From 37118423a53fd5d0005b428adfde4e97c5742aa3 Mon Sep 17 00:00:00 2001
From: Quentin Machu <me@quentin-machu.fr>
Date: Mon, 5 Oct 2015 13:35:01 -0400
Subject: [PATCH 01/36] Add support for Quay's vulnerability tool

---
 data/database.py                              |   4 ++
 ...c20cc_backfill_parent_ids_and_checksums.py |  21 ++++++
 ...add_support_for_quay_s_security_indexer.py |  12 ++--
 initdb.py                                     |   4 ++
 test/data/test.db                             | Bin 913408 -> 376832 bytes
 util/migrate/backfill_checksums.py            |  67 ++++++++++++++++++
 util/migrate/backfill_parent_id.py            |  52 ++++++++------
 workers/securityworker.py                     |   7 +-
 8 files changed, 135 insertions(+), 32 deletions(-)
 create mode 100644 data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py
 create mode 100644 util/migrate/backfill_checksums.py

diff --git a/data/database.py b/data/database.py
index c87ece328..4c90d9947 100644
--- a/data/database.py
+++ b/data/database.py
@@ -577,6 +577,10 @@ class Image(BaseModel):
   security_indexed_engine = IntegerField(default=-1)
   parent = ForeignKeyField('self', index=True, null=True, related_name='children')
 
+  security_indexed = BooleanField(default=False)
+  security_indexed_engine = IntegerField(default=-1)
+  parent = ForeignKeyField('self', index=True, null=True, related_name='children')
+
   class Meta:
     database = db
     read_slaves = (read_slave,)
diff --git a/data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py b/data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py
new file mode 100644
index 000000000..afd589809
--- /dev/null
+++ b/data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py
@@ -0,0 +1,21 @@
+"""backfill parent ids and checksums
+Revision ID: 2fb9492c20cc
+Revises: 57dad559ff2d
+Create Date: 2015-07-14 17:38:47.397963
+"""
+
+# revision identifiers, used by Alembic.
+revision = '2fb9492c20cc'
+down_revision = '57dad559ff2d'
+
+from alembic import op
+import sqlalchemy as sa
+from util.migrate.backfill_parent_id import backfill_parent_id
+from util.migrate.backfill_checksums import backfill_checksums
+
+def upgrade(tables):
+    backfill_parent_id()
+    backfill_checksums()
+
+def downgrade(tables):
+    pass
diff --git a/data/migrations/versions/57dad559ff2d_add_support_for_quay_s_security_indexer.py b/data/migrations/versions/57dad559ff2d_add_support_for_quay_s_security_indexer.py
index 9e4d0e6c2..7ba826b14 100644
--- a/data/migrations/versions/57dad559ff2d_add_support_for_quay_s_security_indexer.py
+++ b/data/migrations/versions/57dad559ff2d_add_support_for_quay_s_security_indexer.py
@@ -1,14 +1,12 @@
 """add support for quay's security indexer
-
 Revision ID: 57dad559ff2d
 Revises: 154f2befdfbe
 Create Date: 2015-07-13 16:51:41.669249
-
 """
 
 # revision identifiers, used by Alembic.
 revision = '57dad559ff2d'
-down_revision = '73669db7e12'
+down_revision = '3ff4fbc94644'
 
 from alembic import op
 import sqlalchemy as sa
@@ -16,19 +14,19 @@ import sqlalchemy as sa
 def upgrade(tables):
     ### commands auto generated by Alembic - please adjust! ###
     op.add_column('image', sa.Column('parent_id', sa.Integer(), nullable=True))
-    op.add_column('image', sa.Column('security_indexed', sa.Boolean(), nullable=False, default=False, server_default=sa.sql.expression.false()))
-    op.add_column('image', sa.Column('security_indexed_engine', sa.Integer(), nullable=False, default=-1, server_default="-1"))
+    op.add_column('image', sa.Column('security_indexed', sa.Boolean(), nullable=False))
+    op.add_column('image', sa.Column('security_indexed_engine', sa.Integer(), nullable=False))
     op.create_index('image_parent_id', 'image', ['parent_id'], unique=False)
     op.create_foreign_key(op.f('fk_image_parent_id_image'), 'image', 'image', ['parent_id'], ['id'])
     ### end Alembic commands ###
     op.create_index('image_security_indexed_engine_security_indexed', 'image', ['security_indexed_engine', 'security_indexed'])
 
 def downgrade(tables):
-   ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('image_security_indexed_engine_security_indexed', 'image')
+    ### commands auto generated by Alembic - please adjust! ###
     op.drop_constraint(op.f('fk_image_parent_id_image'), 'image', type_='foreignkey')
     op.drop_index('image_parent_id', table_name='image')
     op.drop_column('image', 'security_indexed')
     op.drop_column('image', 'security_indexed_engine')
     op.drop_column('image', 'parent_id')
     ### end Alembic commands ###
+    op.drop_index('image_security_indexed', 'image')
diff --git a/initdb.py b/initdb.py
index 80c9fa952..8b095b002 100644
--- a/initdb.py
+++ b/initdb.py
@@ -95,6 +95,10 @@ def __create_subtree(repo, structure, creator_username, parent, tag_map):
       for path_builder in paths:
         path = path_builder(new_image.storage.uuid)
         store.put_content('local_us', path, checksum)
+    
+    new_image.security_indexed = False
+    new_image.security_indexed_engine = maxsize
+    new_image.save()
 
     new_image.security_indexed = False
     new_image.security_indexed_engine = maxsize
diff --git a/test/data/test.db b/test/data/test.db
index a301a7fa7b9c497a92d2d79db7742a6ae57927e0..6b318ccd35bcfe1ce60d788a341d160f7a773de7 100644
GIT binary patch
delta 50789
zcmeFacYIVu|1W-KW_uwC5CSQX2C18DFCdUY5(4QE2vNXIvZ1DsLRG?I#fG@ZfJzY_
zdjnAeNK+pxDq`>0d#@;#`<}C#5Q_TT-}8O_{<!z9GC4bE&YUTqKA+ELSG?m|u_7vS
zQf0}U4qtp@OIwq-Bi<${BtoQ|_;^WD4wfX+DxLUrugSE{94whW(kW4y!p!2<QFfgD
z#J*);u#ee$>@D^xdx1U6o@D=K2iP8VKikgkU^lZH*$s@dYuJ_SQg#7b&K9#aHlH=J
zb6G8$%*xn!mdDOwPG;V@-_S<8(C=%0JIWXQ;w8`eGf+O^PeJ*xKN01Ae;mr){%DjB
z_y?if;U9?dPJcMcoBalqTl{L2*ZV2Tb<0s)y%fdeohU9`fMWSP6iXXXbk?J2nTcX<
zEsBQeQ&7&RL@})dMfG?Tl?5m!=Asxk8pRkF3YP_iB@;!e7+S(G6tP2442nb%E{3Ah
zqtL31C@FhWVqdd2cShtq#{zE-OH;GAB=!w^3l&FL;H~UbJ$puCKeCUoh|i#M9}7G)
z)~#pHO6)bP?oaGlRPJZ|odZk}c)r})Ps#3**mvw*b_9!k7j9n90(Z@viu$`Hb~m=;
zd3KO}kNO)};O>^GVQh!QK4b5&7un<NLAC=oHnPBuuJU*>Je72z#M<aFI)l7GQt)L3
zD#b^wQU@+H)QBbR{d8Y=1v#HZ&>fOeN|PuhXG>}98v5g!+^E!**;;kf@Zsdbgbr`r
zeBYcV?<`+?M@t+2^u0C&G8EB)65R}5|Dw(wxLs$_dS}gQ^Ud;h_yUJ?Ndc3-nCJru
zn#jOAhJk@C`VSO%{kXuTh8*UP)&~}9?16ZVCUCE2Cea1@Ytx7kjS~XXwFv`tXsKfN
zN?4jF*k1NIyO+I$*=}NidskQ0MX}3qpEUh%K<*lLx!LJ6dF=I0lfBXDGI_1eMpJ{^
zS8w(D>^7_0?o;cfYRQ(6qEIL_fy*`}b3>{=eaLXfb?4fnUX8B`^G~Qz1)E56lZQ4X
ztF2~>&181*${P%WVw6$8g{c$P4$OS*qtE;aN`u^;KTd9Z4E<H4>wVEF4}JEA>$b=Z
z;;)}5f*sD3+jtKo^H~}C!kE;3S^GVjH?;K^ZTrTb#zGyLf&)XNyEFAoG4bK|-<<h@
zW#z~xI<5Xx8fugwH`=&4nMY^o=K>GOY(F5Fc>O?mGFeoVEkQA{9YsMCiczyr*t{sR
z&qk3}jbcPOiebelqVrJ<0>Y4fKp3I{!VpCU3TZgD;J84Tp9I2uGXTZs0t`P>3w%}4
z?@(rvLQs>N>33`xTf$1%bh?|)BG<8tnO&-)S4+#tc=8Clhenbw$gnlJv3&JaM$^u&
zz3mjBLJWcH_N9r7DS`F(%NOQ=Wv6_R#E)KV6j#zOf#x0Z#W7ydVN5dw5%nX9ea}7u
z#JtV|9~~a1W*<xJ2lg>4-e7@`kH#e^r9_D>peC|f`U;mr(NoVSB3$h+4iBtXl#+om
zK*p&C24a-sHDT(gau@OE2R18W0*93Pz#3&F8NiPm(GB1^Yl%7#r_!O`L;CUO){w!0
z?TUf?w>6l?Mx~bYKdIfoK&Q%NG^(Rqt{yZKy#@ZQiX;&-Ug4R*)hb1xz>pM3RzHkh
zK30237zR|;C8#%H$3>Y39C#Ph<p?PDLu@zO!EOVs-oVzdRm_hyU%=)tFPp|HSux9H
z9%f-_EP)MS5lqVn{e^x@Kc(-|*XR-YBz*|GvxDA7Z=@UO8oG-5=@Pnt&Y@m9jaJfP
znoB*@Lepq%0v$plsFo7)3;C9OO5P=}kt5_u@(|fgc97f1jbsB^Lsk(#Swa?&ImAn*
zkxEiba*2mnNE%5XLr4VCf=~S-eJgz`y(_&ITKt`_eUZonkmmXX6cP55D9;Az{EU6T
z-UeNLo;}ST16AC^?gNFqm2CxMTF0(tm$3`~jxDitmdu8-!K^<sFcp*Nuk;7{75#+1
zN8h9`)92_@^xt$p-9_)EcXrX6=@xn&T}!W`m(rE=Ji3s!(z&#O&Y(54ik8qqnnOoY
zJI$i0G?B*AK{TA|sDk`Kj*;&G%O8<<$m`@q@+^6RJWTeI2gr7EJNXycMAnmQ$Q9&b
zvVtrn9i*AeCUxW-GKEx-31l1@L)^ql!ZOJS5>KMZK+=zBBx$GS_pby?CACUMNN#SQ
zm6?W>`INm6w*3k~;1GKhd}KG<$?jse01U2Y*Rs_BgbUdDY!N_V9`mu80ES7dlobIS
zMllD=20$dSI2Hwv&@(0d6F~7j{gQqRuy}*ML=OWn9-;eaS2tke4tf*a4Cn~ZE9oVG
zk7cxzwg5uv>2x|3Ffx%A(6N9L8#U1snm}V{Bn<<gF!DS38KCkx`H&n1u)IK?A&&!G
z9whgZdjK%o$VS2eGMAH!NEd*noiveI0GqQ(H7N(+<de|@hzqcjL57oIfSv)wNYqld
z+DN{ZSEfd+3;<MynIA-%1AKpvy$*PJiaiWyxtHAzSh)@&%w=pPTMF@IE~|s^QpF}f
zbQ#I4fRIEM4fxP83h4Nbeg@chojwo9c$n@1T-;8#0w}JbmjNV}(l!7@9jyg8_$JUi
zK!cU00~Vrbe?S5yzXA?EBkutUo+nQM2KJD90Rdadb=d#Q$V%*f8<~r}uO(I3`8+Zb
z`<_k`vFZJZj!@}W={xB&={@On%tiimzaC4X83ZLVR;?g}*r{ERI>LUI*w3JAU$O)>
zVN&F*)>&3@Ln%c{Y%<+J#!EYKDM|jANI{lzNpvqIidb`4$8)YB8O+~*Apa@=_#4uD
zGl#8g91wViIQcg>5KX|Uhz&eP6g$UI9U=V##Vnsh@o#S+>49!$2hI9|jUkbsTyu4T
zcN2C@V#hG7uNXfz7MrEO^{;GQ1yTO}<qDz*S4jC1%b{z?XSe|P2O@H^*#*f%`0X38
zO2fL}+5i9{gL&okq<{<+B$~f<J&5jO*8@VL__6Cr4v7;)R8;rp$1>DO{9w8|R_7l*
zNF6mDB)pwhtROKw97LNxcLRyXHKx)YVjf=#8SYCA_+7@oyoU@{v#%uf75fP_?=k+>
z0TOkFIfSc}5z=&tdFit>iBw33@MRiCK2900j+#G=tJZ<=jlf_ddBHl8O@{K$btIV#
z=hv+xGf5o(bsZ@q$@2Xf9E2g3Kf^&0l6c7mlE}a0B!XYb(XMViiPXfXql#?AZ{xt4
zMDE`}1_qnGvYyzmzxoX%hexc(!_6CrM<q5y`nwI7a)O~q?}4Fg1^ZaRT7e&v**MUM
zR4@!3Fya-u7tG;OI-gFWV*u`h$Z;U^LqOgoWCkEBgXpEtG4uPR8>EY*<~6y4yPIR_
zm25iR|87bUIlmNx`G9@Nwt>TZ4{Gr$-6~y73?NU}FsD=_J<SSe6Wu3m1pkVbzF=wO
zVVXgsfJwh$q4G#3sOVBw&FYz+PL}SMTDog8>9s5k-M-(CC6ET+d|!ueW`}o{QQ(1E
z$jm>2eY^=t<T1e^v5nU=zGEycPct&3q>)l2%qbfDN-tdrt*DDdvIsHC;Aez7s$n?a
zvI&&OByZ2=Y^LJxZo=jzbJb=N&#%6QMDkIaA<HE33pWcYCAT}YnK+ogUn0L?Ee4&=
zx32}hC-4E+0ua*V7FE{*5aRjDYtdH<zvWsoU2K&`N>xYAPT}`&Bq=0YZus3s^e}=C
z+XM=c#q&0ia|Vf)Y9S%t3+ebL=mUG86$niPdfL6^v?^N9EPZqfC~qr3|IY^9x1iAg
zHh7?(N!c9`>}NK&bj)d-Q}6AV)6(2u$1OAIfYDkeB{g~HG<W!#z0LK$0U9Qme2ZJ>
zw9RRrHFN%)dS7$9FH+4UOUpuE+sxLsISV26&+Kf6jxbQg{WIx6p~wu;GwTUOW<EOy
zdZM4LhitYp;l@bDqg!ZXrG5a*AT4dPW_I|zO*7{-FN8X)3u8&7&-=9lnTeeGe$60e
zA*a7z%~zmXepd^vIRl<vP0vJu`qY8~^;1fI2`p|fxs!~P{J`STv^9gDcQwgW+w-dm
z{LV~1A)AdQjvj#U_S`3Se%sZ++jRcb)gb6LK4cB3Q5rA3nwW@{U%G}Au$8T;y!jez
zrMY{}HKdgMGlHI(ZbljDOQ7>y0>L2?2a^wHQGUtHS7kCY8Ofi`V1xPdnaoYHx!%N5
ziAPi=@M;r_2N*3hv7yA>eXWU6qA`ImCK3NUUYX5e`R`dQf<K+b^q~H)X0a9_XpiC(
zvzd#|v+$TqAmylF_tP`6d8fV6CF{$7OLNXVr9QRMMivg8_7VwlSU+&iYUwR}xd0=%
z02?xQgj*Fg*`<m~i6iZEnj3tJ1@yGF%=gV~_BMe41i$3*ooQfCPX0+6izT^Sna*m7
zgP)s@m3e3c8^o_lXF~_s)lrd=#P5>TUD1d5H<mw~&Zc4qqcZ?zql43J$Y9{qd~*iN
zB4>%JiDGHK;c=NP<sX)$pP)vJy)OY<zhLhJ314FT{nac{%RT@Lhj=Sk&dZE{u$d)j
z*-_E%Gj<epM;JeP4;!In?}&Dvvv*MUylh2?j}Vlb2Bl=DP=_U+V9_t`@@Ff<rRrgR
z<yftx!6%n#Jsz*O!D+FZJat|Rbl`eu!#1DCWH;A4@z3q{cpDnqeC@M4+kI`xR&TP!
zn!Kp4p>A5O-LlkL;+bZfX3c6ZG<SB+_2sn|jGHoLT9%{I-BRmlnmyUOs5E<iQ=YrD
zxvpq#dp*}Y!(zM4CbK=>Y8h#_;r}eB-R*EV`gcnH3<btE#IGFPJ2s1}-rC@GyG@pc
zIx9xh=r+00-c;wc+kF<Rx6$c#w072k?t}(bS?4UVR<zpk@=8lAbMoEA_Suu>W@Rs$
z-Bi7xrlg>L+){T@mvu_rJlmv>sxnux!@gwR<fgga`j)z^rk3{EzUFx?IkP}u=4aKn
zG(n4Zm@Fp`*Jid_-8M1Y1i)dnN%9*tl13{pWrN#nueVw1O+K&3Wx@~}Om+44I#XRk
zgWXYI=Q3M-jSar8g)%&4G<3AJ)U|Y2iz>#AD|Qv+O(?6FT0XgWV!7Mx&Yxtp+AKw7
z<K0!`EaTnQN^^d>yKJJvT<VxGZE|6yHQ!Y>eroPyd+GQy4btjyo6R0ENGru4<NV5^
zo;B52XSp2>jc&JBj13#!;Io)KPN&=Ca9MpeXJfs?VRkgkX%{A*hS0JWO<Pbk*Ir&-
zWNVz7J+0W9=dM`L?6X@I=DRD3=j0VmsxEHvbQDjRRGd56(Po}nv3RO=34iKO7RQG^
z!&C$NE}=EcWA`|$W<K^X8#LSNHhUX<^$wHMW%ruw4o{uQ?Q#1|F1M@E?y9dho81^;
zaK%D{S>npJ&uy=5o4a_)yxPK+$rUZLi|ko*rnOD2_mot%G-WL=>u75$YgjtXTUB72
zP?kH}Gt0~O9cG!Plg0rI`A8V?K2!<}R7rIb)k5oNB!i@Ge3=o5$SGEiQAJG}%`4(r
zq}DfcPJ_UKV%~oQa{|qaM?kC?&*zO`XT^+CMI}U%PMP9}Ml*c^h{RQq%nM!_!Qx{^
z%8h27Xe0xGXjI7ir+{>Lcy0=dBL(s!9VskjkXt4}mrRsFMzj?F^1FAWu%jeZ@cMB2
znFI@poqh%-g+Z(T0jkZ%kY_eQiFq7qUME`ty6`aV{_JfQLz0Bp^Bc&;m+TYh&96Z?
zI1EkbQCJ(_hxYs+dq5V1RzVQ@noUk3Z4z5Sc9Aydf8)p>5Uw6$1?&_07!=_zU>?{>
zFGJ@O$hF&z$}Uf#WoqTbf|6W!N%aKBIQs;<xp+dcW9lTktEMEkEPqOIL1kHGL3!bX
z0`nBNEw{{FQ&=*7qPg5*nK*4~?zHd%h2Kc*lZ%U|)mECTtMe_T<Hy%j<a^8$r%at-
zn=-keCU<g4xvQYeHLcP%ev+js&tWO4o#?SmGgsvmbXiMEo#nN*Fu9xR$yMWv9c5J|
zlk#nqt_t(yiN#Z@CpgRUtIDQX3Tvvyl~hh0Zz(IRt}PvBcN9;V>b91bPIOh3RE&3&
zms#!og1xxh6C8QYafPK8r^Rd;H?^wBZkt$8TbgT~Twaq`Qe9APE~>IS3ti<!0}4y*
zQys<5np|_9t;lUJaTa*^rGK#Va>^<^MdQai^C~A6<>k35O2<v~jIVHdEaN6mo$Rnp
zw&oX4a@Z^t_KC%A_oOKk##iQ-neDmNC7`TD&eCaReB7TbH|M`46#UUYSx)c%e<wr0
z`+Z;_wEOH)?5NoPFva8~cBRBVgkkv&_A=}UPXnMHX8YK#UZekK>_)WqF@EJR#o~Sx
zLfuXn|A)}0X%~ekH;i^oRH<?B;5SBuv;P)8mYqLQ8R{&I{fA)Ebvm4czy!T1LcR54
z|1GqjGZyO1$g2AQP1ip`%^85E4874%Zz}fR0grE*=nXazc@G%-Z-Hpp`GQy~q#q=@
zjV6-YaZw?a1R`=gs{A~)KOv9bwqG%dl*<(C%LEq95ARo~dCUQY1!7j|0Yxq;>$!Ih
zU6{i+B|#=F<%g44p=PW)YHS+uC-Lq36+`)`WY&+Ah&yrIn80+rA%P_+(pJ`v;p>wj
zwNB`MC>au1=u7}7F2|wIeH}D=0Vtnj{F}{6C4X<MA}LH9$eii6g1=j?NDiZw659>?
zRVB2|H2N-{9!<N7lmJ`uUqh`b)X#qiu)Xlw)l1ky0ILjj^xwj&qNkreV0s29?K+9L
zoe4}?sH6W5LZ_9{Lb1}?Q(&|3e_s?5{7}V?NbDD!TYeg}e`7EAF@B^)Vee7;gd(Sa
zA&s2_dt4VTeggP@Xe=yH`)L6nFk3)iOFWC>oAv^9=kHZSkV$;`UfBJ|@u&AHY@|wt
z;K+Rn56S1{`xIHEqI>y1MLHpW4gT4GrOj<oDAg3_5*JYUT!QkC?p8#m<`<Ti<a!*Q
zsZ*v@RZJ@?E-$Kf7fo}OR!uFlR+(MXD#}VrC)*~~@&orMhV$|FD9TgEm6mwM)q3)*
z)#LL^N^702Tu+6$+&sC`<*-*(R}|Q+71idF;)&vs0s|wl5<Lrc)>twaYosNr;_+(#
zpz*wZx8f`^l^?kmrxcyLVJv%gx57k<_;0%vPX64zib!6x2N+(+FW95VB$K<h?@_EJ
z2C?+C?`aDE_^@KAn*Au_9bWLMjE)Na%Ta|v$+k*tD=OEsrgLCjsn%)}BBOGR#s;&+
zWpy`rP2R?Oh^AhT+vG8O9Hs_yoz-Rb*=)9YPn)l`Wu&*EN!TFTJ33nC`I>u0U`M>!
zJkn+!Y4v2;>=u{D6C_rnC0O2Dq@z%R*66dCe^?3Ma=&6MIVU*Fs~=Dp);*xe)l7u>
z%p}Zb5%(*i__+@#V#wLOO>)Qte&hj=vD)4$Jx}abj3C9lxEo7R!&`SM26kW8t$3M)
zjGeDa>{U$jS!PXP)!P4Lc48e*GLnWVjY{?#WH$8k9pk?ZQ)*B8zFMaVS4z_)HkZCa
zI1WvwN!5XfoIF)krP^<-<iG4tj3#wr$iw+L_hOh8eAT^*BH|TQK2pwII~8tnZa2oR
zBAPOFR54b-C01Y%UwfY-j?C;c-6Qv*Z7J8?4*;0nTW{d0_bZIN{eDGyXx@FsI~HeL
ze`jM{w}L6PtV3e^VgKpCBpVs;=u%!0X=JUEl6WNQ#BoU%@!<Gp7dCK(dW&+ZI;v|5
zzwi%b8ksGl;v;`3bEB(OQNtoheXr8rtMJd_L;q9)RQbd|l`*7|&-zno1x8=@r!txN
z_<=u_xr0}_s$@a?!b(}t7G?tRufF@m?TSPqtbSop`5xlWkb6Jv<vD9r3LRr#hnNgz
z0TVH}kAi={TG?O2z7aC_PpmtkRsFtvBT_3k(x<2srn$q6zjco?Rm)xx($){`71V)!
zy>dXA)w6a%`}a|TQ?)s41wi?1>Fhv6&Un??wQ9e*mivw?U8IR0{6#sKFFUS`;Ex?w
z#<IV<lLBCE{!M8o^MX%2_?yxOod5baEYqCs*x!|nI5Jp1jem6<ZRQ8tjQUM!`70XM
z$9xZacNlv?V!uM8_zXJ58|($l<^ba_3{#ng34Byav9Nd0>#2?0ic3kl4*&4EKs%HB
zf5x7)3zKMc_raf)C4|i2#$S|X(kAcoq+gWz{0}k5yMIwekOg97V}Qng{-R7Jt>W7d
zp7)zFihuJ9*8ZGdm3koX>|d4fq?uz@gZU#VES1M*s$=*Ezbcmx2r>+qRDOf`<U@8e
zv`0^eHt+pxRbm)>JGgn@Kvc$IBPR1y==OVKRgf%R6r27%o_`Uh8sP(SkntDGRTeef
zF0mzaJ8J$#`Suwq!*FY3qs3llahkjiml>LOgU94?_#7s?%kJ{kHF}*cuT#t4ouSI^
zn$+2x84oi_d3{H`Aa6bP5=Xqrj89@_d}2q-%mx@&6Gz4;p5EFjTUUBopWjO%?eP{@
z@K%-^^wH|_D~MLACR)ETS7Wny>U=g!qsbZL^Vnd(aMgnnJMHjfXtdkm4Po~A%zA$N
zOjTaItV;Lk%WZL(gG>M<|3`Kl(+-jR7%f#WqSYH|2L#7%3Fo0#k)gQQDIei%Q8uWf
zeD(a1AA!z``IkQ`&jP&){~24E|C4e6StP1rc-v3P6cDZJegaM`3|4*clQM&xE1G7K
z4nF#4WiE_v<O;s>XJt|!Aezv_op2%s%@+gvobjK#RQ=TK5ea93kD#U-8qD2V-PluS
zC02;Wv0Uw$7x2WS?~&L&GOgdnW~Q=g@}F!q6-?p8n*a5Z3#?(RNrI}ri8W!kGZ}BX
zN2TxbSiH`Ly1GV~#@r}iGcmcnxU%_db<R3hgVpVFC}=j-NTgZ|6~NF4mTL7lV4P|&
z!`#x~v6#GWug`?$79Wg#^|m?-W7#-e#sdVd7WTS^MvuMGW^&d$>tLUOX~yHWH<}vV
zjXq11!{e%}x7rjqF2M+;CW$;kVx*>k7@<F-k^lUSvVfe&kC@bneCD^f_VMy>lxh6g
zZ<Wzx8UHp*oguEFAAG0GW*3fZ;Fo+4+PtKD&-W0D`U!Yq>|3#I-^#~qAfDeIPz}@u
z>wae6Vl9FMRl$EetO}QJ2&Xjxe($rh6iiE)f=NV%K!uUs4(gL6+?p2S6g3H^6G;-T
zDxuH3xoZEox$3A{HtJu(|M&(V_)VrdlS=;J6!2vTKb)<O<DDk;Fs*)$Iw~JcGlESY
zFsY-dv_dqk)XY{#<>DkRrMDLqFV0dAAYHvZsrW@%>J&0dtVljNUo3`K7>#rIv2T=T
zX;u!Hr;bWUp!{HlI)+Ls`I{N)Z$m5c7kox57|_>3&%x|_8PK1q{#y3AAjlw6xbYU_
zpNFZVdl<_pq+2SNa3qun<?bx$DXBaVku$2_k_GCh(FxQ)OlE$(Bvn1wAf&MNIdJ}3
zBCX<;OErV}lvK4<-O?Hy^y*YG=u3J0dAPH0p+?>PRH{0QsC_N!s0>W%&op&Bl`fHq
zx+7hkmVAD*{GdNy=D!Q)w9l!VGk;FUk`q_b#oV8+K3m=1q>l2Si}%yjI6AzD>oe2^
z>RI#EQ5IBA#hEUZF5t^D)T2*gRzk{Vp9;$KX>bibovDshGuX~PlOgME#y@LO4@x<4
z;z`D^<8Xgzq7L#BSxqd`t2ky5-hkr6Q_fSLm28Hc)zbjeslDFe0}gt8CU=9=Y-$iT
zb#J}LYH0*SpQkn@H$cIvtFyRF^;Q=Q*^TuuWY_szCZE&hcKf__buMcofAu`IBe~A)
zGh4ktGk1dvMtI<#3HJGVleN(fTd31+vsrE2a=v<Gay@MG=6Z+I<aBz0nr5@r<nh$G
zOfcWtoepPRz0GartIt;_CO3E*Tt2hYVyd@!8%%be%Vl!=z=6zmyQSV@!OMMS{?hsC
zv(9O7TW|n?!+=JI4IIh^<F(sXUvF}n-3=C}wa(_YS)8!wXcLH3J<HoR%iG-1>20Q-
z#(J~YS!Xj@>+9-4h~WL^b=lmedY8r8;C6U@u6hS=TCUDXw$wL(lel~)N1Yuk#sUjF
z4C5HO&E|18Sba{|eEE^(>Xc-k!&+}~`RpdEOyQh$uvk01SZr8{ZFTjQdV9T<$9AdH
zlN-HtPOrn>fMWs-*lu&$VB2nVn(Cd_daKoAx0%s$ZWmU<*=Y6Qc?T@sZnUh!U_H)8
zy9t}%@z%RNb@kpxzP(GGSzxtT8tTnftbQG=({`s>*z!R$>+Np4(^3aUGg?-9jO;!L
z`F)KGeO!^cA+82O(!#FQ>e5*Dpg6wiajF#-wFhwkeH_-c#~>YEt-g-&2REw=ApBkg
zUfExwzteN1e@XrQVg9gA{zjrYfj^uqQ0uB7(yd5T_vf17>ePOY4t12nK`++J2*eW-
z)dP9eaP>ecT`6N>ch_+BY@#084retW%2y-QRw`Y=6H?TTYGs=`ssNQ&rKn9*x-8gr
zP71nCdsrLJXQikIg^6?YW&aTsup|h&ZDeC4xC-ond(Go;z!JjI82F!k12>yeOm&Mo
zj`1<~s2@*baO(IOZWJHFDd#YjVINMeZvmfMi<W-25Qo!sY$`0=`M_Ho4d)+FKb*#H
zlvz1MOku|EYs7rC$B51Dgrn2Vc&4548xN}+(%5x9&%BEzKZG|u1P{_X;QI3b&fPx3
z7CZ-^=9}1NJTss1>yD}$<BY5s3?o{CFPNL$EWLxvLHKXkQnf#SDKAe@Pb6!(H&LC=
zTNBigd`qHwC_k2<jwMUP%>;gVB5J>RN~`0m6V!SV5N(%0$iYUACfD?Cp<X<$4lefg
zM0LLb!pM))hQu^~!XkB4rGxs5cx<9NnqQTqPN347K2M^?$lpm)XVI{QK>%q@Mqln^
zvGuF_G(>fl;4jzkHxt$IX9lB`EU|S1*wtdGe!^z`gLfU4s*drizgBmqvGo$$D8sg}
z7C(gph+Co1eTXgnoV^66@tuJ3yP)I=wSO+->;F_YrLpsb?EC{Z@gvCIufoFo6ng}l
zaz8xyZed#hF4wTj*?H^&JX6N_d10DWX{=p>m)7^#vX|hF-i=nPSUWa!KLG48$YATi
z=&r`oemqmac>6HTHA>k}2j4${mrk}uJ<QN6&Do4>BoNIa(G+qWT&paSNiwa;jaGFn
zSNq2-=f>rl31oxVwqZQ8OEZLDy<9UI%=+2ongX&uxVoq>hLE$cOLG?Cy;TPON|z>$
ztqfnr&x%*O$hARUctyPWpxA}SctwJG!Wp3_I;2E@2R982`V%(Th=bn~Ll#>kygX$g
z=UdiK2-h+xB0|p;I_Ae9IWslNh`#g0Lp|s2&?S=;(7fO{GgsOtt6<`;{PD;6sXD6E
zL;YiU_)<+QzkG=%o@^4+8ZNH2{PiW8EJC<;siuf*6!i@n333pg$Ou01+EPsnxgq#O
z^fFDl?n2T9mhGXJ#PBbdX{_Wru@uL+`94KIKJ*Fg7=Fq5nhQ?i)_sJMGhPlf(tClJ
z`4Sx{9g}X6^5N0i84&JZUcZX3Tck-M+xVVEnz2O5e_f=BC0lvaVvRjYA(VW2VT4R0
z+dI5%;-7S5cimzQBf4lmQ%6n2L`DTCvVECG!`Cj+M3K$G*`UHIP7ELaPgiKDM)GUa
ze(2#me32%D{7V*iDi>+;bV6b#LbrSyd;B8fZy(n58`@X>@MKv%Hiyj~-0nUW71;vR
zyZ!w5*BYIY!JPRkI{JnsD-~LzrG4a>R>(0A(Q~O0Zk2PS-=+0ZK9*{D>Lk5T3E)yI
z&C(k5z3|neAv!EsW{cBlar5$-+DN|Q9Bo$c95<-+ow$AJ3~dJg@*M5(GvDrcTFG;!
zYsZ|q4Z29>d!}m#{mpH|4DG;3v&UpJhg8@TBRJ_53O;FuHeR%}dQNMJ7nS|Rt<Ps@
z%jH|{)1E^AWB=mTwwYSTNb#=Io?4bDEJ#8-Z}WK@u-Ps8p!K5)hEn+Zra=F#!baq<
z8GZxzJ*7=1xAWhh&_?kapVB6>1%5rxZ3WESCMuKp*zff!Zg@r;M|3>>8ErbbHQ0Fm
zGukYo<<~!>O(nMktKN7<n?W?Zt5p+6ZtC9Hs(FK~drqs2VS6O-<37hAC!B);IuJef
zv}h;Bu!kfNV!<87G4XeD^v@R{urISiXmumw4|QqB#Rx%0+<y?lOwe@l8vN*<0k3}u
zt>8x|TfYvh))vOF-9jq~`XL{{NpsLIdAAq{nr;X+-M3jgK8E7B5ehl`7rO|@h(&NP
z)WY5N5WSOLiKb0dR?>t1Bd0*2VJOQbe+|R>zrU^f``g-+Zg-uAA)1r!pLSc_d;5&w
ztLl6EbeL71db>+D;PgVj;-vehfgzmRLkn|8C_Q1^IOA;ru?lIq1eb9Qt;GdCl!ON&
za%L+osPTvM4<6Gdk$VDL!iMm*-HMd%@sDd45fa7^KA}B}+%4d-6&|?FPipPtF7eI8
zpL<f9O^oZF(vBc^1mSfIV1Jk(a|XId!l}(ebP?Ek7n{LGvsii@&epqenEY)G?TS~x
zn^gDL+iZ{<{0%MB|5F3q-!<qG<WT!}Ekpy&KQ&PIX>ewUIJrSDOmy{by7Dht^fpkO
z(%^Ks7^aZ^7BGh5eo*S@g^UclZDj8of*Uqdg5<W3&V(4f2wuS!){lNppMWQPcLE_f
zl+S!yYdj;u4l*Pvv6<v=HcPAj$0kPIKQ_^7yZ*V2<{z7A)P0+raoYx{PH7U_xUN2{
z7Op&Vo4!pHr#3ll^VAH1N?1G@6MDC&@9xCYc+o=MK$wir#Gs;rA_(MmAlGV$<X>wI
zjqa(F9C^9b4tK6)a#^0UEVrn%!cjeWYEdq%i}sS@n!HJ6Wfdip^PSFVj;Z<M-P5K`
ztEik-JHb^sv2co|>~!R`Ly&=?!fvLgNisOQ>ZhP?31a>T#MZc}9aKJvs{E1adH#Vs
z=27sm`}mEIX`{LKQEduhs#ZO!wUC{`s+S(s+Tg~oeGHuMULjZo#)j#6)ni&5*znHB
z@a%TcaBN7N2E%#~-S1%K<KSkb{jVnqdeuh?=f}&17}iHD%huuh6%xAwFI~y3Z3K~c
zkj#clod}m}fN8d_5uSpO@nF$#IN*M1GsALZw%V*-7n}%P4SfGtU0yKsKw2!3;nHG|
z-T4ZCntu@2J*_Pw-JBfK#_{lnwHj`ET5A+CLO6ftAXN5(L)x(Li>6{Bh2VWzQP3zr
z9@Y-xD<9TIk^6(%NXeTBQF{uWXFPnNCY-ZJwC}_vLiuc%IUnJg^-E^Xn$t16vo0}y
zQfY2UNpaca?sp&2x_VAG`%G4ze6Nf;m@!FfWRt);Ho#AW{6wm7ajkSMCa_ZNkBRm>
z{Ly^ln>vJAJggnUv)<N4k-fdMDbf4m{X<}<fGD2Ny@#~1JnpDY$KMgn9_($V5w#x8
zV0BbA8kPqeE<LJCCVTp{L4}b&cTj6Z1W4^6?Rc^)c=O;PZJ|)a?)s0`G6X|?X51pS
zw|B;;p3C-UOsnl9gF9qpEu3@@-Kd*H`bxP#51ZL#bJ@Bt+N7IK@=jI(Y-XF?<F4zR
zGhaxMb}CSoN%4rply>0HX&=AQAIJB-s`HS8Vw%+m7b$&BXXX*V=!fv<Ue>Aj4X^1&
zAgtw)*K`?VUl0n;I;7Qhhrg~{)njqLSVAOb@Hk^J<M(V<Df#91=$6X%Wm$X#NcY;8
z59nZDhOR10i@5Ot8xb<QYY7$0V5Gl7R~seKdc-_UkoMwIj<E(X#H;*C>gE1K{`*Th
zJ9$hDc_^=VS(k-)h_07)Zt|$8isu_&#`eGWvM!y(bK@&IC;4}<Y27P21pbH#$MP><
z!A9?YMHfyU3Eo77TQd|IU53!;07e6O*Q>hlh!dvk;JQ8(Y`y}k27n-{e_X$$kQx4@
zN%QZ%)(tpiA^3NHin_~$f$%bR4;JS<#xD!gFFUQ>Fn#|n7yShLNtz)TpD+>rr*Zd7
zSO;rC=$en6i(rl^i0dqY{G0~~%FS#n3&DKJh_#JI2unD^`T7JpT6|8JWPLCdzZzyt
z;kRb$+Z7^om=81Qw+(2d5pZzU4j{G!xM!~%t5IqBlB0$kJ}67ys)+7Ba0S0COFvx%
zA<h@E`DCtNi*lA<g|g1iP)_xWSyi8pq7rfXq<j&I(hd|QZ73$Rpcp?NMbTUo`Lj`+
zh1h*EvL1y?#2;H{ps<J_<g6MLnIaN7y$VHY1&Wk1N$MiQC*m?uL?$N`q8K_3MO-e5
zA!AVt7J<r9qfkV8P(+B3<uC^dqYZ^#1TX8dP^b~|Pn78>7%csS4o5)}G5$Z}QT#5V
zfq#ub@iQ_gNI#0`xgSJ)^Y@t|BfyvaP<$bx=|9C9NS|N{q>ts3F{R{`5a%~l`dV5m
zIRW>{>}(tjMLn-eAWw_Hx`Dj(d0h%3c{-oh#gjw9s@tE}4M!Z<bK=ia!7AMgIuoLc
z+%KTjlfkN{7j(%n6M#lhQBm~L1u~(Rqw(cJdc6D27j$u?`@<J?k)%t6T2Xd0O5%pq
z?PmDzj)E=iQ^bjm1dt44M*0yF1ss9EeLLNRAm7#Wd_*(m(h7tzjzCoJJ{m=p2w;4Y
zyh`pSH;_w63z<xuBogtuPf1%~?RylKzdInlF9cKfv)KqQp30`;h2j$!oD-u^vM|!U
z=`6j5A%v9-%u~QPvSp-xOqbZG0U}Z>+v>`;y0dN8Y}h(c84P1M7g+Hnw9$8AUVI5J
zdJ=l#J{SOZ;B~Ot!dMtU7K%&o(q-^@Zh<FsJ)4e~SF(w4SssfRXB#uI6ht}401Ltp
z=geST{~3|apVJTNQQGwyeStnhABU~vL3%&E2LaF9=tjyB@_aeH2>z@~Xgf}WW+CkP
zY+6mr5%`=>M^hI<pEKxiIt;PT1E`UzDM9qxkK}83YP?V0BCj9<`Ve`P96${8PI4Ey
z1yRt~lWTFJw2E9n&L@iy2|bVa$jk%;Lr+4~PZ6ZzQN)1=ur!iH;t*6A0T(Ip>DHI(
zKbON=XNs^^RVb`g4ux*S>RboxHzNdZFb428;%K*%PQ;RyA~w#2FtG#@34L8?>+itQ
z{-V5oJLDC-1FLrv?Cn<}hsR26+<CCu&y@p$i{y~tT!i|Kk^`mtBLKE*C2f!+rVUJD
zs=tnwJ}FqbCsbMlN|(|iK-4Jez`=AHO`>rKjWtjem3mk0RWORDLt((Dg+~to$Tc9W
zum%ybMdU1m)q$T8!5F)Z)AgUq>*EvaW5EGOFZ9g7`uu}28zlOFB2>Ifjuk&?_W!?z
ziVu`y#m^KfE~wsgu`<C>aUER$P*VjQYQp8OWIN*8$KmYvRnjQ!mXHV{^x>xS^j`y6
zr9XsEJRdvXn5#S&Pmbd|TJ=JRg8k`2g|Sdj{&}+7JoipA<|qZlPUi1WqueH(-=GX$
znfM=jgI5(iZK1wU$Vt+7eDg7b=tBBdme2XSS^Av8LHolpXbALcc$Y5|E%CV*G_+oE
zfej{Sc3huAj>v*ccm8qxLV^&x3D4<r$a6vZxcNEVEX3KVkLVoaFtmhdu6;q*kB>N_
z3+Gdx*M;#B;_Ek0Y88Cl5nX?h%5OUYQv8f~IzLfBkWR$fOK`io59BNsDFH6TVbB+3
z3kaV^nvRi-;?u9t-yzmv64%^h951el`E$1guRQ#l+k;mbyy7dvc;GULFOq$W)jTKJ
zm}39~BmILlD!yfxAxGvwD&G3FLG&g4#?OCIeop#2*h<M4+=^C$9eu^mzfwOwMA+XH
z<2(mvX>Y<VcNegF4MO}o*(`+iPlP0p4ca#Vq5MB1x5FDCbq5f+zl~mti2WsW9wPP2
zftEIqvM9vC94B8QBL4{dIqnC^+JFfB^MQ9>P^bb>lQbFQ{shr~UwTP;T<W)5x<lG1
zt(I1+6huS1ue?EDE~jgVH7ZmZ()DNXb1sG#b5f1DkBr;^!RK~lCJ^zclR$7rz?Sec
zPTn2|ExryExQR}|05dT>iov}Mih3(qL(T*3tN_TzV>7;%UY7PtH%nJZ3#Azngc4~`
znpTP-M1f$p`S6u$@9=aPr$lUAHz@U#diVLk`jk`ZUCV;?BTlJzE(z8TKc(KWNUo1c
z)=H6aeP3*`cFK47*LUg%#fTv!p7N-@E!ZIbE`8)VqCxyA4Xn*_g8{?Pcd+Z$ww8tl
z115BB<WQ|Nr0@HJ)dS*AYJ09;wB>8=(huws55=7F&^cPUujo^%r)uQtA*WPVsZqUl
zz~J6jEOcg>$E)PZs1ucrEOSw?a?puNdsmjZAXpoDqSlsW&Iwiy?5z}Y%n+4<$N{Ge
zAXq)9fA2csI0w;Hv(n|}10s6+SZK{Mrv@v-LzM=NM)aJh6g~5M?$$?QMFIo*o%GBw
z`R)*7@V$y2Ac|Jtp-b`ann=SbLy8i&t{H@*l@QoD+!img2!%6IKS0;py?A-Ba*#II
zxC=n)wp(p=4tJQ`dXT2Km(aw5^#jzsy<lQiW3X#g-%3lUQrWlC9I90GR*FGrs5}v-
z?K&BNg7y8WXsi_oBpS=J8wiiVA;G#JQUR^&(}Z=$Oy3VGf~Oq{fFRuumGU;W4X4B$
zgz0ja_`7gy*Up+ipuA98QmR=w#KnA2Di;ii8EiNN(jlN&My6&2cHkeu13sl9LUtJy
zhtA6GPxk8vlYxRsD5XCowut^gTgZ#JJPxw_Nk6~E?635j)lp3;bmb84|5YE)&p)P*
z<YSKM`;k|I$GY>6>E~*)aiW(({RP1`e;m^fATM*vuliWtdQ9J+=lr6#AToOIn>rVH
zDOex=7L;t$x?lBX@}j62Pcr$^U-b_1eD8B1gG|LQ`p7w<<#|2iAsjjc`JYM7qJSLx
z6V~Pvq-J>?tJ6liUw>AgLF%A<gbr~|ca!Lbo5fu?qu&NsiwzL|Rzv)`2()(@1i%GI
z;Wi6y7t>h{C~+A!WgG<Pkq`sT*cL=RvRLGW>5q-!2^GfccgE-FDK{R~-^T#s{NG3Q
zx%FhN@U{9JKC>?%{(K#_`(Mb|C44(tA(xLua+MnFZ9jBoha7$kiDlkHQkf?pdfyG6
zw2od*zCsF>eDI*>APC+|wvn|^MOq+yJCH$U2-TC{G1E-az4lA}d^%eOK60)|=JYA_
zgTqMUawRl@8=xa}LqBLhI+qMURUuNi`~(en7*3VmMhch5kl5#TdIRL1m9&G-CI=zP
z$3Sl0Lart&NGmxP8IC4ER5c(^%~xV90IOrSoNF{td8YMYhOIq*bit?+?5~clrz4P`
z#eud-dVhl70iXJ@0=Bk)rys_r|DYdA-U@<VtgzSJ@dH4}&fok&KbE{1G{~SnjK}|=
zSMZ`A^+yqEp7N7EoxC9*9>4aJ-oV>`(ho<t`36z_dQY{LSh(S5eG++<n}60n`&S3*
zvM1aY3H!1IE4Y^NE#-!!;*$K*iizXQRmGF0*ea)0<!2C;L>wk9Mb!4}mbSK>o*-Ni
z7hO^_e%iQd`_xI(3aTrsCRxSmQ{lY+3i|?m9%2rWmf_Sc=>TTZp83&JqeLR9?64U$
zcadi#b~fEgo<Y|Khyobx;<tULpG4m2T}3Y<`ImpMFC}k_gZjZ-Uf3VL*XL>edGSr5
z*p){m=&m9JXE)=Ib{WQ2rAW;Zyo;WPf6)JI;*)FGIx|%a)G%1SKgCP8!)awXNMIpz
z<Mr{3-yB1q=+YsF$q=cAVxzjzOr%8_PQRBH{AFqsjYy6n{lNTxpB6<V#|Y&@@wT=i
zbY9Nykt*FU_RQPRFjLsaW-j8UOseJ=XVPqi^o10~cV|*tJjs+aO)U*`qL{6xk6>$G
z-Rzc@c^TYbqVWo(UwM<8P4pTC61AMqA2ZQB{#*ui@v&JnQo;1n5MGl-cMf3HQbwB(
zc|tlwRu%+dO0j%sHgyS^H<nM!rnjt%r;4mdN+js4FMx&I0v&$=tXrd?fNJOm^dQnN
z{R^3-2weeVMGeHmbgbZE!f(l-X}l$q#*AwBb#%4{=hV?QXVxs_Fc{1n1l7UH248!9
z+niRB<0MiTANmZ4+cRl$tdR{Pt)1<&<>s2;xB2tsZ(6>|L}U21CTilDCR)aS6JK99
z(L^4F6kx-}GKmBxVpWARz|1CJQ=P9Z#()^_CL|~k(>CxgGHHB7kcX|3SRTC+mV;6M
zFJHs|%hw?1=lH)lU&Be6LabSE`*pir$Z8>wMJ4i>O@XwaB6V<Li<JDs^+<J*;8#NB
z3#B%3nsM@ILDCR!eI0zM5ke@EOVpWc@E~?M;4tm7HMDegw9jeq0Zo&GxlJ0IitEd#
zl{PG`Z0>6C&dTjr*w#`sDQmuKQM=Dq*ikdCz?wV0y~(zuz1lK+YG+x~yrOBX<;^YD
zoQ~Pv=6UUBP8{OMa#$QTk5lC2NYr7VF?|PGXZD!uyl$(>Qg0P`ND-D%2M^^6L}=KZ
zR;$nLb$K22@FRl5eQ1~yCob)nvuM`r=A~KVI~LBZt(!6-w=`>($J5p{sd2u!ZA#~?
zg-uJQ`Pv<mvpjQ(tQC`{Oq;_GKFJ22w5pCQiye;LRxz#wEyjiXD<>AvYqwb%oL-N~
zXLZ1>+u;_@==BXIpQEwC;jU|NIIV8s-PD^HreV?CrYZKO+WNv$^Z04SxjuW9XRfb(
z-hz2;ws{a3Di$_Q?W$}YH!Htp^0;wD4ahVz$v&sK#qzg{XU}rk&32cZ&}6tKw9Cl4
z5=>xI*I;dMA~qDMVJz5X;m!@u`#MvD&xt&)7K<CZ-PsH_gJf1Bqe+*X!p7-sbr)0@
zO{iOFnJ})n%Gppop<zmSNnT?|QG0VoZ9!FeY3=;kOPgD2+UiT2U5hJiQztHIZgKp>
zKy5C!+3gmqIb3}zI6BO>I=9Et)d(+n3>T-q9+SHf9{FBuE+*)(xE;1OZ*xOSlW+hI
zZFE6<g}ufxZ>gue!_qOYqNZYEO^4H0R#ID&J<H~5sjXaWZJX>W?WirRs$Nnwxoko0
z?6w8XE%v`0Xcznh?Di}(y#HNxG13$jM(XLC$j0UJHFyD(@Xr^=(;f@L5zIaWF4Q^e
zEk3K+>@+v_<^;;{B2n0EUz?oF<Ufc7AOE+xF8Vn4^ri^%cw7jR!cYa`Gii#%GRY&-
zlmOx%2dtcnq-;2%iV{auCi#epTaFrX|G%ANZS7x4!bNvsT9NVBpP*4mvL%vtW$Tec
zcikOse)np_6xhD6kmzo53;vifj`)aLbr_x_VKAxUBOZ%guFr|1+3Fta*UG_IXEYIq
zX;N^Y-sSpSZcfuD>P2qgWhrwSQbr<gT&g~gZ%)(K4hTc;K)F-QEiN>ghtl;qyfj@u
zTOm>f^WEwCNnzuVISGS~LC-VMGmp*CuTj(^OEBM&q2C(JFeQ~r^kp(jD#dWe4qO?f
zJ<+u()U~&tF^4Z3j+4El2cj49uZQa=^`Ebi+lj72CxHAnX3XX5M(8^gQ%v0-^RN{C
zwulr!J4PyYAtgAs7%?|xs@|dyDU$ifRQ=XLV*k`4Sa}0-tmcvZBw9KsXG6?4{vViT
zdH#?=2?Hk&Js#UB4oZC@(7h**G=H<pn9NsX>(kE?Fr}Kms!aS1GPZ*ftH$ZmaOBBN
z!TKb~5EU%^vHf}yItwV{%dapdD}XXKesG|12si)RP;T@Y`@ATSvoV=xZ8oG2iP*B{
zhQW8Ozoq4to%uC}V3T0N>LL4k5>|V-<#FSnn8<q+6Na8Wf7T3j!Y%#;edvwBgw=O%
zJkdBIOP|J9r0X5gk?-C5-q3Bk&l+D7H{DN=8(qvan7w-5{$xHf8QH7*9jH|fylJ`G
z+S#$ppQa7<8q8iDi!|8Fha-En06fbd-@YpT`cpMMla;eq??X?UN9gBAD~38ZDj)eM
zOn_gIB-kao7n$Jffb9|eR}MAEz&Pv#qU}2mz<5i7KGh)R6hgEVzW+SnQe2|`?C=J?
z4CX@wn8yheT9v5Zt`O7VW0UmT`sadYhj3S5m_|joe-qBZ9m)EMdNHFO<Xy4JkjI}%
z)=!hMjuNj#55sP*#K?Y*s0}-nNc?%dAul?tmqg6#cVZagyq&jfG;}MPe{np@(>EEm
zg=HD#VGIwU8Gmb&VVOegDBlsU-<l{Caf5Ud+<fVWER(h4oYF`hr5j<qcSv92M)0@-
zM+Rm5h0FED!8x3FrC!5-xI#akS6pw%(S!#N87Ti9c;0P%+wcPsAZSDmPGY9-z`Ri*
zeS+ZpEo>Lnkb`6~OO<LcJ*PVOpn^}|Wz6mUa^pHI)18;;%X$9gc*Ps5@Y=PjaFu+S
zzKGXfp<lzxufuEm^*o)e1$p`XQvKDLL3G#~M293yA_?9jaY0Ow{ILUjphKWS;K<%&
zp0>^~-{>3A7yf_Un=E|NY$A`F)y>z$>*I%{``)e?b@tqryw-hHHU0adg6W22zIVML
zE@rUqC{4Ka$YJr<pA>Nd1(X{89FUH$-eB;>j@k0(zoy=8y%%mo*E#0+S$HqtD>Z@Z
z(bsR+84BZ+V<vy0o|?a1k}ev2%>aK|*h!$jX<ss*aD$;KCj4D>UDS=Od%IpAo#IdJ
z#d87rXTo#ySr<GsVe+m{BA`QTd_O5&_;+`(ELZ}!;*dI$9L6DYK3x90accoz{H>w1
zd)IG<&j>esXDCtzkLnT*8*{op{=*PW(&bJvB;;9W>(kLW$mjYTk`s@UGNeC3i_ahZ
z)=<QsS)`xHt-l#^LtV*R{p?b`s@wdFp__&<V5~&1B4efZ0U|F&)JB|&0p~8$=L}`p
z5xqE2g5OsFstFjMsSKi;fJ^?>b%rSlv4VX3^@eTXEnzaM2qc&JKL71{!-ER3c>KW|
z3|qs4gkdYvM3O_&R;f@xXhiM6Q(rH}JXDcAu=n*N2FS0E45667^lt<RujU4`UO-F_
zrhmN-m~L2asO?|aUw$MEk4Pa_3KYoUyVt`ZSwIkfYrSDo_?(CnBaXw&c<u(nPE`<g
z_^}O!Afu*;jYp2-q0++`@qH1sgH9dso2&FW!xY(rdPm$EDfgSuvl3#+mTNKO+t(VF
zD3+?~U*c)k8nz9XKTvMhhm{j9Z(000L#N_g%b+oQ!#cy()F9gJI)QcxfC!Py-ya*@
z7v=cjON~9q1=YpH6Z#wLjI)OHq92gp&g;N_?lGjtI9FWpd`amVWdDDE(75BZgL|<K
zjZ8q@LsuK(;;gGDPcD4owmkga$F;lC{7F%L@h%X3eTdf`Ni}B5d?z;iiJktaF7JJk
zwD<K{t$sGBF9KHfv>%%uY_H~<GW20_R((ZuVc5%;;Vlt6zxJm^o`jE=ULRs`77O3L
z!;rRajd66$ke5n%a{A^M#A5nWdkK%smU;+}HSS=|7il-Y_kmc+AoLBA=yoz15rd)6
z%H+W^q@)N)5fHHCYQqABm@Cr48n*RsjgoiBBz96jh(^U9TmsJZ;TppdgP372=i0jj
zoa^>$3};7_4(jbPh%THg#UnKV!&HNqU+*IVZus$lq1Gv=MHKRO!CreejQ-~^o3s>m
z>vv%dUrih7XsLn@#0mE!$V$Ed*^7rsKS|F>|3X+CzhjXxi*L*|CR1ru;OM<3?r1lr
z1s=UWjh~MnSqKF7qy_Nv7fO{#fe_fRAsK17-+3U7zuIL?RfszNY@sn(xj?>6)+Cd{
zz|vhNo>Pj-N%H-D<8e7#zI?aHm`vseo<@TkI*n<3Y@0EikDXvlLK=vJ3yfKT<9m}s
zQz;8gMJf}MVLEB?iOFCppOc5l25Bn{`bEI2AEl>}fttUx2;E(|5JhY!Ivcq*nYaQ&
zcbfv8`_gzhhC${A`eTOi3((}?L}OCmzz!v!fRO-R(*kT)THxLX(*kMhl9gHVcq=Dj
z=;z2&+kH*4a*SM=U2aScl;5Z1cVmtL^G+rBR9fIetdjzNzq)_8oQ#@DR*61IN~A!-
zjl&~WM#acrAm|B5n?Hf)-f7sW(4T#4IzM(N2+7iD`Myou&k$gA&RvGb^$qQh_3rh|
zyMX@9cLO}^LuBv}Ae9n?sB8gIvG*9pC<G?*8TS}&PFLaFoK2#)AY(9m>F{M(56A-P
z<NG3gAY+4!A4m#f;kn5W01uDQpJnt7>&1HfN=m;6llkShK<Ffw&aI%sz1w`2w?3#D
z+KcmO0^s2LZUv{!`fA_%x%X{bP=8zdT7N>^35-Xh=g{cw+YG*FdP7PUyJfD?zUTfO
zeiGY@<!H0&!5(}?{@vXMvy9_0BOd-}nsZ!Ov32NG7x>d+PQvgp*CnfhA_0GBsxe(g
zaIv^yAMF|`{`%8<$(%v~et#x1XC7IWb*OU7EuX^85DPCbN(e}77epjkK$2?6Vyb~?
zv<0V1@32<Eez@skA$YBX@bk#U`d8s<`bVZQ2dT8)x<vmrAMlc)m^WO2o4*e-=4f(y
zd_B%RZpaO(aEMcVkW7*+=q#!K%3(w0trc`Xq)#4Mgst6it07GxR+GPdD`<)@?gZ5r
zk}YV;x%(kuy>y$Q*&x=l7ihfu!LwH14xq`4m3tOEFevTv>5I|x=sOH03bCU6$~z2O
zGsL8IkS`z|K+HHrVi*Tm0dhnLjQ9;d8cKNn4~C}|Lh9g|(Z*cWm_l4q{`HN<ypRAf
z^L;4p@B>ov?<PYkY5vJ@6A4KXGbQ>g^1L%l{l|#fgj1N}x<wEol-UWrJaK;fiCG67
zS9$g?=-ha-q0=xrQGHhLtRbr8@Mmwvth0y7vlhfTq{Hq%fQ35m7K2A20GK~`i(#ud
z$Q}PyM;mbx!o16S5C(}G9tR-{BFyl<2s3znGB+Op!i>y*;g`yVsgIPmZ^)=g?u#(F
zdy;whjX;>l{70>Ej}{e(zy5@zz6ir7UTI7gF(1HAaAbaC6<m5{1<l~|d=XK5;e_H#
za#Q^zu`dGcTi-K2s~BGhfyiC?H`AJ9Wi`2~a(`OFNeHxe&xt20V~uhAT(7Y>X2^mE
zo02wr)=vpMe49VDmuSd5@{B|SspuE)4x5*EgV+zTtQ2A*jz4;3#iUbqnXfh)bK;cQ
zNxj=VF|l{cLV!9G*uo388LAax<b2CE!B!JwVCW+t@jn*=p83DPR>g38fI)x}pK+6+
zHY7c6ljybNX=$5O1h8{O)Q&iHK<8WpxKm}1=pE3A;k}p>gdxI*eFgwaKVUE`#HR8Y
z2Mk*W_zRQec6~+0tc7^F@kWS@VrRMKM#H53vy)DYJcPVg83B{8-Uzut>?JSXYS=3C
z5GoS-twF(&M`CA0ZR)9GJ@7RoT~&5!?^xSXPIPXPdBeIr=(}jIVF_HBFFv~WtDbe?
zMBFg$gRDD$#A%3iV<*<~!F`Y+XMgCN&+YpSTi2P5ibR$4fRG_?p$TLegop<qbNFL3
zPr{8~cJ+WO(tPk6cN<cI*nywB>M@o;K74jv54_ohNEXM<sd`n6I-~Vcop$5plC;)S
z`*dx3FS6i?iMvnqYZhoQFiy4Nv5DH~d*JnbrSY?I{-m@MhyxmLyc{~+`rXj!TthB<
zwlwMCNmzj^lYa5D)LvXcvwo|C5-;!zxlSB>L5BXUxTJSBt+0+<v_g_@KX`VtKO^M?
zvfz<~Rec_Tki6zjLw#J_uNSXOJ68Q^aGCw7y%a;nmNQa}=phR><|b_pJ6kMrP`peO
z;$@+fxF&btfRzd9GDOMTK;BFu`x5eby9{YiGQ_0$`dz?=S!pMBFeGFi?!XSN-fd_`
zLosXYHyW0vo<Ocpj{=7H&wC8jXecJjD;_k!?7()x>;UtCFa>O3t>A#~&<bLfJ|PEj
zf~{e@WbSw63cZ>i{n$`MRO@~QmX2PD?|-TQS)-pflyg%w*w1+{8Z`XABjAL?k3hrB
zCAj;{^QgOa1*`?*1nd0a1p|r;^toz~jPXWr(K7JMu-qU8sgdZ@q(=G;Z~Q8v)^sWo
zc>gfu3{z#BdXZp3<_RPavXoGsT0X%nAG_bM7-(?C&~Zt<XdvIX>;c2s{Vf^2YZDZ!
z2tU6YPr17d9;}UkNZ#3P*g7J}E`SI^y6TGv){_vS^x7VPb(&;=tvAlH^u>Y9T|GG9
z5WgxH!h!gQH|#XMHF_;V9Bx_~Q)}*v0}o!C%tsxDRy8_m-z(LZY&#cm3-7%%+n<!(
z7xDwkcO~=Nb^!3RRz)}Fj;KkMq&<fc*Z5ghAHWx4uJ}<qz`cW;*BNB9Ur3!ASo-w(
z*!iC$y5fpFO@=?sbOQV#o}Ifcna{Wn=8e=9TW7oP8?<K852FJ9^j<O`B&@(+kb#lP
zHSy`{Lndsr*ajWM37wP)$K#+yA}Dc4nZn!w>qK99L*khRW1$ksbDk%>>n;FMs>(P~
zHg_p?vIMf{8DlPT%f0iR;d$Y2P{>0S{itz`0J}oIrA=SRH-8rrz9<A8dNqoV0a>p_
z)MlRwS()uH_p7qAdm(E=Rxd(^6te~GKr_uwLlq!ItQDWJ6KK|CI)RU&1B`S30D4s4
zXIQ8ZtHlrB7o?~<hS_5fjZ!8CF|_|mmqmVsPy|B4{pL2j;;Uy2IYt>GdLb8+focC)
z!`WdeX89SR5XdU1WxJsb;}M|2XB-A^TG^B>4@k&CJz8jn82NQO3?0A-0Uf>lidpm8
zdxcU76)PO-mC&;2Kv|s}4P|mQ-9?594J@c=Lgjo#T1qz1cS$Ssw8}NPG5p=D@RNO{
zNcvYG0gB|R)yC5FH1G|l&Fn)yCNC1s*^spgKTlw)v%rdH@wggn790q<>dpAgkBc5O
z1#aD&#@joM!_)Blm}yQMj?<8M3g=e!$YJI7HsS{u95#~=2f%Jbv056vzU6^kdrX1t
zJJSMr`_lrMyV3)DA4uirLOCVvfj@Sd0^S2@;<q00<9%1&YYJ3D+1s~&xB!&2z@~j^
zfqDCf2jx=fH;Jx5u>~7)O+>BzRHz_2qo6nT9;mp0*yP0>D;77%bOE4;Ksi2r%5a(D
zyx$MJ$`>7ivF3cM+|DD~h3L{cY%6bm+HjGQ6u$HG9sJnShTxHk3csub`f?K;h96vt
z!xv!(AKGuZ8<^-%!=Ule1dQFuXN#04olP0-v%OY_b0ku5c@VH(U*|OY>fLs4oeKxL
zR;;wgjAgU9{^|ZKS6>PR4LT%xx`Lu-41aE(Q5}7G=Fp*OqaTsT{;aPK)jIo<s0C}2
z`4^9YM6pGk&5G9-*d%i6wukTXCpr3(C;<{Z)W<1wycw~H`3rx~K4v&Bk()A0$NHJQ
zFRj|qeWLY48&9HD%FhSQ)f5l&N@V3HFX#C)Y$s?H$k6NEvN;Px&S|pPgPhtK`-ExY
zLm%oTBKF3g-b=P+!gV^?j?Ef%{?$3V?|D*^Hz~-JhDr2BNI;KZTkemjb)E_&;DG{2
zoIOCYvdbZF{=^d)Nce%(z%<nphD!}%%Do6ESHJ!Q)R%MYGGZ6tp&-3krvu%)^hrab
zK}@#y2?3IP<Wq)P`MAI+E$C}CK4I+r16Jb&7;w4xZ3n@&b9sc`*kd)uYjgRYFp$a7
z3-l$tP;D$Yh0b=*W5yvp+S_7@{+lc&u{$Gj`jLoQ_h~Btjtk=H?p=XmmpmE#&Q1?y
zJKl;nE_>84NiX0iG#mcLzhQ)pdCX87;c?1ORN@Ii*P!O+F2EB{JZ8vO2%zF&j~lio
zz&leGRah$31Vt3cE;T}E5hocCTLKB+y0|Q<O#RTXnm2xCSi@Z(KonW`F@%zj5x~KJ
z{>+fC3`!m%T7w_{6!M8>FBaSUfkDmJK8H51d}>$)7rwitarn(Mk?I5~Q2yx$883y$
z>Qdylx&=9nK0*+L7r$mE;x;l^B)p&Bf^Y1#h|}=m7Zr=)lbVK*vq-8(xY^IJ)xC>=
zh(mbQm(m+Bc0GWYjcds{7m#KImE|HjB9p`;i}9b*9*ijT(fzOXzC1pPD%-!Rx<i)k
zOI8A8fg}XTV$$i()(HWUAX`Az0HG6tSy{8NLjXg?AUgt4u7D`3$}%i65L^&JMNvdV
z2LVNvVH9zh(b1=<Bky}|cUL+Y80R<dH}l^6yvZL`m9E=ex9&aXo^#Lk)wNYj=EM|}
zw4{~JTQNzCaU;%z4-!*N(FS0JIIg>R=-P<u&b|OMawg~T`6-4-KEH?Io}e(%*q*c(
zDjMTDgo5Arrr#I?_`5w2a{WUOLl<E4v7UyMLdT<%OwuC9rNtyIbX+EwqzCPn$N`j8
zPhDHtWVWQ3Y8_WerumL5iwTLe;%<Uzj{VAPHO=A!QVrJDj{nW3>S&-f@dX><9=(zZ
zN7t%#Am>+74KMRcJq;ad?eG4O{Zwy1)!9!AC{@w)fH=+*#~N{*EsitAaf&!ri6gSk
z(7s3<k!OW#z)#{hTpat0W286+i=!WowX(@m{NtwAd3&0?l=;A%-J}zVbt)8_kEBhA
zQhpu?o9mRNu)@9|?FJ2u1k7G1Wb{eWM@Y(i2Pjxm<(?>>wi*=E22gud$jdp8)<-ej
zo1`^BEh~3UJDtTGr6rmQB}nZ3CacwCO*5q>n9|Iq0zL|(f&vOhx*HHDX^Q9PyBiSq
z$-mAplyIL6!&T@CQjji<ayHxY%I=2D5aq0-*Jwl}aN3C|$!v<@ZlDlT9~W}U!uP%G
zwB_<?GlJtodKkjoI`!16prCX^H(uJ!u-hST&r3=r-fbRMrb=I1ddr0bnp<W_D^t32
zA$ib0O)RA)w3L#(<=)4Qmkob@@6TU2myrF(u!MAb#fWeVt7toh+B)|Fw`ni%*(>n#
zyjk_^C~XlHAHV&o(I#RV?k0eHG!wwE3bzozi6tc^MbK3&RutJyE;g4WA~3D2xU3{G
z#e&eQl3%+&uDh!M{?i(G5<^%_u;GcWnLfSFAVNj;Up2;-;UaQ*)=F(VYNZ`49HRcA
zNkbOj?B9KPjik(&F(Fj#)Xi1=HWW5E#Ug;XQn?JTLrCOz*13sC4$hI3tjH^gsxIAC
z0Kaf3l6xP6=QAq*z$xp3;!sHmF+F`)jZJGNZcjBt^4jCZiqPoNtVh$nIgTW0nin;O
z^cKVqAl`&F2hdx{gA1vg8fQroPNooJ<}1s6yUvc0WSSKrWTl@Z<zXD21ZAxDwPm!V
zjCVr>Wn^fS;oD8jb`{OGaL3K>z%J?Ob$DS%w#BcmGF?cN325L@;4^7EdiiDJY(2dX
z&p)R5>~baLSvgnw0S~|FYwOYS;n>?|x9{P6bX|UT@ym1Z%cQsS)4}W+J<S!b31M6P
z24slaGjQ83%4ANx=hdNXgq~)IpA2OVZ=v+8q~zluqM>|knJu3TTXJ@Art`@UcIoLy
z&Q;Z&-dga(f_Cg{!=-`k<~aEwydBHtFSTbj--sUe#xgY)j)s^Z_N9K;x!;fB!NIKA
z=9ZMtCM(aq&KacD25NmIZ|lb<vvIv#=`{x*FZTz%>aG5Nak~-xlO!F#=YjpUY*%{S
zPllNn16XKikM-qlqqcpQE=fneo%mZdJgbRFvCn)QKX$1ND+@AxGO50ocge6?n|`mV
z%XFp70br2YwyaO6EXB5w%eSBw`Nso$tyE)sHlxe04mt@gEe_@Hgu%u<BRQmZ_kAx*
z3JsMSL!8}2qTp=D?l_HK{g9Q_#=J6I>h^KwZAqcQB15?e02D~I{{uEaC;v&=nN?bL
zW(P`$Zc5K=o}GESmOuQs;k*anf<2Vm(u&5ajfT}qt(P)LGLf?K4Jv7#L$c2ED53fU
zYH8LXq@Wz>Iyt%w)CdSuGEoa4642HjNE!YDiRNdZaQs$&3MK89A{(<(z8{I%_o601
z6hMoO*p>eYaK-OSC*Td(DLt+WL*9@c=}I?H*6S3Iwf7-Z;SuE_#d|h@lMB!X$6w>I
z^@f*`xG70zx&J!DhkWJZhWG8-bbzGHlLI6&D(&>OWw)ew-vGhr*-o0TE6Wm$F8tmi
zwr6!4wqH;5!TSWVtv+(5xDU3lGdlk<kiD%Z%HVIcb?})^ikFm+09X)@r-lX8&AL~7
zM|f(Tq5?W{CU^5=4?sj-8nEIszQ_;EZ0;qPS$Gv3_N9;gz|8ag8Ci;m;`#IbXc(R?
z8oC<r=vDZ>07eEpB6@x)fNhDfo0L$@kG6bdQVNG&7c9n24asp5CjR%}<bLGcV!(Q3
z{WaD@JV`2cR1`Os#N%IQVZxr;K4aT!^K(Dh(}vD@NK+>I76D>BbE$Lx1)n$!{(-@)
zYR@jecUDFeE=tH%JN0eiL>N3Lpf%qa$I3#I=JNUd=e&<P84DZQcTwd&8Z&}n;r_L6
z7imk+&7~}uhix!M1j}1*JfIA?95}SCx<ifa-HbD>t0VaaA660C^~{X=)FV@dp;||X
zu0oB`)*B%)oa;?Oa7S-z=O6m1_W2+-G(sP8X!>x|p}=4@nJLLci5q#CTW1uLJvW=z
zUW0D`&Nbr){FfWXRs5lA(CsU4U?<=XJ0?GL1OIloiY>y^@LV}ORq2va2YA?z@ndIv
zZGBskXJH)64(Y2AXYW2@)`>Xn9t>GH1-Ze*2J2}Ic%g}H38<UfTM(S^`8w?e*o|cJ
zhkV$BZekdCYhUJ!d)Xi<4e}IegVYn<F!|bYT6P1jw#;C6Q;xGE>hS)eBjk~wz*k-v
z%c>1T3r@Kp$Fc!%I`(U#QoA=Xfp$K#?_tqKq6SSv!iFf5|M4D{?=!Kl=(=#f2tk`4
z#|{~ZB(%mDluSM*p4mh$SsMxUott74HalVy0w_8`{v7cMZ;?aa>CVRsR`Ea9BQT-w
zLe_=XEN44;!$T~JcUl2w+Y5BHXc4a98;j-o#rSu|3O1ad?aw0k;Kj_X0dXSy<_dP&
z?4<;PK<<%r@zP=W46Kd!$V<t{sN8_baWe%!^`-?${Mm!2$nxAO%YH2abK|_(K(5rl
zatNZy;*E0<A=Pmw3MSx7%fu#LY@2(#*?pgvFR@HTs^^uh*nK?fb7N13Bb3BF5GD&+
zvpx>0g024%l%hF-w>|7@8`yF>@wChkchf-Ubk<c35Q8ojJt61SDE1tdk!6FV{k%ss
z+v-0dN3<X(uOqTo=0p`dIfhNu&)gO`lkbXg74j`zIYXK)HDAHc!80OA$`96-8mMoD
z2O{}%ogn1{8wSnjxWT;|^>O+oe{UP4tuR<KHo|Yozm9~I4=wrd+vv{YBCziN_R~7G
z(|xXM3oLdHL2HJ$Xd^2O@tWfMXzM2ioROr1Lk%lc-9T-L!LJ@0<kWS|7C3C|-kOf9
zZ}q#!@=7Tj7?*F|Qey|Wt}y%ue1*Rqg(W6n$IWgbUtV2kA2KycTUbRvp0==B({2yB
zHPq50ng)zkW*tJMlmjpnQ^b_>udeGL!8T5-D|s2H_5;5h$xQeby{nVYdPYM3%J0l<
zJ{9+g8PW`~{6uHgh&iNJ<!TqmjGTcQH`-NHndmN)&+5v^$V_j@-|p(v72zvVPT+78
zMD&rbZD>m(8XLy4gNAA(G=GSAyk>&rSHsyGZnC%Az2SUM1l#JJI#@j2X@2HKomjn|
zCYOKKsimAE?a)<DjdUfRhMvzxa<h%Z)Ci4sAS1@(<4yT2rhV9VPv^x)HU=c^n147g
zSEC#>S^cb_h-61NN?@>mn-f=p4hK&5KXC4THGFsz`9SPZpb?3^WL|yI5keLuJ>k7T
zy43FzI;*;2uJkht%|!)8{J7mc8E=mu^9=rUkn!c6>5?1~JsC7Kv>6Ris1JWW3^e5B
zk+rn7Vdb|dL&X;EQe!lZAu+`@j*0Jlq;*Wv?`rUSG`Myx2b-pOFy?wob%x<$9z-}$
zDAIKJlVjK}KB$ll_bwPFX25Cl<NFKQGj5_&yl^br;`^XHRD4%6H}irpcFIk3hsT98
zd&n?FuE6LJ1p^qob`;c$@ZLO#MFjgge0Nv&utEGku0q^>@&_DR)8VC0aG1FltN+pK
z#v%NJE0Bm?NFt8h!}{?()OaQ}Iq@5o?Qp0+B`IIYXHlXf2PBy8Ya7{;1do0KC$)!Z
zq(+3%Bg7lhI_7k!*IoyO^L&=5CvxDY^FfO3b44>+%p{7NRts3Uo=AXyUH}!(+jR&@
zy3r8oY07CFhY94O)`)Ly5yT<_TSWZq6x_7`*%y2CA**re5!O!T6^F3oqbOQ-<7Y3i
zwlc4-HS~ea6p^tAIv1<APU=E2u<fKS2t4ywtMWu&X+FoIFO(}Xm{iBZqga1q_tjr)
z(8Qwn_`W=5@SirSX(_NfiDd5m2YhLF9-F7H?RmHtj~|Uiy=tUrCuFTX?gc^zW6C?*
z*lfKm{=jIy*~YfS+jU3;eKlnoG!ObJaOF=<v2C=&0h=YdM176R*SHn*ycmtRF&9gH
z#*f1`jVPS9Tava+U*0#*=EAW2D7ES~f`tYLTqvF%nlN%pSxp+!3`RHO)Er0??SW7^
zLwVR*mKEgR`sQOnd**H)vgw0FRnF6x6$`<a`y=@aqgbC{8o`m4{oCoRMvrP@O*9I`
zg7QKhs|fDwtG}6eeNzpMoEoJqM#BB>T#T|iFHGK?v}iy84I3$sffDKyBfL-vu!k2)
zZ`t(`r>-JxcIqY4ED>n<-Ri8i!k1NQE=fy3N>yAM0K$>rmu!i%CL>X;s4T^rl9FUj
zOD;_TP{$O~VnP=p;Bd-9C@WL%MX=+%hBx;i&XP13=;1N^wS~}Npkqh#*#2-=mGj%n
z5WX1nQWPJ%jBRi5ej$pFSdP1Ema<I_>Kh;_8{~P?0PtLQ|GM~mL4HIcPS-V+Yg(Jj
zta_R*o{<ZN3bAQ?Cm8CFxom=-W{MY#07Dgz7IY?*2eGH}8Oin-X<9Vm_1**d<~54h
z9KDE<lqJ{%$E?l@@vqA+)cDn@_EuG*ed{VVP(P@{dMhuiBDJ^e81Wpj_Bqp(yh-h?
z9LlPVv1R`4o1RA>#|&czzv%@{%wpf1@pmcUV978xU%##Jn{e(m+?5CJ7Wi1)j0fCv
zG?GkSdx@f+B3M6GR-~~21WXUK;kze6VznLY9vim#-0$d|cfTtGAfOa>kI7(wHeL3w
z3w?Y|Ms@t!iE8**R|aS}y)TmQt$;nl_*u?6KmYMn`R>=>RpmlglK+06Q#`>qrUiT1
z-SWW^&n@bhuyN#TG?;4im}YDc240ym6l_2PnDO#&N77l1(Rf~nr#tg}kbJZ3qOxZt
zmn0fVyR1UQ`onUE1HPGlzh2=q>aG<|<0^|P%IF7Wr2*R){M-_yasLLd!7?i2COFHg
zQ^8boLbBB&s&{JNag(k~x;oUgvdGJ&>!9?ryzVufe{E?}Nm6mS1-|3dVx%%A0QcTn
zT3j5LioDk%_=3%r#PZ@9b1EkT%&08Zkz-q2HT}N|RxK7wb3!e3+>ywLj>Eib5jmHg
zypeNhhA9qdtezeoSvt=oD<F%ki79awvjzBUgmjdaP+k-Vz$e&<Q7||;&84GNvntD`
zqMN^lDqMS4xO4}qu%n+Xx|w86PNvk*F0IkcRM&160iwxjE(0K(nNX+7ib~?FCCPBo
zms%5w%galV#ah%fo|Uy_vyfUXQbYf%xW#wuX;Ly0XQ`)=$c!41=-SgHOLAgjZDMLs
zTv?GBQ(u};9#;gADOAHQu_RegW;r3Tq^YYVRaKMi{ruaw$iE7U+^nCy1=u2HKG9;e
zQ1<scqqj7oqh#_hW7=unVf!bDJ>YgFr2vwzEJ0x2qN~N0l(K|!3lJI0`G_|FAuE`m
ziIyyu#1xt&;usyQ7s_MuOq}io?I-!#id$+{@9bik9gL=8r)H%NFVfTy+VGPaGIlqX
z;2o1#oSv2~esL01%#QbK;z9_5?vvSMJ*`-L?_?+(Wn;x!s~Oj5XA?#%`BN3FQcsH(
zZ&%5-*hqdxBSlXhfg+e2U^=`ezbC&czbNW5UPVRE6R5BEB<gogM!}&tRI6<V?1%4>
zCVCBJIgg<rDb)pf6t(weD&ye+9i(KVR$YwJLGi}>{v>?Vo73U%tx7k9d${ZTWmB@L
z6>pbr=)kkn4RL&l74FIdbRY+pw=Wg)Fr}Hy2_|!r$(yS^4bcIuy>#sz9~#6@q?x?<
zC95HYw@)*q=)-iq;g1S~BXMe)VUtyOuaZqErc{%M@HW!5JH02P6y?LHbQDDzv@!%5
z^-&c1G)dTG2t$1m@Aott%)34V-FeI={NUL4Sv<jUS$DBj?)|7Zpu)KCH^yv78Xe=5
zrp0eR#oYPShYi_{KD*g?r*plzX`r;_#P=M>vO`Oq(_U9q(llXCL((6=fap9mp3Ovf
zk7~<1tjSbyW90;v??0hfe65+afJlmWpU9>fht3NbsC`L%{L@5cb4}o*;J20ueB+zR
zS4#b`myf6L3r99l**I76x^Iytf>S6~IaEZLv>Ul$SLo%ZUd%sw$UU#zRn(G(<j^8h
zII>j(gW<^hwnyc#7y3*HDp14ATtzM~Mr&SO4w>8j-Kg=Ak!NG+tm;ZNnF}R%9W`1u
z4o(Ea_j8B%ynOi_Vk?Kf@1e$)G>KTWJJa;&WPU7+m4})>&Y0Xw_f>*@h}9@fyATG2
zJ8Bmp>2YnshfW>xI*qTL&+Ey!uvw~?qOh0nwT){z+xM4(&6#POHs3+zf`2J9oA{Ub
zb1&NPL1heCxflk=yzxDyusa+rWAKBPiMh6KI2}vF)pC5NqMVJ_)1dGR<yabWO0}hd
ztPeb69D5WLM8lyGL+zI!t<dqz)|L8i1cD;!9Zf_X&3{8H{vU-_jQ<sA#e_1HOcZLM
z?xdtU2{jPt(SMrj4qdLuQi7Pia)?SS5dgVFWM3+w*P_ygrK~s!c#$Qv{w69DodDF=
zQ0w?CA|sAtXa6k9i*7-c<TWUDSBFTOsi4DRoej0&a!@HfU1vd!;|SD9_tSZyPTY^m
zH>eVK4Q{Hl%A3k@#9-7ui(+wGP>XbpvJ?g5YLuyPSrscb6spUCI7)|KEJle?f>6)c
z3pGlAl)pix>}&ExR5N}P8^h;O#%?D<HP*{(;3=z<YY?<CQ7)Ek@R#MFNOQVukz?ct
zc+LD|FIka(1RmW@_|7ikjl^H$#SpoR4pBvtG#YXKx*q`0cLSBN&I7sd4c*I-IQvl0
zZxgDCtwJT|1-jXgK;w1y!*w@A*H4#;O7IDAc!WW+`sh4#5~}X~32wM6%6ZhZeFL?$
z4#OGujIs$5Yn8GX6}4t7)sVIKqpsEvrJs@se2xSqO6eA+v{QT#JtfIM$bXV=$X8Gc
z{EYktyefxLI`0|z3HcGc-vW82JQ;77Cl7)*FkMbSndT6P>f*)+g5~Q<ElqHlbV1VH
zLQU$=P}TbaP^V4;b?P}(^xgsN#&w8hS%QeDIjHzG0kKe{QOUc%E(>+M&8TJ{j_QHF
zsNpRuw@|_RGwjDNU`078G==>rp0FA5GOJNCO+{_nDar&yO^sHDB5o>6NkhTzXvG$e
zB7(k(C&H(0$zP-5)>Zie%H5tsvBBr${qhb}>0T$VMqZPOkjg3Y1f=kfmWRsy5lxkb
zlGD)$zG;ub+@1hXyM;2ipGjBoF803z7ryAK%cJ*;QnvkLv(yCz7X47+>=%^RzKIz+
z2UqEF%+DTW8`xo>a$x@F1y1RoFDYl`eCamE_G@3;gqHH)ozD^Q&P)?Dc`$vvSloqC
z+3C47m0)pysu;WD<-;oH^R6W@Eys=%i#z34I}L9nTX<+GOV*R9<$0xSi^;C<RFmaw
znl4WH6eFLHl*`ldVmTXev4^B;Ws75A$mPLzeGHxF^z$&8ef28q*{arVP7`r-qhG+M
zy&DlzxcvoqOza+#_zNu4U0Q5!R=6G=h<%aWx3&@ShU7GI>#O~$yY!&FRp!ga%(mTV
z0`3-<QwdS61;%nCw2BsiIe?|LmL;Z?C8w38q!uTZSrd~=OG;7zYzy$$Qoy+X%KdQ_
zn%V+gU?(zJ;oO8_EPT`S-<bT*Ed#Q4QLnzX$(pi)R+R7Rur^ZwEj*$Dp%Io(GE7%K
z{8Ex`zI=MU+G$dg!h&xUqT_u1MtEA?dwg2s6?ti=B)zfXMxm;k=&G_%GOI(eO4ZyT
zKKs)H+ZNWty>V=?bX|>|&`f)Q!wk-xBABov2jmU4ymQSUN&7aQIIYHLI-9T&+(~Ck
zOIUMw=DpH}^9XVWHF?R^0J5!-bOq9PWIU5UleX&4Az1tr8PO0cPASL!FqhRRJbbmG
zi#<<x%Dw1-??Y?>Kh+CYM;9V!587We&t1$q>*eE!!#=$)y5ZIRo%Mjq?FvspCp`s?
z^Ef0Y^QwB*ia%M;x-@h=633rf%(nCCOV~_u-VG(&*?l~;p2Y~elp-Ufz8(jv?RnhS
zHmM~8_1p-5?IewTMobiJkqWkOdR+GI1Xcd@1RJZTq2z^6lHqF31i@w|wA13ei5Gcv
z5v$YFSn|C^nqvmFdFti+q_5G3-}~AsTK0kH9!gz>){CUcq8EMf>&^(FRga?=eI94s
z-2|=h#gD^GH)oRQg)sjM*K5W`_Nq}3iBs+S_;ILxgPvfc5e~c&3R<p&ZRB-14&tOr
z*A>7BT*^ghaCiA7X(PI4;Wb-We@eaSOM4XgIG)NjvmqjlbM4ctpSFE*`Zn9`WSn!{
z;j^B?VbSNtEUnGv?+|;JunoJK*SE2(FydJqTppl{X!3ltt!h$4MIyA%W9)!F`shp}
zfBi8w+}~I!?o*Vo7O>Zo2Dx$_dsH9Ne)1Xaz8-5??+P(ogVD}u@)S$SU)ICPPMnC!
zCx4GYaJqv@$QR&2Deq2(O>-vglugqZALc+xC~)jQtQ5Fz&)RA4v3AQ^W2?ZkJsKXl
zls8pd1Mr3C9|HAWeFU~ascyqu>ClDU$v=P7R}G)i#P?`LN%Z{ZN3l^!t{HhM=i@o`
zbXMhRjqB0K4a<r4Yy>5_r0fL8g?m5OGroVy$SVt9Q=_YzSRdcZaQ&XJyo>Bk8uaw3
zQ+?>H#?S()g+GY})cGjQGTOoWaP*Qu`Msl(OcP<B+GUdRJc4MJNhXj|M_=2tmXvNb
zBEyrJrfHNOG*wJp)Aog*afbxC_y~(M(%5Jljd$Hai8+sAtLi<aiE5lxvyS`>s<`zi
zwl6ePylgES?%S(c`)Rukny>f~R$>EZ_vvY5cmdZK6lHwQLI-e^@tM)G+v+Opv1e$V
zuADA<K(bSFtq*=0{YziNW*LVJ@vhOjEk6Fs8kX-HJ56+_N#ODXBi?jZ14}j%rD$KF
zG2-_;!fby}E^>`?rUc1ere*byZ<3>Rjw_*#C%QA9g55evxx)ILd9QatTJep%*{-y?
z8g1;eY)-%|2L?x_)O~0jIOG(a0aV?LMC*HNGKa9|M9^qZ;QAcjj@wSR4QuTAq$<yJ
zrB+mUXyPT232Jw>2785kx3YEA(pz*^qh~ZD)m$(jKeLM5IV*oZJ?WA29y31v<|{Qy
zV^guSz5|=K4;mht7<ut{4NZleGEsnGsr;Cu07J<vF@HpK_G(av-)4LD)NMZLG@K(<
zGsRTV2AMo~yu&+ext@B+_q@Y~`PWUGA-*qkEJsS0Or&*e6`N<IK5BCb!pY>zRx?|S
zmo82+piYlNg|Zj#ai~!E*yWG^Vq|Ohnp04pX4^HMuR9@JWH5iy0LeCErlB_nGxXtN
z%YIqG;(CtZ-!rr@`T&E&4ZroC%wgL>ouxUz->_?1v|js4_4eWTR??-S{PMRLkgu2c
z+UB+-`0gh`@N+eS53FfoxmbtA;N3>N+81xKDt+t+-}>^gZ?WNiUFT>l=Ts^`-Hv8%
zr<hq!B*)WFVZH7%TN_`=@oTG3p;^M)EX+XU<`_S|>J%FgNh)Y-33*P{aMeajjq;f$
zH?G`EDUg>cf!ysNYj6bDz%iA@Pm!K^`5^0SFG!Ga66t_*8~qNm1SP@?X{!d9>fj5%
z0sx@F2oC!c9`PqAzZF0=u;*d*LNfmrh&}(UtUuqrl{H!F#IV1!g8_jTGL3YOKHRt+
zLiWkc5S;d^4vf?Lc+7U1`bdm=N_Ebgn7%9?_6%mO@fr5+o!LALKkWEZLsSTE`+|&*
zJa`zm$-$}!*n1o)Q1+SwwXQr*ij`e0G$Xnpks`sv+D9Edy&%oFs5X22b#vYWuI&Hn
zLNHtY35cflJKF5;^hM+MbXLRXH{<(sT3}*chiGztS}OB8w7#oV_raf4d7dk?3*~P4
z8}QX86nwC<*TJ|GbXKG1HskJR@Ket9M);gXp^jE>eO~7I;P1Oywq8boIBj(koUW~I
zK}2!gixyv}vz?$3mA6LTB&B2K?(wZFncsrJubcpbQ&)Mz>mb0Yc^UyaUG&~Wr%T>|
zi=H~GF|hc!!%1fFnKZZQH;L(a`bpNPr+)J9PBNq(VQP$uze{8rDx$ko-2r6kYQr0H
zJgKqBzAH*BNkuNOB?-BYsqh08rC6<T<yH$a^%6?Vspb^vA))Zj&!%cT3n_~-j&=mm
zl%yWZTQ6c=8*+ae&F_DhZEE;ze_X@&`#L+KFaTUf%>9k@2u7pcFJG1I?5zlTB1b^c
zaVWi#s_}PQRkAa<A|x7?yfd$`0|q&Mv)Rdt)vvGtK6PDdn=v@Q`6`=kBx2GA?8{d%
zjyqpt`F?#K&<5Gb<=~i1o_B(U>4~`byc2Aguy<rC>ff71wFH<q^8rRX1sPOj0>x^$
z?ml4QWua<#GB9wWb)9sffG_X`4xXEG8}@@g1AX9AY(_o=0>L}5A-tj-Q5u1bvkT$1
zPb#(Rlm=x5Kyp-Nt}+7<1QV1JfaQ#WIbnd(8`ap;;E0F=C_%UqjD#$2*c5bt3-}&Z
zh0o<b05sqN935{1j_Vlk*AL2jVO!WLZ<IN#3(Mq%D7Q05o+ekw<DgyS!#Oe-Hilku
zcYy4e<yaI!>*xtXgTKsVcd5~x$$wF52P&xZ_9KuEzJm4Vnn3100}I!yx|g7`KZ~I4
zr(gqGui<&k1E2%pd6fcBIS;n3fv7W|32Rppg1Mt$?+Vcc!XD&>pzL2@5&A~?0uXRl
zVD)-mISs4Oapgtj5bQ!bQD^-LSccXpq052A^MEo7#-RzYe&s8<K=kT^aj?R$Lgm+&
z%8lENNJn!_TpeLh{0B@`{~GwMCiJb^^$09q2}{<$6n?7-eaj1$ya2g1p+_C?_{+~U
zaWLBbw@zHWG7mTxla*3L+UF_*m3x&8B?*v9kqTvI&XW&3_VabQm=>xy#Ebk|Ccs@H
z`5l4$poj$Ugde!!Tkyd-aKK^E{(4aTJUlE&ZtVV;p&oe$cv`0NZz}m;MkS7UTiAp!
z^XWegn(<D^jJ5wlXvRAsGqS&eX1w*kVrkwn&~Q#}N+HQbRgwreW+RY75=7!3x@4<n
zx+KhKk^JI^Y;x-|)y-9ZB*lY*X;XM+gd>L}$b7gh@4X>6ZPH`bsytQisy`ldG*9M7
zI<fX4X;;F|4{h~G5uE{&qid!`eu=hrQz!zrEj+vnD+o?`Y2z0Ix6Ry_d(RA%fKwG$
zg%W}Ph?Y9W`h<j5eDGRyVo_f@11TE`NJ1?ZRfZ|34z*5>vx<<UC&%yTzw3uDl23bH
zRHK@-XQ4*kS$l3z%8vZ>o>_F(_KXk98^oT`udYlLg~;W$q#}usxE&v}eR}FHA9I;)
z4N$99#jfz6g;T2(_Oo5bSdN~0%x@ioRjWcpt~Rof#4kCvk5dj|N3i)go1v#J^PpGQ
zR^dX42GAWO>p9)g|F772AcS9q&Z~98q5TuE^X>?p*S3?V<Z^@mvfJSPZzR2cBk2K`
z?td1NUhY4Pq$lw8XmN4Z<w&|ubf=)u6F5|<E(bbOl8!&K%g}bH??&Fv1YS^FfGy3b
z(lP-L*)G22ofK(_{Z3rVJIT@_JLaU%ZbMt(AFgc|+p<Zb^q~FAF)i;TV2uKF;94(v
znA8^t&`|R~0rJ|fq7VZ+v<o&j87RhD>WWBQ`wv4B-x-nk8o;4;H^brm+bG1f|4%T)
zcSRv~N9=&KKvLb{VV6)s0>?VNPLfea0+;o4iDDACe26YlQ398X>C%e261ZMU*E10)
z?Kgb}f%Q(EE<Ro%j?3xh6uCxfRaH%wRq{az&}U-|sgvbXl3z(FeWSR9jzz`Pph*6`
z<Tv(y`k+vtMvp0^kH=uE-!8v^KDOo4akPz&d86rOo)Rjx8##(T7%`HLxg+Q}JeO_`
zSMu=0@IpgspfXW1_UT8r`t+q^=RV3}sU5E@Gz5{=%htHO&@fxB?F~Gz|Hf^P_i_Xc
zx@>#EN5|z_F-yy(72>>9S|-kmr6uD0khDmg>!pR_Tqiv!&SF+&`GHz`+j;ZpSTmQ7
zv**xp<}5lk%^K!z8htWlDjln;=~z)o$H{!*7(;9ZT{fRG`lR`6(I<DBsI`TLc09Du
zkYc13&S~Hi3xQdQaUbF^^?WJmk`)h>g?YHaH?tO|9`}}}9+Y3r3}-0C;$rM+)!f)a
z79r~vSZ2<B$g1@b8`JyqoR8RWpJ>(1Zta0WL*`t*=OZ@5NV=b9?NRA#RhL+SPhVAl
zl*ry_Oy(Z`(Ir-DB=t{gOcrSV(k15gxAjwFGyQb$EW55qwlce}Xs;m&b=Baiu99Pz
z%$=egGQh~(8N@1{$o4z6v%u2(m!Le=fm>ludcJ_)<ryEa(2&UUW6vi(I_xJpLsfMm
zR|q@|Q4E{2^Q<g5>ge>3(f}sdYu&nsp`d!WDyY9}dN^#YNg@+5B<Nz~fzJHYk93Bv
z>fTIOT|E<zpL`LzDjVyi^E;fCYWn%!fzVYo?Of=pnsy#Z(~>Zw@iv`lPwgQek#vWZ
zR>*KZ0<$&zxXNJA{&rb&zIq>oQTo+QuwM_^j%ZYh?vTfkRl7gGLLb0@pG8+5+zPW?
zQ=w|7&Km%o*N!5i>Aa}A<b#TN-0eK8Fw#J1bBkbB%<Xv)LbVDAC#bhX2*P_3dx5Rc
z(;)B{FTgEVp}IF$e|h*tc34lZ&o5nsB291C3PmpvDx`&+;LZ9f6b0OfBEy^HyHP)D
zN&OfD@~lfMT&UmJocj6h_t^nskKu=!oOXNP2cfQbpLqq;MXP`vb13U}mxjXM+JxI)
z=a@xLbj35zv2Ff+RXc)+ll+ON-uxP4V*P-H>xs1Zm=D-6BME;+d0Nt8XNH&Bp!k3^
zSToWH$Bv8)<3!11-7gObx!xl-YU+`y{M2u^gG4k25hQXq1_`8B8kKc>7M<y_GU}%&
z596T=m4Lbml{KFQOl|9fAc*<zfye1V+SJk*@*eNA{0{Uh2C0{XVD5Q{9XN*IF$SyW
z1o&khlX^AyW_FGm4rpWqP03l(I8UR&C05>?N}=+}=6Jjqiqi4HV?EpO1qGh*0WQfO
zO}7^pddBiE3p_jD`L^@hZaj00XOBC#!B0f-=f`*k{*BwlLeGFU0K!U42)kPc#Uu25
zc%f$)wX~%DRZBc*&|PkQUg$Yk+_L`Fx9|!*?{aJFSkGh&J?pQ&H8+BQCL_|rBJ8+q
z(<0`JsnvCqbR99ZZFIai-?Pn~-*{QR=bA3aG_e+!n@jK_g#DGA3^=t!B;b@LSQ3#l
MQIcp*EsdD}pR?bOz5oCK

