RubyGems - omniauth-azure-activedirectory - Versions diffs - 1.0.0 - Mend

omniauth-azure-activedirectory 1.0.0

Files changed (77) hide show

data/lib/omniauth-azure-activedirectory.rb ADDED

@@ -0,0 +1,23 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+require 'omniauth/azure_activedirectory'

data/lib/omniauth/azure_activedirectory.rb ADDED

@@ -0,0 +1,24 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+require 'omniauth/azure_activedirectory/version'
+require 'omniauth/strategies/azure_activedirectory'

data/lib/omniauth/azure_activedirectory/version.rb ADDED

@@ -0,0 +1,28 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+module OmniAuth
+  # The release version.
+  module AzureActiveDirectory
+    VERSION = '1.0.0'
+  end
+end

data/lib/omniauth/strategies/azure_activedirectory.rb ADDED

@@ -0,0 +1,329 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+require 'jwt'
+require 'omniauth'
+require 'openssl'
+require 'securerandom'
+module OmniAuth
+  module Strategies
+    # A strategy for authentication against Azure Active Directory.
+    class AzureActiveDirectory
+      include OmniAuth::AzureActiveDirectory
+      include OmniAuth::Strategy
+      class OAuthError < StandardError; end
+      ##
+      # The client id (key) and tenant must be configured when the OmniAuth
+      # middleware is installed. Example:
+      #
+      #    require 'omniauth'
+      #    require 'omniauth-azure-activedirectory'
+      #
+      #    use OmniAuth::Builder do
+      #      provider :azure_activedirectory, ENV['AAD_KEY'], ENV['AAD_TENANT']
+      #    end
+      #
+      args [:client_id, :tenant]
+      option :client_id, nil
+      option :tenant, nil
+      # Field renaming is an attempt to fit the OmniAuth recommended schema as
+      # best as possible.
+      #
+      # @see https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
+      uid { @claims['sub'] }
+      info do
+        { name: @claims['name'],
+          email: @claims['email'] || @claims['upn'],
+          first_name: @claims['given_name'],
+          last_name: @claims['family_name'] }
+      end
+      credentials { { code: @code } }
+      extra do
+        { session_state: @session_state,
+          raw_info:
+            { id_token: @id_token,
+              id_token_claims: @claims,
+              id_token_header: @header } }
+      end
+      DEFAULT_RESPONSE_TYPE = 'code id_token'
+      DEFAULT_RESPONSE_MODE = 'form_post'
+      ##
+      # Overridden method from OmniAuth::Strategy. This is the first step in the
+      # authentication process.
+      def request_phase
+        redirect authorize_endpoint_url
+      end
+      ##
+      # Overridden method from OmniAuth::Strategy. This is the second step in
+      # the authentication process. It is called after the user enters
+      # credentials at the authorization endpoint.
+      def callback_phase
+        error = request.params['error_reason'] || request.params['error']
+        fail(OAuthError, error) if error
+        @session_state = request.params['session_state']
+        @id_token = request.params['id_token']
+        @code = request.params['code']
+        @claims, @header = validate_and_parse_id_token(@id_token)
+        validate_chash(@code, @claims, @header)
+        super
+      end
+      private
+      ##
+      # Constructs a one-time-use authorize_endpoint. This method will use
+      # a new nonce on each invocation.
+      #
+      # @return String
+      def authorize_endpoint_url
+        uri = URI(openid_config['authorization_endpoint'])
+        uri.query = URI.encode_www_form(client_id: client_id,
+                                        redirect_uri: callback_url,
+                                        response_mode: response_mode,
