From e0da056c107f1e0cf34cdf4ef82b7d1349d5cb14 Mon Sep 17 00:00:00 2001 From: Sylvain LE GAL Date: Wed, 22 Feb 2017 03:58:01 +0100 Subject: [PATCH] create a new module sql_request_abstract --- sql_request_abstract/README.rst | 93 +++++++ sql_request_abstract/__init__.py | 3 + sql_request_abstract/__openerp__.py | 23 ++ sql_request_abstract/i18n/fr.po | 145 ++++++++++ .../i18n/sql_export_abstract.pot | 140 ++++++++++ sql_request_abstract/models/__init__.py | 3 + .../models/sql_request_mixin.py | 255 ++++++++++++++++++ .../security/ir.model.access.csv | 4 + .../security/ir_module_category.xml | 9 + sql_request_abstract/security/res_groups.xml | 23 ++ .../static/description/icon.png | Bin 0 -> 9455 bytes 11 files changed, 698 insertions(+) create mode 100644 sql_request_abstract/README.rst create mode 100644 sql_request_abstract/__init__.py create mode 100644 sql_request_abstract/__openerp__.py create mode 100644 sql_request_abstract/i18n/fr.po create mode 100644 sql_request_abstract/i18n/sql_export_abstract.pot create mode 100644 sql_request_abstract/models/__init__.py create mode 100644 sql_request_abstract/models/sql_request_mixin.py create mode 100644 sql_request_abstract/security/ir.model.access.csv create mode 100644 sql_request_abstract/security/ir_module_category.xml create mode 100644 sql_request_abstract/security/res_groups.xml create mode 100644 sql_request_abstract/static/description/icon.png diff --git a/sql_request_abstract/README.rst b/sql_request_abstract/README.rst new file mode 100644 index 000000000..5c151fc74 --- /dev/null +++ b/sql_request_abstract/README.rst @@ -0,0 +1,93 @@ +.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg + :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html + :alt: License: AGPL-3 + +===================================== +Abstract Model to manage SQL Requests +===================================== + +This module provide an abstract model to manage SQL Select request on database. +It is not usefull for itself. You can see an exemple of implementation in the +'sql_export' module. (same repository). + +Implemented features +-------------------- + +* Add some restrictions in the sql request: + * you can only read datas. No update, deletion or creation are possible. + * some tables are not allowed, because they could contains clear password + or keys. For the time being ('ir_config_parameter'). + +* The request can be in a 'draft' or a 'SQL Valid' status. To be valid, + the request has to be cleaned, checked and tested. All of this operations + can be disabled in the inherited modules. + +* This module two new groups: + * SQL Request / User : Can see all the sql requests by default and execute + them, if they are valid. + * SQL Request / Manager : has full access on sql requests. + +Usage +===== + +Inherit the model: + + from openerp import models + + class MyModel(models.model) + _name = 'my.model' + _inherit = ['sql.request.mixin'] + + _sql_request_groups_relation = 'my_model_groups_rel' + + _sql_request_users_relation = 'my_model_users_rel' + + +.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas + :alt: Try me on Runbot + :target: https://runbot.odoo-community.org/runbot/149/8.0 + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues +`_. In case of trouble, please +check there if your issue has already been reported. If you spotted it first, +help us smash it by providing detailed and welcomed feedback. + +Credits +======= + +Images +------ + +* Odoo Community Association: `Icon `_. + +Contributors +------------ + +* Florian da Costa +* Sylvain LE GAL (https://twitter.com/legalsylvain) + +Funders +------- + +The development of this module has been financially supported by: + +* Akretion () +* GRAP, Groupement Régional Alimentaire de Proximité () + +Maintainer +---------- + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +This module is maintained by the OCA. + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +To contribute to this module, please visit https://odoo-community.org. diff --git a/sql_request_abstract/__init__.py b/sql_request_abstract/__init__.py new file mode 100644 index 000000000..cde864bae --- /dev/null +++ b/sql_request_abstract/__init__.py @@ -0,0 +1,3 @@ +# -*- coding: utf-8 -*- + +from . import models diff --git a/sql_request_abstract/__openerp__.py b/sql_request_abstract/__openerp__.py new file mode 100644 index 000000000..f909dcc3c --- /dev/null +++ b/sql_request_abstract/__openerp__.py @@ -0,0 +1,23 @@ +# -*- coding: utf-8 -*- +# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop) +# @author: Sylvain LE GAL (https://twitter.com/legalsylvain) +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). + +{ + 'name': 'SQL Request Abstract', + 'version': '8.0.1.0.0', + 'author': 'GRAP,Akretion,Odoo Community Association (OCA)', + 'website': 'https://www.odoo-community.org', + 'license': 'AGPL-3', + 'category': 'Tools', + 'summary': 'Abstract Model to manage SQL Requests', + 'depends': [ + 'base', + ], + 'data': [ + 'security/ir_module_category.xml', + 'security/res_groups.xml', + 'security/ir.model.access.csv', + ], + 'installable': True, +} diff --git a/sql_request_abstract/i18n/fr.po b/sql_request_abstract/i18n/fr.po new file mode 100644 index 000000000..5c8fb87c8 --- /dev/null +++ b/sql_request_abstract/i18n/fr.po @@ -0,0 +1,145 @@ + +# Translation of Odoo Server. +# This file contains the translation of the following modules: +# * sql_request_abstract +# +msgid "" +msgstr "" +"Project-Id-Version: Odoo Server 8.0\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2017-02-27 12:11+0000\n" +"PO-Revision-Date: 2017-02-27 12:11+0000\n" +"Last-Translator: <>\n" +"Language-Team: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: \n" +"Plural-Forms: \n" + +#. module: sql_request_abstract +#: field:sql.request.mixin,group_ids:0 +msgid "Allowed Groups" +msgstr "Groupes autorisés" + +#. module: sql_request_abstract +#: field:sql.request.mixin,user_ids:0 +msgid "Allowed Users" +msgstr "Utilisateurs Autorisés" + +#. module: sql_request_abstract +#: field:sql.request.mixin,create_uid:0 +msgid "Created by" +msgstr "Créé par" + +#. module: sql_request_abstract +#: field:sql.request.mixin,create_date:0 +msgid "Created on" +msgstr "Créé le" + +#. module: sql_request_abstract +#: field:sql.request.mixin,display_name:0 +msgid "Display Name" +msgstr "Nom affiché" + +#. module: sql_request_abstract +#: selection:sql.request.mixin,state:0 +msgid "Draft" +msgstr "En brouillon" + +#. module: sql_request_abstract +#: field:sql.request.mixin,id:0 +msgid "ID" +msgstr "ID" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135 +#, python-format +msgid "It is not allowed to execute a not checked request." +msgstr "Il n'est pas autorisé d'exécuter une requête non vérifiée." + +#. module: sql_request_abstract +#: field:sql.request.mixin,__last_update:0 +msgid "Last Modified on" +msgstr "Dernière modification le" + +#. module: sql_request_abstract +#: field:sql.request.mixin,write_uid:0 +msgid "Last Updated by" +msgstr "Dernière mise à jour par" + +#. module: sql_request_abstract +#: field:sql.request.mixin,write_date:0 +msgid "Last Updated on" +msgstr "Dernière mise à jour le" + +#. module: sql_request_abstract +#: model:res.groups,name:sql_request_abstract.group_sql_request_manager +msgid "Manager" +msgstr "Responsable" + +#. module: sql_request_abstract +#: field:sql.request.mixin,name:0 +msgid "Name" +msgstr "Nom" + +#. module: sql_request_abstract +#: field:sql.request.mixin,query:0 +msgid "Query" +msgstr "Requête" + +#. module: sql_request_abstract +#: selection:sql.request.mixin,state:0 +msgid "SQL Valid" +msgstr "SQL Validé" + +#. module: sql_request_abstract +#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract +msgid "Sql Request" +msgstr "Request SQL" + +#. module: sql_request_abstract +#: field:sql.request.mixin,state:0 +msgid "State" +msgstr "Etat" + +#. module: sql_request_abstract +#: help:sql.request.mixin,state:0 +msgid "State of the Request:\n" +" * 'Draft': Not tested\n" +" * 'SQL Valid': SQL Request has been checked and is valid" +msgstr "Etat de la requête:\n" +" * 'En brouillon': non testée\n" +" * 'SQL Validé': La requête SQL a été vérifiée et est valide" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248 +#, python-format +msgid "The SQL query is not valid:\n" +"\n" +" %s" +msgstr "La requête SQL n'est pas valide:\n" +"\n" +" %s" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217 +#, python-format +msgid "The query is not allowed because it contains unsafe word '%s'" +msgstr "La requête n'est pas autorisée car elle contient un terme non sécurisé '%s'" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156 +#, python-format +msgid "Unimplemented mode : '%s'" +msgstr "Mode non implémenté : '%s'" + +#. module: sql_request_abstract +#: model:res.groups,name:sql_request_abstract.group_sql_request_user +msgid "User" +msgstr "Utilisateur" + +#. module: sql_request_abstract +#: help:sql.request.mixin,query:0 +msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE" +msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE" + diff --git a/sql_request_abstract/i18n/sql_export_abstract.pot b/sql_request_abstract/i18n/sql_export_abstract.pot new file mode 100644 index 000000000..43f61b722 --- /dev/null +++ b/sql_request_abstract/i18n/sql_export_abstract.pot @@ -0,0 +1,140 @@ +# Translation of Odoo Server. +# This file contains the translation of the following modules: +# * sql_request_abstract +# +msgid "" +msgstr "" +"Project-Id-Version: Odoo Server 8.0\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2017-02-27 12:11+0000\n" +"PO-Revision-Date: 2017-02-27 12:11+0000\n" +"Last-Translator: <>\n" +"Language-Team: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: \n" +"Plural-Forms: \n" + +#. module: sql_request_abstract +#: field:sql.request.mixin,group_ids:0 +msgid "Allowed Groups" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,user_ids:0 +msgid "Allowed Users" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,create_uid:0 +msgid "Created by" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,create_date:0 +msgid "Created on" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,display_name:0 +msgid "Display Name" +msgstr "" + +#. module: sql_request_abstract +#: selection:sql.request.mixin,state:0 +msgid "Draft" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,id:0 +msgid "ID" +msgstr "" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135 +#, python-format +msgid "It is not allowed to execute a not checked request." +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,__last_update:0 +msgid "Last Modified on" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,write_uid:0 +msgid "Last Updated by" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,write_date:0 +msgid "Last Updated on" +msgstr "" + +#. module: sql_request_abstract +#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_manager +msgid "Manager" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,name:0 +msgid "Name" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,query:0 +msgid "Query" +msgstr "" + +#. module: sql_request_abstract +#: selection:sql.request.mixin,state:0 +msgid "SQL Valid" +msgstr "" + +#. module: sql_request_abstract +#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract +msgid "Sql Request" +msgstr "" + +#. module: sql_request_abstract +#: field:sql.request.mixin,state:0 +msgid "State" +msgstr "" + +#. module: sql_request_abstract +#: help:sql.request.mixin,state:0 +msgid "State of the Request:\n" +" * 'Draft': Not tested\n" +" * 'SQL Valid': SQL Request has been checked and is valid" +msgstr "" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248 +#, python-format +msgid "The SQL query is not valid:\n" +"\n" +" %s" +msgstr "" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217 +#, python-format +msgid "The query is not allowed because it contains unsafe word '%s'" +msgstr "" + +#. module: sql_request_abstract +#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156 +#, python-format +msgid "Unimplemented mode : '%s'" +msgstr "" + +#. module: sql_request_abstract +#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_user +msgid "User" +msgstr "" + +#. module: sql_request_abstract +#: help:sql.request.mixin,query:0 +msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE" +msgstr "" + diff --git a/sql_request_abstract/models/__init__.py b/sql_request_abstract/models/__init__.py new file mode 100644 index 000000000..72dc9ae94 --- /dev/null +++ b/sql_request_abstract/models/__init__.py @@ -0,0 +1,3 @@ +# -*- coding: utf-8 -*- + +from . import sql_request_mixin diff --git a/sql_request_abstract/models/sql_request_mixin.py b/sql_request_abstract/models/sql_request_mixin.py new file mode 100644 index 000000000..bd6ad4085 --- /dev/null +++ b/sql_request_abstract/models/sql_request_mixin.py @@ -0,0 +1,255 @@ +# -*- coding: utf-8 -*- +# Copyright (C) 2015 Akretion () +# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop) +# @author: Sylvain LE GAL (https://twitter.com/legalsylvain) +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). + +import re +import uuid +import StringIO +import base64 +from psycopg2 import ProgrammingError + +from openerp import _, api, fields, models +from openerp.exceptions import Warning as UserError + + +class SQLRequestMixin(models.Model): + _name = 'sql.request.mixin' + + _clean_query_enabled = True + + _check_prohibited_words_enabled = True + + _check_execution_enabled = True + + _sql_request_groups_relation = False + + _sql_request_users_relation = False + + STATE_SELECTION = [ + ('draft', 'Draft'), + ('sql_valid', 'SQL Valid'), + ] + + PROHIBITED_WORDS = [ + 'delete', + 'drop', + 'insert', + 'alter', + 'truncate', + 'execute', + 'create', + 'update', + 'ir_config_parameter', + ] + + # Default Section + @api.model + def _default_group_ids(self): + ir_model_obj = self.env['ir.model.data'] + return [ir_model_obj.xmlid_to_res_id( + 'sql_request_abstract.group_sql_request_user')] + + @api.model + def _default_user_ids(self): + return [] + + # Columns Section + name = fields.Char('Name', required=True) + + query = fields.Text( + string='Query', required=True, help="You can't use the following words" + ": DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE") + + state = fields.Selection( + string='State', selection=STATE_SELECTION, default='draft', + help="State of the Request:\n" + " * 'Draft': Not