doc/zh-cn/plugins/consumer-restriction.md b/doc/zh-cn/plugins/consumer-restriction.md new file mode 100644 index 0000000000000..c1f3d1e359666 --- /dev/null +++ b/doc/zh-cn/plugins/consumer-restriction.md @@ -0,0 +1,128 @@ + + +[English](../../plugins/consumer-restriction.md) + +# 目录 +- [**名字**](#名字) +- [**属性**](#属性) +- [**如何启用**](#如何启用) +- [**测试插件**](#测试插件) +- [**禁用插件**](#禁用插件) + +## 名字 + +`consumer-restriction` 可以通过以下方式限制对服务或路线的访问,将 consumer 列入白名单或黑名单。 支持单个或多个 consumer。 + +## 属性 + +* `whitelist`: 可选,加入白名单的consumer +* `blacklist`: 可选,加入黑名单的consumer + +只能单独启用白名单或黑名单,两个不能一起使用。 + +## 如何启用 + +下面是一个示例,在指定的 route 上开启了 `consumer-restriction` 插件,限制consumer访问: + + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "username": "jack1", + "plugins": { + "basic-auth": { + "username":"jack2019", + "password": "123456" + } + } +}' + +curl http://127.0.0.1:9080/apisix/admin/consumers/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d ' +{ + "username": "jack2", + "plugins": { + "basic-auth": { + "username":"jack2020", + "password": "123456" + } + } +}' + +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/index.html", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "basic-auth": {}, + "consumer-restriction": { + "whitelist": [ + "jack1" + ] + } + } +}' +``` + +## 测试插件 + +jack1 访问: + +```shell +$ curl -u jack2019:123456 http://127.0.0.1:9080/index.html +HTTP/1.1 200 OK +... +``` + +jack2 访问: + +```shell +$ curl -u jack2020:123456 http://127.0.0.1:9080/index.html -i +HTTP/1.1 403 Forbidden +... +{"message":"You are not allowed"} +``` + +## 禁用插件 + +当你想去掉 `consumer-restriction` 插件的时候,很简单,在插件的配置中把对应的 json 配置删除即可,无须重启服务,即刻生效: + +```shell +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/index.html", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "basic-auth": {} + } +}' +``` + +现在就已移除 `consumer-restriction` 插件,其它插件的开启和移除也类似。 + diff --git a/doc/plugins/cors-cn.md b/doc/zh-cn/plugins/cors.md similarity index 99% rename from doc/plugins/cors-cn.md rename to doc/zh-cn/plugins/cors.md index 413dc95acc854..bc26df7307cf6 100644 --- a/doc/plugins/cors-cn.md +++ b/doc/zh-cn/plugins/cors.md @@ -17,7 +17,7 @@ # --> -# [English](cors.md) +# [English](../../plugins/cors.md) # 目录 diff --git a/doc/zh-cn/plugins/echo.md b/doc/zh-cn/plugins/echo.md new file mode 100644 index 0000000000000..71122fb4c309b --- /dev/null +++ b/doc/zh-cn/plugins/echo.md @@ -0,0 +1,92 @@ + + +# 目录 +- [**简介**](#简介) +- [**属性**](#属性) +- [**如何启用**](#如何启用) +- [**测试插件**](#测试插件) +- [**禁用插件**](#禁用插件) + +## 简介 + +echo 是一个有用的插件,可帮助用户尽可能全面地了解如何开发APISIX插件。 + + +该插件展示了如何在常见的 phase 中实现相应的功能,常见的 phase 有:init, rewrite, access, balancer, header filer, body filter 以及 log。 + +## 属性 + +|属性名称 |必选项 |描述| +|--------- |--------|-----------| +| before_body |可选| 在 body 属性之前添加的内容,如果 body 属性没有指定将添加在 upstream response body 之前。 | +| body |可选| 返回给客户端的响应内容,它将覆盖 upstream 返回的响应 body。 | +| after_body |可选| 在 body 属性之后添加的内容,如果 body 属性没有指定将在 upstream 响应 body 之后添加。 | + +## 如何启用 + +1. 为特定路由启用 echo 插件。 + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "plugins": { + "echo": { + "before_body": "before the body modification " + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" +}' +``` + +## 测试插件 + +* 成功: + +```shell +$ curl -i http://127.0.0.1:9080/hello +HTTP/1.1 200 OK +... +before the body modification hello world +``` + +## 禁用插件 + +当您要禁用`echo`插件时,这很简单,您可以在插件配置中删除相应的json配置,无需重新启动服务,它将立即生效: + +```shell +$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uri": "/hello", + "plugins": {}, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` diff --git a/doc/plugins/fault-injection-cn.md b/doc/zh-cn/plugins/fault-injection.md similarity index 98% rename from doc/plugins/fault-injection-cn.md rename to doc/zh-cn/plugins/fault-injection.md index 29453a8115b43..d6155efe1b66e 100644 --- a/doc/plugins/fault-injection-cn.md +++ b/doc/zh-cn/plugins/fault-injection.md @@ -17,7 +17,7 @@ # --> -# [English](fault-injection.md) +# [English](../../plugins/fault-injection.md) # fault-injection diff --git a/doc/plugins/grpc-transcoding-cn.md b/doc/zh-cn/plugins/grpc-transcode.md similarity index 98% rename from doc/plugins/grpc-transcoding-cn.md rename to doc/zh-cn/plugins/grpc-transcode.md index 7bb4faa5d1202..b0c74601ffe93 100644 --- a/doc/plugins/grpc-transcoding-cn.md +++ b/doc/zh-cn/plugins/grpc-transcode.md @@ -17,9 +17,9 @@ # --> -# [English](grpc-transcoding.md) +# [English](../../plugins/grpc-transcode.md) -# grpc-transcoding +# grpc-transcode HTTP(s) -> APISIX -> gRPC server diff --git a/doc/zh-cn/plugins/http-logger.md b/doc/zh-cn/plugins/http-logger.md new file mode 100644 index 0000000000000..01e3ee10ca0e4 --- /dev/null +++ b/doc/zh-cn/plugins/http-logger.md @@ -0,0 +1,97 @@ + + +# 目录 +- [**定义**](#name) +- [**属性列表**](#attributes) +- [**如何开启**](#how-to-enable) +- [**测试插件**](#test-plugin) +- [**禁用插件**](#disable-plugin) + +## 定义 + +`http-logger` 是一个插件,可将Log数据请求推送到 HTTP / HTTPS 服务器。 + +这将提供将 Log 数据请求作为JSON对象发送到监视工具和其他 HTTP 服务器的功能。 + +## 属性列表 + +|名称 |必选项 |描述| +|--------- |--------|-----------| +| uri |必要的| 服务器的 URI | +| authorization |可选的| 授权头部 | +| keepalive |可选的|发送请求后保持连接活动的时间| +| name |可选的|标识 logger 的唯一标识符| +| batch_max_size |可选的|每批的最大大小,默认为 1000| +| inactive_timeout |可选的|刷新缓冲区的最大时间(以秒为单位),默认值为 5| +| buffer_duration |可选的|必须先处理批次中最旧条目的最长期限(以秒为单位),默认值为 5| +| max_retry_count |可选的|从处理管道中移除之前的最大重试次数,默认为 0| +| retry_delay |可选的|如果执行失败,则应延迟执行流程的秒数,默认为 1| + +## 如何开启 + +1. 这是有关如何为特定路由启用 http-logger 插件的示例。 + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "plugins": { + "http-logger": { + "uri": "127.0.0.1:80/postendpoint?param=1" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "uri": "/hello" +}' +``` + +## 测试插件 + +* 成功: + +```shell +$ curl -i http://127.0.0.1:9080/hello +HTTP/1.1 200 OK +... +hello, world +``` + +## 禁用插件 + +在插件配置中删除相应的 json 配置以禁用 http-logger。APISIX 插件是热重载的,因此无需重新启动 APISIX: + +```shell +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uri": "/hello", + "plugins": {}, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` diff --git a/doc/plugins/ip-restriction-cn.md b/doc/zh-cn/plugins/ip-restriction.md similarity index 94% rename from doc/plugins/ip-restriction-cn.md rename to doc/zh-cn/plugins/ip-restriction.md index c9f1fcfdb5cfe..89ecf5363e559 100644 --- a/doc/plugins/ip-restriction-cn.md +++ b/doc/zh-cn/plugins/ip-restriction.md @@ -17,7 +17,7 @@ # --> -[English](ip-restriction.md) +[English](../../plugins/ip-restriction.md) # 目录 - [**名字**](#名字) @@ -86,7 +86,7 @@ HTTP/1.1 403 Forbidden 当你想去掉 `ip-restriction` 插件的时候,很简单,在插件的配置中把对应的 json 配置删除即可,无须重启服务,即刻生效: ```shell -$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "uri": "/index.html", "plugins": {}, diff --git a/doc/plugins/jwt-auth-cn.md b/doc/zh-cn/plugins/jwt-auth.md similarity index 97% rename from doc/plugins/jwt-auth-cn.md rename to doc/zh-cn/plugins/jwt-auth.md index 8dfc5cb6b04ed..8a33e8eec6e5c 100644 --- a/doc/plugins/jwt-auth-cn.md +++ b/doc/zh-cn/plugins/jwt-auth.md @@ -17,7 +17,7 @@ # --> -[English](jwt-auth.md) +[English](../../plugins/jwt-auth.md) # 目录 - [**名字**](#名字) @@ -59,10 +59,10 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1 }' ``` 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 consumer: -![](../images/plugin/jwt-auth-1.png) +![](../../images/plugin/jwt-auth-1.png) 然后在 consumer 页面中添加 jwt-auth 插件: -![](../images/plugin/jwt-auth-2.png) +![](../../images/plugin/jwt-auth-2.png) 2. 创建 Route 或 Service 对象,并开启 `jwt-auth` 插件。 diff --git a/doc/zh-cn/plugins/kafka-logger.md b/doc/zh-cn/plugins/kafka-logger.md new file mode 100644 index 0000000000000..eecded5da01e0 --- /dev/null +++ b/doc/zh-cn/plugins/kafka-logger.md @@ -0,0 +1,127 @@ + + +# 目录 +- [**简介**](#简介) +- [**属性**](#属性) +- [**工作原理**](#工作原理) +- [**如何启用**](#如何启用) +- [**测试插件**](#测试插件) +- [**禁用插件**](#禁用插件) + +## 简介 + +`kafka-logger` 是一个插件,可用作ngx_lua nginx 模块的 Kafka 客户端驱动程序。 + +它可以将接口请求日志以 JSON 的形式推送给外部 Kafka 集群。如果在短时间内没有收到日志数据,请放心,它会在我们的批处理处理器中的计时器功能到期后自动发送日志。 + +有关 Apache APISIX 中 Batch-Processor 的更多信息,请参考。 +[Batch-Processor](../batch-processor.md) + +## 属性 + +|属性名称 |必选项 |描述| +|--------- |--------|-----------| +| broker_list |必须| 要推送的 kafka 的 broker 列表。| +| kafka_topic |必须| 要推送的 topic。| +| timeout |可选| 发送数据的超时时间。| +| key |必须| 用于加密消息的密钥。| +| name |必须| batch processor 的唯一标识。| +| batch_max_size |可选| 批量发送的消息最大数量,当到达该阀值后会立即发送消息| +| inactive_timeout |可选| 不活跃时间,如果在该时间范围内都没有消息写入缓冲区,那么会立即发送到 kafka。默认值: 5(s)| +| buffer_duration |可选| 缓冲周期,消息停留在缓冲区的最大时间,当超过该时间时会立即发送到 kafka。默认值: 60(s)| +| max_retry_count |可选| 最大重试次数。默认值: 0| +| retry_delay |可选| 重试间隔。默认值: 1(s)| + +## 工作原理 + +消息将首先写入缓冲区。 +当缓冲区超过`batch_max_size`时,它将发送到kafka服务器, +或每个`buffer_duration`刷新缓冲区。 + +如果成功,则返回“ true”。 +如果出现错误,则返回“ nil”,并带有描述错误的字符串(`buffer overflow`)。 + +##### Broker 列表 + +插件支持一次推送到多个 Broker,如下配置: + +```json +{ + "127.0.0.1":9092, + "127.0.0.1":9093 +} +``` + +## 如何启用 + +1. 为特定路由启用 kafka-logger 插件。 + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "plugins": { + "kafka-logger": { + "broker_list" : + { + "127.0.0.1":9092 + }, + "kafka_topic" : "test2", + "key" : "key1" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" +}' +``` + +## 测试插件 + +* 成功: + +```shell +$ curl -i http://127.0.0.1:9080/hello +HTTP/1.1 200 OK +... +hello, world +``` + +## 禁用插件 + +当您要禁用`kafka-logger`插件时,这很简单,您可以在插件配置中删除相应的json配置,无需重新启动服务,它将立即生效: + +```shell +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uri": "/hello", + "plugins": {}, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` diff --git a/doc/plugins/key-auth-cn.md b/doc/zh-cn/plugins/key-auth.md similarity index 96% rename from doc/plugins/key-auth-cn.md rename to doc/zh-cn/plugins/key-auth.md index e7b392c69bea5..0c2c75c7782e8 100644 --- a/doc/plugins/key-auth-cn.md +++ b/doc/zh-cn/plugins/key-auth.md @@ -17,7 +17,7 @@ # --> -[English](key-auth.md) +[English](../../plugins/key-auth.md) # 目录 - [**名字**](#名字) @@ -54,10 +54,10 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1 ``` 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 consumer: -![](../images/plugin/key-auth-1.png) +![](../../images/plugin/key-auth-1.png) 然后在 consumer 页面中添加 key-auth 插件: -![](../images/plugin/key-auth-2.png) +![](../../images/plugin/key-auth-2.png) 2. 创建 route 或 service 对象,并开启 `key-auth` 插件。 diff --git a/doc/plugins/limit-conn-cn.md b/doc/zh-cn/plugins/limit-conn.md similarity index 84% rename from doc/plugins/limit-conn-cn.md rename to doc/zh-cn/plugins/limit-conn.md index fb0b4d70b4edd..9bb7c3c76e2f1 100644 --- a/doc/plugins/limit-conn-cn.md +++ b/doc/zh-cn/plugins/limit-conn.md @@ -17,15 +17,15 @@ # --> -[English](limit-conn.md) +[English](../../plugins/limit-conn.md) # limit-conn -Apisix 的限制并发请求(或并发连接)插件。 +限制并发请求(或并发连接)插件。 ### 属性 -* `conn`: 允许的最大并发请求数。 超过这个比率的请求(低于“ conn” + “ burst”)将被延迟以符合这个阈值。 -* `burst`: 允许延迟的过多并发请求(或连接)的数量。 +* `conn`: 允许的最大并发请求数。超过 `conn` 的限制、但是低于 `conn` + `burst` 的请求,将被延迟处理。 +* `burst`: 允许被延迟处理的并发请求数。 * `default_conn_delay`: 默认的典型连接(或请求)的处理延迟时间。 * `key`: 用户指定的限制并发级别的关键字,可以是客户端IP或服务端IP。 @@ -33,7 +33,8 @@ Apisix 的限制并发请求(或并发连接)插件。 现在接受以下关键字: “remote_addr”(客户端的 IP),“server_addr”(服务器的 IP),请求头中的“ X-Forwarded-For/X-Real-IP”。 -* `rejected_code`: 当请求超过阈值时返回的 HTTP状态码, 默认值是503。 + **key 是可以被用户自定义的,只需要修改插件的一行代码即可完成。并没有在插件中放开是处于安全的考虑。** +* `rejected_code`: 当请求超过 `conn` + `burst` 这个阈值时,返回的 HTTP状态码,默认值是503。 #### 如何启用 @@ -64,10 +65,10 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 ``` 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 route: -![](../images/plugin/limit-conn-1.png) +![](../../images/plugin/limit-conn-1.png) 然后在 route 页面中添加 limit-conn 插件: -![](../images/plugin/limit-conn-2.png) +![](../../images/plugin/limit-conn-2.png) #### test plugin diff --git a/doc/plugins/limit-count-cn.md b/doc/zh-cn/plugins/limit-count.md similarity index 94% rename from doc/plugins/limit-count-cn.md rename to doc/zh-cn/plugins/limit-count.md index 1768ebc638e60..718c6af49e73d 100644 --- a/doc/plugins/limit-count-cn.md +++ b/doc/zh-cn/plugins/limit-count.md @@ -17,7 +17,7 @@ # --> -[English](limit-count.md) +[English](../../plugins/limit-count.md) # limit-count @@ -31,13 +31,16 @@ |count |必选 |指定时间窗口内的请求数量阈值| |time_window |必选 |时间窗口的大小(以秒为单位),超过这个时间就会重置| |key |必选 |是用来做请求计数的依据,当前接受的 key 有: "remote_addr", "server_addr", "http_x_real_ip", "http_x_forwarded_for"。| -|rejected_code |可选 |T当请求超过阈值被拒绝时,返回的 HTTP 状态码,默认是 503| +|rejected_code |可选 |T当请求超过阈值被拒绝时,返回的 HTTP 状态码,默认 503。| |policy |可选 |用于检索和增加限制的速率限制策略。可选的值有:`local`(计数器被以内存方式保存在节点本地,默认选项) 和 `redis`(计数器保存在 Redis 服务节点上,从而可以跨节点共享结果,通常用它来完成全局限速).| |redis_host |可选 |当使用 `redis` 限速策略时,该属性是 Redis 服务节点的地址。| |redis_port |可选 |当使用 `redis` 限速策略时,该属性是 Redis 服务节点的端口,默认端口 6379。| |redis_password|可选 |当使用 `redis` 限速策略时,该属性是 Redis 服务节点的密码。| |redis_timeout |可选 |当使用 `redis` 限速策略时,该属性是 Redis 服务节点以毫秒为单位的超时时间,默认是 1000 ms(1 秒)。| + +**key 是可以被用户自定义的,只需要修改插件的一行代码即可完成。并没有在插件中放开是处于安全的考虑。** + ### 示例 #### 开启插件 @@ -66,10 +69,10 @@ curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335 ``` 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 route: -![添加路由](../images/plugin/limit-count-1.png) +![添加路由](../../images/plugin/limit-count-1.png) 然后在 route 页面中添加 limit-count 插件: -![添加插件](../images/plugin/limit-count-2.png) +![添加插件](../../images/plugin/limit-count-2.png) 如果你需要一个集群级别的流量控制,我们可以借助 redis server 来完成。不同的 APISIX 节点之间将共享流量限速结果,实现集群流量限速。 diff --git a/doc/plugins/limit-req-cn.md b/doc/zh-cn/plugins/limit-req.md similarity index 75% rename from doc/plugins/limit-req-cn.md rename to doc/zh-cn/plugins/limit-req.md index b05148ca736a4..420359e2a4225 100644 --- a/doc/plugins/limit-req-cn.md +++ b/doc/zh-cn/plugins/limit-req.md @@ -17,7 +17,7 @@ # --> -# [English](limit-req.md) +# [English](../../plugins/limit-req.md) # limit-req @@ -25,10 +25,14 @@ ## 参数 -* `rate`:指定的请求速率(以秒为单位),请求速率超过 `rate` 但没有超过 (`rate` + `brust`)的请求会被加上延时 -* `burst`:请求速率超过 (`rate` + `brust`)的请求会被直接拒绝 -* `rejected_code`:当请求超过阈值被拒绝时,返回的 HTTP 状态码 -* `key`:是用来做请求计数的依据,当前接受的 key 有:"remote_addr"(客户端IP地址), "server_addr"(服务端 IP 地址), 请求头中的"X-Forwarded-For" 或 "X-Real-IP"。 +|名称 |可选项 |描述| +|--------- |--------|-----------| +|rate |必选|指定的请求速率(以秒为单位),请求速率超过 `rate` 但没有超过 (`rate` + `brust`)的请求会被加上延时。| +|burst |必选|请求速率超过 (`rate` + `brust`)的请求会被直接拒绝。| +| key |必选|是用来做请求计数的依据,当前接受的 key 有:"remote_addr"(客户端IP地址), "server_addr"(服务端 IP 地址), 请求头中的"X-Forwarded-For" 或 "X-Real-IP"。| +|rejected_code |可选|当请求超过阈值被拒绝时,返回的 HTTP 状态码,默认 503。| + +**key 是可以被用户自定义的,只需要修改插件的一行代码即可完成。并没有在插件中放开是处于安全的考虑。** ## 示例 @@ -60,11 +64,11 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 route: -![添加路由](../images/plugin/limit-req-1.png) +![添加路由](../../images/plugin/limit-req-1.png) 然后在 route 页面中添加 limit-req 插件: -![添加插件](../images/plugin/limit-req-2.png) +![添加插件](../../images/plugin/limit-req-2.png) ### 测试插件 diff --git a/doc/plugins/mqtt-proxy-cn.md b/doc/zh-cn/plugins/mqtt-proxy.md similarity index 98% rename from doc/plugins/mqtt-proxy-cn.md rename to doc/zh-cn/plugins/mqtt-proxy.md index 141e99897e262..d55a7d391d8e0 100644 --- a/doc/plugins/mqtt-proxy-cn.md +++ b/doc/zh-cn/plugins/mqtt-proxy.md @@ -17,7 +17,7 @@ # --> -[English](mqtt-proxy.md) +[English](../../plugins/mqtt-proxy.md) # 目录 diff --git a/doc/zh-cn/plugins/oauth.md b/doc/zh-cn/plugins/oauth.md new file mode 100644 index 0000000000000..3c6d0ec23ff13 --- /dev/null +++ b/doc/zh-cn/plugins/oauth.md @@ -0,0 +1,129 @@ + + +# 目录 + +- [**定义**](#定义) +- [**属性列表**](#属性列表) +- [**令牌自省**](#令牌自省) + +## 定义 + +OAuth 2 / Open ID Connect(OIDC)插件为 APISIX 提供身份验证和自省功能。 + +## 属性列表 + +|名称 |必选项 |描述| +|------- |----- |------| +|client_id |必要的 |OAuth 客户端 ID| +|client_secret |必要的 |OAuth 客户端 secret| +|discovery |必要的 |身份服务器的发现端点的 URL| +|realm |可选的 |用于认证的领域; 默认为apisix| +|bearer_only |可选的 |设置为“true”将检查请求中带有承载令牌的授权标头; 默认为`false`| +|logout_path |可选的 |默认是`/logout`| +|redirect_uri |可选的 |默认是 `ngx.var.request_uri`| +|timeout |可选的 |默认是 3 秒| +|ssl_verify |可选的 |默认是 `false`| +|introspection_endpoint |可选的 |身份服务器的令牌验证端点的 URL| +|introspection_endpoint_auth_method |可选的 |令牌自省的认证方法名称 | +|public_key |可选的 |验证令牌的公钥 | +|token_signing_alg_values_expected |可选的 |用于对令牌进行签名的算法 | + +### 令牌自省 + +令牌自省通过针对 Oauth 2 授权服务器验证令牌来帮助验证请求。 +前提条件是,您应该在身份服务器中创建受信任的客户端,并生成用于自省的有效令牌(JWT)。 +下图显示了通过网关进行令牌自省的示例(成功)流程。 + +![token introspection](../../images/plugin/oauth-1.png) + +以下是 curl 命令,用于将插件启用到外部服务。 +通过自省请求标头中提供的令牌,此路由将保护 https://httpbin.org/get(echo 服务)。 + +```bash +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri":"/get", + "plugins":{ + "proxy-rewrite":{ + "scheme":"https" + }, + "openid-connect":{ + "client_id":"api_six_client_id", + "client_secret":"client_secret_code", + "discovery":"full_URL_of_the_discovery_endpoint", + "introspection_endpoint":"full_URL_of_introspection_endpoint", + "bearer_only":true, + "realm":"master", + "introspection_endpoint_auth_method":"client_secret_basic" + } + }, + "upstream":{ + "type":"roundrobin", + "nodes":{ + "httpbin.org:443":1 + } + } +}' +``` + +以下命令可用于访问新路由。 + +```bash +curl -i -X GET http://127.0.0.1:9080/get -H "Host: httpbin.org" -H "Authorization: Bearer {replace_jwt_token}" +``` + +#### 公钥自省 + +您还可以提供 JWT 令牌的公钥来验证令牌。 如果您提供了公共密钥和令牌自省端点,则将执行公共密钥工作流,而不是通过身份服务器进行验证。如果要减少额外的网络呼叫并加快过程,可以使用此方法。 + +以下配置显示了如何向路由添加公钥自省。 + +```bash +curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri":"/get", + "plugins":{ + "proxy-rewrite":{ + "scheme":"https" + }, + "openid-connect":{ + "client_id":"api_six_client_id", + "client_secret":"client_secret_code", + "discovery":"full_URL_of_the_discovery_endpoint", + "bearer_only":true, + "realm":"master", + "token_signing_alg_values_expected":"RS256", + "public_key":"-----BEGIN CERTIFICATE----- + {public_key} + -----END CERTIFICATE-----" + } + }, + "upstream":{ + "type":"roundrobin", + "nodes":{ + "httpbin.org:443":1 + } + } +}' +``` + +## 故障排除 + +如果 APISIX 无法解析/连接到身份提供者,请检查/修改DNS设置(`conf / config.yaml`)。 diff --git a/doc/plugins/prometheus-cn.md b/doc/zh-cn/plugins/prometheus.md similarity index 93% rename from doc/plugins/prometheus-cn.md rename to doc/zh-cn/plugins/prometheus.md index 1dd814285cf11..946d113d10a6c 100644 --- a/doc/plugins/prometheus-cn.md +++ b/doc/zh-cn/plugins/prometheus.md @@ -17,7 +17,7 @@ # --> -[English](prometheus.md) +[English](../../plugins/prometheus.md) # prometheus @@ -51,11 +51,11 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 route: -![](../images/plugin/prometheus-1.png) +![](../../images/plugin/prometheus-1.png) 然后在 route 页面中添加 prometheus 插件: -![](../images/plugin/prometheus-2.png) +![](../../images/plugin/prometheus-2.png) ## 如何提取指标数据 @@ -78,9 +78,9 @@ scrape_configs: 我们也可以在 prometheus 控制台中去检查状态: -![](../../doc/images/plugin/prometheus01.png) +![](../../images/plugin/prometheus01.png) -![](../../doc/images/plugin/prometheus02.png) +![](../../images/plugin/prometheus02.png) ### Grafana 面板 @@ -89,11 +89,11 @@ scrape_configs: 你可以到 [Grafana meta](https://grafana.com/grafana/dashboards/11719) 下载 `Grafana` 元数据. -![](../../doc/images/plugin/grafana_1.png) +![](../../images/plugin/grafana_1.png) -![](../../doc/images/plugin/grafana_2.png) +![](../../images/plugin/grafana_2.png) -![](../../doc/images/plugin/grafana_3.png) +![](../../images/plugin/grafana_3.png) ### 可有的指标 diff --git a/doc/plugins/proxy-cache-cn.md b/doc/zh-cn/plugins/proxy-cache.md similarity index 94% rename from doc/plugins/proxy-cache-cn.md rename to doc/zh-cn/plugins/proxy-cache.md index 95f3bdaf7d0f4..9381ea883ae9f 100644 --- a/doc/plugins/proxy-cache-cn.md +++ b/doc/zh-cn/plugins/proxy-cache.md @@ -17,7 +17,7 @@ # --> -[English](proxy-cache.md) +[English](../../plugins/proxy-cache.md) # proxy-cache @@ -48,7 +48,7 @@ 示例1:为特定路由启用 `proxy-cache` 插件: ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "plugins": { "proxy-cache": { @@ -130,7 +130,7 @@ Server: APISIX web server 移除插件配置中相应的 JSON 配置可立即禁用该插件,无需重启服务: ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uri": "/hello", "plugins": {}, diff --git a/doc/plugins/proxy-mirror-cn.md b/doc/zh-cn/plugins/proxy-mirror.md similarity index 89% rename from doc/plugins/proxy-mirror-cn.md rename to doc/zh-cn/plugins/proxy-mirror.md index 4b3f0730cc210..e4c4d3d3b77b8 100644 --- a/doc/plugins/proxy-mirror-cn.md +++ b/doc/zh-cn/plugins/proxy-mirror.md @@ -17,7 +17,7 @@ # --> -[English](proxy-mirror.md) +[English](../../plugins/proxy-mirror.md) # proxy-mirror @@ -38,7 +38,7 @@ 示例1:为特定路由启用 `proxy-mirror` 插件: ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "plugins": { "proxy-mirror": { @@ -77,7 +77,7 @@ hello world 移除插件配置中相应的 JSON 配置可立即禁用该插件,无需重启服务: ```shell -curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d ' +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uri": "/hello", "plugins": {}, diff --git a/doc/plugins/proxy-rewrite-cn.md b/doc/zh-cn/plugins/proxy-rewrite.md similarity index 98% rename from doc/plugins/proxy-rewrite-cn.md rename to doc/zh-cn/plugins/proxy-rewrite.md index f714ad5f4f5b3..45a6c95040ea5 100644 --- a/doc/plugins/proxy-rewrite-cn.md +++ b/doc/zh-cn/plugins/proxy-rewrite.md @@ -17,7 +17,7 @@ # --> -[English](proxy-rewrite.md) +[English](../../plugins/proxy-rewrite.md) # proxy-rewrite 上游代理信息重写插件。 diff --git a/doc/plugins/redirect-cn.md b/doc/zh-cn/plugins/redirect.md similarity index 74% rename from doc/plugins/redirect-cn.md rename to doc/zh-cn/plugins/redirect.md index ba7d94ce35eb6..ead153a444212 100644 --- a/doc/plugins/redirect-cn.md +++ b/doc/zh-cn/plugins/redirect.md @@ -17,7 +17,7 @@ # --> -[English](redirect.md) +[English](../../plugins/redirect.md) # redirect @@ -27,8 +27,9 @@ URI 重定向插件。 |名称 |必须|描述| |------- |-----|------| -|uri |是| 可以包含 Nginx 变量的 URI,例如:`/test/index.html`, `$uri/index.html`。你可以通过类似于 `$ {xxx}` 的方式引用变量,以避免产生歧义,例如:`${uri}foo/index.html`。若你需要保留 `$` 字符,那么使用如下格式:`/\$foo/index.html`。| -|ret_code|否|请求响应码,默认值为 `302`。| +|uri |是,与 `http_to_https` 二选一| 可以包含 Nginx 变量的 URI,例如:`/test/index.html`, `$uri/index.html`。你可以通过类似于 `$ {xxx}` 的方式引用变量,以避免产生歧义,例如:`${uri}foo/index.html`。若你需要保留 `$` 字符,那么使用如下格式:`/\$foo/index.html`。| +|ret_code|否,只和 `uri` 配置使用。|请求响应码,默认值为 `302`。| +|http_to_https|是,与 `uri` 二选一|布尔值,默认是 `false`。当设置为 `ture` 并且请求是 http 时,会自动 301 重定向为 https,uri 保持不变| ### 示例 @@ -94,6 +95,21 @@ Location: /test/default.html 我们可以检查响应码和响应头中的 `Location` 参数,它表示该插件已启用。 +``` + +下面是一个实现 http 到 https 跳转的示例: +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "uri": "/hello", + "plugins": { + "redirect": { + "http_to_https": true + } + } +}' +``` + #### 禁用插件 移除插件配置中相应的 JSON 配置可立即禁用该插件,无需重启服务: diff --git a/doc/plugins/response-rewrite-cn.md b/doc/zh-cn/plugins/response-rewrite.md similarity index 91% rename from doc/plugins/response-rewrite-cn.md rename to doc/zh-cn/plugins/response-rewrite.md index aa79bc2c5b9ae..83c5aac51c96c 100644 --- a/doc/plugins/response-rewrite-cn.md +++ b/doc/zh-cn/plugins/response-rewrite.md @@ -17,27 +17,29 @@ # --> -[English](response-rewrite.md) +[English](../../plugins/response-rewrite.md) + # response-rewrite 该插件支持修改上游服务返回的 body 和 header 信息。 使用场景: 1、可以设置 `Access-Control-Allow-*` 等 header 信息,来实现 CORS (跨域资源共享)的功能。 -2、另外也可以通过配置 status_code 和 header 里面的 Location 来实现重定向,当然如果只是需要重定向功能,最好使用 [redirect](redirect-cn.md) 插件。 +2、另外也可以通过配置 status_code 和 header 里面的 Location 来实现重定向,当然如果只是需要重定向功能,最好使用 [redirect](redirect.md) 插件。 + +## 配置参数 -#### 配置参数 |名字 |可选|说明| |------- |-----|------| -|status_code |可选| 修改上游返回状态码| +|status_code |可选| 修改上游返回状态码,默认保留原始响应代码。| |body |可选| 修改上游返回的 `body` 内容,如果设置了新内容,header 里面的 content-length 字段也会被去掉| |body_base64 |可选| 布尔类型,描述 `body` 字段是否需要 base64 解码之后再返回给客户端,用在某些图片和 Protobuffer 场景| |headers |可选| 返回给客户端的 `headers`,这里可以设置多个。头信息如果存在将重写,不存在则添加。想要删除某个 header 的话,把对应的值设置为空字符串即可| +## 示例 -### 示例 +### 开启插件 -#### 开启插件 下面是一个示例,在指定的 route 上开启了 `response rewrite` 插件: ```shell @@ -63,7 +65,8 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1 }' ``` -#### 测试插件 +### 测试插件 + 基于上述配置进行测试: ```shell @@ -71,7 +74,8 @@ curl -X GET -i http://127.0.0.1:9080/test/index.html ``` 如果看到返回的头部信息和内容都被修改了,即表示 `response rewrite` 插件生效了。 -``` + +```shell HTTP/1.1 200 OK Date: Sat, 16 Nov 2019 09:15:12 GMT Transfer-Encoding: chunked diff --git a/doc/plugins/serverless-cn.md b/doc/zh-cn/plugins/serverless.md similarity index 98% rename from doc/plugins/serverless-cn.md rename to doc/zh-cn/plugins/serverless.md index fab9ad9e5a0b7..7ef432662f006 100644 --- a/doc/plugins/serverless-cn.md +++ b/doc/zh-cn/plugins/serverless.md @@ -17,7 +17,7 @@ # --> -[English](serverless.md) +[English](../../plugins/serverless.md) # serverless diff --git a/doc/zh-cn/plugins/skywalking.md b/doc/zh-cn/plugins/skywalking.md new file mode 100644 index 0000000000000..91ae3c1ebffb6 --- /dev/null +++ b/doc/zh-cn/plugins/skywalking.md @@ -0,0 +1,192 @@ + + +[English](../../plugins/skywalking.md) + +# 目录 +- [目录](#目录) + - [名字](#名字) + - [属性](#属性) + - [如何启用](#如何启用) + - [测试插件](#测试插件) + - [运行 Skywalking 实例](#运行-Skywalking-实例) + - [禁用插件](#禁用插件) + - [上游服务是java的SpringBoot示例代码](#上游服务是java的SpringBoot示例代码) + +## 名字 + +`Skywalking`(https://github.com/apache/skywalking) 是一个开源的服务跟踪插件。 + +服务端目前支持http和grpc两种协议,在apisix中目前只支持http协议 + +## 属性 + +* `endpoint`: Skywalking 的 http 节点,例如`http://127.0.0.1:12800`。 +* `sample_ratio`: 监听的比例,最小为0.00001,最大为1。 +* `service_name`: 可选参数,标记当前服务的名称,默认值是`APISIX`。 + +## 如何启用 + +下面是一个示例,在指定的 route 上开启了 skywalking 插件: + +```shell +curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "methods": ["GET"], + "uris": [ + "/uid/*" + ], + "plugins": { + "skywalking": { + "endpoint": "http://10.110.149.175:12800", + "sample_ratio": 1, + "service_name": "APISIX_SERVER" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "10.110.149.175:8089": 1 + } + } +}' +``` + +你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 route: + +![](../../images/plugin/skywalking-1.png) + +然后在 route 页面中添加 skywalking 插件: + +![](../../images/plugin/skywalking-2.png) + +## 测试插件 + +### 运行 Skywalking 实例 + +#### 例子: +1. 启动Skywalking Server: + - 默认使用H2存储,直接启动skywalking即可 + ``` + sudo docker run --name skywalking -d -p 1234:1234 -p 11800:11800 -p 12800:12800 --restart always apache/skywalking-oap-server + ``` + + - 如果使用elasticsearch存储 + 1. 则需要先安装elasticsearch: + ``` + sudo docker run -d --name elasticsearch -p 9200:9200 -p 9300:9300 --restart always -e "discovery.type=single-node" elasticsearch:6.7.2 + + ``` + 2. 安装 ElasticSearch管理界面elasticsearch-hq + ``` + sudo docker run -d --name elastic-hq -p 5000:5000 --restart always elastichq/elasticsearch-hq + ``` + 3. 启动skywalking: + ``` + sudo docker run --name skywalking -d -p 1234:1234 -p 11800:11800 -p 12800:12800 --restart always --link elasticsearch:elasticsearch -e SW_STORAGE=elasticsearch -e SW_STORAGE_ES_CLUSTER_NODES=elasticsearch:9200 apache/skywalking-oap-server + ``` +2. Skywalking管理系统: + 1. 启动管理系统: + ``` + sudo docker run --name skywalking-ui -d -p 8080:8080 --link skywalking:skywalking -e SW_OAP_ADDRESS=skywalking:12800 --restart always apache/skywalking-ui + ``` + 2. 打开管理页面 + 在浏览器里面输入http://10.110.149.175:8080,出现了如下界面,则表示安装成功 + ![](../../images/plugin/skywalking-3.png) + +3. 测试示例: + - 通过访问apisix,访问上游服务 + + ```bash + $ curl -v http://10.110.149.192:9080/uid/12 + HTTP/1.1 200 OK + OK + ... + ``` + - 打开浏览器,访问 Skywalking 的 web 页面: + ``` + http://10.110.149.175:8080/ + ``` + 可以看到访问拓扑图\ + ![](../../images/plugin/skywalking-4.png)\ + 可以看到服务追踪图\ + ![](../../images/plugin/skywalking-5.png) +## 禁用插件 + +当你想去掉插件的时候,很简单,在插件的配置中把对应的 json 配置删除即可,无须重启服务,即刻生效: + +```shell +$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uris": [ + "/uid/*" + ], + "plugins": { + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "10.110.149.175:8089": 1 + } + } +}' +``` + +现在就已经移除了 Skywalking 插件了。其他插件的开启和移除也是同样的方法。 + + +## 上游服务是java的SpringBoot示例代码 + +```java +package com.lenovo.ai.controller; + +import org.springframework.web.bind.annotation.PathVariable; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; +import javax.servlet.http.HttpServletRequest; + +/** + * @author cyxinda + * @create 2020-05-29 14:02 + * @desc skywalking测试中央控制层 + **/ +@RestController +public class TestController { + @RequestMapping("/uid/{count}") + public String getUidList(@PathVariable("count") String countStr, HttpServletRequest request) { + System.out.println("counter:::::"+countStr); + return "OK"; + } +} +``` +启动服务的时候,需要配置skywalking agent, +修改agent/config/agent.config中的配置 +``` +agent.service_name=yourservername +collector.backend_service=10.110.149.175:11800 +``` +启动服务脚本: +``` +nohup java -javaagent:/root/skywalking/app/agent/skywalking-agent.jar \ +-jar /root/skywalking/app/app.jar \ +--server.port=8089 \ +2>&1 > /root/skywalking/app/logs/nohup.log & +``` + diff --git a/doc/zh-cn/plugins/syslog.md b/doc/zh-cn/plugins/syslog.md new file mode 100644 index 0000000000000..486d1606424cb --- /dev/null +++ b/doc/zh-cn/plugins/syslog.md @@ -0,0 +1,105 @@ + + +# 摘要 +- [**定义**](#name) +- [**属性列表**](#attributes) +- [**如何开启**](#how-to-enable) +- [**测试插件**](#test-plugin) +- [**禁用插件**](#disable-plugin) + + +## 定义 + +`sys` 是一个将Log data请求推送到Syslog的插件。 + +这将提供将Log数据请求作为JSON对象发送的功能。 + +## 属性列表 + +|属性名称 |必选项 |描述| +|--------- |-------- |-----------| +|host |必要的 |IP地址或主机名。| +|port |必要的 |目标上游端口。| +|timeout |可选的 |上游发送数据超时。| +|tls |可选的 |布尔值,用于控制是否执行SSL验证。| +|flush_limit |可选的 |如果缓冲的消息的大小加上当前消息的大小达到(> =)此限制(以字节为单位),则缓冲的日志消息将被写入日志服务器。默认为4096(4KB)。| +|drop_limit |可选的 |如果缓冲的消息的大小加上当前消息的大小大于此限制(以字节为单位),则由于缓冲区大小有限,当前的日志消息将被丢弃。默认drop_limit为1048576(1MB)。| +|sock_type|可选的 |用于传输层的IP协议类型。可以是“ tcp”或“ udp”。默认值为“ tcp”。| +|max_retry_times|可选的 |连接到日志服务器失败或将日志消息发送到日志服务器失败后的最大重试次数。| +|retry_interval|可选的 |重试连接到日志服务器或重试向日志服务器发送日志消息之前的时间延迟(以毫秒为单位),默认为100(0.1s)。| +|pool_size |可选的 |sock:keepalive使用的Keepalive池大小。默认为10。| + +## 如何开启 + +1. 下面例子展示了如何为指定路由开启 `sys-logger` 插件的。 + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "username": "foo", + "plugins": { + "plugins": { + "syslog": { + "host" : "127.0.0.1", + "port" : 5044, + "flush_limit" : 1 + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "uri": "/hello" + } +}' +``` + +## 测试插件 + +* 成功的情况: + +```shell +$ curl -i http://127.0.0.1:9080/hello +HTTP/1.1 200 OK +... +hello, world +``` + +## 禁用插件 + + +想要禁用“sys-logger”插件,是非常简单的,将对应的插件配置从json配置删除,就会立即生效,不需要重新启动服务: + +```shell +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' +{ + "methods": ["GET"], + "uri": "/hello", + "plugins": {}, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + } +}' +``` diff --git a/doc/plugins/tcp-logger-cn.md b/doc/zh-cn/plugins/tcp-logger.md similarity index 84% rename from doc/plugins/tcp-logger-cn.md rename to doc/zh-cn/plugins/tcp-logger.md index 27da9ffce738b..652f2afadabbb 100644 --- a/doc/plugins/tcp-logger-cn.md +++ b/doc/zh-cn/plugins/tcp-logger.md @@ -18,19 +18,24 @@ --> # 摘要 + - [**定义**](#name) - [**属性列表**](#attributes) - [**如何开启**](#how-to-enable) - [**测试插件**](#test-plugin) - [**禁用插件**](#disable-plugin) - ## 定义 `tcp-logger` 是用于将日志数据发送到TCP服务的插件。 以实现将日志数据以JSON格式发送到监控工具或其它TCP服务的能力。 +该插件提供了将Log Data作为批处理推送到外部TCP服务器的功能。如果您没有收到日志数据,请放心一些时间,它会在我们的批处理处理器中的计时器功能到期后自动发送日志。 + +有关Apache APISIX中Batch-Processor的更多信息,请参考。 +[Batch-Processor](../batch-processor.md) + ## 属性列表 |属性名称 |必选项 |描述| @@ -41,7 +46,6 @@ | tls |可选的|布尔值,用于控制是否执行SSL验证。| | tls_options |可选的|TLS 选项| - ## 如何开启 1. 下面例子展示了如何为指定路由开启 `tcp-logger` 插件的。 @@ -79,11 +83,10 @@ hello, world ## 禁用插件 - 想要禁用“tcp-logger”插件,是非常简单的,将对应的插件配置从json配置删除,就会立即生效,不需要重新启动服务: ```shell -$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "methods": ["GET"], "uri": "/hello", diff --git a/doc/plugins/udp-logger-cn.md b/doc/zh-cn/plugins/udp-logger.md similarity index 84% rename from doc/plugins/udp-logger-cn.md rename to doc/zh-cn/plugins/udp-logger.md index 148a2afd52422..f129dc2f8b645 100644 --- a/doc/plugins/udp-logger-cn.md +++ b/doc/zh-cn/plugins/udp-logger.md @@ -18,19 +18,24 @@ --> # 摘要 + - [**定义**](#name) - [**属性列表**](#attributes) - [**如何开启**](#how-to-enable) - [**测试插件**](#test-plugin) - [**禁用插件**](#disable-plugin) - ## 定义 `udp-logger` 是用于将日志数据发送到UDP服务的插件。 以实现将日志数据以JSON格式发送到监控工具或其它UDP服务的能力。 +此插件提供了将批处理数据批量推送到外部UDP服务器的功能。如果您没有收到日志数据,请放心一些时间,它会在我们的批处理处理器中的计时器功能到期后自动发送日志 + +有关Apache APISIX中Batch-Processor的更多信息,请参考。 +[Batch-Processor](../../batch-processor.md) + ## 属性列表 |属性名称 |必选项 |描述| @@ -39,7 +44,6 @@ | port |必要的| 目标端口。| | timeout |可选的|发送数据超时间。| - ## 如何开启 1. 下面例子展示了如何为指定路由开启 `udp-logger` 插件的。 @@ -77,11 +81,10 @@ hello, world ## 禁用插件 - 想要禁用“udp-logger”插件,是非常简单的,将对应的插件配置从json配置删除,就会立即生效,不需要重新启动服务: ```shell -$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "methods": ["GET"], "uri": "/hello", diff --git a/doc/plugins/wolf-rbac-cn.md b/doc/zh-cn/plugins/wolf-rbac.md similarity index 98% rename from doc/plugins/wolf-rbac-cn.md rename to doc/zh-cn/plugins/wolf-rbac.md index 1b9996c91eccc..0ed3f5cd42fc3 100644 --- a/doc/plugins/wolf-rbac-cn.md +++ b/doc/zh-cn/plugins/wolf-rbac.md @@ -17,7 +17,7 @@ # --> -[English](wolf-rbac.md) +[English](../../plugins/wolf-rbac.md) # 目录 @@ -70,10 +70,10 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f ``` 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 consumer: -![](../images/plugin/wolf-rbac-1.png) +![](../../images/plugin/wolf-rbac-1.png) 然后在 consumer 页面中添加 wolf-rbac 插件: -![](../images/plugin/wolf-rbac-2.png) +![](../../images/plugin/wolf-rbac-2.png) 注意: 上面填写的 `appid` 需要在wolf控制台中已经存在的. diff --git a/doc/plugins/zipkin-cn.md b/doc/zh-cn/plugins/zipkin.md similarity index 93% rename from doc/plugins/zipkin-cn.md rename to doc/zh-cn/plugins/zipkin.md index ad53dc2aa569b..fb7fc096a34ca 100644 --- a/doc/plugins/zipkin-cn.md +++ b/doc/zh-cn/plugins/zipkin.md @@ -17,7 +17,7 @@ # --> -[English](zipkin.md) +[English](../../plugins/zipkin.md) # 目录 - [**名字**](#名字) @@ -67,11 +67,11 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 route: -![](../images/plugin/zipkin-1.png) +![](../../images/plugin/zipkin-1.png) 然后在 route 页面中添加 zipkin 插件: -![](../images/plugin/zipkin-2.png) +![](../../images/plugin/zipkin-2.png) ## 测试插件 @@ -97,16 +97,16 @@ HTTP/1.1 200 OK http://127.0.0.1:9411/zipkin ``` -![](../../doc/images/plugin/zipkin-1.jpg) +![](../../images/plugin/zipkin-1.jpg) -![](../../doc/images/plugin/zipkin-2.jpg) +![](../../images/plugin/zipkin-2.jpg) ## 禁用插件 当你想去掉插件的时候,很简单,在插件的配置中把对应的 json 配置删除即可,无须重启服务,即刻生效: ```shell -$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' +$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value=' { "methods": ["GET"], "uri": "/index.html", diff --git a/doc/profile-cn.md b/doc/zh-cn/profile.md similarity index 100% rename from doc/profile-cn.md rename to doc/zh-cn/profile.md diff --git a/doc/stand-alone-cn.md b/doc/zh-cn/stand-alone.md similarity index 99% rename from doc/stand-alone-cn.md rename to doc/zh-cn/stand-alone.md index 0da4b09120023..34127ce0c2de7 100644 --- a/doc/stand-alone-cn.md +++ b/doc/zh-cn/stand-alone.md @@ -17,7 +17,7 @@ # --> -[English](stand-alone.md) +[English](../stand-alone.md) ## Stand-alone mode diff --git a/doc/stream-proxy-cn.md b/doc/zh-cn/stream-proxy.md similarity index 96% rename from doc/stream-proxy-cn.md rename to doc/zh-cn/stream-proxy.md index 0a413d73b3bf5..afb9fd2988262 100644 --- a/doc/stream-proxy-cn.md +++ b/doc/zh-cn/stream-proxy.md @@ -17,7 +17,7 @@ # --> -[English](stream-proxy.md) +[English](../stream-proxy.md) # Stream 代理 @@ -59,7 +59,7 @@ curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f03 ``` 例子中 APISIX 对客户端IP为 `127.0.0.1` 的请求代理转发到上游主机 `127.0.0.1:1995`。 -更多用例,请参照 [test case](../t/stream-node/sanity.t). +更多用例,请参照 [test case](../../t/stream-node/sanity.t). ## 更多限制选项 diff --git a/kubernetes/README.md b/kubernetes/README.md index 3d914e7d3046d..30f299d99415b 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -16,6 +16,12 @@ # limitations under the License. # --> +### kubernetes + +There are some yaml files for deploying apisix in Kubernetes. + +### Prerequisites +- Install etcd ### Usage diff --git a/kubernetes/apisix-gw-config-cm.yaml b/kubernetes/apisix-gw-config-cm.yaml index 67833f09a21e5..05c554e2aa385 100644 --- a/kubernetes/apisix-gw-config-cm.yaml +++ b/kubernetes/apisix-gw-config-cm.yaml @@ -144,6 +144,7 @@ data: - fault-injection - udp-logger - wolf-rbac + - consumer-restriction stream_plugins: - mqtt-proxy diff --git a/rockspec/apisix-1.3-0.rockspec b/rockspec/apisix-1.3-0.rockspec new file mode 100644 index 0000000000000..99dddc51f4a1d --- /dev/null +++ b/rockspec/apisix-1.3-0.rockspec @@ -0,0 +1,72 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +package = "apisix" +version = "1.3-0" +supported_platforms = {"linux", "macosx"} + +source = { + url = "git://github.com/apache/incubator-apisix", + tag = "1.3", +} + +description = { + summary = "Apache APISIX(incubating) is a cloud-native microservices API gateway, delivering the ultimate performance, security, open source and scalable platform for all your APIs and microservices.", + homepage = "https://github.com/apache/incubator-apisix", + license = "Apache License 2.0", +} + +dependencies = { + "lua-resty-template = 1.9", + "lua-resty-etcd = 0.9", + "lua-resty-balancer = 0.02rc5", + "lua-resty-ngxvar = 0.5", + "lua-resty-jit-uuid = 0.0.7", + "lua-resty-healthcheck-api7 = 2.2.0", + "lua-resty-jwt = 0.2.0", + "lua-resty-cookie = 0.1.0", + "lua-resty-session = 2.24", + "opentracing-openresty = 0.1", + "lua-resty-radixtree = 1.8", + "lua-protobuf = 0.3.1", + "lua-resty-openidc = 1.7.2-1", + "luafilesystem = 1.7.0-2", + "lua-tinyyaml = 0.1", + "lua-resty-prometheus = 1.0", + "jsonschema = 0.8", + "lua-resty-ipmatcher = 0.6", + "lua-resty-kafka = 0.07", + "lua-resty-logger-socket = 2.0-0", +} + +build = { + type = "make", + build_variables = { + CFLAGS="$(CFLAGS)", + LIBFLAG="$(LIBFLAG)", + LUA_LIBDIR="$(LUA_LIBDIR)", + LUA_BINDIR="$(LUA_BINDIR)", + LUA_INCDIR="$(LUA_INCDIR)", + LUA="$(LUA)", + }, + install_variables = { + INST_PREFIX="$(PREFIX)", + INST_BINDIR="$(BINDIR)", + INST_LIBDIR="$(LIBDIR)", + INST_LUADIR="$(LUADIR)", + INST_CONFDIR="$(CONFDIR)", + }, +} diff --git a/rockspec/apisix-1.4-0.rockspec b/rockspec/apisix-1.4-0.rockspec new file mode 100644 index 0000000000000..f9bb44d0ef270 --- /dev/null +++ b/rockspec/apisix-1.4-0.rockspec @@ -0,0 +1,74 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +package = "apisix" +version = "1.4-0" +supported_platforms = {"linux", "macosx"} + +source = { + url = "git://github.com/apache/incubator-apisix", + tag = "1.4", +} + +description = { + summary = "Apache APISIX(incubating) is a cloud-native microservices API gateway, delivering the ultimate performance, security, open source and scalable platform for all your APIs and microservices.", + homepage = "https://github.com/apache/incubator-apisix", + license = "Apache License 2.0", +} + +dependencies = { + "lua-resty-template = 1.9", + "lua-resty-etcd = 1.0", + "lua-resty-balancer = 0.02rc5", + "lua-resty-ngxvar = 0.5", + "lua-resty-jit-uuid = 0.0.7", + "lua-resty-healthcheck-api7 = 2.2.0", + "lua-resty-jwt = 0.2.0", + "lua-resty-cookie = 0.1.0", + "lua-resty-session = 2.24", + "opentracing-openresty = 0.1", + "lua-resty-radixtree = 1.9", + "lua-protobuf = 0.3.1", + "lua-resty-openidc = 1.7.2-1", + "luafilesystem = 1.7.0-2", + "lua-tinyyaml = 0.1", + "lua-resty-prometheus = 1.1", + "jsonschema = 0.8", + "lua-resty-ipmatcher = 0.6", + "lua-resty-kafka = 0.07", + "lua-resty-logger-socket = 2.0-0", + "skywalking-nginx-lua-plugin = 1.0-0", +} + +build = { + type = "make", + build_variables = { + CFLAGS="$(CFLAGS)", + LIBFLAG="$(LIBFLAG)", + LUA_LIBDIR="$(LUA_LIBDIR)", + LUA_BINDIR="$(LUA_BINDIR)", + LUA_INCDIR="$(LUA_INCDIR)", + LUA="$(LUA)", + }, + install_variables = { + INST_PREFIX="$(PREFIX)", + INST_BINDIR="$(BINDIR)", + INST_LIBDIR="$(LIBDIR)", + INST_LUADIR="$(LUADIR)", + INST_CONFDIR="$(CONFDIR)", + }, +} diff --git a/rockspec/apisix-master-0.rockspec b/rockspec/apisix-master-0.rockspec index f52af72a14c61..ef09a66e197e7 100644 --- a/rockspec/apisix-master-0.rockspec +++ b/rockspec/apisix-master-0.rockspec @@ -32,7 +32,7 @@ description = { dependencies = { "lua-resty-template = 1.9", - "lua-resty-etcd = 0.9", + "lua-resty-etcd = 1.0", "lua-resty-balancer = 0.02rc5", "lua-resty-ngxvar = 0.5", "lua-resty-jit-uuid = 0.0.7", @@ -41,15 +41,17 @@ dependencies = { "lua-resty-cookie = 0.1.0", "lua-resty-session = 2.24", "opentracing-openresty = 0.1", - "lua-resty-radixtree = 1.8", + "lua-resty-radixtree = 2.0", "lua-protobuf = 0.3.1", "lua-resty-openidc = 1.7.2-1", "luafilesystem = 1.7.0-2", "lua-tinyyaml = 0.1", - "lua-resty-prometheus = 1.0", + "lua-resty-prometheus = 1.1", "jsonschema = 0.8", "lua-resty-ipmatcher = 0.6", "lua-resty-kafka = 0.07", + "lua-resty-logger-socket = 2.0-0", + "skywalking-nginx-lua-plugin = 1.0-0", } build = { diff --git a/t/APISIX.pm b/t/APISIX.pm index b8aa664bf9419..0b93fb28064fd 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm @@ -72,11 +72,21 @@ if ($enable_local_dns) { my $yaml_config = read_file("conf/config.yaml"); my $ssl_crt = read_file("conf/cert/apisix.crt"); my $ssl_key = read_file("conf/cert/apisix.key"); +my $test2_crt = read_file("conf/cert/test2.crt"); +my $test2_key = read_file("conf/cert/test2.key"); $yaml_config =~ s/node_listen: 9080/node_listen: 1984/; $yaml_config =~ s/enable_heartbeat: true/enable_heartbeat: false/; $yaml_config =~ s/ # stream_proxy:/ stream_proxy:\n tcp:\n - 9100/; $yaml_config =~ s/admin_key:/disable_admin_key:/; +my $etcd_enable_auth = $ENV{"ETCD_ENABLE_AUTH"} || "false"; + +if ($etcd_enable_auth eq "true") { + $yaml_config =~ s/ # user:/ user:/; + $yaml_config =~ s/ # password:/ password:/; +} + + my $profile = $ENV{"APISIX_PROFILE"}; @@ -100,7 +110,7 @@ add_block_preprocessor(sub { my $main_config = $block->main_config // <<_EOC_; worker_rlimit_core 500M; -working_directory $apisix_home; +env ENABLE_ETCD_AUTH; env APISIX_PROFILE; _EOC_ @@ -199,6 +209,7 @@ _EOC_ lua_shared_dict upstream-healthcheck 32m; lua_shared_dict worker-events 10m; lua_shared_dict lrucache-lock 10m; + lua_shared_dict skywalking-tracing-buffer 100m; resolver $dns_addrs_str; resolver_timeout 5; @@ -417,6 +428,10 @@ $user_yaml_config $ssl_crt >>> ../conf/cert/apisix.key $ssl_key +>>> ../conf/cert/test2.crt +$test2_crt +>>> ../conf/cert/test2.key +$test2_key $user_apisix_yaml _EOC_ diff --git a/t/admin/balancer.t b/t/admin/balancer.t index 0be70dbd47bff..1afcedafa214a 100644 --- a/t/admin/balancer.t +++ b/t/admin/balancer.t @@ -26,17 +26,20 @@ add_block_preprocessor(sub { my $init_by_lua_block = <<_EOC_; require "resty.core" apisix = require("apisix") + core = require("apisix.core") apisix.http_init() function test(route, ctx, count) local balancer = require("apisix.balancer") local res = {} for i = 1, count or 12 do - local host, port, err = balancer.pick_server(route, ctx) + local server, err = balancer.pick_server(route, ctx) if err then ngx.say("failed: ", err) end - res[host] = (res[host] or 0) + 1 + + core.log.warn("host: ", server.host, " port: ", server.port) + res[server.host] = (res[server.host] or 0) + 1 end local keys = {} @@ -61,20 +64,18 @@ __DATA__ --- config location /t { content_by_lua_block { - local route = { - value = { - upstream = { - nodes = { - ["39.97.63.215:80"] = 1, - ["39.97.63.216:81"] = 1, - ["39.97.63.217:82"] = 1, - }, - type = "roundrobin", - }, - id = 1 - } + local up_conf = { + type = "roundrobin", + nodes = { + {host = "39.97.63.215", port = 80, weight = 1}, + {host = "39.97.63.216", port = 81, weight = 1}, + {host = "39.97.63.217", port = 82, weight = 1}, } + } local ctx = {conf_version = 1} + ctx.upstream_conf = up_conf + ctx.upstream_version = "ver" + ctx.upstream_key = up_conf.type .. "#route_" .. "id" test(route, ctx) } @@ -94,23 +95,18 @@ host: 39.97.63.217 count: 4 --- config location /t { content_by_lua_block { - local core = require("apisix.core") - local balancer = require("apisix.balancer") - - local route = { - value = { - upstream = { - nodes = { - ["39.97.63.215:80"] = 1, - ["39.97.63.216:81"] = 2, - ["39.97.63.217:82"] = 3, - }, - type = "roundrobin", - }, - id = 1 - } + local up_conf = { + type = "roundrobin", + nodes = { + {host = "39.97.63.215", port = 80, weight = 1}, + {host = "39.97.63.216", port = 81, weight = 2}, + {host = "39.97.63.217", port = 82, weight = 3}, } + } local ctx = {conf_version = 1} + ctx.upstream_conf = up_conf + ctx.upstream_version = "ver" + ctx.upstream_key = up_conf.type .. "#route_" .. "id" test(route, ctx) } @@ -130,33 +126,30 @@ host: 39.97.63.217 count: 6 --- config location /t { content_by_lua_block { - local balancer = require("apisix.balancer") - - local route = { - value = { - upstream = { - nodes = { - ["39.97.63.215:80"] = 1, - ["39.97.63.216:81"] = 1, - ["39.97.63.217:82"] = 1, - }, - type = "roundrobin", - }, - id = 1 - } + local up_conf = { + type = "roundrobin", + nodes = { + {host = "39.97.63.215", port = 80, weight = 1}, + {host = "39.97.63.216", port = 81, weight = 1}, + {host = "39.97.63.217", port = 82, weight = 1}, } - local ctx = {conf_version = 1} + } + local ctx = {} + ctx.upstream_conf = up_conf + ctx.upstream_version = 1 + ctx.upstream_key = up_conf.type .. "#route_" .. "id" test(route, ctx) -- cached by version - route.value.upstream.nodes = { - ["39.97.63.218:83"] = 1, + up_conf.nodes = { + {host = "39.97.63.218", port = 80, weight = 1}, + {host = "39.97.63.219", port = 80, weight = 0}, } test(route, ctx) -- update, version changed - ctx = {conf_version = 2} + ctx.upstream_version = 2 test(route, ctx) } } @@ -179,37 +172,33 @@ host: 39.97.63.218 count: 12 --- config location /t { content_by_lua_block { - local route = { - value = { - upstream = { - nodes = { - ["39.97.63.215:80"] = 1, - ["39.97.63.216:81"] = 1, - ["39.97.63.217:82"] = 1, - }, - type = "chash", - key = "remote_addr", - }, - id = 1 - } + local up_conf = { + type = "chash", + key = "remote_addr", + nodes = { + {host = "39.97.63.215", port = 80, weight = 1}, + {host = "39.97.63.216", port = 81, weight = 1}, + {host = "39.97.63.217", port = 82, weight = 1}, } + } local ctx = { - conf_version = 1, - var = { - remote_addr = "127.0.0.1" - } + var = {remote_addr = "127.0.0.1"}, } + ctx.upstream_conf = up_conf + ctx.upstream_version = 1 + ctx.upstream_key = up_conf.type .. "#route_" .. "id" test(route, ctx) -- cached by version - route.value.upstream.nodes = { - ["39.97.63.218:83"] = 1, + up_conf.nodes = { + {host = "39.97.63.218", port = 80, weight = 1}, + {host = "39.97.63.219", port = 80, weight = 0}, } test(route, ctx) -- update, version changed - ctx.conf_version = 2 + ctx.upstream_version = 2 test(route, ctx) } } @@ -221,3 +210,41 @@ host: 39.97.63.215 count: 12 host: 39.97.63.218 count: 12 --- no_error_log [error] + + + +=== TEST 5: return item directly if only have one item in `nodes` +--- config + location /t { + content_by_lua_block { + local up_conf = { + type = "roundrobin", + nodes = { + {host = "39.97.63.215", port = 80, weight = 1}, + {host = "39.97.63.216", port = 81, weight = 1}, + {host = "39.97.63.217", port = 82, weight = 1}, + } + } + local ctx = {} + ctx.upstream_conf = up_conf + ctx.upstream_version = 1 + ctx.upstream_key = up_conf.type .. "#route_" .. "id" + + test(route, ctx) + + -- one item in nodes, return it directly + up_conf.nodes = { + {host = "39.97.63.218", port = 80, weight = 1}, + } + test(route, ctx) + } + } +--- request +GET /t +--- response_body +host: 39.97.63.215 count: 4 +host: 39.97.63.216 count: 4 +host: 39.97.63.217 count: 4 +host: 39.97.63.218 count: 12 +--- no_error_log +[error] diff --git a/t/admin/global-rules.t b/t/admin/global-rules.t index aa7a0c600ea1d..2cda952f205cd 100644 --- a/t/admin/global-rules.t +++ b/t/admin/global-rules.t @@ -164,16 +164,17 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/global_rules/1/plugins', + local code, body = t('/apisix/admin/global_rules/1', ngx.HTTP_PATCH, [[{ + "plugins": { "limit-count": { "count": 3, "time_window": 60, "rejected_code": 503, "key": "remote_addr" } - }]], + }}]], [[{ "node": { "value": { @@ -308,3 +309,59 @@ GET /t {"error_msg":"invalid configuration: property \"plugins\" is required"} --- no_error_log [error] + + + +=== TEST 9: string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/global_rules/a-b-c-ABC_0123', + ngx.HTTP_PUT, + [[{ + "plugins": { + "limit-count": { + "count": 2, + "time_window": 60, + "rejected_code": 503, + "key": "remote_addr" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 10: string id(DELETE) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/global_rules/a-b-c-ABC_0123', + ngx.HTTP_DELETE + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] diff --git a/t/admin/plugins.t b/t/admin/plugins.t index 11939872ff4c0..784b5d23cef76 100644 --- a/t/admin/plugins.t +++ b/t/admin/plugins.t @@ -30,7 +30,7 @@ __DATA__ --- request GET /apisix/admin/plugins/list --- response_body_like eval -qr/\["limit-req","limit-count","limit-conn","key-auth","basic-auth","prometheus","node-status","jwt-auth","zipkin","ip-restriction","grpc-transcode","serverless-pre-function","serverless-post-function","openid-connect","proxy-rewrite","redirect","response-rewrite","fault-injection","udp-logger","wolf-rbac","proxy-cache","tcp-logger","proxy-mirror","kafka-logger","cors","batch-requests"\]/ +qr/\["fault-injection","serverless-pre-function","batch-requests","cors","ip-restriction","uri-blocker","openid-connect","wolf-rbac","basic-auth","jwt-auth","key-auth","consumer-restriction","authz-keycloak","proxy-mirror","proxy-cache","proxy-rewrite","limit-conn","limit-count","limit-req","node-status","redirect","response-rewrite","grpc-transcode","prometheus","echo","http-logger","tcp-logger","kafka-logger","syslog","udp-logger","zipkin","skywalking","serverless-post-function"\]/ --- no_error_log [error] @@ -51,7 +51,7 @@ GET /apisix/admin/plugins --- request GET /apisix/admin/plugins/limit-req --- response_body -{"properties":{"rate":{"minimum":0,"type":"number"},"burst":{"minimum":0,"type":"number"},"key":{"enum":["remote_addr","server_addr","http_x_real_ip","http_x_forwarded_for"],"type":"string"},"rejected_code":{"minimum":200,"type":"integer"}},"required":["rate","burst","key","rejected_code"],"type":"object"} +{"properties":{"rate":{"minimum":0,"type":"number"},"burst":{"minimum":0,"type":"number"},"key":{"enum":["remote_addr","server_addr","http_x_real_ip","http_x_forwarded_for"],"type":"string"},"rejected_code":{"type":"integer","default":503,"minimum":200}},"required":["rate","burst","key"],"type":"object"} --- no_error_log [error] diff --git a/t/admin/routes-array-nodes.t b/t/admin/routes-array-nodes.t new file mode 100644 index 0000000000000..c9b141883a28d --- /dev/null +++ b/t/admin/routes-array-nodes.t @@ -0,0 +1,125 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); +log_level("info"); + +run_tests; + +__DATA__ + +=== TEST 1: set route(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "methods": ["GET"], + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + }, + "desc": "new route", + "uri": "/index.html" + }]], + [[{ + "node": { + "value": { + "methods": [ + "GET" + ], + "uri": "/index.html", + "desc": "new route", + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + } + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: get route(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_GET, + nil, + [[{ + "node": { + "value": { + "methods": [ + "GET" + ], + "uri": "/index.html", + "desc": "new route", + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + } + }, + "key": "/apisix/routes/1" + }, + "action": "get" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] diff --git a/t/admin/routes.t b/t/admin/routes.t index 78ab5c62fb6bb..0e0d198892a74 100644 --- a/t/admin/routes.t +++ b/t/admin/routes.t @@ -993,9 +993,11 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/1/methods', + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PATCH, - '["GET"]', + [[{ + "methods": ["GET", null, null, null, null, null, null, null, null] + }]], [[{ "node": { "value": { @@ -1027,9 +1029,11 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/1/uri', + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PATCH, - '"/patch_test"', + [[{ + "uri": "/patch_test" + }]], [[{ "node": { "value": { @@ -1054,23 +1058,22 @@ passed -=== TEST 30: patch route(whole) +=== TEST 30: patch route(multi) --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/1/', + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PATCH, [[{ "methods": ["GET"], "upstream": { "nodes": { - "127.0.0.1:8080": 1 - }, - "type": "roundrobin" + "127.0.0.1:8080": null, + "127.0.0.2:8080": 1 + } }, - "desc": "new route", - "uri": "/index.html" + "desc": "new route" }]], [[{ "node": { @@ -1078,11 +1081,11 @@ passed "methods": [ "GET" ], - "uri": "/index.html", + "uri": "/patch_test", "desc": "new route", "upstream": { "nodes": { - "127.0.0.1:8080": 1 + "127.0.0.2:8080": 1 }, "type": "roundrobin" } @@ -1727,3 +1730,158 @@ GET /t passed --- no_error_log [error] + + + +=== TEST 47: set route(id: 1 + name: test name) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "methods": ["GET"], + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "name": "test name", + "uri": "/index.html" + }]], + [[{ + "node": { + "value": { + "name": "test name" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 48: string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/a-b-c-ABC_0123', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "uri": "/index.html" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 49: string id(delete) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/a-b-c-ABC_0123', + ngx.HTTP_DELETE + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 50: invalid string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/*invalid', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "uri": "/index.html" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- error_code: 400 +--- no_error_log +[error] + + + +=== TEST 51: Verify Response Content-Type=applciation/json +--- config + location /t { + content_by_lua_block { + local http = require("resty.http") + local httpc = http.new() + httpc:set_timeout(500) + httpc:connect(ngx.var.server_addr, ngx.var.server_port) + local res, err = httpc:request( + { + path = '/apisix/admin/routes/1?ttl=1', + method = "GET", + } + ) + + ngx.header["Content-Type"] = res.headers["Content-Type"] + ngx.status = 200 + ngx.say("passed") + } + } +--- request +GET /t +--- response_headers +Content-Type: application/json diff --git a/t/admin/schema.t b/t/admin/schema.t index 54ef58ee7ee77..d98b491d79a53 100644 --- a/t/admin/schema.t +++ b/t/admin/schema.t @@ -93,9 +93,23 @@ location /t { sni = { type = "string", pattern = [[^\*?[0-9a-zA-Z-.]+$]], - } + }, + snis = { + type = "array", + items = { + type = "string", + pattern = [[^\*?[0-9a-zA-Z-.]+$]], + } + }, + exptime = { + type = "integer", + minimum = 1588262400, -- 2020/5/1 0:0:0 + }, + }, + oneOf = { + {required = {"sni", "key", "cert"}}, + {required = {"snis", "key", "cert"}} }, - required = {"sni", "key", "cert"}, additionalProperties = false, } ) @@ -117,7 +131,7 @@ passed --- request GET /apisix/admin/schema/plugins/limit-count --- response_body eval -qr/"required":\["count","time_window","key","rejected_code"]/ +qr/"required":\["count","time_window","key"\]/ --- no_error_log [error] diff --git a/t/admin/services-array-nodes.t b/t/admin/services-array-nodes.t new file mode 100644 index 0000000000000..7ca2c6cb5f8a0 --- /dev/null +++ b/t/admin/services-array-nodes.t @@ -0,0 +1,115 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); +log_level("info"); + +run_tests; + +__DATA__ + +=== TEST 1: set service(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/1', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + }, + "desc": "new service" + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + }, + "desc": "new service" + }, + "key": "/apisix/services/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: get service(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/1', + ngx.HTTP_GET, + nil, + [[{ + "node": { + "value": { + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + }, + "desc": "new service" + }, + "key": "/apisix/services/1" + }, + "action": "get" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] diff --git a/t/admin/services-string-id.t b/t/admin/services-string-id.t new file mode 100644 index 0000000000000..63ffce13c4825 --- /dev/null +++ b/t/admin/services-string-id.t @@ -0,0 +1,884 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); +log_level("info"); + +run_tests; + +__DATA__ + +=== TEST 1: set service(id: 5eeb3dc90f747328b2930b0b) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "desc": "new service" + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "desc": "new service" + }, + "key": "/apisix/services/5eeb3dc90f747328b2930b0b" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: get service(id: 5eeb3dc90f747328b2930b0b) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_GET, + nil, + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "desc": "new service" + }, + "key": "/apisix/services/5eeb3dc90f747328b2930b0b" + }, + "action": "get" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 3: delete service(id: 5eeb3dc90f747328b2930b0b) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, message = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_DELETE, + nil, + [[{ + "action": "delete" + }]] + ) + ngx.say("[delete] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- response_body +[delete] code: 200 message: passed +--- no_error_log +[error] + + + +=== TEST 4: delete service(id: not_found) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code = t('/apisix/admin/services/not_found', + ngx.HTTP_DELETE, + nil, + [[{ + "action": "delete" + }]] + ) + + ngx.say("[delete] code: ", code) + } + } +--- request +GET /t +--- response_body +[delete] code: 404 +--- no_error_log +[error] + + + +=== TEST 5: post service + delete +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, message, res = t('/apisix/admin/services', + ngx.HTTP_POST, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + } + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + } + } + }, + "action": "create" + }]] + ) + + if code ~= 200 then + ngx.status = code + ngx.say(message) + return + end + + ngx.say("[push] code: ", code, " message: ", message) + + local id = string.sub(res.node.key, #"/apisix/services/" + 1) + code, message = t('/apisix/admin/services/' .. id, + ngx.HTTP_DELETE, + nil, + [[{ + "action": "delete" + }]] + ) + ngx.say("[delete] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- response_body +[push] code: 200 message: passed +[delete] code: 200 message: passed +--- no_error_log +[error] + + + +=== TEST 6: uri + upstream +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin").test + local code, message, res = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + } + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + } + } + }, + "action": "set" + }]] + ) + + if code ~= 200 then + ngx.status = code + ngx.say(message) + return + end + + ngx.say("[push] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- response_body +[push] code: 200 message: passed +--- no_error_log +[error] + + + +=== TEST 7: uri + plugins +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin").test + local code, message, res = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "plugins": { + "limit-count": { + "count": 2, + "time_window": 60, + "rejected_code": 503, + "key": "remote_addr" + } + } + }]], + [[{ + "node": { + "value": { + "plugins": { + "limit-count": { + "count": 2, + "time_window": 60, + "rejected_code": 503, + "key": "remote_addr" + } + } + } + }, + "action": "set" + }]] + ) + + if code ~= 200 then + ngx.status = code + ngx.say(message) + return + end + + ngx.say("[push] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- response_body +[push] code: 200 message: passed +--- no_error_log +[error] + + + +=== TEST 8: invalid empty plugins (todo) + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin").test + local code, message, res = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "plugins": {} + }]] + ) + + if code ~= 200 then + ngx.status = code + ngx.print(message) + return + end + + ngx.say("[push] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- error_code: 400 +--- SKIP + + + +=== TEST 9: invalid service id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/*invalid_id$', + ngx.HTTP_PUT, + [[{ + "plugins": { + "limit-count": { + "count": 2, + "time_window": 60, + "rejected_code": 503, + "key": "remote_addr" + } + } + }]] + ) + + ngx.exit(code) + } + } +--- request +GET /t +--- error_code: 400 +--- no_error_log +[error] + + + +=== TEST 10: invalid id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "id": "3", + "plugins": {} + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"wrong service id"} +--- no_error_log +[error] + + + +=== TEST 11: id in the rule +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services', + ngx.HTTP_PUT, + [[{ + "id": "5eeb3dc90f747328b2930b0b", + "plugins": {} + }]], + [[{ + "node": { + "value": { + "plugins": {} + }, + "key": "/apisix/services/5eeb3dc90f747328b2930b0b" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 12: integer id less than 1 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services', + ngx.HTTP_PUT, + [[{ + "id": -100, + "plugins": {} + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"id\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] + + + +=== TEST 13: invalid service id: contains symbols value +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services', + ngx.HTTP_PUT, + [[{ + "id": "*invalid_id$", + "plugins": {} + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"id\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] + + + +=== TEST 14: no additional properties is valid +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services', + ngx.HTTP_PUT, + [[{ + "id": "5eeb3dc90f747328b2930b0b", + "invalid_property": "/index.html" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: additional properties forbidden, found invalid_property"} +--- no_error_log +[error] + + + +=== TEST 15: invalid upstream_id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services', + ngx.HTTP_PUT, + [[{ + "id": "5eeb3dc90f747328b2930b0b", + "upstream_id": "invalid$" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"upstream_id\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] + + + +=== TEST 16: not exist upstream_id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services', + ngx.HTTP_PUT, + [[{ + "id": "5eeb3dc90f747328b2930b0b", + "upstream_id": "9999999999" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"failed to fetch upstream info by upstream id [9999999999], response code: 404"} +--- no_error_log +[error] + + + +=== TEST 17: wrong service id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_POST, + [[{ + "plugins": {} + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"wrong service id, do not need it"} +--- no_error_log +[error] + + + +=== TEST 18: wrong service id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services', + ngx.HTTP_POST, + [[{ + "id": "5eeb3dc90f747328b2930b0b", + "plugins": {} + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"wrong service id, do not need it"} +--- no_error_log +[error] + + + +=== TEST 19: patch service(whole) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PATCH, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "desc": "new 20 service" + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "desc": "new 20 service" + }, + "key": "/apisix/services/5eeb3dc90f747328b2930b0b" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 20: patch service(new desc) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PATCH, + [[{ + "desc": "new 19 service" + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "desc": "new 19 service" + }, + "key": "/apisix/services/5eeb3dc90f747328b2930b0b" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 21: patch service(new nodes) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PATCH, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8081": 3, + "127.0.0.1:8082": 4 + }, + "type": "roundrobin" + } + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1, + "127.0.0.1:8081": 3, + "127.0.0.1:8082": 4 + }, + "type": "roundrobin" + } + } + } + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 22: set service(id: 5eeb3dc90f747328b2930b0b) and upstream(type:chash, default hash_on: vars, missing key) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "chash" + }, + "desc": "new service" + }]]) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"missing key"} +--- no_error_log +[error] + + + +=== TEST 23: set service(id: 5eeb3dc90f747328b2930b0b) and upstream(type:chash, hash_on: header, missing key) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "chash", + "hash_on": "header" + }, + "desc": "new service" + }]]) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"missing key"} +--- no_error_log +[error] + + + +=== TEST 24: set service(id: 5eeb3dc90f747328b2930b0b) and upstream(type:chash, hash_on: cookie, missing key) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "chash", + "hash_on": "cookie" + }, + "desc": "new service" + }]]) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"missing key"} +--- no_error_log +[error] + + + +=== TEST 25: set service(id: 5eeb3dc90f747328b2930b0b) and upstream(type:chash, hash_on: consumer, missing key is ok) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/5eeb3dc90f747328b2930b0b', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "chash", + "hash_on": "consumer" + }, + "desc": "new service" + }]]) + + ngx.status = code + ngx.say(code .. " " .. body) + } + } +--- request +GET /t +--- response_body +200 passed +--- no_error_log +[error] diff --git a/t/admin/services.t b/t/admin/services.t index 6c6f5037a69ff..546e2ce03b558 100644 --- a/t/admin/services.t +++ b/t/admin/services.t @@ -633,7 +633,7 @@ GET /t location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/services/1/', + local code, body = t('/apisix/admin/services/1', ngx.HTTP_PATCH, [[{ "upstream": { @@ -679,9 +679,11 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/services/1/desc', + local code, body = t('/apisix/admin/services/1', ngx.HTTP_PATCH, - '"new 19 service"', + [[{ + "desc": "new 19 service" + }]], [[{ "node": { "value": { @@ -717,20 +719,23 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/services/1/upstream', + local code, body = t('/apisix/admin/services/1', ngx.HTTP_PATCH, [[{ - "nodes": { - "127.0.0.1:8081": 3, - "127.0.0.1:8082": 4 - }, - "type": "roundrobin" + "upstream": { + "nodes": { + "127.0.0.1:8081": 3, + "127.0.0.1:8082": 4 + }, + "type": "roundrobin" + } }]], [[{ "node": { "value": { "upstream": { "nodes": { + "127.0.0.1:8080": 1, "127.0.0.1:8081": 3, "127.0.0.1:8082": 4 }, @@ -877,3 +882,80 @@ GET /t 200 passed --- no_error_log [error] + + + +=== TEST 26: set service(id: 1 + test service name) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/1', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "name": "test service name" + }]], + [[{ + "node": { + "value": { + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }, + "name": "test service name" + }, + "key": "/apisix/services/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 27: invalid string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/*invalid', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- error_code: 400 +--- no_error_log +[error] diff --git a/t/admin/ssl.t b/t/admin/ssl.t index 15bfb0ae4301c..e93ca1971174b 100644 --- a/t/admin/ssl.t +++ b/t/admin/ssl.t @@ -228,7 +228,7 @@ GET /t GET /t --- error_code: 400 --- response_body -{"error_msg":"invalid configuration: property \"cert\" is required"} +{"error_msg":"invalid configuration: value should match only one schema, but matches none"} --- no_error_log [error] @@ -269,3 +269,175 @@ GET /t passed --- no_error_log [error] + + + +=== TEST 8: store sni in `snis` +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/apisix.crt") + local ssl_key = t.read_file("conf/cert/apisix.key") + local data = { + cert = ssl_cert, key = ssl_key, + snis = {"*.foo.com", "bar.com"}, + } + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PUT, + core.json.encode(data), + [[{ + "node": { + "value": { + "snis": ["*.foo.com", "bar.com"] + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 9: store exptime +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/apisix.crt") + local ssl_key = t.read_file("conf/cert/apisix.key") + local data = { + cert = ssl_cert, key = ssl_key, + sni = "bar.com", + exptime = 1588262400 + 60 * 60 * 24 * 365, + } + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PUT, + core.json.encode(data), + [[{ + "node": { + "value": { + "sni": "bar.com", + "exptime": 1619798400 + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 10: string id +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/apisix.crt") + local ssl_key = t.read_file("conf/cert/apisix.key") + local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"} + + local code, body = t.test('/apisix/admin/ssl/a-b-c-ABC_0123', + ngx.HTTP_PUT, + core.json.encode(data) + ) + if code > 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 11: string id(delete) +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/apisix.crt") + local ssl_key = t.read_file("conf/cert/apisix.key") + local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"} + + local code, body = t.test('/apisix/admin/ssl/a-b-c-ABC_0123', + ngx.HTTP_DELETE + ) + if code > 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 12: invalid id +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/apisix.crt") + local ssl_key = t.read_file("conf/cert/apisix.key") + local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"} + + local code, body = t.test('/apisix/admin/ssl/*invalid', + ngx.HTTP_PUT, + core.json.encode(data) + ) + if code > 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- error_code: 400 +--- no_error_log +[error] diff --git a/t/admin/stream-routes.t b/t/admin/stream-routes.t index 24b5e5ef0331d..5bd36ff33613d 100644 --- a/t/admin/stream-routes.t +++ b/t/admin/stream-routes.t @@ -297,3 +297,89 @@ GET /t [delete] code: 200 message: passed --- no_error_log [error] + + + +=== TEST 8: string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/stream_routes/a-b-c-ABC_0123', + ngx.HTTP_PUT, + [[{ + "remote_addr": "127.0.0.1", + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + } + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 9: string id(delete) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/stream_routes/a-b-c-ABC_0123', + ngx.HTTP_DELETE + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 10: invalid string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/stream_routes/*invalid', + ngx.HTTP_PUT, + [[{ + "remote_addr": "127.0.0.1", + "upstream": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + } + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- error_code: 400 +--- no_error_log +[error] diff --git a/t/admin/upstream-array-nodes.t b/t/admin/upstream-array-nodes.t new file mode 100644 index 0000000000000..9f0c5b8d99780 --- /dev/null +++ b/t/admin/upstream-array-nodes.t @@ -0,0 +1,409 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); +log_level("info"); + +run_tests; + +__DATA__ + +=== TEST 1: set upstream(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams/1', + ngx.HTTP_PUT, + [[{ + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin", + "desc": "new upstream" + }]], + [[{ + "node": { + "value": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin", + "desc": "new upstream" + }, + "key": "/apisix/upstreams/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: get upstream(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams/1', + ngx.HTTP_GET, + nil, + [[{ + "node": { + "value": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin", + "desc": "new upstream" + }, + "key": "/apisix/upstreams/1" + }, + "action": "get" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 3: delete upstream(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, message = t('/apisix/admin/upstreams/1', + ngx.HTTP_DELETE, + nil, + [[{ + "action": "delete" + }]] + ) + ngx.say("[delete] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- response_body +[delete] code: 200 message: passed +--- no_error_log +[error] + + + +=== TEST 4: delete upstream(id: not_found) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code = t('/apisix/admin/upstreams/not_found', + ngx.HTTP_DELETE, + nil, + [[{ + "action": "delete" + }]] + ) + + ngx.say("[delete] code: ", code) + } + } +--- request +GET /t +--- response_body +[delete] code: 404 +--- no_error_log +[error] + + + +=== TEST 5: push upstream + delete +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, message, res = t('/apisix/admin/upstreams', + ngx.HTTP_POST, + [[{ + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + }]], + [[{ + "node": { + "value": { + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin" + } + }, + "action": "create" + }]] + ) + + if code ~= 200 then + ngx.status = code + ngx.say(message) + return + end + + ngx.say("[push] code: ", code, " message: ", message) + + local id = string.sub(res.node.key, #"/apisix/upstreams/" + 1) + code, message = t('/apisix/admin/upstreams/' .. id, + ngx.HTTP_DELETE, + nil, + [[{ + "action": "delete" + }]] + ) + ngx.say("[delete] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- response_body +[push] code: 200 message: passed +[delete] code: 200 message: passed +--- no_error_log +[error] + + + +=== TEST 6: empty nodes +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin").test + local code, message, res = t('/apisix/admin/upstreams/1', + ngx.HTTP_PUT, + [[{ + "nodes": [], + "type": "roundrobin" + }]] + ) + + if code ~= 200 then + ngx.status = code + ngx.print(message) + return + end + + ngx.say("[push] code: ", code, " message: ", message) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} + + + +=== TEST 7: no additional properties is valid +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams', + ngx.HTTP_PUT, + [[{ + "id": 1, + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": 1 + }], + "type": "roundrobin", + "invalid_property": "/index.html" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: additional properties forbidden, found invalid_property"} +--- no_error_log +[error] + + + +=== TEST 8: invalid weight of node +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams', + ngx.HTTP_PUT, + [[{ + "id": 1, + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": "1" + }], + "type": "chash" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] + + + +=== TEST 9: invalid weight of node +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams', + ngx.HTTP_PUT, + [[{ + "id": 1, + "nodes": [{ + "host": "127.0.0.1", + "port": 8080, + "weight": -100 + }], + "type": "chash" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] + + + +=== TEST 10: invalid port of node +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams', + ngx.HTTP_PUT, + [[{ + "id": 1, + "nodes": [{ + "host": "127.0.0.1", + "port": 0, + "weight": 1 + }], + "type": "chash" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] + + + +=== TEST 11: invalid host of node +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams', + ngx.HTTP_PUT, + [[{ + "id": 1, + "nodes": [{ + "host": "127.#.%.1", + "port": 8080, + "weight": 1 + }], + "type": "chash" + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] diff --git a/t/admin/upstream.t b/t/admin/upstream.t index da131348a43c1..d1167ab80418b 100644 --- a/t/admin/upstream.t +++ b/t/admin/upstream.t @@ -235,7 +235,7 @@ GET /t GET /t --- error_code: 400 --- response_body -{"error_msg":"invalid configuration: property \"nodes\" validation failed: expect object to have at least 1 properties"} +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} @@ -523,7 +523,7 @@ GET /t GET /t --- error_code: 400 --- response_body -{"error_msg":"invalid configuration: property \"nodes\" validation failed: failed to validate 127.0.0.1:8080 (matching \".*\"): wrong type: expected integer, got string"} +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} --- no_error_log [error] @@ -553,7 +553,7 @@ GET /t GET /t --- error_code: 400 --- response_body -{"error_msg":"invalid configuration: property \"nodes\" validation failed: failed to validate 127.0.0.1:8080 (matching \".