delta 46332
zcmeFacYIVu_b|S5@7;b2q!3z2A(0d|TkjTHdO`~6A)&J^5C{pR&~e#d1yOO8u>m6X
z0wQWCD#gbxDq=wt1+3Vxfb~&-XYMB15D5A_zTfx#<M)jp#=CRQlsj|ooHOT~IkR$Q
z)XL+wk(K4e^{w96x~ArN&emA7te*@aSw?KEOeTkavJc^3*WXj?Mw&}vWx7u_a>!B(
zuM@yN;Wyz&;XC0g;WOc+@V@Z2@Vcr+`LW^-1toVfH_@l)Jai0=mp#x`OX&apAp-&f
zt1?kkU~<(IRirX1--i6=Kupz;z>%t<XaHm<1O`<bQAD7q+KM6r<q3lWkJPAl++EEh
zRk$*$ARYO00e^7dt%>n~HUDg6fU7A$VS$>OaVWeKzl`=5^baJCnE?4g3^wr1*oeS=
zW5%O?f$zp-Df(wu<Yra{d}Cq)wPPJBK^ZjxdXgR(IVLgi^w>y6zb<%k;H9RpK*?Bj
z;I%OVliZ%k2Mpt^NRV10*{jE$LR_FV-4Pf$LKRqamWTeZf!ETFw0|%g`1ukGK;bR$
z>7S5*pLzqu22S5TlxolhZXA(}*zWFqI3jMGU#)==NrVxpZ}fN<*Uxj#^0u@#HN*dA
zxSJYVy^XCi+_Syzxh-w;dIGgwosD#!hZi4PS`r)I6FWXODZY1Y@yYFRYGqVnBDzf8
z>U1@Ddlu;Vtbun~9QZxK7|2fy*N%*hcRO2V%y+iV#{C5}K-E=m;E@EF%ftetCNH?|
zctjxm5=G!};s=4)*xJC%+nF85W51=w0AXzPCqufy9}VeMeh$)>WsuCQgQU0u5_2Xb
zg9*~02m+>r_hrIq;r$)`r=F&F#7;flBMBHHG6U}`la<0TneeS}tPh;5z%gx-RyZgV
z&I+FjM}&iY;H3o)3U;mVs!VtnNc~6Q)jsg___z`=fj7cU{S?AYGU0pSgm6gMD?BXR
zbbg69=z#+iw9LG)t)bD|>~z&P)VD5~QP<Sg=m|U=RRcAwmkC?p!+Jy5C;T9+Kfi{<
z^uQ?Ej4n`tBCvHxjUa57310}ug*S!gg+0Rd^D8(`uPfsN+ha;2G%%nF;ZYfM_yyrf
z;Y;CB;jIhd!@vrGM^h_&lyDY`$UcN6;4J?&{{-*j$MgNUquds*ffLz3*yq{n*-31?
z_Dk(!+7;S7t)Mxg*{qqPF{}TrepY?0x<(zVI;DD4wM><x;*@VIHz{W;jf!6t&nT`@
zR4azbKa)QqUn0+vYneBh4NM)Qr+=pR)2r!9dMNb?6~2{PL}gHF^ai>Od5})_qwM*0
znS&~p=V@fs&@YwBpKKKE4!7NH);Y~qUA|h%SF2=ocDK`NG#PYmlgX*GxGWBx%jU4@
zTyBrU;jo*`cF`i{5p;%8sbo0w13Dpm!2Dy4F>_wKMa&HWX0Blp!qfJ>7@65x+#%+K
z0GEygfKu_`2KC#++r;b;;FG5T5L>Zwi7sQpLNO}@80iJTFly(+DfDZ#VrB@ingEd9
zxe+~Hy->^u0d#c)aH3-Zb>}R(m>vSW_Yrh=_<-8Sj4|W?EshHTJ~;^h>tgkj#hLex
z632!B`>UWTeT89lR{F7P#W5j3N;Lq|CtZ_O`^dUvadZeUb1wjx;$h_qCS`#*Dg@9?
z1VGwaL6@0&QY$(_fai}v<L3MRxNLmI?_Y`b5P*-8Cxjcv%>5$g8^c!776R<IkTx>f
zlI1_V;}ESOK#E9umGP{-cJ1-cMKJ`piU4$Ti*8L{Z@o*jgaA4#0Jz(pI~>jxtQE~6
zz+(gu_RBAogV!Y=6-^;PCK;>5duP93=@?lg8hZfJpv0(=O-<zsX1^*LLV%fi0E8#G
z<_vygxKq@J0CNcWBz(ScuKA&U{}$6i0R1p1G5qX34pYtNPl&n@fd3FmP*>@O&}*7&
z#gQSvoB=Ray32=ePv7lL5mQ5eUyehGLDz__!~a$ImY5O(%p{|${cTwPe$W2+v6vhJ
zyhmm*@~Tbu3`=~dL`(_+^gIBfZho*JPIdYfaYP941OW_p(4&o|hbqKNLIA_Rp>g$Z
z>6^J<CPj#eA;3Wb(9{O@@XIN=m=FS3eg{B8TNO5I?!QAE9s*>phBnM4+Gq0*KM*d)
zhXBQde8%0s`C!fN@n4E@A;8W*0HCXQ&6?iw%_m}P2$1$U0Mh*FcVrHk6fVYu06cl~
zxZ@_HeqMNgaaahjk+c!BeeURy(_gF*qeFmePXS=~m1i}^r)zj|Xb52Z0sz#}U*qUM
zr>BWSLV!7he1<=|ZkF+vKb{c>hX6@$0>Cma=}>`p(;9J52=FWcM4o!Hc-X@SUKa<3
z0BLUlAcZ}VIO>Bp4~kJCz%>Lg_~4Y4iI;!6QXCKh7~ckfRr$j+MR)CaK#U9ligfVi
zsmIo@99!Q|EJkz#0*4F<;bZuWy;b37#);wG`S?9Th^k?xmD*`bJ{7}4fJ{P&_PdoU
zN+--eDfaIM1d5H&r%TuA6QgeC#eUuS*!VQmG?M>f%Gj;TibbIt5ZDL>`akABHSopu
zheW<R9~<r?O{cQcwM~nj5V>wZ;9DpVF>luKp|_+eM7BF0XG%-!mxEMkk*AM{+7RIS
z`=KVi{>I5!LVcmA=>`Pmnt-I9JUXK0En~f??#{<MAAkapYrkt6rW^LEsOkm;o`M1?
z@2z`(jLdYasO-+iJo)tdZI4_QHN8AnRCEIZ2S+A^5B2@_#fVR5ZWZO-`8abT3?E-$
z*c~D3&xlMnAn=MVA)FOvE$Mf1+WjIO$}dk#2zPkzm{K++{85n#<^K-(Oh?lJ#jW*O
zBI?e^-yWmme82_Y^0Sb>2|Q6ITg#bb!oP)|Kq&cI_+0o%_yB~NH-*=PmxO0Qz}O=^
zA#4{O67Ci56gCJq3jyI;;cDSB!6z&g+JyPST%k^I3R8s|p+cA-j2E(nae_mz2znt!
zNEBj)A;JKmzrYGgf#QGXf98Mi@!#;L_>cJy`J?<>{OkP7{B!(%{z<-rf0TcizmMO-
zZ{%;`Z{)AzSM!(iEBR&oLVf|?z|Z1c{4~CnujEVk0zQXN=ST4(Z{Sn;OZYf`C?Ca#
z@f@$>Y3>j17w!yqn)`zLggef?$Gy!R;$GpN=MHdBaXUHv4sI)VKX(_miMy4%iMyU#
z!(G9x<d$-+Tq8G|b8%C-iCh_1$mMY3I6G(RCGCKq6XvU8{K-_Svl+zf)Rx&!lV}~~
z65R%e3;wgXy$+kF&R}pD?GCHm<h8imR)_Ioa5*ibWNW4L8Yx{PrK_d%YAL-+O0SgC
zD}2)bE|=2Fq;!>(wo9pBN>?(p4EacMDM?n4WI0Kekz^@JmXKsINfwc0AxYXu(n^vR
zk~EWK0ZHbQq=_Vrj1SUz<gtMyb4fCXB=sbjO_Et8sUwM(Bp#BuN#Y`jlO!`qGJ_=3
zNivNjQ%N#~B$G)pi6pfosUgWkl2k+DLsjIlk|Y%*DJMx8NlHmlLXrt2DJDq~NeW3)
zK$7t!$tOu3NpeY&Ly~NgWRWD3BpD=0C&@UHj3vn!l8iQybQDP(B(amkMiMJYM3PuY
zVkU`%Y{Xn8y$$cPQ5il8J~|{EhE(>haF}{RwUl{TIHEYNH49qJb@Khxhw?92ndSt0
zkXA7x6yYdWwMDyC`6ru<FcrovP!Cg@P$PR6KaM{sOj9K(I_N*Nm(vevcJjMa<<we!
z7I&-c2Xsm~MYuwFnLL^)Q{N(3<TtYw{PhYiQ*?%Yi(N*qQh%wbqbDoh=EiHra?fZY
zv>G&2o+ob-wrQvGk?Q%Bhx<x#EpsQcMD`MGROc%nR;tlH^#R2g?K`ToTny<y9`+QY
z!^W4G1T-B-JPprjJDCK0{3I<8Y&9q111D%5zJ3>gC*iF%avg3xK_}yxA42lzUM3l*
zZ3a*kzU~7+)7=Tr71;a{tqW9<vR5-{_^H)Q5<aa1RQ-AY7vr62&<Ot#RPf0}c`|N&
zib=t1mN3InJ|0VI0ogklgPaZUrvdcT(@>ts%JR%4x*B039it5V4yoY8Nx&yEE<Qd$
zF2_WuMPu;RD0z~6bPySYRx}Dfa}1C*QP6uLddh7Qj0l@@tMo|3OSu><0dga<;Q3cW
zCqYz9#+hl*38x-90peaV4v;($<B~CmY{?kJGZ>91c_My?jK*~np^Z-nAg~&K5-|xS
z;$c!{Bm;z<WK0Abd7RW55oJ&;*6fAWKuAf(L?A)Yc$f|{K-7SGNM(<bmnGtYe4tc}
z2nait8WvM{u%3y=ZKP!NNG1`VfUyk#OF=Zg4!9-*6MTeBTQVEmR(~pk?dGSw)<bE7
z4U1w?;8R<SQus_JoDn|j1E)Cf+30BBTI~v%@C&GiPQj+~UDyY|DC`$@0h763*eu*4
ztONGq7nTSMgnD2slZ0}iK*$7^Vib~vIAIVl6SaW&U-<8Ui=5!!<qz>M0{_^>Z|Cpl
zHv{Kb$6w9+`6a+J>Uk$Wi7y9kk;yxFBcBX>Vi51^&#QR^EaE%v6nBDq7ns9~+<tBs
zw;i~`X6_bl9d|Y7=az5_xO&dXP2$SA0xpwta7Hefi{l1y{W&#<*k9Q1*i-BY_FeW6
z`y#ua-NkNa?`Jo&x3KHjt64w0gk8YavrgFRma_$HChK60Y%&|i4vJ;_vuf?1+Ox0&
zKB0X_dr<p~c9(XW_HONM+I8A1wJUlIo+08Is^cz&d@6eUUHJ&wC-H0cX2P$31og!i
z!pFd^kANcJ72!GH)w_kqKrwJ1aO&HI^}_YSYT(nC3X6qip#iw`OkuK6C6oY<&JxB5
zR>1%qIzbpF3>3nEKPv<o|0{n6nDgiSN&bEQZD7qW@&DqV=63>Peu%$^zk~PP3Vium
z{wltmUk+S(K0k-|@Y8`OSMbGr9-jdm*}|vsNqju;;{kj>Uc)oMjeq98=f2`T1zvoV
zdy{*WdjUA{liU;BBisYPhBtCIb2o6;T$~AWBe_es*x}q@E`sAZ6(?hVX1`@WXOFW-
z*w@(?*nR9y_7V0z_6`=u<uJCMS|7_wx?|`Z`NybZd7b<!<Xg+$EhEYaP!XL1Y3G>m
z4v^r>AnWV}BHRHgnR|f@Zxe13t^-0`C9Dt@0V&QEyuu71#!8TJ@_`&j3nEB3$-;0U
zT8ILY)CzL`Paw)4K;`inkmY+I+PnsY`3(OQ2sYdK2l>1CO+cIh-nW*&66kXo-^Moq
zg}OnesR0@-;&VZwaqwnd$BzIy9l}TQ0uU<A{m%Uar1~YuG9Lo59_9{$B(tB}!#&Pz
z1A^VcZQwAF>>BQJ&Id%>!p-Am0ohLBs<~1i+-z<vX9Lnr<r29VAl~p;j^mUte!sBa
zvtP0wv&Y!C+1FqM_p`g%9qdEw-95-J*76wLk>ZlSjXIW1mtPHIr@d4r{0frd7odJR
z3Uv39Z~&<8QQ-lgxm$%Bfa2OgE^HR&2ri(u3ZW2aZIoaFN{bf;1D$C=3jCG-p8o=9
z>?r>RP}l)}H_+Du{GI%*{0$)Twew5)W*{sVKN-lXkk105GVv)uQiFM47*G_&{R;H-
z1$Ppt=?(5Bprzg1qd-Y_f;e{rx0-7QQLdSr1A^RSt^&lkEN&EM;!?PHAf7Nz!%^(7
z@akW%C)uOy8|+K$0eJC8*$3D=*<0Bg*wt)1yOeEa=ddnzGF!nGvRUjX*2Jc;@$BGO
zHjLG<GVPDrue2w%N3^eM|E1lneMEbY_IB+J+N-pe_82=u#9FFj=<m$OREO(VW+T#&
zH53Uy$%LPJV0CLJVFjHYu0*sfa@PD=Ci0yl;b)ofb04@f0zXgTP`^H)b8na_{~rN1
zFu4&3G^foV$WI4a9Kl|ueM_6B(Woy~_xlf3{KKOprF3p=K}k+-Z7jTTufP8_1^llm
zpvx2xM;Fr{$Rg1}8T}<X$le9qvqXKbTBT}JzNGj`(X3$PK6!s;B`iM->>s1K9n@S@
zEBi{el-tpZtiXPd5*U0yN6jA@DBm|yp%2<dUf&lPShYU|r3SX{Pf?_WGJn{A36csZ
zbX}P-frbNdbWi%6M7PgR4qSgAKCtcf$Q{ogaG)s8BjbWLBe2!@!}>I3>1jVdJaEm1
zk?0b9`x|I5-g_8n10QS{i{b-AHzuP*$pSQGqaMWt)@)2b34up8PNN!P12a}8qu~;8
z<4Qe>3B0;80gC*va)xS{GHR|FwF?1V`=Eefl{&E8p9rOip=(KdL}yM|U}Jl9fNqaR
z(Sb|aa{_m*8Xj2No{feE4z-Vg>iAXFsv*j#QZw>rOBFr8iVLh;6^@1hC_eD~DhIs^
zY;SoDCKSD6Nka=lg92aA%Z2h?2DQ_Te8AOcL<0jiHfEq9l0ocrW2Gue88r=TX)Tgf
zZzmYf7BxizQm|NLprfgPh@Pc^K~))Ck40j3QXp#62$&#(ShZ;+8WHesiif$mYtvN9
zb4eii_C%B{0X?^;z_49+dn`%{JaYR~7&2~y5zwWA8^lg=_G@C@`MQrKv?B0z%Rq(j
zjZFAP!2L7Or#(dqVp1|hOrrzeEQ<OcS!e(I<-37#>9zOBK#}tXC~ocqX?i6nX<Q)q
z<$%bN1oE>6*zY@_Z`llTTmxuR#sPC3!2JfY#eR?_mT=QS*iGfMARN5RKE~e8Ud}eM
zHLRH(#wvjAy#`jBdwPtSAz}fI?N`z-bTqD{Z=ly-Lz52ND-#Y29UxzA;jh+y&Hup0
zfN*n!zmvU!V?mm_L9nv5>?=YpKTrEQ{}j7{Rf5PrnEgsf<_>^DCkj~mzquK}x<`U|
zxKyYX+}g*r_p%m2%U7|FvrXr8pqa+#TG+#=R?{}g?&a||cw4<Qn!WRzW-Ri$W;Zp>
zO~nhYq9gIjYhmkCd*e+s{(21^zWy?r2~!ed*jW&0-iIzfNA@8-D(_~`>&n=`_S;Ga
z5XP(|=CDV>6!s&S&vt{V?1EOrb!A-O(Jd82Sz*vQ_C8RY%?2?t8^p&!y<0Lw6w<y3
zmX_&T!K^!@v8lDbuHNlzt#4`!)6%lkrsi2QTD{JBGwK@`f`Ojb(6Zt4ob|-+>uhv;
z!_~A*=UqI%zPY|}){KUFx3{sy8>ymY#-@ed<{9&w>lZp<T-sW|TpXc<R^~ffS{5}m
zdtj&*wAD9zJz#f??9=cFuQE7fcq9a6fGyfe*b@#u-v|jCLONi2Fme<dPN$+?9oGu<
zaMYvYnh08ldUsqM@IN>}r;4QY=)8U^FKpfnJoMnC|Mq))?7x<n{`->u{b&B)m%M0i
z8yMd}sz64Mp!QG&LOy>J>?hRh73?7G25pq)LCtjar|RpKw<yyUKPv7~<jcQjZek+n
z+fhJvS`k$_PFC2>YtzYZMO1PmS|qtDw6y>QwzM|a&-cr6l~E2o@+V3FFVH~)cm>qe
z6K9ipyde_}L<MB2#xG|ghbl)IrPur8vhj>;G#VQ@Gyp%6jlh4yoP~c%LYXK}!iBuS
zI64_|xGfop|CF~=3p4RU$;g0m@v&r-r^--9r6(i*aQsIS8ior}5RY;QBpRouAPx4V
zpi59Xz9$7Gq3n*=QjihF_VM=K8TB4A7FoERMOHKx?_yCL%Ea%nXw2X-im13q)D{{r
zX>bU7py})YoX?@yA)_UnSs|R}CRbA{!AZyM97+R))pia=qjA!(e9WN{102ez$VhZ$
zk>s~QFv-8M9dSJR5K&e3z}07B(U`ykXDrAT`0&h7G&=C_Gm{5f6;UyfXo1vFb5nzN
zMx%3{mpqJun#}`5sZzg9s+44te~!Sevo**P=>MY;*#q0(8yJ}K<0zFGMlS|NFL1|^
zfq}<=6rdRbI`*TPnrjM#y_bxvQbyH#smK^u`JMrZ@Vk_nZ3x_QBnheuVygom9f^(A
zE2Cm!&}E#|?t(UNn-^BXdEF1D9mC(HkSYyCjN!;XHxPGVNMQBRu)yS_T7|Joev1vP
zIa;XkTXjLKB@))@ePQf^Hs_LN;2zEvuYrtT;N5*r1zGcD|JS!#7yH83Uxnmq;UgJv
zps$3FdUFxNv|u}#7x?J6c(w2`Y&bzp)R&x-ANcssIJNL0sp|{j!#?WD!XMJ;618xg
zRQ9ECybrW&;^q>YM0UFU<n1yci(d;mw$bd>+7Goh&2{Q8)p@Fos#xU`#p{X`d3&%H
zL&RK!KYo)5_nE{xr^_qW>8xh2L1%F~T*Lvxqw^Y^c7w-ibhr&}SKE@t250juZ>qc5
z>jc*)ApWA-$<@}Z+?w*D$)@rwQ%+`HWqxj+t=4L>W|vK#JXy>dKcOVICMz??Xq}Wd
zInz4PRGyPrT45=zwp1A=7Mcu3QD-#zbOvjz$vDbr7-g`g*&Pmx*&5a+^A8vL$*PSq
zKc|wZV8@Y3t376Cofq6ebS4w{hgb{-a1t@Q%uwEKvYJGr!DcmtI@+`d+<2gyrRAow
z3Ax#mN+uPUClyT2b4)BNtTyFNoHTL#go)<KHKVFc_DV-tc2&(}ds#urgz6%Pt!$E5
zY@C#vW4BJOuITJ%uWp*nb_dqK%?$9F%@z}woJ=~guFj>ih~V8~w;Me=W1YwD^g2yO
zyRpakHF|;d&yrS;vI%)v<u;SeJh6201iQtSJ0Z_%E;rOxRTO28&nYUdDYr}%O}X~s
z%t_VOB1diJ#PQYHj&hU3P$-t!s|>-8`HbiG%x*J?(f}rKFo5Qs18B87J#NwM)fqk3
zI-SL6gP9hMHeH=fv|8;}Tb<it4Go~Xsi{HgXZd(rZEkk<<V-Q!m?M_w7a9w5?1u67
z3R_lQZGo?#%4im=s&mWp^UJfcYbx?<9fgx?YVDTn+$u-5A%9}Y1xL_ouscMU=;f>+
ztB#TBRYsU)GR<{$Hjl>(16XG=I&>DV7sk_N5_Mj)13ZTucCW*2?(XG+Hhkb6W<>8n
zFxw4gGohkHEet}OUk<(&P&=vKCb~QZkIAm{fPE0C$Y$3$oKBO@=&A!RBzv91;;}Zh
zwYJoIyf9G-CTD`tl#uORP;Hx7Hm9-5I48|mQ9i+4x_C}nVTri3EXUngW%ZR;Rm`s}
zYMx~&tSBk3p0J?V*wVb9vB{LtI@{Sew<XQpH1FI|FgQkujx?)iHQ2}~_~SLu(IGuM
z>a~hSx7%#jSv(H2&SDp>I;R&V&mp>v2CEUiR;Ru5YfNwlyJ<GeU+9`#P~_E%EkJ15
zbM>}av)UR<iu8ph(KgBBot-CU)mbajnkU(FawbfwPOGbIYix4=MK8&y+pT!UP4obt
z#bk1O&1M&Txkhl;GP_0Sm7`AQF}R)Z8G7t?(F{w3$J^XFbWJ7BJaK`msk(m2g62A7
zUUOxcyQ$Qb<#MEDHCETuR1}Y&*pyRTST;U$*6h57;_^ksWu=Wx#tZk!2P;Kz=wRZk
zHi^&^Rh@GTD@AaQy*8)Y?6AN}VRgfjW^fvHE|<j%6lJh_MbYdu*O}WIK{^LP-|Ok@
zXrX!b+=7;d#w7)Fix=cMJbG8@q@1=Kcf-VzrMYtpGsVSbgWcD>)MLz>*VMeQMxP~?
zTVamH3-`3MqxLkL!(=uaC1O;bM~p6~!%*ii=^S2I%`6T((7L(Kqcd5&Zi~?bk1ny<
z+30DSM}!CHsE<%%i=(X4t#`N7mcY2>FPv}5b(sph<1?Km*Q6!Jyn>n%r(;3hLUVIj
z#hliq%~kf=tQzR3<u5ua8q5Zhg>-a;0y^sGxpX*TEwh4!-KX=`dEv7$S&cfo#o*D|
ztaWCi#pN(toc6kAZ_8}b(NrgFqGo%WrRAd_v#O>tt2QskRGM9uTVtv)lxI5fa&0A(
zOLHoU?X}rfQ)afqR$;Ept+kIgOfpQ$HPx63%E~8Bs<LE>lh65XeA4XO(<~0FO_cho
zmqTA;{BrQQ>-xftCa2dVdUXc7(FlX;^Z<!k-9W71Q)o81-1a(GcUL<n-@CAA_F{c)
zmRMIHR#_U|r3I4<&EB@G5=%+ZT+uM8sB*4ju|7x770zkSD{pFUDa&^jWMjD+#dNPd
zgf8uAKw@TtwDzPj(6d2)Ir#Q<_RQ|F*I7+&m(J?4dtnd_4ju4^I-SvCa(hIV*<y9L
z=C`?E582r*mu*7MLU&WqB#UKsPJaH<>ed!ZOImBWb52%fLygN}nm2o{ugPhf(3F*H
zubiCiT<k8NKW~oH-Q-G}*VHoG+c>u=V-}J1FT4WT(i|qE(PAT$9!EoWb>~dF30yDD
zB4KJyi_QW(R_C+;=P-HdoOSj(uife}c)Y%al2DlHX_cniTu@ajibZ0HwWw%fW~HO1
zxJtB_RM!?ys4dFOtEsFkFRwD@XXj1Mubo_xmtUJ(VaqNvS535+RaF!gS7e<t-O_AB
zCyf?|%|tqBqM(z}emVG$2FFz8npJ19h;<(L*c~=9$)Z!|a2wq^quXpWc?@2Q&F1yg
zw-E2?u1|el&Vogj@rzp*8EVR!tLDxrU9h0Aq_o04DXnd3O|HFmVujJA&ztL6T-oZh
z&8l8pUDUWR8^1J!Sb5b*5z)nR$&B05tR}m`VaMrOG+?&T=&*nTia}?pvjgq9JQf}N
z0(_6jWN?~ob#(@l#~U26&N+5w8LH>j*0kE|#0i<6oW^Exl5=+HEPLb92@@-GN{nK@
zV}fbvc>OHbq^vw~&UlNpX>LA#N{dFOpW6?!*=#ctW<o^ge*70Qp;)l+Ux1!~293cP
zP)&UXik6LFA$lIHY;D5I-twd&BAo8{A`A^d!-;x^cqb9xq@JEh--GS0(>tkm>DZ}9
zX}moORSoBwWx`7SPp}8=<o@7u1UG1Sa)r;q<LD0lE3h5!;8*u9Y>2oG`EnUQhyJNp
z*-xtFucW>U34OkvQlB7I^G`)IUaIBd0#vvBG_WrL3STuCEzkI;>nP3{f-*Dy>F0@`
z9fC5t$>V(IwJz7SXM4|ZkUV05JcP9};S=zKe-BQm90D8q^I*+<O4te3a|}AlwXh-D
zd|qM86Et2s94!`jaGTo!X7xe*E8yea+f5Ag!%dX0NTGzIGk&grKl-0i)3Oys^3KWx
z`fn1Iug|Rn)W&qy#?$|lwxBY)voenENn*b9h4gM3>x;xnpf;+rHU<69NX;uwhT2eP
zZ8ZH)Np9H+vY;u**^wR&1m}@RaQ{6De~XbEpVY$|_8*jB@Ch?Y5cqN#ERhSqGvF5f
zgpl034MW7W6rN_MmA-#USD?iM0!4q9q<T}7uX}eY@2u#bQWMizPftSXn~r>aZ}#ZU
zivAf5iIb^3GD7MLQ&0MTAW#H}=g>LMPrWC$Q+bny4~<5a|5lfMQQc87k}G*|<yys`
z=gMV>NTu<oB`7kf(qMK}Ps*w-%(GV%+NvkoCz#5O#pT&$h6yI4VRCl4*`8}Fwi@u>
zQgBflUy4eTsx8Gvv8b@La&kd!wk@}ySS+@g%j{-@qry~EWU88!nOQTbprn!%$sO4r
z{U{R(`Fprx@Se)itW^J^o~g`JyrxK(Z;&gQR@y>c0Vq$(s$@m$GQ-1jCQ9l^x3312
ziIK=}tE<AVuSLYM@a$TYJ)lxjM_yJgNr1#gLjKiulw6DA5$)$H@YGf`7S-UDGf@QI
zN}kK{SFI=?P3+F<kA*hG<5_LUgv#)(ZOG15OB%!6*s9E|;#{23h6duF+R#Z<ijOWt
zqrh_!s*AxtEd;f5z7rJCQx>8As07bjghr!E0*u9L76I_>MJR>#$4tN(Gf_G?IReC~
zDu$zcIylOQPb>tb_MbD+Q0NmWv)+lcq`qWSgcmqLnOqiZ=YSK`%!T-r6OBZr9RpnG
z3wX5w1vsW0je%C7Xat^L4(~J`?<@!9@`UazE#@mgo1Kr-E1+yqM?(d=5z10|`1cGz
zEX0;fGy#;|?U~5jL-`I$Zh01{l*e~ivQP>_|Cth=CG<}Hg-0O%tOgBJz?m^vQL*tV
zW`1uwtHiBgC1vn0QxGc`?vx34Ug)D)SEiml6=`MFYIR&>R3^uXR<|8AEMA@2ZG(NH
z#bwgDyhg9iV>6jVL!HShT0m(rziE`yGmn_iT3TD1=6V}@O8w?h;Mi>eU7*$BusX==
zAmNBiIC7!(LF1Zk8bMd9|4zHXsxIc=gMXfjIJxj|5Pth;&5i%vgw+2BP?jO}|Hwik
zDXCj!!qaeSp!K|$uyoM4bq%_PCu2bir#o5dd3Zr)T0xj8gMSF1FtzY)r~hLgxRnGq
zQcZa7DbQ+P&^imVm4T1lhLY66J46ONBfQf`ZKLozo8S}ppV0p|FhvpQP8n4Q15_Z;
zd^`IU+W<Cpm&U99U40Xr^}STdD{fXK$@kNj0pb~1@hGn{%4|kg4UyKl`QGMv^(`%6
z9`+~B#=|~A;OF}z8jKoo!H>vE`%`D(`5&WPG!G}AMe+Fhk5L%jb_Vv2%1_V$R7Xl=
zqXvSUir0REtOMI^7hOj$8|B5%eFDql+>T#9K}w49dho8-VV#<T_Z~t+@E@;(Ez6B#
z55Xc+AIzG42#r84eElI9!`UP&4><|KARO}s3P-boSS4?uOTZ(2CXU$&OL|=g_`!H!
zeNxT95AK3>%PZNk_FV@QaCR3gpwsb&-6#qd?}pXZgYUQ-mgR-J!F|TE8=f8`x$a=@
z2fLy5saUZG#X=`W>_P9+e&rPGx(nH$8&EI?`|bh*-g9@u;yvwd#G%P}?%gmzo9;zX
zXhskNo|X96y=XXIc`p>$dpG>N?rzi%x&bv5p<4Xa-SEQGItJZ?>Ja6t!T#%DOr~~q
zI%7x|^O9_7k^!IC(#XRUT(uU;R%8EK*z8Wm8`i?;_T+4t>#s))brJK^O1S`M2|ArJ
zKZ32y;XVl2fDd;dUFU&bu=o5M3^|_&AHo;%Z677Z1V6fu_M&)R_@MKngH8As;1TmC
zbGY|PZHTC)gC$NrLuB4J$tV2-wDKm{pZYqDZNzUrkBmzG5t*=rf24Ou3=wB3{K!j)
zP4tKci``+d>#RmQXn=_Az+rP(bfU%LFj&lXW1Z2i!6#lqdS701{m57_<&-onj3ui%
zvFS*f+E|?d{^H?GdTY}R54b|akBW^yAKP>e_KF@1!DtPF(i|3x(QNlK<Y*OA`{kJ`
z7wDzIj$qU|hS)4tFkaa}Eol=CI?)KKX&13+7~Cv=;ANB*D=ABQ)MYd|j6q%rZ1Ak`
zTklcmlnEzGgBz})7#gWNnJc)Hf^wvf0#or%?;u_&JR<{d-DmnhO2TU&pfo`RPLDp3
z_oJfeO!b9dKh))Izz>COeN-MXgPb_{J99@7))^YazQ>Rl7inRh3=XJm6y}}RuH_LL
z&-(~zeI^HJk)0Nc&g25?l7%Q>opn~5&T9jOAu$mcJT8XPQz|%8q=rp8>oR)l>dYRi
z&T6-S!pv;2>KqQR`xq=nui53XdObEL4bCW10VG4L4WJIM)uVG6>p<OSsH@XCoj{>p
zx6>&Oa9czJ*s>Tp$ltyr6ZKtRu4L0`{N0x*LM=#WKMCKR_g+CZSQY%f&Ynj7BwP|?
zqc3u)ie_jvqR9~?iDH=ll+mgPQ$F3dT=qui*Z#wwgeiYX)*$%W`{;QI{*tB!UxbY|
zF!o4PEE6ig7d(~=um`m}wPl+3!R6#<)s+wk;0nd3ay_$=;pjQk5h@H&9sa~il~L{e
zmgAI(lnt%Ir&($sex-^M@YNHk?X*988IB%96`^)mi3ecc7|M-@j-lf5q_I>ao^XcJ
z;AvwhE%JAPBM77vEx{j-qvG(mF_aQlj-evaO6(^!|2dW#rHoyyj4Brq&KO6HMZRu;
z7Ec{Vad_J}Dox2RQby$h%GR;e(Dmum5Oiq|w2X8rP37kohET9I32;{Qz*(3?>6Ml?
zWt0fDJOn?`^5DCzO`>>QlZA$NT#^iL%tyC^e`Xx=*GP;7Kb!*Hz9xmzpk-aJq{hXm
zR2Y6Sg%WwD1sVlxeK+<{EfIiQ>cNb@WGU&uAUq+JvMU!iE2GB7A$(0Ll?=lHfWqO8
z3zSiDap>|9lH?I87kXOU0TVC*C3)s6qf((AwbahS`j-065Eg{#g?=uQ_~TNZN>(m!
zlIq3}@Gue!@$)=2McLd4UP91^WPuui+Hi$H<tppuDWi;#w^5*mqgMQkK#fgk4{MML
zuWFJyMvOkq-dP|Lg`S$R@Dut@<<Fk0jGAReIQ0zdkro7HqV;Fs^ViH#MrDJaYbw^A
z0m+0r3o_Jv0xt(KX4zTfKutmHcg`Xmh%x_}q!sZ`JV@4)?YeM^@P$)-ep;uZsG$l0
z)a-;aU(i=|5{<tYLJf!~t0$)g0s0X*qA?WCPR-**?k(;*&Iku-u4G4Od&>eKD97Lz
ze`3ND>TDL#<M4uafk<rjW-tZYO;&@>=`c#p8DKZ`;t@lsF$rd`(dzNqtU558gT2^g
zH|QKz7p#*mrw!BrqG)h?@s&d<U4q+TvbY_#I-T2Sheg_4XVW>|b#`dNW%IbKPNUgr
z!bgTuVuH==v^wixowXZWVC^;7?K(R+3Ftf?sLtlBGea%d7)^~zFuJ{Uq6L<Fx7P)h
zOt%Zdc$lG1r@?A>dF&>;$>qY=MN{z!HY+Ub;JBeP*EwK^2*-4FE{7e;SnOcYhWH;g
zgB`yWO^umq^8zcenT^0b;5{r((FC3VVBT?hT}FfGaJlQ;Rx9Xw)p1BxJqz4ZoQ<t*
z&PEChF2FxM;2vW2!kD={9vv94p=%zK%j6bqUYE&?=MAGW5}YoN*>3eZbtbpb1O_?a
zSx%$Dt+Tnz4lvBu8C)=ChlWuj5{y>616Yw)=d^;!+v2H%UYpEdxb-;e3`V2N4z?XU
zG=@q^Fo{khu}uRDBQpk8Qn2oVWy)wZ7|ceq(QbFT@thbK2{5CZO*W@X=Y|;pe+(F6
z=pT%k!)`Ivx$S0?-GU#9p+@G~>_)F>gE6y{#A5Nlt{U7Yz$Rxi*4a%CK$T<}PI!z6
z20hfIVD;%brPdJ_O9gsF<&h*wptPAm_O^34HDRc*hqxql#gHP}`90vG`x|KLpA$Ob
z5~y1*Sbon4DtG;OiizfgaWZgx-VG;{o`*AVL<AiNhYP=j6G{`H{78^(ddaU+`{VS~
z^T|RsadY|xq~oI?WjqHafk)v`*hb+-DC`#&!eKBM9Ct4kvU`7!hKM>EXPc=5$--ty
zF#C%$^_zvBuGB$iW6Qs2yxB&1l7(BlsyG2J{xbAqKLp@;5RO?r0bXC9lAv1f72hpv
z>fMW2%TqMIbu?AC{tk*s2^X#>_56+Fg6G$>gT~iqQ*FrtoH*Pd%?7cRyabBr`(VrZ
z2@KAc!dt?>zzp&moSS?40*V>S9va`APt8jfmXqDU88G903VV(tU~YLycn03*aX7Ge
zuW$!U%?-jDVY#sC{9bIL@$w?->Lj5>24~BDfR}$ucon?M?|}1pEig1s!`wb6Y=a*C
z3TGbg6$1VDjq5eHI}8!CY1~pu-5{4-`p;`5C|*_LZz?Heq^4Wu6^YD*gzv$FyN@E1
z26A*<NJ#E1@Eg2r9|c_ax0fl6oG3ARueDvDK@I-aP09QB=muG~FR}-0V8(_~i)GYe
zp#{PzXy9yGj^<H~T<uYfSN^07C|UV3=1=BoCXQYsTPAx{HjY%+^|!#^A3t#;l^T9a
zr?NA69xHy;5<icX>#1n8z9Vrx^&X=86tx`wFh2*{%s9%QFEM>rLzAm*enXR!xR!TG
z7~uIjqphvp69UR^A~Jw4lyL#<V0f|+3JFejPMu^wN2-la_WD^Oc~G5_N2pBiW^e3#
z)9R9f^6K2cinFSoeUK`Xf}(|LAgu-)Y4K}`U_$w$dcSEyQ_xi(-ZNBC7C3iQLy#Fg
z@Z;xRpuL{(<RyNH{5BSvjp^O&IfD_ZUUoxY4dcz@sE8>c%=1Syc@^h}U~h48)a7nT
zstO^8o@DDf8<3RavGE}YJ`qiizz<CXQG4pAXqeo!1Wp~`S0_?~1qhY_Uf^Ww9b1)K
zTNOAsE<P&0D}o)UM4YfKcLre?{X~@nMy1<nPz2!>J}MPmFNus#`=~71=~v>s<sb%L
zhvzJ((vbo`u$&r-uEozUrz}x&Vhx}!>o0X4+G{5NWNSOZR!}seqx}qyolRw<Yl1@e
z^4U}loO$0ro61LPy0bW(Ru2_ZxUrrZhgSE<2Q`-lzh6(qGXBASga=+qW#N@Xc!r8N
zyz)}Y)bFwczYNI4L0t*&1O6WPyV=wLl0=~^gR(r}vUu7Y>P;@*yHJYTM||LC;pM3)
z0jJNU_G|p(eB_`M<!{0NuA-9g-mR1z&#s~dpesV+{l+S4B5W|uR#Ca=@?ak!YY^Fq
z^ux=msaV)qY^bKjpv$^}EdHaKO8zH8=|4DL+Q29f(ItJ*$MTqqKUhWa!@5)?L0?>(
z%?{o)!L|5rXv8nR`mQ0X@2{|1?V|@yR?euAn)-`1_hL4-e=t55t+s&~!fIVI;C9P}
z5fJoXCeOh^@Ot)l_GUI)+gqvufu;_}?3G6by@Wuy1EXm)q?xRC5yZLid*wHjxC{=1
z!wFUqkWE4G6~PhJ;Q-xQoy`COBDjQFL}UDlN(h?-5kOI<Y?hkUc5_E-Z0|Zt1F*AR
zc|DbO;U=%Tfl9?+Ur!}o7~EA_jx*L#<1UN?RV3lv>!<-20kbzy5s|O~Fqr!6pwt9|
zD{r7;B~0Uan9xv3AD}O9ph_c+2A%o*Qt%4teSo$EC~^D+OD&5hs$imw4En3K#7lk#
ztgu@K0&Gtax;s?Cg=lwOnHKN9jVc-<?3aOjMdZa`SSJ#M^(zpR-WFcIP&uHJFuZ>g
zl{19M+@#1Jkh_D*VF*wo90Un^|Ah*|p}3&HzIO|iH(1z3v_-)l?uBp)!QcwJp#K-P
z>seNJ>W`kfml{8W2Ui?WQVMqomxE7DKAcokLy&-%A@Ic7-c1`Ko~9(FWzgTT7Y(w*
z=uFf%iE1wn)?6H{J_qbO?*mYs13wR}JO_Lpbt=vQpGREs-eBLkUo;bfUx+s8i-UV8
zdoNU)EWRwih{OTi&o2Vm+b2xd3S&Ws@EZhj*u|e0b^|18kh=YpFP4ErS|M5Xyg^|l
zgo~^y+P^~3TnxcS7CZIDFbIO`uMm{I5YC^xUI<;&=j&c^<$YjuBQQM?E;I>r3?u6z
z?hC=GVF2&kjC8@zS@b#0GqQfvR2hU7xfy~t?9jNt&^Sl+q~bUnp;ySSkPoD$!ZF{8
z{5G_O-xP?8NPs|R{$WHk8i4zqq>Sj^pcql6q~&<!Tc9BwdJ=S!qv6~r`KiS>o}|K5
z(aNYA2j#EC=p;21zjTsHMECSA_u@&=)3%<ZVpWTp>s$SzKNfE|4$9j5dn4{W4hqbe
z6O>tdx!n&3(m|+Nt;WW)R79`?MQ?#nbyrZRdjCxjs;)mtF&%5(qCio&^<j$dc=v74
zAkuUFgYoDCAVhA#`=6l(WB&oj9fa>c055fCFzf6A$_xg?<Y%ZPw3&#Sf%M^8-24m`
z55~ruo`JG=5X5w5Rjq#jZhr`*&rN|lh7ao4`w+Dep-4P^D+pQ}appEkhhNwV0%ine
zw^0^!JIR`g!tus!)FtRP@+%6zzl}<ur~AWj^^H^lx;2=&?nWw}9DWbrKNPeBJ=8rI
zW3~Q~{{LuPBgnXVXGl&BuqBC4hM64NJ(C>X^d>ZWcXtDw)4B0Ym`+J}Jgx{%u@(<_
zixTLrZ6dmb^fZCsC@^~yY!Cb4l$)p&baU_x8g8P}AddBIH^Cs{VAgv#!O->GOCCo<
z_!%<L13bmg0DZ<HIGt`3c>YWN1qlCgP5_$VDsnxAXFNf17hLZLu<>$OV9-St5ViI%
zQ8>+CqNvrrzs6DhC5lSf8|A#EBwW!OCAgUQdWdiR<QK;2iNc(N(zPJ;6atlWoE%n^
zPJVeIj94m`U`UHftnPy1OB9im5z!G{kO{<Ec7hIQ55?A1Ot4hjGtH$nrIob>RYkc4
z6(w0Ug(a5U8cRv`gtD^I0+U!>mY-8vT9G%oxVorfVnM-V*kl%2%(cZ6D>Kh$B5+R6
zCYr#wNB!;10f;zzdP@|Y2G;n}9Ps;A|Kn~-!*TIVh@=9#ILd2ep8`_RdGb%})HiA4
z0?E}0sS{;w5LEGRNb&gT!&H_gI7}CBSnAuwwplz)%hZ3Trq9SLT&$+Q<-*j0R2o{l
zUB+L>4bz?*o#9QoBk%@OihAuA?M4xfLb}@O8$3E<bm|!P9aV{X?ik1cPq0K-937W`
zPfbH3&)sj@4F<an4j^`wC+|uNSIC4bK+Sjo@2?kWe8q2+PyKhjnEs@|U<yh_Nj&d^
z7^@-frDVQUBZ{WgYL2}{#?qk6t>m|HKdSet3st*R@yc~dwPKn4SNeJ?0^I}Qqw@Fy
zZXcJ=?u0I9!M~n=ext$f@EfqzN@t+mc#)M}hV=LcD=ng3l4fO`jh=|o@J%*)1loz8
zveDV}6u%BThSG7U15X)Bk47Ug9!kfeC-Bapz@Jj__e1GK^f(>}t^z0pPmTuIV|ZCK
zZ68wSPgX`nMNwBLOBxXAjsPi<?SM!y;eoKTBQVIzAJGeqGvGFWK^<QXqazW0sXqxr
zyiE&ww3{_4@H&Q0LnH7$hPI>a-T5l~0hrhEa5)X<?{SHowxUP6feJiF4#0=ybP{-|
z0yiCs(-bs^|CH1H(6%0EkZV^ZD5Hu}DgS69u|(i~3c4RY0s;ypd$<SYeqhP4K#(v1
zy_hpNS6!>54d}rh*sq_V7_2-C!b2QRISU-{0ZB&bXgo{ZKmm_O(}=(`gz;<r7Ti)u
z+tAZ^dl7VVZ6Ph-w+rE=%or6xtxpB>ON!``$b^>_(I)0^$V*mL3|NOj49gCRVf#*i
z!F$yS5SH%i?qw&_-+O`@1#u1jwv-n=zpbHRhIGhEk}QJX$6paN{$5Lm|25s??*)Rk
znwXDPU&yoMAdOdt)64!&O;L21Nh`cSK7tQmBO0<N9fQgbgB5{*+EcmyaM%nbB6Hjb
zS$nz+fA}c93{T%d-x<*!$4ammfXU<lQz;PMw42VrS3X21@iN(6-o-yJ8&U5WF)DUM
z5b)bW^puEM+Avb(ASmXK?kYFtaVU5H!}L6bOtxz2jBoMat@M`gEREDcIH1m8I$Kz<
z6)=TubP-ck`0{!@eH(peSo=V=RHs1d)G_`z8J>Ozy@MqYsk?jNyaNhO+e~XC=BXs?
zAp|?MtKKnp0(j46x{ax;KKvWD+zIU`DW&$K0C7YYUgqs|7Eawl>zUC@vtsb{E%crJ
z+XpGSJ1QfH`1adrFPrk>$h*3m-*h|FKVbt5KtFk?v(copDuoO;Z3OUd8|c{#3382R
zZKNy1av4&qn)I{t_3_ignM}-XqDz=*^A{Y&(>IZcm`jri)ufy7_R=_EV+Wmy9~elt
zFy&5-6UPmrw?xdMBs?;lUGJ^NOFE$8sKNAnChE623cTi4`p)nQBsDCk$$NKpaGx3Q
ze7Di5OnCOMIe6=B^k5P$`<S1^>^<5B$vgFsygdz)!{v~?kqgPeQINc%hvel1NM0HU
z$%~SM)>_31V)l9mEM(bm*le^WOkJuDSG}WpShWi5GOLuiN>Q1pj8w`MXA~zPD#Fu>
zhZMIet^zC9DdCuEiE6IOH%XPPN>*u=r<Bh?<dv(HOO$h!)09QZ(aKci5T#b}o8pw>
z9mTVX9g5A0>l7;>++vy#BXInu5Tox9?93m4cxVeCn)V6^shG)^K`_NjAo%H1n(H-I
zh?y;iNQy6VM<68j?c9}I6IaDqxkw0Y`VxfFY+<w6ep9qZwVSnGZKCF+=5~!=)1;ZK
z$<mC_3<T@nv%)To8g`K1sNYvVuimD<QN2)It<F=AQm3j1sWqxURHs$Pz+`y`7)@^g
z)9Gw*bFERmsyd+Bp}I?TvkLcDp~XQ{ogsoj_`UH=f=@$7QF^1<s+V1@pan`VyQ(wC
zqL*D6%(<d7$E25C9?ZF{GsmEptqSI}2Xjnzz04oXS*fO@kltvr>LGr%fb^Gk{<i2>
zNWYg$zf+ASlYW_$v9uGxpkE^WUL5>wwCfj1zZc@<LdHH=dS1{8GwSC{znhZj8iY4T
z%cJo%h0KczDbtIE5154DvlE-UpQqvdA28Nnel7k9p4Ae5Wh|YG%RgiW<H8S_I}B1@
z0T0Yr55r@&>1_u6_;Y{eYw00f&^&zd7z6^o?HCi+uSa$!ISGg}OPC0pQO*p+`$`!#
zzV;ZyF<A^4Rn7;f<>~1R*g1MZN=lhWary-2M8|ir^y8FIZ#3w&N;(|r9eRz_RkhTr
zsJH5EdX+Rj<XI`<i2C5`$|W45-lR9{ncx`0GcDm5_29TBsP%-stYz=-GKYT+r$<kK
z9r`Vxz!yPf_!QWJw+p@p1+ayK9XS98_pStDTLuS9o8Y*qTbKsc`f{NNPJX6C9AUGd
z6GlKJ;UPk#AV4f(8p6{51kr@Q<UfI!^zZVA`GfrPpj_X>KhAH1n8I854LpXZ!fPNJ
zy$|9Fw}8*gEQl;Tg|FsIA+~TfKbE)gMjym2OXOo9z;HN(p;tnL;orEk5QP2|_YrrD
zdk3Nnzsx<$?S(kQJGh6rdm+;BZ4iC_I*2vAid(@gf@s5YIWNRKo5WRe6S#Z`!Zw-{
zIX%Q29?nH`Q4n=l%Q2wo|B*cnac@sR@Y2KVE9|rE(`*MszP(?zBW&t7T`mo<<LXGc
zl!R^dEtOwRLf(RI_TON6e+_oqUcmrS-v&bWK7dHFk8o`eD|G^dTC+j0wKy)4Q$lFi
zFCi@KYwUhd1rtT^aqxq9QyS{+(qKOb<9s)GLtHCd1@RUaf-zz~coUKExcO3m+)Rix
zH(ClV90tK&+j*ZyiZTr0H3Y?9L>TT0Fx(Yhm;@J|z~{rlH5!8b>mh{ma6TFW{j<D+
zmvxWt5eNkPN@q~q^Fs<Z#d02qYF7)<VDq^#5DWJbZV1P*f5IyF5&IV0N3`o45&Q+Z
zN=Z|c?3%8K{L-)0vd)<N(yyyzol*IvUsuRF<MK<tE|YZz=9hl8%Q{2zcW}w{DGL7>
zkV6RI|92sr$pHKQABJ!y5u9WGQ3&VDkQ70m5*lDxki8GyFb&Fs{4~Ym>QrT>=4yJL
zY7<qhUZCB~q|1KNWV3$)mpet>rkbSqjXOl0;BvK}p|OG<t&;cWx2QX~HR|8x8x&2H
zpq-*fW_9w9lvfIEs&IA}^D^7QT#jCpZI{=mKB0fnMv?~MFOU>rVx(2nU%_M|JD&1@
zya-=6mdVG=SSA;@vGP3JHU^Tff28wpdJ>a?j5sZwDZ<o#$k0bInR4koHrAh}GlNyl
z9RyX4#G6S~aPlV)FMNc_!-rH%hCE4XORolm5qQctKrrusw%X-Px*{Q1&y24?5_)Yc
zgt4zcP$FI`0q#GUu=&V&mM+34ex)-MF+t>A-@@~-;B(yf@Ejd{o)6Cmwn;w${>)F{
zc`#m0%I@9M)ycAVNi%C11*X?R?@WgPDH8wjFF-OLgo?t06|ID4IBJqI2D(b0r8DHx
zQFy%hCD<eiSZAP5<FDf&x<4HUl@O6tp$-;&<#D=eWIzPXz^}zYQ+uE9&LjdPoT=SC
zoXMkd8LaQ1M-y%7A)K~@$y348>!cn$E{VzX8HvnB39})Uy$6BOXTy5UanJG_w3oAA
zbE5Vjw?aFXjb!g;r)eHm{SIetay8NFwd%K2k892<Z&I`=<*IqAM8#7IopOTm7(I<T
z2>a8s^w+Yr)L80r*;^=@c~)MH9+rP1-@vS3MC6ro^xdR6^0%%)PzDd6D)7t)<e6~E
z0HegGBbf2{`ACwifGM=*G6ncvlK0sFNNfaf?^kp_PKyEn5XX32b1CF40*dLb4X6WZ
z%Y)h$<pYe62reDKsPJc(LX{Kqn5=G8V>6SXO6=-}Uk;f1TqrpGE2#PD({vZ69B-xw
z>}wk1=FvT}33=esZy>@ZBasAd+C#6y`*zW#*tZMn5Ozan@7YPiAr(w!9dFu6E3uV;
zRy|IS2d@g}I1uK)ehhLyBe)ZHL-{jyIs%tHPFwJq#{kpw7@gno^5gUdL?-h!Ty~Nf
zPo7@I`(QwVLGM*#$>jr|fGGVUm?s|w4zvz}v$qMefa?^29ZC-zJsg6t{{*)Jyayb7
zF9coR!ruh3)|c>eA;x+sun;pa=qO$dobPLhrGAKe24bk+3jzPv00VA<nCX>VE^xu*
zUfjXAi+vCxlwJoh{aaWsghDM~N3%LM2EzE$5Qg|O?Yr8SwNF6+|IONf_HykaZM}Ai
zc7irtYt#<cMrxIsUo>B8j%i-g?APqj+^xZyt2N6s^E5Lw<(h1b2$J+5jTU6+)9MrI
z!*Bs!hx&f?Z9s-T^#ZjUr0M+OY6pnZ(Q3FHN%fuTr0THhU#iDd_o%SyD%c>*QB6@5
zt2*MU<S(EuNxBt6-OrO>Ms-}<!0bafwh3f3*I0Tfh2NjcB+Mr2T7&jJ;w}6(1igO%
zLfx+fpT<hy*_VJ8{wE0j|2#-Ow}QMgkDmzRHWEgSf-!p=#FzUZ*8Fl1RLbCLoLEi;
z!pPeog51Mi%PwT6vpEnay&r@}e_wk*dtVQ(Dn*GcyiOh!JvPcT5H3NBreLmBss```
zYH2mvWNWyI0Ku06if?R`aUk4!b}ou2yON+72g0>y=Rz#9%YzWO_v~DVS+*(&fs4=1
zg&1HfNopGa(YS`79$j(xIG+T7o6pVx*jEG#z{O|h<lB}7^WomJbMmcANWNhJTzhs-
zzPL!rkAhpzqI))MG_?f*!|`_+bi@!+7VbGar>vz}Lcy__bmUZm0N0wGgJ5cu5W?YB
zv&dlO^P8JI9u|6{kAxe|2K8()m>mxHnf1V(sU^60T_zm?^PrD}yUWfgG*u1ov`DzQ
z?40Zxm6Q$lmYtJbp(NSiaBEp-6AP_rhVcr>)P=*1WnGzKnjt@!3AdGXWm<e`hTLE-
zTvgVUYfdv{kj#<ca7|ffCV9tHl9?I_ca)vefnfFkxS_0boWKtZLTAoOk<i28g0ilP
zO=*UtU?$v7CS|fJ6{$I14mGFXZCP|Aj7Um2+(p)-OpF8_1ox1UcHvscAVm*mpim6_
zOOAxA$j<3f6agg<0FRo^E{S%d6Wpu&(Ih_{?jh^(TEWZ#>L9WYz8LVwHoHW-AYl)H
zOUTZBv0#2UTtXJ=q=^ew4HuAwGL4;?aQj#&)6kg-H;?t`go=WmB}LL|-??uR%nyTW
z$0CuMe9dII$lE1Fz`3|V!MxyjNV#MiXW$`fB~g2y=U@V>`s1KozhBq_uErQv_ch=N
z;)8o&T7-G9$~%QA!iZ|26f_9gu-x0gV3-Q`i^V`d>u`aC+r<z#BAn$<!}5P#Kukl#
zD->~LmUn!fM-N1^gB>|aG&BFFZvkOoGx;O*;&ZqI<Y<otQ1b0IL_9-v94&!($ZmlP
z?Ph!5xz+*h<`091^%ihBzXi5g*MS=Ja#*65!B%Sl+~hI~+|Q>8wXk59z-Z*argju;
zxC}5JmjDwS3ipwO!H7J0e(OI{<QA&OXrMFvuSz=8&D}`Om3#?DIuFA=C+lIz?}A%i
ziM#uJ*fyub?H#o+zC6@xfo<~7aJR`xxYy(b*cxvI=DMC=!+isHbYufFeI0gRkHTdn
zH-eg}2{y+fTw*ea*K)s~--{Kf<Hl;bfie(26hXmdEO!fIq2kLR3V93rgyv7pLSToD
zs>8}Zlq$t~MFMk#F$43udq-SE8^!p`{bTW=C3GcvA>;+QVJ0Z-e_BF^2Tj-TQ^2p!
zq#3+=DLq6rMj16Fo$^nC=nHfVeq||GH=Ylwz@>6Sm(f`eT6o4XItM*>PMsMLO!tGC
zbUJ!A=w1-2x4=n%h#WZC1zP%lNw$;sTr`W@Two2c<J(B~GhNvxWW&50B3>WBCO7@6
z7T&<BjG8xsY9E9@ET9vyzJMNv_J>-YS3u7}B0f?;k3xHi?mrp-SpdfP%tG1-w@dwJ
zwgM47NvbGiR+;@q?6bhj?+F?r_FCwL2>stN2ibxj9XFF)4|NKZH?P4ZF>66fb2}(-
zIzUC}fy-i2;j_+z3u1m0`Ux@M{q+G{5c3>dKlA{9JKQ?d&bRWjxqYB!83J01JK*BJ
zmE3%8Cfx8;2+9E#?#cOv5aRg+SAg!FIf<quvUg9R@4Uz%#EW`gUJMvKrgaAidw)mo
z9*}Q;U6~x;(L@g~$j&UZR9560ER*bx>a0ojRHT3#<8*3jPK$eXQ*(1hS4_4v2-KN1
z!D24U&V=ZaRYfJ^tINp3MUj97U-cQTV2p*tQt#ag6;A8a7q0DZMBWIeqywaqjhzyn
zm4V*(ywEX06Z*<j{G5*-H<U${G9i`Q&sJ)+aDMZB<#t7;{1W;EwFp(hXKY6QYgqaJ
zyJ2PGP*yfu#=pW%(|)13RjpTfm80b^Gu1SMu9wXQ*R$~v?TG^=i_-|O<#Ze0KpByN
z>yOZB%o}^YcjDWQ&|CU1h?0y=I%4yYtZlgDUHVDpm&<1QFn^TZ(ywGdcSSRZH4g7P
zO5e(S(82tPr@u#RYb}vd4RNFforIx3L_Z03y8E{EAA?UH0>je02npp}gIdiiU?}_S
z4X{8hKeY5oJpC{+RgDOjT8o6rx-Du%J%Z1^LK~QjXB@xd<bz;&%MX+Ah(S-*Wr315
z(ZgP)W3}WO-A=<A_8p{)BHCy7mwG^Kk^bmT6Ij|9PzHSdDp<A_o~a*>r@uxlbrbqY
z6%&JI@O4XHq;Fwvb>!IbS1-bN%@;xyNwze+=_Ps()0i^p7@qzzd4&dE!jSBjoz_Ea
zG=TEw@$GagGqvrVGg$X146Lz-=~NmvVmgIk+xf=vBa#JGI&sR%cFFh`xI$L1Ii+5y
znx;&W?_{#5@6aj$Ooh1~6*eWYA2FB;2$nebBi2Hqyogcg6McUM|NQw0=Z}}9(}+<p
zv08F(bk}&Tlru$<?Q@4qFCk58w-FXJWf}OCf>{8)ylU#(U*qXY28OI8UaFgrTIY}<
z=4L?IuN{+$zeLQI{w;B#+JYpqkzxpmv^#H|j;GTMkkPzY2`5A&c>XW+PNtfFISG&a
z6~@aH)7{JnX}mu8m0k{YthqP(4?O)hGI_DXBoxx?pqVxETe^X%f9}hJc>A|Nhjr1R
zHae*QVM$MO?{{<~Qy97O20Z9{Ag}D9QbmLeyA8`k#fSMH=wjxQwQH`z(|@4vjBFn`
zM5-}lSSF*t=^Mbj;$t8za$hz6^<%oS|FXdnq8V!Rr%K(Q_6hyGHth7J-4<Y?H^fb!
z(o@33K~nSNqm*7%rNGxd3luc;GkP5J`Q6VwjHiD_-(%3CTp9m1SEv16vqe2h6{YxC
zzJQTYk3n{9d%U5$4jAX4^?gV(XsUK4GkW|@GE7T@Ug{H>xZp>DH>WTi%u>tb{&;#S
z1GHR_);*xz;{Yny47@&(sbH#$_S}QNNrajjb)kU`eifT9VRkXbiIMa0^burw=Z};y
zB!ZH@3S2*k*~2V&@4@?V%3x+oKSQe26zPog<>U7UGs~I!WAClN(}ys3hPTJ2boWJ?
zTo7=HHm|K8lgyTt-=ppxM^N%*;IH~IQzGh;L*440Z~tKE|E>L*MkZ(Cl|N%X3>q&^
z>TX<mPrNUTxtaO@di(D9sEYU9J$q)h?<ORHP$Q58Qb@9!FhD42KpFv3AP_=A0O=(O
zy-8RQq!&>KP<oLj0wReTs#FC;1xpkNC{>ylQBc2dpE;Y|gI_=Qe(wF}=O36o&-8g`
z=AHL_W@hZFZzl3WUs3$h=4$a>6^t;FO43&w9?2gV$wuE%&D5;iqrP7p%6HvF#*;Ru
zn?K@(X3?b0gO#lQIm2PN^4|%ulgP8TvUwOK8xn+yZ`Lf(*e+UES?ZbIFt&syFb*$S
zz9IbwpCgsA?)fLb-M{7luRM}eznyyqm|5Ib$#)pq*ELGl_Cfpm1os%t3-eL1S$?rf
z4F(EnPzEWauJRb9u0<Akhy1jnb0R;Jg}(M~ql7CE;arkjmQ8*j?>|UBzzcIkPo=k3
zvg#$eQiwVd>L<*&pC^(W%k;ffUwgU=*4+d?Jc;D{wr!=v$wC~@dIgIws0STMM>1v1
zpzXY{BYI+%hAG*15!t&IEPE{ZoV0VS8^fQ+qAv?tDk*hF09Qr#v?be!^+XTMs_jGy
z+88B;c#(o@HnKX%S)vJBO!;L8YB)Vw2@op+xN5j8nw+AVd-gZ>^1>J~=e2PtnTX-+
znvB|qkXcsE$$8;-Je3p93vLNT<w9N<i>?NdxO*%*$fCZLQ^kPXpqOi;C8(7j+pc@H
zz=_oVU$c8xuptfz)4TqXE<zaBX-{e;$AyVqz9(;%3*_3`v)b9Xf8(+Ao-{~mq`9bB
z<PoA}={Aq~dv|XXzBmP@amT_J4Ct!GykCtuK8-*0BTIO%I<UImssk&!YOxolcfQV#
zbQf-$RPH?hNgk?=B%8N`Sd~1GyYU<M<urcsp0I=qyLu$d_Ha_TP3H!F2u>cJd0&2u
zx4MUrV-c~Yh*a^*@I&`t9v3!wL~|SB_5TwV_g306a~q9ab6%tW4)@-cc!k)iO%F|5
zO+}`<G?T6{p4TrWcKMcZt}(&z#IRehF$~4?JVkPE*;_k9UZ*{!Z6iIDw(2T0=c$1l
zCX;j}xUQ^PpK54qTLH3(0c6BUR=edEHJDFXZjr;5b^26GZ%=P&c#8@drtIzHElJP&
zpAb!2Cfa%jI$_IJG<Z^5Xjto}!D-<o+#6e_k?;7yGLj@bAaFu-#<vsO$THq~8%dFL
zy#HR&U7bibejl+V927W$4qLkw@h9v+a?`irpEbg#a$`IGIUyV{kb)G1%sh&aSGFT$
z?sR-ryeZRPAxn|!KU^;JJo4pssATe9$)qEdc3W}RV?Z;SU>NQ4xmbC8J^UK({^f1N
zuVGfZCRKzi7QcqNvHr<45nd0uh>z<+)63UfBLgJ<Fctz;Aqs8~)&0K+bXkbl9Wn_I
zw0`V0&MOios0~_+tuL%9=kY3PC(AQwIv&X#Yl(o%Vm(|Gwc(POXX*%BOF3K(;nH!#
zb;DXio;Jtet3RuMO`iy6(TBQXT`2vDzC&}VH~EabO5)@v@?LqQ+)P`oU8Q!TMzb-(
zPvT*RF$lts;h+4YxPCPm&NwY!zXJ2)xyKOkLm+n5I6mF(y+tnXXHir1qZ}<Kmcy62
z89ob#oLm!9bYOY@@A77;=7Si5QXD`37+%K-F^B^HqgJi~g>RFWixPYiBX=$@JuKgG
z$4h8S6UuKMmFr7ohTd3vcH=pBOABoet?k8nL42?26Lf!yRy5br?W6B#e)o!$X4-D)
z=irgrz6KxNXqs#8ZL6cLrry#i>v`=e{Tb_g^IGzm`G#m`wDK6uZsXs^{qhrIiT;e-
z%ot|)S!*+_aktm<P(OQ3c@K5Lni9DLuHhIsHTlIw5a0E}#j9v)H=B|SUO$ee@R)eo
zS@D;a--{!@?kZtOB=W!EX|74F-!%O0v<RskDkC+H<@U$$Ek6zkc_rg7<fZ46+LL%b
zzXOI1CdOobp#%KQLbhmo7#Kd{2fb)gO^RYa0xF+IUd)Aun%_*ODMCuMT==7DbA+$t
zHE!?{3(eqKC@u&f-QidF%85E?0MaIjLtlyG<?YeQ>lfpKUzcEXpG_0=nwc)w@7*Mt
zAWh;e8lyb$5O?8XaN#I4oXD^9BB8Xyy^Zl5hoTbUd>*h)j;D&>n7iH5dS0?dj_2hI
zQCYbIc`d-De>gO@5!Qz0115jNDBUeuM*7O3(r%3d_sZ6uIjys@PAWQWjm98}mP+8?
z%p|j@W>eEYPVvH7LVudjNeQZKGhOOm{5W#NGJZhh2cGp3b4dd4HlF1B*gGn#t49}v
z0#PI;r@zLNSTZ_)Rvq4U0(7p%NlGw}x-ST(%O)U^sEH($bTevK^TLTj=Ng=-<gV;3
z+`B(JmNh=K6l$Pdm-diXm15!7CMe;snR4q6i^f1Rs9uzo$_vMm4RvNUkM|XOEvMe2
zJcvw>^hc)p{$v-qykps4{G<M4qfcO*E2N}q5u*l>d*qWhV^etHKvAr|9hCA<bt@4H
zL3TQldbfZKBC{JsE#TgTsAoodCER#~^XNtpxg@UdM{-Ed&z?)Xu%FOueA+4HFBVz4
zbR$b1xkT!ejyc5d<&h1IMW<Tu)SRu{nq~<ycQsZUiuHkXA6X!0N?&Nwv7Zd9JxiOV
zB%>-wqF|0KDA@TeWFFOgD+T-U!gmSwKhranpsK1Qf?@@NhP|51wrVc?XLfH-2P@x4
zu0aR4>8{ksqdq~G?|{KvZ!JdN+KKx{g19Ogs9859n2?$pm0#i*rwM%I3KB&|4xF$F
zGbGvQH?pfz3UwnRN`V2M!1+otjtodQhVfdf&?#vdN`gXS+>F^&F>UDH#&)Jx@QROk
z;oG8Gqq`^xDgsl(n3ebgk@JLQWP+v3{kVOeS}C8~zK-q2@N^}XQ0?9PS&3)9ijKPT
zIw>KoC-|@Ah09SfXOA?c9Aew(A<$ylN#OTiB@v|VjjLVwOS4Iichgi)d6k~$&e>!n
z_PjHatfl<d*^rG9DN3HozN%)U&K+K8%bRn^SmM-8`Ir~JCN$RMWF;w4CD#@w-AP_2
zo#T!l=G9KJ;VlaxWyu=cEPWb$(|oTWcr5mVw3lkDg%?FPT1Q$LrstEErItKPQ}Zu)
z%Jda;vf0b@ooT&kxG4rx_HpB4V=rT4!)?P}!&E~j+&lM;eyx6}-l6+b_o;57uBR@5
z-lV(fWK57|a)GQSgGm&Y#3S;2IY(}&y{`4zrJblv&>E$$q_=U2X$1F9kX|;kWZV>~
z5e`BPPrNJ#`PM19H2S6CU#w)ERiJ1A3G$6Re7bhxxQuevNd>020HD|HSZ(|!a6Id%
z0@n`$Xq-J`azsMc2`otkS_}dZpsjc>O#Y%bOH_gR0+8DDUn70ka{^0Hfr!BZxLV#-
zyI}}rc*DkB+#h~IaRcl0-sgBJ^=}rZ0@tqrXf?@LnUVNzTZXq~+%b;yKvGfJ_W4Qi
zmlm`3DiGEaKz!c9q~5!ig|c=kP;>|Y$q2~Ok+4$MRs|w*0YonHibxE<W@fP}aPkr|
zkJ<X{)zs|&++}T4z~)bbd>!pa-05`RzKgY1fg>$N9tq<^>7#FBSt}I?W1>_E$J_K?
zRDFvv6__i4h!I^@#lO{R6Kkmg5v>4N-#+oRuQhEEi&24n0`PhIG^hTu&?*+K0*Run
zg5Mo_s%3eLF3j-)5Q!LVTND>(l@2|}>?%+c1;96C!0`HC1@>p4Ot@QjxDcP9TWdzd
z?DYPdMXEql0Ad6_-Vz(#>(+j_6g)9(R}e!xH==>OU`%fY0);23I%uni*@1iFKOPju
zz@KmfPpc85-a<Am@L2jq2Ks~>C=#t}{wtuC_wnC<W?)aafgeN<)}Fg|OF;0>ZY)Fv
zqHF;CSL{e@Vt8<dfj;4mv0ngzv2r^{_b;;<_!Dlx{x>o={uRI8`ZUjvfk5E~&I-WP
zd-*4}X<Ev_pl|~%{{ukS|6)wr*0DepNSu#6V!D}+r+mHLmw`{=j*%h6CvMyNv%Nk}
z{e?AAfr@7UBC@||6+ia=bq0ckJ4WO!0Flo4b%_n~d>I%PZonpL-lRI(5jD!U76Z$|
z4XhD)ytHRTyB39~vl)06Zea0k0D-SPHaQOVvayCL;J5=oTlHrX`FUX^1NXumW4I6>
zVTW@(efB8>`@#)`TmaB=RLGZUgVru!;9t0b;{vFC`$9&*dq>YRFfiOe<V65smaD;S
zFJCyzz`}3?3k6XBZ2pYk**9h|FfrVK;~N02^p8I6vgwoU3}g&9&?N#j55M%*j1I#_
zW-t&kYJlZm+Jk)C+Y%1-@ck{0fs^5m@PiOULqPNlbHU^r46F<{kSGLE7`(f8ExE=(
z%W$WZ;Xs+DFN+HHUtwclX1F6b4kD!%wmbP9c1_J-phmePtU-iY`<%Dyo}Rgrfve$;
zVBadT4!0DVizn`9;A^-eJVXS)QA4U5t_;^PkTu*95|yd-mwJZC+7G^Cpli5+rQ48F
zRMZ=NlDvkcGw?OsDUFDRNL5xf?{(2JjDfP@j!>~35yUB-fQW!|%-{i*A3%h#AC~>t
zUK72FfwJL_U=u^%dr$4D{)Jhc8E6~s9L}}~@@-i5*PZ4!igqzDH{1~tbJ2X_NR6MS
z7GYp-xFej22=cXf4VmnHtza9I)$du6LB6qr*5zmB`|f2RaJa+&2j59~@loBXVM$C}
zZd|iuJ%lKii6b%fpBy_b^si(MuB7~*U1ZC|DmzcklIv-&YPV@iwXs@BIxQ`e@}wpx
z%}4IdmH7WOCyw9r#2*HOGZfEWI$Gl@#E3x=I6$O)HX1Z`+(<d7HLmL&FaR%iwrn-9
zHQqDCb-{RMtUvB!ZZjx)a4d7G0^#7{@6bTMTIpY<)MX1#Gv^B;aj!NF@(Uc<$Kl|6
zCNifg6WqR<2K)B^`Q7AsmfOtvf>2EVQ4aD8YEp1F`priE%&AHRcdS8TEmm(0iJOr1
zC3C(Y7t=5+`*}OP7yCExk6=z!FnHJu#PQ#l{ZkYFs#4~BK{QSY#5{I%p|?SEhdEW*
z;C3gFc0a#=Cg=O3Kve1Aiv;33dW+Pc<xGh=Rr%nKnLxZJbr|MvtL(>|FG$E2l_bb7
zqWzBZ@jV{SV@{1KJN66+C(c_H(mD+qu`(4nD}b0)4boHNnzdxpRbcf2$iF>rdZUiJ
zU&&{$sKC;$h!OS8*B6tXF8+f}Q-P<*-M9Akhz$WfwxqGCDlpv-G3?*AI@zhH>?bxw
z1?(*W*vy;z_-?y7olRDO^CE`j`P3+%=*f6#Q3Y1dLmn+JFa9%~^gqTXs=!hv@_71q
zM5kpz1K0!=Xf39@x+hGHn(nH4%*K0w<v+wgeYiMhxNl+8H`qAOcODsnl;Tg{Ka<z>
z<{dUx1wI!*+j?)d&gw<#u`w#}KorVw&^yD@A)T;N6<8dK7!m8kbK|dWti?)H;7bUe
zZ~G^uO?u{k`35WY0Lz^yRO3EX10uRSo5x0bzVk{kxzu~N%Ywi=t(LG+DsaRbfW9*F
zoasX195zw~!fF99?HvEN?bp&j*$5RFE|O|<vi&dJU+I~~hO0n?4*);Q?H?QZ_{Fec
zDo|G};4ig0=?wqCzZ)B>0+m7wGWGrTp3V7JT{c7oPTvyU^yvGE=}qlp*<cm0-v$tR
zvcdSauQV%RgH&Ll06Of5)8*y{ZeTB~K-3)o0Z%{wA-rJ!b2d-~_6xvzaC;lyxF$|E
zKm{UC0r2bdB(Gsv{`;)I3Vber+7ssP2(a{iz=~90^;Og(Y}(}8?WWf9Vf|EK@oB^`
zPS?I}O_x`)LKSd)1|YJ*Kx4wf1K+a(6{ss#tl%GBzs@u*t*oyKL{<Q(>+{v?O+I+E
zlI44V<-5@3jz3R*)cMKYcUT|KcYZ<?DkQ7ttTv^W8?ihUSo)F3;>?geE${rXjP+K5
zn2!O}Z}#ZRpm*;7%6h3lg#a29U3k{4N5Mdrs{%!0a9F;&{9CQx$OG0>1x~I*3@zDz
zPW$!X9M(exBG&_GsAmJ3cSx^fIVvz;0CDFoSM<6+LSoq}5U~M(_b)>${NH~nu`Cs6
zE%r28d2OZk%PZ?xrV2EB12Nd_^LNwl&;OZqSAi2^pvCxgIF&N9@@Ljf1uBJvn(B?3
zVhdc^iFH+h2SPhC2bGk1tsLH(WvD>ZTLNg^hkAYR^C;Fu1uDf}z;9CX1`W5iI>gdd
zz$S_tu%uPDuv2AiS(*x*oP-!+r``0&i@04(1tKQ{XeX!a$zJ0KXDKQ$A3#{Ull%V6
z*<)X(SW={V8rwSSB1?(6qw&0<m;Pn?j9iv?;@X;eno8JGR{7)?{>v}d;TTD3Q0Vc?
z)h$pq@Tv!y&p1v#AVL^<>k}l$cYI$ZfMVQGyiu@*9sC2<{!1s|*V&t$k;w~B3TsJJ
zzQ<Ug_@smp<iS=L71kUkZOE$l$p?AWVVDdW_3>B&JXRIO)c?g1(u@r4w1@JiM_^SM
zn5UXEJl<2q(*NKn8A0M7<<I1Wp9*tENpB@ZQHOqRHpaPq$a(TUl17AV^Ar0>POS;O
z)T+2VZ=oNOL$GJewoR|%cRz#)t|V6pqS!NBhQhV`;inw--nJikVY%=whV}FmzlI{h
zqjtlF^K>VPA$_YpyT$GAp_cV~D8Ym=##2kL?I=_5E)q!keB)Q2XY3O0%p4^{rTvxD
z*1Yj1vV({*!FRn+vVCV3WGg9o9E!pksd!s9lR;E-^X{TEylOMqP(#<aps{^y&9byG
z_cY!zOw@<#>XJX@)7mV}1<gc=L{Fdm;r|i|csh~-hI>R}$}pu!Q7F3G6Dx7}KazM=
zeL902fBIDseBu;l)$v2s26cHVM;hs2vgK3L6>c}tjXse>l(GxnON~tMA~;KUu$eNn
z`#Xc9{}=qy6wTUTuo6-n60d15F6}|HetVY$ks)L9rt;@^Ar#(&{;RnJ;Q?lLFm&#b
zp+u|&y#IZOZQ9F9dM}vTU>N)f?XP<PTU+kDKm2*&10lAf2P!GPXlvt+c$9I%b(q>(
zFAZ<+F}1C|hWKr72vgetCDK1lZD}_E-?~A@kkBuk1RM$2y_`MzE9DUVtC-sO?(blW
z6YB{N`X1$MTI4CG$GCb(7%)$NPeO4^!E3*c8RjW~0>o7bYC%7>)Ski7wF>d>R>7uR
zFz(3=@S}v`tz)5*fhelW@YePiSweDte|(>xJtmyK<TqS5@<?O(T{<k?*0!T7bOQ}%
z<UZP$wfhZI$mjYU@<p%jbk*h<FSBV0nT!{W9NH@+lismtOjq?6EoWr|X|7wO^OZUq
zHkx<opIbs{vc#o^w4v5Vo@FgH2I!-u(X`mI$rfk3=2c(_(P1RX&&;#sou)1owvP;1
z+C{b@)>SCQBWtRugY{FBpV@>2l4-Hm`{us3+Qt&?%htQP#bg7StoclK7*q7`>5bB1
z<569E^S6e_)|bTIfd?GGscEsw;(?!)SLH|^RY3xI^);Dd!3^d{ugVd8?-e<WpE*SW
z@r+Q3_<-dsj32lxhj6h>;R&B5m+@6BKzQyg<|q6O#VeFwzl?u`w!@3Bg3*gLB9seN
z4bKr&L?T<v^r27>gZWFB5M_BJV3-SoiLSjSgbVv136*<lxzMR~ni=A86)u!wT=H5X
zl8U(^GKD2iO5oojDSq{u97?c-XwG4j3*=LNL@6g#%V9)`Dy(auIDdLc1j^Thav0A-
zxiFN`)`rKLOb*jn(=d_a|I2PkvxsN@h~~<!mYeYo*HDtgND{{TN0AT?qg5zhj>2#l
zqk@Ss1(^-6gUn!Q3MS~LR1VV;fL}D(9JVCouTU<GM^XsCijWAT*~Eoyh&EFSFRVc{
z*piJ1!u~^p@F!YpKAHj6olq_;IkbrqRM>84V{>0o!$ZJfnL(!C;-@ghh_{p@(DpF0
z1QR6@VO7E5$6cb^guR5;g=l1RVIf&Q#lD$XKgBQDEP};fq02KI6Nzo9W-1p(hULFF
z!o)8W<sb=No)q1Uc(ueYVFg%T5#5&8k0Ooucu@k}D1=bCXoc&Ms4-+OdpUOII5f8e
zQTg3Va)`pFNGFXnIQX{9Yc@IV)z>RVZ}2kd`{0B@1+H}%jN|8i)?dg2>rq2<>q`AB
zYl;4uZof5!cC-fQ7FizSl=w!=6x|g|mL<ge-29FCJ@cz{lsR92(Hw0ynyO9Zrp2_L
zX%IbZYOi;YQj;&eZM<VVLb-8;u~9Ke(X}IujLEu}jg1Vy88Qu@8#a))^*ePwhRGi^
z@pH<e(+RKgr_K27+B8zxzw)(}IJhZxrMy-y#i`c0IPJN)64D@ckXp@5{&^(`T<0=q
zARbX!DF$3mKe~xyj}^ur&Lbh%jRf<GTpGc}E`t{zAe3YG5X!M32<1&{<1eAl)4@vr
z3Jsnwo{ubV%!jZEEnFI~{3Qqav<}_OmwkkBn#WE4bn5cVm{2jmBl-9PNNB-i42t)J
z(7$?!OyeC6lCO9@(e_@4NS4x_ywN-|lb=G7c+z|n?#=lG<M|u8DUV)2&bfxseAv{b
zM4r_G5troBD1I}So~&_GjnvrQwT6M*w#`@%{ZdXhkvX^-;<{!e*3k_36vr!5u%Z~b
zw28OdQlU-EdbV3|eJC6`#p9GP3h%RqmL>6mYE07~I_N|)AvA0>w?|{4Y%x}urIm%U
zh97EgjO8ylhB8tz>HPN~{!q;34aO+pJj*11y9FIWTJ>wUfrD{_^|4gRP*o?y`dAW)
z_3`frI+TcQB_A3|bG$p1coK3g3!g>OrKBLI%Pd|PCD!)3#cE2fJ8K#T(GQ5&XYy}@
zXpWzCv=X2f78VyxNho}RLcw1Nrf-tCOSh--I?YhG<WWji-Nh2<=408gz?z%W?j*R?
z>R-Xp6Ln)Fm2fEt=khicG@>)CQllxwfu0qxs1ec+3!wRaQ${G+D_%kmMf7T2p``@S
zGAj9;ecGHCz9e*u+~G>Xt;G^pQvk;f6rijg?PsadRjMnz;Cz4&Nc)tT%%?P=xN=`t
zA?2E9fNC?<&{&^pdZ^b(Rtanv`KD>Bu0+37J4G;Vw4WN!8|Ui3lY8nyj0y4@!xPy;
zCK+~1Yr(CtYmU(sUgfk}>o5$ZnV2k6#j~_ptJ}OaXfR%8Z53;ejuxw!g35q-)L{^4
zbQ@@zz9s^<AH$c3CRC4&9u5n;KX>0u6SSJS0!ian5P`2rMVQL=@ckVW-|#b&Z)!~8
zHJa&;w0IBD;y?h6`_Kdo=1FNZwT2*L<^6w$if<7dmhKy9cRq0=QfZPz<9YE$YT&u)
zXuc~=0SIaa?|zNw!HQXfzwzKtZZ-HW4k5h=fy2Y;G?j0z_OQ5+HdH`QMnystO1jXc
z+@6N?Ts#{$vj+VMpL|o4@t<s*vyf=K^AmNIEY*Y3@W3irxKO{!`86`^1@28vE-FK)
z`~QJl1R_!*Kd_#r^%7j15NdjXi=!L$A{WO}p=)Ltqx%yo_6@qiyiT8B?ql}T?K7P-
z&81oTGt^{CGWZA%iLpemN9Yy98vPstZ&D$*c0UvGj+<Yz6V)5tiKe+}73fF3X0D54
zad4&R)HyudLOW|Uv-rF{;6{k9(zzbF=VfVVxw%#_PL^~A&qVG_6Uxtbrgm)&0YvPT
zXr6Mc{=aA*3;5T9yP9tUK_kWsW%$?&B~U_M1@%L+mWS^qg;M$XJ@_|B>@}@YuExu1
z-D3ICyvM|iAqJ*9rz7Nh`2a3{&DH#YDe-IHzE0V-w-D#|@t>G`>=v33V8z`&?(K!M
z)Tvd5qnEa3yT*6Uri+NMP4W(NXpYZlr=$#Re*|z{7{%Am0qxv=`A{S;c#UqXGqbK!
z<C>jBkZ|{&&;A>@CMkKegb1T0|0ECdTu7OcnV2w@?HX^?hmNxhe6(_iXHF4q$}jby
z`MxRBT_qDUkULSdasr>9k1K$MU6b$1r`dipUw*|^LIm{i`HRGeS)55nlFm+PB7c@i
zH+q*$^CYP3O!@9Cx{wHSCr`+xIld#Os_E1?`uXC{=$aeZbR3Dh_G1%pTE%SaKgCsF
zk)cvwP7~=~BFv!tlSEO^$^Tu?B-AtUvME%pCwMyiQj)0WBu}wC^%N`~KEEUCDJ-RY
zS4X9u6V>v$nJXZCCGt6K=txW2q33fwsrPS+RV^+Ssh3Rfr0&^{E7Qa;u{4bct155P
zmS(#sK5}!7?JetPmUqlEOg1dE@9Tb|ACi@Fb7&|=*>~n>r`1)27ldIygdyR^_D^_0
zIo;?BVX(Lw$0H2<`A+(QMHu`&#lu{hz@NQG&3<7{v#Y5PToDO_4yP+Op!R)t(P&H0
zb8+8!Vkw`icG13msZNutR*2<kGfc+`eBS%C35kZM0Q+^CU3=zWr|Y&iMSR_j*6%2U
z<F!q66v;fK^W#r8(M`2Vod!>mF6r3083RE$5O{|z%0STntL|G+_mH50rM%!>SKW30
zs{0Bo)54>`_phWmwZfeApVj5{R?+d6l->bho@!#DNZ?hglxixMx=CVida8La9*r~a
zZB$b@9dNgrtD4HSZqh%h8D)X&z6K?g1m5^*IDhgg-DncihlK0;yiWc5c-<-4I?ZWS
y9X>)C4QeW0{TM$g950SU;}z!tY@j`MK<ohKasj!R7$Te@>h15wC2jfZ;{OIa+&NAF