tested\n" + " * 'SQL Valid': SQL Request has been checked and is valid") + + group_ids = fields.Many2many( + comodel_name='res.groups', string='Allowed Groups', + relation=_sql_request_groups_relation, + column1='sql_id', column2='group_id', + default=_default_group_ids) + + user_ids = fields.Many2many( + comodel_name='res.users', string='Allowed Users', + relation=_sql_request_users_relation, + column1='sql_id', column2='user_id', + default=_default_user_ids) + + # Action Section + @api.multi + def button_clean_check_request(self): + for item in self: + if item._clean_query_enabled: + item._clean_query() + if item._check_prohibited_words_enabled: + item._check_prohibited_words() + if item._check_execution_enabled: + item._check_execution() + item.state = 'sql_valid' + + @api.multi + def button_set_draft(self): + self.write({'state': 'draft'}) + + # API Section + @api.multi + def _execute_sql_request( + self, params=None, mode='fetchall', rollback=True, + view_name=False, copy_options="CSV HEADER DELIMITER ';'"): + """Execute a SQL request on the current database. + + ??? This function checks before if the user has the + right to execute the request. + + :param params: (dict) of keys / values that will be replaced in + the sql query, before executing it. + :param mode: (str) result type expected. Available settings : + * 'view': create a view with the select query. Extra param + required 'view_name'. + * 'materialized_view': create a MATERIALIZED VIEW with the + select query. Extra parameter required 'view_name'. + * 'fetchall': execute the select request, and return the + result of 'cr.fetchall()'. + * 'fetchone' : execute the select request, and return the + result of 'cr.fetchone()' + :param rollback: (boolean) mention if a rollback should be played after + the execution of the query. Please keep this feature enabled + for security reason, except if necessary. + (Ignored if @mode in ('view', 'materialized_view')) + :param view_name: (str) name of the view. + (Ignored if @mode not in ('view', 'materialized_view')) + :param copy_options: (str) mentions extra options for + "COPY request STDOUT WITH xxx" request. + (Ignored if @mode != 'stdout') + + ..note:: The following exceptions could be raised: + psycopg2.ProgrammingError: Error in the SQL Request. + openerp.exceptions.Warning: + * 'mode' is not implemented. + * materialized view is not supported by the Postgresql Server. + """ + self.ensure_one() + res = False + # Check if the request is in a valid state + if self.state == 'draft': + raise UserError(_( + "It is not allowed to execute a not checked request.")) + + # Disable rollback if a creation of a view is asked + if mode in ('view', 'materialized_view'): + rollback = False + + params = params and params or {} + query = self.env.cr.mogrify(self.query, params).decode('utf-8') + + if mode in ('fetchone', 'fetchall'): + pass + elif mode == 'stdout': + query = "COPY (%s) TO STDOUT WITH %s" % (query, copy_options) + elif mode in 'view': + query = "CREATE VIEW %s AS (%s);" % (query, view_name) + elif mode in 'materialized_view': + self._check_materialized_view_available() + query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (query, view_name) + else: + raise UserError(_("Unimplemented mode : '%s'" % mode)) + + if rollback: + rollback_name = self._create_savepoint() + try: + if mode == 'stdout': + output = StringIO.StringIO() + self.env.cr.copy_expert(query, output) + output.getvalue() + res = base64.b64encode(output.getvalue()) + output.close() + else: + self.env.cr.execute(query) + if mode == 'fetchall': + res = self.env.cr.fetchall() + elif