*\"): expected -100 to be greater than 0"} +{"error_msg":"invalid configuration: property \"nodes\" validation failed: object matches none of the requireds"} --- no_error_log [error] @@ -652,7 +652,7 @@ GET /t location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/upstreams/1/', + local code, body = t('/apisix/admin/upstreams/1', ngx.HTTP_PATCH, [[{ "nodes": { @@ -694,9 +694,11 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/upstreams/1/desc', + local code, body = t('/apisix/admin/upstreams/1', ngx.HTTP_PATCH, - '"new 21 upstream"', + [[{ + "desc": "new 21 upstream" + }]], [[{ "node": { "value": { @@ -730,16 +732,19 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/upstreams/1/nodes', + local code, body = t('/apisix/admin/upstreams/1', ngx.HTTP_PATCH, [[{ - "127.0.0.1:8081": 3, - "127.0.0.1:8082": 4 + "nodes": { + "127.0.0.1:8081": 3, + "127.0.0.1:8082": 4 + } }]], [[{ "node": { "value": { "nodes": { + "127.0.0.1:8080": 1, "127.0.0.1:8081": 3, "127.0.0.1:8082": 4 }, @@ -768,18 +773,20 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/upstreams/1/nodes', + local code, body = t('/apisix/admin/upstreams/1', ngx.HTTP_PATCH, [[{ - "127.0.0.1:8081": 0, - "127.0.0.1:8082": 4 + "nodes": { + "127.0.0.1:8081": 3, + "127.0.0.1:8082": 0 + } }]], [[{ "node": { "value": { "nodes": { - "127.0.0.1:8081": 0, - "127.0.0.1:8082": 4 + "127.0.0.1:8081": 3, + "127.0.0.1:8082": 0 }, "type": "roundrobin", "desc": "new 21 upstream" @@ -1140,7 +1147,7 @@ GET /t -=== TEST 35: type chash, hash_on: consumer, don't need upstream key +=== TEST 35: type chash, hash_on: consumer, do not need upstream key --- config location /t { content_by_lua_block { @@ -1230,3 +1237,127 @@ GET /t {"error_msg":"invalid configuration: property \"hash_on\" validation failed: matches non of the enum values"} --- no_error_log [error] + + + +=== TEST 38: set upstream(id: 1 + name: test name) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams/1', + ngx.HTTP_PUT, + [[{ + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin", + "name": "test upstream name" + }]], + [[{ + "node": { + "value": { + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin", + "name": "test upstream name" + }, + "key": "/apisix/upstreams/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 39: string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams/a-b-c-ABC_0123', + ngx.HTTP_PUT, + [[{ + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 40: string id(delete) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams/a-b-c-ABC_0123', + ngx.HTTP_DELETE + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 41: invalid string id +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams/*invalid', + ngx.HTTP_PUT, + [[{ + "nodes": { + "127.0.0.1:8080": 1 + }, + "type": "roundrobin" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"invalid configuration: property \"id\" validation failed: object matches none of the requireds"} +--- no_error_log +[error] diff --git a/t/apisix.luacov b/t/apisix.luacov index f9792d8953091..0694c2bffa1af 100644 --- a/t/apisix.luacov +++ b/t/apisix.luacov @@ -28,6 +28,7 @@ return { ["apisix/plugins/prometheus/*"] = "plugins/prometheus", ["apisix/plugins/zipkin/*"] = "plugins/zipkin", ["apisix/utils/*"] = "utils", + ["apisix/discovery/*"] = "discovery", -- can not enable both at http and stream, will fix it later. -- ["apisix/stream/*"] = "stream", diff --git a/t/core/etcd-auth-fail.t b/t/core/etcd-auth-fail.t new file mode 100644 index 0000000000000..dfeaffee178fc --- /dev/null +++ b/t/core/etcd-auth-fail.t @@ -0,0 +1,56 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +BEGIN { + $ENV{"ETCD_ENABLE_AUTH"} = "false" +} + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +log_level("info"); + +# Authentication is enabled at etcd and credentials are set +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY user add root:5tHkHhYkjr6cQY'); +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth enable'); +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role revoke --path "/*" -rw guest'); + +run_tests; + +# Authentication is disabled at etcd & guest access is granted +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth disable'); +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role grant --path "/*" -rw guest'); + + +__DATA__ + +=== TEST 1: Set and Get a value pass +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local key = "/test_key" + local val = "test_value" + local res, err = core.etcd.set(key, val) + ngx.say(err) + } + } +--- request +GET /t +--- response_body +insufficient credentials code: 401 diff --git a/t/core/etcd-auth.t b/t/core/etcd-auth.t new file mode 100644 index 0000000000000..3051a68ffbde1 --- /dev/null +++ b/t/core/etcd-auth.t @@ -0,0 +1,59 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +BEGIN { + $ENV{"ETCD_ENABLE_AUTH"} = "true" +} + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +log_level("info"); + +# Authentication is enabled at etcd and credentials are set +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY user add root:5tHkHhYkjr6cQY'); +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth enable'); +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role revoke --path "/*" -rw guest'); + +run_tests; + +# Authentication is disabled at etcd & guest access is granted +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth disable'); +system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role grant --path "/*" -rw guest'); + +__DATA__ + +=== TEST 1: Set and Get a value pass with authentication +--- config + location /t { + content_by_lua_block { + local core = require("apisix.core") + local key = "/test_key" + local val = "test_value" + core.etcd.set(key, val) + local res, err = core.etcd.get(key) + ngx.say(res.body.node.value) + core.etcd.delete(val) + } + } +--- request +GET /t +--- response_body +test_value +--- no_error_log +[error] diff --git a/t/core/lrucache.t b/t/core/lrucache.t index 5a9aefe08d7c6..83b930869672c 100644 --- a/t/core/lrucache.t +++ b/t/core/lrucache.t @@ -258,7 +258,7 @@ obj: {"idx":2,"_cache_ver":"ver"} end local lru_get = core.lrucache.new({ - ttl = 0.1, count = 256, invalid_stale = true, + ttl = 1, count = 256, invalid_stale = true, }) local function f() diff --git a/t/debug/debug-mode.t b/t/debug/debug-mode.t index dcd66e50d4ad3..63e3141b43f34 100644 --- a/t/debug/debug-mode.t +++ b/t/debug/debug-mode.t @@ -60,11 +60,14 @@ loaded plugin and sort by priority: 10000 name: serverless-pre-function loaded plugin and sort by priority: 4010 name: batch-requests loaded plugin and sort by priority: 4000 name: cors loaded plugin and sort by priority: 3000 name: ip-restriction +loaded plugin and sort by priority: 2900 name: uri-blocker loaded plugin and sort by priority: 2599 name: openid-connect loaded plugin and sort by priority: 2555 name: wolf-rbac loaded plugin and sort by priority: 2520 name: basic-auth loaded plugin and sort by priority: 2510 name: jwt-auth loaded plugin and sort by priority: 2500 name: key-auth +loaded plugin and sort by priority: 2400 name: consumer-restriction +loaded plugin and sort by priority: 2000 name: authz-keycloak loaded plugin and sort by priority: 1010 name: proxy-mirror loaded plugin and sort by priority: 1009 name: proxy-cache loaded plugin and sort by priority: 1008 name: proxy-rewrite @@ -76,16 +79,19 @@ loaded plugin and sort by priority: 900 name: redirect loaded plugin and sort by priority: 899 name: response-rewrite loaded plugin and sort by priority: 506 name: grpc-transcode loaded plugin and sort by priority: 500 name: prometheus +loaded plugin and sort by priority: 412 name: echo +loaded plugin and sort by priority: 410 name: http-logger loaded plugin and sort by priority: 405 name: tcp-logger loaded plugin and sort by priority: 403 name: kafka-logger +loaded plugin and sort by priority: 401 name: syslog loaded plugin and sort by priority: 400 name: udp-logger loaded plugin and sort by priority: 0 name: example-plugin loaded plugin and sort by priority: -1000 name: zipkin +loaded plugin and sort by priority: -1100 name: skywalking loaded plugin and sort by priority: -2000 name: serverless-post-function - === TEST 2: set route(no plugin) --- config location /t { diff --git a/t/discovery/eureka.t b/t/discovery/eureka.t new file mode 100644 index 0000000000000..724cc7dc55895 --- /dev/null +++ b/t/discovery/eureka.t @@ -0,0 +1,131 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +log_level('info'); +no_root_location(); +no_shuffle(); + +sub read_file($) { + my $infile = shift; + open my $in, $infile + or die "cannot open $infile for reading: $!"; + my $cert = do { local $/; <$in> }; + close $in; + $cert; +} + +our $yaml_config = read_file("conf/config.yaml"); +$yaml_config =~ s/node_listen: 9080/node_listen: 1984/; +$yaml_config =~ s/enable_heartbeat: true/enable_heartbeat: false/; +$yaml_config =~ s/config_center: etcd/config_center: yaml/; +$yaml_config =~ s/enable_admin: true/enable_admin: false/; +$yaml_config =~ s/enable_admin: true/enable_admin: false/; +$yaml_config =~ s/ discovery:/ discovery: eureka #/; +$yaml_config =~ s/# discovery:/ discovery: eureka #/; +$yaml_config =~ s/error_log_level: "warn"/error_log_level: "info"/; + + +$yaml_config .= <<_EOC_; +eureka: + host: + - "http://127.0.0.1:8761" + prefix: "/eureka/" + fetch_interval: 10 + weight: 80 + timeout: + connect: 1500 + send: 1500 + read: 1500 +_EOC_ + +run_tests(); + +__DATA__ + +=== TEST 1: get APISIX-EUREKA info from EUREKA +--- yaml_config eval: $::yaml_config +--- apisix_yaml +routes: + - + uri: /eureka/* + upstream: + service_name: APISIX-EUREKA + type: roundrobin + +#END +--- request +GET /eureka/apps/APISIX-EUREKA +--- response_body_like +.*APISIX-EUREKA.* +--- error_log +use config_center: yaml +default_weight:80. +fetch_interval:10. +eureka uri:http://127.0.0.1:8761/eureka/. +connect_timeout:1500, send_timeout:1500, read_timeout:1500. +--- no_error_log +[error] + + + +=== TEST 2: error service_name name +--- yaml_config eval: $::yaml_config +--- apisix_yaml +routes: + - + uri: /eureka/* + upstream: + service_name: APISIX-EUREKA-DEMO + type: roundrobin + +#END +--- request +GET /eureka/apps/APISIX-EUREKA +--- error_code: 502 +--- error_log eval +qr/.*failed to pick server: no valid upstream node.*/ + + + +=== TEST 3: with proxy-rewrite +--- yaml_config eval: $::yaml_config +--- apisix_yaml +routes: + - + uri: /eureka-test/* + plugins: + proxy-rewrite: + regex_uri: ["^/eureka-test/(.*)", "/${1}"] + upstream: + service_name: APISIX-EUREKA + type: roundrobin + +#END +--- request +GET /eureka-test/eureka/apps/APISIX-EUREKA +--- response_body_like +.*APISIX-EUREKA.* +--- error_log +use config_center: yaml +default_weight:80. +fetch_interval:10. +eureka uri:http://127.0.0.1:8761/eureka/. +connect_timeout:1500, send_timeout:1500, read_timeout:1500. +--- no_error_log +[error] diff --git a/t/lib/server.lua b/t/lib/server.lua index 0f8fbe35d006e..e34602c302340 100644 --- a/t/lib/server.lua +++ b/t/lib/server.lua @@ -28,7 +28,6 @@ function _M.hello1() ngx.say("hello1 world") end - function _M.server_port() ngx.print(ngx.var.server_port) end @@ -90,7 +89,6 @@ function _M.opentracing() ngx.say("opentracing") end - function _M.with_header() ngx.header['Content-Type'] = 'application/xml' ngx.header['X-Server-id'] = 100 @@ -100,6 +98,28 @@ function _M.with_header() ngx.say("!") end +function _M.mock_skywalking_v2_service_register() + ngx.say('[{"key":"APISIX","value":1}]') +end + +function _M.mock_skywalking_v2_instance_register() + ngx.req.read_body() + local data = ngx.req.get_body_data() + data = json_decode(data) + local key = data['instances'][1]['instanceUUID'] + local ret = {} + ret[1] = {key = key, value = 1} + ngx.say(json_encode(ret)) +end + +function _M.mock_skywalking_v2_instance_heartbeat() + ngx.say('skywalking heartbeat ok') +end + +function _M.mock_skywalking_v2_segments() + ngx.say('skywalking segments ok') +end + function _M.mock_zipkin() ngx.req.read_body() local data = ngx.req.get_body_data() diff --git a/t/lib/test_admin.lua b/t/lib/test_admin.lua index 8b4d6c53f5fb7..dc245c3bb7b72 100644 --- a/t/lib/test_admin.lua +++ b/t/lib/test_admin.lua @@ -14,9 +14,12 @@ -- See the License for the specific language governing permissions and -- limitations under the License. -- -local http = require("resty.http") -local json = require("cjson.safe") -local dir_names = {} +local http = require("resty.http") +local json = require("cjson.safe") +local aes = require "resty.aes" +local ngx_encode_base64 = ngx.encode_base64 +local str_find = string.find +local dir_names = {} local _M = {} @@ -101,6 +104,8 @@ end function _M.comp_tab(left_tab, right_tab) + dir_names = {} + if type(left_tab) == "string" then left_tab = json.decode(left_tab) end @@ -110,14 +115,21 @@ function _M.comp_tab(left_tab, right_tab) local ok, err = com_tab(left_tab, right_tab) if not ok then - return 500, "failed, " .. err + return false, err end return true end -function _M.test(uri, method, body, pattern) +function _M.test(uri, method, body, pattern, headers) + if not headers then + headers = {} + end + if not headers["Content-Type"] then + headers["Content-Type"] = "application/x-www-form-urlencoded" + end + if type(body) == "table" then body = json.encode(body) end @@ -139,9 +151,7 @@ function _M.test(uri, method, body, pattern) method = method, body = body, keepalive = false, - headers = { - ["Content-Type"] = "application/x-www-form-urlencoded", - }, + headers = headers, } ) if not res then @@ -203,4 +213,22 @@ function _M.req_self_with_http(uri, method, body, headers) end +function _M.aes_encrypt(origin) + local iv = "1234567890123456" + local aes_128_cbc_with_iv = assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv=iv})) + + if aes_128_cbc_with_iv ~= nil and str_find(origin, "---") then + local encrypted = aes_128_cbc_with_iv:encrypt(origin) + if encrypted == nil then + core.log.error("failed to encrypt key[", origin, "] ") + return origin + end + + return ngx_encode_base64(encrypted) + end + + return origin +end + + return _M diff --git a/t/node/filter_func.t b/t/node/filter_func.t new file mode 100644 index 0000000000000..b016d13a537e1 --- /dev/null +++ b/t/node/filter_func.t @@ -0,0 +1,81 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +log_level('info'); +no_root_location(); +no_shuffle(); + +run_tests(); + +__DATA__ + +=== TEST 1: set route with filter_func +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "filter_func": "function(vars) + return vars['arg_a1'] == 'a1' and vars['arg_a2'] == 'a2' + end", + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: hit route +--- request +GET /hello?a1=a1&a2=a2 +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 3: miss route +--- request +GET /hello?a1=xxxx&a2=xxxx +--- error_code: 404 +--- response_body +{"error_msg":"failed to match any routes"} +--- no_error_log +[error] diff --git a/t/node/not-exist-upstream.t b/t/node/not-exist-upstream.t index a5a008d0543d2..73684ea9898b5 100644 --- a/t/node/not-exist-upstream.t +++ b/t/node/not-exist-upstream.t @@ -83,4 +83,4 @@ qr/502 Bad Gateway|500 Internal Server Error/ --- grep_error_log eval qr/\[error\].*/ --- grep_error_log_out eval -qr/failed to pick server: missing upstream configuration while connecting to upstream/ +qr/missing upstream configuration in Route or Service/ diff --git a/t/node/upstream-array-nodes.t b/t/node/upstream-array-nodes.t new file mode 100644 index 0000000000000..9e38da93bdc4a --- /dev/null +++ b/t/node/upstream-array-nodes.t @@ -0,0 +1,215 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +log_level('info'); +worker_connections(256); +no_root_location(); +no_shuffle(); + +run_tests(); + +__DATA__ + +=== TEST 1: set upstream(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/upstreams/1', + ngx.HTTP_PUT, + [[{ + "nodes": [{ + "host": "127.0.0.1", + "port": 1980, + "weight": 1 + }], + "type": "roundrobin", + "desc": "new upstream" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: set route(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "upstream_id": "1" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 3: hit routes +--- request +GET /hello +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 4: set route(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 1980, + "weight": 1 + }], + "type": "roundrobin", + "desc": "new upstream" + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 5: hit routes +--- request +GET /hello +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 6: set services(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/1', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": [{ + "host": "127.0.0.1", + "port": 1980, + "weight": 1 + }], + "type": "roundrobin", + "desc": "new upstream" + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 7: set route(id: 1) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "service_id": 1 + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 8: hit routes +--- request +GET /hello +--- response_body +hello world +--- no_error_log +[error] diff --git a/t/node/vars.t b/t/node/vars.t index fdbe22ea66c55..a51af1f6916c9 100644 --- a/t/node/vars.t +++ b/t/node/vars.t @@ -34,7 +34,7 @@ __DATA__ ngx.HTTP_PUT, [[{ "uri": "/hello", - "vars": [ ["arg_k", "v"] ], + "vars": [ ["arg_k", "==", "v"] ], "upstream": { "nodes": { "127.0.0.1:1980": 1 @@ -100,7 +100,7 @@ hello world ngx.HTTP_PUT, [=[{ "uri": "/hello", - "vars": [["cookie_k", "v"]], + "vars": [["cookie_k", "==", "v"]], "upstream": { "nodes": { "127.0.0.1:1980": 1 @@ -170,7 +170,7 @@ hello world ngx.HTTP_PUT, [=[{ "uri": "/hello", - "vars": [["http_k", "v"]], + "vars": [["http_k", "==", "v"]], "upstream": { "nodes": { "127.0.0.1:1980": 1 @@ -240,7 +240,7 @@ hello world ngx.HTTP_PUT, [=[{ "uri": "/hello", - "vars": [["http_k", "header"], ["cookie_k", "cookie"], ["arg_k", "uri_arg"]], + "vars": [["http_k", "==", "header"], ["cookie_k", "==", "cookie"], ["arg_k", "==", "uri_arg"]], "upstream": { "nodes": { "127.0.0.1:1980": 1 diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t new file mode 100644 index 0000000000000..00ebc0ddb2706 --- /dev/null +++ b/t/plugin/authz-keycloak.t @@ -0,0 +1,353 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +log_level('debug'); +repeat_each(1); +no_long_string(); +no_root_location(); +run_tests; + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-keycloak") + local ok, err = plugin.check_schema({ + token_endpoint = "https://efactory-security-portal.salzburgresearch.at/", + grant_type = "urn:ietf:params:oauth:grant-type:uma-ticket" + }) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + + +=== TEST 2: full schema check +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-keycloak") + local ok, err = plugin.check_schema({token_endpoint = "https://efactory-security-portal.salzburgresearch.at/", + permissions = {"res:customer#scopes:view"}, + timeout = 1000, + audience = "University", + grant_type = "urn:ietf:params:oauth:grant-type:uma-ticket" + }) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + + +=== TEST 3: token_endpoint missing +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-keycloak") + local ok, err = plugin.check_schema({permissions = {"res:customer#scopes:view"}}) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +property "token_endpoint" is required +done +--- no_error_log +[error] + + + +=== TEST 4: add plugin with view course permissions +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "authz-keycloak": { + "token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token", + "permissions": ["course_resource#view"], + "audience": "course_management", + "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", + "timeout": 3000 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }]], + [[{ + "node": { + "value": { + "plugins": { + "authz-keycloak": { + "token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token", + "permissions": ["course_resource#view"], + "audience": "course_management", + "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", + "timeout": 3000 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 5: Get access token for teacher and access view course route +--- config + location /t { + content_by_lua_block { + local json_decode = require("cjson").decode + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token" + local res, err = httpc:request_uri(uri, { + method = "POST", + body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456", + headers = { + ["Content-Type"] = "application/x-www-form-urlencoded" + } + }) + + if res.status == 200 then + local body = json_decode(res.body) + local accessToken = body["access_token"] + + + uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello1" + local res, err = httpc:request_uri(uri, { + method = "GET", + headers = { + ["Authorization"] = "Bearer " .. accessToken, + } + }) + + if res.status == 200 then + ngx.say(true) + else + ngx.say(false) + end + else + ngx.say(false) + end + } + } +--- request +GET /t +--- response_body +true +--- no_error_log +[error] + + + +=== TEST 6: invalid access token +--- config + location /t { + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello1" + local res, err = httpc:request_uri(uri, { + method = "GET", + headers = { + ["Authorization"] = "Bearer wrong_token", + } + }) + if res.status == 401 then + ngx.say(true) + end + } + } +--- request +GET /t +--- response_body +true +--- error_log +Invalid bearer token + + + +=== TEST 7: add plugin for delete course route +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "authz-keycloak": { + "token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token", + "permissions": ["course_resource#delete"], + "audience": "course_management", + "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", + "timeout": 3000 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }]], + [[{ + "node": { + "value": { + "plugins": { + "authz-keycloak": { + "token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token", + "permissions": ["course_resource#delete"], + "audience": "course_management", + "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", + "timeout": 3000 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 8: Get access token for student and delete course +--- config + location /t { + content_by_lua_block { + local json_decode = require("cjson").decode + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token" + local res, err = httpc:request_uri(uri, { + method = "POST", + body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=student@gmail.com&password=123456", + headers = { + ["Content-Type"] = "application/x-www-form-urlencoded" + } + }) + + if res.status == 200 then + local body = json_decode(res.body) + local accessToken = body["access_token"] + + + uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello1" + local res, err = httpc:request_uri(uri, { + method = "GET", + headers = { + ["Authorization"] = "Bearer " .. accessToken, + } + }) + + if res.status == 403 then + ngx.say(true) + else + ngx.say(false) + end + else + ngx.say(false) + end + } + } +--- request +GET /t +--- response_body +true +--- error_log +{"error":"access_denied","error_description":"not_authorized"} diff --git a/t/plugin/batch-requests.t b/t/plugin/batch-requests.t index 9c784a6bd481c..c409ceea4f46b 100644 --- a/t/plugin/batch-requests.t +++ b/t/plugin/batch-requests.t @@ -40,7 +40,8 @@ __DATA__ }, "headers": { "Base-Header": "base", - "Conflict-Header": "header_value" + "ConflictHeader": "header_value", + "OuterConflict": "common_value" }, "pipeline":[ { @@ -48,7 +49,7 @@ __DATA__ "headers": { "Header1": "hello", "Header2": "world", - "Conflict-Header": "b-header-value" + "ConflictHeader": "b-header-value" } },{ "path": "/c", @@ -71,7 +72,8 @@ __DATA__ "X-Res": "B", "X-Header1": "hello", "X-Header2": "world", - "X-Conflict-Header": "b-header-value" + "X-Conflict-Header": "b-header-value", + "X-OuterConflict": "common_value" } }, { @@ -95,8 +97,11 @@ __DATA__ "X-Query-Conflict": "d_value" } } - ]]=] - ) + ]]=], + { + ConflictHeader = "outer_header", + OuterConflict = "outer_confliect" + }) ngx.status = code ngx.say(body) @@ -110,7 +115,8 @@ __DATA__ ngx.header["Base-Query"] = ngx.var.arg_base ngx.header["X-Header1"] = ngx.req.get_headers()["Header1"] ngx.header["X-Header2"] = ngx.req.get_headers()["Header2"] - ngx.header["X-Conflict-Header"] = ngx.req.get_headers()["Conflict-Header"] + ngx.header["X-Conflict-Header"] = ngx.req.get_headers()["ConflictHeader"] + ngx.header["X-OuterConflict"] = ngx.req.get_headers()["OuterConflict"] ngx.header["X-Res"] = "B" ngx.print("B") } @@ -684,3 +690,91 @@ GET /aggregate passed --- no_error_log [error] + + + +=== TEST 15: copy all header to every request except Contenct- +--- config + client_body_in_file_only on; + location = /aggregate { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin").test + local code, body = t('/apisix/batch-requests', + ngx.HTTP_POST, + [=[{ + "timeout": 1000, + "pipeline":[ + { + "path": "/b", + "headers": { + "Header1": "hello", + "Header2": "world" + } + },{ + "path": "/c", + "method": "PUT" + },{ + "path": "/d" + }] + }]=], + [=[[ + { + "status": 200, + "headers": { + "X-Cookie": "request-cookies-b", + "X-HeaderB": "request-header-b" + } + }, + { + "status": 201, + "headers": { + "X-Cookie": "request-cookies-c", + "X-HeaderC": "request-header-c" + } + }, + { + "status": 202, + "headers": { + "X-Cookie": "request-cookies-d", + "X-HeaderD": "request-header-d" + } + } + ]]=], + { + Cookie = "request-cookies", + OuterHeader = "request-header" + }) + + ngx.status = code + ngx.say(body) + } + } + + location = /b { + content_by_lua_block { + ngx.status = 200 + ngx.header["X-Cookie"] = ngx.req.get_headers()["Cookie"] .. "-b" + ngx.header["X-HeaderB"] = ngx.req.get_headers()["OuterHeader"] .. "-b" + } + } + location = /c { + content_by_lua_block { + ngx.status = 201 + ngx.header["X-Cookie"] = ngx.req.get_headers()["Cookie"] .. "-c" + ngx.header["X-HeaderC"] = ngx.req.get_headers()["OuterHeader"] .. "-c" + } + } + location = /d { + content_by_lua_block { + ngx.status = 202 + ngx.header["X-Cookie"] = ngx.req.get_headers()["Cookie"] .. "-d" + ngx.header["X-HeaderD"] = ngx.req.get_headers()["OuterHeader"] .. "-d" + } + } +--- request +GET /aggregate +--- response_body +passed +--- no_error_log +[error] diff --git a/t/plugin/consumer-restriction.t b/t/plugin/consumer-restriction.t new file mode 100644 index 0000000000000..57bbed3d58df1 --- /dev/null +++ b/t/plugin/consumer-restriction.t @@ -0,0 +1,542 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_shuffle(); +no_root_location(); + +run_tests; + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.consumer-restriction") + local conf = { + whitelist = { + "jack1", + "jack2" + } + } + local ok, err = plugin.check_schema(conf) + if not ok then + ngx.say(err) + end + + ngx.say(require("cjson").encode(conf)) + } + } +--- request +GET /t +--- response_body +{"whitelist":["jack1","jack2"]} +--- no_error_log +[error] + + + +=== TEST 2: whitelist and blacklist mutual exclusive +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.consumer-restriction") + local ok, err = plugin.check_schema({whitelist={"jack1"}, blacklist={"jack2"}}) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +value should match only one schema, but matches both schemas 1 and 2 +done +--- no_error_log +[error] + + + +=== TEST 3: add consumer jack1 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack1", + "plugins": { + "basic-auth": { + "username": "jack2019", + "password": "123456" + } + } + }]], + [[{ + "node": { + "value": { + "username": "jack1", + "plugins": { + "basic-auth": { + "username": "jack2019", + "password": "123456" + } + } + } + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 4: add consumer jack2 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack2", + "plugins": { + "basic-auth": { + "username": "jack2020", + "password": "123456" + } + } + }]], + [[{ + "node": { + "value": { + "username": "jack2", + "plugins": { + "basic-auth": { + "username": "jack2020", + "password": "123456" + } + } + } + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 5: set whitelist +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "basic-auth": {}, + "consumer-restriction": { + "whitelist": [ + "jack1" + ] + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 6: verify unauthorized +--- request +GET /hello +--- error_code: 401 +--- response_body +{"message":"Missing authorization in request"} +--- no_error_log +[error] + + + +=== TEST 7: verify jack1 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMTk6MTIzNDU2 +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 8: verify jack2 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMjA6MTIzNDU2 +--- error_code: 403 +--- response_body +{"message":"The consumer is not allowed"} +--- no_error_log +[error] + + + +=== TEST 9: set blacklist +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "basic-auth": {}, + "consumer-restriction": { + "blacklist": [ + "jack1" + ] + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 10: verify unauthorized +--- request +GET /hello +--- error_code: 401 +--- response_body +{"message":"Missing authorization in request"} +--- no_error_log +[error] + + + +=== TEST 11: verify jack1 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMTk6MTIzNDU2 +--- error_code: 403 +--- response_body +{"message":"The consumer is not allowed"} +--- no_error_log +[error] + + + +=== TEST 12: verify jack2 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMjA6MTIzNDU2 +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 13: set whitelist without authorization +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "consumer-restriction": { + "whitelist": [ + "jack1" + ] + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 14: verify unauthorized +--- request +GET /hello +--- error_code: 401 +--- response_body +{"message":"Missing authentication or identity verification."} +--- no_error_log +[error] + + + +=== TEST 15: verify jack1 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMTk6MTIzNDU2 +--- error_code: 401 +--- response_body +{"message":"Missing authentication or identity verification."} +--- no_error_log +[error] + + + +=== TEST 16: verify jack2 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMjA6MTIzNDU2 +--- error_code: 401 +--- response_body +{"message":"Missing authentication or identity verification."} +--- no_error_log +[error] + + + +=== TEST 17: set blacklist without authorization +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + "consumer-restriction": { + "blacklist": [ + "jack1" + ] + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 18: verify unauthorized +--- request +GET /hello +--- error_code: 401 +--- response_body +{"message":"Missing authentication or identity verification."} +--- no_error_log +[error] + + + +=== TEST 19: verify jack1 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMTk6MTIzNDU2 +--- error_code: 401 +--- response_body +{"message":"Missing authentication or identity verification."} +--- no_error_log +[error] + + + +=== TEST 20: verify jack2 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMjA6MTIzNDU2 +--- error_code: 401 +--- response_body +{"message":"Missing authentication or identity verification."} +--- no_error_log +[error] + + + +=== TEST 21: remove consumer-restriction +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "plugins": { + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 22: verify jack1 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMTk6MTIzNDU2 +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 23: verify jack2 +--- request +GET /hello +--- more_headers +Authorization: Basic amFjazIwMjA6MTIzNDU2 +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 24: verify unauthorized +--- request +GET /hello +--- response_body +hello world +--- no_error_log +[error] diff --git a/t/plugin/cors.t b/t/plugin/cors.t index 392162f3e368e..364ae909df418 100644 --- a/t/plugin/cors.t +++ b/t/plugin/cors.t @@ -426,3 +426,68 @@ OPTIONS /hello HTTP/1.1 --- no_error_log [error] + + + +=== TEST 15: set route(auth plugins faills) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "key-auth": {}, + "cors": { + "allow_origins": "**", + "allow_methods": "**", + "allow_headers": "*", + "expose_headers": "*" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 16: auth failed still work +--- request +GET /hello HTTP/1.1 +--- more_headers +Origin: https://sub.domain.com +ExternalHeader1: val +ExternalHeader2: val +ExternalHeader3: val +--- response_body +{"message":"Missing API key found in request"} +--- error_code: 401 +--- response_headers +Access-Control-Allow-Origin: https://sub.domain.com +Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE +Access-Control-Allow-Headers: * +Access-Control-Expose-Headers: * +Access-Control-Max-Age: 5 +Access-Control-Allow-Credentials: +--- no_error_log +[error] diff --git a/t/plugin/echo.t b/t/plugin/echo.t new file mode 100644 index 0000000000000..7040820f8bafe --- /dev/null +++ b/t/plugin/echo.t @@ -0,0 +1,469 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +run_tests; + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.echo") + local ok, err = plugin.check_schema({before_body = "body before", body = "body to attach" , + after_body = "body to attach"}) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + + +=== TEST 2: wrong type of integer +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.echo") + local ok, err = plugin.check_schema({before_body = "body before", body = "body to attach" , + after_body = 10}) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +property "after_body" validation failed: wrong type: expected string, got number +done +--- no_error_log +[error] + + + +=== TEST 3: add plugin +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "echo": { + "before_body": "before the body modification ", + "body":"hello upstream", + "headers": { + "Location":"https://www.iresty.com", + "Authorization": "userpass" + }, + "auth_value" : "userpass" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "echo": { + "before_body": "before the body modification ", + "body":"hello upstream", + "headers": { + "Location":"https://www.iresty.com" + }, + "auth_value" : "userpass" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 4: access +--- request +GET /hello +--- more_headers +Authorization: userpass +--- response_body chomp +before the body modification hello upstream +--- response_headers +Location: https://www.iresty.com +Authorization: userpass +--- no_error_log +[error] +--- wait: 0.2 + + + +=== TEST 5: update plugin +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "echo": { + "before_body": "before the body modification ", + "auth_value" : "userpass", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "echo": { + "before_body": "before the body modification ", + "auth_value" : "userpass", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 6: access without upstream body change +--- request +GET /hello +--- more_headers +Authorization: userpass +--- response_body +before the body modification hello world +--- response_headers +Location: https://www.iresty.com +--- wait: 0.2 +--- no_error_log +[error] +--- wait: 0.2 + + + +=== TEST 7: update plugin back +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "echo": { + "before_body": "before the body modification ", + "auth_value" : "userpasswrd", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "echo": { + "before_body": "before the body modification ", + "auth_value" : "userpasswrd", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 8: access with wrong value in auth header value throws 401 +--- request +GET /hello +--- more_headers +Authorization: userpass +--- error_code: 401 +--- response_body chomp +before the body modification unauthorized body +--- response_headers +Location: https://www.iresty.com + + + +=== TEST 9: update plugin back +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "echo": { + "before_body": "before the body modification ", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "echo": { + "before_body": "before the body modification ", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 10: access with no auth header and value throws 401 +--- request +GET /hello +--- more_headers +Authorization: userpass +--- error_code: 401 +--- response_body chomp +before the body modification unauthorized body +--- response_headers +Location: https://www.iresty.com + + + +=== TEST 11: update plugin +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "echo": { + "before_body": "before the body modification ", + "auth_value" : "userpass", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "echo": { + "before_body": "before the body modification ", + "auth_value" : "userpass", + "headers": { + "Location":"https://www.iresty.com" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 12: access without authorization as a header should throws 401 +--- request +GET /hello +--- error_code: 401 +--- response_body chomp +before the body modification unauthorized body +--- response_headers +Location: https://www.iresty.com diff --git a/t/plugin/grpc-transcode.t b/t/plugin/grpc-transcode.t index 92a760cf8529d..9baca82075959 100644 --- a/t/plugin/grpc-transcode.t +++ b/t/plugin/grpc-transcode.t @@ -81,7 +81,7 @@ passed local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ - "methods": ["GET"], + "methods": ["GET", "POST"], "uri": "/grpctest", "service_protocol": "grpc", "plugins": { @@ -125,7 +125,31 @@ qr/\{"message":"Hello world"\}/ -=== TEST 4: wrong service protocol +=== TEST 4: hit route by post +--- request +POST /grpctest +name=world +--- response_body eval +qr/\{"message":"Hello world"\}/ +--- no_error_log +[error] + + + +=== TEST 5: hit route by post json +--- request +POST /grpctest +{"name": "world"} +--- more_headers +Content-Type: application/json +--- response_body eval +qr/\{"message":"Hello world"\}/ +--- no_error_log +[error] + + + +=== TEST 6: wrong service protocol --- config location /t { content_by_lua_block { @@ -166,7 +190,7 @@ GET /t -=== TEST 5: wrong upstream