From fbc7dbb151c3296e5daff6b8a2057b31facd7039 Mon Sep 17 00:00:00 2001 From: Tana M Berry Date: Mon, 23 Jun 2025 18:53:49 -0500 Subject: [PATCH] more content --- .../flows-stages/stages/user_login/index.md | 2 +- website/docs/sys-mgmt/events/event-actions.md | 308 +++++++++++++++++ .../docs/sys-mgmt/events/event_matcher.png | Bin 47347 -> 0 bytes website/docs/sys-mgmt/events/index.md | 313 +----------------- .../docs/sys-mgmt/events/logging-events.md | 5 + website/docs/sys-mgmt/events/notifications.md | 32 +- website/docs/sys-mgmt/events/transports.md | 27 +- website/sidebars/docs.mjs | 7 +- 8 files changed, 372 insertions(+), 322 deletions(-) create mode 100644 website/docs/sys-mgmt/events/event-actions.md delete mode 100644 website/docs/sys-mgmt/events/event_matcher.png create mode 100644 website/docs/sys-mgmt/events/logging-events.md diff --git a/website/docs/add-secure-apps/flows-stages/stages/user_login/index.md b/website/docs/add-secure-apps/flows-stages/stages/user_login/index.md index cefef51426..2a7730a61d 100644 --- a/website/docs/add-secure-apps/flows-stages/stages/user_login/index.md +++ b/website/docs/add-secure-apps/flows-stages/stages/user_login/index.md @@ -40,7 +40,7 @@ When creating or editing this stage in the UI of the Admin interface, you can se When configured, all sessions authenticated by this stage will be bound to the selected network and/or GeoIP criteria. - Sessions that break this binding will be terminated on use. The created [`logout`](../../../../sys-mgmt/events/index.md#logout) event will contain additional data related to what caused the binding to be broken: + Sessions that break this binding will be terminated on use. The created [`logout`](../../../../sys-mgmt/events/event-actions#logout) event will contain additional data related to what caused the binding to be broken: ```json { diff --git a/website/docs/sys-mgmt/events/event-actions.md b/website/docs/sys-mgmt/events/event-actions.md new file mode 100644 index 0000000000..35b57b2652 --- /dev/null +++ b/website/docs/sys-mgmt/events/event-actions.md @@ -0,0 +1,308 @@ +--- +Title: Event actions +--- + +Whenever any of the following actions occur, an event is created. Actions are used to define [Notification Rules](notifications.md). + +### `login` + +A user logs in (including the source, if available) + +
+Example + +```json +{ + "pk": "f00f54e7-2b38-421f-bc78-e61f950048d6", + "user": { + "pk": 1, + "email": "root@localhost", + "username": "akadmin" + }, + "action": "login", + "app": "authentik.events.signals", + "context": { + "auth_method": "password", + "http_request": { + "args": { + "query": "next=%2F" + }, + "path": "/api/v3/flows/executor/default-authentication-flow/", + "method": "GET" + }, + "auth_method_args": {} + }, + "client_ip": "::1", + "created": "2023-02-15T15:33:42.771091Z", + "expires": "2024-02-15T15:33:42.770425Z", + "brand": { + "pk": "fcba828076b94dedb2d5a6b4c5556fa1", + "app": "authentik_brands", + "name": "Default brand", + "model_name": "brand" + } +} +``` + +
+ +### `login_failed` + +A failed login attempt + +
+Example + +```json +{ + "pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7", + "user": { + "pk": 2, + "email": "", + "username": "AnonymousUser" + }, + "action": "login_failed", + "app": "authentik.events.signals", + "context": { + "stage": { + "pk": "7e88f4a991c442c1a1335d80f0827d7f", + "app": "authentik_stages_password", + "name": "default-authentication-password", + "model_name": "passwordstage" + }, + "password": "********************", + "username": "akadmin", + "http_request": { + "args": { + "query": "next=%2F" + }, + "path": "/api/v3/flows/executor/default-authentication-flow/", + "method": "POST" + } + }, + "client_ip": "::1", + "created": "2023-02-15T15:32:55.319608Z", + "expires": "2024-02-15T15:32:55.314581Z", + "brand": { + "pk": "fcba828076b94dedb2d5a6b4c5556fa1", + "app": "authentik_brands", + "name": "Default brand", + "model_name": "brand" + } +} +``` + +
+ +### `logout` + +A user logs out. + +
+Example + +```json +{ + "pk": "474ffb6b-77e3-401c-b681-7d618962440f", + "user": { + "pk": 1, + "email": "root@localhost", + "username": "akadmin" + }, + "action": "logout", + "app": "authentik.events.signals", + "context": { + "http_request": { + "args": { + "query": "" + }, + "path": "/api/v3/flows/executor/default-invalidation-flow/", + "method": "GET" + } + }, + "client_ip": "::1", + "created": "2023-02-15T15:39:55.976243Z", + "expires": "2024-02-15T15:39:55.975535Z", + "brand": { + "pk": "fcba828076b94dedb2d5a6b4c5556fa1", + "app": "authentik_brands", + "name": "Default brand", + "model_name": "brand" + } +} +``` + +
+ +### `user_write` + +A user is written to during a flow execution. + +
+Example + +```json +{ + "pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060", + "user": { + "pk": 1, + "email": "root@localhost", + "username": "akadmin" + }, + "action": "user_write", + "app": "authentik.events.signals", + "context": { + "name": "authentik Default Admin", + "email": "root@localhost", + "created": false, + "username": "akadmin", + "attributes": { + "settings": { + "locale": "" + } + }, + "http_request": { + "args": { + "query": "" + }, + "path": "/api/v3/flows/executor/default-user-settings-flow/", + "method": "GET" + } + }, + "client_ip": "::1", + "created": "2023-02-15T15:41:18.411017Z", + "expires": "2024-02-15T15:41:18.410276Z", + "brand": { + "pk": "fcba828076b94dedb2d5a6b4c5556fa1", + "app": "authentik_brands", + "name": "Default brand", + "model_name": "brand" + } +} +``` + +
+ +### `suspicious_request` + +A suspicious request has been received (for example, a revoked token was used). + +### `password_set` + +A user sets their password. + +### `secret_view` + +A user views a token's/certificate's data. + +### `secret_rotate` + +A token was rotated automatically by authentik. + +### `invitation_used` + +An invitation is used. + +### `authorize_application` + +A user authorizes an application. + +
