From 2006917e03750ff2834de3ce064f30331e53e0aa Mon Sep 17 00:00:00 2001
From: Joseph Schorr <jschorr@gmail.com>
Date: Thu, 27 Mar 2014 18:33:13 -0400
Subject: [PATCH 1/6] Add support for pull credentials on builds and build
 triggers

---
 data/database.py                           |   1 +
 data/model/legacy.py                       |  29 ++++++-
 endpoints/api/build.py                     |  37 +++++++-
 endpoints/api/trigger.py                   |  44 +++++++++-
 endpoints/common.py                        |   4 +-
 endpoints/webhooks.py                      |   4 +-
 initdb.py                                  |   8 +-
 static/css/quay.css                        |  34 ++++++++
 static/directives/trigger-description.html |   2 +-
 static/js/app.js                           |  16 +++-
 static/js/controllers.js                   |  20 ++++-
 static/partials/repo-admin.html            |  46 +++++++++-
 test/data/test.db                          | Bin 194560 -> 540672 bytes
 test/test_api_security.py                  |   4 +-
 test/test_api_usage.py                     |  94 ++++++++++++++++++++-
 util/names.py                              |   3 +
 workers/dockerfilebuild.py                 |  46 ++++++----
 17 files changed, 355 insertions(+), 37 deletions(-)

diff --git a/data/database.py b/data/database.py
index d99f56c77..b0cb60bb6 100644
--- a/data/database.py
+++ b/data/database.py
@@ -176,6 +176,7 @@ class RepositoryBuildTrigger(BaseModel):
   auth_token = CharField()
   config = TextField(default='{}')
   write_token = ForeignKeyField(AccessToken, null=True)
+  pull_user = ForeignKeyField(User, null=True, related_name='pulluser')
 
 
 class EmailConfirmation(BaseModel):
diff --git a/data/model/legacy.py b/data/model/legacy.py
index 00d9c9b26..116a39a96 100644
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@@ -154,6 +154,16 @@ def create_robot(robot_shortname, parent):
     raise DataModelException(ex.message)
 
 
+def lookup_robot(robot_username):
+  joined = User.select().join(FederatedLogin).join(LoginService)
+  found = list(joined.where(LoginService.name == 'quayrobot',
+                            User.username == robot_username))
+  if not found or len(found) < 1 or not found[0].robot:
+    return None
+
+  return found[0]
+
+
 def verify_robot(robot_username, password):
   joined = User.select().join(FederatedLogin).join(LoginService)
   found = list(joined.where(FederatedLogin.service_ident == password,
@@ -1449,6 +1459,20 @@ def create_repository_build(repo, access_token, job_config_obj, dockerfile_id,
                                 display_name=display_name, trigger=trigger,
                                 resource_key=dockerfile_id)
 
+def get_pull_credentials(trigger):
+  if not trigger.pull_user:
+    return None
+  
+  try:
+    login_info = FederatedLogin.get(user=trigger.pull_user)
+  except FederatedLogin.DoesNotExist:
+    return None
+
+  return {
+    'username': trigger.pull_user.username,
+    'password': login_info.service_ident,
+    'registry': 'quay.io' # TODO: Is there a better way to do this?
+  }
 
 def create_webhook(repo, params_obj):
   return Webhook.create(repository=repo, parameters=json.dumps(params_obj))
@@ -1506,11 +1530,12 @@ def log_action(kind_name, user_or_organization_name, performer=None,
                   metadata_json=json.dumps(metadata), datetime=timestamp)
 
 
-def create_build_trigger(repo, service_name, auth_token, user):
+def create_build_trigger(repo, service_name, auth_token, user, pull_user=None):
   service = BuildTriggerService.get(name=service_name)
   trigger = RepositoryBuildTrigger.create(repository=repo, service=service,
                                           auth_token=auth_token,
-                                          connected_user=user)
+                                          connected_user=user,
+                                          pull_user=None)
   return trigger
 
 
diff --git a/endpoints/api/build.py b/endpoints/api/build.py
index f14d097bb..c08ee37ec 100644
--- a/endpoints/api/build.py
+++ b/endpoints/api/build.py
@@ -33,6 +33,13 @@ def get_job_config(build_obj):
 
 
 def trigger_view(trigger):
+  def user_view(user):
+    return {
+      'name': user.username,
+      'kind': 'user',
+      'is_robot': user.robot,
+    }
+
   if trigger and trigger.uuid:  
     config_dict = get_trigger_config(trigger)
     build_trigger = BuildTrigger.get_trigger_for_service(trigger.service.name)
@@ -41,7 +48,8 @@ def trigger_view(trigger):
       'config': config_dict,
       'id': trigger.uuid,
       'connected_user': trigger.connected_user.username,
-      'is_active': build_trigger.is_active(config_dict)
+      'is_active': build_trigger.is_active(config_dict),
+      'pull_user': user_view(trigger.pull_user) if trigger.pull_user else None
     }
 
   return None
@@ -88,6 +96,29 @@ class RepositoryBuildList(RepositoryParamResource):
           'type': 'string',
           'description': 'Subdirectory in which the Dockerfile can be found',
         },
+        'pull_credentials': {
+          'type': 'object',
+          'description': 'Credentials used by the builder when pulling images',
+          'required': [
+            'username',
+            'password',
+            'registry'
+          ],
+          'properties': {
+            'username': {
+              'type': 'string',
+              'description': 'The username for the pull'
+            },
+            'password': {
+              'type': 'string',
+              'description': 'The password for the pull'
+            },
+            'registry': {
+              'type': 'string',
+              'description': 'The registry hostname for the pull'
+            },
+          }
+        }
       },
     },
   }
@@ -116,6 +147,7 @@ class RepositoryBuildList(RepositoryParamResource):
 
     dockerfile_id = request_json['file_id']
     subdir = request_json['subdirectory'] if 'subdirectory' in request_json else ''
+    pull_credentials = request_json.get('pull_credentials', None)
 
     # Check if the dockerfile resource has already been used. If so, then it
     # can only be reused if the user has access to the repository for which it
@@ -130,7 +162,8 @@ class RepositoryBuildList(RepositoryParamResource):
     repo = model.get_repository(namespace, repository)
     display_name = user_files.get_file_checksum(dockerfile_id)
 
-    build_request = start_build(repo, dockerfile_id, ['latest'], display_name, subdir, True)
+    build_request = start_build(repo, dockerfile_id, ['latest'], display_name, subdir, True,
+                                pull_credentials=pull_credentials)
 
     resp = build_status_view(build_request, True)
     repo_string = '%s/%s' % (namespace, repository)
diff --git a/endpoints/api/trigger.py b/endpoints/api/trigger.py
index 1eb7cd169..0d846d889 100644
--- a/endpoints/api/trigger.py
+++ b/endpoints/api/trigger.py
@@ -15,7 +15,8 @@ from endpoints.common import start_build
 from endpoints.trigger import (BuildTrigger as BuildTriggerBase, TriggerDeactivationException,
                                TriggerActivationException, EmptyRepositoryException)
 from data import model
-from auth.permissions import UserAdminPermission
+from auth.permissions import UserAdminPermission, AdministerOrganizationPermission
+from util.names import parse_robot_username
 
 
 logger = logging.getLogger(__name__)
@@ -133,7 +134,19 @@ class BuildTriggerActivate(RepositoryParamResource):
     'BuildTriggerActivateRequest': {
       'id': 'BuildTriggerActivateRequest',
       'type': 'object',
-      'description': 'Arbitrary json.',
+      'required': [
+        'config'
+      ],
+      'properties': {
+        'config': {
+          'type': 'object',
+          'description': 'Arbitrary json.',
+        },
+        'pull_robot': {
+          'type': 'string',
+          'description': 'The name of the robot that will be used to pull images.'
+        }
+      }
     },
   }
 
@@ -154,7 +167,27 @@ class BuildTriggerActivate(RepositoryParamResource):
 
     user_permission = UserAdminPermission(trigger.connected_user.username)
     if user_permission.can():
-      new_config_dict = request.get_json()
+      # Update the pull robot (if any).
+      pull_robot_name = request.get_json().get('pull_robot', None)
+      if pull_robot_name:
+        pull_robot = model.lookup_robot(pull_robot_name)
+        if not pull_robot:
+          raise NotFound()
+
+        # Make sure the user has administer permissions for the robot's namespace.
+        (robot_namespace, shortname) = parse_robot_username(pull_robot_name)
+        if not AdministerOrganizationPermission(robot_namespace).can():
+          raise Unauthorized()
+
+        # Make sure the namespace matches that of the trigger.
+        if robot_namespace != namespace:
+          raise Unauthorized()          
+
+        # Set the pull robot.
+        trigger.pull_user = pull_robot
+
+      # Update the config.
+      new_config_dict = request.get_json()['config']
 
       token_name = 'Build Trigger: %s' % trigger.service.name
       token = model.create_delegate_token(namespace, repository, token_name,
@@ -185,6 +218,7 @@ class BuildTriggerActivate(RepositoryParamResource):
       log_action('setup_repo_trigger', namespace,
                {'repo': repository, 'namespace': namespace,
                 'trigger_id': trigger.uuid, 'service': trigger.service.name, 
+                'pull_user': trigger.pull_user.username if trigger.pull_user else None,
                 'config': final_config}, repo=repo)
 
       return trigger_view(trigger)
@@ -214,8 +248,10 @@ class ActivateBuildTrigger(RepositoryParamResource):
     dockerfile_id, tags, name, subdir = specs
 
     repo = model.get_repository(namespace, repository)
+    pull_credentials = model.get_pull_credentials(trigger)
 
-    build_request = start_build(repo, dockerfile_id, tags, name, subdir, True)
+    build_request = start_build(repo, dockerfile_id, tags, name, subdir, True,
+                                pull_credentials=pull_credentials)
 
     resp = build_status_view(build_request, True)
     repo_string = '%s/%s' % (namespace, repository)
diff --git a/endpoints/common.py b/endpoints/common.py
index 4832aaaf0..99ca4ef1a 100644
--- a/endpoints/common.py
+++ b/endpoints/common.py
@@ -100,7 +100,7 @@ def check_repository_usage(user_or_org, plan_found):
 
 
 def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
-                trigger=None):
+                trigger=None, pull_credentials=None):
   host = urlparse.urlparse(request.url).netloc
   repo_path = '%s/%s/%s' % (host, repository.namespace, repository.name)
 
@@ -112,7 +112,9 @@ def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
     'docker_tags': tags,
     'repository': repo_path,
     'build_subdir': subdir,
+    'pull_credentials': pull_credentials,
   }
+
   build_request = model.create_repository_build(repository, token, job_config,
                                                 dockerfile_id, build_name,
                                                 trigger)
diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py
index d92e7095e..69ba97b58 100644
--- a/endpoints/webhooks.py
+++ b/endpoints/webhooks.py
@@ -73,8 +73,10 @@ def build_trigger_webhook(namespace, repository, trigger_uuid):
       # This was just a validation request, we don't need to build anything
       return make_response('Okay')
 
+    pull_credentials = model.get_pull_credentials(trigger)
     repo = model.get_repository(namespace, repository)
-    start_build(repo, dockerfile_id, tags, name, subdir, False, trigger)
+    start_build(repo, dockerfile_id, tags, name, subdir, False, trigger,
+                pull_credentials=pull_credentials)
 
     return make_response('Okay')
 
diff --git a/initdb.py b/initdb.py
index a4b1709f0..fb55ca8fd 100644
--- a/initdb.py
+++ b/initdb.py
@@ -257,7 +257,7 @@ def populate_database():
   new_user_1.stripe_id = TEST_STRIPE_ID
   new_user_1.save()
 
-  model.create_robot('dtrobot', new_user_1)
+  dtrobot = model.create_robot('dtrobot', new_user_1)
 
   new_user_2 = model.create_user('public', 'password',
                                  'jacob.moshenko@gmail.com')
@@ -268,6 +268,8 @@ def populate_database():
   new_user_3.verified = True
   new_user_3.save()
 
+  model.create_robot('anotherrobot', new_user_3)
+
   new_user_4 = model.create_user('randomuser', 'password', 'no4@thanks.com')
   new_user_4.verified = True
   new_user_4.save()
@@ -330,7 +332,7 @@ def populate_database():
   token = model.create_access_token(building, 'write')
 
   trigger = model.create_build_trigger(building, 'github', '123authtoken',
-                                       new_user_1)
+                                       new_user_1, pull_user = dtrobot)
   trigger.config = json.dumps({
     'build_source': 'jakedt/testconnect',
     'subdir': '',
@@ -354,6 +356,8 @@ def populate_database():
   org.stripe_id = TEST_STRIPE_ID
   org.save()
 
+  model.create_robot('coolrobot', org)
+
   oauth.create_application(org, 'Some Test App', 'http://localhost:8000', 'http://localhost:8000/o2c.html',
                            client_id='deadbeef')
 
diff --git a/static/css/quay.css b/static/css/quay.css
index ac7c01e66..919c0ddc9 100644
--- a/static/css/quay.css
+++ b/static/css/quay.css
@@ -3589,4 +3589,38 @@ pre.command:before {
 .auth-info .scope {
   cursor: pointer;
   margin-right: 4px;
+}
+
+.trigger-pull-credentials {
+  margin-top: 4px;
+  padding-left: 26px;
+  font-size: 12px;
+}
+
+.trigger-pull-credentials .context-tooltip {
+  color: gray;
+  margin-right: 4px;
+}
+
+.trigger-description .trigger-description-subtitle {
+  display: inline-block;
+  margin-right: 34px;
+}
+
+.trigger-option-section:not(:last-child) {
+  border-bottom: 1px solid #eee;
+  padding-bottom: 16px;
+  margin-bottom: 16px;
+}
+
+.trigger-option-section .entity-search-element .twitter-typeahead {
+  width: 370px;
+}
+
+.trigger-option-section .entity-search-element input {
+  width: 100%;
+}
+
+.trigger-option-section table td {
+  padding: 6px;
 }
\ No newline at end of file
diff --git a/static/directives/trigger-description.html b/static/directives/trigger-description.html
index 2a081aa69..1ce32ec32 100644
--- a/static/directives/trigger-description.html
+++ b/static/directives/trigger-description.html
@@ -10,7 +10,7 @@
       </span>
     </div>
     <div style="margin-top: 4px; margin-left: 26px; font-size: 12px; color: gray;" ng-if="!trigger.config.subdir && !short">
-      <span>Dockerfile:
+      <span><span class="trigger-description-subtitle">Dockerfile:</span>
         <a href="https://github.com/{{ trigger.config.build_source }}/tree/{{ trigger.config.master_branch || 'master' }}/Dockerfile" target="_blank">
           //Dockerfile
         </a>
diff --git a/static/js/app.js b/static/js/app.js
index 87f73c724..00dc325ac 100644
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -2504,7 +2504,8 @@ quayApp.directive('entitySearch', function () {
       'isOrganization': '=isOrganization',
       'isPersistent': '=isPersistent',
       'currentEntity': '=currentEntity',
-      'clearNow': '=clearNow'
+      'clearNow': '=clearNow',
+      'filter': '=filter',
     },
     controller: function($scope, $element, Restangular, UserService, ApiService) {
       $scope.lazyLoading = true;
@@ -2628,6 +2629,19 @@ quayApp.directive('entitySearch', function () {
             var datums = [];
             for (var i = 0; i < data.results.length; ++i) {
               var entity = data.results[i];
+              if ($scope.filter) {
+                var allowed = $scope.filter;
+                var found = 'user';
+                if (entity.kind == 'user') {
+                  found = entity.is_robot ? 'robot' : 'user';
+                } else if (entity.kind == 'team') {
+                  found = 'team';
+                }
+                if (allowed.indexOf(found)) {
+                  continue;
+                }
+              }
+
               datums.push({
                 'value': entity.name,
                 'tokens': [entity.name],
diff --git a/static/js/controllers.js b/static/js/controllers.js
index b74071928..2daf27c30 100644
--- a/static/js/controllers.js
+++ b/static/js/controllers.js
@@ -1158,7 +1158,7 @@ function RepoBuildCtrl($scope, Restangular, ApiService, $routeParams, $rootScope
   fetchRepository();
 }
 
-function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams, $rootScope, $location) {
+function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams, $rootScope, $location, UserService) {
   var namespace = $routeParams.namespace;
   var name = $routeParams.name;
 
@@ -1462,6 +1462,10 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams
   $scope.setupTrigger = function(trigger) {
     $scope.triggerSetupReady = false;
     $scope.currentSetupTrigger = trigger;
+
+    trigger['_pullEntity'] = null;
+    trigger['_publicPull'] = true;
+
     $('#setupTriggerModal').modal({});
     $('#setupTriggerModal').on('hidden.bs.modal', function () {
       $scope.$apply(function() {
@@ -1470,6 +1474,10 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams
     });
   };
 
+  $scope.isNamespaceAdmin = function(namespace) {
+    return UserService.isNamespaceAdmin(namespace);
+  };
+
   $scope.finishSetupTrigger = function(trigger) {
     $('#setupTriggerModal').modal('hide');
     $scope.currentSetupTrigger = null;
@@ -1479,7 +1487,15 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams
       'trigger_uuid': trigger.id
     };
 
