From b9cdc1f9c5102500ff6c56ee67b0411e0d6dee18 Mon Sep 17 00:00:00 2001 From: johannesschneiders Date: Fri, 11 Oct 2024 20:31:57 +0100 Subject: [PATCH 01/13] WIP: Changes for message signing in the interceptor --- .../service/okhttp/ApproovService.java | 322 +++++++++++------- 1 file changed, 207 insertions(+), 115 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java index b1ee48c..7f75018 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java @@ -23,6 +23,7 @@ import com.criticalblue.approovsdk.Approov; import java.io.IOException; +import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; @@ -38,6 +39,23 @@ import okhttp3.OkHttpClient; import okhttp3.Request; import okhttp3.Response; +import okio.Buffer; + +// message signing configuration +class ApproovMessageSigningConfig { + // the name of the header that will be used to send the message signature + public String targetHeader; + // the list of headers to include in the message to be signed, in the order they should be added + public ArrayList signedHeaders; + // true if the message body should also be signed + public Boolean signBody; + // constructor + public ApproovMessageSigningConfig(String targetHeader, ArrayList signedHeaders, Boolean signBody) { + this.targetHeader = targetHeader; + this.signedHeaders = signedHeaders; + this.signBody = signBody; + } +} // ApproovService provides a mediation layer to the Approov SDK itself public class ApproovService { @@ -82,6 +100,9 @@ public class ApproovService { // set of URL regexs that should be excluded from any Approov protection, mapped to the compiled Pattern private static Map exclusionURLRegexs = null; + // message signing configuration, if any + private static ApproovMessageSigningConfig messageSigningConfig; + /** * Construction is disallowed as this is a static only class. */ @@ -118,6 +139,26 @@ public static void initialize(Context context, String config) { } } + /** + * Sets the message signing configuration. If this is set, then a message signature will be computed based on the + * request URL, the headers specified in signedHeaders in the order in which they are listed and, optionally, the + * body of the message. The signature will be added to the request headers using the header name specified in header. + * + * To unset message signing, call this function as setMessageSigning(nil, nil, false) + * + * @param header is the name of the header to use for the message signature + * @param signedHeaders is the list of headers in the order in which to include them in the message signature. + * @param signBody is true if the message body should also be included in the message signature + */ + public static synchronized void setMessageSigning(String header, ArrayList signedHeaders, boolean signBody) { + if ((header == null || header.isEmpty()) && (signedHeaders == null || signedHeaders.isEmpty()) && signBody == false) { + ApproovService.messageSigningConfig = null; + } else { + ApproovService.messageSigningConfig = new ApproovMessageSigningConfig(header, signedHeaders, signBody); + } + Log.d(TAG, "setMessageSigning " + header + ", " + signedHeaders + ", " + signBody); + } + /** * Sets a flag indicating if the network interceptor should proceed anyway if it is * not possible to obtain an Approov token due to a networking failure. If this is set @@ -396,7 +437,7 @@ public static void setDataHashInToken(String data) throws ApproovException { * is not possible to use the networking interception to add the token. This will * likely require network access so may take some time to complete. If the attestation fails * for any reason then an ApproovException is thrown. This will be ApproovNetworkException for - * networking issues wher a user initiated retry of the operation should be allowed. Note that + * networking issues where a user initiated retry of the operation should be allowed. Note that * the returned token should NEVER be cached by your app, you should call this function when * it is needed. * @@ -432,6 +473,7 @@ else if (approovResults.getStatus() != Approov.TokenFetchStatus.SUCCESS) return approovResults.getToken(); } + // TODO remove this function from the public interface? /** * Gets the signature for the given message. This uses an account specific message signing key that is * transmitted to the SDK after a successful fetch if the facility is enabled for the account. Note @@ -629,7 +671,7 @@ public static synchronized OkHttpClient getOkHttpClient() { Log.d(TAG, "Building new Approov OkHttpClient"); ApproovTokenInterceptor interceptor = new ApproovTokenInterceptor(approovTokenHeader, approovTokenPrefix, bindingHeader, proceedOnNetworkFail, substitutionHeaders, - substitutionQueryParams, exclusionURLRegexs); + substitutionQueryParams, exclusionURLRegexs, messageSigningConfig); okHttpClient = okHttpBuilder.certificatePinner(pinBuilder.build()).addInterceptor(interceptor).build(); } else { // if the ApproovService was not initialized then we can't add Approov capabilities @@ -688,6 +730,9 @@ class ApproovTokenInterceptor implements Interceptor { // set of URL regexs that should be excluded from any Approov protection, mapped to the compiled Pattern private Map exclusionURLRegexs; + // message signing configuration, if any + private ApproovMessageSigningConfig messageSigningConfig; + /** * Constructs a new interceptor that adds Approov tokens and substitute headers or query * parameters. @@ -702,7 +747,8 @@ class ApproovTokenInterceptor implements Interceptor { */ public ApproovTokenInterceptor(String approovTokenHeader, String approovTokenPrefix, String bindingHeader, boolean proceedOnNetworkFail, Map substitutionHeaders, - Set substitutionQueryParams, Map exclusionURLRegexs) { + Set substitutionQueryParams, Map exclusionURLRegexs, + ApproovMessageSigningConfig messageSigningConfig) { this.approovTokenHeader = approovTokenHeader; this.approovTokenPrefix = approovTokenPrefix; this.bindingHeader = bindingHeader; @@ -719,6 +765,7 @@ public ApproovTokenInterceptor(String approovTokenHeader, String approovTokenPre } } this.exclusionURLRegexs = new HashMap<>(exclusionURLRegexs); + this.messageSigningConfig = messageSigningConfig; } @Override @@ -738,127 +785,172 @@ public Response intercept(Chain chain) throws IOException { // request an Approov token for the domain String host = request.url().host(); - Approov.TokenFetchResult approovResults = Approov.fetchApproovTokenAndWait(host); - - // provide information about the obtained token or error (note "approov token -check" can - // be used to check the validity of the token and if you use token annotations they - // will appear here to determine why a request is being rejected) - Log.d(TAG, "Token for " + host + ": " + approovResults.getLoggableToken()); + // Ensure that the signing key used for signing the message belongs to the Approov token fetched here + synchronized (ApproovTokenInterceptor.class) { + // fetch the Approov token for the domain + Approov.TokenFetchResult approovResults = Approov.fetchApproovTokenAndWait(host); + + // provide information about the obtained token or error (note "approov token -check" can + // be used to check the validity of the token and if you use token annotations they + // will appear here to determine why a request is being rejected) + Log.d(TAG, "Token for " + host + ": " + approovResults.getLoggableToken()); + + // force a pinning change if there is any dynamic config update + if (approovResults.isConfigChanged()) { + Approov.fetchConfig(); + ApproovService.clearOkHttpClient(); + } - // force a pinning change if there is any dynamic config update - if (approovResults.isConfigChanged()) { - Approov.fetchConfig(); - ApproovService.clearOkHttpClient(); - } + // we cannot proceed if the pins need to be updated. This will be cleared by using getOkHttpClient + // but will persist if the app fails to rebuild the OkHttpClient regularly. This might occur + // on first use after initial app install if the initial network fetch was unable to obtain + // the dynamic configuration for the account if there was poor network connectivity at that + // point. + if (approovResults.isForceApplyPins()) { + ApproovService.clearOkHttpClient(); + throw new ApproovNetworkException("Pins need to be updated"); + } - // we cannot proceed if the pins need to be updated. This will be cleared by using getOkHttpClient - // but will persist if the app fails to rebuild the OkHttpClient regularly. This might occur - // on first use after initial app install if the initial network fetch was unable to obtain - // the dynamic configuration for the account if there was poor network connectivity at that - // point. - if (approovResults.isForceApplyPins()) { - ApproovService.clearOkHttpClient(); - throw new ApproovNetworkException("Pins need to be updated"); - } + // check the status of Approov token fetch + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) + // we successfully obtained a token so add it to the header for the request + request = request.newBuilder().header(approovTokenHeader, approovTokenPrefix + approovResults.getToken()).build(); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get an Approov token due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); + } + else if ((approovResults.getStatus() != Approov.TokenFetchStatus.NO_APPROOV_SERVICE) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_URL) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) + // we have failed to get an Approov token with a more serious permanent error + throw new ApproovException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); + + // we only continue additional processing if we had a valid status from Approov, to prevent additional delays + // by trying to fetch from Approov again and this also protects against header substitutions in domains not + // protected by Approov and therefore potential subject to a MitM + if ((approovResults.getStatus() != Approov.TokenFetchStatus.SUCCESS) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) + return chain.proceed(request); - // check the status of Approov token fetch - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) - // we successfully obtained a token so add it to the header for the request - request = request.newBuilder().header(approovTokenHeader, approovTokenPrefix + approovResults.getToken()).build(); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get an Approov token due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); - } - else if ((approovResults.getStatus() != Approov.TokenFetchStatus.NO_APPROOV_SERVICE) && - (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_URL) && - (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) - // we have failed to get an Approov token with a more serious permanent error - throw new ApproovException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); - - // we only continue additional processing if we had a valid status from Approov, to prevent additional delays - // by trying to fetch from Approov again and this also protects against header substitutions in domains not - // protected by Approov and therefore potential subject to a MitM - if ((approovResults.getStatus() != Approov.TokenFetchStatus.SUCCESS) && - (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) - return chain.proceed(request); - - // we now deal with any header substitutions, which may require further fetches but these - // should be using cached results - for (Map.Entry entry: substitutionHeaders.entrySet()) { - String header = entry.getKey(); - String prefix = entry.getValue(); - String value = request.header(header); - if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { - approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); - Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the header - request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); + // we now deal with any header substitutions, which may require further fetches but these + // should be using cached results + for (Map.Entry entry: substitutionHeaders.entrySet()) { + String header = entry.getKey(); + String prefix = entry.getValue(); + String value = request.header(header); + if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { + approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); + Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the header + request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); + } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Header substitution for " + header + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); + } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Header substitution for " + header + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); + } + + // we now deal with any query parameter substitutions, which may require further fetches but these + // should be using cached results + String currentURL = request.url().toString(); + for (Map.Entry entry: substitutionQueryParams.entrySet()) { + String queryKey = entry.getKey(); + Pattern pattern = entry.getValue(); + Matcher matcher = pattern.matcher(currentURL); + if (matcher.find()) { + // we have found an occurrence of the query parameter to be replaced so we look up the existing + // value as a key for a secure string + String queryValue = matcher.group(1); + approovResults = Approov.fetchSecureStringAndWait(queryValue, null); + Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the query parameter + currentURL = new StringBuilder(currentURL).replace(matcher.start(1), + matcher.end(1), approovResults.getSecureString()).toString(); + request = request.newBuilder().url(currentURL).build(); + } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); + } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); } - } - // we now deal with any query parameter substitutions, which may require further fetches but these - // should be using cached results - String currentURL = request.url().toString(); - for (Map.Entry entry: substitutionQueryParams.entrySet()) { - String queryKey = entry.getKey(); - Pattern pattern = entry.getValue(); - Matcher matcher = pattern.matcher(currentURL); - if (matcher.find()) { - // we have found an occurrence of the query parameter to be replaced so we look up the existing - // value as a key for a secure string - String queryValue = matcher.group(1); - approovResults = Approov.fetchSecureStringAndWait(queryValue, null); - Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the query parameter - currentURL = new StringBuilder(currentURL).replace(matcher.start(1), - matcher.end(1), approovResults.getSecureString()).toString(); - request = request.newBuilder().url(currentURL).build(); + // if message signing is enabled, add the signature header to the request + if (messageSigningConfig != null) { + Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + + (messageSigningConfig.signBody ? ", body" : "")); + // build the message to sign, consisting of the URL, the names and values of the included headers and + // the body, if enabled, where each entry is separated from the next by a newline character + StringBuilder message = new StringBuilder(); + // add the URL to the message, followed by a newline + message.append(request.url().toString()); + message.append("\n"); + // add the required headers to the message as 'headername:headervalue', where the headername is in + // lowercase + if (messageSigningConfig.signedHeaders != null) { + for (String header : messageSigningConfig.signedHeaders) { + // add one headername:headervalue\n entry for each header value to be included in the signature + List values = request.headers(header); + for (String value : values) { + message.append(header.toLowerCase()).append(":"); + if (value != null) { + message.append(value); + } + message.append("\n"); + } + } + } + // add the body to the message + if (messageSigningConfig.signBody) { + okhttp3.RequestBody body = request.body(); + if (body != null) { + Buffer buffer = new Buffer(); + body.writeTo(buffer); + message.append(buffer.readUtf8()); + } } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); + // compute the signature and add it to the request (passing on any exceptions that may occur) + if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { + String signature = ApproovService.getMessageSignature(message.toString()); + request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); } } From 1c9b3e2bacbe610eabf9738524b017a92583242b Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Tue, 10 Dec 2024 14:29:17 +0000 Subject: [PATCH 02/13] Add flag to use mutex if message signing is enabled only --- .../service/okhttp/ApproovService.java | 351 +++++++++--------- 1 file changed, 185 insertions(+), 166 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java index 7f75018..f7a29d2 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java @@ -75,6 +75,9 @@ public class ApproovService { // Approov token private static boolean proceedOnNetworkFail = false; + // true if message signing has been enabled for the ApproovService + private static boolean isMessageSigningEnabled = false; + // builder to be used for new OkHttp clients private static OkHttpClient.Builder okHttpBuilder = null; @@ -151,6 +154,8 @@ public static void initialize(Context context, String config) { * @param signBody is true if the message body should also be included in the message signature */ public static synchronized void setMessageSigning(String header, ArrayList signedHeaders, boolean signBody) { + // Set flag to indicate feature is enabled + isMessageSigningEnabled = true; if ((header == null || header.isEmpty()) && (signedHeaders == null || signedHeaders.isEmpty()) && signBody == false) { ApproovService.messageSigningConfig = null; } else { @@ -160,19 +165,20 @@ public static synchronized void setMessageSigning(String header, ArrayList entry: substitutionHeaders.entrySet()) { - String header = entry.getKey(); - String prefix = entry.getValue(); - String value = request.header(header); - if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { - approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); - Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the header - request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); - } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Header substitution for " + header + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); - } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); + // provide information about the obtained token or error (note "approov token -check" can + // be used to check the validity of the token and if you use token annotations they + // will appear here to determine why a request is being rejected) + Log.d(TAG, "Token for " + host + ": " + approovResults.getLoggableToken()); + + // force a pinning change if there is any dynamic config update + if (approovResults.isConfigChanged()) { + Approov.fetchConfig(); + ApproovService.clearOkHttpClient(); + } + + // we cannot proceed if the pins need to be updated. This will be cleared by using getOkHttpClient + // but will persist if the app fails to rebuild the OkHttpClient regularly. This might occur + // on first use after initial app install if the initial network fetch was unable to obtain + // the dynamic configuration for the account if there was poor network connectivity at that + // point. + if (approovResults.isForceApplyPins()) { + ApproovService.clearOkHttpClient(); + throw new ApproovNetworkException("Pins need to be updated"); + } + + // check the status of Approov token fetch + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) + // we successfully obtained a token so add it to the header for the request + request = request.newBuilder().header(approovTokenHeader, approovTokenPrefix + approovResults.getToken()).build(); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get an Approov token due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); + } + else if ((approovResults.getStatus() != Approov.TokenFetchStatus.NO_APPROOV_SERVICE) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_URL) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) + // we have failed to get an Approov token with a more serious permanent error + throw new ApproovException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); + + // we only continue additional processing if we had a valid status from Approov, to prevent additional delays + // by trying to fetch from Approov again and this also protects against header substitutions in domains not + // protected by Approov and therefore potential subject to a MitM + if ((approovResults.getStatus() != Approov.TokenFetchStatus.SUCCESS) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) + return request; //return chain.proceed(request); + + // we now deal with any header substitutions, which may require further fetches but these + // should be using cached results + for (Map.Entry entry: substitutionHeaders.entrySet()) { + String header = entry.getKey(); + String prefix = entry.getValue(); + String value = request.header(header); + if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { + approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); + Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the header + request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); + } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Header substitution for " + header + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); } + } - // we now deal with any query parameter substitutions, which may require further fetches but these - // should be using cached results - String currentURL = request.url().toString(); - for (Map.Entry entry: substitutionQueryParams.entrySet()) { - String queryKey = entry.getKey(); - Pattern pattern = entry.getValue(); - Matcher matcher = pattern.matcher(currentURL); - if (matcher.find()) { - // we have found an occurrence of the query parameter to be replaced so we look up the existing - // value as a key for a secure string - String queryValue = matcher.group(1); - approovResults = Approov.fetchSecureStringAndWait(queryValue, null); - Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the query parameter - currentURL = new StringBuilder(currentURL).replace(matcher.start(1), - matcher.end(1), approovResults.getSecureString()).toString(); - request = request.newBuilder().url(currentURL).build(); - } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); - } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); + // we now deal with any query parameter substitutions, which may require further fetches but these + // should be using cached results + String currentURL = request.url().toString(); + for (Map.Entry entry: substitutionQueryParams.entrySet()) { + String queryKey = entry.getKey(); + Pattern pattern = entry.getValue(); + Matcher matcher = pattern.matcher(currentURL); + if (matcher.find()) { + // we have found an occurrence of the query parameter to be replaced so we look up the existing + // value as a key for a secure string + String queryValue = matcher.group(1); + approovResults = Approov.fetchSecureStringAndWait(queryValue, null); + Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the query parameter + currentURL = new StringBuilder(currentURL).replace(matcher.start(1), + matcher.end(1), approovResults.getSecureString()).toString(); + request = request.newBuilder().url(currentURL).build(); + } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); } + } - // if message signing is enabled, add the signature header to the request - if (messageSigningConfig != null) { - Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + - (messageSigningConfig.signBody ? ", body" : "")); - // build the message to sign, consisting of the URL, the names and values of the included headers and - // the body, if enabled, where each entry is separated from the next by a newline character - StringBuilder message = new StringBuilder(); - // add the URL to the message, followed by a newline - message.append(request.url().toString()); - message.append("\n"); - // add the required headers to the message as 'headername:headervalue', where the headername is in - // lowercase - if (messageSigningConfig.signedHeaders != null) { - for (String header : messageSigningConfig.signedHeaders) { - // add one headername:headervalue\n entry for each header value to be included in the signature - List values = request.headers(header); - for (String value : values) { - message.append(header.toLowerCase()).append(":"); - if (value != null) { - message.append(value); - } - message.append("\n"); + // if message signing is enabled, add the signature header to the request + if (messageSigningConfig != null) { + Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + + (messageSigningConfig.signBody ? ", body" : "")); + // build the message to sign, consisting of the URL, the names and values of the included headers and + // the body, if enabled, where each entry is separated from the next by a newline character + StringBuilder message = new StringBuilder(); + // add the URL to the message, followed by a newline + message.append(request.url().toString()); + message.append("\n"); + // add the required headers to the message as 'headername:headervalue', where the headername is in + // lowercase + if (messageSigningConfig.signedHeaders != null) { + for (String header : messageSigningConfig.signedHeaders) { + // add one headername:headervalue\n entry for each header value to be included in the signature + List values = request.headers(header); + for (String value : values) { + message.append(header.toLowerCase()).append(":"); + if (value != null) { + message.append(value); } + message.append("\n"); } } - // add the body to the message - if (messageSigningConfig.signBody) { - okhttp3.RequestBody body = request.body(); - if (body != null) { - Buffer buffer = new Buffer(); - body.writeTo(buffer); - message.append(buffer.readUtf8()); - } - } - // compute the signature and add it to the request (passing on any exceptions that may occur) - if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { - String signature = ApproovService.getMessageSignature(message.toString()); - request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); + } + // add the body to the message + if (messageSigningConfig.signBody) { + okhttp3.RequestBody body = request.body(); + if (body != null) { + Buffer buffer = new Buffer(); + body.writeTo(buffer); + message.append(buffer.readUtf8()); } } + // compute the signature and add it to the request (passing on any exceptions that may occur) + if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { + String signature = ApproovService.getMessageSignature(message.toString()); + request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); + } } - // proceed with the rest of the chain - return chain.proceed(request); + return request; } } From 0d8e1e34a339f2a084103fe6aa1c6b407e320bcd Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Wed, 8 Jan 2025 13:20:39 +0000 Subject: [PATCH 03/13] Revert "Add flag to use mutex if message signing is enabled only" This reverts commit 1c9b3e2bacbe610eabf9738524b017a92583242b. --- .../service/okhttp/ApproovService.java | 351 +++++++++--------- 1 file changed, 166 insertions(+), 185 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java index f7a29d2..7f75018 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java @@ -75,9 +75,6 @@ public class ApproovService { // Approov token private static boolean proceedOnNetworkFail = false; - // true if message signing has been enabled for the ApproovService - private static boolean isMessageSigningEnabled = false; - // builder to be used for new OkHttp clients private static OkHttpClient.Builder okHttpBuilder = null; @@ -154,8 +151,6 @@ public static void initialize(Context context, String config) { * @param signBody is true if the message body should also be included in the message signature */ public static synchronized void setMessageSigning(String header, ArrayList signedHeaders, boolean signBody) { - // Set flag to indicate feature is enabled - isMessageSigningEnabled = true; if ((header == null || header.isEmpty()) && (signedHeaders == null || signedHeaders.isEmpty()) && signBody == false) { ApproovService.messageSigningConfig = null; } else { @@ -165,20 +160,19 @@ public static synchronized void setMessageSigning(String header, ArrayList entry: substitutionHeaders.entrySet()) { - String header = entry.getKey(); - String prefix = entry.getValue(); - String value = request.header(header); - if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { - approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); - Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the header - request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); - } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Header substitution for " + header + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); + // we now deal with any header substitutions, which may require further fetches but these + // should be using cached results + for (Map.Entry entry: substitutionHeaders.entrySet()) { + String header = entry.getKey(); + String prefix = entry.getValue(); + String value = request.header(header); + if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { + approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); + Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the header + request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); + } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Header substitution for " + header + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); + } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); } - } - // we now deal with any query parameter substitutions, which may require further fetches but these - // should be using cached results - String currentURL = request.url().toString(); - for (Map.Entry entry: substitutionQueryParams.entrySet()) { - String queryKey = entry.getKey(); - Pattern pattern = entry.getValue(); - Matcher matcher = pattern.matcher(currentURL); - if (matcher.find()) { - // we have found an occurrence of the query parameter to be replaced so we look up the existing - // value as a key for a secure string - String queryValue = matcher.group(1); - approovResults = Approov.fetchSecureStringAndWait(queryValue, null); - Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the query parameter - currentURL = new StringBuilder(currentURL).replace(matcher.start(1), - matcher.end(1), approovResults.getSecureString()).toString(); - request = request.newBuilder().url(currentURL).build(); - } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); + // we now deal with any query parameter substitutions, which may require further fetches but these + // should be using cached results + String currentURL = request.url().toString(); + for (Map.Entry entry: substitutionQueryParams.entrySet()) { + String queryKey = entry.getKey(); + Pattern pattern = entry.getValue(); + Matcher matcher = pattern.matcher(currentURL); + if (matcher.find()) { + // we have found an occurrence of the query parameter to be replaced so we look up the existing + // value as a key for a secure string + String queryValue = matcher.group(1); + approovResults = Approov.fetchSecureStringAndWait(queryValue, null); + Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the query parameter + currentURL = new StringBuilder(currentURL).replace(matcher.start(1), + matcher.end(1), approovResults.getSecureString()).toString(); + request = request.newBuilder().url(currentURL).build(); + } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); + } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); } - } - // if message signing is enabled, add the signature header to the request - if (messageSigningConfig != null) { - Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + - (messageSigningConfig.signBody ? ", body" : "")); - // build the message to sign, consisting of the URL, the names and values of the included headers and - // the body, if enabled, where each entry is separated from the next by a newline character - StringBuilder message = new StringBuilder(); - // add the URL to the message, followed by a newline - message.append(request.url().toString()); - message.append("\n"); - // add the required headers to the message as 'headername:headervalue', where the headername is in - // lowercase - if (messageSigningConfig.signedHeaders != null) { - for (String header : messageSigningConfig.signedHeaders) { - // add one headername:headervalue\n entry for each header value to be included in the signature - List values = request.headers(header); - for (String value : values) { - message.append(header.toLowerCase()).append(":"); - if (value != null) { - message.append(value); + // if message signing is enabled, add the signature header to the request + if (messageSigningConfig != null) { + Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + + (messageSigningConfig.signBody ? ", body" : "")); + // build the message to sign, consisting of the URL, the names and values of the included headers and + // the body, if enabled, where each entry is separated from the next by a newline character + StringBuilder message = new StringBuilder(); + // add the URL to the message, followed by a newline + message.append(request.url().toString()); + message.append("\n"); + // add the required headers to the message as 'headername:headervalue', where the headername is in + // lowercase + if (messageSigningConfig.signedHeaders != null) { + for (String header : messageSigningConfig.signedHeaders) { + // add one headername:headervalue\n entry for each header value to be included in the signature + List values = request.headers(header); + for (String value : values) { + message.append(header.toLowerCase()).append(":"); + if (value != null) { + message.append(value); + } + message.append("\n"); } - message.append("\n"); } } - } - // add the body to the message - if (messageSigningConfig.signBody) { - okhttp3.RequestBody body = request.body(); - if (body != null) { - Buffer buffer = new Buffer(); - body.writeTo(buffer); - message.append(buffer.readUtf8()); + // add the body to the message + if (messageSigningConfig.signBody) { + okhttp3.RequestBody body = request.body(); + if (body != null) { + Buffer buffer = new Buffer(); + body.writeTo(buffer); + message.append(buffer.readUtf8()); + } + } + // compute the signature and add it to the request (passing on any exceptions that may occur) + if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { + String signature = ApproovService.getMessageSignature(message.toString()); + request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); } - } - // compute the signature and add it to the request (passing on any exceptions that may occur) - if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { - String signature = ApproovService.getMessageSignature(message.toString()); - request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); } } - return request; + // proceed with the rest of the chain + return chain.proceed(request); } } From df484a3883a7adae32ad6483b6809c916bf6a196 Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Wed, 8 Jan 2025 14:17:15 +0000 Subject: [PATCH 04/13] Message signing should check for Approov-Token header inclusion; disable changing header name if message signing has been enabled --- .../service/okhttp/ApproovService.java | 331 +++++++++--------- 1 file changed, 171 insertions(+), 160 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java index 7f75018..c780a8f 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java @@ -150,13 +150,22 @@ public static void initialize(Context context, String config) { * @param signedHeaders is the list of headers in the order in which to include them in the message signature. * @param signBody is true if the message body should also be included in the message signature */ - public static synchronized void setMessageSigning(String header, ArrayList signedHeaders, boolean signBody) { + public static synchronized void setMessageSigning(String header, ArrayList signedHeaders, boolean signBody) throws ApproovException { if ((header == null || header.isEmpty()) && (signedHeaders == null || signedHeaders.isEmpty()) && signBody == false) { ApproovService.messageSigningConfig = null; } else { - ApproovService.messageSigningConfig = new ApproovMessageSigningConfig(header, signedHeaders, signBody); + // We check if the the approovTokenHeader matches one of the signedHeaders + for (String signedHeader : signedHeaders) { + if (signedHeader.equals(header)) { + Log.d(TAG, "setMessageSigning " + header + ", " + signedHeaders + ", " + signBody); + ApproovService.messageSigningConfig = new ApproovMessageSigningConfig(header, signedHeaders, signBody); + return; + } + } + // The approovTokenHeader is not included in the signedHeaders list. We throw since this is an error + throw new ApproovException("The Approov Token header: " + approovTokenHeader + " to be used for the message signature must be included in the list of headers to be signed"); } - Log.d(TAG, "setMessageSigning " + header + ", " + signedHeaders + ", " + signBody); + } /** @@ -207,8 +216,12 @@ public static synchronized void setDevKey(String devKey) throws ApproovException * @param header is the header to place the Approov token on * @param prefix is any prefix String for the Approov token header */ - public static synchronized void setApproovHeader(String header, String prefix) { + public static synchronized void setApproovHeader(String header, String prefix) throws ApproovException { Log.d(TAG, "setApproovHeader " + header + ", " + prefix); + // We only allow this to proceed if message signing is not enabled since changing the header after configuring the message signing is not allowed + if (messageSigningConfig != null) { + throw new ApproovException("The Approov Token header cannot be changed after configuring the message signing"); + } approovTokenHeader = header; approovTokenPrefix = prefix; okHttpClient = null; @@ -785,173 +798,171 @@ public Response intercept(Chain chain) throws IOException { // request an Approov token for the domain String host = request.url().host(); - // Ensure that the signing key used for signing the message belongs to the Approov token fetched here - synchronized (ApproovTokenInterceptor.class) { - // fetch the Approov token for the domain - Approov.TokenFetchResult approovResults = Approov.fetchApproovTokenAndWait(host); - - // provide information about the obtained token or error (note "approov token -check" can - // be used to check the validity of the token and if you use token annotations they - // will appear here to determine why a request is being rejected) - Log.d(TAG, "Token for " + host + ": " + approovResults.getLoggableToken()); - - // force a pinning change if there is any dynamic config update - if (approovResults.isConfigChanged()) { - Approov.fetchConfig(); - ApproovService.clearOkHttpClient(); - } - - // we cannot proceed if the pins need to be updated. This will be cleared by using getOkHttpClient - // but will persist if the app fails to rebuild the OkHttpClient regularly. This might occur - // on first use after initial app install if the initial network fetch was unable to obtain - // the dynamic configuration for the account if there was poor network connectivity at that - // point. - if (approovResults.isForceApplyPins()) { - ApproovService.clearOkHttpClient(); - throw new ApproovNetworkException("Pins need to be updated"); - } - - // check the status of Approov token fetch - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) - // we successfully obtained a token so add it to the header for the request - request = request.newBuilder().header(approovTokenHeader, approovTokenPrefix + approovResults.getToken()).build(); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get an Approov token due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); - } - else if ((approovResults.getStatus() != Approov.TokenFetchStatus.NO_APPROOV_SERVICE) && - (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_URL) && - (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) - // we have failed to get an Approov token with a more serious permanent error - throw new ApproovException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); - - // we only continue additional processing if we had a valid status from Approov, to prevent additional delays - // by trying to fetch from Approov again and this also protects against header substitutions in domains not - // protected by Approov and therefore potential subject to a MitM - if ((approovResults.getStatus() != Approov.TokenFetchStatus.SUCCESS) && - (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) - return chain.proceed(request); - - // we now deal with any header substitutions, which may require further fetches but these - // should be using cached results - for (Map.Entry entry: substitutionHeaders.entrySet()) { - String header = entry.getKey(); - String prefix = entry.getValue(); - String value = request.header(header); - if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { - approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); - Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the header - request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); - } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Header substitution for " + header + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); - } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Header substitution for " + header + ": " + - approovResults.getStatus().toString()); + + // fetch the Approov token for the domain + Approov.TokenFetchResult approovResults = Approov.fetchApproovTokenAndWait(host); + + // provide information about the obtained token or error (note "approov token -check" can + // be used to check the validity of the token and if you use token annotations they + // will appear here to determine why a request is being rejected) + Log.d(TAG, "Token for " + host + ": " + approovResults.getLoggableToken()); + + // force a pinning change if there is any dynamic config update + if (approovResults.isConfigChanged()) { + Approov.fetchConfig(); + ApproovService.clearOkHttpClient(); + } + + // we cannot proceed if the pins need to be updated. This will be cleared by using getOkHttpClient + // but will persist if the app fails to rebuild the OkHttpClient regularly. This might occur + // on first use after initial app install if the initial network fetch was unable to obtain + // the dynamic configuration for the account if there was poor network connectivity at that + // point. + if (approovResults.isForceApplyPins()) { + ApproovService.clearOkHttpClient(); + throw new ApproovNetworkException("Pins need to be updated"); + } + + // check the status of Approov token fetch + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) + // we successfully obtained a token so add it to the header for the request + request = request.newBuilder().header(approovTokenHeader, approovTokenPrefix + approovResults.getToken()).build(); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get an Approov token due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); + } + else if ((approovResults.getStatus() != Approov.TokenFetchStatus.NO_APPROOV_SERVICE) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_URL) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) + // we have failed to get an Approov token with a