From 5c15ad4518f70e4523405fa67635c4dff1a73e43 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <volkmer_p@ukw.de>
Date: Fri, 1 Mar 2024 09:30:07 +0100
Subject: [PATCH 1/4] feat: add user role database table and role-based
 permissions

---
 .../config/AppSecurityConfiguration.kt        | 38 ++++++++++++++--
 .../dnpm/etl/processor/security/UserRole.kt   | 44 +++++++++++++++++++
 .../migration/mariadb/V0_3_0__UserRoles.sql   |  7 +++
 .../postgresql/V0_3_0__UserRoles.sql          |  8 ++++
 src/main/resources/templates/index.html       | 10 ++---
 5 files changed, 98 insertions(+), 9 deletions(-)
 create mode 100644 src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt
 create mode 100644 src/main/resources/db/migration/mariadb/V0_3_0__UserRoles.sql
 create mode 100644 src/main/resources/db/migration/postgresql/V0_3_0__UserRoles.sql

diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
index 6017aab..d28369a 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
@@ -19,6 +19,9 @@
 
 package dev.dnpm.etl.processor.config
 
+import dev.dnpm.etl.processor.security.Role
+import dev.dnpm.etl.processor.security.UserRole
+import dev.dnpm.etl.processor.security.UserRoleRepository
 import org.slf4j.LoggerFactory
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
 import org.springframework.boot.context.properties.EnableConfigurationProperties
@@ -27,10 +30,13 @@ import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetails
 import org.springframework.security.crypto.factory.PasswordEncoderFactories
 import org.springframework.security.crypto.password.PasswordEncoder
+import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
 import org.springframework.security.web.SecurityFilterChain
 import java.util.*
@@ -77,13 +83,20 @@ class AppSecurityConfiguration(
 
     @Bean
     @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
-    fun filterChainOidc(http: HttpSecurity, passwordEncoder: PasswordEncoder): SecurityFilterChain {
+    fun filterChainOidc(http: HttpSecurity, passwordEncoder: PasswordEncoder, userRoleRepository: UserRoleRepository): SecurityFilterChain {
         http {
             authorizeRequests {
                 authorize("/configs/**", hasRole("ADMIN"))
                 authorize("/mtbfile/**", hasAnyRole("MTBFILE"))
-                authorize("/report/**", fullyAuthenticated)
-                authorize(anyRequest, permitAll)
+                authorize("/report/**", hasAnyRole("ADMIN", "USER"))
+                authorize("*.css", permitAll)
+                authorize("*.ico", permitAll)
+                authorize("*.jpeg", permitAll)
+                authorize("*.js", permitAll)
+                authorize("*.svg", permitAll)
+                authorize("*.css", permitAll)
+                authorize("/login/**", permitAll)
+                authorize(anyRequest, fullyAuthenticated)
             }
             httpBasic {
                 realmName = "ETL-Processor"
@@ -99,6 +112,24 @@ class AppSecurityConfiguration(
         return http.build()
     }
 
+    @Bean
+    @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
+    fun grantedAuthoritiesMapper(userRoleRepository: UserRoleRepository): GrantedAuthoritiesMapper {
+        return GrantedAuthoritiesMapper { grantedAuthority ->
+            grantedAuthority.filterIsInstance<OidcUserAuthority>()
+                .onEach {
+                    val userRole = userRoleRepository.findByUsername(it.userInfo.preferredUsername)
+                    if (userRole.isEmpty) {
+                        userRoleRepository.save(UserRole(null, it.userInfo.preferredUsername, Role.GUEST))
+                    }
+                }
+                .map {
+                    val userRole = userRoleRepository.findByUsername(it.userInfo.preferredUsername)
+                    SimpleGrantedAuthority("ROLE_${userRole.get().role.toString().uppercase()}")
+                }
+        }
+    }
+
     @Bean
     @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "false", matchIfMissing = true)
     fun filterChain(http: HttpSecurity, passwordEncoder: PasswordEncoder): SecurityFilterChain {
@@ -126,4 +157,3 @@ class AppSecurityConfiguration(
     }
 
 }
-
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt b/src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt
new file mode 100644
index 0000000..83ba662
--- /dev/null
+++ b/src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt
@@ -0,0 +1,44 @@
+/*
+ * This file is part of ETL-Processor
+ *
+ * Copyright (C) 2024  Comprehensive Cancer Center Mainfranken, Datenintegrationszentrum Philipps-Universität Marburg and Contributors
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+package dev.dnpm.etl.processor.security
+
+import org.springframework.data.annotation.Id
+import org.springframework.data.relational.core.mapping.Table
+import org.springframework.data.repository.CrudRepository
+import java.util.Optional
+
+@Table("user_role")
+data class UserRole(
+    @Id val id: Long? = null,
+    val username: String,
+    val role: Role = Role.GUEST
+)
+
+enum class Role(val value: String) {
+    GUEST("guest"),
+    USER("user")
+}
+
+interface UserRoleRepository : CrudRepository<UserRole, Long> {
+
+    fun findByUsername(username: String): Optional<UserRole>
+
+}
\ No newline at end of file
diff --git a/src/main/resources/db/migration/mariadb/V0_3_0__UserRoles.sql b/src/main/resources/db/migration/mariadb/V0_3_0__UserRoles.sql
new file mode 100644
index 0000000..99399fd
--- /dev/null
+++ b/src/main/resources/db/migration/mariadb/V0_3_0__UserRoles.sql
@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS user_role
+(
+    id         int auto_increment primary key,
+    username   varchar(255)                     not null unique,
+    role       varchar(255)                     not null,
+    created_at datetime default utc_timestamp() not null
+);
\ No newline at end of file
diff --git a/src/main/resources/db/migration/postgresql/V0_3_0__UserRoles.sql b/src/main/resources/db/migration/postgresql/V0_3_0__UserRoles.sql
new file mode 100644
index 0000000..7dbfc08
--- /dev/null
+++ b/src/main/resources/db/migration/postgresql/V0_3_0__UserRoles.sql
@@ -0,0 +1,8 @@
+CREATE TABLE IF NOT EXISTS user_role
+(
+    id         serial,
+    username   varchar(255)                           not null unique,
+    role       varchar(255)                           not null,
+    created_at timestamp with time zone default now() not null,
+    PRIMARY KEY (id)
+);
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index 3951f66..be3123b 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -53,17 +53,17 @@
                         <td th:style="${request.type.value == 'delete'} ? 'color: red;'"><small>[[ ${request.type} ]]</small></td>
                         <td th:if="not ${request.report}">[[ ${request.uuid} ]]</td>
                         <td th:if="${request.report}">
-                            <th:block sec:authorize="not authenticated">[[ ${request.uuid} ]]</th:block>
-                            <a th:href="@{/report/{id}(id=${request.uuid})}" sec:authorize="authenticated">[[ ${request.uuid} ]]</a>
+                            <a th:href="@{/report/{id}(id=${request.uuid})}" sec:authorize="hasRole('USER') or hasRole('ADMIN')">[[ ${request.uuid} ]]</a>
+                            <th:block sec:authorize="not (hasRole('USER') or hasRole('ADMIN'))">[[ ${request.uuid} ]]</th:block>
                         </td>
                         <td><time th:datetime="${request.processedAt}">[[ ${request.processedAt} ]]</time></td>
-                        <td class="patient-id" th:if="${patientId != null}" sec:authorize="authenticated">
+                        <td class="patient-id" th:if="${patientId != null}" sec:authorize="hasRole('USER') or hasRole('ADMIN')">
                             [[ ${request.patientId} ]]
                         </td>
-                        <td class="patient-id" th:if="${patientId == null}" sec:authorize="authenticated">
+                        <td class="patient-id" th:if="${patientId == null}" sec:authorize="hasRole('USER') or hasRole('ADMIN')">
                             <a th:href="@{/patient/{pid}(pid=${request.patientId})}">[[ ${request.patientId} ]]</a>
                         </td>
-                        <td class="patient-id" sec:authorize="not authenticated">***</td>
+                        <td class="patient-id" sec:authorize="not (hasRole('USER') or hasRole('ADMIN'))">***</td>
                     </tr>
                 </tbody>
             </table>

From 200c5338ea2d55c9008d646e8eb0462b71dc279f Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <volkmer_p@ukw.de>
Date: Fri, 1 Mar 2024 09:34:51 +0100
Subject: [PATCH 2/4] feat: add default new user role config option

---
 .../dev/dnpm/etl/processor/config/AppConfigProperties.kt     | 4 +++-
 .../dnpm/etl/processor/config/AppSecurityConfiguration.kt    | 5 ++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt
index e8d6bfc..d951c60 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt
@@ -19,6 +19,7 @@
 
 package dev.dnpm.etl.processor.config
 
+import dev.dnpm.etl.processor.security.Role
 import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.boot.context.properties.DeprecatedConfigurationProperty
 
