From 1a74bcbc5cdc10a40bd6b252ef59836b6c39c959 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Mon, 4 Apr 2016 17:19:49 -0300
Subject: [PATCH 01/23] Add client type to client creation form.

---
 .../migrations/0011_client_client_type.py     | 20 +++++++++++++++++++
 oidc_provider/models.py                       |  9 +++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 oidc_provider/migrations/0011_client_client_type.py

diff --git a/oidc_provider/migrations/0011_client_client_type.py b/oidc_provider/migrations/0011_client_client_type.py
new file mode 100644
index 0000000..26e9fc3
--- /dev/null
+++ b/oidc_provider/migrations/0011_client_client_type.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.9 on 2016-04-04 19:56
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oidc_provider', '0010_code_is_authentication'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='client',
+            name='client_type',
+            field=models.CharField(choices=[(b'confidential', b'Confidential'), (b'public', b'Public')], default=b'confidential', help_text='<b>Confidential</b> clients are capable of maintaining the confidentiality of their credentials. <b>Public</b> clients are incapable.', max_length=30),
+        ),
+    ]
diff --git a/oidc_provider/models.py b/oidc_provider/models.py
index 68ace73..69dcc39 100644
--- a/oidc_provider/models.py
+++ b/oidc_provider/models.py
@@ -10,6 +10,11 @@ from django.conf import settings
 
 class Client(models.Model):
 
+    CLIENT_TYPE_CHOICES = [
+        ('confidential', 'Confidential'),
+        ('public', 'Public'),
+    ]
+
     RESPONSE_TYPE_CHOICES = [
         ('code', 'code (Authorization Code Flow)'),
         ('id_token', 'id_token (Implicit Flow)'),
@@ -17,10 +22,10 @@ class Client(models.Model):
     ]
 
     name = models.CharField(max_length=100, default='')
+    client_type = models.CharField(max_length=30, choices=CLIENT_TYPE_CHOICES, default='confidential', help_text=_(u'<b>Confidential</b> clients are capable of maintaining the confidentiality of their credentials. <b>Public</b> clients are incapable.'))
     client_id = models.CharField(max_length=255, unique=True)
     client_secret = models.CharField(max_length=255, unique=True)
-    response_type = models.CharField(max_length=30,
-                                     choices=RESPONSE_TYPE_CHOICES)
+    response_type = models.CharField(max_length=30, choices=RESPONSE_TYPE_CHOICES)
     date_created = models.DateField(auto_now_add=True)
 
     _redirect_uris = models.TextField(default='', verbose_name=_(u'Redirect URI'), help_text=_(u'Enter each URI on a new line.'))

From fa2c7d314de541a435ab205b1120fb345074756f Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Mon, 4 Apr 2016 17:25:28 -0300
Subject: [PATCH 02/23] Edit CHANGELOG.

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2c88b7..7a2b927 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 
 ### [Unreleased]
 
+##### Added
+- Choose type of client on creation.
+
 ### [0.3.1] - 2016-03-09
 
 ##### Fixed

From a3247db273fd26b787dca71432cf3f9b699a5882 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Tue, 5 Apr 2016 18:31:08 -0300
Subject: [PATCH 03/23] Improve handle of client_secret with client_types.

---
 oidc_provider/admin.py                        | 15 ++++++++++++--
 .../migrations/0012_auto_20160405_2041.py     | 20 +++++++++++++++++++
 oidc_provider/models.py                       |  2 +-
 3 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 oidc_provider/migrations/0012_auto_20160405_2041.py

diff --git a/oidc_provider/admin.py b/oidc_provider/admin.py
index 9963b35..9b3bd0a 100644
--- a/oidc_provider/admin.py
+++ b/oidc_provider/admin.py
@@ -30,10 +30,21 @@ class ClientForm(ModelForm):
 
     def clean_client_secret(self):
         instance = getattr(self, 'instance', None)
+
+        secret = ''
+
+        print self.cleaned_data
+
         if instance and instance.pk:
-            return instance.client_secret
+            if (self.cleaned_data['client_type'] == 'confidential') and not instance.client_secret:
+                secret = md5(uuid4().hex.encode()).hexdigest()
+            elif (self.cleaned_data['client_type'] == 'confidential') and instance.client_secret:
+                secret = instance.client_secret
         else:
-            return md5(uuid4().hex.encode()).hexdigest()
+            if (instance.client_type == 'confidential'):
+                secret = md5(uuid4().hex.encode()).hexdigest()
+
+        return secret
 
 
 @admin.register(Client)
diff --git a/oidc_provider/migrations/0012_auto_20160405_2041.py b/oidc_provider/migrations/0012_auto_20160405_2041.py
new file mode 100644
index 0000000..c04b613
--- /dev/null
+++ b/oidc_provider/migrations/0012_auto_20160405_2041.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.9 on 2016-04-05 20:41
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oidc_provider', '0011_client_client_type'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='client',
+            name='client_secret',
+            field=models.CharField(blank=True, default=b'', max_length=255),
+        ),
+    ]
diff --git a/oidc_provider/models.py b/oidc_provider/models.py
index 69dcc39..8d9ad39 100644
--- a/oidc_provider/models.py
+++ b/oidc_provider/models.py
@@ -24,7 +24,7 @@ class Client(models.Model):
     name = models.CharField(max_length=100, default='')
     client_type = models.CharField(max_length=30, choices=CLIENT_TYPE_CHOICES, default='confidential', help_text=_(u'<b>Confidential</b> clients are capable of maintaining the confidentiality of their credentials. <b>Public</b> clients are incapable.'))
     client_id = models.CharField(max_length=255, unique=True)
-    client_secret = models.CharField(max_length=255, unique=True)
+    client_secret = models.CharField(max_length=255, blank=True, default='')
     response_type = models.CharField(max_length=30, choices=RESPONSE_TYPE_CHOICES)
     date_created = models.DateField(auto_now_add=True)
 

From 2c4ab6695e2f781ee2314637a2509f6a59e2f0a6 Mon Sep 17 00:00:00 2001
From: Juan Ignacio Fiorentino <juanifioren@gmail.com>
Date: Tue, 5 Apr 2016 19:08:49 -0300
Subject: [PATCH 04/23] Removing print.

---
 oidc_provider/admin.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/oidc_provider/admin.py b/oidc_provider/admin.py
index 9b3bd0a..2a4fc61 100644
--- a/oidc_provider/admin.py
+++ b/oidc_provider/admin.py
@@ -33,8 +33,6 @@ class ClientForm(ModelForm):
 
         secret = ''
 
-        print self.cleaned_data
-
         if instance and instance.pk:
             if (self.cleaned_data['client_type'] == 'confidential') and not instance.client_secret:
                 secret = md5(uuid4().hex.encode()).hexdigest()

From 6e8af74f76ec327ea2cba7cca7987b6ad3bba944 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Wed, 6 Apr 2016 18:03:30 -0300
Subject: [PATCH 05/23] First intent to implement PKCE.

---
 oidc_provider/lib/endpoints/authorize.py | 14 ++++++++++++--
 oidc_provider/lib/endpoints/token.py     | 24 +++++++++++++++++++++---
 oidc_provider/lib/utils/token.py         | 17 +++++++++++++++--
 3 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py
index 56972a4..3bb6409 100644
--- a/oidc_provider/lib/endpoints/authorize.py
+++ b/oidc_provider/lib/endpoints/authorize.py
@@ -56,6 +56,10 @@ class AuthorizeEndpoint(object):
         self.params.state = query_dict.get('state', '')
         self.params.nonce = query_dict.get('nonce', '')
 
+        # PKCE parameters.
+        self.params.code_challenge = query_dict.get('code_challenge')
+        self.params.code_challenge_method = query_dict.get('code_challenge_method')
+
     def validate_params(self):
         try:
             self.client = Client.objects.get(client_id=self.params.client_id)
@@ -85,7 +89,11 @@ class AuthorizeEndpoint(object):
         if not (clean_redirect_uri in self.client.redirect_uris):
             logger.debug('[Authorize] Invalid redirect uri: %s', self.params.redirect_uri)
             raise RedirectUriError()
-        
+
+        # PKCE validation of the transformation method.
+        if self.params.code_challenge and self.params.code_challenge_method:
+            if not (self.params.code_challenge_method in ['plain', 'S256']):
+                raise AuthorizeError(self.params.redirect_uri, 'invalid_request', self.grant_type)
 
     def create_response_uri(self):
         uri = urlsplit(self.params.redirect_uri)
@@ -99,7 +107,9 @@ class AuthorizeEndpoint(object):
                     client=self.client,
                     scope=self.params.scope,
                     nonce=self.params.nonce,
-                    is_authentication=self.is_authentication)
+                    is_authentication=self.is_authentication,
+                    code_challenge=self.params.code_challenge,
+                    code_challenge_method=self.params.code_challenge_method)
                 
                 code.save()
 
diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index a981eee..4acb005 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -1,4 +1,5 @@
-from base64 import b64decode
+from base64 import b64decode, urlsafe_b64encode
+import hashlib
 import logging
 import re
 try:
@@ -6,6 +7,7 @@ try:
 except ImportError:
     from urllib import unquote
 