-    ApiService.activateBuildTrigger(trigger['config'], params).then(function(resp) {
+    var data = {
+      'config': trigger['config']
+    };
+
+    if (trigger['_pullEntity']) {
+      data['pull_robot'] = trigger['_pullEntity']['name'];
+    }
+
+    ApiService.activateBuildTrigger(data, params).then(function(resp) {
       trigger['is_active'] = true;      
     }, function(resp) {
       $scope.triggers.splice($scope.triggers.indexOf(trigger), 1);
diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html
index 6d2fe9665..80d45768e 100644
--- a/static/partials/repo-admin.html
+++ b/static/partials/repo-admin.html
@@ -270,6 +270,12 @@
                           Setting up trigger
                         </div>
                         <div ng-show="trigger.is_active" class="trigger-description" trigger="trigger"></div>
+                        <div class="trigger-pull-credentials" ng-if="trigger.is_active && trigger.pull_user">
+                          <span class="context-tooltip" title="The credentials used by the builder when pulling images" bs-tooltip>
+                            Pull Credentials:
+                          </span>
+                          <span class="entity-reference" entity="trigger.pull_user"></span>
+                        </div>
                       </td>
                       <td style="white-space: nowrap;">
                         <div class="dropdown" style="display: inline-block" ng-visible="trigger.is_active">
@@ -387,7 +393,45 @@
         <h4 class="modal-title">Setup new build trigger</h4>
       </div>
       <div class="modal-body">
-        <div class="trigger-description-element" ng-switch on="currentSetupTrigger.service">
+        <div class="trigger-option-section">
+          <table style="width: 100%;">
+              <tr>
+                <td style="width: 114px">
+                  <div class="context-tooltip" title="The credentials used by the builder when pulling images" bs-tooltip>
+                    Pull Credentials:
+                  </div>
+                </td>
+                <td>
+                  <div ng-if="!isNamespaceAdmin(repo.namespace)" style="color: #aaa;">
+                    In order to set pull credentials for a build trigger, you must be an Administrator of the namespace <strong>{{ repo.namespace }}</strong>
+                  </div>
+                  <div class="btn-group btn-group-sm" ng-if="isNamespaceAdmin(repo.namespace)">
+                    <button type="button" class="btn btn-default"
+                            ng-class="currentSetupTrigger._publicPull ? 'active btn-info' : ''" ng-click="currentSetupTrigger._publicPull = true">Public</button>
+                    <button type="button" class="btn btn-default"
+                            ng-class="currentSetupTrigger._publicPull ? '' : 'active btn-info'" ng-click="currentSetupTrigger._publicPull = false">
+                      <i class="fa fa-wrench"></i>
+                      Robot account
+                    </button>
+                  </div>
+                </td>
+              </tr>
+              <tr ng-show="!currentSetupTrigger._publicPull">
+                <td>                  
+                </td>
+                <td>
+                  <div class="entity-search" namespace="repo.namespace" include-teams="false"
+                       input-title="'Select robot account for pulling...'"
+                       is-organization="repo.is_organization"
+                       is-persistent="true"
+                       current-entity="currentSetupTrigger._pullEntity"
+                       filter="['robot']"></div>
+                </td>
+              </tr>
+          </table>
+        </div>
+
+        <div class="trigger-description-element trigger-option-section" ng-switch on="currentSetupTrigger.service">
           <div ng-switch-when="github">
             <div class="trigger-setup-github" repository="repo" trigger="currentSetupTrigger"></div>
           </div>
diff --git a/test/data/test.db b/test/data/test.db
index a69b3b9fbd4e166d21996bd23e461ea3433d1c61..96fd13c574015ddb8dd12b2cd23fc77ca838388c 100644
GIT binary patch
delta 19047
zcmeHvcYIXE_V~`+?Ys95J-tCf2w}6mfj~B$^g;@ugiW%Wgp`FeK!mW0T|~I*fP&})
z!HOViY=Gq<HZ0GlG!?``dwc;Eu|9w2-i;v=g1(=>_xt1b`Q`J;?36PzXJ*bhbLPyP
zyY#GP>C%{SB}KUn?Vf0_ueI6T9&MHkk{~2Wj*gZ{m|G+g$uju=?QibNapv?}B)X%q
zGRTsVV?x0^@)P-voFo4t$27NUhN-?$-K+{%-mMH(Y*Ez9&&uzSO_lyA-6kz&eqkQR
zK6C+fN?uy&3g^?7rJ)G^v)bYOeamL3y22DelM|4C6u+`=82|V(HJ?<+p>Td;T`mgc
zZ>ck&Fo;L+`|HN=Z+H?>==SrTAt*dQSRNEJ9Cb9b)Or?lw0T;qJk9QgCLtCAZCj#C
zg5*I7!_oYU0B!B94RbwJ4YdMLFn_1Vif4}CgFG=Ph<AD>@YmFap%MJ*S{=VBGYSod
zRzmqBnbG|0j36{@`+|%l#H%w#qM^Jl!_2Qrk3>WGZRyka-1Ja1n6FDu<d39{K!f-T
zX{GpTj=v!>iBCxk;m?j$@gF6QW&8}w&rCD&`^JXwo70?pP+}rt`4wrw{Pe^G{_(M6
zkycEd9UITzmJow9{Fa1Y`QZs>q^3s(!Bo^FB=F0|=#h$lYK)s7F~-MVGin(>Y*Yik
za^!XVLovtsxR_=9t<g(I!Q#xC1wn2x1XdRW(c>V93S}Wg<h+EO-#*xKhS?r%InpQK
zleIJW^NK+-@|}cyHvq&;{yPnq#*lN+l;qj~39wS_Lt3S#PJKpQrdFsPRcVxS6kjW*
zDb(^Ua!%GPJujUhWtnZvU_2LnkE+lh$y1UWc%#;(NGcWDk<fFUIF`Pck1OPnZw@_{
z7fI2R*hF&+aF8M{c0_}JL<B8*5}WC|0$e4vPI>WTdh1oVouJUajrB){sU)QmbBtd{
zw?^Yc>YRw{i0OuJKlMk1_LL;jm=#cRa3c1~hm8IrwK9Z0ydN9s{7E=Ysv2I+(EBIh
z9O>Yt8&1(Plki>gK~Eh@>>NQ)9{`{iCS#Xkd~or3f8=oLJqUPF3vS^4X}#c&7<RFP
z0<5DGthiS0{NQ6x<xu+YYJl8l#j(<18?XJI{%VB|9AlRMo95e~gV9elE$<vePp<)>
zFgs3`T83^%w91axDF%;oZ1P8NH0m8FTOEt*<U_{Aq*bzX=R1InEe=qQeeJzsS``N^
zjyw6mn{-PYv>30=3+q(V)1^>r(P(IK!i05S(_N$SI_V%!+E6+>9<P;~cAQJ8RM4Hb
z1JI#p94ptGm8v{BjmU)zdkjps<JC8L{|Fgv&V}i|DF&uH>EQWe^i&LPAC#0ZxYQrP
z{5IVT-8L1ErE5k4ipIAh{1KQ&<wLFUqhOlj!%HtzBDyml8s0w&hg88bcg=)g(Ig12
zjuL1wR{M;E94G%E&yc^7m1HTIORC9Kl18i~f?)0#_cphkqujOJ9IlAFiW|cXV}E8p
zWB<->VQ*(!*nHN`MzKomIqgC1GnddS5OeqTX9g88IofUs`G9nj6J!JT6p7@n<0cY@
z+smrh6=WV+r9H$JkaTV}cbtvp8i}9SSReZfm%t5YkFvYjCrBx&(ROpitV8>C|304G
z-aRazQGi4w=gF~4%0>PHL~{9KVUY@Q9Jq=c9{?tgKOPmXX2=c+ISJ_Q7yvAq-w~h6
zsbTIIvQt9-NluZS1AxZxJN21p&;X^4t1Pnr`-N#z7~<!`Jp7A%J^*GJ{O36%Rpbi^
zxj?=krw4$_<i9A0QIW$!TPMlk0iaU&!zH6t<cQGLDRN{0s8s$)d2F~=bF+lpOvZ7$
zIWNbse`8(RFSOTbb2O(kH}|a=d=G<XYx(?&n6CVyg6y1%$|CzzYhIBl#bwJ&vl{H_
zxsKw3tf|>kodwy3lrmdxr7_c(VR4nY%IxK-CE2!8hdm|JSynnrqmh^;epV?_s+83o
z3tO7pt#zKn8lSJJ)mQCn&r2yNG*?)P^Gb`X4r`&asIbUxo|09VQ<Ub)$jL7nnP*Nh
zR^(-*TQW*=D(snNlR3ShGQ(wa8K$OJlow>%)cn>8JM0+8D<Zmbo7<f8n@aON*$zX6
z$8N9}xu+%N=M<#XEXd4om9$oxEv2nZZnMiZKdYgs#alGTlG)-jCAZhRTN>MvYJAPp
zl^RKiUzVVfD3!`qkGs~>8f$XL8cne|t=`h&dPiQp!CYRDTi)tycFeUGbhH)BYqFF!
zwl&RdHFq_Xx1@F&3tJ0P-4!jZ^V_F3wD^pDTCY-QBr(uB%!X3g(bDN@ZSXdDYI}NU
z&&{?tvb{ywm6p0GInDNkE%V&=j^^C-hR({lCWF1W+*7!~XG&{taF$KYZp-neSsb<&
zpS8DxE?;w%JkUb`e|Jl*uUSw9dU~+Tch0jK=ViI)lzA+U>U3wmyU>?3C&w|ZxxBG+
zZh2vYJ}IdntFa|3-%^>=QBh~KmU&uymfjwG&2E`S;{0tvy{(?MdZGP9cZ;vRzRS}p
zE~>*+XelY4l9}ZwwdEN~)174%Q(zHGrxi}M<Ql9~GgC9mrdHb1QwlN)itSS}ib_p(
zv$fbz>9SfY%;_03r5Z_;UluP8qPLHpF=V8cw#_S=Q=DqewKbL(=QX;TI_f)$-1gM;
zP>-!Ozp>q!VlSW9Sk{?dI<4MW)8MG6cQo_QR>oUv>{DF&r1YYs0%x78Ak|_jzPhNU
zpmBb=&t~m#7T60t^Xv2tuAFLp`GP{1r^98`Cl&C+rdyM(E?1?i#86~*Sc<3QJJW1M
zB^8E@vh4D7>y%7aN@cmF$eul=!daeLnC~=HS}peU>@q`MMowyRhNU>QjK6t$xOH0A
zLW6HkM@fFmyterZ8Vwod+7?%V&p1D?t=-b8cV%Wbr<6NN7hY|4HhBz1)oso!Lo<JH
z`q*$SF-wSt<PkIZmK-Lpkw-}z2*$PKTC%(^-wL`;vbL7ty;UJy+91Y^F2iyfmWjHU
zujZH-<m+f}YpC`3TI*D5CIkiOUMZAZBvOTtZ0)5ec_`yVy=xO#|DNTS2_1O(x2l|g
z_-+aLnS4!7lh4Vg<NzT3F373l<V~{sQp5#K4R(?d)1{0GX@x)|Wt2!Q1S%m=3V}ih
z<U*-Th)IQj5t5i;lqzA@=;`x<*z57$exXP5?m&Htoj{*T&`IB|8O#6R(*W)dNXVDu
z2suPPBJY#8$sY0w*+d=yS^Q}KcK*RY8xjF;3AC}bZ3O*bI!fSAwvAXdLmIB-CQD%d
z*Kw1%>&f-xIQK3083`o{(#E}YX<NzKxwtD`>Ss~PUlhJtv6Vj(v6qvuY+n(p;RiPk
z?@|w864393r7DosSHdX+Sr=uJuUQeu>MKO#B4YoMm>7B)Il;F!S{wc<YvLfrs+!YQ
zQ}1hSO|JEHw!5pFJi=BWXm3((zXUY5CNh%S-+!G#n650T9L|(}R*V1YVr4ObmNfW3
zSg@|k?ul7A(3A}SM^k*68O}n1mN35jG>`xDB2ZvWDLEm5^VE5AhMc%`I(yhZn?L)F
zbd**qV-V6XLMX#h2C49WP+vy>CkKttO1aM@<T)}ASS{hw-jcN=;Xq`-@~*$UaMDZ}
z5CHm5maWgKbzM|tn4X6I>Z0Kc0U^}@OLobMC0=3I3QRdn;tya0IYB<VbP{`(ETu{z
zMF?T7H1Mlo0>3gWhkO;r0w;x{3lekzuVjWZKTG}6<FaPiA$gPhbEQ<-qCBK>t3FXr
zQLoS_G&8juw7;+!?1Su&TsFChdxK>6SX87Dsm19K-+oK99YN5^fQew8Xe_w%q6Hxv
zX|``kNI<=|hT@Ahh)XRLmoZ}WS~z^7#bb(S0a+wkM6yK_NgnEBH|e#f^fj|w74;|V
zGJj~@>0=4PotIdN(u5fuf;uFq1AT`dV+y5@$aJzN6`hJ-ly|GQYT`BB+G*M|?6ur0
zWG?p_c^+{R3RQ%^fsIi)YQH&L5i}hvRlXieRWN_`GOpK>RdoeR)*n{B2StLpX*i#M
zy&uJFfA9KP2#pjo(r%n99|bGxn#xbOF^vE4#za1RogT$*&t10{p*a45Cx-D!>ldKW
zJuwY`<9fosb3o1?S|7(xd`yqxw>Li)fzcQMh~gjFG8^{Y2cC%L&ur1~wkPJGv5>0b
zr@b_ZZ+cA0KlDThfAvc&pZuzp|MUsMA9*PkjT38<msx(=%e6?iedo*h2qp2`UXA0A
zzrq3NT%?Cofn1n($$#U#xmu>+zLJpZxUVi{vSe){!+&+p@G-XBsg9J4va*cSVzb#b
z&0blVR#aY|HpOB}&oUb-iYhG@YjH-olizi3oN``=dtp+8Pt6zJn>nTe&RB-hto*WR
z`PpT~mFX3BV`lMGQ(<XEK~A<I&0b*3cbY3JQlO?eR9)h0_C!zhw6#aO=FSyF02Yq^
z-(KnHzX6W^U~&V=ekt}nBBD}|>VwsyBv%WQh{)eSA-Wv&%0gBB45X2is#Gz<gIp}@
zt})teMz2w4aXY;_i^pr#Io#DAoySpAYqfjq9%qfE)ic*O-d)?=(9#ZwxBD7BEhdA}
zqBEFvCVRBWINs<SZ!{)3oMxNZA&dzT*x37R={?v^HpMfgsz1|jpsDXA<onAF1+>{J
z{`+oLMt%k@cmRkR{^u7|e;s0v>c3*@0J<diNXSldPk;0eGyFaK2vYNp>>CN;-hF0m
zfL#8V6o&SYLI56Yu|E%Jjh!x#4*%ol8U;BiT0;6GBAy!x_>;%N6a<*)Thfn-dKNZk
z1}hCiJ?EP?HP%Q&kjgi|#naj*Qsr>8MS`~A<4hs5p7~PhmDR}JlAGl_m5IuGRfAQ2
z)p2c{b}ze#Q*v9$coGXloFWlyeZrrVdR%BU%A~iskewb&Mp20i(iK4yV~{^eDDE=C
zEr9o0yG{`_d^lQGBr2Ni9(S|wZ{Tb8|2=r1!tFKtvk)@!j~$qWOuXh`4l?uQ2g{H}
z6risjtU)$D{?GyJHS;fiI|kYL#ovbT|Nb@>doBD_$Z$Z$M1JIXGjfVG8qYVN@!LN<
z--gfx!SWu)*Ip<?R|TRUT^Ng7oP79&5Lz_|4Mh{hY<l}3RD>o8@wsSnchO*!hfy+}
zJsORq_r)O<eRC+X(Y>)K3%LThXJgS2njMEsSUrhu9gW7Llt96IqmhCRi%0P|ZZcgG
zhf+~$Z##qN?sybI|7R$)7&;nhpo`I?krSl}5czaMJjzGuLVOIZiAO_)_9N)gcofMA
zQiTyn<VQI8og9Ej@)UAL3JSZDKX+!BikuY*kDMI<x<nwoP^GAaGH||BiRVk^&r}=K
zW57HmNX2i+sR4S(my4<rp!4f68QCl$n=c2rvXHAOM+!+PQt4ea)poPPP*bfly4@C?
zrN&^>IZY;muG;CT^;CNto|;-avuI=+Nb!;5qephSn>sur7x$5dM#p%wX}rmr<S^Lm
z24_Ho{RDVku4@os)$}I?QvVqVbyPx*4$#PyF%gVQ^+#A-NhaF_nfzx4A0UKg30NBL
zBhCHr3Es-k<}jr0QhSYVgVAlW>Wr2eyUtQ;Hs~B4t5@fCn2a8~-B#_c@i17Al@e5{
z0-{lS-43JCZMEsDtGx!D#c6lz946R~YCI0N(P?rRytPKm=#f|fNs!v@HQOu(qethg
zt%0?&+bue`vD%=sI^C9Fv&CRHdyNi;5tcx>ZUQNIZa_IWm7a@2K(iv)1#+(6zyjuz
zsRGT0Fu$2Zek0j45;$`WygwI1Ej9hYjI?40!ky<p<N$ai3V1+^;z@1*JcJgdVQP_g
z`Urc507v|IC60&@IYP}aaClH5HI~7TN|er6I6a;p@Z^|JPfS4J;x2J=z*#JyCnuxO
zP>t3Eyhf&Rr@6<uEcOSMXHD7z+Id>jCBp&w_fS(B3X8QF-PJa;-K(>?-Jpwj>^7al
zZmiXrEC#2|Q)91jSgPr~G?X^V=5d>9fKqhE8iNxcEkIXRr&H(lnv8b0)$Xiy(*0@3
z7V9<F+D#^hTUTu~0s(sL)jCHF5K6VvW;K{<ELM}Lnwrwl#8|J*XfoTXp^e&Fv(93x
zb?e*)i$&*f0GWEM4!fh;OZjw^5(}*xt?nAL&T26NjhbyXAUTs$=dpX;X1mF2b9jvO
zhjf$}YXvNg9yb(u+#a1p0C$*7W}UajX|j8(4Ni;6LbEcEE7t5a+1wVhQD=7m1zVi8
zcAcZzY}J_rKCqdLU`lq<$1_lPtli}C7@c0H&R}qWu2$==(K(GUtZJ{>=&Y%&wO4!G
z^mGQAGRo|&uJr=P)mUI6p#g`kx~A5kbJrLQ7OTbPt#%mcv`jQM)@|`ZuXel6V6-`a
zhYZy^U_7g?w%TlS)>=KaR<oOK&P3J}&<7nJ6U>Uq>ZsOPtVXjAWMVDg;x?My2Dj5<
z_X@10Aumbb+NH-10cOela6R`nSXE!TWbwtzEjs8l3Zj3{L9P%Ym5?yvAo-vVZ6dXB
zhb1Ko$Q}JP<7BO!>6RA2p*V_k3Kui~1BS$dU_{(Qc95sY!yuUMBDat((%G-a;0+Az
zEJ5MJRVqfIkxL{hqyoDpM4&Y#-CTkqVQYM?1UaqZX=E_kEkV0+Dt>_ZSXw6iRDPFY
zw4z&CsXV3Hs_xMIs%_97V@pV}<XXuRG#O2RE9pF`)Nd)Lxjc%cue#7Elts^-M8Wh|
z7dj&7EhA9|RlATspvqMC6n8_h9-%38n*s;Z%v4l^vIS*=zLW}^^s=eQj&cI+yig9O
z@xpQ><-d#`)h#PUa7TK!427Y*K;6hWNF!t@sI46K@x5he6z!^q^8DWNA#`^=6wN9}
zX{ew#S3_SbN8=ekmqXtzLoswv1GM2SL&H#E9~d$B!7`|Rx*p}CqTi5IQ?X+x9!@9C
zL6MX;pgL6iyW+*Dq<ifgREuc-H7Eg16$_VNgJz;qdg>Z9AC(C|VRXr26sx{|Y_TH9
z=|ngC=wpkK5tRpq{|S!<QTY<|i+beTj;5w6;eLcJco*J#9PozFv0dmx{tfRSRc{&p
z@_kXU0$p+hu8MyKYWbQRBS*<6K$m;K`1lXFNPL^TOkU_mD<JXd_9|2yMV=B2U4qp9
zihM}^4kQLQfw2GmMBV_hyX@`hIEi31=LB;#D_Gf70gJm3RjP%M0h_xDDaA5+xDG|f
z$pc7k=~0@%4*o@7<{{5Rzgzkvd596V0{UbPDv2V`|2D$Ya0zhnN<c8qKTme`uY81A
zS*W1TPe(aXWWBKCd<$0zU%?&7e&D7z$*bf=@-*2(){{;B>%Ps<^*-c{B5Ne%e%NyU
z1ylMOd4j9~ygvjM{t+g3?`1Tu;MW+srVR~^SE;mesR|}U6VTEWYVns*sKjiAQcSAo
z2W@DaM&w2$^tGlxDzH#%<|D1A(2<gx?MgKjmZeyWEm`R~4yQ9CHGN7-`m{=O=G0P4
zW?|*Df~>;wbYp6MS^=E(^9_~?gCQ*^#XhC9MA=V)G8>cZHnY)Y744&lydb$eoxnae
zvLFpE6;!srh=V``h+J7;yiU*;uMBdd0J1_tR`j2&j~Igwslfn%RB;^=iLKgN<F$hl
zWi(qrtb1WQtv14bVRzdd7IU@R=rtMWu3J&YpHWe-bP%UM-;4g>B;EsZ<)MkAzj8<G
zg^ofcB=pkJCu`jd4c&m=%CkoY6m?;R9TtPtSl!XkRI6)oH+uvPS1T))$ckm(%GWBg
z73Y<YX(XC9E!I*tf_)gI{(S96tdskaOd=bR2f0D&8*yzNZ9aiwQ8V?N1nCJfP)?sa
zfr3Ytd*wliL1>Zqj;x{CUFWHCx72_k#n;*<CYz|`1hR)-m*7zZ1qGoSjN;i<EE0o8
z+VT#HQvh00e^3K8oJ1Dn6MCs;{A0>!(MptorUyjy)|Dt52X>!qG^00<r9K`Frh9p0
zW|kFI(BO?|ESeb*sCzeojrXH5qiDhsklMkGU^jF=uI>I{BQhh#A5}tsUI}N&iau>c
zt%4oMw+iXFxT%Vu5-0NKh-0JM7NZetRj=rUhjL;Tns%|WR4Ao8>S06dT7~+^X?pi6
zRDdckLQ)NnCgcC+_$UI*8aKhdTNUWmuvu8MO(+iVIJ^lt(Cps)i7>-0o8gr0?#+_Z
zTQ(y?eS4u&6c4f48<CWr*^CB*A$$fkK8viVx({^TvoLKdo<;F6^WD$FhF;TKsHEgM
zWR9Gr2#Sb6H!Tv^zsXnUX=!g=_}g!7_w4789pAka$z)eFuhIRFBHbSeh(F|_KWjJp
zSVBI&l+AkVL8<iPT_`qM<R?v;1U8|oNi4U6o6afNr&zc4TkY*yho-Dg?PP5oLnANX
zkiotDX-zU3>?X67W?jIm3jU0=8o79?Mh*I$1W8;HxN`4*E;jcz>OPAnM5vi7fqZ%n
zkD-QhSW3S<izCASsJT$;IEQV2+-AbqB87k@;OUZ7DgO`$Ti>3|ze%sY0|}+sU*pKW
zV5WXx;$R;88b|#O!TxZ^zs6Jgwq)$r63pCiTKx@<3sd)QoBg5w_6;`VUjbmzNWnZO
zSW*J7BHBhS7Ir|bpvgSndxrQNREvF}k-P;YG=LVP@e2BsR?w%^8Zi{rEVW9Ei+Yw?
zA;#rmC=)~R9<<*nT1#G*KyR;sR(Mfg{1^Ec9xC*EPS8W@L+HzIp~-j8M(`Lx&=Q1t
zFMz^$3Qi`6;bF!HpbG6FFZUsJp`v&KT3M(SHMm_Lpp3A<gN{odSG;?r2OV_xK9n3r
zo)b(Efl1m0({uvVzfVAG9l$8DvQRB{y5kVa3gec8WeJqMjqrBDOESqAqT)_+Z*h-t
zmwEoO6Vv6NBDSj^gK8rg7wRR2e#M$A7pt#ath%(gOEk0fGP3g0^4}LLeplR&d*r_>
z?#B(X%M^E+#`ktE{atxKCSa~yjDKgk>sPzad--LsnmzC3)iGbH(^L;Ae^M4JHYp_X
za@nJBk?&@9Fe7ji+J%B8EufUxXjv+Lq<e$|pJckXj=_aYcT6}w%yb)r@iR;pFq*#&
zf~C_TxF!vPg*pfp1Pd&<Nb!bnAlOH?lT=Npx?CNmI;?tHb*u7q<#WpGlx@lyWr;FX
zX;zL>4plOWZxo*^K7doe3G#_@p|U|aO*uvBR3<1xlq$s!iW7<hiZ{TdpF|M1TeDg-
zi9`{$i~E{;pF6@m!)@eNaPzqt+$1gnj79%oA7U4=Ic%`@sP<uPvsR}$soAKxSu<Z#
zt;yEtHPLYN+D)F*4A#ih->JV)zpL(6uT?Km&s68DQ`Ba4jCzP#uDYQ5QuUGQP1Osk
z$5i*LR;sR5b*k!ArK)7r7!|8LqkM;iJPPNQPO=JK?ADVhq+Gd6xmCGQxmwxtSTkAs
zF{WcYIJ8T~5TswAVuFy~Xmsf3i|Njuv`yb3rrUec7JZwTZtY2%^z+2@+@7>S?-SE4
zfwaM)Zx+){J!zZ1QB2S2Nn7;31~H?)C&Q$#6Vu+Fv_bC?)3w4AGQHEPciQw$hrUL`
zg#DJR?h|(_nc-soY_V2VAZgam5|cBdnRFVn2Zu_XM*R#Lxd%rw@D@$T3X)dBn>Qgg
ztZUjZMu+qcv)*CRJFI$#P4BSlD+V+1zt1ceQR)RN6VV7HOT~U6K2_|uM1-_E^$vsH
zVbm9kkbz{82nq2*5wZXvyO7>))!S`)yIr3j02PyY0Z^+xR|L%w5waWfcB9^I(%a4Y
z>_9ia<xC0G6_Z(kx(0owST{qgYqRQYHoeWRw>k9bVqGyOTF6QhD+eG_#mW#*5i7gs
zmSZS}iC`wvZO2fkbh0po5DS7Uo+lb{aF;lJR;%7>(_8I&t3z*f>aP-e?3+13?6Egz
zyx3tN=@dJJxI^sFE<yrr8l8HpNpJgo(kfOAlv;#$i*#5c9+oL0(UWV}TO4|eQ*RQH
z=$mQm)0V}qH}q*sFFrJ*?rGRU_s+pAEt-Q<>EJmSTnCs%NGwoVO!`Cz(;=p;QY+&V
zV@6qmiD?j{NwP6|rbdh=%Hqc{GsWl_+2{nOT#Uw{IQm2#j+c&Na>R@%*(e}WF&Zu#
z39~FlL*Ue9tixeaafE=>(A20tLp0g-CWqeS)JOIiVjwf3&k!Leyw4EB=qp~VBW8VY
zpUfcofEPzb8uY{aWDXNo1ZHlixFSR7Lwj&ki11ib@6;O&dZR^8gy)}u6i08~gTuRw
zdhNwLje;2}6ocjh@<t`L4fLnC>y;v_3vq=AW7UHe12D2c|9X?&td|DF0mK;*#;Aw)
z07Ru1g*iLwqGjk9`3xRieh5<ZjV{>rcYtTZHhA*-Aeed95S}b2H-bc5L^_C%G>{rH
zla!Mpl0(wTWa5M;vN{q^V!%*4oDiY{KZswr3*0&G6!#@}m^;9I!0qMsa4&N&a8Gkj
za1V1ExOL!vv68!$yPoUf7IJM|GgrsC;S5m96>v3ExKwT;XXlJuA{WO+aUtALj^z{_
zVt-=KvuD^7?C0z!>^}B=_APLw*u_4_Zf757H?t40_p*1fE7+Ua>)6HYe0Cn&$a>f+
zb{bp4=CPTqi=Dt)Sv{M;j=DtW0#i+=p!#&jpGKeJE;jm#_BQemyenNx?glgTEo2#4
z0tV?;c(3Rsvq>fRndFl!l0vQ`Hew)S;letS1d|~|OXNht{Rpp6|A#xy9pygeKH}cv
z-sJwy?c|>2o&>#W6L&v%4|gYbdlz>TIHz30b#imTMWvRT#Z_>{TrQWvC3E9B3zq~g
zD<ipZZUhHco}85ZH~T&NHTy62EA|L`ko_n74*NR$3i~4a47-(mgx$#A$F62qvA3}|
zuuIvi*>-Sosb{O%8EhF_$Y!%?>?GE~n%HsdXc)Kfw|#`=<nJB0+Pb69p)YV3CiMcq
zbzpU@hqYqa-P}6O^_q#=nc4?gt9H2dG`m={mzjz8Dt}SNsUKJ5sn08)RyM=ta$fZz
zb6S;-C*ten9cqt!hvY*PA>A!2RY#!56*AeEvUQ5Pq>B}wNUg{tV^zzU2jx1+a-qB4
zzm@rF@c|*dZwbz#Ntt*h)mK66%nS%Nr$MkM9p6Fs7$Men0l5@`*L_mzcjIKb%ZQb<
zsv0Mwanz8G3+S;~09P&qyE3th&aHyHc&J8SnhCM4nNYC#8k|YXGH?z(k%2R)UC29T
zf`ACs){6}Y$z5il0W(x1Lb5Ae$g6_9<7tq$S-@|7h7g$W6lyR-Q(q-PY<&{s*^SW0
z&I@o=KSqx!-E4ror4fLpnjSace98%sdvuWN3KoW;gJF~>LE9U~;p?O@IZLSW5u7E&
z7E=RYSSB2<<JqSrVAcK#l(jd3ogW9ah9}pNc2WmKnn#j>X=8z1<-n*XxkKDLK!#hm
z`?%#mcTJ#m<$`0>I4+D+gYI=4c<nXz=}UNKd$M*b>VEnMl!M0!9S)IoN|Z-cIjZN?
z<J229jK<3j0S0`Z({X#0jfyW6Y4SYT7qXt~mt^g9q-dI}2(pJEdY2TBLi6eKQk)uJ
z=Tijf!;pWlXg!+msjm0=8o_*2-PBM6wxgbmPVtstybLEP+FKMsVbF+AhQV=@-XOyV
zxrk;(P+mOpmjp~uyA(K#-YmyMQ2WKJhZp5IP3f05DS}et5nZaldekP^UJAI5Mz~{u
z+ChQZE(IRJ39p^n8o)ZYu-#qPD!_%)0tHUMbyalD3t+zS(3f8T(^T_pI^k`&#_$Ts
zAbQQ)NC(!TN8Se0T3sOPUvGnLshWoGMdMJtkQGX6_96oqe(u~07efsJsCR{UE&XOM
z*q!DCvJCH_(ZK^*1G~W*xC;GAv!VlVxtv)tWMsWONEd{<#DNE_l7dB2uueAAis=^m
z?Flpiu)Jt+tOW$$JPFTm=61uK)=*R&Pl9?bs(VhHy~lJodu|6(+zc=J?}h8Q72p_k
z9a&7~gU4JWI9pVaX`}>*Gn2T;1n}0=lLRsfeD;F+lim=9f=H6l@L$o1A`%kV$od_v
z;kf-Y+&(-^Hjs6Mf-m5$aGLER3&EA685qG$rh^||0qFUuWFoN>BS|E2a0&_O-`}vn
zjY<TAKQ9wD&v*_lCeOoB{!=){KLKWm*I_J6U{BZxZP&y8SPXlk1KNuuLxIVD0wMki
zcpVmi2seW89?D7K9{eyIbsmJB@Mdli*YDLtvi4WhEmdQL|0}P|(xetR4@!ue+r@>k
z9om0tjhfrkfAs+Q0W)zpn65|(?DCkc&_1g9Nt2~sr8=OBP|i}UmG6@iS(>zyc@V#k
zene3K`uo4`xo&(1?tY~LPhz@lh4@XT+n<HInC>mf_#vDj$eAec@`YKJa<#DKmHh8G
z3Bw_{<^OvH|3B;%9GjhxewQ>rEItXD4J4ik&b?JEqpi`rqRCcoQ&)pEz^mM?%u_t2
z@WAC_gY0!#p|o3CFV!+l_$^$5o=1&{NPIvn35-8tQoslK;Pv2xocN~MUO6$~gS_Ad
z@Wh_<Q`;N#{u>0p=@;dd^vn(5H?42^HN0~?U49ifD!+ImPA2h7w{reS=Wkxl0jKiS
z?ch{C><0f&{s_lKpYIid&vys-d`lMx<yYDRPURnUfQL33y*88n+5tVqJgN86{7&d;
zRKwZ{otA)8dFXuXl1|QE-c76K<8>rr@1$4!5vGeR7l6C^nkE<nT72!YN@KvA+}<pB
zlZUOFL#vvh<v}s^Jl)a^ElX}&lGK?L@Fri>0tYzrtMP?&R}1)lqgkm@bhZzCzsD6O
zOsh-`c#$8RisR&puU5RDH<r5NVC42v@coXdcyF_RL;~FwC-{Ds;@QlT|FY3jrMO+8
z&lz^m9~n=VEQg{sWw=gZpS5tXKVmeEx?OPjE(cT%M`kUrj0-rI?=J^bmDf~nreV2&
zs$<%oo9UcfKvmZH$@iTj>FF4u(>y>`UlI2{U6co?PSpHdK*RI#+VRS|o2Ls@5hR%*
zAyM1{(3E4e^E5j(LF#7JtE!R8C5n9toqVb6Jz0dbj@g30#zp9H@W+_}R4|&B@nAPw
ze-m~y-FGa-bD8dt1^5`#y?!p_&=s@sXI;Y1Fji`nNUhRE(pO|ES)pvT?1+4fe6IXi
zg+!61xI?jD8Lg}bo6`4Sbh=6Po;p}PTm6vwtj3{Ps(D>INL!)3UwfQ2unX9i;K^$t
zc#t0f+v{BN?7$_xB9tbM!(8{wad-nG6II_poIZO2Wp#t+&1{A?iP1D68Vyl;{|tOb
z584Kabb<6GnezV}(o(~pMq4E+_OPM9w*V)1?^=vqnBMdqAXsrH{**3x7-w}anTfB(
zy()b`k?+3$8eu2`WH&%Q#L%mRO7}m6kI>g2#>qW92JCZH;P;=;{>p9uAy5s*!y*k<
zZvr9UQJz*#Rmv0(gAk~fot2f#l+wpQ2sGkva3$8DCqM`YX45gWdMkWIA$rl>8~hP7
z0@A>_4ajrISNq<qoF0${`?djj>Q{ZEq`z(h@(l6a{tL~2638<$>sxncML-&aZ3prk
z9kL*tR&56!#ph;O{1Igrc~tnM#F~vl%P*%cuPhC4zwJTbexu~z1zPnWv^-+}KNWP#
zgU~X&`qvGe#R2ZWdJ}N}xI6z%>8?#c`1a55-%Mw3#%rb0irf~uc{O|o!@0>|%gd+8
zCh*A`V9uc(udDqd@@SDwV9qu0VTNI+(l~l*4RGgGwmJ9sBXj7Iy#T%X9$c>&v2%~i
zACVpSh=lWA_(DVUHSz<MQv&S2?_OYkR5i0DFDt<Q1-C&D=BJCZ{Ub61?0^4lxJo|3
z`{R$D8NxRuEY!IiPi8*ZW21|f1IlshQ{SfHw*$%%4^C0i7jFlYuNoV4BrhfKEs5L}
z(4ZoC;!6JrSKwO`>sA2D32%Khir%^mP}aU{IOdOpH_mx59Ow18?kdTK#(xKx{#`*Y
zd6MJUI_(baAdOG`mO55-weo<{s<>VLg*;WZUi!T>pLqbE!;{cWl6NIbVBM#vi~K@$
zxHu%#_%wDQP4~x7<5=9i<uP2$bVuEfKV!Ogti`Di-htQPECD)LvPweIxD7yXv$W4^
zhiaPCuc%{G*C-DuZHl|#Gd2aXM`S8#E%Pc9i5H{&$PN|yC__S@^y80lX7{{L@Cw|W
z^d9~P)1CCX5Jo*K^yq&I&qShAQY3u%1e~_cfcYQ|PWw{rZJKYuHl77yMWI@u{7$)9
znWK0VzM8U1_5<{qFWmxPO}PvIj2{Q-whcZlW7NJ)tIhy%qwf|C@<&`P5I3y%5m?<p
zV^6kLE)<9xJ`wU6kf6+dbOo*Y3`kIyb|jx}`3y+Vvi+>1vr`~$Bfa`4kf1Jm-yL+<
zQCLs4e+Z?sKZo@sjz#O}=KZjqng@<<&ugWqQ)u%54pta$u+Q_4m`95`q1zh|;Mvl!
z2d0|osROuOn)KltT3T}u_$2(Z2-qcCF7inMd?dtq2#`$t$DO{)W??Tg(tU@31Z^$;
zWqC~kksE3L+t9-Vvj0~9h(>|PO?3U+c(z=X5wf6jj<B@>5_<vXiLMX3=%T%VGiMm@
zqT%lV&IzNG5%k4(0B4&!Xl$NWAZjDcc^6t_rrjd(kMIaYZK7-61)ODTnZfkd7vXy*
zW_$ME{1G)hnCjqrCadu{I$;O)$jQ=q{)p<p=5}xg@VIG>`go-~u(>VR3DRRsnt3<9
ze<w_E{NaUWdS)j~Fc*F_q;pnab9-?YPA-)nKJuur*Tl(ION9MIktOUX3Q6BR1$LY}
zF77Le{qniL-$7(Ygxy6xCa}NARudXC4qp}ccn>&0A!_&#D=0Y$#)p^of!$&CNx>-c
zA($b`Ux8rPqhNtJ@(ARu7m{|d;1RIC=pTjP!g=KCKK>GXpQ-!UD>wwvjptF;=9fOi
zn9e>AZx;)pvF>9haReHsRKpics<`L55Vl?Wfi_9AT;2C;Cdpa^g#U#|{vYEE^uGW<
C%kZH9

