@boxyhq/saml-jackson 0.2.3-beta.211 → 0.2.3-beta.223

package/src/saml/saml.ts

@@ -0,0 +1,234 @@
+const saml = require('@boxyhq/saml20');
+const xml2js = require('xml2js');
+const thumbprint = require('thumbprint');
+const xmlcrypto = require('xml-crypto');
+import * as rambda from 'rambda';
+import xmlbuilder from 'xmlbuilder';
+import crypto from 'crypto';
+import claims from './claims';
+import { SAMLProfile, SAMLReq } from 'saml-jackson';
+
+const idPrefix = '_';
+const authnXPath =
+  '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
+const issuerXPath =
+  '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
+
+const signRequest = (xml: string, signingKey: string) => {
+  if (!xml) {
+    throw new Error('Please specify xml');
+  }
+  if (!signingKey) {
+    throw new Error('Please specify signingKey');
+  }
+
+  const sig = new xmlcrypto.SignedXml();
+  sig.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
+  sig.signingKey = signingKey;
+  sig.addReference(
+    authnXPath,
+    [
+      'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
+      'http://www.w3.org/2001/10/xml-exc-c14n#',
+    ],
+    'http://www.w3.org/2001/04/xmlenc#sha256'
+  );
+  sig.computeSignature(xml, {
+    location: { reference: authnXPath + issuerXPath, action: 'after' },
+  });
+
+  return sig.getSignedXml();
+};
+
+const request = ({
+  ssoUrl,
+  entityID,
+  callbackUrl,
+  isPassive = false,
+  forceAuthn = false,
+  identifierFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+  providerName = 'BoxyHQ',
+  signingKey,
+}: SAMLReq): { id: string; request: string } => {
+  const id = idPrefix + crypto.randomBytes(10).toString('hex');
+  const date = new Date().toISOString();
+
+  let samlReq: Record<string, any> = {
+    'samlp:AuthnRequest': {
+      '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+      '@ID': id,
+      '@Version': '2.0',
+      '@IssueInstant': date,
+      '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+      '@Destination': ssoUrl,
+      'saml:Issuer': {
+        '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
+        '#text': entityID,
+      },
+    },
+  };
+
+  if (isPassive) samlReq['samlp:AuthnRequest']['@IsPassive'] = true;
+
+  if (forceAuthn) {
+    samlReq['samlp:AuthnRequest']['@ForceAuthn'] = true;
+  }
+
+  samlReq['samlp:AuthnRequest']['@AssertionConsumerServiceURL'] = callbackUrl;
+
+  samlReq['samlp:AuthnRequest']['samlp:NameIDPolicy'] = {
+    '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+    '@Format': identifierFormat,
+    '@AllowCreate': 'true',
+  };
+
+  if (providerName != null) {
+    samlReq['samlp:AuthnRequest']['@ProviderName'] = providerName;
+  }
+
+  let xml = xmlbuilder.create(samlReq).end({});
+  if (signingKey) {
+    xml = signRequest(xml, signingKey);
+  }
+
+  return {
+    id,
+    request: xml,
+  };
+};
+
+const parseAsync = async (
+  rawAssertion: string
+): Promise<SAMLProfile | void> => {
+  return new Promise((resolve, reject) => {
+    saml.parse(
+      rawAssertion,
+      function onParseAsync(err: Error, profile: SAMLProfile) {
+        if (err) {
+          reject(err);
+          return;
+        }
+
+        resolve(profile);
+      }
+    );
+  });
+};
+
+const validateAsync = async (
+  rawAssertion: string,
+  options
+): Promise<SAMLProfile | void> => {
+  return new Promise((resolve, reject) => {
+    saml.validate(
+      rawAssertion,
+      options,
+      function onValidateAsync(err, profile: SAMLProfile) {
+        if (err) {
+          reject(err);
+          return;
+        }
+
+        if (profile && profile.claims) {
+          // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
