itsi-server 0.1.1 → 0.1.3

data/ext/itsi_server/src/response/itsi_response.rs

@@ -0,0 +1,347 @@
+use bytes::{Bytes, BytesMut};
+use derive_more::Debug;
+use futures::stream::{unfold, StreamExt};
+use http::{
+    header::TRANSFER_ENCODING, request::Parts, HeaderMap, HeaderName, HeaderValue, Request,
+    Response, StatusCode,
+};
+use http_body_util::{combinators::BoxBody, Empty, Full, StreamBody};
+use hyper::{body::Frame, upgrade::Upgraded};
+use hyper_util::rt::TokioIo;
+use itsi_error::Result;
+use itsi_tracing::error;
+use magnus::error::Result as MagnusResult;
+use parking_lot::RwLock;
+use std::{
+    convert::Infallible,
+    io,
+    os::{fd::FromRawFd, unix::net::UnixStream},
+    str::FromStr,
+    sync::Arc,
+};
+use tokio::{
+    io::AsyncReadExt,
+    net::UnixStream as TokioUnixStream,
+    sync::{
+        mpsc::{self},
+        watch,
+    },
+};
+use tokio_stream::wrappers::ReceiverStream;
+use tokio_util::io::ReaderStream;
+use tracing::warn;
+
+use crate::server::serve_strategy::single_mode::RunningPhase;
+
+#[magnus::wrap(class = "Itsi::Response", free_immediately, size)]
+#[derive(Debug, Clone)]
+pub struct ItsiResponse {
+    pub data: Arc<ResponseData>,
+}
+
+#[derive(Debug)]
+pub struct ResponseData {
+    pub response: RwLock<Option<Response<BoxBody<Bytes, Infallible>>>>,
+    pub response_writer: RwLock<Option<mpsc::Sender<Option<Bytes>>>>,
+    pub response_buffer: RwLock<BytesMut>,
+    pub hijacked_socket: RwLock<Option<UnixStream>>,
+    pub parts: Parts,
+}
+
+impl ItsiResponse {
+    pub async fn build(
+        &self,
+        first_frame: Option<Bytes>,
+        receiver: mpsc::Receiver<Option<Bytes>>,
+        shutdown_rx: watch::Receiver<RunningPhase>,
+    ) -> Response<BoxBody<Bytes, Infallible>> {
+        if self.is_hijacked() {
+            return match self.process_hijacked_response().await {
+                Ok(result) => result,
+                Err(e) => {
+                    error!("Error processing hijacked response: {}", e);
+                    Response::new(BoxBody::new(Empty::new()))
+                }
+            };
+        }
+
+        let mut response = self.data.response.write().take().unwrap();
+        *response.body_mut() = if first_frame.is_none() {
+            BoxBody::new(Empty::new())
+        } else if receiver.is_closed() && receiver.is_empty() {
+            BoxBody::new(Full::new(first_frame.unwrap()))
+        } else {
+            let initial_frame = tokio_stream::once(Ok(Frame::data(first_frame.unwrap())));
+            let frame_stream = unfold(
+                (ReceiverStream::new(receiver), shutdown_rx),
+                |(mut receiver, mut shutdown_rx)| async move {
+                    if let RunningPhase::ShutdownPending = *shutdown_rx.borrow() {
+                        warn!("Disconnecting streaming client.");
+                        return None;
+                    }
+                    loop {
+                        tokio::select! {
+                            maybe_bytes = receiver.next() => {
+                                if let Some(bytes) = maybe_bytes {
+                                    // We assume `bytes` is Some(Bytes) here.
+                                    return Some((Ok(Frame::data(bytes.unwrap())), (receiver, shutdown_rx)));
+                                } else {
+                                    // Receiver closed, end the stream.
+                                    return None;
+                                }
+                            },
+                            _ = shutdown_rx.changed() => {
+                                match *shutdown_rx.borrow() {
+                                    RunningPhase::ShutdownPending => {
+                                        warn!("Disconnecting streaming client.");
+                                        return None;
+                                    },
+                                    _ => continue,
+                                }
+                            }
+                        }
+                    }
+                },
+            );
+
+            let combined_stream = initial_frame.chain(frame_stream);
+            BoxBody::new(StreamBody::new(combined_stream))
+        };
+        response
+    }
+
+    pub fn close(&self) {
+        self.data.response_writer.write().take();
+    }
+
+    async fn two_way_bridge(upgraded: Upgraded, local: TokioUnixStream) -> io::Result<()> {
+        let client_io = TokioIo::new(upgraded);
+