more serious permanent error + throw new ApproovException("Approov token fetch for " + host + ": " + approovResults.getStatus().toString()); + + // we only continue additional processing if we had a valid status from Approov, to prevent additional delays + // by trying to fetch from Approov again and this also protects against header substitutions in domains not + // protected by Approov and therefore potential subject to a MitM + if ((approovResults.getStatus() != Approov.TokenFetchStatus.SUCCESS) && + (approovResults.getStatus() != Approov.TokenFetchStatus.UNPROTECTED_URL)) + return chain.proceed(request); + + // we now deal with any header substitutions, which may require further fetches but these + // should be using cached results + for (Map.Entry entry: substitutionHeaders.entrySet()) { + String header = entry.getKey(); + String prefix = entry.getValue(); + String value = request.header(header); + if ((value != null) && value.startsWith(prefix) && (value.length() > prefix.length())) { + approovResults = Approov.fetchSecureStringAndWait(value.substring(prefix.length()), null); + Log.d(TAG, "Substituting header: " + header + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the header + request = request.newBuilder().header(header, prefix + approovResults.getSecureString()).build(); + } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Header substitution for " + header + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Header substitution for " + header + ": " + + approovResults.getStatus().toString()); } + } - // we now deal with any query parameter substitutions, which may require further fetches but these - // should be using cached results - String currentURL = request.url().toString(); - for (Map.Entry entry: substitutionQueryParams.entrySet()) { - String queryKey = entry.getKey(); - Pattern pattern = entry.getValue(); - Matcher matcher = pattern.matcher(currentURL); - if (matcher.find()) { - // we have found an occurrence of the query parameter to be replaced so we look up the existing - // value as a key for a secure string - String queryValue = matcher.group(1); - approovResults = Approov.fetchSecureStringAndWait(queryValue, null); - Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); - if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { - // substitute the query parameter - currentURL = new StringBuilder(currentURL).replace(matcher.start(1), - matcher.end(1), approovResults.getSecureString()).toString(); - request = request.newBuilder().url(currentURL).build(); - } - else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) - // if the request is rejected then we provide a special exception with additional information - throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString() + ": " + approovResults.getARC() + - " " + approovResults.getRejectionReasons(), - approovResults.getARC(), approovResults.getRejectionReasons()); - else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || - (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { - // we are unable to get the secure string due to network conditions so the request can - // be retried by the user later - unless this is overridden - if (!proceedOnNetworkFail) - throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); - } - else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) - // we have failed to get a secure string with a more serious permanent error - throw new ApproovException("Query parameter substitution for " + queryKey + ": " + - approovResults.getStatus().toString()); + // we now deal with any query parameter substitutions, which may require further fetches but these + // should be using cached results + String currentURL = request.url().toString(); + for (Map.Entry entry: substitutionQueryParams.entrySet()) { + String queryKey = entry.getKey(); + Pattern pattern = entry.getValue(); + Matcher matcher = pattern.matcher(currentURL); + if (matcher.find()) { + // we have found an occurrence of the query parameter to be replaced so we look up the existing + // value as a key for a secure string + String queryValue = matcher.group(1); + approovResults = Approov.fetchSecureStringAndWait(queryValue, null); + Log.d(TAG, "Substituting query parameter: " + queryKey + ", " + approovResults.getStatus().toString()); + if (approovResults.getStatus() == Approov.TokenFetchStatus.SUCCESS) { + // substitute the query parameter + currentURL = new StringBuilder(currentURL).replace(matcher.start(1), + matcher.end(1), approovResults.getSecureString()).toString(); + request = request.newBuilder().url(currentURL).build(); } + else if (approovResults.getStatus() == Approov.TokenFetchStatus.REJECTED) + // if the request is rejected then we provide a special exception with additional information + throw new ApproovRejectionException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString() + ": " + approovResults.getARC() + + " " + approovResults.getRejectionReasons(), + approovResults.getARC(), approovResults.getRejectionReasons()); + else if ((approovResults.getStatus() == Approov.TokenFetchStatus.NO_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.POOR_NETWORK) || + (approovResults.getStatus() == Approov.TokenFetchStatus.MITM_DETECTED)) { + // we are unable to get the secure string due to network conditions so the request can + // be retried by the user later - unless this is overridden + if (!proceedOnNetworkFail) + throw new ApproovNetworkException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); + } + else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) + // we have failed to get a secure string with a more serious permanent error + throw new ApproovException("Query parameter substitution for " + queryKey + ": " + + approovResults.getStatus().toString()); } + } - // if message signing is enabled, add the signature header to the request - if (messageSigningConfig != null) { - Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + - (messageSigningConfig.signBody ? ", body" : "")); - // build the message to sign, consisting of the URL, the names and values of the included headers and - // the body, if enabled, where each entry is separated from the next by a newline character - StringBuilder message = new StringBuilder(); - // add the URL to the message, followed by a newline - message.append(request.url().toString()); - message.append("\n"); - // add the required headers to the message as 'headername:headervalue', where the headername is in - // lowercase - if (messageSigningConfig.signedHeaders != null) { - for (String header : messageSigningConfig.signedHeaders) { - // add one headername:headervalue\n entry for each header value to be included in the signature - List values = request.headers(header); - for (String value : values) { - message.append(header.toLowerCase()).append(":"); - if (value != null) { - message.append(value); - } - message.append("\n"); + // if message signing is enabled, add the signature header to the request + if (messageSigningConfig != null) { + Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + + (messageSigningConfig.signBody ? ", body" : "")); + // build the message to sign, consisting of the URL, the names and values of the included headers and + // the body, if enabled, where each entry is separated from the next by a newline character + StringBuilder message = new StringBuilder(); + // add the URL to the message, followed by a newline + message.append(request.url().toString()); + message.append("\n"); + // add the required headers to the message as 'headername:headervalue', where the headername is in + // lowercase + if (messageSigningConfig.signedHeaders != null) { + for (String header : messageSigningConfig.signedHeaders) { + // add one headername:headervalue\n entry for each header value to be included in the signature + List values = request.headers(header); + for (String value : values) { + message.append(header.toLowerCase()).append(":"); + if (value != null) { + message.append(value); } + message.append("\n"); } } - // add the body to the message - if (messageSigningConfig.signBody) { - okhttp3.RequestBody body = request.body(); - if (body != null) { - Buffer buffer = new Buffer(); - body.writeTo(buffer); - message.append(buffer.readUtf8()); - } - } - // compute the signature and add it to the request (passing on any exceptions that may occur) - if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { - String signature = ApproovService.getMessageSignature(message.toString()); - request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); + } + // add the body to the message + if (messageSigningConfig.signBody) { + okhttp3.RequestBody body = request.body(); + if (body != null) { + Buffer buffer = new Buffer(); + body.writeTo(buffer); + message.append(buffer.readUtf8()); } } + // compute the signature and add it to the request (passing on any exceptions that may occur) + if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { + String signature = ApproovService.getMessageSignature(message.toString()); + request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); + } } // proceed with the rest of the chain From 03613818b44e91937961a88c7125b6ff8be735c1 Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Wed, 8 Jan 2025 16:51:38 +0000 Subject: [PATCH 05/13] Implement message signing changes to apply to different domains and map to configurations --- approov-service/build.gradle | 24 +- .../okhttp/ApproovMessageSigningConfig.java | 87 +++++ .../service/okhttp/ApproovService.java | 97 +++--- build.gradle | 3 +- gradle/wrapper/gradle-wrapper.jar | Bin 49896 -> 43504 bytes gradle/wrapper/gradle-wrapper.properties | 5 +- gradlew | 314 +++++++++++------- gradlew.bat | 184 +++++----- 8 files changed, 439 insertions(+), 275 deletions(-) create mode 100644 approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java diff --git a/approov-service/build.gradle b/approov-service/build.gradle index b80a4f5..ea08e1d 100644 --- a/approov-service/build.gradle +++ b/approov-service/build.gradle @@ -6,18 +6,14 @@ plugins { repositories { mavenCentral() google() - jcenter() - maven { url "https://jitpack.io" } } -group = 'com.github.approov' - android { - compileSdkVersion 30 - + compileSdkVersion 34 + namespace 'io.approov.service.okhttp' defaultConfig { minSdkVersion 21 - targetSdkVersion 28 + targetSdkVersion 34 } buildTypes { @@ -34,18 +30,6 @@ android { dependencies { implementation 'com.squareup.okhttp3:okhttp:4.12.0' - implementation 'com.github.approov:approov-android-sdk:3.2.2' + implementation 'io.approov:approov-android-sdk:3.3.0' } -afterEvaluate { - publishing { - publications { - release(MavenPublication) { - from components.release - groupId = 'com.github.approov' - artifactId = 'approov-service-okhttp' - version = '3.2.2' - } - } - } -} diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java new file mode 100644 index 0000000..48ddcc4 --- /dev/null +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java @@ -0,0 +1,87 @@ +package io.approov.service.okhttp; + +import java.util.ArrayList; + +/* message signing configuration +* This class is used to configure the message signing feature. The message signature can be computed based on the +* request URL, the headers specified in signedHeaders in the order in which they are listed and, optionally, the +* body of the message. The signature will be added to the request headers using the header name specified in header. +* You can have multiple configurations for different domains and a default '*' configuration that will be used if no +* specific configuration is found for a domain. +*/ +public class ApproovMessageSigningConfig { + // the name of the header that will be used to send the message signature + protected String targetHeader; + // the list of headers to include in the message to be signed, in the order they should be added + protected ArrayList signedHeaders; + // true if the message body should also be signed + protected Boolean signBody; + // true if the Approov token header is included in the signature + protected Boolean signApproovToken; + // true if target URL should be included in the signature + protected Boolean signURL; + // true if the network request method should be included in the signature + protected Boolean signMethod; + // constructor + public ApproovMessageSigningConfig(String targetHeader) { + if (targetHeader == null || targetHeader.isEmpty()) + throw new IllegalArgumentException("The target header must be specified"); + this.targetHeader = targetHeader; + this.signedHeaders = new ArrayList<>(); + this.signBody = false; + this.signApproovToken = true; + this.signURL = true; + this.signMethod = true; + } + + /* Get/set methods */ + + /* Get target header */ + public String getTargetHeader() { + return targetHeader; + } + /* Get signed headers */ + public ArrayList getSignedHeaders() { + return signedHeaders; + } + /* Add a header to the list of signed headers: NOTE the sequence of headers DOES matter */ + public void addSignedHeader(String header) { + if (header == null || header.isEmpty()) + throw new IllegalArgumentException("The header must be specified"); + signedHeaders.add(header); + } + /* Get signBody flag */ + public Boolean getSignBody() { + return signBody; + } + /* Set signBody flag */ + public void setSignBody(Boolean signBody) { + this.signBody = signBody; + } + /* Get signApproovToken flag */ + public Boolean getSignApproovToken() { + return signApproovToken; + } + /* Set signApproovToken flag */ + public void setSignApproovToken(Boolean signApproovToken) { + this.signApproovToken = signApproovToken; + } + /* Get signURL flag */ + public Boolean getSignURL() { + return signURL; + } + /* Set signURL flag */ + public void setSignURL(Boolean signURL) { + this.signURL = signURL; + } + /* Get signMethod flag */ + public Boolean getSignMethod() { + return signMethod; + } + /* Set signMethod flag */ + public void setSignMethod(Boolean signMethod) { + this.signMethod = signMethod; + } + + +} diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java index c780a8f..e094234 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java @@ -23,7 +23,6 @@ import com.criticalblue.approovsdk.Approov; import java.io.IOException; -import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; @@ -41,22 +40,6 @@ import okhttp3.Response; import okio.Buffer; -// message signing configuration -class ApproovMessageSigningConfig { - // the name of the header that will be used to send the message signature - public String targetHeader; - // the list of headers to include in the message to be signed, in the order they should be added - public ArrayList signedHeaders; - // true if the message body should also be signed - public Boolean signBody; - // constructor - public ApproovMessageSigningConfig(String targetHeader, ArrayList signedHeaders, Boolean signBody) { - this.targetHeader = targetHeader; - this.signedHeaders = signedHeaders; - this.signBody = signBody; - } -} - // ApproovService provides a mediation layer to the Approov SDK itself public class ApproovService { // logging tag @@ -100,8 +83,8 @@ public class ApproovService { // set of URL regexs that should be excluded from any Approov protection, mapped to the compiled Pattern private static Map exclusionURLRegexs = null; - // message signing configuration, if any - private static ApproovMessageSigningConfig messageSigningConfig; + // message signing configurations mapped to a domain + private static Map messageSigningConfigs = null; /** * Construction is disallowed as this is a static only class. @@ -146,24 +129,20 @@ public static void initialize(Context context, String config) { * * To unset message signing, call this function as setMessageSigning(nil, nil, false) * - * @param header is the name of the header to use for the message signature - * @param signedHeaders is the list of headers in the order in which to include them in the message signature. - * @param signBody is true if the message body should also be included in the message signature + * @param messageConfig is the ApproovMessageSingingConfig object that contains the message signing configuration + * @param domain is the domain for which the message signing configuration should be used; use '*' for the default configuration which is applied when no specific configuration is found for a domain */ - public static synchronized void setMessageSigning(String header, ArrayList signedHeaders, boolean signBody) throws ApproovException { - if ((header == null || header.isEmpty()) && (signedHeaders == null || signedHeaders.isEmpty()) && signBody == false) { - ApproovService.messageSigningConfig = null; + public static synchronized void setMessageSigning(ApproovMessageSigningConfig messageConfig, String domain) throws ApproovException { + if ((messageConfig == null) || (domain == null) || (domain.isEmpty())) { + throw new ApproovException("The message signing configuration and domain must be specified"); } else { - // We check if the the approovTokenHeader matches one of the signedHeaders - for (String signedHeader : signedHeaders) { - if (signedHeader.equals(header)) { - Log.d(TAG, "setMessageSigning " + header + ", " + signedHeaders + ", " + signBody); - ApproovService.messageSigningConfig = new ApproovMessageSigningConfig(header, signedHeaders, signBody); - return; - } + // We check if this is the first message configuration that is created + if (messageSigningConfigs == null) { + messageSigningConfigs = new HashMap<>(); } - // The approovTokenHeader is not included in the signedHeaders list. We throw since this is an error - throw new ApproovException("The Approov Token header: " + approovTokenHeader + " to be used for the message signature must be included in the list of headers to be signed"); + // Add the configuration and domain to the map + messageSigningConfigs.put(domain, messageConfig); + Log.d(TAG, "setMessageSigning for domain: " + domain); } } @@ -219,7 +198,7 @@ public static synchronized void setDevKey(String devKey) throws ApproovException public static synchronized void setApproovHeader(String header, String prefix) throws ApproovException { Log.d(TAG, "setApproovHeader " + header + ", " + prefix); // We only allow this to proceed if message signing is not enabled since changing the header after configuring the message signing is not allowed - if (messageSigningConfig != null) { + if (messageSigningConfigs != null) { throw new ApproovException("The Approov Token header cannot be changed after configuring the message signing"); } approovTokenHeader = header; @@ -486,7 +465,7 @@ else if (approovResults.getStatus() != Approov.TokenFetchStatus.SUCCESS) return approovResults.getToken(); } - // TODO remove this function from the public interface? + /** * Gets the signature for the given message. This uses an account specific message signing key that is * transmitted to the SDK after a successful fetch if the facility is enabled for the account. Note @@ -684,7 +663,7 @@ public static synchronized OkHttpClient getOkHttpClient() { Log.d(TAG, "Building new Approov OkHttpClient"); ApproovTokenInterceptor interceptor = new ApproovTokenInterceptor(approovTokenHeader, approovTokenPrefix, bindingHeader, proceedOnNetworkFail, substitutionHeaders, - substitutionQueryParams, exclusionURLRegexs, messageSigningConfig); + substitutionQueryParams, exclusionURLRegexs, messageSigningConfigs); okHttpClient = okHttpBuilder.certificatePinner(pinBuilder.build()).addInterceptor(interceptor).build(); } else { // if the ApproovService was not initialized then we can't add Approov capabilities @@ -744,7 +723,7 @@ class ApproovTokenInterceptor implements Interceptor { private Map exclusionURLRegexs; // message signing configuration, if any - private ApproovMessageSigningConfig messageSigningConfig; + private Map messageSigningConfigs; /** * Constructs a new interceptor that adds Approov tokens and substitute headers or query @@ -761,7 +740,7 @@ class ApproovTokenInterceptor implements Interceptor { public ApproovTokenInterceptor(String approovTokenHeader, String approovTokenPrefix, String bindingHeader, boolean proceedOnNetworkFail, Map substitutionHeaders, Set substitutionQueryParams, Map exclusionURLRegexs, - ApproovMessageSigningConfig messageSigningConfig) { + Map messageSigningConfigs) { this.approovTokenHeader = approovTokenHeader; this.approovTokenPrefix = approovTokenPrefix; this.bindingHeader = bindingHeader; @@ -778,7 +757,7 @@ public ApproovTokenInterceptor(String approovTokenHeader, String approovTokenPre } } this.exclusionURLRegexs = new HashMap<>(exclusionURLRegexs); - this.messageSigningConfig = messageSigningConfig; + this.messageSigningConfigs = messageSigningConfigs; } @Override @@ -925,18 +904,40 @@ else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) } // if message signing is enabled, add the signature header to the request - if (messageSigningConfig != null) { - Log.d(TAG, "Signing message: headers " + messageSigningConfig.signedHeaders + - (messageSigningConfig.signBody ? ", body" : "")); + if (messageSigningConfigs != null) { + // Match the domain of the request URL against the configured message signing domains + String domain = request.url().host(); + ApproovMessageSigningConfig messageSigningConfig = messageSigningConfigs.get(domain); + if (messageSigningConfig == null) { + // If no specific configuration is found for the domain, use the default configuration + domain = "*"; + messageSigningConfig = messageSigningConfigs.get(domain); + } + if (messageSigningConfig == null) { + // If no default configuration is found, do not sign the message + return chain.proceed(request); + } + Log.d(TAG, "Signing message with configuration for domain: " + domain + ": " + (messageSigningConfig.getSignApproovToken() ? ", " + approovTokenHeader + " **** " : "") + " headers " + messageSigningConfig.getSignedHeaders() + + (messageSigningConfig.getSignBody() ? ", body" : "")); // build the message to sign, consisting of the URL, the names and values of the included headers and // the body, if enabled, where each entry is separated from the next by a newline character StringBuilder message = new StringBuilder(); - // add the URL to the message, followed by a newline - message.append(request.url().toString()); + // 1. add the URL to the message, followed by a newline + message.append(request.url()); + message.append("\n"); + // 2. Add the Method to the message + message.append(request.method()); message.append("\n"); - // add the required headers to the message as 'headername:headervalue', where the headername is in + // 3. add the Approov token to the message, if required (TODO: Note we add the approov token and the prefix!?????) + if (messageSigningConfig.signApproovToken) { + if (approovResults.getToken() != null) { + message.append(approovTokenPrefix + approovResults.getToken()); + } + message.append("\n"); + } + // 4. add the required headers to the message as 'headername:headervalue', where the headername is in // lowercase - if (messageSigningConfig.signedHeaders != null) { + if (messageSigningConfig.getSignedHeaders() != null) { for (String header : messageSigningConfig.signedHeaders) { // add one headername:headervalue\n entry for each header value to be included in the signature List values = request.headers(header); @@ -950,7 +951,7 @@ else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) } } // add the body to the message - if (messageSigningConfig.signBody) { + if (messageSigningConfig.getSignBody()) { okhttp3.RequestBody body = request.body(); if (body != null) { Buffer buffer = new Buffer(); diff --git a/build.gradle b/build.gradle index 255c492..eb4bb13 100644 --- a/build.gradle +++ b/build.gradle @@ -5,7 +5,7 @@ buildscript { mavenCentral() } dependencies { - classpath 'com.android.tools.build:gradle:7.1.1' + classpath 'com.android.tools.build:gradle:8.1.1' // Update to the latest version } } @@ -13,7 +13,6 @@ allprojects { repositories { mavenCentral() google() - maven { url "https://jitpack.io" } jcenter() } } diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index 8c0fb64a8698b08ecc4158d828ca593c4928e9dd..2c3521197d7c4586c843d1d3e9090525f1898cde 100644 GIT binary patch literal 43504 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vW>HF-ViB*%t0;Thq2} z+qP}n=Cp0wwr%5S+qN<7?r+``=l(h0z2`^8j;g2~Q4u?