+          profile.claims = claims.map(profile.claims);
+
+          // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
+          if (!profile.claims.id) {
+            profile.claims.id = crypto
+              .createHash('sha256')
+              .update(profile.claims.email)
+              .digest('hex');
+          }
+        }
+
+        resolve(profile);
+      }
+    );
+  });
+};
+
+const parseMetadataAsync = async (
+  idpMeta: string
+): Promise<Record<string, any>> => {
+  return new Promise((resolve, reject) => {
+    xml2js.parseString(
+      idpMeta,
+      { tagNameProcessors: [xml2js.processors.stripPrefix] },
+      (err: Error, res) => {
+        if (err) {
+          reject(err);
+          return;
+        }
+
+        const entityID = rambda.path('EntityDescriptor.$.entityID', res);
+        let X509Certificate = null;
+        let ssoPostUrl: null | undefined = null;
+        let ssoRedirectUrl: null | undefined = null;
+        let loginType = 'idp';
+
+        let ssoDes: any = rambda.pathOr(
+          null,
+          'EntityDescriptor.IDPSSODescriptor',
+          res
+        );
+        if (!ssoDes) {
+          ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
+          if (!ssoDes) {
+            loginType = 'sp';
+          }
+        }
+
+        for (const ssoDesRec of ssoDes) {
+          const keyDes = ssoDesRec['KeyDescriptor'];
+          for (const keyDesRec of keyDes) {
+            if (keyDesRec['$'] && keyDesRec['$'].use === 'signing') {
+              const ki = keyDesRec['KeyInfo'][0];
+              const cd = ki['X509Data'][0];
+              X509Certificate = cd['X509Certificate'][0];
+            }
+          }
+
+          const ssoSvc =
+            ssoDesRec['SingleSignOnService'] ||
+            ssoDesRec['AssertionConsumerService'] ||
+            [];
+          for (const ssoSvcRec of ssoSvc) {
+            if (
+              rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-POST')
+            ) {
+              ssoPostUrl = rambda.path('$.Location', ssoSvcRec);
+            } else if (
+              rambda
+                .pathOr('', '$.Binding', ssoSvcRec)
+                .endsWith('HTTP-Redirect')
+            ) {
+              ssoRedirectUrl = rambda.path('$.Location', ssoSvcRec);
+            }
+          }
+        }
+
+        const ret: Record<string, any> = {
+          sso: {},
+        };
+        if (entityID) {
+          ret.entityID = entityID;
+        }
+        if (X509Certificate) {
+          ret.thumbprint = thumbprint.calculate(X509Certificate);
+        }
+        if (ssoPostUrl) {
+          ret.sso.postUrl = ssoPostUrl;
+        }
+        if (ssoRedirectUrl) {
+          ret.sso.redirectUrl = ssoRedirectUrl;
+        }
+        ret.loginType = loginType;
+
+        resolve(ret);
+      }
+    );
+  });
+};
+
+export default { request, parseAsync, validateAsync, parseMetadataAsync };

package/src/saml/x509.ts

@@ -0,0 +1,51 @@
+import * as x509 from '@peculiar/x509';
+import { Crypto } from '@peculiar/webcrypto';
+
+const crypto = new Crypto();
+x509.cryptoProvider.set(crypto);
+
+const alg = {
+  name: 'RSASSA-PKCS1-v1_5',
+  hash: 'SHA-256',
+  publicExponent: new Uint8Array([1, 0, 1]),
+  modulusLength: 2048,
+};
+
+const generate = async () => {
+  const keys = await crypto.subtle.generateKey(alg, true, ['sign', 'verify']);
+
+  const extensions: x509.Extension[] = [
+    new x509.BasicConstraintsExtension(false, undefined, true),
+  ];
+
+  extensions.push(
+    new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true)
+  );
+  if (keys.publicKey) {
+    extensions.push(
+      await x509.SubjectKeyIdentifierExtension.create(keys.publicKey)
+    );