address +=== TEST 7: wrong upstream address --- config location /t { content_by_lua_block { @@ -208,7 +232,7 @@ passed -=== TEST 6: hit route (Connection refused) +=== TEST 8: hit route (Connection refused) --- request GET /grpctest --- response_body eval @@ -219,7 +243,7 @@ Connection refused) while connecting to upstream -=== TEST 7: update proto(id: 1) +=== TEST 9: update proto(id: 1) --- config location /t { content_by_lua_block { @@ -266,7 +290,7 @@ passed -=== TEST 8: set routes(id: 2) +=== TEST 10: set routes(id: 2) --- config location /t { content_by_lua_block { @@ -309,7 +333,7 @@ passed -=== TEST 9: hit route +=== TEST 11: hit route --- request GET /grpc_plus?a=1&b=2 --- response_body eval @@ -319,7 +343,7 @@ qr/\{"result":3\}/ -=== TEST 10: hit route +=== TEST 12: hit route --- request GET /grpc_plus?a=1&b=2251799813685260 --- response_body eval @@ -329,7 +353,7 @@ qr/\{"result":"#2251799813685261"\}/ -=== TEST 11: set route3 deadline nodelay +=== TEST 13: set route3 deadline nodelay --- config location /t { content_by_lua_block { @@ -371,7 +395,7 @@ passed -=== TEST 12: hit route +=== TEST 14: hit route --- request GET /grpc_deadline?name=apisix --- response_body eval @@ -381,7 +405,7 @@ qr/\{"message":"Hello apisix"\}/ -=== TEST 13: set route4 deadline delay +=== TEST 15: set route4 deadline delay --- config location /t { content_by_lua_block { @@ -423,14 +447,14 @@ passed -=== TEST 14: hit route +=== TEST 16: hit route --- request GET /grpc_delay?name=apisix --- error_code: 504 -=== TEST 15: set routes: missing method +=== TEST 17: set routes: missing method --- config location /t { content_by_lua_block { diff --git a/t/plugin/http-logger.t b/t/plugin/http-logger.t new file mode 100644 index 0000000000000..029a85e17413e --- /dev/null +++ b/t/plugin/http-logger.t @@ -0,0 +1,597 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +log_level('debug'); +repeat_each(1); +no_long_string(); +no_root_location(); +run_tests; + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.http-logger") + local ok, err = plugin.check_schema({uri = "127.0.0.1"}) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + + +=== TEST 2: full schema check +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.http-logger") + local ok, err = plugin.check_schema({uri = "127.0.0.1", + auth_header = "Basic 123", + timeout = 3, + name = "http-logger", + max_retry_count = 2, + retry_delay = 2, + buffer_duration = 2, + inactive_timeout = 2, + batch_max_size = 500, + }) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + + +=== TEST 3: uri is missing +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.http-logger") + local ok, err = plugin.check_schema({auth_header = "Basic 123", + timeout = 3, + name = "http-logger", + max_retry_count = 2, + retry_delay = 2, + buffer_duration = 2, + inactive_timeout = 2, + batch_max_size = 500, + }) + if not ok then + ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +property "uri" is required +done +--- no_error_log +[error] + + + +=== TEST 4: add plugin +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "http-logger": { + "uri": "http://127.0.0.1:1982/hello", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }]], + [[{ + "node": { + "value": { + "plugins": { + "http-logger": { + "uri": "http://127.0.0.1:1982/hello", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 5: access local server +--- request +GET /opentracing +--- response_body +opentracing +--- error_log +Batch Processor[http logger] successfully processed the entries +--- wait: 0.5 + + + +=== TEST 6: set to the http external endpoint +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "http-logger": { + "uri": "http://127.0.0.1:8888/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "http-logger": { + "uri": "http://127.0.0.1:8888/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 7: access external endpoint +--- request +GET /hello +--- response_body +hello world +--- error_log +Batch Processor[http logger] successfully processed the entries +--- wait: 1.5 + + + +=== TEST 8: set wrong https endpoint +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "http-logger": { + "uri": "https://127.0.0.1:8888/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }]], + [[{ + "node": { + "value": { + "plugins": { + "http-logger": { + "uri": "https://127.0.0.1:8888/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 9: access wrong https endpoint +--- request +GET /hello1 +--- response_body +hello1 world +--- error_log +failed to perform SSL with host[127.0.0.1] port[8888] handshake failed +--- wait: 1.5 + + + +=== TEST 10: set correct https endpoint +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "http-logger": { + "uri": "https://127.0.0.1:9999/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }]], + [[{ + "node": { + "value": { + "plugins": { + "http-logger": { + "uri": "https://127.0.0.1:9999/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 11: access correct https endpoint +--- request +GET /hello1 +--- response_body +hello1 world +--- error_log +Batch Processor[http logger] successfully processed the entries +--- wait: 1.5 + + + +=== TEST 12: set batch max size to two +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "http-logger": { + "uri": "https://127.0.0.1:9999/hello-world-http", + "batch_max_size": 2, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }]], + [[{ + "node": { + "value": { + "plugins": { + "http-logger": { + "uri": "https://127.0.0.1:9999/hello-world-http", + "batch_max_size": 2, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 13: access route with batch max size twice +--- config + location /t { + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello1" + local res, err = httpc:request_uri(uri, { method = "GET"}) + res, err = httpc:request_uri(uri, { method = "GET"}) + ngx.status = res.status + if res.status == 200 then + ngx.say("hello1 world") + end + } + } +--- request +GET /t +--- response_body +hello1 world +--- error_log +Batch Processor[http logger] batch max size has exceeded +tranferring buffer entries to processing pipe line, buffercount[2] +Batch Processor[http logger] successfully processed the entries +--- wait: 1.5 + + + +=== TEST 14: set wrong port +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "http-logger": { + "uri": "http://127.0.0.1:9991/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }]], + [[{ + "node": { + "value": { + "plugins": { + "http-logger": { + "uri": "http://127.0.0.1:9991/hello-world-http", + "batch_max_size": 1, + "max_retry_count": 1, + "retry_delay": 2, + "buffer_duration": 2, + "inactive_timeout": 2 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello1" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 15: access wrong port +--- request +GET /hello1 +--- response_body +hello1 world +--- error_log +Batch Processor[http logger] failed to process entries: failed to connect to host[127.0.0.1] port[9991] connection refused +--- wait: 1.5 diff --git a/t/plugin/limit-conn.t b/t/plugin/limit-conn.t index 3cfbc6d8f3db8..02f907f6a1ac2 100644 --- a/t/plugin/limit-conn.t +++ b/t/plugin/limit-conn.t @@ -797,3 +797,64 @@ GET /test_concurrency 503 --- error_log limit key: 10.10.10.2route + + + +=== TEST 20: default rejected_code +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "limit-conn": { + "conn": 100, + "burst": 50, + "default_conn_delay": 0.1, + "key": "remote_addr" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/limit_conn" + }]], + [[{ + "node": { + "value": { + "plugins": { + "limit-conn": { + "rejected_code": 503 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/limit_conn" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] diff --git a/t/plugin/limit-count.t b/t/plugin/limit-count.t index 988a99cf9a9cb..0e22937d029a8 100644 --- a/t/plugin/limit-count.t +++ b/t/plugin/limit-count.t @@ -585,3 +585,55 @@ passed [200, 200, 503, 503] --- no_error_log [error] + + + +=== TEST 20: default rejected_code +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "methods": ["GET"], + "plugins": { + "limit-count": { + "count": 2, + "time_window": 60, + "key": "remote_addr" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "limit-count": { + "rejected_code": 503 + } + } + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] diff --git a/t/plugin/limit-req.t b/t/plugin/limit-req.t index a9d4127bb8c74..001d975d684f3 100644 --- a/t/plugin/limit-req.t +++ b/t/plugin/limit-req.t @@ -379,3 +379,56 @@ GET /t passed --- no_error_log [error] + + + +=== TEST 11: default rejected_code +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "limit-req": { + "rate": 4, + "burst": 2, + "key": "remote_addr" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "desc": "上游节点", + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "limit-req": { + "rejected_code": 503, + "key": "remote_addr" + } + } + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] diff --git a/t/plugin/prometheus.t b/t/plugin/prometheus.t index 078d4796691e3..4e99b84d4a95c 100644 --- a/t/plugin/prometheus.t +++ b/t/plugin/prometheus.t @@ -524,3 +524,142 @@ GET /apisix/prometheus/metrics qr/apisix_http_status\{code="404",route="3",service="",node="127.0.0.1"\} 2/ --- no_error_log [error] + + + +=== TEST 25: fetch the prometheus metric data with `overhead` +--- request +GET /apisix/prometheus/metrics +--- response_body eval +qr/.*apisix_http_overhead_bucket.*/ +--- no_error_log +[error] + + + +=== TEST 26: add service 3 to distinguish other services +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/3', + ngx.HTTP_PUT, + [[{ + "plugins": { + "prometheus": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1981": 1 + }, + "type": "roundrobin" + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 27: add a route 4 to redirect /sleep1 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/4', + ngx.HTTP_PUT, + [[{ + "service_id": 3, + "uri": "/sleep1" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 28: request from client to /sleep1 ( all hit) +--- pipelined_requests eval +["GET /sleep1", "GET /sleep1", "GET /sleep1"] +--- error_code eval +[200, 200, 200] +--- no_error_log +[error] + + + +=== TEST 29: fetch the prometheus metric data with `overhead`(the overhead < 1s) +--- request +GET /apisix/prometheus/metrics +--- response_body eval +qr/apisix_http_overhead_bucket.*service=\"3\".*le=\"00500.0.*/ +--- no_error_log +[error] + + + +=== TEST 30: delete route 4 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/4', + ngx.HTTP_DELETE + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 31: delete service 3 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/services/3', + ngx.HTTP_DELETE + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] diff --git a/t/plugin/redirect.t b/t/plugin/redirect.t index 0f413c5218127..1415db2da82d8 100644 --- a/t/plugin/redirect.t +++ b/t/plugin/redirect.t @@ -14,18 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # -BEGIN { - if ($ENV{TEST_NGINX_CHECK_LEAK}) { - $SkipReason = "unavailable for the hup tests"; - - } else { - $ENV{TEST_NGINX_USE_HUP} = 1; - undef $ENV{TEST_NGINX_USE_STAP}; - } -} - use t::APISIX 'no_plan'; +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + repeat_each(1); no_long_string(); no_shuffle(); @@ -346,3 +338,340 @@ Location: /hello//bar --- error_code: 301 --- no_error_log [error] + + + +=== TEST 15: http -> https redirect +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "host": "foo.com", + "vars": [ + [ + "scheme", + "==", + "http" + ] + ], + "plugins": { + "redirect": { + "uri": "https://$host$request_uri", + "ret_code": 301 + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 16: redirect +--- request +GET /hello +--- more_headers +Host: foo.com +--- error_code: 301 +--- response_headers +Location: https://foo.com/hello + + + +=== TEST 17: enable http_to_https +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "host": "foo.com", + "plugins": { + "redirect": { + "http_to_https": true + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 18: redirect +--- request +GET /hello +--- more_headers +Host: foo.com +--- error_code: 301 +--- response_headers +Location: https://foo.com/hello + + + +=== TEST 19: enable http_to_https with ret_code(not take effect) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "host": "foo.com", + "plugins": { + "redirect": { + "http_to_https": true, + "ret_code": 302 + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 20: redirect +--- request +GET /hello +--- more_headers +Host: foo.com +--- error_code: 301 +--- response_headers +Location: https://foo.com/hello + + + +=== TEST 21: wrong configure, enable http_to_https with uri +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "host": "foo.com", + "plugins": { + "redirect": { + "http_to_https": true, + "uri": "/hello" + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body eval +qr/error_msg":"failed to check the configuration of plugin redirect err: value should match only one schema, but matches both schemas 1 and 2/ +--- no_error_log +[error] + + + +=== TEST 22: enable http_to_https with upstream +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "uri": "/hello", + "host": "test.com", + "plugins": { + "redirect": { + "http_to_https": true + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 23: redirect +--- request +GET /hello +--- more_headers +Host: test.com +--- error_code: 301 +--- response_headers +Location: https://test.com/hello + + + +=== TEST 24: set ssl(sni: test.com) +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/apisix.crt") + local ssl_key = t.read_file("conf/cert/apisix.key") + local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"} + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PUT, + core.json.encode(data), + [[{ + "node": { + "value": { + "sni": "test.com" + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 25: client https request +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test.com", false) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /hello HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to receive response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body eval +qr{connected: 1 +ssl handshake: userdata +sent http request: 58 bytes. +received: HTTP/1.1 200 OK +received: Content-Type: text/plain +received: Connection: close +received: Server: \w+ +received: \nreceived: hello world +close: 1 nil} +--- no_error_log +[error] +[alert] diff --git a/t/plugin/serverless.t b/t/plugin/serverless.t index d6c691a3e0b0b..ad7828640dd13 100644 --- a/t/plugin/serverless.t +++ b/t/plugin/serverless.t @@ -568,3 +568,62 @@ passed GET /hello --- error_log serverless pre function:2 + + + +=== TEST 19: http -> https redirect +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "serverless-pre-function": { + "functions" : ["return function() if ngx.var.scheme == \"http\" and ngx.var.host == \"foo.com\" then ngx.header[\"Location\"] = \"https://foo.com\" .. ngx.var.request_uri; ngx.exit(ngx.HTTP_MOVED_PERMANENTLY); end; end"] + } + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "serverless-pre-function": { + "functions" : ["return function() if ngx.var.scheme == \"http\" and ngx.var.host == \"foo.com\" then ngx.header[\"Location\"] = \"https://foo.com\" .. ngx.var.request_uri; ngx.exit(ngx.HTTP_MOVED_PERMANENTLY); end; end"] + } + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- more_headers +Host: foo.com +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 20: check plugin +--- request +GET /hello +--- more_headers +Host: foo.com +--- error_code: 301 +--- response_headers +Location: https://foo.com/hello diff --git a/t/plugin/skywalking.t b/t/plugin/skywalking.t new file mode 100644 index 0000000000000..fef7b464031ef --- /dev/null +++ b/t/plugin/skywalking.t @@ -0,0 +1,328 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +BEGIN { + if ($ENV{TEST_NGINX_CHECK_LEAK}) { + $SkipReason = "unavailable for the hup tests"; + + } else { + $ENV{TEST_NGINX_USE_HUP} = 1; + undef $ENV{TEST_NGINX_USE_STAP}; + } +} + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +log_level("debug"); +run_tests; + +__DATA__ + +=== TEST 1: add plugin +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "skywalking": { + "endpoint": "http://127.0.0.1:1982/mock_skywalking", + "sample_ratio": 1, + "service_name": "APISIX" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }]], + [[{ + "node": { + "value": { + "plugins": { + "skywalking": { + "endpoint": "http://127.0.0.1:1982/mock_skywalking", + "sample_ratio": 1, + "service_name":"APISIX" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: tiger skywalking +--- request +GET /opentracing +--- response_body +opentracing +--- no_error_log +[error] +--- grep_error_log eval +qr/skywalking service Instance registered, service instance id: \d+/ +--- grep_error_log_out eval +qr/skywalking service Instance registered, service instance id: 1/ + + + +=== TEST 3: test heartbeat +--- request +GET /opentracing +--- response_body +opentracing +--- no_error_log +[error] +--- error_log +skywalking heartbeat ok + + + +=== TEST 4: change sample ratio +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "skywalking": { + "endpoint": "http://127.0.0.1:1982/mock_skywalking", + "sample_ratio": 0.00001 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }]], + [[{ + "node": { + "value": { + "plugins": { + "skywalking": { + "endpoint": "http://127.0.0.1:1982/mock_skywalking", + "sample_ratio": 0.00001 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 5: not tiger skywalking +--- request +GET /opentracing +--- response_body +opentracing +--- no_error_log +push data into skywalking context + + + +=== TEST 6: disabled +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }]], + [[{ + "node": { + "value": { + "plugins": { + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 7: not tiger skywalking +--- request +GET /opentracing +--- response_body +opentracing +--- no_error_log +rewrite phase of skywalking plugin + + + +=== TEST 8: enable skywalking +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "skywalking": { + "endpoint": "http://127.0.0.1:1982/mock_skywalking", + "sample_ratio": 1, + "service_name": "APISIX" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }]], + [[{ + "node": { + "value": { + "plugins": { + "skywalking": { + "endpoint": "http://127.0.0.1:1982/mock_skywalking", + "sample_ratio": 1, + "service_name":"APISIX" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/opentracing" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 9: test segments report +--- request +GET /opentracing +--- response_body +opentracing +--- no_error_log +[error] +--- error_log +skywalking segments reported diff --git a/t/plugin/syslog.t b/t/plugin/syslog.t new file mode 100644 index 0000000000000..05a5cd1dd80c0 --- /dev/null +++ b/t/plugin/syslog.t @@ -0,0 +1,267 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +run_tests; + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.syslog") + local ok, err = plugin.check_schema({ + host = "127.0.0.1", + port = 3000, + }) + if not ok then + ngx.say(err) + end + ngx.say("done") + } + } +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + + +=== TEST 2: missing port +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.syslog") + local ok, err = plugin.check_schema({host = "127.0.0.1"}) + if not ok then + ngx.say(err) + end + ngx.say("done") + } + } +--- request +GET /t +--- response_body +property "port" is required +done +--- no_error_log +[error] + + + +=== TEST 3: wrong type of string +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.syslog") + local ok, err = plugin.check_schema({ + host = "127.0.0.1", + port = "3000", + }) + if not ok then + ngx.say(err) + end + ngx.say("done") + } + } +--- request +GET /t +--- response_body +property "port" validation failed: wrong type: expected integer, got string +done +--- no_error_log +[error] + + + +=== TEST 4: add plugin +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "syslog": { + "host" : "127.0.0.1", + "port" : 5044 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "syslog": { + "host" : "127.0.0.1", + "port" : 5044 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 5: access +--- request +GET /hello +--- response_body +hello world +--- no_error_log +[error] +--- wait: 0.2 + + + +=== TEST 6: flush manually +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.syslog") + local logger_socket = require "resty.logger.socket" + local logger, err = logger_socket:new({ + host = "127.0.0.1", + port = 5044, + flush_limit = 100, + }) + + local bytes, err = logger:log("abc") + if err then + ngx.log(ngx.ERR, err) + end + + local bytes, err = logger:log("efg") + if err then + ngx.log(ngx.ERR, err) + end + + local ok, err = plugin.flush_syslog(logger) + if not ok then + ngx.say(err) + end + ngx.say("done") + } + } +--- request +GET /t +--- no_error_log +[error] + + + +=== TEST 7: small flush_limit, instant flush +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "syslog": { + "host" : "127.0.0.1", + "port" : 5044, + "flush_limit" : 1 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "syslog": { + "host" : "127.0.0.1", + "port" : 5044, + "flush_limit" : 1 + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }, + "key": "/apisix/routes/1" + }, + "action": "set" + }]] + ) + + if code >= 300 then + ngx.status = code + end + + ngx.say(body) + + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello" + local res, err = httpc:request_uri(uri, {method = "GET"}) + } + } +--- request +GET /hello +hello world +--- no_error_log +[error] +--- wait: 0.2 diff --git a/t/plugin/uri-blocker.t b/t/plugin/uri-blocker.t new file mode 100644 index 0000000000000..3cf2e37bc12b2 --- /dev/null +++ b/t/plugin/uri-blocker.t @@ -0,0 +1,332 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(2); +no_long_string(); +no_root_location(); +no_shuffle(); + +run_tests; + +__DATA__ + +=== TEST 1: invalid regular expression +--- config +location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "uri-blocker": { + "block_rules": [".+("] + } + }, + "uri": "/hello" + }]]) + + if code >= 300 then + ngx.status = code + end + ngx.print(body) + } +} +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"failed to check the configuration of plugin uri-blocker err: pcre_compile() failed: missing ) in \".+(\""} +--- no_error_log +[error] + + + +=== TEST 2: multiple valid rules +--- config +location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "uri-blocker": { + "block_rules": ["^a", "^b"] + } + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] +--- error_log +concat block_rules: ^a|^b, + + + +=== TEST 3: multiple rules(include one invalid rule) +--- config +location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "uri-blocker": { + "block_rules": ["^a", "^b("] + } + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.print(body) + } +} +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"failed to check the configuration of plugin uri-blocker err: pcre_compile() failed: missing ) in \"^b(\""} +--- no_error_log +[error] + + + +=== TEST 4: sanity +--- config +location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "uri-blocker": { + "block_rules": ["aa"] + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]], + [[{ + "node": { + "value": { + "plugins": { + "uri-blocker": { + "block_rules": ["aa"] + } + } + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] +--- error_log +concat block_rules: aa, + + + +=== TEST 5: hit block rule +--- request +GET /hello?aa=1 +--- error_code: 403 +--- no_error_log +[error] + + + +=== TEST 6: miss block rule +--- request +GET /hello?bb=2 +--- no_error_log +[error] + + + +=== TEST 7: multiple block rules +--- config +location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "uri-blocker": { + "block_rules": ["aa", "bb", "c\\d+"] + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] +--- error_log +concat block_rules: aa|bb|c\d+, + + + +=== TEST 8: hit block rule +--- request +GET /hello?x=bb +--- error_code: 403 +--- no_error_log +[error] + + + +=== TEST 9: hit block rule +--- request +GET /hello?bb=2 +--- error_code: 403 +--- no_error_log +[error] + + + +=== TEST 10: hit block rule +--- request +GET /hello?c1=2 +--- error_code: 403 +--- no_error_log +[error] + + + +=== TEST 11: not hit block rule +--- request +GET /hello?cc=2 +--- no_error_log +[error] + + + +=== TEST 12: SQL injection +--- config +location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "uri-blocker": { + "block_rules": ["select.+(from|limit)", "(?:(union(.*?)select))"] + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] +--- error_log +concat block_rules: select.+(from|limit)|(?:(union(.*?)select)), + + + +=== TEST 13: hit block rule +--- request +GET /hello?name=;select%20from%20sys +--- error_code: 403 +--- no_error_log +[error] + + + +=== TEST 14: hit block rule +--- request +GET /hello?name=;union%20select%20 +--- error_code: 403 +--- no_error_log +[error] + + + +=== TEST 15: not hit block rule +--- request +GET /hello?cc=2 +--- no_error_log +[error] diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t index 8f1854509fd18..86724e04f2ced 100644 --- a/t/router/radixtree-sni.t +++ b/t/router/radixtree-sni.t @@ -362,7 +362,7 @@ passed -=== TEST 8: client request +=== TEST 8: client request: test.com --- config listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -434,3 +434,510 @@ lua ssl server name: "test.com" --- no_error_log [error] [alert] + + + +=== TEST 9: set ssl(sni: *.test2.com) +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/test2.crt") + local ssl_key = t.read_file("conf/cert/test2.key") + local data = {cert = ssl_cert, key = ssl_key, sni = "*.test2.com"} + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PUT, + core.json.encode(data), + [[{ + "node": { + "value": { + "sni": "*.test2.com" + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 10: client request: www.test2.com +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "www.test2.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: 18: self signed certificate +--- error_log +lua ssl server name: "www.test2.com" +--- no_error_log +[error] +[alert] + + + +=== TEST 11: client request: aa.bb.test2.com +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "aa.bb.test2.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: certificate host mismatch +--- error_log +lua ssl server name: "aa.bb.test2.com" +not found any valid sni configuration, matched sni: *.test2.com current sni: aa.bb.test2.com +--- no_error_log +[error] +[alert] + + + +=== TEST 12: disable ssl(sni: *.test2.com) +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local data = {status = 0} + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PATCH, + core.json.encode(data), + [[{ + "node": { + "value": { + "status": 0 + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 13: client request: www.test2.com -- failed by disable +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "www.test2.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: certificate host mismatch +--- error_log +lua ssl server name: "www.test2.com" +--- no_error_log +[error] +[alert] + + + +=== TEST 14: enable ssl(sni: *.test2.com) +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local data = {status = 1} + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PATCH, + core.json.encode(data), + [[{ + "node": { + "value": { + "status": 1 + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 15: client request: www.test2.com again +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "www.test2.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: 18: self signed certificate +--- error_log +lua ssl server name: "www.test2.com" +--- no_error_log +[error] +[alert] + + + +=== TEST 16: set ssl(snis: {test2.com, *.test2.com}) +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/test2.crt") + local ssl_key = t.read_file("conf/cert/test2.key") + local data = {cert = ssl_cert, key = ssl_key, snis = {"test2.com", "*.test2.com"}} + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PUT, + core.json.encode(data), + [[{ + "node": { + "value": { + "snis": ["test2.com", "*.test2.com"] + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 17: client request: test2.com +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test2.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: 18: self signed certificate +--- error_log +lua ssl server name: "test2.com" +--- no_error_log +[error] +[alert] + + + +=== TEST 18: client request: aa.bb.test2.com -- snis un-include +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "aa.bb.test2.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: certificate host mismatch +--- error_log +lua ssl server name: "aa.bb.test2.com" +not found any valid sni configuration, matched sni: ["moc.2tset","moc.2tset.*"] current sni: aa.bb.test2.com +--- no_error_log +[error] +[alert] + + + +=== TEST 19: set ssl(encrypt ssl key with another iv) +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("conf/cert/test2.crt") + local ssl_key = t.aes_encrypt(t.read_file("conf/cert/test2.key")) + local data = {cert = ssl_cert, key = ssl_key, snis = {"test2.com", "*.test2.com"}} + + local code, body = t.test('/apisix/admin/ssl/1', + ngx.HTTP_PUT, + core.json.encode(data), + [[{ + "node": { + "value": { + "snis": ["test2.com", "*.test2.com"] + }, + "key": "/apisix/ssl/1" + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 20: client request: test2.com +--- config +listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + +location /t { + content_by_lua_block { + -- etcd sync + ngx.sleep(0.2) + + do + local sock = ngx.socket.tcp() + + sock:settimeout(2000) + + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local sess, err = sock:sslhandshake(nil, "test2.com", true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + end -- do + -- collectgarbage() + } +} +--- request +GET /t +--- response_body +connected: 1 +failed to do SSL handshake: handshake failed +--- error_log +decrypt ssl key failed. diff --git a/t/stream-plugin/mqtt-proxy.t b/t/stream-plugin/mqtt-proxy.t index 7556fcd491a47..82f5453ba329a 100644 --- a/t/stream-plugin/mqtt-proxy.t +++ b/t/stream-plugin/mqtt-proxy.t @@ -14,9 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # -BEGIN { - $ENV{TEST_NGINX_USE_HUP} = 1; -} use t::APISIX 'no_plan';

!Khe=*(S_f#pecz9UmM z(q8UV?5+ERn=*{!^BNpM%d=Cg?q^dtJ2OrX)#*c)69P9IoiBL^X2mmW_Yg1 zl;)9_yShGgccUX?$q5^ZpaW@lls#`JCuK37ihM{}kwMd&A4)*OgBtKSO~h1_tO&|! zERUbt-aH({ME(rK6u{eAR_0%S`+N$NA5kX(65oKjCd=le>sDx5G;;8~a%}b&Oi|B& zJEowyX#En<%3nS8i@`8Su|VuJcI$ezmgfzi-wN!<75a(Ne{a7(E8AaxL3nhRf#C@) zMwFDRE5B4QO%w&pcn;F4!LC9^hq*e2R;Ol^xO!k$){$itysR88n$ytOz}>93j+v~e ztQ}&9T^5|I0+CCV>XZ#3e|hr*=_w!ic%U7(e!4Ubjk%3xhr)xi^tN^4aBjC7YHHGV z72@3i_(YwZnCAy?NxJyVj@K|N2@OJ*C$l=EhbfC{^SWNAaJu01FHw#WM5#oV6lZa& z^C5n~P;dB*OyJdkAH79uqz&9{eF_3mK^%q!aLEuF@Od(;;g*k-W zXo!5+;b-UOhJi1^zQ?|s<=QdyCvnErCg35mdtUVEpOyQ-SX;<#KrEIaF!AP7%KqMH z$9{`|n!^D-|E+r=qvwxvy}C|>%O^e_S7(brt|{VJyW&#yh#QVN&g>mw0qxs(??(UY zV}YM6ASO>AWj<`>A4%bVZrR^^R|Cn{|Ne_px~eET;oK+l0wCqrOmm!%f)ZODwo66b zJ$9lK)KKi8;jN;q9B{m(6PuJYL#G((aG)z2Xq#7E0w+#tAe%iA{;bLOKC$ocWDA%o zzDm*4tzle=+rDYCCDS(8q+dA5JSNs^e6!Tfyf}nzI?Cq0rJ<&z74(Fk^AQJ^9>AG( z&V;HtrCbavf^)X;!X)HU^OBO9up|>nRBn(Sp9KUUZU>8c=T4)9)Jvu7hM8?mKb@B8 zvGo$rr`6=165aOmN2u219n!165e;TRxXvcLMttxX-$qQ?!Y~rD(3$B|A>trlO8R9) zUck~r1pg_?IwcPYF#iiK_t-U0Rb6BT)OSz0jQaYg5C{Z}(o6*isRAYl-~_Iw20LCm z={u>toVzQUL4h@O&*Yd><$1=p)F*`ep@csc9;{i>3;(Nw{A=Tb{r={Sdzb_I|xc-I@DdzO7pv8TTaVrSY(teW|@rlG%V0KiVv5U zS2fOU-%n7Z6j0@JNdP=Ulj8?)c!Ax?tKp^q+t`ZnE+)t8SFbW!TW=5|eCK$Q1-HMi zA)%Asx*QDbz1al~;|b($*v2JrC6e7P{TX*vz{BpAic~$H4-#SPW-}LQrB}9_pYMdj z`xD)5DO>|H5x_CuIc@zS!sD|baZyI6h)oy3mAqU^mKQx ztZih_LzQrFE}Wfagz$M>hdCc?KE14E%~lj;YjEkLoYeGJrl2?cd1IHrMFJTy4(-|) zW>Ub;^r4U0eEdl)h;4MEDWnHS0_|CM=gaNc238DQAEk*jMX>@>o>tAJL!CLD1rh@m z4`+$?Xt6a_^@)tEN-PK4QoT2OkF-~{HB|h+zxq}jJ=%2@XV4Ky2@ij6Fjcu}t5=D{ zaAO&O|5n{HIF;6;tHXDxtjW6FABCgs+qVaqZJy`FCHc$y%_b}JjG=gV0X+LD3=;|H zE8JrGgl?%3pK+wGR%FV=xExB^?Ya)85J11qf@snaaWhx>$O_K&?hWu1xLBB%up&Tu zL<|Q`IWVi6C7LF-3g&}j`0%5$!SM6E?JbzHp%4Geb>n&S`BKQWxdJ}Q-$(pkXZ`Ij zfG`B^UO~{Mj_7p#H%GnHIr{zao~q$X8j6b{T`8u%Np*ERR@yA;_-}~01LaxO7|6)* z_FLUPj?&Q=GRnz?pDu-JQOB5})@7m*5 z!}f6?4%e!;VQzj^@;37%NYISYdy)M=p45Mq+yCW137W&TEw$VA(N!s`sQA>)|0wB{ zEWjhCVoPptWy3CSZG5namd$QG?@W?}gm}P|6`$44tkawjbnn5yVh96$hA6yhR&0Y% zE*V0ZD7=<<1o?7kM^EP-&)bS+LnfH;o7oM500>ET2MUdX75uXe;-uH3C0Ol7mj*Ey~J6aV-}bM;r%{reZ6Z8@j=X`vG_laZ7(C&VD&mS>n z2cOPK9<(98yg;uz&=E^BHTm;G(`09+pu=Q2G=`IVniC%?3LkRkvz=ha0b8G#s_Gc7 zVoW2aZflC4bWdVEr9rMeq#}096SFPK&{L64&p=k`+uYoJL$NNyo_AClmG;!+ax#(E z+lJ`XO-*?1(8!z!CPM?L4OY;E-b_GFP6$9oeM7bxS6*W;mez@qk})|^yMNtijzsl> zZ1oF)UQW-`B_6S)^3|RGu0pfr7U}nU;eLU^57|Ao4o}9DuMXCd(@A)W-*<9Kg||J1 zuHBak{dR;o0(@QVAavJ{@<8+ZVmf*Dzlhy`Kga)m%07S@yeE*2mJPy3IWkL19=d%` z6|OUSM99foTj*W2fM681Lh-#+`6i6L$`wXk9>6Q_{V zY2Q>Ty-`L&t85+8yX&sknWnqCDr4r1QqqCyXGeG|l zkJ!f6!LCymEjgcXAMUSN)j$tv|@ zp{J1o99lZLxT2r4E4(|QMq;$9%gaGFkaf`zPHJ}gM-{{?LGQ%tI}ZFLn|0m?7XJ9* zv9P*Ip7p+U+6Dq+Gkc|%I>pgR97s(|iJf0y@CxsxN~_BNs*j4NXAr01Sg>-;vxso$ zMh(9$n{Bz|<+q6L-j3X z3EbUVWSW8D;KeWTC|yLi7TjOWSNeJgwQ&$DW+?;^n-a6 zM944TfkFSY%K>(tnS5TE>Xulp!TVxx*SwszvT$3!V{0^{tMb%H9Dfy%4m4TNVf!8- zVC;pstTyJ#^WYQfeWkZA8EorX9Pn>sH#yaq?t5TB1(f5Qxc`-D{-9C_u}AQT$NxFwXIlulFx@{hp5V#2#hSEl;;ODfnU|ttI zlz@t(EFFzfLVRm#P{a^bN#0~jZ8l|P;jS*hjP|fktVUrzQ9T`L{+9Y34gkJ!uKVr=8*Q`AQV>$h{GF=MT!h$A*b~Q`N z;Gt@0E;rfk#g|Q$6kZrkB3eWJ%TH*bPa#xr%+|CmE=55&#Q)#Lx8y8vgV;2;vf__99rnwpy4CQ7fqIz<3vUm3YqeVWGq zRjN?osJArV+hjpnO)RFT>^4pC-w{*wEoLxNQIQ8f>1vZCsAXn3dX*QLy0RV<5YO|& z-D81pA?yx}|L9cJCno=8p`45!8prx`VyY)j96>R5QQuxrN19PlzcWL98S`-1taw|I zjvnmwqOy0JMYu7s>V4T#m!-l+E@45H=4S68lJ1!h&6?1GuR7&v$+>eIlc*P^&e0vy zbd2Ge)Con!#o|fz9J@14Xz6GFqzF^O1n<9+c}2j4&J zcb$EI97I$y+R7=VWsiwnj)d+XVmFFLn;_7(b8lpb=tlrtp-{bYgXCX$&VT>HM*@b% zuk4_F7dOBkpO}gY>6T+Ndx~#R_00HI+5L~tBR;q-Z~No^5e4;`Ky|(Opp_7ut~ry9 zsP{FUV)VJLR8(jl6oX@`HAe;L#`$Q=t|zMkmGx7cG>IERke>-ATtPhQimH9n)1p<7 zyKJniS&}6Qtn&ku0Wv6s=SBkDFUkAex2MO|2NH&!si0zF5||mlJ7|T7eQ&9Ccv9P&g_PH%g$wiAdmy~glzSu}K~G$>rkvV{dyQan&vr^FQR zT)4T4H#ptWM0|X>KXmgVr7f_ftzNxB_P@8*Uw`2v2dAuGz%y4wFazxVc5}uN6Bjpa zu?>v=BqSxx1#HNa`dRjLT@#OCEBeE=n`Fqg zMF;03B?l}j*&Zy`tHo?G-14a9g-zv!jm)_2p%rrh8u?cNtDsi-zLkkYzoG zh+jBsKxI*uc2v~V{7OpTQn*t6!DVXcGjCxNbWaO@}ux<}L>#p807XKJdsYC@LqpQygI{#m3@h&fCs09?<+n9AA zb&6|(6bN__qav|6>45H>#%O@XpRvIBY+I^y)zGL6xqT z?l3M~1Vy#nBQ#)}0XO0B#u`~D-L^RS=TK$y;z284C*mu;YCn{?|v4ZJ&z1_8} zhS!8}(0B;z8&XVSOw3r4YqPYV#u1Oz&CT$@Kq5fkL{(JucHwihNP+2py}ml?<5_*3 zSX{{;8LRt3C#Ne|dSr*oaB+3_xz#6h*xrt6bJT|?V`yH+-xei16o}s(9e)>lr4k6y z*sP5Su~RjbZ0KNRcR)*>=utyPm%p&&c9^D|rCBP-mCm2WeBnV zUN1haWZ+*s~l~XXcN{?{kpck^RNT>}3FypO`_Q8`>5nEe? zqa!Iref1|#FeUsRyj;qGXw=)h30hRnr@|C3#d0bzn~L|kHjjm3Cb^4JGVc#;~4^#KuAKV(5)>_Vx zJF#&%ZscjoeYO79N#%iSm^nV0fHUPu?X9MwZh$v$z#)bIH;qmbsFK-6NeK|CU ze4&N=$k3gkuu_$_$VM{R)HD-#NeIN};OK-g$|3D?XO+GJwg-~DII=ga%MoA^MU>@2 zR#r>{sq)>e9u$Y2QLlhvU#k-;i>A!M{QO~`+803sgKC^8Zt<26*Qk1)rWDMbr9Dtz z%`z*3Tvjl5a{A%?Fj$&8bjWP3@j}7reL{i)I6ylQ3&5}`wpGW5jSYM=+ee0^!PZ&z zLWP1>6{B2k>?r#myq=z(qKtD2;xvYSKpKw91d-HHqRa!#5a%s>2f3~NZ(ayM67yOo z{JF|HEs>H=xjhfSOP>RWO?u(V@R=12x3~FNNRQGydg%Ty_#1!&_2KX*9p7&~^==ht zx4wtW%*+;NX=!QUURQNq(b03;AVuJzUHj~7=pPK5zhIuHqwp#@%plg1u^ri!l%Dlo-}u zfDt8xkT4vOl>)Wjhtxw+x(vK5pSvDJ)`NzG*(9ZM^c9h;kN%jBeXZ8S7A;7;UDPBQxXo+oQGQ7MZF z6J#Id+!$ZUWh!<^Jb%eA#+$3?s5Q#B1%}-9?o`SrQfHltd6hr1Rg<9J_KWWRFvlcT zQ{SLFkIiqU&b#f$Hico&{C5ZZ zHr-pSYVNr(mV>10)$X+|3p7}?Lp4Y`>Jp=ZH6)|3sBt_nBgX$>4#1k?@RT1D>HEq8 zy;T8bluCAB#%L!Mcn^Kw_8`oxss;b9|$!F}n8O5it@u(ttJV;^~b z{$Mcp?C7D=f`{EDj!g2WQMZkx3s>!nll`RR68g@Fn|v;gHE4Zg`Q=RQJ#zXXqlDUV zXcYHdPyPfpw@^{Ef$nxFy6g{qY;%-`P7Dc@2HgP^^8dzN|NP4a4P3TZSUVWLgM{s~ zohierWDs?KJGJSO-6FhMBwUeO7fe3o{Ac_PIO$&4pexj6gKm~YCdC&#YNE3}uAtdw z1J!#ddnisXwqpckRRI%CjgY)OhZe%+QM+F~8>vJJmt+2h95Yt39>0~-RT0D_EKnFc z4{JF-JHrsqb?%VF*Hcrw`vxkCNjmHw_by%COee=8U`x|%$~mqAz}C-cst^Fm-hEG(U0cT|#HYW3jZ;a`9UZ4iZJWnR(m;`%11Kw@Viry%zXBo0`N zoAZqfA8v31dBl-_5~9~n^EfN+55StZ$!UMQ=NY!D*}QEZ-RtXA9;aSB*^oENI40@g zF@Sa%{1BwpB|p<>b$3ZtwRh(p*aP4lGz3di-L9Gd$S-<+;!{m!AF8NpZNlEbBe35U zzqvUL=>j}0vU|=kE)11*odeGMmUE8aV$6TF!@@$t$@%nntslMSqQ<3BPyii2Ond0N zl85}*68Y8zCXL$DK1G)7F#%nVJL}UvaSAHbl z>KJqz;XO=(04)sovEgUMB_&ZO97KIG!eEeG5CiR{s#v)zLvj4@_^j z2=cV+>R$DrHGKMOd}z zZQXDwy8ut4S$yALXQT!C(BSuS_f?uTyR%z&@(&jlW4yL2h`{_NGs+Dpc57Ar{;fqu z;PL^2oRU@}tfhc}7o_pnDWKtm4r@u`l*f?6pGT@ zsaSM9G^$%9jGuY7!{>L1c2(!N%e&0!aAEuSOd==iVg5k6yg0Dm53DDpRCwkX!l=kJ zcd!U@Jl%2C%G1aORA61Py?fj`FUSOaVlbf-=(l|@h~BLzqw&-vp`=8N5V+w?^Ss=Y zW3b^v6 zmSW8OYFvE0@%V5nPy|hF)@tLbmjR8*nvs@P5`;=4jt^L2*Snq;t>%6j1Qr?Z7?P|@ zzs)(SlsJ6z_`Y}>G?09#fwux^z#qMz52b$ax>jN`AE*5RlJ45t{g8PqvRUTcv^iWi zhMsRGSN>U39a0srgV5wu_xdHU9fVmbNSkJsB{J8~a@p)`4t5Y73;MdJ5Y*4F#% zrvw+Xu(fp&`2K7z4VEkX%O7K6a|dxABmO%NF$z&&SQc+Te9# zvDdu&v8+3=hGri-X*mbhjV4u6PW;OD&}+F%;NDIkaJ?yS8N3gcpYhFE4!5JvamFEw{IH%*Ii*Z&1$J~DvAZ3B6YS+j!ALLo>|Lz6Yi`O1pVm!3IL z;Zj45gsCHo%B+}7hIh~21@d`JDoaRCr$UhL!(Y~Nib(bY2dUAJ7gEwMg%WjmXllEb z3Q_4`DkV=>bAlD)-(#Xc)uHzlv}lCJ!$Pc?`iITk?qB3mex|8N49B=zZS3L;C>^Jzp);^_7*$((eG=*XmT%lGNqVb3cSOow`*CLM2=kS3oijBld#Z zh?@GgnZD~wqYNxek4>av*m9TVoG!vvt<5aB$c3YuV3^A~s5b%#_aH?7NBbcrPvO+u zcRdFJ%{r^pnob~?oa3Gw`;{nAS_v$BD;`_Ygn#v$IJWEN{)5>|h-!0kJ-qzF&LaXr!F~qsvf6`JlY&+C1Ht?ge%`UGp+%@k?QS)bh9Sa!n1w~H5~2qaJToWh2NjzIIb2+*{e zhUDvp^)!~_>7Us%N1q69hPY?+S_V?eZni(%^wl%=17omhIcxG0E6=b!yPQe1`x@ih zB?Lw%o!I)f9v*p(M>Ex?=s>%k9zJdnjudvl|Tniv%YG~J|%i(VE8e@jNc7VZe9(5v>Mr1z+y}sj48`n>+S11Tnr%8N}g+Wsd8vM^(9H? zxtzD!_xQk({v?&joKLK;`r+8EUdf;QuG>B~-$m=3I=rPv9&1m8j)y?2^C2;S6ka>1 zt1h;570e^5^I~@K1Fr{iDS6ETRP|IOwsr?#9@@1kwTyDg(eCx5+iL;nKoF*GkwkR# z^YWjUKyMGM3K1Pydd~mo8sn?-Db$eTywHI-lfkMjsvZi55Q9khBlBY*>w@xAn zd~UP`h9Ia@=8@x`#JlbBctsT*`l5`sUGm(ltVVwX71fE)4gKUMDrxcYJiNSfisgqc z^kE9dF?V&G}Z|$+Lm;-%c zAoD)qZdvIPN!Y{)@^h_|EZ;^dS-{8d=LT488}J7F!rQ``$vzFjg;)$y09gHEAcf0v zYsPJO%-No=WqW5_+uEqcqmOun? zs5v-1^^J(2aBpeJh;mg#ljL-CPniv6#`ihWl6G{2JbuPWbLiM0CX@R=?OpX-lv}hG z1OyR-5CjyYk(6!_5b08p5|A1i1OXXZR6=POY6z7YYJ{O173uCqrBgbFxO+TD&(Wjz z54g|ehk53KkNxa#=UVSt>wQz(4dr9_;x>qVubAMd0tls4iMl+C&HAm$Jz|i4Et|j) z?rInm)_YIUI{_i2IF=1kYy63JIQh}iXm!D?!|n!!zK0ivXS&dY&A)|Zh0z}ZpI%FlN8 zZ27QtFq*%KF-Jh+BO!K(*Tl+;>dUsg+}!6S_q#%K`dnAXZ8zR!6iL%4V@#s_^2RLu zg~>WU3$75WvD}!Ln1}CGK)EVv%fCkamBZqekjf7$gBKfmWCH}39`Da*bj8u?j9me8 zN`}KPTb6Y?