+        // Split each side
+        let (mut lr, mut lw) = tokio::io::split(local);
+        let (mut cr, mut cw) = tokio::io::split(client_io);
+
+        let to_ruby = tokio::spawn(async move {
+            if let Err(e) = tokio::io::copy(&mut cr, &mut lw).await {
+                eprintln!("Error copying upgraded->local: {:?}", e);
+            }
+        });
+        let from_ruby = tokio::spawn(async move {
+            if let Err(e) = tokio::io::copy(&mut lr, &mut cw).await {
+                eprintln!("Error copying upgraded->local: {:?}", e);
+            }
+        });
+
+        let _ = to_ruby.await;
+        let _ = from_ruby.await;
+        Ok(())
+    }
+
+    async fn read_response_headers(&self, reader: &mut TokioUnixStream) -> Result<Vec<u8>> {
+        let mut buf = [0u8; 1];
+        let mut collected = Vec::new();
+        loop {
+            let n = reader.read(&mut buf).await?;
+            if n == 0 {
+                // EOF reached unexpectedly
+                break;
+            }
+            collected.push(buf[0]);
+            if collected.ends_with(b"\r\n\r\n") {
+                break;
+            }
+        }
+
+        Ok(collected)
+    }
+
+    pub async fn read_hijacked_headers(
+        &self,
+    ) -> Result<(HeaderMap, StatusCode, bool, TokioUnixStream)> {
+        let hijacked_socket =
+            self.data
+                .hijacked_socket
+                .write()
+                .take()
+                .ok_or(itsi_error::ItsiError::InvalidInput(
+                    "Couldn't hijack stream".to_owned(),
+                ))?;
+        let mut reader = TokioUnixStream::from_std(hijacked_socket).unwrap();
+        let response_headers = self.read_response_headers(&mut reader).await?;
+        let mut headers = [httparse::EMPTY_HEADER; 64];
+        let mut resp = httparse::Response::new(&mut headers);
+        resp.parse(&response_headers)?;
+
+        let status = StatusCode::from_u16(resp.code.unwrap_or(200)).unwrap_or(StatusCode::OK);
+        let mut headers = HeaderMap::new();
+        for header in resp.headers.iter() {
+            headers.insert(
+                HeaderName::from_str(header.name).unwrap(),
+                HeaderValue::from_bytes(header.value).unwrap(),
+            );
+        }
+        let requires_upgrade = status == StatusCode::SWITCHING_PROTOCOLS;
+        Ok((headers, status, requires_upgrade, reader))
+    }
+
+    pub async fn process_hijacked_response(&self) -> Result<Response<BoxBody<Bytes, Infallible>>> {
+        let (headers, status, requires_upgrade, reader) = self.read_hijacked_headers().await?;
+        let mut response = if requires_upgrade {
+            let parts = self.data.parts.clone();
+            tokio::spawn(async move {
+                let mut req = Request::from_parts(parts, Empty::<Bytes>::new());
+                match hyper::upgrade::on(&mut req).await {
+                    Ok(upgraded) => {
+                        Self::two_way_bridge(upgraded, reader)
+                            .await
+                            .expect("Error in creating two way bridge");
+                    }
+                    Err(e) => eprintln!("upgrade error: {:?}", e),
+                }
+            });
+            Response::new(BoxBody::new(Empty::new()))
+        } else {
+            let stream = ReaderStream::new(reader);
+            let boxed_body = if headers
+                .get(TRANSFER_ENCODING)
+                .is_some_and(|h| h == "chunked")
+            {
+                BoxBody::new(StreamBody::new(unfold(
+                    (stream, Vec::new()),
+                    |(mut stream, mut buf)| async move {
+                        loop {
+                            if let Some(pos) = buf.iter().position(|&b| b == b'\n') {
+                                let line = buf.drain(..=pos).collect::<Vec<u8>>();
+                                let line = std::str::from_utf8(&line).ok()?.trim();
+                                let chunk_size = usize::from_str_radix(line, 16).ok()?;
+                                if chunk_size == 0 {
+                                    return None;
+                                }
+                                while buf.len() < chunk_size {
+                                    match stream.next().await {
+                                        Some(Ok(chunk)) => buf.extend_from_slice(&chunk),
+                                        _ => return None,
+                                    }
+                                }