delta 15511
zcmbt52Y6If*6-f)X5LIffCN%VNF@;3<V`Oj32CH|MhYQ`LYPbmExmvuhOw<>1z}dN
zA_#~I>e3cu5T)1)y7m<j1VQNtSXLC3|GYN=11kD|n=hQ)ck8+5o_;U$=f}@K8#ub6
ztY~_NE6&~A)@bjDGjKdd2$vBT$8m5w$8kIG-=&}CMWYR4Zs#<IMkuf<6qwX-3tWKz
z!Z|nvN8u3chduBC{2ShYmtiMtgJ)m^JPl94N>~bPRd5`1&z+8gI-Cfary!V7i@;Td
zU}`yn>q-z*jYm+Hi(q^vf^n$`(ya(AdIY-B2u3F%7(N6+LL7p~C<Gw`5d;PyP%9-!
z;5!a~ul(5*7q<_*-^KP<z<)XT@223mQ{ert*mq<wJT3Kn{?E6AW9CEmvo~UIUps=$
zvk+{McC>aff~Ta-tS&|HSU!SBGY~vtL$FlB{((^l{*j2_zQG6<gd(`RFM_)S3Fky^
z3kS#Geb@qz!XlUtEl>}YkOL-&21<|8x9BFy=q+@}3|dB0>2Nxb{6sz{FOzj-0cj#7
z#6n_;iaW>c<+gZ(<J_CJ6qQ0D=i~5Ld~h6A(ajJ;Z>4Df^lhRh3!xPjbDxq@7)KwZ
z$4DHV2_7($X7V!~K|{$Q@(NiG6T!jxXgRTRU*n_=n|#-ofB;94yl@oB@hNzZHpd8X
z3@Hl7umVYZtb1^OC3iROjwF&bbRi6cxj44Vx9cF{=u19K#?rphmI1bNa01cWjsw?&
zcl*NZ#Vhy_feYjC_cjtr{!Z6IINZh>za-1p@*_mWLXMDoNguZ22yv1ipW-MPLA-CO
z26^97C$XkuWR!P2eoR%5pf?722dk1vf7bsviNI#Hca~~o-vD{p9UOcJCt(LJy8*mA
zmgf;3i$B8R4T`^3IxAs`{9DT%Bt>K~4WLuu3EX22Qm`-k>=@CJU}@np?>Zrj4Dh}p
zOk@QoNF*7^oF_;D3HA09YP?I72_($BU1?yGPm*vFzG;>snXpx-@Eju;IfuPO#n2u~
z9hL}u3JxQlAA$Gq#RN5c!NK?N1)RpJ{{Z`<ABk7P0jb*wIDmEU0Xq;&hN<D8)bAu5
z#Jcx^9TZ7oL;zRB!Cf$#zCztpK^`M{+!1aaSL6+j)6%H{?4B_sJ~J=3z+kJi<?1Gs
zo5$-)4HHWyYV(Wqwc3(`Dw{d4ENgsrZDCFIcvEI}nL$@sVwj{Ys>rrf8ph{WPS97H
z)vP#`Sh`h#T)amyLd~gEs^-p)_UTSnb6Z2A-kzw_CstMDSG2a~%&IlbXlvDGRXePC
zR%5BX+3c>Y*Nf%`y=_|O%);r;mii{`_?%pAc2#p@V^gy}qhp%AX=Zz}qq*@qA&?t%
zX@NGE-RWxUncP&8)s@*jyJb#sdr?hSY4P}3x#OC2uF}#9<BhGw4UVGBR&7UFduhY$
znU&=QH%zQ*ozr5pH#O^e&0eSUqpy<C?`-OFwM}<VcR71jn53UjJ}1xAVd-jXFU~12
znpz8r?8(-alJ<!mxp_BKR=8Wb8``VPRTE2FY`L8!McI}cYFnF{O}$r8^deB3y~)|!
z*x7!052Z8er)9U+PRMG{npQizqslnJHNGXet2%#LvUx^B+pO80a|%jIrnOYryQ-?&
zD<(Bo&v8^VH5)H4P}$r#nGfV*J&Gjx2;6P1_G!HqnA2jLW6HL<i^kWBg_+HT<<r|T
z&92(K+CsansHncNATP(+<+60-7ME2`Z*xt{)LEK4+17NDWU8=dX0_&4S8D4!#uZdJ
zr#WonYsQzBS!cFPbhVTf844%ankKb4ip@EV2C+G(qTOOIoWur>C8i8*URHTlQEhc`
zL4hf|sHmtsue7{UJE>?w`9zyFU#rzs7v^Qz3^}&4vdpsT9Bp=1QQ7$N0-deAU_xny
zwv^p9mJBu-GRvwuCl%yZ%$YSixyI3$oLn#3JDbhp+%v_>V!Pd#m0R5`w&gcFOYF``
z6SOzhc2pL!y<^G9hyZYNsAS#nEgXPXVF4-xA1s44C?w;78A{2Z+<+j6CH0**G|jTN
zHMrD$A)frozp4NjMEu+)NG-pzhEn?c^&HtNrDQBF_YMa?!Pjsab^KxY3_igHzlV2l
zxlO>{X(l71)r115)RJNpxSKfqeFZgO2YCba?VTu?Ztq4uiVX6;&1+~$n0Gy{A9YDf
zD46yu5=keAv;5N}o(yI)PLotrdlw;^M0=xoled|UA~BmDrXhrON3yiD#6V(M>seAr
zyQ0|LXNZ=>NuSYd&lxg&u%spf=xz=krMuyFL^%bLU@8<tI|L)j>nR(%fGE5FM-34W
z3L<IkwBL~7bai#u>u0$nc~*zO2y&%}tNc~H<x;?^1nkyZl9c{#zw&-_BWqhoOx^!0
zx6yDgsb{o1rZu;<U4g4iC;!oYf5qXx10Ny@dww=W#XSis9#kZN2Q~Y+nP`w9p61|7
zI0&D@f8afM3tmHS=>%**>Mn#R9yk&Z20G&CY_HRIG&W5$Oqf|+R$(p4V|y<0iR?r-
z3F{-V3WZr5x(u^$+*Ih!r%H6<JV608>wi3(eBz&p(*FnX;(u3GB_dJDBf9|KA)3d5
zo$Uri2<3sO>F+c)13w_3cWWyL&q6B>bwPKY0=Gy0=k3v4X&&|eXLIu260TN6(iteY
z91eefB#+SZva6$Cv@3_iOTyW~)_+aLkRei8WRc&HhM>gk@^P7!<Kikavx>&C{@;;s
z_P|$Ui0}1pNCY86+2`Mq+m*xQPVDrzDB~sH5rHlEjwJT+6YCrYKfpO8$CnT)@PrU_
zKa}`aO{s(p_s71>16ryO=n)QXrAKi5UdoQ7)6n6?ITc20X<1QW^@Q4NUD>4Etb*Fw
zTwQTqPDxRPr7X{?oit&bxmL?|j-^9YlE5ZUZ&tGjV`<*-!kWtbOq0o2l$TpsU@R!l
z*JhT~Sj#JGvU3Y+^DM=sh1Iq^+r(;VtYNUaqPfu(SLtf+h|6qgk+20am?MMfL1;jP
z`V#i9?}!+bbOni;&yz4eiIV<H?j&Rc+jtQjsh7VebI3@4IpjQvWMgwc$y(2op*?g$
zC-vJNCzTy7rRb$z!Gp+V!D^Y!WSvXkQB-$`#DmauJqhF{s@3tK;h8}}dV^DEx7WKg
z^$wd|W3<?entHdvqS4!QCbL;*Hn^<yZLXH)6uYx=dQ%7Pt)qFSt4Xib88upiMsJGK
zSyN2<6r(O#XVe;vR%zQjm&S2vbQ1kHOz{TCY1jkjiAYBIUOi8uDbe_M)%Pb7$lwB*
zN|G;E^kKJMAf0T(MH0%ey)Z!H2?BdK*n_zL8}vyqQT<m?_K!Qy!Fe3_6|nOQX^;Yb
zLMw&eUjzGTIaOcry;Gs;tKe!l{5?Z%p)W!UBA&-;ej@2a+Y7%Ne<DFF<03lg4__et
z*ukIBL)Kqz4`ls*#`c<@(SJAicKnQS3o%NqL)o!kNMC7S3o%I*r9E5gh0;!{zJ`A;
zb2lvEU<WM0JuCpW<Ra}y)a<E?Gy(s-eUTalO2k)kg&bE%ZYQTPj=BW^_hDh{G9jFp
z*@+BznU#D`lGywMieR??IX;wqoCOwQW&N^Y3bC=KY$zltY+E)|kufYd2j-Aec6SbZ
z(!+LFGueP1Ci4p~hMqsk!RHB7gUEvH$5;py;DqeABi5e*J0U`p04Sy3f-I#lJO~Yc
zkF(LPrh)t*qHdnu<Z5e|ITxhSKce|Lf#dgqpadzB7udNv7^sG`@`7*{+YZT^w|@@}
zFz7Dlwvhy~79!zpq(M4$8`#_9U^q!*3&z19)-M+l*>0&+oC`u=hs)mB=xVHYwT+e9
z)0iO_3?xG$!5}t27hELM`&?k;mOQ8-B#UJfKoslDM=E9e%SZF!QUG=pQb>nL0Te(8
zpbw;0OQZrgDOrqf;3Q(cAC$7D!%bm0sesiStj6kP;Fv@NZX!{OnHHDJVKZs98k@tV
z(-`eWr^e=Vx-@Qw!EAPGT~>op4|5aRQ2`~S#3gjuXLY&~=Jl3RbBflKVzMRcOj?v|
zzkFOk9B`p?z%HzZfGgxdmXAXm9K!ZJkQ@z}>OY>%FY~gQ*i53J+8Z2aWWfcHOmZaR
z%p$pd8ogcs6G@&gW;_&AlFv#@U=(9TV7^++&61e^l`YFU78*Ht2Ofb&M70iB;~5C(
zR=adMeSJM@GpEJo(iq)(B%RG|*Vv2(gVW%)S>09}P?4%QGEt2Tr8c=uM!m~v(72oy
zr^aY>S~XU)-KnWJJ9HMC-C{G>Ybknk@&Ll&0GHW<D$;~g+O4>P4OghIcWSJbdSiss
zsI%EzZXJOCw9%^lgvlf+FLM~!xr-9-%5~q%whrqgaft>%7fSM!)iUoZxVJg(Z8Db*
z!AwC4QuR6Zb`j*00*Q19>}(N)u<^y9r$f_OU<qWCLaD)_8Y_fn8i*%}iA55lm!jqP
zqyz?#BL6t77)=8**v-X|LW=!$j}(Kz4i!TZ8&e7;q~vl>C3BR*0BM<McBm9$dXfx?
zyp$c2*hkus$m532$W9QP!Me}=8;VlPeBVn)fYj?ukFzB8>V^RJLoDA%ElI?Wmn9-z
zmIyTf+I}?}e+B;W6NSQYDL-=@SJ@BjcpX1jRxl@I;z|mpnU6$Oew5>m5*K-i{sME5
zav!l384$})@3^6q9oxuz$OJayUwkboXXp9~5x)KZ;zdF#SjIj@1RJ`UcaTcv5rkN_
zW;1V&k=QJd)1z2I4LwcQ(tPp*@e)1v3D?T$7iA7)`kVNuM5o@Vb6K7B8swvTjZtf{
zXzXs2L!)=P>uq|Sv0m?Rv(}sVoFQ%}GKtZE%%Zg*?--FW>n%pT#^JWRw065)XLqnY
zH}U2~i^XVgTOCG?#p-fsjC!3`W3?I08oN$w*Xd04F00nX^z-<%M6<<U)#_aajos#O
zYm5dn@-OnEMrYC6EG~x@hv}Jj9-ozHbej-Ovs>eET8tW_PV3UxtwyV+9#PkuoNk-V
zZeu^p<3}YLEINbRWHV_DHtcRRyQQ8ky~gRZ=n;FH)>N-$`8V^Ki6*zfiW|~vY<h<t
zH)OSFY%aS6^%LUh)H`fuorA5tnID{J)7I-8h@Qr2cAC-QKq6TUCJT;n7_EA%zTRfC
zveP&71w&kRv)1L*Y79D@$Y?U6@S2@AoYLsj)oT$Wy`9x`^CJ`87MIpxv}iR>gVBH!
z8B7|h<ipt92D{m$H|k9;D_h;oo3boAm(!|sm^4O*ON(mMiPGzE)oUCE2d-^(>)kfH
zB(Q<7i^Jp-y7b7a$1$MYgQ?56Fp}PdT=yujT?_efgU}E`6j-4IP4W}q#7rL#bKpMN
zDLX=a{BrbKW1&mRPkn{K&|VCLUW4th8J<LCbwAt<-Oz>8l>_Tq&kqh&snH54G098R
zDs=!B(DxPC>h*jKCI(+!&)b3(em#2|$K6K9(6?YR@^uIMY%^~m6a8$Q{0x5&Vf~)v
z1$O&Zeju6TXXu-KJbETl?aN#F;Vj9=4`I)4L9<)ktNr{IUSwN+d=9DURU5aJPf3(W
z(igT#I_%0o@IzF*Z^A2>5Z{SAc>vh9i+o`$V6NBS^HS>kH4Nh3#{}P7@B%!CJr@Jp
z@(y1b3+sC9HwK4a^d>XTxEa=A&%6DKg#GIbUl9wNrC3SQJ4fIn%*1b&5`T!o1<cFu
zl@p%#!6-?C_LV|RbodBS^^v{<rJ{fq4sEbns!+*o?7#s&?h;wA!z?{_ifp7^NY+AD
zyA=b`@jfI{?PYSLuv1(4B67W7HC&=<DAR1^W7q@F@(pD2<)#oOZsTW?DZYod@lMi1
z!sU{N{1($BM=&q52N~i`cnO}z+k|zn9G<}K&IPu-pTZpr4{@*pmEkG8d3Y7p!$U}(
zkC4xPL_)qTdk3As9*R{ANK&c$D0ww*G|=xu2m$h65Y%$DpprjT?1Nav=s=l+h&1^_
zxY$CRLR9o|Rar}l^oD9%;kd%Gnu1AIt9jh`9AkD>byl&lI4{d=t~KhaiYu$LZ25U5
z#wuNAaY_D!s?ze@;_9sIiPfsB90T+;bjc{67QI#ufC)Uu$)~;%Cg$)Mmzw{_1^r@x
zH!3CER$?ZP;(4XBi_h^RNS&NAV(HKGlZl-zeV(69>ZLzXOx(^V2HbXCxe#u%kvq%S
z<n27>A7rUv|NL0d$G2%aiYt3-2mcehctD|4KriR0RDrD1>$^_+zK?_ZkcfAH*hJJA
zP!aXePR^irTb(9jy~bjf+zy9Uhx*v8)40)DGuZ3xCZk!$b~Y<=d(9Urr3zH?rbr2g
zA;S;!VJN_<(+PNnSFqxb6}iMIF<~@Yv4K~ymX8%d63_K#=^rTivxnbT^jF7L3gM+T
z;>l(!_bCRlmX8#}iQ7L0%OULbj}#iV>_3VE($H(BJ|8Q_Qezcc`@Uj4ndWbpx<^s;
z+u-Etcxj>H>i7x2BRPmfy!!)-d`Gd{fUzO+g3Jy&t<7k&)pt&x<<vCU8(sb*#7m-3
zI-Tx=nW$h;tCdY+>-Q)|lIi|)nYT}&_HFn;@hD--_9~pJY9ZV-ig@}-TMT6rK2`Aj
zrO>o}dPj5H4f5PGr7grrO+!^RLU<nbHu!tL{VCFH`KOA0WR|}VR#;TELU<we8RPFW
zWuKxS(;^^^QlCjzyQP>tRA_n~9J?ShMz0X=YARt=*@x$nIsDyBGJvtN6+$e9>)4Wg
z3KMB!@9tBSqB@D&udt97KVGT(6@Az(`xPTlm;7_TVlZj-J`xn>JFs67Pieyx_JvAF
zB5kaXS{U1d-#!lZA=Tdpwog<hqU$4t%oikr?vVYnvyiYoP*UN2Bo)5xvQ;~by5(ck
zLAz0bOX_<G@RDj|yPB1jQIdY_<+k;K7dY(tD(dfFHTx;phv~iDICLej7wVK_dtxuV
z6tr<`@IGiUIY%qK!Er-rV;w723nNH7o2?dd$W->cS{R9u{!z7%i;|igAdDtm(xxI=
zXMmtZseK|q7(!;VHv@zelv72ZFqF(;qXLDr2&WJp9!~Di$vM^OjrInY3~unv4-^)Y
zIR8#j<w%G=hqmG*8s7t$lKucS=WFl+qWiFHR20%q$3?*_m#kIq?6qvyu<PT%Ug=h5
zM8UI?+v+FRP9)fI%yaKYW8}~JJ=9~Rwl7rXN6~vRY(l;M80MDUkO#v-O;6C>^q=%z
zoUoCydmm8-bzc?^eX`MP#n7%#3}lkus?tl%f!A&hxOTJp>gI00WL}zGb#?od&B7JU
zx=V6>X|(c+X6@C@ir;CL*1t5I@7=DmT|FGG-AsGOroSC6i9;A(1>=vz`j@Ws<NxGN
z9~R?TO@{8RojCBBW(1q03;y*E1nZ>h@PAe#c(MY)nqmZxOLyX{vJtFIN3dMF7++>U
z@DNHr$3`N!e;5L9Jc32i75Tz&1os3ZxU&y}zbPp~3Qr;A{)JABT-X#E_Ym+8$H6$}
z*`|yPG#kVWY+o`OCNtgh$`J#GNt#qaLO2paW|H@)hQ5Z+5eS{+V!Pi}#F87?$#)eN
z>U6WlAR&?5#Fo9Mh-Xi~tB4s=+n@~Bgp=;+O-|PwS%m7^QIn!P)lGNG-}BhFLBbd`
z4BEbek=!het%qC8)7hJSg<+)IhoRE|(mj_9`Bj3B!snRu{|NDa14UpvUOR2X)c@n?
z-aG_exEKD0cgS<06PjT<IAAhNf-)$CaWEEaU;qtX#Kfah9SZ#bV?X*c{hpqqC+U~;
z0R4o1K;NdX(HH1*^clLIK1o;6W%y>Gdl9{d-cGye4YZv$(gtd$*U^czlorrznno>D
zM@P}2G?osc185KxC?OZfcjOE?P7ag(<YV$4*^Q3@c9LhwCbE{SCM(Iq<bJY{+(m9B
z^T=${iiCBMI#NR_NHNJHnV9l6VLo#N?i+u+p>gqY^zKV~TlpF7CUMvFX<-e%fLIC-
zV4!d}+y*ye$j}C}P*F^UT6_^v0{M^ysbB^zjD$qw{RjwwKA;4S{z$*2U(sXq5Zy=r
zL*J!u(wFHDx|RM5Rm&4}1zke_K^Jt>JMkICO|*-)&>7T8r_gFzPK#(R&7djNNR#nx
zMFJg6!)SlZtn=g-a-MumPLU(zAlXYkB>yI_lNZVJWDD6qp2EBHN63Sy$Nx_5AoIzM
zcwyH>rjdGbJ*grS$as>2=}{}ulhI@t?pylthQ&qu;`S@Qppj})Db+lOe)=>Rj0oRG
zt+>((Qi-x<BV-GkkgUq*vCBr*f3&~!G|L#_FFnB?{7jHrSFrvc_)8By@Ug$Jm<@l&
zU%Hpg-!0?^;v|3f-<|;Lzgn3wNq$+7M4sU=b$A37_nXL!Ytg6n!mZE&4M^-_$Uv4$
zL}pVWo1LJa(tjg4*U?Aly-2@V^m?RPDjiLuXaI)$$B<KACC?z{b;S3~&&ontC0Uvz
z2=B>y^q7Rp78Q-dCR}kfz7cvD!@Y(0BH>n;2ea{E%1m%U9n?St;*bZKFb1E&h%f?%
z;A5C@T;T<ZE`d_P2FD7=%V3aSx_)EG(6~K=p}~`|3a@q<zN)zg4Nf=QfY+FfxIsHy
zhwocTp#ZWW4J@F8Q7{x@VGu6x67{ENqebCxkI`Ph0S9wv9ckcx<`#H^<8Blhn}u*o
z6lL=i!Vt>c!B#4SY++iH5H4cnNd<Z`-0gmcJ5DJi$8<Id;Zafa*0Hi-p6#li*4#X^
z=MQ%qo2eA`3Nf>U@Zu!OiUh$(xm%@Z$su&jK(8Dt+f>3x%FUPjpa`}?5P0^iN*JN?
zC}s-b+1P$c5Jbv(F1H8!o#0mmA#~CR`7kJk<lmve{|t@&dUSPON21@1vi2C#WEyIl
za?~_dq(cl0z(c=)!to-$J1Rxd(4kNapgd-G4$$}L<EU5eqI0Q~Qd~!Te7ZpBHFEQd
z&+_;tNXLPl?xazqllzd<v9g0gj8A`)@IFK<xp)q)qnqgf(!#xoAH9Ek<!h7&AWYKZ
z0*9&J$AG5}a*~u2;8x=~Eb^{NtyWqNf1O*bWcIa!-fK+@7g9G`7J0%HY~xzN;JquY
zj*q-Ba*Fp<T89vPba1;T23YGsY*~`t(9d$)f(B1C#TbP%#Ct}0`=^ZZri^tfttoFE
zt|csZrJ!efmJ5l4)tW`}t(CwzIGBoC$-~!Ib%=(8Ga({zBpKmIZ=h`{Pc8qs=zZE&
z&G&Eo8|M{L3i)9t%fI$krQFYt3^h8uXHq)&#MPs}^fruH#w%Ape$=Z<T^eDW_f4m4
zuec2yRHCRUNDUV2aM}`lO%xng?4yq>CqTS(m_Zzx*~#20?gYL!nnQL`6`g=jxelT~
z)dH+6PL=ArcbBjVVx`V~xD_1!9>bgd-|On}#l0>}g$O^9>p7^yCub$(B3XsItLKck
zbZpP=8cmNt<Q>;}`<j>X)~-djd)Jw(d6hk7qc^}($R|e}FY(q`?pKbooL}A5pDh}s
z(s_qkGx^A-UGI8lSeHd=_n3>MWt8~H3zvBgAF|Ehwo8w`d=V>^CobV|4+nSBGpMw4
zP{#sy4<{va@_TSNuj}9=2RH(}E&65r@R#UFZ?Iu0pZ-GpFz-e~H9zLN871BzV<DgB
zt0vy-jrRwoFYj|*SC~pZ;W|8EjdzqOJwnl%INwihOtVzcCvm^k_zp^1si=qC)%OZ(
zC~I1weCjWeQShr+o_U@ZGJO5s5(a^+J`|jXg9^HeoFyq()XMbqALu7{3EdDSp`qfU
zIMhoK^m#g%%*9R5zzXz@>edQ{e0a#axoq89;eKW6;`1}Q61-of>Dk<MLI$tj`iY+H
zTqi8!g9?q4+0^yIQf1OF>Ls<YGV6MeX%qRu(;CCP{dI+WKenOKTc^7}EO20tYs8s3
z$f38Bm$+XzGvbx#>vxCn=A~n}THd%Du#3}w477HXcdbp&Ql1hLmFD=cqT-QWb&8%n
z@RShFr+qT=PPXwW;Q__6WpQ1@z2~su=BI@W!8qgGDNjt2cg7eK`|)YPC5UHlsq{n-
z^9H6G*hBvm+{ytvtghOj-ltOa%(7NU9Fe*!T|OqBdyxYZZ6FU|;YuBWWJ1RhQCsGF
z?-n8bukk!<c}KX9Z9SvRXT?XAg0K5S!9zo&li<099E?B#Xu(1{PAmG^fyM3=KKEtL
z7w)6ol2oOV;T*|Am!}wApBhvJE_8)j(IuLPuF+lSBHfR!(n@rh)}rh5EV@vypewMO
ze1LA%aq<nmv=nGCn$Mwl&tjw5=qL=Q#k7jn(<XW&y@M{MD^dHti2C+0{Th>}gV075
z!3?xx>w)|S(OSda@F^p^dFZDW70{1}3K?Ri0m~sWw8$`1hL}{r`a&6&%CJI)lVw;Z
zL#GVgGMpyE88VzD!zLNF$goX@9SZ2iNxS5aIRajyh&qv~@irCz>O}~ID1XTy^8Q+_
zR&@20^kPF#$tX_mDVfEYJteEy=r8HCVslSPFShoSjADCF$!-=qdx}<ZwhBUVL8~~x
zzp_=-*~Edp%Hh4rQN7Ayud-2k#3fCFWA$1wlm+d?5Y8Y*u=jQ-HK7)9a4;lY?qCu1
zRxz3_+@TD`=c)!N?ik3&MuJT$g_Agzz5_=~Aqsv+^9e(sP%6doLxw?_R2sr3j(|y0
zY1o*d5?>8M;U|EPwA^GV`3QNW3_aJq^f<i${ZYMJAQ%1MYD}p&qBnCVEJ1#F4Gtkg
zyn$|#Lz-wbpQMNBQc2{8o1j@L>G=^>=#)w(e&iUKE0wHd6w^Gf%;2+lk04cyQ5lV*
zW*nv=<*#o1GMdEXUIZ~(L~XC_<EIe`H4rqH2;#3XBI%GCzo|57MMJOIOnT9D<)>L@
zB9o|;&NN>%iDprd&qgX)M3sENCX;COSDHkVS+vPhU?rAK7BNM}@A9X~Dvn|AZ0k85
zj1vd)Y0~jvDV(IUo3|-rdMw|y>^gX&_1<8!fh~UmmDJ!*zEjoeyc^7VmbM!8U*eW0
zzbMvv`&jhsq18gTK%ZOpv?omTUT-n56RU+fCGGge+LbIDL^gkokSPR@SbfqHqwzLc
z4eY`ip+N|#NE_sd9_{UGGq9yk3hs!sH}*d5w@;WCufdRxl5%c2SAqwf)?=S`JSW&M
z>FR5lZScg{SpR`4{R69nX+p@TCEt3Yt!yJ!u$8NX24%wW6t337CWNYVZ0uvgP-Wlq
zj?=|vZ$G>gTlyI8C+XsXDo>cnTW2(|(~k*tyzt7n2ib(jg$^MlVgG(ljKSMtGO%AB
z7aF3|eEotYyp<ff<`Uit;^cPWhxFt7*e4wQiwatEL|Nj)kS64k6~&ygWT$^1x!ir+
zSfoR84;>md3oV!Ea4pw?c4f$xGwKXlPR+p56jpZzE$5J($xB%C3SlWe3K~?x`mGeI
zl`-#zH5R9`^&v=-M^*|Eg8GB3C{NfJb}<C0c4nn8RXK2q_lB+%?~gh?``e>JMnvkC
z*L;@`ERWtpP9UOJ9++|?9$2*0=?~0(alULs%_q@_j(#ld5Gy;0Mn7Qr=Z|*f%2qVy
zl#r>+e*t~iacD#h?7>sWJ5knC22XU3Y(#CRkw3@IRJ>K2EgR8~PYa2B;19K7?BZ$k
zBu4HY?`9=m3HK+)=TG^EA6<Njk94IfJg4oPlzh4L<F}~|KMN00cKrt7sUFW0b34`7
za3?LkvwMX#m(JtbK18W3L;H`S3<b`wSX^8p%aH9D@?6YKFR46X#j*_DeGFyDXr68C
zD)P%v+;Nm4<G@jIo|r;eh8{kSbcmU*uk}Qamt`pR1kxe+AD?ZhEs*_`y(fgkMD>kh
zUj0jZPW(~GhFGbql8cqd^9&6}Pjwf5{QBd|{;%-)rG5U1@~HBQTjm!iZu}$PUtc@X
zFK!3EKyfp?@bvuRN?F`ezr?M_cj>*JunJk+?)?(QEiClQvFz-ZC~l*+KCJV^l*!`u
z$PwJLs_eYd6FouJO=FJ=?ja#ZBjk&vKXdxo!Ow()%=)2_%XS<Pve+!i6^a|KVyrYt
zmCt;`RrfI=NtM~-!lILWJyIc%Ou5QQKKHdyeu)UzQbMfhAj;b4n60I(-{&Z6aA<NH
zTmL!An)2Z8ABt=JvX*`bWzFVWwcHa{<CnFChfvni4;~oURV~X}(qZ%?V+Y*xiYI20
ztkl?w!@{(PH16#lc1CBrm@@JiNw~_{Ue#AMnfTs0D<sfgkM?>DLc-D2d*jNZeKA0F
z`Dm}LQk=3}?i#Gh5cDtp@`NYGAq!?ow5mZc7CqVFiLRFgb8ocDtxWx}YGtim7R)&@
zszl!AP1Lg$F{(no{|iM+*_jyC{mS&Ht-)PWWJUFStSTcu;e|QBNPa;ecZ~bP7;d-k
z&Jn6+!gdbBvtxLGzVAn>29XKUz(jJ2!_3lmlwejX0rPzp%y(5|Ca@7RIk(eA7-v0+
zNBc6S%}xSf_@9c&02juQb1^}%1XFTb(7|{Y?+Ct>pW`eg-Le%no5U>H3S+@+7PDn5
z>@S-wVvcNuFMpb?;y8JfMJwjXqp)DniTUy<f7zlJ3*=FkKP?7vynmEQEb@;si5Bxr
zvDiOM`VcJ^vBclWCQk5ovWZr$Smy5|m#sRnT<&8vh?R05ELe@=M7fW@Y&D5h^75BI
zt!5G52t3>4I=r_PU56UUb-+?MUVNX~s*GX(-l~irEjukXF+lo{0isPrmo@O$VqfY1
z68LL%I<XJ)>{Jd0qu7rX>{P}U%UIbA;uL?uBu<slvzbJjS+w^m*UPB->upxi;a5({
zQW(9B4k8`g2VC-^%t+r^r3#ZOQtKbtm|3V~b!=~hDnf{wa(KNbY$hsMJsUMhHI*N<
zAtaV99Hi<HjC~i^dSa%dcGa`gNYykUe%P8@JkiroyXx8gNL7PUUD<xBwgI)Pj?Ily
z4ONB?8Z)`rjRs7|K90i4Ma$XGJYg<x4Mu;%2dkz=q^&#J{6}cV0HPfwv1<U)a=(+Q
z@L^ITl(0QXs!}#v;&Sp0M%l|ptDYt7*icnQj}vz-d&5dXRn^MWm*&kVZbNOWWBWr9
zO{H_-eV(vZ)V6w-9HyEYl<<_hv#aITe8EWeN|-8B7*P4?LQhOHs$M-C8;%4?$Z7cA
z6WxTWSI-WHBSFkrA$Qg`qDj-Sn<G?1BT~oN68>nv+tO9J<e9~)ztg|qeX@<gs-^tU
z>Hko%vJh1@Z#npIEL$6bY9ruqM-cld1l300h|s-VU8o{;?DYYvOunCE{f{hYplTUE
z%-~Y6bpusPBeYds<sTt*ECmlBR5}0w-~IiXO`<B0NdFCC4-QpLU@MYUc}zt5`;I27
zqKT3~9kSr2;JAsHS`Jn%O9*^%d#kiYAZO+9D)2@~q}%b%K_Huno%@zsz*&(?M^xgS
zE5V0?Tqf6mPuKqVW{=rZm1CmSaIG$%r74FqZJLs2U#2Rf2mjf0k<6N=H2?XWBSw}9
z5|)T(CRc|qkp2V*bMKXZa}6kMB$AC!SH|@2_M7WKCU54S>B`tE5d3YwW9iC*UNimn
zZckb;l+}+_4vo5u`0w<3bgWWqy+((*3DV<V>D{dVzdW@k%#)6nKnw>lc<uv%RgF;&
W3jWQNEt@|^xp>%LdGnDl@BaYX3Jx~_

