From d718829f5de996f6b20260102a6c373fa3e08b8a Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 16 Feb 2017 15:16:47 -0500
Subject: [PATCH 01/30] Initial LDAP group member iteration support

Add interface for group member iteration on internal auth providers and implement support in the LDAP interface.
---
 data/users/__init__.py     | 10 ++++++
 data/users/externalldap.py | 73 +++++++++++++++++++++++++++++++++++---
 data/users/federated.py    | 60 +++++++++++++++++--------------
 test/test_ldap.py          | 32 +++++++++++++++--
 4 files changed, 141 insertions(+), 34 deletions(-)

diff --git a/data/users/__init__.py b/data/users/__init__.py
index 1f083e8ff..669ba7918 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -186,6 +186,16 @@ class UserAuthentication(object):
     """ Verifies that the given username and password credentials are valid. """
     return self.state.verify_credentials(username_or_email, password)
 
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    """ Returns a tuple of an iterator over all the members of the group matching the given lookup
+        args dictionary, or the error that occurred if the initial call failed or is unsupported.
+        The format of the lookup args dictionary is specific to the implementation.
+        Each result in the iterator is a tuple of (UserInformation, error_message), and only
+        one will be not-None.
+    """
+    return self.state.iterate_group_members(group_lookup_args, page_size=page_size,
+                                            disable_pagination=disable_pagination)
+
   def verify_and_link_user(self, username_or_email, password, basic_auth=False):
     """ Verifies that the given username and password credentials are valid and, if so,
         creates or links the database user to the federated identity. """
diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index 8cd82ac28..6642e7279 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -2,6 +2,8 @@ import ldap
 import logging
 import os
 
+from ldap.controls import SimplePagedResultsControl
+
 from collections import namedtuple
 from data.users.federated import FederatedUsers, UserInformation
 from util.itertoolrecipes import take
@@ -10,6 +12,7 @@ logger = logging.getLogger(__name__)
 
 _DEFAULT_NETWORK_TIMEOUT = 10.0 # seconds
 _DEFAULT_TIMEOUT = 10.0 # seconds
+_DEFAULT_PAGE_SIZE = 500
 
 
 class LDAPConnectionBuilder(object):
@@ -84,6 +87,7 @@ class LDAPUsers(FederatedUsers):
 
     # Create the set of full DN paths.
     self._user_dns = [get_full_rdn(relative_dn) for relative_dn in relative_user_dns]
+    self._base_dn = ','.join(base_dn)
 
   def _get_ldap_referral_dn(self, referral_exception):
     logger.debug('Got referral: %s', referral_exception.args[0])
@@ -174,7 +178,7 @@ class LDAPUsers(FederatedUsers):
     with_mail = [result for result in with_dns if result.attrs.get(self._email_attr)]
     return (with_mail[0] if with_mail else with_dns[0], None)
 
-  def _credential_for_user(self, response):
+  def _build_user_information(self, response):
     if not response.get(self._uid_attr):
       return (None, 'Missing uid field "%s" in user record' % self._uid_attr)
 
@@ -194,7 +198,7 @@ class LDAPUsers(FederatedUsers):
 
     logger.debug('Found user for LDAP username or email %s', username_or_email)
     _, found_response = found_user
-    return self._credential_for_user(found_response)
+    return self._build_user_information(found_response)
 
   def query_users(self, query, limit=20):
     """ Queries LDAP for matching users. """
@@ -208,7 +212,7 @@ class LDAPUsers(FederatedUsers):
 
     final_results = []
     for result in results[0:limit]:
-      credentials, err_msg = self._credential_for_user(result.attrs)
+      credentials, err_msg = self._build_user_information(result.attrs)
       if err_msg is not None:
         continue
 
@@ -253,4 +257,65 @@ class LDAPUsers(FederatedUsers):
       logger.debug('Invalid LDAP credentials')
       return (None, 'Invalid password')
 
-    return self._credential_for_user(found_response)
+    return self._build_user_information(found_response)
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    try:
+      with self._ldap.get_connection():
+        pass
+    except ldap.INVALID_CREDENTIALS:
+      return (None, 'LDAP Admin dn or password is invalid')
+
+    group_dn = group_lookup_args['group_dn']
+    page_size = page_size or _DEFAULT_PAGE_SIZE
+    return (self._iterate_members(group_dn, page_size, disable_pagination), None)
+
+  def _iterate_members(self, group_dn, page_size, disable_pagination):
+    with self._ldap.get_connection() as conn:
+      lc = ldap.controls.libldap.SimplePagedResultsControl(criticality=True, size=page_size,
+                                                           cookie='')
+
+      search_flt = '(memberOf=%s,%s)' % (group_dn, self._base_dn)
+
+      for user_search_dn in self._user_dns:
+        # Conduct the initial search for users that are a member of the group.
+        if disable_pagination:
+          msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt)
+        else:
+          msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, serverctrls=[lc])
+
+        while True:
+          if disable_pagination:
+            _, rdata = conn.result(msgid)
+          else:
+            _, rdata, _, serverctrls = conn.result3(msgid)
+
+          # Yield any users found.
+          for userdata in rdata:
+            yield self._build_user_information(userdata[1])
+
+          # If pagination is disabled, nothing more to do.
+          if disable_pagination:
+            break
+
+          # Filter down the controls with which the server responded, looking for the paging
+          # control type. If not found, then the server does not support pagination and we already
+          # got all of the results.
+          pctrls = [control for control in serverctrls
+                    if control.controlType == ldap.controls.SimplePagedResultsControl.controlType]
+
+          if pctrls:
+            # Server supports pagination. Update the cookie so the next search finds the next page,
+            # then conduct the next search.
+            cookie = lc.cookie = pctrls[0].cookie
+            if cookie:
+                msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
+                                        serverctrls=[lc])
+                continue
+            else:
+              # No additional results.
+              break
+          else:
+            # Pagintation is not supported.
+            logger.debug('Pagination is not supported for this LDAP server')
+            break
diff --git a/data/users/federated.py b/data/users/federated.py
index 8b6e570cb..683cc0945 100644
--- a/data/users/federated.py
+++ b/data/users/federated.py
@@ -37,33 +37,6 @@ class FederatedUsers(object):
     """ If implemented, get_user must be implemented as well. """
     return (None, 'Not supported')
 
-  def _get_federated_user(self, username, email):
-    db_user = model.user.verify_federated_login(self._federated_service, username)
-    if not db_user:
-      # We must create the user in our db
-      valid_username = None
-      for valid_username in generate_valid_usernames(username):
-        if model.user.is_username_unique(valid_username):
-          break
-
-      if not valid_username:
-        logger.error('Unable to pick a username for user: %s', username)
-        return (None, 'Unable to pick a username. Please report this to your administrator.')
-
-      prompts = model.user.get_default_user_prompts(features)
-      db_user = model.user.create_federated_user(valid_username, email, self._federated_service,
-                                                 username,
-                                                 set_password_notification=False,
-                                                 email_required=self._requires_email,
-                                                 prompts=prompts)
-    else:
-      # Update the db attributes from the federated service.
-      if email:
-        db_user.email = email
-        db_user.save()
-
-    return (db_user, None)
-
   def link_user(self, username_or_email):
     (credentials, err_msg) = self.get_user(username_or_email)
     if credentials is None:
@@ -98,3 +71,36 @@ class FederatedUsers(object):
       return (None, err_msg)
 
     return (db_user, None)
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    """ Returns an iterator over all the members of the group matching the given lookup args
+        dictionary. The format of the lookup args dictionary is specific to the implementation.
+    """
+    return (None, 'Not supported')
+
+  def _get_federated_user(self, username, email):
+    db_user = model.user.verify_federated_login(self._federated_service, username)
+    if not db_user:
+      # We must create the user in our db
+      valid_username = None
+      for valid_username in generate_valid_usernames(username):
+        if model.user.is_username_unique(valid_username):
+          break
+
+      if not valid_username:
+        logger.error('Unable to pick a username for user: %s', username)
+        return (None, 'Unable to pick a username. Please report this to your administrator.')
+
+      prompts = model.user.get_default_user_prompts(features)
+      db_user = model.user.create_federated_user(valid_username, email, self._federated_service,
+                                                 username,
+                                                 set_password_notification=False,
+                                                 email_required=self._requires_email,
+                                                 prompts=prompts)
+    else:
+      # Update the db attributes from the federated service.
+      if email:
+        db_user.email = email
+        db_user.save()
+
+    return (db_user, None)
diff --git a/test/test_ldap.py b/test/test_ldap.py
index 6e2a5d914..621d1d00e 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
@@ -34,18 +34,25 @@ def mock_ldap(requires_email=True):
       'dc': ['quay', 'io'],
       'ou': 'otheremployees'
     },
+    'cn=AwesomeFolk,dc=quay,dc=io': {
+      'dc': ['quay', 'io'],
+      'cn': 'AwesomeFolk'
+    },
     'uid=testy,ou=employees,dc=quay,dc=io': {
       'dc': ['quay', 'io'],
       'ou': 'employees',
-      'uid': 'testy',
-      'userPassword': ['password']
+      'uid': ['testy'],
+      'userPassword': ['password'],
+      'mail': ['bar@baz.com'],
+      'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io'],
     },
     'uid=someuser,ou=employees,dc=quay,dc=io': {
       'dc': ['quay', 'io'],
       'ou': 'employees',
       'uid': ['someuser'],
       'userPassword': ['somepass'],
-      'mail': ['foo@bar.com']
+      'mail': ['foo@bar.com'],
+      'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io'],
     },
     'uid=nomail,ou=employees,dc=quay,dc=io': {
       'dc': ['quay', 'io'],
@@ -301,6 +308,25 @@ class TestLDAP(unittest.TestCase):
                        requires_email=False, timeout=5)
       ldap.query_users('cool')
 
+  def test_iterate_group_members(self):
+    with mock_ldap() as ldap:
+      (it, err) = ldap.iterate_group_members({'group_dn': 'cn=AwesomeFolk'},
+                                             disable_pagination=True)
+      self.assertIsNone(err)
+
+      results = list(it)
+      self.assertEquals(2, len(results))
+
+      first = results[0][0]
+      self.assertEquals('testy', first.id)
+      self.assertEquals('testy', first.username)
+      self.assertEquals('bar@baz.com', first.email)
+
+      second = results[1][0]
+      self.assertEquals('someuser', second.id)
+      self.assertEquals('someuser', second.username)
+      self.assertEquals('foo@bar.com', second.email)
+
 if __name__ == '__main__':
   unittest.main()
 

From f5a854c1898289e311db3ecabefe399612028ff7 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 17 Feb 2017 12:01:41 -0500
Subject: [PATCH 02/30] Add TeamSync database and API support

Teams can now have a TeamSync entry in the database, indicating how they are synced via an external group. If found, then the user membership of the team cannot be changed via the API.
---
 data/database.py       | 11 +++++++++-
 data/model/team.py     | 31 +++++++++++++++++++++++---
 endpoints/api/team.py  | 49 +++++++++++++++++++++++++++++++++--------
 initdb.py              |  3 +++
 test/test_api_usage.py | 50 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 131 insertions(+), 13 deletions(-)

diff --git a/data/database.py b/data/database.py
index 6d7b7e3b2..37b89a7af 100644
--- a/data/database.py
+++ b/data/database.py
@@ -451,7 +451,7 @@ class User(BaseModel):
                                  TagManifest, AccessToken, OAuthAccessToken, BlobUpload,
                                  RepositoryNotification, OAuthAuthorizationCode,
                                  RepositoryActionCount, TagManifestLabel, Tag,
-                                 ManifestLabel, BlobUploading} | beta_classes
+                                 ManifestLabel, BlobUploading, TeamSync} | beta_classes
 
       delete_instance_filtered(self, User, delete_nullable, skip_transitive_deletes)
 
@@ -526,6 +526,15 @@ class LoginService(BaseModel):
   name = CharField(unique=True, index=True)
 
 
+class TeamSync(BaseModel):
+  team = ForeignKeyField(Team)
+
+  transaction_id = CharField()
+  last_updated = DateTimeField(default=datetime.now, index=True)
+  service = ForeignKeyField(LoginService)
+  config = JSONField()
+
+
 class FederatedLogin(BaseModel):
   user = QuayUserField(allows_robots=True, index=True)
   service = ForeignKeyField(LoginService)
diff --git a/data/model/team.py b/data/model/team.py
index 753d00e2f..1d176ebdf 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -1,9 +1,13 @@
-from data.database import Team, TeamMember, TeamRole, User, TeamMemberInvite, RepositoryPermission
+import json
+
+from peewee import fn
+
+from data.database import (Team, TeamMember, TeamRole, User, TeamMemberInvite, RepositoryPermission,
+                           TeamSync, LoginService)
 from data.model import (DataModelException, InvalidTeamException, UserAlreadyInTeam,
-                        InvalidTeamMemberException, user, _basequery)
+                        InvalidTeamMemberException, _basequery)
 from data.text import prefix_search
 from util.validation import validate_username
-from peewee import fn, JOIN_LEFT_OUTER
 from util.morecollections import AttrDict
 
 
@@ -369,3 +373,24 @@ def confirm_team_invite(code, user_obj):
   team = found.team
   inviter = found.inviter
   return (team, inviter)
+
+def set_team_syncing(team, login_service_name, config):
+  login_service = LoginService.get(name=login_service_name)
+  TeamSync.create(team=team, transaction_id='', service=login_service, config=json.dumps(config))
+
+def get_team_sync_information(orgname, teamname):
+  """ Returns the team syncing information for the team with the given name under the organization
+      with the given name or None if none.
+  """
+  query = (TeamSync
+           .select(TeamSync, LoginService)
+           .join(Team)
+           .join(User)
+           .switch(TeamSync)
+           .join(LoginService)
+           .where(Team.name == teamname, User.organization == True, User.username == orgname))
+
+  try:
+    return query.get()
+  except TeamSync.DoesNotExist:
+    return None
diff --git a/endpoints/api/team.py b/endpoints/api/team.py
index 81b779b58..fada006f2 100644
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@@ -1,19 +1,22 @@
 """ Create, list and manage an organization's teams. """
 
+from functools import wraps
+
 from flask import request
 
 import features
 
-from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
-                           log_action, internal_only, require_scope, path_param, query_param,
-                           truthy_bool, parse_args, require_user_admin, show_if)
-from endpoints.exception import Unauthorized, NotFound
+from app import avatar, authentication
 from auth.permissions import AdministerOrganizationPermission, ViewTeamPermission
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from data import model
+from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
+                           log_action, internal_only, require_scope, path_param, query_param,
+                           truthy_bool, parse_args, require_user_admin, show_if, format_date)
+from endpoints.exception import Unauthorized, NotFound, InvalidRequest
 from util.useremails import send_org_invite_email
-from app import avatar
+from util.names import parse_robot_username
 
 def permission_view(permission):
   return {
@@ -24,7 +27,6 @@ def permission_view(permission):
     'role': permission.role.name
   }
 
-
 def try_accept_invite(code, user):
   (team, inviter) = model.team.confirm_team_invite(code, user)
 
@@ -40,7 +42,6 @@ def try_accept_invite(code, user):
 
   return team
 
-
 def handle_addinvite_team(inviter, team, user=None, email=None):
   requires_invite = features.MAILING and features.REQUIRE_TEAM_INVITE
   invite = model.team.add_or_invite_to_team(inviter, team, user, email,
@@ -82,7 +83,6 @@ def member_view(member, invited=False):
     'invited': invited,
   }
 
-
 def invite_view(invite):
   if invite.user:
     return member_view(invite.user, invited=True)
@@ -94,6 +94,26 @@ def invite_view(invite):
       'invited': True
     }
 
+def disallow_for_synced_team(except_robots=False):
+  """ Disallows the decorated operation for a team that is marked as being synced from an internal
+      auth provider such as LDAP. If except_robots is True, then the operation is allowed if the
+      member specified on the operation is a robot account.
+  """
+  def inner(func):
+    @wraps(func)
+    def wrapper(self, *args, **kwargs):
+      # Team syncing can only be enabled if we have a federated service.
+      if authentication.federated_service:
+        orgname = kwargs['orgname']
+        teamname = kwargs['teamname']
+        if model.team.get_team_sync_information(orgname, teamname):
+          if not except_robots or not parse_robot_username(kwargs.get('membername', '')):
+            raise InvalidRequest('Cannot call this method on an auth-synced team')
+
+      return func(self, *args, **kwargs)
+    return wrapper
+  return inner
+
 
 @resource('/v1/organization/<orgname>/team/<teamname>')
 @path_param('orgname', 'The name of the organization')
@@ -214,6 +234,14 @@ class TeamMemberList(ApiResource):
         'can_edit': edit_permission.can()
       }
 
+      sync_info = model.team.get_team_sync_information(orgname, teamname)
+      if sync_info is not None:
+        data['synced'] = {
+          'last_updated': format_date(sync_info.last_updated),
+          'service': sync_info.service.name,
+          'config': sync_info.config,
+        }
+
       return data
 
     raise Unauthorized()
@@ -228,6 +256,7 @@ class TeamMember(ApiResource):
 
   @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrganizationTeamMember')
+  @disallow_for_synced_team(except_robots=True)
   def put(self, orgname, teamname, membername):
     """ Adds or invites a member to an existing team. """
     permission = AdministerOrganizationPermission(orgname)
@@ -265,6 +294,7 @@ class TeamMember(ApiResource):
 
   @require_scope(scopes.ORG_ADMIN)
   @nickname('deleteOrganizationTeamMember')
+  @disallow_for_synced_team(except_robots=True)
   def delete(self, orgname, teamname, membername):
     """ Delete a member of a team. If the user is merely invited to join
         the team, then the invite is removed instead.
@@ -308,6 +338,7 @@ class InviteTeamMember(ApiResource):
   """ Resource for inviting a team member via email address. """
   @require_scope(scopes.ORG_ADMIN)
   @nickname('inviteTeamMemberEmail')
+  @disallow_for_synced_team()
   def put(self, orgname, teamname, email):
     """ Invites an email address to an existing team. """
     permission = AdministerOrganizationPermission(orgname)
@@ -407,7 +438,7 @@ class TeamMemberInvite(ApiResource):
   @nickname('declineOrganizationTeamInvite')
   @require_user_admin
   def delete(self, code):
-    """ Delete an existing member of a team. """
+    """ Delete an existing invitation to join a team. """
     (team, inviter) = model.team.delete_team_invite(code, user_obj=get_authenticated_user())
 
     model.notification.delete_matching_notifications(get_authenticated_user(), 'org_team_invite',
diff --git a/initdb.py b/initdb.py
index 03bb9131c..f8ce513ab 100644
--- a/initdb.py
+++ b/initdb.py
@@ -700,6 +700,9 @@ def populate_database(minimal=False, with_storage=False):
   model.team.add_user_to_team(creatorbot, creators)
   model.team.add_user_to_team(creatoruser, creators)
 
+  synced_team = model.team.create_team('synced', org, 'member', 'Some synced team.')
+  model.team.set_team_syncing(synced_team, 'ldap', {'group_dn': 'cn=Test-Group,ou=Users'})
+
   __generate_repository(with_storage, new_user_1, 'superwide', None, False, [],
                         [(10, [], 'latest2'),
                          (2, [], 'latest3'),
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 2f2548df5..52dabbaaa 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -7,6 +7,7 @@ import time
 import re
 import json as py_json
 
+from mock import patch
 from StringIO import StringIO
 from calendar import timegm
 from contextlib import contextmanager
@@ -77,6 +78,7 @@ from endpoints.api.suconfig import (SuperUserRegistryStatus, SuperUserConfig, Su
                                     SuperUserCreateInitialSuperUser)
 from endpoints.api.manifest import RepositoryManifestLabels, ManageRepositoryManifestLabel
 from test.test_ssl_util import generate_test_cert
+from util.morecollections import AttrDict
 
 
 try:
@@ -1592,6 +1594,54 @@ class TestUpdateOrganizationTeamMember(ApiTestCase):
       self.assertNotEqual(membername, member['name'])
 
 
+  def test_updatemembers_syncedteam(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    with patch('endpoints.api.team.authentication', AttrDict({'federated_service': 'foobar'})):
+      # Add the user to a non-synced team, which should succeed.
+      self.putJsonResponse(TeamMember,
+                           params=dict(orgname=ORGANIZATION, teamname='owners',
+                                       membername=READ_ACCESS_USER))
+
+      # Remove the user from the non-synced team, which should succeed.
+      self.deleteEmptyResponse(TeamMember,
+                               params=dict(orgname=ORGANIZATION, teamname='owners',
+                                           membername=READ_ACCESS_USER))
+
+      # Attempt to add the user to a synced team, which should fail.
+      self.putResponse(TeamMember,
+                       params=dict(orgname=ORGANIZATION, teamname='synced',
+                                   membername=READ_ACCESS_USER),
+                       expected_code=400)
+
+      # Attempt to remove the user from the synced team, which should fail.
+      self.deleteResponse(TeamMember,
+                          params=dict(orgname=ORGANIZATION, teamname='synced',
+                                      membername=READ_ACCESS_USER),
+                          expected_code=400)
+
+      # Add a robot to the synced team, which should succeed.
+      self.putJsonResponse(TeamMember,
+                           params=dict(orgname=ORGANIZATION, teamname='synced',
+                                       membername=ORGANIZATION + '+coolrobot'))
+
+      # Remove the robot from the non-synced team, which should succeed.
+      self.deleteEmptyResponse(TeamMember,
+                               params=dict(orgname=ORGANIZATION, teamname='synced',
+                                           membername=ORGANIZATION + '+coolrobot'))
+
+      # Invite a team member to a non-synced team, which should succeed.
+      self.putJsonResponse(InviteTeamMember,
+                           params=dict(orgname=ORGANIZATION, teamname='owners',
+                                       email='someguy+new@devtable.com'))
+
+      # Attempt to invite a team member to a synced team, which should fail.
+      self.putResponse(InviteTeamMember,
+                       params=dict(orgname=ORGANIZATION, teamname='synced',
+                                   email='someguy+new@devtable.com'),
+                       expected_code=400)
+
+
 class TestAcceptTeamMemberInvite(ApiTestCase):
   def test_accept(self):
     self.login(ADMIN_ACCESS_USER)

From 1cfc4a834114e4d90dd4feacced2a77cb51c8f28 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 17 Feb 2017 14:23:50 -0500
Subject: [PATCH 03/30] Change max size of LDAP pages and add filtering to
 reduce attributes returned

---
 data/users/externalldap.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index 6642e7279..cce256f47 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -12,7 +12,7 @@ logger = logging.getLogger(__name__)
 
 _DEFAULT_NETWORK_TIMEOUT = 10.0 # seconds
 _DEFAULT_TIMEOUT = 10.0 # seconds
-_DEFAULT_PAGE_SIZE = 500
+_DEFAULT_PAGE_SIZE = 1000
 
 
 class LDAPConnectionBuilder(object):
@@ -276,13 +276,15 @@ class LDAPUsers(FederatedUsers):
                                                            cookie='')
 
       search_flt = '(memberOf=%s,%s)' % (group_dn, self._base_dn)
+      attributes = [self._uid_attr, self._email_attr]
 
       for user_search_dn in self._user_dns:
         # Conduct the initial search for users that are a member of the group.
         if disable_pagination:
-          msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt)
+          msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, attrlist=attributes)
         else:
-          msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, serverctrls=[lc])
+          msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, serverctrls=[lc],
+                                  attrlist=attributes)
 
         while True:
           if disable_pagination:

From ecfac817217f22d3a4d174a003423798c950cd5a Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 17 Feb 2017 17:10:26 -0500
Subject: [PATCH 04/30] Add check_group_lookup_args and service_metadata to
 auth providers

---
 data/users/__init__.py     | 12 ++++++++++++
 data/users/database.py     | 11 +++++++++++
 data/users/externalldap.py | 20 ++++++++++++++++++++
 data/users/federated.py    | 12 ++++++++++++
 test/test_ldap.py          | 16 ++++++++++++++++
 5 files changed, 71 insertions(+)

diff --git a/data/users/__init__.py b/data/users/__init__.py
index 669ba7918..7cf3bccef 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -186,6 +186,18 @@ class UserAuthentication(object):
     """ Verifies that the given username and password credentials are valid. """
     return self.state.verify_credentials(username_or_email, password)
 
+  def check_group_lookup_args(self, group_lookup_args):
+    """ Verifies that the given group lookup args point to a valid group. Returns a tuple consisting
+        of a boolean status and an error message (if any).
+    """
+    return self.state.check_group_lookup_args(group_lookup_args)
+
+  def service_metadata(self):
+    """ Returns a dictionary of extra metadata to present to *superusers* about this auth engine.
+        For example, LDAP returns the base DN so we can display to the user during sync setup.
+    """
+    return self.state.service_metadata()
+
   def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
     """ Returns a tuple of an iterator over all the members of the group matching the given lookup
         args dictionary, or the error that occurred if the initial call failed or is unsupported.
diff --git a/data/users/database.py b/data/users/database.py
index 4edb0f442..6e5bf9949 100644
--- a/data/users/database.py
+++ b/data/users/database.py
@@ -28,3 +28,14 @@ class DatabaseUsers(object):
     """ No need to implement, as we already query for users directly in the database. """
     return (None, '', '')
 
+  def check_group_lookup_args(self, group_lookup_args):
+    """ Never used since all groups, by definition, are in the database. """
+    return (False, 'Not supported')
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    """ Never used since all groups, by definition, are in the database. """
+    return (None, 'Not supported')
+
+  def service_metadata(self):
+    """ Never used since database has no metadata """
+    return {}
diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index cce256f47..a059352af 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -259,6 +259,26 @@ class LDAPUsers(FederatedUsers):
 
     return self._build_user_information(found_response)
 
+  def service_metadata(self):
+    return {
+      'base_dn': self._base_dn,
+    }
+
+  def check_group_lookup_args(self, group_lookup_args, disable_pagination=False):
+    if not group_lookup_args.get('group_dn'):
+      return (False, 'Missing group_dn')
+
+    (it, err) = self.iterate_group_members(group_lookup_args, page_size=1,
+                                           disable_pagination=disable_pagination)
+    if err is not None:
+      return (False, err)
+
+    results = list(it)
+    if not results:
+      return (False, 'Group does not exist or is empty')
+
+    return (True, None)
+
   def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
     try:
       with self._ldap.get_connection():
diff --git a/data/users/federated.py b/data/users/federated.py
index 683cc0945..09d2eb748 100644
--- a/data/users/federated.py
+++ b/data/users/federated.py
@@ -72,6 +72,18 @@ class FederatedUsers(object):
 
     return (db_user, None)
 
+  def service_metadata(self):
+    """ Returns a dictionary of extra metadata to present to *superusers* about this auth engine.
+        For example, LDAP returns the base DN so we can display to the user during sync setup.
+    """
+    return {}
+
+  def check_group_lookup_args(self, group_lookup_args):
+    """ Verifies that the given group lookup args point to a valid group. Returns a tuple consisting
+        of a boolean status and an error message (if any).
+    """
+    return (False, 'Not supported')
+
   def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
     """ Returns an iterator over all the members of the group matching the given lookup args
         dictionary. The format of the lookup args dictionary is specific to the implementation.
diff --git a/test/test_ldap.py b/test/test_ldap.py
index 621d1d00e..2cbd2999a 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
@@ -327,6 +327,22 @@ class TestLDAP(unittest.TestCase):
       self.assertEquals('someuser', second.username)
       self.assertEquals('foo@bar.com', second.email)
 
+  def test_check_group_lookup_args(self):
+    with mock_ldap() as ldap:
+      (result, err) = ldap.check_group_lookup_args({'group_dn': 'cn=invalid'},
+                                                   disable_pagination=True)
+      self.assertFalse(result)
+      self.assertIsNotNone(err)
+
+      (result, err) = ldap.check_group_lookup_args({'group_dn': 'cn=AwesomeFolk'},
+                                                   disable_pagination=True)
+      self.assertTrue(result)
+      self.assertIsNone(err)
+
+  def test_metadata(self):
+    with mock_ldap() as ldap:
+      assert 'base_dn' in ldap.service_metadata()
+
 if __name__ == '__main__':
   unittest.main()
 

From bb20422260ba3c3480032456116e097ea9b8f0f3 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 17 Feb 2017 18:02:53 -0500
Subject: [PATCH 05/30] Fix pagination disabling in LDAP with mockldap

Since mockldap doesn't support pagination, just disable it globally
---
 data/users/externalldap.py | 18 ++++++++++--------
 test/test_ldap.py          |  2 +-
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index a059352af..6ab4b6c6b 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -66,7 +66,7 @@ class LDAPUsers(FederatedUsers):
 
   def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
                allow_tls_fallback=False, secondary_user_rdns=None, requires_email=True,
-               timeout=None, network_timeout=None):
+               timeout=None, network_timeout=None, force_no_pagination=False):
     super(LDAPUsers, self).__init__('ldap', requires_email)
 
     self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback,
@@ -76,6 +76,7 @@ class LDAPUsers(FederatedUsers):
     self._email_attr = email_attr
     self._allow_tls_fallback = allow_tls_fallback
     self._requires_email = requires_email
+    self._force_no_pagination = force_no_pagination
 
     # Note: user_rdn is a list of RDN pieces (for historical reasons), and secondary_user_rds
     # is a list of RDN strings.
@@ -291,6 +292,7 @@ class LDAPUsers(FederatedUsers):
     return (self._iterate_members(group_dn, page_size, disable_pagination), None)
 
   def _iterate_members(self, group_dn, page_size, disable_pagination):
+    has_pagination = not(self._force_no_pagination or disable_pagination)
     with self._ldap.get_connection() as conn:
       lc = ldap.controls.libldap.SimplePagedResultsControl(criticality=True, size=page_size,
                                                            cookie='')
@@ -300,24 +302,24 @@ class LDAPUsers(FederatedUsers):
 
       for user_search_dn in self._user_dns:
         # Conduct the initial search for users that are a member of the group.
-        if disable_pagination:
-          msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, attrlist=attributes)
-        else:
+        if has_pagination:
           msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, serverctrls=[lc],
                                   attrlist=attributes)
+        else:
+          msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, attrlist=attributes)
 
         while True:
-          if disable_pagination:
-            _, rdata = conn.result(msgid)
-          else:
+          if has_pagination:
             _, rdata, _, serverctrls = conn.result3(msgid)
+          else:
+            _, rdata = conn.result(msgid)
 
           # Yield any users found.
           for userdata in rdata:
             yield self._build_user_information(userdata[1])
 
           # If pagination is disabled, nothing more to do.
-          if disable_pagination:
+          if not has_pagination:
             break
 
           # Filter down the controls with which the server responded, looking for the paging
diff --git a/test/test_ldap.py b/test/test_ldap.py
index 2cbd2999a..0bb05ab12 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
@@ -19,7 +19,7 @@ def _create_ldap(requires_email=True):
 
   ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
                    uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns,
-                   requires_email=requires_email)
+                   requires_email=requires_email, force_no_pagination=True)
   return ldap
 
 @contextmanager

From a17b6370325c9ac3131a1cae7981efbb5a1b7fef Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 17 Feb 2017 18:19:35 -0500
Subject: [PATCH 06/30] Fix ordering in LDAP test

---
 test/test_ldap.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/test/test_ldap.py b/test/test_ldap.py
index 0bb05ab12..04b6f4fdb 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
@@ -318,14 +318,20 @@ class TestLDAP(unittest.TestCase):
       self.assertEquals(2, len(results))
 
       first = results[0][0]
-      self.assertEquals('testy', first.id)
-      self.assertEquals('testy', first.username)
-      self.assertEquals('bar@baz.com', first.email)
-
       second = results[1][0]
-      self.assertEquals('someuser', second.id)
-      self.assertEquals('someuser', second.username)
-      self.assertEquals('foo@bar.com', second.email)
+
+      if first.id == 'testy':
+        testy, someuser = first, second
+      else:
+        testy, someuser = second, first
+
+      self.assertEquals('testy', testy.id)
+      self.assertEquals('testy', testy.username)
+      self.assertEquals('bar@baz.com', testy.email)
+
+      self.assertEquals('someuser', someuser.id)
+      self.assertEquals('someuser', someuser.username)
+      self.assertEquals('foo@bar.com', someuser.email)
 
   def test_check_group_lookup_args(self):
     with mock_ldap() as ldap:

From 8ea39771400f3014e07e0c313240b191da25f778 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 17 Feb 2017 18:20:23 -0500
Subject: [PATCH 07/30] Add ability to enable, disable and view team syncing in
 UI and API

Also extracts out some common testing infrastructure to make testing APIs easier now using pytest
---
 data/model/team.py                   |  6 ++
 endpoints/api/team.py                | 88 ++++++++++++++++++++++++----
 endpoints/api/test/shared.py         |  3 -
 endpoints/api/test/test_security.py  | 14 ++++-
 endpoints/api/test/test_team.py      | 35 +++++++++++
 static/css/pages/team-view.css       | 18 +++++-
 static/directives/team-view-add.html | 16 +++--
 static/js/pages/team-view.js         | 80 +++++++++++++++++++++++++
 static/partials/team-view.html       | 65 ++++++++++++++++++--
 9 files changed, 298 insertions(+), 27 deletions(-)
 create mode 100644 endpoints/api/test/test_team.py

diff --git a/data/model/team.py b/data/model/team.py
index 1d176ebdf..52a58b842 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -375,9 +375,15 @@ def confirm_team_invite(code, user_obj):
   return (team, inviter)
 
 def set_team_syncing(team, login_service_name, config):
+  """ Sets the given team to sync to the given service using the given config. """
   login_service = LoginService.get(name=login_service_name)
   TeamSync.create(team=team, transaction_id='', service=login_service, config=json.dumps(config))
 
+def remove_team_syncing(orgname, teamname):
+  existing = get_team_sync_information(orgname, teamname)
+  if existing:
+    existing.delete_instance()
+
 def get_team_sync_information(orgname, teamname):
   """ Returns the team syncing information for the team with the given name under the organization
       with the given name or None if none.
diff --git a/endpoints/api/team.py b/endpoints/api/team.py
index fada006f2..80c2ad5ef 100644
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@@ -1,5 +1,7 @@
 """ Create, list and manage an organization's teams. """
 
+import json
+
 from functools import wraps
 
 from flask import request
@@ -7,13 +9,16 @@ from flask import request
 import features
 
 from app import avatar, authentication
-from auth.permissions import AdministerOrganizationPermission, ViewTeamPermission
+from auth.permissions import (AdministerOrganizationPermission, ViewTeamPermission,
+                              SuperUserPermission)
+
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from data import model
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
                            log_action, internal_only, require_scope, path_param, query_param,
-                           truthy_bool, parse_args, require_user_admin, show_if, format_date)
+                           truthy_bool, parse_args, require_user_admin, show_if, format_date,
+                           verify_not_prod, require_fresh_login)
 from endpoints.exception import Unauthorized, NotFound, InvalidRequest
 from util.useremails import send_org_invite_email
 from util.names import parse_robot_username
@@ -200,6 +205,57 @@ class OrganizationTeam(ApiResource):
     raise Unauthorized()
 
 
+@resource('/v1/organization/<orgname>/team/<teamname>/syncing')
+@path_param('orgname', 'The name of the organization')
+@path_param('teamname', 'The name of the team')
+class OrganizationTeamSyncing(ApiResource):
+  """ Resource for managing syncing of a team by a backing group. """
+  @require_scope(scopes.ORG_ADMIN)
+  @require_scope(scopes.SUPERUSER)
+  @nickname('enableOrganizationTeamSync')
+  @verify_not_prod
+  @require_fresh_login
+  def post(self, orgname, teamname):
+    # User must be both the org admin AND a superuser.
+    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+      try:
+        team = model.team.get_organization_team(orgname, teamname)
+      except model.InvalidTeamException:
+        raise NotFound()
+
+      config = request.get_json()
+
+      # Ensure that the specified config points to a valid group.
+      status, err = authentication.check_group_lookup_args(config)
+      if not status:
+        raise InvalidRequest('Could not sync to group: %s' % err)
+
+      # Set the team's syncing config.
+      model.team.set_team_syncing(team, authentication.federated_service, config)
+
+      return team_view(orgname, team)
+
+    raise Unauthorized()
+
+  @require_scope(scopes.ORG_ADMIN)
+  @require_scope(scopes.SUPERUSER)
+  @nickname('disableOrganizationTeamSync')
+  @verify_not_prod
+  @require_fresh_login
+  def delete(self, orgname, teamname):
+    # User must be both the org admin AND a superuser.
+    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+      try:
+        team = model.team.get_organization_team(orgname, teamname)
+      except model.InvalidTeamException:
+        raise NotFound()
+
+      model.team.remove_team_syncing(orgname, teamname)
+      return team_view(orgname, team)
+
+    raise Unauthorized()
+
+
 @resource('/v1/organization/<orgname>/team/<teamname>/members')
 @path_param('orgname', 'The name of the organization')
 @path_param('teamname', 'The name of the team')
@@ -231,16 +287,28 @@ class TeamMemberList(ApiResource):
       data = {
         'name': teamname,
         'members': [member_view(m) for m in members] + [invite_view(i) for i in invites],
-        'can_edit': edit_permission.can()
+        'can_edit': edit_permission.can(),
       }
 
-      sync_info = model.team.get_team_sync_information(orgname, teamname)
-      if sync_info is not None:
-        data['synced'] = {
-          'last_updated': format_date(sync_info.last_updated),
-          'service': sync_info.service.name,
-          'config': sync_info.config,
-        }
+      if authentication.federated_service:
+        if SuperUserPermission().can():
+          data['can_sync'] = {
+            'service': authentication.federated_service,
+          }
+
+          data['can_sync'].update(authentication.service_metadata())
+
+        sync_info = model.team.get_team_sync_information(orgname, teamname)
+        if sync_info is not None:
+          data['synced'] = {
+            'service': sync_info.service.name,
+          }
+
+          if SuperUserPermission().can():
+            data['synced'].update({
+              'last_updated': format_date(sync_info.last_updated),
+              'config': json.loads(sync_info.config),
+            })
 
       return data
 
diff --git a/endpoints/api/test/shared.py b/endpoints/api/test/shared.py
index 5b9c2f090..140f6b37e 100644
--- a/endpoints/api/test/shared.py
+++ b/endpoints/api/test/shared.py
@@ -2,15 +2,12 @@ import datetime
 import json
 
 from contextlib import contextmanager
-
 from data import model
 from endpoints.api import api
 
 CSRF_TOKEN_KEY = '_csrf_token'
 CSRF_TOKEN = '123csrfforme'
 
-
-@contextmanager
 def client_with_identity(auth_username, client):
   with client.session_transaction() as sess:
     if auth_username and auth_username is not None:
diff --git a/endpoints/api/test/test_security.py b/endpoints/api/test/test_security.py
index 7d094f44c..dafd9fd0c 100644
--- a/endpoints/api/test/test_security.py
+++ b/endpoints/api/test/test_security.py
@@ -1,14 +1,26 @@
 import pytest
 
+from endpoints.api import api
+from endpoints.api.team import OrganizationTeamSyncing
 from endpoints.api.test.shared import client_with_identity, conduct_api_call
 from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
 from endpoints.api.superuser import SuperUserRepositoryBuildStatus
-from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 
 TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
 BUILD_PARAMS = {'build_uuid': 'test-1234'}
 
 @pytest.mark.parametrize('resource,method,params,body,identity,expected', [
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'freshuser', 403),
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'reader', 403),
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'devtable', 400),
+
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, None, 403),
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'freshuser', 403),
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'reader', 403),
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'devtable', 200),
+
   (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, None, 401),
   (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
   (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'reader', 403),
diff --git a/endpoints/api/test/test_team.py b/endpoints/api/test/test_team.py
new file mode 100644
index 000000000..1f04ed108
--- /dev/null
+++ b/endpoints/api/test/test_team.py
@@ -0,0 +1,35 @@
+import json
+
+from mock import patch
+
+from data import model
+from endpoints.api import api
+from endpoints.api.test.shared import client_with_identity, conduct_api_call
+from endpoints.api.team import OrganizationTeamSyncing
+from test.test_ldap import mock_ldap
+
+TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
+
+def test_team_syncing(client):
+  with mock_ldap() as ldap:
+    with patch('endpoints.api.team.authentication', ldap):
+      cl = client_with_identity('devtable', client)
+      config = {
+        'group_dn': 'cn=AwesomeFolk',
+      }
+
+      conduct_api_call(cl, OrganizationTeamSyncing, 'POST', TEAM_PARAMS, config)
+
+      # Ensure the team is now synced.
+      sync_info = model.team.get_team_sync_information(TEAM_PARAMS['orgname'],
+                                                       TEAM_PARAMS['teamname'])
+      assert sync_info is not None
+      assert json.loads(sync_info.config) == config
+
+      # Remove the syncing.
+      conduct_api_call(cl, OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, None)
+
+      # Ensure the team is no longer synced.
+      sync_info = model.team.get_team_sync_information(TEAM_PARAMS['orgname'],
+                                                       TEAM_PARAMS['teamname'])
+      assert sync_info is None
diff --git a/static/css/pages/team-view.css b/static/css/pages/team-view.css
index 86cb7b6de..dad2fccab 100644
--- a/static/css/pages/team-view.css
+++ b/static/css/pages/team-view.css
@@ -3,6 +3,18 @@
   position: relative;
 }
 
+.team-view .team-sync-table {
+  margin-bottom: 20px;
+}
+
+.team-view .team-sync-table td {
+  padding: 6px;
+}
+
+.team-view .team-sync-table td:first-child {
+  font-weight: bold;
+}
+
 .team-view .team-title {
   vertical-align: middle;
   margin-right: 10px;
@@ -14,10 +26,10 @@
   margin-left: 6px;
 }
 
-.team-view .team-view-header {
+.team-view .team-view-header, .team-view .team-sync-header {
   border-bottom: 1px solid #eee;
-  margin-bottom: 10px;
-  padding-bottom: 10px;
+  margin-bottom: 20px;
+  padding-bottom: 20px;
 }
 
 .team-view .team-view-header button i.fa {
diff --git a/static/directives/team-view-add.html b/static/directives/team-view-add.html
index 88c747d2f..91aa154bb 100644
--- a/static/directives/team-view-add.html
+++ b/static/directives/team-view-add.html
@@ -1,20 +1,26 @@
 <div class="team-view-add-element" focusable-popover-content>
   <div class="entity-search"
-       namespace="orgname" placeholder="allowEmail ? 'Add a registered user, robot or email address to the team' : 'Add a registered user or robot to the team'"
+       namespace="orgname"
+       placeholder="getAddPlaceholder(allowEmail, syncInfo)"
        entity-selected="addNewMember(entity)"
        email-selected="inviteEmail(email)"
        current-entity="selectedMember"
        auto-clear="true"
-       allowed-entities="['user', 'robot']"
+       allowed-entities="allowedEntities"
        pull-right="true"
-       allow-emails="allowEmail"
+       allow-emails="allowEmail && syncInfo"
        email-message="Press enter to invite the entered e-mail address to this team"
        ng-show="!addingMember"></div>
   <div ng-show="addingMember">
     <div class="cor-loader-inline"></div> Inviting team member
   </div>
   <div class="help-text" ng-show="!addingMember">
-  <span ng-if="allowEmail">Search by registry username, robot account name or enter an email address to invite</span>
-  <span ng-if="!allowEmail">Search by registry username or robot account name</span>
+  <span ng-if="!syncInfo">
+    <span ng-if="allowEmail">Search by registry username, robot account name or enter an email address to invite</span>
+    <span ng-if="!allowEmail">Search by registry username or robot account name</span>
+  </span>
+  <span ng-if="syncInfo">
+    Search by robot account name. Users must be added in {{ syncInfo.service }}.
+  </span>
   </div>
 </div>
diff --git a/static/js/pages/team-view.js b/static/js/pages/team-view.js
index 0215ab080..91135163c 100644
--- a/static/js/pages/team-view.js
+++ b/static/js/pages/team-view.js
@@ -14,12 +14,14 @@
     var teamname = $routeParams.teamname;
     var orgname = $routeParams.orgname;
 
+    $scope.context = {};
     $scope.orgname = orgname;
     $scope.teamname = teamname;
     $scope.addingMember = false;
     $scope.memberMap = null;
     $scope.allowEmail = Features.MAILING;
     $scope.feedback = null;
+    $scope.allowedEntities = ['user', 'robot'];
 
     $rootScope.title = 'Loading...';
 
@@ -146,6 +148,39 @@
       }, ApiService.errorDisplay('Cannot remove team member'));
     };
 
+    $scope.getServiceName = function(service) {
+      switch (service) {
+        case 'ldap':
+          return 'LDAP';
+
+        case 'keystone':
+          return 'Keystone Auth';
+
+        case 'jwtauthn':
+          return 'External JWT Auth';
+
+        default:
+          return synced.service;
+      }
+    };
+
+    $scope.getAddPlaceholder = function(email, synced) {
+      var kinds = [];
+
+      if (!synced) {
+        kinds.push('registered user');
+      }
+
+      kinds.push('robot');
+
+      if (email && !synced) {
+        kinds.push('email address');
+      }
+
+      kind_string = kinds.join(', ')
+      return 'Add a ' + kind_string + ' to the team';
+    };
+
     $scope.updateForDescription = function(content) {
       $scope.organization.teams[teamname].description = content;
 
@@ -166,6 +201,48 @@
       });
     };
 
+    $scope.showEnableSyncing = function() {
+      $scope.enableSyncingInfo = {
+        'service_info': $scope.canSync,
+        'config': {}
+      };
+    };
+
+    $scope.showDisableSyncing = function() {
+      msg = 'Are you sure you want to disable group syncing on this team? ' +
+            'The team will once again become editable.';
+      bootbox.confirm(msg, function(result) {
+        if (result) {
+          $scope.disableSyncing();
+        }
+      });
+    };
+
+    $scope.disableSyncing = function() {
+      var params = {
+        'orgname': orgname,
+        'teamname': teamname
+      };
+
+      var errorHandler = ApiService.errorDisplay('Could not disable team syncing');
+      ApiService.disableOrganizationTeamSync(null, params).then(function(resp) {
+        loadMembers();
+      }, errorHandler);
+    };
+
+    $scope.enableSyncing = function(config, callback) {
+      var params = {
+        'orgname': orgname,
+        'teamname': teamname
+      };
+
+      var errorHandler = ApiService.errorDisplay('Cannot enable team syncing', callback);
+      ApiService.enableOrganizationTeamSync(config, params).then(function(resp) {
+        loadMembers();
+        callback(true);
+      }, errorHandler);
+    };
+
     var loadOrganization = function() {
       $scope.orgResource = ApiService.getOrganizationAsResource({'orgname': orgname}).get(function(org) {
         $scope.organization = org;
@@ -187,6 +264,9 @@
       $scope.membersResource = ApiService.getOrganizationTeamMembersAsResource(params).get(function(resp) {
         $scope.members = resp.members;
         $scope.canEditMembers = resp.can_edit;
+        $scope.canSync = resp.can_sync;
+        $scope.syncInfo = resp.synced;
+        $scope.allowedEntities = resp.synced ? ['robot'] : ['user', 'robot'];
 
         $('.info-icon').popover({
           'trigger': 'hover',
diff --git a/static/partials/team-view.html b/static/partials/team-view.html
index 5be2d58c5..c3694ba7a 100644
--- a/static/partials/team-view.html
+++ b/static/partials/team-view.html
@@ -18,6 +18,39 @@
     <div class="co-main-content-panel">
       <div class="feedback-bar" feedback="feedback"></div>
 
+      <div class="team-sync-header" ng-if="canSync && !syncInfo">
+        <div class="section-header">Directory Synchronization</div>
+        <p>Directory synchronization allows this team's user membership to be backed by a group in {{ getServiceName(canSync.service) }}.</p>
+        <button class="btn btn-primary" ng-click="showEnableSyncing()">Enable Directory Synchronization</button>
+      </div>
+
+      <!-- Sync Header -->
+      <div ng-if="syncInfo">
+        <div class="co-alert co-alert-info">
+        This team is synchronized with a group in <strong>{{ getServiceName(syncInfo.service) }}</strong> and its user membership is therefore <strong>read-only</strong>.
+        </div>
+
+        <div class="team-sync-header" ng-if="syncInfo.last_updated">
+          <div class="section-header">Directory Synchronization</div>
+          <table class="team-sync-table">
+          <tr>
+            <td>Bound to group:</td>
+            <td>
+              <div ng-if="syncInfo.service == 'ldap'">
+                <code>{{ syncInfo.config.group_dn }}</code>
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td>Last Updated:</td>
+            <td><span am-time-ago="syncInfo.last_updated"></span> at {{ syncInfo.last_updated | amDateFormat:'dddd, MMMM Do YYYY, h:mm:ss a' }}</td>
+          </tr>
+          </table>
+
+          <button class="btn btn-default" ng-click="showDisableSyncing()">Remove Synchronization</button>
+        </div>
+      </div>
+
       <!-- Description -->
       <div class="section-header">Team Description</div>
       <div class="team-view-header">
@@ -33,12 +66,15 @@
           <div ng-include="'/static/directives/team-view-add.html'" style="max-width: 500px;"></div>
         </div>
       </div>
-      <div class="section-header">Team Members</div>
+      <div class="section-header" style="margin-bottom: 55px;">Team Members</div>
 
       <div class="empty" ng-if="!members.length">
         <div class="empty-primary-msg">This team has no members.</div>
-        <div class="empty-secondary-msg">
-          Click the "Add Team Member" button above to add or invite team members.
+        <div class="empty-secondary-msg" ng-if="!syncInfo">
+          Enter a user or robot above to add or invite to the team.
+        </div>
+        <div class="empty-secondary-msg" ng-if="syncInfo">
+          This team is synchronized with an external group defined in {{ getServiceName(syncInfo.service) }}. To add a user to this team, add them in the backing group. To add a robot account to this team, enter them above.
         </div>
       </div>
 
@@ -46,7 +82,7 @@
         <!-- Team Members -->
         <tr class="co-table-header-row"
             ng-if="(members | filter: filterFunction(false, false)).length">
-          <td colspan="3"><i class="fa fa-user"></i> Team Members</td>
+          <td colspan="3"><i class="fa fa-user"></i> Team Members <span ng-if="syncInfo">(defined in {{ getServiceName(syncInfo.service) }})</span></td>
         </tr>
 