+from Crypto.Cipher import AES
 from django.http import JsonResponse
 
 from oidc_provider.lib.errors import *
@@ -30,14 +32,16 @@ class TokenEndpoint(object):
 
         self.params.client_id = client_id
         self.params.client_secret = client_secret
-        self.params.redirect_uri = unquote(
-            self.request.POST.get('redirect_uri', ''))
+        self.params.redirect_uri = unquote(self.request.POST.get('redirect_uri', ''))
         self.params.grant_type = self.request.POST.get('grant_type', '')
         self.params.code = self.request.POST.get('code', '')
         self.params.state = self.request.POST.get('state', '')
         self.params.scope = self.request.POST.get('scope', '')
         self.params.refresh_token = self.request.POST.get('refresh_token', '')
 
+        # PKCE parameters.
+        self.params.code_verifier = self.request.POST.get('code_verifier')
+
     def _extract_client_auth(self):
         """
         Get client credentials using HTTP Basic Authentication method.
@@ -90,6 +94,20 @@ class TokenEndpoint(object):
                              self.params.redirect_uri)
                 raise TokenError('invalid_grant')
 
+            # Validate PKCE parameters.
+            if self.params.code_verifier:
+                obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+                code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
+
+                if code_challenge_method == 'S256':
+                    new_code_challenge = urlsafe_b64encode(hashlib.sha256(self.params.code_verifier.encode('ascii')).digest()).replace('=', '')
+                else:
+                    new_code_challenge = self.params.code_verifier
+
+                # TODO: We should explain the error.
+                if not (new_code_challenge == code_challenge):
+                    raise TokenError('invalid_grant')
+
         elif self.params.grant_type == 'refresh_token':
             if not self.params.refresh_token:
                 logger.debug('[Token] Missing refresh token')
diff --git a/oidc_provider/lib/utils/token.py b/oidc_provider/lib/utils/token.py
index e512326..308364f 100644
--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@@ -2,6 +2,7 @@ from datetime import timedelta
 import time
 import uuid
 
+from Crypto.Cipher import AES
 from Crypto.PublicKey.RSA import importKey
 from django.utils import timezone
 from hashlib import md5
@@ -95,7 +96,8 @@ def create_token(user, client, id_token_dic, scope):
     return token
 
 
-def create_code(user, client, scope, nonce, is_authentication):
+def create_code(user, client, scope, nonce, is_authentication,
+                code_challenge=None, code_challenge_method=None):
     """
     Create and populate a Code object.
 
@@ -104,7 +106,18 @@ def create_code(user, client, scope, nonce, is_authentication):
     code = Code()
     code.user = user
     code.client = client
-    code.code = uuid.uuid4().hex
+
+    if not code_challenge:
+        code.code = uuid.uuid4().hex
+    else:
+        obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+
+        # Default is 'plain' method.
+        code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method
+
+        ciphertext = obj.encrypt(code_challenge + ':' + code_challenge_method)
+        code.code = ciphertext.encode('hex')
+
     code.expires_at = timezone.now() + timedelta(
         seconds=settings.get('OIDC_CODE_EXPIRE'))
     code.scope = scope

From 9c071831fa1726d95a701c5d9ae4097e4887a074 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Wed, 6 Apr 2016 18:12:19 -0300
Subject: [PATCH 06/23] Edit CHANGELOG

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a2b927..f865fa5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ##### Added
 - Choose type of client on creation.
+- Implement Proof Key for Code Exchange by OAuth Public Clients.
 
 ### [0.3.1] - 2016-03-09
 

From 93c0bc2382174d274fe501f5a014f017bab475a9 Mon Sep 17 00:00:00 2001
From: Ignacio <juanifioren@gmail.com>
Date: Wed, 6 Apr 2016 21:28:13 -0300
Subject: [PATCH 07/23] Fix in example project.

---
 example_project/provider_app/settings.py      |  2 +
 .../provider_app/templates/base.html          |  5 +--
 .../templates/oidc_provider/authorize.html    | 40 ++++++++++---------
 .../templates/oidc_provider/error.html        | 18 +++++----
 example_project/provider_app/urls.py          |  4 +-
 5 files changed, 38 insertions(+), 31 deletions(-)

diff --git a/example_project/provider_app/settings.py b/example_project/provider_app/settings.py
index d2a28af..ec0c26f 100644
--- a/example_project/provider_app/settings.py
+++ b/example_project/provider_app/settings.py
@@ -87,3 +87,5 @@ LOGIN_REDIRECT_URL = '/'
 # OIDC Provider settings
 
 SITE_URL = 'http://localhost:8000'
+
+LOGIN_URL = '/admin/login/'
diff --git a/example_project/provider_app/templates/base.html b/example_project/provider_app/templates/base.html
index d0c1cf1..92ef156 100644
--- a/example_project/provider_app/templates/base.html
+++ b/example_project/provider_app/templates/base.html
@@ -19,13 +19,12 @@
         <a href="{% url 'home' %}" class=" item">django-oidc-provider</a>
         <div class="right menu">
             {% if user.is_authenticated %}
-            <a href="#" class="item">{{ user.email }}</a>
             {% if user.is_superuser %}
             <a href="{% url 'admin:index' %}" class="item">Admin</a>
             {% endif %}
-            <a href="{% url 'logout' %}" class="item"><i class="remove icon"></i></a>
+            <a href="{% url 'admin:logout' %}" class="item"><i class="remove icon"></i></a>
             {% else %}
-            <a href="{% url 'login' %}" class="item">Login</a>
+            <a href="{% url 'admin:login' %}" class="item">Login</a>
             {% endif %}
         </div>
     </div>
diff --git a/example_project/provider_app/templates/oidc_provider/authorize.html b/example_project/provider_app/templates/oidc_provider/authorize.html
index 6df2ed5..6bbab77 100644
--- a/example_project/provider_app/templates/oidc_provider/authorize.html
+++ b/example_project/provider_app/templates/oidc_provider/authorize.html
@@ -2,25 +2,29 @@
 
 {% block content %}
 
-    <div class="ui page grid">
-        <div class="nine wide centered column">
-            <div class="ui segment">
-                <h1 class="ui dividing header">Request for Permission</h1>
-                <p>Client <i>{{ client.name }}</i> would like to access this information of you.</p>
-                <form method="post" action="{% url 'oidc_provider:authorize' %}">
-                    {% csrf_token %}
-                    {{ hidden_inputs }}
-                    <div class="ui bulleted list">
-                    {% for scope in params.scope %}
-                        <div class="item">{{ scope | capfirst }}</div>
-                    {% endfor %}
+    <div class="ui container" style="margin-top:100px">
+        <div class="ui stackable grid">
+            <div class="row">
+                <div class="eight wide centered column">
+                    <div class="ui segment">
+                        <h1 class="ui dividing header">Request for Permission</h1>
+                        <p>Client <i>{{ client.name }}</i> would like to access this information of you.</p>
+                        <form method="post" action="{% url 'oidc_provider:authorize' %}">
+                            {% csrf_token %}
+                            {{ hidden_inputs }}
+                            <div class="ui bulleted list">
+                            {% for scope in params.scope %}
+                                <div class="item">{{ scope | capfirst }}</div>
+                            {% endfor %}
+                            </div>
+                            <div class="ui fluid large buttons">
+                                <input class="ui button" type="submit" value="Cancel" />
+                                <div class="or"></div>
+                                <input name="allow" class="positive ui button" type="submit" value="Authorize" />
+                            </div>
+                        </form>
                     </div>
-                    <div class="ui fluid large buttons">
-                        <input class="ui button" type="submit" value="Cancel" />
-                        <div class="or"></div>
-                        <input name="allow" class="positive ui button" type="submit" value="Authorize" />
-                    </div>
-                </form>
+                </div>
             </div>
         </div>
     </div>
diff --git a/example_project/provider_app/templates/oidc_provider/error.html b/example_project/provider_app/templates/oidc_provider/error.html
index 1dfc227..ce1eeb6 100644
--- a/example_project/provider_app/templates/oidc_provider/error.html
+++ b/example_project/provider_app/templates/oidc_provider/error.html
@@ -2,13 +2,17 @@
 