+  }
+
+  const cert = await x509.X509CertificateGenerator.createSelfSigned({
+    serialNumber: '01',
+    name: 'CN=BoxyHQ Jackson',
+    notBefore: new Date(),
+    notAfter: new Date('3021/01/01'), // TODO: set shorter expiry and rotate ceritifcates
+    signingAlgorithm: alg,
+    keys: keys,
+    extensions,
+  });
+  if (keys.privateKey) {
+    const pkcs8 = await crypto.subtle.exportKey('pkcs8', keys.privateKey);
+
+    return {
+      publicKey: cert.toString('pem'),
+      privateKey: x509.PemConverter.encode(pkcs8, 'private key'),
+    };
+  }
+};
+
+export default {
+  generate,
+};

package/src/test/api.test.ts

@@ -0,0 +1,271 @@
+import * as path from 'path';
+import { DatabaseOption, IdPConfig } from 'saml-jackson';
+import sinon from 'sinon';
+import tap from 'tap';
+import * as dbutils from '../db/utils';
+import controllers from '../index';
+import readConfig from '../read-config';
+
+// TODO: Add the type
+let apiController;
+
+const CLIENT_ID = '75edb050796a0eb1cf2cfb0da7245f85bc50baa7';
+const PROVIDER = 'accounts.google.com';
+const OPTIONS = {
+  externalUrl: 'https://my-cool-app.com',
+  samlAudience: 'https://saml.boxyhq.com',
+  samlPath: '/sso/oauth/saml',
+  db: {
+    engine: 'mongo',
+    url: 'mongodb://localhost:27017/jackson-demo',
+  } as DatabaseOption,
+};
+
+tap.before(async () => {
+  const controller = await controllers(OPTIONS);
+
+  apiController = controller.apiController;
+});
+
+tap.teardown(async () => {
+  process.exit(0);
+});
+
+tap.test('controller/api', async (t) => {
+  const metadataPath = path.join(__dirname, '/data/metadata');
+  const config = await readConfig(metadataPath);
+
+  t.afterEach(async () => {
+    await apiController.deleteConfig({
+      tenant: config[0].tenant,
+      product: config[0].product,
+    });
+  });
+
+  t.test('Create the config', async (t) => {
+    t.test('when required fields are missing or invalid', async (t) => {
+      t.test('when `rawMetadata` is empty', async (t) => {
+        const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+        delete body['rawMetadata'];
+
+        try {
+          await apiController.config(body);
+          t.fail('Expecting JacksonError.');
+        } catch (err: any) {
+          t.equal(err.message, 'Please provide rawMetadata');
+          t.equal(err.statusCode, 400);
+        }
+
+        t.end();
+      });
+
+      t.test('when `defaultRedirectUrl` is empty', async (t) => {
+        const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+        delete body['defaultRedirectUrl'];
+
+        try {
+          await apiController.config(body);
+          t.fail('Expecting JacksonError.');
+        } catch (err: any) {
+          t.equal(err.message, 'Please provide a defaultRedirectUrl');
+          t.equal(err.statusCode, 400);
+        }
+
+        t.end();
+      });
+
+      t.test('when `redirectUrl` is empty', async (t) => {
+        const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+        delete body['redirectUrl'];
+
+        try {
+          await apiController.config(body);
+          t.fail('Expecting JacksonError.');
+        } catch (err: any) {
+          t.equal(err.message, 'Please provide redirectUrl');
+          t.equal(err.statusCode, 400);
+        }
+
+        t.end();
+      });
+
+      t.test('when `tenant` is empty', async (t) => {
+        const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+        delete body['tenant'];
+
+        try {
+          await apiController.config(body);
+          t.fail('Expecting JacksonError.');
+        } catch (err: any) {
+          t.equal(err.message, 'Please provide tenant');
+          t.equal(err.statusCode, 400);