@@ -102,7 +103,8 @@ data class SecurityConfigProperties(
     val adminUser: String?,
     val adminPassword: String?,
     val enableTokens: Boolean = false,
-    val enableOidc: Boolean = false
+    val enableOidc: Boolean = false,
+    val defaultNewUserRole: Role = Role.USER
 ) {
     companion object {
         const val NAME = "app.security"
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
index d28369a..900638c 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
@@ -19,7 +19,6 @@
 
 package dev.dnpm.etl.processor.config
 
-import dev.dnpm.etl.processor.security.Role
 import dev.dnpm.etl.processor.security.UserRole
 import dev.dnpm.etl.processor.security.UserRoleRepository
 import org.slf4j.LoggerFactory
@@ -114,13 +113,13 @@ class AppSecurityConfiguration(
 
     @Bean
     @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
-    fun grantedAuthoritiesMapper(userRoleRepository: UserRoleRepository): GrantedAuthoritiesMapper {
+    fun grantedAuthoritiesMapper(userRoleRepository: UserRoleRepository, appSecurityConfigProperties: SecurityConfigProperties): GrantedAuthoritiesMapper {
         return GrantedAuthoritiesMapper { grantedAuthority ->
             grantedAuthority.filterIsInstance<OidcUserAuthority>()
                 .onEach {
                     val userRole = userRoleRepository.findByUsername(it.userInfo.preferredUsername)
                     if (userRole.isEmpty) {
-                        userRoleRepository.save(UserRole(null, it.userInfo.preferredUsername, Role.GUEST))
+                        userRoleRepository.save(UserRole(null, it.userInfo.preferredUsername, appSecurityConfigProperties.defaultNewUserRole))
                     }
                 }
                 .map {

From feb9f2430c0f3e73ed94f029cb6f92e7ff1eae65 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <volkmer_p@ukw.de>
Date: Fri, 1 Mar 2024 13:51:06 +0100
Subject: [PATCH 3/4] feat: add config page for user role assignment

---
 .../config/AppSecurityConfiguration.kt        | 27 +++++++-
 .../dnpm/etl/processor/security/UserRole.kt   |  4 +-
 .../etl/processor/services/UserRoleService.kt | 61 +++++++++++++++++++
 .../etl/processor/web/ConfigController.kt     | 44 ++++++++++++-
 src/main/resources/static/style.css           | 26 +++++++-
 src/main/resources/templates/configs.html     |  3 +
 .../templates/configs/userroles.html          | 39 ++++++++++++
 src/main/resources/templates/login.html       |  1 +
 8 files changed, 197 insertions(+), 8 deletions(-)
 create mode 100644 src/main/kotlin/dev/dnpm/etl/processor/services/UserRoleService.kt
 create mode 100644 src/main/resources/templates/configs/userroles.html

diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
index 900638c..ca511a7 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
@@ -21,6 +21,7 @@ package dev.dnpm.etl.processor.config
 
 import dev.dnpm.etl.processor.security.UserRole
 import dev.dnpm.etl.processor.security.UserRoleRepository
+import dev.dnpm.etl.processor.services.UserRoleService
 import org.slf4j.LoggerFactory
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
 import org.springframework.boot.context.properties.EnableConfigurationProperties
@@ -31,6 +32,8 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.core.authority.SimpleGrantedAuthority
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper
+import org.springframework.security.core.session.SessionRegistry
+import org.springframework.security.core.session.SessionRegistryImpl
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetails
 import org.springframework.security.crypto.factory.PasswordEncoderFactories
@@ -82,7 +85,7 @@ class AppSecurityConfiguration(
 
     @Bean
     @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
-    fun filterChainOidc(http: HttpSecurity, passwordEncoder: PasswordEncoder, userRoleRepository: UserRoleRepository): SecurityFilterChain {
+    fun filterChainOidc(http: HttpSecurity, passwordEncoder: PasswordEncoder, userRoleRepository: UserRoleRepository, sessionRegistry: SessionRegistry): SecurityFilterChain {
         http {
             authorizeRequests {
                 authorize("/configs/**", hasRole("ADMIN"))
@@ -95,7 +98,7 @@ class AppSecurityConfiguration(
                 authorize("*.svg", permitAll)
                 authorize("*.css", permitAll)
                 authorize("/login/**", permitAll)
-                authorize(anyRequest, fullyAuthenticated)
+                authorize(anyRequest, permitAll)
             }
             httpBasic {
                 realmName = "ETL-Processor"
@@ -106,6 +109,16 @@ class AppSecurityConfiguration(
             oauth2Login {
                 loginPage = "/login"
             }
+            sessionManagement {
+                sessionConcurrency {
+                    maximumSessions = 1
+                    maxSessionsPreventsLogin = true
+                    expiredUrl = "/login?expired"
+                }
+                sessionFixation {
+                    newSession()
+                }
+            }
             csrf { disable() }
         }
         return http.build()
@@ -150,9 +163,19 @@ class AppSecurityConfiguration(
         return http.build()
     }
 
+    @Bean
+    fun sessionRegistry(): SessionRegistry {
+        return SessionRegistryImpl()
+    }
+
     @Bean
     fun passwordEncoder(): PasswordEncoder {
         return PasswordEncoderFactories.createDelegatingPasswordEncoder()
     }
 
+    @Bean
+    @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
+    fun userRoleService(userRoleRepository: UserRoleRepository, sessionRegistry: SessionRegistry): UserRoleService {
+        return UserRoleService(userRoleRepository, sessionRegistry)
+    }
 }
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt b/src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt
index 83ba662..4de31f5 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/security/UserRole.kt
@@ -23,13 +23,13 @@ package dev.dnpm.etl.processor.security
 import org.springframework.data.annotation.Id
 import org.springframework.data.relational.core.mapping.Table
 import org.springframework.data.repository.CrudRepository
-import java.util.Optional
+import java.util.*
 
 @Table("user_role")
 data class UserRole(
     @Id val id: Long? = null,
     val username: String,
-    val role: Role = Role.GUEST
+    var role: Role = Role.GUEST
 )
 
 enum class Role(val value: String) {
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/services/UserRoleService.kt b/src/main/kotlin/dev/dnpm/etl/processor/services/UserRoleService.kt
new file mode 100644
index 0000000..6649f7d
--- /dev/null
+++ b/src/main/kotlin/dev/dnpm/etl/processor/services/UserRoleService.kt
@@ -0,0 +1,61 @@
+/*
+ * This file is part of ETL-Processor
+ *
+ * Copyright (c) 2024  Comprehensive Cancer Center Mainfranken, Datenintegrationszentrum Philipps-Universität Marburg and Contributors
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package dev.dnpm.etl.processor.services
+
+import dev.dnpm.etl.processor.security.Role
+import dev.dnpm.etl.processor.security.UserRole
+import dev.dnpm.etl.processor.security.UserRoleRepository
+import org.springframework.data.repository.findByIdOrNull
+import org.springframework.security.core.session.SessionRegistry
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
+
+class UserRoleService(
+    private val userRoleRepository: UserRoleRepository,
+    private val sessionRegistry: SessionRegistry
+) {
+    fun updateUserRole(id: Long, role: Role) {
+        val userRole = userRoleRepository.findByIdOrNull(id) ?: return
+        userRole.role = role
+        userRoleRepository.save(userRole)
+        expireSessionFor(userRole.username)
+    }
+
+    fun deleteUserRole(id: Long) {
+        val userRole = userRoleRepository.findByIdOrNull(id) ?: return
+        userRoleRepository.delete(userRole)
+        expireSessionFor(userRole.username)
+    }
+
+    fun findAll(): List<UserRole> {
+        return userRoleRepository.findAll().toList()
+    }
+
+    private fun expireSessionFor(username: String) {
+        sessionRegistry.allPrincipals
+            .filterIsInstance<OidcUser>()
+            .filter { it.preferredUsername == username }
+            .flatMap {
+                sessionRegistry.getAllSessions(it, true)
+            }
+            .onEach {
+                it.expireNow()
+            }
+    }
+}
\ No newline at end of file
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/web/ConfigController.kt b/src/main/kotlin/dev/dnpm/etl/processor/web/ConfigController.kt
index dbedee5..44ea400 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/web/ConfigController.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/web/ConfigController.kt
@@ -22,9 +22,12 @@ package dev.dnpm.etl.processor.web
 import dev.dnpm.etl.processor.monitoring.ConnectionCheckService
 import dev.dnpm.etl.processor.output.MtbFileSender
 import dev.dnpm.etl.processor.pseudonym.Generator
+import dev.dnpm.etl.processor.security.Role
+import dev.dnpm.etl.processor.security.UserRole
 import dev.dnpm.etl.processor.services.Token
 import dev.dnpm.etl.processor.services.TokenService
 import dev.dnpm.etl.processor.services.TransformationService
+import dev.dnpm.etl.processor.services.UserRoleService
 import org.springframework.beans.factory.annotation.Qualifier
 import org.springframework.http.MediaType
 import org.springframework.http.codec.ServerSentEvent
@@ -43,7 +46,8 @@ class ConfigController(
     private val pseudonymGenerator: Generator,
     private val mtbFileSender: MtbFileSender,
     private val connectionCheckService: ConnectionCheckService,
-    private val tokenService: TokenService?
+    private val tokenService: TokenService?,
+    private val userRoleService: UserRoleService?
 ) {
 