+                                let data = buf.drain(..chunk_size).collect::<Vec<u8>>();
+                                if buf.starts_with(b"\r\n") {
+                                    buf.drain(..2);
+                                }
+                                return Some((Ok(Frame::data(Bytes::from(data))), (stream, buf)));
+                            }
+                            match stream.next().await {
+                                Some(Ok(chunk)) => buf.extend_from_slice(&chunk),
+                                _ => return None,
+                            }
+                        }
+                    },
+                )))
+            } else {
+                BoxBody::new(StreamBody::new(stream.map(
+                    |result: std::result::Result<Bytes, io::Error>| {
+                        result
+                            .map(Frame::data)
+                            .map_err(|e| unreachable!("unexpected io error: {:?}", e))
+                    },
+                )))
+            };
+            Response::new(boxed_body)
+        };
+
+        *response.status_mut() = status;
+        *response.headers_mut() = headers;
+        Ok(response)
+    }
+
+    pub fn internal_server_error(&self, message: String) {
+        error!(message);
+        self.data.response_writer.write().take();
+        if let Some(ref mut response) = *self.data.response.write() {
+            *response.status_mut() = StatusCode::INTERNAL_SERVER_ERROR;
+        }
+    }
+
+    pub fn send_frame(&self, frame: Bytes) -> MagnusResult<usize> {
+        self.send_frame_into(frame, &self.data.response_writer)
+    }
+
+    pub fn send_and_close(&self, frame: Bytes) -> MagnusResult<usize> {
+        let result = self.send_frame_into(frame, &self.data.response_writer);
+        self.data.response_writer.write().take();
+        result
+    }
+
+    pub fn send_frame_into(
+        &self,
+        frame: Bytes,
+        writer: &RwLock<Option<mpsc::Sender<Option<Bytes>>>>,
+    ) -> MagnusResult<usize> {
+        if let Some(writer) = writer.write().as_ref() {
+            writer
+                .blocking_send(Some(frame))
+                .map_err(|_| itsi_error::ItsiError::ClientConnectionClosed)?;
+        }
+        Ok(0)
+    }
+
+    pub fn is_hijacked(&self) -> bool {
+        self.data.hijacked_socket.read().is_some()
+    }
+
+    pub fn close_write(&self) -> MagnusResult<bool> {
+        self.data.response_writer.write().take();
+        Ok(true)
+    }
+
+    pub fn close_read(&self) -> MagnusResult<bool> {
+        todo!();
+    }
+
+    pub fn new(parts: Parts, response_writer: mpsc::Sender<Option<Bytes>>) -> Self {
+        Self {
+            data: Arc::new(ResponseData {
+                response: RwLock::new(Some(Response::new(BoxBody::new(Empty::new())))),
+                response_writer: RwLock::new(Some(response_writer)),
+                response_buffer: RwLock::new(BytesMut::new()),
+                hijacked_socket: RwLock::new(None),
+                parts,
+            }),
+        }
+    }
+
+    pub fn add_header(&self, name: Bytes, value: Bytes) -> MagnusResult<()> {
+        let header_name: HeaderName = HeaderName::from_bytes(&name).map_err(|e| {
+            itsi_error::ItsiError::InvalidInput(format!("Invalid header name {:?}: {:?}", name, e))
+        })?;
+        let header_value = unsafe { HeaderValue::from_maybe_shared_unchecked(value) };
+        if let Some(ref mut resp) = *self.data.response.write() {
+            resp.headers_mut().insert(header_name, header_value);
+        }
+        Ok(())
+    }
+
+    pub fn set_status(&self, status: u16) -> MagnusResult<()> {
+        if let Some(ref mut resp) = *self.data.response.write() {
+            *resp.status_mut() = StatusCode::from_u16(status).map_err(|e| {
+                itsi_error::ItsiError::InvalidInput(format!(
+                    "Invalid status code {:?}: {:?}",
+                    status, e
+                ))
+            })?;
+        }
+        Ok(())
+    }
+
+    pub fn hijack(&self, fd: i32) -> MagnusResult<()> {
+        let stream = unsafe { UnixStream::from_raw_fd(fd) };
+
+        *self.data.hijacked_socket.write() = Some(stream);
+        if let Some(writer) = self.data.response_writer.write().as_ref() {
+            writer
+                .blocking_send(None)
+                .map_err(|_| itsi_error::ItsiError::ClientConnectionClosed)?;
+        }
+        self.close();
+        Ok(())
+    }
+}

