From a65c1e482a5974cd39da2afc4b91ef1b49dc538c Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 30 Aug 2022 19:34:02 +0000
Subject: [PATCH 01/36] feat: implementation of pluggable auth interactive mode

---
 google/auth/pluggable.py | 103 ++++++++++++++++++++++++++++++---------
 1 file changed, 79 insertions(+), 24 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 42f6bcd81..3baff06bf 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -38,6 +38,7 @@
 import json
 import os
 import subprocess
+import sys
 import time
 
 from google.auth import _helpers
@@ -105,6 +106,7 @@ def __init__(
             raise ValueError(
                 "Missing credential_source. The credential_source is not a dict."
             )
+        self._interactive = os.environ.get("GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE") == "1"
         self._credential_source_executable = credential_source.get("executable")
         if not self._credential_source_executable:
             raise ValueError(
@@ -116,6 +118,9 @@ def __init__(
         self._credential_source_executable_timeout_millis = self._credential_source_executable.get(
             "timeout_millis"
         )
+        self._credential_source_executable_interactive_timeout_millis = self._credential_source_executable.get(
+            "interactive_timeout_millis"
+        )
         self._credential_source_executable_output_file = self._credential_source_executable.get(
             "output_file"
         )
@@ -132,6 +137,20 @@ def __init__(
         ):
             raise ValueError("Timeout must be between 5 and 120 seconds.")
 
+        if not self._credential_source_executable_interactive_timeout_millis:
+            self._credential_source_executable_interactive_timeout_millis = (
+                5 * 60 * 1000
+            )
+        elif (
+            self._credential_source_executable_interactive_timeout_millis
+            < 5 * 60 * 1000
+            or self._credential_source_executable_interactive_timeout_millis
+            > 30 * 60 * 1000
+        ):
+            raise ValueError("Interactive timeout must be between 5 and 30 minutes.")
+        if self._interactive and not self._credential_source_executable_output_file:
+            raise ValueError("Output file must be specified in interactive mode")
+
     @_helpers.copy_docstring(external_account.Credentials)
     def retrieve_subject_token(self, request):
         env_allow_executables = os.environ.get(
@@ -155,6 +174,10 @@ def retrieve_subject_token(self, request):
                 try:
                     # If the cached response is expired, _parse_subject_token will raise an error which will be ignored and we will call the executable again.
                     subject_token = self._parse_subject_token(response)
+                    if (
+                        self._interactive and "expiration_time" not in response
+                    ):  # Always treat missing expiration_time as expired
+                        raise exceptions.RefreshError
                 except ValueError:
                     raise
                 except exceptions.RefreshError:
@@ -171,9 +194,10 @@ def retrieve_subject_token(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env[
-            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"
-        ] = "0"  # Always set to 0 until interactive mode is implemented.
+        env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = (
+            "1" if self._interactive else "0"
+        )  # if variable not set, backfill to "0"
+
         if self._service_account_impersonation_url is not None:
             env[
                 "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
@@ -183,31 +207,61 @@ def retrieve_subject_token(self, request):
                 "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
             ] = self._credential_source_executable_output_file
 
-        try:
-            result = subprocess.run(
-                self._credential_source_executable_command.split(),
-                timeout=self._credential_source_executable_timeout_millis / 1000,
-                stdout=subprocess.PIPE,
-                stderr=subprocess.STDOUT,
-                env=env,
-            )
-            if result.returncode != 0:
-                raise exceptions.RefreshError(
-                    "Executable exited with non-zero return code {}. Error: {}".format(
-                        result.returncode, result.stdout
-                    )
+        if self._interactive:
+            try:
+                result = subprocess.run(
+                    self._credential_source_executable_command.split(),
+                    timeout=self._credential_source_executable_interactive_timeout_millis
+                    / 1000,
+                    stdin=sys.stdin,
+                    stdout=sys.stdout,
+                    stderr=sys.stdout,
+                    env=env,
                 )
-        except Exception:
-            raise
+                if result.returncode != 0:
+                    raise exceptions.RefreshError(
+                        "Executable exited with non-zero return code {}.".format(
+                            result.returncode
+                        )
+                    )
+            except Exception:
+                raise
+            else:
+                try:
+                    with open(
+                        self._credential_source_executable_output_file, encoding="utf-8"
+                    ) as data:
+                        response = json.load(data)
+                    subject_token = self._parse_subject_token(response)
+                except Exception:
+                    raise
+            return subject_token
+
         else:
             try:
-                data = result.stdout.decode("utf-8")
-                response = json.loads(data)
-                subject_token = self._parse_subject_token(response)
+                result = subprocess.run(
+                    self._credential_source_executable_command.split(),
+                    timeout=self._credential_source_executable_timeout_millis / 1000,
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.STDOUT,
+                    env=env,
+                )
+                if result.returncode != 0:
+                    raise exceptions.RefreshError(
+                        "Executable exited with non-zero return code {}. Error: {}".format(
+                            result.returncode, result.stdout
+                        )
+                    )
             except Exception:
                 raise
-
-        return subject_token
+            else:
+                try:
+                    data = result.stdout.decode("utf-8")
+                    response = json.loads(data)
+                    subject_token = self._parse_subject_token(response)
+                except Exception:
+                    raise
+            return subject_token
 
     @classmethod
     def from_info(cls, info, **kwargs):
@@ -264,10 +318,11 @@ def _parse_subject_token(self, response):
             )
         if (
             "expiration_time" not in response
+            and not self._interactive
             and self._credential_source_executable_output_file
         ):
             raise ValueError(
-                "The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration."
+                "The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration in non-interactive mode."
             )
         if "expiration_time" in response and response["expiration_time"] < time.time():
             raise exceptions.RefreshError(

From 6fcce53b52e2700019a5410791d5a4090d80283d Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Wed, 31 Aug 2022 17:21:41 +0000
Subject: [PATCH 02/36] adding test for interactive mode

---
 google/auth/pluggable.py |   6 +-
 tests/test_pluggable.py  | 240 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 243 insertions(+), 3 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 3baff06bf..6c5af1021 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -176,9 +176,13 @@ def retrieve_subject_token(self, request):
                     subject_token = self._parse_subject_token(response)
                     if (
                         self._interactive and "expiration_time" not in response
-                    ):  # Always treat missing expiration_time as expired
+                    ):  # Always treat missing expiration_time as expired and proceed to executable run
                         raise exceptions.RefreshError
                 except ValueError:
+                    if (
+                        self._interactive
+                    ):  # For any interactive mode errors in the latest run, we automatically ignore it and proceed to executable run
+                        pass
                     raise
                 except exceptions.RefreshError:
                     pass
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 80cde7972..240f95496 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -57,6 +57,7 @@ class TestCredentials(object):
     CREDENTIAL_SOURCE_EXECUTABLE = {
         "command": CREDENTIAL_SOURCE_EXECUTABLE_COMMAND,
         "timeout_millis": 30000,
+        "interactive_timeout_millis": 300000,
         "output_file": CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
     }
     CREDENTIAL_SOURCE = {"executable": CREDENTIAL_SOURCE_EXECUTABLE}
@@ -68,6 +69,12 @@ class TestCredentials(object):
         "id_token": EXECUTABLE_OIDC_TOKEN,
         "expiration_time": 9999999999,
     }
+    EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_ID_TOKEN = {
+        "version": 1,
+        "success": True,
+        "token_type": "urn:ietf:params:oauth:token-type:id_token",
+        "id_token": EXECUTABLE_OIDC_TOKEN,
+    }
     EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_JWT = {
         "version": 1,
         "success": True,
@@ -75,6 +82,12 @@ class TestCredentials(object):
         "id_token": EXECUTABLE_OIDC_TOKEN,
         "expiration_time": 9999999999,
     }
+    EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT = {
+        "version": 1,
+        "success": True,
+        "token_type": "urn:ietf:params:oauth:token-type:jwt",
+        "id_token": EXECUTABLE_OIDC_TOKEN,
+    }
     EXECUTABLE_SAML_TOKEN = "FAKE_SAML_RESPONSE"
     EXECUTABLE_SUCCESSFUL_SAML_RESPONSE = {
         "version": 1,
@@ -83,6 +96,12 @@ class TestCredentials(object):
         "saml_response": EXECUTABLE_SAML_TOKEN,
         "expiration_time": 9999999999,
     }
+    EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE = {
+        "version": 1,
+        "success": True,
+        "token_type": "urn:ietf:params:oauth:token-type:saml2",
+        "saml_response": EXECUTABLE_SAML_TOKEN,
+    }
     EXECUTABLE_FAILED_RESPONSE = {
         "version": 1,
         "success": False,
@@ -294,6 +313,48 @@ def test_retrieve_subject_token_oidc_id_token(self):
 
             assert subject_token == self.EXECUTABLE_OIDC_TOKEN
 
+    @mock.patch.dict(
+        os.environ,
+        {
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
+            "GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE": "original_audience",
+            "GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE": "original_token_type",
+            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
+            "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL": "original_impersonated_email",
+            "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE": "original_output_file",
+        },
+    )
+    def test_retrieve_subject_token_oidc_id_token_interactive_mode(self, tmpdir):
+
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
+            "actual_output_file"
+        )
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
+            "command": "command",
+            "interactive_timeout_millis": 300000,
+            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+        }
+        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
+        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
+            json.dump(
+                self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT,
+                output_file,
+            )
+
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(args=[], returncode=0),
+        ):
+            credentials = self.make_pluggable(
+                audience=AUDIENCE,
+                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
+                credential_source=ACTUAL_CREDENTIAL_SOURCE,
+            )
+
+            subject_token = credentials.retrieve_subject_token(None)
+
+            assert subject_token == self.EXECUTABLE_OIDC_TOKEN
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_oidc_jwt(self):
         with mock.patch(
@@ -316,6 +377,44 @@ def test_retrieve_subject_token_oidc_jwt(self):
 
             assert subject_token == self.EXECUTABLE_OIDC_TOKEN
 
+    @mock.patch.dict(
+        os.environ,
+        {
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
+            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
+        },
+    )
+    def test_retrieve_subject_token_oidc_jwt_interactive_mode(self, tmpdir):
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
+            "actual_output_file"
+        )
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
+            "command": "command",
+            "interactive_timeout_millis": 300000,
+            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+        }
+        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
+        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
+            json.dump(
+                self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT,
+                output_file,
+            )
+
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(args=[], returncode=0),
+        ):
+            credentials = self.make_pluggable(
+                audience=AUDIENCE,
+                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
+                credential_source=ACTUAL_CREDENTIAL_SOURCE,
+            )
+
+            subject_token = credentials.retrieve_subject_token(None)
+
+            assert subject_token == self.EXECUTABLE_OIDC_TOKEN
+            os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE)
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_saml(self):
         with mock.patch(
@@ -334,6 +433,42 @@ def test_retrieve_subject_token_saml(self):
 
             assert subject_token == self.EXECUTABLE_SAML_TOKEN
 
+    @mock.patch.dict(
+        os.environ,
+        {
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
+            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
+        },
+    )
+    def test_retrieve_subject_token_saml_interactive_mode(self, tmpdir):
+
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
+            "actual_output_file"
+        )
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
+            "command": "command",
+            "interactive_timeout_millis": 300000,
+            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+        }
+        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
+        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
+            json.dump(
+                self.EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE, output_file
+            )
+
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(args=[], returncode=0),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=ACTUAL_CREDENTIAL_SOURCE
+            )
+
+            subject_token = credentials.retrieve_subject_token(None)
+
+            assert subject_token == self.EXECUTABLE_SAML_TOKEN
+            os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE)
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_failed(self):
         with mock.patch(
@@ -353,6 +488,42 @@ def test_retrieve_subject_token_failed(self):
                 r"Executable returned unsuccessful response: code: 401, message: Permission denied. Caller not authorized."
             )
 
+    @mock.patch.dict(
+        os.environ,
+        {
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
+            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
+        },
+    )
+    def test_retrieve_subject_token_failed_interactive_mode(self, tmpdir):
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
+            "actual_output_file"
+        )
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
+            "command": "command",
+            "interactive_timeout_millis": 300000,
+            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+        }
+        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
+        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
+            json.dump(self.EXECUTABLE_FAILED_RESPONSE, output_file)
+
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(args=[], returncode=0),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=ACTUAL_CREDENTIAL_SOURCE
+            )
+
+            with pytest.raises(exceptions.RefreshError) as excinfo:
+                _ = credentials.retrieve_subject_token(None)
+
+            assert excinfo.match(
+                r"Executable returned unsuccessful response: code: 401, message: Permission denied. Caller not authorized."
+            )
+            os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE)
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "0"})
     def test_retrieve_subject_token_not_allowd(self):
         with mock.patch(
@@ -642,7 +813,7 @@ def test_retrieve_subject_token_missing_error_code_message(self):
             )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_fail_when_output_file_specified(
+    def test_retrieve_subject_token_without_expiration_time_should_fail_when_output_file_specified_non_interactive_mode(
         self,
     ):
         EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
@@ -670,7 +841,7 @@ def test_retrieve_subject_token_without_expiration_time_should_fail_when_output_
             )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_fail_when_retrieving_from_output_file(
+    def test_retrieve_subject_token_without_expiration_time_should_fail_when_retrieving_from_output_file_non_interactive_mode(
         self, tmpdir
     ):
         ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
@@ -767,6 +938,22 @@ def test_credential_source_missing_command(self):
             r"Missing command field. Executable command must be provided."
         )
 
+    @mock.patch.dict(
+        os.environ,
+        {
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
+            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
+        },
+    )
+    def test_credential_source_missing_output_interactive_mode(self):
+        with pytest.raises(ValueError) as excinfo:
+            CREDENTIAL_SOURCE = {
+                "executable": {"command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND}
+            }
+            _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE)
+
+        assert excinfo.match(r"Output file must be specified in interactive mode")
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_credential_source_timeout_small(self):
         with pytest.raises(ValueError) as excinfo:
@@ -795,6 +982,34 @@ def test_credential_source_timeout_large(self):
 
         assert excinfo.match(r"Timeout must be between 5 and 120 seconds.")
 
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_credential_source_interactive_timeout_small(self):
+        with pytest.raises(ValueError) as excinfo:
+            CREDENTIAL_SOURCE = {
+                "executable": {
+                    "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND,
+                    "interactive_timeout_millis": 30000 - 1,
+                    "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+                }
+            }
+            _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE)
+
+        assert excinfo.match(r"Interactive timeout must be between 5 and 30 minutes.")
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_credential_source_interactive_timeout_large(self):
+        with pytest.raises(ValueError) as excinfo:
+            CREDENTIAL_SOURCE = {
+                "executable": {
+                    "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND,
+                    "interactive_timeout_millis": 1800000 + 1,
+                    "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+                }
+            }
+            _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE)
+
+        assert excinfo.match(r"Interactive timeout must be between 5 and 30 minutes.")
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_executable_fail(self):
         with mock.patch(
@@ -812,6 +1027,27 @@ def test_retrieve_subject_token_executable_fail(self):
                 r"Executable exited with non-zero return code 1. Error: None"
             )
 
+    @mock.patch.dict(
+        os.environ,
+        {
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
+            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
+        },
+    )
+    def test_retrieve_subject_token_executable_fail_interactive_mode(self):
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[], stdout=None, returncode=1
+            ),
+        ):
+            credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+
+            with pytest.raises(exceptions.RefreshError) as excinfo:
+                _ = credentials.retrieve_subject_token(None)
+
+            assert excinfo.match(r"Executable exited with non-zero return code 1.")
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_python_2(self):
         with mock.patch("sys.version_info", (2, 7)):

From 3ea579961dbf92ca0743fd1caf62b03459ce6006 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Fri, 2 Sep 2022 17:27:18 +0000
Subject: [PATCH 03/36] addressing comments

---
 google/auth/pluggable.py | 103 ++++++++++++++-------------------------
 tests/test_pluggable.py  |  24 +++------
 2 files changed, 42 insertions(+), 85 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 6c5af1021..0c9259f5c 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -106,7 +106,6 @@ def __init__(
             raise ValueError(
                 "Missing credential_source. The credential_source is not a dict."
             )
-        self._interactive = os.environ.get("GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE") == "1"
         self._credential_source_executable = credential_source.get("executable")
         if not self._credential_source_executable:
             raise ValueError(
@@ -148,8 +147,6 @@ def __init__(
             > 30 * 60 * 1000
         ):
             raise ValueError("Interactive timeout must be between 5 and 30 minutes.")
-        if self._interactive and not self._credential_source_executable_output_file:
-            raise ValueError("Output file must be specified in interactive mode")
 
     @_helpers.copy_docstring(external_account.Credentials)
     def retrieve_subject_token(self, request):
@@ -160,12 +157,13 @@ def retrieve_subject_token(self, request):
             raise ValueError(
                 "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run."
             )
+        interactive_mode = os.environ.get("GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE") == "1"
 
         # Check output file.
         if self._credential_source_executable_output_file is not None:
             try:
                 with open(
-                    self._credential_source_executable_output_file
+                    self._credential_source_executable_output_file, encoding="utf-8"
                 ) as output_file:
                     response = json.load(output_file)
             except Exception:
@@ -175,14 +173,10 @@ def retrieve_subject_token(self, request):
                     # If the cached response is expired, _parse_subject_token will raise an error which will be ignored and we will call the executable again.
                     subject_token = self._parse_subject_token(response)
                     if (
-                        self._interactive and "expiration_time" not in response
-                    ):  # Always treat missing expiration_time as expired and proceed to executable run
+                        interactive_mode and "expiration_time" not in response
+                    ):  # Always treat missing expiration_time as expired and proceed to executable run.
                         raise exceptions.RefreshError
                 except ValueError:
-                    if (
-                        self._interactive
-                    ):  # For any interactive mode errors in the latest run, we automatically ignore it and proceed to executable run
-                        pass
                     raise
                 except exceptions.RefreshError:
                     pass
@@ -198,9 +192,6 @@ def retrieve_subject_token(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = (
-            "1" if self._interactive else "0"
-        )  # if variable not set, backfill to "0"
 
         if self._service_account_impersonation_url is not None:
             env[
@@ -211,61 +202,39 @@ def retrieve_subject_token(self, request):
                 "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
             ] = self._credential_source_executable_output_file
 
-        if self._interactive:
-            try:
-                result = subprocess.run(
-                    self._credential_source_executable_command.split(),
-                    timeout=self._credential_source_executable_interactive_timeout_millis
-                    / 1000,
-                    stdin=sys.stdin,
-                    stdout=sys.stdout,
-                    stderr=sys.stdout,
-                    env=env,
-                )
-                if result.returncode != 0:
-                    raise exceptions.RefreshError(
-                        "Executable exited with non-zero return code {}.".format(
-                            result.returncode
-                        )
-                    )
-            except Exception:
-                raise
-            else:
-                try:
-                    with open(
-                        self._credential_source_executable_output_file, encoding="utf-8"
-                    ) as data:
-                        response = json.load(data)
-                    subject_token = self._parse_subject_token(response)
-                except Exception:
-                    raise
-            return subject_token
+        exe_timeout = (
+            self._credential_source_executable_interactive_timeout_millis / 1000
+            if interactive_mode
+            else self._credential_source_executable_timeout_millis / 1000
+        )
+        exe_stdin = sys.stdin if interactive_mode else None
+        exe_stdout = sys.stdout if interactive_mode else subprocess.PIPE
+        exe_stderr = sys.stdout if interactive_mode else subprocess.STDOUT
 
-        else:
-            try:
-                result = subprocess.run(
-                    self._credential_source_executable_command.split(),
-                    timeout=self._credential_source_executable_timeout_millis / 1000,
-                    stdout=subprocess.PIPE,
-                    stderr=subprocess.STDOUT,
-                    env=env,
+        result = subprocess.run(
+            self._credential_source_executable_command.split(),
+            timeout=exe_timeout / 1000,
+            stdin=exe_stdin,
+            stdout=exe_stdout,
+            stderr=exe_stderr,
+            env=env,
+        )
+        if result.returncode != 0:
+            raise exceptions.RefreshError(
+                "Executable exited with non-zero return code {}. Error: {}".format(
+                    result.returncode, result.stdout
                 )
-                if result.returncode != 0:
-                    raise exceptions.RefreshError(
-                        "Executable exited with non-zero return code {}. Error: {}".format(
-                            result.returncode, result.stdout
-                        )
-                    )
-            except Exception:
-                raise
-            else:
-                try:
-                    data = result.stdout.decode("utf-8")
-                    response = json.loads(data)
-                    subject_token = self._parse_subject_token(response)
-                except Exception:
-                    raise
-            return subject_token
+            )
+
+        response = (
+            json.load(
+                open(self._credential_source_executable_output_file, encoding="utf-8")
+            )
+            if interactive_mode
+            else json.loads(result.stdout.decode("utf-8"))
+        )
+        subject_token = self._parse_subject_token(response)
+        return subject_token
 
     @classmethod
     def from_info(cls, info, **kwargs):
@@ -322,7 +291,7 @@ def _parse_subject_token(self, response):
             )
         if (
             "expiration_time" not in response
-            and not self._interactive
+            and not os.environ.get("GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE") == "1"
             and self._credential_source_executable_output_file
         ):
             raise ValueError(
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 240f95496..588666d4a 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -505,7 +505,9 @@ def test_retrieve_subject_token_failed_interactive_mode(self, tmpdir):
             "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
         }
         ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
-        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
+        with open(
+            ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w", encoding="utf-8"
+        ) as output_file:
             json.dump(self.EXECUTABLE_FAILED_RESPONSE, output_file)
 
         with mock.patch(
@@ -938,22 +940,6 @@ def test_credential_source_missing_command(self):
             r"Missing command field. Executable command must be provided."
         )
 
-    @mock.patch.dict(
-        os.environ,
-        {
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
-            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
-        },
-    )
-    def test_credential_source_missing_output_interactive_mode(self):
-        with pytest.raises(ValueError) as excinfo:
-            CREDENTIAL_SOURCE = {
-                "executable": {"command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND}
-            }
-            _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE)
-
-        assert excinfo.match(r"Output file must be specified in interactive mode")
-
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_credential_source_timeout_small(self):
         with pytest.raises(ValueError) as excinfo:
@@ -1046,7 +1032,9 @@ def test_retrieve_subject_token_executable_fail_interactive_mode(self):
             with pytest.raises(exceptions.RefreshError) as excinfo:
                 _ = credentials.retrieve_subject_token(None)
 
-            assert excinfo.match(r"Executable exited with non-zero return code 1.")
+            assert excinfo.match(
+                r"Executable exited with non-zero return code 1. Error: None"
+            )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_python_2(self):

From 9eec181229dc2f52b90eb1858a84c1393dc6ae24 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 6 Sep 2022 22:13:27 +0000
Subject: [PATCH 04/36] move interactive source of truth to kwargs in
 constructor and make check in the retrieve_subject_token

---
 google/auth/pluggable.py | 26 +++++++++-----
 tests/test_pluggable.py  | 76 ++++++++++++++++++++++++++--------------
 2 files changed, 66 insertions(+), 36 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 0c9259f5c..d5788da08 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -93,6 +93,7 @@ def __init__(
             :meth:`from_info` are used instead of calling the constructor directly.
         """
 
+        self.interactive = kwargs.pop("interactive", False)
         super(Credentials, self).__init__(
             audience=audience,
             subject_token_type=subject_token_type,
@@ -157,7 +158,13 @@ def retrieve_subject_token(self, request):
             raise ValueError(
                 "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run."
             )
-        interactive_mode = os.environ.get("GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE") == "1"
+        if self.interactive and not self._credential_source_executable_output_file:
+            raise ValueError(
+                "An output_file must be specified in the credential configuration for interactive mode."
+            )
+
+        if self.interactive and not self.is_workforce_pool:
+            raise ValueError("Interactive mode is only enabled for workforce pool.")
 
         # Check output file.
         if self._credential_source_executable_output_file is not None:
@@ -173,7 +180,7 @@ def retrieve_subject_token(self, request):
                     # If the cached response is expired, _parse_subject_token will raise an error which will be ignored and we will call the executable again.
                     subject_token = self._parse_subject_token(response)
                     if (
-                        interactive_mode and "expiration_time" not in response
+                        self.interactive and "expiration_time" not in response
                     ):  # Always treat missing expiration_time as expired and proceed to executable run.
                         raise exceptions.RefreshError
                 except ValueError:
@@ -192,6 +199,7 @@ def retrieve_subject_token(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
+        env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
 
         if self._service_account_impersonation_url is not None:
             env[
@@ -204,16 +212,16 @@ def retrieve_subject_token(self, request):
 
         exe_timeout = (
             self._credential_source_executable_interactive_timeout_millis / 1000
-            if interactive_mode
+            if self.interactive
             else self._credential_source_executable_timeout_millis / 1000
         )
-        exe_stdin = sys.stdin if interactive_mode else None
-        exe_stdout = sys.stdout if interactive_mode else subprocess.PIPE
-        exe_stderr = sys.stdout if interactive_mode else subprocess.STDOUT
+        exe_stdin = sys.stdin if self.interactive else None
+        exe_stdout = sys.stdout if self.interactive else subprocess.PIPE
+        exe_stderr = sys.stdout if self.interactive else subprocess.STDOUT
 
         result = subprocess.run(
             self._credential_source_executable_command.split(),
-            timeout=exe_timeout / 1000,
+            timeout=exe_timeout,
             stdin=exe_stdin,
             stdout=exe_stdout,
             stderr=exe_stderr,
@@ -230,7 +238,7 @@ def retrieve_subject_token(self, request):
             json.load(
                 open(self._credential_source_executable_output_file, encoding="utf-8")
             )
-            if interactive_mode
+            if self.interactive
             else json.loads(result.stdout.decode("utf-8"))
         )
         subject_token = self._parse_subject_token(response)
@@ -291,7 +299,7 @@ def _parse_subject_token(self, response):
             )
         if (
             "expiration_time" not in response
-            and not os.environ.get("GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE") == "1"
+            and not self.interactive
             and self._credential_source_executable_output_file
         ):
             raise ValueError(
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 588666d4a..00564d731 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -24,8 +24,9 @@
 # from six.moves import urllib
 
 # from google.auth import _helpers
-from google.auth import exceptions
+from google.auth import credentials, exceptions
 from google.auth import pluggable
+from tests.test__default import WORKFORCE_AUDIENCE
 
 # from google.auth import transport
 
@@ -123,6 +124,7 @@ def make_pluggable(
         service_account_impersonation_url=None,
         credential_source=None,
         workforce_pool_user_project=None,
+        interactive=None,
     ):
         return pluggable.Credentials(
             audience=audience,
@@ -136,6 +138,7 @@ def make_pluggable(
             scopes=scopes,
             default_scopes=default_scopes,
             workforce_pool_user_project=workforce_pool_user_project,
+            interactive=interactive,
         )
 
     @mock.patch.object(pluggable.Credentials, "__init__", return_value=None)
@@ -346,9 +349,10 @@ def test_retrieve_subject_token_oidc_id_token_interactive_mode(self, tmpdir):
             return_value=subprocess.CompletedProcess(args=[], returncode=0),
         ):
             credentials = self.make_pluggable(
-                audience=AUDIENCE,
+                audience=WORKFORCE_AUDIENCE,
                 service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
                 credential_source=ACTUAL_CREDENTIAL_SOURCE,
+                interactive=True,
             )
 
             subject_token = credentials.retrieve_subject_token(None)
@@ -377,13 +381,7 @@ def test_retrieve_subject_token_oidc_jwt(self):
 
             assert subject_token == self.EXECUTABLE_OIDC_TOKEN
 
-    @mock.patch.dict(
-        os.environ,
-        {
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
-            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
-        },
-    )
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_oidc_jwt_interactive_mode(self, tmpdir):
         ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
             "actual_output_file"
@@ -405,9 +403,10 @@ def test_retrieve_subject_token_oidc_jwt_interactive_mode(self, tmpdir):
             return_value=subprocess.CompletedProcess(args=[], returncode=0),
         ):
             credentials = self.make_pluggable(
-                audience=AUDIENCE,
+                audience=WORKFORCE_AUDIENCE,
                 service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
                 credential_source=ACTUAL_CREDENTIAL_SOURCE,
+                interactive=True,
             )
 
             subject_token = credentials.retrieve_subject_token(None)
@@ -433,13 +432,7 @@ def test_retrieve_subject_token_saml(self):
 
             assert subject_token == self.EXECUTABLE_SAML_TOKEN
 
-    @mock.patch.dict(
-        os.environ,
-        {
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
-            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
-        },
-    )
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_saml_interactive_mode(self, tmpdir):
 
         ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
@@ -461,7 +454,9 @@ def test_retrieve_subject_token_saml_interactive_mode(self, tmpdir):
             return_value=subprocess.CompletedProcess(args=[], returncode=0),
         ):
             credentials = self.make_pluggable(
-                credential_source=ACTUAL_CREDENTIAL_SOURCE
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=ACTUAL_CREDENTIAL_SOURCE,
+                interactive=True,
             )
 
             subject_token = credentials.retrieve_subject_token(None)
@@ -515,7 +510,9 @@ def test_retrieve_subject_token_failed_interactive_mode(self, tmpdir):
             return_value=subprocess.CompletedProcess(args=[], returncode=0),
         ):
             credentials = self.make_pluggable(
-                credential_source=ACTUAL_CREDENTIAL_SOURCE
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=ACTUAL_CREDENTIAL_SOURCE,
+                interactive=True,
             )
 
             with pytest.raises(exceptions.RefreshError) as excinfo:
@@ -940,6 +937,21 @@ def test_credential_source_missing_command(self):
             r"Missing command field. Executable command must be provided."
         )
 
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_credential_source_missing_output_interactive_mode(self):
+        CREDENTIAL_SOURCE = {
+            "executable": {"command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND}
+        }
+        credentials = self.make_pluggable(
+            credential_source=CREDENTIAL_SOURCE, interactive=True
+        )
+        with pytest.raises(ValueError) as excinfo:
+            _ = credentials.retrieve_subject_token(None)
+
+        assert excinfo.match(
+            r"An output_file must be specified in the credential configuration for interactive mode."
+        )
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_credential_source_timeout_small(self):
         with pytest.raises(ValueError) as excinfo:
@@ -1013,13 +1025,19 @@ def test_retrieve_subject_token_executable_fail(self):
                 r"Executable exited with non-zero return code 1. Error: None"
             )
 
-    @mock.patch.dict(
-        os.environ,
-        {
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
-            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
-        },
-    )
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_retrieve_subject_token_non_workforce_fail_interactive_mode(self):
+        credentials = self.make_pluggable(
+            credential_source=self.CREDENTIAL_SOURCE, interactive=True
+        )
+        with pytest.raises(ValueError) as excinfo:
+            _ = credentials.retrieve_subject_token(None)
+
+        assert excinfo.match(
+            r"Interactive mode is only enabled for workforce pool."
+        )
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_executable_fail_interactive_mode(self):
         with mock.patch(
             "subprocess.run",
@@ -1027,7 +1045,11 @@ def test_retrieve_subject_token_executable_fail_interactive_mode(self):
                 args=[], stdout=None, returncode=1
             ),
         ):
-            credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+            credentials = self.make_pluggable(
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
+            )
 
             with pytest.raises(exceptions.RefreshError) as excinfo:
                 _ = credentials.retrieve_subject_token(None)

From 97fb34a1dab76f6a46aa6721c8c2ecba96f5f139 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 6 Sep 2022 23:33:39 +0000
Subject: [PATCH 05/36] implement revoke method and refactor some constants

---
 google/auth/pluggable.py | 65 ++++++++++++++++++++++++++++++++++++----
 tests/test_pluggable.py  | 49 ++++++++++++++++++++++++++++--
 2 files changed, 105 insertions(+), 9 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index d5788da08..c0415a5cb 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -48,6 +48,14 @@
 # The max supported executable spec version.
 EXECUTABLE_SUPPORTED_MAX_VERSION = 1
 
+EXECUTABLE_TIMEOUT_MILLIS_DEFAULT = 30 * 1000  # 30 seconds
+EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 1000  # 5 seconds
+EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND = 120 * 1000  # 2 minutes
+
+EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_DEFAULT = 5 * 60 * 1000  # 5 minutes
+EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 60 * 1000  # 5 minutes
+EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_UPPER_BOUND = 30 * 60 * 1000  # 30 minutes
+
 
 class Credentials(external_account.Credentials):
     """External account credentials sourced from executables."""
@@ -130,22 +138,26 @@ def __init__(
                 "Missing command field. Executable command must be provided."
             )
         if not self._credential_source_executable_timeout_millis:
-            self._credential_source_executable_timeout_millis = 30 * 1000
+            self._credential_source_executable_timeout_millis = (
+                EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
+            )
         elif (
-            self._credential_source_executable_timeout_millis < 5 * 1000
-            or self._credential_source_executable_timeout_millis > 120 * 1000
+            self._credential_source_executable_timeout_millis
+            < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND
+            or self._credential_source_executable_timeout_millis
+            > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
         ):
             raise ValueError("Timeout must be between 5 and 120 seconds.")
 
         if not self._credential_source_executable_interactive_timeout_millis:
             self._credential_source_executable_interactive_timeout_millis = (
-                5 * 60 * 1000
+                EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_DEFAULT
             )
         elif (
             self._credential_source_executable_interactive_timeout_millis
-            < 5 * 60 * 1000
+            < EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_LOWER_BOUND
             or self._credential_source_executable_interactive_timeout_millis
-            > 30 * 60 * 1000
+            > EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_UPPER_BOUND
         ):
             raise ValueError("Interactive timeout must be between 5 and 30 minutes.")
 
@@ -244,6 +256,47 @@ def retrieve_subject_token(self, request):
         subject_token = self._parse_subject_token(response)
         return subject_token
 
+    def revoke(self, request):
+        """Revokes the subject token using the credential_source object.
+
+        Args:
+            request (google.auth.transport.Request): A callable used to make
+                HTTP requests.
+        Raises:
+            google.auth.exceptions.RefreshError: If the executable revocation
+                not properly executed.
+            
+        """
+        env_allow_executables = os.environ.get(
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
+        )
+        if env_allow_executables != "1":
+            raise ValueError(
+                "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run."
+            )
+
+        if not self.interactive:
+            raise ValueError("Revoke is only enabled under interactive mode.")
+
+        # Inject variables
+        env = os.environ.copy()
+        env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
+        env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
+        env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
+        env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1"
+
+        result = subprocess.run(
+            self._credential_source_executable_command.split(),
+            timeout=self._credential_source_executable_interactive_timeout_millis
+            / 1000,
+            env=env,
+        )
+
+        if result.returncode != 0:
+            raise exceptions.RefreshError("Auth revoke failed on executable.")
+
+        # TODO: clear cache when the in memory cache feature implemented.
+
     @classmethod
     def from_info(cls, info, **kwargs):
         """Creates a Pluggable Credentials instance from parsed external account info.
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 00564d731..8a7697ef7 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -1033,9 +1033,7 @@ def test_retrieve_subject_token_non_workforce_fail_interactive_mode(self):
         with pytest.raises(ValueError) as excinfo:
             _ = credentials.retrieve_subject_token(None)
 
-        assert excinfo.match(
-            r"Interactive mode is only enabled for workforce pool."
-        )
+        assert excinfo.match(r"Interactive mode is only enabled for workforce pool.")
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_executable_fail_interactive_mode(self):
@@ -1058,6 +1056,51 @@ def test_retrieve_subject_token_executable_fail_interactive_mode(self):
                 r"Executable exited with non-zero return code 1. Error: None"
             )
 
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "0"})
+    def test_revoke_failed_executable_not_allowed(self):
+        credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+        with pytest.raises(ValueError) as excinfo:
+            _ = credentials.revoke(None)
+
+        assert excinfo.match(r"Executables need to be explicitly allowed")
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_failed_non_interactive_mode(self):
+        credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+        with pytest.raises(ValueError) as excinfo:
+            _ = credentials.revoke(None)
+
+        assert excinfo.match(r"Revoke is only enabled under interactive mode.")
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_failed_executable(self):
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[], stdout=None, returncode=1
+            ),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+            )
+            with pytest.raises(exceptions.RefreshError) as excinfo:
+                _ = credentials.revoke(None)
+
+            assert excinfo.match(r"Auth revoke failed on executable.")
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_successfully(self):
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[], stdout=None, returncode=0
+            ),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+            )
+            _ = credentials.revoke(None)
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_python_2(self):
         with mock.patch("sys.version_info", (2, 7)):

From 95b6ce66964ce1487c4b4733500439c3447a22b6 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Wed, 7 Sep 2022 00:15:32 +0000
Subject: [PATCH 06/36] adding 2.7 check in revoke()

---
 google/auth/pluggable.py |  6 ++++++
 tests/test_pluggable.py  | 14 ++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index c0415a5cb..9fc96278e 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -278,10 +278,16 @@ def revoke(self, request):
         if not self.interactive:
             raise ValueError("Revoke is only enabled under interactive mode.")
 
+        if not _helpers.is_python_3():
+            raise exceptions.RefreshError(
+                "Pluggable auth is only supported for python 3.6+"
+            )
+
         # Inject variables
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.service_account_email
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1"
 
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 8a7697ef7..a239f9ca9 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -1110,3 +1110,17 @@ def test_retrieve_subject_token_python_2(self):
                 _ = credentials.retrieve_subject_token(None)
 
             assert excinfo.match(r"Pluggable auth is only supported for python 3.6+")
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_subject_token_python_2(self):
+        with mock.patch("sys.version_info", (2, 7)):
+            credentials = self.make_pluggable(
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
+            )
+
+            with pytest.raises(exceptions.RefreshError) as excinfo:
+                _ = credentials.revoke(None)
+
+            assert excinfo.match(r"Pluggable auth is only supported for python 3.6+")

From 36b770996a6aa9e1fa6a83e10854dd31efdd6e88 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Wed, 7 Sep 2022 17:37:13 +0000
Subject: [PATCH 07/36] fix lint

---
 google/auth/pluggable.py | 2 +-
 tests/test_pluggable.py  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 9fc96278e..2d8719980 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -265,7 +265,7 @@ def revoke(self, request):
         Raises:
             google.auth.exceptions.RefreshError: If the executable revocation
                 not properly executed.
-            
+
         """
         env_allow_executables = os.environ.get(
             "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index a239f9ca9..7b60ea8b2 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -24,7 +24,7 @@
 # from six.moves import urllib
 
 # from google.auth import _helpers
-from google.auth import credentials, exceptions
+from google.auth import exceptions
 from google.auth import pluggable
 from tests.test__default import WORKFORCE_AUDIENCE
 

From 16504927ad9eaefc959c4c828012ab373785d18d Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Wed, 7 Sep 2022 18:15:49 +0000
Subject: [PATCH 08/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 30a208ef5e1e6a09e1110541a05998d1db2559d6..e2b0f9afd2213641a93b60559b903c2da601cbc1 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTIX#i37a2Mg;HB-Q8);18cy4bk$l}`?PG_Wg$gYYr+z$PyjnQ
zDV#;Zdcm~*Iwfg~-aIrHEc#$&wWODNd4>uw{AQ#Kl~rBxG0acKsMgTmzaVa?wv)lk
zgS@E8rwrJd()g74FtDM_q<q=_*xNhBsJh-TWi<3b3a9|ENqcGr{dmFR+jVf#)8M-7
z0|5pNDm?I18NR|vJ!(3-83LHlo4)|=6UOuPP^pN)>uwFZczVtOsvg)VpuW*Gm`VlH
za)P4dSLR4Gk1>(|U@Ht|5Y<nSXIyA%zqntFwlWqbX^f+6`=E<Mkp?xMs`7upF-*fb
zG?U*dNX#jR$61MvcF~6L{A^fX)wbc9T}W0C=xE+0EXboEvCHw8WRsyin}K}H-q@J_
z*tx)5wEQWG26@t<2{|j>Wg?TMzXGbsDxs=XaPx6s@84U(SDc{3m?#C2#1mhFDRlh}
zQh^>g>%H^x?2x8Pt{7PVyAbmaKcR%a)2xfa^i{h!WGlY<yeG^#ISeKyAGJv}OLQCQ
zH3H+p0XrNxfhB0dI*0fLunlxzB*px{Nz^7&jF5T1r$AHuZ0q??1wKM?nVzNR{Hjyt
z;LLJ#@)T;)UF`HVoK-@%b=4P1eDbmKDw!|6N&)&DGN9;I|2b3~%j{IwG+5HG>^jP>
zoR&RBb}KaYUl6YD(F9;ms^w?1v5JWbE*l{wAj`apUDT($P?JMc*c3!ouj505CF|Ep
zc8HNg<yBpnm8QqTvrjeh?(q1+Ss#u8@{C_~1>i93v{Fu{yX63>Xj4sJ&OdW{Qb0v~
zVVO;N(?^GvRtgBE+L7^ruyPtmVc+^S`-a!D;CZGR;n(NW$@!yn_P{NSfXuIAZ)!L9
zzl;!%-mAfF=V3cM)D9f);}OXzQ|(bHt`2^`G<=~(#OV!9-j?PZM|Rxk!HJ$kFga-3
zVQNnrFWlAiw;$}<2+$oVEyzy7;u%%CJfW)TP)d)23ybzd&z8ym&}-)FntOAzGY8^r
z+4?#+s^7y6McH)ayrFb+pQJj=Lx3RXmmrJ}#@fzMybWRAOZ}j?1*Sg<Lm+j2uHk8&
z5CG!p9Lp$_gL_DQ@wbpqUP$_Wj+7>Lg9$kq^;kYim2n5wsNHPxHn8(;gs8J}qKFKr
zfyJx?EB*rC@9}w`btw`BDr{EEbF6>Sz+w`oD_ua(3jb)HG%xcC=AD2iq3L{HH(5pn
zrD)t5Evir%ec<abxcs1D82`kQf1UZ>{V2#n29B=^k57Z~BZ_)<@RnC?o+0suRF;I@
z##SD*REf=V5M9&6@=I5J(I+Pz{M}dI*+i?~N8hIPy+H=L`Tyr~`u9q4C!iqQ4e*dw
zHr@vh0esl>JZJQys|G>2@Or4B{P+ys`h*JSS>65*l?z>gh4MAY>)Gd&xbBE5Te^b?
zAJ8>uGadto0Iup?f=)aHEa`!I8x;<3t4en=AyS3X2E3pRDR0`i4-uG2^oM;@S)Eap
zZk6YAw1ZjC70^U(VR&1dbk0$B6e2iI3OnWEK$&;S+x?lZ6D<dk`<XiMHZx|DzZu$L
zdVV#bLUQ2AHTOwL192@q-s=JkHELW#I%kpaeh(_d^9|iiP*<bBSFZB*X)egN@`tW^
z>qQG0y|fn%h;ll4b4r=A`zlLP4nvW0+~w@-%f>WcELH+e9q;|}o_X!1-slRaK!1qT
zIh$1H^*bMf+_f3(>fZIj8URQEW3n(|2weJsz#(!&rdq{o>pRjhZGO~II}_cd%3z2=
z2sw{b9+)D>PeF$}PrtZ?;#E+s$0!)XPl7W4{0E!>t@C!>%$4*`aU3p$rR8Vh%S&L9
zb=xNDC#2D-$bNIxu>Yu%D0ZnZdD5MAVN&sMvpQRCXh&j6^`9|5LI$11u9N)&e4adB
zsgac$5C`yh5Y3q(e0~cQ4#J5n_scC#-hEMZ3lGLnO6m~21521ZvYmJ9#@PXESGZ=D
z+R9Umy?wY#xIv>SrH70^y^AQSl`pL=2mTd>hHpa+C1_6n_Un@*ah0f!X;^8wEMa&M
z8DUK@>K2kit8vplnY0&P6<y*+q#aZ3z<`hSmqn>a3z6fWJnUxs8FHXRl|K?}g;~2I
zauX)i)2Ii|65lLc1R6~h8?4ypNqKX=?r0!;IIz$2!mcnQM>_3K`P}v%(u3xCP;3qL
z(CfCJ?;C=TPnD^=Q;Pqqp+-w`CFFYfZrK3hjWdwbvGVesNg!z>v>Z(c_8ES~_t@7P
zl3x3x?c};Sxp%|WOk3JDK%H@pmk(qZDSg$C%9$~GW^84b4dAeHVz`_5C_{t8aQ`r9
z%ll?y0DY)Tc4aNdoalOpLNT;&(ng?AR(-3Of!|FIkxObM<+1BO8~6v?hGo4Ol+~X-
zu_r?Rl#wZX2Vg)t;gLU1j_Y1$w0K+bRy*a_2Q-y>4q&^+grfOd(|$*5rJ~VtKv6s7
zJL-$<T$40wG!M}vOB)wPGELCy?hbnUd=pxy(KASjow{|2*{{eF#n^Lj_t#q2XiSN7
zlrQ*Rzu{0P6;L2Ep8H9&Mh03Hn^>~UB0?QkfkAZ8%{Mn(W<;sMTEd!YgEZ7z&KN#2
zNPODMs0<zPRXGG>TpL%oT*`ETxeLmAM%DS8Vjs4El5Mvk;$mwX@d_Cw88@mnkn^_#
zM#7~_)$lDIfqWLkewU-3*uBWKFVpsv9S7~Ni$)2!PH0<Tvye1`jk*(2U&27~bq)pQ
z%Gh-ID)rfXImK*E46-VBGeH@D1V3r;j*-OsJMODAQQ6TMd1-pBZl}zr5@QGPLH%;g
z`}7iv)E8HGnu+{QkhC?xSc{Klc$`yV_2bD&5rJjtvTw#A!tfP`^mc9D&?2wt{^P6C
zq@0mSW36o<hvn9aryC*(^Kt(hZV5aUjBOyvGAW)`(~h4cHb=`iv4w6~+7Am>!#>+d
z>W66a(}6OF297Xw)3%m5l0^s>L21n?5=Vxrd<B)7%4S5b)QmkQBHo^}W8xMpk5x9*
zHfza43B9PMmDomL3Doo6^+`i!a`1>_HdaRQoYjOqftUnJzaFv7!jUiqORwxuy~<-S
z!0<g_eB?Jif#(rZyi|wNgYy+R>jjYP8l+uOO6Q|fuT6B25?69<<aV^!i-C=reuhEA
zoyD|4U?v!exJM!m-l3vxlnfgphVVELpH597)ES3wN%>akYNh4-1j9(O6dad9l|d%l
z(czNQpzJvApd9cE)}uJy#mqy2q4j+)poXmy@+JIJIvMkz2!7#D+n=H`I%X`5oYd2h
zN*{g!)|IApJ+U{JCTRJL^uZt~Z9b{a&?=}`l+<=U7IVLAX=uTg!camd7+Qk>;_JGg
z@HU)Ne2g4Tr_7%40pf7Ab|P&EJpuI0aa*PjMZxt^$}F#@v*ZaN;UCdGot9%KIHl`)
z*l^3U0)`QHP@=>zBy0}eGfLW4gyn%9GGgx-P&x1Nha6~z03~uqHiDWlI+m=nfWW(m
z@%Zg5)0RL3;QQQ3g?MaB9w>u9raD}=T=WkP5;tH-mKsT_IB|jsib>aDNhMCgxy)dh
zOE*M-N|#P|{Wf*;z_8&|L_q3rv&6WT%NXSW$UZ@(*OJyTH7Hug#6W1pe(Z@Xb>YqN
zS7H=oysC&^aM7TpXGzP~;ziKuPIvPKU8``#t9<sCvzLV2Y-<wVw3gqfSe)dZQ*W2H
z4s^JY>AJxq(tll4rBql!FXy*lX0}Hea5)o82zuZq=U$Grq7R##IMuGG8jWw}<ptB$
zsw2gWC&+gE#(}40oq&((@!FqVeu}Z+`PFwPe?$82R`W7=T`)?V-n6u&Hay;x@E-jd
zxPdX93(!c_9B<(FMu7m2kCC>(fm<OCxj{@AQuf)&gUF+dKV8DJ>1Gnw!%wE1N^r;I
zURc`lCMzN!Qw)tr5b>EhE?VXW&HX*{oCPna)dTBQ*^Cd7(<$DR&9O6rx~p77vKP9W
zH@!GKWk0S9Vh#FI(9rmxWO=O?r-8KBpcY7dF{fFjxyY+>3qt296cIN$G@<dL0Lqok
zq$S9{rs?>nfVzx~Et?7t$HDNK>0FR6VIlwrJptTuP<82rzh-6XSkj6XINS3ituce?
zmNdqe-r0fahCgFyg=#S4!JU=_Hl3nh1O4Hhii3=in(q%}w|!yGpMK&c4I(VzrD)G1
zb^#-q@uy3Q@K0j01)RBqRbS>hpWfrWCMWV_GU+pkGY1aYv+H20NXMioT93#%%$7kd
zLO7Q|f3|VPNe?5j3CZCT`rM~!WmpxJs0(ZMJA;fZvNlVLXF&k8d^{MW>cT%lRz#FE
zq1wWqLhEJ0S}wc!Qy-M$tp=QSg`^hfKwDZ_Ieo|Bd#Z(4ES|T;)AEHsaYmjd3iC{^
ze`1kyZhl?WxN>6EJVQn(xJC#WjGUlP?7ng0fib$=PE%DeKUU95x3H7?Q@E)pIS4?a
zKT59%!OD>C3J*5+T3ABm>#Lh7unRkp3L*c={Bn6rum0gLr>@8=kMxl{t{tKG+U6@$
zOus|!+esRZQpeJyBP1sj4r62Xd>`77tyZw>ooB6}E-}f+ryFF-6)KiP?REh4f*b&F
zOQVWOa1QWMlZ>w0Ih!)_Zr|BmS3TQ27zgVoM^aKi&jFYA4%vM2k3i?Qp{9RP9{HKF
zIG8>E$sbbB=Xx2xs$mPrIdn*Gm_e!-!j``Xz=?`AmLf40HX=>C_Zz;!=OHG|{r#dR
zCM_s~bbYqY5k7$Z*4UEhCZ77In&oz{4Bg`Gwf}qI!!U2y^tw`Vum*U9cM4$dTmZx2
zfSZVfTqyX29464~Y4~D6?#7aRfF}P(rGJ}TBvJKZ19(bi<LS^xyX8>iSN5m<;<=ke
z;JThr|L=sgMW@XjLy+y+-sB^!cpC8->UwWcP#e!WNtU`WEpUEJ^#H9G>|Hhr9!-wD
zi3oaWB)Gxi-gQ**s}K4o!gz;1^4AfqNXZ2av|KGyL6rWL9WW4^)`hO!E<4L)-x_m(
zZ&S!`L;#Vg8ojPNWOJzqfp7^HT`6Fre*MplQZ1Y`n>~AOOd~%=3qX%Ztt&hW7YgS_
zw?2^O*EVXfZM^&vU46s1krmFKeMlLhq)VZCwJlQpkvex&Vs24ImXj=Z%B9W<nj8cs
z2Bc`wm);iPLUp~ZhtIQF-#U{8%zDgC22BQ($v>x>nEZ#GSqE+A)(*9ntn6BMC8tUH
za3D*^(hdhlA?pUE*tA}swf2PkCRI-2w-(+i8)Q#15q1dI*)~R;Tn!vUQy#+9@Dc!)
zG|+t?meUv%ze)EmVBk%L%H<tO2~q}BA4^)4A-0b$$Rj6*+mi;>HZ^*q-hfhdfoTkN
z<cZsi@B8{8X(4m6SZ&NZ4jTl#9xF}Y+gEXp)<w<CO{z*I59X=iorP~?Fl^v?gIl4E
z{~{a2`*2L0q*IBR2zvW*6Bv!#+!T?ePzo*8O&+i-SDqwa<y1<Y`@N6D)+IOuXd!3^
zZQ$gjA0WraaY7}#&#DFMafJo{AJBY!=(horDNQ28T6Ml<NeuXZi-~H{?0vzkEj;5H
zlDq(Uh2T{iR;*_1UA%xMczk@ec~v*^-p`P*$fN*(z=X*R^lBRu;-*cG0fmb9VfPbo
zf+V9u1TT7N06X-44M2e|_(QB?6Fj4RuAWBr#l?OfvkT?Yf|u83!7-QZkZ7pa+=M2@
zwAHazmU#SrqhwiasN6J5RqLD>qKG%S$_6$zHQ5E^B(PijDLaS}{z#Iy<*$e=s$2-h
z#c(K|u0Q_mNeygR^*x@XT_5OQBes)D9zWD$)V507=d_K}s<dZ2kGJ*^)}5e3G^ci<
z8vmJZ5iK#adodjGfvbMZ3^mm!SoJu@VmJFVZjd5=H3qbhh2{WcF|@~q7WLGewf>eW
zwR?%3FzwmKxYYXP4li}G_EKNtEEUeB-#OTGm0e@DCX*dT7@5~_XLN+(fg^cQWpbNF
z>Uctc_DR&tG_8G5Drs7T<pm8vwL{xe9cL=0<Y>gGGOpGz_pE(#6yM!MK=O;2@g`76
zc+`&Sr!7l4{~<sbl09~4_nx*wBsojm@VPtaBMcCrZU4{lMq%5QFGlSs^Zec3d?TR$
z+o&3J&iIbTk$@kV_t=x=bC|zj3fcn*sAWwJ)Z`|wvHNtA{vMN|LxS(gr|;<b<4uu2
z;A8%&)jAmW;VRf0$(GtL;uySd<Re=PxF)kW#GdrNN3MruCWu@>Sy{sB>di$BNJj!J
z@tM!EsAaG-8Fil;;U>Yo%r~1xV{ZSTj4kHtj{CDd%3B$E&UTxddr-+)1g<;dwf42b
z_snkoX<;ErMg7%3;5aF<rmVlZDmWR+6C`44*{-DGtnNRN_JBS|vGt2m%yDb#g`SLF
zm@Kzu+CY$*<B>LD$#E`Ud{{Eb>`eIj3oc)UB#``6(P3~)9+1eWF(bYogzjs52$|j_
zp$WEr0iw?&G@`}jGAXRlR%OmXP96&(iG&1+@E8yCT>uSOTuZgO+4fd!rB)JQb{}L?
zs2Gx&@QjL}Dgp|s)V1cbC?aFy(T7*&*3KQ~oR@;c5lW=nI5t5bgF4(r&u9Q-@gJ=N
zGXoCW1T+0How6m`$HhjAfO#oF<|n()ic<mDX3`wV<etKE3TPMJ*(}i)XnpE!;><Jr
zTLGzt=n4$+&Pmj7?C2hK01~&o3*abP-%JCdLtqKeMtqDx9DEt`P4*%EKN|UT<{wy=
zX@HSP+QDMpEy80hH?JoOy+>WYX%%cF>T&#=?}%;E>RsFfF(?+=j&h60LjxiE<PcJ=
zyG<|yx9g@-9kTU4SujhqfJh8r63rJmb_?wklO#!2xe(w1O;_u~H9_r(C~N&bCk7ZE
zI)*MLA%H3M8IVwZdeqEav6(6YYwNLe{O*>24Dw%C)Yw9I_-`EJJ+V~+)amZn7}Kyl
zTRJaa8Ar|z<itxeuY^uM_XB_bR7n3?DPY9)Lx<xGQzM$BWUhtq4(&_%y5$~Ajn{%B
zRo6EDzySj4fc-?~DH{(`A7~t-tANzIJ|v<@k$g(cY@gOpj`EBRhh?ApF9i<vaYmf;
zvJm<Ev9A#EsGi-iwMlDn34<7V|LLj4aDT-(KvY@OlnP;ZfW!yBy|Y`x2FexF`^jcY
zhLq%yQQ<|{o`pjAJA|}as5ldD4YFqZqt)K@a}jRmlKnj@TS<5ckW1P;h@_>7p7d|-
z=-Kp+M9gEEHu3iTX*dYl^|;SZI+qLyqeKD^>wgAxXBMtL^8piXzKj&LE{%^DR{!Ur
zu$+EIm6BkR9%)Z@Sx{2T)wKu#S2Se`t2$IB_L6&VKNq9W9E5Qxf81G^R9Rp@)x4?^
z73hkkW7n_M3z+F?{W+M!fbKC$b*`7Tvt7?==f89zvP#aWM@VA>x^Jh8<WC=CAW~8!
zD)X$_J2kY%nuBiVxkXcxQGCqfQ!IF4qXx&2z^=fJAo<AV$e7%*=(h2WQFal|uO+ct
z3mlr{2kNBX^<+}ezq+qEkTupAq!^<Yv(w;IF#VS@7|l-Ur$86}r+Bm1ywRh147(?!
z7q%`c)qyjN<(cpx{wIq|;JKvMZ%^>g_PLd@@7|*>=>{r>!mf*xw@?y`K8fZ#&h!x%
zZ!?G?%=i%jQl8m3S^fyX7J0oh?SjCMrD1JEC^+*31OESqrx=SfWg$I}$TEBx?nWEe
z2@C_|`-0_F-;!C4AFi@#vePD4({wQ_<Kp&V{Bo8cw>q3WCza5wcmF=a+Qowal|+R?
zQjAao(-f~jl+>)$C4h-pQ}$PwYbr1SBdcC2wE=zst}#HR%ka5n6tI1x@1onWL+xgD
zI()9~9Qt<g-D*gwo?M$-I)}Qb`e%XY=A-Ke{{U$5N$5%yd^^>Ki9`tYAyI9_jn1n^
zx|ykazk%E4rZ=Ik1ESj8vp9mhWMa=pajY~cF!Feq`X97Sy}kE1QlE$?Cth)+3T7bq
zbxdMZau4d1ZHmSH?1^8YjI=;0Kr=a2*>HoEdO@;|sh06YK<35;u+|IlE{|6knIF^4
zks&@0vN}R36CU{xH5lF4)fv`)Uzi~F;#$P=#6M6z!66;{rcoSfYrzg>x(Le>>FX-K
zDu?10HC3;FpGJYOsdF641`<1;SO8qSz=^UJ^j&8)>F>o2$d@MW`WOS%u`RK|E)o7*
zl2z5DqZOk0o1B>ynOT}t{Pvv)@<RNo@DtA--Ll27G(#4+>~v7^YdGJu{^VKAUd}e?
zy3w+r4FY??YZ}yz?{c9vsSJcq3;(W?OmR{6DI!f16nM<d*O+tmgY+4d$$C0dm@QlD
zWgy4X%mkRph2n#lES*dsYN^2ohPz}gck1KPmon?4n4PIy+AA~BfmQ&3`7jsw$j{e!
z!2HtrKLx1m{|raoe;{x8heM)L^M8Uh<V(wg!!1ev)b^}@<-y?NMUPdQ#XV=0;mp>Q
zfOIFFaLtW%P_Q9h!FA!f);dG8#@xfBpI&o~;S}%(NfG9=9DbQQEkN)kNNL&E;M9!z
zVgcPP?@3*WgOea9rT&16h(Y^mnW!<vZ!3o*a<J)1@+D~t5%b)7!WcgOp_8c}@uth*
zFN;b>G@@k-<x?wS3#Z?Tj0hR`9ywo}=*lS4-v#@_%`4Q?H<?bGsVDaeEOXUlb`~>y
z?*BpY^<QWr&5s}gY-T)p$PmfAioWluL99X4L^WaV%F0bi{i0HgW)oX>Nfi<ixNWV_
z=1g9%<G=V@l*m%G@ht>5qil%~eZ{6;xnkdiOY+siHm#N^7<G5S9Xr4EcCDIm9fQ1>
z8JYY%2$|Ze5uMd(E-8q5S8hkw_IL%lNZu<RG=7+eZblM~V|p4s79(KIlD|Ijj=+P|
zT+|UwGJ2jZiFzxYWtGnpI(Zen(4g#WF-Tv$s*rmj;!tjwdcn?k61@wV99Qm+o1!JH
z4Y$_kGvW<d)RJL#4NJaqz2{2|RYRAK&@HvFk6^Vvpi7v_&=vRss2M1nmM<N^01oz<
z@Ma{TK!@zFWA5HgUj#GDPtW<vRQ7UlB>dt1nqjxdds9>j-!wbmXZ9Q@e&~I(gBsy1
zhOs-2&`+sehJGU9$Ic#Rj|I{ETrLsw{(^k?ByX{^JuNU*u_P(ZXRtZ_YuAzjD?E8L
z0fWB?IC(g1mFuvaTbdcmR_<E&!yni^U2ytDXp?NFs@!Q4FE#0E2dJQMt03-GAF}(g
z`JGq6NkGy|j>AmcImzLi(OtSSC7`ZS&n#fU-8=rH9eVn3V{aSnYG4X8_n9x>OuQjl
zQg(QGMcYPTC?F=C(%^x+*FCZns;^TviEJ{M>T8sVQ9SsP^tc)Il35ukqB65l@N?cY
z*1E&pk`;lFIYzhB24s=~JMJEtT3Z=_U78TTA<Z(ozDeQ2qHAcT>bpe~HEs%=+p_CT
z{*YDc<1Nv~>W)zyk4n<mjm87B$_R1?Lu1@1ft;ID)q*XxqS|6wU?PSQsaAS)($#+r
z^6EB52b(s37fjiYDw_s(LtK^O^*?J;i=>4%Dukn@4(s<Y!Qnj{%@L~nCMg~)_d|?N
zg%|1fD9E?R5T0~oa*nmLGc)NkZ=YiwVUYEhp#X}#h5heCx`261aweEWK$7sdn@=1S
z_A~O`{Avz$FZ~ABUpLrRlcJ}L$XTd@4e)OD)tj+X`J|fl^I!2Q8(??cW$=dI6-IPb
z=72yy`4#SMlldQ5I1_2Or|Hb+Bp+?5BNX;5X$3-R5pvsqelp5g1DX#mY3}ZCz0|En
zaV?K30KEr{KniXjxE2&AY7&*iUfA++x-LWW>kw!8=$9G^(z9E#8IMOR_8d*=t7kx8
zX-g8a6<eKT6WlGS_nR5g$bu8=Wgic=t7Fc(v!YM6tt;*v`p{nuk2*HVDXGbpaPou`
zCPxTO|6U}Ns%BcYffqEyXPx>^oBDHL_^$#1B{t9Zo>`pTqmb8{DnE3xGKjs84BZ0E
zuNBm_ii)S?u%qb{j52WcI^}>=tW(w4M>jkl%*Vuwk^xqo>cW=BxQAdM`*A6;9%h<$
z{MGAYQi?HM<F?oz68$+Br!rVR$iwxHvpVNuD}w)+G|b66B{KZ}LQrB=s&OHioSSKx
zK!SI#&|1}HT7WkuL`SjRsbD1&gGG4^CLd!1kfKXozx)q3;g^XkCYQrH$gec&ci+%1
za(kQLk41yhR6l{$quGK1A;++*rrjFJZEUtfi1M`T>~Toi%g&#{h7?y@%9kuK`kF~U
zBa{ni^ZRldb@xNt%Ry6r6HDkoL7BQW)up~IxN5G&pidDJmb)7?m&GougIF$+xjnA2
zy$U{;$x5bmE;L@O>L-pGcx=TW#$`#-btF4n#c0zK=$Aoa_YBMqPPH@5lHz6aajXGb
zV|GYDR5~82HML8fsk=XE0gLWcRIrdy;_Ko|1aN8rzK?G=^0+uRJUelF)ml|g{){Ne
z@fc8|_`665osK$LNu(A8M2AhHS2&Jr?X6GeIiNAiKGd@4<UzOWydyq7arlg|D$BD)
z-C3^^C;4kz`$!~PBAzM=w^0q{4b1$}-S$eQ&OZ`8;1F;)MYFVg*V>h_vC<m=W6KMx
zC7OvYjupFLW76<*<s(yQ1>^2Ov3{Ed{NeAtXV5~%ZlgV#wdk0A7fdV+$IoSkD`m#p
zL@LLIB7C44LeR3w_BK(&k0bWz2^9Bfv6NV~0Rfh*D*vrdI2U%a-5Ek^tfGz9i<y*5
z9@!NPO-L07iru!K1r&o-E!VCf(X2h1rq_FJL*OTBH6U2S;FW3-Mh+TC%L-4q;d&Qa
z^>jF7(BzjYr3#+|mNu{NE;aEtnkLoKvsVx+Qq;c`JTQUF%0H#%p`4wh01f%$e`J;<
zSQ>zcQc~DgW{O)i=}tUCi_vCzo0iLkDPVwb!t0OG`n$Md67q)W`%~B~)CrSQ>vC}z
z@mTPDnj9psSb@UQov-*ekfEt92q;^DoAQuWP>Rc4E_9dO{fy9hoeKwMR7{D^l!J-l
zl(x;48)mc7ot=Wtq_c&u4v3F0iXpR>DWK#M@KD{b0D#$bCAe8|n{EkUB|!O1+P?!a
zITyY=o>ZTt)INQz{>haJl6vy0Pd&GWD2d@zGgrgzkSwJb=K&62e%zdz*41~NVaAjr
z>uPk*cRQ(S)A8t{iw}U1wqxD3``AeITFo6jH_ZvB@GPagk~W)h=-$21PQBb^`7KIp
zb?YzBtaa;~Ly&vUk9`@*?jC4>3O1$Et+&H8h|A!ap8WqaiJ<YHRt08hwXg{!1(w<=
zQ(F3oWiaqZls4&kq`bC;OqV_)e&)F|2VUoP;|*6Zv_sT0-B9}NIWL-ahN9|^ojaor
zlq->zX+02&McHNAt{3cfaIEp1ue^XyP_*XW=c8=q#G6T--FBc~y74*d4NlI><}JDC
zfjG|4qYtqqBUXFRaUU@dxc@ALq`H>4)A*%;T%gSV|Cl>)fr->kYJy>TII<?pT*~7$
zVPa>`1l6UPS)e^5h%u+T4IVh)z~2;VY{2|n_N<nN32W=em+u!;&UcpBkkkQNRbQ`x
z{{>OvS2Wu0nf^M(!|^Z(5K&M#BSdNY>HS;V-Z_Cc2M{KL4BqezoxHbNdOnG2EwmlQ
ztik^s<^v>P8*w;F;#|9mW_&PrdgNOG+vo*Kv0qKeMsZ+%w7&1^_!8d$owasm4jRy;
z(n32wx5Mi0D>}_PlHBJj?+(yVm&Z-TU72WRnC;|S`2Fph&2nF`=$OXk%DmV-C(WDp
zY(^FcOMd9^+BMWd-gi4P4E`lhCfvBN6p_DHPr;D0TToq)S$g+$yQP9g;f~_5MtiH0
zRPL^An&F+5EA#`ff5amobL!dw-4r%LQ$@JxO6UnU=SB9?kz5Tr)Me#-yUcIe^jCtQ
zBSJm{dUL6=ZRG{w000LX-{pBaIfnVsRBq~w9k8f)`n<+$y#~3hD!s+$Bbnp-$2R?g
z{#$^S>)V5kS<d<0d~95lWO*Uy%K@qVrkGvvR^*wAyT)1>FsL=;A~|UhetE-fW$f}x
zb|%sk^L!)~hRyxumXO{A7H$m<Lu{VcR?#U3(7BrPXG2fl7l-g$v;|nWImyf_xduw=
zuxqQXc$1U=kxxM8fi2qQ1HJ@cXOf<S7g+o%-r+*maK=A2^iLUrrm(4Ko9A1iBZTyW
zEwl@}oyc;$-IT;3L0fFMpIk@mi%-LQ3vYIR%&ZaNde$D1Ic#UOK-o1C?Wd_(50A2X
zSWSX@;5?7u4WhI;jNat4*;8FvOuyo2rBEmp+?bT5wDijiWZrnCsx93<U@$k*8A$$b
zKM9<|`2XH?8Ss=kE^d}+x=EYTfqHf$j7?`5kl=3dyMIUdVJ6BmTz9EsQ$5Q4u-p8M
zrk(Kf^!Rm<OSpe~jqD5VY&RBE>A@7<vkdJthJuF2IHGGq_yd-8IY7KTFo&xJl!f?A
z+FTp8u2#?Ct()mtK$X`N-as<`IBi(I)BtT`nvOMDtEqY)eG0mK>RCSr0&6nm1a&dp
z%jx)C@tAfsD1d}^dYVi2CDc-&I|K$8ibmA%sAb}oG>5+yp#~mA<fLEiErOHK6KRO*
zI?x;hy=qz<q3~Q5+@;Ri8*mkB$n3c<)=gjM1gRa(?^r;5E}U8yl<QI35HEV7&PJ2Y
zBPFtY1|=eDTv8r0H$%JL&0>2_ncuF{VBCUfnQ>wQaBgFHk>}q}(K6kcpFf9Mc3tq;
zLNET7BC6L=_w*$i-Hy&9x2w{<k1bFBBBT2Ik~>1HoQY0&McreaSd)}hj{=r^j;2Sq
zXcUPl2;F+E1`OqQU2Glw4tcgiN)$;Jw--NnYd30k5Tb3O2=_t);Fal3KCbEQ20)lB
z9QiO#XT-m;IzxWE0-99Yjq7A9x5D&Oy6y5HHQrK#w2Cs03Z_}u8bz?u-I@{-lnrN!
zjm>bQy3eW?yS}uojK!;R^}a_O6|}=e%EiSV&9~tun^>QRAzpYl$xah=-^O7V6K@3=
z0^l<o_VA0wsT1@_`bgo+i+ff%o4=U^^!duPlD_HRGa`P;Ampn)P9SLtsQBHYXUgAL
zymRYS5q`~;W)2F>&(RcMQ?4{LQht-s<MLeA*Ya7JO)M2MZM?6FCD;BQF5sSCzRn}a
z*l*?sGVVeqebSKmcIji+9C&SZxv8R2a+&%}BPOBad5Tb1`&a+wIlFBDlRupr&V$Ak
z3mfcDw^%>TM^geVMd{&B@T4Frn-Ci{8BzdISI{<JdS?c}ny5eLxJ~WxGth*>0DUZI
zA87AfV&Xh+7(4Fa;^pwukbAI*N5hq@0krOzh+GH}_gpL1^=xC8>)_>JBm}y7u!ro8
zh?ubssL)7T_p!&z=id<hav&4QB_XON-&y)Rw)BkGn{sPH8v(Akb%TqS#;XjH7h)mY
zPG;_YRY{AN7wG8K9NaONV+=kS7GxA9F(0S81eVyNMYg^A+Ui`}<l2(Vr|$`p3u?6k
zm^NI<3?inLdfNMs9!W+1T~zj!ya56X-1r>w%2StvhtaEaA9s)qC^LPG_*-*{sb}71
zPN*ndSOKqUiOEM$+j0=rQFhrcs$!(@5I%dt6cdi?xMP!H;N*aX)j_x>{OqTb><t;K
m6wswqIHpi~<{qG}`dkcroN~OVimX<v{fU@LbSE_#$E!do7)WIR

literal 10324
zcmV-aD67{BB>?tKRTH{3BXDzvLUJpUDi~`7jG6(}g#EG@T^Y`{1quA`_xBR2PyjnQ
zDV!o|HdbOQg=!uXbtB&!84!^DjZPpW8>-Y-DZL1L%QFj$Z+TYSP^IVi5sqbx3+SiU
z1R(l_QhnrX>fMyzGdY7Ioq--dFd2*PfgTQfB<`!8{F?C9mi5=SD<P-Cxp<-0!>S@&
zIJSc&2_L;8Rb_$fDQpBl{|L5|E<oNSnd<Af3n%z8D2*pmO!Rb3X}2njq%O#|k~fII
zygAaAzABt5mR8-6$JV3};F1qelba0zDMd`qE7GQ|J_3%j!aixZH|6NHhDKhshjTrx
z6K@`bkN4ay#sP`W6Y)a{;WN(JV-T@(qCX1HQKEC`JG-#z%k!iuc0AqYrHls1YYd<7
z2qFWg<69xpP%8~c)a>n998}N}SdoprF+7+B;QWA_kz;deoX-e%GX*Rt?fhapqXk;d
z?;{h#&1~Eg>7?!?X-Mo-T@{>FEG6hmoT%ZdtI`|a%)vKZtptqU=j&#!nD#NXu@-)i
zR39M-m-5&*_;;gl0n|lu-Lr3J7}=a))T?<WcNf^sHXsZ@yrsd?p&s^*`004V{6b)y
zPgh@T#!dQ80+yk-l8C#N#W+vX*&5YB4D270j$H6(^vt@&x|t?~SFH5dRZfdT9cCW2
zhN*VW?2s1$oHvR!N8p1TF!kWv<?OGL&3m7lIk>?UPOeT18snF)R39rm1*Jwi5j|;n
z-&L;ERj<`_wDGXtE7O?-&_7g9dKygqq~Ab)sgveAs=nhtWW!ZWaF582cl+ehN5uW0
z^j>kEh%haMADzA(0VUTMO6Sf{4?r!$jb2cO$fj=7_0c&xXWOLVHjY`s?L-<)2U6XP
z&tN!ce|=PAejR{>6t#aB7iLiP7%|dT&)9;oadbTB4<!7?Yh|Ki4RdYLeo{br#M}bl
z!uaJ@;x*8D1jRyorut#l?NC!Q1t}y1)-7nBVzN8(I`euYq=rf*7b3_Ta0K&eNNU1z
zfO@nL_DX0LZkT{`gtU!W`P#mLFc=L(Xod-A-w;(ae87B5ZewQ##Ubf7J)L8e{*nBn
zf?Fi4`k12^3g`V-rCZ(mkFOq&?JdNHau{hTlC)_O&gjYxOr5=QDutiS^lTIwi4j^V
zI)%BAwnAQofZ|-&kT*v6Mu2x8GGi8dc~>=l%?gH={hPeGl{x}0x5AWhLbn5th8OQ`
zJ<+ly1H&2+7n!|TOFceKxEftJXGKb$QBZ4Z*^EADP$qPBJUk88iUG<=772JIQib-{
z@nhFNDvuAj8@tcZ^P}k&r)4ojARs8ip>qarrOE<q(rZDNUT{M@f<o93N$i$gE^?V4
zJzulcb0a7T+DkU6#ux?%1~Hnp7mj%UE+328g}ttlfCG)Lp%$qOO_2UUm!N*F{2G62
zSxl;ku9cnPoRk6W0hj<Csl1J8$2(J(!gce?j8~2-FOUb~>%hkNMVj{o(Z}_W!7r)s
zI-R1vw`0@fDQCQ&?jsAaaYc-c$LCMpWB%AwvL#Vz;#|bQvN3<5qLjL!w~M3#vNa~0
zXgI^H|J=W_7<77&#H>hq4v0oNYZ^7RCNH-)ySxqL@EEU^QJXfr<z4QhVoI1vh$av<
z9nX!)b?V!P0+T=qT(wDxC2(#*|9@MgDjnuHP3|Finnw-<AxqahNak1gcnrOm0T0`l
z@8M~c&539-ted<7`_?>x88Af;_3nr&h>bF(@(c7H%m7*weDPxvX}XQ6OD>K3iDq_5
zr*-cBthTEoO%rA-&J5Xi;{PiyC`1$gGl2YP$4<)A+P`IfrAp3t+%FGKY8bcDdKPvq
zbC79!eisMW22riAOgq$$eYY|L&^nGl7TG_VEa6?7LKw&<=hhmGvOI?xYsW!4Qc9l;
z_=-52rcb1#qLcs74Xi2}%K@S>HNH`j!C{v+Mk7swXijmT%ka!y7<(*mSM9C3)d|S=
z^9r{O9$f`W2sRqm+VG~VaEhJL1*j>xGPWdQGgD1um}OU=&7E+CIr@vgAO$r=o!V8d
zvFrSc*=u=WlZ~#i3hDM<505!M-J-)Em4M%_4uPFL$Mn~hT-(U=kpaUL3Es*5w`HP3
zgE=o6+Vkjqgf)B*63rux0dEE~FV^W(4eBO+oJ1qQu9#gbiEyRI<x4bBFwr95Q*O3N
zYy)V$izAwJEphYdiF5CuJ>br_t)*2gI2U{AW`e_5XAsdsS<TCS9UYZf??xitqS9}2
zfjoHwI<%o^cVxc4Q_?g1L2G`E2X&zO+)Ya*49`B~Hp$YZ0qGoG21u^j8X)0V`V;sD
z-PMoBh2(O$pObl=7*0^d)BisD`WC&^7jkMjDXAU`6X7{U*hMZrit^_fhA2Wv9YWW6
z?qC3<E6|b=0r{zJXo?%e3ZD(T5c@yHQ_4G*_MlHDo-intuM$dO)7ZjSMWLb4tn(e^
zg4q&c*uzxjb>ci>z7C2l&J_2ScQD_pmL{cC)q+j|{r+%}xS8EyR?XJ|bB#J_u8m8I
zxg3a~-fJ8u+Kqp`PnG7DcbSG|zsHI15PdD!y$j!jLdaCm*>+cd;iL43#^D!L+A0(1
zzZ4uJq_{x6<8#_L<yGzSa7X4MK&jrM7r6Zy=)LRQMbN{31<TJ73xw=Vz)8m>++|DA
zZIc*E$0T#X#h|I2a0Y{0L=(fArsvHSqz_9j1})WzAVc(~l!d-K#p?GX(20fsQ}&j+
zs)}+G364G9ELg(%<%v$3mT;@7h_81yId+ENbrTIK+H&n1Zfn8VqauV+Y<O^V@wnqb
zrGodAD60eoz=-0h`hrG~;@L3rltj&QD<R7>Y)IstHX6@z(V;}$;{s-Nj%xlA9bjPb
z_hW!nY<g#58Vu&Ka>mBuQU-z8b{#?2$>MA953NlUK5-Ul1RTKs7=NHBh2X>^rp+?%
zx(kaNn3Uz8pTeAZ6#6wZF*l*28ip3;3~Zvo@xn9@vj7`i>2%;MVt3roO7?f=kbQs#
zG-OB9V4)brC#DxFu$tRqA-fseer6f|-|LvX`4yp9K`yEN%F_#m+Jw>u@KXHvDrdEC
zl+g;K7v}C7PJY%1{MwLgs(r(mPIW{#B3HCcEC+r*UG;om<3W8BQ4Yx+Av;&rzYXWy
zobHWJn)*@&S^P3$6r<b=yx_1}<{DMJR#x@(=w!PJD^B9Trkh)|FnqTm(a6tBraNk^
znLW9L<l96HUu_|S)<qsa{SCh(MzC{PBQq5o+W$qD^apelF1G6#G)a*dag8V3{Jn+H
z(*!ft#GSlQ0orG818wvCI@5m}B}B#?2y^^J_Ji+N6eB-%@^t|eP|Oj@A-ON^@hqz!
zm_lpA=UPIpdenqW`fQE-BX;C1g74?BB7mG6hGlg+xtTDjaPKd$>$BkdmFT(4yswrQ
z+`JnWn$#{+%7fQSPUAbWV)T|X+~lJf3q2pQ&0D1teD*vmqo$$39K!jPo53<MA#Qya
zlrLR%-!p|GDywNK{MDC><^&(w4kLw}{<=*Mp?a<Nd-2ehe9)(ePtVXfPbc5R!)wbZ
zM^$7$r~Mx^HN`&{(1)MC>W)mYpS2H|131q#(U=c2YZk!ZJ6km(@I#4Td;!mOAMGS9
zIY?yj;2Vs1&>3iiLEp+)gPgKklzOVm2xQmu04p?>FK6zSht{6T4|~5`?^XBvWNx2e
zU*nLM0gqt3y+HdKAdJEUHYq09)#6;aN!4rjM9r{AH|dGGpz02Ye*+Gf2Y3D=3D~-~
zn~2RVU5U=Qpc(YT(S@tY^d?Av(`xJ3>RjPvvxnLFD%MVBSx<UZrJ_<qQ1OgEn-;(+
zrXVCVJ@EkBuK=2Xk(&u{WPqJ!ogUB|jwpKwB>&^gwHE2=2Zv}qe5{Y28=A3e2T8Eg
zC?EHTJNRA5EU{kbnn2dAFl&ftZq5!toIYQr(qfCaj9js(exTDe{n!XG-zlJaq(neL
zW~fU=eGYPkiIF{Or)lwg(F}f9kWVU-q$!6DPMHp`9~wglV=Nowwbv%NXyK39qL5WP
z>;~Gu*eqD^VhKFh%$jDa14eu30BGzyeltI7deKS|NLZS?E?)?`kQu8Gb!G7LCQ;rm
zQ@zU30&!r)4p^HxNx~T%K8M#rfao3(TU!r6^(1dMEndYchg~bbtH17pd25)A$)gPd
zwRF#<uKf<<821~#5m*}^@wDXB>LJP@3FtJEoI2_;Y>$?4`rbn}?&^(6*~8pxG>RaU
zImd<Q`?riHWFyRMZ02e!IrRS|HWrjEC4)hOZ@vqtdFgOpT_&oy7W;c>z%4g}!TH=#
zXj-7DL&_AJcP_V93U`mP4DP=bEB@(Cp6<MPUwE(i4LW7?abKQSK_>Ng{7tg`@7Bj=
z7--Cf<CeY3KwbGbH~%UG`V_4iuIP6b9+>AjE{LKVQ*>r!{6(Zk^PTOwIa6rkkxc)t
zg)E|o#Z%fEmJA)_`usYMy?4_|?2=q@W~jbQVm{fDI3zDSg-#;H#9f~;F6X9zG2#j%
zAOxI$K(En4w1`aDkoOZI{9e64iP3**^ld1tSV6|MR^q1NeTd~Y59^~}#JL^G6I6fC
z#(<F)eU`}d4$x6xowH8}oYgP0;-Ai>xKYaU2@~C6;HEQrUA}p%*@LD1N3Lfz>?||p
zJ{_R$cs!&b7sT2Il$d^X`;N(ND{?Q9udRRTv-OS}|E;)JT2$q&zY&-*PgSvMdRbO1
zi@q!Oa5f?dU3>0TL>(a`|BQwtaczZ5@)5jQ0)Sc$?;P>dnd>KwMwFu7bl3?RjPHsO
zfxYZyVMlORECG%CN>V26`PW6%N{cc_h7tj5c5Vjq=vfKYnVhwYyo9;IRY%&)D;Eh<
z`if3Di^%{sTg4jy>{#qhxb-Mx4{mabVjSS$$JPr|KY^e_IMyMeaF;eh;2AfiLq@5;
zYo69bliOJ&><BJUc0O;%$Hd<-9+M#D+-Z}d;l@t$=X1K#I?%6>7{u~&FY72AFGVA=
z=NI)@(hKh!#_YWA#?Ap&Q-x5nVbpZ)`+9#@`O7hhwGhvp&+YD?C)rw%lM$c+W%qY;
zbVydE*QKfGk~v;S9#wK?a9eMDrQc>RUm1NPyRSq<B*b7Hpvi2OlPnFZgD+Y56i~1j
z-c#2ak4}A>TX9p`TJ-jj`y%<`k@kH<w;7f#BxyL|GXNnjuIvoZ+PwB>#L;`9ahrg2
zu0chfnU1NO&S7gypfB{u4>JjU{S6d)vjfQ8>h>Cl9GA>Rjp6|w2G<6VtmBQE_D#f$
zbzex0;)%Wj@t4<ASD!vT2K1UB+szZ#6?+$$skQPHg#-8aU`y17QrmAmq-u2Aa8vz%
z&Z}aiAXzqvp5^%hvt0>THq#bgR}9}l*9vf2Gdb>;BnKJVKQ*x#*YO5T+~vE=xcr$m
zgLIY5?aKr6EjkEMdLvJ6*k?!>0G#Av&r07Mc+jexZa1+~-{=XmS3wi{j{NmrY|_WU
z6kp6kegBVqM)#`zqNHIk^KEELy}0jC^Gh;;kuiVNQ-jbn&d4`t7clw-a>>Q4yK7x!
z3I?dCIv=<{5!(k#l5fsPcDteyTS4fKs~B?M73ZCZoq^Z7k#B(`LbJ}$3No9{#r`+A
z7qUXuneMuc%}u;Mrct8Wj#3|fibpb#rkWO{S4I@~-EL}(O_(AXx(DKYjyw{zV07nN
zuI*N#PZ~`no7T*G`bhOR0b1S=51%Ic>ahD)dls#e55#8@B!N4YHq>R|z7T5@9V*Bg
z0p@j*n!_mlK|(@xSs{2RK=I%;YlkWtz*4|S=eEDBzA?Q>6+^w2aAI&iFhh)QDQy_p
zNULXemI_GHyccT5{qewr^7xhYyK(iKSyka%1K7bkjjw7LDW&v<gb04mHjGcFSn(?)
zY^`2^FXk!w+E2{S<ROjt<+39N4lhm&H7mJC@J8@{`hT_XiFaCX9ZsEnj!9W$4BU53
z)dF<HF-<lS_VgWV3FP}Qmwx5KyEZIQb?FJSRF5dDz)yC8ID^~>g~dai2Y-pmzIC>?
zvj%qpN#K26DJC){tfg;VTlm13)ZFSdbs55(uiT|(kvVYPRMpN(r7d~u*)tabe!hi&
zLXel&!OO;4?lS>=$!lgqu&b_Ilhyk9Fvji)J=aV1wp0QMLYbzjUL*s|2>t@?f@u7D
zKXAF5HtZGMutv*a@gFDN^q=}2QUD-IB-x=w*-+yIu*E#}kza#N>bb<0O}3Y=(*B6&
zy6y9X>cx$)i#Iw(O5@m|TA*`X9*AsL{fSg^CiY`J?J849GY$f+zL)8LgR6eoZQ8<l
ztobhs#wJ*r)T+pq?0BZU^E*65^$JwUU~Y)vKY<u>T1TNTLJ>uXMm&;Xw~9UD@1);V
zdE`4i1u=u%Lk+%R7heDca%PyT(#ov`7-#R=GW`5jta6b7EOaf!{$(#D-mM$6RMgUv
zRKTH>Vf;0NfRZLg&Vo=54kRX_SPC`~ieVHTX-0&Z3S=C-$%tZRuQY7<NVUN(bMiOI
zu|<CLfzis+?Ho5dAdY1sk&ZcfsxXp(%fY-M8GsY8EB7V-px+E1`sn~&y;y1CKg{QU
zYJF~gw(kWax;e-t;ygw^TdZ;=v9=B-(BMezx#{sga<n^Dd5319d9&hPK_2jp1AuN$
zrot?OenDI~<=K)Oi7EVmmOn##(|-Db$PLliPm#7;rX4Qqt|gqUgN$SJCm^3T!@($w
z7U*I{9VZA(Fw+>>T`?DVQM_t%uW686Req7e4Ckc~ulMIG9@80N%#B!i&#Q`JqdUzI
zVHVKaGm9TC7k@Px|4tu+N!U_#BXEnGH}+WZM?ZE_kj>tPFsgljvH($%y7@7iM+~dO
zpQ>Q_^W3P)Lg^{}&S)cIi8doh6I@M83N7s$ZhzJa?|7(OUo1zFID_&a2k2oLwTQ-L
zgAd#I)9uOm8tWeIWplgTN09BfPFcUM8b7J7GU3+l(rekK;|#zi<p9Wv`qL?|IK!rd
zzP>OCYz8C}qc9I}R!EKkf{+VS8s-EJ;1e~*t$wi=CDkV#btA5?4fONo;Ygp>=5_*;
z`!5oON?@y8bYwZ)Xh%xwYv|zMvNYsY!b>dwn5a}rpdp-4LbvU+i5cFsLrz_dU3E<y
zy@jP)P8WM-!u2S}a%w&AuB7<-nIhsD@sc_D+?XdYr0jlX+(aGT(ZB(?KgZxaiJ?(j
zkGNhPuV2;KQG!rG@34|sbhCrsSJB$M)pfCAn>5Upcf9D)ciVu+db=}uJqq}_(1%;J
zwjsDLhLc9Ds#<5-s>tz~$!PSuq~4$eBI065%l>lrps_dKenWU=R&CzVc5{D|Ptjah
zp+>QYWH72pl<oyx=c<4yCFV3wM)WAH|DAC>hNzz98<oK9#LM#-{qp_He8g5zIi5QB
z1KQ4JOf5L{Hn(zdI`jf;6mxA0cNUb&%|^F0i$bBGn9FI!z0(DVKr}BxPnNT$1#R@A
zcUj`AKS-2z4k28NSG>4xGQ_KVY;cK!@5v5JL&{=5w~m+kH^SzJJ|TaRTuXzt9$px%
z6@|l}yN>rJw(5QixX-sZG{(|aq`g<mvlipY&Y2tTl)LbWC*^>635eYk04?le(DY?^
z8J{)?e+Q7x4Pz|C9IE0XDODQ%4gNL)aWN0d!nE3kO{FSl%7t8dDP6d^M-b?wL;%@{
ziGNL$&>voGRMlOkKt%Fk!L0a6MFV&gINp0wGXGb6Y-<5N$pA$drv7)Zk%sA8nz`zw
zz@Y+NIBK}Q#l@lACVrk{Wwf}%Wu||?4QK+bJZi`bKyyF+QrP*J41x6T?Sww`{q~<X
z$b`L7IRgXn(;vq$?QcX~VGU=*jTPnG*#Y!qxI1;cQo0vw0gNYUy)b+PF0=b0bA?<u
z)DfG1ri5ces6;=Bck#dZbk$%N>cw?D<!8l)ZQaEY+@FY;PC)kd&NX0$d*ju4l7}9m
zAPHSI6aTeanZeyN$)GN411<f6HZhe#4P~r0!T){vIe7&_3bGm1$D4#&O=FhJhIEq$
z3F9SNJaFAEu~%>uT+uh@#7}#>a%D03il&NN8uuv#*Xigx7&~pPMc_A_aZFJW*?e>u
zQvXc04@^cCBk`Mym4chN4(Va0>E$GehDq6t(7Hp~z;5%jKYjs|VaR^;S$ZMwhhr&Y
z_WxOc8ki>5ZQ#bk!2x_1F*cSH&aBB>iLlrN>+M1o@m;Z`1{S+4yTmpPtSf91<uiaJ
zon?)z5g+`ysA?X4;Ploh2w;+Vdl9<hLH;fspd9_b3^$4R<I1zd36g4~h|>XlUhIOD
z@i{7L2O-Q)E=gs5G7u|(VgtorljoU&DrWw9U<z#O8t4LZQELox0$K0CqTus`pJ6`#
zM^5;nK(V>(R^8a5u|W7zn3rfh^3P6}<V7@{M|f66c&5uxiET8sR2VTCK93^oAq6Fr
z5~zGf1~^a95xf13@6}7XAc0aHeZXB2V;j2z=(yC<M#=|{u2rQpvr6#z!i?HiUp%Rt
z2a@%iz|)j!5pY^GnK>WMsy$+>{ar2){Sq2K{?>?`?wxaSMJaj|Tw#+)BVb@_{DI40
z@(W`uP@ts6p=~?LpiPeN1Pp|%q;<#bh$fRF7Cdpgm#DxmL!~>mt^>UfHlA!xDfLT=
zkDV4MafeI7S8ymaz@nC9bm-+a3x1>@*o0k;%}@}HVJ!!L^wrNhx)ho)pgfCO4K&)(
zO=~nQfI2iy2II@_IQY3aRMvD&uyR{4X@Y4JF<c9tB4=O-!94$8GGd~uRT9|Kub2p1
zZg*lU7Xu(y{Qn$TxjUn~w5HjMA0IK{CzTcx0DmV)kE0zBxJyF9N|e%|8Xa&wU#*hv
zO4XV)YuB&jOUo3%*JJqbC)<KUR-hP6Q*d`0ZX6?>7lT~<<&Q-m<19D0G8IsIA2UEH
zgbF!DdF~)A3aM>^d{ls#Y7N*yYL|{iXWfNtSZ+aOV=nacN?)K-K`&I52$B%^;T=aT
z`*G3%7|W&x(3*A~5x2T#kBl#9VlE2UR9CDsfz$x?eZXAvd}9?S&Hb_zSl_2k5t2`?
z#<tK2!`-R}y)VEY!Tv$hMPAJSOyDMPM|@wVXohYBZBPqs0K#t(h}Pt<M`yP>KA03G
zUux~7ds6(elVydC=yEhvzEU$RjoUV1;SU?hd#+{e!Yc<vjJy?ai@Lsw1$GcC=*OoI
z6eTd)ZadP`hQvP&CG8d>A=Fn?#KqagI}{QWM4VDNRE*C4ondpG_km-*QDe!wiJnNY
ztke;E6wueTNTvBz_AmjW7pc#>dB24lsbkL=#Bq|N^$+Fc<|~9r^1n(aH8S~g@68=j
zIgeWu^l=V1g9-CkbX-a=XvatFk-;J+(wg0i9ffeQLz`6+b)LK!1Ey?nN>#%b+RT&t
zxQz>(KW!+kz|#_-I^#aY<*FmmLP(N_PO>GMa6A8@aeQP*chxbj38y-(m_u&+thP8g
zE!W7fX5K$Z_PO|m;~QyOsQE6Nf^ipsN(QGb8H^k>e`&Czz3ULKcw!BC&lZtL>5^48
z3vaa?a95m|-be^<cUxF)84NLP;C;&!>QgB}xV;G4fcbp-hQ(I4zU~cl*Z)`jl?c(e
z*uVdJT?26tjLC<ssr>Q-^WS!1kDvQ}U2leXu?b8+YaB@sC$YiVI#D<&^MqA|rgs`5
z8#A5z7F!1M>ZX9H%11N-)rj<XxUj{k!#~C!){7+{`Acu=6TV>@lkW{t3-n$6B-*5p
zkBP8-@_7iQ#43t}_rU#Z-xli!{pSo%s7m_t#Q4szpy*zIB%H@++(7w<DmkKI=i16_
zy-iHuyKiKaVzQmUG*XHpcc=zEe@(pEc6=2i_1(bmnmqH@zt^4@S_MQ6!JWcwkc=Eh
z-8B7gAIz|GO&G2;(z06+=@0>*<`EYSyP&JCOmb{liyY9+;k^Cf55PW_gC0YgehTrJ
zlBgVm?wJenCh0Em@KRAt1j15?Kpsi`yYFw^HNQ_4N>?8U^|pGtTDEr`DKs?V-+OmD
z5(fbS?kWKj2MJ>Z0*+;z0_7sNNjOb00pNpIv)0rAsV;ciiS*4(sb4}vypL2>zDb3D
zLGakT3M<wWaj2_fT{tO4q3d|iE26KL==FJjHlJ@5@Lq?_K|%q64}t`V7EAChx4%xN
ziNr<3M&^?)Wv&+!HuI{H>-o(W9f8|hXfq#xUhB3)=z%Nc)x$<-Xq?>!A{f0Y`{fr!
zQ5c{UKuApkbvK%!K$bUoJ5wlY15Yo1VTwyjc8lyP8t7M7e>)&>x#CKje#JYi7}K2)
zV|8>u!jD)P{51Myhn*Q}5qS|ycjMH`R>n-1ecBQKE?9MB+MvO2OGnK%rK~%S&~n}<
zP%Lwi-4W?+ZrzF<`?8zbfKEsRr${#kdbhUJgHJX;Aihm|?jycarUxiGR8=qp-V%qE
zp6PC00c=Co0vu{+Y8&CtKpZMjMbaryk!JR<_&Nx2nX0{ge%ZlT-_?B`_a+UD0M?);
zBP4Gz9>p2fPGUKSL*`rD?f6RS0m!~job@(5{O;@AU6C$S)iPURnK+kWnAO{@I+!F_
zki9lPEdv*`Woae&`5{9hZqR#Q>c-R8;4<LyljX2KPR!#lQM>EkEn=%AQ)>vIdGZ<X
z4ID(CTZOV32QTh$0y}99*y@+pk(&aHcOkgj<py}cz1p!`&dWlGkpZPvu3C^}pm&&y
zWo>V-#N?LDzNY7?`NJ-JUX}JFqDMw+V|tV6XprxOh8jyN0sa6WksQ&rK}IA@W~I+t
zGgBbW?V2E-MWf9EiptJAf-#zC$^!6NO!~Qoj3|*Qcn$zsr}~uN>gc6q9Bvf|h|QOM
ze_urq8ojXA&TL?M4!OLmH_AnCXj@27_!oio!cB6nx>+$^-ZQw3r@6b!ZbN)(s8}iG
zI(R9#N)!)Jud>J$O;$sDxKjY~F>G9;lB8Y>f56`3h}UL~V>5xpY#upodgs|$LHGSE
z=ei(z7~eplWm|qE#dw+58_Xi)9s-NWEGg~@ook2sP(ub;TF1ux)@-fT;Nn{Pk~XDv
zQ+1GmHz?x~!P56}3Poh2ooqWb#;}C`7-nE>aB@Y^-c;M&dXxLfXMdJO5u|`f6TI@Y
z!KP*1)bF*n(0E*cf0vWu@4Ob(gxXbRb;H_yWt0K+XK*q4dX;_-U6GK)mIKCj2V&mh
zjI>l%Dd^2}q-q!h=r6X^u7M~mPd0-(3y`xz0k))4Gf=lIlV2DM5H{)vWRY0kDm7U&
z=D2Ew=Qsku(61q<gl}4f)HHirnzigL;fP-Kn?>EoF@f2!UkZ$#Ql)k8K2mpb*?wX0
znlxtUy?;XyaE~`%&xKg-66i4-p`weRX&hd5Ci|&>J{aN|*RIr>d>=Fb0db1BqOzk;
zmz<AmfW53jQkb(fiY5g?mG{Rxs~^wBmJFA+xn}DX_EsklkSWRVB(}9^fqZKj^4V-s
z{zwyCCdV=0aFl2IW-q2)61whFsn4x!aO$RA+0+U(%p;Mwc1sD6&MCxZn4{cqcdZPB
zy`XIZMqrmXZd1*zF+{GkZ-eqA1iSrhy|oHe`omQ(Zn%Fzwly_~HWnAsGdi7c)ulv2
zzuFBCFj)F&sv(35Vt`4e@1|)%D;j*}%kz!lw6@^ptP!8fnzhoW3zHud4>-4H2|ktk
zoU6JsIVVY+wN4k;Ku^`|kA_@t#wDE|2XH(w_?ph%<ZaQ<Olgd@8jLG3@xgr&=WbV*
zNvUveDcc|_my?^Wfy*dOQs+79Op<9;-b30fmFm_Bux{c_a{*C}f-KF3m@5W#d)vV~
zh38h`DYlvRBzC_r0m=fg`X_o3J~dxVt1&R1^M=$zqQaK-=m+xj5@3~D)g@s_D}r?9
zaS#1bPWcA7ClTY^PVlymv_p_r*p{Vhe_Xuf53amO8r7Bx)JR_p1zHb2bCK<Jf{4m#
ztEr^r0*Eiu+jn+EHnk-Pe!~QQwp+2VKs}N~gXL{W)9{wP8lNabYDJG)u=q=M3b+|&
z3>+koJNlt*mT_ZXIJw~G=&*81Rc4+N*u%LMv2j|%@!pmu*L}twmHhbDX6>Xw(3%O7
zviTDo=1W}>9%T|wA$KKJSn;I0X6g7`ncYr<I9z?YkXfBU4phBAn3q_=mA%;2x188c
znNz6OMKWo}wxt=o?uGl3P$x_<1av~Bf3{_$boNtf@2Z;!D06xU+#PBql1lq9w_oce
z(E-XkTgRt<7nLqGYudL=K@rX-$KiC;aAfyvZ10fHk-~F1qtK^KmFTGh*Kb={!rz~g
z_N(2aQGFcx$7_XW<;0-7Q0ip8BFALz%_^xeAgYQ#GS0v@Y>TIa7%G7ex4?IaGTQDm
z>ZsXK0BDef$pz+1?(+mP_Bq4P7kmz;*mUCVIx5CO*dN1Y#8xBYJWLXdo9YfXPu=9i
z4-1D3Y$;pm*c1@vP32(3u{KS35ZH9Q7S}nvW(#o}G4yZsk_F!tfybzCg~113KS3v`
zAK(D%wE8n!XpTcUVFh0?D;7_I!Sjx8{XvKaE#t$NMa%b_lE~4}j>RY0T*JEqHYw=r
zRAYjRh<r0KRcD@`H8)#`8RraXt@uc%DWot0qd0XL&-it~U}}$1(@P$8o7ue#e+tAD
z7}3|yLiKo4TkExKjRJxUXJI-}Y%@&&$~mEh{->Q{5xeyp_a`p~NXMmXXKawoeQq*R
z#=Ss)RE%X_^4-4lA3oQvp>O?8Nn^PkiZDbAhZCvm0jR>QT%I(>K$ekWC;khV#G^Tc
zHBs%=T7zH<sN*NYVTaHt=j*t`QnxA^TvLh)l>eYi-Ri=XsEs%B?oATz^RZC0jhPUG
zl@TXC9iAb+WaNzU-a=Tw9nBw`P(_NjrzPfwVQ7+cq2$(+G|lTsUV>O(4|kVl*#)%F
zxBnshyIcnT3>=l7H|*q30?mT!PI#m_H?EK8MFClzFNoXuHLQf3JO5+tO9;u_0C3_s
zk3TEBP>lAktc^Bw)XWs-xt2*}H!X6i`gi`1P(cMU+ycY)yeyzQkbtU0Z>IJJD>Sd=
z9PwGq?wPnBvT3U5gluFzj^AmFb8Lg8dG~V*5i#ZfZ-hQycK{~7%XzPcjUd}<_dHaG
zf8t>TfS&Ned`Ni?Gy&pydJ}FAP-%cj^x_-DaPr2;4M$IWVetT?=$;`eE8l3FyKh#C
zaifTqP6CFO&yQU6+)G3sN$y$sSA6Vx*yhUqEH<Abw*FkY+{sTjMl;;-0@cDtAHqoN
zR%LL1<#eHQa;4PySY=Zn&bJh5MEucP*}CEo>8B;ONJUiCi`=}J`VTa7;8bh8G^2J&
zpK|zxgytK<^R$cLSTCipXEHb<N7;z7#VQg5r8}?JF%p93?rT-Hn*7F~@+1lLXU{yT
z%ebYBkCNO8%buug3pkt>awERXi1dQx!DDK6zPQ9;DvSnrc=rGxb{r0{aGsETolWwq
zc%<VEdkH^6CN%L{7TLf-WJawv*FgT6;O7h~rZb~%VG78>oBK}VQ-anQu~kq&{K3c2
zm{R^t_v`nsY_lXv1y3V!naQ#r+x!1pA5k8f0b=llgE15DRY(YJ!HJ<xhAK=1j@;O>
mhsYFObeA$od2XKdI;50?5iWJD1Pm~@9to!z|BSVL70D3U1KfZB


From 27950766abeb7652e73fc2364019a7be85c67da4 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Wed, 7 Sep 2022 20:08:45 +0000
Subject: [PATCH 09/36] include error return code in exception

---
 google/auth/pluggable.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 2d8719980..b5e2e12ff 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -299,7 +299,11 @@ def revoke(self, request):
         )
 
         if result.returncode != 0:
-            raise exceptions.RefreshError("Auth revoke failed on executable.")
+            raise exceptions.RefreshError(
+                "Auth revoke failed on executable. Exit with non-zero return code {}".format(
+                    result.returncode
+                )
+            )
 
         # TODO: clear cache when the in memory cache feature implemented.
 

From f361340defa2f00fe2fb33a58fa50ff908e731ff Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 8 Sep 2022 17:31:12 +0000
Subject: [PATCH 10/36] unify the expiration_time check behavior.

---
 docs/user-guide.rst      |  3 +-
 google/auth/pluggable.py |  8 ------
 tests/test_pluggable.py  | 59 +---------------------------------------
 3 files changed, 3 insertions(+), 67 deletions(-)

diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index e689b11c6..685a6cb70 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -450,7 +450,8 @@ Response format fields summary:
 All response types must include both the ``version`` and ``success`` fields.
 Successful responses must include the ``token_type``, and one of ``id_token``
 or ``saml_response``.
-If output file is specified, ``expiration_time`` is mandatory.
+``expiration_time`` is optional. Missing ``expiration_time`` while retrieving
+from output file will be treat as "expired" and proceed to run the executable.
 Error responses must include both the ``code`` and ``message`` fields.
 