         <tr class="indented-row"
@@ -56,7 +92,7 @@
                   show-avatar="true" avatar-size="24"></span>
           </td>
           <td class="options-col">
-            <span class="cor-options-menu" ng-if="canEditMembers">
+            <span class="cor-options-menu" ng-if="canEditMembers && !syncInfo">
               <span class="cor-option" option-click="removeMember(member.name)">
                 <i class="fa fa-times"></i> Remove {{ member.name }}
               </span>
@@ -122,6 +158,25 @@
   </div>
 </div>
 
+<!-- Directory binding dialog -->
+<div class="cor-confirm-dialog"
+   dialog-context="enableSyncingInfo"
+   dialog-action="enableSyncing(info.config, callback)"
+   dialog-title="Enable Directory Syncing"
+   dialog-action-title="Enable Group Sync"
+   dialog-form="context.syncform">
+   <div class="co-alert co-alert-warning">Please note that once team syncing is enabled, the team's user membership from within <span class="registry-name"></span> will be read-only.</div>
+   <form name="context.syncform" class="co-single-field-dialog">
+     <div ng-switch on="enableSyncingInfo.service_info.service">
+      <div ng-switch-when="ldap">
+        Enter the distinguished name of the group, relative to <code>{{ enableSyncingInfo.service_info.base_dn }}</code>:
+        <input type="text" class="form-control" placeholder="Group DN" ng-model="enableSyncingInfo.config.group_dn" required>
+      </div>
+     </div>
+   </form>
+</div>
+
+
 <!-- Modal message dialog -->
 <div class="modal fade" id="cannotChangeTeamModal">
   <div class="modal-dialog">

From 94b07e6de9768cbaaf4709d7cbf4d35a9c2da47e Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 17 Feb 2017 18:36:56 -0500
Subject: [PATCH 08/30] Allow nulls in last_updated field to accurately report
 the last updated time to users for newly sync teams

---
 data/database.py               | 2 +-
 static/partials/team-view.html | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/data/database.py b/data/database.py
index 37b89a7af..36820053c 100644
--- a/data/database.py
+++ b/data/database.py
@@ -530,7 +530,7 @@ class TeamSync(BaseModel):
   team = ForeignKeyField(Team)
 
   transaction_id = CharField()
-  last_updated = DateTimeField(default=datetime.now, index=True)
+  last_updated = DateTimeField(null=True, index=True)
   service = ForeignKeyField(LoginService)
   config = JSONField()
 
diff --git a/static/partials/team-view.html b/static/partials/team-view.html
index c3694ba7a..02ec3a24e 100644
--- a/static/partials/team-view.html
+++ b/static/partials/team-view.html
@@ -43,7 +43,8 @@
           </tr>
           <tr>
             <td>Last Updated:</td>
-            <td><span am-time-ago="syncInfo.last_updated"></span> at {{ syncInfo.last_updated | amDateFormat:'dddd, MMMM Do YYYY, h:mm:ss a' }}</td>
+            <td ng-if="syncInfo.last_updated"><span am-time-ago="syncInfo.last_updated"></span> at {{ syncInfo.last_updated | amDateFormat:'dddd, MMMM Do YYYY, h:mm:ss a' }}</td>
+            <td ng-if="!syncInfo.last_updated">Never</td>
           </tr>
           </table>
 

From eeadeb9383aaf60a9a5d6d4e3a5a67118fe65237 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 21 Feb 2017 21:07:48 -0500
Subject: [PATCH 09/30] Initial interfaces and support for team syncing worker

---
 data/model/team.py                         |  95 ++++++++++++++-
 data/users/__init__.py                     |   6 +
 data/users/database.py                     |   4 +
 data/users/federated.py                    |  11 +-
 endpoints/api/organization.py              |   6 +-
 endpoints/api/team.py                      |   2 +-
 static/css/core-ui.css                     |  18 ++-
 static/css/directives/ui/teams-manager.css |   4 +
 static/directives/teams-manager.html       |   7 +-
 static/js/directives/ui/teams-manager.js   |   3 +-
 static/partials/team-view.html             |   7 +-
 workers/teamsyncworker.py                  | 134 +++++++++++++++++++++
 12 files changed, 282 insertions(+), 15 deletions(-)
 create mode 100644 workers/teamsyncworker.py

diff --git a/data/model/team.py b/data/model/team.py
index 52a58b842..9def9fdb4 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -1,9 +1,11 @@
 import json
+import uuid
 
+from datetime import datetime
 from peewee import fn
 
 from data.database import (Team, TeamMember, TeamRole, User, TeamMemberInvite, RepositoryPermission,
-                           TeamSync, LoginService)
+                           TeamSync, LoginService, FederatedLogin, db_random_func, db_transaction)
 from data.model import (DataModelException, InvalidTeamException, UserAlreadyInTeam,
                         InvalidTeamMemberException, _basequery)
 from data.text import prefix_search
@@ -192,7 +194,7 @@ def get_matching_teams(team_prefix, organization):
   return query.limit(10)
 
 
-def get_teams_within_org(organization):
+def get_teams_within_org(organization, has_external_auth=False):
   """ Returns a AttrDict of team info (id, name, description), its role under the org,
       the number of repositories on which it has permission, and the number of members.
   """
@@ -209,6 +211,8 @@ def get_teams_within_org(organization):
 
       'repo_count': 0,
       'member_count': 0,
+
+      'is_synced': False,
     }
 
   teams = {team.id: _team_view(team) for team in query}
@@ -236,6 +240,12 @@ def get_teams_within_org(organization):
   for member_tuple in members_tuples:
     teams[member_tuple[0]]['member_count'] = member_tuple[1]
 
+  # Add syncing information.
+  if has_external_auth:
+    sync_query = TeamSync.select(TeamSync.team).where(TeamSync.team << teams.keys())
+    for team_sync in sync_query:
+      teams[team_sync.team_id]['is_synced'] = True
+
   return [AttrDict(team_info) for team_info in teams.values()]
 
 
@@ -374,16 +384,72 @@ def confirm_team_invite(code, user_obj):
   inviter = found.inviter
   return (team, inviter)
 
+
+def list_federated_team_members(team, login_service_name):
+  """ Returns a dict of all federated IDs for all team members in the team whose users are
+      bound to the login service withn the given name. The dictionary is from federated service
+      identifier (username) to their Quay User table ID.
+  """
+  login_service = LoginService.get(name=login_service_name)
+
+  query = (FederatedLogin
+           .select(FederatedLogin.service_ident, User.id)
+           .join(User)
+           .join(TeamMember)
+           .join(Team)
+           .where(Team.id == team, User.robot == False, FederatedLogin.service == login_service))
+  return dict(query.tuples())
+
+
+def list_team_users(team):
+  """ Returns an iterator of all the *users* found in a team. Does not include robots. """
+  return (User
+          .select()
+          .join(TeamMember)
+          .join(Team)
+          .where(Team.id == team, User.robot == False))
+
+
 def set_team_syncing(team, login_service_name, config):
   """ Sets the given team to sync to the given service using the given config. """
   login_service = LoginService.get(name=login_service_name)
   TeamSync.create(team=team, transaction_id='', service=login_service, config=json.dumps(config))
 
+
 def remove_team_syncing(orgname, teamname):
+  """ Removes syncing on the team matching the given organization name and team name. """
   existing = get_team_sync_information(orgname, teamname)
   if existing:
     existing.delete_instance()
 
+
+def get_stale_team(stale_timespan):
+  """ Returns a team that is setup to sync to an external group, and who has not been synced in
+      now - stale_timespan. Returns None if none found.
+  """
+  stale_at = datetime.now() - stale_timespan
+
+  try:
+    candidates = (TeamSync
+                 .select(TeamSync.id)
+                 .where((TeamSync.last_updated <= stale_at) | (TeamSync.last_updated >> None))
+                 .limit(500)
+                 .alias('candidates'))
+
+    found = (TeamSync
+             .select(candidates.c.id)
+             .from_(candidates)
+             .order_by(db_random_func())
+             .get())
+
+    if found is None:
+      return
+
+    return TeamSync.select(TeamSync, Team).join(Team).where(TeamSync.id == found.id).get()
+  except TeamSync.DoesNotExist:
+    return None
+
+
 def get_team_sync_information(orgname, teamname):
   """ Returns the team syncing information for the team with the given name under the organization
       with the given name or None if none.
@@ -400,3 +466,28 @@ def get_team_sync_information(orgname, teamname):
     return query.get()
   except TeamSync.DoesNotExist:
     return None
+
+
+def update_sync_status(team_sync_info):
+  """ Attempts to update the transaction ID and last updated time on a TeamSync object. If the
+      transaction ID on the entry in the DB does not match that found on the object, this method
+      returns False, which indicates another caller updated it first.
+  """
+  new_transaction_id = str(uuid.uuid4())
+  query = (TeamSync
+           .update(transaction_id=new_transaction_id, last_updated=datetime.now())
+           .where(TeamSync.id == team_sync_info.id,
+                  TeamSync.transaction_id == team_sync_info.transaction_id))
+  return query.execute() == 1
+
+
+def delete_members_not_present(team, member_id_set):
+  """ Deletes all members of the given team that are not found in the member ID set. """
+  with db_transaction():
+    user_ids = set([u.id for u in list_team_users(team)])
+    to_delete = list(user_ids - member_id_set)
+    if to_delete:
+      query = TeamMember.delete().where(TeamMember.team == team, TeamMember.user << to_delete)
+      return query.execute()
+
+  return 0
diff --git a/data/users/__init__.py b/data/users/__init__.py
index 7cf3bccef..d53413b74 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -175,6 +175,12 @@ class UserAuthentication(object):
     """
     return self.state.link_user(username_or_email)
 
+  def get_federated_user(self, user_info):
+    """ Returns a tuple containing the database user record linked to the given UserInformation
+        pair and any error that occurred when trying to link the user.
+    """
+    return self.state.get_federated_user(user_info)
+
   def confirm_existing_user(self, username, password):
     """ Verifies that the given password matches to the given DB username. Unlike
         verify_credentials, this call first translates the DB user via the FederatedLogin table
diff --git a/data/users/database.py b/data/users/database.py
index 6e5bf9949..07e327688 100644
--- a/data/users/database.py
+++ b/data/users/database.py
@@ -24,6 +24,10 @@ class DatabaseUsers(object):
     """ Never used since all users being added are already, by definition, in the database. """
     return (None, 'Unsupported for this authentication system')
 
+  def get_federated_user(self, user_info):
+    """ Never used since all users being added are already, by definition, in the database. """
+    return (None, 'Unsupported for this authentication system')
+
   def query_users(self, query, limit):
     """ No need to implement, as we already query for users directly in the database. """
     return (None, '', '')
diff --git a/data/users/federated.py b/data/users/federated.py
index 09d2eb748..fbb982367 100644
--- a/data/users/federated.py
+++ b/data/users/federated.py
@@ -38,11 +38,14 @@ class FederatedUsers(object):
     return (None, 'Not supported')
 
   def link_user(self, username_or_email):
-    (credentials, err_msg) = self.get_user(username_or_email)
-    if credentials is None:
+    (user_info, err_msg) = self.get_user(username_or_email)
+    if user_info is None:
       return (None, err_msg)
 
-    return self._get_federated_user(credentials.username, credentials.email)
+    return self.get_federated_user(user_info)
+
+  def get_federated_user(self, user_info):
+    return self._get_federated_user(user_info.username, user_info.email)
 
   def verify_and_link_user(self, username_or_email, password):
     """ Verifies the given credentials and, if valid, creates/links a database user to the
@@ -111,7 +114,7 @@ class FederatedUsers(object):
                                                  prompts=prompts)
     else:
       # Update the db attributes from the federated service.
-      if email:
+      if email and db_user.email != email:
         db_user.email = email
         db_user.save()
 
diff --git a/endpoints/api/organization.py b/endpoints/api/organization.py
index 854451454..49e3194d9 100644
--- a/endpoints/api/organization.py
+++ b/endpoints/api/organization.py
@@ -6,7 +6,7 @@ from flask import request
 
 import features
 
-from app import billing as stripe, avatar, all_queues
+from app import billing as stripe, avatar, all_queues, authentication
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
                            related_user_resource, internal_only, require_user_admin, log_action,
                            show_if, path_param, require_scope, require_fresh_login)
@@ -33,6 +33,8 @@ def team_view(orgname, team):
 
     'repo_count': team.repo_count,
     'member_count': team.member_count,
+
+    'is_synced': team.is_synced,
   }
 
 
@@ -157,7 +159,7 @@ class Organization(ApiResource):
 
     teams = None
     if OrganizationMemberPermission(orgname).can():
-      teams = model.team.get_teams_within_org(org)
+      teams = model.team.get_teams_within_org(org, bool(authentication.federated_service))
 
     return org_view(org, teams)
 
diff --git a/endpoints/api/team.py b/endpoints/api/team.py
index 80c2ad5ef..42c1f3f3c 100644
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@@ -291,7 +291,7 @@ class TeamMemberList(ApiResource):
       }
 
       if authentication.federated_service:
-        if SuperUserPermission().can():
+        if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
           data['can_sync'] = {
             'service': authentication.federated_service,
           }
diff --git a/static/css/core-ui.css b/static/css/core-ui.css
index 217d31de1..36b2ce342 100644
--- a/static/css/core-ui.css
+++ b/static/css/core-ui.css
@@ -1521,7 +1521,7 @@ a:focus {
   top: 11px;
   left: 12px;
   font-size: 22px;
-  color: #E4C212;
+  color: #FCA657;
 }
 
 .co-alert.co-alert-danger {
@@ -1566,6 +1566,14 @@ a:focus {
   left: 19px;
 }
 
+.co-alert-inline:before {
+  position: relative !important;
+  top: auto !important;
+  left: auto !important;
+  vertical-align: middle;
+  margin-right: 10px;
+}
+
 .co-alert-popin-warning {
   margin-left: 10px;
 }
@@ -1579,6 +1587,14 @@ a:focus {
   }
 }
 
+.co-alert-inline {
+  border: 0px;
+  display: inline-block;
+  background-color: transparent !important;
+  margin: 0px;
+  padding: 4px;
+}
+
 .co-list-table tr td:first-child {
   font-weight: bold;
   padding-right: 10px;
diff --git a/static/css/directives/ui/teams-manager.css b/static/css/directives/ui/teams-manager.css
index a93a844ac..4c7c6e6b5 100644
--- a/static/css/directives/ui/teams-manager.css
+++ b/static/css/directives/ui/teams-manager.css
@@ -111,3 +111,7 @@
   color: #aaa;
   font-size: 14px;
 }
+
+.teams-manager .fa-refresh {
+  color: #aaa;
+}
diff --git a/static/directives/teams-manager.html b/static/directives/teams-manager.html
index 714b5711a..217dcbaef 100644
--- a/static/directives/teams-manager.html
+++ b/static/directives/teams-manager.html
@@ -41,6 +41,7 @@
 
     <table class="co-table" style="margin-top: 10px;">
       <thead>
+        <td class="options-col" ng-if="::Config.AUTHENTICATION_TYPE != 'Database'"></td>
         <td ng-class="TableService.tablePredicateClass('name', options.predicate, options.reverse)">
           <a ng-click="TableService.orderBy('name', options)">Team Name</a>
         </td>
@@ -65,6 +66,9 @@
        <tr class="co-checkable-row"
            ng-repeat="team in orderedTeams.visibleEntries"
            bindonce>
+        <td class="options-col" ng-if="::Config.AUTHENTICATION_TYPE != 'Database'">
+          <i class="fa fa-refresh" ng-if="team.is_synced" data-title="Team is synchronized with a backing group" bs-tooltip></i>
+        </td>
         <td style="white-space: nowrap;">
           <span class="avatar" data="team.avatar" size="24"></span>
           <span bo-show="team.can_view">
@@ -97,7 +101,8 @@
         </td>
         <td>
           <span class="role-group" current-role="team.role" pull-left="true"
-                role-changed="setRole(role, team.name)" roles="teamRoles"></span>
+                role-changed="setRole(role, team.name)" roles="teamRoles"
+                read-only="!organization.is_admin"></span>
         </td>
         <td>
           <span class="cor-options-menu" ng-show="organization.is_admin">
diff --git a/static/js/directives/ui/teams-manager.js b/static/js/directives/ui/teams-manager.js
index 7235c91f2..240eeb5fa 100644
--- a/static/js/directives/ui/teams-manager.js
+++ b/static/js/directives/ui/teams-manager.js
@@ -12,8 +12,9 @@ angular.module('quay').directive('teamsManager', function () {
       'organization': '=organization',
       'isEnabled': '=isEnabled'
     },
-    controller: function($scope, $element, ApiService, $timeout, UserService, TableService, UIService) {
+    controller: function($scope, $element, ApiService, $timeout, UserService, TableService, UIService, Config) {
       $scope.TableService = TableService;
+      $scope.Config = Config;
 
       $scope.options = {
         'predicate': 'ordered_team_index',
diff --git a/static/partials/team-view.html b/static/partials/team-view.html
index 02ec3a24e..6da8e07c3 100644
--- a/static/partials/team-view.html
+++ b/static/partials/team-view.html
@@ -30,7 +30,7 @@
         This team is synchronized with a group in <strong>{{ getServiceName(syncInfo.service) }}</strong> and its user membership is therefore <strong>read-only</strong>.
         </div>
 
-        <div class="team-sync-header" ng-if="syncInfo.last_updated">
+        <div class="team-sync-header" ng-if="syncInfo.config">
           <div class="section-header">Directory Synchronization</div>
           <table class="team-sync-table">
           <tr>
@@ -44,11 +44,12 @@
           <tr>
             <td>Last Updated:</td>
             <td ng-if="syncInfo.last_updated"><span am-time-ago="syncInfo.last_updated"></span> at {{ syncInfo.last_updated | amDateFormat:'dddd, MMMM Do YYYY, h:mm:ss a' }}</td>
-            <td ng-if="!syncInfo.last_updated">Never</td>
+            <td ng-if="!syncInfo.last_updated" style="color: #aaa;">Never</td>
           </tr>
           </table>
 
-          <button class="btn btn-default" ng-click="showDisableSyncing()">Remove Synchronization</button>
+          <button class="btn btn-default" ng-click="showDisableSyncing()" ng-if="canSync">Remove Synchronization</button>
+          <div ng-if="!canSync" class="co-alert co-alert-warning co-alert-inline">You must be an admin of this organization to disable team synchronization</div>
         </div>
       </div>
 
diff --git a/workers/teamsyncworker.py b/workers/teamsyncworker.py
new file mode 100644
index 000000000..d658bd64f
--- /dev/null
+++ b/workers/teamsyncworker.py
@@ -0,0 +1,134 @@
+import logging
+import time
+import json
+
+from app import app, authentication
+from data import model
+from workers.worker import Worker
+from util.timedeltastring import convert_to_timedelta
+
+logger = logging.getLogger(__name__)
+
+WORKER_FREQUENCY = app.config.get('TEAM_SYNC_WORKER_FREQUENCY', 10)
+STALE_CUTOFF = convert_to_timedelta(app.config.get('TEAM_RESYNC_STALE_TIME', '30s'))
+
+class TeamSynchronizationWorker(Worker):
+  """ Worker which synchronizes teams with their backing groups in LDAP/Keystone/etc.
+  """
+  def __init__(self):
+    super(TeamSynchronizationWorker, self).__init__()
+    self.add_operation(self._sync_teams_to_groups, WORKER_FREQUENCY)
+
+  def _sync_teams_to_groups(self):
+    logger.debug('Looking up teams to sync to groups')
+
+    sync_team_tried = set()
+    while True:
+      # Find a stale team.
+      stale_team_sync = model.team.get_stale_team(STALE_CUTOFF)
+      if not stale_team_sync:
+        logger.debug('No additional stale team found; sleeping')
+        return
+
+      # Make sure we don't try to reprocess a team on this iteration.
+      if stale_team_sync.id in sync_team_tried:
+        continue
+
+      sync_team_tried.add(stale_team_sync.id)
+
+      sync_config = json.loads(stale_team_sync.config)
+      logger.info('Syncing team `%s` under organization %s via %s (#%s)', stale_team_sync.team.name,
+                  stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
+
+      # Load all the existing members of the team in Quay that are bound to the auth service.
+      existing_users = model.team.list_federated_team_members(stale_team_sync.team,
+                                                              authentication.federated_service)
+
+      logger.debug('Existing membership of %s for team `%s` under organization %s via %s (#%s)',
+                   len(existing_users), stale_team_sync.team.name,
+                   stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
+
+      # Load all the members of the team from the authenication system.
+      (member_iterator, err) = authentication.iterate_group_members(sync_config)
+      if err is not None:
+        logger.error('Got error when trying to iterate group members with config %s: %s',
+                     sync_config, err)
+        continue
+
+      # Collect all the members currently found in the group, adding them to the team as we go
+      # along.
+      group_membership = set()
+      for (member_info, err) in member_iterator:
+        if err is not None:
+          logger.error('Got error when trying to construct a member: %s', err)
+          continue
+
+        # If the member is already in the team, nothing more to do.
+        if member_info.username in existing_users:
+          logger.debug('Member %s already in team `%s` under organization %s via %s (#%s)',
+                       member_info.username, stale_team_sync.team.name,
+                       stale_team_sync.team.organization.username, sync_config,
+                       stale_team_sync.team_id)
+
+          group_membership.add(existing_users[member_info.username])
+          continue
+
+        # Retrieve the Quay user associated with the member info.
+        (quay_user, err) = authentication.get_federated_user(member_info)
+        if err is not None:
+          logger.error('Could not link external user %s to an internal user: %s',
+                       member_info.username, err)
+          continue
+
+        # Add the user to the membership set.
+        group_membership.add(quay_user.id)
+
+        # Add the user to the team.
+        try:
+          logger.info('Adding member %s to team `%s` under organization %s via %s (#%s)',
+                      quay_user.username, stale_team_sync.team.name,
+                      stale_team_sync.team.organization.username, sync_config,
+                      stale_team_sync.team_id)
+
+          model.team.add_user_to_team(quay_user, stale_team_sync.team)
+        except model.UserAlreadyInTeam:
+          # If the user is already present, nothing more to do for them.
+          pass
+
+      # Update the transaction and last_updated time of the team sync. Only if it matches
+      # the current value will we then perform the deletion step.
+      result = model.team.update_sync_status(stale_team_sync)
+      if not result:
+        # Another worker updated this team. Nothing more to do.
+        logger.debug('Another worker synced team `%s` under organization %s via %s (#%s)',
+                     stale_team_sync.team.name,
+                     stale_team_sync.team.organization.username, sync_config,
+                     stale_team_sync.team_id)
+        continue
+
+      # Delete any team members not found in the backing auth system.
+      logger.debug('Deleting stale members for team `%s` under organization %s via %s (#%s)',
+                   stale_team_sync.team.name, stale_team_sync.team.organization.username,
+                   sync_config, stale_team_sync.team_id)
+
+      deleted = model.team.delete_members_not_present(stale_team_sync.team, group_membership)
+
+      # Done!
+      logger.info('Finishing sync for team `%s` under organization %s via %s (#%s): %s deleted',
+                  stale_team_sync.team.name, stale_team_sync.team.organization.username,
+                  sync_config, stale_team_sync.team_id, deleted)
+
+def main():
+  logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
+
+  if not authentication.federated_service:
+    logger.debug('No federated auth is used; sleeping')
+    while True:
+      time.sleep(100000)
+
+  worker = TeamSynchronizationWorker()
+  worker.start()
+
+
+if __name__ == "__main__":
+  main()

From b683088f87a4a43327a04ca27694ad8b609ce48b Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 22 Feb 2017 15:23:52 -0500
Subject: [PATCH 10/30] Update tests for teams API

---
 endpoints/api/test/shared.py    |  2 +
 endpoints/api/test/test_team.py | 88 ++++++++++++++++++++++++++-------
 initdb.py                       | 12 +++++
 test/test_api_usage.py          |  2 +-
 4 files changed, 85 insertions(+), 19 deletions(-)

diff --git a/endpoints/api/test/shared.py b/endpoints/api/test/shared.py
index 140f6b37e..3d1f0cffa 100644
--- a/endpoints/api/test/shared.py
+++ b/endpoints/api/test/shared.py
@@ -8,6 +8,8 @@ from endpoints.api import api
 CSRF_TOKEN_KEY = '_csrf_token'
 CSRF_TOKEN = '123csrfforme'
 
+
+@contextmanager
 def client_with_identity(auth_username, client):
   with client.session_transaction() as sess:
     if auth_username and auth_username is not None:
diff --git a/endpoints/api/test/test_team.py b/endpoints/api/test/test_team.py
index 1f04ed108..36a4d95a1 100644
--- a/endpoints/api/test/test_team.py
+++ b/endpoints/api/test/test_team.py
@@ -5,31 +5,83 @@ from mock import patch
 from data import model
 from endpoints.api import api
 from endpoints.api.test.shared import client_with_identity, conduct_api_call
-from endpoints.api.team import OrganizationTeamSyncing
+from endpoints.api.team import OrganizationTeamSyncing, TeamMemberList
+from endpoints.api.organization import Organization
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 from test.test_ldap import mock_ldap
 
-TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
+SYNCED_TEAM_PARAMS = {'orgname': 'sellnsmall', 'teamname': 'synced'}
+UNSYNCED_TEAM_PARAMS = {'orgname': 'sellnsmall', 'teamname': 'owners'}
 
 def test_team_syncing(client):
   with mock_ldap() as ldap:
     with patch('endpoints.api.team.authentication', ldap):
-      cl = client_with_identity('devtable', client)
-      config = {
-        'group_dn': 'cn=AwesomeFolk',
-      }
+      with client_with_identity('devtable', client) as cl:
+        config = {
+          'group_dn': 'cn=AwesomeFolk',
+        }
 
-      conduct_api_call(cl, OrganizationTeamSyncing, 'POST', TEAM_PARAMS, config)
+        conduct_api_call(cl, OrganizationTeamSyncing, 'POST', UNSYNCED_TEAM_PARAMS, config)
 
-      # Ensure the team is now synced.
-      sync_info = model.team.get_team_sync_information(TEAM_PARAMS['orgname'],
-                                                       TEAM_PARAMS['teamname'])
-      assert sync_info is not None
-      assert json.loads(sync_info.config) == config
+        # Ensure the team is now synced.
+        sync_info = model.team.get_team_sync_information(UNSYNCED_TEAM_PARAMS['orgname'],
+                                                         UNSYNCED_TEAM_PARAMS['teamname'])
+        assert sync_info is not None
+        assert json.loads(sync_info.config) == config
 
-      # Remove the syncing.
-      conduct_api_call(cl, OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, None)
+        # Remove the syncing.
+        conduct_api_call(cl, OrganizationTeamSyncing, 'DELETE', UNSYNCED_TEAM_PARAMS, None)
 
-      # Ensure the team is no longer synced.
-      sync_info = model.team.get_team_sync_information(TEAM_PARAMS['orgname'],
-                                                       TEAM_PARAMS['teamname'])
-      assert sync_info is None
+        # Ensure the team is no longer synced.
+        sync_info = model.team.get_team_sync_information(UNSYNCED_TEAM_PARAMS['orgname'],
+                                                         UNSYNCED_TEAM_PARAMS['teamname'])
+        assert sync_info is None
+
+
+def test_team_member_sync_info(client):
+  with mock_ldap() as ldap:
+    with patch('endpoints.api.team.authentication', ldap):
+      # Check for an unsynced team, with superuser.
+      with client_with_identity('devtable', client) as cl:
+        resp = conduct_api_call(cl, TeamMemberList, 'GET', UNSYNCED_TEAM_PARAMS)
+        assert 'can_sync' in resp.json
+        assert resp.json['can_sync']['service'] == 'ldap'
+
+        assert 'synced' not in resp.json
+
+      # Check for an unsynced team, with non-superuser.
+      with client_with_identity('randomuser', client) as cl:
+        resp = conduct_api_call(cl, TeamMemberList, 'GET', UNSYNCED_TEAM_PARAMS)
+        assert 'can_sync' not in resp.json
+        assert 'synced' not in resp.json
+
+      # Check for a synced team, with superuser.
+      with client_with_identity('devtable', client) as cl:
+        resp = conduct_api_call(cl, TeamMemberList, 'GET', SYNCED_TEAM_PARAMS)
+        assert 'can_sync' in resp.json
+        assert resp.json['can_sync']['service'] == 'ldap'
+
+        assert 'synced' in resp.json
+        assert 'last_updated' in resp.json['synced']
+        assert 'group_dn' in resp.json['synced']['config']
+
+      # Check for a synced team, with non-superuser.
+      with client_with_identity('randomuser', client) as cl:
+        resp = conduct_api_call(cl, TeamMemberList, 'GET', SYNCED_TEAM_PARAMS)
+        assert 'can_sync' not in resp.json
+
+        assert 'synced' in resp.json
+        assert 'last_updated' not in resp.json['synced']
+        assert 'config' not in resp.json['synced']
+
+
+def test_organization_teams_sync_bool(client):
+  with mock_ldap() as ldap:
+    with patch('endpoints.api.organization.authentication', ldap):
+      # Ensure synced teams are marked as such in the organization teams list.
+      with client_with_identity('devtable', client) as cl:
+        resp = conduct_api_call(cl, Organization, 'GET', {'orgname': 'sellnsmall'})
+
+        assert not resp.json['teams']['owners']['is_synced']
+
+        assert resp.json['teams']['synced']['is_synced']
diff --git a/initdb.py b/initdb.py
index f8ce513ab..d13b0a058 100644
--- a/initdb.py
+++ b/initdb.py
@@ -657,6 +657,9 @@ def populate_database(minimal=False, with_storage=False):
   liborg = model.organization.create_organization('library', 'quay+library@devtable.com', new_user_1)
   liborg.save()
 
+  thirdorg = model.organization.create_organization('sellnsmall', 'quay+sell@devtable.com', new_user_1)
+  thirdorg.save()
+
   model.user.create_robot('coolrobot', org)
 
   oauth_app_1 = model.oauth.create_application(org, 'Some Test App', 'http://localhost:8000',
@@ -700,9 +703,18 @@ def populate_database(minimal=False, with_storage=False):
   model.team.add_user_to_team(creatorbot, creators)
   model.team.add_user_to_team(creatoruser, creators)
 
+  sell_owners = model.team.get_organization_team('sellnsmall', 'owners')
+  sell_owners.description = 'Owners have unfettered access across the entire org.'
+  sell_owners.save()
+
+  model.team.add_user_to_team(new_user_4, sell_owners)
+
   synced_team = model.team.create_team('synced', org, 'member', 'Some synced team.')
   model.team.set_team_syncing(synced_team, 'ldap', {'group_dn': 'cn=Test-Group,ou=Users'})
 
+  another_synced_team = model.team.create_team('synced', thirdorg, 'member', 'Some synced team.')
+  model.team.set_team_syncing(another_synced_team, 'ldap', {'group_dn': 'cn=Test-Group,ou=Users'})
+
   __generate_repository(with_storage, new_user_1, 'superwide', None, False, [],
                         [(10, [], 'latest2'),
                          (2, [], 'latest3'),
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 52dabbaaa..8066d83e3 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -1007,7 +1007,7 @@ class TestConductSearch(ApiTestCase):
     json = self.getJsonResponse(ConductSearch,
                                 params=dict(query='owners'))
 
-    self.assertEquals(2, len(json['results']))
+    self.assertEquals(3, len(json['results']))
     self.assertEquals(json['results'][0]['kind'], 'team')
     self.assertEquals(json['results'][0]['name'], 'owners')
 

From 938730c0760e84139baeda0656ab3488ff33d45e Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 22 Feb 2017 18:34:05 -0500
Subject: [PATCH 11/30] Move sync team into its own module and add tests

---
 data/model/team.py               |   9 ++
 data/users/teamsync.py           | 119 +++++++++++++++++
 data/users/test/test_teamsync.py | 220 +++++++++++++++++++++++++++++++
 workers/teamsyncworker.py        | 100 +-------------
 4 files changed, 350 insertions(+), 98 deletions(-)
 create mode 100644 data/users/teamsync.py
 create mode 100644 data/users/test/test_teamsync.py

diff --git a/data/model/team.py b/data/model/team.py
index 9def9fdb4..0ca4cf328 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -410,6 +410,15 @@ def list_team_users(team):
           .where(Team.id == team, User.robot == False))
 
 
+def list_team_robots(team):
+  """ Returns an iterator of all the *robots* found in a team. Does not include users. """
+  return (User
+          .select()
+          .join(TeamMember)
+          .join(Team)
+          .where(Team.id == team, User.robot == True))
+
+
 def set_team_syncing(team, login_service_name, config):
   """ Sets the given team to sync to the given service using the given config. """
   login_service = LoginService.get(name=login_service_name)
diff --git a/data/users/teamsync.py b/data/users/teamsync.py
new file mode 100644
index 000000000..b44d600e8
--- /dev/null
+++ b/data/users/teamsync.py
@@ -0,0 +1,119 @@
+import logging
+import json
+
+from data import model
+
+logger = logging.getLogger(__name__)
+
+
+def sync_teams_to_groups(authentication, stale_cutoff):
+  """ Performs team syncing by looking up any stale team(s) found, and performing the sync
+      operation on them.
+  """
+  logger.debug('Looking up teams to sync to groups')
+
+  sync_team_tried = set()
+  while True:
+    # Find a stale team.
+    stale_team_sync = model.team.get_stale_team(stale_cutoff)
+    if not stale_team_sync:
+      logger.debug('No additional stale team found; sleeping')
+      return
+
+    # Make sure we don't try to reprocess a team on this iteration.
+    if stale_team_sync.id in sync_team_tried:
+      break
+
+    sync_team_tried.add(stale_team_sync.id)
+
+    # Sync the team.
+    if not sync_team(authentication, stale_team_sync):
+      return
+
+
+def sync_team(authentication, stale_team_sync):
+  """ Performs synchronization of a team (as referenced by the TeamSync stale_team_sync).
+      Returns True on success and False otherwise.
+  """
+  sync_config = json.loads(stale_team_sync.config)
+  logger.info('Syncing team `%s` under organization %s via %s (#%s)', stale_team_sync.team.name,
+              stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
+
+  # Load all the existing members of the team in Quay that are bound to the auth service.
+  existing_users = model.team.list_federated_team_members(stale_team_sync.team,
+                                                          authentication.federated_service)
+
+  logger.debug('Existing membership of %s for team `%s` under organization %s via %s (#%s)',
+               len(existing_users), stale_team_sync.team.name,
+               stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
+
+  # Load all the members of the team from the authenication system.
+  (member_iterator, err) = authentication.iterate_group_members(sync_config)
+  if err is not None:
+    logger.error('Got error when trying to iterate group members with config %s: %s',
+                 sync_config, err)
+    return False
+
+  # Collect all the members currently found in the group, adding them to the team as we go
+  # along.
+  group_membership = set()
+  for (member_info, err) in member_iterator:
+    if err is not None:
+      logger.error('Got error when trying to construct a member: %s', err)
+      continue
+
+    # If the member is already in the team, nothing more to do.
+    if member_info.username in existing_users:
+      logger.debug('Member %s already in team `%s` under organization %s via %s (#%s)',
+                   member_info.username, stale_team_sync.team.name,
+                   stale_team_sync.team.organization.username, sync_config,
+                   stale_team_sync.team_id)
+
+      group_membership.add(existing_users[member_info.username])
+      continue
+
+    # Retrieve the Quay user associated with the member info.
+    (quay_user, err) = authentication.get_federated_user(member_info)
+    if err is not None:
+      logger.error('Could not link external user %s to an internal user: %s',
+                   member_info.username, err)
+      continue
+
+    # Add the user to the membership set.
+    group_membership.add(quay_user.id)
+
+    # Add the user to the team.
+    try:
+      logger.info('Adding member %s to team `%s` under organization %s via %s (#%s)',
+                  quay_user.username, stale_team_sync.team.name,
+                  stale_team_sync.team.organization.username, sync_config,
+                  stale_team_sync.team_id)
+
+      model.team.add_user_to_team(quay_user, stale_team_sync.team)
+    except model.UserAlreadyInTeam:
+      # If the user is already present, nothing more to do for them.
+      pass
+
+  # Update the transaction and last_updated time of the team sync. Only if it matches
+  # the current value will we then perform the deletion step.
+  result = model.team.update_sync_status(stale_team_sync)
+  if not result:
+    # Another worker updated this team. Nothing more to do.
+    logger.debug('Another worker synced team `%s` under organization %s via %s (#%s)',
+                 stale_team_sync.team.name,
+                 stale_team_sync.team.organization.username, sync_config,
+                 stale_team_sync.team_id)
+    return True
+
+  # Delete any team members not found in the backing auth system.
+  logger.debug('Deleting stale members for team `%s` under organization %s via %s (#%s)',
+               stale_team_sync.team.name, stale_team_sync.team.organization.username,
+               sync_config, stale_team_sync.team_id)
+
+  deleted = model.team.delete_members_not_present(stale_team_sync.team, group_membership)
+
+  # Done!
+  logger.info('Finishing sync for team `%s` under organization %s via %s (#%s): %s deleted',
+              stale_team_sync.team.name, stale_team_sync.team.organization.username,
+              sync_config, stale_team_sync.team_id, deleted)
+  return True
diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
new file mode 100644
index 000000000..d51739d15
--- /dev/null
+++ b/data/users/test/test_teamsync.py
@@ -0,0 +1,220 @@
+import pytest
+
+from datetime import timedelta
+from mock import patch
+
+from data import model, database
+from data.users.federated import FederatedUsers, UserInformation
+from data.users.teamsync import sync_team, sync_teams_to_groups
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from util.names import parse_robot_username
+
+_FAKE_AUTH = 'fake'
+
+class FakeUsers(FederatedUsers):
+  def __init__(self, group_members):
+    super(FakeUsers, self).__init__(_FAKE_AUTH, False)
+    self.group_tuples = [(m, None) for m in group_members]
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    return (self.group_tuples, None)
+
+
+@pytest.mark.parametrize('starting_membership,group_membership,expected_membership', [
+  # Empty team + single member in group => Single member in team.
+  ([],
+   [
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+   ],
+   ['someuser']),
+
+  # Team with a Quay user + empty group => empty team.
+  ([('someuser', None)],
+   [],
+   []),
+
+  # Team with an existing external user + user is in the group => no changes.
+  ([
+    ('someuser', 'someuser'),
+   ],
+   [
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+   ],
+   ['someuser']),
+
+  # Team with an existing external user (with a different Quay username) + user is in the group.
+  # => no changes
+  ([
+    ('anotherquayname', 'someuser'),
+   ],
+   [
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+   ],
+   ['someuser']),
+
+  # Team missing a few members that are in the group => members added.
+  ([('someuser', 'someuser')],
+   [
+     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+     UserInformation('thirduser', 'thirduser', 'thirduser@devtable.com'),
+   ],
+   ['anotheruser', 'someuser', 'thirduser']),
+
+  # Team has a few extra members no longer in the group => members removed.
+  ([
+    ('anotheruser', 'anotheruser'),
+    ('someuser', 'someuser'),
+    ('thirduser', 'thirduser'),
+    ('nontestuser', None),
+   ],
+   [
+     UserInformation('thirduser', 'thirduser', 'thirduser@devtable.com'),
+   ],
+   ['thirduser']),
+
+  # Team has different membership than the group => members added and removed.
+  ([
+    ('anotheruser', 'anotheruser'),
+    ('someuser', 'someuser'),
+    ('nontestuser', None),
+   ],
+   [
+     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
+     UserInformation('missinguser', 'missinguser', 'missinguser@devtable.com'),
+   ],
+   ['anotheruser', 'missinguser']),
+
+  # Team has same membership but some robots => robots remain and no other changes.
+  ([
+    ('someuser', 'someuser'),
+    ('buynlarge+anotherbot', None),
+    ('buynlarge+somerobot', None),
+   ],
+   [
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+   ],
+   ['someuser', 'buynlarge+somerobot', 'buynlarge+anotherbot']),
+
+  # Team has an extra member and some robots => member removed and robots remain.
+  ([
+    ('someuser', 'someuser'),
+    ('buynlarge+anotherbot', None),
+    ('buynlarge+somerobot', None),
+   ],
+   [
+     # No members.
+   ],
+   ['buynlarge+somerobot', 'buynlarge+anotherbot']),
+
+  # Team has a different member and some robots => member changed and robots remain.
+  ([
+    ('someuser', 'someuser'),
+    ('buynlarge+anotherbot', None),
+    ('buynlarge+somerobot', None),
+   ],
+   [
+     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
+   ],
+   ['anotheruser', 'buynlarge+somerobot', 'buynlarge+anotherbot']),
+
+  # Team with an existing external user (with a different Quay username) + user is in the group.
+  # => no changes and robots remain.
+  ([
+    ('anotherquayname', 'someuser'),
+    ('buynlarge+anotherbot', None),
+   ],
+   [
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+   ],
+   ['someuser', 'buynlarge+anotherbot']),
+])
+def test_syncing(starting_membership, group_membership, expected_membership, app):
+  org = model.organization.get_organization('buynlarge')
+
+  # Necessary for the fake auth entries to be created in FederatedLogin.
+  database.LoginService.create(name=_FAKE_AUTH)
+
+  # Assert the team is empty, so we have a clean slate.
+  sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  assert len(list(model.team.list_team_users(sync_team_info.team))) == 0
+
+  # Add the existing starting members to the team.
+  for starting_member in starting_membership:
+    (quay_username, fakeauth_username) = starting_member
+    if '+' in quay_username:
+      # Add a robot.
+      (_, shortname) = parse_robot_username(quay_username)
+      robot, _ = model.user.create_robot(shortname, org)
+      model.team.add_user_to_team(robot, sync_team_info.team)
+    else:
+      email = quay_username + '@devtable.com'
+
+      if fakeauth_username is None:
+        quay_user = model.user.create_user_noverify(quay_username, email)
+      else:
+        quay_user = model.user.create_federated_user(quay_username, email, _FAKE_AUTH,
+                                                     fakeauth_username, False)
+
+      model.team.add_user_to_team(quay_user, sync_team_info.team)
+
+  # Call syncing on the team.
+  fake_auth = FakeUsers(group_membership)
+  assert sync_team(fake_auth, sync_team_info)
+
+  # Ensure the last updated time and transaction_id's have changed.
+  updated_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  assert updated_sync_info.last_updated is not None
+  assert updated_sync_info.transaction_id != sync_team_info.transaction_id
+
+  users_expected = set([name for name in expected_membership if '+' not in name])
+  robots_expected = set([name for name in expected_membership if '+' in name])
+  assert len(users_expected) + len(robots_expected) == len(expected_membership)
+
+  # Check that the team's users match those expected.
+  service_user_map = model.team.list_federated_team_members(sync_team_info.team, _FAKE_AUTH)
+  assert set(service_user_map.keys()) == users_expected
+
+  quay_users = model.team.list_team_users(sync_team_info.team)
+  assert len(quay_users) == len(users_expected)
+
+  for quay_user in quay_users:
+    fakeauth_record = model.user.lookup_federated_login(quay_user, _FAKE_AUTH)
+    assert fakeauth_record is not None
+    assert fakeauth_record.service_ident in users_expected
+    assert service_user_map[fakeauth_record.service_ident] == quay_user.id
+
+  # Check that the team's robots match those expected.
+  robots_found = set([r.username for r in model.team.list_team_robots(sync_team_info.team)])
+  assert robots_expected == robots_found
+
+
+def test_sync_teams_to_groups(app):
+  # Necessary for the fake auth entries to be created in FederatedLogin.
+  database.LoginService.create(name=_FAKE_AUTH)
+
+  # Assert the team has not yet been updated.
+  sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  assert sync_team_info.last_updated is None
+
+  # Call to sync all teams.
+  fake_auth = FakeUsers([])
+  sync_teams_to_groups(fake_auth, timedelta(seconds=1))
+
+  # Ensure the team was synced.
+  updated_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  assert updated_sync_info.last_updated is not None
+  assert updated_sync_info.transaction_id != sync_team_info.transaction_id
+
+  # Set the stale threshold to a high amount and ensure the team is not resynced.
+  sync_teams_to_groups(fake_auth, timedelta(seconds=120))
+
+  third_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  assert third_sync_info.last_updated == updated_sync_info.last_updated
+  assert third_sync_info.transaction_id == updated_sync_info.transaction_id
+
+  # Set the stale threshold to -1 seconds, and ensure the team is resynced.
+  sync_teams_to_groups(fake_auth, timedelta(seconds=-1))
+
+  fourth_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  assert fourth_sync_info.transaction_id != updated_sync_info.transaction_id
diff --git a/workers/teamsyncworker.py b/workers/teamsyncworker.py
index d658bd64f..225118834 100644
--- a/workers/teamsyncworker.py
+++ b/workers/teamsyncworker.py
@@ -1,9 +1,8 @@
 import logging
 import time
-import json
 
 from app import app, authentication
-from data import model
+from data.users.teamsync import sync_teams_to_groups
 from workers.worker import Worker
 from util.timedeltastring import convert_to_timedelta
 
@@ -20,103 +19,8 @@ class TeamSynchronizationWorker(Worker):
     self.add_operation(self._sync_teams_to_groups, WORKER_FREQUENCY)
 
   def _sync_teams_to_groups(self):
-    logger.debug('Looking up teams to sync to groups')
+    sync_teams_to_groups(authentication, STALE_CUTOFF)
 
-    sync_team_tried = set()
-    while True:
-      # Find a stale team.
-      stale_team_sync = model.team.get_stale_team(STALE_CUTOFF)
-      if not stale_team_sync:
-        logger.debug('No additional stale team found; sleeping')
-        return
-
-      # Make sure we don't try to reprocess a team on this iteration.
-      if stale_team_sync.id in sync_team_tried:
-        continue
-
-      sync_team_tried.add(stale_team_sync.id)
-
-      sync_config = json.loads(stale_team_sync.config)
-      logger.info('Syncing team `%s` under organization %s via %s (#%s)', stale_team_sync.team.name,
-                  stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
-
-      # Load all the existing members of the team in Quay that are bound to the auth service.
-      existing_users = model.team.list_federated_team_members(stale_team_sync.team,
-                                                              authentication.federated_service)
-
-      logger.debug('Existing membership of %s for team `%s` under organization %s via %s (#%s)',
-                   len(existing_users), stale_team_sync.team.name,
-                   stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
-
-      # Load all the members of the team from the authenication system.
-      (member_iterator, err) = authentication.iterate_group_members(sync_config)
-      if err is not None:
-        logger.error('Got error when trying to iterate group members with config %s: %s',
-                     sync_config, err)
-        continue
-
-      # Collect all the members currently found in the group, adding them to the team as we go
-      # along.
-      group_membership = set()
-      for (member_info, err) in member_iterator:
-        if err is not None:
-          logger.error('Got error when trying to construct a member: %s', err)
-          continue
-
-        # If the member is already in the team, nothing more to do.
-        if member_info.username in existing_users:
-          logger.debug('Member %s already in team `%s` under organization %s via %s (#%s)',
-                       member_info.username, stale_team_sync.team.name,
-                       stale_team_sync.team.organization.username, sync_config,
-                       stale_team_sync.team_id)
-
-          group_membership.add(existing_users[member_info.username])
-          continue
-
-        # Retrieve the Quay user associated with the member info.
-        (quay_user, err) = authentication.get_federated_user(member_info)
-        if err is not None:
-          logger.error('Could not link external user %s to an internal user: %s',
-                       member_info.username, err)
-          continue
-
-        # Add the user to the membership set.
-        group_membership.add(quay_user.id)
-
-        # Add the user to the team.
-        try:
-          logger.info('Adding member %s to team `%s` under organization %s via %s (#%s)',
-                      quay_user.username, stale_team_sync.team.name,
-                      stale_team_sync.team.organization.username, sync_config,
-                      stale_team_sync.team_id)
-
-          model.team.add_user_to_team(quay_user, stale_team_sync.team)
-        except model.UserAlreadyInTeam:
-          # If the user is already present, nothing more to do for them.
-          pass
-
-      # Update the transaction and last_updated time of the team sync. Only if it matches
-      # the current value will we then perform the deletion step.
-      result = model.team.update_sync_status(stale_team_sync)
-      if not result:
-        # Another worker updated this team. Nothing more to do.
-        logger.debug('Another worker synced team `%s` under organization %s via %s (#%s)',
-                     stale_team_sync.team.name,
-                     stale_team_sync.team.organization.username, sync_config,
-                     stale_team_sync.team_id)
-        continue
-
-      # Delete any team members not found in the backing auth system.
-      logger.debug('Deleting stale members for team `%s` under organization %s via %s (#%s)',
-                   stale_team_sync.team.name, stale_team_sync.team.organization.username,
-                   sync_config, stale_team_sync.team_id)
-
-      deleted = model.team.delete_members_not_present(stale_team_sync.team, group_membership)
-
-      # Done!
-      logger.info('Finishing sync for team `%s` under organization %s via %s (#%s): %s deleted',
-                  stale_team_sync.team.name, stale_team_sync.team.organization.username,
-                  sync_config, stale_team_sync.team_id, deleted)
 
 def main():
   logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)

From 4055158fc4853de8d6d3a34ec949ed7c905e627c Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 23 Feb 2017 13:04:03 -0500
Subject: [PATCH 12/30] Fix indentation

---
 data/model/team.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/model/team.py b/data/model/team.py
index 0ca4cf328..f314a4c22 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -440,10 +440,10 @@ def get_stale_team(stale_timespan):
 
   try:
     candidates = (TeamSync
-                 .select(TeamSync.id)
-                 .where((TeamSync.last_updated <= stale_at) | (TeamSync.last_updated >> None))
-                 .limit(500)
-                 .alias('candidates'))
+                  .select(TeamSync.id)
+                  .where((TeamSync.last_updated <= stale_at) | (TeamSync.last_updated >> None))
+                  .limit(500)
+                  .alias('candidates'))
 
     found = (TeamSync
              .select(candidates.c.id)

From 96b9d6b0cd986e803a8742e45fa08c4f05b1a653 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 23 Feb 2017 13:10:11 -0500
Subject: [PATCH 13/30] Add end-to-end test for team sync

---
 data/users/test/test_teamsync.py | 14 ++++++++++++++
 test/test_keystone_auth.py       |  4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index d51739d15..ffbb96b72 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -9,6 +9,8 @@ from data.users.teamsync import sync_team, sync_teams_to_groups
 from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 from util.names import parse_robot_username
 
+from test.test_ldap import mock_ldap
+
 _FAKE_AUTH = 'fake'
 
 class FakeUsers(FederatedUsers):
@@ -218,3 +220,15 @@ def test_sync_teams_to_groups(app):
 
   fourth_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
   assert fourth_sync_info.transaction_id != updated_sync_info.transaction_id
+
+
+@pytest.mark.parametrize('auth_system_builder', [
+  mock_ldap,
+])
+def test_teamsync_end_to_end(auth_system_builder, app):
+  # Assert the team has not yet been updated.
+  sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  assert sync_team_info.last_updated is None
+
+  with auth_system_builder() as auth:
+    assert sync_team(auth, sync_team_info)
diff --git a/test/test_keystone_auth.py b/test/test_keystone_auth.py
index c70261241..a7ec985f0 100644
--- a/test/test_keystone_auth.py
+++ b/test/test_keystone_auth.py
@@ -7,14 +7,14 @@ import requests
 from flask import Flask, request, abort, make_response
 from contextlib import contextmanager
 
-from helpers import liveserver_app
+from test.helpers import liveserver_app
 from data.users.keystone import get_keystone_users
 from initdb import setup_database_for_testing, finished_database_for_testing
 
 _PORT_NUMBER = 5001
 
 @contextmanager
-def fake_keystone(version, requires_email=True):
+def fake_keystone(version=3, requires_email=True):
   """ Context manager which instantiates and runs a webserver with a fake Keystone implementation,
       until the result is yielded.
 