diff --git a/util/migrate/backfill_checksums.py b/util/migrate/backfill_checksums.py
new file mode 100644
index 000000000..42c1fed44
--- /dev/null
+++ b/util/migrate/backfill_checksums.py
@@ -0,0 +1,67 @@
+import logging
+from app import storage as store
+from data.database import ImageStorage, ImageStoragePlacement, ImageStorageLocation, JOIN_LEFT_OUTER
+from digest import checksums
+
+logger = logging.getLogger(__name__)
+
+def _get_imagestorages_with_locations(query_modifier):
+  query = (ImageStoragePlacement
+           .select(ImageStoragePlacement, ImageStorage, ImageStorageLocation)
+           .join(ImageStorageLocation)
+           .switch(ImageStoragePlacement)
+           .join(ImageStorage, JOIN_LEFT_OUTER))
+  query = query_modifier(query)
+
+  location_list = list(query)
+
+  storages = {}
+  for location in location_list:
+    storage = location.storage
+
+    if not storage.id in storages:
+      storages[storage.id] = storage
+      storage.locations = set()
+    else:
+      storage = storages[storage.id]
+
+    storage.locations.add(location.location.name)
+
+  return storages.values()
+
+def backfill_checksum(imagestorage_with_locations):
+  try:
+    json_data = store.get_content(imagestorage_with_locations.locations, store.image_json_path(imagestorage_with_locations.uuid))
+    with store.stream_read_file(imagestorage_with_locations.locations, store.image_layer_path(imagestorage_with_locations.uuid)) as fp:
+      imagestorage_with_locations.checksum = 'sha256:{0}'.format(checksums.sha256_file(fp, json_data + '\n'))
+      imagestorage_with_locations.save()
+  except IOError as e:
+    if str(e).startswith("No such key"):
+      imagestorage_with_locations.checksum = 'unknown:{0}'.format(imagestorage_with_locations.uuid)
+      imagestorage_with_locations.save()
+  except:
+    logger.exception('exception when backfilling checksum of %s', imagestorage_with_locations.uuid)
+
+def backfill_checksums():
+  logger.setLevel(logging.DEBUG)
+
+  logger.debug('backfill_checksums: Starting')
+  logger.debug('backfill_checksums: This can be a LONG RUNNING OPERATION. Please wait!')
+
+  def limit_to_empty_checksum(query):
+    return query.where(ImageStorage.checksum >> None, ImageStorage.uploading == False).limit(100)
+
+  while True:
+    storages = _get_imagestorages_with_locations(limit_to_empty_checksum)
+    if len(storages) == 0:
+      logger.debug('backfill_checksums: Completed')
+      return
+
+    for storage in storages:
+      backfill_checksum(storage)
+
+if __name__ == "__main__":
+  logging.basicConfig(level=logging.DEBUG)
+  logging.getLogger('peewee').setLevel(logging.CRITICAL)
+  logging.getLogger('boto').setLevel(logging.CRITICAL)
+  backfill_checksums()
diff --git a/util/migrate/backfill_parent_id.py b/util/migrate/backfill_parent_id.py
index 2a4e7b091..0d2540489 100644
--- a/util/migrate/backfill_parent_id.py
+++ b/util/migrate/backfill_parent_id.py
@@ -1,38 +1,46 @@
 import logging
-
-from data.database import Image, ImageStorage, db, db_for_update
+from data.database import Image, ImageStorage, db
 from app import app
-from util.migrate import yield_random_entries
-
 
 logger = logging.getLogger(__name__)
 
-
 def backfill_parent_id():
   logger.setLevel(logging.DEBUG)
 
   logger.debug('backfill_parent_id: Starting')
   logger.debug('backfill_parent_id: This can be a LONG RUNNING OPERATION. Please wait!')
 
-  def fetch_batch():
-    return (Image
-            .select(Image.id, Image.ancestors)
-            .join(ImageStorage)
-            .where(Image.parent >> None, Image.ancestors != '/',
-                   ImageStorage.uploading == False))
+  # Check for any images without parent
+  has_images = bool(list(Image
+                         .select(Image.id)
+                         .join(ImageStorage)
+                         .where(Image.parent >> None, Image.ancestors != '/', ImageStorage.uploading == False)
+                         .limit(1)))
 
-  for to_backfill in yield_random_entries(fetch_batch, 10000, 0.3):
-    with app.config['DB_TRANSACTION_FACTORY'](db):
-      try:
-        image = db_for_update(Image
-                              .select()
-                              .where(Image.id == to_backfill.id)).get()
-        image.parent = to_backfill.ancestors.split('/')[-2]
-        image.save()
-      except Image.DoesNotExist:
-        pass
+  if not has_images:
+    logger.debug('backfill_parent_id: No migration needed')
+    return
 
-  logger.debug('backfill_parent_id: Completed')
+  while True:
+    # Load the record from the DB.
+    batch_images_ids = list(Image
+                            .select(Image.id)
+                            .join(ImageStorage)
+                            .where(Image.parent >> None, Image.ancestors != '/', ImageStorage.uploading == False)
+                            .limit(100))
+
+    if len(batch_images_ids) == 0:
+      logger.debug('backfill_parent_id: Completed')
+      return
+
+    for image_id in batch_images_ids:
+      with app.config['DB_TRANSACTION_FACTORY'](db):
+        try:
+          image = Image.select(Image.id, Image.ancestors).where(Image.id == image_id).get()
+          image.parent = image.ancestors.split('/')[-2]
+          image.save()
+        except Image.DoesNotExist:
+          pass
 
 if __name__ == "__main__":
   logging.basicConfig(level=logging.DEBUG)
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 81402cd07..29fdd3dcf 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -33,6 +33,7 @@ def _get_image_to_export(version):
 
   images = (Image
     .select(candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum)
+    .distinct()
     .from_(candidates)
     .order_by(db_random_func())
     .tuples()
@@ -54,13 +55,14 @@ def _get_image_to_export(version):
 
   images = (Image
     .select(candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum, candidates.c.parent_docker_image_id, candidates.c.parent_storage_uuid)
+    .distinct()
     .from_(candidates)
     .order_by(db_random_func())
     .tuples()
     .limit(BATCH_SIZE))
 
   for image in images:
-    rimages.append({'docker_image_id': image[0], 'storage_uuid': image[1], 'storage_checksum': image[2], 'parent_docker_image_id': image[3], 'parent_storage_uuid': image[4]})
+    rimages.append({'docker_image_id': image[0], 'storage_uuid': image[1], 'storage_checksum': image[2], 'parent_docker_image_id': None, 'parent_storage_uuid': None})
 
   # Re-shuffle, otherwise the images without parents will always be on the top
   random.shuffle(rimages)
@@ -164,8 +166,7 @@ class SecurityWorker(Worker):
             'TarSum': img['storage_checksum'],
             'Path': uri
           }
-
-          if img['parent_docker_image_id'] is not None and img['parent_storage_uuid'] is not None:
+          if img['parent_docker_image_id'] is not None:
             request['ParentID'] = img['parent_docker_image_id']+'.'+img['parent_storage_uuid']
 
           # Post request

From d7ace69fe3957a49e319708f3a2f10d2e2db5e24 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 13 Oct 2015 18:14:52 -0400
Subject: [PATCH 02/36] Add a vulnerability_found event for notice when we
 detect a vuln

Fixes #637

Note: This PR does *not* actually raise the event; it merely adds support for it
---
 .../versions/50925110da8c_add_event_specific_config.py          | 1 -
 initdb.py                                                       | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/data/migrations/versions/50925110da8c_add_event_specific_config.py b/data/migrations/versions/50925110da8c_add_event_specific_config.py
index 4a7672b70..8b67fe51a 100644
--- a/data/migrations/versions/50925110da8c_add_event_specific_config.py
+++ b/data/migrations/versions/50925110da8c_add_event_specific_config.py
@@ -14,7 +14,6 @@ from alembic import op
 import sqlalchemy as sa
 from util.migrate import UTF8LongText
 
-
 def upgrade(tables):
     ### commands auto generated by Alembic - please adjust! ###
     op.add_column('repositorynotification', sa.Column('event_config_json', UTF8LongText, nullable=False))
diff --git a/initdb.py b/initdb.py
index 8b095b002..bc474fd03 100644
--- a/initdb.py
+++ b/initdb.py
@@ -95,7 +95,7 @@ def __create_subtree(repo, structure, creator_username, parent, tag_map):
       for path_builder in paths:
         path = path_builder(new_image.storage.uuid)
         store.put_content('local_us', path, checksum)
-    
+
     new_image.security_indexed = False
     new_image.security_indexed_engine = maxsize
     new_image.save()

From 87c56d1caa4c3271a9c3774479c92aa6f0d09a53 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 23 Oct 2015 15:20:28 -0400
Subject: [PATCH 03/36] Add vulnerabilities and packages API to Quay

Fixes #564
---
 endpoints/api/sec.py      | 111 ++++++++++++++++++++++++++++++++++++++
 test/test_api_security.py |   1 -
 2 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 endpoints/api/sec.py

diff --git a/endpoints/api/sec.py b/endpoints/api/sec.py
new file mode 100644
index 000000000..e4e571414
--- /dev/null
+++ b/endpoints/api/sec.py
@@ -0,0 +1,111 @@
+""" List and manage repository vulnerabilities and other sec information. """
+
+import logging
+import features
+import requests
+import json
+
+from urlparse import urljoin
+from app import app
+from data import model
+from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
+                           RepositoryParamResource, resource, nickname, show_if, parse_args,
+                           query_param)
+
+
+logger = logging.getLogger(__name__)
+
+def _call_security_api(relative_url, *args, **kwargs):
+  """ Issues an HTTP call to the sec API at the given relative URL. """
+  url = urljoin(app.config['SECURITY_SCANNER']['ENDPOINT'], relative_url % args)
+
+  client = app.config['HTTPCLIENT']
+  timeout = app.config['SECURITY_SCANNER'].get('API_CALL_TIMEOUT', 1)
+
+  logger.debug('Looking up sec information: %s', url)
+
+  try:
+    response = client.get(url, params=kwargs, timeout=timeout)
+  except requests.exceptions.Timeout:
+    raise DownstreamIssue(payload=dict(message='API call timed out'))
+  except requests.exceptions.ConnectionError:
+    raise DownstreamIssue(payload=dict(message='Could not connect to downstream service'))
+
+  if response.status_code == 404:
+    raise NotFound()
+
+  try:
+    response_data = json.loads(response.text)
+  except ValueError:
+    raise DownstreamIssue(payload=dict(message='Non-json response from downstream service'))
+
+  if response.status_code / 100 != 2:
+    logger.warning('Got %s status code to call %s: %s', response.status_code, url,
+                   response.text)
+    raise DownstreamIssue(payload=dict(message=response_data['Message']))
+
+  return response_data
+
+
+@show_if(features.SECURITY_SCANNER)
+@resource('/v1/repository/<repopath:repository>/tag/<tag>/vulnerabilities')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('tag', 'The name of the tag')
+class RepositoryTagVulnerabilities(RepositoryParamResource):
+  """ Operations for managing the vulnerabilities in a repository tag. """
+
+  @require_repo_read
+  @nickname('getRepoTagVulnerabilities')
+  @parse_args
+  @query_param('minimumPriority', 'Minimum vulnerability priority', type=str,
+               default='Low')
+  def get(self, args, namespace, repository, tag):
+    """ Fetches the vulnerabilities (if any) for a repository tag. """
+    try:
+      tag_image = model.tag.get_tag_image(namespace, repository, tag)
+    except model.DataModelException:
+      raise NotFound()
+
+    if not tag_image.security_indexed:
+      logger.debug('Image %s for tag %s under repository %s/%s not security indexed',
+                   tag_image.docker_image_id, tag, namespace, repository)
+      return {
+        'security_indexed': False
+      }
+
+    data = _call_security_api('/layers/%s/vulnerabilities', tag_image.docker_image_id,
+                              minimumPriority=args.minimumPriority)
+
+    return {
+      'security_indexed': True,
+      'data': data,
+    }
+
+
+@show_if(features.SECURITY_SCANNER)
+@resource('/v1/repository/<repopath:repository>/image/<imageid>/packages')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('imageid', 'The image ID')
+class RepositoryImagePackages(RepositoryParamResource):
+  """ Operations for listing the packages added/removed in an image. """
+
+  @require_repo_read
+  @nickname('getRepoImagePackages')
+  def get(self, namespace, repository, imageid):
+    """ Fetches the packages added/removed in the given repo image. """
+    repo_image = model.image.get_repo_image(namespace, repository, imageid)
+    if repo_image is None:
+      raise NotFound()
+
+    if not repo_image.security_indexed:
+      return {
+        'security_indexed': False
+      }
+
+    data = _call_security_api('/layers/%s/packages', repo_image.docker_image_id)
+
+    return {
+      'security_indexed': True,
+      'data': data,
+    }
+
diff --git a/test/test_api_security.py b/test/test_api_security.py
index 11b33f71a..290008f2b 100644
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@@ -49,7 +49,6 @@ from endpoints.api.superuser import (SuperUserLogs, SuperUserList, SuperUserMana
                                      SuperUserSendRecoveryEmail, ChangeLog,
                                      SuperUserOrganizationManagement, SuperUserOrganizationList,
                                      SuperUserAggregateLogs)
-
 from endpoints.api.secscan import RepositoryImagePackages, RepositoryTagVulnerabilities
 
 

From fb3d0fa27dd9d204da9bf4891439cf1555a0b009 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 26 Oct 2015 15:13:58 -0400
Subject: [PATCH 04/36] Add a SecEndpoint class and move all the cert and
 config handling in there

---
 endpoints/api/sec.py    | 22 ++++++------------
 util/sec/__init__.py    |  0
 util/sec/secendpoint.py | 51 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 15 deletions(-)
 create mode 100644 util/sec/__init__.py
 create mode 100644 util/sec/secendpoint.py

diff --git a/endpoints/api/sec.py b/endpoints/api/sec.py
index e4e571414..e4550f488 100644
--- a/endpoints/api/sec.py
+++ b/endpoints/api/sec.py
@@ -2,11 +2,10 @@
 
 import logging
 import features
-import requests
 import json
+import requests
 
-from urlparse import urljoin
-from app import app
+from app import sec_endpoint
 from data import model
 from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
                            RepositoryParamResource, resource, nickname, show_if, parse_args,
@@ -15,17 +14,11 @@ from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_pa
 
 logger = logging.getLogger(__name__)
 
+
 def _call_security_api(relative_url, *args, **kwargs):
   """ Issues an HTTP call to the sec API at the given relative URL. """
-  url = urljoin(app.config['SECURITY_SCANNER']['ENDPOINT'], relative_url % args)
-
-  client = app.config['HTTPCLIENT']
-  timeout = app.config['SECURITY_SCANNER'].get('API_CALL_TIMEOUT', 1)
-
-  logger.debug('Looking up sec information: %s', url)
-
   try:
-    response = client.get(url, params=kwargs, timeout=timeout)
+    response = sec_endpoint.call_api(relative_url, *args, **kwargs)
   except requests.exceptions.Timeout:
     raise DownstreamIssue(payload=dict(message='API call timed out'))
   except requests.exceptions.ConnectionError:
@@ -40,8 +33,7 @@ def _call_security_api(relative_url, *args, **kwargs):
     raise DownstreamIssue(payload=dict(message='Non-json response from downstream service'))
 
   if response.status_code / 100 != 2:
-    logger.warning('Got %s status code to call %s: %s', response.status_code, url,
-                   response.text)
+    logger.warning('Got %s status code to call: %s', response.status_code, response.text)
     raise DownstreamIssue(payload=dict(message=response_data['Message']))
 
   return response_data
@@ -73,7 +65,7 @@ class RepositoryTagVulnerabilities(RepositoryParamResource):
         'security_indexed': False
       }
 
-    data = _call_security_api('/layers/%s/vulnerabilities', tag_image.docker_image_id,
+    data = _call_security_api('layers/%s/vulnerabilities', tag_image.docker_image_id,
                               minimumPriority=args.minimumPriority)
 
     return {
@@ -102,7 +94,7 @@ class RepositoryImagePackages(RepositoryParamResource):
         'security_indexed': False
       }
 
-    data = _call_security_api('/layers/%s/packages', repo_image.docker_image_id)
+    data = _call_security_api('layers/%s/packages/diff', repo_image.docker_image_id)
 
     return {
       'security_indexed': True,
diff --git a/util/sec/__init__.py b/util/sec/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/util/sec/secendpoint.py b/util/sec/secendpoint.py
new file mode 100644
index 000000000..9e9e57413
--- /dev/null
+++ b/util/sec/secendpoint.py
@@ -0,0 +1,51 @@
+import features
+import logging
+import requests
+import json
+
+from urlparse import urljoin
+
+logger = logging.getLogger(__name__)
+
+class SecEndpoint(object):
+  """ Helper class for talking to the Sec API. """
+  def __init__(self, app, config_provider):
+    self.app = app
+    self.config_provider = config_provider
+
+    if not features.SECURITY_SCANNER:
+      return
+
+    self.security_config = app.config['SECURITY_SCANNER']
+
+    self.certificate = self._getfilepath('CA_CERTIFICATE_FILENAME') or False
+    self.public_key = self._getfilepath('PUBLIC_KEY_FILENAME')
+    self.private_key = self._getfilepath('PRIVATE_KEY_FILENAME')
+
+    if self.public_key and self.private_key:
+      self.keys = (self.public_key, self.private_key)
+    else:
+      self.keys = None
+
+  def _getfilepath(self, config_key):
+    security_config = self.security_config
+
+    if config_key in security_config:
+      with self.config_provider.get_volume_file(security_config[config_key]) as f:
+        return f.name
+
+    return None
+
+  def call_api(self, relative_url, *args, **kwargs):
+    """ Issues an HTTP call to the sec API at the given relative URL. """
+    security_config = self.security_config
+    api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
+    url = urljoin(api_url, relative_url % args)
+
+    client = self.app.config['HTTPCLIENT']
+    timeout = security_config.get('API_CALL_TIMEOUT', 1)
+    logger.debug('Looking up sec information: %s', url)
+
+    return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
+                      verify=self.certificate)
+

From 407eaae137ec4ccf4819d8faa1c81690c19fb546 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 27 Oct 2015 17:38:48 -0400
Subject: [PATCH 05/36] WIP: Towards sec demo

---
 data/model/image.py       | 13 ++++++
 data/model/tag.py         | 10 ++++
 endpoints/sec.py          | 55 ++++++++++++++++++++++
 web.py                    |  2 +
 workers/securityworker.py | 96 +++++++++++++++++++++++++++++++++------
 workers/worker.py         |  2 +-
 6 files changed, 164 insertions(+), 14 deletions(-)
 create mode 100644 endpoints/sec.py

diff --git a/data/model/image.py b/data/model/image.py
index 7b673ee2f..207887235 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -12,6 +12,19 @@ from data.database import (Image, Repository, ImageStoragePlacement, Namespace,
 logger = logging.getLogger(__name__)
 
 
+def get_repository_images_recursive(docker_image_ids):
+  """ Returns a query matching the given docker image IDs, along with any which have the image IDs
+      as parents.
+
+      Note: This is a DB intensive operation and should be used sparingly.
+  """
+  inner_images = Image.select('%/' + Image.id + '/%').where(Image.docker_image_id << docker_image_ids)
+
+  images = Image.select(Image.id).where(Image.docker_image_id << docker_image_ids)
+  recursive_images = Image.select(Image.id).where(Image.ancestors ** inner_images)
+  return recursive_images | images
+
+
 def get_parent_images(namespace_name, repository_name, image_obj):
   """ Returns a list of parent Image objects in chronilogical order. """
   parents = image_obj.ancestors
diff --git a/data/model/tag.py b/data/model/tag.py
index cf6ddf3c6..535d6c533 100644
--- a/data/model/tag.py
+++ b/data/model/tag.py
@@ -12,6 +12,16 @@ def _tag_alive(query, now_ts=None):
                      (RepositoryTag.lifetime_end_ts > now_ts))
 
 
+def get_matching_tags(docker_image_ids, *args):
+  """ Returns a query pointing to all tags that contain the given image(s). """
+  return (RepositoryTag
+            .select(*args)
+            .distinct()
+            .join(Image)
+            .where(Image.id << image.get_repository_images_recursive(docker_image_ids),
+                   RepositoryTag.lifetime_end_ts >> None))
+
+
 def list_repository_tags(namespace_name, repository_name, include_hidden=False,
                          include_storage=False):
   to_select = (RepositoryTag, Image)
diff --git a/endpoints/sec.py b/endpoints/sec.py
new file mode 100644
index 000000000..c8b0e342b
--- /dev/null
+++ b/endpoints/sec.py
@@ -0,0 +1,55 @@
+import logging
+
+from flask import request, make_response, Blueprint
+from data import model
+from data.database import RepositoryNotification, Repository, ExternalNotificationEvent, RepositoryTag, Image
+from endpoints.notificationhelper import spawn_notification
+from collections import defaultdict
+
+logger = logging.getLogger(__name__)
+
+sec = Blueprint('sec', __name__)
+
+@sec.route('/notification', methods=['POST'])
+def sec_notification():
+  data = request.get_json()
+  print data
+
+  # Find all tags that contain the layer(s) introducing the vulnerability.
+  # TODO: remove this check once fixed.
+  if not 'IntroducingLayersIDs' in data['Content']:
+    return make_response('Okay')
+
+  layer_ids = data['Content']['IntroducingLayersIDs']
+  tags = model.tag.get_matching_tags(layer_ids, RepositoryTag, Repository, Image)
+
+  # For any repository that has a notification setup, issue a notification.
+  event = ExternalNotificationEvent.get(name='vulnerability_found')
+
+  matching = (tags.switch(RepositoryTag)
+    .join(Repository)
+    .join(RepositoryNotification)
+    .where(RepositoryNotification.event == event))
+
+  repository_map = defaultdict(list)
+
+  for tag in matching:
+    repository_map[tag.repository_id].append(tag)
+
+  for repository_id in repository_map:
+    tags = repository_map[repository_id]
+
+    # TODO(jschorr): Pull out the other metadata once added.
+    event_data = {
+      'tags': [tag.name for tag in tags],
+      'vulnerability': {
+        'id': data['Name'],
+        'description': 'Some description',
+        'link': 'https://security-tracker.debian.org/tracker/CVE-FAKE-CVE',
+        'priority': 'Medium',
+      },
+    }
+
+    spawn_notification(tags[0].repository, 'vulnerability_found', event_data)
+
+  return make_response('Okay')
diff --git a/web.py b/web.py
index 96457d5c9..5430e7b93 100644
--- a/web.py
+++ b/web.py
@@ -11,6 +11,7 @@ from endpoints.oauthlogin import oauthlogin
 from endpoints.githubtrigger import githubtrigger
 from endpoints.gitlabtrigger import gitlabtrigger
 from endpoints.bitbuckettrigger import bitbuckettrigger
+from endpoints.sec import sec
 
 if os.environ.get('DEBUGLOG') == 'true':
   logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
@@ -23,3 +24,4 @@ application.register_blueprint(bitbuckettrigger, url_prefix='/oauth1')
 application.register_blueprint(api_bp, url_prefix='/api')
 application.register_blueprint(webhooks, url_prefix='/webhooks')
 application.register_blueprint(realtime, url_prefix='/realtime')
+application.register_blueprint(sec, url_prefix='/sec')
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 29fdd3dcf..c6a940b4a 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -1,22 +1,29 @@
 import logging
+import logging.config
+
 import requests
 import features
 import time
 import os
 import random
+import json
 
+from endpoints.notificationhelper import spawn_notification
+from collections import defaultdict
 from sys import exc_info
 from peewee import JOIN_LEFT_OUTER
-from app import app, storage, OVERRIDE_CONFIG_DIRECTORY
+from app import app, storage, OVERRIDE_CONFIG_DIRECTORY, sec_endpoint
 from workers.worker import Worker
-from data.database import Image, ImageStorage, ImageStorageLocation, ImageStoragePlacement, db_random_func, UseThenDisconnect
+from data.database import (Image, ImageStorage, ImageStorageLocation, ImageStoragePlacement,
+                           db_random_func, UseThenDisconnect, RepositoryTag, Repository,
+                           ExternalNotificationEvent, RepositoryNotification)
 
 logger = logging.getLogger(__name__)
 
 BATCH_SIZE = 20
 INDEXING_INTERVAL = 10
-API_METHOD_INSERT = '/layers'
-API_METHOD_VERSION = '/versions/engine'
+API_METHOD_INSERT = '/v1/layers'
+API_METHOD_VERSION = '/v1/versions/engine'
 
 def _get_image_to_export(version):
   Parent = Image.alias()
@@ -25,14 +32,14 @@ def _get_image_to_export(version):
 
   # Without parent
   candidates = (Image
-    .select(Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum)
+    .select(Image.id, Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum)
     .join(ImageStorage)
     .where(Image.security_indexed_engine < version, Image.parent >> None, ImageStorage.uploading == False, ImageStorage.checksum != '')
     .limit(BATCH_SIZE*10)
     .alias('candidates'))
 
   images = (Image
-    .select(candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum)
+    .select(candidates.c.id, candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum)
     .distinct()
     .from_(candidates)
     .order_by(db_random_func())
@@ -40,11 +47,11 @@ def _get_image_to_export(version):
     .limit(BATCH_SIZE))
 
   for image in images:
-    rimages.append({'docker_image_id': image[0], 'storage_uuid': image[1], 'storage_checksum': image[2], 'parent_docker_image_id': None, 'parent_storage_uuid': None})
+    rimages.append({'image_id': image[0], 'docker_image_id': image[1], 'storage_uuid': image[2], 'storage_checksum': image[3], 'parent_docker_image_id': None, 'parent_storage_uuid': None})
 
   # With analyzed parent
   candidates = (Image
-      .select(Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum, Parent.docker_image_id.alias('parent_docker_image_id'), ParentImageStorage.uuid.alias('parent_storage_uuid'))
+      .select(Image.id, Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum, Parent.docker_image_id.alias('parent_docker_image_id'), ParentImageStorage.uuid.alias('parent_storage_uuid'))
       .join(Parent, on=(Image.parent == Parent.id))
       .join(ParentImageStorage, on=(ParentImageStorage.id == Parent.storage))
       .switch(Image)
@@ -54,7 +61,7 @@ def _get_image_to_export(version):
       .alias('candidates'))
 
   images = (Image
-    .select(candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum, candidates.c.parent_docker_image_id, candidates.c.parent_storage_uuid)
+    .select(candidates.c.id, candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum, candidates.c.parent_docker_image_id, candidates.c.parent_storage_uuid)
     .distinct()
     .from_(candidates)
     .order_by(db_random_func())
@@ -62,7 +69,7 @@ def _get_image_to_export(version):
     .limit(BATCH_SIZE))
 
   for image in images:
-    rimages.append({'docker_image_id': image[0], 'storage_uuid': image[1], 'storage_checksum': image[2], 'parent_docker_image_id': None, 'parent_storage_uuid': None})
+    rimages.append({'image_id': image[0], 'docker_image_id': image[1], 'storage_uuid': image[2], 'storage_checksum': image[3], 'parent_docker_image_id': image[4], 'parent_storage_uuid': image[5]})
 
   # Re-shuffle, otherwise the images without parents will always be on the top
   random.shuffle(rimages)
@@ -134,15 +141,24 @@ class SecurityWorker(Worker):
     return True
 
   def _index_images(self):
+    logger.debug('Starting indexing')
+
     with UseThenDisconnect(app.config):
       while True:
+        logger.debug('Looking up images to index')
+
         # Get images to analyze
         try:
           images = _get_image_to_export(self._target_version)
+          if not images:
+            logger.debug('No more image to analyze')
+            return
+
         except Image.DoesNotExist:
           logger.debug('No more image to analyze')
           return
 
+        logger.debug('Found images to index: %s', images)
         for img in images:
           # Get layer storage URL
           path = storage.image_layer_path(img['storage_uuid'])
@@ -191,6 +207,62 @@ class SecurityWorker(Worker):
               logger.warning('An engine runs on version %d but the target version is %d')
             _update_image(img, True, api_version)
             logger.info('Layer ID %s : analyzed successfully', request['ID'])
+
+
+            # TODO(jschorr): Put this in a proper place, properly comment, unify with the
+            # callback code, etc.
+            try:
+              logger.debug('Loading vulnerabilities for layer %s', img['image_id'])
+              response = sec_endpoint.call_api('layers/%s/vulnerabilities', request['ID'])
+            except requests.exceptions.Timeout:
+              logger.debug('Timeout when calling Sec')
+              continue
+            except requests.exceptions.ConnectionError:
+              logger.debug('Connection error when calling Sec')
+              continue
+
+            logger.debug('Got response %s for vulnerabilities for layer %s', response.status_code, img['image_id'])
+
+            if response.status_code == 404:
+              continue
+
+            sec_data = json.loads(response.text)
+            logger.debug('Got response vulnerabilities for layer %s: %s', img['image_id'], sec_data)
+
+            if not sec_data['Vulnerabilities']:
+              continue
+
+            event = ExternalNotificationEvent.get(name='vulnerability_found')
+            matching = (RepositoryTag
+              .select(RepositoryTag, Repository)
+              .distinct()
+              .where(RepositoryTag.image_id == img['id'])
+              .join(Repository)
+              .join(RepositoryNotification)
+              .where(RepositoryNotification.event == event))
+
+            repository_map = defaultdict(list)
+
+            for tag in matching:
+              repository_map[tag.repository_id].append(tag)
+
+            for repository_id in repository_map:
+              tags = repository_map[repository_id]
+
+              for vuln in sec_data['Vulnerabilities']:
+                event_data = {
+                  'tags': [tag.name for tag in tags],
+                  'vulnerability': {
+                    'id': vuln['ID'],
+                    'description': vuln['Description'],
+                    'link': vuln['Link'],
+                    'priority': vuln['Priority'],
+                  },
+                }
+
+                spawn_notification(tags[0].repository, 'vulnerability_found', event_data)
+
+
           else:
             if 'Message' in jsonResponse:
               if 'OS and/or package manager are not supported' in jsonResponse['Message']:
@@ -206,13 +278,11 @@ class SecurityWorker(Worker):
               return
 
 if __name__ == '__main__':
-  logging.getLogger('requests').setLevel(logging.WARNING)
-  logging.getLogger('apscheduler').setLevel(logging.CRITICAL)
-
   if not features.SECURITY_SCANNER:
     logger.debug('Security scanner disabled; skipping')
     while True:
       time.sleep(100000)
 
+  logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
   worker = SecurityWorker()
   worker.start()
diff --git a/workers/worker.py b/workers/worker.py
index a9ea5d219..47dcaf9ef 100644
--- a/workers/worker.py
+++ b/workers/worker.py
@@ -61,7 +61,7 @@ class Worker(object):
       pass
 
   def start(self):
-    logging.config.fileConfig('conf/logging.conf', disable_existing_loggers=False)
+    logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
 
     if not app.config.get('SETUP_COMPLETE', False):
       logger.info('Product setup is not yet complete; skipping worker startup')

From 7fa4fe08e7028cce3d673c591b3aae5aa6f5bdbe Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 28 Oct 2015 14:33:29 -0400
Subject: [PATCH 06/36] Fix worker

---
 workers/securityworker.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/workers/securityworker.py b/workers/securityworker.py
index c6a940b4a..f3c2cd5b0 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -222,7 +222,6 @@ class SecurityWorker(Worker):
               continue
 
             logger.debug('Got response %s for vulnerabilities for layer %s', response.status_code, img['image_id'])
-
             if response.status_code == 404:
               continue
 
@@ -236,10 +235,10 @@ class SecurityWorker(Worker):
             matching = (RepositoryTag
               .select(RepositoryTag, Repository)
               .distinct()
-              .where(RepositoryTag.image_id == img['id'])
               .join(Repository)
               .join(RepositoryNotification)
-              .where(RepositoryNotification.event == event))
+              .where(RepositoryNotification.event == event,
+                     RepositoryTag.image == img['image_id']))
 
             repository_map = defaultdict(list)
 

From 75dfec7875a82378f2e0a8d20afeba87007a46e5 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 28 Oct 2015 14:33:41 -0400
Subject: [PATCH 07/36] Fix endpoint

---
 config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config.py b/config.py
index 40d685706..3e03b951b 100644
--- a/config.py
+++ b/config.py
@@ -254,7 +254,7 @@ class DefaultConfig(object):
   # Security scanner
   FEATURE_SECURITY_SCANNER = False
   SECURITY_SCANNER = {
-    'ENDPOINT': 'http://192.168.99.100:6060',
+    'ENDPOINT': 'http://192.168.99.101:6060',
     'ENGINE_VERSION_TARGET': 1,
     'API_VERSION': 'v1',
     'API_TIMEOUT_SECONDS': 10,

From 8c144397e920cfc51a53700e6db6b64f4b521077 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 28 Oct 2015 15:38:55 -0400
Subject: [PATCH 08/36] WIP: UI for QuaySec

---
 .../directives/repo-view/repo-panel-tags.css  | 36 +++++++++++++
 .../directives/repo-view/repo-panel-tags.html | 42 ++++++++++++++++
 .../directives/repo-view/repo-panel-tags.js   | 50 ++++++++++++++++++-
 static/js/pages/image-view.js                 | 13 +++++
 static/partials/image-view.html               | 37 ++++++++++++++
 5 files changed, 177 insertions(+), 1 deletion(-)

diff --git a/static/css/directives/repo-view/repo-panel-tags.css b/static/css/directives/repo-view/repo-panel-tags.css
index 267daf9e9..fe9a60385 100644
--- a/static/css/directives/repo-view/repo-panel-tags.css
+++ b/static/css/directives/repo-view/repo-panel-tags.css
@@ -85,6 +85,42 @@
   margin-right: 2px;
 }
 
+.repo-panel-tags-element .fa-flag {
+  cursor: pointer;
+}
+
+.repo-panel-tags-element .vuln-name {
+
+}
+
+.repo-panel-tags-element .vuln-description {
+  color: #ccc;
+  font-size: 10px;
+}
+
+.repo-panel-tags-element .fa-flag.None {
+  color: #00CA00;
+}
+
+.repo-panel-tags-element .fa-flag.Medium {
+  color: orange;
+}
+
+.repo-panel-tags-element .fa-flag.High {
+  color: red;
+}
+
+@keyframes flickerAnimation { /* flame pulses */
+  0%   { opacity:1; }
+  50%  { opacity:0; }
+  100% { opacity:1; }
+}
+
+.repo-panel-tags-element .fa-flag.Critical {
+  color: red;
+   opacity:1;
+    animation: flickerAnimation 1s infinite;
+}
 