 The library will populate the following environment variables when the
diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index b5e2e12ff..47c786a12 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -360,14 +360,6 @@ def _parse_subject_token(self, response):
                     response["code"], response["message"]
                 )
             )
-        if (
-            "expiration_time" not in response
-            and not self.interactive
-            and self._credential_source_executable_output_file
-        ):
-            raise ValueError(
-                "The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration in non-interactive mode."
-            )
         if "expiration_time" in response and response["expiration_time"] < time.time():
             raise exceptions.RefreshError(
                 "The token returned by the executable is expired."
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 7b60ea8b2..280cc2aa1 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -812,64 +812,7 @@ def test_retrieve_subject_token_missing_error_code_message(self):
             )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_fail_when_output_file_specified_non_interactive_mode(
-        self,
-    ):
-        EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
-            "version": 1,
-            "success": True,
-            "token_type": "urn:ietf:params:oauth:token-type:id_token",
-            "id_token": self.EXECUTABLE_OIDC_TOKEN,
-        }
-
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[],
-                stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"),
-                returncode=0,
-            ),
-        ):
-            credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
-
-            with pytest.raises(ValueError) as excinfo:
-                _ = credentials.retrieve_subject_token(None)
-
-            assert excinfo.match(
-                r"The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration."
-            )
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_fail_when_retrieving_from_output_file_non_interactive_mode(
-        self, tmpdir
-    ):
-        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
-            "actual_output_file"
-        )
-        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
-            "command": "command",
-            "timeout_millis": 30000,
-            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
-        }
-        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
-        data = self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN.copy()
-        data.pop("expiration_time")
-
-        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
-            json.dump(data, output_file)
-
-        credentials = self.make_pluggable(credential_source=ACTUAL_CREDENTIAL_SOURCE)
-
-        with pytest.raises(ValueError) as excinfo:
-            _ = credentials.retrieve_subject_token(None)
-
-        assert excinfo.match(
-            r"The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration."
-        )
-        os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE)
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_pass_when_output_file_not_specified(
+    def test_retrieve_subject_token_without_expiration_time_should_pass(
         self,
     ):
         EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {

From 2a7d288c526649352ca161da4ef9d218cb2902f4 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 8 Sep 2022 19:07:31 +0000
Subject: [PATCH 11/36] fix lint

---
 tests/test_pluggable.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 280cc2aa1..58db4876a 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -812,9 +812,7 @@ def test_retrieve_subject_token_missing_error_code_message(self):
             )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_pass(
-        self,
-    ):
+    def test_retrieve_subject_token_without_expiration_time_should_pass(self,):
         EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
             "version": 1,
             "success": True,

From b15b9d5827ddbf2b3df8cfbf31ae851d669e70a4 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 8 Sep 2022 20:21:15 +0000
Subject: [PATCH 12/36] addressing comments

---
 google/auth/pluggable.py |  4 +++-
 tests/test_pluggable.py  | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 47c786a12..dad41d5cc 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -192,7 +192,7 @@ def retrieve_subject_token(self, request):
                     # If the cached response is expired, _parse_subject_token will raise an error which will be ignored and we will call the executable again.
                     subject_token = self._parse_subject_token(response)
                     if (
-                        self.interactive and "expiration_time" not in response
+                        "expiration_time" not in response
                     ):  # Always treat missing expiration_time as expired and proceed to executable run.
                         raise exceptions.RefreshError
                 except ValueError:
@@ -211,7 +211,9 @@ def retrieve_subject_token(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.service_account_email
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
+        env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = 0
 
         if self._service_account_impersonation_url is not None:
             env[
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 58db4876a..fa9933a84 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -893,6 +893,21 @@ def test_credential_source_missing_output_interactive_mode(self):
             r"An output_file must be specified in the credential configuration for interactive mode."
         )
 
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_credential_source_timeout_missing_will_use_default_timeout_value(self):
+        CREDENTIAL_SOURCE = {
+            "executable": {
+                "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND,
+                "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+            }
+        }
+        credentials = self.make_pluggable(credential_source=CREDENTIAL_SOURCE)
+
+        assert (
+            credentials._credential_source_executable_timeout_millis
+            == pluggable.EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
+        )
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_credential_source_timeout_small(self):
         with pytest.raises(ValueError) as excinfo:
@@ -921,6 +936,23 @@ def test_credential_source_timeout_large(self):
 
         assert excinfo.match(r"Timeout must be between 5 and 120 seconds.")
 
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_credential_source_interactive_timeout_missing_will_use_default_interactive_timeout_value(
+        self
+    ):
+        CREDENTIAL_SOURCE = {
+            "executable": {
+                "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND,
+                "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+            }
+        }
+        credentials = self.make_pluggable(credential_source=CREDENTIAL_SOURCE)
+
+        assert (
+            credentials._credential_source_executable_interactive_timeout_millis
+            == pluggable.EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_DEFAULT
+        )
+
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_credential_source_interactive_timeout_small(self):
         with pytest.raises(ValueError) as excinfo:

From 1460d6f2812341249272c77fd1a2ec77951faaf2 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 8 Sep 2022 21:31:45 +0000
Subject: [PATCH 13/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index e2b0f9afd2213641a93b60559b903c2da601cbc1..876b98d6fac3594ea71330bf6d26e5c8d5b1385a 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTE-x8MwOZU{H@!{Gq=IlnU;s+e|!-11rMCc+(Ug(4!KnPyjnQ
zDV*tvP2A5V3<}Ms^cc8zx`D~dU?6v(Lxt-mSL?ALX&20*?ZfJc%~CW4$m8?B3|M_E
z4WpU0Fp2tv;n!X3KppeKzA@T9AMAp74`Oba%nz2)O>?O5i1H!CYQbzTcr#l{%0KBX
zc(Dmt;`KYaXLnzAS5s0B2mq-X)L;z-gAQgRQ<hAk)HZR>C1kcNLUI~tS;N~T*5D0A
zxxV1Xn)K<(j4`jbka=aH3Deo;t0#!hj(9p3n+;o!mo&4OYZILxbv^j6^3Xy8Z0`E7
zDgb;d5@bsDwDGIOuCehe;5NX4;0|Wh9uAd?{i~Uc)Q6ic`Sdq{U<&1<HGQhjEnwyH
z%c#{!(1C0R1f|fu2U0iE_u$A`xboY;0PyholW@wkRjC<m;p68FuK2VJx^%5tY#PQ4
zl{Pad#vN?TBwBv}Ql=~xst;+%CL*w-g$@A7W*=lF&T@(@aTfB$&ol|s(L8)Oow49J
zhg5W2(!R1x+GX)hVFEX4)5VKtzxnEDY7gX@7ki8PzwY*Gia{|JR#wsRFO!RJkf%vF
z<}A*wElT<7FNeLj|H&m$<p{9%D`-9saTE7qi#0Ofg_?d@KIHa5H$Y~%(fr=G4<6WC
znW<fU!UJmif>jwdO4ki)2g?*v{x=<|Su%n-doY^e_FGuw!^d>m`D&jjScL6n@*301
zns*$kqn*%R;-zQ8aaR3H`LF6EIQ1Xc7|#7n%sdddpnDsu^>oqB9vurn1a9Pizdlp7
zPm57=`-24`pWKks&6a+{hd$cfDz(4mk8@a0>QeN>xNgM&fdi(c0Qb?JMeNp!<XsM`
z#)c(%L^MVT-$raY+BB}>06kX*4DSgK{T(vTSR~=+y=Zh`$Hm3uk9-S2zES~<MkM#<
zDmn840-P1O`PjEsSD$JK7XrhilSL<HFS<Cl*JJn&x#o+o_NQ+D1s`=ElBjzoPEqLr
zJg35Btm98Qk|?%fU>o$S&rNIEsqZ2+9{s@$J+Z3lPBn_cTT@AIyNUw7vBwVc1#z4*
z)&<E+efGLMg-2XSj~>Ra4pe+vvPQGfLnfR{la#CA{@YG;$9#`ut$h+mi&qt1SO3#l
zq}f(a4o4TU!DcqGsc??M>Mz+_<DG|Hd2ai)-E9Uy9So{e=w9xF0+e|P!uot#^^VZr
z*YKKQlc%Bq1SZgov+O?RZ^~jttHu|K5>C38++Q)?lqd*oDObsUZG7+v5b!YzWmp*u
zXbAJezt7#2>(*jsWWy0aST=s?z@a7wm*5h-f44X;TeM~L4l248U&X-V(cV7wm8uIZ
zMJ#XhSS~DpaG4j&a;f|z$bbT`ft2Bynq?tlu<sD&!uF1EY~5cOSQUT#+%VbwJZB>Z
z2*d=Or7k`p?#jG0s3{6cG&M}Slih^vOWAWA%a8wpSI<svmUZX(b4b!VVY~<~OBmg6
z5}Ax~7ZuvJ3Mr}pRA1u}M@Vv4FNU_%tTqyYG;Sg}xzrVO$+bSQ&A{|wU7ez&5Rj6R
zlM~x|f4@a(4^+N+1&S|nT0~hm>|ng?(>ruStUfVC^ImEZ3J3Y2#8s4W^i;W#_500-
z_=ZaygjJ|LXIh4-Zl~E#qsu)!zd{nlTz+6*$fDld*lM%V5=jA02IVfwC+zDoI(3ce
ztyf8=-&cOp?ijL)gM=P<!a(~hmwy1BN%o;^U$tJ$X2%;oRkpmVIeD-Pk-P?Za_<I`
z_IC57kYroE#QWBg3z<^I=VNJ7_#|6bYe2C|qDway31QL{ySfD0*ACpReC4oLnZUO@
zetxTN1@wvgRpF0fRC{Jz;LhdS-yR(aTAQ}hFtx{;2Svq1`KM@dl+{N~Z&PN|#HLT6
zd*_4>^^jQSj?fMJa~IRWt+Qw`4j#13XPt2Fc>@N=vK<);dtIQt$rTN>*xO_<sCu6C
zYV+}B*(Q3{ob?GYVJosZi;`bNyne6_?s<XAgfVY7(cNaqBhRwKSZ8(7%E=(4!|)I+
z`6x8b5)Qj?R!{4d5xoU7oE_W4)JX$zj?6{R<ZLZRM<bo~TpdA>hTUP4W1ol0dj;0G
zB>e>OtgAocN~Qz6&-0#hO|lGs<Y@xYwWAEpI!cDso{YECGNo-;-^(ZzBMYLaM7+~#
z!;EGxkoW;7HQRq>AqYmqA@(xV2vSw!|NDJ29=u~>9j*zmDB*WB+St{YrE-gHL@SH8
zcCc*@&pRd1?fDssQU7mH(aRjknt_J?*Mh{1c(n0*;6_PVnRT`Y<Z#f|)}DOaBfx`D
zm7eih^AHgF(MVL?){?VWm4O97+DKjTu<*B=&}9F^GQnF*M-hF~E+(OE{BJh-Y;c6O
zf45D%v&0i&2{ErpWN!%@rFj6NIAxooS3(UfMG?;~D^~46i%YGJyX18{ce9)-<WIO|
zqcN7zPq5RvteF`Had`&eCT>-2+0%JB@X9iNn5dcx4!Zj9RJjv||DTV=XEv=EYbN5z
z7m*JtP;ZPrQaf4tfN6TT$e$lOS4GEcb5Vt3^2Q?Hx@E+<+<ACnLo_(ol>_Q5=3hb?
z%~thgAsOv={d(ImMk)TT<;$D)tmNm%IDA8sP4%S><RPWHb_~4|O-obC#gllX4H=qe
z*FtH&%F0P%P~amYQ^NN5#5}~`Y5q?gu0mcyZPeT1IBr3dUcM{js`~sVG@Gx02Ru{T
zuu2F1^;2$*2WeM-_`qH;m-h=Kq%G>Befn1_)YYPF-Q)Nno$}V}>um;hQGZB&{4JHm
z$Cka1=smn9rF@*6Ct^B`l3D~P-^J6jUldHPZ#+L0_Jj_hkuwePdNdII?Sw*w*Jr8P
zLF2aV*79&n<?%3Jda~|=4=C{eBJ}n~R*ubhwPso3yL0<~-6G2_#gq{YyxLfiV(Li!
zeBS{Gk2&aBrC<&|{c{E8WiNfjI>&Q({j(CbWH}X{mt!(h+hL-#pc=V$Ufwwm6zVLs
z&(COjhS7@#GmKqhOI_LHy?v3JfC~Ba<w>p|+@56tNMba!kV7Iip@BNrkIh75RVmjB
z1CM@@c%$cCb=7X#KXv>$<W8x1$A*E2Jvo;MHuhh%UAez4*@I<BL4CnO>mxGCxx1b-
zv1<AhH9ham79<*==t_e~UEq7<qqg4~MxA(OWm}Y_Swmo%G)Hjiy8lxlN04?kbR+Y3
z8L$;WFhJEyxV*;)Z**=oE<;|Vw<t|G;d$BImQ1%Dk)9IK7UPNOpeJla!XM_YZ|k}t
zTx$J#FS6~PwY)$ftAjlk^kn5`yFL2&iUq*58Zx8y7u<Qu(Xri_BW*(epvd;>xfuDb
z9@jiLTVre|w@)eQ)*g)P2OZKx1;JU+4{v2AxzaH@a)^dunBzFOKl}XS1w6kXHIzbU
zHr;FPcKlBXmt1h@6OsLpGoxYnA$Hp$C-SmmdrCYFqS)+V#`Nb4@-~95a2HjX^GXxY
zW1&^Xc0^ku)1!8(*E^duXD6o=p1<Qxa8$}z^jj=uZowX4Jh6_xZ#n>O6WQN}?q-gi
z3rBqPHaqtTP%QQW0beC7Y8jrG%ljavUxYGYTVZt3!&5ZIE3!oWA6O!5QccXL8vjK(
z{Y2nuOVYh!_fap*@NarudrgN~Yl8OGX#N)Z0EsQ-Pn>Z29eY}~1X0gSz#IUSN|09;
zQg(1yI#bmZr#iq&D}H|FSYS><*y*9=d&-BX!F=;XkeIqh<hMX$aBFn0p#L=m!Z5>!
z5G9DVq{|eSbwBw!ovqtIN_qL3&`O*u=ElW6UNMUpyJk{P2$wPT6xL;E3%vQ2|J2Tp
z)4~YuEQ*Vut_GU$m2}F{WlAn`R<fFd>A;Iy3aDQP@B`UNP%@S&!Qb0>qTFskH|BVd
z;g}niRqU}I)5}Bxn}U1a#l)PcYC3slhEQLXV4%9Wh?jlg^xwNEY^J$Hw!xHEU%|6v
zKiQsds(^(H6=-tgxqtW*Q!g?KA6IKLCU?3Og5CjynsB!uz?Z32h(Sn=y8CvlYb%o)
zm)K4EB2_OFG5?^1%@k9N#gpW;(mGfMF-WVt!lb`CJrMNcvo4XfDmg+LYS~?k%M2U}
zz$TmHWtu2!wUK+8$rM+824`m2rfr37r8bBal?XlvI9>hET{q^k|B78`*8#nM+e#Bp
zqOP|rn*tX~pm2(}FB?MVx159vAJlUw8pL4M+X%O`3K%h+@Ed!E;49u9g5i!EbuhXV
zs^YqFh`Wv?>+=(8SMGpQ$`je@xUiy?n3Orf$SllGuw$$_#YQwx+|10=1(-ewSa?;T
zXuT!shV*E`^*!vP3T>uM&@hZ<12n=SAZfJl9UA*_G+45iPpX1XkP|j-a{uZkb*?Eq
zBSE}6){Ml1s(;$#3?rB5MoLP1LQYMwP&Hw~2R!Y5o})rpz8F{5F$TyeG`yqcKy@kJ
z?7&7ns+Y<2Ga7^$$+oT4WE@0SX*M{YKnAwZuYrRl9>?}rbHu$9bGg3?j~l-R$M{#I
zde&S1c%VyFM_d0=I={Q!;wFtQ;o8&;qf(U6k&R|eoDCei|BT!?kHYN?fsY5-?Rytm
zqab78XPPpawzX#s9FWhnhevF)1kJ+vByc{vQs{e0&t3x`i#l9~v<)A{r;+syOMEc2
z%qdP-!$C_rD#7P~znj5|OeX$l0?aT!OWyQ6TjPguu9}}$Kb8gQ^Fa@+D1x_0%O!H=
z0gOF3CSLsa@6)JuR-zosN*IS;+0j=L`1i5Pih^gb$emoU*0Zy>rP;~<`i;ecqsoBa
zI`d<UR0h&Wq2uq-HhOMr<Jbe#<p*9wQvaHhCVp^snjL9T`~P@@kXPjxUlDz|7N!7%
zXA3#RLw8MjZkZTf?HCJinCON#OVzZEO*N=Uj^a@I7$g{&0xDyZb3h1(p&43xHaqdq
z9@Qevva<7kyg&n{)cE-M%ynt71mQ8aU;tWG`%BN=fqcOtt><Z4W*%wwdR&MKDx<_%
z2s?eP=~>J*JS`U0>IWv|*&*be!Kdv2ZF3TxpxGFUXl0Q`HTVT0cJ<aXzyWrnSe$d9
zTX5UXImfioxG4K&^?sXKmqSZte#>e!_lMuje2oF#%GWR3BxZg!2PKoR;4nCO2%DjE
z7vA~F6IN;$-ptgcYK#I!!Z!dc_JMqY7TnT~;O%+$EJLZ{GCl+s93cqtF#3<g_Y4qJ
zebM6LW}bkav$NUd7t%L#7y|^?&{-A82{*|w5h`A;g~FlYx$QcBe2NHKsmbr?pIXs%
zU1K>>g3<Ixwu(dM)2bW-hfd8ml<2Jke^~pO=w3A2TDPrWne5gGCNje?_)=?2UOtA%
zJMRMPFO8&S?^0$b0{3p8J3!ywCYZAb_|JzTM@*2oX7<)f1<vLVpK=NXhNJh)cdXKb
z3s$`G(=J4-!;;b@J*T!|MAACFPj^a{tO-}DOagV~I{V4uT=`t(!MYk@GRO553n1&9
zMuHiF{LPFjs*|$HiqXS*GWS6*d2C2lvXzhr4@%U-)yoP^zgv+pC^mQhq#!MKz=Ojv
zBk30X!y17odxA9n%V<l9mvFL+<Hb>l)6VB_gS%I!h-~Fi9c^UiVKsNPp|5^{bNon)
zblc15kTHLSjpXpX#JNYfp{_3s@IST8o0a&)$anyqXy#3<S~;2>0auXmc<?n3_oR3+
z=vok7dt_aJ_u|QVni)@5CkDp&+qQbv$shv~_GAo8;h+gD*J34R8A?{K0RoKI$-$+@
zB+5x-=Ck-D0&r*r=C;9a*)4tHC;W|-U4RJJ$>|W*0|3y$z(R`4)Q;!b!|knTYP~O9
zScdP_9DjI+3f>dxLb9U0G*Y3%Kj=8Y&S*QZ`N(K$n4QLC(1`}#t@5y3r7^j98)MkJ
z9qTRJ4U0vlqeE8Mf(($aw<qeor1{of1aEjfG=lJcEZ4L{nHfMezd$%l?Tw}=Hfl|D
zD1MI<<tp_Z>dh^zx05Jf%sfPMIT%5Xr(0XuL<B3|M+0Hd>?kJOawQHT-iMdHAff4M
z`gic!9f>mWIQ*zdwwoGSg1nB1W|xqtAIhhy8r9zrpT{{mAnS8AYQ=#Ys9$$iR9L}n
zF+p2-XR}ryAQfv9j0^fyP_H{%_$3vsyqC|Ikz$zga)xn=UyaZFA3C{q!6K^Wrr5nA
zvUg*D=0F8H1vC1PR|%Srpb%l|xWj?O$MkedT9KdD;*`|)5(+8Pxst$AR&Z3P(6ak|
z@4Po56qc>Ki&b_Uc7;*3iQvf(cn2O`tpZ&tui%lLm%05^xVy8O@eNi2DMOg~N5$Bp
z?1qK5jw(qqwnlJ(PqG0?z&l1nR|y!$SPKTRCAD6I_9C>X23LW~5O!Yr>Q9(<?`Vdz
z`}4pIe%0EZhD$9s6&<K%b_<z8@6CH4+0vOv#5{|G)_Bu?odpqU7o9-u@s8)l8mV%~
z(!FB>O#4X?6-8Ps#_rJNxPpSy+;EJA6mAJ!F-HunUPduE99McI<sH&>@4Q5LI@4UD
zHHr0J1dLvo{D`&c-hJ@H-|uucr}d;WZp*xDz<*b)pos|+cUf_gSHyQ8Hp?t1;VxKK
zOnQ49BP(eGNMU~?JQ=c$xM4W#Z(MD7e!`2awqJOGQzi7R|2FVX6pI@%N6qazM-f*7
zl~ZN~)nnt$^|ChZ(w8;>uIQhJJTH2PpXmn{OjDFd?^{6^mzbFD*)z!0V$`wKcl{9L
zYwaWB%jXFFT=&=u@<T)S2kX@7R*gkZYuJJrjUX`@RyxUqb$MF*p$2e!_xQ7Np&XS|
zCWI_qmdE?}8A7@4t4`O#aq2nI+Yl-OqIw|*wrpl>DPaX=@+NTxS9TI8yefNY7qYt=
zs0ZP~!yyLqSiA;Fii}lSpnD>picaY72yU<1?0cShng~*$5>?1@%cqTX{BLU5>tmc9
zAadPxLPJ=oym`Quu+R%A4wqu0;>C4H?=n#$l~o^H5m?`7$aE5^%j|<JxsM@g%&s=!
z=jmZHdhbxEA>K28ol*f=5=`ytBp3|-1De+25OF1LkmVQTA|;ZX`=?8yQ8z&6MZ}oG
zFEw%JC#0=Bb7!c-seM9BZ>XUN6+UWlij6+7bLL~<K~_HrX%sKMgEm2m2z(_izO!&t
zksMK$&UAPy<T`SUl<71&3^eBEYzI+V{8JYf8<~3g%ahE^u!UM~Y(!;GWlx)jj%wV$
z0`DDDb2pu8S|CR>yiImS!RzJVtBp~c_2yB7Qvt{0JQ~(s=a&hHB>=7t?eAZ^wDYui
zr#3s#;La@|2B?XvXQj_+4nmqr*Xl&70izYxv4lS2a@$6+>l%36|JOSnt>px`&FXA2
zcPURxIh_i7K6t<U)KrvEP4dwtKbHg<t20a1`JydJB$w4#!eREd7xE_a^c!%Q)gM1G
zbmKS^Ayp&To*4|Z*F0Mlq>&A4l)nkwzH@kHJk=O@hU23hPrW?(+3#cuZTFVG<zK;$
zG|6G?!=;V?dR5Bw!%pz>wLE@9;OP-J7ZP@`P!BM&Zjhz9PifW<<7tho+HO7h&OEk;
z*Wjkbu9)`v1*qfbvVP+?3RU2^?WA@9!q8Sztx5?79hHoy^oLogo4vvykbH$iVEDwt
z&xt1g??-mGoX%2vfBz~}0Ws8G^i9GEpx*mjT%kdgu4Zj)?PT@9*P6N$@$zBEa6t6v
zHMixWjLH+vBwyEy-x0wQf5E#pwzXDQ3CSQa;YkKL|MTgn2ib&dFwF{rls5+Ug`iPb
zRErmeLBS5;cA>q%z(CPT-V=SYb?xS}JmnF<{8@A=qLP5v3|&E7Ln4B6+ibie|Lr1Z
z2xt$bZxPgQK$sdE-2nFL7<LPkHhyg*l%t#_k`}vQDmh83RCMjtJJ=<Pto>UpEPFbU
z6by@UJ1<I>V{)SBwQ}-+Bg(Tc_V@q_J;WZ#vSzD}NUohymDL=tC}g^OPBqNSPq1)z
z4f)5Aa{~?U<S<yH@^4^@a_#ikec6U&7G_7q;G(OUbK2MG%9nLaOEg38o%)QI^Ed#n
ziZWcZF*=pZ+G_Wg%oUc-c^&XNaG)aQ1bLV53qtNvcDF|W^xr>DVDe%zKteO+)}04y
zEY})Wu@WlHRy_{Cn=zCffI_mHz}f$)S8msaqMQ?9_717*)H~2QtJSYllWYLE>o)iA
zHp~-Pw+#V|QDQ{xoAJFURWLY(RnX9OB2QqtXQwZG7>N2HU3GZ1^9_DG8ZJ!WE!T8B
zIaD-UQXGY2$nlShT?CvMM=*-r^jZ#@?+;D|me&d3=pzC3g)+{IZtt-E_p+6{i$>!~
ze^Mv1(uiO@KzTttXBor2U<KX#ATD-S6WI||tasUdJa*+DBag7a@JYeB-|FG|L#<7H
zT9|1ghu}YqJRf?~J4o90ivYPtNxhTv>SPeG-V{r<zH~UT)t8mq&27OpX^CvD#5$3M
zP2tD3(PW@~ag<BKg|(?*vS;p}<^xc~f7kixVZ!}zuAA?GWk6+K&@=qjKt*Ozw%-?C
zEpS3Eu0l-`+mmR#WB^89+XtE33EtTvmPpx{5FX=|bcv&$oT1%GaJ%MMS-?>A`4P<R
zW{)J;iFyA38iGD0?-uYH&EHRiuZmvrZ&2d%$U3*hkY6`7kzDi}!U?Px37G82H~Jbx
ziwYLA9Bz_$sPKX@+q%I90l~Y_%T{%vbn!Tkx)Sp)Zoho&Q+H-GhW4t=Ue$GZCHmJ5
zW%1|_k`TkHjh?tQ+b6!I=Ygs7t~*wq3lJd%Zb<nkE>iG?jKf<~xdlRhgPc1p*x!9H
z9(!nlkXXyB-!d+sp+iFDF9vbFu4OhVm|_7xAI9c>Y}~qxoT^$$wA^lr=tH@y$HlVh
z4btFz-%9uhGEEWIf4-$`AQ+AkiJF&Eeo-5W)4q)_9A$em)~v)&@u10Qi5p6o%3m$y
z=B=o%^=0-TD5k_UpEAaWO!!zPPgaP!o#ssPDQE~Lp7x$Da&kdYOLX*-eQ5b0xg#qa
z^Emc-6-@yrDz`}W&B2w%MT+Pdi~Gq1Vm)Tu)IfW({2qj0yS8qKkku}3WB1E^#WPxA
zd_+!dq0g=Q0dSj?JAE65d^BB99eh(ZrZ=jz*lj})lH|ZJNSx`QllK)d=h3^=E)Sa`
z7xAK9-3W^W-j{15lUMSqXf)+XBBuwOj4S6lm%s}M1Y-<}6M^IY?6ljSXUA1EgTpjG
zbO$Uzk|ES?`Sd=aG7E;hOH6<IEAWxJ<bSu!M~w|DT&pj}vX#{xuRcfa_WYT8tP__V
z?GCxB80kOq31zUB=|(!`__`fk5UEQaquj_Bh0d0tx;MC0wzmCl$)W;_$D`tZIOzt=
zQyQKzIXzkcAQA^C`t(a~LQTY=SjH<d3+-fSR|#ho0Q02_mh{mcx@Ydi1l+up<06_K
z6ln6b)ns~GwujRiX>*X6db(S*u0*upTq?J05`F&?&OUbkG8Q=f{USLmJYL`o+oO#K
zEqL)CF`rUK;)Z{{8!w_#HCwwZcfD4Wb{7P;H`J8#iSUEA*=EwZ^_3Colqn%|M4Ng9
zq-axC$IKkwpm`AxtE=Lak^~zMW(l|!JJ#7O+Z`rnbm!w=|Mc;iDN229&0Cuc`jQIG
z0I*&*=9!Y*EBm8AP$Eggn9DFb7{xqt=Ykhohtb=GhT_?C=MHUE!KY_g1R6YGk)Kh7
z6uzUtvH!31K=;~3wVefL%p{uzfr466%~~-?*wOskl)Y`*c7Fx}3<o@l30}~G!Hr++
zM*GJ`0O2rbI_^(J51kx~u6m!eREn?`1X@j_SGb!O{ahr;esi9}Q|cm59K-rD_^v05
zCV=p$(WGpT7DZW13=Q!626tL&WNl+z1KZ@8H83l{#`Xm9#KqSX{G2Vdu_sl*%$eeN
z!AK@DF0YtGHUYXAq!8PWvPIAlGf-VkGwx@gQeh)jZEZCFfBX%oh8vm%c43Il>&qW9
zsX7ZBrS_;@wxSc>2_pI1)nSgD33m?9{^H;+8qBeq3Qte&tI{&Lhfm5Fo&aKZ{y^i{
z_wQ9-CjUYuH-B|bE}>X+xY`{u&LpQ4cRCmvpgxOTe^s*HbUhWPbfynPEod*3l#WXe
zi#UlcH>wXRKTb{{5<((82HL^i8^#>B58=I40EpM&&(BJKfZ!pqG-$aYXn%%-)kfr(
zJuNS-{+lu9$ap{2OxtA!2%fixMA<iCClO2Wa2nLC$Ew*o&Q)(i>yEhb5tdSsz64+l
z4(0}xzlSn%P2%u<PTqywmjT*pF@#d%_ihVDAi$TPjhNw95`RtpZ8QG3)$8cMHiE>O
zp}^lPT&RBr>c2-mgQwI*bmELTjCKyz>RuM=%M=0~fR&pgPP~?pD0&0;;8k&skLZo2
z5CdbB+w!OJ#nCQ`iwoE5G-;ZjvXbrN%%yqK<oe`Rt&PQOlqiS6JWDM+74|m#t;V2$
zn3wHMY3CSCrwyStAmkJa1b>TJ?%x|?6%ooV<~jtheN(e2fx@t|oheEQMkJD7i~-xV
z&=5PLS*U`_l!?bptdlGy$r&hwU^YU%K_7$zz^W`#%cfX7(Db*+YAKAM+c)jxmz}($
z(ok<v^NitE;#RZaEU4ibd$?5bDkQV9zo`D<;%;QS5dHgXWn6@-CctYXv?E8SVYsX8
zd91Y5%x4DaAIh)AV57jppJd28*h)f<OC&36g*M3XTg=T^i{I2Eiti$q0$pC3!6Ee$
z69+BTvX%B&O6Du2u-TdE(!UFEW9DM6BLip|Z8@35#+EQAC!o$7oc1t~u-@=WY2#wO
zBBKDqvy>7%j(3h7@^HF1^5Ln+QiPKJER&3UWzd5E&aw689QC(Of`zC1rWtg-2|?D+
zc9K=Dev>se2?&o9<+Kn&XL1sB7yE`5ZW5#VFGg#tFZr)?@r7<QHWSlf4dK&(i9y8r
zrs5{S3ulgdtYqzY3y2aJyFLQdjX4bYn$25)2ae^A-iHU5kudc2pkN0NL2%$HA(OQ8
zOMR2eN2WMo4f)TpRU3atEczlr);U7Re0t;Lx10_~q!v&JHvz@}Ziluf9{*7*DG%5t
zfSp4tOk`buFx#_A*7<pDVEk$ZQ2?|AkEYDt&7DEb;5H!Ll$j_=w(Rk84I`x9*q?JN
z%2K$>FuGzJ!J7rzAN2>4u<BoU)f;q8KjW^c=a}8?mBh$$vlg1Pr@6ZjcdCF%H>F{%
z>GQEYWSE|iJOpG_FTkYkYi_DUupJq{1MG)&Y(~^kHY+^v>Prt{;_~Vc!xJ_l3-Y0;
zr&wZs#r#=D>os3z9mScw<f01r5=jdf6@e<Ifvg|8KLo=CMIakkmdavH#6#|qUV^pT
zf~=FRAXo?0_^$sSSTm<%E>lvvORZwp)@sf8*o3FmxaiK(BjoA8?oFe~=4-HK=1TRH
z-x0)bSq}+|AG2`(cPq(*i{B0YYg-3bIw+Pm+|bb0SosJMxIVQ+zOz+IT*5_<n9>E~
zczFF9{Jtza_8M-Ph?#6LaioNj%2Ndx_h5OFD)&bhl}ONjA>a$Vcz20k`hZ{(awL9>
z?*sK`ciu`oQ@RsOjl{;^c{%b>+s%Qm?<=r^L{{k%O4xg70(S%4F&Pr@OX)uC_hj>|
zjQg0&YXSbLU+240%gF%pwV9j(h|N+g5a-4{wPmMJ*!(B7UTVwr;66G3ZB(Pt9Q^`L
zP9dDbsK<4SSahP7dnp9{VBsx|rHa)$?IYB!aY#&_!Shl$9n35lr!uWjgQOtc!I1`?
zq#SeyhDI$}Bc5#D=jUc>XgIS7{&Z}G&d_48F9f8N)kly=JCeUc`l5i3uGglXN$*Bi
zS6h0ayM`I$?Mh|m2cHfqW!@s<r!Sb&capN1Bp-92Od-aU33BF!Xz|9$Nyp)o4nEpO
z;xA%utwR#eJL<2Xs0E*F(0F!w6;tXUGtEantQr?O-9G6~W)Zx~fU4!6k|4Z;<&Hcn
z0&}1VmxRWSsYm37d2LBxG3od1zFY(}<>^Aj7-yQJ>=>fjN=L=T0GDSPB>w+wnfY+1
zRV(O8-UwLIz{kBxsx$gkrO0BELD3#Gk&!9ePc<!5J~yUgqu5>>3XikpfDNcQqP{Zi
zu$KN{&OBiAUWW3Zi=%?L;sJi9NdWn4)~+TwSXkmgMK7WF&ecu*u<NFS!Ypf$HZWDo
zC^H`@iLmLz4UmUGh|lL;fAldr&k}AOX<oMrE9orbrjoEfKx_EeG&Dv{qN(Zs@Gcu@
zE2$+L1T{3!FIIR7S?g$@)~0m$(X@Dc^RB|VU=WY}V~E8n8r0|Bdocmv^}uy}`t;eK
zTY5~$CS5xAiTIW{1dU5#w#tDJN-m2VZ$(d;Z=w!>o|M8XHia~Kfz(h<M@IWETBmB4
zfKpVm?TTPJ<FB`}FYWMp^(iWMd$sd!h&*OOacv<D)W3z5=0yYRjg2SD2vXL8TO-x>
zpV4Avf&({xotnpA<;+a<B5}2cKERLF8Pd933{F@B=!v(CO%B<Ngyhk+a@d-1s0k4G
zJHKnK)miwlM=~h^aICY4-}Giz<b6%>d&&Ppc5s+#^M+bzqR=L<(zPkz8BaZhg*bQo
zCN;7>sh`men(q$Nf&nWl1X|i3e$Jbu)DX%HHb4D2kQ>)BS_vq?l{kn<P36uzQ!zg1
zhb?sDHbcgqU*~B%G^z#Kvf7y(fMW_qpPhL~4Ddb)j7@_UWA{XyUpi2PW_=I=u3mfo
z!%8J8ZASKh@5{s5|5a4cN)T`H%|!vj0?d*gC+g-59QWdNDP9-!pM4NV#HM3uI*@Nw
zAK#xla&OA6fci5K4p+|oso~#I7pmrAV<43dHL-@rhNww#ZAYwXqeRE(z-OOdDdCk?
z3jY<?OCo<gqw)1wWk&C~BddWUu?0oCKVUTMDQCk4-<#9=1X^_&OrVV?e|ylcAJ2x3
zA~6S)S^(}iqI*GK7*$~U1CyPnO8~51*U0hy^w%Qi(h-k`T-;M6wjNmsd!VG_jreM@
z<0+cM`J4li(p0=tH6gw~y(OOY!OO6b7PYN_E`oeoYfKk}^S!+)aWUv*Zm%y9*=*{n
zFf{;8`=Kq@2xT=w%Y?!t01^D7c+1f6wm=E`9~6j9d>?}6#(QRodJ`}avfSF+E-o%l
z{KnUzcx|68mo{XZ%;B-V!oxYPk=KFCZqhLE&?QJnZES7@MHFeDSm+-ZEHx3BC`P3J
zq`N7TVm1fya<`Q?VZAoXTpM{GsK9EX>FH@mBuA?pBuQhkgTH=3Vyc}wc)%SCh~wo-
z;qLnUWh%^`m(41jaMNN^=VKMA<c}ngH_x)g$9`KVrw+s`$6n%oItSGDGeHpunT#vN
zD9(2dQ?z|?Oxg6(68iSx`C-l^b$}KC5vYVUT~j-vHq;3L!gd-UeJzHeoR?vj&5#>}
zq#yh47(vj2L5zL=n_lFgz|DhPLFAGTV%^ZZpjegWgAq)MU6}j%=zwD#ZUUKOpaByo
zC*PX>Kb+db4%_<kl?}gTjI~HXP??O-VfeRJDBndu<nkO$(redDc<}Z%gIPqg*+!aq
z*`;Eu(o#>HV>e*^r+#)enhP?)2A1VAcx|&PvMgLP|AV6$dr|5U1JA}h!x=~Fnj1?p
m%1m93@!nh*zbR7W4S}%Nt&_^I*0<>nL{1&LF|<|JPFs!pCMDAV

literal 10324
zcmV-aD67{BB>?tKRTIX#i37a2Mg;HB-Q8);18cy4bk$l}`?PG_Wg$gYYr+z$PyjnQ
zDV#;Zdcm~*Iwfg~-aIrHEc#$&wWODNd4>uw{AQ#Kl~rBxG0acKsMgTmzaVa?wv)lk
zgS@E8rwrJd()g74FtDM_q<q=_*xNhBsJh-TWi<3b3a9|ENqcGr{dmFR+jVf#)8M-7
z0|5pNDm?I18NR|vJ!(3-83LHlo4)|=6UOuPP^pN)>uwFZczVtOsvg)VpuW*Gm`VlH
za)P4dSLR4Gk1>(|U@Ht|5Y<nSXIyA%zqntFwlWqbX^f+6`=E<Mkp?xMs`7upF-*fb
zG?U*dNX#jR$61MvcF~6L{A^fX)wbc9T}W0C=xE+0EXboEvCHw8WRsyin}K}H-q@J_
z*tx)5wEQWG26@t<2{|j>Wg?TMzXGbsDxs=XaPx6s@84U(SDc{3m?#C2#1mhFDRlh}
zQh^>g>%H^x?2x8Pt{7PVyAbmaKcR%a)2xfa^i{h!WGlY<yeG^#ISeKyAGJv}OLQCQ
zH3H+p0XrNxfhB0dI*0fLunlxzB*px{Nz^7&jF5T1r$AHuZ0q??1wKM?nVzNR{Hjyt
z;LLJ#@)T;)UF`HVoK-@%b=4P1eDbmKDw!|6N&)&DGN9;I|2b3~%j{IwG+5HG>^jP>
zoR&RBb}KaYUl6YD(F9;ms^w?1v5JWbE*l{wAj`apUDT($P?JMc*c3!ouj505CF|Ep
zc8HNg<yBpnm8QqTvrjeh?(q1+Ss#u8@{C_~1>i93v{Fu{yX63>Xj4sJ&OdW{Qb0v~
zVVO;N(?^GvRtgBE+L7^ruyPtmVc+^S`-a!D;CZGR;n(NW$@!yn_P{NSfXuIAZ)!L9
zzl;!%-mAfF=V3cM)D9f);}OXzQ|(bHt`2^`G<=~(#OV!9-j?PZM|Rxk!HJ$kFga-3
zVQNnrFWlAiw;$}<2+$oVEyzy7;u%%CJfW)TP)d)23ybzd&z8ym&}-)FntOAzGY8^r
z+4?#+s^7y6McH)ayrFb+pQJj=Lx3RXmmrJ}#@fzMybWRAOZ}j?1*Sg<Lm+j2uHk8&
z5CG!p9Lp$_gL_DQ@wbpqUP$_Wj+7>Lg9$kq^;kYim2n5wsNHPxHn8(;gs8J}qKFKr
zfyJx?EB*rC@9}w`btw`BDr{EEbF6>Sz+w`oD_ua(3jb)HG%xcC=AD2iq3L{HH(5pn
zrD)t5Evir%ec<abxcs1D82`kQf1UZ>{V2#n29B=^k57Z~BZ_)<@RnC?o+0suRF;I@
z##SD*REf=V5M9&6@=I5J(I+Pz{M}dI*+i?~N8hIPy+H=L`Tyr~`u9q4C!iqQ4e*dw
zHr@vh0esl>JZJQys|G>2@Or4B{P+ys`h*JSS>65*l?z>gh4MAY>)Gd&xbBE5Te^b?
zAJ8>uGadto0Iup?f=)aHEa`!I8x;<3t4en=AyS3X2E3pRDR0`i4-uG2^oM;@S)Eap
zZk6YAw1ZjC70^U(VR&1dbk0$B6e2iI3OnWEK$&;S+x?lZ6D<dk`<XiMHZx|DzZu$L
zdVV#bLUQ2AHTOwL192@q-s=JkHELW#I%kpaeh(_d^9|iiP*<bBSFZB*X)egN@`tW^
z>qQG0y|fn%h;ll4b4r=A`zlLP4nvW0+~w@-%f>WcELH+e9q;|}o_X!1-slRaK!1qT
zIh$1H^*bMf+_f3(>fZIj8URQEW3n(|2weJsz#(!&rdq{o>pRjhZGO~II}_cd%3z2=
z2sw{b9+)D>PeF$}PrtZ?;#E+s$0!)XPl7W4{0E!>t@C!>%$4*`aU3p$rR8Vh%S&L9
zb=xNDC#2D-$bNIxu>Yu%D0ZnZdD5MAVN&sMvpQRCXh&j6^`9|5LI$11u9N)&e4adB
zsgac$5C`yh5Y3q(e0~cQ4#J5n_scC#-hEMZ3lGLnO6m~21521ZvYmJ9#@PXESGZ=D
z+R9Umy?wY#xIv>SrH70^y^AQSl`pL=2mTd>hHpa+C1_6n_Un@*ah0f!X;^8wEMa&M
z8DUK@>K2kit8vplnY0&P6<y*+q#aZ3z<`hSmqn>a3z6fWJnUxs8FHXRl|K?}g;~2I
zauX)i)2Ii|65lLc1R6~h8?4ypNqKX=?r0!;IIz$2!mcnQM>_3K`P}v%(u3xCP;3qL
z(CfCJ?;C=TPnD^=Q;Pqqp+-w`CFFYfZrK3hjWdwbvGVesNg!z>v>Z(c_8ES~_t@7P
zl3x3x?c};Sxp%|WOk3JDK%H@pmk(qZDSg$C%9$~GW^84b4dAeHVz`_5C_{t8aQ`r9
z%ll?y0DY)Tc4aNdoalOpLNT;&(ng?AR(-3Of!|FIkxObM<+1BO8~6v?hGo4Ol+~X-
zu_r?Rl#wZX2Vg)t;gLU1j_Y1$w0K+bRy*a_2Q-y>4q&^+grfOd(|$*5rJ~VtKv6s7
zJL-$<T$40wG!M}vOB)wPGELCy?hbnUd=pxy(KASjow{|2*{{eF#n^Lj_t#q2XiSN7
zlrQ*Rzu{0P6;L2Ep8H9&Mh03Hn^>~UB0?QkfkAZ8%{Mn(W<;sMTEd!YgEZ7z&KN#2
zNPODMs0<zPRXGG>TpL%oT*`ETxeLmAM%DS8Vjs4El5Mvk;$mwX@d_Cw88@mnkn^_#
zM#7~_)$lDIfqWLkewU-3*uBWKFVpsv9S7~Ni$)2!PH0<Tvye1`jk*(2U&27~bq)pQ
z%Gh-ID)rfXImK*E46-VBGeH@D1V3r;j*-OsJMODAQQ6TMd1-pBZl}zr5@QGPLH%;g
z`}7iv)E8HGnu+{QkhC?xSc{Klc$`yV_2bD&5rJjtvTw#A!tfP`^mc9D&?2wt{^P6C
zq@0mSW36o<hvn9aryC*(^Kt(hZV5aUjBOyvGAW)`(~h4cHb=`iv4w6~+7Am>!#>+d
z>W66a(}6OF297Xw)3%m5l0^s>L21n?5=Vxrd<B)7%4S5b)QmkQBHo^}W8xMpk5x9*
zHfza43B9PMmDomL3Doo6^+`i!a`1>_HdaRQoYjOqftUnJzaFv7!jUiqORwxuy~<-S
z!0<g_eB?Jif#(rZyi|wNgYy+R>jjYP8l+uOO6Q|fuT6B25?69<<aV^!i-C=reuhEA
zoyD|4U?v!exJM!m-l3vxlnfgphVVELpH597)ES3wN%>akYNh4-1j9(O6dad9l|d%l
z(czNQpzJvApd9cE)}uJy#mqy2q4j+)poXmy@+JIJIvMkz2!7#D+n=H`I%X`5oYd2h
zN*{g!)|IApJ+U{JCTRJL^uZt~Z9b{a&?=}`l+<=U7IVLAX=uTg!camd7+Qk>;_JGg
z@HU)Ne2g4Tr_7%40pf7Ab|P&EJpuI0aa*PjMZxt^$}F#@v*ZaN;UCdGot9%KIHl`)
z*l^3U0)`QHP@=>zBy0}eGfLW4gyn%9GGgx-P&x1Nha6~z03~uqHiDWlI+m=nfWW(m
z@%Zg5)0RL3;QQQ3g?MaB9w>u9raD}=T=WkP5;tH-mKsT_IB|jsib>aDNhMCgxy)dh
zOE*M-N|#P|{Wf*;z_8&|L_q3rv&6WT%NXSW$UZ@(*OJyTH7Hug#6W1pe(Z@Xb>YqN
zS7H=oysC&^aM7TpXGzP~;ziKuPIvPKU8``#t9<sCvzLV2Y-<wVw3gqfSe)dZQ*W2H
z4s^JY>AJxq(tll4rBql!FXy*lX0}Hea5)o82zuZq=U$Grq7R##IMuGG8jWw}<ptB$
zsw2gWC&+gE#(}40oq&((@!FqVeu}Z+`PFwPe?$82R`W7=T`)?V-n6u&Hay;x@E-jd
zxPdX93(!c_9B<(FMu7m2kCC>(fm<OCxj{@AQuf)&gUF+dKV8DJ>1Gnw!%wE1N^r;I
zURc`lCMzN!Qw)tr5b>EhE?VXW&HX*{oCPna)dTBQ*^Cd7(<$DR&9O6rx~p77vKP9W
zH@!GKWk0S9Vh#FI(9rmxWO=O?r-8KBpcY7dF{fFjxyY+>3qt296cIN$G@<dL0Lqok
zq$S9{rs?>nfVzx~Et?7t$HDNK>0FR6VIlwrJptTuP<82rzh-6XSkj6XINS3ituce?
zmNdqe-r0fahCgFyg=#S4!JU=_Hl3nh1O4Hhii3=in(q%}w|!yGpMK&c4I(VzrD)G1
zb^#-q@uy3Q@K0j01)RBqRbS>hpWfrWCMWV_GU+pkGY1aYv+H20NXMioT93#%%$7kd
zLO7Q|f3|VPNe?5j3CZCT`rM~!WmpxJs0(ZMJA;fZvNlVLXF&k8d^{MW>cT%lRz#FE
zq1wWqLhEJ0S}wc!Qy-M$tp=QSg`^hfKwDZ_Ieo|Bd#Z(4ES|T;)AEHsaYmjd3iC{^
ze`1kyZhl?WxN>6EJVQn(xJC#WjGUlP?7ng0fib$=PE%DeKUU95x3H7?Q@E)pIS4?a
zKT59%!OD>C3J*5+T3ABm>#Lh7unRkp3L*c={Bn6rum0gLr>@8=kMxl{t{tKG+U6@$
zOus|!+esRZQpeJyBP1sj4r62Xd>`77tyZw>ooB6}E-}f+ryFF-6)KiP?REh4f*b&F
zOQVWOa1QWMlZ>w0Ih!)_Zr|BmS3TQ27zgVoM^aKi&jFYA4%vM2k3i?Qp{9RP9{HKF
zIG8>E$sbbB=Xx2xs$mPrIdn*Gm_e!-!j``Xz=?`AmLf40HX=>C_Zz;!=OHG|{r#dR
zCM_s~bbYqY5k7$Z*4UEhCZ77In&oz{4Bg`Gwf}qI!!U2y^tw`Vum*U9cM4$dTmZx2
zfSZVfTqyX29464~Y4~D6?#7aRfF}P(rGJ}TBvJKZ19(bi<LS^xyX8>iSN5m<;<=ke
z;JThr|L=sgMW@XjLy+y+-sB^!cpC8->UwWcP#e!WNtU`WEpUEJ^#H9G>|Hhr9!-wD
zi3oaWB)Gxi-gQ**s}K4o!gz;1^4AfqNXZ2av|KGyL6rWL9WW4^)`hO!E<4L)-x_m(
zZ&S!`L;#Vg8ojPNWOJzqfp7^HT`6Fre*MplQZ1Y`n>~AOOd~%=3qX%Ztt&hW7YgS_
zw?2^O*EVXfZM^&vU46s1krmFKeMlLhq)VZCwJlQpkvex&Vs24ImXj=Z%B9W<nj8cs
z2Bc`wm);iPLUp~ZhtIQF-#U{8%zDgC22BQ($v>x>nEZ#GSqE+A)(*9ntn6BMC8tUH
za3D*^(hdhlA?pUE*tA}swf2PkCRI-2w-(+i8)Q#15q1dI*)~R;Tn!vUQy#+9@Dc!)
zG|+t?meUv%ze)EmVBk%L%H<tO2~q}BA4^)4A-0b$$Rj6*+mi;>HZ^*q-hfhdfoTkN
z<cZsi@B8{8X(4m6SZ&NZ4jTl#9xF}Y+gEXp)<w<CO{z*I59X=iorP~?Fl^v?gIl4E
z{~{a2`*2L0q*IBR2zvW*6Bv!#+!T?ePzo*8O&+i-SDqwa<y1<Y`@N6D)+IOuXd!3^
zZQ$gjA0WraaY7}#&#DFMafJo{AJBY!=(horDNQ28T6Ml<NeuXZi-~H{?0vzkEj;5H
zlDq(Uh2T{iR;*_1UA%xMczk@ec~v*^-p`P*$fN*(z=X*R^lBRu;-*cG0fmb9VfPbo
zf+V9u1TT7N06X-44M2e|_(QB?6Fj4RuAWBr#l?OfvkT?Yf|u83!7-QZkZ7pa+=M2@
zwAHazmU#SrqhwiasN6J5RqLD>qKG%S$_6$zHQ5E^B(PijDLaS}{z#Iy<*$e=s$2-h
z#c(K|u0Q_mNeygR^*x@XT_5OQBes)D9zWD$)V507=d_K}s<dZ2kGJ*^)}5e3G^ci<
z8vmJZ5iK#adodjGfvbMZ3^mm!SoJu@VmJFVZjd5=H3qbhh2{WcF|@~q7WLGewf>eW
zwR?%3FzwmKxYYXP4li}G_EKNtEEUeB-#OTGm0e@DCX*dT7@5~_XLN+(fg^cQWpbNF
z>Uctc_DR&tG_8G5Drs7T<pm8vwL{xe9cL=0<Y>gGGOpGz_pE(#6yM!MK=O;2@g`76
zc+`&Sr!7l4{~<sbl09~4_nx*wBsojm@VPtaBMcCrZU4{lMq%5QFGlSs^Zec3d?TR$
z+o&3J&iIbTk$@kV_t=x=bC|zj3fcn*sAWwJ)Z`|wvHNtA{vMN|LxS(gr|;<b<4uu2
z;A8%&)jAmW;VRf0$(GtL;uySd<Re=PxF)kW#GdrNN3MruCWu@>Sy{sB>di$BNJj!J
z@tM!EsAaG-8Fil;;U>Yo%r~1xV{ZSTj4kHtj{CDd%3B$E&UTxddr-+)1g<;dwf42b
z_snkoX<;ErMg7%3;5aF<rmVlZDmWR+6C`44*{-DGtnNRN_JBS|vGt2m%yDb#g`SLF
zm@Kzu+CY$*<B>LD$#E`Ud{{Eb>`eIj3oc)UB#``6(P3~)9+1eWF(bYogzjs52$|j_
zp$WEr0iw?&G@`}jGAXRlR%OmXP96&(iG&1+@E8yCT>uSOTuZgO+4fd!rB)JQb{}L?
zs2Gx&@QjL}Dgp|s)V1cbC?aFy(T7*&*3KQ~oR@;c5lW=nI5t5bgF4(r&u9Q-@gJ=N
zGXoCW1T+0How6m`$HhjAfO#oF<|n()ic<mDX3`wV<etKE3TPMJ*(}i)XnpE!;><Jr
zTLGzt=n4$+&Pmj7?C2hK01~&o3*abP-%JCdLtqKeMtqDx9DEt`P4*%EKN|UT<{wy=
zX@HSP+QDMpEy80hH?JoOy+>WYX%%cF>T&#=?}%;E>RsFfF(?+=j&h60LjxiE<PcJ=
zyG<|yx9g@-9kTU4SujhqfJh8r63rJmb_?wklO#!2xe(w1O;_u~H9_r(C~N&bCk7ZE
zI)*MLA%H3M8IVwZdeqEav6(6YYwNLe{O*>24Dw%C)Yw9I_-`EJJ+V~+)amZn7}Kyl
zTRJaa8Ar|z<itxeuY^uM_XB_bR7n3?DPY9)Lx<xGQzM$BWUhtq4(&_%y5$~Ajn{%B
zRo6EDzySj4fc-?~DH{(`A7~t-tANzIJ|v<@k$g(cY@gOpj`EBRhh?ApF9i<vaYmf;
zvJm<Ev9A#EsGi-iwMlDn34<7V|LLj4aDT-(KvY@OlnP;ZfW!yBy|Y`x2FexF`^jcY
zhLq%yQQ<|{o`pjAJA|}as5ldD4YFqZqt)K@a}jRmlKnj@TS<5ckW1P;h@_>7p7d|-
z=-Kp+M9gEEHu3iTX*dYl^|;SZI+qLyqeKD^>wgAxXBMtL^8piXzKj&LE{%^DR{!Ur
zu$+EIm6BkR9%)Z@Sx{2T)wKu#S2Se`t2$IB_L6&VKNq9W9E5Qxf81G^R9Rp@)x4?^
z73hkkW7n_M3z+F?{W+M!fbKC$b*`7Tvt7?==f89zvP#aWM@VA>x^Jh8<WC=CAW~8!
zD)X$_J2kY%nuBiVxkXcxQGCqfQ!IF4qXx&2z^=fJAo<AV$e7%*=(h2WQFal|uO+ct
z3mlr{2kNBX^<+}ezq+qEkTupAq!^<Yv(w;IF#VS@7|l-Ur$86}r+Bm1ywRh147(?!
z7q%`c)qyjN<(cpx{wIq|;JKvMZ%^>g_PLd@@7|*>=>{r>!mf*xw@?y`K8fZ#&h!x%
zZ!?G?%=i%jQl8m3S^fyX7J0oh?SjCMrD1JEC^+*31OESqrx=SfWg$I}$TEBx?nWEe
z2@C_|`-0_F-;!C4AFi@#vePD4({wQ_<Kp&V{Bo8cw>q3WCza5wcmF=a+Qowal|+R?
zQjAao(-f~jl+>)$C4h-pQ}$PwYbr1SBdcC2wE=zst}#HR%ka5n6tI1x@1onWL+xgD
zI()9~9Qt<g-D*gwo?M$-I)}Qb`e%XY=A-Ke{{U$5N$5%yd^^>Ki9`tYAyI9_jn1n^
zx|ykazk%E4rZ=Ik1ESj8vp9mhWMa=pajY~cF!Feq`X97Sy}kE1QlE$?Cth)+3T7bq
zbxdMZau4d1ZHmSH?1^8YjI=;0Kr=a2*>HoEdO@;|sh06YK<35;u+|IlE{|6knIF^4
zks&@0vN}R36CU{xH5lF4)fv`)Uzi~F;#$P=#6M6z!66;{rcoSfYrzg>x(Le>>FX-K
zDu?10HC3;FpGJYOsdF641`<1;SO8qSz=^UJ^j&8)>F>o2$d@MW`WOS%u`RK|E)o7*
zl2z5DqZOk0o1B>ynOT}t{Pvv)@<RNo@DtA--Ll27G(#4+>~v7^YdGJu{^VKAUd}e?
zy3w+r4FY??YZ}yz?{c9vsSJcq3;(W?OmR{6DI!f16nM<d*O+tmgY+4d$$C0dm@QlD
zWgy4X%mkRph2n#lES*dsYN^2ohPz}gck1KPmon?4n4PIy+AA~BfmQ&3`7jsw$j{e!
z!2HtrKLx1m{|raoe;{x8heM)L^M8Uh<V(wg!!1ev)b^}@<-y?NMUPdQ#XV=0;mp>Q
zfOIFFaLtW%P_Q9h!FA!f);dG8#@xfBpI&o~;S}%(NfG9=9DbQQEkN)kNNL&E;M9!z
zVgcPP?@3*WgOea9rT&16h(Y^mnW!<vZ!3o*a<J)1@+D~t5%b)7!WcgOp_8c}@uth*
zFN;b>G@@k-<x?wS3#Z?Tj0hR`9ywo}=*lS4-v#@_%`4Q?H<?bGsVDaeEOXUlb`~>y
z?*BpY^<QWr&5s}gY-T)p$PmfAioWluL99X4L^WaV%F0bi{i0HgW)oX>Nfi<ixNWV_
z=1g9%<G=V@l*m%G@ht>5qil%~eZ{6;xnkdiOY+siHm#N^7<G5S9Xr4EcCDIm9fQ1>
z8JYY%2$|Ze5uMd(E-8q5S8hkw_IL%lNZu<RG=7+eZblM~V|p4s79(KIlD|Ijj=+P|
zT+|UwGJ2jZiFzxYWtGnpI(Zen(4g#WF-Tv$s*rmj;!tjwdcn?k61@wV99Qm+o1!JH
z4Y$_kGvW<d)RJL#4NJaqz2{2|RYRAK&@HvFk6^Vvpi7v_&=vRss2M1nmM<N^01oz<
z@Ma{TK!@zFWA5HgUj#GDPtW<vRQ7UlB>dt1nqjxdds9>j-!wbmXZ9Q@e&~I(gBsy1
zhOs-2&`+sehJGU9$Ic#Rj|I{ETrLsw{(^k?ByX{^JuNU*u_P(ZXRtZ_YuAzjD?E8L
z0fWB?IC(g1mFuvaTbdcmR_<E&!yni^U2ytDXp?NFs@!Q4FE#0E2dJQMt03-GAF}(g
z`JGq6NkGy|j>AmcImzLi(OtSSC7`ZS&n#fU-8=rH9eVn3V{aSnYG4X8_n9x>OuQjl
zQg(QGMcYPTC?F=C(%^x+*FCZns;^TviEJ{M>T8sVQ9SsP^tc)Il35ukqB65l@N?cY
z*1E&pk`;lFIYzhB24s=~JMJEtT3Z=_U78TTA<Z(ozDeQ2qHAcT>bpe~HEs%=+p_CT
z{*YDc<1Nv~>W)zyk4n<mjm87B$_R1?Lu1@1ft;ID)q*XxqS|6wU?PSQsaAS)($#+r
z^6EB52b(s37fjiYDw_s(LtK^O^*?J;i=>4%Dukn@4(s<Y!Qnj{%@L~nCMg~)_d|?N
zg%|1fD9E?R5T0~oa*nmLGc)NkZ=YiwVUYEhp#X}#h5heCx`261aweEWK$7sdn@=1S
z_A~O`{Avz$FZ~ABUpLrRlcJ}L$XTd@4e)OD)tj+X`J|fl^I!2Q8(??cW$=dI6-IPb
z=72yy`4#SMlldQ5I1_2Or|Hb+Bp+?5BNX;5X$3-R5pvsqelp5g1DX#mY3}ZCz0|En
zaV?K30KEr{KniXjxE2&AY7&*iUfA++x-LWW>kw!8=$9G^(z9E#8IMOR_8d*=t7kx8
zX-g8a6<eKT6WlGS_nR5g$bu8=Wgic=t7Fc(v!YM6tt;*v`p{nuk2*HVDXGbpaPou`
zCPxTO|6U}Ns%BcYffqEyXPx>^oBDHL_^$#1B{t9Zo>`pTqmb8{DnE3xGKjs84BZ0E
zuNBm_ii)S?u%qb{j52WcI^}>=tW(w4M>jkl%*Vuwk^xqo>cW=BxQAdM`*A6;9%h<$
z{MGAYQi?HM<F?oz68$+Br!rVR$iwxHvpVNuD}w)+G|b66B{KZ}LQrB=s&OHioSSKx
zK!SI#&|1}HT7WkuL`SjRsbD1&gGG4^CLd!1kfKXozx)q3;g^XkCYQrH$gec&ci+%1
za(kQLk41yhR6l{$quGK1A;++*rrjFJZEUtfi1M`T>~Toi%g&#{h7?y@%9kuK`kF~U
zBa{ni^ZRldb@xNt%Ry6r6HDkoL7BQW)up~IxN5G&pidDJmb)7?m&GougIF$+xjnA2
zy$U{;$x5bmE;L@O>L-pGcx=TW#$`#-btF4n#c0zK=$Aoa_YBMqPPH@5lHz6aajXGb
zV|GYDR5~82HML8fsk=XE0gLWcRIrdy;_Ko|1aN8rzK?G=^0+uRJUelF)ml|g{){Ne
z@fc8|_`665osK$LNu(A8M2AhHS2&Jr?X6GeIiNAiKGd@4<UzOWydyq7arlg|D$BD)
z-C3^^C;4kz`$!~PBAzM=w^0q{4b1$}-S$eQ&OZ`8;1F;)MYFVg*V>h_vC<m=W6KMx
zC7OvYjupFLW76<*<s(yQ1>^2Ov3{Ed{NeAtXV5~%ZlgV#wdk0A7fdV+$IoSkD`m#p
zL@LLIB7C44LeR3w_BK(&k0bWz2^9Bfv6NV~0Rfh*D*vrdI2U%a-5Ek^tfGz9i<y*5
z9@!NPO-L07iru!K1r&o-E!VCf(X2h1rq_FJL*OTBH6U2S;FW3-Mh+TC%L-4q;d&Qa
z^>jF7(BzjYr3#+|mNu{NE;aEtnkLoKvsVx+Qq;c`JTQUF%0H#%p`4wh01f%$e`J;<
zSQ>zcQc~DgW{O)i=}tUCi_vCzo0iLkDPVwb!t0OG`n$Md67q)W`%~B~)CrSQ>vC}z
z@mTPDnj9psSb@UQov-*ekfEt92q;^DoAQuWP>Rc4E_9dO{fy9hoeKwMR7{D^l!J-l
zl(x;48)mc7ot=Wtq_c&u4v3F0iXpR>DWK#M@KD{b0D#$bCAe8|n{EkUB|!O1+P?!a
zITyY=o>ZTt)INQz{>haJl6vy0Pd&GWD2d@zGgrgzkSwJb=K&62e%zdz*41~NVaAjr
z>uPk*cRQ(S)A8t{iw}U1wqxD3``AeITFo6jH_ZvB@GPagk~W)h=-$21PQBb^`7KIp
zb?YzBtaa;~Ly&vUk9`@*?jC4>3O1$Et+&H8h|A!ap8WqaiJ<YHRt08hwXg{!1(w<=
zQ(F3oWiaqZls4&kq`bC;OqV_)e&)F|2VUoP;|*6Zv_sT0-B9}NIWL-ahN9|^ojaor
zlq->zX+02&McHNAt{3cfaIEp1ue^XyP_*XW=c8=q#G6T--FBc~y74*d4NlI><}JDC
zfjG|4qYtqqBUXFRaUU@dxc@ALq`H>4)A*%;T%gSV|Cl>)fr->kYJy>TII<?pT*~7$
zVPa>`1l6UPS)e^5h%u+T4IVh)z~2;VY{2|n_N<nN32W=em+u!;&UcpBkkkQNRbQ`x
z{{>OvS2Wu0nf^M(!|^Z(5K&M#BSdNY>HS;V-Z_Cc2M{KL4BqezoxHbNdOnG2EwmlQ
ztik^s<^v>P8*w;F;#|9mW_&PrdgNOG+vo*Kv0qKeMsZ+%w7&1^_!8d$owasm4jRy;
z(n32wx5Mi0D>}_PlHBJj?+(yVm&Z-TU72WRnC;|S`2Fph&2nF`=$OXk%DmV-C(WDp
zY(^FcOMd9^+BMWd-gi4P4E`lhCfvBN6p_DHPr;D0TToq)S$g+$yQP9g;f~_5MtiH0
zRPL^An&F+5EA#`ff5amobL!dw-4r%LQ$@JxO6UnU=SB9?kz5Tr)Me#-yUcIe^jCtQ
zBSJm{dUL6=ZRG{w000LX-{pBaIfnVsRBq~w9k8f)`n<+$y#~3hD!s+$Bbnp-$2R?g
z{#$^S>)V5kS<d<0d~95lWO*Uy%K@qVrkGvvR^*wAyT)1>FsL=;A~|UhetE-fW$f}x
zb|%sk^L!)~hRyxumXO{A7H$m<Lu{VcR?#U3(7BrPXG2fl7l-g$v;|nWImyf_xduw=
zuxqQXc$1U=kxxM8fi2qQ1HJ@cXOf<S7g+o%-r+*maK=A2^iLUrrm(4Ko9A1iBZTyW
zEwl@}oyc;$-IT;3L0fFMpIk@mi%-LQ3vYIR%&ZaNde$D1Ic#UOK-o1C?Wd_(50A2X
zSWSX@;5?7u4WhI;jNat4*;8FvOuyo2rBEmp+?bT5wDijiWZrnCsx93<U@$k*8A$$b
zKM9<|`2XH?8Ss=kE^d}+x=EYTfqHf$j7?`5kl=3dyMIUdVJ6BmTz9EsQ$5Q4u-p8M
zrk(Kf^!Rm<OSpe~jqD5VY&RBE>A@7<vkdJthJuF2IHGGq_yd-8IY7KTFo&xJl!f?A
z+FTp8u2#?Ct()mtK$X`N-as<`IBi(I)BtT`nvOMDtEqY)eG0mK>RCSr0&6nm1a&dp
z%jx)C@tAfsD1d}^dYVi2CDc-&I|K$8ibmA%sAb}oG>5+yp#~mA<fLEiErOHK6KRO*
zI?x;hy=qz<q3~Q5+@;Ri8*mkB$n3c<)=gjM1gRa(?^r;5E}U8yl<QI35HEV7&PJ2Y
zBPFtY1|=eDTv8r0H$%JL&0>2_ncuF{VBCUfnQ>wQaBgFHk>}q}(K6kcpFf9Mc3tq;
zLNET7BC6L=_w*$i-Hy&9x2w{<k1bFBBBT2Ik~>1HoQY0&McreaSd)}hj{=r^j;2Sq
zXcUPl2;F+E1`OqQU2Glw4tcgiN)$;Jw--NnYd30k5Tb3O2=_t);Fal3KCbEQ20)lB
z9QiO#XT-m;IzxWE0-99Yjq7A9x5D&Oy6y5HHQrK#w2Cs03Z_}u8bz?u-I@{-lnrN!
zjm>bQy3eW?yS}uojK!;R^}a_O6|}=e%EiSV&9~tun^>QRAzpYl$xah=-^O7V6K@3=
z0^l<o_VA0wsT1@_`bgo+i+ff%o4=U^^!duPlD_HRGa`P;Ampn)P9SLtsQBHYXUgAL
zymRYS5q`~;W)2F>&(RcMQ?4{LQht-s<MLeA*Ya7JO)M2MZM?6FCD;BQF5sSCzRn}a
z*l*?sGVVeqebSKmcIji+9C&SZxv8R2a+&%}BPOBad5Tb1`&a+wIlFBDlRupr&V$Ak
z3mfcDw^%>TM^geVMd{&B@T4Frn-Ci{8BzdISI{<JdS?c}ny5eLxJ~WxGth*>0DUZI
zA87AfV&Xh+7(4Fa;^pwukbAI*N5hq@0krOzh+GH}_gpL1^=xC8>)_>JBm}y7u!ro8
zh?ubssL)7T_p!&z=id<hav&4QB_XON-&y)Rw)BkGn{sPH8v(Akb%TqS#;XjH7h)mY
zPG;_YRY{AN7wG8K9NaONV+=kS7GxA9F(0S81eVyNMYg^A+Ui`}<l2(Vr|$`p3u?6k
zm^NI<3?inLdfNMs9!W+1T~zj!ya56X-1r>w%2StvhtaEaA9s)qC^LPG_*-*{sb}71
zPN*ndSOKqUiOEM$+j0=rQFhrcs$!(@5I%dt6cdi?xMP!H;N*aX)j_x>{OqTb><t;K
m6wswqIHpi~<{qG}`dkcroN~OVimX<v{fU@LbSE_#$E!do7)WIR


From 9b9ca6925ca2235f8c1f414a2aed5110d98a3840 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Fri, 9 Sep 2022 17:45:45 +0000
Subject: [PATCH 14/36] adding environment injection for revoke

---
 google/auth/pluggable.py | 9 ++++++++-
 tests/test_pluggable.py  | 5 +++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index dad41d5cc..16c67a87b 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -290,8 +290,15 @@ def revoke(self, request):
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
         env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.service_account_email
-        env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1"
+        env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
+        if self._service_account_impersonation_url is not None:
+            env[
+                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
+            ] = self.service_account_email
+        env[
+            "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
+        ] = self._credential_source_executable_output_file
 
         result = subprocess.run(
             self._credential_source_executable_command.split(),
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index fa9933a84..f9f384239 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -45,7 +45,6 @@
 SUBJECT_TOKEN_FIELD_NAME = "access_token"
 
 TOKEN_URL = "https://sts.googleapis.com/v1/token"
-SERVICE_ACCOUNT_IMPERSONATION_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/byoid-test@cicpclientproj.iam.gserviceaccount.com:generateAccessToken"
 SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
 AUDIENCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
 
@@ -1070,7 +1069,9 @@ def test_revoke_successfully(self):
             ),
         ):
             credentials = self.make_pluggable(
-                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
             )
             _ = credentials.revoke(None)
 

From 1dce93a2de1eee929b803ab4bf11f8405b960d95 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Fri, 9 Sep 2022 20:24:57 +0000
Subject: [PATCH 15/36] Revert "unify the expiration_time check behavior."

This reverts commit f361340defa2f00fe2fb33a58fa50ff908e731ff.
---
 docs/user-guide.rst      |  3 +-
 google/auth/pluggable.py |  8 ++++++
 tests/test_pluggable.py  | 61 +++++++++++++++++++++++++++++++++++++++-
 3 files changed, 69 insertions(+), 3 deletions(-)

diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index 685a6cb70..e689b11c6 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -450,8 +450,7 @@ Response format fields summary:
 All response types must include both the ``version`` and ``success`` fields.
 Successful responses must include the ``token_type``, and one of ``id_token``
 or ``saml_response``.
-``expiration_time`` is optional. Missing ``expiration_time`` while retrieving
-from output file will be treat as "expired" and proceed to run the executable.
+If output file is specified, ``expiration_time`` is mandatory.
 Error responses must include both the ``code`` and ``message`` fields.
 
 The library will populate the following environment variables when the
diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 16c67a87b..b0501bc32 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -369,6 +369,14 @@ def _parse_subject_token(self, response):
                     response["code"], response["message"]
                 )
             )
+        if (
+            "expiration_time" not in response
+            and not self.interactive
+            and self._credential_source_executable_output_file
+        ):
+            raise ValueError(
+                "The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration in non-interactive mode."
+            )
         if "expiration_time" in response and response["expiration_time"] < time.time():
             raise exceptions.RefreshError(
                 "The token returned by the executable is expired."
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index f9f384239..9ff458885 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -811,7 +811,66 @@ def test_retrieve_subject_token_missing_error_code_message(self):
             )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_pass(self,):
+    def test_retrieve_subject_token_without_expiration_time_should_fail_when_output_file_specified_non_interactive_mode(
+        self,
+    ):
+        EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
+            "version": 1,
+            "success": True,
+            "token_type": "urn:ietf:params:oauth:token-type:id_token",
+            "id_token": self.EXECUTABLE_OIDC_TOKEN,
+        }
+
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[],
+                stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"),
+                returncode=0,
+            ),
+        ):
+            credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+
+            with pytest.raises(ValueError) as excinfo:
+                _ = credentials.retrieve_subject_token(None)
+
+            assert excinfo.match(
+                r"The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration."
+            )
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_retrieve_subject_token_without_expiration_time_should_fail_when_retrieving_from_output_file_non_interactive_mode(
+        self, tmpdir
+    ):
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
+            "actual_output_file"
+        )
+        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
+            "command": "command",
+            "timeout_millis": 30000,
+            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+        }
+        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
+        data = self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN.copy()
+        data.pop("expiration_time")
+
+        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
+            json.dump(data, output_file)
+
+        credentials = self.make_pluggable(credential_source=ACTUAL_CREDENTIAL_SOURCE)
+
+        with pytest.raises(ValueError) as excinfo:
+            _ = credentials.retrieve_subject_token(None)
+
+        assert excinfo.match(
+            r"The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration."
+        )
+        os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE)
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_retrieve_subject_token_without_expiration_time_should_pass_when_output_file_not_specified(
+        self,
+    ):
         EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
             "version": 1,
             "success": True,

From e0d20993ee4560ecfc722e5d36dba83638b5f7ef Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Fri, 9 Sep 2022 20:59:56 +0000
Subject: [PATCH 16/36] adding stdin/out to revoke subprocess in case some
 prompts may needed

---
 google/auth/pluggable.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index b0501bc32..22451a3b5 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -304,6 +304,8 @@ def revoke(self, request):
             self._credential_source_executable_command.split(),
             timeout=self._credential_source_executable_interactive_timeout_millis
             / 1000,
+            stdin=sys.stdin,
+            stdout=sys.stdout,
             env=env,
         )
 

From e48cc4a325f2a3a4a17e4e621098e1bf54d528e6 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Mon, 12 Sep 2022 21:26:31 +0000
Subject: [PATCH 17/36] unifying the behavior of reading response for
 non-interactive and interactive

---
 google/auth/pluggable.py | 19 ++++----------
 tests/test_pluggable.py  | 57 ----------------------------------------
 2 files changed, 5 insertions(+), 71 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 22451a3b5..b6909563e 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -247,14 +247,13 @@ def retrieve_subject_token(self, request):
                     result.returncode, result.stdout
                 )
             )
-
-        response = (
-            json.load(
+        
+        response = json.loads(result.stdout.decode("utf-8")) if result.stdout else None
+        if not response and self._credential_source_executable_output_file is not None:
+            response = json.load(
                 open(self._credential_source_executable_output_file, encoding="utf-8")
             )
-            if self.interactive
-            else json.loads(result.stdout.decode("utf-8"))
-        )
+
         subject_token = self._parse_subject_token(response)
         return subject_token
 
@@ -371,14 +370,6 @@ def _parse_subject_token(self, response):
                     response["code"], response["message"]
                 )
             )
-        if (
-            "expiration_time" not in response
-            and not self.interactive
-            and self._credential_source_executable_output_file
-        ):
-            raise ValueError(
-                "The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration in non-interactive mode."
-            )
         if "expiration_time" in response and response["expiration_time"] < time.time():
             raise exceptions.RefreshError(
                 "The token returned by the executable is expired."
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 9ff458885..9448a7809 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -810,63 +810,6 @@ def test_retrieve_subject_token_missing_error_code_message(self):
                 r"Error code and message fields are required in the response."
             )
 
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_fail_when_output_file_specified_non_interactive_mode(
-        self,
-    ):
-        EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
-            "version": 1,
-            "success": True,
-            "token_type": "urn:ietf:params:oauth:token-type:id_token",
-            "id_token": self.EXECUTABLE_OIDC_TOKEN,
-        }
-
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[],
-                stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"),
-                returncode=0,
-            ),
-        ):
-            credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
-
-            with pytest.raises(ValueError) as excinfo:
-                _ = credentials.retrieve_subject_token(None)
-
-            assert excinfo.match(
-                r"The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration."
-            )
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_without_expiration_time_should_fail_when_retrieving_from_output_file_non_interactive_mode(
-        self, tmpdir
-    ):
-        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
-            "actual_output_file"
-        )
-        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
-            "command": "command",
-            "timeout_millis": 30000,
-            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
-        }
-        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
-        data = self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN.copy()
-        data.pop("expiration_time")
-
-        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
-            json.dump(data, output_file)
-
-        credentials = self.make_pluggable(credential_source=ACTUAL_CREDENTIAL_SOURCE)
-
-        with pytest.raises(ValueError) as excinfo:
-            _ = credentials.retrieve_subject_token(None)
-
-        assert excinfo.match(
-            r"The executable response must contain an expiration_time for successful responses when an output_file has been specified in the configuration."
-        )
-        os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE)
-
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_without_expiration_time_should_pass_when_output_file_not_specified(
         self,

From 27648e76b5f89d3ced3e10354a128eeb34b7ab68 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Mon, 12 Sep 2022 21:38:45 +0000
Subject: [PATCH 18/36] adding the logic of getting external account id

---
 google/auth/pluggable.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index b6909563e..f482fb62f 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -132,6 +132,7 @@ def __init__(
         self._credential_source_executable_output_file = self._credential_source_executable.get(
             "output_file"
         )
+        self._tokeninfo_username = kwargs.get("tokeninfo_username", None)
 
         if not self._credential_source_executable_command:
             raise ValueError(
@@ -211,7 +212,7 @@ def retrieve_subject_token(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.service_account_email
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = 0
 
@@ -247,7 +248,7 @@ def retrieve_subject_token(self, request):
                     result.returncode, result.stdout
                 )
             )
-        
+
         response = json.loads(result.stdout.decode("utf-8")) if result.stdout else None
         if not response and self._credential_source_executable_output_file is not None:
             response = json.load(
@@ -288,7 +289,7 @@ def revoke(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.service_account_email
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1"
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
         if self._service_account_impersonation_url is not None:
@@ -317,6 +318,19 @@ def revoke(self, request):
 
         # TODO: clear cache when the in memory cache feature implemented.
 
+    @property
+    def external_account_id(self):
+        """Get the GOOGLE_EXTERNAL_ACCOUNT_ID which needs to be polulated to executable
+        When service account impersonation is used, it will be parsed from the impersonation url
+        in the form of:
+            byoid-test@cicpclientproj.iam.gserviceaccount.com
+
+        When no service account impersonation is used, it will be retrieved from the tokeninfo url
+        in the form of: (Currently phase we populate this variable from gcloud and carried here)
+            principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/john.smith@acme.com
+        """
+        return self.service_account_email or self._tokeninfo_username
+
     @classmethod
     def from_info(cls, info, **kwargs):
         """Creates a Pluggable Credentials instance from parsed external account info.

From 2515fc7f0fb95061e3c14d9d4b04950150ac9cb6 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Mon, 12 Sep 2022 23:05:32 +0000
Subject: [PATCH 19/36] update token

---
 google/auth/pluggable.py     |   4 ++--
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index f482fb62f..161f31858 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -325,8 +325,8 @@ def external_account_id(self):
         in the form of:
             byoid-test@cicpclientproj.iam.gserviceaccount.com
 
-        When no service account impersonation is used, it will be retrieved from the tokeninfo url
-        in the form of: (Currently phase we populate this variable from gcloud and carried here)
+        When no service account impersonation is used, it will be retrieved from the token info url
+        (Currently phase we populate this variable from gcloud and carried here) in the form of:
             principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/john.smith@acme.com
         """
         return self.service_account_email or self._tokeninfo_username
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 876b98d6fac3594ea71330bf6d26e5c8d5b1385a..6fe2da815472d710a3c6609ca6f673380b714552 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTHqcTlVS+o|cVnsm-6n7q><$xT7z!m?nUzC*M8Na<~$zPyjnQ
zDVz{Gr5BvRPBh6?0M^!L9CLhpsGqV>VbXK3ZjzLD*BtbUgXadz9CG(gQH)wf<#vk{
z3(tr2Xrka7tMbbVuSFxj@cRDZ%)c_+=70lfiFVqKa0o(I;G>Kx1dz=ALx=d({f=UI
znthh3!7-k1@7cB=!nBW9p_@db(ETC{3n7=bDjzqvU8~YyYZ$aSNdxsT{Snds9c5)K
ztS%&)=$NY8L$;WV80Ki;8Uvij_|~y0QYs7(%;P-hLN{EqYS(jWde~&P5fG8%e`H&4
z*`U2=>W@p)v+;q5g{CLm80RxW^U3gq#XJ4_s1kK?tLcm42gcyue$;F4WiF^p7;$q{
zjDxigqnDD2@lwfe!7UpD>1(I(ld?&6e`tIqt1=|wOfB%34kq5}8WW#$&KLo8vL2^$
z9^cUK&2SfuQ|ZIzsYH=*vAZAx%a$p1d%Sit@b>txm}`}Uk!i4S$j^(_0lAe=RcDNu
z3;$Fm$HQBVZG$oIjCgx1uoJax5&Cdog+;Gq3}@FK>Px$7!l&YIwQ|GcRztp#_Sm7R
zN6#^F;lb0%21lFN{C|e&g6Nj<Q+W32GWg=c_vMel)+7KPX8|D{$cWZN`3mxLD=dqF
zQ7JS66=|jcO7sVskn!-6yOSPMa+?UeP6nvO*C%jAOP1lc=tKD-wYW@21U=U2rc$xO
zZ!#PZpi&RjiT{a~Ma!14{SFD+(ec0g7ngWAMBG~Xgxx$+TGI*jU!wJmk8G}U;K1Y@
zu0uOjH`L40{`g}jvkp*(=N5}8q!p`fuk%zlCSpGjq{gguPJ`!gq}i*#bk&8IGIE04
z&x&i*CPuL7u=}O2=A$&3_J29;Edad&I6FDP1I1TB(LvuiFonPJAqCo*O|!?S-5NwA
zJLHVkegDcsJ{oCyJlI1(Bs(mv^aGC4(wx+6e$KYVxe6?%f0@R)91EDD^XANdr0;E_
z3ti`ld9Y^1669zPm(Y;g`R8w6(*z%+DXsTm9-GQmkN?sEIBf56{Bonv6UFcWgel>*
zw%&MCisMpAR;pTiZ(<Eo*k<5m8Q3^!9PU<eYLkNr(|kuyPx=Ob8E^&g+ztP6yBH?|
z4c}=x3zP_&#N!W__m1zj{m@7sVectjYkO!n^`!zZEGV6>oUCb3!H=`yxfmB%02M$#
zfr%?7iHdH6`?HAN{W@+&D(IBXbI+Dw8orq4#j(tT4i-Y#zH!mXDB$P|`aQ7bbhWQ$
zS2F&Ii5rCAspmExKfH54(;x3ca@<GV5Wh}f0Fz<?zm5+*vR`}F!<Di4^#q3BI3G2{
z*yvVd9Q7lxMld*8wpmwZ%cjkOw<Lb|d6p(LjTi<MLP@5zw<Z@C2j8wJ5{lEfVPcgw
zZvTut7wQ9k8>Vc3$VFq*KaW|rx|{h61#fht5+iN6#dm3-^m6z2!{B7WsWPcbVX@HJ
z9h7c+aI~0g1-g7d4VZ|_H-8$Y?!pltUB#tmt-Qj(<2$#d_SM&}U6A+?-J#|+`{9`n
zKi=I3XT{i2<a&J?cxU6I5QN^iF)8{0iKo<)_5A~!xXeGnc9GECL=YfTlEwCddqN;p
zfDyyOoRIMTDoamaL1VafV0IEBz^$oI<~s<hhW-cBcH@BfE;YjH2yb%9aeULS!V=RK
z_D>{q^?j2>j_67R8^EHalsMG&uLypth55sx2-MN4KsqNF>hh`B{5cC9y-oM0Y+>y%
zuMpIHA3Sw7cRIPGo<`Zchmbn8(TK)Dj$UA7sgIZWV;poMvG}InZXi7V=LNw^KH%2&
z>V6v410=^MiW`i#GUm0;Ia*=scO^4Uu=;8RlY9|>dwF1<1q7Ted_x-^>?zI#{aIVO
z-Q0KgypfilQQo45cx-jPXNT-Sp@ZmGulih==W2Z;Hxe!J$8<;uz9e*)Nx_|&`RZur
zfD!0ZoJWVZ@&^`;?{Gg9sqw^jSGbfN)ql=6WD&^@P~F>Yobh?l8jzJr&Q$cP0QX?s
zTL9b&=CmdlbM!)LnQ<tyM5`jcGsc9ZoEbdkCu@`Ag(i!K@V5@_wbr0N8Iz!RjiJ-{
zXfUW^BVsMBOikQSWvp->{2;thuZ3`p`Rjof+YIdMBgiIt@>vr+jl>{t?O-Q0?zN)`
zrX1~5`*gsIJz;hUlr?Kqme!z8CHZ4|lyXts7uu<6YNUs6YBzg?So>j{em?)?30Yf|
z3<lOduv>K8m6q<U#AU79wYjrS;uihR++fpQzYTwY(~LTVSMtCY&=_!mGSt<ox5Ol=
zj_y)-*umb~4`z?Jz?77u?Hw>JVwczi+WeUv$Bb(-V4n1)zy<eA=!RlO?wgS79i2k;
z!GjK;wP^N*24<KH6Jx!+Waz$VAqkD$Xo<RpuSmJ*pZZ=F8~L|kM^`UUdZfWzcl=9t
z(l@viyPL0$*Hh0#>_|=uI;9_sajHe*M>+z`gRmxxo5{{!$amo82CUv5D>DuZ$6|+Z
zLLoHqOFy<oux&nRAYAy$?r1uU{Ezk5XNL$dB9$p%1+OF+;@(|K!u73R`cngiER$3Q
z3t3QsM(tHM|9^oE*T2qd<(k?Pl%LnPaZ2vrTpoU#_oE7CW{J`_Q&CE>R4RGWt8P|%
zG!J$gxMPT3hp8~;PHdKQl0b@#fjMU&3Q~H*Y731OqemPjw=FeSTf0^?*)%1(5OQ1L
zRpxCM5bt?xd{5}E4F>&t`v}Yj?-4gJL@W@@PG(evhXMEe$E`QL4yTalP40_a_mJAr
z-AX&f(;JrDe(6wj)-l3LhfG<x!3?JY&V-~bPF3lkf^i)pwq+a|=SEkE3b(=jB+X<H
z_4lEI$3;8ni5DRdiy-H^bh(bf9fgi`y^e<+!@FThhK#1ba!J=B|7zT^*Xe9&edt^P
z`|&y|kk(>aS261)DG_ItStYRO%0QqDj~ciA#ZiDHHxmq*VLZ)*hded94(egp0XkOV
zeg!G8GDQ9pNx%uvRYoUGuh!g$XHDE$$eI_CRHxD^W>Qx)kKYBCf!eS+moXR~-$tew
zhvLim8)5=T{Ko!hB2||YV<Gl{4o5ZGt7FC>)nb$@U>|E0!9OZ<E(Eq#453<Nv9t-L
zyU)^)|M$p7|M;++PD*p+x_V|H<U^J`3Y}G6Pht&KmNJL*r%Pv57<(~GLOTY-TQh@r
zhNtR(BPZV6mYiYl%!F)V<|wT;KN3YuA7vZlL7Arjj}Ub_`;bL`KB}5{t|`{RDtrY%
zDZS{L*&I~~vw=r1)L-$!V|FvJwsqsU1No2TD7z8qi>Y40sD9`XpLR(na2gy*yf#HE
z>Ur&H55DJ~sU~1I<Zo4Qr$Tr9$|5Ap;olX)|2_kVU|952Z9J$f{vleQV=KrxS#JOm
zCNMoL+zXh>#qRj1a~+4WyqFTeIA=q0uw>92EeZjZg{}{7+VeR+yxhuhCH&KTal=c?
z!wtIRZ1Z`C%vIPu{B+!~)1!Xn5f7n^cl@I*{0w<CL^{V5W3D#pr6(6PuGPr{WV_Bk
zM@I(DCz(maT{zwaFfvQ?t=8%sBG@IeQ7fK8B&z5Hs3#B+L&8YMI)pa4+f|0{cG*<e
ztVDU7WUN3;i{iIg!L9JAQm|JLaJlH_O(f<rsX*=sysBztssN5(PM5>Zu&>KlhGEZ{
zj>Aidso5p8VDQL>HX7gr3Z}kw|2YOMd%1x01H*%7VVJEhOMh#^ZuD;ioX#k%{@g1$
z4UHJq-C}7F{SUSZ?y?Gylrd1=!v+s!E$(DOi(h*~EV~QhG4mqimna!VZone7G%oPn
zXS&h1&wjQwYj~iUsmOnISk|1J7+L|8=MH7&yRIdL<pEYnN5onGzUE$-;A_iV>AXJ0
z4%NR3@<ZsiE{2x#Xjp^PxvKHoQYOkZ8|+mwd`hVQNYV;nsA@>Uz{+hWeEO*zTE}%V
zbhHt&Fyx1trsllxHQwqV*-Z>KL=pcJqTOAsSbP_UBCCNd2pAL@J=%h`dp;Q{7whS@
z1;YZ>=3sSBuCbQ>lnkE~WhbHKCVZV4nyg8iy^1jm|C^umb(fW;ybRt?T?s>JU2;2=
zZt#A6rCFe~M6qX%Lq9M*dBQAe@>M7v_&|Osw?RY-G$Sd#vd1WZ{r&NP!ZSR+Epo~~
z9boVWFhw9R>7eQf6%Ho+jm}XZ(w}^ol4RmSbd3WX3E{}dgk9~v+^D&HAL54a^Utnn
z+iCtl)zUKdBKj4W0$D{qaYnjt)XikDQ(-I%ug7TjC={<9ckW&fYL9DjDdxzbfx0G)
zUr#ZsIt3-lo|+uZhXxsAm3J7!l14<<4v0>E<L7QV9(*nX{IKGuUxc8Bd9{uAN(xF|
z)+$vQ`~if`8Gl{Y(tMpq+TP|WgGEBN0RD*5Jx|_QT--TeAI={hjg*2pK6-r=aeE5c
znSw2u@l-pBDr@(3kYV2{a9dSsy<-*<qbo^$P+t2+k0;x*_YYZFt>u%L<eV^x_Z#eu
zZ)bYvj5GE6FKi%l3d<f~1vwh$pjU1c;Nh3!mN)~W{?ybPJyZ2LDL9<ERiwr^TM6m4
z)D9y4XcSYi-yc1BGqWKfRvo5dAh4%Z%6fS>gNh>0S+h5Ygon6j^%T$G{w*JsC$HX4
zk$OC<Lb3_(*n1EbC`}G9<*Ga^)Qi2DaLlg{TecIpp5#9tpxVi*h6L=*GA`E5BtzDV
zU=rB5x?|u?nBwAhDF@=}Zuwi-sHlf66qJt^F1%9K2w7Le%*Wr1nPfMbbiU%N{i6Xm
zuspoi!z$>ia0A&g<ja616;!|Bq^|x}j5;~TY}^GraAu#~VU*9;Ay50cul?{xMh1iY
z*wqi(ja{TpT*t27wNTWoGJ(+*01t-7BrsXr;+{@dGDA58woz3Q&PrNq2SVJCE(;3-
z6)}50&M)nV?8}t<=SuBfxqx7&R!@gb_)Sy6dxKuI?&}vf@KNU9yZiP5#<UU?-R+y^
z+b-SBK(`v=Kv}taz3h!gg?zdRG-yqv^X#e-x5Q$AkfbQboLI35L%VwiZ$~jH&WnWK
zCKSWTnaMQ}HV%uI1y6Aa`J4yT@B_gzly`_b63Y^Nl<Q=Wxe|R{#d>x2ju1@t`4+oP
zO-b35Ax#Epr2Veuy{;FILQ${|SzsKOU^UN`%5WWfXdA5t*^Q;)<Lp9m#R)eH%xwf9
zl_5xFfb+7qpIom5Bb#24pFd#RI2kE8f3)>vo*Dys)P5uKw-D9D$Oo{Aj+=j$D%Wgv
zzE|5Zvt^Xzia|Ugh)K}?>Wv=<_z@pMPFAK3b>)11<RLu^92C76pC#Hwxf0Xumx7U7
z3H-VoPEi&gdEh!2#+zL9uejvw&YOqVo0z{{?N}(f+_EIZ_xtq+`8GXtStmUFB++7P
zY^gdhTfrQ{Kf>%lw*FLW&6onIoM=JCQ?@?_bD2rd!x%JWRDi<!FF!lB0iPV>>OeF7
z`dL>L>m^8g4;6smatO?~W=vJkZHEw+XQ(vlm!lYgCBkM#z|@u4@wW}^dR7#lpC5Mp
z0f^la!nriWaIog~(_&FP<kYUH5WcCDEOR?>UONyF#2)y9(^Jaum}J_sJwd!pc07<8
z0v&fQvnKD)b2euMY>f~>K-Y$(Y{31EtHMM-EQuwg*EbocQ$LWN*eCY^-5uwGbF9LN
zCJiCxOT@`rr(~>oA(KKVgmP1PI0MW!yhT-{9ahbglN$}=oTl$(ds7W=a~`goM-_sT
zknK~cUMK1tSjtE$1`Rd~G&n8Ls@8i$@rjPDf}m;y1CD{pUA&cJ8<inzLT#qXD`kjF
zOYtjgr&bMiKbk8jYV&%3W5%VGSRL<?`@D(QC%lSf9s*!KIqu)+BJ^wCQufn2kU7|0
zgm@lRf5-S?3f*T9hp=Ui9tE~^jKU4$D-b(+BgE|(D4?-O@!=W8-8L81qhDvCL}(_H
zP5EG<VNnXt_j>iK1#TDd$Fw9mZ9DP+@X|Chgt7Ll{_lU`Ac&fa_G(jBg^^8H<^kEi
zvNT;6Z9cApj>h&ElR!SRJ7O0SJ}6amx^TtS&8$8?sl|69g2E^_;=Dyp1Dtqc14{Wl
z(&6e1gFuMvjmas37-&VkwV8W^S5kN2h|Sl1Qtpi~{#_zfOGPnjjD)!>qAc>}ewk{S
zllWydHraG3dm_8z2Ek`DX)`kwde17S>%Zgh5Q1Yz19U`{>j<EXJyPDnjIxUT_6Y`9
zg~@<vyH=XqyUCJAY-c$YpJx#M6($}jx5A7#u6#uG+|EF-T}uUg8!JDWTt;z+pz}Ns
zxk_Om3>|V||Byc_)u<rXzTTDsfuNV<JCrC=KAs1=PCay>SNckE9tT2Pjm3Fh2Wpw?
znX?A<gs<7mPI#F#LPDQ&)hy<Fs^WJC0t-tmugrQU-EctiYk+e6X+h)tSUW3W?DJ47
zM^5HJqsG-BE+R$S`El_$^Lz`e;J?W;FJDUAnh^|p>;QP5db`~P9L+70%hsmJ)x|jB
zR){bp@L`Q4K*{PrRPGkbLAs1U<{hKeApE}8yx*8*Nra!&e@>>JRGN{K6Gc`o(djuY
z2*}clHzY-X&5p`TD*Gpa*>gXK0bVm)#NCjH&VS*<sq{(rK!^QV*ucv%$u>XDTbvkf
zP1Zbu*=QbU^52jQHy-`B!Hf$ehZ9$>xu~z3iRWK_d!pNM)!P(B91-({fpsNav5~;6
z$k?g_{OA{yQ_StcH3X>6gp_^-NLN;cQ6EXaRSF-2q=4WA^hu3QMT46XBcX}r;7Y(H
zQ;EANDF1sr_=;N%lMxm0=U?s<n2r5VN`tU{I7<3dZp&qyQXLCAyG^|Rw>#Y|rw9rE
zAQfbDenTV;Fx5@RBZe6PY9il+`*=<x40=nE8L9)SVV8`u*`$ow@Xo8iF+TkyIsy42
z>$=7Ih~dBf8MBWx$w|h;`8`_4VR&s)i>{(*-#+V@f;0x{cath=-J4E7^bC=4QVvKI
z)G+*k|4Tku;9L=cYLc3?G$A$EH-MxA`k!qgoG7r{-1CM{T>AFncH(LvXe*X^Gwn*;
z)oni7(-95y-f?e`@<DJW*Sl8cJ)a52D*Nkl8&cL>^}0oWS%}nYkD@=cD*SFpL-*Nb
zM!dtSE6>`IVy)AE46;L4>!k1KC`<GEld3KsD8wP7dpxC}KOQHQ^q&>lob0dl|1{hr
zy2-9pOXqd-x|EsrPF_!wGWN03y5M$xoVs7xz<i$$-K0k_n}7mMQ)QpCtr)@C!P3ob
zpeblOwp(n0Qh|eVs(;h<u9RS}s}Vcd?9ic+FuY{F9e2WM=_l*829aYV`La??@Xz2x
zDXs+T=1xUg)Mtbu-Qhv^g2qUQMY?lOd1L$v4R~wpXmpBH(!ddnrb&0}FCURew2vh-
zq7ftH46H^Bt=GLHeKJ0agKe19O5FX|IPYS3BzAqd&T*Sffd<>tcv}WZT<xqcyNlu{
zM}@E{War2KUeX>6XHOD+{BM<4W*GC*W>2&H`pSi)W3Nf|@3eR9b9B8p^R`)-8T=VJ
zm=gT3lb7YPGl2K)Z^o4|KVnSqr+mqzbG0;aBZU73c6R#sw>zE-UgXfiNHt^hq<YoQ
z*fs6ZJ+2#^%zJjB26i5~3&#1iX{3>bc~XN9`&C|m_2Ut%ukUbFMtV_WWBh<q2tV$m
zf=Ou+93x`LHf3(WnHnc)Qk5Oz+ag}$EUl|Q_r6ZtlKHtZ(2pRqmKHhNI~&NEfi(z5
zGJdOauoOU?RyoPQI7$vy%uO6-m@#xj8Y7n~a}0zO-j)|15yUEd=sRApC^6%a$gKdG
zSY-!Z9(i!{k&2k2qUy@#YW&N;VR*;JJiHea%ihXXj-U6z-s$lsqAPLT+CmIrI}LHN
z3izpeVMFMTlC-9!*Yh{P2c8>T`F`yEk02#?r=pZKPtw9}LbomnMlP{M#6dP>7Nm0b
z0~qn9ZloTNCk4)D4*opZjvnYtjDfM93s@-1RDsZ4U8Oqp04o}&6^Us_VUG0t3s5Y{
zN{8Z#6W~GApgn!(!e-+(54aIE=VKxX^I9?QGKpfV;@yuiFGCJuhn#%EgWR`2(FUIl
zx0zyo%;z%@A{KH68`0N9V59>LLF$+zUomJwYNT*qX<|!2yh}jYbwrGMJMqBwjclz8
zrMm|h$N}Y{<ED(~DAxegqerovyhD|lYFTbMBEpfsU-d3H{)l#a#^E`Yt3M;U0Q>`R
z|4^`cSjl_RaZY@T1xNQI{@^Gx0shaxa5Za=*EZ(*1F*Z0t?P$1fRrko9*yy?*E&07
zLR$}e9-%T;F78~#WA^#m=d}jN6I+0?7zqB2Q_Ce4*v!&&{9~g#W7&Uf^Tn1?*JgsJ
z;>FkpVKUiT3ED%-Ad=2`N3lsWc7?6+F|Qlu_ZXh2GdwQvxQdh>S`&79^%k_WnrG#s
z``dxG*&OCUxmrueCRVY)vP_C3-+BfMylNVk>_Y9$Cj78|Wfdo~hgV3+P8Z$L3#Y|L
z>UiPTKdjZl(NB$S$Q4~g(kSXpCx;ma|I?#Svrj+FK)%jMmn!%mH!{fCO~$N9a41A&
z^ZY(AuW7d3Av~J=kG=ku74hQCIT;FXYr13s7~I_4Lr|k6vMXIX+c?aoU{6OQ9|Y2y
z*Rp9dgTHfkDMprmOcE(KM;ie=0%rq%oW^zX0@&-T3Pu&h5DWq8iAse;Q_m)L2(dls
zQHW2Lk&g81Gf?*QkQZ?5Y`=dR<M-7fB;y%it~x%m<yHQ(t^P4J0(O|$$n2NYvd#^q
zrG0;Gi*vw?^Xe1sHYgr=xrdMhRQq`B@3@&f<YRSlmKl4%n%<+yd<%TLha(!~M&l7b
zDw+pKb@9i|ESS_kK|jw;D3NUF6(d^F$jc&}B}=Tj>GdbJSq<sg3+Md~d3M7%6yWF(
zB^g#R*Fx@a`~RZlpn7157k8iQHy8f2>moXDz5^oz43J5KI8o6n@tXx=4GG<H2mD?#
zgl=uJKs8q0{mMTIi4RHwsjyu>OgZ4UT7uWWL*YpDRO7G|3>0?y&PtF5XuXd0)Sq3^
zJ>^-JnB~R#uSq86xOy`$H&O+iABa-HRBJY_D0>q2at9oHAZM^9%~QCkn(?WdKY$Vj
z?pzp4cf?3=x9>hT&*gYlE>@5^)i&R}3nBL}YPX_S)bJ=C;`XNlv74aB{#<MIs{e1H
z|Lq(jGK$SDEboaeDyw?p#{|_bLpj^I{4&phXVs?<h)W^voO^&8aQk&bgnddN1cev&
zQCi{&8EB=b)}u09_pVXOWI!+W&9p8}CjG@qM`QY48HafCMN^wmtAFGb7T=AtS{G#p
zTvq`@O)qYvIeN`jQ65?8nd;&}p_BA*%MFcAhJv{oui?6PI)Y+8o3#f`WVWs8>K~dk
zyIo9%@AXuX$3bNGqYdlO`vp&G(8y25JKpuOZEF|(B7u6Uc=jEw&s-XGAP~6DMwUgM
ze<WUvY&-4U6w%|ihW<+O;5#p*JPK4s8vV`Wz%_!ecL5SLWqS>fF)0$WxMAq}G0SRX
zjIhAv*eC8RE@plQu;Uv5W8g{sA#37zok~7}7;|RD4AccS(Jo2_w=QWdc8x2soXg|)
z+tC_T<mY6T>{l>tO8OWh<uUu&$aCn=i550UwZ4XHX$OzepUwh1J5&}J1i*_LLBB$Z
zCN^M75!V!V8HVdMEaln76ACN~=|EyF`FHtRqKMka{hlH3g=dM(5YZ8+?CpSRB!U^E
zO2Os-s3M!TKQ2mGyxu$%XdIx%UulDkno>hrG!BS5m<9acr;qmky2nkY8}{k&GmC&j
zVQhS%ix7ibx-uzO#-pX=rn8b}OgL@82JkvWL2W=*KKO;Zx6IqfqH~?2oWEEWB(!#f
zoV7Zym=ce^waiMp71r6{qBIPM66lyx1n$K)Zo(TJ%~L<`-sB`((~zziYj;Fv@J6i`
zY?c_=u2(Jn%5~@V<9Sair@`d7E6zO|zvS(l58z-H4N3F}k9MlL$pk=SpNVESkT+if
zgYOz#>PG1;PB=AmjFnx!!!&}eRwa}L5n4CkBlhcnBK<9I#krNchg?|~&(-PBQc#(A
zAlV!Vm#LZj+_=E0W213B{r*pFYjTiz{wrC`nxZ6Pqg|N4*~AhX!L>=F{C$FM-Ok#D
z!2Lbw^i36-NGMG6>Vx>>31gicwyQ*HkNJ*SuC|PlKFlC5LmouGe6WC@O=`c0FOlDY
zG0rQiV@EdA&a$nU@X+)k-P=}Hjv!CBJjwITM}S-C^RLSrIqej28Ux=w=r(S|blE?l
zZ455X!bz^^%rSU!Yg8bSB<^BhENl25!g?8EgM2{%mR`mk$5zG33v~iVW=CG+rz>8p
zlvT+K)Y4Vm9Ky>DS{%h$cyY?;XRja!NL`03OPhIwnW)ySMA8@ircBSo9_Z2`gbl~+
zq`TV#tM(}P{mpj|Dx<95q&as94wcOd71kU|7t+G6u$x+zC?9xU6(`=vDSO`e5uX_D
zaf=UPSA$ge$%K87fKFE#EeKf+Ajgs6;Ch`#-1|0?KQmY@HUC+cR;BkpG0s5^=H4_L
zNA#rJ7&F&5*0N!E?NX#7e0#T=nDjZBu(KsPI&}`^=jfsM8wF_|4IlK(_YHQ@ZZyAD
z4eE?MHh0^BAmXvr=8K@ONF0oCkn_bc*4`J8q^3qG(-Kq2UcCqR4PvJQOM$kjK8$kA
zPfpgUe?q~Ld-An02T6ZOj~IKT>|eoe=7>pUlKPLkgPuquXWy-8Wi<Xl6pt+?;PpQN
z>d~IJOe7!}sF#MBIB=+aG_~RKXerns-0G&!={wPAm$}sRZH(_%I5+a>sboen%rQZ>
z2>Kn^+%OS+oDN;@;KF$8{_P6d7y?}tgu-PtL12Sov?IfiK7aM0wzX*uym{w!(nqdH
z=;7eTCD`d1bRgZFAT}j!V3^yy^MGFb=>tCD95lwWr9)TT+w(rrM1_w*EIyp<X8c+?
zE$mIjF|hIK+5&h<P?>xT;I0@a^Q#4jTu0@|<F_iGu7pxtx6jpZwCwc;0WF1Zlj>Tm
zDHyi`KI472vc^K=?uh1a-|InnkA?{uZDm5YUDZ0E40Et<g77t~KCF|O*PX)hI~o_d
z<%fgcssCbNNv%Oo9k7JN^hApu616jCQFDviRC44n2A2=$<8Hw@s}TfYT;_AUaW!mH
z4B0IWUkHzGIZ)Gvpt1-X`)(yRfSAzj2L?cd_@zsA%m3bO&ryMBqci{eL^E6#vnVmd
zU>`YpgPuXdl!l#|r{6<*M7+Bt;UL4Zpg|Ltq)~TGdQEfiB3X!6a@#d?WOVH_f7m>$
z+sgtk@$;e4X+p#MMaj({VO>dYjBa(4z4ge*ZYv_LvMFFxN1<Jy^md7%Zw*H<`cEy-
zg@<$WD`j9yorKK&^aDDUC2)D!zmPrGtDLQLl5V(4qg2z=x=is9k|Q~F)FQPMS;=RG
zeyTk_VpYeo9g+$JI0Gr?nOQ;()N-EMI?YzTGE}2j;q;DqvvKYdUsr&1We_LS=KJN3
zjV0ZaaMzeo3g7JZ_L5c`7|KM+qFIWMs09e-Pr^+fX}Jn}6T+chg&ykJu~S*y%2jeN
zLio`mk-hMp+Y0rKkrjldU?;@MQBG*4U?U<D+EZ!dVH7Mwj|6Q+O@yIYeTdfC{0Kw6
z^M@mZ@w>(_ru@+5j5UbMURXz*NY0UnhLe{?Y*kNQzh`L$Vhm8}Q>hrJyO5V^DPbMs
zqRQR5@2(JH;+NmkQ)NT~h3?<U0peD1<JjHYFtmF?e)i;vv$fHvo4KWms25Hm?j45D
z%+S2~Ef%S6G;klOk(ONyg2kd;CB1tTrWez0W9~D4FJ=sq;JV1y_`Q4I{>aw{QF2!f
z2=bN{$%oxf-uSR=-XK*`n8246dZ5{5TUk$X`)D@kO0db~-cxv06}R+|pO_inZEjUq
zYAkKrL5RS;*6|qU^pQD&`~Sh{*-%snAU~M#)!7Y8&o*k0`J)4W*JSeX^*Gotow0eb
zb_ZDHpN{&A>c*wKzdh9d{Beqn>r5eBM5XifT8aUbikz)=!uX^b^w?;_+cfu%3bkhM
zY=)Ge8{NfF6KmjPN478mt6<2VipM~_A04CkTeDl{!Yx_<N6mbSYSbnBXj;U=iU9cN
zPf&P3cDVYWy;fTgB;d5yw__f~hy?TgllBPrftIv;d%Eo)EtT-wY)PKX+Ia@+q{)IX
zgSh{;0Bc!S=t_oUy^+3Qtz6W5-<>1bE>_1l65lC#l}0Qrll>-8%n`6K_L^)ff~)n~
zrq&q0JpaE!j-lIGBv{fTkM?ehK`PuG@uDF(HG*2pO6`6rPUu;a&PZJu|3B`x)L#G4
z_t3t&%O2HZ)S@GGg{`MH9|Nuy#=NyHW?I#by%zHC`pt?H3tP_i)0kL!xc$|_fIgx0
z-1`lJ9LDr^evvTd0y)F~Y&4#YP-`FyoO#l<^3xy_TjHzRCdDlIt-7?8j*y)~MCrJm
zxVMj@GtlT%UpE;6ak!HNc>MmiKBmq02d~wO!@Bsiq&b5_%OH;8D>vTeK4I@ua4~8J
z0;xR%`#p^Zp(>&mplO5$UR`N}$<IKq+XD>ze+k4AMIOm_W5aYi97BJEHbw=;y>o^J
znjGU5X>6F3VgBY`m5XzycJhR(b0fz_sDAC%NFu-+<sG5!&{I-c^XDyAC+Kq7l&R=g
z7Z@dicr|pI#;ERYS3X{n9#F4tFoZqE??q1FKVt&Tf|*iM>IFA4U+zlLFs{!kRH%aC
z#UxQ0!%fG~7O5FC31iv|jrToeXQ=6SUko5uB<lcs`;o&^<0(F*d3`rclpAGQWSA(V
zgY&O%Q@$SZAb{>u>(hyqRL$Lw#J=E9!s?d^<y6_*Mm0?|fCEm}APj2f@WKWC4#L+%
z77gXEHJSU~<9O>_bLd%`SY9YCnTS0-Wa7Vk4WzT%xYSwFn=}&xToQiWnJarsH(%v~
z{(>PDj9f4kSAU;GQpnSL9G02)x85SI<dFs6(*c^wy$)Tge~VQa^iK74;O#isHhSBw
z_Nv<-Q&f5j60`%qt*lE8<8P5wEl+!V3|08*!E57WunoruUL4NcaP&Thk<}tvQup9c
zAirD+02_z-pmfzU?Nv|pYT%(8lQtmdX{|31&Mj2`v1*~ixOJ%ts7@*hoaEF$8;{qF
zE;flpxrbwCyGL7oiUq-^JHooDzSA;<)gHkJbuX;1@UuV9K0F6P6UOwt)vb!xvlLgy
z&fH;2tXvy(!*TjUdZGB|Y0-VeljU)JP&C9v+|SNM052hxiE&^f-rU~H8NxFvMV@Tb
zZc9%$S9H2|9}g$HlLUsMwvbYM$ogA{YBgwu7-kbU?0_Nns^>1gWizjC1kpNiFl}~h
zDWTaQ#L>P;l65+BB#LT%K<Z`oVRh|0l;}5Y0r{w@S5{@d@MVZZ=<xT65I$rmC&q2J
zpy5j&JTTj0c?@zD^5Q;axCd?;XLS+T%Y;)RgN2QVwPZJJG?Bkx5j;<&eh<cnV6N*#
zy}$#Y>oIN~=TiTckv1ud@B_OAxwJ_P*V_8Mpu6s4MaPVhJW|{o!^#X~k()l9;IUe)
mM}>7e4xvurFeS*mUv<2<pVSR>+t5h%2b-+KHf7%m!yR4p)iX5!