From 04225f2d25d3759b90895bb23b8a872ce269c446 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 23 Feb 2017 13:26:47 -0500
Subject: [PATCH 14/30] Add feature flag for team syncing

---
 config.py                                |  5 +++++
 endpoints/api/organization.py            |  3 ++-
 endpoints/api/team.py                    |  5 +++--
 static/directives/teams-manager.html     |  4 ++--
 static/js/directives/ui/teams-manager.js |  3 ++-
 test/testconfig.py                       |  1 +
 workers/teamsyncworker.py                | 10 ++++++----
 7 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/config.py b/config.py
index d8482b59f..a0fdefaa2 100644
--- a/config.py
+++ b/config.py
@@ -432,3 +432,8 @@ class DefaultConfig(object):
 
   # Maximum size allowed for layers in the registry.
   MAXIMUM_LAYER_SIZE = '20G'
+
+  # Feature Flag: Whether team syncing from the backing auth is enabled.
+  FEATURE_TEAM_SYNCING = False
+  TEAM_RESYNC_STALE_TIME = '30m'
+  TEAM_SYNC_WORKER_FREQUENCY = 60 # seconds
diff --git a/endpoints/api/organization.py b/endpoints/api/organization.py
index 49e3194d9..9411d8edd 100644
--- a/endpoints/api/organization.py
+++ b/endpoints/api/organization.py
@@ -159,7 +159,8 @@ class Organization(ApiResource):
 
     teams = None
     if OrganizationMemberPermission(orgname).can():
-      teams = model.team.get_teams_within_org(org, bool(authentication.federated_service))
+      has_syncing = features.TEAM_SYNCING and bool(authentication.federated_service)
+      teams = model.team.get_teams_within_org(org, has_syncing)
 
     return org_view(org, teams)
 
diff --git a/endpoints/api/team.py b/endpoints/api/team.py
index 42c1f3f3c..320d008ad 100644
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@@ -108,7 +108,7 @@ def disallow_for_synced_team(except_robots=False):
     @wraps(func)
     def wrapper(self, *args, **kwargs):
       # Team syncing can only be enabled if we have a federated service.
-      if authentication.federated_service:
+      if features.TEAM_SYNCING and authentication.federated_service:
         orgname = kwargs['orgname']
         teamname = kwargs['teamname']
         if model.team.get_team_sync_information(orgname, teamname):
@@ -208,6 +208,7 @@ class OrganizationTeam(ApiResource):
 @resource('/v1/organization/<orgname>/team/<teamname>/syncing')
 @path_param('orgname', 'The name of the organization')
 @path_param('teamname', 'The name of the team')
+@show_if(features.TEAM_SYNCING)
 class OrganizationTeamSyncing(ApiResource):
   """ Resource for managing syncing of a team by a backing group. """
   @require_scope(scopes.ORG_ADMIN)
@@ -290,7 +291,7 @@ class TeamMemberList(ApiResource):
         'can_edit': edit_permission.can(),
       }
 
-      if authentication.federated_service:
+      if features.TEAM_SYNCING and authentication.federated_service:
         if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
           data['can_sync'] = {
             'service': authentication.federated_service,
diff --git a/static/directives/teams-manager.html b/static/directives/teams-manager.html
index 217dcbaef..338e9fb72 100644
--- a/static/directives/teams-manager.html
+++ b/static/directives/teams-manager.html
@@ -41,7 +41,7 @@
 
     <table class="co-table" style="margin-top: 10px;">
       <thead>
-        <td class="options-col" ng-if="::Config.AUTHENTICATION_TYPE != 'Database'"></td>
+        <td class="options-col" ng-if="::Config.AUTHENTICATION_TYPE != 'Database' && Features.TEAM_SYNCING"></td>
         <td ng-class="TableService.tablePredicateClass('name', options.predicate, options.reverse)">
           <a ng-click="TableService.orderBy('name', options)">Team Name</a>
         </td>
@@ -66,7 +66,7 @@
        <tr class="co-checkable-row"
            ng-repeat="team in orderedTeams.visibleEntries"
            bindonce>
-        <td class="options-col" ng-if="::Config.AUTHENTICATION_TYPE != 'Database'">
+        <td class="options-col" ng-if="::Config.AUTHENTICATION_TYPE != 'Database' && Features.TEAM_SYNCING">
           <i class="fa fa-refresh" ng-if="team.is_synced" data-title="Team is synchronized with a backing group" bs-tooltip></i>
         </td>
         <td style="white-space: nowrap;">
diff --git a/static/js/directives/ui/teams-manager.js b/static/js/directives/ui/teams-manager.js
index 240eeb5fa..88e926318 100644
--- a/static/js/directives/ui/teams-manager.js
+++ b/static/js/directives/ui/teams-manager.js
@@ -12,9 +12,10 @@ angular.module('quay').directive('teamsManager', function () {
       'organization': '=organization',
       'isEnabled': '=isEnabled'
     },
-    controller: function($scope, $element, ApiService, $timeout, UserService, TableService, UIService, Config) {
+    controller: function($scope, $element, ApiService, $timeout, UserService, TableService, UIService, Config, Features) {
       $scope.TableService = TableService;
       $scope.Config = Config;
+      $scope.Features = Features;
 
       $scope.options = {
         'predicate': 'ordered_team_index',
diff --git a/test/testconfig.py b/test/testconfig.py
index b870a787a..72c5fb229 100644
--- a/test/testconfig.py
+++ b/test/testconfig.py
@@ -94,3 +94,4 @@ class TestConfig(DefaultConfig):
   RECAPTCHA_SECRET_KEY = 'somesecretkey'
 
   FEATURE_APP_REGISTRY = True
+  FEATURE_TEAM_SYNCING = True
diff --git a/workers/teamsyncworker.py b/workers/teamsyncworker.py
index 225118834..8776dcdc0 100644
--- a/workers/teamsyncworker.py
+++ b/workers/teamsyncworker.py
@@ -1,6 +1,8 @@
 import logging
 import time
 
+import features
+
 from app import app, authentication
 from data.users.teamsync import sync_teams_to_groups
 from workers.worker import Worker
@@ -8,8 +10,8 @@ from util.timedeltastring import convert_to_timedelta
 
 logger = logging.getLogger(__name__)
 
-WORKER_FREQUENCY = app.config.get('TEAM_SYNC_WORKER_FREQUENCY', 10)
-STALE_CUTOFF = convert_to_timedelta(app.config.get('TEAM_RESYNC_STALE_TIME', '30s'))
+WORKER_FREQUENCY = app.config.get('TEAM_SYNC_WORKER_FREQUENCY', 60)
+STALE_CUTOFF = convert_to_timedelta(app.config.get('TEAM_RESYNC_STALE_TIME', '30m'))
 
 class TeamSynchronizationWorker(Worker):
   """ Worker which synchronizes teams with their backing groups in LDAP/Keystone/etc.
@@ -25,8 +27,8 @@ class TeamSynchronizationWorker(Worker):
 def main():
   logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
 
-  if not authentication.federated_service:
-    logger.debug('No federated auth is used; sleeping')
+  if not features.TEAM_SYNCING or not authentication.federated_service:
+    logger.debug('Team syncing is disabled; sleeping')
     while True:
       time.sleep(100000)
 

From df603462b88b0c3bb7d1de033109cef184ecb27f Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 23 Feb 2017 13:37:47 -0500
Subject: [PATCH 15/30] Add database migration for TeamSync

---
 data/database.py                              |  2 +-
 .../be8d1c402ce0_add_teamsync_table.py        | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 data/migrations/versions/be8d1c402ce0_add_teamsync_table.py

diff --git a/data/database.py b/data/database.py
index 36820053c..8a7a87004 100644
--- a/data/database.py
+++ b/data/database.py
@@ -527,7 +527,7 @@ class LoginService(BaseModel):
 
 
 class TeamSync(BaseModel):
-  team = ForeignKeyField(Team)
+  team = ForeignKeyField(Team, unique=True)
 
   transaction_id = CharField()
   last_updated = DateTimeField(null=True, index=True)
diff --git a/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
new file mode 100644
index 000000000..ac9467767
--- /dev/null
+++ b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
@@ -0,0 +1,39 @@
+"""Add TeamSync table
+
+Revision ID: be8d1c402ce0
+Revises: e2894a3a3c19
+Create Date: 2017-02-23 13:34:52.356812
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'be8d1c402ce0'
+down_revision = 'e2894a3a3c19'
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+def upgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('teamsync',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('team_id', sa.Integer(), nullable=False),
+    sa.Column('transaction_id', sa.String(length=255), nullable=False),
+    sa.Column('last_updated', sa.DateTime(), nullable=True),
+    sa.Column('service_id', sa.Integer(), nullable=False),
+    sa.Column('config', sa.Text(), nullable=False),
+    sa.ForeignKeyConstraint(['service_id'], ['loginservice.id'], name=op.f('fk_teamsync_service_id_loginservice')),
+    sa.ForeignKeyConstraint(['team_id'], ['team.id'], name=op.f('fk_teamsync_team_id_team')),
+    sa.PrimaryKeyConstraint('id', name=op.f('pk_teamsync'))
+    )
+    op.create_index('teamsync_last_updated', 'teamsync', ['last_updated'], unique=False)
+    op.create_index('teamsync_service_id', 'teamsync', ['service_id'], unique=False)
+    op.create_index('teamsync_team_id', 'teamsync', ['team_id'], unique=True)
+    ### end Alembic commands ###
+
+
+def downgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('teamsync')
+    ### end Alembic commands ###

From 47278cc559d32f117b09b86b7d67a80dd0066901 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 23 Feb 2017 13:48:06 -0500
Subject: [PATCH 16/30] Cleanup test fixtures

---
 data/users/test/test_teamsync.py    | 10 ++++------
 endpoints/api/test/test_security.py |  2 +-
 endpoints/api/test/test_team.py     |  2 +-
 endpoints/oauth/test/test_login.py  |  6 ++----
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index ffbb96b72..a3172f010 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -1,15 +1,13 @@
-import pytest
-
 from datetime import timedelta
-from mock import patch
+
+import pytest
 
 from data import model, database
 from data.users.federated import FederatedUsers, UserInformation
 from data.users.teamsync import sync_team, sync_teams_to_groups
-from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
-from util.names import parse_robot_username
-
+from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 from test.test_ldap import mock_ldap
+from util.names import parse_robot_username
 
 _FAKE_AUTH = 'fake'
 
diff --git a/endpoints/api/test/test_security.py b/endpoints/api/test/test_security.py
index dafd9fd0c..1ae2c31cc 100644
--- a/endpoints/api/test/test_security.py
+++ b/endpoints/api/test/test_security.py
@@ -5,7 +5,7 @@ from endpoints.api.team import OrganizationTeamSyncing
 from endpoints.api.test.shared import client_with_identity, conduct_api_call
 from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
 from endpoints.api.superuser import SuperUserRepositoryBuildStatus
-from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 
 TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
 BUILD_PARAMS = {'build_uuid': 'test-1234'}
diff --git a/endpoints/api/test/test_team.py b/endpoints/api/test/test_team.py
index 36a4d95a1..4dfa98b7f 100644
--- a/endpoints/api/test/test_team.py
+++ b/endpoints/api/test/test_team.py
@@ -7,7 +7,7 @@ from endpoints.api import api
 from endpoints.api.test.shared import client_with_identity, conduct_api_call
 from endpoints.api.team import OrganizationTeamSyncing, TeamMemberList
 from endpoints.api.organization import Organization
-from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 from test.test_ldap import mock_ldap
 
 SYNCED_TEAM_PARAMS = {'orgname': 'sellnsmall', 'teamname': 'synced'}
diff --git a/endpoints/oauth/test/test_login.py b/endpoints/oauth/test/test_login.py
index 04b510aef..f081f84b1 100644
--- a/endpoints/oauth/test/test_login.py
+++ b/endpoints/oauth/test/test_login.py
@@ -1,11 +1,9 @@
 import pytest
 
-from endpoints.oauth.login import _conduct_oauth_login
-
-from oauth.services.github import GithubOAuthService
-
 from data import model, database
 from data.users import get_users_handler, DatabaseUsers
+from endpoints.oauth.login import _conduct_oauth_login
+from oauth.services.github import GithubOAuthService
 from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 from test.test_ldap import mock_ldap
 

From d7825c6720871be178126b9f500d2c10087250d9 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 23 Feb 2017 14:41:27 -0500
Subject: [PATCH 17/30] Add group iteration and syncing support to Keystone
 auth

---
 data/model/team.py               |  3 +-
 data/users/keystone.py           | 51 ++++++++++++++++++++--
 data/users/test/test_teamsync.py | 27 ++++++++----
 initdb.py                        |  3 +-
 static/partials/team-view.html   |  7 ++++
 test/test_keystone_auth.py       | 72 ++++++++++++++++++++++++++++++++
 6 files changed, 148 insertions(+), 15 deletions(-)

diff --git a/data/model/team.py b/data/model/team.py
index f314a4c22..2da96df55 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -422,7 +422,8 @@ def list_team_robots(team):
 def set_team_syncing(team, login_service_name, config):
   """ Sets the given team to sync to the given service using the given config. """
   login_service = LoginService.get(name=login_service_name)
-  TeamSync.create(team=team, transaction_id='', service=login_service, config=json.dumps(config))
+  return TeamSync.create(team=team, transaction_id='', service=login_service,
+                         config=json.dumps(config))
 
 
 def remove_team_syncing(orgname, teamname):
diff --git a/data/users/keystone.py b/data/users/keystone.py
index b3e7ad442..f01b9f4b7 100644
--- a/data/users/keystone.py
+++ b/data/users/keystone.py
@@ -5,6 +5,7 @@ from keystoneclient.v2_0 import client as kclient
 from keystoneclient.v3 import client as kv3client
 from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure
 from keystoneclient.exceptions import Unauthorized as KeystoneUnauthorized
+from keystoneclient.exceptions import NotFound as KeystoneNotFound
 from data.users.federated import FederatedUsers, UserInformation
 from util.itertoolrecipes import take
 
@@ -83,6 +84,11 @@ class KeystoneV3Users(FederatedUsers):
     self.debug = os.environ.get('USERS_DEBUG') == '1'
     self.requires_email = requires_email
 
+  def _get_admin_client(self):
+    return kv3client.Client(username=self.admin_username, password=self.admin_password,
+                            tenant_name=self.admin_tenant, auth_url=self.auth_url,
+                            timeout=self.timeout, debug=self.debug)
+
   def verify_credentials(self, username_or_email, password):
     try:
       keystone_client = kv3client.Client(username=username_or_email, password=password,
@@ -116,6 +122,46 @@ class KeystoneV3Users(FederatedUsers):
 
     return (user, None)
 
+  def check_group_lookup_args(self, group_lookup_args):
+    if not group_lookup_args.get('group_id'):
+      return (False, 'Missing group_id')
+
+    group_id = group_lookup_args['group_id']
+    return self._check_group(group_id)
+
+  def _check_group(self, group_id):
+    try:
+      return (bool(self._get_admin_client().groups.get(group_id)), None)
+    except KeystoneNotFound:
+      return (False, 'Group not found')
+    except KeystoneAuthorizationFailure as kaf:
+      logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
+      return (False, kaf.message or 'Invalid admin username or password')
+    except KeystoneUnauthorized as kut:
+      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
+      return (False, kut.message or 'Invalid admin username or password')
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    group_id = group_lookup_args['group_id']
+
+    (status, err) = self._check_group(group_id)
+    if not status:
+      return (None, err)
+
+    try:
+      group_member_iterator = self._get_admin_client().users.list(group=group_id)
+      def iterator():
+        for user in group_member_iterator:
+          yield (self._user_info(user), None)
+
+      return (iterator(), None)
+    except KeystoneAuthorizationFailure as kaf:
+      logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
+      return (False, kaf.message or 'Invalid admin username or password')
+    except KeystoneUnauthorized as kut:
+      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
+      return (False, kut.message or 'Invalid admin username or password')
+
   @staticmethod
   def _user_info(user):
     email = user.email if hasattr(user, 'email') else None
@@ -126,10 +172,7 @@ class KeystoneV3Users(FederatedUsers):
       return ([], self.federated_service, None)
 
     try:
-      keystone_client = kv3client.Client(username=self.admin_username, password=self.admin_password,
-                                         tenant_name=self.admin_tenant, auth_url=self.auth_url,
-                                         timeout=self.timeout, debug=self.debug)
-      found_users = list(take(limit, keystone_client.users.list(name=query)))
+      found_users = list(take(limit, self._get_admin_client().users.list(name=query)))
       logger.debug('For Keystone query %s found users: %s', query, found_users)
       if not found_users:
         return ([], self.federated_service, None)
diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index a3172f010..5cb4fcda8 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -7,6 +7,7 @@ from data.users.federated import FederatedUsers, UserInformation
 from data.users.teamsync import sync_team, sync_teams_to_groups
 from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 from test.test_ldap import mock_ldap
+from test.test_keystone_auth import fake_keystone
 from util.names import parse_robot_username
 
 _FAKE_AUTH = 'fake'
@@ -213,20 +214,28 @@ def test_sync_teams_to_groups(app):
   assert third_sync_info.last_updated == updated_sync_info.last_updated
   assert third_sync_info.transaction_id == updated_sync_info.transaction_id
 
-  # Set the stale threshold to -1 seconds, and ensure the team is resynced.
-  sync_teams_to_groups(fake_auth, timedelta(seconds=-1))
+  # Set the stale threshold to -10 seconds, and ensure the team is resynced.
+  sync_teams_to_groups(fake_auth, timedelta(seconds=-120))
 
   fourth_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
   assert fourth_sync_info.transaction_id != updated_sync_info.transaction_id
 
 
-@pytest.mark.parametrize('auth_system_builder', [
-  mock_ldap,
+@pytest.mark.parametrize('auth_system_builder,config', [
+  (mock_ldap, {'group_dn': 'cn=AwesomeFolk'}),
+  (fake_keystone, {'group_id': 'somegroupid'}),
 ])
-def test_teamsync_end_to_end(auth_system_builder, app):
-  # Assert the team has not yet been updated.
-  sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert sync_team_info.last_updated is None
-
+def test_teamsync_end_to_end(auth_system_builder, config, app):
   with auth_system_builder() as auth:
+    # Create an new team to sync.
+    org = model.organization.get_organization('buynlarge')
+    new_synced_team = model.team.create_team('synced2', org, 'member', 'Some synced team.')
+    sync_team_info = model.team.set_team_syncing(new_synced_team, auth.federated_service, config)
+
+    # Sync the team.
     assert sync_team(auth, sync_team_info)
+
+    # Ensure we now have members.
+    msg = 'Auth system: %s' % auth.federated_service
+    sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced2')
+    assert len(list(model.team.list_team_users(sync_team_info.team))) > 0, msg
diff --git a/initdb.py b/initdb.py
index d13b0a058..a7e278823 100644
--- a/initdb.py
+++ b/initdb.py
@@ -709,8 +709,9 @@ def populate_database(minimal=False, with_storage=False):
 
   model.team.add_user_to_team(new_user_4, sell_owners)
 
+  sync_config = {'group_dn': 'cn=Test-Group,ou=Users', 'group_id': 'somegroupid'}
   synced_team = model.team.create_team('synced', org, 'member', 'Some synced team.')
-  model.team.set_team_syncing(synced_team, 'ldap', {'group_dn': 'cn=Test-Group,ou=Users'})
+  model.team.set_team_syncing(synced_team, 'ldap', sync_config)
 
   another_synced_team = model.team.create_team('synced', thirdorg, 'member', 'Some synced team.')
   model.team.set_team_syncing(another_synced_team, 'ldap', {'group_dn': 'cn=Test-Group,ou=Users'})
diff --git a/static/partials/team-view.html b/static/partials/team-view.html
index 6da8e07c3..b046f8d2b 100644
--- a/static/partials/team-view.html
+++ b/static/partials/team-view.html
@@ -39,6 +39,9 @@
               <div ng-if="syncInfo.service == 'ldap'">
                 <code>{{ syncInfo.config.group_dn }}</code>
               </div>
+              <div ng-if="syncInfo.service == 'keystone'">
+                <code>{{ syncInfo.config.group_id }}</code>
+              </div>
             </td>
           </tr>
           <tr>
@@ -174,6 +177,10 @@
         Enter the distinguished name of the group, relative to <code>{{ enableSyncingInfo.service_info.base_dn }}</code>:
         <input type="text" class="form-control" placeholder="Group DN" ng-model="enableSyncingInfo.config.group_dn" required>
       </div>
+      <div ng-switch-when="keystone">
+        Enter the Keystone group ID:
+        <input type="text" class="form-control" placeholder="Group ID" ng-model="enableSyncingInfo.config.group_id" required>
+      </div>
      </div>
    </form>
 </div>
diff --git a/test/test_keystone_auth.py b/test/test_keystone_auth.py
index a7ec985f0..4d70a4c1b 100644
--- a/test/test_keystone_auth.py
+++ b/test/test_keystone_auth.py
@@ -47,6 +47,23 @@ def _create_app(requires_email=True):
     {'username': 'some.neat.user', 'name': 'Neat User', 'password': 'foobar'},
   ]
 
+  groups = [
+    {'id': 'somegroupid', 'name': 'somegroup', 'description': 'Hi there!',
+     'members': ['adminuser', 'cool.user']},
+  ]
+
+  def _get_user(username):
+    for user in users:
+      if user['username'] == username:
+        user_data = {}
+        user_data['id'] = username
+        user_data['name'] = username
+        if requires_email:
+          user_data['email'] = username + '@example.com'
+        return user_data
+
+    return None
+
   ks_app = Flask('testks')
   ks_app.config['SERVER_HOSTNAME'] = 'localhost:%s' % _PORT_NUMBER
   if os.environ.get('DEBUG') == 'true':
@@ -66,6 +83,35 @@ def _create_app(requires_email=True):
 
     abort(404)
 
+  @ks_app.route('/v3/identity/groups/<groupid>/users', methods=['GET'])
+  def getv3groupmembers(groupid):
+    for group in groups:
+      if group['id'] == groupid:
+        group_data = {
+          "links": {},
+          "users": [_get_user(username) for username in group['members']],
+        }
+
+        return json.dumps(group_data)
+
+    abort(404)
+
+  @ks_app.route('/v3/identity/groups/<groupid>', methods=['GET'])
+  def getv3group(groupid):
+    for group in groups:
+      if group['id'] == groupid:
+        group_data = {
+          "description": group['description'],
+          "domain_id": "default",
+          "id": groupid,
+          "links": {},
+          "name": group['name'],
+        }
+
+        return json.dumps({'group': group_data})
+
+    abort(404)
+
   @ks_app.route('/v3/identity/users/<userid>', methods=['GET'])
   def getv3user(userid):
     for user in users:
@@ -321,6 +367,32 @@ class KeystoneV3AuthTests(KeystoneAuthTestsMixin, unittest.TestCase):
       self.assertIsNotNone(result)
       self.assertEquals('cool_user', result.username)
 
+  def test_check_group_lookup_args(self):
+    with self.fake_keystone() as keystone:
+      (status, err) = keystone.check_group_lookup_args({})
+      self.assertFalse(status)
+      self.assertEquals('Missing group_id', err)
+
+      (status, err) = keystone.check_group_lookup_args({'group_id': 'unknownid'})
+      self.assertFalse(status)
+      self.assertEquals('Group not found', err)
+
+      (status, err) = keystone.check_group_lookup_args({'group_id': 'somegroupid'})
+      self.assertTrue(status)
+      self.assertIsNone(err)
+
+  def test_iterate_group_members(self):
+    with self.fake_keystone() as keystone:
+      (itt, err) = keystone.iterate_group_members({'group_id': 'somegroupid'})
+      self.assertIsNone(err)
+
+      results = list(itt)
+      results.sort()
+
+      self.assertEquals(2, len(results))
+      self.assertEquals('adminuser', results[0][0].id)
+      self.assertEquals('cool.user', results[1][0].id)
+
 
 if __name__ == '__main__':
   unittest.main()

From 0b6c062e324e6917686218c87ce2526d5137ec6f Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 24 Feb 2017 13:20:29 -0500
Subject: [PATCH 18/30] Add superuser panel config for team syncing

---
 .../directives/config/config-setup-tool.html  | 28 +++++++++++++++++--
 util/config/configutil.py                     |  1 +
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html
index ead4609bf..226a7f8da 100644
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@@ -194,7 +194,7 @@
               <span class="config-string-field" binding="mapped.redis.host"
                     placeholder="The redis server hostname"
                     pattern="{{ HOSTNAME_REGEX }}"
-                    validator="validateHostname(value)">></span>
+                    validator="validateHostname(value)"></span>
             </td>
           </tr>
           <tr>
@@ -553,7 +553,7 @@
           prevent passwords from being saved as plaintext by the Docker client.
         </div>
 
-        <table class="config-table">
+        <table class="config-table" style="margin-bottom: 20px;">
           <tr>
             <td class="non-input">Authentication:</td>
             <td>
@@ -565,6 +565,28 @@
               </select>
             </td>
           </tr>
+
+          <tr ng-if="config.AUTHENTICATION_TYPE == 'LDAP' || config.AUTHENTICATION_TYPE == 'Keystone'">
+            <td>Team synchronization:</td>
+            <td>
+              <div class="config-bool-field" binding="config.FEATURE_TEAM_SYNCING">
+                Enable Team Synchronization Support
+              </div>
+              <div class="help-text">
+                If enabled, organization administrators who are also superusers can set teams to have their membership synchronized with a backing group in {{ config.AUTHENTICATION_TYPE }}.
+              </div>
+            </td>
+          </tr>
+          <tr ng-if="(config.AUTHENTICATION_TYPE == 'LDAP' || config.AUTHENTICATION_TYPE == 'Keystone') && config.FEATURE_TEAM_SYNCING">
+          <td>Resynchronization duration:</td>
+          <td>
+            <span class="config-string-field" binding="config.TEAM_RESYNC_STALE_TIME"
+                  pattern="[0-9]+(m|h|d|s)"></span>
+            <div class="help-text">
+            The duration before a team must be re-synchronized. Must be expressed in a duration string form: <code>30m</code>, <code>1h</code>, <code>1d</code>.
+            </div>
+          </td>
+          </tr>
         </table>
 
         <!--  Keystone Authentication -->
@@ -758,7 +780,7 @@
           <tr>
             <td>Administrator DN Password:</td>
             <td>
-              <div class="co-alert co-alert-warning">
+              <div class="co-alert co-alert-warning" style="margin-bottom: 10px;">
                 Note: This will be stored in
                 <strong>plaintext</strong> inside the config.yaml, so setting up a dedicated account or using
                 <a href="http://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html" ng-safenewtab>a password hash</a> is <strong>highly</strong> recommended.
diff --git a/util/config/configutil.py b/util/config/configutil.py
index c52d22928..e1105d9f7 100644
--- a/util/config/configutil.py
+++ b/util/config/configutil.py
@@ -76,3 +76,4 @@ def add_enterprise_config_defaults(config_obj, current_secret_key, hostname):
   config_obj['PREFERRED_URL_SCHEME'] = config_obj.get('PREFERRED_URL_SCHEME', 'http')
   config_obj['ENTERPRISE_LOGO_URL'] = config_obj.get(
     'ENTERPRISE_LOGO_URL', '/static/img/quay-logo.png')
+  config_obj['TEAM_RESYNC_STALE_TIME'] = '60m'

From 71d52d45ba057dd547c3d5d10ebbfcded5e8ef15 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 7 Mar 2017 14:36:56 -0500
Subject: [PATCH 19/30] Add a test for same user returned twice in team sync

---
 data/users/test/test_teamsync.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index 5cb4fcda8..34bb42fcd 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -129,6 +129,16 @@ class FakeUsers(FederatedUsers):
      UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
    ],
    ['someuser', 'buynlarge+anotherbot']),
+
+  # Team which returns the same member twice, as pagination in some engines (like LDAP) is not
+  # stable.
+  ([],
+   [
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
+     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
+   ],
+   ['anotheruser', 'someuser']),
 ])
 def test_syncing(starting_membership, group_membership, expected_membership, app):
   org = model.organization.get_organization('buynlarge')

From 84e37b68ee6f0dbd3662106931bf30cd705dd795 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 7 Mar 2017 17:39:01 -0500
Subject: [PATCH 20/30] Change if statement to be more readable

---
 data/users/teamsync.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/users/teamsync.py b/data/users/teamsync.py
index b44d600e8..1d44b2639 100644
--- a/data/users/teamsync.py
+++ b/data/users/teamsync.py
@@ -27,7 +27,8 @@ def sync_teams_to_groups(authentication, stale_cutoff):
     sync_team_tried.add(stale_team_sync.id)
 
     # Sync the team.
-    if not sync_team(authentication, stale_team_sync):
+    sync_successful = sync_team(authentication, stale_team_sync)
+    if not sync_successful:
       return
 
 

From 7f0aa1929204c3fa4c287c1567580ca5e25db4cc Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 15 Mar 2017 18:32:40 -0400
Subject: [PATCH 21/30] Code cleanup and style improvements in team sync

---
 .../be8d1c402ce0_add_teamsync_table.py        |  4 +--
 data/users/externalldap.py                    |  5 ++-
 data/users/teamsync.py                        | 33 ++++++++++++++-----
 3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
index ac9467767..073d395f0 100644
--- a/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
+++ b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
@@ -1,14 +1,14 @@
 """Add TeamSync table
 
 Revision ID: be8d1c402ce0
-Revises: e2894a3a3c19
+Revises: a6c463dfb9fe
 Create Date: 2017-02-23 13:34:52.356812
 
 """
 
 # revision identifiers, used by Alembic.
 revision = 'be8d1c402ce0'
-down_revision = 'e2894a3a3c19'
+down_revision = 'a6c463dfb9fe'
 
 from alembic import op
 import sqlalchemy as sa
diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index 6ab4b6c6b..d7c21a5af 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -274,8 +274,7 @@ class LDAPUsers(FederatedUsers):
     if err is not None:
       return (False, err)
 
-    results = list(it)
-    if not results:
+    if not list(it):
       return (False, 'Group does not exist or is empty')
 
     return (True, None)
@@ -340,6 +339,6 @@ class LDAPUsers(FederatedUsers):
               # No additional results.
               break
           else:
-            # Pagintation is not supported.
+            # Pagination is not supported.
             logger.debug('Pagination is not supported for this LDAP server')
             break
diff --git a/data/users/teamsync.py b/data/users/teamsync.py
index 1d44b2639..571f1cc3d 100644
--- a/data/users/teamsync.py
+++ b/data/users/teamsync.py
@@ -6,6 +6,9 @@ from data import model
 logger = logging.getLogger(__name__)
 
 
+MAX_TEAMS_PER_ITERATION = 500
+
+
 def sync_teams_to_groups(authentication, stale_cutoff):
   """ Performs team syncing by looking up any stale team(s) found, and performing the sync
       operation on them.
@@ -13,7 +16,7 @@ def sync_teams_to_groups(authentication, stale_cutoff):
   logger.debug('Looking up teams to sync to groups')
 
   sync_team_tried = set()
-  while True:
+  while len(sync_team_tried) < MAX_TEAMS_PER_ITERATION:
     # Find a stale team.
     stale_team_sync = model.team.get_stale_team(stale_cutoff)
     if not stale_team_sync:
@@ -38,7 +41,8 @@ def sync_team(authentication, stale_team_sync):
   """
   sync_config = json.loads(stale_team_sync.config)
   logger.info('Syncing team `%s` under organization %s via %s (#%s)', stale_team_sync.team.name,
-              stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
+              stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id,
+              extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
 
   # Load all the existing members of the team in Quay that are bound to the auth service.
   existing_users = model.team.list_federated_team_members(stale_team_sync.team,
@@ -46,7 +50,9 @@ def sync_team(authentication, stale_team_sync):
 
   logger.debug('Existing membership of %s for team `%s` under organization %s via %s (#%s)',
                len(existing_users), stale_team_sync.team.name,
-               stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id)
+               stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id,
+               extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
+                      'existing_member_count': len(existing_users)})
 
   # Load all the members of the team from the authenication system.
   (member_iterator, err) = authentication.iterate_group_members(sync_config)
@@ -68,7 +74,9 @@ def sync_team(authentication, stale_team_sync):
       logger.debug('Member %s already in team `%s` under organization %s via %s (#%s)',
                    member_info.username, stale_team_sync.team.name,
                    stale_team_sync.team.organization.username, sync_config,
-                   stale_team_sync.team_id)
+                   stale_team_sync.team_id,
+                   extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
+                          'member': member_info.username})
 
       group_membership.add(existing_users[member_info.username])
       continue
@@ -77,7 +85,9 @@ def sync_team(authentication, stale_team_sync):
     (quay_user, err) = authentication.get_federated_user(member_info)
     if err is not None:
       logger.error('Could not link external user %s to an internal user: %s',
-                   member_info.username, err)
+                   member_info.username, err,
+                   extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
+                          'member': member_info.username, 'error': err})
       continue
 
     # Add the user to the membership set.
@@ -88,7 +98,9 @@ def sync_team(authentication, stale_team_sync):
       logger.info('Adding member %s to team `%s` under organization %s via %s (#%s)',
                   quay_user.username, stale_team_sync.team.name,
                   stale_team_sync.team.organization.username, sync_config,
-                  stale_team_sync.team_id)
+                  stale_team_sync.team_id,
+                  extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
+                         'member': quay_user.username})
 
       model.team.add_user_to_team(quay_user, stale_team_sync.team)
     except model.UserAlreadyInTeam:
@@ -103,18 +115,21 @@ def sync_team(authentication, stale_team_sync):
     logger.debug('Another worker synced team `%s` under organization %s via %s (#%s)',
                  stale_team_sync.team.name,
                  stale_team_sync.team.organization.username, sync_config,
-                 stale_team_sync.team_id)
+                 stale_team_sync.team_id,
+                 extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
     return True
 
   # Delete any team members not found in the backing auth system.
   logger.debug('Deleting stale members for team `%s` under organization %s via %s (#%s)',
                stale_team_sync.team.name, stale_team_sync.team.organization.username,
-               sync_config, stale_team_sync.team_id)
+               sync_config, stale_team_sync.team_id,
+               extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
 
   deleted = model.team.delete_members_not_present(stale_team_sync.team, group_membership)
 
   # Done!
   logger.info('Finishing sync for team `%s` under organization %s via %s (#%s): %s deleted',
               stale_team_sync.team.name, stale_team_sync.team.organization.username,
-              sync_config, stale_team_sync.team_id, deleted)
+              sync_config, stale_team_sync.team_id, deleted,
+              extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
   return True

From 103186f5e8383b3378f9393addf06e3549dcd498 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 20 Mar 2017 16:49:20 -0400
Subject: [PATCH 22/30] Small renames to make team syncing code more clear

---
 data/model/team.py               | 4 ++--
 data/users/teamsync.py           | 8 ++++----
 data/users/test/test_teamsync.py | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/data/model/team.py b/data/model/team.py
index 2da96df55..923951299 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -385,9 +385,9 @@ def confirm_team_invite(code, user_obj):
   return (team, inviter)
 
 
-def list_federated_team_members(team, login_service_name):
+def get_federated_team_member_mapping(team, login_service_name):
   """ Returns a dict of all federated IDs for all team members in the team whose users are
-      bound to the login service withn the given name. The dictionary is from federated service
+      bound to the login service within the given name. The dictionary is from federated service
       identifier (username) to their Quay User table ID.
   """
   login_service = LoginService.get(name=login_service_name)
diff --git a/data/users/teamsync.py b/data/users/teamsync.py
index 571f1cc3d..65fc31b35 100644
--- a/data/users/teamsync.py
+++ b/data/users/teamsync.py
@@ -45,8 +45,8 @@ def sync_team(authentication, stale_team_sync):
               extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
 
   # Load all the existing members of the team in Quay that are bound to the auth service.
-  existing_users = model.team.list_federated_team_members(stale_team_sync.team,
-                                                          authentication.federated_service)
+  existing_users = model.team.get_federated_team_member_mapping(stale_team_sync.team,
+                                                                authentication.federated_service)
 
   logger.debug('Existing membership of %s for team `%s` under organization %s via %s (#%s)',
                len(existing_users), stale_team_sync.team.name,
@@ -109,8 +109,8 @@ def sync_team(authentication, stale_team_sync):
 
   # Update the transaction and last_updated time of the team sync. Only if it matches
   # the current value will we then perform the deletion step.
-  result = model.team.update_sync_status(stale_team_sync)
-  if not result:
+  got_transaction_handle = model.team.update_sync_status(stale_team_sync)
+  if not got_transaction_handle:
     # Another worker updated this team. Nothing more to do.
     logger.debug('Another worker synced team `%s` under organization %s via %s (#%s)',
                  stale_team_sync.team.name,
diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index 34bb42fcd..22d999123 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -183,7 +183,7 @@ def test_syncing(starting_membership, group_membership, expected_membership, app
   assert len(users_expected) + len(robots_expected) == len(expected_membership)
 
   # Check that the team's users match those expected.
-  service_user_map = model.team.list_federated_team_members(sync_team_info.team, _FAKE_AUTH)
+  service_user_map = model.team.get_federated_team_member_mapping(sync_team_info.team, _FAKE_AUTH)
   assert set(service_user_map.keys()) == users_expected
 
   quay_users = model.team.list_team_users(sync_team_info.team)

From 541aa722c2a620615de8f8021c2cd10fc85c8d82 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 20 Mar 2017 17:52:52 -0400
Subject: [PATCH 23/30] Add sleeps to make test non-flaky

Sucks, but MySQL only has second-level timing, so we need this to be sure
---
 data/users/test/test_teamsync.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index 22d999123..2c6bbb223 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -1,4 +1,5 @@
 from datetime import timedelta
+import time
 
 import pytest
 
@@ -210,6 +211,8 @@ def test_sync_teams_to_groups(app):
 
   # Call to sync all teams.
   fake_auth = FakeUsers([])
+
+  time.sleep(1)
   sync_teams_to_groups(fake_auth, timedelta(seconds=1))
 
   # Ensure the team was synced.
@@ -218,13 +221,15 @@ def test_sync_teams_to_groups(app):
   assert updated_sync_info.transaction_id != sync_team_info.transaction_id
 
   # Set the stale threshold to a high amount and ensure the team is not resynced.
+  time.sleep(1)
   sync_teams_to_groups(fake_auth, timedelta(seconds=120))
 
   third_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
   assert third_sync_info.last_updated == updated_sync_info.last_updated
   assert third_sync_info.transaction_id == updated_sync_info.transaction_id
 
-  # Set the stale threshold to -10 seconds, and ensure the team is resynced.
+  # Set the stale threshold to -120 seconds, and ensure the team is resynced.
+  time.sleep(1)
   sync_teams_to_groups(fake_auth, timedelta(seconds=-120))
 
   fourth_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')

From 8c07f733eb3dbcbcd7ff3e48b70fac6cdfd74236 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 20 Mar 2017 17:53:15 -0400
Subject: [PATCH 24/30] Add pagination tests for LDAP

---
 data/users/externalldap.py |  2 +-
 test/test_ldap.py          | 67 +++++++++++++++++++++++++++++++++++++-
 2 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index d7c21a5af..1cfb61385 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -333,7 +333,7 @@ class LDAPUsers(FederatedUsers):
             cookie = lc.cookie = pctrls[0].cookie
             if cookie:
                 msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
-                                        serverctrls=[lc])
+                                        serverctrls=[lc], attrlist=attributes)
                 continue
             else:
               # No additional results.
diff --git a/test/test_ldap.py b/test/test_ldap.py
index 04b6f4fdb..46085fb54 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
@@ -1,5 +1,7 @@
 import unittest
 
+import ldap
+
 from app import app
 from initdb import setup_database_for_testing, finished_database_for_testing
 from data.users import LDAPUsers
@@ -19,7 +21,7 @@ def _create_ldap(requires_email=True):
 
   ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
                    uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns,
-                   requires_email=requires_email, force_no_pagination=True)
+                   requires_email=requires_email)
   return ldap
 
 @contextmanager
@@ -123,6 +125,45 @@ def mock_ldap(requires_email=True):
     obj.search_s.seed('ou=employees,dc=quay,dc=io', 2, '(|(uid=unknown*)(mail=unknown*))')([])
     obj.search_s.seed('ou=otheremployees,dc=quay,dc=io', 2,
                       '(|(uid=unknown*)(mail=unknown*))')([])
+
+    obj._results = {}
+
+    def result3(messageid):
+      if messageid is None:
+        return None, [], None, None
+
+      return obj._results[messageid]
+
+    def search_ext(user_search_dn, scope, search_flt, serverctrls=None, attrlist=None):
+      if scope != ldap.SCOPE_SUBTREE:
+        return None
+
+      if not serverctrls:
+        return None
+
+      page_control = serverctrls[0]
+      if page_control.controlType != ldap.controls.SimplePagedResultsControl.controlType:
+        return None
+
+      msgid = obj.search(user_search_dn, scope, search_flt, attrlist=attrlist)
+      _, rdata = obj.result(msgid)
+
+      msgid = 'messageid'
+      cookie = int(page_control.cookie) if page_control.cookie else 0
+
+      results = rdata[cookie:cookie+page_control.size]
+      cookie = cookie + page_control.size
+      if cookie > len(results):
+        page_control.cookie = None
+      else:
+        page_control.cookie = cookie
+
+      obj._results['messageid'] = (None, results, None, [page_control])
+      return msgid
+
+    obj.search_ext = search_ext
+    obj.result3 = result3
+
     return obj
 
   mockldap.start()
@@ -333,6 +374,30 @@ class TestLDAP(unittest.TestCase):
       self.assertEquals('someuser', someuser.username)
       self.assertEquals('foo@bar.com', someuser.email)
 
+  def test_iterate_group_members_with_pagination(self):
+    with mock_ldap() as ldap:
+      (it, err) = ldap.iterate_group_members({'group_dn': 'cn=AwesomeFolk'}, page_size=1)
+      self.assertIsNone(err)
+
+      results = list(it)
+      self.assertEquals(2, len(results))
+
+      first = results[0][0]
+      second = results[1][0]
+
+      if first.id == 'testy':
+        testy, someuser = first, second
+      else:
+        testy, someuser = second, first
+
+      self.assertEquals('testy', testy.id)
+      self.assertEquals('testy', testy.username)
+      self.assertEquals('bar@baz.com', testy.email)
+
+      self.assertEquals('someuser', someuser.id)
+      self.assertEquals('someuser', someuser.username)
+      self.assertEquals('foo@bar.com', someuser.email)
+
   def test_check_group_lookup_args(self):
     with mock_ldap() as ldap:
       (result, err) = ldap.check_group_lookup_args({'group_dn': 'cn=invalid'},

From 1a31d98c4485784f4c61fdb16ff1f4d51752966d Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 21 Mar 2017 11:45:26 -0400
Subject: [PATCH 25/30] Clarify variable name in Keystone auth

---
 data/users/keystone.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/users/keystone.py b/data/users/keystone.py
index f01b9f4b7..8c46a7869 100644
--- a/data/users/keystone.py
+++ b/data/users/keystone.py
@@ -149,9 +149,9 @@ class KeystoneV3Users(FederatedUsers):
       return (None, err)
 
     try:
-      group_member_iterator = self._get_admin_client().users.list(group=group_id)
+      user_info_iterator = self._get_admin_client().users.list(group=group_id)
       def iterator():
-        for user in group_member_iterator:
+        for user in user_info_iterator:
           yield (self._user_info(user), None)
 
       return (iterator(), None)

From bd22fb255ea83f9b1998c592f310f762174f2294 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 21 Mar 2017 13:06:55 -0400
Subject: [PATCH 26/30] Rename get_federated_user to
 get_and_link_federated_user_info

Better to be explicit wherever possible
---
 data/users/__init__.py  |  4 ++--
 data/users/database.py  |  2 +-
 data/users/federated.py | 10 +++++-----
 data/users/teamsync.py  |  2 +-
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/data/users/__init__.py b/data/users/__init__.py
index d53413b74..f8e47ba16 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -175,11 +175,11 @@ class UserAuthentication(object):
     """
     return self.state.link_user(username_or_email)
 
-  def get_federated_user(self, user_info):
+  def get_and_link_federated_user_info(self, user_info):
     """ Returns a tuple containing the database user record linked to the given UserInformation
         pair and any error that occurred when trying to link the user.
     """
-    return self.state.get_federated_user(user_info)
+    return self.state.get_and_link_federated_user_info(user_info)
 
   def confirm_existing_user(self, username, password):
     """ Verifies that the given password matches to the given DB username. Unlike
diff --git a/data/users/database.py b/data/users/database.py
index 07e327688..862065723 100644
--- a/data/users/database.py
+++ b/data/users/database.py
@@ -24,7 +24,7 @@ class DatabaseUsers(object):
     """ Never used since all users being added are already, by definition, in the database. """
     return (None, 'Unsupported for this authentication system')
 
-  def get_federated_user(self, user_info):
+  def get_and_link_federated_user_info(self, user_info):
     """ Never used since all users being added are already, by definition, in the database. """
     return (None, 'Unsupported for this authentication system')
 
diff --git a/data/users/federated.py b/data/users/federated.py
index fbb982367..cdf6a28ce 100644
--- a/data/users/federated.py
+++ b/data/users/federated.py
@@ -42,10 +42,10 @@ class FederatedUsers(object):
     if user_info is None:
       return (None, err_msg)
 
-    return self.get_federated_user(user_info)
+    return self.get_and_link_federated_user_info(user_info)
 
-  def get_federated_user(self, user_info):
-    return self._get_federated_user(user_info.username, user_info.email)
+  def get_and_link_federated_user_info(self, user_info):
+    return self._get_and_link_federated_user_info(user_info.username, user_info.email)
 
   def verify_and_link_user(self, username_or_email, password):
     """ Verifies the given credentials and, if valid, creates/links a database user to the
@@ -55,7 +55,7 @@ class FederatedUsers(object):
     if credentials is None:
       return (None, err_msg)
 
-    return self._get_federated_user(credentials.username, credentials.email)
+    return self._get_and_link_federated_user_info(credentials.username, credentials.email)
 
   def confirm_existing_user(self, username, password):
     """ Confirms that the given *database* username and service password are valid for the linked
@@ -93,7 +93,7 @@ class FederatedUsers(object):
     """
     return (None, 'Not supported')
 
-  def _get_federated_user(self, username, email):
+  def _get_and_link_federated_user_info(self, username, email):
     db_user = model.user.verify_federated_login(self._federated_service, username)
     if not db_user:
       # We must create the user in our db
diff --git a/data/users/teamsync.py b/data/users/teamsync.py
index 65fc31b35..44dc52032 100644
--- a/data/users/teamsync.py
+++ b/data/users/teamsync.py
@@ -82,7 +82,7 @@ def sync_team(authentication, stale_team_sync):
       continue
 
     # Retrieve the Quay user associated with the member info.
-    (quay_user, err) = authentication.get_federated_user(member_info)
+    (quay_user, err) = authentication.get_and_link_federated_user_info(member_info)
     if err is not None:
       logger.error('Could not link external user %s to an internal user: %s',
                    member_info.username, err,

From b26bd3c9c56cd02dcdf825b7fd7ba4b96d19fb9c Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 30 Mar 2017 15:04:44 -0400
Subject: [PATCH 27/30] Regenerate test.db after merge