 @media (max-width: 767px) {
   .repo-panel-tags-element .tag-span {
diff --git a/static/directives/repo-view/repo-panel-tags.html b/static/directives/repo-view/repo-panel-tags.html
index 420f95f60..f5690d29b 100644
--- a/static/directives/repo-view/repo-panel-tags.html
+++ b/static/directives/repo-view/repo-panel-tags.html
@@ -86,6 +86,12 @@
           style="min-width: 62px;">
         <a href="javascript:void(0)" ng-click="orderBy('size')">Size</a>
       </td>
+      <td ng-class="tablePredicateClass('vuln_level', options.predicate, options.reverse)"
+          style="width: 60px;">
+        <a href="javascript:void(0)" ng-click="orderBy('vuln_level')">
+          <i class="fa fa-flag"></i>
+        </a>
+      </td>
       <td class="hidden-xs"
           ng-class="tablePredicateClass('image_id', options.predicate, options.reverse)"
           colspan="{{ imageTracks.length + 1 }}"
@@ -108,6 +114,42 @@
         <span bo-if="!tag.last_modified">Unknown</span>
       </td>
       <td class="hidden-xs" bo-text="tag.size | bytes"></td>
+      <td>
+        <span class="cor-loader-inline" ng-if="getTagVulnerabilities(tag).loading"></span>
+        <span ng-if="!getTagVulnerabilities(tag).loading">
+          <i class="fa fa-flag-o" ng-if="!getTagVulnerabilities(tag).indexed"
+             data-title="Image is currently being checked for vulnerabilities"
+             bs-tooltip>
+          </i>
+          <i class="fa fa-flag None"
+             ng-if="getTagVulnerabilities(tag).indexed && !getTagVulnerabilities(tag).hasVulnerabilities"
+             data-title="Image has no vulnerabilities"
+             bs-tooltip>
+          </i>
+          <div class="dropdown" style="text-align: left;"
+               ng-if="getTagVulnerabilities(tag).indexed && getTagVulnerabilities(tag).hasVulnerabilities">
+            <i class="fa fa-flag"
+               data-title="Image has vulnerabilities"
+               data-toggle="dropdown"
+               ng-class="getTagVulnerabilities(tag).highestVulnerability.Priority"
+               bs-tooltip>
+            </i>
+            <ul class="dropdown-menu pull-right">
+              <li ng-repeat="vuln in getTagVulnerabilities(tag).vulnerabilities">
+                <a href="{{ vuln.Link }}" target="_new">
+                  <div class="vuln-name">
+                    <i class="fa fa-flag" bo-class="vuln.Priority"></i>
+                    {{ vuln.ID }}
+                  </div>
+                  <div class="vuln-description">
+                    {{ vuln.Description }}
+                  </div>
+                </a>
+              </li>
+            </ul>
+          </div>
+        </span>
+      </td>
       <td class="hidden-xs image-id-col">
         <span class="image-link" repository="repository" image-id="tag.image_id"></span>
       </td>
diff --git a/static/js/directives/repo-view/repo-panel-tags.js b/static/js/directives/repo-view/repo-panel-tags.js
index 95e365a56..fcc5d950e 100644
--- a/static/js/directives/repo-view/repo-panel-tags.js
+++ b/static/js/directives/repo-view/repo-panel-tags.js
@@ -18,7 +18,7 @@ angular.module('quay').directive('repoPanelTags', function () {
 
       'getImages': '&getImages'
     },
-    controller: function($scope, $element, $filter, $location, ApiService, UIService) {
+    controller: function($scope, $element, $filter, $location, ApiService, UIService, VulnerabilityService) {
       var orderBy = $filter('orderBy');
 
       $scope.checkedTags = UIService.createCheckStateController([], 'name');
@@ -35,6 +35,7 @@ angular.module('quay').directive('repoPanelTags', function () {
       $scope.tagActionHandler = null;
       $scope.showingHistory = false;
       $scope.tagsPerPage = 50;
+      $scope.tagVulnerabilities = {};
 
       var setTagState = function() {
         if (!$scope.repository || !$scope.selectedTags) { return; }
@@ -149,6 +150,53 @@ angular.module('quay').directive('repoPanelTags', function () {
         setTagState();
       });
 
+      $scope.loadTagVulnerabilities = function(tag, tagData) {
+        var params = {
+          'tag': tag.name,
+          'repository': $scope.repository.namespace + '/' + $scope.repository.name,
+        };
+
+        ApiService.getRepoTagVulnerabilities(null, params).then(function(resp) {
+          tagData.indexed = resp.security_indexed;
+          tagData.loading = false;
+
+          if (resp.security_indexed) {
+            tagData.hasVulnerabilities = !!resp.data.Vulnerabilities.length;
+            tagData.vulnerabilities = resp.data.Vulnerabilities;
+
+            var highest = null;
+            resp.data.Vulnerabilities.forEach(function(v) {
+              if (highest == null ||
+                  VulnerabilityService.LEVELS[v.Priority].index < VulnerabilityService.LEVELS[highest.Priority].index) {
+                highest = v;
+              }
+            });
+
+            tagData.highestVulnerability = highest;
+          }
+        }, function() {
+          tagData.loading = false;
+          tagData.hasError = true;
+        });
+      };
+
+      $scope.getTagVulnerabilities = function(tag) {
+        if (!$scope.repository) {
+          return
+        }
+
+        var tagName = tag.name;
+        if (!$scope.tagVulnerabilities[tagName]) {
+          $scope.tagVulnerabilities[tagName] = {
+            'loading': true
+          };
+
+          $scope.loadTagVulnerabilities(tag, $scope.tagVulnerabilities[tagName]);
+        }
+
+        return $scope.tagVulnerabilities[tagName];
+      };
+
       $scope.clearSelectedTags = function() {
         $scope.checkedTags.setChecked([]);
       };
diff --git a/static/js/pages/image-view.js b/static/js/pages/image-view.js
index d8d3adc22..d848440f2 100644
--- a/static/js/pages/image-view.js
+++ b/static/js/pages/image-view.js
@@ -40,6 +40,19 @@
     loadImage();
     loadRepository();
 
+    $scope.downloadPackages = function() {
+      if ($scope.packagesResource) { return; }
+
+      var params = {
+        'repository': namespace + '/' + name,
+        'imageid': imageid
+      };
+
+      $scope.packagesResource = ApiService.getRepoImagePackagesAsResource(params).get(function(packages) {
+        $scope.packages = packages;
+      });
+    };
+
     $scope.downloadChanges = function() {
       if ($scope.changesResource) { return; }
 
diff --git a/static/partials/image-view.html b/static/partials/image-view.html
index 181938afc..3213ee7ac 100644
--- a/static/partials/image-view.html
+++ b/static/partials/image-view.html
@@ -25,6 +25,10 @@
               tab-init="downloadChanges()">
           <i class="fa fa-code-fork"></i>
         </span>
+        <span class="cor-tab" tab-title="Packages" tab-target="#packages"
+              tab-init="downloadPackages()">
+          <i class="fa ci-package"></i>
+        </span>
       </div> <!-- /cor-tabs -->
 
       <div class="cor-tab-content">
@@ -53,6 +57,39 @@
             </div>
           </div>
         </div>
+
+        <!-- Packages -->
+        <div id="packages" class="tab-pane">
+          <div class="resource-view" resource="packagesResource" error-message="'Could not load image packages'">
+            <h3>Image Packages</h3>
+            <div class="empty" ng-if="!packages.security_indexed">
+              <div class="empty-primary-msg">This image has not been indexed yet</div>
+              <div class="empty-secondary-msg">
+                Please try again in a few minutes.
+              </div>
+            </div>
+            <div class="empty" ng-if="packages.security_indexed && !packages.data.InstalledPackages.length">
+              <div class="empty-primary-msg">This image contains no recognized packages</div>
+              <div class="empty-secondary-msg">
+                Quay currently indexes Debian, Red Hat and Ubuntu packages.
+              </div>
+            </div>
+
+            <table class="table" ng-if="packages.security_indexed && packages.data.InstalledPackages.length">
+              <thead>
+                <th>Package Name</th>
+                <th>Package Version</th>
+                <th>OS</th>
+              </thead>
+
+              <tr ng-repeat="package in packages.data.InstalledPackages | orderBy:'Name'">
+                <td>{{ package.Name }}</td>
+                <td>{{ package.Version }}</td>
+                <td>{{ package.OS }}</td>
+              </tr>
+            </table>
+          </div>
+        </div>
      </div>
     </div>
   </div>

From 136ab28f17727defbfbe8d32b9581b6b712caa24 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 28 Oct 2015 16:24:44 -0400
Subject: [PATCH 09/36] Base demo DB

---
 test/data/test.db | Bin 376832 -> 901120 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/test/data/test.db b/test/data/test.db
index 6b318ccd35bcfe1ce60d788a341d160f7a773de7..85fd5f0a1ed530b6a3396875548a22abc32e51fc 100644
GIT binary patch
delta 38957
zcmeEv2Xqz1_wdf{zP^Q$5K17Gl7yGMULcT08VTu*BJf%ulmt@f_y~w1hzd^~M5&4>
zRzM7(bOo^iB47gq6h#CqU@zaDeMtxjp#Pu$-}%n@&WFd%zL`6B@6Ozrxoz&wnG-Z;
zjy1F}Kf9vV6IxzXJ<(AcYNXmx2vLclp%f+SK~dDFOF|Q@Jt*yYnGAlZ#KUl<_K3fU
zKZ@Up--us|XT?v&<KkhZQ_({{M|N7)ksZUlP7g=>Q6FDez*1je(IC{xH>_wm3WRH<
zuS@Y*6yVE`?CN`|RJD0saREXdeUq*Q`uNfXs6%5#o-aH;54CSB=X{q31o)ngUnFmr
zQjnTd<nzXd_{s*%l#5M2qkL~wb@1g3Q27qUi@v@C`yoNX1SOjn4vavEZ$@<}LGQcP
z%j(OE?1r!WghagKeH7}u@_4XsY3~@MX@)!9JIogq*&C@h=SKpKDpIlJvjAU0FS+k%
z&r`n8&@$iX$Jx!Fg?>xNL!Uff9|PAF_1)llPrU%wDKp_RdJJ5$3*cf*hD+CIxO5KS
z;Yy32QsNcy)6MNiTwykcj`*y_#it8M@_nj^Qivxh@mulaEnt#;CpCRE;=7c1O*}7t
zD873OxLDu2qD>>dM~NT7i2W$OcMG^U{Fwr=zV|yC+R4R-De-&pjCe%cB|a}c+_uI0
zOy^E=hB8j6n^5Vgb~r00RMbu%RbEwB>GnMzR0<d#p~M$}Ki(I2i$92uw8e0g=^Vru
z(M=G@eJ^w?6~&E|__g?%_<?vpd{x}o7QtuCl03n;F(fxY4IL^MH&H<Fo8oKYMRAjO
z>}K%Lv7&ENOu;~zcpjQipEh&ydCf~2Ry{}cscNpOi?UL&R}n8?CLbs}A?wS|VSZ;y
z=-=sw(N`#*+DhF6oShM?FD4k^pUP}D7|LB{vsP!dmupQ<qetu1S#4U2#iF+xj8>z;
zVZaezGt;=fyIxTYT=(bk_^|3&y#8xuH77b=>m9h@0}J_!3okOOx^~|5)Piu|mhUKP
zS!nKCo-P`ym@<a-W?2@${sEKQISOw={rc@k-igm7mv#2nQlwUUj7jD+8TZtQZ-0Bd
z_}EWLc=j=7SvT&7uX=R|Po*hpuDAP>^{A7-$tco9cbpl|MgQ@}rg&Yz8+D7!cj9M`
z15s>y-$2<W)55`vtKPxICzw?n^VQEb+4SM{X)`~)AHVh*GrUW1{E-iOFDSc~y!7*u
zvJThDP~xOcvPfLCgX!M2S4oGt=4Ut0C4cL~+H=yI)OROOUbKT*$OS09+k-Xd*%`Tq
z=HQ5(%rs$OLYIe1dqy0hsHctVAIHz^1ZtS)2PVsU?s%Z$>itSwyo*`YCF)e|yZu%i
z-&&rYyMGMd+(9y>?^}H&{_bfeTIl^wc9OMW#Z`)0-FdSf_kM=S;bQ8ZniGHGLYHaT
z<=^7^XP9MNyNO>+4Wg0~vybndgnMp)5$Z0^8Qtf_A%*c{KmG+jvjH9-GIZFZG3V|)
zPX6NJXW{YcLx=W@;a6TruS;0xQZzoEVOS*=;@C*v!oJb!zKfFwjv5iauIjXJci$Y&
z;yYr@9=j+#e%jd;zOLG3oa~GC<CKXTe<go?JGIj|^-f2Ds9uoJGwYc?zU0`|oUEtt
zu)=u8(sgnAaeVnH7z1_uwNXNG>0N<i?Me92^~?}2FyDvu99-X@1ef=U;BvqQm;J#o
z+7uFx!j(EE9;IJV&S2jbKa_u_F^U@X1F}8zY1!8tr9Q*G%P862@{TA~`Gn>L#a~<$
z!gL3IvZ{x|fGW8sg@M9Z@eXAlc?0vOW<K+rdaJNanNKek#_-E2&kyK=Vz_v>;x1Wt
zHc$1aXp$}C3WNvc9`-78jGM{KQ(aV-Gs6_e`3&^{exEu(qej89G+CASqGp5;sG3B(
z`ETU+vuoMu)LV>Rm9BVRp+dV=d*$((6Uu9R2%#VM*uiSC{w+2Vjl=;v;XZaN8;L(V
z%gB5$7<=NqXBaJha2r$)#V?e~w7B*R6NN{ghRdd1Y!r@N164)%fl~mcT?_XG*m#c7
z`ie-~d)ZjLV<FoIU(o_++#^t(jkm_aLxgjH;ENJj6t3ODM&m`(*$9-52M{cy7Xj>@
zec|%OPN>?k6WTBIu#vK)K1?yf+H$~>h))m%XU+oro+3hTCz%XK7eiG%ej!NKN7mmD
zTmmKi@V=7(tPTR|_m}{YRjP|N!>vWST|jQl{uUN!VZxK{1tOEqLbIe;Ai@y`M2tHH
zKYgT3Ag@2J6Hx!lXK*(<NY)ddAieQG2|VKqQsG+&Ki~bGi9|hd4+$A5$R>nr{ga85
zg-K6~{R#j=v3eIgZ6&F@{{j?r$33)AFpfORN04nIFB^Ldnst_%-3PauXXvKUxN98S
z9oLbT#eLbH_zd)|FF!UCG5CR<Y$OW<`~exZD9*nro~K~5IDd<^JIi<88ln)tq{OS@
zm$!h)_I=sEyLYi>HYNT7GRg(m5<Y@m?4Y<u+$L@mpApxHkBUpgd&PQjx;R;^5FO%B
zF<;CSlSI3y7o)^5v5VMVREbFVMfgs*Ae<3C5{?K5g+0PHVWaSjuts=PSR&jj)C<#v
z$wGzT5QYl*LZ*-;*af{1C4>oG1aEsmB_RG6{yY8xe}?~vKf)j6_wd{Jjr=qG8vap!
z34bqN&rjzk^A)^<AIj(RnS2s&=k<IPAI5j#+w&?OaldfiaTmBV+(+CI?jW~^+s19=
zp5fMTk8(@6d%1dUIyafC;2hjgE}zTfk~ll3=c2eUu1hG_o>OW5(p=MA)SS_r(7dbJ
zr`e`?QL|3-m}ZIQ9?k3)ou>=9k8XHUE*pWid?f45c*$P6m|I4Pzk{goE$qObi>E-i
zcwc-++z(s%cJXD{)}I#FijRwrh!2Vj#k<5i#c5)-I6*8IM~lP6A~8qI5R=7t(IV=^
zXfaakA$Ar!h@2=FDdAV)s&HBON;oTgDjXLM3vUUp3p<6a!Y1K4;VEIY;9V{}B-}47
z5atTAgek%#VVvL=Mhay@fsiev35h~K!6d{AeS~l!Sm-3Q6Vw9B|H=Q%f6srzpXWd0
zKjuH+-{arp_wujtukbJN8~7*rmHaY(DSsb-H$R7;!PoMY{8-+}kKjxAJbo}gh#$z?
zcmv;;@5P5k@Ll-;Uf`8H#r@2E%YDUt#(l^g=HBFXb6dHWxTm?*91a`AT3gC&ra4SQ
z@HpA$s9{#QYyt8v=GIXlT3iDG?}B(vJSm<47JOTL1B9t<;${%2)&m<pCO#}a0E{?K
zoGnfTRva&S#8JSEh2jt~9oVtIXcpsuAtS`@Vi2&TMwAJE0aN}UToS$nw){jmCL99B
z+$Zc18h|yQ71jx>fH{4Fcd>8}@aIgSPN)J7bqRL}rNE<ELaLAeTxt}wLT}*HZbG0S
z0;4kgAN)_isu%e$_|w3wNBMX81Hi7Y@>}>9fnlHESMV5Eb`d|H_X5+_@Duqlz_!Er
zVm=obH-#U-TY+_B_?~<SFmK0Dp63<Nf4^|wa~HYKxs%*+?hy3g9&S6gnR|{~*Mj{*
zO)oPI(N5WM)G%|T>|W?Q&7G9^D+r%ogYft<@ZDSDUf{Y-;s)Tk<>FG{xVhpC;J0z2
z6S%EF91OhHPc#6hg^OK*&(tCfT=u>2HSpNS!u!Bsdxh=5UmJwA!g67$un<^lhENTR
z<rIbiTMZVHfvF5aG_X`x!P@~iispX>e)^g}3*7WR{}%Alc779Z(pr8w@X<nkE^tvb
zKMr_k7+(M!l+5=7{)y(pfq6RcYM$nPg;)QYJIj5{z0bYH?S&WL#BJc#a?81;+(K?H
zH-oF@#&J$=7+1gz=90O7oPmqx!nv-YTnA3gQJNn$-)PQiKGeLYd0n#|gwv-qk874{
z7HIBl(RaFl#dJgPAMEFJgY#E*B~p_$6p24k;!iE0nsp11en)mxAchJYGii*0%yT6E
zOo>0=0(O+|=ixkRcZ=HbOGnH8E0q&iLjc-Oq5X6b{T?%x`GH*}OO|~nU#56VX;U6k
zxz$f=(llRkoB2@!Esht~iiwmPByv5dF4YnD`+g3e=^I5Cx43`QcNE>{>w}*2g@u+9
zt!>F?89t`h3%=n!Gg@nQam`wv8r?)Cyt(Q)IU&B4im4rFzpjJ&77qN%_uzn(TPduU
z;?r(aZEe1Y_}n)7Z@RCzG_i$_ys;#$S$9tNWfa?QP^@{R>JXp^O1GkVqc5bWoA1M-
z;AR~>u5q`$L{!I1w;169-=&(4@r0#1p_3FkNzY{ZGheey<Tm*U#W-c4@+;Lu)hFuF
z>i0CGG$*;?+#Z+*&xs-8L&7mJomx&&z9p3@sEeeEU#aZeYzr9XORCC3L5;e0ps%5-
z({1W9Z@^OEyEri&b!*nsuT%;?XJwo(Wr7(6Z=OD(8u^^_l2Lb`FfZJ9V4mIg-rNM#
z1AZ0xBIl-|5UG6e++<&VeI6+O#PTqGZh%iWPvx6c-@&(XZg(FuH_Z3WoL(r*_rsh!
ze0R)=LE#eI$~keqg)4ia2;WO9@9=e98RJ`1-^n+8Wvp-EidYb$9)BNo#k-Dz5#iK|
zc%Np45%rSV6|FG)7C#=2di!2_e7LXo<GsN&LZ0h>Jj&-?6^WvJPp%r_3tSb2qW$oz
zVtkAD_CzrNAF%nrUOV!2-Ww<H>$i3s-W}qbus6*2+@8L2ZBtR8?}t4-HDpH9;$=#_
zEaLWw=zPl^ir5!)0e3LI%Tt5?E7SHrUkxU(&N$6el=u~_^{>DhzeJoPPJ*?)NE`$^
zU>^|2)UcYL5MBe(Yk@F9C<LV>TIj_823yr0*qWyEBSChG;We<=yv@DLJ<iSND!Ee5
z$o1glu!<hiysUYu1&`|jCNtP}5A$Y2<s4=y^T>S+Az(cv9u*s4yM98rS93}DfeV4X
z@<U-QcQ?<$=Dbw2aAn*(VyZAvb6D8Ht>6?OL3ZW75u^CMLW~duJH_w(D3}3#LE4xh
z7K<*;7R`FjBx-~rZVOj+0|C_xM)!kAtX#-gB_oL2Gr?2q8CC6>R5fa<$2qpDYJ3cy
zynqSBbM6O8y6mBc8GLCG)A5nJ7`B6gSVpeF{`e`7yq}1*Es!^__Dk|O-^RysI}xr>
z5ZlNmu#5Z%wv_E)QMsu}X-OXM+w??1Fei4o!T2M3#jzljq<}QirS+3^0fQND0LM^q
zwVs;VQI%D-73CE!M{Pw_Wd{vI#Z*;~8CC0XOdM5FIRy-jf|{WsCORrAYdw{YN|&dj
zilMZgX_G3dD=No~no!~LRMvO`l?<h?n&PP*HL1E{iUazkuEsIO6QF>nOmfuJOs%SR
zLsw0%tEl$4!3Y(2ODhz-O4sXFD8f)Wkof0-iqW;LMM@Wt#rO=*2KM7RGBKzX;Tn;N
zKrIMY2QXUHnsAk`{@G4iWgruW+R&-Exvk6h+_OXf)A{)Ff4l+z=Pm#9Y5t$L{LiVK
zz{Yn*hbeTJPNsijo@Woq?6TM7QSx<)7zI{*t{kD<q<%)jXtF`L`i;xup9jt2DRG4G
z6dFyPral3w!s5%_9V?H$zR=Fw6XmPlos8n7wfdvo4t0H;RuObZ1ganJ3)|bxxA0^2
zf6%6bZ`j8gxvuFsp}s{Q5B8yt!jS%nh>wsDe;ADnzKx%B_MQAu<vaIb58v!hjK~Bf
zxxRLv#2~X&SM*7gYKB1(ln{dIBYdkr?Cjg}qlhex?TkL*M-#G2zlQ&4_pQCw3E6zx
zt`+-=uXROscproB<kcRipYQjpLw)yL4M+Wb8?G8V&#Sd5f&v54Jz2F5=LAn(ji;LY
zAKwrrpwkGy$fFQ6fb<6boJT!_)BDMT!UEBlib}U<8UY+tUFEE*C3geyTpnqIbNWjV
zb=M(0Fta8Qhy)2wI-tZ29Et!l$|oG^A6hs-9uyUbre1GRQ(Ijz$up|LO<E=4xg0X%
zC!$ddN^Uq5jr0hIM<X*z!6&1@SdkEo)Yu!1BJqYOWI%&RX)3<j2Mt20(gR;gfvvlH
z6ykAR6d=m$g9f6srkdjabbkKF9RJ7yBvXm!C|It)5zn<=a>)u0qI{a~+;8D3@pBON
zK}Eln5SQ-z{I4*Tc$(n)T0DIVT*>$}gL<jN&j_-M;%B!2OCb(|&^|;YY$uybiOIrZ
zuy6F|?$w;uSk(`xE~?U$E0v*&>GH$!XxUsp7G1!2gg^g)?dUb=4JJpq$*r|JEk>=$
zWpimAI;&gjw&<<pPGh;vZ8SLRrdLjIRFCn*xT-yl+Nx?`9ZOm9U|U&cVR~s^S$g*1
z<XmfUUO`S~l3|FU$XH^x8TDDZvXUZGT2`_-Wk^waaZXWIN%5fMyqpX}jwv_apwpYR
zdYxBmu!S0Q{S3x_W=pKasyFG)9qOq12(cYitf%UEC8bm;l}U`s>~`vmX189ecbg4b
zlgZ%J+N~~^*5I<5ow{<XL1(sHC$wrRI6#2RAtjb{y{R-iH#;dQFQw3CFlJek3k<pX
zA%>FlvY}c1k}P_iHOpWzCY9=P^HL3&W@BENeef`QiX}NYw`g!9oi~zcG1v_@9Cw`U
z<aL_$E~C!l)S3)toz|o?*tK?>%b<0-Jyy5NpmSI}uIpq~dSIU%Bh9_+!XX){hT`;s
z!NrBShJum;U2<l2T6#vN&0@FY=BMk^Qu0buO{uz^{LF$}V_sT{esHEfxzL<6I4x(e
zuFy}IS9c?2W~<d;ARQRVLkAjLcA(9zH(L!(o3`9&uxd?4gGKAm>m6E;zTB$!l<O@X
zPm2z8RaH%p=o~V1Xj)lPkyU3KT9P}+o?Dz@FEAGB?S*-{Mw883TAXA{&obu^%Qcq`
zPAVuER+5o#PZ^R|svlaS%g#4uX56#~O**5&1a!{gM5;K1ic{)gl*uq#EgqZIUGCIc
z?N+_kq}SWEHl1D%Z)vcbJSMZ-0q@YnkCW^0-V<z;_XZw<w=?QV7xdIX7lhTzqEr;%
zmXJH_2E7itz~l4)v%Ae!t=;2sXkEZt2AfM~uviUMb+t7WZVwDoq`?uXH$>K$T&|>o
zRAbqcsij7HYSo0v<{1+_uIz$RS5e*M2@}Rwc=PmbLrSXII&|Xry0L~y6G|MG$|^%*
z?N~?U_?lQ()x@@aV2rgI%@&(PXt){(?beb|k4finnCvhOT@K>CGMB@wgp0-D^teq1
zy~|^=G|ok!QX;b=t!Uh&Qv1}JvZ3~2`S$EFX195UXK-O*P0d*M&?%PcWW$V<+M&ZT
zU9RlO`t*sq>gkTy$|~32P-!xl%oZaa^)S=P>-N~~W{=*ewYwZ{SS!H0X4C8JFa-^E
zkI`Uo8*C<6Al#nn#;zMzUOUE^pJARdwPsAkm@#9=j~`N#om(_)TJp4{oD^4{bDCpn
ztTV?xX^<|}mYw0L$sUvCsjSl9oF;GMI$?~}>y3J&T^eI$;~2v_;UD92qt#?~ddymr
z*#ktn9eORydYjg5@L26`yG!TLnd&M*kOi68<8CChcAUO?T1sthYVlB0U2)m4LHR?f
zCdW?Cbd1d&XRu6|R_>UPW%d>omL^wcOwFA!tsvIwvN<ZN%r~dBkx)adO=p5hA`z-+
z&5UlV$7(a_P1<ss!v(!*F=_33n@wwXSZofr+g@(9o2wm_?y8AoI|V|$gd3};#k$K1
z;v7kXv&K$MnH=XV9+#cv$<7;RjJ0G9ot%<Vn=y5QGpTe!LDt~OsZ+=3-31wil~ty{
zA=G38TF8W~?=1&H?JXA$i>2HOUR1YNYxKB)8y(Q44yWFt1t+T2q_=^CwcK7_?Wq|{
z2#tYmsU7R7mKKkUL20R}CFyy3OOd{y*gmLqXnuO3&X$)^RA?*7wwQ)x=jG)lWflz4
z7Y-U~GbH7iO@nl1Q_di3fjy@nJNbrr<CS&^L#)XLohprfoD66Ush1@*&v3iZZP6Kw
z2C|8Hv?h;5r?oj?zc8CT1~=(fdkaz<2Y*;{a-MZaY+j{f;so0`kE?h>dd}oneQHIa
zZORyfX;OM}k<L(P2fL!aIK$@FRb`bIm&9V33Wc>;c?_|7v%#)2l0J-Kfvzs~vH{I>
znVfpNv)riDdRzve%WO7kotAR5)(V4dayzYhok=&T&I!s^BT=c={Hz%nDJiivW5?AL
zr4}cb<s_xmO`SHyR8=x%XsmtMgmLz%#p1Y0#rfk0O*5yP2NhJA>hQ}d6xxC)eXI>u
zTAj2bgfT#r_J)Clfzw+}R&BZ2M%G%B1&H#Pv>vnFsJB>+<!%FPV^bsvGsayjji@El
zoMhIS)ACAeI!jSOvavL!q@+YwmSVRg>9SL@V5j#c>-G7T{L)NA(cn~TVQz*_pOtP-
zv6tkP3^t|TFr?Cm0+B|u$u5nkfd(SG*UQqIdQRywJ6%S-+pYyJ1R||YU_OV-p>;YO
z9+%tY0yn?MT~R}%;Ktc(iHvilmzkzl#ZH@SEh|l_oK_y2JZy5EWk!}|T+LMHl%ej}
zX*t76>oV+9il<DCn?6=wJ+9D$-|9wuXey-aaD6|~$C~x91R8OI26Y;1*SRbpW!Ryc
zEU>^BZ62-N?y+dimU5Tf?$o)<%PmbE);Nx3C7EL_vBr{#GpfwvZH3dz$2qcd>vGb^
zxeDxglgFf+E7G&`hvYcx#?{uO=t?T}<0hJ?;~g3lJD?>M2A#pG(*bW0%RxKgYf8)(
zO~TipGBcn&Uj-}8mtb>P3AXnG;J>I7=d_j<bpaijhOaxIZYY9SDt-r<@)B5gPJtut
z1Mv{p^WOmL{yFd^y$bf8o7gTsX7I)!R20EiQ{o)HTKEh6J6nZ8q6>^2sp40{esB|g
z175k!!os$Xehhh2*?J!RTcNR?gyrvKx|@k~-j*_*D53ec0+`?@=C<Ndvvkzumf{h<
zw=0^N_-_|VJg6H=O8f_t^R{ynztIgPHuJ~#5{H~?!6S{_A->Uih(kvZ{s;m75EoP8
z7Z4!y2}GbB0r%tqa1`wjw}N95gS~Ds=sRoLG&a4$;KdPWnkX13@WhpiU4(Z8uV82m
zs0*l~y;*Vvgu~VI?b|W`mYrtK&XP4E6PbU=Ro+`_3V@Am#3nHRmbm~K(};{`T8iM_
zwla7#liiZX02|$iP0su~R`X;h12)u%jbZ*R%gvlkRx~*Ys%zn!Z9Vdh>UBT-Ek-hY
zHVziC|3M2DpE06HQOKvnZ9={{8T_=5iczhfp$oX5#&_5lh4<g`l{{Sr42u3KOSR@G
zZ?p0#Yee*KxruEe=pQXs-dpQ(Oe3Oy$3xl4bQ<X))y=sl;YM-dwkwvOd5+u=SJHZ5
z8<{5-AL)-w{|&p*BiTr%5Fkosp3o*rMi&sn;PW{su+N}kyD7WSn44NSWKg!*s!K5p
z$;!-5DF$UfC8Kz7YSEyy%pqliQt_@_a9m~NqTD`d!^|eL!JLw7Ps*?kF%L;A$V^K&
zWDZJ6GnXV;hh>!Irlbriwv>=2NgU}5`fmbp@Ry~ii%v2Y(VZx|6Eg{XxzptF@_mXC
zswt{V>e-qQ%@!_$Um#e7{UBV77q<)Jz~<T)dy|j_Wk?3Nx08?+|C)&GC==7kVA)H@
zreySX<9!3%L&(~kBrx{1g*PRkEF52e;?UrR2?gjOgtz1aqAWaTGz!3z@{tA$1t=B=
z=c5EPq`5Q|pLal;oQ6(L^fkg&4rD~Rq&5Wab$}7^^k@{1@<>7GBM!ik?m&I;fYB%!
z<&(nEc>Gi}0K&`&0A4f|tcu5{qG)_#3X~T5@%%IeN}*j>JbWqyA>%sKpD&V(zp0@`
zNy*u%II#|O#y{1eGx+OTl!=N-y8!$`EozU&IwasRbx4PY)}lmI(p=TQ^IU6zWUIX^
zUy`JW=Y{-V+K_WU3P+6|!fRyx!}<m6q}ConX>WyfkHx<XN1RMtONnc5#^OuzRAWaV
zh<sG3!UBVmc;4=IcpL_uRjYTHZD60$8?<(vz8tJ>7LNstL16E25a(7uhkGJ%{?ydg
zR*m;mwiM8f{q(wiMlj5Qcy6{621DY9l=$Jzo)6~F1VeA8SoKey>qm9FKnMKuc*M)Z
z-$7Qr#nW8)_bR0NUjUhjRR5J_L9!UvQsPc=nONKAB}@$ru3d!g6G&e$;+4h?unnBw
zvRpv6J{JGrLmgD&w~c{dw}34quz@PFLtX$A^G*GVFj|TD<YTChN<2X%wyWZaTVU&l
zPpm?*|BVj1eY6V1oCKn~DReiwOb?*vF)X`W)>XD#9;paZ+^hIbIZLfnPg7skjMTg#
z(830>Ot>J{EJ^CDm{q9=3JXJcgFtu1?=42XP#M0q7$srvV$>Z1QdcZS`fh`Y<v}5V
z$R&9%Bxfk7|KRR*OdN)b7NZ#KeE=4Mf73b!4VM<n-4B4r<ia{wyhb#1c?y*yT(J&T
z(mU|#b+CNSSr7Lk$$bc3wH_(($@M4#k9rdIL!<nq-Y3CPvVR>=bH_TwVdhnE!8ma5
zSJ6lKvF#`tISE*2d}=%F8b(s!@)t}Y1y65-b<*8L2aB(5Lj!T}R@57L8Xz{pjp)kJ
zIP?hWf<xX%9Z@;nbp&<8Iq#!h`2HhEhsKbCG#qjSY0+4J<=7)o*>D)#Iu-tcKM%u_
zy6+2E?Z-9z@&!`RxZ4*f4UNZ{KSDn){sLL>#LrO%nt-FOp>X`*=cogI@ha%riZ4(n
z%>D=-pNRz4A)UdHLxgl=sM$HtB97jID|Ps21JX7gG5}A?@8BZ&LOc!Z{_QPV#QSH^
zxm_q+5KlGEAW&|;hQN#u*rTnNU0pyK<8N_x9}zb{AoKGFc*+Oh*}2sT5k3Ck0MaXj
zmnd<%@KS3+bOG0B{L)*9kJQ=B7I(Q(Ytg%4Wp>#eS{s=Av~IiIWpcT}AES4v@tL<!
zoVV2D?i&i0fLvEC_(}BUCTEE$RI7u3;eA8HYpX`N!66^sFEqR@v|ci?G(pd9vAF9k
z{;F7=3G6-AdKRguVx+2<B`I};K2Nz#>*!{&TEOCGv4X|V>CxJ(E{9R)f@-&&!yDd4
zgL(jMEijpMR;ynQfer1N_*?5PXq3f<Nj=+9O|uMAH3}{eAqQ58TQnGfe>#B#g}9G`
z0K|Q_0P2GmZ=gA1H)%l;c{jQ{lcc)&t6wMhMcCKG7jJ<&0Ka$|$%g%daihr=c)bH}
z-G4*~W5kIRSYK9(6Wcu3^b&(7o<kb1!Ju;*!Q=%tOc#uW#{vd0!ZuF5&TO`TgT(08
zvveG-q)@R6RAbI<F`8XAVli`=i3MB-<LK1swBSG>txXp2fG`jaAvHi0;;c@C!%Xnn
zZ607p8(1ivIz2c79X7MAQ@PD)wHb{p<KL&gBg6FFt%8|GGWffTC_p7jU_Xi9wRtc9
zc2?w{TGy_ib`mT(x^^pODeBHLD#Wl1g(QAq|EC+Kl5DP5ZY^KE-#F2K_={|=7s>Ji
z6a5yH=irMB-Sxk*9ZG71c!A8D3%7jug&;auE`t4!EL%5?CmYJ(ue;HmEQG%T(1R3u
zknT#aXC|_9*{@|IWuMBE6`Pe><;$ufjYji0r{xaw4hTKIB)lz_QENcd?}?{f17W(-
zzg(ZVhWe`16^ft~BdU+V+N-cv@YhgRR7L9Zx~Gg&1dV~J>C#R*$x}VCqNWBSjV4uB
z)mHsaFew@_;h3u^9Zm8-{gJDvC~|Ix@zRbyuc|rNq1rPBo<aN#{=3Oo{0V)hD4(DR
z(!<ujQlukLHQp!E0~FO06+w0=ixTPHs0J5^bZScxp&P2j2LyU}A9s}^C?*WmtE3m1
zQc+XUcz%uu2G@VqNt@{mfsTrtTRBOhYkqHuE+R|URDgSY`t`f14OcjN2vSU&tOyza
zMBEocN1<uBo})9xdbU~-lnPIblb(p5kEVk)*PBi!P+jnl7}_S*cdt<d<pOAFGiVsT
zFPc`P89+`a?2V^YI6H>!fDcB~CgnU+ts=;5M)<itbR3$Afrid_aUWX1rO7Cwp;r`b
zMGBz~o(?cC44{Ltr4QW=%_2|ijQ<)yYw(mlbgZ&om~tKFkpuvl-2x;rfq;ZgRRrY&
zn#6(h0CZ=I>JbBJ9=|w{j#UWLnz2}sw;7}#J`)dpGpFed0`SlQbPn!D3hSE+LDDIq
z`=Po1cX+3W7V*6$^u}<)-Mj__;g=xhJQxmxOcc!gG5!Hw4<`fe;d*OYivb|;hTwxg
zu^quMU+#8U-Qc`5ScxON+@Q6291ieqd7Q8TJ8a<pz`cX%_(-c;SMD@>tXgxq4($B~
zn?vic*j-vHs8L3{$>{*^3BD(o)<zm!dV||#0Y9G81pXZxXkAX16~LWtv)y0-FOSWH
zKMbbLfV13a)Wcp1ehaeqmxJ5S462zy?}2sJWpLSTR;=$%_lp1rI5?(3HULL3gcj&w
z3AZ_6SvTk`7PrX^?rRIazdIcfX?A(^;1ITh(+h|*5y8T)2QqX<m&awad(1AE9v|yY
z$B(evoMxw~+@UQm2N$~uJQyH&fHMW07<LP66kwLnS-`-m3PV)!7zp`rRMyrxDrwSF
z;7M|8ZSW{?!kC=k0x=okC+LM{9W-`W@x&f<Vx$qmMJyiJJlx=HgLnuxyq>`g?rS5E
zY%y9OR>Osl^q_l3TI^=4$89uf^&UI%J~?3+ta`WB;50(mgu`idy39B@gpP&*v$)JA
zsM1-?&>P^6(K?Obtb*;zXfZlXHodbPj|-v0Bit6N&E|n^vK$<mFc#qca~Snjt;b>l
z_q0oAa@z2VA+$CX{MAmNyj<%xIZV*O4#4Itw`*arJm7e@n(TTr*=Bh0Wg-@|FinE1
zrRmU3Ls%&7YjH$a5+Q-lM*BCntr7H)VDVKF<<oR7n^?qOg%Hu-z&gHPYzT{_m*2Gg
ztG(&eM>1%(J1-8TAn<lO9JDw9M|z0tIS|fDeG3OJhCutiAlbAMT&3p^jH3@ki76y<
z=rV}KAA^jsAI$KZ;Ec;k@gZnjFHQl|j#DfJKT=BT%|;hc&fpXyy*El+BMD{T8Y0f3
zmac#|np{QVb8u{?WhgHZ@ivE=UT5$cEA5UFmp7p}126tI(6I+j13wF=MqYtHs`KQa
zI?Um9;;PnEgqn6RczJ)i{E^i(8{JWSkl^_Tr=Qy5+05VvQ|P)V5e`tTkVb>}C*A^w
z+0&qze*v9yQ9LHT4z7pa;26-(o0wNjuQGU9Iz2H;oJG`ttI!?iLD~2aTpVwS``~@H
z!1=57;%XS0rQ#xSmN>616{{FLD~rCjk61&&QJEj$<&TN)L3HzKIBrw}U9%I$cE9){
zQ1mMt;aV^H+V39NYHT;_0>(19CYN3+lS0bdJj5?t730f=v?7pimUtzR9EsmU1o17J
z4DHM_Vb?|E#s<H^%if}aQzW80Pv!_B_K4QYZPQ#R#oxMUS^E~Wkd>QicMG)Rmrh_~
zJJMq)dJKJ)d7QmNewQL#@v_pPqSZarRqCUfVSFhBcN>NEqEehF7EsecVu|ZqS+7<E
zS-aEq9i<I&Le&^gWo`BJQTVC7v<W?i_v`~(z_q>fV5~2K?PY$`_M*Zoi|BrMc`==U
z=J|IfDB$p)#dH+@zK9OHbyWtstGPiJveC7}vx?~uY$&3$TRosiyerZRQiz?t$03Od
z_`9)mCvpiwcl&p?S!3a;cZ{Py;KMyrfc8<Ys><?;F?d!C7&jBf(|g$ZuJsh|d?(mj
z7x<qGO?W)#PTIiM3-t(BR?q|S93nDE6`+-?@uwAZC|e&@Pvbpf>2$QPMZ?$%dH~bC
zp24AG=@hi6xhARW+|KnZF<8=fwU>yksdZG7|Ec>LI?SeNgxAlaL(pP;U>2>%DYNKa
z=zctI7Cit@_ky(X0Ca62-sz>2G4lu=h8}F_`3U_9!pk0}W6%<u^dcREKY5t$gL^+r
zYtd4F!GwqDzIgLPbSy;G0z@R~PC4ctrn}*Shd^w5$Pc#UAvzpC_9BQ-5Bm!~C9ujD
zX&ZWk6bzFSe!LBH{m0Rte`l(aBVtlGbqlUe#i!=c?Sii>reINpumYXlKYjjzjq`Rh
z5&yP`R?Ea+L2tRm^BvJLR)thFnR<d6Jhb~^iRulfXGaS>oG7f|{@|8zDH^BxNA=<s
zD0BhKY26qBluDHfC53o-x_L$MtJtP~28eCY=?t(t8?3Q9_)m{7E~UdWYAPm9n&6SF
z6OJ*&G6Cv<JAC#ySTOv^>Y1BkGZ<`o5PWXH)};-$31IK2sSTfvLw3o6NVrC$!f%V!
znITZZjx%=2mgeZnT~?jj>4G2)69`ZiP=uXs5MA8mHoMMIPD1|d;j;@hL~Eu{5;aD}
zX<EG@grzp)%=OW5^y5KVce4jBSW3s>OApe$Z&umVQic<k(1|yLfaZPh_9b-ZTUK&Q
z>3~2zgnOFWyzC9=SzNf34wWE{Z6M(>Ik%{SVat`O3~gEg{)AgpJ>jFx*@UV#t!9Q3
zV=5VXe@I|Wxa8>-M6iu*hyC)U8-%Lnv$!qT&o4-fILWAq{x6UVkGDTY4-OT?1`4)b
zB1(`zmhYvUH?P57`VH)($HlkXA|Yu>*p_(qtfEr@4;Xz2hApt~z6w&B--h@R9N~Ev
z<gGnz@qFqx6)0&z#vlai@2gMHnIVGsJTWl%Ut$-8(vaiC{zJyw;5BdR*3kvbki-)3
z91>JKkGHL-vqA+SS2A&lPm1#)5+WVWTB+dF?Ave>d$CX{<hCYB7ch&K%w8nwi_C%+
zb5iKRB%xLeEma$&Nygu#x&^;;x3AW;s`j>;g6dZFt*TYGuU6i^T5&_QG$XtuguH34
z%5SJ|GY@39uV!zkZo}EkO{=q-AAX~?u}yQb<_m(E<i*(|ln7>FDu{qyaill^^w{6v
zbo4f%%~^ILQtJZx)80@PC866a!@{ir8V6khP`BcW7G1|l0Jm5Ny<~CK+zx^OsQ(T?
z^>+ZuTL5^QJ6X{RqRpx(Zw1hn3H}a%Z3O@$>Gj*po7jvAVW}1~tj$o<J)r)&RNbcD
z&kAs`@3go>h=&{%qd+a13WqH9q99xp-h@N(>xe+p{BLuQ5ocQ}d~o7~#-m=L<=)%y
z1TTckfNO5fHjP}t`$2BQ7o9ji$jv#!D{Z?f&Fx?$5MKSaAS%`0gD6{pG_8Iu7+I-k
z1=Dut>?m&y(uPag$^IUM4VO(M9ellO+KjY<36lY<TwjgbK!nnv1mZT_5=6u|M3mT@
zt`DK6t)Qg7N^|Aur9+dlhYZdbJSd|ybx0{3U`w$KDoicSvKqiJWzW-DiwpA&g_%Xg
zDb^fIp(!WdP?S2Tv}EY8yi#jHis2?)00Ju*Urbi|A4{xY_jtASX4UBZ3C|q_(V(h-
zO{UZxx0j6HCX(^(K@QQXXr5k5(My>`S+H!O>__<&`RA%#>Is@)%|UJ=Bp}%(<OyGj
z(@-fY1Z{H!zVkWINtXFmM|5e}^&I^e!b|so{xa+ZIuT)_hiLJeaDP*<SoA1SMiX$a
zeV`95C(4p9Awq+z_tBxPl~p~q?FE(SaliIjznAWbdmaNT>q@`M_~{3rGCp{gW*ZhA
zqw8p*=XD}_UMJk{EJ!A+KA<DfD!*Qrr(k4w&M{hnSAGCiU`bj1Oztn!;7-TDs`|uP
zP+M2G20wTfs%p>Dp_-}Ha8!7d6d{7YJ45H8HLYQT&jRZHaP*fvNrN9c3mS3Z8Bjad
zwuanwhPL75pV2w!i8fWAfe}083~j`{u7NiBr1Yu{mDlK{bYmus`zZ0gwv2U@!S@}d
zg~)#*^W&XI>14H^lW)%(68qdvJrfv)QvDN5UlK;V9j1R2%u<7tYDTk>5+2}tXl{(s
z{(x!lz0c;O8?{V03kAm7x{3*IEpcNs^!Sc0MlEy<nAdP_O=oJD|2;hlMPJvXNQJ?w
zw_R^b-jWgTro_8JSiVUF&_M>@{TuC7{nJR6zi4o_fk{e|;M)$Ube^&pe=jl}{|T7p
zpMgo(77~;0!khVe-(~Q^j?Bz|^1vXbLqCo9CfS-l0U7_gjrSxVKMIyTsftwl|IO9G
zi9Co3?TH|9pbVef#LSjACc+!JnOTcX&oMJOk_B&O?+SPCexbebs_jf-!*9<q-4IK1
z;Wc!9fk{NHlmu_&i_l`oYUXt*6JB!*$7&`K-?4@{%91pA4W_kBFK7S>@9@Ycpuv5Q
zGj$wEch}rt)#LDpAuE_ph$UI?@R*el4oK47;gPGLLCG@a085hHHH39x$`MPl+%+s(
z&V(RV6O(clzwj8-wGv+M<9Y_J$EU#M=s36>83~ueB*W&RG`Jk>50^J}aCxIATwd=2
zmwi0h&DycwQ0zA{hwOX#y^5}iwMw0Gqxvt+FwI`BJ2#WNz~3iia%RXQu|g2V;gpk_
z2kUQN{PAce1?}{&f-6QdB0fBtVPzHW@X$>B8q36^4b97n5}yLkHI9%my>Wk*v7%?2
ztK@hI%f#SK-Jyq{gM=s@eI2g#ZUD{WXM{_;Lu!E+@XYRv6<-Nv`k)ta=kAOdZ@fwy
z(Yh8W4qv5NthfetztF3&G(Xi`)gQa$OafZpTp-7L<cuA^FJlIvr(2Z9${7pJk}-Dl
zOpDTSGNAf-8Pf~zV442^trtqdj|4Me=q0>07+%y83~A&x;^DzS=29yYjW*#ORwe~s
zu>f(KCA;20D^r9G7G@B78Bet^)9_3abfNPY4LhNUsX>n{qgn4_IV5`f4b<VyVhS7x
z>96jf%2jn#o=`rooTu<9<|$GYW<^g$ph70UDnAS7l6T6VlP{Mq0HgQ?@uYIPa=db=
zGDR7s)F>_}_9-5PaIfi#@rpYXS&IIUB%qr@BmYf)L4HF1hJ3Spjr;-mY{)eg3rTKx
z;k@v(;5`B=)COTCWP*D@m<<V~l3@Eb2)!Wn+Ya@EYKssg$RLl@LH<Mj1^#jV9=?h%
z;w^k2BzAiX5{cDtDO@|v$C@=7kEW;ktom_vJs6&csgu>c)t$jt@P@cety2A=x(s<q
z52#*LJp^&H#i}$_KUIvXi%PBhGemhsc@jJvtHH;z6g(|sA(36F@;&8V<!0rR%4JI2
zUWumpE&I9v7U54a*hsIM38LflMoS!ZubdI-IBG#-i7Ae{$6s=HV~HV-n(r^UtFc5E
zN6qt>%=MQTY;jb*zhsVz2|{stgC))@V?-2pXX9^E+-&LhEa`WQ-e8EEDHY6U1klAz
zmwr$4|JK{$rb@r3;Hbf@t*dlDxv@?kH%a<k6~&Yyyr#RXJHBr)dr&SFda!tkjr89;
zu(A364!q|SYw?$t;h*4MCBYYlGO0NKG}{#qKFzMyNoAP=uxT80kI@=u)x~Ap_%mGt
zQ@F7<4WB&;X%HVf$%eISQJh3h>)@muHUKB)vz_toTvmneKgsfJGFz{>Nrg(5kiddj
zy;YN(Ty_&q7{Z=u_%4*$LVM%%x;Tx3>4@U&acYTFmGo3|oF&d0r<D4K+$$s)bDaNm
zWfF`&&JbseWBq*y_lyLikAo-|Q58q_+r`{7P2RIhVB|UjZmVO!f(OCpv;)jt8%6K4
z#B~O4Cm)=xxd)hSCLI2%f+Jxr@eXkA<%?NxIx7LPC>lkr*c<XFb`t|d5i%(<!XLs<
zkW2BR@P%+1&TSnP-W3jjMfg==i|`_3RD42MAz;X<xJZ}}M{%YLHQ-<$19=sP3&lb%
zWL8WO1_)L`?}aowJ%tcZT{{ZApn&{}zwy`jE0BTU9DkBO0XY`m=HK9VL6*hM{PX;J
z$g}tu|1fyz@8#$5v-zp~WPUvFffPMM`9gjOpAI>L`txQ!4l*uA@ZI?!$hoNDSujuk
z$X$V~e`g?d+fnWv?hS4y*8q9{o}o5(7;(8tAqM@YA^J{|w9Y$2HlHN?+eSL?JapJ{
zNaLr2Bt@Npyi<@z?<KwtGQ|yn%s^Ji4HU))@(M_dcM+1}9pd(YJ&;%eKLfYv2U1sW
zlsfxa=;w9dJiT9B0LkvAfCYULgdULOfay|tz$8eF)L%-i*a1@A%@w?EDaRrla2Mr&
zlV7nZy<$^xMUq-^h>#8oSAVb%#X$ng2%)>sLEr?rKsER8hmZ#EoyL@aZ4)Y1h4OAl
z!c+#i@Y4Bs$OPDn@5b}oU$DxZ<Bo9$xNSGcTyHW(3Wlbs`>4e-hJwG+uZ7ei>DNN(
z*8=KZ>DL13*WJ`T(yzOvUw2XSrC)bRzvfc&q+fFz_$cNAjeqpXAOYh4y#$t|gT4P3
z6Ihb`l_CEsf#qGuOY#TP;sm%-AA$3Hg5q7_4*3>Uj3P;WFEdfOiY``7)~sO@sGrm+
z++VQEU7#OR4we7LAED3ishTg*05J~DleHI~P&M$2RDZ};$g5~kGh80UX=UdW_lR}M
zj@&l(ZLWr$j}B5BWu?k5m|rx3<bm+d*C)WhN~>sn0h@$uc=!fc7Jgs=n~vE5Y$~qf
zWNElA9xj)DWYTa#A2t!`aclych3P#|5EsNI$)q!rIPMCQ<VQ8W3!v(Y*AP???w^LI
zyu_yABT6<=)<=3)oC*MX<KY7Vz_=NnHCM(a$RquDMt#F1;X?x;iEjad7U5D0h!#jf
zVR+CROcp-#E0ZV>@dI!B7Vdla@58=_`|kexNpO#XaqLe3Kl%%}?}`_aw!2<!A~NqI
z@|eY}95ai7I>QkF3dDcD4nX>M0Z~UkqB(F6q0Q0pKq_+$j0w_lRlMdcu)>R2t7ER<
zOJR`Pm<a<UL{yin{0-mP!Zh_v5(wn@P#8RF*Ma83s+E9PhPOwsX>=-!;~JR$BuDSN
zICe9eri8n92p&AJ51ZuG`?+K+8L<<P7IrMG*F67*utGDRyTqF{@A9)X1GqqL9e0QN
zdF3B!k1AE&UA0(sOu0pUP4Te2P9alHRQ8nbkZTn~6epQG=y#bwbd9-0Eruxk`P4Dg
zoqa=AjGmW$AzQ)DX3fYW<C$hF<&sQM;XflL$D=pMk|4!0tH4(R*bICikX&ZN5L!~%
zOuU|yec1^vR#LJ48zvpc20;ZdM+Ppv6UwFn$24OD?f`6QfNg3z)DafJxt$=t_m_79
z%91oTxfxVn%_b^)Hjz;;1IV~kXgKm4z`XMc(*!BQYiLq;iNUzKe~V(m9ys?hB!pun
zmcUi7GE4C8ZA>oqZUY?Rb|Chtt;~Z^PevWD+R7-fg;dSk!el@mWye4^314~{O1~tq
zCEKC>RT~q4^R_T1eD!63bid4`H@v-tS%Ju4zK!$FvKi#=Exa2##Gmq4Ie?^I{sKhl
zgW#Wf9(JH5keaqm90R*f7B~#zU`Ou=DQJI!oXDTR4!#Rg&ORYL44G!93*#ZfY%Xje
zM%bW(1QqOjmmrhu5q=+JkX;Yyju*iOTm>0p3;9&o1*2N+4&H6tvyf2l0mx`v!+9Wc
zUnbWdVnstBi7^8yjK9=;q<LGj1JW0-(fBm;HB&Ven&Fxungoqr6QK#zDAd2GFRD+f
z52^R4H>=mFvHD*1O!Y+dD0RL%MQsLAx{F!^Li82Y8P!qM8>$A?Gpfgc4ZW(#Di?^;
z=@BYB$kW|bA|wL%PI*>&RQbAci}EQYRxSVqVVrWfGF#aYRwR29HA&L7kmz@!>@K?D
z{t4`EghQ)9Msp5eX3+T4@oeN+Ufe+GG~oOGT0E{<3_JS6kaKQ4?A-muUSMti2~r;)
z0Lf=L$U76kEt4elg<hkf&yIum@-$@HodtqQ9^@nr<&_|e90w8PDeiu53OAA)1X*I+
zL2}qnHG4Hrx7by60VPas7e+;OL5O9QO25}yNtftjKZgH*?W|K#-Dw#9rYgOSTFgVu
zsm^h&Ypm2FQgagD`G73Q3pbs$twGGxJrYRgzO8Fa)O>$UOzRpWHP2rY-MU5x#tQPl
zPLMvQ8_?fOq}|JVrHVeSDr~d;4SKgKx6bsJ_i9ycneH#|*{a+;RVojP1d>`lSZ}EF
zS480N5}AN*gt+ilZB5k@2o6nR0!I*l&{hD3N(rE2h>8mIBPWpwZVuk))4(47p=y3r
ze{sj|H^7e85Lmn<i3xyl_%yIvt41SK60WYTic6JJahF!b1qxE!v2*hyrdVQi8FHyG
z=z5_!R+sKC>~y`*<c-y(lG0B)23{{U#_AINg#pcl<Q-$A!oZHL2=Eto>d@Rz5b6VY
z;>JY#akOv7F~tz8>*FtM*I39Yl~P=XjL?8zOlAV1M?UEY5hIO#OWK5x+K;>N{^vGN
zgRU$TA0}0STq}}-NY%%kATFbk@gO~k19A(sV@P>Nbu)VMaDQPZl^@s(V`noNj83yn
zl%P8)o3S*$n7_QEq8SSiY2f{+<t+>KjfJw7g*tyBtkWG^@DG{OK`g*|{WF~qc72|A
zpa}*QnL?yOdb<EPZPUeH=3f@1Qlj(e1V}PRjG}GA5nu}-feO!vPe2$WhOJ-`#0YpH
zWqu7r!i|BX`NPHD#bPd)8&Y6zu!0vcM(hb@kuI=D@S*~;=l>>L6RyBs(I$VLF5n%S
z1WC#ozDi>{qp^NMJ|<?I|Luh7ENGrT0u^7uG5n8Ptd>%^hb~|r-SBY^<oa}pERwpR
zb=+wKgt0ykk(*CIDC?u3k39gU-1)GU&jg)pG9<ho17WRqh-I*{=Ri*k0`0dSXl6R-
zi(ar>21DBR4$vE~iL7|J?b9#ODkZ}r;Im&D%oj2*Gr)29bt@eOoYh#tN+(g84F5X*
zA#!5lBAg^U3Q6N1fkAl^K6pcdZ6|>io&c%P%U}cqc)AI+?w{eH#aT!a|0ZbKFTh^?
zh_Hyi3<=LuU~fJQ%G@T%?EVl~t*SuRHp8)uE`o;t1Gs|P95~`)lcwtr2bhf-9x7%g
z(qqI!l#b6KA7Hq^=RiW2YOn>=L&lALU?O-{bVEA!7~qC9NWuQ2*iH<AaFSDyf_*<E
z_}?Hr4tf3O3bn#memAJ{-9R&5%|8ek`6uzC;TsBrK>_6;6a8gEUEAKWq7Ln4s0)i|
zKMzaYwtn<bhL*a`HJq8y6-bAeFB%wMl%YTXB~yR^viQPqCiuU1kY+VW9=y6W(S*yE
z<jL^rDkdT`(^8g{XE0}{CJi;2G7Ga~keotht%@F3;~HC4U7gsJ%qJFdxTV<A(~>d=
z4IMVDbZ}{bu8d3(njD_}=9Wii<4q(ZZR@Ad9T~0a=GgwxDe$R`CYVz^MJZ>hSk-Jb
zr(Um_1)1wV=Sv{(db*-17Tbgw{O)wH$L+ly><Y&6cKE01Oh>;9u-SHw7tUb1;AvTm
z4ZVUlW`Ugh=U~Q&8pwSx&dFk;@ua~_KeW|fuy`=o+>Z}t`rr>TnSp2<DUHH^Wr9O7
zX)qJ_NG3A`ZNL81iJ8n;tZ{)e;#F*LG4J7JPUx1`B!luNP9_fbBENSu{pN6;lZm*w
zksoI|n3H(;Oc1hnU4H<)#{j%`29u9=`%UQ5dj`*B5*{g|StTvLL4nz}O>PFiJ9<tG
z-tT1w_TwoXCHCd_aU~j2^@sATVyiq;7ROwq??Nu9y5Zmdqt2WX9Y;;0gr$6_=7@TX
zYNfJHA(#2sRQi4NJXA!GJ}3qsmWZU@P$G(`N67(Q|C(#)B6+v8#Jk1LO;F15{cnKQ
z9Q-8{&yufV;gMf5Ydg*j?<|4!1~5tjLqyL`#1$VheOdB-tcJ%vWU3HLK8uBgkC`X<
ztWM1>MzMJ3$INn8`Y6`OPryOd;|TLEOTLKJaODUy9<kD=utpw*nzipRcQNo8tcEC}
zziP<Wt{S~w*!wP%)p72a_U(x~E(9onuU|<N$Hs$-`PF;OB>%^+Mjiq@2?v>HSn}Pg
zhHnlsm57x-cs25EsBvs$-ek$wuCR6!vsOBg#8D?GVIIWOMyg*^Emw|}|027awa^Da
zCqF^WB%uRn1kPgFPuPsy)dLzJDi=uW8+-7NCer4}*sOrL<02%|!X(mUgfxV~)B&f+
z<?Li|8s2TSK8i;w*tNpkA>r41M}~(Wb~)5PT{W|B!$rhGKhD}~jKL!rb}b(D3v-aI
zn0Mh~L*HMSSj0|y=#&0<<ZtjI`fr(8Y}L4&vWAV{GH%3<@y3TXbom~v7OeD5w2?mm
zkl}OYb(VY(t>M?t!5zj+A3|&PBNDp_t~$>QOCVmoVE7)J_$Yi)CYj&KcZF}X4FAU;
za>HQ(tQC&1B>(?!v;F^Xv;8lBn{Bw4IIYFCKd&W!{fr9VUmO8)(PR9#{2<WiJ8O1o
zO4S=wzpJJw-&amkiVCOv6}drnpG?PsC!Co;pNANq&(TckJt{|91Fv7^6xT=je<}4&
zm&Iy@Jb_YrRFer(Q9=}k1D`s{@Hyl(Mcu@hnz0Up+0xHsfg^oZy%Q2?x?B#c1&*j$
z%@(t(+~cvET#)MWZ|ZSjDZ5Gteye0kpPcC$ini#2_TZOI>~KMQ>J*n~V>VE97tfw7
z+}+IP2npYP6FqeP=lv*j@$Pd8c)FQgCYT=IqsV+ZX%dB=edwn^9AaUo3DKPojO=%1
z_B;wr`Pm}ibryED(5+qI+da?aZ=q23>B^UIp%tDx@VS>GOLso}4u$lG%D%v_1jBQK
zgZgClE?oHzMg0)|<Q^Q-9iH1a`>(MBWu7Il4r*qB)3`gktegF+_f&pFmvI!eVdw02
z^(fZ=(LU)Lh_OA`@f>&P>;CPpoS8rA;2#FOz6ZOS>$ahKd#_g~j&uFm;U`=e0t8q$
zX+{kBB?Y9+yUzW(8o$D^!@I?nC%6-@E&86KmQP)MZ&|b-FZmp!l6-V666f)3_ijB-
zPd*c4dw<P@_Ku$QVNor<gQ&!x?1GQOy}+{`jy;>JkRPvnVu=3AARHz@*K~Vv-_>4w
zPlr>~sr^szc)h@`4({KDyHfDlvs)mnq0{Lu_0hc=vBj{g49ES>ED;i3&|ezbyTc~<
z5a}Q9N8{bUGsC&y(Bp}{9Wg(Uy#V+AgURVewt@klbbXWjt&fPfPLmA2;J6TIdif8=
z6CAvG$P0a9?Th^zK|K@R+;IQ~--?UGrGGMMLd^3SXh6@mP5%7=Kl3MiH?iZu%*3wW
zzVm~$EfoI+A28H9r|w9&_v2$^XTUqZ0<u)m_kn{b=1FOT=y?IY(WtoC!KMj3pF{Qt
z?7hG&>l<^&!SCZ=sShDr1(`@1ltN;Xx@z81J5`BFPQFamhdD`4gyJt@+j~nG(L!pF
zQ^YxttkQe`^8dr-QS4nT;f#jMQS1c75{AGdW5@=V5i4zQWG{s6Kffo7S;7wumwOUG
zi4jKjhV8Aa3;P~Rc%UJ=E31Qj5QZL)>_$+8L^q?L;Paa8*h-EJdh_N5mgPkJO*?jY
zM^BWr@pii|6ChmQ6->m-+q0D{;eiIB1DlOlY3N6Ggy#mU*h4HCb$ms|J|R^0x{e_R
zv<x-79X4cX%tvb2r}}89zLc<^Pt)vGyOd`X>*Pb(1B@Q+hT<Fk;or*G%k2Enigz0>
z4P_@HwmN0g7Cdq|Jn_Rk_KJ)i6XEkUypzu^Ml%1LA6W=>(~{VAyfojN-wv$siFjNx
z`z<R?`H?9A7Gh^VWyx%B_{+`?N31l-NA`!B-*xOMmdx*lQ+jq5Vx?(4(g-zu`>;M<
zn$pdviHiqwQS30uSZzSpD0GePPtT<fGVPc$W;OE_t7E6JyJbpQo@|-yGkG8RB>7ea
zrN~e`sQ6GBsvN6)N%^xXQMEvISlt;uTJ*H~Ta8UKNAo7v4nFL%n)`~^@zX#tRYCyA
zGT}2g3o%LDdi}1s$8bylD=?`t72aWFQkXQjc`bq+g!?uy_cwY4Xvv|Xl$-+p01&Tu
z1#I^LuYjE%yfYd2$yY#_oxO$0!9Um_!11~j|GJ?c?D^o!*ap`A^V{KW<#r|$mxA#h
zd<4WxgyXgW#wo8t>H4iuPuxpbxg9X>-v(upU%@X%y~-$Ccom3a0&gWg5#1%w%T`?`
z?u5(GqRDrmB(h;T_=kwI3-7wbDB!-ygQ38&SI85IcV+)2Kyscmoq7d+_5#GsE|Ydn
z7|LCNutI{H4!kkMIdg;irOBC-i%Xk*HsIDtl7?PK&!Ol!^qc?HVZVV1ZWwwM&PxM&
zb*XGFZu0gh@r_;}$0l&dtR4gqlKW^BdBN*GB>jCYJWVf^L0?p*Ltlt#?7jaZv<FfF
zE#$h*#9yU>SL(XYO7eT%Ih!4fzq%8=e=F|<5b$xOBL#Ns2S%9W1<I_%Id*v#REfl=
zwbRQc<JGgEBBdXIz?}lGe;O)cpM|H~`3ym^0e)J@owxzY4m<-tr$8-IVf`L>i&alU
zo6Ao_)p@9g(!9M;dU^wt?tB)oe`^Pp*m@4?C!J$+a4fkye-_ZKI@>t3W^^aTCb09_
zw`J|Y*2Kw5Wh-Ro;Bzfi@-662`EQCO#odZ`lpU01%rEeriO*Hh%x2Xj)hnvs(Hjsl
zwLtwIU8o6wh`!aD^ITu9nmz+xZ2Xg64j*`2$RCD}MUD{GGQEYbAbzVB&V@<W#=#{H
zXFPc~cv;_#l_kn2`JJUOm*R2sZeZY;*WogJFXW_51NSG5*DRAI($qbWKZMD~4&sA$
zghO8^_LC*brbr&r75!vMs1C;-Xyv($I|s}WyAPT@@d}%OwfkVE>aM_SI<yDMCP63=
zes2#W#~H+r4bJRzoKw#xKwd1ME)BnGgm|T`#2ZXp%%}(6et=2yySMWZ_`LmY=?ALe
zHc=wuome1a5+1Q1kRN{oFg!>ugWmu&47r<PgyBAX4Qksv;V}d8_Mc!)^S?gvq7z?r
zHoi>Wa5pH=jWuMz(J&mUZ+dvl7I1`@V(qiCY|LJRSj2XIKRZn2G|U*7Mi;#P2xxkN
z_;47Tjguc|5{Ua*fp<r+iPGGTWhyB4E%q*1J6VbBaoJf|#4F`5%YRiQHVwRTB~w8L
z-aqXAL2nvz<|Q)dWXPKaocT!@!48DaJ~j?{Q#oOTrn2h{pl^J+U0I--$36hD1cnCa
zoIm4%*s1a0^Y{14E^l*e0h!d0`tdM$>KiK?-RFJpV^eTLJj{?a_d`NdKhNaOmnABw
zxqd9)B+C*ZIZNMA;F{P7c-EC!q_ZQy8$bDbCP5zT2ZPDk*mWe-Kpy5VB~E-2?U0Sz
zZGbuUXDGB^`xfxfAED5l17C-M9ElGPfcggq0DfZwRNd?~{BL=?x5&l?ACX~N40xTZ
zfv(0d0<vz&;~QyA1Ih<21{(Y!3kk9e?3e|-y=EYAgJU3YKsRzZHUKW8iERPGDCC$P
z0K&o~62K5g0y)TH3dheObOFL4vSg_PgQ@2zu>i6&_ks^_I^er*a?Kp|r|P-tE~*L2
zoyvZShZHvX5qU4!4E9GhkGaY$qEFE}v;pj@&q)T5_!ggNcUa5@i^&D)Qb?8%6Zy)A
z!vi_q-8T3r2WUc0NX3D}*04ET<k_r4#wRS76JCsQ<C$yNWn9;HPCwjpzMUa|@&767
z$>XA~w*St|y|aAhJ2MK%zAv)K44WW=2%-rhZfq{l<c6tfE-8xI0~8JQiQ1S4HCaXK
zrI_Sn5CKuCOr@;n7O6m{W>J<uEp79i`yCnkyx%`_@7(R&d(OG%o^$T<^{8ehOGR;B
z>>-b99QWWst_o_a(PVK@PBD0nyoMU;*|Z)Lq}QOuFmT|3n+~@N(d;;yvOO0XccICm
zFkHFGYiHsi=E~^r-T;rc&}6Zzi4ArAW|NNN_VBjv!rHgcWYI4_u`9l^G7_zgdDrrb
zB&k--n}A_AdBw%;U;EMmOI{PQ9=hHx3LO7Tf!B+sM~eX!_^#b#v7oFT+b!77i5@<#
z$OM@{Dg@`k35)!k>7Su>F~^{JHOY3gAN)hIhb%RWg)@?^CJY6AK1tO22lX9@x_lJP
ziLLKB=fc{2wBrUlR!)k{Jd9_px0HQ40KC?a)q-p2wqpNP!5ilm>Q6!K8bnEe+kX_%
zfu~d)*JkQC4C!kTCDNzEhmmmCI~=!r<<AG9aW2Vr_S!o7Rl_esBJkW#Uel6kiPjzv
z7?Mj81;_Ivio6@Wik5x9QUYspkt72ymW_7U@@mI)&*(z%n1>`$z5mEYvvaBwC-bjt
z*#x!o5We&5#?O3z+Ec>G-0pw80@7bb_+F0=tPk1hw4Rg6whgF-V;M-2xSuD-WHrUP
zbJAW|<O6P*ND}vr4X!~ag12$fnu9L)AU_jFZFAl1=sZ87gp)F589cHOuG-VXTW2zU
z!bwG~xi*Vb#)SUg+AqeG*q+3PB~Wt~Z5FPW(>7=_)JJ%^a=pTtJ|-Qq6v+il4zQ{h
z9G3%M7n0uy!=SmRh~!JC1#`v?s1zGkkV^tXnpG!8#UcSFt|Z?QhBt`GBQ-W2iGMRd
zEbhFWc~~rD6$vCF0*$M%F}r2tG-22?cP%3Y5<Icaux5OXRGS-S5-BDyl$npuB9#~y
zQDvNi^)g;0O@v{|Jitg&Bt%4x@g;K5Rp4Sdtx2;)*rV2~T9wNcQhJS)%iJY<x!9ef
zT)?fCG*NNBn7e8jNXtAi)?uq-_meL*;vBJ#E#y7y^rCV!OvGtotiWPUWoWvw8Dg#~
zV-^{k7%*@zsnH~-T1SnR+o`>1xv^;h#(kt(w|?>X=Z2CVHRPS-guv#56&T9i1ar)r
z#8X1VSz$CGw0*^-kgzEM9vexz#w*zhf}>Edk-Un=7Ml^~pEr^P5+Y6n;~V6ecUBV5
zX@AswAskePtD2Q(6?5cc=pb1+I{4$cTWF?s{I8ihp^GG_)gdog4b`9yQb7haB-}T5
zb`ZP}p^N<Pb@Q-~@H6yef3L0{j2{zpatCKyyJhi(OW^)Hh`RE2g3gt1hR!y3wG+J6
zF@4{lBjzWk$SetQ4U8QN#xpp?!N<tkWI*4BR`}=`N!PBND&mPb%!~9C{Qpf(;TTV8
z68xa=-)L|y%M$ZNUoje-`x{9s=I<QSxDbqHZ0_J8vWd)jtuxsidYCv$2os^^)Ouo+
z5K(s4A0cUpY&y7d__@zL_zj1V_+4dtp+(44zr+8*uU1`Bt--_l^A*jCq4FK_DEb-o
zCM#q=%95ph(hZU;k|3<O60sNcH_?vY)56d1;G2cH5ySE2g;{gi1DCUg>G7q(s4#r4
zDPms4Z14%9s|97%u>fJvTc1a7pI;AkL9|i``Qg~6(N4QFSqSMvXoXfI|Mj@dh=&U}
z30b;71da`$*;=QPvRt2&vF#l9>w?-ma2rS`YMuOEiT4>g`)7{3(W@B<`2%U0mNdW1
z$;<op;I)$zRbPOI4PC93WTZq%uD^Vn<J!5$UqG!5t<=WMT>0^o=8><XTs&0&Hl*7k
zT!;UJUiX@D6OmJ#8hsgBz9rd0q-<ShO7tL)Mfr*+;ByZbCq8?bleUnw3|qN17+$}J
zl2GsLY#Z;p<t_`s>pPT4u?1?+^zkd7a9qoi51&BYcPI%pvBB;(oA@0ZSG1=2OUV2l
z*MUeoU1`ds<lk1rm!5#Ovj{JKNP&LZQpe>i1iw!Zo}^~vUTMnDBcs*7{SF16AUw~;
zwafJv#x9DQ-!cn)&Y|3wughAlvdfn<R)xBA=sIJZI%xdbwJe16^Q6MX_m8hqBhJnn
z#&L{wbF(cH-k+^iruqn9xZgyA1dnm<9}KzBv5Rpn_#a2`am%_EWYP04G3JG$;|N|o
z!n|2`;^pZg5BoKf)y|B49gc2{Wns~fsn3@|3g%|=rd!C_%_kCXZ>z8{a#2v$-~46h
zqw7W&*2GG(NUOhi&pW|4fA=$nZmuNR!9E>T--O$a6Bti3z7@DmPFtqQ6Drk1Ri|;s
zYL0v?b(B>}{qTUK=Lj-|ovF()Uvi|pL}2u`N|<;jnt<LSirylT=0+D<4cRLCIbq~B
zhw?N?LPR<n)tFP<M^+I=Wb@NLHho0u&iau&AtFtU_i?s)-zJ@Eq^1=H+EFOQ?l37P
z($shtOI2P&DJBxs_e=7rzzAura1v##d1M!Hl@O7f#;?f1f<(HIQ%+GlRR$>6$V+LP
zvPMy?xT1Wda#tnMg^F<0yvtOlRNwKo@*aMKBAd^ZoB2}S%=ge;YLz-%olU=07po7e
zuc)620m2md2w{!#g4{-^Q5?qO^p7;|nk0EH?)mS*ud08qwbRBaRN8rXd!|X-i=S>!
zia;m%MttGws^W?!nUB+);qBDC#FdVvOLRxnIod(0rP8^YK6xprCi&bsS(qwGaaf^}
zw5v|bN2sqVA89<02pqV#;?0b(bHo=_VY@br8=6oj>iJqmk>mW}bgxVgJC0-abf}+7
z^{}EBx0R6{0-@m~2?RqGW@W(kn^;U=jqx;yxFyq@GFaWsc(S&23kiVxdMp~U8?#fP
z$$&t#x3GcRSu_w<w2~m$nvdc-3F25QGq+;de+1*t?Ka{GldsDRkk*5{-T%0bH?LOr
z$fm)L3Dg&#JzUCKjp#;bUm-M)8(7(7z@*YZ%w7ha*D>MtO$4O3K@aniUfc?Axrq&Z
zz<Ph-EP|W`S6Mu#8)4|WaqoOT8=Z;OS;$Hz-bA+VV-25WKHR-Guw32^%$Rrs@2=_R
z5nq}RAj_2W5B(||R{bq374j`!R`WD<hU#G$OSBC5Ypfd5M0^;2<#-zxGhSgoiR>rj
zGFEZ4U>va=WXcN*fG0heb80AJZkXv`5rL4TCkE5#@Bq+;Fbo+Gd5H#+2CW7}vo}MC
zi0h`m@Y<M{>3BHeGX%?oRN-hdOfQG)P32*MBE1WYJkmdfxN&%Rvs!tce5ib=a#JW(
zV-+)0OZu6YAHnC6`+TX=pEoNu@I8vZ<c(?-9jy+RZ^P52A_L32Ei5do5o&}Bbg}SA
zahb8Ng?Xuy=6l+%wNr$VW!gA;k1;U?ZIipUmn6w!iJOj>&&9hiIm*e5p~*hQA-N46
z-|(`-hp>?P1iBpPV7NDk8X&A330cvC#$Qk&#s+3lJf~iQTvpqHgA7|weWl!bINw4-
z;L}v<BPoDAjJ-4M=mFTj8H@b1nFN@MkXxFvke5#lV0_Vv8v+X%D>`mL^mz}$Sm-^Z
z>^zaO|HLSiZb6WD7$+OfV$N(aCnyr5Q7mejV(_IhF|mXtMv777;UKt^MT6k2Eb0%L
z!NiY<8C!C(%qTJX&&x<B2h$FuQ&1)nc?9Ha#o>hRCO$M(ED?4EOV~rx7EIp7I+)0Q
zKHiK!E7@RDk(}OaXkqWje5h8e)A<M1@dN%O)^TdXl6TloEBo2SezxDkvmB*uIHpAQ
z_qw>Xa+2sxKVf4HxE(`dEgj9rE+xUzR&2+o6@jr?o#Q|QE#uHfVfIkq9gs3Rk0XOk
zhhBSz)(j>=?C}bK$sR}liaiZ9`G)yE+m7$yw8feU0_F2mIZAs4p?3)$(w2O|^>D?g
zvgH1+!iNr{1hpn)l~v&@8&2OQssZaZnxkW=w}eb|{wy4fvA7(}3Zv&q{I8RKGlzz=
zg(7Bt@#kQSz?`kYbQK9Ge<|NA*Hc_5gsb-rFyBBQ5K+l7hF}?;FYO>q!!ch)1mNjl
zRBX)lgXw70!9|6}=#Ql)xY3;g(`Bs7!%R1}X1TL9OVnqK9`rx~#|4sw99c*j$nSJC
z-AXUXUFCD}PUS;I96D(}RXQkNQr0Q&tD;qfs<Zq+emY;p-@|2L4c@a=3+ecE_HXbS
z)JjdOmTD*Bk+g2SDu$kRS-CDiCXm&-rIHG&B%xdf^WsaxbWL<JljmGA`-+PcUu6nu
zmnDL{nvPRgk~9$7fhl?~s(_Dr@o0X3@}yekqbp%K<DeTWKzTBjX&Hge$TpUSe<#BM
zPnw|O*7sK`J&L(Yd@#dv290>;v(|`?JxLy%>?KoRmK%-72j)Y1NwO7|*eOg=Ky42h
z1zA1lNoAfy<x<Pl01cF*YY<w!aNDfEyOWvYaFhiY(+?yIq1&5If-p~X5cl^-?Cm6$
z-0O%%USU0-3<FdcUjU)wF#T={9Yt7isPd$v;bscuVQLBjYZ{M^n7eF@tC&X%M>`Hy
zkE6-fLCw_C=YSZtU_uI2f$eZv|5XSL!$Jaz8^kv@Q-jU4Rw3s52j$7USosXOIGC}R
zJE@u`r&&~dJX!jDySrU*#RKcv{QEpn6)LYQ*DGBVOXR2JaY*Gja+w6m)=7Vrrb&L4
zZ0BxqiAe9NeoYSJN+v3O;j0F^7&1OUz1?BHYLREhmw&Pln%|~5g0wgJ22qB8=A9oU
z1@HZIlHdV9_yxy0cCrv&-%s}lo}I!B{r5K=MlPT+;9XAh1-E^VdjenkMb1K~E2mXL
z<d&&tQXck>$$BvD5M)#!EU)?8JwwN*wk(9^LWC7i=(0HagXv|lCb$aTMF`8*cHKhf
zW4*Ij2(K3*EJeqqM!qNKFZ;?XbHIB&!qQ%s9JcG+_ke{^w;o}s<*w^=uRc7inZJyO
zj134&Iy<9OmX$Y?h0vZ#vjt~ZW%7$zF*H%R{3!TOpc4iErN6rm8}{KZEQF#76m5X|
zZjbnfpFbYkc*6tyCZeU|r1*>TQHRcBA-p>gTef}R@8r_A-^btQ{7lH4L@NZ_umefX
z-A<t_g!Z8bi=4T$SN`7hWkG?V2f#lPVfp2z@Iz<p?P4JmMIx;DRUvOp>(VVue&dic
z_(dTsCb5L~>(f~X??xdktxrL;?fLP?L;;pL3}HD;`>DwDh}nh7FlY-vSOd@bO>?~4
z*(-`Nzd(fL^3l@qgTLM%$)p(+1k$p(OqdP)-Q^$)*_s|ec}_Xa;`vuCl`m$V|K~1X
z`CxUW{5R(L$8IiHBrr#?{1|ij(kY4yl-FET+F14gnCq8z>sBZ>>6*nen|KK5Ouu9Q
z5Ke<v$Ix;8PFtK73a-TB!EM{aB+4cjBG4D4+y>Zu6kV)rhR7}79E5^#I0s5J=+oT(
z0!;$kCQN{fFW_HszfAuD%7^w_Xr1RYV8u7{&`+BP7g;0T=<~&|RQ&lq#w+nH26!5Z
zS{+_cOM<ZX@xt5J4e0I17wL59Db=%|DlPM^YB6>Rx0IiGpV4VD3jPo<Cy!l_+mMFW
z*P<;>TDBQOr?WV)Yi@FXOL7JJm%)(4+PaN?UVRb@$i+_BuVBa-i>XDOviKMqHla0K
zAE(```CO<|m-3z}gW|0GDZNZ^=TVx8S?sX|?qksxp_Af)JFdt}Dd(Uq9x<?aAN9ib
z8)zDY7t_;(O$qbkV%(P?Y%ZANHc_-d#7Xet8?*)<OrswXaR!{2POqww@vTb|!!_KP
zK|6`a{q@<{X3S*TP8jQ(|C&rkN(ke5b3z(*mJpHIjp?|$Jxriyh{)+DM$sz*<M8K=
zq7Z`{iP)&f=JlglN26)Gz<AtRiY?bLayXsg%CNzceVi^*s}z1vuj5Np9?A@bzg!^u
z`q^m*Y;UCJh|8hcGw`Ar2lc}t`k^SctPSFlfnNE;bceuXmNi*ZjlJorrx%GRxayCv
z-W))*F{x#Ke1M^ii7Rv5L54O_PQ6&iAe156L?P9<hh7tyaI!Xvs|Yr_7aJ8N6w)FK
gUlC2`bm{-^%<|B^GN@}n=|sl7J(WJGJIu!LUj?UQmjD0&