 {% block content %}
 
-    <div class="ui page grid">
-        <div class="nine wide centered column">
-            <div class="ui icon negative large message">
-                <i class="meh icon"></i>
-                <div class="content">
-                    <div class="header">{{ error }}</div>
-                    <p>{{ description }}</p>
+    <div class="ui container" style="margin-top:100px">
+        <div class="ui stackable grid">
+            <div class="row">
+                <div class="eight wide centered column">
+                    <div class="ui icon negative large message">
+                        <i class="meh icon"></i>
+                        <div class="content">
+                            <div class="header">{{ error }}</div>
+                            <p>{{ description }}</p>
+                        </div>
+                    </div>
                 </div>
             </div>
         </div>
diff --git a/example_project/provider_app/urls.py b/example_project/provider_app/urls.py
index 1757fa8..60d246c 100644
--- a/example_project/provider_app/urls.py
+++ b/example_project/provider_app/urls.py
@@ -6,10 +6,8 @@ from django.views.generic import TemplateView
 
 urlpatterns = [
     url(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
-    url(r'^accounts/login/$', auth_views.login, { 'template_name': 'login.html' }, name='login'),
-    url(r'^accounts/logout/$', auth_views.logout, { 'next_page': '/' }, name='logout'),
 
-    url(r'^openid/', include('oidc_provider.urls', namespace='oidc_provider')),
+    url(r'^', include('oidc_provider.urls', namespace='oidc_provider')),
 
     url(r'^admin/', include(admin.site.urls)),
 ]

From b1b8247cb082fde6bcc59ecea3fa38613c64ebc2 Mon Sep 17 00:00:00 2001
From: Ignacio <juanifioren@gmail.com>
Date: Thu, 7 Apr 2016 11:45:35 -0300
Subject: [PATCH 08/23] Add hidden inputs for PKCE. Fix bug with AES.

---
 oidc_provider/lib/endpoints/token.py                     | 3 ++-
 oidc_provider/lib/utils/token.py                         | 3 ++-
 oidc_provider/templates/oidc_provider/hidden_inputs.html | 4 +++-
 oidc_provider/tests/app/utils.py                         | 1 +
 oidc_provider/tests/test_authorize_endpoint.py           | 8 ++++++++
 oidc_provider/views.py                                   | 1 -
 6 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index 4acb005..3c703c9 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -9,6 +9,7 @@ except ImportError:
 
 from Crypto.Cipher import AES
 from django.http import JsonResponse
+from django.conf import settings as django_settings
 
 from oidc_provider.lib.errors import *
 from oidc_provider.lib.utils.params import *
@@ -96,7 +97,7 @@ class TokenEndpoint(object):
 
             # Validate PKCE parameters.
             if self.params.code_verifier:
-                obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+                obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
                 code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
 
                 if code_challenge_method == 'S256':
diff --git a/oidc_provider/lib/utils/token.py b/oidc_provider/lib/utils/token.py
index 308364f..b7260a3 100644
--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@@ -4,6 +4,7 @@ import uuid
 
 from Crypto.Cipher import AES
 from Crypto.PublicKey.RSA import importKey
+from django.conf import settings as django_settings
 from django.utils import timezone
 from hashlib import md5
 from jwkest.jwk import RSAKey as jwk_RSAKey
@@ -110,7 +111,7 @@ def create_code(user, client, scope, nonce, is_authentication,
     if not code_challenge:
         code.code = uuid.uuid4().hex
     else:
-        obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+        obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
 
         # Default is 'plain' method.
         code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method
diff --git a/oidc_provider/templates/oidc_provider/hidden_inputs.html b/oidc_provider/templates/oidc_provider/hidden_inputs.html
index 59c7035..2bff39d 100644
--- a/oidc_provider/templates/oidc_provider/hidden_inputs.html
+++ b/oidc_provider/templates/oidc_provider/hidden_inputs.html
@@ -3,4 +3,6 @@
 <input name="response_type" type="hidden" value="{{ params.response_type }}" />
 <input name="scope" type="hidden" value="{{ params.scope | join:' ' }}" />
 <input name="state" type="hidden" value="{{ params.state }}" />
-<input name="nonce" type="hidden" value="{{ params.nonce }}" />
\ No newline at end of file
+<input name="nonce" type="hidden" value="{{ params.nonce }}" />
+<input name="code_challenge" type="hidden" value="{{ params.code_challenge }}" />
+<input name="code_challenge_method" type="hidden" value="{{ params.code_challenge_method }}" />
diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py
index bd3989d..5164f4f 100644
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@@ -13,6 +13,7 @@ from oidc_provider.models import *
 
 FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
 FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
+FAKE_CODE_CHALLENGE = 'pG6flQqJa7INfIKb5cZVAXhTqvTKehIck6aQhdUuyWc'
 
 
 def create_fake_user():
diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py
index fc92fcc..5a3eaa2 100644
--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@@ -122,6 +122,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'redirect_uri': self.client.default_redirect_uri,
             'scope': 'openid email',
             'state': self.state,
+            # PKCE parameters.
+            'code_challenge': FAKE_CODE_CHALLENGE,
+            'code_challenge_method': 'S256',
         }).replace('+', '%20')
 
         url = reverse('oidc_provider:authorize') + '?' + query_str
@@ -140,6 +143,8 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'client_id': self.client.client_id,
             'redirect_uri': self.client.default_redirect_uri,
             'response_type': 'code',
+            'code_challenge': FAKE_CODE_CHALLENGE,
+            'code_challenge_method': 'S256',
         }
 
         for key, value in iter(to_check.items()):
@@ -169,6 +174,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'response_type': response_type,
             'scope': 'openid email',
             'state': self.state,
+            # PKCE parameters.
+            'code_challenge': FAKE_CODE_CHALLENGE,
+            'code_challenge_method': 'S256',
         }
 
         request = self.factory.post(url, data=post_data)
diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index 01f5d1b..c7010bb 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -87,7 +87,6 @@ class AuthorizeView(View):
             return redirect(uri)
 
     def post(self, request, *args, **kwargs):
-
         authorize = AuthorizeEndpoint(request)
 
         allow = True if request.POST.get('allow') else False

From e495d6c41da361d9768c3d705d8fd40ce25ff0d0 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Thu, 7 Apr 2016 16:18:47 -0300
Subject: [PATCH 09/23] Remplace AES encryption with database. For saving PKCE
 parameters.

---
 oidc_provider/lib/endpoints/token.py          | 18 ++++++-------
 oidc_provider/lib/utils/token.py              | 18 +++++--------
 .../migrations/0013_auto_20160407_1912.py     | 25 +++++++++++++++++++
 oidc_provider/models.py                       |  2 ++
 oidc_provider/tests/app/utils.py              |  3 ++-
 oidc_provider/tests/test_token_endpoint.py    | 20 +++++++++++++++
 6 files changed, 63 insertions(+), 23 deletions(-)
 create mode 100644 oidc_provider/migrations/0013_auto_20160407_1912.py

diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index 3c703c9..636a9d1 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -1,4 +1,4 @@
-from base64 import b64decode, urlsafe_b64encode
+from base64 import b64decode, urlsafe_b64decode, urlsafe_b64encode
 import hashlib
 import logging
 import re
@@ -73,10 +73,11 @@ class TokenEndpoint(object):
             logger.debug('[Token] Client does not exist: %s', self.params.client_id)
             raise TokenError('invalid_client')
 
-        if not (self.client.client_secret == self.params.client_secret):
-            logger.debug('[Token] Invalid client secret: client %s do not have secret %s',
-                         self.client.client_id, self.client.client_secret)
-            raise TokenError('invalid_client')
+        if self.client.client_type == 'confidential':
+            if not (self.client.client_secret == self.params.client_secret):
+                logger.debug('[Token] Invalid client secret: client %s do not have secret %s',
+                             self.client.client_id, self.client.client_secret)
+                raise TokenError('invalid_client')
 
         if self.params.grant_type == 'authorization_code':
             if not (self.params.redirect_uri in self.client.redirect_uris):
@@ -97,16 +98,13 @@ class TokenEndpoint(object):
 