+Example + +```json +{ + "pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680", + "user": { + "pk": 1, + "email": "root@localhost", + "username": "akadmin" + }, + "action": "authorize_application", + "app": "authentik.providers.oauth2.views.authorize", + "context": { + "asn": { + "asn": 6805, + "as_org": "Telefonica Germany", + "network": "5.4.0.0/14" + }, + "geo": { + "lat": 42.0, + "city": "placeholder", + "long": 42.0, + "country": "placeholder", + "continent": "placeholder" + }, + "flow": "53287faa8a644b6cb124cb602a84282f", + "scopes": "ak_proxy profile openid email", + "http_request": { + "args": { + "query": "[...]" + }, + "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/", + "method": "GET" + }, + "authorized_application": { + "pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021", + "app": "authentik_core", + "name": "Alertmanager", + "model_name": "application" + } + }, + "client_ip": "::1", + "created": "2023-02-15T10:02:48.615499Z", + "expires": "2023-04-26T10:02:48.612809Z", + "brand": { + "pk": "10800be643d44842ab9d97cb5f898ce9", + "app": "authentik_brands", + "name": "Default brand", + "model_name": "brand" + } +} +``` + +
+ +### `source_linked` + +A user links a source to their account + +### `impersonation_started` / `impersonation_ended` + +A user starts/ends impersonation, including the user that was impersonated + +### `policy_execution` + +A policy is executed (when a policy has "Execution Logging" enabled). + +### `policy_exception` / `property_mapping_exception` + +A policy or property mapping causes an exception + +### `system_task_exception` + +An exception occurred in a system task. + +### `system_exception` + +A general exception in authentik occurred. + +### `configuration_error` + +A configuration error occurs, for example during the authorization of an application + +### `model_created` / `model_updated` / `model_deleted` + +Logged when any model is created/updated/deleted, including the user that sent the request. + +:::info +Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values. +::: + +### `email_sent` + +An email has been sent. Included is the email that was sent. + +### `update_available` + +An update is available diff --git a/website/docs/sys-mgmt/events/event_matcher.png b/website/docs/sys-mgmt/events/event_matcher.png deleted file mode 100644 index 61d659dfa0dcfaa1a35b1f7d6c665c895ea8ea7d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 47347 zcmc$`2T;>pw=RzQib_#lr6>ppqJju0Qj{)5nzYbEQxWM!ARwVx2p|YZ5tLp+C-hK4 zQ&13)P67e}k)9BGKtj7azWSYS&iwy#&z(8vUS=FLgq{6cd+oKJ^{i+4N>^Kzk&c~? zhK7bwT}>H6L-SWO4b9=fukT%|@m?MkkGtHpw6t6{7rzzP)_y}*R@UHfMph#u zBj&!oz8RjLp3_%-muhVdJ6kzi7aKRxCEGSSzW)74b(gn>Mo+}W#RKqSsBwLV0O(e5 za4?rhRD4!hSs8(dT5DMLFL}5=;=hHr@b~vOUEcn9DnPe<+NmyV5+ROT33QajS^AO`L$heqC7BcN60_&TP+SR#6M_44ft0OzzM^*^JKz&JNiKvOowRY1kN@qW>T!6$ z!NLOOZQV&`MZS&|;gMtHw4;kJnduOU8BDx-{6T6#YPE{UeEnR^TVu;_5$A9BgJp~m zGy+aSu`Im#TsTu(&Mm70vX#r)bo-Hj5Ow-!PhMdbVVjge!>cU3hP>(g-ke~WUn}bJ zgHNGDFuh{RFIsXUJj}izAfylmv(;Zg#w(-I=tdRD&ylUB1OExk-JU{3Y^r|3D@Mt& z-eWrO5}Yx<#%uUNNOQaUdY7d4#O|ylzUIl4-+U$<=g8qy`rOqyD_$S21#`i7RN=kM z4!E@Rjg5_&-JL7@?(WMvkm4AiVyA?{Q-{hO-lH7f$D6GW)(>FbFVsSKAo*L4{*CJ? z%RgrZiPB3o)|0YuZ7ZfKtqn|k7vZi789ftkMlsTzpx~;w<`E3)$JkjGoI>bQUf1(La62r#_Is5w zbY5a9FD{tLqmmBaMkp6(Hdq~sjxb&$xdx6#5s@Oy*eHZYJ8amcj^xL=P&WHFt>do) zqk1Sa9nWcmVyM`0MdZqp{L`ry3iLchAx|@Ks&qygTDfmj2kf8?SGFwsV2H&;CFZVC9JW=t-`C0M(hdVcgHCf}Yp7`-7I+#v zQQ+8R6Df z4n?kfu}r%4By-fMqALuivuw=&n3!c`O!u`&8(m)p)15~esUC^C75 z^mx&IX7ChnbLyjAx`w$sh|WB!K8fZdE1jE1Fy((`Y7aZAZnXB7n*ZOt`TSpW=hNS) zpd*|yW_KIB>vNAvLGQcZ^=@OV@^28(XGJ<1z#u7()3vSX! zZ&Z(SUnXTM@^y_W@*&I}Ze-)MjVdj?M(nR}x5jbsI+uNB4S2s;Hfxji_KI=`JWx~_ zq9*3GIGjn=_m;z&*2vMl=qKb3O6A#c8){}>AIqX%%zy6F@o4_IN%rex-_SS~KE`P# zbrn2{`NOb|3~_mS3UVms=*9NfcZ%F--F`|zYICUyEVHN5o@HgRyi*v#q~2pnJlACm z%V3o$V^Tl#N|DX+BXY?V2URC#6q~aaJVK~RxC+HWZ`%8ilNEX1{`MnN!AlLrH(oPW zB8a)YYUK1G=UP-MORK>30b8P`ip4}f?#^ z7Z;E6(djVn23hl({>)flVL~&Zo^T_p(T z*o%2Zb2-ZJXccZ1$n{rg<}(Qp_n_L?C`HbO99Gj!6{g}ef>o4w3PEWn0pVRB-H<~* zWhR3lreDy6Wk?Nf&>g{|uA|JjK*0LPO@RL^XE20Z&(~2xmK@aOWq0bHh^Fu&HB#rD zbSI0pOcR6TRw&3{4{_oUQAItzSkj@p;SkoPM^o?TZix7TQB8eDIO^-fj7 zv;WgcvhqjFcdmpo`B&JCh86RZA-8b1Ce{|eF>9# z;JJj=AVL`{~4GA(HN3F(gJiS#^fyuV#X73&ixaDLk$a+CQ3|IS{ z@_U(#AeEueP5KFp7emRVeC`h2tNxsqshjwcfHm5(-uMK)_&4yjxJJ5YF>b~hE>=d2 z+^~qKSa$+0D={r&{b~79QJ!VUfLy_K-{znbM;zXJCfhm564~)-D)KMV_cA5dd%f!e z7&0L{M%iz)VF*uFP~cZfxR8RSyrvM0%%OflIrl1d6@c z@orq_lsDOlH*;CI8^Jzv%xb9Cp%nL?_U+KK73?m<(IW-9%K=+;_^>J+w4C=yrTu=$ z@dAsG5lJ!Kz*Kwm^8B$gwEc4F%i5$-smE|>5wshsq-1$@hy3ycofEuHcEkD@#**KA zXZk%i)v&?Zed3vnuQHcEu0Ufb85^qSu0H4wEjXrD2ore_8h1sFu1&2x#_xRm%3pWD zyYKcLTre%8QE#j3KGTp=-7Syl!}+z$NsicEJO~eciSDN6MoF8FxPpMz>GoKE&4flv zNrV9%U%}q(0(q=8*r5zv^sfzeRQlIlQF#y^P+Ok6Y>em6BbAVpfU)8x4Lu|582{do zJ!`26k&k;0EnqP)6jfvI8#>fKWX!Q}aOLJX-t435td|iP5R>L-0@o%_yim+wh{!y+ zQ~r-Nxq&t5qs1mxe9&&C#R@POY@hb&#(ZDn=T}^#o&?bxoF-k$;E3W}Zqb|}bB=4{ z_UyhmY_%*02MvC8<_cv_{8l4vr;cz5G-&?uIG3YbV%olu|9sg#t_!WmCDcL%6kg*# zbIo&kc0SClemkQRn}ol)}%C8Hk7lf!#!S#qkQp9!j?`U8b7Vkc8ljX4XDLKUQzY@Bgg z{!G6NI-p9nB}QB;-#I_9#b4U-oWX`gkph^mYx1WIg0&-#^ zoM{DDu(kVGKNv$cNzguxW9b;YDN=S+63zW~M9!3$C)Ix=oAh`G(Iw(&l@6S{IFf+-Qx7a9aDPgEzs2g&u!oe0|9aBIhGZ7Jh{FIOOLvV~cfQrIGoxo{f}*0_ zki+pn%b4KPr8%eIpX!oF#x!%`gNWis4KUBKzRWM2Y9@p6-Hy=s2+8ppJ4@(gSsY`v zOBK0#wlG~~@|B!fXBLNDLk4CedQd>0mO8X;xIU;=(|lDZmn%2L3cZ^c<DgjAtyOPN6w64AH{A5(TTj?LQqc2 z{h+>Vd@Fs(AQvi}WI1{_EyG7(rF5wB8l6aGJzQ%tuBvu6*JrV2DpKw`#9PjJxyZ(- z9cqPM(|ei;(|?+gE@V2Cozq?+anPcqn z=xbLgW*;MuHb4XY;|WTW338h2+Qr8CJ&apN{EMNS2x4rN|3hNlT+?cV>rb1ZjdqFv zT7;VVZB|(PCCyr1PK)^K%g22*@38MO=%yJnJQWRRzhD~r=nll_oia6rQACydBWhgy zVEP3d#`v!UkN$D%kFUCI5+%+(ii3~4xMLN0x3{H^xsGsElip)`zR28%ooe{ ztH@YU(_V)XK^jf^=yEw@a{kokRGnbCcG4L$RjooBLGh*{|L4@i17L24f?zgO$nd5b zyWU%xeC5!;Kwj4VaL=iYDOXcEKq(UHU<^F7Oa;20{J(~sW-<#iAnvUL?G1KacVO`YW8;^EK11e zAhmyf;9pc#g~MX8+g6vW`g?o72X<8@XIcfH>QrKDOSTW+nk=bL2t;6~_E)lX;CYJP@51|FQ=U(t!uEd~C3r?E;EI#tw)5a{z`_ zj@?Z5aI7NIvQiQ9uQS&5r;GL?se~Gsr7+p^{n;%IL_1Wh;m5!2=;d>;BZwk$yz=g! zBRQ+s%w$jaa6J0%>EBjhxX#Lpbtx@&JS%;fomcD1@3T7_a823a{p|s?*x*);rrGwt zFRPNRh=l$*hm692^)B;HQ2C=!UFhoSx|4f#Kgy1(X-!poSqP@4-L#D)670OY&QupZ z4i$6P4OVllUk$D!RgI3doRVLZ+y803S-`y9xZ`4KlQ)!w6EUBt9}hg(YxdnImjp7_ zko(J4=Hw5)rND5eFX4gajeb6#<<}Q-)4T$Ar?~OtAuFp&*^=5>_AO8YxyMiqcm2B- zCmK`8QT@s>1wTEKm}oxr*xF+1GRHQJ{U-86abaO6y2s8_%PepRR`k>O0c3qzeUF>h z^x2>lPruSB*=hZ1YE2x$E?$sF1@cQPEvLLS!mmW$k2>vKg!Tr%zO7v#gurUDG@2pu@ZJ**D`TJ*oJ||>nSOan?mNc`u>TLw9^=0y+J5Etv|YCtG1_zBQJ|}< zgndn(e2E+}Y!sDILPp6^zHq_@^=e%d+afuME=_xzhw4^O-TF=wxL&~V%>hox&kgnr z9gKyKIhHhp;i}PSaZ2iRfblD)1yKGsjJkIU?d{4P?5R+daKDSxi*mMC1EI#qv7dV?TFNZZVl-@Sl!L=>!NGo&2Qoz=Zt^Nao!x@f z()>5yCyCl<^f5kmc1B502AvrLM*J>}ndhyZ2-w+P;ZL5eU+?C4!!hA<-?nJ@r$209 z90Zl(njc|yK9dMG+O9ibyZ3@YWpUCp3`&=c;Ant-e}0U0R`R?OvT|>Av7*NdP(>=R zh90?{4T{HrA|LFf;j^dv+jHyA)F5~NgCGkpHp+4$M9rBDbJ_f~TsN!!IXfUC`n|=- z-3{zhHUD$GDZn%cjyq_XT0%h~B-gCU>HSW-P5{I%LQL1}?1pOSMyJ)j`xj2-w{+2- zAKqrB$1vr)ZmC8*VD>U5IVUt#GEt9+hBo%PvO{r+V368Ck@Tp`P5rm&sD)ekpey&dKnaF~oy1~lg z5Sj#|DJ;Z;TW2{~uDM=eGxi{alWyH;Z+N|+y7x+&-;aIDP!mN;@3{MXMhJz845%!D zbG-SfFoyF_KK&hFy0NS!iI1xl@~!A9kIYS7ifW=@OXvmws7+BRv1cd(PKpc6!7a~c zMQsY5)?