{cIL{JYY%l|iw&YH4FL(8 z1-*E#ANDHi+1f%lMJbRfq*`nG)*#?EJEVoDH5XdfqwR-C{zmbQoh?E zhW!|TvYv~>R*OAnyZf@gC+=%}6N90yU@E;0b_OV#xL9B?GX(D&7BkujjFC@HVKFci zb_>I5e!yuHA1LC`xm&;wnn|3ht3h7|rDaOsh0ePhcg_^Wh8Bq|AGe`4t5Gk(9^F;M z8mFr{uCm{)Uq0Xa$Fw6+da`C4%)M_#jaX$xj;}&Lzc8wTc%r!Y#1akd|6FMf(a4I6 z`cQqS_{rm0iLnhMG~CfDZc96G3O=Tihnv8g;*w?)C4N4LE0m#H1?-P=4{KeC+o}8b zZX)x#(zEysFm$v9W8-4lkW%VJIjM~iQIVW)A*RCO{Oe_L;rQ3BmF*bhWa}!=wcu@# zaRWW{&7~V-e_$s)j!lJsa-J?z;54!;KnU3vuhp~(9KRU2GKYfPj{qA?;#}H5f$Wv-_ zGrTb(EAnpR0*pKft3a}6$npzzq{}ApC&=C&9KoM3Ge@24D^8ZWJDiXq@r{hP=-02& z@Qrn-cbr2YFc$7XR0j7{jAyR;4LLBf_XNSrmd{dV3;ae;fsEjds*2DZ&@#e)Qcc}w zLgkfW=9Kz|eeM$E`-+=jQSt}*kAwbMBn7AZSAjkHUn4n||NBq*|2QPcKaceA6m)g5 z_}3?DX>90X|35eI7?n+>f9+hl5b>#q`2+`FXbOu9Q94UX-GWH;d*dpmSFd~7WM#H2 zvKNxjOtC)U_tx*0(J)eAI8xAD8SvhZ+VRUA?)| zeJjvg9)vi`Qx;;1QP!c_6hJp1=J=*%!>ug}%O!CoSh-D_6LK0JyiY}rOaqSeja&jb#P|DR7 z_JannlfrFeaE$irfrRIiN|huXmQhQUN6VG*6`bzN4Z3!*G?FjN8!`ZTn6Wn4n=Ync z_|Sq=pO7+~{W2}599SfKz@umgRYj6LR9u0*BaHqdEw^i)dKo5HomT9zzB$I6w$r?6 zs2gu*wNOAMK`+5yPBIxSOJpL$@SN&iUaM zQ3%$EQt%zQBNd`+rl9R~utRDAH%7XP@2Z1s=)ks77I(>#FuwydE5>LzFx)8ye4ClM zb*e2i*E$Te%hTKh7`&rQXz;gvm4Dam(r-!FBEcw*b$U%Wo9DIPOwlC5Ywm3WRCM4{ zF42rnEbBzUP>o>MA){;KANhAW7=FKR=DKK&S1AqSxyP;k z;fp_GVuV}y6YqAd)5p=tJ~0KtaeRQv^nvO?*hZEK-qA;vuIo!}Xgec4QGW2ipf2HK z&G&ppF*1aC`C!FR9(j4&r|SHy74IiDky~3Ab)z@9r&vF+Bapx<{u~gb2?*J zSl{6YcZ$&m*X)X?|8<2S}WDrWN3yhyY7wlf*q`n^z3LT4T$@$y``b{m953kfBBPpQ7hT;zs(Nme`Qw@{_pUO0OG zfugi3N?l|jn-Du3Qn{Aa2#6w&qT+oof=YM!Zq~Xi`vlg<;^)Jreeb^x6_4HL-j}sU z1U^^;-WetwPLKMsdx4QZ$haq3)rA#ATpEh{NXto-tOXjCwO~nJ(Z9F%plZ{z(ZW!e zF>nv&4ViOTs58M+f+sGimF^9cB*9b(gAizwyu5|--SLmBOP-uftqVnVBd$f7YrkJ8!jm*QQEQC zEQ+@T*AA1kV@SPF6H5sT%^$$6!e5;#N((^=OA5t}bqIdqf`PiMMFEDhnV#AQWSfLp zX=|ZEsbLt8Sk&wegQU0&kMC|cuY`&@<#r{t2*sq2$%epiTVpJxWm#OPC^wo_4p++U zU|%XFYs+ZCS4JHSRaVET)jV?lbYAd4ouXx0Ka6*wIFBRgvBgmg$kTNQEvs0=2s^sU z_909)3`Ut!m}}@sv<63E@aQx}-!qVdOjSOnAXTh~MKvr$0nr(1Fj-3uS{U6-T9NG1Y(Ua)Nc}Mi< zOBQz^&^v*$BqmTIO^;r@kpaq3n!BI?L{#bw)pdFV&M?D0HKqC*YBxa;QD_4(RlawI z5wBK;7T^4dT7zt%%P<*-M~m?Et;S^tdNgQSn?4$mFvIHHL!`-@K~_Ar4vBnhy{xuy zigp!>UAwPyl!@~(bkOY;un&B~Evy@5#Y&cEmzGm+)L~4o4~|g0uu&9bh8N0`&{B2b zDj2>biRE1`iw}lv!rl$Smn(4Ob>j<{4dT^TfLe-`cm#S!w_9f;U)@aXWSU4}90LuR zVcbw;`2|6ra88#Cjf#u62xq?J)}I)_y{`@hzES(@mX~}cPWI8}SRoH-H;o~`>JWU$ zhLudK3ug%iS=xjv9tnmOdTXcq_?&o30O;(+VmC&p+%+pd_`V}RY4ibQMNE&N5O+hb3bQ8bxk^33Fu4DB2*~t1909gqoutQHx^plq~;@g$d_+rzS0`2;}2UR2h#?p35B=B*f0BZS4ysiWC!kw?4B-dM%m6_BfRbey1Wh? zT1!@>-y=U}^fxH0A`u1)Mz90G6-<4aW^a@l_9L6Y;cd$3<#xIrhup)XLkFi$W&Ohu z8_j~-VeVXDf9b&6aGelt$g*BzEHgzh)KDgII_Y zb$fcY8?XI6-GEGTZVWW%O;njZld)29a_&1QvNYJ@OpFrUH{er@mnh*}326TYAK7_Z zA={KnK_o3QLk|%m@bx3U#^tCChLxjPxMesOc5D4G+&mvp@Clicz^=kQlWp1|+z|V7 zkU#7l61m@^#`1`{+m2L{sZC#j?#>0)2z4}}kqGhB{NX%~+3{5jOyij!e$5-OAs zDvq+>I2(XsY9%NNhNvKiF<%!6t^7&k{L7~FLdkP9!h%=2Kt$bUt(Zwp*&xq_+nco5 zK#5RCM_@b4WBK*~$CsWj!N!3sF>ijS=~$}_iw@vbKaSp5Jfg89?peR@51M5}xwcHW z(@1TK_kq$c4lmyb=aX3-JORe+JmuNkPP=bM*B?};c=_;h2gT-nt#qbriPkpaqoF@q z<)!80iKvTu`T-B3VT%qKO^lfPQ#m5Ei6Y%Fs@%Pt!8yX&C#tL$=|Ma8i?*^9;}Fk> zyzdQQC5YTBO&gx6kB~yhUUT&%q3a3o+zueh>5D7tdByYVcMz@>j!C@Iyg{N1)veYl`SPshuH6Rk=O6pvVrI71rI5*%uU3u81DpD%qmXsbKWMFR@2m4vO_^l6MMbO9a()DcWmYT&?0B_ zuY~tDiQ6*X7;9B*5pj?;xy_B}*{G}LjW*qU&%*QAyt30@-@O&NQTARZ+%VScr>`s^KX;M!p; z?8)|}P}L_CbOn!u(A{c5?g{s31Kn#7i)U@+_KNU-ZyVD$H7rtOjSht8%N(ST-)%r` z63;Hyp^KIm-?D;E-EnpAAWgz2#z{fawTx_;MR7)O6X~*jm*VUkam7>ueT^@+Gb3-Y zN3@wZls8ibbpaoR2xH=$b3x1Ng5Tai=LT2@_P&4JuBQ!r#Py3ew!ZVH4~T!^TcdyC ze#^@k4a(nNe~G+y zI~yXK@1HHWU4pj{gWT6v@$c(x){cLq*KlFeKy?f$_u##)hDu0X_mwL6uKei~oPd9( zRaF_k&w(J3J8b_`F~?0(Ei_pH}U^c&r$uSYawB8Ybs-JZ|&;vKLWX! z|HFZ%-uBDaP*hMcQKf*|j5!b%H40SPD*#{A`kj|~esk@1?q}-O7WyAm3mD@-vHzw( zTSOlO(K9>GW;@?@xSwpk%X3Ui4_Psm;c*HF~RW+q+C#RO_VT5(x!5B#On-W`T|u z>>=t)W{=B-8wWZejxMaBC9sHzBZGv5uz_uu281kxHg2cll_sZBC&1AKD`CYh2vKeW zm#|MMdC}6A&^DX=>_(etx8f}9o}`(G?Y``M?D+aTPJbZqONmSs>y>WSbvs>7PE~cb zjO+1Y)PMi*!=06^$%< z*{b^66BIl{7zKvz^jut7ylDQBt)ba_F*$UkDgJ2gSNfHB6+`OEiz@xs$Tcrl>X4?o zu9~~b&Xl0?w(7lJXu8-9Yh6V|A3f?)1|~+u-q&6#YV`U2i?XIqUw*lc-QTXwuf@8d zSjMe1BhBKY`Mo{$s%Ce~Hv(^B{K%w{yndEtvyYjjbvFY^rn2>C1Lbi!3RV7F>&;zlSDSk}R>{twI}V zA~NK%T!z=^!qbw(OEgsmSj?#?GR&A$0&K>^(?^4iphc3rN_(xXA%joi)k~DmRLEXl zaWmwMolK%@YiyI|HvX{X$*Ei7y+zJ%m{b}$?N7_SN&p+FpeT%4Z_2`0CP=}Y3D-*@ zL|4W4ja#8*%SfkZzn5sfVknpJv&>glRk^oUqykedE8yCgIwCV)fC1iVwMr4hc#KcV!|M-r_N|nQWw@`j+0(Ywct~kLXQ)Qyncmi{Q4`Ur7A{Ep)n`zCtm8D zVX`kxa8Syc`g$6$($Qc-(_|LtQKWZXDrTir5s*pSVmGhk#dKJzCYT?vqA9}N9DGv> zw}N$byrt?Mk*ZZbN5&zb>pv;rU}EH@Rp54)vhZ=330bLvrKPEPu!WqR%yeM3LB!(E zw|J05Y!tajnZ9Ml*-aX&5T8YtuWDq@on)_*FMhz-?m|>RT0~e3OHllrEMthVY(KwQ zu>ijTc4>Xz-q1(g!ESjaZ+C+Zk5FgmF)rFX29_RmU!`7Pw+0}>8xK^=pOxtUDV)ok zw-=p=OvEH&VO3wToRdI!hPHc`qX+_{T_mj!NxcA&xOgkEuvz`-Aa`ZlNv>qnD0`YT1T3USO0ec!%{KE~UOGPJX%I5_rZDGx@|w zVIMsRPP+}^Xxa&{x!q{hY1wat8jDO7YP0(8xHWeEdrd79lUjB8%)v{X1pQu|1dr*y9M&a(J`038}4>lK&K zIM~6wnX{XA?pFHz{hOmEq{oYBnB@56twXqEcFrFqvCy)sH9B{pQ`G50o{W^t&onwY z-l{ur4#8ylPV5YRLD%%j^d0&_WI>0nmfZ8! zaZ&vo@7D`!=?215+Vk181*U@^{U>VyoXh2F&ZNzZx5tDDtlLc)gi2=|o=GC`uaH;< zFuuF?Q9Q`>S#c(~2p|s49RA`3242`2P+)F)t2N!CIrcl^0#gN@MLRDQ2W4S#MXZJO z8<(9P>MvW;rf2qZ$6sHxCVIr0B-gP?G{5jEDn%W#{T#2_&eIjvlVqm8J$*8A#n`5r zs6PuC!JuZJ@<8cFbbP{cRnIZs>B`?`rPWWL*A?1C3QqGEG?*&!*S0|DgB~`vo_xIo z&n_Sa(>6<$P7%Py{R<>n6Jy?3W|mYYoxe5h^b6C#+UoKJ(zl?^WcBn#|7wMI5=?S# zRgk8l-J`oM%GV&jFc)9&h#9mAyowg^v%Fc-7_^ou5$*YvELa!1q>4tHfX7&PCGqW* zu8In~5`Q5qQvMdToE$w+RP^_cIS2xJjghjCTp6Z(za_D<$S;0Xjt?mAE8~Ym{)zfb zV62v9|59XOvR}wEpm~Cnhyr`=JfC$*o15k?T`3s-ZqF6Gy;Gm+_6H$%oJPywWA^Wl zzn$L=N%{VT8DkQba0|2LqGR#O2Pw!b%LV4#Ojcx5`?Cm;+aLpkyZ=!r1z@E}V= z$2v6v%Ai)MMd`@IM&UD!%%(63VH8+m0Ebk<5Du#0=WeK(E<2~3@>8TceT$wy5F52n zRFtY>G9Gp~h#&R92{G{jLruZSNJ4)gNK+zg*$P zW@~Hf>_Do)tvfEAAMKE1nQ=8coTgog&S;wj(s?Xa0!r?UU5#2>18V#|tKvay1Ka53 zl$RxpMqrkv`Sv&#!_u8$8PMken`QL0_sD2)r&dZziefzSlAdKNKroVU;gRJE#o*}w zP_bO{F4g;|t!iroy^xf~(Q5qc8a3<+vBW%VIOQ1!??d;yEn1at1wpt}*n- z0iQtfu}Isw4ZfH~8p~#RQUKwf<$XeqUr-5?8TSqokdHL7tY|47R; z#d+4NS%Cqp>LQbvvAMIhcCX@|HozKXl)%*5o>P2ZegGuOerV&_MeA}|+o-3L!ZNJd z#1xB^(r!IfE~i>*5r{u;pIfCjhY^Oev$Y1MT16w8pJ0?9@&FH*`d;hS=c#F6fq z{mqsHd*xa;>Hg?j80MwZ%}anqc@&s&2v{vHQS68fueNi5Z(VD2eH>jmv4uvE|HEQm z^=b&?1R9?<@=kjtUfm*I!wPf5Xnma(4*DfPk}Es*H$%NGCIM1qt(LSvbl7&tV>e2$ zUqvZOTiwQyxDoxL(mn?n_x%Tre?L&!FYCOy0>o}#DTC3uSPnyGBv*}!*Yv5IV)Bg_t%V+UrTXfr!Q8+eX}ANR*YLzwme7Rl z@q_*fP7wP2AZ(3WG*)4Z(q@)~c{Je&7?w^?&Wy3)v0{TvNQRGle9mIG>$M2TtQ(Vf z3*PV@1mX)}beRTPjoG#&&IO#Mn(DLGp}mn)_0e=9kXDewC8Pk@yo<8@XZjFP-_zic z{mocvT9Eo)H4Oj$>1->^#DbbiJn^M4?v7XbK>co+v=7g$hE{#HoG6ZEat!s~I<^_s zlFee93KDSbJKlv_+GPfC6P8b>(;dlJ5r9&Pc4kC2uR(0{Kjf+SMeUktef``iXD}8` zGufkM9*Sx4>+5WcK#Vqm$g#5z1DUhc_#gLGe4_icSzN5GKr|J&eB)LS;jTXWA$?(k zy?*%U9Q#Y88(blIlxrtKp6^jksNF>-K1?8=pmYAPj?qq}yO5L>_s8CAv=LQMe3J6? zOfWD>Kx_5A4jRoIU}&aICTgdYMqC|45}St;@0~7>Af+uK3vps9D!9qD)1;Y6Fz>4^ zR1X$s{QNZl7l%}Zwo2wXP+Cj-K|^wqZW?)s1WUw_APZLhH55g{wNW3liInD)WHh${ zOz&K>sB*4inVY3m)3z8w!yUz+CKF%_-s2KVr7DpwTUuZjPS9k-em^;>H4*?*B0Bg7 zLy2nfU=ac5N}x1+Tlq^lkNmB~Dj+t&l#fO&%|7~2iw*N!*xBy+ZBQ>#g_;I*+J{W* z=@*15><)Bh9f>>dgQrEhkrr2FEJ;R2rH%`kda8sD-FY6e#7S-<)V*zQA>)Ps)L- zgUuu@5;Ych#jX_KZ+;qEJJbu{_Z9WSsLSo#XqLpCK$gFidk}gddW(9$v}iyGm_OoH ztn$pv81zROq686_7@avq2heXZnkRi4n(3{5jTDO?9iP%u8S4KEqGL?^uBeg(-ws#1 z9!!Y_2Q~D?gCL3MQZO!n$+Wy(Twr5AS3{F7ak2f)Bu0iG^k^x??0}b6l!>Vjp{e*F z8r*(Y?3ZDDoS1G?lz#J4`d9jAEc9YGq1LbpYoFl!W!(j8-33Ey)@yx+BVpDIVyvpZ zq5QgKy>P}LlV?Bgy@I)JvefCG)I69H1;q@{8E8Ytw^s-rC7m5>Q>ZO(`$`9@`49s2)q#{2eN0A?~qS8%wxh%P*99h*Sv` zW_z3<=iRZBQKaDsKw^TfN;6`mRck|6Yt&e$R~tMA0ix;qgw$n~fe=62aG2v0S`7mU zI}gR#W)f+Gn=e3mm*F^r^tcv&S`Rym`X`6K`i8g-a0!p|#69@Bl!*&)QJ9(E7ycxz z)5-m9v`~$N1zszFi^=m%vw}Y{ZyYub!-6^KIY@mwF|W+|t~bZ%@rifEZ-28I@s$C` z>E+k~R1JC-M>8iC_GR>V9f9+uL2wPRATL9bC(sxd;AMJ>v6c#PcG|Xx1N5^1>ISd0 z4%vf-SNOw+1%yQq1YP`>iqq>5Q590_pr?OxS|HbLjx=9~Y)QO37RihG%JrJ^=Nj>g zPTcO$6r{jdE_096b&L;Wm8vcxUVxF0mA%W`aZz4n6XtvOi($ zaL!{WUCh&{5ar=>u)!mit|&EkGY$|YG<_)ZD)I32uEIWwu`R-_ z`FVeKyrx3>8Ep#2~%VVrQ%u#exo!anPe`bc)-M=^IP1n1?L2UQ@# zpNjoq-0+XCfqXS!LwMgFvG$PkX}5^6yxW)6%`S8{r~BA2-c%-u5SE#%mQ~5JQ=o$c z%+qa0udVq9`|=2n=0k#M=yiEh_vp?(tB|{J{EhVLPM^S@f-O*Lgb390BvwK7{wfdMKqUc0uIXKj5>g^z z#2`5^)>T73Eci+=E4n&jl42E@VYF2*UDiWLUOgF#p9`E4&-A#MJLUa&^hB@g7KL+n zr_bz+kfCcLIlAevILckIq~RCwh6dc5@%yN@#f3lhHIx4fZ_yT~o0#3@h#!HCN(rHHC6#0$+1AMq?bY~(3nn{o5g8{*e_#4RhW)xPmK zTYBEntuYd)`?`bzDksI9*MG$=^w!iiIcWg1lD&kM1NF@qKha0fDVz^W7JCam^!AQFxY@7*`a3tfBwN0uK_~YBQ18@^i%=YB}K0Iq(Q3 z=7hNZ#!N@YErE7{T|{kjVFZ+f9Hn($zih;f&q^wO)PJSF`K)|LdT>!^JLf=zXG>>G z15TmM=X`1%Ynk&dvu$Vic!XyFC(c=qM33v&SIl|p+z6Ah9(XQ0CWE^N-LgE#WF6Z+ zb_v`7^Rz8%KKg_@B>5*s-q*TVwu~MCRiXvVx&_3#r1h&L+{rM&-H6 zrcgH@I>0eY8WBX#Qj}Vml+fpv?;EQXBbD0lx%L?E4)b-nvrmMQS^}p_CI3M24IK(f| zV?tWzkaJXH87MBz^HyVKT&oHB;A4DRhZy;fIC-TlvECK)nu4-3s7qJfF-ZZGt7+6C3xZt!ZX4`M{eN|q!y*d^B+cF5W- zc9C|FzL;$bAfh56fg&y0j!PF8mjBV!qA=z$=~r-orU-{0AcQUt4 zNYC=_9(MOWe$Br9_50i#0z!*a1>U6ZvH>JYS9U$kkrCt7!mEUJR$W#Jt5vT?U&LCD zd@)kn%y|rkV|CijnZ((B2=j_rB;`b}F9+E1T46sg_aOPp+&*W~44r9t3AI}z)yUFJ z+}z5E6|oq+oPC3Jli)EPh9)o^B4KUYkk~AU9!g`OvC`a!#Q>JmDiMLTx>96_iDD9h@nW%Je4%>URwYM%5YU1&Dcdulvv3IH3GSrA4$)QjlGwUt6 zsR6+PnyJ$1x{|R=ogzErr~U|X!+b+F8=6y?Yi`E$yjWXsdmxZa^hIqa)YV9ubUqOj&IGY}bk zH4*DEn({py@MG5LQCI;J#6+98GaZYGW-K-&C`(r5#?R0Z){DlY8ZZk}lIi$xG}Q@2 z0LJhzuus-7dLAEpG1Lf+KOxn&NSwO{wn_~e0=}dovX)T(|WRMTqacoW8;A>8tTDr+0yRa+U!LW z!H#Gnf^iCy$tTk3kBBC=r@xhskjf1}NOkEEM4*r+A4`yNAIjz`_JMUI#xTf$+{UA7 zpBO_aJkKz)iaKqRA{8a6AtpdUwtc#Y-hxtZnWz~i(sfjMk`lq|kGea=`62V6y)TMPZw8q}tFDDHrW_n(Z84ZxWvRrntcw;F|Mv4ff9iaM% z4IM{=*zw}vIpbg=9%w&v`sA+a3UV@Rpn<6`c&5h+8a7izP>E@7CSsCv*AAvd-izwU z!sGJQ?fpCbt+LK`6m2Z3&cKtgcElAl){*m0b^0U#n<7?`8ktdIe#ytZTvaZy728o6 z3GDmw=vhh*U#hCo0gb9s#V5(IILXkw>(6a?BFdIb0%3~Y*5FiMh&JWHd2n(|y@?F8 zL$%!)uFu&n+1(6)oW6Hx*?{d~y zBeR)N*Z{7*gMlhMOad#k4gf`37OzEJ&pH?h!Z4#mNNCfnDI@LbiU~&2Gd^q7ix8~Y6$a=B9bK(BaTEO0$Oh=VCkBPwt0 zf#QuB25&2!m7MWY5xV_~sf(0|Y*#Wf8+FQI(sl2wgdM5H7V{aH6|ntE+OcLsTC`u; zeyrlkJgzdIb5=n#SCH)+kjN)rYW7=rppN3Eb;q_^8Zi}6jtL@eZ2XO^w{mCwX(q!t ztM^`%`ndZ5c+2@?p>R*dDNeVk#v>rsn>vEo;cP2Ecp=@E>A#n0!jZACKZ1=D0`f|{ zZnF;Ocp;$j86m}Gt~N+Ch6CJo7+Wzv|nlsXBvm z?St-5Ke&6hbGAWoO!Z2Rd8ARJhOY|a1rm*sOif%Th`*=^jlgWo%e9`3sS51n*>+Mh(9C7g@*mE|r%h*3k6I_uo;C!N z7CVMIX4kbA#gPZf_0%m18+BVeS4?D;U$QC`TT;X zP#H}tMsa=zS6N7n#BA$Fy8#R7vOesiCLM@d1UO6Tsnwv^gb}Q9I}ZQLI?--C8ok&S z9Idy06+V(_aj?M78-*vYBu|AaJ9mlEJpFEIP}{tRwm?G{ag>6u(ReBKAAx zDR6qe!3G88NQP$i99DZ~CW9lzz}iGynvGA4!yL}_9t`l*SZbEL-%N{n$%JgpDHJRn zvh<{AqR7z@ylV`kXdk+uEu-WWAt^=A4n(J=A1e8DpeLzAd;Nl#qlmp#KcHU!8`YJY zvBZy@>WiBZpx*wQ8JzKw?@k}8l99Wo&H>__vCFL}>m~MTmGvae% zPTn9?iR=@7NJ)?e+n-4kx$V#qS4tLpVUX*Je0@`f5LICdxLnph&Vjbxd*|+PbzS(l zBqqMlUeNoo8wL&_HKnM^8{iDI3IdzJAt32UupSr6XXh9KH2LjWD)Pz+`cmps%eHeD zU%i1SbPuSddp6?th;;DfUlxYnjRpd~i7vQ4V`cD%4+a9*!{+#QRBr5^Q$5Ec?gpju zv@dk9;G>d7QNEdRy}fgeA?i=~KFeibDtYffy)^OP?Ro~-X!onDpm+uGpe&6)*f@xJ zE1I3Qh}`1<7aFB@TS#}ee={<#9%1wOL%cuvOd($y4MC2?`1Nin=pVLXPkknn*0kx> z!9XHW${hYEV;r6F#iz7W=fg|a@GY0UG5>>9>$3Bj5@!N{nWDD`;JOdz_ZaZVVIUgH zo+<=+n8VGL*U%M|J$A~#ll__<`y+jL>bv;TpC!&|d=q%E2B|5p=)b-Q+ZrFO%+D_u z4%rc8BmOAO6{n(i(802yZW93?U;K^ZZlo0Gvs7B+<%}R;$%O}pe*Gi;!xP-M73W`k zXLv473Ex_VPcM-M^JO|H>KD;!sEGJ|E}Qepen;yNG2 zXqgD5sjQUDI(XLM+^8ZX1s_(X+PeyQ$Q5RukRt|Kwr-FSnW!^9?OG64UYX1^bU9d8 zJ}8K&UEYG+Je^cThf8W*^RqG07nSCmp*o5Z;#F zS?jochDWX@p+%CZ%dOKUl}q{9)^U@}qkQtA3zBF)`I&zyIKgb{mv)KtZ}?_h{r#VZ z%C+hwv&nB?we0^H+H`OKGw-&8FaF;=ei!tAclS5Q?qH9J$nt+YxdKkbRFLnWvn7GH zezC6<{mK0dd763JlLFqy&Oe|7UXII;K&2pye~yG4jldY~N;M9&rX}m76NsP=R#FEw zt(9h+=m9^zfl=6pH*D;JP~OVgbJkXh(+2MO_^;%F{V@pc2nGn~=U)Qx|JEV-e=vXk zPxA2J<9~IH{}29#X~KW$(1reJv}lc4_1JF31gdev>!CddVhf_62nsr6%w)?IWxz}{ z(}~~@w>c07!r=FZANq4R!F2Qi2?QGavZ{)PCq~X}3x;4ylsd&m;dQe;0GFSn5 zZ*J<=Xg1fEGYYDZ0{Z4}Jh*xlXa}@412nlKSM#@wjMM z*0(k>Gfd1Mj)smUuX}EM6m)811%n5zzr}T?$ZzH~*3b`3q3gHSpA<3cbzTeRDi`SA zT{O)l3%bH(CN0EEF9ph1(Osw5y$SJolG&Db~uL!I3U{X`h(h%^KsL71`2B1Yn z7(xI+Fk?|xS_Y5)x?oqk$xmjG@_+JdErI(q95~UBTvOXTQaJs?lgrC6Wa@d0%O0cC zzvslIeWMo0|C0({iEWX{=5F)t4Z*`rh@-t0ZTMse3VaJ`5`1zeUK0~F^KRY zj2z-gr%sR<(u0@SNEp%Lj38AB2v-+cd<8pKdtRU&8t3eYH#h7qH%bvKup4cnnrN>l z!5fve)~Y5_U9US`uXDFoOtx2gI&Z!t&VPIoqiv>&H(&1;J9b}kZhcOX7EiW*Bujy#MaCl52%NO-l|@2$aRKvZ!YjwpXwC#nA(tJtd1p?jx&U|?&jcb!0MT6oBlWurVRyiSCX?sN3j}d zh3==XK$^*8#zr+U^wk(UkF}bta4bKVgr`elH^az{w(m}3%23;y7dsEnH*pp{HW$Uk zV9J^I9ea7vp_A}0F8qF{>|rj`CeHZ?lf%HImvEJF<@7cgc1Tw%vAUA47{Qe(sP^5M zT=z<~l%*ZjJvObcWtlN?0$b%NdAj&l`Cr|x((dFs-njsj9%IIqoN|Q?tYtJYlRNIu zY(LtC-F14)Og*_V@gjGH^tLV4uN?f^#=dscCFV~a`r8_o?$gj3HrSk=YK2k^UW)sJ z&=a&&JkMkWshp0sto$c6j8f$J!Bsn*MTjC`3cv@l@7cINa!}fNcu(0XF7ZCAYbX|WJIL$iGx8l zGFFQsw}x|i!jOZIaP{@sw0BrV5Z5u!TGe@JGTzvH$}55Gf<;rieZlz+6E1}z_o3m2 z(t;Cp^Geen7iSt)ZVtC`+tzuv^<6--M`^5JXBeeLXV)>2;f7=l%(-4?+<5~;@=Th{1#>rK3+rLn(44TAFS@u(}dunUSYu}~))W*fr` zkBL}3k_@a4pXJ#u*_N|e#1gTqxE&WPsfDa=`@LL?PRR()9^HxG?~^SNmeO#^-5tMw zeGEW&CuX(Uz#-wZOEt8MmF}hQc%14L)0=ebo`e$$G6nVrb)afh!>+Nfa5P;N zCCOQ^NRel#saUVt$Ds0rGd%gkKP2LsQRxq6)g*`-r(FGM!Q51c|9lk!ha8Um3ys1{ zWpT7XDWYshQ{_F!8D8@3hvXhQDw;GlkUOzni&T1>^uD){WH3wRONgjh$u4u7?+$(Y zqTXEF>1aPNZCXP0nJ;zs6_%6;+D&J_|ugcih**y(4ApT`RKAi5>SZe0Bz|+l7z>P14>0ljIH*LhK z@}2O#{?1RNa&!~sEPBvIkm-uIt^Pt#%JnsbJ`-T0%pb ze}d;dzJFu7oQ=i`VHNt%Sv@?7$*oO`Rt*bRNhXh{FArB`9#f%ksG%q?Z`_<19;dBW z5pIoIo-JIK9N$IE1)g8@+4}_`sE7;Lus&WNAJ^H&=4rGjeAJP%Dw!tn*koQ&PrNZw zY88=H7qpHz11f}oTD!0lWO>pMI;i4sauS`%_!zM!n@91sLH#rz1~iEAu#1b%LA zhB}7{1(8{1{V8+SEs=*f=FcRE^;`6Pxm$Hie~|aD~W1BYy#@Y$C?pxJh*cC!T@8C9{xx*T*8P zhbkRk3*6)Zbk%}u>^?ItOhxdmX$j9KyoxxN>NrYGKMkLF4*fLsL_PRjHNNHCyaUHN z7W8yEhf&ag07fc9FD>B{t0#Civsoy0hvVepDREX(NK1LbK0n*>UJp&1FygZMg7T^G z(02BS)g#qMOI{RJIh7}pGNS8WhSH@kG+4n=(8j<+gVfTur)s*hYus70AHUBS2bN6Zp_GOHYxsbg{-Rcet{@0gzE`t$M0_!ZIqSAIW53j+Ln7N~8J zLZ0DOUjp^j`MvX#hq5dFixo^1szoQ=FTqa|@m>9F@%>7OuF9&_C_MDco&-{wfLKNrDMEN4pRUS8-SD6@GP`>_7$;r>dJo>KbeXm>GfQS? zjFS+Y6^%pDCaI0?9(z^ELsAE1`WhbhNv5DJ$Y}~r;>FynHjmjmA{bfDbseZXsKUv`%Fekv)1@f%7ti;B5hhs}5db1dP+P0${1DgKtb(DvN}6H6;0*LP6blg*rpr;Z(7? zrve>M`x6ZI(wtQc4%lO?v5vr{0iTPl&JT!@k-7qUN8b$O9YuItu7zrQ*$?xJIN#~b z#@z|*5z&D7g5>!o(^v+3N?JnJns5O2W4EkF>re*q1uVjgT#6ROP5>Ho)XTJoHDNRC zuLC(Cd_ZM?FAFPoMw;3FM4Ln0=!+vgTYBx2TdXpM@EhDCorzTS6@2`swp4J^9C0)U zq?)H8)=D;i+H`EVYge>kPy8d*AxKl};iumYu^UeM+e_3>O+LY`D4?pD%;Vextj!(; zomJ(u+dR(0m>+-61HTV7!>03vqozyo@uY@Zh^KrW`w7^ENCYh86_P2VC|4}(ilMBe zwa&B|1a7%Qkd>d14}2*_yYr@8-N}^&?LfSwr)C~UUHr)ydENu=?ZHkvoLS~xTiBH= zD%A=OdoC+10l7@rXif~Z#^AvW+4M-(KQBj=Nhgts)>xmA--IJf1jSZF6>@Ns&nmv} zXRk`|`@P5_9W4O-SI|f^DCZ-n*yX@2gf6N)epc~lRWl7QgCyXdx|zr^gy>q`Vwn^y z&r3_zS}N=HmrVtTZhAQS`3$kBmVZDqr4+o(oNok?tqel9kn3;uUerFRti=k+&W{bb zT{ZtEf51Qf+|Jc*@(nyn#U+nr1SFpu4(I7<1a=)M_yPUAcKVF+(vK!|DTL2;P)yG~ zrI*7V)wN_92cM)j`PtAOFz_dO)jIfTeawh2{d@x0nd^#?pDkBTBzr0Oxgmvjt`U^$ zcTPl=iwuen=;7ExMVh7LLFSKUrTiPJpMB&*Ml32>wl} zYn(H0N4+>MCrm2BC4p{meYPafDEXd4yf$i%ylWpC|9%R4XZBUQiha(x%wgQ5iJ?K_wQBRfw z+pYuKoIameAWV7Ex4$PCd>bYD7)A9J`ri&bwTRN*w~7DR0EeLXW|I2()Zkl6vxiw? zFBX){0zT@w_4YUT4~@TXa;nPb^Tu$DJ=vluc~9)mZ}uHd#4*V_eS7)^eZ9oI%Wws_ z`;97^W|?_Z6xHSsE!3EKHPN<3IZ^jTJW=Il{rMmlnR#OuoE6dqOO1KOMpW84ZtDHNn)(pYvs=frO`$X}sY zKY0At$G85&2>B|-{*+B*aqQn&Mqjt*DVH2kdwEm5f}~Xwn9+tPt?EPwh8=8=VWA8rjt*bHEs1FJ92QohQ)Y z4sQH~AzB5!Pisyf?pVa0?L4gthx2;SKlrr?XRU`?Y>RJgUeJn!az#sNF7oDbzksrD zw8)f=f1t*UK&$}_ktf!yf4Rjt{56ffTA{A=9n})E7~iXaQkE+%GW4zqbmlYF(|hE@ z421q9`UQf$uA5yDLx67`=EnSTxdEaG!6C%9_obpb?;u-^QFX% zU1wQ}Li{PeT^fS;&Sk2#$ZM#Zpxrn7jsd<@qhfWy*H)cw9q!I9!fDOCw~4zg zbW`EHsTp9IQUCETUse)!ZmuRICx}0Oe1KVoqdK+u>67A8v`*X*!*_i5`_qTzYRkbYXg#4vT5~A{lK#bA}Oc4ePu5hr-@;i%Z!4Y;-(yR z(1rHYTc7i1h1aipP4DaIY3g2kF#MX{XW7g&zL!39ohO98=eo5nZtq+nz}2E$OZpxx z&OFaOM1O;?mxq+`%k>YS!-=H7BB&WhqSTUC{S!x*k9E zcB;u0I!h%3nEchQwu1GnNkaQxuWnW0D@Xq5j@5WE@E(WlgDU;FLsT*eV|Bh)aH0;~@^yygFj<=+Vu3p)LlF%1AA%y5z-Oh`2 z$RDKk_6r+f#I`8fQ%y#Wx%~de1qkWL2(q^~veLKwht-dIcpt(@lc>`~@mISRIPKPm zD!Za&aX@7dy*CT!&Z7JC1jP2@8+ro8SmlH>_gzRte%ojgiwfd?TR+%Ny0`sp`QRLy zl5TiQkFhIC!2aaJ&=Ua`c9UuOk9GkSFZ}!IGeMZ5MXrL zGtMj`m{(X9+l%=d|L zW2OY?8!_pyhvJ1@O!Chsf6}@3HmKq@)x;CFItPMpkSr@npO&8zMc_O?*|sqkuL^U? zV9+x3vbr|6;Ft0J^J>IH_xpa<{S5K?u-sQWC7FB9YFMwoCKK3WZ*gvO-wAApF`K%#7@1 z^sEj4*%hH`f0@sRDGI|#Dl20o$Z*gttP$q(_?#~2!H9(!d=)I93-3)?e%@$1^*F=t9t&OQ9!p84Z`+y<$yQ9wlamK~Hz2CRpS8dWJfBl@(M2qX!9d_F= zd|4A&U~8dX^M25wyC7$Swa22$G61V;fl{%Q4Lh!t_#=SP(sr_pvQ=wqOi`R)do~QX zk*_gsy75$xoi5XE&h7;-xVECk;DLoO0lJ3|6(Ba~ezi73_SYdCZPItS5MKaGE_1My zdQpx?h&RuoQ7I=UY{2Qf ziGQ-FpR%piffR_4X{74~>Q!=i`)J@T415!{8e`AXy`J#ZK)5WWm3oH?x1PVvcAqE@ zWI|DEUgxyN({@Y99vCJVwiGyx@9)y2jNg`R{$s2o;`4!^6nDX_pb~fTuzf>ZoPV@X zXKe1ehcZ+3dxCB+vikgKz8pvH?>ZzlOEObd{(-aWY;F0XIbuIjSA+!%TNy87a>BoX zsae$}Fcw&+)z@n{Fvzo;SkAw0U*}?unSO)^-+sbpNRjD8&qyfp%GNH;YKdHlz^)4( z;n%`#2Pw&DPA8tc)R9FW7EBR3?GDWhf@0(u3G4ijQV;{qp3B)`Fd}kMV}gB2U%4Sy z3x>YU&`V^PU$xWc4J!OG{Jglti@E3rdYo62K31iu!BU&pdo}S66Ctq{NB<88P92Y9 zTOqX$h6HH_8fKH(I>MEJZl1_2GB~xI+!|BLvN;CnQrjHuh?grzUO7h;1AbzLi|_O= z2S=(0tX#nBjN92gRsv;7`rDCATA!o(ZA}6)+;g;T#+1~HXGFD1@3D#|Ky9!E@)u=h z3@zg3Us0BCYmq(pB`^QTp|RB9!lX*{;7r|Z(^>J+av(0-oUmIdR78c4(q%hP#=R@W ze{;yy$T^8kXr(oC*#NQMZSQlgU)aa=BrZDwpLUk5tm&(AkNt&Gel`=ydcL*<@Ypx{ z2uOxl>2vSY2g3%Si&JU<9D5#{_z{9PzJh=miNH;STk^;5#%8iMRfPe#G~T>^U_zt? zgSE)`UQhb!G$at%yCf5MU)<&(L73(hY3*%qqPbX;`%QDHed3ZaWw^k)8Vjd#ePg@;I&pMe+A18k+S+bou|QX?8eQ`{P-0vrm=uR;Y(bHV>d>Gen4LHILqcm_ z3peDMRE3JMA8wWgPkSthI^K<|8aal38qvIcEgLjHAFB0P#IfqP2y}L>=8eBR}Fm^V*mw2Q4+o=exP@*#=Zs zIqHh@neG)Vy%v4cB1!L}w9J>IqAo}CsqbFPrUVc@;~Ld7t_2IIG=15mT7Itrjq#2~ zqX*&nwZP>vso$6W!#` z-YZ}jhBwQku-Qc>TIMpn%_z~`^u4v3Skyf)KA}V{`dr!Q;3xK1TuGYdl}$sKF^9X!*a-R*Oq1#tLq!W)gO}{q`1HM;oh1-k4FU@8W(qe>P05$+ z`ud2&;4IW4vq8#2yA{G>OH=G+pS_jctJ*BqD$j-MI#avR+<>m-`H1@{3VgKYn2_Ih z0`2_1qUMRuzgj_V^*;5Ax_0s{_3tYR>|$i#c!F7)#`oVGmsD*M2?%930cBSI4Mj>P zTm&JmUrvDXlB%zeA_7$&ogjGK3>SOlV$ct{4)P0k)Kua%*fx9?)_fkvz<(G=F`KCp zE`0j*=FzH$^Y@iUI}MM2Hf#Yr@oQdlJMB5xe0$aGNk%tgex;0)NEuVYtLEvOt{}ti zL`o$K9HnnUnl*;DTGTNiwr&ydfDp@3Y)g5$pcY9l1-9g;yn6SBr_S9MV8Xl+RWgwb zXL%kZLE4#4rUO(Pj484!=`jy74tQxD0Zg>99vvQ}R$7~GW)-0DVJR@$5}drsp3IQG zlrJL}M{+SdWbrO@+g2BY^a}0VdQtuoml`jJ2s6GsG5D@(^$5pMi3$27psEIOe^n=*Nj|Ug7VXN0OrwMrRq&@sR&vdnsRlI%*$vfmJ~)s z^?lstAT$Ked`b&UZ@A6I<(uCHGZ9pLqNhD_g-kj*Sa#0%(=8j}4zd;@!o;#vJ+Bsd z4&K4RIP>6It9Ir)ey?M6Gi6@JzKNg;=jM=$)gs2#u_WhvuTRwm1x2^*!e%l&j02xz zYInQgI$_V7Epzf3*BU~gos}|EurFj8l}hsI(!5yX!~ECL%cnYMS-e<`AKDL%(G)62 zPU;uF1(~(YbH2444JGh58coXT>(*CdEwaFuyvB|%CULgVQesH$ znB`vk3BMP<-QauWOZ0W6xB5y7?tE5cisG|V;bhY^8+*BH1T0ZLbn&gi12|a9Oa%;I zxvaxX_xe3@ng%;4C?zPHQ1v%dbhjA6Sl7w<*)Nr#F{Ahzj}%n9c&!g5HVrlvUO&R2C)_$x6M9 zahficAbeHL2%jILO>Pq&RPPxl;i{K5#O*Yt15AORTCvkjNfJ)LrN4K{sY7>tGuTQ@ z^?N*+xssG&sfp0c$^vV*H)U1O!fTHk8;Q7@42MT@z6UTd^&DKSxVcC-1OLjl7m63& zBb&goU!hes(GF^yc!107bkV6Pr%;A-WWd@DK2;&=zyiK*0i^0@f?fh2c)4&DRSjrI zk!W^=l^JKlPW9US{*yo?_XT@T2Bx+Cm^+r{*5LVcKVw*ll3+)lkebA-4)o z8f5xHWOx0!FDSs4nv@o@>mxTQrOeKzj@5uL`d>mXSp|#{FE54EE_!KtQNq>-G(&5) ztz?xkqPU16A-8@-quJ|SU^ClZ?bJ2kCJPB|6L>NTDYBprw$WcwCH{B z5qlJ6wK_9sT@Kl6G|Q&$gsl@WT>hE;nDAbH#%f1ZwuOkvWLj{qV$m3LF423&l!^iV zhym*>R>Yyens++~6F5+uZQTCz9t~PEW+e?w)XF2g!^^%6k?@Jcu;MG0FG9!T+Gx{Z zK;31y@(J{!-$k4E{5#Sv(2DGy3EZQY}G_*z*G&CZ_J?m&Fg4IBrvPx1w z1zAb3k}6nT?E)HNCi%}aR^?)%w-DcpBR*tD(r_c{QU6V&2vU-j0;{TVDN6los%YJZ z5C(*ZE#kv-BvlGLDf9>EO#RH_jtolA)iRJ>tSfJpF!#DO+tk% zBAKCwVZwO^p)(Rhk2en$XLfWjQQ`ix>K}Ru6-sn8Ih6k&$$y`zQ}}4dj~o@9gX9_= z#~EkchJqd5$**l}~~6mOl(q#GMIcFg&XCKO;$w>!K14 zko1egAORiG{r|8qj*FsN>?7d`han?*MD#xe^)sOqj;o;hgdaVnBH$BM{_73?znS+R z*G2VHM!Jw6#<FfJ-J%-9AuDW$@mc-Eyk~F{Jbvt` zn;(%DbBDnKIYr~|I>ZTvbH@cxUyw%bp*)OSs}lwO^HTJ2M#u5QsPF0?Jv*OVPfdKv z+t$Z5P!~jzZ~Y!d#iP?S{?M_g%Ua0Q)WawbIx+2uYpcf(7Im%W=rAu4dSceo7RZh# zN38=RmwOJQE$qbPXIuO^E`wSeJKCx3Q76irp~QS#19dusEVCWPrKhK9{7cbIMg9U} TZiJi*F`$tkWLn) literal 49896 zcmagFb986H(k`5d^NVfUwr$(C?M#x1ZQHiZiEVpg+jrjgoQrerx!>1o_ul)D>ebz~ zs=Mmxr&>W81QY-S1PKWQ%N-;H^tS;2*XwVA`dej1RRn1z<;3VgfE4~kaG`A%QSPsR z#ovnZe+tS9%1MfeDyz`RirvdjPRK~p(#^q2(^5@O&NM19EHdvN-A&StN>0g6QA^VN z0Gx%Gq#PD$QMRFzmK+utjS^Y1F0e8&u&^=w5K<;4Rz|i3A=o|IKLY+g`iK6vfr9?