+        }
+
+        t.end();
+      });
+
+      t.test('when `product` is empty', async (t) => {
+        const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+        delete body['product'];
+
+        try {
+          await apiController.config(body);
+          t.fail('Expecting JacksonError.');
+        } catch (err: any) {
+          t.equal(err.message, 'Please provide product');
+          t.equal(err.statusCode, 400);
+        }
+
+        t.end();
+      });
+
+      t.test('when `rawMetadata` is not a valid XML', async (t) => {
+        const body = Object.assign({}, config[0]);
+        body['rawMetadata'] = 'not a valid XML';
+
+        try {
+          await apiController.config(body);
+          t.fail('Expecting Error.');
+        } catch (err: any) {
+          t.match(err.message, /Non-whitespace before first tag./);
+        }
+
+        t.end();
+      });
+    });
+
+    t.test('when the request is good', async (t) => {
+      const body = Object.assign({}, config[0]);
+
+      const kdStub = sinon.stub(dbutils, 'keyDigest').returns(CLIENT_ID);
+
+      const response = await apiController.config(body);
+
+      t.ok(kdStub.called);
+      t.equal(response.client_id, CLIENT_ID);
+      t.equal(response.provider, PROVIDER);
+
+      let savedConf = await apiController.getConfig({
+        clientID: CLIENT_ID,
+      });
+
+      t.equal(savedConf.provider, PROVIDER);
+
+      kdStub.restore();
+
+      t.end();
+    });
+
+    t.end();
+  });
+
+  t.test('Get the config', async (t) => {
+    t.test('when valid request', async (t) => {
+      const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+
+      await apiController.config(body);
+
+      const { provider } = await apiController.getConfig(body);
+
+      t.equal(provider, PROVIDER);
+
+      t.end();
+    });
+
+    t.test('when invalid request', async (t) => {
+      let response;
+
+      const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+
+      await apiController.config(body);
+
+      // Empty body
+      try {
+        await apiController.getConfig({});
+        t.fail('Expecting Error.');
+      } catch (err: any) {
+        t.match(
+          err.message,
+          'Please provide `clientID` or `tenant` and `product`.'
+        );
+      }
+
+      // Invalid clientID
+      response = await apiController.getConfig({
+        clientID: 'an invalid clientID',
+      });
+
+      t.match(response, {});
+
+      // Invalid tenant and product combination
+      response = await apiController.getConfig({
+        tenant: 'demo.com',
+        product: 'desk',
+      });
+
+      t.match(response, {});
+
+      t.end();
+    });
+
+    t.end();
+  });
+
+  t.test('Delete the config', async (t) => {
+    t.test('when valid request', async (t) => {
+      const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+
+      const client = await apiController.config(body);
+
+      await apiController.deleteConfig({
+        clientID: client.client_id,
+        clientSecret: client.client_secret,
+      });
+
+      const response = await apiController.getConfig({
+        clientID: client.client_id,
+      });
+
+      t.match(response, {});
+
+      t.end();
+    });
+
+    t.test('when invalid request', async (t) => {
+      let response;
+
+      const body: Partial<IdPConfig> = Object.assign({}, config[0]);
+
+      const client = await apiController.config(body);
+
+      // Empty body
+      try {
+        await apiController.deleteConfig({});
+        t.fail('Expecting Error.');
+      } catch (err: any) {
+        t.match(
+          err.message,
+          'Please provide `clientID` and `clientSecret` or `tenant` and `product`.'