diff --git a/test/test_api_security.py b/test/test_api_security.py
index 5fa026700..8c46e9b11 100644
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@@ -962,7 +962,7 @@ class TestBuildTriggerActivateSwo1DevtableShared(ApiTestCase):
     self._run_test('POST', 403, 'reader', {})
 
   def test_post_devtable(self):
-    self._run_test('POST', 404, 'devtable', {})
+    self._run_test('POST', 404, 'devtable', {'config': {}})
 
 
 class TestBuildTriggerActivateSwo1BuynlargeOrgrepo(ApiTestCase):
@@ -980,7 +980,7 @@ class TestBuildTriggerActivateSwo1BuynlargeOrgrepo(ApiTestCase):
     self._run_test('POST', 403, 'reader', {})
 
   def test_post_devtable(self):
-    self._run_test('POST', 404, 'devtable', {})
+    self._run_test('POST', 404, 'devtable', {'config': {}})
 
 
 class TestBuildTriggerSources831cPublicPublicrepo(ApiTestCase):
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 977c20f2c..20d216df2 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -982,6 +982,33 @@ class TestRequestRepoBuild(ApiTestCase):
     
     assert len(json['builds']) > 0
    
+  def test_requestrepobuild_with_credentials(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Ensure where not yet building.
+    json = self.getJsonResponse(RepositoryBuildList,
+                                params=dict(repository=ADMIN_ACCESS_USER + '/simple'))
+    
+    assert len(json['builds']) == 0
+
+    # Request a (fake) build.
+    pull_creds = {
+      'username': 'foo',
+      'password': 'bar',
+      'registry': 'baz'
+    }
+    self.postResponse(RepositoryBuildList,
+                      params=dict(repository=ADMIN_ACCESS_USER + '/simple'),
+                      data=dict(file_id='foobarbaz', pull_credentials=pull_creds),
+                      expected_code=201)
+
+    # Check for the build.
+    json = self.getJsonResponse(RepositoryBuildList,
+                                params=dict(repository=ADMIN_ACCESS_USER + '/building'))
+    
+    assert len(json['builds']) > 0
+   
+
 
 class TestWebhooks(ApiTestCase):
   def test_webhooks(self):
@@ -1642,7 +1669,7 @@ class TestBuildTriggers(ApiTestCase):
     trigger_config = {}
     activate_json = self.postJsonResponse(BuildTriggerActivate,
                                           params=dict(repository=ADMIN_ACCESS_USER + '/simple', trigger_uuid=trigger.uuid),
-                                          data=trigger_config)
+                                          data={'config': trigger_config})
 
     self.assertEquals(True, activate_json['is_active'])
 
@@ -1654,7 +1681,7 @@ class TestBuildTriggers(ApiTestCase):
     # Make sure we cannot activate again.
     self.postResponse(BuildTriggerActivate,
                       params=dict(repository=ADMIN_ACCESS_USER + '/simple', trigger_uuid=trigger.uuid),
-                      data=trigger_config,
+                      data={'config': trigger_config},
                       expected_code=400)
 
     # Start a manual build.
@@ -1667,6 +1694,69 @@ class TestBuildTriggers(ApiTestCase):
     self.assertEquals(['bar'], start_json['job_config']['docker_tags'])
 
 
+  def test_invalid_robot_account(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    database.BuildTriggerService.create(name='fakeservice')
+
+    # Add a new fake trigger.
+    repo = model.get_repository(ADMIN_ACCESS_USER, 'simple')
+    user = model.get_user(ADMIN_ACCESS_USER)
+    trigger = model.create_build_trigger(repo, 'fakeservice', 'sometoken', user)
+
+    # Try to activate it with an invalid robot account.
+    trigger_config = {}
+    activate_json = self.postJsonResponse(BuildTriggerActivate,
+                                          params=dict(repository=ADMIN_ACCESS_USER + '/simple', trigger_uuid=trigger.uuid),
+                                          data={'config': trigger_config, 'pull_robot': 'someinvalidrobot'},
+                                          expected_code=404)
+
+  def test_unauthorized_robot_account(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    database.BuildTriggerService.create(name='fakeservice')
+
+    # Add a new fake trigger.
+    repo = model.get_repository(ADMIN_ACCESS_USER, 'simple')
+    user = model.get_user(ADMIN_ACCESS_USER)
+    trigger = model.create_build_trigger(repo, 'fakeservice', 'sometoken', user)
+
+    # Try to activate it with a robot account in the wrong namespace.
+    trigger_config = {}
+    activate_json = self.postJsonResponse(BuildTriggerActivate,
+                                          params=dict(repository=ADMIN_ACCESS_USER + '/simple', trigger_uuid=trigger.uuid),
+                                          data={'config': trigger_config, 'pull_robot': 'freshuser+anotherrobot'},
+                                          expected_code=403)
+
+  def test_robot_account(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    database.BuildTriggerService.create(name='fakeservice')
+
+    # Add a new fake trigger.
+    repo = model.get_repository(ADMIN_ACCESS_USER, 'simple')
+    user = model.get_user(ADMIN_ACCESS_USER)
+    trigger = model.create_build_trigger(repo, 'fakeservice', 'sometoken', user)
+
+    # Try to activate it with a robot account.
+    trigger_config = {}
+    activate_json = self.postJsonResponse(BuildTriggerActivate,
+                                          params=dict(repository=ADMIN_ACCESS_USER + '/simple', trigger_uuid=trigger.uuid),
+                                          data={'config': trigger_config, 'pull_robot': ADMIN_ACCESS_USER + '+dtrobot'})
+
+    # Verify that the robot was saved.
+    self.assertEquals(True, activate_json['is_active'])
+    self.assertEquals(ADMIN_ACCESS_USER + '+dtrobot', activate_json['pull_user']['name'])
+
+    # Start a manual build.
+    start_json = self.postJsonResponse(ActivateBuildTrigger,
+                                       params=dict(repository=ADMIN_ACCESS_USER + '/simple', trigger_uuid=trigger.uuid),
+                                       expected_code=201)
+
+    assert 'id' in start_json
+    self.assertEquals("build-name", start_json['display_name'])
+    self.assertEquals(['bar'], start_json['job_config']['docker_tags'])
+
 
 class TestUserAuthorizations(ApiTestCase):
   def test_list_get_delete_user_authorizations(self):
diff --git a/util/names.py b/util/names.py
index 7e48468bb..b705bec36 100644
--- a/util/names.py
+++ b/util/names.py
@@ -24,3 +24,6 @@ def parse_repository_name(f):
 
 def format_robot_username(parent_username, robot_shortname):
   return '%s+%s' % (parent_username, robot_shortname)
+
+def parse_robot_username(robot_username):
+  return robot_username.split('+', 2)
diff --git a/workers/dockerfilebuild.py b/workers/dockerfilebuild.py
index 398b33842..31cd6bfde 100644
--- a/workers/dockerfilebuild.py
+++ b/workers/dockerfilebuild.py
@@ -56,15 +56,21 @@ def unwrap_stream(json_stream):
 
 class DockerfileBuildContext(object):
   def __init__(self, build_context_dir, dockerfile_subdir, repo, tag_names,
-               push_token, build_uuid):
+               push_token, build_uuid, pull_credentials=None):
     self._build_dir = build_context_dir
     self._dockerfile_subdir = dockerfile_subdir
     self._repo = repo
     self._tag_names = tag_names
     self._push_token = push_token
-    self._cl = Client(timeout=1200)
     self._status = StatusWrapper(build_uuid)
     self._build_logger = partial(build_logs.append_log_message, build_uuid)
+    self._pull_credentials = pull_credentials
+
+    # Note: We have two different clients here because we (potentially) login
+    # with both, but with different credentials that we do not want shared between
+    # the build and push operations.
+    self._push_cl = Client(timeout=1200)
+    self._build_cl = Client(timeout=1200)
 
     dockerfile_path = os.path.join(self._build_dir, dockerfile_subdir,
                                    "Dockerfile")
@@ -99,6 +105,13 @@ class DockerfileBuildContext(object):
     return float(sent_bytes)/total_bytes*percentage_with_sizes
 
   def build(self):
+    # Login with the specified credentials (if any).
+    if self._pull_credentials:
+      logger.debug('Logging in with pull credentials.')
+      self.build_cl_.login(self._pull_credentials['username'], self._pull_credentials['password'],
+                           registry=self._pull_credentials['registry'], reauth=True)
+
+    # Start the build itself.
     logger.debug('Starting build.')
 