data/ext/itsi_server/src/response/mod.rs

@@ -0,0 +1 @@
+pub mod itsi_response;

data/ext/itsi_server/src/server/bind.rs

@@ -1,4 +1,4 @@
-use super::{tls::configure_tls, transfer_protocol::TransferProtocol};
+use super::{bind_protocol::BindProtocol, tls::configure_tls};
 use itsi_error::ItsiError;
 use std::{
     collections::HashMap,
@@ -8,7 +8,6 @@ use std::{
 };
 use tokio_rustls::rustls::ServerConfig;
 
-// Support binding to either IP or Unix Socket
 #[derive(Debug, Clone)]
 pub enum BindAddress {
     Ip(IpAddr),
@@ -21,23 +20,54 @@ impl Default for BindAddress {
     }
 }
 
-#[derive(Debug, Default, Clone)]
+#[derive(Default, Clone)]
 #[magnus::wrap(class = "Itsi::Bind")]
 pub struct Bind {
     pub address: BindAddress,
     pub port: Option<u16>, // None for Unix Sockets
-    pub protocol: TransferProtocol,
+    pub protocol: BindProtocol,
     pub tls_config: Option<ServerConfig>,
 }
 
+impl std::fmt::Debug for Bind {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match &self.address {
+            BindAddress::Ip(ip) => match self.protocol {
+                BindProtocol::Unix | BindProtocol::Unixs => {
+                    write!(f, "{}://{}", self.protocol, ip)
+                }
+                BindProtocol::Https if self.port == Some(443) => {
+                    write!(f, "{}://{}", self.protocol, ip)
+                }
+                BindProtocol::Http if self.port == Some(80) => {
+                    write!(f, "{}://{}", self.protocol, ip)
+                }
+                _ => match self.port {
+                    Some(port) => write!(f, "{}://{}:{}", self.protocol, ip, port),
+                    None => write!(f, "{}://{}", self.protocol, ip),
+                },
+            },
+            BindAddress::UnixSocket(path) => {
+                write!(f, "{}://{}", self.protocol, path.display())
+            }
+        }
+    }
+}
+
+/// We can build a Bind from a string in the format `protocol://host:port?options`
+/// E.g.
+/// *`https://example.com:443?tls_cert=/path/to/cert.pem&tls_key=/path/to/key.pem`
+/// *`unix:///path/to/socket.sock`
+/// *`http://example.com:80`
+/// *`https://[::]:80`
 impl FromStr for Bind {
     type Err = ItsiError;
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
         let (protocol, remainder) = if let Some((proto, rest)) = s.split_once("://") {
-            (proto.parse::<TransferProtocol>()?, rest)
+            (proto.parse::<BindProtocol>()?, rest)
         } else {
-            (TransferProtocol::Https, s)
+            (BindProtocol::Https, s)
         };
 