             # Validate PKCE parameters.
             if self.params.code_verifier:
-                obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
-                code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
-
-                if code_challenge_method == 'S256':
+                if self.code.code_challenge_method == 'S256':
                     new_code_challenge = urlsafe_b64encode(hashlib.sha256(self.params.code_verifier.encode('ascii')).digest()).replace('=', '')
                 else:
                     new_code_challenge = self.params.code_verifier
 
                 # TODO: We should explain the error.
-                if not (new_code_challenge == code_challenge):
+                if not (new_code_challenge == self.code.code_challenge):
                     raise TokenError('invalid_grant')
 
         elif self.params.grant_type == 'refresh_token':
diff --git a/oidc_provider/lib/utils/token.py b/oidc_provider/lib/utils/token.py
index b7260a3..8317ecf 100644
--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@@ -1,10 +1,9 @@
+from base64 import urlsafe_b64decode, urlsafe_b64encode
 from datetime import timedelta
 import time
 import uuid
 
-from Crypto.Cipher import AES
 from Crypto.PublicKey.RSA import importKey
-from django.conf import settings as django_settings
 from django.utils import timezone
 from hashlib import md5
 from jwkest.jwk import RSAKey as jwk_RSAKey
@@ -108,16 +107,11 @@ def create_code(user, client, scope, nonce, is_authentication,
     code.user = user
     code.client = client
 
-    if not code_challenge:
-        code.code = uuid.uuid4().hex
-    else:
-        obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
-
-        # Default is 'plain' method.
-        code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method
-
-        ciphertext = obj.encrypt(code_challenge + ':' + code_challenge_method)
-        code.code = ciphertext.encode('hex')
+    code.code = uuid.uuid4().hex
+    
+    if code_challenge and code_challenge_method:
+        code.code_challenge = code_challenge
+        code.code_challenge_method = code_challenge_method
 
     code.expires_at = timezone.now() + timedelta(
         seconds=settings.get('OIDC_CODE_EXPIRE'))
diff --git a/oidc_provider/migrations/0013_auto_20160407_1912.py b/oidc_provider/migrations/0013_auto_20160407_1912.py
new file mode 100644
index 0000000..19cb444
--- /dev/null
+++ b/oidc_provider/migrations/0013_auto_20160407_1912.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.9 on 2016-04-07 19:12
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oidc_provider', '0012_auto_20160405_2041'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='code',
+            name='code_challenge',
+            field=models.CharField(max_length=255, null=True),
+        ),
+        migrations.AddField(
+            model_name='code',
+            name='code_challenge_method',
+            field=models.CharField(max_length=255, null=True),
+        ),
+    ]
diff --git a/oidc_provider/models.py b/oidc_provider/models.py
index 8d9ad39..2944231 100644
--- a/oidc_provider/models.py
+++ b/oidc_provider/models.py
@@ -86,6 +86,8 @@ class Code(BaseCodeTokenModel):
     code = models.CharField(max_length=255, unique=True)
     nonce = models.CharField(max_length=255, blank=True, default='')
     is_authentication = models.BooleanField(default=False)
+    code_challenge = models.CharField(max_length=255, null=True)
+    code_challenge_method = models.CharField(max_length=255, null=True)
 
     class Meta:
         verbose_name = _(u'Authorization Code')
diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py
index 5164f4f..99f9874 100644
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@@ -13,7 +13,8 @@ from oidc_provider.models import *
 
 FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
 FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
-FAKE_CODE_CHALLENGE = 'pG6flQqJa7INfIKb5cZVAXhTqvTKehIck6aQhdUuyWc'
+FAKE_CODE_CHALLENGE = 'YlYXEqXuRm-Xgi2BOUiK50JW1KsGTX6F1TDnZSC8VTg'
+FAKE_CODE_VERIFIER = 'SmxGa0XueyNh5bDgTcSrqzAh2_FmXEqU8kDT6CuXicw'
 
 
 def create_fake_user():
diff --git a/oidc_provider/tests/test_token_endpoint.py b/oidc_provider/tests/test_token_endpoint.py
index b17408d..31a2de7 100644
--- a/oidc_provider/tests/test_token_endpoint.py
+++ b/oidc_provider/tests/test_token_endpoint.py
@@ -445,3 +445,23 @@ class TokenTestCase(TestCase):
 
         self.assertEqual(id_token.get('test_idtoken_processing_hook2'), FAKE_RANDOM_STRING)
         self.assertEqual(id_token.get('test_idtoken_processing_hook_user_email2'), self.user.email)
+
+    def test_pkce_parameters(self):
+        """
+        Test Proof Key for Code Exchange by OAuth Public Clients.
+        https://tools.ietf.org/html/rfc7636
+        """
+        import pdb;pdb.set_trace()
+        code = create_code(user=self.user, client=self.client,
+                           scope=['openid', 'email'], nonce=FAKE_NONCE, is_authentication=True,
+                           code_challenge=FAKE_CODE_CHALLENGE, code_challenge_method='S256')
+        code.save()
+
+        post_data = self._auth_code_post_data(code=code.code)
+
+        # Add parameters.
+        post_data['code_verifier'] = FAKE_CODE_VERIFIER
+
+        response = self._post_request(post_data)
+
+        response_dic = json.loads(response.content.decode('utf-8'))

From 559f90c5a6578c521cf0464f829db6f1d4ae8b6a Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Thu, 7 Apr 2016 16:36:42 -0300
Subject: [PATCH 10/23] Remove pdb.

---
 oidc_provider/tests/test_token_endpoint.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/oidc_provider/tests/test_token_endpoint.py b/oidc_provider/tests/test_token_endpoint.py
index 31a2de7..652d8ad 100644
--- a/oidc_provider/tests/test_token_endpoint.py
+++ b/oidc_provider/tests/test_token_endpoint.py
@@ -451,7 +451,6 @@ class TokenTestCase(TestCase):
         Test Proof Key for Code Exchange by OAuth Public Clients.
         https://tools.ietf.org/html/rfc7636
         """
-        import pdb;pdb.set_trace()
         code = create_code(user=self.user, client=self.client,
                            scope=['openid', 'email'], nonce=FAKE_NONCE, is_authentication=True,
                            code_challenge=FAKE_CODE_CHALLENGE, code_challenge_method='S256')

From 9adfa7e6bc5f10ed9c8c76a7685f6e8f013b2215 Mon Sep 17 00:00:00 2001
From: Ignacio <juanifioren@gmail.com>
Date: Thu, 7 Apr 2016 19:41:50 -0300
Subject: [PATCH 11/23] Edit templates in example project.

---
 example_project/provider_app/settings.py      |  2 -
 .../provider_app/templates/base.html          |  4 +-
 .../provider_app/templates/login.html         | 42 ++++++++++---------
 example_project/provider_app/urls.py          |  2 +
 4 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/example_project/provider_app/settings.py b/example_project/provider_app/settings.py
index ec0c26f..d2a28af 100644
--- a/example_project/provider_app/settings.py
+++ b/example_project/provider_app/settings.py
@@ -87,5 +87,3 @@ LOGIN_REDIRECT_URL = '/'
 # OIDC Provider settings
 
 SITE_URL = 'http://localhost:8000'
-
-LOGIN_URL = '/admin/login/'
diff --git a/example_project/provider_app/templates/base.html b/example_project/provider_app/templates/base.html
index 92ef156..2bc7ab3 100644
--- a/example_project/provider_app/templates/base.html
+++ b/example_project/provider_app/templates/base.html
@@ -22,9 +22,9 @@
             {% if user.is_superuser %}
             <a href="{% url 'admin:index' %}" class="item">Admin</a>
             {% endif %}
-            <a href="{% url 'admin:logout' %}" class="item"><i class="remove icon"></i></a>
+            <a href="{% url 'logout' %}" class="item"><i class="remove icon"></i></a>
             {% else %}
-            <a href="{% url 'admin:login' %}" class="item">Login</a>
+            <a href="{% url 'login' %}" class="item">Login</a>
             {% endif %}
         </div>
     </div>
diff --git a/example_project/provider_app/templates/login.html b/example_project/provider_app/templates/login.html
index 8f3b7a9..ce89c09 100644
--- a/example_project/provider_app/templates/login.html
+++ b/example_project/provider_app/templates/login.html
@@ -2,27 +2,29 @@
 