delta 43845
zcmeEvcYKsZ_wO?^yV>?^LVyqm2_z&C0&KQ7S}GxdG(rL-)XnaOngo*21PqJ4Ai^R8
zND~z7fT$6aB8sS>*j_tg#V&Sz#d5#18$txs_kP~ry?@-#U1jp@%skW1nRCvZIp^%s
zrOu^GV-rV@DxBWrPpqkLsP!}@S|x=<h?JR_C`rn$l0;^&Ow5?vRWh8`DkVuuWhSK3
zDR!3q$i87;u#egM>?C`gz096x&#))iLAH-Q#CEZJ*mias+rT(m#g?;c*%j<^wtzLT
zS*(UlVO6Z06|;Pn%?2|EGwnGbH_&FZ`$oWq^yPr)<oQ5<q)!J@ksc28LV6&OfOKyl
z4(Y>zE=YF=IwQR|&;jZ8fQ)oYK!x<y07bgyawIojhUA91NUofN<nozFE~`N@*Ndcn
zGLjipNPH8=Ae}S{No66DihLxah9Mc5g(P<flA%r{PBRko03?0I(2{y0iSLG_OAL|@
zVklZ25>132DP?a<><oK*PqgU;7JR#Bnu?v2*w^eNGG1iClg7R}_MF6iV5hN&&mnU^
z3qF_O(y`|y_6An>NA^524>11jPNoRHRAPx#vil_VEqjl>h{e7Sg}1WceUrx`|9*+x
z4{*H14zcf$zkvnsuOA!5c1!Ft_AYyc9c7QQ-6+_|g1ehb62<T$q$?%XK!2u_$jc-Z
zUzQ?Md{hxCzPX8v6KmS`5jnT->8rn!a?^TZ>Zqr?C8d-mQA);3X>1k!VP#fq@K;SL
zkvTc6?ZitiC#pR|wJt(*eAh%(Oz>T~b8w69Lj{`54PGl}2ES1|N#yy;!Bc8ESfZK1
zqZg81!M8L?owcYM!5)w>;iuVS>~r=2`xoZ0i3J~6Q8p!(-GFjZ`@eyYE7=Vuhu`3~
zc^w8@jl*g1SR6G5pUdyHc>Ff2#bxuWbW(+6O-fZLf;AgT<=*!7Q*5!XCzeG8Mg$LS
zD3+D6zecH&R(Bro#_7+3aU0jlsgHm5mh-Ndb>eUEz{Uk~-~H(a-0HV9-mA8K9n9Xe
zMNaJS(DnfznwJfHdafn-)uxTWb}}shJRzO{HWn!t8N~~cjBG?QtQN_jsYt9IB*yVb
z(khVjDM8Y+07+a9k}g0?5(%^<YM>=i^hYA~#*&;BX!)Z+%da~j`CI_|GnLpC5%gQ6
z14thB>~{Js>&X_fLN<}^rBlgzb~Up}W%Oog5y>Y{u$?r9d_j7y%!=oa7w8Rpn(u9-
zfE~ble}+CyJdFviy(9Es3Yxct9+LT~yil3+?_k|+B1`(2w>b1^a(F+Sme_afG(h+!
z3!XmMQ^h`(*!S#XWW2?KAD>9*p_F<_Yz{S$71CFD?12W(eWE+4_{WP#Dd`+Wr$mJu
zJQdNI*DfZ*gYPPHNhki|bJ|X87LjPaYY}k;0}(l-<GH-NU=NiWC2gn~%!tqg4=ELU
znpHgsi8|lrA+@<#kUPT8iZmPO^&Yn4iy(22v%PFLy9>l^9b3t+V*xDR95$VKSS1_9
z3Ro6%Gc!wLNvs=-W*SE5zv(yhQ~Dl#gT6?gp^syschkG*ZFC)7Nw1>;x{%JH)2WA6
z(owX4W>Gga(==L@M7z;ws-cAZn|wn)CGU|p$cy9|@;KQ`c9XlvZDbu;Nv<OSvXIOn
z(}{;vl2N39WDz$plQfb<x{+w20Wtr#^o{hX^q%xa>oV?n<LzEd;9HhoAOvAQigY|^
z&1dXG_6`WqOYAs%3S?v-dk`e$PPP@4d=0yqUC*xkJ37w#u@u&Wb!8oy%p#aXf1%&g
zujnWAefl<imA*iqrBBiW^bz_1y|<Zer(5WHx|-fZucgcAVmgn`rZcFIPNL&z87-uF
zG?NabHkwZR(q1&4cA*`pmMX~a<Y)3N(DF2Sm%K?{A<vVi$zk#sd6?`Xcaz)6CbE{S
zA~%w&$x?C|X(DxG8mT4|$Qa<w2$D;N5*M+Mr~#x8NhEQkGl?W>N!p|S@+-lENR^Ti
zl9knNWh${UpRy0Y=UxK}9Aig7c=xhB>^`;wXmBgLg{=T0T)~#G`9Ou4%+DqR8Ah`r
zHXP_Mh}oGD2$9SZSS(ON$CUIBAjNm|OZqX;;w}0wdIE^?1l>=YTYww)&^zd6U`LQH
zr`G^K7SXx19vI@K6X{ss$VfVjW&lg9)Id{d675c7XcQ2Ik>AKqK$XwQN8}Wc<z@05
zISO=nlsrUs0%5k1jf4YbZXj2YW*|)?sU=f^HseVJDFNc-kRhFj6S&i#^d>!lJ)MZ2
zsH8or-_C><W}H|U;AaSBz87gGHtzfEO`yxO>@bk!0d_Y~Wj$E_^=uit4D5aes|K?#
zV<W)o2Qmu~q!)_=dT1F1a(qia18TfUUjkwrru%>vchjxFiB<G^V8ms#0r*f&tAGvu
z5i}dfV4?kh3URa}5P_0kfCitD_kjd2k!OJd`^W=8fURUbz<)hi2H-c483271DFfiM
z$v}X;AL#{{cO+UurC+3PrO%}Ir8hB`(5K~1nZz*&79>NZAcWYcP0%dDev;TvAW&bj
z9xB45n5na;T10_Tiji13-A(ePJ$RHPesU!cEG|TFf=kIYq+95bA8IC<!SU2hx`v2P
z3;1FJ2_9j?NbEVHb1jK!BTOCm*NcfF_<|xwE7%`lKTGUq^#2v(KN|rQ1)hIlYch%Q
z?;mFqMF)kHBe6`nl6-~-pm{LbWaKMX6FceIa&$FTh<_d=!%2^G<B<9Ko57K*R}&*2
zd^3<Dp>0?yQPh>c@Sq}rXZB_BymTcgB;C)w8N**_CTf0SC5a4fBJn&WNMc)Q{+B|+
z`4XdkkMS>8kWR9g7G+;a>?`&ovfpR?tDPkF60^Y+Iz~tnCFY^e(_~UA9mAJOOd^*h
zs$zNVI?|u7x|MX{_pif%KU)jb?ae!^BNMfO(gaoPOe<Ly#ot>)dhvB@!3j2TV0B7p
z#C-8uQp;y@l1GyHVo_r`2XnY*EoMyDg2TMN2Be}_xaj7!M8mT=N#pJ{z@$WxJ3d0p
zLi#&kj5*Ilr1!x@wt{6WWwWs<%2_VxLSHZmEw;gH^f54mYw0XHnhphycOhr7fgi_)
zT}UQ@qW32{>2pl|L1}|@l~lJft7}W0Oqa8X=>NUc@Q(aa4CX`jCEEtB@*OC|>vXGh
zHIYG*RxyV(PCCwp(OSA++6bN%Cw;-v$YI)_#$x;YN+x4c13)=1V-?KHbhKQ0NUCoc
z7f)|tX=wI?NR~u={#pJe|KujmRJ}lcl@Kg{0LyqAg2YpTD*}+WGQQhLOH%brFR7(e
z33G}AkJ3rYadc>AF)Uh)GW_WS_>JE{Qi&l9kIW<%!8dIHG)~@%T{>XR1~Q&czLi)3
zVj(>8J8va+{``7kB>njB>xqX?S&x-T3m4wDo}}})*MX>~a<-mK1WCsT`l65Qjo^mH
zwmua6s*R}g_y&@KH%@OL6S@dEs)UUB0OZRbAt&#Hv@9faoL?Tupk;A7W^N~Q<505{
zWPUuzyBU=_v96tUOfok48=EHA)i+JAneO#8O|P%(sO9Do+G&V}Ny)XI>2*#1I!~R~
z-$~6RgMY#7=?&BCrcRzU-RrMw^v9@}WUim*Z<sv0Vfs7|)_HEDXR5z*1P_$Z&O*S)
zAS~wv{8?-Q&QAfh7Q&PTgXqk7++-RvO4o_?C-n_eCpY;$wUejU&BNJF8^w}Iy8&oA
zGXuGB0O~HxOfDXPiZ4a8{JzO_+$DDBQhF&0)Gim>H&Q7DB(Sos<X$pR3IwA~L-@Qz
zmaeenlnvvbB(iKkH3VNEfQP@3#L|h4KfW1c^k5=O<Eu9VGp!;cgZJDF;9J6l6MHc&
zZ`@3h_`Msk>rFtH&Ml`mLi+jVeR*lp*;!Bj1)9z!5E>$J@beBVmb-g1D;daZd$SUL
zB8BxMZt>ieckInl`F+XQ7_J>Bk{RK*B{3tPmCV%goVlKb4cIN7M!%zNusZHdW+Q|+
zJcxgh$ejGK-T>90P-AQQV503h3LPE)ma<%W2JLd=^sEDpch^Xeup+?}E2NY7as|4-
z0w9>dToJK+LSNR4Wb@{}%*sDZWj#n12T7{rJe9?fOaYWG{OME{A3MXQij9dO0cVq^
zdX~STKKw6(XQ#3Xen%f>BSXTA@@*gH=4pMHi3|>BH1uIsG3T%OA*|P5OgBVN82doN
z=KF%(lB7SfC(#tm_y^6bmxg@^<_o!0u#Z<6|8NCM(y&va>Syc}@?K>8)MnO4!`>D3
zK4<SD@1@XrIWbz0Um6x~9pZ>6@uU~E3z`E)We2IEXF!>uk<|EPF^${p@%S8Oo55Y}
zG2>k5#R<{scN=UbuLJ*FF1N>5)8KEMHn-8=kYe$qm@O&ut9{j#RW|cwmO^)>wbGK_
zm}i<hcZNTE_ORSBV=B|_qg?e>_S$LXp7}+_S+&`&qPptgGa9{Iy`S}HHrWy_=7BaV
z{!e$<Tz0#?<6J4wUxATz3n+)Qjm+%yT6`Xt%V73ZTQHs)m%)YlhH8(^<~LhBH4c}3
z_S|aFk=9|2s&*7wN@rWMvx^GN({o$}wrQhhq#Nf?tF4$bu5g$)_cGUT%b2L@nby%w
zWyQ_{yKUjj@>>4jewO&BL0L@}i_0nol>}6(Fh~KtT2gC5%jI*KY+kF`Yw&yAP6Gzw
zGgNzR)rM-H&t~^lJ56SPjn6+Xgf9JkO%3(c^-Y%HrMbBU&SBXjic80qloyOFak*SM
zqb(Mzd3bTYt1Q=?-|VuCGUb%GibvW_MfMSu<$0qlInLtzv03G|qI`?VY&V!qhW0CG
zal1?=w-}^_Vvq>|<?wSWr?$B4z8aUyBZdZ;`ut{t+u?8->`sf{>ZtMB?Iyc#dZR#T
zUwG{tDZ?x0l+Cb}R1CM)j5SskSh8KEbL#vy^Sm5aX~FdDywMc}_3oyE5u*#T%IyuN
zv84;fS{CwW&#(mEV?R@OJU=!|y4&WqTTDFTAnP*C<1%@Cey`o&aN0Zuo84V)aJgN6
zgVW`#u{ph7lgWhvh8L_AjtiYe+l<Dlh8YVM&aBF-FE6d1Hr$pzy|Q7f*IigvUz@(5
zxT&F`*mqf_r)-#YL~+(M_f!wxe~_j3Z#N3;fYU-9^^sCA?Fgw_q8c0rYDgEU1z#qC
z7!<IfAO>gqv!0}YcOSs)d_#Y5jC_8mKO4jg`?Kz3c$h*jK^@LSMjr3kpBeaF{qWMT
zaN#@sSa1G7UlvPpTAuC8PLaNXuXdoHNzgCY=w}f884k+d<GAoK#Dz^b7#zjPX)are
z9ebFzeD*xrO%_tcuh__6vQKaneFKd61Wp%6pz-<u2hvB`!y!52I>vWJX%zgSQ>-+Z
zG)QbId4x3JT$M|HhXC^w8^%7NPvL<11&-Z&==JDf1mU|5$;xJTo_Xx3k;4kJT!j@Q
z?76lPHdDcf0{hs}Hs`p)tm2$81;a)aj~Z5zH)5D+jLVu;>>8I>m_O1~VmFVh9Gg|y
zVVEMIC${o}g378<rizLjb5VZ&xY8WAY2=u(BdlY}hmFfBFD!8mD|S|nvgVIAmu1_{
zg;gWn)=E=Z_OND4VUeSx${H1FrlPzozrbExRyaDxI?7pUDj!)erecJnIH#<*(wsN0
zEVppf*nD$wUPV<=uFYOBW~|FnQZ&+8R#=*EFDbUzBEzjXT_fz-j@-N=v%_pM=Z-BK
zZnKUYR#lW`DK8n9U05-!#5BCj=E!rF4DXy*Xd7!UaE!|`Wm|{4Y=w?t?qYu3S8P#c
zajAQFe!e4n)X3r4+0N3U+>!45Qit1|TRyhjZY{Uu6pXf8&84=H1uoa<F(dLv<rJH2
zSrvsKeZw6^mBl>w49m*=54QQ=?s9(Q49jdogKtBK@IgCNXhi~c1TX~}?EZt5C$r@e
z`v^MDx7e#Vp&tic9cKI4BW?QU&)99K?Pq*>lwv^?g&eg9dgyNSIBljvdg?)&M@Fci
z_zvi!JFx#2Ll!L=scda5iv5R((tI(dv?2;xQ?#}g$^Kh>L1V17F+Hnjhc?asgg2K$
z8?;7STZ>@-9rpMui_sd?4IvmX_TOUBq9uadDWvZux{dZCcjKW{Dhx)O+$<+s#U~iq
zP*M`6Tf2;`ly6UGxuiIhvBt<I@bq+MAw}Gi&W7>(49rdn#dE@%be7Ib2S9Ke(Xw~|
zB<5EAG<5oBaTq!i))N7vo?-m!6-p(4->68A5-R^o6)X6A8H$uBI!a=Dq3{`nqgon$
z4{r~l&BK*IM)F_dVnk~@{~;Q-VPSI{!D>ZAWotwKEe0yiwbKsyE`fW^e<E6!LO#~o
z(0_+_mBlnqthD9=jLW;EeDb%1OK`gg_M*i8jhnGg!wO@-azEoQPFC2?ou0&rNCDLo
zn*a?~Gah~fQhvnphN<|eT?#iD%?%GKM)KKv6b@1rM$pIhD4e|8ZiShY@{zk0$M~xc
zC_3<)HsKiD;d^B-KHkVO+97krxvtvjhi+CVRTP@{D`-gbPWkCgikQARc_oEeZo7Nz
zm@#FgmBR~4hF7?TS2~Nz#ui)3OwP*E;-aE*>*y+eaI>N}&)=*l>6=?r=+3QjXIm=r
za|(;99L_9vsj0+NKFVpgl~t4uvsy|kOoas_#Vc7I#2#cMUZR7cgN!F#u^bx03i4I_
ziH8*#WGp|lPtloQ|FA;Gd$lMA^1%;d1;(`Hy7__!6-H9ta_57J)udHv)b6@~f4o!C
ztu_0H&=x}npN4jxg8%!3LRPY^65EQ*wXAjmv=9{<O;Sv3mR|2OnVlAw&tve^cp(~k
z+%ALL<hC1prfQ4R<hNR_UU!3kcKtw)uT~t~8=IQyXZq{fBv5;z$u!Vv8fbB+TWw~i
z+a0DhLnLUW>!njTXP9;Ae91mVHklx%GlhS(S1}0s3_K_D$bFb_#Xdz}K5wtWN~%O|
zPyWnaMGBwLf(egnxv@p@8EIAiy)LoWF@@)u1*a{|e=>4`iGNZW{-Mw-*{=|+(9XAv
z{~D##{OP+<tL~tbDkV09zD77M3o50GV6-Wlm5owy#{oqqsSX3>h69R0{M!AB5zxMb
zV26xoe*b<&B){QNh0O0g0C@H}0QAg%4D+4Ra^+(RCE*W0su)Zrho{-`F@=Nod{i-%
zOcWW3Jo8b7UcB9}b-wM!X;f-1fz0jjdNxyPSd+vKKoQb}$<;94RIj`-M$cwTO5&EN
z1J?u1#Et8YM*x)Bsx53RR6?`9QO5C&-zuZYG`>ZayYM65Dl>Q=<dUg8>l<Z%{?#|i
z1X3fOJMo_1Dtqwyua$j>Kb&#s8)bUeWzMqDq4>&Cp;L~~w}^k<mUj*)dXXrAASyP;
zO#=O=*ZKSlF5P9MfD~hATG<0800k-dhJt_Btn8>}Ukh3IN7j-wMfE|bAVwp2$*0H@
z>ZucqpWLkMt6{GR@#lN?8uGw+UfZcmKeudQ74Rv73#936DKK-qG(H$@%4g%Npw9h4
zIS@L~7r$5b<okY5YWeR!DB~}g+lR0JUg;n+Mco3f_)cjg(_3ucDQkqHB<=?k&Elhe
zP!{|LsuwY$2==nXet}H?8KnBR*vlCALB?N>iZH~Bjii*~u`2XdY9)8#QIgi<A3l8X
z&&pKND3pJ3EeC#9LZtuZC#97%gn>BdXJr<@?k8nGGDnQFD?k2|vNul>8MDI~K9P~~
zqcWM)@%$f^Z*&UNY-kgHh34QRcB*x;kGDeMgPsw+qS!lOD0~ee6c=O|>$9!J?;9h)
z++PvU`ws8F0xgBO=s(2xD;W`H72PGVg>)BkZl`=#afCjlrp9cmHaiR+yVHaNsn2b2
z+x>Qf&1rM`t7|+Cr^lh;?-fTFn@7*B8<2=&T#2_SQBa+8x&nKm!Guq*0g1hu>L>f4
zDC{*bvDd}5Eg{Xqx!OzG2$wC<><kyByFj)q&VYhwqza-5D6`a7v%A`FHP;v%-TiJW
zj`dD22&BViFyWAD!`-;a?>FiA-6avZJutR*ExF8glUPg2K!<-|XEEniI^11D6^v+f
zdfEhWtVO~F-c6(j9`=OpBDOFe_T!|p%Kl^lPdKaW&aa=U*7BWam0kE(zW|Tti`*=}
z;1{Kd%nR3e@)y*e!oU7S*^MXvqU=PP!ue&tDEmOyL~i6ue+G!#<4G%%z&#GmmKfaU
zt>?$H^$}VXdqToB))UBXVZ5YRBM<rW<is-31eT?_^eUd8`%a1N4AJUsjPG0#p{)83
z;7tWlKfmyQz3w4i%4#K?hc~fW40bZ(wVNY!&2F>D;j6B$fo{l!1PTR%%Y!GY-&*ac
zcKR$Xr(HpfR4tJT4diRN2JFt_wnJ~@GeH;ObDIqwm&b2Fb+aG3F0ZxP%$O0kqIiMe
zw%=Cmt8v?EtOkeIQ4Qq<^cHTHt;SH}s_~m+?QUna*J4#b<qu*e)k@?E(p{<zVubwe
z-<A1fG2i?L#FXcLS9av7e<-b7@jI^S7m3{dJpFg2iZA+IY2-)FD(z%p%h|IKRayz-
zHv(SYgszA{|GwE7(OJVnc|WmlumWM4sNg>wjOY+55H?8y_fR0z0}iHO5((j-LQn4o
zT}c+UDhqJymkhOpBncyl*3ZltszB}xRqRwN<vYt%!>JSq5Btn0RRn*bOw~z@J%N{u
zR`t*ZbkkL_IaV6z&v%!py73`psyHew4ZnadDqc8BmC9F+QVk-_ZOshem47IQktHI-
zBb1_<{QlpSgL^OQG*cCultizn4{;KqVQlbE#RbCoCutd9Ia>A2-}4KNU?gY6NdrsJ
z#z@XYbkwlV1-S){LcvMKKmQ{l?i_<?&rAhnmP#btZ}h^cX|VLHR1%Cf4N@(fqlz7p
zMESn4sx&HH$2&|^b>+W~RhiYx>Su?B&PR+<b*Iv`{KiUE*Otr2sO%)oU$2VopF{(i
z5Cfbyy>WW=^jXuJ7EZ47)cVhVm97a(x!uO7(o&Yxg_;ZGgjV8wrSnhH)jUw48n0@s
zRmHk7rf<qsxB$C~-&YPeSSnNlR8wcEV$CSIu3VK&r7J|qkU#MyAq=xm1)cgdydIxs
zsNz)&daBPtsP+!ypOvV(q@KULBSYC)SZ~x)JNXw`LCn(Y(4`COFY)22vs8mqOwdHS
zeb6r2ymmjfqT6q9`5Y#LPiU4sUbn?u<Kx%NQW;WwIPO$eo1F%)#R-LOjTZ{tYQNLq
zcUWC6zo)v|X{q6_&r;b_s$G7Q#e?1E@;RZ3#x^uSOYJpSYHZLKI&4;}#mddKs)5N~
zXsAtIyTjmcc(6lFCX2!Cu67!r;j}sIj%u&f#c!%rC8zk@KBwR0FdMv9kI!K9JDmoX
zAI!*PvzfhSGy3+M_`hmZgD3c0W@y2o5wEdZ!K|Fn?z*gAufbt*`OFSWwbf-cJD@bt
zBoV1%s;6P9r><$Pr;fU7ye5yM+G?<PtGyscW~;&Dw7Lvlr`h6j**$)z*UoF}RGBGe
zuMbSc={MM`ZQwR$Xm_DG#>lN!x65boJD?WjFV?A2Q~Y*|*X;D$43-d`b5uj8YxiKS
zp-8n>d(B>(*TUoLRsB+GJk<`5-R6U~90Rsl9ad<6Ya9lz!{W7A+%~HTHD}bTdL=t*
zEPlLihfdgqn$;Mr+fidP00wT4*X6GEdic(Im0_60Z1#Cg7OZ_W^tU#LN$9#kIK4KP
z&0($v!x<7{FM9SMB=z<O{dRUVEs#BftzyF?&8nh!_NchRIA=mBlva=8CiN^7SWiLT
zTdG>$%ApRfP-VsI*;Qbk9VPl3ogm#VbqquWqUNe%huLYs$jy^faojjw?7y4D)=U;(
zRDAAuRjT?5dy^{GZl`=grOHU9<t^BsONpvSqbjxpTja5EDhriv6dSN7kE~SXX#>gz
zw2NJ9<Ojy7l4NlRYMkCw->^`+KD_Tyts`GPPL-+x?k~C|Sx6G1fSwJNaMisJHX%o0
zG$e$hp|F|y8nz)tnBmQ;1jdJMRvk@aFi`jjh5#SIlH>$tzaQ7IJHX>sqh^53!%b^7
z8w(Y34mN8H<2gH3htt??Ax;hnQs{}>s|Syq(-O0LVVtua?=&)g+d-8tjjccT&U;wt
zW9aE|7!=+EdzFWA>vS3`{{jqG?_itp&aBqe-*iG%jhnPOu#PwhMoccUU3wRfUGU$c
z%TzpdlB$@j7VFoKZ<(Zm!e}Bgf+AyqCTc-D5GC=m6I7k4v`VaEnI>tzDs~jWH#`i!
zQ4>^2R9YDZ-<k=kL7J#}?Ou-KheGgO5w3tQDjqRGl`7VG)jy*_x~SKQ-7Mz+BOve(
zW?q<oHRCs*Qq4_cYbCZZgr`Ee`YhD;cjBb=5#aPW`xnf8_W)z>!|6+$v1hcd*@iQ!
z>1k}Skcz(tcuqsAejQrbXW0{2?uTGcwu5Z}BCKLJu*K{OyjaZm;y+Z^rLjf{Mnm5L
z82^GbaSLi)#~J~u13;apAX%*i54#y}2k_1?#v7y5tCS%d5`6y<79>5@s-AM2jAqrd
zf!H)=iKdeEu=FuY2Fb88D~>f^uHqZK>LRj^Pw}WL`So6PG#!x0Gpf~n`9yr-mq*Du
z9zR*7BWuGr-|SI$<7XzSI`C7~>L|Y4tM0(}dDKG*50@XTR@?cPlT-uAEg=rbGbgJK
z2@d}h?>|X3qCJMJ=^!g22>TZH1Q_-wtg9aPndb*BASJ90Lt@M~EK<nMA?iZJVNe_d
zKL!;kQ7fa{&lE46yDi4?Dp`R;6O1}$Nc%&lCs7*u1QG&N6<g${fegN)Mjg+epQhIE
zJvHiBvT4mUb#L+ArU;}32v0nw>B66%sy362D5=&)1|&#4c(Z@_&4Q`w?qoygB?#>O
zqOK&(;Ky!yP4^Jz=5wa0yYOW`w7fpNB1@*KWq!b?euZZkSR_9)U7gMkJ)!NuNsao7
zKe6X_63HbWJL%~I*pE39?JWH)?T~U{fytq3GV%Hu>ON!}Uo%5Jg!h=C?n$=tp)=HG
zPN%E8k=t70r>iMZ1mXgWUt6QjCYwXU|GGwP5f@}f|94hqQ;k}!kOFEIe|d)5NNx{{
zFkNS=v$aABCgRNa4&eI=<L?|)cZffKpm3*K+*Z5Q76x=XT}MbK(*}5c_LN$yWY81-
zf@Z#EDN2QgXlOf;WHv;S$LSQRhk@U8={ISuloO0L_3k@bCxm<$cS=(=vaSuY&K=k6
z=5&+U;V`>+$sg(%zVuhMNnBcn&vNGrul-%!pMUwQI`vY8=iXHE%-__Rm#Tr+`|^Fi
zsk{DVq5QkLbBxJtu$nIF`%ld)_~_r&iK3>(eNjzxQ~Vc2`+rgQ;`%?-hETcdqF2#L
z#$Oa|`$KIXC_238twp_ribtHd8~h$0;9Rc@>nqA|@`c%HDo(X!fI=qUQKwENck{1n
z)v^3^9fo49Q>T-=!WsMP)p|irBKVDU>hAn-t=d5D6h%3FY^}OK*%7X`z7~sEHB+5L
z?hqzzU0PPnR39O0UeGGyWwuWOYi)O_aNaf*_;OBoI1r`DL*2(E&|kss#Kr2jA)k#e
zKv!R7$58h+#vkvg$w4(pB%;EjkV?YJkT+o2^&GhO<ERG9u8?Btpiwgnb@z&sM%Wzo
zAZ};F=COOlfKYc`Yu)`Bn&I)VQwtrh+3oBqT)GX1g^31spU3FEbUEtQ($JAxSRPz}
zgK`g+MgAIpb$?&1{rh6g1;x!5bgsUj{DNXtTk$1PIHG;=#dxc{xVRaHAZ@!(@u%{O
zun;EJtqXHWBt5UHxMZ<FScP=C1jA)Dt-^z#R~>@UrfK~8LvY>L8Qc=pjbHwZM#a}H
zAc-w^KA~wMeAQu1Cb_>2eY>oALX*jB>(wrDUt4AlSJ$i4$UWhVf_imIPeJ8mI$wBi
zJWl6>qc^ijYzT{|XJPicm+nb=Zyaq-RKUbh``3_`Llyppl<EGdg7)t!Gz)5|`MVmT
zg8H8-sM=MyG*bMzLK|8%x4~Wc7d6@{C@!dQF>3TwNPmkPJy0GNH`<V+e|yvm18lMc
zp>02%4B2=-OjXS+l73E~hE4XKq;E25b1x+T_ID8LB8RK|4a_vUf2^X{Ub;$iyRD+p
zT)IyCD(Zi%qE@x9a!KfQifF6SjDxCJy^Hu!2W4BGzpSFTu*yX+RIwx_fEXryZBS|l
zB!erFCW<N-0J2>bS8P}ef%uL+wu14s%^JDJHFmT;JFCL($}*Q1XFH0sh8LCEE6T?X
z&w|#_R#-4DdvtMeX<>Pe!%=A;o0IRVtgI{@RarH{Icj9y7<2K(d(;MT2AT((iC!en
z;7%!0L0u9A{XX#Za8VnmeKL&*#HeNlI`f`KG+p`1r!<|&gZ%y};DU#q(xmW(Q`9!H
zM`ZZ;wj-L3<bjZ670igz@mG&%5_$X)O*+{nD#UUB5l!#bJ0q~JN74LlR+0<r9L;|{
zQ9%>WOX2+NP7Q>ycEZ^~jRr#ejS{;Ny)I+?##5Te6dzQr)ip4RgM<g&gxwBnLaPZX
zAd|&v@i<{G=k)Odr!?7Nt9WUFM0!gLKzV2JgU@J2k`|tLM4P~OJqyxnd{#4rfB2MU
z2ze+hKNmf#>CiIbsAev0opQU;ghtmUN_J&T(&*V}Q2BMRejq=RGCbTO-GZK$u|W4Y
zUVB_qLLO_^TkyE1BmeHW#>$^LrpYIdwktYwOrsM;i7Kci=fPN+#~#y^l6~!}+;~hg
zl-E9s89dT1_vEvh3~>ayPn;!^x#?Mrp5Jst3ool@HR_Az+IlQ%H>oHsmb`6J7v5QR
zWK5%JCk@*}2c{0BrN<C$1vxKu0zs`Nr`2g~xoW6(G8x<^W`qi?Hn*#K?(|tgl(SK>
zWtfx*Cp&33{#^9oo+H{J<dB$S55E71*3Q3pQfnm#MMf6y^PI*=_J@GgQumx@)j1vZ
z)e@ZQ!q)-|7{9ti+Z@u<hD0|YPn({0vKD$;91BA-8VYct6*}x*&|zx`71PzzUvTaj
zBvCIMUPefd;W6Zp3b-b+K(dOPp4K|aQ{nNIJgrspo1WGt^Q}j<gUOL_?r%r6Rvvd$
zJCHmX&KP)9tL00MYWwi(pF*`K!nt=nrPcHG$22iqbyVA#e|JPXlsq0TDt$`p23Sc1
zU;dOfUMz#2Pno3B^5Ub~h`(B#R=xF~XZLNhw$r6%%zv!cMrqjfLYa0w+li%E%=q=2
zwTmvS{OwL{$7Uz}1b`xS5IxVU)BaPB<b|w>)x$~2&!)hfe+(S>3L&6oLqc&eD@%vh
zRto$h<KVZ@0e)NUJlf2D2eg-dmx)(BE~oOlAJaA}gllI@(td3XQN*<zypi8<Ks!-5
zl+6;3$z(=AgLG;j0%>)CAsrhK1Fu+uWE7l~Ny&U9MNLQw8<32sN0L7a$?zFSa;6~}
z498_M(2K+=+(IprkeG#UX!<xL1B8QUzcM6!OOd1&OHwoGJra+-gu`f39+DopND{J;
zbjv`}Rrrs_4nh*+MiMPNNu%sY^j0J~;Zv$jN1}qiGg0<K!l3phv^Nsc3*-MI5y@}D
zNAs8NNPdFLxb%Z?h5BB&oqjh!xI=##iR266N&G3+K>7qrAblLVEmBGj2~JyMr8ClM
z$pJi0;R(mJDdf0tn~LFM@yrh&(<YN+BBL|^1<(AZC$)Xav*C=P&jI~HC#iRy)JF39
z=d>FB`?F}_nQ-~cC-K7Wr?uV5(H6LUT43*o&MDiDl(?Xs+79c`LC`sU3h%ywfOt=)
zr>Ef${UW5(yXhvlX0D)1;DnY%OW}Ri2fmp5X)IO3@9Y`!I=P>0fRk4}DJKpR124;G
zr7cj69f6wc9>}`$!1@Ag8k|DMva#q;e1cs~-4#j}MOrq!tyMF4sgTauihzo5c~d*I
zS%9RI@U<~ooJNbwXtfxj7DQ&)hJ6Z9{7W3)-h(dgU+Cx=sMPjDQMMc1L2n7AS`g0m
z*PzoyFsrSHv8|U)MCYT}NEpOsz%$j#3@jDCsojCnQSeS>&?x@||J2XvNAwhJeuKVD
zpQA^iS9p{@M0dhXbsODCIUH4QpjTn-7Scvsf=q?8>Udf~OW>}WLx)f&99H|&-n1t?
zRy$EWRZ#-}r60%{7#(~-PLkK)w|a~mAqU~Px`*6HcEES_R&on2Qm!LckR@b3{8wiZ
zKbf2a7uM0F2<~WEWDq>mjBwmZhNoOC99e~mMv_`|Uur)Oc_U61-iQ&c-iRRw)*7tN
zdTeDAoT$2D0Pn#2aTl2j7r-KTH#y-&l0;%~z7?n2ccE*3CA5CKLo0X>R__jIoNq#?
zf@J{QVrZ^sgxolXha5Sx;H)($<lfp5ev8e^s4wK_Dl>^i{I!qkpIlteIk*b<)*?C_
z7&VC6aV?uhlW77x8f6+mrM6Xj9VGsEtMleXPOaU5ay~eQje}$3a55M!n|(-kBG^}p
z{x|KXq4n{L^)W-c--bPtus;8w`31fGpK$PP4te<gY4-nD9eg{7JbW+Z;4A3cM6ohq
z2VX6W(vVYzJyeUwU&t<aBj@7w^L0`q?Umq(-}>Q(c-<Kx&HT=Pe@xC33^14P?w|`j
zY50aCa-JaXGehRs{8@!QQ!B`FO8EQ1opP3Vr2~&V9DdorJKvxWy<E!EPsn*fdX~No
z*Dm=+&Qy-V_iuPsi#)7r_`tphf;2q?)8$2?Dn1W@TzYxI^V<I8#jw<|{CRC7;Ws{~
z%_T1g^0$D0dR*%!C&D6hqC&}sJf|(;i;ipik>|qnao=&Rv6sLRt?+@CU?cP(2v$5?
zwXeio#}{M^NSj)kh^_|l*=yute$N2iL~KPedU(h_RnN25=`)p!kyF5<XXx`qnfqMX
zue-wY?$1l_m-EF6B=RYDho3s~N4AHbB6x>wp(p8AZrT`rI>R&9g`d9SrMJlWtz`Rc
zF~$kFD|#DRs{62KSHkUjE}IH>>ycpEMo_j+aIgLe{`PNykR60K^)`A7yr>t_ned)2
z!KSl<P{qOp;w<?RUeYhZR^cHKq;>F$UV>fa0sR>UT9FpoPk(@<e<1x!Ix0o(mF|%?
zN-Lxl5efq7b@^ajNyvphUayEyljc9dpD7q#_dn&B+R3Os$S8NiTU<B~js`jDgJbni
zxKug{O1mEPwU&;-00&@r6oY#e^zu%!k}L*gECoU*0uX1USEU2ecIhT*o-|2<a3OU`
z(@5P3QNWLB7L0)!o7~O%G0_{>bm@CRzH3Q1KlOrq=b~_ap9}IG3&Z)nFUYsg59P<E
zXr!2g_8prob3-NkOrfqzcQJ%s7rbg~2v<lf(#1>=6%sF~V5tjL=+qN!hnt?=Q1A1}
zn9waTJv36c_WgykJ0<+7?i8J<%U2fZIyZ}#x?k|p1Wl-|xC^q!szce`F32uZA$xVF
zu5De+bEKQ{BSM+6=QHi;rs3htF6T3C&FQ9L;oO+>xz==3W;nBRTc(&}e~}rC>2$#W
z!r5Iqwyjemyl>$(+AmbSQ*>J!^DOD6zTwOct(me~En4oS6fN_e#kv@*NU&4npWf*i
zD($8Z_p3OEL~#ndbS?g^ijglEQmiOi)diOft!QU=nLP-a(t(NmPTIESMd#tnE}C%V
zW+17{X0cY=T~VRhUDR!@v`#FX-$~Wh3MOXJhntRQpJ{H*RJPAFwPq^XGQ}X&G&B*W
zY5p?;h4VX7QCTB4kf<D*U1ylYbqnW(Hx;(EH%-uJ6NQtaIH6snA_qZw2*<p;*fw04
zauB8)pzdzQ)l?&^1%dM5e9@<Zl|UHG0i|+6r`DhKhPc@c6id%kh!b*_{s031DQ)$C
zY$4(bR@w5&Bwbh1Sug>m^oPXe)8A=5c?FMWL6tvY0ketk(8|T+H9_Wk@=}eg;Qh36
zN8Vp2mvOyT9ztFX-%_40TBwzc{Bn&vko>D%(XAReiVxDs@CDPz(OjXCt>l%q@^rpf
zExX7|Z5g3%Leh5!{*_wpB98Dr6MeJQn6>pz;D07$h5~Zxk64{g5HRD-J<+BH+VW<d
zu0QeO7}0vGaj_vl3k(VF!-e%W7!$06aJK^D%~hbjiy+|5K_sfFFf5qJ#(@?W11z}^
zkOxA{GXXGtz)0c|t)nAA^BB6jgK~Yd?m-3&=T9C~W%^8HwXh%h944VJ!%uh(pnW^y
z6A9CW*$}!j5b$CgKpTmcY!I@4My!wb5$EG+$kq3QC9R=1kgpKdA_pw!1xR@hkZoi&
z&KdQPtnCQu(T(cJZ|HXbX<5Bo2Z>vt9+@Hn<$Ma+{{$jyEQgf80rGzfWPcwbZ1e|C
z<squZk2tFK#Qn-Uh^p}vLap3QH$bLYMw{p~atLC2cgVzB$jxLanN6l3=FA9)p)w+e
zd?khgjQV-Ul#MzXnyGiQZdRO5iIWYXp}nD3l5Tho?+L~~-K>j0XGRuwYXI!EbS>?J
zkQ#Qhm8=US1?;NWf(#lM#&@gap8R;E+=HAH7w?I@hZ^`67bP3`7`>cB-VQ6e4jj^U
z<<IKn*ZGICY#?t5+ukH@)yv7eL1ersGIIH1ot#Qu=eO(R=l|;VIArIwMFNDjU@ccO
zzU7oIxu7tosB~nmsjOi180)CYvYh@TLLzp9hQc#<T75%9<~cXabZ>oa;kf+D+zQ*+
z(Urq0MwN}W2pT|zx%F%83$%HR*@Z9tg-y~<%%HjSs~5W|{Gron8F@}(<LOrN92z}H
z_;!^%mb}}xN|Shglw3;Q32(gwwcLSQ)v}5IAQo_Iq?~`ziniLj9+7Yu6&@dZ89&lf
z&L~Tj>LeJ<yabb%|Jhg+tJs=Es_3j{Q22g|PItjt<8n~FJmy08iHvX8(WjfW2rJP|
z8b<+=7E}|FDtgoJq&a^XtwJs0RY>2nz~4uz5U~qd!&7)>&xR{>DE>lU=^+6fkIy$*
zm@!SB4=J9i_|@^$sF1#pV)@>9YE2{qBz0}QZ+a};{9D@y*Y;OWtFNEgpUVj}QGtjU
zZ*x-uU8O+mj3xZ31e(oX=uVwHqX&&qFrCzmkLyAAbYc}!{{}zeI5des8F1K>;(3pr
z)G5vm@w~Dp-La+vRiwvIBH<AFGPuSL9NOnV_cRD6N;UnE9zqzL+Y!)*(528mjDtkj
z4=Z?r@EzT08n2J1-3K-Lo950A&#9?l`qZiLNbd?4HDre~ef~yo!}QrA21Sg}CbSz6
zx5d*G*pu}nv*$KW3sqN#zs;Hz`ljKV5@>gRO9D0U0SUC2|0=$|nLvB-*dDZRZ?Q}w
zzJyrSP>hLMe{HqDp}WiyNG;+=h-u6Gi+GwC9p+irNi3T#hbmwY95DXB_x=C(zW;yS
z`@UTe1xq^YQ(Z1+$GMW&3=tw;)EGzr5u_TnSus+ew+=xIk^)Mc;#vbyI83-uGb6}@
z$6F1XUwEU5KmpYTD@<LTb{O_Lt-kuXO^wrier&_mPyscy1>Ta%BHv}B>U^H&saZ|)
z8tR9SPM_tR-{|+}HI2(1X35HLthFv|tT0a-JGZ!Y=J3kdC3W?d%%*9cx|xlF)wR2S
zZ;eY~Pq&-xR<{GA5A@PvpxxUKwA$o0ReM|(gV}2lkrd%YPz_UBgRR(Sb66~Xm&fU`
zdtoO7<I&b(jvRSe)AadMr`27Sp5HWYMpgBg5m`m)Q{C={+R-($Obuh^PMue~u+raX
zFHd(*A8sifJ*ILxKeU&1X}6~Kbh8ci#}+ZFBn?J|Xc_01&ttQieGZS?;J4UeeQb9L
zlWDKd;J4TK?5=8`-C=PF+nu%`9=`cAYRA}WtGszdru@o+EWfSHJ;UEPbI!~L>r62I
z(s?ywN6l`|otiVQJU4f^4^crz+ospmoBwv{Z0Sy$$>t0Nrs%D1g)yRMgoBM#`z$^O
zoD31j!weV;t7F)QR~vkO2jWng%`U)tZXK8iLJ5UKQ#2#oh{H46HLPOzi0XOf5xE6r
z4qwFx-<XoZ?3$+Gjde{`!^%pEs%A~Qtge1sgSV*8xnPua?8t?6_4a=lsMYB*xm;p3
zd#f%)M!U&c?Q+8*sM+GhaB-#SHn?hFIPL*xF+sc8Ww$nX>U{OJ?c$;gYb>>mv(LQD
zUD9N3nprxobmX`uhrhV6YMgPZ)mdLPYJsJp+*#CAl~-1=aCmv~oT_OJbL#4Ce>2eL
zfi_#Z2}bHpn;2<o1V-v^ACSc9^!q$ONtls~yH~dvM)M{=%<HQiUbEj~GC52&ZSh<B
zdl05+8oVq-Sd#z9e>l(l*I^GX-Z<8Dx7!Jy9t>4%dnS#M*Z}f`G$shoJ3i(y?a>P_
zi&}75)RQO_YwmIJ`;GD#D3))O=w7k|e@u8QF}g|>h53>w=qvG2M@W2fP|nm*qw1XU
ziNF7dcCJFiByAbLS38L)L^M*qf1ma{*^4lwi&CfiQU@lc@~l;ICja$OZB=A=a77Y*
zl}we2&`kz6KBRq8PJTFUUR(8>6Lgt8<6-T~iZO<kk6XI5X!{U_2!+ZsAJJ~@BHB<1
z*U@!|^q5T!kT~g3C_r0|?*Bp@)y;C3q|W6%&c@FTUAe8BERP=~7BOPhb;aUunCc#q
zSOxAfdLve5Dn^$STEcJ=h>w&*!CphrhJ%aOuGIVWZQ)-P>fqP+r36Q;>nBHVS-GL>
zeQS5r@7R+QT(+)Qj@hXg(PR9qsgqPmJA!YoTPw%Bf9Lx>w(T99KQ3WnaOwI5a^%4(
zW#>CCS6SvZEea}b-4a??^Y7ohF4i}=>(<S2iXM)Q$|p`oiIoil!zR(k5Ua@sVD#bM
z-P%R6Xuk~@#x-(gOTPzjpQRApv=r>oW)g+yfG>YgyEOz+N<0!h0ad0Fjr<f{6?Gxv
zMBM_!VaBL7#91{|ep*rYZ~GBGDMQ{Gxh!4ZLEu_%B4Xh3p}Vw86k^)^@m<=jy~Ghn
zmhOQ0A^nIAV2!v4(vu@}BlM?s=}Q!ZwZ+idmhe~l>+<>0)p9=negK}FtL5Q*dr&TD
z>71@BCw%E+xO|?n62;4Jmh(a_>k+7qnCQDWMV3mRz>9YadxWaVA+mt=mBwL04pmsY
ztl+!dz~hW{vWgdTxqv^|PdA+BphKeI=Hqe}-?bJ+scX@CiYS`522W657x0g7!7v_P
zi+5BUd4*}ZtN~#}c`S@5$(Tzr?$;Aq5hW1cxgC<IgD>8j5}bU?tl(?6jF<cQ-zgn5
zenx%v?EPiIp=*k}ch#PvNq4?@Li`ORN4LJ1pin5)!9pO@u{Hk4p<DjAeeC^~2Vfns
z-ab7zm@kM_4lVyeH8y9LBwf{YRj1%#oN_z7r>c&<ZT4f$Zw^Tf)~(&_7<|R!Bg!9{
zO9ZF{7$T*9!V0vBr9&~Y6?bwm<OJ^2a$pVIf}%O$;q%LPW4^n0$s_sX4Oo}@hvh<U
zd{`dFFHg~D!UKBaL&$jHR;;G{0BY9mLCr1?;pxQ(<vecMiGmYxy1bBsXQb3$f-7}H
zyKW~ST;U4{xS5Nh-&<EK4^}vopRLhn^XFo9Be~&9IWxlDdcVOj2sEhVd9gaQ-wny!
zz36UdnLZ<8Zm7~4+=1}=y#U~EyD-pgk6<7@%k`Oj=!0?uU$G7?Ozfe{3mIEek|EKX
zZt0<aI*6!Y(N)nG;`@~DI)U%eZTSA;Ao(tZSmu_?2g`LtAr_c_Jw)Cb4p<;<MbI>I
z41e+j!bMkgzOcm-jvb^hc5Z8Nu1mg>0Rviob;&VA7O-#Ivmrd4I8fGgoE{x5_Ek^p
zt3ZNsS%x}-PwuYE;*SoLXX8>_-~u-e!VVPJNZ}=mu$?`m!x+Sa(N$e890ZVD45CZh
zAcA)JIr*{(@4wo*K810%-0P5&i9E&JWoTQz7(egslB@cL@&1wXc%KC5im=gv__#me
z{9E^=1iP=AB~R_vMje&G+g6oycPzc}rNW|>2rB(Sm)x^eUBksv2;U9ZD28A{q-8~U
zdEV1^Wg}MmEsvxH5i~l!!_#{LvCW<bCF!v@r_K(rF5&kkhu&+(d+Dq5A}zYoxV)%W
zug81Qd(H%xuHGVd`&SY6^X8YuJc9#n*=$NUH13PE?eBjmCK#rnT_n1T41tGE>t|U?
z*AP8R#kxyM{-{}=gVh!zX)#&kdLoMvw5`o!-N5fYx60$Ai@LPEHaQF}5(j9lwaFFY
zeT;~IW0SW!#8!+&co`^#?uUYL0<%h&K@avGv~MeD4ILtt($2U`djf%J=OC<hPw7YL
zIq7z|qVO4ZeL6pE*Y^pY+G^mFo%*!kkvr1(hlrLP4Bnj<jM|yTkGS>yf*);9;j`U(
z1E1BbPbPDM$8I<9UZUX9t$n#UMxVlecj_bfFC9@jD|q})179WD$k>|36T6|b)P+)o
zOP|Kaxb!KlBQ9<ou~aO^%(T*i^JB({KPQLDI%zBPga{8S{U9Aj*ipV(jQ9(?zMS_O
zf)0A!l@^?PUmD+yq4T01`V_?UIPStYFCUDIOpJk748|}OclPBB4?L>|dc5BUVKfg6
zLg95HnKDS<muI{rrvy#glpwBY!H+O^#l2~K)j)mkRw>0I(Pv1ZWWi=g;nR!cCl$K!
zclK*B7t4K#k|g*VpW>5B<gFc-*}8?GW)RFP3^ijnK<$`G9t@}n9OXK*ywwoK`~wmj
zO?M#RBP?Zbwbt_-&H(=t+u=X|y;feyZ>^KZ%jDV_rL?zao8Nr$Lr&}EVmbY*{U2mK
zxNVO2uEy1TLcP3JrW;bz*^U`{+rEc(2Oqh4f!yct=}Jd#RDq?(O;-d5uiPSw!AG5b
zWT5yP{AA^3)4<~NW23h0_!QPTn2SIu!3x<UV1^-9D2*cvs2WUg3)Hypve|+%@vqn8
zO18@eFtI24=w9cO#M9NcBI(~(cQfC<0W8j!490tA1IX)5>*Va##e`GTqhz#XMkC35
zeSy4KA;#VkH$wIiofvfMZs4;=$l3hZNcm@l7&$*$C~xgA#-;_60nrDqxquPmf(3v*
zv@RoG{{UEv=K!d8ZfB7B?V!ZUFc)avh`V9ICiu<w=wZfj4S#+g>VADMDARinfCJ4F
ze8Kz}27X6Z-7tQ~qj=iG^chhT!qjoHM4u;<3Bw$Ih^|VyfI6;;1<h9)liG;mzw_j0
z<RQIOgWEPb*@vzo^X1cu5Ga4nm$#b2Nb$GwVxM+sp$?w8D}|q&A<yDtX970{8ejhR
zsCj*#C}~{RpC6bh7k7`zIbumTGJKf$8%Rn%FAXTvTt5;!bL1@9-%a+rzlg57azw#3
zS$zYfR~so*@ME*&nKHRAXFDDDbMd&Wh!UP#D}xHod9*fpvwQ8B;9=oYB5&@ZV+;01
z&CK2)rWjrzaK+{4xnlAK3&c-m%h~bC=hkQ0$X@4(okFlCBG_yuzb;p<kVVIB>n5^W
z1`LDxT^8M+%NHxoH|NP!txR;AL~kL-rESu1K**`6>JugL=1lo5g;<=HNm<~N3b87D
zezrV1a$0hTH712vqk_MlEk7)a)i~F>7;YwiJ4dbx1q-DjsL)Cz9Imo^qO1B|IJ>2b
z!5kxueb3F0$1RahD6T&B*jN0^CGxh&S$#tNbr=2hSMW`j%lj15K61?BlbYr2NfFY+
zf+OyrNn{b|^}`_Vf%pOK0MBPn1wDwGCXer~>OcEht!Cp5lC;`gb-b!yd;T{P*m2i1
zIUzn`=~E*$aXVpIw_N{OZXh}BJR&IhyVK<BBc0u@f4(UB@MuZ8dU^7{`Ml}!g2?1|
zH!ZacoWE3(?mjfWj{iDc-ja~;%hk)$ey;cw^)Q)0-!^nqC~#UihmLXG=4{ML-W)Yv
z%t@dFlX?lRm?!mGnbkRRSyI0cw8e6RBNi`|>p&aD(D<Q+Se>b9=T|2|$>&@q??EGC
zV6E`rhvv)KEpryhj3`25Td-Kh(SSXIqX7hXA*^p<vq8DurKQ9qeL@aF>#t^ygs9f?
zM4gIXvlV0t+dGSwZi1M1a5J6~l29;zGYUW*AhsugbO}K6sBN;E8%4qDMC5(E2~S5w
zm9d-TEET4guZKbEiPLgsR8|=I$4T@!87KXU4!?@7GF*rrCm`(tJq&H=v38#PyyC_l
zxydav=F29c5U}K%7RX!si1tGGAoxUke6X~`2Q?osSl^o$`{bGYs81drnRs~J9>d8Y
zt6^e!$7S8Q$uAd24vF3WTE#Wnroc?{{dcGF8~yUy?&;UX)nxS<*H@DE9qY9+z|!0H
zzLICu$TK557ad<4KkIXtXx^9&m%N8-u>1Qi-8#+nV3(EizaJFj)l=oo8OoK3{Zz*c
zSPC%*EeNny8UP!muxK8p(b52MN`RQ&o<d7uYJC4ReU<{g<uCD3M4v?_@yw$j#<%U!
zX7G%okht&Pq|c0)AFd0%Ll*xd9#TETOJUa}<?;JA>9fw2pC|;xHg(lS@R%c@*)Kc^
z0e(wI5c6J-YBQr0Vfes%6T#)Bj{%=IqN|J-!Y9xmXLmQAgU+%M>22uRDv8bM1fFhc
zlFQJXSeSEoxv~*>d7?>3ykd3Q$cF$pA39I2TC-GEXc-m<{ntnX(0>p9)J<|w83xp(
z74lY|Ge^EsAz;*UY>qsOC<JKuphh9;K_cn^X-Eh~v~x(v8v+q;1$~6{5CT(J{DUC)
znsgaiN8cl}Ay$oAnbn=w7vM)x$Z+ZQU=k#}6ZsH|$~GnUO9Pp4SWSLJ8}J~giWM;#
z5T4dhZAP41v)k#jnxRK>dQFI9v0^CXs-__jq6RG1C-<9=-}^~(SfPkRWCduvya>|Z
z^3)ih<Fp$5P#nA9)M2ji_%G-04b`UycW>((%)UP@IN;8HJbNg_u1Kf8Z;;-e7WC{)
z3r^dRLR7)!TMfaAJJW&(Z%t7Od$6?Ni#$ac)t6O};7#jOqQd7b=~sy^MY08pw<@~I
zb|LVdj|T6JFxt+6j~~84en+wRw}Y>@+<v3Hn8<nW{&Y_pWIzKl`K+7ds*oxv0x|9(
zk=;RiBJ_O%z6ec7kI2hi*ld9`3<)1~P`@LkxXIJdIJdTc<1~-O?ih#=5^i{Dd8-{J
zzt?5+R6C*RwO}pXCaj9t`A_A1kq5gr=7s@1dZZ0`LLvv!zdFW0^kCPr`E%<OZ_cqw
z<j!q}@8g-(^4iE=IrDxq{w$xB$Q=WUGWh9g5NqY<U1q2YdU_<X?2}is`7E!zCDIZ9
zv|;4qAL%3_X3yh%^5*#TK}&AV+`ID`iHKzg?}nZdy$yWk3C#7O=qksB3ku>W7Sz$U
zpzmEPzpW5mw>*BGJf0{*Jtp2DZ%qsfj&s_p1<s$(f0y85lBgdQ3WUr5cpqo--0(>~
zP>qxNrl+yz?LBo)erT19d%&l$@pGcFabG$L0d6$WXIxAe_CAH8(_(kOnxM;r43O1&
zcwHdTC&>a5zbD!hNusM<7tQIa(41UtbE>>rzC#~c_cqjk;F!rrUL$|42rYfawer>^
z*cXI&4C_nPVcr6!Gfr?Dp(Fyo2`0Vg<RKQb^EUZr-t#uFiPyFuF>Z%A{K*|4NjtX5
z*9p3n&mY?kNpn675&2};Ao43yz+I-^CTHQM`hF=FzqW8`7h4#3|M}-%u7x$mWr$y}
z10Lz8VczG#?<fe1#QrP>c0DIy_Hhd=5Iy+)mIByYq`_1=hU#D@{S(fG@4?jX7`pmW
zdJ8A6hhdF)3z={Qse>_e7VQ28!16B|=05u{qSlX=#Zsf$>M%;zMX)Gpl&(dA!H5j2
z)0n1180FUIK57;ddhQ*K;Opm%%K4I4VOPK89qoWFiJ{72WAlViWjx38z3*rZ{O5O|
z>Fvt(r?ieqtv%X|(lxD*7Nc}k>!ZmiT@ikS$+{HKAOf_}Y;hRj=n{Ie8JDy^S&VSv
z2<4fK3&T%lmvKHH`I^=h+4|jVoSnwTBAot2eFES2n)Vrf@|3nmb9kaxhyPp|{<AFn
zXQ{BKH(nk}7l+czLg|7~Ixm#Y38nR+6sFOr?+K+a2F5df+6L+9P+Aa5Q$lI?P}&h`
zGch7$A}T2rEJ|b4(k1v|sx2&J{T%>beOuZBbDMqm@t$?`dK~W`mF@+=$KcmIl3{i(
zNpHh*-~__(H;@cO!dMCPh`}#<)Wf{=b<{ox*lv+l;fE4x&cRsx4FSY$HNwrK1KDkK
zxr{Ei(QPui&Bh6QELH`-SF-=47I*)~bpHBDEo>S1H*agbyu;ht_aM+oafrqb$AVa1
zcT$@fPhXN0Z3q$aG6-Xg&1~$)l|Tn$UOU{$!u#4VBDKr?6L#^^ceIJh<O~G@MxdKP
z-1nCD-thj%v}hfY#UN>Q(NzO4-2M>e1W6m%w*Adl$Y+$~yO+QFqNVqh@^YN%pRIpj
zEN{6=4&O2S6=N9Mo-y!i2k9^53|6n#>j96nxDdn4UTyYTagpk;_Is@k3oZ-2|5VOB
zC&3wXn^H47<h+1OnLwwTC-P@cf-~4kul=lG$c>jtbne{g3B1oc;0!50xE5LWKeSMy
zSt;*Y`SEwa8TyXjbKJGGIzgiG#vPCFvQyv;X}+vm+}|FC`-_+|e|`!$gPi%qjnSzK
z`bnXwhd6_DR-!AAY{oLKjIJ7d;WC11iDewzwu}Ro%3mo&*DXB)axGDWdR(!rO{Z8c
z(FaJm^fTJ~EV^pwh3!G^7VQmfYp?uE`4NSfa!ZG=<Pk&>n(3r7@^&qi9+2pGB%xca
z=&H;M+k(<Tw3T_Tt(J(-WJ;9uWMS8ZE&9*pEksZ6dG&*dZRB2b&VTtru4*rH3rXPo
z87#NG%neB@g>QZXhwpB0%H!h{u1>!xKk0rJKNmUR^4(S0=MQ51rZ=Jb7`nbjIrjD+
z21?TY?`J&7-+mK{8sq7iSLQ@{%bKecJNeSL04yT)k0CW%5vcH;!kn9U#M=Otd9FQv
z*pOX^q|n&;gKx{5oBKU6S{n3D<{wgM4ub6(5&0FKL?1!=d*=U;d3t@Dd3q1w?{VHf
z{m<s<e>C$IgLSW~Rj^g3e<12p{Se(s+N`C;l2P!qZxK-ERhTR8LyV+N2&uCSR|qvQ
zSR8?$<4k9XG!w2)DfqoLH9R7|fFI2Z;7bpZ?FevjJ<QST$Q1aU<ih2tFMdi(#&P0n
z>3!)H=_x3F?v^&NM3_w~V6FKHT>OvY=iYYVYGO6Lnno?a&v{M27+OCqj}O!xg5|n|
zQ%5Ja?k#@PVBITWd8o5Q7n9DCI4<5DU6p+yW-Y}*515sG4zqaN$MRu?fMLtKAIr_a
zD*?MUyb_4W@BLIhcj1{X(YFy;G##xc@(~}%ujo#WT>fcmb^iPNP<hS#P)3tLqqasM
zOyE@WkvzU*Qg+*6L<%Vwagl`q@sX$HG!WeoaxFM5Z|x`M5&^y)l4r%qF$rI~hh`s$
zAJHC@`DD;7Uim6e`Ndb|@!baBeq>4c>HA~E-*ND%5WhwVjXDnaOKyku^EEj^*4N*E
zPsbBC^_p~zshqEV4W!4mh%YHv_zIlwt_pVR!w0@DFObQ$PcEk;Pjwj;8@P)fcpbQ$
z`oi2Ro%`pM!JRLj)$&<y$eT^wdq%l>|C}F?B(V?zmu0Y{R(T5AM}+K{El%;`1doEy
zHQfJd@5<w<s@C>i`y2)jdx3zWA_yWPpl}X{*&M(D5J|y-6ij0>B@|IXMHC^297{2m
zN(wmOY?`+Ybu)*u+hB%PrZ$;*v%J<dvum2e_q_WY4oG(G>rUVOeeuWMo4wE3XYKW_
zz1BNC@AFb3$6(=wYz`5>4V&1X&;`A>Q8aFgk|^xAC~?eA)Et4WSicR5q~BJ+6m3Pu
zG9D|ux8h@BixSW5)IiU(Ta{$-;Wni~ckC|7<){_(DFjrnO^b))sM}fPhL#?}6!^I^
z1B-*&_^s!xA)87`u3!aHrPLc=(mSUmHXk!+U!N9<))BMjrZPuM-77qADMPteLZeKz
zV%9BXqLw<=^xZ9GJkzTEIr@&WLB)TzmOwt%=<2VrxcXa>v!DG1?*6yQao*rIM|1MU
zU;Dvpo>atrZKZP6n3}cP7e&@~4TN3x;4XhLW+3db<#DhH$7~D`Ey>3}Sv(#Odk;Rs
zK%q&%<v%B4Bfk&#`Dcl6pLa`u(|iTaRh-6GViNJ)+*<#NmAer!7{EJ+=wvrYv74j`
zmg-nN90J|gBJu;sU%@L-LxH;f^y;a9X1ku;C*qyAAet`^!(?}B4W(X2+>eADD~`Pd
z<3N53sY&?CVkQpgVSwws9D0iC6>!e%c@=tf_1n;<3*UrAFy?LiyBx>?i!}h}(@Nxv
zzK-6gb52WYE*$(qjJusasX;vD`2!mrP(e20=ym0fc(oP}lJ=Sw-%!RehoVhx4G;zK
z`3=0WF*lWwoy~9DJ$!e`P2M(f=>&Xti{Hbl?p86V(5upJ5;9X0!mo*|?_pK<%=+kR
zK<7t&FfIMzLb*tOUs>&;D{y|=as9x0NqRoTVOg0bsnJVgkN)=+{vRlDo?gqZCv-Eu
znhkf|XV<TnbscE=(IARxiQHaz#dm$6OmJ+q?cxI--+VsL{6NC*q*B#6`cCro6l1Rd
zdM<hj4T5m;K6pqd7T546PW=GK1U1X_$lu5@L9G$>*OZMsG08fB$Jl`XRuSkgYKCZk
z-MaY4N%HG(0bYa@K6Xw^X)XmyJae$qr!+`GbogF5ZNr>w`gJtj{9cJ*3iXn8M$9;d
z@iO}dCGGBsj+X1D6J2VPuD3@-%2#-K@jS7{i>E8zKWrHh>}zTjwry6O*jbNQifilF
z&$`#S<+<)V`G~MRjwM=J?=(mHB;iZii|xm;M7L;vVUTigdv}TX1ms;8h7*|9boQ}}
z937TjMP4(Xw?lk-LaFN3dB0;|*ayY<96f@0Wq}e_0>6TjRPHcT9b!(Z$5|4$9QiJ>
z+ldbm4_sF2Y}8wue!Ps;1fX}iWyuxta6%Lmmx1c<4{H;?O#&wXrZ57tBR~rl59e1q
zk&t00&_l7}@^;LA5xX!&9@_x}wD%4ijoFFU!)+)2U9ba3uj4A}3m*RyK7Mc)KK?hF
zR%>@+<G5StV{xe0O7get1hT&pA;0d<X{pWShg-)u*y~fR@~c(&d@c2@$-sGArln3b
zB{_0ngVf%n$5q2Q6xDAQ$WenkDv+RnLjLNXIJSrn6o;lk?k!uxzXvpm>It+FY!Qza
zlM|KRD4sZBK2H*b3vr_COQpBSU&!sm9(DD60vFf-oLlz<&J}qfV1SZ51BKDU;x^Do
zehB5Wwvr#k8sD(z&nP{YU#heYIrI>|(t<m<PI*X`9))zvf-Lchck%qfQO8TPrM>I=
zil=mZqho%m`Z+bO06%}M1K+Qt1@9Yay(M*;NK$xOuzB)8K(G-jbay~-RMU|x_R^C5
zQG1S%c)EEyK)q-ik>SAyJNCFSq<Z-1DLW-;!_+15;$;s$NNIICbE>Bybwf^Z^cLaf
z$yY0`ju%(E@19wcT>W9Fc*&Dbcc+I<HSXO^`?7$C8s`tKNb0~>wD0V!y%>7Fx|p7?
z%-{NEshUB<o7JcDyzrW^1p`~rW72qalfb`(@UGm-9Nv}QHm_3+YnW8iuwF^i)Icv)
z@m3v^*&$ic2Egj5ST@jqW5bO>QQ-h9X5>UfMMQ*!M2BZbNJ~Wlt!|$Eu}~HC=impN
zf#s`2^c;lcD?A<x)T~W`;z)liSATsFOW0|g62p`5=}!2!B4dYt#lB~~#pNWftC+gk
zU(Cj(3a1^27boHJirN4`umVNlgK$<(-PRBd9w^C`tV9}!H=(C%d2qUQ@-v5gnVNzt
z#@X-)OoJo?(*_$3&=hsP>5whYU|O};{p`6JZJ_~PMqUUFK9GuC_h!6G8Ps8Ily#Ua
z#>g`T%De+=Z0ESPGbL&8kjkdfS2|ihGUksMNvLIzcK^_FW|NU5irVt!!nGZy!#0EM
zx_Z}~{DAhNxE%&fYrnl~JfB(7V^Z*{T=9N83>xL@#5FFi<MPw(&L0=k-T8FI=fwqH
zhIOe&sJ-H*JFix#g*^`bA(i%GYkOYh&MxMhk#{c>l0;25PlbS&Jjpujb2hl#k2S^5
z&_K?1H)~1|F*(!Cm|Ow<3%6P*oAy4SOJTuxeIvvW9%WQ{R;=H!kx<sJ99g<XwnRD)
zF`f|R&ud&uv%|8&GRGR>0gucCj?;kZZBf~onL&{N{bs<O9bya}n^`zxVjc*GbGlmK
z#XxcXqcxi>AkNYz#pS>p15bfb1)O$r0^l^HDd03L3bevep%FpG5F?n>iH$hgFg7Cy
zoXl`HfC?x)x=BOxr%lY6jAq`i3{UAV)(x|i;rTh(l$uH90|^)F=ZI!THf?4GXq2Nu
zazNc4Ld4KH8CgM5S>XsZpn_lK*s-YAhx69{oLHJO4XAPz7yFME`nhLI!@_|Yrk45w
zVmLgsX-mV5;h~|Wp^+J=DHsCLXB)-_Wq=48R9jibFe3<*453+#P0h;B&oj64?-vrf
zZylk#+Sy;Njesr<HAWc;_+Fwop;Dxzw+}(#Ln;&rHxiNIgIYT*0_6EQ2DNewnwn{h
z$T5sHqJY9!F}zL_))}vW1xSzkp~_(diHP174Qwb>7%sxDA4Yzdb6RHerTpta9^;_s
zGp$Q`bvHgoogb{zP5mD*-Q)%F`3g-A*3(YAF;Vpj=E%%br-;#dUYi;KNGTf*>WxZR
z^yg3+{5AHn$_DW{ctl=D&VLnHL-LRY83e+cw%}*H1~BhAkbzLOdP-P)8hijn@;Laf
z2cZyms2nJFke$%>pUk0znlm6k%0Hv)Xm6)+W%_Wvt!R5j*Fj6kLZah2rIkoK13s69
zr{H(qM;mfpIyqC~kv>`<V$g?#>77K`XS#q^jyg>{%Si|IX3=_`_~eu>LbN-ri_m&&
z`U9A7S@9G_r*+Rnsh-JjeS|(zZ?F1~>DbP!r2%wZhipuL(#zyz=xGPQG@_TFNUAQY
zFyS$l4_;-03bQzeCpUm0f6C?wb_qmoAamjT94w1moDq3?L<Z`fg+?~%S=hb$XQ8%z
z2~q>G9tzq$jhyV}GR1dDrrB1R9uDB|IHZlJv&s%U5izDSf!v#EQ%XFN#O<zpLszp}
zq9Ri%{@fgyI<DzbVrY$}<lWX-N?NB@?(qDq_T}^gFQ9^t8<rBdhOhRTIOLCU<K0Jz
zr`)iVv^(xU&e!)uSK5oPHhj9H!?l^oEf0Qn5?Fwg_wB_?ZFse#{?i_LeKp@200~4}
z#kjV-%A<Qw>y9atlmA4mG>_=HWUbUlb0vRhZq8|sHh=hc05x^s`bVt~ALqxXX{jxy
zLw-<5)y7ym;*nfHJs<Pud$npiyaV`#F7!JJNcWLim<xuA<MQup{QnQx_=E4m#&5_0
z9RUp$rg>A+ya|;Ag@rCZW(Un8!<dC2`B+Tc2IMP6gd<cQNmWmfbYslP3`2#1ESfk%
z<=lqaMCZT~bOPa;!?2B>19is+@C&U#5_vgdeUmW?Gf~2H2)w3!kT`AxJCF~k!dx^u
zWMSVxQTL0OLC+uy`z`q}0z;+GAr*TAcs^Fhi;#|8EKi0vG*eDP7I-42)b4P(2FgCN
zJD7lU;QzS6u7G3e9E!7_U~fS`e+fC_+Yvun%T~Y%Th59RNy=rJEDf&MM9>>`XGRu?
zs_E{`h3S}#x^h=g<>VX^u`Pe5GYa$5Ag(D%BY~UJ{0JWSuaJUz3as~UXbxhk+=Ep4
zYNYKx1rDS+n(3H2$7vpcS2!7k#$!N;W`G;e8>>T04GNeerTsEIyk}8mz8-1q2Z43n
zBX32))z$J-DEdA}o-R+qdhrMnSd--hc$A}LgX}Lq;4Qb6TOx8Ru^-uG_7yt|7Oi^r
z27HZmNKD^~67(zad~;Y4%fr)+V1wXj?#>J#IP$=9lWCgmz|PC1B;XwB^j)R);B-HP
zxa?j~Fw`L3e>uqG%Rs+S02Zta@WZ4a#XlAdSRo*F>xk5RXRu!}`8v3-zJ^(J8uQ7U
z>T0(ai6S)!;w?vRav6AI3gq#K+m4h|5V?(&qd|2QAg6UihQ71h0s-9X>^r2ke$GyV
zO6E;u^1sOTvTfkES_9^mg~&IV0m$!o<YJ6uDQp1ZxzQkN3P41#9Vo3@fTsI8C}zHv
zKF70||Ms2!xQk{4J)gh4>9<MA57Y%NNF}}vVycUf&`EgV4?{k?<xO}UlH`4}J{rX=
zOIErhpJ3_I9rW#Y&S~SD&)R1?s<ZZZ>#SYVi67T488UH}smPZHG6z~-EVH&a>I)3P
zH=X%Ny?OneL@tFXnjrZCIy4=C;$!Ry)(5ze7o<t@2Fvpj{9x5`_=Mkd2B7H0`8-Z&
zmcn%q`aRqPx0b+75VwH$7Y_y_Q(=r)Jr9?<ErA>1@mugUB#0aH;gHz87~rLb8`(;a
zlRH!No}<LJd4M|dmm-G~v2t1=B|?e+S>zA}Nup3FIww3jCn7R4G$$%FEISM3z@tJ?
z_ahs%o$hm8Jnq8N9XnP}-KBRuxfpenGWy1gOD=qnqmS{+9{RH%eIrR14<1`95?uLe
zN4s7Zigmu9Y?q`rmVPx_eCvw!xaHpNZf!=-g{Sb)VClS=+6wEj@4yi$#&^#-NYb8l
zuOAaWt$9_nVMSe0KdJH*uuzbVj!i<XkYbdWlzt$?pM5QD)SLuz=_ok>09+zex+_fm
zVwvg``f14}EtbuIKf^hW&k>dVVWICKGksVB@2q8qr2r8-2v+%#8ec6ck#wmTx1p1k
zkV|4+0lt*q5B}(?en7E%?Ftgl4aO%whE*R^8z3BV6<^i`CC%XIer}7us2GGBLMAEX
z3ka;JsO=;?`|&`_Xap#0F6$-{4aH$?+G9?VsnDD2m_iS4)eX*i^BB|H9XUXHY6sl$
zv6%2OLnhl?Y`(+yzi>{Q(0nw9EKx`E1nX#i@L|5(fh5o{gxSNqkE!cuu4h_R2&2dF
zP2TIEb_|oCuAgT?m?rZzT|kv5q+y_wvSY7E>+owv@z-&D06kc|_$HV46+8nPWxq%H
z0903i_W16294#1+VIDP}4;F;B6Jy5Vh#rRJqR;|9zVuNZ>qG-q1NS846o4J-w(!>+
z0uB@@4NYu05+lASjeo6pw9Biv_Db*Z(3p0l^Pg<Y!)(VW{wpBvQ=2M}w`W0lteg$y
z(SFs2Rf?_KiCz^eKM|O12Psl{<xJ^?(>ud&UWpf@N})W47pERg{B*`#+Kbwj@IwT3
zbb7IO@PLTav-6IKKxg<NsNLNsPi{$janhMrb#ST+Sm?&yJ0LM?z4>7mOY%zy$1Rrh
z=t(c<v?<NyhVCNWaf(%L7l!j`4%C!}PMI(aa@&#0k$OYzY3LOw_sD4)!MAJGHoY{$
zI#Q4!ccL*vuJC8SI7I!$LhCOk4CQZYlarl_O>Kr@-czV&8h(Yu86%bs=V^NLbaSw&
z3$b~+VR6$gf29~*o<5VOw+oZc@`U>L`j3jv{A$GXCJ{dh3;BxgXL3))Kcf7jsHEhh
zv=<&F5Q5v<L}#x}$J%(CdRK{qB@lwn<A-IA{)?{DUi6y<A#`5$#niBsr|b(qz4EQN
zJPXbs_o1GlzGn^>)AN``faHorY_%o1V(of<P^;c?bQRwq&L;C`v~)YuoD}W@1OVNq
zb_m}PsM7>V4&*m8Pw?jCGs^^z(@p+FdV9?7tq3O8_cerv$T4nXMxI^H#j4TkH8{Ns
z-2n6d;2juN8KnN#zk_odTjQLD&b@+cCmY=IJ%pY>rzdVvdH_Y8EU(N}NfQYM->VYv
zUkjbnW;Pe;fqYe@Gp!<BR>@ygx_)@o*(%553-Gh+p5e>1Bn6Xx9mbPZ?d*j0e27{^
z$58?XaT46(0g{Q;H@eJOUwIT;gpeEknIEiRGwwEc9$x(VrC6{|(9J)?`en&~Kzm}f
z>Pq$EGr-QyFvs91SIpMMd`u=2%8>>?iEn?q3=8AMKp^lk#i(VN0p2Z9VtsUgRXf0(
zMHJ#JSULwII(q@Ji1mcO2Ad>oUc6DL5SEGA#Wf2p*_?&W9+``YXJZ~$fzxrEsT_X2
zMO6kLV9BlIz+~gM!5^3lu;4aG!+HU8XsmF^!<<(97*AMLuV}m4O3enmx7rKprp%)Z
zvnPeG)%;p9dm09O`{|ft{0|(P6Rj*L?KAFth$x?qIi}sV)_Xf$GF_v+_;@;ox7`*g
zNB6?oE>W5fzZY|6V0arweYmXe^FgoEUTBLkylvn9OHPZ&zvyDz_*s$IQ;gwFGVPi1
z#Ch7Ahd1KMD_FJE9lg;_ydf~W>5ir)t9dV`rCXVft>LJMr{3ezS`L&UTCd2iP2#-Z
z^l6gPC7ZBtzQO!y5d^$6BQz^ABFJDw-LbGpH~}*vqM}e8(FiE20foy#BE+lxcsIfT
z2a7TB@MN#s7C;(DK*ccNZ<_*wZJ=ahG5#(C>t;m7*EK=nqu#u;B?1KgWE$gFq?LG*
zxi0Bt%sk3vwXZ2B+-oI|QMg_zvkvo@R`MeX3$6*V4)dz#Fe~m}$#vp`r};b$`rq{M
zDw;Z}<E@{%Gauvi74V0tCPR!|_G_V#3qi>^3uOZe0E5g?DO87|;8#49?+3uHrHA_6
zN#hA_EoU$)+sJpIf`1QotP4<0J_1A5yHLYlmG{dgP&e)X47f@zT_ab>OTpn-CeM@$
zL6J3H&H|U?L(s?v%KgC{6b*k=5J<B+%I$%wbb?y00iV@1DCU1*e+H}7Y52R|0T=8c
z6v}y?Jqz`GBU{G=6!gVx9`e3suqkW;dlbt-I(%e<p{Dm`J;4DP!nz^_+N%Y0byvoj
zowU#H)-Aa-Nk-D`4KQ(i3;XGuT1KTFHsWh2Q&k5mai^vhR@7Q6muv~h#)wNc8-*`M
zz*<ZKB~lFR#V{ak{9!SAXxv~?>42EI4V&tUd<pc!XJI$KFCT+lby$8`egT%%c2EMX
zhi$b&_FMv{$l3BVm{;RrKc>sWz$P1qZis?uLQFx6*uKp-Pcn<x%84HBSJeFaCo#V^
z62F$N1?XoPOu>IE^J^pVs}81cE9OYFru*!_xk++^)%zcn+g!N>G;DctHc(K*<RrPD
z+(Qln->0ukDCrWmZ}p|~ER&|5AjG!rhtm25l$8Z!g#lr}8{vX?;VRyOlNkSX82M{4
z=1cHn?#$FP%3&@rVfeKe`S(%sUp7iCa+}vket6+u#tMEfQt;A$BP;m5NWuBfSi!IV
zH_XhYZI^T>StDL%7*fi7;L`U2FwmVAap+67P4p#uGOK;X!&3p6`Cuv^rG(VA5&bKN
zML)JWDqr+0<b##yv)-ptY*%K`UaT(UYm|sr)?G^4RJ3PUx5B-mXAz&Fcux56NI+;t
zJnhBdB3`3}RgK#=V8@S_!jH8$Bl4&5YIjl**p}VXXm2$No@A94qu|n0{IEiIv?>T}
zITVB&%lUQn_SVzT=Ya#P;O}eId$(E1H>&Qs01y^~e*C27z(17(8GUwN3gprTTHAjC
z2l72BklS=>AvL)mZYMd|{mzK|J0tS{IY#7RznKwP<w>S_!cLPYp~mY`sJ_JbnXO5L
zdJ(1>*Vce{0OdBpd1mH|4T(a6F_@S|TYd8@k<wz7_`7Xz^D7b3Li3fN=2ya{1?m;i
zGRdJ0n5|c}?b`e!q0-~#F9$ZiVgT>}O<AR5L!@}{+d@bF60ExStsVhZct6+$J-~>O
z-L#TK>2EG2aqmhJ=fDBF^RD^{f4_P}>Hn&H#4lElutVfZnj@9jAig6Zs|wq4twv%<
zt-|44Iz)aI4(HP$lB{s}1RX{p)e6Up=(q?VDwnB+RAgcDRQ2>yb-RQv7O-N;Hh&Tw
z=CkLe2r>JXE;0`^0WMkD^o`6c+Gb?Z2Qt_flFOJ!=)`EX+Q-AA>GZ>}cH5?pqSI;V
zv>lm7+Yuw_;t1JOYMc5Hofw`<+hN0LJ9HRb94e2%FLu1Gi*%E7B_%F_F2%*uwsV~P
zgw$3{ysdL5FK(J?$!*<qR@xu5um3@t!D$I#7foyiyjh1)XP2b3L|Uru7fFlN{S(qc
zbw6KPpzh~N^VEI0^tifLrOMdsQhM5wS+p&lN!#f&Xj?RmwvAGQ?55C}g2}YapG4aU
z6KR_#=H1eD?Lmiki;T|PEiF28FF~!k4TfjW+qwvaKG7fsk$W5Uq|ool7H`Klk|tcX
zM_S~Q70!lIcsuNxdpnlz;C*z`0;{j%o1OfKgU`C|11#EzsNM-znf-2HWJqDM>L|!|
zjS**d^LnkSHSK<ur~0Xh8u!x2l)Ln?iQ&-4+7v(^d$Iuf7@x4dkIT{Rqm2D;yNhcD
z(8qjFjX4$i^pKxuFNREpKIVU5>c`O_WbV6W&6DEVWawk=XMFc{7DsQ;UX)CMKE}uB
zG%j_qk@}ncl0?8%UhPYdVJI}+p*<OC_H4hTsgrGyiLoEvJwzbn!59ylnH8);4o8%D
z7d8{&?j!f2n3NAc9lU=7=m@a>i8wcCBF-7Id3SMXK6g|DFB%E{-$qr>Ya3KOYOJ-t
z0E3AULEHItEw$JbxP#C|YEu(;@{O&idA3LeL-f@e?nBe!WivSFF8Y@^HRK`Q-H$Yb
zdV=19AtwHp1kRfaoF0+fTT87XS8Czj>NWI*VryeN*7BHDweW6r*#h)43C6T{3!$G?
ziM+Fw4>6bDleb73$Quo<l*P~k5Q4|~US0hs@6S(<yt-L@F^N~Z(TyL9y)%vWwAe8u
z<H=9rEAwPgxrx7}RX;j@GvC;OE<2zoHQ-bwh!7n@===A|%=apiDgMFA%*K0_#EiPT
zGIP%4DL%7QfoZ%XjTZ#gS`$z<8ZRL#JD@Ul`7F1e*Rr%$Srv<avR~o%YpOZ=%=#ay
CPvZ&z