+ z-`>gmU&i?FGSL5&F?TXFu`&Js6h;15QFkXp2M1H9|Eq~bpov-GU(uz%mH0n55wUl- zv#~ccAz`F5wlQ>e_KlJS3@{)B?^v*EQM=IxLa&76^y51a((wq|2-`qON>+4dLc{Oo z51}}o^Zen(oAjxDK7b++9_Yg`67p$bPo3~BCpGM7uAWmvIhWc5Gi+gQZ|Pwa-Gll@<1xmcPy z|NZmu6m)g5Ftu~BG&Xdxclw7Cij{xbBMBn-LMII#Slp`AElb&2^Hw+w>(3crLH!;I zN+Vk$D+wP1#^!MDCiad@vM>H#6+`Ct#~6VHL4lzmy;lSdk>`z6)=>Wh15Q2)dQtGqvn0vJU@+(B5{MUc*qs4!T+V=q=wy)<6$~ z!G>e_4dN@lGeF_$q9`Ju6Ncb*x?O7=l{anm7Eahuj_6lA{*#Gv*TaJclevPVbbVYu z(NY?5q+xxbO6%g1xF0r@Ix8fJ~u)VRUp`S%&rN$&e!Od`~s+64J z5*)*WSi*i{k%JjMSIN#X;jC{HG$-^iX+5f5BGOIHWAl*%15Z#!xntpk($-EGKCzKa zT7{siZ9;4TICsWQ$pu&wKZQTCvpI$Xvzwxoi+XkkpeE&&kFb!B?h2hi%^YlXt|-@5 zHJ~%AN!g_^tmn1?HSm^|gCE#!GRtK2(L{9pL#hp0xh zME}|DB>(5)`iE7CM)&_+S}-Bslc#@B5W4_+k4Cp$l>iVyg$KP>CN?SVGZ(&02>iZK zB<^HP$g$Lq*L$BWd?2(F?-MUbNWTJVQdW7$#8a|k_30#vHAD1Z{c#p;bETk0VnU5A zBgLe2HFJ3032$G<`m*OB!KM$*sdM20jm)It5OSru@tXpK5LT>#8)N!*skNu1$TpIw zufjjdp#lyH5bZ%|Iuo|iu9vG1HrIVWLH>278xo>aVBkPN3V$~!=KnlXQ4eDqS7%E% zQ!z^$Q$b^6Q)g#cLpwur(|<0gWHo6A6jc;n`t(V9T;LzTAU{IAu*uEQ%Ort1k+Kn+f_N`9|bxYC+~Z1 zCC1UCWv*Orx$_@ydv9mIe(liLfOr7mhbV@tKw{6)q^1DH1nmvZ0cj215R<~&I<4S| zgnr;9Cdjqpz#o8i0CQjtl`}{c*P)aSdH|abxGdrR)-3z+02-eX(k*B)Uqv6~^nh** z zGh0A%o~bd$iYvP!egRY{hObDIvy_vXAOkeTgl5o!33m!l4VLm@<-FwT0+k|yl~vUh z@RFcL4=b(QQQmwQ;>FS_e96dyIU`jmR%&&Amxcb8^&?wvpK{_V_IbmqHh);$hBa~S z;^ph!k~noKv{`Ix7Hi&;Hq%y3wpqUsYO%HhI3Oe~HPmjnSTEasoU;Q_UfYbzd?Vv@ zD6ztDG|W|%xq)xqSx%bU1f>fF#;p9g=Hnjph>Pp$ZHaHS@-DkHw#H&vb1gARf4A*zm3Z75QQ6l( z=-MPMjish$J$0I49EEg^Ykw8IqSY`XkCP&TC?!7zmO`ILgJ9R{56s-ZY$f> zU9GwXt`(^0LGOD9@WoNFK0owGKDC1)QACY_r#@IuE2<`tep4B#I^(PRQ_-Fw(5nws zpkX=rVeVXzR;+%UzoNa;jjx<&@ABmU5X926KsQsz40o*{@47S2 z)p9z@lt=9?A2~!G*QqJWYT5z^CTeckRwhSWiC3h8PQ0M9R}_#QC+lz>`?kgy2DZio zz&2Ozo=yTXVf-?&E;_t`qY{Oy>?+7+I= zWl!tZM_YCLmGXY1nKbIHc;*Mag{Nzx-#yA{ zTATrWj;Nn;NWm6_1#0zy9SQiQV=38f(`DRgD|RxwggL(!^`}lcDTuL4RtLB2F5)lt z=mNMJN|1gcui=?#{NfL{r^nQY+_|N|6Gp5L^vRgt5&tZjSRIk{_*y<3^NrX6PTkze zD|*8!08ZVN)-72TA4Wo3B=+Rg1sc>SX9*X>a!rR~ntLVYeWF5MrLl zA&1L8oli@9ERY|geFokJq^O$2hEpVpIW8G>PPH0;=|7|#AQChL2Hz)4XtpAk zNrN2@Ju^8y&42HCvGddK3)r8FM?oM!3oeQ??bjoYjl$2^3|T7~s}_^835Q(&b>~3} z2kybqM_%CIKk1KSOuXDo@Y=OG2o!SL{Eb4H0-QCc+BwE8x6{rq9j$6EQUYK5a7JL! z`#NqLkDC^u0$R1Wh@%&;yj?39HRipTeiy6#+?5OF%pWyN{0+dVIf*7@T&}{v%_aC8 zCCD1xJ+^*uRsDT%lLxEUuiFqSnBZu`0yIFSv*ajhO^DNoi35o1**16bg1JB z{jl8@msjlAn3`qW{1^SIklxN^q#w|#gqFgkAZ4xtaoJN*u z{YUf|`W)RJfq)@6F&LfUxoMQz%@3SuEJHU;-YXb7a$%W=2RWu5;j44cMjC0oYy|1! zed@H>VQ!7=f~DVYkWT0nfQfAp*<@FZh{^;wmhr|K(D)i?fq9r2FEIatP=^0(s{f8GBn<8T zVz_@sKhbLE&d91L-?o`13zv6PNeK}O5dv>f{-`!ms#4U+JtPV=fgQ5;iNPl9Hf&9( zsJSm5iXIqN7|;I5M08MjUJ{J2@M3 zYN9ft?xIjx&{$K_>S%;Wfwf9N>#|ArVF^shFb9vS)v9Gm00m_%^wcLxe;gIx$7^xR zz$-JDB|>2tnGG@Rrt@R>O40AreXSU|kB3Bm)NILHlrcQ&jak^+~b`)2;otjI(n8A_X~kvp4N$+4|{8IIIv zw*(i}tt+)Kife9&xo-TyoPffGYe;D0a%!Uk(Nd^m?SvaF-gdAz4~-DTm3|Qzf%Pfd zC&tA;D2b4F@d23KV)Csxg6fyOD2>pLy#n+rU&KaQU*txfUj&D3aryVj!Lnz*;xHvl zzo}=X>kl0mBeSRXoZ^SeF94hlCU*cg+b}8p#>JZvWj8gh#66A0ODJ`AX>rubFqbBw z-WR3Z5`33S;7D5J8nq%Z^JqvZj^l)wZUX#7^q&*R+XVPln{wtnJ~;_WQzO{BIFV55 zLRuAKXu+A|7*2L*<_P${>0VdVjlC|n^@lRi}r?wnzQQm z3&h~C3!4C`w<92{?Dpea@5nLP2RJrxvCCBh%Tjobl2FupWZfayq_U$Q@L%$uEB6#X zrm_1TZA8FEtkd`tg)a_jaqnv3BC_O*AUq-*RNLOT)$>2D!r>FZdH&$x5G_FiAPaw4 zgK*7>(qd6R?+M3s@h>Z|H%7eGPxJWn_U$w`fb(Mp+_IK2Kj37YT#Xe5e6KS-_~mW} z`NXEovDJh7n!#q4b+=ne<7uB7Y2(TAR<3@PS&o3P$h#cZ-xF$~JiH6_gsv9v(#ehK zhSB_#AI%lF#+!MB5DMUN+Zhf}=t~{B|Fn{rGM?dOaSvX!D{oGXfS*%~g`W84JJAy4 zMdS?9Bb$vx?`91$J`pD-MGCTHNxU+SxLg&QY+*b_pk0R=A`F}jw$pN*BNM8`6Y=cm zgRh#vab$N$0=XjH6vMyTHQg*+1~gwOO9yhnzZx#e!1H#|Mr<`jJGetsM;$TnciSPJ z5I-R0)$)0r8ABy-2y&`2$33xx#%1mp+@1Vr|q_e=#t7YjjWXH#3F|Fu<G#+-tE2K7 zOJkYxNa74@UT_K4CyJ%mR9Yfa$l=z}lB(6)tZ1Ksp2bv$^OUn3Oed@=Q0M}imYTwX zQoO^_H7SKzf_#kPgKcs%r4BFUyAK9MzfYReHCd=l)YJEgPKq-^z3C%4lq%{&8c{2CGQ3jo!iD|wSEhZ# zjJoH87Rt{4*M_1GdBnBU3trC*hn@KCFABd=Zu`hK;@!TW`hp~;4Aac@24m|GI)Ula z4y%}ClnEu;AL4XVQ6^*!()W#P>BYC@K5mw7c4X|Hk^(mS9ZtfMsVLoPIiwI?w_X0- z#vyiV5q9(xq~fS`_FiUZw->8Awktga>2SrWyvZ|h@LVFtnY#T z%OX30{yiSov4!43kFd(8)cPRMyrN z={af_ONd;m=`^wc7lL|b7V!;zmCI}&8qz=?-6t=uOV;X>G{8pAwf9UJ`Hm=ubIbgR zs6bw3pFeQHL`1P1m5fP~fL*s?rX_|8%tB`Phrij^Nkj{o0oCo*g|ELexQU+2gt66=7}w5A+Qr}mHXC%)(ODT# zK#XTuzqOmMsO~*wgoYjDcy)P7G`5x7mYVB?DOXV^D3nN89P#?cp?A~c%c$#;+|10O z8z(C>mwk#A*LDlpv2~JXY_y_OLZ*Mt)>@gqKf-Ym+cZ{8d%+!1xNm3_xMygTp-!A5 zUTpYFd=!lz&4IFq)Ni7kxLYWhd0o2)ngenV-QP@VCu;147_Lo9f~=+=Nw$6=xyZzp zn7zAe41Sac>O60(dgwPd5a^umFVSH;<7vN>o;}YlMYhBZFZ}-sz`P^3oAI>SCZy&zUtwKSewH;CYysPQN7H>&m215&e2J? zY}>5N-LhaDeRF~C0cB>M z7@y&xh9q??*EIKnh*;1)n-WuSl6HkrI?OUiS^lx$Sr2C-jUm6zhd{nd(>#O8k9*kF zPom7-%w1NjFpj7WP=^!>Vx^6SG^r`r+M&s7V(uh~!T7aE;_ubqNSy)<5(Vi)-^Mp9 zEH@8Vs-+FEeJK%M0z3FzqjkXz$n~BzrtjQv`LagAMo>=?dO8-(af?k@UpL5J#;18~ zHCnWuB(m6G6a2gDq2s`^^5km@A3Rqg-oHZ68v5NqVc zHX_Iw!OOMhzS=gfR7k;K1gkEwuFs|MYTeNhc0js>Wo#^=wX4T<`p zR2$8p6%A9ZTac;OvA4u#Oe3(OUep%&QgqpR8-&{0gjRE()!Ikc?ClygFmGa(7Z^9X zWzmV0$<8Uh)#qaH1`2YCV4Zu6@~*c*bhtHXw~1I6q4I>{92Eq+ZS@_nSQU43bZyidk@hd$j-_iL=^^2CwPcaXnBP;s;b zA4C!k+~rg4U)}=bZ2q*)c4BZ#a&o!uJo*6hK3JRBhOOUQ6fQI;dU#3v>_#yi62&Sp z-%9JJxwIfQ`@w(_qH0J0z~(lbh`P zHoyp2?Oppx^WXwD<~20v!lYm~n53G1w*Ej z9^B*j@lrd>XGW43ff)F;5k|HnGGRu=wmZG9c~#%vDWQHlOIA9(;&TBr#yza{(?k0> zcGF&nOI}JhuPl`kLViBEd)~p2nY9QLdX42u9C~EUWsl-@CE;05y@^V1^wM$ z&zemD1oZd$Z))kEw9)_Mf+X#nT?}n({(+aXHK2S@j$MDsdrw-iLb?#r{?Vud?I5+I zVQ8U?LXsQ}8-)JBGaoawyOsTTK_f8~gFFJ&lhDLs8@Rw$ey-wr&eqSEU^~1jtHmz6 z!D2g4Yh?3VE*W8=*r&G`?u?M~AdO;uTRPfE(@=Gkg z7gh=EGu!6VJJ?S_>|5ZwY?dGFBp3B9m4J1=7u=HcGjsCW+y6`W?OWxfH?S#X8&Zk& zvz6tWcnaS1@~3FTH}q_*$)AjYA_j;yl0H0{I(CW7Rq|;5Q2>Ngd(tmJDp+~qHe_8y zPU_fiCrn!SJ3x&>o6;WDnjUVEt`2fhc9+uLI>99(l$(>Tzwpbh>O775OA5i`jaBdp zXnCwUgomyF3K$0tXzgQhSAc!6nhyRh_$fP}Rd$|*Y7?ah(JrN=I7+)+Hp4BLJJ2P~ zFD!)H^uR2*m7GQZpLUVS#R3^?2wCd}(gcFcz!u5KN9ldNJdh@%onf06z9m~T0n;dqg6@?>G@S|rPO*Kj>{su+R|7bH>osA&uD4eqxtr**k($ii`uO? z7-&VkiL4Rp3S&e+T}2Z#;NtWHZco(v8O3QMvN0g7l8GV|U2>x-DbamkZo5)bjaSFR zr~Y9(EvF9{o*@|nBPj+e5o$_K`%TH1hD=|its}|qS^o6EQu_gOuDUH=Dtzik;P7G$ zq%_T<>9O}bGIB?;IQ*H`BJ5NWF6+XLv@G7aZwcy(&BoepG~u`aIcG>y+;J7+L=wTZ zB=%n@O}=+mjBO%1lMo6C0@1*+mhBqqY((%QMUBhyeC~r*5WVqzisOXFncr*5Lr0q6 zyPU&NOV}Vt2jl>&yig4I6j93?D>Ft=keRh=Y;3*^Z-I26nkZ#Jj5OJ89_?@#9lNjp z#gfAO6i937)~I|98P%xAWxwmk(F&@lTMx63*FZ~2b{NHU+}EV8+kMAB0bM*Zn#&7ubt98!PT^ZcMOfwMgkYz6+;?CKbvV zQ}Z@s_3JcMPhF&y1?}9uZFIBiPR3g7lf=+XEr9Bl%zRfGcaKb*ZQq5b35ZkR@=JEw zP#iqgh2^#@VA-h)>r`7R-$1_ddGr&oWWV$rx;pkG0Yohp9p@In_p)hKvMo@qIv zcN2t{23&^Nj=Y&gX;*vJ;kjM zHE2`jtjVRRn;=WqVAY&m$z=IoKa{>DgJ;To@OPqNbh=#jiS$WE+O4TZIOv?niWs47 zQfRBG&WGmU~>2O{}h17wXGEnigSIhCkg%N~|e?hG8a- zG!Wv&NMu5z!*80>;c^G9h3n#e>SBt5JpCm0o-03o2u=@v^n+#6Q^r#96J5Q=Dd=>s z(n0{v%yj)=j_Je2`DoyT#yykulwTB+@ejCB{dA7VUnG>4`oE?GFV4sx$5;%9&}yxfz<-wWk|IlA|g&! zN_Emw#w*2GT=f95(%Y1#Viop;Yro3SqUrW~2`Fl?Ten{jAt==a>hx$0$zXN`^7>V_ zG*o7iqeZV)txtHUU2#SDTyU#@paP;_yxp!SAG##cB= zr@LoQg4f~Uy5QM++W`WlbNrDa*U;54`3$T;^YVNSHX4?%z|`B~i7W+kl0wBB`8|(l zAyI6dXL&-Sei0=f#P^m`z=JJ`=W;PPX18HF;5AaB%Zlze`#pz;t#7Bzq0;k8IyvdK=R zBW+4GhjOv+oNq^~#!5(+pDz)Ku{u60bVjyym8Or8L;iqR|qTcxEKTRm^Y%QjFYU=ab+^a|!{!hYc+= z%Qc02=prKpzD+jiiOwzyb(dELO|-iyWzizeLugO!<1(j|3cbR!8Ty1$C|l@cWoi?v zLe<5+(Z-eH++=fX**O-I8^ceYZgiA!!dH+7zfoP-Q+@$>;ab&~cLFg!uOUX7h0r== z`@*QP9tnV1cu1!9pHc43C!{3?-GUBJEzI(&#~vY9MEUcRNR*61)mo!RG>_Yb^rNN7 zR9^bI45V?3Lq`^^BMD!GONuO4NH#v9OP3@s%6*Ha3#S*;f z6JEi)qW#Iq#5BtIXT9Gby|H?NJG}DN#Li82kZ_Rt1=T0Z@U6OAdyf}4OD|Sk^2%-1 zzgvqZ@b6~kL!^sZLO$r{s!3fQ5bHW}8r$uTVS*iw1u8^9{YlPp_^Xm5IN zF|@)ZOReX zB*#tEbWEX~@f)ST|s$oUKS@drycE1tYtdJ9b*(uFTxNZ{n3BI*kF7wXgT6+@PI@vwH7iQS{1T!Nauk>fm8gOLe`->Pi~ z8)3=UL_$OLl2n7QZlHt846nkYFu4V};3LpYA%5VaF#a2#d2g0&ZO~3WA%1XlerVpg zCAlM;(9OqH@`(>Tha{*@R%twB!}1ng4V=^+R`Q{#fkRk)C|suozf-uCXrkIH2SC^C z6wlxR`yS;-U#uu#`OnD%U<41%C4mp>LYLPIbgVO~WsT1if)Y)T*8nUB`2*(B;U_ha1NWv2`GqrZ z3MWWpT3tZ!*N@d*!j3=@K4>X*gX4A^@QPAz24?7u90AXaLiFq=Z$|5p$Ok2|YCX_Z zFgNPiY2r_Bg2BQE!0z=_N*G?%0cNITmAru*!Mws=F+F&Qw!&1?DBN{vSy%IvGRV@1 zS->PARgL^XS!-aZj zi@`~LhWfD!H-L0kNv=Jil9zR0>jZLqu)cLq?$yXVyk%EteKcWbe^qh#spHJPa#?92 za(N(Kw0se^$7nQUQZBet;C_Dj5(2_?TdrXFYwmebq}YGQbN5Ex7M zGSCX~Ey;5AqAzEDNr%p^!cuG?&wIeY&Bm5guVg>8F=!nT%7QZTGR(uGM&IZuMw0V_ zhPiIFWm?H?aw*(v6#uVT@NEzi2h5I$cZ-n0~m$tmwdMTjG*of^Y%1 zW?Y%o*-_iMqEJhXo^!Qo?tGFUn1Mb|urN4_;a)9bila2}5rBS#hZ5wV+t1xbyF1TW zj+~cdjbcMgY$zTOq6;ODaxzNA@PZIXX(-=cT8DBd;9ihfqqtbDr9#gXGtK24BPxjZ z9+Xp>W1(s)->-}VX~BoQv$I|-CBdO`gULrvNL>;@*HvTdh@wyNf}~IB5mFnTitX2i z;>W>tlQyc2)T4Mq+f!(i3#KuK-I8Kj3Wm(UYx?KWWt8DEPR_Jdb9CE~Fjc7Rkh#gh zowNv()KRO@##-C+ig0l!^*ol!Bj%d32_N*~d!|&>{t!k3lc?6VrdlCCb1?qyoR42m zv;4KdwCgvMT*{?tJKa(T?cl|b;k4P>c&O@~g71K5@}ys$)?}WSxD;<5%4wEz7h=+q ztLumn6>leWdDk#*@{=v9p)MsvuJMyf_VEs;pJh?i3z7_W@Q|3p$a}P@MQ-NpMtDUBgH!h4Ia#L&POr4Qw0Tqdw^}gCmQAB z8Dgkzn?V!_@04(cx0~-pqJOpeP1_}@Ml3pCb45EJoghLows9ET13J8kt0;m$6-jO( z4F|p+JFD1NT%4bpn4?&)d+~<360$z5on`eS6{H`S>t`VS$>(D`#mC*XK6zULj1Da# zpV$gw$2Ui{07NiYJQQNK;rOepRxA>soNK~B2;>z;{Ovx`k}(dlOHHuNHfeR}7tmIp zcM}q4*Fq8vSNJYi@4-;}`@bC?nrUy`3jR%HXhs79qWI5;hyTpH5%n-NcKu&j(aGwT z1~{geeq?Jd>>HL+?2`0K8dB2pvTS=LO~tb~vx_<=iN8^rW!y@~lBTAaxHmvVQJSeJ z!cb9ffMdP1lgI=>QJN{XpM4{reRrdIt|v|0-8!p}M*Qw^uV1@Ho-YsNd0!a(os$F* zT0tGHA#0%u0j*%S>kL*73@~7|iP;;!JbWSTA@`#VHv_l_%Z7CgX@>dhg_ zgn0|U)SY~U-E5{QiT@(uPp#1jaz!(_3^Cbz2 z4ZgWWz=PdGCiGznk{^4TBfx_;ZjAHQ>dB4YI}zfEnTbf60lR%=@VWt0yc=fd38Ig* z)Q38#e9^+tA7K}IDG5Z~>JE?J+n%0_-|i2{E*$jb4h?|_^$HRHjVkiyX6@Y+)0C2a zA+eegpT1dUpqQFIwx;!ayQcWQBQTj1n5&h<%Lggt@&tE19Rm~Rijtqw6nmYip_xg0 zO_IYpU304embcWP+**H|Z5~%R*mqq+y{KbTVqugkb)JFSgjVljsR{-c>u+{?moCCl zTL)?85;LXk0HIDC3v*|bB-r_z%zvL6Dp__L*A~Z*o?$rm>cYux&)W=6#+Cb}TF&Kd zdCgz3(ZrNA>-V>$C{a^Y^2F!l_%3lFe$s(IOfLBLEJ4Mcd!y&Ah9r)7q?oc z5L(+S8{AhZ)@3bw0*8(}Xw{94Vmz6FrK&VFrJN;xB96QmqYEibFz|yHgUluA-=+yS}I-+#_Pk zN67-#8W(R^e7f!;i0tXbJgMmJZH%yEwn*-}5ew13D<_FYWnt?{Mv1+MI~u;FN~?~m z{hUnlD1|RkN}c1HQ6l@^WYbHAXPJ^m0te1woe;LDJ}XEJqh1tPf=sD0%b+OuR1aCoP>I>GBn4C24Zu$D)qg=gq;D??5 zUSj%;-Hvk_ffj-+SI{ZCp`gZcNu=L@_N}kCcs?TyMr-37fhy$?a<7lt1`fZw<%$8@B6(Wgo!#!z9z{ab|x`+&;kP!(gfdY}A-GP&4Cbh-S< z1(kmgnMyB2z3ipEj5;4<{(=&<7a>A_Jl`ujUKYV@%k(oD=cD7W@8~5O=R*zdjM_y; zXwme~0wo0aDa~9rDnjF=B}Bbj|DHRQjN|?@(F^=bVFdr!#mwr|c0843k>%~5J|7|v zSY=T)iPU6rEAwrM(xTZwPio%D4y9Z4kL0bMLKvu4yd)0ZJA3<;>a2q~rEfcREn}~1 zCJ~3c?Afvx?3^@+!lnf(kB6YwfsJ*u^y7kZA?VmM%nBmaMspWu?WXq4)jQsq`9EbT zlF2zJ)wXuAF*2u|yd5hNrG>~|i}R&ZyeetTQ!?Hz6xGZZb3W6|vR>Hq=}*m=V=Lsp zUOMxh;ZfP4za~C{Ppn^%rhitvpnu^G{Z#o-r?TdEgSbtK_+~_iD49xM;$}X*mJF02|WBL{SDqK9}p4N!G$3m=x#@T+4QcapM{4j|Q zwO!(hldpuSW#by!zHEP@tzIC|KdD z%BJzQ7Ho1(HemWm`Z8m_D#*`PZ-(R%sZmPrS$aHS#WPjH3EDitxN|DY+ zYC|3S?PQ3NNYau$Qk8f>{w}~xCX;;CE=7;Kp4^xXR8#&^L+y-jep7oO^wnQ840tg1 zuN17QKsfdqZPlB8OzwF+)q#IsmenEmIbRAJHJ$JjxzawKpk8^sBm3iy=*kB%LppNb zhSdk`^n?01FKQ;=iU+McN7Mk0^`KE>mMe1CQ2a_R26_}^$bogFm=2vqJake7x)KN( zYz;gRPL+r4*KD>1U+DU+1jh{mT8#P#(z9^(aDljpeN{mRmx{AZX&hXKXNuxj3x*RrpjvOaZ#`1EqK!$+8=0yv8}=;>f=E?5tGbRUd4%?QL zy$kq6mZeF%k6E1&8nwAYMd!-lRkhQTob$7s`*XqcHs;l~mHV}fx&0I&i!CHaPVSM{ zHdRh7a>hP)t@YTrWm9y zl-ENWSVzlKVvTdWK>)enmGCEw(WYS=FtY{srdE{Z(3~4svwd)ct;`6Y{^qiW+9E@A ztzd?lj5F#k`=E1U-n*1JJc0{x{0q!_tkD<_S6bGsW)^RxGu%Rj^Mvw|R0WP1SqvAI zs(MiAd@Y5x!UKu376&|quQNxir;{Iz(+}3k-GNb29HaQh?K30u=6sXpIc?j0hF{VY zM$Do*>pN)eRljAOgpx7fMfSrnZ7>fi@@>Jh;qxj1#-Vj}JC3E^GCbC(r55_AG>6cq z4ru34FtVuBt)bkX4>ZFWjToyu)VA>IE6hXc+^(3ruUaKRqHnx3z)(GXetm;^0D95s zQ&drwfjhM4*|q=;i5Io0eDf?I{p}qo@7i7abHX5qLu~VDwYf4bmV~-^M_U?DL(+cG z{AyE^a|*73Ft)o5k-p)+GLXj#q01VlJ9#ZJkf|+c%6qfRgVp&6NsU3~F?!uh}HJm73xq>v$h zYoW3wJE6n9P|;{8U<^%UE2wjR4x^G_Nc$J(i)!>;g4`CCh2z^Dth#ah#<`#axDR?F z4>~hnN2%B2ZUuU6j>m1Qjj~5jQSdA&Q#7hOky#=Ue)}7LPJ!8nbZO_0Sw{G>>M7&E zb1dy|0Zi$(ubk`4^XkVI%4WIpe?Bh!D~IjvZs14yHw=aQ8-`N-=P*?Kzi&eRGZ_6Z zT>eis`!Dy3eT3=vt#Lbc+;}i5XJf7zM3QneL{t?w=U<1rk7+z2Cu^|~=~54tAeSYF zsXHsU;nM0dpK>+71yo(NFLV-^Lf7%U?Q$*q{^j04Gl71ya2)^j`nmJ$cmI9eFMjp+ z#)jKmi4lZc<;l>!={@jTm%?!5jS;6;c*Ml55~r6Y?22B^K3bPhKQ(ICc&z%w<4W1= zjTTtz_}IA$%kCqU)h#$!Yq>>2mVG}qYL}!avmCWYV}x4!YEeq)pgTp| zR;+skHuc7YXRLrcbYXt>?@pa{l^2pL>RrZ!22zMmi1ZR?nkaWF*`@XFK4jGh&Em3vn(l z3~^Q9&tM^eV=f^lccCUc9v02z%^n5VV6s$~k0uq5B#Ipd6`M1Kptg^v<2jiNdlAWQ z_MmtNEaeYIHaiuaFQdG&df7miiB5lZkSbg&kxY*Eh|KTW`Tk~VwKC~+-GoYE+pvwc{+nIEizq6!xP>7ZQ(S2%48l$Y98L zvs7s<&0ArXqOb*GdLH0>Yq-f!{I~e~Z@FUIPm?jzqFZvz9VeZLYNGO}>Vh<=!Er7W zS!X6RF^et7)IM1pq57z*^hP5w7HKSDd8jHX!*gkKrGc-GssrNu5H%7-cNE{h$!aEQK3g*qy;= z)}pxO8;}nLVYm_24@iEs8)R7i;Th0n4->&$8m6(LKCRd(yn7KY%QHu_f=*#e`H^U( z{u!`9JaRD?Z?23fEXrjx>A@+a!y-_oaDB)o@2s{2%A97-ctFfrN0cXQ@6aGH`X~Nr z144?qk;MzDU-cgQOLfT3-ZR#hKmYtKG*iGf4ZJ`|`9!^SkBDUUSJCba)>mM!)k~(z zdjUqB`)~!UObMHB1b$UItM$<0kwlqHH;c z=)+~bkOcIT7vI0Iy(wD)vsg9|oi##%Rgrq`Ek;pN)}lbpz`iv{F4K*{ZZ?Zjixxxr zY|SPl2NsXH+5pimj+MvbZ_+HrfvdC13|9Zs)Y=nW$z<0mhl}%irBSm5T3ZrN#2AhY z_ZrTmS(L`U#y}VZ@~QL9wUS6AnU*7LWS02Xyz`b>%rTml#Wb0yr>@c(Ym*40g;P{V zjV1XSHdU>oY!&Jh7MzhzUV8(9E+yl5UJYga>=0Ldjwtc`5!1>LxaB-kVW;IlSPs+0 zUBx=m8OKVp<`frNvMK>WMO(iKY%PuvqD+PK*vP6f?_o!O)MCW5Ic zv(%f5PLHyOJ2h@Yn_to@54Yq;fdoy40&sbe3A$4uUXHsHP_~K}h#)p&TyOx(~JE?y(IBAQKl}~VQjVC-c6oZwmESL;`Xth?2)-b6ImNcJi z;w|`Q*k?`L(+Dp}t(FocvzWB(%~9$EAB6_J6CrA}hMj-Vy*6iA$FdV}!lvk%6}M)4 zTf<)EbXr9^hveAav1yA?>O0aNEpv0&rju{(Gt|dP=AP%)uQm~OE7@+wEhILrRLt&E zoEsF^nz>4yK1|EOU*kM+9317S;+bb7?TJM2UUpc!%sDp}7!<`i=W!ot8*C&fpj>mk#qt~GCeqcy)?W6sl>eUnR%yCBR&Ow-rc|q;lhnI+f-%`6Xf)% zIYZru;27%vA{Qi2=J`PQC<28;tFx(V^sgXf>)8WNxxQwT14M9I6- z+V0@tiCiDkv`7r-06sJS8@s|Lf>mV+8h}SPT4ZGPSMaFK7_SMXH$3KN7b2V?iV-jA zh1!Z>2tv^HVbHnNUAf-wQW#zMV(h8=3x2Swd|-%AczEIWLcm~EAu7rc3s%56b;7ME zj}$pe#fc^314Mb9i)xH^_#({)tTD4hsoz!7XcHUh9*G|}?k=D?9LBkTm2?fgaIG(%%$DL#}a-_990rQBU+M;jrf zCcvgM`+oyZmsUqc?lly9axZfO)02l$TMS#I+jHYY`Uk!gtDv|@GBQ||uaG^n*QR3Q z@tV?D;R;KmkxSDQh<2DkDC1?m?jTvf2i^T;+}aYhzL?ymNZmdns2e)}2V>tDCRw{= zTV3q3ZQDkdZQHi3?y{@8Y@1!SZQHi(y7|qSx$~Vl=iX<2`@y3eSYpsBV zI`Q-6;)B=p(ZbX55C*pu1C&yqS|@Pytis3$VDux0kxKK}2tO&GC;cH~759o?W2V)2 z)`;U(nCHBE!-maQz%z#zoRNpJR+GmJ!3N^@cA>0EGg?OtgM_h|j1X=!4N%!`g~%hdI3%yz&wq4rYChPIGnSg{H%i>96! z-(@qsCOfnz7ozXoUXzfzDmr>gg$5Z1DK$z#;wn9nnfJhy6T5-oi9fT^_CY%VrL?l} zGvnrMZP_P|XC$*}{V}b^|Hc38YaZQESOWqA1|tiXKtIxxiQ%Zthz?_wfx@<8I{XUW z+LH%eO9RxR_)8gia6-1>ZjZB2(=`?uuX|MkX082Dz*=ep%hMwK$TVTyr2*|gDy&QOWu zorR#*(SDS{S|DzOU$<-I#JTKxj#@0(__e&GRz4NuZZLUS8}$w+$QBgWMMaKge*2-) zrm62RUyB?YSUCWTiP_j-thgG>#(ZEN+~bMuqT~i3;Ri`l${s0OCvCM>sqtIX?Cy`8 zm)MRz-s^YOw>9`aR#J^tJz6$S-et%elmR2iuSqMd(gr6a#gA_+=N(I6%Cc+-mg$?_1>PlK zbgD2`hLZ?z4S~uhJf=rraLBL?H#c$cXyqt{u^?#2vX2sFb z^EU-9jmp{IZ~^ii@+7ogf!n_QawvItcLiC}w^$~vgEi(mX79UwDdBg`IlF42E5lWE zbSibqoIx*0>WWMT{Z_NadHkSg8{YW4*mZ@6!>VP>ey}2PuGwo%>W7FwVv7R!OD32n zW6ArEJX8g_aIxkbBl^YeTy5mhl1kFGI#n>%3hI>b(^`1uh}2+>kKJh0NUC|1&(l)D zh3Barl&yHRG+Le2#~u>KoY-#GSF>v)>xsEp%zgpq4;V6upzm3>V&yk^AD}uIF{vIn zRN-^d4(Sk6ioqcK@EObsAi#Z-u&Hh#kZdv1rjm4u=$2QF<6$mgJ4BE0yefFI zT7HWn?f668n!;x>!CrbdA~lDfjX?)315k1fMR~lG)|X_o()w|NX&iYUTKxI2TLl|r z{&TWcBxP>*;|XSZ1GkL&lSg?XL9rR4Ub&4&03kf};+6$F)%2rsI%9W_i_P|P%Z^b@ zDHH2LV*jB@Izq0~E4F^j04+C|SFiV8{!bth%bz(KfCg42^ zGz5P7xor$)I4VX}Cf6|DqZ$-hG7(}91tg#AknfMLFozF1-R~KS3&5I0GNb`P1+hIB z?OPmW8md3RB6v#N{4S5jm@$WTT{Sg{rVEs*)vA^CQLx?XrMKM@*gcB3mk@j#l0(~2 z9I=(Xh8)bcR(@8=&9sl1C?1}w(z+FA2`Z^NXw1t(!rpYH3(gf7&m=mm3+-sls8vRq z#E(Os4ZNSDdxRo&`NiRpo)Ai|7^GziBL6s@;1DZqlN@P_rfv4Ce1={V2BI~@(;N`A zMqjHDayBZ);7{j>)-eo~ZwBHz0eMGRu`43F`@I0g!%s~ANs>Vum~RicKT1sUXnL=gOG zDR`d=#>s?m+Af1fiaxYxSx{c5@u%@gvoHf#s6g>u57#@#a2~fNvb%uTYPfBoT_$~a^w96(}#d;-wELAoaiZCbM zxY4fKlS6-l1!b1!yra|`LOQoJB))=CxUAYqFcTDThhA?d}6FD$gYlk**!# zD=!KW>>tg1EtmSejwz{usaTPgyQm~o+NDg`MvNo)*2eWX*qAQ)4_I?Pl__?+UL>zU zvoT(dQ)pe9z1y}qa^fi-NawtuXXM>*o6Al~8~$6e>l*vX)3pB_2NFKR#2f&zqbDp7 z5aGX%gMYRH3R1Q3LS91k6-#2tzadzwbwGd{Z~z+fBD5iJ6bz4o1Rj#7cBL|x8k%jO z{cW0%iYUcCODdCIB(++gAsK(^OkY5tbWY;)>IeTp{{d~Y#hpaDa-5r#&Ha?+G{tn~ zb(#A1=WG1~q1*ReXb4CcR7gFcFK*I6Lr8bXLt9>9IybMR&%ZK15Pg4p_(v5Sya_70 ziuUYG@EBKKbKYLWbDZ)|jXpJJZ&bB|>%8bcJ7>l2>hXuf-h5Bm+ zHZ55e9(Sg>G@8a`P@3e2(YWbpKayoLQ}ar?bOh2hs89=v+ifONL~;q(d^X$7qfw=; zENCt`J*+G;dV_85dL3Tm5qz2K4m$dvUXh>H*6A@*)DSZ2og!!0GMoCPTbcd!h z@fRl3f;{F%##~e|?vw6>4VLOJXrgF2O{)k7={TiDIE=(Dq*Qy@oTM*zDr{&ElSiYM zp<=R4r36J69aTWU+R9Hfd$H5gWmJ?V){KU3!FGyE(^@i!wFjeZHzi@5dLM387u=ld zDuI1Y9aR$wW>s#I{2!yLDaVkbP0&*0Rw%6bi(LtieJQ4(1V!z!ec zxPd)Ro0iU%RP#L|_l?KE=8&DRHK>jyVOYvhGeH+Dg_E%lgA(HtS6e$v%D7I;JSA2x zJyAuin-tvpN9g7>R_VAk2y;z??3BAp?u`h-AVDA;hP#m+Ie`7qbROGh%_UTW#R8yfGp<`u zT0}L)#f%(XEE)^iXVkO8^cvjflS zqgCxM310)JQde*o>fUl#>ZVeKsgO|j#uKGi)nF_ur&_f+8#C0&TfHnfsLOL|l(2qn zzdv^wdTi|o>$q(G;+tkTKrC4rE)BY?U`NHrct*gVx&Fq2&`!3htkZEOfODxftr4Te zoseFuag=IL1Nmq45nu|G#!^@0vYG5IueVyabw#q#aMxI9byjs99WGL*y)AKSaV(zx z_`(}GNM*1y<}4H9wYYSFJyg9J)H?v((!TfFaWx(sU*fU823wPgN}sS|an>&UvI;9B(IW(V)zPBm!iHD} z#^w74Lpmu7Q-GzlVS%*T-z*?q9;ZE1rs0ART4jnba~>D}G#opcQ=0H)af6HcoRn+b z<2rB{evcd1C9+1D2J<8wZ*NxIgjZtv5GLmCgt?t)h#_#ke{c+R6mv6))J@*}Y25ef z&~LoA&qL-#o=tcfhjH{wqDJ;~-TG^?2bCf~s0k4Rr!xwz%Aef_LeAklxE=Yzv|3jf zgD0G~)e9wr@)BCjlY84wz?$NS8KC9I$wf(T&+79JjF#n?BTI)Oub%4wiOcqw+R`R_q<`dcuoF z%~hKeL&tDFFYqCY)LkC&5y(k7TTrD>35rIAx}tH4k!g9bwYVJ>Vdir4F$T*wC@$08 z9Vo*Q0>*RcvK##h>MGUhA9xix+?c1wc6xJhn)^9;@BE6i*Rl8VQdstnLOP1mq$2;!bfASHmiW7|=fA{k$rs^-8n{D6_ z!O0=_K}HvcZJLSOC6z-L^pl3Gg>8-rU#Sp1VHMqgXPE@9x&IHe;K3;!^SQLDP1Gk&szPtk| z!gP;D7|#y~yVQ?sOFiT*V(Z-}5w1H6Q_U5JM#iW16yZiFRP1Re z6d4#47#NzEm};1qRP9}1;S?AECZC5?6r)p;GIW%UGW3$tBN7WTlOy|7R1?%A<1!8Z zWcm5P6(|@=;*K&3_$9aiP>2C|H*~SEHl}qnF*32RcmCVYu#s!C?PGvhf1vgQ({MEQ z0-#j>--RMe{&5&$0wkE87$5Ic5_O3gm&0wuE-r3wCp?G1zA70H{;-u#8CM~=RwB~( zn~C`<6feUh$bdO1%&N3!qbu6nGRd5`MM1E_qrbKh-8UYp5Bn)+3H>W^BhAn;{BMii zQ6h=TvFrK)^wKK>Ii6gKj}shWFYof%+9iCj?ME4sR7F+EI)n8FL{{PKEFvB65==*@ ztYjjVTJCuAFf8I~yB-pN_PJtqH&j$`#<<`CruB zL=_u3WB~-;t3q)iNn0eU(mFTih<4nOAb>1#WtBpLi(I)^zeYIHtkMGXCMx+I zxn4BT0V=+JPzPeY=!gAL9H~Iu%!rH0-S@IcG%~=tB#6 z3?WE7GAfJ{>GE{?Cn3T!QE}GK9b*EdSJ02&x@t|}JrL{^wrM@w^&})o;&q816M5`} zv)GB;AU7`haa1_vGQ}a$!m-zkV(+M>q!vI0Swo18{;<>GYZw7-V-`G#FZ z;+`vsBihuCk1RFz1IPbPX8$W|nDk6yiU8Si40!zy{^nmv_P1=2H*j<^as01|W>BQS zU)H`NU*-*((5?rqp;kgu@+hDpJ;?p8CA1d65)bxtJikJal(bvzdGGk}O*hXz+<}J? zLcR+L2OeA7Hg4Ngrc@8htV!xzT1}8!;I6q4U&S$O9SdTrot<`XEF=(`1{T&NmQ>K7 zMhGtK9(g1p@`t)<)=eZjN8=Kn#0pC2gzXjXcadjHMc_pfV(@^3541)LC1fY~k2zn&2PdaW`RPEHoKW^(p_b=LxpW&kF?v&nzb z1`@60=JZj9zNXk(E6D5D}(@k4Oi@$e2^M%grhlEuRwVGjDDay$Qpj z`_X-Y_!4e-Y*GVgF==F0ow5MlTTAsnKR;h#b0TF>AyJe`6r|%==oiwd6xDy5ky6qQ z)}Rd0f)8xoNo)1jj59p;ChIv4Eo7z*{m2yXq6)lJrnziw9jn%Ez|A-2Xg4@1)ET2u zIX8`u5M4m=+-6?`S;?VDFJkEMf+=q?0D7?rRv)mH=gptBFJGuQo21rlIyP>%ymGWk z=PsJ>>q~i>EN~{zO0TklBIe(8i>xkd=+U@;C{SdQ`E03*KXmWm4v#DEJi_-F+3lrR z;0al0yXA&axWr)U%1VZ@(83WozZbaogIoGYpl!5vz@Tz5?u36m;N=*f0UY$ssXR!q zWj~U)qW9Q9Fg9UW?|XPnelikeqa9R^Gk77PgEyEqW$1j=P@L z*ndO!fwPeq_7J_H1Sx>#L$EO_;MfYj{lKuD8ZrUtgQLUUEhvaXA$)-<61v`C=qUhI zioV&KR#l50fn!-2VT`aMv|LycLOFPT{rRSRGTBMc)A`Cl%K&4KIgMf}G%Qpb2@cB* zw8obt-BI3q8Lab!O<#zeaz{P-lI2l`2@qrjD+Qy)^VKks5&SeT(I)i?&Kf59{F`Rw zuh7Q>SQNwqLO%cu2lzcJ7eR*3!g}U)9=EQ}js-q{d%h!wl6X3%H0Z2^8f&^H;yqti4z6TNWc& zDUU8YV(ZHA*34HHaj#C43PFZq7a>=PMmj4+?C4&l=Y-W1D#1VYvJ1~K%$&g-o*-heAgLXXIGRhU zufonwl1R<@Kc8dPKkb`i5P9VFT_NOiRA=#tM0WX2Zut)_ zLjAlJS1&nnrL8x8!o$G+*z|kmgv4DMjvfnvH)7s$X=-nQC3(eU!ioQwIkaXrl+58 z@v)uj$7>i`^#+Xu%21!F#AuX|6lD-uelN9ggShOX&ZIN+G#y5T0q+RL*(T(EP)(nP744-ML= z+Rs3|2`L4I;b=WHwvKX_AD56GU+z92_Q9D*P|HjPYa$yW0o|NO{>4B1Uvq!T;g_N- zAbNf%J0QBo1cL@iahigvWJ9~A4-glDJEK?>9*+GI6)I~UIWi>7ybj#%Po}yT6d6Li z^AGh(W{NJwz#a~Qs!IvGKjqYir%cY1+8(5lFgGvl(nhFHc7H2^A(P}yeOa_;%+bh` zcql{#E$kdu?yhRNS$iE@F8!9E5NISAlyeuOhRD)&xMf0gz^J927u5aK|P- z>B%*9vSHy?L_q)OD>4+P;^tz4T>d(rqGI7Qp@@@EQ-v9w-;n;7N05{)V4c7}&Y^!`kH3}Q z4RtMV6gAARY~y$hG7uSbU|4hRMn97Dv0$Le@1jDIq&DKy{D$FOjqw{NruxivljBGw zP4iM(4Nrz^^~;{QBD7TVrb6PB=B$<-e9!0QeE8lcZLdDeb?Gv$ePllO2jgy&FSbW* zSDjDUV^=`S(Oo0;k(Idvzh}aXkfO)F6AqB?wWqYJw-1wOn5!{-ghaHb^v|B^92LmQ9QZj zHA&X)fd%B$^+TQaM@FPXM$$DdW|Vl)4bM-#?Slb^qUX1`$Yh6Lhc4>9J$I4ba->f3 z9CeGO>T!W3w(){M{OJ+?9!MK68KovK#k9TSX#R?++W4A+N>W8nnk**6AB)e;rev=$ zN_+(?(YEX;vsZ{EkEGw%J#iJYgR8A}p+iW;c@V>Z1&K->wI>!x-+!0*pn|{f=XA7J zfjw88LeeJgs4YI?&dHkBL|PRX`ULOIZlnniTUgo-k`2O2RXx4FC76;K^|ZC6WOAEw zz~V0bZ29xe=!#Xk?*b{sjw+^8l0Koy+e7HjWXgmPa4sITz+$VP!YlJ$eyfi3^6gGx6jZLpbUzX;!Z6K}aoc!1CRi zB6Lhwt%-GMcUW;Yiy6Y7hX(2oksbsi;Z6k*=;y;1!taBcCNBXkhuVPTi+1N*z*}bf z`R=&hH*Ck5oWz>FR~>MO$3dbDSJ!y|wrff-H$y(5KadrA_PR|rR>jS=*9&J*ykWLr z-1Z^QOxE=!6I z%Bozo)mW7#2Hd$-`hzg=F@6*cNz^$#BbGlIf${ZV1ADc}sNl=B72g`41|F7JtZ^BT z+y}nqn3Ug`2scS_{MjykPW2~*k$i6PhvvxJCW;n!SK5B8Rpm41fCEdy=ea-4F`rN5 zF>ClKp#4?}pI7eR#6U|}t`DA!GQJB7nT$HVV*{qPjIRU1Ou3W;I^pCt54o|ZHvWaH zooFx9L%#yv)!P;^er5LCU$5@qXMhJ-*T5Ah8|}byGNU5oMp3V)yR;hWJKojJEregX z<1UPt%&~=5OuP(|B{ty);vLdoe7o^?`tkQa7zoXKAW6D@lc+FTzucotaOfJ!(Bm zHE8f8j@6||lH`y2<&hP}Q1wr(=6ze0D6NRL{7QaE1=nTAzqjIeD}Be&@#_d*dyurz z&L7xo-D9!dS`i>^GaIPArR@r=N#-ppIh!UBcb!N*?nLUO+*%C>_dCF1IH)q>5oT(t zjQo{AoDB;mWL;3&;vTt?;bvJSj>^Gq4Jrh}S}D>G)+b!>oRDWI?c_d77$kF5ms{Gx zak*>~*5AvaB-Xl)IgdZ^Cupv6HxQ0 zM(KPaDpPsPOd)e)aFw}|=tfzg@J1P8oJx2ZBY=g4>_G(Hkgld(u&~jN((eJ}5@b1} zI(P7j443AZj*I@%q!$JQ2?DZV47U!|Tt6_;tlb`mSP3 z74DE4#|1FMDqwYbT4P6#wSI%s?*wDc>)MR$4z9ZtJg04+CTUds>1JSDwI}=vpRoRR zLqx(Tvf34CvkTMOPkoH~$CG~fSZb;(2S4Q6Vpe9G83V={hwQ>acu+MCX)@0i>Vd`% z4I8Ye+7&Kcbh(*bN1etKmrpN)v|=eI+$oD=zzii6nP&w|kn2Y-f!(v<aE zKmOz#{6PZB(8zD={il`RO6D}v(@mN_66KXUAEefgg|;VmBfP?UrfB$&zaRw7oanna zkNmVGz4Vhd!vZSnp1(&_5^t;eSv6O771BloJAHi=Pnn+aa6y(e2iiE97uZ{evzQ^8 z*lN@ZYx<-hLXP^IuYLGf<01O*>nDp0fo;;Iyt`JADrxt7-jEF(vv_btyp6CT8=@5t zm`I0lW+2+_xj2CRL|40kcYysuyYeiGihGe&a)yilqP}5h+^)m8$=mzrUe`$(?BIY> zfF7-V10Gu0CkWF)wz04&hhI>es0NS7d`cnT`4y8K!wUAKv$H09fa>KeNQvwUNDT1zn}_*RHykC$CD%*h7vRCQ&Z z4&N-!L>(@8i?K$l5)13n0%VPPV`iG7Q$2{1T3JypLSvN%1kX73goBIOEmg=Uf$9e? zm}g>JFu}EQKH>|K!)m9teoCmTc`y2Ll}msZYyy0Pkqjeid66>DP_?C{KCw94lHvLW z-+X!2YSm70s833lH0o+|A%Xwsw`@8lE3ia0n_Dve;LC7@I+i~@%$lD|3fNf&R6ob6 z@iGfx^OC4s`$|vO!0jTWwVpX;X^EqJF{i324I>N=f@u+rTN+xJGGR0LsCQc;iFD=F zbZJrgOpS;04o^wP7HF5QBaJ$KJgS2V4u02ViWD=6+7rcu`uc&MOoyf%ZBU|gQZkUg z<}ax>*Fo?d*77Ia)+{(`X45{a8>Bi$u-0BWSteyp#GJnTs?&k&<0NeHA$Qb3;SAJK zl}H*~eyD-0qHI3SEcn`_7d zq@YRsFdBig+k490BZSQwW)j}~GvM7x>2ymO4zakaHZ!q6C2{fz^NvvD8+e%7?BQBH z-}%B{oROo2+|6g%#+XmyyIJrK_(uEbg%MHlBn3^!&hWi+9c0iqM69enep#5FvV_^r z?Yr(k*5FbG{==#CGI1zU0Wk{V?UGhBBfv9HP9A-AmcJmL^f4S zY3E2$WQa&n#WRQ5DOqty_Pu z-NWQGCR^Hnu^Vo2rm`-M>zzf|uMCUd1X0{wISJL2Pp=AO5 zF@(50!g|SYw3n<_VP0T~`WUjtY**6Npphr5bD%i3#*p7h8$#;XTLJAt5J-x~O1~`z z`2C~P4%XSI(JbrEmVMEwqdsa^aqXWg;A6KBn^jDxTl!}Q!^WhprL$kb(Iqq zUS`i$tIPs#hdE-zAaMGoxcG?Z;RO2L0Y|gcjV_)FFo|e)MtTl`msLTwq>po$`H6_U zhdWK97~M>idl9GE_WgobQkK_P85H_0jN?s3O)+m&68B`_;FnbZ3W*Qm++ghSs7|T4b7m~VVV%j0gl`Iw!?