 {% block content %}
 
-    <div class="ui page grid">
-        <div class="row">
-            <div class="six wide centered column">
-                {% if form.errors %}
-                <div class="ui negative message">
-                    <p>Your username and password didn't match. Please try again.</p>
+    <div class="ui container" style="margin-top:100px">
+        <div class="ui stackable grid">
+            <div class="row">
+                <div class="eight wide centered column">
+                    {% if form.errors %}
+                    <div class="ui negative message">
+                        <p>Your username and password didn't match. Please try again.</p>
+                    </div>
+                    {% endif %}
+                    <form class="ui form segment" method="post" action="{% url 'login' %}">
+                        {% csrf_token %}
+                        <input type="hidden" name="next" value="{{ next }}">
+                        <div class="field">
+                            <label>Username</label>
+                            <input type="text" name="username">
+                        </div>
+                        <div class="field">
+                            <label>Password</label>
+                            <input type="password" name="password">
+                        </div>
+                        <input class="ui submit big primary fluid button" type="submit" value="Enter" />
+                    </form>
                 </div>
-                {% endif %}
-                <form class="ui form segment" method="post" action="{% url 'login' %}">
-                    {% csrf_token %}
-                    <input type="hidden" name="next" value="{{ next }}">
-                    <div class="field">
-                        <label>Username</label>
-                        <input type="text" name="username">
-                    </div>
-                    <div class="field">
-                        <label>Password</label>
-                        <input type="password" name="password">
-                    </div>
-                    <input class="ui submit big primary fluid button" type="submit" value="Enter" />
-                </form>
             </div>
         </div>
     </div>
diff --git a/example_project/provider_app/urls.py b/example_project/provider_app/urls.py
index 60d246c..12e6abf 100644
--- a/example_project/provider_app/urls.py
+++ b/example_project/provider_app/urls.py
@@ -6,6 +6,8 @@ from django.views.generic import TemplateView
 
 urlpatterns = [
     url(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
+    url(r'^accounts/login/$', auth_views.login, { 'template_name': 'login.html' }, name='login'),
+    url(r'^accounts/logout/$', auth_views.logout, { 'next_page': '/' }, name='logout'),
 
     url(r'^', include('oidc_provider.urls', namespace='oidc_provider')),
 

From ed26f7bb40b555e516f0307b2d318a069b17c938 Mon Sep 17 00:00:00 2001
From: Ignacio <juanifioren@gmail.com>
Date: Thu, 7 Apr 2016 19:45:12 -0300
Subject: [PATCH 12/23] Edit gitignore.

---
 example_project/.gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example_project/.gitignore b/example_project/.gitignore
index 6ddd3e2..9dd04fe 100644
--- a/example_project/.gitignore
+++ b/example_project/.gitignore
@@ -1,3 +1,3 @@
 *.sqlite3
 *.pem
-
+static/

From e97c32acd1b081c59c9be85db4f45f0ebe949f01 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Fri, 8 Apr 2016 13:22:05 -0300
Subject: [PATCH 13/23] Fix encoding problem when using Py34.

---
 oidc_provider/lib/endpoints/token.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index 636a9d1..2a687f5 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -99,7 +99,9 @@ class TokenEndpoint(object):
             # Validate PKCE parameters.
             if self.params.code_verifier:
                 if self.code.code_challenge_method == 'S256':
-                    new_code_challenge = urlsafe_b64encode(hashlib.sha256(self.params.code_verifier.encode('ascii')).digest()).replace('=', '')
+                    new_code_challenge = urlsafe_b64encode(
+                            hashlib.sha256(self.params.code_verifier.encode('ascii')).digest()
+                        ).decode('utf-8').replace('=', '')
                 else:
                     new_code_challenge = self.params.code_verifier
 

From c39a81e5f9acbb07cdb7036e999e076b4f747077 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Fri, 8 Apr 2016 16:56:20 -0300
Subject: [PATCH 14/23] Update docs.

---
 docs/conf.py                     |   4 +--
 docs/images/client_creation.png  | Bin 0 -> 51150 bytes
 docs/index.rst                   |   7 ++++-
 docs/sections/clients.rst        |  24 -----------------
 docs/sections/relyingparties.rst |  43 +++++++++++++++++++++++++++++++
 5 files changed, 51 insertions(+), 27 deletions(-)
 create mode 100644 docs/images/client_creation.png
 delete mode 100644 docs/sections/clients.rst
 create mode 100644 docs/sections/relyingparties.rst