     with self._status as status:
@@ -110,7 +123,7 @@ class DockerfileBuildContext(object):
     logger.debug('Final context path: %s exists: %s' %
                  (context_path, os.path.exists(context_path)))
 
-    build_status = self._cl.build(path=context_path, stream=True)
+    build_status = self._build_cl.build(path=context_path, stream=True)
 
     current_step = 0
     built_image = None
@@ -158,7 +171,7 @@ class DockerfileBuildContext(object):
       logger.debug('Attempting login to registry: %s' % registry_endpoint)
 
       try:
-        self._cl.login('$token', self._push_token, registry=registry_endpoint)
+        self._push_cl.login('$token', self._push_token, registry=registry_endpoint)
         break
       except APIError:
         pass  # Probably the wrong protocol
@@ -166,15 +179,15 @@ class DockerfileBuildContext(object):
     for tag in self._tag_names:
       logger.debug('Tagging image %s as %s:%s' %
                    (built_image, self._repo, tag))
-      self._cl.tag(built_image, self._repo, tag)
+      self._push_cl.tag(built_image, self._repo, tag)
 
-    history = json.loads(self._cl.history(built_image))
+    history = json.loads(self._push_cl.history(built_image))
     num_images = len(history)
     with self._status as status:
       status['total_images'] = num_images
 
     logger.debug('Pushing to repo %s' % self._repo)
-    resp = self._cl.push(self._repo, stream=True)
+    resp = self._push_cl.push(self._repo, stream=True)
 
     for status_str in resp:
       status = json.loads(status_str)
@@ -204,20 +217,20 @@ class DockerfileBuildContext(object):
 
   def __cleanup(self):
     # First clean up any containers that might be holding the images
-    for running in self._cl.containers(quiet=True):
+    for running in self._build_cl.containers(quiet=True):
       logger.debug('Killing container: %s' % running['Id'])
-      self._cl.kill(running['Id'])
+      self._build_cl.kill(running['Id'])
 
     # Next, remove all of the containers (which should all now be killed)
-    for container in self._cl.containers(all=True, quiet=True):
+    for container in self._build_cl.containers(all=True, quiet=True):
       logger.debug('Removing container: %s' % container['Id'])
-      self._cl.remove_container(container['Id'])
+      self._build_cl.remove_container(container['Id'])
 
     # Iterate all of the images and remove the ones that the public registry
     # doesn't know about, this should preserve base images.
     images_to_remove = set()
     repos = set()
-    for image in self._cl.images():
+    for image in self._build_cl.images():
       images_to_remove.add(image['Id'])
 
       for tag in image['RepoTags']:
@@ -237,13 +250,13 @@ class DockerfileBuildContext(object):
     for to_remove in images_to_remove:
       logger.debug('Removing private image: %s' % to_remove)
       try:
-        self._cl.remove_image(to_remove)
+        self._build_cl.remove_image(to_remove)
       except APIError:
         # Sometimes an upstream image removed this one
         pass
 
     # Verify that our images were actually removed
-    for image in self._cl.images():
+    for image in self._build_cl.images():
       if image['Id'] in images_to_remove:
         raise RuntimeError('Image was not removed: %s' % image['Id'])
 
@@ -291,6 +304,7 @@ class DockerfileBuildWorker(Worker):
     tag_names = job_config['docker_tags']
     build_subdir = job_config['build_subdir']
     repo = job_config['repository']
+    pull_credentials = job_config.get('pull_credentials', None)
 
     access_token = repository_build.access_token.code
 
@@ -325,7 +339,7 @@ class DockerfileBuildWorker(Worker):
 
     with DockerfileBuildContext(build_dir, build_subdir, repo, tag_names,
                                 access_token,
-                                repository_build.uuid) as build_ctxt:
+                                repository_build.uuid, pull_credentials) as build_ctxt:
       try:
         built_image = build_ctxt.build()
 
@@ -379,4 +393,4 @@ else:
   handler = logging.StreamHandler()
   handler.setFormatter(formatter)
   root_logger.addHandler(handler)
-  worker.start()
\ No newline at end of file
+  worker.start()

From 126363dce9c2037a3843816416a7ef042daa9a8b Mon Sep 17 00:00:00 2001
From: jakedt <jake@devtable.com>
Date: Tue, 1 Apr 2014 11:38:17 -0400
Subject: [PATCH 2/6] Use our patched version of docker-py with build
 credentials patched in. Fix the hostname in the build credentials block to be
 variable.

---
 data/model/legacy.py   | 2 +-
 requirements-nover.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/model/legacy.py b/data/model/legacy.py
index e398d8b97..9ddda72e1 100644
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@@ -1471,7 +1471,7 @@ def get_pull_credentials(trigger):
   return {
     'username': trigger.pull_user.username,
     'password': login_info.service_ident,
-    'registry': 'quay.io' # TODO: Is there a better way to do this?
+    'registry': app.config['URL_HOST'],
   }
 
 def create_webhook(repo, params_obj):
diff --git a/requirements-nover.txt b/requirements-nover.txt
index bac4ba690..8bd0d7946 100644
--- a/requirements-nover.txt
+++ b/requirements-nover.txt
@@ -21,7 +21,7 @@ xhtml2pdf
 logstash_formatter
 redis
 hiredis
-docker-py
+git+https://github.com/DevTable/docker-py.git
 loremipsum
 pygithub
 flask-restful

From ca1970a2f496592d500e0a09a8b0801113b63d8e Mon Sep 17 00:00:00 2001
From: jakedt <jake@devtable.com>
Date: Tue, 1 Apr 2014 19:00:11 -0400
Subject: [PATCH 3/6] Use the real registry endpoint in the login command.

---
 data/model/legacy.py       | 2 +-
 workers/dockerfilebuild.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/data/model/legacy.py b/data/model/legacy.py
index 9ddda72e1..a2cac1d26 100644
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@@ -1471,7 +1471,7 @@ def get_pull_credentials(trigger):
   return {
     'username': trigger.pull_user.username,
     'password': login_info.service_ident,
-    'registry': app.config['URL_HOST'],
+    'registry': '%s://%s/v1/' % (app.config['URL_SCHEME'], app.config['URL_HOST']),
   }
 
 def create_webhook(repo, params_obj):
diff --git a/workers/dockerfilebuild.py b/workers/dockerfilebuild.py
index ea165060e..6e8be1f4d 100644
--- a/workers/dockerfilebuild.py
+++ b/workers/dockerfilebuild.py
@@ -143,7 +143,8 @@ class DockerfileBuildContext(object):
   def build(self):
     # Login with the specified credentials (if any).
     if self._pull_credentials:
-      logger.debug('Logging in with pull credentials.')
+      logger.debug('Logging in with pull credentials: %s@%s',
+                   self._pull_credentials['username'], self._pull_credentials['registry'])
       self._build_cl.login(self._pull_credentials['username'], self._pull_credentials['password'],
                            registry=self._pull_credentials['registry'], reauth=True)
 

From 93fd48d6b03e8c1f06b19d63a1cee281d66ecaa3 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <jschorr@gmail.com>
Date: Tue, 1 Apr 2014 19:30:29 -0400
Subject: [PATCH 4/6] Disable the finish trigger setup button if a robot
 account permission is selected but no robot account is given

---
 static/partials/repo-admin.html | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html
index 80d45768e..172b6d9f8 100644
--- a/static/partials/repo-admin.html
+++ b/static/partials/repo-admin.html
@@ -438,7 +438,9 @@
         </div>
       </div>
       <div class="modal-footer">
-        <button type="button" class="btn btn-primary" ng-disabled="!currentSetupTrigger.$ready" ng-click="finishSetupTrigger(currentSetupTrigger)">Finished</button>
+        <button type="button" class="btn btn-primary"
+                ng-disabled="!currentSetupTrigger.$ready || (!currentSetupTrigger._publicPull && !currentSetupTrigger._pullEntity)"
+                ng-click="finishSetupTrigger(currentSetupTrigger)">Finished</button>
         <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
       </div>
     </div><!-- /.modal-content -->

From 2a72e91bdb166564b7c644f61fd861e2f1e9a95e Mon Sep 17 00:00:00 2001
From: Joseph Schorr <jschorr@gmail.com>
Date: Tue, 1 Apr 2014 19:33:11 -0400
Subject: [PATCH 5/6] Prevent the entity search typeahead "no users found"
 message from being displayed when the entity is set from code

---
 static/js/app.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/static/js/app.js b/static/js/app.js
index 7ac0219f2..311b531fb 100644
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -2728,7 +2728,7 @@ quayApp.directive('entitySearch', function () {
           entity['is_org_member'] = true;
         }
 
-        $scope.setEntityInternal(entity);
+        $scope.setEntityInternal(entity, false);
       };
 
       $scope.clearEntityInternal = function() {
@@ -2738,8 +2738,12 @@ quayApp.directive('entitySearch', function () {
         }
       };
 
-      $scope.setEntityInternal = function(entity) {
-        $(input).typeahead('val', $scope.isPersistent ? entity.name : '');
+      $scope.setEntityInternal = function(entity, updateTypeahead) {
+        if (updateTypeahead) {
+          $(input).typeahead('val', $scope.isPersistent ? entity.name : '');
+        } else {
+          $(input).val($scope.isPersistent ? entity.name : '');
+        }
 
         if ($scope.isPersistent) {
           $scope.currentEntity = entity;
@@ -2854,7 +2858,7 @@ quayApp.directive('entitySearch', function () {
 
       $(input).on('typeahead:selected', function(e, datum) {
         $scope.$apply(function() {
-          $scope.setEntityInternal(datum.entity);
+          $scope.setEntityInternal(datum.entity, true);
         });
       });
 

From 9a79d1562ad2aaf8452910cec82a5db33e19b940 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <jschorr@gmail.com>
Date: Tue, 1 Apr 2014 21:49:06 -0400
Subject: [PATCH 6/6] Change to store the pull robot on the repository build
 and only add the credentials to the queue item. This prevents the credentials
 from being exposed to the end user. Also fixes the restart build option

---
 data/database.py                |   3 +-
 data/model/legacy.py            |  31 ++++++++++++----
 endpoints/api/build.py          |  64 ++++++++++++++++----------------
 endpoints/api/trigger.py        |   8 ++--
 endpoints/common.py             |   8 ++--
 endpoints/webhooks.py           |   4 +-
 initdb.py                       |   2 +-
 static/js/controllers.js        |   9 ++++-
 static/partials/repo-admin.html |   4 +-
 test/data/test.db               | Bin 198656 -> 544768 bytes
 test/test_api_usage.py          |  39 +++++++++++++------
 util/names.py                   |   3 ++
 workers/dockerfilebuild.py      |   3 +-
 13 files changed, 110 insertions(+), 68 deletions(-)

diff --git a/data/database.py b/data/database.py
index b0cb60bb6..d6a67bd80 100644
--- a/data/database.py
+++ b/data/database.py
@@ -176,7 +176,7 @@ class RepositoryBuildTrigger(BaseModel):
   auth_token = CharField()
   config = TextField(default='{}')
   write_token = ForeignKeyField(AccessToken, null=True)
-  pull_user = ForeignKeyField(User, null=True, related_name='pulluser')
+  pull_robot = ForeignKeyField(User, null=True, related_name='triggerpullrobot')
 
 
 class EmailConfirmation(BaseModel):
@@ -245,6 +245,7 @@ class RepositoryBuild(BaseModel):
   started = DateTimeField(default=datetime.now)
   display_name = CharField()
   trigger = ForeignKeyField(RepositoryBuildTrigger, null=True, index=True)
+  pull_robot = ForeignKeyField(User, null=True, related_name='buildpullrobot')
 
 
 class QueueItem(BaseModel):
diff --git a/data/model/legacy.py b/data/model/legacy.py
index a2cac1d26..3cfa6c27f 100644
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@@ -1453,27 +1453,42 @@ def get_recent_repository_build(namespace_name, repository_name):
 
 
 def create_repository_build(repo, access_token, job_config_obj, dockerfile_id,
-                            display_name, trigger=None):
+                            display_name, trigger=None, pull_robot_name=None):
+  pull_robot = None
+  if pull_robot_name:
+    pull_robot = lookup_robot(pull_robot_name)
+
   return RepositoryBuild.create(repository=repo, access_token=access_token,
                                 job_config=json.dumps(job_config_obj),
                                 display_name=display_name, trigger=trigger,
-                                resource_key=dockerfile_id)
+                                resource_key=dockerfile_id,
+                                pull_robot=pull_robot)
 
-def get_pull_credentials(trigger):
-  if not trigger.pull_user:
+
+def get_pull_robot_name(trigger):
+  if not trigger.pull_robot:
     return None
   
+  return trigger.pull_robot.username
+
+
+def get_pull_credentials(robotname):
+  robot = lookup_robot(robotname)
+  if not robot:
+    return None
+
   try:
-    login_info = FederatedLogin.get(user=trigger.pull_user)
+    login_info = FederatedLogin.get(user=robot)
   except FederatedLogin.DoesNotExist:
     return None
 
   return {
-    'username': trigger.pull_user.username,
+    'username': robot.username,
     'password': login_info.service_ident,
     'registry': '%s://%s/v1/' % (app.config['URL_SCHEME'], app.config['URL_HOST']),
   }
 
+
 def create_webhook(repo, params_obj):
   return Webhook.create(repository=repo, parameters=json.dumps(params_obj))
 
@@ -1530,12 +1545,12 @@ def log_action(kind_name, user_or_organization_name, performer=None,
                   metadata_json=json.dumps(metadata), datetime=timestamp)
 
 
-def create_build_trigger(repo, service_name, auth_token, user, pull_user=None):
+def create_build_trigger(repo, service_name, auth_token, user, pull_robot=None):
   service = BuildTriggerService.get(name=service_name)
   trigger = RepositoryBuildTrigger.create(repository=repo, service=service,
                                           auth_token=auth_token,
                                           connected_user=user,
-                                          pull_user=None)
+                                          pull_robot=pull_robot)
   return trigger
 
 
diff --git a/endpoints/api/build.py b/endpoints/api/build.py
index 3ff6dfd9d..9fa130054 100644
--- a/endpoints/api/build.py
+++ b/endpoints/api/build.py
@@ -10,8 +10,10 @@ from endpoints.api import (RepositoryParamResource, parse_args, query_param, nic
 from endpoints.common import start_build
 from endpoints.trigger import BuildTrigger
 from data import model
-from auth.permissions import ModifyRepositoryPermission
+from auth.auth_context import get_authenticated_user
+from auth.permissions import ModifyRepositoryPermission, AdministerOrganizationPermission
 from data.buildlogs import BuildStatusRetrievalError
+from util.names import parse_robot_username
 
 
 logger = logging.getLogger(__name__)
@@ -33,13 +35,14 @@ def get_job_config(build_obj):
     return None
 
 
+def user_view(user):
+  return {
+    'name': user.username,
+    'kind': 'user',
+    'is_robot': user.robot,
+  }
+
 def trigger_view(trigger):
-  def user_view(user):
-    return {
-      'name': user.username,
-      'kind': 'user',
-      'is_robot': user.robot,
-    }
 
   if trigger and trigger.uuid:  
     config_dict = get_trigger_config(trigger)
@@ -50,7 +53,7 @@ def trigger_view(trigger):
       'id': trigger.uuid,
       'connected_user': trigger.connected_user.username,
       'is_active': build_trigger.is_active(config_dict),
-      'pull_user': user_view(trigger.pull_user) if trigger.pull_user else None
+      'pull_robot': user_view(trigger.pull_robot) if trigger.pull_robot else None
     }
 
   return None
@@ -75,6 +78,7 @@ def build_status_view(build_obj, can_write=False):
     'is_writer': can_write,
     'trigger': trigger_view(build_obj.trigger),
     'resource_key': build_obj.resource_key,
+    'pull_robot': user_view(build_obj.pull_robot) if build_obj.pull_robot else None,
   }
 
   if can_write:
@@ -103,28 +107,9 @@ class RepositoryBuildList(RepositoryParamResource):
           'type': 'string',
           'description': 'Subdirectory in which the Dockerfile can be found',
         },
-        'pull_credentials': {
-          'type': 'object',
-          'description': 'Credentials used by the builder when pulling images',
-          'required': [
-            'username',
-            'password',
-            'registry'
-          ],
-          'properties': {
-            'username': {
-              'type': 'string',
-              'description': 'The username for the pull'
-            },
-            'password': {
-              'type': 'string',
-              'description': 'The password for the pull'
-            },
-            'registry': {
-              'type': 'string',
-              'description': 'The registry hostname for the pull'
-            },
-          }
+        'pull_robot': {
+          'type': 'string',
+          'description': 'Username of a Quay robot account to use as pull credentials',
         }
       },
     },
@@ -154,7 +139,22 @@ class RepositoryBuildList(RepositoryParamResource):
 
     dockerfile_id = request_json['file_id']
     subdir = request_json['subdirectory'] if 'subdirectory' in request_json else ''
-    pull_credentials = request_json.get('pull_credentials', None)
+    pull_robot_name = request_json.get('pull_robot', None)
+
+    # Verify the security behind the pull robot.
+    if pull_robot_name:
+      result = parse_robot_username(pull_robot_name)
+      if result:
+        pull_robot = model.lookup_robot(pull_robot_name)
+        if not pull_robot:
+          raise NotFound()
+
+        # Make sure the user has administer permissions for the robot's namespace.
+        (robot_namespace, shortname) = result
+        if not AdministerOrganizationPermission(robot_namespace).can():
+          raise Unauthorized()
+      else:
+        raise Unauthorized()
 
     # Check if the dockerfile resource has already been used. If so, then it
     # can only be reused if the user has access to the repository for which it
@@ -170,7 +170,7 @@ class RepositoryBuildList(RepositoryParamResource):
     display_name = user_files.get_file_checksum(dockerfile_id)
 
     build_request = start_build(repo, dockerfile_id, ['latest'], display_name, subdir, True,
-                                pull_credentials=pull_credentials)
+                                pull_robot_name=pull_robot_name)
 
     resp = build_status_view(build_request, True)
     repo_string = '%s/%s' % (namespace, repository)
diff --git a/endpoints/api/trigger.py b/endpoints/api/trigger.py
index fc734d3db..c62367f52 100644
--- a/endpoints/api/trigger.py
+++ b/endpoints/api/trigger.py
@@ -190,7 +190,7 @@ class BuildTriggerActivate(RepositoryParamResource):
           raise Unauthorized()          
 
         # Set the pull robot.
-        trigger.pull_user = pull_robot
+        trigger.pull_robot = pull_robot
 
       # Update the config.
       new_config_dict = request.get_json()['config']
@@ -224,7 +224,7 @@ class BuildTriggerActivate(RepositoryParamResource):
       log_action('setup_repo_trigger', namespace,
                {'repo': repository, 'namespace': namespace,
                 'trigger_id': trigger.uuid, 'service': trigger.service.name, 
-                'pull_user': trigger.pull_user.username if trigger.pull_user else None,
+                'pull_robot': trigger.pull_robot.username if trigger.pull_robot else None,
                 'config': final_config}, repo=repo)
 
       return trigger_view(trigger)
@@ -254,10 +254,10 @@ class ActivateBuildTrigger(RepositoryParamResource):
     dockerfile_id, tags, name, subdir = specs
 
     repo = model.get_repository(namespace, repository)
-    pull_credentials = model.get_pull_credentials(trigger)
+    pull_robot_name = model.get_pull_robot_name(trigger)
 
     build_request = start_build(repo, dockerfile_id, tags, name, subdir, True,
-                                pull_credentials=pull_credentials)
+                                pull_robot_name=pull_robot_name)
 
     resp = build_status_view(build_request, True)
     repo_string = '%s/%s' % (namespace, repository)
diff --git a/endpoints/common.py b/endpoints/common.py
index e22df6226..e25d7c797 100644
--- a/endpoints/common.py
+++ b/endpoints/common.py
@@ -107,7 +107,7 @@ def check_repository_usage(user_or_org, plan_found):
 
 
 def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
-                trigger=None, pull_credentials=None):
+                trigger=None, pull_robot_name=None):
   host = urlparse.urlparse(request.url).netloc
   repo_path = '%s/%s/%s' % (host, repository.namespace, repository.name)
 
@@ -118,18 +118,18 @@ def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
   job_config = {
     'docker_tags': tags,
     'repository': repo_path,
-    'build_subdir': subdir,
-    'pull_credentials': pull_credentials,
+    'build_subdir': subdir
   }
 
   build_request = model.create_repository_build(repository, token, job_config,
                                                 dockerfile_id, build_name,
-                                                trigger)
+                                                trigger, pull_robot_name = pull_robot_name)
 
   dockerfile_build_queue.put(json.dumps({
     'build_uuid': build_request.uuid,
     'namespace': repository.namespace,
     'repository': repository.name,
+    'pull_credentials': model.get_pull_credentials(pull_robot_name) if pull_robot_name else None
   }), retries_remaining=1)
 
   metadata = {
diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py
index 69ba97b58..93d5e413c 100644
--- a/endpoints/webhooks.py
+++ b/endpoints/webhooks.py
@@ -73,10 +73,10 @@ def build_trigger_webhook(namespace, repository, trigger_uuid):
       # This was just a validation request, we don't need to build anything
       return make_response('Okay')
 
-    pull_credentials = model.get_pull_credentials(trigger)
+    pull_robot_name = model.get_pull_robot_name(trigger)
     repo = model.get_repository(namespace, repository)
     start_build(repo, dockerfile_id, tags, name, subdir, False, trigger,
-                pull_credentials=pull_credentials)
+                pull_robot_name=pull_robot_name)
 
     return make_response('Okay')
 
diff --git a/initdb.py b/initdb.py
index edad2f2b1..854f83f8a 100644
--- a/initdb.py
+++ b/initdb.py
@@ -332,7 +332,7 @@ def populate_database():
   token = model.create_access_token(building, 'write')
 
   trigger = model.create_build_trigger(building, 'github', '123authtoken',
-                                       new_user_1, pull_user = dtrobot)
+                                       new_user_1, pull_robot=dtrobot[0])
   trigger.config = json.dumps({
     'build_source': 'jakedt/testconnect',
     'subdir': '',
diff --git a/static/js/controllers.js b/static/js/controllers.js
index e907398eb..08bcca561 100644
--- a/static/js/controllers.js
+++ b/static/js/controllers.js
@@ -962,9 +962,13 @@ function RepoBuildCtrl($scope, Restangular, ApiService, $routeParams, $rootScope
 
     var data = {
       'file_id': build['resource_key'],
-      'subdirectory': subdirectory
+      'subdirectory': subdirectory,
     };
 
+    if (build['pull_robot']) {
+      data['pull_robot'] = build['pull_robot']['name'];
+    }
+
     var params = {
       'repository': namespace + '/' + name
     };
@@ -1486,7 +1490,8 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams
     }
 