+        );
+      }
+
+      // Invalid clientID or clientSecret
+      try {
+        await apiController.deleteConfig({
+          clientID: client.client_id,
+          clientSecret: 'invalid client secret',
+        });
+
+        t.fail('Expecting Error.');
+      } catch (err: any) {
+        t.match(err.message, 'clientSecret mismatch.');
+      }
+
+      t.end();
+    });
+
+    t.end();
+  });
+
+  t.end();
+});

package/src/test/data/metadata/boxyhq.js

@@ -0,0 +1,6 @@
+module.exports = {
+  defaultRedirectUrl: 'http://localhost:3000/sso/oauth/completed',
+  redirectUrl: '["http://localhost:3000"]',
+  tenant: 'boxyhq.com',
+  product: 'crm',
+};

package/src/test/data/metadata/boxyhq.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2" validUntil="2026-06-22T18:39:53.000Z">
+  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXo6K+u/MA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
+bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
+b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwNjIz
+MTgzOTUzWhcNMjYwNjIyMTgzOTUzWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
+TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA4qZcxwPiVka9GzGdQ9LVlgVkn3A7O3HtxR6RIm5AMaL4YZziEHt2HgxLdJZyXYJw
+yfT1KB2IHt+XDQBkgEpQVXuuwSPI8vhI8Jr+nr8zia3MMoy9vJF8ZG7HuWeakaKEh7tJqjYu1Cl9
+a81rkYdXAFUA+gl2q+stvK26xylAUwptCJSQo0NanWzCq+k5zvX0uLmh58+W5Yv11hDTtAoW+1dH
+LWUTHXPfoZINPRy5NGKJ2Onq5/D5XJRimNnUa2iYi0Yv9txp1RRq4dpB9MaVttt3iKyDo4/+8fg/
+bL8BLhguiOeqcP4DEIzMuExi3bZAOu2NC7k7Qf28nA81LzP9DQIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQARBNB3+MfmKr5WXNXXE9YwUzUGmpfbqUPXh2y2dOAkj6TzoekAsOLWB0p8oyJ5d1bFlTsx
+i1OY9RuFl0tc35Jbo+ae5GfUvJmbnYGi9z8sBL55HY6x3KQNmM/ehof7ttZwvB6nwuRxAiGYG497
+3tSzrqMQzEskcgX1mlCW0vks/ztCaayprDXcCUxWdP9FaiSZDEXV6PHhFZgGlRNvERsgaMDJgOsq
+v6hLX10Q9CtOWzqu18PI4DcfoZ7exWcC29yWvwZzDTfHGaSG1DtUFLwiQmhVUbfd7/fmLV+/iOxV
+zI0b5xSYZOJ7Kena7gd5zGVrc2ygKAFKiffiI5GLmLkv</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2"/>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2"/>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>

package/src/test/data/saml_response

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxzYW1sMnA6UmVzcG9uc2UgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovLzdlYTItMTAzLTE1My0xMDQtMTYxLm5ncm9rLmlvL3Nzby9vYXV0aC9zYW1sIiBJRD0iXzRkZmM5MjYwZDFjZTVlMDRhZTQ4ZTg4ZWJkNGNlOTY3IiBJblJlc3BvbnNlVG89Il9kYWNkMTRhZGVmMmNiMDc1NGM5NiIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA2VDE1OjIzOjA3LjM2MFoiIFZlcnNpb249IjIuMCI+DQogICA8c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL2FjY291bnRzLmdvb2dsZS5jb20vby9zYW1sMjwvc2FtbDI6SXNzdWVyPg0KICAgPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgICA8ZHM6U2lnbmVkSW5mbz4NCiAgICAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPg0KICAgICAgICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiIC8+DQogICAgICAgICA8ZHM6UmVmZXJlbmNlIFVSST0iI180ZGZjOTI2MGQxY2U1ZTA0YWU0OGU4OGViZDRjZTk2NyI+DQogICAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz4NCiAgICAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+DQogICAgICAgICAgICA8L2RzOlRyYW5zZm9ybXM+DQogICAgICAgICAgICA8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPg0KICAgICAgICAgICAgPGRzOkRpZ2VzdFZhbHVlPjI3Vy9EZTVKTlZIWkk1VTVKZGIvUi9mUXIya0pmd1VPbk0vVlRmQ1ZwQU09PC9kczpEaWdlc3RWYWx1ZT4NCiAgICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPm4vWCsvb0ZzK3JNU2gxMlg4dnowWlNkNlFpcU50eTY3RnFVbVNwdGllRmNoM0NScGQzZ2dpSHNwTTlMcm9MWjZVZGlsbThtdFZqTkgNCi9ob21yWDNvVEQ4UStxdzNiSllOTEptNEQvRWNmZmRDNmpSb0RJZzRYeFYxYlBVaWhQTnI4dlBFZEF2eEdwNTNiZ2MyREJsWkJpT3gNCnh4RlBSbEtnajJDWjh5SWk1R05FMUVTYms2SEtjY3g4R2dxWmtSYkVRbWtnbVMxZG1xcGl5bUpQM3orMHlaaXQyZ3dwQW5WVjNCMDUNCnZOcy8rSTFzRlZLaHNWcTc4QzZNWlZzV1pUSi80RFhadWhVSnpLNElTSU11b1RqUWFacEZMeEpBKzlhZzIvcm9OMjkwcitpcTZ5MVQNCjNHSlF1TlBPU0JVS1NpWlZVNmdwTldRRDBxckFxSWFQUFpOZnp3PT08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgPGRzOktleUluZm8+DQogICAgICAgICA8ZHM6WDUwOURhdGE+DQogICAgICAgICAgICA8ZHM6WDUwOVN1YmplY3ROYW1lPlNUPUNhbGlmb3JuaWEsQz1VUyxPVT1Hb29nbGUgRm9yIFdvcmssQ049R29vZ2xlLEw9TW91bnRhaW4gVmlldyxPPUdvb2dsZSBJbmMuPC9kczpYNTA5U3ViamVjdE5hbWU+DQogICAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURkRENDQWx5Z0F3SUJBZ0lHQVhvNksrdS9NQTBHQ1NxR1NJYjNEUUVCQ3dVQU1Ic3hGREFTQmdOVkJBb1RDMGR2YjJkc1pTQkoNCmJtTXVNUll3RkFZRFZRUUhFdzFOYjNWdWRHRnBiaUJXYVdWM01ROHdEUVlEVlFRREV3WkhiMjluYkdVeEdEQVdCZ05WQkFzVEQwZHYNCmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTWpFd05qSXoNCk1UZ3pPVFV6V2hjTk1qWXdOakl5TVRnek9UVXpXakI3TVJRd0VnWURWUVFLRXd0SGIyOW5iR1VnU1c1akxqRVdNQlFHQTFVRUJ4TU4NClRXOTFiblJoYVc0Z1ZtbGxkekVQTUEwR0ExVUVBeE1HUjI5dloyeGxNUmd3RmdZRFZRUUxFdzlIYjI5bmJHVWdSbTl5SUZkdmNtc3gNCkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEENCk1JSUJDZ0tDQVFFQTRxWmN4d1BpVmthOUd6R2RROUxWbGdWa24zQTdPM0h0eFI2UkltNUFNYUw0WVp6aUVIdDJIZ3hMZEpaeVhZSncNCnlmVDFLQjJJSHQrWERRQmtnRXBRVlh1dXdTUEk4dmhJOEpyK25yOHppYTNNTW95OXZKRjhaRzdIdVdlYWthS0VoN3RKcWpZdTFDbDkNCmE4MXJrWWRYQUZVQStnbDJxK3N0dksyNnh5bEFVd3B0Q0pTUW8wTmFuV3pDcStrNXp2WDB1TG1oNTgrVzVZdjExaERUdEFvVysxZEgNCkxXVVRIWFBmb1pJTlBSeTVOR0tKMk9ucTUvRDVYSlJpbU5uVWEyaVlpMFl2OXR4cDFSUnE0ZHBCOU1hVnR0dDNpS3lEbzQvKzhmZy8NCmJMOEJMaGd1aU9lcWNQNERFSXpNdUV4aTNiWkFPdTJOQzdrN1FmMjhuQTgxTHpQOURRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUENCkE0SUJBUUFSQk5CMytNZm1LcjVXWE5YWEU5WXdVelVHbXBmYnFVUFhoMnkyZE9Ba2o2VHpvZWtBc09MV0IwcDhveUo1ZDFiRmxUc3gNCmkxT1k5UnVGbDB0YzM1SmJvK2FlNUdmVXZKbWJuWUdpOXo4c0JMNTVIWTZ4M0tRTm1NL2Vob2Y3dHRad3ZCNm53dVJ4QWlHWUc0OTcNCjN0U3pycU1RekVza2NnWDFtbENXMHZrcy96dENhYXlwckRYY0NVeFdkUDlGYWlTWkRFWFY2UEhoRlpnR2xSTnZFUnNnYU1ESmdPc3ENCnY2aExYMTBROUN0T1d6cXUxOFBJNERjZm9aN2V4V2NDMjl5V3Z3WnpEVGZIR2FTRzFEdFVGTHdpUW1oVlViZmQ3L2ZtTFYrL2lPeFYNCnpJMGI1eFNZWk9KN0