^k4jpI~%23_|~;_ey|Td5zlQ55Vb-iAwZ^U+qLNy+4^Ha2cgDBTlTqqKZi zsMno(<)i9x3Q2*pJ2u)ck+wSY?FS?b0%Mnph_L_|XX>#(f1Q*xDhNN@Y5w+XgZ>Nd z=J#Vnlo_Q*dC!QEEF(phmzdP9TwT#2z2)4FTuk%(icDP$t~TJ`e66x*QHH5~n%AXI zWCyySd8yo`!E}lX8&yu zN*SJ?TR^)QZVrtJ@QXBPZdO!@f1S1=AU6o?<1Vv(yOhY}DwI`;cmOm@&qbo4pF!$Be+_FP&0+3Z5z@2m6DLMYD9Cezf}VJ#m3a6Qo=*7p zNd#!`0(K=}3RjNf!Sz1cNbcINyt5e1PwBO{KAj8shm_~9*pX4d1@(b9PjN1sQpg#d zVx@oRa4a0?ChCuZbgOIYUo*apYkYL6)0D3uuY5mVN>Rng%4$K~Kr1+YST`;&X4*M3 zCsWSS64%jDDa?_T5YmzU34~R@NSG-nwn}oa^uA4(`=FBS=`tJ;u~G%Op58%0WN64G z97^ePQ&8m{2s2KPT18*bN4$wlt|kC zR4okYynQ`94ZvhW_^Is9aMmy=2+4DdHBy;l^X((JS^#yWzd|Ha97~Oi|JfV&)2g>} z?YGQgRINd>nsm;Vi{40rglD;PJjOuxOQ;2cg1J}X`cUNds&%xpC-WkWoxLQ9dupB6TFVM@yHi}m%n1g%w^6>JqeeYQ!$6upMK8z_L zih#fX$dU`0w_ouC2?0Syvtpd^7AXydAs=!@%R2@y{O-KC6kILgbwKR0tStTTVHtkP zg8JRtFM@(VN|@H`)Kcj}g1$`qO!5I1a*{}h^=!GkhrzReEC3mVynd&dqtCDOdG90r zgU1Y&mEtdjSjEKNwq*qetH?c#c4VbGbvCJfC6PG{4!^qQz16KIm{?IwD)$U$<o< zV|iWSAGU)V08;ufF-xVv;}ah?sk|_eS;KP-eW(VbK{016_k$XdSNe=83 zXY2jCb6!Sco#U0qB44WRnQXITBY@7)D?sa8>Z5&%h2+{C03^=kqI7R<=$IRNJf#C)uLn2#nUbtnf_Nox74F_ac>0rECGsVDpTL52dk@} zsbqK}m3er%ct5#^zOQs!t#)1Y_}Hqv?zOr@Wn^_Nbh9|n8K2h2hs_bYiPd)$6W zCSWOT1cwdBenpf(8&6u?oF!=W1orn2DJ9>iDA^74dn2bS5_-V7xHdAeuMRMeldQu| zgQihg7lbqNHD{9Xtp)s|nkdqA-oVr2UKv0wvxOmA98AaEd$WBunxb*Xe0x5Do&`0c z!iSz?)?s%Ng;x?rf~Gp_G~HTEpHlLsOW~25Dox~^Q4mO{+)35R;-gr6yr#gq|21=I zbT52q$VnEE(kO2;^Pa5ndjl7iQ(ApV8fjsk;+A{b?A_A`JgMCGG;bf))b3inp z>H6M>TQmOqj1~8Jy>hhk-*KY%AwWH7J=fkdyUiR(Mw=aAOmj71$>q&7E>DGvoce?5 z-Yi-k$LNU|4AQecY>kYYYuBZEJhi+a==~8?yHy;{o1;B8yKcR{H|l2H62nzP>ld@# z^~eLTR-`k{YmhkaOQN+0tPvcZ;-XIVRV%k-!0eFjc6c9saXWT4&tyi0QVY|Gx-5lZ zWMc8Cg-3?nk&nJqxsH}T|h?QtK2Dl|{)o^zE;#BczJHOyyA675pH3Fo3a)28|93p|d+uoK^nc=BT z)a{ltntpgh>rPzdSN~cNQbGh4a{G)*utrc=ZpK?^U37K|rP zLWt|ghH(VVS%Qqm zt#&S)N5O6q+}8v|$;Yn-4THe@AK1#hXJyIZdHK-_AI|x?OV}7b_6apvCAb&3 zkavbAa(4{c@YB4{4{U=x?P7wkZfDgEEdwsnWYPA=qx4{WUlHR^p-!NBIQc-cfSa$30jf+pxNyvsQU&z8w;P1Kl*DwFt(krB$QmjPpx}*?n zc@z(bpL$qCWO*=DxLyVnZ9E8ji{3MI=0Q-x)pRU{_<4l{Jf?c)4~qIv2%Pgb&UviN zgmt&z=pvq)2X#ldw=vO2Gd;KJ$5IiCW74}$hPF|^6Gha#ZlXUnkXob|5E@;H|<(5 zhn6B=+YQ!=jq0#j+1ZyIEZX*?Vqyj!)P#sw2ykflF9Y5NcRc$G=aLLBV zZ*$z+)9+_X!<>Xtx3I^n?OhAi-WH?x?Xq)5~K;18s)egZXjfo!5@Bh<4+EO!GihWMri6`OqYs z_NFGFK!suzR%xl7C$P0wd2>E79bHIH>kQOeS}^in8ED)cT>(|4kCy$URm6sBgFyVk zR)9?rhz@bhQ8k}}N*_EUH+aih=d21?N}>Vz;Ug<~4mHO%{((nUH1>)7v9)?e@#Z>1 z6|Tq}!jz!XlY$6N|e*PW9J#FCNFO> zmeyucGVboI`lTT>253XK451*l=As;u8Os3pO30`j2XUVdBWNg#gzK=;Zkchd50+!Y zW!K%I1Ur0MhwFqm>z*SVg5K2$R$&VmKz<^-2)+n_GqbhN^?Aw~L`8);0z?O^Ha!ua zRCT@r+fmc89Obk5_Xhj6mwtTED&z2FTF8Go(L@u)0m29Gr{BM(Ur%acDzYBH8rpe~ zPfEijr~`DHj93$RSe0jTS>G&lz@wi-c}qg|G&L(hh|yc@9>mslJo#KucVnjP7x-9B z32A)meR>Hq>^I5|y1uM$21@M90}1Evq~3Lvcy&co088_}hvk;l5)icTPaM}n-4IUO zfG6tVNeeIPPGH0_w^N_PJU04`jg6IwlvmAoA5|r74*1ZvX{YHR_~aG+qWRQobJKl| z)Wo-<6s85+lO_jpw5P#}*OxM+-dI+DZ0-Osk1TBQ-#xuvXyAQslpVpR#AmB=%K zEVMYA^hkE~_X#u}9oDaJkI*Rk5qust!>(9R9untp8}M9?Ovx-Aq-a`*G=I|JXgc>6 zYaQ_^CLS$THWg7F0Uv!R{d~p!Ecrwuj(picyd-a?vY_Ym+8c zUt>vV0ePlfOT?VDoD6tH5&H8vI|f8dee0?5O){wPIRXzNu|AUJVPe3lYHf(tO+Yx$ z&Z;Ify~PG2j#ufmtlMANiRK zs@`!|9zg)h;%QQgFSLRa#5zi9D=PK%#q#(h7z}aR+fJBZziF3u?qg-;Kt#>;r+t-P zK3c;qs(LAB11AV-R*v*NiEf#EViTFjruIB;GSfF^JLcthlSFpFGiVTXjVBg%>hKQ1 zzE)exR3XNqfD1dp{S8)&LPVe@Q2u`0BfCbZdFJ2o+>-&7;uuPS59FWBmXGFfn@JF*J_NzgbY`gq z5VtP?_h;GB{-Wq;$36dd@1#4@+oLGgmPnuCa=5-`UMe#6Ps(%yl}&yQy`9w3Rqzvt zmG#qYyk9c$X(!XA-j2J2Ai5S6ZJN^nkGt;Y4$JZ8#b@tlLwF@uE`aS_g1cFDkBhyt z)g2h1MLNnLti0xu@oGAmKVZVL?sORRXm2)ACSH;ohk35qsn+FUcX#&`Cb`OerL19l zAA`hu$CQ40PBlEFG=))m$2F@%R;-k}pg}cq%6XHBL0H8$0z zE|Y1;Iduf}?p!G~kFRD!h?e|XJ`W-@6DD$dU6uFRP-mL?;f}}o+uZzoa)=m$fS{nW zGa7m{Ed70A}#8e!KM681EeGJtW!2{xL(EH^bWq+*B;54UOWd-g~(m$~W7 z30w(b6y>DvV3i4$_|;E*9DY+AJ^rY%vVj7Mc()I%4?n?s9g1DIC778TP)Z64fsmo) zXMrTlLFOU4`Nq#iWL&K(9o80lQ|Divz<$6CPKt;GyK)7uuYNR-dE|xF?x6f0i@IGt z3yxvxZ&u;xMZk3v1GK`LFbYVboAzECRFRy}QjAOvo@!B2D6H7vt&uNeD?{?ovTME5 zw-6*>b-jGcRkay0%e`-~Vh%)JlXCRSG=Y|2T6MJn-xD`hsI*!=GY-TltdHV6g zXF7(KylR%u5g+9^nr3lS5dP@2J&&5x0*q12yiwad{2EhuiF99ib8OKwm zib+iu`Du}%Q}MKj>O&p|R@OT6x9grB#ZOTuurxWVM0B-ekn*m>0D?`dKfAj1Ap~4h zjL|@%F3qsU>+;HMt_-04g>1c&@t*?vB;AgQkT-;cz&(6K751NI8eZ;HfMMl99&f^ zsxRTn85`yH)@fF?D{}d$7>IAZFmHd2ahdL4=#--6P|1qZ=8x>f*g8x-;QkFTkL_0W zXb7c=5gdQ~-kjfgT+g`*R$>>2=or}rSaVcmWu-vEqZ|;J8eA;{PGZtBWowoR+A47` z&mACHBQJBRL#A`ol$A+|VymWMda{yKe16$@QsR44k&g9b_Xb~FCnhGIs`WkD513)v z+Vhz1KPo-|*#lc*=2(C46KFbMDD$&$5GML*<9uaInO=&BBw6B+tf|>^w?@Gw?lMoO zQyVs|DYA-dJUHsteE?%i&B@VKg$*<+M0#dr706ks4#d4U?iluLC(jo34r$py&PK&R z>IV2kv?q9Wo944#=_VIuW*QI!D&6E;a?qg7l}IK}o*v~h(ph`%nN4sr#ksB3*vM64|AM%?w!m8wMQden+(ms>^r!kqxRaOn303%wP4k01GRuh zY4c56ARyyzEUOk$2~4B)KBQL>oB!#@G#tE{%;vrCgfI1V-2h=`Z`WSN%n=X-UKCD( z33>qLKJn0RXvhH>{*3!7ke|GHGF4Z=etPTOv{S~km~$D>+r(=qHdtL;0~tY{w#JyX z-}y=k3N5#gV<0*!;<6OGeB3U&8Zhor1jrBFfR>poue@__vHb)mbR$D0L7>fR#};W1 zsa{-|^{r9im6{jhPjLabo=XV`>)hK+k1ML=Z%ZmNZ;MyG51(8X%E1^1-_RK{4At17 z*XuZ@Eo0@wY92tM^EHv1_wT>|_0U_ezTWf}GPt*NbO_9%>rF$fq5vh+Z5UFnxkV)` ziXcqH5<62hiLXv`M(h4v2ytnzLK{LCfyj#%i44!GKFVS3ffT4F+VYh!2}90KJyj?= zV+$P9l-n(4xR!PjkjQk|IH~lxOqRgV7ty7=6bi}#f>^475%373**I7{3$&$CIb6cC zTcwz#N-eUr^^Q}r)sysy)_VGgPnJbwnQgPQ;ggwpaUa_1iYTaA z2{C`z(x#;Ci{7(v=mj{{6d+tJd4CKNKQ`H<6p`06TKY!+=C}3+S1JfEQ=%w=LdvHu#RG{RrIo{&m8S)$P|yZ=LXMynsJ-_-+8z zyXpimwCKL!Vk;WyQ4g76 z@eZAJlJ>Hr5P6i@rilJRb3AC?BI355Iv@@*_NMDj(G=>Wi!`T9Z=J}I{d=MVE<6UT z(tu0;L;F46{>5i6Cy_pT8(D$p0oc2q+?(cTtr;w%c=STg%Y(VBlIr7zHyc)5u*-$Jb?oH#BD??)tsqOJQTwAXd?0 zSynP<@irVw>OscrB{ve(63*#Z!rlNjvAQcVN{Vv?c%a9!&re9!gs+J>o5610yvbuT z$X$^QTizS$@am6#|Mna<{v$u|z?jd<=P*j{<0Vwb@P)<2#ly4Z4<81JJF>K;WTmZQ zA};p2M|PblH;P9MZrt$Qn->O zUpGchKlT6SbzfjjAs=JcEo@vI-Fhw4CWIsxaG9Y~L!L5W{AowR3J}uY)2;u>GfjWg2;ieD>n!2jESnCMn2{#9k zv0?Vw@4Bgq>1I!Mo&F!X>1#*I!p{xo6wAFzS) zQ=!glCYAW!ymufsZt9i)m55xulH!rj;9sX7M+Tf%Ml6nJ{(U(7v#7u~HV~U+M?pGZ zfQDJV#_P}{3ohZQ3$m9jb;=ym0Q|K7o0rEX10$+_WBa#gAm${ppyvknS_0$3b1J*A zxw$!kkwh{YkFUOMB3l4cR=RyV5*6?MYoDGlfg$Z=5kCKiA@u=qw!uN|IG_nA_OUcd>eBR zY>NZi5>o-T4#)ypAT<9uvO9Ia5i7zb=l$zz{Fq8r!p(&~B?-VcIP3^DX$aXW^LBDV zVG4RQLF^TEj_Ui9-`C~bOW>|0cD?5Mwg2CzRZ0pQu#sbM+{V!|Cq{bu_lx=Q@$spZ zm7|LSTE8AgojSg;?JH7$>>w5nHW>u~Zh#uQvH(yNRa&r|VaZ@*W>zvVNZJVd&-`E$ z<16^|0*2q4J&Zl)rD%C@K+*~2B@#0j76Cx84L|@DTLe#(-p9uso1dS5h3KRF*fnma z8Rfu`kd=O6ZXs;^U9PvbBLc^wJtTj>vj{2B1_%QlUn8JPFavDi1+J?GP3`S4;HfLv z*x2}^dw$&_Sl&2KF4B^blh0mS1@S)=Bn}tnd;m4p(HyBTGP;J>c5nOuc&jhQEdXTY zhRxv(qqpB~9ZZmF8Mt#&8^kNXFDVD*9ZaUG>{=->{h;;0#Ur9*cyW>A^aKG9@6QwJ z8*nk;bpO(9YaIO{dgomKC!w?0_@(SAbsE4AWk4sith~CyDJeN&@JvCgMqSCt14o)! zU0t0vJ~6T%g=1H-EC8ta=5^G9Abzzs8P1cC(1Y6cm^tyEoyvdhN!kNkXk7V9GO5eC z<2@dkpL_Ftsr>8te{TL-d*2kZuyuD?kzbd>A1xz>A9OuM*?|(kTzc0Dp-5Wlb z&~cf4d%*wp(9i!k8G%6}Zt$M@)6)L=aZGrWKatz##^kHSq=**s~ZC;tOEM8C@b literal 202492 zcma&OWmJ@H_dZNXNeal&0@4kVk|LdgbPWvMHI$@CNDLiHi-6S7-Q697q|z_~(joB< zdi&hZ|6R|AAM09tm<5aT+UK#4eeC1hC-2o&<#4gdv5}CFa24cVY9JwD1R^1!31Olm zKG~k?kVZm6HnowKR=1OulXkLqa@BM;1zEhbadWme^;YLYLSl{s0f8C{?9Bb9ra)l- z2pbEwtEWbIc$5Y(puZjOT{Dgu4)*(jo(B+QWN}Fb9By(F-=^Mn%uihKx5FX~{51+S z#_ce({GT(CWiQjXXL6CCiPNj*Pi`>6H4`32C;|Wg%|QE&qj(g8Ce;4NEGQz_{h6p{ z1=4dAl0Tke{=(E%k&oqz^+WB~mLHWz``B@T+CQuC;*px1ne^TRWXF`@)wk*0iXliK z6et5~;%Du|Kbo}G7hZKOAMcb+`z$5iN{sNP5< zv=;mPeG|WskR*{5UP`_8LjKW$k!bbRXvMp@NLp*`?rC~lxVSt&yn z2yh$c7}~+!0eEjtz=%nU{74GLB36Agcf#7Tv8kw- z?Z>a_?FGMIr$fTN2f}sxzuG*z4*d811h4%MTIPjR4a@nEiMao7PpVkZ$X8f9$^Y@k z5kDqG3q&n{{uV1W@c;C%zYD}|e`q7G(}kwo{(pMxkvwSrugeJvArPvG^{FRk1fu*u zkGkTwiwmKCHr}?4BS=GQMMaLa;5!v)-qdzoCk6H)*8h&r7s+YF-IF4e+-T9vzbZLeOPk z?0fVibM-NmRnnFlj3|(AFIS+`Ic=kI{=Jti21J44ZgX*w>NHM0I`>I@kh(^E}7bcd73b ztNZ3Xh$0Nm=Z^h9;+FaxIRM3HpTqi6<==OHi2~q11h`>=!oJ(s*};o=h)`(`@$m3g zt#x8j98aR)OxoCGFXZurFq-(RM$_LN)-X^`-JYQO4x3|v(_T>3k8Mkw&|iE!B-ZcY z{U1ZR8^s@Jux;N@l3{@m}%on;~O zW&en_gPQ!C)j0k$8QDHI9q76^Qmnx?Hdi~ppUIA=2r>0&F%_{KjPm3E3Smhk0?cq* zC)n)2F@%yk9phB;{s?0Av+vRnq{4&(;AXiQ{#!}eXBugryXsqr1-Z&jya#)~MO7H9 z%Dy4fu-C)4B`&C6IYX z;Xz@kP{H-ki`DrL|0^U>(ukCCsc(AyFERk{kV2bpZf>Lo^$low$4!UVbz3EkT>iJm=Y8 z*FvWsIy>{osmNoGX>Rtr^+DmiHT#(~Avn~}(3OVc@-BVIRd1(i^)emnGuAl93~X9( z$|dwd<*UyHEnXP&g2kWL84gBrlM%H#%p><-TWtt#7#aN+QOem=h!rdxy4n7_y6tqN zLGGxKdR+x=?bxVx@5BC-I+Z-@p~$Uc1SPO3D!d?$e|Irgm|?yiQj>wjo`iHG=BK8s z*ET)t(UL4F>6W-}v~Tj92oQmE0|677d^XKUG?v~NkP;o?e;aFje0Z6ecz`|FvVct%mKo!BUeAdT@e{iy zSfN)ctAfKa1F1tNygmx%*K*lV30sfSCcY9Z-drq0D`>{wEkHm|QXCPLt zLt@M8DEI{q+`*WaY5WFVLvf{O-px7l^tx+;o>gauXcnN;=jXL^ZLdd9<;3nQ{h%PNhgC54N9vq(+`q z(KliJVW8Oi@UnHt_4eOQ=Egt~KpM+QV$b~>&UQ1*9|s3n%(i{daYP!Hkq4fiow1Sy z_9ZtsTrzjQ!r66*tGo{9>N-;&9OC`pyM)&GRFbA|ytlyYR8l_W@_E^JtnvJMUewm! zXCa@v?4q8E$$l#t!@xIUBjXO^^iarm=8#aFgt^3dNn9=fq_A2_Di z&dJIN%K#)ldogJ-@+?!!@1ks|G9%^h8UnGRR1kDmVbH$u zpZzY0XeVAqk|pb$wPy-W4ngN zW4T$~{)Wb^>OSXAK(R2Y>oEN=1@H1tiYzTltw}|t@b5ZnJ~Jl}1bnz9P@-s~7{Gmb zjQkcjp#7?Um0eH`K{>J)2gjbzKc%XD5VKnA<@x)_y8MXc^cQ4|GG1A(*@kk2vU(tj zXEt2xQpxpu-BProLcM*x;o`zQ-t-g^it}8_ERZ!2Q7S9)6;~*K^U^iuxIZAs!kwxS zJ+Umzk=SxTQj{_WvgSqpe9DxvuMYtsI9cvp@5B>iX5cUj2`Bri=g^m3~w%RX|LU4Om zc;!S{z@M9`r3-^A-`6!vv*mkGAl^&%PA7RSn1aIoL6?B?nJD8Fs z%RMRmVQh>G)1>b$Vs%@JeHr`So0w)ySbFeVB|_*Xt4P}E^rm_3^*YVgfhlcP1Hv>c zRG==9%4eg|6#-u~)%yM|+Jg63U%G|1{DU)`7m^X=EOyMVBUYg#Ow7*f@Ykw}RN~PQ z8cbt{mnO|oh24=c#jOp4Oz(JZXSH-U2J()lQ7<=yxk5g?=*iFzA2uQjoY}%$16=`O z!v(z)N2!v^fw#sd4MRfEm@OH}tXvu;+g|NW=d09BcgRLx{LlshL?tnSXMlG?H;_J- zXqEXl+k%Jh>zbMj-bBlb9MP)HR){cG{}=o!ur7X?fa(H=1pgG{pa+j6$=Srt7_h!iivYcsNDO)F9 zJ+l#<(=>T8Nz}U+$605$zjJ-FfR-;C7^c5?P%z87)Gxij8yc3Du$6i7%Vh;<&=QA+oS&-U z`6s*+nDP^mNFt2gKLa0`E2E;h0*Pe`yIkUi_>zHNl2D$riCvmq^uRgZm3Vn?$S!W2Aj9b*R`6U`=c!B}=J`~m3|KcO@01l#MJ$~0u1URv);eK_i$++f-(>W{&3SPtc63%<6%{GBKLjO{|-)YL7j z^cM7bM=qp37M(ItxskQ*l5!5Vrp9p^xaAEhn4CM^M-HLNK$)|L(n&k6|2E0lT!;#N zE;D=im*3H_B8vneniJ_k-UOTC#GWpa5CIo^qh@LlY}sN8T_S zc1ub~48J%Wnc>QUN^kM)eL%PcQKEvpdPSPI)*5QEH~t~5Aa8_1^jhAt+W9AizP$@f zeE3dlCHy5;N1CY$2_dtqH-#=XE*pO+JgS<<=~T62VxReVM-EK$bX(JZ{{a~VGn2r} zZBO48HNEt@`?@NNsH?!mBQiMmwYCvW_vDep=ecwtPq~o-Mj13_^h@2BGRsb z#XTnAJuYkVGIdfqQOSWGHuO&=nUzQA0{+@YxczU<$Ne0|0jJf)g2%Ad8!k9%huf#I zxvjEQB0_`#y~?WNePq>B>Z*$EbJR1`{#9Uw)k5ceuHfURG&Zq>Ju?J%c8RX9%6BqT zu~S%oQ1+pPK4};G2sUwsxUjc}F`ZYOX>3%U zQ4O#U=%QWlsv%@|a^!99Wvc(vzJ`lt+%CGc@xM(*HWs4fq^Y}+|C6`dACMH06EVGT zj2tKx(TE@VbT+FPTiC==gbiz0%D;b=>`?-*K#}Ej#-j(teb;eWi*5YG&E;AxO-(eo zw6MUYDBfV#uWWFftZUrT`1s>5GuEv3{YJ;pF|^%BK;`e$iDhZahcJ~uo^;{oL(Uz( z`3=5HiH5&w9(`*a7wh!vbeXR>n@D*Ts*jOp@$=vi%dpYCFa^x*H;8`#S!qrF>nm(3 zBBI<-o4z6Nn-p~^ky(HiCk{m~U+5|6chZ4Cq)4DVz|k70?{sf(Z-Tf#5nqkvXRL~^ z(56URRaC8^of#VA3UA8!oeAU1ewU2MoV zX^j6UUdLb0B}_c*nz@5}nsmn0y1_6L3r8Wa)k*qiY`0M|0=kQs<;LM+M|K=Nmlx*) zG3WuhOeCdD6y`fmiJoTrCos%!45d`5dU`-w=X-ooe7DQyrCEO{t6Q1>UjIE2kRcLH zEuV!w{C8a1^)Z3vlL-r2f`{Exo9P5PiOJDo*w`&S>LH~#z8aW`c{x#)V&XuN%}{*B*Y0J+Ji` z4tM>cwj>gV!HEaobcqkTOO+f$0}NHRT93O`j4s~;nNeEO&g6xm57l^5_But`NR9Xb zYrqyC6-qV#&HI|ocq%)CE0>v;Z}ED{rH&_3V!i|i7R@vt^p*6e?_r-xjmUul7-Mq( z@2mhmKvRE`Ef3^l>Z`zUvfmWa{vu>S>)qdO__%J{CrQxr>$}HdJEI0rX2MtnaZb(C z$gw1JJe6$LAaUx}LjBscdrPG~7A-aGL-5A0)G!ulc%2YsWhQ4a8S+)gtbr z%>0D5-BMLCPb97Jnds33dWDL(ORI$}keE)US9d-36T@fsG=W<*z9&ke^nZgxq@EI#964goFd5@$&7piG(c|<^j{y)%Zcz3frcoAav3RERLh${VhocS#+5+Lw+K7qcnx8FeYM>kXV|Y$o>yxiJrR>X@;8<79!y_3lL!BySXZpiP2TUodYd&a5_G-z7Q&r48jmo9i40qz$nSiK&ih@APspO1y1NPj`VRg6 z6xMMLWIOc6jh)4RbW*k;ihZKj>PMAC-$rhSR^nZsD?vqK(Fp#d-NCq&LAq|t95p$x z7W!o(SqB3KuQ{1O15{0yNRF3uAQeLIzjG|(t$g`W0(D6ZKCbpdIa>`SO3FXDO|285 zjFo}RC?#WF^^kI<0u1D);VJJ^X-QeAkmr>&%#Ut#rEdnaoYcakCb31WMqiET@mebN z&nfZO-w7N#=Z1awJbVC1!js0lgpZfH4C(Qf;a^jsG51NCO@ZQ%T2BEP{d>&7s3Msr z?J!(~ImAd46DjB{qD_5Os=gJ5xppP5Jt&hb>OE)v$*?m;c(t;^qAFul4ZDaJ zanw#9v%cz?Y`-pjr$~_+d34VITR8;TA{<$0??A;r+X2)@n={;Tn~%Y*Amb51+K)xwNCBxa?lhH|#i*xQb&W6Rc6 z)p5|wj*bAzIp&-m!coAH4Lnt(py#%u#39La!mz7U#Wu_6Ms@R;dh+d;HTj;p4tB2^ znNdT*+^>o)uzfb#u8VJ833*fYo!;1#hd~wC1=`(cBa+<2E$`4))?A5aTaww4u0xno;BA*xwx3g39lpDkTQ3d8+on%Dz6jLy z(v9~7zgk#W$kgexZO0p$39iFFm30o25h_MUv&KKm=Ow5L-4OEV&S^21gp^&*{guE# zQIuPOIj2=#8Ii;@GEhR`p?l3@kHMBk4<1MBJA-?uz8|D!JClUD!w2AG(hmS znq4N-{7*N11a}`|aYHJWyLh;4RW#&yXH8WmXIQ#iBC*PsKi^=2OZaVF1~Fg-DhsXb zP9_JTNav&u-8T_^hX&}TMw&KPluiD9v@Rfo=7Wh*()8{4ii#rpL9*WHLj+=4MxX!j zPg6OO+mJ<7jdByR^cgCPazT~zC#EFUKZ zV|}wn5XoH=tA_^Xqs_d?H67vnObcu|^E~AjySdy-=&7cQqm7K-tD-`)PI(GdTOv*s z@W!KohjD7&uT>IKQpQM$fWC2^O+xu)9}#AK@ACi_x~!Nogo+-HM6%0oyrT;`#kR9( zI>fBLbU*jfXj*T@Dwj14knX1rt|>d?)EZ>OJ+C`^y0cd4r<=qZ8+KdVOhQ)$DPFJY z7W$!SUB%mXOJZ!PEjtLir%}WP3LwSwEi?Qv9hIYyBA5h3?1jQS4jFaQn9YI51HHDa z5H;AQ@NQtq{Ew|3r7Wvsjy%aL{frf6lxi#ns-sx0z4?$_j@N>aDoP6t>NLyUB+{7b zZiY7Y2k744-Uo9HDOLXX@gtowK7Yq5R3Y*eR>O}gTFE!Yt-cLe!x?ZhtnNX6NWn8f z_Q#EEmI#rIi9Bm}@d>P%{6zGm&&yhn6PY5YZ$n~c@~dWf);H>n+x>YPni)ou+4U0> zbCu_#B+&|nQ$F@KcD(Zs1-N6m%xFEF)zjeV(tmit<=#Z)3`lYOBkhn;0PvrB6m6~D zxg}m*UvQIf0_^L}`eY+i99Qrfm??xY<07LeGuKKAf)s*%RRrH8_VhMEa}5U=FB36f zbM^6_6gqj1-9bvjC5j*P?#l2sy%ob*y?Z0ZYX^l=C%2{rixUroW-!OCyq+(NqD`WC zUC=oU{}fBjUtd8$Nr|o<_0 z{GI@~_O=7BYbh2o5{uJj|Iz%}v@EOA<5h)$q-AB>wIl(6`9_!UYQeF(Ax^%GsC?MO zqpqaEnFN@(H|xQt*yde8SGb9`BgGoiWpVUeH|b2Yhn-nD$x!OU>qD81p2I50jGB9C zDKC9S))9CvQ!-6_zSVt;+XCec;Rp_r;3c&tjdr8%>MgN8`&XHCwIU()S;BUKsis_jSXJb+-~tmeh~RV>;pD zrD-v1|G46kqzKaAfBWh9&rxG4E;2DIK={x>(9-rfQn>)Ty`vpNJPH#L%G@K!f5mw!G;*H)xT z;dV5Qp0UP@p%&$(wQ9MMH^xuzL`3hZotduLO4%i<4K0G$J|FBYT;4TEU(@wVS@BqU z6zG(JLDR^w)S!}qv}QkhApmaR_tjN+p^t7V8&C$9#JF=JSSsq%uiK;|*j4ivA zRi(DdPy_rVm4<0K#b+61MDZ97Ph?Ek12TLkT?Q~707crK*_juZ?B*Z|O|DFDONBb+fK{e^x#Rh^&z1>h@4Jm$Vs)aM`k%(PRLHpRsF<9SE?)V-8CbR3xhYn+w zocb^ORM<4Qh-`8p^fR5fK#(2U36h&nnFmL2bxeI*jfWN$v8sWq((l7PI0M3^^;uZv zzwZKqdWe9*k0=_hin!CL$;Q;ThknlYO3uC3#_<*+JF7gBk|loW>Rfbm#&uZ8=0uv5umnEUnC3Mq}im~qnc0r zkn|YDXE)lomzI<=_Mtr<(^<`Vej;UCq{zi^1Big4$<=s&-Bv7n>Ho3Ngo1O=o zI&F$WI?wK<8=;Em;U{~G#p8N$OGFiR&pPz&seO&uCNn&az4$!ZDuO9qMu5N%f`inv zQ83zWn6!d-`l=YoUT9xW-+HcJ+$QI)v|dD3O50dkJ2}E5wpI}eyMj%Stn@;)1%mbpM&8hbz&A~#EdqSIIzbM~i`T*L5gUs@G z7f2nF9INpapA7!!%)|Y<{^3+uN?_I@t31<(qFAjLeT5T{AV+%L7;mwE>5P9-74GKL zE zrk6Y$mR6zu!jQ2kFuO7g@)O0>*Oo953=$^zcFX(*2*N)7);b$ZFAY^;NjWmZ$M^4( zH8aXWVH-j?H9!a_tv)S;3XdIM$j0gJo9%VOn@L zbL~A&{LZSqKio4eqC2r<07ru0LyAW#$GVD*46KG>))Znq5-;^QLCa{VZHO0XUKpQ5 z&@?d-&~NsvqY(v@FlMv{yDCaMGOHfdJ^I9KozOAfz%HpyP zYd8q$*Fpms%a$2t{tcNMU;(%&%fublYEE{~dQa{rhV)+hj-t6@mOINk4bC-}$KEUU zRCMH}f}J-tQ1|uV3bsU2Etdoeg@a>%Q;w**@F~@jKAkL+!)#ybxuuU z&1d2+pTTKIO6uK&`dS~LI+Jobjil8)em?}tz|}Ndk^NS0ct5@%YW>-~EJO`XQ}okR zc|B)42b>Va=H^8&WXTM2CK`1S7r%F1gBtFSojExygyopj&t5`Fz&C<~k@_rydL@@T zEw>-WTHaOu5`fa&MEWyG)2A_!QLK51%rZtsKfd7|A}nBzDS4*(T#l*|=etoqR^41Z z>sfWMZzJVocH-MNMmp!m`qM3Y6s%y2bX#BDY~rV%aWTP^=PqL*Jsk3FS`s?SLawc2 zbq=qSySxeeHCM-qA1D8w#X7>WR*?eG^w~u=PY-96km^;zO*@+FHN{uLD)=3~1!{f$ zm@IVI_GV(|vU9_k+P+#egEgHwdrP_%I5**#K4eis`@ge(J%}2 zm=bRGArfmmY|USU#80PUy44nC5ApVkkStBER3r-es5WoaNR$^GpO03re8DKn-TG0L z+@-tM$;w(9@Cdm8vmhoJn)6}-UKNGzh?fwS;8@?3%`XPmjP1Io(s+rWcMgV{Anc7~ zmf`vSn(FE+8ds%anEL5}#xjmp?a)qGV5_)#ZLM<3viq>&*4heV`BRj6CgPd*-UfEn zC8uOCJqlYIx%3h*8HnO($66@e6IE;&i1kCY1(lmLV5J$Jofw zp3Wf6eXJd)L{S&9dZjOpoZ6*teD(R7xRsX_WfDH#TLBtr_p`J@QF@9XpGO8WU|SWW zo)w{W^idwHxz1;NZZ18f4LdB=#g`Doj@I|a6BoBS#6 zi#mXlUPBzv^~SOzd~&et)Ah5=a;fYkv3=5s##{0q0J{%dB*rwLr8f1(PI*Xc2<*C> z2iD}ZEoC7@nIb8AHeRc>f?i8!w&>xuGey_l(sl9GvQ7Op{fG_->KU`H z?dnGXrMNR61*du zk+{%AZMPTYtk^`9K*-nOpy>p#?l&Ms(L zOq1eo*`c^Gwcix`1;3b0@!MVA94%qHG#%47T4QWGbhSktWr0AGLKLOb;!azWm)Cc=u?IUX$*7jTpm=F{`1C>GV~xX4IA2}#g#?*96>JIA zO>(k^6*{69ciDE2U20|ys$Pt;M87ziteEV+RM`RO@mPKfbGA3;iFex#?EU%rj3}km>P0 zcP#8cn9Tc1;M>k#J*Pp%d*sw38>X69zM=(ZyYV0$Zyx9*qn)!)l_f6N$c>7OiJO>5 z+{ahfP0e|!nBbfLgtYM@myH_r4}O3|m`6Y319&>M2Ia?uA$T&O!fc3NCK7a2Pr#CKxL?zeF@pUz! zQ~X$kU+6A|5^I6N^90#7)7j<*!~xDwBbGInlv#K>@>x5wfV18O@rL)b~deYMth^Mk&e&;`7aRJR9O9PgF6U|5U3fR z5|54=M*3)m0@FjLSvURrtE0y~#m1}UJcU_N#@JO)!*PRmm1M9bTKJQaQm%5ZRso8_ z=HFCEX0pcjJ20rcB8jApKWIMx1dPw+P)KVf1xBN=`x);Pg}O)}W*${UudEm4gp!#| zAPch!M?F94>%Q>|V&E^|9z+Zf!&f#PJTACR2D0YM@5q^)YFGL?`M$(BWMZ`a3Kr@|bmGV>1jLVOp z=Tyt>gH)f$ZFIbS{J?vjg_<`$W{~lREwXZpH`~lUIdbZ2p4&$;0ui`vFjw!N;l7jS zNP7c!^meNe)XdiLCP~jUW+yOQ-tER5IzhlRgo6cRkzq%#sIj&1+BSfUWxr%$`Q(;0 zH?J)m=t$Q>=bLPO=94QRhjznvetKHQeZ^{l;yD8QwwXm-A)3Ga@~~7QIK=Npeo9nl zsh~t+!;Jm|v}&{eV?t8z_hu~XfRa;Pk!hdOA$`0<0Y{%3lJh-I_-gYX4?L8*7`a(c=I2I@Uh%Pf;SVu2?RqOqJ8;@$ zshu}rW0mNZ7@`zrXm!X?2G1j_3zz)Rj1_KpBFAytA8%(PO@Amf_9CvlKgYbUt`sB7 z#i%%#=X(A7lQo&gMDuc)wd`)|S*OAxqp%xa=sv{&`5k9M?#`)5L}Mz$O`}8Ga01!B zn-`lG4#*Ol)S5I^$TCH-IBr=?{xJ(Fy^$L&g_67Br^T5s}2lfcQO7g6%iu$ zanOmh_*DG9tc|XcmfugkV~&RHRCP%6PuF25*Wm%hDR+prF`f#L^WF|uQqof;+71eg z;$!Ap9jFNVly315r5YDI?_w`lgdcxdkscEF71~r_yQ=^eg<+)RfN0qrq(jOjOTd6llX$} zEG7wcYEA5IipD2Z`D+GA*98P&;+=*{fO8_qP6~H>fst08n@C20S`5-&iLkZLq#hlS zwOXLJ50=wSEkj5BXbYq+O#*q=#(~E63I3+nCi2Log}HpfhMt`Jj&48?9Dk-}i1)7< z@)PaZc{%3M_IFuv}k1tu2()%6aILCg2i_e_qQRUtw)(j9h-90M}o6@3hZ{d(8xLHI91I55Y zY!d+}N6oF?>06oR-s$>-iYJk?Cu2OBLqhYlSqY>!fqrOiFEg%n<)$wy<;nC0RV922 zeUkG|5heG&jkqKPE~bb_UdoHCintN(gvY@2F&>HZ@wgE8_9d1csnMBVn?j{IH* ziu>XTjilN++}`o-O!boX?C>~kkF24Tcrm;>CZxsh$y{qI!&%1Pi95JA}mj6^^%X~@!TkuDhcOpq3HSXQ< zih~NV)+vSuL5p2#A1=p#5V6hu>;?+!e`)fia)82MwqmGYZ~NHgj?#cJB}*-^b;OtU zz+=d2gKdbe-7vy4>!8-?`+#BLsc~Hc7ro%D@oO-yQeeMk!mKoY`pFrzw$_ z;Qr!1Vv9QEp?l?UwBSX;Z%!A!lDKolQB)|^?cDiUuH}9Xrp_StN3PQoUy-LelBETodSvTpk+;!LPYAovhRb1)Mmr z3>HHu;B@QroJo?TZpRv5-SxPH_(sb^$!v{eKWI{o#j3mkLO^{7wReia4T8o@@k}65 ze9U|!{qxw?xBSGJ;_B;@N2EO*jj}B@9;2)Y0dLHHn;{5m$BzJrXSQ#8Yr#3F zpFmJB0{eay`!ccCNje+6Rh3{xM)zk?T6=F=h+2vRm`3>d%0OQf zcI7Eq;PPSu$S{5@9kO<)=n~nPub3f%KJw`(%}`pnH&v#8l}a0Is58jFiMsx!vl*MK zccoT#CskUTCZfy}9JOeRf2B!6ZIp=cVhPm@=8V(={h@F2Y$aO6G49CUBHg6kvN4F} zWMGxVA^qaKR(I_-bO=L_PwKPzGMOIeBt6!@Zyt;gv^pGx96xb-D#SHwb?BMqx0S~An@GaKG|%!{Jv z3dblHf*$qEc-29r$44@dll6qWZ>);2O?{FzCmjmB`Q+LGpW@FdR7LrFpPaNf*dPVC zl;2|=D2BMtcz#&?WLU3Ts>b{h!1}ptP)$ig353!`2rRMvbpQxW@VI2K5u53odp$kN zsz%@O{+cA2i)kcs=7T}_~!bf2ez zC~xZ$i|i$*%;Yaq#3f)W{%@?I999im@_`i?7Ua}0?HpPED3FWp$&TqN`0}#Roud1+ zSVM5tisSVw6k011CRA&!JhLRxv|g4slHs*4Mmdcr7;KU$wTPXyHal2`IZimPXrnNz zuJj)V7iJZ^1t_<0y2Zx0DEj%c_*vsEa;#Nia^LZAT~L2CY2roa4dcb*&8l?~rIhv8 zqV&uA5y`qP?LQoO!qdD|jWrI{%bH7`*3=zSdVFun-#>_IJYO~{V>~46gmSs^AlcSG+yQfZrTO5YwlCSy^XSO&+G5&Q)GNCOZ*gf+}MR9>X7BlY~`9@t^ z>@W_RUE#?xG#yqmw4-cGZL4-7vUu+}KA+5|pSefm>}_{t=<5fT*xxvEe*?NZ%6Dm~%PxBF%l7UuerB@<7;(G65ZDnj`$ewN% z`DhVoiJtRN&oN{aOf}fQEMRhld6ZJ4G}92%s5bDbtzm3waY1X|T5)lU_2Es3;MjcY zo&fC1z>#P>0?92Xy3J^UQi5jQ&C~PToTjA4QmasxG`WCFvDv%{X? zP0`7Ape;mXwU{-v;OX7u!46ABZ>stU%MHtbt)4P)5H0ng{dI=xL;i$lo_LISXK-TV za7#(THmRPf-Io$O@j4uolMK3>f$7=Pq3r#CF7uSU51h5x78@ryM3l8gMnuJfz05FS zL(vc=@DSV1S>&8=uYTm)-tDb;hb-g#3V~KCqSQ}^r9-T|nVNmjzEe)~mtRNfBkcW# zU`dB5KDk~!3XYqCmm;UxMxO!V1I}gv>YSq^^%!G$D^r>~i~#1w=CXVZt|3zt5CKrU z+JF;z78i`uUczuuiDLJ;8H}>E##OjJQC!72Fx0gb#-u)LVjamf74!Fh0l=Cu&_YvY z8UD`l`(kBFSYOQ~U(U|Q=35Ow{5ky_4e8q7{Fz7>AmM zXfAzrZR&hKa`xK7J?zi)vsWwoe)8gFtM%_>2cpzqWlNhm@Poxv_9BEktPvd>HEzqp$3d02d8;$H zU+s@x@=`N+QsuJPjAcC6sq61pt(rJunn&;2dwbs*XFo=MybH)z4^?%U7^QqW=?KBg zG%H$Tb)vyF(wQaHyb6Fx!`jAY2yT3J|_kZ-$e)D3cr?(=f|lhxef$eWQY6n?bb&AsVDTMfY?-!|r% zE0g4Ca!5WcY3408^vz)|APg*b>A;GjQR&L1#73y0E={=;$RxrF4{{UxEH*bfa%;t1 z+;FX!&f}OV`%=J&XmrZcW=pt?Ve0hgZ$(I@Lv|M|p|5aKo)PDfaZKKkMdaH`f43F- zllIV{peU7>uwa1q;KjnGn`Qr;M}i>%98pheC1*8>rUqYUl! zk-X_HwZlBbEp>(p7n8xywA;DkOQ@^uof)HPsvHz%YS7R zM`62X@HDs#S30ou8yEKJnErW2t9~{(STUb!vK4+Ae0`J{R)YVtJ5Fx4q$1n?T0Mhu zG!4nkQJdz3qV3pGN9p&yn)?fiCG?k-0Q^?9SLZwupWumeS%Jn@O)>iL*5xY|od^{r zk_Y}G8UB3b9ygYRNAg$%PA5|o>;g*w+Q}^j3Ps;Gqo?HeSE265B7MBVUG$w~;`rLg zQVyerT;@~;ZZ3I0YiE>3;t2F4;uAwhB*TRk;qv@yd+qf?}!+PEvw;piv_8Enyc+4It~ zNQb8ulpD*c2W%|CVhk4R!UKx>=O08BheXGGiQinc@9*#PvcdK5ZA-+{j)Tcfx+OL) zhH(RehE)nrF0A&Zg--2 ze){$+xmG>ADdnU(bX6q^3WG`5N!o2s3vpY8oJf7odFE`E77gI(N=8No{7C%+UW!~` zMTEGSAaxMydDG{$+s`faSy)4xWMumQ(#lzG@TU2ohQC%H(ZHTF8QM1L;dNz{e#7Ix zMO_WW-`X>CPauC9F{Qx-fH(N3Amyp$tnH>>RB+qEuGY;g`K3#b|oJW z^uMtAFTdbT-aRWcDDR^taWgfCu{W2W{Mw32sG9NG;4JNY@zIF%hkaXB5bxIz_|sK$ z5Y-~=AAOgjAO|kgP|Lp<<(IvSV9&>T;va)g5OO=gE{wA7dYeW0d9Z9Xgyo#h+pgh} zY)1J_9T=RUPYJTQ@QCb+x*6!m#rLhXtB>tRP1oidq5Y9cS+=!+VSuZKdrzGEr)x56 zTF5n{(#g)||F>~JPf2Tjce-hO(D`5Q^;1~i-d=$_;Kjey_K_k8`9RvNrTR@olflYF zf1&xG9c-8nH|m-vUh~6Gaw{XHOe1&ZExopjIx-1hYsH|A#ctuPQHP22etwDmk(Nle!^+tIKBd0}odtXKN5B*_$#OR<2Nl2JM%;MzEduD3QLvs0 zXRl&>5b;oG`fCQSV)x~4y>#R+@gF=1ET9qtc3baY6@-rZrq{niw@Ud51LJemDHPTi z(qC0GRL2`gxswbGdvhYh(n;oAs|8S^s)DuF+&6a5%?0!+*zS{pF%+k5S^T${c*14xTz zB=vzeGlJb-NB<*jTF!|1O)SPgZT_k}P85F%O3pp9Xsk;TC1ur?hHZ%hN>oDyrQF^Sq=hswt}_-R)8 zL@d%BE5fpheaPzodCuCe553YxvxVniqIjMvZ z+DPC;U8g<5GwyFVo3HctF@CkvpZQ&Ecdx-rUb2%(>Mz;%cUg-+X#M`M{CQclU0s#? zKrfcvG*aw_5wZvm0l;%nI%F_c`#{hbLr8g;Go8`$+xQxGPO7Yk3vsNQr;O7N~{f{k$LUE?qn$= zULkQ=9FHcfJXM!IhaHQE+o!YNJZ=en0~FSK<#Io2$Z9!4w9);9`*Vb!d?Tul!2i<~ z)x^Z#LV`^ppp~_%jp`Z^B|Cfy<@FX$JFSn;ENN_Eo6eGBzg=#@aId%_K(^*4b@$sy|*Et>w2hME=NdLQIVI-Ki*SCZ2L9snbkb z1N~I+WOVQ+#j{_3-AHnQ$5gku%=YSi7%Czp!s;?3Fl1^>$wE0hzd0E0CKU~6Ue+~w z>s2|_Z(Zy38JJ5?dKj!yXgEZLNmn}i>=~IG@-%6E+;5{d`jd0R9e-@WeZ@ZXM71lq) zow&Ze`=7r4cVx$QB@wn=+sWP;kV`<%?)rL_rL2hL1h9H=0)K{5t}Yt%xo@UcTa3WG zkzg}>9CrS&(Q9e183H@eX3HTa$Ct$*PIb5*&ojVJ(0zdZkbW&WmID2SKXZ3Ng5 zZ!_pE5D;k#x02zKy&dg|S#xb)zIB-X;b~mL^7wuXv1h>a&_-`=U35T)AHP@_Qs>hD z&jiDuYoT3Qb!PE#u<_F~+K8%LBOlamsf*G76_2+<_JKT|5Q1$!d9RPGe67oHnb=qq`%e zx;x6xW0m5^vu`U?;=J2Ijb*bT*OW2NxrYHS=pun9{)u9uvm)Q1AAz{1-UzNcTn7yP zA{J2&13vO(Rhd(#sK!o{CCUFddaw2R~L{7wYm^(FUui zXoR&>bnl9_s|>5Fj9YM_>Qm^WGSrYcY^&7F^3P1V9I`DLEl8ufDyqFDQI$l)pro+R z8+o=WeoeyNEQ=&CP!pQQ`MhOMt8;SK?kz^IksvQ)hV%d0Hg-2vPOe_yB4jH(U)rsX zfY+`d>u!sk-ElHZk3f5&@&#_-3!I^2Mgjp#g}Sh^AKXtC`%}hOZr*WAkNDsRDl4bB zvedE!XB~@z4g42_6dMx7+j-q?j2rY1`qw~fUy`MB)_&83N)4o_TV)xWVgtYA;sT6H zKB6rO$j(8dK59QQEYGQnXsUD{|FMa(`lADwD`B+hFyvcbpGa*Ed>&t&VP_~LI|Axs zbU$l<^>4!jJ0JYd>xB5n*z=l@g*#2NMwjFWk+XzHcw?iw4^(#S3fRfHC2`7XYCPvn zLtJnaP*hY$-MuYbS;17k$U*IeqIzdzZ_2k4L91E8PHq^fcFhx6@)%|>u=os0PJE$3 zmJy_ZTn->o>dEzs6X3Of5>Z*Swwx#=78bQX+txYAWOlj{Lu$BrcqgR>aI!YTs3{nr zr-M&3L8jp1bMGN|BcgIu+F3>WS0MYnbU1xGUDvUyns`Ttke~(9Dt1v3a56nTU3ZnE z|2-RGL-_;5j~Ub3*s0~4Jxi;b^u6QKZfp^`wrujpmUJZvpeWsNPHy_j#y%q}i%ck2 zS4Wa!v2#(Py3*?3{C{&dv9N_6_abSlY6@7&Y-4WE`=qZ< z$|#atrHT0z#GrKDmVWzhQ~US6Xo3wi0rxr-3Xv0tep0_ttTsT6fA0{YC+@Xa(6)RH zV!C$_ATM5j=n$@mnc4iv@O(;n;Zegnh1o7^3|TJog>yLM{Zu_lAgY{Rkiz0I*@bHE)iG{%7UEj$VHP{`lKkqMlaBY*ISs1X(Lh zfYrO=WMfgh$8&W~ zzI{7PRwgxI+$Kz$3=>~kCeg$R0y23Ju3V+kX3*u*l{5&y7&J@GZEkGM8~SJh%vs<& z3AE_{T36O<_)Z%ksnkU8NoiW3O$ml7Eox>&c6(%NeDbINj}cPDqYzHHPl)|OcVC@GWDMa91jcCo*f!^tjRc=dvF z;9+*@L;ZC%Eyupn6pikO+d%^A9XD}CFPDzw!6es^V^Dj5`4^c5)DI1^2h5-=xhcqM zNxBz+!T)Mxh}0(iNUS|C4B*U9SANI*l~tj&v%V5*YJ%Q$T@|G5!65(e&*n(I1@{ff z$QJBO#-Rz1dcgu*@D4TY=;`ykyScqu$Z;}xU)xkp_PNH3znBlpM_SyuuByMz&WlMl zK6d`Q>-+DSVgKd7jko1?w6#6F`c{lTM0Z<*;2$fl`0!!Ji$n#BH`c>rhEQ*Bn2z<@ z`sz*h?PCp$-CSaVvhYGLWI4bn^tL6JMJJ~|>R1%_1?)+q!SS8* zzI}%uvq%p6B5O|n@ZDp`9kMbR>*4l<@)~&`7M!2fAH90Cn> z>AF{bBE#kBMA0U@d4iQ19lu*qJx$Z&;;u#30Kp(~-sT;fw$>(aUgSy+@T#|$U}+$2 zw!J9h{8_fQHaZ|07mgf*irUX3OWUM*8&|qq@3zdcpl&bciNH&f_%Fp&*2N}}l0I`)%hc*pXaF0E(g64%DgK&*v`NzUy77Vs~1#PMheS8D3^#|36%Tf#f} zrKbpJa|7f|ez_Nft`VK4%8|MLwHdk}bA1S0+2a7yg09ja`n1rV4(y4&n`m-2)Q)bK z71@(sg%BIoNH=w9-#qB`?`^k>9vS<^zlzgqEzgb51ciCh7NnBY$?7mExbRpEvy9|Ga$I12vScl4_s2G1<-5?BY6~ z0lhA`M)g}mEtriIAo01F&vaK_1~-l&UEjCg(~0>_1zNg#;pq`>7uZTc!qy^QjtK=3 zH9$_XdN%13v*rL^u)g+N&?6lVg3Ssb%Gb-MP^dfyW)7SkIH4`X%-Jk+^Hsc zJ|aN1XSWzxNmu;bO;SS7M2dG)NlW_G#VuoDRdFONXnBNm?96%_1EOjv_f_xfrxF%) zeshsH`>GIuF>7S%dqsTF>NbRppL{Lm$)XrrW*B9Hv)pOBQ}#V=tu%x%@X?0YhW`J5 zx3?m2u3aWmY5i7ZBzN^?8ksT<)uIJX6%xBh+oRb8pI;a5iIogQU}kl*cpU9BKejoEdz6&-bxFeOhcV z$L@=s3?207(7=9xzK?Hh0E%4v^ayxI3J7OdMlWJo$-jDcU=4bmqi51C`#X&>_1_ti zf@!&XhW?u;1D141$_!$%3NA33`UkR2jUk6QQw)Wt887k%0> z1lB?QFEqiCqI^~XoK`prE*q5MYjiKdrkS!Z*Xk5jO~VlQ%y8m#e6B}8RQ zLcUj}X;V{*pAU0<6e9EORrysBgV-ze-pFx6YeNBy3zr({^u)g40L>-V{HlhsLks{R z)a)+O%wO_s;`M?JgZMu-AG-lRHO2_4mtr*b0*Tir!5>R&pgYD!)(P8=16KGJGvI_8 z%$8CB4dxFrs*!R^(xfTUsg>^R2m@Vno=4JEOrq6b5(XRa-IUpy(5SSqj{~PHbfVy9 zZemKv#kco(64>w-IV-$E35%gC$|l+79s{cRyI0RnBALLQ?^S~p#Y~-|;y>M+G0A64BOkMssS=#`@eK`~t$xs*2^5e^PrpHBZ4YZ)! z<&IiAQ8FgHdHzN;H^B8RchD+#V%xF|n3Ryk%m02eC*%C(#Tsr^O_)>ZEUn4}_>C#; zLj7u)+37`BNYN|{gT_2!t<-xqi*TAlv^bUWd&^6rA9`k(LU&fP^yu6EM9ujh!=vkAWweV;LZD2s%DV9cDa#~v^2BBF_c1Kn22J$M1mnkrU^d&BOOD!txtO(;u# zfmzYx%H0-R8Sy`?{XRc}f<>34GcK88&WFg9$Qq?mF$F^;vtsj-a^YjoK7_bXuhId( zY&bl;`kfXzVDGb+qi)(A5X;`0!*>|BzFmuUz^Y}B!Cgl1b{2ql@W$j2syc41t4Cg& z1zuM|8b;Qb>*1lM-a^~bB);)>m}a&(L1hj0G6<%JN-g=PG)NO2bx<@fxF0R(g$7?D zZN;yK4Jlg-zS}nxtsbvm-={O7!$Y?_uJ#X@?Xm$xQ?EY7kmNF>&q~j~#OSZp%bmNw z!&4_NeNcGHS3(6M>(P5g!vtKINj(+B(;EP*9(#?^w2Pm27p%swRq>#(J3X~5#e?oI z@t)o(HFk0RKmAZkrRUD3TzQ2%vFADGsQ- z7+_8WKy?oh<;w2R_1I(&MF$OAeaGgVma@-JPv@QKzl;327Z<_k>qQr|Y5lS)`uA@u zn5zSu0D-!vt`ShGHizl{@9ST{Fa@9_H@lp4#+@qc2G>*emYlsdFgnf&-mFKhWHddY zT_ejrcie#i++d!BiAEoH0rUy==S-$P2~i2x*)OC6ws+Q#zsw9{etrmO-Nc5K{;-c)M4#dn=qn$fuJa*zk2*O)&!a>A%VF+1lefNk#fXG8GL0_Y+p z1FdWRFyL}x5l|c3vQZRsr$+jc!?BUSOlVIi-|tCQ{#1Xqh4gD39YEK=$VS@4mgTU8 z2N#P-!{uJX0B**4%%F3~cK(^R)bbe{Kql3@e=|foMme&T1ugc<*y_;lm8k}P{ZxDT z<>0mIQ_1*z%u1x+#l?knHh9~|0g&5lp1C#PwJ-KJMSce7QIZ? zyk#&xLUgoo7_tbTbb_N{k?ienNECY@Lwo@iUfr$`Vf+0#fR2Dtf*t89AGNjXpU{_G zg7{smr$GT3FV8YGiMGbx$kPQSV|M){?Wmsey3yf(71IU43l{H3^T|4CWvG>0C6{`S zDe+`E7AtV#%6y#7rl_rat@LjweoKw5Ee&RvXHcdK3=&&p2p38l>p3uqw85eQ7T48I z8(A11@l&`>NRc5+Sz~>@B0E10b`-4Ah>CbAt94FdyoGH9YMj0m64uMBRySF9)B6qe zGgf!E3WC49NqWxAm&Hd(-KEYHYMJiwK2B+@JZ%u0r0C@5hDF6&peeW^4(h16Cd?PI zp3=qy*$r#6KCyk@V24l3k-J1&Ft+MG5j8-y1_~xUR(#{2LsgBH&!;(RF!VkX_&Z6` zavkz-%B1SyXn1Z6jfR}B07DSX!f!<$6>7e z5F)bvE5P~lN~a48=wrmov)tm$o#HHFHw~O7kE@Dd9azDZ_uJL#={Qf5%&(-e6Ow`V zmAUKfZ!*Mvw{_O{bpc@MT->?>(dV|2t%<~U2}zoWCx4NivudICu}KvhAg4!kCz>S%@I?UA)4gI0?slwoJkF$3F=&eL*u zGk_F#V~Q(9a3-d?Bd4M`YXAj->}a|AVH=d_O=OY$knKMdXpTqN(|meT0O2z7o>lug zHUN76=`?lqxYZZ^cu5TG+aJyf?_X_h$p}lgkT=*EAubhDTpVC-$WK|Fh3Z7j>d=WV zG!okn8v0>1YO?#L{3cn)iNqx90zd(Q+CHL%wP(U7E0nRl5yS$b50u0EE%j}Fy0M60 z7aOPiJ0L{YVAb@e)deq2F=-Im1K*KTt`1|hU+fl#6X_c%`s00vBq#2Q zZ@dR1cgS7mG>GjdcT3W~?e{Bk1X3go&DBf`ZAB<%>2>1$8{$bdmL4J+g)rZ?+e-ZW z&5@}2U&x)#@2w$Br7c-xO;7fk&wSf%4Pj1RdLHlgNJ~ZWy}tXYMIl+v4sS~_|Dfpn z0=)Zzus`rhA0zbeh>ptY))6Va?f#>m;&S1E&O(R#G%J5Pdqwyy_%|~qEGo0njmNX& za5^TIAH1J^}Kdrri-GUTQ?yq$4duvqKKDN}BGEC}gP~{mQ)ijvJXo`E$($ z+XjgkjT@zmuI3NzzmD79$Ge1{5w<0V`P+-5hPz6>D{0^MTpUi~yQa@bc1?yPk?n=D z{-^>@>j5iuX%)E=&GBHA;wTE>z0LG1&$bXfB(#S_DnMx6M{@VN!>gk?d%)vrrw?llELk$kO^M?ri?W8RDnoo`{Q zgc=kz)P^?Bp!G;cleJGW#iTS3f5T=q{t(19X)z!89LIz+PYD3hfGUfNj7r&fKevdG z%>2w>@9j^!PN;VCxUfxNh&<9>E9Xyn zW@VXB5GRE=K$7$yoIdf_zHetz&Uk>WQ>fWCdCVa2y<(saSv@tGm_`sNZA9LNL}83MTM7tV&`B8Oy-Bibhi_m}75(wU0q zt|#MM30eHq_Uk-$CzT$%sv%$!2dD{*$R2bzMu^*eGZAGp)rc7Ex0Ccf24e3zJd0&y zXt&J}u$t077?^pVfy+;iXEgWnK;rEYlF zU_Y}dR2HV-LNe2pH>C&WIwfKh+J~-AaYM)w{XRfMrgAX1JC#Hv0 zS!ynf*4PwD=nt)U*M1eLmOg(7fL83WE1aKI{im}?_00%$uXD!HwM+%tNQ^GWe_Qk- zkiA>zDoif)TYJ-MSn1g0;sW@9ZR!h)cX&*#RY!?Wv~-f!sEc(r?9WTAB4R;Vi_Fg; z4LkImm@+3dLFYB3Ke%`3f7+v1712f(#}RV~>A4J>1su*cbUS|Y{_`1`_eRduH1Wi8 zKz2N>uES9r?@07?*{k7~3!YL>@S9E9eU{L)E}7H!YlgCyvtMZf$=Yr~;O)!3zUaLj zL@!~XUV-%6%2*62N>qabIFPtjR+i9IBOZG?o_una>v2*L|1`3qcTpOU@H8f?%1H~B z-QdMHhE3RT&{s6QkT6oa7PacIjm<#ayVkrgi?{h_!5U7*$?#o3p&*p^7Ory#glxaK zoNhFs7?R1t| zlfG9s?HRU~xxHX~GLe81L%ygzxkwC6v+>gwKm9$l)1*veiuWiGkR(F8%O)*}x2;T+ zQg}w82Mjd#rQ)!Rc&n#uC5j**g2l;>H}JBHYA+8HJJB!w`$en=)oNsfC-5bGpP zhxh6ZvV?=+89}KRCFt?vW4Q2(kzb>K-Wj~HW`PM$34PMeb@TUHX|g|g998Sgcnz@B zO}Eu|2iy~pa31VjN{WmLV|VhxG_;wRBRNi~cnOvux} zZRSgQWRJGr@9bR#S=XoMuVT*oRYVnwi)S0!*qxYg7XlE&B@jDt_*x0^W(L}w0~SrG zuqHEvVQEjegkIFwqGKDC;|q^-#ldIOqWvn{h%8(0BYEe}08L-!Hde-c-D(U&` zY}~hx#76Cln8Y3g`7(E15vO@foIgB%>shuSzbHqi4U>8egLjDR^h*c?21hoG#uP;V zvGSk&6*Y%K^EJ=r3OSo3x#{=UM14YpB7xg&(Z>gjU zS8J~6q~FQIv;x<9G|wB^rB<|M)qRftycOZ=5(=uv_W)f4-?A6qRh;k#d$J#CiJP}Pp~bzR{^L%z6g3h(CQwGWx`M#eq*@xVr!zL^5*?DPNR z=MfU$@CLPKUk`UKix$`VSaMm8>9B}gmQ4T|;4&rc8}J6X7X_S0{KC=!JrJo8f2NRj zvPM=T@6EpUgqmh?Z*BOqrf$!52Pnh61`J_eV8t^TZDRYDWQUtqQZMA8bF4a_djef*!J58Ebkdusm_ph@@3LootwP40 z+np7~R_mJUM)i?gwv0A)_>-BL#*Wu@*3`sQoW#zp zbsg==&z?uEP;6s5uUN)12n|)E0|J5(SDY9_+|F^{2dI8+D@DhR-@Ibnu6tzPrtx1b zJ;y^1&5|{3NwqtkV33aLXvo2ZMFw4QTU2I_mU7>W10n}G(5Sc}1(5e{1RjP2vDM})nXuw@8N9p#MrJu}s0H*4}zR|wEKiRyEBkFU!dAHz&A6db5ysXN0e z?*^xB7%P6)r0@1DEe4Vzcax3^%UrLmVB=pOki6wP%~60`oSQ1n9>wm$1WU8;vFVMz zG9}8{$7WZO;dK!vwjZ#dS^ORw|)P&V(K%WaO6edrZtS7(p}0%tSZJO)u! z56b+4xpej#S(L|jS@dY?I?^z(?sRu%s~U%|-c{2tfY%fAq_lMA?H^?>UL|sTe)ZmG zF#;-;+I$+`SL_xsBcS0~w_ruuDFjsSVb!K_)tZ-VeLzO$H_g}~o#U@-^kB2#SIijv zU*6slJuV=q@mfjN?PPk>&Za?P<`tmM?}B*fUM|aJNEUQ^wo=isMuyAYzfCU$dl3_s zmt;yvvAPv^Pf9B^&X2uBDs2kA3nIVg%>YjxBEd?q@452F)RS<0-b@<$?|!OUun)$Q zC}<{TEE)QpGWp&gR-ukk?wg5CBzQ-IO?^!X^j)5Mwshjl)*@FhB>#)V46ikT6K{08 z9vMZd)5~!$bVWpB;r*ao9Nx`kK7muJ zkbSKwg+t~2>sN#4otCLF0&`c%i=#FIS!+cc>YMzcRXWu|O2;Ch`OyNt-9TsEguY`e zy&cNtqVjY)*RN+HEH$y^d)UX89<*(G#8%pzAG#-a;KF!a zCo1e-f$LRVRKru}fMcTTTQADO{>2Ju^}_N)td>#6@rqxXO1UGlQIR!+t2o+T=Ojg* zai{GU@=he`h)EJ@Wp`5Z=eVcX#T@tYAp3y4#3N3qxmO`5*889AXAo-RI0s9d8oJM9fv;M^6 znl5w6q3_<&b)OLt-laRUb!BA@#jm+a93}rQQ3Z+IA4dP&ZvJqlkI@J{jYRa{VvJc% z@|@azhY|irD*sL7rN2?=4UN#B+=3L07iWN&qOMTof?Bw|IoG#>6u<+-=N;Sg}F_pC3=6qf5+R` z_cu0j>D^_s6Q&P6q(zP$Pldz=u@l|PDRFISGGnY_>pBJsIE}b5E%h`FhGfl?t((Zg zmkddEo!pX;keSuB<7>_gz3OM7{Wa!WQfcpxVlJ3#-dXj# zp)yR1@p+*K2(!y|41fYUqj&gur_Q@iDI^VuAiQbu6;EeYN*q$_w$}zWg@Evt(rXUc z`^AmhFhdxkHw7YORC|=Z)_ROJo6Oc!4Gz&oD&a6y7-LiICTDci?6N?42BE9Ta&$rV z>ZbZ!*le)y`(H*%l^ZMZj1(8&+6K1ahqbYEs4#TM2Ft_=tiM*A?aBJ>sMZjQOPlqP zqd&W9PyAfM>yjlb>-sd|&#Ll-L!OQ7gyHN^1Ur?pKE1y(TF9 z-06UGh%;OQ)#nrU{_5+7T9Orxwf(wuGfD38%&8HLa9S8~e@aVT3~F|H)GnY|=Sei* zA`NfzN|)if^R|dAj0?5C)<*}=IpEj#tSpi@5?vK_)$)<0>>3fcCc9vExDeFJ1WNstVza6IRYs zQpJcZzm(j#s+Q=3P_meHJJ|=Gl@uQ7$LbtFC7URrL=bAM=hoCd)busYY&Hz_V*YVl zWJ#U**ESt0)lQS2LL~xF?6~S-jZC18$CeTHQb)Yp123Z!$P)DZJh@N4jNJ-XCx|+x z&GxsmgdK`iBJ_^gEw=sr-`7-Y^!aG)mJqg|bUt!Q-4o$Mp~>9LkuvA88RUZ)Ps~tH zZj1wRz)=$r;*Xw|^*Pbs`$F3{E6)5CvZU9{%2+MTUK87Dn?iXs3mur&QJMB&k{Fk4 zR5fO_X~IX+PTZs!4zUKBGp>Tio`3JbU6*HCe--@{fHK2->dgP^^qYZxgOjo1b$Km8 zBQu^-A`6k;!m)2(p;P&C!?r70K^*maZ^)dHlI@ueFD!LOn=RW5@-aQe zK$tx%Jwf8lF57EUkoWgLT|98_a+nm{JeaM_d)na-ib1?7zGHW+toowGRxy>z`=yw6FbO7>s>p?$N;{*rfspd?Ocd4G=wx>3alki-0z)wc-=}X zsuC|?qj<}mgT?|c;!)u7W%UrmMBEjoT{5{FZG&p*IquNIBsyUZF%1Qq{;y+Ntj%#8 zPq)QK5BB$q9E~m*1kSILEp9x3*mXvmjI&gyqvFJ{;LFBxO;JNnKR5A9iACmWM_;$B zGabrfr?XaH5Z%46Ko%BuGH#ZI6zSg{wIC71gcrx6w9nGc5W_uD59a&WXJIaWPQj7_ zk5P-x7*8>C->t@i2FwPA>B8jLqK9FsClN}IJY1)2Y7>HHiP3>^)+o~`j(l>3;yK93 zdbc9{e{iP}>>lM~+OivF#5pKyZvw0Ac>F3|@SdJ~pVsW)#C%8ze~_(urNUe+VA~!1 zP23AgC-O=u>+VkFCcjo)d>N4u7QuIM)z`R)4arK+orNrVp2Rzwur?z65O<;Rp59+h zeIbb1W#kLemVUCx)kwaZ?xgL`J22FtcVpRjxy0}7yO9op&p7pA35MG3Jdn>LN$|wn zwH?N=7CE`b%F{4H#1B3ue{%g5kk*9)Y)k%?j*~=jneiL8PoZK)$N_MX13uss&ZmJ+ z8^QRU=sK`eN!M=j;avq{$CI9(lxF|<*ugll_t^X%Uk>!z%(m1G3j_;@wGxutgR5Uo+Z{tBU5SSUsVtp~DbTIO(4sYv*VI5nU=(z|iiQB> z*6m_kY}ca(qIWoboong(4$mFCc5RfHw8|Ha^Z9)wRA+JLMR?oeh!_t16SKC5EH5NF zmL)&aaCa)?EPfG#bTlu1O}!o`W@Ita5X~$}s!ys~n^j$aH(}qCls$V!3YW`u2_%4s zut7o72kPN;XxR4LoL1Z&UA)jo{}ZQ^y3@JA53fHsV2bl5Cc4F(_%Xp^d&Fhxn?rHL zt4F=v?Su;rQ#%?}=6hnaVXI+pB#P@{wgx4cu=#wBP6uwel;>FJzy|pdVzhnB({-poL;v~|$<`-&r57*2i~%Yau8b*L(&kFIhXtg(xV zO-=qM6R8I-P2VVYEhksJdOxFv?Y8W+5L+0VL+Pc*dHK!$9AWA_5}OZso`2=}@bWo6 z74akMBN2{QKaPl>nzt|tG@9ad!0%Y!j(x1z!}VkBap|AC6%BFCKJR6kJm2Tn7ZemU z6f|ILAXN#De)*fBu8vz&c!D^dy@|SjTnf3Mp`grRu_;BSD+160;VQSkjzIcF~$L@A~mUf&nl63|%W z#WcVn#5HxA2uOK}|56VB<&QdiUD_a7>VAA)FurxTC4ul|akGviae6AzPV03E=~auY z>uO9VY`0E9S4}RiRj!DzgqV!96lKV~Lh!*qropCAQ|jJ=fGuAm8V|GO>Z2?=j|Jv&JzxR&Ect=_G zii9f-OQm)7te$L^OW|3$P^-yK#EqPUft`dbaf&%s+CtQg8T9xb@MfxhA^Ifei2oLS zJYCSdr^r&rNqU;M*a$lZ^UJ!z=jC1JmrfV-%Xsw9&YHprmRgx&NT~AdLe2Q|Wi=km zA2q$ab+oj>=O(nlM6p?PW`7pmaQ|*gQ-Q6n?mpAR{IOU`}Zq z^-HfNEZYK0rC0KlXwP7Y^H=gUd(|ur&FYt)!BUNr=l#>A8^7y6Oiu`1pi2!UZEn?^ zb%KE;z|KWmWrKsDNa#7j()v@j!@P29v#E1$=&^*Y+^ zj?yfD58i!RQ0v=kbtQ2A<(;2**K2)|8LS z)C=3Ax)RU%*7uLqis6=}^u2e2zePfy!LL85l#{jyyms+QFEYKXtwQUkCMm+#>Pel_F}V)lwYWB7W~8w95$8bK8RNyuq6(UT#8X?CumBQ#TfviJCPZoY~AI^XZg2svD$HOs7*D&MNp zK!HYy>My2=$adU0l5qTWH9U zJ};789Pk_2Y)^&>q9;F=lc$e(=h#wGKPppw$&R;`{*4b*tTQ1v5|{fFmo6~trQ70H z{8yY`6eVI@+9I3vxn3!bX9a#4si~EvrVEU?cA!ryKh8aHbc?U+fXTQzh^+<+84qzW z=uvNM`6m*xWwQM41+p<#D6O=FHi$jSukT>Zc9ELPC-k;fOiJ_=0@k{SZs~ub96O=dd!HW1+@=baDBzH_)nl}7%v1vBS z2o(}7h`s_@@1dc!AvBDe-xfVXFmGW@$~eYeO|!;KpWIcy*?I~hNG1m!RQL)@F@1(s z5x?tJwu3;UU-{47AJWXm2@(DrWkA}*L|mgTIB5R-ZzASxC|4v&bxw`YiXTCYbka++Jfz)%z6WL4)l4 zr6bJCpUI4Gxz4SX+myF&^&U+4d7Qk*KMU)v3NZ_g6_2SeTKL>8J^Btxoc8az8iciM zwL{$1cx9TZFJ6jF@878|qca$AA2Je}67x)0N}}6Kk*YLbTv?j8EETR`U~!M@qq%MC zGpWww-KNeHAk6=YuZaEID@R-HXLW1sj`jtK^_lYv>-9cYLLqFxBK02&4#kr>aiASr z-=DLlqxu!InU$L&l;TkEY&dHV&RjUCN#WE!bW!zMR+HcELNg*@E%j?u8%eNw1^0Gp zd6wz>hx}#mV|qWa1v|_G!iLOEC`5r!Nd8O>3=j)0>GU#N^Wgp*3EhT%m(1GM@5v^r zWC&^&*{q|RWnr@9e#>bSRn+cdfABoxPW;c9hHyER`mK6!U3fN7FU^6#?L7jOFh%<= z&RXR2<>m zdOx%?UI|whxitE$$q|{?FbB85I9bHZZ?GqhE76o8 zqe1n@w>@j=uG5%l^I?vg89^rxz(x-6AbZYVdxp<9L{U(4_iyo#yuNYxIC%mW!dnRwJSlB>9C6a{Z0L z7Y=@&;rVDQY0x!Ts(Iwe{=7VgD{>@-BxRoGGsfB`wEX3|%2f#twZld1QgI!1~Z@GXxfxEe}b7?d0^tE%D&2HR6qCf_3h{cC90?4ah5LT z(jgeZJ}yGG1MV&myZ`eUt}8OijMT7SjZb89kyf(|@tX;~D?F-2?`mnk?mk;%qX##w zzJcGA)Q5Njto#y^D-S>(^$fmC`E!)RA{KXHH6shfU=-px)aTmN0}LpjDHG#UTCA6n z5(6t>XYJ;pC>b~7TKiLYRt-McX~Aw+Ms52uw2qo!n6xxFRTG2J5}{TGP8#C3!a+x{MD;D3IMZ8>;0Mi=*^>6W{?4 zc@*#@O(}2@-}l9C&9L_(fVXQ1jht{?nI>E{p+1-%Mqbti6_JsRi9CqhvdYM^Ra0?4 z$7l1G-MA8+voN@#G4|6kmh2gO)O+<%`C1a(AX#u2dYxrv{4qBD?vR%T#d|qjjfd2c zL{zCQtDDfaC>eJkXF_la%hCoj{P-w9khbw`tA>m;QCXM}`~751DKZ!)k6mV|ODjje z<@Rh}<5wKR4E@Rms|m9AK&7O{61S=LO(UTRGp)63j92=MwjZ6;kA{NC^|Imppl6$^ z-X%}$5!lj)?eI?tg2J+Ab#b#mMehT!Nht|R4wV;*ik3LI$Q0y z`X258j$;~lLYFi9=;d_aho-N8LA%+hHqI3?5=gSc(HrY>=YrsI z)_RtlCXhpcDd8I?zBiEQjY1#_(v`^Lq=xY?V_3NO?Zmf~jk%K7G3#~~3{rJ4>YaNm z*4&!7``FXDOsUTWskW_`inWdq3&z*>A(MF0wW2hx_yi?tat)rsq!oFcjLJ0wp4yC)hRX{*eq#GHK?uMa} zmIi4NP)X??LP2uq92mM`=$_#{+|TpA>-*N4#b3j~oU_lhe|25k#mi+l`ti-o1Bh%Q zKVH75suUM{r0IZRh-wyxM~U#N@>*dzdE92uSV?vfzNCKZ-T{{U!-44{8SwY{0OkNT zNXM0l>?<4GQL&0LrvDpdz=!4fQ5!93q7@R~`RhS(Fi#VBxMlyEHm_;GvM3e-!0U8(3@+#EK+Q~z8wGvY?%?6|i-MJB z1hN`$a!{daAor8;#+OsuYru-UqEiq?GYU)rnQJ?2p1C|m-}Tw`YqE>}#%}Auh;g7= z(8_8H_ilY8OQ;J6X5z%du5m=0=7Q9*m+xeJweO=Te8`0-Z}^R5hhR4d4ij?u6@4B= z+IZFF|CE8hEPSXTOs6pfoOD0CwO}*ci{Mf3G_5K1(3P~uK*7#eU?zBQho?7Qdd$+_ z_(!!lb89~Ph4%J@zMrZ+pS8pl=AueBtDnia;uUaa2t}ba;GR(pkCKmJgOa>|zX1H}~-?bl6zIy^(iC!j$gO0`@$^Fm2* z)AP#}TS7MqTlD6deq%3pSco3w^r-ab7=2obY!gp~5i)TatvJfb6L5c;yN6x=})Q`*$v zRP6Sg(J4L6jUyu4>~J9JOI=zFk(m8C)=7J~jFDt{E^C^V*K+{8U*fy4g_rQms z(iw#)AbZb%>B1RQ|NO1sBho0!pta<8tV?knIcv`-T~TN6u##~#DNiN8X{Uacd)sNm zGRG<)EsF<4hu>U< zEPk?SZegpj-*{WL{?!+NV_llSS#IB%VMxq2vMVe0g`!ghZe-*-d^G7SV0yMABF4_X z=x0ieE~u-is0x71`OMBYL#8!dq;EhkA_ z0Dp>4=~&7o%*4xF85tl+^gtX+K(l;*211RQRn=zUrHhaY!zNU zTryfkh7@A4*{`;?jo!^6+(e%~8Jcv7Q0)`L8praS`itqgTbU>LY{wPJm7-BmQsUW|Dw2^r zd&i~4Cq={MPDQb)^H%u4-SgcaI||RC(#lLNFvwA%Pt9c%^0zBtBeh7N=`=fRuKreu zzIDmd%L~|Y^!-NIR@?+5R0(5Uh&@Io*c@H0VoZ0*2@mbbx;wWAAEQs|8J8++R2&c7 zKgOsQL8)f&5J1o!aq`BT{;g5R)&szu6c-D;5R%1r-bL4S*Z!U`TqT8O;F4v%<)@Z* z9?LLB;kyc^x|F%sL(aStdW`RG9Hm$jK+{Qgia)4-)E+dxTGG+exoPp^eYj#3Y5)st zw@2vnGXmUW14QekK1dBl#?|0o480z4Lng_uc4Uv&$3d8%9Ryhfe!{+Sefw1-_(DJ= z0fg)LalWrEWlF@Um)y2pY^_wW-c%-a6`Q1*P(0U#gYG?{%O-6E!vN-c1|hyrF)COp zSXZ>aEOffZev>a^x*J<$_nE|<1X}Mm?mPzZKxemfL`4v6qR;p7)>-;YpkEhSffC8l zoKN99&fSU(9S!H!gS@Nj-(Hd%Qq?PmPKU80 zIVW6)o4@JlHdvm^KELF+pge$yg=kR~(tQsqcKV+8?lG^L{wJ8euSVOS4?pQZN93PU z9=KO9t_R(JI?kg(d7SfG@ao8p}#QyCUl z?;I|8fB_=WTX&K5#4dd%x6TBQ{O%PZC>Kazff& zR8W{eHI?#k^{ax^#&b6J3U2kloR9yQm%jVu!BtFs%Y)^r{)YoTep`@3?Bg=i*xcoq z$Zr1YRE=a%9-8BxZuIQzmX%!A@Nv$E5fIIl!NIlB%kgINx<;|56Cu^Vp7{AGTj7qH zDn!ZCv+idIvCQ*5?+^?#Ja4DQZC5BtMsHG(H7-h4Q+V}4QQ=jgVxc9ir^LZ-rs%FJ zTV5U3)o@9!L9)oZW_uG1KpFFMZ+Nc(t1HKw<^1ozqJX4L0HzU3b2n zYFAtlI8SL!joVlHcaX!KZEb%v<7w>!k7hIJ(JkpG%={ev!pWHQ4cKkuV7UrW113XG zG((-{9u>X8ij&g>vaqGrf+d~!u-}XJ;$7P`Tf;`T1_!8%xTA(&MaOa;8sz-WYbS~@&A5Cl0QjVYvEBDh5NQ}HrBjy`!ln;kKxj{jz_ zlKU2~LKjL~5Y%4n_6N&1B1?nkj!mU|beYoUfxVJ(!?lDcm1>%^QkWdy=Qi*73c*Mw z=iFDF4dZg9+Ldb7DK=`+9(!fQZF0uEi0lvYNmFLS z(auR|ngaZ>;?bngYeEX&KukWU*wyB=Q-ia0ujL&}guTyEtZagc)3C-F%@*&W!DRlS zLcs){W=4+h<|OiOqSz{KBRuG~Sn>243SL?ayj*0yEURevdb_P8YuHkC9_qHahzRoj zWd2Xp>_%HDSFgg@eOUOg?R13G*MH9lzT2?qwQz(gl|}w+-LDz!w%={z1z!&`dk;4? z-JJ|BDv+D3qfnQS)&-~5Vd>*Pq)v;TGoI8A)ghAm)jhB>)AL`|2??qTdXSqB-nR#w z_%Zes_34rusqa-r5@b;B0PdjiNx2xB%@yeZ(wUT3Ot|62BGzi`maW_wwyv`!G_Nf zEqgqDt~3v-y}BTpMp)W$*KDXH ztR@?RP((lktZ+a0WaER#Wj#!MJfKUR1P=andw^9)&hx@VfzOQtqn@NdEkTo|NTWXN zR>e_l;^!#cyYaE7k=$ShY@3OV>8}^M=R{VSlRdcj&K-jQ`}&KR`E{3ic!&27El2i! z1RKW7FG*-IOdN0DYx1wg+1saTMhjq6zzrHgdaWg>AQkc~nkniy3D*f7+zQzrWpZZhtN>Z@Hn!z4EW>0Vk}h1opOtA*)T+fujyM_e!(Oli6u)!qrfR-=6$Z`ZFFKor@JKs!{*^@?6M2uy z<1{~d^88(FyiB|qs5^&p=yJ)wO7eX2eQDF>gsl7K5Ie$fC30?fXj;*0{uAqEZ9cM` zub=LLJT@P4Isp>05VIO7RAyPR@+QaV;xfOb&;)*XBQo30zN7g)SFQ7`TqN_)Ono|| z)q(68r*fpZpwG9S;)>7zaACAmpVazH5?s^0!|ff9&czq^O@aKYr%}hP|0yWd4xHn$GPJd+$+04L(cP zIgH)^9N>MPO5bL&13bW}!vlkQ8?!O(3bSV5XpOquvCUE)_NO7ccyAU2Tm`wxh&&?_ z125+K_%RhMSInK@Uf3|`3~&n6C=p@B|2zV+m6shW3_ zhLL*I&aJJb@4`8OnsZIi_0`M0-GEf|SW|Rwq2ZQS?b@ChW2_~-PVjX15^~>e#lEd_ z5=MV#{xzkEuT=ckNeDei*Q(P!?=)xB)=ta0ZcNcj+&V2(YHvati;Rbj5q@6jt;Ub4 zN$$PBgWflpc+LI&T`q!csk>D`*DKwdpBN=s1{fw!Rq57vD0#Oej`GbV$drN(+qLH90 zVX|`mE>u)NiivMpaODU5u9@4(Nd^RV(0;j8eCuZ_1uVitm^+l<@~I{7i}dDKzgw65 z_99f~MLUk;qX!J1wVU0HXQ=d_E}}L?A+C_yMT81MUFLe-1^jJ1Or%BM0B0ael4`p7A@%RxNk9n+?1l_5_w}0$?JXv6@7X& zGlhk0+meR5{)sl@xt?)#+B@F&hu`M4-t3mC%ICXu;~mybsAmhH#fE&Kxjk%kZX&7< zEW2z+1g;EO2*%y+Tvp-T3FcqFV^8>IdR04)+yfPRTaFbu9p`JfuRTG{l`}E*N?wfC zJFPr&c6sfew|yfz&pDQB`dN+`Z$_Q=zNyzBQAKqj0kD$A(Z?>75wubPt$T}vQhf$o6#s4q2h_Xo?GDl z85@G^8W%&8(%92GPmp~k6Xu2PHfiTiOpijvY?@_nA@{eC(W9Xt^^WQ~a;Q_&N~8<4 z2$N8(GuM4Ye5IToPW$*381mgJLA>N_{%$_35rRB8ut!rDUz^sS+=EHmyq;;)+JKJ$ zRX;4Li{9g5YvyDpAZird5G@G%5_Qs#9V{eO6vL;7p}RT$NxPIqukLYq1g_M@tkvPP zk+bLh-Ina)SNlrJL;t3Ybff1N&Y=P@QQhfKKg;z`m-|y@+0U^&|Ni+S_MX64@5pO^ z=eD%@H;$_Fb;#Z>CxmAAYVDqHYhpwd(J>h>d;70$3l#=fG1ranEBo@=L`8@?7*7N# z%Wsl&*{F+pL+XMy)PXn&5_c4C0zeNM{|!^BeZfKVe7D;{!KVvxU-k$60mxDuDj*<0 zGOd8GQj*{QZql(~uGgCXLQ8{BFumPXbiqNej|#M+SZ($2cyE3yM*;i`P*Xt=OjS06S zL{dj`Kb%(9M{zXlkC-ACX0XAC; zb4Jc;Z-c}T!7#Y-0(%5QE9k2VTJ95TK}YZa+5q7IL7CZG8lb_$(jPvFB`WSlp{e*D zY$%?sl+4v8b!O}PUCH8E3P5T9-tnjai3;fu^7d^73mbGR7Pqx{(U!FY$;wn`D#Ga` zbL?uoTzUx=03b9f6`x99!rlv@PWV1Of7kzd;0cEfXt74<<@jf5-v^`@E(k7C{vJkU zBC-B0mdDNiu(`B#Jz2Gc!W9`9j?3ytPta<6nPC>xED0 zj=w$}liVAh)xTHi*!}#&`TGGxIMV7K%0*L?rNYa7y5ALjLpt)2qHQSBg|2!X$9L7l z3;#P=;Qi6n=srl_#3EILEr8k&6W)4Z4?6)Y{ZUG+S*wg7pvRCrnOTJra>3kyhIc9gOYLx#?+h>91Ng zzuK$JbR1_84n4ryaY>%p1vd5V?^kXBM!Iek2Bs#8$Tu5kSong{14S(AxCdo^e-z1m zC-EBqQi-K;`yKbF+ny1IUfvX238cS-(?0XZK3KE+u#v?GpUrv=tukZo1XGi9kMy`$ zS$1}%IXE9ROvpx!s*wz$9lDeL*&YXxPq>}-H{C^oPi?Ceao(mzRAxLl44QHnT=day zVk1|oZdx_fo|unaKu^ikPAG=n*GaKU|MwOh-~bCEfb(dd@J-$bf>e1!V;`8_qCcX2 zg%Q62php$=e)Gaejf-E!&MH!_-3_lK5pC{GP)C@*|HbHQqUOL*gX*Tll0=#P2ZrSW zhuP)_9n{Y>Fmwz0FP5g|qs~fKI*-NHcr9Sw@IVXjY<_>Xh=cAXU)Pr$P#PaBaGjCf z6+cqL{*IXtmUODMpu zgF}}1{S@o5900==6m_%ayDC(OgY>%Y7w#>7gVQ2d6m<#Ns=Xy*e*yicsl?uyv?)U@Y5kb;KCWhRflHr!5U(lOo;YvSALmF6?scoHG4;ox_ zILRo>ldd3E|h*<&j{nt;005T?c;pxJ~7cV zc8&1wlU!QS|MrBD$Jf7K)s%!Pd?!3>)S#Eofy5E*>ayDAnq3lL*0iU(neHB0KgHcQ zKdKu6Zh`ehc2wVk9@Sbt@sD7uDXGlR=DVBlJE~!spA%YYUpE@`u|B@zn7-7s+f`jo z1m6`&0ti#}@w2!