From 75173d55737e300c32fe38aeedf8d4ea23442b76 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 28 Oct 2015 16:26:19 -0400
Subject: [PATCH 10/36] Base DB with notification

---
 test/data/test.db | Bin 901120 -> 901120 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/test/data/test.db b/test/data/test.db
index 85fd5f0a1ed530b6a3396875548a22abc32e51fc..5a438c4de776d5e74874fad754552454be6bbf67 100644
GIT binary patch
delta 1462
zcma))+lw1j9LMLD%h`73%zDGpT^puKDduu!GLuPS#f@95t=Ls@tMs8emrR=JCYd#p
zM3xwm6oOAuMPb0V(z+tDxLC3SQmIAgt4RNVMPEdp7E8AvMLm<1lCB_OI50Ekd%k?n
z_xI`b)Lu{h=pZS4JTp%UeQltT1C1JJ^gv?<T4<n!2U=vPMXxSIDef!*N$%{mX>^+F
z_MfJvh((elkMy5Es+0^_7ELKp6eTqw8;X%IvPCl?>$xJzA~k0!78MSkbls*EJK;2I
z#hBC<n)Qm1j|t^QW5vy<Qf0?kc9U*JH<y#9Q%$*6y=9x0n|cdL>WTErg;S{)(ee2=
zPt8kGs{4*rK7Qss^HsynUTCI`%t>)^c|ol<g-%<jSS@R0EeoCg`{XDmIDFAPDq5x?
ziy4%Vibg3RtGb@Zm1H@AWL+udR7H_gnHrDT78-i}yw$)t+rqM4D+Ym^I9XSS#{|8l
z<L%L&=~SHHO*pJ8ikOpw?QwnZUDn-lAjy@?w3L=IlBBBXk|9~yk}8@A-!g+l!&Cxo
zO|M#kwrI5)x>2!&&ci>w`+r42%yyURj^PCHN_xe$I(sg^sYMyyXTE3d!bq56XcB}s
zd*N&FwTT9HgkA)bG`6<AkKaE<5CjEx2zVdv_|tRb@6g-66k@_*ilzbB+=w!BG!JII
z$aZv=0Y8FSjM3d_x1Zvt2oeCYaOff%rz9jQ2@%gH8xu2mDU(MiDT@lq$QZ07!jIS%
z>eh-AbmQ9972HfvjMK17wy8I4r?zB|hBV0yg?Kk6U{-2DfkLZUsabX1uq$?Bb*U6k
z8hBT&M%fuzj?lzJJqI5|e&#=sl{^xY85PM0O%S>JQ07U>4kAq+`Q4_zx-{O7&^gb6
ze+%!jl>gbE(F-Athie4<77pPC{0goOIq)g;HXvZU;THXfcO8OPW_Y+xz@OkPcoR?f
z9{dCT3V(sup%1@->;4Q6J{&*s!y!=Md3YtD;U2dA8h#0{_<Rgp+NI)?&;NeXyO9Df
z(LB8DMG%-};1}>RMq+hW5RLO8nk3`UTYmw(P4nEe7n#E<4sp|1^&9IgoCc3RJH`k9
z6kQ<q;4?N0=;H%JlIPhw1pFD^<j!yk_ZWM}=U)d~tf!m<k7M8-(8k9YvOw;|aojHu
zc!e5x!e2PIYkZr4Tkt#X7<Yi(VQ>4q25zw40jxk{#&KQ<Vdwv|#+N=;0|!0q8~z|)
S19(m0wGXfTe!j-udgC8;wvxvH

delta 322
zcmXAiF-yZx6onI$G`VSeZ`CRmwRU%CmeNJAAUFuxR@6;-t3$gw8i$8;C~Z-Ae?aIY
z4VLgg6e)sx@dp%LT#F8ZIQSBW?+k~Jb9}$-`{nMkp6{(}>G=!Bna<e^X9i~`XBKA(
z&g_smH`Tt$^o$Beg{N2gX5dr|blbw7I;+E3@6?s;ALq<+kphkGDWo8rgKO&5Py_@A
zOGr|qF}=`;e(9S&>4V<sfut;CpdD*+4R%vV11%Op8pvz`I&@X=GGf}XOff7%-9Wk(
zwg=H?i$r%~TjFjL_6@|Uuq$!Dj^g<|F)xZuNXo_@2t9>Z(&&vwc!VXHt-&O%X1B%H
sF)aLRhbJ(Iw46p0dc+OP$t;7XNZS#w4OqNXYYJD9RHS6FnI6~w0Opfo)Bpeg


From b408cfd2cc80e48a99a6cf3250d82443a616ca10 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 28 Oct 2015 16:32:46 -0400
Subject: [PATCH 11/36] Ready for demo

---
 data/model/image.py                           |   5 +-
 endpoints/api/sec.py                          |   8 +-
 endpoints/sec.py                              |   7 +-
 .../directives/repo-view/repo-panel-tags.css  |   7 +-
 .../directives/repo-view/repo-panel-tags.html |   2 +-
 static/partials/image-view.html               |   6 +-
 workers/securityworker.py                     | 139 +++++++++---------
 7 files changed, 94 insertions(+), 80 deletions(-)

diff --git a/data/model/image.py b/data/model/image.py
index 207887235..8fcddc032 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -1,7 +1,7 @@
 import logging
 import dateutil.parser
 
-from peewee import JOIN_LEFT_OUTER, fn
+from peewee import JOIN_LEFT_OUTER, fn, SQL
 from datetime import datetime
 
 from data.model import DataModelException, db_transaction, _basequery, storage
@@ -18,7 +18,8 @@ def get_repository_images_recursive(docker_image_ids):
 
       Note: This is a DB intensive operation and should be used sparingly.
   """
-  inner_images = Image.select('%/' + Image.id + '/%').where(Image.docker_image_id << docker_image_ids)
+  # TODO: test this on MySQL and Postgres
+  inner_images = Image.select(SQL('"%/" || id || "/%"')).where(Image.docker_image_id << docker_image_ids)
 
   images = Image.select(Image.id).where(Image.docker_image_id << docker_image_ids)
   recursive_images = Image.select(Image.id).where(Image.ancestors ** inner_images)
diff --git a/endpoints/api/sec.py b/endpoints/api/sec.py
index e4550f488..a0703b6f5 100644
--- a/endpoints/api/sec.py
+++ b/endpoints/api/sec.py
@@ -65,7 +65,8 @@ class RepositoryTagVulnerabilities(RepositoryParamResource):
         'security_indexed': False
       }
 
-    data = _call_security_api('layers/%s/vulnerabilities', tag_image.docker_image_id,
+    data = _call_security_api('layers/%s.%s/vulnerabilities', tag_image.docker_image_id,
+                              tag_image.storage.uuid,
                               minimumPriority=args.minimumPriority)
 
     return {
@@ -79,7 +80,7 @@ class RepositoryTagVulnerabilities(RepositoryParamResource):
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('imageid', 'The image ID')
 class RepositoryImagePackages(RepositoryParamResource):
-  """ Operations for listing the packages added/removed in an image. """
+  """ Operations for listing the packages in an image. """
 
   @require_repo_read
   @nickname('getRepoImagePackages')
@@ -94,7 +95,8 @@ class RepositoryImagePackages(RepositoryParamResource):
         'security_indexed': False
       }
 
-    data = _call_security_api('layers/%s/packages/diff', repo_image.docker_image_id)
+    data = _call_security_api('layers/%s.%s/packages', repo_image.docker_image_id,
+                              repo_image.storage.uuid)
 
     return {
       'security_indexed': True,
diff --git a/endpoints/sec.py b/endpoints/sec.py
index c8b0e342b..367e77fd0 100644
--- a/endpoints/sec.py
+++ b/endpoints/sec.py
@@ -13,14 +13,17 @@ sec = Blueprint('sec', __name__)
 @sec.route('/notification', methods=['POST'])
 def sec_notification():
   data = request.get_json()
-  print data
 
   # Find all tags that contain the layer(s) introducing the vulnerability.
   # TODO: remove this check once fixed.
   if not 'IntroducingLayersIDs' in data['Content']:
     return make_response('Okay')
 
-  layer_ids = data['Content']['IntroducingLayersIDs']
+  # TODO: fix this for the image_id.storage thing properly.
+  layer_ids = [full_id.split('.')[0] for full_id in data['Content']['IntroducingLayersIDs']]
+  if not layer_ids:
+    return make_response('Okay')
+
   tags = model.tag.get_matching_tags(layer_ids, RepositoryTag, Repository, Image)
 
   # For any repository that has a notification setup, issue a notification.
diff --git a/static/css/directives/repo-view/repo-panel-tags.css b/static/css/directives/repo-view/repo-panel-tags.css
index fe9a60385..6bc6975e1 100644
--- a/static/css/directives/repo-view/repo-panel-tags.css
+++ b/static/css/directives/repo-view/repo-panel-tags.css
@@ -94,8 +94,9 @@
 }
 
 .repo-panel-tags-element .vuln-description {
-  color: #ccc;
+  color: #aaa;
   font-size: 10px;
+  white-space: normal;
 }
 
 .repo-panel-tags-element .fa-flag.None {
@@ -110,6 +111,10 @@
   color: red;
 }
 
+.repo-panel-tags-element .vuln-dropdown ul {
+  min-width: 400px;
+}
+
 @keyframes flickerAnimation { /* flame pulses */
   0%   { opacity:1; }
   50%  { opacity:0; }
diff --git a/static/directives/repo-view/repo-panel-tags.html b/static/directives/repo-view/repo-panel-tags.html
index f5690d29b..7d369f3f9 100644
--- a/static/directives/repo-view/repo-panel-tags.html
+++ b/static/directives/repo-view/repo-panel-tags.html
@@ -126,7 +126,7 @@
              data-title="Image has no vulnerabilities"
              bs-tooltip>
           </i>
-          <div class="dropdown" style="text-align: left;"
+          <div class="dropdown vuln-dropdown" style="text-align: left;"
                ng-if="getTagVulnerabilities(tag).indexed && getTagVulnerabilities(tag).hasVulnerabilities">
             <i class="fa fa-flag"
                data-title="Image has vulnerabilities"
diff --git a/static/partials/image-view.html b/static/partials/image-view.html
index 3213ee7ac..ee306150f 100644
--- a/static/partials/image-view.html
+++ b/static/partials/image-view.html
@@ -68,21 +68,21 @@
                 Please try again in a few minutes.
               </div>
             </div>
-            <div class="empty" ng-if="packages.security_indexed && !packages.data.InstalledPackages.length">
+            <div class="empty" ng-if="packages.security_indexed && !packages.data.Packages.length">
               <div class="empty-primary-msg">This image contains no recognized packages</div>
               <div class="empty-secondary-msg">
                 Quay currently indexes Debian, Red Hat and Ubuntu packages.
               </div>
             </div>
 
-            <table class="table" ng-if="packages.security_indexed && packages.data.InstalledPackages.length">
+            <table class="table" ng-if="packages.security_indexed && packages.data.Packages.length">
               <thead>
                 <th>Package Name</th>
                 <th>Package Version</th>
                 <th>OS</th>
               </thead>
 
-              <tr ng-repeat="package in packages.data.InstalledPackages | orderBy:'Name'">
+              <tr ng-repeat="package in packages.data.Packages | orderBy:'Name'">
                 <td>{{ package.Name }}</td>
                 <td>{{ package.Version }}</td>
                 <td>{{ package.OS }}</td>
diff --git a/workers/securityworker.py b/workers/securityworker.py
index f3c2cd5b0..5a377ec95 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -97,13 +97,13 @@ def _update_image(image, indexed, version):
       .where(Image.docker_image_id == image['docker_image_id'], ImageStorage.uuid == image['storage_uuid']))
 
   updated_images = list()
-  for image in query:
-    updated_images.append(image.id)
+  for row in query:
+    updated_images.append(row.id)
 
-  query = (Image
+  (Image
       .update(security_indexed=indexed, security_indexed_engine=version)
-      .where(Image.id << updated_images))
-  query.execute()
+      .where(Image.id << updated_images)
+      .execute())
 
 class SecurityWorker(Worker):
   def __init__(self):
@@ -163,14 +163,17 @@ class SecurityWorker(Worker):
           # Get layer storage URL
           path = storage.image_layer_path(img['storage_uuid'])
           locations = self._default_storage_locations
+
           if not storage.exists(locations, path):
             locations = _get_storage_locations(img['storage_uuid'])
+
           if not storage.exists(locations, path):
             logger.warning('Could not find a valid location to download layer %s', img['docker_image_id']+'.'+img['storage_uuid'])
             # Mark as analyzed because that error is most likely to occur during the pre-process, with the database copy
             # when images are actually removed on the real database (and therefore in S3)
             _update_image(img, False, self._target_version)
             continue
+
           uri = storage.get_direct_download_url(locations, path)
           if uri == None:
             # Local storage hack
@@ -200,69 +203,7 @@ class SecurityWorker(Worker):
             logger.exception('An exception occurred when analyzing layer ID %s : the response is not valid JSON (%s)', request['ID'], httpResponse.text)
             return
 
-          if httpResponse.status_code == 201:
-            # The layer has been successfully indexed
-            api_version = jsonResponse['Version']
-            if api_version < self._target_version:
-              logger.warning('An engine runs on version %d but the target version is %d')
-            _update_image(img, True, api_version)
-            logger.info('Layer ID %s : analyzed successfully', request['ID'])
-
-
-            # TODO(jschorr): Put this in a proper place, properly comment, unify with the
-            # callback code, etc.
-            try:
-              logger.debug('Loading vulnerabilities for layer %s', img['image_id'])
-              response = sec_endpoint.call_api('layers/%s/vulnerabilities', request['ID'])
-            except requests.exceptions.Timeout:
-              logger.debug('Timeout when calling Sec')
-              continue
-            except requests.exceptions.ConnectionError:
-              logger.debug('Connection error when calling Sec')
-              continue
-
-            logger.debug('Got response %s for vulnerabilities for layer %s', response.status_code, img['image_id'])
-            if response.status_code == 404:
-              continue
-
-            sec_data = json.loads(response.text)
-            logger.debug('Got response vulnerabilities for layer %s: %s', img['image_id'], sec_data)
-
-            if not sec_data['Vulnerabilities']:
-              continue
-
-            event = ExternalNotificationEvent.get(name='vulnerability_found')
-            matching = (RepositoryTag
-              .select(RepositoryTag, Repository)
-              .distinct()
-              .join(Repository)
-              .join(RepositoryNotification)
-              .where(RepositoryNotification.event == event,
-                     RepositoryTag.image == img['image_id']))
-
-            repository_map = defaultdict(list)
-
-            for tag in matching:
-              repository_map[tag.repository_id].append(tag)
-
-            for repository_id in repository_map:
-              tags = repository_map[repository_id]
-
-              for vuln in sec_data['Vulnerabilities']:
-                event_data = {
-                  'tags': [tag.name for tag in tags],
-                  'vulnerability': {
-                    'id': vuln['ID'],
-                    'description': vuln['Description'],
-                    'link': vuln['Link'],
-                    'priority': vuln['Priority'],
-                  },
-                }
-
-                spawn_notification(tags[0].repository, 'vulnerability_found', event_data)
-
-
-          else:
+          if httpResponse.status_code != 201:
             if 'Message' in jsonResponse:
               if 'OS and/or package manager are not supported' in jsonResponse['Message']:
                 # The current engine could not index this layer
@@ -276,6 +217,68 @@ class SecurityWorker(Worker):
               logger.exception('An exception occurred when analyzing layer ID %s : %d', request['ID'], httpResponse.status_code)
               return
 
+          # The layer has been successfully indexed
+          api_version = jsonResponse['Version']
+          if api_version < self._target_version:
+            logger.warning('An engine runs on version %d but the target version is %d')
+
+          logger.debug('Layer %s analyzed successfully', request['ID'])
+          _update_image(img, True, api_version)
+
+
+          # TODO(jschorr): Put this in a proper place, properly comment, unify with the
+          # callback code, etc.
+          try:
+            logger.debug('Loading vulnerabilities for layer %s', img['image_id'])
+            response = sec_endpoint.call_api('layers/%s/vulnerabilities', request['ID'])
+          except requests.exceptions.Timeout:
+            logger.debug('Timeout when calling Sec')
+            continue
+          except requests.exceptions.ConnectionError:
+            logger.debug('Connection error when calling Sec')
+            continue
+
+          logger.debug('Got response %s for vulnerabilities for layer %s', response.status_code, img['image_id'])
+          if response.status_code == 404:
+            continue
+
+          sec_data = json.loads(response.text)
+          logger.debug('Got response vulnerabilities for layer %s: %s', img['image_id'], sec_data)
+
+          if not sec_data['Vulnerabilities']:
+            continue
+
+          event = ExternalNotificationEvent.get(name='vulnerability_found')
+          matching = (RepositoryTag
+            .select(RepositoryTag, Repository)
+            .distinct()
+            .join(Repository)
+            .join(RepositoryNotification)
+            .where(RepositoryNotification.event == event,
+                   RepositoryTag.image == img['image_id']))
+
+          repository_map = defaultdict(list)
+
+          for tag in matching:
+            repository_map[tag.repository_id].append(tag)
+
+          for repository_id in repository_map:
+            tags = repository_map[repository_id]
+
+            for vuln in sec_data['Vulnerabilities']:
+              event_data = {
+                'tags': [tag.name for tag in tags],
+                'vulnerability': {
+                  'id': vuln['ID'],
+                  'description': vuln['Description'],
+                  'link': vuln['Link'],
+                  'priority': vuln['Priority'],
+                },
+              }
+
+              spawn_notification(tags[0].repository, 'vulnerability_found', event_data)
+
+
 if __name__ == '__main__':
   if not features.SECURITY_SCANNER:
     logger.debug('Security scanner disabled; skipping')

From 02e2bef94371c872552cec88ff68e0433ccdefb4 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 28 Oct 2015 17:06:40 -0400
Subject: [PATCH 12/36] Fix hardcoded priority

---
 endpoints/sec.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/endpoints/sec.py b/endpoints/sec.py
index 367e77fd0..2548e615c 100644
--- a/endpoints/sec.py
+++ b/endpoints/sec.py
@@ -49,7 +49,7 @@ def sec_notification():
         'id': data['Name'],
         'description': 'Some description',
         'link': 'https://security-tracker.debian.org/tracker/CVE-FAKE-CVE',
-        'priority': 'Medium',
+        'priority': 'High',
       },
     }
 

From 7dbe15e339100aaf0cfd4fc0354036f2e7bed04b Mon Sep 17 00:00:00 2001
From: Quentin Machu <me@quentin-machu.fr>
Date: Mon, 9 Nov 2015 14:31:24 -0500
Subject: [PATCH 13/36] Remove checksum from Clair's worker and adjust line
 length

---
 workers/securityworker.py | 126 +++++++++++++++++++++++---------------
 1 file changed, 76 insertions(+), 50 deletions(-)

diff --git a/workers/securityworker.py b/workers/securityworker.py
index 5a377ec95..82a35a5b7 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -32,44 +32,63 @@ def _get_image_to_export(version):
 
   # Without parent
   candidates = (Image
-    .select(Image.id, Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum)
-    .join(ImageStorage)
-    .where(Image.security_indexed_engine < version, Image.parent >> None, ImageStorage.uploading == False, ImageStorage.checksum != '')
-    .limit(BATCH_SIZE*10)
-    .alias('candidates'))
+                .select(Image.id, Image.docker_image_id, ImageStorage.uuid)
+                .join(ImageStorage)
+                .where(Image.security_indexed_engine < version,
+                       Image.parent >> None,
+                       ImageStorage.uploading == False)
+                .limit(BATCH_SIZE*10)
+                .alias('candidates'))
 
   images = (Image
-    .select(candidates.c.id, candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum)
-    .distinct()
-    .from_(candidates)
-    .order_by(db_random_func())
-    .tuples()
-    .limit(BATCH_SIZE))
+            .select(candidates.c.id, candidates.c.docker_image_id, candidates.c.uuid)
+            .from_(candidates)
+            .order_by(db_random_func())
+            .tuples()
+            .limit(BATCH_SIZE))
 
   for image in images:
-    rimages.append({'image_id': image[0], 'docker_image_id': image[1], 'storage_uuid': image[2], 'storage_checksum': image[3], 'parent_docker_image_id': None, 'parent_storage_uuid': None})
+    rimages.append({'image_id': image[0],
+                    'docker_image_id': image[0],
+                    'storage_uuid': image[1],
+                    'parent_docker_image_id': None,
+                    'parent_storage_uuid': None})
 
   # With analyzed parent
   candidates = (Image
-      .select(Image.id, Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum, Parent.docker_image_id.alias('parent_docker_image_id'), ParentImageStorage.uuid.alias('parent_storage_uuid'))
-      .join(Parent, on=(Image.parent == Parent.id))
-      .join(ParentImageStorage, on=(ParentImageStorage.id == Parent.storage))
-      .switch(Image)
-      .join(ImageStorage)
-      .where(Image.security_indexed_engine < version, Parent.security_indexed == True, Parent.security_indexed_engine >= version, ImageStorage.uploading == False, ImageStorage.checksum != '')
-      .limit(BATCH_SIZE*10)
-      .alias('candidates'))
+                .select(Image.id,
+                        Image.docker_image_id,
+                        ImageStorage.uuid,
+                        Parent.docker_image_id.alias('parent_docker_image_id'),
+                        ParentImageStorage.uuid.alias('parent_storage_uuid'))
+                .join(Parent, on=(Image.parent == Parent.id))
+                .join(ParentImageStorage, on=(ParentImageStorage.id == Parent.storage))
+                .switch(Image)
+                .join(ImageStorage)
+                .where(Image.security_indexed_engine < version,
+                       Parent.security_indexed == True,
+                       Parent.security_indexed_engine >= version,
+                       ImageStorage.uploading == False)
+                .limit(BATCH_SIZE*10)
+                .alias('candidates'))
 
   images = (Image
-    .select(candidates.c.id, candidates.c.docker_image_id, candidates.c.uuid, candidates.c.checksum, candidates.c.parent_docker_image_id, candidates.c.parent_storage_uuid)
-    .distinct()
-    .from_(candidates)
-    .order_by(db_random_func())
-    .tuples()
-    .limit(BATCH_SIZE))
+            .select(candidates.c.id,
+                    candidates.c.docker_image_id,
+                    candidates.c.uuid,
+                    candidates.c.parent_docker_image_id,
+                    candidates.c.parent_storage_uuid)
+            .from_(candidates)
+            .order_by(db_random_func())
+            .tuples()
+            .limit(BATCH_SIZE))
 
   for image in images:
-    rimages.append({'image_id': image[0], 'docker_image_id': image[1], 'storage_uuid': image[2], 'storage_checksum': image[3], 'parent_docker_image_id': image[4], 'parent_storage_uuid': image[5]})
+    rimages.append({'image_id': image[0],
+                    'docker_image_id': image[1],
+                    'storage_uuid': image[2],
+                    'parent_docker_image_id': image[3],
+                    'parent_storage_uuid': image[4]})
 
   # Re-shuffle, otherwise the images without parents will always be on the top
   random.shuffle(rimages)
@@ -78,11 +97,11 @@ def _get_image_to_export(version):
 
 def _get_storage_locations(uuid):
   query = (ImageStoragePlacement
-      .select()
-      .join(ImageStorageLocation)
-      .switch(ImageStoragePlacement)
-      .join(ImageStorage, JOIN_LEFT_OUTER)
-      .where(ImageStorage.uuid == uuid))
+           .select()
+           .join(ImageStorageLocation)
+           .switch(ImageStoragePlacement)
+           .join(ImageStorage, JOIN_LEFT_OUTER)
+           .where(ImageStorage.uuid == uuid))
 
   locations = list()
   for location in query:
@@ -92,9 +111,10 @@ def _get_storage_locations(uuid):
 
 def _update_image(image, indexed, version):
   query = (Image
-      .select()
-      .join(ImageStorage)
-      .where(Image.docker_image_id == image['docker_image_id'], ImageStorage.uuid == image['storage_uuid']))
+           .select()
+           .join(ImageStorage)
+           .where(Image.docker_image_id == image['docker_image_id'],
+                  ImageStorage.uuid == image['storage_uuid']))
 
   updated_images = list()
   for row in query:
@@ -115,18 +135,20 @@ class SecurityWorker(Worker):
     # Load configuration
     config = app.config.get('SECURITY_SCANNER')
 
-    if not config or not 'ENDPOINT' in config or not 'ENGINE_VERSION_TARGET' in config or not 'DISTRIBUTED_STORAGE_PREFERENCE' in app.config:
+    if (not config
+        or not 'ENDPOINT' in config or not 'ENGINE_VERSION_TARGET' in config
+        or not 'DISTRIBUTED_STORAGE_PREFERENCE' in app.config):
       logger.exception('No configuration found for the security worker')
       return False
     self._api = config['ENDPOINT']
     self._target_version = config['ENGINE_VERSION_TARGET']
     self._default_storage_locations = app.config['DISTRIBUTED_STORAGE_PREFERENCE']
 
-    self._ca_verification = False
+    self._ca = False
     self._cert = None
     if 'CA_CERTIFICATE_FILENAME' in config:
-      self._ca_verification = os.path.join(OVERRIDE_CONFIG_DIRECTORY, config['CA_CERTIFICATE_FILENAME'])
-      if not os.path.isfile(self._ca_verification):
+      self._ca = os.path.join(OVERRIDE_CONFIG_DIRECTORY, config['CA_CERTIFICATE_FILENAME'])
+      if not os.path.isfile(self._ca):
         logger.exception('Could not find configured CA file')
         return False
     if 'PRIVATE_KEY_FILENAME' in config and 'PUBLIC_KEY_FILENAME' in config:
@@ -168,9 +190,8 @@ class SecurityWorker(Worker):
             locations = _get_storage_locations(img['storage_uuid'])
 
           if not storage.exists(locations, path):
-            logger.warning('Could not find a valid location to download layer %s', img['docker_image_id']+'.'+img['storage_uuid'])
-            # Mark as analyzed because that error is most likely to occur during the pre-process, with the database copy
-            # when images are actually removed on the real database (and therefore in S3)
+            logger.warning('Could not find a valid location to download layer %s',
+                           img['docker_image_id']+'.'+img['storage_uuid'])
             _update_image(img, False, self._target_version)
             continue
 
@@ -182,10 +203,9 @@ class SecurityWorker(Worker):
           # Forge request
           request = {
             'ID': img['docker_image_id']+'.'+img['storage_uuid'],
-            'TarSum': img['storage_checksum'],
             'Path': uri
           }
-          if img['parent_docker_image_id'] is not None:
+          if img['parent_docker_image_id'] is not None and img['parent_storage_uuid'] is not None:
             request['ParentID'] = img['parent_docker_image_id']+'.'+img['parent_storage_uuid']
 
           # Post request
@@ -193,28 +213,34 @@ class SecurityWorker(Worker):
             logger.info('Analyzing %s', request['ID'])
             # Using invalid certificates doesn't return proper errors because of
             # https://github.com/shazow/urllib3/issues/556
-            httpResponse = requests.post(self._api + API_METHOD_INSERT, json=request, cert=self._cert, verify=self._ca_verification)
+            httpResponse = requests.post(self._api + API_METHOD_INSERT, json=request,
+                                         cert=self._cert, verify=self._ca)
           except:
-            logger.exception('An exception occurred when analyzing layer ID %s : %s', request['ID'], exc_info()[0])
+            logger.exception('An exception occurred when analyzing layer ID %s : %s',
+                             request['ID'], exc_info()[0])
             return
           try:
             jsonResponse = httpResponse.json()
           except:
-            logger.exception('An exception occurred when analyzing layer ID %s : the response is not valid JSON (%s)', request['ID'], httpResponse.text)
+            logger.exception('An exception occurred when analyzing layer ID %s : the response is \
+                             not valid JSON (%s)', request['ID'], httpResponse.text)
             return
 
           if httpResponse.status_code != 201:
             if 'Message' in jsonResponse:
               if 'OS and/or package manager are not supported' in jsonResponse['Message']:
                 # The current engine could not index this layer
-                logger.warning('A warning event occurred when analyzing layer ID %s : %s', request['ID'], jsonResponse['Message'])
+                logger.warning('A warning event occurred when analyzing layer ID %s : %s',
+                               request['ID'], jsonResponse['Message'])
                 # Hopefully, there is no version lower than the target one running
                 _update_image(img, False, self._target_version)
               else:
-                logger.exception('An exception occurred when analyzing layer ID %s : %d %s', request['ID'], httpResponse.status_code, jsonResponse['Message'])
+                logger.exception('An exception occurred when analyzing layer ID %s : %d %s',
+                                 request['ID'], httpResponse.status_code, jsonResponse['Message'])
                 return
             else:
-              logger.exception('An exception occurred when analyzing layer ID %s : %d', request['ID'], httpResponse.status_code)
+              logger.exception('An exception occurred when analyzing layer ID %s : %d',
+                               request['ID'], httpResponse.status_code)
               return
 
           # The layer has been successfully indexed

From 16c364a90c4220c704caf3b5d3503f27511998b7 Mon Sep 17 00:00:00 2001
From: Quentin Machu <me@quentin-machu.fr>
Date: Mon, 9 Nov 2015 15:14:25 -0500
Subject: [PATCH 14/36] Rename secscan_endpoint where required, fix index and
 indentation

---
 endpoints/api/sec.py      |  4 ++--
 workers/securityworker.py | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/endpoints/api/sec.py b/endpoints/api/sec.py
index a0703b6f5..d080d2fe1 100644
--- a/endpoints/api/sec.py
+++ b/endpoints/api/sec.py
@@ -5,7 +5,7 @@ import features
 import json
 import requests
 
-from app import sec_endpoint
+from app import secscan_endpoint
 from data import model
 from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
                            RepositoryParamResource, resource, nickname, show_if, parse_args,
@@ -18,7 +18,7 @@ logger = logging.getLogger(__name__)
 def _call_security_api(relative_url, *args, **kwargs):
   """ Issues an HTTP call to the sec API at the given relative URL. """
   try:
-    response = sec_endpoint.call_api(relative_url, *args, **kwargs)
+    response = secscan_endpoint.call_api(relative_url, *args, **kwargs)
   except requests.exceptions.Timeout:
     raise DownstreamIssue(payload=dict(message='API call timed out'))
   except requests.exceptions.ConnectionError:
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 82a35a5b7..1deba196a 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -12,7 +12,7 @@ from endpoints.notificationhelper import spawn_notification
 from collections import defaultdict
 from sys import exc_info
 from peewee import JOIN_LEFT_OUTER
-from app import app, storage, OVERRIDE_CONFIG_DIRECTORY, sec_endpoint
+from app import app, storage, OVERRIDE_CONFIG_DIRECTORY, secscan_endpoint
 from workers.worker import Worker
 from data.database import (Image, ImageStorage, ImageStorageLocation, ImageStoragePlacement,
                            db_random_func, UseThenDisconnect, RepositoryTag, Repository,
@@ -49,8 +49,8 @@ def _get_image_to_export(version):
 
   for image in images:
     rimages.append({'image_id': image[0],
-                    'docker_image_id': image[0],
-                    'storage_uuid': image[1],
+                    'docker_image_id': image[1],
+                    'storage_uuid': image[2],
                     'parent_docker_image_id': None,
                     'parent_storage_uuid': None})
 
@@ -102,7 +102,7 @@ def _get_storage_locations(uuid):
            .switch(ImageStoragePlacement)
            .join(ImageStorage, JOIN_LEFT_OUTER)
            .where(ImageStorage.uuid == uuid))
-
+  return query.get()
   locations = list()
   for location in query:
     locations.append(location.location.name)
@@ -189,11 +189,11 @@ class SecurityWorker(Worker):
           if not storage.exists(locations, path):
             locations = _get_storage_locations(img['storage_uuid'])
 
-          if not storage.exists(locations, path):
-            logger.warning('Could not find a valid location to download layer %s',
-                           img['docker_image_id']+'.'+img['storage_uuid'])
-            _update_image(img, False, self._target_version)
-            continue
+            if not storage.exists(locations, path):
+              logger.warning('Could not find a valid location to download layer %s',
+                             img['docker_image_id']+'.'+img['storage_uuid'])
+              _update_image(img, False, self._target_version)
+              continue
 
           uri = storage.get_direct_download_url(locations, path)
           if uri == None:
@@ -256,7 +256,7 @@ class SecurityWorker(Worker):
           # callback code, etc.
           try:
             logger.debug('Loading vulnerabilities for layer %s', img['image_id'])
-            response = sec_endpoint.call_api('layers/%s/vulnerabilities', request['ID'])
+            response = secscan_endpoint.call_api('layers/%s/vulnerabilities', request['ID'])
           except requests.exceptions.Timeout:
             logger.debug('Timeout when calling Sec')
             continue

From a69c9e12fdb84ace59426f39f6f41206c6cc4a1b Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 9 Nov 2015 17:12:22 -0500
Subject: [PATCH 15/36] Update quay sec code to fix problems identified in
 previous review

- Change get_repository_images_recursive to operate over a single docker image and storage uuid
- Move endpoints/sec to endpoints/secscan
- Change notification system to work with new Quay-sec format

Fixes #768
---
 data/model/image.py             | 25 ++++++----
 data/model/tag.py               | 11 +++--
 endpoints/api/secscan.py        |  2 +-
 endpoints/sec.py                | 58 ----------------------
 endpoints/secscan.py            | 88 +++++++++++++++++++++++++++++++++
 util/secscan/secscanendpoint.py | 37 ++++++++++++--
 web.py                          |  4 +-
 7 files changed, 146 insertions(+), 79 deletions(-)
 delete mode 100644 endpoints/sec.py
 create mode 100644 endpoints/secscan.py

diff --git a/data/model/image.py b/data/model/image.py
index 8fcddc032..9421e29ab 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -12,18 +12,23 @@ from data.database import (Image, Repository, ImageStoragePlacement, Namespace,
 logger = logging.getLogger(__name__)
 
 
-def get_repository_images_recursive(docker_image_ids):
-  """ Returns a query matching the given docker image IDs, along with any which have the image IDs
-      as parents.
-
-      Note: This is a DB intensive operation and should be used sparingly.
+def get_repository_image_and_deriving(docker_image_id, storage_uuid):
+  """ Returns all matching images with the given docker image ID and storage uuid, along with any
+      images which have the image ID as parents.
   """
-  # TODO: test this on MySQL and Postgres
-  inner_images = Image.select(SQL('"%/" || id || "/%"')).where(Image.docker_image_id << docker_image_ids)
+  try:
+    image_found = (Image
+                    .select()
+                    .join(ImageStorage)
+                    .where(Image.docker_image_id == docker_image_id,
+                           ImageStorage.uuid == storage_uuid)
+                    .get())
+  except Image.DoesNotExist:
+    return Image.select().where(Image.id < 0) # Empty query
 
-  images = Image.select(Image.id).where(Image.docker_image_id << docker_image_ids)
-  recursive_images = Image.select(Image.id).where(Image.ancestors ** inner_images)
-  return recursive_images | images
+  ancestors_pattern = '%s%s/%%' % (image_found.ancestors, image_found.id)
+  return Image.select().where((Image.ancestors ** ancestors_pattern) |
+                              (Image.id == image_found.id))
 
 
 def get_parent_images(namespace_name, repository_name, image_obj):
diff --git a/data/model/tag.py b/data/model/tag.py
index 535d6c533..fcaa7f342 100644
--- a/data/model/tag.py
+++ b/data/model/tag.py
@@ -12,14 +12,17 @@ def _tag_alive(query, now_ts=None):
                      (RepositoryTag.lifetime_end_ts > now_ts))
 
 
-def get_matching_tags(docker_image_ids, *args):
-  """ Returns a query pointing to all tags that contain the given image(s). """
+def get_matching_tags(docker_image_id, storage_uuid, *args):
+  """ Returns a query pointing to all tags that contain the image with the
+      given docker_image_id and storage_uuid. """
+  image_query = image.get_repository_image_and_deriving(docker_image_id, storage_uuid)
+
   return (RepositoryTag
             .select(*args)
             .distinct()
             .join(Image)
-            .where(Image.id << image.get_repository_images_recursive(docker_image_ids),
-                   RepositoryTag.lifetime_end_ts >> None))
+            .join(ImageStorage)
+            .where(Image.id << image_query, RepositoryTag.lifetime_end_ts >> None))
 
 
 def list_repository_tags(namespace_name, repository_name, include_hidden=False,
diff --git a/endpoints/api/secscan.py b/endpoints/api/secscan.py
index ab3f73051..9a1773ccb 100644
--- a/endpoints/api/secscan.py
+++ b/endpoints/api/secscan.py
@@ -18,7 +18,7 @@ logger = logging.getLogger(__name__)
 def _call_security_api(relative_url, *args, **kwargs):
   """ Issues an HTTP call to the sec API at the given relative URL. """
   try:
-    response = secscan_endpoint.call_api(relative_url, *args, **kwargs)
+    response = secscan_endpoint.call_api(relative_url, body=None, *args, **kwargs)
   except requests.exceptions.Timeout:
     raise DownstreamIssue(payload=dict(message='API call timed out'))
   except requests.exceptions.ConnectionError:
diff --git a/endpoints/sec.py b/endpoints/sec.py
deleted file mode 100644
index 2548e615c..000000000
--- a/endpoints/sec.py
+++ /dev/null
@@ -1,58 +0,0 @@
-import logging
-
-from flask import request, make_response, Blueprint
-from data import model
-from data.database import RepositoryNotification, Repository, ExternalNotificationEvent, RepositoryTag, Image
-from endpoints.notificationhelper import spawn_notification
-from collections import defaultdict
-
-logger = logging.getLogger(__name__)
-
-sec = Blueprint('sec', __name__)
-
-@sec.route('/notification', methods=['POST'])
-def sec_notification():
-  data = request.get_json()
-
-  # Find all tags that contain the layer(s) introducing the vulnerability.
-  # TODO: remove this check once fixed.
-  if not 'IntroducingLayersIDs' in data['Content']:
-    return make_response('Okay')
-
-  # TODO: fix this for the image_id.storage thing properly.
-  layer_ids = [full_id.split('.')[0] for full_id in data['Content']['IntroducingLayersIDs']]
-  if not layer_ids:
-    return make_response('Okay')
-
-  tags = model.tag.get_matching_tags(layer_ids, RepositoryTag, Repository, Image)
-
-  # For any repository that has a notification setup, issue a notification.
-  event = ExternalNotificationEvent.get(name='vulnerability_found')
-
-  matching = (tags.switch(RepositoryTag)
-    .join(Repository)
-    .join(RepositoryNotification)
-    .where(RepositoryNotification.event == event))
-
-  repository_map = defaultdict(list)
-
-  for tag in matching:
-    repository_map[tag.repository_id].append(tag)
-
-  for repository_id in repository_map:
-    tags = repository_map[repository_id]
-
-    # TODO(jschorr): Pull out the other metadata once added.
-    event_data = {
-      'tags': [tag.name for tag in tags],
-      'vulnerability': {
-        'id': data['Name'],
-        'description': 'Some description',
-        'link': 'https://security-tracker.debian.org/tracker/CVE-FAKE-CVE',
-        'priority': 'High',
-      },
-    }
-
-    spawn_notification(tags[0].repository, 'vulnerability_found', event_data)
-
-  return make_response('Okay')
diff --git a/endpoints/secscan.py b/endpoints/secscan.py
new file mode 100644
index 000000000..874aec243
--- /dev/null
+++ b/endpoints/secscan.py
@@ -0,0 +1,88 @@
+import logging
+import features
+
+from app import secscan_endpoint
+from flask import request, make_response, Blueprint
+from data import model
+from data.database import (RepositoryNotification, Repository, ExternalNotificationEvent,
+                           RepositoryTag, Image, ImageStorage)
+from endpoints.common import route_show_if
+from endpoints.notificationhelper import spawn_notification
+from collections import defaultdict
+
+logger = logging.getLogger(__name__)
+secscan = Blueprint('secscan', __name__)
+
+@route_show_if(features.SECURITY_SCANNER)
+@secscan.route('/notification', methods=['POST'])
+def secscan_notification():
+  data = request.get_json()
+  logger.debug('Got notification from Clair: %s', data)
+
+  # Find all tags that contain the layer(s) introducing the vulnerability.
+  content = data['Content']
+  layer_ids = content.get('NewIntroducingLayersIDs', content.get('IntroducingLayersIDs', []))
+  if not layer_ids:
+    return make_response('Okay')
+
+  # TODO(jzelinkskie): Write a queueitem for these layer ids, and do the rest of this
+  # in a worker.
+  cve_id = data['Name']
+  vulnerability = data['Content']['Vulnerability']
+  priority = vulnerability['Priority']
+
+  # Lookup the external event for when we have vulnerabilities.
+  event = ExternalNotificationEvent.get(name='vulnerability_found')
+
+  # For each layer, retrieving the matching tags and join with repository to determine which
+  # require new notifications.
+  tag_map = defaultdict(set)
+  repository_map = {}
+
+  for layer_id in layer_ids:
+    (docker_image_id, storage_uuid) = layer_id.split('.', 2)
+    tags = model.tag.get_matching_tags(docker_image_id, storage_uuid, RepositoryTag,
+                                       Repository, Image, ImageStorage)
+
+    # Additionally filter to tags only in repositories that have the event setup.
+    matching = (tags.switch(RepositoryTag)
+      .join(Repository)
+      .join(RepositoryNotification)
+      .where(RepositoryNotification.event == event))
+
+    check_map = {}
+    for tag in matching:
+      # Verify that the tag's root image has the vulnerability.
+      tag_layer_id = '%s.%s' % (tag.image.docker_image_id, tag.image.storage.uuid)
+      logger.debug('Checking if layer %s is vulnerable to %s', tag_layer_id, cve_id)
+
+      if not tag_layer_id in check_map:
+        is_vulerable = secscan_endpoint.check_layer_vulnerable(tag_layer_id, cve_id)
+        check_map[tag_layer_id] = is_vulerable
+
+      logger.debug('Result of layer %s is vulnerable to %s check: %s', tag_layer_id, cve_id,
+                   check_map[tag_layer_id])
+
+      if check_map[tag_layer_id]:
+        # Add the vulnerable tag to the list.
+        tag_map[tag.repository_id].add(tag.name)
+        repository_map[tag.repository_id] = tag.repository
+
+  # For each of the tags found, issue a notification.
+  for repository_id in tag_map:
+    tags = tag_map[repository_id]
+    event_data = {
+      'tags': list(tags),
+      'vulnerability': {
+        'id': data['Name'],
+        'description': vulnerability['Description'],
+        'link': vulnerability['Link'],
+        'priority': priority,
+      },
+    }
+
+    # TODO: only add this notification if the repository's event(s) defined meet the priority
+    # minimum.
+    spawn_notification(repository_map[repository_id], 'vulnerability_found', event_data)
+
+  return make_response('Okay')
diff --git a/util/secscan/secscanendpoint.py b/util/secscan/secscanendpoint.py
index 7f759219b..2cd24fab1 100644
--- a/util/secscan/secscanendpoint.py
+++ b/util/secscan/secscanendpoint.py
@@ -1,7 +1,6 @@
 import features
 import logging
 import requests
-import json
 
 from urlparse import urljoin
 
@@ -36,7 +35,33 @@ class SecurityScanEndpoint(object):
 
     return None
 
-  def call_api(self, relative_url, *args, **kwargs):
+  def check_layer_vulnerable(self, layer_id, cve_id):
+    """ Checks with Clair whether the given layer is vulnerable to the given CVE. """
+    try:
+      body = {
+        'LayersIDs': [layer_id]
+      }
+      response = self.call_api('vulnerabilities/%s/affected-layers', body, cve_id)
+    except requests.exceptions.RequestException:
+      logger.exception('Got exception when trying to call Clair endpoint')
+      return False
+
+    if response.status_code != 200:
+      return False
+
+    try:
+      response_data = response.json()
+    except ValueError:
+      logger.exception('Got exception when trying to parse Clair response')
+      return False
+
+    if (not layer_id in response_data or
+        not response_data[layer_id].get('Vulnerable', False)):
+      return False
+
+    return True
+
+  def call_api(self, relative_url, body=None, *args, **kwargs):
     """ Issues an HTTP call to the sec API at the given relative URL. """
     security_config = self.security_config
     api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
@@ -46,5 +71,9 @@ class SecurityScanEndpoint(object):
     timeout = security_config.get('API_TIMEOUT_SECONDS', 1)
     logger.debug('Looking up sec information: %s', url)
 
-    return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
-                      verify=self.certificate)
\ No newline at end of file
+    if body is not None:
+      return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self.keys,
+                         verify=self.certificate)
+    else:
+      return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
+                        verify=self.certificate)
\ No newline at end of file
diff --git a/web.py b/web.py
index 5430e7b93..445c2fa5b 100644
--- a/web.py
+++ b/web.py
@@ -11,7 +11,7 @@ from endpoints.oauthlogin import oauthlogin
 from endpoints.githubtrigger import githubtrigger
 from endpoints.gitlabtrigger import gitlabtrigger
 from endpoints.bitbuckettrigger import bitbuckettrigger
-from endpoints.sec import sec
+from endpoints.secscan import secscan
 
 if os.environ.get('DEBUGLOG') == 'true':
   logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
@@ -24,4 +24,4 @@ application.register_blueprint(bitbuckettrigger, url_prefix='/oauth1')
 application.register_blueprint(api_bp, url_prefix='/api')
 application.register_blueprint(webhooks, url_prefix='/webhooks')
 application.register_blueprint(realtime, url_prefix='/realtime')
-application.register_blueprint(sec, url_prefix='/sec')
+application.register_blueprint(secscan, url_prefix='/secscan')

From dc476470fe282abbf5ca255fdf05bac241ab31e3 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Mon, 9 Nov 2015 18:30:14 -0500
Subject: [PATCH 16/36] add secscan notification queue

---
 app.py    | 2 ++
 config.py | 1 +
 2 files changed, 3 insertions(+)

diff --git a/app.py b/app.py
index 01c4ae6ab..bbc8ecee1 100644
--- a/app.py
+++ b/app.py
@@ -148,6 +148,8 @@ image_replication_queue = WorkQueue(app.config['REPLICATION_QUEUE_NAME'], tf)
 dockerfile_build_queue = WorkQueue(app.config['DOCKERFILE_BUILD_QUEUE_NAME'], tf,
                                    reporter=MetricQueueReporter(metric_queue))
 notification_queue = WorkQueue(app.config['NOTIFICATION_QUEUE_NAME'], tf)
+secscan_notification_queue = WorkQueue(app.config['SECSCAN_NOTIFICATION_QUEUE_NAME'], tf)
+
 secscan_endpoint = SecurityScanEndpoint(app, config_provider)
 
 database.configure(app.config)
diff --git a/config.py b/config.py
index 3e03b951b..3629ecab4 100644
--- a/config.py
+++ b/config.py
@@ -131,6 +131,7 @@ class DefaultConfig(object):
   DIFFS_QUEUE_NAME = 'imagediff'
   DOCKERFILE_BUILD_QUEUE_NAME = 'dockerfilebuild'
   REPLICATION_QUEUE_NAME = 'imagestoragereplication'
+  SECSCAN_NOTIFICATION_QUEUE_NAME = 'secscan_notification'
 
   # Super user config. Note: This MUST BE an empty list for the default config.
   SUPER_USERS = []

From d651ea4b48ba08a209aa5c00a870f3ad86220a82 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Mon, 9 Nov 2015 19:17:15 -0500
Subject: [PATCH 17/36] initial security notification worker

---
 endpoints/secscan.py                    | 71 ++----------------
 workers/security_notification_worker.py | 95 +++++++++++++++++++++++++
 2 files changed, 99 insertions(+), 67 deletions(-)
 create mode 100644 workers/security_notification_worker.py

diff --git a/endpoints/secscan.py b/endpoints/secscan.py
index 874aec243..7576318e8 100644
--- a/endpoints/secscan.py
+++ b/endpoints/secscan.py
@@ -1,14 +1,11 @@
 import logging
+import json
+
 import features
 
-from app import secscan_endpoint
+from app import secscan_notification_queue
 from flask import request, make_response, Blueprint
-from data import model
-from data.database import (RepositoryNotification, Repository, ExternalNotificationEvent,
-                           RepositoryTag, Image, ImageStorage)
 from endpoints.common import route_show_if
-from endpoints.notificationhelper import spawn_notification
-from collections import defaultdict
 
 logger = logging.getLogger(__name__)
 secscan = Blueprint('secscan', __name__)
@@ -19,70 +16,10 @@ def secscan_notification():
   data = request.get_json()
   logger.debug('Got notification from Clair: %s', data)
 
-  # Find all tags that contain the layer(s) introducing the vulnerability.
   content = data['Content']
   layer_ids = content.get('NewIntroducingLayersIDs', content.get('IntroducingLayersIDs', []))
   if not layer_ids:
     return make_response('Okay')
 
-  # TODO(jzelinkskie): Write a queueitem for these layer ids, and do the rest of this
-  # in a worker.
-  cve_id = data['Name']
-  vulnerability = data['Content']['Vulnerability']
-  priority = vulnerability['Priority']
-
-  # Lookup the external event for when we have vulnerabilities.
-  event = ExternalNotificationEvent.get(name='vulnerability_found')
-
-  # For each layer, retrieving the matching tags and join with repository to determine which
-  # require new notifications.
-  tag_map = defaultdict(set)
-  repository_map = {}
-
-  for layer_id in layer_ids:
-    (docker_image_id, storage_uuid) = layer_id.split('.', 2)
-    tags = model.tag.get_matching_tags(docker_image_id, storage_uuid, RepositoryTag,
-                                       Repository, Image, ImageStorage)
-
-    # Additionally filter to tags only in repositories that have the event setup.
-    matching = (tags.switch(RepositoryTag)
-      .join(Repository)
-      .join(RepositoryNotification)
-      .where(RepositoryNotification.event == event))
-
-    check_map = {}
-    for tag in matching:
-      # Verify that the tag's root image has the vulnerability.
-      tag_layer_id = '%s.%s' % (tag.image.docker_image_id, tag.image.storage.uuid)
-      logger.debug('Checking if layer %s is vulnerable to %s', tag_layer_id, cve_id)
-
-      if not tag_layer_id in check_map:
-        is_vulerable = secscan_endpoint.check_layer_vulnerable(tag_layer_id, cve_id)
-        check_map[tag_layer_id] = is_vulerable
-
-      logger.debug('Result of layer %s is vulnerable to %s check: %s', tag_layer_id, cve_id,
-                   check_map[tag_layer_id])
-
-      if check_map[tag_layer_id]:
-        # Add the vulnerable tag to the list.
-        tag_map[tag.repository_id].add(tag.name)
-        repository_map[tag.repository_id] = tag.repository
-
-  # For each of the tags found, issue a notification.
-  for repository_id in tag_map:
-    tags = tag_map[repository_id]
-    event_data = {
-      'tags': list(tags),
-      'vulnerability': {
-        'id': data['Name'],
-        'description': vulnerability['Description'],
-        'link': vulnerability['Link'],
-        'priority': priority,
-      },
-    }
-
-    # TODO: only add this notification if the repository's event(s) defined meet the priority
-    # minimum.
-    spawn_notification(repository_map[repository_id], 'vulnerability_found', event_data)
-
+  secscan_notification_queue.put(data['Name'], json.dumps(data))
   return make_response('Okay')
diff --git a/workers/security_notification_worker.py b/workers/security_notification_worker.py
new file mode 100644
index 000000000..2c89d4623
--- /dev/null
+++ b/workers/security_notification_worker.py
@@ -0,0 +1,95 @@
+import json
+import logging
+import time
+
+from collections import defaultdict
+
+import features
+
+from app import secscan_notification_queue, secscan_endpoint
+from data import model
+from data.database import (Image, ImageStorage, ExternalNotificationEvent,
+                           Repository, RepositoryNotification, RepositoryTag)
+from endpoints.notificationhelper import spawn_notification
+from workers.queueworker import QueueWorker
+
+
+logger = logging.getLogger(__name__)
+
+
+class SecurityNotificationWorker(QueueWorker):
+  def process_queue_item(self, queueitem):
+    data = json.loads(queueitem.body)
+
+    cve_id = data['Name']
+    vulnerability = data['Content']['Vulnerability']
+    priority = vulnerability['Priority']
+
+    # Lookup the external event for when we have vulnerabilities.
+    event = ExternalNotificationEvent.get(name='vulnerability_found')
+
+    # For each layer, retrieving the matching tags and join with repository to determine which
+    # require new notifications.
+    tag_map = defaultdict(set)
+    repository_map = {}
+
+    # Find all tags that contain the layer(s) introducing the vulnerability.
+    content = data['Content']
+    layer_ids = content.get('NewIntroducingLayersIDs', content.get('IntroducingLayersIDs', []))
+    for layer_id in layer_ids:
+      (docker_image_id, storage_uuid) = layer_id.split('.', 2)
+      tags = model.tag.get_matching_tags(docker_image_id, storage_uuid, RepositoryTag,
+                                         Repository, Image, ImageStorage)
+
+      # Additionally filter to tags only in repositories that have the event setup.
+      matching = (tags
+                  .switch(RepositoryTag)
+                  .join(Repository)
+                  .join(RepositoryNotification)
+                  .where(RepositoryNotification.event == event))
+
+      check_map = {}
+      for tag in matching:
+        # Verify that the tag's root image has the vulnerability.
+        tag_layer_id = '%s.%s' % (tag.image.docker_image_id, tag.image.storage.uuid)
+        logger.debug('Checking if layer %s is vulnerable to %s', tag_layer_id, cve_id)
+
+        if not tag_layer_id in check_map:
+          is_vulerable = secscan_endpoint.check_layer_vulnerable(tag_layer_id, cve_id)
+          check_map[tag_layer_id] = is_vulerable
+
+        logger.debug('Result of layer %s is vulnerable to %s check: %s', tag_layer_id, cve_id,
+                     check_map[tag_layer_id])
+
+        if check_map[tag_layer_id]:
+          # Add the vulnerable tag to the list.
+          tag_map[tag.repository_id].add(tag.name)
+          repository_map[tag.repository_id] = tag.repository
+
+    # For each of the tags found, issue a notification.
+    for repository_id in tag_map:
+      tags = tag_map[repository_id]
+      event_data = {
+        'tags': list(tags),
+        'vulnerability': {
+          'id': data['Name'],
+          'description': vulnerability['Description'],
+          'link': vulnerability['Link'],
+          'priority': priority,
+        },
+      }
+
+      # TODO(jzelinskie): only add this notification if the repository's event(s) defined meet
+      # the priority minimum.
+      spawn_notification(repository_map[repository_id], 'vulnerability_found', event_data)
+
+
+if __name__ == '__main__':
+  if not features.SECURITY_SCANNER:
+    logger.debug('Security scanner disabled; skipping SecurityNotificationWorker')
+    while True:
+      time.sleep(100000)
+
+  worker = SecurityNotificationWorker(secscan_notification_queue, poll_period_seconds=30,
+                                      reservation_seconds=30, retry_after_seconds=30)
+  worker.start()