literal 10324
zcmV-aD67{BB>?tKRTE-x8MwOZU{H@!{Gq=IlnU;s+e|!-11rMCc+(Ug(4!KnPyjnQ
zDV*tvP2A5V3<}Ms^cc8zx`D~dU?6v(Lxt-mSL?ALX&20*?ZfJc%~CW4$m8?B3|M_E
z4WpU0Fp2tv;n!X3KppeKzA@T9AMAp74`Oba%nz2)O>?O5i1H!CYQbzTcr#l{%0KBX
zc(Dmt;`KYaXLnzAS5s0B2mq-X)L;z-gAQgRQ<hAk)HZR>C1kcNLUI~tS;N~T*5D0A
zxxV1Xn)K<(j4`jbka=aH3Deo;t0#!hj(9p3n+;o!mo&4OYZILxbv^j6^3Xy8Z0`E7
zDgb;d5@bsDwDGIOuCehe;5NX4;0|Wh9uAd?{i~Uc)Q6ic`Sdq{U<&1<HGQhjEnwyH
z%c#{!(1C0R1f|fu2U0iE_u$A`xboY;0PyholW@wkRjC<m;p68FuK2VJx^%5tY#PQ4
zl{Pad#vN?TBwBv}Ql=~xst;+%CL*w-g$@A7W*=lF&T@(@aTfB$&ol|s(L8)Oow49J
zhg5W2(!R1x+GX)hVFEX4)5VKtzxnEDY7gX@7ki8PzwY*Gia{|JR#wsRFO!RJkf%vF
z<}A*wElT<7FNeLj|H&m$<p{9%D`-9saTE7qi#0Ofg_?d@KIHa5H$Y~%(fr=G4<6WC
znW<fU!UJmif>jwdO4ki)2g?*v{x=<|Su%n-doY^e_FGuw!^d>m`D&jjScL6n@*301
zns*$kqn*%R;-zQ8aaR3H`LF6EIQ1Xc7|#7n%sdddpnDsu^>oqB9vurn1a9Pizdlp7
zPm57=`-24`pWKks&6a+{hd$cfDz(4mk8@a0>QeN>xNgM&fdi(c0Qb?JMeNp!<XsM`
z#)c(%L^MVT-$raY+BB}>06kX*4DSgK{T(vTSR~=+y=Zh`$Hm3uk9-S2zES~<MkM#<
zDmn840-P1O`PjEsSD$JK7XrhilSL<HFS<Cl*JJn&x#o+o_NQ+D1s`=ElBjzoPEqLr
zJg35Btm98Qk|?%fU>o$S&rNIEsqZ2+9{s@$J+Z3lPBn_cTT@AIyNUw7vBwVc1#z4*
z)&<E+efGLMg-2XSj~>Ra4pe+vvPQGfLnfR{la#CA{@YG;$9#`ut$h+mi&qt1SO3#l
zq}f(a4o4TU!DcqGsc??M>Mz+_<DG|Hd2ai)-E9Uy9So{e=w9xF0+e|P!uot#^^VZr
z*YKKQlc%Bq1SZgov+O?RZ^~jttHu|K5>C38++Q)?lqd*oDObsUZG7+v5b!YzWmp*u
zXbAJezt7#2>(*jsWWy0aST=s?z@a7wm*5h-f44X;TeM~L4l248U&X-V(cV7wm8uIZ
zMJ#XhSS~DpaG4j&a;f|z$bbT`ft2Bynq?tlu<sD&!uF1EY~5cOSQUT#+%VbwJZB>Z
z2*d=Or7k`p?#jG0s3{6cG&M}Slih^vOWAWA%a8wpSI<svmUZX(b4b!VVY~<~OBmg6
z5}Ax~7ZuvJ3Mr}pRA1u}M@Vv4FNU_%tTqyYG;Sg}xzrVO$+bSQ&A{|wU7ez&5Rj6R
zlM~x|f4@a(4^+N+1&S|nT0~hm>|ng?(>ruStUfVC^ImEZ3J3Y2#8s4W^i;W#_500-
z_=ZaygjJ|LXIh4-Zl~E#qsu)!zd{nlTz+6*$fDld*lM%V5=jA02IVfwC+zDoI(3ce
ztyf8=-&cOp?ijL)gM=P<!a(~hmwy1BN%o;^U$tJ$X2%;oRkpmVIeD-Pk-P?Za_<I`
z_IC57kYroE#QWBg3z<^I=VNJ7_#|6bYe2C|qDway31QL{ySfD0*ACpReC4oLnZUO@
zetxTN1@wvgRpF0fRC{Jz;LhdS-yR(aTAQ}hFtx{;2Svq1`KM@dl+{N~Z&PN|#HLT6
zd*_4>^^jQSj?fMJa~IRWt+Qw`4j#13XPt2Fc>@N=vK<);dtIQt$rTN>*xO_<sCu6C
zYV+}B*(Q3{ob?GYVJosZi;`bNyne6_?s<XAgfVY7(cNaqBhRwKSZ8(7%E=(4!|)I+
z`6x8b5)Qj?R!{4d5xoU7oE_W4)JX$zj?6{R<ZLZRM<bo~TpdA>hTUP4W1ol0dj;0G
zB>e>OtgAocN~Qz6&-0#hO|lGs<Y@xYwWAEpI!cDso{YECGNo-;-^(ZzBMYLaM7+~#
z!;EGxkoW;7HQRq>AqYmqA@(xV2vSw!|NDJ29=u~>9j*zmDB*WB+St{YrE-gHL@SH8
zcCc*@&pRd1?fDssQU7mH(aRjknt_J?*Mh{1c(n0*;6_PVnRT`Y<Z#f|)}DOaBfx`D
zm7eih^AHgF(MVL?){?VWm4O97+DKjTu<*B=&}9F^GQnF*M-hF~E+(OE{BJh-Y;c6O
zf45D%v&0i&2{ErpWN!%@rFj6NIAxooS3(UfMG?;~D^~46i%YGJyX18{ce9)-<WIO|
zqcN7zPq5RvteF`Had`&eCT>-2+0%JB@X9iNn5dcx4!Zj9RJjv||DTV=XEv=EYbN5z
z7m*JtP;ZPrQaf4tfN6TT$e$lOS4GEcb5Vt3^2Q?Hx@E+<+<ACnLo_(ol>_Q5=3hb?
z%~thgAsOv={d(ImMk)TT<;$D)tmNm%IDA8sP4%S><RPWHb_~4|O-obC#gllX4H=qe
z*FtH&%F0P%P~amYQ^NN5#5}~`Y5q?gu0mcyZPeT1IBr3dUcM{js`~sVG@Gx02Ru{T
zuu2F1^;2$*2WeM-_`qH;m-h=Kq%G>Befn1_)YYPF-Q)Nno$}V}>um;hQGZB&{4JHm
z$Cka1=smn9rF@*6Ct^B`l3D~P-^J6jUldHPZ#+L0_Jj_hkuwePdNdII?Sw*w*Jr8P
zLF2aV*79&n<?%3Jda~|=4=C{eBJ}n~R*ubhwPso3yL0<~-6G2_#gq{YyxLfiV(Li!
zeBS{Gk2&aBrC<&|{c{E8WiNfjI>&Q({j(CbWH}X{mt!(h+hL-#pc=V$Ufwwm6zVLs
z&(COjhS7@#GmKqhOI_LHy?v3JfC~Ba<w>p|+@56tNMba!kV7Iip@BNrkIh75RVmjB
z1CM@@c%$cCb=7X#KXv>$<W8x1$A*E2Jvo;MHuhh%UAez4*@I<BL4CnO>mxGCxx1b-
zv1<AhH9ham79<*==t_e~UEq7<qqg4~MxA(OWm}Y_Swmo%G)Hjiy8lxlN04?kbR+Y3
z8L$;WFhJEyxV*;)Z**=oE<;|Vw<t|G;d$BImQ1%Dk)9IK7UPNOpeJla!XM_YZ|k}t
zTx$J#FS6~PwY)$ftAjlk^kn5`yFL2&iUq*58Zx8y7u<Qu(Xri_BW*(epvd;>xfuDb
z9@jiLTVre|w@)eQ)*g)P2OZKx1;JU+4{v2AxzaH@a)^dunBzFOKl}XS1w6kXHIzbU
zHr;FPcKlBXmt1h@6OsLpGoxYnA$Hp$C-SmmdrCYFqS)+V#`Nb4@-~95a2HjX^GXxY
zW1&^Xc0^ku)1!8(*E^duXD6o=p1<Qxa8$}z^jj=uZowX4Jh6_xZ#n>O6WQN}?q-gi
z3rBqPHaqtTP%QQW0beC7Y8jrG%ljavUxYGYTVZt3!&5ZIE3!oWA6O!5QccXL8vjK(
z{Y2nuOVYh!_fap*@NarudrgN~Yl8OGX#N)Z0EsQ-Pn>Z29eY}~1X0gSz#IUSN|09;
zQg(1yI#bmZr#iq&D}H|FSYS><*y*9=d&-BX!F=;XkeIqh<hMX$aBFn0p#L=m!Z5>!
z5G9DVq{|eSbwBw!ovqtIN_qL3&`O*u=ElW6UNMUpyJk{P2$wPT6xL;E3%vQ2|J2Tp
z)4~YuEQ*Vut_GU$m2}F{WlAn`R<fFd>A;Iy3aDQP@B`UNP%@S&!Qb0>qTFskH|BVd
z;g}niRqU}I)5}Bxn}U1a#l)PcYC3slhEQLXV4%9Wh?jlg^xwNEY^J$Hw!xHEU%|6v
zKiQsds(^(H6=-tgxqtW*Q!g?KA6IKLCU?3Og5CjynsB!uz?Z32h(Sn=y8CvlYb%o)
zm)K4EB2_OFG5?^1%@k9N#gpW;(mGfMF-WVt!lb`CJrMNcvo4XfDmg+LYS~?k%M2U}
zz$TmHWtu2!wUK+8$rM+824`m2rfr37r8bBal?XlvI9>hET{q^k|B78`*8#nM+e#Bp
zqOP|rn*tX~pm2(}FB?MVx159vAJlUw8pL4M+X%O`3K%h+@Ed!E;49u9g5i!EbuhXV
zs^YqFh`Wv?>+=(8SMGpQ$`je@xUiy?n3Orf$SllGuw$$_#YQwx+|10=1(-ewSa?;T
zXuT!shV*E`^*!vP3T>uM&@hZ<12n=SAZfJl9UA*_G+45iPpX1XkP|j-a{uZkb*?Eq
zBSE}6){Ml1s(;$#3?rB5MoLP1LQYMwP&Hw~2R!Y5o})rpz8F{5F$TyeG`yqcKy@kJ
z?7&7ns+Y<2Ga7^$$+oT4WE@0SX*M{YKnAwZuYrRl9>?}rbHu$9bGg3?j~l-R$M{#I
zde&S1c%VyFM_d0=I={Q!;wFtQ;o8&;qf(U6k&R|eoDCei|BT!?kHYN?fsY5-?Rytm
zqab78XPPpawzX#s9FWhnhevF)1kJ+vByc{vQs{e0&t3x`i#l9~v<)A{r;+syOMEc2
z%qdP-!$C_rD#7P~znj5|OeX$l0?aT!OWyQ6TjPguu9}}$Kb8gQ^Fa@+D1x_0%O!H=
z0gOF3CSLsa@6)JuR-zosN*IS;+0j=L`1i5Pih^gb$emoU*0Zy>rP;~<`i;ecqsoBa
zI`d<UR0h&Wq2uq-HhOMr<Jbe#<p*9wQvaHhCVp^snjL9T`~P@@kXPjxUlDz|7N!7%
zXA3#RLw8MjZkZTf?HCJinCON#OVzZEO*N=Uj^a@I7$g{&0xDyZb3h1(p&43xHaqdq
z9@Qevva<7kyg&n{)cE-M%ynt71mQ8aU;tWG`%BN=fqcOtt><Z4W*%wwdR&MKDx<_%
z2s?eP=~>J*JS`U0>IWv|*&*be!Kdv2ZF3TxpxGFUXl0Q`HTVT0cJ<aXzyWrnSe$d9
zTX5UXImfioxG4K&^?sXKmqSZte#>e!_lMuje2oF#%GWR3BxZg!2PKoR;4nCO2%DjE
z7vA~F6IN;$-ptgcYK#I!!Z!dc_JMqY7TnT~;O%+$EJLZ{GCl+s93cqtF#3<g_Y4qJ
zebM6LW}bkav$NUd7t%L#7y|^?&{-A82{*|w5h`A;g~FlYx$QcBe2NHKsmbr?pIXs%
zU1K>>g3<Ixwu(dM)2bW-hfd8ml<2Jke^~pO=w3A2TDPrWne5gGCNje?_)=?2UOtA%
zJMRMPFO8&S?^0$b0{3p8J3!ywCYZAb_|JzTM@*2oX7<)f1<vLVpK=NXhNJh)cdXKb
z3s$`G(=J4-!;;b@J*T!|MAACFPj^a{tO-}DOagV~I{V4uT=`t(!MYk@GRO553n1&9
zMuHiF{LPFjs*|$HiqXS*GWS6*d2C2lvXzhr4@%U-)yoP^zgv+pC^mQhq#!MKz=Ojv
zBk30X!y17odxA9n%V<l9mvFL+<Hb>l)6VB_gS%I!h-~Fi9c^UiVKsNPp|5^{bNon)
zblc15kTHLSjpXpX#JNYfp{_3s@IST8o0a&)$anyqXy#3<S~;2>0auXmc<?n3_oR3+
z=vok7dt_aJ_u|QVni)@5CkDp&+qQbv$shv~_GAo8;h+gD*J34R8A?{K0RoKI$-$+@
zB+5x-=Ck-D0&r*r=C;9a*)4tHC;W|-U4RJJ$>|W*0|3y$z(R`4)Q;!b!|knTYP~O9
zScdP_9DjI+3f>dxLb9U0G*Y3%Kj=8Y&S*QZ`N(K$n4QLC(1`}#t@5y3r7^j98)MkJ
z9qTRJ4U0vlqeE8Mf(($aw<qeor1{of1aEjfG=lJcEZ4L{nHfMezd$%l?Tw}=Hfl|D
zD1MI<<tp_Z>dh^zx05Jf%sfPMIT%5Xr(0XuL<B3|M+0Hd>?kJOawQHT-iMdHAff4M
z`gic!9f>mWIQ*zdwwoGSg1nB1W|xqtAIhhy8r9zrpT{{mAnS8AYQ=#Ys9$$iR9L}n
zF+p2-XR}ryAQfv9j0^fyP_H{%_$3vsyqC|Ikz$zga)xn=UyaZFA3C{q!6K^Wrr5nA
zvUg*D=0F8H1vC1PR|%Srpb%l|xWj?O$MkedT9KdD;*`|)5(+8Pxst$AR&Z3P(6ak|
z@4Po56qc>Ki&b_Uc7;*3iQvf(cn2O`tpZ&tui%lLm%05^xVy8O@eNi2DMOg~N5$Bp
z?1qK5jw(qqwnlJ(PqG0?z&l1nR|y!$SPKTRCAD6I_9C>X23LW~5O!Yr>Q9(<?`Vdz
z`}4pIe%0EZhD$9s6&<K%b_<z8@6CH4+0vOv#5{|G)_Bu?odpqU7o9-u@s8)l8mV%~
z(!FB>O#4X?6-8Ps#_rJNxPpSy+;EJA6mAJ!F-HunUPduE99McI<sH&>@4Q5LI@4UD
zHHr0J1dLvo{D`&c-hJ@H-|uucr}d;WZp*xDz<*b)pos|+cUf_gSHyQ8Hp?t1;VxKK
zOnQ49BP(eGNMU~?JQ=c$xM4W#Z(MD7e!`2awqJOGQzi7R|2FVX6pI@%N6qazM-f*7
zl~ZN~)nnt$^|ChZ(w8;>uIQhJJTH2PpXmn{OjDFd?^{6^mzbFD*)z!0V$`wKcl{9L
zYwaWB%jXFFT=&=u@<T)S2kX@7R*gkZYuJJrjUX`@RyxUqb$MF*p$2e!_xQ7Np&XS|
zCWI_qmdE?}8A7@4t4`O#aq2nI+Yl-OqIw|*wrpl>DPaX=@+NTxS9TI8yefNY7qYt=
zs0ZP~!yyLqSiA;Fii}lSpnD>picaY72yU<1?0cShng~*$5>?1@%cqTX{BLU5>tmc9
zAadPxLPJ=oym`Quu+R%A4wqu0;>C4H?=n#$l~o^H5m?`7$aE5^%j|<JxsM@g%&s=!
z=jmZHdhbxEA>K28ol*f=5=`ytBp3|-1De+25OF1LkmVQTA|;ZX`=?8yQ8z&6MZ}oG
zFEw%JC#0=Bb7!c-seM9BZ>XUN6+UWlij6+7bLL~<K~_HrX%sKMgEm2m2z(_izO!&t
zksMK$&UAPy<T`SUl<71&3^eBEYzI+V{8JYf8<~3g%ahE^u!UM~Y(!;GWlx)jj%wV$
z0`DDDb2pu8S|CR>yiImS!RzJVtBp~c_2yB7Qvt{0JQ~(s=a&hHB>=7t?eAZ^wDYui
zr#3s#;La@|2B?XvXQj_+4nmqr*Xl&70izYxv4lS2a@$6+>l%36|JOSnt>px`&FXA2
zcPURxIh_i7K6t<U)KrvEP4dwtKbHg<t20a1`JydJB$w4#!eREd7xE_a^c!%Q)gM1G
zbmKS^Ayp&To*4|Z*F0Mlq>&A4l)nkwzH@kHJk=O@hU23hPrW?(+3#cuZTFVG<zK;$
zG|6G?!=;V?dR5Bw!%pz>wLE@9;OP-J7ZP@`P!BM&Zjhz9PifW<<7tho+HO7h&OEk;
z*Wjkbu9)`v1*qfbvVP+?3RU2^?WA@9!q8Sztx5?79hHoy^oLogo4vvykbH$iVEDwt
z&xt1g??-mGoX%2vfBz~}0Ws8G^i9GEpx*mjT%kdgu4Zj)?PT@9*P6N$@$zBEa6t6v
zHMixWjLH+vBwyEy-x0wQf5E#pwzXDQ3CSQa;YkKL|MTgn2ib&dFwF{rls5+Ug`iPb
zRErmeLBS5;cA>q%z(CPT-V=SYb?xS}JmnF<{8@A=qLP5v3|&E7Ln4B6+ibie|Lr1Z
z2xt$bZxPgQK$sdE-2nFL7<LPkHhyg*l%t#_k`}vQDmh83RCMjtJJ=<Pto>UpEPFbU
z6by@UJ1<I>V{)SBwQ}-+Bg(Tc_V@q_J;WZ#vSzD}NUohymDL=tC}g^OPBqNSPq1)z
z4f)5Aa{~?U<S<yH@^4^@a_#ikec6U&7G_7q;G(OUbK2MG%9nLaOEg38o%)QI^Ed#n
ziZWcZF*=pZ+G_Wg%oUc-c^&XNaG)aQ1bLV53qtNvcDF|W^xr>DVDe%zKteO+)}04y
zEY})Wu@WlHRy_{Cn=zCffI_mHz}f$)S8msaqMQ?9_717*)H~2QtJSYllWYLE>o)iA
zHp~-Pw+#V|QDQ{xoAJFURWLY(RnX9OB2QqtXQwZG7>N2HU3GZ1^9_DG8ZJ!WE!T8B
zIaD-UQXGY2$nlShT?CvMM=*-r^jZ#@?+;D|me&d3=pzC3g)+{IZtt-E_p+6{i$>!~
ze^Mv1(uiO@KzTttXBor2U<KX#ATD-S6WI||tasUdJa*+DBag7a@JYeB-|FG|L#<7H
zT9|1ghu}YqJRf?~J4o90ivYPtNxhTv>SPeG-V{r<zH~UT)t8mq&27OpX^CvD#5$3M
zP2tD3(PW@~ag<BKg|(?*vS;p}<^xc~f7kixVZ!}zuAA?GWk6+K&@=qjKt*Ozw%-?C
zEpS3Eu0l-`+mmR#WB^89+XtE33EtTvmPpx{5FX=|bcv&$oT1%GaJ%MMS-?>A`4P<R
zW{)J;iFyA38iGD0?-uYH&EHRiuZmvrZ&2d%$U3*hkY6`7kzDi}!U?Px37G82H~Jbx
ziwYLA9Bz_$sPKX@+q%I90l~Y_%T{%vbn!Tkx)Sp)Zoho&Q+H-GhW4t=Ue$GZCHmJ5
zW%1|_k`TkHjh?tQ+b6!I=Ygs7t~*wq3lJd%Zb<nkE>iG?jKf<~xdlRhgPc1p*x!9H
z9(!nlkXXyB-!d+sp+iFDF9vbFu4OhVm|_7xAI9c>Y}~qxoT^$$wA^lr=tH@y$HlVh
z4btFz-%9uhGEEWIf4-$`AQ+AkiJF&Eeo-5W)4q)_9A$em)~v)&@u10Qi5p6o%3m$y
z=B=o%^=0-TD5k_UpEAaWO!!zPPgaP!o#ssPDQE~Lp7x$Da&kdYOLX*-eQ5b0xg#qa
z^Emc-6-@yrDz`}W&B2w%MT+Pdi~Gq1Vm)Tu)IfW({2qj0yS8qKkku}3WB1E^#WPxA
zd_+!dq0g=Q0dSj?JAE65d^BB99eh(ZrZ=jz*lj})lH|ZJNSx`QllK)d=h3^=E)Sa`
z7xAK9-3W^W-j{15lUMSqXf)+XBBuwOj4S6lm%s}M1Y-<}6M^IY?6ljSXUA1EgTpjG
zbO$Uzk|ES?`Sd=aG7E;hOH6<IEAWxJ<bSu!M~w|DT&pj}vX#{xuRcfa_WYT8tP__V
z?GCxB80kOq31zUB=|(!`__`fk5UEQaquj_Bh0d0tx;MC0wzmCl$)W;_$D`tZIOzt=
zQyQKzIXzkcAQA^C`t(a~LQTY=SjH<d3+-fSR|#ho0Q02_mh{mcx@Ydi1l+up<06_K
z6ln6b)ns~GwujRiX>*X6db(S*u0*upTq?J05`F&?&OUbkG8Q=f{USLmJYL`o+oO#K
zEqL)CF`rUK;)Z{{8!w_#HCwwZcfD4Wb{7P;H`J8#iSUEA*=EwZ^_3Colqn%|M4Ng9
zq-axC$IKkwpm`AxtE=Lak^~zMW(l|!JJ#7O+Z`rnbm!w=|Mc;iDN229&0Cuc`jQIG
z0I*&*=9!Y*EBm8AP$Eggn9DFb7{xqt=Ykhohtb=GhT_?C=MHUE!KY_g1R6YGk)Kh7
z6uzUtvH!31K=;~3wVefL%p{uzfr466%~~-?*wOskl)Y`*c7Fx}3<o@l30}~G!Hr++
zM*GJ`0O2rbI_^(J51kx~u6m!eREn?`1X@j_SGb!O{ahr;esi9}Q|cm59K-rD_^v05
zCV=p$(WGpT7DZW13=Q!626tL&WNl+z1KZ@8H83l{#`Xm9#KqSX{G2Vdu_sl*%$eeN
z!AK@DF0YtGHUYXAq!8PWvPIAlGf-VkGwx@gQeh)jZEZCFfBX%oh8vm%c43Il>&qW9
zsX7ZBrS_;@wxSc>2_pI1)nSgD33m?9{^H;+8qBeq3Qte&tI{&Lhfm5Fo&aKZ{y^i{
z_wQ9-CjUYuH-B|bE}>X+xY`{u&LpQ4cRCmvpgxOTe^s*HbUhWPbfynPEod*3l#WXe
zi#UlcH>wXRKTb{{5<((82HL^i8^#>B58=I40EpM&&(BJKfZ!pqG-$aYXn%%-)kfr(
zJuNS-{+lu9$ap{2OxtA!2%fixMA<iCClO2Wa2nLC$Ew*o&Q)(i>yEhb5tdSsz64+l
z4(0}xzlSn%P2%u<PTqywmjT*pF@#d%_ihVDAi$TPjhNw95`RtpZ8QG3)$8cMHiE>O
zp}^lPT&RBr>c2-mgQwI*bmELTjCKyz>RuM=%M=0~fR&pgPP~?pD0&0;;8k&skLZo2
z5CdbB+w!OJ#nCQ`iwoE5G-;ZjvXbrN%%yqK<oe`Rt&PQOlqiS6JWDM+74|m#t;V2$
zn3wHMY3CSCrwyStAmkJa1b>TJ?%x|?6%ooV<~jtheN(e2fx@t|oheEQMkJD7i~-xV
z&=5PLS*U`_l!?bptdlGy$r&hwU^YU%K_7$zz^W`#%cfX7(Db*+YAKAM+c)jxmz}($
z(ok<v^NitE;#RZaEU4ibd$?5bDkQV9zo`D<;%;QS5dHgXWn6@-CctYXv?E8SVYsX8
zd91Y5%x4DaAIh)AV57jppJd28*h)f<OC&36g*M3XTg=T^i{I2Eiti$q0$pC3!6Ee$
z69+BTvX%B&O6Du2u-TdE(!UFEW9DM6BLip|Z8@35#+EQAC!o$7oc1t~u-@=WY2#wO
zBBKDqvy>7%j(3h7@^HF1^5Ln+QiPKJER&3UWzd5E&aw689QC(Of`zC1rWtg-2|?D+
zc9K=Dev>se2?&o9<+Kn&XL1sB7yE`5ZW5#VFGg#tFZr)?@r7<QHWSlf4dK&(i9y8r
zrs5{S3ulgdtYqzY3y2aJyFLQdjX4bYn$25)2ae^A-iHU5kudc2pkN0NL2%$HA(OQ8
zOMR2eN2WMo4f)TpRU3atEczlr);U7Re0t;Lx10_~q!v&JHvz@}Ziluf9{*7*DG%5t
zfSp4tOk`buFx#_A*7<pDVEk$ZQ2?|AkEYDt&7DEb;5H!Ll$j_=w(Rk84I`x9*q?JN
z%2K$>FuGzJ!J7rzAN2>4u<BoU)f;q8KjW^c=a}8?mBh$$vlg1Pr@6ZjcdCF%H>F{%
z>GQEYWSE|iJOpG_FTkYkYi_DUupJq{1MG)&Y(~^kHY+^v>Prt{;_~Vc!xJ_l3-Y0;
zr&wZs#r#=D>os3z9mScw<f01r5=jdf6@e<Ifvg|8KLo=CMIakkmdavH#6#|qUV^pT
zf~=FRAXo?0_^$sSSTm<%E>lvvORZwp)@sf8*o3FmxaiK(BjoA8?oFe~=4-HK=1TRH
z-x0)bSq}+|AG2`(cPq(*i{B0YYg-3bIw+Pm+|bb0SosJMxIVQ+zOz+IT*5_<n9>E~
zczFF9{Jtza_8M-Ph?#6LaioNj%2Ndx_h5OFD)&bhl}ONjA>a$Vcz20k`hZ{(awL9>
z?*sK`ciu`oQ@RsOjl{;^c{%b>+s%Qm?<=r^L{{k%O4xg70(S%4F&Pr@OX)uC_hj>|
zjQg0&YXSbLU+240%gF%pwV9j(h|N+g5a-4{wPmMJ*!(B7UTVwr;66G3ZB(Pt9Q^`L
zP9dDbsK<4SSahP7dnp9{VBsx|rHa)$?IYB!aY#&_!Shl$9n35lr!uWjgQOtc!I1`?
zq#SeyhDI$}Bc5#D=jUc>XgIS7{&Z}G&d_48F9f8N)kly=JCeUc`l5i3uGglXN$*Bi
zS6h0ayM`I$?Mh|m2cHfqW!@s<r!Sb&capN1Bp-92Od-aU33BF!Xz|9$Nyp)o4nEpO
z;xA%utwR#eJL<2Xs0E*F(0F!w6;tXUGtEantQr?O-9G6~W)Zx~fU4!6k|4Z;<&Hcn
z0&}1VmxRWSsYm37d2LBxG3od1zFY(}<>^Aj7-yQJ>=>fjN=L=T0GDSPB>w+wnfY+1
zRV(O8-UwLIz{kBxsx$gkrO0BELD3#Gk&!9ePc<!5J~yUgqu5>>3XikpfDNcQqP{Zi
zu$KN{&OBiAUWW3Zi=%?L;sJi9NdWn4)~+TwSXkmgMK7WF&ecu*u<NFS!Ypf$HZWDo
zC^H`@iLmLz4UmUGh|lL;fAldr&k}AOX<oMrE9orbrjoEfKx_EeG&Dv{qN(Zs@Gcu@
zE2$+L1T{3!FIIR7S?g$@)~0m$(X@Dc^RB|VU=WY}V~E8n8r0|Bdocmv^}uy}`t;eK
zTY5~$CS5xAiTIW{1dU5#w#tDJN-m2VZ$(d;Z=w!>o|M8XHia~Kfz(h<M@IWETBmB4
zfKpVm?TTPJ<FB`}FYWMp^(iWMd$sd!h&*OOacv<D)W3z5=0yYRjg2SD2vXL8TO-x>
zpV4Avf&({xotnpA<;+a<B5}2cKERLF8Pd933{F@B=!v(CO%B<Ngyhk+a@d-1s0k4G
zJHKnK)miwlM=~h^aICY4-}Giz<b6%>d&&Ppc5s+#^M+bzqR=L<(zPkz8BaZhg*bQo
zCN;7>sh`men(q$Nf&nWl1X|i3e$Jbu)DX%HHb4D2kQ>)BS_vq?l{kn<P36uzQ!zg1
zhb?sDHbcgqU*~B%G^z#Kvf7y(fMW_qpPhL~4Ddb)j7@_UWA{XyUpi2PW_=I=u3mfo
z!%8J8ZASKh@5{s5|5a4cN)T`H%|!vj0?d*gC+g-59QWdNDP9-!pM4NV#HM3uI*@Nw
zAK#xla&OA6fci5K4p+|oso~#I7pmrAV<43dHL-@rhNww#ZAYwXqeRE(z-OOdDdCk?
z3jY<?OCo<gqw)1wWk&C~BddWUu?0oCKVUTMDQCk4-<#9=1X^_&OrVV?e|ylcAJ2x3
zA~6S)S^(}iqI*GK7*$~U1CyPnO8~51*U0hy^w%Qi(h-k`T-;M6wjNmsd!VG_jreM@
z<0+cM`J4li(p0=tH6gw~y(OOY!OO6b7PYN_E`oeoYfKk}^S!+)aWUv*Zm%y9*=*{n
zFf{;8`=Kq@2xT=w%Y?!t01^D7c+1f6wm=E`9~6j9d>?}6#(QRodJ`}avfSF+E-o%l
z{KnUzcx|68mo{XZ%;B-V!oxYPk=KFCZqhLE&?QJnZES7@MHFeDSm+-ZEHx3BC`P3J
zq`N7TVm1fya<`Q?VZAoXTpM{GsK9EX>FH@mBuA?pBuQhkgTH=3Vyc}wc)%SCh~wo-
z;qLnUWh%^`m(41jaMNN^=VKMA<c}ngH_x)g$9`KVrw+s`$6n%oItSGDGeHpunT#vN
zD9(2dQ?z|?Oxg6(68iSx`C-l^b$}KC5vYVUT~j-vHq;3L!gd-UeJzHeoR?vj&5#>}
zq#yh47(vj2L5zL=n_lFgz|DhPLFAGTV%^ZZpjegWgAq)MU6}j%=zwD#ZUUKOpaByo
zC*PX>Kb+db4%_<kl?}gTjI~HXP??O-VfeRJDBndu<nkO$(redDc<}Z%gIPqg*+!aq
z*`;Eu(o#>HV>e*^r+#)enhP?)2A1VAcx|&PvMgLP|AV6$dr|5U1JA}h!x=~Fnj1?p
m%1m93@!nh*zbR7W4S}%Nt&_^I*0<>nL{1&LF|<|JPFs!pCMDAV


From 7d3e7bfa8585ef85fac8bf885215662a92f2d22e Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 13 Sep 2022 19:56:28 +0000
Subject: [PATCH 20/36] explicity inject subprocess environment variables

---
 google/auth/pluggable.py | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 161f31858..032f2d58a 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -212,18 +212,15 @@ def retrieve_subject_token(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id or ""
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = 0
-
-        if self._service_account_impersonation_url is not None:
-            env[
-                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
-            ] = self.service_account_email
-        if self._credential_source_executable_output_file is not None:
-            env[
-                "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
-            ] = self._credential_source_executable_output_file
+        env["GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"] = (
+            self.service_account_email or ""
+        )
+        env["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = (
+            self._credential_source_executable_output_file or ""
+        )
 
         exe_timeout = (
             self._credential_source_executable_interactive_timeout_millis / 1000
@@ -289,16 +286,15 @@ def revoke(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id or ""
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1"
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
-        if self._service_account_impersonation_url is not None:
-            env[
-                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
-            ] = self.service_account_email
-        env[
-            "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
-        ] = self._credential_source_executable_output_file
+        env["GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"] = (
+            self.service_account_email or ""
+        )
+        env["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = (
+            self._credential_source_executable_output_file or ""
+        )
 
         result = subprocess.run(
             self._credential_source_executable_command.split(),

From a703e573666b9c1378071ad672ca9ebb52200149 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 13 Sep 2022 21:23:19 +0000
Subject: [PATCH 21/36] using a dummy value instead of None as a temporary
 solution

---
 google/auth/pluggable.py | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 032f2d58a..ab49328c0 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -132,7 +132,8 @@ def __init__(
         self._credential_source_executable_output_file = self._credential_source_executable.get(
             "output_file"
         )
-        self._tokeninfo_username = kwargs.get("tokeninfo_username", None)
+        # TODO: remove this when the tokeninfo endpoint query implemented in auth library
+        self._tokeninfo_username = kwargs.get("tokeninfo_username", "")  # dummy value
 
         if not self._credential_source_executable_command:
             raise ValueError(
@@ -212,15 +213,18 @@ def retrieve_subject_token(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id or ""
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = 0
-        env["GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"] = (
-            self.service_account_email or ""
-        )
-        env["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = (
-            self._credential_source_executable_output_file or ""
-        )
+
+        if self._service_account_impersonation_url is not None:
+            env[
+                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
+            ] = self.service_account_email
+        if self._credential_source_executable_output_file is not None:
+            env[
+                "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
+            ] = self._credential_source_executable_output_file
 
         exe_timeout = (
             self._credential_source_executable_interactive_timeout_millis / 1000
@@ -286,15 +290,16 @@ def revoke(self, request):
         env = os.environ.copy()
         env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id or ""
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1"
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
-        env["GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"] = (
-            self.service_account_email or ""
-        )
-        env["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = (
-            self._credential_source_executable_output_file or ""
-        )
+        if self._service_account_impersonation_url is not None:
+            env[
+                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
+            ] = self.service_account_email
+        env[
+            "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
+        ] = self._credential_source_executable_output_file
 
         result = subprocess.run(
             self._credential_source_executable_command.split(),

From 38267f10691445002b17912642fdbef1b48ea88c Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 13 Sep 2022 22:03:34 +0000
Subject: [PATCH 22/36] fix environment variable injection

---
 google/auth/pluggable.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index ab49328c0..da105da57 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -215,7 +215,7 @@ def retrieve_subject_token(self, request):
         env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
         env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
         env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
-        env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = 0
+        env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "0"
 
         if self._service_account_impersonation_url is not None:
             env[

From 5b242dbfc6050fda3ef83c7893b1902991b1a81a Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 13 Sep 2022 23:34:55 +0000
Subject: [PATCH 23/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 6fe2da815472d710a3c6609ca6f673380b714552..9c05a6d500d15f1f54ee5fa37632cc0b30d300d8 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTB-k*4jFgj-WcbJ%z)}sz8PLB28oFXz*m%im{lHb{-O{PyjnQ
zDV)od>6GSaZssZf{(X&crr6AdVWP!_F=x>mi6I?L;EXzJ_)or`rFPRUUBBUU@QMX2
zdH~^u8R$QcKIySuvUnq@#+;m%L0?OPx&}|9Yt+sz{%&As_>D4KRhm_S%10Bt{{;p}
zns3o)(9rN@;<Ov=FB5N2FN3uiau)8Ty2f5^YZou&J+-PZve?{@+R*IxcbGp>@7M#6
z(&nI8DFg73|0jrv>%)|3vbUrsW1&g^-zoGJD&IKmmyQ)6N8leZ_IydHAgk(wO>ndM
zWBj#txVk0>NXij-u{1(D*QK987~S`_4uodr{<e(dXhI;+=mc`$m`t_`_skhA28(X|
z-q~1`tnM?ziMsIaC{i-^g7O>AXl`os?o;`xruu_G4*95y&jDc5O>(+|QfIlq4yR+=
zx{HhpjjXjo{k7dEAE#YIhm$f(gML#>nJI&mH0n{{9+T^uOkxB{)Nh)YH=5<r)OtSc
z%5SU@1C=938e@}6F5p6Q#jS@zoy)ny3ErCU_ml~TmZS1RDNN~if&jrEzxghc^I`_%
z&BwWYiKF{JALRGC@_mG;LfjA5i(nOf$Pxuc4aUIM#ln&SLfdsmcs)QqXnBb|D&2*v
zY8~lPY0Y3nCy~7|tho&zdoy%C6GaDMJCl{Q8BDmsF}bBFR|=%@P*Qv;qS)gD+;_)U
zk9bUX&HRueD8_2cOxn?gflf~7@7Z1~b3P<qmbmZNBa$0N`$Br_&}wDjIkm8VAvgdx
z!7fHdZez23SP-ua$u?Ny)RG<mQ#-;jm=G^ok1Zb2XFTrK<V=eHi)*WP`<p9!4|zgU
z^-?{WzbKRWU$b2i4BuBUJi0q{Z8TA1l)4!$JqrWmFNTzftPvg``uoNQCTgDzuz(?D
z5)DISgucqG0sZz$<xS8lRR9+2XmfU3xgn_ZDYP0Re6t`Ki>jNR2qC~dR@%OX{F8;o
z78~hiE*L6zekdPf!<`t*BuuGa>10Or*vzl&y`q;$3ntx{zNeymEyiMzFG7{UUeI4b
z?4&;O3Gs(vo%{2&95{W~(U&#nYiKqm7}>y@Hqj+|Jd}@>fdX$q*{e+l%P=-b)ur9P
z8Av04voh<G8BhZUyX;igVA3AdZv^8lMEZ=`eh!wBZ}SpxYctOe6#yXGX*2v9YB7!7
znb72gANHvEs9HW5GiM0jJm7nW=eWbXHG}Lb0-e3Pau^X{f{t&2UO?-ym`7Lj%NGq2
zlufa;e)INwXgLO#DG&t$d}?DR=SZuotoJKW)EGtPWuh-Bw;6&y3EO!eRv9i{Jy6k+
zZ$U?3|6L$n4GGz?M3XSR-qfjUZ0RZy-azX#WMkO~hq)!pmQQsfr{oD&Mu+fCj$Y1S
zqh?tn{OYrxv{J8f$DuN!)%RJ5?v^u_tmvi2o+4X7k|Ya$#!uhIDL+|J65^0#f#%~=
zTF*wE7JU?DX4dpP3wJ<~dwx0=SM^~k-EX;YNk&1>173<E9~Ee!{XEAQzd-MKxn|ia
z@5dAQJ}^RJuhXfQl8?5nF5e-1+|O||G|66InrjqZhdYhd;g=Af3N^{7NOBn5F|M{Y
z66!SvBt*tHeBwFU(`N6Fv!&BIj6PlAf*bK10zX^9V|KbH`N^|gxs-DW3xfUes0tct
z*O%L<5VnCmqE-sCLR;cSjz7klnx21N?IW8#z$2z;8ihX-HJCOjvSfda7bmfNjQB5_
zEL^l)2hGK~10@v%+jxoU!XrfJ2ZBU&#ck<S023IrL+#?IFC0nm^O~=)<<TYd#f@<D
z8N15D36;2kg;t1mJ2&H9K4dD&)#z^(JYWlqZ>DX-G`k`X^`394_--GO&)7(3m3h~!
zEs~z)pX||9wbG+(WdVt%`RHZvpk4ygN)lkwi>{Ye@aiGsx#6jJEp}iVca>#l5f4=g
zrWNp81wkK=vg3s0tRDpEb_bjFIU{TOo7q%1n5-crxMx=;(@<S0t0$5l2S^%Y40X^Q
zj<=m<TjG@I(SUd1Xim9;7RJmQ==4jNd#SPV#HNb|j8w4!oPcV#cjz2M@-keSH*YL@
za6K!_TBwrFSIJJM3QI!Y_KGMtIUt|wPf$ukCEE_c1<Ah~w`F3o9q~NZ>|ornrL1KE
zqCI-Z5|Qi|fL^?HH^vTIwtyJhr$%X{M5V!_*7E$~{mwtPTh6T;Y}i+8v%S(*&dTmb
zy*4OvKf)o+I`!{fAth{I0-i3@5I^W!PN5jI1x*KOC_&AM3LTQWAMdO&_CU+lCZ?Wa
zYHQzdXp+yHuv^}CN8478xhT40V)P~@&%0nJ_pO~$_@)0!sZsGpOd~r|M(L)?eF0wz
z2$s~BGb~D~_tkz59eY6_Ruv|sr3y!K<32HpsGfgK<RD%q%9?vi@st$m2xiu2@OS-J
zK9(C8e5&Dx0hNna=7VCL@>Ij~YTM0Rt+7r3km#McSQ6HXSW-=i_4&=(DIR#bO^|HR
z*|zJnbB=XS?|miiSIfKgSBElA@;5h?MhQ4Js=?ZpQ*v2iEHIMO2YNE_GoqxYVwj3&
z;cRY<Er{hR!cUK&%7&mkc&N8&GlX(Us`e^V=Sf&d3+O}6y`h*aWrVi`VJORUr8t0?
z58<wda#J8AWEow7s&TUMYB8yfk_%SKf{UOv5)lZHQEgIAtI3w%Gnn=<yRwwj_!!=6
zW!mCTTHE*GYGY>5b<kA1pWkh8Kl>v2pPJz7Glm)|phWS&j5znX?Ijbf><-Cl0|Z1`
zIH^KcYd;WBwzO00W%D)g2vk*%7Lkbl)d}EiqlrYVd$@dCu<Grf$WUzJHDCxHm)|A2
z7Lz@;Jokx)ndAuQgbf(93ZJ^y+~L$$*ePcbJe<Ys4Ed=m>_g#D53Ho4B3b|G#)?i&
z-|+LOwf9VCU-|0B5b7$jrO(KtMQ+Y7ExYIeu6AO}rfK)<st|gix>`NNa6=2CK6)jd
z7(`iYe|g>nI~~d4#nFS*&oDR$<Rw&n%X4|X$9TqSC?w&W5JaWY<1p^pZEo^Ezk{SX
z=^%bZLd45N;OqDs^haCxyZ8KVf9FWo=&uzw7@YU6Ldb(1qPxI=n=Aw#d9;o(IJUIb
z8(vW)g{|G>tlC<lc67J)%HZ#PcDhDxvb!z(@loybq6~`u>cg=kvEJT7PKdgqGU<-2
z*9+M?Zfph0s3c|<D}FCN8U3;-iRvTzBn2~T+tJNSza42F6p~Ue$Rq-^yPb`p$($jw
zC&ZL|(0h4VAa2?hEo+Q~T5v(nao;r8w<u&V6h;&^=wR#&#645}V8gZu0^nr66xYu%
zG)m1wPJdT?$`RP9k%$=c`5`+2=EsI>1l?TAoT`K9Yj84j6bgy`J?;UvbUC;tzeI&>
zGaC(p^hQ(|cQvjd&4R22p*ns?>_)~0_Vd9kO;2zEtdtB!c8>J4bYjr?(47F65?Dh}
zP@lObGIJ?)1805Ltal)t{ud~zk}kki`HF-{1syx0RB>G;*15dDEwrMFNE?tY1Oxio
z!4I-fyNIj72U@ck0-pGGLqv=vp5>ECYR5o;os0!=fGc?%-Zm=qPS6Q~U%nm-R2vB|
zm35?8qQfYV%GO{$z=v9bxoxyMFxnE1KgJ-bL33S5b}>w|<$r$s;V|lKx00-E+We+2
zBY|;{pWsZ|c-YSayR+;{=mCJnmZD}%URb&lCplm%1~irXYHw%IoX+Vl-@P93iW4>w
zECcbNNjY&A8W`ySIqbV1=GWL7+=~r?yk9)APDP}6L;w847v_&%)_ND`6lvwH>>~||
zhHHRgNLf2IPLQXOQr;G(!Ud*{aX{%?hfEI$ePcGC>Gg{4wFt?PDHJm+sm$vs-MZ}R
zrI$)<W2uK+i5qB(HR)G(GErQdP$q>IM^A2X96zO5$Ai8)Es1bywlFhW<+A{|R3Dvc
zzw5!4wkXDw7#fc&Hh{(&VjbpRY`vp7l;eg$V|50V42B+(gNdf+S4tX@t?`xG=9?De
z!I&)c<Qnyaimp6!)of%DY5KzR4uC-hD*`NwQ+AQ+uifziD$Qt1a`vGXi6I3&9CW9I
zyA^q6eio`IME(&^<BoVYf=mMfQj)m!Hb$9|8iVh;pze<$DTnkrHr+qI^rL!<kQ)-S
zJ>$~L+nH+sANa3YHi)o}rHVho$@#L+4CRVQS)P|`Z-*$T7r7>Xq+qMow!O-TY&PTm
z_W+s&zeee>yTy2C66zl-B9ZV=YSQk?XXDHh@CVo6L5r%K`+Rm<{209M@$9^M%~eO@
za5EaONAXzH(x%%|+rgNZt|`)pkuyLuL<Hx+qh#`)@0z<4yc)_!);VeQ71xll+~XZ;
z+tdA+T<$S7o-nY;kOWuL$GnS&of?`q?1)oFIFS+Bo>KH^Enec8)W8spT>)Cm-4@d7
z;4Y*sA9rd3Ru9&NSZF|=s^=VUa`(azp;t7GT;|7|0U%Mp4l^pdcNK~f0e>ZPa}r`O
zr_9wTcgkE!@Qbh|C2aGDRA&)$d$UV`Gb8Uym~xzQyLOISr6>!sSPiOYK3-DLHx9(e
zIu%;3Vj(hDEla$fk0Su5UHed+{@Sr|AI<eNZU2G9UX&kov;Xypt(+UI$enfyd3f&o
zfeqnW)j5Nj9rDV)0R!+W4T0+Q5>KkTx-jS69!RY&F|J3seDxbB`5Hh>*<iSg8spM)
zf?wagF;*nWX^>ths2idaOqwci<9;W`jvV%mp=@vthP(1GV2{hqpGuF1Tz6<#wQ8Wp
z2m8q5M!Moor^FETO<%<YB%mZJRO790SWD)d>Ys*Q`2VwP-+x$|_BMYd$^;jl7Dn2R
zFMbq{+@8~-c|tiWeu0u^Xniu0SC0??sp-;K<QXiKx9GcOm{z#t8yeh8yj^Un`~dn5
zIabn+*~Ay8%i#4c3u9E3yt^~#dLz2XB~-8q`W10(&gy1+kKC674FXj{0@@x{!teVh
zT?EJ+PaHfIviK0IZn&#RH~lgQ0NH&!=BsGhu4-i78IVM%DvO#U3Q_9;x`xI1zQ%+9
zXnzcvcag^<P!`nBNI%jsyUeRIB9Ops&VuP&t3`x97Ejq9ArikJ>FW*I0I42b3Ay(^
zA=5n*yIQ{~&Kp47?$hL1jYS)#q&LS%)`|2rP_9lr^eP!l*!GC!Uns+%aPsT2iaq0s
zD$l~n^K6uBgu4)EceQrt`6Cr2yeBpjfn1}3rRdzjk5-X8pU!8FxQW~cB}v~Edm(Yg
zK|AF+yzR^cGC4=`D3hv8QFug$Q68g7np1L13KN27a}irub$)moJEDL<;O&b5qBYNE
z+uUDjb3qJ@->+?FH}l6GFv-DBz{-Er)8W0&re~~*WGGOV;03*fzh(L|m6}Z-ZA4gf
z+FxIGFlmN4oQmkIZ9dD`(BT2q4YleMCx9L->Yl)0SVUgdv8nnoD=WrJxKj-@4fklj
z_L=}fDvZM}*7f``Lwl2j1?Z_#$b>@G=11skNEIDURvYken@X%I!az`*>sV&=lJRn(
zvgDO5?i*}@sbkSa%dYUWvR!0{bLq8Eac($$Elh?FyiH76DDzKoMa`qOumtI-Ol{K!
zb9EJp-A~ql>thiXMgQNp8Pi_e&Ip9dHcIXG2KKf32pgP}(H+i~SP`%Km5)Ba**pw5
zn#~uN+r3GUdxj$TsZCKRPlLf&{Gx~_hdZb-HR~;2)V(;)VgJTFJ*V7q6D{2ced!`O
zc&x<;!dK^Qb8AR+e}d_`ECb<n3Jnm2s!cSjTE8}gsvLyTH0_&8<ard7p=O)pf&Et-
zeqaN*ovx*&Q1(PZg<TW%yK4J~4q_1F`0wd@wTznEj@sl?9?1LW6Crh!Fw}nOa3&pw
zURd!!UfE|gUff00P~;vL-HRnC_@b0|aLKp&^viCl4Jyiu33eKK;hqbh3T8Y}IFpU4
z`{tUTe{p5bJJM?9U<7LQOx&y8dF-XfOd7~~|A@#xkQkD_>6uSyMaltoP|>AW0hIjI
zsSGEp@&m+@{YEe^n&-G3nwAr(g&dJC{F4GTmQ;v3kT|VcfN*6o%_Zx<mHwL|)OSf+
z3JX3OyR8WP-kM<bB+kV09ja|FJHRhJ<<|02@@^Q|ue0le1OgS8=OfzE-Csax8I;AW
zLj*Wr71`;F<}}}1P?!F7ynSpN+6sn9w7!_W8I+L^del;9pJ2Y8i33C{s?N}M1-B*|
zBoOgj)6D{F4M))(Xp8+h6R6zFYB{W)z!~L%+F6qjibQCly(i=%C55(%J-UE&$B+}*
zI$a#=XjShx?5*`ffJ_Tb%IAh&5Dq=Z9KrL9vH^Z!jHET|-lbmDW+|7*$YZata1N*H
z*1L78pq>7{JCB17=6QHfDatXgi;iL|+*JafXF`2GL&{gIq9K&4#KEcMnCReb8?DV`
z#fV7$$Eu5MxkvkUjo9t=GMDQ##GfP@{s%Im{YoUdU<vTddE!c+1l|uSh^5v+cPnyU
z6l~RCKvgWr2<1e+T&|F}aU_;M|5sZXm^|-a4Rg|=s(I6uV70!H*26uXSjzcmS*R)$
zVC@5?bzHePpt4xQ#MqCJoW8jV8aZ*eJ$Ip0lpzS#P_nF>ozsm!5j&w`QgXPG%FDE`
z`-eyuO67S%tKFR!4`>@Sv|;uo$5SsGfB*wt6<NX@d$EnUyg-A&LQ#0m%nvPwvcFrh
z;-Y4W{qi00IG)<;u65j`lB_CGJ+CqpTkr?j55i(v&rYw+R5(Gq;E4)sH$<ZUDK?w!
z$EJNFq1oOb+Uwh5S>_g|ph}J|qHk%%b&2{CfsY!SedaBjVxd%3PsSE(yQ8{Fs|^g?
z#1+S73q$ugltKVS{}?achxBt|Awghqf`>@*VBrjYOJHXkIV+6fhFt#aY;7;fpK#<T
z%NlJhl48-)9Hn{FNPESYX2y7@P}#FDY{G*#+2$fOY9GReELD^E;GH;hJA{$Y@2e#4
zT#DMjO(rl6BT&|N;~u!EDW&ApP7Msu*&%QYS0GA@8b56IYp>N(#|d8mn`{w<D(#<d
zyfE<fg4ZbUwuo1<tC*c;26%cxorY=N8r2=fUOHux)HwpsuID59x#hrp>*kE0h*Avi
zG6+w;>OmAEfu7sX{M89`uz6IO_xLKa@`hN*h6x248t@O<Oyost0U!*}Y@;yx@WzjR
zT#TzPhU=hPSv=u;#GB5Ox%zOnP*#t*y^zd4murc{I3Q4?@}EH+%d~t1R`uROGIcNI
zvGOL0*E2>#v0u{^4NPq7JUAP!q-xKXEz!6vuW|(ypd^MnY4d5~)ObFw9Oa3)qaH`%
z5Udglo|EA!U7`a=)C`ummMH&<Sq@3&$@+I35|PX~bfI$`gH){W(j=f}*Nsp<2z+D|
zSVayWxInQlRGRST4TN{u*n#p=DIfJEVq@j=*QI=Y{lK(zEeUhA3qnR93_{fCTnSru
z+s+vQEuLL-4byjb%`(R6WvT#P`0;`TXFezuhRmX9Q(RY2Qx+C)I~)n0i)kME@J2bn
zk93*(bf8NN>hj_6MBPtPtd#z&nkE5xj0KDYM>!?72!QbV`-Q?Om{=G9Z^LisXrd^J
z?Nrm82e@D;-1OrWZ7kEZrglA}?o(?mqo<)I9JU_2=QYWohRR4t+m(dl0*b>?o*$*e
z8EPkJcfJm1kNjyiq6cYrcYsjf23}44wW4PMIlz_)F>gW)$27A2K+)LiUP?XmB!Mp^
ziLM5f(#8+8d^`Z3AXRpb3_5~DhQaL#JZYA}A~o?xqoWsC+Q#kA3?n$(eXeN8N>AX8
zX`*>HgGe~l85gLU)^}|qVKWq(R4=ZhR|Nu+IjQ`TXS)=L&mZ95y<BVk#$oY8@8t5Q
zxgOVR5vQV_!e))zTQ$>9iX5Zb-<(gqk+MF4%^qddAq~Qt7#<@(-v+k7=OMnk{r@S1
ze{DY7$y-qBa<XmD47Jt{GEY5JV5dzA051!%MslrI)O+R3JKVn`7ChrMGOtn@Sv$}w
z7)=Vk%M~g>2y>7<s^;e|QvxQhvj=k86@X$DsA8==MmE6rnD9m;MLkj#S#&9SH#mX%
zS$ky=EY_^TNsNPl!tz>&N>c3R^BbS$jjjj_+>N3@!EQUKG=qgDNf0~oClvl`t+QPN
z+P6W?F?|;z*B%;mo!Kghd!f4DW~b(M#Ck{WH0@07lh8^i`3kn=s7Zg64i#x0VfX?@
z1~&3x!<K9>16uDOHgixA3AJ-<*+#^yq?~)~%3w`(uX?RgLG8UBEhk-?)l$*s+?J8|
zV7|G;kVlm>^P9FY465;NWqX-`Lh_Aw>Al4qXy$`&)7#(vA*{i3slF%-<*<;?iP7$S
zC<ZII#Ce;wnMK~6w&*E7B{<BrviI!siy2spgH;)$lQ#9&jxm0jQYRjgo)XGZ2eJ)A
z^5AP^)7my>Q{_Wd#Ovk3ktPEUl4o{z8&bc|Bv*7&V7*@!)S8`WV5r_#6~o{0qM`M^
z_%k{yQAYu(mD8^wZ*k~FgVKtWMasZEoxi|?)<}LqHcIf_RZNXnkn$QoqX^Y{b}*p%
zivk%;5ddM#?DNaiE2R?bgPNnJ2wHEEMBj5uHlZdik_QR9{*rebhD_;pR_3K7eRX4Z
zFv(W_l!LNw7!0uL2l)DIy?JOiI2uzPhUZd{_81mZ;g#MF`xopOH2G&*#7XKhZw_yL
zBuc$=+j=XWOVwEPW&1+~VRulsg#{*I>zejN1J`pnk}A#LxBaVmzCU08g230{ubIMK
zStJH8Y1Fjx{>)VkmMhs}tDT{CudM?5KDa!ai14nNP1)WhQ}W?9U<~MQcSbeW+dZXg
zJAs`<Pn1bo8&WI1mIk<G%_GtCM91`@5?C=eGouQzqT|bK*ETEPQd`{vu8x(Cfyh4s
zT|9R8kRpdv!`=`Rvn8U^D?%v%Lcnv)C_57KiN#GC1HhBx`1xCCwS!(~LwGPkQ7SdV
z1kT*UZ_gViHK0?bi|inOtA#YucUUl$>yms&Yl;P0D3(z@n_#tis&-h=*zvxGjO^|4
zi8g*;vbWrtc{x*HL|rnlUA$-4J)M7RsC?0UD6VyC&9f0Q;@!u|zAst`06~v<_MER|
zytOz`!Q}0i<9h=`td$gdi|Fpj@_;8U?^UbbU?1MTm8wrk9uAUBh-SdFHSeqrB)-oo
z_(7l}OO;-Q=YO}{3~PfW;$zzVld4u-^7CfXu+d7;YO|!K^JYT;uK<OS#!tUK$UDrR
z17f3%tWTWdEKN>9nEr`9N8MI(NDuvSwk4h1$;<rAsG;~r`Y*DSf?JD(Q!JI3cRccH
zS<(G`)GKJ+yaJx$J~B8_G}=s7J1yrn`!`!$mIjkh<4C1rYHgo2Qo9DDlRaeH2R8h6
z-Oo%w!mBw&hL}XI%*ducAOtIV>$sv=pUJ|6G;>6;0=cq$G|fpjWJ2jy6V2>H1`C<J
zb=?#o<P_2XngL2ZPW_*P@%pxkgIg3}lqzBebtLASgh%Y6Je7I!Wd#4-vzzV3*y=5>
zbIY?VdMIek2XK564z-}&$U6i1i;Az#vg?%-j$Hg$8KSk<D{n*5uFM>qx1cUr_`S-_
z2#Fl)@diA8+<BQuL!W|_uJ`(FD9RN;$=@uFc!L|uHwF02x>rrwP-_dFl*vH`$-pw(
zAzH1070o=(SGU6B`71ALT8E33;?$<asAgc~8QD^-=J7B!O)f&*7!s&benoC!@0SSX
z6<Agza!^xF_E<Tl&)Hav%5_~!$*2Eq%pl2-EqLP!Nz>YGkzPFLSY<s>n~<fBaz?U;
zl+Hfn-7QJ0z)kwnwPHVIp@c`M@;%GQRcqPasi$|#NEBJ6z{z$Jb^k6g<_J@ihW{7L
z*HZ4_{jb;esEDg_OywzzNU!)cfU6ePKOwTu7M-LODK?a3Fh4^Gu91Z04LdDlYtzN!
zJk9EBVYHEWk{N!f@IpNI{dK(C3%0!&D2fhUeo3&Q^CI9fvgot=mQNgoVpc~YhjFtv
zUXu*M$wPkQvwl}T>O}3@LQxI-Kf4;dvOGh13UiLSV0^=|xO2LSk#m3hX2)`}L6pfh
z*so1HC0B*fBE1S7-R-;z_(H#+#xphotyrVSM4k|gyUVUN(_kyjfv-~)gGCFX(}l_b
zFP~@5g~>N`sLn|fn16Sy5kM0^23JtvNmzJjfj(P2-r1^CGNQxLLQ<!qnORV*eZ)$T
ze0vTV@ObN^fIrBWBR8Ay)r$;aIQ#~kCKRSUkn{<LpGl&B8-t>FTs0Oac-+XYNcNfa
zRH%U{<Xem7I2eYCo%%Xm^C`D$ZS~O~b|k1AHoq6*(;^c>+*#j@mwNcxf_th^NB|)9
zHgX(f?m@T`7*0_f{6Ac={MpN(REV}n>;ndRupkO>?#vt&snCIEn@0#qWMolw55(du
z&-^nDpau_O2c=|GL-++LhSU2+F`0!~wDD%~1rdMTkFXI^QBn5yKipq`VmpY=HM2cp
zLmd8bNB1nu$W>MGmdB)KpOg$F@$fD4FvR{P^$juA(hRNXp?5nu-s(8n74z0Hrj3Lp
zNM{6?Z_Mf<$LSesKOQ1}4iKIWMp9)3-N^Tr(9=mVLS3=^q_B7>op5f<6NWf}&MYjb
z9pr(?`;X$P*)g(io;rEq<#ZatgKCmd2HzD;d18M#isa2*`%x$KgXbffB46LHK>x<W
zzQ-Ld?@RyTP27Roz+d4%scv<#l5DG%#a5B5mHOc{C`|7&t_x$QNV<NaGAcZMP@4D?
zZ|IbF;i(Ag<9V@e@cOoVX8aC{o8|F*MU9uw^C2z4EB#NznSLCU`h=aEy6#ZR*6!bp
zR6XL^>TdYQ6f~6CAHV*ev@b#~LM1dhAsHvM8p@)RC)U-77y8P8K4yB%xKhVxvoeyd
zaQlEuML0v$vyLwg@5to$DfA)du4Vu|>oIgv(?8B`_2eI@z{kGudM+KofJa}?DnnG<
z6|!zm2)v1lZ7k8heRJrCnMYj#IBFm0fTpqU&S;Q_&3SC?75RIlxx}-CM1d+GR{{q;
z^xVCsHOJs1uO`%3Sq1hh+#|VcS&LVsY|vSYlwn=fCR0Co^OYB=1<+-25}zSHPa6-F
zV`PjKzVXcdB!tA6u)|_vQ9~AAYxplP5f0dEpRXy^;zEGfy}^igWy81^YnphTdqh<S
zyH<O_+|&ZU3q2D|uEu!xrB@k&E<evM5SV7njJA~{CirxW0y`4Z*;X@WnD@z}H6@nA
zWZlQO(H}y=WcJhk35r$+%9`kT*z=WZN(yK$s_Vaq+028xh-EvNW#gV{6=&sBeb#K%
zv7|(<)(OgY*Du#K(rBpJ{;t?Rg0nVh;XQP~C>-UmpzM#EYiLF*S^-B?T@gSX<2(nW
zv<I%@NS5ibo6COXXav;;mD}=JE3015c90h%Y#3N)N#nacq5h=~_l*Mm9Zu9tBXb;9
zUwz<19teT!rg#yj%Icq@XXZi@`45d6KbL{E4&;^DKsZly48(fit;MDXx8=#DXovrK
z>*@sZV}U<{_ZMsi!gfeJc!=2*=`Uq2m-JztNWo5$4R`qI-oqE8s`80>x;QWne)MYh
zdCJO99S}8`$NE`dtPG@)xdhZDv|+)^^;v412by&XfKgD=<;(1pDIz^SHX<*Wc0w!i
zI#l97SbJI9?eZZ%^YH(Mg~x>==M*WvJ&jb#zz@?nGKeCeKoxA)`YyuSLuioRL{?!(
zy<ahE6}hN9et){k&3{j<ypMx&;_pfgHDva`a3XI5qZ?2tFN9d&*H$5`S}9K^h<`)O
z>`!_ubyCrq#aKo(5Tki~B`YnKPbgi?4&F%a08FJqO3qvoX|B0|wj8^ihxMeCSpFFX
zJMt0K$+PxL-6ji3{o5mRi;g&Y_OAI+A$-gIfY|@ES+oqak8dpBNI^+lwuNim6BOYN
zuA_Z;;!&Do0L>ra0;jh>J504r$3T0bP9Z_cAo%uRGDi$|PG~{0Z0F@(3ZFl9!W3&@
z_OJj6^MT(ocYx@0^u~i*$giteWNrC-6G`;Ev9&Iq^bM16p9_Yqm}?<NSM1=Lgiga#
z#Lie?hC0DwOnOs5ZyL=5-W=d}jpQ;tBb4SvPt;qw<4-M(jheaFLJVMBK+lur!H?9)
z)K{7fj7p%~gW^%66NuG^I5n)K?NtGyTr7pQnOj9Dv-)K0%qg;aqKQXsBVO=h<3gVy
zalrr2eyhwKQ*E$|f$M5e`<4AISymk1)rkk`wzLp^C-V}Y6{eBDE(=2(^(`}(vPE}Q
zA;C&(J#=eRYz*8=)&+j&`)LiPaA<YR+d6Hu)M6*a)ZV<7TfGY`@HfE8w^j>4RUNB!
z@m_Jkm0w=J`+3~W(i#q6fgb82Jzr8<$Sz7ztcnnZc1WK`U&cqsZbAh7)Wyv<zk%rB
zx4J6$hPrBUe6X$Eza4BBhwa*-wu{kz&uY1@CI_i(jdhD|Y6$XXW&R}4#ET#m@O_$i
zBog>6Rk7H|8{1B=zis_!o5b))o2g4S>~W1q1^lZ1Nt<Qkb?~Rhu9z+FnOmo;rNXjR
zd%ekkI6htd%iv}shPT35@EDKv_TMmEJpInAtqctCz;TBgYo}ad=7xccSel(Jn_pRX
zda(i)YYBz(+@~V^yfzVqk(>@Xu}U<Ul2ufA)rPB=>%j_wk~I*Va&Q*`E&OBJy8OZe
zvEmrhNy+Q0C8uLMke)BqauC&$3AomyV2xaXA0Rx6HGI&l8CS<IQ;?()pd>k2`dNr|
z$(DrNs4E7=c3(D0l5^~NcD(e}Q_+yu$X3+LGI1`@gY5N$xP2b#I(6t_ddtWg9&S*0
zvIjWa>vL4#Yp2b9kU_j-;sVgpi~N!@yq8`UL;~Z^drEq@*5@Bcey0HbKsMxe!s+BY
zuQuryfDA_9hJ!GSPiII_yO^EuZO06wLN^CC7ShVr7#`m=Y@(^}esJorXj&io{s72@
zaY)9!D=Mf5ICH(cfD=8i^LY}P(Oj~-(t#JahL;W@2Gmzq9(FuCJYbFC`XLPsrz$;2
z*Dm%zWw%;tPT_sYHrz4#j=2v=YWk<;?+g0q=0%6)%7m*Sa4F@3Erm`wZ58vJkW@rZ
z#?7XOK+$mr3O7FmTzk0QdsW;4)!-Yv<9*!u{lP)voK$n!Hex|tZs#1SvgRa!RLNF*
z18OpTKX<0nvkNJ~Fk%>(9{qlcHhm`tW+R4|yygR}4M~|a$ug{?Q-he&yhysn!>{ki
z1&{Bs4}tmIS1a<~jF7&u7ta^snc$A@jw8W*227JVsJE#C?ik#O%Ex7ga+<%LK>P`M
zJIu^=Q4f8`;)9>d&MnOF3<GyM_$&?gE?Q4JjC@Wo4LIEWCH`9MZwYs+6y#C{9VC0>
zvijRYID`tCw{{a~VuZX-uSf1Uh?wpsPQ6SMEv5qR3VKB-Six#20;oIHolyC6+#!n5
zHBZ3lDI{4R|ISA5+gY2wTb-N&?DH}=t-UOYB{R3Wh=t4c$WubC-{^QB_LdRdfhJBl
zrgJ)@`wB+7HiDKjvy&T`=3vu|r_m*t85fVU3gJwq+m-nH`1`Y~-HePa8l;AZ(y{Fp
mAnhZ{t4Y!$QXB_a3#Wx>tP%dY*`#Drf^K>?u)$}ragV@{D;9hJ

literal 10324
zcmV-aD67{BB>?tKRTHqcTlVS+o|cVnsm-6n7q><$xT7z!m?nUzC*M8Na<~$zPyjnQ
zDVz{Gr5BvRPBh6?0M^!L9CLhpsGqV>VbXK3ZjzLD*BtbUgXadz9CG(gQH)wf<#vk{
z3(tr2Xrka7tMbbVuSFxj@cRDZ%)c_+=70lfiFVqKa0o(I;G>Kx1dz=ALx=d({f=UI
znthh3!7-k1@7cB=!nBW9p_@db(ETC{3n7=bDjzqvU8~YyYZ$aSNdxsT{Snds9c5)K
ztS%&)=$NY8L$;WV80Ki;8Uvij_|~y0QYs7(%;P-hLN{EqYS(jWde~&P5fG8%e`H&4
z*`U2=>W@p)v+;q5g{CLm80RxW^U3gq#XJ4_s1kK?tLcm42gcyue$;F4WiF^p7;$q{
zjDxigqnDD2@lwfe!7UpD>1(I(ld?&6e`tIqt1=|wOfB%34kq5}8WW#$&KLo8vL2^$
z9^cUK&2SfuQ|ZIzsYH=*vAZAx%a$p1d%Sit@b>txm}`}Uk!i4S$j^(_0lAe=RcDNu
z3;$Fm$HQBVZG$oIjCgx1uoJax5&Cdog+;Gq3}@FK>Px$7!l&YIwQ|GcRztp#_Sm7R
zN6#^F;lb0%21lFN{C|e&g6Nj<Q+W32GWg=c_vMel)+7KPX8|D{$cWZN`3mxLD=dqF
zQ7JS66=|jcO7sVskn!-6yOSPMa+?UeP6nvO*C%jAOP1lc=tKD-wYW@21U=U2rc$xO
zZ!#PZpi&RjiT{a~Ma!14{SFD+(ec0g7ngWAMBG~Xgxx$+TGI*jU!wJmk8G}U;K1Y@
zu0uOjH`L40{`g}jvkp*(=N5}8q!p`fuk%zlCSpGjq{gguPJ`!gq}i*#bk&8IGIE04
z&x&i*CPuL7u=}O2=A$&3_J29;Edad&I6FDP1I1TB(LvuiFonPJAqCo*O|!?S-5NwA
zJLHVkegDcsJ{oCyJlI1(Bs(mv^aGC4(wx+6e$KYVxe6?%f0@R)91EDD^XANdr0;E_
z3ti`ld9Y^1669zPm(Y;g`R8w6(*z%+DXsTm9-GQmkN?sEIBf56{Bonv6UFcWgel>*
zw%&MCisMpAR;pTiZ(<Eo*k<5m8Q3^!9PU<eYLkNr(|kuyPx=Ob8E^&g+ztP6yBH?|
z4c}=x3zP_&#N!W__m1zj{m@7sVectjYkO!n^`!zZEGV6>oUCb3!H=`yxfmB%02M$#
zfr%?7iHdH6`?HAN{W@+&D(IBXbI+Dw8orq4#j(tT4i-Y#zH!mXDB$P|`aQ7bbhWQ$
zS2F&Ii5rCAspmExKfH54(;x3ca@<GV5Wh}f0Fz<?zm5+*vR`}F!<Di4^#q3BI3G2{
z*yvVd9Q7lxMld*8wpmwZ%cjkOw<Lb|d6p(LjTi<MLP@5zw<Z@C2j8wJ5{lEfVPcgw
zZvTut7wQ9k8>Vc3$VFq*KaW|rx|{h61#fht5+iN6#dm3-^m6z2!{B7WsWPcbVX@HJ
z9h7c+aI~0g1-g7d4VZ|_H-8$Y?!pltUB#tmt-Qj(<2$#d_SM&}U6A+?-J#|+`{9`n
zKi=I3XT{i2<a&J?cxU6I5QN^iF)8{0iKo<)_5A~!xXeGnc9GECL=YfTlEwCddqN;p
zfDyyOoRIMTDoamaL1VafV0IEBz^$oI<~s<hhW-cBcH@BfE;YjH2yb%9aeULS!V=RK
z_D>{q^?j2>j_67R8^EHalsMG&uLypth55sx2-MN4KsqNF>hh`B{5cC9y-oM0Y+>y%
zuMpIHA3Sw7cRIPGo<`Zchmbn8(TK)Dj$UA7sgIZWV;poMvG}InZXi7V=LNw^KH%2&
z>V6v410=^MiW`i#GUm0;Ia*=scO^4Uu=;8RlY9|>dwF1<1q7Ted_x-^>?zI#{aIVO
z-Q0KgypfilQQo45cx-jPXNT-Sp@ZmGulih==W2Z;Hxe!J$8<;uz9e*)Nx_|&`RZur
zfD!0ZoJWVZ@&^`;?{Gg9sqw^jSGbfN)ql=6WD&^@P~F>Yobh?l8jzJr&Q$cP0QX?s
zTL9b&=CmdlbM!)LnQ<tyM5`jcGsc9ZoEbdkCu@`Ag(i!K@V5@_wbr0N8Iz!RjiJ-{
zXfUW^BVsMBOikQSWvp->{2;thuZ3`p`Rjof+YIdMBgiIt@>vr+jl>{t?O-Q0?zN)`
zrX1~5`*gsIJz;hUlr?Kqme!z8CHZ4|lyXts7uu<6YNUs6YBzg?So>j{em?)?30Yf|
z3<lOduv>K8m6q<U#AU79wYjrS;uihR++fpQzYTwY(~LTVSMtCY&=_!mGSt<ox5Ol=
zj_y)-*umb~4`z?Jz?77u?Hw>JVwczi+WeUv$Bb(-V4n1)zy<eA=!RlO?wgS79i2k;
z!GjK;wP^N*24<KH6Jx!+Waz$VAqkD$Xo<RpuSmJ*pZZ=F8~L|kM^`UUdZfWzcl=9t
z(l@viyPL0$*Hh0#>_|=uI;9_sajHe*M>+z`gRmxxo5{{!$amo82CUv5D>DuZ$6|+Z
zLLoHqOFy<oux&nRAYAy$?r1uU{Ezk5XNL$dB9$p%1+OF+;@(|K!u73R`cngiER$3Q
z3t3QsM(tHM|9^oE*T2qd<(k?Pl%LnPaZ2vrTpoU#_oE7CW{J`_Q&CE>R4RGWt8P|%
zG!J$gxMPT3hp8~;PHdKQl0b@#fjMU&3Q~H*Y731OqemPjw=FeSTf0^?*)%1(5OQ1L
zRpxCM5bt?xd{5}E4F>&t`v}Yj?-4gJL@W@@PG(evhXMEe$E`QL4yTalP40_a_mJAr
z-AX&f(;JrDe(6wj)-l3LhfG<x!3?JY&V-~bPF3lkf^i)pwq+a|=SEkE3b(=jB+X<H
z_4lEI$3;8ni5DRdiy-H^bh(bf9fgi`y^e<+!@FThhK#1ba!J=B|7zT^*Xe9&edt^P
z`|&y|kk(>aS261)DG_ItStYRO%0QqDj~ciA#ZiDHHxmq*VLZ)*hded94(egp0XkOV
zeg!G8GDQ9pNx%uvRYoUGuh!g$XHDE$$eI_CRHxD^W>Qx)kKYBCf!eS+moXR~-$tew
zhvLim8)5=T{Ko!hB2||YV<Gl{4o5ZGt7FC>)nb$@U>|E0!9OZ<E(Eq#453<Nv9t-L
zyU)^)|M$p7|M;++PD*p+x_V|H<U^J`3Y}G6Pht&KmNJL*r%Pv57<(~GLOTY-TQh@r
zhNtR(BPZV6mYiYl%!F)V<|wT;KN3YuA7vZlL7Arjj}Ub_`;bL`KB}5{t|`{RDtrY%
zDZS{L*&I~~vw=r1)L-$!V|FvJwsqsU1No2TD7z8qi>Y40sD9`XpLR(na2gy*yf#HE
z>Ur&H55DJ~sU~1I<Zo4Qr$Tr9$|5Ap;olX)|2_kVU|952Z9J$f{vleQV=KrxS#JOm
zCNMoL+zXh>#qRj1a~+4WyqFTeIA=q0uw>92EeZjZg{}{7+VeR+yxhuhCH&KTal=c?
z!wtIRZ1Z`C%vIPu{B+!~)1!Xn5f7n^cl@I*{0w<CL^{V5W3D#pr6(6PuGPr{WV_Bk
zM@I(DCz(maT{zwaFfvQ?t=8%sBG@IeQ7fK8B&z5Hs3#B+L&8YMI)pa4+f|0{cG*<e
ztVDU7WUN3;i{iIg!L9JAQm|JLaJlH_O(f<rsX*=sysBztssN5(PM5>Zu&>KlhGEZ{
zj>Aidso5p8VDQL>HX7gr3Z}kw|2YOMd%1x01H*%7VVJEhOMh#^ZuD;ioX#k%{@g1$
z4UHJq-C}7F{SUSZ?y?Gylrd1=!v+s!E$(DOi(h*~EV~QhG4mqimna!VZone7G%oPn
zXS&h1&wjQwYj~iUsmOnISk|1J7+L|8=MH7&yRIdL<pEYnN5onGzUE$-;A_iV>AXJ0
z4%NR3@<ZsiE{2x#Xjp^PxvKHoQYOkZ8|+mwd`hVQNYV;nsA@>Uz{+hWeEO*zTE}%V
zbhHt&Fyx1trsllxHQwqV*-Z>KL=pcJqTOAsSbP_UBCCNd2pAL@J=%h`dp;Q{7whS@
z1;YZ>=3sSBuCbQ>lnkE~WhbHKCVZV4nyg8iy^1jm|C^umb(fW;ybRt?T?s>JU2;2=
zZt#A6rCFe~M6qX%Lq9M*dBQAe@>M7v_&|Osw?RY-G$Sd#vd1WZ{r&NP!ZSR+Epo~~
z9boVWFhw9R>7eQf6%Ho+jm}XZ(w}^ol4RmSbd3WX3E{}dgk9~v+^D&HAL54a^Utnn
z+iCtl)zUKdBKj4W0$D{qaYnjt)XikDQ(-I%ug7TjC={<9ckW&fYL9DjDdxzbfx0G)
zUr#ZsIt3-lo|+uZhXxsAm3J7!l14<<4v0>E<L7QV9(*nX{IKGuUxc8Bd9{uAN(xF|
z)+$vQ`~if`8Gl{Y(tMpq+TP|WgGEBN0RD*5Jx|_QT--TeAI={hjg*2pK6-r=aeE5c
znSw2u@l-pBDr@(3kYV2{a9dSsy<-*<qbo^$P+t2+k0;x*_YYZFt>u%L<eV^x_Z#eu
zZ)bYvj5GE6FKi%l3d<f~1vwh$pjU1c;Nh3!mN)~W{?ybPJyZ2LDL9<ERiwr^TM6m4
z)D9y4XcSYi-yc1BGqWKfRvo5dAh4%Z%6fS>gNh>0S+h5Ygon6j^%T$G{w*JsC$HX4
zk$OC<Lb3_(*n1EbC`}G9<*Ga^)Qi2DaLlg{TecIpp5#9tpxVi*h6L=*GA`E5BtzDV
zU=rB5x?|u?nBwAhDF@=}Zuwi-sHlf66qJt^F1%9K2w7Le%*Wr1nPfMbbiU%N{i6Xm
zuspoi!z$>ia0A&g<ja616;!|Bq^|x}j5;~TY}^GraAu#~VU*9;Ay50cul?{xMh1iY
z*wqi(ja{TpT*t27wNTWoGJ(+*01t-7BrsXr;+{@dGDA58woz3Q&PrNq2SVJCE(;3-
z6)}50&M)nV?8}t<=SuBfxqx7&R!@gb_)Sy6dxKuI?&}vf@KNU9yZiP5#<UU?-R+y^
z+b-SBK(`v=Kv}taz3h!gg?zdRG-yqv^X#e-x5Q$AkfbQboLI35L%VwiZ$~jH&WnWK
zCKSWTnaMQ}HV%uI1y6Aa`J4yT@B_gzly`_b63Y^Nl<Q=Wxe|R{#d>x2ju1@t`4+oP
zO-b35Ax#Epr2Veuy{;FILQ${|SzsKOU^UN`%5WWfXdA5t*^Q;)<Lp9m#R)eH%xwf9
zl_5xFfb+7qpIom5Bb#24pFd#RI2kE8f3)>vo*Dys)P5uKw-D9D$Oo{Aj+=j$D%Wgv
zzE|5Zvt^Xzia|Ugh)K}?>Wv=<_z@pMPFAK3b>)11<RLu^92C76pC#Hwxf0Xumx7U7
z3H-VoPEi&gdEh!2#+zL9uejvw&YOqVo0z{{?N}(f+_EIZ_xtq+`8GXtStmUFB++7P
zY^gdhTfrQ{Kf>%lw*FLW&6onIoM=JCQ?@?_bD2rd!x%JWRDi<!FF!lB0iPV>>OeF7
z`dL>L>m^8g4;6smatO?~W=vJkZHEw+XQ(vlm!lYgCBkM#z|@u4@wW}^dR7#lpC5Mp
z0f^la!nriWaIog~(_&FP<kYUH5WcCDEOR?>UONyF#2)y9(^Jaum}J_sJwd!pc07<8
z0v&fQvnKD)b2euMY>f~>K-Y$(Y{31EtHMM-EQuwg*EbocQ$LWN*eCY^-5uwGbF9LN
zCJiCxOT@`rr(~>oA(KKVgmP1PI0MW!yhT-{9ahbglN$}=oTl$(ds7W=a~`goM-_sT
zknK~cUMK1tSjtE$1`Rd~G&n8Ls@8i$@rjPDf}m;y1CD{pUA&cJ8<inzLT#qXD`kjF
zOYtjgr&bMiKbk8jYV&%3W5%VGSRL<?`@D(QC%lSf9s*!KIqu)+BJ^wCQufn2kU7|0
zgm@lRf5-S?3f*T9hp=Ui9tE~^jKU4$D-b(+BgE|(D4?-O@!=W8-8L81qhDvCL}(_H
zP5EG<VNnXt_j>iK1#TDd$Fw9mZ9DP+@X|Chgt7Ll{_lU`Ac&fa_G(jBg^^8H<^kEi
zvNT;6Z9cApj>h&ElR!SRJ7O0SJ}6amx^TtS&8$8?sl|69g2E^_;=Dyp1Dtqc14{Wl
z(&6e1gFuMvjmas37-&VkwV8W^S5kN2h|Sl1Qtpi~{#_zfOGPnjjD)!>qAc>}ewk{S
zllWydHraG3dm_8z2Ek`DX)`kwde17S>%Zgh5Q1Yz19U`{>j<EXJyPDnjIxUT_6Y`9
zg~@<vyH=XqyUCJAY-c$YpJx#M6($}jx5A7#u6#uG+|EF-T}uUg8!JDWTt;z+pz}Ns
zxk_Om3>|V||Byc_)u<rXzTTDsfuNV<JCrC=KAs1=PCay>SNckE9tT2Pjm3Fh2Wpw?
znX?A<gs<7mPI#F#LPDQ&)hy<Fs^WJC0t-tmugrQU-EctiYk+e6X+h)tSUW3W?DJ47
zM^5HJqsG-BE+R$S`El_$^Lz`e;J?W;FJDUAnh^|p>;QP5db`~P9L+70%hsmJ)x|jB
zR){bp@L`Q4K*{PrRPGkbLAs1U<{hKeApE}8yx*8*Nra!&e@>>JRGN{K6Gc`o(djuY
z2*}clHzY-X&5p`TD*Gpa*>gXK0bVm)#NCjH&VS*<sq{(rK!^QV*ucv%$u>XDTbvkf
zP1Zbu*=QbU^52jQHy-`B!Hf$ehZ9$>xu~z3iRWK_d!pNM)!P(B91-({fpsNav5~;6
z$k?g_{OA{yQ_StcH3X>6gp_^-NLN;cQ6EXaRSF-2q=4WA^hu3QMT46XBcX}r;7Y(H
zQ;EANDF1sr_=;N%lMxm0=U?s<n2r5VN`tU{I7<3dZp&qyQXLCAyG^|Rw>#Y|rw9rE
zAQfbDenTV;Fx5@RBZe6PY9il+`*=<x40=nE8L9)SVV8`u*`$ow@Xo8iF+TkyIsy42
z>$=7Ih~dBf8MBWx$w|h;`8`_4VR&s)i>{(*-#+V@f;0x{cath=-J4E7^bC=4QVvKI
z)G+*k|4Tku;9L=cYLc3?G$A$EH-MxA`k!qgoG7r{-1CM{T>AFncH(LvXe*X^Gwn*;
z)oni7(-95y-f?e`@<DJW*Sl8cJ)a52D*Nkl8&cL>^}0oWS%}nYkD@=cD*SFpL-*Nb
zM!dtSE6>`IVy)AE46;L4>!k1KC`<GEld3KsD8wP7dpxC}KOQHQ^q&>lob0dl|1{hr
zy2-9pOXqd-x|EsrPF_!wGWN03y5M$xoVs7xz<i$$-K0k_n}7mMQ)QpCtr)@C!P3ob
zpeblOwp(n0Qh|eVs(;h<u9RS}s}Vcd?9ic+FuY{F9e2WM=_l*829aYV`La??@Xz2x
zDXs+T=1xUg)Mtbu-Qhv^g2qUQMY?lOd1L$v4R~wpXmpBH(!ddnrb&0}FCURew2vh-
zq7ftH46H^Bt=GLHeKJ0agKe19O5FX|IPYS3BzAqd&T*Sffd<>tcv}WZT<xqcyNlu{
zM}@E{War2KUeX>6XHOD+{BM<4W*GC*W>2&H`pSi)W3Nf|@3eR9b9B8p^R`)-8T=VJ
zm=gT3lb7YPGl2K)Z^o4|KVnSqr+mqzbG0;aBZU73c6R#sw>zE-UgXfiNHt^hq<YoQ
z*fs6ZJ+2#^%zJjB26i5~3&#1iX{3>bc~XN9`&C|m_2Ut%ukUbFMtV_WWBh<q2tV$m
zf=Ou+93x`LHf3(WnHnc)Qk5Oz+ag}$EUl|Q_r6ZtlKHtZ(2pRqmKHhNI~&NEfi(z5
zGJdOauoOU?RyoPQI7$vy%uO6-m@#xj8Y7n~a}0zO-j)|15yUEd=sRApC^6%a$gKdG
zSY-!Z9(i!{k&2k2qUy@#YW&N;VR*;JJiHea%ihXXj-U6z-s$lsqAPLT+CmIrI}LHN
z3izpeVMFMTlC-9!*Yh{P2c8>T`F`yEk02#?r=pZKPtw9}LbomnMlP{M#6dP>7Nm0b
z0~qn9ZloTNCk4)D4*opZjvnYtjDfM93s@-1RDsZ4U8Oqp04o}&6^Us_VUG0t3s5Y{
zN{8Z#6W~GApgn!(!e-+(54aIE=VKxX^I9?QGKpfV;@yuiFGCJuhn#%EgWR`2(FUIl
zx0zyo%;z%@A{KH68`0N9V59>LLF$+zUomJwYNT*qX<|!2yh}jYbwrGMJMqBwjclz8
zrMm|h$N}Y{<ED(~DAxegqerovyhD|lYFTbMBEpfsU-d3H{)l#a#^E`Yt3M;U0Q>`R
z|4^`cSjl_RaZY@T1xNQI{@^Gx0shaxa5Za=*EZ(*1F*Z0t?P$1fRrko9*yy?*E&07
zLR$}e9-%T;F78~#WA^#m=d}jN6I+0?7zqB2Q_Ce4*v!&&{9~g#W7&Uf^Tn1?*JgsJ
z;>FkpVKUiT3ED%-Ad=2`N3lsWc7?6+F|Qlu_ZXh2GdwQvxQdh>S`&79^%k_WnrG#s
z``dxG*&OCUxmrueCRVY)vP_C3-+BfMylNVk>_Y9$Cj78|Wfdo~hgV3+P8Z$L3#Y|L
z>UiPTKdjZl(NB$S$Q4~g(kSXpCx;ma|I?#Svrj+FK)%jMmn!%mH!{fCO~$N9a41A&
z^ZY(AuW7d3Av~J=kG=ku74hQCIT;FXYr13s7~I_4Lr|k6vMXIX+c?aoU{6OQ9|Y2y
z*Rp9dgTHfkDMprmOcE(KM;ie=0%rq%oW^zX0@&-T3Pu&h5DWq8iAse;Q_m)L2(dls
zQHW2Lk&g81Gf?*QkQZ?5Y`=dR<M-7fB;y%it~x%m<yHQ(t^P4J0(O|$$n2NYvd#^q
zrG0;Gi*vw?^Xe1sHYgr=xrdMhRQq`B@3@&f<YRSlmKl4%n%<+yd<%TLha(!~M&l7b
zDw+pKb@9i|ESS_kK|jw;D3NUF6(d^F$jc&}B}=Tj>GdbJSq<sg3+Md~d3M7%6yWF(
zB^g#R*Fx@a`~RZlpn7157k8iQHy8f2>moXDz5^oz43J5KI8o6n@tXx=4GG<H2mD?#
zgl=uJKs8q0{mMTIi4RHwsjyu>OgZ4UT7uWWL*YpDRO7G|3>0?y&PtF5XuXd0)Sq3^
zJ>^-JnB~R#uSq86xOy`$H&O+iABa-HRBJY_D0>q2at9oHAZM^9%~QCkn(?WdKY$Vj
z?pzp4cf?3=x9>hT&*gYlE>@5^)i&R}3nBL}YPX_S)bJ=C;`XNlv74aB{#<MIs{e1H
z|Lq(jGK$SDEboaeDyw?p#{|_bLpj^I{4&phXVs?<h)W^voO^&8aQk&bgnddN1cev&
zQCi{&8EB=b)}u09_pVXOWI!+W&9p8}CjG@qM`QY48HafCMN^wmtAFGb7T=AtS{G#p
zTvq`@O)qYvIeN`jQ65?8nd;&}p_BA*%MFcAhJv{oui?6PI)Y+8o3#f`WVWs8>K~dk
zyIo9%@AXuX$3bNGqYdlO`vp&G(8y25JKpuOZEF|(B7u6Uc=jEw&s-XGAP~6DMwUgM
ze<WUvY&-4U6w%|ihW<+O;5#p*JPK4s8vV`Wz%_!ecL5SLWqS>fF)0$WxMAq}G0SRX
zjIhAv*eC8RE@plQu;Uv5W8g{sA#37zok~7}7;|RD4AccS(Jo2_w=QWdc8x2soXg|)
z+tC_T<mY6T>{l>tO8OWh<uUu&$aCn=i550UwZ4XHX$OzepUwh1J5&}J1i*_LLBB$Z
zCN^M75!V!V8HVdMEaln76ACN~=|EyF`FHtRqKMka{hlH3g=dM(5YZ8+?CpSRB!U^E
zO2Os-s3M!TKQ2mGyxu$%XdIx%UulDkno>hrG!BS5m<9acr;qmky2nkY8}{k&GmC&j
zVQhS%ix7ibx-uzO#-pX=rn8b}OgL@82JkvWL2W=*KKO;Zx6IqfqH~?2oWEEWB(!#f
zoV7Zym=ce^waiMp71r6{qBIPM66lyx1n$K)Zo(TJ%~L<`-sB`((~zziYj;Fv@J6i`
zY?c_=u2(Jn%5~@V<9Sair@`d7E6zO|zvS(l58z-H4N3F}k9MlL$pk=SpNVESkT+if
zgYOz#>PG1;PB=AmjFnx!!!&}eRwa}L5n4CkBlhcnBK<9I#krNchg?|~&(-PBQc#(A
zAlV!Vm#LZj+_=E0W213B{r*pFYjTiz{wrC`nxZ6Pqg|N4*~AhX!L>=F{C$FM-Ok#D
z!2Lbw^i36-NGMG6>Vx>>31gicwyQ*HkNJ*SuC|PlKFlC5LmouGe6WC@O=`c0FOlDY
zG0rQiV@EdA&a$nU@X+)k-P=}Hjv!CBJjwITM}S-C^RLSrIqej28Ux=w=r(S|blE?l
zZ455X!bz^^%rSU!Yg8bSB<^BhENl25!g?8EgM2{%mR`mk$5zG33v~iVW=CG+rz>8p
zlvT+K)Y4Vm9Ky>DS{%h$cyY?;XRja!NL`03OPhIwnW)ySMA8@ircBSo9_Z2`gbl~+
zq`TV#tM(}P{mpj|Dx<95q&as94wcOd71kU|7t+G6u$x+zC?9xU6(`=vDSO`e5uX_D
zaf=UPSA$ge$%K87fKFE#EeKf+Ajgs6;Ch`#-1|0?KQmY@HUC+cR;BkpG0s5^=H4_L
zNA#rJ7&F&5*0N!E?NX#7e0#T=nDjZBu(KsPI&}`^=jfsM8wF_|4IlK(_YHQ@ZZyAD
z4eE?MHh0^BAmXvr=8K@ONF0oCkn_bc*4`J8q^3qG(-Kq2UcCqR4PvJQOM$kjK8$kA
zPfpgUe?q~Ld-An02T6ZOj~IKT>|eoe=7>pUlKPLkgPuquXWy-8Wi<Xl6pt+?;PpQN
z>d~IJOe7!}sF#MBIB=+aG_~RKXerns-0G&!={wPAm$}sRZH(_%I5+a>sboen%rQZ>
z2>Kn^+%OS+oDN;@;KF$8{_P6d7y?}tgu-PtL12Sov?IfiK7aM0wzX*uym{w!(nqdH
z=;7eTCD`d1bRgZFAT}j!V3^yy^MGFb=>tCD95lwWr9)TT+w(rrM1_w*EIyp<X8c+?
zE$mIjF|hIK+5&h<P?>xT;I0@a^Q#4jTu0@|<F_iGu7pxtx6jpZwCwc;0WF1Zlj>Tm
zDHyi`KI472vc^K=?uh1a-|InnkA?{uZDm5YUDZ0E40Et<g77t~KCF|O*PX)hI~o_d
z<%fgcssCbNNv%Oo9k7JN^hApu616jCQFDviRC44n2A2=$<8Hw@s}TfYT;_AUaW!mH
z4B0IWUkHzGIZ)Gvpt1-X`)(yRfSAzj2L?cd_@zsA%m3bO&ryMBqci{eL^E6#vnVmd
zU>`YpgPuXdl!l#|r{6<*M7+Bt;UL4Zpg|Ltq)~TGdQEfiB3X!6a@#d?WOVH_f7m>$
z+sgtk@$;e4X+p#MMaj({VO>dYjBa(4z4ge*ZYv_LvMFFxN1<Jy^md7%Zw*H<`cEy-
zg@<$WD`j9yorKK&^aDDUC2)D!zmPrGtDLQLl5V(4qg2z=x=is9k|Q~F)FQPMS;=RG
zeyTk_VpYeo9g+$JI0Gr?nOQ;()N-EMI?YzTGE}2j;q;DqvvKYdUsr&1We_LS=KJN3
zjV0ZaaMzeo3g7JZ_L5c`7|KM+qFIWMs09e-Pr^+fX}Jn}6T+chg&ykJu~S*y%2jeN
zLio`mk-hMp+Y0rKkrjldU?;@MQBG*4U?U<D+EZ!dVH7Mwj|6Q+O@yIYeTdfC{0Kw6
z^M@mZ@w>(_ru@+5j5UbMURXz*NY0UnhLe{?Y*kNQzh`L$Vhm8}Q>hrJyO5V^DPbMs
zqRQR5@2(JH;+NmkQ)NT~h3?<U0peD1<JjHYFtmF?e)i;vv$fHvo4KWms25Hm?j45D
z%+S2~Ef%S6G;klOk(ONyg2kd;CB1tTrWez0W9~D4FJ=sq;JV1y_`Q4I{>aw{QF2!f
z2=bN{$%oxf-uSR=-XK*`n8246dZ5{5TUk$X`)D@kO0db~-cxv06}R+|pO_inZEjUq
zYAkKrL5RS;*6|qU^pQD&`~Sh{*-%snAU~M#)!7Y8&o*k0`J)4W*JSeX^*Gotow0eb
zb_ZDHpN{&A>c*wKzdh9d{Beqn>r5eBM5XifT8aUbikz)=!uX^b^w?;_+cfu%3bkhM
zY=)Ge8{NfF6KmjPN478mt6<2VipM~_A04CkTeDl{!Yx_<N6mbSYSbnBXj;U=iU9cN
zPf&P3cDVYWy;fTgB;d5yw__f~hy?TgllBPrftIv;d%Eo)EtT-wY)PKX+Ia@+q{)IX
zgSh{;0Bc!S=t_oUy^+3Qtz6W5-<>1bE>_1l65lC#l}0Qrll>-8%n`6K_L^)ff~)n~
zrq&q0JpaE!j-lIGBv{fTkM?ehK`PuG@uDF(HG*2pO6`6rPUu;a&PZJu|3B`x)L#G4
z_t3t&%O2HZ)S@GGg{`MH9|Nuy#=NyHW?I#by%zHC`pt?H3tP_i)0kL!xc$|_fIgx0
z-1`lJ9LDr^evvTd0y)F~Y&4#YP-`FyoO#l<^3xy_TjHzRCdDlIt-7?8j*y)~MCrJm
zxVMj@GtlT%UpE;6ak!HNc>MmiKBmq02d~wO!@Bsiq&b5_%OH;8D>vTeK4I@ua4~8J
z0;xR%`#p^Zp(>&mplO5$UR`N}$<IKq+XD>ze+k4AMIOm_W5aYi97BJEHbw=;y>o^J
znjGU5X>6F3VgBY`m5XzycJhR(b0fz_sDAC%NFu-+<sG5!&{I-c^XDyAC+Kq7l&R=g
z7Z@dicr|pI#;ERYS3X{n9#F4tFoZqE??q1FKVt&Tf|*iM>IFA4U+zlLFs{!kRH%aC
z#UxQ0!%fG~7O5FC31iv|jrToeXQ=6SUko5uB<lcs`;o&^<0(F*d3`rclpAGQWSA(V
zgY&O%Q@$SZAb{>u>(hyqRL$Lw#J=E9!s?d^<y6_*Mm0?|fCEm}APj2f@WKWC4#L+%
z77gXEHJSU~<9O>_bLd%`SY9YCnTS0-Wa7Vk4WzT%xYSwFn=}&xToQiWnJarsH(%v~
z{(>PDj9f4kSAU;GQpnSL9G02)x85SI<dFs6(*c^wy$)Tge~VQa^iK74;O#isHhSBw
z_Nv<-Q&f5j60`%qt*lE8<8P5wEl+!V3|08*!E57WunoruUL4NcaP&Thk<}tvQup9c
zAirD+02_z-pmfzU?Nv|pYT%(8lQtmdX{|31&Mj2`v1*~ixOJ%ts7@*hoaEF$8;{qF
zE;flpxrbwCyGL7oiUq-^JHooDzSA;<)gHkJbuX;1@UuV9K0F6P6UOwt)vb!xvlLgy
z&fH;2tXvy(!*TjUdZGB|Y0-VeljU)JP&C9v+|SNM052hxiE&^f-rU~H8NxFvMV@Tb
zZc9%$S9H2|9}g$HlLUsMwvbYM$ogA{YBgwu7-kbU?0_Nns^>1gWizjC1kpNiFl}~h
zDWTaQ#L>P;l65+BB#LT%K<Z`oVRh|0l;}5Y0r{w@S5{@d@MVZZ=<xT65I$rmC&q2J
zpy5j&JTTj0c?@zD^5Q;axCd?;XLS+T%Y;)RgN2QVwPZJJG?Bkx5j;<&eh<cnV6N*#
zy}$#Y>oIN~=TiTckv1ud@B_OAxwJ_P*V_8Mpu6s4MaPVhJW|{o!^#X~k()l9;IUe)
mM}>7e4xvurFeS*mUv<2<pVSR>+t5h%2b-+KHf7%m!yR4p)iX5!