         let (url, options) = if let Some((base, options)) = remainder.split_once('?') {
@@ -80,22 +110,23 @@ impl FromStr for Bind {
         } else {
             resolve_hostname(host)
                 .map(BindAddress::Ip)
-                .unwrap_or(BindAddress::Ip(IpAddr::V4(Ipv4Addr::UNSPECIFIED)))
+                .ok_or(ItsiError::ArgumentError(format!(
+                    "Failed to resolve hostname {}",
+                    host
+                )))?
         };
         let (port, address) = match protocol {
-            TransferProtocol::Http => (port.or(Some(80)), address),
-            TransferProtocol::Https => (port.or(Some(443)), address),
-            TransferProtocol::Unix => (None, BindAddress::UnixSocket(host.into())),
+            BindProtocol::Http => (port.or(Some(80)), address),
+            BindProtocol::Https => (port.or(Some(443)), address),
+            BindProtocol::Unix => (None, BindAddress::UnixSocket(host.into())),
+            BindProtocol::Unixs => (None, BindAddress::UnixSocket(host.into())),
         };
 
-        let tls_config = if let TransferProtocol::Http = protocol {
-            None
-        } else if let TransferProtocol::Https = protocol {
-            Some(configure_tls(host, &options)?)
-        } else if options.contains_key("cert") {
-            Some(configure_tls(host, &options)?)
-        } else {
-            None
+        let tls_config = match protocol {
+            BindProtocol::Http => None,
+            BindProtocol::Https => Some(configure_tls(host, &options)?),
+            BindProtocol::Unix => None,
+            BindProtocol::Unixs => Some(configure_tls(host, &options)?),
         };
 
         Ok(Self {
@@ -120,14 +151,13 @@ fn resolve_hostname(hostname: &str) -> Option<IpAddr> {
     (hostname, 0)
         .to_socket_addrs()
         .ok()?
-        .filter_map(|addr| {
+        .find_map(|addr| {
             if addr.is_ipv6() {
                 Some(addr.ip()) // Prefer IPv6
             } else {
                 None
             }
         })
-        .next()
         .or_else(|| {
             (hostname, 0)
                 .to_socket_addrs()

data/ext/itsi_server/src/server/bind_protocol.rs

@@ -0,0 +1,37 @@
+use itsi_error::ItsiError;
+use std::str::FromStr;
+
+#[derive(Debug, Default, Clone)]
+pub enum BindProtocol {
+    #[default]
+    Https,
+    Http,
+    Unix,
+    Unixs,
+}
+
+impl FromStr for BindProtocol {
+    type Err = ItsiError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "http" => Ok(BindProtocol::Http),
+            "https" => Ok(BindProtocol::Https),
+            "unix" => Ok(BindProtocol::Unix),
+            "tls" => Ok(BindProtocol::Unixs),
+            _ => Err(ItsiError::UnsupportedProtocol(s.to_string())),
+        }
+    }
+}
+
+impl std::fmt::Display for BindProtocol {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let s = match self {
+            BindProtocol::Https => "https",
+            BindProtocol::Http => "http",
+            BindProtocol::Unix => "unix",
+            BindProtocol::Unixs => "tls",
+        };
+        write!(f, "{}", s)
+    }
+}