     ApiService.activateBuildTrigger(data, params).then(function(resp) {
-      trigger['is_active'] = true;      
+      trigger['is_active'] = true;
+      trigger['pull_robot'] = resp['pull_robot'];
     }, function(resp) {
       $scope.triggers.splice($scope.triggers.indexOf(trigger), 1);
       bootbox.dialog({
diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html
index 172b6d9f8..f1ee224f5 100644
--- a/static/partials/repo-admin.html
+++ b/static/partials/repo-admin.html
@@ -270,11 +270,11 @@
                           Setting up trigger
                         </div>
                         <div ng-show="trigger.is_active" class="trigger-description" trigger="trigger"></div>
-                        <div class="trigger-pull-credentials" ng-if="trigger.is_active && trigger.pull_user">
+                        <div class="trigger-pull-credentials" ng-if="trigger.is_active && trigger.pull_robot">
                           <span class="context-tooltip" title="The credentials used by the builder when pulling images" bs-tooltip>
                             Pull Credentials:
                           </span>
-                          <span class="entity-reference" entity="trigger.pull_user"></span>
+                          <span class="entity-reference" entity="trigger.pull_robot"></span>
                         </div>
                       </td>
                       <td style="white-space: nowrap;">
diff --git a/test/data/test.db b/test/data/test.db
index b52ec7fe126611a7256b4d1fc9673b523ab1a3d5..a2d06594804813bac40b14a63510edfab6653493 100644
GIT binary patch
delta 18485
zcmeHv2Y6IP*YM8V?Ys95JwPfUkc6<=-l*C1LOLl#Fzjx2lR!d35<(N=+7$uuiUU|c
zQLzE~qDE1vV#kgY6;Py$6vgi6f9~A?F(JNwpa1(m|MUF+KIAgx%$aj%&YU^t%$$4u
zUE1r{3>jHmIH9)17v*ngs&}_UnI*j>2uYHnq9hV#sYD{V8U8N)W-c3PPFpI`eH9~v
zA{jX@R5X!a$q(c_`Gy?VEYkE-eW$uz6{fsbIasklQ6oPmUnQF;{YCn$w21kgS&tjg
zkEm6$ZJ8^KPrWG>h4Wul_2(bFX|k#<R1q>h9tDQ-%c}eF>u*x?iPanm<HuG{K!f=^
zstqU<(&7BR>Nx%_UjiDu>7uU>3d<WP4;j)Q&8nSI<(o6B+1FI*t9RGd38_JV+Y(hA
zA`gl0k7i#1Xl`k$ZS+;vRtZ1@`Fng;JY@hM;v0fOc&BePe_d558o;lp((#XFM56wH
zWiWp@BZ{Az9)kL9nv<T0cy)R->dWiW&HUYI5vULUY}zD#LfT-|o3Bnw;18z`K)v`M
zQ%mqXj=v=#kxxz-#Gf0X;y+Co!2}qVpOR|i_l_9EuS<3EAqfeH<(H-o<gZDH=hu%I
zfwW@o+=y8I&iEln!*7WHgYO@2MrwMv7Yv0rKAyiRPLEXlb8&8dKwJZV-O!u(enV^d
zWzjeCj}JM)4;yk5zbNYZp)fhuR>EUK5j?CectnkaN914@o`_tOkc*poTh20@qAZ6y
zJ@_Q;Wd5R}myG-%AwTp0F@^s@!=*ChJfM=?7-RvK(XP`fG=BBB>JqhF^`uIzoTj*-
zn50n4H^@0zz4W4VvXo_>WqRXA^b@K?y(G^`ZsCnumm;x5z$2mO7vdQDN+~Xv8w0(@
z=0;Go1DoiCG902XKBsy)Fd&>3?!adHKpC!-DvwX?PZy=)7BVs<=U5;jR3#~qn1=*(
z^qDxEK%Hs0nuMU+hX%q2chn@%Arxv3q+!3@y7J*Q6@%y#C$N#uPRGNf{W2eEq-)Y~
zj?|cS>r8q!9WR$h_f7k(bpSnc5`bRLz%IqGKfb*o5YeCdPXS$Y46Y%gFT8pn5Z>=f
z4`o<KM~}r-a@6-3eMMjT#2NtII~K=C?MM3GN&grNJq#H7RT#}12R-!PZ9%QQ=$VHA
zD0Dnd>ec)3hXsLfa_L<d`s@iDPwyFzYve;7ff|lR9t7AGBXPCddjE|-SFm);K_Jhj
zgLmljVec4Pse>Mdg>LoH4Layy%v1MdwW{fvDbQ+uB2JQOUWjwht%>*nDVmQSr&IO#
ze!1kyyL1%_y5(K~`YaB|$j$RTMY(bsJ`oD+@i6|fIF~jsKt}5)!ua17592@n7yaAx
zbUbcR*thlD6o_Ex!V;)kIRaNJh9@b02!vxASqdei5@5UynI|_^AiAX#5bjIBg9OgJ
zehNIU8wZd1kpff3XkU<!6XYZE0(qD$BiEBg;vo}BDzTDqg1O_|yWA#@ayM|(xI%6W
z7svHue`CL7Ut>40OV}A~9&2YKS*7;8_JH<<E{qFY-M;CCUinOpwp~I#Chg=TS<5{~
zBDfp5v4r7vvnqBenMv-}e#YjLG;RfVf{o&)lK`=?4eak+JlCK7irvL-BqhYFZRd(u
zhxS7EK3?3^-Y<_)fM_Ha$?-1r;z9#LCh*5YBNXHWEH84R2bf&`L}ZwnA+JivDIoXN
z9>AjbS7TE+HH;lYwn)e)<TTmR1LzQbi#`MO>Y;Y}-4@yZ`N~u&yy6jI9KIn(dY~+w
zKavxzB410$kK}7|rU$4D{_Ff9Dso7`b&4G70V<h4R6JZo4hy(WlfykgrSON#qM`(b
z)M{>*klV>fZWrh081`Y-rTtoaqc%r#T625n#sgO|blgT9o#f0jR%B<VmKJ1YyE0t4
zrXqtO*Or-)o09EFE-9UqQsywGm)i65^DKta;<AYqj?DCA`$S7cdUk%ME6<ou*KEX5
zNv@oNjI7eK<ceaW&0K8FvKUQHYf*+HKe@>4DsosSr6gC_3kqG9^ekstT4s7lS#oY#
zxod){(3+KM%S@#?kK<D7%rd_}y`ng$p`^HVZtdJjhME#X#Vq|KyR)UDHQDF&%}lMC
zSL2(Wl2v7|%c`0?ZBCY<n11>=j<Zg(R?lei<z}VN&7at8o7-T_DJ`FuI5Q=CT3$n4
zN@Afuxu$q_V{O6QjMBu6GI!Zbm%~+0%}?Nw)|~7KMMihM!IxH0T$7S!Y4W%e=O#88
zEM+M^V^LyuligQgm^i~zJUg-4(_$(wHdLE4=siNy?5f1sw#)`=V?#@BvAdz!P-V%>
z$=4g))4X+dzco3tu{F)$w>u_f<jk0xmF_Ig$;k21i%(!<TSa;P#FUiGNd?7au8FSX
ztctYK)QJ_PnJ%*-tvEf$n4eW{H5b_nk_!w)$p!YZa`VK3ya|(R>8bg)TtlH_ic}+s
z49H?t5~Wh<Z}K(Q2--o6$sJ=f#nku`^X(a_^$k@8t#f9U&uul#(l_T@GO9BDxfRn}
zW@Qxib>&!Q)Ya!_r<ErbTFYlztIAU7i%;TMYjwRnuca<^c2jeyC(-M*m}_97^Zgku
zjj6L6@~dl`CV8yh>9uvX{PdI=neLkE;@O2Z+V3fBO)_O9r<<MWnHg#3RAZshKB2^3
zk(Ze}p`bj=QdFLjQIK0)QDibzlv^h{a!eBot;yz!bgRqen&8N;D438*Z+{AhS*zwW
zHK!G}`e$aOq)lpRa23wVx7Ez5&d+z{*^`SVxF=Z*8T00OXS!Pr)yCFYGxKUv3sdNU
zr||G7L9A$rSwegymzc@-<PdqCJVly8%-m0IAd5S%06~RF(pE9Nx$>h>vP(jKBNxaS
za)cZt`vLxaSa2uE+hkYQHiGT}B5?q}%R9QGL$UFXV)GN15kOP&e$R~?l0wNt5^|Ir
zCZCZ{$%o`!@&?&K9wQHdG<d2@yY{FT(I*VQws}ghM{c}?Jj{*fZYDZ%GdaP1&wWV-
z69sAJ-s#d3Ua=AL<EP2m{^>&3rbz=V`X4WJMaN3#-=0>J^iP?eZ<=nc{ioc9Ll~=S
zTC=yNp{XgU%GcWB_SE?jy$$t(9F=nWB(SO1k!WsT_aPm`v}H==V0Q#qE&itio5=(*
zY4CqzaNDjbMl*2`l??yW5za(GOc-B%m`DBnRV^$^DLE+to%<p=OHOtj&W;6@&7b>D
z%AaW)sQG)aGXC57AsX&W33&;)Kc39&iZ@9c&CoRtEN}bAQzXrh!BnIF&IEOupSCOe
z9Mgg5pH2@>7YI`IFgac3CgCqcZg6s75Pt@X_$2wV>mYVaPBQ=HqM>63qaP*cN4$*b
z&-^A0NKeS>WuM9G<VTcJ<qYL#D!1wjb(VUmMxmLaU90__O=llvf8nypZQNTVyTgE%
zhNl#zL3-02QFa86Rt7A>2SnTOo+}1pHqva`5Fd{&o0dgaOwO(b=~Zmj%LZ+OXy9gv
z2Jd{)0L~UI;#}0pOulSBcebj>ME(sk{NEb$oeY26+Qli5Du|grXqE)cLO<ZAnF8sP
zGM(&SidMz%%6rw%Xks<(+DY28><!!w(#X9|HX}|#p^5P8+4qp64w%CfA=iLoqM^ev
zF_52k6L;BhQTZ2+i+|gA6^a1wLVrH*<^US9>4TfEMJQS<NWHaDJ``rwHIW~EYbd|x
z)&xH60X>S@G~t2W2o2*O+SrdzTs;R3??`F*TUQhQz5R0jv(>}+u}|w!?56ss!!e2j
zfJpwy4O3A(q@wt<8#KIa<1{n^a+Um~ZR7a5r<MHU8wc_8wy}KDPAz|MBjFEkn}9}&
zEy;G4pR~OS={9ZIo`+B(|Lo3T{D~bLfHopM<nrahxJ&*MR>caLf;%Q5H*&|iuA(Gu
z0>d9$)jzJ-V#-L*%gxPA&aQA}nX__BQ!-o?#p%V)wCq%Sku^JeQf5U#S}wo!zF~ak
zefe?arktW2rz^`*o}CTq^`uOTCAqLH*O2TgNVTVBSc{U4lXC4DPH5oL3X2&FmfZJ$
zWy!4tOAcHqAdS0{*|FFwL`nSfI<1U640^`Zpq3S=Y9=F%q(r3}(m%w-vSypbVe{F&
zI={nd(pl_2o6h01San8^xyn*iRpquitxdkhhEeXS`q~*SzUG#ehUvZ;CWFzUGr&Jn
zl)*5{Y#L><CK??Mqtht73nH)yciVnDs2p#KWlB_kr{5r|pCsg`tGx>7a+Ul~?W~Oa
z20CC55MKVbmsS59;tkb*#9{@;Bda823t82j{6h@CYOlY8HU7@DAJQrWKiY3SdeW{D
z+2fZZ8U;Be8n4|u6*c61{?zeM1%VauJ?XY0IwmoPKXy7|Tz|Adf;Qk2OaZf+IV$zb
zys~%XX89Ing7Q99Z&g5bLOV>mo1M=oxo5~I5(8|RED@YA!cR(lE;Jlv&^ukoPLC&{
z$b>m*ijc8GP#{vMZZm?P)_;RtrwHlaAKg?as(CFwcfIgu;Jy1^8`x9jChxvXgpB;t
z`>#bNUUMJ^nfbB<rN|=6yqyQU$i~NhwjcY={43wbAv?d|`$7DFeIJAU7JecWIG|uG
zAAQk`oMMaV7i-a|O?xgjBQ#p@jfV17KbE2~!Q`huj=(dVeAthJXk{<d7mXE*>5^Wk
z5RDVkjc9y(VQ-X+Q4*ax97WRyhanYxyDzfQ-7zQ=xq_wVVo)ENJq($!dK`UbI2whL
zgB2ePM+(|67RBOW<LSa-C<Ucl#?y=Libdh{+rEHt@NlGoE`|?BPLwJ@<k8WwC=aCx
z={V|*MSTVQ;q<Fm6u}A7lo1%=7qEX$^}q_b{He2{DsoO_D{`&}sAB%yul@fH)OWo)
z97v}HG4>rf-2=ir{`4P%Wn`U%th*Y-vI5Rqh7^(#q|&?m4!a%XmqX_;m_dMf>`tB2
zVFm%_a60{No6+d;x|#XW%?<Uw=uuJ8t?s&6zUT#)<(DzaWE^F&j<OgM9X6ZEXbuXU
zUxC1@bqzwtLw{8u_1}>xUrESUJs`=73uj!ae@De%Nl}|1MgPvr2Pe8-0+#WEq`n(H
z1D|1NeJIkj87*d;*J7~is*E<T&SLbqbsmeaO6PWZtroY%>$MyG4Ax_%1eK`3gi;%;
zs%$>1(V+9XjY0#5UFY^Y-8vs^9VV;K<A%}1j2?*%kOZl1cCXv!sItLc<EheFY<?5;
zVDszDKDWgY;&EI22A_>#gc%V0{UFND_bALJ(({q1pDGCUBRSvgy@J;ML_y{aVi+l-
zLYQGxsvz>S5-@0b-bjm}m74x+Mq050;n1lkZU8zG1UdktXeRYQhk#K^ztf{WDgw;^
z%U>}+J#9yW6@oE!u}7mTkDeTj!bCxSs>d<Pr>DlF!Gkqg6D%Y$i95rs=Q7!!S)Mg%
z_iJZrO<jlu=JrujDhiD;J8UMur^>DK`z>~z#cKBGJWi)m=kWSH4v*7qsdD=0%v6*b
z<Mde^R*%7|Gn<^i1O|s&=kVK1I+NMyv>2^6m~SWDpNgz8&MK?L3O}8}=dtQ6kk)z3
zpmW&Wevb)$Ua!+kO=)OsjLq%vgB#MJ14Krh#cXxz+y;+B=K*X+P)qzqhnw<gC^^Pq
zuo?UYj~5uv>(g1he!tG`_4svmhudH=S>0}r*G7L%LkTe!yVp?V@jHM!4K@%HPM^->
zt}^SYyjFwFVRPH8RaG=I9l2s`R;$A=^yxQLIe|{U5nkKm&;d5Lv&!goJMDJ5J{^U{
zn7wAF#csFhJXQ<P>F|1WPLt3(fEX-Bv)$u%(lhBOGsaw1W$-u+UY*@&g;BEDVU%pJ
zUVKik+vD(AoOY9$PRc+dzzJw{8|)6N&SZzRXR%rBIv7WT4i=in?{}CSZnKB3%Ru0Q
ztMZ!t9<y6#fH8sPXE*4aZl_0Qg3e72kH_vYh{~9TY?FXHyTgbFFWEjg_IMZkYuma^
z|D{8NzI0m-N*hF^5)w)rBoFkH$4C_%4M@oxa#wc^HA!n{+NJpjp-9py_`AOa@7MwG
zjJ-i#CC`y3K<q3hcaS#H+O5NZYZ=;FjFuRBqn#486T9$g=74mf^m93{h*3PRELWaX
zZBRFBe%DrOkFtfNM6y6K7mY`w;Vdr`Nom%7D3<PYp`j>~p1*(w(m!12h@eYEqjaiv
zp+Hc*sOYF}hiW}SS@c<g2hxlb<VD%S22Z!8z{YvgL}W)fK|C*)fl*sfhNS$_sG;q$
z5(EcI=Sop1$_=)Sn1(b$fr8q~U~k=BiiXm*8mP~^T;GT8s)4F&%TOxHzg()Jua}`w
zOn}Rw@0X$>v{x<Q@Ry=~sGt*!So&xwG(S^=CZNJgM5?LSF;w@b<EEhqN^4OyD*99P
z0#w|7|1?yE=+g^PJenw0o?eKipc1;h4TaLGHZ&QP3hD9W=8;8;5T_H}-YlwD^uv{C
z0Ns5j8i2}z1EISQ^=j8HMhucQHFz3Y=$ySMtX;nZ3Zy~--M#}w4vQDWDo5Z<?KhbJ
z3*<QYihKc#_6E4(K7tdMcgc40a<|zB5luH$qM}Ih95{o-v;AXa4|xrk298W%zxtKD
z1&nmnV<x((8s)|WyWP;Co`3`P>(2a5HUp*&-Mjsa5vB3Jyr?*mY`#SE8E_k4aUu&|
z;LT)f_r`~rWd#bl`5KfHNmdI&|9fyg9|MQ=KH&Jb$xiYLd7f+_tI1>C+rG=t)eXoW
zNmfe88rTB9fkAqmY$Pjz?me)~eu3fIeHEQ&;Oh)s*^KIBLc^8a@xnN+oQ*VoOG$Bd
zs--BkqM|U{Whl!oDXTE%n9C>GN(;+VjCm=>?0j=xsi~mE?kYAJ(+e|7QYYAK<;ifM
zQJkNaSEB5$kXRE94yVyz!@^J_^0MUW^9Wl<bbcy0npOXlhG0K`t$*Dp=wE*ga;pHc
zL_(HyAFVx%p%JOU1V*Z1;Kgx*z%_uLsIyxwurv7GX4q}aex1)@_E|wZ`>Om#x^)q9
zX*$N>pP8HVx77$N(!Zwu-@YJ`GD!6|=%K%@Ln;-UA|ZpgL^h@CU?gd8LA?Ss3@hl;
zC4p-~T|-n7ddDUdL+3t$9*pnMjls4zS<NP^XI5=pm2QT+-WRCBe{M7WNwlLAxY6n`
znmU13ArU<HQWu{KUF1H6R<&K}!eF(V4OiL-dMhh!kVqS3y=7bF(-i#`@2Y32zt%Ks
zm0HS%vrlNZvrcve`zu)o*9#)y0#N{(T>9M@?^lF`grHlDqGYSBcUSwwN1f>IN{fQS
zy9sGgbpEF(R11xyfskp6km3+T%@<&kXry<Y2l1SH0rjHGFCZhXsHGpCM^UIjsOU%K
z7tk<VRYRwrM=@xIP&Qs2h$~fulsHiU#QiE1Mz^j+vJR<v{Yo?lT@#e>hK)!@53dBd
zzhxzocK{@9gxw1Ydv)Yf??Xjsa@Phk?gJZf_kGB$zB#&FA>8P>eLjtR8uq^_L2<o%
z1Gr>AjT=h!i(z-DTMTYK=Xx#u_-QnQ2}BmtCs%>_Sl$)wyQ^R~3%?KPaKc3T+e(yy
zCUpggScM3ky$TssaV39x$@xp6_lmCI^Ohn`*r9sS)!Tw^tD!fyA@YCs7=5UTZk$zD
zS9y7-tDxuBqdD|cAJj{AxklXbXw3#>LY0@_TTWlvfUZSTFBi-~?#pR8y<;N`U&9_G
zrwfFEocc5<FK0KR-b_F{nI77J!on}3Z-EPAg2%17wxywIuDBjNS1_rsz)|3tus&Dv
z&@MVYz)YdWZODqeSK83rZJ^C8-G*Y7*D6BN5>P-dFlaxj-Hup#Xd5D^>N2#FlI_SG
zQK<+C4@bAn7Z*=mL$z;4OViv-|NGjfZbx?9Va(qGzCLmb+1ORML|NWq=q;O2+uyN{
zeg%80U9h(<bnM67v5C&95_;if)c4<mg-IC+0<%vdn0=BCv+r->zC%Jbk<ZB;-AUNZ
z&^z8htsOTuN+qBq%p)<}tK2o5f_;v4Yroen(K<AxomwVos~H-hU_wcUq;n)13`UdP
zNi!A9-T8lK_laIGQKJ?vOCpI&Qms;7#cyy4>2f!d)vcq0h>4>H7>(senGs!Up~Yb8
zKul`a3JT5Q>2v5RltWEQS8x$eHf9pKRtR|F=+l_db*njnnbNL>fTut8FpRNl1$~%d
z#w2$c#QD*JH&AfwH2K_BzNY5r1%d*h71X-Tmu;RSpl9s`_3Ry(uO3u74c+`c$_XXg
zB>?w2sH;~L*>8XsJ|*vTnp43EddXVqL$`m7#@{;?NyD^)dL*=a85{<u!3a78HxfPu
zjqVMy{c5e36==b8CZpRvLunm18M<CZc>k|%GSFRz5Zp$1NpNNaUvDeC;7QP8zW{Z*
z2lvLZ0=209zIp^@hH{I+MFl$RBXAqRPcldxQE{iZcetmyt6aI*g6ZO8h+NvSFR`39
zf^nhlisPkf&0klm|GHY$y}C{C)?LD`>|WowT5+Y?tTQ<-`T8!kmj9{R-nCkG)#|p(
zolE~zZ|mBe`Ri(Y#RCYmb!*+};`7ZgmmL?M)koElsj7#RzbcCqk0~VbGTBoyEOj%l
zG6QfO+KL8BW`JpIqoq0c$@T$B_!QIri~$!g?L%VlA*S6Jg<oLWV1eAw43EGy@K}%v
zk9j(H%pE8!o%xEl1gmB*h`<!hV0D=~RCP%8ylRp1P323<8<ovUud-N~qBJXqD*GxK
z#dnG$ijTpRIZ3`y&Q;bbCn>X(PG!7ukW!`iS#eUaU-1@r{u2q}c4<~<#*s+Ews9A@
z54pqK3)~~zQf@XknH$H2gInq&_HlMTo5K#&ex-dvTd&n=PH7&|+^(6e@o2I&dQB8q
zguBQ~n%)|j`Umyb>i5;{>ig9T)l<}Y>SVQ9Jw)9HE(8ClI;#3q^|tC|)zhjqs%5Gh
zRIRFNRf#G|6{ljAXO-`fK~I74)k^M$8<#aCi<Bw1DxXn4qFkZuxM-K8{T$P{dOWyI
z#t@{Rqhdmk-e`2_XN&pPj=W7jOU$=)<SqJUG2hgYH|b}J`NodCLEj+eX9V*GhrV9S
z*LCD=`sreRT1VcZZ>SXuYB~x``f4%n@5meUJ~3a#F+-5vY1KPzdZ$D0)i9x#vYt+9
zx02~EmQNL1RR*(W{k39tN)(euhwR0JrB0)MGL6`aBbdRAQz#0NR)jESA=R&KQa?tA
z^bWJ$VbMFRdWTK#u<OfvGqHazEE7q(3|1<V5zLl|{X%-8*l)22X?N-!2ED_mFA^bx
z*+LN#(gh-9K0vl1z1^y}+w^w3J}(F=W^;p}R{aDKG)E-JZqVC}db>$)H|w*5-CQck
z3bqxqnZdROeTLXJU2JQ!>TNc?&91jO^l4&Su_Q_;N);OiAyUM~kWLmGyXc0qXb2O|
zjHl0@MT4c|g&~Ag2%H3MY{moI#No4A^;VnSYS&vGdaF}EM(nY3;b^hP%O#`44ue^z
z*de4HVuyAS5_r?-)LTt@+n=*mv0<>*0&|FHzh>MoLnNZ3)ULNU^cJVyBofiN(AWu=
z#jZDW!lf6llu@@ETj=g4%+kUpoI-my;Uwv3W<C-tlopdd!NJTDb5^O9X%JIJS-gp<
z6_bgwI6dPPlL@lek<1h^87CVa&y<PDVQ3iL*nnfDLzx`0AW}9I*i=l0$)aJD#pEEc
z(~J!`R4Tq95Y;y&vePS??0S<!Z*uA*I=y1BFuc<%LP=PsR}7^)W?&sL>j!o!451Ir
zz!4D!eg95{{lpo8k?SkYNFVz6UK}}yWg=m*>5T@x(V{16W>80tqqpzHVQoge_DY#X
z!SofX)gl6wh#UA%Z`Uiur7oluB8*ip7hz<<{`DrkSuYKW14uI>j8TuJ3{mMtVa^V{
z;@&z=zJx1_dq9f5)dqY1t8g>@S-52RDEO*Y5}qt3w}M2RPiBz@QcJvK3MnInB!{Gt
z@x%$2GIb=D3;~aDe?o`~?y>*Q{m7l?PIE`OL)?DuV{SM12DhDinR}kw$UVWW<sN|h
z^UJtJ+|67YH<xSX>bYvp4T^FJm(O{#xD;+IXXlJu0ym6{<OXqlIhIp!i2aql$ev|S
zvPal2*uCtB>^pE3ek=PDyNO-Tu45l!?_-y<OWE7m8`%ZyY<4C)o%OMm>?F3B&1ExK
z7dx7@vU)b29oj|X0uNQIp!l@MUPK3R8yh7I%n#(;)t!dqafl1JpWF-n?mNg$WFdII
zo8VHRpG+kc5GRmFGD$KSLu|xAM!>mt1Q|&B5G|1t3HJ-!>im{F!F|Pj&V9;#z`f1A
z#%<wV<o*R()nnWmZWVVAx1^1`4T1}<<65~!2r;PQuI0+PB5neg&Lwf9I185uAqUZ1
z7&m}}BU4Vw{ulcbdx8CiJ;okp53rxG@3C*PJJ?s)7uaXmC)r2X2f+_=H+v_03wu2~
zk8Obvg&NkwPG(El0ydjXWyi4&*2Iovhr@ddzfA)yr~Vv?)7&2QGx{30VNxRi+yt)E
z8kj4V-Nikixmhz-J4O2_Yt{DGo?#bgb~97(ZsqUFVe0jYT=hle^U8YITrR5iFlSV0
zcr3nIK1=PBzbe^-!lk=pCF*drULlhml|7(XE?uDbLTW`m8LL{%JSx{o77N{7{w>Q>
zi+BI%gSX&JnwXE5QGGR}&Q`%=-2`~Nk&Ex5Z#W^<{0DL=f*13oG*F9^=vF6I(#mN#
z35}$NT%1pj`vI;@cx=tbF4|ZPWwFqVZu3E^%?B0hZo(O~G!N&{lX*Cu+J&;?qu@b=
zW~)U6LU!wD0l{c!Mucozu25DDWhW*;**bx~)p^2W6wacC(SYih4N|LZP-b^RA6x!_
z6a6?lrgWVH%B~*<WUA>22hO9M0QrU$N?lRHYgpkm%4~pptp(pGg~4f~%FQ@aNG+rW
zps-Z%j>WRiOTgKF43xFEVL7h{wT34*k`_`8OqxrQVA00Fa+SkEJ;i;-y$5W#fqRf!
z418AyTGs>!Y#GUga%#}MPQY4woqfK`n%R`3eFn8Zk8lniDRkIJ)+$kcrOHulR*zIa
zqG2?Cwht`84>=w8hH|>%YelL&SN656<D4f+dks?5%~XWgLlIrB#Y4f9vRR8$Vyhb!
zA^K1h=q-lI&Gva}8XBfoHqP?Y)q25+(NQp4Jh&Le;zUJDgCZmpkTkHkKWe47u=oHM
zK0^_b8;b(PA`-fl;81!yhv8!0mD7+{IGm~sNb40LDY1xNPp}@f2#$_?ZdM%}dqC@u
zU~3n_1Gp<rmlk(*vj7)H^9hc})l=!pohTOh>GqvyJg#@s(VxJ{O0|#;q1SzabjU-W
z`~;0aHNm29J^>G+mxk>@BT=nTG?;q#AOm<=?%4z0vS~r6_l2~Nezyk=L(_vrhELJ(
zfj#*x+h=@=?ncpN)$)*p5Hw$;T=ZyGx@UOdVpc;_vzV<9dMMKc&tzu@WfIWR#f3Rs
z@mEeylfpJ#5fTeS_ud6G1kG%RBeuS%D3*kD9CmlunwL#$usSyZ8?J-9@b|%)-%<!@
zxsfa&vmx4PI$Z6qB$G%nFlGjEk<k!orH9+ULm}QOq&wU7VJL_r84Xk5lZ9kZa1-lh
zRD+@YJRF}qLDrH72!%MVMPSFak+~2!P!Eg1O|F3$s(jG#Q^;6iCq|M$hJgh#sC$3?
zf=5E(8hoTw*f?W3IQ_f`M*KlA;5ULR;Z1m#g|Hty0=R2nZ!Cg+(E<1(NMBfBzk&eY
z0TE;QAij+txchQaIBh=!X3nFq3*OGn=ek|INYeg++NFIk!vB%0WvNmN*n$$`=C*R7
z>@4jkTBGJpupa-J@%S+_wm<lwNHOg2m@U^nrTJBpslHpaUlk6n#rx%Z<wTY$ZDk(C
zAEIBtB`<`6cK)?D*5bQx`;Mu29Mf(q$8R(3fdbsdv~S47kK=Sf#zaD>CXBL_^RlPe
zqW?*xCm6sp{(ora{|lj=G1>i|+5bq8YZ@eED)4#+L}*q5*LXEMG}-EB)gEvO_?5eq
zxr*l$K7~qND|=H`AZ?e{NVQBIeg_w$&1gCzk_O<KcqR}&E*MC9U@-)e#*JCaRE!M<
zlFnHIVYLx`zWNtkvjl=(hcfrPOwTTXpx3c2yuEc4U7QNhrmrl;NhEg5{+K|7^HNxC
zFhqF8br2%ld(o470^yD;0lZWQ;9UR#y!f{z^%eGDi14QiAiUQ6^~yr}#{%dn&eeD?
z&07dP#j3{-ZnXqMga@}_mo#pe^>td=h94l-Q?0)T!cA8&mqGCH$`*JBW~BFIg)tZ!
zY@Y@15YqIun^w*O%$7&P4$uv=0JAZ2{r#<p!O-COtzg9scUi;f)>a7IH7yz_p;Ko=
z;I3><;?9bMU<mMm$#|H2%<`1Jxg)4sCj{<Jfxz8}7YAnq2E@~6bwc3o6bRfkj4q6%
zr>8*RuG)3{&Ok&gUASBb+`Se8cO&}RG=cEpH1b{{aJLd@4VCVdR}2e=2Jfo`TBG;=
z@H`Ej2(*U%@xv2z+C-qWPjvO%)@XVrUg)(1XpP?%{~4WM0<=04_CG_zO7Z=ptO<))
zfh|HLlO-gQn*;jt5baFO7EOq{UbRydtz4+stI)}>mwg}$msT?y@C96m)<fvbWMG5g
zwDdmko~^zMyP5X8Zo`dC`=IObai)Fs94MhnYw(wC!X7a~YL!T>()rRIGL@`AwnBDT
z9w%><zo?KXG8K0z_9>&3HQ-tL30zONsXkB-R8Lhuu0E%6Xs*}1sqLjL*RIi?U=8dX
zb{pJ}Er2-S!{C2yBro<{b6J$q1PkWcr&#b>MkXr2!8CpG50u#sp)*q%S|=ta2+1f&
z(lu51t`4#d66qZ2HktB&AJJ07-zHlns`s$9e{elcYTtS@-1(um{TC2eem_1)7rulu
z+ZX!q4fwKRA5`bt*W4t$iU8RTkdHHTjL>M!i})~o^Cg_rv3GzJsD$Y4JoXQEEl2?m
zxDX5B+<u)}0aD;wWr<R*coM!6P%AqxE0?LH>)|T_b@+RH4c4M(;41;56ri4M_yL9U
zt2f^Ygij8N1Lt;N&;I)LA5~lv6bE~^1AC6EuCJhfYzOv?YCnc)-VT91>1#i>mIuW_
z=uTiyY3TPa(aN2|BF%iYF%VvQWswSB2w3?XV3r(NzN(@mxcqI;!}7;RcORpb&jaT0
z*FUn*4bKDS-lMY5wH5`J|GXDq`G=;ywwG>w0T>?-n0g1D+K%s++7^v&rt8+gXAQXA
z^*OnD6pa(s$wRO@?Ue_Q1_tEP!g0dtd<a%&#P?G^rl%i*)hTORlN*T0p$oqN=oJs+
zS~;43XCOQ~_yqvxT3pQykKKCbq%5WQ;e%NCR={LDg6><3V`P1HT$`I2lmhwpKtI~v
z#+88q89^zq<{n%rkGg%%8?EWWcL6Naxg3v^hQEE_1v-B@P(JXn<M+_8dx7%Aci*~$
zzH%>6&JJAiL2h#Jg8&mKU>xwqf^&fZuHXj&9-u(EHR{8IbkUtaIlA?lt$_%*7cG1c
zz_}P#k3kO)dn~y2-xm~>e{mdJt$kJ7OVgl!M;)V@r`)f!DwfE<mZ!*8OMjB)F%RMM
zcpSP-^1fstto|%@VL)gOhi!x!cVQROw12(}$Kdu2uizr4J@Og+CDZ=uBRB<~EAUF3
zDL@aD+$|xg+*;tfYqguTeKmFJ9qJ*f>y)1<ZHndaagu!5lfZ9P%uXf(FF^Z{9U64f
zj)Xqx=ilIr_L*n!Qrw<+7=OgHC+-uTk#7n;242HckQjRu0oxVCW}O9JLMoX4jCPUc
zf@ZBI1GrqSTB5wDd`y`QT&|KYll>%nLY50$u4V4Qzv8EH0dP5imwbm-{sBBbGE8?g
z5I#@fahUdV@SO+qng<70%oTVXzVmP%IB}fIGJsZ|2To+&^VZT0=YbPP>(<}c+A8q4
zk<PmSoH*|0rz~{q1(;9m$2v-<eh2e8;zjQfy6yzb=fGF@Uz6KJ(Lw>|Njy-|uW>uf
z=S*6-5W2nfB%UgD-jkh5PoKms(%}b>Mp5r6ST45P>@x%5Gp;O`GT=DpY2jlOdwPFc
zQ7`OiM!NSj>_qHHoSIuF@Vb%aeGWZ@pV{mT445wPx{0p-98Z-GZQuG(>oj4D10ucv
znq!Z>zL(Db0%-2#a-X4L2Z3gV3%^BQIS4dc-gtdyu3zA4Bh5Jk7{?zi*%=t%6S&$$
z?>_`I4}UnMoGyA7c+i>q!2UplH@LSscf;Nm|4QS+K)5Hkw;k9m?8A>V$5*(6d)u7%
zKzNwvEeg;z@4>*Di-(M&XWxT?wQVf=ruEw3-uBA-IH_cG;_C;6t!9{Pg+$m+6q&+?
zqL6gnQeeZm>&mvG*e7rN^9CY2ENm|FxZw68TS4d$3my~v6br;RA!;~^6_oq}9*Awn
z!TGS_7r`@f6nqh7AHiem%ixAMycx<?3t78Zu^C)2`j_GH<L}7Te&Pf8+D`lNkMJNw
zANd_+uG@ALV><PBxKmjG$l8zpg2Pcir5Zj%QORxQ2C*&LkF|-K#p=$Vq)5^tVEFGv
Kw*LmFqyGgex9W2M