|E|%F2s>Iu#MH4NJ}eZ}J|)8e5UtOa^wCFYnKY1PXYT_!3dobg=8LlMn)lX{UYr$x$gCcH{1c%T!s%r)d3oiXb>u>yOaOq}th1{v-20{cageQZ zS&ZQ38 zGbav<(Vc>0#wM#yynI{A&sY8?cMSd&lze$r4XPQ2F^8kwQrT-{&+!VGl%`KppnA{l zPilh0BgGjeu*!XFzs3+9Vx_P-DuF7YnS&fkm_yo^YMUo>r42 z%nVvzQ$Fn<*)<1l%C&pBZ$8LbrJ;mv0g{6z1|53Y%uhPj&h(?WZfR|_CH{t=thpC` zvY58MyL|sG#mQ&AR~-5i5P=_IIWkfev~+xi8qUuCq( zl?;v!$6PB*@}kG|Ym~#n4uc>AE`em2rH@jX5OvzTm_8@7b+MgKf55L9MdV%G=_iD z#@Wc#EX80ZdPym^=tgu5EZ@Zp-kmq|hM>`DEw95J%u83^9DjqJP59c#siH{1vabHf zT$!CLjDNxC1Czl5O(J{MQboKLf%R-Kl+I0w{hhR*1-=Uay41k^?MyOVo29<70_j*{ zwR5N2gx>uG&xPy+R!d`VWvZo)Xo_CzpV*RL(XF0~LB-JmZWC~l8bNB}Ek5`7@QcAs zvj(r21V~pFVIJ>TzRm|jB}o!p#F94e^ipx1HCj=@-Ms1Y={asTF++7A>G7#>oyBE#1U0@sdQ0*J0dUDENb%PZvb_pyVQ z`0Kat?QhhCLACknT;GFu+dT1x7!0*=aREhtri(WF#3k3CeWNx4uz_L@D4y?1IIY7; zv)XrVU)ivGxoH7}G-F2&$82QMZnkE^rbDgu=wU^P^MPKuigk~2FQ=XW^ ztP%LE6)m2m7wJQmzNp?9jpZ&5UV&?x^q0#&1*B;0ARG4E1R{`*wv#b>@n)r!4Wl9#B-CNOFMay%kxwBz%;3SEeFQuwk_I#o7#yAtjvjPH z;WvUUde)c`46NsaUg{=X1%-mFMf|Xq?`><|b4TxO2JB%H?9$zQwLwfDor!ejKp10B zM#p3*o~=h5(t(B|b+up|W)tp;$Wr0;FoYU=EJzK8j!84$xUnv@WRL!M zj@SNm-1uKSJ}z(;?Vzb2cF(>SWh$sx_&2Y@nXk*JP>r1 zsraU9VdrpFmGC1eiOv(z%{^Zzh+46cS&0(q<@$kY1wl0amvijW*r$8h7Cs6!kTy_4 zPT#NgptHw_|hpN6zrE8hyTuzgLtNm2(u%_iR{lyCCsoyl7|1aK{8 zxcGS>q9$rpiW>CMgN)aA$wC~{BlCN#4smCA5wLUn_5RsPNC)Q%hsCG|Pq$~2T<`X< z5KbDqgfa)*O?}ey6?Dvup90`TnyaI2ZFQwqWY<>?BcIEaO7K9m+tcv-U9JJKQcp`; zd&=G@py*OTgU(#CVX_O=YOcNyeQ&pzwsHl7{qbSk1F&q_!hqauZ)NUpdTSEz5UloK z3tc)t^yO;V7$|JY31wG!Aj9ke+u?9v!kP%I_%*Hk8_~?}e1SqjC}A{r?ooCMOf$~-623!OG`CDc}50{z_0=S**P05X=M|DJ%69IUg z6o>iu>r@FAmEDQ!w1}6HBvI}mEXp$7u9BQGb@<58Xz$Ln7uI7k{ zW95B?4lW10KD)Y5-(W+TL3NIGlx&qS*d~G~LwJAK3j_KTI6JSQb&}ylZc_)YwF zNY%c~yzLzxul8FN-#h9Ysca4!F5Zf-^WcW`N=TZlA!^(B4ZGf z{Z$@Fa;uco_h&~iFz&vHIu`~qJ*0g}@`2#r_31~a>K zo4U0QLCs(_XyeP1QhB4cd~Lp0ZB0QxG#_y<209dEeeemY@U~*C%sJ~N+8{KpnhV@l z(NiOFOzMMDUobcX3O=aO4gG>-EG>fREJ@R~DiVxr(>T0jrPsb(3~#*;QHWvTMNDl5 z@j%3@Owo#b^eou5>!uS0v7qX^LY@Wy)drgoNz~WAooz-h<9zIBLAzDdO?JPr9PIs3 z>eGTy)x!f(d(hg9p!X*}*BI!Uzu6-*)t04B#IW>hW#{OB$SyPOFx>}nes^U{u}o0wLPNIxQJQPaOnsW zB~RFlgh65Hm^x0D z{}>{)VALx@PIUhjU*dr=3N zv9#A~$5io7bTL0;k~4u_;@g)HHLcjoHJ~~klFRDr8i5NAjSqjPNN*UHHjG0J=DQ_4 zXq&oe4FvzO!Tr)PYiQ`8m~(-nqx}okE>+fNr}@Lk&DO{#Hzn}Hu&*Os zUE?ksihTF4pZ`w1E;LIw1V1YxMF58*uR^r5RHM8u-hJ&x&w7m?z7I;ljh>zqY47i(JDmx2Gu;03 zmePBFRsYN(j;+~nyBRQ6{QI_MDnVgKDOG#Wzq8zA^>qK$mDH6UZoid}M_i6U;RlDe zR(>A1>r{(lY_}Y|Pr2+1ZM73i+#fM!{l_9=l9D_9{rx}w(KOYGaB^}MS5yon6c-mO zzQ1X!t@jN8uDZ7%G+NIC3X7_Cn)Gpe1+alX;91_U-}99v%9d?so30IU;9sDPH)mcV zPPzZ*eIl9EQE!UOMh%TEX3_!yhZm-Z1WUC6+KWXo*R@u>Ago{qBFb0}m)`GJ1{7oM*V6em}%L%fAR}A!7_e4G6Dt zldeB_Ax&k9GD5frxdXoPfWtkY0IAUKMgbo}1&2|e?9I=YLK`ZIu*?NAolE*MHsLSzfj>HsL$iX*wWsFIV))?XQC9 zOn(FpL=40w@awBlESG1~xvu(_DOiolgq}($ zLPWzH>y|LYT_RmH&djx;*-uBBBz8cN-(Nj-@U$;e1+g8LgZ4pOV#xe(=vVsu&Q&pT zJlY*%mnCfbxIN~Q%AqJw@Jy*$40HK!=*f3YhH#G;GPOf_^FN=t_0Lnzm-yaOL?*}Z z#N>sWiYgbNP~<4rnn_yuFJ3_LR-(wqaYlW)@2rL@mk;t(0W;+JKTi3q5!1$}+#w*O ze3~(sGguAO@Sd?(bc7iiQC8Li6GK*k4S}+(y!qr9#(L*sz-(k1={Tey4>f%JXQv8Q zcNP4&rb?I4EUBAQCm>f%?!TyR0nw zPvYUvxb#o2?Y{wf3<_JBwI^5@TefSN>gDX$-80j3fOKpq=W7YT1VLn_hEbXiOjNi= z{d)F4i)=a+k%^2r7}>fFgzaA+m@Z8p{TTE`y2!9Uxq2RC;Q1@mhK)3}Z0-r%U$^V? zOyv5tzkNvc_N}3@!Rg;{(b3fz<}Ao%7AodAin5pso2#ShF@2L9Q)@VRPV1ha3tj?k z67vBEDXp|w(5&%FunO>T=yN=R|M58-KUV93Czdo>Vta1SC3}oLKgM+nIrKO6g9_|B z@~{@9;Ty$1xNAe0Ofjdbe8=HO7rA-GwGzKeNlRPoyuK^xNJN?YTE9#J{U*m$nO9)n zLg?!SpEiC8GhtXmJWvwWy58?)Ew!I6r+)SCV8;#Mv9o7GB?M4EGjg zx5fs8dxWeS$7CtY(oc)iN~o=gEhFSTyTJc%PAA=T)dna z$%uYz{|_Z(D|v`V`7rz?=r)jT|8W7OJMB#N8x%QZ2UH=f;z~f1ZsHYxQv&WR=q_&D zwE}@9%C--+=LHpb!f8m)p1l z>sK17d=_?SXvYN(?}-Z7xVY6Vz07RcM2(Q{W1a(A0k_3^+GDSNR z%h;`h0N9=;hmr=+CODd2zW46CaQ%v6Q@xJd_M-=hxvB7uuH@STI$7H(Pg>8p08uak zrc*ri@fi2w<~Lhz@5Qn<${e{dGV)~gqxP6`c@C--DH@g1qhHVMN^$5izGaAJelrFd zS_pSgfwF0Nv@lBkOrI_&EMAKWTn)GSdH)A`$Z|ajTdx}xB}L%(?h+sR`AmHvB;#vT z;I8$-Sf464X@7sKsqT!9OrN|_`uebS)OJ(sWbolAeH~fs!5--U)rAXVzUX*UlOV_l zoeg`Nqe}=j%axu582zISlZ=5b$%)0{rhPc~S364pEuN>{oqU~>4=Mv7kWQ)t-LyR- z;D|hynAD@t-Ry2Vk4|B}~o=OllF?+&Ex4-T~ec6W|j@QdJF1@-=>%PS&t?DZ|oG{XzI8=e=A zy7|kOZZ5WuveDvFZ+N{u84f3fMmU&*orweyX{2XrGI6)~LK6^((OVslQEAPUDE>JdJ zjJ%aOYMU3H(yAU)$)rAYVumqVxaRv|c@h<$igkespO_X1dY^t5a+>CP(yYX^M8D{T zXDFS#%?GOk1R%9FhF}s{w*5tkT50?ncxS;4@$_@~E>4=U+P~(ZkNEV06WuMKG8vN7 z_hEzw)^Iw)895~0sQWWfPDDtV?$~#2+G})S%yQrAXMlidWx($1Et(B}O_3ft<%C*|5wki>?5_*4V>{_KB zf98rR&)e}|o#US4N__M$nc)H^dYw6sK0Le=J6^(i8(#Fhfc%Y;T?_gNnO6Gx_yxA! z!DiK|i0tfwLl`;-IZAeQ z=_QCeXKW`gT?LSm{Bz@~?P7{lUsj=AJLv!@+5KM(Eap}d+a4BCgh52Uh zF{$SeccJSfzrR^5Rl1Qs<+}g(T3X1O)o1cDJkj*hzQ^i5Tdr-$(iNgxV;5^7t4DG5{bq9^`|Y-{XnE8$4`NVDZv~ysWF` z6Mh?gs{V};&Fj!WTt$jx%#K6;y5*&wwlb0^lMLV{m#DXGYleTT9yudNt-?SA?knse z^>~;B25uSa2PS*e7%f_X1B3;F*7dONhYNQBUWlc31S7cR8|Q1+d*mmm;+FXrgmK?x za?iry%}-}^JgG4>jg}>2WCXeeT1PivP`tU_ZJ=h^3^-vxd3d`O2u&hEt#_#GU<~A* z03VI*=~x{<+4_}cdf7%$Tc`QVz7M-*?V6BV;tve81OzSoGL1k%v%5z8;eFv7&mB36w_)HB|vjjGz94f}3h@`?qK+5_c+QM0d+yO97J2ogz+Kv-;_b|Gxb2qz|fza9hTeiI*&=3WK+#jM$Ywtg-6GD+A3^|H1KPu|tgdzQ)V&J!jua7|)6X0L zk4K3Xb^+l0{J|ELWB_29?Lgk0;%+F({0%ra-s*rd)QorzW!;^=BELE?|Gi^rf}<{-a2c?!?rT0d#E0|Zce>r^TO|LN74J;w0n{7P17b}N4V z@U17n$fWqlDVbg>8o$(X)W0}hm5AEYJ}LL}{(nFXig@=Jr&$SY)@(0D`b=-DqUBpvighGTw7!KX;2Lt<;&}f1!vY zrLNLRDglAI6SF+zqc`_GHCPRF74jS%9M;H1@Lt=HwCo<8!l_{&0peH&>Fr-(lKto-n2SWGSa4RqM&mn`HZyjCxU>G zod|4q!QAZ&PsqJ_hNKAQ&>4&AH1`gHM#JZg z=CHCyQ@4i^FN7I3OxT{5H0@)WYH(~-Xysl2^S%ypE|s-$ty_&ynumy9hl+Xzd|Bic z8YtX9_##v@%kGFZU=mEc&sn$;Gqu=^u2RzMEu1bX9md-cTrKhlmlf8_ORxDnFSO}( zcknN1q&NgVM{-2ErAn3M5uagH=4lPtY~fm+*-`_aOXBs{HOFZPd^zE)__JfMA&Y?b z>gr%VDk$KIOr@@3ZEpH%iOu8Ne(&G$Gov zjc$&E6#Y%7am#la6QSx6tg2umtEH?ez|(M zvw!NQ6)HB8SPAcY)}0tddlbhQ(kffNR6H^S`#QYMbGz3K2Y*EJnCwy=pBa3TVZ8<# z*Q@w<%(sF@r5t5r($0a=F^R$bbpJb&W?tR>GO;i9iH~)9h~`(lF51i)2-UgdHSbj< zgYH;J)aq3(^)RL48QlH@ln(P<2WfV6D`T}De^sjK+)1JE!*tFb zqyyF;4weoo$ko@CByoBAqm@MudLLWcTv9?pCZe-HH4-~+3wP!>6?q_wxecnR5VL8) z*bWJMP2!-FsC3O6%}>?8p0#X;^?|-Av}e0!@?GgD_HBf0P7^uR4gYX145;+5KKWBU zIL$d5p>Uimsa9qVe$<)5faY(S4CdI~FIIrg+4xK5GV-R7@$V%jiu`54Gh*{MZLqPM zEU2_d#+_5oWlGvMD`b|BDTD$kdE6bV9~l19?_Y$=S@=`jnosO23f7mY?JvjRZ!H|w z5<>~Ecpl2kWR=F*2$L>bt`8j5OO(NXTYS+i*E3tfA-0D~+ABKb4qMG9pFC*O5GvoW z#4F?oRRr8o@A;-;S}tw&lZ&{N75>l~_V9?SElMBgTb3ycvzh}7&0PdF$y$knO5tl1 z2E;iYi)lwVs$w&tGD&+hP0ZDzCYa1*cCzq_1x=!RUBsvO8-mImBd#jzl?Qjw;fupk z_R@K7l=8s{9ixO3_|Op4V`a%1iQ~@Mm`P0bu zx@3Eva2IWu(tBH3Aa*q!)!j+z=Jevy?L1EM#=W?S4pz_iL-jdhf~+`=jBiKV~pQc1kT*H6fe2ieJgAJX7iF=!4X7qmHAaVGiHrB zs?SJ~2le+VuVUU;vSw!*oqI5!VbkYr2^lAUmGX`wbmwdjKMfkO#IXywh8hs0%X24S zGv^b0h$3E*mCnUex}A?v-s_7TbWaAr@ZjZdDMIGe!?nE2-j7qKbkYhrlBREP$|Y=> zm*}?fn-BPCjtY>Zcze8UNBpdJ;Q1c$4)C#q@&WrQ4~`T$n-mYnEG-G$TXIC1no9 zjw-37#d_T-5@w@tE9nsh@iq4B7IDy_7zo<{^l_cSDI!nR`AxWq4v@^$cbYhuwQibO z!