From 5082d5a2bd3bdb658f9711f034704078ab3f507a Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 15 Sep 2022 19:59:43 +0000
Subject: [PATCH 24/36] addressing comments

---
 docs/user-guide.rst      |  3 +-
 google/auth/pluggable.py | 42 +++++++++++++-------
 tests/test_pluggable.py  | 82 +++++++++++++++++++++++++++++++++++++++-
 3 files changed, 111 insertions(+), 16 deletions(-)

diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index e689b11c6..dbbb5edb7 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -450,7 +450,8 @@ Response format fields summary:
 All response types must include both the ``version`` and ``success`` fields.
 Successful responses must include the ``token_type``, and one of ``id_token``
 or ``saml_response``.
-If output file is specified, ``expiration_time`` is mandatory.
+``expiration_time`` is optional. Missing ``expiration_time`` during retrieve
+from file will be treat as "expired".
 Error responses must include both the ``code`` and ``message`` fields.
 
 The library will populate the following environment variables when the
diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index da105da57..79ef2dae8 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -305,31 +305,32 @@ def revoke(self, request):
             self._credential_source_executable_command.split(),
             timeout=self._credential_source_executable_interactive_timeout_millis
             / 1000,
-            stdin=sys.stdin,
-            stdout=sys.stdout,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
             env=env,
         )
 
         if result.returncode != 0:
             raise exceptions.RefreshError(
-                "Auth revoke failed on executable. Exit with non-zero return code {}".format(
-                    result.returncode
+                "Auth revoke failed on executable. Exit with non-zero return code {}. Error: {}".format(
+                    result.returncode, result.stdout
                 )
             )
 
-        # TODO: clear cache when the in memory cache feature implemented.
+        response = json.loads(result.stdout.decode("utf-8"))
+        self._validate_revoke_response(response)
 
     @property
     def external_account_id(self):
-        """Get the GOOGLE_EXTERNAL_ACCOUNT_ID which needs to be polulated to executable
-        When service account impersonation is used, it will be parsed from the impersonation url
-        in the form of:
-            byoid-test@cicpclientproj.iam.gserviceaccount.com
-
-        When no service account impersonation is used, it will be retrieved from the token info url
-        (Currently phase we populate this variable from gcloud and carried here) in the form of:
-            principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/john.smith@acme.com
+        """Returns the external account identifier.
+
+        When service account impersonation is used the identifier is the service
+        account email.
+
+        Without service account impersonation, this returns None, unless it is
+        being used by the Google Cloud CLI which populates this field.
         """
+
         return self.service_account_email or self._tokeninfo_username
 
     @classmethod
@@ -400,3 +401,18 @@ def _parse_subject_token(self, response):
             return response["saml_response"]
         else:
             raise exceptions.RefreshError("Executable returned unsupported token type.")
+
+    def _validate_revoke_response(self, response):
+        if "version" not in response:
+            raise ValueError("The executable response is missing the version field.")
+        if response["version"] > EXECUTABLE_SUPPORTED_MAX_VERSION:
+            raise exceptions.RefreshError(
+                "Executable returned unsupported version {}.".format(
+                    response["version"]
+                )
+            )
+
+        if "success" not in response:
+            raise ValueError("The executable response is missing the success field.")
+        if not response["success"]:
+            raise exceptions.RefreshError("Executable returned unsuccessful response.")
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 9448a7809..05b3cc100 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -1063,11 +1063,67 @@ def test_revoke_failed_executable(self):
             assert excinfo.match(r"Auth revoke failed on executable.")
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_successfully(self):
+    def test_revoke_failed_response_validation_missing_version(self):
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[], stdout=json.dumps({}).encode("utf-8"), returncode=0
+            ),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+            )
+            with pytest.raises(ValueError) as excinfo:
+                _ = credentials.revoke(None)
+
+            assert excinfo.match(
+                r"The executable response is missing the version field."
+            )
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_failed_response_validation_invalid_version(self):
         with mock.patch(
             "subprocess.run",
             return_value=subprocess.CompletedProcess(
-                args=[], stdout=None, returncode=0
+                args=[], stdout=json.dumps({"version": 2}).encode("utf-8"), returncode=0
+            ),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+            )
+            with pytest.raises(exceptions.RefreshError) as excinfo:
+                _ = credentials.revoke(None)
+
+            assert excinfo.match(r"Executable returned unsupported version.")
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_failed_response_validation_missing_success(self):
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[], stdout=json.dumps({"version": 1}).encode("utf-8"), returncode=0
+            ),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+            )
+            with pytest.raises(ValueError) as excinfo:
+                _ = credentials.revoke(None)
+
+            assert excinfo.match(
+                r"The executable response is missing the success field."
+            )
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_failed_response_validation_missing_error_code_message(self):
+        INVALID_REVOKE_RESPONSE = {"version": 1, "success": False}
+
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[],
+                stdout=json.dumps(INVALID_REVOKE_RESPONSE).encode("UTF-8"),
+                returncode=0,
             ),
         ):
             credentials = self.make_pluggable(
@@ -1075,6 +1131,28 @@ def test_revoke_successfully(self):
                 credential_source=self.CREDENTIAL_SOURCE,
                 interactive=True,
             )
+
+            with pytest.raises(exceptions.RefreshError) as excinfo:
+                _ = credentials.revoke(None)
+
+            assert excinfo.match(
+                r"Executable returned unsuccessful response."
+            )
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_revoke_successfully(self):
+        ACTUAL_RESPONSE = {"version": 1, "success": True}
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[],
+                stdout=json.dumps(ACTUAL_RESPONSE).encode("utf-8"),
+                returncode=0,
+            ),
+        ):
+            credentials = self.make_pluggable(
+                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+            )
             _ = credentials.revoke(None)
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})

From be691f92b5c4797a0a6e804294946362c94e1a23 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 15 Sep 2022 20:19:15 +0000
Subject: [PATCH 25/36] fix lint

---
 tests/test_pluggable.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 05b3cc100..92c868562 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -1135,9 +1135,7 @@ def test_revoke_failed_response_validation_missing_error_code_message(self):
             with pytest.raises(exceptions.RefreshError) as excinfo:
                 _ = credentials.revoke(None)
 
-            assert excinfo.match(
-                r"Executable returned unsuccessful response."
-            )
+            assert excinfo.match(r"Executable returned unsuccessful response.")
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_revoke_successfully(self):

From 1a3915540be6f79beefb7ddedcdaab9ba8f53325 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Fri, 16 Sep 2022 00:15:05 +0000
Subject: [PATCH 26/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 9c05a6d500d15f1f54ee5fa37632cc0b30d300d8..85983ddd6d5b71e129e959715f5764e446fb4bf8 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTCfGm>JdvbahkJLIEx)!Uq=bC)|?|Lh18`=LwUyJNFW*PyjnQ
zDV)^er~`T+%qalwf2Rc06t+p+j|$j~0m6<`zKuK03h#x-Fz|z*262!gn_d=*h;3se
z;7T8qWLf{Nm`cQlLWRk#oYA)RLyeYmcc|K%XvCddsNpWym>K5^<!Yc9*H(^rtKT9C
zi2ZlIoDW6B5*(&ug7dluOtBNn)VL7wqeY)e`os#Ij7!Aj*&mo1+`_MNgbNdb=%DH{
zgAhXK!m05-o`;J$GsqZ}E75MTMfZe?ZYO|{;Xt?G*4S#PGl;*RI8d75tpMgEelzI^
ziqkunXHAA;G%MUY(*~E8`?M(t)zB@fp!=wKQ_$SN6eU?1cxDtWQQ27g<kkRV2c5;7
zzb?@En|i$Ce^qYAz{AaYPlq`(be>AkAjW2>r+k&R6=g^8?~v&~q2$Icv6Aec(pH3i
zPFv3oWTSM(cmwF$GixF)bgGWllzE&xbX;_nWY>*w>5-MK83z4bV|gsCS<p<Q)tR<*
zB()#6JvzyG2}Y*Y>gTYJhEbA21?MiPj##N?qoRY%Bqiv&?#R}%ly6QXH)j}x$}>D5
zn6SATC%?c<3Za-v-yOT*jrJf-7qfgdBwuMlU*KaHM+6fzCs@Ui3pX_Kv>&^1+@YP!
z)T&6$G>VThh@`%Mxkf#`4d#kU0PEIouD5BOz9zmMCwOs~zYW?hG=h%Oai}MTaKaSh
zj}|~ToBy7~DUF$Wbgqir@6S3?r{|uO2IMMCQCCaNaNb(J#9Pg-)i!2tGAxUl?-9p2
z2jI#F6mv^Ruc4im8fi2GlCQ(AyjnBc-IS8e)vb;sX9Q{^i;-+ZA)4rAdovci->|6l
z`TR|W%~6x`|6aZyAs|QOsR+di`4HVLf^X@*YF2&t($7{f>0~4u7$2oVw|dzMSDde1
zTo$_NK1^ie;fLf`ovRnf+YUW~kmeOEDTW4;)-V*XOZ~+e*rPw~g47;*CqXK`lM-_8
zeaSeMeF1@EcAK{3C?Yx6F^LA9V3uEY{``=xfLXN<&ti%}!|gPhaBE(ly{Kp}?0KXQ
zWfMOh7farrIj)t)(%|skd%n7nT#rB){w$nHvk3wOLp9kSBIS?CT?wVD5!*s`AZO63
zVeOv$?ZJHRlvToDy-rgBs@}4by^G!h)1K|%u_oqk{@8>uL2(7@`jX%9mS_fGwT~s{
zGz?G(vqqB%;C<yS6JC7sazI-{!UqNHc9GjW4m2RU37u;E6uQ$#Ttk;V0@1+a;f>H~
z9D$%97Y3h!^%?ik#nKp!MPu`d_RcRCi-U|7oVMh+KPdax=RgNt91X5C*7JCVsxAaj
z@yb<h9XDSDD+>Nm2`+&87m5>8T6t*UmVE}9F!NsqWmhycg0G5vS0Gx81aKK?u(wUS
zjD;6X&%*F%SGMg*-G$zmcQ8tUK1KFoS9jx1Gru***YCZ!-d((9l{zzRcp4%<2eZ6c
zU}+{mH4|jqcdNRPE_@`9L=ljJHEs`Y@j7%dJxF$7pcV%>29k7Y5x`rUx>!#cK)xoh
zmy-nUwYhqeF1=QGEC|a`ObS%=cOZI8wsSIoWWrxT);bI4s5Girx-PD#kZu7m_JGpZ
z;9Vspvkv1*Tx>FP9N1ALdZ->9N}>6xGP7`VZrLi2nlHD`p|wIRhlC1<uFDz!TJZQ|
zM5|zD9_}y}fD3uOy^t}88P*$=38frJ84U;{SmBHtS@}9P=H{AV&?qq#q8))xme|V7
z1$81D2T=zY!>id2N&4zQr7y=S5!h7}FJ@MT{1k?Q&9LE7uy(oH5&;h;t>`w4(H+Dk
z$X=L5h<%(;>U?y5oM#PX2)G5dXxse&x79^X*i?zGfk-Cc!?KcuiH+7T&V@hq>I|9D
zoNkIj)ms(aMe3BGpQWiXJSg$h%ZQ~8T$n4iCbOE!?#IHRg=Z_DasO|uPbYhAvPxjX
zR|6S@R}B1(%6rS`Ju&rutnRGC>-}+R(E^XBChedDY<)!tdO}WYYuJzC2VKTwC;-p6
zz<gQx2E|SKl7%%5nf-z8{;?dc7=RM@RUk<F>c%T3*s=3x0VRnHLkvTo!P>nv2Rm^>
z1jImCVJ<KcU(=O=6y>rh=kcz2s_B{pioj}L0%cR!Q*3}9oose~ZJbSd0-eBLHp=nT
zGl<tiaDL{Q7&PS6P)AwB6LKmj9&sFo$SvYsot98}mthZBPg~sLGq`+&WcNhg{`ji)
zjH@XqXGo53nRA+3k8_%<FICcB;2^q(3Q3ZO{LU~>FybHL8=3^Q-8vojpE1Dm+*l_X
z6wgi<&fu{x#()-5+Oh{5tulv$nZLswTy-67oaPkb>QIQ^|4nWH%7B0&By~=Zr&#yv
zP-1BZ=lM@{5E@!E%s9uL*_qZ#P2Cq=1nTp_yBOku9OI7pWJ*US(Ej-v)>KtpXkKu&
zQkZ@51X3?mxrtABedtfrN8*vQX6j?91hHXA58o$_YroVh*vsjvE?dm)4p~uOpMJ7Q
z#;^mG#XoKBk&Cni5i&hi`6zNnvHoDolnLdvf^VMQ7AOBr{e&?|e~fHSDwd<r?z}Tg
z#+KJihY-<HmpOjmK19`qhyfJ^lO_+d`bbNJN=Y5ydCjr>w$iR{tSiZw^^UEaM7FYU
z=#~Ntr{<dPZ`EE7^_Gc8YJ|$LCx;NUDC-r?lC9CGDulNs60_bdUFr%qCfXHMP!4%<
zO)2*?%z&G?qN$s$7BBz9wC$E=;lfX7eI}i4B;Od=1Bz~r^r;l@>E+rr72hoi0+y&N
zFch6lT9?8LeE4F@nI%ACWg1O`<Ob%Zr@|4^>~umX`)_u<ydqcI22J&BCB;c-UF1xu
z;L36J2${yw>5}bjOOz@h)C0VZxs>sUE_}jW4t&0V$Rn_0^*@0b=#+D&HM{T^)g>Z(
zDC*1YeSHQ;!;r#&iriq&1ioBgHq-{horK~zr~%bS;^1~jwTu;7t(X2|x6ny%*w4x@
zpddsHtxt0@x;2`OW<=j4OwItsu#tn=3QA+(X*R{+<Co^>o!<g~tMU7j#K$W+iBfDi
z?9(lh;_&EN1tuA5dS?7ENhT^-L$R?3g{9rHFo1ITfAtV)>9G49pc2Mj5ir8FL(2_@
z7WdgKe$I}2kNIu)9191HeOZ@|a{{sgvecVrFj}>IW>9d<E#YCG+c2gTyDqgc%!5wK
zBA#@0tT-#dh+&l+LkuoEJ=@jTbV=fjAQw(3D_F{(>`;L2gUx-e@0A`{j5UfwFq?$|
zWivU_(R7ZJ;Sn#-`(h3=d{|<>H*<xWkUxY7tnrhf>pte|63mBan`w?elXFX(PWNm2
z&=9vTsxeWWm6^DD9-MCXPoF3(MGVimh!Tq71x?Gh**8fDP6x93ZlmRprvie=8pAJR
zE71x*`k^e))~kE-e|y8rg7bN*wo7^|Q!`y#aH{+7y=h~4VDbbT>8vD1+=+)M5{4ik
zfdF)NVlUoh%Se7TZ!~zL@Qc?QIer%s5MnxklM~w$&n1JlGQ<6xfw1RAzib&=*n&X#
zG;ISMBmorWaxU#LS{?BK>@Hag`FqU~IYR|D+(qk0d%Mxg$j0BZLxH&&d~3iePt-z(
zjwH%ORa-7HtlJF9tnr@;>%Kt!JWYF83WFX?05#MbMO(~*6G0*wTNkHY?cI_(f?P_S
z!;vI~Y8hf1%79nbXHJu1cR9&nsP6rvuB+$&n{*qJqmAG+VV^IzF$A2+c`%V`JD$bJ
zi~?@+=l(K+z_P106L<lsctDvqSSSByzzag=0Xe?8Ww~=Pd~M9y63m$!1VJJ+6pLWw
z>+-8Dw#z`Sgahsjf=ER9^k7`x`^tKJ!n0$KBFTLdl#B-jBT~z{4f{6}b(O9Z=R@Op
zL)A*W2lO4_p`M_S&@D!hU)M5{7sByy1ODYnh~jRXDhFcB^C}OX9`a>erfR8Iib|Fv
zOs;O#fc+L|J$crL4|-nrzRE6pERCt<P*}K1j28bt!87gFh=sGPhmX$MAC4m^89E3{
zY&iU5QRI$qix(*?d3s2jfDb49I!`k#2?Wj$*RVOVM*Jy*Qoch!)(Kcl1?N3!eGKbG
zY%Gpa1j#L&uMOcJ?ttyI-NAMYNe}G6DYLfm__V>1Tkxckd&!f2-)?N(yzDvC*o%E@
z*nQi<YKw8f&NAs{Aekf)QL{SmDu+8`b$~|-RM^S~e#6Txagi{z=w8?cyn54))xW-;
z0!K=p*O{S{;NJ7y#j0=$buGjv;56F==h8ppQNtflOX)}TWlNW$zZznTFA-ZB7OAwU
zek{WMZ-n~1dcD88otX8FUEqBx|GliCLRn@qXZ*Vr;j7zJSyym+@qw->h@Q>Hku+?d
zbAj(a4`SyGF6p;qC4m3j)d5C_)3hSJjulZ>OZ=avjOQG<zIu>`XhDgVQD(>HQCbdB
zyBl%+UrG%b_W@TPnBbC48+W_LFPy2RZ4o`p|KWD5l+%JNn<ony$_d?EOn`|JVcc<4
zD;y1q6pr1WKpcxj(0*7lDFaq6S+;Fn1dW5-Zlc(4cK4$78D&Ptxbcb<1D`igV=;V`
zm#m=VU$wE*{9Bmhjxs5=W0fYK7H700U|rH=1ntgt)&e9PdqizPH_oR8e7vX(x%~e=
zJ=>w{^86*ryb0LDiMovuY#ooBR4rF|^E39b3TL_op)wy$Gd~7LP8v)x#>NmfgYoW%
z1LfLz*IbY>T2EnN&WV<Z#IiTCmb$`i1N9(^ZU*<kWV}QV{h50LMPf;~ivkNqV!yKg
z9l;1&<diI7;mxA<(Hf&Ac7<=+h5)U|*YN}tyj0fj{HRiUuIFkk$(%ecTEa(2*H(mz
z(a@USzc^wRx@jgeC$hWZLF`~VW<Vl&Z4A7B`A*Zon8~gl!g9K?_T?mL=T|@8>6d#|
zOp2B*^l#vRJs_bUD_{Z;VFgOfA8IKo24Q$|=}5toaRrg^wPE&7U?*LYcz!;*=lZSv
zZ_~4I%N(8`II<2*dOHC#n6ho*`>K6v)Yns}(6<B_oH_}E5IIz|cH2e|+|b)M&IoFR
zjmo3f3{;g+T9hHT%q74<P&xMM1Z^vJI8LjGMiU2$+S__swwcCeUEV9qwt_;Uc<BwP
zS+gHyX=wdT;d}k)M0JaIf&t|;EcB~pTU%x+dX?4F_N7C2HX^a{BknFFA#bEIblLeP
zzAz(_7^3e$boZUNJnEpNVP0pM5pPU4f5s$;T+ATxu*}$p>UYB_9)kX^W#v6H(A_X)
zeGF!mi#$wiR7OajS92R)8eb<!5wkR&&S6-`I)PT!X}vN3P~T-!+Y89gaPYE=$ldCx
z93y?7n(V}=U_mlQ13379mx}cDOvn-F;8P5|pJ1kp-lW@&>O0#658lo=RQa<FW-F@9
z3U0KWxk@Z*!6ZT$6(SV|aL<u}#OJJ_C$wezSTW<2YUd1Mr9A!HDMGGe<Zf?|;odmK
z<3&o4wf3s0lEu$!pDx9vUqA;HnXd6>O;RIy{ENgfCZPLZCV&eqhP{r*%a1sjWAA^|
z!62t%RhMz)7DSF5{6CPiF@eK6eQ%sNaNo=ooHzQPGyAD2od@ys>8Y*PIIxdif5XJI
z%_}hQ_0~)k-yMvnl-9S&F6KZ5!h0lcbVui-ho~W}%R_|z64?232#M`cD`#inlb=3i
zSy^(CSMCrq!qk?LPN=<X^1#Axu^K-E!P#br<pnGvNJfFSj-zB)fB9X-9xT`m+Fwi$
zB%cOf2dtND60TDAf4G`Wd+x3f?t+>gpVBDOFzy|^&9Dhnqt<H+QwBn#opY~cNK;d@
zbmeS8skL&>M0601UY+~0az$t{8c_xHX`C<p;^ASGfDu&G@V<b>Ynt_+;l=6ExMfa@
zbz|f(%wBT>j;5*CtRFUR*{=~KX8~kz+g7Y@`{!!yf$p2&^qX~VQPI(z66B*2Fro*L
zYo;6t1j?uhLIt2|#8#BeV8h^(B}=~No)19jv#5}SDZ@U5IdH7n6J(NJS>sYN!nJ6u
zjfY+B8%Hx<$q|lJmyp|PJcXoAGYJkjYgrbm5zY7HXAB0Ba<N(&WrLjPp@EORTjUzq
zTL6NI>@C1uRHNTTC1$54X~sZTB`g*uUd(j0N&{@#365~fCzET0nU9Fp^}HbOQg3^4
z!t@3LAKv^CYJ-^i#-%YUL)9Su%50e^U-$}n-;LSj#*(F@-xXIGK&4Q($R8UAgk22C
z`Bp^ax#xkXi^jTsu`vD7({`c8>Egf*w(5?KGMFvg{GK3}iSez~r|B@z`F>up`1+A*
zTpWOSlob-;4I;p-C~_!*LgZxWoU4ILWx%<SWqv@DaiR^ea8H~r?+SEX=gR#SL@DJs
z6IF1)Cf)mjbO%t!l$NF6@eSup$^lIMscSf66q^6@-)6i4(ljDkT*!LwM_SH*BTrM7
zXHjy+^Yz{X;$D;zFkycPtjHyffAm?JBNgth6yaLou~({n-A<ld;axXh;)H@lycC#X
zmQ)Z5W&ACjhCKnGM0z0C_pTF1uPp~TW1d$xNPB0$`#}O<T|CpMG0s}{T%$`Pb~seF
zUe0r20uWdYCvKhF%E&ueZ4-VIy^mcwfdq_D{SC(D*U1xS)*55n!G)-hFQ3y%Mu7>(
z4kR3V#k$6iHE@M?bToO2<?J%%D<|vp1`6BlrD-y)a-^P1(3y6OV`wRhX-Iz)Db8$$
zZgde!rWc)W*tS<hZk#2VPQ(?rvfA!z^0@v6i$H@7L29j77|0uV=Gp7@sS|ZwmF#5A
z!~}Dz?341K%xCS*SiY+rMHW-EzoWLt^U3#pB<e9G0aNWngGy`VrIBT~sejFFITPwW
z7>pFpYzT4wk_}9AijG2B`1isC#D_q?6c=V-oZ)ZX*IaZmR?>$17n3g6j%0BxoOE**
zy8~t>iXJK;gHWp+`uJ0lS3S1Ft>Jk)W#pJ})b^<x%&Sov*=xCQ$$TL!4>^!E5S?P?
zt(b3hcoTcrp0dEr)<mr}KhyU$v4x}$N-<-ZY~^tzV+P<O!Rl{VlAxImdvRINNpYhN
zt|tmnS)m!Q&1(ekeP+)%S#r3Wz8Z?_snU7kmu_sc_RRndf1iUh^CjgK{A~!gfwmXS
z%a`eMZo4t;zT!i8BShAZ8<|_4$28h<x0r@{y8N#%>PG;I1xZza6#}UeCk*6ax|?67
zCQ$U})nD;u#h%$XLey<dBXw;Z_KF*$Jzl&Ma=KLlgDdC#n5QVsvBlo5^}~lKNMgkz
zMWqis*LerN1?6bW@TF<fUb?2-HNFcmM8O;gGP`XkIRCr3B;yNBmebsNF^(l9O4TS^
zAm{-Yb;|4k<n!a>%h>iKtE(%DY(G<XIo*aNvadwn{TsSNSR{{m*=TLqPlTx>Kk`~E
zZ=arwv}P9B)UjO=ZypzEjMY7$?bo2SUf-PLzoxJr7S{N{Fo{c;EosVonHXgq07U^i
zSv9aCxph!zO7Wo6`p@gxMOvj~U!>76O3OvN4WI=G<E|*AAzaVm{)FwBhWP-}p;EpZ
zs%%Va{5?)}e@o;>5BsDHTG&Lf6c2wNfE$M;WW@q=6xFYaTL9)%85wOCP^90EC>?Mz
zA^%B|O;|r7NZsmR{{_KzAxahJ2QW;Lse$*1O~wZX`LwGt4b?KzdpqWwx<U2>ZM<`{
zsei>XteND_^sPp809nJQx`3^yF*g*oQx{Cd%*gUEwxhTldJ3_F>A7WKyMaRt0>knw
z{zXWGrst8Lb>B5%KR8*X=FtqGfEIe7%6Ny(MIqyUlc)SZvgS{&A15b_&||%ugZQoh
zy$LsYnj_Z09?#RJf$U$Lb&<&g04j33&1FAlT&f*nSbB{Cl7F$<z+<*S{+UFhhB-Z|
zNUWj@v`sha<UYnt;oKFATYCehaW%W(_<?$bfLEZ$-YO0dowC#MJQ@Rlne^vT^P*KV
zOlZ(FmOJpWK4iA}SK?uIpSi5PZ}I*cMDkyzX-85;<mi+2K@(-z$><za5><_n3an2V
zlNc9=(M7hR+~}WRMHHd7^+IrN0GpcUK~OTeGDmBfQ~Q}H*+kZT<4qs8pYi+x4=7Up
z*A-T&cmSW}WQPjTe~@C8mR0x)dZz9E0MJaK+o^wn97!Cw!J4(yHap|~x7`fAT!0fR
z=x*zT>p0QR5%=9PwI4DWqMU=VM)#|k^FOhJ&O+}fBwcAx+JfiVVp8^s@}Vq?1-BWa
zj6W-YJ70DL91*1P$d|v3mNqsHIIpEZv8#5#8ip(5j4+Qm_9DMI`kVm_Qr?sDe>ch0
zXKD_~8!Wh?u{ry+3s#%JW`Z(9s6muG-G`~EjUxubtt%{O_|`k?Qo=JnU77^8#Vh0x
z0j=T94l@9G6OKebtv1-gA>MxC>?iO;s5j+~2%?EnVYv)<yUhJ_p6DX&P!bzj)K-No
zQ7=H$ZA3*Ptyo`vr`#o4Y=g36`L?yhGBF_7QCGbJUM*A59hQ?@yGDjU<8%-QL-O5{
z;-ndZ3jfEvYk`oPKVuGP<CheMQ3ry@IWxq4s_!n^;eZ!6r5I~z9=$(su<Ees0e1F&
z`lE0Ot8d(8-)o2i#Jg7&{|r#GFibqH`4Jx5V^(602Uxam=&piE^(eJk_LdwEOzZcO
zUkft-VdM;{<>?-U#dy&V3_Li{Gmg*%^F!(s53#X7tMHEf7w{sOyxC~l)l3ZjJ&QfI
z4?me2u_aC7%Q8NM*JDuX#ejs80b&k5oTr5Igw{a^3^qUkm;7|~^7*_Zb9m8=FP@0a
z=3O5%Dv?bMV6!-Gq|o!7BG;@-uEE2VwZ0o0K`21Rj`O-yz`{9Mx7h*x(d~5YW|9d&
z%h^+82WW9%i<tls-4?>eP~SEm1nO6_Xg+e3?0c?j^WV_W5^35A^XYJc`tI!f0CWP}
z2S+`&5r-KF#Ibs4lG^laJZN7U(=u<O6pm*#DikmA#KL<<IHLE;vk%BvU`4|LM?A0^
zQDLXesboAGlXT1oRckA4@&<E9wO?Ul<4k2}C7K12FjQK7ErUv<=010AJGbQpbl++A
z@St_!7)o~R2e-3)rH-sw+167HEdR!4ZTtZKYxvreXU6EmO^%_zxH9k18ENB&rCPAc
zOZN8lRP-;(iIW4di%4a^98!Q!YnEBsmQEO-EJwoOvsB^Uc4lW|woYNxuF~X2@R&$!
zX_^54oSc(nVS-@727i9LOygx#@YI1X?L!z~gWKE<`vLs~&y4c+2NdfAwgoc1M8an2
z0+%@K+28^<>Zt`~+NUB8gn6jg&5opUPyYqTZDX8ABC5tel&V-_|Jn$yYWi;Zq4&g6
zVnY3w$FKCI1^B7)&Er!o*?H@hziMZQ(u@|yVgDAdVcC-oRf7*~6RzLLSUU&;v>Lbf
znJj@_YHL*Dn{Gq(W@6bz3^E=W3;Fwvp1N<bWJUh39$)H0EX|v3|Exg9yK+dxHX?DK
z^{>xKQ~o92O8z-$*$Fx-34vbp9h#L!&I0wqZJ1d7Bw_?DM7Y3RvK$R|jskZO|8*Y3
zAwYhBW(@!s&Bpp61NEUIM<ol7fODUj`cvaLJ|M#ZJet9|_61930mQo#w#;%ypA9-T
zN-{-XGPr;MCZQ>_2_y2gc99WVJfB7n*Vo~>=O1voZ2Xjua@EU6Q&f~^ht%Q7@*<s<
z7kMvGGuKHwZ)932g0iRy&Xh_bkAd|gi23W#z~`M~I29>h8b%%{1y1=@CyztYgP@`Y
zIh~xl-MIzH9)@}g-yO#oF%_uc1OHQIY@rY<iv)xBt4|1WCk<hmtYLj!0Ou<;`rBsP
zZ$?uc^9~A(PkxG|4+H?QV9Ead59)1E!7SmZzWH}dch$MO)~>$mu4!I%v_dndohJq|
z0j3~=wWw<53ZEMWMDMmUZ22+Zd6HE;L4ijN)L*k8$xeE4n@}5fm9$o|Dz^NuGW{zP
zm1`6+q&|d@G-tf@>t?T>I1x?_bQ<h=`49q2ZE&Q38J{H-7SwXMbfv=1#+3+N)M_ep
z0&S7|L%antF)E#VD;Dg|zW4)s%KsmpjedpLHh$hmGN-e4GMdGAuk6g7Lp;hZFDEzo
z<mmh_@(R=gx<fU1{0?yIjN(<3Xd@R4{fbpLh`C4FLJx6&z^Kw8f$<m8f<DRQ1CHPg
zgG+T;<g=rC#ZBvNu)rM^>=+8OHmVbHz&0Z=-K?0E#?XV!O-EmvWK3#HcK%6B^k}y!
zcd%p38g%ws8pmo(_~pPW98O?((tcN_b9@&1G>GExvTSa`V53$HlZ#B1-@+W{CNfO!
z=>b&h7|~9Eu*y+jnBm<z5?s*Tyw%(EQe8wvY}~)~Cb3w+E<OiXy(kjYtV@H^zzpDA
zme>P<BRG^%p{cv;Km9Q1u_7$UQouK!uXOIxU+d|0=Dxp2ghGdX@>8*ZOwhJFPI<F&
zQGX4H+j<C}tnYe1zw!gFRHc;EI@Zgyt^w0O3z8q`%(k-@h?_{1)KEg{np8LT(H3X=
zSc@=PM+rB(;-Sm;+HWptrhpBSMS31c3!m-TN|ItDbT;CV*iz@S<wT*bw3CT};}s2J
zF>y9`5O;+$Mb?{2v2Nk|%Z9=oh^rnLFbb<_pD4^E!LYsf&eQiXss@VI_8GfPv2?1e
zY%A)Pl0Z4?POA%%vspl>vcGA-6v-8YqQ|!$I8M>wMve%zzg?8*=;!gu7-~5u(h0Qg
zK1y+;Np;zmJej7wRbq|Sk(;*KoRbdPZ%##f(0SQ%?X}JnSf^cUwU<VXBHFq5NAu!D
zb5OpX-1o#<S_7yZCd42#z`k0^R(U+}Qhu(j^sHCnS%rqcn^4~0tBXMQ)a_v`Cca6)
zR{ltH0TIEd?uU}EOHC~ejTg)gV+IT248&zEju5fp$bK}|^<?$J2ah~oxE$*dwC#$f
zhT?ftzS5id42mDYBoJk((q(@|jwx&uz7X8!GOCZ#nJXzn-u;{o%6IfUf)dsHxSB`8
zggB#CZo<Q<Tp11MpAu>bjkp83;w#{#bb>LhB;wZ8egg$$l-Gs;M<Aek@dna=L+w*F
z{+m}w3_O*G1+w=T%z82H?4JrtOd^xNy}ETe`REQTEd#xhV9I6E?YKKnlWEE%!99-v
z#zlFjM`HLHMr4wV6T__79&N4)rN+8FONPe>rJ8vPB1a`>3^>HSgTR62RMq5nywp*4
zq<th`AKzIs_2(-qmGH7gfua3j8}+^DjDrq~AP8eS4?aBT1q*vyvD*j+o@DHmul9np
zG=hB#kdL@Wi&6jN_4<Je)SvGFy%t*bl_#c8z0DeCzAM#Tluy<e1A+0(O8;f<@T|}w
z6;@6tNgbKhP|hqP0H|x0D;^HC+B|R1%bZLwqjtqS(dg!_(&P?YUyq9rEl*Ycb4t>7
zyROXV(v+pFcfI;5pNd(m-@wxlOt$`@kH1V<7FduXl;^n5khz(~BF)Tnz9L3F+Xtpx
z%*22JDg$k$+F0`Yb273dh53nF>hLDoL-qz-31#gCE(Otxsg&8_W$WLoh)DPypF^l1
zSXS#t-<8__LttWcXn8o&O?VG+qQ&HG>S?@7gE>pf^@5S~<b$hGk*F7EB{D@{SAHdc
zUEs1thNUUgcR#z41+-w~Nfy|kniqumRzKG>y-v)1ofHf=i?7ziUvKT>4G+;)(4TZy
z&tKcRnw)MQ3^__e))I2COwJpQMaoOr&d7P&E_+e+GrZ1E{sJe2h<{*=mK7C+dSs9a
zR_nXYEVbN0nobQLt{F!Ss)BCH>7=gUCqhi2s3s-est+8#g$u{gM=^$}=Aa%X^i-4V
z4ZDbV>-e!gwp8xgFA7;g(kVD1+icN*45^1P@<+nvTz~=ogsVe-`*+)gzRrER8AT$l
z*<6CIr0t<tPTX1#6=~aysTM?}byx<!qYeoTipo!Djb?fP&nKpQRrD!sTWG#SK7yLz
zYx-Xd)amONrUk}TK<#Ui_;38`ljzBjJX6ckA|s=8jo_b@oX&q%5~QVzy3^<_G<R6P
z$-;nr83IGeKie1JTt*(A47NypWY6phgg3wkY#TP&^-&T7hrIpz28K+ZC}>C8mU>w@
zC=a`1I{!4|H@=lWsh#@3uyG}D{9Z^XDwir~7G)7&D7>LX)G@}~A5{~Z7g01};q8A3
zUF7OqFUvj0^>HW2<~@4N#&uwgGj0dLT_dL@Tf)mHL(v0-2JhHC#Zni46NsDJ{E)J|
z_7biNP5h(e1fzYcqNv8`qY?IGt81JZ5PcN0)Th$@W;J@!7D%9DN(Kqx>cS?jZoSp#
z2v&&;Tgk!$Qb|Q{FnDI6>1`J11&)?mD5kB2cjW%08NR6K5J1_%qheXFl@441zW^g%
zKyB0)=1w|7jFx03TZg~lH-Bw-Ch3-vB-ipRn9FG{?~S7`1Zo4fl#V5Hx5EXjsYvXm
z!qRu*`*z-Wl7WlE)DQvl*j0x|REoex`TOR_Z_Q!7{vbIGO=e#+bi~2mMRc6aK2{Yx
zBT8k5KiDl@HmeVKV?MZ)D=r~IU}Q*L&Vue>F9rM*Jxz6w$nh4{ay>`Thg!8zLLGJw
zW@PbKGcG>T&WqG;DWCtM`5vsdp4gQZ>y!aE+(3H}+8qtf6oTMs@25&5jsiiY%-sFn
zAYa!2=^{vHDpI~!5SQJ#Aa7uMoFrn0PKA~&>^dgHmh*q#jK$+(f}8#J)z6cA4{o$u
z@77z67wL^{7oDXv|CzUFtWU#%9UlWKuG1()NhcTQ$0J1Ag8KBCU)ts3uMsaqYkN{t
z@5OQ{Jz&lfh47T*I4zqZQ><swMvs-Zh9hPxI9aZ8grE@Iv~ie1>J$itJ&Fak8oJq9
zh+G9e`Zwt*!JDA$%%g@0|F~QHu`NWSe9JGrt}Mg;G+e>H1wPWiS^w7hnV8KZ-8z6v
zb^`*~NVcUk>GrBe0Ql#CV^m7nCg*w66)12aw_9vfXF@SL19{AD`H0tCp8Er4XB*{9
zOn81PnuWK}w#yJ5(J@S{B9J)DoFCj39qHHabg^7}0!fqcmtfHXv?)~b;xaUyA{!yb
z3b|t#ghXGY#BRW(Es|bx^9NBtNe>CmX9>98xk|!wnhLXx?;Qf`_ksT+78)6rzT<(u
zGfuPeKtGmRpWlecRJnuoQvWWJL2XtN<uw)>_Xo-;2YXS7g2vcl@mjH0^-f;&3e>rn
zP6**U0tJ%Z*@sD@oWYPR`-3s0*{g*j2e`BeX<F(8H{8NElih2kOrm8%+@;=P0=h(;
zpp%!>ANzoL&cH^|mvIeU4k1=K4jFMMv+jpMtAi`Tt2|<*t)O4fPGv6bm0c445;P!-
z5btFzT{Ce^P3JkA)p?7oXX<dPsDH7j#r<zO8RGk3-NuMnY73%!Mtrk@*;~ene7M}O
zy_3r!PJkGppOso?VSai+RKNSOzdib>u4^<yW;8fFzb3#a`^dAjjxJ$TLW4CpYsiOY
zUsl>#wtGCS!XJh%{kcXV#PG?!r-C)hC*i1(aa-s$?EJ|u^%qCDf|Wx&Q8p#`TLNPM
zZoR1xWyx>SdW;l}ekk{=BUbKafZMvw!C=j^k2tm0$-#4;AFNIRyr5@$S)^C0b=fc$
m%(EMmarz$M><H<S)F|L@SG;(v#9`^%$Eqz{I(qu@r|Pyaqxu5?

literal 10324
zcmV-aD67{BB>?tKRTB-k*4jFgj-WcbJ%z)}sz8PLB28oFXz*m%im{lHb{-O{PyjnQ
zDV)od>6GSaZssZf{(X&crr6AdVWP!_F=x>mi6I?L;EXzJ_)or`rFPRUUBBUU@QMX2
zdH~^u8R$QcKIySuvUnq@#+;m%L0?OPx&}|9Yt+sz{%&As_>D4KRhm_S%10Bt{{;p}
zns3o)(9rN@;<Ov=FB5N2FN3uiau)8Ty2f5^YZou&J+-PZve?{@+R*IxcbGp>@7M#6
z(&nI8DFg73|0jrv>%)|3vbUrsW1&g^-zoGJD&IKmmyQ)6N8leZ_IydHAgk(wO>ndM
zWBj#txVk0>NXij-u{1(D*QK987~S`_4uodr{<e(dXhI;+=mc`$m`t_`_skhA28(X|
z-q~1`tnM?ziMsIaC{i-^g7O>AXl`os?o;`xruu_G4*95y&jDc5O>(+|QfIlq4yR+=
zx{HhpjjXjo{k7dEAE#YIhm$f(gML#>nJI&mH0n{{9+T^uOkxB{)Nh)YH=5<r)OtSc
z%5SU@1C=938e@}6F5p6Q#jS@zoy)ny3ErCU_ml~TmZS1RDNN~if&jrEzxghc^I`_%
z&BwWYiKF{JALRGC@_mG;LfjA5i(nOf$Pxuc4aUIM#ln&SLfdsmcs)QqXnBb|D&2*v
zY8~lPY0Y3nCy~7|tho&zdoy%C6GaDMJCl{Q8BDmsF}bBFR|=%@P*Qv;qS)gD+;_)U
zk9bUX&HRueD8_2cOxn?gflf~7@7Z1~b3P<qmbmZNBa$0N`$Br_&}wDjIkm8VAvgdx
z!7fHdZez23SP-ua$u?Ny)RG<mQ#-;jm=G^ok1Zb2XFTrK<V=eHi)*WP`<p9!4|zgU
z^-?{WzbKRWU$b2i4BuBUJi0q{Z8TA1l)4!$JqrWmFNTzftPvg``uoNQCTgDzuz(?D
z5)DISgucqG0sZz$<xS8lRR9+2XmfU3xgn_ZDYP0Re6t`Ki>jNR2qC~dR@%OX{F8;o
z78~hiE*L6zekdPf!<`t*BuuGa>10Or*vzl&y`q;$3ntx{zNeymEyiMzFG7{UUeI4b
z?4&;O3Gs(vo%{2&95{W~(U&#nYiKqm7}>y@Hqj+|Jd}@>fdX$q*{e+l%P=-b)ur9P
z8Av04voh<G8BhZUyX;igVA3AdZv^8lMEZ=`eh!wBZ}SpxYctOe6#yXGX*2v9YB7!7
znb72gANHvEs9HW5GiM0jJm7nW=eWbXHG}Lb0-e3Pau^X{f{t&2UO?-ym`7Lj%NGq2
zlufa;e)INwXgLO#DG&t$d}?DR=SZuotoJKW)EGtPWuh-Bw;6&y3EO!eRv9i{Jy6k+
zZ$U?3|6L$n4GGz?M3XSR-qfjUZ0RZy-azX#WMkO~hq)!pmQQsfr{oD&Mu+fCj$Y1S
zqh?tn{OYrxv{J8f$DuN!)%RJ5?v^u_tmvi2o+4X7k|Ya$#!uhIDL+|J65^0#f#%~=
zTF*wE7JU?DX4dpP3wJ<~dwx0=SM^~k-EX;YNk&1>173<E9~Ee!{XEAQzd-MKxn|ia
z@5dAQJ}^RJuhXfQl8?5nF5e-1+|O||G|66InrjqZhdYhd;g=Af3N^{7NOBn5F|M{Y
z66!SvBt*tHeBwFU(`N6Fv!&BIj6PlAf*bK10zX^9V|KbH`N^|gxs-DW3xfUes0tct
z*O%L<5VnCmqE-sCLR;cSjz7klnx21N?IW8#z$2z;8ihX-HJCOjvSfda7bmfNjQB5_
zEL^l)2hGK~10@v%+jxoU!XrfJ2ZBU&#ck<S023IrL+#?IFC0nm^O~=)<<TYd#f@<D
z8N15D36;2kg;t1mJ2&H9K4dD&)#z^(JYWlqZ>DX-G`k`X^`394_--GO&)7(3m3h~!
zEs~z)pX||9wbG+(WdVt%`RHZvpk4ygN)lkwi>{Ye@aiGsx#6jJEp}iVca>#l5f4=g
zrWNp81wkK=vg3s0tRDpEb_bjFIU{TOo7q%1n5-crxMx=;(@<S0t0$5l2S^%Y40X^Q
zj<=m<TjG@I(SUd1Xim9;7RJmQ==4jNd#SPV#HNb|j8w4!oPcV#cjz2M@-keSH*YL@
za6K!_TBwrFSIJJM3QI!Y_KGMtIUt|wPf$ukCEE_c1<Ah~w`F3o9q~NZ>|ornrL1KE
zqCI-Z5|Qi|fL^?HH^vTIwtyJhr$%X{M5V!_*7E$~{mwtPTh6T;Y}i+8v%S(*&dTmb
zy*4OvKf)o+I`!{fAth{I0-i3@5I^W!PN5jI1x*KOC_&AM3LTQWAMdO&_CU+lCZ?Wa
zYHQzdXp+yHuv^}CN8478xhT40V)P~@&%0nJ_pO~$_@)0!sZsGpOd~r|M(L)?eF0wz
z2$s~BGb~D~_tkz59eY6_Ruv|sr3y!K<32HpsGfgK<RD%q%9?vi@st$m2xiu2@OS-J
zK9(C8e5&Dx0hNna=7VCL@>Ij~YTM0Rt+7r3km#McSQ6HXSW-=i_4&=(DIR#bO^|HR
z*|zJnbB=XS?|miiSIfKgSBElA@;5h?MhQ4Js=?ZpQ*v2iEHIMO2YNE_GoqxYVwj3&
z;cRY<Er{hR!cUK&%7&mkc&N8&GlX(Us`e^V=Sf&d3+O}6y`h*aWrVi`VJORUr8t0?
z58<wda#J8AWEow7s&TUMYB8yfk_%SKf{UOv5)lZHQEgIAtI3w%Gnn=<yRwwj_!!=6
zW!mCTTHE*GYGY>5b<kA1pWkh8Kl>v2pPJz7Glm)|phWS&j5znX?Ijbf><-Cl0|Z1`
zIH^KcYd;WBwzO00W%D)g2vk*%7Lkbl)d}EiqlrYVd$@dCu<Grf$WUzJHDCxHm)|A2
z7Lz@;Jokx)ndAuQgbf(93ZJ^y+~L$$*ePcbJe<Ys4Ed=m>_g#D53Ho4B3b|G#)?i&
z-|+LOwf9VCU-|0B5b7$jrO(KtMQ+Y7ExYIeu6AO}rfK)<st|gix>`NNa6=2CK6)jd
z7(`iYe|g>nI~~d4#nFS*&oDR$<Rw&n%X4|X$9TqSC?w&W5JaWY<1p^pZEo^Ezk{SX
z=^%bZLd45N;OqDs^haCxyZ8KVf9FWo=&uzw7@YU6Ldb(1qPxI=n=Aw#d9;o(IJUIb
z8(vW)g{|G>tlC<lc67J)%HZ#PcDhDxvb!z(@loybq6~`u>cg=kvEJT7PKdgqGU<-2
z*9+M?Zfph0s3c|<D}FCN8U3;-iRvTzBn2~T+tJNSza42F6p~Ue$Rq-^yPb`p$($jw
zC&ZL|(0h4VAa2?hEo+Q~T5v(nao;r8w<u&V6h;&^=wR#&#645}V8gZu0^nr66xYu%
zG)m1wPJdT?$`RP9k%$=c`5`+2=EsI>1l?TAoT`K9Yj84j6bgy`J?;UvbUC;tzeI&>
zGaC(p^hQ(|cQvjd&4R22p*ns?>_)~0_Vd9kO;2zEtdtB!c8>J4bYjr?(47F65?Dh}
zP@lObGIJ?)1805Ltal)t{ud~zk}kki`HF-{1syx0RB>G;*15dDEwrMFNE?tY1Oxio
z!4I-fyNIj72U@ck0-pGGLqv=vp5>ECYR5o;os0!=fGc?%-Zm=qPS6Q~U%nm-R2vB|
zm35?8qQfYV%GO{$z=v9bxoxyMFxnE1KgJ-bL33S5b}>w|<$r$s;V|lKx00-E+We+2
zBY|;{pWsZ|c-YSayR+;{=mCJnmZD}%URb&lCplm%1~irXYHw%IoX+Vl-@P93iW4>w
zECcbNNjY&A8W`ySIqbV1=GWL7+=~r?yk9)APDP}6L;w847v_&%)_ND`6lvwH>>~||
zhHHRgNLf2IPLQXOQr;G(!Ud*{aX{%?hfEI$ePcGC>Gg{4wFt?PDHJm+sm$vs-MZ}R
zrI$)<W2uK+i5qB(HR)G(GErQdP$q>IM^A2X96zO5$Ai8)Es1bywlFhW<+A{|R3Dvc
zzw5!4wkXDw7#fc&Hh{(&VjbpRY`vp7l;eg$V|50V42B+(gNdf+S4tX@t?`xG=9?De
z!I&)c<Qnyaimp6!)of%DY5KzR4uC-hD*`NwQ+AQ+uifziD$Qt1a`vGXi6I3&9CW9I
zyA^q6eio`IME(&^<BoVYf=mMfQj)m!Hb$9|8iVh;pze<$DTnkrHr+qI^rL!<kQ)-S
zJ>$~L+nH+sANa3YHi)o}rHVho$@#L+4CRVQS)P|`Z-*$T7r7>Xq+qMow!O-TY&PTm
z_W+s&zeee>yTy2C66zl-B9ZV=YSQk?XXDHh@CVo6L5r%K`+Rm<{209M@$9^M%~eO@
za5EaONAXzH(x%%|+rgNZt|`)pkuyLuL<Hx+qh#`)@0z<4yc)_!);VeQ71xll+~XZ;
z+tdA+T<$S7o-nY;kOWuL$GnS&of?`q?1)oFIFS+Bo>KH^Enec8)W8spT>)Cm-4@d7
z;4Y*sA9rd3Ru9&NSZF|=s^=VUa`(azp;t7GT;|7|0U%Mp4l^pdcNK~f0e>ZPa}r`O
zr_9wTcgkE!@Qbh|C2aGDRA&)$d$UV`Gb8Uym~xzQyLOISr6>!sSPiOYK3-DLHx9(e
zIu%;3Vj(hDEla$fk0Su5UHed+{@Sr|AI<eNZU2G9UX&kov;Xypt(+UI$enfyd3f&o
zfeqnW)j5Nj9rDV)0R!+W4T0+Q5>KkTx-jS69!RY&F|J3seDxbB`5Hh>*<iSg8spM)
zf?wagF;*nWX^>ths2idaOqwci<9;W`jvV%mp=@vthP(1GV2{hqpGuF1Tz6<#wQ8Wp
z2m8q5M!Moor^FETO<%<YB%mZJRO790SWD)d>Ys*Q`2VwP-+x$|_BMYd$^;jl7Dn2R
zFMbq{+@8~-c|tiWeu0u^Xniu0SC0??sp-;K<QXiKx9GcOm{z#t8yeh8yj^Un`~dn5
zIabn+*~Ay8%i#4c3u9E3yt^~#dLz2XB~-8q`W10(&gy1+kKC674FXj{0@@x{!teVh
zT?EJ+PaHfIviK0IZn&#RH~lgQ0NH&!=BsGhu4-i78IVM%DvO#U3Q_9;x`xI1zQ%+9
zXnzcvcag^<P!`nBNI%jsyUeRIB9Ops&VuP&t3`x97Ejq9ArikJ>FW*I0I42b3Ay(^
zA=5n*yIQ{~&Kp47?$hL1jYS)#q&LS%)`|2rP_9lr^eP!l*!GC!Uns+%aPsT2iaq0s
zD$l~n^K6uBgu4)EceQrt`6Cr2yeBpjfn1}3rRdzjk5-X8pU!8FxQW~cB}v~Edm(Yg
zK|AF+yzR^cGC4=`D3hv8QFug$Q68g7np1L13KN27a}irub$)moJEDL<;O&b5qBYNE
z+uUDjb3qJ@->+?FH}l6GFv-DBz{-Er)8W0&re~~*WGGOV;03*fzh(L|m6}Z-ZA4gf
z+FxIGFlmN4oQmkIZ9dD`(BT2q4YleMCx9L->Yl)0SVUgdv8nnoD=WrJxKj-@4fklj
z_L=}fDvZM}*7f``Lwl2j1?Z_#$b>@G=11skNEIDURvYken@X%I!az`*>sV&=lJRn(
zvgDO5?i*}@sbkSa%dYUWvR!0{bLq8Eac($$Elh?FyiH76DDzKoMa`qOumtI-Ol{K!
zb9EJp-A~ql>thiXMgQNp8Pi_e&Ip9dHcIXG2KKf32pgP}(H+i~SP`%Km5)Ba**pw5
zn#~uN+r3GUdxj$TsZCKRPlLf&{Gx~_hdZb-HR~;2)V(;)VgJTFJ*V7q6D{2ced!`O
zc&x<;!dK^Qb8AR+e}d_`ECb<n3Jnm2s!cSjTE8}gsvLyTH0_&8<ard7p=O)pf&Et-
zeqaN*ovx*&Q1(PZg<TW%yK4J~4q_1F`0wd@wTznEj@sl?9?1LW6Crh!Fw}nOa3&pw
zURd!!UfE|gUff00P~;vL-HRnC_@b0|aLKp&^viCl4Jyiu33eKK;hqbh3T8Y}IFpU4
z`{tUTe{p5bJJM?9U<7LQOx&y8dF-XfOd7~~|A@#xkQkD_>6uSyMaltoP|>AW0hIjI
zsSGEp@&m+@{YEe^n&-G3nwAr(g&dJC{F4GTmQ;v3kT|VcfN*6o%_Zx<mHwL|)OSf+
z3JX3OyR8WP-kM<bB+kV09ja|FJHRhJ<<|02@@^Q|ue0le1OgS8=OfzE-Csax8I;AW
zLj*Wr71`;F<}}}1P?!F7ynSpN+6sn9w7!_W8I+L^del;9pJ2Y8i33C{s?N}M1-B*|
zBoOgj)6D{F4M))(Xp8+h6R6zFYB{W)z!~L%+F6qjibQCly(i=%C55(%J-UE&$B+}*
zI$a#=XjShx?5*`ffJ_Tb%IAh&5Dq=Z9KrL9vH^Z!jHET|-lbmDW+|7*$YZata1N*H
z*1L78pq>7{JCB17=6QHfDatXgi;iL|+*JafXF`2GL&{gIq9K&4#KEcMnCReb8?DV`
z#fV7$$Eu5MxkvkUjo9t=GMDQ##GfP@{s%Im{YoUdU<vTddE!c+1l|uSh^5v+cPnyU
z6l~RCKvgWr2<1e+T&|F}aU_;M|5sZXm^|-a4Rg|=s(I6uV70!H*26uXSjzcmS*R)$
zVC@5?bzHePpt4xQ#MqCJoW8jV8aZ*eJ$Ip0lpzS#P_nF>ozsm!5j&w`QgXPG%FDE`
z`-eyuO67S%tKFR!4`>@Sv|;uo$5SsGfB*wt6<NX@d$EnUyg-A&LQ#0m%nvPwvcFrh
z;-Y4W{qi00IG)<;u65j`lB_CGJ+CqpTkr?j55i(v&rYw+R5(Gq;E4)sH$<ZUDK?w!
z$EJNFq1oOb+Uwh5S>_g|ph}J|qHk%%b&2{CfsY!SedaBjVxd%3PsSE(yQ8{Fs|^g?
z#1+S73q$ugltKVS{}?achxBt|Awghqf`>@*VBrjYOJHXkIV+6fhFt#aY;7;fpK#<T
z%NlJhl48-)9Hn{FNPESYX2y7@P}#FDY{G*#+2$fOY9GReELD^E;GH;hJA{$Y@2e#4
zT#DMjO(rl6BT&|N;~u!EDW&ApP7Msu*&%QYS0GA@8b56IYp>N(#|d8mn`{w<D(#<d
zyfE<fg4ZbUwuo1<tC*c;26%cxorY=N8r2=fUOHux)HwpsuID59x#hrp>*kE0h*Avi
zG6+w;>OmAEfu7sX{M89`uz6IO_xLKa@`hN*h6x248t@O<Oyost0U!*}Y@;yx@WzjR
zT#TzPhU=hPSv=u;#GB5Ox%zOnP*#t*y^zd4murc{I3Q4?@}EH+%d~t1R`uROGIcNI
zvGOL0*E2>#v0u{^4NPq7JUAP!q-xKXEz!6vuW|(ypd^MnY4d5~)ObFw9Oa3)qaH`%
z5Udglo|EA!U7`a=)C`ummMH&<Sq@3&$@+I35|PX~bfI$`gH){W(j=f}*Nsp<2z+D|
zSVayWxInQlRGRST4TN{u*n#p=DIfJEVq@j=*QI=Y{lK(zEeUhA3qnR93_{fCTnSru
z+s+vQEuLL-4byjb%`(R6WvT#P`0;`TXFezuhRmX9Q(RY2Qx+C)I~)n0i)kME@J2bn
zk93*(bf8NN>hj_6MBPtPtd#z&nkE5xj0KDYM>!?72!QbV`-Q?Om{=G9Z^LisXrd^J
z?Nrm82e@D;-1OrWZ7kEZrglA}?o(?mqo<)I9JU_2=QYWohRR4t+m(dl0*b>?o*$*e
z8EPkJcfJm1kNjyiq6cYrcYsjf23}44wW4PMIlz_)F>gW)$27A2K+)LiUP?XmB!Mp^
ziLM5f(#8+8d^`Z3AXRpb3_5~DhQaL#JZYA}A~o?xqoWsC+Q#kA3?n$(eXeN8N>AX8
zX`*>HgGe~l85gLU)^}|qVKWq(R4=ZhR|Nu+IjQ`TXS)=L&mZ95y<BVk#$oY8@8t5Q
zxgOVR5vQV_!e))zTQ$>9iX5Zb-<(gqk+MF4%^qddAq~Qt7#<@(-v+k7=OMnk{r@S1
ze{DY7$y-qBa<XmD47Jt{GEY5JV5dzA051!%MslrI)O+R3JKVn`7ChrMGOtn@Sv$}w
z7)=Vk%M~g>2y>7<s^;e|QvxQhvj=k86@X$DsA8==MmE6rnD9m;MLkj#S#&9SH#mX%
zS$ky=EY_^TNsNPl!tz>&N>c3R^BbS$jjjj_+>N3@!EQUKG=qgDNf0~oClvl`t+QPN
z+P6W?F?|;z*B%;mo!Kghd!f4DW~b(M#Ck{WH0@07lh8^i`3kn=s7Zg64i#x0VfX?@
z1~&3x!<K9>16uDOHgixA3AJ-<*+#^yq?~)~%3w`(uX?RgLG8UBEhk-?)l$*s+?J8|
zV7|G;kVlm>^P9FY465;NWqX-`Lh_Aw>Al4qXy$`&)7#(vA*{i3slF%-<*<;?iP7$S
zC<ZII#Ce;wnMK~6w&*E7B{<BrviI!siy2spgH;)$lQ#9&jxm0jQYRjgo)XGZ2eJ)A
z^5AP^)7my>Q{_Wd#Ovk3ktPEUl4o{z8&bc|Bv*7&V7*@!)S8`WV5r_#6~o{0qM`M^
z_%k{yQAYu(mD8^wZ*k~FgVKtWMasZEoxi|?)<}LqHcIf_RZNXnkn$QoqX^Y{b}*p%
zivk%;5ddM#?DNaiE2R?bgPNnJ2wHEEMBj5uHlZdik_QR9{*rebhD_;pR_3K7eRX4Z
zFv(W_l!LNw7!0uL2l)DIy?JOiI2uzPhUZd{_81mZ;g#MF`xopOH2G&*#7XKhZw_yL
zBuc$=+j=XWOVwEPW&1+~VRulsg#{*I>zejN1J`pnk}A#LxBaVmzCU08g230{ubIMK
zStJH8Y1Fjx{>)VkmMhs}tDT{CudM?5KDa!ai14nNP1)WhQ}W?9U<~MQcSbeW+dZXg
zJAs`<Pn1bo8&WI1mIk<G%_GtCM91`@5?C=eGouQzqT|bK*ETEPQd`{vu8x(Cfyh4s
zT|9R8kRpdv!`=`Rvn8U^D?%v%Lcnv)C_57KiN#GC1HhBx`1xCCwS!(~LwGPkQ7SdV
z1kT*UZ_gViHK0?bi|inOtA#YucUUl$>yms&Yl;P0D3(z@n_#tis&-h=*zvxGjO^|4
zi8g*;vbWrtc{x*HL|rnlUA$-4J)M7RsC?0UD6VyC&9f0Q;@!u|zAst`06~v<_MER|
zytOz`!Q}0i<9h=`td$gdi|Fpj@_;8U?^UbbU?1MTm8wrk9uAUBh-SdFHSeqrB)-oo
z_(7l}OO;-Q=YO}{3~PfW;$zzVld4u-^7CfXu+d7;YO|!K^JYT;uK<OS#!tUK$UDrR
z17f3%tWTWdEKN>9nEr`9N8MI(NDuvSwk4h1$;<rAsG;~r`Y*DSf?JD(Q!JI3cRccH
zS<(G`)GKJ+yaJx$J~B8_G}=s7J1yrn`!`!$mIjkh<4C1rYHgo2Qo9DDlRaeH2R8h6
z-Oo%w!mBw&hL}XI%*ducAOtIV>$sv=pUJ|6G;>6;0=cq$G|fpjWJ2jy6V2>H1`C<J
zb=?#o<P_2XngL2ZPW_*P@%pxkgIg3}lqzBebtLASgh%Y6Je7I!Wd#4-vzzV3*y=5>
zbIY?VdMIek2XK564z-}&$U6i1i;Az#vg?%-j$Hg$8KSk<D{n*5uFM>qx1cUr_`S-_
z2#Fl)@diA8+<BQuL!W|_uJ`(FD9RN;$=@uFc!L|uHwF02x>rrwP-_dFl*vH`$-pw(
zAzH1070o=(SGU6B`71ALT8E33;?$<asAgc~8QD^-=J7B!O)f&*7!s&benoC!@0SSX
z6<Agza!^xF_E<Tl&)Hav%5_~!$*2Eq%pl2-EqLP!Nz>YGkzPFLSY<s>n~<fBaz?U;
zl+Hfn-7QJ0z)kwnwPHVIp@c`M@;%GQRcqPasi$|#NEBJ6z{z$Jb^k6g<_J@ihW{7L
z*HZ4_{jb;esEDg_OywzzNU!)cfU6ePKOwTu7M-LODK?a3Fh4^Gu91Z04LdDlYtzN!
zJk9EBVYHEWk{N!f@IpNI{dK(C3%0!&D2fhUeo3&Q^CI9fvgot=mQNgoVpc~YhjFtv
zUXu*M$wPkQvwl}T>O}3@LQxI-Kf4;dvOGh13UiLSV0^=|xO2LSk#m3hX2)`}L6pfh
z*so1HC0B*fBE1S7-R-;z_(H#+#xphotyrVSM4k|gyUVUN(_kyjfv-~)gGCFX(}l_b
zFP~@5g~>N`sLn|fn16Sy5kM0^23JtvNmzJjfj(P2-r1^CGNQxLLQ<!qnORV*eZ)$T
ze0vTV@ObN^fIrBWBR8Ay)r$;aIQ#~kCKRSUkn{<LpGl&B8-t>FTs0Oac-+XYNcNfa
zRH%U{<Xem7I2eYCo%%Xm^C`D$ZS~O~b|k1AHoq6*(;^c>+*#j@mwNcxf_th^NB|)9
zHgX(f?m@T`7*0_f{6Ac={MpN(REV}n>;ndRupkO>?#vt&snCIEn@0#qWMolw55(du
z&-^nDpau_O2c=|GL-++LhSU2+F`0!~wDD%~1rdMTkFXI^QBn5yKipq`VmpY=HM2cp
zLmd8bNB1nu$W>MGmdB)KpOg$F@$fD4FvR{P^$juA(hRNXp?5nu-s(8n74z0Hrj3Lp
zNM{6?Z_Mf<$LSesKOQ1}4iKIWMp9)3-N^Tr(9=mVLS3=^q_B7>op5f<6NWf}&MYjb
z9pr(?`;X$P*)g(io;rEq<#ZatgKCmd2HzD;d18M#isa2*`%x$KgXbffB46LHK>x<W
zzQ-Ld?@RyTP27Roz+d4%scv<#l5DG%#a5B5mHOc{C`|7&t_x$QNV<NaGAcZMP@4D?
zZ|IbF;i(Ag<9V@e@cOoVX8aC{o8|F*MU9uw^C2z4EB#NznSLCU`h=aEy6#ZR*6!bp
zR6XL^>TdYQ6f~6CAHV*ev@b#~LM1dhAsHvM8p@)RC)U-77y8P8K4yB%xKhVxvoeyd
zaQlEuML0v$vyLwg@5to$DfA)du4Vu|>oIgv(?8B`_2eI@z{kGudM+KofJa}?DnnG<
z6|!zm2)v1lZ7k8heRJrCnMYj#IBFm0fTpqU&S;Q_&3SC?75RIlxx}-CM1d+GR{{q;
z^xVCsHOJs1uO`%3Sq1hh+#|VcS&LVsY|vSYlwn=fCR0Co^OYB=1<+-25}zSHPa6-F
zV`PjKzVXcdB!tA6u)|_vQ9~AAYxplP5f0dEpRXy^;zEGfy}^igWy81^YnphTdqh<S
zyH<O_+|&ZU3q2D|uEu!xrB@k&E<evM5SV7njJA~{CirxW0y`4Z*;X@WnD@z}H6@nA
zWZlQO(H}y=WcJhk35r$+%9`kT*z=WZN(yK$s_Vaq+028xh-EvNW#gV{6=&sBeb#K%
zv7|(<)(OgY*Du#K(rBpJ{;t?Rg0nVh;XQP~C>-UmpzM#EYiLF*S^-B?T@gSX<2(nW
zv<I%@NS5ibo6COXXav;;mD}=JE3015c90h%Y#3N)N#nacq5h=~_l*Mm9Zu9tBXb;9
zUwz<19teT!rg#yj%Icq@XXZi@`45d6KbL{E4&;^DKsZly48(fit;MDXx8=#DXovrK
z>*@sZV}U<{_ZMsi!gfeJc!=2*=`Uq2m-JztNWo5$4R`qI-oqE8s`80>x;QWne)MYh
zdCJO99S}8`$NE`dtPG@)xdhZDv|+)^^;v412by&XfKgD=<;(1pDIz^SHX<*Wc0w!i
zI#l97SbJI9?eZZ%^YH(Mg~x>==M*WvJ&jb#zz@?nGKeCeKoxA)`YyuSLuioRL{?!(
zy<ahE6}hN9et){k&3{j<ypMx&;_pfgHDva`a3XI5qZ?2tFN9d&*H$5`S}9K^h<`)O
z>`!_ubyCrq#aKo(5Tki~B`YnKPbgi?4&F%a08FJqO3qvoX|B0|wj8^ihxMeCSpFFX
zJMt0K$+PxL-6ji3{o5mRi;g&Y_OAI+A$-gIfY|@ES+oqak8dpBNI^+lwuNim6BOYN
zuA_Z;;!&Do0L>ra0;jh>J504r$3T0bP9Z_cAo%uRGDi$|PG~{0Z0F@(3ZFl9!W3&@
z_OJj6^MT(ocYx@0^u~i*$giteWNrC-6G`;Ev9&Iq^bM16p9_Yqm}?<NSM1=Lgiga#
z#Lie?hC0DwOnOs5ZyL=5-W=d}jpQ;tBb4SvPt;qw<4-M(jheaFLJVMBK+lur!H?9)
z)K{7fj7p%~gW^%66NuG^I5n)K?NtGyTr7pQnOj9Dv-)K0%qg;aqKQXsBVO=h<3gVy
zalrr2eyhwKQ*E$|f$M5e`<4AISymk1)rkk`wzLp^C-V}Y6{eBDE(=2(^(`}(vPE}Q
zA;C&(J#=eRYz*8=)&+j&`)LiPaA<YR+d6Hu)M6*a)ZV<7TfGY`@HfE8w^j>4RUNB!
z@m_Jkm0w=J`+3~W(i#q6fgb82Jzr8<$Sz7ztcnnZc1WK`U&cqsZbAh7)Wyv<zk%rB
zx4J6$hPrBUe6X$Eza4BBhwa*-wu{kz&uY1@CI_i(jdhD|Y6$XXW&R}4#ET#m@O_$i
zBog>6Rk7H|8{1B=zis_!o5b))o2g4S>~W1q1^lZ1Nt<Qkb?~Rhu9z+FnOmo;rNXjR
zd%ekkI6htd%iv}shPT35@EDKv_TMmEJpInAtqctCz;TBgYo}ad=7xccSel(Jn_pRX
zda(i)YYBz(+@~V^yfzVqk(>@Xu}U<Ul2ufA)rPB=>%j_wk~I*Va&Q*`E&OBJy8OZe
zvEmrhNy+Q0C8uLMke)BqauC&$3AomyV2xaXA0Rx6HGI&l8CS<IQ;?()pd>k2`dNr|
z$(DrNs4E7=c3(D0l5^~NcD(e}Q_+yu$X3+LGI1`@gY5N$xP2b#I(6t_ddtWg9&S*0
zvIjWa>vL4#Yp2b9kU_j-;sVgpi~N!@yq8`UL;~Z^drEq@*5@Bcey0HbKsMxe!s+BY
zuQuryfDA_9hJ!GSPiII_yO^EuZO06wLN^CC7ShVr7#`m=Y@(^}esJorXj&io{s72@
zaY)9!D=Mf5ICH(cfD=8i^LY}P(Oj~-(t#JahL;W@2Gmzq9(FuCJYbFC`XLPsrz$;2
z*Dm%zWw%;tPT_sYHrz4#j=2v=YWk<;?+g0q=0%6)%7m*Sa4F@3Erm`wZ58vJkW@rZ
z#?7XOK+$mr3O7FmTzk0QdsW;4)!-Yv<9*!u{lP)voK$n!Hex|tZs#1SvgRa!RLNF*
z18OpTKX<0nvkNJ~Fk%>(9{qlcHhm`tW+R4|yygR}4M~|a$ug{?Q-he&yhysn!>{ki
z1&{Bs4}tmIS1a<~jF7&u7ta^snc$A@jw8W*227JVsJE#C?ik#O%Ex7ga+<%LK>P`M
zJIu^=Q4f8`;)9>d&MnOF3<GyM_$&?gE?Q4JjC@Wo4LIEWCH`9MZwYs+6y#C{9VC0>
zvijRYID`tCw{{a~VuZX-uSf1Uh?wpsPQ6SMEv5qR3VKB-Six#20;oIHolyC6+#!n5
zHBZ3lDI{4R|ISA5+gY2wTb-N&?DH}=t-UOYB{R3Wh=t4c$WubC-{^QB_LdRdfhJBl
zrgJ)@`wB+7HiDKjvy&T`=3vu|r_m*t85fVU3gJwq+m-nH`1`Y~-HePa8l;AZ(y{Fp
mAnhZ{t4Y!$QXB_a3#Wx>tP%dY*`#Drf^K>?u)$}ragV@{D;9hJ


From f18009a56f797d724750a8147ebc1bf9fc392960 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Mon, 19 Sep 2022 23:48:04 +0000
Subject: [PATCH 27/36] refactor the common code between retrieve_subject_token
 and revoke

---
 google/auth/pluggable.py | 103 +++++++++++++++++----------------------
 tests/test_pluggable.py  |  25 +++++++---
 2 files changed, 64 insertions(+), 64 deletions(-)

diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index 79ef2dae8..ab32b76d1 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -165,20 +165,7 @@ def __init__(
 
     @_helpers.copy_docstring(external_account.Credentials)
     def retrieve_subject_token(self, request):
-        env_allow_executables = os.environ.get(
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
-        )
-        if env_allow_executables != "1":
-            raise ValueError(
-                "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run."
-            )
-        if self.interactive and not self._credential_source_executable_output_file:
-            raise ValueError(
-                "An output_file must be specified in the credential configuration for interactive mode."
-            )
-
-        if self.interactive and not self.is_workforce_pool:
-            raise ValueError("Interactive mode is only enabled for workforce pool.")
+        self._validate_running_mode()
 
         # Check output file.
         if self._credential_source_executable_output_file is not None:
@@ -211,21 +198,10 @@ def retrieve_subject_token(self, request):
 
         # Inject env vars.
         env = os.environ.copy()
-        env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
-        env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
-        env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
+        self._inject_env_variables(env)
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "0"
 
-        if self._service_account_impersonation_url is not None:
-            env[
-                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
-            ] = self.service_account_email
-        if self._credential_source_executable_output_file is not None:
-            env[
-                "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
-            ] = self._credential_source_executable_output_file
-
+        # Run executable
         exe_timeout = (
             self._credential_source_executable_interactive_timeout_millis / 1000
             if self.interactive
@@ -250,6 +226,7 @@ def retrieve_subject_token(self, request):
                 )
             )
 
+        # Handling executable output
         response = json.loads(result.stdout.decode("utf-8")) if result.stdout else None
         if not response and self._credential_source_executable_output_file is not None:
             response = json.load(
@@ -270,16 +247,9 @@ def revoke(self, request):
                 not properly executed.
 
         """
-        env_allow_executables = os.environ.get(
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
-        )
-        if env_allow_executables != "1":
-            raise ValueError(
-                "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run."
-            )
-
         if not self.interactive:
             raise ValueError("Revoke is only enabled under interactive mode.")
+        self._validate_running_mode()
 
         if not _helpers.is_python_3():
             raise exceptions.RefreshError(
@@ -288,19 +258,10 @@ def revoke(self, request):
 
         # Inject variables
         env = os.environ.copy()
-        env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
-        env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
-        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
-        env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1"
+        self._inject_env_variables(env)
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "1"
-        if self._service_account_impersonation_url is not None:
-            env[
-                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
-            ] = self.service_account_email
-        env[
-            "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
-        ] = self._credential_source_executable_output_file
 
+        # Run executable
         result = subprocess.run(
             self._credential_source_executable_command.split(),
             timeout=self._credential_source_executable_interactive_timeout_millis
@@ -365,17 +326,23 @@ def from_file(cls, filename, **kwargs):
         """
         return super(Credentials, cls).from_file(filename, **kwargs)
 
+    def _inject_env_variables(self, env):
+        env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience
+        env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = self._subject_token_type
+        env["GOOGLE_EXTERNAL_ACCOUNT_ID"] = self.external_account_id
+        env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "1" if self.interactive else "0"
+
+        if self._service_account_impersonation_url is not None:
+            env[
+                "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"
+            ] = self.service_account_email
+        if self._credential_source_executable_output_file is not None:
+            env[
+                "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"
+            ] = self._credential_source_executable_output_file
+
     def _parse_subject_token(self, response):
-        if "version" not in response:
-            raise ValueError("The executable response is missing the version field.")
-        if response["version"] > EXECUTABLE_SUPPORTED_MAX_VERSION:
-            raise exceptions.RefreshError(
-                "Executable returned unsupported version {}.".format(
-                    response["version"]
-                )
-            )
-        if "success" not in response:
-            raise ValueError("The executable response is missing the success field.")
+        self._validate_response_schema(response)
         if not response["success"]:
             if "code" not in response or "message" not in response:
                 raise ValueError(
@@ -403,6 +370,11 @@ def _parse_subject_token(self, response):
             raise exceptions.RefreshError("Executable returned unsupported token type.")
 
     def _validate_revoke_response(self, response):
+        self._validate_response_schema(response)
+        if not response["success"]:
+            raise exceptions.RefreshError("Executable returned unsuccessful response.")
+
+    def _validate_response_schema(self, response):
         if "version" not in response:
             raise ValueError("The executable response is missing the version field.")
         if response["version"] > EXECUTABLE_SUPPORTED_MAX_VERSION:
@@ -414,5 +386,20 @@ def _validate_revoke_response(self, response):
 
         if "success" not in response:
             raise ValueError("The executable response is missing the success field.")
-        if not response["success"]:
-            raise exceptions.RefreshError("Executable returned unsuccessful response.")
+
+    def _validate_running_mode(self):
+        env_allow_executables = os.environ.get(
+            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
+        )
+        if env_allow_executables != "1":
+            raise ValueError(
+                "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run."
+            )
+
+        if self.interactive and not self._credential_source_executable_output_file:
+            raise ValueError(
+                "An output_file must be specified in the credential configuration for interactive mode."
+            )
+
+        if self.interactive and not self.is_workforce_pool:
+            raise ValueError("Interactive mode is only enabled for workforce pool.")
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index 92c868562..db7a065f0 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -1032,7 +1032,9 @@ def test_retrieve_subject_token_executable_fail_interactive_mode(self):
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "0"})
     def test_revoke_failed_executable_not_allowed(self):
-        credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+        credentials = self.make_pluggable(
+            credential_source=self.CREDENTIAL_SOURCE, interactive=True
+        )
         with pytest.raises(ValueError) as excinfo:
             _ = credentials.revoke(None)
 
@@ -1055,7 +1057,9 @@ def test_revoke_failed_executable(self):
             ),
         ):
             credentials = self.make_pluggable(
-                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
             )
             with pytest.raises(exceptions.RefreshError) as excinfo:
                 _ = credentials.revoke(None)
@@ -1071,7 +1075,9 @@ def test_revoke_failed_response_validation_missing_version(self):
             ),
         ):
             credentials = self.make_pluggable(
-                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
             )
             with pytest.raises(ValueError) as excinfo:
                 _ = credentials.revoke(None)
@@ -1089,7 +1095,9 @@ def test_revoke_failed_response_validation_invalid_version(self):
             ),
         ):
             credentials = self.make_pluggable(
-                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
             )
             with pytest.raises(exceptions.RefreshError) as excinfo:
                 _ = credentials.revoke(None)
@@ -1105,7 +1113,9 @@ def test_revoke_failed_response_validation_missing_success(self):
             ),
         ):
             credentials = self.make_pluggable(
-                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
             )
             with pytest.raises(ValueError) as excinfo:
                 _ = credentials.revoke(None)
@@ -1127,6 +1137,7 @@ def test_revoke_failed_response_validation_missing_error_code_message(self):
             ),
         ):
             credentials = self.make_pluggable(
+                audience=WORKFORCE_AUDIENCE,
                 service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
                 credential_source=self.CREDENTIAL_SOURCE,
                 interactive=True,
@@ -1149,7 +1160,9 @@ def test_revoke_successfully(self):
             ),
         ):
             credentials = self.make_pluggable(
-                credential_source=self.CREDENTIAL_SOURCE, interactive=True
+                audience=WORKFORCE_AUDIENCE,
+                credential_source=self.CREDENTIAL_SOURCE,
+                interactive=True,
             )
             _ = credentials.revoke(None)
 

From 65869a2dcb5cec349e6ffe6d110828f0f97b24f9 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 20 Sep 2022 20:26:55 +0000
Subject: [PATCH 28/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 85983ddd6d5b71e129e959715f5764e446fb4bf8..fa53f6eece0a4410b873f1b300ba4078f76b74df 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTKQ@5^8o>!|mGId1~Bk!q7*DAn(0$y9LtoQeh$@LGTi)PyjnQ
zDV##$OyMsTh?Ss7hXReE#d>u%$1)$zTD{q<yk|tr;T;yS;x2*bJ{}$sxK2x&wqJ>%
zUOS0&SVKGhKYE9JePKUk*i3C+?;c}9bgz;Bv@(3v4vHUZSUsRV!SK}VgpCc90jkk1
zF9bur5^Le@4-~kD27p}tkZwwy3H_b#mSnxf;GolbVVqp`h)0_0`vLI4ECrNA0Cf&E
zoAX<zWdoGB8bf`EupCJzQD>9(MYa?574l|ts{rJrG$=-I_&VT&ASa=mGX&?~&2erY
zzraIHjY!2x$(3!gC0cr*Vj`D`rKcjnW+fWJq)_+8VvsrBje8Fk_GlIqqvL{2d{#b6
zmUaJ6S8)>$(d$4PF<;}{L;&UhNb_m!+3hq6I@Wz5xB$veBh*k1p207BaM2WULN!8I
zT{V$(avIUY4mppTF$LE&R7RygJ1JprwlTb-jag{#W|J1#B*#TY*b#PHK*?LJpeVJz
zjw}gdn!x8?bo6$ohIFbh@_2CGl7NbJCkbyVgJtipF3l+NIav59V3O0AdAdY>=j7fF
zcO{#P1lK1}k}ffTiOlmR8E_K|AQL05yg_D%Jf@-4s4N06lCkb0YqG+gO(_%egcUMn
zKynM+y3dS<TA^!%qNR+^UfMK>@Gq_LcT>?epFj^oTO8b5MYG^1UM#uKSWvD3Tv>J?
z6ZVTUB9ovWoAZNmlRa?LxeeDwMd38#JA<+{hMz1NF5NUaT*0Ys$P|OV0hp1se7Ocl
zhDEeLBbX0Fk#M!sXg=T7(~gD06{f{xYhx75_zk6TnVL4!xXL#$FDmBVX|~#&JvRXs
z7SC5H`0Tr0{EXgQ0((a_copRX4_|RIWtK``^=!2jVzdKX{<8J5zptu$A$0a{R?4gc
z7RLl~2GAaBVUqO1XwL=4jHNl8a=V%+k~fAHx$oSO=)%1m&HC13e*;FE7rkeGaC$`9
z9A4d*ydx^wR}haSY)8BPG!gvK^kZJGPIB^=zd_0qc+=QNQj}&gM;BTCV4+QS=%M&5
zOSY#6<xvovcHrG1md*13VYv1q1(;GAic0t`<V>Mb2>cb;MGY_<XJmJw##>Rc1Vu}8
zc7*<tXBa%(H2T$%0mBx#`qa6TK{`bvv@Bmmv^k@fNK%j)cAZ1p+6%~zml^qKNP8Sz
z{5<Q0g~3rFC-m9oXkLo7&|J`uFngv;@|ECSgoxyxffz6A(U`eEBpx2d_Bx1)o{O6S
z7^&4+-9+w2R%6;va`b!#g5ib`hw?<$pEB7OEy%l7Pwi8nC*F8Rej-FieMpGgQNzYL
z2`Yt+j0almF@MyRCJEIE&o9d-tZJY5Sc$fei(a{O=`go{X&$|7q&igqP$gL3Zkz-_
zGDcjR%1K+WWDqcrsV8Kt+&=G4p=Jg*2@nC^25a{BpUU4>TNpBWgP+T=$buaHy_#~n
zg?bH1u=qAJJFVa2_;L0VRS}gt%DM6H{p4br+zQkj?ubj-H+BAIq(S~LY_lwHXi&S^
z;&A)*#T_8>Y@EQ3kdYBWdYeXbCp7bzVICS)w)`m0@ntxV=BUb1KMRtVbSJFDN_30b
z$5krX9+JPTB+Qm&rJw$K?~wdkxICzPeBJ%)qq#(4hz>f7U<8k@zg5VGD;m6*)6K-Z
zECK%&V6%`>$ARR+KFI?H-gznVY2Fd4CZ2E2-9P~JZN2+GS1SpJ3zV*LK*8Q1bE1#b
zUjX!o{QpxeJ(~Hmgmxr|gHdDo`yNmtu&`t2{DaTJ_DUKZ*s!WSdn6ULxpd{a^OwYl
zIBxXoJ_s)BN`WbkJVK2K$+65~$%^2T7MzD&nJUg^Z{@hG7hYFS<l~WLnQ~c#(d%OJ
z<rHH=fIfozY3B{9<12eqSotb4;x{5&(P!r{7*q}@2b-VDmjB^*JCX^6y!gFf@HCq!
z=gC;r=d{xnbi(#1k=a$%zpjAP{(7%@*Ow~H3lHt;wF(vtWl6la%dDIs(k<x*==zRS
zte%Jb{fXzTqYjlsL%EX(w04Z}aO=UDKPUaS&l+@Y#dF$#71X&5*3=+MS>Zb!Vl)Qh
z>ROg;FGri|J3=FK$3yvTHsYz$DSp^5@^w~7QdT~cwTKal>q8^~agmOnlNYoG6rgqF
z(iZN`;AD2&&tG|VaxY>J-l&=t7bbaPQQs)&y7Y^h17Qu#-PV@F07)+Uq~%d-O@{;5
z*gwYosqV}xgTgY<j)a(#YEi)2cnozt4U`Ocf2+XX4|zu#BY;bnJlE9uZeWtg2;7j#
zfw+&;V{s06B8|$c9SFT9^cxXO3#dmjL<y<|@CDMQNTZ$aOTIzvsZHP0r7AU`8uBFE
z>$FrG8r!Z=B(~4b+;ZZjnE6~Mi~B%>r->R|0IF{Fs0gO!!V%&i=&z3Rf&8Ta<Tynl
zuf;R^e|kN{Ip&X7a)T%Gww&zPP)nW!@?DEixpr!O<m{#UMYV$CYb#MNxJ=TvhanRn
z9c&&Rn-1{Q0q63eF-KAr&U3OWtQABw%Q2q?VD>O%-3~wbJ`alHB>R#*>+8Ug`nN68
z<CzY@qNoJC=?X75L(XP)ZE)uvaz{LlW646~F&kb7sJ$wxAhIL}4<6J}A;BOn=|t)Q
z$N_XLH?C~fD~Nu>4NC`&X*O6D#0$juR@UR{y5#6*R*^;%MC3y_X6-?YW=!eBe29jW
zmrze66KZ00?<0me>>Y6aa(FAP9j!5h??oLx$L{)6^AshIgNIlil0Bz;MFGTq@aoPC
z{>up^09&q^+=*tX9C*Jl(!kRTw{$>cbUS`K4lJ2nFc+jQyp$=T@mX!rUq$KFLf*IU
zLXxm#N-RFWS$Po#>+MX<@q0^X1x`&@)+S^S9MA<fQPN)(2{0xt7ygqOIT+wjnOti^
zlBGQ__0PZt@`RitflL+89x)FX*JdfICa4QsESs(P!bZ}&obN6punqpjzzf70G*-#F
zt~kU8XL<q`FgAOBk_P~MnIJ#XUG9E{Tz=S_O!*t+n_;P0d9)ed)DHRaN=NvjF1W__
zRd|#Bv1JT;aNP3|<@GG6ZV%;`SAQ4rw51$zuk6g2_c?=WEA3UztzbgYWNKuxv3uic
zZBK!fX;#^SyZ7>q`UhMkQA<OA&RZoxzHLvo92BFob<VY5gSSsQPpn(Xa1)Ey)8W~w
z0ay`KXg9GA$rB~c_0X30;Jlmrv81tcAMy8PxY2<=^eB7!<{??#7Mo|>P9jJ&^ODx~
zK5(){bF*q49TXYi2YK!QznhFw#4(g@Q46F0Xe(V<Kp^8ZsL}MhV!k_I#Gn>>9T3S9
zwgUbPcx)`Jmj^=6NJ{2A%$;QH-2SJEV&qvIw>qYav6q!z3bGQ{ZbxiJWT>X1q(FeX
zI5g~D*i7eB^vbCaR?jql98c(fIasW~+57#}U8K<dlV!4QaGav?7Frw!^C2?ZHDLzO
zX(<i@5kRtq0~-Q~F9|=*B*ijIAfG^j4`LEolpxUA=M^z_Ytu>ViGmp?*PuEiefQnu
zglDqRGd_3yBE{xSnXg^w!${d?yJxmK`c>CPorcyjykokWXY|6f@ZNyQZ;W@E;EJP_
zrE0=Uv(dJq`9oH1n`~R3wA4QN-ry}J<x?M$sbSz|2!y9KQDRHx0f<74ypCsU)mp>E
zTdK)Ci5WJmG1u~6E)HFYV#}uvlHJB7#BEXzXY}}{6kASE<(6E*l07$}9E**&_w+@o
z2wAC$0D>y~HwZAo)?)472ITvEyL6KjOf)Jt6L&@)zI#iWJOqJvGTXq&nfwMuVz-?1
zlQUms>^@Fg1@PY?Xm`F^n<z0QUtS;g8+_Lv7NgSJ>z3+e47R4vkfhh2Ns?P#c~|w+
zWTWsc551n@Jf@1l1Pq5Qh9RssL!Y|^h(~N#axfYP*9y6{lE)rz7DIg0bI4d6y!9v;
zNQEeRMR_LlZxcV58uDJv@1TcX(;_DpsNYbfz}Xchpp<6Jt@~u{E6Gdz&*8f7-i@!W
zn5r?W68G~TC|ey%88>jd;Kmvqu_p4&K%j->5`wsmm5nVP5e9%<(C;_1jIs!Hp%@VG
zLp#DtbyNX7XjwY?ci}K_XN1w=$w#10YX+h&&{SQA+;m}3z5pDTWJ*$*UzEKmgQ|DP
z3@c#NSW@C+4ngw;W0_LbECP*-0&N=^yI%|cge>lK!m0FL;D{dM$KAhxW?5<IDWPZ8
zs~dxtH2RM~ANt1qc<49p{l#nJp^uKNW$?z%+BWBxy#a0Z64Djb4~i=SQUeMh{$~n4
z1$*s+aPL?J;UV!9VnQ=)GRrvVF%i1yQ+<vH2jzk%gOn*wx!D`}%s8{Vn1@LIQ-)_F
z51ZKobKdW2u~i?ofK@hxyi2ZtRaAU|tZSaa{_0_xg|I#`lQA(!UPvk$u;E;`?pSr`
zQAe|BQkHq{kjJ9}F&XxZ5KUIsFEJXXs41JMm^dXD-L;m;?dRrhu4x!5*2ru%xlUQA
zRBZ@yd(G_Qv}vwZ6k+Wbc?JS%&sHi!M@H<@G40v9Z#VZ=Nv^4K)9sV?L)dDK4X{KH
z<szf2y?0}0M02fmlJu=c9E#N!0!p^GuH?SxalNOiw)NNi>mOetUqrjiUZ^3`Tqy*t
zb3UE1yRHAOn$_<ps&ss^xx^U8Tlc_{WmSO&nbMnFHO=3Vq{YuiChR=UiG>SJ`dYy<
znqfb~hVh=pb>i<gc-WRD;Rk%sNQ3o*3%x5We6+Pvi<r7m6`^eY=t>rVpdQ%Y&4d*R
zg5h}=5?eym<R})^s!<37$SjtLBD$`do1R*J;kA`V-k8eTrE+6jJ)$!#MWza*r?5xA
z+FP%gxLi*j?_giB!8;TSU)~Xcg2n^-=jf%U5M!f3f*>sJcIs|3L_E<bY47zv*iE&9
zYZ&mxOKp(3A3tkw)GJ-lxCG9R?(yG92Ztx`Zl`VpbR;$pA(abYdF>Y@b^=w=&BH%+
zk!b^cz5{x~r)&36t7dfDs^c}0#+R`$k2PrqGqwwyj&W{56?C1|8y%+(UkE3F7IlxR
z3)>_9f8ix4E~?Cut6zr6oA@P!s5VS!wrF$C(T~C!#s~CA%zRweN3}Fg6JXStP;orQ
z9)XMB_^{>fupX+7j=aYr_f|-(9sa!~q;_%ZQ?cCe21g7f=XC%T1IV1+ki=MS;?)m%
zSz#jxu6_HrYi5ql-{Sr-JRq8nxe2ZO1k66n+!&l`<-4JJ^YvoUt`FLuF{WrBf|MhP
zZiJ3w(6kr>50jppbGLLeKTH%{X-0}tYO1j5Fb)#8de(BtR+V>u50Ew->L_nLj6Qkb
zo~b&1l9uSue5$No1IX)&T6zb&q_`vsS&)E(d<s<r09%$MSg2-#xxoo0{~0h7kVyc@
zMx!-LVwK$Mq*>@JIeyZSZH^1k(DjV67;_1+L6yV-+Ozq8$RHZa%+4M4VQyryXf1!5
zyp<&7-~CXjnS{e|sye|hUc561nK^77$S?}U7C82WG$~)=R($hLM$kgf#JV%Q`#O5k
z<&av6I0QA2wiVL9jz|%bR_3eK>kFqWlzU$%)xqLZ72E;=K>TSrqGveXMuj*9-Nw#1
zgV7jD6MJKy1`ZZqIGz?NaN=ASY1B|L5TEkSu5g;TU(P<rRKKGome-*+Z^zDyAlt``
zLsH9z9&y_q?J1M4ZQrE*!cQZt##eE>CIerhFBDfO+%uVf$L0`Sq97ojTftj>%!6{I
z`ERXt*%GIx&yasYon64~*I6X}Y>)JjA9YHKUrXnlECZmpGv)eTzKzpt=18yvD~t%|
zPKcr)T@LFK*`YL7Y_c^2D$h$LVQIslLweR4BtGn27*s#v{{btW3Ii>ne%)d=g-yS&
z36vAWBPE;pH|<s!TLZmzP!REkvKdU;jyhiK-$#sH!RrgruMM^T*)1XI!S0BO{*V=f
zm@!(FrVwpN_Z)HY4eKKb#PE7g1t<5d@RRKs9u`pkLd@>GFl*UY2hS|td`<*Vd4|W^
zFSsFCp~%#(+Zt@_9OGZL?lQ^M<-jZoSiE_j?(Z>Cf38q}+M6P?K00^B)Rwm8CBzou
z9xhAU#{<T%CPbi!*T9(tj#JSJ;JJ1nt5`^LFpU#)&he-Q!?<Ev1AUa-y8|Bz9&e+g
zY!7&vR~M)o>v?z5&_!+z#I0|NqV9D)cSzOrrGQ74ohybFq&hHrP$>COd7@$fNYvBr
z;Pt_2d;n`7+`O3#H;ve5qWskcuf<r9WCCXY-fyl;FbE*;h1q*Jm+z41K=VC|6D}$}
z^vYJk++t;bzR2#4EBczsJtZU+8Vc1N9PuWy%TYn<BVJ3OF|>L^5y1-O@<3!o6Hl4e
z6dW_j_gquVGnt{k3b!f+kZ7o{a8>M^72CfA&U;ElJVQYoPbb*us4i!R__T{Nq5z>K
zQv=mtfapzP+TC%_N%{c?uC66Otrt9K9JT(4-jN5^MQ3~NV&s~;CziJoNgZZy(Sx%g
zNDs=W#`x*X<^b8O(tsM>#p7)1I<kdzx#>ccaO!`&30J^jqH5XzGytCQ^@ZY&-z=PK
zC(-oq&K=jUSvu4;$QRuW7{j!FN}`V@oiG^lrLv;r2by+-VosE*n?%w|>0%_PHjUu5
z|K(8P;ODWVWE*yY9lb}?y#SvhadPnh6_V@SYD{c3h1z&Wj)XkQ_Z?O4_zm#7ic6{C
z9x%ZH-n7|$Z0bm2J58}-b2SzxiCB*8mQ_)-#lpA&Q<=|SBJFedVcMJhOA_c_e_9|h
zd@q?Md>Wi3dqXF~)Q@dR2a)gCgVo>5Z9)X8`UKX-Xx1<X@eB*^ec*v)e@-!sN0JiO
zC}D|XhvWlXNzctePkZPn9%ABIqAF+BMBy~Oqu$@tO@WgZ$+=<-W5^-nT6P@kv}wy7
z!r=<jO&+sS@%~ht#eM-BFkAcVsY%OX-Jk+5dEA0D-Yu02&eeW*ZEoJw<0LhGLi15g
zwz}EIklq+WLXgV%^adNN!Ah{MNbqVWVdM5dp;KBuBp_h*gVn8KCYM8W?1$VR+XT&{
zIVD!TnKW!!03o64Mj?Ex3mag~#-A_Ad@wCx+!=$;=VAKwNb9a^C-a-otwT3p!)XZ2
zvgQ$jVfJNIyuK0ODPTwXLwYXIJW|Pp_2e--pp0QXnZ}V$&tVk2Z*^{UAsIL2yQ^?x
zk4@vMfOA2dVK_}34R5n#H#PGjO+ID<Uqwd^GSsp;puXQ8-KRo64TzauT-)a`Y`y)G
z-7vDD0562nbPlyQ(FX~|Aola}4L?8zZL{J{h|m%<2uZF$uRDDv&K)%HSXLd!!wQTf
z9}h(YTsdG%C4QgM)_#cQ8U#Sjx4z*2rhv^pb4OjIP~aMo^PmEXZpjaI`!2hwSeBJw
zSrLletDy7)T^P`;%YTEe{b#^@?Y&oQ+E_RGZ3^JV!J5W<ym(KHfCPjfC3nRItV>q_
zBUv+Uf+Np!Y`BmiXkLAM_i)(t8;ebc(@YK&5-1YE-r*Z~<i@~NeR2QDt?X4KO%x(K
zl8&s&v5fRov|&=?2L@S9q7vKFJ!I`0plXL^ZYc)vu*;iZvpjXm9pq!9fc*XKK7Kql
z>(1W5LnrBU_VY~fo31LJKdH2M3FlGq(i7uOhC}}l!^z{9KB;Zd=I_kVj*fM8hlI@y
zeXGA*Kc49-6@r&%i5C5@*1i%^J(o2Q^ATxDG|lEXGKA2ZjbfPAZ?veXXsBnR^_-U9
zqP!nP)3x1k_;D)x73{P^ntY}m=6@<e3o+JRm>~J$hEK3tp%)KbN^nk}TU30}f~A0@
ze6jJn`IV%d6|`lmPRk2<oSBzEKo4ueXRuWX^F1dCQ!^Ekeuknj^;SK*KeC&4*g+MQ
zsLx6QP%P(e`(HY+Z#0MP08FL@sq@2teZI9s<a9zYZ^fr|a?~zdT;)MNL=Zwl5{Z~^
z#ofs0d{7tK+3<<*)4_dGNF{#%zLP230^|YKcVW;`3lvYC!tl3Tyn(!K<XK4DBW*RY
zoGT#p$+CZ6xaUk#VH$9G#*P^}OIOS9cjb#}yIcP@s|D;!g=f(m0<UHU;EOmzfdlBZ
zq0tDa5Z+~#(I^#lKym&U+11Ux#b_ND`{6cxD_21k+wDS8=CxeIBUmbcrrVfur+j)l
zdaT~g^wu0T&TNXex53!q34$nzd;#XV2awZS?YrmXYIakbM<JbZC+de$!7iTN+Hgdc
z^Wp$*Zn?TEkY&?rx#eVWXJo!Vna37tzRilX3*~eB{<}H#!lbQK{<nZ?$ALPf1RI`S
zYxtvozcKf1nNcHl0d3p7p()e+@0w~^#16smdskMUX*)Dbepk*%wMeZ^sb4-QfgKyD
zIe2Jyvut<UA}23FU8rHU_NXXVKl0bkh2LRPM!pg>F!&*PJT!wO(8vF;wL04xclcP$
z`OYpas;yL%n<kf9FRs65ZhWE=Cs&us4)I@Zb|gMUc)Dcnx>;-BoVbaJz|;}?$vvpv
zRfLrFw`z|#O&ZXm8nHi1lEE^sD(jpZ8hu~-Lc^nwF~4{|nIT=pT>3|8zIHH-dXe|d
zd+riRBsaWu1sqeC{lNAjXlIvRtXK{O!vJKdoe+w_y7#mso)atfZY&>!%7xDYV5>B&
zG8UJ+<iy^my<bFkvzHcvMgoOq0q2FS394A#6eeOmYZuXF?t+Vu?bk8_eOU$F4r~~I
zlc#a`qOEX7hC$xkjIBZ^pcTxC{;wZM^(KkLUj(aH*9kyTIO!;s4X45jfM{(UI#(EX
z&KP?6kW_&lCyKEam<*V!8KlKdT>UtbwxxAeEhH-K16cuX0&jWJ5Ni<z<x5%u6~C0M
z5!*pvB3Odx(f!t%2XYa)!xBB?Iw>T%+=kj4228qJj1dd&NvhOpD#K?8h-})|DM1;c
zUeXo0X(Y+v{hj@NU?EpQYR<x#N$6{n*~)(8&w(<&!IMlOHt5&siF1jN8rm;O7?F%I
zJUpV8C@*8x5WEm!A*2)oL$^pWXcHF**>_N0)5#Rw(|DaIcd2)V_o`GxayP%4hPS>&
z`L!Z+ml0X7==x)V2BcqC_pZsu7#x)fj{NbD(=$P&&mnQYGnIl`-M=lVH6`Sw;A;mi
z^tUtio!_lv4q<K3L6}Q%&<h_ls^79*C6~)wr=yA?Pa%5CS-Rw4#|D*JXN$tlbAE3w
zbNrSLevbLy4tiZ^NtEZ+uWGasc&9&>g2HpsDvl~IO+N^C!lKy}yiT3+LpEP$^WIoB
z`mW0keb_zRPaRlW18q&OJ#Tm5%YL}%rx*GS1mpeeIt{3^p2h!D8X`|ycv$9tB3-CC
zrqGUOscNue{gnWxJi|+zO9i_}e{4JASd#3#Z8eve;*@mKh%QbccNA4I`=3;TQ#zYx
z59tb%BI+IO#b^r<%f)4#1W^pC7f4|HfE{D|=gCa{5Gq!Ewh%ZbpEXbC?*VOdZEJR?
zZ0yW`loG1;z-2s<dzr;#Z(U?$))RQ;sa2SWo0m>Q?r$J6Hj_7YBJyg~>N0kqGx*Jb
ztSa_MXBXzWy{yeOOK5p`JFXEy9JU1tkE1y-fvI0;Yb9Kec8I~*Y}}(72(#KJM(guV
z+$vuSf_d->Zo1Gx7%80ww?N|}gW((!80VpZ+8n!Fq&V0j59QV_dlAT7(ToN_nY5js
zl0a8|EH&VM8K@j6rC+5Wf!T1$SftK;$7z{H#IlI{hT#Z}b;uFm_@9t_jsSu8&GlQ<
zg|*Yt;ZViziE)x94~6M4QOy>)0&>^y1fX~jOLil&ak-PIr?20IO;8}(^GIPuJ9A4j
z#jZbu^3s&<XzxT4_I?sr{@F2bPpBWV3O0nQ@OKqN_HU5-;Zfk2l?O8HLORIg1z-^$
zaV4fC!m+@$@Cc^)<5<5JVdWnEg(HeN2(<olGJ5y#XAZ7JTn`YNSl02QY-ppLW20}b
z5ISBo_NE(m#fu}}bEVd3`OyBuCXVd3_b+ORUJ>w?S8`2L=KGi;oecOy)m86FbVc)6
zZIYtY^DEW?RIK*;MxHV7Z~1-!>F58AxfV%|cG%W2uqg#x*Z4R^eAI_TW1054FL7fF
zqclto=N<7aRla6Kk>iew(|2sojErw@y0tO?Wh{NKG7B<?#Vy{QI`r#IVO@?2!tPvP
zo;GCnF0RX0HT(YU&N=KN1OcT<&SYQ$f?`T&(N+-}@d4C5?f^>$=j<AaC&WFetqymA
zqO!`kY!BC+>h+bes9w?f5m8E#qPEh$C}z@H<-YSk9}`>nJy|F9VTq1?j)izFLiHmu
z@!L}YhLY~x1P7e~E>a@=XcB6~w|>?Km9TBqKYi~WV^h+F+x9UEALsuqh14==jotA8
zxrMXJZURc%F-igN1m$Az#S!WIQlXWFw7<ap0{=qc6#tf2nhrF3`{hkmS8vT*g%|`h
z9Il`jb)l`OG?mD5`?;eM-Hp0DfHw6sJEKjRJDm3?G6n8fH`34ZyZO^mlY@2~9kb&b
z@&6h_$LUUYAIyc&GD+VT5|HQS8GsjqlSzYFcWh=#ZP7;ofg()zxR+?~5we?it6{d)
zHCYrPY;1@o?j~hzv^sc|ZPRH!qVF`5KHha8SR#n{q!MLjuNb)zpU9^aJ>=4$2A}0z
z+Ufsl2f#6j$AY|E&Ha&f*OW6r(&ye0@zw%{6C^iV5}YgB4%a!hzN5_E%ovADcw0-_
z3vbNxbUc=B1?{KgUU|4Ctc4w*dv@(b;0pH5Q)l}zTE4J}xm*9Zb$Q6@v2R<<uEv(r
z2i*jIv^)5s^0^pd-E+XZ<0e_+XiU;0{<Cl|sdqW#N7YyrL%{h&{<QNK6{BKm^T-O~
z=nIqB!wKYDucd8R{+R@laT+vRnGxv&>^jh!-;{EAMre{*a>h^k2~s6m5I%I3C>wT+
z7c%3^-Ew3&q$=m6$6$yYTXjia$nKpn)~fTw-Z2n;`Mu)b;3#pPY+}|Bt&NOfl8JMl
zqA$C4Dp1kHXpJ9;!TnJFxg5k;U#^v>B-;8ZG*+JYoE`h~?xrmT(UP{*YzHlw%=$V?
ziAU$U>fU&Q0}Zb;i?{pi^G^>!D5nRcF|J2)T&v5|8%9SS@$=b832g<rz~F2Gs)_U9
zwjmc7vR(wwRk;2mCzl9BVSI3B$}yb*QegSut4@i}Y$Kp&*RkaDh%L`tCj_^``r2p~
z4n4JON||tPvM)OMcEd+Zc+gjT8>+h#NH@2Jp;*KlmIN}r0A9{zVbTsKCG_a5O5swr
zkSiJNO0msIZD59K@JZ(_R|*p+Dii<yrbN6Gdf>(?$5LQ9q?3mGNNJ~*Oh4CSjIc^D
zA;K&*qz5ZK{W$9*N@?}!LZR8J+n7C_#@<bj^kuJWtH0hjizr!i#X*sK^o!j;Y(C*4
z@^K?C(LG(KHEvD4lR=g#06QkF#R|!Nol^A=-w8BloOMFGE_$B|f?&2m+nDMewd!i;
zONjxmfD3RFi12|Sw;g1=(gxIDxlRPx0Q?gYAW?g;wkQx|JKe%yz%L=_^6PMs(VVW^
z?Pi70ls|7!+h`d_zoNHwmO}`|t?6CNJ>EX@){x1kcjYPPaD`J0CA-FU;i4yO6IrH%
zrH8dLK=`@GK$X_T4;_I1miK1k80D+BE@tbH*HY7#DyS2!&<C)BjG=VbLVs9Kdov8}
zeB?kkS<+bJ+26JU3`^)mEG#f3-xYrDJCVbvkW%0;HB$0T{?8UD?yP;EyzGw(;!oH*
zV#zC+f}mB`(WnL1iA1M0@;10P4rQ_RR8i5^xw;Seuh%KSOYSI-K2Q*NR-KYYb?3VW
zpwcm-GUW5>w7>`>#PcE&pvuy8&-8oK2f%%{7kuVkxR`EG>tGJa>=XZ;aL>}v{dfrM
za{Z?DyV!NC=0CpdId!3Lm4&eZFnBgn+Ot8pIAZpWRg)>}TaoHk4AERReVueXWP^Gj
z7e+1MoQf-pU5$DA(l#3sZFYZq`@zkkXK~qbRl7bH%M%O-47+1p3|YHZS0d(eBFnSA
zTjuTGk)rOVvIq}4&s6%+<S1`c*0Ocz+11D4u<~SL&Gt34OBcy2`?+xQ&xx2GTD~Fp
zaGx_;L&_5r^bb*Ke6Mto{vdy(l?gS9jp}*RG}Hfh;)5<oH({^o^)%L9Rhv_1dN12s
zZ%d<6U;7sIuXZN$)HKH3@U!)*(!0AtCq+sm7bNZlmzamSNjAy?W!#40t=3rw%YYe4
z3K1^I^+M+-%F<h`5%=`41gxGYy%_0Dc7I7-^`a@_3%T|s#f8uT95xy!=!~Gn`sGr}
zZ9=&tsGXp1Gdw9;@lxS&#pu#)+pBf$EE|Jlut%xHIAC1+ccE!zUglLglkm2H8ai*D
zJ$i(L4f2tG?2_FCt&%Eb%5RciNy~&Cpb@_JsY{!ujj9QDj~GexgtHkop8Ii*pd~$S
zjQ#S3cSufex1D^@wh$jtA;Hyt+b!EF?i}4vs20~Fk?Ru@FaOkK;G=hTfpI-3tWH@)
zq5ZZvJSq&o6{`tu(CP^W<f<66s0sCE>>rvQ7hbZYt6?rfeuSKMnOM!5{LcWpNrVev
z9p$rRa38s84miHO<w1fy`N&@6pw3@4QU91gEFrXzBNW|4Zxr=6vY{V>Jyd(V0|b1f
z!RM~m`J|?VpbObg*+YbL7T+}(xZOdOXkmthSbPHVdUeH#`K=QiJH(s?1{uP-<clo=
zZCn#c%PAjFSFZnios{4hVIim^Nus1yM4Raso*^(PQN{=fa>94*tw$Kvxk1z>+S?pB
z_2pH7nv0e$E;RHMRexY>Upoo#xRx^@>LdBBp}t1NRp(UgPJanREQvD6HhJoCf=Pr)
zDRw=(2mIuD*?_0Q*{c&%B%Bray#wa=f6~siG7kmWxmuFs_Pb*sSG)S3t3A`5QSQ|v
zxXOS#0N5cc6{x6od?DX|g*FDp9L_kXy^9wp`^fP-dupJn$In#?*hf4ASi@ysCGqjh
zkWbQCbhgNH730qKhzg5-g$s4YPBj5=KnU7g+|ce)IJ-E6;AtY$JUl<8xu+p&%H=OY
zk5>lbc)oM~P>j%Y1(Tj9TntChsWWLR=|F-88zl{%eGx&`L?iW^`S)tblz?x>DtM}j
zh67XzDuf_QbL9Lkee-(2Nc)aXl*P{w$N~IXVVk_vz8EGFGqxF3c3&ewzPP4)Rhjrp
zgH3h?@hD%T|E%H+#*A{rf6y{d6-ZkpgUJb4d~?5H-F95R@N>vr*SU9Q*mE3H+5SOZ
zqb)IB;MnL+QNfWime&6g#v(nB$HS?Ahxfl?QU+MkigWnUapBS=!oUqCGyf5cNsb8h
zH}~P?Sd2rb)o~=XD~=C6dfkLNArk{_sTYQmKw<6)cjt!Ao}Apm37TMB3S)(lm_OD0
ziENWiu0#fhUKZ+~M*-2aKDU&$VdCmDOwqHSB=K;&ch-!%Ov;!UuQ$U3!e!-AnYu$6
zeobw=OgC{FzBOa$$Gbr~pzj+u8s^)b`kqMT42&f&1uONxsm)a2-{SCIN;fb1f@7{=
zk@=SvgvB@tjusMS@0WH=KnZY|3<o|%hkp1IK-<1UJir2+Qp;+9<B-i^m=Ferk3#~~
mA-n2;$SnQ&NNeoAb}o?f`I@Vv_g;31<~4pyIg>>`Zt{TrNde*j