#t{LA6HPML22B3{uI96F{+i5PM9N4GAogAC+O*a(&%P2BnqTj@c z2&SO-$llIDEni!BRpTl4{CF|F(+SkkqRmd}oEHmuq zvL|m(lCLMt?g8ffx@QZ(8>W{44HuQVBg=ozrN2D;^`DvY%U^7lIH0H`);pz^pNx*t zR`_+0o2jZ-uUQ1YC|8{)LXIMMnFs|maAk}M7nU4bc7TzX8MU%cB?iKr2d1@fTSAEf zmN5(Sf|(nxX{)h>y5AiF#pRrtPAWF?96)SyzgMZ?=T`K$nO3^|g4yxnwL^UA3+8CL z*8b;ZX0#~v*}U%Xje7V|q-Z$iq}fGHhP5FJtXsvOMGZ(Jq)+>)j*#)V z0y)NYx!{v@i9TMqJ8lDWm|SU&XD`o&l#%Rm{+{1%sS!yf39YJ}s$8Gt*lPfclL4(}TPAnn=3t`|LV1W4PM(XFj*g;+R=d-WI7;XS54~qD}aS2jL-sq6|FXbolVF z6+x)fQA0yglwC#^H$hQ_mzW@`%BY2BLnbk`Uu@M)*P-k$_WPOeARjSnE`Rt)KIBb$ z1gZ4e(%sPr9KpJKaok5wWb@)Tob+&exn|u%TZZ3q;hzlbidI!3@2GqEo!InFgBWFf z97af+0mVgv|I&ml(?MD~r64%Re`aTkOpf_TVR9W*Jyndtu3( zvImNYo7eld>EKz(^#=}CIJfLgf;15pLXY9{#sKXPNSi-m!+69fhm2fZSpQL!;3j*w zLR320SeKhA{zfwDV(0;&(xLWwPvPaY&xnU#R`~!>Rw51U9Nh?a?%m8i5`Ir$6LBM@ z&mWpr@^oI8D|Y{~KCsa^|3Pi~z%tvD)^Wj-?V#<}Fv!!|)I%f-)8gf)PM4ukGzBsA z;W>K5O*-t=9=7bI=gw;#W6Xl&Na>_zc!naQaZHL08jDma=Tdrho z5fJdzf*kbdyb9bdvTc7V__}gPOk^m*$GsgIe4r_*+ij#+wkj^^P4tI})Gl#cZe2b*sOSOC|)Wbq+ z?C%sr={WS+GKC3~PjT}B9u8-V^5P?U=us}SSzQInHc{;X9C);SO7ww3IT5NhK8ey7 zxJn%Ys!_~Yvl)FC+drS_p0&#wW=mD)=!#p2v&Hp#RO@qOTUUF_mJ zeX;q;0iqGSximre={3ocDsEK;Y;bDvt{{n(XtW+@1b((13OIDncVBRZ1kTQtlC}T> zU4+xD#sEF~KU+8aC5q2Q{*u4nP!8%i(s+D4)~jHmv?wDeHM|5Id^eN!u!%M`9<%-D z_s4%Ogi+Yyhj5Skf?6pdZp67?=RVw)QoE|@nUfW+=2CV|B|ksMb7EUM^mzvFMNhp< zv}YJYZ)2z(B3@o@@Pd8W3*pxz-YPQ+O-DGHWG|#u!v3>bFhUp;rN-w@{!xTd?(YwJ zhfy|`d<5y1IESAv&Iuo?ZTkZuBY$;x26Ma`McmNPidfe+&>ImXC}J8Hx6kaLy(iE^ zK@oITL~r1dAOkk`Ct<90HNQ84|1dhqaakdnuLOy2g)a+8_ZB$cJ}t`ND{7{vhzxzN zAzgpA{UE9BNchQ{Q3qnQkekis&yi=79m;Zcd+K>7QZL;;n`!Lt0M6Tdh(1;?mcio4 z14o8^hn*Mq8KLfiW>?ChZGCu7+r9{w*R35>1W<5dHt`?+z0q1&jvjJgSYp*!^z4qP zY3V$)JqZ)jwSHWNt z5;zV5&lcOoTG8zV04bC(C@_azV$mrItyFO0)j1X4hPNMG%-dJF@ERW)V1H$fd&fuf zbs5;{OGR&FulqG38M9KTD7mWs;eV|ikr;dcYxT<|xrpYiJQroq1%Axq-gj|L>k%XG znK3I7`NWMuN+hq{s4RT9?f$}*a3LjJ)h_ye*;iS=saZX4G_hcQdleQ+OQJ2;7Cm2G z91J*Qxl%DHlCDQQOv^rkCb?fe;=*{u(CHS>Qs+BR;n5ZM zGao>gh3@eDYv<`K5gO~?D5vc6N6!H5O|FzgF8bYlW=JD$t*zs8mW>+c(R01*&uiyL zJw&ZGdA=oQyJSEy1a59uu*E9qIcew%;Yy;RWe{kU1+UC>mce;~h^e{aET>DSfg8Ve zXjUMkBPgfZ`&<8%o>{IRH9NL)ieC8K)bP`b4dKFJm(47j`GeHjKx#SxTbdqK*uEtG zhWpk??rH{ggXK3hCrn%i(7905BcG>KA(uDRMkL>@&+=qTRkRS;P;ZC1$=d0Q4~=Gi zn-1Gz*r7p)H`U>%0A28SXtXc~9SuP8zrP9Zg@*~9ibf~qHHxBBx6zBv*0;OMNPDOD zQFw}vpB1`9p;FxpUSfO#D1J_4G7JzPC*#ouDJ)$S_^@jJ@D}M2@1eO3JCLUq#+esm z4$}GNIPSy(bsgWPu$r8pD5+wiugAWsT?Ez#ig>b>Aiha)St8obu2X3_TI@db*6NOL zFwLM{+5egbe0OZIg;TWiyN`}~#DSTcLe1b8@o(vxYx?+B?eBxozT4wFc5aS9DqN?W!*mUi;t9I=mFWIA&JNPIj~`?ULm!ShxjSlW1}bc_Xrz0WFh9PM)d0eiu6Qo(E1 zBFe?Zvl$JURZVffZN!RaEi;H-E5sKH7sKQW>~~weZ0G+mtzC7EwA*DCjLC@2_ujbR zOSt))>3IBy06(#%s;}J{t@qz>lH%xxBjB*sZt@Pkn;#w;*=-+g3{4i>In%=kwarFw zVYSnQU2#imCeUB+_pY@|%G$OGL8pW=m*-9ld@Q`J2LX*|>GWcv9hPO4wweMc#pvx0 zQoMrq-wFBKomd5`rL1sEa}>-BfAaqIhmBp9txtE)G}i(WJ8TYa*8H#!nwRj9dL^M_l};*ThrmCl9D^|+QV{C3GkJ_1|uVp`aO zh@snpNhnfTBDyr!>#O7?%zd~&RdB`P?5>L_=qZnt124bkA>c|RB#4H}Q;TkZNVCmG zrbFs%xIB${kE!)h!pFZe5?`2CZ#FZSEB3!NTfaaVnx;;S0rKFCOej}g# z5$$ln#|%h)Wqh4D8e$6sFT=J;y_u36F6CaNaLw zImiW|5E0^t@EX)G(d67sH+D?r0@`?S!D>1lPx~E0LHL~5^iBe=$1&&6uvomi4b)D{ zF2$Sl>~Y$zj{6?eufayy1}rBKIa`OlXNEe-SmCm2=y~Z_{}}=k38;`YWgqIJ2TM(( z8TXrUwwv*jip`RWy*(3Rbg5REIXXmmBC{bscno%TX>swp`mk5%*PolATt!ja-0xS} zxo_JBdf(^mDPqm1p&`S*3oK$M-Z<`gZD_Ka@l`AHrom3=yin_TLP6^#f_RhD^V{!0 z0}mOR1gy-R{-suyp~ngI90_X}bsd?0hA& z5^fHmb~fNrCF-5ulDTYN;l9h-$zj^p+NTD)Dlz`0w;0MBi2t$#oOIQ`hgkajqnnVv zHbE^Ney-Gb^^H`b`)Yx9-(s?HB`^Jaa*L}M^X}hOHkIq3*!PsTI6rj%>JNU@$0G{~ z?i5*Yc)x1ykDfvIhQ|SoEK%!fBG0ZQlep!pP$1GsCO-)WT{iHS^gvc$58xqAG%qKjcIF> zFn7KEYtFT*M3ouGcWAT@&0XwmeP6P+7{+ybqfv|pL#8(r;}P{IGfu|y!kA62l1i-LSqx5a1`Px8le5H@tJ- zDfI5*vPv&3Ng2dn+LA{2E-jE{@cQYt124#oqDyIe>@ej|i8@Id2!k+9t zx6x~)o<00fyqvKVkY@x8kWN2bKw7%=i83V|abr0fEqY*$g^oqXcIAvVs9Ik5Kq>3sObb9)nA9W4oysSS(Ze)DjePxO5W+;yrew^W! z2mXZheE9jeDpJRBPKO{Hw54?nL_z9g&~<0$En~U6nX@RFhNop%0Ege<*VIeCuiCms z*9zbTM2eA5&W_-%piN-U4@83BK|gE0M-cre7&@d+3a|bI{Uv^jqSREN7j<$r>SjU$ z;kjP#=@I5??P~t}_OI+(-6{N$;i~)2ZV4u!hsJ4BiNal_jAMhBJ z0d$kEr!_W4*y6jkfJ784^VKbJY$BX^MrU?RXwLtB-+S37;kbSb+Z;^)V*HDjjvGlC zU{6W9)|pYUe1GA*W8$bf(>NF6B$SzC#JjWbQFcbqKGz%qaTRqNCWoC!27Rdd@tE8R zYPisfiq{-q}~(PqP_C!TeON-qKi?ku5Y@6?v; zy>DM!-VYe~9(h=1hP2yp^+<~!kHt30Tt&BzFi|Qh8QF4{$~mVF%vz-buiY=6ibkBm zax;%J+&>8HbbFakp?<}@NdU_F8*^s#0qVF8`m0Wy?x+TB(v50oeA6AP8?p`IFn`L_ z_-gHG)GY$>t@ri7-FtQM;%8{s!%UdGinHErYqW=Vr%>MJ#wQIlfcm3*k@30pxy6S# z6Ys?-6EO1JqWzEVtNiOBo03QU4C@(?yNyC(Z`9p&VV-#(t#{5Q&msDtDflEMA3wgM zO$k~Jgh3*VDE=N)4T=DX55T{Zw_vN9LVIVHjfm+$4;rdTP?bfP9>?f~8`-s=74v$+ zuX;tbcUV=TD^9*8g|$vF4aaqc;LZM)brB5TD45d)BF@Y&N0qUDq}cXMKugu>k2Apoos3mc+u9Y`BNzS%uZV(ZYXFn_VmSFgva>+o5&rlw^OC?^}Yq z4RWuz&7uD7=|{2C-ITlJMUpz5e3n!=adQ`_+gmWv1D|Z~8!}SCP*YBB9)Gw|6aBQ- zcb+EFD?uvtC$FQECixj0s5;v;ZW}+?`>jKQu-JI{_xZY~;vf{4;&(N5LF}6U9-6P3sBhP15v~>NNV%^V#}*<^b^TQ~KAtQIT$?&9 z2T)~m;>a(*sWMZt^wx_!LF7kl?c3ETQi3)2{99vo{F`iw;GNR7gp)6Ge=d1fa(V04DYT6Y9l|VtxmMw zdXQ>=BUi#2y-As%42*#GgwJ6Ky(_4NK-_pSA{gW%6r#=^e3s0-e85s%88UV9f(KrH z@?QZ?QzJ4BFHYb2@^zFyKE_$!`Wh6=y32EbBoKvZPXC1L3+Dc-BNG@@xE_4V-x?*I zlg#0-ip7|?WBhVRh9xlVE)%{zXYc1X@nX@~CX9=5li6`$l~Y_m<3ci2`d&|Lz1 z5XO7+n;0*TVriB;+lq`es_&iYUaiq@#L0e3O2CZaSSm)g4lr^*E|S5ziu6Ep+{A!q z_k<%B9f}f*6>NzA#medY>~gc|Fh4>9o~$gOu*^gxW<46}8c$<$Qw!-_^DU^(g0zIwo&zI_k8J?^ox>fYm9D_hyd- z{slN*qWAY3exzN>Oxvcgmx09X%GHe6EFhvTek#q?HT?MmQ1aEOM@bjSufj>yaW5OV zAJG|K?O2v@?^x*m9_G4ObW=09{mUEVs$wQ$Xmf3GGo$4_ga+#6?=@S0$ORBJ#C6N< zww5C90PVVQ|76&Lf&ZRAJH0r6CCq$Z3ek4j&DiTJ_WGv0cEqjRcrz9X*PwQ~^9Qcn zm7+uZ-vQh8y?EyUtA9z>6-9x*y6;HNRP0A7@gJ)IpIqTqC)VGto#8oNwf0 zi8o;736jB+8!+GGvF=b$keJx9+NeJSEM442kmX1T`5H^hXT9zNrVy@5YnO^9ujfEJ z(P25F0v01@fp;b7y%UgiRU3FfnTsRng4(x{ePZ+HD4{rO2JjBtbtP_diQ|fbA`INl z;7=}Ce${;>E{b@tSgYLDlMXy zGtFLLC1;fpMi?T2(QN5tYwn@#pvaIb5sny;vF$h}_ZC2joK3LRU=!16r4o zW`%W7I_-Fxxu*=K;NY&4Y8}6#Tw22fW)FzXgdh8_Uk)3L8)C5y4r}&YzCM12OaRSp zHQy700rWb3scSbuYQC8Sfv%KftD6ajz-0yfOp&{KQL3z#+t#CG3)Th3#Y@)W%J+y8 z?Z>tgvkb9-Yo_C7dUaX%`X3Q~@-ro0P^j3@G7W*ZrKQx(+y5G^H1#mf94T=fYr3$h zXRUVvj=FF%VCHA11mI2FBHD$=49dN#MmN`h-(}UbFW4*f?DXvS&y*jD`o%9fQnP^> z8*|nfCNLoRv9sL+q`SZbmu1Cf!!ZT`lTYZazyI6=-BYA?{3zc7WKUR(-I~uBHbXb6 zl^I(wZz?BCw@LM7vK*fgN^BSW+MUQ`>-IVXtQ@5s}63(3{ePj+opl$L)3-rKtTR`T*tFgAqhAjV{WG&~yX1>npziZ&!=s z1B%Xzl>9rUkHP$uBjtRXM2erEm_4kb`E0ZU&ohZJgZ6D)AH`OgO6f%Uc{qhc+0JDh zry7Ok^f=C|jF&72H^rw=J-s6wkt}d^NMCjQ|D6T!SnI(r{KYDVv%i_`%;Wpr{S**2 zGY*kYF3v2n*v<5B*!q_T-Wg__#JYwAp6k;^j|kH0-;IB&)v6l$(JVyKZ~sc^6!^A{ z3r9mWhKQic)*eF6NNW%(nP)HOpt^@}W$BfW-7n(wKbFo+W*0zl9^ED=0+MNL#+#H@ zwX&pH2^Ex1$AkOkU~GY0d5|*WRp5haVwxf&OLHMR@4J=TqewxhFOp3>?7`5#5HGs4 zy#z$x#21Que0;?AKYn$6J|f~y`C3wCOUy#{yC76bFyODLaswC`BhUl^+@yI&iY;Z< z+-E#EVIeRx-Cyf$J%4K!cwHFvz%RlyeEBgj7dplX4sLW?r<%j?M)3+$6vd4yU%x7i zNHCowKvB$b06o&%_!x<~w*tW7X&n_af;O)kd-=CC(B)^+YI^1k+klCf(N6nGR|n!C zTF;I>Lfs#1tbh}A`qBqN)PIvv_=6>cU zu#bGpWe>5^yxNdG6MLKo524cLVluG)R4w8aX~@M(IU@O(XfKZGc7`!#bIL$oDUg{S0%uR3a2Yj&IIW-@b1 z{ry#6>3+7(2(@4cKmd3(=6J9FGfF|(kU?GujQ@n{dPf5+Vf|dFCdYl(Tjfp&4jto z-u&x5S-rlI(n9-(o4f(E$jBGC@mQl(4!z|89*u_=0}%#=ZwCCD`eAZRYk#rE2mIuN zd~EN)*1as@K+c+&ybZtz{elKiLCxYsv_Qs|P$qeJ>b2e!R zBqB?=ex{Y;BV0rG^6E|VgpaqY4%*PN9C4o{sI?YfwA4j8u zLms}`|6Zy8ykY8I`Zwv3+;abxIt4%zIaTMJ#%E-5avTeV zZ&mAIi?)Cl%(aiNN-7xLS9H!MKafUMT`-aL_X8SKF6EpL7>j`SvbpaorCE>G%#@O`a3+gV6LqOym#2o`?7k zXGqc>)NRn|*0sdE<;JGPWg$9bF6(YE1=oWFJ+5sZNzJ&RMHQ01Sfj-PZ;=#1D=xO`Lq- zi4X1chc1MTx|@qI07!Mw^-VJ`Z`$w9Gp}lM#U5 zHgshz4#<^BE`KOg6|A0tyuRXhx=x;PsRXMp#C2BhwD^6i@<0$%%p(H@P<~QWp335i zN>O2iq#M*Yk@^G8Zc(ywEcSjCG|Wzl`y?Q$!n+cwh7j@1DF1P;hshWJ-&Y8TWP2A+ zw`m@MKhui3JL~^)EGo^}{0u!2jnp&w;#L73oKTcgV8zy$;~@_5W5vh?pzvnp#1A$I za4RAh%_F0P@Opj(`%{sE_zI8ZFkipKNW(pItZt=VIt_E`Ps@KiO`88>y=`rY=q<;yBe^erIfZLsbr(;1(&LYf&{Wi; z_A<`&V|lpsG9ibQ_Sm(G8H05@*#?^G`=rS zbQ=G6xd2_Bia?j=PY}l7)q-8V-VXOu^c&PRUSwpX<@<=B&Ka#g;;%A*)%RRl*|-V# zLkEg-*vnqG-v$zK>)6rbh=)XaeyB1sR1~6Jio71d?{cu zLe}GIXnP2ama}YPQ;@3U@S&hEsF26LakBm|EofVnQ|PAF1B|_hwA;)w&x>1lX)}v?b%MkjY5+z3g2ku9hY@G36cq&=gl+nX#IE-dOn{?Y zyXS>krrQK1)pp`vijYW|w5PFk}Em5*|XY7bs1%}%&%lY$FO8t8CCJcv@ zc-;Sg*QKp2(36&6LTK0vzqnl<(3-$4XnjlKfz@EApG=*%mf$iF@nHnA1PnfUh_o$2 zs)6vQqY6XC?@m!PqqRb{BsL>YhSAmwLZ|62Ggp(>Wm7NC2IMasZ(aci26F~z>^BdP z{#Fy^*Muw4BuID#bi;gv_=Q*Uk>YBaegJ~$^zUHXdT|sT{IlL>iS}{OpzFOpVr~fk zfcZAd;+S`btjT|!g}NAQ;cS>G1I6Vl1Nr}pRvs9gz6BO)c2YXT`pyxWSYa%jhSn0s zq+Cm1eO-@!QmP(1cBfI>E!j5R*8`njd2DLCoHO&jwIwlRViqqVyrr)dkD zhn8u(w*f&+Cep~_h045;anB+iKix&xuwQ?pF)%+xltbk&=~MHamvNAKuCX}zG{(yE z9*QAtm7Kj79&H1jtKVF;dDdijq@~tOjAg#9Y@0r8SimfRJne+)H#D42^|M0d#VYre zA1gus-!hVjLPH)?-Xdpkxz?Pw0(>^=3b8nbVG31Ay0!~Nd!q%=x}rAwMJN zJyG8E54b^clo(p=j+5*Xv0}75e&J$BG|u}1J-NP@#3Aae!1#pHdyM}>)>nW<)pqT| zFao2162j2k-5pAIiF8X#cXvrkH%Nn^bcl3=bc1xKbi>)>`+nc~|8u;!#zEZ7v!A`< zUTZz;UJ1VF=7ykmr|)*4kTpC|5@&+v(Dk3Iv92(`ju=-AbScrCGJ2@fpG9Nc5iR}( z%4FX~c_w#(sQM(wi7DX;RKceQt<%Og`b_1@@zGJfu>wDe2;?wO2%3vJKS-zz2<}sy zM0Q4!ORwg;EATkgFdT6Be6i`nH0%mbyhzyG>+41b6!Voo1t`Hjf!XIqEOm34`ey2H zjS6P70Xir@bd8?n;YU=Os|!lMXtMeDSH@zt7)4i{-bg<3^@g`-=g)WE@KBJA_5+20 zqm6Ihnj=KgUrFUPv*&@TL*$1@I{3qp^C?H`hofyS(TBi~6|fGaXYU&>am7YkZ{FCz zI);zh)yCIif1rSAs%d<8zEULWJL!EkJ(9@FHx5*;$$0frLKSU50RLWv33an0qJ>-_ zy&c~>dHd%k`3TGFq`%K4=Rk_ic0u@RAoo9-@%Oo4rNbdEIRq|@<%&hM?Qof|=goY7 zvnH_463F6H^I4;^^{0xuKA;>k$=}`riD{Zw@N~ZV<`f36ddv-bUOoM+5GM&2QUCrl zGFoBl3e-hs85?iUZ0^UjKW9vzdl`+9+Z+gUhZ;r-dn?KtCY~)4GMI2S-+AgDYb_)@ z7P|7j`i@>I9fCYS#z*6%5li9fqe8QwvFSIAv8s;Ik&lp&%u$LG94;J2{q3Bd0Jh;I zekxLjKZmcU2MYejjfhyG8^8&8e4@yd7-v{1UWIxiNviOai;I`M_MeAr6g`v)GCqF; zQ#Lkqk=$M>7Q7dx93@mFvZxzB$5Je43i3D2j2+UL>QvFj32xJ?*hS9v8?v=zO&xg+Lo(wl<`4RM@XN zDc?A3Fj@ZBg}{LZQ>9;_e0>AomCKdw^B>UkFLV+BL9JQ0lC*zEx}x~>mP4AbfIc&J zPoU8(%+GQBa!(y*maxGrD0X6IBWeQ#sL#TYCuMScCmwW`dpv)Pc|L9=E!~oH11-?C zh??q8K$o{Y5K0;auX4|hNU8XOoTO;-yxQ$#kf>h)R+)}_w`<{VJ$qS^)8P~1&4X73Y&fWyVfs|C!~Z)% zgcID<A`m_Ik`>ES=K6jx zv|!KGU?)TA(yn3(>i-6z)0Ui{f4aSt^RU0Gur(L6Pp_9MYUo>c39xS>R+#1=Qm5wg z6FmMGwxXeeM`<&qsl)oB|7N@FvITui6Z{?{7T%5Wg>E=dk%YjT7Lam0FTVHgjK~(p zLxCz%ki~NQ1Edcw1eoNC&#D8M?FR#m?<*Hhqp8%~1j}rIHp01)3)`mF{j5e8I$?)| zm+%9`k*(8^_LcpYa+TYf#(5t*ueGgsG}oy0$;rtzn@vwKe;J<(spgzg{Dsc{NWp(! zm7pMt+uNNtP!bzH-QgX#b*e`!Dr1>2WR7s4$3!0V%^YwHd!l}baEU?zmBA8l?Ak2ylroWwY#zU+Nx95I0Rn33^1N>r~}1DZ8Q$0bFX8gc%51m8WgP<6KNoQCOt zZRNj^)qfs2e|LYq=MtfAcJyQb?jr{fA|wK)POty1Iv@bnB5gnc<2BwhXaFyZ2FlBq zq2KI!t2t0#ypT0RFAf&D`eRw)8xhzMXxD=yv<6fQI-`W$)xVql5o~|xv@sg<&A`{q zU`ktRx07JLySW_tO~J$EELdi{37jfR8E(~?3Kp5ReJguvQbiS@y=klFh=A9=_Cz} zr0nsYykBbL>cL{vRVv2R#;gi=9NZ*u5U<`y^| zS;9PinTmbmVaLevI=Q;*{-ga(4e`E;!PtS_J-g)QB(yn3zLlw z01{@i`K_o10DcL`O6}@tnx=_9l%n>uO1dyB1we}g{-N6fRYMace#RSuUwkI!<%3L^ zh?(r`Ce>bz+q@E{@%dGF^)394FaY=uM){wwB32kIKdoy^db3+UL9e*}5D1D++m*?O zE=B-NiC-tHUb8yO#KSJkr-(I`Hk0_w`dscW;}6iijnMAXn!zf?rkdzT&WEij**%@M z-TZKesONk9Va?w}r7`-X{=KNvlDo1S@aX4&Hg3=SbdAf8TqCc&|XO| zI%eSmouQRS0P`W)W#iL#E4xIor9mK{=j7Fb2@hs2f*kMWa*S=9f$MiZf})u6_|xlv`r?137IqJi?;To< z2uowh27jXPQ%2a&d1`~Q13e;I)Aia$P^zIMaqeABwB;Yb$%$y9v zNg8rlRyvk_Zi|@tj69}iIEQ@+>;l!QSwqStp-t*lnblgvG9 zA(0)a{sAoCUDQ<45xMQHGuO5hX#b)4c;$bKDMGEhukve$VC{W)O;a*YanW3e3>hd> z1nB>8?NEPDB%Tum87(O^Qb%fv60WKOqHUI7I9ZYji<79aT80QY4QTu>4P{hP=4U^| z-?74crU}P1Nz&;9w}|cP9Au-WV5RF>y+i9HP7_Hmo`fIYtnknuD`$3RuETHzi~;O< zYH5T;x8s*W{x}(FiaCkqT!q^%Mn^jd`rx{+rP_cckh|3NtL#G`!-?w zzlTBdGT%1^`e42cI2lAbyT4Q@PS4>Ze>!R1Zx-#YjQUr0CR8S-qyUw<@|JqLg62I~ zaA1Zxn$te~_&DJ00)jFs$M)1Rn)}+#eoQ;4tjSVr$dTj9v#I3`L)$8wZe0X~g(IXb z;Mt2sAd|ih94D*p5i8aZ%jty7e!{CY3fq$#`W}gv+P+nzU)&qPf!s1JFxZORg+5Bu zX8#UmQF17el~O0{lK|Rw^oHY>yTvg{;zJ;PCh0mrTjaF(@srD4)!}=s<2(zd*kO&u}JfD?6u8rvtM5Ca<=u$ zQTTQ&W-ksLObcR^gzKhR5EYARt>J}+$)*RwTV%43By-^qL_%~dEreOknFne&eMn@! zBiHcyGy9xG*Z|$30Ix@VCO^>R^ZSc<#JoW7Ko&Abw%;y~r98yhX%Sm}vQ?l+h+EXI z+`hjR87tM#6b|QRpT-)HcoT^ErLCrb$J`gNQt=_soOlG3_|0gMi0@aB{#LJ>X2iEK za@fVpf)!qL2!<@?x3if338RDV?ub3ihRqHalw|;WT*D7PAU7W~S=*xHzL}V7G?S%l zs%PK*+6Fk6S|thevjIdYMQ8Y1ecI;guY_8?`NPQPeO5H7nRJH^NTPX&So-Op!?f`f zz>2!b?SQOj2tw5ZoBG4)nm2Vp@dNUPAbqlnur-c;jM3!v-PX@t^@B!$mqP)}fzXiI zQg})RA{6s`&S%-YlXE~{W-aG8*9!DEetkT0ZM9k_ptqWOC2|t>Wz=-RP7%q%&W=UE zQIWbQYodR39_PL{F*^wNYVoSf3a0huCZL2+`)WUCfP{s1?h8RT4FfumO8efF!IyPN zyoQxrTlg}MdG*ZI-=EzQIr@cgg*EziMP}C6^ryO_)4pu1VRt0}H7F5-0D6hz8hCD? zufWxtOtl!eHB$Kb75AB_8fWt#T@Yu_rIYUNJTtOUIUq3Nj&E553}c@h9J#n4-)br* zMGRRirawR_uuxt#K&SfFSQ?-jyaq$TfuzZCUrlSo?ISRfe|qsc+LCLf8V2yQ6Wkfj zahlK>x^%EbCz-+0M|?4GCWJi%`m+wCboL`(Y@C=u7Ze5(nyn-2`ZIXkt7fcQpAlO# zm96+b9c5p>6AZ3P14aS>PJ3%4`*{RJ6_#@}%j6l?=X14P!d9~Hr z=Kz$@-jt=y1a6BGl=h(gHaCKcq7CKcC20n~t4+!e7=eTL8fLb6X9k_D`zsNPK8Inb zi?u0>gdy4`{MN@~JINbdYOZnY;0ito`=Gz7mI)yMN}Wgf@e0pTJE7gfJnJY|0XWS$ znblvLYvKHPjG23+BI{6$a#|#m)5M2-v0Jx_mO_*xisrUGw%L#Px%o#v>4U}E8t1Cb ze!!X@ZGhGwJJ^}HJD>}17ftxyE*D6X7L&v8lIy5!L=;E zJ4`q|2ir95Qn>;d@}npGTeyZ4k1iOK{2u=r=f(UY;zP|*Pm6Q(?N zTL5)IM9bceXM#Pn9V*sEhb|o$&WEQmoEqxtROnGabImompTRqTi+xjw;!-RQHJGkw zea6$lJm^}SwA^R6+o5t%zWG5>4d8!KzkoLn;s#D^= z0;SS&?MJ@E(o^7gh7vc32Dj$k@%JCP6%aa$iIxB7{CpVB^Z5to0c2a~Z7ZTTG@8Rqf#$bnF6d&Cb(>?{>1Z`7wSSUQbsALR@OxI5s6xMeVwX2|Xl=YL%f9^;2(;PcW% zH_S(wFt#$@y!QWsuC$P2t}nK0p$;m{D>i%l7)x-dU2D8At!0PwL4gpU?*{oF2WBso4&YM3Hg+pWn3uD7g-FcT2v zr#5VnfZHfu>L->H4&M2&ceT{@QmLqT_v2`LF@={eA2|(LH620NV6@E1F5nRX(mf3S zubY`?mGIco$wCdi zO8%30jv$P|hG<#2@fFZ{EK;-(6=BcquM9)|n~SmwUyWBzsMXUVGA9)xV43d0hy|Kns|Lc#^9xxdbQ?^MInp z4QF$>Wf6SWhY$Z{8;o(~~pF@$e&bYEK&o}4_UOSg~?s75M{J)Sm*s8FTg$C z7anq@*DgKRdn8&ZYkhXdxy$e`PM?5`PMhaz;L~aeJ1QO%2Tak?pi;t)We z5*`bq=i^B9OY*Uy^ATSX1F2whqWeTCpB?Tn7+goW(0qAQtxtS3fozCQl^H9uS_o0J z`MayC5Q?eFgmR0)4HvV}HTp6(1&Nh`Rb7OOf~uP9My2QCISt_JJIk8f#8xXO`uDbyyRlRg zlJQ*8GS-On)bEZZE%sXGU;*GIj?z7FZ8*3z6+IamruTQ>0+BVS1ER(746&n}G3Xj4 zcjtE$lnXfi(YG2h_<`Rp?}j!qnNhqg5_F|o;rAL`HZl^HEwejAG;6);WuA9ic3%EY zPOsFqUI^e|Z;LvA|HC9WyO2zmU6pX%lgOIkI)!X*SbU&t9EkT~qu_iOEbcze8O1Wg zqNDpLdk(G7rto*WE4JBOtVkC5KVv6_dQgun^rgjeq`>1AG!Y3#1weOv4monp*U|A2 z!jqE3elUoGAbkv3K`NSv`qc`*;h)Xo_x{=nw6ab?@nAz#*I; z&(jqjf9*&88|;cflw7$)%@IaJ6trz8LS)zw&xW05GYUE_dT`V-q=D^KAj{hZK2x63 zK-QXr6aAA8I8DkA@k1HiL|Rxmsq&fiPX27%1^<{k4fPO8>2$FUlfch^q8km?2C8s` zOJUJM~Tmuev%kP5nM zUaMQi^JTyEw5n|-PH7`&Cjb8Hmi3uE{i$C#fN)@E#E~Buzis5wqxS&^j>1hLhh%#P zmJ1RIkoPn3F8A6{Y`y7A$7&6lrAx}#a_X5Dfdp9o9`s7&O)jDfyim|*m?a|v9wYSCwU@`;{2}d#%6xA$ zJHSRGEwSP@Fm@}vq$Z>oK8O;36U4)b)gjs6-+mmmjI#Y6<1{uIJ;kdtptT*CcTtCd zSfKWAh67Iq?m;r?(nK%3hD)wI@O6JEbDdg9WSh`yUG4}G*J`r&&9Eo^O0q2h(f$~~ zR(#=bs8V=&pSLhp@N+m!N<@>|^Wn35U8QeZXwHCw))BWljG6OL7EaW(47c!eiv;ib zw_~INybBFR=NHb{J(XVvSl4=?R2IIV`=zfxvD8Aa1+Qw3EpIX<&m`S6la*pZ3V=eN z{}%d+ZR6BH_12im5bUtXJgWPSdTE4nsnvX+`%_drb!6M&_;HGioNKv+2)m#5VFc|@ zve6!JF%*~b_rXAG6gs^XqnICJ@gsKHUAvrxUd*w`EHv?EIKexEldq<6S-TRjFO#8g z66!%!lfrwL+787DwTX35Qg3&9zt5`ge&de^2Rs+0bC#-oOK80OMXPm-$fqmYgp1ba zBUfecO#ik=4dbV-37<0PJ8kJ}ru@Fa z2zE3fwrH*7S@m)ag|=kSaM(X1!AS7oQG^Jj5wQleP~KWZy=~wQWHlUj*}(0Xs~9Zc zqGjB?-?$hakA|NaS6q_jcBiGjHo5#rv`hUcfTfq8=@ehb@RpCK&$kR0sd|HZSdnO% zooVrlAbIw^&&{uzagsD3u+G!s?Q89lNhA`9 z$1F?2Sq-a!GxL{4(t)+^6Ag*@=*2jI8{ZdyzY3HD^T|ZEwFZTX-cm{u0#>CazY?sZ z!exwQY3x`s`*+)gz)FQV*Kbb0cFNtPeP9`8uh8nxnPdxOzL3s{1FAwDFRhKxDt_@q z`XW+nCJL|p5?vMdxE|I7Y_AujH!_fc`L}dO{SF0bD?`~L-QDVmYf6z4S{q3T${;&a zFePBRnc??Jn+JouREtN&a@@h!3xCY&=fCRBhu84tS!*nEFI?lxt7e@er{89gSGng=@2tXpmWZ3CB$B#O62=zjOl0_3q9K=oV$lWXG!3c#{d(8&Tnqbh z6EN-O=b2tiRb)FFP3KM2!m`=Vv)n)bW@mD;z-#jylgE?p(7=+bdp=GJyAOgBv&G-7 zS4{KPR0YUllK@n2A>9wl$X0;O;mmQr>cr7~=OSO>{=C3o75pnYvNiaDLna0Ic{^k_ zaw>qjnzVm#uvkr&2fBVk#f8v5!sDzp^ZIT9Yl) z{Qjbq@VTK+y72v=mGdDMI}P5irV)<$i3Cy zwQ*Q>>4a9`Z-@_^b;(~WIscue>1r%yWcAw0toK)8dH&b31mP!dK~uKRLXr9Rg=zic zBW8Lt8|4#GtvwiMmzj-BU+jZh3p@%Umbq@WT+xtBW&Wx*3=^s$E5+10+zHF$Pwee- z*l2J5pv}yb228~8{SnZY$&o3N@wRj~Tm=L?Q@$j)D9?YLgbQeB>1%Q&g=cB$S$IIv zv;c>ybXTN~@WW$m9EmqH{j~HdrP~70EP_0y+7@}3yqPR0*WXmN71S!;!fqm|Y$h=? zfqXDAx&oICOn=JJ0H2!UW6?{>0R9>7!iF-}+v-qxp3bsYjjZrWoRY-aOu033oDyWM zkVEw83zuZ!fio07q3+i^GFPY#=NA8AAU*8#Pa|eq&g|~R`;2x@*HH*OhO5pUAFVu1 z)hP?;?3bnk-nye8xLf@F657^O353o9TXaSU`@amp=8d)g4?fm7}T}+a`vyUjE5YlSne*_@EeF);S(a= zp=Ik(jy=sXdKvuo@K$21Dij5pG>!peofN(n<^rurF!eLk;h&$U zg9bJN>Af+)KDJ)%mB^rB-##Ql~9xR9wl8NDG);>~)>7K)WLAL!n6g2rSbI4Qf# z1KSWR>40(11#!`%eSAjoOCIG z;1FlmiiQzZS=y@=(+OQs<${&(MBpeJalI`zlC5@TNIjm>!uE(!v29>9X+$at*WC00 zU2Q0LwlqI-O;Dz+c=;>znh*#sx|k$0IpxmO#qx3r%Ex(|gdHibG9R<%#1nmf{4#iF zOa6T`yp{aa_S2@!bIUVW{aEA?e69TspW3(LdF2Ii&AKI3jql(lz4ebQmVw|24}EP~ z8){&U^%FDi^u%(WA%Evi#T#M#lbg_0h{@8eIDt7%3i0EX5looYDLYvrCDxn6g2lNa zTF<0y(6KpkO!3OUIIC;rRp6%CWlQpB{z-ul2x=JSVUzk=oV}A3xcKt|6E&bb`lE6y z=V7-;g6np6;j(xHx;hmWYnKuaxM*`^N)ULiQT$ zIMMa86fKs29ocuUo71|17&dYs*FQRpdf>rYMyazNby}Wi2A%2<@%hI%>h#0K2R|Fc zO4fGZl}(wtt}Hkh3d7<=R)7BD8PqxF=G#WgqGv)7&98d|1oLtUrSaL)!8h!$-hb+H zXiY0Q9=hheuwXr60nOZMM{fnSraHI}@7uEDeS?+p2QXJ`*<(B^y%;>`LEThs%kT(y z^U8hr&J2gE(-CAA67U1x%=OGE1wg;}rpuMhBVX+iM-z+4x&$GlGm3OVTQc zF6V1eHr`BV{)-BW6|3tJ-Vz()qT`x{brxz3evz<{(YJX->&x<^dHhS02+$> z`M;_$E-ssw|9Ys(q`x67yU+xj-lP6s5vpC+1~9MncVM0LaKI7if#i~zybE`1%saGT zQc27&7#tX%Q@)VputGm26cZ$BU?DP$V%-}mr~rtqr{fbIx=bmH_!~bOFgOlNS-L<< z+#x8%>y@}eSL_GZ>f;~j3|_~_df&D)&9ZnEN90C^zLjk?9-9>w-R0W>g4=b!&txBM9w=jmR9BY1`YS547Kz2 ztYSsrmfhU6g10Dg5Zn}+3K`)c8JKpTJ)%39F?PfaXx9yx4Y^*0OG`m%4RK`nws}!7 zV*S7rEX?pI`RDcLt=g!fQO(d+6&`PuvoC0NGV*h&$S(%4Eec}eYAW=8dd%};7+=mh z)z1&F47`O52#5Lvpd}30kK8k&{5-hSoS&7|WNAV3X6mggp}iudZdQQ?O9!5(ft=wn z_j*X+Aq=8^kA1-3SVbpDf>ib0F(vzmg4KM(A!xnZ1bjMsY$;jb06(-9lGP$$Rrvl; zo_ZGdY}5dVtO%(374l}fG%qIlZMuVgApGIM!N;U#`FFss`+=D-W}6VMjVzd+LJ_`t zCG@5bRwnbSa>=nDbt`<#XjAPK8IZ+;w)YizMbeTEbyS9tTa}W#MWR?O2UcJ>V@0oE zS%*8RJ_!*!h&Opj>P1t64k?}`Q+}X)xyNxEO6#t&#nkCggYOeD3oKqr1hhcur&n80 ziRONF{d~vrg=Hz`a4*?lMP*Z3;gc*N9E0XZR*A!2lqCLBkQ@RQ9xl|ZvKPg07<~zC z(^Mc?BZlf#e#8#sb4~(7KULb7Y=5OECA)3uT(Bo)Ry^Ht&Itb9q@Cvbih|h!9nQ;k z(@$p*+`;G-%Uk6nLEny7y?oAM{OMn++dexDIA^En_C*X$;+zi05#O-*ZaB)qWA_O< zk3BOv>P+O>5YOV-Ma77169BtS*G&`u676`mP12???-tQTuv;V-zwKvVGy+XzTjm_M zq$i(w>)LtrAy(uF>;$*1CptjwAB9=m!e+eQt?UJ1kbv84lHb*li$!7YSb>IAtaR}v z95+VB;TkDXz%~XWB^A#2x#ST%uCdP7fltbD{JLcBrk&WXE8`#AB05Z zciNFZ1$$^D&)^emsiduC+&+29iT;(EXlas2LFL;?g$XI{3u=eD!^aG(WKgpmXdNY^ z^ei6R5edzOVS9jxx(zBAqz_$(N`Gp zaxsI>PpA@fGTS15lN$FmUn%z34gAJ-0@aV5XfeT_f(qsUsedLqvT@t+Clh;$?@<3L z`;V1!>?6oj(B{(kf}!sB05Z5VuMZjh z1@Qyi&|4p&^gXuTs{GjSrj48fYwJc^y&7gT!dCBaTt$HLh=Fw}KW_3}oe11Rp>!(> zl2v3LZ(=CxgZVnog}=hQn$6mGk}7&Vg^Ln~Ua}m7YmEzQ3rgTNs1W*$Kq+y+Fz}VI zkg5v0KuCy2Ah0p;kPS&cA-o6Mmpv~dbyg>bVw`@8*%hHpqePBD2V=(IlFl0rGuz?x$W=xd{^sS2qoNAyppy9+Zn{0w50+)@`ngc z1QHeou?KP@|60D-B)D}E9`|$=G{I7V5Uy_BQ?K|54{6+_VfwwY7}2b3F^h4{K2ewFZyR%>1F+awB0K#$rgw>dHkP?wOOcBMMJpG<8xdhL}7J4BA%0=57 zBF08QHt8{ji^I3vIgX8KEVrst>N%x4uIADWT^bnURkl@xv(j*|$-C;7_(>EVgyo zUjC-gQArjt8T}QR+0>Y9RSn$ey7Vocs$iijX?mwJoq3X!a$n%(6;K=u|d@%C*_JYT>@nsRs z$=(Jv+7)+!ezMIC!380b!~1Q{leJQzb({mu+O&N&inB)vLgu zTsgQ<_``t9H~4h*sSX0IfYSk7dKP%69*`#5_LOId8~#G^mXRXcw9J-+@dpknxijr~ zioaR(91q+TDhb>jWyD30?C3rhlEXuE$l7wufVKCai?|;fe=%%}>TH$xVgTO=1HPN&AlkC24Fl}RRzF7Y-SKP1Tf2IrH z`!RV{Ffz+HGOE!fVwSw`Sc$r6;%3;|R zdbvr{I(RQoO$1NawqMC@202I*nMIeXCtWpIVlyl z=LZ%DP)!1atuG9YezEuQ(NdzDhZl`?hh?iKN|m>NQ4%{cEV9Ts;_K~VHXGWey$OnHTX-b#1kGL z5lhG!}1XA+ML&Lvy~npDY&QH z?R#hYRPMHdK&EeYuYl+teIkBd|3jE6kyCq+k zUQeRujO!Py2Wn~Ow7C?ch-!SucxkBd>yqr-k~Pf{ zkLlq3Dc>xBJq8=bP4nprn1nDTyZvOm(ZlngrhlQHi_(BmN%ZhmE^Cz&j$!rm+6-KJu4gA*`>|^g^&-L@0?PTw{zc@M^uEyXs)sy|;Vj08y&Sf&X$W`!#Zgij=;p?Oo8v;t&ZOyPw5U#>sk{CRob_A=ub z?lC<3I(%&#kfBe>KMzd0fnM7k)z*m02*Ou#lTv4}=@us=PdCEMEn8MCh1X}kk0aTU z<6pNZV~J0E&n11&&xH}|fk{eJ-6QuyBUsFC?Jqt({ULtr+-?3VO$V89>q-RLO!Ofo zq&+1CgLtQEg!!}|dZc3f*?JmsO^lBMbW}g&qN)vYy+d2KO@=#U?lubH0_{W+?6|K| zm`4a-Xzdg?dl%xB^6g!DFJEQu7c*$x2kT!4uN^=9Y<2YrL>Mw~{x;tEcJf!x%Sbnsbz+qeC8 z6McLgy{7osFRa-NbSpE%nEf&`I-afpaV_n8WcF_d0PIT%mj?Xrj``1bURAD8tEI&a zC!BiF{ zMRAi7ueZ@n_X8tPzP);%{d$S>HE!QCZbdW$mjjbX{$1gUHXR6!7LV^ytQj#Aoq`ipgHJ z)@+W-uRB^3USvO1`@Z)&Fed)-9r;w!XG2nUkRDM?b?z z8CHc#e76^ynPuGsFBGRU9`|K<(RHk4EK`h+J@OVfj zFRN>!S#hq5g653eUF+k_lLs4=nHE7pKo3)X<@M;((elHOH5jY&31ACtrCEn$K^Q;) zkNs&h^rIk)#On764R&Aoq=gqA3NpR6njYibeY{;F{S}7u@P~ZjB8USTE^b9qGaRRs zEcrj>8N0{Nf&gcMS}Ux^R!d-gHKBih_4K%`sOzT45(BN7k>!L8{1qzFN$ry|sI~8key9RP`rU?Qo>_Re!w zF6ZvECg3>(U<@*_Md}}jVbCU9U_gMC+nv-_2w_pKz*8>!W|3y?tWMJp@^B{25`FT=kq%+s2?O@m^K(rBD+fT zn}a+16B}A?JsY;gM)|k8m2uZ*DxU*3Lm@w*HuUX26PrBJ5b2C2Qcv%Gn~Z{wP&-vT zj?5RoS3DDJ&%+(-4-KRjj_%}o1dWA>AOD2nGzT;ixMkg>#x;Tzbe+Z>R@6q80g`il zA+=^;js-)@<9=(48$i9H?lr;ft$Olv`R->C_Y0k{4PlsUn^K7A6Y#Mbx2braMT%R> zr=3=|McLDs6}eiGO6U-LQH_>b(xzZ}0RXFN15Ra#6dZ^Ko<_t|-RrA0Way27bl@<- zX*|`4PzWiNh#_)k8<97H{i6M|VEk3(7>{=+FeBAyzjn)gJH|`cR=?z7byBMSb1#AV zqTRNPG}QYl*zylCL@Fl)?xAaLZm#58(YN_8)h~+j%g(Ln>K&fA7^4 zHE|3+Yku5NeEe{N^R%YlOp^B`WkBZ-tu8EFf9NFmHGYo>|PKc2DFJp-UdkcZi?J{ zm><`ev3=JR@56f<^k5MEJC^?_>FAr$xWQf(w#m)Fc|4#>-n!dq2ZFj+ z)+c->hnS=A7D$sn-+-)ucg-%SDXo7aSg92_u+iK04Kf!A0+Ym@*u7vy&dJOO9zz{d zhcT@AH9P%zaQ{?|6>Of7E%K>DkD%%Hh`v;$nUr6ST&jp545>$F`UEA}7F+&qlW`_H51O zi*j2*!i^F97sY`%%`4AHqq8xf@*=+tIGQ?_rJf}9p%0|DQqIa=g!v7&(ZOQ*{cnh6 zh5Mb{p=DBxuy!1ZVJ&5T< zj5rVsPh~Rqp8S9%o`k@4Jf^JEJ=c>(k&@Bu-Ec(w=F)*D*-yzInW22R#&;W<>ccG2 zXyv}!Z$!fn>4lnp6ZG7%QI5ateS70IaGZefkV$wlHCmXr1W;@g?O1!5YG(-X?TtJh zjAWf&Ge2#%Vi9cq$w3m7LbAgRTb9Hu#>bJM-iivP67l_Qvc2kYUT?A>O-yKttaGlP zG1k|0#WSiqn%Wc8knE&7$S;wVaHWJJdcn7c(UOZ)l+as4!4d@Ig-L57>ER(LRBdpL z_5QvrVB6R>WRNaqAi8vg%L^03w{Lvgt^^g33p;{GegLF5TD{l6ASbV;9@}iSPFL?4 z*Vi!Kv4~J$Py-Aa`);cHn4HuU36@_E0VwRu@njRQmQPNPKLqWE6=51+4EfkEHQ*L> zCMH<>qt37k4Y9{Q;|+mm18Wa@N5gEU@h#Mw(4^+Yz^C?Thg0F+6cN6uWd)-6=&O(M zaEMOxuR@j^Z}GB98t-&Z-3GOn#*6bD$`vHNPa^bnycX)cwNJi>3Vy8wW#27sV=H>^ zslLdlo%%CB({kDM&7t*Me2xR>C>iVu$>^ zyE2UF1DQ|lQ-qbbP-F55E$E5eRDMi<^!2Xq)rYfOG&{H$LqdgngM%XQG>P3htvQnZOgkOszVtS4 zAH%i*=n(_*m;``!f(rgaUf3SxA%A?co!8pk(5=k5@#hJ9fTh%-V!4Y)4%d){%8q!Q z2MKY=F4m<$yycG``?)h5Ir%9@HiGEZESyzjG4!qUgdGEDEW4}v?XEkTxw>(7J6}M4 zsK0xK-`5z=#dXVg>f=HyRp&`qOj+xmr1)4VeAzqjbgKj5YRle*;3?Z7+V#vrA` zIwCpDle@WNh-ELd!y>Zc9OT}hof;dC%!+?p1y^Vjh}||m+b9?!n1VBIn9(ikDZk6U z8$*CHqhe@8_?6o-o^Aoc1w(>7$o?s@leh~n1KNyWb)8v3f7nn#;q=L-ZG8!;1ZzeL<=eKQSf>2N|?Mm67tmh|AB`tl5IJB_2p^)>)U zPNRDAP_b#a^|X}3n8bTz32nhxi-?N6k#gg<2XMwg9TU_hu&Yw#`ITL z7v*nhnzR>4t57mw`VOPfWD&f-N ztWOYlsO@PPp={PCkIfi;EVLQ5RRxdZ4ls+i6q3Rt@4(d&!WIp<2R4fD)X&fnI0iWA zrT#)-itmab>tUpx8csqis1D1P)3db#wsVfn*Slx9%dC-!QEwvw%C$8QRjsb|oR4ut z7o*PloPuki@ED@YP*K8D#~^m-jdZ-D@p#!l%Gy&^^^Y_nln!a_pGkX9ECF?b^d+Zk znfH*cvq5^cULo?6#h2b&XGM8I7=58|>nS4|LKl^i(&omhpxgI6j79kqPPRLeqBxbx zOfI7exZ7zT($)n|duHWQi}?&fYb_#}&10^zc5sBOn z0RiCas$_985NkL8v`QUGwE7(xVGu(?E#ot(`haD4RTs5Iud7h!SnpNceIwC*z}zcd zR;4J^)$7eiF5J+3MLw37>zb1fu^d~UBK&Kjao8M*8n;pMeJ}Q=K78Fyn5s!8Z6oX7 z;kO8NM*2LeDE1_>+%Yy)&j93F3LtHA0FPR67B*wdLgA^tBSNGMc;K@#{|4fE0P`$b6Yeu_nUsB>fk4s*`k_Q$ z^%ncz_h%o4m4$V)r}gJ=J8@4lmv1t=VJR4V0I{+`S45Jz%?ELtD!GKjGE z+W}pq{LnYZ)F?gQTRd#k1u7)xZG& z7~<3$8M2>lvi0v%h0n|^v-`tlI72*sdPn}sRGf62FgrS>U#?qNPTGIDJq6@##?E)# z^gt2l$iI29QGaE!jxZh)XS&Le5S|ll2wCpzA;b)HJ1~ppEMWYIB-jG-`+wz7B)kn^ zR%~8_O|3YIi}A{Ls=KqAi(MeRbBJs_dKtLANx+%?O;j%HtJ=u>TL64$NFgDU{wp`;Fsm_Fup~C0u z$Y9&o#e|iy?5vjbOKO9>wQyPCv02gwB|Glq5a27zg zYDPC_SIJU1eF($8S>*h68>rv2{#B@GoK-M-~z2abCuzZ zLlRX_H};UZT}nrSpC^h|78+B1tDbsW+9^~(uDB%~XM0hth*vYQ=Y8V4z&=H7J?{St z0RH`dBAPc}?e?18q%FfTV=w`bk~NTDpyLzy)O{~GT{c#xa*(gEP%3vw173vpN=U2A zz|aVXqtDRzJ!}BW`A5sP39U3Z+xEk*uR%BPYU|hjt?6eRex}x|s;xy^v3mc*X{E=Xu(Sf9jPs*yhEOz;ORrbx?b6Epjw3vR(iMR zV{9d+vIL0p$AmWJ#QUiC$wsh*vpI#I!WA$r>d@)IQTWO+0vK&~sImx~HP#K#@wUhN zuS+X>j0f)nSke=g3oUSi&6c%0gebao^fv~v9{_Wx8I}N6X>8w(nESX1-k#{wBmL8@ zCq=I{%%Yj%DO{xv|GRU5;QnpPlrKw1EK#;$YzK|wyUav~Z`L|rr^n)+dRGU~7Tr*J z(Pk{owF%G_bmq^Ms2N9$bbT@+&IH(*PRpmmp8l3%{D4!9A~>d%>XEG$s>Dfn4syB_ z;R@q*a5gDo3lZ`+WA%>3BZp(EYn4FKDTZ>}8$kTFASiXTrQAMhe;CFrFZ}DpO!e>G z@qS=5QMk}u9ItjD8*{gY1Ef)ro>qu;=BzyI8h zbI$WR*Y%k9$NllR@?2_G921WW!0ijSx!ik$IFI*OiKjr`sMWaObGmRFzs>CV@}%5F~5aFF;(RbJP$&~uTaImobM;WL!@u2XW zjLVC#O9#JShWTAG;clvz*lIYj-U?%Kvww6lJ7uj~9boc&Jn!T8!T-EPA0eQZaxRb} z_U$KTVAR={QY@X95UlN#L1G7w=7oCfo1%=rds<>ewQM#fIf0&!=87^#V_p)b{NTnI z>v027Zl>>PmU0uj7o`mp5F-Gea{cw~ZT(+npDkuCVc+5DBOLyh^=tDemBj95-KrTE zo843`m>teRz4a*|VWwt|k&88HGuZs*hHJBEpsr0t#=p~zv(p*8>#msAid{0vO|mQ@ zp*WiDnC1k>Rs!+G2h4Ij{zy}|zW52v;~<|+uE6}W!+fsVImOyJQ_WvGPp>VeA`-_+ zv>8#eJ~4MV$uPsMg;8|m^o&*L_NMlBb%A8K9H;D@-QTE>p_}4KBuQ(PG2LywJ&`VT5&_exTmK1>$*B!DR;U1cYf)wGhed3Gq$kgt)6a6=nU0Z%GsM9&- zWo+H2flEmd6s!Rq(0&WS4==p(>n=3z1Bjun;@wH_zuUhnFI*{e zUlS`{F)Sxvit47pikjKZqHYooI5Z*g{TQv|1)g2A%cgFSZ*>eTygBUZJwx%URhPI$ z{^0!}7~|vMIWrxRba<}?RNbQg3pJ)Bp!!z}|IG0X)CLiU-AhTc?_b)`Kd`G=uhlFX z$mnC#7#B|p$7n+L?I( z=z4fE>9d=EI&j(8;GpdpxvKY8cu@CYPB(yB!Mxqtaxi2uuh1(s3c1<$fQxj;vo?-t7Rqg2F{h|4^U}_uC{^|0PR+rDV?P=%Lko9r0WbB&zxKjGBn>O!mYV)frj9@k5H zehwS2tNu;VY$yCSJV)hrFx6*0-6JQLmK#M;*!?P48|)SHq6lKk4%%lU{Excp#SU#k zV?!%rzqpUqus=e>?Wuo5{yg^VoHzm8kRH>gwg>LQSVwdJw)e!pX4J@gGp_IiJdT`5 zSZet7Q+S)(8qNnmbQ~K2SYmbP9fHp@d^~VdMM#Fhf^F$Qnh`1D5oFezCg5kvqmR{W zP+Yzl#C7nQi`DxtfltA|zX6hZ)!?QC&eNvJf0T`vKw;}D7I>Cq*Tb_!(BJ-UyKWm8 zS$FI8^V*iT1|lHVSR5)W%r=<2ihsYkPJV}L+-@zWwx`B{&Rkwgib0?* zG|72hca%ITmh^Df+VKOu{WHy=+!u(8Cmd^@e<_!g$R4Cm-ZIxus9gwI?)mi|3(c#| zH67gq6rrQxk8g;Z*|M`1?KIZM1>`gSvsoRA5atD3MOL!xa~eH@>Wd0zmoeMJIwdN* z5LB?!cLy4WMkfE%{B+rk56Q=ihY4xN-`wIRctH9nAuFz{0MAkJMQ?y9%@RH(h)ax@ z)`uQ=>_S9zL( zwZx>FK$ddqc$zf(w_OUl{N@sxLjNM><^BY5cL@nGa`Y_Igxzta>T~z`Ua=#?lwKmL5q;q@mTlC*t>V$?8hFxK?a%t zr{rSsJ{k0>`3Ei{J(&UZ?h%W9u6%UUSB+~vXB*(9cU+#v=LnVi((zgTaa+EaaJc05 zeaY?P1j9ozy9Y0Qo;Fo0`JPUJK?F6PKkxs~GB7aSs4}#FF<%smAFxPT#I5>u)Ork7 z{<`dipwlATBInSTUNqeES1H>Ri@}#1eFs;4s5E>LLaos8@7z!jRTGu+d}{Vh;3Fdg zu^JQEl#aeaMKXKNMb?6`f+4O`gF(rLkI%p@^c+HM(>$SWN(YmDE(X{RN@GwXu3h|9 z;&YOJ=9K#Y`yX^gy^}(43&{$VP3)1^NH2TG_myn9pBBvn3)!mY!tvz9BOxWw_QB=exi_&OH~49n!5{K1rT;ZU>u}h zQ9J|s^iJx)i4v=&Q*8S3%X$2nYSf&Ka-V$l=wk6wA0YS?!S|{qM4F<0V@FWf74PIw z2tLoX=i8g(s5Y@du|AMq0~ZGJh$wpB?a!P0EQgep_qGXkLNaB7rW+Uygj~{O%kwQx ze^RpAL+gt=@mAL-QIjHH>3npX`f zQo_D1RWbi#1T()b^1#P`3$H{pY0c)i;pr?@wMVoa6{C)>}$R8qmeITA0v5Y zpeo{qC_(7hPn&7spHk1wUBwYsg8qB6_B*LyaJOD!o9CO$flgg|j@NgzLMq2GPWw+D z{C(Jrb#M5Fx;uMgUaFhUKIMnrJw-sA(P^RgGh-Qx+;Nz=NKDP*Jj>B^Wr55 zCYSs#a>YD>B3=t2RsBD=GfOzhQ7yx|vQ!)*U}@RiZXx_>O6Njp#{jJs4^!qtdJqa( zuxbdss%q0LqbygEq|l=*<3i`+3NyQRG`-=g z36Lt%{Vy%6)!*4C@Zo>0rvI5Sra$=400Pn_yeW$gKfchd(~V{;+hsydX!)k!9e@6c zj^VA+Xn`Qu1u-4S&fEitmo-=A9p@>Y5S<;ZUojrrUu80IY-UGDcm04S$Z#LQo*0$d zC@H=DWr_=by0vm#=Wd1mr$rcTXfP`xk?4p)>ZGXn2=Km`nSBN*I(CQb3ss>}-xVMW z`P;?!Zk_$-b#fGa8)H1+$E6!j^e-hwV7#mx{&Ki@SX_%TxrgU-$@SiY4e-vFj42N+ zo`Pzr6qKc&r7tf~%m}M%iqqTsH>UQBiH?|kPkjx#(9#HTsI)F(lom5n2RkowMnJl-fmD-C5$PgtV)_t`{Xc+sONaT@_1+ z#o;nnN$oxv+$hyqOM67WxVE1{U+E&j-QK^9Zz;Sl>mhZtqYEX_>eP zb!m~OVtbO`>S@s%|1j$Uc=htl+Od%AG0y)nPQlNxBqh`jnEXBNKK1ebP*G2x>m}uQ z>fg@RE64~#P$yr6Bt7i*00%n^pEF{KtNHYj7EJ*+svh&3k)*#H9(4{{hQWSW2y8jq ziW1_Dz^i0?<%iy(d2Fvy(NNealwmvhiLzjGO)>AMdy~7$^9%9gk50GqFMhNXRG3sM z;K9Oh5Cd zM<8-q0SgnH@CS%2qaUp41_rM>T{<%HuEq#k5$DiPkX|G)v@Y+|KWWAxQG?kz|* z?+Z{4CbbC@i1vvw;Tht2b-0)HpR06%2~^0(t?|qMbn!MG)eBUZxNPN*WX1{g-@6|6 zUKaFR79_4Ev_-{Nv9BJ~FZaG4+d9ujFn{2G_lU{s$H9F$la2UzI|Z5Vyp~yYZFAcs z3GiGX-46!%z_FRa5JN}AQ#nxS)XjbB&(ngb*GPK~s(vbHoNEXry>D+uzISQHmsG{| zLOtO>5AHQv=?;HwkGOj46-}?KE62`2_A^y{t+s~}a<1ZAByB@~GOL*`BHy9Ac#d}y zFdjXqQL9?;Xsg6FF+sdCf==b39q{N@pa?tg>UDA%2(#TVVc!ql9M!m{FiaHT;_~`K!46xhMXihzdeM^%#-qbR<+_YlL!(yK@7Ljiq`>sea z3@*FZE~=-1M7!>(OfP_xL^rqh3s&L2J{<< zH&m4ScfgLa!&By_XtO<(b)%qc5iopG?fP=zCy&z3JvxS%aMi6k)yj-{g!sE9nGEIz zg=l*{NkSX9yolwh-kQ70D|2=wY}wl|o;LB!U%w#F7gpzy7TY>rTDvjT)i}b+xyDhUx6d>8X56#h2O-(WShk^8)eQM457f6p* zfwEMVuBa%;`{I%`Xg66N5?ss_cmg5z1-y*ft@v;rHVS|+*OKtiZPc3 z&i$W(j>`yp&Uv*4O3DPekLP&e`9i7*-*$yXYtE)WFnqCKn@G&ZDYNkzbBYUu3=^N< zg|CK44N8SP_!1fhW6Wa99sgM@RmCiI7Z>6SyR-xsCSLTcB#_7mq z#5JM9`wXYuC*kAO$OxL@c=ChPv&OE;+HO-Jd->bu+{s9M)082mdl%h*V64zdaix-FP;5Geowch$;`pf{tJ7U0|%?`T(th(R^UNDul ze^V{n;BC@DD~19VbgF-y%)9&dFFwbJ*PNvPbcN|k<4UlJ;Ol4-GG>eFQ&+Ng*(9IM zIodj~F=Wba_;!^Gm;o3l+Sw1gsCx*|Vd*<+I^iQs|5A>w~?R9?QI%`WM(FTIf22`fYm)`13hzBmu?3y*jmeCH?1g zLuF9^W?pwM(<{rIoQ4}ZgWj|I&t~pirHGp;9cV!om0=h7&-Xz{01s)+Su5&HS+Fz8 zO6v#k>MUCY?@>m36 zpS%S8EgB$xCqfi}>!%$n6(9Bn?%?)foar8!r2(1w5I){Azd;Eya4Bl}dMwXQijf>) zy=sXv+3mFJf&V^1=>PNYMsTPx_w&2?{98s=&U*TO)oz^fDc|EcWA}Tv9+sK+GM`*Q zJ)Qr8l}eWOinw%E9A6{yjOBt`160E33SJWfInp@bMZy)2(Fnd8kQcUu1Jx8;k@*I! z5z4!ZXi>0;Me)<&lGj5jKy< zB$gs)jsDTm>b5+qH8_>{gQs+`z%H#Ldx3vrc;MWnHWnm*cr07h6;t9N-S&%pgMN)IVwl(C&IlIA-f3Q}hUklmUDS*#Pf&TP{M;{&y*g`-dXy)9IyA#(A-|f06G1?OaKY9JLOg3 zHCPva(j-wiHzBNDdqQTUw)P~8L9^Vv!|RASuJ-LJv{X`|d*J5zK27oBSt~@xy2?U5 z=s*RWi{C<+!R`hWF+W0d9dVy%lupXapu!pRh-s&06zRw7ZO&*yMuik!~UN8kxIYe^G;zvsw+_)bD z7d2lz)L+b7LACvf5@;&fvPG6PVxK>Y->95i`EO@=@fN?- zz&hdIC)d`ayheH0Q%OQ#VB+L7UtPheU8DA}?jqX#gM%{MuidMI#eu(UUe4YE-W>(a z(Y`MINJo=tNSSTegfw^hi;`8v#@~g=?%J-L_=BEA=)Ki(rH^#yUTF>1lWKQL&7YF> zm7cm}FI2}S0psOkS!y%kr1ZL8Q5@f&mC>D&w1&t|d)H zHYZ??XbMX0D#^K0!(;rFCT6=5uzK%=9%@bX2#7eFKajKtW;}nQ2eX~y!p6kP;Ff$! zh}7}i*SAlt5V&6p;)}o6G|J#>ynNR{Xh%n2^B1IztFp`>&f_{Xl zwN}A0wypVto3pdC!|C$B#OQ;YX}_yK$5x(utvMCiggRvrEx>C?24|22Q87YdtWjA- z)RW}4)i;moP;Hz>hcC$`{WxLp1(ID#)RptP8=`A-2zfZl*_UdY zDa_e9|GBSBNvEK7tYr1QZC5MXg}7Y=2j!s{_cDOKsgtH88yUPy zE2|`nNz6($-)h|zQg5?+`{PB}!cft#$zs*);V|*f6d&T|AgAH7{ zk`|Bf?RKe)ZrDBp z?LWj5rS`tAW(1o_!|Ck0cGU5iq9skAw5w4s#z%REip=Qo8<@YC zN5Vi0ugZGXSHqs%(LyemjWIi2JN9Csz(x5Od%`J9^0KKAF^A$kJh+sv1ikalm&szb zuWVBgXS!FnGlB+(FNA?i6LwW_9gMZeewus?# z^1kLq9c+Q)VItKM)1IKlD<5JspI6XK(UFB3p5C3JIzOk!7-ghfj#Im*CI~@8pKnL$ zLMa(AR~&;$rR#4H{EgWOXe-Y8$MTU^Q8(@HYVqioIJW&ISf2XkdED2`!0m`P#>1-f z8pJFiQf{~H#&;`Gi>X4i`ci6gStm#^lwd3-db3!Jy-PXFpsL^C{Cv?IWOhG$qAXR1 z8M%XjwKA>_22psKfj$2touBV}UCj8GEXx-sYyJDB&on;@N3CcR{QacA_2(i} znNv3ESg)y8{E^_e7|aRN3n>%EDyD3VeR~d_SL3{qtG;w9=~PFBn(ucqJ{!`HZo)0@ zlPKP*GUv_Cny3g>K=T=k;AGYKjMGjeo&itOBVq5!JVm#kJhI0UUHUUqH&Aaz4U)Gk z7VhufTe~qk`l)9glBtYJbY~l+YLh%eB`&mGB*mkQQa%!nt3x&xk$M2D4}zewYf)L> zi59~_#G9S8cSa07rsiI4I=-o-@w=K-WWGax8(Ya&PQc77CqxvZ%57^`t0&ii!kzyX z^Cx%vC#Q^0AHtFG01gP%KZ`Pe#xr5&5X=<$<;(ZgnrKJnY1!(Hiu9a6N9G@#NI+RW znh?RaR^(Dt1Rn(LPbhj8n2 zpyS^Ah^lDGM*_{_1|k};$qQXb8;PLkhw$MP5vzfZodVUbW5rQLrcUw9*2SGOv( zkyLrNsm9(%BSC@}ae)v-(ckEr#5#<*s090IF*nyLS}ig3sQ5M(n^09O7JA*DELF7c z$llo~d~*L5-tVgmVqR2T^RA*d4kd|aVy;JQGjLx0__c5A%StLL@_)n$G!`Cl^cRZ~ zlmq7Q8rZ|Z6q_WlomQ|XFJpcP2zNFic4KZ*a+3APyT-~d-hmtT<9WcZXoQRb36f({===66Se%r}DTH#D_6x$dzl^(JK#~em}pRQyZ^RoLAZ2(t(N!6A;eVD9-7tYIhbP&eufoUxT4-rGp{E4CK}ZCTJdP+) z`ttqVHrlXxGA}QS01>CjsH`BlzW&^AxHw+>jW4BeREiZfX-g2WHPy?~7T}Z~!R-78 zSOug%-d@kK$opi65NQ6Za0Tl1@t(#tD=|uqzQ<|?eK;kiMSH_Wh_+7Dxt~Ttu72}h z4jkY+HiUXGU`8XG#3&2f9YdAoIW?R}SdR1ctDbU8Vx2k^-#Hj)#eVvEP_NE!EP<2b zOp>p~VJeEfRRG@OxB)ECyXWe%;5hi9wWn_UJ1>uY;5$4CBI$;E@g*z7o|fi=eMyd%K|h{|Bzi-UU6XU;R5mH|KsM2& z{5kbS9RTeFA9|MGJ~_r%Kn^^ZWtgBLc;qdpl3oBpDW0h!n=n}|6G7uh&iRb4z((Uw zZV-0)R|0O2=cH1W5iJjx%)rw3lzsIv((`H${M_pQ%c7N-?WC4Ab)5b_9S(JB*>5?# z`EIA(HZFy_{VclgXX{3}CezG$cJ4-!5^7V-ie=3G4UU2phqcM~{Ww<=ZhID8+u#l9j)b9}vU&+wwIyYDhB`CDBTF0uz&G(L3kg9y)^Dc8flFjomXXy~=Ejg>b? zeI{Mclggs%!W9PS#w4-pF*|-vPWq8_>MtZ5ux*ij(CMK~Yo9xg$LHy_1m5AxLo<*U zgV_RtRQWA9;usK}r=0svMop$sw}!^DerYBod=x=O`vk^0r&&JMt>pyF0y#QgydnDy zmJ(}WoHcVKGt$Grg`7Dt$PQsGLGu^fr&~u=?2n1FUJv87J0)P0QE$B~^g?8)wsq^B zQWJc3MI8EDAG)`+{yg#guB*9p4%(pI;K5X73z2R8Ko}Sa%P*SbK(D9@Z7`WK#r@4y z%9s@1&G`W{x$AZV)8#5`U++g4nNoaj(FnN60*3_9bnYFcir;rYNN59#Gq^M+r?R87 zKQ{;AxbbkKm0VOHDbUc~ROr&H*z`>O+A7}Wa=XU3U%339F!x&{w?iWMjh~ZhCjqYzZEh0+48}v)2vdZT-pW&! zvJd{h8f>2x-aY&p{(xy+x}t<@5r#D-|Bud&N%AqcSB@Bgx+`QMcXk?|xI*6Q;%!q#D!6 z&Fz(c!5dhQxLUH?#9lg&#@^GQM*lG+m-~x#B%VWQrAoAiBdKOatEn^%_zHJS`Y7V^ zH^IjK05Mb+*5WnTAtqSmQzn#G&eog4OEQb^joFLoi{i375X?;?HuW)Y)Gov zBVP{ZERaAQsewUWn11~o>~9IVVV{+MVpN6CZsj%ce0y>=sdu?iCac z`n0oxdJ*k3Gnp=(OV8BJ*~nUHX`zs+c}wZOaSu=A5ALh_5($~CZB+iJwHC@ckRHM7 zGipymBFv~hOWHd@uQR^%1V_yb9pW+>TV%U!a?SQF!rgFk=Of_duq$FFAqG)p6(EJZ zN+Q*25znHcWvZU%YCzaJXEoxgqA~^}r^9^jBowNL2fp6bW6`$K%WIEY zhrVjO7TwKAUm+#Dw25H#%JS=)zyz{wtsmn-yVF{!H-=3bL>f zV{c|P{>*Hs?Q9z69M<#nwGvQmG>-`fD&*#D5U%{<2{7=kEY1i}*#r(MyIojawLgYo z)`OESmg3GJ+W!_lfAA7|e;ScKs-Ha69N$&NxAl1<`c3Ongzp#r z`4V%DExj3o$ZAFwu6P16KXEQ??WhdLhWG!Q1(1nTd(y|MDV>mT2|*1a=%Ry2(i@=U z;E*f_pPWSmhHqBd{9OOU7aUK6clgxVWy8##%sQe%()k@LarE(Pg%3agIY?4$Gq~a^ zS>8F0G&!uj(S3cZ?H)P^EX#0i+6SD&1Hu$qE#}wyS5#^Elpy<=2xTpXBfIXp^!=Jp(C8yQwduic_#p@13T zBYjrc))jnzsEi#uI1%v}>cQx{Ef`rtOu!YS z9ry6NXWZ|7P#xvQVfNdF{ATAUpA(y-hLEkii)vdK+ewr~3%dknu^WwNZ7UmQ#u68V zd+Zw7c->%tzRY+UZ$Zd4LS9F!{{(wYVMryKh;or)HmzpdFB@8bo>Gjm^j%5-&ws*95T|)IAOQ<`}Chd))To=_I7D8@_XfMUz8d*z~_*#MZe|4OyMowPDEsa<5XpUL3LQpemK?JX z%|g5{6WH~|WLw+Sh=934N?_jDe`FH@Wys}#4-`%BN(XGDuYPcNi+8(uB1&3;Nq7F! z!#%s5-xEW0YEOsSC)?fl6Pd3OQ~fl1eop)by)sTgK6`4siU1Q`jfJ?g9kO~MP}w)} z^vhZiiFdvFw4)(TiXQS6uZ+e?^*a*xg7j(0<@BnTfvkbCTO>vaX7=*oiLbO@N1KFm z%8l!p=817BPUC8={NTvGeTYi}IXNp-Ngy_+GqvNBfb1vX-v&@#g=FHXrF0$Gji!%} zIke(gMBgmDZl)_fcXqf5Mvd7y;(CSX&KejSPzuj#QblE`2AV z-t5UVkM&v~R!1T+)ueHg;wmR`I~?{xaXE`*sTwKI?9z+ykRP#X?TQ{B^vgV(cmzW; z-#sgxtZ0p|h0Wvo)g(%BOm(Zb7`;HEr5UO5p5tV{;2MciDiaWJpJ-O7I-9iob>9J?(xWMF zVR#xlZe#br7)6Wh2aLAQJ4=+;V~8A5hN7<{D@;B@#{$&QeB7Vy|4NE-f07CK_2Y2I z250tAWGTtc`x|2sV5lLfb|A#-j{B?O_tlyc^Tpy&OA)cCFO4tsk$(OsWbZGJ41E40 z{4U%6_zVGCcHYU<=8Jq|P?GqXQVGyA7z(KI_(OMx;)_8%1c9pjC4SP%FJr|!l_pgD zrC1)F^qO|o8(F6$R396>`EgqWZF#Rv1Gi>gIw{GIX$=LOc*q-^G0)40JG^{gi=$1P zc4IWx6#E|;wO`GOZ_^a-M);8p*=H)e^f?n;B1>qlcu6^An0TF)WDR1@B{$^%FDdAR zdoC@};cc*V+bcaFNi@(PTjhH0kLdbH+XFr*Bk zqHVmB2dnA{YKIlcj#J&{$a;nfWW1vtG@M}T+%r9N-D9BTXh$y!`!wosq<+c>R2!L#@IJNEvcZ!KZZgY1R2a8YG|q0>h0>rLUO*Y z2)$6(4!Mu@NDta3pM9Xj*PPzUNyJ30+%?Z*;T{UCD;_+UK842>DYyX;w^AA3MotqX zCW5r)j_7A&AK2GH`VM&(=54`wNB=c43|iNw%y?lQ>7^fi?VYnPDt9R>tyHyzGy>iu z@#;QO-#X3Hka)6vO^m=T0u-u2Uxpfi-TT4Jzi-taWxWD&#ZW*1W!YP;v|2fG;9w5# z&t?5;SxEHG`@=C$Qse8{!u*iH!3WtrTxursxWZ0K5(GsfEdlEp$O-pcmX_a>@m;W7 zol&2s*C3Z%51Ol0Kt)tAVNIopP~7!m`C+X>t3vt1Y4ET1nVj#2N_xPqk5-Nm#@@wD?B+z|EG>% zX~YUsp2o}HLtBBJEQ*8oAAxDB&CAc4OfCxV9jYl}_?^k|!XU0wdPIOLCWF%RB;|L@ zEh`(R2Wy@TWr@7oIcXyDue#S^UHK7sD4gJklcwbFYJKv^(P;;bHhd(A zSqKxyVS7>1WJK-4HZ$h9==D*%;qnhs-tNFj81>4rN$v9eusnmNJ!K8X6b|iB4c5J? zWN-7wlYSiO-)vk@{fG1pDI&!qbfLbN{prstEv{dWzv zSiD$OdZ)B!^4C7#vwmzlK&{z=a)A23AHeNMZ9{0ehGP^u25k_&|!T|Rp z|1fYrm6Q=|hFc9u;5F5Xca&uQfe{UT5Q?}=%)XkwiQo9m!S&1w_NU0BCqFlGUu~JX z)@~lLRc&t=e#!N*h}^UlF5?3yy#e7gNkf^rs3S7sMW(mJFTxEbyqmJldtZ@Vx>pNP z{92q!-}j%GBQCSF55XDt*U-}6osC6s>zJpNlB~*@OicEBz-gg=+oZWeuPp^h+7gS= zY^Lclaq3I3EKjzQcAnZ*w67|B)h&cRT4f+=wsoUx7`l9Glu;mg&T=@$;u2OQG5>9| za;!PKS)E_r&_b*@r@bODw{wq-G>DBbkpwa>jM)B&2%MO+p~sF!`m3_l=Gsj<|Exq7 z6+BFkzfL?&XJ*3N*7e#MTKw;dT$TT3ZW$pqTFM8?30>-b{knr2qN?0{ghR0Al#ISp z%Nu@>5amxypjguqnAe`>?zM0$jFKk6JZRj1{S|dAn_zV3?5IK+Dm}kA%0BI`Ufkkf zm0Z8A{Y+58Wn~~s7*tj2;imhP7=4-dDpfgR&f~LAxHGjR!MHsa{Gh9t#B)$YTB@={ z75)dgpYHgidCr4acu*_0>RNdBPJpQF`-IVkxSUSV!SV^PoI7m4 zbW_Fq@8j|iKw6|3FIMzERM_e150a|d+C6lI_EQ9@!GEB)s!ct=A611rcd8|MIITUO z6S?YSCXy?TsSeuxfvnufT+eN{QSmZ)k|pGmB|-V)D*3PIK31O%wom}kgHn@>5lYl| z$#lt6jrP3l$$`n&@7iVWl~ggj&Rq6yW>@PU**B-Qq4HY`gNW8KgcRXO;sUBXPUl= zO?7Ev?BSkEVqZzMrqgqC(Lx%(w$PO`8^MXb19L&e zGpT5F(WMW5UC~I(~b@O0*Bwmk6RxL@B*y!fJv|zg6_-}x8 zqwDeB88_^l7M)A_m_N_D#B9b$)9fERsIvDeKk5yb#+Fakd~zytTzVNw2bN zL3=GEO=ut+yMJD_G=cZH-1$R~DSt_o(>$3F`T!z+e>X%1DU`ZE?Ke}ZFwAE@^ptfg z@{jP~-%8`0=F+hEZ9#=MdP5cUt%!w_RVMD{8ShmUWFb74{jyVprRcr(B>;C%mBR#< zATLv1(&ngiExnI@{Ph@F_CVJGXfo|#S`EvZ(wIGT;mg>s5)tCyZ)al(BPMM<3rVTr zdNZhC3XKD=DZ()PCA*%Ge{*8~m9JAI^kj51X3oGSs1f!EUU;Kej2?=9o<#(`Z7CdV zi4;LE4&-u$q1A^Lq#z5lRvtXA(hiIX1E*~Pcw{f$XK#YT9 zP=Qcl-T|TkO~kYhm`oE0ULzYNgIcUQ@GE5?Ns$B~VBj%oegpoOaR;Z$Fq%gcD(mm&5Qt$#y*4ym}Xb*c(8 z+7Ur_p6%#*z;hnyd!%0Tr=Ng@-F*_(Uq=%DFpnb({hEaBr3T`ltE;OtSbCVTKp4v9 zG29+F2pVD=af4s`Hiwf>h8uIsCY~Q}ah(;NU^_~N1-fH}SEQNGz}QKz#?a%I(1c*G zA4j-mz#Uy%Fyn9q*Eo*tv0^`VhF32s+uo~PZLeL`gdCDvF}|fa+oX|{^bsliMT0Cs zasJ&N_{OIBS}|&5>G>2xrD?n^e(MackZ>!&Tsy3K@X zxRYjZuihX>>uU4XuSOnGI5Grdc#`c?;<_L@sZ+gQv%w(&8X<3=x4oN-ujq*Q+VuQuwMzdh#RN{SyQ z?+Z}AA|97mCw<61@-)!1tVJ&t_+slDL+O{wMW&{Auq6mx_m9m2aRE5U@f+bIn#g-K z{C%;bMtxePsaM>dxqnND&_6(K9)9|uK}q9%w3t`5E^>mePJH#oi0N(|Y)@)xTVi87 zF#qs-z6jS9QQ9-y0L6u~BQpu;olo;7qfuM*pzU*pvTl>IJ1wQG=I=W$v9n1o(xH3k z=;}Gf+mC!eU!mjlS;?ufgj&f8!02lE7?t}*py*st!G#wI4r*I^ynD(nT@uClM8eIw zvlO(dYx2TnSImHf(iX@Q*dZd+mSYn(tX&e70gY#f8Sg2+!zx|Q^xL$Jh5ZN(k(Ag+ z-wL`1?`o+0x|{niLG`r;01#<0mMODtM|-wsdovHNyMHnwr^S?~qiyke_;oy+T|ApB zlJ=A*ca$5Y!3={q?WE6`QbMuaZ>r)oKk>dLg9*O3yWP4_MXXXoPV=NKW%ZphrK008 zCXL4~T&St_&-u6OWv)jLr!}vCTT`R9z8$?H+|^LccuI35%s`b~RTxnN8f3ITW0%V{j8}vryN#u$BAt-mF3q<7S-Hy}97L5P)MoGEZ;W5%K_J8z;I609Y>#SE!`?#Kdotb*>#2pM@G*xj3w-WS(bli4!V6# z+P*iMKC1Tu|<4y?bX%;O2+No zy$3T}%uY!&6o}u3OORT<>q)>FY|;N+nsgGMV}4ro$g%0(_F6Emd@!d-dsv`(W%&-{ zH9uv*YmI#vHT5Pfbn*~;|J_}~$d7#bk2NzspZYYd^ous7)r94#9Pc>23?wClg1I1M zfx5OeC9ZqL$y8a#dcIQ25-7Ydm+;2$q@DD>jdF3&Ks&A+%l;nb+9)iUb>0E3^V3Lz zC+q$tFZ))RY@MI_@`wbwj(o>Jc0;_<{h*E|-MxS0kY(ZdK_2E>?JbkD=5pSWiRqDN zx6Q-QyLPJr=1YtPm!Zkd)HXuQSO0htL0ST1Y|19T+m7R@SXbi%`U&h_s39lHe-DY z;g0l)?+wM9owjVQXz9=!aKEY&oH=Ag)06cac+8DRz8t2y9ip=lCn4IgwOMeK(*PqG z+090N=JXcd7lBqSYFg^|Ey=?h;eO9G9{x3&;hn!FUoFeMYf2^@^L3g#1OtUb$%v9d zU1h&;kknbfQLQfhKxq*!J6C^p9=d@`4gQ;l_zCkH_E0rhT9Vn?@fl!~^?zHyjtcJP za&d0xc4fM1i9XV(7EdU%wak}Ug&9k}3f1wsRf`-VD;N$VS5dZNks}_moKm~CxoTWx z%t=;S_F4>w{6#SX+|X@)o&|W}DN?+fiV0dQ>YkJCDMUg8Pfi`!`X&qsZdqsLhev%N z3P%JBNJGi!LSi)E(Z^PX-bziU7_=amZsAyv_GB^-liVz44sjUUa`_$T(YDY&85X+m zo#T_F_1!tEpp|pVyCROw05jVL^5DSWYZG7)_nb?*j-89Qqi|I>`hz>FdGN4gXf8p= zu;_p>Q#o}Z(uOmd$W@+Q$5#0-UhEI|Jl|2{?BLyA+ zj21ItOZZ8^cDULo9!DzD02h-L&dTK_S+-oI;|$kC7L&Zlcy*k-RospjEQZMb<(9~6 z+lRAS+)pV@)VZ&3Lo}*QLfk_m0%Rqp_CU9d5jF_N2Zgg%)O`&0-wki(u zHuwEjURE)6%r{*@x`xLZP9wkn2uU&!@ppuI?cW^=D&a+|~p~HDdR(jx~7b}n7!SXCmElgjQIEjI(>{DIjqWa_ER=<+<_IC~uN zT9dS#e&)~sf}Zfw_98^@O^;xnpV63gMXl0K@Yb4j^J8Td(|ID~_mPEvl3dEB#OTR7 zY)j8BgR8QYq-(mz3KN#A5VHr1E#E8>H4LQl<&mu~Z%|uIg6t#o{wo@e9Mmups(eEv zF_oZ&(ElXNi2AX!p}fj*kO^IQfCsCWwNnW5!l)yqL{8UI13^cIp$dk+>v3Oxp<)Js zNL0EBW^MHkp+G6AY_;aCc-;(seFECETv*^oj5;@2Z1xh{xu9#*WmfF5W4%vYeg1vk z_yZOn;~0q^@y?PdVNFpwW+2N*t)ufg;;;Zx! z@8EkO0zv4v5}VOX4HKN-t#3z?#N#Aa?7pADm`&id(UQAJ`TkiZeWj1>z(b6j_;OCw z|5K%Z4{R{UsK|$O$XU+hrtse%7|N!e7*s_rXwS!%=}?Z94;~*hec1G9ZG6kidZmZ= z6JeHpRrhs^b-%e_?152U&ZRi4_hhfu0K&HUcI>-P>d6L*1%W5`6fTP)f0HWKe;jB| zYlIQb<~Wt73ixy1g56iNAu>|NnBKCob;q|WhIx+S-FsCTc=w0H{T{%^H&?0w=+Ihp8X%duYu{C~mmexsk4-!IQVRfPRC?S;Y3>lY>-8$}8(p`Lhr@M9u zS7-~a=fA}b_ZFAM@O=Cg7)TKJz2L!CgedO9gYYR4x7*J@AeyS*cwz5zk*^fp!C9Z- zVv`uei%A-*hr-&F7B(FMFZ_&ha!^iV5i0R78Jp{V4^|yWltpNej+(~Ms2vw;;MQ>4 zXyzfLvU0w~{4E_VCGHemGykqVo>_vr9gtuE#RB4HVQ-D;Iz~u@MgWB;@nk?vd-wn- zrhP^xlw{Oo5&yP3+2v*^LtfHYy^PeuL!ID>NLU{O@0a^hY$Ghhqg7rx<9lF9l^F(y zfvCTj-oo!)Pvbndr>rrNBROmxv<`7m_tAe@3?3}1Qbcwcg{<-Y%2W>!8%bVnw%2%c z1F10TvxmV-z8W4{2RiEN?+qnIBV21P#O9QcD1K}R7b+2{bFVeA+>3D1^a?$@mM-@( z%yL9Ji@4=i(Z;IU8@T7W|AXOR!vgDdG}C@orK9P{CF?^q6oxurBtugF!T#EPmE|}S z4d(wgQXeJF{)*$I!eOjLaVupLMR}rmvWcR4$xc7#N2_ODyY-(BD?ZCWY|Jeve_-Bk zx;^JK$Q9+eVmsQMH%GcJIVsUTuDqY3s5#3^+<1Elj>eHb4x}8lKVjIq-FIC2iHV)f z;+N|cjYv!OEc4TGLx#2TG1MwQJ%p^W4Bq~| zEu+TZem*gB269ULPI@T7UwumFYyLKRB~Fl3i7sxS-u_`Ug^%1v`6r$B_?u>g{=$#w zSl@iiTA8o$K!%Hp#dq%Jcg%=YNt2(lLl2{wy%Y!Im=Nswp~y8)mJU`A;d%$)#a-VZI#Itj-XSHJO{YzH)8aO)XtN z8%knp{sMqPIickL$VA9q5VB#2q7c#~%Ntib1+S=MJk&(B9)rnxPTM%!`>`Tg2Sw-_ z_la2Y3m$-B*&S`A1S(}3gM$W!Yk=U4=_~Ix?{MJox*`hPo_zit8#R_#E<)qzr{9wMm zYO^*!S3P)JnC=Zu59YM$pSAG!{Nhkoa@Fc_vF1MyCP1AI(pWysXC?Ue3B-T&YFbaC zw)HLs#p3vr1P)(%Dn=6a?=L;*jUerFIgJ@q0*09FMN> z^s0yNs{dzC=$3qIPS``oI@8J< z|Mq)I{{Hw^;OJMKU1Z6hs}`?|-LkVk$VtPP$m~v(6q>zgC=YboRlXx2t|Aty2$#Ic z51@UDU<4FyT{bB ztHp@AFUbY?MTxvkhNFaS?*3LTU}KzTpXZgFA4!QTr+Zfi+s9kk+E5f|q`CJWPVA7M z9cwv$Y*%?=^RbgO5wc#(M~1UL{KfsHuIB>V&sQkiF!){+f%c*>`F=sUy+m8b42x*P z&g$G(jCj)J%~QOI+VN1Yw}bUojHgJ|{NerAK&ohM-n*K=_pSagZg$F!