%zq4F8yl42pg9)sPP}}7%rOVzstZ$;W+P(%AhX2%rR!Gdn4S93IIyre>>ZN&%KeI z!|*t|=<=!z{^Zj25W+a-2cN(jW5>Vn1_Te!^7cNWp?11dBc5A49qaHTYSF5-agsx(A?T?-78HPVj zk?se&j-*X4qWdG%Uxh5ZpZ~e!s3yqV7q`SxY134HrB3q*CIPSFP^><`*KRgvQ~Mm; zz1Wzj*42htTDYwFG9+Og|32Aue7QY!FrOfByZF)BwNI8k>lVr602=DhxWcLV!(ia^ z>7>m|C!*%?{+0wQ@3(rtG}71~Ex@(&>I5QFdmeqno{oX&yRwf)ElKxxxUZp4t0m<^ zznKW8n}j}+q?tULjGvyTEeE2ORB}a+2<#(g-323)9Qx~Z&kTp(!EQLSd0@)a3PT{B z8O68Y7NhlJ;I@j++P?x4yAyWo*d~`x8>VG2NGG$9>d&UMyImx*rE?vSk(BKfBwK6U zc|*AVjnEP=;4@{9*QNl)9Jp_72pkqe_=L*>+6**f%Y8+dWr1|mJgw23Iu>!5ug+%( zE_lD-Q795V=rh{w3Qdqf{oV1c$@5-oq%k(>D9N7ZO_jQl0-JAOEl&(gurl77Ae_tb z#6OsHO!l_O=Wfn+ruImGv>lpM><{KArsXU_h}pC-UV8FAcmLs>8mIAyF>I0x=ixNb z>t3K~kpIC5Uk)@apSxLrzO8IZLQ;Y$l=7)jdSI4gbVw7WTBHrTNAzfc z(G->v>{Qhg4F8(>Y&(h5>|{gnkf&bZ4SKQopytk%$65!3 zZRD`%EKqZ8n$<-Q){D^w=M0!|f@2-dvxgl5TS4FNM^tPcarPC;f>P|8`sNm%oaN2e z3~A*mdm_>dd-YGC4WMwl5FuG};=`^nIFdw1;r&D~dku{m?sE8*xcyZ- zvywbGj6b>5KP2j11wlNxm3B;r*lj&1`hoVl@v}$IL%Ak=mm3=BqAUFf+L`f(aW?HP z8&2C~?!QDDHeycEGtXx;2Ag&7+mwv17Qp%yS|(Quid7TSHl_WG8?7pxSPw5;?rv@9 zt1>J!>1t_xR}QP#GV46*+q93}t}zHj#@_%FZK(uRwl~m#q$YHFpG-;pTE`$Mey%)1q+&Ej zc3{c&X&RBlW51m6%YC+k_FhFc>GnC;gLL{P2u}pQ^hF1I~Bz9p~k(1caN?B|-} zbzY=<(4 zr-Q7sgEksVEj=4c4{E#5@P5W!Bt6D<-|$J$Z$l881BA3kd2WAz;ow1O@68*FocS@P zg4mQR$naRVT}k|f5bHF==(XCtn7Pmuzao;0g%H{j(?{PH)qmrRa8u;l%7Zcy+k^5U zL$*zfi$RNR)v`*t1HDd~RF^6T4pAmCx>VX2Y>tA^SI*@*jlDN^I_UT6dynf_}>NPk68*UE?y6NonZFVWo*oXo5Vr$&k{2ZVo4r~;L8C~W(UR2}AI=XeK#X+%1060%?Sa}IQ9yiJ5 zJjoW*?ovp{S+`r=;h-~^lejNQ4*B?Ke|NjFuB4lV;FaTl%}IdO_n(iU62kwR2DE;z zHrWRJhXBPnIjvf0a(K4AVGRq56cI9+d?`GDfzOnkgX6?+#ar-c=N=Iu-F-?(NXjDPozKV1t$q)8F{0@ z0Mo2#g*h>-zw}#9@q^e1AY>D>e?eSa^d#M6#}}ch-ANIQF5Stui+$GqHFG+N1X>!y zCc+V9RcmnOk`w1m+n*QgDOaujnCGl8sD;QA(4G)A&aSRvR7RsN1_}jh*X&FE5eT%X z{QtM8f7$rDxpG}aSMtY_UrkD&2lZwJZTlp`2#}cW%`=+ggNZxO(Y89{jn_*zUzb^r zz1I5IDApf2;r&}>O!;0@eV`HU>gr8Gq2!byomn}gE0|)S{KI0&HujDlH`|>55c}7Y zO+qV)9fGw2bip`iixx+%29I(%q-m31(toF@IW5iLn?=UdiQ(ax#jHd zCc%G$+T-6ftIw`d*;_p5TWYBMvI=d3g^^`@!Wd8g)z8@y*@Gw`Mnpbe0_}89swhIQ zmMZ0<7pd3X{9o+7XIN8PyDn^5SU}2B5DiTb3nE~l2~wmN>Aglor3Rz~G!Q_gs&oaV zSLq!B1R)9{D$)Xk5+EYd5-AD+A%>hWS-ReJ+TP!L&i?aV*YS^+5i;ADV?5(-&&zIr zxcUP?audfbVgD6!4cZ6OsSYN|z+V`-t-^B3M4PXU0X}(7z zr(KS$`RZXBMTo3t6cmY^=LqoBlFe;m3A$9M$s=ki%!Qp%eSE3A*YRWt&4G+FU-1AsVvdPEPzL-ZC< zP4(rNUs4^fzS%hjKq#x#G?hj`(^t(kg3Bf}Gqz}SOqx@gS2(=)Ml#h=Tn^*~&Y1rV^r`pZ_1{cvlaE~#-Vr*x^Tq#}UiK_?UK@Jp?os-xeJWRIb{p{!kLsA z#?}&JtkkOJCnZHcm?&otzTM-I7-l)R1gSp=pj=#4Y<__=8@O<0VFQq^O+>%TK+Q4^Q8XPv)$7gz zMl#JgbpQ76ZVIc|wdY`H_8NGK)zw}thBucZ`?RM4q&ao<0CXFny{SvgsoiEX0?LCknUtlw6Zb?CX18W! zaNqiehK9IjvXd;B?cYZ8%+C4)c>4#g&K9L7`67NM*YFD%XUHL2pXgK|17nZjykW%` zb^mDC^-W$TwN0CyPsCzX$}F2-uHtpa31)kzfeCh8iLqgzB)bmCtC^vxM-nZ|6*lL5 z28=Yhk_=Xi_vM9XcY3|rx%Y?5YW)WQKF4joRKa}l8<563+7wL1$agE5-@Yj++mvB4 zyb6rh<95D%>Ou6?G)yeHA5-6&2S~22rHBq*p94Y^gS!!eKiT z?E58wpNf!m~0SyK?B7CSh7HI|F>C`&YC zcHQi-4rbDGU^$7N!2u6`&gQ;+q!Wv3o@KMJNZ|h6sd2jiS5LWBOJC(j=$h#JW564R zQ{dsQa&Es8c ztHw`$Cg$#5&20o=DoaP4Bw*#j6`9(vG3~-U(%S`6=nxWLgBEJ?>Vlt ziaW2&bglHCexllHt92*){^; zId{n?9@Vv?K1ZGU`9o#XMl7M)^rBid`UG#BU1^xHw?Y>n$-Yt!L#J?V`A;F%9j+s} z_+-EjI1FbitCi_+ww%7buR{ogb_{rHjdw{}*6pz|f5g>g;&@4D}co+19hIcV}Pu6?-`ciGIkni*Y9MxuE6((*- zntZ_>CS?FnKAt3KbDBU;Z#ivzJ!PETJ& zbUrfTL(aWsu6-kc)K2$gTW@V6XUFlk?y!a0&G$4z?~Sh(-K`!z>tjB#0*>!q^j$_= z^I~;Qch@rkAzqoCCK4Fd0V%!gL=d=UesYY2hR{CangMLhgp|u%j(wLLCRh1CVFZoX7m|;WQSG*Zp9R^jP zmJD_gMq1Y&s3)sV@fO|GH6H%1DduuGhdpozehu8%I9$|Dl*&2-G0gp7Zp0-~0}U)$MCb=?to>g@YlsDHThf}f^ruiZY2=yW`zw_JqKIn<)7V|5 zqU8-a9LGf5-4F<|fE`}Yhz>C%-dcD5SwD>`^VwEVpRMEBlfc7ZAt-IAEul#W@GJ^N<)q^La+%N39icyn1w*Q2%u&`iuDQZRZ$9mC7 zjjF#vEDAM4vnolF2%fU8 z>svxU8uGpFJ=iase%#Lj{nM~T+DcXRfdtse{E906aRIgJJTy8=*0r&*DSv$Q;tSQI z@_z0G(E1I8vcHblT=XA*=}{n(d3ecT`x-wCodj|j!}F)kLPu2I7`*|u%V%anw~>p} z@c;Qrvh#o@^^17(szA}Ex{zCW!ce}g24wB+CoZd@s(_69orwA}+Nph~((-=tDZfr`~5m;pkd2j^S7 zrrvJQOlNb}f$qy=s|Cp8l>8b&)b)qJu0?B)Q4I8Ok7=E`339pAA_vL_rnDxbRZ`7L z%r`2vp4PXtD6T&P3&r#q>QXQx0B*Dz+?Bfubap^!FW=2TgFQoocH+s6#&}Ntd2oQH zE{Un1D?RJMz@^^ZvJ>&TA0%4R=~%sBu#aE#`1~fy14Jx+3x5ns zvwwM~ieV^zL0R4rr z1p=6UlAtZYC9P)3Z451><>UQ4<2_ob#o+B2(6p+^X~?lxzpn5!VMYX0dAE8p78s;~ zfq}`pF#HQ5*99v8US3GsGLIEDJ^a@^FgFg~-8@CDLtECK$5{1has+Q-?V<_~@W~A@ z==C_d*!mcksQH&IPeDA`tv_uND?gPGUOB=cpm&yc=n%N1UsHh7_NYD9rI4330|Z<1 zzT43UO94Qz@2xs9z%vg95;f72!bnllZq0TfH|JG~$eqH2!hME8$Q#+j&1m4aO;fnc zzrXXs_L~%^BETdCie-u~3GBPcOOQGYJ^JHVmWI7_Lru=P^+h)io08CUd~`8algy8h|)gG+|LUOt6FaPLB2I`2zk z)qaG}8-cw@(!hD=XXt9Lh~E3>)%|l0`@fiOSi!ALc4!N4oNS9|`t!KP4`c9>7nhWv zfmuQOED+MB0~{9^c3%COPf|y3to~cG+0N5Z1zVeso0dOE{lgS1qI#D+@3b%eH+K0U z_7@(zPW1Qpr<%QqEt_P~b;vbXG}Y)jc&0vZK1&b|rnIQ=E$xE;qV2Z#1K4>|r)r{N%^FE13WH## z8^aFNj&xY`TZMERnrzym4bs7G5!;JMWhWdMQ!&8 zxLeR4RPR_u18$$YGS^;(=v4=WWtjMG_4g3%z1q2=I%>zvE9@86o&5L58u;^*-C*TQsN$FhQo2Q7669Q6 zB7*pf@74scmj0aTM838>BQtR)7nJ%7NbZXK;c`hZqj^Mle#ot`aE|1($i$N$w=@H! zhbH5)<2De;f&}v>@%43Xc;F;I*tU4wEmI-E$FC@qnO3xAupc_5ze+)lx)e-%1OUGe z9U(WPAf;w3AzYS=3d-Z__wL^^KQd$|tscp#!0r3%B2b(21>*oK1DBz5ApQed57L=4 zz<5)Be_9PDa>cPejy@&x9X1TK%4HXHHMMW6 zHd}RC_QggezuovvlTfYH&9VM*n!8ESDo4@S&>vu=EN6n(;K^f^JmB+uLkC!vm(190 z)x|Xsmfyzi*dMsdAyU!>FD&ESdo0+YkfjB{yF^m?C3WAb7sSD51K-tFKK%q)As-Yp zSvx!U1J3%thJx{$;*V=?&Ytw$ zsCXn1D586!`Q!JJ>Z!87uQ8WdI_Q#SeaMsV{1|AgZuQX7a_c3sC}(~?2A9& zwN4iu#i0}y{KqR0W))>%&6M*N7;4|jYB1~WeynR# zt4}UQtn6Fa&`?WX^(qKwdwGsKW12@OU#t!G)ena;>#$kxNN34eG7Dpn%krklUUCG7 zeNR03PT$I$e>SgBf+}0j&F}$uvfmN5WWSG6Aj18S{=0D?4DV=}2HjM6mu*06 zh$-jfK?3hNX4q_l%;q=yt!o4n? z{TRx9^H|7vN#Ck^^hwsG6VFtwvUddl=bMOrIUHb98aXsrj{_o&y=jNRXr>o2|0cLR zcB)GMH2q3~_NRz*~Mn??i1ieZtf z!8!<}EJI78JZpo4^z5l}oYdpqLVFh;clbQ|GGbJ69gNV;Jyyeq&Xy>i=)3fqyk_S= zK2598Cn`_qEQZ@P%33t_lDN-v|u`1n%9CGCmjdId*C#7-yfH!)6=PJux z#wg~DaKHCp9D#%~5G};4$Hvq(JFV7tmq4z>U^|*kv}4(WF1|blC9oh)g*FO--BBx} zM+bK{V-WS^=V8km;aV=8l@7XcTcbE@INzy3O0CbmL3O5H>x}LdDClICd)!mdqy?Gv z41KHPYBR;uV3q0NL;-X7cLgUmyV`WQrMYJsyT#EO;T>ApX0r9qFg+6z4t(7*YUB@_ z5nmhTY_qQoD^ArdAs?IhDh^<8q$?$MPioH&1jhJ?C`IhtR zVYpU~rx%qqZ|-_8>dqUa-H`e?n069JKCwuIPn}fL10%<|?Nj?nhFQfvF6(-cDp|99BvdSyP`T5JmG_kR_ zw>LICQjP2^hV#x{>FG}sw$?WPZrlfT*0p(wK%B+Fk>vbqWPr+Nqs3MW9N$`Gjv^$Bq741<% zwm$-kB8bc@IA)hoN8{#t&q}qlDXS3gemvjt1=(Wpqhh_RTa=lZd4D`UDH~yEm?%uK z%^Diu4HQiG`F!$OH;|$()-)gpPFegFD_02TEqczNv$NOXqqkl8Oqv-;5B%LLl&n|7 z2i%&Tn^FnZLXM&Fq>a}yUHl;WN`MOY}NUBoRsx!*omRL`>?r`pN zn#jo-pWsXuB-15N6b8;NJR4+)9X9*79$f(eBYkJtq% z5?