literal 10324
zcmV-aD67{BB>?tKRTCfGm>JdvbahkJLIEx)!Uq=bC)|?|Lh18`=LwUyJNFW*PyjnQ
zDV)^er~`T+%qalwf2Rc06t+p+j|$j~0m6<`zKuK03h#x-Fz|z*262!gn_d=*h;3se
z;7T8qWLf{Nm`cQlLWRk#oYA)RLyeYmcc|K%XvCddsNpWym>K5^<!Yc9*H(^rtKT9C
zi2ZlIoDW6B5*(&ug7dluOtBNn)VL7wqeY)e`os#Ij7!Aj*&mo1+`_MNgbNdb=%DH{
zgAhXK!m05-o`;J$GsqZ}E75MTMfZe?ZYO|{;Xt?G*4S#PGl;*RI8d75tpMgEelzI^
ziqkunXHAA;G%MUY(*~E8`?M(t)zB@fp!=wKQ_$SN6eU?1cxDtWQQ27g<kkRV2c5;7
zzb?@En|i$Ce^qYAz{AaYPlq`(be>AkAjW2>r+k&R6=g^8?~v&~q2$Icv6Aec(pH3i
zPFv3oWTSM(cmwF$GixF)bgGWllzE&xbX;_nWY>*w>5-MK83z4bV|gsCS<p<Q)tR<*
zB()#6JvzyG2}Y*Y>gTYJhEbA21?MiPj##N?qoRY%Bqiv&?#R}%ly6QXH)j}x$}>D5
zn6SATC%?c<3Za-v-yOT*jrJf-7qfgdBwuMlU*KaHM+6fzCs@Ui3pX_Kv>&^1+@YP!
z)T&6$G>VThh@`%Mxkf#`4d#kU0PEIouD5BOz9zmMCwOs~zYW?hG=h%Oai}MTaKaSh
zj}|~ToBy7~DUF$Wbgqir@6S3?r{|uO2IMMCQCCaNaNb(J#9Pg-)i!2tGAxUl?-9p2
z2jI#F6mv^Ruc4im8fi2GlCQ(AyjnBc-IS8e)vb;sX9Q{^i;-+ZA)4rAdovci->|6l
z`TR|W%~6x`|6aZyAs|QOsR+di`4HVLf^X@*YF2&t($7{f>0~4u7$2oVw|dzMSDde1
zTo$_NK1^ie;fLf`ovRnf+YUW~kmeOEDTW4;)-V*XOZ~+e*rPw~g47;*CqXK`lM-_8
zeaSeMeF1@EcAK{3C?Yx6F^LA9V3uEY{``=xfLXN<&ti%}!|gPhaBE(ly{Kp}?0KXQ
zWfMOh7farrIj)t)(%|skd%n7nT#rB){w$nHvk3wOLp9kSBIS?CT?wVD5!*s`AZO63
zVeOv$?ZJHRlvToDy-rgBs@}4by^G!h)1K|%u_oqk{@8>uL2(7@`jX%9mS_fGwT~s{
zGz?G(vqqB%;C<yS6JC7sazI-{!UqNHc9GjW4m2RU37u;E6uQ$#Ttk;V0@1+a;f>H~
z9D$%97Y3h!^%?ik#nKp!MPu`d_RcRCi-U|7oVMh+KPdax=RgNt91X5C*7JCVsxAaj
z@yb<h9XDSDD+>Nm2`+&87m5>8T6t*UmVE}9F!NsqWmhycg0G5vS0Gx81aKK?u(wUS
zjD;6X&%*F%SGMg*-G$zmcQ8tUK1KFoS9jx1Gru***YCZ!-d((9l{zzRcp4%<2eZ6c
zU}+{mH4|jqcdNRPE_@`9L=ljJHEs`Y@j7%dJxF$7pcV%>29k7Y5x`rUx>!#cK)xoh
zmy-nUwYhqeF1=QGEC|a`ObS%=cOZI8wsSIoWWrxT);bI4s5Girx-PD#kZu7m_JGpZ
z;9Vspvkv1*Tx>FP9N1ALdZ->9N}>6xGP7`VZrLi2nlHD`p|wIRhlC1<uFDz!TJZQ|
zM5|zD9_}y}fD3uOy^t}88P*$=38frJ84U;{SmBHtS@}9P=H{AV&?qq#q8))xme|V7
z1$81D2T=zY!>id2N&4zQr7y=S5!h7}FJ@MT{1k?Q&9LE7uy(oH5&;h;t>`w4(H+Dk
z$X=L5h<%(;>U?y5oM#PX2)G5dXxse&x79^X*i?zGfk-Cc!?KcuiH+7T&V@hq>I|9D
zoNkIj)ms(aMe3BGpQWiXJSg$h%ZQ~8T$n4iCbOE!?#IHRg=Z_DasO|uPbYhAvPxjX
zR|6S@R}B1(%6rS`Ju&rutnRGC>-}+R(E^XBChedDY<)!tdO}WYYuJzC2VKTwC;-p6
zz<gQx2E|SKl7%%5nf-z8{;?dc7=RM@RUk<F>c%T3*s=3x0VRnHLkvTo!P>nv2Rm^>
z1jImCVJ<KcU(=O=6y>rh=kcz2s_B{pioj}L0%cR!Q*3}9oose~ZJbSd0-eBLHp=nT
zGl<tiaDL{Q7&PS6P)AwB6LKmj9&sFo$SvYsot98}mthZBPg~sLGq`+&WcNhg{`ji)
zjH@XqXGo53nRA+3k8_%<FICcB;2^q(3Q3ZO{LU~>FybHL8=3^Q-8vojpE1Dm+*l_X
z6wgi<&fu{x#()-5+Oh{5tulv$nZLswTy-67oaPkb>QIQ^|4nWH%7B0&By~=Zr&#yv
zP-1BZ=lM@{5E@!E%s9uL*_qZ#P2Cq=1nTp_yBOku9OI7pWJ*US(Ej-v)>KtpXkKu&
zQkZ@51X3?mxrtABedtfrN8*vQX6j?91hHXA58o$_YroVh*vsjvE?dm)4p~uOpMJ7Q
z#;^mG#XoKBk&Cni5i&hi`6zNnvHoDolnLdvf^VMQ7AOBr{e&?|e~fHSDwd<r?z}Tg
z#+KJihY-<HmpOjmK19`qhyfJ^lO_+d`bbNJN=Y5ydCjr>w$iR{tSiZw^^UEaM7FYU
z=#~Ntr{<dPZ`EE7^_Gc8YJ|$LCx;NUDC-r?lC9CGDulNs60_bdUFr%qCfXHMP!4%<
zO)2*?%z&G?qN$s$7BBz9wC$E=;lfX7eI}i4B;Od=1Bz~r^r;l@>E+rr72hoi0+y&N
zFch6lT9?8LeE4F@nI%ACWg1O`<Ob%Zr@|4^>~umX`)_u<ydqcI22J&BCB;c-UF1xu
z;L36J2${yw>5}bjOOz@h)C0VZxs>sUE_}jW4t&0V$Rn_0^*@0b=#+D&HM{T^)g>Z(
zDC*1YeSHQ;!;r#&iriq&1ioBgHq-{horK~zr~%bS;^1~jwTu;7t(X2|x6ny%*w4x@
zpddsHtxt0@x;2`OW<=j4OwItsu#tn=3QA+(X*R{+<Co^>o!<g~tMU7j#K$W+iBfDi
z?9(lh;_&EN1tuA5dS?7ENhT^-L$R?3g{9rHFo1ITfAtV)>9G49pc2Mj5ir8FL(2_@
z7WdgKe$I}2kNIu)9191HeOZ@|a{{sgvecVrFj}>IW>9d<E#YCG+c2gTyDqgc%!5wK
zBA#@0tT-#dh+&l+LkuoEJ=@jTbV=fjAQw(3D_F{(>`;L2gUx-e@0A`{j5UfwFq?$|
zWivU_(R7ZJ;Sn#-`(h3=d{|<>H*<xWkUxY7tnrhf>pte|63mBan`w?elXFX(PWNm2
z&=9vTsxeWWm6^DD9-MCXPoF3(MGVimh!Tq71x?Gh**8fDP6x93ZlmRprvie=8pAJR
zE71x*`k^e))~kE-e|y8rg7bN*wo7^|Q!`y#aH{+7y=h~4VDbbT>8vD1+=+)M5{4ik
zfdF)NVlUoh%Se7TZ!~zL@Qc?QIer%s5MnxklM~w$&n1JlGQ<6xfw1RAzib&=*n&X#
zG;ISMBmorWaxU#LS{?BK>@Hag`FqU~IYR|D+(qk0d%Mxg$j0BZLxH&&d~3iePt-z(
zjwH%ORa-7HtlJF9tnr@;>%Kt!JWYF83WFX?05#MbMO(~*6G0*wTNkHY?cI_(f?P_S
z!;vI~Y8hf1%79nbXHJu1cR9&nsP6rvuB+$&n{*qJqmAG+VV^IzF$A2+c`%V`JD$bJ
zi~?@+=l(K+z_P106L<lsctDvqSSSByzzag=0Xe?8Ww~=Pd~M9y63m$!1VJJ+6pLWw
z>+-8Dw#z`Sgahsjf=ER9^k7`x`^tKJ!n0$KBFTLdl#B-jBT~z{4f{6}b(O9Z=R@Op
zL)A*W2lO4_p`M_S&@D!hU)M5{7sByy1ODYnh~jRXDhFcB^C}OX9`a>erfR8Iib|Fv
zOs;O#fc+L|J$crL4|-nrzRE6pERCt<P*}K1j28bt!87gFh=sGPhmX$MAC4m^89E3{
zY&iU5QRI$qix(*?d3s2jfDb49I!`k#2?Wj$*RVOVM*Jy*Qoch!)(Kcl1?N3!eGKbG
zY%Gpa1j#L&uMOcJ?ttyI-NAMYNe}G6DYLfm__V>1Tkxckd&!f2-)?N(yzDvC*o%E@
z*nQi<YKw8f&NAs{Aekf)QL{SmDu+8`b$~|-RM^S~e#6Txagi{z=w8?cyn54))xW-;
z0!K=p*O{S{;NJ7y#j0=$buGjv;56F==h8ppQNtflOX)}TWlNW$zZznTFA-ZB7OAwU
zek{WMZ-n~1dcD88otX8FUEqBx|GliCLRn@qXZ*Vr;j7zJSyym+@qw->h@Q>Hku+?d
zbAj(a4`SyGF6p;qC4m3j)d5C_)3hSJjulZ>OZ=avjOQG<zIu>`XhDgVQD(>HQCbdB
zyBl%+UrG%b_W@TPnBbC48+W_LFPy2RZ4o`p|KWD5l+%JNn<ony$_d?EOn`|JVcc<4
zD;y1q6pr1WKpcxj(0*7lDFaq6S+;Fn1dW5-Zlc(4cK4$78D&Ptxbcb<1D`igV=;V`
zm#m=VU$wE*{9Bmhjxs5=W0fYK7H700U|rH=1ntgt)&e9PdqizPH_oR8e7vX(x%~e=
zJ=>w{^86*ryb0LDiMovuY#ooBR4rF|^E39b3TL_op)wy$Gd~7LP8v)x#>NmfgYoW%
z1LfLz*IbY>T2EnN&WV<Z#IiTCmb$`i1N9(^ZU*<kWV}QV{h50LMPf;~ivkNqV!yKg
z9l;1&<diI7;mxA<(Hf&Ac7<=+h5)U|*YN}tyj0fj{HRiUuIFkk$(%ecTEa(2*H(mz
z(a@USzc^wRx@jgeC$hWZLF`~VW<Vl&Z4A7B`A*Zon8~gl!g9K?_T?mL=T|@8>6d#|
zOp2B*^l#vRJs_bUD_{Z;VFgOfA8IKo24Q$|=}5toaRrg^wPE&7U?*LYcz!;*=lZSv
zZ_~4I%N(8`II<2*dOHC#n6ho*`>K6v)Yns}(6<B_oH_}E5IIz|cH2e|+|b)M&IoFR
zjmo3f3{;g+T9hHT%q74<P&xMM1Z^vJI8LjGMiU2$+S__swwcCeUEV9qwt_;Uc<BwP
zS+gHyX=wdT;d}k)M0JaIf&t|;EcB~pTU%x+dX?4F_N7C2HX^a{BknFFA#bEIblLeP
zzAz(_7^3e$boZUNJnEpNVP0pM5pPU4f5s$;T+ATxu*}$p>UYB_9)kX^W#v6H(A_X)
zeGF!mi#$wiR7OajS92R)8eb<!5wkR&&S6-`I)PT!X}vN3P~T-!+Y89gaPYE=$ldCx
z93y?7n(V}=U_mlQ13379mx}cDOvn-F;8P5|pJ1kp-lW@&>O0#658lo=RQa<FW-F@9
z3U0KWxk@Z*!6ZT$6(SV|aL<u}#OJJ_C$wezSTW<2YUd1Mr9A!HDMGGe<Zf?|;odmK
z<3&o4wf3s0lEu$!pDx9vUqA;HnXd6>O;RIy{ENgfCZPLZCV&eqhP{r*%a1sjWAA^|
z!62t%RhMz)7DSF5{6CPiF@eK6eQ%sNaNo=ooHzQPGyAD2od@ys>8Y*PIIxdif5XJI
z%_}hQ_0~)k-yMvnl-9S&F6KZ5!h0lcbVui-ho~W}%R_|z64?232#M`cD`#inlb=3i
zSy^(CSMCrq!qk?LPN=<X^1#Axu^K-E!P#br<pnGvNJfFSj-zB)fB9X-9xT`m+Fwi$
zB%cOf2dtND60TDAf4G`Wd+x3f?t+>gpVBDOFzy|^&9Dhnqt<H+QwBn#opY~cNK;d@
zbmeS8skL&>M0601UY+~0az$t{8c_xHX`C<p;^ASGfDu&G@V<b>Ynt_+;l=6ExMfa@
zbz|f(%wBT>j;5*CtRFUR*{=~KX8~kz+g7Y@`{!!yf$p2&^qX~VQPI(z66B*2Fro*L
zYo;6t1j?uhLIt2|#8#BeV8h^(B}=~No)19jv#5}SDZ@U5IdH7n6J(NJS>sYN!nJ6u
zjfY+B8%Hx<$q|lJmyp|PJcXoAGYJkjYgrbm5zY7HXAB0Ba<N(&WrLjPp@EORTjUzq
zTL6NI>@C1uRHNTTC1$54X~sZTB`g*uUd(j0N&{@#365~fCzET0nU9Fp^}HbOQg3^4
z!t@3LAKv^CYJ-^i#-%YUL)9Su%50e^U-$}n-;LSj#*(F@-xXIGK&4Q($R8UAgk22C
z`Bp^ax#xkXi^jTsu`vD7({`c8>Egf*w(5?KGMFvg{GK3}iSez~r|B@z`F>up`1+A*
zTpWOSlob-;4I;p-C~_!*LgZxWoU4ILWx%<SWqv@DaiR^ea8H~r?+SEX=gR#SL@DJs
z6IF1)Cf)mjbO%t!l$NF6@eSup$^lIMscSf66q^6@-)6i4(ljDkT*!LwM_SH*BTrM7
zXHjy+^Yz{X;$D;zFkycPtjHyffAm?JBNgth6yaLou~({n-A<ld;axXh;)H@lycC#X
zmQ)Z5W&ACjhCKnGM0z0C_pTF1uPp~TW1d$xNPB0$`#}O<T|CpMG0s}{T%$`Pb~seF
zUe0r20uWdYCvKhF%E&ueZ4-VIy^mcwfdq_D{SC(D*U1xS)*55n!G)-hFQ3y%Mu7>(
z4kR3V#k$6iHE@M?bToO2<?J%%D<|vp1`6BlrD-y)a-^P1(3y6OV`wRhX-Iz)Db8$$
zZgde!rWc)W*tS<hZk#2VPQ(?rvfA!z^0@v6i$H@7L29j77|0uV=Gp7@sS|ZwmF#5A
z!~}Dz?341K%xCS*SiY+rMHW-EzoWLt^U3#pB<e9G0aNWngGy`VrIBT~sejFFITPwW
z7>pFpYzT4wk_}9AijG2B`1isC#D_q?6c=V-oZ)ZX*IaZmR?>$17n3g6j%0BxoOE**
zy8~t>iXJK;gHWp+`uJ0lS3S1Ft>Jk)W#pJ})b^<x%&Sov*=xCQ$$TL!4>^!E5S?P?
zt(b3hcoTcrp0dEr)<mr}KhyU$v4x}$N-<-ZY~^tzV+P<O!Rl{VlAxImdvRINNpYhN
zt|tmnS)m!Q&1(ekeP+)%S#r3Wz8Z?_snU7kmu_sc_RRndf1iUh^CjgK{A~!gfwmXS
z%a`eMZo4t;zT!i8BShAZ8<|_4$28h<x0r@{y8N#%>PG;I1xZza6#}UeCk*6ax|?67
zCQ$U})nD;u#h%$XLey<dBXw;Z_KF*$Jzl&Ma=KLlgDdC#n5QVsvBlo5^}~lKNMgkz
zMWqis*LerN1?6bW@TF<fUb?2-HNFcmM8O;gGP`XkIRCr3B;yNBmebsNF^(l9O4TS^
zAm{-Yb;|4k<n!a>%h>iKtE(%DY(G<XIo*aNvadwn{TsSNSR{{m*=TLqPlTx>Kk`~E
zZ=arwv}P9B)UjO=ZypzEjMY7$?bo2SUf-PLzoxJr7S{N{Fo{c;EosVonHXgq07U^i
zSv9aCxph!zO7Wo6`p@gxMOvj~U!>76O3OvN4WI=G<E|*AAzaVm{)FwBhWP-}p;EpZ
zs%%Va{5?)}e@o;>5BsDHTG&Lf6c2wNfE$M;WW@q=6xFYaTL9)%85wOCP^90EC>?Mz
zA^%B|O;|r7NZsmR{{_KzAxahJ2QW;Lse$*1O~wZX`LwGt4b?KzdpqWwx<U2>ZM<`{
zsei>XteND_^sPp809nJQx`3^yF*g*oQx{Cd%*gUEwxhTldJ3_F>A7WKyMaRt0>knw
z{zXWGrst8Lb>B5%KR8*X=FtqGfEIe7%6Ny(MIqyUlc)SZvgS{&A15b_&||%ugZQoh
zy$LsYnj_Z09?#RJf$U$Lb&<&g04j33&1FAlT&f*nSbB{Cl7F$<z+<*S{+UFhhB-Z|
zNUWj@v`sha<UYnt;oKFATYCehaW%W(_<?$bfLEZ$-YO0dowC#MJQ@Rlne^vT^P*KV
zOlZ(FmOJpWK4iA}SK?uIpSi5PZ}I*cMDkyzX-85;<mi+2K@(-z$><za5><_n3an2V
zlNc9=(M7hR+~}WRMHHd7^+IrN0GpcUK~OTeGDmBfQ~Q}H*+kZT<4qs8pYi+x4=7Up
z*A-T&cmSW}WQPjTe~@C8mR0x)dZz9E0MJaK+o^wn97!Cw!J4(yHap|~x7`fAT!0fR
z=x*zT>p0QR5%=9PwI4DWqMU=VM)#|k^FOhJ&O+}fBwcAx+JfiVVp8^s@}Vq?1-BWa
zj6W-YJ70DL91*1P$d|v3mNqsHIIpEZv8#5#8ip(5j4+Qm_9DMI`kVm_Qr?sDe>ch0
zXKD_~8!Wh?u{ry+3s#%JW`Z(9s6muG-G`~EjUxubtt%{O_|`k?Qo=JnU77^8#Vh0x
z0j=T94l@9G6OKebtv1-gA>MxC>?iO;s5j+~2%?EnVYv)<yUhJ_p6DX&P!bzj)K-No
zQ7=H$ZA3*Ptyo`vr`#o4Y=g36`L?yhGBF_7QCGbJUM*A59hQ?@yGDjU<8%-QL-O5{
z;-ndZ3jfEvYk`oPKVuGP<CheMQ3ry@IWxq4s_!n^;eZ!6r5I~z9=$(su<Ees0e1F&
z`lE0Ot8d(8-)o2i#Jg7&{|r#GFibqH`4Jx5V^(602Uxam=&piE^(eJk_LdwEOzZcO
zUkft-VdM;{<>?-U#dy&V3_Li{Gmg*%^F!(s53#X7tMHEf7w{sOyxC~l)l3ZjJ&QfI
z4?me2u_aC7%Q8NM*JDuX#ejs80b&k5oTr5Igw{a^3^qUkm;7|~^7*_Zb9m8=FP@0a
z=3O5%Dv?bMV6!-Gq|o!7BG;@-uEE2VwZ0o0K`21Rj`O-yz`{9Mx7h*x(d~5YW|9d&
z%h^+82WW9%i<tls-4?>eP~SEm1nO6_Xg+e3?0c?j^WV_W5^35A^XYJc`tI!f0CWP}
z2S+`&5r-KF#Ibs4lG^laJZN7U(=u<O6pm*#DikmA#KL<<IHLE;vk%BvU`4|LM?A0^
zQDLXesboAGlXT1oRckA4@&<E9wO?Ul<4k2}C7K12FjQK7ErUv<=010AJGbQpbl++A
z@St_!7)o~R2e-3)rH-sw+167HEdR!4ZTtZKYxvreXU6EmO^%_zxH9k18ENB&rCPAc
zOZN8lRP-;(iIW4di%4a^98!Q!YnEBsmQEO-EJwoOvsB^Uc4lW|woYNxuF~X2@R&$!
zX_^54oSc(nVS-@727i9LOygx#@YI1X?L!z~gWKE<`vLs~&y4c+2NdfAwgoc1M8an2
z0+%@K+28^<>Zt`~+NUB8gn6jg&5opUPyYqTZDX8ABC5tel&V-_|Jn$yYWi;Zq4&g6
zVnY3w$FKCI1^B7)&Er!o*?H@hziMZQ(u@|yVgDAdVcC-oRf7*~6RzLLSUU&;v>Lbf
znJj@_YHL*Dn{Gq(W@6bz3^E=W3;Fwvp1N<bWJUh39$)H0EX|v3|Exg9yK+dxHX?DK
z^{>xKQ~o92O8z-$*$Fx-34vbp9h#L!&I0wqZJ1d7Bw_?DM7Y3RvK$R|jskZO|8*Y3
zAwYhBW(@!s&Bpp61NEUIM<ol7fODUj`cvaLJ|M#ZJet9|_61930mQo#w#;%ypA9-T
zN-{-XGPr;MCZQ>_2_y2gc99WVJfB7n*Vo~>=O1voZ2Xjua@EU6Q&f~^ht%Q7@*<s<
z7kMvGGuKHwZ)932g0iRy&Xh_bkAd|gi23W#z~`M~I29>h8b%%{1y1=@CyztYgP@`Y
zIh~xl-MIzH9)@}g-yO#oF%_uc1OHQIY@rY<iv)xBt4|1WCk<hmtYLj!0Ou<;`rBsP
zZ$?uc^9~A(PkxG|4+H?QV9Ead59)1E!7SmZzWH}dch$MO)~>$mu4!I%v_dndohJq|
z0j3~=wWw<53ZEMWMDMmUZ22+Zd6HE;L4ijN)L*k8$xeE4n@}5fm9$o|Dz^NuGW{zP
zm1`6+q&|d@G-tf@>t?T>I1x?_bQ<h=`49q2ZE&Q38J{H-7SwXMbfv=1#+3+N)M_ep
z0&S7|L%antF)E#VD;Dg|zW4)s%KsmpjedpLHh$hmGN-e4GMdGAuk6g7Lp;hZFDEzo
z<mmh_@(R=gx<fU1{0?yIjN(<3Xd@R4{fbpLh`C4FLJx6&z^Kw8f$<m8f<DRQ1CHPg
zgG+T;<g=rC#ZBvNu)rM^>=+8OHmVbHz&0Z=-K?0E#?XV!O-EmvWK3#HcK%6B^k}y!
zcd%p38g%ws8pmo(_~pPW98O?((tcN_b9@&1G>GExvTSa`V53$HlZ#B1-@+W{CNfO!
z=>b&h7|~9Eu*y+jnBm<z5?s*Tyw%(EQe8wvY}~)~Cb3w+E<OiXy(kjYtV@H^zzpDA
zme>P<BRG^%p{cv;Km9Q1u_7$UQouK!uXOIxU+d|0=Dxp2ghGdX@>8*ZOwhJFPI<F&
zQGX4H+j<C}tnYe1zw!gFRHc;EI@Zgyt^w0O3z8q`%(k-@h?_{1)KEg{np8LT(H3X=
zSc@=PM+rB(;-Sm;+HWptrhpBSMS31c3!m-TN|ItDbT;CV*iz@S<wT*bw3CT};}s2J
zF>y9`5O;+$Mb?{2v2Nk|%Z9=oh^rnLFbb<_pD4^E!LYsf&eQiXss@VI_8GfPv2?1e
zY%A)Pl0Z4?POA%%vspl>vcGA-6v-8YqQ|!$I8M>wMve%zzg?8*=;!gu7-~5u(h0Qg
zK1y+;Np;zmJej7wRbq|Sk(;*KoRbdPZ%##f(0SQ%?X}JnSf^cUwU<VXBHFq5NAu!D
zb5OpX-1o#<S_7yZCd42#z`k0^R(U+}Qhu(j^sHCnS%rqcn^4~0tBXMQ)a_v`Cca6)
zR{ltH0TIEd?uU}EOHC~ejTg)gV+IT248&zEju5fp$bK}|^<?$J2ah~oxE$*dwC#$f
zhT?ftzS5id42mDYBoJk((q(@|jwx&uz7X8!GOCZ#nJXzn-u;{o%6IfUf)dsHxSB`8
zggB#CZo<Q<Tp11MpAu>bjkp83;w#{#bb>LhB;wZ8egg$$l-Gs;M<Aek@dna=L+w*F
z{+m}w3_O*G1+w=T%z82H?4JrtOd^xNy}ETe`REQTEd#xhV9I6E?YKKnlWEE%!99-v
z#zlFjM`HLHMr4wV6T__79&N4)rN+8FONPe>rJ8vPB1a`>3^>HSgTR62RMq5nywp*4
zq<th`AKzIs_2(-qmGH7gfua3j8}+^DjDrq~AP8eS4?aBT1q*vyvD*j+o@DHmul9np
zG=hB#kdL@Wi&6jN_4<Je)SvGFy%t*bl_#c8z0DeCzAM#Tluy<e1A+0(O8;f<@T|}w
z6;@6tNgbKhP|hqP0H|x0D;^HC+B|R1%bZLwqjtqS(dg!_(&P?YUyq9rEl*Ycb4t>7
zyROXV(v+pFcfI;5pNd(m-@wxlOt$`@kH1V<7FduXl;^n5khz(~BF)Tnz9L3F+Xtpx
z%*22JDg$k$+F0`Yb273dh53nF>hLDoL-qz-31#gCE(Otxsg&8_W$WLoh)DPypF^l1
zSXS#t-<8__LttWcXn8o&O?VG+qQ&HG>S?@7gE>pf^@5S~<b$hGk*F7EB{D@{SAHdc
zUEs1thNUUgcR#z41+-w~Nfy|kniqumRzKG>y-v)1ofHf=i?7ziUvKT>4G+;)(4TZy
z&tKcRnw)MQ3^__e))I2COwJpQMaoOr&d7P&E_+e+GrZ1E{sJe2h<{*=mK7C+dSs9a
zR_nXYEVbN0nobQLt{F!Ss)BCH>7=gUCqhi2s3s-est+8#g$u{gM=^$}=Aa%X^i-4V
z4ZDbV>-e!gwp8xgFA7;g(kVD1+icN*45^1P@<+nvTz~=ogsVe-`*+)gzRrER8AT$l
z*<6CIr0t<tPTX1#6=~aysTM?}byx<!qYeoTipo!Djb?fP&nKpQRrD!sTWG#SK7yLz
zYx-Xd)amONrUk}TK<#Ui_;38`ljzBjJX6ckA|s=8jo_b@oX&q%5~QVzy3^<_G<R6P
z$-;nr83IGeKie1JTt*(A47NypWY6phgg3wkY#TP&^-&T7hrIpz28K+ZC}>C8mU>w@
zC=a`1I{!4|H@=lWsh#@3uyG}D{9Z^XDwir~7G)7&D7>LX)G@}~A5{~Z7g01};q8A3
zUF7OqFUvj0^>HW2<~@4N#&uwgGj0dLT_dL@Tf)mHL(v0-2JhHC#Zni46NsDJ{E)J|
z_7biNP5h(e1fzYcqNv8`qY?IGt81JZ5PcN0)Th$@W;J@!7D%9DN(Kqx>cS?jZoSp#
z2v&&;Tgk!$Qb|Q{FnDI6>1`J11&)?mD5kB2cjW%08NR6K5J1_%qheXFl@441zW^g%
zKyB0)=1w|7jFx03TZg~lH-Bw-Ch3-vB-ipRn9FG{?~S7`1Zo4fl#V5Hx5EXjsYvXm
z!qRu*`*z-Wl7WlE)DQvl*j0x|REoex`TOR_Z_Q!7{vbIGO=e#+bi~2mMRc6aK2{Yx
zBT8k5KiDl@HmeVKV?MZ)D=r~IU}Q*L&Vue>F9rM*Jxz6w$nh4{ay>`Thg!8zLLGJw
zW@PbKGcG>T&WqG;DWCtM`5vsdp4gQZ>y!aE+(3H}+8qtf6oTMs@25&5jsiiY%-sFn
zAYa!2=^{vHDpI~!5SQJ#Aa7uMoFrn0PKA~&>^dgHmh*q#jK$+(f}8#J)z6cA4{o$u
z@77z67wL^{7oDXv|CzUFtWU#%9UlWKuG1()NhcTQ$0J1Ag8KBCU)ts3uMsaqYkN{t
z@5OQ{Jz&lfh47T*I4zqZQ><swMvs-Zh9hPxI9aZ8grE@Iv~ie1>J$itJ&Fak8oJq9
zh+G9e`Zwt*!JDA$%%g@0|F~QHu`NWSe9JGrt}Mg;G+e>H1wPWiS^w7hnV8KZ-8z6v
zb^`*~NVcUk>GrBe0Ql#CV^m7nCg*w66)12aw_9vfXF@SL19{AD`H0tCp8Er4XB*{9
zOn81PnuWK}w#yJ5(J@S{B9J)DoFCj39qHHabg^7}0!fqcmtfHXv?)~b;xaUyA{!yb
z3b|t#ghXGY#BRW(Es|bx^9NBtNe>CmX9>98xk|!wnhLXx?;Qf`_ksT+78)6rzT<(u
zGfuPeKtGmRpWlecRJnuoQvWWJL2XtN<uw)>_Xo-;2YXS7g2vcl@mjH0^-f;&3e>rn
zP6**U0tJ%Z*@sD@oWYPR`-3s0*{g*j2e`BeX<F(8H{8NElih2kOrm8%+@;=P0=h(;
zpp%!>ANzoL&cH^|mvIeU4k1=K4jFMMv+jpMtAi`Tt2|<*t)O4fPGv6bm0c445;P!-
z5btFzT{Ce^P3JkA)p?7oXX<dPsDH7j#r<zO8RGk3-NuMnY73%!Mtrk@*;~ene7M}O
zy_3r!PJkGppOso?VSai+RKNSOzdib>u4^<yW;8fFzb3#a`^dAjjxJ$TLW4CpYsiOY
zUsl>#wtGCS!XJh%{kcXV#PG?!r-C)hC*i1(aa-s$?EJ|u^%qCDf|Wx&Q8p#`TLNPM
zZoR1xWyx>SdW;l}ekk{=BUbKafZMvw!C=j^k2tm0$-#4;AFNIRyr5@$S)^C0b=fc$
m%(EMmarz$M><H<S)F|L@SG;(v#9`^%$Eqz{I(qu@r|Pyaqxu5?


From 7b9451fedad1957714763fc138f7e8b30d3bae75 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Wed, 21 Sep 2022 20:56:02 +0000
Subject: [PATCH 29/36] refactoring tests

---
 docs/user-guide.rst      |  11 ++-
 google/auth/pluggable.py |   7 +-
 tests/test_pluggable.py  | 179 ++++++++++++++-------------------------
 3 files changed, 74 insertions(+), 123 deletions(-)

diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index dbbb5edb7..682b58a76 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -434,8 +434,10 @@ Response format fields summary:
 - ``version``: The version of the JSON output. Currently only version 1 is
   supported.
 - ``success``: The status of the response.
-    - When true, the response must contain the 3rd party token, token type, and expiration. The executable must also exit with exit code 0.
-    - When false, the response must contain the error code and message fields and exit with a non-zero value.
+    - When true, the response must contain the 3rd party token, token type, and
+      expiration. The executable must also exit with exit code 0.
+    - When false, the response must contain the error code and message fields
+      and exit with a non-zero value.
 - ``token_type``: The 3rd party subject token type. Must be
     - *urn:ietf:params:oauth:token-type:jwt*
     - *urn:ietf:params:oauth:token-type:id_token*
@@ -450,8 +452,9 @@ Response format fields summary:
 All response types must include both the ``version`` and ``success`` fields.
 Successful responses must include the ``token_type``, and one of ``id_token``
 or ``saml_response``.
-``expiration_time`` is optional. Missing ``expiration_time`` during retrieve
-from file will be treat as "expired".
+``expiration_time`` is optional. If the output file does not contain the
+``expiration_time`` field, the response will be considered expired and the
+executable will be called.
 Error responses must include both the ``code`` and ``message`` fields.
 
 The library will populate the following environment variables when the
diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
index ab32b76d1..6be8222c1 100644
--- a/google/auth/pluggable.py
+++ b/google/auth/pluggable.py
@@ -132,7 +132,6 @@ def __init__(
         self._credential_source_executable_output_file = self._credential_source_executable.get(
             "output_file"
         )
-        # TODO: remove this when the tokeninfo endpoint query implemented in auth library
         self._tokeninfo_username = kwargs.get("tokeninfo_username", "")  # dummy value
 
         if not self._credential_source_executable_command:
@@ -201,7 +200,7 @@ def retrieve_subject_token(self, request):
         self._inject_env_variables(env)
         env["GOOGLE_EXTERNAL_ACCOUNT_REVOKE"] = "0"
 
-        # Run executable
+        # Run executable.
         exe_timeout = (
             self._credential_source_executable_interactive_timeout_millis / 1000
             if self.interactive
@@ -226,7 +225,7 @@ def retrieve_subject_token(self, request):
                 )
             )
 
-        # Handling executable output
+        # Handle executable output.
         response = json.loads(result.stdout.decode("utf-8")) if result.stdout else None
         if not response and self._credential_source_executable_output_file is not None:
             response = json.load(
@@ -372,7 +371,7 @@ def _parse_subject_token(self, response):
     def _validate_revoke_response(self, response):
         self._validate_response_schema(response)
         if not response["success"]:
-            raise exceptions.RefreshError("Executable returned unsuccessful response.")
+            raise exceptions.RefreshError("Revoke failed with unsuccessful response.")
 
     def _validate_response_schema(self, response):
         if "version" not in response:
diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index db7a065f0..af71d8f58 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -283,51 +283,8 @@ def test_info_with_credential_source(self):
             "credential_source": self.CREDENTIAL_SOURCE,
         }
 
-    @mock.patch.dict(
-        os.environ,
-        {
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
-            "GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE": "original_audience",
-            "GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE": "original_token_type",
-            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "0",
-            "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL": "original_impersonated_email",
-            "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE": "original_output_file",
-        },
-    )
-    def test_retrieve_subject_token_oidc_id_token(self):
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[],
-                stdout=json.dumps(
-                    self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN
-                ).encode("UTF-8"),
-                returncode=0,
-            ),
-        ):
-            credentials = self.make_pluggable(
-                audience=AUDIENCE,
-                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
-                credential_source=self.CREDENTIAL_SOURCE,
-            )
-
-            subject_token = credentials.retrieve_subject_token(None)
-
-            assert subject_token == self.EXECUTABLE_OIDC_TOKEN
-
-    @mock.patch.dict(
-        os.environ,
-        {
-            "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1",
-            "GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE": "original_audience",
-            "GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE": "original_token_type",
-            "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1",
-            "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL": "original_impersonated_email",
-            "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE": "original_output_file",
-        },
-    )
-    def test_retrieve_subject_token_oidc_id_token_interactive_mode(self, tmpdir):
-
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_retrieve_subject_token_successfully(self, tmpdir):
         ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
             "actual_output_file"
         )
@@ -337,80 +294,72 @@ def test_retrieve_subject_token_oidc_id_token_interactive_mode(self, tmpdir):
             "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
         }
         ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
-        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
-            json.dump(
-                self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT,
-                output_file,
-            )
-
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(args=[], returncode=0),
-        ):
-            credentials = self.make_pluggable(
-                audience=WORKFORCE_AUDIENCE,
-                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
-                credential_source=ACTUAL_CREDENTIAL_SOURCE,
-                interactive=True,
-            )
-
-            subject_token = credentials.retrieve_subject_token(None)
-
-            assert subject_token == self.EXECUTABLE_OIDC_TOKEN
 
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_oidc_jwt(self):
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[],
-                stdout=json.dumps(self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_JWT).encode(
+        testData = {
+            "subject_token_oidc_id_token": {
+                "stdout": json.dumps(
+                    self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN
+                ).encode("UTF-8"),
+                "impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL,
+                "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_ID_TOKEN,
+                "expect_token": self.EXECUTABLE_OIDC_TOKEN,
+            },
+            "subject_token_oidc_id_token_interacitve_mode": {
+                "audience": WORKFORCE_AUDIENCE,
+                "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_ID_TOKEN,
+                "interactive": True,
+                "expect_token": self.EXECUTABLE_OIDC_TOKEN,
+            },
+            "subject_token_oidc_jwt": {
+                "stdout": json.dumps(
+                    self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_JWT
+                ).encode("UTF-8"),
+                "impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL,
+                "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT,
+                "expect_token": self.EXECUTABLE_OIDC_TOKEN,
+            },
+            "subject_token_oidc_jwt_interactive_mode": {
+                "audience": WORKFORCE_AUDIENCE,
+                "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT,
+                "interactive": True,
+                "expect_token": self.EXECUTABLE_OIDC_TOKEN,
+            },
+            "subject_token_saml": {
+                "stdout": json.dumps(self.EXECUTABLE_SUCCESSFUL_SAML_RESPONSE).encode(
                     "UTF-8"
                 ),
-                returncode=0,
-            ),
-        ):
-            credentials = self.make_pluggable(
-                audience=AUDIENCE,
-                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
-                credential_source=self.CREDENTIAL_SOURCE,
-            )
-
-            subject_token = credentials.retrieve_subject_token(None)
-
-            assert subject_token == self.EXECUTABLE_OIDC_TOKEN
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_oidc_jwt_interactive_mode(self, tmpdir):
-        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(
-            "actual_output_file"
-        )
-        ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = {
-            "command": "command",
-            "interactive_timeout_millis": 300000,
-            "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE,
+                "impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL,
+                "file_content": self.EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE,
+                "expect_token": self.EXECUTABLE_SAML_TOKEN,
+            },
+            "subject_token_saml_interactive_mode": {
+                "audience": WORKFORCE_AUDIENCE,
+                "file_content": self.EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE,
+                "interactive": True,
+                "expect_token": self.EXECUTABLE_SAML_TOKEN,
+            },
         }
-        ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE}
-        with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file:
-            json.dump(
-                self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT,
-                output_file,
-            )
-
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(args=[], returncode=0),
-        ):
-            credentials = self.make_pluggable(
-                audience=WORKFORCE_AUDIENCE,
-                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
-                credential_source=ACTUAL_CREDENTIAL_SOURCE,
-                interactive=True,
-            )
 
-            subject_token = credentials.retrieve_subject_token(None)
+        for data in testData.values():
+            with open(
+                ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w"
+            ) as output_file:
+                json.dump(data.get("file_content"), output_file)
 
-            assert subject_token == self.EXECUTABLE_OIDC_TOKEN
+            with mock.patch(
+                "subprocess.run",
+                return_value=subprocess.CompletedProcess(
+                    args=[], stdout=data.get("stdout"), returncode=0
+                ),
+            ):
+                credentials = self.make_pluggable(
+                    audience=data.get("audience", AUDIENCE),
+                    service_account_impersonation_url=data.get("impersonation_url"),
+                    credential_source=ACTUAL_CREDENTIAL_SOURCE,
+                    interactive=data.get("interactive", False),
+                )
+                subject_token = credentials.retrieve_subject_token(None)
+                assert subject_token == data.get("expect_token")
             os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE)
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
@@ -1125,7 +1074,7 @@ def test_revoke_failed_response_validation_missing_success(self):
             )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_failed_response_validation_missing_error_code_message(self):
+    def test_revoke_failed_response_validation_with_success_field_is_false(self):
         INVALID_REVOKE_RESPONSE = {"version": 1, "success": False}
 
         with mock.patch(
@@ -1146,7 +1095,7 @@ def test_revoke_failed_response_validation_missing_error_code_message(self):
             with pytest.raises(exceptions.RefreshError) as excinfo:
                 _ = credentials.revoke(None)
 
-            assert excinfo.match(r"Executable returned unsuccessful response.")
+            assert excinfo.match(r"Revoke failed with unsuccessful response.")
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_revoke_successfully(self):

From 7c39fd892166f2ecc9715aeebfa0a3e274619a39 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Wed, 21 Sep 2022 21:25:59 +0000
Subject: [PATCH 30/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index fa53f6eece0a4410b873f1b300ba4078f76b74df..6dc14d78e8d934436d54ec752357b030ac692e0d 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTH`rAqxYc;b%!iwIvO%uT-H!vd3K5veDzI{EpwNRAUmVPyni{
zhrDV)<%1pTfE^<qVUfprSK>jm0I$@2FilGlwA{2s;ILR{yt0|+v2$@)kqDSP++1=8
z+2z;8vnRD!kx(ISZT|#_#SA2zy5bXOB1<`5FIY8JCWP(_HVZB)^J6=g>>85g<#y}3
z{lz_(NRy<S_l}JB2bFMt$dVn{tYMU~&0Ze9z7!@;$84WQudLBAFTNX|{@F#*RAfiX
zu2BRo2hO7E1Zz{AoDXzh9Wkc)D1hZe#@dSu`4XJbQ0rt%N5oN2Wv5KBx`l-zYS$g7
zJ!i%Ntuu<@)hqyy<iP+d=ze*gwaY{UWQ88zcM2GTMvsdnM~mO%sk1p9C=dbd%J;Wk
zAKB0WjVw)5R<i#jY}h;vNz1Om8gA!NY?QMG$LEx%hI{`NwWBN~P1dsa(7Kv15czB1
zzOs|B_=yoBhX4ahlf<Pg@nkcsN@n6L-aS2vQ%qO7x-6tPxkI4}2%nwZ9yBUKZhD=-
zQu;)ztc!gHJv~riu3R9kvCElJ<gwULC3IV+Hm>5C1^mchPwbUHA<gfbc3H#mEVi$G
zYskz1%7{oRziBP&=!mDJzTnpFv`oh}uk7cBq~#!lP15O;#5H)Xb7pK{qXsJwvECT~
zpDSn7>d-9&A|)rPDp<}TL6uLi>ycKq+vg9|5jo=$(xyIVGF;a9{`ycPMS6NTFf@Y8
z8#b1JvN74@+7eBIhzwtuIY59vXt=%AMo0jqxa^XEG35qo;1U@UXP`$oaw^r37{iP-
zCZz)Ze0))r*LFB8M-aTe(qp5>bSpGzZJau=r#*tiUgV8fEw}|c<<rLp><m;EOxw#=
ze8^9Y8N_gM{SS52YW|9}jLB7(Xrd7k^ZOTX`lvbycBAH91}|dW%0evx=M3wNp#W=T
zrPjlTc?bS5f^UrVqSse_Q;w_4kN;Um8sFHRBN{9|^VDISZIFv`oWPM*myQ4#*~tNH
zh^EgihuD@;4+OB3G#B@W&%ObZW7u*(J|huE3^^It{EJWKD=wZc&rA|M$-KSp+^2?r
zk?ao~<uYy#D{>)o7bmv>L4irU_$C_?-u)XQpMh#<&f|kg5=sm>ZE(O)*692zHLemF
z(I=_t*nT=~TC6;lmg>lk&mJB3cUpCh3or)V#&w=)Hz8{U8kNbSeLgem&a`&vyQ=QW
z4t?NL@tS7tP-rYJDVf60MV%23Rc6iC@2dooaS*2F`CJyufFz_RS*eLD`W$Pb&<g+;
zMqJJ}h92ZIIaThHoXbtV|31>c;@EX*wRqQ>nQ_8gT07LFL2c=(awW(70%e#V6ZSsq
z$}0dWo^-!a($1BIgblIt^0gEM5wQyB(vPky*~?_rYjTL1DOyeElusZmw?Wpm88k$o
z{TnRp(`TMHKvJkNDTryVHVgbEFsH*A*V6`wGR}^d#PaE(mLN)@AYuUoyKF$BWclVe
ztNotDic#9DvqNs_$ptW`LYK%9u_np<V;Qg0S_^LCZ&`V7q>;sX`Wix$**9+(4D8pp
zUZkNX%Lss8cIM)1ZB7pE#-Ws+BlbL?9L4ojK$ra}9{4)z(jjUEF;1?S^+#FjnMda6
zA5Jy8T8`}BAYx><aa%_<|9uLf8F4-lSt?zHnWexWU^n~*tX|`K>z4HoOQ9~-cUe;q
zL+Ds{IL3G}ZjiTBNnuyo!H+2V&!eWKomwbn|G?XM^j5D2V8(ZPrg9xW3Uq91-U`{d
zR5g$b5h{ykPGVT3s<kcnqBfpaU_DN4?&e2P7#%>ctP#0a&$xbySB%dxl>xl>?GX9I
zo0JrMVgNU$r_vP}s|%@?=&yA6;Vt6)W-QBv<$~gf$jfz}a+)om9{G7eYR6M?8Y*Bn
zCn{5$UvLwrcv)G9SFVcaJoXr-CWqRtAIh)P4}FjcUd%X5>nVI2akP!)S21-DMpm2i
z%M2qC`T9u`bGjX-TLCxpyuAK``YMJKJ3<r+f4sxW#5M`G@w+5HZZt(%iF6o^1K8In
zq=``Yr%Id)pEI^hkB;6@2E4BuNI^@v*9Q5lM=TmZZ^?v~Z&hF!)A*8Ef#)QcZN2(~
zdk(iXwyrrIc~AK8XJwDl@*D=QkxnsN66o$Lft5l8*|@QZB3zRyX$0_Snc3De&#E*T
zv}u&TZt^EH%e0-EzP*b)!DifBvuDO4TQ2Lixa)j6#|=I^-P_PQX6R>@V)$1%sze)E
zrLVCz<zKhf?!K883>kk1TDhkHOh!q0f|>ZZpo=wnT{+|4fvJEYm=zzqtn&J+v=+aF
z$sT@zZ?dm~+5CMh(16=~6GmGZB1_*ayf8>vo=R(5u2+-1puT66Rz@rV9%>!G*dci1
z#F}{a1L7k5ja%y&M_d`_ie`$zV7%#hOo2#QCa0FxEJO7xKAR7Y&5DFWFEtznzi5i=
zhe89FG3|yN9Uq;a?TuKDMma@9aKC_+zy91%DFbeDulX!hv=W9B2SK{sYz$BgL<f2N
zVS{Vr@+qa|7f#s9-2;)+@_5k9UASGg&x3(aWKUkQ2(>DlO*B^X9FMV(<7%5$nf7u`
z{sQw?vMGFqN+LPmwRxCp@AP?Ooa(qiyKL)Vi|C<sLvE1&Rf*>8m%#%{`2^~gOkKOh
zlIBT`y`4Ei(dWkX(b+OtaT~3V#3dn3O@~{#T4OQoB6@tvrM3U`qI6&N&4Ei%e~r$q
zwHFA+5ZYp8Xq-CqTH26X<uH5{vLoXm+X+woN{@&15vFhv4<X?cDBZS@pe&`$K09v7
zx>d)^1P9e9KI>Yy2`NCEm|P-AcR|Zq!+bZCI-0Ak7<>^i&TSvQg>j-T99@%F>7kui
zFMFfW?Av|p{2gza{Z#Azm+?9p!4YkceSrB9+)C?`c-`^KyOkMryJTTLVh}xmOPMwX
zRSnJipS!6oW-11dn*>^U9gkDr0lHnk;&WkA>Dp)AH4HnoMEm3c2q<>f&hZ&xR2~Tl
zNN|R#lncdM3$#MJ(rC^JV<CKsn3i;NqZHcWpWb*AJs%@BAVYI-?$kY-{D>L-#GBVH
zS!)4@uV*lqtyu|)9Wf)oNNftSFeK>C6sxN_xY>jW!3CLd+T7EDkp<T6(LCdf^h9{P
zAPo56h48`>bb_ces38x@3HUem0h&+*J%k0x((CGcU`Pc>!ZYtCUOx%%F;aMM7B6yu
zz|YGL2&{B2jdQ`bbmUv|y~9Hnha`d6er%w%cL6+UxIQhLyYtXg1mJsLN6IYDd+Dss
znKv+U^$-0{abY$Hl>W7kmF-dXhS|k7@&31zTP$5D)Q70&>RQyW1_>G)Fv<uS{V{!3
z_io~DPl1DfO0E3V;fOujO}h=dGxIg?HE3KoJRpSC^<IF58@ANQxjPYkY6O-Xf+NBo
zvD)z(r{we;6R>>3kJ<V=8O`rawLc1rw<bTk8UnT4{tpDS<H<s$Qu*MVISaZW&p?i)
zM`=+&B|QxiO=uvG0(3zNy8{@hQnc|=GY2#&JP}(Pwhoe31eWCo8=w?GvOF=T8xUgp
zibKA}4d4LXJ8Ot{##`cOoTIRmFH9)M7M?Ouwq#xs;D^|tdretO9%M@Kx+}%THBUjI
zTDgLLfLw!#S?k`lw8QTM*6UaHIPxkBNBa7`c1RFtDXJR>6KNcg5Qu45BrFI@^2r+N
z`hsgBPlv6^J*NPvLSD<@{jSW&C>1J@@uK_m;leOwbhp98<0C6;tccJ=@^oXRpI<tw
zZ8$lI1+D#8W86do+(IsFjO&YC-N^_eS8RLu-D*B$xqWO3mG(QCF))s@0pO1!%eBBh
z89RDAPI<(s(-`&}#@Kmh#PH?D0DZiL;W{kLgb7(j1!5@Dg=vPls!+Nvd+m||3jU{A
z^vl}YjOr9ul&Y`MHw^4W@fkInu+sPNo;9^l<-$lR`X=0bnTAp_-Ig1+*bL2xdU=y)
zO|_0FG8qhVwZwz+Fu;>TBZj<CTK9w4wHsXHq^@zjSwxQN>eX5e{KzMX_&M>u6k?CW
z#a5h(N?y*F?I9oa9M-~;e6Om*M%`#xsCXY819S1~FmNrK2M91W65#mUc20+1zul0h
zwoA0NljK!5ZI`ZESd+2q5%K=)iM&I~h{U-7C4J=-Qj>ZgXgY@z@qC>-p{M1b&7wbc
z@X&`4HLA~7f5wW6AgWc+Vwa+hizr8ZdE3jLX<^3T>{4yXCv149@0}Q5wwtWI%!W#3
znX1=}2WYo2d)tl8TqQ+;paQ`XSUT6v<R2jqnmR!25*@I%4+vW|d_2Q(GTHV3{}bzn
zz=ahH^mGOW4SMMMsgbPk2uE`z=~jn8s#)=_rW(~jO~b2ewbXfi$e+w!f_??a2P>Ov
z(C^l6w#}mX?7x%*MYTYuIFp|$!OcK;1)kGV)le#={pIf3GZTh+5Lw{F`Zd~_Sg?3H
z84P^z^($g{X+&ZJB<#L6KmbnGTseuNk)Y=uf?cqzEVMy+G5g5&uO)(Csmrg3&fpkJ
zDN;xtk<}+-LyZd3E5<yJwQ7Myf&4~acB1dgH?!-v`{#9|)9c4rSGQg-wF=cB{89Uf
z1K6tt^?_ZKk=Fj4MC_+nNpw1cvzGIGz`pH(!IO4;sD<?_Ly2Nwi2M}{z2fEHSnn&e
zd`ZicBZ#G3BiF?;XsWnYV6x#c>3yH_C9+^oO@Wn3Sf8PNU{n(EVei7<-4hi)|9XX+
zx_}lA6<Cm2W6U3&Lj|JtxK1Y6xSQ<;YwDoGHme<N(Eb!k6rE9JW)LsDre$~1s)6kH
zAIfxVK#uyV1<6kBX{dML%j?krhnz<En6-x5Qk_vc2nGfCh!30h2l@91AuQFSvFI#>
z7D?g99`x*9Bd_by9W?ekHydB`?S+QR3xAm86j!xnYQ92ci(AAwJ4^Sum*PhvvmV4_
zHkX9{-<4S4fWG$ydc)UIApr$5q5`etQJgM6&Z25}Cx+2P<?}Jtvv9b=?2muE8WUr|
z*!~;%_9@)>dY&7?et`<{^-WrRrd^j46$;giB?KXz8etupsqe;h*28n)IYvGP!y9(;
z=0d<KXhz265mhjcABx_(F*@*35dyqRiPqPRLfArK|Jh8!5=LEjHSviVlo(T#wC(#7
z5eENsP0t&<_pro};<dT%R*r#qkBR<NK#Fw)Q>n}Rrk?O~joak~NL4bLJ9yPDf{&{d
zy#!}GXXj-F2j^RWtM(1vw6{C!<W1$tZ04Km(u7Ap*99D91R|waFXf@g@&z1pPF`FE
zRKKiAZsn=TM;YdOh;j@>BjQE~E-a%bo|`H=VPg_N!Avx)LNdN;yTkks-EAY{@UfNd
z{Dl*8Nd-!Bd$#n$Ol;)TB?gxClJbZ|UIq>I&^2t#f=g#pv<Vd)$Yy@ZPj6QCu^+bN
zs7LWJUt3Kmr8Rp~ah%bKkX)2Tcb`Wtz-I3f<DL+)lM{&$sD$^Ii!yuA5&`hv>|D*6
z&S)f>^sl#<)H&c|Q*gu`W#S*ZL{NZeSO~DHac=t%vxis7Dy!i5*JRY2n|M|?`D27o
zlBgAXx@+{i6@1r{&s6|o$SgcqAN8PfCKpYk{yUPW*`@H9CywtmKt*NNOJogV(OXG|
zjl`PP(!Q!?9IIfi+U%Qnm6Yzh_o<;&3L{Fb5K~SzwH}y~eu7ZqKtOdO5tr%mak4RA
z_lfLa)@pt9avjz>+b@pJ40G5Lh;vq4Z50BuM2Pad&p=RC<>;=09I>8nTWjDWbaeP{
z8egKz^~d{Od>R!iGhrCGA<HI(#;L&x$aCfvFD7>zqAkJ7rHqyUucdZ->pn4wg8yGi
z9JIJdJuFPzk0)&_4kdbvnsrJ8sXko)Nzii>i566ptf8x-p?L0R55j)s9jN(z;Pbel
z`RZ6*PRYzsFy>pGs!i1R<K635+Y?_O`21!05tQXR1p>RNos*jqIoB8%KknCOAF2rd
zA*m`LZ*FXql?gsVltox#5sEjzwJE|fmFc`EGHIsA3fC68tx^(1TAA*j@nD`!vs5~0
z_Io%mQajV#R@Os}3td>2KlG@hSthpH|ItRrY42<U#j&W)GU%xsQLEzGBgC3$;yxBM
zN5cU~U$QYMr>^DM3Pz_W%6lTrcRW@Q*Fb&^(z57;^6}0<`2<V1=hi>GW3vLbjGhBY
zgR9OXL58ew!HG4h#&AQ$hlBOBa^Hbd+%W=y8`$i%7+HXy+B{EPPrH^M{FAbrTm*6@
zGPt(UTG0#>oRkWt(=1xQ>)$ht)OoM=L%~iJnKYnzf^WJPesGxtYr@n?W7Q5}#kit|
zO<8qV%i#C3N19QM&)Yl=JSVAWTXB8u#s6V6f_)YM67xS$*p{+lD?F?HNnYZq6Y3-q
z#q-x2S{R@V-+BrK6n}Zt9?DLgHiP))12b5VVpG5UMTU;z)CK7KPr4%iO)qqQQ)0*<
zLDhH0nlUX7u@0?JkX7gR<F@*TtCb4b1QqYXqk|u98%?Up!w}MMc8?$!_+I8M?b1I`
z&6dj0GZk_JPycVrQm3oCb^a_av$1lspH(bmG{=sVMIPo_g6ffTS?9aV<uu(~u|ca`
zqKMRmdSok|y997^obdv7a{v6Gt_o{(?xK{;OxsK6rP4ncP*aMCpnWkCqCz7WA7CYq
zM)PECG@SWhn#x74P2l|3V&F%m)bTn4M&gQK_sqyn0AgF#sr$rJS1Cn2GkVeH(cxW4
zWwDn?hp>90H>IdMhfj>v?Ky?cAXGsOygg;uMaZ(cj4T3*h-RvZx0=0z)2eUYQN;20
zF1F=>se(b{#j6^fb@VTqnx#^su)eBIxS+q9EPEXC#z-2BWlDvQSw@#I!H%lce5X>t
z{|~e4wKDlme|NPrQgg82xD8pvOwt={`c%On%1LUq-T0zqqmrX*HOHni6$tY-&^L?>
ziRf4oot2%o<sfwwUHD<BQxang_UY};)9p4v6sW!~-TW7$_hY8HcjA2n8YM8H0Z2qG
zs|$>CwRv<ar5h<=+Mnil(Cu2Q-~9Vb3yh$e`+3&n>-SF22ku26&Xu1UEPhR^9t`e1
zzU(hb+{GiPulhg}F~sLykSU5<rB0nCo!%oKCKDwpZ--7H2XBB95sy!|E~@+RQ8b9%
zc5%m(_;m#63Sq}`*&Sl;A30@=P(oXb4pNq^wf%}-oa?`#zh<nO@NB}VYsCyvF|&gG
z*9P6!R|r4E5in)v%Iu`=X(#l8WmTk!DyV2~c(F-#IBx-Q*p=biB1&&U1CsWilsgyP
z8J=!><|IlEYo`~%zuR4E*FRGnz;g*`s_|KBQ|lenV=W=>U9jP>77rppj1@!|u8Y)v
zP6H4<Lo%9Tv!BK2SQ+Ni59ymr7L+c{!{x$*%R({WmEjNCwNV>kW9`LMMPd5nxKLBX
z&KiFBU=0!m0_uGuEOBD-dygX$x75@FD2{G&#X3N<DG*23-Jfeuay!W>_{{R4-(wew
zK?53ea3`-L3*c7VeX#mGimL65R?aWVPbp9htDQ2%CF(A#DsbpC9T`hQMjewd7ZceA
zkGTL>BI~W~{;A{fo)%(&)a^2H1Zr;|XcEM2BiPjh>D0XSB@7Wv2K7Aq4MEZ_w3qXu
zQKK%?q3ouUwS!9A8}~5fJ!wJ*h7b{Uu({be+HD=tZO*g1cMLqrnQ_DNixWoU+bCrS
zD#re~oxPfsDj!$zcdbeek|xDVBZ02a1VnjMNL2<w)*rf#IU#TV1)bt$5f4{kt-5zc
ztc8_*609mfVHbY+;TU7X$$sM+II+!+Ye+1s46NzFl5kQz6vqZL>b;FoGdDn-1@UUC
zzuQ#2sOr{WyI+g=Qc&c5E(*S(g-#z-Yo;cM=hB}UuM4=EV5JKwTIw9&R_op~vYR}=
zu4m1aeAHjO3q&N$utusZsYqlKWPFK0jo2c6r^t%X0WkEN4Dz*&M%~t}UYP}Wq68a{
zwT%OD^_@J$Z<HssheWQJwQ|cMu=L^bzqQYVk<MiEq7P0p<s`7p3E;Qi0-q0JkiLfY
z11J2WNfEt3!(2rqGNAE-{u6GcEHnIn1hMJRDg7I0&99w+rt@E$Obskv2%_QHbQE;n
za9(J$h3ci#36X!O2=Cu=+zcv17FUS;1H?FaMJl`CZ}wG}*DI~_qLO-;&^XJSbGXOi
zC+=0G2Ty1uw*^O0LHmummTU$v<=UULgdHd4y}Q<lQg=L7oa)KZzQ8!%igY*61wEld
zAKMtv!%W+Uy}ANL5-Nt5CLXusN%U?y>pUN~35&JHB<_;?K49jRzQwTx43316b8Se;
zD9-npU!QIA82QbWd<v>x0VcTFJ)>PuUFK{1l(C@~>{00ke`BGwr-!L1mkWRXMUEhY
z)=FuePs-w5J@oU{s8Q^B{`-t_rGp^Xy~vT%B}dw@`Q|c%@9@YHsTIneX>lHl71gl+
z92I=UAY}IMpvoU4MC)@q6Fl)Ly{@tO+Wf7?shjXz?W9sGIr1cIQ^dSYW*q?6_fEVY
z8evZVD(i1h=J2nAFtuMp1&NH~D-%R@ced5g6Y-&&3AS*OdXYt3LlyV;=wIO41_gs=
z430Zj)x&B~GSmA&8(yZpOR#j$?I!$1G+p(D3P%St_Ub7xnxq5g<4{~H7ySi3{pVk9
z9;|>^l1J}j@@&i*PuLjD*+)~W?>6o~#@7_n#N%v1o629B3{zV*Znz_zXZ-h^KsSAM
zV-f9or)$&03X{a!2|0_iv~3mZA_Ouc=J=WgudZTgCpSqUKWv+4k#V`hLr&cywBsd|
zOsI-kOJij`5%vcU>-4NQn2h4*r%7R1Z~Cp%<K#9KQ8`g<H8rVbcDmM2O(g1Wau_w7
z53G*s+CH4ZLw0M12YU%v(Y6%eXN)kd5!Vn>&08%M5t&&YDRXIr5WH6psRfBuemQe=
zHPi26K;l}o8>bzB0sgtdgXAyns9jmsn$6|#(j|9&D|kfpmHbM7wK*x+_MJ9R#}EU<
z=KoTI3Ro!Gm6)RKF1vofQej|+6+vX)32I_gLbb1gC8jd#mmY<gxTdf7HzG=mb5-PY
zE(cW&jN)xFi$op5wyJ=oYljL?EJL%0$-rIUfD1!H)a(8f7zZ1Ma@NfXj&4GZ`v$%}
z<#0mjc#jZ}XSQvj*zo`5nyxHCxklE$4~4k(UyCP~u4s`L7Vw<6ZWTA!v#Y5sM#F`2
zZ)Mxu4qCvr`CFTE%>=X>t7+{0i8EM|i_TMHM+qPVY_-0jw<^ga_Bli6cBDn9|LxH}
zwZzNb&Au`$vDfn{c(W$&YNtOim1X7H&ajL@Usa7(AQ!S}WW^3^9ZcWti3Mqo3YpjE
zimQ;5@gBz9>%GuZ_3g)n5l_l>HqDtKbe+UFKpc#9P*zH$kMM!~I<ZSf(fr>7y_sMK
ze_Ef9#b7LwOi?Jlw|kh)blWlr-dn3y07VHyex}0}o(3m}x=HC?POSafdx(15M9WoZ
zWRQn3a%9;aY=3iL9Bn`@j!(Gt6BPBdwXz;)#+5ua+JIh8^o=jIAskwh7;tq4$xF~N
zAD4A0(L)JYUIGh(OMy<5&ghXZOK;XWB_m`Dd;N3~tO9A%18j?9zz{>%b`~98A=BXR
zVSRu>*<9ln`{DkTpntnp(Y_i{Sxd*FR9!rc-zlT8Pa4|HFJ0);>3t5AmexI9gb9~B
z5L!Epf*F;03ZiS`SpQDR%_ELVE{xQlp$2W6>zDf>jaMTut|S4GO!G^%35P$KS?&5n
z`)lW?Mqg{;7!H2BAO0=t01)PzZ9@KnIqR@??!A2;v2h|(gr#1BxE8ZofCl=>-`Dky
z@rpOU3#&IjV(ltuJuNUpYiUnv$M#MPW|mqB-yd6>nCwg2McMIdH++~Pt1d-9Ro+pZ
zY)(tym|c!YsbfWl=C(R(7~j^mCnKXYc{K;#_&z)CPi+RWFBFc9mvePkSQW=~@zUqA
z9(F-AZ@LdFlq_%rZd&%jLD8Z1-l$#}H%N|Mi}8cC3gCqPSLz(=AOLSu9|(2#D*&yV
zE0E57)~wkn#P{(1qZj!4C01@~=s?AQ>qB6|wB1K4g1FtZz*a9qN~8aM@9E4(A|azR
zod~z>P2S9j-GPFL0gP{XxgaPY&(A<G?;sq}odais(mS4jupaK*stjmta8R6G5MkzR
zYngE`jerq%D0d)Evc`<_Nm+cuaGbj<FEt#dAqX}Fr3*M`zKlbY*&@3v<4qGLfM5A)
z@&?b_5VxD309so|a&P9tO5P2_&ELrLV=2<p8Ct2@#UAb!;AYr^#3GH%&tOrqrdqQw
zj#YACw_Q6F3jkzK)oL_cy$32wb7$3@E+$8lG&dKYQg<q;pKZcE@9-I8a8a2(zn%+V
zNnb15nZ_5E;j7Dslh<Mz_qMZ)KfuJ(e@;>9wq;*&d&P1mUxm9Ry)KxoeZR`Pg4cXO
zXg&h7HI&xvHH+seUZp|<xc-rcIoB){qMcFFpcFRmLA$3poXB$=_qp=T&@0Su;3R3p
zr5KFhD}jP_Ab_^@J;QZI{K~hm6J-72m{V5FgJ<BHiSiVvoTbC})u~dHMip{y-TeG8
z<Mqvl!~aVue$|{C{LB@d(@lU_;;h`KE1B>>7?9g8yGw7StdMQmIph8AhdBj=&Bi5B
z)_N7lMXbID909jxu{C_F9bxIi6pM39SNOUyncqj|&j5NfH3iVE1&-zyrrwg(KGiC#
zz}0GBwj03yr=_er2%P*>wl}@<5`9$~^UOcP^%jhj;@%uHyLRm>&ytzmm+r0~;V`Lv
zwvb(*p7LHfrClUI7c)WM&=?i~hHXJeo|mg{hHa$EG+(1Y5zZ%Je7=;&{Ii+*q&O2K
zAVuDwSr>*j2}dXGM&<q`h$&60`l}5GT}t|OJnYAlI!DN$Fg7H6-Bh0JtegImA0KeW
zj%wOkEVgDAoYe}}6^$%*=6v~EEXqTk^Y>NWmgR1VIM`W?P2+4`%+*LyHY4`5!Ml(P
zOa|Kc{ph`~2;q*<toouI_cyNlfD3Zz{<2FwLt8*5TH9VSqgPa`gH2Nf3k=Okq5G9q
zEC&;o@zWt}0gbKLD0_cvUG>;1+eyX&*@3yHhXKhO$Nz8ec(dk;SAB^a$C3dN=)V^Z
z;jqWQSs*bVtWYx|8aX|aT4|jl=Ad}jGrmfDhPS5i3%d-`jYe{tn5Q2LadmSOHtzXl
zqL6REcucVki9~jPPG}D_ky;>gm*&3#(I9T#PAeQM*k{^sKhXgK=0KOWT}Mrvo!B|E
z7eWE|XDxb<qBk3|MkvjWEqrfW;IGx&T?4_yA%~qb5w|HEtX=3yOn06xCB*Ro53kOg
z-w>&3xVf3>tAWq_MTcY7y{`X4`Sz0HEnYk;Qm~UgAdfOzlJKB4<826%v?9lNcjb@y
zQrd9K8O4LjZ~jO@p3_^WBtM1dAX5|Dio$)6yxH_GO<{4f*Wwe3t!AIl;~ZVV?gFQm
z*^|R+dW9eb25T5>nZ&{#5uQM6GkOj<=NJVZs{5APAxnKI3X(9Qzfxk8ySO%soMD|5
z0_SrJQuH=#g#U;?INOn2NSMPjr*9P4@=(+m4#$7l(HAe}X$uAR7>(^{g-`fLCbm!0
z)w<0;9jZ2fP~ES}EL<4$ZBaKZX#eJkK2?v*`;=@LM^j-OK!DaqCz@s!p^0>$`RQln
zN5Wq^Cd;jq*AWKI8A^M9r-dL{5Y~V~8;X3a2v9~@)&TpF!f1lO94H`oDOTU~cM%_9
zyW^J&Xn4C!!BblEO}0Zy(YZHo;Iv){UoJW>^qGmsXw+SQorMcc-97sy9o+e)?^p>#
zHgn1sW%?%17ko})h-6*p^z$P~dg|jmf3hdz6CP;74gluXP|qLY2%J{rU-f<BojpOI
za-C8XZo=*=vn)4pdSV}^!v~!kg1-$q{j3Y9|Ex!&+5R#ZaVCZrdx;m6GRPm&n3|M%
z(O9aVt+X+KT5Oj(gT=iC>Yt|za57*o@@`7AtQc4MTnOxB9JG3=x+jP%U8M7kYzWvu
z_~UkeJpDny>5p}5+R!QxLHLiZ`48t&Jy7-i?un#TPcF|k!QSn#5OH5#H}cTkx@D&1
zDvRiE`X4A_Jr6n~T(&h<W;F2I3W@{pgp9e|D(2T2AP&~gA_odCEAST0SaJLcy|L03
zLREAFf2*n!sfyBEgZ3+k74D(9|C&|%4ueYuRb&vin@wZi;}<m+58+?v3z*Lj`|R@f
zKh)68eN8v^ftY|vXvlNt{^8~KuvyI+E8ftB`<@dCcor6#zE=LvHTr*J^-!@q+PA_Q
z<YY;OJEt_fDg7$Mv1Tk@(E2sR{tqyrO}d3fNjKaf$%jNLVK*Duc;!NHlP}Wp<761{
zGN6l{K^j*jcqsJA`*#?1<er5cvIrXy{@E7c5CZkhOZ9JGq#5c5DS7g=%Eu=$9lJ7N
zdrC!U*abkt=j>~dWD>(aJ(4uaCu$1{4q^S~QEFG$tf_Py>3u;Q#3<5zK9iyGc>-Io
z+i_r4(!v&HsdpaOY96)kJ&;02)|<)1WA4#nwv&W$vfUZyxWPlrdp#p+J*NLPE`1i*
zmoPJeq*gAsj${eyPuu)vsCGi}=-d&}p_Qlb-gk9+uRT3LNGi<N3FKaJb4eGMxr&R1
zZ1Md(r5!2rc9m)QumKJh6%mb^`h#`{7}Y@SSRmH8RN*KAqNXS@+M&@&6D`|SUM>_)
z-~UdeiKt4n;ro`?JC!y{Mr@o(5!WmrU)Cy@IU63XtHCL`e|vNGWnbN(-QbsSv^r|}
z?5l=PR%dHluZYb&NESC<B=;Lb10Wwog1ueu_=R@Yv59!00x7EK^DHR68+0sp^Nh$S
z$!HQl4l7xoS+}MbQ1GUc+I(wt$DqZ$5l&U?hRi=%&0DX(ig_<uPM#fK+1bB$LD*c9
zItE<6QE_~w(NE}d&r~8j?;GJGYQ|`P$RCJ{@PzSYjyN7fKK?({!A=EWgd(a-)|c8}
z3|=?tP9(Is{apKuoZIEafsua4grg7R1LP;mRR8YlSI6VB%TX@z8C;hDBsJ02h;aml
z*a8^T!jZh$$(f2IXB}6<9GX`#ZdQlUVPYFH2S0FJE{iznzDpcdnh++~opKHw%T8w{
z{#)k4nvThTDo(tmxGgsKhB!QThF4+$+=l7uXyim?Fb<%5>EZA$2OC(yl>cer<muXp
zR^6C%gS+-i@%Ubn>?DlerD8b1y~~g?^cA?$$ABR|RA?ls^T*j5feH2h;fW?Ir?jHY
z2&}wMO~9CN@{2|$Kr!gVQlw8$h=WIaGs2k&8AIc3=!VB{H>(&6$|1#(P2d;ovg9kv
z<#Z$^vDNOrU<wFg5_>kztxEOK3(7>*^T(u?DT@e)OmiW4?OnNPYo0Ry%AvmMJ3mQ4
zm6x4k6s}m_fyf%{=T*xiQ)O$$3HPpK9*<C#D}Os5LSJtNeCE&h*#p>9l3IAv{`+%|
z<xwH7Wp3DNLmUcH4S*!43fNW+UCd0cV8<^c_(Df`STIsTH->C_nj|jc=F~BmgB<-Y
z4nsOX1zz%mm&%*X*{U6u2M9~Ug<dzlHaQ=e=Y<yfZ>^nO%Ax67PqsAuqlt)0o$z8&
mK3--${Xpd4G}gDTKb_+1J7x++s{v~1H0yUednU0B1m~l%u>!6D

literal 10324
zcmV-aD67{BB>?tKRTKQ@5^8o>!|mGId1~Bk!q7*DAn(0$y9LtoQeh$@LGTi)PyjnQ
zDV##$OyMsTh?Ss7hXReE#d>u%$1)$zTD{q<yk|tr;T;yS;x2*bJ{}$sxK2x&wqJ>%
zUOS0&SVKGhKYE9JePKUk*i3C+?;c}9bgz;Bv@(3v4vHUZSUsRV!SK}VgpCc90jkk1
zF9bur5^Le@4-~kD27p}tkZwwy3H_b#mSnxf;GolbVVqp`h)0_0`vLI4ECrNA0Cf&E
zoAX<zWdoGB8bf`EupCJzQD>9(MYa?574l|ts{rJrG$=-I_&VT&ASa=mGX&?~&2erY
zzraIHjY!2x$(3!gC0cr*Vj`D`rKcjnW+fWJq)_+8VvsrBje8Fk_GlIqqvL{2d{#b6
zmUaJ6S8)>$(d$4PF<;}{L;&UhNb_m!+3hq6I@Wz5xB$veBh*k1p207BaM2WULN!8I
zT{V$(avIUY4mppTF$LE&R7RygJ1JprwlTb-jag{#W|J1#B*#TY*b#PHK*?LJpeVJz
zjw}gdn!x8?bo6$ohIFbh@_2CGl7NbJCkbyVgJtipF3l+NIav59V3O0AdAdY>=j7fF
zcO{#P1lK1}k}ffTiOlmR8E_K|AQL05yg_D%Jf@-4s4N06lCkb0YqG+gO(_%egcUMn
zKynM+y3dS<TA^!%qNR+^UfMK>@Gq_LcT>?epFj^oTO8b5MYG^1UM#uKSWvD3Tv>J?
z6ZVTUB9ovWoAZNmlRa?LxeeDwMd38#JA<+{hMz1NF5NUaT*0Ys$P|OV0hp1se7Ocl
zhDEeLBbX0Fk#M!sXg=T7(~gD06{f{xYhx75_zk6TnVL4!xXL#$FDmBVX|~#&JvRXs
z7SC5H`0Tr0{EXgQ0((a_copRX4_|RIWtK``^=!2jVzdKX{<8J5zptu$A$0a{R?4gc
z7RLl~2GAaBVUqO1XwL=4jHNl8a=V%+k~fAHx$oSO=)%1m&HC13e*;FE7rkeGaC$`9
z9A4d*ydx^wR}haSY)8BPG!gvK^kZJGPIB^=zd_0qc+=QNQj}&gM;BTCV4+QS=%M&5
zOSY#6<xvovcHrG1md*13VYv1q1(;GAic0t`<V>Mb2>cb;MGY_<XJmJw##>Rc1Vu}8
zc7*<tXBa%(H2T$%0mBx#`qa6TK{`bvv@Bmmv^k@fNK%j)cAZ1p+6%~zml^qKNP8Sz
z{5<Q0g~3rFC-m9oXkLo7&|J`uFngv;@|ECSgoxyxffz6A(U`eEBpx2d_Bx1)o{O6S
z7^&4+-9+w2R%6;va`b!#g5ib`hw?<$pEB7OEy%l7Pwi8nC*F8Rej-FieMpGgQNzYL
z2`Yt+j0almF@MyRCJEIE&o9d-tZJY5Sc$fei(a{O=`go{X&$|7q&igqP$gL3Zkz-_
zGDcjR%1K+WWDqcrsV8Kt+&=G4p=Jg*2@nC^25a{BpUU4>TNpBWgP+T=$buaHy_#~n
zg?bH1u=qAJJFVa2_;L0VRS}gt%DM6H{p4br+zQkj?ubj-H+BAIq(S~LY_lwHXi&S^
z;&A)*#T_8>Y@EQ3kdYBWdYeXbCp7bzVICS)w)`m0@ntxV=BUb1KMRtVbSJFDN_30b
z$5krX9+JPTB+Qm&rJw$K?~wdkxICzPeBJ%)qq#(4hz>f7U<8k@zg5VGD;m6*)6K-Z
zECK%&V6%`>$ARR+KFI?H-gznVY2Fd4CZ2E2-9P~JZN2+GS1SpJ3zV*LK*8Q1bE1#b
zUjX!o{QpxeJ(~Hmgmxr|gHdDo`yNmtu&`t2{DaTJ_DUKZ*s!WSdn6ULxpd{a^OwYl
zIBxXoJ_s)BN`WbkJVK2K$+65~$%^2T7MzD&nJUg^Z{@hG7hYFS<l~WLnQ~c#(d%OJ
z<rHH=fIfozY3B{9<12eqSotb4;x{5&(P!r{7*q}@2b-VDmjB^*JCX^6y!gFf@HCq!
z=gC;r=d{xnbi(#1k=a$%zpjAP{(7%@*Ow~H3lHt;wF(vtWl6la%dDIs(k<x*==zRS
zte%Jb{fXzTqYjlsL%EX(w04Z}aO=UDKPUaS&l+@Y#dF$#71X&5*3=+MS>Zb!Vl)Qh
z>ROg;FGri|J3=FK$3yvTHsYz$DSp^5@^w~7QdT~cwTKal>q8^~agmOnlNYoG6rgqF
z(iZN`;AD2&&tG|VaxY>J-l&=t7bbaPQQs)&y7Y^h17Qu#-PV@F07)+Uq~%d-O@{;5
z*gwYosqV}xgTgY<j)a(#YEi)2cnozt4U`Ocf2+XX4|zu#BY;bnJlE9uZeWtg2;7j#
zfw+&;V{s06B8|$c9SFT9^cxXO3#dmjL<y<|@CDMQNTZ$aOTIzvsZHP0r7AU`8uBFE
z>$FrG8r!Z=B(~4b+;ZZjnE6~Mi~B%>r->R|0IF{Fs0gO!!V%&i=&z3Rf&8Ta<Tynl
zuf;R^e|kN{Ip&X7a)T%Gww&zPP)nW!@?DEixpr!O<m{#UMYV$CYb#MNxJ=TvhanRn
z9c&&Rn-1{Q0q63eF-KAr&U3OWtQABw%Q2q?VD>O%-3~wbJ`alHB>R#*>+8Ug`nN68
z<CzY@qNoJC=?X75L(XP)ZE)uvaz{LlW646~F&kb7sJ$wxAhIL}4<6J}A;BOn=|t)Q
z$N_XLH?C~fD~Nu>4NC`&X*O6D#0$juR@UR{y5#6*R*^;%MC3y_X6-?YW=!eBe29jW
zmrze66KZ00?<0me>>Y6aa(FAP9j!5h??oLx$L{)6^AshIgNIlil0Bz;MFGTq@aoPC
z{>up^09&q^+=*tX9C*Jl(!kRTw{$>cbUS`K4lJ2nFc+jQyp$=T@mX!rUq$KFLf*IU
zLXxm#N-RFWS$Po#>+MX<@q0^X1x`&@)+S^S9MA<fQPN)(2{0xt7ygqOIT+wjnOti^
zlBGQ__0PZt@`RitflL+89x)FX*JdfICa4QsESs(P!bZ}&obN6punqpjzzf70G*-#F
zt~kU8XL<q`FgAOBk_P~MnIJ#XUG9E{Tz=S_O!*t+n_;P0d9)ed)DHRaN=NvjF1W__
zRd|#Bv1JT;aNP3|<@GG6ZV%;`SAQ4rw51$zuk6g2_c?=WEA3UztzbgYWNKuxv3uic
zZBK!fX;#^SyZ7>q`UhMkQA<OA&RZoxzHLvo92BFob<VY5gSSsQPpn(Xa1)Ey)8W~w
z0ay`KXg9GA$rB~c_0X30;Jlmrv81tcAMy8PxY2<=^eB7!<{??#7Mo|>P9jJ&^ODx~
zK5(){bF*q49TXYi2YK!QznhFw#4(g@Q46F0Xe(V<Kp^8ZsL}MhV!k_I#Gn>>9T3S9
zwgUbPcx)`Jmj^=6NJ{2A%$;QH-2SJEV&qvIw>qYav6q!z3bGQ{ZbxiJWT>X1q(FeX
zI5g~D*i7eB^vbCaR?jql98c(fIasW~+57#}U8K<dlV!4QaGav?7Frw!^C2?ZHDLzO
zX(<i@5kRtq0~-Q~F9|=*B*ijIAfG^j4`LEolpxUA=M^z_Ytu>ViGmp?*PuEiefQnu
zglDqRGd_3yBE{xSnXg^w!${d?yJxmK`c>CPorcyjykokWXY|6f@ZNyQZ;W@E;EJP_
zrE0=Uv(dJq`9oH1n`~R3wA4QN-ry}J<x?M$sbSz|2!y9KQDRHx0f<74ypCsU)mp>E
zTdK)Ci5WJmG1u~6E)HFYV#}uvlHJB7#BEXzXY}}{6kASE<(6E*l07$}9E**&_w+@o
z2wAC$0D>y~HwZAo)?)472ITvEyL6KjOf)Jt6L&@)zI#iWJOqJvGTXq&nfwMuVz-?1
zlQUms>^@Fg1@PY?Xm`F^n<z0QUtS;g8+_Lv7NgSJ>z3+e47R4vkfhh2Ns?P#c~|w+
zWTWsc551n@Jf@1l1Pq5Qh9RssL!Y|^h(~N#axfYP*9y6{lE)rz7DIg0bI4d6y!9v;
zNQEeRMR_LlZxcV58uDJv@1TcX(;_DpsNYbfz}Xchpp<6Jt@~u{E6Gdz&*8f7-i@!W
zn5r?W68G~TC|ey%88>jd;Kmvqu_p4&K%j->5`wsmm5nVP5e9%<(C;_1jIs!Hp%@VG
zLp#DtbyNX7XjwY?ci}K_XN1w=$w#10YX+h&&{SQA+;m}3z5pDTWJ*$*UzEKmgQ|DP
z3@c#NSW@C+4ngw;W0_LbECP*-0&N=^yI%|cge>lK!m0FL;D{dM$KAhxW?5<IDWPZ8
zs~dxtH2RM~ANt1qc<49p{l#nJp^uKNW$?z%+BWBxy#a0Z64Djb4~i=SQUeMh{$~n4
z1$*s+aPL?J;UV!9VnQ=)GRrvVF%i1yQ+<vH2jzk%gOn*wx!D`}%s8{Vn1@LIQ-)_F
z51ZKobKdW2u~i?ofK@hxyi2ZtRaAU|tZSaa{_0_xg|I#`lQA(!UPvk$u;E;`?pSr`
zQAe|BQkHq{kjJ9}F&XxZ5KUIsFEJXXs41JMm^dXD-L;m;?dRrhu4x!5*2ru%xlUQA
zRBZ@yd(G_Qv}vwZ6k+Wbc?JS%&sHi!M@H<@G40v9Z#VZ=Nv^4K)9sV?L)dDK4X{KH
z<szf2y?0}0M02fmlJu=c9E#N!0!p^GuH?SxalNOiw)NNi>mOetUqrjiUZ^3`Tqy*t
zb3UE1yRHAOn$_<ps&ss^xx^U8Tlc_{WmSO&nbMnFHO=3Vq{YuiChR=UiG>SJ`dYy<
znqfb~hVh=pb>i<gc-WRD;Rk%sNQ3o*3%x5We6+Pvi<r7m6`^eY=t>rVpdQ%Y&4d*R
zg5h}=5?eym<R})^s!<37$SjtLBD$`do1R*J;kA`V-k8eTrE+6jJ)$!#MWza*r?5xA
z+FP%gxLi*j?_giB!8;TSU)~Xcg2n^-=jf%U5M!f3f*>sJcIs|3L_E<bY47zv*iE&9
zYZ&mxOKp(3A3tkw)GJ-lxCG9R?(yG92Ztx`Zl`VpbR;$pA(abYdF>Y@b^=w=&BH%+
zk!b^cz5{x~r)&36t7dfDs^c}0#+R`$k2PrqGqwwyj&W{56?C1|8y%+(UkE3F7IlxR
z3)>_9f8ix4E~?Cut6zr6oA@P!s5VS!wrF$C(T~C!#s~CA%zRweN3}Fg6JXStP;orQ
z9)XMB_^{>fupX+7j=aYr_f|-(9sa!~q;_%ZQ?cCe21g7f=XC%T1IV1+ki=MS;?)m%
zSz#jxu6_HrYi5ql-{Sr-JRq8nxe2ZO1k66n+!&l`<-4JJ^YvoUt`FLuF{WrBf|MhP
zZiJ3w(6kr>50jppbGLLeKTH%{X-0}tYO1j5Fb)#8de(BtR+V>u50Ew->L_nLj6Qkb
zo~b&1l9uSue5$No1IX)&T6zb&q_`vsS&)E(d<s<r09%$MSg2-#xxoo0{~0h7kVyc@
zMx!-LVwK$Mq*>@JIeyZSZH^1k(DjV67;_1+L6yV-+Ozq8$RHZa%+4M4VQyryXf1!5
zyp<&7-~CXjnS{e|sye|hUc561nK^77$S?}U7C82WG$~)=R($hLM$kgf#JV%Q`#O5k
z<&av6I0QA2wiVL9jz|%bR_3eK>kFqWlzU$%)xqLZ72E;=K>TSrqGveXMuj*9-Nw#1
zgV7jD6MJKy1`ZZqIGz?NaN=ASY1B|L5TEkSu5g;TU(P<rRKKGome-*+Z^zDyAlt``
zLsH9z9&y_q?J1M4ZQrE*!cQZt##eE>CIerhFBDfO+%uVf$L0`Sq97ojTftj>%!6{I
z`ERXt*%GIx&yasYon64~*I6X}Y>)JjA9YHKUrXnlECZmpGv)eTzKzpt=18yvD~t%|
zPKcr)T@LFK*`YL7Y_c^2D$h$LVQIslLweR4BtGn27*s#v{{btW3Ii>ne%)d=g-yS&
z36vAWBPE;pH|<s!TLZmzP!REkvKdU;jyhiK-$#sH!RrgruMM^T*)1XI!S0BO{*V=f
zm@!(FrVwpN_Z)HY4eKKb#PE7g1t<5d@RRKs9u`pkLd@>GFl*UY2hS|td`<*Vd4|W^
zFSsFCp~%#(+Zt@_9OGZL?lQ^M<-jZoSiE_j?(Z>Cf38q}+M6P?K00^B)Rwm8CBzou
z9xhAU#{<T%CPbi!*T9(tj#JSJ;JJ1nt5`^LFpU#)&he-Q!?<Ev1AUa-y8|Bz9&e+g
zY!7&vR~M)o>v?z5&_!+z#I0|NqV9D)cSzOrrGQ74ohybFq&hHrP$>COd7@$fNYvBr
z;Pt_2d;n`7+`O3#H;ve5qWskcuf<r9WCCXY-fyl;FbE*;h1q*Jm+z41K=VC|6D}$}
z^vYJk++t;bzR2#4EBczsJtZU+8Vc1N9PuWy%TYn<BVJ3OF|>L^5y1-O@<3!o6Hl4e
z6dW_j_gquVGnt{k3b!f+kZ7o{a8>M^72CfA&U;ElJVQYoPbb*us4i!R__T{Nq5z>K
zQv=mtfapzP+TC%_N%{c?uC66Otrt9K9JT(4-jN5^MQ3~NV&s~;CziJoNgZZy(Sx%g
zNDs=W#`x*X<^b8O(tsM>#p7)1I<kdzx#>ccaO!`&30J^jqH5XzGytCQ^@ZY&-z=PK
zC(-oq&K=jUSvu4;$QRuW7{j!FN}`V@oiG^lrLv;r2by+-VosE*n?%w|>0%_PHjUu5
z|K(8P;ODWVWE*yY9lb}?y#SvhadPnh6_V@SYD{c3h1z&Wj)XkQ_Z?O4_zm#7ic6{C
z9x%ZH-n7|$Z0bm2J58}-b2SzxiCB*8mQ_)-#lpA&Q<=|SBJFedVcMJhOA_c_e_9|h
zd@q?Md>Wi3dqXF~)Q@dR2a)gCgVo>5Z9)X8`UKX-Xx1<X@eB*^ec*v)e@-!sN0JiO
zC}D|XhvWlXNzctePkZPn9%ABIqAF+BMBy~Oqu$@tO@WgZ$+=<-W5^-nT6P@kv}wy7
z!r=<jO&+sS@%~ht#eM-BFkAcVsY%OX-Jk+5dEA0D-Yu02&eeW*ZEoJw<0LhGLi15g
zwz}EIklq+WLXgV%^adNN!Ah{MNbqVWVdM5dp;KBuBp_h*gVn8KCYM8W?1$VR+XT&{
zIVD!TnKW!!03o64Mj?Ex3mag~#-A_Ad@wCx+!=$;=VAKwNb9a^C-a-otwT3p!)XZ2
zvgQ$jVfJNIyuK0ODPTwXLwYXIJW|Pp_2e--pp0QXnZ}V$&tVk2Z*^{UAsIL2yQ^?x
zk4@vMfOA2dVK_}34R5n#H#PGjO+ID<Uqwd^GSsp;puXQ8-KRo64TzauT-)a`Y`y)G
z-7vDD0562nbPlyQ(FX~|Aola}4L?8zZL{J{h|m%<2uZF$uRDDv&K)%HSXLd!!wQTf
z9}h(YTsdG%C4QgM)_#cQ8U#Sjx4z*2rhv^pb4OjIP~aMo^PmEXZpjaI`!2hwSeBJw
zSrLletDy7)T^P`;%YTEe{b#^@?Y&oQ+E_RGZ3^JV!J5W<ym(KHfCPjfC3nRItV>q_
zBUv+Uf+Np!Y`BmiXkLAM_i)(t8;ebc(@YK&5-1YE-r*Z~<i@~NeR2QDt?X4KO%x(K
zl8&s&v5fRov|&=?2L@S9q7vKFJ!I`0plXL^ZYc)vu*;iZvpjXm9pq!9fc*XKK7Kql
z>(1W5LnrBU_VY~fo31LJKdH2M3FlGq(i7uOhC}}l!^z{9KB;Zd=I_kVj*fM8hlI@y
zeXGA*Kc49-6@r&%i5C5@*1i%^J(o2Q^ATxDG|lEXGKA2ZjbfPAZ?veXXsBnR^_-U9
zqP!nP)3x1k_;D)x73{P^ntY}m=6@<e3o+JRm>~J$hEK3tp%)KbN^nk}TU30}f~A0@
ze6jJn`IV%d6|`lmPRk2<oSBzEKo4ueXRuWX^F1dCQ!^Ekeuknj^;SK*KeC&4*g+MQ
zsLx6QP%P(e`(HY+Z#0MP08FL@sq@2teZI9s<a9zYZ^fr|a?~zdT;)MNL=Zwl5{Z~^
z#ofs0d{7tK+3<<*)4_dGNF{#%zLP230^|YKcVW;`3lvYC!tl3Tyn(!K<XK4DBW*RY
zoGT#p$+CZ6xaUk#VH$9G#*P^}OIOS9cjb#}yIcP@s|D;!g=f(m0<UHU;EOmzfdlBZ
zq0tDa5Z+~#(I^#lKym&U+11Ux#b_ND`{6cxD_21k+wDS8=CxeIBUmbcrrVfur+j)l
zdaT~g^wu0T&TNXex53!q34$nzd;#XV2awZS?YrmXYIakbM<JbZC+de$!7iTN+Hgdc
z^Wp$*Zn?TEkY&?rx#eVWXJo!Vna37tzRilX3*~eB{<}H#!lbQK{<nZ?$ALPf1RI`S
zYxtvozcKf1nNcHl0d3p7p()e+@0w~^#16smdskMUX*)Dbepk*%wMeZ^sb4-QfgKyD
zIe2Jyvut<UA}23FU8rHU_NXXVKl0bkh2LRPM!pg>F!&*PJT!wO(8vF;wL04xclcP$
z`OYpas;yL%n<kf9FRs65ZhWE=Cs&us4)I@Zb|gMUc)Dcnx>;-BoVbaJz|;}?$vvpv
zRfLrFw`z|#O&ZXm8nHi1lEE^sD(jpZ8hu~-Lc^nwF~4{|nIT=pT>3|8zIHH-dXe|d
zd+riRBsaWu1sqeC{lNAjXlIvRtXK{O!vJKdoe+w_y7#mso)atfZY&>!%7xDYV5>B&
zG8UJ+<iy^my<bFkvzHcvMgoOq0q2FS394A#6eeOmYZuXF?t+Vu?bk8_eOU$F4r~~I
zlc#a`qOEX7hC$xkjIBZ^pcTxC{;wZM^(KkLUj(aH*9kyTIO!;s4X45jfM{(UI#(EX
z&KP?6kW_&lCyKEam<*V!8KlKdT>UtbwxxAeEhH-K16cuX0&jWJ5Ni<z<x5%u6~C0M
z5!*pvB3Odx(f!t%2XYa)!xBB?Iw>T%+=kj4228qJj1dd&NvhOpD#K?8h-})|DM1;c
zUeXo0X(Y+v{hj@NU?EpQYR<x#N$6{n*~)(8&w(<&!IMlOHt5&siF1jN8rm;O7?F%I
zJUpV8C@*8x5WEm!A*2)oL$^pWXcHF**>_N0)5#Rw(|DaIcd2)V_o`GxayP%4hPS>&
z`L!Z+ml0X7==x)V2BcqC_pZsu7#x)fj{NbD(=$P&&mnQYGnIl`-M=lVH6`Sw;A;mi
z^tUtio!_lv4q<K3L6}Q%&<h_ls^79*C6~)wr=yA?Pa%5CS-Rw4#|D*JXN$tlbAE3w
zbNrSLevbLy4tiZ^NtEZ+uWGasc&9&>g2HpsDvl~IO+N^C!lKy}yiT3+LpEP$^WIoB
z`mW0keb_zRPaRlW18q&OJ#Tm5%YL}%rx*GS1mpeeIt{3^p2h!D8X`|ycv$9tB3-CC
zrqGUOscNue{gnWxJi|+zO9i_}e{4JASd#3#Z8eve;*@mKh%QbccNA4I`=3;TQ#zYx
z59tb%BI+IO#b^r<%f)4#1W^pC7f4|HfE{D|=gCa{5Gq!Ewh%ZbpEXbC?*VOdZEJR?
zZ0yW`loG1;z-2s<dzr;#Z(U?$))RQ;sa2SWo0m>Q?r$J6Hj_7YBJyg~>N0kqGx*Jb
ztSa_MXBXzWy{yeOOK5p`JFXEy9JU1tkE1y-fvI0;Yb9Kec8I~*Y}}(72(#KJM(guV
z+$vuSf_d->Zo1Gx7%80ww?N|}gW((!80VpZ+8n!Fq&V0j59QV_dlAT7(ToN_nY5js
zl0a8|EH&VM8K@j6rC+5Wf!T1$SftK;$7z{H#IlI{hT#Z}b;uFm_@9t_jsSu8&GlQ<
zg|*Yt;ZViziE)x94~6M4QOy>)0&>^y1fX~jOLil&ak-PIr?20IO;8}(^GIPuJ9A4j
z#jZbu^3s&<XzxT4_I?sr{@F2bPpBWV3O0nQ@OKqN_HU5-;Zfk2l?O8HLORIg1z-^$
zaV4fC!m+@$@Cc^)<5<5JVdWnEg(HeN2(<olGJ5y#XAZ7JTn`YNSl02QY-ppLW20}b
z5ISBo_NE(m#fu}}bEVd3`OyBuCXVd3_b+ORUJ>w?S8`2L=KGi;oecOy)m86FbVc)6
zZIYtY^DEW?RIK*;MxHV7Z~1-!>F58AxfV%|cG%W2uqg#x*Z4R^eAI_TW1054FL7fF
zqclto=N<7aRla6Kk>iew(|2sojErw@y0tO?Wh{NKG7B<?#Vy{QI`r#IVO@?2!tPvP
zo;GCnF0RX0HT(YU&N=KN1OcT<&SYQ$f?`T&(N+-}@d4C5?f^>$=j<AaC&WFetqymA
zqO!`kY!BC+>h+bes9w?f5m8E#qPEh$C}z@H<-YSk9}`>nJy|F9VTq1?j)izFLiHmu
z@!L}YhLY~x1P7e~E>a@=XcB6~w|>?Km9TBqKYi~WV^h+F+x9UEALsuqh14==jotA8
zxrMXJZURc%F-igN1m$Az#S!WIQlXWFw7<ap0{=qc6#tf2nhrF3`{hkmS8vT*g%|`h
z9Il`jb)l`OG?mD5`?;eM-Hp0DfHw6sJEKjRJDm3?G6n8fH`34ZyZO^mlY@2~9kb&b
z@&6h_$LUUYAIyc&GD+VT5|HQS8GsjqlSzYFcWh=#ZP7;ofg()zxR+?~5we?it6{d)
zHCYrPY;1@o?j~hzv^sc|ZPRH!qVF`5KHha8SR#n{q!MLjuNb)zpU9^aJ>=4$2A}0z
z+Ufsl2f#6j$AY|E&Ha&f*OW6r(&ye0@zw%{6C^iV5}YgB4%a!hzN5_E%ovADcw0-_
z3vbNxbUc=B1?{KgUU|4Ctc4w*dv@(b;0pH5Q)l}zTE4J}xm*9Zb$Q6@v2R<<uEv(r
z2i*jIv^)5s^0^pd-E+XZ<0e_+XiU;0{<Cl|sdqW#N7YyrL%{h&{<QNK6{BKm^T-O~
z=nIqB!wKYDucd8R{+R@laT+vRnGxv&>^jh!-;{EAMre{*a>h^k2~s6m5I%I3C>wT+
z7c%3^-Ew3&q$=m6$6$yYTXjia$nKpn)~fTw-Z2n;`Mu)b;3#pPY+}|Bt&NOfl8JMl
zqA$C4Dp1kHXpJ9;!TnJFxg5k;U#^v>B-;8ZG*+JYoE`h~?xrmT(UP{*YzHlw%=$V?
ziAU$U>fU&Q0}Zb;i?{pi^G^>!D5nRcF|J2)T&v5|8%9SS@$=b832g<rz~F2Gs)_U9
zwjmc7vR(wwRk;2mCzl9BVSI3B$}yb*QegSut4@i}Y$Kp&*RkaDh%L`tCj_^``r2p~
z4n4JON||tPvM)OMcEd+Zc+gjT8>+h#NH@2Jp;*KlmIN}r0A9{zVbTsKCG_a5O5swr
zkSiJNO0msIZD59K@JZ(_R|*p+Dii<yrbN6Gdf>(?$5LQ9q?3mGNNJ~*Oh4CSjIc^D
zA;K&*qz5ZK{W$9*N@?}!LZR8J+n7C_#@<bj^kuJWtH0hjizr!i#X*sK^o!j;Y(C*4
z@^K?C(LG(KHEvD4lR=g#06QkF#R|!Nol^A=-w8BloOMFGE_$B|f?&2m+nDMewd!i;
zONjxmfD3RFi12|Sw;g1=(gxIDxlRPx0Q?gYAW?g;wkQx|JKe%yz%L=_^6PMs(VVW^
z?Pi70ls|7!+h`d_zoNHwmO}`|t?6CNJ>EX@){x1kcjYPPaD`J0CA-FU;i4yO6IrH%
zrH8dLK=`@GK$X_T4;_I1miK1k80D+BE@tbH*HY7#DyS2!&<C)BjG=VbLVs9Kdov8}
zeB?kkS<+bJ+26JU3`^)mEG#f3-xYrDJCVbvkW%0;HB$0T{?8UD?yP;EyzGw(;!oH*
zV#zC+f}mB`(WnL1iA1M0@;10P4rQ_RR8i5^xw;Seuh%KSOYSI-K2Q*NR-KYYb?3VW
zpwcm-GUW5>w7>`>#PcE&pvuy8&-8oK2f%%{7kuVkxR`EG>tGJa>=XZ;aL>}v{dfrM
za{Z?DyV!NC=0CpdId!3Lm4&eZFnBgn+Ot8pIAZpWRg)>}TaoHk4AERReVueXWP^Gj
z7e+1MoQf-pU5$DA(l#3sZFYZq`@zkkXK~qbRl7bH%M%O-47+1p3|YHZS0d(eBFnSA
zTjuTGk)rOVvIq}4&s6%+<S1`c*0Ocz+11D4u<~SL&Gt34OBcy2`?+xQ&xx2GTD~Fp
zaGx_;L&_5r^bb*Ke6Mto{vdy(l?gS9jp}*RG}Hfh;)5<oH({^o^)%L9Rhv_1dN12s
zZ%d<6U;7sIuXZN$)HKH3@U!)*(!0AtCq+sm7bNZlmzamSNjAy?W!#40t=3rw%YYe4
z3K1^I^+M+-%F<h`5%=`41gxGYy%_0Dc7I7-^`a@_3%T|s#f8uT95xy!=!~Gn`sGr}
zZ9=&tsGXp1Gdw9;@lxS&#pu#)+pBf$EE|Jlut%xHIAC1+ccE!zUglLglkm2H8ai*D
zJ$i(L4f2tG?2_FCt&%Eb%5RciNy~&Cpb@_JsY{!ujj9QDj~GexgtHkop8Ii*pd~$S
zjQ#S3cSufex1D^@wh$jtA;Hyt+b!EF?i}4vs20~Fk?Ru@FaOkK;G=hTfpI-3tWH@)
zq5ZZvJSq&o6{`tu(CP^W<f<66s0sCE>>rvQ7hbZYt6?rfeuSKMnOM!5{LcWpNrVev
z9p$rRa38s84miHO<w1fy`N&@6pw3@4QU91gEFrXzBNW|4Zxr=6vY{V>Jyd(V0|b1f
z!RM~m`J|?VpbObg*+YbL7T+}(xZOdOXkmthSbPHVdUeH#`K=QiJH(s?1{uP-<clo=
zZCn#c%PAjFSFZnios{4hVIim^Nus1yM4Raso*^(PQN{=fa>94*tw$Kvxk1z>+S?pB
z_2pH7nv0e$E;RHMRexY>Upoo#xRx^@>LdBBp}t1NRp(UgPJanREQvD6HhJoCf=Pr)
zDRw=(2mIuD*?_0Q*{c&%B%Bray#wa=f6~siG7kmWxmuFs_Pb*sSG)S3t3A`5QSQ|v
zxXOS#0N5cc6{x6od?DX|g*FDp9L_kXy^9wp`^fP-dupJn$In#?*hf4ASi@ysCGqjh
zkWbQCbhgNH730qKhzg5-g$s4YPBj5=KnU7g+|ce)IJ-E6;AtY$JUl<8xu+p&%H=OY
zk5>lbc)oM~P>j%Y1(Tj9TntChsWWLR=|F-88zl{%eGx&`L?iW^`S)tblz?x>DtM}j
zh67XzDuf_QbL9Lkee-(2Nc)aXl*P{w$N~IXVVk_vz8EGFGqxF3c3&ewzPP4)Rhjrp
zgH3h?@hD%T|E%H+#*A{rf6y{d6-ZkpgUJb4d~?5H-F95R@N>vr*SU9Q*mE3H+5SOZ
zqb)IB;MnL+QNfWime&6g#v(nB$HS?Ahxfl?QU+MkigWnUapBS=!oUqCGyf5cNsb8h
zH}~P?Sd2rb)o~=XD~=C6dfkLNArk{_sTYQmKw<6)cjt!Ao}Apm37TMB3S)(lm_OD0
ziENWiu0#fhUKZ+~M*-2aKDU&$VdCmDOwqHSB=K;&ch-!%Ov;!UuQ$U3!e!-AnYu$6
zeobw=OgC{FzBOa$$Gbr~pzj+u8s^)b`kqMT42&f&1uONxsm)a2-{SCIN;fb1f@7{=
zk@=SvgvB@tjusMS@0WH=KnZY|3<o|%hkp1IK-<1UJir2+Qp;+9<B-i^m=Ferk3#~~
mA-n2;$SnQ&NNeoAb}o?f`I@Vv_g;31<~4pyIg>>`Zt{TrNde*j