     @GetMapping
@@ -56,10 +60,16 @@ class ConfigController(
         if (tokenService != null) {
             model.addAttribute("tokens", tokenService.findAll())
         } else {
-            model.addAttribute("tokens", listOf<Token>())
+            model.addAttribute("tokens", emptyList<Token>())
         }
         model.addAttribute("transformations", transformationService.getTransformations())
-
+        if (userRoleService != null) {
+            model.addAttribute("userRolesEnabled", true)
+            model.addAttribute("userRoles", userRoleService.findAll())
+        } else {
+            model.addAttribute("userRolesEnabled", false)
+            model.addAttribute("userRoles", emptyList<UserRole>())
+        }
         return "configs"
     }
 
@@ -112,6 +122,34 @@ class ConfigController(
         return "configs/tokens"
     }
 
+    @DeleteMapping(path = ["userroles/{id}"])
+    fun deleteUserRole(@PathVariable id: Long, model: Model): String {
+        if (userRoleService != null) {
+            userRoleService.deleteUserRole(id)
+
+            model.addAttribute("userRolesEnabled", true)
+            model.addAttribute("userRoles", userRoleService.findAll())
+        } else {
+            model.addAttribute("userRolesEnabled", false)
+            model.addAttribute("userRoles", emptyList<UserRole>())
+        }
+        return "configs/userroles"
+    }
+
+    @PutMapping(path = ["userroles/{id}"])
+    fun updateUserRole(@PathVariable id: Long, @ModelAttribute("role") role: Role, model: Model): String {
+        if (userRoleService != null) {
+            userRoleService.updateUserRole(id, role)
+
+            model.addAttribute("userRolesEnabled", true)
+            model.addAttribute("userRoles", userRoleService.findAll())
+        } else {
+            model.addAttribute("userRolesEnabled", false)
+            model.addAttribute("userRoles", emptyList<UserRole>())
+        }
+        return "configs/userroles"
+    }
+
     @GetMapping(path = ["events"], produces = [MediaType.TEXT_EVENT_STREAM_VALUE])
     fun events(): Flux<ServerSentEvent<Any>> {
         return configsUpdateProducer.asFlux().map {
diff --git a/src/main/resources/static/style.css b/src/main/resources/static/style.css
index c7a0b38..0dd5820 100644
--- a/src/main/resources/static/style.css
+++ b/src/main/resources/static/style.css
@@ -202,6 +202,17 @@ form.samplecode-input input:focus-visible {
     background: none;
 }
 
+.userrole-form form {
+    margin: 0;
+    padding: 0;
+
+    border: none;
+    border-radius: 0;
+    background: none;
+
+    text-align: inherit;
+}
+
 .login-form form *,
 .token-form form * {
     padding: 0.5em;
@@ -210,7 +221,8 @@ form.samplecode-input input:focus-visible {
 }
 
 .login-form form hr,
-.token-form form hr {
+.token-form form hr,
+.userrole-form form hr {
     padding: 0;
     width: 100%;
 }
@@ -224,6 +236,14 @@ form.samplecode-input input:focus-visible {
     border: none;
 }
 
+.userrole-form form select {
+    padding: 0.5em;
+    border: none;
+    border-radius: 3px;
+    line-height: 1.2rem;
+    font-size: 0.8rem;
+}
+
 .border {
     padding: 1.5em;
     border: 1px solid var(--table-border);
@@ -527,6 +547,10 @@ input.inline:focus-visible {
     color: var(--bg-green);
 }
 
+.notification.notice {
+    color: var(--bg-yellow);
+}
+
 .notification.error {
     color: var(--bg-red);
 }
diff --git a/src/main/resources/templates/configs.html b/src/main/resources/templates/configs.html
index ebef7ca..2103b0b 100644
--- a/src/main/resources/templates/configs.html
+++ b/src/main/resources/templates/configs.html
@@ -40,6 +40,9 @@
         <section th:insert="~{configs/tokens.html}">
         </section>
 
+        <section th:insert="~{configs/userroles.html}">
+        </section>
+
         <section hx-ext="sse" th:sse-connect="@{/configs/events}">
             <div th:insert="~{configs/connectionAvailable.html}" th:hx-get="@{/configs?connectionAvailable}" hx-trigger="sse:connection-available">
             </div>
diff --git a/src/main/resources/templates/configs/userroles.html b/src/main/resources/templates/configs/userroles.html
new file mode 100644
index 0000000..23cc5f2
--- /dev/null
+++ b/src/main/resources/templates/configs/userroles.html
@@ -0,0 +1,39 @@
+<div th:if="${not userRolesEnabled}">
+    <h2><span>⛔</span> Benutzerberechtigungen</h2>
+    <p>Die Verwendung von rollenbasierten Benutzerberechtigungen ist nicht aktiviert.</p>
+</div>
+
+<div id="userroles" th:if="${userRolesEnabled}">
+    <h2><span>✅</span> Benutzerberechtigungen</h2>
+    <div class="border">
+        <div th:if="${userRoles.isEmpty()}">Noch keine Benutzerberechtigungen vorhanden.</div>
+        <table th:if="${not userRoles.isEmpty()}">
+            <thead>
+                <tr>
+                    <th>Benutzername</th>
+                    <th>Rolle</th>
+                    <th></th>
+                </tr>
+            </thead>
+            <tbody>
+                <tr th:each="userRole : ${userRoles}">
+                    <td>[[ ${userRole.username} ]]</td>
+                    <td>
+                        <div class="userrole-form">
+                            <form th:hx-put="@{/configs/userroles/{id}(id=${userRole.id})}" hx-target="#userroles">
+                                <select name="role">
+                                    <option th:selected="${userRole.role.value == 'guest'}" value="GUEST">Gast</option>
+                                    <option th:selected="${userRole.role.value == 'user'}" value="USER">Benutzer</option>
+                                </select>
+                                <button class="btn btn-blue">Übernehmen</button>
+                            </form>
+                        </div>
+                    </td>
+                    <td>
+                        <button class="btn btn-red" th:hx-delete="@{/configs/userroles/{id}(id=${userRole.id})}" hx-target="#userroles">Löschen</button>
+                    </td>
+                </tr>
+            </tbody>
+        </table>
+    </div>
+</div>
\ No newline at end of file
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 4ef8ec9..75a3681 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -11,6 +11,7 @@
         <div class="login-form">
             <h2 class="centered">Anmelden</h2>
             <div class="centered notification error" th:if="${param.error}">Anmeldung nicht erfolgreich</div>
+            <div class="centered notification notice" th:if="${param.expired}">Sitzung abgelaufen oder von einem Administrator beendet.</div>
             <div class="centered notification success" th:if="${param.logout}">Sie haben sich abgemeldet</div>
             <form method="post" th:action="@{/login}">
                 <input type="text" id="username" name="username" class="form-control" placeholder="Username" required="" autofocus="" />

From 1eb40b40c99b4aed31da983332e8b44275c19dd9 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <volkmer_p@ukw.de>
Date: Fri, 1 Mar 2024 14:02:50 +0100
Subject: [PATCH 4/4] docs: add documentation for user roles

---
 README.md          |  17 +++++++++++++++++
 docs/userroles.png | Bin 0 -> 16671 bytes
 2 files changed, 17 insertions(+)
 create mode 100644 docs/userroles.png

diff --git a/README.md b/README.md
index e033d69..2f1fc25 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,23 @@ Weitere Informationen zur Konfiguration des OIDC-Providers
 sind [hier](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client)
 zu finden.
 