|Q=={i6>Cn~jCn*2D%%zU@7n40mc!)rm6dm09(!INPP=#wk{v*7k=UZF$WLi2RD z4&f5T{Ju+*prWVr=DrKZ6xC-Xl~i6TiZ7Y;0LD%bJcu-=zq9rLH;Mr2NE@oZteRQJ zt6j+r*IuDKg_(p7S33VlR{3+h!rsDVAXjZ^C!dTcq3t*c1VSI3bkfKcOh||O+OriY zmJI1+BeQzZhwHnn%lUKHZNZ~CePe~0>{U$cdq1k)#u#YRQ3&(>$aT7C=&_<>TW=+& zU_u#g?TTXNC6`&}Fa(Ia-gJRu^U{^3x~;5c2WqEmKlC{4nCle8FY^U|b=|WHa-9uR zINr|`^{OYcP60=yRH!eQigWC47r##B6tdcV=I6%O>%gfpttL@krm0~(mp5?``>9r= z9HS%#bbA@$<#QX8^;m803aifQWmRH{p#iIaje*o~sgc>ot*fbH<{iYA_t8WK^SGq@ zE0nOvj!MB((h&v*Eb-q*q|0i^56CTr-<+b4$(y^Z{E;7~g@PBdg$jnDeaa{H<_`;4 zhufD(>@UH!ND^cM~hYt$f6jP-NrmYmjacG5PRzGJR=?mDSEbX+)yh^&OiWkv55zyT zW2k@(;uWW{OQMvt6u&gxjY|i1pf9P(-MNwOR#zW0b|O z&vHF=NdlI7!UKiLqj14e z-V7E5s^$gO>ouPm$f`x>IcPc@*J5=Xui#L2cuvOdDmr)7=vWq(ldn5($ehpc$BW4* zYYeOk6RT6Dq_(s>b>HYocMLjzPX-Lb9E8~7OH~yqQ-rFLf=Lmtfn3#|x@@l*C{>`I zXjm7hl2=ZkA9EgmTuihXYpktI7KNwS`DQ0wXn0W z#xsvNN#D>>8oQ=ozp6MmtESjtoBiZI7tc)Ddd11y7~|%e{cpLBS;V;!&(m9ab3{5Unl<;)EtY4dt8#uuY1@zP+G~O;rTDGEYVzb` zy)-x6%iO8#*82@6n@Y^B((g9hP z2sW4J(vQ`nWu@j?H|kdPUJkOz+Y{bNv~TTe8=p(NFlvE%ImkU&Q(0hajjq0Vl6s_4 zyGZIDLaSNH-FT`po@X)98G76J#%GqRTsrlb<8wM{a4lCuqQtv- z_U$F`w_oP`< z^0nK=LObQSPhYFjez!36vK4M3n#aaj4Z`wIUVb6R9y&Ww>sYScTei32VQWnTT=7s> zI%oIY7aD-^2hoSLy6MlJ!l^;q61Ki#Az#>YZ2qNdwr zM=#NgaXrheu)_a0b zK1DXEqP-Nw8dvBxjs?cJSWMs?vTii%`Yvjr6!;!FE0{|tGf6mn5=dW`Enj?+vvqTU zlDGdwO*a$P;81}V2Z5;(Lt6tw_9`bn9G|a5+p6llIfNC1~bo@6z+3~&3RvjVB=Z63iHd) zjFbqS;lpzrW6fn2;T6d{bpxJI+oN`+G+cS-j^5N0VOmm3BNGu?xjZmiAB0|ct&}u4 zX^#kjzXO1{q6G2X@;^9=im)H}F3*v?^BtCD@;CR|{2~!{ta3eX8)4&p|67c^$TY9v-`{Zh0&@-EaAjo4`v_h4&%1Sl(Vz^w_kM$7-;Cf3#%KQ|$$xz&`q%Hz+4pgX$ec13Ry%V?|8HU61QgEr7mW75K-T^%KZ3zv zfiCXuzFj~b2u%3Nko@Ua<45nCKpn;RVYtds{wav92>o?RSu(%Xh5tJuX#2$fdv54I z`pEDgFuLdeB8|XbI!6IK2-1em|Mj%8)-nGB`}2Q+oc^CvPXFdX8$Vz?#<6Vm^Gi+{ zci$?2ERn4x5TCg%o9fC`%H#{L{udGU{}InMK4IDDoi7he>EjUQ2wGTPgm1?LL4f|& z7SQXBk^G?WejL}a`6Yl66x^UJ16f2P2>lWIwpE51{Q#lcjkq?XSrx6KX;H4;Yf6L7 zRYK`+(ku6ru>fdm_YQDX(u$`?L2`iisA&ID212_eWjZ2mH_jpfG?PLJ6b}A~E zu|@X@cC$kgjWqeDA00HbnYHm~4BJiYH24R1w^;~;f0wvF0dw_Pe;O3Jxs(A!AvlxB zCohKWmD@wLtZ}`-9Q{c^=FajpHury=5e36BpNZLOc_hZ*wZMosxKj-nX`-hehgXdl zo?}us>P(hcXK1JjGhGEJYBOkG@sJS!z*>lHQT$SseH(~5tUWF*J#m})HsmCXs=q%TSLCeZ(&AP4p~0|}O*Z{HRDL#z+=LvgBu$&We4 z6cTtTm3GzE z*|8fSfBx%|5&-Oc>bc}k8Q0F$0hXrg^}_T&*-CWWE&&#M&OIkUv(a1KX-9cx3ZVe~ z4!4a-jvAotAd-}Ve*PFkw1;a!^2TY9zV8h()pW<%Rx|#=$>u2*7Z-nsI1h%<^@ts} zK;+3HV847s%}d`kox%ei(-97~L)tjzWZ}$9@xA{4WNbGJnOF{gnK^B&m3uc#vH*zA z#{B@?JF9RC4>5YDdVr|24Sj4C6z!X|mHqMV6L}Co4dOm3`cVgky#9I+tB<8ewn)UW zy(fCPQ-NDoxG{b!FESnN$C4E5rM%&^6L1U8Q-!H*&wfhBd zIh!Uwgi+6UrNaaEG(rU&KCl8Y4G_zly!+QxW{musEb;#--~FFXK02R^aEepnFYgHb zi+?x#V3>j0e6Dv`h?VrMqx_a~@NeGU_m&|3^>K==s-DzuwX__dySFE4*P@o3 z@~o>6lMV*R!0{o()Z1tXTK0ver(htMo#j2ZV{YeJwPFG30Vx@2Y)ZPn@1Xp`r&9#Q zJ2?3CNdo_+EF4c`XV2K2(cZ=f>suD!VWlqsil7{h3-b8(xjlUmYIH;V#Xdb<|Gt_Q z2RTV5O$v}eD36#8d+lNG& zhpJolMTToJe}U%r`s?k?;+P#-5usXp-K!dTa;`ZO1sWV|JfE|Gh%)z~p6Fo|OL)yr zE!;I;Ky`T*hGsu(p_~86dDH=R|BzI#BV22mqh4t>+C7`}Ap@{MTSwm5MV4s31N2T4 zG8h`SOc7eH%AuTR+Q-FVTg$1WpKsUkXVew?4P%Wx9gAG(x?Bg`&uH=?P2GpnVz0+& z7xl=rS0g1r4ssMS|DfW!bbHm;7!*7Py#gu%8tPe(B2ZoIQ11DYHQw7tNL@vEMr~Kz z5K}HHxbV+lkl^>l0|$f>fj!BPo?i7|+*f>|#?!7PAFv|Rj_K4d0p&!{-NPJzQD08) z;sk>%A4`4cR$>Iocz@Ai*oIk6h84`18Y*YgIR6m2TGbc=VDvYAa^$TSFJ24_N?Qry z&v)=n0qqT*t=^h|HlSOmRN<<~zwV4qnuVgG|QxF&o5WQ!bFr|7*c4O507 zQk@5%wIB-;03I>NgVntGO?W#1t`?VSE=j5>?5e#gzXlZXX&}Q=|8vlw^jw1r(Kpyv zAaAfO5M$J7vD>bv|2tQqGauAiic!C-urfPyRk1HXuOgdRXSa!4(;nTNM*_J}?=b4{ zcz3O%2=ha*ocS`aD7ZnIY#&1jQ7$mF;21_ zS8dVEBzQ{l)!+{5nXiwK>g)5i{P^>CLF<~Ij6oiC8a{k7e5Ex%JynH#ugE8Q;Si#r zt1EvckMIr99&0ppnl2@AVE0KN01v{u9pz(D(CjdxTGMno%xGfR(gqa#tCJPpDRgnj zOXi|e_o^!US9%fZn(8s#D$m*j3OybM0nO*s@GHJJ>NPypjfhNb=B^F)Xq-N50f&<& zrKryfkPd7T+v56NsB4jVS<@i8_&c{BcCJ6}xLqY#1%7BgTo4a3e*)QebgAcr-xEJP z_yZp&O0Dc8kzFg!UGeoQe57v2(VYQWlPV&ON?BB;o&o>#Bdw>P|G;VPiO9F);(Hb0 z_rtwh?4V%FU=mc34jFM5xC)2T;J@+Z?m@fUF{s0ydq0 zX#o;pE3QY1-WajxIlp^x)0MCGa+s#Ilax-vS_$S##|-El_Vsq^!h>4yl1jT;S!+sV z4TjWc#KDq_A29Dbo23=;_Q=b~Zo~AxAUtVOQLoqlg-$;tC1Z-GRaOjgG41wa zJ7=xQ8iuD0g*TjehR4`~yt}(#tZmxjr#P<_w#e1}=81$v7PnsH>FMhT1q!+K`(FfsgOKHpxE zTe3EmUsKl`!n2*nSG&+!&1wVZ%-b%=2@8ARTzOhEeESx3N+LGg9eoAnha;|pzzBpN zJ*Z4A-$>(8kQiH&H^r}zaGM1yy2kB8mzt()?2GDTxo!p^cY;gF4+7g9=JRzore<>$Tvho$0 zD|O`6%+zJhX%EEs~S`K_8h} zRH$&6R-fPzKO1v}vnSPzJ*8Qjqxerz!V=dMqxS5!q9mL3;P2mSSbx$QQVu)--DJK$ zSq}{mkGVA0s0i~prSgcDOuQZ3P5s`xp~LFGa6C-aI(!$8g8AzQ_l3p}FYaaWEag8r zcuGul_F=8uI5$PdI#QU7$i4ke6)|i7li_soSjopOko2hU1aU^G>tZ$g`a$U`sVK_VT^h> z>1qyt3l>gOrHT~Ip4kxs5LkBRc=xSccJIop>xxYx!N?Wgw_syLBgl%V9kiP}Nrzck zAAj2tb=B<$PZ$gHg&dzVUqD{pBb>c1u{fCe=z7jVwY_$`f-90)BMi zjGpC8an|#1u3h%{Oj>4;qa0XiDzU0ng2sZRV*-G3Y0T#Es*QFHb$h1`7(H-rk&#cR zf89}wV!-IVa%Lc<)T-l-eI0bV@|bCd9V_U2gs@fUy{lXAQW!_o!nauP)lJ=;O*-d` zL6!I@TchzD(&_AGq{JYXN(lnjLh{^(3}{0;m78&PP0p%A7K<2-T~pmP**mhhFMc)u z;ac5VqRJtbfzNAIa`qYGup2zZ1)Fod1oK*L2M7~G64YxLZ(5xXui}q6Ygi& zAA|LevBwPD-pmErX;Ex~DKiz~D`5M+5^I*L)x2i_P?4}(34jzd2zA~c5m^*}EwK(p zweH21ye>o#Hr;}lsR{23ULUSkYGt{#us4;_&d=k2ugpQ5oSo&EuTijNUYQdWjMz%7 z-IGJVkP`lB4!p9eJ$jpF_0Ewu5=%?I@r=h9hiZ|(<@4|FGt?w463+=p-I3hsg%9dt zj>nT76p5Bv=i;b}RmYS&4HXRcJ;Ma$Gw-QAOU>y=xs?l0`77maybjrAT0#O2sF@3W ze)9@1))TkbW+ln4kx$G#6DQ!(f3_?L=<%1~5WCPscJj`GI5kSiF%x2f0UED}ca*w| z9LvL@^UFishs!2vEJ<+w$|CB>p$x(oQ zwUS>mh4Ky+;<}Z8dtdHa)m9K_dH2&Pl69%t-o4M!5L7Co(45m3G)NJZH5(rYGJ57l zF(h*o#SJ}b!Jy3MkC1(?()6j9e^xOgD)a~l!7_dx8Is^%gMWYgs$P{{9+AmIHmyrM z3mIRqCmc568p1=JsVrYVsK4e~PYe{8l=!nfj2mldHr1Ws#%gXf)e{aIu6X%|?iv?V zcUlhj;OT9=zFS-QDM}+2y0cA}OFM}9bioAjAJ{*op z$s?fJi%#b;Ke#^^6z!q9irKCgG?FVA5wAn2A^T4~)ep$Dd~i7}^s)=Rnrt=d6)T^V zQqgX&i9B;)Pi^^TdtDxf$j=k1QYfiD&mWzB4&$*lOU{vbvtWX=qDs%x^WV03)J!}< zu~R$;YnJa2eHJWUx2|ZKqm6rCIF2S$be^R5xUrm`p{9 zjYy=4)b>tsm0MamIM^y)(ZGF(xQET~1=XZr}lQ=DpD>3lJE@~_Hxhv^QfFVrqf&{NiN zP135HWfscQ`MZx)IKudD*Oh}Z!khz7o$cm3tHWJ#ZZjVlbkl2Y8mQsgVTb}SNr=5> zn?3NWDxqWW_#1c_e@^x}*ulL0U5GmgC@!^N9o~Vb4Oo1#%N;=nf0rWvB=U1q?pkQZ zy&b(g5QBrt&x5~&P$Wa%-$>I9d@N_7q_i}4X66=@iqHun{OPfBg>!qQO8+OH#y0-6 zdh$15^WO`BxBv71=O0P>&KbhPS$Sr{*##CMr@yY5+0&Bp^0j=B)m{aY$lCGPps$}lV2JHc1#Tt@c$8Gz zmAmJDZ$qH3eB(#W3D%F?O5OMl@T6+h-rRpN4s%fh9fJb{UsUqI#wC&OKL1~!eu$1F zz`SjV@E7)&G^ zaul)CrUV#sq7*1e)*l2#(-=wsN^7JQ0N)FS6cj*Goe$Z~wk+5WVP+s-Ix*m*XE4pC z9_Z75bgV9sNH~#NTdC^4`Y%4M#(0hy>mT26^*oly^Y;`x_n=QLH;SUHbhtHiv_TLJ|2R=k7+ zz8zPeUpQe=H28xxqNNLLo0Z;9>|jm+F%_}`lJiRdaZgGg>-ZATYHX11T-9r&5S+7K zW>xc+RPVPis=r>eXpN4sSp-g_i~qbcFP!5{i+2>oNn2T1MoI>PjaJG|`u_OMhfr$@ zi(!a>1Z`}Z09m%7tX)6P03EOZ+>{wG0qN2`L9%fFPg3#E$#b$&X<}L+Xrf}c553Q4 z+he9I&61#V^cbR8`gxev-q=zfR;fW?q*4d!?$4GVA*)V@Wuz~Vc28#%I9zs!Jz*9| zb!LXrez(pCGiam{@J)XK;;W0&M+J=q^7aRFeRpQdg_?_6K!R6Ki*v%Dtu<(r(Krj4 zx3(})9}WgWA>RE?Z20%nrg%q?dC}ed%PBT@0#W_%!0Be#s6(eV<7WRy`-@;gcw>6d z=6uUROV50OO}tT>c1W-Fp`IKM04R_u9@Kst%39OeS^%yptGOD{! z-qbLf$ry;xqCQyn0$Kg#H*ci#)XgrI=a&M^S=R??upzTYr5VU`CA` z?