---
 test/data/test.db | Bin 1634304 -> 1654784 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/test/data/test.db b/test/data/test.db
index fc8c7f1273e44fc9340d8f548b497e568bc1a139..55e2f8cfa75f575eca5c6f87bf0facc7c394036e 100644
GIT binary patch
delta 77574
zcmeFad3+mJwK%SkWJ|Iojcmtp*2YPkJ#uCrP0}o~EKBkt$(FUbE$&Df*|N1+i)FjC
zs@<|YpmZ^CSxPBTwnw2Y<;ARR;T3qSZ7D5uBV}J6rR?wpUi&*E#kL%$N%-=8zrXM&
zxze0-?wPxtbMHOp+^g%Kk6wShbj#MJxI%%wMX~aS3AY}m0ciedLmdEd{G*U!j$5<a
zl=w&Qd-HajgGYM74C$_gZIBuk8iC@k^VdN7)A<CX-<tPB`sw+TkiLKZ5Tv)vx845(
z{NSC~n-}%>{#3i;sZZq&BQ}YM;Wqc8^FBh`_WmJ$XWLWPFJ6CNsDq4I#3;+g%oNR9
z%uGzMn8g@Dn?;LAP>e`O97!+!9daFdIM{f+r=^IJR{)=dPY~K8AN&>Hb^6+$qQ7;t
zx)-(g6I%KWTaGyQJzz!ejREA%06G5Zzg!V$z2Xy#C!caJZulgj-Rhm*zV~=;Ke~D^
zkh~Kh_46;z>b7}o=sNXA_hS2h5ZcRM3cu`+wY`1u*wgMS4{y~fpo%)JB0_OuRE)&U
zQHi3>3}=a$1u;sQV-g|6ECN9@5^;FTGIgA?h<t?R%`u9Mn;9uCn#D*YW{wh~MDP?N
zu~BAGd79Ab9;E->@B!yA`bJ$Vyl&Gn0}IJp1dflJMM)r`Wk}L2QWR&VS%!*4BSf5|
znZs?%)KMzV6Lf?!$7xzJGb~A%g*YEIGjudAl7fYXk}v)kUe~hl#=utZl^<Q)wsf6#
zpY7N?xIcgT$;G~B+>5_iYABNyiitp*n+49om>H53&4NXUnAteVi*bUXV{zhe%gRdy
zCSr*aoH@<|Aw$PwP*{s#7NUeD5|6SxM+=9Wm#KM4pqUr}gc3(Ug~W*25|72rbcCZN
zs4W*^Fk*4;Q!qk)ylu<Q+)WQGe*78tZJ#Ez2Y>dr?Uy&*_QgfZr?1nte&N^N%Zfj{
zeDMKzs7GJht2_F$Zy^$Ga4+8W8A5wta^E)L?}^_pzVs}#rhfV5z+7Z#mNT<71tp+Z
z0bb70W(y%iMIy#f7LqvJxJ+#kNGKUgnOQCtF*8viYPLj4i`@1s#S5YkC-}v}X9?}5
zPkbe{Yw<@fFW&vx>$H3KTy`ZpcJTVed!KVJUjI2li~aIfw<z!FBi{N37+Lk7C$y~}
zc;`)*xleov?F_>pe$(e0h9sWnVx%aT*@y_eB{zx~Cpoi3k`lww@d(F?hwGNh#l)a@
z*(kJLl;h2e$U-km(BE_<%Ci=pry~Tj_;YxXD)!bNs~@V<FSb8$o%Xol>aG6S_C4sT
z2RFGF|L_2zJ@M((hTx;p!s6ivuhSmTFMU&(VP1p2pxa27LCP2Ak3c#-53-Jpk3({W
z6OxfVN|0_P{sBm_Mf`F61Nv{`-&5VKyUh6MhPZaW@+K^;Jl(KC`~JoT?KhNX>N2`_
z)IYEOdc$#?sr#i~q4<6M<*Jt&eqeZ~@fKq%ewF$UsvER}x~z82IA+*Ux83lc`fKzD
zu2%2EUu!&}_F@ldbjBYlk2TzE_?3#pP{XG*S7@G8zfT!!{CMMQG#{&%^ml1))cz6s
zg?>ocjNhYk7^d`ps$ViVRU_Co#n*IStZ&i0T>obEtm+B8QA4S;jo;P%cik5jAAX4L
zV4+<jG!-@TEDQ;T7FihPQQAyOWF#ihq!<;r#jRfm?xCUtNpMld%!(G7P_mdKQIKas
z5JiUJA|hjnUxAMQdZT&q;V<0P0V;xyaS~yUQ#AA@2P#dp2$Wd_#X$ll&PB!h-}J?Z
zs-KNoKol$>uM`FHN?Ih4Zixg*q9OtjkHToPoZPSSW3d?YxL^^@ah3)>LJ}|(MUgZU
zF#-57f~+5pe)&j8!~&AXLLuWM36g7xfVzlKj5$U|ECkO|9M8uVZ~AhugW-u7M}Qc{
zqY_jJ#upGq1$c}}5=X^YnWOeAf7>IG7C{gxr~(P2l99*1#S&-CoDhvt0Eg<wC^Y-b
zM)Mw?BDuIAH;xz+WO?Du0%#DZH^o>;i6DR#flmEo<AKHZ|Cf0WEpZWoq<G**0cVk8
z%#lbGT0jK#8mFTKL5pTI_$z4DU0=OxPfXz8Uo>tOWbt5Ffdk#ffKn0(3rC2&{I?Hv
zKE3I{;)bsUE@?`+|IJ_9gY{p6Lf<O)!6oVPm%rXQbSXM}lg#l_)ODLoxcHmX9gFY(
zM&~7I<_#6rm!OneWWr0($3(MC7^6fBYWnYuI~S+E`Qf2U(WH7g+odScMwxK&`p<SO
z-u$iW-It;a>*XAmq6h2Hoj-)}_S#2wXhC5W4ygP}^!G2ebu=hG0?&Dw4f?gNt;0~1
z^_t4~Ct0uEdcXeB7mV07=&_etThN*RYCBc0co)Fq6~JQrj2)BEdw<`$;f9CKEIo7v
zd)(Sg6YV5>lwgihbSJ?QtU#j=>{R||M;rzw69ZjML}8MHl?`ZiNnk)e;~->&CC)N5
zdebiDW=udI+@<uKkI`ct$}Q*{yOb@6*{$4kK8ou*l>5<ZcPkH`4++^XL(lJ4UVc6#
z<UD|a9m=*>K%Q#i)>RA`b~Ul<z?DMu?@=B+5AJn)l)ffrT^8Wf`nJ8w&hwy7?o|rs
z0sq@x;J=<x_Mmb*de=Usvz`(dP`_yBL1hQ>?Ne^KWMaeqS0*l-l{)mQ{mRShc|ou&
zvw!#>&T-8F<>vD>G!(y}p$J)XSBif8Qi%4WmP5*o=V|OpW8jCCJ@o=lam%GGA6C|(
zZyZv#{v$bFvH74y?6oECK)m^a?RO6Ki{@8siS3B*RL;Lb3v5R}>r^hRB1uapL6R^T
zEM0R%nIG7>UJkdksc4KMNZt$^3Q9ouwaSg<^<<kaQ(0HY)}z}ljNW)*bn7|j@;SO<
zLoJ?KCvh!n(CZ|x`NHU?HRy`$lxr20X+6Fcjb9jTyfE5uUUYdyOX|;yUqLrs7~N2d
zUf*fDS3;MoDq35Mr`ENr=ECUuHRyFZsqO;kt6_dn*W%ZgU3Fo!a=Xf^TOQRbxmTp&
z^!3WG>UXceSK4#SW;I4*>g9|e4lmrT+;l#1XjfxaOutOHo>SY!2sU1fpml|yT#?Q7
z@7S<HQ5D|xf^iPPx-M+K7(tUvP+qMlwXPpc=df5ufM1NjxI?X5)h+AaU?^XNKz|W@
z<3;cdYw+vaxvaYgfp!i4Jd$z|eEnMdxlLH6>n=<{tJmPy*Fbd<yz(;Wf>)FmrNEuO
zMfsTiJaVvQlUh+beYBI7qXYr}Ht$d?Ry%cli8fV6#fqe@Cum#GpuA=QSrwoQaHtB<
z1qe2*X_fQLD{Jv=`P>CsReV<7u)gD))^a$vV`<Yx@c0^hdA)30RCd-dSfBqN5}mSn
zJ%fwM&i_l%DZ>I~oeH~%?EJqJ9Trwd>j&zEWd}s(PUY8Ld9Hy);>yzNUvtgH=9)D+
zVf|nPaj8){>+v8h7sMNOsLK~50CBk>9%h;g;z3$!@axBtZb$jT1TfRoFjy}Qnv38;
zT59vJQ%H3%*ItkSW||uO`WnDYb3wdv2P`Ob%H>hN!eDu6hH<CwRU-YK6~xNgY~z-#
zb+9<YY9;1#pHpr*&#a`|w5tx5XRFJW_1p|?7bVecyf{hguDbF?-lW}d4x95#G%e?n
ztW$HQ=2s$F-7J`z&ZSw`zZ%odI_RI3o!ojEX~!={(PmsjalToBFsvat&%8nEFGfK$
zUW|flkSWTmwOQZIgl;X9^%SIbEya47A~YAID8pujtUrfjUBeS~7o#B6Ybn+jl~A3J
z;z;dolvM7NNB#u_jC<Y74=Ulm3jV8?UVgA{yQd@0uwYLIi#$ikwqx+Am@OQ`fX5^r
z<svLga5Rff;q`mULX_bJN-#?TFB{~+zH9+Q9T>kUmM6$KLx>SEohgh<xuh78k|ael
zDoUwQ_*+_Z7$MvGBfysz3D(RIVAd8W3A}w4OAKt)6hnd^E|ZCfb4n7c=Fu@k9PHvO
z80&dLFdt$>o-%_`9sG*|xOu2ZoR0CaN~T-`*e2EZRSNtb{CoIoakTT%w#)Bt_cr5Y
z*^GH9byQc(rk7Ahl}vak)lu$K`E?y@D{=lhoNljw{mBlBh)XmV1s?(UDZm~Y1-}Cw
zi<+b0B_%98%|=)T-91`=c)#4%;AgXd<x~L6smStXkq1gnjK^7thEAizL^_^1{e0v7
z_`s#`t(5gr*q+YT|N7<{8xzwhfD_cheNyx5Bj*91CN#g^aXz?L^HrRehq+K$*bAMs
z07gDboj@`aIC3bt{@}n97;uzCq4&WH7y%Cy)R$&XU#)reNXI2n-lBP-TCBCNfw8Z7
z46l^y9K;VF(d@c+f3w=Jz)u)oV|dPRNMCIHO5@gsjP5JC%d|Poi<()Dsy<Zr(K<}+
zzrV?QKwX|c(7Zw6XBG1XtwO8QYON|A3`d2;#kiR4aEiuQkStkNEFw6K!O_gKB1cGZ
zaPAam(@8NmCLN0AB(admMKT3pxSw?N6GJYypAdq=U|%m`p~GRC9qM)Q{=Qxt-xum-
zT=srO=pwBFXIZd$2l!rJFxV3w>gu<3)lRV0>XDt`7^irmxu}@m*93(n&n;{e++z&K
zP-cRSfioQjkXazeh&jST#DNGtdGL_07B*8#OL9>MyZt@h@&Iig;(adb;2<y9N1UPF
zAjgM%{ey0yTX0)#e!nl&P4<&LA&-ypbPu!rLw4HZana#^==16dcy%N|QNbHe(Q;7_
znxLrsxkZ&YHWHEIoEe;n5D~$a!A%LGL4azB#aKxoI4L5mmNhMvGP$u_28!D?%<`<$
z8D{-{`vA`fejc2D!l1p&!nuYm!ydm)7#eYS-IUMc8yX4uiQXX1^bQS&?89Nc+uL{k
z(l)RH!OO+nkE6$4tKCqJ&}5WgS=t;C1aS6&dNo@}2BcZysTe^JF@hsj%NNaLl9kd~
zLU!vg;RxA=2b_$hKQQPSak_dKuXQK@u@k{i59uTM;SonK@9r58!l8bfg(3Pw&YnOw
zG1%i@X-jcUV-g%sGf=vMu|?tEsSvafsj)IdBOFP@s2DV*2z|}K2r*lzXv9p5918|=
zh~5w*c`2Dp=Tl-bIaL&A56O=RyGh$RQ2QEi#zJSvuQ9-Dwkl4pc}-j(S@70J%~Twm
zJPZ*5$0js}S!6-oNe~tyG3dV6X%Ey0B-u&wEW^|2SFh7<?jXr1C;`Ypz{mjA5QF#^
z7D7iPk)yzo%tmQOKnGs0Wt!F$inCBGO21yawG3K=wTNsKoWx=bW;t*d3sLZ|#-X+>
z0W(pQw`7Wid?F^nVCkU54wCASvZdT`elj@_>x&CR^kBTNm??G^;(c@O5$Kqiz)*}3
zyq!E1PC1EzxFZvuiY3w+>QrG|Oi$)JqnXs%5z|uHJ62?o<U45^`h-GT|4qB4Y~e@>
zCeDaCCQ6|6q9SjO#39-NJjWCd-t;)nuxC}n*;099(@DQKKSquX<|ds3vk7OvohSwi
zLdh9V&lV>-r=ro$X!=OBBt~q}>9KydZ^o0(MAw%J3I%43YN@zR3vVGgQXa>9bRc${
z=j#sW6fjhl)mfb8EsO~LM?x@#nE~g%IYNLF-$H<r<KtvRib|lvVp8sGK?g}!U@SK?
zl_0D{a%{4DwzGfG<&kpzHnuxv$-AkNKP<%N`m-~EVwZ2$MrXp5eJY(H&s);fg0dtB
zx*sLqpxu&yFcdlbKr~A+5t=VfMj_q<dKhAd1i3;n2x%#%r=?sXo{(Z^3l_|!C)~5q
ze8K6NrpFRV8#Ny4D^9Q}GGr4(x;ql1r>9*oo~_*EB<-H2^HB$S@eSIx%64P9y(oew
zIa#vi4``shcAnc_;5`=jIC%S`5WfZMr6|M<SwQ{s5=2l4F@}gzTuw~KGO1#IrOo;%
zP(+>GDK9tV8=1Cs4tkFa2a83Q#YqNwr^@y*n>)l$yKG!whA#$&XrU|D8E~XC%mv$w
z?SvQ$f#T%C9;%1J3g_z7ILkta7WAuF4Qq<AvgU_XU=*Sd2pT32Iv&rJrTn;D*h6R6
zc@?$gag6u}xjviV3pzmc`z>yF(8|-okgca*AbeJu8VUBf9o)cBPtZB+>LrFp{H{JL
zZ5eQOg(!%pI(G^np}0_9rqZ@_9Ta!ReBDWTES6UWBb1f3NFoFrQ4nRufRLCYv>=+J
z5zzgd$k9B^5V^C(J=^VxKq;2#3Cv~Pg>-jkfh`pVkMwr-T4<*uKNF-%vt6D-FqE3^
zo?<#3ft1%57-G1Id~`gM%N;66`NAoryb09%ii&}PvM`GXvfi6NqOJ<f@ijsN3pG%v
z1Y;&56ilmvg@rgNSh&$KlCnf248g~_Y%!8dM9&s7k|UVD$+$Bz$w$UAiQoj;nds@9
zrkL?Wf2oujF4|ihZg#NH6&?4CCnnkS@C?J)(1&l*wy$bWC>S_537SAp-vl~_Wdvvz
zSbjvKagbawLYO0<b<J@RmhB=f5f(Nclcoz|Bq<$=6)L?-4Kc&RJz;BaFx=;}5<RZo
z5yINt>lCc6Fdep#!?cg<<p%9+7ts%L!uB|Z?S76M?(y{ooI_z-O|O>Esu;OYBrjB^
zN=^x_wSB(MvD{h^f}l_k5ZptH(U_T+V`Ctg2%@(jB*-j5gibVWks=U?6iejgaxTkq
zIOgn~bRNlvhv^JCHy!Tv^hW238Ez;s5h)H?9f4w?c|agzV`A1mG#l}DyF+t68~WNk
z+U>}AlU7^PX!25)VHpcLcC&WNIE*itfj}KcVFLss4A$ikvIjbkj*y}V>vVx;mm6)l
z@1`uV;oeBkR5#<}q#0LF+InQlV?B~#f&tM+^W20mJ<~J6xR2O!6VZ%)&~DF&=<_#g
zJFTl@is@u67MM<9Ov#&?X5%9YydU3ee8l*&@#lB~{{#MQ{Ac*5@jLKS_z3<L{ARp}
zllb+p5`DiBeg6*arcKQoAslRVeX+b&YeL5NXgBXO$v)pz?8@o`H>!4Gt8+a%`5x_;
z_BR^@1%AD;(I6PUWPI6B#-sR`aXbEV<Cl$h8h>Sc%6PvqX&f}Z0p4yfpnI?0SXcf>
zSFh(TUYqUec>`8iSpMIvE6ZmWmQ58l|LlU#RN?ZEEX<CaZ)JvWQ3=?}>gm+-u#p!C
zX!7IQcbxiXbtvk-M{7Ox&&n+N(mmRfs%HEKq`6nyUUvijOZ>e{<h|M}aI6{K{i1d=
zdhdhUsJa>dkOG;!$~Mhu{673{{6kBZ-C~%>+tey8)+{GYa$=GbT&>cf2OiP(?3Xj)
zf5-ofzkvT7|33Z{{vG@g{A>7^@Q3iv;=jXxgrDUFBk3BMl}=`*lUeCxRyvuL7CmrA
z+q3fioho>Dg}zR$QdEl=Qne~Ru%!8omT{MxRsZZ*yyn`zI*kIu<_%3vs(*Ayme1Ym
z05|nnZYI?~J2HWp>MS!{b>0D5{s*=WzzqyFm5SD@{@K9@%)o+!^~lYpQvI`oa_Oa$
zx*y>!&GmIE3~Q>BQ<GXw@ufd_bX!dI#vkBQ#&^ItIBqOE>foi=Ki%*3XZifoU0!#V
z(LdYU>a%>#+tI82T)yZYQFWHlKikL39=WA;=kzZ1kFOI>XLaAjH#gU7)EI`Tn(C^b
zCUx}_U;0g1_XNJd=Lpb_E{Y%Y*jTRDK@?`QnaU=#GJRKq3rTtUrobq6`WD@9aMQUt
zPT#5f+hzNmeqngP$M<p$Zm_E_ILz8dtTZbxX@-fQZI~VD>I!&+ZaaGLLERqYd{F1v
z=jaZGLqP{@qFtOf)Fs%g1kvRgq5VAr-T_C5^aWi#BR22S0}txDy)BO`G{!F~@LTa8
z;%a;ncNl+UM1!YVr@$6@xv{)MQ?J;JVMp?_>8KPls(hK0)LwmPFGymlb4PtGfqp%K
zRV5SXij_${Z}iA^n0))VI4!jo({ZU#fGt?8U5rMhd>%e>8TbH;Y`c^$Byw7*9X7X}
zyXsJAN5gJRjb6Q@A&%p}Rp7wVaF!+d;f{t~#0KnU1@1LIU|295)jz5)H~y{RT@94(
z3%Y<dsChwiL;auXUZs9kJ)-&+b~C0@_!gVIJJj=s=gsIdI~#h?2d{11jh^1w(2QQU
zvtc_L+SSm89Yzzo8jhkr<^lDUT@9VsA@rwR4K(_Eu2H*0?ru;iv4e=+(_q2wN9jEc
zgV+J|(4Gbs`-J?o13kB=L4&sKZP<hDm*Lyd=-!4+*nL$beAl2m_BQOr_MtEBZ7^f^
zqUR4ZY(j_kHZ&~0*03AxIM`rXa_(!`fMI*lRr?!A>>l*qq^1?!wZEYo+k<|wzu^G(
zahcgBbm&0CJ`5rx4*=+6RnW)xH)zqj4>Yu6yU_y&8g`=J?QPhM{&Jw<3+3_oU79v}
zyK=rUk&a0-ayQC7IttsQ=|of-O~jT#ijUfcz`|p1ce%Umq4r(N@EX!x?H>0kVpseA
zU8`(%9Z1jb)U@&Ns+QGPZIa)W6!V4AVm2lgq?Na!rUMNdMk+<AMX!Iu8tj4ie7mO2
z4DT?kzC(V6T-e&We5BHR(Um%!#jj_-j5x4x<@^p!+xG3s*XSxcjpeM%pNbEkZJuFk
zSHFF=70}>q(5vFUhHd%+?3eRmw2;W8N72qw<F<`!3g6xhtvl=*u%oa4Rl5s)CxW-3
zdl6<tZ#&qq3%%6QU_vkaux>MY<KMI!mp*f_L9N~>FR?ZFeF`|O@hAMh@#kSd{W<(T
zm`vV<qvt(ZHC>fXO@nGPR{dJvsM?BE?Hu_!y=psl);g0{%QUhOp`V{@*w(DUzpKFi
zhW`SVHqYUI#9zd}yVUe3_67W;Ja-v2a;mS)Y5K~XrmxItMwJXVDAg)Vr>~an>FToS
zclfXHpF;VbmbpBPqo>}}pl_6kRh8^Y^jnX9Llgdf1^#u|BK!=08vi_gFaCb0$xXOT
zuLiACExu7x^PsOcsJCLvwb9oZ)!VU^`smda%4N0i(@eu<S|y%S;2*(rz&4JTS$WN1
zP+*cqz3ZAQcY%$ym>rF!uiSOC{mNa@^zmWXGn*YU^l+wl+z&%Jf90-gclj}GCENV&
z`kH)+ST$cBbYg{*3^)voUXd++4&T#{>i!R|(Nr3*{)6p$Qw6Y7T>+>K(9=5n^9ua0
z`0t@De~dqiKY@P}7NDPp%Df-Hs$Qpt1rV6_wen|!8fGN;Y*yFR!>6vPzD|DB!IS){
zhDKK_bkO)p`9rD3;6o>Om=6EeYKMIby6ii0r@<>eiSL%XOQVz12CbYnS4IJ_hVQyc
zH>%NZ@4;F&>hN#MOwPcV{0)@xDHxr<#D5G-?#Fk@#HtDtb%hDcl(0Ik@TjZss6#LA
zz*>RF1M>L$11z|If<FLb@XPp<__u(^T{v5rTs10P<+DMpt$a4CHT7x?mfY337z$JY
ztLxPDY8||D>G$_EJcZMB#a#NREVGI9bfO>~W#CvJFCROB^Dc01Oa#}JXn}(`aH<bZ
z(TH4}w0!902SIbzoqoPyW=EOi;S^1bggrhL0aLC3R@_JgjJg~xT4K?N7^kF&T6shX
zW5ln6rq;`6UKlaPoB0U19GO_fgaW>yxWrm$O5jC_k?K@O<U!@vVG2x7iZLo45#Y28
z3Em^Hxx~OzATnTbj!=SzXE~aKnCO>YZutAjO?66@N}-d-#s=)83gz#VU3kEFw-Iau
z*~U#<)KjYKu#aL!K-d07=DSee6Z$>aH_+4*`peZfw9i}7eNX6jVqZri*~TvQ{O0*n
z=-H{pli1ggm~Y&NY`I2S)iQq)?antIM}yZjZbt9UH)_#*zL8V?BeUiq^?YXj1X{eV
zk;MKBed)T!2eISmHD!4E3TiJlZbf&L8ynGc<;LBr%>3o(*&@8DvDml)`?8F-VaHIc
z*mwl{QkD3gV&h@#s7z(X9<GA+OgHX_^A_&u#)If|xp5nM%XH&z%z{2O-M9z)B6{p6
zbz7GHGTk_iVLTFN8joRLK;&%W4s_j2qXB(&rtz?r)3iCv%6S^yJloiYHq16|!yb}p
z0vL;4KihZ;dr*FAN57bD?7|pyc&_ns?13t%cMh1mxwAo!#%CMx&Dkv2#l(uXPsDZ|
zn4YI$`UBQ2GV6`#`MJhcbo&gjf^TZH`5GuFg^pj-Xhy^=tSNHWH2xIRlA5+LS~)+9
zrgp(9qI_-RKJ2py+XWNCSFddxR?j!i6X-K}sK{rk&`pI#0y~0CI~xw5o7)?<VxOwQ
zpU*X(Qth4Zlri1dQWbb_q4DJDQ;qi=83f;x1q^O+u--G^^8wosSjWM24VEhreB5xB
zh2e5iHgi;rf#k^6#6o6LO4pdlDDo&v9wlV|7e#aA=~Kq%@ZFcd^^=<V_NDrJ8(-R?
zSLufo_>A%6`XSv<WNo1<zecZaQ1~(3>#wkC?O;{A@zrOakHIqq!WzGEq6&Fk*{Zz?
zOsWK!+AQD~iGiDh;$!j&UhrJOAy7UFM`ghQtG#AdT1-ix<Y5H^>yG6W%A_<4`g(c6
zBBQ5@da(kVC{4mMIuh0IT6(>x4`F2>tjwEIY*b#g0G4C~LLdl^696{}{rw93Q&K^M
zEF$2qx%S$c_B(rS06fVgLtCgLHRT!=v)No`T1*}}TjIg$+6;<(guF4Vsx;B-igJ^{
znGiTR4ChBJ^0`Mi6%2KU1|TDXeBLw)*70~v0~FI$&Qc6nJCz;vH5DzV-Mx`H*IbC|
z%J)bib9yq8_1lVFHb0qgl`NrfpV&PivSg+-=PmiV2+8T5?H){xMeNbyAUo>Gx#Ik|
zmzf<32V5kR0V8kLJ&?Bq@>8Rdci8OjE6&gs%kV(RneFm~#ojbO8w?GGot|E6cTAj~
zDf6D5G0W7fKNpB`(E>F*n#x#nV}s+9lUCo{Xeu7F*}LN1bN0|kSI-oi^a{D~<jkx!
z!cI6RC9|6xoR}E*W&FLAt2hx0P5Al9Bqfe`Y_r1|YA)y^I7cuLFprSksUh>QC*Cv2
zxq@?DQV%zg^b||p^4vt9E5!3|pO_z-5s08AI0F^v8l<|X9SO2HX$~YOT*X|`H8@Zl
zrXpd{;_K!7P@BFX2cK|HB-2hYWA%;Cc5#W^fQL+Xxk~Zi*x;^fFEDtRmBCY%2N5lg
z$cv2_*f`2(Sn2bR7@5lva^9h=43Y(%RjY^-ENtJv69$1V5D625SQaq~-c9hCf}qO>
z^J8&6dj9*3M0vb;xE*Y}17faS9;(YuEWX_geqcf_T_Lk90lS9JrKTX7nmG#Ds?_U8
zJ2(?TU>L?SUx!u7H(v+k;{-TW2WMi<mM!2m1#c%WR9vlQQULF#1f`~<7W9!bjrLu#
z-MPAbmO1gfg_9RCD*Uwyh@$x(MAO^@dSsv)MRO_2p%O)NDMD0<qPdiYtVE_Tt5tgC
z8dXdFq5{_1e}t9K-{h6@Q}{l4!KAIMuC<lbwZ5_*G*+p9x4c+;L8g8VM=#uiwdqy(
zT?*L2|0jMI{u-!%5ig(r#L2R*d4=;T%LD8D=T%nv?iJ3f)OHAz=*enHpTs``C3*+$
zKCHS53<+m9nV`tl>9`sdr*2o-UxBzfyj4qoKBE7OVbvKz$yI|B^91_O<NB-Dz$sX=
zaXeyA=<PLdUiKdo6ouZj7S46@3_}Yf`q2r!vxXjgd~lB1!lC0Q*YE-N2Sw1VfZhV|
z8gD+`$+4t`|IjZ_>UY<$fnvg}LG$SE5xu`mO+-@J@u4h73KJ6}k?yhZKu^IU_7meH
zQ{aCY^cAMLkwRg5dU%e?N0?L>J)Iw+3VxWVrNM|Wo3cma@t$n=6hQ?d7PEP1E*MT1
zBB}VqAV1XIOSp!TV!%lR9X&(+Qx5ZxyVvcB&y=#U)R=8<CRTP)d?@LgBZ8T+L~O!F
zbq#k7N8Mxgk+gLL%uc+RxBJJO#pHN&G?DM=rs?rKm2iyp4>@Lwo=~aaPv)~zv%cY6
zD4QGT>2{<>^BFTs&YF9R;h~w~$dsR$n(5B=PDCUt5gm(ggAu1d_V(Ky{i)ChSI*mK
zBHqMkgzF*4dl|yoll2q^ibE6G0ctXq3M52+JT}E7cqZovkM)es5M5G4?057El9WtS
zo~SqMnQ+aHggh=wPnhqU423P`RMrYA_nI}jry5iwbjo)^uxA~(l$mO>oO?(Dor&p(
z%4tWeWajKd??jH{%(Df1u;7dJr>2QgH#27rctkNEj@sRGVTUE$pUP3=VUI*mlH{ND
znn&%4u^!h{-&C&PXU$Sp?DpEYsX0qB9_xx)LuA%F?v9!JiUD)fG1@f@!6iMmp6qO5
zv=kKPC|`JFG+s`HyR&XSIw%ZBY!fNg+MVDB{8lbH<Vj8rkS=rIXfEEBkSwA8?!a7u
z84MFds5>$#jdzbmJ+^?Gi1{47j?#c@W@OeW6n&+X&F;v$<K0p^Nl%Uok%5^xJ25$#
zo#dP|#VLmnkC)Qct~rTxS;%<2Tw=VF!BWN-?aTPaho|9g3`@5e9JuLRcGx#7=DNoU
zuE@;jIP0RaPH%xN%z0*}L){ROGUuP^3W|JsYE&q3-A=*^OA5*XAtQ8rGW81GB1<AE
zd+e7F7c>d$y5+&RUMf%cg#KaYFpT<vKq7CYlV)k0v^v>1EJU1Mr+>`m%ZBGt)X;D$
zIA)HG5X89OG8gU7PD3;dc*&jYtf#~cWb%$oU^F+H7e>frpX4O_LSn%`A#k=J7iOlI
zlsz?_E#@YfUTPxLA0?+a4_tjv3YK&Ei3H8rhIuaT&SsrcB{$P0h5U1Ub2j%tZ%@8N
z!_bG@T81)RPB6=Mds73$R!d<#?YBD%o+3LIFw@iCiN49KkPbtH-DG;eF*3mh%{gW$
zCyb95Cn;)TSeUlDMSFNG>kzE8d8}_bB}5BZn=?>$(7pV)owcPCmUPJ5Hzx>8oEe`P
z%tW}th>wfg2mSVB#K8=W@TJV4Q|dE^rkvp!zdz4}`F?uBF>PkT<XEOqoSvI>MMGYH
zk6;sHrSnS*C_<WtP|0eyFlMreUe_(37}xvCbK&TyFg2Zs3pRT$SenjG=Dg#B$-v0W
zxPPP=5j`oYZ(_K&H{r92bNyDqQYgh(r#t907dT7IMa}h-zJcV#NGdd%v`e;$9=kV`
z8j6sqS#Kbjbyy~P#>}~ZCpr-vnd&M8Q^}Z{w*`ZF`)FE-hq}wIX|@<j7kd+3++-;)
z`6v6s12fL)-msWU&q($;XJ3?>E~O^N(^R08o3fWOqmh26H}A@K*+9I5S>Eo<43wP1
zOm@t|Czuo)?3x`Kh5b-($viXTAVRLF&^ItbOLm%&Y(mINI)-McA~iBQ706AMU147;
zJeC;k>gt=3SaB}fYwZcSEWM?^=mgyZ=b4jyVV3t%Gf{8%0K;4CTr4)&-RJd9GSMC;
zJTyBt5^;GwR@-pOBltqF=c3r@u2)iG@;pR9pwP0k&`spJZdshr5C3a9|G&1JKi}NK
zK*SP+2eUW4N~u>IYCZ5;6iez|<;+-;k4^=<tmBCZt8=hl@Ys84ae6Gr<T;3>>neoI
zC0j1<8_wkYeFT-wdz^j<v>|)#lPSN0?IDxN-s!0^?}U}^H4}Lu6rT!ZC+33v{V>#{
z;LxFL<FVvuz&DwMh{AEJ1A^9RJ2&7p+gbbQblDRo3uBJ)h%=RovVKp955?1SL#*BE
zu>@g0voRrooJ~pAU?E=|iIZVpy070Io6Ap)_mO@5rHM4<wRKOh<BsvnOp**vP4|Rn
zOFn|i4UF5f88aW3y1SB6emZH+P6jj4>~L~?Iy{u{4N#?YADb%=q$GbNTC&;_z2WGj
zIoq4_6bjTFGwq>f(v~4_!I>Dy+rkmPr)NBrcMdo+EN`23`Fi6$WATxwUv&GTTyUr~
zIp`)WWBwQ=joIyv!B<dOuoffXb{gtJD(hHUKUgN?6OM5%E%uo0gO2coKW?|Vh#pIR
zDnByV?@RV_sWfHlrW_^KAM^*QVaYu0@Ny;F;Oy|Yv#-a_1;aLiaeE+kaE9*|X2wQ*
zNi#PlO$Mf?=gebfd(T`jS}bJqCDAt7#fsxIZa(GD@&3?M#K~AelLs9l#98;xI17Os
zne`;%KA$y~?@msKZIUl$9qRSW_VE3Vk!aHFNhK!|Y08y}O*y0SiA175*xjFxq-LiQ
zJyd#RX3*uD?k{k&E~_hK<s-g?*Bi|Ri)L~#nV%-6X1!gcPl)$TMiX6<R~#Lq6J_Vr
zkd-VBrzTy#sZ1<IN!>1T04Bg>X;4fIB?1Mv;O!c=bF9s88J#KhPFb0(kg#;;3lcdy
zK0FbKb-|`Omv+R($w+LpYh)%VN)XU_{+R@p!VCkGyS#(Z;vZAsOS-K7&pRxJx}svE
zBBN05S3QQm3nz`AHFg?4um7aJxAFN#U&H0PZ|knqKC3O%f26*>?k?4s@=J;gwm~t!
z*yQC+H?Z@5O&iN9U)xym&LHto{RZ^-xAm>q^T>P5xCwppQN3{qe_S8NUctV3+59m2
z!4rB5b_NZeFz!IYlX@rSLkmyp4`AO%;@eG|(8Eva_tct8m%v<l9oWtliX*bU^pI+H
zehB^QN&OM*xoQUHyLtv2M2YX}Y3$i52-r5Gzr4d_LRUYj-?;C<4UT!Qrfug=<!ghL
zlFL@Md;&u0XIH-|o~hQs{2jdp&1M@rmV)2Y$1u!;KKGP<FZOiR7x<T_^oKAv>UbI~
zxlf^<r}bB11L&@&^=9mQ=-W^09aulw@(fhwyQupa{VA*uz2+I9d=h==8T}uyUUd7j
zdJ=o0%Ia&+K_UP6te(PLX#aEi1L(1*^)2XI&%x^_pMy6#(QN?59!H;h4mdf`|2zkr
zzKz~{M!yO1-`9T=>p^vA^qtsaGQlR)e@1^0v!l`($n&U7HLA+bccaPgK-nIVP0X9n
zecyprv!Ne+2S~nI1x;MnxJPx4vHF9z=ue$~UjODdc8F9wMo5wb(RC2*2^R*D5U&nF
zv|!kX(GW;W#W?|eV$yKDgNjHL1tIrvpOj1)g>Y7jC?CuaDTu#?U1B`Kpq8Yevm?eZ
z5FaO-J^7eyc#zKsfl<Ls^KjoC2hpz<LPAo~z;%c;g!5Sh8ZH=<F9MT~0zot)0SN@%
z!L5E4DN3OSlLmVS-0?=k!I-F-h?C$jU<sgv+ruD|o0H&PI3~u%VrYNLaI8ZPtBu2{
zB{NtNAsCp5Ti^^s1eRJBiC~0ioQ+vX^tzN`cLxD+xo~w~4D5OlsF8fQSBT5e;czjR
ze8m?qiKB0&pzb0pq$vUp*wDOuEnXa)3E)P6o3_XpoU@7YOgt{4BWXh`+%Fb~sRpVI
zW<qc~00Jr#hkM9)nuMr-+CmFF8c!Rn9dh`f1oxwvV{y3p3|uDA@-&!Q;miQsYzD!9
za7h^YX4<g7LySP&yuiSbAOiNI4BYz#_GJjmh0{_*6wH(a2LbMzGloMQB$zzmhCEP$
z5NQgAONdkyBXCKW#1hbz(8v**M&lW%I~$FY@?|;@VlIKDnjqn7H`t1sNjQVWN|C61
zZzH-VV=#9xaE&7wjlmUc(Eq?wzTZrM;8jwJM`;Pl09|)FYhXQC-4gepK{CPT?T;9~
zdlIWd1>E>1k3sbl@T&|eR6}^m_+LiWkk)^wp{#pBcS`#{Emn6&-3j#*>REL=_+75Y
z{s@Gu!mU`?G(VwfYi(8D*i@0{d_l~~{}q2)x|cN8VcLYI&DWxwmyk#sw;|$qi@vTP
zjw$|FmAscJ;|Mm6MrflM`vYoZj2-B1+Q@6iG;IRp+AinXTFLNx8QTjtR|Od3PV9GR
zhA|#f&*Sp})c$S#apXN=)S~gXo0?Gegs~aD{@eO}CQwwz&aWlwp0@>{NT(U&W!P`g
z6O2*7VhCrAJFwrNBdqZl7Dbb+u>*S%-NG7e$j=y?&;)HXpgd!2L)#hncITr_^=K<+
z+}tW^+FDwa|F*m8Cl|-$>b<b!;*4&k_G(SrfS?3d(kTII|5=N%9s5;PG5-CiQU5l<
zXu(F2AQ-!_|6T>7I|U=BeU+xo4_Q6ctbY}tIKQl+`9Ffuh~D!SP^`eognoQAZfY>j
zU!`fYL8e31OdmRG+=~68CezQ38auHo(Z*v?;h!(TMDYTKU4c#<H}+valc#}$X!N+T
z72R^ecp3WHapQJuL`LpJ*PH<8O(%`5*iU4#IV>!<`cCx13F9{G$JG}=yEh{9Nh67c
z(CA5{4f|0I{Q8s7WR=q1c>>Bk_n5vJ3s!l+8#U-Z9)qdthcy{0(8|0aXVA%U>=4kf
z>%eJ~@w+<?#No0)QG#70Ts8@sOC-RiE1$5VSrJ0iISFoIjVZ4IJILwlHP7O^FM)jN
zWsmX2M=G|e>g{K6q($CpSU%WpXg_@l$4pMu9g1e<f<n0fhSomg!}<^F4>vyC=x+FN
zgIjl0d#hHZvDU@ae^t+^^+0+8Mqka}eEa-$nl=ygjSUT6jc-H$^G;I(dgz^|He`H<
zX|Mdqsb6E6zZShq#09LOG6OEXAmY8)mJ7?6vN9v5Q80!d#B}I4F?<WUJ%;atTi+gz
z;fFA-46<T#h>~zPtSLWjMP&)6uvzp83Ez*^S4HtR65ff;pdE31H)w=AZ^kyGn~+I^
zZn>thed&fcK8;}|^w%*ckh;2J&`sctC^L@tW7Ft!<M=TprmA*e1+guGo3SG5P2k;1
zOj(0~9A^h^h3?(sc(duif@!`0?m}L9!*N-R&=1D(jcCIJ-m1i~>SCZm?4H0sh2@cE
z5~r1zqFU|;o@#19hf}~bF$tB*q1z|%1K7*x%aiy?YzoyUp&TzECW$++EP8bk-;4cE
zO~x-K@txX?rtSDn<@^q0oW!^5Bgsspm`!HHnBwnfLkjAbMq&!ziTw?kpKaQ-^sW^C
z0}M-{R}scT=zU2j=z9obH<m;{CXBnWzaTAXJc&&rCke9gXC#qE^0XHpz&j`~<-_C*
za|{df5;!7YdVnLbW*$z93N#Hzis1gqsZspe)lpbEYtIQhcRGtdyW^5LoW2ELbB0sC
zR;<F|UWlQ%Bo1$T2;Z}{#fTYRgaegdH+<UgA;a4YHyUz=s|{|$<%WY`(f*~rY}!_*
zz_dHH%Uf|uFm0_sR<2qC$d(GkP(!o10;#KkY^p#SY9MU@(e13cJpkWW2j}2+){wN8
zE4fxK!hv^fs6bY)co9r36^OAWTXO}Xs)00BAS<^V03TBY(pW=-S0MGPkalBT87gnB
zVZCgIAUj!zSFi}}204?prs}H{U|<($u3cZDsA;ZM3b;KQ&MUPyRw!zUvPw}V!LHBo
z?QqjIyr!o0mPv?CK_GdWZr4>PYFcWQ!UC66!zp@gg`%b>S1C9F3PQANDik$6(!PB0
z8_~&76hjd0^%auZMmp=N0;4}1P-W=$x(Y>2*Pne2401R)3{BFmu29r;;VK23?_g=R
zT~(og4ur^*>NR+)Bm@PkKBiq+A*t!nWePC0((;;i2PTguYfX2qI@Mt5MOC(H+wd!7
z7fu<1dTxiXp0`0r&l?~NDFxB+9|l+3>^3;qaRvSj{6>h>$wOHD`|!`;BK}Ey4F5QO
z3rNUTe5m5e+9s#^t#WGEBBynm<+NdwoN6ke^Bd)_x>h+=Z;(@Ci=3*O<y6@ur;R2#
ztzY`s8T>gzS=c6@{#Y&l*0qmY);?}t`?zWCW82!tjcXrU*FJ8jJeHSD)k4c!bo1KB
zrnQfzwU29W<6AL$FU!x`+xTkGv;ZfRXm0Iwd^Py0=&ZesuLfNeo3*#`t)Q1>X3cGU
zR1LZ!FlBblb$qq>s<^DZjjtwqRaDmA#<z?nm*r&bZG0=}Wg)4%tgN!ubpG<_w!ldw
zSwz-&H&@CgPb3xbSmWJXMK8<78t-N;np>5OV+M!9@G<-cMht(*@EiO+hHv558Rqb-
zjJxs64Y%W44G!a94WBnYWq70UQ^sZ^GK7rNhJ?{?IAdf$GBk#=NsaBqYV^&v3ZO<4
zZmj@nl;@TTphkCWt^jKE-lhtmMn$#ZYF(|AY^)H-da!y+A0@O_AT{b{Lj_Qy)mtin
zn)#x+0;o|gO%*_miZ)dMHF~gmt6mM$72UZq)+;xx)ztQEpHd{;vrrlA=UmLUJSc$R
z>~OCT)RbbC!`T5}AvoJy^6gwJELO&Rh2jF!gswtR(`(D`AUe+u`wBr#53CZL9rzW3
zdTLdHoTXSD`xT0sZeAu>8T}Q4nl4)<I6M3+1T{UjN^n*H+SMm8D^}Bm%M>dzu;z-r
zm6nnt04hT8Nz+~U72s6w4g~vqMglgHu+sK!il^*WK^U<2`Rsio-PZmQd!UEywt6ky
zjHjCz>4WPP!tU<=Fz*;3xX?;pt;BRdXOaw<QiP?Kanl#@Q~&H6PCwM}@{XmKM~#^2
zwAYltJ1*r0=cSuQP5E|04zV;TeF~MNE~y^Jea3eherY(~5YxS=dzJPpT0!$!4Xyl+
z(uduqcnrHk@nz&a)tXyu_wH<7Xlb4wUTD^|W%el-w$C45FrcY-o3^2E+-^FAZI!nH
z+tJr=2f**%ZQ6`_-)-89>17HBwxx=ElS~cB6Idf6?=Ug24XI@6zr&<MZ@R;@8x9;U
zG@$ElH3`_JD(W4#nvCe-tMOL!ms?FOs>%6Rqkz2gS=|inX`KJR-G9ZE>Us5o4&k?%
zIP~Y+O*_z`+hFIGzRk2xtJSm}JEWZ7imY!jwW3el2AjE0y&EWgew*pAR-<XN1M-NB
zY(wcq$aH)Ww(HUzK#^QDaoT!KTOUvyt7d<25#UR=LIU4#q<@Ra4Er#s=QecHyG;gp
z``v&}-e%fUeS|%_3ElG+(-zo{eeEqK0)6#1$h!Hhraj696*~1+(;+mlXwstKF|b{j
z-)hn=-Sk$|8<ffgCF;Ez-;FMRyQu>+$qg9QEx<}72wPKMb!+;Ix1080xQv3M7H_Y%
zZ99s*!_=%>P-xn&0?N@U<vZSC+7A)?6-xNtBwKoE_56YPviuSUy87*~wM|`(SN8s`
z=z0-$j2vmiPv2>J3IEVbxW=^f(mf{i_SGGaECpaNXSk&e-!zS4m6(#14LKZ0wk+NF
zEz{N5+6*k*?9VOz=@HXsJl-|(RN=H{%3F&De$1LFZw<P__H=vGTTdQc1Fvu`iHSlY
zJ*L`Uhgr8`=ND(Wyy%h9rrN8{WxGP9xc_Ig=?+|YWybp;IBe_6M8B3!=KE--scrKb
zaE0&La^0mOPMcI1K^u~aChUyDXvEGm{=RVntQC{GMa^XWpX=xA{!%xs{*Lla{5Jfc
z@ez>lo3S@39x;4ovB{fkNH1IlHn=wBd>a_6o3<JgDRE4~%y8;sURc<LUi@~`DU4hs
zwJj)nrl|=%^t~nxy5jLBFSZli{dg0L5tU80R?c<_T449V8;OO@nzpt!<?AaJ0IBl6
z>Pz>pJ!*m;`-1xL(wn~91iSD}DE(B^Q8;l@IUWS2058^t@TZ$-I5^b%Ow%?r`g9Ye
z-3V5(eX><-=QB+$=<cVRw!$Hz3i=yQHJvr(ol4;i=+{p*wW<%~7h1t}&~yZj6#<bQ
z+kkF)rs**H@Ka44==o=wI<OX0_iWQXZ08c#1O5&U7EpMIe4?ojYp<4L?i=a`bo&!c
z3DxvM6T0pe6M^kO)<@Kv(6#S0HKTXR=;QAJ+sZF*F&RJz|8fiHxyz~)Pg`0xqAPAS
z!B%GhN8h@`#A4g4m~HPd@#=-*f)VlWGVMdJexgZ>KGmbb(Xsb{bYJ%_Q)k5z^uCJ1
ztp_7)XrUdszthx?9jWxw!grv|JJ7!aL=9bXezkkKDzvZ-X`h5#hbp-)f3j&WDDLQ!
zO?$9|70B&RHg$rw{`!-^?mz`n|J^16YxoaL_41JqnpEv?Bbpnro0s%Nb3LYi{Vjj`
z>NUHn5yI%^|7kmgUPU(h3~l-*xYYvNfzdk^YV-ivoYrUWe)^sjO7W$(Q%iGH^9D?B
zfB4L8EASss&8N`Qbn|c3gz~ptOOG(kqgdrfa%2j$lWlh33zD{3=Diho&mU5wH*w9M
zRR_kCKV2H&n|EO9<Nxu2*`=(d*@WraZh77I71oyt&8L>WAvEKdTK-`hbmnMtzu}}>
zE~ifBHCl%($C}?#uTXs0vgLX7=&|N^wMZ)YRk}9$Rpz>d;|eW?$denb=)udI^KcU3
zuE%fu`^pQ-m%|ILJKo%esmH$D@q?vzoM_&JT_OKo%`yoDE=y4`Y*L&6ztZq;^YAlP
z*bOs~ygCWV%qS!|A0#OUBx9FDay1D_cn>7L&5#Tks=sOj<O=LHOZrpIQ5-B&Sx>VI
zn_T*gr+M&d?8YViz0IRIHi424Huqr(wEezj=jn%<Kd^Q3xxmsULZ{d++Z46hB*c2>
z3nZ_&#Ta@naC*~`b1|Ia%~ee2xfoXQrYgpKE{0LOp@KoCXPeu`WwwXTB_R~At&p@G
z)G4;s7DZ6pSVh2HH){|U#X=Ra{~QFbxW4+fo1blN-3o8pxECm3qrFl+_SIE_2cK=;
zxD5!}I-oeU1SC0ArTA@?#eZzvbq))<C=>h#+WA~_>lN^&rCq0Jt+IeX_E^FoV_SFV
z<kO_9FRp@HE?Yw@=_|C`&!Me?(XG!lZz#*Www{B(QU}>S*}CN%a8O$TZ$1Y+q>;fb
zn^xXD&2<va`U<dZ707lHjw*2DDv&96680*zbrlLf6>_Qy+^_<atA0oZ-rw4CP64Xm
zjm<0V2+C><Cewoz@|LC*9@A7OvA+s5odxQ(TAA~%I+-)N=ljjA&?5J@7}w<4QNeCD
zRNt#!9?DzPkm<wl{}ZkHbBfd^qdu{*aivJGosfSN$fT0tEe$K|<(F518+BFUGK?h)
zLxCsNf>)?FYFD_NtymS_qFLbr6{8GQ*7dbO@+`2f7D${0s#kz=A+$;;*?p}lU25&P
zs=}L<GBKQzt2UQhyZbg^a-}P<s%TfB2HhJJO^Tl>z=TB_|J~>@+^v66^MvNg`p4_L
z>pr6Xj_UiWBp9Dwt@v5P*K}Xj$p@tOHqILtI+srlx%rk|=wp_aChP=y(9#mnnl)`M
zIQYXOz-)xGS1`q%5&(T%M(?Ns+E2FBqZ@^my>Qa_qe6=ryBv|1w`@i!ON$P{T=om}
z<D)ITaO(KTv6h2y5DIc`M)_kve-OPBKuGLYZA5qSEsf|W$68<_LWav*cEedH;PRMu
zzosn(`;X1&%<+~z=*aPw%ivH{CCuUGM`5vIqQOOY%kdTmEF8Xfyyd8TI!X?BSVq>N
zBaE>gIZm|fha*P|d(lT9ZQ?PmO7yo!o51l{x3C9UABA-eyOMPidi1zahuY7;O6cE@
zw;0t2rWZQUXTJ|~BU2?(pJ_6yZy*<Tqoa?(<VjVXJadmVP02I2N|IMqj8?J0u?va?
z7WGmsBM?VWS=!w5-*p;v58YxyDXOI%{g!IE61ckQmOiW-c^IhWgLI2S3umsXPQyW}
zWg9xkv~)m}0ia_VO4AmGg*)<6E!)v|8ED9^YCiamBZ_Td3~=~L5R|VSEc_!YJoM+s
zn*y-#IqyQ_2-aCyAS^Etbx89>)82E}mgvCaO@~nO@unT<&NEGFSnqt`Ow&&6a3$;0
zXPOQ!sh@BD{1Fuh;?l!-%k4YlZzy`C<=tRHS19)4UGi-A7MSf?UZXEhQ<-AIMhuP)
z*@||7^Ue8#-PWMT(l;gL+_oNHnzu|%g-7`CM81zGSiP~y!TzbaX^32oPY%0>BHmPD
zd~|v=SsKnero_QvuWQ^B>zj*bM!e1><)(;2mv`Ko%}iuNAtxMkDNg1`hf|@s#ALuV
z9GxtWky9a;Ys5<qmLk0n-Ztj;_D_Vy{UISfGc)W8P4P@Wm6hn6-{$HOx_py;1!1sv
zbjlnb9LmMJQ;AUs*RavKal1r@`YiqZ5l3$+PW#*(H98?p4cOVaOfQ=(4*R={Q}82d
zrIL&7B?jPX(b3RUW-`dJ(}Pw!#m|J@`5Dfhof~B)`-xaMp5tfdIEaE82|(;<E^L`}
zJCh@}$=P0~B@pn$BKb^$nVW+XKX#kdCi00wDLLvE`}!lf*@Bxv@7}m+9J$>sJB$OR
zK)0RsOjrregq=q7@7}nh?BI$vx4%SZ_~|rFjt+RJQOY$#vlEuMb=X@N85<pR5rcgt
zDi&~0b){!K3F~ZcZ?7=b73dx>2#N7-do0ltwue2*ZhO(6lkBNfEb2`=nVE5`8?Kll
zdct&nc5=9z$mV9liLn7Do17@+_@LPn2-?biYmd3lJ2^8*#r@t$F2EE#nI5+*?j^$m
zv+iW5<V#NuO%-R0Fj8)le-H2$`DZ|Hf?xQ=-gE$xH|~Sv4e~nb^&ODBZZ{<JJ0ZD#
z2PEaoAh~WkB-hHn8#=cYlG!bg6y-(NRGVT<fn_(s*H|kg(H2M|&5(#qkc>hg0`@8#
zlB-}vh+PTB6)XflAczI!UnC4bV3>S%R)G!6KkPNAfy4`IOw1!M{@kD!umKe${jjjZ
z`oK-y^6(>9IS5Zb7vQZfSD2xLBm5z(UV*V@o$~AjXlpJlvQj>uAMPjZby)^n-2ty`
z+|k#aR^Vyl&yA#hu<?$D-!@oujOG^_qW+C_r@==1wmS9v;DUhOaH7Qru~HSy`9CLG
zM9`w6CtJE9OllcqLXV$pF*nY$3%sW7ij&IuE6}YcK*=WwP|D7#+Jl@X^f{uX3smUK
zM9WDCm#W050USqhvgJphME`%*br^}p*cJh^F1?p+`2YsHRR`Z<!%kI|ElewLTnD|x
zw{Y0W>ZIj<C)iT1w6yHgzS6wsJKetFnH_u1?HXl^%B(xL3r?TfaO<{zX{vu|stakV
zAl>bniVjaDdHZOL9~<+;-6=QeXG^6*qA0k66J~$0k1a~EqIn=EcoQDV-o;PEhlY|v
zly%5u_x8_5?D5!GuS3YiW-=plj9-{?ho*~TL2H7a43pNmkwMC5w)(n-F4xeQJ5O-q
zMBE*jnVL?{cJ=h<-F@RZk{LF~a&T&<GzZs(6Vu&%IFOsBt=^eI_nad*X%EInS+|=R
zT>8!EhWGw!`u*RXe$yMyKmCpj#&f;dA$l}hC{4v2@!3McnaIrbPUre&?b*SpE?b|N
z=;w!=6HG3|_VrtPA`?+!GSn09vig0NQeRdaE|3Abdo(#pPEGWCUGCgyd}wMWLr)Bs
zQsSr+cqUv<U$2)4F<pGfVj0g*d+qsNrZ8n0D<`vaiNsK!HR*=inlgkVKxC+p6zC;|
zJ~BC%h>c|v?A*B9nsJf6Y-A#0ag7!nUHJ?><8<_AY*Xpp9BG~ox>6C(%usM(Vu())
zgrAPNrMZ4bdUlYqPUWLSXn2H*MrSgaqT4072YSefQI_vDd(*)|Iu~arowKDuKHy4}
zx_HK#rBf5Wk+>&1lp~8#n{8TfF>Xgm=pGI6`E)ofxU#vKiJoC0nj55CJ$(tk$2R2~
zp0K3p!c5rdrt`Vsr57_B-uJID{l7b=uX}|touG!r$ZT}5AFk*mXVU>|fOF+&I^z!!
zr7?frKQltj!~>!y;S5XGp%|6o#^;J9dmv&SlnPl(caWLs;i#Dj%WT~1qa1U#xR8dk
zR6Vh<&*>XuOW7P3cKKc5u1Lu49SHQKB1s+&g{56^EqZBqxGX05Ea8V=_a<|5T>>{6
zE%m{oy}Kt-9AbLy))~n>m6@{y90Z%?=FEf9@KBl`6@(sgvd20R>>&tta14&;4Frem
zGjmaTCO}E?U@6~k_4tL6QfaP#sE{9+;Db|{kV6=ya%5M`JV6fxMkac~Da$}8IU8k|
zeAG8Ko#}!*N-bl7E(a%!<c255<Dq<?l(D7K1LMh=Bsb!Sq$kE^`-q{wanB5A361oW
z61hUpcuJg}fFC5tPyugmt|SQ=A7>kbTiX7msQ<V3NpF6ILG83phdn~c9%Tbvp3u01
zb`phLsXIBqr`(Q|uY0Ih;%4n7$y`dYDf?{9Z=Gcw7LVEK>G91tCVGStDFkw^-co;z
z8;MT&#JDUZaSNTCOeczP|81(!=XLp$&d@lhdSF*5WJ{h<b}k%D1>w*$9de|EBsp40
z*^1#D=S<S0UDoM{CosYJAwVRV72_j?l+W!SPW4lKex}bOgkVoR=oe-kez#?6gzk~z
zvr>1q5FH;9huG=qQ7$*r>*xVJ-Rq0khXs1vHA-9a!(GMLtUEF2wdEPMFWEa8Pf)I8
zD3O@ta*0{k``N<rqUe$=S!ygyndkg02~P6S$<g6r$d#W+N#1mXm>l!E*>naDEM;B(
zczBNIrDFG}wJT!pi@S?LXlBYcWOcE_zS7cfZvNMx{@)(dcbq$@nd;_0pR*0j4UPVP
z?7exo+ti&mex2MTH_1&>AlD8{AdnCeh=L?*Ed=l?*^(F8vMrm%X!XADrf>tD(oR>(
z9jX?lKubH_*r&rSP}VNPRv>MGvJ|G2?zGUB?o;@E9Z334=izDIKk|G3N#My7A0HhZ
zOGi5Ae7~Qi6=~*b$gm!i3RS+`#LXcnvnPE$G8wFkeXH-WQiFh4L_<t3)CE#?Pt2y{
zW)$JV&9LmR7jmJoKTG7zajlR>^SB~rIlL(5*iJOd=VF%N6AMFF_ll~{g+(t~K?_B8
zoDGQcVkq0vN?jJss!fY8b&XgVJaWd3as`|vN_1;n6$5!5mB}Vg$e=6`r1hdq@hxN&
zjU!U9WJu#kz!M5fNuFruo5MWeX^=UwNWs*R6~uNcomN_IteOzUm3}T><td*OkSjwv
zPekK6G9yV14>ryRvQe=Y>x)t<YQ^v_o$igRZYs_8)f&lWG5<i%@ia~b$V?scm-9J^
z3de@2Y`xV{3t}&5WGu27$c%(=612Pf`Pkws*Bn}X{J$F09?plGcmQjrbhI2Aj&pra
zLa5V?VyDtBHX9W^hLn=!I4yVJ)|V7^pe2eKi}Go~9Bp>;eP2hY%37?Jl&!X2DUHXm
zykEv(dj$*JP%tP-1+nZ?V`;wHFxjG768u1jC*4&O?_kM(VZM|FE@G+J3g)f8j}X*K
z+8-%|cp!RvkXX4Y6QGV>sSl&Ec3cT6!q|^R6-Ls#;b__8%SS;F0ZFUzo*6IJI62ls
zJ%%Trq)89m^EP{att!(^p#(-4)d;Udq*yeF8?c#+i`nFGEMT}&k^|oQfKM`sZZhUA
zWJi%f66xh~VRT%T{KH;YvS=lm<-+BHLX-;qgpQk7K&yL3g_b)s@~WIgm9sLM^eO7F
zV<o6`q(CSI&*G~$9ePp!zZ%p@am1;Owxqf{1|cNapf{0d6hrBnAE>+v*<@1$pY^$0
zakCU5a)EI{tM-{bs90#B2%GAmOxdcl%mCuhv3|ZsgR)f?3BV%M6!8?2Yq(7*M~g_U
z6pgX9vfTAG>Z6o9i*>+`f(fhUe4mv{zFrB@eGMT;n&Uw{R2|2QK}=vpqY}?^O3Lyz
zf<>W5wkeC}6P#C121LY%2}mtB=BmS-k476!%!HYw5=_^FoGG!ndXTR4JQcE)Z}Q^^
z)(LhA9}z+ZN<FD-?tG{g3F}y-CMxy5j3+CeIIB?Yx`|uBcEkw}!NUuFJfyH16AmDP
z+UoR!A&~MQaH=$Hsf`LtX<eET(t4^DiKN5s1SK`wg+^c?rvjY<%N6Wb?^(a`u;S{i
ztBzW^e8mr!U$Cq&ee#lr>|^g;|Jor0#6Lhl%>JJU2>aeMooCs9eQf>8W4<=E_7iJ%
zuKww&cdxv6=IRyHvInN;mmcBx?bO$%Y5-9Z?84*ge>(e6`jWrlOZGgz{w({dJ?o!X
z{jP^H`#=@8<J;@cTD<ey>o+;3f91bZTYTX=>jRFN`*$0AtJv6g*9R6`Ppm)QF@5>d
z!%d4Hdvd+un9j$}{q^GOPpv=JF@5~E&5tc^dV2j@(15-8mC^ooAAK6mHhyOPL(~7_
zzw{ZKe|G&<Ykcq6i)%S?f)|;#UwwA{mDAn#{^D8tvgg)cwHByO`#>)jBhxnf{q=WG
zmml~F2881ER~=!j-TUp4Z^BmI!jg!Gd+e8=U*Da{1a~|;IkO#m9=dze3+rDz6qh)-
zafx5O&1$z-YI_4-e}d`tV`Q2J=dTWkGStaziYS3>lU~84wv>}X?rstp=W2XNY^9AN
zg*Jy)BHqbod}*)LXjO8BGSwJ^-w>V7<Cx|xhn2F{sQB1XscfjEJnDH=F708O)nbq&
zLiGXgne(VWINwskITNB-nR2REOJeCd(qxJP(j>Zpg1_WJlLYV6MWdxL2~R*xL#sZ2
zA8T4vp&}5CRIC~vbb}~8s6}$!*tlj=SwF||$e=Cx{D?3RHP)M=Mv*pIt&^xA7AmQ6
zp_52g5{bG#7&D5YQ00POLb5$8fm>0`Y_tM?qzU;?nyU_41<j+DM`=HTRnr<d^!V$;
zk|*WqMQVaD%6da)x=E955anqW@luV9hAUmmS7DQ|GI-_C%HUwH4Bl=~m&ZkxjwXmg
zGE|FqMm;kvwPKc6(A=f5VDw5_zljv(S~IRx%Jo7gU1fY|Opnx?yswSnLM>WW#(|&|
z%-4NmG8i;lmJlZEZJ&k>1WFq>+vzls9CpcE-76TwjyrA@13?Hs1f*<mpvUF~R`JK$