#nso=3O?xo z+s_WNTGQubp7n*|4VH>|1~t{EZ#>vn=A)oFu!`B{aDZCn=G2jnYcxZI!rB*JAnDnt;E}Desbz2{2*bXPG zLItg9Si{86E&Mt)PbRQ@*7xo)MR7yy28bBGJ=)83(V%0vw=I3TyAN~fWLha!r_0kc z+Dm_7g7Pm>T_zAhF+AV*Oa+Ti?OcnF-Ku5{r5?4vFTkz(4e^kl{mF2RhzQE$41tbs z`4p4kWq$7W`9f6pGjPAbPuOz!qxp8?8_wSeC8spK-#>p;T)F=G-QKYzmJI_kr^Mb2 zH&6;}7v@MMSV5rTuj&Nn=9@HY|4ySl%Yr&Ud_q2eV(uR%@H7GZaAP{+hNG|K?8RRu zxMQ_R<8%9d6QCp^6CYnTGKUJ=ii=CNYK1$>PE}6J4S=`{1;_ofyTb^P55aT?0 zx4btpknYe{>zv65#7nnz`uYS5RTwylYAP$NpyYnuCv?hUsMYD0x9j#+sdCas3~%4J z|FjAd1K~EC!lmo>=5h2t`@JT{2*1ZLhRmSAi*FrJNf9%IY#)mlcld1HNekXa4S3lo zW!bgfjo^mH9UY>J51OMb{}QTfc4Y4G?p6x0`1@<9o`~~tCThD#MB&?$U#R~z8#YNq z%B2|X2W;{mWDDfKS*f^umMtq?o*);!YkalEn=v~A5$qZQm*gumBilH z-kVBb=_L$0tTN?&?xA-+qH~%6xFSbiUMgm6iuGvGQH*o}=NERet`#LlE({!e*FI#~ zlq&5o+z9mHsliRl%E2cFFrVS-=SJ%&{-nUnNmi@Z{}}pSDCP}~6UNz3kQB#Ea#!SJ zBWM+sQb5Hm2AxsKIu#`U&@0^7sf$VMSm zY5eUo%akxU%CLn@tAwjB=+ysu$83*fnR@VAar!w+&$Bty?TAZZNLKHyu!UC66Z4$ z788uL&M6o3)t@{eq8L_}N*VHR99$CWht-gq;#9iPD?;ojZVz!8eCnqTmXfd$RF(Er z-x5g{Rn?%%>K%##q)PoSZ%YkJz-c&Bp-&bH+(K(Vn^Oov=c;4`ME_e$pMZwtlah7M zZkm8n4d#1MOWHUVM0>NzO80ie6X6TF-fQOycQ%4bj_p6||GFo(&FGsm$ZvI)O;xofi0Sq9}WeSYcV}| zSzdTTj{I`{eEUf;cZ+NClcM>ywXH>bKb$1&iO*PP|E|>4V%LKBxYfrSimIougg0?X zs5q4lqW|{=CvCe?UJW{dH=*@>p#uUJkY5G*sGTt1FVc`W=~K9Zq}(Uml$t&`~KwJQB&JhZ2VH&E4Qs` zbc|fz%bi|b$*t72GkPB@%t_(s0lBa_Ang{)M4ds)iW2VDMpZUB=g{2-U9U!*&Ajjnz3@_(QLnW z*ODFdfp@^=Yxt>%|10Q`mv(~HC_}p!-~_OOoLHNacGOKhy&&0L*&BuEwqL-aO|Bv0 z{_tag(RMsTh@L^~i9C!<=8D$c*o5Fqc~W17Yi!c*CdW_f_Lc}8@UCL4E;1lHpky5~@p#R$gZOYbBxY*hjWZ>6Z-7Pc8_4aelRMx29I;vy z4XRySCtTVIaMHXd;V?(o0qif1n(KfxXp|WdZJ_{1+)4rUB9%A4<0%o`y>xk!@e&#G zHHMdB^Oq{MyI8xxc&Ai$Vu1Nxrl4@f=>)8OX??*MFilJ=@Kf>%FO-elaem8&@?1(Z zwDgaSuVXy|rMotb>Oe8uXRp5p=QDIR)@m-Qa7WQllBkpnjx1oPSoSb*u(jA_7*U#( zAT~632!U-gW?~*VOj_D^X3Et4o>Oc8a|>Q>Yt6*Ad|C7KxQM8-gKuq4Ac1LkNQ(ot z_s?M+wpQr1t>2B*;uh~?NoAa&D~&9gMK*yKt(N4GBMnaT7bTU_PM{&nF)P{+?CKhZ zs4^elPuB-Nn@1auz_xQ0*~XMS(7bvx9~8)P9NloNxAyP*%3~n5aHD>_#Nfn596kYk zC!>Sq^xdtPN;JV&WH^vx7jt^FsPP}hl0GSs;gsu31SkVqoO?*VR8B0^RX$yi+ z3g)0PSfspvJ>&ZQ!FO7N5G(KG8x5>39>kWnhsUjc3N9;pO0&>5+7ep5ABK1 zj>>SVk>0-1+CfcxyncuxPTM z(Lz{Jb^n#*aH}ieXZgXM^^tlfuj-KanEd9YZ_|-}N;>MV{)qNH-h+qC14RRq6#?cg zjB5lu!EQ2BpaT}(Tgk21hXs?P%8>y90k}a5_S4wYiTe5mI*0JfO&y`5qmO-Q zPV0SEmU4#2>9^&6h5~hZ2y~t{kDJdo<7DfCygDmg^@i@;n+dyq8 zZ7ec$1z8dsL6j}1zUpuixVfH+M{orDqddimrn$jMM#Y;~ByawH>wiAN!ULq@X_fFz zl^b3-R~#Bv55k&%y}biRqFJHc5*VP_dfHgi_x44Bl0k)0K7~fz9={qm&~6i>n7`rn zFnz;vq|?}a{r9P+J;bJ_Ls$jRhxD%M~uv; zlPPFa0P5!)82|gh=Y>0O87k#Z-IiQbY%^P?|9#7RM>-rbKOb(i3+81q9s6yuuC5<| z8+JZ*?Zf@~0H|c}b~EVlxm(4!Mgich78Y5c9ab{hXrHptzt4@~z)*YrljbW$`f3bE zS(|0Gdc0UeuZH#Ft2pSpckjd_8oDOEQ3m@TQ~YDTA5YLTL+ErdzFu?ps3(~l7>iI> zglWrQSe>QSbx5cvQEk(wWzD)g``alG5)MIr zetJ1$9jQ(sKlhW*ARo7NLXA(aAJm2t^*GU}?B5jobNwF!{A-Rk6zJX>+Y*49vOA;e z_D_?)*;ZPDzVr!3F0M4#tq=|~8=W=KV~w9APn=QhInEKWuI~*#zi_Q1euLprclz#K z!C$K;kfO7}FGFOY(5cZBGz~9IuLwiX+Q}dE(RSz*V@}&dN)|8kO~d~;2;Xq0Lj$B3 z=&UimHhowOS{AR;JuM=9zXwa=$&klT(M?4w;$FNEAj@gDmBE;Hby2X|m9!c%D$H*# zxP-R#IbPv%pi3eo$Ep4u0RmLjcas$xr4_q~yoMiZR{@6^K6E@lx=^hu@=t!S2bjp+ z%7!)az2-lb|G(p4xT+V(_zCTyiq5dM7G){;OKvbZh>*9%*>2uLmM%E61%uR9vuIGRuyUfosWzU(Xo@m%3^L- z%UA@7f1jySF4w$H3T)8N8)g(aUx^?#@LHaEs=RD$J+WmK%nox!atiDV=NJ6`Ev|=l87NEHd^~N zVL(pdPN+{IuV2!UA|#CVTuu@QX3r@_^0zTx>gPvEA=9RDxJkhFkSm8niub z)Z*APhm1=E=LgV_vh=UHQo9Jo4^$GVTWMvkrLmQiSI0wa$8w~mw8Xs5ZGy;8Ha0fS zYqi?1N9%#44C-!UaU~nagHT1bow>@d$`oTeCLJEIIE%qANe5aFV+iKul?U<{psdf0 zr9||F03U075+N~`&Rd>?JJ6h?ly#|o4R)d{UF~d~V6rE+ zfEZNca%VveVcb;u&jCr7zU_5q#f9o={%yHG+}};9LfYZ;C6;M*w@S=?0{A^gnK~Nh z*Y0|VMx{Qyf~W2L3>PQcB`(}boVVJ=p-n?d(x+c6_h!qdjPHgj5wA~eJ1%VpH`7d{ zZ|&#+^J{6>$x+M+VF6OP4a@IU&}eJMX65J2gghB06<$!sn}voV!+YVRq@-Fmne!e+ zJ3$;K+-Tn&6}|hPIV2dNMjO(cLj@yHQ&OOs z?pLca=a;MQM$5Kc=xU0`+S>mE>$tleyw|4N;ht{-TGycNq8lj6d)d=7nY**8F{P7_ z^$Avhc9$d{eMnQ^%dH}&aAW3e8z4(2klFt zthFD{lcEc)!t~IeX9yO+z>OYmr_HhWi8xOoGS%1L5-?v&3a3LVSNJ-VM!{x>qRqN^ zrnCuhE48aZ2;aQATIgVqsBWs-i1HPaNMzJrOMOy#Wp^yz@vBq+hH%x*8zq1hjgXRhraQdwU$=F$K7q zCC93a++H4lljb^*7lUoE6)+TG!2s7gMQN`{UI)uu1#h5u{;eS`PVitchwNF`k?-2g z(E*y)rq2--&#bl|e?235*O!fW;GG09EPZ<2HCy+daBugd6h*PiH>@v|B3lgtA5#?lWw#}Q{xo($_c z^&e*Khm4L@ul%K$He*jl$yK3GO+0oTPc>_fJAdOqJUT@jIEY^m2`?SGUNuS4D`p{W+RPf6<3mM0j2J+I;*<^Ewzyk!ajS z|ApDyOS{Z-*Uir^R)(cR)&nM|DW_Pobz-LKEf)CK@zR6a$>Yz3j41Z6w%eG;Sy2b@ z;ai7KhUE8K(;KYMN&$ha=GdwH=mL71bDJvYnA_q5CdZ|uY4;l7#;0?m4fnDMukUq) z*igExrMIFNIjt`Wh2ka;HM8x)zxV#GVYSULWS&h_?QwR_wOd#a?s^Snt$9+&!{BKO zI33Sfzbt5nCylxlj8#|3KEk=-+nr?4v%TG@R}I>D?zvy9_%xdscN)p^vK?Z zOLl8FODdPC8TNhglLB4d!)R%Wv0NX-8;Ia73t=EBxy!s@Xu{pfBm6|6Giz1`Pe&7z zPWA=eMG}hC5)KS$EEE|(lDBC+PQs_MD3_o8>OSYTff7*4@)LFtA?7BQGSv#_8+*IM zhVkhpv3U!bEYB_V2v1++bF%t?ask6niB=Gth<-!NUT)&Dlb7}i6D0WyAiw3zO4rRd z))|I?_OH>c$P>%c|8qhJqYfEsi$dOi5A;5Qz`8*-8iJ1rpNVXymOvMtMjOv}>TwRW z3v=;;^l#xPmVAz(VU!R6L=%P0O#RWwmmZNhO<-bH?f0i_g*sLk*DeW{KP=#uhf<9# z*LSVzppYCEu1SzM87?q-_3Lyfb?Ra}f1mNZT@lM~`&0pQld>CTyr6SgI!3SV_OQhJ z{V2fj8F(4m_lFpmBgO*sj(`oNBjmqCF z0pzzZlh#gJK8iL?ddV-6tQ40Lg}fESwznt~v+2HmV%TszVlH;Z1g^UqAdlX#J4|Xj z`|$g$!bA)nS zLRfjKj~5+=my)oTPn#HCMz|+67}`&QAXYafTM`i_rvmD72am)>PIFDZh!%#HjFAUw zDKfT!Vx4~q+5hKnqqML+2Tj%=L0qr*zcjOH5)75H^`(mvLxORL*fK=`!urImD=02B zsa}PVXIiI|Y7TNaqsin0D$W`wRL%x-Ee3RZ5PKyJw)i12M+hs0k)q?2B8Ep4X4I1t zsoLzuW{c_>kjb8JII*d%HcZlb03zdQV{*EB=*M*|^{$xIPcIx^M*iGDfPJCSM(6Y@ z5Lwh+~}!FuMzFsF3=Ew1C`r9{OC0aG&~YM3sBzHV#TZ6i6W zE&FNig0raSZ-uiY-SS)rjK@Ik?rKIg5z^)j8>kz3M}L{1p!2Mk_?QVsWUhX|vUor| zn)X1Jn@{hEThb$%8+pBzQ_`L-yJW<2P#Ig_ zy;M#S;VpxTZF{*_H7JlyIc^LWhV_VipU_2y!+$*key> zDc+cXQwQ}svh`Xfj*z>z(zD=uLyHe; z6KyxuR<%eVMP%*P1&J%5B8wJo>8oEjmxFP{w`2k>_@?O<`M6{+O&4mcCUQ5OXb(R1 z)6ELymf8|7@_R^78=0(Vw;fAhQ+1EjaKxU3pR1{RcT`as9eEBZ3iLtp3p(MSg;DxaVV6eI)4Wwg25%Oi^KaWlt+2Wu9WphAqj&KuR9} zH|$>qEeXuN8P~6w?o584C_Slczu7gG98d+thiwa8_YP@Am~V1-W={DBdB2xZm5@9H+hD&0$F; zPB*C=L&sP9nJ_iEwYXLayYy}YUi1BN9A6QfEBm9g{z2z;n3sE3jcyr5f8Z`=W!n6KbPG z&;Arx9j!J<1$5_Ci5tU=A^w5B*Kpa|r@xtBQ^&|Xo8{-@&H5HW zR69xjCv+}S!W0UKn9WZTFku9EgTaX?oleL}+phQJWkW~X5dax*wW<65X-oLChM|Ra zkfYA}p@sD%aO|>VLz{L>vtuhuk__1|3Fg(55cfV~UJ$t1wVKT-KSfj=^jl{3BJDkw zk9f(u_k_dWcz7J0Y{c1H;|ArnyQy?j`>}_j2a$CPETk~B+Gz!au6knd4()}SFQ3UA zLNe)Mp28}Oq}iMF%krO-an(JjwH^>I9Aj^Z%Q?(8xqigd&)^KAaQijaktyG)l;88g zS&PD71=K0|hsj!wbCvs#ZbjxC7Xx%GGi3xcKnTKHW{ze@Zl<#g2Fux9OrQ?7mlLC;fz5#&o9PGCyI-lt7(U6_#ku_LPZH z+J>#0lyW6639Tyo^LLXtTH*9y2t+rb-wt9s?BsMemk8DG7W;E<1VYHvNYz{5ir;4Z zgblf#c^f>awXZVL+3~&{So=}TnoSpNdNaHezqxfmOZk-6@=srKqp!wLM>L5;bymCC z=Bvuwe7vqGnmf7qK$!MqrCd}wS@&d?wW>tp-h9c1KGSjs&pc$4Y5L$Q@WI!4xkmTb z46(%67QwO6AKC3r)FnW=yK_1!f;wOaxF8c==PmwNF4%xrKGVYx)V9K8kBN_t+!_4U zcI2JYuqqSRs5rzM+H_9gqd4JKz= z79hU&w&7BP)m;^NAcHillycb{YOtcaxTsy{AU%vXZsJHkDEn|T&w_K)=P{?O?~w;o z!`)0SUn1#K;ht?Qo7>8r1Ahs29~%-|se9l)urTuJVx;Gn;f_o@@Sv5xXafh_MJvXA z%itP|+&1~%mhf|i#X-MFDdJNYR> zoRo6wN;{Qw9gxFi6)h_JtS^d5c=^1?PiE+_voEVZnzz50iz~^GVioQpzmZp}TJvk7 zwPs@6TY-@_5UB+KdAsKQcYBGE#K=;`;QTzAX!hnI9-YJ&zNe15*hQ`+o$YuSnAduA z77rKU5Y(k5DHmaRdi;y1SloZl0FrSpXQ$!|>7^vrC$0cdl`7{{r&Oq;$#2QV$gx@B zrM?v@+hm}U6Py6bWnKO|Ya zQc3L#631PW)t~G2q@G+8g{NYQ_q7Fsy zy0%$dj>8mi5-JfO{J~?Tnq`h2%hWPbR`G{${8!bvY}|?-=^Xtg%vf9@L(mN+8pAx} z7S{n{i3$Vwk!QZ0dx!UkJPjbZjwe-tTv7NyVx?BYuRei^nAst>mtwgzy}7BEDSBo$E~5qT1(A% z*im9%t3CYODbzV#m(fS;%)K;0v0Wh6KjBvvO#O*q4ObO$cjKStml3u2mepY-%1bZa zK6Jk5w{k*{mhh328IbT3QDMMwf_>6&MO(1N+Pm%Y>uHq&E;GK$;rf&sH~k40JS^q0 zj`Ql+C95#r9DNp|%<$mT9_gauqDo5zeZq~H|E$vvCMB!x5Hp#9tWOhn_o{pBdF2NG zQ^s!I2Y@6$V0F(#s+i#D-i*cWsd_2f<6ZZW`L4@?3U3JY+T-OVjO#s+Ja$@wwQAw5 zO9y`a1o1u~)elNB#>@Spm$<8LxYD?T@p@w&$NN>)UPpX#yYgwD5#I$RWEYa?`LMiPsRdI`&Z@PolpliOX({!BDBrd7fWfIRRe)mHoUv--6X#Z*FhM23N z=I3?|BlO}s?21eZ5LowS$wuX#h$~5SuRE@pVcNLn-6_xTyFn9^M&dIcOp<+4M>qG= zgu7W-}6%I|^ zZ3c?IejeZtnwbL)dbh|^9`iH9MAy`Y+hyTT#pkZOx^@nLK`^@FvUu&!sY)a#hB|YCbcU?}1x@OI zKJU037L~_h@LQcILEMk5g||zTu7Z&~5_)|MAa%tz%Eav6vRULrCQJL)YBj?*W^ikW z;1Bo6GjX;H6zp+dA06Te%^plc>FQb@t+Wj;*4rk{wH>++_Qld3aK!dV4Z#hv4ssX# z#p?+LuhRSVBlMvX=4P8ig9&bTWfo~8>nEJ?CKV8?J3rW?{2ovl&4NS1 z!HeqT5A3fG6=o&6yPNTCO~K~Pc68@(1n!%mc5X0_|JV)CAY~o@>GAW2B~ey?3e58! zUPshBrfNHWAb8_qvX?-atbNK*s=z%oUvr8I&ce%dtKTbVAu~-NJN2SHHAk`eSD)$zCqU0xf^EG!cn*ii$L7>ThHQuM*5Ee6^2#I|ejhmSMdZj?^wAKOnZ=BKh-)Fhb5KsIb5q2Z(1w8U&rW3V42aw{;K1tRAyZsr9roq{S?d))K(w z2g{??rEqLqE9I($G*$u3NPGC5@(e3djkv2~K=2ngd_%(wLvd6UOWY@J?)G_i@ceVz zv4NE4=up9nVNk%w(Ube&px=e9#8dl<%3s&;Abeis`_fdH9}Xd%^49On;*dA5b@*_s z96o$J{Hh2_7h{h8q3@Hu#moBn#se2OnFrrhA>AYWlQ`t|gsvnpdUaYw zqeM4;TagpCO`ZzKCh@`-G9y5QtddfTmadPwo|iUOb40-7PNNZ_*ne+-vKF}W!J2|9 zrf&w(1nq}uNX4*6%M`iAt4)t>2TTw>GJYY^$L-sUX#k7CePh!HNR|rFvB;lU)`lf# z)o#G_W+H2CaY`s#Im~PH(Z+~I+PCh9S9eK*{PJt>20UG&F^#Xt60$CAH{uzV(&)&? zv>u*jHMS~nN84R@K9TT_QYK5N?Ro#;0Z7#je5m!7RzWCgM$=v_*+(7JB%Igngpk0) z?EX!`Es}x;BB36=Ew+SfQ?L@)89cil1ARph<38jL6Tw$G`I^w3#dGk^p{2xB0tgZT zJ$So0W>u=@9zCN8P)ST1qHeV#wI^HUsAT#fCNY)LFr?pbN!{Ig2Q4OK&rLYsQNI?1 z_#7-Ow3UBiN{Ma#Kz5s;0ZM6ouFfA4t%^+?W&~6Fs^hvZRYR$l@E-aVFCri;7nz_yx;b9_rUxKQcU zg0;TfVw)NWPslT%zmA*A{&a!*J)Wb^lg$L zZmQK9Eh7!WmW|-4tQY)NC`1&VPE4P?+AVI$<_STE$}d{$n!ogg7oEKYW8z90*pM!0eCUnu^r2Ex zy41LUW}Y>l=LY*m7ziL<>djO@J7MIrAQ17ayf*@@KSkv03!cD|1I82UaAQ>u0@5~| z@oc*PEVxjocEsoGGVGb2ctipeZcnFKr^-@xJ(0Y2^ zl^2-bbM?- zl|ge6F!vhbarX+r*+G+pP&GSphY(K;C*WR~M4Wj;L|wKxQvYT=+A0s*mC&EV0$gbK z(}fg$tK*RFxiIU9J(IgnPmDU6*5Ox?qNdnKn#(iM0om4UgzM+xs}Vw?+O%>V05*acdbI`4nqy4=5m-n-Mf5WKMLhguwxf>{oi(6eY`3(yDP!xpdjnRkn`vmCk%iRD}-&0AS= z6p4TeQ_pGZ4^!I2;xqtU*|IQWj%ZS2?+FAwe^LtBz!dnYO!Yo8Mvt$_fb&dh79#S{ z$!6F()b8R-M@8n*sCVZ zH&m8Qn-+vzar;(dl*{|wg0w?hd%e;R!oX~EL)W0J2D{;6s|I|AYulFVQUHT8a;m)6 zTM1`=thD_uYQJWc#a~@?qfH&{Y^lLEz~G2C#ZSQAuve}e6=!e2ldF89)Ty-6#};|H zkkEOV#b;kJf^c)L@gE_lO>Hh^Krg7Rl4l;XTgKh|{z=uK#csiAo!&@g>cnY%e70jy z^OO)VAQCZ8oT^ga}dqG!#QQV85`WJi?tZjxq1o_?$=rWA0S2@K_GW` z%C^9jr7ZsS&`dUWdP*um{EwSs~rlNc;NNt`BP;hz%;mJ-s^;q~aqsRg{+w{G4n7{j@ha5TW4C<(k;*N=P-= zwN$lv@N_8mMRtQtKeqYtBg*Id*_xkZpnl)=t`@+!7Do6aiL83+QoG6QbI+oIwDx&~ zeZ)3*FpAek~IyF)9R!o_9+_v8-psvczrvUjg7Ox zIjf0Oo~*$PR&LqrhJap)Xyc`WfNFC;**=_4-Q9HFbC^rjjz4+2)9d#?5Z5?A(J|B& z^X${_fE}v!FZLuMJMCd3Ek7%ILJKJ6x;3aPu5e97D)eSL?i9E-vJN~a?`CWDI%Ct2 zQj%EaTODruHU*DJwrhv*f15DHXfKANd4Arya@+rU1eRI4T3Ud-_Z>^^m2Shds@k3~ z)b6j2MN+TPBQl=)cLgEx?IT$2IN#Mh+U}^LzpQ6cPiqn0D(O=p;ls5YSlSyrq5*9>bOd(eqJ(LRCaCU3C9M(qeaA{T@p-OXzUB@-lgZp@*{& z6qG6`?mHy5PUuWlYQm!Ti8}{qTw^kNz27Xmdn+F%ko2M%D(EJ)TtIin9)eg;ll<~D zt8y?sly;N*!)W_fnI_y$F8CMM+;2^Kiqh}>+>_(l-4^i|3;=yIX*}a)KD%y8fluiL zODnukQg^L+@h3I)v8M_PVdrbTswm>YH=`cC`Cuu*Nu%)~g<5ZilR9>Skv1PKG?7FLbY{4_d44bZhHlpm;b!Vb%1-FH`5NZlP4H<#MV< z`A3B$cP8^_EXXR&&YO-ancTaT0&Y|$0m5|WabE@)t>wbnTcPuqirexiXO`V#jsQRraHpIykZ99m-Eh;6O;XcievT5i;b_7p#nJ$76WvRChkH7*}= zIvq#ig|C}y)={~h<7|zqzV`6M0ICmiEzDDqnIP99Y6&8}sVh5$PNfJ%mV|xBt;0j@ z;^1Uj8p^+kufS0z;*6>y*08Q;!TVHBk%sO329!@E-0VzOZ4rI`OX=i`YB{yogZw92 zBERI(RKL06Tf-F4@^?F0J**(LWioGKYF#S;5;J80@MVr*@D!+RKiU?oMh9mu_Ag}W zOid3XM&{e$OB&$Dq?w35_gwA+LP;|K3n+{|np@ei&E3}MX-Rb~(T=V`SFCHUz5a-< z_h)GtA*qj>E0SE+e4zTzKJRdEpU9PgUr9qhFJc|vgw`g`IP=!=m@F)|^Ozl6)&D_O z>18y(ox5yz5Oux1m0=J|FeSgqcyxx-C$1M^@-!NSThaS9spF$P6xCMmP40B2zpr?q zWsM0f)6+c$Mkm;OGS4;3+UoNi)h{z5rr_F71ZH+wr4irKK@;4Tpj6kl)lD*VRiqB2Rn&F{~8rw%Q8{eii;~1`M>|SPrE*kg3k;}$d zjFVN3!x=b&mr+d1a>!MjGrjsHJ6%uQ&2-v#5u!`9Z6WaXxQ^fXnB8GM4g&k)lkXaG zx8oLrNIkJVFb0*fi3Mu&x|8Eu zqO6|TMIDr0werf0%5UIVlf7>%_=!{cv&nB>lo50oxM4MVINh0ZN@x|rqrL;ZIsn6R z!SRxfB4<82aQL{CXmg_LVdKFH)UAsfQ5M%&`^)y%t^e&J;nBiAS+7Q_QZb>Yo1tc? z@5c~1iHmin)>S(Q(MpTN^*y$Na84j5}gv-m`&hYNy$cq?vv*r0KWkk`~icmCm-O`ow#**MJr6=jnV5s4o zw~}{&>vIge{XYEDv>Gy&tKP~-J5iC9&01KyuVnF7#V52o{sprr(xcFT1ZwG6{8XDm zf`SvcBz4k`S8=&xr*p0V9R&f=*}(GXQJdRX^PF1V(#NBp*X>@x%BFrIbp6Q!^{_q; zrVc57qO;`;Pl4|BKAd0q=^3iGwP^6YnZhBVE)OVRvA$Pp7(})r@G7XtBI_mh^x(2H z{qElL4+-;@(mI{~C*`*&m=y}bQXg8YQ%$3b$I|K6rHQBYncLjy5$8?5b`qxbc$lyF z*(IfeA=|6vvq9nN`4u*Ud1)@)i1}xy%z%YH=PbzEg{aFRD_~;u*au{dP`Re#FXrG5 z#HAl(Z)wbjqBZ0|B76nf6fZk!@pAX9_F#;IT{}62ZPL?$^Np8{or>R|ARv^r^6TDn zZ)paK;^cR^V31^i)O8_UZx?8ZZqD&KQEU=4vU{Ls0h?fJ*W0)|CXY_^tueJu(pxKa zp+(>7q?1Wj#4h5o1iiE08od;R-16bRGLbxApvGdHJ;l9_F@Aa(Gbia++$41KwGMWJ zAi!9i#x{Cv6>`~wYc-P4=^0^iCiSU%jBPjz&!93&7L3B(Hrk8jpZp7n+{12XJTxmF|!nO1c|qct<~v-{1QOYq4O>touHD@3Z&0_O-90H0tRCcBw5m zspf~qwuVdQuAOSD%)b;)g^SC0ZQ9t87X$h4b)9db?w!f0Jx@ z72@oi*WM&ij}~ISxNCSTb(el5wOqq%tMuk3nX%%cqUt5EUI$DYcG%DyY|4(#y#Iyh z`>#yv5D$*+_O^B76i9-!89~D{2I)A!ca>@dhTw$)HC2{52|nWDmKh03hd_YtdfSjDzH~H>C3UViVmngGh>WanSI;-LGzg^ zSi+^hwwB&t!x7eT2?nAFqGS?Tu-9Cy5EW;7gru;wVV={gP@N^m3`k)`S`?#rF$%;$$q7NRA#pwIs8<|pq*BYyW(7Bpb;02e~RMwFw}$SnwL9@!)vK~&w? zfLLW!o#}_bq$J2v!}A&B8HKYhDsvaAYcHv>n5LZFjEq9{U}dCcAZpsGE_^0Hw^9|F zp3SqN8X!ZqM86}}E<5`$fvZ&J~+gchpm<9-jXWtL<&y0`!*y{5de|G%wX%#nHm|j2Xpz5iG-?e%(vD zetQ62PfjDHqX19Le&`jRjq@TrVM;Otm7yYTk4js$!7!iZP8;M9`!K;VVP~Jwhm3DE z!^YX@2C{u=A;KW3lymJo@M04plH#Tw=3v8{=&q2Oy(Et~wbc`GKv&m<7Vpi{O=G zy_`(YcVH#5@qE6XGU(j#LGQd#TC&s4B+$DzM<&SCbmx&DXWPTzv)$>LRd z!V51^s77w5G0F*sbmhYNmTla8;J*J$gk-*EjkP2Jl?AMvJbT}05yiI#^`#!x*OO0S zgoeG!gvrc?nqS5N-w`4R%{UjJ%nwHfZ0b*h3vqWd4dzsI4md|nIFPpk&6QTrUr(-N zv+=CrgI~~#P1?UL%sv1>^m-K(!5tgf3k|26;l(vqv8~INBM2{=Pi})%27~^L+xwIM^ z6Dg&q#prD;SYNumSNi6`S4*({ygFeBjNJzjEM8OTdCO(50vPM-l0$hjwjRnE5Ra|Q z*y;$Q>0x0xcqlCS?~rGn%yNj@ioIMIT_|FYe2gjnrl+gf?AHS?cZVF75aj37*dl_E z$p*RT$?&s+I?^6{{x(b(bFG(njy38mr9EwBz+`aXazMAfSf1lht3Sj*)t_&1zp#X4 zAKW@q*c%Li*&GUvp$iBC2|pyK-gGH@=I7Vevpo#Yj^Rh2T{?U7 ztybvP_BNn4Q|9n!G!C5-<_bHApP1}HR%xP(v#IWvCOjv`=8cARwx5;G6-#^&!OB^` z&^D;eDhfItdibL6!5*HFug^BFy=gt`GX#rw&n_3|p}i`#^&veROD(!!rg2lcwE+94 z-@VX|stup7hP=}|uJj`Pfs&gmsi2_fE-3yYddj3U9IlI{rDY~coKg;TEO2R^-ZPi% zAg_%jF3539P5jF>;12aG0(;zbxj(TEfhFOW(0bP$ed^{rbsQo+#Fq*dMVZ=aY5&&% z!$nLdJ5w=YB3-0kRFfVkocE{-^uh}^5{tTN7uy8r?^7)JiVE#ALhBnWp;AVgAKR@+ zjIJJgW>kEfw0NV$MS>@M#xYcUcjOmWq1P=cc;LYgNJ#5FfL^h@2FJpqumeiyUSC9w zuE4PgWW>FbKcw3>PmtFfNmbncsd4GkkHQh!0BM~Z!ud9Yz`uK{2&L>XI59qtL}5$7-_m3{GUx;$2=lA({bER zOTCPOUXNcp1vd{%FyIjeo!+zC4wy0rhKI5>f+|(;zCNkR&_85fG)OS*Shh=30FQ3E z2-!~n-&R?n(pg8&t8~TVzRqt`A4I%QSkRj#JYCG;ah~o`1XvG2aeUFy^G66(H`md8 z7O)iV1PF2PJvV<|==8f!nqwuV@{UBduwZh?qa1ag!^))&7llUQ?a1L8&|ZeAu%5@& z6rZ@p*_scZo4pqGN2Ge>G=$nRZU}7M0mf5%*k2y6(wqLC@o>+*@AmZjz2Zo@1QE-# z5e@J-#*>JBE=xONubiuveOKpO3~;FjoV9j*Q3 zn}nkFc}Bo`jrMQU==Q> z9VTN<_4$%i{XOr`QXG^S>qW#NTnVtt*tC4ho@SLhAXQT6j{^Vc9I-)~T@_R zv~P$PZT!YLorFeaF z^ZXiueHQSXxh7DA_2^fgzrC3=C?SQ8DKNxy*D1ICcKCY5)@Cb~Jjne-B|e&Z$8VL* zs1tJf;4Xs18EEkf1--glr`T3|WMyG-sd?t2Oe|U>yL>kf_zBLse9k~r z68h!7PdmR3=BMElguVl^@~QvpDRoECn7;(SQXLH)6pdEm4*A8avYvi2qt=e|F+*k+ z7m6&WC033ZqtY+a9*-p`o3ZDVhPrTmKM>6Sm>P+!6GgpdNw)5 z0sR9wWu0*}w&kq&0a%jsrt9NKxNmeB%G}qALZOZih|d^Xj~U8gym*V(8mrcd6p9H)C<%czKYWkK zraf#}pkDnqDnZ6i*SxhfqwB7=E5&i`36B$&i(?*v(OSwbNNiZwD(&3nZa7@N%sS9^Kf?H(u_^Ov2ARpS-|93mK%m+23ijy%4$10g)q3 zCb-~{EjVFA7cW0Rp-W>650iW-?+LsHJzWI3$}BLjC;SvYPYYvumZ^7R(~W(0^1raK zTyiU^avzi=aJ7z%o^j9`O2rpAzS;5B=OxQCv-5v6Q(3(TWmP>z-I}BibiH6=+F*@y z?6d$ojyUh?Dh-!mA)T!j%&);G9 zoge(ns65Fb>Olwa(Z_LW|60>|xU*E`0(<=Xq`VY1FHoT}-arAeXP$Tag!^Z*@dhx? zhjHH?0oY2pPV8J!yM!ln!??fdrX03PKmZ|2vNZ}r-d5c~|4xaYc+<|ubD%+A&c;p4 zPp%<}=-1NcE!Y~*N43j?un7{XU#hyvZ>fdoi)YJ1*B;-aRg5%GAO^DQn@jjFYcDW+ z*FTXyYgjI`BJu@*=|q!whCWz%Cr9V&dg z8<%SzV|`880-p~WACFRxOiwnj^G86ZYfx9;w+cQp1$)Is!OYx zlX1H*m1#J-%eHHn+nH^SuxM=3dOjL6fsK+hY99s6?I3U6=7q9adBNQ&z5&Cl|6& z^P)lVTMCawuCH>&nk@&(X%5q2fY(^KyO)#1H_}xvu?MSy?|;yIQ)+!kfot{|dDSf> z?e5Z1=!>izPCd>5iNu0a>-fRSqv^BLOZX43#m{4H4c+^2eMWoqW$bX_vx>tWJW$Qd zjE$$}cRt%<55UI77uAd5i^uzMg9#N&R5DCs-cV$|`vYWUi~mJM>$`8k4c@z!FQ?pKTcs6!qMY;63o{Yp{syabQO*IRicQo_hZg4GJ{ zD&0|MI<)5Wd4p~EK3V8c^t8;fQ~1?wM%6Y0AsgAs+kLb414-@_DPw|OBzyg_>MaMG zA&M<@w{RcD+hq|CW^Wk7#FTu~Z@UBbq@2K{#U$n<5k&7BQaij^>tF^Fs zMa)3@6Iymc&;29)WF7<}tR+IvM5&>1iU26BBXTjf!BDlcy_X0XY-wEqjB@0*EOwk3 z!jIVw!%u!E59a&Lk7{Q(5ygT>!nOK98rfAC_Cj8=MAflSML_3haB~@)P>sh`v~cs z0oCrBE^nL;vn>}(t+grZSHRXu4m@KZd_5Ff18DT|K-u%d4EYOF;3WG@sm1_l7Mv-I z^_bYuk2#J@Z<@e~6Sv^GOsH@mFEz@HD;AnoJ{`M)t%#>ncdE`(Jk*P za-L4yiXHh8=dN_#2aI4*cSGHI_nlm5K!?2@dD)H4mObm4fO>kY%3A;;oYF82+>lgi zJ==#_f{7*!LmZ%autg}q53ZFAPhOww5;lTq{bvNz?bvSVKh*j)JTkm*{Xxf+1dDvW z6GF@SZl#xuGz{6MhNmR1-mOV$v?rp0M7V#3oVvrS^Ni7Y%*d>T*BK`Jg=b?q4L^IF zRTMRJbb^qvgU;1vvg=V`-V(GdxC4ss3Cf@ALPHUs%2Lccl1uO0iR)gWlN^O?& z^G$*O2An}HFEe~Ldab(P=kmeEq?t{tXX$ixI=5G}sMN@Vgt%{lWp;nwk6~9D{_Hng z(%1MJ#AH{87$Va0z zWA#@PK$9dGHd;!fmj)@pTY|@`cW8_?0ugu&nvE%u6Wl`KQTU?R6oSI28D!5YxHD1e zf#0CD!tR@Jvu)YPxD?FM3@epRKG3J>$Zk7#=fztQuNNPXC(FX^Zx~X`n3}AxFkAVMZ@XzM~J~m zsCMr^O%NhGM4~nBU`x%q!hdP?11kK$su{#l&-woPgiwAazB2aWJ+~Abdu5pM@CYAf~|{-UIih%fP`UCFn+)^ z?1p4!M`?j0(xHT-xQ6~?ghiWT>eBIk)ZlLmmx3jx)0O|8Ife>Bc!2zy>I~iA86(b@ zC@ulqwy&T&=52!k(qR8Cg)wQ^^1+@z-w{Q$?d0Q$s%<+)7WKW98N{;TIy&;?H!VYw z#BHh5BUwmF8>~K=@7Q5pw?qkuPz2wXh?f5hk<2Uzq7H^C zciR#RX?7jvAUbfjP|(d7$mNTm4D9K`hBN>9#s6Q=q}v6jMYH;sbi>AO#pXEVtHh>N z`H7||wS!jVI@7kmPZaw#*atP45FE^&%cNJHrt!j)bdWHEpYOm$gUDNc7r?R)(WlBh z@?r;w2-H*Y0bgroBXi)q1`as}Bd;l2kWjc9cF5+&Po2sR{ywDM{AZY5@)|qn`tfI~%pke+cEHY}_aOf8 zHeELQ;gI`Oz+qa=@wJ*515}Js?+|+{6WT_bw0B#f{Y6La`~iD=D%> zg#q>XPxGL5Fm72XYr1RWey1ud5^+#yVQM)Sx!-1+|mMPSyLz((k|#+s=K*Wi2o z7G!QSTKV~bub}8OH#0L6?87~N^(P35g1Zxw#u*gU!R;ob7{z?}CJJ!t6*ZeWb0Bih zhv+XJ3I2XYy@l--K+ft@>M4vkfNM7!9j6tG2k2dwb(qej*qMdMN7j^48hAVf6GqL~ zdXG*&aVB_z6vV>${QvU_U>Kay8?KiB#nE4NoZw@sd|OgahC1HTf1VUXlYj-^_|>bc z?h6HcWWbB>8gC>Jya&uS+9#RFB?3CW?r_PdHwL-EusDQuY-jb zSCwhYb732RBpb>u&GkdQt{us`mq){(4;gyy50+f*8&{~yxOrywWz zn%@5t`XQo5oF|D4?oxh48Ns&hgb8nib*l=oG}&|O413NssBSyKnM!#Sv3-Akb39I+OwPA4sFiM#p zVK=lpx}#dUp6>H2{!sgwt)eKwN=n%3ttm*NnoF?X!CLD7YgxcLhQip+>`;1JeV&Z> z?0qCtoY=dTLVK3k;fc*8+cz|v0Kyln2@U=xsVT!fF@$vCTdG?4e=E;E40!UQ7^66Q zp95()%L!8#8DiD;wzW9Qp8DH%#q5}8xh}p{Y_oL*W8DXoARbvZK|Q&r%!E^{ z=RxEd5n|oTN|Ywb;P+`4O%k0XGXDx%^J1KGp9G01^Ay#kb5wHqlu#E|aWkQ2-vhRt z@!Z6b86-@gmN;MHEe`fEAAnmcZ=FlNqT*5G$#0qiw)>j%V(+fEyys1r(~TiP0Bm4n z9fqh{xsni+$c3F&PUuNGRo>tPrN4=P6?x*N_f+u(vc;uK`8t>$M|0FV>7BjdKR1(n zfnue$O%n0l5D{ea6k|2%@D+g~dW1c3z&=eQ`NrpCp6T@DM=UHZ3~yuXmiG(U#m63?-|(jcG3LLsxih(;z$!5jC0eS9xgQc5)@loYLLyx8J1AO zb6OZVpH{r3@*~a~%j9FB#!7*!C9$~Dz$yR3LpxDam|Km=hfO=U7iCy zCq_vU%2LOBnuYpzo(vnXP69zWz6*o9I;{xxY zi1$U`pjB#Ic^_5t#hWv^D*7bKE9#x!y(J?GX)d_yfKhLs>r%b0wZqG{r&K zg?T~c(T_c`YsZ*uFFcn}h5V00y^}x?t`$yGh^ev}3QTJF?l!ZOG5D2*-e=C8{qm0~ zDrMoK7dz-Ef!G99_#l)~lGUE#*!up?`%g{{ z=BzQ@AYeaQU=<}Z0tltv-yjh+u=;ub&$qUP!wpF$YkfwMr!F~?ZT0J^e4%OrZ?tGp z+oADe!2x|Ypze>nn4~ZE1ec!gxiqlwj|73-cs!f*D{20;<-P?6CDGbjxwfpSd&b!f z<00OoqM)E-Vm`Fia=ZUi;u@pLPlddFohcop)DG}i?y1};ohtbSGr6QIV)7|loXKJu zwv5y2@p`uW(>lY+yc1WQwZ>b&%T`z-){Tbq;MEPU!cgZBNwggUDTd&?jiPDDh_wt^rQ+5{D4xHKtEh#um;4BS@RAC)>rgdg%j zXD{7_QI=kjm+ft6^q z2#krkiMq7i`(Fv+O+K!L$-!&^`~L(Q;(U!%jlkPPd=gYSa}xO1HwkQS1thf&0!69xtb zWN<-`8sqbFq)F<1y5FdqjPc;LW=F#VN@tyjTJ3W|3-1{wD;BwMGOKCFM`6L-8H+3X zp~Vl9Z=5S@jp&8F*9Q^(VRB%DF!%QHK(o(7LMOO9jj2eYSN%f-mAu9ggvo?8IInh@ zN~lmGF{wa>1D_t`aTT5i;sd&B#TybsdC3&wnLQf9{ehG{pPvu`kshn4Y& zrUVRd<{Iq2LKvKhkP`v|9vo|bO07GrkKV+C_#sUos?|{NWAV~j-XHg9A`CWZ_k5$0 z%1WGW(9G1=^rorI!wFf9$a*`O%ik)CvxbKK5`I(3#IFCj>8UL0rs_`~=Olw2b}2BA zNh<$(7;Q-RM!dvIIWA5~pLLoEK^SFH)#LrOLMz)w#2|VxZx1G<)qUr8Ehs?zb~8!L zTC@6|=9saQQ+A-9nYnW!v#vYJ+uLT){zZ(IQFo{p>SIU-&!@eTar z(4RmsZ7zym`c~gF@#&Ikt`6p|g?KhiSATp8^yd@7{xN(sb9^5c^ZvjF``cudF5u|yi`M}A0&O4{!LF2_gCLbdksrM#zjPqz3|j7Qno zPp?0q0gkNRw%8Q-EZ%GRQM`rImGfbW-faJ4$ru8J1)iu$<+@UN*jK@#3RWN{}#l7fGs)#GmzHb{nO#;S!`0d|Cfb9=w2p@8}PN$Oy8iuA9}?5q8N_#L-02hRv{ zj8_qIudREr=d2%@?!@peYmAypnN<~cV7g(*1WKCRFJI{koMki$ZQYQqO2J1a~@@*@9X z5u1DnCwjQFYk#2PTF1p`NAU+nOp}kuxz_ion!?|b9{$Qgw(TH;?9jgmyi zHvbaZkVc8NyfvKG?4;d~h)|VEQ{@Ci-5{_Elcz>TP(1`qf$=+p#Or#PWR(C2>8OYG zsB18CZt)k$OUCLD&DR27AFEIe>i+D2WC%?PtiK0v7flIbtpUSUw|MsyZ_G@sovK&& zokX$oA130@idH}O5GibNZP+Q2xs=P)pKtdYOV{|0Q;pCFdm38Al_0v1m#9BFpusO< zMVN2DIGmrE>@0CB3hNl-W|6f*c# z&k5;3;_M>d zM`FICTr3DrWP>-+i6BM%@p9TRtT6H8q&j!tubb=+D=k`_pOUYGKcR5yukB{?kE2tS zRfKqlIlp6((Y6xR_Us~x8n0hXzn69hg7bs2(f7_+U65{Fo=LAvqtPYdQ;?jEGuvBZ+ zP8XA}3pC{f0Q|0COy6`APA^F_&O?)!DNgfWhLaaj8LMG^f;TzWhYMQoPZZG|$q-qE zNov>RGS*CVW?MtUzJmS>J!QCf{ebuH|1-kd7`PYj^^bY-DN8w9&8vj*<=_yhj23*7 z&ok)d81C(!ti?ErZp^2mkWM+n^bSER3s67#8&0mD^)S6EDJl)}@eMGVpZtPPDVpEU zcuSP}3k)NI_)1Pw%OzQ18DN=~+B4@A(!$ftM!Z48M-QU2IZk|d(qK(9jjZo+s;s4U zMac_=!uG)qiMKX$Q1kV8r)Lz%$I(=60NUrl!NE<~80j=7@GM9oc!k)t@l%_{NAb7b19`oMwarl)(J&Lm6A4TiTuvf z!X$5YRhb!O5-g0GoyZr?d6jQV>>_2%AMdUPA8s!~;s91tePO&YdX{~>c9B48zqhO1 z*}`@BE|a&GZyz!PFe$JhYJi)*;`kP94swRR{1T_X>Yt6IlRpjr8>nc)51y$qzYD`eu`SwYOY{BAGvZYX6=W$s2{Dr0vd?nz~SS7r{IWccW=bgnw=>KU^lOcYJKZHGiU!gOz)Vxo zAlFp>(g7ZMl^4+gvvXzXAcIA(Z6P4FnHlkZ{AlyGGUQ!f@#U{%jM@jH6RzV?7C#k< zu@EO&fK37PV$p&T ztA*}ymFLEfT8NeMaE0zii(fmv1IizPXFuc!O?0DNYJ`t(6rg&=W@|=$vP~X#7azCN zetHKSKO~))a6Rhc9YIJv@dKx4`->Z+>d)__D2n$|&+kf(VbHpH%b)7e_<`@k-|A5~ zK1hpb0X6cC!J)I?wQ8K-)BVz2u2e(otjDVc7&xV>t~qwwlTcATVNH{yph=O@RDg1h zD(m`AdpAJFcskj#k1gsAy)vKymSo^9qXtneB=2O%2tWZY7e9JJP~|BQ(g!Uf1Xa+H zr&8*>sr3h5u$nj0rzY2=KNK1lRc{Hi798TvX#(KPidsB2P@lvR(%o{l%PQhMaJwDy z@GGN}?bivR@><)|`;h3!dx0&aEzBX(JXj{$rA;#lymW@W#jZHQ20dHYp;@pUhX_r!jQBmxTEh; z_$)piqK=p&55aQSFmYCUawWwq^{n(}3Lv-sa(q!7glU|7l&Y%D04)inA&h`fXy zDp;asKD8c?B$bG&lNksa_m@q+cTA;8_#jj4;mU1J5A|MG7cXcUAL3vw0-jnoRGK{!3!-l;c`}Kkj5J`9bVBmoq2B9(Yf>OB=;1T0tt($2wwf3FQ+IZ>lKpQ5PYq;`x4(F4RIAZth(x$36e@(U%ElpBCm2OJwgQ#5`Nv} zb7k@=snuN3{hPuh0gEq(1N*3&GB%3mtJ*HDV?FlTiQKJQi!^M$=|GzS#nqhr`OjlT zbiHC*T?gMk(%HOnEK3TbI7GzdsRcuLu48`82YC^e{gl&IZTDHjxVOf!Z(6%#n>a=Eowt$KH#@bSEBy18w5> zv~eV5o;3Lc-A5yYu_=Fxgd90ITvq#2tUcmJf6|b3BJCOs^Tg7QArX2pHT0w+R%%m# zcLXJ<$5{X4kB{S4Qw}Obq~glPuY+pyv16#eXEe!VVj20_)o&p3du+3z#mqH(^Z`!(w(^Jw5SmgzN2m4c^V=?a*NuHH34tIHQ>(-t$8QL40$0wYMp_!# z_Ee&gf$JUZxWRhF=W{(_K0}3x!k*S#7Q1>d+kTFgjB%o~sTHc$olxfrEM6X_^;5VX zO7D4;VkC7-7vc?dQIrTa^CsNejI^g{wjpGxEf5UfuJQg}HSDMB@C2oJ;BpGy5D4tESgx##1*%D?GK2AnT2dSuXHJzr{|VvF^B- z)PepUfS$SJ>ykR_?ud3Vw;qRoSB(^ zxmiN@jZ!Di)+gZ%{p)u{E?K|39I`FD1RUvIIj?Q9e_SVf=NbfSsrn7IQ0JD$rJj`? zt$vYDqTF8mEolGn8W!J8UVV82Z~g^%K0Zn)J-h5gf(mx`tC+@@fCLFft?F0~wrz=X_A2y1;(QvrI?s6DZ2;d=( z7g~*T#H-Rp?CYEHNRw;(V(VSwyTobvBtMyhPq=|aWQ)_yxFg+;WaaPto!O^kxybl6 z&KQC`m!^Dq$eOG#D#61cIHe&bJ}x(f)HdWkJ=5CVC`xQY_}jE#VP4!5-fJ6<~2 zPG7ea#WFFMiq7AY4-f@JI(hhjjZaJxw*^ruPMb zAR2VW@}j13bLo}OJ(p5H6GgYUHf_mI8WaTyA`=OUn&>s8Ezc`3HbON;z0;Z@+*g9b ztNf60qdX=EAeu3{I4z*b!3ZBMtxY-a+f59wZHmzbp>@ukawf6!78~u2OgoTr6xYaU zmxoB9#qC!Z;WmZWG-1NArpUYR)T5g`{$+sI?^kYXn|^3WJT{%^UGgj*G!?yT=(Dxk z;5@&{u+5E(3pq;oFwIenx)te%q%)MfOjzRo!~Kp}Cznyjdl>I=bSy_iMoJc9)M%qt zH@^7-{4S0ytqX1>{l|5j?Iw<08Cfanh5LhDW5Q={!3Ddb+(`-TRH7;(w=`SvZ{#;y zY&_zSC{bF6KA|2c%C)FQbffFsEQ|jqVgWE;T+i^&ESe47_Kqp~b;8>|tmnfA2cDNC z0&-NLu-+8)hs&J*PRQ(tL{v6v$LUK{uS(MeZI~vB61cpZP@|0#-%oHQ#et)1c1NRF z(5&dW98$97$#%{-SUM~^%E$^eWn6Ky0#(td?ltd1tJT$fG_ebsh{2j^4aw<02Wjxi zI_!$Xc_PQ(bDR>&VJ3kz0T)cqs@dsHGX)WRPwq%i*1}Ow=hgmHk$Y12cy4%W>^%WI zvx~8=Pm~gf*J}{J+jG-aI;^R6Cyj{P)ZbL2Y$ww_*udYu$-zI13ej*}XxSLwt1UV_ zPap5O-yF?@ipt7gh8ITB)JIU?N3aOWn4TAP7KoPhwwD*eKgV#3>QXp3M38QUQ(oou zGB*JLpPuE05T4qsDIB^JJ4U{6dyHN|lbzRfc-i_iNS)6MA_BpbeXF7di^`m@zFrik z_>5o`U;&L^+R0?laYW533DmBsv=)x^m&V>CVg|&BylWqAnY;=#4D3(#_Z?C0RIWPk zBzc#%e_VBVn%Ty&n9GL`sdg#HD($jr_0 z!_XapD3eS<>l=T+4A-hil^la@FM!=Bp7^ag`5TV%7cmPN2E|{8TiAqa$MHDwjP?Nz zLRbE)eYVBn0TXMhU_o4tbF#wJ-W)NAMY~l>Uz`=6zi;+ft(89itAiK`0 zeN@ZTWY4dTz^9i6mq;&qnVZ1MPPUPzou9P6pElgX3)@gFEI-ScWo}iFA}b=krm(}+ zPR&CJni; z-y~afR|r)q?aonWNexCn_er0XWKyJs>lw$OSPQOj8mz(Zut3~HRg$2`sLnE0OMLvQ z5Aj!C*-OFXj#B01uYP@-kEKLU(Ja)XW*n-Zv>u{;WW9=U+oNT#jIhO#P&CqSx4$k~ zlEJk`^`Mrevi4v7dEeo^c=eP9=8NY9*SU{%@Gi2{v%u%770~t#Op_wnI={AP4@ouo=tnAf>fFrBHqVT?{QRvxpd7Sm2#*{)X zf!*}CFlV)ea^~^Vq%b(+NTAm9t+<->$yC?mPLw1m&O6hKCHdF9|CrAyR0(o0sUkU0 zk|sUaarHRjo5jlDalJlX;gSL%TS1fLG=x=7Y7p@&svDIC*>FpV19$KM^AGRuaCsdB z*xnE02mJD_23Fc>0u+5>=xCKxK}rS@sEb`fYZN=U^j1z~_}|b=>O? zG!Ll8KI2d?_t0CY#LyU?hUnx0(2~$T$RAdBVL}eY(k)%XzIQTz<4A6C@Q>gwVV80( z+jJKCFvt)Q&YYajI6sWGm53xljpVt)89^AO028OOU$W{Ksv5P*w(7@w!?yunkBaK8 z*lrU@3iC=YJADJYGdo|OsddNP@IJ!6Sbu9#z|Kv&D+zFzIrJ&{cM;~)CpYQ)0GO`u z%wqiO-r&0dB3@525*riku;zoYJ^s+(8iQR=4z_Q{2_sITs*#Wjfv z1c$WWy`-ILNWs0&s`U7+e+tNpIOem8yrDX6P_ccEFYj~Egm@KIOkDN}H& z%YD|$BnoSvSAW;z)_IC+$Y5w42H3yl6aS=&`gKt5A_SxWK))`uXkWEvD{ZI=yq#sN zfXxvG+TI@Bmk!!Cb=vv6z7@?RGbrvY7`f;Gp4G+(r5nx2J&|{&$-c5+0WD$c&&UJW76?s9#rd1>c|T$62AX%*HJn4+r!mic$Ev0Q;=7$D{B2y zKv`UaeBk?}$kM=)Rk^yJB{xGv7p>~H-{cKQ~3qxv6gaE!HJfa3ld_xG#6bOB4^4H@OLb1t0a!;-uc0N(bRr z)_zH7;Y6{{kNH$HHb`#8;H|BzDVQ%PMV)0pY{)y(2BFnB&*s99!m{pEGZI=%DsK9i z#rAb-W$sKg-lH~N*ZiEAM&=BnDpW^1YW+~$)w^k(!MT4&5T-|5_{EdUStLt5x?26c;h>!+3QJk2ij<10C*b-}l{4Q6$GoFJG3P!M}1+sT}l_V46+ zGFC0!^|f`K<&HmB|L(t5(;0tv9hJZVvU6r8_lDI%-l%KoVKv_Cn&C!MDb0^T>C)eF zy;OS(Invm)34!+20io)Zeaf`HzH zZpUMm0n#ZgLY(2H@#F9du#!hgj_4MoR#5k-P6^LjX|?YY`yKqyyID-BO|9~yGUqKZ ziEYwkyV{43@?twf9ch%~b`Y2TX3s9Xy27o|-(~L~eoDyYtD)=?OgIi<#76(Ec*y0c zqTxR8USYfjp~ZnvfS-(JQf>9VjdT-eqtWo%;1`p#f4q5_{p#J>-1XQ~*P&R*N3f2p zl*P+yxd$urG0&;$wwlFHU`4;7fFFpT-1OyLe;``HkAKfhJi5R7WgE&s&bR(+}uk3QS|EDRx)X zRqO>s7WU$bR2#^S!j2-FMBWj&Mb#4wedfw!@8V;u5zizOrC0HbB#W1{G^*%acLmyv zQ-`-r@K+m&5Xqo4$$La@slT&4Gkl~2RdVD96_z8I;#+_Zo3wzeZknp6>E|SV1Iq&} z!B3IPM{9$^$tGQW2UGd(8u09TUNMpq=uZPFXHR53il?}!KKa#TOX zlAT%vaPQ*Imvw!=AufoOiRx3^OyRao&2EY{lRl?o;|YZRPRh$LzNXlIh?k?N{T|tX zKZK0uN#Kebg*ICVI%4yV`!u;Jv5Lcgiz8#Y_E`=!`_~SdtX}G;po=|NKdx)XIbajX zinYfv24T_f#57VNhL6_+sib|GBI9EaPI?b(cfMoz>*f^pWVYrJJPiU_Ym3)1#_e|e zf%p3)PraLLj_oD^u_+iw2{{B0XuXLinpRLtmb~ue8^@)DRqOrSvv3%7OH|)%+i1Nf z{-MCM$K0k1!^AEN$l6nEC6!va6e>juuU zmu9{;e3&q>+3$Yo)jjc%#L??p`)!_Wcs^Fd9RvB(28K$y{4&A^SqJ2$g zLO}m4Pn^j>UfdoPshG>zxWxVcarG8JZEaE8Fi=XNxE1%}4#k7CxEF#JhXzVoXKP+Ip^%X*R!4_d#&uy6yJU(^6D;@bIN?R zH-29prTxqZcp)<}NImplBB)&SF{?};low%4qc-iP1g7;K5S6w-)M@1by2qifH8y{S zTUAq3p`W*mNY0bo@nj;#p$6`2fnExF5Xnn%$g9zz$U*#j(p;VD?h%DoE(2O`=2zx# zF3o!A&;=gI9-x3>m^dVwNna91#+5xbNE;u@dX&9X9zq&PyXjLaJs{RA;}BUpT{Dn#?RejwrLj-#=f#V zW~}p{|oumm8Y#OnYtn)Fi0+)r-nV5~ukU zKCs<~>;L`{jis)P(LR5HlI|~1a>M`RU!a87kn@KilExobcjZ-DA~jg2FP(JK)_zU# zvz_vve3{e1q&M8r`~@&z#gMP$T|x{Yijh z6M(oFpg4pL-ClCsa*Y?U3Egr=b6jfn0h3=JR4LVyrXa^k5Vgv)=b}O=tX8Jxsr&-U zV+=zChx7EKD%2;t#-3DC%Ue0Qx0`eaeZJTpQQJdtT9^#H{mi^Iz#1ZVUsQUJ%xuAm zul%hssO@Dq@dt9Nk{EFYz&z`|rWT14n(>9#FKrl8z{?(Fa9{L8OxEZ8kzUNu(b*bi)Fti~r+h>l+n=NM5JY4-6E_$)mM2l<;hyHcp z5{hk6!8~?-0i6IC-c=5&R-c`bVVc`@LX`xi=aF4nQy~YTrL5V8Y%9Ob5Z40Hx?&q{ zrWy{+KDJu=e$ehhH2HMngx24u*5|RIp9-d7O%aMY6-i~elY++ko64mSwU*>>!LoFb z|BMD!2BMbtIr>1gTH)$--<}v6bodHB! z0`V(6{*Hd3Iw@%ODW^l8;UDM~Y2vrV;~ika3Rm^0SDZ4%P^I1g%f*k^rf8_=uRx#V z?);IMW&A9<>@Elcx$wt{O&sKvG9;^7-w%wl>(x&eC!_VIJkqr3f(dCi;7%Skero}U zgIp*Zx?~%Teo_Z2ZZHFRh#Vw|i6N2?!@W6-dGZ9(5 zdEl^Xo~IqU7YLPegI^V#r#!$CeOad*{R-ahZr?(e#;1etv$8&aL{qy3#`M-LuS%f- zGtbJ8nhdr$JL$<7Mshbl`T3u^Pg?VCnxYovseJu86vL7%lWyj*32gK7RwcVP)$;~@ zK0Qkm3$cmG{DZ+%8(;d2Y>nQ~Lc*hTJ=cPvzcit8tY#5xEumy)p*V<2fACWo1cQxw6I$}4&RBVZN@=lf-vdl{tTY34lftAG_v)rSjt@m znc}H^B*S(X9BMbrS9n)t9r~{=z!2(ss%-*e8S1_95toFuiUsn#%?y-1ZA%$6?o*?vvmp)OTXMqv3 zdg6SXAuQ7pJDjO<;oWwQ7yEoc92N`^&aE>mwSbBnT34|Y6m)Mdq8c2jIE+Md-vzKC zJc3kY)J=_e%?n1I6Q&Z8`gpE9KuK}`XGfmkKvHQ*)ysw zz^0FuZWu*$!4{BhG+VIXPBda?I(GJ5LZlIJ?RK4H;mv)U%>r+8~>5}nyD8uHz zJ}-0a+efQ^cjpZS<>*OGgvF)URplJ``bi1X|NALN!cnaK*;z!eku-P(x znzW0MXaeWS|I=0}}SF3r+I&G2p(XM*E?`AVtS>f|h+$#EzH;SKi z60lDy8^8z!zZ8dqI_IVU-0kw+s5IbF@uE8*o-Zi3?R#{E=LJWAsFV20EiJoB+fLPy zx6<6jop^*rgxgXtoo0V-l#n7+uy0$BQapHzUp3RBKlU3Mma879-R`0_)alT(dc<;~ zff?TR5Q1=>oip}dGExpMDzjp)=-?X87P3MBKlUi`Z4Q%p_3$qYCdt9icr$&WFJQSm zQd|Lun<)6}^@=1V0Hb;8c%f*QS^P;_1w5l~FflWpJr-7XnJ3?t_bJ4ZFx+Syv>a%d8RcJfdAJT?2 z)EL8ud&O8FwlP{}#eFvDxY12_kT&k|=2h%*G4e|ha6CPetJmv!wi4*Om)=_Lnyt~j zna}(-5d>dVZyCnQ5!(2dlC)sfKSr*-@GnZEc%W~}TkYvaloQ4V8M#>J%e6_8VvNk! zUZOWl!t{3^_*-+0&LcJVI8EOOC)d6+&{Aq>v$9^1(>1eNoE4(j!p9q7bG-~)DzK=s zA>1pb`}1KdxY6`?eNRv38TSQqz~k$>BFJ3nv;W;3JO{L(hWWFa($e)+$`qA|Kt!}0 z@GzNjQAjK}vjR(a`Q{lpo))PnO&Vc?a|4kIQHcWWN)#-2NPG6P9r0&5>XFsb+tbR2 zEMhNJ?eh{j0CV&vuS-q14hG$5M095aJR$d^0Gy}IL{{Ec!2RT59jJ62S@be zSW-OsKv$ic-|@wJm}=Vz^AG7HzwQe5Yu|k6(Kn9o->=XyveNB_V`u(ZXLZHW}*8Ufd8hU zm*v}tKzBo&0C=4w?HS-5cg%y#rBefP__f10RdFV{7NY)Jo679$2diBPR{Q=E&2FYC z!3tB8L4@UuBr=zm4&_UC3NTK%&yRM#*G(+&+?SskxQS!fU5qQ9F1Wa(99SF9HyRr!f2;R1ndt|Y*>lDh9{-G3@dAau3q}RZP@(n|!1BrJAKa8y2BKKF z1CkGZ-icuIZ>JShRM}V(k74e}TvhU?vngmD?Jor&Xuh;Ev@jHZJv7lV z9H-dqh65X!M{nAf#D=|Bdc3UL_;8b|O+F@FgfT}O^mPu?e5om zHkX6n`aQlBJGCAJg|+f+Hq~ZBlBp}8OnlD!5|;TeVK$UdBIIw0e1v<(kEVK57P?of zc7%Hz@vo}xGJjK!Q)#9I)!wTyM1tGtIWKF%SKE|lV5lVDsd`NjZrO4y(<)z6iCl*R>od^$@R|G%?!iV%&cYAp#HO7 z^=HN3S}aA^npevuBlwwmVa4uew7hf|=G!B~50Sv1$6hJ1xb3%6pFe;0G()>E*FO`$ zs3`GKU4OpP{n+=Tq793=V!J3e(S3U4>uKkLJnn;Kg~oan zapoI?j58NzwsyewFE@})f$djCV){P~V|O15_StedmZmo#J}aF=XWb}b$~{N@MJrRX z5=f_)TaD^$NVL>Qb+`i_Xta33+7%7!VVk$=BD9O)U-cq8H<2|ilW!&sxCe%Zc8z_V z63xIp+5BG_6P%aPs5kQce=t1%ksU2peFw!W7&BT1Ui2G(OKZzT|k=XBJ~7>X35 zPspHjG3IfEVs3ueBxf0QS9vb^jSCZs)!_cKmjSpuA!B)qVw#HQ$r01=qUoO7@Bad#ERw5H0(kTV5cl+^pQ z8>9W^7Ts!q9@re$T>X4SC zYbwEVsQ>W-VIkvo$Zm3EKpAFSEXlPUm=i@5IxU#dt})^3@hvXu7Ch*{X$Z1e+hVGy zsj+r9IL(B|g+;pze;x<_ zRhV#k@odJYzAv14_hqKCQ!@m0xavK)D}6jKOmH&k5gso0pGHJAHTX#m<7waAB{tTB zQd+jZ?cbJuqdY4b_8LY=Dy>zE=GEiv#YH(XgwdQ$J#PW88`JQ#f!@`E0cWu@x{s3W zF3-y8%%BKI%}a9olRi(PR$zSav>kX%yo(u+ib)mxJ={xc^QDc;q>>(5HY%C=0?1ou zE1#9cayq?%C#;acDt+t^sv&D@bOjSeVB7v};G#$_BSDJ>uO-)?3h&i*1 zu)Ix#lw0dDeKgM*_@0VxvK1|g|4c_2L-nTdJ(-5ezb|@Cb?RO}uNw+F?~Yf~8v~El zD8GI?K`G1iv+^CcaV!ks-ksa7l{c8-LZc*1o|=~*cnQ$cRA--@h1+|t$1=rg7q zLbss1Zr(vYdcVJ$^QLLJTHPBQc@3dAZb>A z?80~$avXxm&I@6bo>92G?7vvgdZraWJJ^3G9#P<<9U1?wlQvwIuo(^g4Y;K^pv0;m zy5nvt>2to$-zAsI!a@S)2BNLBx+jK)_kH^+OL|t=Mx9WVt=w*4JZ0p#UdVdP!yG8C%}fO;A&_lNr!CD3pcfxP z%YzuWy);$ZubDNFT&5}CN}$^LxtoT_4uVePvD@KrnCivSVL(lE_kz&Ie#)a2NMAqf z$SZ0Id-{ZU#yg&}IZjW2{qs40tBXJQSOjKhi+8hcwF2@1XBc6j?Xz3f`G7h;_eeqD zwN7C>;<5C1*g1;+=c+Mb=qHOj$X=;nlYKhB>(@`fBYLAHudbW7yN>sfyG8;`DG{Hq2TCikviVua7;Jh$M8c&pK~cgLj~CA z*PP+)P)yy@ejzAK{N$x=`Yo{hsux8#R9&RsV7A;TnkY}cpnDEDBLL!(9-wW5@KDV6 zVz|T8-@Q*eU&)%<1J`N58owvdVrcc%yu*Zd^cO?)m@_`ilCcIm>r=;pydJ9$*WXg% zhT;TrHXrghbz=%dw1pp!R7TOJ6X3=G4)47_LR|aH_uansbBr~&L?z53WEJyAdQjX* z?t2kn*{_S`JZ=i1FioiSw_eVgMMv%j0;>Ef)luYeWMHC677KZ!gmt_{bYTsB*3rM% zxqZmf@|Y4pz?EpAcmY69U%05E7!?4pbJvOhQe9Z98W_&Z4f!^-IO;kZ;bV=JLhcJ- z2&fhoX)Dv2(pcQi>Mn#XmMPz85))4;n)aI;(9;esV6hiO^_q(gf6{6RMQ=h`=`$bg z`|n0X4L;-FaM*0Ncw^7+F^_d==m8JHArHKKqw=?O?L*VuAe;2*)`$$3#Ng^Zj)P3k zEXs;hBI$H6XHL{={LFH}Vt3gtlr62T{;By}#7UF>*Nl(ap06#Ek>4U<^BN_v;Nl?S zet{rF{%pbRmNLA`=hZx`)FC;c2!HRbikEyI z5PWmIG^Dfv_1=t?9hSrveb*$b-u>x~TpyL@zDT)z#+>pi12t$oDJ@!uCKvw z#)|myUd5*56yRH?9$`&&_ZXF)78WeT%2ChgIf?rcNU)BMZhwPaSdZgm%1>;Dj1p$v zAJx`B9t4Ng4_@qd*$>W^?xe7Cw#^Q5_c&b3$~K%&AU<^6x4Q4^x{2u3?Tu z#()CIdqZhZ&JT8?YNq?{u2FppYA$u{#J?+G)3wy}k$# z#_A$vDEi*eq+jq#6W_Bq2u)k+s%a9^)lgj4Wcv+O4gm^n(Nd893$^@6(iDsDT#MTv z_BLN%DHbE>>UCLR{V1U$xBNWGtkQ2a+^AAida=f5kV?@p^oln(jGThGh+@IHHi7+Q zHiqX#?!YMIqNv_wZ_8ihisvRcQ@h1Eb}T-9FgA{}$osLD&_Hr2!Z&TE5w0grT2w%@ zRX#K|{)`43>LS18v<>IwUkw=){)P*vf7PQLZqAa6^txJU_dCU8SCb|?VK%S#V-#ce z1%`!6o)>8=@2~-<9X}#2O&A=szWsQme$G|lSy(+f%{+Qt>CF+CUo9v*xY1u2|N5E&PA+0w5!S4N=9c{o!F7Ip%l8; zd+z*x(>EC6$j6zityc6ab^)U_1_;bT)83+EJ zd6wh!2Nhpu%9?NHSA?h2rM3!d+3Eis1III?XON zCrnE+3v-*4hT{ADs8!x5vLx>GFN%DcSbg#f4Ks24^JIC^)g3FEiwzNG4tNEBLhmN3 zOmKBXOE;PL{>5Y$ywzSYem$0o+?ZQSxjrfW0F3sUh@{ThaKo>XkOS}@78%f4?tD@q z*i6tW-}(j10X;OSd^&bQ7rZ_>c<4JjWH^Tl`Df5zWiLZlbvFq`(`J z@IxFIG*pYNQr-pIt>OKDq7q(?;%A0;-xzHP+#uZ8X^ND%VmPS=-}v0RX?^>^F}>tX z)-M_l9O41XrQ{8NB>L#xkO*LG4~J#hF`5KKwR9Cg&gBd%%luauP`fwmZtrL@?)rH% zu-O`*)dOw@Ao|}}tlzYZ71@?*Qywiuz*JTTiOfl-s0S~!1>!QRJTWraxqlxMZ_!*w zta(RlH8+2K9Kr-EW+*Iu>Q%$KZE%bb-DCv?09Ie* zPT$kkuEi;G80giW{ZB0bU9Ib`i(|We|D0>WE0p@4dF=qn6f<8G{z5^RhuTvjp2}|U z?I89!W$+RNH^Ban5S9}Zt?Fi;OKDPC3^=waH2GcbMCTk%|FOa0%G1%Fh48|B`Nttk zV_;YND0kDS2Z00c&^xz&RL)-WM<6uJdK&=V+6fI0x7&Z!5DexHo>=A9PhXhdH&+5fwmIOdrhmF8%Xp;7~L$x_W4S>9c&WWI(=@cuU$wy#8%L9 zNI17Id}8)oJgXqdaq9? zVt^=ss_`aV803XJ_%rxiVo4vuufxSkD$;-=;<>X=-E&s@kZBQ*&pxX?Q?-_=<9)wo z@zi%*THW(JkUgG2s50S@T15oM>kOp^Hj(W3?4Zb zU7PCZgELt#*$f<~^jxfA7Rh7MQQj}nJ7jlw=lP`*wj0X>ufsPMjXY6by>V%15v=Lz zU!LV9r+jWz1V`Tuy%ulX&csU*fl|wxY zt}+w1(lfAIo?nH1Jr34>i%{q+Sev3{h*6c6lmL)@bvsVM8SZRN1FhZKEsbcUt|x4# z!UiFFz`_nSg&7`4ZC8S-+Z!`?$z5p?Ij3fU1#vkLr4)`mjVoIbb?_r`&mqktLp6^`+*#|j4gU5; zc1ZRZFaaC7T4KG8ovIrEkwG#6dlq_?fSGC=QRpk(sBeiE(l16I4=m|!zw10YRjoX) z9?yc^BF;Bp_zoZ2=2=ungJuP8UhI|8wg{-H0HJ|JH}-6;1^^jRgUdGUURx;Q^sfMM z=9vVyB8Ew$?To(YOwTpm&-~uso>m~e5Rb+7pq10&^@b=9R=$b>{6_`U@(;}mGZ-H1 z{K%aF{?hcUJxo^?*w z$~+e;k*}4l)=)>~nM?x=gfAPE^ka>jVdfOZin{L;RhVHk8A>4G?jIMp>EYI}CTwTV zZ>aBRoC6V^*P7v4ILGF%)NEjuYG^J4kSvbP}Wk7--XN@lliDG!|n z3sPy2>cn#Z+d{bmzuQ%sN2^i_Ydn^_7U3AICw}W^ku#`wX8X+Hcn#vXZ2oCJB3wAW zN$dn)><=u_{zU;obS3u=jeiP?rU=W2CX z2ckLo?{6GT2RKEgF`AsAqj!+e^YYdR!cZ>B0|aIkUguAVM+2;{c>$`0uKPT3Yjw(h zl<#q6((Ln6qAocE_s1Y}^|NX7d!P6WoYkovosV=i8AL%tyh_c_hdE-5M#(8N5IU^H zEEU33T+Gy6oSP|Gp*+e}%2<3q0Ftx!SuUZD{L&IMk8Zj;o(` z1&*&YH;%eo7P|p-VPb7%pqIulz#Xsc-Nv^7@2=d;5KmUC@Jy^HC^;fpN4!}@@?R4H zK8!D`g>1V^RU$%IH`>N0lk=w<#{A!BC^h4}0kP%RWDS>g@J}Yp40bk_yBYo-3Gw`V z_u;sr=>W4Ux2C!XYeraSe64R-R%*X#QdNj{DMY~~P)Oxd)eelcg6(kJ#o^ev$4e7{ZxMbu!l~Vj-p{(0t7y{V}fG&{BCF$mE?)oD4XUc3>k(N5bOPpUK#vh~Id>XG8b z``UPuQg$F_V(`&?^#kxp2o)9(89BRyU7TFt`L@ifRJ_ka_$J>xF5}f2M*krzjAqM{9G7U~`vES){*T;2Y;#sx6wG`;y{=3FI|mGv zR{d8~0}Cf|{Xu!N?OPW0mFXp{0?dBjOfuUBlS_mCRs=e0l`<+X{@L%oVam!vlOaEJ z1QabeEm!AsuQK`rH`=P=o09MC(jRHkA^aj|1+SYykD6sa8&8;2Ye6vK87%hZI_Ww0 z^T#Cc^USa1*GKYm!GhA4*xg4%D>j%2SrK$%^;^ZuK;;GPy4G;w6c#ykqHWP=T-?Hm z&au!U<`3@09rJx`Zm=5s_f@S*!uQabytGSo+dYAUc%0I@_z$#Y1unevWRJwCrg~xh4`h9JX_rPe z(#D2uSd;+4;*u^NJoHTGDTn^TV`rcnEz`+--4MB$r(mPLG5Y#%!7IkSoT(IDW!Wfl zAw9Q#;+`l6QHmZ2+Og0i&)a@p8@Nj(kaJ&CxV*U|v}L2aE$kH*Ik8vaBKD{&6q73l zA6m^-o;xa|k!^jU-^pQ)ktYnJsy|&br1}I_+M@Q^LOo?G7e1)gS8`Z^00TtCrhDP% zZC^tEK(GwOHI8W}ySxTlMMp0>u>~GSo<@zS_S-}~t|P2R_Q!h|pxA7g!>yroHp;?` zlgCTVZqvU9!-lGY36Hup4D&)SFEF;}_Rd*Zp{If~_>5yJ)@3E-v@78~66dsh8M88m z7F%VCL}yVO?ulGX9SMv#hPdeX9{S)eG5xe0{V(|7&?QJ6pr1EXbt$SP8)IAOd|}B0 z{Cxi{3a|<+cv9yp18_3g72SON<=*s-Vy|L;SrOM}Pt`oNIt=vk+aw!WHZXqo20 zw=R`6qH15|;k8%)csG;HwTO6^Q>VrVtL#+470 z?^aKf^Y?#R87_-g_*pb+)2F54zYlRNS*Up?esps@7rgI(g_v)POTU1ZL6U?(f&OrP zG=v!xB`RFAS&YB>()S_fh=|ItY1i7x1@(rN%CK#3)t>Y7$6TQi|~i?c|@R8;AM9YyofMFwVlmaR!=|7+V&i9 zMKxBQ;XmY10#qdHme~&#RmK z*9tQ-lcF*zFSA48tpjNJSFh)Ve%4{L@SKN2 z<2Q_jeN&lx1COpT)<1K5>t(>pt2xsb-@)hPV@Euu#uL0Tm%sSP=6{N?sY2+*xDHe4 z+Ns=E{U&(1hxi%oEix*;r9XO~4>CG&T4YhZC$%WVA9iR{# z{8bUz^}A4YgMdT&GbIFHD-yP0>2`P37RosA>NtHJ(gtxHHP%vx-d!%{{dF}43;^Tko zuR>hFeF3C+Oz|?Lr($CDrh3sn)RXbm%;4F0;~Y^hZD6O#nw<>muHS1=;O>K%bKQw7 zJgU2x;PcNb!QIOt2$(2n(wLo^l@@4~0-q*^=!T@+?xfePO~0LgPg0WEhK0fbTtXXd z9881TP|`@(td6R&C#Q_2?G0b3g6|#KlEIGn^F8N7Ep~+LPZ1wA-uVj5oKixisJFc8 zEUUiYA=zuW-gdE!@lL8PUmP87x@)eD_lAG$wIJU)3=PEH*1dIe$J~+MXy6ZAJ9mR- zgv4b#@#d~Yi0Yr1yO^4}FSoZ@ub{0(FW6>B(qjy0*bb0k zsZDgv&N|npl1V&#G68EcN9J*a6w z_fPbm8i@}tYht*NHS#-Yd_k75f^X1uAdz9R6~&MQm7u+GFFNp8T3A=kH_2}{99|LN z{GS*SJ5JV%@6qX~mw^bpGim#PWAqnu%y1c{^n=%B-l`uvfIfvwRC?Ul0^c3D!(A8_ zy=`ae@ILct*743~jcWDcsDJWaAV%Iiu*rg*Y??pb4mUBJ2s$*ipxI#k=`(U4#wJ_9 z5lM4=X8XFnF4>%og*6*7AnTr26{TBNNw0JWMUibs{k|E@#hTob%eIQs*gUQMNk!fMer|M>d?T;auC3bY%CgHq@*V`NvaA z(Zyg_w4N+(*-{H|etz zA4A1I!{K*H@>#hqe=_fQWyx@)nXDo#TB|%Lat`s_;N834ul(99zf-wR^dG27A=#oB z=eU9K{bW$bxj^EpIih8YUxsBOlGi1`%o50n_B01Jv^KH$sn({7OCu@+qeXY3|6l8h;^Y_R9*H)MOxYII}!VU zhe&w^h51E%^dFkMMQv;X?C#A>d8OC-93FppVLPW_?#UpJrU@;-e8?D3oXZ~@-iqba zcYEKGgs>PmNlW%uH^EUas$)FKA*Bi9$id%IpAM-)?`L^`(Qd_F%iD3>O~W_$X?VIE zaLIXxR6ZqtH8t+&D!7+&849TV1;rLmHbV%JqT2q_5tb1Kb^D$tZ--ASAZ8 z-*+mLmo$PW;=NQ_FR3|Jc&hBT(R;dSX{JK9WC4s>dQx1!D;W-*VvH9_Yp~H?P@QF- zY!4{Z^}OGE5E%LC`Rl!}$~Ygd)$o}bo#K@_g%a9#i<7&>_D4qe{xMFDU8pr9EI3;D zX;rC-^kv^$%2?`ynC1crUM#*b<2PpBDjLNONhUhgWO;e_%cMKSU4~R1!eyolTL!L^ z=qPdPnp-SHjJ*O+XB!;3QY^>*TZZT+t{5$(Q=DU@{P+K+S7;;a)0Jt<49&hp5{ZJo z%k(rI1bA-d33)C?Ju5a9heOTF)I0${4`ObDy~89#khirmEb7bjY@lv~E#R|!t5?66 zpRQggZf}S{d7>%BOb*aXo?)RK9jMkiPS8frCzgvio0{z=Wh<0;VH7tn+ZzX`o8=Aj znJ(rU=dWDyzz^`3>Ja-j66jPi97!~ss;%ERs?SweE=d@_ z51n=tg8%CrnxQh7a-xKivon&;7ZPw#LpW0qm6V~_qq1Ss0V)v5Ue0c7<yC zhVcJzf$OTskQx!U<9B-X*4!5tPd*Iwu@=$})Tjv*#?f57yu3hy+EF4L33XG;<@h=&U54Gv;YLon*i61i^F&zYTvV z6gzvx(qJzr>xC~2shv+6nyBy`v92S!)&5>~;$e~3vP9uq4uKXdJLYGu?bE%Upb(!8ET)^ge`P@wox zf1?17V(`0F#Hw0(*;~|>s!q&O{+PN;Ktu_|;5c_y>0Wq>39&&X^|j)E<^~>`9D)k+ zFMK=fIg$=X_`@IJxWmhH;r=}80eG{?9vQZ)Uh8*IX8M0f)9TV_HN~)I%HE86PBP^P2|o=07A^1WFWsFT$Ue zJT5xaeQYwD{0oo;KCEU@AWvw|SS&oi^j+P8JN$Z|mz$TenH1q_A@yxcQ$+=G->8|ro-n>LBMOw%^tcmP{Qb_67GJO9M!s)0#1$^@gzdY17sat^tKn+ug#* zql-UVeQsv!m#msWzLZczJQVwsz~sng5>E7d1lGw~r_ieP)${^PPbx zGm_}>5R`zYmla-PSJ1n-J!8CIm9P2pFCAl-D%4tuRrlzAiOad`H`Q8d80j4j3(Ws2 zUjqh-_SYWv9Bgcx*Hu6MfFAXwYEv^ZC_+t9L0lkz$pm?Pc@e^BE9+{*rxtCh4O>Opq zam=wG0TmIrU%uzID$?rc>46r# zRn>@Xrst91%vWy-iQTnXcW}0EMbmny+5pM^4GG2n5Gxe41{v85>?@QJ&GG+V2mh}R z<6xxAn$K5t<3!!nP2ec2l%-TcndLfRMkE&;2~_Jz8dEGw_18DWK6Vypbr?FU%dRyx zKq>n!20*|ZL;4Up5&vCWQ(!-<}i>h{Eh(EqV1BQaZ*-XUvuhW#ra|IbxIqJzDJ zjNI^=@d@6sIQ)AGO(UDbeeMM^laFVr^QA1j0cf4P$52pY2#jroZAWV9?(QzOf$Sof zDnQ2^OMw2l$=$2-=keT1D&is2f!=>`@ae6@2Auvy;>o1TW7y)h<>38GG5_~9nFZ;x z9fJE?-$yyV=1&333kX~@n~>Nj`~dM=L*-IGTL+7B(+Ns91adxqIJV)iQ+ezO9uY*z zqJCXCYXo_jil{FoxAUKUnMH$S`;LTeblzI$9fbTP>wiq=f6X#AQU;yxcwm;^Z<^QK zR=2ZNW`T;b7J-pJBo|c{2hR&PXjkDpim#F2Zv25}C}iPstgHLaEqJ2O4kh)L_MPId zBzeiiNIc(~f!&7xc3Z8KZxBjkQ-RD?9Rx%Ae{8=0_pY?7Qi~2+h8v%d^^LORmER)q zu(s3evazv6Aa4l=WK7>~Rb(P3BhKf^DW;UGLz|W2FJm|wesO!$kJOs-dUcP+M%hQN zvs?uw`npP8!M!#A5IKB?jxU`0x4xN`x?zU@%{*Kb|L^flo*J~WG95s(PCHFKdP`Lv z9qNM0pFPmW?Y4-fsf0=m5W@9ESO-nTOX=THymk=KYZ|+W9deuDJPezbp4oIo~eI9z(5!%L}@9o*9kgqB9w^IdoK@ zqW-vkPZzqbmT0?dJi>4$|L>dAc67Jx#d_l_q~;L*?@jgBJp>XmfxOk?% z(beT>g2hdQh=6k(ti}l@dQd-VEjT`7Ox3Sj(^4j5?zLsB3Njqu_orZ{$C-~H*yi*w zEBz-y#PJB6bbtY%OkxyC0>=re9~u8x^1F0!`Q4(U}R%_VdUITci5qUpyl;~ zU3olNbjNV<#c=q~u?o~pURAc_eBcJ6_h7!&$iDIIRz~xikqLZ$I+5LK9Z%2xDz&@A ztU;j7w>)fZ;VGT52RK#jZ%A-&><0CQqb>KS-anYB(0ZTsY)n zn)QcA%!3GzYYqhj+vH~d|3LBY8abdfh!F+katPh~y+v?imJPB*--_r&k#v}%MVOL} z*j0Q!Gg*(}^qeXTC9$fLZ+5HSJCwlu>TFkQ-5gx9s?d@WV$yi+E53gVlka`p#zRh zlk__OwS+&G^*Np>pN!?$=#Z6_t?;n{b)g`s`Q=>|O_B{RA+d$=T{h#H?op99?PSdY zrwfvc@*e50E=zmwk}}~hZ9$!r-}M+ zlQ^G(Ph-pA32tbpGUh;#MbERe1k9Inl0p|as2|SCr~7#R5%9u(t~@&5iWz2~%7PEB zIN(5}GR$>=Ualln^ZhQ#|L26>YY?^lq-gcZFA*f=xPp-kn0X8gp^I%;n*5*(41N=w zw}N`<8VE^rlBW6mATa$yBJ=!vo4RRiif{QNX{5~YlOko3*s73e6bfZ~LrAu{ye!R& z=^PCB{Ykq+Jbsw|i6XLz2_T%kx_LRJZ%K7geQ)UVw5%_55*iTG&?&&O1spg%?9c3j zouZf_)K@34Gp%TjcsYkS6>Dw@Y7hSVIW>ZN&=R#wY%t?8dcx$J>bI;(`G-#^IPd9b zYF)Hy`0$yo^sm$XV*=!nMCc!mVM1i^Yd+be(Rxu6&x+j4ac`Nrvu;NFYgU$vnuLl! z2Ap>jJlK+xtmKodU}uT0u`M&Y6Md&?8}*bQZqv9MFg5FO`P5whRrBCUB}$rCyd?WdMaCU6giUA1@qF_Wr5#;q zGGEy_XQimELz%{nqs-6tXq#S>6_qJa@@Gq&{raeNN0t7z{ZNsgmZq($+_#PQK93w# zX=i94^0iB83mpIVtqBVNo zg^ikk%O!fmInN~9^#WI#AH(kE?=CJbJ|r24w2+d{%)X|ygMnymM*rJ61$xp-@?T<- zdX4Wd8`mvFHPQF0vKTfX(FLBKJ9lQ@eK&zsStM4LJ<9sPYQ!1+s(#h-4#J|lFi2T< z0ME#7Qreo3E?ks2U_FNHi^F<4BtOChr2 zh!eG{D+^E!G2M>;ak!%j``lFYOs&C}=HBQqT~ zb*4GXv@-p#7DZd9+)^~*PfpYC&sP)Wtl)`P=HfcY89C^&qCOZyUv#S-sKl<7TX3r< z_sntWh5aoa|JD(d#7ewimS^1MBBJqexM}~QNOS$C*C>5+WvZeXQmopSea4Yu8RE7T z$TY)%anl@0_$6+ICjSJ;NyAd#no_gMjGZfwU22$!Y*vioQK9{^wCQ^ftC3{wz0U%k z<@PI+30|?)4;s|IUWO%=CGBO>JLL{0qv=p?udSN?zO7#b!ujn3Cp|sAhmLE%#EM0l z*n>Laj?k9D{Uh>fG=4EX``@>ngQAt%i@M->&ORgQFg= zYUm^#%zh})UL6I-#iV?X-ICkHZS|rhXKH#1eUIkE!Mpn%-|Eg7==%&(F!0A=xNVD~ zzO0K_Klt%cYF}KZ^WH{1T_Bb(OANbZD#GG(xOQbX=JW$>Yvk){ZJArjhgs9^JsZQq@YUm@GJ9k*%rT z_An1cbnZQd@9a_7sqAxm0L`C`KS}lbNqMso(-S(ZkO4^%)8rjEkA4R#?