mode == 'fetchone': + res = self.env.cr.fetchone() + finally: + self._rollback_savepoint(rollback_name) + + return res + + # Private Section + @api.model + def _create_savepoint(self): + rollback_name = '%s_%s' % ( + self._name.replace('.', '_'), uuid.uuid1().hex) + req = "SAVEPOINT %s" % (rollback_name) + self.env.cr.execute(req) + return rollback_name + + @api.model + def _rollback_savepoint(self, rollback_name): + req = "ROLLBACK TO SAVEPOINT %s" % (rollback_name) + self.env.cr.execute(req) + + @api.model + def _check_materialized_view_available(self): + self.env.cr.execute("SHOW server_version;") + res = self.env.cr.fetchone()[0].split('.') + minor_version = float('.'.join(res[:2])) + return minor_version >= 9.3 + + @api.multi + def _clean_query(self): + self.ensure_one() + query = self.query.strip() + while query[-1] == ';': + query = query[:-1] + self.query = query + + @api.multi + def _check_prohibited_words(self): + """Check if the query contains prohibited words, to avoid maliscious + SQL requests""" + self.ensure_one() + query = self.query.lower() + for word in self.PROHIBITED_WORDS: + expr = r'\b%s\b' % word + is_not_safe = re.search(expr, query) + if is_not_safe: + raise UserError(_( + "The query is not allowed because it contains unsafe word" + " '%s'") % (word)) + + @api.multi + def _check_execution(self): + """Ensure that the query is valid, trying to execute it. A rollback + is done after.""" + self.ensure_one() + query = self._prepare_request_check_execution() + rollback_name = self._create_savepoint() + res = False + try: + self.env.cr.execute(query) + res = self._hook_executed_request() + except ProgrammingError as e: + raise UserError( + _("The SQL query is not valid:\n\n %s") % e.message) + finally: + self._rollback_savepoint(rollback_name) + return res + + @api.multi + def _prepare_request_check_execution(self): + """Overload me to replace some part of the query, if it contains + parameters""" + self.ensure_one() + return self.query + + def _hook_executed_request(self): + """Overload me to insert custom code, when the SQL request has + been executed, before the rollback. + """ + self.ensure_one() + return False diff --git a/sql_request_abstract/security/ir.model.access.csv b/sql_request_abstract/security/ir.model.access.csv new file mode 100644 index 000000000..beacf42c2 --- /dev/null +++ b/sql_request_abstract/security/ir.model.access.csv @@ -0,0 +1,4 @@ +id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink +access_sql_request_mixin_all,access_sql_request_mixin_all,model_sql_request_mixin,,0,0,0,0 +access_sql_request_mixin_user,access_sql_request_mixin_user,model_sql_request_mixin,sql_request_abstract.group_sql_request_user,1,0,0,0 +access_sql_request_mixin_manager,access_sql_request_mixin_manager,model_sql_request_mixin,sql_request_abstract.group_sql_request_manager,1,1,1,1 diff --git a/sql_request_abstract/security/ir_module_category.xml b/sql_request_abstract/security/ir_module_category.xml new file mode 100644 index 000000000..2c7663336 --- /dev/null +++ b/sql_request_abstract/security/ir_module_category.xml @@ -0,0 +1,9 @@ + + + + + + Sql Request + + + diff --git a/sql_request_abstract/security/res_groups.xml b/sql_request_abstract/security/res_groups.xml new file mode 100644 index 000000000..893449251 --- /dev/null +++ b/sql_request_abstract/security/res_groups.xml @@ -0,0 +1,23 @@ + + + + + + + User + + + + + + Manager + + + + + + diff --git a/sql_request_abstract/static/description/icon.png b/sql_request_abstract/static/description/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3a0328b516c4980e8e44cdb63fd945757ddd132d GIT binary patch literal 9455 zcmW++2RxMjAAjx~&dlBk9S+%}OXg)AGE&Cb*&}d0jUxM@u(PQx^-s)697TX`ehR4?GS^qbkof1cslKgkU)h65qZ9Oc=ml_0temigYLJfnz{IDzUf>bGs4N!v3=Z3jMq&A#7%rM5eQ#dc?k~! zVpnB`o+K7|Al`Q_U;eD$B zfJtP*jH`siUq~{KE)`jP2|#TUEFGRryE2`i0**z#*^6~AI|YzIWy$Cu#CSLW3q=GA z6`?GZymC;dCPk~rBS%eCb`5OLr;RUZ;D`}um=H)BfVIq%7VhiMr)_#G0N#zrNH|__ zc+blN2UAB0=617@>_u;MPHN;P;N#YoE=)R#i$k_`UAA>WWCcEVMh~L_ zj--gtp&|K1#58Yz*AHCTMziU1Jzt_jG0I@qAOHsk$2}yTmVkBp_eHuY$A9)>P6o~I z%aQ?!