zS`S3pOaufrYY8UGl5|M#bo4eQXRA@VfcrYlm^P3HlJ4thp`xU)`MOY2(*0DDrJ6b~
zWOPz!`$3+-6J<rRUWvvzf7dM)^=8Qzig#lWWeKO)uBWC_y<{MZMCnG0XYzh3(?LiN
z9}aSz7U!2OpQUw1K@k)O=zN>Qd|6SlxUsubv_Q+Ws<kOa3+8pPQxA~AL`6x)0~I4K
zmxUIWF-NIjk!6H<wA-op7hief&=&4skLkAyOJt;MqUWW=ItUIK&2TLx2wK%cctt7K
z=@&gnS^}-ul;-IMyC@e<2a8@biY5HaP}jL+Rx(RS)}O*cA;hd@aK9J@{kjrJWmF2W
zaZ~mZj2WT|X+f0|2_dgyi8v8Q5Hc>O=&GPgT6exBdTOnBu1ZTIgrlmdS|*ahDsHgN
zt#ML%5F?7gR3p<?uqck3o{CwJkis}771CUctkg)gp?X7kw95L0kze8S^=g2si<mnE
zF=8&}ZC2vlaH`u3%HCwBLUoFrmLm6<41~?n-H68+D~W2h=5CKFw4P)jPBDt7Qhg&|
zta(Oen-_Uai|1+?UQ&~M&`co7=#Zs`4I^sRy*{fDPPHY|N~+;7B8pNo&j*J&#fxEH
z9$wVz<_=~04l>Z@*tx&U^t}~pYj)`&mrSQU7S`vPX4c)eD4G(faClsb0@x`5f+3w4
z+7J;=R?-&7WaLO5WLJ_zDAhtc;Xry6jPM*8_hvg9R}CY&hmV_<$?3jUuhkwT<5-~G
z;0!%e%=sCgB=bRDP@~y=$v*=1_W6FJ6ZJ`!rxxzC;&K#g)HSnH?Hbuyw&AUhW6Zd1
z4%MJ&CdF_?r^n<709N4IsTox()bb4r!*)s<N83b1s7AblJ|W}r+K3^W{<c~hWy<+>
zInL%9)qbNDG(x>vBE^(*2+^fwK9Kef6`5DFp}xs#ML}#Nvl%kOMcaXN1Lmo6w_0Gu
zic$!JC}n3Pc!fCVId{WS2W-nkEvLpB(UMw2I-!)`pRP*jG2<2ZP$SYIYmgN=?$Dq<
z*l+5cZ!@TC`HWX>FnlAZW{VLERMlea$kQzJ#=IZG|K1@gR|kW1C&sXmZlYxws%JEo
zf`b%K8yr>Yusyf06SLYaPGlPc#)xAG>8C@P7|~2wk&HHESTz`Kwy0)j+-r{`ygrQM
z?V>dtRg`>WJRhyeOi}EoIgmcGn3!Cwcm-_G4lo=I+LW9ppi~Amw%=jpQO<<s4PL@4
z-JB#uOpPZKhEb37dqu>M%*23d#|oqp?)9)59WpDH8y$p0yvenS8KoEwMmil)t|7fq
zxF?s{fxA_-NF^Jfhv7IABjg0QtMgopldTTgABze%U_>_5G5J0TV8y<Q$wt^~;=@48
zPe=5WkZ<+s0URlZ;*pdpr=$crR+?hQ7dMBQ^uT`g)H&xd$4{+&|C;_Rv+Ajpcg%cf
z#pY%IF<o7{e2LF-{M5s+k^X|c2c3InT6otT=HgA*+*-#pITicU;(hqs5sulLHj^v&
zZ+MS)&z)s&BIf=&eWS3E2DZiARckB9@7=W?|0V;%eu$jA2heMm4>w$Ie~6m9YJFkT
z-tXTeW4y_baM(KuXy{$^To1r+yU%*>>w7o0FHmy<`wV98zh>X}+@pK;pY)zLfHP8N
z=aPpXb?n}~_2g7jZ*eX5aIimq$2;e?!#OYgg#Y7<yWTl>u4B4iN|hI{K5g!uj%hE}
zzkTt!)93Pz=_8xpy<+jqGv+osW?%i*nf?7|xaN$xvleeWbI$LWIqvDNw0GEK)kbAk
zbb-GGopD{4ppSPwy?bHzEy@-Qgk^LR+ya1h3kpwQwvDI;$WcvH#Bq?Jfn2eB;lJUi
zQ@);Ay(@S`&#s;g?ObvzI&<p3y-a&=yYR>MU$)Fe7iRt)opHbas8jiq?)KQ9GN9zc
zP_pY?e>^)qclNCdXFeTWSpQ{o=ID5T<JMj6ZT9(Fp~{s|G6_JeJSOI|FPe5n7dHI|
zI&=E#**8*#>*EWjJrg}=$I&xWDeyI!nF71*i669u=%5RQOk|=a<^UiVW}@I73o6Wn
ziS9URUu_F#R4}fm5ikM)k9yMr7XeKJ4^mV$QBYMd!J>Cz$!+M&%6r^jT=Q98wjWtG
z2dCSxuK}>%WIzZERJ2SG$RZ33LsW1v2SpwN*K`o+r`*I2*S^{yR|Y<{Abkabv7pHg
zsXtKkqCr{Aty?M>io2ob3opUxj=1Cl>7(Q4d}-mB#fxT6@}2ex>JPU+xgb0nU3hhI
z)jVkZ5E@)_@ErxKUXW`ApJ)b@-bo9iRSPBDhK24pV*g25LSuB4LM$385^f8`!Aypo
zIM#z#s7}(9o858vzS>|2>?RBpDw-5X3{5;!7|XB_w?=`{GX@6tgacg|e+5R!OUE2_
zeEUOpFWmTS^zz%$nUjC=myM?%cKQ7a%<UJ=%-#2^__4j8oW5{3d{}Njv~}e>fAXk}
z+3TYVm*0WzWiGM*UHa|9>(9Z}oZWYFXj}zX3JL)^3g`hoQHO^s2=2|S4tn*(M9O)`
z>V35t&~-B`5=ThN0M8Yj1)FCb<iFtBlQ_+)AYn`|bnirGHr)E3wG$S8_{PHZcV0BJ
z^~7V(Aqyw(Uby-D(S_Y#MQ0p8fBCW{Hwow!?}w4K{4R86!h$+Bdd4^G<Fhb`KX})w
zgh|t&xCDmRAYKM{YjROk3j@p7iQNK7ziAYy?pU_3U!YRwhJgcDPp3d*O(o$jn{dCu
zks4&^Xd1j5h=rfRiIy5yyfl69ve|`AcV9HKYt8vbr$(Djw9ma~Lv-P_yV035Zm+G+
zJZ@gHu;ZSKW+uTxc1XO(zHg;7`my-ja!~bI5uXb>n(!(+VfJDNzj7+Ibm`2@#oO&`
zp4+fxx$lU=xj*^6ebyi6qV{X?Ido>(_YVK$%+B3C`>^*oqxM*Wq7#35{m03}KX96T
z?Cl$(A4^P1lot^qboyuQHzt)XofKhLVBZXshcDW9C+04iIpyVF&h5JBNAI?Oc_~!5
zJP8$6y-OLdy>V_}Ka_+DM}KkigIn)-{l|7(hEJz$={%Hp<kLsl#jkFNp1lJc*WY|h
zNgYJ!z;zfrJaBjtK>QA#8_);>Z(VSrw{*CV%#Jhm)dnkda0&oBbPIsrP#c9it*W3X
zWPl(RSed}<$DU8kVKYaqIr_0J!+YPiaM_;d&K;-kJ6>a8z=NC|Vqq9OFpLIIsfH7X
zfr0Z04YV_wHf$mdzvb9}SxcY%7<Z&yO+)YL<&F<VW{Q_B?D}@pJ}Wb~Y70T5U>F3C
zhozffy#e<fTGCng2!=tR$p;#BZo8g=mRR=cXX6_OZ`hCg$K(!7id+lj_a5)KVza$N
zfyT)d+<oC)Mt9+i??gYAg|D6ODp!vi|3$a4ML6QpNzr6R3cIh{Zr`1SBX+)c!)niU
z_pGzO3Kw(d4t(FwGcjP+0&54ngkWS6lV<?TTnL0>bse9uc__`W@6ADbM}KGf16yBX
zKVqMocR>s2z7}X4qb$}02|pFQz~NB>-NcEzv8v*rsAr-moWbs%4J{l_Uv}e>yZ?Hx
zeG3dz`_Gf2Gu9mzNdMraKQEm1MAY7W4qPR-Nogo}azi)3c7jkT&|1`VxW(X-WLa)d
z2z0CVjpx9zOMLHVm!5L=F$=f65VeVOq2wK>zOvK#g-g~f{1RHbV^TuU&)*U{ditXa
zo+sfhoChV_?)~%@cFj!>+t>iE)Hf$ZlSyv#Cx2hIUq5e7*<!F1{I7!o;^bK+NS1;Z
zE$BRw;2Z;fPxR!EJ<h{%Tl-(Vfqc6D0sEET&qZ%Lf9|7)!pjFYyj*{qwJ;cCtNBzo
z!j(qVDp92{OOnGnl_(mF*vXEQk|$yrnp#C7egV7?6nY5y@-lG0wSljc>4w8eL>{PB
zce63lka}$}h;&Bz^q`>hYE0iuR;h}StLcb>Kr$}d&yK=%!sy~!eH5uT0;SA+Moy~9
z4x){donV+vv%O$}@cG>X#xFL!ZZT(QAmSeAmqH4sWy9K_AXu?%(r8w4km7E_d=+JD
zV+b(I^$Hm^h5^zaMDrw?N(bB?ooF_OO|cCr$0V1GGdM2kdXK<@mRhT}aV&}s6t6qm
zYokU?5sVNB2y<d#z*O~eFz&O2dMKu*<U}#gdq}`QX=n}iGF(^hm$_g#k4Y(SLLPV<
zLt`xa0f=NUy~uFDwurt;L)4;iXoGjKH+UEQ{h%h_L<n`qZ7wOM8{xsQ->PLi#V`oa
z*MqH*zn82P5(9{krGggMF!^8(X+`z4>GoEoYSK^FTJ12F&d|o7q!nwHx37qO0`+o@
z`WP(i@)-tAG}?GGY(l0)XqKfw4$o%#B_5&jpbYNm`f756p4Ut*;jMJVbcN~Vq@Gf1
zg2LK}$(5T-Cs1*F`fe&jctlUMX~o1OhGGyBQ^J9gSE!akbvcOx`o7Uh$dT~SP%W)d
z&z14UsG8Lazz(C!;QyePDJfCpBBn`;qC49TjS4AFGt2F9zE@Ey=@yP^`LMfPiDOtr
z5Yzc)hp^a8GR$Lgw`Y|AU=-<i+D3-0mLoYiAIFPmTL6$A9SKN^I`XBe<5(F0-qoHK
zND1S3G!%$Vu$+em^}!z0AAXxb-OP6f;)rFqLf^+Ff|+3@((YEu={`4(G^vpriB;Hq
zGFaqVBR1<3Yg*VElEZqtlWF2q+M65oq-cNG41(-&sqc3KT0PRP;F+cx=?ZN_<mE~<
zl_%3C$LM{L5(agw!uLi#H=!rT5nP<Fw^Pk7Kg6Ym5^E00Zhlzqd5x?$q7_sRB^AX0
z#n%dDJc+8&aUw)%VtEuQ8ZuS|YYw**&j6TH%7hvMB>LP^UMqwHJzv-2bIPC)6lJ-L
z^$KjZ*VjWz6AebX(QG=IV9jhj6;*~-TdCH)W4h{5@XSc-WUxUfstXz4xERV58%n+r
zmI4@F=SH1Tu3NECZ_L|eq>j`mr8>PxBh*O5YQv&t))|^(G)^heIx2O-_~cFfkwb&}
zU=QlIdsF+1g=jxaClIYzLR!I$Z`AX-!Mi}yFf7%L)bd=12>1P{Oy??zKsiXInQE)p
zf>)&uwjDAKCI)^FZZ*1bDOB{9dVP<``^dOB)V-xx1dZ@b&yZEgGzrOI*)PeyD5oM>
zpPWg6&z#<wZ%NG(HHsB7*+#xeqhi5JTN;lFvF<=s)OaXHrj!O)z@RxD2|_m83<?@A
z%Q7FYHA~TylpAT~Gz87KA?s~0@o>f0V~HvzDw@vcLL$S9e!N`7VhOjE@(sl5xZjJ7
zggjr$CX$*=Dv?oDW3UicA9j5LQNd$vmd_WegRtyrCUG&Li|zqe=B!lGlgE5{znJ0E
zvf7aVc3sH;G{2G}Ww%*s46R<DOxD=+n5^m|DcP@HGv_=iJGJ&>YqqU^Vb!}<=4bHb
z-&l6e^oAujf$UBecCW0hUpsfj^lKN<H!uG8wR0d<^4N)~ciYE(dhV(ttW)=f(N3C#
z**3lv{QB^@AT+Y}y16by(LQ<E=DYSr(ORE|DB5G!&HZ7zbshEj#fLsKXF6sJTc6*#
zKis9B=R9lif`6L>yvtpmJN3@RYd<%)-7$UV<{$mR{?_N=R7ais_hB}N{puGWV0Y&i
z=C;GBKIMF9+ul<h_XRi=_Qkox+Vi*nEy%ZVnf=i(&V3mIa+h3k=dTw-Uz!UzX7@;|
z-?zU5_rw6=^UU>g$+eY}{zvfev>WyY4?pgz-eA9e19YXZ^>6K-^472ZQ~*MLzr69y
z*x^4d*}AtY@f+s=6m!$uAyCXgPD}l-T<cp4yokS{#)p-7ToVFBZ!oNP3tqmK?yv)-
z6ceK1dMak6n5M${T13U7dgWxNm?S%ZMoEtt6v+1BKq!&p{X;#82vsJ|m1r)E4%-3P
z*pyR!caCOd6suxfxGiC6pmUkSK_JQW)Uleao89?Dr<hLVgLs@Oq};^;Qt-!wViXzZ
za;4$T$MaR6N{VtdmG9|V)9dRK34s2wb-kHyrKG492?fdqj)&b^&L?%Utw<~wNhf<z
zGEhJvA#9aJD-}rtQ;jYSQ!!62ZdiE<fatMK*g)I?pTdUAMbyl+R2C;wL*D0UL`3k0
z3#64yUdm+Dc5YmbnSlyNLVUDVYL-LkVXO*}*j|O?2mMTBlu$$UfM6nYE<hD2IhdB~
zW(elOdk)Qo2YW93U!a(`26ccCGX97!%y9({qjRBQuqO24Qn6h~M6+JQ$Ay>_7q&=}
z0}C*jL13=x6xwk;9Zb^AY%&@mXkP9LDBw~sDHGR=3YrlDd0#%La|ms;qLoZeiqdAI
zImFCCRmRu`U<ky#jQ7i?R+`t%_}E(okF=;;s>c0fxeI7jHq^HS1x@wY$gn&hQ&l`Y
z=I~YtEezWIM!lY98oqioHkS2KF3-eB0_4WAN`k6Y@MxvisH6~%9vABQfidpmDbRoD
z49R+=z^6iLILVj0zPv}Ol{H9vW#X_gis@{%KP*RL;b7P&^NiP*D4})KhpUOKk`Cm!
zJXYlNgfhw@o=~e*D<s*j8_=^xO44KiCiF9gR3U1^6jB6R3?t)4s*A5YHg||sd5~Y!
z&%e#4r5K6%qUlClsz~Ef8%?wELPAf+*hbEb(iKR`)Of66mclwAdHO;I>E=}nVEhCr
zmk6X)5;ZrlRnQh2L&ivx^oex4+pEVLd7s|#(;Ct<dj+J@Yqt`)ae((wzE0Jzij@#n
zK_XgwOwMay)`(L|moXz2+4HA;kRKhk^Tk|3!JB2im>LDxU?}WQb1m?_^hd-9RWc2<
z##{YRhHQ~Fne7hBwX&7UjN>INDZ3kFAPpIPX4E6caxq#{(Ly-fZWWXco*b(ocd=fp
zrLrE1?$KdcX^#2;n+y~NQN4!M6G0y1z0m?0Ef$2rXp}bc8V-xOVg_l*Qm56dh@Lvq
z4UsKTX+TP5)Qm`i7o0IeZHDVd!Ufcf<g#kf3p?=_=6*Hps4u?o(%h{p4rx0aRBea1
zTZLGBmPp5B;4apq3D)g(x7*ETq?I3PWl3#>grw!>8wn!=n-Q|WCW@Vo7s-wiBi)x*
z`euwmik`6E3=l20uCbX$lH)RJnvR4*9L^6$seGk24p|<oG6qVc==BELMUN3q=z+qp
zIqsGC`8b*!CH$f%pYt~9ZrAO_!kC=o;_({l>H7-fRKMQD<H2DA0KwG}?A@z?7whvZ
zTdPsl#L5*_i&)qTzNLi6D-%XN6>(?ExoUh!XUDz<YvJKq)Q4JZqnskkQYgX4Q<-vy
z723X_uN6>e;0nhF64B?BT*sY8nYv2UvZ-P|L^YB~aVY0A<%Euox?yFIvkLiPQS|u?
z+(0^m3TqBVVzC^ijR+_d594Y!PfH1P#BvM_?pNkE9>2!%v*wPa`<L;j!ZLm_cbM}m
z$1=xHdwZT(yykGH=~(Ibuirg#;@(C1uMc+y78C28UdQy8f=|sXetgdPUdQUo&#zwd
zRvUKnBd~+1xSW5QJ)f8UvcKg$F4!R4yutaiY3cUGa~3~&q;ueyiF8Yw_cr^=k<hGq
zv~#s%debGV#Kq<@&Jq0cjNkug@s}H&UFgA4)=T`}s%IYS4A?gv=gc^+wO4F%GONF`
z1b1BT*gAFXR2w#2+w9IJ=Xo>ui;ujA+x1U(*w6eGvM47V?}RK$edm>%uk@T@-?9#}
zdpAsqR{dh;_I06I%5Kd-k^2NF+V1>Ko4xeXYwWwuaYa{Lywrfy<FtM63C`^^Cz+>T
zN}nX(X}@}c6LPI;$0qOm)OYL}BrWZ)Z=N*w#6N#v-O0bb-@XMhP<D6=6s_iNJ$v0l
z-<-FJBcSN<EzVV2Fb&r%7Nrr&azp;cGQrFX2mAp`8yHSms%n4|?CX<*k@K0`&b;(L
z9=7jV<&3^_$9elQS|lW8H8-w<br<B53AYLcQjG2fTPO@HrQDdRv(&{)&z<xfbn-6V
zzOd=OEi;a#w?6KuEWB#}{6y&esXT&uvF|-+fAmjqeeT{0{lfK$3A;`}A_=mI1Z2b!
zO$X!v3PxEV-m9tLX=T5>75cT}(a*iK>Q~2}X`g-_{PgxoQ1p%)H~q?$+j*3I6{MQ%
zKTe8ftMB>9Va6SQvC(aC!lerrJhIGjL)`w<XW*FW?NH&g<7;mu9<Uy^4?7pG&HJ}Q
zA7C1B8<dGc>U3gC2Ih}|!vKpe6>tw2d}C3%YJX*N@Cny{@HF%TC*N+rx*b~ILH&Dc
z*N=CW?Uj=&|Min66+V=C3C&+HYybDjP+`^2Z~o*u{<3H7%5FIQ<EKD{sXym-I?lW3
zEIaxdbUD2PidO7icJr#;D}HY`a?s3klOpoQ-)$7OZT_A8_{DIbhCtDVAD2rfJhyYf
z-n|rxemW__Hyrhu;PH3=$lkOQPPX>LS6;JTJp(NF&Vy!N+X)q>15tL_pRc{m-f`-r
zyT3W_sWV>w#SZ)R-#}sxbuK^asGFzOeqqh()uoj$&;0X>>hd$EA6c4OvVQ93sT>UI
zcP^gObROfFzTkl?&Bb@MoVy&;<FEhZip9Iy&W>aHrlWrI(M6)`Y&fPrCx&lW{9Mnu
z-7)jAtGC~?_ksCS4<49}1Lxz@@5era+P@w+uUdP)=Wm;E*xX+^bbc9htS-HJo3a0a
zy><w%f-6T(%rR{~+(j238#}LdO#6=g$?q0h?{Z%0n0Ee@_@~8n7daE~biS5*?%KU4
zQ!ko4o%2rF(XeMvah|d0-R(>reQ4@DcvEM^&V15&%>NK@3k}}P(5Rwkti<AZF`DCo
z*?wB^O0iH57^&?XhO|vGmmBx_LPPDCV+#@y-sYg`DFr&2a=TNL3Z-aPlZWFn=?V6t
znX%F@VQq?#3s~BV)4&u3<HB4Ci&YC0N%^9Uwn7VooV)A;5H{Nisg2S+q9u@S(c7+L
zC9T;r!?|`pSTFJcC0z3s(0IkCw_Bq~8m;vir0@69oDUJ3!)|M!dqf@0j|r>g501J`
zcaJLgaw&E|56i>8JisKs1xwXjKHe9zMm9a<d`--wXcV3(7Ylir!LSbRZz?re8hd$(
z3VFkQ6^RrpZKd29S!8>tb!wVYO?Aa^nvAG*mJ)l0*+4>ha~KWPM`WcnFnyFMC~}3T
z6kPIIi2}R}Nj1gy^n(4-<6I4p#=q*eYn_L3>IZq#^Y=OReS<rkig&SQW{euaO0&Sn
z8*)HYd|G<Y%(Q{U(rTneR*L4tZWJ*neOv>LjBqA0#KFdal?jtg!QJP3d?@SddLf0P
z^akZ>Fc>V<V+2Vzye!0cq|li2Ank#dDtDM_qeNvC4;q0`m#<6DrwUaJj3C5RT%-!X
z>DIjwy<hQ|Ss_z~V3WUR1T7#{8y+*7#WQZX*~<ly0-EIqm9VJ}ePc!(rImURbPNi#
z>2s$TI@0%5!r^8h*N=uE4HVIWg=!5@q63nrTSBf!pjj<mc9SW~!W1*uCu*^5c{mp3
zdTzvd^tjGgT%m!)!%egUv~sQM_x8p>F3*Ju0|Ep+1O)-E*9ftSKC=&T^Ew_W8}V3I
z%(OF#1X<B;k%M*NP0mA1fP*}!|33Y=Z&3F<CLOEd?QX5!Wm^6rZl=9{vZ>W`V~}hk
z@_8|CVwpt6;%Fw$SiNjBz~p?9o<&%(fiIc#)zf^eUBKKx!bVcwSfmykFbz`dhex5X
zE_8IOkH)elou}(caKxlBRE>0mM8nHzeUvTEyCo)*@l-?N$P!4>7wpk>2(^YfNW$!E
zU73qAx>c)rlZk3TiE7?{1J9YFmqb;5#K%fGnG*F*y26cAzL0BRX$c$2lmvW%UMrC_
z6l_3}(OfT*ZS-**q)P+D5NWv+QoLgIw6+p)D}`WJ6C_16lDQJmZREOP#8=UV?OrYv
zCITHnD_C`(m61q2V}&rGmKY2EEX*nquNv@5S)Y(cVojmq&gM<<eAaS9ves`|10Zul
zrskNRPObgn+9PIfTpd{DnECjM-g58sgG)unYg0d+x*S$n&Bc%1>pa3Seazt78y9c5
z&$$f5<ex~qfB%Z;I1j9dUccXoI@UPWJ@S=>{a>7?z!w*M-HAA+U!q=&EMET&=c$hA
zTjaS17GL<L^Ej|;{LxSL=4x#0KVf+!Jm5^MwIX|0U~eUV>@PjwyaUoJAN=$4y~Wal
zu>YFYfB5p!#Ty=i?bpod7u|H>-qqC`55YDm|A=z~tiCp$_T$A1zU4gHF+JI1*jGO4
z6puKH|KDkzSA4MXVjpvEhXvl}PuwKz@Acj<ZhXv{o)1lZcWT{}>uvz&v$NM>>sG9N
ze(jgnzJL0rwdz`C?YcETTJzO43u{Vi&RVl!_LbRh&VF*XJ1fi{zxt1>A6@;K)fcRm
zR&QJN`l|1)`qK2-t1elUoqo@%Q&%lp`RvMDr@p)LpI4s0l3KZD=7%%4&s;WBm^ou+
zZpF(hzP94Z6|EKAijB)(TmI1U?bj~vFOMwWyzEcQ9$)skWfv}!mz}a~$@J6k->RiQ
zSo)QvA6aTG-L-W6lAqhxKknRN-~57eD=57#J@-HW${V&VO*s}`y={xVb&qqWec>Kw
za@#+K0i%cSJ#6=#TNXa@=ra3{dz>fR*Zt6$+^hnaP*V{~1!rGCTTk4T0h>sgmS(^v
z3B@$5V!sL%w@;2g5ac0hANNCN!rt{A=gut$fDoQtxa?8HUigl4b7DJe5D3bkDIE+a
z0U!+EbqZj-&><2wP2{AbfXLQ~srx52aRZQn7JyRS6Q5~7L8@RSOu$D#Py_PRtrH|=
zXTR$_+g|>JGcj-JC?Jvn8VyK8gaB|a)TT_t(80BtRKa(cz%HEp!~@xio;Nu^X{i)$
z0g&530r^Y-QW317DGj=VvnHm3t)Zb$*?XG=gyzD`BPX7CAUN7H!85~o^2vM8K<T)K
zyHSK8Xn@_S;L@zYSpko3;s)WS7`LTQ-Dscir1Qxw;FxV`D1tK+5HkZPbrsB`5x_Rn
zKr{s$vm2j!pZ%LBohR?Tj|T#JUbe97A!OmPuWvu`Kwz}2{qj@JFKmYurKSU1T}J_h
z4#Nkqt>EkomeCm8R)D3V20it!liy}P{^1Q<>=(c1JS92#NT4*KnsE03^$)ilg8{(e
z8gLdg!mVK}P7tg)b<N~r9tc_$vDZ8ekB0HIbBjD_-HqcIVA3H#p--Hw0oV$l`U%F~
zz`@6Y0pb8_OkMeAO^hMkuwB>G38r0T09tEkVAXBVV0vL122N8`i}o!~JHNDLf*%HZ
zR9Yk8l0*ChVF1z(&k#$oFm`E;R;Mnp)6Y0hjUGT8;_S)Uak#w%kRAXOKk27N!yvW5
z#@tP~!B(BdXw#ymZn1Yi<Gf_y^82^gv1gsx&HtF}v3cQkc*Gui)_DPhBmQBe=6w6U
z=bTAoa;*=9y0CuIar?0kY}m47>UO*MedlNQj$PDXz}cM95!htF^QOWL)d&-)541|_
zVEYYZK5FXo_L}FN@3y}>>pH=H_IY?Co%#aYw)ei^JaK;2lHX48Q{P!N^;gHp@khsF
zORilqSlV71TDob;AEtdP(CMR={(9*H%g$Q%FUx+q{I=yET5c>qZN>E~-n}B{h&xVN
z_td%@mmI(Rg>~<li7%U5ch0iXI`_I&Q{P$p191EM$h5uInmNgF-4bE#t`)DZT|a%_
znqMrtYsrJl4_ooXbZyQ3Yd*1NzPW}2_r|Mce>eNc^e<+wn;p+ev)fj`vHHoCKVQ0W
z<$WtZ?ifuUIrY~S*viJVZ~2E-23KyJd2RV^OSzecXFl!t!_rrl8#5!&u>L>)Os*6R
z4idc4fd)YUB%Z(kjSjx=I)Yg^OObGKfci3Z*LM4lKX7ihx58i3lN<4|Q=MBf;mPq7
zj0)U<S0h6L?0c`(I*=4l1l|;2%Z?csV=z;9>^+ldP?|}AbuS9IcftZ|dd2|m3q!bR
z0-|-Q?$)QiyrgG;1m4sOKYnP7ef*1X3wrR^DNBAkIqQKCJSMO2?e>Fk5VB%sYHw%%
z?<R@u$fUCxWx<1onuuxbg|x%K0rn60*Bijf!Qo8}ER3m7FFSK;q4^+kB269Otaahu
zvB>JC4sS~a1|JFUQMdqzO2BJ|p%@C@H#$&l@Tq^X?|aGlPm?)u%k-p2S2SEOqCa4t
z`6C#T_x;GZW8vaEH=nX<@|CL57R_jrH$O^3ToE!#tO0$;G#%JPZi>bzYU<tgNqd~g
z-sySEflSZ#3qN*l-v(o5n_)7*=|NEhHFXGE!rw6a!MmL?f$~He&|BTKvp<1u5kGOB
zxc5Q*zgjmqoc0qxaemHm?!x&GpE$8}AnY&7b6afWnGGj{%KVZS4}@oRl>NnLHte(=
z%G_rA-k&+APc9q??FJTvOU|$(&uuux{?v0DHcxcpU$)QsxpUk6*A9dhfkXW(4}f06
zg0H!wbs)5YiJ(4j&~E#RpF6wIovClxYkuKOZaDxJ))5P>Zy^geK6WAu$?41Q*<!!`
z3n#kyA5+F$3qQMWr=5No)<}C^c5dHt0Bo1j?PGuGOh*rdEqC<f!99?mbINZ1()syC
z&##;z$3p7s+fF<Xg4XKWUUhC=?iehd^m}J{`Jo`_!3%<di^bb*sS700NDs5AEXj&2
zDtOaWs*ytFUclc4pak2_w7R`sLI_r3Se4OR5>_Czp3L?YUazxdGT1h?7MK@ep?Id9
z%ezClOpDAXRNN>>badRwhYhd+DapMtN8z1Xvz`j&Q)F1>wMH<-<IVYw<w?|1X1tm$
zrK3p2528P8kFS%x+}Q9}TMC_PMny@KsPv!~D+}Ffj6u0z-Ji#Eopz<$F0@%Xg+|Lk
zlxbwMayvZ4alag|ap^>r&WW-yR0ka$?=>=bQDP<2?e@5Jf2JaZ{dqRoSHfd+jFNtK
zFp3wkW+9;GhQlzCOm<`8R#NbXV(AK1D*_?8AB~l2#Wc}md}K;h!$KzEm%!{a=}iOS
zN$N5^3qrdfN&pymP;s?ieZzU(jO*(c{P_4Fx7NOA$%g0^KXYL-yCT0jCiR`&AF}Vh
z6G&7|hii2bR^O1RvfKy|UnaBgWbc8&G(ci*2B%>cz_`^N7ticVZ@~idA1=@BM;&mk
zWhW-26~tMq?A<9yw4|0m(c$IY??3W^$cOC@FLCW&@o#qq#CI=8>?dEJi`x29`2M&Z
zr+wm-&m<f6zb<uUlLs<4?YMZ!zMkRwKVHS!{4|{Al&{?Q@-Fheo9&CIUGp>4MOPm!
zhQFV+Kk#1YXL^|n$cRsTH%$C-J7Mq1Oj1pgqT_emws~jk;fL(e`z8do3-_IsJb=xZ
zec5to0c}3|@4h|9tM(&3XcR0G(V62CmmGG=(?1jJ=nB_GGwa`5=pS>}W#6;!=tG4Q
zW}w0x`M@<BZ@F~{d^0He{G^EaVeh5bXTEo){a-UK;F}%D1bfa(IBvs@!)s6Y&~r!F
zj|8Bp7biuItN)o>;?F*4e<Th?#Z^#r`uSIHkl*XO)4p~U^ytJNZj6zu?*EjHaZsVV
z8Y-N&<TgI>N%Q0O&dFW-^J>?sE#_W>O~_5c^@j})5Z!>{%eWB}1^PCj8?;W~_O@9#
zcx^>Icm1h*V)ps7(E7H+E<l(KqciN6{{T%9YoNl4>!v=j>XxY|?dlq+ut_`p1tgtf
zY>bA}pS2b$Ou|1WJ@cF2+5h#IIk*j#eYfF2mQnU=lNM%XKJkauXYTr~y=#(O9j}9;
zQ?7V2xNG{457<}z&KbS!9WMM374M)@@m|^J`kz`W`y#9%KIb2Bh8D%Rvfx!&Ll6lq
z1F9%ZVhD@|e{-P4TD~kZHVJ}HWs0q6wVMZ_Y?d(dLs=IyYAO@pYQliv0#QZrR|t1Q
zsN_gL8SvG@Aqo^W2jy}}O^h<_VWzGm$Pnvp;n8s>(@!MmdAZzCBY{rBTTQgEY*wq+
za`Yh7jChKA*@NRvS&3%|IpSwC(N^12iZn`r0&a2zP-%n2R=FYgYeT}zG%aONmpq|*
z52#k6o(xh+enc052k7bez~!pa2QR6yH&W<IQm59>c*00D<VjIVJ5?`N1O5>}`}<}f
zkx)vWawpp`y1|Z!Vg6Jsq7pgaWc6aE;R}^nOGze&5psz3o7qA~&cuZ>K2&3Yb~l_K
zqkYz@MXWf?ag&@_Z^vm<Yk#rko3m%HdU@5<%%@kpZ~1xCzgqgtl7DraHnj!7<Ll4=
zTYPfL{&n5eSiEMF3&b6?Yd`y^+fHzSwnOyDGv2*;#%332J4{|fi=W!!+US^FT<Cmk
zf8f$_BB)2K+UiOke$v_d+dJtkD0wpp@ROUjx+qvYU;Wabe{cVMtLv&GT)Dj!CyEts
z$xJxxvrd9$zIT#q>jY{aZ0+?awNF3E6<8FuxejwopZ}xp*o)_HchQdN$s5VO>SUL=
zzMA=4*cO@IE9mI3*99QNdfF+jcTJD~^we?oU8lINT3<}>t+-c1<CJ|B?+HT1>vy<@
zGu02j|Ngxp-E})$0lR~^5=Wen+TX{M_8qVrfj(~7>2go|FI;!UqO=n_HhcOrYyT#{
z`H{0A_I%^1t{)zHp&Zl~O7!o+m-}8Qtzx<q7@`8`<f-|5#sD-{H`-&uk#q|~xT<K@
z^C}zf_<MbB&|}b1+|TA%pU^F(!gXrwZMQl`c!=sLFR6B-j1tQ-Ohuu*cz2LVgd#oM
zj}pF)8Wl1P(u0FUc_7G#R71_@VhKexYV$fORC+<n=qKff0s0_FB1h-Eu`%v%*2<((
z)D*G6lBU~Vmk0Hvrh_jAkiNo|pgS<2>QP@@A9N_+06a8uVxI@rWGp9lNn#xCxN}Kj
z1gdueU$Ow>AL*O;$Sg~dK9koA15*yhct%o$IHLMSMll8`yx4fmnnBqT6GBN7&B%b3
z1EKLap1{adup-AWO{$K@(Uiy2Mned29i@yCD)|X_jnGF1PZ&%Wv0ABspFzNT=uFq4
zJmf*nLq^|bmIODFUbLV`M*<~zNFm)FNOdge>(vnuNE!q@Tq9c>HJe=!CyI=+ek$K9
zXg!iC2AgK01SoW{D-tmU5V>kMCu^J#_vXvtezs7r7i5q$DwPPfubZPVlPP5xK^~<?
zYP(m87e}gC&FTGl28%1PP9fB>I1fPrMZJ<WsZ@<DRAUnyah>t?#d<2)lM+GHTcmS-
zLJbaMnOrZ~9wMN?M1*5LuW5`q4o_zigLK8)XYqOy99L>I7b%v42wf`W@McsVdAwwT
z<|EyXk@XDf#K=<)^^{SKOV&Xfo6E#JlE9$@!#9j%nY4xnQrb9G5VHv`Q4jet-FPAh
z`IksvP(3X<TF#?s&L1|@!GzKYs7*YebEQNKR|Hj$kNZIVh`F5aIHm}R$ThdkUblMJ
z%D>DktaxnsmzJHi^zkJ>bi8}22#Ls`ZJh7AaJEiw{P_M!@3^0Xc{ZZDz&ty3czMbG
z@;818GsK59*Q?W$jhB6~?h@D5N^ee5OC}E1)AqBv>ua+$?ZMmkAM^tq4tm*eCD#^<
zd#fHdsS3W@5z}?|baB_9xOkZ5+61Ti_V1tHe^g$C+3UiB>p!O_o2W&;=$dm(e}R3f
zyQr32XE<grym;H+2w|^4<;7o=T}L^lxh3zfEv~G(&I8$H*y7lgn(LYATlL@HwHT_q
zjs&mu-)>uF!#d!~+nTOJaGHbs#9#FHPyFyrteC(jVvGv8e5#x-b!ryh@@G6+u29Hy
zwT|2k5`}=*m)2u>Mjx;oY~#IFI@jb1eqAIK4Qo}(W;Wc@ll_)FR>)dM4rNIT!SY#<
zqsa$ilDi0~XBLTiMx_C(1WSAdEh2TfXR3`V(I3qB{c5r}>Ub!xm`s`JqESyqaG?t7
zHU6Z#m{8DUZ-Dyxo_t6h3X+h|WEGV6nPoTDvKXzJ9<xJFX@rS^N(ut@@*tdG$U>j*
zhxCHdm-VLXSE_C>_-LyG#Vw{Id5$Yb{8k~U!;ea{iVtf;EB#<+oX8BCg?vBG1~c_W
zBO9p)hcYUV;i5n5t&i9^sZ?A3zPrOKqkaJ9Tz`@P;T`Zv6DF`DnfG-}eSmj~q1;3i
zFtM3GG>si>ve*BL{k=7)JDz+N&ABOm0f<pKJqT+YDbzE~A?TzA>rz+qb+Y9^!)S-i
zyjN6`(Jn@zhCVWTbv7I-XT8lrOXv;-GAkJ{b9kctWHoO1z|gKGrK&!yiH*>Nx7AKY
zL7599hK*7qI5Jw*a>6giOm5yEZ%|Ss5DN9cXK_q&R6?w=S+bh$iOtpsA9~wFvk+zZ
zWUtu8%i!&Z@)1c#GX0#_FIxFT%F1P%MSz9jDU9_7%fSd1jO+2XW%}}CY=~;*8V@YY
zK)^_3Lc_k=X=i#BtE-fWBI5I9GuAMh?k3EVQP=8RIhPuA@Y*m2OdZy$N2-FSs8y-5
z!Ya*b*Ms_F9luhHMOZy<6k%72q){+ZX4HIkT(4SkFQt-0u$qzvoyAu^;yOh3I@mAj
zzmuvDy)~v&EM3$)ENF&Ep&StMsz^pD<y9&!wA>v$+=^$r-CW8l_l$NbM;pF;1BnE?
zwXEW8)T)G~pmC)a2e@uaH1t6|fEgr$HW&<G8AvK%H5f8oP}=o!V=Q|OcYrJUY0>8?
z#?b~D1)WW5KHyV@R-s;snQX`e%59Z0E8%1oFKT@}59XBPjM3#hmQfb5!Z_0y38iMm
zOsT#`RE;GJKlosWVg>MTGAuD<ga@7o8VgoPX&4Jxv1)*5C`~;_V_sAa7DhEc9V}Sj
zcav_V`EuG6U{M(hdxk))5lSI1s4SPdyw#!T!bq1zf{DX|l#~mMIyPI_n2;GhS7u{F
z->})P0M)`9s=34QX4C9;+ihGgjz$qQ+6jZwM!O12vuh5$s1Npw`o_0eeN<9X7k4K?
z1*nU8m>QDed8J+vY2Pr@($TJAf^OA-CQ+X+g|L-!56|_@M6=`$hI1`M>I*?i>W4^g
zs27!#kr7H~Dr%>ukBen~kVCLmT46^(sqG+W+7~Ii$7ZcEkP~Ji5mvoKM&;+FE;<->
zvPICHN^_;Gna=dx5+?-#KpSv#YME1Fl}t(i?JCHtbj3=&+bb8fR*LDml_5*^I=NQ2
z(FOHy#K&j?No%SVZ&Z5`aY%-n0|3-Sv&8_<C&fWq_DX85grWhjEXq_HjAuNoBBh!{
zGgcGwMb$98))-*ADALG;1f`M{c*5iFU;%eVX89VL5yxX5XuX1wvnVD9L${h%qoq=e
zkA`E}v|#8Vk5Fn2M#)AEHqke^u;q?R7f-m&)i{)aJh%~}yWeJT>+ZIf(K<vrRcxb3
z!V`}B1K^EO$wq29JfcMs8PZpjK;t;8yQ8_lP^@PAhE!w7aTNT!NLncA0^JHykz7BN
zO9O+Is)}A@DEgFqhDM4)nc~aEF^I=oSRq^}x5`AR8L0)zcxPPFMx%L*&7k>|$7|I&
zNh+ant(I4^m4VXqMF=%g3Ff+~a^2leHr4K!W(R{LS_O5V>Zp#^6N5TpY8{sMdk8RF
zC>g1$oF<4=05te3gN{GyEoGG<AFwi-5n<z8LFlseKrhE74H-0Bbe11vL1!7bjDd{8
z(z%4U6YRujB4RO89sng=cvw+OBquO!-ITZlTT_efPF;wV$_a@}CNecvY$!~!D}@v^
zEcy#-iiieGCLB*CJmApeayq*9ihEtS>j%@fPM@;$GfR6*ezl~qgmK*BIC<(XQ(f3i
zZ?Sv#LPqY0bDVD+ebl8Nx9<h{Ui-iAb*<h^{$s?Tee!)Se8%~^FRtFS<&Nj<&yFCc
zdFy@9+=(m7Yur!mJlx*20!U!&{jSwpbj^S#5|C}CsX>wo2b`z|!mgmCN*k;SNFxI$
z?c)7#@J8w63%0L5ZDfDye#j0kUF$q$I{1qx?3HVs(NlL^ylr2`=|E6n_GiBa4NhHl
z^6sezpE%M!Y&G;|$Je3AmBDswy21aHeN1^n^z<DUpSZ78ivTU&3A9Ng05S+jPzq7q
z1c?}|Y0)ZyQkaHby!7HN`{{%BN1xxYWoGN+t|zGUd%tF%oq%gl{05xj=*xaz-D=-s
z*q{1_E4$@DKuPwo--P4VU%uOa%(ssGqrDvjkL}M+igs+<vv$|F?+)7MubKRS|8&i6
zJ^+lPefEFCv8SGL_q)BTRxR4r<j21_DO&kU-zV1m=o>5TqaSePHXi`Y(*F1ZaF`Q2
z|El8-`{iftJrBSSIuIPB9eogvTb;Z7o9lk${(*hUgc10}gD!l<(;s;1EcCJkd+kHe
z(t&_q?GHQzE#X((&<pPQVAKBWk#Lm{e;A6~*S~w7&-_BLk2wm8KJhS&v;%=?*$+Gn
z-I#iuOn>Xuu<dvR2HI(-zKkcHyXA2EeUne@t}poGn>X#Su?a=?+;2^O$9oF$JB~lu
zYhV34D0*p9G%ft*@#RZ@`Oo&oN8y;GcYgQgt!vNuy`6JFUw-o_RM`6ZHBVCZ^_Saw
zCPkyipy<dg|NgPfZuQ$X`)8mxKJLOCvoUj?*&j$c^~Vs)x^NG~vR1Riv7daa+-@GR
z!DD~_+pb?Pg^Rbi=R1?|lI2BTTm1QVC+VQcb+98(x_&#`{*3g?{f%K&h)R9%Dc8@Y
ziR&)@%HrsIuAXD%)So(6Tso;@Km0vN=$!tHYsRr`>R$3??_%g#SKl%7<(vQMS9`y|
z>RI@H_WQ1Fj@g@y%a7gPtVe}rcR%lXarO%GuKNDs287!dZ+yXZ>5fBio`VVJ`SqF&
zf0w`AxBZEd_=pdSfw9bSTs}FB%GL-CkHC_m7OyDP${5d77&q|n%O(%DT68O>rojW&
zS4d|)h*{6ovi))q(yO^-CfCYxiIgN4U<t^_xtb66#;|-NRoBv>v+5a^b5XO!`i9C7
zx2hu~$d)|wqdJv~VW^jm@__Xxlz^8kW#v@5mzQ`tQDJ>Pzm>_LS`avc?oqhHh{V{E
zM0bMld1_<D1N;2g0B?>Wk&1y23n?qn@kJ{!&S-;ZYRr>G#8!|S*JH&59;ppU-Ke#b
zoj#tR^+c&P?kUB7Rw(-O6(dy#bafGuFo<u^iI(yqHY=KeQZ}FVcPs5gl>x2GP^vPP
z6JT-*ssS0f1=ZvJ2A>twQK`k0;#Gu=yK_<t$-SAst=;yH4g9i01N-0&>`T{<y{U*?
zp(1{Xij;#kR@ks<J{_Y5Iktp0Doi|pq`<HWe7yT<D-;ezgZ*xOIK(<lQi;o$UoVj{
zziJA;C}i(ih#<=4YH~;=n1Yz`^HQ4*0?3)6B%*F{nKF`Sr`=_DGne%99Y02y8Ja}e
zdNCqYtZ1T?q7p%x8_(AvBE^<ReP5g*iDsymGxe%$h1|w)%;o(4fj^lE_Q#NC457nd
zB3#Rm!74{IGg)#}?0O2dXy2XIMX(BWH_E+!Gg{0yM+DIxR3bH_=Ji8BR;hPscfi}H
zdlo7T676O<pY9G*ezB4U;F{PX+98T9QwBV=Brhv%xy5wBQJJadgj9`bA|pDM6h?@*
znKGKqppNys-fFWm2t^vzwq|&7bI{a;K@|-I4FE21zDU^Oq{V;Ru;JyUhlcb2pTpU;
z;kbD@8F8C~GVia9c^Zi@RM_yO@u8>984&hKp!_Ii`h$E|^~>NGpGMR~EY$R+Wj9_K
z3GPw?9u8CPQ=VWk-10;b3ymjzg_aa0(JUQQmAJ;qppIg;t!$Z(c%`@pk)n~9rxsvh
zKx((<>q$1-wQx{~Y{LGd><ctuchd|elC=&O#$$z2MrBPoj3na_>ta)tjFykerB)jm
z_TwG!?Q#=Mm>}dl)uGZzK^~SdvxMVmq~#x#*pxK%#$^H<g!==b<qrgF<`9dNvMetc
zow}tVBPCrZ<qBD$+SVHbBbe+0>6ekrkmyYYP^Q-)QCz9f!PrPK5l@)HbuZm@gJQQH
z>5;(VEc<GCz2hy$m{FfK@N^<w0Nb!Zr2x#_<2D@1h#%yz>(0MlcZ}Z5kHJF0L?Ck6
zjWm;Cf2!;2=?RZoS2*1*V8c+U&g-FCsFIKN)L{~2p-X(N>(7q|3Ac)mGJU*}(^^tk
zP3nn`0qP2wv;}TQ?rf}7tTaU*3316tNyZA19LI}AkW;NT1$RD6RjuAAIgYaPRGA*o
zqwbItO(VpO$aoA342@2wS{G>~AFN~w1Hd6$GC$<XX1f@!sUcJzXDg8^)(YpPd@NxW
zD4<~o#gaI*kpHi}bB&!Ht?T$6IDxab!zHkeMq$AvxGt5p(`jcGShkmGr_-5E+qreR
zOG;-tZD%^2-lrE?Pc{+5B6oyQL@@}f2`Vo%`$tg`7KmaXkQf5u;zkUMF)V6gNJN6a
zIqn)m*l>Jt@XeVw|D<W3|8(Z*Gtckx{d{9*mcn2hGs`S9LZ@C0mIl44(6X78ov!Iw
z5)yMtJ&=YmHRYZ%XT9!hjykoQuof8TF>1e@jt82Et)fu}*kQal9*Bov*qgQqw+!{5
zsz=ide8Y<=FDv{a2$WUVz$Rr(s0X#uhHFikEL&&adU@kN&YeF6=f`hijZd9_#dn|A
zIC}_h80T(0h1gGQypK2iJj4d~5{(CMyw$w>!6%PKs|I~0w;E7nJ_XTdJF@Y75bZv8
z&+q-uhW+ucL8<$*RO4^Xp913J2iuKLo@cC!^jXkp=;tnnu%~m6AL}%P<MUq8c>npk
zKdNeHfAWgPYtNlOMWtsicvS<?E6MQIKR&zbuEuTWF0e0Jl9#V}+g%MHl)k!gjZk`(
zAIk5CIf_p_l;EZd+28d*O{OL5!S=wk^gh0ff!o`(Cw;Lqi?pQAx6|1yS-6A}v;&9k
z>1u~1#(s<qMw&^j!~wNyri0O_*_qnJA?xq$z1hU&4vVJkq3`yzE?63AUY3Lk*5svw
zLDq6HSnY=3eJ%=O;GuJhWM&7+*>1=~PWde}m&z(-mSC6Ki;!)UM6H6#_h`}URo-IV
z!>fZlHaH9VU(gLBKxb**3oN_8Ywy&W#6!kvB@r$Ly}`<yV;QsUcB7;yG`73zX9T9T
zHiRa1Tzx25y|EB&b*~jVyFM-V2Su|LcBOsNPwDlXPiE|r%z^iehT}jbGPfINy<S{|
z1yRpg%Am*Tly|8tA;I9?uWa2f!%+-r<55Gu76@F$bn*8E0{tU)+Bv1BA#}977{<6+
zM&_Y=Q1q2sOO=}Ei2=ftIGXP04z%43vF0M(uLGq+h<M*vt@l*mZD~zZXCX61LIs))
zbz%}Z3vRpOmPJxxj_VTSbmtAgZvh;=jE+>!xoq2;ubVk=>7C{9lA?(8GMwyOMFH<8
zW1w-(Y$LCEkLuOlwDfzb4z_uKhy-goXJGU(0StR-cylsE<$2snsZjQr4%21;N7~V8
z&Fqcb3B7Aqu|KD&o}$|YGaPiIiQ?vCokd$)lp{Me6VRQyi|Bhv@2E(#ZEd?KT{MU4
z!k$!FJ)IwV`w~;KJQdc6ZW%~O6|&drkpuy0ZfQ<RbhS51X`t!M9(=2&_QYCYsRlt(
zH)B@C*@ODENZ_j0_I~huUhXr&QT!!l47XEvHHb?p4Qd9e2Ebt!Ne4&bc)Hdq5W7#T
zpbrsa&H2l~)+T#*)Hi{oEP1<fF<gzS5toK>9mdE~j#g863hHcJ%@-M`t5vpM6Nh+|
z9LnyNv3X4HO&z(E>Ptfp)ntRoy+IliN)5jirs<_k+zu)L;LKY2stx}+8<#%1)M|FK
z3;2C-XbpmOg|zFsKj@?()*nD0?27ZM8N1bFZoR<D3LV8(s35zxfax<IpAA+}-j2Hj
zsv4||4>*;nh*>;e3s#H94k#A%dOc%WuCZ#UHr)l@;RpWMGb;eeBd$@`NIG5s`d%VL
z0Gz75mhEp_em?WDNqb{Uh^FjUgXy3Y<8r##7iZrx8;fhp^N)OaX6CrNaICnAuW?CX
zJ0+$n2$hz;#Lvc5x~7J(-1c~T(CROwY_#&~O$2o?ZtrYHV;tmj18G!~`>`smQey7o
zb$QS-3ajbJ>Zv^-`Sh|f&O8m|aVxS-<5EBE$W+^%AJn30l$W;2Xb80ReI;&Mt7a5b
zKFnJ-&6P}>@oC0`mLn!KE9*yqGw)S-HLbRjA+{Hiz$7KubS%aIO`k2C9c(q$3^Om#
z4qF$*0%LKSG(4RY6<)DB<5@lwSB9>EDF~C`OpMRgd!}_-p5<ZSZ^&NhYY{gyz?=b?
zRw8N5fV&Z;(Za|0j#V6{3!!SK@^0SmhCO{a^L>OV4@;aL1c}?-ZdRKO8;-Fuq{9+&
zqGu0!*Our1hvj)KXm}1VF^0%jK%Jcp4rs`PqxmweTT^V_)tgLE?n{B`8|WtHgxZ^H
zxX$oo#yiDqB6U}ioVfNu+nU8xFj;NHqPb+n!zTC^(uTT|rfmb@O;gmH<td{@(y;C4
z(sDuvdE8GfwGa7vtcapXW1Pa#aU#2cU?xDif~^d?NcCtW@D;S_3B|0_OFLm?klL!o
zcRQUECaygInC~>%5k@Ow6QtO=ChgIAWVM+c1|@e|5&GtCvu7v##*6x@$BBrxlu8rr
zZVd}7_2ClDig+^yOs*E>mNpYN0)yb#!XJguU001D)3i7wv;GL@G-QY*6MGISVt(Qd
z`H@NNTCHWf<4>qE=(z}sn-no}%i4xSO?Ykld==;Oq49&a8+JTd=|tOG+UcYwDt<IW
z_R~PHihUC_$odpkzeHWLHoEUeb1+#l7WlfBB~w(<HZw!X;chw^&Pg4rBW1`U`4T19
zN)fn`A{xuF6z2w0E&1_^-!qDi8KfWPS#Pa~rek)xl749ur$d^Q(0<`B%;9L#X#%5K
z*tQXh9hwIVsxkT=JoOUr<aMj|mYEg0R$GRbXhbs_WIblYXE<Z!P{^?`CteGxFX86W
zw6W4NMl|0v+IEwS(WZoNL`ikp9aEHPGjm6-vl+nSvgz=>Ssfiz$K0;!I@JMGSYe}e
zy5vMtAM@ZrMJfZQC}(1q9o6i>A|eFYn7OX8n!D!$wkfv)YBF?FrJN88VFg-w0k+TO
zwe|Tb&gWa6Vm_y3(qGt$0Nk6d;}%P~&=D8k0Pat1W%>e4kbGnsE#juvqNfs(@vO5b
z-I7q{fapfHtw!~vNH+*KXp(%4#3`HasGaN$xn18c<9&OY$|+l{Y!6yFLvKD+(UH8(
z;~j+=laY9dolt%n`(`ZL#bgfqZ;;tE1=n1tlQKW}!MJO2+i*Fht&;awoXcpQTn{(B
zfs(DX;RNrlmwB=x_d$-r8{hNO&Vd)F!z2Y;=AAfd#*o(VX$e_6u>l>NGP3fBBq$B8
zPBn7t>j@>v%sR*qrY0RC+wz<J^<ir->kex!;-x*NcI${`d1x6T0+6DicHeIm-2(=l
z_fCRLcFHP+05VK4Y+jf(qP4MZ$2=v{FEzgX%%67FxYI^~Ze_R06TJ#+K}!tS?_#)P
z5x^@TG3<E58yfh9yVy7W)%=cozJ4_R0a_g1@rDL=;fCiw`lgF7_^pSJUpO85@dp|=
z0^sTj2y49u;Nlnl#)tp*W$f+t@%{%ImoD7)jMtsV!+LkT^&^c_`_HSMY}C0D_|ft8
zZ-fEwy8Am{n!ohZ-#PyI8)3kwsgJzj>95}C$1i;1@_=_fIpCGhkdB}DWf%~D;3q!K
zf9&6S$NQfK4K3oE;LuH<e-rbZfBEFS$DjNR-0|n%1b5uTe>nc@_`TD`uXx>8@Nv(1
z?$LNZT>MLKhC?r8|MT%XKJ~8Q@e8LzH@^kO>s$eY>G;aGz{Rg}?tjVj-@kF)J9V(u
zefV_b_UPF^b?4K?PaGdrp}njB*3%bq1$?k$^;Wp}7WWs=z3??3`P}iIq#-}_w#GNl
zo$oFD>Dj-&z43x`H=e%hC-TY1kADsF(D%Hvao>6N19yD&?C;(QiR$yGZ}52MyBd$5
zzxy3ue(l-I-rZQ9yZkL&&JzE^yCJju$g%O6^RHg~&V{oN{VI%k{`6@cKl^KqPu*zz
z#g}e<a`f=GA)o!#_cWe+?#9!{^W@==!{OsA-`jZbyz|AkGiP6aFN}Zwbi-$Z-#jI}
zZ-4mLuY2O$7aw1QHSRw9{r5HAb1gu;Y60R?Z9o!&McL6PGZwPwaLHglLi_rrNr5UU
z6v$oHcEB=Hm`~O_*<~CqjteFkOR7aVUT3{jTFxd&)p=_$^_o3m?jE|J`9}`Bwh0>w
z!a@KDV77ORqV9FD1g_?-Jv6wW1=iVek-!<@CB%+ts(*ll0iG9rv23?hAwq??6lNzg
z`9vsJIj-Y9$&jg;kZ(9IOQk-_Fe0DsB4$r_N6n0YwoG&u4(LNItJ+qE?ful>EBi9m
z)3wo`Fm7j@OG9rzAG69}#A;!hX+vk3+j@wXhiORZ3`#E8rDR5uho`s}*9w?f_#+bf
z3B0LMw>I;(Q_Zx=su!A^(?eJ4(Bdqo<+4$4&tMz1E$p-{J~}kFxB(d1vk(4m<D1ti
z`9Jdcyl!rV$!I}#*k-pHu$3{?ofaz4K!ZcMgNB{j=;fs|v?d+V(1PV$1;IuvGgfm*
zcf*0CuA~xN7P*3q7!l$4^;$}eYQd@<rK<K$sUmw^0PSyC7U7m_lbzi6$7x$@?p+Q^
z@k?t#p3k9q*aJX^n#-)E5da~r+IB+kdJ4t+^=>|3@El8Jc|V9F03KNpl1O~ZT&$>^
z-y1}ZW%V%Q61pNq+*{{dHsST1D;x|e9gjNmT>#pZ{l*j=b!{|jP=|2Tx~PqAN9}{>
z=|GvUOWeh>b|GmydhOS(ZCePORNc4jzS&vXLdw@t3cUpYC~ox+jI!iFR-bTrI$R1F
z*$(+t4BCA>*$=dBzD%K5d-kmlH}vOUYfQOXjVVvHJdd}1%on$~3aO}Rc-W%lA@jk@
zw`%njV!IM3Tf}BWokS?buB3r58BU`}%jUF7FAluC-IRtO5*t3+%|?Egh@c^bQJ~z0
zti~pd$E>w(55{URBls}F$T;1x3oR~MIu6zaVrpDkQQdq=?1vSOi``mbIum+SiR!LU
zEop+byt!Pm<g{tz)<7u{W0@na1<-komujA0pBf5Hp5&=6yW20@JJ6kEB+Pmb2rvs!
znb0&msVd~$*0M}DM?pl}o5j4dWu`f+WJ$p5Y<p)~-8hz#ppT`Jy8v#30vdKh?TS$)
zOxP9O-N;$D$+{zB2rS$|pEXQyKSY{PTvaFF5SvZ7T9OTKCk~gU=c${jq+xmf%WKQ?
zRg4dxYCiK&v<BF&o>=*$J!c37N%WAYsFj(F(a{!TM3!I!(5%`4h(!*Ni*pMunYgXC
z-j26aw0GI<_TcShZ{e_drT`fgje-NgvV^T+V1cdW>%DCd8z0;Y=6zW5>cwuj0DoZK
zwoCdF6{u@79r+HADS0uGvT!aWp&{o>OO&VUF+LvKT96qShbqK`?S|WqIdt1HpZ1)&
zFO8*cGMqK(fjgLt#dxvXOh)art_oCfM!_7+idU?b$F_nxmfWnEeTa~0Fk37@y~^1m
zOoy_h$oBf0$xv)6G%KJwS;i<{_+%B@m8Ue>PQNzkiAM)<u%4{~E}924hc8GZVC|5R
z03XXPd=JzRAv^2N{9?S!`)%;`{cz)XHhST%>rQ0cXTAPe_W}?1`U~F0M=w5f@y!=k
z7w^3I?3*9E`Oj|tm7BLW)0e5}pStP2HzhZTH{E*Uw{QIH6IAq<-tgTM75#?$Z_t5=
z{*3D%x&Du?f8+Jm_3i5~Uie2Kp?~zkJO1!F$`_ycb0<pb6$GQybq}A;JihM@CwlP5
z-+Av}Bge<S)Og9U_2tIPkB@%2ao=q}T-kBm2aopyiu5+TZBa`|MA<l4JOL>c7|+Wk
zaKuqSJySR!_*TUKhL*}-Y25n~8w0+0YYB`Q!nT%(<zOU;TQDdUH^GsrWj*6W(>&hv
z*e$mmKl7EwADp12@4F1pz9L%b@$N?&KYN+adL^{C`0_{bPfz=?+m3(wNaGIe^sldk
zR99R+(QX37x(#gbRuk?XgP^}{0bm%lJK!-zbV#h(x$F4YBaN5;Oos$8>dFCRE!;8D
z0<lcTApl)y0fP>OfFE8jz5G_b_c?eg%da-Ra2cX|CCJ0;9ynhA&$rxu`TQ%<4qf-5
z<Gp|1nE#(>s}DWe5UvG+Ke~;x{NIfnLljH}J7p4&CW<2^$(~HMrXT{Bv+9+ooU389
zv$<l(feagd<~JILNSja>s)4v>h0SWnGUl8l+IlttfiqTGqS3)CY0jfvT&iN#vj`+r
z6iQgET+>=n;es12qE<w)Go7;+mynE<$ptY?in0X->yGLK*{*2SV&&j`vY%`WtR-$D
zmqdW=X0G;<r_6eG>S_qq?y`ftTyN1Pmr&keKBh*vVNGHb-HdevJdt*Fh}TNolXH(s
zHD_QBBv6x=F8FR9Dp!#8y*Musmmb)NGt0@Y*#!%M{IKLUGkn);(XBZ;*LM5?R{g#(
zoK*gSBa<1L8fBJLSy(T91|wC`;z|$XurZhL-nw#)wk$5sKJbmk<JaQAAKi3*qAzKa
zPcXUavpqwnhjt5`iL+U&H^Yj&*sOR8n6tULnReH%uVzBurxq46kC+0BtM%|eazu1+
zG0~HGu;Em~j2Q7QKj}^oTo~wk2RU>dimudNu@tcmmvvpON>a(Tka6nvX3b`N>A?3^
zh-r#V3I%%$X+F}07>a)^r9jb~lD2WFrX9{l@lFTH+vHMihKJbqPv*pIR(Q4s5c5D=
zwc3k8n31*4jQZ6iOO&h_HRrNJNs|du7swP1(TwutU~6+p5p*U+$k60K_cF}TW<5PJ
zy1R9C2++d@ygxz0>P?4^P5NB7#p8XZ<J4U)^;=^Pq@UTKtm+xM%)lVp5o*mM;=T$p
dg%Pb=P0^mYmNhS4e8a7mU-zB<zUGGe{tJD^Jgfi!