tlbmE3Z2Q1ekdWcmMyeWdLQUZLaWZmaUk1R0xtTGt2PC9kczpYNTA5Q2VydGlmaWNhdGU+DQogICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgPC9kczpTaWduYXR1cmU+DQogICA8c2FtbDJwOlN0YXR1cz4NCiAgICAgIDxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIiAvPg0KICAgPC9zYW1sMnA6U3RhdHVzPg0KICAgPHNhbWwyOkFzc2VydGlvbiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9Il8xMWZkN2U5MDdjZmNiMTEwODM3NjI5OGM1Nzc0ZjgyNyIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA2VDE1OjIzOjA3LjM2MFoiIFZlcnNpb249IjIuMCI+DQogICAgICA8c2FtbDI6SXNzdWVyPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyPC9zYW1sMjpJc3N1ZXI+DQogICAgICA8c2FtbDI6U3ViamVjdD4NCiAgICAgICAgIDxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPmtpcmFuQGRlbW8uY29tPC9zYW1sMjpOYW1lSUQ+DQogICAgICAgICA8c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICAgICAgPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iX2RhY2QxNGFkZWYyY2IwNzU0Yzk2IiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMTItMDZUMTU6Mjg6MDcuMzYwWiIgUmVjaXBpZW50PSJodHRwczovLzdlYTItMTAzLTE1My0xMDQtMTYxLm5ncm9rLmlvL3Nzby9vYXV0aC9zYW1sIiAvPg0KICAgICAgICAgPC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgICAgPC9zYW1sMjpTdWJqZWN0Pg0KICAgICAgPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIxLTEyLTA2VDE1OjE4OjA3LjM2MFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0xMi0wNlQxNToyODowNy4zNjBaIj4NCiAgICAgICAgIDxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICAgICAgPHNhbWwyOkF1ZGllbmNlPmh0dHBzOi8vc2FtbC5ib3h5aHEuY29tPC9zYW1sMjpBdWRpZW5jZT4NCiAgICAgICAgIDwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgIDwvc2FtbDI6Q29uZGl0aW9ucz4NCiAgICAgIDxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIuZW1haWwiPg0KICAgICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPmtpcmFuQGRlbW8uY29tPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgICAgIDwvc2FtbDI6QXR0cmlidXRlPg0KICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ1c2VyLmZpcnN0TmFtZSI+DQogICAgICAgICAgICA8c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6YW55VHlwZSI+S2lyYW48L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgPC9zYW1sMjpBdHRyaWJ1dGU+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIuaWQiIC8+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIubGFzdE5hbWUiPg0KICAgICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPks8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgPC9zYW1sMjpBdHRyaWJ1dGU+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9Im1lbWJlci1vZiIgLz4NCiAgICAgIDwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMS0xMi0wNlQxNToxNzowNS4wMDBaIiBTZXNzaW9uSW5kZXg9Il8xMWZkN2U5MDdjZmNiMTEwODM3NjI5OGM1Nzc0ZjgyNyI+DQogICAgICAgICA8c2FtbDI6QXV0aG5Db250ZXh0Pg0KICAgICAgICAgICAgPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgICAgIDwvc2FtbDI6QXV0aG5Db250ZXh0Pg0KICAgICAgPC9zYW1sMjpBdXRoblN0YXRlbWVudD4NCiAgIDwvc2FtbDI6QXNzZXJ0aW9uPg0KPC9zYW1sMnA6UmVzcG9uc2U+