From 7de8944b0bafd96545e4ced016b4529456e395cd Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 22 Sep 2022 20:59:53 +0000
Subject: [PATCH 31/36] refactor tests

---
 tests/test_pluggable.py | 155 +++++++++++++---------------------------
 1 file changed, 51 insertions(+), 104 deletions(-)

diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
index af71d8f58..293d5c6ed 100644
--- a/tests/test_pluggable.py
+++ b/tests/test_pluggable.py
@@ -990,112 +990,59 @@ def test_revoke_failed_executable_not_allowed(self):
         assert excinfo.match(r"Executables need to be explicitly allowed")
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_failed_non_interactive_mode(self):
-        credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
-        with pytest.raises(ValueError) as excinfo:
-            _ = credentials.revoke(None)
-
-        assert excinfo.match(r"Revoke is only enabled under interactive mode.")
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_failed_executable(self):
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[], stdout=None, returncode=1
-            ),
-        ):
-            credentials = self.make_pluggable(
-                audience=WORKFORCE_AUDIENCE,
-                credential_source=self.CREDENTIAL_SOURCE,
-                interactive=True,
-            )
-            with pytest.raises(exceptions.RefreshError) as excinfo:
-                _ = credentials.revoke(None)
-
-            assert excinfo.match(r"Auth revoke failed on executable.")
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_failed_response_validation_missing_version(self):
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[], stdout=json.dumps({}).encode("utf-8"), returncode=0
-            ),
-        ):
-            credentials = self.make_pluggable(
-                audience=WORKFORCE_AUDIENCE,
-                credential_source=self.CREDENTIAL_SOURCE,
-                interactive=True,
-            )
-            with pytest.raises(ValueError) as excinfo:
-                _ = credentials.revoke(None)
-
-            assert excinfo.match(
-                r"The executable response is missing the version field."
-            )
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_failed_response_validation_invalid_version(self):
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[], stdout=json.dumps({"version": 2}).encode("utf-8"), returncode=0
-            ),
-        ):
-            credentials = self.make_pluggable(
-                audience=WORKFORCE_AUDIENCE,
-                credential_source=self.CREDENTIAL_SOURCE,
-                interactive=True,
-            )
-            with pytest.raises(exceptions.RefreshError) as excinfo:
-                _ = credentials.revoke(None)
-
-            assert excinfo.match(r"Executable returned unsupported version.")
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_failed_response_validation_missing_success(self):
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[], stdout=json.dumps({"version": 1}).encode("utf-8"), returncode=0
-            ),
-        ):
-            credentials = self.make_pluggable(
-                audience=WORKFORCE_AUDIENCE,
-                credential_source=self.CREDENTIAL_SOURCE,
-                interactive=True,
-            )
-            with pytest.raises(ValueError) as excinfo:
-                _ = credentials.revoke(None)
-
-            assert excinfo.match(
-                r"The executable response is missing the success field."
-            )
-
-    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_revoke_failed_response_validation_with_success_field_is_false(self):
-        INVALID_REVOKE_RESPONSE = {"version": 1, "success": False}
-
-        with mock.patch(
-            "subprocess.run",
-            return_value=subprocess.CompletedProcess(
-                args=[],
-                stdout=json.dumps(INVALID_REVOKE_RESPONSE).encode("UTF-8"),
-                returncode=0,
-            ),
-        ):
-            credentials = self.make_pluggable(
-                audience=WORKFORCE_AUDIENCE,
-                service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
-                credential_source=self.CREDENTIAL_SOURCE,
-                interactive=True,
-            )
+    def test_revoke_failed(self):
+        testData = {
+            "non_interactive_mode": {
+                "interactive": False,
+                "expectErrType": ValueError,
+                "expectErrPattern": r"Revoke is only enabled under interactive mode.",
+            },
+            "executable_failed": {
+                "returncode": 1,
+                "expectErrType": exceptions.RefreshError,
+                "expectErrPattern": r"Auth revoke failed on executable.",
+            },
+            "response_validation_missing_version": {
+                "response": {},
+                "expectErrType": ValueError,
+                "expectErrPattern": r"The executable response is missing the version field.",
+            },
+            "response_validation_invalid_version": {
+                "response": {"version": 2},
+                "expectErrType": exceptions.RefreshError,
+                "expectErrPattern": r"Executable returned unsupported version.",
+            },
+            "response_validation_missing_success": {
+                "response": {"version": 1},
+                "expectErrType": ValueError,
+                "expectErrPattern": r"The executable response is missing the success field.",
+            },
+            "response_validation_failed_with_success_field_is_false": {
+                "response": {"version": 1, "success": False},
+                "expectErrType": exceptions.RefreshError,
+                "expectErrPattern": r"Revoke failed with unsuccessful response.",
+            },
+        }
+        for data in testData.values():
+            with mock.patch(
+                "subprocess.run",
+                return_value=subprocess.CompletedProcess(
+                    args=[],
+                    stdout=json.dumps(data.get("response")).encode("UTF-8"),
+                    returncode=data.get("returncode", 0),
+                ),
+            ):
+                credentials = self.make_pluggable(
+                    audience=WORKFORCE_AUDIENCE,
+                    service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
+                    credential_source=self.CREDENTIAL_SOURCE,
+                    interactive=data.get("interactive", True),
+                )
 
-            with pytest.raises(exceptions.RefreshError) as excinfo:
-                _ = credentials.revoke(None)
+                with pytest.raises(data.get("expectErrType")) as excinfo:
+                    _ = credentials.revoke(None)
 
-            assert excinfo.match(r"Revoke failed with unsuccessful response.")
+                assert excinfo.match(data.get("expectErrPattern"))
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_revoke_successfully(self):

From 06fff40ad9050651024e7b61cbfc5da22fa27f9b Mon Sep 17 00:00:00 2001
From: Carl Lundin <108372512+clundin25@users.noreply.github.com>
Date: Thu, 22 Sep 2022 21:52:10 +0000
Subject: [PATCH 32/36] feat: Retry behavior (#1113)

* feat: Retry behavior

* Introduce `retryable` property to auth library exceptions. This can be
  used to determine if an exception should be retried.
* Introduce `should_retry` parameter to token endpoints. If set to `False`
  the auth library will not retry failed requests. If set to `True` the
  auth library will retry failed requests. The default value is `True`
  to maintain existing behavior.
* Expanded list of HTTP Status codes that will be retried.
* Modified retry behavior to use exponential backoff.
* Increased default retry attempts from 2 to 3.
---
 google/auth/_exponential_backoff.py      | 111 ++++++++++++
 google/auth/exceptions.py                |  17 +-
 google/auth/transport/__init__.py        |  14 +-
 google/oauth2/_client.py                 | 171 +++++++++++++-----
 google/oauth2/_client_async.py           |  95 ++++++----
 google/oauth2/_reauth_async.py           |   5 +-
 google/oauth2/reauth.py                  |  12 +-
 tests/compute_engine/test_credentials.py |   2 +-
 tests/oauth2/test__client.py             | 192 ++++++++++++++++++--
 tests/oauth2/test_reauth.py              |  11 +-
 tests/test__exponential_backoff.py       |  41 +++++
 tests/test_exceptions.py                 |  55 ++++++
 tests_async/oauth2/test__client_async.py | 214 +++++++++++++++++++++--
 tests_async/oauth2/test_reauth_async.py  |  16 +-
 14 files changed, 841 insertions(+), 115 deletions(-)
 create mode 100644 google/auth/_exponential_backoff.py
 create mode 100644 tests/test__exponential_backoff.py
 create mode 100644 tests/test_exceptions.py

diff --git a/google/auth/_exponential_backoff.py b/google/auth/_exponential_backoff.py
new file mode 100644
index 000000000..b5801bec9
--- /dev/null
+++ b/google/auth/_exponential_backoff.py
@@ -0,0 +1,111 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import random
+import time
+
+import six
+
+# The default amount of retry attempts
+_DEFAULT_RETRY_TOTAL_ATTEMPTS = 3
+
+# The default initial backoff period (1.0 second).
+_DEFAULT_INITIAL_INTERVAL_SECONDS = 1.0
+
+# The default randomization factor (0.1 which results in a random period ranging
+# between 10% below and 10% above the retry interval).
+_DEFAULT_RANDOMIZATION_FACTOR = 0.1
+
+# The default multiplier value (2 which is 100% increase per back off).
+_DEFAULT_MULTIPLIER = 2.0
+
+"""Exponential Backoff Utility
+
+This is a private module that implements the exponential back off algorithm.
+It can be used as a utility for code that needs to retry on failure, for example
+an HTTP request.
+"""
+
+
+class ExponentialBackoff(six.Iterator):
+    """An exponential backoff iterator. This can be used in a for loop to
+    perform requests with exponential backoff.
+
+    Args:
+        total_attempts Optional[int]:
+            The maximum amount of retries that should happen.
+            The default value is 3 attempts.
+        initial_wait_seconds Optional[int]:
+            The amount of time to sleep in the first backoff. This parameter
+            should be in seconds.
+            The default value is 1 second.
+        randomization_factor Optional[float]:
+            The amount of jitter that should be in each backoff. For example,
+            a value of 0.1 will introduce a jitter range of 10% to the
+            current backoff period.
+            The default value is 0.1.
+        multiplier Optional[float]:
+            The backoff multipler. This adjusts how much each backoff will
+            increase. For example a value of 2.0 leads to a 200% backoff
+            on each attempt. If the initial_wait is 1.0 it would look like
+            this sequence [1.0, 2.0, 4.0, 8.0].
+            The default value is 2.0.
+    """
+
+    def __init__(
+        self,
+        total_attempts=_DEFAULT_RETRY_TOTAL_ATTEMPTS,
+        initial_wait_seconds=_DEFAULT_INITIAL_INTERVAL_SECONDS,
+        randomization_factor=_DEFAULT_RANDOMIZATION_FACTOR,
+        multiplier=_DEFAULT_MULTIPLIER,
+    ):
+        self._total_attempts = total_attempts
+        self._initial_wait_seconds = initial_wait_seconds
+
+        self._current_wait_in_seconds = self._initial_wait_seconds
+
+        self._randomization_factor = randomization_factor
+        self._multiplier = multiplier
+        self._backoff_count = 0
+
+    def __iter__(self):
+        self._backoff_count = 0
+        self._current_wait_in_seconds = self._initial_wait_seconds
+        return self
+
+    def __next__(self):
+        if self._backoff_count >= self._total_attempts:
+            raise StopIteration
+        self._backoff_count += 1
+
+        jitter_variance = self._current_wait_in_seconds * self._randomization_factor
+        jitter = random.uniform(
+            self._current_wait_in_seconds - jitter_variance,
+            self._current_wait_in_seconds + jitter_variance,
+        )
+
+        time.sleep(jitter)
+
+        self._current_wait_in_seconds *= self._multiplier
+        return self._backoff_count
+
+    @property
+    def total_attempts(self):
+        """The total amount of backoff attempts that will be made."""
+        return self._total_attempts
+
+    @property
+    def backoff_count(self):
+        """The current amount of backoff attempts that have been made."""
+        return self._backoff_count
diff --git a/google/auth/exceptions.py b/google/auth/exceptions.py
index e9e737780..7760c87b8 100644
--- a/google/auth/exceptions.py
+++ b/google/auth/exceptions.py
@@ -18,6 +18,15 @@
 class GoogleAuthError(Exception):
     """Base class for all google.auth errors."""
 
+    def __init__(self, *args, **kwargs):
+        super(GoogleAuthError, self).__init__(*args)
+        retryable = kwargs.get("retryable", False)
+        self._retryable = retryable
+
+    @property
+    def retryable(self):
+        return self._retryable
+
 
 class TransportError(GoogleAuthError):
     """Used to indicate an error occurred during an HTTP request."""
@@ -44,6 +53,10 @@ class MutualTLSChannelError(GoogleAuthError):
 class ClientCertError(GoogleAuthError):
     """Used to indicate that client certificate is missing or invalid."""
 
+    @property
+    def retryable(self):
+        return False
+
 
 class OAuthError(GoogleAuthError):
     """Used to indicate an error occurred during an OAuth related HTTP
@@ -53,9 +66,9 @@ class OAuthError(GoogleAuthError):
 class ReauthFailError(RefreshError):
     """An exception for when reauth failed."""
 
-    def __init__(self, message=None):
+    def __init__(self, message=None, **kwargs):
         super(ReauthFailError, self).__init__(
-            "Reauthentication failed. {0}".format(message)
+            "Reauthentication failed. {0}".format(message), **kwargs
         )
 
 
diff --git a/google/auth/transport/__init__.py b/google/auth/transport/__init__.py
index 374e7b4d7..8334145a1 100644
--- a/google/auth/transport/__init__.py
+++ b/google/auth/transport/__init__.py
@@ -29,9 +29,21 @@
 import six
 from six.moves import http_client
 
+TOO_MANY_REQUESTS = 429  # Python 2.7 six is missing this status code.
+
+DEFAULT_RETRYABLE_STATUS_CODES = (
+    http_client.INTERNAL_SERVER_ERROR,
+    http_client.SERVICE_UNAVAILABLE,
+    http_client.REQUEST_TIMEOUT,
+    TOO_MANY_REQUESTS,
+)
+"""Sequence[int]:  HTTP status codes indicating a request can be retried.
+"""
+
+
 DEFAULT_REFRESH_STATUS_CODES = (http_client.UNAUTHORIZED,)
 """Sequence[int]:  Which HTTP status code indicate that credentials should be
-refreshed and a request should be retried.
+refreshed.
 """
 
 DEFAULT_MAX_REFRESH_ATTEMPTS = 2
diff --git a/google/oauth2/_client.py b/google/oauth2/_client.py
index 847c5db8a..7f866d446 100644
--- a/google/oauth2/_client.py
+++ b/google/oauth2/_client.py
@@ -30,9 +30,11 @@
 from six.moves import http_client
 from six.moves import urllib
 
+from google.auth import _exponential_backoff
 from google.auth import _helpers
 from google.auth import exceptions
 from google.auth import jwt
+from google.auth import transport
 
 _URLENCODED_CONTENT_TYPE = "application/x-www-form-urlencoded"
 _JSON_CONTENT_TYPE = "application/json"
@@ -40,17 +42,22 @@
 _REFRESH_GRANT_TYPE = "refresh_token"
 
 
-def _handle_error_response(response_data):
+def _handle_error_response(response_data, retryable_error):
     """Translates an error response into an exception.
 
     Args:
         response_data (Mapping | str): The decoded response data.
+        retryable_error Optional[bool]: A boolean indicating if an error is retryable.
+            Defaults to False.
 
     Raises:
         google.auth.exceptions.RefreshError: The errors contained in response_data.
     """
+
+    retryable_error = retryable_error if retryable_error else False
+
     if isinstance(response_data, six.string_types):
-        raise exceptions.RefreshError(response_data)
+        raise exceptions.RefreshError(response_data, retryable=retryable_error)
     try:
         error_details = "{}: {}".format(
             response_data["error"], response_data.get("error_description")
@@ -59,7 +66,45 @@ def _handle_error_response(response_data):
     except (KeyError, ValueError):
         error_details = json.dumps(response_data)
 
-    raise exceptions.RefreshError(error_details, response_data)
+    raise exceptions.RefreshError(
+        error_details, response_data, retryable=retryable_error
+    )
+
+
+def _can_retry(status_code, response_data):
+    """Checks if a request can be retried by inspecting the status code
+    and response body of the request.
+
+    Args:
+        status_code (int): The response status code.
+        response_data (Mapping | str): The decoded response data.
+
+    Returns:
+      bool: True if the response is retryable. False otherwise.
+    """
+    if status_code in transport.DEFAULT_RETRYABLE_STATUS_CODES:
+        return True
+
+    try:
+        # For a failed response, response_body could be a string
+        error_desc = response_data.get("error_description") or ""
+        error_code = response_data.get("error") or ""
+
+        # Per Oauth 2.0 RFC https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1
+        # This is needed because a redirect will not return a 500 status code.
+        retryable_error_descriptions = {
+            "internal_failure",
+            "server_error",
+            "temporarily_unavailable",
+        }
+
+        if any(e in retryable_error_descriptions for e in (error_code, error_desc)):
+            return True
+
+    except AttributeError:
+        pass
+
+    return False
 
 
 def _parse_expiry(response_data):
@@ -81,7 +126,13 @@ def _parse_expiry(response_data):
 
 
 def _token_endpoint_request_no_throw(
-    request, token_uri, body, access_token=None, use_json=False, **kwargs
+    request,
+    token_uri,
+    body,
+    access_token=None,
+    use_json=False,
+    can_retry=True,
+    **kwargs
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
     This function doesn't throw on response errors.
@@ -95,6 +146,7 @@ def _token_endpoint_request_no_throw(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
+        can_retry (bool): Enable or disable request retry behavior.
         kwargs: Additional arguments passed on to the request method. The
             kwargs will be passed to `requests.request` method, see:
             https://docs.python-requests.org/en/latest/api/#requests.request.
@@ -104,8 +156,10 @@ def _token_endpoint_request_no_throw(
             side SSL certificate verification.
 
     Returns:
-        Tuple(bool, Mapping[str, str]): A boolean indicating if the request is
-            successful, and a mapping for the JSON-decoded response data.
+        Tuple(bool, Mapping[str, str], Optional[bool]): A boolean indicating
+          if the request is successful, a mapping for the JSON-decoded response
+          data and in the case of an error a boolean indicating if the error
+          is retryable.
     """
     if use_json:
         headers = {"Content-Type": _JSON_CONTENT_TYPE}
@@ -117,10 +171,7 @@ def _token_endpoint_request_no_throw(
     if access_token:
         headers["Authorization"] = "Bearer {}".format(access_token)
 
-    retry = 0
-    # retry to fetch token for maximum of two times if any internal failure
-    # occurs.
-    while True:
+    def _perform_request():
         response = request(
             method="POST", url=token_uri, headers=headers, body=body, **kwargs
         )
@@ -129,32 +180,44 @@ def _token_endpoint_request_no_throw(
             if hasattr(response.data, "decode")
             else response.data
         )
-
-        if response.status == http_client.OK:
+        response_data = ""
+        try:
             # response_body should be a JSON
             response_data = json.loads(response_body)
-            break
-        else:
-            # For a failed response, response_body could be a string
-            try:
-                response_data = json.loads(response_body)
-                error_desc = response_data.get("error_description") or ""
-                error_code = response_data.get("error") or ""
-                if (
-                    any(e == "internal_failure" for e in (error_code, error_desc))
-                    and retry < 1
-                ):
-                    retry += 1
-                    continue
-            except ValueError:
-                response_data = response_body
-            return False, response_data
-
-    return True, response_data
+        except ValueError:
+            response_data = response_body
+
+        if response.status == http_client.OK:
+            return True, response_data, None
+
+        retryable_error = _can_retry(
+            status_code=response.status, response_data=response_data
+        )
+
+        return False, response_data, retryable_error
+
+    request_succeeded, response_data, retryable_error = _perform_request()
+
+    if request_succeeded or not retryable_error or not can_retry:
+        return request_succeeded, response_data, retryable_error
+
+    retries = _exponential_backoff.ExponentialBackoff()
+    for _ in retries:
+        request_succeeded, response_data, retryable_error = _perform_request()
+        if request_succeeded or not retryable_error:
+            return request_succeeded, response_data, retryable_error
+
+    return False, response_data, retryable_error
 
 
 def _token_endpoint_request(
-    request, token_uri, body, access_token=None, use_json=False, **kwargs
+    request,
+    token_uri,
+    body,
+    access_token=None,
+    use_json=False,
+    can_retry=True,
+    **kwargs
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
 
@@ -167,6 +230,7 @@ def _token_endpoint_request(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
+        can_retry (bool): Enable or disable request retry behavior.
         kwargs: Additional arguments passed on to the request method. The
             kwargs will be passed to `requests.request` method, see:
             https://docs.python-requests.org/en/latest/api/#requests.request.
@@ -182,15 +246,22 @@ def _token_endpoint_request(
         google.auth.exceptions.RefreshError: If the token endpoint returned
             an error.
     """
-    response_status_ok, response_data = _token_endpoint_request_no_throw(
-        request, token_uri, body, access_token=access_token, use_json=use_json, **kwargs
+
+    response_status_ok, response_data, retryable_error = _token_endpoint_request_no_throw(
+        request,
+        token_uri,
+        body,
+        access_token=access_token,
+        use_json=use_json,
+        can_retry=can_retry,
+        **kwargs
     )
     if not response_status_ok:
-        _handle_error_response(response_data)
+        _handle_error_response(response_data, retryable_error)
     return response_data
 
 
-def jwt_grant(request, token_uri, assertion):
+def jwt_grant(request, token_uri, assertion, can_retry=True):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants.
 
     For more details, see `rfc7523 section 4`_.
@@ -201,6 +272,7 @@ def jwt_grant(request, token_uri, assertion):
         token_uri (str): The OAuth 2.0 authorizations server's token endpoint
             URI.
         assertion (str): The OAuth 2.0 assertion.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]: The access token,
@@ -214,12 +286,16 @@ def jwt_grant(request, token_uri, assertion):
     """
     body = {"assertion": assertion, "grant_type": _JWT_GRANT_TYPE}
 
-    response_data = _token_endpoint_request(request, token_uri, body)
+    response_data = _token_endpoint_request(
+        request, token_uri, body, can_retry=can_retry
+    )
 
     try:
         access_token = response_data["access_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError("No access token in response.", response_data)
+        new_exc = exceptions.RefreshError(
+            "No access token in response.", response_data, retryable=False
+        )
         six.raise_from(new_exc, caught_exc)
 
     expiry = _parse_expiry(response_data)
@@ -227,7 +303,7 @@ def jwt_grant(request, token_uri, assertion):
     return access_token, expiry, response_data
 
 
-def id_token_jwt_grant(request, token_uri, assertion):
+def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants, but
     requests an OpenID Connect ID Token instead of an access token.
 
@@ -242,6 +318,7 @@ def id_token_jwt_grant(request, token_uri, assertion):
             URI.
         assertion (str): JWT token signed by a service account. The token's
             payload must include a ``target_audience`` claim.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]:
@@ -254,12 +331,16 @@ def id_token_jwt_grant(request, token_uri, assertion):
     """
     body = {"assertion": assertion, "grant_type": _JWT_GRANT_TYPE}
 
-    response_data = _token_endpoint_request(request, token_uri, body)
+    response_data = _token_endpoint_request(
+        request, token_uri, body, can_retry=can_retry
+    )
 
     try:
         id_token = response_data["id_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError("No ID token in response.", response_data)
+        new_exc = exceptions.RefreshError(
+            "No ID token in response.", response_data, retryable=False
+        )
         six.raise_from(new_exc, caught_exc)
 
     payload = jwt.decode(id_token, verify=False)
@@ -288,7 +369,9 @@ def _handle_refresh_grant_response(response_data, refresh_token):
     try:
         access_token = response_data["access_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError("No access token in response.", response_data)
+        new_exc = exceptions.RefreshError(
+            "No access token in response.", response_data, retryable=False
+        )
         six.raise_from(new_exc, caught_exc)
 
     refresh_token = response_data.get("refresh_token", refresh_token)
@@ -305,6 +388,7 @@ def refresh_grant(
     client_secret,
     scopes=None,
     rapt_token=None,
+    can_retry=True,
 ):
     """Implements the OAuth 2.0 refresh token grant.
 
@@ -324,6 +408,7 @@ def refresh_grant(
             token has a wild card scope (e.g.
             'https://www.googleapis.com/auth/any-api').
         rapt_token (Optional(str)): The reauth Proof Token.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, str, Optional[datetime], Mapping[str, str]]: The access
@@ -347,5 +432,7 @@ def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_data = _token_endpoint_request(request, token_uri, body)
+    response_data = _token_endpoint_request(
+        request, token_uri, body, can_retry=can_retry
+    )
     return _handle_refresh_grant_response(response_data, refresh_token)
diff --git a/google/oauth2/_client_async.py b/google/oauth2/_client_async.py
index cf5121137..428084a70 100644
--- a/google/oauth2/_client_async.py
+++ b/google/oauth2/_client_async.py
@@ -30,13 +30,14 @@
 from six.moves import http_client
 from six.moves import urllib
 
+from google.auth import _exponential_backoff
 from google.auth import exceptions
 from google.auth import jwt
 from google.oauth2 import _client as client
 
 
 async def _token_endpoint_request_no_throw(
-    request, token_uri, body, access_token=None, use_json=False
+    request, token_uri, body, access_token=None, use_json=False, can_retry=True
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
     This function doesn't throw on response errors.
@@ -50,10 +51,13 @@ async def _token_endpoint_request_no_throw(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
-        Tuple(bool, Mapping[str, str]): A boolean indicating if the request is
-            successful, and a mapping for the JSON-decoded response data.
+        Tuple(bool, Mapping[str, str], Optional[bool]): A boolean indicating
+          if the request is successful, a mapping for the JSON-decoded response
+          data and in the case of an error a boolean indicating if the error
+          is retryable.
     """
     if use_json:
         headers = {"Content-Type": client._JSON_CONTENT_TYPE}
@@ -65,11 +69,7 @@ async def _token_endpoint_request_no_throw(
     if access_token:
         headers["Authorization"] = "Bearer {}".format(access_token)
 
-    retry = 0
-    # retry to fetch token for maximum of two times if any internal failure
-    # occurs.
-    while True:
-
+    async def _perform_request():
         response = await request(
             method="POST", url=token_uri, headers=headers, body=body
         )
@@ -83,26 +83,36 @@ async def _token_endpoint_request_no_throw(
             else response_body1
         )
 
-        response_data = json.loads(response_body)
+        try:
+            response_data = json.loads(response_body)
+        except ValueError:
+            response_data = response_body
 
         if response.status == http_client.OK:
-            break
-        else:
-            error_desc = response_data.get("error_description") or ""
-            error_code = response_data.get("error") or ""
-            if (
-                any(e == "internal_failure" for e in (error_code, error_desc))
-                and retry < 1
-            ):
-                retry += 1
-                continue
-            return response.status == http_client.OK, response_data
+            return True, response_data, None
+
+        retryable_error = client._can_retry(
+            status_code=response.status, response_data=response_data
+        )
+
+        return False, response_data, retryable_error
+
+    request_succeeded, response_data, retryable_error = await _perform_request()
+
+    if request_succeeded or not retryable_error or not can_retry:
+        return request_succeeded, response_data, retryable_error
+
+    retries = _exponential_backoff.ExponentialBackoff()
+    for _ in retries:
+        request_succeeded, response_data, retryable_error = await _perform_request()
+        if request_succeeded or not retryable_error:
+            return request_succeeded, response_data, retryable_error
 
-    return response.status == http_client.OK, response_data
+    return False, response_data, retryable_error
 
 
 async def _token_endpoint_request(
-    request, token_uri, body, access_token=None, use_json=False
+    request, token_uri, body, access_token=None, use_json=False, can_retry=True
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
 
@@ -115,6 +125,7 @@ async def _token_endpoint_request(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Mapping[str, str]: The JSON-decoded response data.
@@ -123,15 +134,21 @@ async def _token_endpoint_request(
         google.auth.exceptions.RefreshError: If the token endpoint returned
             an error.
     """
-    response_status_ok, response_data = await _token_endpoint_request_no_throw(
-        request, token_uri, body, access_token=access_token, use_json=use_json
+
+    response_status_ok, response_data, retryable_error = await _token_endpoint_request_no_throw(
+        request,
+        token_uri,
+        body,
+        access_token=access_token,
+        use_json=use_json,
+        can_retry=can_retry,
     )
     if not response_status_ok:
-        client._handle_error_response(response_data)
+        client._handle_error_response(response_data, retryable_error)
     return response_data
 
 
-async def jwt_grant(request, token_uri, assertion):
+async def jwt_grant(request, token_uri, assertion, can_retry=True):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants.
 
     For more details, see `rfc7523 section 4`_.
@@ -142,6 +159,7 @@ async def jwt_grant(request, token_uri, assertion):
         token_uri (str): The OAuth 2.0 authorizations server's token endpoint
             URI.
         assertion (str): The OAuth 2.0 assertion.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]: The access token,
@@ -155,12 +173,16 @@ async def jwt_grant(request, token_uri, assertion):
     """
     body = {"assertion": assertion, "grant_type": client._JWT_GRANT_TYPE}
 
-    response_data = await _token_endpoint_request(request, token_uri, body)
+    response_data = await _token_endpoint_request(
+        request, token_uri, body, can_retry=can_retry
+    )
 
     try:
         access_token = response_data["access_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError("No access token in response.", response_data)
+        new_exc = exceptions.RefreshError(
+            "No access token in response.", response_data, retryable=False
+        )
         six.raise_from(new_exc, caught_exc)
 
     expiry = client._parse_expiry(response_data)
@@ -168,7 +190,7 @@ async def jwt_grant(request, token_uri, assertion):
     return access_token, expiry, response_data
 
 
-async def id_token_jwt_grant(request, token_uri, assertion):
+async def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants, but
     requests an OpenID Connect ID Token instead of an access token.
 
@@ -183,6 +205,7 @@ async def id_token_jwt_grant(request, token_uri, assertion):
             URI.
         assertion (str): JWT token signed by a service account. The token's
             payload must include a ``target_audience`` claim.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]:
@@ -195,12 +218,16 @@ async def id_token_jwt_grant(request, token_uri, assertion):
     """
     body = {"assertion": assertion, "grant_type": client._JWT_GRANT_TYPE}
 
-    response_data = await _token_endpoint_request(request, token_uri, body)
+    response_data = await _token_endpoint_request(
+        request, token_uri, body, can_retry=can_retry
+    )
 
     try:
         id_token = response_data["id_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError("No ID token in response.", response_data)
+        new_exc = exceptions.RefreshError(
+            "No ID token in response.", response_data, retryable=False
+        )
         six.raise_from(new_exc, caught_exc)
 
     payload = jwt.decode(id_token, verify=False)
@@ -217,6 +244,7 @@ async def refresh_grant(
     client_secret,
     scopes=None,
     rapt_token=None,
+    can_retry=True,
 ):
     """Implements the OAuth 2.0 refresh token grant.
 
@@ -236,6 +264,7 @@ async def refresh_grant(
             token has a wild card scope (e.g.
             'https://www.googleapis.com/auth/any-api').
         rapt_token (Optional(str)): The reauth Proof Token.
+        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[str], Optional[datetime], Mapping[str, str]]: The
@@ -259,5 +288,7 @@ async def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_data = await _token_endpoint_request(request, token_uri, body)
+    response_data = await _token_endpoint_request(
+        request, token_uri, body, can_retry=can_retry
+    )
     return client._handle_refresh_grant_response(response_data, refresh_token)
diff --git a/google/oauth2/_reauth_async.py b/google/oauth2/_reauth_async.py
index 30b0b0b1e..6b69c6e67 100644
--- a/google/oauth2/_reauth_async.py
+++ b/google/oauth2/_reauth_async.py
@@ -292,7 +292,7 @@ async def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_status_ok, response_data = await _client_async._token_endpoint_request_no_throw(
+    response_status_ok, response_data, retryable_error = await _client_async._token_endpoint_request_no_throw(
         request, token_uri, body
     )
     if (
@@ -317,12 +317,13 @@ async def refresh_grant(
         (
             response_status_ok,
             response_data,
+            retryable_error,
         ) = await _client_async._token_endpoint_request_no_throw(
             request, token_uri, body
         )
 
     if not response_status_ok:
-        _client._handle_error_response(response_data)
+        _client._handle_error_response(response_data, retryable_error)
     refresh_response = _client._handle_refresh_grant_response(
         response_data, refresh_token
     )
diff --git a/google/oauth2/reauth.py b/google/oauth2/reauth.py
index 2c32bda2a..ad2ad1b2e 100644
--- a/google/oauth2/reauth.py
+++ b/google/oauth2/reauth.py
@@ -319,7 +319,7 @@ def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_status_ok, response_data = _client._token_endpoint_request_no_throw(
+    response_status_ok, response_data, retryable_error = _client._token_endpoint_request_no_throw(
         request, token_uri, body
     )
     if (
@@ -339,12 +339,14 @@ def refresh_grant(
             request, client_id, client_secret, refresh_token, token_uri, scopes=scopes
         )
         body["rapt"] = rapt_token
-        (response_status_ok, response_data) = _client._token_endpoint_request_no_throw(
-            request, token_uri, body
-        )
+        (
+            response_status_ok,
+            response_data,
+            retryable_error,
+        ) = _client._token_endpoint_request_no_throw(request, token_uri, body)
 
     if not response_status_ok:
-        _client._handle_error_response(response_data)
+        _client._handle_error_response(response_data, retryable_error)
     return _client._handle_refresh_grant_response(response_data, refresh_token) + (
         rapt_token,
     )
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
index ff01720c4..ebce176e8 100644
--- a/tests/compute_engine/test_credentials.py
+++ b/tests/compute_engine/test_credentials.py
@@ -609,7 +609,7 @@ def test_refresh_error(self, sign, get, utcnow):
         request = mock.create_autospec(transport.Request, instance=True)
         response = mock.Mock()
         response.data = b'{"error": "http error"}'
-        response.status = 500
+        response.status = 404  # Throw a 404 so the request is not retried.
         request.side_effect = [response]
 
         self.credentials = credentials.IDTokenCredentials(
diff --git a/tests/oauth2/test__client.py b/tests/oauth2/test__client.py
index bd4cc5001..13c42dc52 100644
--- a/tests/oauth2/test__client.py
+++ b/tests/oauth2/test__client.py
@@ -47,12 +47,14 @@
 )
 
 
-def test__handle_error_response():
+@pytest.mark.parametrize("retryable", [True, False])
+def test__handle_error_response(retryable):
     response_data = {"error": "help", "error_description": "I'm alive"}
 
     with pytest.raises(exceptions.RefreshError) as excinfo:
-        _client._handle_error_response(response_data)
+        _client._handle_error_response(response_data, retryable)
 
+    assert excinfo.value.retryable == retryable
     assert excinfo.match(r"help: I\'m alive")
 
 
@@ -60,8 +62,9 @@ def test__handle_error_response_no_error():
     response_data = {"foo": "bar"}
 
     with pytest.raises(exceptions.RefreshError) as excinfo:
-        _client._handle_error_response(response_data)
+        _client._handle_error_response(response_data, False)
 
+    assert not excinfo.value.retryable
     assert excinfo.match(r"{\"foo\": \"bar\"}")
 
 
@@ -69,11 +72,33 @@ def test__handle_error_response_not_json():
     response_data = "this is an error message"
 
     with pytest.raises(exceptions.RefreshError) as excinfo:
-        _client._handle_error_response(response_data)
+        _client._handle_error_response(response_data, False)
 
+    assert not excinfo.value.retryable
     assert excinfo.match(response_data)
 
 
+def test__can_retry_retryable():
+    retryable_codes = transport.DEFAULT_RETRYABLE_STATUS_CODES
+    for status_code in range(100, 600):
+        if status_code in retryable_codes:
+            assert _client._can_retry(status_code, {"error": "invalid_scope"})
+        else:
+            assert not _client._can_retry(status_code, {"error": "invalid_scope"})
+
+
+@pytest.mark.parametrize(
+    "response_data", [{"error": "internal_failure"}, {"error": "server_error"}]
+)
+def test__can_retry_message(response_data):
+    assert _client._can_retry(http_client.OK, response_data)
+
+
+@pytest.mark.parametrize("response_data", [{"error": "invalid_scope"}])
+def test__can_retry_no_retry_message(response_data):
+    assert not _client._can_retry(http_client.OK, response_data)
+
+
 @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 def test__parse_expiry(unused_utcnow):
     result = _client._parse_expiry({"expires_in": 500})
@@ -154,8 +179,8 @@ def test__token_endpoint_request_internal_failure_error():
         _client._token_endpoint_request(
             request, "http://example.com", {"error_description": "internal_failure"}
         )
-    # request should be called twice due to the retry
-    assert request.call_count == 2
+    # request should be called once and then with 3 retries
+    assert request.call_count == 4
 
     request = make_request(
         {"error": "internal_failure"}, status=http_client.BAD_REQUEST
@@ -165,7 +190,55 @@ def test__token_endpoint_request_internal_failure_error():
         _client._token_endpoint_request(
             request, "http://example.com", {"error": "internal_failure"}
         )
-    # request should be called twice due to the retry
+    # request should be called once and then with 3 retries
+    assert request.call_count == 4
+
+
+def test__token_endpoint_request_internal_failure_and_retry_failure_error():
+    retryable_error = mock.create_autospec(transport.Response, instance=True)
+    retryable_error.status = http_client.BAD_REQUEST
+    retryable_error.data = json.dumps({"error_description": "internal_failure"}).encode(
+        "utf-8"
+    )
+
+    unretryable_error = mock.create_autospec(transport.Response, instance=True)
+    unretryable_error.status = http_client.BAD_REQUEST
+    unretryable_error.data = json.dumps({"error_description": "invalid_scope"}).encode(
+        "utf-8"
+    )
+
+    request = mock.create_autospec(transport.Request)
+
+    request.side_effect = [retryable_error, retryable_error, unretryable_error]
+
+    with pytest.raises(exceptions.RefreshError):
+        _client._token_endpoint_request(
+            request, "http://example.com", {"error_description": "invalid_scope"}
+        )
+    # request should be called three times. Two retryable errors and one
+    # unretryable error to break the retry loop.
+    assert request.call_count == 3
+
+
+def test__token_endpoint_request_internal_failure_and_retry_succeeds():
+    retryable_error = mock.create_autospec(transport.Response, instance=True)
+    retryable_error.status = http_client.BAD_REQUEST
+    retryable_error.data = json.dumps({"error_description": "internal_failure"}).encode(
+        "utf-8"
+    )
+
+    response = mock.create_autospec(transport.Response, instance=True)
+    response.status = http_client.OK
+    response.data = json.dumps({"hello": "world"}).encode("utf-8")
+
+    request = mock.create_autospec(transport.Request)
+
+    request.side_effect = [retryable_error, response]
+
+    _ = _client._token_endpoint_request(
+        request, "http://example.com", {"test": "params"}
+    )
+
     assert request.call_count == 2
 
 
@@ -219,8 +292,9 @@ def test_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         _client.jwt_grant(request, "http://example.com", "assertion_value")
+    assert not excinfo.value.retryable
 
 
 def test_id_token_jwt_grant():
@@ -255,8 +329,9 @@ def test_id_token_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         _client.id_token_jwt_grant(request, "http://example.com", "assertion_value")
+    assert not excinfo.value.retryable
 
 
 @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
@@ -348,7 +423,104 @@ def test_refresh_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         _client.refresh_grant(
             request, "http://example.com", "refresh_token", "client_id", "client_secret"
         )
+    assert not excinfo.value.retryable
+
+
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+def test_jwt_grant_retry_default(mock_token_endpoint_request, mock_expiry):
+    _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=True
+    )
+
+
+@pytest.mark.parametrize("can_retry", [True, False])
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+def test_jwt_grant_retry_with_retry(
+    mock_token_endpoint_request, mock_expiry, can_retry
+):
+    _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock(), can_retry=can_retry)
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
+    )
+
+
+@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+def test_id_token_jwt_grant_retry_default(mock_token_endpoint_request, mock_jwt_decode):
+    _client.id_token_jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=True
+    )
+
+
+@pytest.mark.parametrize("can_retry", [True, False])
+@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+def test_id_token_jwt_grant_retry_with_retry(
+    mock_token_endpoint_request, mock_jwt_decode, can_retry
+):
+    _client.id_token_jwt_grant(
+        mock.Mock(), mock.Mock(), mock.Mock(), can_retry=can_retry
+    )
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
+    )
+
+
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+def test_refresh_grant_retry_default(mock_token_endpoint_request, mock_parse_expiry):
+    _client.refresh_grant(
+        mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock()
+    )
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=True
+    )
+
+
+@pytest.mark.parametrize("can_retry", [True, False])
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+def test_refresh_grant_retry_with_retry(
+    mock_token_endpoint_request, mock_parse_expiry, can_retry
+):
+    _client.refresh_grant(
+        mock.Mock(),
+        mock.Mock(),
+        mock.Mock(),
+        mock.Mock(),
+        mock.Mock(),
+        can_retry=can_retry,
+    )
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
+    )
+
+
+@pytest.mark.parametrize("can_retry", [True, False])
+def test__token_endpoint_request_no_throw_with_retry(can_retry):
+    response_data = {"error": "help", "error_description": "I'm alive"}
+    body = "dummy body"
+
+    mock_response = mock.create_autospec(transport.Response, instance=True)
+    mock_response.status = http_client.INTERNAL_SERVER_ERROR
+    mock_response.data = json.dumps(response_data).encode("utf-8")
+
+    mock_request = mock.create_autospec(transport.Request)
+    mock_request.return_value = mock_response
+
+    _client._token_endpoint_request_no_throw(
+        mock_request, mock.Mock(), body, mock.Mock(), mock.Mock(), can_retry=can_retry
+    )
+
+    if can_retry:
+        assert mock_request.call_count == 4
+    else:
+        assert mock_request.call_count == 1
diff --git a/tests/oauth2/test_reauth.py b/tests/oauth2/test_reauth.py
index ae64be009..df0636b18 100644
--- a/tests/oauth2/test_reauth.py
+++ b/tests/oauth2/test_reauth.py
@@ -260,7 +260,7 @@ def test_refresh_grant_failed():
     with mock.patch(
         "google.oauth2._client._token_endpoint_request_no_throw"
     ) as mock_token_request:
-        mock_token_request.return_value = (False, {"error": "Bad request"})
+        mock_token_request.return_value = (False, {"error": "Bad request"}, False)
         with pytest.raises(exceptions.RefreshError) as excinfo:
             reauth.refresh_grant(
                 MOCK_REQUEST,
@@ -273,6 +273,7 @@ def test_refresh_grant_failed():
                 enable_reauth_refresh=True,
             )
         assert excinfo.match(r"Bad request")
+        assert not excinfo.value.retryable
         mock_token_request.assert_called_with(
             MOCK_REQUEST,
             "token_uri",
@@ -292,8 +293,8 @@ def test_refresh_grant_success():
         "google.oauth2._client._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
-            (True, {"access_token": "access_token"}),
+            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True),
+            (True, {"access_token": "access_token"}, None),
         ]
         with mock.patch(
             "google.oauth2.reauth.get_rapt_token", return_value="new_rapt_token"
@@ -319,8 +320,8 @@ def test_refresh_grant_reauth_refresh_disabled():
         "google.oauth2._client._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
-            (True, {"access_token": "access_token"}),
+            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True),
+            (True, {"access_token": "access_token"}, None),
         ]
         with pytest.raises(exceptions.RefreshError) as excinfo:
             reauth.refresh_grant(
diff --git a/tests/test__exponential_backoff.py b/tests/test__exponential_backoff.py
new file mode 100644
index 000000000..06a54527e
--- /dev/null
+++ b/tests/test__exponential_backoff.py
@@ -0,0 +1,41 @@
+# Copyright 2022 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import mock
+
+from google.auth import _exponential_backoff
+
+
+@mock.patch("time.sleep", return_value=None)
+def test_exponential_backoff(mock_time):
+    eb = _exponential_backoff.ExponentialBackoff()
+    curr_wait = eb._current_wait_in_seconds
+    iteration_count = 0
+
+    for attempt in eb:
+        backoff_interval = mock_time.call_args[0][0]
+        jitter = curr_wait * eb._randomization_factor
+
+        assert (curr_wait - jitter) <= backoff_interval <= (curr_wait + jitter)
+        assert attempt == iteration_count + 1
+        assert eb.backoff_count == iteration_count + 1
+        assert eb._current_wait_in_seconds == eb._multiplier ** (iteration_count + 1)
+
+        curr_wait = eb._current_wait_in_seconds
+        iteration_count += 1
+
+    assert eb.total_attempts == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
+    assert eb.backoff_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
+    assert iteration_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
+    assert mock_time.call_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
diff --git a/tests/test_exceptions.py b/tests/test_exceptions.py
new file mode 100644
index 000000000..6f542498f
--- /dev/null
+++ b/tests/test_exceptions.py
@@ -0,0 +1,55 @@
+# Copyright 2022 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pytest  # type: ignore
+
+from google.auth import exceptions  # type:ignore
+
+
+@pytest.fixture(
+    params=[
+        exceptions.GoogleAuthError,
+        exceptions.TransportError,
+        exceptions.RefreshError,
+        exceptions.UserAccessTokenError,
+        exceptions.DefaultCredentialsError,
+        exceptions.MutualTLSChannelError,
+        exceptions.OAuthError,
+        exceptions.ReauthFailError,
+        exceptions.ReauthSamlChallengeFailError,
+    ]
+)
+def retryable_exception(request):
+    return request.param
+
+
+@pytest.fixture(params=[exceptions.ClientCertError])
+def non_retryable_exception(request):
+    return request.param
+
+
+def test_default_retryable_exceptions(retryable_exception):
+    assert not retryable_exception().retryable
+
+
+@pytest.mark.parametrize("retryable", [True, False])
+def test_retryable_exceptions(retryable_exception, retryable):
+    retryable_exception = retryable_exception(retryable=retryable)
+    assert retryable_exception.retryable == retryable
+
+
+@pytest.mark.parametrize("retryable", [True, False])
+def test_non_retryable_exceptions(non_retryable_exception, retryable):
+    non_retryable_exception = non_retryable_exception(retryable=retryable)
+    assert not non_retryable_exception.retryable
diff --git a/tests_async/oauth2/test__client_async.py b/tests_async/oauth2/test__client_async.py
index 91874cdd4..402083672 100644
--- a/tests_async/oauth2/test__client_async.py
+++ b/tests_async/oauth2/test__client_async.py
@@ -29,10 +29,10 @@
 from tests.oauth2 import test__client as test_client
 
 
-def make_request(response_data, status=http_client.OK):
+def make_request(response_data, status=http_client.OK, text=False):
     response = mock.AsyncMock(spec=["transport.Response"])
     response.status = status
-    data = json.dumps(response_data).encode("utf-8")
+    data = response_data if text else json.dumps(response_data).encode("utf-8")
     response.data = mock.AsyncMock(spec=["__call__", "read"])
     response.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
     response.content = mock.AsyncMock(spec=["__call__"], return_value=data)
@@ -62,6 +62,27 @@ async def test__token_endpoint_request():
     assert result == {"test": "response"}
 
 
+@pytest.mark.asyncio
+async def test__token_endpoint_request_text():
+
+    request = make_request("response", text=True)
+
+    result = await _client._token_endpoint_request(
+        request, "http://example.com", {"test": "params"}
+    )
+
+    # Check request call
+    request.assert_called_with(
+        method="POST",
+        url="http://example.com",
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+        body="test=params".encode("utf-8"),
+    )
+
+    # Check result
+    assert result == "response"
+
+
 @pytest.mark.asyncio
 async def test__token_endpoint_request_json():
 
@@ -95,8 +116,9 @@ async def test__token_endpoint_request_json():
 async def test__token_endpoint_request_error():
     request = make_request({}, status=http_client.BAD_REQUEST)
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         await _client._token_endpoint_request(request, "http://example.com", {})
+    assert not excinfo.value.retryable
 
 
 @pytest.mark.asyncio
@@ -105,10 +127,11 @@ async def test__token_endpoint_request_internal_failure_error():
         {"error_description": "internal_failure"}, status=http_client.BAD_REQUEST
     )
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         await _client._token_endpoint_request(
             request, "http://example.com", {"error_description": "internal_failure"}
         )
+    assert excinfo.value.retryable
 
     request = make_request(
         {"error": "internal_failure"}, status=http_client.BAD_REQUEST
@@ -118,6 +141,61 @@ async def test__token_endpoint_request_internal_failure_error():
         await _client._token_endpoint_request(
             request, "http://example.com", {"error": "internal_failure"}
         )
+    assert excinfo.value.retryable
+
+
+@pytest.mark.asyncio
+async def test__token_endpoint_request_internal_failure_and_retry_failure_error():
+    retryable_error = mock.AsyncMock(spec=["transport.Response"])
+    retryable_error.status = http_client.BAD_REQUEST
+    data = json.dumps({"error_description": "internal_failure"}).encode("utf-8")
+    retryable_error.data = mock.AsyncMock(spec=["__call__", "read"])
+    retryable_error.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
+    retryable_error.content = mock.AsyncMock(spec=["__call__"], return_value=data)
+
+    unretryable_error = mock.AsyncMock(spec=["transport.Response"])
+    unretryable_error.status = http_client.BAD_REQUEST
+    data = json.dumps({"error_description": "invalid_scope"}).encode("utf-8")
+    unretryable_error.data = mock.AsyncMock(spec=["__call__", "read"])
+    unretryable_error.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
+    unretryable_error.content = mock.AsyncMock(spec=["__call__"], return_value=data)
+
+    request = mock.AsyncMock(spec=["transport.Request"])
+    request.side_effect = [retryable_error, retryable_error, unretryable_error]
+
+    with pytest.raises(exceptions.RefreshError):
+        await _client._token_endpoint_request(
+            request, "http://example.com", {"error_description": "invalid_scope"}
+        )
+    # request should be called three times. Two retryable errors and one
+    # unretryable error to break the retry loop.
+    assert request.call_count == 3
+
+
+@pytest.mark.asyncio
+async def test__token_endpoint_request_internal_failure_and_retry_succeeds():
+    retryable_error = mock.AsyncMock(spec=["transport.Response"])
+    retryable_error.status = http_client.BAD_REQUEST
+    data = json.dumps({"error_description": "internal_failure"}).encode("utf-8")
+    retryable_error.data = mock.AsyncMock(spec=["__call__", "read"])
+    retryable_error.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
+    retryable_error.content = mock.AsyncMock(spec=["__call__"], return_value=data)
+
+    response = mock.AsyncMock(spec=["transport.Response"])
+    response.status = http_client.OK
+    data = json.dumps({"hello": "world"}).encode("utf-8")
+    response.data = mock.AsyncMock(spec=["__call__", "read"])
+    response.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
+    response.content = mock.AsyncMock(spec=["__call__"], return_value=data)
+
+    request = mock.AsyncMock(spec=["transport.Request"])
+    request.side_effect = [retryable_error, response]
+
+    _ = await _client._token_endpoint_request(
+        request, "http://example.com", {"test": "params"}
+    )
+
+    assert request.call_count == 2
 
 
 def verify_request_params(request, params):
@@ -128,8 +206,8 @@ def verify_request_params(request, params):
         assert request_params[key][0] == value
 
 
-@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 @pytest.mark.asyncio
+@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 async def test_jwt_grant(utcnow):
     request = make_request(
         {"access_token": "token", "expires_in": 500, "extra": "data"}
@@ -161,8 +239,9 @@ async def test_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         await _client.jwt_grant(request, "http://example.com", "assertion_value")
+    assert not excinfo.value.retryable
 
 
 @pytest.mark.asyncio
@@ -200,14 +279,15 @@ async def test_id_token_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         await _client.id_token_jwt_grant(
             request, "http://example.com", "assertion_value"
         )
+    assert not excinfo.value.retryable
 
 
-@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 @pytest.mark.asyncio
+@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 async def test_refresh_grant(unused_utcnow):
     request = make_request(
         {
@@ -246,8 +326,8 @@ async def test_refresh_grant(unused_utcnow):
     assert extra_data["extra"] == "data"
 
 
-@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 @pytest.mark.asyncio
+@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 async def test_refresh_grant_with_scopes(unused_utcnow):
     request = make_request(
         {
@@ -298,7 +378,121 @@ async def test_refresh_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError):
+    with pytest.raises(exceptions.RefreshError) as excinfo:
         await _client.refresh_grant(
             request, "http://example.com", "refresh_token", "client_id", "client_secret"
         )
+    assert not excinfo.value.retryable
+
+
+@pytest.mark.asyncio
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+async def test_jwt_grant_retry_default(mock_token_endpoint_request, mock_expiry):
+    _ = await _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=True
+    )
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("can_retry", [True, False])
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+async def test_jwt_grant_retry_with_retry(
+    mock_token_endpoint_request, mock_expiry, can_retry
+):
+    _ = await _client.jwt_grant(
+        mock.AsyncMock(), mock.Mock(), mock.Mock(), can_retry=can_retry
+    )
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
+    )
+
+
+@pytest.mark.asyncio
+@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+async def test_id_token_jwt_grant_retry_default(
+    mock_token_endpoint_request, mock_jwt_decode
+):
+    _ = await _client.id_token_jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=True
+    )
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("can_retry", [True, False])
+@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+async def test_id_token_jwt_grant_retry_with_retry(
+    mock_token_endpoint_request, mock_jwt_decode, can_retry
+):
+    _ = await _client.id_token_jwt_grant(
+        mock.AsyncMock(), mock.AsyncMock(), mock.AsyncMock(), can_retry=can_retry
+    )
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
+    )
+
+
+@pytest.mark.asyncio
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+async def test_refresh_grant_retry_default(
+    mock_token_endpoint_request, mock_parse_expiry
+):
+    _ = await _client.refresh_grant(
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+    )
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=True
+    )
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("can_retry", [True, False])
+@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
+@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
+async def test_refresh_grant_retry_with_retry(
+    mock_token_endpoint_request, mock_parse_expiry, can_retry
+):
+    _ = await _client.refresh_grant(
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        can_retry=can_retry,
+    )
+    mock_token_endpoint_request.assert_called_with(
+        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
+    )
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("can_retry", [True, False])
+async def test__token_endpoint_request_no_throw_with_retry(can_retry):
+    mock_request = make_request(
+        {"error": "help", "error_description": "I'm alive"},
+        http_client.INTERNAL_SERVER_ERROR,
+    )
+
+    _ = await _client._token_endpoint_request_no_throw(
+        mock_request,
+        mock.AsyncMock(),
+        "body",
+        mock.AsyncMock(),
+        mock.AsyncMock(),
+        can_retry=can_retry,
+    )
+
+    if can_retry:
+        assert mock_request.call_count == 4
+    else:
+        assert mock_request.call_count == 1
diff --git a/tests_async/oauth2/test_reauth_async.py b/tests_async/oauth2/test_reauth_async.py
index 8f51bd3a7..40ca92717 100644
--- a/tests_async/oauth2/test_reauth_async.py
+++ b/tests_async/oauth2/test_reauth_async.py
@@ -279,7 +279,7 @@ async def test_refresh_grant_failed():
     with mock.patch(
         "google.oauth2._client_async._token_endpoint_request_no_throw"
     ) as mock_token_request:
-        mock_token_request.return_value = (False, {"error": "Bad request"})
+        mock_token_request.return_value = (False, {"error": "Bad request"}, True)
         with pytest.raises(exceptions.RefreshError) as excinfo:
             await _reauth_async.refresh_grant(
                 MOCK_REQUEST,
@@ -291,6 +291,7 @@ async def test_refresh_grant_failed():
                 rapt_token="rapt_token",
             )
         assert excinfo.match(r"Bad request")
+        assert excinfo.value.retryable
         mock_token_request.assert_called_with(
             MOCK_REQUEST,
             "token_uri",
@@ -311,8 +312,8 @@ async def test_refresh_grant_success():
         "google.oauth2._client_async._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
-            (True, {"access_token": "access_token"}),
+            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True),
+            (True, {"access_token": "access_token"}, None),
         ]
         with mock.patch(
             "google.oauth2._reauth_async.get_rapt_token", return_value="new_rapt_token"
@@ -339,11 +340,16 @@ async def test_refresh_grant_reauth_refresh_disabled():
         "google.oauth2._client_async._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
-            (True, {"access_token": "access_token"}),
+            (
+                False,
+                {"error": "invalid_grant", "error_subtype": "rapt_required"},
+                False,
+            ),
+            (True, {"access_token": "access_token"}, None),
         ]
         with pytest.raises(exceptions.RefreshError) as excinfo:
             assert await _reauth_async.refresh_grant(
                 MOCK_REQUEST, "token_uri", "refresh_token", "client_id", "client_secret"
             )
         assert excinfo.match(r"Reauthentication is needed")
+        assert not excinfo.value.retryable

From b4a1ae6f817ef8c3316e0e96428b2f2ef61f5734 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Thu, 22 Sep 2022 23:41:27 +0000
Subject: [PATCH 33/36] Revert "feat: Retry behavior (#1113)"

This reverts commit 06fff40ad9050651024e7b61cbfc5da22fa27f9b.
---
 google/auth/_exponential_backoff.py      | 111 ------------
 google/auth/exceptions.py                |  17 +-
 google/auth/transport/__init__.py        |  14 +-
 google/oauth2/_client.py                 | 171 +++++-------------
 google/oauth2/_client_async.py           |  95 ++++------
 google/oauth2/_reauth_async.py           |   5 +-
 google/oauth2/reauth.py                  |  12 +-
 tests/compute_engine/test_credentials.py |   2 +-
 tests/oauth2/test__client.py             | 192 ++------------------
 tests/oauth2/test_reauth.py              |  11 +-
 tests/test__exponential_backoff.py       |  41 -----
 tests/test_exceptions.py                 |  55 ------
 tests_async/oauth2/test__client_async.py | 214 ++---------------------
 tests_async/oauth2/test_reauth_async.py  |  16 +-
 14 files changed, 115 insertions(+), 841 deletions(-)
 delete mode 100644 google/auth/_exponential_backoff.py
 delete mode 100644 tests/test__exponential_backoff.py
 delete mode 100644 tests/test_exceptions.py

diff --git a/google/auth/_exponential_backoff.py b/google/auth/_exponential_backoff.py
deleted file mode 100644
index b5801bec9..000000000
--- a/google/auth/_exponential_backoff.py
+++ /dev/null
@@ -1,111 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import random
-import time
-
-import six
-
-# The default amount of retry attempts
-_DEFAULT_RETRY_TOTAL_ATTEMPTS = 3
-
-# The default initial backoff period (1.0 second).
-_DEFAULT_INITIAL_INTERVAL_SECONDS = 1.0
-
-# The default randomization factor (0.1 which results in a random period ranging
-# between 10% below and 10% above the retry interval).
-_DEFAULT_RANDOMIZATION_FACTOR = 0.1
-
-# The default multiplier value (2 which is 100% increase per back off).
-_DEFAULT_MULTIPLIER = 2.0
-
-"""Exponential Backoff Utility
-
-This is a private module that implements the exponential back off algorithm.
-It can be used as a utility for code that needs to retry on failure, for example
-an HTTP request.
-"""
-
-
-class ExponentialBackoff(six.Iterator):
-    """An exponential backoff iterator. This can be used in a for loop to
-    perform requests with exponential backoff.
-
-    Args:
-        total_attempts Optional[int]:
-            The maximum amount of retries that should happen.
-            The default value is 3 attempts.
-        initial_wait_seconds Optional[int]:
-            The amount of time to sleep in the first backoff. This parameter
-            should be in seconds.
-            The default value is 1 second.
-        randomization_factor Optional[float]:
-            The amount of jitter that should be in each backoff. For example,
-            a value of 0.1 will introduce a jitter range of 10% to the
-            current backoff period.
-            The default value is 0.1.
-        multiplier Optional[float]:
-            The backoff multipler. This adjusts how much each backoff will
-            increase. For example a value of 2.0 leads to a 200% backoff
-            on each attempt. If the initial_wait is 1.0 it would look like
-            this sequence [1.0, 2.0, 4.0, 8.0].
-            The default value is 2.0.
-    """
-
-    def __init__(
-        self,
-        total_attempts=_DEFAULT_RETRY_TOTAL_ATTEMPTS,
-        initial_wait_seconds=_DEFAULT_INITIAL_INTERVAL_SECONDS,
-        randomization_factor=_DEFAULT_RANDOMIZATION_FACTOR,
-        multiplier=_DEFAULT_MULTIPLIER,
-    ):
-        self._total_attempts = total_attempts
-        self._initial_wait_seconds = initial_wait_seconds
-
-        self._current_wait_in_seconds = self._initial_wait_seconds
-
-        self._randomization_factor = randomization_factor
-        self._multiplier = multiplier
-        self._backoff_count = 0
-
-    def __iter__(self):
-        self._backoff_count = 0
-        self._current_wait_in_seconds = self._initial_wait_seconds
-        return self
-
-    def __next__(self):
-        if self._backoff_count >= self._total_attempts:
-            raise StopIteration
-        self._backoff_count += 1
-
-        jitter_variance = self._current_wait_in_seconds * self._randomization_factor
-        jitter = random.uniform(
-            self._current_wait_in_seconds - jitter_variance,
-            self._current_wait_in_seconds + jitter_variance,
-        )
-
-        time.sleep(jitter)
-
-        self._current_wait_in_seconds *= self._multiplier
-        return self._backoff_count
-
-    @property
-    def total_attempts(self):
-        """The total amount of backoff attempts that will be made."""
-        return self._total_attempts
-
-    @property
-    def backoff_count(self):
-        """The current amount of backoff attempts that have been made."""
-        return self._backoff_count
diff --git a/google/auth/exceptions.py b/google/auth/exceptions.py
index 7760c87b8..e9e737780 100644
--- a/google/auth/exceptions.py
+++ b/google/auth/exceptions.py
@@ -18,15 +18,6 @@
 class GoogleAuthError(Exception):
     """Base class for all google.auth errors."""
 
-    def __init__(self, *args, **kwargs):
-        super(GoogleAuthError, self).__init__(*args)
-        retryable = kwargs.get("retryable", False)
-        self._retryable = retryable
-
-    @property
-    def retryable(self):
-        return self._retryable
-
 
 class TransportError(GoogleAuthError):
     """Used to indicate an error occurred during an HTTP request."""
@@ -53,10 +44,6 @@ class MutualTLSChannelError(GoogleAuthError):
 class ClientCertError(GoogleAuthError):
     """Used to indicate that client certificate is missing or invalid."""
 
-    @property
-    def retryable(self):
-        return False
-
 
 class OAuthError(GoogleAuthError):
     """Used to indicate an error occurred during an OAuth related HTTP
@@ -66,9 +53,9 @@ class OAuthError(GoogleAuthError):
 class ReauthFailError(RefreshError):
     """An exception for when reauth failed."""
 
-    def __init__(self, message=None, **kwargs):
+    def __init__(self, message=None):
         super(ReauthFailError, self).__init__(
-            "Reauthentication failed. {0}".format(message), **kwargs
+            "Reauthentication failed. {0}".format(message)
         )
 
 
diff --git a/google/auth/transport/__init__.py b/google/auth/transport/__init__.py
index 8334145a1..374e7b4d7 100644
--- a/google/auth/transport/__init__.py
+++ b/google/auth/transport/__init__.py
@@ -29,21 +29,9 @@
 import six
 from six.moves import http_client
 
-TOO_MANY_REQUESTS = 429  # Python 2.7 six is missing this status code.
-
-DEFAULT_RETRYABLE_STATUS_CODES = (
-    http_client.INTERNAL_SERVER_ERROR,
-    http_client.SERVICE_UNAVAILABLE,
-    http_client.REQUEST_TIMEOUT,
-    TOO_MANY_REQUESTS,
-)
-"""Sequence[int]:  HTTP status codes indicating a request can be retried.
-"""
-
-
 DEFAULT_REFRESH_STATUS_CODES = (http_client.UNAUTHORIZED,)
 """Sequence[int]:  Which HTTP status code indicate that credentials should be
-refreshed.
+refreshed and a request should be retried.
 """
 
 DEFAULT_MAX_REFRESH_ATTEMPTS = 2
diff --git a/google/oauth2/_client.py b/google/oauth2/_client.py
index 7f866d446..847c5db8a 100644
--- a/google/oauth2/_client.py
+++ b/google/oauth2/_client.py
@@ -30,11 +30,9 @@
 from six.moves import http_client
 from six.moves import urllib
 
-from google.auth import _exponential_backoff
 from google.auth import _helpers
 from google.auth import exceptions
 from google.auth import jwt
-from google.auth import transport
 
 _URLENCODED_CONTENT_TYPE = "application/x-www-form-urlencoded"
 _JSON_CONTENT_TYPE = "application/json"
@@ -42,22 +40,17 @@
 _REFRESH_GRANT_TYPE = "refresh_token"
 
 
-def _handle_error_response(response_data, retryable_error):
+def _handle_error_response(response_data):
     """Translates an error response into an exception.
 
     Args:
         response_data (Mapping | str): The decoded response data.
-        retryable_error Optional[bool]: A boolean indicating if an error is retryable.
-            Defaults to False.
 
     Raises:
         google.auth.exceptions.RefreshError: The errors contained in response_data.
     """
-
-    retryable_error = retryable_error if retryable_error else False
-
     if isinstance(response_data, six.string_types):
-        raise exceptions.RefreshError(response_data, retryable=retryable_error)
+        raise exceptions.RefreshError(response_data)
     try:
         error_details = "{}: {}".format(
             response_data["error"], response_data.get("error_description")
@@ -66,45 +59,7 @@ def _handle_error_response(response_data, retryable_error):
     except (KeyError, ValueError):
         error_details = json.dumps(response_data)
 
-    raise exceptions.RefreshError(
-        error_details, response_data, retryable=retryable_error
-    )
-
-
-def _can_retry(status_code, response_data):
-    """Checks if a request can be retried by inspecting the status code
-    and response body of the request.
-
-    Args:
-        status_code (int): The response status code.
-        response_data (Mapping | str): The decoded response data.
-
-    Returns:
-      bool: True if the response is retryable. False otherwise.
-    """
-    if status_code in transport.DEFAULT_RETRYABLE_STATUS_CODES:
-        return True
-
-    try:
-        # For a failed response, response_body could be a string
-        error_desc = response_data.get("error_description") or ""
-        error_code = response_data.get("error") or ""
-
-        # Per Oauth 2.0 RFC https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1
-        # This is needed because a redirect will not return a 500 status code.
-        retryable_error_descriptions = {
-            "internal_failure",
-            "server_error",
-            "temporarily_unavailable",
-        }
-
-        if any(e in retryable_error_descriptions for e in (error_code, error_desc)):
-            return True
-
-    except AttributeError:
-        pass
-
-    return False
+    raise exceptions.RefreshError(error_details, response_data)
 
 
 def _parse_expiry(response_data):
@@ -126,13 +81,7 @@ def _parse_expiry(response_data):
 
 
 def _token_endpoint_request_no_throw(
-    request,
-    token_uri,
-    body,
-    access_token=None,
-    use_json=False,
-    can_retry=True,
-    **kwargs
+    request, token_uri, body, access_token=None, use_json=False, **kwargs
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
     This function doesn't throw on response errors.
@@ -146,7 +95,6 @@ def _token_endpoint_request_no_throw(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
-        can_retry (bool): Enable or disable request retry behavior.
         kwargs: Additional arguments passed on to the request method. The
             kwargs will be passed to `requests.request` method, see:
             https://docs.python-requests.org/en/latest/api/#requests.request.
@@ -156,10 +104,8 @@ def _token_endpoint_request_no_throw(
             side SSL certificate verification.
 
     Returns:
-        Tuple(bool, Mapping[str, str], Optional[bool]): A boolean indicating
-          if the request is successful, a mapping for the JSON-decoded response
-          data and in the case of an error a boolean indicating if the error
-          is retryable.
+        Tuple(bool, Mapping[str, str]): A boolean indicating if the request is
+            successful, and a mapping for the JSON-decoded response data.
     """
     if use_json:
         headers = {"Content-Type": _JSON_CONTENT_TYPE}
@@ -171,7 +117,10 @@ def _token_endpoint_request_no_throw(
     if access_token:
         headers["Authorization"] = "Bearer {}".format(access_token)
 
-    def _perform_request():
+    retry = 0
+    # retry to fetch token for maximum of two times if any internal failure
+    # occurs.
+    while True:
         response = request(
             method="POST", url=token_uri, headers=headers, body=body, **kwargs
         )
@@ -180,44 +129,32 @@ def _perform_request():
             if hasattr(response.data, "decode")
             else response.data
         )
-        response_data = ""
-        try:
-            # response_body should be a JSON
-            response_data = json.loads(response_body)
-        except ValueError:
-            response_data = response_body
 
         if response.status == http_client.OK:
-            return True, response_data, None
-
-        retryable_error = _can_retry(
-            status_code=response.status, response_data=response_data
-        )
-
-        return False, response_data, retryable_error
-
-    request_succeeded, response_data, retryable_error = _perform_request()
-
-    if request_succeeded or not retryable_error or not can_retry:
-        return request_succeeded, response_data, retryable_error
-
-    retries = _exponential_backoff.ExponentialBackoff()
-    for _ in retries:
-        request_succeeded, response_data, retryable_error = _perform_request()
-        if request_succeeded or not retryable_error:
-            return request_succeeded, response_data, retryable_error
-
-    return False, response_data, retryable_error
+            # response_body should be a JSON
+            response_data = json.loads(response_body)
+            break
+        else:
+            # For a failed response, response_body could be a string
+            try:
+                response_data = json.loads(response_body)
+                error_desc = response_data.get("error_description") or ""
+                error_code = response_data.get("error") or ""
+                if (
+                    any(e == "internal_failure" for e in (error_code, error_desc))
+                    and retry < 1
+                ):
+                    retry += 1
+                    continue
+            except ValueError:
+                response_data = response_body
+            return False, response_data
+
+    return True, response_data
 
 
 def _token_endpoint_request(
-    request,
-    token_uri,
-    body,
-    access_token=None,
-    use_json=False,
-    can_retry=True,
-    **kwargs
+    request, token_uri, body, access_token=None, use_json=False, **kwargs
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
 
@@ -230,7 +167,6 @@ def _token_endpoint_request(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
-        can_retry (bool): Enable or disable request retry behavior.
         kwargs: Additional arguments passed on to the request method. The
             kwargs will be passed to `requests.request` method, see:
             https://docs.python-requests.org/en/latest/api/#requests.request.
@@ -246,22 +182,15 @@ def _token_endpoint_request(
         google.auth.exceptions.RefreshError: If the token endpoint returned
             an error.
     """
-
-    response_status_ok, response_data, retryable_error = _token_endpoint_request_no_throw(
-        request,
-        token_uri,
-        body,
-        access_token=access_token,
-        use_json=use_json,
-        can_retry=can_retry,
-        **kwargs
+    response_status_ok, response_data = _token_endpoint_request_no_throw(
+        request, token_uri, body, access_token=access_token, use_json=use_json, **kwargs
     )
     if not response_status_ok:
-        _handle_error_response(response_data, retryable_error)
+        _handle_error_response(response_data)
     return response_data
 
 
-def jwt_grant(request, token_uri, assertion, can_retry=True):
+def jwt_grant(request, token_uri, assertion):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants.
 
     For more details, see `rfc7523 section 4`_.
@@ -272,7 +201,6 @@ def jwt_grant(request, token_uri, assertion, can_retry=True):
         token_uri (str): The OAuth 2.0 authorizations server's token endpoint
             URI.
         assertion (str): The OAuth 2.0 assertion.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]: The access token,
@@ -286,16 +214,12 @@ def jwt_grant(request, token_uri, assertion, can_retry=True):
     """
     body = {"assertion": assertion, "grant_type": _JWT_GRANT_TYPE}
 
-    response_data = _token_endpoint_request(
-        request, token_uri, body, can_retry=can_retry
-    )
+    response_data = _token_endpoint_request(request, token_uri, body)
 
     try:
         access_token = response_data["access_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError(
-            "No access token in response.", response_data, retryable=False
-        )
+        new_exc = exceptions.RefreshError("No access token in response.", response_data)
         six.raise_from(new_exc, caught_exc)
 
     expiry = _parse_expiry(response_data)
@@ -303,7 +227,7 @@ def jwt_grant(request, token_uri, assertion, can_retry=True):
     return access_token, expiry, response_data
 
 
-def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
+def id_token_jwt_grant(request, token_uri, assertion):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants, but
     requests an OpenID Connect ID Token instead of an access token.
 
@@ -318,7 +242,6 @@ def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
             URI.
         assertion (str): JWT token signed by a service account. The token's
             payload must include a ``target_audience`` claim.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]:
@@ -331,16 +254,12 @@ def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
     """
     body = {"assertion": assertion, "grant_type": _JWT_GRANT_TYPE}
 
-    response_data = _token_endpoint_request(
-        request, token_uri, body, can_retry=can_retry
-    )
+    response_data = _token_endpoint_request(request, token_uri, body)
 
     try:
         id_token = response_data["id_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError(
-            "No ID token in response.", response_data, retryable=False
-        )
+        new_exc = exceptions.RefreshError("No ID token in response.", response_data)
         six.raise_from(new_exc, caught_exc)
 
     payload = jwt.decode(id_token, verify=False)
@@ -369,9 +288,7 @@ def _handle_refresh_grant_response(response_data, refresh_token):
     try:
         access_token = response_data["access_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError(
-            "No access token in response.", response_data, retryable=False
-        )
+        new_exc = exceptions.RefreshError("No access token in response.", response_data)
         six.raise_from(new_exc, caught_exc)
 
     refresh_token = response_data.get("refresh_token", refresh_token)
@@ -388,7 +305,6 @@ def refresh_grant(
     client_secret,
     scopes=None,
     rapt_token=None,
-    can_retry=True,
 ):
     """Implements the OAuth 2.0 refresh token grant.
 
@@ -408,7 +324,6 @@ def refresh_grant(
             token has a wild card scope (e.g.
             'https://www.googleapis.com/auth/any-api').
         rapt_token (Optional(str)): The reauth Proof Token.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, str, Optional[datetime], Mapping[str, str]]: The access
@@ -432,7 +347,5 @@ def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_data = _token_endpoint_request(
-        request, token_uri, body, can_retry=can_retry
-    )
+    response_data = _token_endpoint_request(request, token_uri, body)
     return _handle_refresh_grant_response(response_data, refresh_token)
diff --git a/google/oauth2/_client_async.py b/google/oauth2/_client_async.py
index 428084a70..cf5121137 100644
--- a/google/oauth2/_client_async.py
+++ b/google/oauth2/_client_async.py
@@ -30,14 +30,13 @@
 from six.moves import http_client
 from six.moves import urllib
 
-from google.auth import _exponential_backoff
 from google.auth import exceptions
 from google.auth import jwt
 from google.oauth2 import _client as client
 
 
 async def _token_endpoint_request_no_throw(
-    request, token_uri, body, access_token=None, use_json=False, can_retry=True
+    request, token_uri, body, access_token=None, use_json=False
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
     This function doesn't throw on response errors.
@@ -51,13 +50,10 @@ async def _token_endpoint_request_no_throw(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
-        Tuple(bool, Mapping[str, str], Optional[bool]): A boolean indicating
-          if the request is successful, a mapping for the JSON-decoded response
-          data and in the case of an error a boolean indicating if the error
-          is retryable.
+        Tuple(bool, Mapping[str, str]): A boolean indicating if the request is
+            successful, and a mapping for the JSON-decoded response data.
     """
     if use_json:
         headers = {"Content-Type": client._JSON_CONTENT_TYPE}
@@ -69,7 +65,11 @@ async def _token_endpoint_request_no_throw(
     if access_token:
         headers["Authorization"] = "Bearer {}".format(access_token)
 
-    async def _perform_request():
+    retry = 0
+    # retry to fetch token for maximum of two times if any internal failure
+    # occurs.
+    while True:
+
         response = await request(
             method="POST", url=token_uri, headers=headers, body=body
         )
@@ -83,36 +83,26 @@ async def _perform_request():
             else response_body1
         )
 
-        try:
-            response_data = json.loads(response_body)
-        except ValueError:
-            response_data = response_body
+        response_data = json.loads(response_body)
 
         if response.status == http_client.OK:
-            return True, response_data, None
-
-        retryable_error = client._can_retry(
-            status_code=response.status, response_data=response_data
-        )
-
-        return False, response_data, retryable_error
-
-    request_succeeded, response_data, retryable_error = await _perform_request()
-
-    if request_succeeded or not retryable_error or not can_retry:
-        return request_succeeded, response_data, retryable_error
-
-    retries = _exponential_backoff.ExponentialBackoff()
-    for _ in retries:
-        request_succeeded, response_data, retryable_error = await _perform_request()
-        if request_succeeded or not retryable_error:
-            return request_succeeded, response_data, retryable_error
+            break
+        else:
+            error_desc = response_data.get("error_description") or ""
+            error_code = response_data.get("error") or ""
+            if (
+                any(e == "internal_failure" for e in (error_code, error_desc))
+                and retry < 1
+            ):
+                retry += 1
+                continue
+            return response.status == http_client.OK, response_data
 
-    return False, response_data, retryable_error
+    return response.status == http_client.OK, response_data
 
 
 async def _token_endpoint_request(
-    request, token_uri, body, access_token=None, use_json=False, can_retry=True
+    request, token_uri, body, access_token=None, use_json=False
 ):
     """Makes a request to the OAuth 2.0 authorization server's token endpoint.
 
@@ -125,7 +115,6 @@ async def _token_endpoint_request(
         access_token (Optional(str)): The access token needed to make the request.
         use_json (Optional(bool)): Use urlencoded format or json format for the
             content type. The default value is False.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Mapping[str, str]: The JSON-decoded response data.
@@ -134,21 +123,15 @@ async def _token_endpoint_request(
         google.auth.exceptions.RefreshError: If the token endpoint returned
             an error.
     """
-
-    response_status_ok, response_data, retryable_error = await _token_endpoint_request_no_throw(
-        request,
-        token_uri,
-        body,
-        access_token=access_token,
-        use_json=use_json,
-        can_retry=can_retry,
+    response_status_ok, response_data = await _token_endpoint_request_no_throw(
+        request, token_uri, body, access_token=access_token, use_json=use_json
     )
     if not response_status_ok:
-        client._handle_error_response(response_data, retryable_error)
+        client._handle_error_response(response_data)
     return response_data
 
 
-async def jwt_grant(request, token_uri, assertion, can_retry=True):
+async def jwt_grant(request, token_uri, assertion):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants.
 
     For more details, see `rfc7523 section 4`_.
@@ -159,7 +142,6 @@ async def jwt_grant(request, token_uri, assertion, can_retry=True):
         token_uri (str): The OAuth 2.0 authorizations server's token endpoint
             URI.
         assertion (str): The OAuth 2.0 assertion.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]: The access token,
@@ -173,16 +155,12 @@ async def jwt_grant(request, token_uri, assertion, can_retry=True):
     """
     body = {"assertion": assertion, "grant_type": client._JWT_GRANT_TYPE}
 
-    response_data = await _token_endpoint_request(
-        request, token_uri, body, can_retry=can_retry
-    )
+    response_data = await _token_endpoint_request(request, token_uri, body)
 
     try:
         access_token = response_data["access_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError(
-            "No access token in response.", response_data, retryable=False
-        )
+        new_exc = exceptions.RefreshError("No access token in response.", response_data)
         six.raise_from(new_exc, caught_exc)
 
     expiry = client._parse_expiry(response_data)
@@ -190,7 +168,7 @@ async def jwt_grant(request, token_uri, assertion, can_retry=True):
     return access_token, expiry, response_data
 
 
-async def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
+async def id_token_jwt_grant(request, token_uri, assertion):
     """Implements the JWT Profile for OAuth 2.0 Authorization Grants, but
     requests an OpenID Connect ID Token instead of an access token.
 
@@ -205,7 +183,6 @@ async def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
             URI.
         assertion (str): JWT token signed by a service account. The token's
             payload must include a ``target_audience`` claim.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[datetime], Mapping[str, str]]:
@@ -218,16 +195,12 @@ async def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
     """
     body = {"assertion": assertion, "grant_type": client._JWT_GRANT_TYPE}
 
-    response_data = await _token_endpoint_request(
-        request, token_uri, body, can_retry=can_retry
-    )
+    response_data = await _token_endpoint_request(request, token_uri, body)
 
     try:
         id_token = response_data["id_token"]
     except KeyError as caught_exc:
-        new_exc = exceptions.RefreshError(
-            "No ID token in response.", response_data, retryable=False
-        )
+        new_exc = exceptions.RefreshError("No ID token in response.", response_data)
         six.raise_from(new_exc, caught_exc)
 
     payload = jwt.decode(id_token, verify=False)
@@ -244,7 +217,6 @@ async def refresh_grant(
     client_secret,
     scopes=None,
     rapt_token=None,
-    can_retry=True,
 ):
     """Implements the OAuth 2.0 refresh token grant.
 
@@ -264,7 +236,6 @@ async def refresh_grant(
             token has a wild card scope (e.g.
             'https://www.googleapis.com/auth/any-api').
         rapt_token (Optional(str)): The reauth Proof Token.
-        can_retry (bool): Enable or disable request retry behavior.
 