delta 74922
zcmeFad3>8!l`!l_mTlQu9@}!_tc{a6TN63YzO+pf$=YS@ySlhq9$DTb*;*{QP{*N^
zw$P?bfXluNGi=i~Eif_Lw3NcMbh-fpv}}c8h8^0n%?!*-zw=13W5;O{KHmAg|KMM8
zEuC}jx$8Oi-gC~qK7L#}{{8elTYKy+E!fGHl^=|K^C235h97mc0Z@lO2r0(AxwuWC
z{MmzdZ^t>yz^-IE4Ztf-?1HrGgcd0NbFmKTzc1z>eR?qn>8BQtK>ESO1CZXcxbYJ|
zz^{BicE>5r13yyjxxtiWyx0E@5r5b3Ic0y4P+fWRjW1nYzxAi5jz1V16w;ZLz)(p;
zhGvomh7$;bkfsDfGRbm$T1*Kf&7Arl$km>Xe^K@FYwtx<{{VbWe4J2m>0duEvgfwn
zqd%56cuuK4L8$iq=*=JHza!m-KJZC^+zk-bcOI>2a^`QJI{LilRNp5FmEkunCys^a
zpQ4+pK=Mw2?7V#|IrQ?w|A1}@ZS<TP_(wvu>p90D@px7`b@jJA*B{!dY6-WrbgEiX
z5|d7+$*h4E(u9E#(wsq*Sjj-KX&!!)G|y!YZCR#Hl36O7qA~_jq9p?(5j?a>OdFCc
z$w;EWB}Ixor8q;Vgpamny+P#{(39Z}P~4_v1{py}3k=Ufr=%dsLZ^s~C>jWn%8IFs
zm|>x~{$*-1NwN&jrwtUHN*S0G4PBUm;zWtbrunSEvq|>Uze91`o_o(5_NS`5Pi<Se
zMRnDN2e0+}-~3OfT;KMbdTFU^fg_UyClRcHr_;27;km3q%+j=h&89L`n&miPdPu)q
zC@^LOA(J%-w3vlLp|t`}kp_YjSSrP21%b;R>RqOm80aX0O&VyLp@27&G6-3UGSJBs
z!>37}rzK1{HUB9X0Q~C558wYw*Qxuz?fIKe6RNH5BQNh2Uh<z3K7EU7Q?WR>i*J=q
zJp^C2q1WX1ci5gn<d6G2r~c+MgzCu1^+VyWxW9GkPv3#w)GQay3Ym<=@-W3%5(Y1o
zA`K~0A`MxJ6;tU9EAVOIkb0S#BeN-<<0%70Wq>-%XALPy<PBMd6(}j26j(t#RsJlY
z8kCL@)NglHPu=_3TU5JRlY0-pH}v$W2fph$b^LQMXP@oc(Rs%|ehJ;_gQ?a2PlW24
ze|x_#e8l<<wDY4di{JE5U4g7XWi!bnXOO5YV_+DXfQn_(29_duF)1d~Ns2nuwp=kH
zl}?c<n0|yvW(*7o^FbiUv?0T0X(^QzB`M3D`Uw=Y`@RQb<Zlk%d}`pKTU2ew{_FJ}
ziQnCZZooHtPW|>FLe=pgU+?<jkB3hkdiWL<_3P7;E%=25dL+J)UH~zF?c!lbXBO3v
zra{WFh^#omdlVqv3j9NmVt3<T!#{*sG=Y}i;Lo+*+j)iV)2jW7yV~`NGhKbE54QbG
z-PQR8#S3kP&UYyPrR#_yquZcqX}_lRPnxH6*LM9t^`!Qlx_j^&l)r6#U1zcV`>J`}
zSlf0iuYL3;&CSYv_-#sGR~GwxN2l)J6jyhh)c&HC#E|-%U7zZ>uHzfZzg54!<Gzkp
zG=HbQzvEWb@35aLdhyepHqGy~Gwn-SdusyQ*7AhrK>OXwx^_qF*E^_osa4ha^R`D+
zeq4R(i=U?l$t0DcNs2Jg*%Zu)4D=|>f}}wZVB}dsOtBJsYU?A>LFiqINC_NBAt4$V
zN@5HmCz1w{O=n1fODCCZ>eSmF`RX9c&?zd-(*}{JK;BspKoO7zlBYzDCTKcI5}$a}
z7gDVwG?`9|TsmW*MG2%v$Z`hIav4L0Bn5&Mp*&tZy1zAyQ8Y{eno1iukx9!H0Om=U
z8bX%j1wmlh40GzLe?B}YWd(+nQnZ0c3W9-2bCMwml4oFP5o9t+rr8vC>aKr|?%@SG
z!%AtvAV@T{C<(O{M2a^^*(_8Vn#^Zd5nX?@-*Ae1?5RB|juS!Pvj&2o<hEy01`&kD
z!12i>#Sla$3DS;Shx!eBvI5D{6bIUlkp)JeL0~9?GNeQz$?z1xFk+TK+jjxy4?lij
z5680%%QKCNKxYvGs2K*-3=gwDnaxUE8iWnaUjyX3zWjH4Xj&rqq$n8(fd?5$rA0%E
z&9a6xBS{R!2%<o-`%v=0<^!kto`~$ZoHb=P`oXop{c}(J=g4KK^{w)7T$V<E<zI$8
zm!r8i$s8|7Y4@Xhd8p_|o;+|_%DGSGdpUYpFB4vdN)~!$!VHxZ&`*Xo?>sg0)JFoB
zqf9k&w#(6@YMJoV@y`yPI{EZ*&*iAYb~(r8Xu>vhayRtdozHA-6F_Gb(0y0;9}wYF
z{<144tGrg-?`4(urcY>|{iP18qOW*1>d_0EHXUnkc^ANw4Zx}F3l{7q^nu}xeXslc
z3rnAW0sES<ml6g@`YM*Wir|K5LF6a_{ryhGql0Pq!g55?KoT@8g&e^cl2lrr+5~7D
znEWiwqBreQY{q!>p<N2^g&2KhP_YF)xl5r(%x=Y|3sD>&RP0B$?N(fQAtYqK0)2nC
z;+hK~A?E=U9aQwc3i4PFv#w#l(9}b(12-x$vPW^{1#oZJqX_m;>#_i+4R7147`g!J
z=w5|*0q`Arf&Y3&#VZxt(Yy93?Cm6|VTMCHuT%`8;6BBc%O=+De|6#ogQ64NxL<Ki
zJ4aE%GW#$7**R`LpxAt&j)v-&J4lff&hkETIYj%B{-9#x1v<OY8TcWEwVj8#w_MwW
zLy9)^<Uz%TKPShlb|3VJWp#}Q5pTF?|D8wuqTyA0Vmso86pOFY1KZJ$hZHAPA*msT
zCrE}^y7{o8<lebn4!88T(ilaMya85Kibwcs6&n}UlWn@9)p(9<oiz7f9KG@4=ndzg
z7tYfaeQWURBu>8uy-xCaFOKe6gKo&q!fHj;y&k_Bjb9wCyEs~VLG;3kmegDjzk*g@
z9No1By>8GtUk$y`RMDz6_;vl-adC9}8uU7y)OHc{O|U*F*WlOHz4hW~#r9TX=gO>J
z$-OKMXO1hrtl7POmT%dt#Ar;pl95NhyjQX5LgFx>#Eh6`g>a>W<>jsaQUn_>MX+Io
zV4*3S>&oa`p=c7U7mV`=)(v6rr3iXtf`wHLT{n*1=doBvfM1G0w?o;vO1G?Ipk25G
zf#wo;^(F9KYw_#)d7<+X1gf?8b=}-?34Hrn{P{hwAhcbaKv1s5uWLc;CGd(XU<h7S
zUK9**<{rgYG#8MAEt`}rtCx=fQn-pB;NRvQ%9d4wx~@i>8nfb@q^%?9U(aA+%?7e5
zKo{ZA6rhU`^sVic_2RP@PcNLmL2HW7xf0e5e9u}A=MSvVeF;3i2ERb9V{l2?S;Js`
z{y$4}7QhO0eivLycK&aQ&H`*u)^+hEWas~;=&<q*Y28G<xa@%FykGIetFJX3D@({<
z*P2VOHEVUky2%LQvRdh^!-KS36tCT(T(~F!h|5Lsu+m%<57M$4ziuvd?pU}u0jxBu
z8LX2ASZOYb2WeT2U)Muzu-0Cb09KmS_;oFSmFA*&#SYj|bShS6{R)G#TQiI}^MC?r
z_N<q)ja#<1!R8EGEis?_oMOubR;A8OyV_uTwrbn5Qq1!HOxu4+lFp5nCfTs7ZQ&9n
zsrt@mvwoq`pHH%GV7q%?jpW>6p}XgNnswvb(Y><`#^>BgZXLw{ekqE6-5QDutqO#8
z4ao)84N`L{3POD;3bIS4SXkAXb;C?_p2uVz1*tlZVqMo09T%lofWr#eejdrXZYA0-
zML{ahqgYo}qV+-)hgY9QNySci=3hj>h&R0Qumb+K!hhw`D-XAA_YS7A*%U{x83Rv}
zV0!~|0ob>}a!n_RB)A?W+4O>r;q7~12a-;vXa;;VBpAX4LIMlAC>RJ*Os6S2Dag*t
ze4(6^W~Y)VX^Nz1rj=53w1oBgPK?S5;8Easa1=67j0kR?B$&<(Qc}!H3`g=(O3D@r
zspPzZ#F}|JQ#`moIk3;u$&6$;$Pj4?Eac#lOAEY|Vbe)AolP||&31upQi<Qtf}h53
z!=J;^&VfzWd}83HUVK3|a$Zgwl`<i78EtHp2`{HPihZr&&cU^fxNsZJ47A^VbTG|l
zlF&TpB5+X19t`l#No)!n6W|L=CBYn;;?cdM?S~i+Tr)JC0Uu);yp)VULcgTJX)Gnv
z3=KXVise${`D{V%6$O5}1$yN4CwgxBAnupzemUhd>V7%JoGG^d>g2M`39P*0kO+<v
zhW=#7uMS@Te1_=w)s73neH~xMd0FxEjg7uA1il^cn6$A1ohGFe0p=+Ie0^!~u7KMz
zYseDmY$hv7JfCFG+|==%!-JPac~8eLo7Gxd49G&qSMWx?&O`j$Gab7g*wdr@mlph5
z-RrgA)gIJT)Q_pRb`?4w>%2lW+wo#Yz5QuW0dq>U^Z163!KC}I)~go}^z^la*_K7E
zszueQQW;x2VJKRlNkRs^ZU!Qo1Q8OmBnSccUo+_pPl5*>oLd=m&#kJy1v||+EK!%k
zWeySHP$)*m-6OP*XRSus!rR><5%IZrkJHL=7LGFoVvNt?^|~3-9^jY&9b#6mvCS4S
zLjplj0@qt<S=`qRwIk23od{Bu1S772OD|+VMnPV|uL|x#f#=B#n_<aRHj}E<^Ha&$
zG3j7oE-%fd3gwX55g2h1u@UEphao9P#1;1XZMNu$J8Fy45x>`w@CJq*0h2Wmc7)9l
zSHw>F2_s<@7^BBw^jxT_3%n?Df+*MZN*wCSpI_G$B__eAC&07-Upgaz(>(=~-avzA
zm=icT=zus^)x0!Um>rufKyAGgPjW7kiL*Lbf^m9+MzeWD6bTzO;t9Iq4#E-&34w)#
zF=C{w?x2^q#Vo>zE6iDj6Gn^AAG=U>d66dsMy~CC9n_XSzqU+<gxCQVJk;RjYr3~Z
zFviPq0$CA8J<WnAcBNy}g~GyAqq0`f5ep@_gjopi!>(8&%vvcsA7nXuEF5#v0x?1k
zJK`?S2<eJ4tlz<t9+I=#OfWTqrU)CjU|j`4<VmP&S*vdeZ*4iMg0PO287i>?Xk=zv
z(!gb8PrQ_&4M`p}QBovRj0gb=Sr$F`2GxO8vce33OBKAV=ofELZ5{-FsRV9d&XCT6
zwr5z8lShU!WWiBP69P;kDvJ)>u3~!5Njq@hIfg*_+f`d(>d{Gx6KKc=OAHLH1j;Q7
zu>d4^I6>mMY?>)l%BAs)1cN$AB?n1rFj}09jyYnnk?Ke(Q%DGc*J+WwE~js%IyDpb
zhYknRvljnYZP=AFN2NfDwdU=xSW(ByxnzE_G?Xq(pY1Gt<Cxc!8FB~~KT@R8);m;N
z7T6@61!pt_Y)Axnq6OI#Er91LP0&2Jg=vlf7y7J}EEi_a){4wUU9>P^G)_n3zLJ@t
zatXffWu$rDMkKQFdO1cF&GD+4j63U5n_wAnB{N*UkX~Oas1#TrmTLvO4qA}MaB)v3
z%(u;pZ3jAAU=Ww}3`K)4n}J{(h|mD%dYX{y44=RkFOWRJQanRJMKjWJMPnXg(OeyJ
z7AkXmnD$rw?gHto6y{=)qMeShwkaW*7bo*xDqACcR?}Rez`Lp8e1W`RP0v-7rg?!7
z(bS!)E#m?MetlS;Akct=?xSGkN`k&H(6A<wd>SHUm{cWSm1f7Y<5K2q51Q*akFj8{
zPFkkigePsPGIO3Ough3;jM*%el2Dw9OpFm6U$bYYY?BkwO2F$uFW#x@Z=4L4`-@;1
zk!{H5fez@eo#*#g3WBXfj)0vH11@(a1(7bYdVwiNLNAe7Sa7A;WIj`vu9Q~#tQtyJ
zqqT9iFyY9%B?}$Nvvt#uHC>g;Lv((@WoG>~C*knseYC6Yl7?z^&#+(07nqCo83Cd|
zKxC9WxCh&zvf}y5gofA~Hc3G3C`MjHcoC}2v9K3_-CCMqlN`xpXBVVWPOj|1vs<!;
zK5;T0D&QRU@WzCT^U|c-Z1IN~J0r#z%I_I*60VrV25MRyN!Tf~nGYt&fIUFjV^qi!
zW37qx`UI*AVGIN-SC?*s>h4%<J1Wn`g_X&e6<HS6ZIBbF9B34nhe;lSxhOuvr=X<}
zlEi0c&sKMN*co3XKO4yoQvstj%cuDwH(vKf%5xQyMXK1s!v$~TFfUdLQ}&^;!)z|(
z&Lxr)rF5<^JA1G!mCDDE;x1T5&#4$<h=B<xHYUMgWm9O5tPvU(L^#FMqJe_7116~i
zv1%ezHp4JHnWZ6nGE=OirpD7}D>*hfQHWXQ>Pdnrl)}~FnZw-dgv1%`;jBMDHWMXG
z`ia>gGg*%(b6#p@a&9OymY+r+xl1*$N_!GRvR-2u^sT!<#}G`CfekXOYe@nmmxKTr
zU=J&WNJ;68ATmUf%}CX9GBqU~%#<6W$|fvPw})~0-FA^Q({>Ll3_DB_&Lsv#+U6V~
z%r4GmAsGkhv{}5A3q-*JI|f_OVR16f0JUmV7tX2}xl*8c8w)U}fZp1^*k)VqEtR~L
zVKeC@2~j5oi52Bo7l>OFAhOK>b(Bb!O=Z(bDKlP@>$xn;rWiMAoS&qps%|!uaTCR=
z%|m&IQi&nL7c-`d)eza6j-*rUoQbj|UC!8$;C0y06Q@<%k?t;)YPr+S?lLJ*zUb<c
zsx3KA-Z^EN3>-Bfnt<UTgh{03o}*IGSv17dQN(hmogKTt1U2NDq0>AcPEr;=9UL<9
zX>WWYHqMR3GIR0zTqzryn5`ZT)m*Xqkbj=Ym!s&PPO65Eo}E*TT5u4$z{zt;-f8#f
zzSn|};QMvo!*#m<#K-a9;$OvojDH$`FMbS9;E&-a@d|z%_Tit@p=aK!+O(->BLsAv
zTlbeYRNd&6_o_B;!e!^|IV|i7nwtW2^nI!??d{QqTJYn#z1ooO747%6@5IyiKjRks
zC%S*uy<hhW-SfIn=%#dcLSa{G(E|@`Z2OCMlsy*Zq89uAz1dqhyW8t-u(`Zl*sE{C
z@CKJZXM5Clq5Tn>ykGT>V}GeuMCQ{f<FUU~3elHNtB$tz;J2fW2UG*CKf^x&gLfm2
z?tM|U8GYbkRa)7D-`j$^eTshdXYn)mgZRDpm+;R6(Fwd)*{Z^N<fL0pa7fTY&#0_>
z<t+IB;QxvL68{PQJ^Xq6U-4(~C**wiukjz^XZbAi=#+VM$~-z{9-Zi+7gW}jVs~Qq
zHVEY!#ajEYA1`&hq+&b^J*|J~Vddu6y4pHgFl<rV)7|>#&aj2^&lA8+d6paA`j<{L
zVAgt;nXdJM^KIeJ*pCA@u!l4n+TQw?PCH-*h7!ywcUx=gUpoDk{&ckShq%6{y{#3)
zy4&OwSIVhw>9^j_E#2+-jP3`zcfbrdqFb=FL7~`RJnrph`TWI0-gcJJUpm^#vwSW%
z(C5Z^;gSch*0YTM(lJ(8<(}?5Z*-|Ye~mv=?EEIaxu?BDiD6i4cU$u}u5A9+ExokR
z`E|U{Z1!^_BV;rf^}F0G<0;pR1%%zD+R#{fVZ}SU^pZ3sp1G&<CA|Cm9B1C&`Nu2v
zTTRYDEF!o#hY`Z@;}$n>3b0<AHxTm^7IT=jSVPW$&F4c8Kis(o*&puo?h`|9Ux*S+
zA>L|<QIsVv(g7PEPLLz!P{`%v!F1q^82w8RJ=|&b>0Sn7U!(<pKmKp{JRX5bX~h-0
zl*qB8Yd6-4rgwB@(ZB8J+C}KGGcCG@bUN*8G{@BcrM_Ezr0dh2pXv0eex!=GKhl1*
z?Vs96#jh1v><p%9N$LLnRL@Pjx)=8@UfIzfrWK3cark@?J#e?$jC~T3uT$?r&)%)>
zM*B{xDeOuaegM7hq<Sm%i4|lgdg7#-Q!gG`JkZe}2Od$BJgMG{K0naai|!cc>cc+X
zqy>OgwZEg^2s9A3E7R=T*|i0GP)57)Td!W+*U?YYircr!n?3a4&aOW6aY(QSmLA*L
z)uq7pqOb1m60p<gfqh+@kYP_(2YPXLR~KRiyY^#y&<lfI+tK_Wpib}W+T6r{e6Z^f
zHYlT5?7o$J47MAk_H-GrdzbFn(>0D^yU-u@c9GaWpbt!SY(T{;yOikA{w^KF40ci2
zPV~~gu732MeO<lS$7CKyu>l!$0Q;!?Z8M_xckRP=pzHQ`?ZiHUfa50g*8N?NEdB9d
zSDO;qUs7H7wwF~u?rvIazuE%J((mz~<6m9s`9Agqe51N`E7m-kmXw;-?O5|bjec^p
zYnw)i|Fi}FBmN@(Q~Y;8uKzB+Thq`{npRm;X%)&=tW(ou{PX6z_cH$Tf9z@fHjaMg
zZSO+A^XhTn@`P*<{Vi<Go`9M28GM^oxfNS3RHM`>w_|6Eoh@n5j|yE^^mgD+w%~uj
ze*+c$A^sg$MW2M6XK*LT6R7j9*7kP!cTa0u8~pC<Zdb}*JC*IN@^7WGO`&Y*#1u*l
zes#+A>%gC1sUNJ$|AD_CH~&$5liZH34mn+|i940(<x#aBs?o^yAJAhjK(?3gpEa|g
zZ;f_oNO{?AC~hba7$_T^qENK9E|>X~+<U*pe}Vry{uKUQ{Oiz$C46r~1$4D`G=BHU
zO~GIf(9{r}%BF@;DwlrqV%PIHt*p%EuPRH)>G6DZyewTMNtD25lahgCN!WT*A`5}}
zf_%IuCAizei&Xl<ue{PVfGN)msB1eG;5HK_@o-;=Nkiy5Bg$86BsdHb5X4T2G|kd!
zN~t)kP{B=$PUt%g+$RvEEL^8aH{26h`F2ePY)TxMe@RNniV(W5Y(0!MGGHy>_JhkR
zaJ2v~C-4#+OwtnA#yPlJ#lty;@8HC2h9I)A+NuBNXuA?Rr=|1EJ?hhk7eu)KLP&5A
zfK0;Cfk~32L4a!maI{G>sf-{|842cMv2ax~1C5u@nB~HxlwWmtqKK;)_y@);k>*)J
ztGlA5uZ6*s7Dc7?j5e$myFTBwzw=hruT?j+f3n@x_Iz7X`67Nocd~T{_FPvB(~{He
zdfmX{5%jU+>YdnQ=*i=16C%btHZA%8RWpbw7dJ0ngARRFa}@h$bmI$}P3Xzjsa1$r
zRO`_3MfIW9S5s9)tA6onbb3*J1pCt3j2)=&g!*tRXe+eyZuQlOc%6DTTDV(HTvWNW
z78V8co!5iHQoml^hrW9o)MDT3)z?6ncINf!!`LHe;PvXQ==AH=hcHeiG+>`^g7(~|
z-jA`!bDR1~?BOQpEw`z6V+{J#ZR$PPL+C62(Y9sjziw0KFpNgY+o4LoyHh=YZn<5p
zMPI&MeMm)h^xF)IMH-#FL*0-1?oe;TK8MIV)DetCx8I>YhJ9B4Hh_M5huVY@=+K=|
zt<N+;&O3q0vxmDhD0hb%-&`!hNj_N~FXTtZGrJB{7Y}#zL!9oSUS_=!eg97N2JF*v
z&K>e+CEEN(sOS(n@<wRR($eG`)xX44hK~L*P~Y{Y`mW!lHlX(mbnQl8zDpf~YeOw9
zGx<f+*y2&dyr4ONeOd1OBg)0X;#KIx>(nInMR|xD!}wuLMCDu6B&yw}-iGeFRjo!(
z-m2bx=6DC_xXYNBpX_KKSZaSs{ihu&h3@_qyr#P!g!^xG<f2W{)e^=!PjnhpEwal*
zHdex|6p#;wl5gk0l@$XRp|f;~5X5AbM=xBVAr~srp#eDOx|6d5@&sQt=urc33x*(e
z9U9nGE{tZ9Wog${1G_@&sD*|PXPNr7t7PPCa4$7Pk#Mz(TWrG`)mv<X>M?v0JcNR1
z$ZToa6eO?^!o4s9#U&ZI^TTH-ibNmXp|LD)N8n0<%!%Mg^2|-`pTOgn)53;p>s(o{
zUX-k;75ML3@ZaHoT<STF{|rYjdDY7H#xkQjb5GZQ<KWm_(XR^p(H7W`JlfEzM=l(q
zy4>zp4N+}2=0o>%b)P9}9@H+IJfNZA5o2MnIP~aiH8-6Hhn^G>d&}95X<9vnAs)=q
z1drZyKAZ(x7SEv{-lDOu;X}~`FOcZS!WusO5DO+okw9+&_$r${4;>FT9zXoE1<md?
zYy^m_2WP<l{H-RuQ1Az){5Jb&pqMd_In2R$wIJq39U@r^q{h-FYmGLI2(}zpe4S2@
zkVuB-(qrkdXt@w#=~5t6D$Y%UmE6Q6<8f9frK0nrV#zf<Vqv(raoiD_94n7A=^&Nk
z4WpUiKtOVbePb?ma-{6_6lO9b3%RLa!cWfF?2}Vd3~#kg&6cvMKvELK%$&~~91dmb
zla@(a!egD9@wjtdFi+3W4qJ}T=EK2QH949x#(Z_V7&C~|5%&}k50TYC#5y}&$OWak
z!R4VH&M51hA#2W1V&2U~Cc@TfPsL%f$1~nh=K}4XoDpZhP;Qx-8F7mvW5rt8kqVA;
zRAfFGHyd-d7+nc^VusPGEkp`aBfeNM5awqIOMsd3+b4ulW;8fFoVM1+=Ii6q{8VZ*
zV~!I3U9Y`)jZ`fUIb4<HU~}Gx=!bioJ>2;rd+3F~(*zdg$C6_cVSkL7j3olKdcvQY
zv-755_wZEJ5a#BpzLaZRbmi;iilfeZDfdJs7NdPRvSb+}YR&*LpQ3zBrR*Qc6M4z*
zA!@O3$`%RcChe>vAC=N>@5DqpTui4TX7^-0JH{q+<~qs6M`I~du;N(=l%lM0!fNx?
zs=0WUDunCP74u}QU<&)#NX``_W7JGJW2t-DQYc=NrXnMxTX0JrX@qrVY?+eZOqp`_
zwAI72LDPhtijh<HT**8fb<-xt{B+Fhut?POJei&Ka}#1MHA3*=N+>YtE?8}onZSY|
zMk904RGd%M9F}<0U2%`{j_PEP9}SKc=uD>O4ULs%bN=a^x#%{JJ8R+Gq*RsYY{?v%
zcGV27QZ8&A59G#%Cs>{;M{`9om+(ejby&av$#U$98tegu3MZ-67or~ikVaY{gv699
zkjsqt$hy%LW2yPsswtHt!(_?op0cK?imjS3O&O<Bp7F83h*&OE!X*#kC1!%|$;m41
zmckXr9hN350dXXnnGQ?V;yh8d%oP3Xe8DSbCjBGhk>r#(<|)kD4RpQeDvCx^wQLVd
zwHmW9R&tM;j5%(?=p)Bdv3X<4YnmpEbH!P=WY5@~RIxs8g&Ur9Fc_`aTxP#{VrDFp
zB<-USdOG4sIHK9GzZOVlnbB~Zp#t+G(dcw(eBLn?v*c~Icv(zLre;PHxnX~BxLyZy
zZOY=RR=~Z?Po(Sy*c>JjrlO7GMy(!qX@oM*=3RF1K_@5t1-F6D&wy_%@6RMCqkVXC
z%sXXE&WuK8!<>J(Y^r3Y#$pwLwOUG1i@_Akj@sb5sMD69LUXSsEiCvW!LZ(t7REsK
zkn4u!;~&uk7igMdtl4Na74zGOQDe+2&NzHQv&B>o1*cPq^laEWp2$h2sAt0Eb-JQ#
zNE)_y#;eoQvknVqh!=uYQ<*Z9Avz`>&pM4`wsg@tGvPCi#3rb5em?3l&O|DHV})=|
z&!z${r^6;zW<xYw`nRORi3LwS=?WGic3Z{jn<&Oy)fw8tB@<*qu$z3uM9nv4t`CPt
z1Cuq;J<faUmXc{C>!S0aRI->f^A%$t7M@Q#C+n7KxLhEn*!sB59i5^w>A2aNi$$fn
zpR$C_COc`Z#q*|MaDvN_wNPPV!eJ;olM8X0mxP)xT@Q>3@mP_rj%KpiDbTBlL@bu^
zh12OO0S-daI_;FQ){1$2RK5crn;Q)qrnA$cDQlniM^cj++GZaqRYR3<Wh8B|hF(=#
zD2ijnb6$xaaow<-`j{rPP_~T?&wEp&&NNfu<I|<-U~J6mfC(J%C4E`<jC*>xTFR&W
zlf%J8ZItwR1$)&oof$4r!<3btam7<P(@ZQ^mb{74M5HvFiA+wKy)G%{@{#kE`C82s
zmCV+NZ)R$$I!P7W;n{gpC1H%m%N}BEIKAMTwz0J`6&RVU%-T%ju}CW7Hkl)&FltE^
zM?3}a(Q%gW{Jh;x3zWw!<am2ka7+a3Y%NlrNv1L(KUXyd=OXp-(QqOjEer?jVY^^r
z>UG!H^z3AQHW?2WJh|z}Y&2x3=CdQBKNqdUbCVOZe1uu3MRJv4YQi<b1XHOwYuY(Q
zO_~D6)C4`j)R@pnrWCByBMAd(veojVlbJcElO}3n&`<m9Tsg;1gNHruG)s};xqycv
z9ga!f9d|OXGAz98qUTxibvG(BEeAIoxD93Q)i@SPrC5P43Z`Us+*V4BdPgg^csibk
z7#+W3qDWINGAPW~GD2}~o~b152{J_!6z!jpgm`gs+y?;|uJKGYM5J9|YiVNIk>O|E
zsf>>#i{sXL2rH=aURN?PM!Tnsqo#4+1X;G4W6ppqVU=+=xgbt^$443WNPTvepP4Ys
zo83fae7rbc8VSu;iG*0QyJj;Z*@^Uch@U37be#9FwbHnov3uM>+dO47O+fexm8;G{
zNI*GHRXye8Y@Hf)5i<^9*5{t6h_1k>%{fZV1|4aC29`YwJr?1rxoOtP%q<vGL6<Q;
z6`D@XlVLMN_1FXabS?qMQzAYyQMU>%N4c1-XQnFl3}ekr8ih)*P?*b^ExvLsX0e2f
zgn4elF*iF2PAHSJQcG6?(Ujp;2Z0r7*s@<tWnF#0#=k)GR$Ab4S&EQ^sZywx86G2q
zXe?UDds(y1EsfVBl+9Fj6<OLCGN)p*Ga>7EF>4#+3$|#2h>x1mQl6Wfi6)1Wfx@uK
zXB3GT=bI30ett5aWZ8TyZ77bLc?0jrPmE<GBjKH<tu{||Y%DHu3n6=)P7aS(Y;$D_
z0)6O_>8LF{8FbP`K}^q^sL22|m#o!mGp0B@GRHIN{QOLC+G&#}$$1EYm~)ma?y0$n
z1mUgG<5QstwptBD4USZPIyfF8nYb7(6BWD2*c}#Y&PgRRGu~KL@Me7z@o_3IEzFby
zx#(QM$&I*1%BA#d&Q8{{iAZQP$+!cP`I$&~&Y!Zxvzf7?AvWtQ)nop&ZDMXZ!On(8
z>yZLG=c$_KT=j{FUEsvY=wvBn%fz@>9TtkD1)7i#3@ZG-7JRAm0nLBz_|W$?$HLmS
z`&u?)ceJ$GmETk5@Di@j{<rp|c8})m>P2;b*9W?Gc7D3!R~=IOPumyTzN<K`*apP^
z-r`>zUW|71Ct1bf&ExruRFh2)rEv%?S;QB^Xl7Km6D4lcZNt8gx<_?`=v_DJ2rPu2
zyiqrdy&!{b!h$l@5$t>Nx83Ngqq-p_<P9|Q&IKXwcbllCAfR5yF8a|=gE|)b4#M{9
zHzDnfI^EJU&uZdWYiaQqdgyx^1M)Azp<nre<}kMUNP85!7QOcc%^vLWronLGxO$%w
zx`JpJGVsTS0~TY*G7vJF7Oz<Jp)Y?`BVgZdlHQf;=t9MBXnGO-H4TS((Ztu_p!_XF
zBy^k5y<gMpX{|4M(1*VcB|hH-zW8+wqjGojTXrfI52I(ls@aJ~zM)ZL&o$A&>l$nX
z-S-X6PVAe_hWzp?nvSJkeM56QhPlw(bDF)_H=2ci;yKMh%!yuj4rsrQu;(>5U=B3;
zyvBh2D|+R5&1UqW=QTr^9ew?IsMFVE&@s%0j(rQrzlu`d()<>)qUg6ZB=(gizxRGy
zW5z7V{T)p|`op(1z1Xwp#qWZdX3uvt`!KT%KY%^c1fBejW<NHJKJ^{o^%T1PdqDN;
z?`WRFOz899g)*O%sZ5v=QQw0+{~{BNo*B^I{l-BS-f5sA!V=y(q2Yxao`)B17$IdK
zSa?wf;$b;B^P!LbgZ9WEnaxn592^2BGYI5jAh1Dz=Ul)&4&k<N*&bf{NF)8d+Mz)L
zmUqzY1O#Zv0atR^mOw)Y3<Jk%LV&|JpG_g@UM)8$rCB0N2oU%S$9LI)0HG)8WYPfo
z2wn?;w>`)VjUK*NYZ;`-G%aP|MGN>1Pv{5|yvC8`8?Svxgun?IcyR{pzfXJhAk-N=
z`4Ha=+`uRSCPc6ZW<&#@VK_Q1q$qgz0=?lr?e0McdCl_hz>h&--~kdwgePnuIE*!L
zM1~_E20(--LD19pLE9xV3(wQQ{tu!T!IlS4h=4T^UN;d*FfhWKL$sJ?(Bb>F8wUAQ
z7A$>f$pE3m&|(ULivb6fB{C@pErd8UfkL_awZ=gR0%0T$VmC#2XheQ=26)1wCWaJ5
z9uN?{1V+a+dg^}d{=qCwuwXQVcRygHpcm5+#|r@-1~LT^74YDXKqoo0`Ly;Ry!*ta
zS%|+jKo~Q`9c7a6GEx#Eensf{ESMZ=E=i!=X=pnIu|Ciuhz*8-G#H~4)PsPC2Y5nB
z;vt|<4$MZUPiqZ>61<lKF~EcYUKWAyAQ~cr#3VfVBSKt|m?Wem97WDNpk=+7a*2CI
zD|N%~cjLNm9>tWX?A5*L%uTv)?zjOg2NILY!XT$oP%}CSn+1pug=q)j6%xc+2z*9y
zGn_)@r?57({GbKDPWQMD(_W?S?K<B1wN6&`mUgo3D{Z+pjq(%9VCxTBBZ`k>Z^JA=
znmE;S(_ZCb>*6?i{Jr==>~~G^>3kn<#&XE>K72R!TQvJV{OA>9?frW;C<+Y)Sb~Ll
zRE}r@bDjLT<u~Y=_u=H06Pp&Z9sL_NC~oa(M8(Ls2L9JeUZ1WFQ%N2DLA_#8dRsuZ
z4aN89HEreOSj)?2W!A4tU>Wq^ew_h(34JU8s?-(G@v3x3zX+MOL#C|_`WI!S6HB4r
z1wi$t!a6-V5Y!#m6<JKS_aD?Nnpzq-kIMfip~_HCxu9PnQ%EPmqZqFV>2_ehK<^Ie
zuEs{ub0OUz_H*=qLZGm3M8>dgC-yVBh#lymxUL=D9@cH%a6?DGUaz=gccWdvOJ?`e
zr88ljN1?jDqu(tmz_fT@44RdX={iw4uIopiOXyUHPw1|YVLWyn`cO<~!hS4k$2~|F
z2mPKv#;3YBqR+*2S~M1iTKuSqgwI-ZY*g2co{sBwVR7_wTz4(@A2KqajX{5iiZ>)1
zRY5&5-A45H30*(-!={ei8q;YI*ljInhrV~$lKnbe3d5r4AFkKA(EX!OqmN8==uku3
zpS)2A#?9+>8{~#|Bj2b_he9{#wqp^Qd?)(J4S@R7UVRt(`Sm(A_Jig)oy!V%A9gt_
z;0<qkw!3|){qyQ?;=3+Ao0ncWseAF6h9RqYGzT+22#m;m=qByJnd3Oty@b6VqI(7*
z1Ph+0k{_sIQlL$FP!=g7orGvrcs)oIKtXdUG;<n%?e%h?P?MK@zlnvdn=C9n7;3@m
z+8Z=K(9|`p>UXGHJ74Uysy@~6`}VDEr`rxIA5jK@<Tou=AYSvcIIuY1(eD)(4=mm+
zkKt}K|4jEF1}*@3wS3<_xK;*eoBc{W)7`CK*)-G}Hg1^#`sSnEW~^f+j}@z<o4?pC
zV(pEQTzcw@-C0HJ<YEosZ^1XA<BxXh(OqxFRp`uHa6P*J(e6EfoRg6UL1CPJ3%(Ua
z-h%Ii2Vq|O7Muj<D}dZs1^u75;QKK}WAIKL#ns6ARuJnlnvj2C==~?L&FGFds`o8D
z{Z_n+sY)IFH}HzZ64JdL7{2m$XiDKdSR1M%d?VJfY6_f2codsO9dF04R<yj*Yz4r;
zrvG;QkZJ}*9oV>5v1!btr{9jN6)k^SA>Z8WqwgYod)t8%-HSzZ?K^Nz(ei(qv-$3K
z;E%#PIe~ZLG`iv4cxQ9=zWbfH6U(C?zY{-zo_aU*$fkGU0yd5O@4^k(A5hP`@XhG$
z@4|<$DfHO8phy0@S#8LsM!I+71K1=w{BHa(_FqlX@pnQa8?ydJ899OOeK)=n`~A|>
z@5cWd!`7)rQ*$;yfPZ7hWlg~|&*JAUS~TqB%_(^1CGcNf7KgWV@7da?Q)pk(eoy<P
z_A}a#Xy2y2RXeM_N$b&GqrDQ$+&|MSbZ={G!BjiDnkN$Z5s~h#4M^)M$d(2~y9%<o
z0nx33Y-&K-S3&w4khWEjjSYx;6=Y#U19a~8I^W&bfSh}sf$!D>q;u!0tApLW4VrTo
z5&7<(2ISmrZoa#_0a2YR49D9bQhw(-z<{o80UB>y)r@6<XNL%mA{lx>D|0cfYWgw-
zGX&mFhGqve4T@FuJx3vcJ)UC*)D4PN%|1u50BVI6sR4Mo5{g+h3g<{T3OqK{Kxczu
zRY#qpV8H-Ja|5ad#i|CMqo4(z6xe}|2F0q599Vv=g&BhPd1#IsXm60L8pdTN^bieu
zG@2S{Yf!8j)^ijDyaq+_1Ih-)s<Bw6poZY+3&x>=)&>PkF^E@fK3#K;1R~ry=y*kg
zWYrL#qmV;+8DR$|52ta}aIPq8@JtZ|EuZGL;n&H2`j3Lc9f7+&2|l3rfcLx(K?@~_
zA$apvi17R%{v`f-2)?`yg6bCV&){#wKZ%dw_se(CHjKb^pl5Y~hF5=^oVIS2Q|%Tx
z)oqs3_J+^DtzZ7E-YBP?8{|~eC#M~HIaTz^sj^2-RgLhxrTcbte^<M}Z_~BzJa?g!
z-@5kembG6uul>4d?brUbUpKD(x?%0tzQ)&uhUrw6di`2-@7k|DYrl4{{krxQofX^o
zvJ9<#MP~&q3($frL2IAUS%q(k&)QdXR-v1sv-TC8Rp_SNtbIji6}llb3*6dgbXMV;
zBD3}tomJ?jxU79eX9c}1D{EiTS%q#2O4}6+tKVf>!7q!++E;W|p_?MI_7$B~=%#$E
zby2QDuab_dwYC=BApQgG%lPNDG5mcx1%8Y6-S`dKH{#c5zmIR#>2-h5KBRkIYtwy7
zd!G(zpV3vd<GQeRUdO=t(V<=FR$@D`ReEb%1F&lG*xCTBQlMKJfK@toa|5tS<!ovI
zR%w|224Ix}-PiztGF;Ig8yb*RTDY$PSf%Uq4Ztde(%S&6Qd2z*z$yjWjVn7>OK0;n
zoK;m{(Vr`Gz40>2s@5)Rt>xuH+aOp~&vOK4r+b57Ra?&yoSpCug0o#NzpAk^w9L@i
zIp3hT$WqbSAXwGVb7h>J_6>qnop+Al?8I*nv{UC4$TG#s+;32<8pLx1XJ>zdU{&`o
z6Rb@C2EnSSbdKPx01POv#f;dhAw5TNRtDBSjkD5IvKwDsBF-G^{yY3SliTLu+yNpX
zgkk}=(<*xWCYzbCG9lK%nkj#X^$8}?o^U#2QDfBX<b0k0ZAv5pz6jw9hv{>JwQ^v9
z!v{RZD-uhuc)K6LkNu@3d{X_&j-^-Lr^C9>+|xadU)IZuOLx7myEO2&ZZ({tAgB|+
zy6Yf>Gu_<MbrKJD&Z@qk+R%25@-ZdX`o7j4#VLgvo7W9#r#1JgY26bozXigxKZ{3B
zs8Dfx?>01aMepv`>Ip5%Z|Nnlt;qO{auZsTKWorWw)8UCmL}+3`Mz%S@PNJ@xwiHW
zv}#YZqvyWREu!`>cke*Nqus1}QF)>bA}0^Zk&`ccp?d>*(_`IT=!VC-yV1L3BKS(e
z>Exlux@olQ2>^6I-hBwpCPyCc7O<Y?F<{4+yW3Ix@oo)z|Kr_P!cpa49`C*y>s~>c
z;Fto%ZbP?xxqCZ?ufW@7z}Z9A1CMvB(fwESYSag2PqcLOvrr?vStH#O-F=vDRW9Qb
z-Fp;^3n=$Q_d!hCJZQKd?e1Lq$0xe)R45j2k&kpX^xkK>_oDls>b_R7_*(R<r@HNE
z>lXoX{nOpY6pODx?|r)4g>^RBHcou_Gu`G+-RYK0NB;%7wpY1$fivH*@<ioC7y8ew
zz5B3D=s|1iM)d8iy`AXUo%)|5kEyjAUewgHN*K9LdE|DWYai*}gfx#p_f9|7?9C43
z>+SW)B<BYAAbMHG!Z2?|{a@(5R@Kqbe*}7DN3%y}zW_`sj|0U=ztDY9HW0%Uc&fW!
zx!86>jq+Q2SvV6m=EUc=_VUWhKIJaG42RzCr9Zvct=zu${La&0LR{+8_KaeUz?GGQ
zJx>zM(yh9lo3OPR;O4NvFZ~|x`Ha_h?({C-PL(;WT`*V6s?3jByI`(HH`t!JspqXn
zuUgM_E;(Kv&yTh4Z^MjRu?y=0nLk*&dR9MhD%&R-)&1}H^}H7sU!Czjh^^XsZjZRS
zVhz5}p6==2ye4~t@7a3&T`O^>yA>mBx&vV6`*2H}L4&F90?)<WU7F5`4zB(2_M6(<
z@V~`L<%g86){iKDj&ZtA=?(+wxgQweogMwd`xFpN{lcJrK(_DbAUyB*Ui~(7V4uEE
zxu`y|3)%PTd5Gf!Xi)h&^284G{676YY-kDm5qCiNqj=&9boT*0gM5eeBzoY0z8Bqm
zSieX9)Pbr!y_>P^=$;;!Mu(aw?>`#!k*(XnI@f>JIyXL@9Fs<i$yq6127?Itg*;Oq
z+upkul+pb|`ok!&qjv+^-_zTVIuGmjD;Gm2bO>$kb)hS^^`5n1%|EH^LNGyl&_kPh
zH=+YudQF3|6PwnRlFX+eM6@tlY7~m?J4LGWsC@^N)sGB2diP*^8<6ad-XUxwdg~4l
z#XSwkvpaf;ZMPC9Hgxp&_bYBc(y+KSm^3*JE`6@IcdJ6x2L?ds&>+J4d-ce(u~&;;
z>4Q&u`+EmhzP6!HzZ369H}>~-pwSJzn^pRb{-cm<cQe<QH}tB}dpGpzAmkhD7n{(R
zHuQ2>FZ!Pi(2F~pAm_$jQPl&nk&sQ_%=X@my&E9tyOHC`jlBlYnt#~XdkBKQ8v*0j
zz=OG<Fbn<ArtJvq8Jm_)_xJug)&mowy`%q9lYs@+qx<v(b{O5WPj6|>pV)#J7!K?}
zqkoEr^$aMAzdx+siS2JdzI9lC<v%K0|L5?Bx?2a{R_s+{cP?p)z3rIh^aEe0-@FUL
zJ0VIDopf(HhHjkc4Qe-Qdf-wmwgaPgwzQ##W_t7OEiHF_;I;>sh}qujG39K?{`sYQ
zO1&bcjQ{YtcP~9v?j6OH@|*gIsP>NZjj4L&{97Ua;=#5PM_N>{R`}<7kD+I)y%pef
z=hncNmK<}vJ20hmX2V;TrfR)lW*`3eCkso*>%CD-DZhY^zCGVN(tAWH*QHbDHL7f|
zLchGb*NEnC?)50se{;`g(bG5gzDu8Om5c1`my0x<r6W&nG@^fcO>aqc^xt1d%k4x1
zuj#ccExfjOBc{CSgFpJ-(mQVH-Gp5yKW)F<4P;7`;A$p#HsmLuZ(W2xd4b(hgJf<B
zlF}$7)9}YEu$&E&)HRS?M?w<X1BqudByMf<0em2D!HzF!j`yZ<Yz!4o_Byca(q~Tg
z`ftJ(mNYN*j^dbvre5iFfqi}Z%f0qb>i>T0<hMR}?IxnLWxE1G;Z>?Bh#)PMNxtPC
zT};LtJ|Dxi+}*?sosVH#-qgex&c`q<cQ!Dndz-#LC$l|xJ_*rsn@n<~|H{smt*fgd
zw%po8z<v5P2%+Uf6S4n11mAMJfj}p>={IZzo*VZ91sv8_n#aDTN$~JC{l;x_p@UGJ
z)dVD2Yf`+t%wpGhEa*y;VCQ!IhU<WZexS2uLz6{uwvZXu%8l8uqqAl6YQ9ad{)#oU
zk_Kq6*|7aQ+9nvidAq)ELB?-A4}X1UBiokqz)@8Ly!kwEphE`hH?5Rh<%S4*djr^i
z4hW|nTNAkP9FSQUA}melhI3GQh&Uz#uh#di0Oh71Yydat&#OQays>wsAHgFu2CM9q
zO&&cfJgU?XvA+rIJ`2>SR5IsXZE|tw^cDII&?8stb!+nMXka&Mo8>B(r}7phWFp}I
zRU0(tRjFS_UA0lYQYDDyO~QlO-K{cQ-?hSCF1!ic*x4jrfVl*J9)?b_0^XqBs9NE2
zwqZ@UzGH<8G>p<VS+}nSl4pT!tAWH>pmGH$S3;#|G^Dlj+O_kl3GY?N#GUdymx&v#
z>%-(mH(*WCZa~iv`bQ48LL-;HII4g54*3&GFX-Phq}3H#^ev_q?Z0YX(R8Yj`cUVG
zJ9|~fJO0oy+?G~8ploe*Dy%JkY%zg%@wPV``_zl<3A&^Ix}%E4>(C=o-wu=*>)Qv8
z^o9q-kcD%@$Hw|h7=?a0)^`-V>5WJRfa55X>-!<>EuJ`_PoTS}`p&NAr+?nofliP2
zy$LoWPhY8bVaL!j2VqNb^q}6Rf(rp*aItyOR}R27<zol+gAn!r=uF2DT<ro3diH>R
zJBl9C?}Z46Mn3qAqk*YD1~Z`WRG)|)Svon@_xG6U5afW%1(WEe0sSs?W4><-x^Jg`
zxfZ+iYIJNT9C+TB?;F7mqF?0uI5f0dzoiNN?3P{~@)i1a!nKU}fc`4%Ds*_ae)CEe
zjeJ@<h#f#bAJAV7Hwl)JN3s3r_)fh66PE7ZsSjh=KBU~OzY^|g0L4+bKvs~yam`ix
z^lm)`*T(*Bw|+NV(E$3*Xvd)bQ*d4Exk0@Xu46RTcG(a2w!Qj|D7Hr*f_r24?Sbl0
zD;qg2dVfIIhMo?93-j8qX}VBtkAC|$`41xX!^I8QLC~v%Sr+{#So9gGFNpqTyl-RE
zJqUx9g!>>TvwdcWnOG?kH3qkJtj_@U@|KppxJh1qPQvn|f4yd*FkveAr(;tVOD;z;
zzU*|S7MP`iTrwT;2eQ>_aCEYq93HEhEg56jVM{nBM~BI%KQTw<%i>6N*grY#D@zmR
zQaLu0HC6qyr9#d$TdM?wVS6n&ONR?)4?pgmv#@N8%+y=~6T~Gj!$DG*vC^iog?i9F
zpSQb2aVn9T2xQHHOh|AzY!EeB8}Ue<7#;Ha0`vB%>O_RJ^RrCOC6<cgF)lYZMFuSS
zOg>R3k}<=$DViEH<|7$4oHKe&!-fnumJR1QrtD3HSjHHyl?_rXl@OWX;Z$`dWASsw
z>2Nw3b*7}^j7j3BjlPK6;?6`kc!`2@Oiwe@?6hs9n0MF=^`hD9@DrX486Nhea>N+r
zqjLsNaV%N#XDNutG*~RQqKk+p?9rJ}plY^Gp!Z}qfkXao{SKXjiI^?4cOp!9CyaHp
z_{)tu7Bc=^$~G}IW-->8(fQ$g%?EMEo<Mrsp72<>nR0N}kqXo@%y6vE)iRmtjL943
zM1Lh)XXnM~l9#qe1M|~VO~_|+R{vb85-JiUQ#FwTM*>%$v_{NM-d>xw6QgdUW4@N2
zcZQ5vi*+(SYb!>C`2{Hz9WfBj#FVo(?XNPU!$g>}WX!%w#9W9Q!n3(t%5RAW=F2cs
z?vnqO&l?Sp+<p*}H^7v{ZrcaR>*bBj>joh?u^W=t?1bdz9gxgl0ZDy3B(-gjRJKA=
z-U3Nc-UUtdw~V!5lN;gV=mtn`)I)MZFC^E)HWy2DLlVa!iRmDTg5wtpY9I;7e@(~_
zt_92oFM?rScuNBt>43xq+eXYO@5UT(G{)?$kl0|Sg;~Kft^eXPN5TSc9C4ZAp5c(6
z4B3f;SbGb`8afqcpFKIY{KAF&mJtMUk|ImmSl;F5oObV-V&AuS>^Yx>Lf>lWTt|9O
z-<!AnRigeXQ5Tb_M2&~2(WqbxxcsiEEWuR56kL#)G|VQMI$7n0b6FczWv!0vY}juv
zB}0<8Yzv0OVsvy&NEXLZR+m_um}0WUS?f%4*y8YyvZiW`cTNW4S)r28)vZQ%-WSS<
zb3XrYLUj8g_Tr4WJ|~n}^9)}eHjYrkGr@o~T(+3~$+>)N#6M;#6^*vg)EGZf3zuRe
z^<3JP2#*fWyXKZ&I^Fkyzb+I1yUWBweHUIP^5Y{}XN1dAVJbEjv^poJN5T`u8k?<o
zW`a>ylCMukV~P1hAYKw}HDN?B_#?yQ^hhEKkC+uLf+Lie%M??tqIs$!veA%ehzMg$
z-d#41<)<p{nllE|D=tm)$uu=TP84mE!&b5o$k0|pz%x}_nD>T#h5GPVaKuF?CNg8C
zXwGVbM*z#l%6zdzvBYekHk%2>CTHT~siNOqaYn2n7af<TJkH|qOvE4<jg#|~yFAT}
zyGrn5u+)o@f`Oc~jfCbzx0LhRc;o2Qu!(mEEM9lGZk<oXL$%<{WR@zHqV|MDc`KQk
z$2Mn#ha<96uIZxahU-0*s>w9to3f9Mvk=ekoy<lPmVnb}n5|lKX(kj*xxHgEli@PF
z^p%N6E!=csIB&|;LK8908m%q8_;BCf{&i0O@6PF`Uu8~9v%a{kTpab9Ec9d|HXAB3
z0W(!{dSVkMa)PlZsxzt4vaJxD4+m2Mk#yOE!JGju6tD$*G|ZACB_Whxt)|H23~YV!
z6UI?-HtP0`RqK>xIu_50lSzIyW;EA9^-TxOl|-=Sia3dUA<T~Z9FYa<++?^o@A4E2
z!<o4%HDjL@g`m$VxyvIq!WFj#$3k%BfzMBnc_NjK*`-7<#)jbT)<`K79xEmawRD!^
ztj4+goX^2fQQA2vS$(;QfYV1#^3x@=!#OfWWNB9^oN~?P3b2W@kCSs2crG(C!TMwA
zKy1u7ZZXVI?p%QjjMnG8MloKfI5I-W%@o};(-ZmJ++@Nroyt`5Go^`q+7byA?Q^4L
zr`MlhXGZDS2|tA32NDU!>B~<L`D&Vv`j=jM=C6wSe|tawy;qsk;VFlmw#Mh&q$wHn
zh2o`=xzHRtk#}V?wJC3Q#*j8ll~ZYF#y%2oj(IC-(jn$KX_l8JbG#+SP5AkgkY`JE
zpJ&RNGINH|Ov2~mgC%d+nj1Ifia|aXi;RjBfs{W2)76;eghI3?kz-X4C)gGyBtAJU
z8YhKZCGQyb_^bBG^l-S&m&t;$7;w~lge&BrXPiO4I37;fEos|Kddxppch#b$`n+w#
zRH2x7aMU>hkJXNYDos{AcE2I*%EkjGZvw7RSY~oj=Xl1Hue*Iy95qh4*+e)sF&y{h
z#!UVgOy98>$0mhXHWUd;fiVMId`+8bj(JZxWi|!P!;_4|n621LWk)IKsd2-}nM|3Z
z9Uy20B5zHl9CK3<X)>SZ)3I=L&K1g3=KK^)>KFbxssFbp^{-xKQoCajf1)x9E}u%d
zQji=o6`nE9azbdDNcgQu-Zx+M223;FT!=7xQ?cQ4y~;)Ewt~SkXHLN%BpvZ45^i?b
z$K<DkG2RvMB$;X<H9Z+gy6e{L)SSx?moDwr$(bo>J~x~zm8;p|svqtsmuItv;rIeq
zvQCFGg=}%GQm#!V?c*VL39ftxLXLWxPtnn6&J|>>t`bLk&4DN<neAf%E??$K&fL5~
zEXGG5u6SlrG#AXiTxHyvov4^c(ymm&E7UxcIL8~DxzUM2xo#=UWun5kR7;Lprk%4v
zq8jmsChF1oVab#qb=T>-BUE+r96e!-_$z*AIXpdO4v>*Voyt3;=oC4fDOx6kXoz%j
zxhUrf)u@2mSE>exq=la_8sdyZX6gp3*_;`VNX*iUFaCA+@&9U0$7)$uCN-BO3-!Q^
zeIgppvlC;fabeCM9<>KX%+#!xFnaj;f?>*MWJ;nRUfZ<Ju_cGk%y{61Q7#kZrI|!-
zX3A?XROUyECSQ`bO&KT3BuUK|#-~H%2pJ2e%|%OaJ~%RCPLD_xxXbMd@QG^Gu;7g5
zGlmhL&lyjen9*`|vcQo1L?t#e<8>M=_5?R(E{sMatf?~ZA?kt22u+q;Q)IPJ$_5jB
ze#}~(8DRrf&dn5x6(I|k#Jwq@$i}Ue{Kyo%5nvyyWN25lU}9%VnY<@!^7Hjs2OEzv
zGb0neLd@yNS-Cj;ac+~#l#AA4_2_8EQVdUIUABycbbw_`8h85=)^TH@keN0ZO1#HX
z2u$bZ@=22=Z;z+azFfvA`Kn@iB9j?)6xndyJvIl5`jx*b>i<`hI>Zi-7aZAnk(njD
z-b^uLvpZ))E-vhzGqP}1I0SEWSi>a)Jz<MlBPLpysykDmDNo&K@Uo`5Av8apn|3p9
zhbJ)Ssnq-)ceUm$i?&qNk}byVmT}i`%;{#LQJ;I<5KnQ_vsuAh^~FQ;#(LFiTF8j*
zc_}={O>v~nUnq}SO6iGt*ns<^c3U+|#mn{okG(e!lccKBhpW1>yQ{mayV<I;*c)h|
zx9E<@*jYRGJ#vf4h)9+s*4+0sQlS6^QACt-3=~HNg%Lpn7gA7A5Jyo&P;r9+g>lqz
z0TeeB{GBXloSzPl{XNgu-}g`VACPt9#*G^hH}1XXocFx1Bs4O7tPsN7?hu~Vb&HLX
z9(3eUL*4+6M!YoN)n%793j0!qk}IMf&Ip+n?n&jSdWLmL4WaIH1%{qv!;rj0wLgMH
z+Z5%C$t}4?O2rBtXeV7TLZxgr1{A&#gNh{m<%rhlx&_W{s0=Ye^0?(=EFci+rFvYv
z)|T2?4tJwjr6KB_q&Nfth*BuuYyw9*7EP3OCS^ajdH&c#%NusAKW^RnwLe{R;p&oO
z*Q$r?;|`gB;b4G#B|tv+KLh0U7q4E}Yrk~-{JLZAnF7e_jtx(*zi{2%v)8UgSKsfj
zW;Ra$YU-Y;0_3py?b??4pE(|J9=2mFpD=&y^vqq~d|+&yIA5H0+_U<g(D)}O&HI7)
z>;~=4<J~9Em!};UpVj=%`2DBM>(jH6_|(poko~VunTMRwZS#*g5^p&AQ{z*%&u^M`
zoN&d_*qGTde;Azp=(k?Bxt;UZZS)_q0$VtF0u@+o|9<EE`@m=X^Ed4Hiv8|g^Ve-E
zZ(czqOi&G%Agk>&k@<V!`0d|1Rk8ny%wKo7xoPG2k(1-Eq84oI?Ep3S_3rsDc%+yA
z^wuA)^eDA^-ar1tp82N_dKV6?cj2u0|J`FI=Q`3*OAaHLF)@0YVcr_i$pT9bYrRk_
z5)C%n-WnwI=98mX#7$8`)f*wRVy`4tEIn071f;Y_^t*%Jq%5~I@5r6dx`db1Bi^<)
zGCG|=Nlq7{LcZ7HRl&${akihx_<5W#8Y8?>UW&O}fl8y~b@eL|%xt*hHI2v&Q+#un
zA9OXDK_Z+tQ1=G0QZmBT0>D3l=CP5bhv^PymiTJ9neMa-MpW(6#U3<O?quXl5Xb;>
zeY4-H${s1wXWZVh(xL^`G%U)EigHp;^vmg5f=EiT7--ZZ^&lP%_0y?rI$OX>J)KoD
ze$kL|u@75`SUQe$IXoejn<-T8VWNuTl6N5XhXXDUuL;dM-psh$v@hpRM&KVt27BNJ
zK70P48~6Z63tw+gN7_+*=#wGAyUq7>s--2RP9>D8RVx)UAU6H}fYyn`eaToRUqB(a
zNsmTY7y^L3MuW_`@@Uo9Hp-S3Y@&r4qJ(2TF6$ebL{v`(0|wjg1ry~?xHA&n{dlV9
zuk_=Y7;3naiBcd%rCq+INR$w&frPGj!mVPO^T)DkMp3glZ!qfBgMw9VHr&ZPPy3>o
zYy*fo5Ke38;cVCpltc}an?zJgws{43{=?~NGZhVqgkj3PjNh9d4*k7BzJ^!gRDqPL
zYS4=Tu~oCwGJ>@b*9@_IR}p(er4|<xXe><iDZW^ZDcG<OOV`uQ1Za}b%_iqEDpj;>
zA|s?q!Hp)eMm5G0gJNGO_v(1qV^u}bubN$*O}V_;TD%QZV#V>ZiTQ(W-~&9SU(dO~
z*9{sRyU~0GMFphaR=H6l*)Dk6q85y?Kwy<b<9M-9=+p*$NA0x={$dhsdg_QE^a_D!
zwWj3J%%~5Lf}$_YXhpAps%R%|NmQxnr&Dc9P^zvl;;%Lf?qQ|S?iEH}q}|O03rSKP
z4VUr}fGY5{WI71KN|?##6G#vXxraeBMWYcipW<~~k~9G?b$sn+JL0Nf@LjO&z%XIp
zEN^8-Xr<|ol{$39V+^C=f=c@>C7q~pR6%bNAf}T5hLxhk4kOX5(u{Y=vbSBY7lRFd
z1}R6S0TU&KN;?#wnC!^MR+&<>?Dm^2EtClMGn|RKU4o|rOjf*9iw8&{;^UK1xz%QS
zCTF!`vej#`db3n68bXIJb(<B=FLOD*Fn%t7aH2lYhFJY|b{~>uqLnzpHz5oWH*~ZR
zALU|IR+WQDUSX7+9t7?jqQa)kk&ahAZq`qvyK=G?==!7Hc*v(Db2%X<0?!{XK8E-(