+#### Rollenbasierte Berechtigungen
+
+Wird OpenID Connect verwendet, gibt es eine rollenbasierte Berechtigungszuweisung. 
+
+Die Standardrolle für neue OIDC-Benutzer kann mit der Option `APP_SECURITY_DEFAULT_USER_ROLE` festgelegt werden.
+Mögliche Werte sind `user` oder `guest`. Standardwert ist `user`.
+
+Benutzer mit der Rolle "Gast" sehen nur die Inhalte, die auch nicht angemeldete Benutzer sehen.
+
+Hierdurch ist es möglich, einzelne Benutzer einzuschränken oder durch Änderung der Standardrolle auf `guest` nur
+einzelne Benutzer als vollwertige Nutzer zuzulassen.
+
+![Rollenverwaltung](docs/userroles.png)
+
+Benutzer werden nach dem Entfernen oder der Änderung der vergebenen Rolle automatisch abgemeldet und müssen sich neu anmelden.
+Sie bekommen dabei wieder die Standardrolle zugewiesen.
+
 #### Auswirkungen auf den dargestellten Inhalt
 
 Nur Administratoren haben Zugriff auf den Konfigurationsbereich, nur angemeldete Benutzer können die anonymisierte oder
diff --git a/docs/userroles.png b/docs/userroles.png
new file mode 100644
index 0000000000000000000000000000000000000000..cefb175f7d4d28e446341e09565eb10fe91ede76
GIT binary patch
literal 16671
zcmeHvc{tQ>+c!!yD$1agB`SkZ*^(@yCbEPW`%=g@mh7T2mZZj>BxK)*vF~e9wk$FB
zH5J)+BgXPx)BW7f{cAbi<2~Nv{qKGLnPX-ybA7+pxqi;id44@tyCZ)T!V00Fpg4M4
z;pSZmii242zJ~S?cpW+WYK?+|lj8PGxTd?&!YIvaC}ON>MMmPg83hxR>2jiP@=bMh
zN+zZwnY8J`_pUP`G>>@m)M9lh;ZSN}&fAx~y$>tjV?Hi?>YPAynO6z%(vkVaw)wWj
zj`_01itqO_sw%e$Qci95`$$8xSk$c>6qE-UWPg2uty3Xrv5;LU3JNM(PVZk|K2y_T
z%a8y56Y>t=dz!y}UrMK@{(khgZGL|IzuD`(rh4(Cxm)`AJ2W2$ip2yQxU}9|YYh;r
zU*)m&@6A8?^=^M&ChWRTreE^WSmF7WQ)R=+y_jzvB0S>LCiu;{*K=OezaIWyvfy-}
zQl~+1>|Yza)p_bg7&nWMUj3rgW;K(*-HT^;yAJ;;7jM}`>f~eC^qpmF4e2YYLgq`I
z)QCej1HX2mN&R+8$~W3Kj;*|<W-TYiABD0@<>;5$wMeK@&TMRsW6Fd(u5ydS+;4a~
zcsAh7i?FU>cB!GoswL@h?dK=X&!>b+D=O4E`~G$`+2n&S*r9CN`$te3`xi;GdC|n7
zC{_Q)I1M!svt|a*?U@X>Yn@*{1nPglGU1JCJo+kKP?BqH!g#Zm7tdFlBfQ2QeP^rM
z=+nQ^6eHo39?6H~Qw?F8gVSP@>9AV4239<89?Cu2?2_jwF%6Y+rLpr()>)D+mH$;>
z%_yJLLkN<l)Tcedyj|H7m*W^C^aa<VjoAJznWocF1Qpw(Z{frq4OQK)WW?H#;NsWg
z&<`q6>ug`~Fzf|b%rzGrF9lMgT*7(!Q)&V|&2QEy%gOAMN{!G9n6A`1kaKHGYR7#_
zh}3roJ-{PUs^gbj)G0mO8YN_Z>eMMBkl7G8@C~%oYBP6Vj&6}ohoo_tihrWzXr+r*
zsf{i_j0y41{RMjB#VP1{&-wMx-(_k?{el_lFEePf))y@Ha8{tydBNC$24UJ1QX)lc
zJ`y+87H!I6{MaEg@3eh&SEchzq2Gtq$&U+ZQAUNQgv|#MFnd<9;`XI_CDyuYQ|)+E
zf38-Mc{^Ka=#iT-B357cBb{?>hfAaRqMYB<5Qq4S$AvquoBGkv6EWkqWurDD<qk>x
z>8c5K;v)}lOfN0f?bjkR)!wm++r3#3t@?uHpYK)@Dk-%cj_EjCMSRbwIsnweHe@zd
z{b=uv3~64NBh@NqY|L}XmM7jlInJp=LJQpFr_ykrXE^=Z{XI|5jb3e)JT|uxhrT+@
zew;5?@O}$VLUD!DcfA6W56XA?4c+2;a}7N+k{YkDFPwRFlvTv?GaB<_f`(rsJxC?~
z`XGlXAzdZi%D}#Ew{&-BtyB7XjzL8so7ayC*LTz`It@>cy0LzIC7^Fp|KzZkRrfj4
zN)w0e#%!;&`^!%7mZK8m$^;cKtn4Y)3h&4;sBr8{S2>O8fOPi=*6lcwz>Y=Ln(t~}
z5_*bc_I@;oJXj#8%7_MQqqwaMVWUd#&{`?Cj>cYfFqzhw*d!RbjXubT_pqK8)t!#P
z#d$7PxDr&vw`Al)OoxiCh$Bv&TO{qx;4z*!NjKuFaDn*CxX@~M8FP~P1mf4o=aYHx
z#R=$wx&y~tS0QFP%RHjivn9RbbWMY|2_6RV<?^R$2%x7|nNZI_lZYh|cdqgF)YYCb
z_FO2@JtP3UXVtj5;eh{gm|W5)ZDaIgL)vos!`pCdJypqaqUGkOTUptd2Y>M+BO1i^
zi#-1q+)ZbWWP0sxd$se#Rq2^=CcnK;oF7bD;Wxk@!G=goos1Pl_1$SwQ%K=VyAyXU
zY1fo3)b&W+Aqcv5XH|)#I}3@|>!m?J+@bN0*V@Ias^5uHuapkk4c~{)mZ18#@5%2j
z;CL^3>~8eC%_O@7Xi_o{>Xq79(Mzp|?K^P!av6p$j#kB{=lhEbc%a`OmmlCsc>D$P
z#!#&%LzQFhQ_>B~O-pd<=K*Z4ujyI1V|_c;I%Q<mzq&WQ)?R8dG&1md_N)6aM99|r
zB_|`WdZEm_wxNnHyRv(FC2!gHKWhzF+Rhz25GV?3oz2mlNa2e~)H4T`;@YQcF<9?U
zw<}1)?w**J{wd}X<bbcxdmM$w*I;ouy88hE&>>YHtnYDTLR*52jPs9S`#LG8+!GoE
z&~!%dDd7vnhFb70I-%;%{2Gm+92`Sh?*ed6J*=YE-}rAEc`k?=^D>H1U+9$Ce+*Oj
zv=wqjqB}rXW_LXzZ%>U08zaY#Y=LR2r+pg7>@Q$)KYiUJEp1{#j$qe?kuMHv{D3~?
zHF)mawF3P40q$Z~j3gX2RGcNX_v7nc-b#=>3Bj)PJ(Kz))6E(812o6h1HEb9sgzjv
z&L;;7Uh#MK@O_<|5mV1K%1Bx$OW5~Z8mmE{SN~MZP}!j|HICkl6VNMe_OzHxc9Q<_
z*>B-%s7xsnzt)rOt`+Bf-nZKu{l@5rCyPVaB)6^4iw3I_2a(VjcC~#t;Sma>Qq)sH