diff --git a/docs/conf.py b/docs/conf.py
index cf7b163..bb4f14f 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -53,9 +53,9 @@ author = u'Juan Ignacio Fiorentino'
 # built documents.
 #
 # The short X.Y version.
-version = u'0.2'
+version = u'0.3'
 # The full version, including alpha/beta/rc tags.
-release = u'0.2.5'
+release = u'0.3.x'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/docs/images/client_creation.png b/docs/images/client_creation.png
new file mode 100644
index 0000000000000000000000000000000000000000..fac2105cbe1e94b73a3117d4899a1ab0bc453808
GIT binary patch
literal 51150
zcmd43WmH>V^fpL^(n2Z4iWMjn*WwNZg1b8uhXyGcG(cP2-J!Tcad!!t6blYTgS$h>
z(BJ=kXU$skb!N@nFFE&SpMCe<=iGBop8f2Esw&H1W0GQ`p`l^R$pX~T(4O<4p*`Jr
z`SkHh%&*iJj~~xmB;+(-zI?f`s`B^ol*Cm^*Hy#O$`xelY>8&=;An5j>SFF}Y3bl%
z<LG+ytWy*X?E{(|KwQ%!V}HrpC;nnd>;V*SC{SddMiDo09>Q2R<(?3ajule*7tr?%
zKVuklHM=$2hPYm?IbdGs?aes!_FjiAZFlfN12pE|0$9WNnXRA8R~IxCR4Xmy+s75!
zr)_2I$=}}PVWedV*sNcAiTYfB7;^I!&E9h{QW8Ddb7{&=5__P2@@Os^8UStCmFT|~
z+84An{Qp`Z1R*N_H9n|+5dBZgUpC<S`G1$F(f>ae^7*lb?=USwh;g(Nm3io_m>lt)
z{mn!1gVpMVe02L+R@e{Fg`tx#CV3}Ht)CekyyZo>aoajC`RvgF{~fxNhK!pIrIiZ3
zyqA9Q_`0nGg!Q|P=M!0K-p{|Q1^ne>_!Z{5uXQwpi(chX^g7crQT9Q*-se2E{l)$m
zI(#%MzcDR!HQ41M_}}oOO@6&yiwDD}tfBIY&)9Fx2s_$b7b-^f9N1-jIyAj|gnTr_
z=UQDx3UfkG<tdVPSU5)g;D8hpWb^Sb2#eOTaivmLRFnCr`E=IG&<CZ24sR};^))>i
znx-KAr(dzrHcI8`6Q_E;Lkcf@?TkP4``T`zVDAyQx88g*2}SNdA+#>BTG{t(n}=b3
zTc77?bCA`WDH8vEam;Sf0s%$-aO*!R-o9S%f%8;Xw_<ED|8y`$-e}A1Mqkm@y|IT}
ztr*TWSXmvhNX3LarBL&&^_rQxzU|t~$FrX4Xi&W@>nzmcNm9b92t3J%8Qe_B7RYYU
zV0RBjFoz$2ueUDOEIKn7{>Ex)!e;dthdTDwwzBkaC=%b0i4zRN>+J{kpy7z0fG5%U
z9eVA1c8kY85Z=J2__!x?Qh|lob0Vn|qHE9TYQL`7)>HZ5(^YTQ*B@RjkKO=G?^Y#7
za`XLT82%<?-w4~wWX>wlXt+5teKnc#V^O|Ih1Cn~=J!S=KMs4i*lR1_qovub?p<FN
z{<Cfz%Q?>qveOo8#@mqGeRxx&N>SSi$G#x0AQ;t2Y6gRP)~R!AQgLcs^<uH|*|y0)
z!9A&fZ?7lL2MAD^;z!OuT>s#u#^m0ixYu3XYNhb|ExPIY@Gjo5cWgk5#8_ac5k=d|
z@)^)4YY2STP$3VZ54{a}jEzZg)`^(pq|QcWmGGb31Ju>%Z6}O|y5(H%0p&mtAz1gM
znsi~n6D}1BZuSqsCsiE2g3=~m7`_=N(b~&CtfxeIFB?qNmK4|P?j_^Lny9OZnIoE0
z;CuWm*l2%AUlE9*!1u8;X{G$s0c$6$dWADgSF<4@o!2=TQ<Br(87HWVBhuvY8Pplx
zr$$Gy-PC45YbVQtvcis4M%yzk-c77$EU#!S1k62}lW3{qAmt{R!s)NjL+H=l4@Ccr
z58}Q8?4ghbXVKdCxof9KIV{$fhYRnck$wks0XE2JX9P&7_0Hv7;4;~r+j*TFt#f0=
zalW+9-nX)Ys`CqKX-x&?b4lV$iR*W>mEK_6(jcM%8kPYh)H@$SHzy9cwDxfL^{DY=
z!M_W>NoD{M;fda(fYUzIT%m@JcGb#yhygF?ifOq6Rp~Lu^3a{sgYA^e1)RN`!vPY&
zL^!Min%ys=9Qa~cxIFjfr)Wc;nmw!63PRwxrt!yZZXEjQ3jBT@S$mZyd9lEJzyCQ(
zGSn&i;bz}m9QqKP7?8$J0d9vVtKD3&E{eh$k<G*Ecg4>Ltwm2_ykNj0j53K7zm?s7
z>t)}$jN|xV&geF9OH{(1pDX0vVc|=A{Q-N0j-zg-*Y=V~!-v>!Cs&mECKqrOW??`=
z-EkJANwTy2_%&_SD5IC1v7!IwPrTT&t*Oh}OqN&{zcF6H^O3YBZ}_{>cW)WF(eVr{
zF=Py_ZFg>hri9!VrLmWg=$QIU%I&3B5e)S#^gu52d&%kJoeUp)@JXSMnm=t0;ERCE
z{-!?ttAs0IZrC+kY}gmMAgciOF!+0M74^D}fbHQyau4|MFj)%?uy6zIw^g|9p~|?O
z0Dy?X?HwuBg*SE80LAYPXG})#N6?7_{#33w$vSR^^tGUFubw7XgN`{X7r|4`%?CNH
zJ|84PyF5-O1D@fIdiad6E>(42lzRS6_GWN014vjeU8=Vye#GmmGH$i$@W=W@EiiZ4
z>C&=DYk2?1f`>i38hp_<7a{ifX-=c%Rlu%vl&t7oCm+I%%=;O@lzz?m6}rTL@9v+I
z-iB&Y{NX<Oq?<;{Z%yo!^TYPT8lCUU8w2?2(bJQQ2KAzd)w(>ucjLUE>+wLXrElhm
zspF&G;84$ng&(0d;aO~-?3fRrdd;r&aVm<g;!M-LmoElQK<C%svzetAVSlcFhNSJ{
zV`CY-vz=QKSuZE(zY_7$Iq<FSft6}xITBqxzr$Pic3`#f6yF0|naroIvVuj^W3M*X
z1#-gl4=!t8GoP{!+jhEn+GC1c>A3Zh%_Xg@EF|rOJ{-FaqYGuLHHEv7n#gNY5?uyb
zk5*p0ADEMfOG=(XF;k~0<>hOtnC!f$+N~i0qmq>;IJTweRyv7OcJR0y@IaJRN#<;V
z>%u_m`SgKrp8D&;Q9CddOvgmT{LV9o&@&8cJ}exFkKPQ^Jy2P4aN#QjX@@WQ_!&2N
zDmfX2F@O{bJia%tOUQlc$6WWV4pV_zADq3-`?f3yyX~!~*zC}2Z5=rH8c*BsfY1l3
zTi+YdTM=jY<V*?i6(Kv~cH1TeI!oWxik~b{Zc!jy=J;k%s<^28U^()~_4@dfGN;t~
zOxQe!{_+}8`lhI^MT|cdB<kj<VEkdLH*6Fu^E+C$!nk`SV<{@0Zhbs@T`**j@UFFU
z#8Ltlw2*!($O-n=CjH=i6#)_n<~$|!GnrC=U;E0`zray>x5owr`t7%hcm`Xy&kFlg
zsm2vv1bT{G2IXhgoAFi8>5&5+?5<U$;CYk~_Xra=G&B=tsK#MDf}vzsI)YC5Ah$`;
zDms!jz_nx6txuWemw&~<jmT23gMw6~a?p6b9Teo?*FGr^csg`@WX;A4&vxb*(J2~K
zhCd8U$pGYy;0@Eu_81usx&G{Lb&4mn^%S3Bf3O;&CUJUJaq2(QjOa@Kp)|cG{y{H`
znKrj+u`jg%+A>nXcGFviFNVy1v-kW?(0<`cp9KKe_=@9b#JHaQ0JaL4Y&c^z0F_#u
z#px}S+^#l~BPn^`mn_*5u$UAWG&{KGRXcb30=`m(S4VS(hHNx*Q9{c-oca!WaeXR+
z4_27Qk4<>dLqqz~@CrNuK=!}&`vS+&s~20PMbjm@BD^@EJmIwMJ%;t=J%8y|N9{@l
zH#*xg`Ryn1=FjH41*1X;XmOUDi&p<W<h=W2J%_rK0nkh?HL$MUa}~W%j*s9UxzT|A
zZ1nBrz&hQT3iy5bH17t!<uh_QvsVtF2{Az-`@<tCGt;gOM<$as!kPJuyc_1ZbqmpU