zHVTx;NTG{#da4nr@cD2O3kiH9gqdu=X1M%evEYw4@z$`(4#SP5a2v_Sl0G0X%jJP7
zNfIlxmGUPIrPm2pOP!(**Cil_%PG-b8e)nD=86{x22iBgm`5J9D+z(jnXy5jI|Rk8
zA>P&!p<GHyN}j|3Pr2ghVS-`3nY7aI)|Fwqm@zwTJa2-Iqe@uA%0QxmG!Q>|Ro*L(
z+U7`<qos}~TF6!fvDG%nPAW?Iyeb<FQ)MiQyFIyZn<Dd#P`u3+206XLyXkfzoXU37
zJXH|VGGTTDBO&1)Ki4=os1Nj@zUXxZbxxLJN<6Q62HuPgL~;GHOyyd2JyLN;gSCcS
zFqt&pir^_FP&P~1h*3{gNh;Fy#R|0L3lD%sN{$SYy>c(_l8FpRi6OOW!_70%CZ6o@
zLEX#Mi%ih;>M<hdrKy}Z<nqEWsIpO42IH3U;aoWce5M5&+*NWi<}D<919vwl^oc-#
zDq!9q(vAwIl1P?DRG04t>priJDi)LPr}|M}uLzt}iEcUF>17GktpZ8{jns?DM97TP
zqt$E!2)JGSYAl{`slf@~UIAzXa{*xp)3IV@Bq>y|fCti&LKT;55Y4nzoG!=H(Q>j{
zNdzcTXQCA=5=06?ED%Xkxl$E)QsY8N@(;-Xs<%S!R@lvy{5>m3#_IlfZWL_C;$^8|
zKesf$aLlPwo8GpuKgX>9-n!4vUcL6z)t_^;XXaLgr%#=F6b$80*k8YR{)diJ(O=&?
zzWI`geS7k|4|&`8bC=E^K0Wu2FFf+nK5)8y^*vyFANA(>mmF6w;qSJOzHI)wBT6T%
z*sUk5*tM@f->2=?W%GOO^_S0Ej^<S#J;Q$M<xtVsvQqICSpL3>PhAcbhi{qh&7S}H
zkNj-KzJ2_1u(;2-V*W>tYkVc#-tyM@>keByZpF5qTx9B1c>SYq0o!=f+vc}B#OHtZ
z;P}k9&7U{zNbOD3#~-+I{<LYw@t1BmWBkP1=OH!Vn0xfc#%I4{{-o)-KRYTvf9-ab
zw#@Gx-*)x9Z+iCR^E@VzIQMrp`Vl9$9J&LY-SLL=pF7=p^Us$rzC!{gARYWWKvO;u
zQ3cK*5c6a}lnennAPP9sRR+i)m;VB1t<mHMW}m<CR=au&v~%ev(OF9S&F!(1FaN#$
z=k7eWJo_nh_SFA+*Uj`3#^v_)pN5imK*{VAUmDI8eUC4n{R3|Kh)<)l$Zw}E-OJ-Y
zw=d{JmG?o(#O1L2`7hjJU&JqP%UeE!&Yt-F@K*Gzrm=kb54m%99X&fGOhLx{lnNA7
zng$Y_I0KYQ1fx+v*aVF3pkGPD|1q4V^j$~otF2(>M2t~KFarm2DFa056omzzBjBq7
zx)ci7n8@W-ccQb*%`;{q<G9~`NSKGqE$(YTXBZ8LkAN(m0-ksRChCbw8;hVU&{nHD
ztCMg!=f2vQ0t8VstpS^q3jA0qP+Ti2T#hveQ=?4=)FR2{|AfmO^ZkE)%Qm%t((*Cm
zi)K%ozvHY_>RtCNM<3^wpBt}VqA(zDG(e#aoXkL9MN>diZvv4Os5t5_jie}Obl2hg
zE(#4345OPsn>CT!o7^oZJAyhZ#gH!0wPP5{+;!N#+6Dm+iUHM1;C}#qB_M<X%6w4W
z#1)mGH4JjijA>?h^jUZTn@|7hp4)yEUB2yc?wY&M*`woUK7R`HTxyxQ>!R7kW^?O_
z^o+55FZ^+g{l@yXwZU)L*iVn(man-Rot<Q>2#>~pxcu@H@HFT4U7Tb<ZjA&wD1rp~
zEFgCRZYm5ENKN450!A=MI@Oq68}`+vFcT=lXkZcsQhj*#KnkWBppa)0BrtCQ#TMub
zE_XkN&Tci%L|reO*k8W&a~I8?IHR1h=L7u1%eVgrw|w#EVaz^q#PRFi`k61=Z%e|^
zT5}INJIQ|$&J29lKH+8<#c#i7ecA+VM_o}UP!~2==*oa#2h&0I5i)Io(Mr)2muuJR
zeH{b#G8I!{_@OKY1Yf|@14^YB=xdTDZm1?}7$&v+Gq})6AHPGwe!KGx%UkZfXm<79
zKVG&r_q)sO^EMyJEx&LtI=l7`+FJj>Prb{#zHrg(#0wbA+@G`WlNY%6d}w|Ru)VDP
z(0pLJ4s+O+xl3k3>!t(;VEr%IzI@>WTW8tMv)3gX$DD2N4J~l?3m=+CXZOtB$-2M)
z*JJEMAA_RN^-y%^nHQY4c;a3EZ6CMpNbWs1Oe#IOo%POqJ7NEIQt9$Zk;}OEn7})l
zSK0U8Fb}VGeC!1$zV~;(w14$osBq1Pp~BH;f9SGPPX5u|_SZfP6^=b|?Ni$xJd3fD
zAA!I2+*CNz^O-Mw&MwX!$(^$c1U+B*P;m@&5GW8cz*z%^C1X+uOd~p?V;BQcjKCsE
zv%AjPR~tyuK)1l9Arxp3!^bvJw^ZN-0I3=cTD&Bw6ZX=L^VsYur+)lCvi!wO%kO-Y
z+r8_IedilMi$)qMj-Uzy8mAfsBx*435#T3*F9Nh$NtLpRo8VsNt{MOF(DxDd+0~n%
z_t;PYD%}&lynN=jID7BE&9C1Iw4XX@fVL}RfQ%@ifB-bG^wOY%Yy!m+3By+>?fSn#
zONakK+<o+Kf7G!bT0MCKlcLjqwS;B<YjI%j`Y1HMkh<XH<IlS58_Q>Xn|sgAaCrLt
zPZFy<Gf&&t+R3w@6iwD5;{DE3?R#&AGtik`^IrNR$J(EVhq-%~Yv1jGtSJj$y$J;P
zz)(kk-Y3XpV+KOeisB+r6tt{q`->lg_Kti0N@-_$`y1@@KH=m}+lB6H!36ep+y(l@
z7%};n7|_^OT_~``v8X}--x>jWz?aNG3e>A(%s$~n=hoRnAD!VBpRa7T?|?CDzjzB=
z;Ox`hd#iNWnQvR(`xs|md@DRLAZ8^<;Cq`qF_>gg;N1hIO&l~YT$o~-2BopIecP>Y
z?rG_Z%c+|_^_As2p5koc<505Zj`yCkF2C+4%fEuw?w*uj_xfD^5C7?~W%qaCjobz$
zs~)(iF!Q5hw%gcO<~jS{Cq<JbZ`&F2AMBTJo0ql%M;}Hjtbw2m4PURSvA~A~0v|x7
zXAqzgI8ivXN1uT6cKk~I!Wl<8&$6ElEO2+;KL4(RPUZvaWWM+Bcf_Mt(EBAVT`O~m
z9_jOhqg<_3&Sk5>NFC}RJtk9ZBmwb~Z8tmFTtG63cp_ayC67PdXY=`7XE<tCale0<
zZ>L@0nN`>>qXv6si|F=|93a_x&32Bh>GfWPGKFC$NG1b(!Yd6)Jw2-W)8&52yTmZ4
zj#X+oF6s**xrCHwJOdA%sCNtDXggpv0`XkIo09QJCLuN0ZVs!ZNGYH0)Z?*iAl7Mh
z!nll+xqeU(8YQ3EqOnAO*cW*^l9l`AA%(_Bl^hv4rktkm6q4(N;zYFNW@?cbLi>DD
zE8+Ij6>Go^fsYx>V05oUNbWq}LmDcRAJwdOtKIKOXuH@eq7bF_s(4VBBQ3L(k_E4b
zm4HGsl_&=TjWPu~n_+h==S}4^;Jf(3K{M|_n|Tkv&Y+IP;+=L@bMxIWjh70!I1<RG
z)p`$5l(OCy%Ao?1C8U}O+O}nttMFRF%BdkM&>93`Kqr$_3-LFomQh6F6l^S7)tV=V
zwCGU;ScthooKI%ea9x8u44<0s=NUbP*VVWuSP5kcp@EuM@|Tfbo=Q`ekQqe{J)#Tg
zW?s(6Wm+E<8j?3w@|DE0-&c$bT`@_(!qoy+8|HzO*_Ai7Xqz7;yj4vkBe2x@I<RL&
zAk`?4tyrT@G|?obMonn|hj%T26?{>?==V?+N~IDJtSG9HKt`%`$U?nYvJ7kp3KX$s
zDehAQy%S3Un`*ROsQAO3)KJ%ibl;656j#b(Squ%Q!eU7-aLo==%=c356iB&q;F>q3
zqRdfL*V_Z%#WxQQ>H|HfpM0G`oweMU)pzy#!!{Y=6CgC*1mv1NRB2ahlxmgKMorI~
zgAP(6h2BsvM>RcJ6Rc`@(5ta(oksya+#(8K&i7&|F;GX+?x81QMbjg#nG-WXOs=J9
zq)`}%93bQ(DK9!GbdzkaFPSN<SzE$-W-cxiMafgfC7Pr|(PY$>P-TuW8YZ20jrgkN
z!Ye9S2o#6?U_=T~l{AtLqaI0(C92*e^bDlfNy?Yvl~Sz2q*Fo56|B?}g>)_sRKr3g
zTz54iEHfZg4RcGd%D8K}u0R>J7!{S=R6{Mshrza7t+_!bFxt(O+QJC*V01k&Ld`_k
z92AKv7akI6t1C9}L?P_Sxr>2ZA&<+cQa@-i<$7AlBE7`0f!8~(XaK1g5Dt9m;GjOx
zgZlMm>MEKWlryPBGE(E~9nu{E*&2UWD+sP=M+#eFH`u0oLSYbTYsqvXq^N0c*jtDh
zT`A)ylA<a~sT@XR+<hh9wjx<P-YN)^RO+~rP2h(LGC4%67O@cF$%3&xtR%%u)RHoB
z*Kp8HX{FK95a{Rw6`mi3>%;D_n9X$B37?qn8H(s)Ycx^|1S32U35$M{V;lU)8>q&+
zF1N^(+epM!Y&2VF5&QtO2W0DALp2pmS94)2R;YG|v3_+>s)_|r??|QE5a<l|Yf^T^
zhTBTDJ(7}jcQh?&I42TTIBvBRx6(0Fii@XMv{ph2BTg$0<2j}q_J}g(R*SwuzbUI6
zVCVQYlIV-EOf1Zk`A**FCd`Crc8Wz>ig*~K=JvVm=boKkI7*w^bnV7n8=hHz>AJ$~
zX=}c*T6b(&b=UNJrZg~Ry|(<^{J+fo@T%*+_nN1w^(k<?o%a0v_vSwKiS`FxEB?^)
z;5|F<H}jcI`koc%+Nl#S+_6Bd^qcv+9mDXaFCAa>+xflIv-xZ66IYyTkNg(EBO87<
zf6TPQm;U{~j(7fkzBKK)A~8ODeC;3Rw@*8+)IRe$`^$d>Jj>#a|KW49Yk!(=%o%5_
zeet!6U;SR_(~cM6;^%Mwn`aL$e&vhvpPrL$POf^b>bqWqeqQxw@EcxLIN4*r<1c`B
zDV_Qce#7@f7TxxRFM-$4YCL>|{g;=ZnsLhC+TQu9>+kx@!1ecwm%(Xx=B3;-EBD2{
zJORc0^&lwbKu;L|5NmzaUJ0nV&cI-}@-RR~V_88%8e%ZaM>@TN8SNWj<GM6MB+8y5
z&uOi)lpdtpF*i&R9n@8o(E%D`i|%^Ponx3ZM!1Z0J6y3EJX)cmcswDN+D0X3qRruO
z5aA)Rr7?kIrJF?QVFm3pTjr8Z1F|s2o87bzU@nEWS#9x1jcAcgSu`u4zT<87xmb%P
ziuqUv)jXM2s~(F=ZNsbyCWE+mZ=UuG7B=vN%PlHrun97QLN<(*4vNEau~>p_U2~|_
z{GO~=5F!4bNek^nhww{s%$rS1m0@G#s#e0@Xg#BbMYquJR2hm^b+E1w(_@IeYI)d>
zHcRQIlsDXFyk6JMOtzg-GTG{=s_=zmTNeV=Slug_$pTVj)9zkqvI=fqI0%Y4zyN}O
z0L8pIs6h&~DQ7&Y1^aQLrgZW`lx$}!IiHscH{EQs%6q*+NFno9eGsV0`L<})v4DF7
z7Aw`o3v!Ne2@xrW)Wb>59rdtEeJCYcm99zF6E!+F^hjn~5!Dbz>ItUq%bT!v1v1TS
zuu@i;n0HBXkB}mS=l%6SQlN`NcQY6-HPt?d1f-KWFCh(hA`TIzc2GtAILJ_Wqmf>o
zsikUNUoc-t)sPVnB!+0TB4S+1E1?0TJIX*}fl+UWejID1D+pqZLR1m!^WAc)7_F6R
znREjH4Fx&d7xSvmgqRhZP=h>H<1AmKnl?L>M<oewr`Mu-9dD~#9vNyfNEFdgyXOwc
z^+MGOWV{VtlzZ7&$fM?p0D%}um2RZb$Y(r#Z*BbS@e2n*F$Z`|?_T&j^x~^yTI|Yw
zy&Pm@h3{4eVcw@VLIPXvk)qffF(yg3JzfrLXk@U6`tzxNyJERVU0UiFBoCJ;BdLV!
zPx`R<kT4`oOfghD&=5Nn%$Ei%RzEF_fN_H1(Of@VEQzf^Iw+vg6cWqih#;D&c$NY!
zy`7h`ScA>rHNrwu&5^t3uhmM~Yy%4-ie<p3;!5aU(E37iH0d?ta>ws!@&Pd^DUCRl
z<hxBR=I+EI1_*Qc5{+Ei>w`lU5p;{WUWcHDMmy6q6ioK;o^UQ}(DI0D4UJq!9uktJ
z(1=#<<^~Cb<SFl9RLvVwxM%pxa$9aDf-$Swj?sJ%GUkL96CZeM6`zFD1m|Z`e7Kqg
zC$Z{<^x>|km|Vl%(hHQ;c9~#<?^*b@W4bhcidgvM+Jg)Y2b7`V^>!igxY!%TGAc`y
z3W^-8`J=5t1O|JcL#T;xr{I;{#ZfC4P(0NL*FxI0OjxbZK57W2wjAz8-BvjaX^g|N
zFFB&|dR!DtZz8}Y02M=)^W_#AZh`(72@`uQ>kC4Lp<KmeAw9zToQC_PC4$V4!g^3i
zSz>@3WD`_eEftbkj>b3|ui?sw(1^U%Z^y6-r4*InP;|>}g7hR?xw5LVmAt_wiwQmF
z(c)RnM@Fkid(>$7`*_r+bV9HOg^P@b!g;HOnO&DRQ#G5pT({6P>!q5YlpzH|mbgS>
z;Li7{@TebXdNZ+XtDftC_8A`6czQ%6sW=tN$NPg&GFKETR$8?L2805;jfTLqv;L}L
z`57>y$kqsz+5>OJ*Apku+=XLL*tqIk(O!OSSHI_j3wy^oWnu61>Q%|Jh<A-Ys4f`O
z>sB3l?3?l{oAT$?1^+m$FL<UMkDAYp$JZJQZ<*fkp45$wSKF|gPXR|>rLgd)xht+c
z|L)gXezX9l#qGs~pF4(EUsf6aYiVIHJu7^+@%T!!&z7KBrLwSL+QA2}|H-&nU9hGd
zM}7N~k@2r;3tb?&`o-7&a_CCcv+E0f`xA`?ar%0DZF7OyaMvn)`s09mxPGbwrq*`5
z-CQ_-cJ<lI$E=lse(8sCh&r9pT7W>zonOtR@x_bmJMvI;>!j$|@wNW#@4Nm*yCp%9
zs|`hGTy)t({2eEZ?R#!@a%(SHr9*UR#{NQkVf$M3YgbRbjr*$oTzdiHT>bvXj&I*|
zf?b2qrTst$PTdTCpZVT@H0?Ve3}r{UP&9MMPi}TZ9zWhDG$?wcyRd#M11d@^3Q<20
z6M|S93$Zo;8?Xq*=s07lngJr}_REu#kA32$Gq*qdmlN%KatjdFI)7hS3rNgV9Ab$G
zZmJMg27ze=0?7)(Fc3T@K^6)Ec9+bY_gYwMdCPrUXI-cK`4a(Z`5pFu_n`NO9DDeK
z3s)cgDf?Yv=>5I@Nxx8NQe~h^6gmmFf#4HMO(d5{O~)8YQ$PaA{$(HfwdKjB5ASxw
zBK8@-g_GL@D4M-%=?8Pvf9<iagBX+j$4Sx7D?WDr8Na#WW*Z&C1&K$p>%z|sJNET2
zKm~_2sqmdkKX~T3cRpz!`f+$RZ?m8eBuJgQw8;~Jup<P_Cvw?vT?C^+_X#9ma1gw*
zKRY@3__J4qci#K{hwSGpXno_?w;pnM;@W5Ib(1Imzz8awbnCeY_I&*N_FqO&;gr3e
zD0$WP_uG|6;PQ{W0V>QLsjWKXIk9AOJ}An*5sJ><a)(R0;E#vdjgLVyPplN(x%^St
z_3&ryM;?V*>V;72^!doA(&OU0?Ta%|^s`CP#=8QM!>NCHpS|Ux$-|xfL1Ll(;A6IO
z8#MF6MNr|y@6Epx{rB;M_O2zUFx~vd?^ii8SK2RoAR>41!kWEDeR68k%^NptD6RYD
z?3HWlYut{9XT((tQ=gnV7sm7%<J=b)z`QSYU#7;R`xefecF^3aw~Rk`|3YWl@x<?2
z9~rwISZGYoect(->DRuvA3p$J+^@d8@Z;G}o!{QJ^6mWL%kb?S{gs7B9B+B-E2jPI
zR~D|@biVs<);L)D*M4>3)3ce?t@Bn+aDNrP%j+IoK&Ktw=FZi}-~8Ib2c{jL-kdvn
z+<Iu?ebbJceAI^V=7$&3FiBi$|KQ1$vy_J?pXfIic+gmxd&9z6W6vWC!qErU&jYu9
zR&4QC3&;H5oMEqS4%Iv}qO)~M^BIGPmg$7qa0Usu`04-;2Wnb7Z0K^JFi3=ev}}lx
ziC`;}B)D|N&8bnhH_DKpQptEAMIbmBR<aQ<hQ+hofbDQTA(qv$$xc0kCmCPDU8p2+
zH)2Uj-7L#RCE*zb*oJQ@n=1^W9NkD4ab~2u;?1-gpv(ehMqQD*PI*;8Hd(GwrP>N5
znM6mkASobKE{dKMJ5Z>WAed2igrZFp$mV=8Dw}EaO~kDDx@gknM#64ICD|H9gjs8#
z1_GIK*j2#WF|(AcHk*d017OyoSL?y5?+5NPP;Vm&?S@ZvNnqc|GLOom8da?OiG*j^
z&vB(F7wd{rb!7R)26zaQ*_49x0)a9lYsXU<UW+9nqfxWikq7p>8qUV@mJ6=C^SOnC
zA@u`n`TRpj9epLF9?u|NKyUFbGp0$cpt}H6e}s3C@KBwh9tf9Xv0z<pc{6G>o}lwY
zxllIHv_ixRT)of=YFwIk^K7<OZgDwZIys7(AOb9whHh6f-nBfrW(eVPY#1p7)Jjnp
zWKEe2N;I7pd)|(#+Y2tW2A!~M(b?RfRV-D50*Ena1k2>RI^=T?vW3W~8s<B=hpaZr
z$xunC8>r~7r*d>quVI|rR$5xnoi1b&EkaA81AmMJedSTyV}Y=5$_k)X#oa9V10f=n
z@SBlgmBQQBphX7Lo?sO&Bc*ztmcQz2F=er3v|Gsl6Hj*gXtI*4npQV~^bmw{2|QBi
z`U+vlCJ0yLbli~e6pLb=9%Rne5?QW8bz`0q!_$RAz$|HDEDDy-Uk|#d4z%C(AEJ-1
z4(e3APIU8$GMT2;Uav9Igc8xK4Dc4|9ff;{hizAyGM38#D!6C1-N2m@1gXuU>d}G`
zpGo?|5yOYayHVQ13DLT)(D`DND+e;eiboEnFp-y<{aBYpBwj`afnw6%MxqcE;`2GH
z#6`5FNj8kXljlcdEH7tiI3w=%bo`M<OdbZg2H!0efvI5Rv9ev7%SYRlRxRSIH-nJ8
zV7j@KOB`6$hSb#qwRUjgA(eTB^b{jhxS|>r$mi-}5)<`R*mN%yXsVftmxj!4S@gt(
zemb1yCACT9HIp>cIjfVbTKbR_R11rQUFB}YG+jlr87?LuidoBsM|fpK#Zzvv5gfz@
z?R+&*Z^nEPH}Gvs=&)&dTb*IW>r03|$~{;K)Ex86sZBrGG(UIyhT!^{+4rxt)&v~i
zm`P6maq5>-?}5EmcYMtu&cml2XAj<e*7)W_ovWwkW^TFs-LLJcj(-<eNG~4dL_y5z
zciZ?sjQ1Sj>`l*psr<+*d!I{=aQf}%=biuMxOeB7_m3Z6Z~`Uyo4UQC{j$?}-4S|x
zWw-TeQ0G-5^Tv@**r_c#yR*jU|Kp^UEmU$5nz{W*=N}x~&l1J)Ek`+x>Dg_Mzx}H#
zM_)S1=^vkWjB|0?ahS1i+}JwSc{KDBjE&d&dHrW#_xGdYoQ{o)q5m25dHy(OV@}xd
z*9Ts!`Rp>(yzO{rb}2ITovF>=-F)e0Y3e(h_iSFh>4{CB+Vr+f7i^+7ZQS^b<1&z>
zd)LO|#<MmaG53qP`{wMq`ka66*bOgi`1*z$Hdq@H8%|mO()w?&zj^(|>$B^T^^SFq
zJI+~mhXY%81;E{?&9|=GIQyTochA0awlI6v?EKnauDyTld)GGB2G$<4<~M5|T(kXy
zYkF&<YffDKr`6wFebeeUuFkC9v3lC^ea9ypp8z@2&(2&uW6qp8bHu7&*tc$R?%IJ;
zps`DvETZ5OurjWKjx7NoU>$^dal;^W$}k{td};=_Z>OExZT<x3_LKL=%sI!lPH>9L
zmwfJ|<*OfFJwXNT*t#DGN!H#=!etsKI``OLInkN1Pr;o%`^P6alS|6xZ8O3&1)33*
z38-b7n27nZpk}Em3I=FVz%7I7F6m<R!Aiw{iZ0wfBdkI-Kr(A!I+_#dTfiWK#l`|&
zQUQ3Qq38r)P}QmXCpEX?7)b7dye)zOD<D{SI*qUlsv?>TV;L0#93)^(-?Y_v&bIx4
zVIMK+qWx>xxplg?{PLF&d(Fwt9m}g9+G_s^ek@In?hojBZqhRnw2ny--bD;Rbb=N!
zLjtVW)Bwh)7^ndVc2JI+x?-it{jd!MsAwloaemv5pX%JYV{!q2#cCJ^;{&4rKuVYZ
z7iUO7nByb}->HD5$5?dggUe@rZTl<L6%Aj3IRl0sVCWiX`7(wM)j^0@R|u9cb$05G
z<*z^RYIPDcegV1;;8K9u6S}H{I5Z$~p=FoKC@O`a_|&_X-}@l4-1+i$yRyxhISH_<
zxNhnQNf>Y*4G>O-22eQY6k{kru634F?H_M*3ieyKJ9ls0518kv%j>_6oV-8S<FoBO
zJDj)Jj-4<}r}NH}><{mB=3sFAGZ->^*78;NZ?{j_<&^CY?{eO-v>zUb^CvHDf06^7
zlh=eX22G=o;^1N@PsIT6u?oEcXf#O!#+h`{1U~iAS87tE-9nsE$K)^jn~yJU-8FUB
z$`KfK3=P0*jlf}$n+7BWz)yhtLaLd<u)2#<r*5=2?{?m3Ke^larj!0TqJ6b}&K_ra
zWn`d$<2TjGCrg668T6S+Xc$npxS<#tkXst?QB8f?{`el}?vp7L6dy>KlL%0S2K8Ei
z{DX)$LJ_oKs5ELYIy!Z!{oOsz9rky&z$Y{5Jqqa$AY%<_777jRlklCYG>AYOBumkt
zeMJE5dFqz+(}}6j)VJrRUYh>H^uyCPZn$;&jnkP`u~i?M3C$euIC8B#^W4l=W<KDk
zuim@*-K&4L=FT-&t<l$<z80PO_Vg*6zqk3eRVS=@3e*$NolUNu-;A#=ZC<}=>BpcS
zbM+>3)0u1EG<)i*-lijFS{r|{_T`QDJMP=~-qrW4dT{My4)4b1#^A=|=6*N#kmDC~
zA9mPtqq)@Fwl#-t`0Ix6uKMlFvr~UrJL@=d%~k8JUA?@nu`aOY&Q;NM$IiYm{fF7F
z&)zWo;h8V5#n$MvmZJtl;{WsCHamqmx9ymo3>XlSL`l#XgsdDFJU<ttYQO^{KrCE=
zA%d}n%b+f_PsN<u9cyQ&9QHRc=kECbd($dpS}gzgYuoLYP<S;bxSSJ}Dwx2x+tJDI
z8T;zV?+4-c^3C7ev1;ZzdkgMNBa_#s;0z9sbONEwiA+4CPryV*!gRozkQ9J3E=Wq5
zx&iL}|6U~Gc8zfE;8#!XeSc8+?BrS+M!>oO`79<5;C7h9V5k7vA2BtP)j_cx@@AAN
z+rE!*zS%wzAnmVwDUGCa>)NR+S1z@D@#nVMhfvNn_Wh)D=kkePer2-MTnc2E&=YNT
z0zl<DXnis$OCXwVk~*XsnT)AVy~)0nb|U`|S5w4(hH{?lSbOW#Hv7dKbZK(K_QmJG
z8q&5=+PQlh<O`t~tV8hO!u`Mu;DSU5P>9zFoY3IA&{V~&%vw|SEzO0Kr;GMuwDaGl
z@#PD?esUI;czC-1Jey_B<f8kN6o5`mt$Nx%WBZXDFoUmpr+otJ+_7yxvMoToWz|{l
z`RM%C)inH?x0iMvx$~rdntQ|?X5Ys;cTK;~-h0#h)*Yt<1$k?Ka<CTdcbw*YgZ-o3
zM{c)Wr#p8q_rI|%y+4^zlQ9IcTMS5SLCTbClE9!5kW;3@e;_GILG?){oJmi8Y4X6X
z`NCHF<<p(0EuP^VZQYMlw4?2Z&VZF`Khif`_Hk!Av+ucneyjc8XF4xFd4E#Zj#{?w
zLzc-eZMQ#vmh%r=_alq%q~+uT$jSTTcfa7yz0OnCOt;6U2At(J2OX9N&S4262d`)T
zMhbyUu-FUx#cZ_I&vJRGRAeJSIMX3>?jB<13n54isz)@P5PGdhov^G<m=p;q(;!*J
z?5j%9lrqC%IjN=VfY>esTca>n(~XYQf@Ry405C7E8*Dop?DzuiQaDqv1|uP<d$QHa
zD7Vz52t8obYC^jQN)vRok#wtBHt&r}DGn)mOt0xCXapFn$x68tDc0OUrHIPIbVEuv
za3*E6n_kv3THP$>0cLcnM<Z6JneR6mB}HiG+(UtZAcqm4O9&TgmNkEpS0QGYkx~ut
zK+&=kEh#=e!k5q>0>rN2dLhvlXfnqGIf))XRiO3p$30RgTXb_hMQjYJk>03PM?7&N
zTo1?8JYYf6F{G{{VGdZeiJY(1^@6ek;1m<i56^D+$TQC$5<mMm`wQts&i;AQiOo`l
zH+N$@E<eM*cLO9mHB-(F8N&o(Sxr$9U^j#97}yrD48vprld!6jE=DmKb=M`c`yx{N
zvx~PMPQkSf5k6jCcv9YNUwk9PMuapJo&L;q|C;&!UceBhofohD)8H?$-#?Dn-{l~<
zqGjOtS+~6X2jb`dsM+t&IOWX#EK$2IS+%cc=zeU)><|x^*?hwnZk>PT2V3n+c<0ir
zOa0ajfw$!r>?^+q{mcqZ$od`iuZ{WV>h`1mHi-^RiVnZ}H{GMPEoa!)_nnZscHzFO
z?$0j9erFb1m<?XVZ?N+{`=KvGqYEMw?S4V%xIaI*-sVK-MYC&Py8Rm)_Wa>8`|f{-
z3MWcXfqd|-*F@tv7vzRP(MKmm>{HjjIko!f<Lw_wPHF4@*qQdZGMu;NXJ6m3`>;FL
z+7JB;H1+hPh<VdZ>BMoLxyiozLr_%ALD6AHHjX+n`|!Q?hjP%P1=l(6J^t|cIvca0
zLiZe~u=c4p9<pKe$8WcHPu|*#=Q!7IH6iJh)gdho(7KaUNET8dO~_AUR0YR%mC_(z
z)ZTV3oQ(b~^0IGOe96AxTxgxy{f%#P|Mtrl>|X|<DdIe+KrYt*Jt7pIwyWnsg)@Hg
zCQERqZnm+vz~%Rz4;3c98tI4c&)PqVF2HN3?0XISv!$?Kn6$9zP1wI4k@ENKGbi!T
zQ67r0d)|Dc|At?lWMAiZa(7<fbRA5aJD_QE&(@rOhi-b+9h!^z@~mM2WA7m3XNsAK
zJBP=ku8^3MRVjqh6zi8*tWk>$HKvb2el)n)#bFg_qErzti3A_3$19R=5D&X+olz)K
z%l6rx3n*FnSZk21HJj~LC~c-Pp>{}*#wA745}sn!M~^hrLo3ClGD~v`&g&M_$eLZN
z!}OX3fiGl&LY&F5LyRb~E-K~|R9D_GqRrk=LF;)}K9bK-EaL}AN-y1)f^t0S^AVz}
zXi<^8r-Mc<D-j4sx?T_NQ@I|+m=zk2Nod2{;=>v~0%S>rjCU$tNyXYssu&jw?r7HI
zrP}@pvm2-OhB8X9)nTsQg*ciX%oeHau#A?(R7DIXxq%WR8Y3!z#86MQlJr#pDX4@r
zud0T^$pV?=Q<DHz?-+J!(=RqYFek46uXQhiJM_(K&UO59=KHJOH_c9+INsWH{&0G3
zaMR-}i0l<j$7Bn9m65jdH;%^5I~T@#JI?&{++_Osn?JDwHGa``KIV9<{n@ka2YSxy
zHlBRWYd*+R9d@<ve50dy+pp&BU-zBY9X_91IXGdFnA%4oamWxFd1Bx^Wft8T_|l5g
zbML_EAE$=SL#OACJM?>h^K@=LYw>jZX3P14V=@id*N>dBO?B~aZdPDs{PW0pKWO(H
z_4W^P_I+<~0&`<_<@khr0+<=?@*ABK=Ek3YgiqSLE`%;^6<+Josr%$6m);G2(xWbN
z;!yLB-sKmLQx{G8^2YO=<Ja!}>UV;7__ihIGY2P&13Fo7{{V%2b+Tw^byG=3bLJ=#
zF_8p@W66?W@}9(~QypSjKi}^qGom}~t#nLD^Km{rQYOf9k0R48OD|+b3Yk_#nIjli
z)iuJDYOP}oOR&exru}`2f-tckulgIEQZdAld{^^Caw<S6ld%ws4mozo=OyCqG9T*K
zJZ8{GMxq|R&`TC_X2G=Fakl94bnzJC%J)$d)J^=MQ7#~(STWcd6cS#uU^ENCb_?P9
zLZ=-~qlrpA8}Nq*x?EzzLw=C=)^cSTqB9{%hLyCIbTu;`iUN@}UXC!yN?xi&itQla
z<h+T5C!~6fpx6QRs%{6842vNp41s;#g8<KdLdn!zDi&h{y)LB7VA*ssP_@tw#ie|B
z)13tQ0Gu>|**_up1U?NpwpTk3V%86El=}m(vjPTb%iU1idZz?ba8Z{#n_#$Dh|aV~
zGglch9Y8^JtD{kG&@EzNEe1@<p`bTKw!8h5s}V=5>@Wpc=2Wocf;_*L)@39NsEIfa
zk`HtScu&b0{<xg4TNR{<heFv_O?ELYJdyTlb)(;?FQuAlI4G3zyfBF7>7u8V38w_k
zg#kGdkeZNak8Vb!AW-wSJEZOx!hNnpnRN|S;`LHW5_2s|ZI(iv02?j0yh>IU*@B1$
zyi6)qVe`3A9Zi&gbdv9g2tFt^stR7y%ANqhce9CFLx@Z1hy}x&<f8fFi1Y>%Lw`0`
zi6yeG8bRkeaiK+tLZOfjg>gODcl#5p6759El*=y@#W3YB8sTKoD0aJ1${+Ogn++3*
zqNPRy2K5J>3x^z|Pi=Z;<DGLK-f-r+KhG|&{pOlmR-ZNV(5k1Vm!@=x2zu<|?am7w
zl@DDjj(>i;6V!@5b46nu{-l$cUa_54R;TMe=?reZv{8Cx-B|_e3amR%eaiVIP@}u=
z$@mkmEfL?m4wjK$f7+SZR4%SmK7LXe7NNvvRu-W<uJ}-UeCVCdEz@(o8y%0mc3%Gd
zaNdPu=T{sPgJ>N3taE<a@%GJs&W)A3oM*v0R6G5)*D5~?mB+uh+j-QqBeK3UH(vL7
z=lRo)iMe7|?s5Lmaof}Perz1R*Lfr$xUR#p_VrEY`|kXr^B|7p0Ds{Rzup&~B@1{$
zHZ;ip4*Q5$1!x@`qB>COo;X={hkc?h)rGbeD`DOUUY4Uk@luQCct2O>a;X~d_!^CF
zFjQo-Dw~WHIZ*!b42*cN;)`hBP`vMnD4JBS`f)NOTSGF_cLPDN8A7VE&)X<6OKyp>
zI<Y1RGBo^1%F=PgFS)&HhH<OmNHvmSgFx8Y^`RNuovF0h8pC^l=bg@L*;YSV#&V@#
z9O#=mZD3zZ3|(HfURO(GwU-MScurAcu--r-FjJ}bM1`)CW)?v!>C7k`wt$(H_SU3~
z9PZ^&9<pCb*$ff^t%BaD!pkiX{OC4&{d!vC8;x?qjiZ>m$5eI55p!jSOmcvh+DJu<
zd-|l2NkvhuT#b|!cd8c&D&_D9zVL4zT(<uI!m%VI55l9-At;nmeXda9LXvA(i^WUo
z(B0q*sHao!RB<VfX+ZE_QR4n;Eteh2!DNi`XF@rxSdS_BQ7IQ8hPhxM>Gf2_Oa#xB
zfU&pGw2Wk$H$#a?HI)ELz;-DokQ85QsxfKMRMRypy%eo`b1`=T@9|O~Cs(o*m+<D=
zv53n<dgM|%=<1~X?OY=gw_J3llqW*@q7ZctijWfAFN4q$<k7G^p>Sla*3lAW){@z1
zzQ8eMgB^rA@sN_|0=lO;YWgyDUd|4(93_-;dd*V_cp#}>Ob-Z#>kZm;jrHry(Cl}S
z+)x3=7lmf3MyFp6<n-hK7f83;J%EL`+^p2Wj3lEO*~hzs)hb^oTk&GBIh3tRtvv*<
zqnpE`<7c089!#}5&=d9FiyOUaU+8@m=yf#Q?UnMPmm;fbGo0+!EsKVC4s;M)j2nhQ
z71uKesuk}5XuQ-CLG*!8fi0MMHy$^FWdpA!%Uq*0Ean3NtS1zaiWqgJs-1`wQ3#@#
zft`vH1_34ApGlFST3=RGG0TB=i@el~mlH%pXwb=$C=C(6%S?~5Wmkzzry5)u8+5p&
zP{mAzZ*iFDQ@kn2JMj&H34W9&2{Z}7L!Xx_(<Lh>c07?J9`C4KO%#JQArz$~MDI)S
ztXa=`WxWyYu+;+BrUb7k((OPxRBR=sW;4_;ib&KG=#_HKeiEcWs{uSg2#ppvrx9}`
zVR**hiH>A8o|QG!$B&A|96JK}TwqtO3Jl{HD`9?!dUM_QfYOK#qYc6}$VPeg;6#0(
zC+e5~e)oaBf}$;_L0T=}^Oh^IB;hK$GKL6S3BSxJEvoAC$Vq>u+=~XRco6m1VGCYr
zFdhvMFZqxVDf*Li13@?x?}Bo6$d{7XfPawfrudL08!oFCcEPwcWG03asgW9L4ShHg
z&J{b^QFfT@_LOpJsWak9Hpuxx;kFi*^-xO5U~)AZcC%We)l<R)T=yaclpj?k;P>${
zSc0x7(Q*uP<3&JSm_QcqZnkvM9mu*6z7XvfNv{zpjX*z9wj>~6$tuC7ELd94FK~K8
zDY3Gb&r-SO(Dc{C5s7XDeI6+*)<e~SNb^m18E;v>T;JD1T$+%;@+Kro68%8fWo2tj
zf+_cfkjiOkyjkfY7+do7G9{~pgMqHc+G?F`p?LrcqZ1UZ6I(NV$@s)Ii;aWf!~^RQ
z+O+t0?&Fogy=7_OBPyAcjzpwrES)!U?XWjk^iy>TNw>mMk4tyctvX-JYZ68EusCmK
z`L16nG`m8u6riFSxL|6Y6v9-cWT#c5{oYy&)Q^3sUPIwz)t^Ig9uyGT2^`2!DmBWZ
z>q!ZuM#FwzS5u?4C4B&dQC`r`@B})Lq)WPk1G(>Q1~Xi=I}n4V957>*npL#WPu1%Q
zw<0i|VndT~khp84^pO<OlJ#tnW&&s-m?m5vH4mvwam0s3X#}lHwCO=>1y?T+bJui6
z7mKZo;pJNRsNf13!wMnxM3#vGZ;Dr?y}1rbdV!0Zu4dD*8iWzUoRY!)dMJ?5Vu}mv
z>vS{{8HsfdEyQ&$X87TXR<J%w#LE$M7#nh+be{mOm^grGH!m(s_w2QYEV`UeJ3i&u
zHFM)kf7P?AimTY^PfqWg`pZ-gjOUZ>?jeiVEMY7@18KYK?Joj{uKnjj7B`#(jHVbt
zkQAa!h+E+oa49MP-ePo+OT$r<VHJD(p^L8B?LUolPWu?S*1qvUh*;inC^R?w^@~0*
zmvny2-Xbn=dv;y2b6><~e?U}r;V@`|JoeOYMb34+-Tu&Fi%YXdJ}h0cb<5MHz3%*#
z2Dj~NaDQ-V_D2qf22VQYuo$*<vBN&}90(!pJOYZ2q+fdRBu;ymeazj99KGw3lV59f
zKagsdth!|DO77v$k67Hk*4VH-byfd;_Bl7eGbqkO<2%W4^^6O@f!f#4FUni@2YzH9
zw*cok?|Avf6L#qr+uMP4*uHU6w0r!$Pr3_VxyHWWJSf`bT%0>;KTwnQInK$s&;0RF
z_l@tk$Tlap{q&@0CV%^rj=Od|VjsP@nA<P7<F$)$8cjYCibo6A+K(>64VfkjSR~*z
z)mgyx5~=|>J_^WcRRd+9#6_Ew%jS-R^VT(<JAEUSOxrsr`FM{Vx#(K^>$}9g9QAQ~
z(^1gU{-CAoE02PfPF;Qd2dV4d@T7fX37+y{M?=x}b5lQJe|qD$?PJPN^xmTvH*6*L
z1M_Kr^=RnEm1kq()%QMWPagwAY*lm3_h(8U-fdqo`D@KjpZ)B*TaGE(*d#yoykjT#
zzubE{{&4Fh`vZO``p-$x=DT+!797`KZy$RcoO8kph-1%NH+;*^rJygrISwl9x%_8K
zp10oe6Z_Fgk#+o}$M4?ro72cA?y}hkBo}U3#HQ!!@4oDZuepZyP>XxV7oM<q#PkOG
z{F|?NwcKuMK-BXeCoVoe0}pTf=t+y<T}mpyT^j%Q)<xjko;(LTe#+u+=VGxpt&n=J
zM1!!;gH!75r!M~7vGG3Ncx-K3>`kwm-jF);sY$!`*S9VD$7k$VoSg<7cZoZ79NxLu
zpPqf_vF~qRIey(vI6j9gZkwLF=jf0Bt&i?IpxKLeFFrkY-KiIU_qDD!80h+KdloO>
zbr70!AfY+WpZCA6rN=LM5IIz7_}V1rE(k(BVfL{GMd$l5Dm5x9oocz-$)lxsPm>2h
zu~cZY8KBTB_i3qB#gdqu$8p?)m@(K;b_mOlf^1+u5N()hK0=lxS*sP=aeq)7Bq|-W
zkqMSC47}H!P_~k&NJS<hFBOYIE?(Ajt==aEe>4Pm8)F2rRcXbIt0}Bq5fry*31D5w
z>3pje@(}G(T*+5@q^p)Edu=n5mWr`t9pEfUSCM1IGNmW_Xv^{#eoxF@mrW)Ru6ar<
zEk~r#usLLfk_HGJ))Put)<Cl8hQxVTnjHC((Qdch^<%(h=I@q9Evpg45f|qts7$E=
zfTXgk)5^-6*c_y?N?S_FXtmv<thA?@9nzIV#;p;4h8vKXfQA+(q1f7;7c7QW9~{^R
zZeU*y9(N(mYZS+)sJJg{V}-@zm&$&2lrCgLbS-50x}ILIH;VeZV5(&Kq?z^!(y$r;
z0-$m*8u7IVs^0}#`oS=5wU7i-XvX=d;h#u5<N<^nX{YK`u%o1<=AcY?Fn6481fnK~
zl-sxv_VojyLZ-;b)gl<iS$D-KBTRe=v?XIBl6Hsd!AWYVP|qg4J|G9>gOtVPgFsBw
zKy)N0g6>;5LFhSP<Tkm1#xfT0>K5aka=O6}lcwko=O`=^Pt{DVA&3MTfNf?u!OB7}
zN>f=fE=b9I!~}eS98dOWZ$a?6E1hIhN~rB1O;!Ln;fdzkO;1i>O*U%^S{`SFVVtC*
zroR~|mmx92Xe59>52#qQc8Y21SU*^kI%%#O2mtkki}I71fizOWR0IU(3*(!Li@%&X
zIG+E%9M9v$ElV|zE<^_z%v~<JD}pzMFwroo7P$aO2u2gVQ8>}<%Ed$l;3cw<FZaUD
zaxUnqBzr|H7EE~Zz)b?KPNqE2gjCo}q0Ouji$MfDporCC%^yiNSPwf0G$KuuO@aVQ
z4A`fPlGJ4g0UavHQUOw3fk_&adPuoDF!S|l3lS?Vq~=f2m0`Mymwi~T1u3>fEU$z;
za>wL45krNX2)c=T^e!r-42~}JTL9Wg3Xr4dMU_ap0a5iD($%8c08@sZjK&Ta+)Isu
z0UfQ!`zDqpn83*AL&U6C3RDbNz}wB#LaBOGHGM761rt-U8Y~7nW+gE~dkGb(al;5%
zW>8Pu%lU^UUlzOG65{4DI^1by6D^kY@^~a1$V7%goB><Dv3M{5et^BM7roBDBN8lF
zxuI(?N=9QG%{7PKPO?+b2STniVvBW7%QuT{%tyszsX;YRR@=>l$I7!pq?*M1BUdGq
zXEi(zB%yfH>c&YKviUW{H|+I-4WQl0446g>*l#g0<}H_c)q09?`+cKGSq?@iPZ1d|
zbsObSFsb><kYEjgD`4`A6q?bJ93N>|*XMJKMQl_U42nXx(aKoOlt}@XmeowKUb2jH
zLr7yQXVNa{OHuXeR(fb)TCO7?`M6N4u>@T(JiWZs5B98@cO-@-rpbp}ap3nClcQlu
z_KRYe4rOSU5O4Qow9TcOSP1F48YxWUGSN<|)5(|OI-iU7Aqvrs3e`fKz#4;kqLcE(
zT~xPH4)&>pZXiKHcMs`c)@$hAav?Z=c4_g&X~)Dkw|{lX;+Gw+Pd<3)_|8igbJH6p
zCiXttVD9T+8=U**#hW&8zqnZ6SK9p4qI=9;wg@riiTOOPUJf?H+!@P<1YX;){~BN1
zYk%V{i{EifOkw-RD;6Jc?0g^p*KzHwi_-Lp2|KB4f8ni*LHmd+7jJL`O5YX7cVD@9
z!L(yym5z_QYH>n*azpx(@mcR!+&Vpb+P%5v$~o_R2iOjuxEgGPgKNxzTVnvH{|`)x
zuX>Ha4_d9_0nQiAqC~~)B#pG2<6?X<l}dH7o-Z0yi;!#%`c;&!NL)(^#Y%0SFQw(?
z08O#2rXcm|s$0{&C<qz26tE|7yqWgk-Z(X^H4G+&Nr_kn)V{PZgz_SBB<_nAWV}&8
z0PG<xg@<^Q=i>f2P|hLQ0T-!xs5I9p(j~f?ZkBsGQ_F<pkm`1K%57BSiXkh;g@Hh;
zVre205M633qC)Vc?8|40wO%li4)+>SbX4Z*4M2Kjn-ej*ZY+~3btG?flxI^NZ@pZS
zm6*t@ZeF4ZKF!CfBo;08BJFacRp6v*jG$b_Ak)=~nGueq-0ge_4^lu|TCieTP%Z_%
z)*#>Nl2nhA46eY+O(D%SC`^=H>0Uleb>s;uWl=h42pm9f@&9fJqzc7sGYB$KfqXci
zbs>f(fC@&}6|P&zK*beLK*=YDiCU@@CqtIhj9O(LR+%zGctIzwXAH0&SMOGHRT_A4
z5TROhB?v?*ae=asPzWJ_ceM^44SMSp-N<@s3{|9EbrLHUtNluyDK6C-*<8CW$(ElM
zrFv{2YT04Gi7*1NC#r6)Mk$ghM46_ZOf{2H;6CVvN{FkVbQ4Vp$sm;AW;%R6pC6UG
z{Rx#=v)c=|(ReY1rt!S&EgNbu-wugc#E%BTXazurE|66mF=9SO<8ncYxygb~B$FEN
zqq{WAwnQzWb!mX1P|Z}SRP(gk(IjHQ&fjF*K!!77wOSxostc}$P_H$Kiq+1$QX^I#
z_-n(kl|ao@xBq|IJGWTb&8v>*po5y6oD*nJo4uhx+NM&{)QNB7u|p$b&&Br4cxG(R
zcsx$3VQi1@m$Ap=8Cxw!sR~jb%0ml`ls-TNjkt(_fM!=nv`V2(1u9S;=q<fKp%>I9
zf(jKxA*|UUPqbn`knnQ$!`{-T?Qh28Pv3lNt^fM{mn-({iQl*p2)wMNz3;uAjrDfY
zQ8mfghA}^AtJ5e$ll8LijHuLY!=APoVso7kw-HW>J#M+{453-IM{YSwSK{2{@DUnK
z-O}Em?NY<0Ik*%${mz)4CyUUe$20IvUhR8P$~1P8Swh47K+`>L71P~aHlAI#RKx`o
zLuT!?O$XcT>YdKB(?Vc!aKxJLM?0%36xg}xeBK-wc}k}dL6MB#S4I%D82oGoRku!5
zccHH~&|+ugq_#U?iAf2LjZmnW^Amr#%Z;JaCv<KARg{>Y*pp%eCwiS+0$IM7ld!v6
zBXqXu#|BhGw(9{Hh?1BxQxyVmslC=B(_O>>n**xACjQ)#NXuVHRI;h%=BT~iMZ(0_
zgr2ocsZO2<B(Xnx{&!F2H@4?jczeF{x=rCI8}8MS8#X7FCbm-yK$t2+hMOj+Mh9Ws
zTZ3w*yGA26cWcjHIT0zSQc35nCaRPW5$_5UvXQ<lh2|`y^I%MgPNuYRSXB5pRB29A
zJj0hFw<?#NwPz=@VyfdKF;{21>z%sMorg)simYCn+bmmPcblmF<vbt5LJX0}_6&?_
z_5`61_334W$;+vqCIslKJ4iwV^iHe=eAhw=Ssnt-G-Ox3%+v{IZPwEW`Z`F3FXpCb
zF}8t;uA8a+ra*UllN9&V)R`$wk3|dvW3y}tq;xc3YeK0w6X~t`tUC<QnyEQv-ypj}
zl)#E^+nFTtU^eAAqm3eWHa)lLgY}5q19}@nw%Sumqrg1ri4Wb_o&O(pXJM~c^BlrY
zVQLHEK<nv&xDT|IEscnYz@(t(?3R)0x+Kt!Su+3-{V*u}vf*wWo!k|UWv}prTUET&
z!z9MG_(DK9f7~0*(d~S~m!m0K`Ft?4QU%fCB^EDgt=-5JK*nqn?fS;c<(`{F=>};P
z@f7bOYom#9jg%aBtBeE5MqyCAEY4j~U|buk#+urQ<;3rRWv-K_MBM~!HN7pnWoyuk
zMzoGjz?iy>{8^H4r5?6-?Q8)cYSHtkAno*K%%Gnbke2VVwAs+9jbJJIk=x%K<s1Q>
zw}re0<MqL!V^v7KtM+ck>L<z+S-FMEvfvZEUdXPNPRoYK>%uNw_HxjKM#C5zMM6Ri
zLK9k}AW!p=8>i=&aXo+h<a?hsczJ0oeQUA>d1bj<7zNqR<Y6+)s2;xtN6M;$=;TZn
z+g&x!i!`6@<YJexltgx!*s?|gYcjUfyaXx5bV+~$N6d^-YVzwTGM=Cg5c7**mo!zW
zPgq76r=q{}P`OsRAj;qq<~q`0kSLhy&U`|E3L^yx-KasXaUN{-oJ?|K=wzNOd**me
z49naZ#&I`i#Hz_ToQLPa!Y5ahT4XG-N2k>^^ZjMQ3Xa@p$RdM@0w3zJhpJiBK*XwE
zr>QvA&F!=aeLdnPN!EJQYT}+o!}khp*Rim0B#EuPb(hIijmMC6w6mkSV*sbEn{5}#
zav-TtfU1YHM#^vOd@F+?7>jKvr-#KW%Vk$nEhU^CoSr{%V}E`b*R%6|)^pHkXhppA
z0N4}Ceol}!Z?6jjV)PC-95+=#(M?h9RAC#}sk|zfb>i2(_FisG6??n@tkfRcrbAkv
z^W3-?8d(I0#h%0~rL~`8JteT=7}E`Uw6|XlRv_`^8(^1Ia}Cj^L3DS$g=h3w_3_1c
zj+@ZVqVJ?;A1#zU%KNQaW^q-CG{@NtC2ucI`gRe=h_lwG4LXF@8%~^e^?K-`2;15=
zP;s8R5IFh?;Tiz=+5jCb$8dLFNkt2t7=a$t0p953ekd^P$_tcGpQm)}7wJTuDeH1c
zY2&Tg^;TN9m(FY|!k0{K$omTIc+3RT4ZgDx<sfuwm9yiKp!UelW@=bE*gUZ!z%pHJ
zUaUI9Jqtq5zdZTQtKN74{K(<TXF&aP*FEq3ApWb5p$7v8IKg{Ab5uCo{D-e+@?U!9
z@Tud_>1RQcaUs5$@Y$oJf}7m)nn#{x4v&5oBo+5Q@xqf2zV3zh9PYgN^e7~H@Fj)L
zMc8tOpZgq4c*h&mhwil4`QgK#g9({SxBtiJFQiW#K6U%~gb%zl;R?fn#0U<t;J$s1
z{Q@^za(QG`(G(Dlz_S`94j=tIOo%wIQh)jvK7H-*r~*0=@mUyp@cw^)|MWNCmmgmD
zqj1N6^(@>mKyqyG>;<CRxdAP3;9zD7nBWv`0zhqbw17RlaJ=}<5B}YEe(H_uZy$_*
z293zie*uPmxc&Ikul@MjZ##VIICSlcFyBS+R)@EK5iY*ec_(-2nWr9kpALq$e{vkT
z<r)0r*M6@S4qtv8)Lp$V9Yr!1;HVv{FTuqRJpA1A@*jNt#|{sF^kn$dmruTR>9T}(
z|K{wU{`TZ2F5P;3)-NTTpC(S(!^2-WdB^1kzM+2l?AfnCp8E3f2_7E!hm+?nkKgD#
zc=ndBo|u=;pTc>P_-DTgiRCYR?c~oc2fzFS&z=4D*I~}f$4~R{$#0x|?A8a~`K}MW
zG<*7ONN0cXA5U(-bnEfsd1?4*7(Tr9n<r0PzV+${Z$A6#H(~zE#~VHyJa^1@Cr`iX
zumAgh-*9;SqbCoY{m%0zkKKq5U$*%0e;h!J7wh=mcr+ra)L4x-J2Ld@vfA!bK0xP~
zm$v)8!I*G}weB_7+Zf%n2z3<!7={Of(pE-RBUetOme<dk-N^tCm(6+J%hj&I=tUn}
zIiRDYIXGKTL{QI(wj%V<TrHBACYSS(;;x7SxgJ*Pu(8JGI}swicI8g%eKaoPxMhr2
z&0-lWN_G(~bFoBM##T23r&k1s(%duKfU<ydH8-Frsv2p`V>Gv52k55c!g4Vf5USYh
zQZ~ye5$Ddwt(DdeQ+Y!)0IuQY6&7}TKo`(6X0UcBS?qvjplPyItG%Tyq+Sn3mEd@t
zUd3()h8LOznUr!|ZvA{V><{`x7vaaP0iboF5D^(1JX@W5Dk|A7!9=}-@6JB(uP5KS
zQOAG9*R$hvYpv%7djuVpWF?8>CQEo}D9AoL2r@;RcfC+|HW`qnyJ=D7W@j;?XH?Rq
zDq)#;-Tq>c5)l9U3&k66W^K|UqIHd_x-ko)c6T?`DokfF18Z>lxZM;sVk$3Yak|j4
zibSu^_=VRZ+tt?R(7vr?(_H9|ad{r*7_TWJ)9~3*-m4PuFIkp=_e}=~G4>O@l_U{V
zGo*Cp&Kex)a_h}xAE7cGN8P@k0Wq-{^t4O{ZS!hpOoq`g47b_D<2EL*3GUpqrh4CO
z&E|^Q)OpuVvSn*L8MKBxp0qhB1G}zPQ_M$UiB8O9Rw{HfVEimkBm<ex+y>#B>~hlZ
zhe(~eB&3R(3AZhUq>VC5zTTZZ|H6s>nj0m<m#bv>{kCT?;pC0=vNvJ7Vx(9K%Bh0P
zsHA1q13g|cioF8#W4N4gGu-WTu&zyxO3=qk@{aG1scCb~U<obyQl(L7&s-xMP|sQ0
zZ$a9lEWIfqXJVM<WSdY_Pnn9~X3kVx-=Vi#r&=Y~x4|kDEM`q32|jif^gP>WWLpGJ
zK)J~b#qN~t7&)1<z#Uwr=B(9Gb9B+0#MYqgkZH$8MU*B053>gktq?Q96>r;StBR+d
zvl%TaZ9Wk3yvLxMV7VQkKJEEiG1zQJi)5<XWu}J$WG3rftL5zlF+pV1*{mybt@B=P
z<ikZJuiTNaXpUWemW6h|^6|9~21EmdQ~F`ZcQicHl>q6FM@dH3q=@v*4x1+I*#}Ne
zZ*0#mpDyM5t>>ukR;}S&O#QCO4KfJd$Lb=sb8qeLhjN-T^N5PaGTPdfrS8@J7FoyL
zBwZ%CBw4Y#>S}q8*>t1Rh^ltHVhy%ThGN1R7Q!PF0GTsuQ!+|oqzXvE>r4g!wuqI*
zc(TWW33|PyLWaO41p?37<(A$js5j+h2Fo^0Emp~aVwsBNn0qzFYEFy_lf#NuHdHc~
z%!kPuw`<X(++@l{X*(Nk?NZ!~7@<AysoTWxOgD$5#G>wV0F!749#G)rrVY;OOKld-
zhqyn(5phQL<E5=SNU*o3n>v)Uq@)XEh#+gZqef$-16dS;Hg}d1N7)7?u&SSUGP{fW
zv{bgMhBZ^oinWbCk*pgYQZ)kbq<P`wHRk;{J2xF!wdb5#=Z6Sj)PDK4v)kTtn|<2@
zx4rt>*RFl|+Am%Uu03?^j;qgI{nM-OznWhaum0q%|8fo@-=BlXzY8Gp-@5YXmD!d1
zuKeIFpTFhzZ+SOB$Q!p@z4<Fg1o^MM`e$x_5sUgOpE&}ApFT1%FVb^x(_`;@<j;}A
zNA5m-(>>=n(F<_SvcuoseR}`(3q));oxO-C{l8?Hp5Ixsi635j&uM-4|Jrn8-Sp(~
zJsj@Sfz4VSew?}EzTrjCr^lDM2sZGhcLRj_^j(MlH14?b@ZC3`K6z0<>OF@~-h2A?
z7a!WauRT7r$IoB$0)h2Se{}fRTTazOfSlfc7fo9<c?8B&Cj4@62%Jd<u*(eYFs9Ae
zAXhm#{4sL+Z|7vy7eTcTz3q;>00n(||B<o!ri(CEf8;6jl)n)MzM{wGqx{uvE_$Y(
z<=8Z6hrv?knHit#==oqrO-FTGa{D7_Uf!ujVzlvb(^^q`)$LC_DHx6zQbx@k?(C*Y
z8|2<llNi~O;bX&2S5Y}gY6C}Rz*jt}VI%M@B4|34)>*lsN;>vDDPHx{>mDcR_@-1w
zD-NT#oLrC$%X0xv^7LA3EHc=6+t|L`lvXDR+aR3UWdQZ`no6Uedqz5=wEh@i1?!F2
zF{B&}j#+HAtXUk=ZLOxF&M2<$t{S8?B-GJnChL~P&2ekK72_>k$(DxgSwG!3>uwYd
zLRp1Eq*F~}yKAu)d?i&<zU?l$?sg~z6FXQ;7ll}adt4BleKjO^T~;7Lx@!w4mC$?5
zZtVC~LrdmozfPY%cOwXVMOX8&IiYXFjmCIYpc1!gS`oEM_RyX!1$L&vx?Ke0&>mE?
z5UmqxM=a5KGQ+V|3NTx@t%iIhwx{h>Y;WU+0k#Ga70FH$^!fT+rZ@2<S*Al23jk74
zBRN%@gqd=2Yg^0cKm;9;)*68MWe?$yt>a2y$hr}dy5@9p4+ZCNpUhm#$K6rC#Zmo9
z!+_{3cZ(cz12Lq9Z9Sn1IG-$#GN-{0Op4f$V{vT(t~T@01T2Xtw`ca3ay|(QKs#bY
z!VGO|SL2<|zNnC<7}c5PO#=<9b)~)R7v4H4rYmF<%iBOH^Z{lJL=nRaL+WE|HlEB^
zMqG+LVC=7bzotmP-`a9;mWty!5<^s(+e@u&Z)eDk-LY@Da_9NaJC1+fcI6%a1?7vR
AApigX