=@%QhicaWlEUi(fR~V|BW1;Y@D8y=IyE7kp}qrT9$DqQc36J zy-G-#);Enm?8-iICI=W&!Z!5h` ziZCEE5`$Ii*L8dTLN;tl4yLg{T|Ux1*-MQyarhZ;SB5y-lBUmSDm&amz+5I6_eg9y zjRuen>ZK7K-ChxQguRAO?qO&>wU$b@n7`>$-al-rm=wy`kCw}=e(5|u`{MRsga$Ml z-Qd)q7pib#&kH!Bj6Z4ADCyIhtDdy473KHujy6%^laHuE*DRJUMSc!eSVdFxe??KX zEWCZOs=_M)8oyEl-utS!`jpo%l+xu$hd1eHoTVl|+0Cx3O!){po5C*-RqRXHF#p_QhkRhyJJgw^68rl?zYT9P?+`#{!y| zZtf`qBZxj=eR!cJu%j#mTnL>yW`<(yEHkHS(w=OaquksXaDj{3pQZNYW)sYF$msQE z=}y3Mz%J8U*EM9`EC}eXJB>qB*wJJnoMNMu47ME>4`x*iyLTHVuQXKDyJjC{hR0^W z{FgtYIgc|ZC!89+M@0k%I3Apa9_ZgsLs)HI-V2i(P{e_py3GHThQG7q1JWTx2REF} zhwUYMR+uPjc0}a+)O&^3Vrk7gq!fXqxms@+X($by@zSvz?6`LJaknh0fNU_yeJrr% z0Tv?%@*}W}36(1PNo_Uw0YR}Mp_Q`-C7|!_U zOA_V3y!tNjEt&ElxuHAv^y$cCk&DS3uKKa!aN&+^o1Cv*tlQrh)g^H4xfr)5I&K=y z0Av(SMRa*)w-K6aH@bTXs4Z|ku)4h)&+=8&E?xYP7^qzfkJX<_^|{n8Wz>88nY$EN zLHZf=rsG>*vn!su3%otXzl!j)jysBlk7uA8eS(3>M=`AXT8^+*6Ug+yvYcc|{MExK zhG0C(4qWSMohKvw5TH9T`RVL1JyR9%@-=`VZ4W*OH4|IHwRq;Kq*w^G5p2xr&SUGN z-8j&AWX)}q$bN0pcTlsvL<<;TI-^KB?#)CX@LtM2*@Fm*A*3q(Dgp4ta9&;^QEB(S zISMB1S*-^$))mZlKSFzgI20(_hZp&3%u0o zM$`m;R~QFrA9ne_PQa6NC{{Vb;$ks|o{mk#FgchUn5 zlX)*f)H-EJ6gn-D)gxN6`jGh9ug3yh3UeJTS5M<#Skt8P!@87?mpD$#x3n@Wi~oip z@)V*NgLkdL{d2u!zE#=c*ayJT0WaUuL*K!ny6(_pniGlk6y(c8CaCI$tS zR-C37Vj}ALM4AN%bN_wa=qgCD1;E%=%RUz&L~-ofkdv1yzma>u&Ct z^X20YDCSSpy(Bv8?I>)QYPAe$VS_?~rYzqUgV%vh%S9dwMx5(!)DkYRNj;ZRZ&Q>WqSKs=GH?xom zdh%JTz9ApRA)T7c(hr-a$EJb&>Ld##5(8--2Xnue)RnZ+jrw@JbV_f)M<(*6@u)12 zna!3qSOlJXyyU8Lweo?m`u8Qt8DNgx%U6r_Gww8Ioe> zYFx`t_7t29hF+0bFFy-6Ph%(<68z!ic#^cv*o{l|eR2-)XJb%Ot=msh)ESyqbpMv} z&q(V7K8U<6y*mD`=!03Wi{x#|6Ux)Z%AIi57;5;w-;9$NMK`tgF1#pmesggtbBCJE ze|H>&K4}f3av?N$iE?%ZuN`c@E0DV0dm}#}ouTKj%oTRsaMYg#j+k$9s^Gi+x9lnA zo+q64`*QmVm&gNK#M6s!yOlV6q~AqbH$^+yGt6NFmY%H6l~+`~T+cB3#sJRJxWb*Cj~=RlzF*T(FOxV$sb0y(cx8Xw$ETj_6BYVE z_C)lFE!RON0}LAcVhtepan#Xt)yaVEgbM0oHp!=IEr#ETfn(SAyAXqN-hC%tO@#Z$ z8U}I-ooXR4nuaV3qWh1DC>?%nS)@-0PBu$JE>~8)Ob~`0ZA}}!|A?lV(w{_$KK5VP zljHIeYC%5|ee z6&r4fkOrA&ckS*lGcaAaRc~uD9#fu!9^sB zk-QGpzlW3aEVfT^10iqN8~eG}z$D@B-9~&G!eAK*Bf$6+F5$(4vFUPS2-sM6=fh)cGwX&%wBXm-oLi?%&s zZYj}^uPt>O56u@~|KN65+(E;YFZdvb1o`vBNUVY5v{Hr+&c;Iu^1Vy^(=A_$il{({dLHqpn4J% z2@U30kcgs&^li^U%+fd?tMa$Myo)~`XJ-z<)tcDa97}bN6#CL@#>j-}GmCSzvS&GG zRjw(hi0xr}K4~Xg8T)t7L4|keL0S_GDrft=m-`Zmo>!u6rD&(9oJL^&yVnf|T5jY* z_&lQ_ee*aldaCa6$%+)aU;ShLZWrvN9sb7^9P|*rTY)kbG5yMdU@NTpzU^C3f^MAOQ_mE)<16bW1~rv*SKC3hmFz0qCdG>lXN)b|TJfQ-k8(!9E4L9#QhH z9a6Hb<4~+rh+(EqqOi)~RS=>D9D2A}{_zAlNa_5p(X9)ES|2xVa;br#CoddypS_vi zA&jVHgJ%XR&p3GP!!Jn89PI#`Ri#+wHW}d?cg!Wu!1ZnjkzM*T(r@S*&k(q9xbMZK z)B;Qe*vDE7yrf4FB-dtv2TUF`ZR18WSuPw19 zEV=mda!#lb{^_Muy_+&zfAPUYu0UrAAP{)Wy1MH%n}5^67t0{oQuBdkJ0&GW1uk#% zwOFnD8kbr`p?2>q8LMInjJDBi)~S0TzZ|qdBss5?XHzh_F3G-Bm{i;GkEpv z7{!bcl!w}hO?PF(kL7D>{8CupykqMomHrKfxK3^Ez9M^{J;r=Y(FM?8Z`yDQz2^9! zFzxZ+79Z3q@lf`o1>8iGdOlkx5Pr=yjfbhR5hF%!3dSb3GEI-=7{8q-nhht2v5OFkDClkS88sG{>}c;4L3 zAjUU5=FG`pLYvX$0H#+3v~zN}8Gb>Q`tt)X-^$Cf7sS&RvXFYK2gW)C0!YyN*3bi} zCE2eb<2oxYS+V13dN+S6{q7D2()uu0rrR^~;i-GLW3#9WUK)Iw16{F+p5XVHS1$-; zZb@AK0FM;?RRsGBvM7-B(kSG?uLaQDqG6(;qX|gA!?sYzi1-3sh+ezu7Gli3&Hi16 zCI{p9oh262pK|4h({+B(X??O zE6+*&7AraC*RolBV^>VM^oykZ^)L{#6HOdWj>})N)<3rFTk4i@02K z?7K0-Jm+<|q8A+n%OJxq|HVtpK9jsLX|hVAv7U^o<588>SEt}ODJQVt?g;D|mIF!F zO73W73C+0US@~#n=_L69m4#F<2v+nDzn4)64AY#H6O=KleSG)68FHAGHw0wjBv1+H z9Xt97w_cgG$6kS2kA|*#p{h%PTYKNF7~i&w3TBDwIvR;)#B`I>haj9mJtF2Q`@Sxf zur=OtBOB<_o=0d~h`I{9P+K8iaC-#T8kr*g?8 z6Hzl>eDPTuIW?k3igo>Ab;wu4qFh8pq^TiCA!RI4GqrgpZ6NjeqI&-^73;Nc2e&jE zpx>#~f#8YlIOFAZ&a95uD;o+MvWSAhcso4@Hi_v`DlJ%16p_{TN6(#ayjydKfvP*l z2y4_w94FB3ELpc)5`WqZuT_*{c0*D5ML9qY9ip`+td=@X+bqU!Fj*k%?02WH|4{U@ zn%HBrgHw1~LkyuAI}G*h^Yuf*c6jtwUX1RbZcvA1@`Qjo7M1IOlNv!km6XP>^xK!^=fOu|cwGLNv`7vRpec}bLRq8*G zuJsB)?1}A~nDmCL@+X<0d&DUU)`I`AY$ z->a6c92>!` z!-AVBa{I<(&?+bkHZy&*@A{7E=ejaO(W&rTpbrX7mY2CK%O1|RyCX=u%qIwQ+XokU zyzJ3cHNF>)!llY5D*fKQrXQ$B^ffC#x#y}ZPYv!kZhFit_bRl}P=K%c0kSBD2;QtM zL7>}~n!l$JMY6#4GO`c8fe#l=Fxk4LqSIRm+vEd>pXnY!rr7v)@!;vLdnT_hdzTsd z=QNCO>z+-%E#rN5M2mDnG>kVdM($frAOGYqq;`kcd+*GT(gQPxd+^1i4p2q+CB4a0y;Grfgh1bplmmEi z7s3AkbnGibCPdoS|3r&({`gr#Ec7SWC6P~4BcDKItr{aQCjPk^A>vzi%ZEptpI?Dm zkm%*_Vqt!*C%tZhHKO1_es8z7nb#QC>D?akOxbQ!rXx)tr|B*sHw|xz^KyNOy~vwT`n7~ys(YRe`M^a~Bz@M~ zcsFKE|Hlz+m=-IyLw3r>tuK4eK5Fe@%f4$O$Qt)1D>qFB&g@%{hkXILbr0_5UhnqD zk5jGG0Z*K7e(IV#(2%k}Qg|oVOjC<+Gi~J01&_E^vHSx9(zpOMO_PJk_#$V{#;3V$ zi!UA6g&w%|31jNkIYTXWH}tS%^?T`G?cbPO`KGTTBREr@l}I%6f1uze@kH#-6GRm^ zlLR&yh%KW*_^JDt!R?7g`}C32X?-ac#P0J|R5g67G%f8A9$kamnyW&gk0#=m!Z;tr zWlM1gHunnjoHTAqNIbY(3){-B9c|c{ORCzrC2SNF+1g50nY*gi)LATeEk$48&9}&! z1?Fb_Ugv`A;3g`d#cqozHmSg@ZXzA8>{v&a{-ArLvRHIkpAxniTT@A12D2EvS@!;)u79R_)8@tjxHSt@Y8aDCR zPCGlDvXd-LJHkC}qUThXSE+5eZG3A0@T=oCRubYtY53vQNAB7gr__*>EbEErD4p@B zRy~r>RMhr@U*U~1x++HGsc~H7DajtO{tpzx6>vKXi<~cVUD_IwsoI5R5Fc9mc13Y3 z0@8x%2;E7!;Y@>lR?(3w+}}BJF5q3q@%SR|`yw4jjs0DWnD(K6Z~Qm(v(DaXuO4DT zVrE*&kTDC7Rb(8mwzs+V!D0PM9_Hj=J&R;s zekH~JZ`(D99FTF*zK?M2dVjb4fiT2wTmV9#bz`biTlxt1pmGLJR8pR`WN*Ro9swT@ zfT%g2J^qUhp-)FLmMYH*>OaL_?Pt$^>LGv2kd)aZ z0t8F^b%jn^bLw*1fK5`-YcZ4*X+&0BS?{((%r4RGEI4K1rUh*@Nv$Pz>w|AK2I@Qc z8h^hy`HzrkaV>4Nz}dF`bkzx8*g%*C?7Ka;a|y!>+v8pB4nTFQfMNS(PT7%i3G2%+ z8^j)i1K+3*ZmfZhlb36G4&rt6bwL@TpVFrGwi#%CCW&DJS%2|SDC3^!oL8RW1zmX=Bv(Nxi59qe6Br;1yI zQlmzD6J|lq{`iDb)P*xeNyiQKYgR?)j`)YB*%|(H)fa~K?Z0ZW1Ly#Dpz+)248&m! zLZ}WA(BwUuIcJ&Uvr#;?^gQtVoC+xcB5a_6I^r=A4y3&iUcX#^(pbMB0E(5QPiklS zOnS#>W@gqDy)7PS^idR?s1e1kl>esBo>Rf7$SlPTeA1Ghah)v+;`5Kj&yG#w4p2LS zmOS}&En5z&Md0J2!PtlUgH&7CB2Q++_)lryt1MFuDUEY1Uwe@7Ub7d=Y+gz4*t7tP zCX9G3$miju14KFET2!(vbf&0gDu=1TDT=Ik8oS#syF~>vL_wYyYfOcSd)58Q?MOHT z#w(Fh{qfG!SI=(^MrWk&?F5jY4P(9Y`HPR3dEc9uT~1$?J_*5HJgW$g6KDzn;#&|> z&H1tT&}o5)$i7X7mYozsL7_U5lAC;2#SWJ)P%#OsZap?b_#-@S_idt{9h$#rv(yV2 z)irG~sy`sm2e&2)4*B;IuZ^W*`EI53W0^eIFIY$nl=`jMtfB|y?cmid*{62DZ4d8X&98Y8o-Yh1uAPq8i(5%@g1uRJ zL}YH1WGG)^-=1J;Ll7^vkJO!?c=C5d5P#TCsNgc!ItR;9gf|k1cr|yjDv3NE zRr?2F2f2}~rJ_bj=t4}a0aVI6a;da70olHotAqdRbp_4QnDNkBLp7str--xDPoJQt zTTbX^B1T#o>fUEe?Va>qf*Gl%Rep%x)ae4vY$7$iLtKWjz_E^#_Zsh3PR<#jYm;`l zbRzgk<v^=&tiXEEZbuvQkNg015Iq}&IoceDap&N1{)GR#61S4;AO2)LDjDAZs~nd_jL}0iqT=Z& z>sQZdNfe?beRidJD1_kVR+XV(hS$ibW_t(I1s#Pr7SV;C4a~)XT;S3!jGzUxyd9a--yAi6?wwe# zW)2=Q@Gn)cB6-wWE4wh4B--H zwtjhB9-*NFRbs4U_3UCQ7A<{zseKvlhD60g9ex#iF6!V)&ehx-+X?J z7OWp|#Drxus=apq<^{+B;*`*Iq(aI0{n)0>LVk|J!)I}-kazmmro4oMQZS^0EI!Mh zkHFhAb~%;#HaUibS&fsfajJCejMw)8ym3Idz=Yd}sI3>w@Thb%vcL%s^NACtrc{gW z9o!3GJrd#XSkd4+*lR|ExuR?a_MVTw$MA=HL%`$zGKSK}+2pVr4eaU)y~U7UXtXntz5Vmg&sjbL?$=ZkTa zPTaPh@fweR@HL?cMK_OjXUhIuPF$aeZ-MdR5o~hOYk=wNy>+xcacGNx{xflScJ*7- ztj>33@}pYy@eHIM@t9Ypy=+si$<#P#01c~y_|k-&OnQIFb)aE;zw+hml>Q(MY>B0^ zS~ae>e|__kI_23)aJZ`INxRz%yvnG_ZJMQ$5IPguRpFKR6{{X9{9A(8psO;_uVq7)v<)O3xL4s*&2Su*;|A2 zK^8i1~F(@4Jqj&y5pufk%)uPmX8IyWH=GS%f>H3-1f%Z)%&I( z=b3L+QW-~48Vjt+9b;N+FMUzpwqY6&c-QMryXBQq{b7NeC(El+9)bto7)7hjc1kX9 zU7=J}CD(5WOrI3#FM4A7B{Q}BH?%`_W?kX@**CyyMA>_!WzgwNw({eE69g$4*s+83BH6(S#cZNy z$`-hqT?lvI#11=Z^~&U+Rf%=NY00W*&UXvis%cq2c!eV>$p32FwNC+zNSi zcBe1(*Q0o4zdc@~nkx9LHBpmYEhzlSg0p4kiyN3@O{gIyy?S%J^wt*t#y~*lfC9PA z(6w+hb!&%f>&Te*wz;o-bC|z2h7s9er$;&F^=YZaGu;?*arL-J1;%p?=8u%e%&4#S zZ5bl_t$BT_7|Y;TCJD+E*3^<*BHTnkt3VlrU5Zg5D#c}4@`6BGdapcmdycBZOxh}B z!e-hxGZ{cleI#U<)wufJ*m(YSE!1r1`?$#VuF&H%C+iCkM!8(sZv4oCNN*gYfk~Lf zxV8$j?=GFpcj9vd}z+f2MGXA{ww2nVcLTw zU`i@Q3Of>Cym1rNhDYR9<0$B*x$?m_l?drz31+zj<5UNT`g_pewng;AoJA;no1U>z z&p6#@kUdM+#dI=L-t6UExk;;hH>xOr&jMtL2m|s_fd@SXMb}yip)1U|OPZl<;@39^GnPB!!Xxx|CD-|gBcW%<6ss4fQ>NP5c{1#mI?U1plQF)0Jp3;= z`_A4vGKj%oK5l)_Vo7=AnO_MU!#e4(BoWQb8vP)j-(HR3`^y9ksv;G-nnn|*XySA6 z18xwHBFq%xH!3m+KL9dm+q?|kx!jLFokLRuz>?|6#($>)YsAC{)A+AQQ?V%|y_>hm zX(b(Jdirsou}Vhz1|N3d+Fq)YoEOEGu0DLYYEU-3vy@QHgPXJ^|BHa+7$ zsK6X%A1VJUjRK$5yR{E|mo*I9161d7mmBZT z%Vsk4#yBpAmj3gsgxFf`Y@o6@3qCttl^*mS&=1Q!McMS1)y?@FpbG;~hO$<3p1NM4 zL4_k_&dO%bNYdCMA5N%Z&*u-Z+fxYD(c6%tu4!a{+yp}_3S`t(h28=ebvTw!z=G!GE{ora!cqy}$xQ!d zpNE9j@fsef*xhI2X(cE+*Dcm#P4kem6~A+~Z8iO@1>1|bKqYJDSicY!-+w;7M^KX% zBH%ry7xQ(=5~}{3nrwDw)I=2>faelBTv&a=KP#fw1q*yk3UQF`z6^eRY_`|^iBWQ-hkX% z-zDZM-z#VD>GnHLZKEDocy8v-g712r{R*ed7J^~A{8wWJCoIdSq_nRuS7X9cG}E#E zOO*{J%X1rWz^er+>n;3t>OssU6au0mt6# zJ5NN$^*(t1JmR$>VUY{yMb(uE$eO2y;@itZhed{Y@;UKf+<^ZjmtPH@=;?DZUBmb2 zdF7@gu?4iWr|X?#5#BN8jZj0WBYq5lJ(;0}(zDQ8Jtn|iTk@?XIuo(;zO9Av?sH8} z!!r$bPvP&TjM#?|1{L?kFO9HXTaM}kncHXu1aX^#ng@QMl?A8aD z>S-e^%-PyUE{}PFZc50s$?!S|`$A4O-iQ(wE!pwn!{0F@1sl@GABjo_G6$}M7}(E! zjT#B+&e*UBobPMj4Om1ffyD{5NM(|<4>eU%KZ#y~*82|c+&7$)y>iwZPwm%t$**$!iQO@d;4jMb%dL~*<^r*hR*;%R^Qo3bxb3Juao}lwJJIJAb_irj|L7SGI&LFPY zP5HTl_%NF=!wt-ODxz`z{Z~j?e{CD*DdLTa{MtARG!6OP?}SnMORg&FpjQ4;w%=>C z=C*wDim=y|`7;6JY>hBc(znKk<=fxI*Y?;wQ&*rbpwTq`TK4_mL)Q3lgkq0cf#P5M z#Fca?UHBIzg(;Dv@3IA@Pxkq+R1kzjN8q*JK~liEL1qPRBVujd_t_-{W*dp=6?sLp zS(jb=-R=HLt7l+vtG||_3o*rUkA@Ync?YGo?&T($rhZ4&#Ey$Ffnl9@<>A4@?R< ztbcu)V|!VQ%zAAhMB1P548esihQa?N4Mwu>cPW3W1L&+>1f zw|1Rag@n?3oeumfAQO_kbtCFLzVcs7)BlOcj6JnqQ8LRQBMj6!ZP<969Y|sf;)4?PZWU561|T&u0XtJak?G>EpMH(+ic};~A*t=#*S$X_QqudN>rEq> z{l@O+V)<$L*#gbtis06ih6Q=pN$k1=f^FkFedzB<$vz}YoI@J`*2V}Ib_E^+i;+6% z`YnoE!H?kuJ-AzrR~-pA>;(PZ9>V)dAd2Y}5HJ)K;DgmSQuvQ29{&e-ReM1HR{TG|b+3Z5eB+yZL zUK~omq^VaH^H$tn^Q}F7&?Ayn)E*KMFgf*T{9u8-pJ-cApy#&`NE%;IEiSG489XGm zp`qd3!FqD~sk)3<{XJgEX=wrCdZvL$<-cYwqkL|9t0x1QwYSs8?Ts8vy!M-w=0DKg zD=5+?IY+6RcNsEethDJYa$pW~&5OMrF9d#yvkw^p1gGWga@?MRZP36Sko#71gP$=t z^@G>?P#r13RiQTt*;3S`6mZ71f}ypz;6DC5&oyf#6&g*p=^PnJ;NkU=P`;AMCC4!d zcDzwAI%&A9h0Np_LN8$YU7mjb6S&xgYynoc?EQ&_)rfDZAZi^vfAF02aHsTjsA^_# za6^C6yH{(I$f%pGo?!YUfJ@kh)V@qYL84l+g-~=xc+IM~Ev4vVcA2!&RVj0Yw6dk- ze&ZRH(XEXH+k=l++>&E)nvsnTvcZ%LO2T&f_E$xlQu=0nwbG0UvkHy~tI2ZEC51rM ztsA_DbM9@W-UUpR?h7ZCO_Zlz5#@b5w-kh*T{~Y|9+o7Q1>|^QqeOr0x#!VJqXSn! z+9!d{zUAoWFpudkI|I}=J$W@7eqRH0zB+2oq2%GHr%U&ke<^RNdCVET!U6(DM{&ft zwG>N@w`WH8W*H!|^ngF#B=QFr4* zvmb1p_e@@HNxTXx3m8Op6EW?NsMig~$lrICW*jn$=dxlkH-7aOnX3Q#NXJhO2fkH2=s~Dq`zJ!pm z66Em$3Ews@X9nPbou4knk0o9U{T;YQ)dGDO+fw2Lr9{5J_VlbBX_5?PYFd7%`?Kb; z4AVq8KCWlwtwHqv)s1{fvNm(m;KJjNSZn>yf#U}KlJH{r2{N~bwR`49<9koYc zq`x8q5e>7v9l+P6f<#ycqWh}xy?p0q*EWWT_Vx^O%K|1IMku^e-?j6Ed1#z;trBjc zOoLKBi!4)E1Nmz2DFu9?eNSYRon8K~2AR925Ry+UeFrJYiklK*eim?-f0Cq~e$+nq zPh^_qmJ6aJ%4q8S>KC@><}yS=Je4mC($2+2v=(pa zo^+AGxkln|S*ISOpQYnoVR9im%9Sirks$#-O$P+ov2j*qV2p+jPu3Z^>6{cN#P!gDL;uW#<@ zW)ou02FktQumAm(p^&OVGe$h(6!8U9NSS}-BM*Q_Fh`?{kV>Ds21WoL;+f^_UPdZ* zKTj)|*7j;N2a#l(lR?L?O>sghI`%Bjolr&p3L@GUAJoL2@bUg=+}sc;03qeUWSbxeP3yY3RRmlFi*3@gOB> z-B&fi37mRsD_f9Aq|yU$?TLYEIVoWyUbD}G?Ch>QYl~2DAi4QtVqb!lX)pq|)R<3+ za_Pt|+&uM6w*J@ea^`NwlsBskkKW+BLnjM*NQ|qyc8hVDvhPWa zB!8|fPL6+f zz+c0(**6LMP#B{?56my*r%IZWBAyB`-j@1=X%yHUrx`k3dl-$~qOxCiWw<4n+-PwA z+{dbc$eDUWu1|%HQT`7)p2bTlecTI^zwV!EuR1Mmg!_|0=yUg8Ww$X&-qc z^xboRh*xFkL$W{h^36NM){LH2ZuajhlRuA;G|Jw-v8#*KTIX}v0>DHKnTE>Db(PMK z<9qcyyG5JwDvF$t3!*7aLkMNVLbC38-WCh7`v;HHt_5aVl)OK;>+{f1N3y20iLo~m zXZAJxRoLzf`{;7-TB#BtD<^*&2vT>XCVR$yNja}XR5JU}@Up#W)(`u1nTQ;+j*96< zgV+uAvOni=DK57Cl~Q?gE7zrWL)v-kqIadEP-1zYq!7oQl(#AC}Bs3(0YE6C=W>!BFBtS;o#5rdKjX`mM z`$JFjf?MOlz0syHIRkD%ZUG>1{nhnyQU648cm?8zN~WdeT}Ogpzv6C%3{)f*WvlX? z)`+g54G7shS*rtSTW_MC<}YMgO5nDZNzb#t=P6B!Smjo=q!6N<~oCaCOa`j>8+RL2Oy1z4*|G}t?R>cmZ6LXJoY}{5}Gc*QWU!T z+v!eMaVqr_mH+d))g(XSv}11$3Qny4o9{dLwvUi_+-|G+@^EFvaN)P0r9 zWZ5RhE&<^&w>}&9&`r{C2=xqXq{;oE;Chp+MK5u*@x&zzeANiFDTZ-7-rnWdYaDnr zm9g!0n;tG}=mkvE72yviMwU(o+XRMp7jz_h1~ zCiX~l5R@fr-Kx@g{Ld2Z0!YixfvMpz4FT`eD>3>68F4wlNY_Uv!Vt59pw^4e>$eE| zt48zw5XiF^DH%lsu%*q;(%)@ZO0+jUW-oxKBKE0wE?x#JypsFCOAx3#FT3~vveSCK zX;_PZI_b)L@IolF7vH8Mi+D@BnyELoXWLD#z`xp{_CGNV_b?(3aT?Qf3fZ0k9`KFt z1kJj>BKiH|0igsof|`V_MJ_W){v2YIQVg{Dapz(dboIg_X*P&pBo_hh*KiKdTKjx$ zpAlZfdq)cP5>Pj~0ht2{dhNNdfBpD(&uAJ>SP+N_3+ z>8{w#>0AAE<{g(Xi}bMi%kGwoVzl#|y4g{qMu4OPwQKWpC2ndpYJ~;;^*?z=2_35y z+WGW#dHilIc$8;S$5(>a;fLwQ-NAfq#BQb&v;o?BJ>j=IYh6297u-jYm<#+3ab-Iisnzx^Vpz-|o*~x_z4y;4?uZfB z@rh-3^C^G)))M(mjP}V8Xmu>tOQ{PG)~z z-ReJcK!hZOn#N*LaI8Kk)NhkvTod2wV{OgFQ!Qb0c6{ln^>b!F_WhF-A|oo*KMC>q z34EduNXge}b}JEI4Z4`RUh_8`M4XH5a9F?Hxy&rib0y48N`Xb`*DQ5*Rkl4;cN=;uciE`Xz z`p3$# zo$SdK*Q(M_8PCGM?(!!P$;vB+{)s8)t9eTlqo!om|M@Pl#(9$d+om6o=w;{lI`O00>RqJcO`-Eggjy(D=A67n(Z~#W{2htpUffaI8Og}8>L`dA_ z{Wl?*MoxU}{lhVf94AtB-0qaVxm;&TB9>HVdc?-_+i)=u0wC@&}8nyeCR`w~U4A9u ze8G&)vWW1_9K;3M`s@~jZGS|aN0~?){WrFs#HtV+H*jD2Jp8o`kqhf4bJ3(R1NxMHRNIdxB0P#}D&X>3 zKJzKt4UOvg?SIlR+XSL^^x|UvF!?+e53fDVUBV^0&eA4(|L}bFAy#7R3tEkkvbJR& z+rMFWjX#J`irK!Zom(Xkl}3*?b-dR%69N)z3>TenRyx9e!ozcJ=fzGkNKMUiIU-}} zpCn?oc@3y>8O{Ex7ym#9RsbC-D^aeze`9-cqtfrqJI~^H01@V>h2FkcwJR1H1zHPZ zs(~*A56M4dJ^o_+C0TKUH|~nspPkkRIF6yIb8!6$&(`!w(&Wn9ob=tl0m~U$mv%>g z{`W4$&z)~Z&^@WY3;6twXwa5STfB|YR;cef%ZUB1n!CzKQ2D`*f)h38Z&kNTDntvK z5Xs9a#k3D&d!M)sasL0i{hU=HJoOfsu5~>@llF86((MgLyv1$e&}`CY=VeLhhORK>A4_wWkOW3 z=#Z&^=G~K64BZ1y4D|+A?II1*CvsaxZV_otbXEOsI=RX!F$+eYclm2hR#~@Fh4FE$ zn4`^Qn3>gGS4VLFokYZm6tE(@3N^Pc?0udO?kkdq&Na13C7%P_7r&bLO-uYoC4+*| zt(}g@YZfnfmCjrJ9oKYC(;6J zOONz`6##Fk@HM4$jf70EfHVvn>B$hP|9Bn z%aTFf^vJUAR{a}$l;@Bzi>%u0@y}d4+*i>}s_!m8)`5h*rluDlm_tZtMVq5P#)b;5 zxoPPzE~+eX6w#%oNO9x74$+|t6${=e9f%Yo9Jx8>`ljDW^Oh7eOmr(IRVPQY;HB?_ zS3(Lj9*p%_=o5>Ggk@r79v+)BPe!1ptdVmcm-_aWgM5?YSo4Xl05`ku-cpD|yG_5j z6~6kzir<7Nc9nk46vt|m4a_0FJ7{t;e*V&WoahouwGJ+`>v z^7hoKu%S{?QVIxnjoUL6=xDmebU8dAtv0`GW?@2vB5~m^fBTn(_YI=&&}r9YrfadI zTh?1!C>!eob~ehT#aRa)qZS6`)%j+!3uBv&653C-3rrQts2#7wZ+Zcq6;W)a;an+ z7dF9P9bw~4IdIg@jfr8tKOeEfNS^3`PtZ=#K6$j2Wb|qSV!6h?GxTdv^%fLHQh1Mb z@X5s8DzTZNphvtfx``&3`Ihb#m0i;9ZmZUoEI%k_MS4I8pfH|mi7I7(g>#tskU21H zDl@atuy(MbO4XEjmHSwW2kEX@I%K)tJlqM?8t%t2Zwd__+% zTI(QSUZe6FEcz-2wLfn51mfVpt4)J{!Q%@nLStdy0O16bWp4%K{)C{SN$QI3c%nNC z>bkC@u5Lqvc7LZ@voN@ec8e%h{E$z%g7g52vo>zUfiYw2xIi$yzalIyd5~Is8Ba2a zygFJ8-MwjF_zV^;arvd7+#@z*;sfZ>h}k3av-%OKTL(c68z#cnWFSBPz%5dS*4M0e zYU-sQaYU+J8-s9gF{g3_GWJ+d%m24A0RbjC@YP-1gCwo@k-@$fzlkpVgfeT<$NUI_ zk@RS=9xbjf>j&~$d46HkvT><2&f8w8+i}|h^dK3D*k{6t-H6bG4rjP*ufwS%HG(d{ zArga47hoiCzyovuEJ+>Q@oV(wa-JcngYnaAw?wH~J0PgvzhCq(oavcNmp0a#v>kpU zll#Hsn$xl3y#YZmu!90sDpB9WNPS>FSX6RR`1ASh3r)vYQ(cG4nc6R*?Xm=S0iS>n z_|CzV%{1TgUI)S?>3PJO)883mt@W)yi(OctTOniFSSld?vP!(ki1Xax5L%K%njKJ0 z3Uy4(;_e@&@x46o2(=Rf%44P`vp&4V%;?(N1AbUwkietfqYD|vUp^7@F^}?KQ)X2A z6jFDDE-u*4HEnMm5vl?+1){mRM7G3{WI zYmtGG2`JOEA;*2&qB-r95c5T=f_(8j0g~UAjdMT3)y841+sv=<2Lcy#f@XWiJ-WO~D zj3Uq}5hmH}Sl86fM4jpVA``@=23N1QSg8#1!TaNPs%iV%cf@mg?W!Y+D{h6mML<`# z&*jdDOD=MYztmiM8q5a~`x3T@gEj>9k)$p#_AQc@XoB2nW6yj-%uRAPRPtjGlW4^C ziiP|QZ0zZGuqKsgg+f%0Q_kui&%4Lz?GN@}h_}~1_iE5f&@QX-P0jwuEOoGhRQZG- zZx_O~8o zcTCr2zkZET90FWsyYeBj^0Mpkw)^oe`{6?S(JQA;f4$d7Rr(F*RxTeoSV%9>Du`3L z@6>j;A;w%J%8Vq|Kh6dp%>@6b;h&2X>AMoC^XQ4qV^ujYYN&oJ$~ni@E|u8I^@r|lye?;-Taiw;Q`O6YBJ3Qx z87(VUlbjqHMMteW@9=_xCT7}gX?pAY^tAiYG$mWH?DI;5!r>bmvB23SyR~26#lMY- zIB6b7%y-^#8M(Fk?d$kM%ZFHCkf4t2gO0{#0dC5WFn2>in$Ft~2{5*2kCgCM4-1{k zsMK2ylA9SyBa?7~SWd~^@6LUW_YzH@`-~)8HI`bA;c2^2!9S1f`gKdv5?>r@>ut}E z3$07G87^kHSYq*zcmwL_k$L0d2Wlwgd8>B2oJT|+j1D%uG&pNw?B|j8H0Dw0Ca-L) z^XgkRPo$Tg!qT^M1Q_hWmiy}Zu6E^(;!E%Kw(=uW%yO%W-NLyVVKQ)EwuF7JYRUDR zlA#-VOav<)3c{6_AU9KbL93K|NcA{lHCuLecFMHGcG;}tQRA^j^ZWUu5^$$;cj@%2 zwW@pEoDou_z@93jOmu7+v*PkOSg^JZd@vACr(9YJTz6)%5bzBcE{Md=Kq(z9kcozW!)S z00k~pX;+!PDK!dssT_a|2%2zG4oG=Ia_O@2mg~sf#_S0vTZsBswO{Z4w(vqIdQX*m zuS_awfC@lBwoS^=euQPv-}|o{EggUAb@7R2(?)`)Q%LHByZ`V&mO(pPs$2KVZEW>l z%|X%iPI4zyaw(%JwNX(Y=18O5+uz|?<40@!moGynV^%A(CU`d9_7MlrGbSQ-uA-_c z-Nr91H&KJ6uguMRueZN=t^p~f0BOHdu0D}tWzZvX=T*IO;~tjJkKw+FF9)c4NG+K4 z-g~o&4L7C%_8EI2Hx5RIhp%luO}-_Lo0m(u0t&sK|(j%+OC{QLFix>)HV;mXg_Q?# zC?lCR#UiRMgX1$-lw-`hwNsh{=m~}TD6Axzi%yG_@!Uf;5 z`+Q&zR%CU;G-d@do!NlIk2p>@VcCKc>N&DHN|%j;Ubr~h=MgNMXKE(8G==uO1fz{hJ<2eQdf)ui$x$;zV&BEB`N(dwhC<)HG0(4ay&vZk_R<=g=H-=7)c?AcQ$UT@(bhI=J5O${uktJDTg`n1 z6YPdl4P_?Dv>f^FSO9w_vQ^9nMVn_?|2~ybj}9wCN^*a$cW<=%=Y?~u9b~8^XVqe; zx%b;v!kW&Z67z1}x-zX_gycUCFUB{W1wJ#%kMz8wYlcSWb01Jnw70i^H01ppL2PBN zsC4mkT41hcKAlri(Z(s^9+W{WOJDYVEy+QHm#TH3xow>EuAwj5Izr5Wd7I10IgrDc z1!uhg{2igz!HnCEtBHo%7YH!LJ%u)>m}g*xBNm*FZY8qQq9EYj-x(s!;LM;;@k5t( z+RV72C7oRK;!+cKJs*gFtS2t34DH8axi-iR-@a!)@A&gawAx%Id0mzE@MKYn?gL2a zoYCh4z#%+uW9f{Y+dr?v-GGOIRDi)~v-DM{SDq-*&2e9waO2R6Q{=37vF_9;b$_?` zOpc7|_Cn-pJa+yq@;a|SYQ;1P-6fYv;aqwkoN;)}eM&R%0`DW2qu=c;$OF!OB$Y~h zr3^8DdC{~J6`W6ZAb#+?X<0n!lK}MFF3mcJEC%5M&;_7`;Ub_SXS(vs7PzDE4#NMa z{`u?h!0Zb+?My&YeC=Za%q5NfXn1#bd|vp+c;&X*!F6zTOB^3|%TPm={@BvzpSVNA z@lXTIEWn4_HDPM9KE-P?*@n9&gPr~m;vuW|(?TqYk>W%fP8lz&>RltiM-}YO>7^#o zkG4c$L0W;-F+?B`?KewV?kJ7ZL1C$vSs`LqjC}ytu*{I5gF~1{zPxj;qx(H$ZixLA zSLP=G0fVZ(%|rYv0{BC=ciM)8CXCX$ zFG}8ZreRf%LdH}_l0fL}2k-l0d2`Bf>_5Qps)E0V_tN=#EQ8RlnGpSc@@OneAA0+8 zhdgQ~d@R*jp8)eRzEMsZ_ZkKc%)>{9nKlcaziM9w#(@uE0C^?SKyzlp)4ly~bf)UT z>1apE@DzF?b+jj)zbxlp!N`3;!=S4r1F6fGq3Cn5*X&R9w3*JhJ5X~sdQ;5vQ~sQ$ zr43fS525BxgKq8vS$h&o1w9W{&19>wq$lP;bF%HSZ|_=^qbDYwb^Dj5xj@m*B9$ki z2j)J>gEK8lgLh2|%+d)H>k*Dtr`Gn_ecInqEbK}9l!p>Wm_UFB>xzI}F`Ixms+8Yi zs0jf@cZ=3sI@xsT?;#CW>5VCerTH;u)H2yYoOy?U@>6f-8VN;7HuV=RVO9i|g&ofc z`hQ;S&&lsqNerZtAcOR;%7+`_-q67g;^7ObTWr#c_7y%Za~#-T)4e>rJ4}1Ky1E`^ zO(C-)s)un{2U&&c={yyYXg#;z9LmCAU}mrH0rpQoX4wGF7Khv&ge&y}j#w6Lp{#vkRg+T{4AT2g5b_!1XN6Si*E!>#!g8pM1~6I8m4_0)^f2VcQSZHU71cZTPlcWY zD;UXwN1r@mJ<`?J)VwGnW_{)6aGrd4qh1gS&v=&IcxzK=pV8knfIS_xK{qo9u(qDUl9J3GPcKZn*eG^ zQrdozutft zc%Y!UdC12z+ljkBbRMU%Ez@Jcie%knF7+eM1@2R;T4MGX0_I`lJbL>Mp5Im;=%po# zF2Ws1Y(#e7e#r~koKlefQbg9yyv`K!{FarK1y<`37G3F+?W4>d2GTYB&aVZ$QGTanVs!M#ECVg=B_;MTB?_*9@odVEM=!&SrWm~ zg^Bfmvq7C)nLWEd1Sh@MGPHZhqb*1ZH?Bg8ePp2& zim-v{D79FJ1N#hS5|K-6tD*|dU%idWCz@E!ZKFbxK_XqfA0*&0ME@|c4Pk7E5`M+` zZOmIWeFE?VLxOTxc}O@*ec#aKl6cn0<3IuGX zx>pYq=~481Ws6h>z$DvVe}GFDkifa_B9#(pl+8jukID(BU)IE?!$_ey`}Ln>a>s79 zzfp_*9EL~mbEvg~g)`jr#$D%g^t$M(mD@K7FrDp8&L@igm`33FcvvE@Jw1VkpQ`Ty z_!*=!oCxT=n8e*jWN8h#X>n^4!0L7=*C1*9b|Z2xuP9#WJT_YMe(j9jWV#lYY# zZ~C8Kq~o0Ll*2S009OJO9jr(C@88jUadFAwhNSa3tZhND69MPTPhJsZZZ5H5^md>j z%xJo62QqjrJy8ZLBU6)mr}=2?%7h%&#TAD8`gn*P2)jwYO)#6qC;!0D(&T_8d_3Y% zVsfc8Xm_H{3N@tKU>t#0pF~e+XGjL8G7)d;=W8Y#{G@96Kt$>9Js?vK;k4Ti87dnJ z3g~bk;JU|}(>7vJ67V_Yfd^Uwwd1U&aT(%^`zsVKMp(cJir>cG{&9pJc4%t-$O2snQ)1oLG?J3bZz_i zx5Ef9{t93I-npXkkzy%jHT_*-1sE$F0NDsAMUqt;*4FZwsgmEH%oBFq;CxWmJ0=gH zg3DvyI6WaN26Se4OONs++4<|qdq1w*j0}4Z&qRoU7n^b!NDPhh@Oih|Gco;WR>Knu zNNS_$_=Lgiorg&LY~aNIiX?);Jb0B!A2nD7YkhCjuTZlX(`e-Z9U zgFfgKN1Pp{h#MnJjKtB3j~v4CYVzC(Cm<+p5~-Dbx=C*ET{9dBiFc=01j|#hG%~G>*nOkDyv7N zSk4MUWqd_Sd1}4ezez~onO6Yv#PL{Sx`_h*v~{2a#QdEqOoT$IVZ~sBgzk6RJ~+IU zYY~ohgrrI7uRP0pt|L0hV0t2fOkP%q&Pe(Df<5xOu}B{_s$ALZ44?g-Fr4_{=^h@8 zxdg_-uI4neU z^jp$j^27No9{3p5#Bz&GDSBd@W&eaeRsm;JX@)=J-oaJ(t=k{G9>9{WQ)=ISm*|T1 zz^|i9EsT*0;$AAwN9FFO{bPPzfSDkl1{L^&l^>>KP|)U()MJ9hs-a-w1Vvutex#;3`CZ~lSYi4ot?vK2a8`qRoaQgNt6qc z!s2xaFj!#YdC2t#2x3U;2hzr6T(|64iLsyn9_zO;r{2h6EbS1K4srz%S-NBNvrb%b zv>V}e;j0wn_F(YZDBAkcx4+n*8zso}{02#Z<=Bs|7IW_j2{2AQp*r}nedOmiUnFjZ z+=TgJz_*m25{U@m=vQRTiLpM!g&=^AP2iJMm;PWE0T(E(7JNa!8f6p-Vzz_l(lgxg z{ObkN`ossV$DffspKhgeN)vg=A_|DHvw#SP1GV$PKqB(uxRQegV(uJtFb=ycEl#+& zMyq9Cxv9DV_BrDaWDFFo(s%b;uW{o$b%})K!Ystv`CKs;YM902D*2&`fJtdrK7Rgf zW(F>f!>eiBkl~ZU6cDNaYUeLFVm`u&^q103A8$WC4p61`^{F{)`s9lovwy4XXcO(W z_^Fpt4KSUao2AE%gB&8gO6!~AXRPOQG_mkVQ8Gx7d2ZYh97 zmwVexVb3kcQg-F}C$6q3JSw@6WPALN~Ia+6m#0Linj{g~1cU*~Z8 zjLV*xc3KmoTu?u1NZ+@_Jz@1oAM#8dZir5A^!pPx%>zjYTjTepsoCsS>n1ljeI5kAr4Xp_FY)u@0uO*-42j zdJ21PEHBO-WDh4O=JvY`AIn;e-YD~cto-tRgoi$uTLj5keOU`{^Gl(f9rSlQjX#^s z(NOB-L@H$K{>HuV7MakeZOe`7fc?-^iP*kHd*|&)>2UrfRe!mxK=+#}Q!D-%%F!E% z-@eS}>k$^VYqhNY?XAnuSWQaMLXe?CzK=sbNA1675DH*gtOxz3AFtxT;CJs5l4nY zXa+Krfn{=#o-(r&BNAv+FE|l(f)j%~P`iY3_9d0UHF1e%265D+@Dk0o7Io?C8sQv+ zIdKY;rs>tgvqO&|I|57ze`hZOuE6!(CLVSOF_bhmC&pnJlz0moD%7l+5@IbLfVSMQ zurmK5m)(Td5iT`WZ?_=F7xPZp!7g;Yyu}&=YmfZ*3#_N1LHp%mR%IalsCShy)<*1A zN3pF%bT2nVOu@YIG!IoM#cF|>Yze{pQ1U#=jm)&~r;R)O)Fu9WrpxHXnJu}GcTujA z*9l8H9Zu!m(O;fqTPo)3w4k;Vk*liT>YVCiDgENyzO32fJj_|L8XJ>Z1X&R(V#06w zK*gY_9cb^dbUKl=niLj=Tq>*#19OGOt(lL_zw_c4ORvxBGgnp)W=k=@!B{^G?3t6#JEIwTkoc<9j z3)G~k%^dGNz2pf&^i5H^Q={&|mB(d`{Zi`uh`g zXN@c)?bo*uD{8;4Q+z*p!fF{7ueP;u5EoH6i4~$a^bqxv{UOur6v6O)gr(God%(}@ z$6{1x8uyRRpeyg@l{|fWL`NB>a-AFxHRUhJ;d2|rP=5tiOH*sUVCTRcHvC8ZTx>HE&6v|!*p#=Q-`2;^dhM`&(hDY z5=SQy2r8YHJYh?Z+!sO7Jr)HJ#nrb#!Wr@ z5&f`F(YYemqV(32RPXFV(cwAFA3-V}Z&j~`5VuYG8w$lX(#0IHS{*NkUgEC4RNsQP zy3I7c4eiFTKr?lT!tuL}erH4p#=KsC!S235AXjO9odX@DSp}+%rm4Ote6Sdv{54y* zJzu)~HH;T7?zqkGh;cpMb6_#QcDOGUS1)d)V$SOoq`7V9L)1O5SDZPm5Au}4m))^u z1DIz=0z}U=xA)PN)})drF4nDH=tI%Q=}zC#W1`gK^`~yZg+%T?@AGk?v^-CUzGV{K zx4peR>F>Y$%PUtmk|@8NLhU>keEafOc?MXJb0mEkubWJWO70kxcQ)knnWCFaw`9%T zEysT%isL?u{|@;gJjFqEqcw*okV!z)Sr#8A!(`4kITr+#YR@C6N&*7|QTNW*N4D(z zRbE_dk6DrNs)iGpy08WEr#l+D%zq-lk^h8fO{VK0v6I~BxcuOz3kenB6qQZ7KvaYtDmO9Pk?glCNpX6L`jNG;xw;Lp8U9%pF9JS#xu-#*v;EnYog|tnN6LgUp9V&}t8ij2fbFV>QV$1$ zl$W^y>rIK}gmb0!Pn`Xj%@sUrobSKflYuy-9-KW1=_zsusP^VeZ6+X5-L~ zQ$HMoQ1&EJtT&zZ&uXnsA5ktC`bUXoAi(dlM*H!bpbMR0B&~TW{RGIa5h*Kk|9HJzQPy;{>*U0ZCFZj-!wqP~pPC?5rfA^o zT(NCgZ>5be$^zYNqj~LZ+$sffNyJtKbB|4Mz6KlAs6AdG*X1{FcLBKH!aK}(?HMRs z&Ju{-o|NX6;&?Ee*LY$uLB^M2DJhNiR@o}Phhb!EJZ zxg~y$=J>iy8DB4L$4GLy9fuKCz8%j{rBB6XW`7swuW+SJP3rh_4uWz-ob7M;!;@s? zseOYR=OGKT3uo`X=gJL&^-6vs@&F|$oBLRJ@_|}Ib!iuo2mdW@8wIi6YS4kv%;xX+ zIt&;1oni&IvhPsAWy?ZctxP@;qAu>e7sa9+- z3XlOcH-7l8xD0ejeH)98t%IV4Gq?tDNm+YR5{SOe7!*wx6ISGHrz_g_$MW!d=X@+t5m589^7kL5awQwgIIkm$F^wvqc8xP(U(EmB>G7# z>cu?Dku4aN@A+;+KsvaNNAsJh+G7b&5eu{aU|O1`oF84r;J!QH)CJ1-zPM0 zKDu9`nPMty0`nMBX_v#*a)m*dD53uJQmXqz!{fLUFZy4cKqV7lm!Sxi`9ow+EPdia z!*z>jBHM57>#d#a2`y-YL@C@oIsT8B0n6iG_ z4|2!l(R80C_sX@gWOFX}G3{CRB3h8cH}Cx}f|G-BFmlA=^Sstg@1Y#Cw(p342?sly z056IpdTC)H?1D((4{GYd!2Z&Q3yg~r@6{J2CwcnJBtg7>66=GLz7r2B9$3spH=IYL z**Sg44?24K>LhW4Ck!_^y#gz=(9F!t#LO(K-%VADYEVogri9w!)vEwngP=o>Y=?_4 zEDN2o_xrT==JdSQaLK^H^G%jZ44S2aWWUeYQ4~_!lY)8|HTsp@KN3Xp!X~~gutRTW zqaWRe^3nOa^Qx(-IWgV2N(tlV=TBHpVLU!-ZebC0V5#!U$iyUrZew#@ei`mXsaLFPvkO!v9i7g&& zYS@Lp2xhf7=Iz_&|Elmsbf&i^d+h(95xg*!AI@}%9e(Malq|#{>dK%KXfNU?gUa6V zc4n5za~%TJlH4ERI4v;+wR=12nSupclE_-8V9dL=S67u*!;y>hXQu}VjKJ}_` z%y^bS0=2ZT*t$bTVanTFvKb0$6}I?ipD43h%)mT|)#ZmTm2`4?pBX%sG7`ZSxc@Ck zK;s}=2r+6%MJpv%%E0YI+~P^SHjJaA0W!_?L9kL`C}MGOv6xoV@qZTxcE5W_hy#UC z1zrL3fyJVtvoKqpQB1QH2~hgah(u)q4u0BZZb7WPqCNn5g(Wh1;{+4H4s1lJ8imhr zL(0%%@zmdD_oggd~xourrli;q}fH0`hA*F;7}0%6hNcKXKruPpMvUjRI$ zlllab2)q8AusoA__MMTwXmyMKv*Tf9Q;S8Bgg$xlaucbp(NK`lPJ0MI`6U%`T_fP#=`Q&K5XLB zyLH|{Mo>LbKgKJ$Fx>bLj{^Cr(r-*x4YXb|UsVvbSXhs5wf189{oS%F>1aRFfo13# zAKxafs}4)rzt({age4tvLSOF>xh2V36`qqGQX16@E1{KkRyi20Q95A0Tb=CLAe{8R zmy~FtaxUSPBE;bjg&yeb!%H> zGbeHCKWIZ;Af+HXnyL?GU2bTQ$u;M43x-%$Q1AsXE)k>pR))BJ8h<}Y4ckq#a#JRgk&e3Y>J>)k z=H_;{Wm|rFp7Q>0W0NQco!mMKEY6u(Nwh_Vo7y@#4h#>=C&!C+rqWNh*6SLjMq0|A z>rEN6SV;yP-<^g%Pe&*2~5Arl#(lf{c9 zM{3DOsd4@!dpWte!RHU!L>r`JKN#QaC3F}pnsUHvGV&>OpYZn~0Y>Eh@IoD&+fFyh zMX)kBO>ADvYYlJF{t$TL<8-oAY6|f9mg&vx# z*Iu|aSeazr)O8kR4O#{-Fid|>w3UXGGEE0P!Y2BWZ7`UJPgdUHx6Z3Dk7Nq(?Ta}_ z=BMczEFVz$Alouf|_>0vo2ylERmL9CdY{6`a3EtLu>HKX|jEHH@YYd)}v=|pLW zLx`Upjve4E0>G>)`iL?15Ye+Q$#T7Sz=GD6j&ane*bX!Ee~cdll?2-=QD0O-3=$ZQ z_U&98Iy=`^=FYM_&lf`MX6UezzO54Z`}c2-Au3Q#QY{k4EjP*&Y~)r=)R;gIlVPEH zGj}RXIgv;5=;WCn_ypiT{02^-JIXlg&MPSt$(D?)hZqU{;vc)qoBUNY3v@qOc9@EC zwiEdGyO-VhA;Y=jZ*ZHZGBv7nXPN4y+GVrw7MY_b&)x3nmQkGj_^HWVY|-R@{71O4 zH~Q|kv6(^vuAic&$h?bkZT!-)#M;{0+{>$?isI8%bw0f`5N5SzdpwK$pw{Q$N`Gp4 z(~%V1MJQR{(FujGDdxIlyh3;)A)q9g?yP*K{xlfGy} z|5ij_#vJk5o07u}pXm{JfhtX$M!bD2@p|$sVy><83uF%dIX*ma5?9{&H(2Jl;8X{V zEnUng&~Ij64g9V3#fs2kr3QiVJ+RF4YxzFTEiExQ)e-4g z8|U(`c;Hk+6HTF=Idu2LWP`^ZL>y94O2v$eEWU-JLwh{2WmkZ^2LK((wGG{NUY=Ex z!>oaB8_%{n<}2uBGyZo2fpclIdR9AP5D8;%dJJWp4GQ%yhzpfMR?>x^I^zT-Km^QJ z=X;QDcue6#lY5l7oS3*Wlc8h;(&V!uqGbPGZxD^h4BKS#*7|MiuR{8)-fx0DEZwz7 zMa)AwgD#@Rj*458Heeq9AHvS!#&KbtlGm-JDt>Hg6SQtGMv;N>72{hoH71uVs7_12 z|G~2WCCd0s0A~5~!$R%r{QOGMt)KQm@x6KS9-dl8EVUyXkV{IV^)#rS1Mh1V>2qtp ziXkgAn-(WWZT=;B0_Y2}I)Qe}xd!3GiYi!jG69vudoNJYEkB^xeN zr3c0T^?EDnciY%&xf!niNDM!1CO=5aIHAUxOjJ;V#{IflT60w|uYe|6UdKkfE8+tj zZWd45CRu8YK*ldg7JX-L_xxlbJqp6N!u`EYd4%- zbi%phKn78?KC20B`ODne`s+5&oe}F6a0V+U_7G=1k?(*UPkNO8FUwGBq*6vPGn?8Q z@ZaV~$%}dESGxQ< zkHG0`r^j8i;T9^hp!4YpHxo|m%89_zJ4AWbOqLCt79sxy1!O3Z-z&tIL92GJIgoPx z&mNSl4tU1*;wY%o)@FrSTH=Mnii*qsZV$jFU577vcRof$?1)Dgr!f{~=bS~2>5b+9R~ zSh@Q=k!3j!Y0Oc!o$N0zkU_W4lTnx=54Pxb7OH+cpn(9 z!sa0UDeHR|P`wVShYy{8S=-v)1dS8@OS9iPO&j|DuSmhTOy0cma;=e8g%Hq0N4m0r zx9`oM6O>uuR(#Vui}w{On5=<_)0xJ0p6i0G@?z5TC`=}CcGe81(*I{Z5}j)X!{7dH z>ADH}cH_U0v8OYLdm6e0Ir#B=+h&-;MLc^2d*s3Sr~jX|F?a+zx;beJu_r)reSwft zjh-13?M>!l!OO3&QC9}3|3WwktBa4-_l5QRd)Ge&Nz@Y%xjrCT#J9Q0!QqhWXN5g$ zR2L6L)5AK?IT#snnp;|?ZEkMfjnVjD9~w-9BE$yRpH~U+DyjSi6?Kfzv(ptLQSOfp zwfz5Brvebk$H!H1;6pSp93*-#?s?5@GFG|cJ4gPnT{Q+-6ss6hZB4B00(ma5W2&oC zBoF_YqFAer_@;gF-%Eo-S9Pyd$DH(|F#+o4HO$s<$%{a2Z?p?7FDstbQzo3SR*o91 z{;g^fPF4mtfc^P?5M5Zpj8@2007Z~QKj`Z6D+wbP9rub6i)GipWwLnA;c#9*VaYDn zIfYmZLttWUEjY42y1i62x)xDVNOkWWj_hJUc2V}7i@3biRWg^Un+XpRcIr60B5MwQ zzn<&Kc)i|+NDFq`NUrjpxf-GV@hqJ$vhJXAsHip^>r9}&!z{{YQws|Vd(1FZi^W4- zs_MGE`-j50j&09LhwwojJUs>79lurhdZO;#Muw6rPn@{(E$k-|W~0q=9t67|Oqyvj zf5hh9QTAl5FO)==iwkDt@LqT(=Ss5VUh-_D`)=g+^M%e}x7SWXL!-suoTe=KD}aLX zAB2}mj2s2nJ<+(NHJ3U@w0cssi&uZQd7aqt7YEBni^|o8_2t78J5u-%^PAt@(P?x& z{!Mj9uJg!z7s7oVk>I|3(lcuZn4H-kf;-ZJ%z{aPYERn!$g-P>tLvdl+3|+bv5@%s z$9A#fQT|%ep4*Vh{QRWpWvkv-yZ~3{*;nGXD>=a@SnRmnCH8uA-R$;?E%%H6=!zgY z0iz_Ul(Tee(5xGXqgt$3N3xYbgZKP*Rt1a{ZZ2Xi%BA z-e#tHijnxdX6TilT~(9s7H1ylrm=->9+=O5&-@8G$^T$oCOW`=*8r6H)2TlKyrS!& zg3U^mph4Yvy-2_EtuV~*oG{GYt^qS{M^@7xbej}tjnVGcTYPP6x{zW`5s(- zf5cO@9=H5O6=EB9L(y;ubQko@zD~7H|09SEqC=7_1yo9)7~Ot2+@1oytB}Cp>@JFn zj2xlV0Yk&XV(uOe9k$q=(Un`KE2G;hVVZnAvKbsKs{fJQtR6~%eHaY^@+IIpX+qK@ zcUkqDk+{nazRAtGj?+9Wcdn4u%}B`db>4J%`gAQ(VO$9e!DN;O0nUj*RuIkgkUN;0XOD!ZZ2UbKc7{Z%eQbunrDp=woc!nM;6iDG zYCa-WMXa=e6^Vm_ul#U3LDgL|?lEUsaQ%}8YCA8&v%|RE)w$nqe5dV;d&)_qj6W#U z%8Y*zHZMiZHFYLyFX?OMKkW{H_yYLM>pQZ{eI4zxGy^B5%=ja6Q~RE_8k^sV8+V=` zUghCqBEoajRGS9;$;xo-(I>n`8srEG4htRQUp~GqDXH&IEHU)hQ0^q0c!CW#$ck90 zPN>L$cHS?{%Tu0ZwGz?+rO%ToNZ>zt;mNx_Po)y7%C=7WOj!lA3HSmFHs8F)@xbam z^3D9~JG)c*59e8252X_{1*?(apq+|s9#`~*paw`5mR_Ykwme>Zz2%zQJQcY7kkCC^v1$|X z=*?mAC@NyfUblQ<-u)V%?jdIF>~K;TNS=0s6HPDVE{TVN4%tT%0lF`4T;%{uHGYrY zYjclN99iMbu${B5dc;3EOE4>Czo=WbpRDycG5v%c*YkEWY94Zq?MxKf4mCPuT~Hhr zk8_v^PVL>7xII>fZw*v-1h8yYe~-f`k`Z=GazDscU%>Kk#be?}N>T1%@#_O?{`=&S z!zSoyHA-H1dsTLBuKHCB=o7j1s?Qv^4-%2T8r%CcTJ&bVVEIzi+T7uh-W|6?s89^TfGy^QW~b9k>&c7rSgXZZOkmmvEX+Wv4?%IweN8ielN%5+NE+Z2wHl5Ykm#k9~{2!s(cEa>(- z%6+lYAnX}d=jY( zk@B^#_Zr3?7>yq0hn33)&#=&yIq&uf*c1Q^}s9&jugO_DzMC+~#@JsPZeIJYg8BX4Nn z`_$Tg@@r5;5?-{3yEvP;9;p)^BsuQWHAt8s(QVdv|6}n<-o`2&X~~dERed$isU_E_ zTfp^qhxxX*K~zyfg6;B=XxU$)4l1Ztybv9^BI9m)-2I znB&KD@w;78()!hnh6UqkdQlNMLI*t}Aq8il{Cs>V_0p6?lRa^+SfiJTZr~h^qMY4% zm|?rmm%LPNw4Wj>dAVZi$U&=mzR0=H8FzRYG%r6in73V)E2$Z$>r%XRrS5Xe1nu^$ zcw&`JE~os5fRl)R912Ch4V4Q4h5_7YapC9QU;FuGXWZG$-N&oE5cEci!+(seJdO+u z{UdApqaEDA&Q4V+Uo8PersM(kk|F(FhYLH0^@W=mCFh;ei-_GG-Z|P~kt1(h(lIWl zIdQO?X=h^hT(*!~xt{}rnZ+r)xo&HgZTB0YFf0%JBgdS>MoywfIpBI-4^;aLFVa{f z=lrbm9A8aDpXA11*ZnCq#f>RezcOD6Nnr-tR^s7Bd)c9k#O#P`4df41B#8 zR})#K7p+iRsHu2simofA|0wzOLg!e_lzLFOEky=CkYEGun$Ms47jb$)uWInd=w_Vb zHcM(Z;>cofM3cpC`)jd&Q) zMDr_?syEpvnUEuq_nqA|=6m?i?l}5}0s)mYMt`VZym(98RNC?N7}N23lWATS z-hE}lZvE;Z4kxOozoF>y1_j8a*ZKFYD}s#Ml`6{A&ofR8M(g{9Q%Eh z30F=U1Z^S1OMB{0SR2KqVX)svwat)FBC#Lj`IwobY`6aPY^~u=hI{l>B&DQXh{48D zAnVGtNRkj4NYUIw*y~yzkfXXrO&@eaCJ%ej4=Rbs-s1T6osZ(Li*{F!bzgTGen#}q zFWTabsLt(%Bm0x2;8g(BGT|8S+5Q5PD7~8|kKQiSI31^@PAcuxbWOZ7BYU94j>Dz_ zJuuNv!(QQ4EeJmIWh_FmW>Ye)VEH)oRg3LC@THZO9*KDU3U(&6?Csymkcs_b7bRkS0u3D%a_r)Cv!MJ@Gxd=>q6Y*wKpq`cr_^Ks&%c0S$c zAn_^Z0!K(fI22JraE!<83l?z<({xuwPtKcdu#r!TLk9 zd&@6R5?47O3NN+U!fWG4w1p98oa1s!_iRbk<;9njovL~la-9sYTb&r6{<<%Zk?mE- zEIGJ{w`b0T3%YY1;rVOT_V~jzf`UprQ>(akZQ&*eH@WjFh7{&m4%YSBbrPuk8wSz0_n@)te;w#!bhY%|Q z>2U0^8j@BG5cf9FVpgymR@O%aDphkcF747ip5D?nRrT%Nm*iurkpSj(KY7MN8H4F!r449JOoEfGYfEKb7obq%)u zmf&-n-iRh`=9xg|s(r!=!2}z6nGS^0nf5zTdcu;s;9ejX)Q=4Q&!Lt_;f1T6{lN)M zU$$el??;L)h<2?uy68viSH0>hvv$EM1*@_d3Mfc-Mok4!q*t#)%CDPIxj6N4?D%y3 zm7?BXM1n6|&|>>njO&|lEm%*K5-S{e;+%%u9~fCWNe3M2R8a)IPu^X4IQ4F!WonL) zLNa_^8gkP!mU`iu^LMW*Vj?+?5Uu(vP6X5UB-I7o!5L(vEzG_I(KY+#$Zc!SlH2a3 zq`otCzAY~&An^!U{_E3N{L~bk-~C4nI4wyOh6+-44{RR=FH|^!t-PH2cf7Vv+tit( z#({f-W8qU5)EQK+zQy{4r~&NOSbg>vZfoSZo;S4kxnS8{_0DGBn0!S{iMm+Hp{ zmoPwA|Ta569j?{QJR1t9i?}W66pj~RHR51kfPF*D!qkbLwaw45RgvjfdmLi z&P-Tq?X|zX&wKuVf4IC%@;tMQagTeHIc8Gk+~$Vj`~D?ruPs+Qt>YFvjb*YvMT4*4u9b=+y>p^6ucXXSrU32*7Jf(Dt}O!zJhpAA2O zvOc%T$%wrZKr7;zkXe4fsc6n@!#IAnBtt0>j)9idZc^OvJN}f+DoelIo&1p*&Y~@3 z0H3IdXUA7UIlZci&8Dip-7$5c4PWhbFD&cPsSix12 z(fjFc9K@SO?f8>x#^ZaY8>xD@o73zA-Cvc-(e85|*o0~JI72;3Fbfys7&!a`DVx}9 zg+G&OZZmV|TzBYz(p+AC{^`vjrL7WL7Qq9+B1)3Rak4fJ)n?}3I-!Wght72ukQ99e zuv=5+6ItfF)D`rId-q~)eVAe|iyw{8iV17&%eNFWUW*Kf43}R@&3axcjDFxwYvsm( zybiR8^-&Dn7nZn{R_(!`T)T?sNkC8^5nyiB7k-|~;bLtpXnK*l{nlagvon`HHFMz@ zD!^R-;lo*&IUc?uBOgQx@f{r*;rgQYmDfePoo@hHhU?7$b!qiTPM(!Y>+1^fE4FdyBD4~lmJz~56q6N9jl>aJGXcZB$@G@@Hee5QE> z#d@yWJ~bY&rl*}&{ktsg-^LUz$R>YfKyf|MeZH+Or3z>2bgltuX;M4=7O`J(qkd1h z?Kab4XuHq+?PbiH9JTJOMys=9VEj zF)QP!#^!j5%TE54wvfLLZWO^h)&2RCn=>E14*4#^#43Wtul|j-r)%D7&@>7h-Qi_e zkf7^*Ka0D%-Tq0K(WWKhyrIgPQb7%*Jq=84 zGo1Zj$!N5JGxm-^P~&&8w@b~2@wnV>D96g5 zT^9)dHANpkjYLCPBHMk*D?)m^rraIrBt^cVy2o|eIP=jd181i*#%qN$=@UZ;{8r!5 zzpbcEJaB@l=M8OXZZPlBLCnydEbJDxXka<3q`1jqKk|7CASE1`eLjk=Z&0|pd#zMX z`KS2vkm@c@ndQS=NK7zjNOGbjw+zkO6{uz+BoHA57Ry7@T3legLd^X0F%JU(}-`@rCXC z;>S)?MeaLa6(fO*RNOPN^G!x&FoY&Ir$hjw8f$(aK{Fl|56#Hu0una1$+5li(s1}#_-L&cuMDIDhr^i@Cyzr< zr#k}KcyM&E2~sP7UB73Gk9PiI(0}S}YAKVSJPIr4oXW_ z-wsID6Z}v-luWm#=XS-VD(>gYLkWObG0Cy$-uha6($AmhYUPQ@m#F=W~czo63 zmY$oudw%-nV|ip{-wFSD*j!Y|wH%M{8dE4Fz7olle8lUbjDPqr2@z0rm^nQD%m-r2 zQ;ooS5m;4H7NBO-0r%-l#k-&7c8q3HiYFHIV;a9W1{WQ& zt}OfO%lb_?XJHnLCj=}y-on@mYN*`bHRP=({cyE6ph5VtrAJCbgG+@S%C0X<*5EGd z5@kRE%yc2u)tC|rMK4R+nH<)O*__WU>S~@4dtZ?`Fk!vnj~#4Y6Q-X*)zLE}e=5)r zaDHj~u2vJHDs|BsZ;zM{J61#(a~55ww%(I)jMk?l3>51+xo-$@fxSmxC|q5oVmO}^ zxvgDUgl6CQthYppk$aI^<#X$a1j^w@P2D9$m!0?1;4*J6)Ein<{#|DMw6#;~^p>A1 zdTUKN)9Ya)TAF+xq8UIj<)ke>T;u{-5+IaIu9Sx)BzvBeSJs`;yR@p1Y7nz3#d zoN4IOX@<<}z{b?>GzY}Rx>R9<}RJc2g_%{C9MK1Yg z6DV4Y;}-LRQ?l6EleWjsM;`czsxCIsvFqOTf6lSKPkI5)t65YWK@9fkYJJR42WY3M z#wZ%lm&;N4SDf(_A6r8|DC#IFE9*}xK%j4h);mLypOl|KKm4!h5eYqz!0_yTAdvkb~;#k`-+%G?$S$;bhxA=LK|{pE+zjRf7|f!C)2;00aY{(3v}e&NE3 zib31~F4PlZ-5T#wq3wn<$9FkpH1M+bguG|pSsYlSpCh3en!la_{(+nZfoACfb^3XE zu=LrWTG@gWT(qUx2JphmcVb46ah#c5qj3fUY+5Pvk;8$qo^?t-% zrQPRC+~f@^Kl~$1Z$Ae&cm{N)AULSut3uiGp_QdWV$#p<&}rnq#zI3kHkq5C9*m8P z=kM&Ul_(n$<6ANN`ySP$%gcEjH1?AEpSAb2pW0k-Klu0L?D*33oWq3f>HZU){jara zg`4^BZFIjwd)vRq|6hwj9|-8z!B7F!p*6+$|Bmrr|6|4u0SRkOgzA5OS`05Z(*gOy z_rDD1Ut_q)iu|e1)eBmmfH%PPAxW4mcdI!u%k$!xOVEC)s=2kJ<_k9TBuw`6dUZs5 zY58Nx(vqw3`ClHUSkP@6`dsJSQk8V}Lyrze(ab&!MnYOz@9X;}dhtihc`%B&TzA^@ z&G;eKy35H++n54Xx1oSIJLdOSeacRqe9KCkiQuiV$&sl!v5o-C#DTPjua{+BF z!Y8cg-O~hbkGWenp_DGgJkKa9Esj=qUPzy?zxO=j!Wr7Hv&(>Nmg1C`XbWrxYLrO% zVxs9kVZ~f;?&zVXakz~0qL1ib1g*Jz^x~#_*8W_FJvqmErZ9Gcfd-^NF!fnP#9A{- zE!8@TbAu`7h<49y?Dp>YdfqgTn%!Qr^smyl>tB1ayImzW!2WS>Mt)_6?LzFS&*=^OYm(0+OBwaX&+!sA_bVp@-C z7?bsMzBu@kew^T)DuB7a&+L~T9#qRR-I7NQO#4vG%<>1YE6YBqseWV)f>V?}d zcD)EWEd9um*gNBGX+*_RosYi$w4b(xnim)cMwR-;(Q~xK_{vT=@UkcO9%E=Kcojo zqW7JEc>mQU2c8F=?jBjK&RAM3PfzX`eaBwl)w?y~>^CV6BJG)5M-dvfOC$LEV9C3E zr9{?7&Ld>&FiY*X(UeWKh>SY(39*HAUl2vUq@? zhZ9-Tpkha1CZeY)e0Xa?P78r2l(_sPdk=5aGGO0&gY--Z{&RWyQi6E;mN`P@9?|Pb zqG8qKx3AI~8HblI1$&Gg9w-CxQX zC#0$ahPGOVd)nhiZdC1(u+uhgbJU|gk&s=L{@E3^imGB-qxKU?jLaXmMNE`Q#KY{w{kFv|88IX)+Z|UlWhFH$ zgGv61W58^Ow{7mVwNyfQu~$!k2B$N*FQ%ySWzX8zg}|&H-~R8L-C5Mfi5=4?mV7tj z+^0KCBG1-yDNQiXI@N3_W|((uFPdDG8BN^^<;cWbF>Qu)>t(f-lV?Qg4&7;_G~DwB zk#pd)p?wFIm#-4mf>ZmFh7rP?-?pQix1QtW6Xa3@5CujpAd)VT3j6r!O(@apuE7q8 zDn>d|mE2xK2+^K#TW+0JQF!ZF?3?*~%DqXOs%B6{jJ})%xa9y<$T47{;Bs(FhhOdR z;>nwlL%Vr<0&4}q3f$jJSW*$bgN;2MnYlNYZG*kwy{M=Y= zw~$n2H05T0C~+a)M<3mE%CfrLPefF4bGX|HG2<&WQ&ey5oS-<+;z@qNK@6&k_wDJ( zn!u9L?sLTfSsVR!81J7IKDdf4g=s{)VDQcKUP zWlCtt_6GH`NAc-zTeZW|R7*5y(p0s6vJOOXN##A~1E|=npVcPu8@d!7@x^zkGA}+W z5Jspe>er|p-5L60(rY!8Ow&QPh1sEMZ*qinBjtO^+V6n(x~I3_kIr=2Uo|arrr<^k zT1-ic`iI8dEL(k!IMt9?6ce-%ivLh?~frNnP@W70Il;f?e=ynz}aJ_%r^BT^AC zb4~S8^tGPfcT-c!`;QZ*>mC9}E@<{{Hi?SkSy^vLNKV4RULX`UrcDYk86LIeZ*?R)yqt@H)#&AumU69E?|Qzewp5y<#)JpVq!QLpr;F;2Vfc72!a-se|i@IQ8Ti8_M0f>1@+Hs3YUWXRHi5zh70L;m!Y`vcq0 zXk7F87>$*r{eiH?W2>bR%l%B0^Z}f7PAq*xJ~nrQZ-M;}S?TeX#L z_zk@NHo3(~D$7}fRZlTJz=Iv`e@8r!(`{W0v;5h1aT$!1i27qxFeU=$p1Zl?A)RzZ zCT^)oBP)+s`&i=?aJZVMH;onRoG3-8#_&UNb%Y_**g|`j(`=hF7vt0{S)sg$Nzlko|Si~Ms_sCbXsHNN`}Lx-EK>a6MSQ699nL+rjVYxM+=XQ z)}xesI{ay;-s;@}JxFq4xYRrX7-t}$9c!6=w+Mn*a$o=~_FA+dsh7vc#=eY+7VCbKRhd z+T)FKkseKHt4nI*so5A;)Uc-PgtWunnv)jl-0o5EBh@B_lAM>XP7h#er_?_CY_p7ZUKFOxpBjMk<+FbMcw*Anzu(Z3NL!(LqZOpk}`ha%c*YzK4?4Nxr#29_%) zmaRybbD{wlL<(sKS3KH0G;{b}n4SpATyajor%w6M$iua@jnQ?o^Oh1eP71qKjgq{l ze^JKtBhg7@i_&svi(tZwAO#mF44BK19Gs?ZR!t`P*Gk_cX!R#OojOdFajeA=dkAd> z%Zo|uaXwP42=Dqz;$N-yFEi5DhmN-JG(atpKEV`x!!lih^6QPHpi`syic_aG=4t-} zPt!pfj^d@~5I9a)mJF=kw`W?wWw-d0?aj6oEelw!1pI@>{Egtx6V3W2wjW;H`Nk>R@G8pIdx zO)Bs=I(P)U`INmrI*{?iY0|Hb_Qi6GywxG2A70Kg4#xZCF>)rU_ne0dMx$Usitne3 z$Cke(^F+Y{B7V-}@6kvxDxi4(x2YGt*^NMqV?|C3iutGfKB z;_3hT&0`>5Zge8!8Es_$_ospKDaNs(ZMpw(y6eCHgoRdQ@kZ-9U6TI$NB?^MyFB1y zIFPyj#|gauK7i*Ss={%5*Bk!7kF8bL%(X1!uevVH-1?>d&+AQfqzMUWJ%=hSPE)gS z6OFri#;%WdpbK|ix8s+S3i;LyuVnO-8ibN^}CC>+g0FW~~gHIa0u?cQP2 zSauAjPS&3SN|ig&2U91z^_G65SI`)^yY7#fXk$X!vKS>esey2PQqQ$?bM7-P8#nS5 zAG7k%b0x_zF~e&~-PM#E$)TMUHQ2c!YKE(&7B7tlWk=M1&2U0Lan}6IQoWNzaWv5P zHp^J!yFyz#&HTWb!sd5N6)M|M2JeKAPYp2C=~z7@_~^57HOL%rJwyxAdQ%2R;Rd??4jp zQzq|!d>-v>yrztx9oTl1-2Y>c%%Dp+1LN4Y>)~}4uc)r zeGvfA*?Ti=u4E&(Wx;!9c+r=EcfeQ zbWliAI5({-+If{Ix>PThj}UG^D(*wpK-cT?<$Ut0XY{9Bh|40}wKsSw>{Mo0FQbkzJvKC(mbZ1;2fxb^M?eWAgx_eNl+4r10+%E=3d)`Wt5t(iqq z*X|<5&=HlRIoPY_Lbdc=%+3K~QYEI3rpx`9=L_YLap!<8?nm&Q99%vzwl!Ny{;@!s;telzBE&ohHINDlwGM z=keGd5W{3YC-Un{En??adC z0NS36AH?ijC?}8Hpy+(rE2)p#ly{;I7r3>M+P^5-+XO{GSax1id!_Ux7sHUp8Ti5I zwjkfLc$oct6vxZ_cQ9+h+MiCj2j_G3Wthv&qTfEFD=j=0T9z8XH_N`Q?X)tR_uxwz z(POb@rwz!{#)-^(H3h=QZ_=by@HSBOOYJd1v|o+As;?k@CQ+3;$-Mzjs`pf-8d!YI ztyw4dcd_Og^Wf zSFm=vufh-gyuo?7(U=&k=cOb3h5m{__!A^W(a(OzcdUywfsW_-ey@?Kg7N4KQEpt!51PIIe z!M(vKvG?DP_9VMK3?5(x88$@D@>ZrJR6vOWN`hG%`kW6a$V(j1m)E*_v!Wz&$g|G?1z$b6Z816D<) z!PH|*^*U(2#{5RgpKIj6j_m-oK^oVSU1QK~a4@L0?(#v3*oJyj&at&ybT9#oHo1*s z7R)DCT?mn*O_$dui0)ZAwIK z>8h?!cST9trgam%Q#my;qRO)qb!;C}1eO~*qvBO&AUc5C;P?A!4eY}n9czo^Hp!YOs!s$bZhVSrqbgXGcY_TcN zwHdvLM^(8y&6;$5WL&15n|Ic~d9lCnIXI}3`&lDcMXgc~Csd7G}B$UIcRukb=8 zVxL|4usX-yXu2Xqv9d9!JN@FKn~npA!NQw$N=^xktTg$Y>i(0KKm(>VV%3JQ;%uBO zuFY0jRP>gaF0n)R11M5mRjNZ-zhQuEun+pLuCAUtxi?}5>n*+htiLpfHJ{?)G7d0! z4Lv8|`<-)lYrpUn78hTst+>(>h?)I;MM>jKs%sLKgnjVwVMRWQmAdt{@glbjV!Y-{ z95Vdq@twYhwjLg(c4}$0V1R)jH5G_@xL*fCGdlIwwEf_p^`GwnlBl>=naDbj=R=Vj zLE0-$qqA!5#%q2vAiW^6S3w`@DT$Q$Donni!5{T?FLmDtcrpM-%q9Q5V+1$FTd}!tJjrR}V`|QWYMcEKOIAUbH1b}~Vf((8AT5?VL%0gk zSL!9`UC^goC4(FYIChy?ajUgDtZ+zr@mW&b}?PN*iw(>u6k){-iw5sI+l zWWN~c!2nB@KmQrcXMy?C{jWYssOb6QpbP@`J+qe%LHdpl&hb3qMEH+#qn2|T@_0YZ zOYvoU# zTjMLV6b=F@YZ=Y2)Y;Dn72*ZR24Q_AM8~;Jfs4NLlnIOmX2x`Cx-YwQvfqR%OvCg6 z(GB$kX-Vw4$b|Z{4W>Czj8YQR9GWOl2+FnqHw&gV_-X9$Hc>ap__PRUWgNLl98$lK<{evTBYHd}^dk z{ou_1Ib6EOv!jl%Y5uOAn5piidlRSOj_LC8;5n_nt%_4UN^Sghu!g4g?8m`9B-y<9 zb2NSQIbJc1iOiq_kY`74dDa7r|1?|2OVD!DW09`PS<6ESYX+bqJYx^rt zr3yV1B}MX17qgfsth^p$z#lSN4oXdtJc&IM84B+nD^M32Os;j+I5Mf_dKs7}XBar2 zu=E>24VCj9NUg$*9~Q?|mUzAx4%qN;+K37`NqUwQf8c`_a|~aaSv29y>k*FG4e#f1 zdPhWmW*+NQu&YQi7&cW)NFFF2`pHps<%-Iflffqks!4=Rc zk0+_a+E|r;tF(#~0j&7IG{Dzkc^U9+~Z`MaS{h?r6*Cb8gS2OC((sB3sl?*|gN7Z>DDB-* z5%0Ip%MP%|l(?4I7@z2`BPv!m>P`0MxLU>0U0PC6Cf84n>?Mrx+ewf}cI38CT!+NtvjA=f~&Z zC6-P`MW#{Ll6QLBI8h~eJQnxN#A+!#Kdb4%n4GQ0 zaPx-#E5ElzlVo8%+$V^u0gnLeZ4tB9R=1tKeK)IgbiXO`msiJ7ziZ(9C*JfZlMrm9 zsGIw&Yq?jWHHKhb{v-K({G99zcfkIhlhHiiEpYEjrQ`4FT-45EGSGAIE8KvqC0JSZ z%=@6!qjkcgrU$maSRkMH#Wfl)OkCd#2C_W~U`B>Xr-;sr;bsVgwXby4(p~hBNEzvK ztlQ|Uy4MWN_M|>m;??{Ts2+Fz>Z|l%Ta4EYn%~sT;y@Woni!S29TMOspx-OiWE+vxy2+Zyny}XtgE<1{jj*l=Qwxw6&Cc#9Rrqz_tSygj zFznUG{N|2+FIeO>EYo3IrssA`;`%6MCMFeD;vmbaz+XAhJDu136!%Il7`~$BH1k}U zC2#GC%cVi2eNf{?3U?3#r)I9}-U zwh}Y5Q#?NgnAEou%X(4%?5aJNi+Qs|udrs`ZgdT6@DUF%=(FI({?B>b{^gf$%UIJj+K=vc$)4wLs?38j=Cy#H_ebW~3 zQ8g$0m~@feLjzBe7)jcR+jkKgI3xS+CFCiiqBF~-Qu+Qo(os(W#8(W-9AUCcWIhmstW9=oL4 z#1Y=;HcM3-_B%jOoOSj1dY|U`mkN<&ZOI8Zc4#9t9BZ%SRK4d1VAafS) zbb30dgRhEvP_K(LWA)Wo>$FDiO&F@-E%0+z@<0t-EO=vUIWX>)r%{z1`3&9Z0hh%)DiVKUrL?Fy5+?0KoHETkUv+%VeZ}99eYw@-Dg-kv=Yz% zKmZ5yd3}4o)r!NIB5TTFa7SR+AJ|cYWRG%cGuG8Uo|tW(AtUFF`r_9jcL(a&Yrtd^fp!%N+ z%-3*}SqC$#jn&gOtM-59fOs4kR9H_R-t5mZriKK_q4e|4mwV2MSCgGd#^oj6^Xqe) zdy$DOf`i#uXV@jl$Q|}hg*b1W&yTyStQg($?7h{lr`Z6Pc*dBzr0DrQm?|LXy)9eu zq@g;v+Fx-YuD?U9>UE4>QDB)`m5V+H*#>yqj8I>&MGK@OAN}e25_Wi2afhhHyLnq$ z*8MS28^by}b9THn#q6^VuVA<_OoYK2VT^u6V6awV2m`twJyuz-PW?H?x9+`?t5kJ-&G-I&6cjSwt$|={RFi$$?}oe@7%u$F z9e~%%`u3GVdr_w0_h!6j3bOND;zrjlOH7=F)R=km2c(ihsgHcpF zwK}k0HXB**EEbxo>ULxha~g_LiZBXoyg0>YROcYdn`^Gm8MQNQ=f9{pTb?Kf0L#Dg zEc7)y$PSgrO#KsuK5)EKrH+r$?9vcp$-%_MFLo&PCu|r^r^MYrKu~=RR+bz$_b0O^ z+Fwz0Eb~%bl2>SaYF*sd2u3qjD;s$}+N0Et7gj%$4Cg1c^}{ZAg_gLFzk@W;oG;!m zxLliRD~(Igwt|_r(}7X$PG8ftYT2t1Vo4sCwYP+yYjDj^Ud7l;`f#UjfUgBQL$*<; zKzunkZ(Fn{SzbT2^}&$TvjA~RaJ5#sWX9EvF3LwSO0i$%bjkZTngb-jGFyIio8^u{3D;^ zBlP?}n>t}!b#srHT2?leC_SRCf0JA(>X>e*L)%n^HX9Aa%J z&NhdiS{dbG%nR{Ues~%e1bb3idtqps$3L%QP0+`PH-NsLk68zugS>y8r3oQFoMDjf z1l^;g%i0h2cYO!kC63Cu=5;UyH*Eg!a8DG$9)-4RMb`jpZ^MY)Bjg&K!hWpCwJSU{ z&RR(~Oq8L_CMC3WndJTT&hR_w+Q9xjn3MT(D2aBV3#Qc-a9s81ZUpMfc{YWmeBHLs zqJSiy2lPo?|F7sIn6{l58__F7_EmQ9{p9Rkm0K_*ULA_Wv-1alJkkxg@j^~Hboj;d zYJ5+b&W+7tK99~C^j_hB^DryNPM;~xHp3qK!urUyJEuDP*6lPToQ1F0`X`DPqj&tOvwcb`GGkLboM0*XwLN%t1hlnU_riPO>4~;VYY2ZGFdr)eO}e%`<~dSznHv%f zU8|9~PMtWl$@7k{1H^2>)o!r0!SXM)ETZr5<%o7C+x z_o?%V-s>?$JhYv*JPn3yc9_vo;P`Cc!-mFOG2i?C=(zdo@iyIvs!yeN5v4Eopzjyk zkTOvNzEW(1iJ3oU9Of&qdDA+!$Z$1J;I z4&)Vi5@H)vA19(p}k{20l%Xl_7zIx-qovN%97TbKTs**kMe zBJ2PmIcz9ZV&5-j9c>Vvkc{Un{YNWn4r|scA)@)zWO*OJ%P>w6)n`OL3SW=4MfAB` zOmcs9Ngl$idZbY7`C_|C7=HiuZCu)7qWb7(qcZ#Z+@t3-{TRunxQ~?*R4kg^mil_} z#>T)N0~*4_h^CR%&a(X4$8hNsyh z`;K7Q##}*%$RakCLLz8vluXH18$YwU%Y|*=Qln{KmL#WJ3(Z< zY!DHXu4nIi5xh~ToRGd-A0Q1X8lL>HG`ZRI$Ep$V%Zy}aL%kmaszZaG4^P{DysA%r z#dHFKC742nA0^ZRTLg=Z0xT@+JSY9e-Dr%99*U1Qfdt7>b>+ z3ygo8sO)t3VWq)~s_XFk0!kidwI^z#)T7#~KV2*+YT`i3vIx3-k$XA;A=d*oVmVD~ta4(B|lzrt_4CE2Us ze(&0U5Pxz`I9+fZth^#{v`AmMvSGU;D?M6xbncXJA&0tWRI~b;y+d$jk3B2YE_Y6p zC(Hx>2pfW*@+gB4_Vch#TPKm4Ds6{uN5>Th6?^q738dY$ z@R7L$;EJ)q$KC~&l~;|u_$viD1VLvBtQZos(tM%(tevoR3l4?dtQG@uKh*uPP!qEkI0&V zN9VSM((E~H1*l6Fp7KjxrWv} zUIvk2ld^Kr8C+*y^yI;96BVYf?o7$?Vq5(W;FuD7P7S(v|JH?*jPZoGMWSy<=mwkZ zok$v%k6YYu46&x;3w%WdkT@jR+G=vpUJ7)9H!XPYfvRX76@k)^H@Nn;D4VxAH~f~t zTSGUTMo&rHHXO-t(d)~x}+yVPPV|}lE7aG7-Q3$(vhBI6-2bi87xYZ+Q>(FB_ zd!91_`*cT{Q3bP==@c=$Em#N3*tlT~=cqKv&Cj16;C*sC?IUE{wAWKZ$+U_$Z}xgR z`fsQK5cT6&VZC!}QvwLrUpoq%ts%$<+1-zIjNyzB7}GK4l;efPY0f36Z6m}>JCg(b zKQ-NDc}9iVKFVpw>NrChhD48h3DxtNAGjru7hHApX}_$Id$Qmm(53{O1~xxHPjCFA zw&j80$i z@c3!rvSaR?g8@kd_jOHg?Wes7Y4YSjnOI}z*aF_dxN{(2z-&|ffqKjMxA|~nW=XQ= zE{4!oweu$9BGIrjegey%&sb8K4`c{eWnoLtwbZ8sLhiCmiX2hxZZF*H`Hc9`92J?c z1Z|%<*q&Q;Rtw{>g?<>;vwc}K(7s1Ml8^n@>NQ8d{T-k7!@{%|!~F$_;OK#k_)_f%H2DoOynqc^7ncg&{^LZNeYs zzc>Q_9Q(lqFhn(A9-K-n=!_1Ky&z4NCqoaB;;{7f1lW&~iJV8eXQc2if zLXFK1+s4m|blC=j!h7~d`{(<%`E=I^Y4o%jJd(%M6q`;)F z?`>&(B@liSE>|!05Z*nCp?=B34EeaI z3}duz?^ZzkdHPcPrNl>}3pIh<<@OE*NuB;^Al?EX8LTk$Ok)>bUW%r1JHQ@!tQi#u zoL_VS$66~H4cd65U*=r)=vKIff&@I6`=;y|n}EL5<`{K8^^E3=KuU)@6DTICVi|