zBT$t%4T4@NabY;1H24AxBG!k_s6}ouKMC&5)*gQc%zbK-blLgK4&|?Tp3}~!+%LKH
z0ZzZgB+YguX2IA*6x&B~5mAxU0J;jKdv3ROU)@aUrdlcm9C-!KnP_V1(G}-5HbbA0
zh1mAIgs|M*-jKd|nCc|5ZF<Ri;;cUvHp<v*5V~iX0Q_|n1c0eBLJEP2Im@305#y1@
z$!V!ejqs3)7saxB{kZSB@__}t3Awty`8i8(bIj8omI_Iip#J*fOQ6tv;YUHbU?oBc
zH2>xy1mwDAR@#iigun;_DFu=Lh9iFVqaVstPmznw#wt)6T>tvK`Vh`p{Zi@v9w}g3
z`v;5B<rM!UriTYr2t;38Ch(mtwcBUa+})FxRb6LgEMsCaQF!K=<V5wRE~%u}*UK|H
zxX;(NzD4YMbzL-%L#ja^8ND0mUBV%=m6Ia&w8=t__gpM+T^RE3;2%na?YLJqeFIiy
z0}1-VW@=Q+;a2XjMfWQvkTsxkphlGNFIi}dRW)Im1nidfe#EG3O)z1WXD40D=Je_F
zzaWG;wDV@nV_ZwKnNe!ci{^L;wF>5LT4;=KFx>A@bh=hnmdS<8V=cFD_QLuNoPx(M
zUT5fvvPI7v({radZWI}z4exq(ocpn;$|tUjlQV&PzSMM%*9`YPmIsK<vfrj+?TK?I
z5v32KmSy3?R@+fW{L()wL|$46;#p<2WJ?52cQ0T<Ir_>6RsO*AEGmV$#hXtZ_2%RW
zLxtAif*?r*&_n!Od(`Cz`|#1d4pN@Pb<|eo<OSH>2U_`FVcXs1qI=78Y&n?7phN{q
zt^7t!v-}^e{CThW^8Y27lnSANL%*4xr%$<Wa-&N~(VgJjBOBM(q7I8K&P}*(6}ah+
zTGMPLpeAO0H0(>;^~Dz)4;CCkOa$tpu#tUtx}buh=tuojAFXRVHXs5XZwMdyp(UK|
zwDdQNr-JrQi>SOK<CuMvyLb3#kFd(AyI~B)_b#J$rCwpVkj|E~nxCLH{sF?<6@3;E
zzIexL-$C@<@-O5*5Z>%x;OAB7)b+A-`9p*s1%Ld?wEIL;x5=cop-b<vjFc=t993ZY
z0>B#5mx4xkGCf*xp$aU9rg&W@5fxnxoh)YdTp*S1A*~oO=Hlkd)`|)B+$B2c@w`6>
zCgaw+0_J!tkC@f;ePrN~ea*}1*cuQ-qn4U17wJmjzu_q(&fG)=rW;XboT_^9L!3QT
z=}}h4Q6;vEGJfX70^?VhsL3uTMrf7>y5Jads2~#e5>u%g&V_Kz1lPYbG1qwW*e#82
z5wwaxRnuEz%<e`l1|%SbUS9Zq_*}(wAUfYXlo-eZ>!xaiWciAkc1SK=CoN(2t0Ju2
zsYB&B@#iCu*>}^h7+;;@P@hg)gnIGUmKoORjb<#@Db%%*+?e!NRx2wbT2QNSJNzjo
z5h+ns!tve{Oi+Z@oMr1MoaVuyTx-bZ<Sf`-nA23W#WvcxbK1zT%r0)<(^XZ9uzd$k
zA`aW{YEb$yA4IH#T&_-r4K6iZwD&Oj4f{RQBg>+O|Khc}m7{%$eMIZP&zT%TuWeGk
zA8T=Cs5p$(RPRYsic%|iB1efH1fE-a0egr+B3NFA&~p~wOGripe)5o9If&RkfuGT`
zzE<kXkMBy^FcYj^mLm*_!|CX;Ty@TMApU3p^utzN%pQV^@fF&J7_2*sv+)%A=N(Rc
ztEg%oXn<1K&1~h(q`>mPum&m9n0-=$jMgXDl3PGJ>KucH2Wr?W?sVkhvWw&5buvDD
zJS}3$(94Rz1>Jp?^eRFL<fs@?)J}0#;?a|r-iAmnma_>Wi&0SjfNMC-?n)iK*9HQG
z$qG%hMg+ZE@D1G`HCelk06Y)LOEy+NmRVeH{7my(Eq0miJsWgJ!J}R`<CgZ|@e=)~
z$EvTGW=XB@1(!M~nfD^J1o{$T*`nB<I%bhR-v;Y&Ro%N3DQdR~7RAp>s7_K}*#2_*
zVo&z&m%~`7f`Mbp`6LZZSaQMiccoVs2Pb+O{F0k-N2L(+pKj1^5HQ8kFXWD?1nSp5
zu2{N3$BW{7#U9B%R?JZ5o7J2V)Qi{e|CWYjl}b|z_3vL1t<7OSz@aO_c!p>7wwd0?
zTcJ<26O*Z{{9M<&<YUwGvOWmMzsZF^e6ySpZ>4VU4~t<<r&s{_qkvxe$6J{e<)oPO
zw^>#z4%B{dLX0HjG4zr(o?i-iF*_q3p|75r(LHnR(7Sl%i9QdlN^{l(z9%M+W}|~j
z-V%$g2=jS$dyrtME3nG#*=&_a3pj!B9s0xz)I*XZ{1r#BJ-XjCI+IWR4BS`m@BLO+
zF+|Dc`X+yV#>Q%7);?FVsVZ@L`!*)F%<N8x-*bRpa5q#^x+6MS#cWOv-Ms&)q~GW?
zM6Ym2ybK<`jr10_=;-*Koq_UKojFX8)jXc&&3&DMwlUL69(SmFPNHPl#b2{MCF3DA
zp~tl(kG(8DHgWnHcgS**M*eH3he3*we9=@)QW64|1tIdJNlo=sTTQ8yw{oZ%vwi@r
z$gqz0F{`JYVIdB7x6WfIp3jmiHUtkTn)l_RwjZr>+YB@b5T{mgq_0l|kY(`4%GVpQ
z)9iH2X7uB#{c@Xf4@1v$!LV*YkG8zpW~3VCezU1Tx|?j!nzgUl#18u5j8h0#{R~C4
zew`IwK)0x7`)t*X@kiZ7TBYAYLQUw$jhN&h-mblx_fxC`8-q`itdl->O-&5X(v_u;
zTiPa#dy(43>_(>hi_{~7Yu!;p(Kw86mcfc9bjJN!2s=;iEGynHMeziBLfhrjQSlK5
z*1PU%sT>^%GUH3)Zi@zl;<UsMr=iqnGG>$E@>==wVQ)kek!pp+iKu@FWPYUe(F%*a
z6tBR7l%A=~<WpplQi%~+NiuL(fX-(-1-V`y;)zLA80Mwu`Z5*4qe|>mTGg0*-GPjh
ztSr4|Jjw&txSHXOm`KDugI<l~*X{__kJQyWBgGm8gc;0T&Z60p#>ZV^35;RDgD(!}
zBVweRZDQH>`ZBTcwEd4-%~KhqYt>e47ix^xze!41+9vboRd+9Chuso54p+BpB!gtO
zdp~~11#M(zp$OyIX+*N_f2WcoFQA)KJUY54!EX|+s+W9LZGhTW@sdgaoqdepV1<)~
z4DzlDN_o_!-*Brw5@OoMa`G7V7ucN|F53g|n!=y9{S>e{V9)Q>);ohTOd-%$^n{F&
zo)~O2bkL?oyal0fXI%t|?9DSC7l~61w8?&9Nv;|-k!RDf!UElK90E*@uQ>$IF#eLR
z6?g!7!WFmPXRB}9H9LN>LFIB_29ty6&EAhoc1()M=N4{6IHxT&w7%GWT>9ghMw)tO
zyi|%_6`!s`)}=<XILTeEU$`HC1ZR3;W`5$sc-n6z-hE}Dz6>)qR-{uy9X&5#R@21p
z`6DCUYCAf<?^Oc%juNELoc{HWXefP?oy)Or4*ZI^$U+ID0BZ+1yQ%-Obd2gCV&)-}
z1kJByA9-(1O0afVHkIx#OKgDH>Ym_pJocNbfRD0NVC{sr0?S{PuF*0;(;AT9&iqM<
z`5Xjm=PAMk|FY!FzzI_f$ZnSSop%E=JWO7r;4=Kn(hR4p+RJ0w;ZDCLQ1ZtU<TZ+$
zm48|4hI=Q%*mAkP|DvIPo#vb@SfhOA?DLDU{k(Rn9|c_fngOEYx1xd!WE8x?8WqC~
z)h{~xd2NONt>Vb_$i|%b!1mG8HiY!{(no7k2aovwMMjhdzc9g!s>>r`>LZF#d=EhW
z$7aU@NXf*%Ul4p+T-SefGRJ1{iUZs0xIZNf<iVeBXZRFvRMZEetyLsHGN@whwI7%N