+                                        response_type: response_type,
+                                        nonce: new_nonce)
+        uri.to_s
+      end
+      ##
+      # The client id of the calling application. This must be configured where
+      # AzureAD is installed as an OmniAuth strategy.
+      #
+      # @return String
+      def client_id
+        return options.client_id if options.client_id
+        fail StandardError, 'No client_id specified in AzureAD configuration.'
+      end
+      ##
+      # The expected id token issuer taken from the discovery endpoint.
+      #
+      # @return String
+      def issuer
+        openid_config['issuer']
+      end
+      ##
+      # Fetches the current signing keys for Azure AD. Note that there should
+      # always two available, and that they have a 6 week rollover.
+      #
+      # Each key is a hash with the following fields:
+      #   kty, use, kid, x5t, n, e, x5c
+      #
+      # @return Array[Hash]
+      def fetch_signing_keys
+        response = JSON.parse(Net::HTTP.get(URI(signing_keys_url)))
+        response['keys']
+      rescue JSON::ParserError
+        raise StandardError, 'Unable to fetch AzureAD signing keys.'
+      end
+      ##
+      # Fetches the OpenId Connect configuration for the AzureAD tenant. This
+      # contains several import values, including:
+      #
+      #   authorization_endpoint
+      #   token_endpoint
+      #   token_endpoint_auth_methods_supported
+      #   jwks_uri
+      #   response_types_supported
+      #   response_modes_supported
+      #   subject_types_supported
+      #   id_token_signing_alg_values_supported
+      #   scopes_supported
+      #   issuer
+      #   claims_supported
+      #   microsoft_multi_refresh_token
+      #   check_session_iframe
+      #   end_session_endpoint
+      #   userinfo_endpoint
+      #
+      # @return Hash
+      def fetch_openid_config
+        JSON.parse(Net::HTTP.get(URI(openid_config_url)))
+      rescue JSON::ParserError
+        raise StandardError, 'Unable to fetch OpenId configuration for ' \
+                             'AzureAD tenant.'
+      end
+      ##
+      # Generates a new nonce for one time use. Stores it in the session so
+      # multiple users don't share nonces. All nonces should be generated by
+      # this method.
+      #
+      # @return String
+      def new_nonce
+        session['omniauth-azure-activedirectory.nonce'] = SecureRandom.uuid
+      end
+      ##
+      # A memoized version of #fetch_openid_config.
+      #
+      # @return Hash
+      def openid_config
+        @openid_config ||= fetch_openid_config
+      end
+      ##
+      # The location of the OpenID configuration for the tenant.
+      #
+      # @return String
+      def openid_config_url
+        "https://login.windows.net/#{tenant}/.well-known/openid-configuration"
+      end
+      ##
+      # Returns the most recent nonce for the session and deletes it from the
+      # session.
+      #
+      # @return String
+      def read_nonce
+        session.delete('omniauth-azure-activedirectory.nonce')
+      end
+      ##
+      # The response_type that will be set in the authorization request query
+      # parameters. Can be overridden by the client, but it shouldn't need to
+      # be.
+      #
+      # @return String
+      def response_type
+        options[:response_type] || DEFAULT_RESPONSE_TYPE
+      end
+      ##
+      # The response_mode that will be set in the authorization request query
+      # parameters. Can be overridden by the client, but it shouldn't need to
+      # be.
+      #
+      # @return String
+      def response_mode
+        options[:response_mode] || DEFAULT_RESPONSE_MODE
+      end
+      ##