From bdd07d4f3941d8fc289adf20abfedeed122d4e4c Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 31 Mar 2017 14:21:01 -0400
Subject: [PATCH 28/30] Fix flakiness in team sync tests

---
 data/users/test/test_teamsync.py | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index 2c6bbb223..51ab82e6f 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -1,5 +1,4 @@
-from datetime import timedelta
-import time
+from datetime import datetime, timedelta
 
 import pytest
 
@@ -211,8 +210,6 @@ def test_sync_teams_to_groups(app):
 
   # Call to sync all teams.
   fake_auth = FakeUsers([])
-
-  time.sleep(1)
   sync_teams_to_groups(fake_auth, timedelta(seconds=1))
 
   # Ensure the team was synced.
@@ -221,16 +218,23 @@ def test_sync_teams_to_groups(app):
   assert updated_sync_info.transaction_id != sync_team_info.transaction_id
 
   # Set the stale threshold to a high amount and ensure the team is not resynced.
-  time.sleep(1)
+  current_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  current_info.last_updated = datetime.now() - timedelta(seconds=2)
+  current_info.save()
+
   sync_teams_to_groups(fake_auth, timedelta(seconds=120))
 
   third_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert third_sync_info.last_updated == updated_sync_info.last_updated
+  assert third_sync_info.last_updated == current_info.last_updated
   assert third_sync_info.transaction_id == updated_sync_info.transaction_id
 
-  # Set the stale threshold to -120 seconds, and ensure the team is resynced.
-  time.sleep(1)
-  sync_teams_to_groups(fake_auth, timedelta(seconds=-120))
+  # Set the stale threshold to 10 seconds, and ensure the team is resynced, after making it
+  # "updated" 20s ago.
+  current_info = model.team.get_team_sync_information('buynlarge', 'synced')
+  current_info.last_updated = datetime.now() - timedelta(seconds=20)
+  current_info.save()
+
+  sync_teams_to_groups(fake_auth, timedelta(seconds=10))
 
   fourth_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
   assert fourth_sync_info.transaction_id != updated_sync_info.transaction_id

From b10608e277b4ac757592a8ae4049702c4ec43540 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 3 Apr 2017 14:16:29 -0400
Subject: [PATCH 29/30] Change teamsync config to be a UTF8 field

---
 data/migrations/versions/be8d1c402ce0_add_teamsync_table.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
index 073d395f0..e13d0a344 100644
--- a/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
+++ b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
@@ -12,7 +12,7 @@ down_revision = 'a6c463dfb9fe'
 
 from alembic import op
 import sqlalchemy as sa
-from sqlalchemy.dialects import mysql
+from util.migrate import UTF8LongText
 
 def upgrade(tables):
     ### commands auto generated by Alembic - please adjust! ###
@@ -22,7 +22,7 @@ def upgrade(tables):
     sa.Column('transaction_id', sa.String(length=255), nullable=False),
     sa.Column('last_updated', sa.DateTime(), nullable=True),
     sa.Column('service_id', sa.Integer(), nullable=False),
-    sa.Column('config', sa.Text(), nullable=False),
+    sa.Column('config', UTF8LongText(), nullable=False),
     sa.ForeignKeyConstraint(['service_id'], ['loginservice.id'], name=op.f('fk_teamsync_service_id_loginservice')),
     sa.ForeignKeyConstraint(['team_id'], ['team.id'], name=op.f('fk_teamsync_team_id_team')),
     sa.PrimaryKeyConstraint('id', name=op.f('pk_teamsync'))

From 55b1ad49edfe208fbb8726e452a6da90ee5d4684 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 3 Apr 2017 15:35:44 -0400
Subject: [PATCH 30/30] Make team API decorators more descriptive for better
 readability

---
 endpoints/api/team.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/endpoints/api/team.py b/endpoints/api/team.py
index 320d008ad..981e0f1cc 100644
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@@ -120,6 +120,10 @@ def disallow_for_synced_team(except_robots=False):
   return inner
 
 
+disallow_nonrobots_for_synced_team = disallow_for_synced_team(except_robots=True)
+disallow_all_for_synced_team = disallow_for_synced_team(except_robots=False)
+
+
 @resource('/v1/organization/<orgname>/team/<teamname>')
 @path_param('orgname', 'The name of the organization')
 @path_param('teamname', 'The name of the team')
@@ -325,7 +329,7 @@ class TeamMember(ApiResource):
 
   @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrganizationTeamMember')
-  @disallow_for_synced_team(except_robots=True)
+  @disallow_nonrobots_for_synced_team
   def put(self, orgname, teamname, membername):
     """ Adds or invites a member to an existing team. """
     permission = AdministerOrganizationPermission(orgname)
@@ -363,7 +367,7 @@ class TeamMember(ApiResource):
 
   @require_scope(scopes.ORG_ADMIN)
   @nickname('deleteOrganizationTeamMember')
-  @disallow_for_synced_team(except_robots=True)
+  @disallow_nonrobots_for_synced_team
   def delete(self, orgname, teamname, membername):
     """ Delete a member of a team. If the user is merely invited to join
         the team, then the invite is removed instead.
@@ -407,7 +411,7 @@ class InviteTeamMember(ApiResource):
   """ Resource for inviting a team member via email address. """
   @require_scope(scopes.ORG_ADMIN)
   @nickname('inviteTeamMemberEmail')
-  @disallow_for_synced_team()
+  @disallow_all_for_synced_team
   def put(self, orgname, teamname, email):
     """ Invites an email address to an existing team. """
     permission = AdministerOrganizationPermission(orgname)