(GqeQ-Y+b0I(m9pwgi(IIZZzsbMv+9w{PFtd_<_(LA~0H(xz{=FhLB@(1&qHA5EJw1>>=%q2f&^X>IQ{!GJ4e9U z&KlB)z(84HmNgm2hg2C0>WM{E(DdPr+EeU_N@57;PC2&DmGFW_9kP&%?X4}+xWi)( z;)z%wI5>D4a*5XwD)P--sPkoY(a~WBw;E~AW`Yue4kFa^LM3X`8x|}ZUeMnqr}>kH zG%WWW>3ml$Yez?i%)2pbKPI7?5o?hydokgQyZsNEr{a|mLdt;X2TX(#B1j35xPnPW z*bMSSOauW>o;*=kO8ojw91VX!qoOQb)zHJ!odWB}d+*K?#sY_jqPdg{Sm2HdYzdEx zOGVPhVRTGPtv0o}RfVP;Nd(|CB)I;*t&QO8h zFfekr30S!-LHmV_Su-W+rEwYXJ^;6&3|L$mMC8*bQptyOo9;>Qb9Q9`ySe3%V$A*9 zeKEe+b0{#KWGp$F+tga)0RtI)nhMa-K@JS}2krK~n8vJ=Ngm?R!9G<~RyuU0d?nz# z-5EK$o(!F?hmX*2Yt6+coY`6jGbb7tF#6nHA zuKk=GGJ;ZwON1iAfG$E#Y7MnZVmrY|j0eVI(DN_MNFJmyZ|;w4tf@=CCDZ#5N_0K= z$;R~bbk?}TpfDjfB&aiQ$VA}s?P}xPERJG{kxk5~R`iRS(SK5d+Xs9swCozZISbnS zk!)I0>t=A<-^z(cmSFz3=jZ23u13X><0b)P)^1T_))Kr`e!-pb#q&J*Q`p+B6la%C zuVl&0duN<;uOsB3%T9Fp8t{ED108<+W(nOZd?gDnfNBC3>M8WE61$So|P zVvqH0SNtDTcsUdzaMDpT=Ty0pDHHNL@Z0w$Y`XO z2M-_r1S+GaH%pz#Uy0*w$Vdl=X=rQXEzO}d6J^R6zjM1u&c9vYLvLp?W7w(?np9x1 zE_0JSAJCPB%i7p*Wvg)pn5T`8k3-uR?*NT|J`eS#_#54p>!p(mLDvmc-3o0mX*mp_ zN*AeS<>#^-{S%W<*mz^!X$w_2dHWpcJ6^j64qFBft-o}o_Vx80o0>}Du;>kLts;$8 zC`7q$QI(dKYG`Wa8#wl@V4jVWBRGQ@1dr-hstpQL)Tl+aqVpGpbSfN>5i&QMXfiZ> zaA?T1VGe?rpQ@;+pkrVdd{klI&jVS@I5_iz!=UMpTsa~mBga?1r}aRBm1WS;TT*s0f0lY=JBl66Upy)-k4J}lh=P^8(SXk~0xW=T9v*B|gzIhN z>qsO7dFd~mgxAy4V?&)=5ieYq?zi?ZEoj)&2o)RLy=@hbCRcfT5jigwtQGE{L*8<@Yd{zg;CsL5mvzfDY}P-wos_6PfprFVaeqNE%h zKZhLtcQld;ZD+>=nqN~>GvROfueSzJD&BE*}XfU|H&(FssBqY=hPCt`d zH?@s2>I(|;fcW&YM6#V#!kUIP8$Nkdh0A(bEVj``-AAyYgwY~jB zT|I7Bf@%;7aL7Wf4dZ%VqF$eiaC38OV6oy3Z#TER2G+fOCd9Iaoy6aLYbPTN{XRPz z;U!V|vBf%H!}52L2gH_+j;`bTcQRXB+y9onc^wLm5wi3-Be}U>k_u>2Eg$=k!(l@I zcCg+flakT2Nej3i0yn+g+}%NYb?ta;R?(g5SnwsQ49U8Wng8d|{B+lyRcEDvR3+`O{zfmrmvFrL6acVP%yG98X zo&+VBg@px@i)%o?dG(`T;n*$S5*rnyiR#=wW}}GsAcfyQpE|>a{=$Hjg=-*_K;UtD z#z-)AXwSRY?OPefw^iI+ z)AXz#PfEjlwTes|_{sB?4(O@fg0AJ^g8gP}ex9Ucf*@_^J(s_5jJV}c)s$`Myn|Kd z$6>}#q^n{4vN@+Os$m7KV+`}c%4)4pv@06af4-x5#wj!KKb%caK{A&Y#Rfs z-po?Dcb1({W=6FKIUirH&(yg=*6aLCekcKwyfK^JN5{wcA3nhO(o}SK#!CINhI`-I z1)6&n7O&ZmyFMuNwvEic#IiOAwNkR=u5it{B9n2sAJV5pNhar=j5`*N!Na;c7g!l$ z3aYBqUkqqTJ=Re-;)s!EOeij=7SQZ3Hq}ZRds%IM*PtM$wV z@;rlc*NRK7i3y5BETSKuumEN`Xu_8GP1Ri=OKQ$@I^ko8>H6)4rjiG5{VBM>B|%`&&s^)jS|-_95&yc=GqjNo{zFkw%%HHhS~e=s zD#sfS+-?*t|J!+ozP6KvtOl!R)@@-z24}`9{QaVLD^9VCSR2b`b!KC#o;Ki<+wXB6 zx3&O0LOWcg4&rv4QG0)4yb}7BFSEg~=IR5#ZRj8kg}dS7_V&^%#Do==#`u zpy6{ox?jWuR(;pg+f@mT>#HGWHAJRRDDDv~@(IDw&R>9643kK#HN`!1vBJHnC+RM&yIh8{gG2q zA%e*U3|N0XSRa~oX-3EAneep)@{h2vvd3Xvy$7og(sayr@95+e6~Xvi1tUqnIxoIH zVWo*OwYElb#uyW{Imam6f2rGbjR!Y3`#gPqkv57dB6K^wRGxc9B(t|aYDGS=m$&S!NmCtrMMaUg(c zc2qC=2Z`EEFMW-me5B)24AqF*bV5Dr-M5ig(l-WPS%CgaPzs6p_gnCIvTJ=Y<6!gT zVt@AfYCzjjsMEGi=rDQHo0yc;HqoRNnNFeWZgcm?f;cp(6CNylj36DoL(?TS7eU#+ z7&mfr#y))+CJOXQKUMZ7QIdS9@#-}7y2K1{8)cCt0~-X0O!O?Qx#E4Og+;A2SjalQ zs7r?qn0H044=sDN$SRG$arw~n=+T_DNdSrarmu)V6@|?1-ZB#hRn`uilTGPJ@fqEy zGt(f0B+^JDP&f=r{#Y_wi#AVDf-y!RIXU^0jXsFpf>=Ji*TeqSY!H~AMbJdCGLhC) zn7Rx+sXw6uYj;WRYrLd^5IZq@6JI1C^YkgnedZEYy<&4(z%Q$5yv#Boo{AH8n$a zhb4Y3PWdr269&?V%uI$xMcUrMzl=;w<_nm*qr=c3Rl@i5wWB;e-`t7D&c-mcQl7x! zZWB`UGcw=Y2=}~wzrfLx=uet<;m3~=8I~ZRuzvMQUQdr+yTV|ATf1Uuomr__nDf=X zZ3WYJtHp_ri(}SQAPjv+Y+0=fH4krOP@S&=zZ-t1jW1o@}z;xk8 z(Nz1co&El^HK^NrhVHa-_;&88vTU>_J33=%{if;BEY*J#1n59=07jrGQ#IP>@u#3A z;!q+E1Rj3ZJ+!4bq9F8PXJ@yMgZL;>&gYA0%_Kbi8?S=XGM~dnQZQ!yBSgcZhY96H zrWnU;k)qy`rX&&xlDyA%(a1Hhi5CWkmg(`Gb%m(HKi-7Z!LKGRP_B8@`7&hdDy5n= z`OIxqxiVfX@OX1p(mQu>0Ai*v_cTMiw4qRt3~NBvr9oBy0)r>w3p~V0SCm=An6@3n)>@z!