From 954d9884521146f65352b3b9f97a5ad37ac7ec9a Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Mon, 9 Nov 2015 19:19:18 -0500
Subject: [PATCH 18/36] pylint: ignore constant names and too many locals

---
 pylintrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pylintrc b/pylintrc
index e1d21d338..7cecd0de7 100644
--- a/pylintrc
+++ b/pylintrc
@@ -9,7 +9,7 @@
 # --enable=similarities". If you want to run only the classes checker, but have
 # no Warning level messages displayed, use"--disable=all --enable=classes
 # --disable=W"
-disable=missing-docstring
+disable=missing-docstring,invalid-name,too-many-locals
 
 [TYPECHECK]
 

From 52962b3732524eddb3bca8e11a6a37e9b5634976 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Tue, 10 Nov 2015 13:06:03 -0500
Subject: [PATCH 19/36] close db connections when calling out to clair

---
 workers/security_notification_worker.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/workers/security_notification_worker.py b/workers/security_notification_worker.py
index 2c89d4623..8ec95f7d8 100644
--- a/workers/security_notification_worker.py
+++ b/workers/security_notification_worker.py
@@ -6,10 +6,10 @@ from collections import defaultdict
 
 import features
 
-from app import secscan_notification_queue, secscan_endpoint
+from app import app, secscan_notification_queue, secscan_endpoint
 from data import model
 from data.database import (Image, ImageStorage, ExternalNotificationEvent,
-                           Repository, RepositoryNotification, RepositoryTag)
+                           Repository, RepositoryNotification, RepositoryTag, CloseForLongOperation)
 from endpoints.notificationhelper import spawn_notification
 from workers.queueworker import QueueWorker
 
@@ -55,8 +55,9 @@ class SecurityNotificationWorker(QueueWorker):
         logger.debug('Checking if layer %s is vulnerable to %s', tag_layer_id, cve_id)
 
         if not tag_layer_id in check_map:
-          is_vulerable = secscan_endpoint.check_layer_vulnerable(tag_layer_id, cve_id)
-          check_map[tag_layer_id] = is_vulerable
+          with CloseForLongOperation(app.config):
+            is_vulerable = secscan_endpoint.check_layer_vulnerable(tag_layer_id, cve_id)
+            check_map[tag_layer_id] = is_vulerable
 
         logger.debug('Result of layer %s is vulnerable to %s check: %s', tag_layer_id, cve_id,
                      check_map[tag_layer_id])
@@ -79,7 +80,7 @@ class SecurityNotificationWorker(QueueWorker):
         },
       }
 
-      # TODO(jzelinskie): only add this notification if the repository's event(s) defined meet
+      # TODO(jschorr): only add this notification if the repository's event(s) defined meet
       # the priority minimum.
       spawn_notification(repository_map[repository_id], 'vulnerability_found', event_data)
 

From da31714fb56c32a04a8b848f1013f1c2214a5d6d Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Tue, 10 Nov 2015 13:07:47 -0500
Subject: [PATCH 20/36] specify securityworker skip message

---
 workers/securityworker.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/workers/securityworker.py b/workers/securityworker.py
index 1deba196a..65d71a8fe 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -307,7 +307,7 @@ class SecurityWorker(Worker):
 
 if __name__ == '__main__':
   if not features.SECURITY_SCANNER:
-    logger.debug('Security scanner disabled; skipping')
+    logger.debug('Security scanner disabled; skipping SecurityWorker')
     while True:
       time.sleep(100000)
 

From 270010105d59c31230bd35c9ab552dc92261e144 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Tue, 10 Nov 2015 13:23:16 -0500
Subject: [PATCH 21/36] add security notification worker to init

---
 conf/init/service/security_notification_worker/log/run | 2 ++
 conf/init/service/security_notification_worker/run     | 8 ++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 conf/init/service/security_notification_worker/log/run
 create mode 100644 conf/init/service/security_notification_worker/run

diff --git a/conf/init/service/security_notification_worker/log/run b/conf/init/service/security_notification_worker/log/run
new file mode 100644
index 000000000..262fed98e
--- /dev/null
+++ b/conf/init/service/security_notification_worker/log/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec logger -i -t securitynotificationworker
diff --git a/conf/init/service/security_notification_worker/run b/conf/init/service/security_notification_worker/run
new file mode 100644
index 000000000..83c94e686
--- /dev/null
+++ b/conf/init/service/security_notification_worker/run
@@ -0,0 +1,8 @@
+#! /bin/bash
+
+echo 'Starting security scanner notification worker'
+
+cd /
+venv/bin/python -m workers.security_notification_worker 2>&1
+
+echo 'Security scanner notification worker exited'

From 8e2868737b095e56e5c7cd9c9147e6c9eec2ce85 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Tue, 10 Nov 2015 15:01:33 -0500
Subject: [PATCH 22/36] rename secscan_endpoint and move db close to API

---
 app.py                                      |  4 ++--
 endpoints/api/sec.py                        |  4 ++--
 endpoints/api/secscan.py                    |  4 ++--
 util/secscan/{secscanendpoint.py => api.py} | 26 +++++++++++++--------
 workers/security_notification_worker.py     | 21 +++++++----------
 workers/securityworker.py                   |  4 ++--
 6 files changed, 33 insertions(+), 30 deletions(-)
 rename util/secscan/{secscanendpoint.py => api.py} (74%)

diff --git a/app.py b/app.py
index bbc8ecee1..964a79536 100644
--- a/app.py
+++ b/app.py
@@ -35,7 +35,7 @@ from util.saas.metricqueue import MetricQueue
 from util.config.provider import get_config_provider
 from util.config.configutil import generate_secret_key
 from util.config.superusermanager import SuperUserManager
-from util.secscan.secscanendpoint import SecurityScanEndpoint
+from util.secscan.api import SecurityScannerAPI
 
 OVERRIDE_CONFIG_DIRECTORY = 'conf/stack/'
 OVERRIDE_CONFIG_YAML_FILENAME = 'conf/stack/config.yaml'
@@ -150,7 +150,7 @@ dockerfile_build_queue = WorkQueue(app.config['DOCKERFILE_BUILD_QUEUE_NAME'], tf
 notification_queue = WorkQueue(app.config['NOTIFICATION_QUEUE_NAME'], tf)
 secscan_notification_queue = WorkQueue(app.config['SECSCAN_NOTIFICATION_QUEUE_NAME'], tf)
 
-secscan_endpoint = SecurityScanEndpoint(app, config_provider)
+secscan_api = SecurityScannerAPI(app, config_provider)
 
 database.configure(app.config)
 model.config.app_config = app.config
diff --git a/endpoints/api/sec.py b/endpoints/api/sec.py
index d080d2fe1..4e77750f9 100644
--- a/endpoints/api/sec.py
+++ b/endpoints/api/sec.py
@@ -5,7 +5,7 @@ import features
 import json
 import requests
 
-from app import secscan_endpoint
+from app import secscan_api
 from data import model
 from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
                            RepositoryParamResource, resource, nickname, show_if, parse_args,
@@ -18,7 +18,7 @@ logger = logging.getLogger(__name__)
 def _call_security_api(relative_url, *args, **kwargs):
   """ Issues an HTTP call to the sec API at the given relative URL. """
   try:
-    response = secscan_endpoint.call_api(relative_url, *args, **kwargs)
+    response = secscan_api.call(relative_url, *args, **kwargs)
   except requests.exceptions.Timeout:
     raise DownstreamIssue(payload=dict(message='API call timed out'))
   except requests.exceptions.ConnectionError:
diff --git a/endpoints/api/secscan.py b/endpoints/api/secscan.py
index 9a1773ccb..56fcea95d 100644
--- a/endpoints/api/secscan.py
+++ b/endpoints/api/secscan.py
@@ -5,7 +5,7 @@ import features
 import json
 import requests
 
-from app import secscan_endpoint
+from app import secscan_api
 from data import model
 from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
                            RepositoryParamResource, resource, nickname, show_if, parse_args,
@@ -18,7 +18,7 @@ logger = logging.getLogger(__name__)
 def _call_security_api(relative_url, *args, **kwargs):
   """ Issues an HTTP call to the sec API at the given relative URL. """
   try:
-    response = secscan_endpoint.call_api(relative_url, body=None, *args, **kwargs)
+    response = secscan_api.call(relative_url, body=None, *args, **kwargs)
   except requests.exceptions.Timeout:
     raise DownstreamIssue(payload=dict(message='API call timed out'))
   except requests.exceptions.ConnectionError:
diff --git a/util/secscan/secscanendpoint.py b/util/secscan/api.py
similarity index 74%
rename from util/secscan/secscanendpoint.py
rename to util/secscan/api.py
index 2cd24fab1..e03a19369 100644
--- a/util/secscan/secscanendpoint.py
+++ b/util/secscan/api.py
@@ -2,11 +2,13 @@ import features
 import logging
 import requests
 
+from app import app
+from database import CloseForLongOperation
 from urlparse import urljoin
 
 logger = logging.getLogger(__name__)
 
-class SecurityScanEndpoint(object):
+class SecurityScannerAPI(object):
   """ Helper class for talking to the Security Scan service (Clair). """
   def __init__(self, app, config_provider):
     self.app = app
@@ -41,7 +43,7 @@ class SecurityScanEndpoint(object):
       body = {
         'LayersIDs': [layer_id]
       }
-      response = self.call_api('vulnerabilities/%s/affected-layers', body, cve_id)
+      response = self.call('vulnerabilities/%s/affected-layers', body, cve_id)
     except requests.exceptions.RequestException:
       logger.exception('Got exception when trying to call Clair endpoint')
       return False
@@ -61,8 +63,11 @@ class SecurityScanEndpoint(object):
 
     return True
 
-  def call_api(self, relative_url, body=None, *args, **kwargs):
-    """ Issues an HTTP call to the sec API at the given relative URL. """
+  def call(self, relative_url, body=None, *args, **kwargs):
+    """ Issues an HTTP call to the sec API at the given relative URL.
+        This function disconnects from the database while awaiting a response
+        from the API server.
+    """
     security_config = self.security_config
     api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
     url = urljoin(api_url, relative_url % args)
@@ -71,9 +76,10 @@ class SecurityScanEndpoint(object):
     timeout = security_config.get('API_TIMEOUT_SECONDS', 1)
     logger.debug('Looking up sec information: %s', url)
 
-    if body is not None:
-      return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self.keys,
-                         verify=self.certificate)
-    else:
-      return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
-                        verify=self.certificate)
\ No newline at end of file
+    with CloseForLongOperation(app.config):
+      if body is not None:
+        return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self.keys,
+                           verify=self.certificate)
+      else:
+        return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
+                          verify=self.certificate)
diff --git a/workers/security_notification_worker.py b/workers/security_notification_worker.py
index 8ec95f7d8..1679e80b6 100644
--- a/workers/security_notification_worker.py
+++ b/workers/security_notification_worker.py
@@ -6,10 +6,10 @@ from collections import defaultdict
 
 import features
 
-from app import app, secscan_notification_queue, secscan_endpoint
+from app import secscan_notification_queue, secscan_api
 from data import model
 from data.database import (Image, ImageStorage, ExternalNotificationEvent,
-                           Repository, RepositoryNotification, RepositoryTag, CloseForLongOperation)
+                           Repository, RepositoryNotification, RepositoryTag)
 from endpoints.notificationhelper import spawn_notification
 from workers.queueworker import QueueWorker
 
@@ -42,11 +42,11 @@ class SecurityNotificationWorker(QueueWorker):
                                          Repository, Image, ImageStorage)
 
       # Additionally filter to tags only in repositories that have the event setup.
-      matching = (tags
-                  .switch(RepositoryTag)
-                  .join(Repository)
-                  .join(RepositoryNotification)
-                  .where(RepositoryNotification.event == event))
+      matching = list(tags
+                      .switch(RepositoryTag)
+                      .join(Repository)
+                      .join(RepositoryNotification)
+                      .where(RepositoryNotification.event == event))
 
       check_map = {}
       for tag in matching:
@@ -55,9 +55,8 @@ class SecurityNotificationWorker(QueueWorker):
         logger.debug('Checking if layer %s is vulnerable to %s', tag_layer_id, cve_id)
 
         if not tag_layer_id in check_map:
-          with CloseForLongOperation(app.config):
-            is_vulerable = secscan_endpoint.check_layer_vulnerable(tag_layer_id, cve_id)
-            check_map[tag_layer_id] = is_vulerable
+          is_vulerable = secscan_api.check_layer_vulnerable(tag_layer_id, cve_id)
+          check_map[tag_layer_id] = is_vulerable
 
         logger.debug('Result of layer %s is vulnerable to %s check: %s', tag_layer_id, cve_id,
                      check_map[tag_layer_id])
@@ -80,8 +79,6 @@ class SecurityNotificationWorker(QueueWorker):
         },
       }
 
-      # TODO(jschorr): only add this notification if the repository's event(s) defined meet
-      # the priority minimum.
       spawn_notification(repository_map[repository_id], 'vulnerability_found', event_data)
 
 
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 65d71a8fe..26d360754 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -12,7 +12,7 @@ from endpoints.notificationhelper import spawn_notification
 from collections import defaultdict
 from sys import exc_info
 from peewee import JOIN_LEFT_OUTER
-from app import app, storage, OVERRIDE_CONFIG_DIRECTORY, secscan_endpoint
+from app import app, storage, OVERRIDE_CONFIG_DIRECTORY, secscan_api
 from workers.worker import Worker
 from data.database import (Image, ImageStorage, ImageStorageLocation, ImageStoragePlacement,
                            db_random_func, UseThenDisconnect, RepositoryTag, Repository,
@@ -256,7 +256,7 @@ class SecurityWorker(Worker):
           # callback code, etc.
           try:
             logger.debug('Loading vulnerabilities for layer %s', img['image_id'])
-            response = secscan_endpoint.call_api('layers/%s/vulnerabilities', request['ID'])
+            response = secscan_api.call('layers/%s/vulnerabilities', request['ID'])
           except requests.exceptions.Timeout:
             logger.debug('Timeout when calling Sec')
             continue

From 5655c084679bf8c7e13955bcab07b1789c61caeb Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Tue, 10 Nov 2015 15:05:06 -0500
Subject: [PATCH 23/36] fix security worker service permissions

---
 conf/init/service/security_notification_worker/run | 0
 conf/init/service/securityworker/run               | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 conf/init/service/security_notification_worker/run
 mode change 100644 => 100755 conf/init/service/securityworker/run

diff --git a/conf/init/service/security_notification_worker/run b/conf/init/service/security_notification_worker/run
old mode 100644
new mode 100755
diff --git a/conf/init/service/securityworker/run b/conf/init/service/securityworker/run
old mode 100644
new mode 100755

From ca7d736db2de56823f0f7af0266b8c9dae000992 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 10 Nov 2015 15:08:14 -0500
Subject: [PATCH 24/36] Only send vulnerability events if the minimum priority
 is gte to that specified

Fixes #770
---
 endpoints/api/repositorynotification.py       |  9 +-
 endpoints/common.py                           |  2 +
 endpoints/notificationevent.py                | 48 ++++++---
 .../directives/ui/repository-events-table.css | 10 ++
 .../directives/repository-events-table.html   | 11 +++
 .../directives/ui/repository-events-table.js  | 12 +++
 static/js/services/notification-service.js    |  3 +-
 static/js/services/vulnerability-service.js   | 84 +---------------
 templates/base.html                           |  1 +
 util/sec/__init__.py                          |  0
 util/sec/secendpoint.py                       | 51 ----------
 util/secscan/api.py                           | 97 ++++++++++++++++++-
 workers/notificationworker.py                 |  3 +-
 13 files changed, 175 insertions(+), 156 deletions(-)
 delete mode 100644 util/sec/__init__.py
 delete mode 100644 util/sec/secendpoint.py

diff --git a/endpoints/api/repositorynotification.py b/endpoints/api/repositorynotification.py
index 30c71cf54..538bbe25e 100644
--- a/endpoints/api/repositorynotification.py
+++ b/endpoints/api/repositorynotification.py
@@ -22,12 +22,19 @@ def notification_view(note):
   except:
     config = {}
 
+  event_config = {}
+  try:
+    event_config = json.loads(note.event_config_json)
+  except:
+    event_config = {}
+
   return {
     'uuid': note.uuid,
     'event': note.event.name,
     'method': note.method.name,
     'config': config,
     'title': note.title,
+    'event_config': event_config,
   }
 
 
@@ -160,7 +167,7 @@ class TestRepositoryNotification(RepositoryParamResource):
       raise NotFound()
 
     event_info = NotificationEvent.get_event(test_note.event.name)
-    sample_data = event_info.get_sample_data(repository=test_note.repository)
+    sample_data = event_info.get_sample_data(test_note)
     notification_data = build_notification_data(test_note, sample_data)
     notification_queue.put([test_note.repository.namespace_user.username, repository,
                             test_note.event.name], json.dumps(notification_data))
diff --git a/endpoints/common.py b/endpoints/common.py
index 7469c58be..fba900580 100644
--- a/endpoints/common.py
+++ b/endpoints/common.py
@@ -22,6 +22,7 @@ from werkzeug.routing import BaseConverter
 from functools import wraps
 from config import frontend_visible_config
 from external_libraries import get_external_javascript, get_external_css
+from util.secscan.api import PRIORITY_LEVELS
 
 import features
 
@@ -183,6 +184,7 @@ def render_page_template(name, **kwargs):
                                        config_set=json.dumps(frontend_visible_config(app.config)),
                                        oauth_set=json.dumps(get_oauth_config()),
                                        scope_set=json.dumps(scopes.app_scopes(app.config)),
+                                       vuln_priority_set=json.dumps(PRIORITY_LEVELS),
                                        mixpanel_key=app.config.get('MIXPANEL_KEY', ''),
                                        google_analytics_key=app.config.get('GOOGLE_ANALYTICS_KEY', ''),
                                        sentry_public_dsn=app.config.get('SENTRY_PUBLIC_DSN', ''),
diff --git a/endpoints/notificationevent.py b/endpoints/notificationevent.py
index ebd7e10b6..365b815d3 100644
--- a/endpoints/notificationevent.py
+++ b/endpoints/notificationevent.py
@@ -1,9 +1,11 @@
 import logging
 import time
+import json
 
 from datetime import datetime
 from notificationhelper import build_event_data
 from util.jinjautil import get_template_env
+from util.secscan.api import PRIORITY_LEVELS, get_priority_for_index
 
 template_env = get_template_env("events")
 logger = logging.getLogger(__name__)
@@ -37,13 +39,18 @@ class NotificationEvent(object):
       'notification_data': notification_data
     })
 
-  def get_sample_data(self, repository=None):
+  def get_sample_data(self, notification):
     """
-    Returns sample data for testing the raising of this notification, with an optional
-    repository.
+    Returns sample data for testing the raising of this notification, with an example notification.
     """
     raise NotImplementedError
 
+  def should_perform(self, event_data, notification_data):
+    """
+    Whether a notification for this event should be performed. By default returns True.
+    """
+    return True
+
   @classmethod
   def event_name(cls):
     """
@@ -71,8 +78,8 @@ class RepoPushEvent(NotificationEvent):
   def get_summary(self, event_data, notification_data):
     return 'Repository %s updated' % (event_data['repository'])
 
-  def get_sample_data(self, repository):
-    return build_event_data(repository, {
+  def get_sample_data(self, notification):
+    return build_event_data(notification.repository, {
       'updated_tags': {'latest': 'someimageid', 'foo': 'anotherimage'},
       'pruned_image_count': 3
     })
@@ -99,18 +106,27 @@ class VulnerabilityFoundEvent(NotificationEvent):
 
     return 'info'
 
-  def get_sample_data(self, repository):
-    return build_event_data(repository, {
+  def get_sample_data(self, notification):
+    event_config = json.loads(notification.event_config_json)
+
+    return build_event_data(notification.repository, {
       'tags': ['latest', 'prod'],
       'image': 'some-image-id',
       'vulnerability': {
         'id': 'CVE-FAKE-CVE',
         'description': 'A futurist vulnerability',
         'link': 'https://security-tracker.debian.org/tracker/CVE-FAKE-CVE',
-        'priority': 'Critical',
+        'priority': get_priority_for_index(event_config['level'])
       },
     })
 
+  def should_perform(self, event_data, notification_data):
+    event_config = json.loads(notification_data.event_config_json)
+    expected_level_index = event_config['level']
+    priority = PRIORITY_LEVELS[event_data['vulnerability']['priority']]
+    actual_level_index = priority['index']
+    return expected_level_index <= actual_level_index
+
   def get_summary(self, event_data, notification_data):
     msg = '%s vulnerability detected in repository %s in tags %s'
     return msg % (event_data['vulnerability']['priority'],
@@ -126,10 +142,10 @@ class BuildQueueEvent(NotificationEvent):
   def get_level(self, event_data, notification_data):
     return 'info'
 
-  def get_sample_data(self, repository):
+  def get_sample_data(self, notification):
     build_uuid = 'fake-build-id'
 
-    return build_event_data(repository, {
+    return build_event_data(notification.repository, {
       'is_manual': False,
       'build_id': build_uuid,
       'build_name': 'some-fake-build',
@@ -165,10 +181,10 @@ class BuildStartEvent(NotificationEvent):
   def get_level(self, event_data, notification_data):
     return 'info'
 
-  def get_sample_data(self, repository):
+  def get_sample_data(self, notification):
     build_uuid = 'fake-build-id'
 
-    return build_event_data(repository, {
+    return build_event_data(notification.repository, {
       'build_id': build_uuid,
       'build_name': 'some-fake-build',
       'docker_tags': ['latest', 'foo', 'bar'],
@@ -193,10 +209,10 @@ class BuildSuccessEvent(NotificationEvent):
   def get_level(self, event_data, notification_data):
     return 'success'
 
-  def get_sample_data(self, repository):
+  def get_sample_data(self, notification):
     build_uuid = 'fake-build-id'
 
-    return build_event_data(repository, {
+    return build_event_data(notification.repository, {
       'build_id': build_uuid,
       'build_name': 'some-fake-build',
       'docker_tags': ['latest', 'foo', 'bar'],
@@ -222,10 +238,10 @@ class BuildFailureEvent(NotificationEvent):
   def get_level(self, event_data, notification_data):
     return 'error'
 
-  def get_sample_data(self, repository):
+  def get_sample_data(self, notification):
     build_uuid = 'fake-build-id'
 
-    return build_event_data(repository, {
+    return build_event_data(notification.repository, {
       'build_id': build_uuid,
       'build_name': 'some-fake-build',
       'docker_tags': ['latest', 'foo', 'bar'],
diff --git a/static/css/directives/ui/repository-events-table.css b/static/css/directives/ui/repository-events-table.css
index 82909d022..f471a997c 100644
--- a/static/css/directives/ui/repository-events-table.css
+++ b/static/css/directives/ui/repository-events-table.css
@@ -1,3 +1,13 @@
 .repository-events-table-element .notification-row i.fa {
   margin-right: 6px;
+}
+
+.repository-events-table-element .notification-event-fields {
+  list-style: none;
+  padding: 0px;
+  margin-left: 28px;
+  margin-top: 3px;
+  font-size: 13px;
+  color: #888;
+  margin-bottom: 0px;
 }
\ No newline at end of file
diff --git a/static/directives/repository-events-table.html b/static/directives/repository-events-table.html
index 3a463f54c..a83a45931 100644
--- a/static/directives/repository-events-table.html
+++ b/static/directives/repository-events-table.html
@@ -44,6 +44,17 @@
                     <i class="fa fa-lg" ng-class="getEventInfo(notification).icon"></i>
                     {{ getEventInfo(notification).title }}
                   </span>
+
+                  <ul class="notification-event-fields" ng-if="getEventInfo(notification).fields.length">
+                    <li ng-repeat="field in getEventInfo(notification).fields">
+                      {{ field.title }}:
+                      <span ng-switch on="field.type">
+                        <span ng-switch-when="enum">
+                         {{ findEnumValue(field.values, notification.event_config[field.name]).title }}
+                        </span>
+                      </span>
+                    </li>
+                  </ul>
                 </td>
 
                 <td>
diff --git a/static/js/directives/ui/repository-events-table.js b/static/js/directives/ui/repository-events-table.js
index 05b3e3226..8f7346e1c 100644
--- a/static/js/directives/ui/repository-events-table.js
+++ b/static/js/directives/ui/repository-events-table.js
@@ -43,6 +43,18 @@ angular.module('quay').directive('repositoryEventsTable', function () {
         $scope.showNewNotificationCounter++;
       };
 
+      $scope.findEnumValue = function(values, index) {
+        var found = null;
+        Object.keys(values).forEach(function(key) {
+          if (values[key]['index'] == index) {
+            found = values[key];
+            return
+          }
+        });
+
+        return found
+      };
+
       $scope.getEventInfo = function(notification) {
         return ExternalNotificationData.getEventInfo(notification.event);
       };
diff --git a/static/js/services/notification-service.js b/static/js/services/notification-service.js
index bd4c8b70c..31ff5af2c 100644
--- a/static/js/services/notification-service.js
+++ b/static/js/services/notification-service.js
@@ -129,7 +129,8 @@ function($rootScope, $interval, UserService, ApiService, StringBuilderService, P
       'message': 'A {vulnerability.priority} vulnerability was detected in repository {repository}',
       'page': function(metadata) {
         return '/repository/' + metadata.repository + '?tab=tags';
-      }
+      },
+      'dismissable': true
     }
   };
 
diff --git a/static/js/services/vulnerability-service.js b/static/js/services/vulnerability-service.js
index 752861adb..12c1a172f 100644
--- a/static/js/services/vulnerability-service.js
+++ b/static/js/services/vulnerability-service.js
@@ -3,89 +3,7 @@
   */
 angular.module('quay').factory('VulnerabilityService', ['Config', function(Config) {
   var vulnService = {};
-
-  // NOTE: This objects are used directly in the external-notification-data service, so make sure
-  // to update that code if the format here is changed.
-  vulnService.LEVELS = {
-    'Unknown': {
-      'title': 'Unknown',
-      'index': '6',
-      'level': 'info',
-
-      'description': 'Unknown is either a security problem that has not been assigned ' +
-                     'to a priority yet or a priority that our system did not recognize',
-      'banner_required': false
-    },
-
-    'Negligible': {
-      'title': 'Negligible',
-      'index': '5',
-      'level': 'info',
-
-      'description': 'Negligible is technically a security problem, but is only theoretical ' +
-                     'in nature, requires a very special situation, has almost no install base, ' +
-                     'or does no real damage.',
-      'banner_required': false
-    },
-
-    'Low': {
-      'title': 'Low',
-      'index': '4',
-      'level': 'warning',
-
-      'description': 'Low is a security problem, but is hard to exploit due to environment, ' +
-                     'requires a user-assisted attack, a small install base, or does very ' +
-                     'little damage.',
-      'banner_required': false
-    },
-
-    'Medium': {
-      'title': 'Medium',
-      'value': 'Medium',
-      'index': '3',
-      'level': 'warning',
-
-      'description': 'Medium is a real security problem, and is exploitable for many people. ' +
-                     'Includes network daemon denial of service attacks, cross-site scripting, ' +
-                     'and gaining user privileges.',
-      'banner_required': false
-    },
-
-    'High': {
-      'title': 'High',
-      'value': 'High',
-      'index': '2',
-      'level': 'warning',
-
-      'description': 'High is a real problem, exploitable for many people in a default installation. ' +
-                     'Includes serious remote denial of services, local root privilege escalations, ' +
-                     'or data loss.',
-      'banner_required': false
-    },
-
-    'Critical': {
-      'title': 'Critical',
-      'value': 'Critical',
-      'index': '1',
-      'level': 'error',
-
-      'description': 'Critical is a world-burning problem, exploitable for nearly all people in ' +
-                     'a installation of the package. Includes remote root privilege escalations, ' +
-                     'or massive data loss.',
-      'banner_required': true
-    },
-
-    'Defcon1': {
-      'title': 'Defcon 1',
-      'value': 'Defcon1',
-      'index': '0',
-      'level': 'error',
-
-      'description': 'Defcon1 is a Critical problem which has been manually highlighted ' +
-                     'by the Quay team. It requires immediate attention.',
-      'banner_required': true
-    }
-  };
+  vulnService.LEVELS = window.__vuln_priority;
 
   vulnService.getLevels = function() {
     return Object.keys(vulnService.LEVELS).map(function(key) {
diff --git a/templates/base.html b/templates/base.html
index c3f09c8ce..47eaa66ea 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -38,6 +38,7 @@
       window.__config = {{ config_set|safe }};
       window.__oauth = {{ oauth_set|safe }};
       window.__auth_scopes = {{ scope_set|safe }};
+      window.__vuln_priority = {{ vuln_priority_set|safe }}
       window.__token = '{{ csrf_token() }}';
     </script>
 
diff --git a/util/sec/__init__.py b/util/sec/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/util/sec/secendpoint.py b/util/sec/secendpoint.py
deleted file mode 100644
index 9e9e57413..000000000
--- a/util/sec/secendpoint.py
+++ /dev/null
@@ -1,51 +0,0 @@
-import features
-import logging
-import requests
-import json
-
-from urlparse import urljoin
-
-logger = logging.getLogger(__name__)
-
-class SecEndpoint(object):
-  """ Helper class for talking to the Sec API. """
-  def __init__(self, app, config_provider):
-    self.app = app
-    self.config_provider = config_provider
-
-    if not features.SECURITY_SCANNER:
-      return
-
-    self.security_config = app.config['SECURITY_SCANNER']
-
-    self.certificate = self._getfilepath('CA_CERTIFICATE_FILENAME') or False
-    self.public_key = self._getfilepath('PUBLIC_KEY_FILENAME')
-    self.private_key = self._getfilepath('PRIVATE_KEY_FILENAME')
-
-    if self.public_key and self.private_key:
-      self.keys = (self.public_key, self.private_key)
-    else:
-      self.keys = None
-
-  def _getfilepath(self, config_key):
-    security_config = self.security_config
-
-    if config_key in security_config:
-      with self.config_provider.get_volume_file(security_config[config_key]) as f:
-        return f.name
-
-    return None
-
-  def call_api(self, relative_url, *args, **kwargs):
-    """ Issues an HTTP call to the sec API at the given relative URL. """
-    security_config = self.security_config
-    api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
-    url = urljoin(api_url, relative_url % args)
-
-    client = self.app.config['HTTPCLIENT']
-    timeout = security_config.get('API_CALL_TIMEOUT', 1)
-    logger.debug('Looking up sec information: %s', url)
-
-    return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
-                      verify=self.certificate)
-
diff --git a/util/secscan/api.py b/util/secscan/api.py
index e03a19369..b0138eeef 100644
--- a/util/secscan/api.py
+++ b/util/secscan/api.py
@@ -2,12 +2,103 @@ import features
 import logging
 import requests
 
-from app import app
-from database import CloseForLongOperation
+from data.database import CloseForLongOperation
 from urlparse import urljoin
 
 logger = logging.getLogger(__name__)
 
+# NOTE: This objects are used directly in the external-notification-data and vulnerability-service
+# on the frontend, so be careful with changing their existing keys.
+PRIORITY_LEVELS = {
+ 'Unknown': {
+   'title': 'Unknown',
+   'index': '6',
+   'level': 'info',
+
+   'description': 'Unknown is either a security problem that has not been assigned ' +
+                  'to a priority yet or a priority that our system did not recognize',
+   'banner_required': False
+ },
+
+ 'Negligible': {
+   'title': 'Negligible',
+   'index': '5',
+   'level': 'info',
+
+   'description': 'Negligible is technically a security problem, but is only theoretical ' +
+                  'in nature, requires a very special situation, has almost no install base, ' +
+                  'or does no real damage.',
+   'banner_required': False
+ },
+
+ 'Low': {
+   'title': 'Low',
+   'index': '4',
+   'level': 'warning',
+
+   'description': 'Low is a security problem, but is hard to exploit due to environment, ' +
+                  'requires a user-assisted attack, a small install base, or does very ' +
+                  'little damage.',
+   'banner_required': False
+ },
+
+ 'Medium': {
+   'title': 'Medium',
+   'value': 'Medium',
+   'index': '3',
+   'level': 'warning',
+
+   'description': 'Medium is a real security problem, and is exploitable for many people. ' +
+                  'Includes network daemon denial of service attacks, cross-site scripting, ' +
+                  'and gaining user privileges.',
+   'banner_required': False
+ },
+
+ 'High': {
+   'title': 'High',
+   'value': 'High',
+   'index': '2',
+   'level': 'warning',
+
+   'description': 'High is a real problem, exploitable for many people in a default installation. ' +
+                  'Includes serious remote denial of services, local root privilege escalations, ' +
+                  'or data loss.',
+   'banner_required': False
+ },
+
+ 'Critical': {
+   'title': 'Critical',
+   'value': 'Critical',
+   'index': '1',
+   'level': 'error',
+
+   'description': 'Critical is a world-burning problem, exploitable for nearly all people in ' +
+                  'a installation of the package. Includes remote root privilege escalations, ' +
+                  'or massive data loss.',
+   'banner_required': True
+ },
+
+ 'Defcon1': {
+   'title': 'Defcon 1',
+   'value': 'Defcon1',
+   'index': '0',
+   'level': 'error',
+
+   'description': 'Defcon1 is a Critical problem which has been manually highlighted ' +
+                  'by the Quay team. It requires immediate attention.',
+   'banner_required': True
+ }
+}
+
+
+def get_priority_for_index(index):
+ for priority in PRIORITY_LEVELS:
+   if PRIORITY_LEVELS[priority]['index'] == index:
+     return priority
+
+ return 'Unknown'
+
+
 class SecurityScannerAPI(object):
   """ Helper class for talking to the Security Scan service (Clair). """
   def __init__(self, app, config_provider):
@@ -76,7 +167,7 @@ class SecurityScannerAPI(object):
     timeout = security_config.get('API_TIMEOUT_SECONDS', 1)
     logger.debug('Looking up sec information: %s', url)
 
-    with CloseForLongOperation(app.config):
+    with CloseForLongOperation(self.app.config):
       if body is not None:
         return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self.keys,
                            verify=self.certificate)
diff --git a/workers/notificationworker.py b/workers/notificationworker.py
index 3d3e2f80f..9c747303f 100644
--- a/workers/notificationworker.py
+++ b/workers/notificationworker.py
@@ -34,7 +34,8 @@ class NotificationWorker(QueueWorker):
       logger.exception('Cannot find notification event: %s', ex.message)
       raise JobException('Cannot find notification event: %s' % ex.message)
 
-    method_handler.perform(notification, event_handler, job_details)
+    if event_handler.should_perform(job_details['event_data'], notification):
+      method_handler.perform(notification, event_handler, job_details)
 
 
 if __name__ == "__main__":

From 76ce63895f35f9ba2ae33f2e3aaa84f2c436a471 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 11 Nov 2015 15:52:30 -0500
Subject: [PATCH 25/36] New Quay Sec UI and fix some small bugs

Fixes #855
---
 endpoints/api/secscan.py                      | 31 +++----
 endpoints/secscan.py                          |  2 +-
 .../directives/repo-view/repo-panel-tags.css  | 42 ++++-----
 static/css/directives/ui/filter-box.css       | 31 +++++++
 .../ui/vulnerability-priority-view.css        | 19 ++++
 static/css/pages/image-view.css               | 20 +++++
 .../directives/repo-view/repo-panel-tags.html | 86 ++++++++++---------
 .../vulnerability-priority-view.html          |  5 ++
 .../directives/repo-view/repo-panel-tags.js   | 61 ++++++++-----
 .../ui/vulnerability-priority-view.js         | 18 ++++
 static/js/pages/image-view.js                 | 29 ++++++-
 static/partials/image-view.html               | 76 ++++++++++++++--
 workers/securityworker.py                     |  2 +-
 13 files changed, 307 insertions(+), 115 deletions(-)
 create mode 100644 static/css/directives/ui/vulnerability-priority-view.css
 create mode 100644 static/directives/vulnerability-priority-view.html
 create mode 100644 static/js/directives/ui/vulnerability-priority-view.js

diff --git a/endpoints/api/secscan.py b/endpoints/api/secscan.py
index 56fcea95d..9a1fee133 100644
--- a/endpoints/api/secscan.py
+++ b/endpoints/api/secscan.py
@@ -18,7 +18,7 @@ logger = logging.getLogger(__name__)
 def _call_security_api(relative_url, *args, **kwargs):
   """ Issues an HTTP call to the sec API at the given relative URL. """
   try:
-    response = secscan_api.call(relative_url, body=None, *args, **kwargs)
+    response = secscan_api.call(relative_url, None, *args, **kwargs)
   except requests.exceptions.Timeout:
     raise DownstreamIssue(payload=dict(message='API call timed out'))
   except requests.exceptions.ConnectionError:
@@ -40,32 +40,32 @@ def _call_security_api(relative_url, *args, **kwargs):
 
 
 @show_if(features.SECURITY_SCANNER)
-@resource('/v1/repository/<repopath:repository>/tag/<tag>/vulnerabilities')
+@resource('/v1/repository/<repopath:repository>/image/<imageid>/vulnerabilities')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('tag', 'The name of the tag')
-class RepositoryTagVulnerabilities(RepositoryParamResource):
-  """ Operations for managing the vulnerabilities in a repository tag. """
+@path_param('imageid', 'The image ID')
+class RepositoryImageVulnerabilities(RepositoryParamResource):
+  """ Operations for managing the vulnerabilities in a repository image. """
 
   @require_repo_read
-  @nickname('getRepoTagVulnerabilities')
+  @nickname('getRepoImageVulnerabilities')
   @parse_args
   @query_param('minimumPriority', 'Minimum vulnerability priority', type=str,
                default='Low')
-  def get(self, args, namespace, repository, tag):
+  def get(self, args, namespace, repository, imageid):
     """ Fetches the vulnerabilities (if any) for a repository tag. """
-    try:
-      tag_image = model.tag.get_tag_image(namespace, repository, tag)
-    except model.DataModelException:
+    repo_image = model.image.get_repo_image(namespace, repository, imageid)
+    if repo_image is None:
       raise NotFound()
 
-    if not tag_image.security_indexed:
-      logger.debug('Image %s for tag %s under repository %s/%s not security indexed',
-                   tag_image.docker_image_id, tag, namespace, repository)
+    if not repo_image.security_indexed:
+      logger.debug('Image %s under repository %s/%s not security indexed',
+                   repo_image.docker_image_id, namespace, repository)
       return {
         'security_indexed': False
       }
 
-    data = _call_security_api('layers/%s/vulnerabilities', tag_image.docker_image_id,
+    layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
+    data = _call_security_api('layers/%s/vulnerabilities', layer_id,
                               minimumPriority=args.minimumPriority)
 
     return {
@@ -94,7 +94,8 @@ class RepositoryImagePackages(RepositoryParamResource):
         'security_indexed': False
       }
 
-    data = _call_security_api('layers/%s/packages/diff', repo_image.docker_image_id)
+    layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
+    data = _call_security_api('layers/%s/packages', layer_id)
 
     return {
       'security_indexed': True,
diff --git a/endpoints/secscan.py b/endpoints/secscan.py
index 7576318e8..4326ea621 100644
--- a/endpoints/secscan.py
+++ b/endpoints/secscan.py
@@ -21,5 +21,5 @@ def secscan_notification():
   if not layer_ids:
     return make_response('Okay')
 
-  secscan_notification_queue.put(data['Name'], json.dumps(data))
+  secscan_notification_queue.put(['notification', data['Name']], json.dumps(data))
   return make_response('Okay')
diff --git a/static/css/directives/repo-view/repo-panel-tags.css b/static/css/directives/repo-view/repo-panel-tags.css
index 6bc6975e1..f2818187b 100644
--- a/static/css/directives/repo-view/repo-panel-tags.css
+++ b/static/css/directives/repo-view/repo-panel-tags.css
@@ -85,46 +85,34 @@
   margin-right: 2px;
 }
 
-.repo-panel-tags-element .fa-flag {
+.repo-panel-tags-element .security-scan-col span {
   cursor: pointer;
 }
 
-.repo-panel-tags-element .vuln-name {
-
+.repo-panel-tags-element .security-scan-col i.fa {
+  margin-right: 4px;
 }
 
-.repo-panel-tags-element .vuln-description {
-  color: #aaa;
-  font-size: 10px;
-  white-space: normal;
+.repo-panel-tags-element .security-scan-col .scanning {
+  color: #9B9B9B;
+  font-size: 12px;
 }
 
-.repo-panel-tags-element .fa-flag.None {
-  color: #00CA00;
+.repo-panel-tags-element .security-scan-col .no-vulns a {
+  color: #2FC98E;
 }
 
-.repo-panel-tags-element .fa-flag.Medium {
-  color: orange;
+.repo-panel-tags-element .security-scan-col .vuln-link,
+.repo-panel-tags-element .security-scan-col .vuln-link span {
+  text-decoration: none !important
 }
 
-.repo-panel-tags-element .fa-flag.High {
-  color: red;
+.repo-panel-tags-element .security-scan-col .has-vulns.Critical .highest-vuln,
+.repo-panel-tags-element .security-scan-col .has-vulns.Defcon1 .highest-vuln {
 }
 
-.repo-panel-tags-element .vuln-dropdown ul {
-  min-width: 400px;
-}
-
-@keyframes flickerAnimation { /* flame pulses */
-  0%   { opacity:1; }
-  50%  { opacity:0; }
-  100% { opacity:1; }
-}
-
-.repo-panel-tags-element .fa-flag.Critical {
-  color: red;
-   opacity:1;
-    animation: flickerAnimation 1s infinite;
+.repo-panel-tags-element .other-vulns {
+  color: black;
 }
 
 @media (max-width: 767px) {
diff --git a/static/css/directives/ui/filter-box.css b/static/css/directives/ui/filter-box.css
index 82e43c9c6..836a72b11 100644
--- a/static/css/directives/ui/filter-box.css
+++ b/static/css/directives/ui/filter-box.css
@@ -15,4 +15,35 @@
   margin-right: 10px;
   margin-bottom: 10px;
   color: #ccc;
+}
+
+.filter-box.floating {
+  float: right;
+  min-width: 300px;
+  margin-top: 0px;
+  position: relative;
+}
+
+.filter-box.floating .filter-message {
+  position: absolute;
+  left: -200px;
+  top: 7px;
+}
+
+
+@media (max-width: 767px) {
+  .filter-box.floating {
+    float: none;
+    width: 100%;
+    display: block;
+    margin-top: 10px;
+  }
+
+  .filter-box.floating .form-control {
+    max-width: 100%;
+  }
+
+  .filter-box.floating .filter-message {
+    display: none;
+  }
 }
\ No newline at end of file
diff --git a/static/css/directives/ui/vulnerability-priority-view.css b/static/css/directives/ui/vulnerability-priority-view.css
new file mode 100644
index 000000000..c3487d6cb
--- /dev/null
+++ b/static/css/directives/ui/vulnerability-priority-view.css
@@ -0,0 +1,19 @@
+.vulnerability-priority-view-element i.fa {
+  margin-right: 4px;
+}
+
+.vulnerability-priority-view-element.Unknown,
+.vulnerability-priority-view-element.Low,
+.vulnerability-priority-view-element.Negligable {
+  color: #9B9B9B;
+}
+
+.vulnerability-priority-view-element.Medium {
+  color: #FCA657;
+}
+
+.vulnerability-priority-view-element.High,
+.vulnerability-priority-view-element.Critical,
+.vulnerability-priority-view-element.Defcon1 {
+  color: #D64456;
+}
diff --git a/static/css/pages/image-view.css b/static/css/pages/image-view.css
index f91ceacc9..6b5cfa555 100644
--- a/static/css/pages/image-view.css
+++ b/static/css/pages/image-view.css
@@ -23,3 +23,23 @@
 .image-view .co-tab-content h3 {
   margin-bottom: 20px;
 }
+
+.image-view .fa-bug {
+  margin-right: 4px;
+}
+
+.image-view .co-filter-box {
+  float: right;
+  min-width: 300px;
+  margin-bottom: 10px;
+}
+
+.image-view .co-filter-box .current-filtered {
+  display: inline-block;
+  margin-right: 10px;
+  color: #999;
+}
+
+.image-view .co-filter-box input {
+  display: inline-block;
+}
\ No newline at end of file
diff --git a/static/directives/repo-view/repo-panel-tags.html b/static/directives/repo-view/repo-panel-tags.html
index 7d369f3f9..0f1125d8e 100644
--- a/static/directives/repo-view/repo-panel-tags.html
+++ b/static/directives/repo-view/repo-panel-tags.html
@@ -81,17 +81,17 @@
           style="min-width: 120px;">
         <a href="javascript:void(0)" ng-click="orderBy('last_modified_datetime')">Last Modified</a>
       </td>
+      <td class="hidden-xs"
+          ng-class="tablePredicateClass('security_scanned', options.predicate, options.reverse)"
+          style="min-width: 120px;"
+          quay-require="['SECURITY_SCANNER']">
+          Security Scan
+      </td>
       <td class="hidden-xs"
           ng-class="tablePredicateClass('size', options.predicate, options.reverse)"
           style="min-width: 62px;">
         <a href="javascript:void(0)" ng-click="orderBy('size')">Size</a>
       </td>
-      <td ng-class="tablePredicateClass('vuln_level', options.predicate, options.reverse)"
-          style="width: 60px;">
-        <a href="javascript:void(0)" ng-click="orderBy('vuln_level')">
-          <i class="fa fa-flag"></i>
-        </a>
-      </td>
       <td class="hidden-xs"
           ng-class="tablePredicateClass('image_id', options.predicate, options.reverse)"
           colspan="{{ imageTracks.length + 1 }}"
@@ -113,43 +113,51 @@
         <span am-time-ago="tag.last_modified" bo-if="tag.last_modified"></span>
         <span bo-if="!tag.last_modified">Unknown</span>
       </td>
-      <td class="hidden-xs" bo-text="tag.size | bytes"></td>
-      <td>
+      <td quay-require="['SECURITY_SCANNER']" class="security-scan-col">
         <span class="cor-loader-inline" ng-if="getTagVulnerabilities(tag).loading"></span>
         <span ng-if="!getTagVulnerabilities(tag).loading">
-          <i class="fa fa-flag-o" ng-if="!getTagVulnerabilities(tag).indexed"
-             data-title="Image is currently being checked for vulnerabilities"
-             bs-tooltip>
-          </i>
-          <i class="fa fa-flag None"
-             ng-if="getTagVulnerabilities(tag).indexed && !getTagVulnerabilities(tag).hasVulnerabilities"
-             data-title="Image has no vulnerabilities"
-             bs-tooltip>
-          </i>
-          <div class="dropdown vuln-dropdown" style="text-align: left;"
-               ng-if="getTagVulnerabilities(tag).indexed && getTagVulnerabilities(tag).hasVulnerabilities">
-            <i class="fa fa-flag"
-               data-title="Image has vulnerabilities"
-               data-toggle="dropdown"
-               ng-class="getTagVulnerabilities(tag).highestVulnerability.Priority"
-               bs-tooltip>
-            </i>
-            <ul class="dropdown-menu pull-right">
-              <li ng-repeat="vuln in getTagVulnerabilities(tag).vulnerabilities">
-                <a href="{{ vuln.Link }}" target="_new">
-                  <div class="vuln-name">
-                    <i class="fa fa-flag" bo-class="vuln.Priority"></i>
-                    {{ vuln.ID }}
-                  </div>
-                  <div class="vuln-description">
-                    {{ vuln.Description }}
-                  </div>
-                </a>
-              </li>
-            </ul>
-          </div>
+          <!-- Scanning -->
+          <span class="scanning" ng-if="!getTagVulnerabilities(tag).security_indexed"
+                data-title="The image for this tag is queued to be scanned for vulnerabilities"
+                bs-tooltip>Queued for scan</span>
+
+          <!-- No Vulns -->
+          <span class="no-vulns"
+                ng-if="getTagVulnerabilities(tag).security_indexed && !getTagVulnerabilities(tag).hasVulnerabilities"
+                data-title="The image for this tag has no vulnerabilities as found in our database"
+                bs-tooltip
+                bindonce>
+            <a bo-href-i="/repository/{{ repository.namespace }}/{{ repository.name }}/image/{{ tag.image_id }}?tab=security">
+              <i class="fa fa-check-circle"></i>
+              Passed
+            </a>
+          </span>
+
+          <!-- Vulns -->
+          <span ng-if="getTagVulnerabilities(tag).security_indexed && getTagVulnerabilities(tag).hasVulnerabilities"
+                ng-class="getTagVulnerabilities(tag).highestVulnerability.Priority"
+                class="has-vulns" bindonce>
+              <a class="vuln-link" bo-href-i="/repository/{{ repository.namespace }}/{{ repository.name }}/image/{{ tag.image_id }}?tab=security"
+                data-title="The image for this tag has {{ getTagVulnerabilities(tag).highestVulnerability.Count }} {{ getTagVulnerabilities(tag).highestVulnerability.Priority }} level vulnerabilities"
+                bs-tooltip>
+              <span class="highest-vuln">
+                <span class="vulnerability-priority-view" priority="getTagVulnerabilities(tag).highestVulnerability.Priority">
+                  {{ getTagVulnerabilities(tag).highestVulnerability.Count }}
+                </span>
+              </span>
+
+              <span ng-if="getTagVulnerabilities(tag).vulnerabilities.length - getTagVulnerabilities(tag).highestVulnerability.Count > 0"
+                    class="other-vulns">
+              + {{ getTagVulnerabilities(tag).vulnerabilities.length - getTagVulnerabilities(tag).highestVulnerability.Count }} others
+              </span>
+            </a>
+            <a bo-href-i="/repository/{{ repository.namespace }}/{{ repository.name }}/image/{{ tag.image_id }}?tab=security" style="display: inline-block; margin-left: 6px;">
+              More Info
+            </a>
+          </span>
         </span>
       </td>
+      <td class="hidden-xs" bo-text="tag.size | bytes"></td>
       <td class="hidden-xs image-id-col">
         <span class="image-link" repository="repository" image-id="tag.image_id"></span>
       </td>
diff --git a/static/directives/vulnerability-priority-view.html b/static/directives/vulnerability-priority-view.html
new file mode 100644
index 000000000..23bcce345
--- /dev/null
+++ b/static/directives/vulnerability-priority-view.html
@@ -0,0 +1,5 @@
+<span class="vulnerability-priority-view-element" ng-class="priority">
+  <i class="fa fa-exclamation-triangle"></i>
+  <span ng-transclude/>
+  {{ priority }}
+</span>
\ No newline at end of file
diff --git a/static/js/directives/repo-view/repo-panel-tags.js b/static/js/directives/repo-view/repo-panel-tags.js
index fcc5d950e..6f80d193f 100644
--- a/static/js/directives/repo-view/repo-panel-tags.js
+++ b/static/js/directives/repo-view/repo-panel-tags.js
@@ -34,8 +34,8 @@ angular.module('quay').directive('repoPanelTags', function () {
       $scope.tagHistory = {};
       $scope.tagActionHandler = null;
       $scope.showingHistory = false;
-      $scope.tagsPerPage = 50;
-      $scope.tagVulnerabilities = {};
+      $scope.tagsPerPage = 25;
+      $scope.imageVulnerabilities = {};
 
       var setTagState = function() {
         if (!$scope.repository || !$scope.selectedTags) { return; }
@@ -57,7 +57,7 @@ angular.module('quay').directive('repoPanelTags', function () {
 
           allTags.push(tagInfo);
 
-          if (!$scope.options.tagFilter || tag.indexOf($scope.options.tagFilter) >= 0 ||
+          if (!$scope.options.tagFilter || tagfOf($scope.options.tagFilter) >= 0 ||
               tagInfo.image_id.indexOf($scope.options.tagFilter) >= 0) {
             tags.push(tagInfo);
           }
@@ -150,51 +150,66 @@ angular.module('quay').directive('repoPanelTags', function () {
         setTagState();
       });
 
-      $scope.loadTagVulnerabilities = function(tag, tagData) {
+      $scope.loadImageVulnerabilities = function(image_id, imageData) {
         var params = {
-          'tag': tag.name,
+          'imageid': image_id,
           'repository': $scope.repository.namespace + '/' + $scope.repository.name,
         };
 
-        ApiService.getRepoTagVulnerabilities(null, params).then(function(resp) {
-          tagData.indexed = resp.security_indexed;
-          tagData.loading = false;
+        ApiService.getRepoImageVulnerabilities(null, params).then(function(resp) {
+          imageData.security_indexed = resp.security_indexed;
+          imageData.loading = false;
 
-          if (resp.security_indexed) {
-            tagData.hasVulnerabilities = !!resp.data.Vulnerabilities.length;
-            tagData.vulnerabilities = resp.data.Vulnerabilities;
+          if (imageData.security_indexed) {
+            var vulnerabilities = resp.data.Vulnerabilities;
+
+            imageData.hasVulnerabilities = !!vulnerabilities.length;
+            imageData.vulnerabilities = vulnerabilities;
+
+            var highest = {
+              'Priority': 'Unknown',
+              'Count': 0,
+              'index': 100000
+            };
 
-            var highest = null;
             resp.data.Vulnerabilities.forEach(function(v) {
-              if (highest == null ||
-                  VulnerabilityService.LEVELS[v.Priority].index < VulnerabilityService.LEVELS[highest.Priority].index) {
-                highest = v;
+              if (VulnerabilityService.LEVELS[v.Priority].index < highest.index) {
+                highest = {
+                  'Priority': v.Priority,
+                  'Count': 1,
+                  'index': VulnerabilityService.LEVELS[v.Priority].index
+                }
+              } else if (VulnerabilityService.LEVELS[v.Priority].index == highest.index) {
+                highest['Count']++;
               }
             });
 
-            tagData.highestVulnerability = highest;
+            imageData.highestVulnerability = highest;
           }
         }, function() {
-          tagData.loading = false;
-          tagData.hasError = true;
+          imageData.loading = false;
+          imageData.hasError = true;
         });
       };
 
       $scope.getTagVulnerabilities = function(tag) {
+        return $scope.getImageVulnerabilities(tag.image_id);
+      };
+
+      $scope.getImageVulnerabilities = function(image_id) {
         if (!$scope.repository) {
           return
         }
 
-        var tagName = tag.name;
-        if (!$scope.tagVulnerabilities[tagName]) {
-          $scope.tagVulnerabilities[tagName] = {
+        if (!$scope.imageVulnerabilities[image_id]) {
+          $scope.imageVulnerabilities[image_id] = {
             'loading': true
           };
 
-          $scope.loadTagVulnerabilities(tag, $scope.tagVulnerabilities[tagName]);
+          $scope.loadImageVulnerabilities(image_id, $scope.imageVulnerabilities[image_id]);
         }
 
-        return $scope.tagVulnerabilities[tagName];
+        return $scope.imageVulnerabilities[image_id];
       };
 
       $scope.clearSelectedTags = function() {
diff --git a/static/js/directives/ui/vulnerability-priority-view.js b/static/js/directives/ui/vulnerability-priority-view.js
new file mode 100644
index 000000000..a257218f5
--- /dev/null
+++ b/static/js/directives/ui/vulnerability-priority-view.js
@@ -0,0 +1,18 @@
+/**
+ * An element which displays a priority triangle for vulnerabilities.
+ */
+angular.module('quay').directive('vulnerabilityPriorityView', function () {
+  var directiveDefinitionObject = {
+    priority: 0,
+    templateUrl: '/static/directives/vulnerability-priority-view.html',
+    replace: false,
+    transclude: true,
+    restrict: 'C',
+    scope: {
+      'priority': '=priority'
+    },
+    controller: function($scope, $element) {
+    }
+  };
+  return directiveDefinitionObject;
+});
\ No newline at end of file
diff --git a/static/js/pages/image-view.js b/static/js/pages/image-view.js
index d848440f2..22da844a7 100644
--- a/static/js/pages/image-view.js
+++ b/static/js/pages/image-view.js
@@ -10,11 +10,16 @@
     })
   }]);
 
-  function ImageViewCtrl($scope, $routeParams, $rootScope, $timeout, ApiService, ImageMetadataService) {
+  function ImageViewCtrl($scope, $routeParams, $rootScope, $timeout, ApiService, ImageMetadataService, VulnerabilityService, Features) {
     var namespace = $routeParams.namespace;
     var name = $routeParams.name;
     var imageid = $routeParams.image;
 
+    $scope.options = {
+      'vulnFilter': '',
+      'packageFilter': ''
+    };
+
     var loadImage = function() {
       var params = {
         'repository': namespace + '/' + name,
@@ -41,7 +46,7 @@
     loadRepository();
 
     $scope.downloadPackages = function() {
-      if ($scope.packagesResource) { return; }
+      if (!Features.SECURITY_SCANNER || $scope.packagesResource) { return; }
 
       var params = {
         'repository': namespace + '/' + name,
@@ -53,6 +58,26 @@
       });
     };
 
+    $scope.loadImageVulnerabilities = function() {
+      if (!Features.SECURITY_SCANNER || $scope.vulnerabilitiesResource) { return; }
+
+      var params = {
+        'repository': namespace + '/' + name,
+        'imageid': imageid
+      };
+
+      $scope.vulnerabilitiesResource = ApiService.getRepoImageVulnerabilitiesAsResource(params).get(function(resp) {
+        $scope.vulerabilityInfo = resp;
+        $scope.vulnerabilities = [];
+
+        resp.data.Vulnerabilities.forEach(function(vuln) {
+          vuln_copy = jQuery.extend({}, vuln);
+          vuln_copy['index'] = VulnerabilityService.LEVELS[vuln['Priority']]['index'];
+          $scope.vulnerabilities.push(vuln_copy);
+        });
+      });
+    };
+
     $scope.downloadChanges = function() {
       if ($scope.changesResource) { return; }
 
diff --git a/static/partials/image-view.html b/static/partials/image-view.html
index ee306150f..6e4b40767 100644
--- a/static/partials/image-view.html
+++ b/static/partials/image-view.html
@@ -25,8 +25,14 @@
               tab-init="downloadChanges()">
           <i class="fa fa-code-fork"></i>
         </span>
+        <span class="cor-tab" tab-title="Security Scan" tab-target="#security"
+              tab-init="loadImageVulnerabilities()"
+              quay-show="Features.SECURITY_SCANNER">
+          <i class="fa fa-bug"></i>
+        </span>
         <span class="cor-tab" tab-title="Packages" tab-target="#packages"
-              tab-init="downloadPackages()">
+              tab-init="downloadPackages()"
+              quay-show="Features.SECURITY_SCANNER">
           <i class="fa ci-package"></i>
         </span>
       </div> <!-- /cor-tabs -->
@@ -58,9 +64,57 @@
           </div>
         </div>
 
+        <!-- Security -->
+        <div id="security" class="tab-pane" quay-require="['SECURITY_SCANNER']">
+          <div class="resource-view" resource="vulnerabilitiesResource" error-message="'Could not load security information for image'">
+            <div class="filter-box floating" collection="vulnerabilities" filter-model="options.vulnFilter" filter-name="Vulnerabilities" ng-if="vulerabilityInfo.security_indexed && vulnerabilities.length"></div>
+
+            <h3>Image Security</h3>
+            <div class="empty" ng-if="!vulerabilityInfo.security_indexed">
+              <div class="empty-primary-msg">This image has not been indexed yet</div>
+              <div class="empty-secondary-msg">
+                Please try again in a few minutes.
+              </div>
+            </div>
+            <div class="empty" ng-if="vulerabilityInfo.security_indexed && !vulnerabilities.length">
+              <div class="empty-primary-msg">This image contains no recognized security vulnerabilities</div>
+              <div class="empty-secondary-msg">
+                Quay currently indexes Debian, Red Hat and Ubuntu packages.
+              </div>
+            </div>
+
+            <div ng-if="vulerabilityInfo.security_indexed && vulnerabilities.length">
+              <table class="co-table">
+                <thead>
+                  <td style="width: 200px;">Vulnerability</td>
+                  <td style="width: 200px;">Priority</td>
+                  <td>Description</td>
+                </thead>
+
+                <tr ng-repeat="vulnerability in vulnerabilities | filter:options.vulnFilter | orderBy:'index'">
+                  <td><a href="{{ vulnerability.Link }}" target="_blank">{{ vulnerability.ID }}</a></td>
+                  <td>
+                    <span class="vulnerability-priority-view" priority="vulnerability.Priority"></span>
+                  <td>{{ vulnerability.Description }}</td>
+                </tr>
+              </table>
+
+              <div class="empty" ng-if="(vulnerabilities | filter:options.vulnFilter).length == 0"
+                   style="margin-top: 20px;">
+                <div class="empty-primary-msg">No matching vulnerabilities found</div>
+                <div class="empty-secondary-msg">
+                  Please adjust your filter above.
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
         <!-- Packages -->
-        <div id="packages" class="tab-pane">
+        <div id="packages" class="tab-pane" quay-require="['SECURITY_SCANNER']">
           <div class="resource-view" resource="packagesResource" error-message="'Could not load image packages'">
+            <div class="filter-box floating" collection="packages.data.Packages" filter-model="options.packageFilter" filter-name="Packages" ng-if="packages.security_indexed && packages.data.Packages.length"></div>
+
             <h3>Image Packages</h3>
             <div class="empty" ng-if="!packages.security_indexed">
               <div class="empty-primary-msg">This image has not been indexed yet</div>
@@ -75,19 +129,27 @@
               </div>
             </div>
 
-            <table class="table" ng-if="packages.security_indexed && packages.data.Packages.length">
+            <table class="co-table" ng-if="packages.security_indexed && packages.data.Packages.length">
               <thead>
-                <th>Package Name</th>
-                <th>Package Version</th>
-                <th>OS</th>
+                <td>Package Name</td>
+                <td>Package Version</td>
+                <td>OS</td>
               </thead>
 
-              <tr ng-repeat="package in packages.data.Packages | orderBy:'Name'">
+              <tr ng-repeat="package in packages.data.Packages | filter:options.packageFilter | orderBy:'Name'">
                 <td>{{ package.Name }}</td>
                 <td>{{ package.Version }}</td>
                 <td>{{ package.OS }}</td>
               </tr>
             </table>
+
+            <div class="empty" ng-if="(packages.data.Packages | filter:options.packageFilter).length == 0"
+                   style="margin-top: 20px;">
+                <div class="empty-primary-msg">No matching packages found</div>
+                <div class="empty-secondary-msg">
+                  Please adjust your filter above.
+                </div>
+              </div>
           </div>
         </div>
      </div>
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 26d360754..fd0702d81 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -256,7 +256,7 @@ class SecurityWorker(Worker):
           # callback code, etc.
           try:
             logger.debug('Loading vulnerabilities for layer %s', img['image_id'])
-            response = secscan_api.call('layers/%s/vulnerabilities', request['ID'])
+            response = secscan_api.call('layers/%s/vulnerabilities', None, request['ID'])
           except requests.exceptions.Timeout:
             logger.debug('Timeout when calling Sec')
             continue

From e86a34286885414f064b9395da21f8503730e7d2 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Thu, 12 Nov 2015 15:46:31 -0500
Subject: [PATCH 26/36] create class for security config validation

---
 util/secscan/api.py | 72 ++++++++++++++++++++++++++++++++-------------
 1 file changed, 52 insertions(+), 20 deletions(-)

diff --git a/util/secscan/api.py b/util/secscan/api.py
index b0138eeef..331e45294 100644
--- a/util/secscan/api.py
+++ b/util/secscan/api.py
@@ -98,6 +98,54 @@ def get_priority_for_index(index):
 
  return 'Unknown'
 
+class SecurityConfigValidator(object):
+  def __init__(self, app, config_provider):
+    self._config_provider = config_provider
+
+    if not features.SECURITY_SCANNER:
+      return
+
+    self._security_config = app.config['SECURITY_SCANNER']
+    if self._security_config is None:
+      return
+
+    self._certificate = self._get_filepath('CA_CERTIFICATE_FILENAME') or False
+    self._public_key = self._get_filepath('PUBLIC_KEY_FILENAME')
+    self._private_key = self._get_filepath('PRIVATE_KEY_FILENAME')
+
+    if self._public_key and self._private_key:
+      self._keys = (self._public_key, self._private_key)
+    else:
+      self._keys = None
+
+  def _get_filepath(self, key):
+    config = self._security_config
+
+    if key in config:
+      with self._config_provider.get_volume_file(config[key]) as f:
+        return f.name
+
+    return None
+
+  def cert(self):
+    return self._certificate
+
+  def keypair(self):
+    return self._keys
+
+  def valid(self):
+    config = self._security_config
+
+    if (not features.SECURITY_SCANNER
+        or not config
+        or not 'ENDPOINT' in config
+        or not 'ENGINE_VERSION_TARGET' in config
+        or not 'DISTRIBUTED_STORAGE_PREFERENCE' in config
+        or (self._certificate is False and self._keys is None)):
+      return False
+
+    return True
+
 
 class SecurityScannerAPI(object):
   """ Helper class for talking to the Security Scan service (Clair). """
@@ -105,28 +153,12 @@ class SecurityScannerAPI(object):
     self.app = app
     self.config_provider = config_provider
 
-    if not features.SECURITY_SCANNER:
+    config_validator = SecurityConfigValidator(app, config_provider)
+    if not config_validator.valid():
       return
 
-    self.security_config = app.config['SECURITY_SCANNER']
-
-    self.certificate = self._getfilepath('CA_CERTIFICATE_FILENAME') or False
-    self.public_key = self._getfilepath('PUBLIC_KEY_FILENAME')
-    self.private_key = self._getfilepath('PRIVATE_KEY_FILENAME')
-
-    if self.public_key and self.private_key:
-      self.keys = (self.public_key, self.private_key)
-    else:
-      self.keys = None
-
-  def _getfilepath(self, config_key):
-    security_config = self.security_config
-
-    if config_key in security_config:
-      with self.config_provider.get_volume_file(security_config[config_key]) as f:
-        return f.name
-
-    return None
+    self.certificate = config_validator.cert()
+    self.keys = config_validator.keypair()
 
   def check_layer_vulnerable(self, layer_id, cve_id):
     """ Checks with Clair whether the given layer is vulnerable to the given CVE. """

From f6a34c5d0627f4478dd0c25f2684166a485f1a90 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Wed, 11 Nov 2015 15:41:46 -0500
Subject: [PATCH 27/36] refactor securityworker

Fixes #772.
---
 workers/securityworker.py | 291 ++++++++++++++++++--------------------
 1 file changed, 137 insertions(+), 154 deletions(-)

diff --git a/workers/securityworker.py b/workers/securityworker.py
index 26d360754..1f4328741 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -6,17 +6,16 @@ import features
 import time
 import os
 import random
-import json
 
 from endpoints.notificationhelper import spawn_notification
 from collections import defaultdict
-from sys import exc_info
 from peewee import JOIN_LEFT_OUTER
-from app import app, storage, OVERRIDE_CONFIG_DIRECTORY, secscan_api
+from app import app, config_provider, storage, OVERRIDE_CONFIG_DIRECTORY, secscan_api
 from workers.worker import Worker
 from data.database import (Image, ImageStorage, ImageStorageLocation, ImageStoragePlacement,
                            db_random_func, UseThenDisconnect, RepositoryTag, Repository,
                            ExternalNotificationEvent, RepositoryNotification)
+from util.secscan.api import SecurityConfigValidator
 
 logger = logging.getLogger(__name__)
 
@@ -25,12 +24,12 @@ INDEXING_INTERVAL = 10
 API_METHOD_INSERT = '/v1/layers'
 API_METHOD_VERSION = '/v1/versions/engine'
 
-def _get_image_to_export(version):
+def _get_images_to_export_list(version):
   Parent = Image.alias()
   ParentImageStorage = ImageStorage.alias()
   rimages = []
 
-  # Without parent
+  # Collect the images without parents
   candidates = (Image
                 .select(Image.id, Image.docker_image_id, ImageStorage.uuid)
                 .join(ImageStorage)
@@ -54,7 +53,7 @@ def _get_image_to_export(version):
                     'parent_docker_image_id': None,
                     'parent_storage_uuid': None})
 
-  # With analyzed parent
+  # Collect the images with analyzed parents.
   candidates = (Image
                 .select(Image.id,
                         Image.docker_image_id,
@@ -90,9 +89,8 @@ def _get_image_to_export(version):
                     'parent_docker_image_id': image[3],
                     'parent_storage_uuid': image[4]})
 
-  # Re-shuffle, otherwise the images without parents will always be on the top
+  # Shuffle the images, otherwise the images without parents will always be on the top
   random.shuffle(rimages)
-
   return rimages
 
 def _get_storage_locations(uuid):
@@ -102,12 +100,8 @@ def _get_storage_locations(uuid):
            .switch(ImageStoragePlacement)
            .join(ImageStorage, JOIN_LEFT_OUTER)
            .where(ImageStorage.uuid == uuid))
-  return query.get()
-  locations = list()
-  for location in query:
-    locations.append(location.location.name)
 
-  return locations
+  return [location.location.name for location in query]
 
 def _update_image(image, indexed, version):
   query = (Image
@@ -116,174 +110,163 @@ def _update_image(image, indexed, version):
            .where(Image.docker_image_id == image['docker_image_id'],
                   ImageStorage.uuid == image['storage_uuid']))
 
-  updated_images = list()
-  for row in query:
-    updated_images.append(row.id)
-
   (Image
-      .update(security_indexed=indexed, security_indexed_engine=version)
-      .where(Image.id << updated_images)
-      .execute())
+   .update(security_indexed=indexed, security_indexed_engine=version)
+   .where(Image.id << [row.id for row in query])
+   .execute())
+
 
 class SecurityWorker(Worker):
   def __init__(self):
     super(SecurityWorker, self).__init__()
-    if self._load_configuration():
+    validator = SecurityConfigValidator(app.config, config_provider)
+    if validator.valid():
+      secscan_config = app.config.get('SECURITY_SCANNER')
+      self._api = secscan_config['ENDPOINT']
+      self._target_version = secscan_config['ENGINE_VERSION_TARGET']
+      self._default_storage_locations = app.config['DISTRIBUTED_STORAGE_PREFERENCE']
+      self._cert = validator.cert()
+      self._keys = validator.keypair()
+
       self.add_operation(self._index_images, INDEXING_INTERVAL)
 
-  def _load_configuration(self):
-    # Load configuration
-    config = app.config.get('SECURITY_SCANNER')
+  def _get_image_url(self, image):
+    """ Gets the download URL for an image and if the storage doesn't exist,
+        marks the image as unindexed. """
+    path = storage.image_layer_path(image['storage_uuid'])
+    locations = self._default_storage_locations
 
-    if (not config
-        or not 'ENDPOINT' in config or not 'ENGINE_VERSION_TARGET' in config
-        or not 'DISTRIBUTED_STORAGE_PREFERENCE' in app.config):
-      logger.exception('No configuration found for the security worker')
-      return False
-    self._api = config['ENDPOINT']
-    self._target_version = config['ENGINE_VERSION_TARGET']
-    self._default_storage_locations = app.config['DISTRIBUTED_STORAGE_PREFERENCE']
+    if not storage.exists(locations, path):
+      locations = _get_storage_locations(image['storage_uuid'])
 
-    self._ca = False
-    self._cert = None
-    if 'CA_CERTIFICATE_FILENAME' in config:
-      self._ca = os.path.join(OVERRIDE_CONFIG_DIRECTORY, config['CA_CERTIFICATE_FILENAME'])
-      if not os.path.isfile(self._ca):
-        logger.exception('Could not find configured CA file')
-        return False
-    if 'PRIVATE_KEY_FILENAME' in config and 'PUBLIC_KEY_FILENAME' in config:
-      self._cert = (
-        os.path.join(OVERRIDE_CONFIG_DIRECTORY, config['PUBLIC_KEY_FILENAME']),
-        os.path.join(OVERRIDE_CONFIG_DIRECTORY, config['PRIVATE_KEY_FILENAME']),
-      )
-      if not os.path.isfile(self._cert[0]) or not os.path.isfile(self._cert[1]):
-        logger.exception('Could not find configured key pair files')
-        return False
+      if not storage.exists(locations, path):
+        logger.warning('Could not find a valid location to download layer %s',
+                       image['docker_image_id']+'.'+image['storage_uuid'])
+        try:
+          _update_image(image, False, self._target_version)
+        except:
+          logger.exception('Failed to update unindexed image')
+        return None
 