^N;t`7?G|6QIydsnQ7R#c#~W<2TXH+{NKK(_0&DkNU^EirTP7!Gwpnc^7 zxAL<0Pcd&b1cU|`mXE9CO^AD3Unp#ds{4Hu8aT@TRv>V*F$$Z@1qkt)O&PJM^3Xx$tj(Wb$u0Fo$bF5DjR_b}F;-I4TlI+8ZEVpnm~a41K_G7Dk>}29!ku z-~^l#af`or7AXb;IPn^%JCpr8DNsCrnN59pPsT;&vK7iug+EZLKY?b0>m*h5YcR>s z6;09)FyP&C_;l(IV6L21%{{PGmk}7WCnN(}Sl)mA2bogE?GJu8kqCSt%-CZeExlHL{T9$EGr<3_tY5DL_&1XdGDgT5aDA^>_2-7p}Vil66W+SCPKj&&H6LZOnN>mA#zAe7Y75 zmVmR|f7+G0jepxPE?>F0V->Qc>bzCS1MbR(ezb)h@+rr>6mimuPlal2dw5>uJOR1d1(|-p7D*-``r11nlOBx*Xo_!? z^Ul3lY|%#JYk*Dh#QSJuBe%fH;ti}LOSg#-VD3 zrq5UjBBOy`M4A;8f+uo0T*ex_wrp0PidxKgz?)HZxJr`;QY4P~g?iE=QqVY?X!@9y zN80!9QMqr2gb-Nt;31Vfo#H94@|WLrECA+Cqd|Rvn@eiN3Cj%7%7;!OSS}R_;(_L1 zP$UuuTw4L4|Kmec=8IFnO#4%#Zqoq% z{n#9YMmNI?Ks&-%qmXQR#gO3xIBR>I+Ykuyb_-)YA|^8$*S`SSWrANO6(CrLL=fn< za0hEUtrDO1MNzRO2-fecK^0>;hP13e7|qht>lL}4U)nBt*9O-K0GYblT{?AWr9}y- zE4AdO9$)lc2es1B5-|5fS3`{gg7lx&BEeI%?gl26;cPZ%C18AU3T^AfPpG<>GHNeV zr4J6WbVcXPx&?OvV3q=xDBbHad!XxeE}{;dwVt`lt1oCkdJbJc^S$f|Y&$Pu80{s! zasDzBtU-rf{Ya1kpkY|#3g*%IL?}j`Q9)3jod8dCSi+_vf5EolwnIb*WVYQpLJk_t z2Vw+aLcrkhW&zbvxLlGpq{Rqc?DsY`?J!;1R@^&uXi>NnhHfC7#u|mJW6hQpE*DQ# zV6#@7N9Ef2Ks^6e#ib8wf(0H!UicNRGvXj{xs7Hmh_-F+l9QOJA-UtW?MZNizhdUj z$$%d~DY4Si?^xGmjRPT0Z#)y%kPQNlHZJRouCLka2EdcZKM(vRQPtrTn!mri&1eK- zkC^4^bB8lWN?N&tUH*MT1#U^DP*?)Cu)qB~m^Y_qBYH_tV-nAo55--P4(m{FtC1Qf z+MXnRIqaPQrhM_AoTY_xL{*lcoB`+FO(^gJ%J-8Aty{G2hDZ%~8w`f+nz1p;#lr?r ztcXN@H|{sCPu$Xx@p7P9j6Yz2X&r7ywZS$T2w`DtFy_4QhGsu4?l0J9gG?2$VAlil zIb$$6Yj&x;y0KDf8fc*l*HqAF6$2n-WXw~7o&d9J1e(>ZrzoO!E-b`->5r&QdEtwYQKhAp-k`eo4pS*0~>|$EtkFFm_88 zT@>IQb3`_gGh46H%jAqd&Kixj^q}BL-~S$!M}$CQ zG0&~R!YXAEm{3&9M!$OToXQC5csuK(zV>{Ws8>!K+t=$C#N+zBIoakEx$K6?Rm^8s z{bjW)#9vYCJ%*SXw<=zBWCVZ=yf5K>Y7u*_RCQKrgb|6b-B@LP8j@d1JVAUILCjUa z;RzSr@09F)04sI9mNK`zGi*O|sJqpf&2Uoq*j%c&l!{8&0Vfl_zO|yh+_oBY9g=3#_~^Ros!pEQX& z?c2xT@;f4*B>m0Lx>-+N;xKlJOJgR${!zHrWPt3ZRjFL|)b-b1*_oOyG(`$}gm2dA zFX+ecK8H5vo+6_hk15wNElD-J#Q0pR8N_%1c|d@>qiM7_9iiF);-k=qN;)EZE{1hh z4Y58Ff3+Yq3`5EZT081C2Y==HS?O$fWvsns4(Wc!+;+E3G!yNGId`R3w4nkiylA>+ z!HQB8a?IgKVM0*u!YYB@ zcJwO2vti{XK&!PUH3p$I`FL=tblng}J!jN&Vvs59hz9jNiWJ&$VIeJh=urTB(VUkT z^#|k*S184k0|@~&&p1R%_&dT*FyCt9(B7$T8*<3Fw}2X1vYumaO?YHTRcXG2FVu`8 zx2#3S#Ip*X5mwW&(HL#iph{*gTxE`L?Wt2ChyX&{tJg7ig~KIyl#)M4tX;W&o~B6Z z3903Hf8Ume*_Afjx^Z1GHen4-pjAKl`)PazPMy2GOsUu`O;ur5_CBUm>Z>ZxKfuuI z13oL9?+LZ)X<@t2huC&XqcxoF=A-UBUTR^Sc3nj{*VBo*P_(@8L&eK=wv*8*;fzX>mC{ltFkpZM6^cqoV2>}#HfRN-Jf_mrvaqqkD``&vWf01+c z+Iy|t)>-AZnq-ZF!oFvzp5{jB@LEO^^`Zbs3#Tc$6ZXy|4NesN(&O`YD4#6ig6vO` z_SoVqfHc$th3C~ce?|4%+jqY5m{)-Oap^0jFx!>)U=-IObyIZ_%%tr>`|;6zH8xxy z=M?9wtC@qlYU!U_KpBMty;ke_9)DD4!83BlGHWvNQ;2%gvzyB~_Wbh#=WnhQN%mI; zN%-O`Hss|+BliEQXm`0yf5poAm!~AH(R2fjbER!jdvbBys=v`rknf{8HvyxMbWQnu zkc+&lFeaXK|5jXH=^7UeSp3`i)q?Z@kBlj<9HT~#;05k5>iqK?!h`$z@PJeC0@r=B z6Rs=4*Z0bkndl?!BqZt4WPwWl=-vG~He@~;mWx(9W8*yb1i(Lq8R}fN1mhV3-uZgv zUBBL;IW^%J#5R93wqwy(JV0AH&Dz7?F_lm3Lb6wNGpYnmL|LiQgcaX=*!V}43~VShyR`Im7fnu;Hce0gA8jtvtt zS2@BbWTb)pGc0R358)E$j5>1t^QFzst1gA3vJJzsJ=Z<<%lw|+DK@$*-aYYr^qP@8 zl~b9@dBv;$FMLFEQ@Mb);s@z^;3R{s+;tXSO?7!Wr!@iGYt%R{PV>FC$lB>5RAG#N z?#s5tp~^MDZ2sysLnY0jCpqsx)C?|K(K`Wwix#*}<%CdO{Wy&N7~PDdOP8ES54;BS zlla$ISS@{Zcd5h0(z3bp~qh*sak3k|z zo$U6WfHb7CIi~=bLH3ZVX0XRIEQ>2^7QK zHqYWA;};GEOT44dO6eq0wY<9kCotefIkI-A_iB@r zMgGg*FV5jcXO2qEgq@0SITmp_;!&M|H#*xOwNx2BDMJ1HYuc!EMdPQa>nYx<07%de zW6rmqB^dt&stVf-^gni{Xh(6cL5E*Dy00%!xxb6%!CGFs_L@X;fdC}{j~W4aGX>_> z)<3|od((P(|MzlOVE>IXg3Zt>=>N-gbm#9$xjQyBr{f@DH9({5xBL+m{o?nZUa(?j ztLD&E$PxgkZtvq$p?W}oj9;}okf~Gd*!=bf|DlGTJZs9Z zQqM{GDEF ziAV$0rH|U^eA2mqqC(E+VSm2`lYEXNpR+3ahfm zD`u`6Y4Aus$?Q|SAVMP^I3$5ew~^V}QJWXx!*WU?>z+!t-u(grJQa3+e$}!H3JQ<& zYHDgMib_hvb#jh??(gKSA$SoW9^mi$zuUM6z(W5n^KH|3#I_2uO`QEmOy~P7Y=`BT zZ6E2EO#b$8&(1#De(2V6F|dX1-g29B++s;4z*@bk_nQ4z6dlYw`_|0#FzWbkH^_@& zp^xcAS_pvsu0m92y!Ebip+t%VT|9wzC@2p^i0x3jcckd3Hd<7OmK^Lu?HI2wwX1sT zHol&4!3&x;Y@2(aKRY|$k_8+O`Z zGf)?)dJ-PAD!5o0HS^uFe~ZFu>Izl98PhfKlzMS>>|$xtA*7TzDDPapWi7uJ`sg#3 z_d0p8Gl|Sl8DDMz(K5s#v|84XxC1Ra{sG5+!-*!5gRHi;Fkz|&OI-`CCafM*6VAvd zgS|Sf%6cZ4R3}IS#WbXikwt0q5Asy~!4v>lH|I_9iP<7c%ROlbNBR(r7apT`0j^NB zsYee$O;lE6sMP{P+RDSzV_#F}4}7t0m9WSNx>g_OK1tX@2xP1*tAU5&weBfUdMxl1 z0j;&+SSZtD<5sJRD96YOpBBtHX`*8C0%o1soaQRhz{?)Fj5_(mJ=y&Peh z753^3?KzRC*e4v=)fVP(8i0fNgKoOjE3@fh9|dJhm&s0?FEH(qDVVA^9iQ!Ftz1xQ zUX2)=LI-RyNL)~{(?29p^gvspD?&o4X{aJeNm(eeb$bq+m0rSDdc`Q~4BxOezO$mEW`|MXL536r!EXlH;+xueEBRKr=na05y z$#jC3+EgY02iQhr*eqU93cF$IYqu2o*(hKG0;YB1eRRUf%=!}6)S2e`OV(iDKfad& zd1P=*2*lV-IK1VWB@Z>ZESAv1+2HnNfVEs}ys4;p72kM;1HmVBTE>Vb1-~NLO`UBH zB_md+k6M4R?RdEGjAfg zMoXCZsS6x@$5zWc!tWtub(boz-$a@IX@wa-_NnE4u>`H%uV>dz?~gE;avOX&HxX2_ zrKWBrzhI0jT<{{ft^TzN#SSGP>YbxUNq&MB+Gr$yXdh0>uKbC6-wNG3dX<&VD5p;c zElo4l!+*1*gtxoRO^d$PcK`Fww7ss(%Ieog4Cxx^Y#1VT&)btL*b!n+==!yVZv{P! zyYcxG-KkT^yklhrYgXU$r;dQG0r5{ckh>Nhe012l7Vz!=d)1q%jskvv$=PuF%8J0J zGpTbn>dAa(q;3NEitSVst(t)A&n7Ce-Mrdd+iRP5eTOPOrBmDs1h^fR?bC3WVv>0>!rhE7 z_fFOJ0BC8yZJ8m_m=`YHDZ*!$GB;^?zz6&#UrMIOtO;RX&z8y!{TS=gmA6@uFKje< zH^)9CX~-pnvsU0>G(4lrVREsEmdwuw8u6@t%R7m*&+;Qqg1=O*2Bm(#ynrPE1lW$R zjVd|DwPbc?ZjK*RaRRH!D(#zZ4G&2IN{oH5ZG3r|eWSt=EKQeA;F}Y5l zNxC#Hra|}wLq8XU)!jG&V$}YQ{S&D_MbO}HTng@3Rb|SEnv`z%-=c)dZoV<)DAT-> z_<%Nj#Benxki(ttgXBW+%){x$x3wwtxo5-sj0_VKOHxKSi6Y?rp_?~=?1M@GHAMbG zEt3fW?kSIMhj|D@EcwjTadJ@p>u111sVKQ>*wp`%lcrNT=4NklCuOpyO9mVIM4zVx z$42Hz{q{t|y7?J(^h1(xX30h@TqB)g5;zw6^5!*nZ)k-6N^<$yW%Ii9fSHhtU~CxP zsFu+@izOcq5%i5_aM(dueu}x8#w$V*IG$Q%rc6Lbs87g}n9qWJ*2XS{UL_i*soyeAJf)mqR8DPNhfvV+nf6l9fkva6SMYCLb zChYYf?TAqWF>Isk?2f0L{l&&1c63J^FH#~5Z~26ykeb`~D9g?4-hv@UQ+asbj2~Bd~s1nr|7UwiYP(KA3!WNY2?q zOX44WR-7a((aT*l!-wPmkA#bCb;IH(mvE*95EO8DvaPzNral?v=iZ;$(2!hjt919n ziJ_Oon|~)DYxpmr3;v-FY$Bp9R}v|qzyVMj0B&+i+%430np^jlwrif)?kKS{Zt%p9 zb+E#;OGyc6N^;FcU-MYJP@r*oplaj3cS+Lv+y|Vz14-)f8ShL8Gb<>p*1f0E!rWV{ z!^)zE68fwUem)qJ3GD&N?b1M5E0yB2ut1kjR`c7Eg#Z zII&%2X)shr0Nm|Ayhes+F~2pS?zS2&nJr)$Ycw!Z8sa$5cs#MK5m^Q3kgCJ3m_*^e zd}La;Glyt;vV)7PW$&$9l*P|chBW-cFI(%9^WgA$2XR7AGXqv=^OX?H*Wlq1&cHpz zwCpuUgx{h8+S$DUVH8zlTr|$W$;qjGq`lo)=ZdMwnuGh<6n_5p>FH^@iD@G4EU|Pb z`We?z6N$2!U(tr*kLdoPOTxfFN|Zs2Kv(e*a?B34CN+0ew)G_k6x>dV$vNPlaqu6IyS zP@a;V^qen%wEpJ)sq8khas5d`9?bB+k)I++5|<_ovTcdT3A0i|inyQq+Q3 zjjIwULYo~;(ZxZGy2Iw>)HyIHVsF9@LnuRW0y@P-kj?C%!MeGdIQw<8Dy(J0eI6K9 zjLrAmfemvCN!&cH07U@gu*=yBe^0*0sG45`1VvU?+m=aJk5SNl^RYlpAR{V`)+Q_@ zWO;7OiTm(jh1>H@fy}L-Zwn(;c*b>VbI;`aD$G>+)}t&$6D=uE*<7Hlgkin=XEV4ahd$a{OL zn_lB;-tb9>Fhbj~3jm38F8IZvSOiYBxKoSKHDXT<4m@D#b|u}75PD;$-Z z^R>`f^GOp+QV}%pRdUQ+ADz=S{6sHzS=SOOThejfb0iM6GyeJ<$3nPd@wZ{yk$aeR z9$3|%JW^B;#Z#w4FMA7!Z&w6eYfrIZ4?;ox$iM{=g$t*yg+42b7y-WK! zMqgbVUTv@W$Zhyax>l;Y&M4en=So{HKr2flRbHgE<9wZL9=luHwYPS{7Y~u+I9Z62f$wq}8KqF)sbrX77WkKNl{l3RZB;0=g1>`bg!