delta 15564
zcmbt52Y6J))_3OI-MeWdv{X_Efe^yxZZCn5-bglu5K;ugZn7H!giu2h!m9Wbm9|eu
z6a?ix+fxB4i&XX5MX{nH3W`!iihu|z|G9S;44^#!&;8=z+^J{IoH=dAd8>NQTO2&F
zs<O0Ysx!gWHo4V4H9^nu93fm*LITIZLXP8J!T+xOCN3GM&sfN*ze!PGQ8+A>D(-|!
za2`&>_iz}#fiK}R_z2#Ex8POS30q(ztcCx;6Yv-;2L?;mcTM=2cFY-z{o0)fCN&@!
ze+z=<8U#&M2u4>TxTOrih@l873lI#=Mvy-k!4L}qvkrlFAcBF(2>SOykeGlVItD?v
z9teU$5CkYCNZ=fYe^-C&V-mgw&$;+81)S&LJks<%c+QJm26To0NR3|l-z&mC^Ppq<
zENs1X3WCk!5o~Beux=EB=SLuTx*Wk1MF{?tg<zEx!J`u452Ye_FbToZUI-TVL~vgh
z1osLOxk=n64vxTwun8WAB`^;rf&+#_9vC4OC_PMf(e;$k+i9P%w2}^{{b>*K3;CM7
zN}eYR$plhH%p{(uxYOKTZj+~Lf@}Sz(sC%_yd3U~7mmVex&h+o9W(=gzDokgBAA3*
z`2{J5eEJYQLK5gWaD$1okzZ*F?Mc2NuaPxS4UL?a4kH%s3=Z17-aE1k1UQVGg~P~>
zFTiuSElz+V$Wb_g1^d8rq@!1ul3T!W3rG@qiY|g4FdO@}dtW+$G<wqxl1$n~S~9?P
z4vryt+p*&s@N8d{yL1)bP2j>&%(y#APjVl94kF-A*7_Y;!B!q3D%R}~xt|2HRfk9u
z3GpfplN924TNUNm6_Cs(93iQmq4+U6Acf8f@$^!qkuVl^ltf~6fM>jFK$k#y+8rEx
z498&yPP-O7J60AF9?^@ibgkmAVW%W2>pA>8KuXC{8c0XO6S&4a<X{)})e)j4U8RXD
zJ<ki_q`T)ep_&yRBhjP>YdS`XNl#CxQ0IAAnMlGt+m(7Y>NtrY5$ne*(g<7qJ?>*9
zBd4*IsOanG)Io{C-@`$q^AqqKyqp*S-*WI1d<!SAXb-S&LrL!d*e^9Z2K%w>17Q2(
zNxuL%AhkOV2e9lzU<X8!&_z1P1TG=uo`p+TaS9Uu6DTn!81x)C!3KIb3;W@9JjPRy
zS<B&exF6ef2c|D4AI89I9Q*=j-~=3mui$fRu^T5j0&l}>*y`WFUTYwO!lg|XxZ61V
zdkuGUDtQZK=WY)Qr)M1>L!vzI@@iTZ?pXs-B<9MB6-@I3iKe3>SkVd6oAhF1Pmsa5
zg_j|g#Cl?Rqo<9glDPGc&~AiwM6--jL{H+`q*J7Xw#TpqCy9n6NT0Fnvy-HMg1jo4
z$<a(aSZX>S=ED(smVOP<NX!)a4$>P>S>{5b=*Z5`uFJ_QuODGE*VPqjaw~=xROIUQ
zHAN-*g3|1=>Y>`~`l=dRVRg1G&rnceuoM*OwK{{LxU9M&e}v5#oX@*MNL^XAL0?vz
zlU-DxwdM^SW~t4tuhi#P4YTHGbBnX9Yz0Nt#pNcg-j-ccHzKc~u%t?pQ=OM<6)MXt
z<t4?r?CphQOjflqzpNmys;Dl%s(yq~UzS^Btr%Wo7>;dh=E9o#GP9+=q_VoU*jQX!
zJ=9WSsm!gbG@6WshG9A8n#w9Rc@Z&o6cpr}YRd8p%C!0A=31SlxVE$;zr>VXP+p|T
zE3c@uX-s)mO-@OkNozFcm<%Q6!s7CLy{^z~E~vF-SJ4PC28^B3IHqm#<g6xV`&7GQ
zyfdw_t<@(ivKag%3&N4BqJTmGyCvD;xb+bUD^VEQNLCCy#=&=R0KR}d@B!?CH{cc7
zLL7tt;1;-nJ=Q@Q!X%O5>1Q0O!SRqtKf|gwX-5&SMEm3p38sH{i;BQEQV{)rY*WXz
z`{duIBI+ATLI3Vn6%pS^l>YH{rT_K)lD371qZ}Hub8r%lBL6-IcB%su?1!BsBIw4d
zHsINbH6${Ke$C;jcoEG)3ikSdb`&a*<>YU(ocE9O|6sVx?~bbn!_RQ=5A=80O$(%j
z1^fxKuku>|KM#i_tO_oV!@rB<QF=kPbGjuj<&oZ!Hk-=UoFRiq9|;#(^pB)DBq?`T
ze)jPEgyGparTHxE9Eo5L{y_S8-~5q864IA_eU{8u_LCd26K7E=mYpL4TX>Enh52^&
zYYu)!x9cc;E$tDoulJKal>2k@^`M3-1bT>rJLn<ov6r$#Luk+bMa4BW*+UC7g_Y*I
z>Y}=#<#|?vrAS+tUtMh-UYS>Kt*afHt1r)CJ2PotR+LH0`<DzaFE6p#%JYU+lvWyy
zCToS&tkc?znwm15re=htEVr<3n7+D9>XPlVTBH|8deH;Wj5Bv3?1ghg3`xF*18o;b
zxQ_$L=gHlKq_B0D(MZ1f6PZB<`0#EQNHojL10|buf%FZQ*gz!*<gDKTVTa2pdLZcR
zp~&MzM^W4*nf|$f1}ork4j#wChhV};62w&p1oZA1ksT7Eb-JuBqf@IkTU-{k!KkyS
zEzU-rTI<l8>?WPnu5%bBJ14fK+nZWjCQNlsnL4#?oO6Osqcx~C_@_<KY16gFbgdyx
zV>N5dCRuNB861~EYv_A$tEX#%nmu@dh$Pkf`UMh8iQ2cEF29f<2A9Zal6JKqnB94a
zOk-;=lb#IgOJqw-0JWf`|K0;#GE@ir6_O?95V*j>1?=|&unUW5hys2=TaDjmfc>(P
z23+&KQ=vj<ppL`8ljL^#3QR=83t8PSWC+o8qHoqOB!p#MM$hY!OC*#X_yye_-PQUa
z7WymJ*Zqo4nclnOS9C^+L8|S`j{HWtNF65<qf}7tUs@-UcG7^GI9;;*!owWwfQNAn
z3xPd+nYwyN>{fCm99Kf-lN0C;-wuG3o7wZ(5J61rSQfm>%6=lrY~FrFSN6qLz9;)M
z2h7C6LUZ9(Vr3I@p@gKfEx9m)3}RjLU<Mh?7UaR_ehIr#o<bp5kV1!F<ly0$U(7DX
zLy!Q+WWNgu{0i7H5n=?uBX<_$BM0nICd37T)aW9b%467UA2w@%m;g8>j|Zo)>>F86
zhxykwjN^uJTSy{#4jq*RxV9nGrDyNvLw}ON7Un|~3oU>o_Kt+v3P1>&>a@4EI$Isi
z$(d4p2GbXSo@7Z&i(>N%z)7+_TZ5uE6+#^$IV`IfV%W4ITz#$&KU@S?{NwA0YJ;8u
za9lcHKf-Y&^h;pJ7eTZFp5)+3{9XZ#HALX5Nr0H$sI?mmc59PbXD~IY4H{#U+ODyi
z)q0n~Zq_;U8okj7vlFMZwK@~i6B66)<EJ?j=X5$(T1&dllCIaK>5Mv)!QzwXOE@`B
zbQ;*DH4u1>1j`cr4F}&~{b!IC3)umGKAP{8$_je}iGf;A*8~IWS`29<Ph!G&QsCpo
zo5fH~3cYbd!A40DD=&jo#!A6-{lPRz2lKBiS(+H2l|wiAQD{X{8-TT*grE+S-DT42
z?MAglYqzQmR=q)OZ?bCCjwY?Xv8l1K$*FSy6{(6N)dA=O1?pTTm({M<sT&<Gz1m=C
zva0P`t5)rBG+Fd6jj_>WF;NgP62uOKBY{qRlgXqpJJqfxlU8joJ6&pv!(>$(tp-g~
zgwAC#Sd5JT5~Bf5OX7H17Vv|>PG5!|0lu=I;51T=Ws+`<1>hloP=J5{X=MuTU5<N~
z%%*)XUQ0)&Ze{P5LJ=vJIG4yyl|nZ*)CM}*cL)nAgIrP~RWzzHg@|lDaVImeRFda%
z)bXE}L3dK>>xTscX<!zcYlC!R^OZen1A%>GgJd?S9Lh-9)s{-uSPtE#X=2$o<q+o&
z^>9H_nnIEuX+a{73p(ldj<D=&|0(`4lkX;1ob+1}siFe{+0XHOuq^x+I|+X|A1z3Z
z)H&I|!sBqXf$t?Nfnzf3Bqh+sN26vv%yEZ_ll+(d1~ZT^pRiR~5YM+vomtKft>fLK
zg0*CUnXP<*??Z;MNgpX9*@3nELAGN(UrMUjx-YPx&j!Ac3}@~LA)Y<4fj7lTEDz#z
zc=(`>o}kasBJwlw5FPh9H;L0N$?m~)xA8Gat|pWRXQM`KHJNp4gAO;|;V?VYO%}6G
z*N6trY|yYtxAA#N8oQ;*Wigx87K6#GHZ<C`YOB6UqjqYI8nlGiv&qOlzl}F0=}cIm
z!{gm(F*l*~Ihxc~2aaxZ>NJg7r?t_bu`t~nJ|jt|Gwbb6lv9nV3CGl;oLZbto!X&u
z8Ljq4ld;iYWS%*EPLkEq=rS~F9cq`si~_20Sk(@T-k~;{99D}_tGBweX7=+OJ~hei
z(mOR~g9C@tJJkl0%cQp2jX1jAqHA>MU0MUSESk$_C%KFkgVv(et2K7L28G^*2h5<+
zsLf3li(ThLGI93j=JLIgjCeen^msg+S_gUp29rZ=aXArlG#Lzfr(L6S8rX@sd{L4^
z+tjGTFSXNYN7bftp=#6WkZcW(fc}uP$z@`79sGbKJ!&9_-RMx8kXJaS8R^to%xbF+
z7jM!#T~4Q!J=wt<b2LpFjl-^Usa=hB1Fjv<rQPYU<Jt|44x>Zou-hHd$qa&*IE?lE
zPCbU)pJAqG7l!9Ap%6a~?4?C~eiZN=#DE3L&{#eJO_*5WVFoOg{iH+G%dg}KiHCM6
z9q<E&VtX+Rdjqz^26!5k(gUynI-nhg8wRX>4Zkp$=kCNjA00$@!6=m7schc{-b|`}
zQX1mryLi(#@^c6ad65^`9h><cq{b((Yd7=htgn~v!@Qd?%&)y#8pO_T;zhQ}%jc20
zPNi|!AxT<h7uX^xpz8z5-BMlw(~3Khx(9)6xy+Zu1E$M-Ew3aX-@ushL(Gxvf|p?{
zwp<Eq({8>z9-jBxSWJw3+nIGZ;s$sgTQ2Zxffr8lRq?Qa!yrgf8i(K$%x7+pawn*_
zFJX3bubeYl3~a-GzSI}1a+t=vh5MeYqwUC~5>~sJPhv%0Tz7q^75>A^i!`T{t$UI0
zEio*GjPxC7<W)B|=0)B^MqMokV*R%8lgX{#Wn1_r;%CfCNok$Mgv%jJ%Y24g_cr_&
zwqd6Ac~}Wg;38%NTN$cw#ltcVR-v-`9<#Eq!x~tIi~a;9;v%x=UD;kw1GX$)F<v3H
zT!uXt;kT#=at$pj9adD7XDzGAt~Zq!w8IK3H8mx5!*Yh|DvjEjoZ?cAxxh5sRG6Qg
zpI@Lcn#;3w`U+!FxiPz}XoR6cb)(@$_gHVR=ycR)$G39w&a8u~Jj|2?{M`v<t4g2c
z=(7+G|HPF%O4+Ylk+}_WGKme|#*ZR)_V6}-I&nz<#4z=CKFM#zJ2@5Q3Un$ueK$zo
zi#S+>W6lRn8wteFfdurO#&LFy#_nn~>C`%h8MT1RsZra_XupkmjoH}b((BA-JKNEw
z$PSjMquf&*_Y_onx+W|Soj+ih5Mi~Fd)nkI3d`Q32xslv`Eb%G9jaJXu}2Zap2$PD
zuHzu)x-QaqHX&Z<%}hJ^+xclzoRhuVckuD#!A*Q3pW^Oc#aj0$`mnS;iV)T%QV3*m
zA1Z>0QxdyaHt$n~N~#+CC#${cf%gF5WGl{-N{&>LpXrlOjO)%Of$qM;g@`IEahI^i
z_9=S!#;o{Ip^%ATT|ZPr5m%?_q$;-bQ$=#*#A)NlH%JsWv@|8AxKpczh#DNHs?#{;
zPZUXHOsC#h(1k7fM4=6cA0b4PWAofj&A<3q5y)14tOzG9o%&#@nT3C<C?#XBmX_Wa
zV=Pi!8}{571_cC=0uG|7h7{o1EhN<448f91TkXCjCcAe4<`or5Z2G&3NBjFdR1|HK
z#%j<yrnQW3QctkAI^E6mnl3}$Q@oP=dut3b4dza*8;RW7CQrb=IH~B%Y`YZ?TYm3h
zFj|e4-+M>`#dCOX(37^%eJ~C`Q9)PM3K6NP<nB6V`$*A;jFUv^Hx_o11Ty-$qK>_@
zgYUu??^m?3;{A#+M)o4dChk?}NUOxLIQH^h#jRw54<GV{Vlruy@EX7WbQi{;a2KpW
zrpy3#*GWakANWt`CS6vbn{>vnlCkl(z|Mp!yI)rpC%KK+`i?x8#^K)vk_C)at`*`b
zjARe*Qy9raA5A~(Q)p2+CVZ(dlgYlK!CxwZ+3jB{Qpm0B*)J8n$P~|`A>rQrUn+W2
z+T6gtjTDkG`w|=_Wcrt}fP?k04;CP0w*gy_sci3@1Apa84*caHNlyh!R%pvrV|x%4
z>8Gf0-$5HBS)hl}0yQX0V&G*COJ7H8^Sd4T9w*rYQcn3XU@x~RGyTyV-U3;<r|<$`
zDLGAtd%7m{rLCixElNnixPN+-kcVn&Ta++>OlOCqgaXu7Y0<(!GDBKJG@BMJXi!Hy
z5iRr~GuhkGLON+;iWs3UnZ;6Lgp5e15D^hU?$XM7rKQ#0?3BT5@4OgcDe<Mi0hO;r
z=vK6B$I<-n$F%)NXc69kmyz5@WD}@hFLfyM{n`CLw8Gd_%I+^xVnX*t4l|5C&g?|q
z9K{6imuNbDX_#exo4S3avM7e$j{zFmtAAng-35iv9|Gtx`VM`TN|y?)l->WlGPJ`l
z_{KE7&Z0M2g5w~Y+-Op+R0rL>I`HPz0XJ56NO9+t(N#CrcdizGuhy$|mW1m_S6)+X
zzP?)Vht(ZdC+DxJH(lQyZeC4)kAac48+v!T#NB~=_4_4m{Qthi9R(fR&<1iZwjuDg
zAXwjs;05XSb8Rhx=cKFLXKV<bl&(Pkor_@g5Co4&_n<5F2p+-n&Mg~&fb~Q0KyL&d
z=|*%(1cLj!B3KZN;2tGKNZ}cT+$MCuWMqBMgk`|5NPv9iep?wGWYUXSSigKAjAGhd
z%9QT?BrT~RVH^n~Eo3)MrLW_0`z^7?rHn|8AhTO0G&yI;r=!6>p%D{%ZIh?SpSLkX
ztY9I{Y|aO0nC7zW?<;z<^|3-c8mZnNC=y5qI~yyc3z02o6C+S$-&cr~n<uq%sBSlp
z6(W+8Dcc<<^roEKdpb_&PC90jK7N&mj@x1Q8ZSRS!Iiv)M`1f&%C5uPwSS}gwhTOQ
zKl}qP4`;(PXoD7Lgi%lfl~4ltkO@}2jZ;H1^hWo-Cxk)(Ug7>qf1;=9arzzIPd}$0
z(Rb+^^kur0Zlr7I({wdmftSS{OX$6HKJB10=@i;Zo2i}NLaS*xEvC6NgPN%p+0&QC
z(<s`VhERbLa*3QHC&^KAkbFr#B_EJ?$ZKRLd6BFq&ygp|W8@L?09i!tA$O2DWICBd
z#$j~ZK<Y>pv5`WOjp=S9<~&ny-T3qLOz15q47|x-D!-x~BthcFc{ugQo;W;(H+0M4
zK@3?Iz@0D`gO|y83*>^)P>)yPWl#h;Fc?grfdP<&ryvr#K`<zRqZjc;?+1E>ena=s
zJ@kG0Hhq=upquFnsA8U=tLVe@pLAgdy&Lb(Z=>yWA{|Sc=&iJt4x^>CfM(HjYM^O&
zsh&uC(Qq1uH@ZCeja(pS$oJ$BIY9Q3kI8%FP4WuaMmCYP<QeiW@+f%-_4$3|E;5hI
z!rRRWWDIeTkz@p^AVWzWrcf<JM+TC9xNhm^2~UXiCY(@yOQQqGaH(V`Mi*nC7ZQ9Y
zwct#v$Z*t$RzkM0iXo~Z9-C}rVS|0x8kS}CVNbD#eh}o^$644xANKHrhkeLDS^xb$
zY!RFHg-{fPgDmvjoB#{+Dzj?j<a{#O$YC<_5GwGuQ5c`Yn85>gz*J~PX4@bOMJ@@2
zO^IT5jDA7iLv}t-AEoyr|Hjji$hE<AAdR7cn0h#ZlJYv)h?F-F@5T_JgpQERXfj0j
z6D@wzaMg&Skywv2K8f!`9>KtK5!{0_&w=T9^)wDIpBtbKs*r|4$c91q{y~Hk=!35y
zB5;P6DMJn_ST9jHS_x6U({+PELnF5lL!YN%HLSn~C`;g8G&~(J6YsKHae;QY1s^t)
zLowt+2ADw$sn8eVAqpq>FZEp?#AXTy{l<GC2OP|x4Wya-m0RfPnlMXfohU?@V<?-`
zQ^4z&yV+wsg<N4wn-C#l;qjj6#c==d#UKgcLR#Fk2|`3n480>$Hqg_ZjxlX*<NW_{
zcd>Ed!d@Y+Rfw>m1}TjY43wKMMT3n(`#6jkuyAsuFo1HmOYTo3TNNSj?8QhSMdenE
z7b0@8{`&|4mC+qn>$|el&3qVpJwoVNlOk^h#pJ*_H2hzo(O-k!&6~*dxp>z8g*+L9
z+GZGP8Vm9v4!Yx}U&6!j3O+a~$D^UeL(!e`m}%NiKcN3cy>btoO{FB}^Tf-S354Dx
zf4}q;kB>pL9N6hj8bhXWA9LCz*|A>jeZof&tK@ofa0}f)yOW9B+xXG>=N-0LxgY$G
z2r$+BFW_k-IZlQV;GV=?SmJqdaIJFCM|EG>l+3<e(0R-m5rSpI$EV%l3bt;$p!eLJ
z(ZHv_n%d?$o-sA7-}*<MbjLveSIy~ryVX2fcTpJNSvI7ZH*Gr~<KZ)xD~DwM^R{}z
zx~>y+?6WmOQm^RkXZlD6Mc^7a7>!FP#OF2*NI)ZJL=qB68o~jdK<jcoB(c|O&okCq
zzW0oj;~r&t39lE0QcrdI1H9#2-cHXC=~H?2rfi+ZHE0FTpRC;G5e6@h9JFtvoJUY_
zYdIK>M@&KL5N*I=%kcR~*94oFZd6u4Z)p=lI5f1QxYgV-d|)zzyhK&B0^jZ&K!0i?
zuu6?;u=oD=h1C!*H4f%h;qxQz2tJ4Sqo!_e!e_#0i1e+_!9fGQF)AaM$!c7kgEQdN
z@&47d8dvbf?`(~pE~e%DfbTwu@jP#;<s)~+T<`>%OL&7roZ_i7KcF<Vd^EE?jGelG
zThY&wB}6=D@9K^VWi3DBR;;o#NAr`Hzc0<F#OFOY-&TCWG?v>gJ@@fOu2UYnLd?A!
z+)YoS*3LsE3*5b&lzuAm6LUd3l@}r(nD3dWTfryqt^B~#Rll64*{N$h>-4p}%D!c_
zC&W;~$7cSr%QMpOK!_=R&VB9SDtXr%JfZ1oPpWZ9WLVVecgmguhuNVK^l4mpEuzv)
zrGCEGt`MH0Y{FXQGk=Mnf=|ct%)Lv<@`mmcqCnOk3eL?z6<tkEk#s~gGGl!^`}s1V
z17ajHR9p;)iYbzAqrJ#%T=ZBhKo6;5yHLW5$xAM<=eG+FD0@}T+t;4xIgz1bvv&wt
zeCqibtJ%&S!U}$1my|th^iE;9(zK)O<NA16hCN3#N&F!1Lq(o2Z3#c*?sxv}Y0y3p
zPCR#w^R3;)K^~n?{>%NwnUJm|Z|H-<+gG;X`Xk59#3oI?ZJ_n3o@cE(mcB(uQV!fZ
z{b$<%k1Acq9^4{C@QDF)gW0+*NN>-@lM37Wdro1^+^s^EpxIpd4|iO$r)7|lUEC@-
zh4j0+g}P(=c>)LP*|KedOR4C#^~d_Yo~H-vn0dR9lrjWHej(Ay<C8=%(q{4?BG>8(
ztVRD4X<Om_V5u<VuSq|fxL;VzHeXg2G22f{!Q1hz;HKStGhyN<1&_i+ZV@*GhZTMD
zz~XlcUwg9`3yW!obiM|Y{v63cr^klQPaP@+Cptru&?%aO&e1*SBt3x6(qrf}J%`TI
zi|9nXhR(n{<Rf&fj*=hok)1%hq5<uTmpfLPi>^X{YNI2lgHE8c=v{OveGK*QE2wb~
z(lZz`N1>G}g|TSK)&SXqWIe^+dP5oA!9!?(sDMx+DrAU>4#d03&@97j85YQ}M26)u
ztdij<88*nUNro;Nj*;P58Dgps$DAO;i87ol!>J1Bz>0SHV}^h?H=<Ug0eAz8|LQ~t
zf*2pB7kOW)Mk6}?m`-f=V+OIskD0`Ae#|1a`Y^3VZ1ZC}agrZ1h*SKS-6T%)qZV<x
z3VPy%7O}f;W{aq`iak2v`2IzrNG^}*go~YULl@|MrHxJ__GBTuF`Uzjk?e!_l<J;l
zu~%0}zS_Vn>MUX`TlAi?C%#nFOEE|fK0X?(5*9%c*pT<Iw-m16cPyXS2TCL?f$!4~
zDkZEBpOgYM64q}}UrDZ_@bnWPdg3C>$tNfymFT<frAO%{2t!40h6412YcajwivG;q
z@G#258}JPZ#9QbnHA({w<db#KB4Hxm-w16IrsGpAFipaY{D46)Tf!_Pm8o|rv-lj|
zEl34}R0e~nmL9RmUmf^mFp6oN7-BGsnoi5dPXjWu2dJ+w#8+aliaO-R4TVOHsP8nI
zQ70O&{WQr!WE7Rso)(El(Ig7;-bk2PRLL7`G>R5qp;0uNM5{am79wsmi|I0bS3ivw
zaS+@6wtsstX6(UdNZW&01R28SzO9V&+rXPycyPz+JY7wCwsI3Hseuc!7S?M$YfU<q
z;Y9`5<v*(i+cchFvyLtE3K7D99`_pD;i6}xS<jAng$8BRl-8Hq(`3uY+?!Dm_PEnn
z=8jX#rjcFREHn!tj*4g8u>(CJRy|w(qTq@glD|@ZRifZ9^<Rfk9VNpMEyJD8@LQ-I
z?+ErQ+WKY|9NckM*7l>IXJkE2HF#9a9qw2Q3p<M?kFS>&bo7~f>dkD;S@e6dHsFfV
z*2KJMGkHP{I<|ZRu1Ji@72M%QPlG|vPHYewcq+c0#VR%mQw2rs#DVTOy=S6P&wkq|
zG{+M4zuuD+sggtYTq0aSnz)znL;86?eM30>7ge<Syt2%TVNJIyhIFydRR4^r+QnQZ
zG9t~-h~`&?iB}kLGw*@6XUWDh<}w;j^@sB_Si@yBp32ZZQLJsPu$=FH%ODR6T_@Bk
z`@X+=ylpV+at2wlavicDcJ6D`9X^QNdIq_6Y8~!spQ^iFXixWC)auwjUJ$Y((>8xU
z)@N67#|r7a<QNiq?T#s5#vO~58vTjIw-w2D)N~2$sCGct3#{@I+EMMNJ65+B$aXaD
z7Zjg>OY@Gp<MPpt>e)lT;Fg+CmFBr)^JF_}{S|lAdUWfT^|`Vg{q$EMiI4d22T|<u
zujoxge>QaoEBj4&AW3`fkt`p*_zoL=AgaQR+RjP2m@7Y@S#1tcEu(DYOTsgLHxyGn
zwKwrC&E8YTgr}}-$j$wTa`_m2^%DwRnCHV%TbX=}(k~##dz*A|?r@uYjPAXFLT7&W
zojCTx1z{>5+7`TvxqcQNRi=Ix?T#HPADfJexN!65pMG3lEITJ(TojU$`c2C?{FfG)
z6sXFDUQ*LQd{~6h(Lnkdbx|OXlWgu=?hdX51x{oogUJYEOXZlcQ>(_-SjUd5uG9=O
zPM<I(r*+!6T7z}+`0Tb>x#jJ7#+F&btJ0>`H95^iMV6sCEjqRbT?S)$dCjcqdY9d%
zw~Nh1Q>WHU%AZ)^EUs=Zscg~a78Z@yX$z}!D;$Oi)w9M_PN{9x*G`(o^ciHJalF3O
zXsR7nIxbspb5-X}t7@Jxqo%ypGP%9jZmF%SpJ|v<U0`XMINdm=eRA5Q<|;!;Qw#g2
z)YWF2G;`(@OA9_1)(sm!b7pqy*y{4~+VSRb!)I!=)m2kmRd#Jr^@N<6MytcsWGS7j
z%bmu~We{!0-+gU4iVx!A-HPM@PNh=0COfB$k?w_(boL~zF3CPr(^@~Jq-5yyY5BIX
z`D1EbGj%y>Q%20vm`sMTIp)0P?v9di`XWc$_|h>gxti8m+bq{Kws{CiHs<A2R^o;F
zaBFc*o~2D^YpZD-KgC&6ZJe%~swtjXF>ZRARX?VBhJKt$EG}y-Yi}N2TElu|5@XgM
zKeN61^7DT_{ABlJl3vEibwjHR+LET~na%mbZBv?@RgU%%Y3(gDE7MBNGg@c1j%k@z
zRh+A7EGwxQS75Jbon$GhVtX@5Ki}OT43TbXhpg|KpaXW#Ad;B%cV9QN<AX>-!~gf8
z?e*_$r8A)9;w7E1k#@xp?Iry9{pZb9s=mH*xNl}OS;$#bshY*~CHCA|RH@<ZZ_c$1
zmyJrsIXvHLsJ-kCuab?*!gF}OMfJ;%v(x9$s055%+TxC@l#R;D^QhobJD%9)j;)Yw
zaMn+PtB*c1Y2IH6bJ>9(gagd-tx&*roD_1{c**5Yu&5X-H>--6*P>d?1hXpJAFE+B
zI1*PKL~gw<8az!^!>%m)X112KokEKOv)lKwu+zAFUH?gqZ0%{GmQP+(6~Thfpb8$W
zdu0{7<qRrz)!J!$+G}MK(*H-aNdYIU^=$l)!iq@C>*r;^L=GQql##DU;&tKU>NwRX
zvT?U6k;Y%$vXK~7M_}mk*0o#qO7!nrc5?&SBwLxC165f<*n0^p-Eobwm9eT-%>w<Y
z<)S;*AzPWfYLzP_WAKk3)!Tisbut@$K~S?<X{tot{A{I$tx8js@PRvP1$Ht`^?)+D
zvT08Ht+M&uCaSV}YoFa#ByC_2cZB=XEX6zCyRE7=!giW)uNZEa_osAK6seFpCXw$s
z%$c5}1oO3tn8`L{Cbt%I+^v|SoKKfv0^w=g%2zQVd>jB1TZ1vp<-|<MY*g+KW3qV@
zI?nIoE!cPR+qUJTL-sCBMlnbBE)g-A#9Z0C^x-D6m?wLeS3gY_F<<Uw)`*32FGS2*
zu}JRa!_7LeSnhT8)2tVV`g$3~QeQ8lXf}-#ZN6^OhiEp7WxhsMvBKBLDq1vRrLT>Q
zTeRXZxs63H4wu^?Vljx-avL9RF^VJP>92lTOkxeoddu$;fAA){#C4KOj93J|S~>Zq
zGLF6Xrn2`y*%`Nrfr0q{=ZIDjL$RRW(Jmnn?=RJA#bD;%t?UH`F_abWR>s?8s;qkP
zRv%&%N6X|{jiS{g+B@M6nN(l7)gm_fBsopW4{f1QWGeR&m$oE3+IuQo_2JDur}5}H
zXxZoeRgpr**8hxfhmS+gLB|H9s7CXd=br7y7N)4C@(Is9xriwTs8$H!^Z$9?9XkeH
z2OZltK-H`a)`m^5Z${Ta%Vwpj`YJ<0#yD**^vASpPb!WY@l4rycevA2i|LHyfvVAw
zR&KWJqAT$N`+9ogx+A?YlAHz-4fh90I4|bwdJ^`TSyj%aOX5vHmE~PISoI=dM~td0
ze^hca?}^#^s%n)(287M9O-8k<W&8RfnIz-s`R?#Zs8)4M-47QZwXkRyThdQ8RZxC8
zJ<1)|hH6#Eh9s-T2!p(5hPq=Xpjy?j{mICKv`ddYQQwL_nU>Azuj(5aF*)VzpKZyO
zGF1WbE)7%NNB=?y#n$##E$91`kGz{zB&urp#Q8;cvS$-fM_Bia64<3g)DfBG;vMbn
zs1CL4jXtVuJ~a5ThgfiuY6VXRb|kUql2pqhwR8JF@@Ets8H!BrDKTBZ7qh=7N2v-V
zcK=A&Lq=5vTQx*g$VBA1_wW!^EKw3@!2LrzTn#L=w`xUV>Mp&Ul?~!79Nuitf+V^f
zug(Orf!MjT+(OQRBAGHAUkea?V#{T7%>jXb@a*`?WiqpuDvLv}yCY_pw(id~HYLx#
zD^(7-p&I){GmA}`cS8+!Oko>r%9uZ@$-SXa9%yKpGWCWUnSy7_l<FI5j+7}!+)#)E
z^<<86rS^uJ$IF$22VS?n*@@DNbm@`zWT(B!IeALr9BJDK#BmUZyzT*PM9CklVP1)H
NX}`bn$|`Zr{{b0alkorm

diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 20d216df2..f03a48d87 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -964,7 +964,7 @@ class TestRequestRepoBuild(ApiTestCase):
   def test_requestrepobuild(self):
     self.login(ADMIN_ACCESS_USER)
 
-    # Ensure where not yet building.
+    # Ensure we are not yet building.
     json = self.getJsonResponse(RepositoryBuildList,
                                 params=dict(repository=ADMIN_ACCESS_USER + '/simple'))
     
@@ -982,24 +982,20 @@ class TestRequestRepoBuild(ApiTestCase):
     
     assert len(json['builds']) > 0
    
-  def test_requestrepobuild_with_credentials(self):
+  def test_requestrepobuild_with_robot(self):
     self.login(ADMIN_ACCESS_USER)
 
-    # Ensure where not yet building.
+    # Ensure we are not yet building.
     json = self.getJsonResponse(RepositoryBuildList,
                                 params=dict(repository=ADMIN_ACCESS_USER + '/simple'))
     
     assert len(json['builds']) == 0
 
     # Request a (fake) build.
-    pull_creds = {
-      'username': 'foo',
-      'password': 'bar',
-      'registry': 'baz'
-    }
+    pull_robot = ADMIN_ACCESS_USER + '+dtrobot'
     self.postResponse(RepositoryBuildList,
                       params=dict(repository=ADMIN_ACCESS_USER + '/simple'),
-                      data=dict(file_id='foobarbaz', pull_credentials=pull_creds),
+                      data=dict(file_id='foobarbaz', pull_robot=pull_robot),
                       expected_code=201)
 
     # Check for the build.
@@ -1007,7 +1003,28 @@ class TestRequestRepoBuild(ApiTestCase):
                                 params=dict(repository=ADMIN_ACCESS_USER + '/building'))
     
     assert len(json['builds']) > 0
-   
+
+
+  def test_requestrepobuild_with_invalid_robot(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Request a (fake) build.
+    pull_robot = ADMIN_ACCESS_USER + '+invalidrobot'
+    self.postResponse(RepositoryBuildList,
+                      params=dict(repository=ADMIN_ACCESS_USER + '/simple'),
+                      data=dict(file_id='foobarbaz', pull_robot=pull_robot),
+                      expected_code=404)
+
+  def test_requestrepobuild_with_unauthorized_robot(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Request a (fake) build.
+    pull_robot = 'freshuser+anotherrobot'
+    self.postResponse(RepositoryBuildList,
+                      params=dict(repository=ADMIN_ACCESS_USER + '/simple'),
+                      data=dict(file_id='foobarbaz', pull_robot=pull_robot),
+                      expected_code=403)
+
 
 
 class TestWebhooks(ApiTestCase):
@@ -1746,7 +1763,7 @@ class TestBuildTriggers(ApiTestCase):
 
     # Verify that the robot was saved.
     self.assertEquals(True, activate_json['is_active'])
-    self.assertEquals(ADMIN_ACCESS_USER + '+dtrobot', activate_json['pull_user']['name'])
+    self.assertEquals(ADMIN_ACCESS_USER + '+dtrobot', activate_json['pull_robot']['name'])
 
     # Start a manual build.
     start_json = self.postJsonResponse(ActivateBuildTrigger,
diff --git a/util/names.py b/util/names.py
index b705bec36..57fafdd10 100644
--- a/util/names.py
+++ b/util/names.py
@@ -26,4 +26,7 @@ def format_robot_username(parent_username, robot_shortname):
   return '%s+%s' % (parent_username, robot_shortname)
 
 def parse_robot_username(robot_username):
+  if not '+' in robot_username:
+    return None
+
   return robot_username.split('+', 2)
diff --git a/workers/dockerfilebuild.py b/workers/dockerfilebuild.py
index 6e8be1f4d..9d552a4ae 100644
--- a/workers/dockerfilebuild.py
+++ b/workers/dockerfilebuild.py
@@ -352,13 +352,14 @@ class DockerfileBuildWorker(Worker):
                                                   job_details['repository'],
                                                   job_details['build_uuid'])
 
+    pull_credentials = job_details.get('pull_credentials', None)
+
     job_config = json.loads(repository_build.job_config)
 
     resource_url = user_files.get_file_url(repository_build.resource_key)
     tag_names = job_config['docker_tags']
     build_subdir = job_config['build_subdir']
     repo = job_config['repository']
-    pull_credentials = job_config.get('pull_credentials', None)
 
     access_token = repository_build.access_token.code