zc!?V9gn&2-MsHEa^P??|I1~-|xF)UFQDZk-E1LYF3}4E8z|qShOa}oU-wVDyiO5DR
z^!W6~GDTUG2-c5NBxiS}-2EWgiPNf83VzdJgY||cYvDGXDcXH??Iy_YzOY9Uz-fOn
zSvK)?#lbcuf2&|b2Ns_xd`+ei6Oz!fxu6Z3b^kS{w85F}2afJmdPZ+n@X)UA?eQwH
z1#-lE2u2QWi@mjvs%ib&X8xW=d7)0;bK~O2rYJQY)VTS!IztjR<waNAB5t1SnIW_r
zP#XQ9CIv8Cav`(1PeTn$IrvCCDe0CB$3t?O4U}ijo+sU{1s)xY%n3}n@-h#T5~w)X
zENaGRIyvY{8vdP)NjwksWh8n54O&w)FJG<PrDWqq>`bzsqo~e&uPSXu&ilm9u5whx
zopP1y*B0ud8HaevEz{JFH_b`T=jc8CY~E+Y+eZm#Qr`I;+AsRFZcc#RCi%s;2(U6z
zrrYGmN=4(Y$dF%d$DFcl6xkQ&#JSDfR=X<D7o&V@U;Lo%Pu(KkGvc{owejj1X`skN
z1_vZHKAN&$;OJLf|3}l%TXODsrtpb9(2KKSKbk~%F$I4tjJ|W>w^hzrJC6B)9w^+%
zsa9(*qk7ZG4cQei0^??4FE92q6IXDObWct8^6C>IP=Arf!0`0|H@Y}GKSSHQznoI%
z&C$ZEO~U#u^mV^lcKhRm@j&=&%~q1witS=?DDp?D42{hJ?%Qk^eDr$>$(g~*->Vj(
z_9}!IEkHK|Wri0~J>~p4I?JBkV>mk8qz_rhht1+RX5(#eE4MWRh0x@C(7;VU)(U5Z
zTL0lbsTdBLf0fqn9ML+##7@XNP3s|6>-o)Qj^Wx&wgT#DTgShJw`W;tl;#3+ynluf
zZP{6MMR>7>)rMwEqO)UWe09m}a!_2M5drF|yWd7yxz(4To=>k{g=aR*S8bq$h7cEg
zm7{K+e|Bo26*{2GSB{WLNo*D<+T$BI0a^LhzX*;E;WrDF^|^`9&q#P0ba!r#q>!Z4
z5|DM7gx@E8SC^s1RU5Q)O_+H>Mzfo^w{eD_`(iErc*^1#W9X5gNS>?A!cPp`;__`{
zlbEg)mdBldOM|}OGXLDGUEZ|75j+b*)_@Jg`s!0z3GJv^RVeK!5s0!O7#V^Y`ofPs
zGn+zCY|>lg(1kfM+&6QfH*NfW>YgMi9s`4&@UDn{L7iTS&VasLuwJazLtLW5_S4rI
z%`8@!aofbVVpm<2r}4kiZOfKL-hM_`(n3Vjn3$&eHZUDg*Qb;k_GI*IYskQubat#T
zS&$qRs-K^*@yB@dmmuY%LR4s8zLsutn7ql1VEAM^HlmTFaK51QjJA=CX(V}c1h+9U
zn6Te`|JSCoXka#D%^pZ+Y&nCKwF>j70#7!{q8TTf+!seMf<>#SQb3G&;rXsIeE3K?
zc6#?&y!H~mWo1UbM3Ej1RE(t01w)R3^y+7|(e6Po*9wJ`$qF+nKRm9E&2qN&J62IV
z`_KB3)b+$L|3N)|{_a3EJx48Rt?Vo(I-lAaeB0^X)}fzKk%7yfHEyE@exutDk+rUe
zOcdCy6q7e{d4EN}BqF-RJm7kep-citdk%zOnERxrGSy|jKB|5dwo;Z5-z74_Wv-*!
z=>J!-V3_UOJNlpjW(r(f`V}{7y7J_%G7nfE5#2o3&H8?iHCMq#&2Vq9*efQcIOdjX
z&T&99wpGqD?z@b)xK(+)zIXIP)2lfNt&&;?I99-CI@jBT4Nb+8JE49jb<`|<m|@E(
z8YEsb@95cUl|TCFm)h3?rB&Kw44?RL%icZv{CtO3@TXvN1OPpCvBb-}`E%k&I?qzh
zU!W_$JWPBmVfPj6=oL`!`c(m|c2uf#f}yxJVsk|gXfM+oE=x@yI5%R_W!NQQcGDHE
z+Ut2Y>N(Cyom-q5ZWcipmBSi{*DnIRa~ahaJA@4osv_tL;}A&6ffsmesr2plMoacf
z)*GyPnQ81KehB^p=nAXAeJgEnW1(dr5-i<Miy87X@)-t2&Fr(jPfn6@9DN~D=*{ZX
zDv1@27GF_W{JP0G^B=VpoOic;PWn{n%p={f)8+)8Qsceb2v?q-mATJ&NxSO}U%tHd
zZ4?2ooL;0#P@CDaN=xaN`e&DhbHTZ@fyr#jTU_!=rM3P1ZHcSEB~R_Tot#85y^K^^
zL~TPu%c~bohIFbhgWLbnVIN(URY5-8G&roL54{RPv7K#V));p%Qr5w>lU3r9&BWP2
z`OC%z<3eIOo;Qn5OGlJnjoRdsx!Yb4aMs`e>s#lewlO&I={7{*CR2A|1I-bkAt^ui
zH=nxvh?dPz&;69awGdUute}3!E&(eFeqB3L>1k%U>=PN|lc}}!+3(jxipzq=6=9+U
z6Upfm$^L#m4|^<TW|pZRsRNeW=EpE<ZFc3$glL|q5zDieiMhD;#M1Hnt>aej8&CLU
zscC0^yYzS(J}vR-DJ7eCI^~qfdU+_88qrE$Xcu8{E6htQ)$`>#Ik4Dl>X@ccV~x%_
zjAn{5zaU>Ik!Hb?REz3KfQT%~k1C7OO5rCc#d<SWsEE}CNoTt*B9VuApe<Rf;3-yn
zc!Grp*@EC#E*;qRkr!Blo@)&VUHVuX$E;dK%t0J_pr%{$QH>-Ye)2=TDA(5F2(v0r
zQkKhC{(&DR{0g(oJJ(^_oh5E?B#5<P;F9M4a_OfN7wNz<g~;xgl6p5+?6<hp0EzLR
zRB#)Kt1y}xaF(mB>rMOk-Kd(1O)KZkL^m|M81BA0_?hNI!>z5h@W`LR`4?y@Y~^F7
zntcUyO$ZmG1*7sd<KLo*ueOVK;{(`B{VVM67M5oGJc7pD0kO@W5BYnfs<h{?>aIkD
zujRV-7X8Q}pjQ9|%z~*U_tK@+!(U3xp<D{-yDw@5Pot{;B6gx#IU-wICvWeU-(bn~
zdC?tI5eMn~UM=he04#*(t~>0%L2{<r*k=BI3GyFr%9Fl0-#woX4fb$q=pE?4%Ev4d
zoKT<%BG1#Wd{SlUcYV#aX1CcPB_Ln$srhPZ+&{Ly3=3~<-un4@{VF}TO@-j;2&rw7
za^vlx(A4EFLIFFks4IdkX7j#8EP}5?;e$cerZDH+!9A5kpck?wk@gu;=I086{UcNn
zr>{Vn-?EfL_HvD4vR93Z4JRJ3Y}vNWT*Gwl?BJt@Ii8hc3lD1)?vN1F;cl=858ZBh
zVTHmmA@;L~<IZ{sn7Sjz3#Ze!A@-wXrLwNeFhIO;xX?I1iDZ5eP~LotQ#H+0ug6T}
z>)qZ{<9&3)L>UXKv4(j^I1jL5Aw=3EOu*Zd$gQpfAeg4vY8igfg7#4zxMnD`vLrIy
z`MvnN=h|uB1JKbZqO!%Y&heX%1fcI~CBwQ|q>S%lQX*Cml2vK7D*n5ozbwD%lbrln
zG*2`7%xA3O7q8?Dm$<a?#Td#Da}3OV<w=D^Q{@9l0u|)cD)MrpnEw)?hs<_uI}NBg
zL?y)iP2{aH0#m5T@*hTi>OT3n6MkstwV$)Ah5ZUbmd9SFU_fs~|E0-kHzSr`XRLO)
z)U8OCfA#mCD-(j3h5VmV^1Qq^)YRg@)|k31fatV}>#pbF2acYYw<_T0{)63~!@ecq
zZtAAKKQad`zxA=Iu_k%EG3jo!$R3fC3u7SNr<EO+Q{-_^@P76L{UZ(OH7owhX#$(3
zHX`rS*Nr?nnj<BFTG(_g-wmo2CGLB}`y#FNqh~#yDfv*J28MVzKZ$0L?Tg0>X;SqM
zQ7e_l3$+=DvgZm3k=4qzt>nU?A^cr`z@N9=A*%o|Ux8RZ!+rtL#XrAm5#pzIf_DX+
zP02s0K0NF;u)_}Sm>q|X=;bcd(RgcE_J?nAsFSr}3}-U&XgZAB4`yCB{TL`sYN92r
zFqYAR(4}#?=>5vcGN@3XcU->{HM5UgdX=iMq4^LhX2;wtXku1Y<4Fo+HYu;jYQL>i
zYJrPwS8elo(9rR4)K~jX9o+wV3;-sz0ZIX^uB=>I-Lfe2q{tGs{QKqviJI6NRgOFp
zyHtIHYf_nzXanuABfZVR=FJkGzW%djkkS53X3sTVUEadl-i`gJB=6^UL{ezsak`M;
zpEx##sbbq5jX3~~Iz0dpvM?+l1!kHi&2WzgN6VqWP<s`24M*f)Ayn}j35&b;!fN#V
z8)j><Mqb1sFtIQcxV-m@A;0&5+v4l#Im*^B%a2-h`AqfX?|uBI)91Eb6ck~D=1Jl9