data/ext/itsi_server/src/server/io_stream.rs

@@ -0,0 +1,104 @@
+use super::listener::SockAddr;
+use pin_project::pin_project;
+use tokio::net::{TcpStream, UnixStream};
+use tokio_rustls::server::TlsStream;
+
+use std::os::unix::io::{AsRawFd, RawFd};
+use std::pin::Pin;
+use std::task::{Context, Poll};
+use tokio::io::{AsyncRead, AsyncWrite};
+
+#[pin_project(project = IoStreamEnumProj)]
+pub enum IoStream {
+    Tcp {
+        #[pin]
+        stream: TcpStream,
+        addr: SockAddr,
+    },
+    TcpTls {
+        #[pin]
+        stream: TlsStream<TcpStream>,
+        addr: SockAddr,
+    },
+    Unix {
+        #[pin]
+        stream: UnixStream,
+        addr: SockAddr,
+    },
+    UnixTls {
+        #[pin]
+        stream: TlsStream<UnixStream>,
+        addr: SockAddr,
+    },
+}
+
+impl IoStream {
+    pub fn addr(&self) -> SockAddr {
+        match self {
+            IoStream::Tcp { addr, .. } => addr.clone(),
+            IoStream::TcpTls { addr, .. } => addr.clone(),
+            IoStream::Unix { addr, .. } => addr.clone(),
+            IoStream::UnixTls { addr, .. } => addr.clone(),
+        }
+    }
+}
+
+impl AsyncRead for IoStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut tokio::io::ReadBuf<'_>,
+    ) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_read(cx, buf),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_read(cx, buf),
+        }
+    }
+}
+
+impl AsyncWrite for IoStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<std::io::Result<usize>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_write(cx, buf),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_write(cx, buf),
+        }
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_flush(cx),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_flush(cx),
+        }
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.project() {
+            IoStreamEnumProj::Tcp { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::TcpTls { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::Unix { stream, .. } => stream.poll_shutdown(cx),
+            IoStreamEnumProj::UnixTls { stream, .. } => stream.poll_shutdown(cx),
+        }
+    }
+}
+
+impl AsRawFd for IoStream {
+    fn as_raw_fd(&self) -> RawFd {
+        // For immutable access, we can simply pattern-match on self.
+        match self {
+            IoStream::Tcp { stream, .. } => stream.as_raw_fd(),
+            IoStream::TcpTls { stream, .. } => stream.get_ref().0.as_raw_fd(),
+            IoStream::Unix { stream, .. } => stream.as_raw_fd(),
+            IoStream::UnixTls { stream, .. } => stream.get_ref().0.as_raw_fd(),
+        }
+    }
+}