+      # The keys used to sign the id token JWTs. This is just a memoized version
+      # of #fetch_signing_keys.
+      #
+      # @return Array[Hash]
+      def signing_keys
+        @signing_keys ||= fetch_signing_keys
+      end
+      ##
+      # The location of the public keys of the token signer. This is parsed from
+      # the OpenId config response.
+      #
+      # @return String
+      def signing_keys_url
+        return openid_config['jwks_uri'] if openid_config.include? 'jwks_uri'
+        fail StandardError, 'No jwks_uri in OpenId config response.'
+      end
+      ##
+      # The tenant of the calling application. Note that this must be
+      # explicitly configured when installing the AzureAD OmniAuth strategy.
+      #
+      # @return String
+      def tenant
+        return options.tenant if options.tenant
+        fail StandardError, 'No tenant specified in AzureAD configuration.'
+      end
+      ##
+      # Verifies the signature of the id token as well as the exp, nbf, iat,
+      # iss, and aud fields.
+      #
+      # See OpenId Connect Core 3.1.3.7 and 3.2.2.11.
+      #
+      # @return Claims, Header
+      def validate_and_parse_id_token(id_token)
+        # The second parameter is the public key to verify the signature.
+        # However, that key is overridden by the value of the executed block
+        # if one is present.
+        #
+        # If you're thinking that this looks ugly with the raw nil and boolean,
+        # see https://github.com/jwt/ruby-jwt/issues/59.
+        jwt_claims, jwt_header =
+          JWT.decode(id_token, nil, true, verify_options) do |header|
+            # There should always be one key from the discovery endpoint that
+            # matches the id in the JWT header.
+            x5c = (signing_keys.find do |key|
+              key['kid'] == header['kid']
+            end || {})['x5c']
+            if x5c.nil? || x5c.empty?
+              fail JWT::VerificationError,
+                   'No keys from key endpoint match the id token'
+            end
+            # The key also contains other fields, such as n and e, that are
+            # redundant. x5c is sufficient to verify the id token.
+            OpenSSL::X509::Certificate.new(JWT.base64url_decode(x5c.first)).public_key
+          end
+        return jwt_claims, jwt_header if jwt_claims['nonce'] == read_nonce
+        fail JWT::DecodeError, 'Returned nonce did not match.'
+      end
+      ##
+      # Verifies that the c_hash the id token claims matches the authorization
+      # code. See OpenId Connect Core 3.3.2.11.
+      #
+      # @param String code
+      # @param Hash claims
+      # @param Hash header
+      def validate_chash(code, claims, header)
+        # This maps RS256 -> sha256, ES384 -> sha384, etc.
+        algorithm = (header['alg'] || 'RS256').sub(/RS|ES|HS/, 'sha')
+        full_hash = OpenSSL::Digest.new(algorithm).digest code
+        c_hash = JWT.base64url_encode full_hash[0..full_hash.length / 2 - 1]
+        return if c_hash == claims['c_hash']
+        fail JWT::VerificationError,
+             'c_hash in id token does not match auth code.'
+      end
+      ##
+      # The options passed to the Ruby JWT library to verify the id token.
+      # Note that these are not all the checks we perform. Some (like nonce)
+      # are not handled by the JWT API and are checked manually in
+      # #validate_and_parse_id_token.
+      #
+      # @return Hash
+      def verify_options
+        { verify_expiration: true,
+          verify_not_before: true,
+          verify_iat: true,
+          verify_iss: true,
+          'iss' => issuer,
+          verify_aud: true,
+          'aud' => client_id }
+      end
+    end
+  end
+end
+OmniAuth.config.add_camelization 'azure_activedirectory', 'AzureActiveDirectory'