zO#~MDeD2=m&=9u2{mkUVK&fpke#at`NkFfM51GS2sJ%>$I4x#VjM2iE#)#rRI5UXd
z`W4LmJa@Asr9UDt>S7TN$yYIBc|KYCp)$N{m5Cp36Me;@(<#tH)8@BI`lmj^_$gIx
z43}GJC>Pb6K(Ne$dL|{-TALc3mVeqC1r@dSJ;1t@+HAGHHh=m73f--FSg=s5-|ox*
zw)t=8k)tXwmpF(Rx&G&7vM~@~yfglj#ee?LM+XqVCQPQDe{mHRu++U?@2K~eEpvc}
z6<`ab{^FSFV9CnkzJ$PEw$uXttn*=j{V&#}0hUB+^4~E3xg|q3Fv1)Yo8Rd@V9Kdk
zU@68(=MLSUTRuYqlh?ZZJHts<Vz(w(QW3hC;s2*QyyufugJz!`=Kj-*tiaOCbe2~H
zxj*f~gozV|MFuS#|HCnTM8J|Ff$pQ#**~`|0J{0W*GT+}jQ>Y%zgy7%UTtCB@UB6N
z1lzUmo%C@|S$ETNK#AX%rNJ{dQsI=tTruXgI8xD9<LNfu*~Edd`4Gs`>5||KRN}A1
zx$1;}ytP`|Z{#`X&thZ=*jAIClYsFpa_W@ow+BqblD<ELY5tYIT>+>rI`?<dW9_h&
zLSi@nVF*6;++oacb-+z80E}Hi228a-zR+Pd;=Q)5P=E@KH)^Rqf)%qLQ)Y<F(2nvu
z8zxQ#S1TqhR>evWd+lvm=oedtGx6Sie=FpS6`+`mH4mJHVX@DH|LM1!a-0IbTuAzj
z`9VUd&7etpjHs|bY}@wH@~|_y%VRbxV}35Lt~4m<h~#JQ13B`c?9v8z>AXIU)uKK3
zAJ{Yoosxc10VtXIoT84^;p?D*Am+Y&PZBWfy9vFyb$cFl3kViNGe8vQ>)Y43WSpJ{
zhcDy6>~uXn##Tu{y(<?TBQrydA#5nj-c|-O&uH|{)ro^u>)lFt=b3KiJ^v+8gRY}@
z0Xtl4ou!>;R4d0>RZzFu%3r&GUg_1q)1#+ztb1{;BMwc200&v%>hGdPD@*XYMU7R;
zao2i7w*Z8`#I{uNJ-*1{YvUI72^oo9bDsXZ*<v+PJq!}Os}Cm(BF&+dqjMa0t`Z1v
z*V9l%rr!dv=V&t!H;YDHhuiN+OhSzxX%?Ebut|#-X2W8n(UnI}i?wN6%&y5Ud7?{u
zaY%mRyCRx@Mx4}YS-pb@z;74b3T7PyguNZ$`>&|<y6<g$-*pbArehwUW-+)o*PmAw
zp(;IS-IF<SBLc5qHWVmSYYA?|9tP{~)s#)iw`_gMt5s~Nep=W(Xhxg_S4-tPkK`w_
zXFPGvFZK)5c6)roW{U}Tihv=K)Z}d^TO-N*`u_LqyxJjEBq6E}5X>JjmkGp#$E(lV
zqlKG7H)~0Y!xMA~wG=?}-3gt3^wK9G*uv9Q^*DbzmThn4iH_;6lm*bWSb_I2X&X#5
zoj8bqG&_etdZA}p3Qay>r470}*DK|?{dFaRB`3$(-cV3&aWb$&M*-(7=1H`vn#E=B
zD1f6+@?*(pU&d4up__4sjbjn^xtCN4dL4av#&wy#Ts2Xo^_i~+xTrOhq69Y*RAcJ1
zO?flZ{~6(ACr&5?Cc;)<%qT_FANM~E(OCEY9(LncK>&x>fc^G#O6c}%oQA4Y?_%X#
zu9}+jkBI;hE(u&hH(LvD1Kh|9;}3(Y^`zcrG>%JUW``O&wTr$Y^axW6?QeBr=D{}0
zOjKm@9+|DRB{TQ>+AAs{|J!;Nw^fY46&o{L_t%C_ZzQtvRTX4oVVP&{zD-S>FKA*f
z0%9A`rpuy+tM}&`E)1daN`SxD(-=e2FDSph2lTK;*_*BsyHkrxY_%G}Jxo07Eo(y+
zj)Gd*Q<v6wZW7_8F?>&;T!7qdtCPt_W>00G-iS_3&zDc&mcXm0_9F{2FV%pSpx3yP
zV8wf{-3@IHPU>F2f;dY3e`Xa~KDtzd8dMr_!}w+G*3@YY|4`qPDsY1RkXx^B;yGIV
zbwD3#X^4h;Re5zvZR%9HF1Vh8TE)EL^B38;n31TUF{TMmRZN;{k0q%o^h(5h=>_QN
z;?i0FD>z?B?eYv=BJPndbNfJ3D2F|0c5L?2;9!s#zBJ92R6x~02G$>F_G&@;if^?7
zo0~0@06aMQgKw#NiPoL3(o?TZ?{3w+8#vy~0=%u;(|)ODlbCQB;_lZea#Rt;v^&1P
zn?V0;%!_0z(^0p-Hyki-4e>@EeW{@atzL3-Nrr^1pOXJ)N7|?Ue3%wITrds@FK8b8
zgb2D{gWi+}9#gA;?!gU$xUZ5y^3B6C4@|XHsk-$z^awn(SR?ldYR_-s^7C&G&=())
zzV%}xY&}hx(CP~)%E-N(be9`FbusDBVQ;tB397p*nq5%knNRk+eteX{H;e&8I?EQU
zKNot_Yl5z{#cEz9R%}B<y+;I%U{Zo~n5AGjkQcM4jZgYP_-gh**wzI+_-@o)GQ~z9
zII_BdMi8XG>Uj|Y6cxY%cwrE#*w4FJE-mY0+K8_A&l%AhX6}e^uXHu>j6_%_Y<8gF
z>oHYL4gVCX8B3OqJ8!KB|5d$QdE9a4-?IS!%JxtOpJH09uPC;-d=3yDJKHzDzi|pl
zh)MF#5sgzM<U#kQ%ho?e36+6%#|RBajCr`mKr)sK&v+u|drGaSD7TIqj1~)>o-W(7
zwjC-i0F=}=b%AJ{3Sqpb_>lTw;e*`-QA1@@+Iqay<_JOiidFDAJU+DqEAqiiTU7|M
znDC}CH_P#wy=X8ZQa0w=X1_6Jk`H!Q;U%G*u34(%5`zM-PjjMzpLTP0qVBt3Uw!}1
z?K9oUL`W19#axjPZ9H;=rCp;_gj)N4xpc((pk{^RgSz-Z;F#0>5_juF{+YjF22@tZ
zq0~{zb2FAPujE+q)KJZZ9iTF=+1JdbeJs4l$}`TN;CnN&+gvZfITIBYKmysMgU^-y
zfIJbgRi?bl0JVy>NI>@m$U*Qu>j<0AZ+-S!%)$j;U&&}ai<HW$lsDcHIj=&f7jaRV
zqb3u$1LKd^R8C(pdj=ZjL)tfIMvzRAu~;r@ghX)F!<xve`Ug*N=Vt>)(h{ouVS@4A
z+a-}^Ij9MGI>tUF_4YLhOd|Xz`(w<y4kBh%DI@qUY=G!9yL|-t4F6CO^GCFsNz8m`
z$k)OACl*!61vu3aJ;U~wrBeX;zO2wZ0{zR{|NQKq*oO?Z{;wq|t4NIyAK6uK6rKK?
z7S8$vEL937rKn^j!jdfRSo{gdDX1htrSEX#F9kcTJEbp|-NAp_`@hQoU#`VJ^(sr@
zvp}T@brAo5y%)8@y@jD8ADeaTLHgmBO;N-rK?U^Q11v(u7q{^~!g~L>NeH>Rr!1#E
zLazM7-o}WYDz!5_bn@^Cn0{$cq>!r4OU^r$|7mEz&Vka-|C^js3@xYHGW9D#L-=`h
zDxnCzK%92oi?{4EkpG<2XPpHUJ^QG(Q(WG%SlWw5)z=ZXVy-oSDGuv4zc`T%Q_^x#
zMX5)7<?GD{0Rz;0FNIL;v1hDp_1W1-9rHhFiZDGY^!971wII+_&JtZ532`kOZOg4}
zoez<89A+eOhw*^>c~sv92R7pK22`t#Vpx|zFhsJlgtlB#PGFk5KOjv>#Zzo)vM_um
z);oUsCykLP3mNgM(yjBNcC>sXmT6SewoPm=YH;8LOa!Rmv_p2u`yHeMtj@_E7Z#M7
zbCaK+ZMz=d^Ani!j*A74D+*ngRH7!U&+7k+KS}q-Su+bLwiobN_mo&O)mr0j4tA-=