data/ext/itsi_server/src/server/itsi_ca/itsi_ca.crt

@@ -1,32 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIFgTCCA2mgAwIBAgIUe316+G3qdkcWtRxYKlNBEAEenzAwDQYJKoZIhvcNAQEL
-BQAwUDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kxDTALBgNVBAcMBEl0c2kx
-EDAOBgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2kuZnlpMB4XDTI1MDIyODAy
-NTkyNVoXDTM1MDIyNjAyNTkyNVowUDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0
-c2kxDTALBgNVBAcMBEl0c2kxEDAOBgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0
-c2kuZnlpMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzKAK2RIvnATa
-pOxNYubaGjOx8z4thxwWM/KxMqI8gABmgRFTa99n1vrTenlfdX4PcoRyCXEJ3krh
-nPsRmP1nnUS1BEIX4Ha9xVPIy0UoP0JN1a4kVInejZe2ZTcpRv8k2KlkafIw0ISt
-/hSoopNV2SESCMDxx2e3F9d4wzHmkfs2+6k+12TTYkkifXaXgSOXm91a5ABqTfa8
-wS6td/zmwv6W5RNBU3kS3TsqoKjc0xdu25aifJ40i/+82b5OOWhWt+psSPlTZb+Y
-5elMhlh8Hjs52S3u48wz5joPsBi9r4yLYGhgB+AiW+b+y0uss7EiTQR24U+CroEB
-4c1LA4qTgQPUvUIXyyFGC3lPsjKHGiEitbIT4sDQOz3nMMvT0FIP7DPtiSAuyx0I
-J6/3+/QQ/8dzGqZskolKTSWGToOysNWcIxbbBprDAXYseOTJvREVpwC/Qra5OUqU
-6P8K72yp2hSCu/5EQwV3kwKMw0JmjJFyaL8SC2GJnueWWCIIZjYdc0ZAA9Dvl9eo
-SfQA4emLjUcScFpj8kv3Iu5tGJxnO1gqJ4JV+NKJ/09AxXvFYpNhaBXJ0xUOTA8/
-vBTkAs9hTFV1IFIgJNP5CxEbkWr5FcFYUKAopFhDKfQkXGCKEn4s3wuNqUuzEEdE
-Sx2YVV8XKbb9eKpHN5cQ6ljeFvanKpMCAwEAAaNTMFEwHQYDVR0OBBYEFIaKuU5Z
-CCv9JAsdqvHyR5QnE1OdMB8GA1UdIwQYMBaAFIaKuU5ZCCv9JAsdqvHyR5QnE1Od
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGslKyiOzrJzfVEA
-HwJu/4CpDs7MpZuzAJ/AS0shWR3qlpHJUn6c/NIaQBfmVIo+vfxTvwV+ih6tZ+4A
-HmIZrCQm7rn5uQm2Q9G++JQ0RgQfLngnz3FBL+aERW2wxw1vOcPwg8JWCeGUSCd4
-Lj4jtpvlniS5uIiCD2GYxRIub401egX60XAiHdR0k6rS2dKxab9vMKW28RvRddak
-YCk7UKSXOZlj39XVH/JCB8+4IokDLTikpoAUqiNfytO+kx9+1JHKti8NjSQJwjqO
-JtBd1OD2ziQqd0gVKjr3J4IwIBv3Yl3GGUi3c5HVyDejriPciPrK+4G6a4IDGiyG
-rQRTzTR98ILsPX5uvOJadF1TAyZpS8oN7xFM8BnKfdpB34x3p9KgBqk34dRIXxbF
-nM3AJRT5dHlcHkn6z1snFqRHko4QvG0bSHlZFepogLG9yOGB0B1Hp4JPTSimEb6f
-b+CL5o8mXzAMRDIzdjTkBM/nQg5NMoXaXvmKypw/zIYI/ffb6Kwu/Y6gWmXubQrA
-fJ95Ssb14RKtmW6IDmHD5mNpybjhoSzwtBZyuHAyVZT/5P8/QHNkMBwpfQsevY5f
-FmOcAZIq9bHTBvn5SNNvi2NxZfTRD7sTMogXgqKKcxwe2rs52IYecamNekQMjrPL
-jI16bCLO/G1NaQ+N9YFL4TGfvbCe
+MIIB9TCCAZugAwIBAgIUMpQtAScU2Ow9c1Xy/0b/kS/BuwcwCgYIKoZIzj0EAwIw
+UDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kxDTALBgNVBAcMBEl0c2kxEDAO
+BgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2kuZnlpMB4XDTI1MDMwMzIwMjg1
+N1oXDTM1MDMwMTIwMjg1N1owUDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kx
+DTALBgNVBAcMBEl0c2kxEDAOBgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2ku
+ZnlpMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGdC9Vi1r7ARvqSkPXkAgiV5
+gn2MMTeEafagrWT7G1onSh/G+Qstxl61kfFNLOTiy6NSgAtKG+gfveCTo0Pcz6NT
+MFEwHQYDVR0OBBYEFN7zzDodmiK2VAzLDydDvb6Er+U+MB8GA1UdIwQYMBaAFN7z
+zDodmiK2VAzLDydDvb6Er+U+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwID
+SAAwRQIhAP8q3PiwqTwCbRvYvvetxH39mAce1mfQMosb33ns228VAiBXdb+p9s0o
+5ug5g9/MTvrIPI7GgolXCWZunkouy0LSrw==
 -----END CERTIFICATE-----