|o-$HvDK z|3D2ZMJkLE5loMKl6R^ez@Zz%S$&mbeoqH5`Bb){Ei21q&VP)hWS2tjShfFtGE+$z zzCR$P#uktu+#!w)cX!lWN1XU%K-r=s{|j?)Akf@q#3b#{6cZCuJ~gCxuMXRmI$nGtnH+-h z+GEi!*X=AP<|fG`1>MBdTb?28JYc=fGvAi2I<$B(rs$;eoJCyR6_bc~p!XR@O-+sD z=eH`-ye})I5ic1eL~TDmtfJ|8`0VJ*Yr=hNCd)G1p2MMz4C3^Mj?7;!w|Ly%JqmuW zlIEW^Ft%z?*|fpXda>Jr^1noFZEwFgVV%|*XhH@acv8rdGxeEX{M$(vG{Zw+x(ei@ zmfXb22}8-?Fi`vo-YVrTH*C?a8%M=Hv9MqVH7H^J$KsD?>!SFZ;ZsvnHr_gn=7acz z#W?0eCdVhVMWN12VV^$>WlQ?f;P^{(&pYTops|btm6aj>_Uz+hqpGwB)vWp0Cf5y< zft8-je~nn?W11plq}N)4A{l8I7$!ks_x$PXW-2XaRFswX_BnF{R#6YIwMhAgd5F9X zGmwdadS6(a^fjHtXg8=l?Rc0Sm%hk6E9!5cLVloEy4eh(=FwgP`)~I^5~pBEWo+F6 zSf2ncyMurJN91#cJTy_u8Y}@%!bq1RkGC~-bV@SXRd4F{R-*V`bS+6;W5vZ(&+I<9$;-V|eNfLa5n-6% z2(}&uGRF;p92eS*sE*oR$@pexaqr*meB)VhmIg@h{uzkk$9~qh#cHhw#>O%)b@+(| z^IQgqzuj~Sk(J;swEM-3TrJAPCq9k^^^`q{IItKBRXYe}e0Tdr=Huf7da3$l4PdpwWDop%^}n;dD#K4s#DYA8SHZ z&1!riV4W4R7R#C))JH1~axJ)RYnM$$lIR%6fIVA@zV{XVyx}C+a-Dt8Y9M)^KU0+H zR4IUb2CJ{Hg>CuaXtD50jB(_Tcx=Z$^WYu2u5kubqmwp%drJ6 z?Fo40g!Qd<-l=TQxqHEOuPX0;^z7iX?Ke^a%XT<13TA^5`4Xcw6D@Ur&VT&CUe0d} z1GjOVF1^L@>O)l@?bD~$wzgf(nxX1OGD8fEV?TdJcZc2KoUe|oP1#=$$7ee|xbY)A zDZq+cuTpc(fFdj^=!;{k03C69lMQ(|>uhRfRu%+!k&YOi-3|1QKB z z?n?eq1XP>p-IM$Z^C;2L3itnbJZAip*Zo0aw2bs8@(s^~*8T9go!%dHcAz2lM;`yp zD=7&xjFV$S&5uDaiScyD?B-i1ze`+CoRtz`Wn+Zl&#s4&}MO{@N!ufrzjG$B79)Y2d3tBk&)TxUTw@QS0TEL_?njX|@vq?Uz(nBFK5Pq7*xj#u*R&i|?7+6# z+|r_n#SW&LXhtheZdah{ZVoqwyT{D>MC3nkFF#N)xLi{p7J1jXlmVeb;cP5?e(=f# zuT7fvjSbjS781v?7{)-X3*?>tq?)Yd)~|1{BDS(pqC zC}~H#WXlkUW*H5CDOo<)#x7%RY)A;ShGhI5s*#cRDA8YgqG(HeKDx+#(ZQ?386dv! zlXCO)w91~Vw4AmOcATuV653fa9R$fyK8ul%rG z-wfS zihugoZyr38Im?Zuh6@RcF~t1anQu7>#lPpb#}4cOA!EM11`%f*07RqOVkmX{p~KJ9 z^zP;K#|)$`^Rb{rnHGH{~>1(fawV0*Z#)}M`m8-?ZJV<+e}s9wE# z)l&az?w^5{)`S(%MRzxdNqrs1n*-=jS^_jqE*5XDrA0+VE`5^*p3CuM<&dZEeCjoz zR;uu_H9ZPZV|fQq`Cyw4nscrVwi!fE6ciMmX$!_hN7uF;jjKG)d2@aC4ropY)8etW=xJvni)8eHi`H$%#zn^WJ5NLc-rqk|u&&4Z6fD_m&JfSI1Bvb?b<*n&sfl0^t z=HnmRl`XrFvMKB%9}>PaA`m-fK6a0(8=qPkWS5bb4=v?XcWi&hRY?O5HdulRi4?fN zlsJ*N-0Qw+Yic@s0(2uy%F@ib;GjXt01Fmx5XbRo6+n|pP(&nodMoap^z{~q ziEeaUT@Mxe3vJSfI6?uLND(CNr=#^W<1b}jzW58bIfyWTDle$mmS(|x-0|2UlX+9k zQ^EX7Nw}?EzVoBfT(-LT|=9N@^hcn-_p&sqG z&*oVs2JSU+N4ZD`FhCAWaS;>|wH2G*Id|?pa#@>tyxX`+4HyIArWDvVrX)2WAOQff z0qyHu&-S@i^MS-+j--!pr4fPBj~_8({~e1bfcl0wI1kaoN>mJL6KUPQm5N7lB(ui1 zE-o%kq)&djzWJ}ob<-GfDlkB;F31j-VHKvQUGQ3sp`CwyGJk_i!y^sD0fqC@$9|jO zOqN!r!8-p==F@ZVP=U$qSpY(gQ0)59P1&t@y?5rvg<}E+GB}26NYPp4f2YFQrQtot5mn3wu_qprZ=>Ig-$ zbW26Ws~IgY>}^5w`vTB(G`PTZaDiGBo5o(tp)qli|NeV( z@H_=R8V39rt5J5YB2Ky?4eJJ#b`_iBe2ot~6%7mLt5t8Vwi^Jy7|jWXqa3amOIoRb zOr}WVFP--DsS`1WpN%~)t3R!arKF^Q$e12KEqU36AWwnCBICpH4XCsfnyrHr>$I$4 z!DpKX$OKLWarN7nv@!uIA+~RNO)l$$w}p(;b>mx8pwYvu;dD_unryX_NhT8*Tj>BTrTTL&!?O+%Rv;b?B??gSzdp?6Uug9{ zd@V08Z$BdI?fpoCS$)t4mg4rT8Q_I}h`0d-vYZ^|dOB*Q^S|xqTV*vIg?@fVFSmMpaw0qtTRbx} z({Pg?#{2`sc9)M5N$*N|4;^t$+QP?#mov zGVC@I*lBVrOU-%2y!7%)fAKjpEFsgQc4{amtiHb95KQEwvf<(3T<9-Zm$xIew#P22 zc2Ix|App^>v6(3L_MCU0d3W##AB0M~3D00EWoKZqsJYT(#@w$Y_H7G22M~ApVFTRHMI_3be)Lkn#0F*V8Pq zc}`Cjy$bE;FJ6H7p=0y#R>`}-m4(0F>%@P|?7fx{=R^uFdISRnZ2W_xQhD{YuR3t< z{6yxu=4~JkeA;|(J6_nv#>Nvs&FuLA&PW^he@t(UwFFE8)|a!R{`E`K`i^ZnyE4$k z;(749Ix|oi$c3QbEJ3b~D_kQsPz~fIUKym($a_7dJ?o+40*OLl^{=&oq$<#Q(yyrp z{J-FAniyAw9tPbe&IhQ|a`DqFTVQGQ&Gq3!C2==4x{6EJwiPZ8zub-iXoUtkJiG{} zPaR&}_fn8_z~(=;5lD-aPWD3z8PZS@AaUiomF!G8I}Mf>e~0g#BelA-5#`cj;O5>N Xviia!U7SGha1wx#SCgwmn*{w2TRX*I literal 0 HcmV?d00001