-    return True
+    uri = storage.get_direct_download_url(locations, path)
+    # Local storage hack
+    if uri is None:
+      uri = path
+
+    return uri
+
+  def _new_request(self, image):
+    url = self._get_image_url(image)
+    if url is None:
+      return None
+
+    request = {
+      'ID': image['docker_image_id']+'.'+image['storage_uuid'],
+      'Path': url,
+    }
+
+    if image['parent_docker_image_id'] is not None and image['parent_storage_uuid'] is not None:
+      request['ParentID'] = image['parent_docker_image_id']+'.'+image['parent_storage_uuid']
+
+    return request
+
+  def _analyze_image(self, image):
+    request = self._new_request(image)
+    if request is None:
+      return None
+
+    try:
+      logger.info('Analyzing %s', request['ID'])
+      # Using invalid certificates doesn't return proper errors because of
+      # https://github.com/shazow/urllib3/issues/556
+      httpResponse = requests.post(self._api + API_METHOD_INSERT, json=request,
+                                   cert=self._keys, verify=self._cert)
+      jsonResponse = httpResponse.json()
+    except:
+      logger.exception('An exception occurred when analyzing layer ID %s', request['ID'])
+      return None
+
+    # Handle any errors from the security scanner.
+    if httpResponse.status_code != 201:
+      if 'Message' in jsonResponse:
+        if 'OS and/or package manager are not supported' in jsonResponse['Message']:
+          # The current engine could not index this layer
+          logger.warning('A warning event occurred when analyzing layer ID %s : %s',
+                         request['ID'], jsonResponse['Message'])
+
+          # Hopefully, there is no version lower than the target one running
+          try:
+            _update_image(image, False, self._target_version)
+          except:
+            logger.exception('Failed to update image to be unindexed')
+        else:
+          logger.warning('Failed to handle JSON message "%s" when analyzing layer ID %s',
+                         jsonResponse['Message'], request['ID'])
+          return None
+      else:
+        logger.warning('No message found in JSON response when analyzing layer ID %s', request['ID'])
+        return None
+
+      api_version = jsonResponse['Version']
+      if api_version < self._target_version:
+        logger.warning('An engine runs on version %d but the target version is %d')
+
+    try:
+      _update_image(image, True, api_version)
+      logger.debug('Layer %s analyzed successfully', request['ID'])
+    except:
+      logger.exception('Failed to update image to be indexed')
+
+    logger.debug('Loading vulnerabilities for layer %s', image['image_id'])
+    try:
+      response = secscan_api.call('layers/%s/vulnerabilities', None, request['ID'])
+      logger.debug('Got response %s for vulnerabilities for layer %s',
+                   response.status_code, image['image_id'])
+      if response.status_code == 404:
+        return None
+    except:
+      logger.exception('Failed to get vulnerability response for %s', image['image_id'])
+      return None
+
+    return response.json()
 
   def _index_images(self):
-    logger.debug('Starting indexing')
+    logger.debug('Started indexing')
 
     with UseThenDisconnect(app.config):
       while True:
-        logger.debug('Looking up images to index')
-
-        # Get images to analyze
+        images = []
         try:
-          images = _get_image_to_export(self._target_version)
-          if not images:
-            logger.debug('No more image to analyze')
-            return
-
+          logger.debug('Looking up images to index')
+          images = _get_images_to_export_list(self._target_version)
         except Image.DoesNotExist:
-          logger.debug('No more image to analyze')
+          pass
+
+        if not images:
+          logger.debug('No more images left to analyze')
           return
+        logger.debug('Found %d images to index' % len(images))
 
-        logger.debug('Found images to index: %s', images)
-        for img in images:
-          # Get layer storage URL
-          path = storage.image_layer_path(img['storage_uuid'])
-          locations = self._default_storage_locations
-
-          if not storage.exists(locations, path):
-            locations = _get_storage_locations(img['storage_uuid'])
-
-            if not storage.exists(locations, path):
-              logger.warning('Could not find a valid location to download layer %s',
-                             img['docker_image_id']+'.'+img['storage_uuid'])
-              _update_image(img, False, self._target_version)
-              continue
-
-          uri = storage.get_direct_download_url(locations, path)
-          if uri == None:
-            # Local storage hack
-            uri = path
-
-          # Forge request
-          request = {
-            'ID': img['docker_image_id']+'.'+img['storage_uuid'],
-            'Path': uri
-          }
-          if img['parent_docker_image_id'] is not None and img['parent_storage_uuid'] is not None:
-            request['ParentID'] = img['parent_docker_image_id']+'.'+img['parent_storage_uuid']
-
-          # Post request
-          try:
-            logger.info('Analyzing %s', request['ID'])
-            # Using invalid certificates doesn't return proper errors because of
-            # https://github.com/shazow/urllib3/issues/556
-            httpResponse = requests.post(self._api + API_METHOD_INSERT, json=request,
-                                         cert=self._cert, verify=self._ca)
-          except:
-            logger.exception('An exception occurred when analyzing layer ID %s : %s',
-                             request['ID'], exc_info()[0])
-            return
-          try:
-            jsonResponse = httpResponse.json()
-          except:
-            logger.exception('An exception occurred when analyzing layer ID %s : the response is \
-                             not valid JSON (%s)', request['ID'], httpResponse.text)
-            return
-
-          if httpResponse.status_code != 201:
-            if 'Message' in jsonResponse:
-              if 'OS and/or package manager are not supported' in jsonResponse['Message']:
-                # The current engine could not index this layer
-                logger.warning('A warning event occurred when analyzing layer ID %s : %s',
-                               request['ID'], jsonResponse['Message'])
-                # Hopefully, there is no version lower than the target one running
-                _update_image(img, False, self._target_version)
-              else:
-                logger.exception('An exception occurred when analyzing layer ID %s : %d %s',
-                                 request['ID'], httpResponse.status_code, jsonResponse['Message'])
-                return
-            else:
-              logger.exception('An exception occurred when analyzing layer ID %s : %d',
-                               request['ID'], httpResponse.status_code)
-              return
-
-          # The layer has been successfully indexed
-          api_version = jsonResponse['Version']
-          if api_version < self._target_version:
-            logger.warning('An engine runs on version %d but the target version is %d')
-
-          logger.debug('Layer %s analyzed successfully', request['ID'])
-          _update_image(img, True, api_version)
-
-
-          # TODO(jschorr): Put this in a proper place, properly comment, unify with the
-          # callback code, etc.
-          try:
-            logger.debug('Loading vulnerabilities for layer %s', img['image_id'])
-            response = secscan_api.call('layers/%s/vulnerabilities', request['ID'])
-          except requests.exceptions.Timeout:
-            logger.debug('Timeout when calling Sec')
+        for image in images:
+          sec_data = self._analyze_image(image)
+          if sec_data is None:
             continue
-          except requests.exceptions.ConnectionError:
-            logger.debug('Connection error when calling Sec')
-            continue
-
-          logger.debug('Got response %s for vulnerabilities for layer %s', response.status_code, img['image_id'])
-          if response.status_code == 404:
-            continue
-
-          sec_data = json.loads(response.text)
-          logger.debug('Got response vulnerabilities for layer %s: %s', img['image_id'], sec_data)
+          logger.debug('Got response vulnerabilities for layer %s: %s', image['image_id'], sec_data)
 
           if not sec_data['Vulnerabilities']:
             continue
 
+          # Dispatch events for any detected vulnerabilities
           event = ExternalNotificationEvent.get(name='vulnerability_found')
           matching = (RepositoryTag
-            .select(RepositoryTag, Repository)
-            .distinct()
-            .join(Repository)
-            .join(RepositoryNotification)
-            .where(RepositoryNotification.event == event,
-                   RepositoryTag.image == img['image_id']))
+                      .select(RepositoryTag, Repository)
+                      .distinct()
+                      .join(Repository)
+                      .join(RepositoryNotification)
+                      .where(RepositoryNotification.event == event,
+                             RepositoryTag.image == image['image_id']))
 
-          repository_map = defaultdict(list)
+          repository_map = defaultdict()
 
           for tag in matching:
             repository_map[tag.repository_id].append(tag)

From 3b3f101ea668fd6aa5cfb18515fe91e611668c2f Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 15:42:45 -0500
Subject: [PATCH 28/36] Vulnerability UI part 2

Fixes #860
Fixes #855
---
 endpoints/api/secscan.py                      |  22 +++-
 .../directives/repo-view/repo-panel-info.css  |  50 +++++++-
 .../directives/repo-view/repo-panel-tags.css  |   4 +-
 static/css/directives/ui/filter-box.css       |   2 +-
 .../ui/repository-events-summary.css          |  21 ++++
 .../ui/vulnerability-priority-view.css        |   2 +-
 static/css/pages/image-view.css               |  27 ++++-
 .../directives/repo-view/repo-panel-info.html |  20 +++-
 .../directives/repo-view/repo-panel-tags.html |  19 +++-
 .../directives/repository-events-summary.html |  22 ++++
 .../directives/repository-events-table.html   |   1 +
 static/img/lock.svg                           |  17 +++
 static/img/scan.svg                           |  14 +++
 .../directives/repo-view/repo-panel-info.js   |   3 +-
 .../directives/repo-view/repo-panel-tags.js   |   4 +-
 .../ui/create-external-notification-dialog.js |  17 ++-
 .../ui/repository-events-summary.js           |  77 +++++++++++++
 .../directives/ui/repository-events-table.js  |  29 ++++-
 static/js/pages/image-view.js                 |  19 +++-
 static/js/pages/repo-view.js                  |   5 +
 .../js/services/external-notification-data.js |   4 +-
 static/partials/image-view.html               | 107 +++++++++++-------
 static/partials/repo-view.html                |   6 +-
 23 files changed, 419 insertions(+), 73 deletions(-)
 create mode 100644 static/css/directives/ui/repository-events-summary.css
 create mode 100644 static/directives/repository-events-summary.html
 create mode 100644 static/img/lock.svg
 create mode 100644 static/img/scan.svg
 create mode 100644 static/js/directives/ui/repository-events-summary.js

diff --git a/endpoints/api/secscan.py b/endpoints/api/secscan.py
index 9a1fee133..c05e40fef 100644
--- a/endpoints/api/secscan.py
+++ b/endpoints/api/secscan.py
@@ -15,6 +15,13 @@ from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_pa
 logger = logging.getLogger(__name__)
 
 
+class SCAN_STATUS(object):
+  """ Security scan status enum """
+  SCANNED = 'scanned'
+  FAILED = 'failed'
+  QUEUED = 'queued'
+
+
 def _call_security_api(relative_url, *args, **kwargs):
   """ Issues an HTTP call to the sec API at the given relative URL. """
   try:
@@ -39,6 +46,13 @@ def _call_security_api(relative_url, *args, **kwargs):
   return response_data
 
 
+def _get_status(repo_image):
+  if repo_image.security_indexed_engine:
+    return SCAN_STATUS.SCANNED if repo_image.security_indexed else SCAN_STATUS.FAILED
+
+  return SCAN_STATUS.QUEUED
+
+
 @show_if(features.SECURITY_SCANNER)
 @resource('/v1/repository/<repopath:repository>/image/<imageid>/vulnerabilities')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
@@ -61,7 +75,7 @@ class RepositoryImageVulnerabilities(RepositoryParamResource):
       logger.debug('Image %s under repository %s/%s not security indexed',
                    repo_image.docker_image_id, namespace, repository)
       return {
-        'security_indexed': False
+        'status': _get_status(repo_image),
       }
 
     layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
@@ -69,7 +83,7 @@ class RepositoryImageVulnerabilities(RepositoryParamResource):
                               minimumPriority=args.minimumPriority)
 
     return {
-      'security_indexed': True,
+      'status': _get_status(repo_image),
       'data': data,
     }
 
@@ -91,14 +105,14 @@ class RepositoryImagePackages(RepositoryParamResource):
 
     if not repo_image.security_indexed:
       return {
-        'security_indexed': False
+        'status': _get_status(repo_image),
       }
 
     layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
     data = _call_security_api('layers/%s/packages', layer_id)
 
     return {
-      'security_indexed': True,
+      'status': _get_status(repo_image),
       'data': data,
     }
 
diff --git a/static/css/directives/repo-view/repo-panel-info.css b/static/css/directives/repo-view/repo-panel-info.css
index 1b39b3a6b..032fd7d4b 100644
--- a/static/css/directives/repo-view/repo-panel-info.css
+++ b/static/css/directives/repo-view/repo-panel-info.css
@@ -3,10 +3,56 @@
   float: right;
 }
 
+.repo-panel-info-element .right-sec-controls {
+  border: 1px solid #ddd;
+  padding: 20px;
+  border-radius: 4px;
+  max-width: 400px;
+}
+
+.repo-panel-info-element .right-sec-controls {
+  color: #333;
+  font-weight: 300;
+  padding-left: 70px;
+  position: relative;
+}
+
+.repo-panel-info-element .right-sec-controls .sec-logo {
+  position: absolute;
+  top: 17px;
+  left: 15px;
+}
+
+.repo-panel-info-element .right-sec-controls .sec-logo .lock {
+  position: absolute;
+  top: 5px;
+  right: 10px;
+}
+
+.repo-panel-info-element .right-sec-controls b {
+  color: #333;
+  font-weight: normal;
+  margin-bottom: 20px;
+  display: block;
+}
+
+.repo-panel-info-element .right-sec-controls .configure-alerts {
+  margin-top: 20px;
+  font-weight: normal;
+}
+
+.repo-panel-info-element .right-sec-controls .configure-alerts .fa {
+  margin-right: 6px;
+}
+
+.repo-panel-info-element .right-sec-controls .repository-events-summary {
+  margin-top: 20px;
+}
+
 .repo-panel-info-element .right-controls .copy-box {
   width: 400px;
-  display: inline-block;
-  margin-left: 10px;
+  margin-top: 10px;
+  margin-bottom: 20px;
 }
 
 .repo-panel-info-element .stat-col {
diff --git a/static/css/directives/repo-view/repo-panel-tags.css b/static/css/directives/repo-view/repo-panel-tags.css
index f2818187b..c0a1073c4 100644
--- a/static/css/directives/repo-view/repo-panel-tags.css
+++ b/static/css/directives/repo-view/repo-panel-tags.css
@@ -93,7 +93,9 @@
   margin-right: 4px;
 }
 
-.repo-panel-tags-element .security-scan-col .scanning {
+.repo-panel-tags-element .security-scan-col .scanning,
+.repo-panel-tags-element .security-scan-col .failed-scan,
+.repo-panel-tags-element .security-scan-col .vuln-load-error {
   color: #9B9B9B;
   font-size: 12px;
 }
diff --git a/static/css/directives/ui/filter-box.css b/static/css/directives/ui/filter-box.css
index 836a72b11..604930a0d 100644
--- a/static/css/directives/ui/filter-box.css
+++ b/static/css/directives/ui/filter-box.css
@@ -20,7 +20,7 @@
 .filter-box.floating {
   float: right;
   min-width: 300px;
-  margin-top: 0px;
+  margin-top: 15px;
   position: relative;
 }
 
diff --git a/static/css/directives/ui/repository-events-summary.css b/static/css/directives/ui/repository-events-summary.css
new file mode 100644
index 000000000..1ff4d60b2
--- /dev/null
+++ b/static/css/directives/ui/repository-events-summary.css
@@ -0,0 +1,21 @@
+.repository-events-summary-element .summary-list {
+    padding: 0px;
+    margin: 0px;
+    list-style: none;
+}
+
+.repository-events-summary-element .summary-list li {
+    margin-bottom: 6px;
+}
+
+.repository-events-summary-element .summary-list li i.fa {
+    margin-right: 4px;
+}
+
+.repository-events-summary-element .notification-event-fields {
+    display: inline-block;
+    padding: 0px;
+    margin: 0px;
+    list-style: none;
+    padding-left: 24px;
+}
\ No newline at end of file
diff --git a/static/css/directives/ui/vulnerability-priority-view.css b/static/css/directives/ui/vulnerability-priority-view.css
index c3487d6cb..88dd4d27c 100644
--- a/static/css/directives/ui/vulnerability-priority-view.css
+++ b/static/css/directives/ui/vulnerability-priority-view.css
@@ -4,7 +4,7 @@
 
 .vulnerability-priority-view-element.Unknown,
 .vulnerability-priority-view-element.Low,
-.vulnerability-priority-view-element.Negligable {
+.vulnerability-priority-view-element.Negligible {
   color: #9B9B9B;
 }
 
diff --git a/static/css/pages/image-view.css b/static/css/pages/image-view.css
index 6b5cfa555..a1cb55bab 100644
--- a/static/css/pages/image-view.css
+++ b/static/css/pages/image-view.css
@@ -21,7 +21,7 @@
 }
 
 .image-view .co-tab-content h3 {
-  margin-bottom: 20px;
+  margin-bottom: 30px;
 }
 
 .image-view .fa-bug {
@@ -42,4 +42,29 @@
 
 .image-view .co-filter-box input {
   display: inline-block;
+}
+
+.image-view .level-col h4 {
+  margin-top: 0px;
+  margin-bottom: 20px;
+}
+
+.image-view .levels {
+  list-style: none;
+  padding: 0px;
+  margin: 0px;
+}
+
+.image-view .levels li {
+  margin-bottom: 20px;
+}
+
+.image-view .levels li .description {
+  margin-top: 6px;
+  font-size: 14px;
+  color: #999;
+}
+
+.image-view .level-col {
+  padding: 20px;
 }
\ No newline at end of file
diff --git a/static/directives/repo-view/repo-panel-info.html b/static/directives/repo-view/repo-panel-info.html
index 5fdab5a4c..7faf2b417 100644
--- a/static/directives/repo-view/repo-panel-info.html
+++ b/static/directives/repo-view/repo-panel-info.html
@@ -65,7 +65,25 @@
 
     <!-- Pull Controls -->
     <div class="right-controls hidden-sm hidden-xs">
-      Pull Full Repository: <div class="copy-box" hovering-message="true" value="pullCommand"></div>
+      <div class="right-pull-controls">
+        <div>Pull this container with the following Docker command:</div>
+        <div class="copy-box" hovering-message="true" value="pullCommand"></div>
+      </div>
+
+      <div class="right-sec-controls" quay-show="repository.can_admin && Features.SECURITY_SCANNER">
+        <span class="sec-logo">
+          <img class="lock" src="/static/img/lock.svg">
+          <img class="scan" src="/static/img/scan.svg">
+        </span>
+
+        <b>Automated Security Scanning (Preview)</b>
+        <div>Continually scanning this repository for 17K+ known vulnerabilities. <a href="http://blog.quay.io/security-scanning-beta" target="_blank">Read more about this feature</a>.</div>
+        <div class="configure-alerts" ng-if="!hasEvents">
+          <a href="/repository/{{ repository.namespace }}/{{ repository.name }}?tab=settings&add_event=vulnerability_found"><i class="fa fa-bell-o"></i>Configure Vulnerability Alerts</a>
+        </div>
+        <div class="repository-events-summary" is-enabled="repository.can_admin" repository="repository"
+             event-filter="vulnerability_found" has-events="hasEvents"></div>
+      </div>
     </div>
 
     <h4 style="font-size:20px;">Description</h4>
diff --git a/static/directives/repo-view/repo-panel-tags.html b/static/directives/repo-view/repo-panel-tags.html
index 0f1125d8e..6c182bfe3 100644
--- a/static/directives/repo-view/repo-panel-tags.html
+++ b/static/directives/repo-view/repo-panel-tags.html
@@ -115,15 +115,26 @@
       </td>
       <td quay-require="['SECURITY_SCANNER']" class="security-scan-col">
         <span class="cor-loader-inline" ng-if="getTagVulnerabilities(tag).loading"></span>
+        <span class="vuln-load-error" ng-if="getTagVulnerabilities(tag).hasError">
+          Could not load security information
+        </span>
         <span ng-if="!getTagVulnerabilities(tag).loading">
-          <!-- Scanning -->
-          <span class="scanning" ng-if="!getTagVulnerabilities(tag).security_indexed"
+          <!-- Queued -->
+          <span class="scanning" ng-if="getTagVulnerabilities(tag).status == 'queued'"
                 data-title="The image for this tag is queued to be scanned for vulnerabilities"
                 bs-tooltip>Queued for scan</span>
 
+          <!-- Scan Failed -->
+          <span class="failed-scan" ng-if="getTagVulnerabilities(tag).status == 'failed'"
+                data-title="The image for this tag could not be scanned for vulnerabilities"
+                bs-tooltip>
+            <i class="fa fa-times-circle"></i>
+            Failed to scan
+          </span>
+
           <!-- No Vulns -->
           <span class="no-vulns"
-                ng-if="getTagVulnerabilities(tag).security_indexed && !getTagVulnerabilities(tag).hasVulnerabilities"
+                ng-if="getTagVulnerabilities(tag).status == 'scanned' && !getTagVulnerabilities(tag).hasVulnerabilities"
                 data-title="The image for this tag has no vulnerabilities as found in our database"
                 bs-tooltip
                 bindonce>
@@ -134,7 +145,7 @@
           </span>
 
           <!-- Vulns -->
-          <span ng-if="getTagVulnerabilities(tag).security_indexed && getTagVulnerabilities(tag).hasVulnerabilities"
+          <span ng-if="getTagVulnerabilities(tag).status == 'scanned' && getTagVulnerabilities(tag).hasVulnerabilities"
                 ng-class="getTagVulnerabilities(tag).highestVulnerability.Priority"
                 class="has-vulns" bindonce>
               <a class="vuln-link" bo-href-i="/repository/{{ repository.namespace }}/{{ repository.name }}/image/{{ tag.image_id }}?tab=security"
diff --git a/static/directives/repository-events-summary.html b/static/directives/repository-events-summary.html
new file mode 100644
index 000000000..d5f5c45f2
--- /dev/null
+++ b/static/directives/repository-events-summary.html
@@ -0,0 +1,22 @@
+<div class="repository-events-summary-element">
+  <div class="resource-view" resource="notificationsResource"
+       error-message="'Could not load repository events'">
+       <ul class="summary-list">
+         <li ng-repeat="notification in notifications">
+            <i class="fa fa-lg" ng-class="getMethodInfo(notification).icon"></i>
+            {{ getMethodInfo(notification).title }} for
+
+            <ul class="notification-event-fields" ng-if="getEventInfo(notification).fields.length">
+              <li ng-repeat="field in getEventInfo(notification).fields">
+                {{ field.title }} of
+                <span ng-switch on="field.type">
+                  <span ng-switch-when="enum">
+                   {{ findEnumValue(field.values, notification.event_config[field.name]).title }}
+                  </span>
+                </span>
+              </li>
+            </ul>
+         </li>
+       </ul>
+    </div>
+</div>
\ No newline at end of file
diff --git a/static/directives/repository-events-table.html b/static/directives/repository-events-table.html
index a83a45931..fd40d9789 100644
--- a/static/directives/repository-events-table.html
+++ b/static/directives/repository-events-table.html
@@ -100,5 +100,6 @@
   <div class="create-external-notification-dialog"
        repository="repository"
        counter="showNewNotificationCounter"
+       default-data="newNotificationData"
        notification-created="handleNotificationCreated(notification)"></div>
 </div>
diff --git a/static/img/lock.svg b/static/img/lock.svg
new file mode 100644
index 000000000..748961f52
--- /dev/null
+++ b/static/img/lock.svg
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="13px" height="19px" viewBox="0 0 13 19" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
+    <!-- Generator: Sketch 3.4.1 (15681) - http://www.bohemiancoding.com/sketch -->
+    <title>Artboard 1</title>
+    <desc>Created with Sketch.</desc>
+    <defs></defs>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
+        <g id="Artboard-1" sketch:type="MSArtboardGroup" stroke-width="2" stroke="#1D3447">
+            <g id="Oval-121-+-Rectangle-443" sketch:type="MSLayerGroup" transform="translate(0.000000, 1.000000)">
+                <g sketch:type="MSShapeGroup">
+                    <path d="M9.75,3.41251359 C9.75,1.5540428 8.29492544,0.0474545455 6.5,0.0474545455 C4.70507456,0.0474545455 3.25,1.5540428 3.25,3.41251359 L3.25,7.41109091 L9.75,7.41109091 L9.75,3.41251359 Z" id="Oval-121"></path>
+                    <rect id="Rectangle-443" fill="#2FC98E" x="0" y="5.77472727" width="13" height="11.4545455" rx="2"></rect>
+                </g>
+            </g>
+        </g>
+    </g>
+</svg>
\ No newline at end of file
diff --git a/static/img/scan.svg b/static/img/scan.svg
new file mode 100644
index 000000000..91ea19e43
--- /dev/null
+++ b/static/img/scan.svg
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 17.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 width="33.223px" height="31px" viewBox="0 0 33.223 31" enable-background="new 0 0 33.223 31" xml:space="preserve">
+<polygon fill-rule="evenodd" clip-rule="evenodd" fill="#1E3547" points="31.311,16.034 33.223,9.604 27.315,10.646 "/>
+<g>
+	<path fill="#1E3547" d="M3.552,11.75c1.638-5.762,6.937-10,13.217-10s11.579,4.238,13.217,10h1.805C30.107,5.013,24.021,0,16.769,0
+		S3.43,5.013,1.747,11.75H3.552z"/>
+	<path fill="#1E3547" d="M30.06,18.96c-1.54,5.909-6.907,10.29-13.292,10.29S5.018,24.87,3.477,18.96H1.672
+		C3.25,25.845,9.413,31,16.769,31s13.519-5.155,15.097-12.04H30.06z"/>
+</g>
+<polygon fill-rule="evenodd" clip-rule="evenodd" fill="#1E3547" points="1.913,14.434 0,20.864 5.909,19.822 "/>
+</svg>
diff --git a/static/js/directives/repo-view/repo-panel-info.js b/static/js/directives/repo-view/repo-panel-info.js
index 2902699ec..f11894732 100644
--- a/static/js/directives/repo-view/repo-panel-info.js
+++ b/static/js/directives/repo-view/repo-panel-info.js
@@ -10,7 +10,8 @@ angular.module('quay').directive('repoPanelInfo', function () {
     restrict: 'C',
     scope: {
       'repository': '=repository',
-      'builds': '=builds'
+      'builds': '=builds',
+      'isEnabled': '=isEnabled'
     },
     controller: function($scope, $element, ApiService, Config) {
       $scope.$watch('repository', function(repository) {
diff --git a/static/js/directives/repo-view/repo-panel-tags.js b/static/js/directives/repo-view/repo-panel-tags.js
index 6f80d193f..1ea285f45 100644
--- a/static/js/directives/repo-view/repo-panel-tags.js
+++ b/static/js/directives/repo-view/repo-panel-tags.js
@@ -157,10 +157,10 @@ angular.module('quay').directive('repoPanelTags', function () {
         };
 
         ApiService.getRepoImageVulnerabilities(null, params).then(function(resp) {
-          imageData.security_indexed = resp.security_indexed;
           imageData.loading = false;
+          imageData.status = resp['status'];
 
-          if (imageData.security_indexed) {
+          if (imageData.status == 'scanned') {
             var vulnerabilities = resp.data.Vulnerabilities;
 
             imageData.hasVulnerabilities = !!vulnerabilities.length;
diff --git a/static/js/directives/ui/create-external-notification-dialog.js b/static/js/directives/ui/create-external-notification-dialog.js
index cbf8696e3..874769216 100644
--- a/static/js/directives/ui/create-external-notification-dialog.js
+++ b/static/js/directives/ui/create-external-notification-dialog.js
@@ -11,7 +11,8 @@ angular.module('quay').directive('createExternalNotificationDialog', function ()
     scope: {
       'repository': '=repository',
       'counter': '=counter',
-      'notificationCreated': '&notificationCreated'
+      'notificationCreated': '&notificationCreated',
+      'defaultData': '=defaultData'
     },
     controller: function($scope, $element, ExternalNotificationData, ApiService, $timeout, StringBuilderService) {
       $scope.currentEvent = null;
@@ -98,6 +99,13 @@ angular.module('quay').directive('createExternalNotificationDialog', function ()
         ApiService.createRepoNotification(data, params).then(function(resp) {
           $scope.status = '';
           $scope.notificationCreated({'notification': resp});
+
+          // Used by repository-events-summary.
+          if (!$scope.repository._notificationCounter) {
+            $scope.repository._notificationCounter = 0;
+          }
+
+          $scope.repository._notificationCounter++;
           $('#createNotificationModal').modal('hide');
         });
       };
@@ -154,6 +162,13 @@ angular.module('quay').directive('createExternalNotificationDialog', function ()
           $scope.currentEvent = null;
           $scope.currentMethod = null;
           $scope.unauthorizedEmail = false;
+
+          $timeout(function() {
+            if ($scope.defaultData && $scope.defaultData['currentEvent']) {
+              $scope.setEvent($scope.defaultData['currentEvent']);
+            }
+          }, 100);
+
           $('#createNotificationModal').modal({});
         }
       });
diff --git a/static/js/directives/ui/repository-events-summary.js b/static/js/directives/ui/repository-events-summary.js
new file mode 100644
index 000000000..50d667334
--- /dev/null
+++ b/static/js/directives/ui/repository-events-summary.js
@@ -0,0 +1,77 @@
+/**
+ * An element which displays a summary of events on a repository of a particular type.
+ */
+angular.module('quay').directive('repositoryEventsSummary', function () {
+  var directiveDefinitionObject = {
+    priority: 0,
+    templateUrl: '/static/directives/repository-events-summary.html',
+    replace: false,
+    transclude: false,
+    restrict: 'C',
+    scope: {
+      'repository': '=repository',
+      'isEnabled': '=isEnabled',
+      'eventFilter': '@eventFilter',
+      'hasEvents': '=hasEvents'
+    },
+    controller: function($scope, ApiService, ExternalNotificationData) {
+      var loadNotifications = function() {
+        if (!$scope.repository || !$scope.isEnabled || !$scope.eventFilter || $scope.notificationsResource) {
+          return;
+        }
+
+        var params = {
+          'repository': $scope.repository.namespace + '/' + $scope.repository.name
+        };
+
+        $scope.notificationsResource = ApiService.listRepoNotificationsAsResource(params).get(
+          function(resp) {
+            var notifications = [];
+            resp.notifications.forEach(function(notification) {
+              if (notification.event == $scope.eventFilter) {
+                notifications.push(notification);
+              }
+            });
+
+            $scope.notifications = notifications;
+            $scope.hasEvents = !!notifications.length;
+            return $scope.notifications;
+          });
+      };
+
+      $scope.$watch('repository', loadNotifications);
+      $scope.$watch('isEnabled', loadNotifications);
+      $scope.$watch('eventFilter', loadNotifications);
+
+      // Watch _notificationCounter, which is set by create-external-notification-dialog. We use this
+      // to invalidate and reload.
+      $scope.$watch('repository._notificationCounter', function() {
+        $scope.notificationsResource = null;
+        loadNotifications();
+      });
+
+      loadNotifications();
+
+      $scope.findEnumValue = function(values, index) {
+        var found = null;
+        Object.keys(values).forEach(function(key) {
+          if (values[key]['index'] == index) {
+            found = values[key];
+            return
+          }
+        });
+
+        return found
+      };
+
+      $scope.getEventInfo = function(notification) {
+        return ExternalNotificationData.getEventInfo(notification.event);
+      };
+
+      $scope.getMethodInfo = function(notification) {
+        return ExternalNotificationData.getMethodInfo(notification.method);
+      };
+    }
+  };
+  return directiveDefinitionObject;
+});
\ No newline at end of file
diff --git a/static/js/directives/ui/repository-events-table.js b/static/js/directives/ui/repository-events-table.js
index 8f7346e1c..8aca804b6 100644
--- a/static/js/directives/ui/repository-events-table.js
+++ b/static/js/directives/ui/repository-events-table.js
@@ -13,11 +13,29 @@ angular.module('quay').directive('repositoryEventsTable', function () {
       'repository': '=repository',
       'isEnabled': '=isEnabled'
     },
-    controller: function($scope, $element, ApiService, Restangular, UtilService, ExternalNotificationData) {
+    controller: function($scope, $element, $timeout, ApiService, Restangular, UtilService, ExternalNotificationData, $location) {
       $scope.showNewNotificationCounter = 0;
+      $scope.newNotificationData = {};
 
       var loadNotifications = function() {
-        if (!$scope.repository || $scope.notificationsResource || !$scope.isEnabled) { return; }
+        if (!$scope.repository || !$scope.isEnabled) { return; }
+
+        var add_event = $location.search()['add_event'];
+        if (add_event) {
+          $timeout(function() {
+            $scope.newNotificationData = {
+              'currentEvent': ExternalNotificationData.getEventInfo(add_event)
+            };
+
+            $scope.askCreateNotification();
+          }, 100);
+
+          $location.search('add_event', null);
+        }
+
+        if ($scope.notificationsResource) {
+          return;
+        }
 
         var params = {
           'repository': $scope.repository.namespace + '/' + $scope.repository.name
@@ -73,6 +91,13 @@ angular.module('quay').directive('repositoryEventsTable', function () {
           var index = $.inArray(notification, $scope.notifications);
           if (index < 0) { return; }
           $scope.notifications.splice(index, 1);
+
+          if (!$scope.repository._notificationCounter) {
+            $scope.repository._notificationCounter = 0;
+          }
+
+          $scope.repository._notificationCounter++;
+
         }, ApiService.errorDisplay('Cannot delete notification'));
       };
 
diff --git a/static/js/pages/image-view.js b/static/js/pages/image-view.js
index 22da844a7..2783c49a6 100644
--- a/static/js/pages/image-view.js
+++ b/static/js/pages/image-view.js
@@ -55,26 +55,33 @@
 
       $scope.packagesResource = ApiService.getRepoImagePackagesAsResource(params).get(function(packages) {
         $scope.packages = packages;
+        return packages;
       });
     };
 
     $scope.loadImageVulnerabilities = function() {
       if (!Features.SECURITY_SCANNER || $scope.vulnerabilitiesResource) { return; }
 
+      $scope.VulnerabilityLevels = VulnerabilityService.getLevels();
+
       var params = {
         'repository': namespace + '/' + name,
         'imageid': imageid
       };
 
       $scope.vulnerabilitiesResource = ApiService.getRepoImageVulnerabilitiesAsResource(params).get(function(resp) {
-        $scope.vulerabilityInfo = resp;
+        $scope.vulnerabilityInfo = resp;
         $scope.vulnerabilities = [];
 
-        resp.data.Vulnerabilities.forEach(function(vuln) {
-          vuln_copy = jQuery.extend({}, vuln);
-          vuln_copy['index'] = VulnerabilityService.LEVELS[vuln['Priority']]['index'];
-          $scope.vulnerabilities.push(vuln_copy);
-        });
+        if (resp.data && resp.data.Vulnerabilities) {
+          resp.data.Vulnerabilities.forEach(function(vuln) {
+            vuln_copy = jQuery.extend({}, vuln);
+            vuln_copy['index'] = VulnerabilityService.LEVELS[vuln['Priority']]['index'];
+            $scope.vulnerabilities.push(vuln_copy);
+          });
+        }
+
+        return resp;
       });
     };
 
diff --git a/static/js/pages/repo-view.js b/static/js/pages/repo-view.js
index c5ae7f093..e7088d399 100644
--- a/static/js/pages/repo-view.js
+++ b/static/js/pages/repo-view.js
@@ -17,6 +17,7 @@
     var imageLoader = ImageLoaderService.getLoader($scope.namespace, $scope.name);
 
     // Tab-enabled counters.
+    $scope.infoShown = 0;
     $scope.tagsShown = 0;
     $scope.logsShown = 0;
     $scope.buildsShown = 0;
@@ -119,6 +120,10 @@
       $scope.viewScope.selectedTags = $.unique(tagNames.split(','));
     };
 
+    $scope.showInfo = function() {
+      $scope.infoShown++;
+    };
+
     $scope.showBuilds = function() {
       $scope.buildsShown++;
     };
diff --git a/static/js/services/external-notification-data.js b/static/js/services/external-notification-data.js
index 14de1d24e..b9356f671 100644
--- a/static/js/services/external-notification-data.js
+++ b/static/js/services/external-notification-data.js
@@ -47,12 +47,12 @@ function(Config, Features, VulnerabilityService) {
     events.push({
       'id': 'vulnerability_found',
       'title': 'Package Vulnerability Found',
-      'icon': 'fa-flag',
+      'icon': 'fa-bug',
       'fields': [
         {
           'name': 'level',
           'type': 'enum',
-          'title': 'Minimum Severity Level',
+          'title': 'Minimum Priority Level',
           'values': VulnerabilityService.LEVELS,
         }
       ]
diff --git a/static/partials/image-view.html b/static/partials/image-view.html
index 6e4b40767..0693097cb 100644
--- a/static/partials/image-view.html
+++ b/static/partials/image-view.html
@@ -67,45 +67,67 @@
         <!-- Security -->
         <div id="security" class="tab-pane" quay-require="['SECURITY_SCANNER']">
           <div class="resource-view" resource="vulnerabilitiesResource" error-message="'Could not load security information for image'">
-            <div class="filter-box floating" collection="vulnerabilities" filter-model="options.vulnFilter" filter-name="Vulnerabilities" ng-if="vulerabilityInfo.security_indexed && vulnerabilities.length"></div>
+            <div class="col-md-9">
+              <div class="filter-box floating" collection="vulnerabilities" filter-model="options.vulnFilter" filter-name="Vulnerabilities" ng-if="vulnerabilityInfo.status == 'scanned' && vulnerabilities.length"></div>
 
-            <h3>Image Security</h3>
-            <div class="empty" ng-if="!vulerabilityInfo.security_indexed">
-              <div class="empty-primary-msg">This image has not been indexed yet</div>
-              <div class="empty-secondary-msg">
-                Please try again in a few minutes.
-              </div>
-            </div>
-            <div class="empty" ng-if="vulerabilityInfo.security_indexed && !vulnerabilities.length">
-              <div class="empty-primary-msg">This image contains no recognized security vulnerabilities</div>
-              <div class="empty-secondary-msg">
-                Quay currently indexes Debian, Red Hat and Ubuntu packages.
-              </div>
-            </div>
-
-            <div ng-if="vulerabilityInfo.security_indexed && vulnerabilities.length">
-              <table class="co-table">
-                <thead>
-                  <td style="width: 200px;">Vulnerability</td>
-                  <td style="width: 200px;">Priority</td>
-                  <td>Description</td>
-                </thead>
-
-                <tr ng-repeat="vulnerability in vulnerabilities | filter:options.vulnFilter | orderBy:'index'">
-                  <td><a href="{{ vulnerability.Link }}" target="_blank">{{ vulnerability.ID }}</a></td>
-                  <td>
-                    <span class="vulnerability-priority-view" priority="vulnerability.Priority"></span>
-                  <td>{{ vulnerability.Description }}</td>
-                </tr>
-              </table>
-
-              <div class="empty" ng-if="(vulnerabilities | filter:options.vulnFilter).length == 0"
-                   style="margin-top: 20px;">
-                <div class="empty-primary-msg">No matching vulnerabilities found</div>
+              <h3>Image Security</h3>
+              <div class="empty" ng-if="vulnerabilityInfo.status == 'queued'">
+                <div class="empty-primary-msg">This image has not been indexed yet</div>
                 <div class="empty-secondary-msg">
-                  Please adjust your filter above.
+                  Please try again in a few minutes.
                 </div>
               </div>
+
+              <div class="empty" ng-if="vulnerabilityInfo.status == 'failed'">
+                <div class="empty-primary-msg">This image could not be indexed</div>
+                <div class="empty-secondary-msg">
+                  Our security scanner was unable to index this image.
+                </div>
+              </div>
+
+              <div class="empty" ng-if="vulnerabilityInfo.status == 'scanned' && !vulnerabilities.length">
+                <div class="empty-primary-msg">This image contains no recognized security vulnerabilities</div>
+                <div class="empty-secondary-msg">
+                  Quay currently indexes Debian, Red Hat and Ubuntu packages.
+                </div>
+              </div>
+
+              <div ng-if="vulnerabilityInfo.status == 'scanned' && vulnerabilities.length">
+                <table class="co-table">
+                  <thead>
+                    <td style="width: 200px;">Vulnerability</td>
+                    <td style="width: 200px;">Priority</td>
+                    <td>Description</td>
+                  </thead>
+
+                  <tr ng-repeat="vulnerability in vulnerabilities | filter:options.vulnFilter | orderBy:'index'">
+                    <td><a href="{{ vulnerability.Link }}" target="_blank">{{ vulnerability.ID }}</a></td>
+                    <td>
+                      <span class="vulnerability-priority-view" priority="vulnerability.Priority"></span>
+                    <td>{{ vulnerability.Description }}</td>
+                  </tr>
+                </table>
+
+                <div class="empty" ng-if="(vulnerabilities | filter:options.vulnFilter).length == 0"
+                     style="margin-top: 20px;">
+                  <div class="empty-primary-msg">No matching vulnerabilities found</div>
+                  <div class="empty-secondary-msg">
+                    Please adjust your filter above.
+                  </div>
+                </div>
+              </div>
+            </div>
+
+            <div class="level-col col-md-3 hidden-sm hidden-xs">
+              <h4>Priority Guide</h4>
+              <ul class="levels">
+                <li ng-repeat="level in VulnerabilityLevels | orderBy: 'index'">
+                  <div class="vulnerability-priority-view" priority="level.title"></div>
+                  <div class="description">
+                    {{ level.description }}
+                  </div>
+                </li>
+              </ul>
             </div>
           </div>
         </div>
@@ -113,23 +135,24 @@
         <!-- Packages -->
         <div id="packages" class="tab-pane" quay-require="['SECURITY_SCANNER']">
           <div class="resource-view" resource="packagesResource" error-message="'Could not load image packages'">
-            <div class="filter-box floating" collection="packages.data.Packages" filter-model="options.packageFilter" filter-name="Packages" ng-if="packages.security_indexed && packages.data.Packages.length"></div>
+            <div class="filter-box floating" collection="packages.data.Packages" filter-model="options.packageFilter" filter-name="Packages" ng-if="packages.status == 'scanned' && packages.data.Packages.length"></div>
 
             <h3>Image Packages</h3>
-            <div class="empty" ng-if="!packages.security_indexed">
+            <div class="empty" ng-if="packages.status == 'queued'">
               <div class="empty-primary-msg">This image has not been indexed yet</div>
               <div class="empty-secondary-msg">
                 Please try again in a few minutes.
               </div>
             </div>
-            <div class="empty" ng-if="packages.security_indexed && !packages.data.Packages.length">
-              <div class="empty-primary-msg">This image contains no recognized packages</div>
+
+            <div class="empty" ng-if="packages.status == 'failed'">
+              <div class="empty-primary-msg">This image could not be indexed</div>
               <div class="empty-secondary-msg">
-                Quay currently indexes Debian, Red Hat and Ubuntu packages.
+                Our security scanner was unable to index this image.
               </div>
             </div>
 
-            <table class="co-table" ng-if="packages.security_indexed && packages.data.Packages.length">
+            <table class="co-table" ng-if="packages.status == 'scanned'">
               <thead>
                 <td>Package Name</td>
                 <td>Package Version</td>
@@ -146,7 +169,7 @@
             <div class="empty" ng-if="(packages.data.Packages | filter:options.packageFilter).length == 0"
                    style="margin-top: 20px;">
                 <div class="empty-primary-msg">No matching packages found</div>
-                <div class="empty-secondary-msg">
+                <div class="empty-secondary-msg" ng-if="options.packageFilter">
                   Please adjust your filter above.
                 </div>
               </div>
diff --git a/static/partials/repo-view.html b/static/partials/repo-view.html
index cd3cbca2b..e16ba85ed 100644
--- a/static/partials/repo-view.html
+++ b/static/partials/repo-view.html
@@ -17,7 +17,8 @@
 
     <div class="cor-tab-panel">
       <div class="cor-tabs">
-        <span class="cor-tab" tab-active="true" tab-title="Information" tab-target="#info">
+        <span class="cor-tab" tab-active="true" tab-title="Information" tab-target="#info"
+              tab-init="showInfo()">
           <i class="fa fa-info-circle"></i>
         </span>
 
@@ -56,7 +57,8 @@
         <div id="info" class="tab-pane active">
           <div class="repo-panel-info"
                repository="viewScope.repository"
-               builds="viewScope.builds"></div>
+               builds="viewScope.builds"
+               is-enabled="infoShown"></div>
         </div>
 
         <!-- Tags -->

From 37ce84f6af86c9fa5e246d308ebdee9f24a9c11f Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Thu, 12 Nov 2015 17:02:18 -0500
Subject: [PATCH 29/36] tiny fixes to securityworker

---
 util/secscan/api.py       | 26 +++++++++++++-------------
 workers/securityworker.py | 25 ++++++++++++++++++-------
 2 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/util/secscan/api.py b/util/secscan/api.py
index 331e45294..277fd3f6d 100644
--- a/util/secscan/api.py
+++ b/util/secscan/api.py
@@ -134,13 +134,11 @@ class SecurityConfigValidator(object):
     return self._keys
 
   def valid(self):
-    config = self._security_config
-
     if (not features.SECURITY_SCANNER
-        or not config
-        or not 'ENDPOINT' in config
-        or not 'ENGINE_VERSION_TARGET' in config
-        or not 'DISTRIBUTED_STORAGE_PREFERENCE' in config
+        or not self._security_config
+        or not 'ENDPOINT' in self._security_config
+        or not 'ENGINE_VERSION_TARGET' in self._security_config
+        or not 'DISTRIBUTED_STORAGE_PREFERENCE' in self._security_config
         or (self._certificate is False and self._keys is None)):
       return False
 
@@ -155,10 +153,12 @@ class SecurityScannerAPI(object):
 
     config_validator = SecurityConfigValidator(app, config_provider)
     if not config_validator.valid():
+      logger.warning('Invalid config provided to SecurityScannerAPI')
       return
 
-    self.certificate = config_validator.cert()
-    self.keys = config_validator.keypair()
+    self._security_config = app.config.get('SECURITY_SCANNER')
+    self._certificate = config_validator.cert()
+    self._keys = config_validator.keypair()
 
   def check_layer_vulnerable(self, layer_id, cve_id):
     """ Checks with Clair whether the given layer is vulnerable to the given CVE. """
@@ -191,7 +191,7 @@ class SecurityScannerAPI(object):
         This function disconnects from the database while awaiting a response
         from the API server.
     """
-    security_config = self.security_config
+    security_config = self._security_config
     api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
     url = urljoin(api_url, relative_url % args)
 
@@ -201,8 +201,8 @@ class SecurityScannerAPI(object):
 
     with CloseForLongOperation(self.app.config):
       if body is not None:
-        return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self.keys,
-                           verify=self.certificate)
+        return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self._keys,
+                           verify=self._certificate)
       else:
-        return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
-                          verify=self.certificate)
+        return client.get(url, params=kwargs, timeout=timeout, cert=self._keys,
+                          verify=self._certificate)
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 1f4328741..664e91472 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -129,6 +129,7 @@ class SecurityWorker(Worker):
       self._keys = validator.keypair()
 
       self.add_operation(self._index_images, INDEXING_INTERVAL)
+    logger.warning('Failed to validate security scan configuration')
 
   def _get_image_url(self, image):
     """ Gets the download URL for an image and if the storage doesn't exist,
@@ -149,9 +150,18 @@ class SecurityWorker(Worker):
         return None
 
     uri = storage.get_direct_download_url(locations, path)
-    # Local storage hack
     if uri is None:
-      uri = path
+      # Handle local storage
+      local_storage_enabled = False
+      for storage_type, _ in app.config.get('DISTRIBUTED_STORAGE_CONFIG', {}).values():
+        if storage_type == 'LocalStorage':
+          local_storage_enabled = True
+
+      if local_storage_enabled:
+        uri = path
+      else:
+        logger.warning('Could not get image URL and local storage was not enabled')
+        return None
 
     return uri
 
@@ -161,12 +171,13 @@ class SecurityWorker(Worker):
       return None
 
     request = {
-      'ID': image['docker_image_id']+'.'+image['storage_uuid'],
+      'ID': '%s.%s' % (image['docker_image_id'], image['storage_uuid']),
       'Path': url,
     }
 
     if image['parent_docker_image_id'] is not None and image['parent_storage_uuid'] is not None:
-      request['ParentID'] = image['parent_docker_image_id']+'.'+image['parent_storage_uuid']
+      request['ParentID'] = '%s.%s' % (image['parent_docker_image_id'],
+                                       image['parent_storage_uuid'])
 
     return request
 
@@ -182,7 +193,7 @@ class SecurityWorker(Worker):
       httpResponse = requests.post(self._api + API_METHOD_INSERT, json=request,
                                    cert=self._keys, verify=self._cert)
       jsonResponse = httpResponse.json()
-    except:
+    except (requests.exceptions.RequestException, ValueError):
       logger.exception('An exception occurred when analyzing layer ID %s', request['ID'])
       return None
 
@@ -245,18 +256,18 @@ class SecurityWorker(Worker):
         if not images:
           logger.debug('No more images left to analyze')
           return
-        logger.debug('Found %d images to index' % len(images))
+        logger.debug('Found %d images to index', len(images))
 
         for image in images:
           sec_data = self._analyze_image(image)
           if sec_data is None:
             continue
-          logger.debug('Got response vulnerabilities for layer %s: %s', image['image_id'], sec_data)
 
           if not sec_data['Vulnerabilities']:
             continue
 
           # Dispatch events for any detected vulnerabilities
+          logger.debug('Got response vulnerabilities for layer %s: %s', image['image_id'], sec_data)
           event = ExternalNotificationEvent.get(name='vulnerability_found')
           matching = (RepositoryTag
                       .select(RepositoryTag, Repository)

From 25b8b7590fdf0abb07326e2946a3061c45f156f9 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 17:47:19 -0500
Subject: [PATCH 30/36] Fix all the things!

---
 data/model/tag.py                       |  3 +-
 util/secscan/api.py                     | 28 +++++++---
 workers/security_notification_worker.py |  4 +-
 workers/securityworker.py               | 68 ++++++++++++-------------
 4 files changed, 58 insertions(+), 45 deletions(-)

diff --git a/data/model/tag.py b/data/model/tag.py
index fcaa7f342..002be14b2 100644
--- a/data/model/tag.py
+++ b/data/model/tag.py
@@ -22,7 +22,8 @@ def get_matching_tags(docker_image_id, storage_uuid, *args):
             .distinct()
             .join(Image)
             .join(ImageStorage)
-            .where(Image.id << image_query, RepositoryTag.lifetime_end_ts >> None))
+            .where(Image.id << image_query, RepositoryTag.lifetime_end_ts >> None,
+                   RepositoryTag.hidden == False))
 
 
 def list_repository_tags(namespace_name, repository_name, include_hidden=False,
diff --git a/util/secscan/api.py b/util/secscan/api.py
index 277fd3f6d..5041ec8ff 100644
--- a/util/secscan/api.py
+++ b/util/secscan/api.py
@@ -134,12 +134,24 @@ class SecurityConfigValidator(object):
     return self._keys
 
   def valid(self):
-    if (not features.SECURITY_SCANNER
-        or not self._security_config
-        or not 'ENDPOINT' in self._security_config
-        or not 'ENGINE_VERSION_TARGET' in self._security_config
-        or not 'DISTRIBUTED_STORAGE_PREFERENCE' in self._security_config
-        or (self._certificate is False and self._keys is None)):
+    if not features.SECURITY_SCANNER:
+      return False
+
+    if not self._security_config:
+      logger.debug('Missing SECURITY_SCANNER block in configuration')
+      return False
+
+    if not 'ENDPOINT' in self._security_config:
+      logger.debug('Missing ENDPOINT field in SECURITY_SCANNER configuration')
+      return False
+
+    endpoint = self._security_config['ENDPOINT'] or ''
+    if not endpoint.startswith('http://') and not endpoint.startswith('https://'):
+      logger.debug('ENDPOINT field in SECURITY_SCANNER configuration must start with http or https')
+      return False
+
+    if endpoint.startswith('https://') and (self._certificate is False or self._keys is None):
+      logger.debug('Certificate and key pair required for talking to security worker over HTTPS')
       return False
 
     return True
@@ -150,6 +162,7 @@ class SecurityScannerAPI(object):
   def __init__(self, app, config_provider):
     self.app = app
     self.config_provider = config_provider
+    self._security_config = None
 
     config_validator = SecurityConfigValidator(app, config_provider)
     if not config_validator.valid():
@@ -192,6 +205,9 @@ class SecurityScannerAPI(object):
         from the API server.
     """
     security_config = self._security_config
+    if security_config is None:
+      raise Exception('Cannot call unconfigured security system')
+
     api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
     url = urljoin(api_url, relative_url % args)
 
diff --git a/workers/security_notification_worker.py b/workers/security_notification_worker.py
index 1679e80b6..e54847abf 100644
--- a/workers/security_notification_worker.py
+++ b/workers/security_notification_worker.py
@@ -18,9 +18,7 @@ logger = logging.getLogger(__name__)
 
 
 class SecurityNotificationWorker(QueueWorker):
-  def process_queue_item(self, queueitem):
-    data = json.loads(queueitem.body)
-
+  def process_queue_item(self, data):
     cve_id = data['Name']
     vulnerability = data['Content']['Vulnerability']
     priority = vulnerability['Priority']
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 664e91472..f6e053c40 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -119,7 +119,7 @@ def _update_image(image, indexed, version):
 class SecurityWorker(Worker):
   def __init__(self):
     super(SecurityWorker, self).__init__()
-    validator = SecurityConfigValidator(app.config, config_provider)
+    validator = SecurityConfigValidator(app, config_provider)
     if validator.valid():
       secscan_config = app.config.get('SECURITY_SCANNER')
       self._api = secscan_config['ENDPOINT']
@@ -143,10 +143,7 @@ class SecurityWorker(Worker):
       if not storage.exists(locations, path):
         logger.warning('Could not find a valid location to download layer %s',
                        image['docker_image_id']+'.'+image['storage_uuid'])
-        try:
-          _update_image(image, False, self._target_version)
-        except:
-          logger.exception('Failed to update unindexed image')
+        _update_image(image, False, self._target_version)
         return None
 
     uri = storage.get_direct_download_url(locations, path)
@@ -182,10 +179,14 @@ class SecurityWorker(Worker):
     return request
 
   def _analyze_image(self, image):
+    """ Analyzes an image by passing it to Clair. Returns the vulnerabilities detected
+        (if any) or None on error.
+    """
     request = self._new_request(image)
     if request is None:
       return None
 
+    # Analyze the image.
     try:
       logger.info('Analyzing %s', request['ID'])
       # Using invalid certificates doesn't return proper errors because of
@@ -199,43 +200,36 @@ class SecurityWorker(Worker):
 
     # Handle any errors from the security scanner.
     if httpResponse.status_code != 201:
-      if 'Message' in jsonResponse:
-        if 'OS and/or package manager are not supported' in jsonResponse['Message']:
-          # The current engine could not index this layer
-          logger.warning('A warning event occurred when analyzing layer ID %s : %s',
-                         request['ID'], jsonResponse['Message'])
+      if 'OS and/or package manager are not supported' in jsonResponse.get('Message', ''):
+        # The current engine could not index this layer
+        logger.warning('A warning event occurred when analyzing layer ID %s : %s',
+                       request['ID'], jsonResponse['Message'])
 
-          # Hopefully, there is no version lower than the target one running
-          try:
-            _update_image(image, False, self._target_version)
-          except:
-            logger.exception('Failed to update image to be unindexed')
-        else:
-          logger.warning('Failed to handle JSON message "%s" when analyzing layer ID %s',
-                         jsonResponse['Message'], request['ID'])
-          return None
+        # Hopefully, there is no version lower than the target one running
+        _update_image(image, False, self._target_version)
       else:
-        logger.warning('No message found in JSON response when analyzing layer ID %s', request['ID'])
-        return None
+        logger.warning('Got non-201 when analyzing layer ID %s: %s', request['ID'], jsonResponse)
 
-      api_version = jsonResponse['Version']
-      if api_version < self._target_version:
-        logger.warning('An engine runs on version %d but the target version is %d')
+      return None
 
-    try:
-      _update_image(image, True, api_version)
-      logger.debug('Layer %s analyzed successfully', request['ID'])
-    except:
-      logger.exception('Failed to update image to be indexed')
+    # Verify that the version matches.
+    api_version = jsonResponse['Version']
+    if api_version < self._target_version:
+      logger.warning('An engine runs on version %d but the target version is %d')
 
-    logger.debug('Loading vulnerabilities for layer %s', image['image_id'])
+    # Mark the image as analyzed.
+    logger.debug('Layer %s analyzed successfully; Loading vulnerabilities for layer',
+                 image['image_id'])
+    _update_image(image, True, api_version)
+
+    # Lookup the vulnerabilities for the image, now that it is analyzed.
     try:
       response = secscan_api.call('layers/%s/vulnerabilities', None, request['ID'])
       logger.debug('Got response %s for vulnerabilities for layer %s',
                    response.status_code, image['image_id'])
       if response.status_code == 404:
         return None
-    except:
+    except (requests.exceptions.RequestException, ValueError):
       logger.exception('Failed to get vulnerability response for %s', image['image_id'])
       return None
 
@@ -246,6 +240,7 @@ class SecurityWorker(Worker):
 
     with UseThenDisconnect(app.config):
       while True:
+        # Lookup the images to index.
         images = []
         try:
           logger.debug('Looking up images to index')
@@ -256,9 +251,10 @@ class SecurityWorker(Worker):
         if not images:
           logger.debug('No more images left to analyze')
           return
-        logger.debug('Found %d images to index', len(images))
 
+        logger.debug('Found %d images to index', len(images))
         for image in images:
+          # Analyze the image, retrieving the vulnerabilities (if any).
           sec_data = self._analyze_image(image)
           if sec_data is None:
             continue
@@ -267,7 +263,7 @@ class SecurityWorker(Worker):
             continue
 
           # Dispatch events for any detected vulnerabilities
-          logger.debug('Got response vulnerabilities for layer %s: %s', image['image_id'], sec_data)
+          logger.debug('Got vulnerabilities for layer %s: %s', image['image_id'], sec_data)
           event = ExternalNotificationEvent.get(name='vulnerability_found')
           matching = (RepositoryTag
                       .select(RepositoryTag, Repository)
@@ -275,9 +271,11 @@ class SecurityWorker(Worker):
                       .join(Repository)
                       .join(RepositoryNotification)
                       .where(RepositoryNotification.event == event,
-                             RepositoryTag.image == image['image_id']))
+                             RepositoryTag.image == image['image_id'],
+                             RepositoryTag.hidden == False,
+                             RepositoryTag.lifetime_end_ts >> None))
 
-          repository_map = defaultdict()
+          repository_map = defaultdict(list)
 
           for tag in matching:
             repository_map[tag.repository_id].append(tag)

From 030c69d7d295eb96ea10074483edd9da60ba4e32 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 21:59:52 -0500
Subject: [PATCH 31/36] Further merge fixes

---
 data/database.py          |  4 ----
 initdb.py                 |  4 ----
 workers/securityworker.py | 42 ++++++++++++++++++++-------------------
 3 files changed, 22 insertions(+), 28 deletions(-)

diff --git a/data/database.py b/data/database.py
index d1431eeed..00735b49b 100644
--- a/data/database.py
+++ b/data/database.py
@@ -576,10 +576,6 @@ class Image(BaseModel):
   security_indexed_engine = IntegerField(default=-1)
   parent_id = IntegerField(index=True, null=True)
 
-  security_indexed = BooleanField(default=False)
-  security_indexed_engine = IntegerField(default=-1)
-  parent = ForeignKeyField('self', index=True, null=True, related_name='children')
-
   class Meta:
     database = db
     read_slaves = (read_slave,)
diff --git a/initdb.py b/initdb.py
index de97ec691..ce51c1749 100644
--- a/initdb.py
+++ b/initdb.py
@@ -99,10 +99,6 @@ def __create_subtree(repo, structure, creator_username, parent, tag_map):
     new_image.security_indexed_engine = -1
     new_image.save()
 
-    new_image.security_indexed = False
-    new_image.security_indexed_engine = maxsize
-    new_image.save()
-
     creation_time = REFERENCE_DATE + timedelta(weeks=image_num) + timedelta(days=model_num)
     command_list = SAMPLE_CMDS[image_num % len(SAMPLE_CMDS)]
     command = json.dumps(command_list) if command_list else None
diff --git a/workers/securityworker.py b/workers/securityworker.py
index 7989821ed..11492fbf2 100644
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@@ -31,14 +31,13 @@ def _get_images_to_export_list(version):
 
   # Collect the images without parents
   candidates = (Image
-    .select(Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum)
-    .join(ImageStorage)
-    .where(Image.security_indexed_engine < version,
-           Image.parent_id >> None,
-           ImageStorage.uploading == False,
-           ImageStorage.checksum != '')
-    .limit(BATCH_SIZE*10)
-    .alias('candidates'))
+                .select(Image.id, Image.docker_image_id, ImageStorage.uuid)
+                .join(ImageStorage)
+                .where(Image.security_indexed_engine < version,
+                       Image.parent_id >> None,
+                       ImageStorage.uploading == False)
+                .limit(BATCH_SIZE*10)
+                .alias('candidates'))
 
   images = (Image
             .select(candidates.c.id, candidates.c.docker_image_id, candidates.c.uuid)
@@ -56,18 +55,21 @@ def _get_images_to_export_list(version):
 
   # Collect the images with analyzed parents.
   candidates = (Image
-      .select(Image.docker_image_id, ImageStorage.uuid, ImageStorage.checksum, Parent.docker_image_id.alias('parent_docker_image_id'), ParentImageStorage.uuid.alias('parent_storage_uuid'))
-      .join(Parent, on=(Image.parent_id == Parent.id))
-      .join(ParentImageStorage, on=(ParentImageStorage.id == Parent.storage))
-      .switch(Image)
-      .join(ImageStorage)
-      .where(Image.security_indexed_engine < version,
-             Parent.security_indexed == True,
-             Parent.security_indexed_engine >= version,
-             ImageStorage.uploading == False,
-             ImageStorage.checksum != '')
-      .limit(BATCH_SIZE*10)
-      .alias('candidates'))
+                .select(Image.id,
+                        Image.docker_image_id,
+                        ImageStorage.uuid,
+                        Parent.docker_image_id.alias('parent_docker_image_id'),
+                        ParentImageStorage.uuid.alias('parent_storage_uuid'))
+                .join(Parent, on=(Image.parent_id == Parent.id))
+                .join(ParentImageStorage, on=(ParentImageStorage.id == Parent.storage))
+                .switch(Image)
+                .join(ImageStorage)
+                .where(Image.security_indexed_engine < version,
+                       Parent.security_indexed == True,
+                       Parent.security_indexed_engine >= version,
+                       ImageStorage.uploading == False)
+                .limit(BATCH_SIZE*10)
+                .alias('candidates'))
 
   images = (Image
             .select(candidates.c.id,

From 819d461ed693d94e4d51cfa4f996f5048bdc61b3 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 22:02:26 -0500
Subject: [PATCH 32/36] Remove migration re-added by merge accidentally

---
 ...c20cc_backfill_parent_ids_and_checksums.py | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py

diff --git a/data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py b/data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py
deleted file mode 100644
index afd589809..000000000
--- a/data/migrations/versions/2fb9492c20cc_backfill_parent_ids_and_checksums.py
+++ /dev/null
@@ -1,21 +0,0 @@
-"""backfill parent ids and checksums
-Revision ID: 2fb9492c20cc
-Revises: 57dad559ff2d
-Create Date: 2015-07-14 17:38:47.397963
-"""
-
-# revision identifiers, used by Alembic.
-revision = '2fb9492c20cc'
-down_revision = '57dad559ff2d'
-
-from alembic import op
-import sqlalchemy as sa
-from util.migrate.backfill_parent_id import backfill_parent_id
-from util.migrate.backfill_checksums import backfill_checksums
-
-def upgrade(tables):
-    backfill_parent_id()
-    backfill_checksums()
-
-def downgrade(tables):
-    pass

From b7206a8cfc6c31056a3f9971de9e9120b7a68500 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 22:03:13 -0500
Subject: [PATCH 33/36] Remove file added accidentally by merge

---
 endpoints/api/sec.py | 105 -------------------------------------------
 1 file changed, 105 deletions(-)
 delete mode 100644 endpoints/api/sec.py

diff --git a/endpoints/api/sec.py b/endpoints/api/sec.py
deleted file mode 100644
index 4e77750f9..000000000
--- a/endpoints/api/sec.py
+++ /dev/null
@@ -1,105 +0,0 @@
-""" List and manage repository vulnerabilities and other sec information. """
-
-import logging
-import features
-import json
-import requests
-
-from app import secscan_api
-from data import model
-from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
-                           RepositoryParamResource, resource, nickname, show_if, parse_args,
-                           query_param)
-
-
-logger = logging.getLogger(__name__)
-
-
-def _call_security_api(relative_url, *args, **kwargs):
-  """ Issues an HTTP call to the sec API at the given relative URL. """
-  try:
-    response = secscan_api.call(relative_url, *args, **kwargs)
-  except requests.exceptions.Timeout:
-    raise DownstreamIssue(payload=dict(message='API call timed out'))
-  except requests.exceptions.ConnectionError:
-    raise DownstreamIssue(payload=dict(message='Could not connect to downstream service'))
-
-  if response.status_code == 404:
-    raise NotFound()
-
-  try:
-    response_data = json.loads(response.text)
-  except ValueError:
-    raise DownstreamIssue(payload=dict(message='Non-json response from downstream service'))
-
-  if response.status_code / 100 != 2:
-    logger.warning('Got %s status code to call: %s', response.status_code, response.text)
-    raise DownstreamIssue(payload=dict(message=response_data['Message']))
-
-  return response_data
-
-
-@show_if(features.SECURITY_SCANNER)
-@resource('/v1/repository/<repopath:repository>/tag/<tag>/vulnerabilities')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('tag', 'The name of the tag')
-class RepositoryTagVulnerabilities(RepositoryParamResource):
-  """ Operations for managing the vulnerabilities in a repository tag. """
-
-  @require_repo_read
-  @nickname('getRepoTagVulnerabilities')
-  @parse_args
-  @query_param('minimumPriority', 'Minimum vulnerability priority', type=str,
-               default='Low')
-  def get(self, args, namespace, repository, tag):
-    """ Fetches the vulnerabilities (if any) for a repository tag. """
-    try:
-      tag_image = model.tag.get_tag_image(namespace, repository, tag)
-    except model.DataModelException:
-      raise NotFound()
-
-    if not tag_image.security_indexed:
-      logger.debug('Image %s for tag %s under repository %s/%s not security indexed',
-                   tag_image.docker_image_id, tag, namespace, repository)
-      return {
-        'security_indexed': False
-      }
-
-    data = _call_security_api('layers/%s.%s/vulnerabilities', tag_image.docker_image_id,
-                              tag_image.storage.uuid,
-                              minimumPriority=args.minimumPriority)
-
-    return {
-      'security_indexed': True,
-      'data': data,
-    }
-
-
-@show_if(features.SECURITY_SCANNER)
-@resource('/v1/repository/<repopath:repository>/image/<imageid>/packages')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('imageid', 'The image ID')
-class RepositoryImagePackages(RepositoryParamResource):
-  """ Operations for listing the packages in an image. """
-
-  @require_repo_read
-  @nickname('getRepoImagePackages')
-  def get(self, namespace, repository, imageid):
-    """ Fetches the packages added/removed in the given repo image. """
-    repo_image = model.image.get_repo_image(namespace, repository, imageid)
-    if repo_image is None:
-      raise NotFound()
-
-    if not repo_image.security_indexed:
-      return {
-        'security_indexed': False
-      }
-
-    data = _call_security_api('layers/%s.%s/packages', repo_image.docker_image_id,
-                              repo_image.storage.uuid)
-
-    return {
-      'security_indexed': True,
-      'data': data,
-    }
-

From 46745ee30f82438c29e87502c898c05212782ecb Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 22:07:47 -0500
Subject: [PATCH 34/36] Remove file added accidentally by merge

---
 util/migrate/backfill_checksums.py | 67 ------------------------------
 1 file changed, 67 deletions(-)
 delete mode 100644 util/migrate/backfill_checksums.py

diff --git a/util/migrate/backfill_checksums.py b/util/migrate/backfill_checksums.py
deleted file mode 100644
index 42c1fed44..000000000
--- a/util/migrate/backfill_checksums.py
+++ /dev/null
@@ -1,67 +0,0 @@
-import logging
-from app import storage as store
-from data.database import ImageStorage, ImageStoragePlacement, ImageStorageLocation, JOIN_LEFT_OUTER
-from digest import checksums
-
-logger = logging.getLogger(__name__)
-
-def _get_imagestorages_with_locations(query_modifier):
-  query = (ImageStoragePlacement
-           .select(ImageStoragePlacement, ImageStorage, ImageStorageLocation)
-           .join(ImageStorageLocation)
-           .switch(ImageStoragePlacement)
-           .join(ImageStorage, JOIN_LEFT_OUTER))
-  query = query_modifier(query)
-
-  location_list = list(query)
-
-  storages = {}
-  for location in location_list:
-    storage = location.storage
-
-    if not storage.id in storages:
-      storages[storage.id] = storage
-      storage.locations = set()
-    else:
-      storage = storages[storage.id]
-
-    storage.locations.add(location.location.name)
-
-  return storages.values()
-
-def backfill_checksum(imagestorage_with_locations):
-  try:
-    json_data = store.get_content(imagestorage_with_locations.locations, store.image_json_path(imagestorage_with_locations.uuid))
-    with store.stream_read_file(imagestorage_with_locations.locations, store.image_layer_path(imagestorage_with_locations.uuid)) as fp:
-      imagestorage_with_locations.checksum = 'sha256:{0}'.format(checksums.sha256_file(fp, json_data + '\n'))
-      imagestorage_with_locations.save()
-  except IOError as e:
-    if str(e).startswith("No such key"):
-      imagestorage_with_locations.checksum = 'unknown:{0}'.format(imagestorage_with_locations.uuid)
-      imagestorage_with_locations.save()
-  except:
-    logger.exception('exception when backfilling checksum of %s', imagestorage_with_locations.uuid)
-
-def backfill_checksums():
-  logger.setLevel(logging.DEBUG)
-
-  logger.debug('backfill_checksums: Starting')
-  logger.debug('backfill_checksums: This can be a LONG RUNNING OPERATION. Please wait!')
-
-  def limit_to_empty_checksum(query):
-    return query.where(ImageStorage.checksum >> None, ImageStorage.uploading == False).limit(100)
-
-  while True:
-    storages = _get_imagestorages_with_locations(limit_to_empty_checksum)
-    if len(storages) == 0:
-      logger.debug('backfill_checksums: Completed')
-      return
-
-    for storage in storages:
-      backfill_checksum(storage)
-
-if __name__ == "__main__":
-  logging.basicConfig(level=logging.DEBUG)
-  logging.getLogger('peewee').setLevel(logging.CRITICAL)
-  logging.getLogger('boto').setLevel(logging.CRITICAL)
-  backfill_checksums()

From da07823e20a856849e7c8ddf57ef6303bd77ab26 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 22:28:22 -0500
Subject: [PATCH 35/36] Small test fix

---
 test/test_api_security.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/test/test_api_security.py b/test/test_api_security.py
index 290008f2b..a50a21bda 100644
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@@ -49,7 +49,7 @@ from endpoints.api.superuser import (SuperUserLogs, SuperUserList, SuperUserMana
                                      SuperUserSendRecoveryEmail, ChangeLog,
                                      SuperUserOrganizationManagement, SuperUserOrganizationList,
                                      SuperUserAggregateLogs)
-from endpoints.api.secscan import RepositoryImagePackages, RepositoryTagVulnerabilities
+from endpoints.api.secscan import RepositoryImagePackages, RepositoryImageVulnerabilities
 
 
 try:
@@ -4224,10 +4224,10 @@ class TestOrganizationInvoiceField(ApiTestCase):
     self._run_test('DELETE', 201, 'devtable', None)
 
 
-class TestRepositoryTagVulnerabilities(ApiTestCase):
+class TestRepositoryImageVulnerabilities(ApiTestCase):
   def setUp(self):
     ApiTestCase.setUp(self)
-    self._set_url(RepositoryTagVulnerabilities, repository='devtable/simple', tag='latest')
+    self._set_url(RepositoryImageVulnerabilities, repository='devtable/simple', imageid='fake')
 
   def test_get_anonymous(self):
     self._run_test('GET', 401, None, None)
@@ -4239,7 +4239,7 @@ class TestRepositoryTagVulnerabilities(ApiTestCase):
     self._run_test('GET', 403, 'reader', None)
 
   def test_get_devtable(self):
-    self._run_test('GET', 200, 'devtable', None)
+    self._run_test('GET', 404, 'devtable', None)
 
 
 class TestRepositoryImagePackages(ApiTestCase):

From 49ab87bab4758754a9d09c11589889670b9c272d Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 12 Nov 2015 22:45:52 -0500
Subject: [PATCH 36/36] Fix log permissions

---
 conf/init/service/security_notification_worker/log/run | 0
 conf/init/service/securityworker/log/run               | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 conf/init/service/security_notification_worker/log/run
 mode change 100644 => 100755 conf/init/service/securityworker/log/run

diff --git a/conf/init/service/security_notification_worker/log/run b/conf/init/service/security_notification_worker/log/run
old mode 100644
new mode 100755
diff --git a/conf/init/service/securityworker/log/run b/conf/init/service/securityworker/log/run
old mode 100644
new mode 100755