+-9#Lsb!j3O%fSTVuK z37V>qM81D+Atl};23`TqEAfEkQDpz$-1$e__>X2jN>xh@Sq)I6sj@< ziJ^66GSmW9c%F7eu6&_t$UaLXF4KweZecS1ZiHPWy-$e_7`jVk74OS*!z=l#(CQ^K zW-ke|g^&0o=hn+4uh-8lUh0>!VIXXnQXwKr>`94+2~<;+`k z$|}QZ>#pm2g}8k*;)`@EnM~ZQtci%_$ink9t6`HP{gn}P1==;WDAld3JX?k%^GcTU za>m|CH|UsyFhyJBwG5=`6562hkVRMQ=_ron-Vlm$4bG^GFz|Jh5mM{J1`!!hAr~8F^w> z^YhQ=c|bFn_6~9X$v(30v$5IX;#Nl-XXRPgs{g_~RS*znH^6Vhe}8>T?aMA|qfnWO zQpf(wr^PfygfM+m2u!9}F|frrZPBQ!dh(varsYo!tCV)WA(Wn^_t=WR_G7cQU`AGx zrK^B6<}9+$w;$vra)QWMKf_Tnqg93AMVZ6Qd=q6rdB{;ZhsoT zWy9QhnpEnc@Dauz4!8gq zqDanAX#$^vf-4~ZqUJtSe?SO+Hmb?)l2#}v(8}2+P{ZZuhlib0$3G0|a5?JR>QgUUP$HTE5hb`h>imq#7P+Y*-UVLm@9km|V# zoigziFt$bxgQMwqKKhd!c--&ciywIED>faY3zHLrA{V#IA)!mq!FXxf?1coGK~N(b zjwu*@2B1^(bzFVBJO`4EJ$=it!a0kbgUvPL;Er(0io{W4G7Bkqh)=g)uS|l0YfD}f zaCJwY7vR-D=P9M68`cmtmQ^!F-$lt@0S|9G7cHgT13A0xMv)HmH#Z<4{~iYo_VOD{ z5!kU+>mUOvHouw+-y?*cNlUlDwD#;6ZvAIc$YcwG&qKZFh>EtM(Eda+w)E$HcfZyB zG*$<*ae_ApE%gxWx%O^~XMnRSNLv!y`g99F(J_m)spJAc95P|_joOIoru%atbw z9PYgkcE*8x#)-W{>96KDl&74iW<#wrK)1s zxzU{`rW5af+dT6Z@_1dG<}CtDMT`EGVEXSL_5D9)Z;6UJe-TW7)M?bY%E;8G?Yc!$ zic;F5=#dba^P~7f#qvC}Nd#XEo2r_UlgfR_`B2^W0QjXU?RAi$>f&{G_Lu8Fp0qDp z?vAdm%z#3kcZmaJ@afooB=A@>8_N~O9Yzu=ZCEikM>UgU+{%>pPvmSNzGk@*jnc5~ z(Z#H4OL^gw>)gqZ!9X|3i4LAdp9vo)?F9QCR3##{BHoZ73Uk^Ha={2rc*TBijfKH- z=$cZQdc<5%*$kVo|{+bL3 zEoU&tq*YPR)^y-SISeQNQ)YZ9v>Hm4O=J)lf(y=Yu1ao&zj#5GVGxyj%V%vl9}dw< zO;@NRd4qe@Et}E@Q;SChBR2QPKll1{*5*jT*<$$5TywvC77vt=1=0xZ46>_17YzbiBoDffH(1_qFP7v2SVhZmA_7JDB50t#C39 z8V<9(E?bVWI<7d6MzcS^w!XmZ**{AO!~DZNU)pgr=yY1 zT@!AapE;yg&hmj*g{I3vd## zx+d%^O?d%%?Dba|l~X6ZOW|>FPsrjPjn-h4swysH!RNJUWofC?K(^0uHrBPrH5#W> zMn8^@USzjUucqo%+5&))Dnnw`5l1mp>roaA99Nkk4keZl2wAF7oa(!x?@8uGWzc5Q zM}g`}zf-D@B6lVFYWmmJ8a+_%z8g$C7Ww~PD9&jki08NY!b!fK288R;E?e3Z+Pk{is%HxQU`xu9+y5 zq?DWJD7kKp(B2J$t5Ij8-)?g!T9_n<&0L8F5-D0dp>9!Qnl#E{eDtkNo#lw6rMJG$ z9Gz_Z&a_6ie?;F1Y^6I$Mg9_sml@-z6t!YLr=ml<6{^U~UIbZUUa_zy>fBtR3Rpig zc1kLSJj!rEJILzL^uE1mQ}hjMCkA|ZlWVC9T-#=~ip%McP%6QscEGlYLuUxDUC=aX zCK@}@!_@~@z;70I+Hp5#Tq4h#d4r!$Np1KhXkAGlY$ap7IZ9DY})&(xoTyle8^dBXbQUhPE6ehWHrfMh&0=d<)E2+pxvWo=@`^ zIk@;-$}a4zJmK;rnaC)^a1_a_ie7OE*|hYEq1<6EG>r}!XI9+(j>oe!fVBG%7d}?U z#ja?T@`XO(;q~fe2CfFm-g8FbVD;O7y9c;J)k0>#q7z-%oMy4l+ zW>V~Y?s`NoXkBeHlXg&u*8B7)B%alfYcCriYwFQWeZ6Qre!4timF`d$=YN~_fPM5Kc8P;B-WIDrg^-j=|{Szq6(TC)oa!V7y zLmMFN1&0lM`+TC$7}on;!51{d^&M`UW ztI$U4S&}_R?G;2sI)g4)uS-t}sbnRoXVwM!&vi3GfYsU?fSI5Hn2GCOJ5IpPZ%Y#+ z=l@;;{XiY_r#^RJSr?s1) z4b@ve?p5(@YTD-<%79-%w)Iv@!Nf+6F4F1`&t~S{b4!B3fl-!~58a~Uj~d4-xRt`k zsmGHs$D~Wr&+DWK$cy07NH@_z(Ku8gdSN989efXqpreBSw$I%17RdxoE<5C^N&9sk!s2b9*#}#v@O@Hgm z2|U7Gs*@hu1JO$H(Mk)%buh~*>paY&Z|_AKf-?cz6jlT-v6 zF>l9?C6EBRpV2&c1~{1$VeSA|G7T(VqyzZr&G>vm87oBq2S%H0D+RbZm}Z`t5Hf$C zFn7X*;R_D^ z#Ug0tYczRP$s!6w<27;5Mw0QT3uNO5xY($|*-DoR1cq8H9l}_^O(=g5jLnbU5*SLx zGpjfy(NPyjL`^Oln_$uI6(aEh(iS4G=$%0;n39C(iw79RlXG>W&8;R1h;oVaODw2nw^v{~`j(1K8$ z5pHKrj2wJhMfw0Sos}kyOS48Dw_~=ka$0ZPb!9=_FhfOx9NpMxd80!a-$dKOmOGDW zi$G74Sd(-u8c!%35lL|GkyxZdlYUCML{V-Ovq{g}SXea9t`pYM^ioot&1_(85oVZ6 zUhCw#HkfCg7mRT3|>99{swr3FlA@_$RnE?714^o;vps4j4}u=PfUAd zMmV3j;Rogci^f!ms$Z;gqiy7>soQwo7clLNJ4=JAyrz;=*Yhe8q7*$Du970BXW89Xyq92M4GSkNS-6uVN~Y4r7iG>{OyW=R?@DmRoi9GS^QtbP zFy2DB`|uZTv8|ow|Jcz6?C=10U$*_l2oWiacRwyoLafS!EO%Lv8N-*U8V+2<_~eEA zgPG-klSM19k%(%;3YM|>F||hE4>7GMA(GaOvZBrE{$t|Hvg(C2^PEsi4+)w#P4jE2XDi2SBm1?6NiSkOp-IT<|r}L9)4tLI_KJ*GKhv16IV}An+Jyx z=Mk`vCXkt-qg|ah5=GD;g5gZQugsv!#)$@ zkE=6=6W9u9VWiGjr|MgyF<&XcKX&S3oN{c{jt-*1HHaQgY({yjZiWW97rha^TxZy< z2%-5X;0EBP>(Y9|x*603*Pz-eMF5*#4M;F`QjTBH>rrO$r3iz5 z?_nHysyjnizhZQMXo1gz7b{p`yZ8Q78^ zFJ3&CzM9fzAqb6ac}@00d*zjW`)TBzL=s$M`X*0{z8$pkd2@#4CGyKEhzqQR!7*Lo@mhw`yNEE6~+nF3p;Qp;x#-C)N5qQD)z#rmZ#)g*~Nk z)#HPdF_V$0wlJ4f3HFy&fTB#7Iq|HwGdd#P3k=p3dcpfCfn$O)C7;y;;J4Za_;+DEH%|8nKwnWcD zBgHX)JrDRqtn(hC+?fV5QVpv1^3=t2!q~AVwMBXohuW@6p`!h>>C58%sth4+Baw|u zh&>N1`t(FHKv(P+@nT$Mvcl){&d%Y5dx|&jkUxjpUO3ii1*^l$zCE*>59`AvAja%`Bfry-`?(Oo?5wY|b4YM0lC?*o7_G$QC~QwKslQTWac z#;%`sWIt8-mVa1|2KH=u!^ukn-3xyQcm4@|+Ra&~nNBi0F81BZT$XgH@$2h2wk2W% znpo1OZuQ1N>bX52II+lsnQ`WVUxmZ?4fR_f0243_m`mbc3`?iy*HBJI)p2 z`GQ{`uS;@;e1COn-vgE2D!>EheLBCF-+ok-x5X8Cu>4H}98dH^O(VlqQwE>jlLcs> zNG`aSgDNHnH8zWw?h!tye^aN|%>@k;h`Z_H6*py3hHO^6PE1-GSbkhG%wg;+vVo&dc)3~9&` zPtZtJyCqCdrFUIEt%Gs_?J``ycD16pKm^bZn>4xq3i>9{b`Ri6yH|K>kfC; zI5l&P)4NHPR)*R0DUcyB4!|2cir(Y1&Bsn3X8v4D(#QW8Dtv@D)CCO zadQC85Zy=Rkrhm9&csynbm>B_nwMTFah9ETdNcLU@J{haekA|9*DA2pY&A|FS*L!*O+>@Q$00FeL+2lg2NWLITxH5 z0l;yj=vQWI@q~jVn~+5MG!mV@Y`gE958tV#UcO#56hn>b69 zM;lq+P@MW=cIvIXkQmKS$*7l|}AW%6zETA2b`qD*cL z(=k4-4=t6FzQo#uMXVwF{4HvE%%tGbiOlO)Q3Y6D<5W$ z9pm>%TBUI99MC`N9S$crpOCr4sWJHP)$Zg#NXa~j?WeVo03P3}_w%##A@F|Bjo-nNxJZX%lbcyQtG8sO zWKHes>38e-!hu1$6VvY+W-z?<942r=i&i<88UGWdQHuMQjWC-rs$7xE<_-PNgC z_aIqBfG^4puRkogKc%I-rLIVF=M8jCh?C4!M|Q=_kO&3gwwjv$ay{FUDs?k7xr%jD zHreor1+#e1_;6|2wGPtz$``x}nzWQFj8V&Wm8Tu#oaqM<$BLh+Xis=Tt+bzEpC}w) z_c&qJ6u&eWHDb<>p;%F_>|`0p6kXYpw0B_3sIT@!=fWHH`M{FYdkF}*CxT|`v%pvx z#F#^4tdS0|O9M1#db%MF(5Opy;i( zL(Pc2aM4*f_Bme@o{xMrsO=)&>YKQw+)P-`FwEHR4vjU>#9~X7ElQ#sRMjR^Cd)wl zg^67Bgn9CK=WP%Ar>T4J!}DcLDe z=ehSmTp##KyQ78cmArL=IjOD6+n@jHCbOatm)#4l$t5YV?q-J86T&;>lEyK&9(XLh zr{kPuX+P8LN%rd%8&&Ia)iKX_%=j`Mr*)c)cO1`-B$XBvoT3yQCDKA>8F0KL$GpHL zPe?6dkE&T+VX=uJOjXyrq$BQ`a8H@wN1%0nw4qBI$2zBx)ID^6;Ux+? zu{?X$_1hoz9d^jkDJpT-N6+HDNo%^MQ2~yqsSBJj4@5;|1@w+BE04#@Jo4I63<~?O?ok%g%vQakTJKpMsk&oeVES1>cnaF7ZkFpqN6lx` zzD+YhR%wq2DP0fJCNC}CXK`g{AA6*}!O}%#0!Tdho4ooh&a5&{xtcFmjO4%Kj$f(1 zTk||{u|*?tAT{{<)?PmD_$JVA;dw;UF+x~|!q-EE*Oy?gFIlB*^``@ob2VL?rogtP z0M34@?2$;}n;^OAV2?o|zHg`+@Adk+&@Syd!rS zWvW$e5w{onua4sp+jHuJ&olMz#V53Z5y-FkcJDz>Wk%_J>COk5<0ya*aZLZl9LH}A zJhJ`Q-n9K+c8=0`FWE^x^xn4Fa7PDUc;v2+us(dSaoIUR4D#QQh91R!${|j{)=Zy1 zG;hqgdhSklM-VKL6HNC3&B(p1B)2Nshe7)F=-HBe=8o%OhK1MN*Gq6dBuPvqDRVJ{ z;zVNY?wSB%W0s^OMR_HL(Ws)va7eWGF*MWx<1wG7hZ}o=B62D?i|&0b14_7UG287YDr%?aYMMpeCkY1i`b+H!J9sqrvKc#Y6c8At@QiLSwj)@ifz~Z|c$lOMA@?cPqFRmZ%_>bz2X4(B=`^3;MDjsEeAO=? zSoD&+L>A|fGt7+6kF2@LqhL06sD%|~YsIe=EcWqy{e_61N_D(*CacnMvyXMjP87HI z4PT6!$fzxx{}=>jeqzkkoN+!r9e|@lZUN4pn(T28v`k=_vIhTn^i9O3qTqd)-%!QQ zYB6*6B@&b(!#X4C~59SLZuorNU_wWZA36{>O%iX)VS5NNZh49C_ppI>?)wwml}_0MLzOXT>lmo#&Ew6d?mu8~~I_^4VGBQtCAke;RQa5DL` z1PFDPsKb3CS$v;RhlQ1J@AHa1VRuuxp}NOIvrC>4$$A0Ix0VpAc0lfG%8{mR{TRQ( zbXM#1Tci3H*Wt>cVuMta^6^z`=^B@j+YhJqq9?>zZPxyg2U(wvod=uwJs{8gtpyab zXHQX<0FOGW6+dw&%c_qMUOI^+Rnb?&HB7Fee|33p4#8i>%_ev(aTm7N1f#6lV%28O zQ`tQh$VDjy8x(Lh#$rg1Kco$Bw%gULq+lc4$&HFGvLMO30QBSDvZ#*~hEHVZ`5=Kw z3y^9D512@P%d~s{x!lrHeL4!TzL`9(ITC97`Cwnn8PSdxPG@0_v{No|kfu3DbtF}K zuoP+88j4dP+Bn7hlGwU$BJy+LN6g&d3HJWMAd1P9xCXG-_P)raipYg5R{KQO$j;I9 z1y1cw#13K|&kfsRZ@qQC<>j=|OC?*v1|VrY$s=2!{}e33aQcZghqc@YsHKq^)kpkg z>B;CWNX+K=u|y#N)O>n5YuyvPl5cO6B^scmG?J zC8ix)E1PlhNaw8FpD+b|D$z`Id^4)rJe78MNiBga?Z- z0$L&MRTieSB1_E#KaN*H#Ns1}?zOA%Ybr{G+Sn3moXTVZj=L`nt?D&-MjOMz-Yq&@ z$P3h23d_F8Dcf*?txX7}p>nM*s+65t z1il8bHHsBynUK|aEXSjzY6sz1nZ%|%XeWTcGLRyRl@q4YAR)JovbdTTY&7u>@}28A zgV^Npp?}I!?3K7IXu9ml-Lw;w@9m zBYTeU+Seh8uJ-w?4e_6byq0f7>O3xm(hO}Y=fgU5^vW|>0yQ^0+?}LT55ei$i zzlU-iRbd8TRX9Ept%h%ariV=%u%F@@FA>U*XdAalcH%>#5_a&w)g`uW%3}m?vP- zc5}DkuF6ruKDwEYj+2YTSQ9=rkp19U5P@(zRm(nLod(sG9{~nw1BUoS2OFDXa{xfw zZ~UaZLFUZxfQ*9?_X?*~`d;nn-BbaefLJ`DT13KF6?T5Mnt;v5d>H}s)aAIzJcs#B z|CuXPJKww}hWBKsUfks#Kh$)ptp?5U1b@ttXFRbe_BZ&_R9XC6CA4WhWhMUE9Y2H4 z{w#CBCR<)Fd1M;mx*m?Z=L-^1kv1WKtqG(BjMiR4M^5yN4rlFM6oGUS2Wf~7Z@e*- ze84Vr`Bmi!(a1y}-m^HHMpbAiKPVEv|(7=|}D#Ihfk+-S5Hlkfch02z&$(zS3vrYz2g*ic{xBy~*gIp(eG}^gMc7 zPu2Eivnp@BH3SOgx!aJXttx*()!=2)%Bf$Gs^4cCs@)=(PJNxhH5lVY&qSZYaa?A^LhZW`B9(N?fx<^gCb(VE%3QpA*_Pohgp6vCB36iVaq zc1TI%L2Le?kuv?6Dq`H+W>AqnjyEzUBK948|DB|)U0_4DzWF#7L{agwo%y$hC>->r z4|_g_6ZC!n2=GF4RqVh6$$reQ(bG0K)i9(oC1t6kY)R@DNxicxGxejwL2sB<>l#w4 zE$QkyFI^(kZ#eE5srv*JDRIqRp2Totc8I%{jWhC$GrPWVc&gE1(8#?k!xDEQ)Tu~e zdU@aD8enALmN@%1FmWUz;4p}41)@c>Fg}1vv~q>xD}KC#sF|L&FU);^Ye|Q;1#^ps z)WmmdQI2;%?S%6i86-GD88>r|(nJackvJ#50vG6fm$1GWf*f6>oBiDKG0Kkwb17KPnS%7CKb zB7$V58cTd8x*NXg=uEX8Man_cDu;)4+P}BuCvYH6P|`x-#CMOp;%u$e z&BZNHgXz-KlbLp;j)si^~BI{!yNLWs5fK+!##G;yVWq|<>7TlosfaWN-;C@oag~V`3rZM_HN`kpF`u1p# ztNTl4`j*Lf>>3NIoiu{ZrM9&E5H~ozq-Qz@Lkbp-xdm>FbHQ2KCc8WD7kt?=R*kG# z!rQ178&ZoU(~U<;lsg@n216Ze3rB2FwqjbZ=u|J?nN%<4J9(Bl(90xevE|7ejUYm9 zg@E_xX}u2d%O1mpA2XzjRwWinvSeg)gHABeMH(2!A^g@~4l%8e0WWAkBvv60Cr>TR zQB1%EQ zUoZeUdqjh+1gFo6h~C~z#A57mf5ibmq$y_uVtA_kWv8X)CzfVEooDaY!#P?5$Y zGPKXbE<75nc%D-|w4OrP#;87oL@2^4+sxKah;a-5&z_&SUf~-z(1}bP=tM^GYtR3a z!x4zjSa^)KWG6jxfUI#{<26g$iAI;o_+B{LXY@WfWEdEl6%#8s3@b`?&Tm#aSK!~| z^%DdrXnijW`d!ajWuKApw&{L+WCPpFialo&^dZ9jC7A%BO`2ZF&YUDe;Yu|zFuv`2 z)BE*7Lkay)M7uohJ)446X``0x0%PzPTWY92`1Oq4a2D_7V0wypPnXFR)WM0IlFgg@ zqz#hv2xJEQL8eu}O;e(w4rSA?5|eZHbS6jENytJBq59?bOf>Wrl8ySZH36H(6fGR#vHM6q zn}!7!I@4$*+LFXs{x?|=q2*QtYT%Lw3+5(8uc0j8o3}TrG(zSV#>4wo6~)u|R+Yx# z?0$AspZDjv{dfv417~C17Oy%Fal{%+B6H(NX`$Bl>II-L3N3 zZc+sKZbqewU*&_Xt;9k=%4*aVYBvE1n&JZS7Uqjd%n8nOQmzh^x#vWK{;In~=QO)g zT-n3OU(1@3QfL|$g1d2xeBb@O15Rl01+hmpup2De7p%Yrd$E7(In!*R+;IJZh}v!svi z;7N~pq8KZDXXap0qd_D=Y^B)rz4S0^SF=&v6YYTAV$ad43#x!+n~-6< zK{8*vWoAdW(gGGt&URD}@g6tMoY(+Lw=vvxhfIIK9AjvNF_(W}1Rxn(mp;tJfDV<0 zbJN0t(@Xb8UeO{&T{$$uDrs7)j$}=?WsuDl+T2N5Y<4TMHGOMcocPr$%~(yvtKv(n z`U96d!D0cb9>Dx2zz$m&lAhazs%UeR^K*gb>d8CPs+?qlpfA;t{InXa)^2ryC(FU(Zc6Xbnnh`lg`K&g^JeS>}^c0MJKUCfV+~ zV(EN0Z5ztoN;hqcj!8V+VRbSltJ<~|y`U+9#wv|~H zNE!j9uXa=dec@JQSgJ6N6@Il&tzCBJv9#ldR`Lm*<)YwH4tdlAlG0Fl8Nfa(J~c%DQ2AA-}x8D=p(l#n1+hgx;N;1Aq?lq@{Lt9FKu89CjnnHD1G_@p;%Lp`+b@ttb33!E_Xt;QUD9~nRQl&xAro9-{+&6^ljK2f-d>&qy&d#0xwH z@slNv@ULKp!Cf*JHuS@#4c?F->WjPc)yiuSargAIEg>muRxzY?Hzdq@G5CS)U1*Et zE2SLh=@DI1J(guiy2Igq(?(xI9WL%g^f@{5Hmr|!Qz4`vn|LjrtO=b~I6~5EU5Fxy z;-#<)6w#w=DkpSthAu+E;OL?!?6C9Mwt*o(@68(Jhvs-eX4V z=d=>HI|`3J%H5X|gSrC8KH^IL?h5=3ID6svwHH@(wRbSG`Zsor^q4`3PCn#-(YX?< z_q8+T)51$E0xyKR{L!LN(G=+9K6$3#PDT^IAe|Igkx=!4#rqKWoXiZdh`&ocjp=Ok zemJe6*{it~>;sr(B0fSmp(S#*y5I0)OOz~Oe6Im+($S}e3tyx7Y6pA8vKCBmSEQDa zLfkm*;uMbTLpcR0)tF_v-lbK%`5>POyI2E(!)2=Rj0p;WKi=|UNt6HsQv0xR3QIK9 zsew(AFyzH!7Azxum{%VC^`cqhGdGbABGQ4cYdNBPTx+XpJ=NUEDeP^e^w^AOE1pQI zP{Us-sk!v$gj}@684E!uWjzvpoF|%v-6hwnitN1sCSg@(>RDCVgU8Ile_-xX`hL6u zzI4*Q)AVu(-ef8{#~P9STQ5t|qIMRoh&S?7Oq+cL6vxG?{NUr@k(~7^%w)P6nPbDa~4Jw}*p-|cT4p1?)!c0FoB(^DNJ+FDg+LoP6=RgB7Or673WD5MG&C!4< zerd6q$ODkBvFoy*%cpHGKSt z3uDC6Sc=xvv@kDzRD)aIO`x}BaWLycA%(w-D`Pd+uL*rL|etagQ;U&xt_9?7#}=}5HI)cU-0 z%pMA`>Xb7s)|Y)4HKSZOu;{lg=KjeIyXb0{@EM`FTDkLRH`!W%z*lQJ74P%Ka76)H zblrSIzf+dMWbO`g;=(b@{pS)zUcO&GrIFe%&?YeX4r8B2bBArB%-5ZrQ+vonr%AYy z1+u0*K{UVUmV>h5vD!F;6}a%KdMZQLs04oGkpiaC)zI( zT2U9qta5o|6Y+It1)sE8>u&0)W~l$NX@ZQ8UZfB=`($EW6?FT%{EoRhOrb9)z@3r8y?Z99FNLDE;7V=Q zotj&igu*Rh^VQn3MQKBq!T{yTwGhn1YL6k*?j?{_ek5xe8#i#GG4S-a_Re2lssG!} z`Y-d0BcOdB@!m?4y&hMN68}#0-IIlm_xO)d#}ugX{q^OZe{-@LeJyv`cY&ze4t2~! zKb{qX-j;kt{?gC(vW%}X4pm@1F?~LH{^Q8d@X$dy@5ff~p!J3zmA>H`A)y+6RB_h* zZfIO+bd=*LiymRw{asW%xxaVl33_xtdVrrqIPn zc@y8oMJvNtgcO~4i0`f)GCFkWY8EF?4duLVjHTdb6oYLnO9}Q-pe{CKQJL)hV8)JI z$mVA0Dq&7Z1TbYdSC(WbJ+IBjXngZTu&I+vHF|>Zo$757{8lL;8Zr-Exkf?3jzN5k z_d9I>{>^J?!l)< zNd$7E9FVrta}3qy3L7Ys$^fRWNuu^hs^{*eXvazd&+Q*?lTfc>2+EdP(o0P_Z05HX zVKsfFAQ{t^CRu~Dw(CuJ>tvx*p$5@flA>QRl455b&{*U?xU8`)nF2T$uu_(l8VNtq z?pBiRQIckGzk8W&SFSB=g6eG`ZC;6v9w`?eF*S}3E@N`2ropeHP)E}o?qJkyVEI;K$!)bWY zt9>4WmDVJh7U~m$|K`T#hF!v|znj^=M;69uXrFys#51XT;DbMr4H)>7UQ1e2(cuQf z4kr~Tt1tpBB2GaJ(|j~lHgW40EgMMVqR6eJoJig1SBg|2=$~4I3P0eP$q%_`sS&4~ z26=&a&tLjQbch1`cVXa-2fTl1y8}->|Nqu?uVrNTov!=VKh)g89wUPTgAzkSKZ57_ zr=B^mcldE3K04t4{;RaG53&9yovq;@aR#VHx+R1^^*kr-vEEd!uea68Z<{R%_DD6fn&T4 zu;fDj07L-(_fLSJGdkeh&c&7A(ZLj`7iwnkAcqUexU;WjUkqeg1m1-IUZTIZA(4dtr2Gr`e{BIejlCgS<33MB=1!8?a74!F%=Uo7N`F@k} ze+1C_eU4Y_$mvdjci zwEtCIphA2PBzBhng5=M#e4r%)RW5rVD|_`PvY$7BK`}w~d>%0O9sY#*LUAq=^OjMF^PY5m<7!=s5jyRfosCQAo#hL`h5vN-M}6Q z0Li}){5?wi8)GVHNkF|U9*8V5ej)nhb^TLw1KqiPK(@{P1^L&P=`ZNt?_+}&0(8Uh zfyyZFPgMV7ECt;Jdw|`|{}b$w4&x77VxR>8wUs|GQ5FBf1UlvasqX$qfk5rI4>Wfr zztH>y`=daAef**C12yJ7;LDf&3;h3X+5@dGPy@vS(RSs3CWimbTp=g '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum -warn ( ) { +warn () { echo "$*" -} +} >&2 -die ( ) { +die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac -# For Cygwin, ensure paths are in UNIX format before anything is touched. -if $cygwin ; then - [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"` -fi - -# Attempt to set APP_HOME -# Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi -done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >&- -APP_HOME="`pwd -P`" -cd "$SAVED" >&- - CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + # Determine the Java command to use to start the JVM. if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME @@ -82,83 +133,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) -# For Cygwin, switch paths to Windows format before running java -if $cygwin ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=$((i+1)) + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - (0) set -- ;; - (1) set -- "$args0" ;; - (2) set -- "$args0" "$args1" ;; - (3) set -- "$args0" "$args1" "$args2" ;; - (4) set -- "$args0" "$args1" "$args2" "$args3" ;; - (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules -function splitJvmOpts() { - JVM_OPTS=("$@") -} -eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS -JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME" -exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat index 8a0b282..9b42019 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -1,90 +1,94 @@ -@if "%DEBUG%" == "" @echo off -@rem ########################################################################## -@rem -@rem Gradle startup script for Windows -@rem -@rem ########################################################################## - -@rem Set local scope for the variables with windows NT shell -if "%OS%"=="Windows_NT" setlocal - -@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -set DEFAULT_JVM_OPTS= - -set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. -set APP_BASE_NAME=%~n0 -set APP_HOME=%DIRNAME% - -@rem Find java.exe -if defined JAVA_HOME goto findJavaFromJavaHome - -set JAVA_EXE=java.exe -%JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init - -echo. -echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. - -goto fail - -:findJavaFromJavaHome -set JAVA_HOME=%JAVA_HOME:"=% -set JAVA_EXE=%JAVA_HOME%/bin/java.exe - -if exist "%JAVA_EXE%" goto init - -echo. -echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. - -goto fail - -:init -@rem Get command-line arguments, handling Windowz variants - -if not "%OS%" == "Windows_NT" goto win9xME_args -if "%@eval[2+2]" == "4" goto 4NT_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* -goto execute - -:4NT_args -@rem Get arguments from the 4NT Shell from JP Software -set CMD_LINE_ARGS=%$ - -:execute -@rem Setup the command line - -set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar - -@rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% - -:end -@rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd - -:fail -rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of -rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 - -:mainEnd -if "%OS%"=="Windows_NT" endlocal - -:omega +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega From af023c4ae625224f02c44fabbf2f5662d66b13c6 Mon Sep 17 00:00:00 2001 From: jexh Date: Tue, 14 Jan 2025 20:56:09 +0000 Subject: [PATCH 06/13] Update ApproovMessageSigningConfig.java Proposed changes that will need to be discussed before being adopted in a final form. --- .../okhttp/ApproovMessageSigningConfig.java | 136 +++++++++++------- 1 file changed, 87 insertions(+), 49 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java index 48ddcc4..58499ec 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java @@ -1,6 +1,18 @@ package io.approov.service.okhttp; import java.util.ArrayList; +import okhttp3.Request; + +/* Add the following interfaces */ +interface MessageSigningConfig { + String getSigningMessage(); + String getTargetHeaderName(); + String generateTargetHeaderValue(String messageSignature, String approovTokenHeader); +} + +interface MessageSigningConfigFactory { + MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader); +} /* message signing configuration * This class is used to configure the message signing feature. The message signature can be computed based on the @@ -9,29 +21,18 @@ * You can have multiple configurations for different domains and a default '*' configuration that will be used if no * specific configuration is found for a domain. */ -public class ApproovMessageSigningConfig { +public class DefaultMessageSigningConfigFactory implements MessageSigningConfigFactory { // the name of the header that will be used to send the message signature protected String targetHeader; // the list of headers to include in the message to be signed, in the order they should be added protected ArrayList signedHeaders; - // true if the message body should also be signed - protected Boolean signBody; - // true if the Approov token header is included in the signature - protected Boolean signApproovToken; - // true if target URL should be included in the signature - protected Boolean signURL; - // true if the network request method should be included in the signature - protected Boolean signMethod; + // constructor public ApproovMessageSigningConfig(String targetHeader) { if (targetHeader == null || targetHeader.isEmpty()) throw new IllegalArgumentException("The target header must be specified"); this.targetHeader = targetHeader; this.signedHeaders = new ArrayList<>(); - this.signBody = false; - this.signApproovToken = true; - this.signURL = true; - this.signMethod = true; } /* Get/set methods */ @@ -40,48 +41,85 @@ public ApproovMessageSigningConfig(String targetHeader) { public String getTargetHeader() { return targetHeader; } - /* Get signed headers */ - public ArrayList getSignedHeaders() { - return signedHeaders; - } + /* Add a header to the list of signed headers: NOTE the sequence of headers DOES matter */ - public void addSignedHeader(String header) { + public DefaultMessageSigningConfigFactory addSignedHeader(String header) { if (header == null || header.isEmpty()) throw new IllegalArgumentException("The header must be specified"); signedHeaders.add(header); + return this; } - /* Get signBody flag */ - public Boolean getSignBody() { - return signBody; - } - /* Set signBody flag */ - public void setSignBody(Boolean signBody) { - this.signBody = signBody; - } - /* Get signApproovToken flag */ - public Boolean getSignApproovToken() { - return signApproovToken; - } - /* Set signApproovToken flag */ - public void setSignApproovToken(Boolean signApproovToken) { - this.signApproovToken = signApproovToken; - } - /* Get signURL flag */ - public Boolean getSignURL() { - return signURL; - } - /* Set signURL flag */ - public void setSignURL(Boolean signURL) { - this.signURL = signURL; - } - /* Get signMethod flag */ - public Boolean getSignMethod() { - return signMethod; - } - /* Set signMethod flag */ - public void setSignMethod(Boolean signMethod) { - this.signMethod = signMethod; + + MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader){ + StringBuilder usedHeadersSpec = new StringBuilder(); + StringBuilder message = new StringBuilder(); + // 1. Add the Method to the message + message.append(request.method()); + message.append("\n"); + // 2. add the URL to the message, followed by a newline + message.append(request.url()); // TODO make sure this includes all the URL params if there are any + message.append("\n"); + // 3. add the Approov token header to the message + List values = request.headers(approovTokenHeader); // make sure the okhtp lookup works whatever the case used on the header name + usedHeadersSpec.append(approovTokenHeader.toLowerCase() + "," + values.size()) + for (String value : values) { + message.append(approovTokenHeader.toLowerCase()).append(":"); + if (value != null) { + message.append(value); + } + message.append("\n"); + } + + // 4. add the required headers to the message as 'headername:headervalue', where the headername is in + // lowercase + if (messageSigningConfig.getSignedHeaders() != null) { + for (String header : messageSigningConfig.signedHeaders) { + // add one headername:headervalue\n entry for each header value to be included in the signature + List values = request.headers(header); + if (values != null && values.length() > 0) { + usedHeadersSpec.append(approovTokenHeader.toLowerCase()+ "," + values.size()) + for (String value : values) { + message.append(header.toLowerCase()).append(":"); + if (value != null) { + message.append(value); + } + message.append("\n"); + } + } + } + } + String finalUsedHeadersSpec = usedHeadersSpec.String() + message.append(finalUsedHeadersSpec) + + // add the body to the message + okhttp3.RequestBody body = request.body(); + if (body != null) { + Buffer buffer = new Buffer(); + body.writeTo(buffer); + message.append(buffer.readUtf8()); + } + return new DefaultMessageSigningConfig( + ); } +} +public class DefaultMessageSigningConfig implements MessageSigningConfig + // the name of the header that will be used to send the message signature + private String targetHeader; + // the list of headers with counts that are expected by the server and were also included in the message to be signed + private String usedHeadersSpec; + // the message to be signed + private String message; + DefaultMessageSigningConfig(String targetHeader, String usedHeadersSpec, String message) { + this.targeHeader = targetHeader; + this.usedHeaderSpec = usedHeaderSpec; + this.message = message; + } + + public String getTargetHeaderName(){ return targetHeader } + public String getSigningMessage() { return usedHeadersSpec } + public String generateTargetHeaderValue(String messageSignature) { + return usedHeaderSpec + ";" + messageSignature; + } } From af9ab1bf67cd345c715e46bc4ee7c9163cc55c31 Mon Sep 17 00:00:00 2001 From: jexh Date: Wed, 15 Jan 2025 12:46:15 +0000 Subject: [PATCH 07/13] Update ApproovMessageSigningConfig.java New approach --- .../okhttp/ApproovMessageSigningConfig.java | 42 +++++++++++-------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java index 58499ec..a6c7d0a 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java @@ -7,7 +7,7 @@ interface MessageSigningConfig { String getSigningMessage(); String getTargetHeaderName(); - String generateTargetHeaderValue(String messageSignature, String approovTokenHeader); + String generateTargetHeaderValue(String messageSignature); } interface MessageSigningConfigFactory { @@ -21,11 +21,11 @@ interface MessageSigningConfigFactory { * You can have multiple configurations for different domains and a default '*' configuration that will be used if no * specific configuration is found for a domain. */ -public class DefaultMessageSigningConfigFactory implements MessageSigningConfigFactory { +public final class DefaultMessageSigningConfigFactory implements MessageSigningConfigFactory { // the name of the header that will be used to send the message signature - protected String targetHeader; + private String targetHeader; // the list of headers to include in the message to be signed, in the order they should be added - protected ArrayList signedHeaders; + private ArrayList signedHeaders; // constructor public ApproovMessageSigningConfig(String targetHeader) { @@ -51,7 +51,7 @@ public DefaultMessageSigningConfigFactory addSignedHeader(String header) { } MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader){ - StringBuilder usedHeadersSpec = new StringBuilder(); + List usedHeaders = new ArrayList<>(); StringBuilder message = new StringBuilder(); // 1. Add the Method to the message message.append(request.method()); @@ -61,7 +61,10 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo message.append("\n"); // 3. add the Approov token header to the message List values = request.headers(approovTokenHeader); // make sure the okhtp lookup works whatever the case used on the header name - usedHeadersSpec.append(approovTokenHeader.toLowerCase() + "," + values.size()) + if values == null || values.isEmpty() { + throw new IllegalArgumentException("provided request does not include the Approov token header"); + } + usedHeaders.add(approovTokenHeader.toLowerCase()) for (String value : values) { message.append(approovTokenHeader.toLowerCase()).append(":"); if (value != null) { @@ -76,8 +79,8 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo for (String header : messageSigningConfig.signedHeaders) { // add one headername:headervalue\n entry for each header value to be included in the signature List values = request.headers(header); - if (values != null && values.length() > 0) { - usedHeadersSpec.append(approovTokenHeader.toLowerCase()+ "," + values.size()) + if (values != null && values.size() > 0) { + usedHeaders.add(approovTokenHeader.toLowerCase()) for (String value : values) { message.append(header.toLowerCase()).append(":"); if (value != null) { @@ -88,18 +91,16 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo } } } - String finalUsedHeadersSpec = usedHeadersSpec.String() - message.append(finalUsedHeadersSpec) // add the body to the message okhttp3.RequestBody body = request.body(); - if (body != null) { + if (body != null && !body.isOneShot()) { // we can't support one-shot bodies without making a copy - we probably need to do that extra work. Buffer buffer = new Buffer(); body.writeTo(buffer); + // need to convert the contents of the buffer to b64 - using readUtf8 may still cause serious problems in the message signing code if it contains control characters (or most problematic NULLs) message.append(buffer.readUtf8()); } - return new DefaultMessageSigningConfig( - ); + return new DefaultMessageSigningConfig(targetHeader, usedHeaders, message.String()); } } @@ -107,19 +108,26 @@ public class DefaultMessageSigningConfig implements MessageSigningConfig // the name of the header that will be used to send the message signature private String targetHeader; // the list of headers with counts that are expected by the server and were also included in the message to be signed - private String usedHeadersSpec; + private List usedHeaders; // the message to be signed private String message; - DefaultMessageSigningConfig(String targetHeader, String usedHeadersSpec, String message) { + DefaultMessageSigningConfig(String targetHeader, String usedHeaders, String message) { this.targeHeader = targetHeader; - this.usedHeaderSpec = usedHeaderSpec; + this.usedHeaders = usedHeaders; this.message = message; } public String getTargetHeaderName(){ return targetHeader } public String getSigningMessage() { return usedHeadersSpec } public String generateTargetHeaderValue(String messageSignature) { - return usedHeaderSpec + ";" + messageSignature; + // create a JSON object of the following form: + // { + // "accountSig":"messageSignature.String()", + // "headers":usedHeaders list as JSON list of strings + // } + // base 64 the JSON + String b64HeaderValue = "" + return b64HeaderValue; } } From 3e4e0e7408ed5027859c4d139f2d5a1912cbd979 Mon Sep 17 00:00:00 2001 From: jexh Date: Wed, 15 Jan 2025 13:24:31 +0000 Subject: [PATCH 08/13] Update ApproovService.java Use new message signing scheme --- .../service/okhttp/ApproovService.java | 110 ++++-------------- 1 file changed, 21 insertions(+), 89 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java index e094234..fc54ecc 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java @@ -84,7 +84,7 @@ public class ApproovService { private static Map exclusionURLRegexs = null; // message signing configurations mapped to a domain - private static Map messageSigningConfigs = null; + private static MessageSigningConfigFactory messageSigningConfigFactory = null; /** * Construction is disallowed as this is a static only class. @@ -123,28 +123,16 @@ public static void initialize(Context context, String config) { } /** - * Sets the message signing configuration. If this is set, then a message signature will be computed based on the - * request URL, the headers specified in signedHeaders in the order in which they are listed and, optionally, the - * body of the message. The signature will be added to the request headers using the header name specified in header. + * Sets the message signing configuration. If this is set, then it will be used to generate a message from each request + * which is then signed and the signature data is added to a header on the request sent to the server. * - * To unset message signing, call this function as setMessageSigning(nil, nil, false) + * To unset message signing, call this function as setMessageSigning(null) * - * @param messageConfig is the ApproovMessageSingingConfig object that contains the message signing configuration - * @param domain is the domain for which the message signing configuration should be used; use '*' for the default configuration which is applied when no specific configuration is found for a domain + * @param factory is the MessageSigningConfigFactory that is used by the interceptor to determine request specific + * message signing properties. */ - public static synchronized void setMessageSigning(ApproovMessageSigningConfig messageConfig, String domain) throws ApproovException { - if ((messageConfig == null) || (domain == null) || (domain.isEmpty())) { - throw new ApproovException("The message signing configuration and domain must be specified"); - } else { - // We check if this is the first message configuration that is created - if (messageSigningConfigs == null) { - messageSigningConfigs = new HashMap<>(); - } - // Add the configuration and domain to the map - messageSigningConfigs.put(domain, messageConfig); - Log.d(TAG, "setMessageSigning for domain: " + domain); - } - + public static synchronized void setMessageSigning(MessageSigningConfigFactory factory) throws ApproovException { + messageSigningConfigFactory = factory } /** @@ -197,10 +185,6 @@ public static synchronized void setDevKey(String devKey) throws ApproovException */ public static synchronized void setApproovHeader(String header, String prefix) throws ApproovException { Log.d(TAG, "setApproovHeader " + header + ", " + prefix); - // We only allow this to proceed if message signing is not enabled since changing the header after configuring the message signing is not allowed - if (messageSigningConfigs != null) { - throw new ApproovException("The Approov Token header cannot be changed after configuring the message signing"); - } approovTokenHeader = header; approovTokenPrefix = prefix; okHttpClient = null; @@ -663,7 +647,7 @@ public static synchronized OkHttpClient getOkHttpClient() { Log.d(TAG, "Building new Approov OkHttpClient"); ApproovTokenInterceptor interceptor = new ApproovTokenInterceptor(approovTokenHeader, approovTokenPrefix, bindingHeader, proceedOnNetworkFail, substitutionHeaders, - substitutionQueryParams, exclusionURLRegexs, messageSigningConfigs); + substitutionQueryParams, exclusionURLRegexs, messageSigningConfigFactory); okHttpClient = okHttpBuilder.certificatePinner(pinBuilder.build()).addInterceptor(interceptor).build(); } else { // if the ApproovService was not initialized then we can't add Approov capabilities @@ -722,8 +706,8 @@ class ApproovTokenInterceptor implements Interceptor { // set of URL regexs that should be excluded from any Approov protection, mapped to the compiled Pattern private Map exclusionURLRegexs; - // message signing configuration, if any - private Map messageSigningConfigs; + // message signing configuration + private MessageSigningConfigFactory messageSigningConfigFactory; /** * Constructs a new interceptor that adds Approov tokens and substitute headers or query @@ -736,11 +720,12 @@ class ApproovTokenInterceptor implements Interceptor { * @param substitutionHeaders is the map of secure string substitution headers mapped to any required prefixes * @param substitutionQueryParams is the set of query parameter key names subject to substitution * @param exclusionURLRegexs specifies regexs of URLs that should be excluded + * @paraf messageSigningConfigFactory FIXME */ public ApproovTokenInterceptor(String approovTokenHeader, String approovTokenPrefix, String bindingHeader, boolean proceedOnNetworkFail, Map substitutionHeaders, Set substitutionQueryParams, Map exclusionURLRegexs, - Map messageSigningConfigs) { + MessageSigningConfigFactory messageSigningConfigFactory) { this.approovTokenHeader = approovTokenHeader; this.approovTokenPrefix = approovTokenPrefix; this.bindingHeader = bindingHeader; @@ -757,7 +742,7 @@ public ApproovTokenInterceptor(String approovTokenHeader, String approovTokenPre } } this.exclusionURLRegexs = new HashMap<>(exclusionURLRegexs); - this.messageSigningConfigs = messageSigningConfigs; + this.messageSigningConfigFactory = messageSigningConfigFactory; } @Override @@ -904,66 +889,13 @@ else if (approovResults.getStatus() != Approov.TokenFetchStatus.UNKNOWN_KEY) } // if message signing is enabled, add the signature header to the request - if (messageSigningConfigs != null) { - // Match the domain of the request URL against the configured message signing domains - String domain = request.url().host(); - ApproovMessageSigningConfig messageSigningConfig = messageSigningConfigs.get(domain); - if (messageSigningConfig == null) { - // If no specific configuration is found for the domain, use the default configuration - domain = "*"; - messageSigningConfig = messageSigningConfigs.get(domain); - } - if (messageSigningConfig == null) { - // If no default configuration is found, do not sign the message - return chain.proceed(request); - } - Log.d(TAG, "Signing message with configuration for domain: " + domain + ": " + (messageSigningConfig.getSignApproovToken() ? ", " + approovTokenHeader + " **** " : "") + " headers " + messageSigningConfig.getSignedHeaders() + - (messageSigningConfig.getSignBody() ? ", body" : "")); - // build the message to sign, consisting of the URL, the names and values of the included headers and - // the body, if enabled, where each entry is separated from the next by a newline character - StringBuilder message = new StringBuilder(); - // 1. add the URL to the message, followed by a newline - message.append(request.url()); - message.append("\n"); - // 2. Add the Method to the message - message.append(request.method()); - message.append("\n"); - // 3. add the Approov token to the message, if required (TODO: Note we add the approov token and the prefix!?????) - if (messageSigningConfig.signApproovToken) { - if (approovResults.getToken() != null) { - message.append(approovTokenPrefix + approovResults.getToken()); - } - message.append("\n"); - } - // 4. add the required headers to the message as 'headername:headervalue', where the headername is in - // lowercase - if (messageSigningConfig.getSignedHeaders() != null) { - for (String header : messageSigningConfig.signedHeaders) { - // add one headername:headervalue\n entry for each header value to be included in the signature - List values = request.headers(header); - for (String value : values) { - message.append(header.toLowerCase()).append(":"); - if (value != null) { - message.append(value); - } - message.append("\n"); - } - } - } - // add the body to the message - if (messageSigningConfig.getSignBody()) { - okhttp3.RequestBody body = request.body(); - if (body != null) { - Buffer buffer = new Buffer(); - body.writeTo(buffer); - message.append(buffer.readUtf8()); - } - } - // compute the signature and add it to the request (passing on any exceptions that may occur) - if (messageSigningConfig.targetHeader != null && !messageSigningConfig.targetHeader.isEmpty()) { - String signature = ApproovService.getMessageSignature(message.toString()); - request = request.newBuilder().header(messageSigningConfig.targetHeader, signature).build(); - } + if (messageSigningConfigFactory != null) { + MessageSigningConfig messageSigningConfig = messageSigningConfigFactory.generateMessageSigningConfig(request, approovTokenHeader); + Log.d(TAG, "Signing message with configuration: " + messageSigningConfig); // add a useful toString on DefaultMessageSigningConfig + String signature = ApproovService.getMessageSignature(messageSigningConfig.getMessage()); + String signatureHeaderName = messageSigningConfig.getTargetHeaderName(); + String signatureHeaderValue = messageSigningConfig.generateTargetHeaderValue(signature); + request = request.newBuilder().header(signatureHeaderName, signatureHeaderValue).build(); } // proceed with the rest of the chain From 0b1c810d5c05f9611cd709e8c1ce034f32f95781 Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Thu, 16 Jan 2025 15:37:33 +0000 Subject: [PATCH 09/13] Fix typos and update gradle files to conform to SDK 34 --- approov-service/build.gradle | 2 +- .../service/okhttp/ApproovService.java | 2 +- ...> DefaultMessageSigningConfigFactory.java} | 20 +++++++++---------- build.gradle | 6 ++---- 4 files changed, 14 insertions(+), 16 deletions(-) rename approov-service/src/main/java/io/approov/service/okhttp/{ApproovMessageSigningConfig.java => DefaultMessageSigningConfigFactory.java} (91%) diff --git a/approov-service/build.gradle b/approov-service/build.gradle index ea08e1d..97e9785 100644 --- a/approov-service/build.gradle +++ b/approov-service/build.gradle @@ -9,7 +9,7 @@ repositories { } android { - compileSdkVersion 34 + compileSdk 34 namespace 'io.approov.service.okhttp' defaultConfig { minSdkVersion 21 diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java index fc54ecc..06aeee7 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/ApproovService.java @@ -132,7 +132,7 @@ public static void initialize(Context context, String config) { * message signing properties. */ public static synchronized void setMessageSigning(MessageSigningConfigFactory factory) throws ApproovException { - messageSigningConfigFactory = factory + messageSigningConfigFactory = factory; } /** diff --git a/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java similarity index 91% rename from approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java rename to approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java index a6c7d0a..5732441 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/ApproovMessageSigningConfig.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java @@ -61,10 +61,10 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo message.append("\n"); // 3. add the Approov token header to the message List values = request.headers(approovTokenHeader); // make sure the okhtp lookup works whatever the case used on the header name - if values == null || values.isEmpty() { + if (values == null || values.isEmpty()) { throw new IllegalArgumentException("provided request does not include the Approov token header"); } - usedHeaders.add(approovTokenHeader.toLowerCase()) + usedHeaders.add(approovTokenHeader.toLowerCase()); for (String value : values) { message.append(approovTokenHeader.toLowerCase()).append(":"); if (value != null) { @@ -78,11 +78,11 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo if (messageSigningConfig.getSignedHeaders() != null) { for (String header : messageSigningConfig.signedHeaders) { // add one headername:headervalue\n entry for each header value to be included in the signature - List values = request.headers(header); - if (values != null && values.size() > 0) { - usedHeaders.add(approovTokenHeader.toLowerCase()) + List headerValues = request.headers(header); + if (headerValues != null && headerValues.size() > 0) { + usedHeaders.add(approovTokenHeader.toLowerCase()); for (String value : values) { - message.append(header.toLowerCase()).append(":"); + message.append(headerValues.toLowerCase()).append(":"); if (value != null) { message.append(value); } @@ -104,7 +104,7 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo } } -public class DefaultMessageSigningConfig implements MessageSigningConfig +public class DefaultMessageSigningConfig implements MessageSigningConfig { // the name of the header that will be used to send the message signature private String targetHeader; // the list of headers with counts that are expected by the server and were also included in the message to be signed @@ -118,8 +118,8 @@ public class DefaultMessageSigningConfig implements MessageSigningConfig this.message = message; } - public String getTargetHeaderName(){ return targetHeader } - public String getSigningMessage() { return usedHeadersSpec } + public String getTargetHeaderName(){ return targetHeader; } + public String getSigningMessage() { return usedHeadersSpec; } public String generateTargetHeaderValue(String messageSignature) { // create a JSON object of the following form: // { @@ -127,7 +127,7 @@ public String generateTargetHeaderValue(String messageSignature) { // "headers":usedHeaders list as JSON list of strings // } // base 64 the JSON - String b64HeaderValue = "" + String b64HeaderValue = ""; return b64HeaderValue; } } diff --git a/build.gradle b/build.gradle index eb4bb13..23cb242 100644 --- a/build.gradle +++ b/build.gradle @@ -1,11 +1,10 @@ buildscript { repositories { google() - jcenter() mavenCentral() } dependencies { - classpath 'com.android.tools.build:gradle:8.1.1' // Update to the latest version + classpath 'com.android.tools.build:gradle:8.1.4' // Update to the latest version } } @@ -13,10 +12,9 @@ allprojects { repositories { mavenCentral() google() - jcenter() } } -task clean(type: Delete) { +tasks.register('clean', Delete) { delete rootProject.buildDir } From 8e60cf7df3996231cc680726ebabe5d9ddea9daa Mon Sep 17 00:00:00 2001 From: jexh Date: Fri, 17 Jan 2025 23:14:58 +0000 Subject: [PATCH 10/13] Update DefaultMessageSigningConfigFactory.java Added pseudocode for the debug capability Richard requested Also switch to adding the sha256 of the body to the signature message instead of the body itself. --- .../DefaultMessageSigningConfigFactory.java | 132 +++++++++++++----- 1 file changed, 97 insertions(+), 35 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java index 5732441..82860ae 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java @@ -26,9 +26,11 @@ public final class DefaultMessageSigningConfigFactory implements MessageSigningC private String targetHeader; // the list of headers to include in the message to be signed, in the order they should be added private ArrayList signedHeaders; + // set to true to include debug helper strings in the generated message signing header + private boolean includeDebugHelperStrings; // constructor - public ApproovMessageSigningConfig(String targetHeader) { + public ApproovMessageSigningConfig(String targetHeader, ) { if (targetHeader == null || targetHeader.isEmpty()) throw new IllegalArgumentException("The target header must be specified"); this.targetHeader = targetHeader; @@ -50,45 +52,102 @@ public DefaultMessageSigningConfigFactory addSignedHeader(String header) { return this; } - MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader){ - List usedHeaders = new ArrayList<>(); - StringBuilder message = new StringBuilder(); - // 1. Add the Method to the message - message.append(request.method()); + public DefaultMessageSigningConfigFactory addDebugHelperStrings(boolean enablement) { + includeDebugHelperStrings = enablement; + return this; + } + + // add html method to the message + private addHTMLMethod(StringBuilder message, List debugHelper, String method){ + message.append(method); message.append("\n"); - // 2. add the URL to the message, followed by a newline - message.append(request.url()); // TODO make sure this includes all the URL params if there are any + debugHelper.add(method.substring(0,2)); + } + + // Generate a SHA256 hash of the provided data, convert it to b64url and + // return the specified number of characters at the start of the b64url string. + private getB64URLDigestSnippet(byte[] data, int snippetLength) String { + if (snippetLength <= 0 || data == null || data.length == 0) { + return "" + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + byte[] hash = digest.digest(data.getBytes("UTF-8")); + String b64UrlEncoded = Base64.getUrlEncoder().withoutPadding().encodeToString(hash); + if (b64UrlEncoded.length() <= snippetLength) { + return b64UrlEncoded; + } + return b64UrlEncoded.substring(0, snippetLength); + } + + // adds the URL string to the message - must include all bits of the url from the scheme through to the last param + private addURL(StringBuilder message, List debugHelper, String url) { + int start = message.length() + message.append(url); message.append("\n"); - // 3. add the Approov token header to the message - List values = request.headers(approovTokenHeader); // make sure the okhtp lookup works whatever the case used on the header name + if debugHelper != null { + debugHelper.add(getB64URLDigestSnippet(message.substring(start).getBytes("UTF-8"), 6); + } + } + + // add a header to the message + private addHeaderValues(List usedHeaders, StringBuilder message, List debugHelper, String headerName, List headerValues) { if (values == null || values.isEmpty()) { - throw new IllegalArgumentException("provided request does not include the Approov token header"); + return } - usedHeaders.add(approovTokenHeader.toLowerCase()); + usedHeaders.add(headerName); + int start = message.length(); + String lowercaseName = headerName.toLowerCase(); + // add one headername:headervalue\n entry for each header value to be included in the signature for (String value : values) { - message.append(approovTokenHeader.toLowerCase()).append(":"); + message.append(lowercaseName).append(":"); if (value != null) { message.append(value); } message.append("\n"); } + if debugHelper != null { + debugHelper.add(getB64URLDigestSnippet(message.substring(start).getBytes("UTF-8"), 6); + } + } + + private addBody(StringBuilder message, List debugHelper, Buffer body) { + String b64UrlSha256 = body.sha256().base64Url(); + message.append(b64UrlSha256); + if debugHelper != null { + debugHelper.add(b64UrlSha256.substring(0, 6)); + } + } + + MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader){ + // capture the set of header names that are included in the message + List usedHeaders = new ArrayList<>(); + // build the message as a list of + StringBuilder message = new StringBuilder(); + // capture a list of properties that will help debug the construction of the message on the server side. + // Every property added to the message has an associated entry in the debugHelper. That way, if the + // server fails to match a signature it can iterate over the properties in the debug helper to determine + // which property was incorrect while constructing the message. To keep the debug helper short it often + // uses a substring of the base64 encoded SHA256 hash of the property added to the message. + List debugHelper = includeDebugHelperStrings ? new ArrayList<>() : null; + + // 1. Add the Method to the message + addHTMLMethod(message, debugHelper, request.method()); + + // 2. add the URL to the message, followed by a newline + // TODO make sure this includes all the full URL - scheme through to all params + addURL(message, debugHelper, request.url()) + + // 3. add the Approov token header to the message + List values = request.headers(approovTokenHeader); // make sure the okhtp lookup works whatever the case used on the header name + if (values == null || values.isEmpty()) { + throw new IllegalArgumentException("provided request does not include the Approov token header"); + } + addHeaderValues(usedHeaders, message, debugHelper, approovTokenHeader, values); // 4. add the required headers to the message as 'headername:headervalue', where the headername is in // lowercase if (messageSigningConfig.getSignedHeaders() != null) { for (String header : messageSigningConfig.signedHeaders) { - // add one headername:headervalue\n entry for each header value to be included in the signature - List headerValues = request.headers(header); - if (headerValues != null && headerValues.size() > 0) { - usedHeaders.add(approovTokenHeader.toLowerCase()); - for (String value : values) { - message.append(headerValues.toLowerCase()).append(":"); - if (value != null) { - message.append(value); - } - message.append("\n"); - } - } + addHeaderValues(message, debugHelper, usedHeaders, header, request.headers(header)); } } @@ -97,37 +156,40 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo if (body != null && !body.isOneShot()) { // we can't support one-shot bodies without making a copy - we probably need to do that extra work. Buffer buffer = new Buffer(); body.writeTo(buffer); - // need to convert the contents of the buffer to b64 - using readUtf8 may still cause serious problems in the message signing code if it contains control characters (or most problematic NULLs) - message.append(buffer.readUtf8()); + addBody(message, debugHelper, buffer); } - return new DefaultMessageSigningConfig(targetHeader, usedHeaders, message.String()); + return new DefaultMessageSigningConfig(targetHeader, usedHeaders, message.String(), debugHelper); } } public class DefaultMessageSigningConfig implements MessageSigningConfig { // the name of the header that will be used to send the message signature private String targetHeader; - // the list of headers with counts that are expected by the server and were also included in the message to be signed + // the list of headers that were added to the message private List usedHeaders; // the message to be signed private String message; + // the list of strings that can be used to help find issues on the server if a message signature doesn't match the required value + private List debugHelper; - DefaultMessageSigningConfig(String targetHeader, String usedHeaders, String message) { + DefaultMessageSigningConfig(String targetHeader, String usedHeaders, String message, List debugHelper) { this.targeHeader = targetHeader; this.usedHeaders = usedHeaders; this.message = message; + this.debugHelper = debugHelper; } public String getTargetHeaderName(){ return targetHeader; } public String getSigningMessage() { return usedHeadersSpec; } public String generateTargetHeaderValue(String messageSignature) { - // create a JSON object of the following form: + // create a JSON object of the following form (although all blank space should be left out): // { // "accountSig":"messageSignature.String()", - // "headers":usedHeaders list as JSON list of strings + // "headers": [JSON usedHeaders list string values], + // "debugHelper": [JSON debug helpers list string values] // only add debugHelper if it is non-null // } - // base 64 the JSON - String b64HeaderValue = ""; - return b64HeaderValue; + // b64URL encode the JSON for communication in the target header + String jsonData = "{...}"; + return Base64.getUrlEncoder().withoutPadding().encodeToString(jsonData.getBytes("UTF-8")); } } From 1844b9f4e85f9c38364866f3f0129195d3f31dbd Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Mon, 20 Jan 2025 09:25:10 +0000 Subject: [PATCH 11/13] Initial changes stashed --- .../okhttp/DefaultMessageSigningConfig.java | 37 ++++++++ .../DefaultMessageSigningConfigFactory.java | 91 ++++++++----------- 2 files changed, 73 insertions(+), 55 deletions(-) create mode 100644 approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfig.java diff --git a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfig.java b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfig.java new file mode 100644 index 0000000..376b4c8 --- /dev/null +++ b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfig.java @@ -0,0 +1,37 @@ +package io.approov.service.okhttp; + +import java.io.UnsupportedEncodingException; +import java.util.List; + +public class DefaultMessageSigningConfig implements MessageSigningConfig { + // the name of the header that will be used to send the message signature + private String targetHeader; + // the list of headers that were added to the message + private List usedHeaders; + // the message to be signed + private String message; + // the list of strings that can be used to help find issues on the server if a message signature doesn't match the required value + private List debugHelper; + + DefaultMessageSigningConfig(String targetHeader, List usedHeaders, String message, List debugHelper) { + this.targetHeader = targetHeader; + this.usedHeaders = usedHeaders; + this.message = message; + this.debugHelper = debugHelper; + } + + public String getTargetHeaderName(){ return targetHeader; } + public String getSigningMessage() { return message; } + public String generateTargetHeaderValue(String messageSignature) throws UnsupportedEncodingException { + // create a JSON object of the following form (although all blank space should be left out): + // { + // "accountSig":"messageSignature.String()", + // "headers": [JSON usedHeaders list string values], + // "debugHelper": [JSON debug helpers list string values] // only add debugHelper if it is non-null + // } + // b64URL encode the JSON for communication in the target header + String jsonData = "{...}"; + return android.util.Base64.encodeToString(jsonData.getBytes("UTF-8"), android.util.Base64.URL_SAFE | android.util.Base64.NO_PADDING).replace("\n", ""); + + } +} diff --git a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java index 82860ae..efa91a1 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java @@ -1,17 +1,24 @@ package io.approov.service.okhttp; +import java.io.UnsupportedEncodingException; +import java.nio.Buffer; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.ArrayList; +import java.util.Base64; +import java.util.List; + import okhttp3.Request; /* Add the following interfaces */ interface MessageSigningConfig { String getSigningMessage(); String getTargetHeaderName(); - String generateTargetHeaderValue(String messageSignature); + String generateTargetHeaderValue(String messageSignature) throws UnsupportedEncodingException; } interface MessageSigningConfigFactory { - MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader); + MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader) throws UnsupportedEncodingException, NoSuchAlgorithmException; } /* message signing configuration @@ -28,9 +35,11 @@ public final class DefaultMessageSigningConfigFactory implements MessageSigningC private ArrayList signedHeaders; // set to true to include debug helper strings in the generated message signing header private boolean includeDebugHelperStrings; + // The debug helper configuration + private List debugHelper; // constructor - public ApproovMessageSigningConfig(String targetHeader, ) { + public DefaultMessageSigningConfigFactory(String targetHeader) { if (targetHeader == null || targetHeader.isEmpty()) throw new IllegalArgumentException("The target header must be specified"); this.targetHeader = targetHeader; @@ -58,20 +67,22 @@ public DefaultMessageSigningConfigFactory addDebugHelperStrings(boolean enableme } // add html method to the message - private addHTMLMethod(StringBuilder message, List debugHelper, String method){ + private void addHTMLMethod(StringBuilder message, List debugHelper, String method){ message.append(method); message.append("\n"); - debugHelper.add(method.substring(0,2)); + debugHelper.add(method.substring(0,2)); // TODO: ? } // Generate a SHA256 hash of the provided data, convert it to b64url and // return the specified number of characters at the start of the b64url string. - private getB64URLDigestSnippet(byte[] data, int snippetLength) String { + private String getB64URLDigestSnippet(byte[] data, int snippetLength) throws NoSuchAlgorithmException { if (snippetLength <= 0 || data == null || data.length == 0) { - return "" + return ""; + } MessageDigest digest = MessageDigest.getInstance("SHA-256"); - byte[] hash = digest.digest(data.getBytes("UTF-8")); - String b64UrlEncoded = Base64.getUrlEncoder().withoutPadding().encodeToString(hash); + byte[] hash = digest.digest(data); + //String b64UrlEncoded = Base64.getUrlEncoder().withoutPadding().encodeToString(hash); + String b64UrlEncoded = android.util.Base64.encodeToString(hash, android.util.Base64.URL_SAFE | android.util.Base64.NO_PADDING).replace("\n", ""); if (b64UrlEncoded.length() <= snippetLength) { return b64UrlEncoded; } @@ -79,25 +90,25 @@ private getB64URLDigestSnippet(byte[] data, int snippetLength) String { } // adds the URL string to the message - must include all bits of the url from the scheme through to the last param - private addURL(StringBuilder message, List debugHelper, String url) { - int start = message.length() + private void addURL(StringBuilder message, String url) throws UnsupportedEncodingException, NoSuchAlgorithmException { + int start = message.length(); message.append(url); message.append("\n"); if debugHelper != null { - debugHelper.add(getB64URLDigestSnippet(message.substring(start).getBytes("UTF-8"), 6); + debugHelper.add(getB64URLDigestSnippet(message.substring(start).getBytes("UTF-8"), 6)); } } // add a header to the message - private addHeaderValues(List usedHeaders, StringBuilder message, List debugHelper, String headerName, List headerValues) { - if (values == null || values.isEmpty()) { - return + private void addHeaderValues(List usedHeaders, StringBuilder message, String headerName, List headerValues) throws UnsupportedEncodingException, NoSuchAlgorithmException { + if (headerValues == null || headerValues.isEmpty()) { + return; } usedHeaders.add(headerName); int start = message.length(); String lowercaseName = headerName.toLowerCase(); // add one headername:headervalue\n entry for each header value to be included in the signature - for (String value : values) { + for (String value : headerValues) { message.append(lowercaseName).append(":"); if (value != null) { message.append(value); @@ -105,19 +116,19 @@ private addHeaderValues(List usedHeaders, StringBuilder message, List debugHelper, Buffer body) { - String b64UrlSha256 = body.sha256().base64Url(); - message.append(b64UrlSha256); + private void addBody(StringBuilder message, Buffer body) { + //String b64UrlSha256 = body.sha256().base64Url(); //TODO: is this Buffer from nio package? + //message.append(b64UrlSha256); // TDOD: fix if debugHelper != null { - debugHelper.add(b64UrlSha256.substring(0, 6)); + //debugHelper.add(b64UrlSha256.substring(0, 6)); // TODO: fix } } - MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader){ + public MessageSigningConfig generateMessageSigningConfig(Request request, String approovTokenHeader) throws UnsupportedEncodingException, NoSuchAlgorithmException { // capture the set of header names that are included in the message List usedHeaders = new ArrayList<>(); // build the message as a list of @@ -127,14 +138,14 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo // server fails to match a signature it can iterate over the properties in the debug helper to determine // which property was incorrect while constructing the message. To keep the debug helper short it often // uses a substring of the base64 encoded SHA256 hash of the property added to the message. - List debugHelper = includeDebugHelperStrings ? new ArrayList<>() : null; + debugHelper = includeDebugHelperStrings ? new ArrayList<>() : null; // 1. Add the Method to the message addHTMLMethod(message, debugHelper, request.method()); // 2. add the URL to the message, followed by a newline - // TODO make sure this includes all the full URL - scheme through to all params - addURL(message, debugHelper, request.url()) + // TODO: make sure this includes all the full URL - scheme through to all params + addURL(message, debugHelper, String.valueOf(request.url())); // 3. add the Approov token header to the message List values = request.headers(approovTokenHeader); // make sure the okhtp lookup works whatever the case used on the header name @@ -162,34 +173,4 @@ MessageSigningConfig generateMessageSigningConfig(Request request, String approo } } -public class DefaultMessageSigningConfig implements MessageSigningConfig { - // the name of the header that will be used to send the message signature - private String targetHeader; - // the list of headers that were added to the message - private List usedHeaders; - // the message to be signed - private String message; - // the list of strings that can be used to help find issues on the server if a message signature doesn't match the required value - private List debugHelper; - - DefaultMessageSigningConfig(String targetHeader, String usedHeaders, String message, List debugHelper) { - this.targeHeader = targetHeader; - this.usedHeaders = usedHeaders; - this.message = message; - this.debugHelper = debugHelper; - } - public String getTargetHeaderName(){ return targetHeader; } - public String getSigningMessage() { return usedHeadersSpec; } - public String generateTargetHeaderValue(String messageSignature) { - // create a JSON object of the following form (although all blank space should be left out): - // { - // "accountSig":"messageSignature.String()", - // "headers": [JSON usedHeaders list string values], - // "debugHelper": [JSON debug helpers list string values] // only add debugHelper if it is non-null - // } - // b64URL encode the JSON for communication in the target header - String jsonData = "{...}"; - return Base64.getUrlEncoder().withoutPadding().encodeToString(jsonData.getBytes("UTF-8")); - } -} From 73f9b32d32083a0c958c306e32e0929791c1c81a Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Mon, 20 Jan 2025 15:18:40 +0000 Subject: [PATCH 12/13] Rename variable --- .../service/okhttp/DefaultMessageSigningConfigFactory.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java index efa91a1..158c6e5 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java @@ -94,7 +94,7 @@ private void addURL(StringBuilder message, String url) throws UnsupportedEncodin int start = message.length(); message.append(url); message.append("\n"); - if debugHelper != null { + if (debugHelper != null) { debugHelper.add(getB64URLDigestSnippet(message.substring(start).getBytes("UTF-8"), 6)); } } @@ -115,7 +115,7 @@ private void addHeaderValues(List usedHeaders, StringBuilder message, St } message.append("\n"); } - if debugHelper != null { + if (debugHelper != null) { debugHelper.add(getB64URLDigestSnippet(message.substring(start).getBytes("UTF-8"), 6)); } } @@ -123,7 +123,7 @@ private void addHeaderValues(List usedHeaders, StringBuilder message, St private void addBody(StringBuilder message, Buffer body) { //String b64UrlSha256 = body.sha256().base64Url(); //TODO: is this Buffer from nio package? //message.append(b64UrlSha256); // TDOD: fix - if debugHelper != null { + if (debugHelper != null) { //debugHelper.add(b64UrlSha256.substring(0, 6)); // TODO: fix } } From ffdfd88053f28dd9107fd199cdee76d52b9f3dfd Mon Sep 17 00:00:00 2001 From: "ivo.liondov" Date: Mon, 27 Jan 2025 11:36:58 +0000 Subject: [PATCH 13/13] Stash changes --- .../okhttp/DefaultMessageSigningConfigFactory.java | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java index 158c6e5..a27f458 100644 --- a/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java +++ b/approov-service/src/main/java/io/approov/service/okhttp/DefaultMessageSigningConfigFactory.java @@ -2,6 +2,7 @@ import java.io.UnsupportedEncodingException; import java.nio.Buffer; +import java.nio.ByteBuffer; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; @@ -90,7 +91,7 @@ private String getB64URLDigestSnippet(byte[] data, int snippetLength) throws NoS } // adds the URL string to the message - must include all bits of the url from the scheme through to the last param - private void addURL(StringBuilder message, String url) throws UnsupportedEncodingException, NoSuchAlgorithmException { + private void addURL(StringBuilder message, String url, List debugHelper) throws UnsupportedEncodingException, NoSuchAlgorithmException { int start = message.length(); message.append(url); message.append("\n"); @@ -145,29 +146,30 @@ public MessageSigningConfig generateMessageSigningConfig(Request request, String // 2. add the URL to the message, followed by a newline // TODO: make sure this includes all the full URL - scheme through to all params - addURL(message, debugHelper, String.valueOf(request.url())); + addURL(message, String.valueOf(request.url()), debugHelper); // 3. add the Approov token header to the message List values = request.headers(approovTokenHeader); // make sure the okhtp lookup works whatever the case used on the header name if (values == null || values.isEmpty()) { throw new IllegalArgumentException("provided request does not include the Approov token header"); } - addHeaderValues(usedHeaders, message, debugHelper, approovTokenHeader, values); + addHeaderValues( usedHeaders, message, approovTokenHeader, values); // 4. add the required headers to the message as 'headername:headervalue', where the headername is in // lowercase if (messageSigningConfig.getSignedHeaders() != null) { for (String header : messageSigningConfig.signedHeaders) { - addHeaderValues(message, debugHelper, usedHeaders, header, request.headers(header)); + addHeaderValues(usedHeaders, message, header, request.headers(header)); + //addHeaderValues(List usedHeaders, StringBuilder message, String headerName, List headerValues) } } // add the body to the message okhttp3.RequestBody body = request.body(); if (body != null && !body.isOneShot()) { // we can't support one-shot bodies without making a copy - we probably need to do that extra work. - Buffer buffer = new Buffer(); + Buffer buffer = new ByteBuffer(); body.writeTo(buffer); - addBody(message, debugHelper, buffer); + addBody(message, buffer); } return new DefaultMessageSigningConfig(targetHeader, usedHeaders, message.String(), debugHelper); }