data/omniauth-azure-activedirectory.gemspec ADDED

@@ -0,0 +1,25 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+require 'omniauth/azure_activedirectory/version'
+Gem::Specification.new do |s|
+  s.name            = 'omniauth-azure-activedirectory'
+  s.version         = OmniAuth::AzureActiveDirectory::VERSION
+  s.author          = 'Microsoft Corporation'
+  s.email           = 'nugetaad@microsoft.com'
+  s.summary         = 'Azure Active Directory strategy for OmniAuth'
+  s.description     = 'Allows developers to authenticate to AAD'
+  s.homepage        = 'https://github.com/AzureAD/omniauth-azure-activedirectory'
+  s.license         = 'MIT'
+  s.files           = `git ls-files`.split("\n")
+  s.require_paths   = ['lib']
+  s.add_runtime_dependency 'jwt', '~> 1.5'
+  s.add_runtime_dependency 'omniauth', '~> 1.1'
+  s.add_development_dependency 'rake', '~> 10.4'
+  s.add_development_dependency 'rspec', '~> 3.3'
+  s.add_development_dependency 'rubocop', '~> 0.32'
+  s.add_development_dependency 'simplecov', '~> 0.10'
+  s.add_development_dependency 'webmock', '~> 1.21'
+end

data/spec/fixtures/id_token.txt ADDED

@@ -0,0 +1 @@

+ eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFiYzEyMyJ9.eyJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9idW5jaC1vZi1yYW5kb20tY2hhcnMiLCJuYW1lIjoiSm9obiBTbWl0aCIsImF1ZCI6InRoZSBjbGllbnQgaWQiLCJub25jZSI6Im15IG5vbmNlIiwiZ2l2ZW5fbmFtZSI6IkpvaG4iLCJmYW1pbHlfbmFtZSI6InNtaXRoIiwiZW1haWwiOiJqc21pdGhAY29udG9zby5jb20iLCJjX2hhc2giOiJWcFRRaWk1VF84cmd3eEEtV3RiMkJ3In0.Xz9SL1dm9xeJ3YtBIwSpL7SHEMr5lsL32mkJIugoAt7rNhj2ZauN77_N3skU9FIRTVb_XBFHrLo1AXion7RWoOGAMk8xnuQRlhamGoWsjttWE9oO6J6kuQPSDBvLTA88UqLoGNezDwFNfgUFQq-66m33ZWdkiNOFoFZ_In6DtAwxHZZUys-KoYD3iCbviUoBzU57aV-SBsWyComq39pDGpw03qZoa_xgRfujdVHG1DKlO5VG79kUE3ySYWJyBYVKUdAzjH1iotjpPA1svtqytn4CUldAMi4nnf7iq5SCJMb4ucu0mN6AhJH9ktY--fGY6_OidyiDe4F57ZzLw-3jOQ

data/spec/fixtures/id_token_bad_audience.txt ADDED

@@ -0,0 +1 @@

+ eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFiYzEyMyJ9.eyJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9idW5jaC1vZi1yYW5kb20tY2hhcnMiLCJuYW1lIjoiSm9obiBTbWl0aCIsImF1ZCI6Im5vdCB0aGUgY2xpZW50IGlkIiwibm9uY2UiOiJteSBub25jZSIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJzbWl0aCIsImVtYWlsIjoianNtaXRoQGNvbnRvc28uY29tIn0.gGCFTcGDBb2P5tPRj2ojUUiwOJoSslQlxEVTElZY6FCzCZzcypsnrYOB9Adkztp2AWF4wW9fT58lqXwaahKquXtK4wyK4KoNBxXBhS4sDMeNpVkK4914tT_6gecvyUsI_tlJaS0epd5c0mN9-1QjgvNEirY1L-XYaT290LmLYVYIFTEJXoSlnwvv081k0txdJZKr14JXd_bSLUbhGSd-NcGZkJuVmg2F_C65zd1wUsQOkV2iVdJ-ycaDJklv8-DFfDFIHQio8S9yqyieHwArRmTW9HzcoHhWBh2MIItszoTSbmQEF062NtNBPW8gyk1OSot5X9klJUhgPAAFqJ0TJQ