-#soI#98LJI`i zi8Roa#mC3#PDS%2LntJNU)cR5%qTm`ceUr%o1W_O=75D9Ey@JA%;%A^t83wb5sGpv z@4jZwpoC$kGr`jmVCeulX!2qIhiFS23{a-F2?L8@_v0l!}Q-$-pi(d1TnkvFn!5 zOMu{yaT%@JIHy`{L8);tH diff --git a/website/docs/sys-mgmt/events/index.md b/website/docs/sys-mgmt/events/index.md index 715137e1e3..b872f72f7b 100644 --- a/website/docs/sys-mgmt/events/index.md +++ b/website/docs/sys-mgmt/events/index.md @@ -4,319 +4,14 @@ title: Events Events are authentik's built-in logging system. Every event is logged, whether it is initiated by a user or by authentik. -Events can be used to define [notification rules](notifications.md), with specified [transport options](transports.md) of local (in the authentik UI), email or webhook. +Events can be used to define [notification rules](notifications.md), with specified [transport options](transports.md) of either local (in the authentik UI), email, or webhook. Certain information is stripped from events, to ensure that no passwords or other credentials are saved in the log. -## Event retention +## Event retention and forwarding The event retention is configured in the **System > Settings** area of the Admin interface, with the default being set to 365 days. -If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention pretty low (for example, `days=1`). +If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention time period to a short time frame (for example, `days=1`). -## Event actions - -Whenever any of the following actions occur, an event is created. - -### `login` - -A user logs in (including the source, if available) - -
-Example - -```json -{ - "pk": "f00f54e7-2b38-421f-bc78-e61f950048d6", - "user": { - "pk": 1, - "email": "root@localhost", - "username": "akadmin" - }, - "action": "login", - "app": "authentik.events.signals", - "context": { - "auth_method": "password", - "http_request": { - "args": { - "query": "next=%2F" - }, - "path": "/api/v3/flows/executor/default-authentication-flow/", - "method": "GET" - }, - "auth_method_args": {} - }, - "client_ip": "::1", - "created": "2023-02-15T15:33:42.771091Z", - "expires": "2024-02-15T15:33:42.770425Z", - "brand": { - "pk": "fcba828076b94dedb2d5a6b4c5556fa1", - "app": "authentik_brands", - "name": "Default brand", - "model_name": "brand" - } -} -``` - -
- -### `login_failed` - -A failed login attempt - -
-Example - -```json -{ - "pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7", - "user": { - "pk": 2, - "email": "", - "username": "AnonymousUser" - }, - "action": "login_failed", - "app": "authentik.events.signals", - "context": { - "stage": { - "pk": "7e88f4a991c442c1a1335d80f0827d7f", - "app": "authentik_stages_password", - "name": "default-authentication-password", - "model_name": "passwordstage" - }, - "password": "********************", - "username": "akadmin", - "http_request": { - "args": { - "query": "next=%2F" - }, - "path": "/api/v3/flows/executor/default-authentication-flow/", - "method": "POST" - } - }, - "client_ip": "::1", - "created": "2023-02-15T15:32:55.319608Z", - "expires": "2024-02-15T15:32:55.314581Z", - "brand": { - "pk": "fcba828076b94dedb2d5a6b4c5556fa1", - "app": "authentik_brands", - "name": "Default brand", - "model_name": "brand" - } -} -``` - -
- -### `logout` - -A user logs out. - -
-Example - -```json -{ - "pk": "474ffb6b-77e3-401c-b681-7d618962440f", - "user": { - "pk": 1, - "email": "root@localhost", - "username": "akadmin" - }, - "action": "logout", - "app": "authentik.events.signals", - "context": { - "http_request": { - "args": { - "query": "" - }, - "path": "/api/v3/flows/executor/default-invalidation-flow/", - "method": "GET" - } - }, - "client_ip": "::1", - "created": "2023-02-15T15:39:55.976243Z", - "expires": "2024-02-15T15:39:55.975535Z", - "brand": { - "pk": "fcba828076b94dedb2d5a6b4c5556fa1", - "app": "authentik_brands", - "name": "Default brand", - "model_name": "brand" - } -} -``` - -
- -### `user_write` - -A user is written to during a flow execution. - -
-Example - -```json -{ - "pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060", - "user": { - "pk": 1, - "email": "root@localhost", - "username": "akadmin" - }, - "action": "user_write", - "app": "authentik.events.signals", - "context": { - "name": "authentik Default Admin", - "email": "root@localhost", - "created": false, - "username": "akadmin", - "attributes": { - "settings": { - "locale": "" - } - }, - "http_request": { - "args": { - "query": "" - }, - "path": "/api/v3/flows/executor/default-user-settings-flow/", - "method": "GET" - } - }, - "client_ip": "::1", - "created": "2023-02-15T15:41:18.411017Z", - "expires": "2024-02-15T15:41:18.410276Z", - "brand": { - "pk": "fcba828076b94dedb2d5a6b4c5556fa1", - "app": "authentik_brands", - "name": "Default brand", - "model_name": "brand" - } -} -``` - -
- -### `suspicious_request` - -A suspicious request has been received (for example, a revoked token was used). - -### `password_set` - -A user sets their password. - -### `secret_view` - -A user views a token's/certificate's data. - -### `secret_rotate` - -A token was rotated automatically by authentik. - -### `invitation_used` - -An invitation is used. - -### `authorize_application` - -A user authorizes an application. - -
-Example - -```json -{ - "pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680", - "user": { - "pk": 1, - "email": "root@localhost", - "username": "akadmin" - }, - "action": "authorize_application", - "app": "authentik.providers.oauth2.views.authorize", - "context": { - "asn": { - "asn": 6805, - "as_org": "Telefonica Germany", - "network": "5.4.0.0/14" - }, - "geo": { - "lat": 42.0, - "city": "placeholder", - "long": 42.0, - "country": "placeholder", - "continent": "placeholder" - }, - "flow": "53287faa8a644b6cb124cb602a84282f", - "scopes": "ak_proxy profile openid email", - "http_request": { - "args": { - "query": "[...]" - }, - "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/", - "method": "GET" - }, - "authorized_application": { - "pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021", - "app": "authentik_core", - "name": "Alertmanager", - "model_name": "application" - } - }, - "client_ip": "::1", - "created": "2023-02-15T10:02:48.615499Z", - "expires": "2023-04-26T10:02:48.612809Z", - "brand": { - "pk": "10800be643d44842ab9d97cb5f898ce9", - "app": "authentik_brands", - "name": "Default brand", - "model_name": "brand" - } -} -``` - -