zgUW7_SDc2N0SlRdFm^_dgS{F?L(h3Jte-4-+u&x%vQhdkt{}{W3V}@>@Qx4}vAsSh
zcDv9yRu+VXtCzlm2^G+%a}Le#$lu)@A3t=IwfKe*pegdr+hYb%c{S#w`6AUb^7mK{
zGQfg>Jf7Fhf){ZW^U#BcmYy_wpl;3tAe$>fK-bda&(27*f{iU-77pBkfBM!EaTx1(
zzd4tdGv5%D#4BzG;ObvgA_lqP>Q`K5$V^?c1u$*j<j1wt5|7uZc-f$!Yy7A$5q<y^
zDC0Ju`fy!-M>8x?Hev#>{W=wZZiN7Z_ek$7-vA~U$L8347L2A~_zf$IOKgYx*gdAt
zqIxpJ$6W!&-m^%#6<k=eIX3)C$k+~yPSv4_gBDup%BR4*f}f$+)+9jCU14^`@UGO`
z5%VA)lmSAqjSQ$fS6g@t!>Zduix7d#wW|udKU-t=ah(88%*Wc-7C@Nzbja`ylsOQ#
z&5uHL#ru1kbzY>T8v)x+sKLUt(Ol{;fO-il{3$f&zY2{OySl~vZMlms^|4xN{)6Su
z??B0Mxe7EQ765!L1p^nJKI~E+I^?-7Q1ldo*`eXKXkqjvawaVM>?KndnjV$~<{BDl
z#DuDsefO(;UxSIJ;Ze77TY#HO_;bta1#8yt&J7fpDu@GmJE<f8e#888p7{Ks64Y={
zmWC}za>Uu}yrB;)#`6sV!J8msmXSx306@*r$haeYwes5wC325swW$`Arg%^>?G4Oo
z$PmO>>pC3X`BE!81@6^aC>?}=*1!4}A*CyR$?T)o1_yWv_*=cLTJ}p)3%w3Y=l2dm
zbb-nE&-*%60{1QlTqu|t>}N~pwuoJYcV%V7TN_q7udqzu%f<?|jUIgnkb>ykkz5do
zy>#E#b5^B2POuw{QcYxsYA&R_oyKM77LsvkEwt~9=X?PX%mI<G=SwW&A2n+K$du!?
zl%Pg{TwWT?CJFL+)lzNMxC%VHF%y?OY**DzqfJIaGVzVqKuzKa49xb+`{!EU#_2WK
zG>|tyU4(+c?pkgDk^lG<_>_Wb=4_au+WI>hLXOjS;oa|%d-^5TNK`Mbgsy0*h!2T7
z$M(6X)11^9i{2a+nrTw}MhPaykT|stExfM9hd`zcreswAgL974{)Ixm$#RbdC9Hru
zT?Cc^Br<8F>bIu6l{oE7CzuaLGe}C8ZHGii<NJHx4@8lnnf6IE=z~>NE5~f7g=M)d
zjcL_+p~sub9lqvxY|JiZ1qbeoGxhaksy8g{Z_nkC_G>|{4B7^I(|VMl>A{BX6aGm6
z%toXq&kR7Y0MdskB2})X%bi0XJ`&^0k7V3f7#4>@t%joIcvu1F6)JlN-UT{U3w)5e
zQgZDH%GAa51S3<I*&YW<BI9lO>7fm(s?WZ3qtMZa7hX9x**T-(>aJg}m#&<3ZT2Az
z33K1#S#|!hILE#@uw@}%^Pq08;L@V>s)@XBa<$sjNs#<xr4K`k6D^ZS`#0N}w|;!B
zroMl9u6kq2(%~?02IubEJi29eqdP79-lwEIii1yH=F(J$vJ-DYcyn}1ZKBy8zNHjH
zZ#&CKDGOv{lYxB><q1QJ#mC$mXe48{na6xVtFVT9cS~k}D>P5RdLTcE-mMUV6(Q!;
zZnr)?a>|5TKBR5c_YewN1IlU#LuXex3Ljry23s{~kk|C5vqUfrQEuIOcuyWQ=^kp>
zdR8&ah>J6o<Vr2S^%D$|9;pL?>8QcL$T%M3T1R@kGmKtbu&0;VdClhj*=KJ<ikLZ5
zPdp`fb$omu{pJ0NU0kWxqJ{A2wnf>{@<gX@nquT=jBOhFlBne;0&%0?X}1*eJ`l<~
zixaHd#Bhks>#{tRne7ij4Xx{xv5&}tz!$T-P6)LdnxE{;*0vX~+4L9&@!7C<@<*o7
zEil|QA1=>c2KXfV05mADt@;i78~k@Zy3X>Sf~$W&W^2>Xs3PXNy3Q8jrW-|=Z`!IG
zE)K1`<eQu+G<WRu3FwFKjYed>DAL|!gpRr;RAAn}CN1>js<z;z=K2m?7H4Z1k<n|z
zHyq#3VuXIMZ;H1P3Im?Iy)lQTO)1<blPE$8Y&q(wGiDDyzS;=9j#8fvHPp)y_3@q2
z16<eI+%c<#L^9!(x5ZdY9*Eo=%ur4E#EQ@po(>Z3ptW6_$w;Uax?b~mnNgbhA}w}(
z4Lw3L3V!kZKo0QzE|8KUZPhe$4J5>CQj6jMJ>)tS9ZgUcnN*o$U?ZdZ0l*FK*M2)l
zmnC}<-bJ3$!d=MAXH>PBlP2Z5o^6ps_2pzqZS-*N7qJ+hnYfXpTU5K8zyZO|_GVjj
zN=vq(jgSr+y7mQtG^xm{j7Gi~1XD;g$ZYe)qV<kAKCEV37O#VVerX{P{n(h7=L^7W
zU<@flI?$zkD?VYqsqg#(wi7dLhZ%SD9QQXd2X<ddpl`_!YpQRoeoPqw)R1c{Z**iT
zq`1;$ZZ>^6zUpHuZs!R0m~>+NQ4a^@;*6-Cg-n<tpHSS-QvN1)*t5ju_JRBajM(O6
z#|R^~4N81JOpE;zX<8@82^0`s`>+}ih<jNNK#evyk!8WJox9E?tM~pIH+O^f`t{|v
z2fXgjCGv81Yc#IECM_qRC{a=y${GXfFGc(na7XSwWE4TeyPflSHPQ#b9M<FWVP29P
zWFFv|9KQ-ma^eYN;ZbaHaO2u?1N|_dI&Fb2?Nq|hqb&KTh5UwNYXKKvd<U15?-Zy(
zzCoe9VZ30-B*7!SwTYm*G@b3z8kP4s-uvo%6=SxAJ;{#YnY9`314I|5SKJGkDIr9-
zdY#v1Rmt$3%{<kFJs(nab&E>pZqL5dSfb_fXZYf4`|Yo@Yb)JKRU}+$yp;XgE^c=E
zrN&StkM!Qmo}qZBN|96}I=7<$)S$w-sGNMu?$qa?=Ne7f7Htu42c{GiUlEp8g<;m^
z7%BZC*EqJJdoub_1!H5;mxradFBU<RwAfUw?+3G*Ydu77PnL--#zpT{X0c|Om++M~
z;vYH7tu^M#%_xy<7B~CwPLg$obEYB1ch4&ggx2lY3Ds_u+B)~DSd$hshBpSgaay^S
zO4>VLnftx^z4lQB7!`OIiNniWCG_e5-zy=Dz*mB0>Za)f_2)m{$P4u%9gs|O(a6?G
zs@`4yXfL)mO23ff+N8^-ZCm;!p;xTimP6U_<BX2I@*8WOGU-M>?Thw-uP&~U4mGtd
z)@!Ik`-gqWZ7ZK1hGtu}RE(r$jm~DV#rTNO1R4<@`);DvGMZ%jx&i|<Z(CPk#cIAV
z6kU-_CAsJBWK7k*+c!Frf)~z?9NCoTxKdGaAMO95FJgC5(n*!^%BKEy+n#=z*k;<r
zqWaqtFFjv}>8pvYi7w35CRBXjYTq?)n;*7sm&&pv)eagSPmfP)+|_HAj|L{09%r?E
z>L@^W3NAixe3S15bH!z(w@a^oqA*UoYSj&8vDw@p+{;D|*Vaa-dx7~#4Z%d|E*b=2
zY056BjL0M!kiJEPq7mKmgT~u+@`n(N7lPbSwGZw{X$&I~;l2qPs<swin^X&d6KyRF
zmB|cFb?y&pvSp=zHU+G!^clVKWqX$CGDnTCdm*H|yI>MEw{T5_^fh!G&4JVNSZgn^
z(=$jjBt|E|)ia2;JC(BIJD0|-my8IxwbK{N%)4Ss-{KjaJ%*V}zuSr0JoBv4=}LB0
z*}Nm>L^Oz%K!wm_p#zUs+C#-wc0+9=Nd7+c3Ho`9*22=e-D5FV8j#PK%J_w@6Q~tr
z26{rJ-6m9ZtME+-V*MQB!f*ofKv#fxu|^2Wdh^JcDL(`?==bI3-_HwjO6ontLBad}