data/spec/fixtures/id_token_bad_chash.txt ADDED

@@ -0,0 +1 @@

+ eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFiYzEyMyJ9.eyJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9idW5jaC1vZi1yYW5kb20tY2hhcnMiLCJuYW1lIjoiSm9obiBTbWl0aCIsImF1ZCI6InRoZSBjbGllbnQgaWQiLCJub25jZSI6Im15IG5vbmNlIiwiZ2l2ZW5fbmFtZSI6IkpvaG4iLCJmYW1pbHlfbmFtZSI6InNtaXRoIiwiZW1haWwiOiJqc21pdGhAY29udG9zby5jb20iLCJjX2hhc2giOiI1WEhDdk9qcUgtbnJBXzNXNUJYaWJnIn0.EHPFrxMbr2EH1IZ15F3oP1yvrukadY4ggZSOxm625qPoMxfhv-QzFm0YMhkAG0cLM_LSHi_RgedDwTGuzOtIWqmheYzydnhtbIBeKmx0RSgdob6WeiTZwJ93VRiV4q82Qda41JaaIl_wdWd4lVyVstd9o9jPYMtKEVLgaNDrtHt6pPxEGCVraiaM6tVyKc5XIHu3wNaqle5UZZREU6oirwTCUhXDZkz1g5qY2-aWUdfFVsElSarJuMcxGDPD20hvx7T3D7SCHAF8WhKw3AwQyrodKWCo3cqDOz6vHymb_-ELkJc14GMbtJiyrf6XYySZZoseoI_WBDmLfKcK637xCw

data/spec/fixtures/id_token_bad_issuer.txt ADDED

@@ -0,0 +1 @@

+ eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFiYzEyMyJ9.eyJpc3MiOiJodHRwczovL3N0cy5pbXBvc3Rlci5uZXQvYnVuY2gtb2YtcmFuZG9tLWNoYXJzIiwibmFtZSI6IkpvaG4gU21pdGgiLCJhdWQiOiJ0aGUgY2xpZW50IGlkIiwibm9uY2UiOiJteSBub25jZSIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJzbWl0aCIsImVtYWlsIjoianNtaXRoQGNvbnRvc28uY29tIn0.fwnJuRsif_Td3MfXoyADHidYJyPFdWSBBoLbVAu4Lz3-pmSln9Vgxl5KowqEKq2LX5n0aqyWVGLcoT-_G_PNXuizuNmssv5vreKLvDMpsFXt2irdwGYDCRki7KQPBk3bn12YjBzE2EqiRy7dTEG_0vWoh1RqoNP72BBL8xYQUlIOFleZhT5KGNYbh7rvcmDq7aA-xdaXT3QJfHCHpitW_zVzZ5Gok_awcdx_v3r3eFbG2IT0PfmT40Ljia0aP2i60KgsOLLHarYO51KFNDEfr1pUDf4IweaEzstbVLwk-_5ulJ5QgByhNJrmWDfrGeCQRk0SO2XX-EUsVn5ySVJ5CQ

data/spec/fixtures/id_token_bad_kid.txt ADDED

@@ -0,0 +1 @@

+ eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFiYzEyMzQifQ.eyJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9idW5jaC1vZi1yYW5kb20tY2hhcnMiLCJuYW1lIjoiSm9obiBTbWl0aCIsImF1ZCI6InRoZSBjbGllbnQgaWQiLCJub25jZSI6Im15IG5vbmNlIiwiZ2l2ZW5fbmFtZSI6IkpvaG4iLCJmYW1pbHlfbmFtZSI6InNtaXRoIiwiZW1haWwiOiJqc21pdGhAY29udG9zby5jb20iLCJjX2hhc2giOiI1WEhDdk9qcUgtbnJBXzNXNUJYaWJnIn0.gWGBc9rH30SN17Ikm1CjqIYAyzFHX0yeRQu85sVYLE3r5k26bjS3R6rTJcCQlYqHPRdoPcnkUgT1QVbdThw34ICrODoavs7I5QYEn_jKP9zM4UJEKQaCLBAtitzrk1KDEf0GLcNKif-MYu7MiQfoOzwCGWfIs-vgqk4lv0JUs9OlSLp5LHru7G3jKy6Qswbrpxpjzm9I8BnKEdhUfhz4P6wIf9KLMmhgeGQdQ6wBuxPmOf9r6EKIij2AENhFp1qP90m8kXq9tIt5FZFjwIs_G6spLl0gQXyx0qC8rP5JTkqwrBUieWU-BRqVdax8YxA0iDKzZyfsMV92yVcZT6S_NQ