- -### `source_linked` - -A user links a source to their account - -### `impersonation_started` / `impersonation_ended` - -A user starts/ends impersonation, including the user that was impersonated - -### `policy_execution` - -A policy is executed (when a policy has "Execution Logging" enabled). - -### `policy_exception` / `property_mapping_exception` - -A policy or property mapping causes an exception - -### `system_task_exception` - -An exception occurred in a system task. - -### `system_exception` - -A general exception in authentik occurred. - -### `configuration_error` - -A configuration error occurs, for example during the authorization of an application - -### `model_created` / `model_updated` / `model_deleted` - -Logged when any model is created/updated/deleted, including the user that sent the request. - -:::info -Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values. -::: - -### `email_sent` - -An email has been sent. Included is the email that was sent. - -### `update_available` - -An update is available +## Audit logging diff --git a/website/docs/sys-mgmt/events/logging-events.md b/website/docs/sys-mgmt/events/logging-events.md new file mode 100644 index 0000000000..6329ac057f --- /dev/null +++ b/website/docs/sys-mgmt/events/logging-events.md @@ -0,0 +1,5 @@ +--- +Title: Logging events +--- + +shshhs diff --git a/website/docs/sys-mgmt/events/notifications.md b/website/docs/sys-mgmt/events/notifications.md index 035e1709b8..8a2b37d65c 100644 --- a/website/docs/sys-mgmt/events/notifications.md +++ b/website/docs/sys-mgmt/events/notifications.md @@ -3,16 +3,32 @@ title: Notifications --- :::note -To prevent infinite loops (events created by policies which are attached to a Notification rule), **any events created by a policy which is attached to any Notification Rules do not trigger notifications.** +To prevent infinite loops of cause and effect (events created by policies which are attached to a notification rule), _any events created by a policy which is attached to any notification rules do not trigger notifications._ ::: -## Filtering Events +An authentik administrator can create notification rules based on the creation of specified events. Filtering of events is processed by the authentik Policy Engine, using a combination of both 1) a policy and 2) a notification rule. -An authentik administrator can create notification rules based on the creation of specified events. Filtering is done by using the Policy Engine. You can do simple filtering using the "Event Matcher Policy" type. +## Workflow overview -![](./event_matcher.png) +To receive notifications about events, follow this workflow: -An event has to match all configured fields, otherwise the rule will not trigger. +1. [Create a transport](./transports.md#create-a-transport) (or use an existing default transport) +2. [Create a policy](#create-a-policy) +3. [Create a notification rule, and bind the policy to the rule](#create-a-notification-rule) + +## Create a policy + +First you need to create a policy, either the **Event Matcher** policy or a custom Expression policy. + +### **Event Matcher** policy + +For simple filtering you can [create and configure](../../customize/policies/working_with_policies.md) a new **Event Matcher** policy to specify exactly which events (known as _Actions_ in the policy) you want to be notified about. For example, you get chose to create a policy for every time a user deletes a model object, or fails to successfully log in. + +The authentik policy engine.... + +Be aware that an event has to match all configured fields in the policy, otherwise the notification rule will not trigger. + +### Expression policy for events To match events with an "Expression Policy", you can write code like so: @@ -23,14 +39,14 @@ if "event" not in request.context: return ip_address(request.context["event"].client_ip) in ip_network('192.0.2.0/24') ``` -## Selecting who gets notified +## Create a notification rule -After you've created the policies to match the events you want, create a "Notification Rule". +After you've created the policies to match the events you want, create a **"**Notification Rule\*\*. You have to select which group the generated notification should be sent to. If left empty, the rule will be disabled. :::info -Before authentik 2023.5, when no group is selected, policies bound to the rule are not executed. Starting with authentik 2023.5, policies are executed even when no group is selected. +Be aware that policies are executed even when no group is selected. ::: You also have to select which transports should be used to send the notification. diff --git a/website/docs/sys-mgmt/events/transports.md b/website/docs/sys-mgmt/events/transports.md index 533c6fdba5..90418037cb 100644 --- a/website/docs/sys-mgmt/events/transports.md +++ b/website/docs/sys-mgmt/events/transports.md @@ -2,9 +2,26 @@ title: Transports --- -Notifications can be sent to users via multiple mediums. By default, the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) will be used. +To receive notifications about events, you will need to [create](#create-a-transport) a transport object, then create a notification rule and a policy. For details on this workflow refer to -## Generic Webhook +## Transport types + +Notifications can be sent to users via multiple mediums, or _transports_: + +- Local +- Email +- Webhook (generic) +- Webhook (Slack/Discord) + +### Local transport + +This transport will manifest the notification within the authentik user interface (UI). + +### Email + +select this transport to send event notificstions to an email address. Note that by default, the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) is used. + +### Webhook (generic) This will send a POST request to the given URL with the following contents: @@ -31,6 +48,10 @@ return { } ``` -## Slack Webhook +### Webhook (Slack or Discord) This sends a request using the Slack-specific format. This is also compatible with Discord's webhooks by appending `/slack` to the Discord webhook URL. + +## Create a transport + +dfvfd diff --git a/website/sidebars/docs.mjs b/website/sidebars/docs.mjs index 3f853cf68b..7c9d616536 100644 --- a/website/sidebars/docs.mjs +++ b/website/sidebars/docs.mjs @@ -606,7 +606,12 @@ const items = [ type: "doc", id: "sys-mgmt/events/index", }, - items: ["sys-mgmt/events/notifications", "sys-mgmt/events/transports"], + items: [ + "sys-mgmt/events/notifications", + "sys-mgmt/events/transports", + "sys-mgmt/events/logging-events", + "sys-mgmt/events/event-actions", + ], }, "sys-mgmt/certificates", "sys-mgmt/settings",