     Returns:
         Tuple[str, Optional[str], Optional[datetime], Mapping[str, str]]: The
@@ -288,7 +259,5 @@ async def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_data = await _token_endpoint_request(
-        request, token_uri, body, can_retry=can_retry
-    )
+    response_data = await _token_endpoint_request(request, token_uri, body)
     return client._handle_refresh_grant_response(response_data, refresh_token)
diff --git a/google/oauth2/_reauth_async.py b/google/oauth2/_reauth_async.py
index 6b69c6e67..30b0b0b1e 100644
--- a/google/oauth2/_reauth_async.py
+++ b/google/oauth2/_reauth_async.py
@@ -292,7 +292,7 @@ async def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_status_ok, response_data, retryable_error = await _client_async._token_endpoint_request_no_throw(
+    response_status_ok, response_data = await _client_async._token_endpoint_request_no_throw(
         request, token_uri, body
     )
     if (
@@ -317,13 +317,12 @@ async def refresh_grant(
         (
             response_status_ok,
             response_data,
-            retryable_error,
         ) = await _client_async._token_endpoint_request_no_throw(
             request, token_uri, body
         )
 
     if not response_status_ok:
-        _client._handle_error_response(response_data, retryable_error)
+        _client._handle_error_response(response_data)
     refresh_response = _client._handle_refresh_grant_response(
         response_data, refresh_token
     )
diff --git a/google/oauth2/reauth.py b/google/oauth2/reauth.py
index ad2ad1b2e..2c32bda2a 100644
--- a/google/oauth2/reauth.py
+++ b/google/oauth2/reauth.py
@@ -319,7 +319,7 @@ def refresh_grant(
     if rapt_token:
         body["rapt"] = rapt_token
 
-    response_status_ok, response_data, retryable_error = _client._token_endpoint_request_no_throw(
+    response_status_ok, response_data = _client._token_endpoint_request_no_throw(
         request, token_uri, body
     )
     if (
@@ -339,14 +339,12 @@ def refresh_grant(
             request, client_id, client_secret, refresh_token, token_uri, scopes=scopes
         )
         body["rapt"] = rapt_token
-        (
-            response_status_ok,
-            response_data,
-            retryable_error,
-        ) = _client._token_endpoint_request_no_throw(request, token_uri, body)
+        (response_status_ok, response_data) = _client._token_endpoint_request_no_throw(
+            request, token_uri, body
+        )
 
     if not response_status_ok:
-        _client._handle_error_response(response_data, retryable_error)
+        _client._handle_error_response(response_data)
     return _client._handle_refresh_grant_response(response_data, refresh_token) + (
         rapt_token,
     )
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
index ebce176e8..ff01720c4 100644
--- a/tests/compute_engine/test_credentials.py
+++ b/tests/compute_engine/test_credentials.py
@@ -609,7 +609,7 @@ def test_refresh_error(self, sign, get, utcnow):
         request = mock.create_autospec(transport.Request, instance=True)
         response = mock.Mock()
         response.data = b'{"error": "http error"}'
-        response.status = 404  # Throw a 404 so the request is not retried.
+        response.status = 500
         request.side_effect = [response]
 
         self.credentials = credentials.IDTokenCredentials(
diff --git a/tests/oauth2/test__client.py b/tests/oauth2/test__client.py
index 13c42dc52..bd4cc5001 100644
--- a/tests/oauth2/test__client.py
+++ b/tests/oauth2/test__client.py
@@ -47,14 +47,12 @@
 )
 
 
-@pytest.mark.parametrize("retryable", [True, False])
-def test__handle_error_response(retryable):
+def test__handle_error_response():
     response_data = {"error": "help", "error_description": "I'm alive"}
 
     with pytest.raises(exceptions.RefreshError) as excinfo:
-        _client._handle_error_response(response_data, retryable)
+        _client._handle_error_response(response_data)
 
-    assert excinfo.value.retryable == retryable
     assert excinfo.match(r"help: I\'m alive")
 
 
@@ -62,9 +60,8 @@ def test__handle_error_response_no_error():
     response_data = {"foo": "bar"}
 
     with pytest.raises(exceptions.RefreshError) as excinfo:
-        _client._handle_error_response(response_data, False)
+        _client._handle_error_response(response_data)
 
-    assert not excinfo.value.retryable
     assert excinfo.match(r"{\"foo\": \"bar\"}")
 
 
@@ -72,33 +69,11 @@ def test__handle_error_response_not_json():
     response_data = "this is an error message"
 
     with pytest.raises(exceptions.RefreshError) as excinfo:
-        _client._handle_error_response(response_data, False)
+        _client._handle_error_response(response_data)
 
-    assert not excinfo.value.retryable
     assert excinfo.match(response_data)
 
 
-def test__can_retry_retryable():
-    retryable_codes = transport.DEFAULT_RETRYABLE_STATUS_CODES
-    for status_code in range(100, 600):
-        if status_code in retryable_codes:
-            assert _client._can_retry(status_code, {"error": "invalid_scope"})
-        else:
-            assert not _client._can_retry(status_code, {"error": "invalid_scope"})
-
-
-@pytest.mark.parametrize(
-    "response_data", [{"error": "internal_failure"}, {"error": "server_error"}]
-)
-def test__can_retry_message(response_data):
-    assert _client._can_retry(http_client.OK, response_data)
-
-
-@pytest.mark.parametrize("response_data", [{"error": "invalid_scope"}])
-def test__can_retry_no_retry_message(response_data):
-    assert not _client._can_retry(http_client.OK, response_data)
-
-
 @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
 def test__parse_expiry(unused_utcnow):
     result = _client._parse_expiry({"expires_in": 500})
@@ -179,8 +154,8 @@ def test__token_endpoint_request_internal_failure_error():
         _client._token_endpoint_request(
             request, "http://example.com", {"error_description": "internal_failure"}
         )
-    # request should be called once and then with 3 retries
-    assert request.call_count == 4
+    # request should be called twice due to the retry
+    assert request.call_count == 2
 
     request = make_request(
         {"error": "internal_failure"}, status=http_client.BAD_REQUEST
@@ -190,55 +165,7 @@ def test__token_endpoint_request_internal_failure_error():
         _client._token_endpoint_request(
             request, "http://example.com", {"error": "internal_failure"}
         )
-    # request should be called once and then with 3 retries
-    assert request.call_count == 4
-
-
-def test__token_endpoint_request_internal_failure_and_retry_failure_error():
-    retryable_error = mock.create_autospec(transport.Response, instance=True)
-    retryable_error.status = http_client.BAD_REQUEST
-    retryable_error.data = json.dumps({"error_description": "internal_failure"}).encode(
-        "utf-8"
-    )
-
-    unretryable_error = mock.create_autospec(transport.Response, instance=True)
-    unretryable_error.status = http_client.BAD_REQUEST
-    unretryable_error.data = json.dumps({"error_description": "invalid_scope"}).encode(
-        "utf-8"
-    )
-
-    request = mock.create_autospec(transport.Request)
-
-    request.side_effect = [retryable_error, retryable_error, unretryable_error]
-
-    with pytest.raises(exceptions.RefreshError):
-        _client._token_endpoint_request(
-            request, "http://example.com", {"error_description": "invalid_scope"}
-        )
-    # request should be called three times. Two retryable errors and one
-    # unretryable error to break the retry loop.
-    assert request.call_count == 3
-
-
-def test__token_endpoint_request_internal_failure_and_retry_succeeds():
-    retryable_error = mock.create_autospec(transport.Response, instance=True)
-    retryable_error.status = http_client.BAD_REQUEST
-    retryable_error.data = json.dumps({"error_description": "internal_failure"}).encode(
-        "utf-8"
-    )
-
-    response = mock.create_autospec(transport.Response, instance=True)
-    response.status = http_client.OK
-    response.data = json.dumps({"hello": "world"}).encode("utf-8")
-
-    request = mock.create_autospec(transport.Request)
-
-    request.side_effect = [retryable_error, response]
-
-    _ = _client._token_endpoint_request(
-        request, "http://example.com", {"test": "params"}
-    )
-
+    # request should be called twice due to the retry
     assert request.call_count == 2
 
 
@@ -292,9 +219,8 @@ def test_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         _client.jwt_grant(request, "http://example.com", "assertion_value")
-    assert not excinfo.value.retryable
 
 
 def test_id_token_jwt_grant():
@@ -329,9 +255,8 @@ def test_id_token_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         _client.id_token_jwt_grant(request, "http://example.com", "assertion_value")
-    assert not excinfo.value.retryable
 
 
 @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
@@ -423,104 +348,7 @@ def test_refresh_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         _client.refresh_grant(
             request, "http://example.com", "refresh_token", "client_id", "client_secret"
         )
-    assert not excinfo.value.retryable
-
-
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-def test_jwt_grant_retry_default(mock_token_endpoint_request, mock_expiry):
-    _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=True
-    )
-
-
-@pytest.mark.parametrize("can_retry", [True, False])
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-def test_jwt_grant_retry_with_retry(
-    mock_token_endpoint_request, mock_expiry, can_retry
-):
-    _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock(), can_retry=can_retry)
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
-    )
-
-
-@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-def test_id_token_jwt_grant_retry_default(mock_token_endpoint_request, mock_jwt_decode):
-    _client.id_token_jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=True
-    )
-
-
-@pytest.mark.parametrize("can_retry", [True, False])
-@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-def test_id_token_jwt_grant_retry_with_retry(
-    mock_token_endpoint_request, mock_jwt_decode, can_retry
-):
-    _client.id_token_jwt_grant(
-        mock.Mock(), mock.Mock(), mock.Mock(), can_retry=can_retry
-    )
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
-    )
-
-
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-def test_refresh_grant_retry_default(mock_token_endpoint_request, mock_parse_expiry):
-    _client.refresh_grant(
-        mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock()
-    )
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=True
-    )
-
-
-@pytest.mark.parametrize("can_retry", [True, False])
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-def test_refresh_grant_retry_with_retry(
-    mock_token_endpoint_request, mock_parse_expiry, can_retry
-):
-    _client.refresh_grant(
-        mock.Mock(),
-        mock.Mock(),
-        mock.Mock(),
-        mock.Mock(),
-        mock.Mock(),
-        can_retry=can_retry,
-    )
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
-    )
-
-
-@pytest.mark.parametrize("can_retry", [True, False])
-def test__token_endpoint_request_no_throw_with_retry(can_retry):
-    response_data = {"error": "help", "error_description": "I'm alive"}
-    body = "dummy body"
-
-    mock_response = mock.create_autospec(transport.Response, instance=True)
-    mock_response.status = http_client.INTERNAL_SERVER_ERROR
-    mock_response.data = json.dumps(response_data).encode("utf-8")
-
-    mock_request = mock.create_autospec(transport.Request)
-    mock_request.return_value = mock_response
-
-    _client._token_endpoint_request_no_throw(
-        mock_request, mock.Mock(), body, mock.Mock(), mock.Mock(), can_retry=can_retry
-    )
-
-    if can_retry:
-        assert mock_request.call_count == 4
-    else:
-        assert mock_request.call_count == 1
diff --git a/tests/oauth2/test_reauth.py b/tests/oauth2/test_reauth.py
index df0636b18..ae64be009 100644
--- a/tests/oauth2/test_reauth.py
+++ b/tests/oauth2/test_reauth.py
@@ -260,7 +260,7 @@ def test_refresh_grant_failed():
     with mock.patch(
         "google.oauth2._client._token_endpoint_request_no_throw"
     ) as mock_token_request:
-        mock_token_request.return_value = (False, {"error": "Bad request"}, False)
+        mock_token_request.return_value = (False, {"error": "Bad request"})
         with pytest.raises(exceptions.RefreshError) as excinfo:
             reauth.refresh_grant(
                 MOCK_REQUEST,
@@ -273,7 +273,6 @@ def test_refresh_grant_failed():
                 enable_reauth_refresh=True,
             )
         assert excinfo.match(r"Bad request")
-        assert not excinfo.value.retryable
         mock_token_request.assert_called_with(
             MOCK_REQUEST,
             "token_uri",
@@ -293,8 +292,8 @@ def test_refresh_grant_success():
         "google.oauth2._client._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True),
-            (True, {"access_token": "access_token"}, None),
+            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
+            (True, {"access_token": "access_token"}),
         ]
         with mock.patch(
             "google.oauth2.reauth.get_rapt_token", return_value="new_rapt_token"
@@ -320,8 +319,8 @@ def test_refresh_grant_reauth_refresh_disabled():
         "google.oauth2._client._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True),
-            (True, {"access_token": "access_token"}, None),
+            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
+            (True, {"access_token": "access_token"}),
         ]
         with pytest.raises(exceptions.RefreshError) as excinfo:
             reauth.refresh_grant(
diff --git a/tests/test__exponential_backoff.py b/tests/test__exponential_backoff.py
deleted file mode 100644
index 06a54527e..000000000
--- a/tests/test__exponential_backoff.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 2022 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import mock
-
-from google.auth import _exponential_backoff
-
-
-@mock.patch("time.sleep", return_value=None)
-def test_exponential_backoff(mock_time):
-    eb = _exponential_backoff.ExponentialBackoff()
-    curr_wait = eb._current_wait_in_seconds
-    iteration_count = 0
-
-    for attempt in eb:
-        backoff_interval = mock_time.call_args[0][0]
-        jitter = curr_wait * eb._randomization_factor
-
-        assert (curr_wait - jitter) <= backoff_interval <= (curr_wait + jitter)
-        assert attempt == iteration_count + 1
-        assert eb.backoff_count == iteration_count + 1
-        assert eb._current_wait_in_seconds == eb._multiplier ** (iteration_count + 1)
-
-        curr_wait = eb._current_wait_in_seconds
-        iteration_count += 1
-
-    assert eb.total_attempts == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
-    assert eb.backoff_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
-    assert iteration_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
-    assert mock_time.call_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS
diff --git a/tests/test_exceptions.py b/tests/test_exceptions.py
deleted file mode 100644
index 6f542498f..000000000
--- a/tests/test_exceptions.py
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright 2022 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import pytest  # type: ignore
-
-from google.auth import exceptions  # type:ignore
-
-
-@pytest.fixture(
-    params=[
-        exceptions.GoogleAuthError,
-        exceptions.TransportError,
-        exceptions.RefreshError,
-        exceptions.UserAccessTokenError,
-        exceptions.DefaultCredentialsError,
-        exceptions.MutualTLSChannelError,
-        exceptions.OAuthError,
-        exceptions.ReauthFailError,
-        exceptions.ReauthSamlChallengeFailError,
-    ]
-)
-def retryable_exception(request):
-    return request.param
-
-
-@pytest.fixture(params=[exceptions.ClientCertError])
-def non_retryable_exception(request):
-    return request.param
-
-
-def test_default_retryable_exceptions(retryable_exception):
-    assert not retryable_exception().retryable
-
-
-@pytest.mark.parametrize("retryable", [True, False])
-def test_retryable_exceptions(retryable_exception, retryable):
-    retryable_exception = retryable_exception(retryable=retryable)
-    assert retryable_exception.retryable == retryable
-
-
-@pytest.mark.parametrize("retryable", [True, False])
-def test_non_retryable_exceptions(non_retryable_exception, retryable):
-    non_retryable_exception = non_retryable_exception(retryable=retryable)
-    assert not non_retryable_exception.retryable
diff --git a/tests_async/oauth2/test__client_async.py b/tests_async/oauth2/test__client_async.py
index 402083672..91874cdd4 100644
--- a/tests_async/oauth2/test__client_async.py
+++ b/tests_async/oauth2/test__client_async.py
@@ -29,10 +29,10 @@
 from tests.oauth2 import test__client as test_client
 
 
-def make_request(response_data, status=http_client.OK, text=False):
+def make_request(response_data, status=http_client.OK):
     response = mock.AsyncMock(spec=["transport.Response"])
     response.status = status
-    data = response_data if text else json.dumps(response_data).encode("utf-8")
+    data = json.dumps(response_data).encode("utf-8")
     response.data = mock.AsyncMock(spec=["__call__", "read"])
     response.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
     response.content = mock.AsyncMock(spec=["__call__"], return_value=data)
@@ -62,27 +62,6 @@ async def test__token_endpoint_request():
     assert result == {"test": "response"}
 
 
-@pytest.mark.asyncio
-async def test__token_endpoint_request_text():
-
-    request = make_request("response", text=True)
-
-    result = await _client._token_endpoint_request(
-        request, "http://example.com", {"test": "params"}
-    )
-
-    # Check request call
-    request.assert_called_with(
-        method="POST",
-        url="http://example.com",
-        headers={"Content-Type": "application/x-www-form-urlencoded"},
-        body="test=params".encode("utf-8"),
-    )
-
-    # Check result
-    assert result == "response"
-
-
 @pytest.mark.asyncio
 async def test__token_endpoint_request_json():
 
@@ -116,9 +95,8 @@ async def test__token_endpoint_request_json():
 async def test__token_endpoint_request_error():
     request = make_request({}, status=http_client.BAD_REQUEST)
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         await _client._token_endpoint_request(request, "http://example.com", {})
-    assert not excinfo.value.retryable
 
 
 @pytest.mark.asyncio
@@ -127,11 +105,10 @@ async def test__token_endpoint_request_internal_failure_error():
         {"error_description": "internal_failure"}, status=http_client.BAD_REQUEST
     )
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         await _client._token_endpoint_request(
             request, "http://example.com", {"error_description": "internal_failure"}
         )
-    assert excinfo.value.retryable
 
     request = make_request(
         {"error": "internal_failure"}, status=http_client.BAD_REQUEST
@@ -141,61 +118,6 @@ async def test__token_endpoint_request_internal_failure_error():
         await _client._token_endpoint_request(
             request, "http://example.com", {"error": "internal_failure"}
         )
-    assert excinfo.value.retryable
-
-
-@pytest.mark.asyncio
-async def test__token_endpoint_request_internal_failure_and_retry_failure_error():
-    retryable_error = mock.AsyncMock(spec=["transport.Response"])
-    retryable_error.status = http_client.BAD_REQUEST
-    data = json.dumps({"error_description": "internal_failure"}).encode("utf-8")
-    retryable_error.data = mock.AsyncMock(spec=["__call__", "read"])
-    retryable_error.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
-    retryable_error.content = mock.AsyncMock(spec=["__call__"], return_value=data)
-
-    unretryable_error = mock.AsyncMock(spec=["transport.Response"])
-    unretryable_error.status = http_client.BAD_REQUEST
-    data = json.dumps({"error_description": "invalid_scope"}).encode("utf-8")
-    unretryable_error.data = mock.AsyncMock(spec=["__call__", "read"])
-    unretryable_error.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
-    unretryable_error.content = mock.AsyncMock(spec=["__call__"], return_value=data)
-
-    request = mock.AsyncMock(spec=["transport.Request"])
-    request.side_effect = [retryable_error, retryable_error, unretryable_error]
-
-    with pytest.raises(exceptions.RefreshError):
-        await _client._token_endpoint_request(
-            request, "http://example.com", {"error_description": "invalid_scope"}
-        )
-    # request should be called three times. Two retryable errors and one
-    # unretryable error to break the retry loop.
-    assert request.call_count == 3
-
-
-@pytest.mark.asyncio
-async def test__token_endpoint_request_internal_failure_and_retry_succeeds():
-    retryable_error = mock.AsyncMock(spec=["transport.Response"])
-    retryable_error.status = http_client.BAD_REQUEST
-    data = json.dumps({"error_description": "internal_failure"}).encode("utf-8")
-    retryable_error.data = mock.AsyncMock(spec=["__call__", "read"])
-    retryable_error.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
-    retryable_error.content = mock.AsyncMock(spec=["__call__"], return_value=data)
-
-    response = mock.AsyncMock(spec=["transport.Response"])
-    response.status = http_client.OK
-    data = json.dumps({"hello": "world"}).encode("utf-8")
-    response.data = mock.AsyncMock(spec=["__call__", "read"])
-    response.data.read = mock.AsyncMock(spec=["__call__"], return_value=data)
-    response.content = mock.AsyncMock(spec=["__call__"], return_value=data)
-
-    request = mock.AsyncMock(spec=["transport.Request"])
-    request.side_effect = [retryable_error, response]
-
-    _ = await _client._token_endpoint_request(
-        request, "http://example.com", {"test": "params"}
-    )
-
-    assert request.call_count == 2
 
 
 def verify_request_params(request, params):
@@ -206,8 +128,8 @@ def verify_request_params(request, params):
         assert request_params[key][0] == value
 
 
-@pytest.mark.asyncio
 @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+@pytest.mark.asyncio
 async def test_jwt_grant(utcnow):
     request = make_request(
         {"access_token": "token", "expires_in": 500, "extra": "data"}
@@ -239,9 +161,8 @@ async def test_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         await _client.jwt_grant(request, "http://example.com", "assertion_value")
-    assert not excinfo.value.retryable
 
 
 @pytest.mark.asyncio
@@ -279,15 +200,14 @@ async def test_id_token_jwt_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         await _client.id_token_jwt_grant(
             request, "http://example.com", "assertion_value"
         )
-    assert not excinfo.value.retryable
 
 
-@pytest.mark.asyncio
 @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+@pytest.mark.asyncio
 async def test_refresh_grant(unused_utcnow):
     request = make_request(
         {
@@ -326,8 +246,8 @@ async def test_refresh_grant(unused_utcnow):
     assert extra_data["extra"] == "data"
 
 
-@pytest.mark.asyncio
 @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+@pytest.mark.asyncio
 async def test_refresh_grant_with_scopes(unused_utcnow):
     request = make_request(
         {
@@ -378,121 +298,7 @@ async def test_refresh_grant_no_access_token():
         }
     )
 
-    with pytest.raises(exceptions.RefreshError) as excinfo:
+    with pytest.raises(exceptions.RefreshError):
         await _client.refresh_grant(
             request, "http://example.com", "refresh_token", "client_id", "client_secret"
         )
-    assert not excinfo.value.retryable
-
-
-@pytest.mark.asyncio
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-async def test_jwt_grant_retry_default(mock_token_endpoint_request, mock_expiry):
-    _ = await _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=True
-    )
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize("can_retry", [True, False])
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-async def test_jwt_grant_retry_with_retry(
-    mock_token_endpoint_request, mock_expiry, can_retry
-):
-    _ = await _client.jwt_grant(
-        mock.AsyncMock(), mock.Mock(), mock.Mock(), can_retry=can_retry
-    )
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
-    )
-
-
-@pytest.mark.asyncio
-@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-async def test_id_token_jwt_grant_retry_default(
-    mock_token_endpoint_request, mock_jwt_decode
-):
-    _ = await _client.id_token_jwt_grant(mock.Mock(), mock.Mock(), mock.Mock())
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=True
-    )
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize("can_retry", [True, False])
-@mock.patch("google.auth.jwt.decode", return_value={"exp": 0})
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-async def test_id_token_jwt_grant_retry_with_retry(
-    mock_token_endpoint_request, mock_jwt_decode, can_retry
-):
-    _ = await _client.id_token_jwt_grant(
-        mock.AsyncMock(), mock.AsyncMock(), mock.AsyncMock(), can_retry=can_retry
-    )
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
-    )
-
-
-@pytest.mark.asyncio
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-async def test_refresh_grant_retry_default(
-    mock_token_endpoint_request, mock_parse_expiry
-):
-    _ = await _client.refresh_grant(
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-    )
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=True
-    )
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize("can_retry", [True, False])
-@mock.patch("google.oauth2._client._parse_expiry", return_value=None)
-@mock.patch.object(_client, "_token_endpoint_request", autospec=True)
-async def test_refresh_grant_retry_with_retry(
-    mock_token_endpoint_request, mock_parse_expiry, can_retry
-):
-    _ = await _client.refresh_grant(
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        can_retry=can_retry,
-    )
-    mock_token_endpoint_request.assert_called_with(
-        mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry
-    )
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize("can_retry", [True, False])
-async def test__token_endpoint_request_no_throw_with_retry(can_retry):
-    mock_request = make_request(
-        {"error": "help", "error_description": "I'm alive"},
-        http_client.INTERNAL_SERVER_ERROR,
-    )
-
-    _ = await _client._token_endpoint_request_no_throw(
-        mock_request,
-        mock.AsyncMock(),
-        "body",
-        mock.AsyncMock(),
-        mock.AsyncMock(),
-        can_retry=can_retry,
-    )
-
-    if can_retry:
-        assert mock_request.call_count == 4
-    else:
-        assert mock_request.call_count == 1
diff --git a/tests_async/oauth2/test_reauth_async.py b/tests_async/oauth2/test_reauth_async.py
index 40ca92717..8f51bd3a7 100644
--- a/tests_async/oauth2/test_reauth_async.py
+++ b/tests_async/oauth2/test_reauth_async.py
@@ -279,7 +279,7 @@ async def test_refresh_grant_failed():
     with mock.patch(
         "google.oauth2._client_async._token_endpoint_request_no_throw"
     ) as mock_token_request:
-        mock_token_request.return_value = (False, {"error": "Bad request"}, True)
+        mock_token_request.return_value = (False, {"error": "Bad request"})
         with pytest.raises(exceptions.RefreshError) as excinfo:
             await _reauth_async.refresh_grant(
                 MOCK_REQUEST,
@@ -291,7 +291,6 @@ async def test_refresh_grant_failed():
                 rapt_token="rapt_token",
             )
         assert excinfo.match(r"Bad request")
-        assert excinfo.value.retryable
         mock_token_request.assert_called_with(
             MOCK_REQUEST,
             "token_uri",
@@ -312,8 +311,8 @@ async def test_refresh_grant_success():
         "google.oauth2._client_async._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True),
-            (True, {"access_token": "access_token"}, None),
+            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
+            (True, {"access_token": "access_token"}),
         ]
         with mock.patch(
             "google.oauth2._reauth_async.get_rapt_token", return_value="new_rapt_token"
@@ -340,16 +339,11 @@ async def test_refresh_grant_reauth_refresh_disabled():
         "google.oauth2._client_async._token_endpoint_request_no_throw"
     ) as mock_token_request:
         mock_token_request.side_effect = [
-            (
-                False,
-                {"error": "invalid_grant", "error_subtype": "rapt_required"},
-                False,
-            ),
-            (True, {"access_token": "access_token"}, None),
+            (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
+            (True, {"access_token": "access_token"}),
         ]
         with pytest.raises(exceptions.RefreshError) as excinfo:
             assert await _reauth_async.refresh_grant(
                 MOCK_REQUEST, "token_uri", "refresh_token", "client_id", "client_secret"
             )
         assert excinfo.match(r"Reauthentication is needed")
-        assert not excinfo.value.retryable

From 2db7eaf9fc80d36b7f2e193c3863df8c1ef9a40f Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Fri, 23 Sep 2022 17:10:04 +0000
Subject: [PATCH 34/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 6dc14d78e8d934436d54ec752357b030ac692e0d..ae54fc9c36b4ea27d099b07b4798d7cd0f7ffa45 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTI?c21RdL$S~<>z+HUYYUCUE$PKQIr##w=r+0YJ8><qkPyni{
zhrF+5+MJ8rBNY1AYy}vEM;}t;?8FT8!Miv+U_jrVVzxzk>4AJAy5uvr4+x`zYF#gH
z3BSYs$YN?c_In;5Y1_kohNka&mnrSx3mM4c`iWH)P3cbEV6UDSbidL=>6o2BKy6U=
zbIb>i5mf!#*Wlq<wzsfHW7}(FJ>q1mz`7*Q6gc8WOk~h97<+Dc1oc5O-nDdXuha<s
zCG$GMisnZ}jehKDkFTyE=$vqLh0u|!AbX<Qk02FAZ6x7Dz{xzEVT${qqheU{!)XH&
z%a?=Af1ZX&=-{4e%JEfb9X|y*O2=4g3uBC^PbLJ`B<j|c7D)nLYIm}ZIF>#aG!Y5o
zL>d25rw$B;J|OGhqX4-zge0cbK@tJF)w1${<7oR?a=|k4f^_x}q?Ao>h0BSvwK&g<
zveQksnlMo!HY3H-;M32>H&%wxu?dz(^t$zHJEbbjZph_6sL|q#ibsgmb!@<`tyOB=
zlL7I)W$p3M(_fU+7I2VIcq!Ua2LU=^8oT~+hgaeOY^kvhUu?e*={V2a+GWHGC{?p9
zYdZe+-+X^rk>8KWF5<r7&MlDFfnbbl0=fDYt@P(^`2bWkNWQx~3ZhBV=Eqx?W=bRH
zcRr{FBq5bS`qtZnB&VHnF*ZAw64ZWzz5G%j@Lz*t><!SjmFa-vEt*rMq=ElJoIxH`
zlb_AP;Xd$RtvtQ^V9~*07Oc;Cp9|@H`>Bg3t(CSeT=$!OeWeCtf1QvB0ApF+q-;IL
zI>v6e8jWI>-VHC;7k0V87A`>X)I7Q#n-R8r;E8HT$A$~BWy=NrS_99+CEQpegG8uE
zCg??$X5`I8>byfv1evRHI#(TxtYf6Iv+pV5nbkG9pF>9C(nUAcJT(_wmVns~;Ek<T
zu6x>;^_Jqyxj4?ufh(7c)28d+D3EL}BvgaWd<37sX5F1u$f}JF`;t`P^rNJ?^hkL6
zcXA1pjE|IgR_FewBwpt8dm*|~5gE71U5tM-KR)z@o__BKN{z%j#_P5p@%(>@;c5z0
zjJ(lxp7+mMU?Q(L(T-knuXU5ZOOTLCLNfA~GJ{tZ#!(A@%-eS?1VMMl_75#Z*^R*7
z&B=@iG?#0H6jrKnVs&C!-=hxODYy+ob$)Iu_L%7BpZ9K?^EibZ^vXR2%qmz@;@W(b
z-Wl6ErNIz79dhaw%B^%<Px8*d*@8MufVEsru%5x_>7Iq0nR(5l&Bo#!2==ts0C%hJ
zF`HcN!As~3=P3H0Iy!A2Zx?}~L`31(%_dgEiz)O0!G}Q2(q&!%{{FOrOZL5J(!poO
zc=_6*?k$xaeKt7Ox=aS*Ys(eMOfa+EeTvqXZ3;tY92pc=JtnUocV87DxiA(qv%8r@
z;E=`_H{yY-{AoUdDtie$&N+3jPXyo91-2`qDM7mb%e|HK?4eY}xmfhTR7#L632xrA
z`O$LAYZ@@QpV9a3JRtZ^VRRi!^Ruc2&kX5?1)g9nS^R>e(}^x&38O{9gdZ@M2Y@F~
z7qhGrO^P()VjtkVzCpRea2<wWVAgv-9^Cxlt<e?g!E?K30^e(qcc4ri@fpeS^1IpM
zmKlr`iGsJ2fp%E|8Yx{96rfB(H>E+lkW?5C(#-b5b@b(s*z662*zf<S|Fr<kdNHba
z<sL?tsU;-ciORw8Jd@GH7^BcnCmXt6*We(hiw?XDBJ<dZ<nCEIS40NKq%;E()c6U-
zKjdfO8ZO-@DFObdWi#feI@Eg-7sl>T@21mzI=_QPv5Lorsy-ROJ}yawqjJawCSjXB
zFbQrwO^Snb-}<?`rs0CZEFmz$@<aKD&!+%Cq<0R|1)G50im~qmX-yUmg@^uU9d7Uh
z0{crg6nfy{E0OM;7Kuza3;_J7PTHCVA{e7`=oirpd;Wn-8zaC=F|At^`Y=RmJ)V^5
zmM+6*0QWvFKFi#Yf1Q8r^V0L`<mjy;k+DfQ9c>$EfP@hkaSwaQR_Ws<LM+pE+0&&Q
zz)K;4+ksK#b$w^VinQ*&K$u|Ja?D`Ec*9JNv{69;{zcsV>3u>({C9B@nwM$v8;GoI
z`l5T6<JTz{MkA|Mlue;WaQ%`L0=p_;Fso%3hqJQo58hI5<z)_;WcO>q#EZcMNw5tr
zZ0$Xa#Ou6*FIBNgLRdk;ReWD)73aXevYfOn2xY^Nd&;|3;}GvtMsOh;xyoC+DP@yQ
zu`Oh9&@6Z5Etr^mE^)iA-!8qii5k`9<0^I|<}8Uvo8`r-Sn@(d#(~ZVHSMlpD)PK%
zo_L{}wUq&xQZ|c-zJ{wtR(_Zt>b%=(Prh=kaOD8$X)3b348THWNm<$O7}EO_OAz_&
z>aC0#z%9XEr->ObHByAD^enOfb=NABD;E%>?B`~B@%I#GYA5=KhpYl5`@`}u>Kl%*
zq}aWxwNzxy{uH^4hFx`YHLHisxv<DIELF>x+4C@sS5bl5Z*ECv1*V1zW~7XO%z@eJ
z5H9z@6)EU*a!;Xn;p#XX*qfWs_kF{a9e^c+a_dI%7k*2WG*SzrKuQwm3!XwnUXwgh
zVBD}DmhubhL(9#|?t0zxG32l258pT?N7evU{XgKv80=Cr9BD9s_FGLtLxBlbc3OXw
z3F#?va6A@d>FGgE>8wSERnQ39&uP&*rq?_`r((W_p5_p{-Gxe77b5m66x57E;l^f;
z^4y&c-35^DYj<NPkz^b<hqqjXIwP^9+#S|ROeR*^C?cu^1BC%r&qLUXGBLZyoYXK>
z1ErX|FRj;(=m^v*E0!yKPSQkqPyj5A0_j;uI${OuOT}T@YL{CYv#kc*xklVs3#u~d
zI`0FL4%f9Q&x5_-cYWJQt*Z>{6y*2S2#QdSJ{i{t+d1A#x`+Qa1Z~Uw<{ph`w#yBv
zOwP*s#Km~{nUQn|3No$Kq}}M7%i83v1+sPkQ|?%!He*OVW>f>WW%7v@cq_61z-X4)
zTZX)T>=+c3a7GjW;cG>OL{Z*5VL!y>*Y5(}={D&;!2e>NOKEem2S~R-@z01B6hYZw
zd~}~oO$T-=<D0vLI^qla{#`?t#YVwFfcS(`dWbNjtM`zNX>8@W!#nRrhX7Cu$b9Xt
ztNx#qYLD59`k@z7x#E`1j%h^<i-@IIQ~qAyOck@mS5%IG%Av1{L(*QSm45foE(wFT
z5Wd%}ri}!kY<rFt?RONPZ#w21J#{+40f|8Z5xlL&y_rD`#>iF3*c8ELEHW#daz@ck
zB}=Ef!s^vOLuI%Thyre_eIQ~myYQXWEHrTUtX)m;qr)(2l6c$P7>qWs7cgD6X74MD
zMy%{qxm5P8;z7b2it`W<%zbyZ#_V^yE;l2XR$HUupW|#NVrybONJ;{RH{@^7Tvaq+
z-+H7XWg8??-y-_*zqXsj=^S5Y_(m)p*HU7cQEND^(xB~tH1sInW^>3rD3koRw|bMT
zYBpgfIf`~6JVY=N1XA!biseZ!I=VY#S;=n_h3^}n@D7*cU8-jHEkgPMw!QoXNWmU`
zS<85eADOvpY>~I_BA>Gsb4Cv+KApZcJH+=Ico4c+!BWB|enM3*;z|L!<V*#LvzbLi
zmmWplDQ3TxKB#e7+3pm!O?g4lO|4K~zap0B2N!1M5FpSKq}~ZhU3Cx|rQB6bu2d{C
z`&hw;o0Ivr^2mSTZk=XJ|BxmYoes))vuF$57Cv28;gtXE{@83r?nM~H8SS6p36(l<
zw_MhY^AeV&RRP-m%2b!@j@tbN?EkMp*TAbey;A`2N~5jJ7_Q@S5LE&>D{$hyO0&}@
zMv~Vx0<9-*$2cNK?%PV+w}dyz3Tzht>nvn6tyr}v{RyTHTi9|~RNc92&q2xRnfu9X
zDg;twU*sFlf|O9D``L9MK2`nJc$9hXSljJm<Oh3e;W!EjpeZ)^jM+Y^`H+hB-^&y`
zD2Tmbx{eR4E`MydF>pe=8MfZEJ4$0t=R<Ld+y-5Us8JP*gA$b;*=$I~e*Pmb*Br3Q
z1U9gcGw9W#vxqM<Y1W9+&>dnLX3MH502%Q{nN>T|Kly_eF=*EQ^#<BkF-celgLu-@
zV&ql{Ef&x7&%sv~F7!Se5@-$5H$EYK>%?ofVfT|bfD*UlP6Yq&K&uyy%9=AFDD?C~
z7T+)T;@QPQZb)dQXptMfYkB3qWIzRXzh`Zix2WBw3GRF3)Axfa0VFtV5(CdpH*g@-
zqd9C)x<H`Vk;_Cvbb)@R9Bhlz01#=!p&9|YEsA2V(McY91TRUn+#PEUYqg=Ga>bJ2
zm#B!%7h+<ay`N~S|Lf3QXB<+O*EU#0h}NYeQJuB|a`-7Etm8v!t=pwn-l@#vNE$Os
zoxVc7do^OSz77=my|L>Y2Tewt)gY2W4s|{;@(1At2t7<`LJC(}3C4hlL;G<z8)!_t
zJaR?cs%yhF#VFrBdr^-f<*`AWU*I&xP~33Us8sL0t_6(?#RLm#dmrX3!wvL}{_bX1
zjX^(M;R9t0q~;l=qIxL8JQ^xwATyPO|FzVQxyc%3`wa${3h;;GLa4h(e|BE*TubX?
zfuJxUgSyp^g$<F;#)OW_Q}?|QK42uH07zF<`$B9H9J~&B_Ih%yOzg4*4F=}DogQM?
zTuI!cej*?RK`#%BSe*Z~iel{Og}u1NumIVLlahEKnreJ`3`|0=Yee<~yd$LmFt~FR
zO0R`qd-#;?sF~?T>WaFRm$73?e&jQ_wxAR#`TV@K&P0ByEGei{DK7}dp*<@M;}OW@
z;RS6x=yxV!w|i8In~aj#4l$v&!m+1e_}<S~@ErK}o-tLTpt)C~qU!%Z8g12v(t+Hm
z7%W;*!87D@h&|NT{&srkq%FO9{qG7s3f&p=*sv?AJMR3|VkWc9;Lp8~ScNN_(Q0ma
zyo*B+Wq@~C5z`37Fz~k}>xwyd{C^xReTq=KUf_cw9T9|`pfeylf>x`uPbI5?gXY3r
zfzn`O%J#kGu2^~K(kV1YQ*E9z$H8%n?P9H@8K+FtWC*87E@#Lm?Vz1_g}2;3dhZC@
zuiD$<q^)$SO}ynsexp$!87V0g2EA~cP0gX{ri<$Ep8z%uqFH->rvDp<PQ4}^2jxt%
z9>{Boa=$W?H<5GGCKMW0OF3UHEjvYJ4{R%nG`)f0#;R}{_HcKUTK4&g)Yl<*4Ijvp
zb_|x+tMrKs(H{qo*-JNsB{x4a+VoC8CiF$l5Y*H(x->eoVpX`(MsrOX+#MI$P{J<;
zS3Q7NT(e8*#w|f&G@2yg9$EYpAC#H~1ho(A-riKbki4zxJ;o|xNS8Oeqj;cMBZ5n(
zxLo0MXVgc?l1vHV7IOSMkzp5Nr>z|HG~*y>%g;jx$B=P7`k+4MP!ycjGy2IQ{ETP0
zN$&?ma5LjgWyG=NG{cc1Cw|t}noPi6J?+|PN~w?`zxFyil=RQNXtgK^G*e9a#C@}5
zeaSkQvO_+m?-Cqm!nq$!1P$3-U$Il0+)ig2T!Ul038AFK#E-9K7XYvloRONExwZ9y
zm6`%<hRXlLPwc*QH*(g^^#Iq@Tu^MJb5`^xVW&H$z^5OHnUhIgRTp@6Kb$4~#{_Wr
zWlXjU%B$6(CHgGE#3VnQ|Aw0d{!oCdmAYgJV$xk4spd^O$;%Rhp(0NHO`MtSshluw
zu%JNx{2WnKtXiGVE;7B=G@mY}4PPb#ah4*-D=8|&JARm-#ua&O7Z7}%?g6l@eaO>F
z)g=S{B-#xDw~ZS`%b8&HoPIJp7|o3@7xv5qMsaU-`s85j7FaJ+6)f3;$pY^T1%alJ
z)IEC#F|CnR2aEoD=@2f)(rT=q%86k(Y$*;Uyw>YJ<!0!_Ey1%BqShY4X>V7#?8^o^
zV>gVDm2if)hVK$HieY(=OLR}>Cd3O??`kLpMMfjN4Es)@gAi!Koz_1wN%Atbsu2e*
z?H5^q$uQx8HlMt}1;q@Cl^R@G0mm3T%YUD{17#{7jVm)Z$R!=9U9KE$R9!pQ{IH#z
zQ^~<z)^|9>znv?URm@^u-1K5ZP-^0&nR^UgstG<=OK>^#EgD72qAv1yagBDNDNTBy
zRtJf^4y=!2sJSTIS2aO~VKli@%DzL>^;yn=rn1?{+j*S7)m%E)-bVs3LY5Me4$`>D
zAm4EfF$()+J1vk6#))eU$u$DdBQIuP-}Miu>;h341bnyltrwLRNxKy4A|NrBgiDm;
z<G?|E8*quoPjMJ;@k|P)Fn>Bdl(yk{K47XJm#UIoHnld@mR%LTj@IE_(l~zU0R0ZQ
zs!ITgHk~ne-t83clykgz+U--T<uoD~U-W!8yrjLEmoms1$xgD<8W2C(w*_blOesGI
zjNU1ujSqO4nsTgcEo8f|*QT%3>XYx62fhV4m4Ao>DYu~N^B28EywdReKpH!sX9cvL
z=Xr5+ZE_JJs3i`YpP^rcB#s0ro*~A&Ix&G@ey5FoP%u*~g6@m%LTZ;({2M>OL)Ia|
zBJg#%{&tD<CAS1<ed|vl?wycio?TlB0-__^>WY_29`7l2S+DPo;tt-8bVGpn8aE1-
zWB?9P@f9NT>pyRb$DC>jJ#x!l#B`PuQ$UQf_Xg%MK^^<+k7Z0fpQ%q;yxcP%xF*#x
zqdV;}SAE*nPDj3ZQd;+zd*Fo%HK0ZZCk(=zE!nrrP(8VaG4vTOEeJ6o)+%Dld!WW2
zopzo$+FOF<vj|y6q_(Qk>Y^eHU9(B0(I}r$k|em!$JP|?9zOL*yEMQDll~qrn7c9R
z$FO^MTUn^Jzu+w%`>^!Tt{qlm@Fj)HWuH6(Z8A6rtZqL1d(kt}I>E&$sXj1hXSQ{N
zRktO7W^7|gbKLv2^Ux&O0RoX#g&|zdijuoCN785Ja&^b3!<#W&=P<&Gv>P5Eo{Dc$
zQq<pVbkI45zf<0ActwShZA=SoNg_K_BN{OQiuco)C*#+&Tjo5nO?w<0qyVCtQ%!al
z4KxvgLVnFm7Nh0XX*}BVuw6PcnE@^=7u>1@=cR0`_x1Nb)ff6>rB4S?SZL8{<Zs#<
zq*lKE$b!>Wb~v+VT61YXpu!~vQqx?w1M8!ea8SS0R9w{3%w9A~EyAGzYpOHRPHfGh
zuv?ZGH+QIzA|(<lPF~3X3I}Q~ePIv>TM~%aKcyulb#q?Heq}tFvUjpCz7uc~QH&|k
z=b$nsr7$;TvC{sVAxG9piLlw)yzSwuIe={t#Ycu$NoqXL9wkgUUb|udyX7xQqHVK{
zNZwhSg{z?hieb*XVvjKN`O}K=#G70E=_)>jn~)Q}QX{R4k1UZR9_VOocjB@(WpEHb
z4R$oNLo|l{+{Yil;2p2WUlLsQny(skG;*?puooTS{#j>$Kq*mK2iD0X6_-M{6m&;u
zxItHtik;R%Zu+rWMRP3@(wIYhuS&fZ7(%4iESSw#HfnmQp*3(!s)6Y(A6I%Fqc#U|
zYM0@;DnHEwlv^{<fz`VNrxzG56r$Lh0-ft_xQTaZ{r*uVbf{nE40TE3Ez_MG9uzfm
zGP@TQ4pVQB7+zw<+@15M{)>PM`Fcq4U_rcA$Q>!exdrgLgL+r^{jNUlA}HEKI9W?p
ztpzcETMQfkKIf%_2wAQ^G>ae$9OA`^<@o_<LT82r+fKexLfllphng9h7XJTFaaFKP
znvh#gq&UO)9ndwT(XLO!4O8mvY}!E}I6LqAy!xM?yoWGgH!DywDSUsJ^H(}GEhKIK
zDOUlnasR+Rm)(2(8R%ACs^cH#twJ8r1Odi%)<ie~q@R#XgE@(vH0w)cT4Isp3zt=G
zjKix%5flBVb&d-@#Or-Sa)IklSh&+A7Wh2+F<mOQ%K6IC8x!-5t=1XZl&quytZyiw
zcioJ(l*NVAA(TZ5;=r6?NlO-dQ<Q~8-2Yx6AVzo4JL@f)X$UUDJO%_J#p7;wQ32&7
zn|+b`1bcVK0DnP%dV5u=C~wo*?q_cj*pF1K1P=(+2$qMZ{>uH&5>PzP=H`39s?i%*
ztf>@BQ~zHJ;0r)!>wnJN8#ubkin{55dd;1TIt>$xJOVwEM+)eBDz&seo(C}Hnn`8p
zCz0zX0VEwy|IC5Hy~7El*-0cpZ-qsti3q1%1Mg5Cw}4kbQ`YK}#^4E|1P4FrI*(U9
z3k=|=Ls`nS%xfyZ%px9~F$_-Zrq1w<Y9oT&-3aO#P36nEkU%uorrBaarbqdpdp^<&
zP01&F$mP-+`RbybC)4}>VkZsM&w@8TF<<*oG9Wj_QPc;m1VM-Lz=~(_DT%1yRk<&>
zg2@_9qGAxQ+6X06ZoJnu2FTHaf6XIi11_avzoLo!xOv=o8_x(0$Y@(S+zGFpyj`FC
zL0Z%_ujH14<t!ZyaPvDpfw|SDOT6smcHocfGYwTz6zbV3Oaa_T^?iXWzTgl6IrPit
zE%H`fCHZwy;JbohYxY@sf8Bt;o^J>6yi(=Nz-dxWIf+Vj{3F{3bNnLZ%6N274dQY8
zY^htjEJV`_gHsQ~>p-*U9s0`cP8vO6X8l(4S<&61wI3>V?3=^q4TCH6nc#ukQ@{gu
znTKU(#|FM2bFqPpX;oRC_T@Kr=^uwc(RdZM2SqVGko_o~4RJGFIF7R$;@q*wh!au5
zYNYieQo*S&U<V@Kob#|bYo$v`>P1Z#M197(|9(9sgW2@1H?|YLDBbDLm#O7scf3if
zc3T}A3~*Mi>w`HtE3sC9{1u~;T-UiZLapS&W5+WJw2NdQ#IgpMCuy7<>ZF;pruzL$
z+a7i8k<}YF$C)u5D1;pq8@tlL9)p}yhD+eZv&0WDy}X$i-2nBXMR{xXxWb_wJ}fty
znlvM^9m9Uj9}6d*&P%k{5&z5!vG>62bCp5C+*X=lF{ni@AefCiN+Xz{Diq&>lp9Q7
zU^{l-NVa8B|L@XzQ2rlqaRNJbAB$uk);N_GKTP689IQ&_bdUd`mr=-;KgQ*co_}g@
zy8l78g3iWz#E?UrA)9Sl{XI|lzCUY17W?uUlqCKFnx;G5NqI65Pz@5h-xN^89d+n&
zbl8vFz6p`J%{J(}@`BHP-k<))#f5se^5AFfJaKbMaiyg0;Z~AEI}{S&F`LOzn7Q&%
z8B0YUMYmyjDncJTy_lzCRRkQf4dP}yiKqcL>>xB-U&|hgh-61noO|d2Tyh2mE-UIV
zQe5L8toD5(W3Bs2ihHnuxA}zws5cdY!mvzIeANC$I5AQinHWyqT{=3n#`G3G3vYIR
zsi@hMM#Ljhh)-?|Imr#BtQ8-fwB1Xoz6;6|24iOIw7N4jR3jWGd*qHx&)0Jq+>zE!
zbc~;Ao8HUya*?BFV=IRDv;gY*Z5@YV7%p)$FLF4+pac4czz4s5W<UcC+1DX$mXoqH
z*Nh)TB&tj*jld;pA6N#lItjvLadLN)VSbR7F4y(cJL50RV~XNiPdo4|!>gtOHv=gR
z{V2xM$Xejmi7)~3T7b%q`-sJ5t`y!*8+7^Kb+{2(M6Y`_)O{F}lxjPVuUtpUhP!DL
zl(Q*Nf;M~#?zuRDcfZ=?;n}|lJ}j;9Yb}hr5!m2WOGl`1<h=-+ZDi`0$)G6eCgR^1
zJN|d6MFXp$t43`_rcNSqeo@(l`%f;RfIxjx|M@NZYxPr2%Ta29dB^JsFuA+1)!8vC
z2yyh<#IXoCklxHmogl_Ld#3$Eoau*%!W$$>`}|6p%^SU;*?TKJXiXd7s~6%Sn;<g1
zP|Z3#$dOu3w9FISrtV4Pw7^)FCRC<Ns2@Q5rw}gMQL3EOa-1e4LHf7-%A|Re(e>L2
zR=V8><h6HgdlI1Cv`qJ~5`OI=iMh6>ez+3!*w39I0$mq3?cx*c{7Z7sZ?5{n7!t(8
zm)KC0L+e@2U2UlZJ(KPk^;W{ad?gj=(iOVT^!ls}nG%kOglgg=+n2Jp-D3o^Drtwx
z!|~kh0-3+0qx(5e&}f9mdV-FqcS6tyZnW)`YRLPudXK6q(QsIjSy9XD&-TreuX@Cg
zwO{>1L@l^ZyD_8h00#*Eco<(Jc}BFKQ+@NeSo{Cc>$E}o;@FvTK6jOwot#()qRE*_
zEPTmu*irko@>>aSh^JEZ!rUhBpFoS-A>phze+%XI#oX<$Wr+j2my2)Y)M(Nixv7%|
zb}lvv>EiEsBB74Uj^ITHCy>kBN+FzpwhzA}%Vq7~NBL>YoWv8aX<(bW4`9uV5IC!3
z(o<);GdA#B+BHFv0R|2k?4qWT&~+=)BT6?LMRJ;PO=4U=*-Qw}pF*rMQ0KY8P1Y3m
zFo9e!gbWlY8wSaYmOez%y@`LoZq<HQm{^0`ZPPc0;X@j!b4%WdNh_rk)K?|ILHaw}
z-vKA^rpdFimUhQj3Z0#!a|y0hjgY1DGD6+G9~7+i=Ub{F8^Ywek~c?^MsI`7o3kRs
zSs&_kbPr%<{E>ngil4paD#bU}9?cv*4DYD008>A9Z(c}Ee&hW<m5uIgjZwWP`{CbZ
z3kgXBALcZN^H5ANhrA+||CIxvwuz#b5IeduL+<btmZ$_WJIQ7Gai-6+U+t(s9R~u!
z1_A^iuBi^IOb9_lDl{h<Wy)ZQs;=3yfe3Wx0%Sy5+n9;rJ1{7<DKGnEa;%WP41m{9
z_6;A1KOnv{7WW9a&G~)@cU$YSE)#9F*=N@#SZ^6JI4caa?EkQy6+8ARSsLKK2c|!m
z2#aC$KfSZ$!tLYA%}cXGds!vi22{Hqjv8H8-JnZ@yFt+wFKm(=j@~mEE1X&ZGrm0F
zYVs9(PlQZPd&*_b$WImhSlo%cY7Iiv$#^P+%0!RseY>TpJ)aD{Y&QI$JplCCac62%
zC<%3w=QPj0vO*m!ln)sXFff%Hs481B=hd0IPSK1y=5dk`2u;!4j@zOKty#!}Lv30>
zH)$BH0#CduQP<DQ<|&_gmfkk4!m0TXHOefPkJ`S)hp$_gPOop8X7L1CLCD7&81^$V
zoZSaBGQeP_GyM8*!mb^fVI4rzg3c;$mFg;%=>$;LXkT0f`L$MC5P<qSZSOZcRdJM+
z4w5%%O;DZXIt~#|RCR@io*=^dp_I$Y&K41j@FnDIQWpj>0;+xXIqs|Q8GC%oL$9b0
z?RqbN%q~%ud|?7b3r11q`;<Ci2=Q5XnMb|I5`c0dK6<E%wAE-kigpOX8sG%ek0vb~
zxpGdVHZoA_JSX$Ai^n)8C^(LVcN?<yCGj}teyQ&O{|+SaZz?YfkxD?db#Cp`Y#X|n
z7(qc!yCr;5uJ*fl*U6}9ywrQ?kthhk^D)d=ZGS)3jc*l!;st1j%IFwys4~qBFeizb
znE?Mz0aPW-^X&7r_3&U1yNmi9sdpx-e;B5+?~~9o>IfPA!7#5(K-S7x3bduQiC|jp
zDd?18vF~?i6cUd>^i4tJJO6=tU!_lZqYj+U!Pho7J!Wdh6*wG&=US%CxXrR(LPl^o
z085;ui-$N5SE%1?40qYiaHvp*@OcMCql7vI5l6pZHUKSF2B7nQ0*?IzyOEAytaDF*
zrDdh)@IrS7xoT1HU;Fv)%#x(2aF?tvV5J#l)Hq&Fm+M0IjFZehO2p0cJExIN=*mpK
zv`ifL4aI`1uovZ|Cb>xGq1a1)tMGVfEk0Gyp(c;|Rx3*4n&{P~zj9~zD9X@JE#<h2
zJchy*%KT**jZQ^;3H%hE&SfNXbxp2RQ6j4D<;31r>bG)CO=t#_m5-@Z^6sOIvOJZa
zH?j}z{nRo>tzJMLlsiciem&V8#SZbVX=;yr;R@s0tuuAQITH`)Q0&OA)!EJ^Vr#IU
zRZJrvSoK<g1Dp2@C92RsA&MoC1q<kYcmDx85FY!wdS{NQANeT5%Ot0vBk)v<2{dJU
zHDd4jj=X6h-_*or>;#P9c9s~280w`7g<aapM}!?zqBImoM0ENE6;RELw|!UW0`E}o
zE`Z!QQiK$0{pZcjMq41GZH7Zrp2ZtuJtkc#+?qHao~5inB3uN2(|?Q{<9eWIDFWy;
z;QKV^-xksL`swPFl1#RkUn41?KY|<JhzKyJAiI~|@|QE?1sZB6Ln{96(R$NOJ<YN?
zzH-ged6xP;`{tRGAhA^_O2#Jdpm1y~+}6tOoL<;yfd&Y+1=A?EnJ=*99ompZRn_mr
zeGSVgK@)+5Et+V>7r~VMGJQLF5o#9Z2Jv?xPrhg=8Z4ykVV)#X&M~O?FEnqW0K3hj
zz<1M{ceN^DC0vC_>cSI*C_Wex_hN@#p-@K>Z}Z=-{2SSQD~QXp0X_Mv!escPPBBs@
zq<bws0Lk*}s;vHQO;nbKZ6sz<Eo+h+)qN4ulSEbo9zWZSJzn8-U6&2BTtkzUmvuFl
zn4=(KUUkWs8;J}`BDVGWa&-%HYQO*+{VYTOZ4RUl?kKKNc7=)BNr?>J=`Yz4Tw^@5
z)N<LMFk#eb&w$8r|4OArJIJ5bq=3Kl2ar~OFHo8MLc}oGN?vN|#=kK6EPjJd6e|*s
zU!bx!(*I}U8P0~r1%drSWm63U@EC70NG7!2_6YA4xasFmm=2QGNYOj8Ppy-fh;V)z
z;V7(21Hw*0f-T5*4RQ<R)^@DEL+%$vldN``8dEcBdN-+lC7W_?TVRGjgP)+FyDl|P
z=9r`(`S{pdI|C6@A#TYu?vY%Z?aS<i<^P(i_;WiRuGoo$e+$KFf&KO-Odq105V9<Y
zt#ZoHiw@nLw#$t#1IZBocH^hEpUrKmSGZ>NdPx&!kuLlYn9DabMB-To7x5vc4%ta0
z4&VO$KczxdK{-9(5}+V|TY4i_CG1BP_n$ziy56nYO&4VHy|{@KG%S7+Li?^WK58dW
z@hR;|9wD^<1Prx8fu?i@9@7{=2DBCfC8Ptw|K(Ev`-uQ^0e_=O31vn8*weZ>Bb3`q
zS_Xq3<tNSE!<AT_ns_gZt-SOtmN=vOK)(vzbT-E%x0mSo{PUSw$ql(Ia#0hns=Ahq
z>-x?NJ|34SSH)3=adLo8=u-8-jUmAoNh8X>)5|J|z5h&IpDd3lvwT#zMJYM3UR0Hp
z#>{KrF?l2LB+>gUR6Jhv#ieYTr&qc%rn-6~@`3Ey-SQ=m724OAgn4U>2Spx~$T8E@
zS390{0B91n&Vrgdkr?j6VmJ>SSNx9O&&ns7)xdjyRg^ybQI3vw_TtqrRYyq8cfU}c
zmvt?(Nw;VCG(}7hiG}x2CYILLJn8S0%l|C{pBHMJk_}`aTao;w@fFG7w6sF%pl*8>
z@06S?8e(o8)pQPg9reD4HtkuoQGD#?n+|^6K!-x&OEp7!k`tHt`s?sMXw+x+SdUZ8
zJRFsw&D)TU3sO<T%10Y7_=HNd(i~lc1@v4$bdAD-A7#;=x3y1?6lF40ECZSudL!0$
zY^q4uhC^8BSEzF2(WVe@NRO`gZPM{<oH%?9a?nH1EV(jEo=NIO=UzGVj>rCc!e&0H
zyBZo<otAqGv`zce<`EESc@>Jruk=ce-$jI=MG0~2HJw(p^^4W-_Ec+|b;SYHd1RrN
z#CiyZ?9@0k&;>U}=K4>AWIR>wvtEQe^tR})`d(Z@ZDf`w${1dihC#C81YZ^3_jB;d
m-~w>yV0}WrcTx1h@{&x@)E$$T@^!eF%PsG5xg8sr3I?`;rtM<@

literal 10324
zcmV-aD67{BB>?tKRTH`rAqxYc;b%!iwIvO%uT-H!vd3K5veDzI{EpwNRAUmVPyni{
zhrDV)<%1pTfE^<qVUfprSK>jm0I$@2FilGlwA{2s;ILR{yt0|+v2$@)kqDSP++1=8
z+2z;8vnRD!kx(ISZT|#_#SA2zy5bXOB1<`5FIY8JCWP(_HVZB)^J6=g>>85g<#y}3
z{lz_(NRy<S_l}JB2bFMt$dVn{tYMU~&0Ze9z7!@;$84WQudLBAFTNX|{@F#*RAfiX
zu2BRo2hO7E1Zz{AoDXzh9Wkc)D1hZe#@dSu`4XJbQ0rt%N5oN2Wv5KBx`l-zYS$g7
zJ!i%Ntuu<@)hqyy<iP+d=ze*gwaY{UWQ88zcM2GTMvsdnM~mO%sk1p9C=dbd%J;Wk
zAKB0WjVw)5R<i#jY}h;vNz1Om8gA!NY?QMG$LEx%hI{`NwWBN~P1dsa(7Kv15czB1
zzOs|B_=yoBhX4ahlf<Pg@nkcsN@n6L-aS2vQ%qO7x-6tPxkI4}2%nwZ9yBUKZhD=-
zQu;)ztc!gHJv~riu3R9kvCElJ<gwULC3IV+Hm>5C1^mchPwbUHA<gfbc3H#mEVi$G
zYskz1%7{oRziBP&=!mDJzTnpFv`oh}uk7cBq~#!lP15O;#5H)Xb7pK{qXsJwvECT~
zpDSn7>d-9&A|)rPDp<}TL6uLi>ycKq+vg9|5jo=$(xyIVGF;a9{`ycPMS6NTFf@Y8
z8#b1JvN74@+7eBIhzwtuIY59vXt=%AMo0jqxa^XEG35qo;1U@UXP`$oaw^r37{iP-
zCZz)Ze0))r*LFB8M-aTe(qp5>bSpGzZJau=r#*tiUgV8fEw}|c<<rLp><m;EOxw#=
ze8^9Y8N_gM{SS52YW|9}jLB7(Xrd7k^ZOTX`lvbycBAH91}|dW%0evx=M3wNp#W=T
zrPjlTc?bS5f^UrVqSse_Q;w_4kN;Um8sFHRBN{9|^VDISZIFv`oWPM*myQ4#*~tNH
zh^EgihuD@;4+OB3G#B@W&%ObZW7u*(J|huE3^^It{EJWKD=wZc&rA|M$-KSp+^2?r
zk?ao~<uYy#D{>)o7bmv>L4irU_$C_?-u)XQpMh#<&f|kg5=sm>ZE(O)*692zHLemF
z(I=_t*nT=~TC6;lmg>lk&mJB3cUpCh3or)V#&w=)Hz8{U8kNbSeLgem&a`&vyQ=QW
z4t?NL@tS7tP-rYJDVf60MV%23Rc6iC@2dooaS*2F`CJyufFz_RS*eLD`W$Pb&<g+;
zMqJJ}h92ZIIaThHoXbtV|31>c;@EX*wRqQ>nQ_8gT07LFL2c=(awW(70%e#V6ZSsq
z$}0dWo^-!a($1BIgblIt^0gEM5wQyB(vPky*~?_rYjTL1DOyeElusZmw?Wpm88k$o
z{TnRp(`TMHKvJkNDTryVHVgbEFsH*A*V6`wGR}^d#PaE(mLN)@AYuUoyKF$BWclVe
ztNotDic#9DvqNs_$ptW`LYK%9u_np<V;Qg0S_^LCZ&`V7q>;sX`Wix$**9+(4D8pp
zUZkNX%Lss8cIM)1ZB7pE#-Ws+BlbL?9L4ojK$ra}9{4)z(jjUEF;1?S^+#FjnMda6
zA5Jy8T8`}BAYx><aa%_<|9uLf8F4-lSt?zHnWexWU^n~*tX|`K>z4HoOQ9~-cUe;q
zL+Ds{IL3G}ZjiTBNnuyo!H+2V&!eWKomwbn|G?XM^j5D2V8(ZPrg9xW3Uq91-U`{d
zR5g$b5h{ykPGVT3s<kcnqBfpaU_DN4?&e2P7#%>ctP#0a&$xbySB%dxl>xl>?GX9I
zo0JrMVgNU$r_vP}s|%@?=&yA6;Vt6)W-QBv<$~gf$jfz}a+)om9{G7eYR6M?8Y*Bn
zCn{5$UvLwrcv)G9SFVcaJoXr-CWqRtAIh)P4}FjcUd%X5>nVI2akP!)S21-DMpm2i
z%M2qC`T9u`bGjX-TLCxpyuAK``YMJKJ3<r+f4sxW#5M`G@w+5HZZt(%iF6o^1K8In
zq=``Yr%Id)pEI^hkB;6@2E4BuNI^@v*9Q5lM=TmZZ^?v~Z&hF!)A*8Ef#)QcZN2(~
zdk(iXwyrrIc~AK8XJwDl@*D=QkxnsN66o$Lft5l8*|@QZB3zRyX$0_Snc3De&#E*T
zv}u&TZt^EH%e0-EzP*b)!DifBvuDO4TQ2Lixa)j6#|=I^-P_PQX6R>@V)$1%sze)E
zrLVCz<zKhf?!K883>kk1TDhkHOh!q0f|>ZZpo=wnT{+|4fvJEYm=zzqtn&J+v=+aF
z$sT@zZ?dm~+5CMh(16=~6GmGZB1_*ayf8>vo=R(5u2+-1puT66Rz@rV9%>!G*dci1
z#F}{a1L7k5ja%y&M_d`_ie`$zV7%#hOo2#QCa0FxEJO7xKAR7Y&5DFWFEtznzi5i=
zhe89FG3|yN9Uq;a?TuKDMma@9aKC_+zy91%DFbeDulX!hv=W9B2SK{sYz$BgL<f2N
zVS{Vr@+qa|7f#s9-2;)+@_5k9UASGg&x3(aWKUkQ2(>DlO*B^X9FMV(<7%5$nf7u`
z{sQw?vMGFqN+LPmwRxCp@AP?Ooa(qiyKL)Vi|C<sLvE1&Rf*>8m%#%{`2^~gOkKOh
zlIBT`y`4Ei(dWkX(b+OtaT~3V#3dn3O@~{#T4OQoB6@tvrM3U`qI6&N&4Ei%e~r$q
zwHFA+5ZYp8Xq-CqTH26X<uH5{vLoXm+X+woN{@&15vFhv4<X?cDBZS@pe&`$K09v7
zx>d)^1P9e9KI>Yy2`NCEm|P-AcR|Zq!+bZCI-0Ak7<>^i&TSvQg>j-T99@%F>7kui
zFMFfW?Av|p{2gza{Z#Azm+?9p!4YkceSrB9+)C?`c-`^KyOkMryJTTLVh}xmOPMwX
zRSnJipS!6oW-11dn*>^U9gkDr0lHnk;&WkA>Dp)AH4HnoMEm3c2q<>f&hZ&xR2~Tl
zNN|R#lncdM3$#MJ(rC^JV<CKsn3i;NqZHcWpWb*AJs%@BAVYI-?$kY-{D>L-#GBVH
zS!)4@uV*lqtyu|)9Wf)oNNftSFeK>C6sxN_xY>jW!3CLd+T7EDkp<T6(LCdf^h9{P
zAPo56h48`>bb_ces38x@3HUem0h&+*J%k0x((CGcU`Pc>!ZYtCUOx%%F;aMM7B6yu
zz|YGL2&{B2jdQ`bbmUv|y~9Hnha`d6er%w%cL6+UxIQhLyYtXg1mJsLN6IYDd+Dss
znKv+U^$-0{abY$Hl>W7kmF-dXhS|k7@&31zTP$5D)Q70&>RQyW1_>G)Fv<uS{V{!3
z_io~DPl1DfO0E3V;fOujO}h=dGxIg?HE3KoJRpSC^<IF58@ANQxjPYkY6O-Xf+NBo
zvD)z(r{we;6R>>3kJ<V=8O`rawLc1rw<bTk8UnT4{tpDS<H<s$Qu*MVISaZW&p?i)
zM`=+&B|QxiO=uvG0(3zNy8{@hQnc|=GY2#&JP}(Pwhoe31eWCo8=w?GvOF=T8xUgp
zibKA}4d4LXJ8Ot{##`cOoTIRmFH9)M7M?Ouwq#xs;D^|tdretO9%M@Kx+}%THBUjI
zTDgLLfLw!#S?k`lw8QTM*6UaHIPxkBNBa7`c1RFtDXJR>6KNcg5Qu45BrFI@^2r+N
z`hsgBPlv6^J*NPvLSD<@{jSW&C>1J@@uK_m;leOwbhp98<0C6;tccJ=@^oXRpI<tw
zZ8$lI1+D#8W86do+(IsFjO&YC-N^_eS8RLu-D*B$xqWO3mG(QCF))s@0pO1!%eBBh
z89RDAPI<(s(-`&}#@Kmh#PH?D0DZiL;W{kLgb7(j1!5@Dg=vPls!+Nvd+m||3jU{A
z^vl}YjOr9ul&Y`MHw^4W@fkInu+sPNo;9^l<-$lR`X=0bnTAp_-Ig1+*bL2xdU=y)
zO|_0FG8qhVwZwz+Fu;>TBZj<CTK9w4wHsXHq^@zjSwxQN>eX5e{KzMX_&M>u6k?CW
z#a5h(N?y*F?I9oa9M-~;e6Om*M%`#xsCXY819S1~FmNrK2M91W65#mUc20+1zul0h
zwoA0NljK!5ZI`ZESd+2q5%K=)iM&I~h{U-7C4J=-Qj>ZgXgY@z@qC>-p{M1b&7wbc
z@X&`4HLA~7f5wW6AgWc+Vwa+hizr8ZdE3jLX<^3T>{4yXCv149@0}Q5wwtWI%!W#3
znX1=}2WYo2d)tl8TqQ+;paQ`XSUT6v<R2jqnmR!25*@I%4+vW|d_2Q(GTHV3{}bzn
zz=ahH^mGOW4SMMMsgbPk2uE`z=~jn8s#)=_rW(~jO~b2ewbXfi$e+w!f_??a2P>Ov
z(C^l6w#}mX?7x%*MYTYuIFp|$!OcK;1)kGV)le#={pIf3GZTh+5Lw{F`Zd~_Sg?3H
z84P^z^($g{X+&ZJB<#L6KmbnGTseuNk)Y=uf?cqzEVMy+G5g5&uO)(Csmrg3&fpkJ
zDN;xtk<}+-LyZd3E5<yJwQ7Myf&4~acB1dgH?!-v`{#9|)9c4rSGQg-wF=cB{89Uf
z1K6tt^?_ZKk=Fj4MC_+nNpw1cvzGIGz`pH(!IO4;sD<?_Ly2Nwi2M}{z2fEHSnn&e
zd`ZicBZ#G3BiF?;XsWnYV6x#c>3yH_C9+^oO@Wn3Sf8PNU{n(EVei7<-4hi)|9XX+
zx_}lA6<Cm2W6U3&Lj|JtxK1Y6xSQ<;YwDoGHme<N(Eb!k6rE9JW)LsDre$~1s)6kH
zAIfxVK#uyV1<6kBX{dML%j?krhnz<En6-x5Qk_vc2nGfCh!30h2l@91AuQFSvFI#>
z7D?g99`x*9Bd_by9W?ekHydB`?S+QR3xAm86j!xnYQ92ci(AAwJ4^Sum*PhvvmV4_
zHkX9{-<4S4fWG$ydc)UIApr$5q5`etQJgM6&Z25}Cx+2P<?}Jtvv9b=?2muE8WUr|
z*!~;%_9@)>dY&7?et`<{^-WrRrd^j46$;giB?KXz8etupsqe;h*28n)IYvGP!y9(;
z=0d<KXhz265mhjcABx_(F*@*35dyqRiPqPRLfArK|Jh8!5=LEjHSviVlo(T#wC(#7
z5eENsP0t&<_pro};<dT%R*r#qkBR<NK#Fw)Q>n}Rrk?O~joak~NL4bLJ9yPDf{&{d
zy#!}GXXj-F2j^RWtM(1vw6{C!<W1$tZ04Km(u7Ap*99D91R|waFXf@g@&z1pPF`FE
zRKKiAZsn=TM;YdOh;j@>BjQE~E-a%bo|`H=VPg_N!Avx)LNdN;yTkks-EAY{@UfNd
z{Dl*8Nd-!Bd$#n$Ol;)TB?gxClJbZ|UIq>I&^2t#f=g#pv<Vd)$Yy@ZPj6QCu^+bN
zs7LWJUt3Kmr8Rp~ah%bKkX)2Tcb`Wtz-I3f<DL+)lM{&$sD$^Ii!yuA5&`hv>|D*6
z&S)f>^sl#<)H&c|Q*gu`W#S*ZL{NZeSO~DHac=t%vxis7Dy!i5*JRY2n|M|?`D27o
zlBgAXx@+{i6@1r{&s6|o$SgcqAN8PfCKpYk{yUPW*`@H9CywtmKt*NNOJogV(OXG|
zjl`PP(!Q!?9IIfi+U%Qnm6Yzh_o<;&3L{Fb5K~SzwH}y~eu7ZqKtOdO5tr%mak4RA
z_lfLa)@pt9avjz>+b@pJ40G5Lh;vq4Z50BuM2Pad&p=RC<>;=09I>8nTWjDWbaeP{
z8egKz^~d{Od>R!iGhrCGA<HI(#;L&x$aCfvFD7>zqAkJ7rHqyUucdZ->pn4wg8yGi
z9JIJdJuFPzk0)&_4kdbvnsrJ8sXko)Nzii>i566ptf8x-p?L0R55j)s9jN(z;Pbel
z`RZ6*PRYzsFy>pGs!i1R<K635+Y?_O`21!05tQXR1p>RNos*jqIoB8%KknCOAF2rd
zA*m`LZ*FXql?gsVltox#5sEjzwJE|fmFc`EGHIsA3fC68tx^(1TAA*j@nD`!vs5~0
z_Io%mQajV#R@Os}3td>2KlG@hSthpH|ItRrY42<U#j&W)GU%xsQLEzGBgC3$;yxBM
zN5cU~U$QYMr>^DM3Pz_W%6lTrcRW@Q*Fb&^(z57;^6}0<`2<V1=hi>GW3vLbjGhBY
zgR9OXL58ew!HG4h#&AQ$hlBOBa^Hbd+%W=y8`$i%7+HXy+B{EPPrH^M{FAbrTm*6@
zGPt(UTG0#>oRkWt(=1xQ>)$ht)OoM=L%~iJnKYnzf^WJPesGxtYr@n?W7Q5}#kit|
zO<8qV%i#C3N19QM&)Yl=JSVAWTXB8u#s6V6f_)YM67xS$*p{+lD?F?HNnYZq6Y3-q
z#q-x2S{R@V-+BrK6n}Zt9?DLgHiP))12b5VVpG5UMTU;z)CK7KPr4%iO)qqQQ)0*<
zLDhH0nlUX7u@0?JkX7gR<F@*TtCb4b1QqYXqk|u98%?Up!w}MMc8?$!_+I8M?b1I`
z&6dj0GZk_JPycVrQm3oCb^a_av$1lspH(bmG{=sVMIPo_g6ffTS?9aV<uu(~u|ca`
zqKMRmdSok|y997^obdv7a{v6Gt_o{(?xK{;OxsK6rP4ncP*aMCpnWkCqCz7WA7CYq
zM)PECG@SWhn#x74P2l|3V&F%m)bTn4M&gQK_sqyn0AgF#sr$rJS1Cn2GkVeH(cxW4
zWwDn?hp>90H>IdMhfj>v?Ky?cAXGsOygg;uMaZ(cj4T3*h-RvZx0=0z)2eUYQN;20
zF1F=>se(b{#j6^fb@VTqnx#^su)eBIxS+q9EPEXC#z-2BWlDvQSw@#I!H%lce5X>t
z{|~e4wKDlme|NPrQgg82xD8pvOwt={`c%On%1LUq-T0zqqmrX*HOHni6$tY-&^L?>
ziRf4oot2%o<sfwwUHD<BQxang_UY};)9p4v6sW!~-TW7$_hY8HcjA2n8YM8H0Z2qG
zs|$>CwRv<ar5h<=+Mnil(Cu2Q-~9Vb3yh$e`+3&n>-SF22ku26&Xu1UEPhR^9t`e1
zzU(hb+{GiPulhg}F~sLykSU5<rB0nCo!%oKCKDwpZ--7H2XBB95sy!|E~@+RQ8b9%
zc5%m(_;m#63Sq}`*&Sl;A30@=P(oXb4pNq^wf%}-oa?`#zh<nO@NB}VYsCyvF|&gG
z*9P6!R|r4E5in)v%Iu`=X(#l8WmTk!DyV2~c(F-#IBx-Q*p=biB1&&U1CsWilsgyP
z8J=!><|IlEYo`~%zuR4E*FRGnz;g*`s_|KBQ|lenV=W=>U9jP>77rppj1@!|u8Y)v
zP6H4<Lo%9Tv!BK2SQ+Ni59ymr7L+c{!{x$*%R({WmEjNCwNV>kW9`LMMPd5nxKLBX
z&KiFBU=0!m0_uGuEOBD-dygX$x75@FD2{G&#X3N<DG*23-Jfeuay!W>_{{R4-(wew
zK?53ea3`-L3*c7VeX#mGimL65R?aWVPbp9htDQ2%CF(A#DsbpC9T`hQMjewd7ZceA
zkGTL>BI~W~{;A{fo)%(&)a^2H1Zr;|XcEM2BiPjh>D0XSB@7Wv2K7Aq4MEZ_w3qXu
zQKK%?q3ouUwS!9A8}~5fJ!wJ*h7b{Uu({be+HD=tZO*g1cMLqrnQ_DNixWoU+bCrS
zD#re~oxPfsDj!$zcdbeek|xDVBZ02a1VnjMNL2<w)*rf#IU#TV1)bt$5f4{kt-5zc
ztc8_*609mfVHbY+;TU7X$$sM+II+!+Ye+1s46NzFl5kQz6vqZL>b;FoGdDn-1@UUC
zzuQ#2sOr{WyI+g=Qc&c5E(*S(g-#z-Yo;cM=hB}UuM4=EV5JKwTIw9&R_op~vYR}=
zu4m1aeAHjO3q&N$utusZsYqlKWPFK0jo2c6r^t%X0WkEN4Dz*&M%~t}UYP}Wq68a{
zwT%OD^_@J$Z<HssheWQJwQ|cMu=L^bzqQYVk<MiEq7P0p<s`7p3E;Qi0-q0JkiLfY
z11J2WNfEt3!(2rqGNAE-{u6GcEHnIn1hMJRDg7I0&99w+rt@E$Obskv2%_QHbQE;n
za9(J$h3ci#36X!O2=Cu=+zcv17FUS;1H?FaMJl`CZ}wG}*DI~_qLO-;&^XJSbGXOi
zC+=0G2Ty1uw*^O0LHmummTU$v<=UULgdHd4y}Q<lQg=L7oa)KZzQ8!%igY*61wEld
zAKMtv!%W+Uy}ANL5-Nt5CLXusN%U?y>pUN~35&JHB<_;?K49jRzQwTx43316b8Se;
zD9-npU!QIA82QbWd<v>x0VcTFJ)>PuUFK{1l(C@~>{00ke`BGwr-!L1mkWRXMUEhY
z)=FuePs-w5J@oU{s8Q^B{`-t_rGp^Xy~vT%B}dw@`Q|c%@9@YHsTIneX>lHl71gl+
z92I=UAY}IMpvoU4MC)@q6Fl)Ly{@tO+Wf7?shjXz?W9sGIr1cIQ^dSYW*q?6_fEVY
z8evZVD(i1h=J2nAFtuMp1&NH~D-%R@ced5g6Y-&&3AS*OdXYt3LlyV;=wIO41_gs=
z430Zj)x&B~GSmA&8(yZpOR#j$?I!$1G+p(D3P%St_Ub7xnxq5g<4{~H7ySi3{pVk9
z9;|>^l1J}j@@&i*PuLjD*+)~W?>6o~#@7_n#N%v1o629B3{zV*Znz_zXZ-h^KsSAM
zV-f9or)$&03X{a!2|0_iv~3mZA_Ouc=J=WgudZTgCpSqUKWv+4k#V`hLr&cywBsd|
zOsI-kOJij`5%vcU>-4NQn2h4*r%7R1Z~Cp%<K#9KQ8`g<H8rVbcDmM2O(g1Wau_w7
z53G*s+CH4ZLw0M12YU%v(Y6%eXN)kd5!Vn>&08%M5t&&YDRXIr5WH6psRfBuemQe=
zHPi26K;l}o8>bzB0sgtdgXAyns9jmsn$6|#(j|9&D|kfpmHbM7wK*x+_MJ9R#}EU<
z=KoTI3Ro!Gm6)RKF1vofQej|+6+vX)32I_gLbb1gC8jd#mmY<gxTdf7HzG=mb5-PY
zE(cW&jN)xFi$op5wyJ=oYljL?EJL%0$-rIUfD1!H)a(8f7zZ1Ma@NfXj&4GZ`v$%}
z<#0mjc#jZ}XSQvj*zo`5nyxHCxklE$4~4k(UyCP~u4s`L7Vw<6ZWTA!v#Y5sM#F`2
zZ)Mxu4qCvr`CFTE%>=X>t7+{0i8EM|i_TMHM+qPVY_-0jw<^ga_Bli6cBDn9|LxH}
zwZzNb&Au`$vDfn{c(W$&YNtOim1X7H&ajL@Usa7(AQ!S}WW^3^9ZcWti3Mqo3YpjE
zimQ;5@gBz9>%GuZ_3g)n5l_l>HqDtKbe+UFKpc#9P*zH$kMM!~I<ZSf(fr>7y_sMK
ze_Ef9#b7LwOi?Jlw|kh)blWlr-dn3y07VHyex}0}o(3m}x=HC?POSafdx(15M9WoZ
zWRQn3a%9;aY=3iL9Bn`@j!(Gt6BPBdwXz;)#+5ua+JIh8^o=jIAskwh7;tq4$xF~N
zAD4A0(L)JYUIGh(OMy<5&ghXZOK;XWB_m`Dd;N3~tO9A%18j?9zz{>%b`~98A=BXR
zVSRu>*<9ln`{DkTpntnp(Y_i{Sxd*FR9!rc-zlT8Pa4|HFJ0);>3t5AmexI9gb9~B
z5L!Epf*F;03ZiS`SpQDR%_ELVE{xQlp$2W6>zDf>jaMTut|S4GO!G^%35P$KS?&5n
z`)lW?Mqg{;7!H2BAO0=t01)PzZ9@KnIqR@??!A2;v2h|(gr#1BxE8ZofCl=>-`Dky
z@rpOU3#&IjV(ltuJuNUpYiUnv$M#MPW|mqB-yd6>nCwg2McMIdH++~Pt1d-9Ro+pZ
zY)(tym|c!YsbfWl=C(R(7~j^mCnKXYc{K;#_&z)CPi+RWFBFc9mvePkSQW=~@zUqA
z9(F-AZ@LdFlq_%rZd&%jLD8Z1-l$#}H%N|Mi}8cC3gCqPSLz(=AOLSu9|(2#D*&yV
zE0E57)~wkn#P{(1qZj!4C01@~=s?AQ>qB6|wB1K4g1FtZz*a9qN~8aM@9E4(A|azR
zod~z>P2S9j-GPFL0gP{XxgaPY&(A<G?;sq}odais(mS4jupaK*stjmta8R6G5MkzR
zYngE`jerq%D0d)Evc`<_Nm+cuaGbj<FEt#dAqX}Fr3*M`zKlbY*&@3v<4qGLfM5A)
z@&?b_5VxD309so|a&P9tO5P2_&ELrLV=2<p8Ct2@#UAb!;AYr^#3GH%&tOrqrdqQw
zj#YACw_Q6F3jkzK)oL_cy$32wb7$3@E+$8lG&dKYQg<q;pKZcE@9-I8a8a2(zn%+V
zNnb15nZ_5E;j7Dslh<Mz_qMZ)KfuJ(e@;>9wq;*&d&P1mUxm9Ry)KxoeZR`Pg4cXO
zXg&h7HI&xvHH+seUZp|<xc-rcIoB){qMcFFpcFRmLA$3poXB$=_qp=T&@0Su;3R3p
zr5KFhD}jP_Ab_^@J;QZI{K~hm6J-72m{V5FgJ<BHiSiVvoTbC})u~dHMip{y-TeG8
z<Mqvl!~aVue$|{C{LB@d(@lU_;;h`KE1B>>7?9g8yGw7StdMQmIph8AhdBj=&Bi5B
z)_N7lMXbID909jxu{C_F9bxIi6pM39SNOUyncqj|&j5NfH3iVE1&-zyrrwg(KGiC#
zz}0GBwj03yr=_er2%P*>wl}@<5`9$~^UOcP^%jhj;@%uHyLRm>&ytzmm+r0~;V`Lv
zwvb(*p7LHfrClUI7c)WM&=?i~hHXJeo|mg{hHa$EG+(1Y5zZ%Je7=;&{Ii+*q&O2K
zAVuDwSr>*j2}dXGM&<q`h$&60`l}5GT}t|OJnYAlI!DN$Fg7H6-Bh0JtegImA0KeW
zj%wOkEVgDAoYe}}6^$%*=6v~EEXqTk^Y>NWmgR1VIM`W?P2+4`%+*LyHY4`5!Ml(P
zOa|Kc{ph`~2;q*<toouI_cyNlfD3Zz{<2FwLt8*5TH9VSqgPa`gH2Nf3k=Okq5G9q
zEC&;o@zWt}0gbKLD0_cvUG>;1+eyX&*@3yHhXKhO$Nz8ec(dk;SAB^a$C3dN=)V^Z
z;jqWQSs*bVtWYx|8aX|aT4|jl=Ad}jGrmfDhPS5i3%d-`jYe{tn5Q2LadmSOHtzXl
zqL6REcucVki9~jPPG}D_ky;>gm*&3#(I9T#PAeQM*k{^sKhXgK=0KOWT}Mrvo!B|E
z7eWE|XDxb<qBk3|MkvjWEqrfW;IGx&T?4_yA%~qb5w|HEtX=3yOn06xCB*Ro53kOg
z-w>&3xVf3>tAWq_MTcY7y{`X4`Sz0HEnYk;Qm~UgAdfOzlJKB4<826%v?9lNcjb@y
zQrd9K8O4LjZ~jO@p3_^WBtM1dAX5|Dio$)6yxH_GO<{4f*Wwe3t!AIl;~ZVV?gFQm
z*^|R+dW9eb25T5>nZ&{#5uQM6GkOj<=NJVZs{5APAxnKI3X(9Qzfxk8ySO%soMD|5
z0_SrJQuH=#g#U;?INOn2NSMPjr*9P4@=(+m4#$7l(HAe}X$uAR7>(^{g-`fLCbm!0
z)w<0;9jZ2fP~ES}EL<4$ZBaKZX#eJkK2?v*`;=@LM^j-OK!DaqCz@s!p^0>$`RQln
zN5Wq^Cd;jq*AWKI8A^M9r-dL{5Y~V~8;X3a2v9~@)&TpF!f1lO94H`oDOTU~cM%_9
zyW^J&Xn4C!!BblEO}0Zy(YZHo;Iv){UoJW>^qGmsXw+SQorMcc-97sy9o+e)?^p>#
zHgn1sW%?%17ko})h-6*p^z$P~dg|jmf3hdz6CP;74gluXP|qLY2%J{rU-f<BojpOI
za-C8XZo=*=vn)4pdSV}^!v~!kg1-$q{j3Y9|Ex!&+5R#ZaVCZrdx;m6GRPm&n3|M%
z(O9aVt+X+KT5Oj(gT=iC>Yt|za57*o@@`7AtQc4MTnOxB9JG3=x+jP%U8M7kYzWvu
z_~UkeJpDny>5p}5+R!QxLHLiZ`48t&Jy7-i?un#TPcF|k!QSn#5OH5#H}cTkx@D&1
zDvRiE`X4A_Jr6n~T(&h<W;F2I3W@{pgp9e|D(2T2AP&~gA_odCEAST0SaJLcy|L03
zLREAFf2*n!sfyBEgZ3+k74D(9|C&|%4ueYuRb&vin@wZi;}<m+58+?v3z*Lj`|R@f
zKh)68eN8v^ftY|vXvlNt{^8~KuvyI+E8ftB`<@dCcor6#zE=LvHTr*J^-!@q+PA_Q
z<YY;OJEt_fDg7$Mv1Tk@(E2sR{tqyrO}d3fNjKaf$%jNLVK*Duc;!NHlP}Wp<761{
zGN6l{K^j*jcqsJA`*#?1<er5cvIrXy{@E7c5CZkhOZ9JGq#5c5DS7g=%Eu=$9lJ7N
zdrC!U*abkt=j>~dWD>(aJ(4uaCu$1{4q^S~QEFG$tf_Py>3u;Q#3<5zK9iyGc>-Io
z+i_r4(!v&HsdpaOY96)kJ&;02)|<)1WA4#nwv&W$vfUZyxWPlrdp#p+J*NLPE`1i*
zmoPJeq*gAsj${eyPuu)vsCGi}=-d&}p_Qlb-gk9+uRT3LNGi<N3FKaJb4eGMxr&R1
zZ1Md(r5!2rc9m)QumKJh6%mb^`h#`{7}Y@SSRmH8RN*KAqNXS@+M&@&6D`|SUM>_)
z-~UdeiKt4n;ro`?JC!y{Mr@o(5!WmrU)Cy@IU63XtHCL`e|vNGWnbN(-QbsSv^r|}
z?5l=PR%dHluZYb&NESC<B=;Lb10Wwog1ueu_=R@Yv59!00x7EK^DHR68+0sp^Nh$S
z$!HQl4l7xoS+}MbQ1GUc+I(wt$DqZ$5l&U?hRi=%&0DX(ig_<uPM#fK+1bB$LD*c9
zItE<6QE_~w(NE}d&r~8j?;GJGYQ|`P$RCJ{@PzSYjyN7fKK?({!A=EWgd(a-)|c8}
z3|=?tP9(Is{apKuoZIEafsua4grg7R1LP;mRR8YlSI6VB%TX@z8C;hDBsJ02h;aml
z*a8^T!jZh$$(f2IXB}6<9GX`#ZdQlUVPYFH2S0FJE{iznzDpcdnh++~opKHw%T8w{
z{#)k4nvThTDo(tmxGgsKhB!QThF4+$+=l7uXyim?Fb<%5>EZA$2OC(yl>cer<muXp
zR^6C%gS+-i@%Ubn>?DlerD8b1y~~g?^cA?$$ABR|RA?ls^T*j5feH2h;fW?Ir?jHY
z2&}wMO~9CN@{2|$Kr!gVQlw8$h=WIaGs2k&8AIc3=!VB{H>(&6$|1#(P2d;ovg9kv
z<#Z$^vDNOrU<wFg5_>kztxEOK3(7>*^T(u?DT@e)OmiW4?OnNPYo0Ry%AvmMJ3mQ4
zm6x4k6s}m_fyf%{=T*xiQ)O$$3HPpK9*<C#D}Os5LSJtNeCE&h*#p>9l3IAv{`+%|
z<xwH7Wp3DNLmUcH4S*!43fNW+UCd0cV8<^c_(Df`STIsTH->C_nj|jc=F~BmgB<-Y
z4nsOX1zz%mm&%*X*{U6u2M9~Ug<dzlHaQ=e=Y<yfZ>^nO%Ax67PqsAuqlt)0o$z8&
mK3--${Xpd4G}gDTKb_+1J7x++s{v~1H0yUednU0B1m~l%u>!6D


From a093a266fc4d856a50d69bee98a50357a0997995 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Mon, 26 Sep 2022 20:38:07 +0000
Subject: [PATCH 35/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index ae54fc9c36b4ea27d099b07b4798d7cd0f7ffa45..80517e0a91ac28e439521502ede5f23e5a292342 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTIzH96*5Hpyk?UryLpP{LBn4F@?F7;5Yi7@@gVQW4scoPyni{
zhrICr`rj}%-L7PoaP<g5&Rx)2w^csJOW}piLADn^>cT>oc!}3TG_9yF;_<569iTch
zgo?(e{!AU1g*}u^_N+v#I@{(-Q2&^NY!pzyhHESSzPhJ6<;+pnCvhiS9hWV)TD^nn
ziMzJy)9qn<d?7=a^0FWN7VWXxla^F@A`4Od7TTtxrDSe{SAh3=+G}tr<X6ilK8iqK
ztPM%1VtY2Z3%iNWCZll<DI=}L_|%S~(zLEvW%e%BclE%Oq|{b%E*U9&nbp*UvuyU)
z?&qA+%X9ypVCF0|%it5*#lLr@h%dxb!$Bxr7kg_8rf9hdZ*SiLhKAu{@G0Bmn-0VW
zJ)j8o029F{Vg(mg?P7sVgV;fAHoFXj)P)X8-qt!Xdd6b3PJrxH<TGt{CRb?!$}i+%
z_1t2bSVqXD#O82D^pfDJ8HBbv-p5TCTeJ_HZ~~vak4nO=V%V$9ZzJq}=|AvAnQfo*
zR-6j!8`l3O9hiC9?7cl0z)3ZaMv~keVNNiqbuEQ1E`^XV<gIOwU5Bc83OW`9A`@^1
zNQPk%NV|T2RDqf%?ncw)QQGAZpHFkTDoUMN2viM=yb`a`H>y;6@<dsk3h5AQj|x}a
zmyb1Tmm1}2I7?sfT#HD9?#Ja*`f+U7DTk@h*krmugc%_huN~8W-z&GZztd%1p<M$@
zo9&^0r!aj04xc3IAKvF8VznWf<K$**H&dy;&}|Zq&fG!6-u%_vQfL8y=m~^R^L5&j
zbIzY*5t5rRP>BWII8cGxKzqTJlU&pEM6TESKNakm4Ci~pLvAYXCvcHd3%zkT8z{gV
zb)Em0<#*@P$xW`NM9_-}a(Wc8!zIL76VhYD$+H9@R+pI(lKSs}@mVZU9Xgd6mtC`N
zY{-~#eY366?pjMpnXHE3hZhF5p!F-V(})aiP>#VIEBc}wh}}eO2{4D=w%g7r3TaBB
zi17oK#~Gk9tPyWG+XrSYf!ukK+JBZw<Mfz@GZdi(b;B_tR>PHF*4PYiTv<UkwMIJv
z3oWx6@+#5qv{u-JJ90wG!OhZ^>_l4^fz6eu0}K6C2WB1mJDS$4V#Y<_2wf>^EE8b}
zB{t}^9hm=03zuW`KEfW@kxoULiOX)=icC^T=?dTWdF9gyJxdjWF##`Ls^HJ}Gk3sn
z^~ApJ1v=?&2CyDAKx>_Hdfbm(sfK{>j$KE9p%Sf6;3)p%H;PDNAiDUKxfg|t*5Q-m
zzGxg<QK<)M*eK*hqQiE-i1vRZ4b%{aKO17kYY$-4Lt59A3?sHY&8?9wubf**G}+YA
zV&m0;_*jU68_0eu@kgl=%l+-_A?9QM5_?R964T9r^kF^g&c*=<Gs*|DX^rg2@8=?y
z!k(qN3?e@j{bf*AdcYgaqro#$m0_H?ye43NKplOn1>jqfXsgPV0YCeiN_X^0tH5NH
zZLzfD+m&m!toA&wR@PRp$UwxM1Fs+xR)_!~d?(&zH!zG%KHV{cE4w<R@q5gNRsQQh
z1JWIwu5x_2sH+U^*LWv{yaFe%i6)Ho-e|e~4s8RWvt$NmLlr%tWm~Noxk1WKj+fY8
z<5C;4DPY&!dd()#nucE4?Ns_=JB?}1)M&k*chl)y64<zO>N=z;1}<6AtZ@89tt3xs
z%Wbl!VzEeIT`%j4h;To&Z7sfxx%*i3{nr+Cc9k~|!>6GTDe5xjtkQ_fxn0U+%~Y83
zh~1yyeW}~mXH=WVx(;6+?(z#bUL@i_I)R)~Ipq$h+X&!^?sa^X-?X9R>TJTvehwsq
zUBr;<!I~^qO#`iiR=|I_9yDQa(cjRW72P~yhUuf(zKW-cAPed3sSuv;pr6o>Ix8Fg
z!5R<nPBG^}d@qU6WpUB8jeyc#ksY*r%e*U$If=fs$Ad^nUq`?Dzr~LlwUR<<3w`mV
zfAmI?f6Zi%Mh?U5FmZ%~YA)~}>hcMAyljWv@pxPd4+ROUJwhIT73Pt;>u>~5wVrKy
zkUh9XwqpVy?tV(tf}6UO0AGBh%T)cJ96wq1CjOL3F-wY^Z2da$-eU4=@a<lOL+F3?
z(jFD>md163$XhH#WE2nK>Q_KQIrH~wpeQQJD2(YUZ&?7TR-)knnNwRfh?;mn4v!(q
zh6M&*v2>~zsSlPa^-24a=Kh8A>8*_@qRnhk^U1JZia~wnhZ3j@LUZMU%Nn#^6Pst8
zobYiWjfgB2geB}G^a+3PuU?mnlD~aY_YIo)tUg=L<tF5E=>aCQM~vy&SxcjWV!UE1
z?GVx$YrhoyfypH`eN9F_C+VP1z0}auQ>bMaJ^X*z2VFVQNN3Q{Zz%}N2<_T+t2hyQ
z;_oJ|+QY(SGMm<v_NRt_Sb4X>h>@Bsgg5*kBi3GK?nL`rtj0cbXW)iFFQgZ;F8xtj
zk02!!8l)(DWQ+6@D1LwEYL`6#N+DkqhG)P0ce{oiWU&$0uvdRmeFG}Ueo~ejrZwoS
zs%JfNfEPA{b1IpO=n+%C){Ia*Y^TY<=)et^CF1oz&gLBEoP;C|IT$xN7Ir6Nv^ep+
zE{E0Vnot5UN-y;h5sd)?=1ah>zh9*+PdsEUwA}V4(3Oqj?NnH%nz?W4RCb&M6Zw1l
z&T@B^xVST~Jh6BlP_JvSAJ?rWs!PD0Nx?VwH*0lbXnndJg?mO2X2t*A*7*5ZuRq)6
z$ij<TrlmFkQotR#{$1h+^0W`9`POT-aMC0X`!|-IJR2Sj#$Z2pYxL2I5dgBOe?=l4
zoRGdN5TM_aRR#Y?L<wvzZkS3l!!rCFR@)GC&TZq)jzx+O=irIZuwsK+<!SaPXVoAC
zzT@C`yIxsrHzYvjTi`D3&Lr2%8my&eo*aM+M`$s^8D-f7MyazZTV&$$FSAgbg(SL%
z#c2@^nWtPo!^J20j^UE;FdR9}R)8uq#?zZ|D3BFcT_86b;pU1zY3AektpOklY!CSs
zXzEKqB<+8Nhg6Z=+`7^ek|)iVOrP0QNtRW=E-!@FXnA$EE8DGH?)vkI{b0ikh!ejr
zc1>#p!7u7u+WSm2TQf-8iX)wXJc|q0Nsf~XFq1vMKrX_l2@)uGbkG6`FDR-&&+c<l
z{cNTPy@y*J66g~k!_S3TPw?~XvzPhp+xd_iz(yBDU*9NoN_<los%QV)E8m5lj>Pj{
zH;#%(mE(!Bwv?N>c@DY-RBzvx(q^YLSY%TF1cw>sE1#=Wzal*Sw<E+~I&uw`MwP}5
z+t#sa|0CbL&)Etp6#b1B4Mq@llZ*6<LPP?rK^RuBEY4NpiyJs&zB+RwF0HSArrQaE
zQFt@!qOuMVDs2PV!?YTc7dsS}8<OG*r&7KcJ3<2`QLB=Cx&dQ2r2(L=Vp~lN2EsXg
zRq_C~=J{y3s1-l)DUj)*V?X&?IdNk+%s#3;tRY4@8Wh~sM+DwFOdDKm$Bw9S{9r3&
zkfs>`J+NpPu!tGgu-I5lJ_XkoVeN*+zSjllwBF|@;PL_i)FU2@fqtO|Ydj&DHA@Hy
zE)G!E)&6KYQ7jZE@~0dP3@?SEU3VAnJv}*urD!%>Y9KkVtkzx(R09nJPvinvo{GrN
z!O279JWn6eLL10U$$lKWxd2Tp9dCXA8%_xMK48ZEHH>p7V}IqUWTFk>>SQ;s8g_0$
zMy?AkQ#y@2f!T}Wd}InOahZV_Pu#g2_n9swK(dOKj3<;_7pt?EioH)mj?1MSEH}-z
zY074dk6GW_m2^PPt!CkMw$-1$N0RIoCsaAPBJtjQEeVQvv5<)S4rK6a_>Y#VymT0a
zktwJgwUOGJwy%n(C_j&1_a?$m_gbWS)!c8vsH*6%|0U0%g@@u^V<q&kreYd?TA$=M
z(uILskWfBL&ZKC0qu_TzJ>+pib<;;wEq}6IM_EfaaEc&OH4oNF1GLHZsu}WUe(7JL
zX^xr(Cf`C30p-0xmxtb_qLOe7;89j=(`K;5GAI2Q|G$Fe$)cy;+py|`c0)7+nLu5Z
z>XT$B$ZI#v?%xfE+7(C3)hbi9q_-wrtt|WLcTk=w+0U~&E6qI+(^1(LCdGG)2sqp!
z3-KaJ5yz{UptXbY7-Nxh9v-9Yo(!x>yy{<G152zjv!zjO6#Zfq*$E1n1=j@-6pA09
zoxqixBlt@4EDqjm#Y^@S#B89s$hDtuH8FtNm!OJewV$8&P9^A-F1=}gZk!u{Tp$X+
z*t~g}-m1k?URJ;(e8Kvdu#gGB)d@Q2hkz{li{>;xTPx&8+`c4M1q_W;v~w~l3swlZ
zL)nCqJZrVsXUt4Z3PY)=#Lu8lMPH;MYMmDM8X$WZb<*i864V7|qFN7yS7KQXrCP*N
zj?wU|L&=tKkzPv8Fgss(KV>1U;y_`5#ynchWKBSzKtEImm|=99j%PqYh=d95x;L%D
ziGHG``ARh{RX<p2{Wbbs%gJ>*7t3q`E%5>qHTbau@&vsDXno@WfF$obR4NLOF6sgX
z8LYU{@`}kH@{ku7lx>{4tP5jWLMpBcDB)O!4%$w6BV_#)%kRSX5Xc<8GFR(tS<oR1
zdMd95b(q;^j?l}RxTJ2cgV2-8M-d2sZoVM<V8w;@ihjKSg)}hk-<OMh`13nZP@zFZ
zJP@>D{I<#}GpXwkRWKM;O}<a-wkLC>tk(4lI6R(Pj>=UhrE+u3Xxuti()E1f1<C`d
zq|no_Z8siMtlwY9AS?POVS(VUDkY~%HQGY#?=LFSNEJ%JN6P2FZ<_uW%OHe=Q@@)b
zs<D5SqIUGGtitFHB$8-|=pE0eYnkh7%!5$R2a|M>ZN8Hv{R6?sal@xXo)JMCV>%$w
z{gjQ@7f>wHip0fV)q(~7TFH49Aw|$CqDGr#P&)d=m~+`^l@rL4C0JFMAIJ|hMO=Nm
z;$9wx&NYp&pl%nSIOLo6vdVF!e?!SOPc)W6qgrlIKCC<77aJhwz!HCT5cr?vrs-XT
z?hlw6j!MW~vw&o@nPd>K4k@G0?&Drnr`Pb%H5(j=b7|Kh)bRgvbZIxtCc@8jvqsLc
zwCScU_5R)1)1svWmt|JTb2@*QNJyD^m=|S;O-scK$%-L_QY;$gp2G%Io>B`cO0i&%
z$Sp>`r2<hl!g$|wm|B8Qu#$MXmRD<!L|(1_rC-YQ-PnIZsaH6`KqR$<UsC$AUk=cO
zla`hMm^D-`)?ZW6i_&!mKuodF{mX9!tWhGNTtFx;T6B-6Q^8FLvSn@qqijn=B-N-A
z1<88DgSkuUuonu7x!|wvQmHyj98igpG3WCvPH>mdk=1Le-Xf)mipBf7Q9um0e@J`R
zEL*Xyg<Y^pOX}bXY+#v1CodF#4YE00Zo^W&m(JOMAV|35hM4+F6LV$H@?B%aFJarP
za5iF*=wq)~F{r)w54Rc20=9Ye7u?uhKZhGbXsyFqg^c|60J*4FqgFPCHj|2h_j^UG
z*;FW=6npy`x?N^tvRg-e=85s@LL-ud@bLzIYxL-HBZth>=E3ZvW2~zkjx$ut93Bnz
zhbQ7knnXcp*jdx^F&}9g?j@$eIEFb?tFu^La{O@#Z31A-&5y#mt#K!QuWoHgOy3mq
z%vV-2l>>U<gkbbS3#&_kyGWUl!v)ZtlrSRVc*;-995%~7=Et5)hnom2fa{ZIxH5dy
zNjw##cZj?hn<^8KeNB@kX5f1PR!xNpA)OIrvPtG@R8HsTu7nltv3MtLIB$z4gt+3B
zV_JiBLT{FHvN631Ou{9n4SHTV{@nV1gR$ATH3rQzJK3Daw<-_MzyMK!YQTo7Zojk?
zQQV^u86I+O&WFH)Kcyb|-BAGdR8MXu3tN$c`54%Hwge^^UWj{e52#V?te%*vSKqhC
zkTnQt;J|HPj=@}Kpjf#PzFk^XjL5FRk=0~{l>(q&tGu7Rfh2DE{NYdLPZ>hU6_j}x
zXCzFddqEgOdzPmE39|J?#{oKGS!3?wEnHJ;y2`7t-<)2UerA}!7tKU3XtrbBOk0;l
z4V{`hULbMsq(VMv9S3g?buO5*pJzLm=anCl?jAFya9AV-7!;;JR^i@!Oich#@R?~5
zE)mU@Vs*cgyfvuVW_x066?G8`Tr)qjlPZ80_Ppq!z&|GNbF-b06%>#j&1UP@f%4uJ
zE$v{p@ZuN=ItHNt-a<*wox_$^-L-tb1;Qa@TKo@Vg#aGeG*0fjPoGfl=Rfo6xY~_m
zup#iG?F?z`Eu==qnB>AyiopbY7`tIT8mP)u?K5l}@zo;%&-kpxWv=TX2~JbeSDN<J
z(zIN8h<?bP`p~Fz3ekQ>!g*lyYgJZX;FYnoST?rnjz*g9nUC`pN6SaDwfqv5O&@n?
zRp)~X_r2ipI6c)VYE=-`>V&jBC$;d3Yd7B%Tf-OX4<6qVp;CZO#>9v<@ULubuzfS&
zNA<`R&)t?(c(zk=d1zVmAb9uLJ8<gvHdyeBP~lk2Df?BJml9t8{qL?e=GwB+cP}E>
zZ8lHXC8-ezRzw&@CGr}eR0z11IEht^i_6pjVuQ}@^n+4TH&sUStcvLW$B&=ph4)T1
zwRqq~e)D`D-J=?7m5oxNA=%ye8inxZ`O3ts`|f+sfi-4-A%k3uTYFOL>~^Y9fOm&}
zN$=J#XR-Gk<tWtm1$Ay?j$#5qod8kvffdf;xLBKi)P#Co4r8BoT#|E6KK8|O+yvFc
z@o8S=05(Gr6-H@<B}r(uZMCI^q$HFF6<*QjMvxBrK(4DkQGzZSAB(_Vs$M7|*iQ(k
zV)0E7h?oF*HM)y)HOmSyBz<A3IZHb8z^-`!)IW%6en~nlHAx^HUSTQmGW>ge)yHoU
zr^|iwARBe|cp%YG{G>!<iFbp{`4OT`!9g<N^W^RXC*s(hDbr_(ogbIDV;9x$L{CpM
zq;E_ju&PEj4flFck%bqdYC7J*U2~@_2+;)kKk%H9r{Vm~b3t6PnCyFPN>35yV!Gkg
zaXk@3nMa?`qa!?w+<P$Dydx?Hl#YJkx+^6Rkv?LG=C~yV*JNOCASD;qKuxk}0`XoH
zW#;G}@^Eb4-gd5%Jv{ozvnnAi&KL?lQWq_v@Da|;Nav2@BHRYmVew|c<6MU#g?U!M
z_0Is#9qpfZfJbCQX6uK!)1OMk`HKos6OmMXpSVHe{dBV+J3GPo1+x1htzdSDmivM}
zIA;Hj=mYr!by?QY(&@&~U~h1#WTI}sQ~L!_VcmP<F#_64l)RR>by7qc1FORE%QDHy
zd$Yn3Q|g@hqUYI(IP@e1``nkIiQ7KwP;Z(Ov=mLyerZ-zVTFZ@V*hyw9ia~Sk|2hI
zq^lI^qhs3z@27B~Cl;f3p+}Tft+v1>>GvJYkk=r-1kA2e3>eYKm-L1)yD<7q5J_Np
zDMD5*wez#zZh>7jX{0na5i4n!kKTkY-BWT-Z~#|<DHg8|=$Q;&m|U0#v0D_njd<Vq
zOP3PsH`yUXo<p`s3JVZ<%?byX;>6Im-?X~+v6Y9z6l+i$yaeO6nYP80N%7)~aypUz
zZajd(bk0F#n4R6xvG1+ducpVcs@q67j!x0#S@rMR?^VBDM-*k3gcIlN0;uxVH^_8<
z=e<ypt!2=3`o@N&FP!FIHEN%a{*gOBN?<U<?&O8%73-GO#GCcc)HX<dTgNIm6(u)l
zjO_X6tFMzNu{|a~zmlRC+Mo@@y16EQe>fsds0peIRP+(TKG5LyU@sEAG+MvR9XM@m
zk4e%Qj3+nJv#GMr37bFz1u$4Kq%d%+q>t;V?Z>}MzOya#l?GNUd6uXd+1tOD3<&XF
z5z8ouZas!f6u}vWL`lx^LB0g19fH9m^WhB#9ASvrycV0Dc~z&0cx_)lTb&*BW81T*
z>|Mu_zk}7K0=mCh@%K3kl~iRaFZtl?^6dq)iDWTaZ{0B;`6XMgxV4sLz0u*bf(w8$
zja9hl7t6i%e6QB;8uQhfYo*!rxZH9&=S*b}3~C2(JdwbW2Ob_E!t|TM`dU)U83PdE
zuX$399pig7>Yl4v_^8bTlfv~!L!@vqb*<aI5Q}R4T8*@TZr?C0(yIf8FpU}W-}l^9
z7diul(YXVNnnEAuZ9A?!nk3b1>hCYf0FGJOE{bU9H0ClfhM3q?Twb$fuwKG2HZv>v
zuQH;qG~W<#2j@FP%2f~y$tVwvzT#caQ{Pt<b*`@FbveWxbCf4k(p`q!ThXUh`QGLK
z7?>-Ymi<(mEScfn4P7{g>Wm#h_TMH$Sl~aW$_`3<kUt|eTq3D98xv{UYdaB@b*gQc
zq1U0K7N90LI+tnZ1siy@ne4rryNzh}Too5-N@F_W>xzhmC6mb_J2TK0<}NR@dldmm
zfqQ$u)*&9gxq)KI)9iBc710Ee1CTFI5@;<xkL|pfz!FgSW-bndjR8KGIYBKdcThZi
z^!T2#dyQ#T4We(hy$Lf>T3IvKKeVTQ?h2L91Kd)I`AE<!kGLzDO5Z?iq))*uMd9I!
zUN>uv%SU`fSEWRf=RA!!%#CYJS-v00Klt%}$Ne90<w9{qGMmG}RUY>gS%R^9`friL
z98`Y?*rbIEEBwFH+HNh(%ZxTDpKrtK1pTL@y{+~nrIQfeFvJVSm@Yq)sY@L`!9>4g
zKP8so3Q1RSP~}aU+t^3gfx6eCK8<|N9Hc2dxza!AAcXc9H-ZZC+GD!Ts!0l;!1&Hd
ziJi031*WEt+Zy%z$XYGgD)Opor_w{Wz6;Q1SL42dVvofbkRdRlmueH~;>l^j8S@Oa
ztL3z5Z3SuG*7^cgb>9C@E`T|6px>~~!^k#rx&dhC8CBNlgRZ)OIAF@O6X&TW(9yPr
z$_`@UhjDODwfC%MQ{~VCF#?tJ2X%;l_Nv>Z;mF3d6f*JBNU`zaOR633UfPJ)3s<!r
z_;snB^_sw#S_psIVW^!Q=J}2fgt27sg7Bm5eYg5QLln+*V<L~NE2?HrI12|=je3dL
zi&eDtnUX+psQ(3$+;_ALc<aBVbpGYq6*tE@MGFEnHsms9yS*#xinxM_AIH}P;Y@a!
zCmuVk1jPKBWC@0HNFJMoqL_r6*b%6mIz?X30PzPYEuKdzY?3`CmA{h}VB$%da3X1p
z=-71l=D>a~M|G^0A!yZ43j)<4=@>;Owr{7wG%D9}HxKZ?PvLodo%OsotjA0){GM4H
zG!WJ~b-^1?jwj)q^44P*HgS4#BZS*ki3B-4FZBX+xVb)}%6Bha^V+O^N7TpugYjV3
zP{VPIz*M3Mkn{Dpi5h0WNdlSY(HYqzh?dnNR-W(Z^LLxrpbeZSZa^S|P%#QHtjqm%
z!oK<e1mMlU*v1OsVY-G>IJ&<AAz-_j9~Gy8A1r)b;iZqxGE@FH;{r?k@z`Wd<e9p@
z&~J?bjygL_vISAZ7=$^ZdYnt~zj%}AOjCcpB(DmaaII84|Nlg^rPDWOZusn$44w<Y
z5u(9JG(kMWxSI&z0DxQ=%d^pXOx7b+P$B^qmBp?n5)aO@?>1p^fu?j|jC-}YEd(07
z8F`x12fh6O)#f<?2#dmNq{KN5V5o$gIjqd;=1@XKh#6oXHNe8q0Fvs>Ez*F1(OJ3@
z9t)lIcuhTPllJBxBuTvetTG|f<$!0$of-1jYn-XZ*-va_|AMkA5WnX!Al{&1dVGEH
zI3d7VSUhIdgy&!&^kF~DL}CDv4v3}yxb;c*IU5+R;tGk@$a6~yFtaZbq6Iw>@m$X0
zKo-etSGpyZ7kmYchfv7p2qAu|klWr=PNr3kA_8&%H+lG3U~SfbVygPa*p^x=t#)ij
z-qDwJ`Xm;2q^y{<zoPLhtZ+#jE!}7%*Ho2cUGVKR3Oht&45o<pDmJP%;LONLw88;6
zmpPLty|fau?6`>@au}aN);J(@i<)6zl#D<!6;ud#Eoy%)X%cQ6=U>DpsXb*hTtUA;
z5T&IOwz+}ZsjkD<s;p8N{2>9HIu&}a1+cRy8GfNC;aJcjtX}G+F{Rzu@;B+w-j9TY
zt5RE%hX*~(qe_Grg23M>hU)mQM%V%))7wzYS*yC;UU7LSW7Ad*O89@*%5TW*YHQ_Q
zsNpXs<Sg9J0Pe)lGk>A|)W0je8+c*fxVW$uc8>2dw5Oh2l-5At;#>(4<b-PWGwoQd
zh^HTT1O(?M<sXrCS4O3Z2AB}oB{_sEJ??xBY^ol&E_0f#bsXo+g#&re8@ZV_(pi8a
z*YR5m)HAX1m#=bA_6NmPYJ|O<v91g=8WJ91_ad^Z4ylUY3LH2UWh4i^6B8evUf+4m
z2bk76rdTp+3^IclqNK174>bQSn@0>=^Wb6R1$!=@ojdD21kLOnkSBo4EZ#l;oB~(t
zK&;h@GjV(fxo38kZ-)g`At7c?;?f`RY)7uDTRvz9e~ub<a5WZTl#=8J61hR0U8c<h
zYub1|;-7`0l{=upmCEo{0UnO$aZclAMw?vt#k2~9Z65&vBRSzwh>x7&>6CnLK@?e)
zF?jT2wu~U?10s=#+-bb0l)&L{#=j{dacCnS{2W2rd}HI?nOd{<N+8fl@y*_O*hbKm
zv@@59`7u!Tk0%mn;vQ;Ib^k5UkESsenDDl+!G`6Edv6P=l|mvUNWI&Tw(<|;>nLU_
z@Y(<8oZXwzV{xm4K{O|o3yJjk?QamH4<Qv#V$s)oOO^bTx6n?YGZ%}wE&pZjoyX&{
zS@^S((c<3h&1Amz6!hVGY~uecM(bp)KlU^;@fUET?b^8^w@W~V4Ecn$2t4_V>y*Iz
zj8x=_wQ}Jt$CAcYS|$`&v+b;KZ1=ns29;)1`MgRyxwY#o^5Ah!ihu-ez~lAY>dA!Y
zuy@=5=MAWB4dpF7QYD2fk_^>Pd)wX78ZyH03vRcY^Iw*Z1^~>zEGjyLAF^l2yz0+8
zvVUxhLr=FqCko=3k2hkQM201Zgi8-d@AMf{c$s;Jb6#bi2@lp5ViymAn%+zG1Q1ly
zwmc*@ld*t9mk*gLB{mhMuJwO91X(8CXq(~53o6QiTO^9VBwY_EQB5Jj9qNC-D%6Q0
zr+-K^S-hiDZ+!$o=JH+4;b_l-zH-Eche^dg5ww`cZf3DIt^X{ikCgw2&?cfMUkm9_
z4;xTD@Qff*_b^DT2ufg!qbxO$tdC6PYeJUUz`yo5Y5C2>Mal;2V+!C#OMsI$=WlhS
z7YeY)(f=6VwMFYY0#C(I*A(=-0YuFsER;cA>xrxSHG|ROzMgk_H^qDk@M^XRIbDBy
zhWbLwsgDybSE`mjanABAC#0z0++6h@??P<-C^=b}k7a6sTZ`V$lW3;;voIY|t05u~
zhdsVc^;YA8`4;`1!I`f=8m!g0#<1Pxj?&fjkIvr6)RBGki%4!uzSkh>zp&skRB3VI
z$+KinXg~xV3Xvd9-oB0RByD8W!~HL-&@0r6c)t#Kriz5Dw8F8n(i1wCZhFnf+y4u{
zi-*D2EexM2;*;d}>YJJ3ANVH8>j(Hf0Sw}Kn86pq<NCVeSM)OoToC^3SOf`z4gPUy
z{2}n^F&fE}5dDPO#V=k0)0BAWCl2GPTgbk2l@2&SW`j4W^%(af-p1SHNx{?O&4y>0
zNPHi0E#Ug1v^H3u9i--=_fLxLNJWMHhy7@UOmrkbKwl`IcV(X+U`pr`!gb=&C#ZW3
z=hyN*GyBE6Jr1=#?v!kZS>^g5TmiO*HE!GepHXkC=>o6!k2ptLma#Fxg*4It`V0!;
zobRoHe|`EsJGuy_x=#uQlZcqZ@4=Qh-o~`b80wE0r0L(Q%|rEC?N9idXYy7yAH{ds
zYPEl*mmyNXZ;cznPwJ|XznSr`qvd3ZW+$(+Q&)F0`FOovE??P^mna38smcx?J_oNC
zrGkPe{}UO|qsR1$NJUmK<<uS(=&uK88t8`UFgU0uWd74Rk}4Z|w{}xDH5JCMqV9Qm
zp&*L*cYnBQf6uRj`QNm}6mnWLC*yFgz)bff+Xji~e?k$oBLm$NY1<Gzeg?l;wLbk$
zX)WRUQ!PF+bU!38p?AW%&$vfA>7|ZjIy?*Xg>SZ2Fflk!Yb?9JLihlMhJ9srx7q<8
z^#_(?5oyXYC#Q3@dD=e8?#*ApHpxS~MoH5dV;X69vzE*3>h9+vDFS$tWAN^qV`3Fv
zRxs+s?)o&TJSxY%D90BIIq-De2L~dUS%FY<B6ywqvCU|L;p>tBCLJC9en!)^hjJln
z2Y=_jYT9Sfax(Xtlgpj#w?rq}IHy#Hu0v$Y5S)2pwl^v~(X?Whv&9s%q5a*vHm??X
z7+ktwd`6TN%<R!B?1mR!ph3g!CI}aBescI0e!e=cdx*|c9C-*osx4y1(%w<B9$hqC
zyGo5{(m6=uoKX6w{Mnn{u0misWOy~u8oMT0ethw)Qc3slJ?Hq~%o$E2K0PAukcf19
z1@|$1a_T05y7Jji_0g<>KnQ6Zj3X#W-}#W!HQf>dB4XhNuuQgaa?OPlFf3q_NM>Qd
z+i+(411q;`ew31j5GJidh$IMn$l1IwM6mL0s(m?HjyLSP=2Tk&!sj4qE{xIhHWxHE
zffZAA22*T-80%R@u60D#P$)hzzcV`_mxemEe)=lKnUSvQ`a!opo;E>awn3=K{@KsO
zy?~(@PsU@SVF`(`GMSPTqLeZunTHiPz19S_<eS*|=vjR1#<0UI;CnD$g#Dl(?w5>*
zQ?6$uIzCEl(_S&yzZ-UFL4T3LCvK|$X;I>_G6GT!;mKzt>8VB|34H^qbj0e~yel<l
zUR}r`T-j`XD6WLapS(d^ju9lHti<=nujxE2?HBp&KqT?VobXMm-BOsy8*7JAZe0H2
zer1?|t}*V8khUN(;UaoF=J@XF_>s>r&`7={uc2Q65{0fKdvAkmZ)g1{lPLh#k@h}f
z9g|bOZj6CxzUWY`T^F1)g}`Kur!Q5@yFSJu?wFx^6;v(8wB9r@1kc)bPDcD(-4sVk
zXoBPLBqCe218oeITxMs;(3%+`pc?$;;fQiy7Qfyy50fA*5!|k1j)wykSzkE<<qXdn
zArR_3y|ZSh!*UQboo#@F^t-$ieaNpdd6FWgQZgkqyQpAGUA`peF`@2_cWj${H|{Px
zm7Byc3({>d;}&9m18i1-?E66S4iP4>VaU9wyjf#+@7Q@Woj;>FFqdnus&)26fvI?7
znG+g5^_rNEglRR0?zJx+v^1}{emtBg5E}K&vmXKf#2eO-=BDHU@*rQC>-&%M$6z@p
zSwt>pD%3u`z!+&b0>=L&$4z3yU{KB_`-#-zJd87)(uQBz66+rjeCR>WKk9z~_-WwU
zke#ZEu``WA+XLL>26}(dJKP%wD^7Yq`!SJJ0ki!cz(SD~Fr>(IGD%AB$GXX~@xmya
zAU9OXG@25W#K>ht8}CqGNB_}_wk%B_@8polo$2#jWC;7(XYPQ=t!=63E8SGv=d|&*
zWdr*wE-hQINiDP0^JW0Do$M0okBBh2o^QV^fyo4!0^9_Kn$~p#1)kJT-}$fN9ob@o
zudGm%MVmCmGR0)`%5D`dWrYmJGMlmsWoB`^h1Y=mNQ_mxp??bJ4h4EN>Rkf__4Yr%
mOMvA5S~`bs_Bg`Y$l)9&`crM~psUqw3HL4fU?Ev2*mFVQBo*!e