z)D_1ZH^Ll7$jH32=7j{)@=&0p{+8o|T~;NGpn=W8&>7SQaj1d)G*M5pNw3f*O|s9O
zBh1Ab^M*dd*Yttg%3<smFH}A^V4guC<;V!NG6q5X6<vYk;-yW@&Q$!#Z(f8iUK1_^
zl_~b)wxye6Q>{VmBl~$nNdYmWrhtk^i_w%}v5&sQ!_2g@waj(CVUIi>SZko4Vty&A
zUr;|H6LaMTM_CA-KBU%7V|L?H>dNB&X(moyC{AB{?xooxiJ&^g9NRvxs`T2DV<A?9
z8`gUJSwGz`^&p7Q;icM~PHmUvD{yg3qw9U*qY(@|Rav@u3nw(-UCR?f1L5*w#5|yX
z&#I=Xx?N&bl4#&ldXA~=m!&j__R*dqNjZ&9O~hbQ1Fu)BcA4FxxaB?>HE+9w=T<E~
zjcZKGvS{KMA400^MP}2nKS9i%s|r)d`);AuQ{8f(_*R2k?)y-hslM@jkv?jv&C$md
zM=`d(*&|yGbz``h30JjU^n4b}*gCw+p^4oJ&4Csywr`(B&Wo`?H`p)1)}2ME;Y<b;
zYpwcAdTSQ~h9+p1mi*o%Zp=OMKk8)_wEM+Zf*PKu>ONk(?HZ4%@ERR*bq)B6Uovgj
z9pBhSeH|~77_S(AUFq7`g3mD+ydw4``1anC3o-LSRJ>cv=my3w<$9l{+r>@#X-sJE
zAY1l$9q{`vjL^wh{JRcvwtmOltfKa<?`4UEQ(Jq2xH$6M+VxSJ6C8V)G1J$}ypq^=
zzM4CfXK_t=DZQu&#(9k}rjPFI#MwfL>(fd8c4eF2Ux}=sI4T0Twsw7I&j%a&guUW(
zC_(}V)-D=-A9?9jMuHfjr~C~oT>Xw*wGjot?U1*Kd$i!<-Um&<NL?DCZXYdpCgw~3
z*=^uwhW^e@bwpLbC8L>I-bff%@LUjEDF<jAw=S{2LpLhaCRhRnlPZnF;wJi-^-cpw
z_96Sx8nY{y;NGgGIrg}D_rwz8Y0=qn4Ck)r;SzJTJR`jwk0+!DWB2XgbG?F}VwU#b
zWG2F1Rh>Tt59c!zvmLTAb=7Ozb|y`HH(u~ltzEybn&LM*9MM^KoYju>HFk?HUfncf
zz^^8+0Hc-X@M?Hx4l!yk6NP_BNHhGDf~I#-Rrb6#|J(|KwX0aAs+t*Fpx3-wFsZJU
zV*S9=YTXQl*(vB-oxUY_)A2lUUra^y^hA0(`a53`^x#qSqc;LS%3`u}vyW9Sw?!C!
z=u)e5`8JnPf#pG7tC6sZ!5H?cYP(7iJY<%Yb3-FXH@IQg$whO0a^d{pAn?tKNy+)G
z??|ee-PF<5GgEzUTppB8_03%puN#{e6W=g=7rv)WsaEF|jg*DF;EJthFT0Rq<zpkd
z3AGltka5CA6E&K@z2ZJBiVsZX(XHaKA%QtQv{U89g9wSkD;|^#3V=7H_;Hy`A93EN
z0;+h&inx~8cSplTEkSy7n@1eSTV4S`@QBEk{ixop^P`pK!E#Kuz#k52qnMc-_Mc_z
z6eN?%wB$FJ3hpN*T5hjf+1;N#jb2X4h<BNDO-fiqrYlE(+QO{1Sa>bO9p^U62WfYt
z_;V@yxld^yx9nEtjjR}<C02a{#H^ZFdZYSbTdB&SC!5l%ks=UJy)(Vddz;_rl2pLc
zT0=;v)vS&&l2m<lNcBdbO_hg9jBj#m-qmrt+Rn%i`@>+cjal%V^)%m$dhpDI7dK1M
z7*Z|O%JCiRO@P%Zq_kY^Px>Z5LBIKQ{Ac+4DPo!vTUll}m?M45vI>fx_d3>KGat$C
z6#7JTbGWe01uIgLg9wb1;$kT}1|s{35;yveX6xq>^ThVs@rf{=vqnM`pje~+%yo$@
zMOi9vCE5=>VL^Z`XGxu97ud^D%e3s`s*TB*IUZ0xgX|nUR90SGAKzgY%!NNJvPnun
zBRYCnTp*x*lVw=dn={3dVpQURkCoHvQ>=QZiXy!SGrD)Pz9U&Gt<&5_R;ISz=7s39
z@X{uqI0c;~>VV1D(U0@waRSgmEQW`BDrOs>yk==vS!K-9jQ?n<krA`8XuEiuJq8nB
zVIJ;TUlO}%XJ_X*wVux^S}J6|&?mMYsA24^K1J-sMKcN6<w7Nk_%co9okANsu7goJ
z&5V!=9=d2lSKTQuz0K)nZsGphce!DTTf^au%|_md&m<3md=BIM$!0LL&|*beD_va6
zj`4^TNm*B5f-1$v@l_(Ot2B#NCU%#V`=Lb5?7J;|<<v>^4us|_efIgh1dD}bFlfz!
zdOYo;)g9TE2Zn0KJS?6XbHjj;Pe$<h5HpdZ$j|l;s@L_QxJ!y=YA=UDHjB&x<d&y5
zI~aZNq2dM=TIy$>>X{jHkGs))0r4JuPNSUS)Z^`#PJ;nGRVj^p=T50;!l#jj>jqXu
z6<a@|Ycg?}nEkd5zmW#n5d%-B^8|?iDZPHnx88031ujRVRxV~<;)3yADq}iuJA}-m
z8_Y0)vp&-WjFoxe88-zjwU=Lg1~~-*u~j}WaF~p1j{1N}zn-fRBf&4SEGpJam#!b@
zgtao7A0y9)e!B?fIEvJB^vSaquj+<Dyv~!6CqD`If;{2TqNMh+XE>;XksEwCDepmM
zKph3ZdsKbgH9+K5TV3%y2UAQJM3YN^EwI^5wU?b`oB^Rg4=@k@Qu0*5&z;<je3ReD
zUMK=(wb^X9II#Dy&Yz^h)?+%yAJc%AOD;1}BKv(7S#RIZ{~vFj-y?MyHP>f*Tk6*R
zS%Xk~o>7gWa>nDIOy!Wv<%NdE=f`17@eFQDDvOuj|Lny0tV0KE#Q|T|y*838m91BD
zC86}zjYMxibTTc|y<cXKO<bnU(T%u2*Y^M#&v<7w8dMvN;9)#Qf_h`!W>U>pc2m`l
zo<59vA_YX-kap4mr<>r`DSWDre==PnZG4P1W$H;;pMB6*W)Ej$`zptIPFC%GJ9*{>
z%IQ;r628c7Diw*SD8GO^cUM8P)MlpKBYNi@kC<uS8U324t;yvSrXyK$TZMg<GZTI3
zx?fLjnmPTvz)QyRO`{^7go}@nqPX<Ri9<#DcDE~(8olW<fH_Q5FTN24qWx{SCO?7#
zeq8)7ql4bwfSUet>)!-D`3k^de!hV3+5hwDKko(vWf8~S{xYHXKYRUuEU&O0EEvO$
z(%Y~`=I9idy#8lz|KD?E(0e|BjTk7L<j0!_TdRi_HjDKqk9vG)#pIYhKLH-g9kg`2
zFZoX!{4cBXdCZ_wWRACWy{|s0$dn@O0fr0#=WDZt#XLTNOjQWaq_2PahtUHcc*K+M
zGN+|q=v;xs-)&JWPfoDZSB8gQGc554wjC*N!6EU=I#B$T;eXC*{MYS1I+qxxpwZF#
zQt-j#$Ed)W%*!+gxX#P)g0a>rUQ0mmKjV$YS~=SU{rh<Ta5{!aZ*yPUf&8w%+>iN=
z4?ey>b7F=QJTx_=jzr8|x$^HR(9A<^xBhn9Eyu}Ip!`$3i#L*W(qsKYFDxd)Br<O1
z{q2vp&Vy)dyn2S^-;VnqSB2dp1A%$pOK1KRDrX%)$E!;5Uw@rp{&@vzW$(mHZ$pNs
zet(|rTNDU0UM)@re{PxReHet#e7gFF{|F=hR^iSGkaL6{g#`Y-<p@@W9{hWN4)Xs6
z0MYRhNL*B|@RP^>jACKN;5b|7J01QqS4ee1R!#G*AZ^2cT6F&{hgBtzit4^e2>!XH
z+FNpsFhG6(>Yt*O^#aG4jJn>0`0tqb-&;an11V5eaUP-hQ|iq^KKnFBdBbsU<@*uf
PWE8g%cW&m&-Shol7RM`y

literal 0
HcmV?d00001