literal 10324
zcmV-aD67{BB>?tKRTI?c21RdL$S~<>z+HUYYUCUE$PKQIr##w=r+0YJ8><qkPyni{
zhrF+5+MJ8rBNY1AYy}vEM;}t;?8FT8!Miv+U_jrVVzxzk>4AJAy5uvr4+x`zYF#gH
z3BSYs$YN?c_In;5Y1_kohNka&mnrSx3mM4c`iWH)P3cbEV6UDSbidL=>6o2BKy6U=
zbIb>i5mf!#*Wlq<wzsfHW7}(FJ>q1mz`7*Q6gc8WOk~h97<+Dc1oc5O-nDdXuha<s
zCG$GMisnZ}jehKDkFTyE=$vqLh0u|!AbX<Qk02FAZ6x7Dz{xzEVT${qqheU{!)XH&
z%a?=Af1ZX&=-{4e%JEfb9X|y*O2=4g3uBC^PbLJ`B<j|c7D)nLYIm}ZIF>#aG!Y5o
zL>d25rw$B;J|OGhqX4-zge0cbK@tJF)w1${<7oR?a=|k4f^_x}q?Ao>h0BSvwK&g<
zveQksnlMo!HY3H-;M32>H&%wxu?dz(^t$zHJEbbjZph_6sL|q#ibsgmb!@<`tyOB=
zlL7I)W$p3M(_fU+7I2VIcq!Ua2LU=^8oT~+hgaeOY^kvhUu?e*={V2a+GWHGC{?p9
zYdZe+-+X^rk>8KWF5<r7&MlDFfnbbl0=fDYt@P(^`2bWkNWQx~3ZhBV=Eqx?W=bRH
zcRr{FBq5bS`qtZnB&VHnF*ZAw64ZWzz5G%j@Lz*t><!SjmFa-vEt*rMq=ElJoIxH`
zlb_AP;Xd$RtvtQ^V9~*07Oc;Cp9|@H`>Bg3t(CSeT=$!OeWeCtf1QvB0ApF+q-;IL
zI>v6e8jWI>-VHC;7k0V87A`>X)I7Q#n-R8r;E8HT$A$~BWy=NrS_99+CEQpegG8uE
zCg??$X5`I8>byfv1evRHI#(TxtYf6Iv+pV5nbkG9pF>9C(nUAcJT(_wmVns~;Ek<T
zu6x>;^_Jqyxj4?ufh(7c)28d+D3EL}BvgaWd<37sX5F1u$f}JF`;t`P^rNJ?^hkL6
zcXA1pjE|IgR_FewBwpt8dm*|~5gE71U5tM-KR)z@o__BKN{z%j#_P5p@%(>@;c5z0
zjJ(lxp7+mMU?Q(L(T-knuXU5ZOOTLCLNfA~GJ{tZ#!(A@%-eS?1VMMl_75#Z*^R*7
z&B=@iG?#0H6jrKnVs&C!-=hxODYy+ob$)Iu_L%7BpZ9K?^EibZ^vXR2%qmz@;@W(b
z-Wl6ErNIz79dhaw%B^%<Px8*d*@8MufVEsru%5x_>7Iq0nR(5l&Bo#!2==ts0C%hJ
zF`HcN!As~3=P3H0Iy!A2Zx?}~L`31(%_dgEiz)O0!G}Q2(q&!%{{FOrOZL5J(!poO
zc=_6*?k$xaeKt7Ox=aS*Ys(eMOfa+EeTvqXZ3;tY92pc=JtnUocV87DxiA(qv%8r@
z;E=`_H{yY-{AoUdDtie$&N+3jPXyo91-2`qDM7mb%e|HK?4eY}xmfhTR7#L632xrA
z`O$LAYZ@@QpV9a3JRtZ^VRRi!^Ruc2&kX5?1)g9nS^R>e(}^x&38O{9gdZ@M2Y@F~
z7qhGrO^P()VjtkVzCpRea2<wWVAgv-9^Cxlt<e?g!E?K30^e(qcc4ri@fpeS^1IpM
zmKlr`iGsJ2fp%E|8Yx{96rfB(H>E+lkW?5C(#-b5b@b(s*z662*zf<S|Fr<kdNHba
z<sL?tsU;-ciORw8Jd@GH7^BcnCmXt6*We(hiw?XDBJ<dZ<nCEIS40NKq%;E()c6U-
zKjdfO8ZO-@DFObdWi#feI@Eg-7sl>T@21mzI=_QPv5Lorsy-ROJ}yawqjJawCSjXB
zFbQrwO^Snb-}<?`rs0CZEFmz$@<aKD&!+%Cq<0R|1)G50im~qmX-yUmg@^uU9d7Uh
z0{crg6nfy{E0OM;7Kuza3;_J7PTHCVA{e7`=oirpd;Wn-8zaC=F|At^`Y=RmJ)V^5
zmM+6*0QWvFKFi#Yf1Q8r^V0L`<mjy;k+DfQ9c>$EfP@hkaSwaQR_Ws<LM+pE+0&&Q
zz)K;4+ksK#b$w^VinQ*&K$u|Ja?D`Ec*9JNv{69;{zcsV>3u>({C9B@nwM$v8;GoI
z`l5T6<JTz{MkA|Mlue;WaQ%`L0=p_;Fso%3hqJQo58hI5<z)_;WcO>q#EZcMNw5tr
zZ0$Xa#Ou6*FIBNgLRdk;ReWD)73aXevYfOn2xY^Nd&;|3;}GvtMsOh;xyoC+DP@yQ
zu`Oh9&@6Z5Etr^mE^)iA-!8qii5k`9<0^I|<}8Uvo8`r-Sn@(d#(~ZVHSMlpD)PK%
zo_L{}wUq&xQZ|c-zJ{wtR(_Zt>b%=(Prh=kaOD8$X)3b348THWNm<$O7}EO_OAz_&
z>aC0#z%9XEr->ObHByAD^enOfb=NABD;E%>?B`~B@%I#GYA5=KhpYl5`@`}u>Kl%*
zq}aWxwNzxy{uH^4hFx`YHLHisxv<DIELF>x+4C@sS5bl5Z*ECv1*V1zW~7XO%z@eJ
z5H9z@6)EU*a!;Xn;p#XX*qfWs_kF{a9e^c+a_dI%7k*2WG*SzrKuQwm3!XwnUXwgh
zVBD}DmhubhL(9#|?t0zxG32l258pT?N7evU{XgKv80=Cr9BD9s_FGLtLxBlbc3OXw
z3F#?va6A@d>FGgE>8wSERnQ39&uP&*rq?_`r((W_p5_p{-Gxe77b5m66x57E;l^f;
z^4y&c-35^DYj<NPkz^b<hqqjXIwP^9+#S|ROeR*^C?cu^1BC%r&qLUXGBLZyoYXK>
z1ErX|FRj;(=m^v*E0!yKPSQkqPyj5A0_j;uI${OuOT}T@YL{CYv#kc*xklVs3#u~d
zI`0FL4%f9Q&x5_-cYWJQt*Z>{6y*2S2#QdSJ{i{t+d1A#x`+Qa1Z~Uw<{ph`w#yBv
zOwP*s#Km~{nUQn|3No$Kq}}M7%i83v1+sPkQ|?%!He*OVW>f>WW%7v@cq_61z-X4)
zTZX)T>=+c3a7GjW;cG>OL{Z*5VL!y>*Y5(}={D&;!2e>NOKEem2S~R-@z01B6hYZw
zd~}~oO$T-=<D0vLI^qla{#`?t#YVwFfcS(`dWbNjtM`zNX>8@W!#nRrhX7Cu$b9Xt
ztNx#qYLD59`k@z7x#E`1j%h^<i-@IIQ~qAyOck@mS5%IG%Av1{L(*QSm45foE(wFT
z5Wd%}ri}!kY<rFt?RONPZ#w21J#{+40f|8Z5xlL&y_rD`#>iF3*c8ELEHW#daz@ck
zB}=Ef!s^vOLuI%Thyre_eIQ~myYQXWEHrTUtX)m;qr)(2l6c$P7>qWs7cgD6X74MD
zMy%{qxm5P8;z7b2it`W<%zbyZ#_V^yE;l2XR$HUupW|#NVrybONJ;{RH{@^7Tvaq+
z-+H7XWg8??-y-_*zqXsj=^S5Y_(m)p*HU7cQEND^(xB~tH1sInW^>3rD3koRw|bMT
zYBpgfIf`~6JVY=N1XA!biseZ!I=VY#S;=n_h3^}n@D7*cU8-jHEkgPMw!QoXNWmU`
zS<85eADOvpY>~I_BA>Gsb4Cv+KApZcJH+=Ico4c+!BWB|enM3*;z|L!<V*#LvzbLi
zmmWplDQ3TxKB#e7+3pm!O?g4lO|4K~zap0B2N!1M5FpSKq}~ZhU3Cx|rQB6bu2d{C
z`&hw;o0Ivr^2mSTZk=XJ|BxmYoes))vuF$57Cv28;gtXE{@83r?nM~H8SS6p36(l<
zw_MhY^AeV&RRP-m%2b!@j@tbN?EkMp*TAbey;A`2N~5jJ7_Q@S5LE&>D{$hyO0&}@
zMv~Vx0<9-*$2cNK?%PV+w}dyz3Tzht>nvn6tyr}v{RyTHTi9|~RNc92&q2xRnfu9X
zDg;twU*sFlf|O9D``L9MK2`nJc$9hXSljJm<Oh3e;W!EjpeZ)^jM+Y^`H+hB-^&y`
zD2Tmbx{eR4E`MydF>pe=8MfZEJ4$0t=R<Ld+y-5Us8JP*gA$b;*=$I~e*Pmb*Br3Q
z1U9gcGw9W#vxqM<Y1W9+&>dnLX3MH502%Q{nN>T|Kly_eF=*EQ^#<BkF-celgLu-@
zV&ql{Ef&x7&%sv~F7!Se5@-$5H$EYK>%?ofVfT|bfD*UlP6Yq&K&uyy%9=AFDD?C~
z7T+)T;@QPQZb)dQXptMfYkB3qWIzRXzh`Zix2WBw3GRF3)Axfa0VFtV5(CdpH*g@-
zqd9C)x<H`Vk;_Cvbb)@R9Bhlz01#=!p&9|YEsA2V(McY91TRUn+#PEUYqg=Ga>bJ2
zm#B!%7h+<ay`N~S|Lf3QXB<+O*EU#0h}NYeQJuB|a`-7Etm8v!t=pwn-l@#vNE$Os
zoxVc7do^OSz77=my|L>Y2Tewt)gY2W4s|{;@(1At2t7<`LJC(}3C4hlL;G<z8)!_t
zJaR?cs%yhF#VFrBdr^-f<*`AWU*I&xP~33Us8sL0t_6(?#RLm#dmrX3!wvL}{_bX1
zjX^(M;R9t0q~;l=qIxL8JQ^xwATyPO|FzVQxyc%3`wa${3h;;GLa4h(e|BE*TubX?
zfuJxUgSyp^g$<F;#)OW_Q}?|QK42uH07zF<`$B9H9J~&B_Ih%yOzg4*4F=}DogQM?
zTuI!cej*?RK`#%BSe*Z~iel{Og}u1NumIVLlahEKnreJ`3`|0=Yee<~yd$LmFt~FR
zO0R`qd-#;?sF~?T>WaFRm$73?e&jQ_wxAR#`TV@K&P0ByEGei{DK7}dp*<@M;}OW@
z;RS6x=yxV!w|i8In~aj#4l$v&!m+1e_}<S~@ErK}o-tLTpt)C~qU!%Z8g12v(t+Hm
z7%W;*!87D@h&|NT{&srkq%FO9{qG7s3f&p=*sv?AJMR3|VkWc9;Lp8~ScNN_(Q0ma
zyo*B+Wq@~C5z`37Fz~k}>xwyd{C^xReTq=KUf_cw9T9|`pfeylf>x`uPbI5?gXY3r
zfzn`O%J#kGu2^~K(kV1YQ*E9z$H8%n?P9H@8K+FtWC*87E@#Lm?Vz1_g}2;3dhZC@
zuiD$<q^)$SO}ynsexp$!87V0g2EA~cP0gX{ri<$Ep8z%uqFH->rvDp<PQ4}^2jxt%
z9>{Boa=$W?H<5GGCKMW0OF3UHEjvYJ4{R%nG`)f0#;R}{_HcKUTK4&g)Yl<*4Ijvp
zb_|x+tMrKs(H{qo*-JNsB{x4a+VoC8CiF$l5Y*H(x->eoVpX`(MsrOX+#MI$P{J<;
zS3Q7NT(e8*#w|f&G@2yg9$EYpAC#H~1ho(A-riKbki4zxJ;o|xNS8Oeqj;cMBZ5n(
zxLo0MXVgc?l1vHV7IOSMkzp5Nr>z|HG~*y>%g;jx$B=P7`k+4MP!ycjGy2IQ{ETP0
zN$&?ma5LjgWyG=NG{cc1Cw|t}noPi6J?+|PN~w?`zxFyil=RQNXtgK^G*e9a#C@}5
zeaSkQvO_+m?-Cqm!nq$!1P$3-U$Il0+)ig2T!Ul038AFK#E-9K7XYvloRONExwZ9y
zm6`%<hRXlLPwc*QH*(g^^#Iq@Tu^MJb5`^xVW&H$z^5OHnUhIgRTp@6Kb$4~#{_Wr
zWlXjU%B$6(CHgGE#3VnQ|Aw0d{!oCdmAYgJV$xk4spd^O$;%Rhp(0NHO`MtSshluw
zu%JNx{2WnKtXiGVE;7B=G@mY}4PPb#ah4*-D=8|&JARm-#ua&O7Z7}%?g6l@eaO>F
z)g=S{B-#xDw~ZS`%b8&HoPIJp7|o3@7xv5qMsaU-`s85j7FaJ+6)f3;$pY^T1%alJ
z)IEC#F|CnR2aEoD=@2f)(rT=q%86k(Y$*;Uyw>YJ<!0!_Ey1%BqShY4X>V7#?8^o^
zV>gVDm2if)hVK$HieY(=OLR}>Cd3O??`kLpMMfjN4Es)@gAi!Koz_1wN%Atbsu2e*
z?H5^q$uQx8HlMt}1;q@Cl^R@G0mm3T%YUD{17#{7jVm)Z$R!=9U9KE$R9!pQ{IH#z
zQ^~<z)^|9>znv?URm@^u-1K5ZP-^0&nR^UgstG<=OK>^#EgD72qAv1yagBDNDNTBy
zRtJf^4y=!2sJSTIS2aO~VKli@%DzL>^;yn=rn1?{+j*S7)m%E)-bVs3LY5Me4$`>D
zAm4EfF$()+J1vk6#))eU$u$DdBQIuP-}Miu>;h341bnyltrwLRNxKy4A|NrBgiDm;
z<G?|E8*quoPjMJ;@k|P)Fn>Bdl(yk{K47XJm#UIoHnld@mR%LTj@IE_(l~zU0R0ZQ
zs!ITgHk~ne-t83clykgz+U--T<uoD~U-W!8yrjLEmoms1$xgD<8W2C(w*_blOesGI
zjNU1ujSqO4nsTgcEo8f|*QT%3>XYx62fhV4m4Ao>DYu~N^B28EywdReKpH!sX9cvL
z=Xr5+ZE_JJs3i`YpP^rcB#s0ro*~A&Ix&G@ey5FoP%u*~g6@m%LTZ;({2M>OL)Ia|
zBJg#%{&tD<CAS1<ed|vl?wycio?TlB0-__^>WY_29`7l2S+DPo;tt-8bVGpn8aE1-
zWB?9P@f9NT>pyRb$DC>jJ#x!l#B`PuQ$UQf_Xg%MK^^<+k7Z0fpQ%q;yxcP%xF*#x
zqdV;}SAE*nPDj3ZQd;+zd*Fo%HK0ZZCk(=zE!nrrP(8VaG4vTOEeJ6o)+%Dld!WW2
zopzo$+FOF<vj|y6q_(Qk>Y^eHU9(B0(I}r$k|em!$JP|?9zOL*yEMQDll~qrn7c9R
z$FO^MTUn^Jzu+w%`>^!Tt{qlm@Fj)HWuH6(Z8A6rtZqL1d(kt}I>E&$sXj1hXSQ{N
zRktO7W^7|gbKLv2^Ux&O0RoX#g&|zdijuoCN785Ja&^b3!<#W&=P<&Gv>P5Eo{Dc$
zQq<pVbkI45zf<0ActwShZA=SoNg_K_BN{OQiuco)C*#+&Tjo5nO?w<0qyVCtQ%!al
z4KxvgLVnFm7Nh0XX*}BVuw6PcnE@^=7u>1@=cR0`_x1Nb)ff6>rB4S?SZL8{<Zs#<
zq*lKE$b!>Wb~v+VT61YXpu!~vQqx?w1M8!ea8SS0R9w{3%w9A~EyAGzYpOHRPHfGh
zuv?ZGH+QIzA|(<lPF~3X3I}Q~ePIv>TM~%aKcyulb#q?Heq}tFvUjpCz7uc~QH&|k
z=b$nsr7$;TvC{sVAxG9piLlw)yzSwuIe={t#Ycu$NoqXL9wkgUUb|udyX7xQqHVK{
zNZwhSg{z?hieb*XVvjKN`O}K=#G70E=_)>jn~)Q}QX{R4k1UZR9_VOocjB@(WpEHb
z4R$oNLo|l{+{Yil;2p2WUlLsQny(skG;*?puooTS{#j>$Kq*mK2iD0X6_-M{6m&;u
zxItHtik;R%Zu+rWMRP3@(wIYhuS&fZ7(%4iESSw#HfnmQp*3(!s)6Y(A6I%Fqc#U|
zYM0@;DnHEwlv^{<fz`VNrxzG56r$Lh0-ft_xQTaZ{r*uVbf{nE40TE3Ez_MG9uzfm
zGP@TQ4pVQB7+zw<+@15M{)>PM`Fcq4U_rcA$Q>!exdrgLgL+r^{jNUlA}HEKI9W?p
ztpzcETMQfkKIf%_2wAQ^G>ae$9OA`^<@o_<LT82r+fKexLfllphng9h7XJTFaaFKP
znvh#gq&UO)9ndwT(XLO!4O8mvY}!E}I6LqAy!xM?yoWGgH!DywDSUsJ^H(}GEhKIK
zDOUlnasR+Rm)(2(8R%ACs^cH#twJ8r1Odi%)<ie~q@R#XgE@(vH0w)cT4Isp3zt=G
zjKix%5flBVb&d-@#Or-Sa)IklSh&+A7Wh2+F<mOQ%K6IC8x!-5t=1XZl&quytZyiw
zcioJ(l*NVAA(TZ5;=r6?NlO-dQ<Q~8-2Yx6AVzo4JL@f)X$UUDJO%_J#p7;wQ32&7
zn|+b`1bcVK0DnP%dV5u=C~wo*?q_cj*pF1K1P=(+2$qMZ{>uH&5>PzP=H`39s?i%*
ztf>@BQ~zHJ;0r)!>wnJN8#ubkin{55dd;1TIt>$xJOVwEM+)eBDz&seo(C}Hnn`8p
zCz0zX0VEwy|IC5Hy~7El*-0cpZ-qsti3q1%1Mg5Cw}4kbQ`YK}#^4E|1P4FrI*(U9
z3k=|=Ls`nS%xfyZ%px9~F$_-Zrq1w<Y9oT&-3aO#P36nEkU%uorrBaarbqdpdp^<&
zP01&F$mP-+`RbybC)4}>VkZsM&w@8TF<<*oG9Wj_QPc;m1VM-Lz=~(_DT%1yRk<&>
zg2@_9qGAxQ+6X06ZoJnu2FTHaf6XIi11_avzoLo!xOv=o8_x(0$Y@(S+zGFpyj`FC
zL0Z%_ujH14<t!ZyaPvDpfw|SDOT6smcHocfGYwTz6zbV3Oaa_T^?iXWzTgl6IrPit
zE%H`fCHZwy;JbohYxY@sf8Bt;o^J>6yi(=Nz-dxWIf+Vj{3F{3bNnLZ%6N274dQY8
zY^htjEJV`_gHsQ~>p-*U9s0`cP8vO6X8l(4S<&61wI3>V?3=^q4TCH6nc#ukQ@{gu
znTKU(#|FM2bFqPpX;oRC_T@Kr=^uwc(RdZM2SqVGko_o~4RJGFIF7R$;@q*wh!au5
zYNYieQo*S&U<V@Kob#|bYo$v`>P1Z#M197(|9(9sgW2@1H?|YLDBbDLm#O7scf3if
zc3T}A3~*Mi>w`HtE3sC9{1u~;T-UiZLapS&W5+WJw2NdQ#IgpMCuy7<>ZF;pruzL$
z+a7i8k<}YF$C)u5D1;pq8@tlL9)p}yhD+eZv&0WDy}X$i-2nBXMR{xXxWb_wJ}fty
znlvM^9m9Uj9}6d*&P%k{5&z5!vG>62bCp5C+*X=lF{ni@AefCiN+Xz{Diq&>lp9Q7
zU^{l-NVa8B|L@XzQ2rlqaRNJbAB$uk);N_GKTP689IQ&_bdUd`mr=-;KgQ*co_}g@
zy8l78g3iWz#E?UrA)9Sl{XI|lzCUY17W?uUlqCKFnx;G5NqI65Pz@5h-xN^89d+n&
zbl8vFz6p`J%{J(}@`BHP-k<))#f5se^5AFfJaKbMaiyg0;Z~AEI}{S&F`LOzn7Q&%
z8B0YUMYmyjDncJTy_lzCRRkQf4dP}yiKqcL>>xB-U&|hgh-61noO|d2Tyh2mE-UIV
zQe5L8toD5(W3Bs2ihHnuxA}zws5cdY!mvzIeANC$I5AQinHWyqT{=3n#`G3G3vYIR
zsi@hMM#Ljhh)-?|Imr#BtQ8-fwB1Xoz6;6|24iOIw7N4jR3jWGd*qHx&)0Jq+>zE!
zbc~;Ao8HUya*?BFV=IRDv;gY*Z5@YV7%p)$FLF4+pac4czz4s5W<UcC+1DX$mXoqH
z*Nh)TB&tj*jld;pA6N#lItjvLadLN)VSbR7F4y(cJL50RV~XNiPdo4|!>gtOHv=gR
z{V2xM$Xejmi7)~3T7b%q`-sJ5t`y!*8+7^Kb+{2(M6Y`_)O{F}lxjPVuUtpUhP!DL
zl(Q*Nf;M~#?zuRDcfZ=?;n}|lJ}j;9Yb}hr5!m2WOGl`1<h=-+ZDi`0$)G6eCgR^1
zJN|d6MFXp$t43`_rcNSqeo@(l`%f;RfIxjx|M@NZYxPr2%Ta29dB^JsFuA+1)!8vC
z2yyh<#IXoCklxHmogl_Ld#3$Eoau*%!W$$>`}|6p%^SU;*?TKJXiXd7s~6%Sn;<g1
zP|Z3#$dOu3w9FISrtV4Pw7^)FCRC<Ns2@Q5rw}gMQL3EOa-1e4LHf7-%A|Re(e>L2
zR=V8><h6HgdlI1Cv`qJ~5`OI=iMh6>ez+3!*w39I0$mq3?cx*c{7Z7sZ?5{n7!t(8
zm)KC0L+e@2U2UlZJ(KPk^;W{ad?gj=(iOVT^!ls}nG%kOglgg=+n2Jp-D3o^Drtwx
z!|~kh0-3+0qx(5e&}f9mdV-FqcS6tyZnW)`YRLPudXK6q(QsIjSy9XD&-TreuX@Cg
zwO{>1L@l^ZyD_8h00#*Eco<(Jc}BFKQ+@NeSo{Cc>$E}o;@FvTK6jOwot#()qRE*_
zEPTmu*irko@>>aSh^JEZ!rUhBpFoS-A>phze+%XI#oX<$Wr+j2my2)Y)M(Nixv7%|
zb}lvv>EiEsBB74Uj^ITHCy>kBN+FzpwhzA}%Vq7~NBL>YoWv8aX<(bW4`9uV5IC!3
z(o<);GdA#B+BHFv0R|2k?4qWT&~+=)BT6?LMRJ;PO=4U=*-Qw}pF*rMQ0KY8P1Y3m
zFo9e!gbWlY8wSaYmOez%y@`LoZq<HQm{^0`ZPPc0;X@j!b4%WdNh_rk)K?|ILHaw}
z-vKA^rpdFimUhQj3Z0#!a|y0hjgY1DGD6+G9~7+i=Ub{F8^Ywek~c?^MsI`7o3kRs
zSs&_kbPr%<{E>ngil4paD#bU}9?cv*4DYD008>A9Z(c}Ee&hW<m5uIgjZwWP`{CbZ
z3kgXBALcZN^H5ANhrA+||CIxvwuz#b5IeduL+<btmZ$_WJIQ7Gai-6+U+t(s9R~u!
z1_A^iuBi^IOb9_lDl{h<Wy)ZQs;=3yfe3Wx0%Sy5+n9;rJ1{7<DKGnEa;%WP41m{9
z_6;A1KOnv{7WW9a&G~)@cU$YSE)#9F*=N@#SZ^6JI4caa?EkQy6+8ARSsLKK2c|!m
z2#aC$KfSZ$!tLYA%}cXGds!vi22{Hqjv8H8-JnZ@yFt+wFKm(=j@~mEE1X&ZGrm0F
zYVs9(PlQZPd&*_b$WImhSlo%cY7Iiv$#^P+%0!RseY>TpJ)aD{Y&QI$JplCCac62%
zC<%3w=QPj0vO*m!ln)sXFff%Hs481B=hd0IPSK1y=5dk`2u;!4j@zOKty#!}Lv30>
zH)$BH0#CduQP<DQ<|&_gmfkk4!m0TXHOefPkJ`S)hp$_gPOop8X7L1CLCD7&81^$V
zoZSaBGQeP_GyM8*!mb^fVI4rzg3c;$mFg;%=>$;LXkT0f`L$MC5P<qSZSOZcRdJM+
z4w5%%O;DZXIt~#|RCR@io*=^dp_I$Y&K41j@FnDIQWpj>0;+xXIqs|Q8GC%oL$9b0
z?RqbN%q~%ud|?7b3r11q`;<Ci2=Q5XnMb|I5`c0dK6<E%wAE-kigpOX8sG%ek0vb~
zxpGdVHZoA_JSX$Ai^n)8C^(LVcN?<yCGj}teyQ&O{|+SaZz?YfkxD?db#Cp`Y#X|n
z7(qc!yCr;5uJ*fl*U6}9ywrQ?kthhk^D)d=ZGS)3jc*l!;st1j%IFwys4~qBFeizb
znE?Mz0aPW-^X&7r_3&U1yNmi9sdpx-e;B5+?~~9o>IfPA!7#5(K-S7x3bduQiC|jp
zDd?18vF~?i6cUd>^i4tJJO6=tU!_lZqYj+U!Pho7J!Wdh6*wG&=US%CxXrR(LPl^o
z085;ui-$N5SE%1?40qYiaHvp*@OcMCql7vI5l6pZHUKSF2B7nQ0*?IzyOEAytaDF*
zrDdh)@IrS7xoT1HU;Fv)%#x(2aF?tvV5J#l)Hq&Fm+M0IjFZehO2p0cJExIN=*mpK
zv`ifL4aI`1uovZ|Cb>xGq1a1)tMGVfEk0Gyp(c;|Rx3*4n&{P~zj9~zD9X@JE#<h2
zJchy*%KT**jZQ^;3H%hE&SfNXbxp2RQ6j4D<;31r>bG)CO=t#_m5-@Z^6sOIvOJZa
zH?j}z{nRo>tzJMLlsiciem&V8#SZbVX=;yr;R@s0tuuAQITH`)Q0&OA)!EJ^Vr#IU
zRZJrvSoK<g1Dp2@C92RsA&MoC1q<kYcmDx85FY!wdS{NQANeT5%Ot0vBk)v<2{dJU
zHDd4jj=X6h-_*or>;#P9c9s~280w`7g<aapM}!?zqBImoM0ENE6;RELw|!UW0`E}o
zE`Z!QQiK$0{pZcjMq41GZH7Zrp2ZtuJtkc#+?qHao~5inB3uN2(|?Q{<9eWIDFWy;
z;QKV^-xksL`swPFl1#RkUn41?KY|<JhzKyJAiI~|@|QE?1sZB6Ln{96(R$NOJ<YN?
zzH-ged6xP;`{tRGAhA^_O2#Jdpm1y~+}6tOoL<;yfd&Y+1=A?EnJ=*99ompZRn_mr
zeGSVgK@)+5Et+V>7r~VMGJQLF5o#9Z2Jv?xPrhg=8Z4ykVV)#X&M~O?FEnqW0K3hj
zz<1M{ceN^DC0vC_>cSI*C_Wex_hN@#p-@K>Z}Z=-{2SSQD~QXp0X_Mv!escPPBBs@
zq<bws0Lk*}s;vHQO;nbKZ6sz<Eo+h+)qN4ulSEbo9zWZSJzn8-U6&2BTtkzUmvuFl
zn4=(KUUkWs8;J}`BDVGWa&-%HYQO*+{VYTOZ4RUl?kKKNc7=)BNr?>J=`Yz4Tw^@5
z)N<LMFk#eb&w$8r|4OArJIJ5bq=3Kl2ar~OFHo8MLc}oGN?vN|#=kK6EPjJd6e|*s
zU!bx!(*I}U8P0~r1%drSWm63U@EC70NG7!2_6YA4xasFmm=2QGNYOj8Ppy-fh;V)z
z;V7(21Hw*0f-T5*4RQ<R)^@DEL+%$vldN``8dEcBdN-+lC7W_?TVRGjgP)+FyDl|P
z=9r`(`S{pdI|C6@A#TYu?vY%Z?aS<i<^P(i_;WiRuGoo$e+$KFf&KO-Odq105V9<Y
zt#ZoHiw@nLw#$t#1IZBocH^hEpUrKmSGZ>NdPx&!kuLlYn9DabMB-To7x5vc4%ta0
z4&VO$KczxdK{-9(5}+V|TY4i_CG1BP_n$ziy56nYO&4VHy|{@KG%S7+Li?^WK58dW
z@hR;|9wD^<1Prx8fu?i@9@7{=2DBCfC8Ptw|K(Ev`-uQ^0e_=O31vn8*weZ>Bb3`q
zS_Xq3<tNSE!<AT_ns_gZt-SOtmN=vOK)(vzbT-E%x0mSo{PUSw$ql(Ia#0hns=Ahq
z>-x?NJ|34SSH)3=adLo8=u-8-jUmAoNh8X>)5|J|z5h&IpDd3lvwT#zMJYM3UR0Hp
z#>{KrF?l2LB+>gUR6Jhv#ieYTr&qc%rn-6~@`3Ey-SQ=m724OAgn4U>2Spx~$T8E@
zS390{0B91n&Vrgdkr?j6VmJ>SSNx9O&&ns7)xdjyRg^ybQI3vw_TtqrRYyq8cfU}c
zmvt?(Nw;VCG(}7hiG}x2CYILLJn8S0%l|C{pBHMJk_}`aTao;w@fFG7w6sF%pl*8>
z@06S?8e(o8)pQPg9reD4HtkuoQGD#?n+|^6K!-x&OEp7!k`tHt`s?sMXw+x+SdUZ8
zJRFsw&D)TU3sO<T%10Y7_=HNd(i~lc1@v4$bdAD-A7#;=x3y1?6lF40ECZSudL!0$
zY^q4uhC^8BSEzF2(WVe@NRO`gZPM{<oH%?9a?nH1EV(jEo=NIO=UzGVj>rCc!e&0H
zyBZo<otAqGv`zce<`EESc@>Jruk=ce-$jI=MG0~2HJw(p^^4W-_Ec+|b;SYHd1RrN
z#CiyZ?9@0k&;>U}=K4>AWIR>wvtEQe^tR})`d(Z@ZDf`w${1dihC#C81YZ^3_jB;d
m-~w>yV0}WrcTx1h@{&x@)E$$T@^!eF%PsG5xg8sr3I?`;rtM<@


From 8af219f1e0921c130aaacd412ca502f10c858833 Mon Sep 17 00:00:00 2001
From: Jin Qin <qinjin@google.com>
Date: Tue, 27 Sep 2022 22:19:30 +0000
Subject: [PATCH 36/36] chore: update token

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 80517e0a91ac28e439521502ede5f23e5a292342..2bef7d971ed407a5c67431d403624e65b2c28877 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTFk_w18kmI}y6zOFeg-{S?R+ixu?HNaQlJZHoE6!Qv9CPyni{
zhrF?}jX2I^-%CD~_{MTdln;ysuG!I1$1mI*hedJVkS5(9k4~5XLnMpVs7McE21T$E
zPkfM$FKVuwuyAIFdLw*^1g6PlJ;Gi@|IVX+L!6~s*>^WY^+f!dbA@YT`+8~R+h>1&
zH{e#7zIl0pflh!qv!dgpfCw>fHE?cxj5z#JASSy^5Qd+!uvxVQ1j&QGVz@-!=BsGG
z7z0LVB*5=KD%GSWlua3adV@#L&+M$#Lm<F}A{!IGQHb|gYJ1na)<Asb0YsKe`(}ba
zIZ%G6q!iJoLJ&w~0?Ezw8RILOmz44O$h}2NypL~q<M3{D0F?wh*ew;}>}yxJ^Q<3K
zXN;o&(Pw`cO8647BE7bJ4)D#}Gea9Gyj~TNIbYtRtUo8FWk7*WObE866%{nX^3n-4
z<eR$zXy=JR7rtL$hpRp^7?f7vDZ|ZtuuOexr-G!&ev?NvZ>aQGQLSMIiqO@jnFi0I
zo2{a00Gu-jo~2U~U%A!5Vk_@#u-kVTpJZ~?&IBE8<83HRqK|8EptRE8kfJ34aO${7
zt5~q?eQSH|5*aKCP4Da)MPL!`b;}=cLUe-Vp#bBY<ke*wlogyq#5chotjewFc#$ux
zktJxa0N&!pN<56{abzem*a4a1c|tE~{bIZJRtai==l^KL835o@ONRIM%~TUfiW^)%
za7i>6=y{OMs}u~ELIa+@Bf$%!uX{RRthDJ!q2K9H(mv>1^JPg|jc&8k=Ea=hhB!}h
zDG|jCVK95Y_d`DlaFf4OCZ2DkuXmX`PQgQhq`aHMr%gizDxP8#T|l<~VCk6~SAM?A
zY4OTOV>E-GmIUK;GudckAoDF2a=jjsf;fEaonmm7R3=?>;lA~gzN&Dw$Z};5?6pD1
zXR%lkG;3=uz05!+jKw7h%@fOjhf@R_bJ>O7m1Z+DMM{y>)%<EVk`+M`1)<*x${<t2
z&Q9ObfEc4r#p};qebB}{*$(z?m^-ulNl|FmYx1{Hg;as%Wb;;_-1%OG#G%Asnky0I
z;RHM>d_w7GcNr|z6#e-w$Rk2nQ=k}?OzGXZH;ez+6&FxD|2?V$68*62Yt~e%E7~Ho
z6|d|$P_eT!LX|}xNaHcTN`OgIZ~$6(xjfW-SE5B8QM88^SM02J_aFf2y}X!{ti_w@
zswtLF`xNhGYE<nvxb)KUPhp}?!VpKHn7U|LP+m7pAs5)GpYlzPQ5CaOyAPQHyXYcL
z<p1m-_fUP!1Mt1=RG@|D0aIfz6~~Z~#tG#e9=?B(G{KOMr}W+_$C1+ZG+N=nziutM
zaX>KG5piO2Ikv-LV!@603mLt_2e^z39|epp8rA4l$^mBlrU)8r*gT))?7{^TFD^c+
z29kHHO$NMCnQ<4N!`DI2&bZ1`OWB|d#>)s3?N{c5*;YlN1d%)NfQ5j&<dXR}p%hNJ
zJo&9t*W95kc=>ly$A#-jj$F8zFHMzSf;QL{e0l?pUe%<nQKU`XaBsezhtA1<hhK1v
zoZ`HT-zuO#FD{N0lNDhK!;LoKAji${;hJ}_dQsM45-A_7`XL}Mbp*3HMV2|%BIoac
znV2W?W^y|MBlU~s8Ql6hhl{}^BAwc|OwTmUL_W4BM0j@XRRbkeE^INY=QR`#G76DU
zpwNUB>3$-K({OJlbVXC3iN}kz15R6qS>0-=r3!)@S$n<pKZn3faNHTkO?N^9w@PQe
z+B+9(Oz1mgYsfdU9O~APg(xdVw}SEWUd-!V9T*S^EcZm`M%{<;#|T7|8wBMjUWi+h
zaLz-*)TvCJ+Qg?w4xvy&0>|D@thNnFcnVPig4uCG%?toi*2-5X>XNtfO527&I+7F0
z2yIo&3MvRCy30WdCU#q%j@o4paXhm{Na(!oS)2fL#sG<XnW6qoh;UU51j1{Wylmzc
z-9WkaCF{C2P=8=gI|4aPY&99-S`=UNJ~(@gY(fil8$hYt-N6SEw=w@UH#yFOJKmmD
z=-yc{4d*cC6u{N}W%9(@*tx;WiyQukgjw}m0lWcCN3A`v66njG&5<JYUh5E`^j3&7
z=_nqD*tW<iwOZ<EknuGJ^im;^?@S&Xi{G^2KM6#r0P2D5O>PfW;V`*LD49S@48%w9
ztqq@`=_4df4%;~wd|St>xX&Ea<v?c7XCYv{NWwi-9Hq33q(Lktc0kWFYU8&SIP@V&
zmzL5x%tiL$^I)dy^;R479P}v-53UA~<d;Em$#bN?q8C=^FWF?vfT&o0kPHTX88M9c
z9Yh+G$469&;JW4Uf66O;^bH259?Kl8vaqH&-p;!UXw=^h#Zn^a_bL_C0N6^{%IP$3
zb@gmSv^rHmya#j=tiy71C%0CrA(w{!`l)BePy$%~TE<<X4Itg^^DH~jo~(c1m(1J^
z++2mOakg{FlO;&oIBD1v17kT#Xv}J6GbDHIS*(cO>O>s?oSUkDY|JKJO2to*NN;z7
zUTAJG_-*umn2UtP0xt>y*Q^taD168wi1b=-<{|=xB&A1*x43q9kfE;g=D<<u*Jx}^
z>3ML<@<Q#QW7-e0;Q{jyNamcs{ZsJoVi2m%xXjC+(4Vk8yRR857tfMF{7V3K|LhbS
z8-B&%O>f0V2CyMWnHUt^${A_IQ#aTBita!i*!)_;u{>VI6Ou1)1Hp)%N7_T=P$vik
z8|-c$d!@k!hC8b=wEYOh8T*eBL3)k~3X$N>)DcKEccqtZ0}ot)*B4HoeO42ky>cYR
zc9w}%G{&m{L6Qfq*kRsjSDDDCE13G&fB)?ln;FK*gW@$9LnI|bAMFl*y#x!rVIA6F
zb{?=Yk#RJv&zVW+iDCC;8ociGg*}D;q_q|Ui2-=RIb_59hUM?%mmAbbg|ln+D6H%#
zE{r0n1|DV+j-!!oArxy3X7@2hw@=jV05oA>amE%QSZM}(ZeB`2q@{qz<d*?fmw&z@
z^sC?GEEU4^5hddqN9oN_PhT!6wC3p&#jWhAeX7JMecMpprHMc|>;8n3p=`QNDfTSE
z^HfoOqPCM<WZDfKtoO9;Qr*FEGmP!AaaJvyohlyB{<LE;GJHU2TbOuNyZ4=FnP`4Y
z2tty&|L*fIN8ai8P@!BZfE=fT*AFh4QCz9%<boLdl?jjMD5_a*4r?EoJdM2%eyf%e
zck=tNx&Bj7Gu%MG>D4MY<uZe@#Yw<7tjdH|n1fmVL9Z@WmbJAeiFmkyPVm~NCJ-g1
zXUVmKffe2YgYqkdzEz#L$Lm&^eo>-t5^JrPg+o*A5KV&2T&_h%(frx!9~%B(c#MhL
z*80N;VK-|@Y21k#6es087~&B%vOF&1NoG)ZNuBQqLOwBa7z`u&-o%3ww@>Z)!W)`b
zr5atZ5A1(iYyb7GboVfvx2@|`sO>Z@Y?q<Yj`%UdcjuG8L~3~rZW}|&h_JD+1A|8I
z3!U$1I^YEY?gWqS)(9;q=c;Ll+&^MRFR=9gT1ZnnixLhMz#&F6SkF$$B;cPRcRyru
zT`Tm@s@|}%x8xPP<Y?@P0IXR|)EOZDSFR%&Gkig10#SLyC{v%i2zYYprWLg<UX00x
zc>5R^Vc~)I8~4m1jq0WPuSR#zQM`Fl)pa{6H!)6AM&G-yjLIO6ZE)<<#*&CI{~DoY
zmW`%0H!j?OvYJJR{0>NlSfcvW>)eY(0_+3<m|XPnY<OvuH?LH2B1sLDi+f<1jQK>|
zL|~7>0CIo&fALZ{&r7^#-4hTV2kU=_XD{Ar#hPzb1PAYVA6Q}Il?0TY5+~L3#A<!!
zW0$0CS8$bGsJf-__oJz~K|!;<G2R*q{{&T>SEuFb*MVeNlk?~Z(&=++?{5mRGD~&o
zL<lMTRX&&@y+`l7qrz@>m#p4=Y+0y}k2jizf_T@J?9!%9LTXg&kmkaQh$RRv3M#LT
z1g6VF5D-IyF!m9@zZ6CP(d`%)QPXayit@{%(N^D>;<4?lC7Uh)Z<KGstH*ZCdrRGe
zSjhde7-~k8AO|l{a`TFp<o<2#S|?;T2JX?pZE|N6ZiD46={JVK3S~%2Z_|vo{(Z1o
zG|NUdH6p7xAu7fWdL9wXs0w@Wa=xe$)rI#}K?03c^<6ci6h}<ZeG#)NPMHy^_pMz+
z$K7qP*5H=~i$m(4`H_7y%ChPFHKwYva5{!CCM$h(^2*_8IH2mhBp8io$Eui&r4*}4
zZy$E@HKX^m#NuG_z05k~$6?a}G5wPHR3SS7vG^_g&{dMiM1+x$)W1u>E*(f0w)S$^
zv|i^Z$Yk<@BEiH#9*^L$h_G%!U8h_}3dX6e#YEXqs*3<uy1N5?>eK`_#kSWmA#P3*
z<B7`y6?Er*4>l1u@^;-=bAxw>IN5o|#&I{2@7P&hFnuPRB4yl89=mYdNl2+kn7<Rf
zBwE1t4Stjz9z_@koGB`X0@is)*?F3UJNEG-+lOfgB<Wy~aEzehB_<p`C2yAH^_~VJ
zT?$Bj25=!rZ>6dq=zEkr&xz+`@v${TpIlHu#dKC*pRzWfNJ*N69Bl&AjLp0U{kj{U
zDZ^X@CoI>3kcFO<;6?glpSt_y&EqT&W8v1=WY^`>e(@+kDLs$no{S%uWI?HRfJGLr
z&${XSG23b&*2Mu&cJ99|O{I0*2~mA6%_`xn?aRg<=50fbfGZMmYq;McmeX|c&s$ei
z*8gQ{&=kVm$;#hU+EOV_X14QXc)7ST=Fn5T#py}ih~C`yHyB_z{eFG%`d`h0X}JW6
zUZ~8@*?9m3-*GQgDPIgPG9PB_fkCoL4Q0Jb*j4+0Qjt}ju=NVfy(c;{5@0?aXJOJ&
z(kgkp!w?nW=-_`s4Exu1z4zCj^->}iDu$O3s9{rYR)DK2{`GCxqVX6&EJ9o?>P#s!
zQqR^9KIp=Au^A`9(S-n(tSETj<t+@cPI!Oq3`nC8^TKI+Z~OiemBN}kq%13>PyY${
zpRKg}kx<MfN@9An=txA>9VmWUu9J}j<n|X@a7lir-YpYfsH}gxHPI|+8#5XBufc4m
z%+72XCaz7-h^?Ph^i%w*Bt&dQgGc|(-QtHqTiu*n%24%K<XsIM2kc#mKrF_JgNgnh
zE7wzAMQSa7tiX8Bqfya~GR;?1eJCxW<h8NOf^Y4(aIo&w6_WanGCSB47g%)gweE|?
z$|Rx5ET4fx4+j-`ZL#}s#AtRKKDX6v-N6*Ruag8&xmFA;3nm|bh&xL23Q1vOQ6=pz
zfLR0<rjj_n%SqMiG-@-<`V1OrExTYi`Qo}qy=<8z=cJ}y>B;EJPrs95d;aQ=U9XL-
zKa_$k`_zP7?Q_`{W9$?N?5ftm-mNcx#+mrAV(rOH=`#@_A`}FfPwb4dZoPma2t(~U
z*_yZqWsa@v`#7>fz{gzA+`Y@}ov%2Pmj!&!G`D9Fiho{yz<%c+Gls%u<Cadei)Tmm
z)wMLxy+&r=WUiLDPs>PXQEA?j-*P6dh1=&7BtM}%<y((TWKQmv6RKE|1|)2SwHLFR
z`j6QXt-{ExBt{|0zu)@e(pIBaa5S=q*p8EftV|Xb;E^!|(-;VCfVKyoM-6NcXZqRl
z<s>|cO*H{B3N6=!jGuOUVWR~+rk!lCDCayh&QBa*^@xa>-e;DME33ISgl1v)pCX-f
zr7&B!%x%P3@?MK0XZkd*d8>?Jwsj2!t;x^G)Dc6>M<diZ>CyWx1EnInjQIp~dYKh3
zrM-cc=SLHqk$o+#McQiz{kz%(Zb$!gCrh`|W7)xAgsJ{fN0%Rs((!G1Fk2`dCYKmp
z8@+Cy#IVnIvLKg26D%X(`3|*d|AGjy>Tku`gnw4Hjqxr)NFd8`k?ml(&_Ixj4rkQr
z77bBdhKQd3AN{Y``~(EWq+8-??Hd5edR&@72a$=XrwmmBwtu6H1Wu2B4l}xeT*6jM
zl8(Asacd7DG*m@2Pe<kp4Km;h7ME{|Yyre8!Xvhn^&!sE4@<~Df)domq7eGmp`BE@
zJsAd#S#|MHj#1RMj$=RV-=dkCArInHSdN-zIlpMhUMUJL0&W$^k4{2qWkq<Qfk{yw
z{d7C7TaY_&AD(+ZUtZf~P1!^tp2&a(zoA%!;0&0I9$CiH_RYxm;F;&vG`U}4^U5mf
z%gfB7g^_r(-t9uSbb(OP5;aZOGMDY1T#Zu~R?!87h3*LV?Mj88nn<^#?4020+A;Bw
zB`1zu09nMwq_<Xl8X8WRz%6$tnqAp?ykeEOE_kI8^CkQwFX&q}T^6IG*Kqi`L4e}X
z1eJ2Wp+X!H(2cKtm&UzE)s6?LZ<qV#9yjdmV{?WapDgy$^596V!|8G)8>c^un&LkI
zwk!p^V;`G8KeUZ-HZTathC0oTm$y;S>jMu|-216b6C&Fr9=C7qSpaW%*>YaQSfGKj
z_REV1jC@r16inqdUDT1o!2U34czKL;3d$W{&NfEsf`ki3K2SK(;CE*mr92tY02xKw
z=wqt^{zZ*(+pc|<;G?69MuxU=WADrPIL<`*++&NVsN&=cWoc^RmYeffoYH%?SnB&{
zz%(RY2MHJ`i;?rPcCg@I@g95!00osbgwZi|@`CdD?!$5lYrCi{v9<e9j5F}_VUNz`
zJ<mGgZe0i-)-(7;P2_tJyNA6+5#inG0NdesrEU@a9ZpeLb4#>tJ`cCx1X0!`%Y_H{
z|1s!6aJBm9XJK(R64s5OVv?<cgRheqwuQ4)|4g9AQAivvGHt10p^;AmWJXK*M*s!C
z)A~m+U0JycYr}m6U%02v@<5W)TGvb<DbW$KNCj=g#ZCcp%+<t(`Z5?b{Y@UwXIQBA
zNNm*DzGM%02v~)W{8<8~tre5I=>a{c(XBToDqd#i!)8N+Q~osV*C3VM;7n@-3A)H$
z_X0YXvh=s>!RRVPU|4Rr1~5(4GzG6gp~Wsm%OxMUV6?t7?_Wg>WiI23U*kmlnmo2C
z(iedZ4e|`phZ&r@6Esy!C9(rK1T*NRG@_nD^%cgLze?v->151;Rh2pQuLX~9$M0#m
zb+i5ROQGHK+51_`6|~t|!#~nNCWYtn+Ik`VZc?V<Z?c6B%R14j1<8>;#lk3^le&kL
z`t}(BXnEZDAXp2I(V&=N7=rk-u==B$y32ufdI8Yvi?2)_)WM`;K682z*Et;#;Ahrp
zWHpJXO-0K_rRiIg2pl{UF5bXRld3G^%-KZjr{~{8&LznFPiWXD4%Smjq$2wLO-MZY
zq%{#?%+ddI-y=W1vbHI(4STuKG=9Q7H}!r1y9+ntx;&VP{TcNR#Y9jZ6-b`3qKTqK
zqCzFB?@9}#qSg?$aP{+SlEh!;tIuN)tEHBk7Qx1i2``+hBC$>mZdL}ZeGO0cSMv>Y
z@!VW>WvIAhI=twNCrX{mkDo~m#%0@e#B99%Tb$*}!gg_ga;9mZrt6hy)<9M~y<zL(
zWzsj?4??3}GSPG1S}c~qvpLDbQOTNLOwj#(fr|d_kAuRnlA*BDO^;_ldZH#{4{B68
zQ{7f14%BpZMuvao-F|OPJCRem>i0P=apT|R{#mmf$`~YCbwE&ywSL|=Q;DkY;06h;
z=;<d^YKRvc&_R5>X0+r#f<IvIeVbZrEz<E87ph~=2BJ5+M3=GO@Q9o-%l8&DlUUmp
z6GV;sdw9Cv_@GJ{jKbTxttsx4U;Yj&W2$80VUM!OO`VI1tj@`UkkO#U!^sA0j(Lp;
zoL)vBWvOKb0rq<^ZZZ7x;4RCxb$iLBG@VN-?H|mbDdc>j$>Z=Ym@FIEB3J%a6;x<;
zsxH#_?6j$jCV-JO?8||e!z@}WHU`t(wcaICHA;;$hUzxauH&l_t?(`2;ZwDce$E4>
znZ^xkM#N(g4rC7!E#Z%w3rO>lxmzc8sTD|Z?!+}D-Au*Xp<pw1gej%0gAa!o(5%L@
zt{i1J4Q+h7S1!m>+6w`9vS12yqX;;&$&$N4X4E;RPk(o@u^*dV&Vcq)5#wq$Qss_a
zc@J=u?eAmiw8f4{p3e!`@ZiFDwDZ!skV|;BJLNP*PI=rivxly7z>yG8t^fRjXTm`j
z;veDMqfmcN{+LD~9EPXh7-fuRNT3PO&DlJ8@VpB(QYZ3U8q|b{B8V3P4a-%5<3=t0
zS3PR8yci-!J|OK!v64VAs041)m1ffP(jHW^PeZ?$kH=@IZG$P@d1X#3%))=ZEBTg0
zi5A)DEx+Gg;4w*k_?XCYJd~t#l87{K<&pVG0OGi$!={1=ZAnh@=JMQ^bpH-rkPCs<
zsF;WH(5AJQ8*712F)N12H0v9NabF)Ayz|4uk*^*!y?{3h{r@)Q1WP);GI~V8Ii8H^
ze;~0Rn#n);&WYYv6N|$t><Uv->G>!k{djVS?(O2Zq=9uQD8_eKQe5;RB^l2Nc;0rL
z4hNzhBxY_83zM0w)RKzSki0=r#~-%TNd0-`8xQ$k4R9kTj-s<vx@2V$%|cxcGyydW
zaO;BJm;y)H9l+hkGi^Rd{gD6nF3u(JHx+zI<rkzbnk0e^ZKcw}YC^cEZ%w!#7HZkp
z#m)lP6-psketQ0dAzU0a3b&{!%l5)$i{p+W$zwk3wIxIv_JNa>6K35dUn6#Z2L7n&
z5ZEYlj?7zZ5-#_QL7QV<O;9N+b3xYhs*i;?Y0svRguQ;n-a(hIm5yQ_#!aqN@0Cu|
z484J8NpjZOGXL8ceB@2s;93A#vsx#gTqWQ$>u;nm^SUz2h}cL9<S<ej#rzVIF}jTv
z4P=R@EIkDrvSBRhZdrN3d1lr~H0+@i!jc8K%wX^%j&s=mnIhf0)2gJI`zL*rfb_Z8
zb?+*_J3c%rD2e^iLh`eJ#VG)FoFQ=D%aP2ugES{_rmq)taO@E6MNqGSw^18dk6Fa{
zi*}NL_`UULu3g)~=ztvV0X);ydm-tTCNwZo0C(+v<ErhyesnBxN5QZEx8`ell!ZtL
zOn4A~bz!8~7~e9w<m?9?f5T$i8-dpm&g%{R!>L(}Y*;S(oZIaAfn60RhK$a0-no3S
z<W3*Y{7y)g6h}hsp0u%L7L;G&)T7lbQT*+r^%-zBL29nUIT0+QlN|h~zE^FL!b7D|
zV(@*B-?fGjI{yL2J!Z)2*9~%SEV<sXentETphbOrC?e$ab_VC0=L=l~W{Qrcb(W(y
z3>^o37)|kD8@V84340;|!!Gfl_21R1H0g!Iu;)Ai4=2Y?MdmD>Q4|sKcN&PLIX7hR
z9eV6>F%b=SOHk$K;{%Gk!WGvfDqqlBm)!57Zx^pdg5GU$OjZ^)+)mPY*b<sJbQs(b
zV{Nt6`4{In_WbX6DA@$0PCB6ED@V8IzZG(CmAeEBbms|JnU9-u37{h(a8=So0&=2>
zl9lJu8_qbTKVO*AT%$f{VT2$IdhI;V7XEawWa{UL8cbvX4fvLJmna7Zgy?}#>e>*2
zY{pTwRA4`3pl87`(+iC?lL(e95Lh3*m%|9bLKdaJ!q+CkfSRwRt=sWo`u;ZXJp3$2
zHY{Mw=jtyy{i8q55(FZzyz0~fg--HlACBOC@71#hCKZH{<U}E})Gc!@4#Drw&mKX0
zX3VT-0TX1xHp*S{aRvgtg>?`cZ9Lw1F@c0wGu!<SL)=+w7hT!S5qM6?W(bhE<ipp?
zt!*{QcnQV@JpNFc+HhKy>#=ka{Xg}t8Zj48CL!f1$R~f^2;eq?ZWJ(f*DkX>*gW0R
z=B7uvhV%>?d6I|^B341WITNTdgYNpL(L$8xboKv#u2oxXwMwWk>n4_T-F3<1#SmrO
zwV4tLSj*X>%J97^l|G;Znqlm=*<=LC=0D@)%g%-N`gs-2-{6#{A5o1B?8rB$mFN+^
zC6jUbY?(9w)9*&ORHWRQBDY%8wFybBuyLDN*tci1WoV&=LG$IjFn>7}&&>J3kWN^~
ze3BH>GP^3jWt5l5T|pddrZc85axF2fDMvCGbr1H=<GF$bphN4s=CN$@jm96~=q~}V
zr6rRs3@W3u{jg4Ljg*3!Q;bh$|0hil+L?xhF8=z!!<&~55=<k05;Yag75{~h8>>Vm
zPxrhEeA8EUCN5jKrwr}&$%o1KxpmUomOPJD8d+K;w0;EgB?|%pB1UC15*hqeXZ9SX
z+AUTZ{SUvo+r(rhLjVk%xGV_~t|eMO_a-ohtEWzn(;AH7kVpzacG-~~3MNIkhA`7k
zqO#8MP&6SdEQg;PZcY{Xy;0c<(}C2>r5N>gu@)MLow8BWBs`Vw;O+XB_E-7-rOhox
z!|P9PvpLG|I9vEljk?Z|FrAI<Jt-hcQyYXEs9i5MaJU3kQb=GlDb0wSRMzex`kuk9
zYd*4sYS9yt)Jbo-f(p^4zrBuAiw9(`gZMwpnpz(2;kZ2yf$DqzHLg<4PK2AToOolE
zhp$msU2J!06`_e6glxAWhS3Z$9+G9@lxt@WQDJp~K>pg6m%HDj?;S>peFyr)^^J4p
z$5R8M@HzEh2z9I{tP|H*?1BZf-l4`un}^fW_X*#B-#Qf|90gPOyVz<jMqn*djBVzt
z24b8ScICEXI<`QMg)>7u{209@hAr0k|7{Z;lNLn-J$3#$db>3rb$tjpQR|yd-Y%0N
zJCLoJQ>5sk!9f!ps@=aghb|)!nV_-k*?rQzjQZp5g(6PY0n7?xw~n3z5Lu*q1Atn-
z-4_#hBx%u~G=1P|eXl`c+c9k!r<I8zX@*?b{q#Fodz^FospH<ohd^8s?(+C51|wsW
zVP|wrd_fmoeP8a&j|kkaw!^#&=~L!cHCXQAJO~~zH6IcXEu$DN8;$30K1VOSm-`sM
z?VW?6RcMaXccjuZsx-wQT%~p9o(%IWo9j`O58K}<fI%Ck`W?51T11ONpwd?>9|b=3
z^vs~b$m&QxX8S_r7QOPu0r5aAq2he)X>mrf2)Hbw@A;_p=g;;ZfbE+=kzX(wF(@+|
zPD<@{*fXf8=tpVfa4@r%c``magq?J^=&F}23iRY)yqacd;Y6Fp7BtwCm>SUMDyVeE
zka3+M<%Mb&!%w&wP8Dw(#``OYGG43us>E!8$QKbWlgF{+PPGyZEA7?5-=7j)gH`x+
zE5MTZV=LfsJac;3C02pk(RJ*s@but9kh+9X@mxiXpYdm4RvVdkm9&8-tHGoK)koPx
zb704{X<NXkp#3{qI51?bgRczc!&EG*)|~ZaCgG9OdH|jnbbQ<{fSyW|1ZY50WGWkF
zlAy%iD;qOuoI@w0r<zlKQtAziC-TMl-0ts?fWr;Pn#s;uY5714v?oU7MZ6L`#>r{+
zDZZ1_Y4zCYv@pZj@IPVw=$&Nf@d#ADxj&8rU*^GIJx{YvS5&99vrE6{p0VbNO=V{{
zclCV-Q|lA5Teo}KxBcke&h;<+D}vUc#G>YY=FzV?0<EDX*3$V~+k$zQuQo7&tM8*8
z@?;5<=$9XwXIuNL;1c2HJGHf1c4ztPY1Er((bww**=F{EL+O2U`0KwTS3v#Sv+_+J
zPrikR16Tf&q~kPMPSH*qxcFFg!Eip#^%qK3d_#oYBxe_O{v0grZ-HT!3I&L2lCxcZ
zFKju?s`!8k<#XfYzXo;TB9izB@szEeDZTPIQdv*a+;d&PGoVa=WTz`N%B2`60R9{)
zFL`GP!meYY_43^Y3H{W~Cya^z=L?d2i4=nqzLJHxrKa90%&L9&|LkvP{k*}rWYhYm
zIfY9i4$=cURQq~Pf_7y<bTDk_1;kJko+2aEtNNChK7v0#hnZYK2Tov4N-1$l*3@AO
z>Fp`N3~io!zDt}|WK03m9KHw0(U;re<BY>_kY2hTO5^$efu<<zQ6Vb>P8UPqViTuk
zyrUG?t<tU<r=&GZTZYhobe?F1HFC`00MA)pwY^-HUUv^P!9#rP*IGIagjFGuB{SeG
zb#F)2jUe~oq56eSjUs`G5?ik_(LLY7vD1Dw`28as=$qrjWyR9C>c#K^%7hJLGNY6=
z{<pq)%>*;a9!o!^1}Gdh#CVe8j#ypb$e=`)PB9#2ybxl9!#i7m)2P{a+26*emEF>Y
zIkbkRUNn|}+bgMWmR=H&4M=9Pk*CosYw9}h6P!}Zov=I!r9KE4?OG+$m$-9Ck(Pi!
zOxO%Ed<ZI*8%|cre|G;K`pGV8jOXUaQHM*yGa8^D5%za-Fjtcw6kDF~8@3uvjXTxY
zMzUblhXe|{KVg_WLTPpNmg8U2biJSswatuj#gPU_D~n|rMec-qc&956GnQS1Wqlkz
zC;fSdapH9?d)L6;XJlq3;bwE$O#pV&Z(X-LvKo_onO95)F+7F$D=wbnmh7Aya84Oz
zhNbpHpNi_z3>3`PTSc>25)<)`SQz2HkFR|{uuRPPIwbaAPoIC;S2JmnfB2W5_gh*e
zjZ^MzH-#Ax|F0fv?&ekG*^o1KmU(%GTpM9#(J44%tsJ$`C$_k%#TmI%Ag!m2ER3*b
z7x$&&Rx9k7`aC%jX>0aZra8d~Rd|2^aoWX&WXi;wq9Z0prGEcTv`cOpKxAUK0EmWF
zfVQglqm|^MC;;ZW?EB7oa{3SvXR~=jf0xUu+alu>_Dr3n0A8`0l&@`AjX%wmr93!F
z2L_$19N(<_5FOS9+y8vmR+t;*;>?v6h0U20PgXq~H4{JfF&}t{ib=PM$B>!RLqy$6
zR0DS1Jo13i9tQW30Ct(5^h+KR<$mZ%UbeNd;vsWW?_wX1mYRFqW)NYz8XGfGzg!c_
zXtHI2?#o_T&vhyYbu<2EQiz5fOuZf!X7%nfNo)ywD{ac3bz+e@%8-^&?t8wLzTrl|
z&|9QktxM?(Bc%3G0u-t*e&eN2q9D#E8q4%bZA1utiVgX&TAgQgID~p<%>bv`J;p86
z3{}6)qYqvZ29x3Q9cbf=IO}ch_bL5iY?Npu63tKY=M*X4<uK#%Do8kQj-fu--@kK4
zW+ck;Yf_#V0}GgUI*~hCNrIup6oc;zuua<#D(+LgZhWT}{$|Uk)9Kpy8_>$M%Wi0~
z-#}1dT%LW<D2Ext@W#KAWa@*=v!n9{`Hdf-^VhWAk1#ApoLSeU+J+|BsYHhVBB;<G
zSqnb6Vdl{#)UHbGqIjmuCv}~ZkBQBNf^^{h!{lHTkQ^~>PnmM#>Jw_vLM462P~xKR
zNS&HxzKQeZf?kJ}vIzCQhGpHWJBVXD)sD`nS~UHRy&qk=aC)rA{5UjP7{mtlN!uxn
zzy240|4rW^%v-}@gCTPGSd~EWJ3?*QDv4XjA)Tl&YeIY~FBF!xydWlA^v{m4W0}-r
zoQ#_a<E*njKsRxLNO(nA6~e}rsK3z6a&gpwHTGpI!7+U$fC7o31pSqbvcJK|cItdN
z9?X_0&6@b`0C6R=rCuj}IJ65+>7+k2W2ol0K>R1^J!L!fN9h8V*Dr(UVfT!(mmq^3
zA_9)pdb;qlZ&0o;R~UH!2sfinORU?XL0-<Pg4*4&kCjY`1FKH&sQ5EY0@vY673kqm
zMgs8JcxN-O*r1Div*?d4a=8wpiSGvl;d*Y#$+YK0mRc^08lm#P3NC}GY#+|JH5DHd
m&ObF%dEF$+FWh>^-+5=<TwR_47^&zpSF)X6t{<&CK!`8<HYl3_

literal 10324
zcmV-aD67{BB>?tKRTIzH96*5Hpyk?UryLpP{LBn4F@?F7;5Yi7@@gVQW4scoPyni{
zhrICr`rj}%-L7PoaP<g5&Rx)2w^csJOW}piLADn^>cT>oc!}3TG_9yF;_<569iTch
zgo?(e{!AU1g*}u^_N+v#I@{(-Q2&^NY!pzyhHESSzPhJ6<;+pnCvhiS9hWV)TD^nn
ziMzJy)9qn<d?7=a^0FWN7VWXxla^F@A`4Od7TTtxrDSe{SAh3=+G}tr<X6ilK8iqK
ztPM%1VtY2Z3%iNWCZll<DI=}L_|%S~(zLEvW%e%BclE%Oq|{b%E*U9&nbp*UvuyU)
z?&qA+%X9ypVCF0|%it5*#lLr@h%dxb!$Bxr7kg_8rf9hdZ*SiLhKAu{@G0Bmn-0VW
zJ)j8o029F{Vg(mg?P7sVgV;fAHoFXj)P)X8-qt!Xdd6b3PJrxH<TGt{CRb?!$}i+%
z_1t2bSVqXD#O82D^pfDJ8HBbv-p5TCTeJ_HZ~~vak4nO=V%V$9ZzJq}=|AvAnQfo*
zR-6j!8`l3O9hiC9?7cl0z)3ZaMv~keVNNiqbuEQ1E`^XV<gIOwU5Bc83OW`9A`@^1
zNQPk%NV|T2RDqf%?ncw)QQGAZpHFkTDoUMN2viM=yb`a`H>y;6@<dsk3h5AQj|x}a
zmyb1Tmm1}2I7?sfT#HD9?#Ja*`f+U7DTk@h*krmugc%_huN~8W-z&GZztd%1p<M$@
zo9&^0r!aj04xc3IAKvF8VznWf<K$**H&dy;&}|Zq&fG!6-u%_vQfL8y=m~^R^L5&j
zbIzY*5t5rRP>BWII8cGxKzqTJlU&pEM6TESKNakm4Ci~pLvAYXCvcHd3%zkT8z{gV
zb)Em0<#*@P$xW`NM9_-}a(Wc8!zIL76VhYD$+H9@R+pI(lKSs}@mVZU9Xgd6mtC`N
zY{-~#eY366?pjMpnXHE3hZhF5p!F-V(})aiP>#VIEBc}wh}}eO2{4D=w%g7r3TaBB
zi17oK#~Gk9tPyWG+XrSYf!ukK+JBZw<Mfz@GZdi(b;B_tR>PHF*4PYiTv<UkwMIJv
z3oWx6@+#5qv{u-JJ90wG!OhZ^>_l4^fz6eu0}K6C2WB1mJDS$4V#Y<_2wf>^EE8b}
zB{t}^9hm=03zuW`KEfW@kxoULiOX)=icC^T=?dTWdF9gyJxdjWF##`Ls^HJ}Gk3sn
z^~ApJ1v=?&2CyDAKx>_Hdfbm(sfK{>j$KE9p%Sf6;3)p%H;PDNAiDUKxfg|t*5Q-m
zzGxg<QK<)M*eK*hqQiE-i1vRZ4b%{aKO17kYY$-4Lt59A3?sHY&8?9wubf**G}+YA
zV&m0;_*jU68_0eu@kgl=%l+-_A?9QM5_?R964T9r^kF^g&c*=<Gs*|DX^rg2@8=?y
z!k(qN3?e@j{bf*AdcYgaqro#$m0_H?ye43NKplOn1>jqfXsgPV0YCeiN_X^0tH5NH
zZLzfD+m&m!toA&wR@PRp$UwxM1Fs+xR)_!~d?(&zH!zG%KHV{cE4w<R@q5gNRsQQh
z1JWIwu5x_2sH+U^*LWv{yaFe%i6)Ho-e|e~4s8RWvt$NmLlr%tWm~Noxk1WKj+fY8
z<5C;4DPY&!dd()#nucE4?Ns_=JB?}1)M&k*chl)y64<zO>N=z;1}<6AtZ@89tt3xs
z%Wbl!VzEeIT`%j4h;To&Z7sfxx%*i3{nr+Cc9k~|!>6GTDe5xjtkQ_fxn0U+%~Y83
zh~1yyeW}~mXH=WVx(;6+?(z#bUL@i_I)R)~Ipq$h+X&!^?sa^X-?X9R>TJTvehwsq
zUBr;<!I~^qO#`iiR=|I_9yDQa(cjRW72P~yhUuf(zKW-cAPed3sSuv;pr6o>Ix8Fg
z!5R<nPBG^}d@qU6WpUB8jeyc#ksY*r%e*U$If=fs$Ad^nUq`?Dzr~LlwUR<<3w`mV
zfAmI?f6Zi%Mh?U5FmZ%~YA)~}>hcMAyljWv@pxPd4+ROUJwhIT73Pt;>u>~5wVrKy
zkUh9XwqpVy?tV(tf}6UO0AGBh%T)cJ96wq1CjOL3F-wY^Z2da$-eU4=@a<lOL+F3?
z(jFD>md163$XhH#WE2nK>Q_KQIrH~wpeQQJD2(YUZ&?7TR-)knnNwRfh?;mn4v!(q
zh6M&*v2>~zsSlPa^-24a=Kh8A>8*_@qRnhk^U1JZia~wnhZ3j@LUZMU%Nn#^6Pst8
zobYiWjfgB2geB}G^a+3PuU?mnlD~aY_YIo)tUg=L<tF5E=>aCQM~vy&SxcjWV!UE1
z?GVx$YrhoyfypH`eN9F_C+VP1z0}auQ>bMaJ^X*z2VFVQNN3Q{Zz%}N2<_T+t2hyQ
z;_oJ|+QY(SGMm<v_NRt_Sb4X>h>@Bsgg5*kBi3GK?nL`rtj0cbXW)iFFQgZ;F8xtj
zk02!!8l)(DWQ+6@D1LwEYL`6#N+DkqhG)P0ce{oiWU&$0uvdRmeFG}Ueo~ejrZwoS
zs%JfNfEPA{b1IpO=n+%C){Ia*Y^TY<=)et^CF1oz&gLBEoP;C|IT$xN7Ir6Nv^ep+
zE{E0Vnot5UN-y;h5sd)?=1ah>zh9*+PdsEUwA}V4(3Oqj?NnH%nz?W4RCb&M6Zw1l
z&T@B^xVST~Jh6BlP_JvSAJ?rWs!PD0Nx?VwH*0lbXnndJg?mO2X2t*A*7*5ZuRq)6
z$ij<TrlmFkQotR#{$1h+^0W`9`POT-aMC0X`!|-IJR2Sj#$Z2pYxL2I5dgBOe?=l4
zoRGdN5TM_aRR#Y?L<wvzZkS3l!!rCFR@)GC&TZq)jzx+O=irIZuwsK+<!SaPXVoAC
zzT@C`yIxsrHzYvjTi`D3&Lr2%8my&eo*aM+M`$s^8D-f7MyazZTV&$$FSAgbg(SL%
z#c2@^nWtPo!^J20j^UE;FdR9}R)8uq#?zZ|D3BFcT_86b;pU1zY3AektpOklY!CSs
zXzEKqB<+8Nhg6Z=+`7^ek|)iVOrP0QNtRW=E-!@FXnA$EE8DGH?)vkI{b0ikh!ejr
zc1>#p!7u7u+WSm2TQf-8iX)wXJc|q0Nsf~XFq1vMKrX_l2@)uGbkG6`FDR-&&+c<l
z{cNTPy@y*J66g~k!_S3TPw?~XvzPhp+xd_iz(yBDU*9NoN_<los%QV)E8m5lj>Pj{
zH;#%(mE(!Bwv?N>c@DY-RBzvx(q^YLSY%TF1cw>sE1#=Wzal*Sw<E+~I&uw`MwP}5
z+t#sa|0CbL&)Etp6#b1B4Mq@llZ*6<LPP?rK^RuBEY4NpiyJs&zB+RwF0HSArrQaE
zQFt@!qOuMVDs2PV!?YTc7dsS}8<OG*r&7KcJ3<2`QLB=Cx&dQ2r2(L=Vp~lN2EsXg
zRq_C~=J{y3s1-l)DUj)*V?X&?IdNk+%s#3;tRY4@8Wh~sM+DwFOdDKm$Bw9S{9r3&
zkfs>`J+NpPu!tGgu-I5lJ_XkoVeN*+zSjllwBF|@;PL_i)FU2@fqtO|Ydj&DHA@Hy
zE)G!E)&6KYQ7jZE@~0dP3@?SEU3VAnJv}*urD!%>Y9KkVtkzx(R09nJPvinvo{GrN
z!O279JWn6eLL10U$$lKWxd2Tp9dCXA8%_xMK48ZEHH>p7V}IqUWTFk>>SQ;s8g_0$
zMy?AkQ#y@2f!T}Wd}InOahZV_Pu#g2_n9swK(dOKj3<;_7pt?EioH)mj?1MSEH}-z
zY074dk6GW_m2^PPt!CkMw$-1$N0RIoCsaAPBJtjQEeVQvv5<)S4rK6a_>Y#VymT0a
zktwJgwUOGJwy%n(C_j&1_a?$m_gbWS)!c8vsH*6%|0U0%g@@u^V<q&kreYd?TA$=M
z(uILskWfBL&ZKC0qu_TzJ>+pib<;;wEq}6IM_EfaaEc&OH4oNF1GLHZsu}WUe(7JL
zX^xr(Cf`C30p-0xmxtb_qLOe7;89j=(`K;5GAI2Q|G$Fe$)cy;+py|`c0)7+nLu5Z
z>XT$B$ZI#v?%xfE+7(C3)hbi9q_-wrtt|WLcTk=w+0U~&E6qI+(^1(LCdGG)2sqp!
z3-KaJ5yz{UptXbY7-Nxh9v-9Yo(!x>yy{<G152zjv!zjO6#Zfq*$E1n1=j@-6pA09
zoxqixBlt@4EDqjm#Y^@S#B89s$hDtuH8FtNm!OJewV$8&P9^A-F1=}gZk!u{Tp$X+
z*t~g}-m1k?URJ;(e8Kvdu#gGB)d@Q2hkz{li{>;xTPx&8+`c4M1q_W;v~w~l3swlZ
zL)nCqJZrVsXUt4Z3PY)=#Lu8lMPH;MYMmDM8X$WZb<*i864V7|qFN7yS7KQXrCP*N
zj?wU|L&=tKkzPv8Fgss(KV>1U;y_`5#ynchWKBSzKtEImm|=99j%PqYh=d95x;L%D
ziGHG``ARh{RX<p2{Wbbs%gJ>*7t3q`E%5>qHTbau@&vsDXno@WfF$obR4NLOF6sgX
z8LYU{@`}kH@{ku7lx>{4tP5jWLMpBcDB)O!4%$w6BV_#)%kRSX5Xc<8GFR(tS<oR1
zdMd95b(q;^j?l}RxTJ2cgV2-8M-d2sZoVM<V8w;@ihjKSg)}hk-<OMh`13nZP@zFZ
zJP@>D{I<#}GpXwkRWKM;O}<a-wkLC>tk(4lI6R(Pj>=UhrE+u3Xxuti()E1f1<C`d
zq|no_Z8siMtlwY9AS?POVS(VUDkY~%HQGY#?=LFSNEJ%JN6P2FZ<_uW%OHe=Q@@)b
zs<D5SqIUGGtitFHB$8-|=pE0eYnkh7%!5$R2a|M>ZN8Hv{R6?sal@xXo)JMCV>%$w
z{gjQ@7f>wHip0fV)q(~7TFH49Aw|$CqDGr#P&)d=m~+`^l@rL4C0JFMAIJ|hMO=Nm
z;$9wx&NYp&pl%nSIOLo6vdVF!e?!SOPc)W6qgrlIKCC<77aJhwz!HCT5cr?vrs-XT
z?hlw6j!MW~vw&o@nPd>K4k@G0?&Drnr`Pb%H5(j=b7|Kh)bRgvbZIxtCc@8jvqsLc
zwCScU_5R)1)1svWmt|JTb2@*QNJyD^m=|S;O-scK$%-L_QY;$gp2G%Io>B`cO0i&%
z$Sp>`r2<hl!g$|wm|B8Qu#$MXmRD<!L|(1_rC-YQ-PnIZsaH6`KqR$<UsC$AUk=cO
zla`hMm^D-`)?ZW6i_&!mKuodF{mX9!tWhGNTtFx;T6B-6Q^8FLvSn@qqijn=B-N-A
z1<88DgSkuUuonu7x!|wvQmHyj98igpG3WCvPH>mdk=1Le-Xf)mipBf7Q9um0e@J`R
zEL*Xyg<Y^pOX}bXY+#v1CodF#4YE00Zo^W&m(JOMAV|35hM4+F6LV$H@?B%aFJarP
za5iF*=wq)~F{r)w54Rc20=9Ye7u?uhKZhGbXsyFqg^c|60J*4FqgFPCHj|2h_j^UG
z*;FW=6npy`x?N^tvRg-e=85s@LL-ud@bLzIYxL-HBZth>=E3ZvW2~zkjx$ut93Bnz
zhbQ7knnXcp*jdx^F&}9g?j@$eIEFb?tFu^La{O@#Z31A-&5y#mt#K!QuWoHgOy3mq
z%vV-2l>>U<gkbbS3#&_kyGWUl!v)ZtlrSRVc*;-995%~7=Et5)hnom2fa{ZIxH5dy
zNjw##cZj?hn<^8KeNB@kX5f1PR!xNpA)OIrvPtG@R8HsTu7nltv3MtLIB$z4gt+3B
zV_JiBLT{FHvN631Ou{9n4SHTV{@nV1gR$ATH3rQzJK3Daw<-_MzyMK!YQTo7Zojk?
zQQV^u86I+O&WFH)Kcyb|-BAGdR8MXu3tN$c`54%Hwge^^UWj{e52#V?te%*vSKqhC
zkTnQt;J|HPj=@}Kpjf#PzFk^XjL5FRk=0~{l>(q&tGu7Rfh2DE{NYdLPZ>hU6_j}x
zXCzFddqEgOdzPmE39|J?#{oKGS!3?wEnHJ;y2`7t-<)2UerA}!7tKU3XtrbBOk0;l
z4V{`hULbMsq(VMv9S3g?buO5*pJzLm=anCl?jAFya9AV-7!;;JR^i@!Oich#@R?~5
zE)mU@Vs*cgyfvuVW_x066?G8`Tr)qjlPZ80_Ppq!z&|GNbF-b06%>#j&1UP@f%4uJ
zE$v{p@ZuN=ItHNt-a<*wox_$^-L-tb1;Qa@TKo@Vg#aGeG*0fjPoGfl=Rfo6xY~_m
zup#iG?F?z`Eu==qnB>AyiopbY7`tIT8mP)u?K5l}@zo;%&-kpxWv=TX2~JbeSDN<J
z(zIN8h<?bP`p~Fz3ekQ>!g*lyYgJZX;FYnoST?rnjz*g9nUC`pN6SaDwfqv5O&@n?
zRp)~X_r2ipI6c)VYE=-`>V&jBC$;d3Yd7B%Tf-OX4<6qVp;CZO#>9v<@ULubuzfS&
zNA<`R&)t?(c(zk=d1zVmAb9uLJ8<gvHdyeBP~lk2Df?BJml9t8{qL?e=GwB+cP}E>
zZ8lHXC8-ezRzw&@CGr}eR0z11IEht^i_6pjVuQ}@^n+4TH&sUStcvLW$B&=ph4)T1
zwRqq~e)D`D-J=?7m5oxNA=%ye8inxZ`O3ts`|f+sfi-4-A%k3uTYFOL>~^Y9fOm&}
zN$=J#XR-Gk<tWtm1$Ay?j$#5qod8kvffdf;xLBKi)P#Co4r8BoT#|E6KK8|O+yvFc
z@o8S=05(Gr6-H@<B}r(uZMCI^q$HFF6<*QjMvxBrK(4DkQGzZSAB(_Vs$M7|*iQ(k
zV)0E7h?oF*HM)y)HOmSyBz<A3IZHb8z^-`!)IW%6en~nlHAx^HUSTQmGW>ge)yHoU
zr^|iwARBe|cp%YG{G>!<iFbp{`4OT`!9g<N^W^RXC*s(hDbr_(ogbIDV;9x$L{CpM
zq;E_ju&PEj4flFck%bqdYC7J*U2~@_2+;)kKk%H9r{Vm~b3t6PnCyFPN>35yV!Gkg
zaXk@3nMa?`qa!?w+<P$Dydx?Hl#YJkx+^6Rkv?LG=C~yV*JNOCASD;qKuxk}0`XoH
zW#;G}@^Eb4-gd5%Jv{ozvnnAi&KL?lQWq_v@Da|;Nav2@BHRYmVew|c<6MU#g?U!M
z_0Is#9qpfZfJbCQX6uK!)1OMk`HKos6OmMXpSVHe{dBV+J3GPo1+x1htzdSDmivM}
zIA;Hj=mYr!by?QY(&@&~U~h1#WTI}sQ~L!_VcmP<F#_64l)RR>by7qc1FORE%QDHy
zd$Yn3Q|g@hqUYI(IP@e1``nkIiQ7KwP;Z(Ov=mLyerZ-zVTFZ@V*hyw9ia~Sk|2hI
zq^lI^qhs3z@27B~Cl;f3p+}Tft+v1>>GvJYkk=r-1kA2e3>eYKm-L1)yD<7q5J_Np
zDMD5*wez#zZh>7jX{0na5i4n!kKTkY-BWT-Z~#|<DHg8|=$Q;&m|U0#v0D_njd<Vq
zOP3PsH`yUXo<p`s3JVZ<%?byX;>6Im-?X~+v6Y9z6l+i$yaeO6nYP80N%7)~aypUz
zZajd(bk0F#n4R6xvG1+ducpVcs@q67j!x0#S@rMR?^VBDM-*k3gcIlN0;uxVH^_8<
z=e<ypt!2=3`o@N&FP!FIHEN%a{*gOBN?<U<?&O8%73-GO#GCcc)HX<dTgNIm6(u)l
zjO_X6tFMzNu{|a~zmlRC+Mo@@y16EQe>fsds0peIRP+(TKG5LyU@sEAG+MvR9XM@m
zk4e%Qj3+nJv#GMr37bFz1u$4Kq%d%+q>t;V?Z>}MzOya#l?GNUd6uXd+1tOD3<&XF
z5z8ouZas!f6u}vWL`lx^LB0g19fH9m^WhB#9ASvrycV0Dc~z&0cx_)lTb&*BW81T*
z>|Mu_zk}7K0=mCh@%K3kl~iRaFZtl?^6dq)iDWTaZ{0B;`6XMgxV4sLz0u*bf(w8$
zja9hl7t6i%e6QB;8uQhfYo*!rxZH9&=S*b}3~C2(JdwbW2Ob_E!t|TM`dU)U83PdE
zuX$399pig7>Yl4v_^8bTlfv~!L!@vqb*<aI5Q}R4T8*@TZr?C0(yIf8FpU}W-}l^9
z7diul(YXVNnnEAuZ9A?!nk3b1>hCYf0FGJOE{bU9H0ClfhM3q?Twb$fuwKG2HZv>v
zuQH;qG~W<#2j@FP%2f~y$tVwvzT#caQ{Pt<b*`@FbveWxbCf4k(p`q!ThXUh`QGLK
z7?>-Ymi<(mEScfn4P7{g>Wm#h_TMH$Sl~aW$_`3<kUt|eTq3D98xv{UYdaB@b*gQc
zq1U0K7N90LI+tnZ1siy@ne4rryNzh}Too5-N@F_W>xzhmC6mb_J2TK0<}NR@dldmm
zfqQ$u)*&9gxq)KI)9iBc710Ee1CTFI5@;<xkL|pfz!FgSW-bndjR8KGIYBKdcThZi
z^!T2#dyQ#T4We(hy$Lf>T3IvKKeVTQ?h2L91Kd)I`AE<!kGLzDO5Z?iq))*uMd9I!
zUN>uv%SU`fSEWRf=RA!!%#CYJS-v00Klt%}$Ne90<w9{qGMmG}RUY>gS%R^9`friL
z98`Y?*rbIEEBwFH+HNh(%ZxTDpKrtK1pTL@y{+~nrIQfeFvJVSm@Yq)sY@L`!9>4g
zKP8so3Q1RSP~}aU+t^3gfx6eCK8<|N9Hc2dxza!AAcXc9H-ZZC+GD!Ts!0l;!1&Hd
ziJi031*WEt+Zy%z$XYGgD)Opor_w{Wz6;Q1SL42dVvofbkRdRlmueH~;>l^j8S@Oa
ztL3z5Z3SuG*7^cgb>9C@E`T|6px>~~!^k#rx&dhC8CBNlgRZ)OIAF@O6X&TW(9yPr
z$_`@UhjDODwfC%MQ{~VCF#?tJ2X%;l_Nv>Z;mF3d6f*JBNU`zaOR633UfPJ)3s<!r
z_;snB^_sw#S_psIVW^!Q=J}2fgt27sg7Bm5eYg5QLln+*V<L~NE2?HrI12|=je3dL
zi&eDtnUX+psQ(3$+;_ALc<aBVbpGYq6*tE@MGFEnHsms9yS*#xinxM_AIH}P;Y@a!
zCmuVk1jPKBWC@0HNFJMoqL_r6*b%6mIz?X30PzPYEuKdzY?3`CmA{h}VB$%da3X1p
z=-71l=D>a~M|G^0A!yZ43j)<4=@>;Owr{7wG%D9}HxKZ?PvLodo%OsotjA0){GM4H
zG!WJ~b-^1?jwj)q^44P*HgS4#BZS*ki3B-4FZBX+xVb)}%6Bha^V+O^N7TpugYjV3
zP{VPIz*M3Mkn{Dpi5h0WNdlSY(HYqzh?dnNR-W(Z^LLxrpbeZSZa^S|P%#QHtjqm%
z!oK<e1mMlU*v1OsVY-G>IJ&<AAz-_j9~Gy8A1r)b;iZqxGE@FH;{r?k@z`Wd<e9p@
z&~J?bjygL_vISAZ7=$^ZdYnt~zj%}AOjCcpB(DmaaII84|Nlg^rPDWOZusn$44w<Y
z5u(9JG(kMWxSI&z0DxQ=%d^pXOx7b+P$B^qmBp?n5)aO@?>1p^fu?j|jC-}YEd(07
z8F`x12fh6O)#f<?2#dmNq{KN5V5o$gIjqd;=1@XKh#6oXHNe8q0Fvs>Ez*F1(OJ3@
z9t)lIcuhTPllJBxBuTvetTG|f<$!0$of-1jYn-XZ*-va_|AMkA5WnX!Al{&1dVGEH
zI3d7VSUhIdgy&!&^kF~DL}CDv4v3}yxb;c*IU5+R;tGk@$a6~yFtaZbq6Iw>@m$X0
zKo-etSGpyZ7kmYchfv7p2qAu|klWr=PNr3kA_8&%H+lG3U~SfbVygPa*p^x=t#)ij
z-qDwJ`Xm;2q^y{<zoPLhtZ+#jE!}7%*Ho2cUGVKR3Oht&45o<pDmJP%;LONLw88;6
zmpPLty|fau?6`>@au}aN);J(@i<)6zl#D<!6;ud#Eoy%)X%cQ6=U>DpsXb*hTtUA;
z5T&IOwz+}ZsjkD<s;p8N{2>9HIu&}a1+cRy8GfNC;aJcjtX}G+F{Rzu@;B+w-j9TY
zt5RE%hX*~(qe_Grg23M>hU)mQM%V%))7wzYS*yC;UU7LSW7Ad*O89@*%5TW*YHQ_Q
zsNpXs<Sg9J0Pe)lGk>A|)W0je8+c*fxVW$uc8>2dw5Oh2l-5At;#>(4<b-PWGwoQd
zh^HTT1O(?M<sXrCS4O3Z2AB}oB{_sEJ??xBY^ol&E_0f#bsXo+g#&re8@ZV_(pi8a
z*YR5m)HAX1m#=bA_6NmPYJ|O<v91g=8WJ91_ad^Z4ylUY3LH2UWh4i^6B8evUf+4m
z2bk76rdTp+3^IclqNK174>bQSn@0>=^Wb6R1$!=@ojdD21kLOnkSBo4EZ#l;oB~(t
zK&;h@GjV(fxo38kZ-)g`At7c?;?f`RY)7uDTRvz9e~ub<a5WZTl#=8J61hR0U8c<h
zYub1|;-7`0l{=upmCEo{0UnO$aZclAMw?vt#k2~9Z65&vBRSzwh>x7&>6CnLK@?e)
zF?jT2wu~U?10s=#+-bb0l)&L{#=j{dacCnS{2W2rd}HI?nOd{<N+8fl@y*_O*hbKm
zv@@59`7u!Tk0%mn;vQ;Ib^k5UkESsenDDl+!G`6Edv6P=l|mvUNWI&Tw(<|;>nLU_
z@Y(<8oZXwzV{xm4K{O|o3yJjk?QamH4<Qv#V$s)oOO^bTx6n?YGZ%}wE&pZjoyX&{
zS@^S((c<3h&1Amz6!hVGY~uecM(bp)KlU^;@fUET?b^8^w@W~V4Ecn$2t4_V>y*Iz
zj8x=_wQ}Jt$CAcYS|$`&v+b;KZ1=ns29;)1`MgRyxwY#o^5Ah!ihu-ez~lAY>dA!Y
zuy@=5=MAWB4dpF7QYD2fk_^>Pd)wX78ZyH03vRcY^Iw*Z1^~>zEGjyLAF^l2yz0+8
zvVUxhLr=FqCko=3k2hkQM201Zgi8-d@AMf{c$s;Jb6#bi2@lp5ViymAn%+zG1Q1ly
zwmc*@ld*t9mk*gLB{mhMuJwO91X(8CXq(~53o6QiTO^9VBwY_EQB5Jj9qNC-D%6Q0
zr+-K^S-hiDZ+!$o=JH+4;b_l-zH-Eche^dg5ww`cZf3DIt^X{ikCgw2&?cfMUkm9_
z4;xTD@Qff*_b^DT2ufg!qbxO$tdC6PYeJUUz`yo5Y5C2>Mal;2V+!C#OMsI$=WlhS
z7YeY)(f=6VwMFYY0#C(I*A(=-0YuFsER;cA>xrxSHG|ROzMgk_H^qDk@M^XRIbDBy
zhWbLwsgDybSE`mjanABAC#0z0++6h@??P<-C^=b}k7a6sTZ`V$lW3;;voIY|t05u~
zhdsVc^;YA8`4;`1!I`f=8m!g0#<1Pxj?&fjkIvr6)RBGki%4!uzSkh>zp&skRB3VI
z$+KinXg~xV3Xvd9-oB0RByD8W!~HL-&@0r6c)t#Kriz5Dw8F8n(i1wCZhFnf+y4u{
zi-*D2EexM2;*;d}>YJJ3ANVH8>j(Hf0Sw}Kn86pq<NCVeSM)OoToC^3SOf`z4gPUy
z{2}n^F&fE}5dDPO#V=k0)0BAWCl2GPTgbk2l@2&SW`j4W^%(af-p1SHNx{?O&4y>0
zNPHi0E#Ug1v^H3u9i--=_fLxLNJWMHhy7@UOmrkbKwl`IcV(X+U`pr`!gb=&C#ZW3
z=hyN*GyBE6Jr1=#?v!kZS>^g5TmiO*HE!GepHXkC=>o6!k2ptLma#Fxg*4It`V0!;
zobRoHe|`EsJGuy_x=#uQlZcqZ@4=Qh-o~`b80wE0r0L(Q%|rEC?N9idXYy7yAH{ds
zYPEl*mmyNXZ;cznPwJ|XznSr`qvd3ZW+$(+Q&)F0`FOovE??P^mna38smcx?J_oNC
zrGkPe{}UO|qsR1$NJUmK<<uS(=&uK88t8`UFgU0uWd74Rk}4Z|w{}xDH5JCMqV9Qm
zp&*L*cYnBQf6uRj`QNm}6mnWLC*yFgz)bff+Xji~e?k$oBLm$NY1<Gzeg?l;wLbk$
zX)WRUQ!PF+bU!38p?AW%&$vfA>7|ZjIy?*Xg>SZ2Fflk!Yb?9JLihlMhJ9srx7q<8
z^#_(?5oyXYC#Q3@dD=e8?#*ApHpxS~MoH5dV;X69vzE*3>h9+vDFS$tWAN^qV`3Fv
zRxs+s?)o&TJSxY%D90BIIq-De2L~dUS%FY<B6ywqvCU|L;p>tBCLJC9en!)^hjJln
z2Y=_jYT9Sfax(Xtlgpj#w?rq}IHy#Hu0v$Y5S)2pwl^v~(X?Whv&9s%q5a*vHm??X
z7+ktwd`6TN%<R!B?1mR!ph3g!CI}aBescI0e!e=cdx*|c9C-*osx4y1(%w<B9$hqC
zyGo5{(m6=uoKX6w{Mnn{u0misWOy~u8oMT0ethw)Qc3slJ?Hq~%o$E2K0PAukcf19
z1@|$1a_T05y7Jji_0g<>KnQ6Zj3X#W-}#W!HQf>dB4XhNuuQgaa?OPlFf3q_NM>Qd
z+i+(411q;`ew31j5GJidh$IMn$l1IwM6mL0s(m?HjyLSP=2Tk&!sj4qE{xIhHWxHE
zffZAA22*T-80%R@u60D#P$)hzzcV`_mxemEe)=lKnUSvQ`a!opo;E>awn3=K{@KsO
zy?~(@PsU@SVF`(`GMSPTqLeZunTHiPz19S_<eS*|=vjR1#<0UI;CnD$g#Dl(?w5>*
zQ?6$uIzCEl(_S&yzZ-UFL4T3LCvK|$X;I>_G6GT!;mKzt>8VB|34H^qbj0e~yel<l
zUR}r`T-j`XD6WLapS(d^ju9lHti<=nujxE2?HBp&KqT?VobXMm-BOsy8*7JAZe0H2
zer1?|t}*V8khUN(;UaoF=J@XF_>s>r&`7={uc2Q65{0fKdvAkmZ)g1{lPLh#k@h}f
z9g|bOZj6CxzUWY`T^F1)g}`Kur!Q5@yFSJu?wFx^6;v(8wB9r@1kc)bPDcD(-4sVk
zXoBPLBqCe218oeITxMs;(3%+`pc?$;;fQiy7Qfyy50fA*5!|k1j)wykSzkE<<qXdn
zArR_3y|ZSh!*UQboo#@F^t-$ieaNpdd6FWgQZgkqyQpAGUA`peF`@2_cWj${H|{Px
zm7Byc3({>d;}&9m18i1-?E66S4iP4>VaU9wyjf#+@7Q@Woj;>FFqdnus&)26fvI?7
znG+g5^_rNEglRR0?zJx+v^1}{emtBg5E}K&vmXKf#2eO-=BDHU@*rQC>-&%M$6z@p
zSwt>pD%3u`z!+&b0>=L&$4z3yU{KB_`-#-zJd87)(uQBz66+rjeCR>WKk9z~_-WwU
zke#ZEu``WA+XLL>26}(dJKP%wD^7Yq`!SJJ0ki!cz(SD~Fr>(IGD%AB$GXX~@xmya
zAU9OXG@25W#K>ht8}CqGNB_}_wk%B_@8polo$2#jWC;7(XYPQ=t!=63E8SGv=d|&*
zWdr*wE-hQINiDP0^JW0Do$M0okBBh2o^QV^fyo4!0^9_Kn$~p#1)kJT-}$fN9ob@o
zudGm%MVmCmGR0)`%5D`dWrYmJGMlmsWoB`^h1Y=mNQ_mxp??bJ4h4EN>Rkf__4Yr%
mOMvA5S~`bs_Bg`Y$l)9&`crM~psUqw3HL4fU?Ev2*mFVQBo*!e