zLPe*1dl#zT_fKs^12mzYPc=$fPKHOFXkL=p;HxQR$VRD1aEhYen~x&)AcL)xCJV0d
zs;7Dv5kxAo6#)!MAq@N=y(Jv_!>{f8&Of_CZU<pa^pPq6D(Vj4{+P$%X979N^+?e)
z^?)03k`p@Cf#(CAEghxRKIP1ZAV(?0j-ZYuXr(dtAoytwh)Jv@<wU!7yOjN+?>uQG
z*_BSfeECk;*E)ERFv2V}<Y=j`h2u<qat$M}uQpnv;7PQ9u?m<xhzbqOXY4!nMV&2f
z)j4a@ZL0<z7iNoryRx9F1+jVJN4Hd_p--R09+ITw^QwOsLO&WWiOg3%$k7dtZrof(
zUHK-bzjpZ1f2z9MOTgd@jLT+D<z<6R8;MTc<3Y*|b8+cneuwF0Dq7ST_-uSVviY@*
zUdDN3+G0pL);mN{T+MSW+b)|azc>V9OPs%xjcsx>n)v>d(VSve;;8Iarg!LGK!J{U
zjpq%}9=KVm*SJ^&ydQ*DjN3ui+;keW-_-q<tbAjgC_4K&D!5jQYu#gtGW*k7#%KyZ
zb#6>Q|8Hp$+}L(=2>p<djuKveb;E$O)X8nn-`IBiQF)w6dprEf$>ykzJv!>_g9Omd
zZ4;b)Rm>^^&<;+Vm=Lqhyq0)^3yM5bxkkU~(J)_x;*gfvm5jK`1wGuH3>&-~`$Sp>
zQIh^;7-zrofCy*`9DgVF-+nup@2}t$`L6H7A%Uki7H&1KZ=&<~@N)%JK7sTHLgSMq
zS!!zaLe?#)oo_o-c}h&r$G7meA-jPOFzdd;FT)uZ_f@D$AMVL?U^qf!XC&z1U8g_8
zEUGH>>+-Z$pZ9`@KC%qyGRB3qwE$eXQqzrrUT8O9X*0`=iN#urW*jm4irAgXsk`H8
z@hEPpE=l`d)qKAplzFiQVIOkRBCo+8&)4EpPSt~2MT{`UG(O%i_LH@-1ZXUEFjSSA
zUliAiv%uo$ZR8};s)^QwE54Z3-HLTm;F7?rg69xyTe_|nd9r`_cKTj4X7hnvcxmu2
zaUo=gedUTSaS8?3z%yp*fM5DmmGH7q2DRzh(qFzxLqz=-T#fI^9kr1^X+)wcwl(!N
z{It{F@}_3NjK@9)e&`f~lgF#};c~1$&p<=NtytLpMSDN|0Dp;KI(i44GNH(2Q%tFL
zYybMqRC^>Uj}7k=mcwL8I~6rG+qYet5nPuAci-EsV9h5<KVOr;h?Sc|LPXT()9St8
z8qfBy7C;GtJsn^HP>Fbr(s<Jn5$};9gIc+Xx1<~jE89h-B+;4Y47k5}8PFO~UUIYZ
zajimOqR}e8Z0X;toEdkHWx+kXp)#x5QxXr?x}3vqVZoj#MEjlm5RkcIm+=bsRa1Of
z+~KHP#!a-Ty`c^)N*(gujYG%K=@M#RMbc2Iv{XkG!0_jrG3x$F@ZD)Sh&tDQW=1Jr
znUIU;(Fds>a}-?6CROMLQ47Oas5!A%zr#8^+Bfmn{ctxV8CqoQSW1dZ>wFo{lk4pa
zJ0dQtl3`G*GHG@Gz0Be*&rBv@W^WbFUkjaG$-th1->#n;NV@`mH|&yYh4YCe5Pp$k
zSk<_@IS4Ab&w4d=mLwW0(A4p5x<m(vK{mF&0<|8qZruAP$?H+_UTl-Jk#LA+H0x-p
z^N4I-$E5YEdsG)^IZ>4E*<9v8xjk|QXQuhcA3V9MrBZF^|6F316<O@|jZ~`}ev$ek
z+36yxTgnZRkUyz5E%qXul6%Ks%|R)4n$$g+&aUMyD(>MTa4snmLr^dGRMJ{q$M>#;
z_I>PUhU09(b6dX|_)nfA0d@V<`rD|Y7c;v{YJx4o;>nR3%mo0bsTS*7&O;3hQEW;i
zgMJJde;a62;~hBaAAs#R=Oo+g*-Kv5j@-k_o*Nf~f$vMnxRq0z8#0gR?TkSXXLgy0
zkO=Dr69d@71!4XD2~iQfb%*052&jFrO>zHie_WN(v)+#hvmJRQU@nFNOduyDm1=5T
zz=i^AbiODnMzQ7eDX{=5C-(zjf7^jyDv#L`6CM1v=%~T{{R6xz%@dH*mR{yprEzbi
zvlWOt^J?Yd`p1P!y7kqgwnC2k3+OV}(aJT(S@Ge^4g`X1H>{!sLyTfCq)_*ZCxRKL
z?l;8Ir_RA5CQj|RpOT0ZhN8U#pfKA)S*t4Qb)wlq7cYmONngg_%aHYU^8SR<Q%)6W
zA|5=x<oxEy^5bk<4(i)wYp)irTffMVMEb6ni=Zs(BH9%ESj@y0ldn#@(sXj9%9yiN
zX;Aw|y>Pzu|8h)KPM23Iul*Wc4^4F5149wl0c}J=JvjE~mq=?!0@Bg))QR$ddjAH7
znl8Tg+3pHnf42lad8O5p)L3`X{eZ}JtplqbFW_ppUT0-H78^{7Qa|Q*Q;2KtJ7`7%
z;4REM69Kk;G<~eNv(YI<f;Z1ALqFFD^SRdS3Mz`;An<ecKpdxsV_0oZG=_6d96HY=
zU&k&CQF^M=wl~rlO9cr_#<P5QM3=ohnZe(#D?p&+(ljjSm`fD+ce|pw9!+E^Tw%bW
zN4dJo*t0&E)4D~bh+Pw~c7=`)yhDm$UqvxFXv7Z#0u=jyQx<%{b<!a7B*Md6p&<5j
z8pdngiqd~;clt%_19PpqdV@WDn~gy3h*T+iBtK&UNr#5k#JL~ah@0UP|GUBAIlT!b
z)cbk&5I;4CsHxe%w|WAR<{>}l1O7?d8l70d#(5C>M+sOj?U?6N>TW`uSm*R<h=`$+
znvA<HbCQ9k1<U(o9NdsOE!J3TZbv9)XD&_D*vNsi_o+di4q9vOQ;h!LQrd*Y8V=fh
zGNZy82WaRoa3fWDw&@x<5Yw>c_)4R0Ngt0iBN^Cxuo~Z2l+mLY?awtJ{~)#Vuu8A?
zZsF#-!bpPJ$^%n8K;*M?e;@N3E(nZnzJOee{g`oq<bQJkoCAZ^_DeShgyTBhjH4Ve
z9#gmeFFBUZRDO2s_jR+OgJtP1whBNMDLY9E>)EJJ2R}jg<UdXunJxRV(v6#z&fMF3
zl)Ll$vIyrydbZBVDb~&9o~(N8twv@4t^9c6xnk?RN&)kpc1q4rlL&151QATOc)|8b
zxY$Mz)O$HQ4{@mQWHfRqR<pXmNR$%+VhVEo;1CkkjBb5Bm4LOVnR(;xb>O>FB3G*P
z&`0BrpPqZ5pV$wdk>_-&+z9EQSe_*>+GHn~M#<r#jD5?yhv?Nlu$P&SDK@s7ZW$y~
z+6;1WGd!KU92+U;Y@a=d&D<frnm2FNyqjO(V{be6mO7=1|McPY=!E;Di&bJ-H$!a$
z27%qCSQ;<cQ=VUK5;wB_!V$U_fv4<NSCTY(4mc{`flV|~MYGqw^-eEvh6oPVzF(#%
zjM4|!E@w}CJ$VeE&iX(EiJF=Y7uV(9_{<Eb+ICGw5l`w~&F6<=LC+bNMn_hUqFSQq
zXt1bHV4;90E*(j>zR*4oq|sf9QY`K^$yjiwZMSeZwG*?!foc1CwL&|W!Q1-$1i#sl
zCk&6MPGcaSc_1pMh{t~9$sA7jXj#|+@G*I=C*^yKs@!m#{ri%Vb0EPtW2O|i5Mw>3
z+4Cy&DTSP``Fv9C$p!x9H^urc@sq=eML7C^cWq?!=3CsA`O0~nG&e(=jIuM8gl=xz
zQs{$Ik^Q>xUOOLX7#%=h*~lD4ncZH-wolVypn*E}{N`f3XHH___(v-_vJ;bwBUp4a
zCpXF44axK2Q$6HhneR-MsA8DPbQTlZwp+`$uTISCQ^pv5J)J#zqqUxr%w1J-8x$bH
zwwHhv!k^Qf(1cvysNqNsd!#lrDHl%MM*E=N%bX~kTtJ@1THS6zOsbD>PE5!;&W0jy
zN9Pxh{CK_GA1N`9hoQ>KuXG4iP7DL_1&>P47qcbCr#0>`-#+di9uJ@C4uO-<KSu8r
zD%p0lM1CVms~g$sXq?7_=Zm~^-~1El>hvFUbgy-p6p;{ZWq|22#IzYPB6n{&QUH?*
zjb8dn)zjLsj}K8G@NhpWJ)te^;|_#Ar3B|+U$hyyJ_tSDl`k{t+4GGWNE=f8_OQ&8
z^hUE<d6Np?puE~{boD2o@0B8XDN2B2J%;2*>wo<^-mLt(`8Qk8(2i9O)45RpLvneT
zqx%1v_Y(MJJXdPc=s%7L8XEO^_J2lx-uUeEk9>rN7W?$%)qf2DW*_~3jkk<%|Cdny
z|8qib6;&F9`$cF41c3*r_P-l1me*FAT$hn;1J=>5Ermsj0BR{G@%c52)bE3P`^~B|
zu1&06N*xOXQnt=#eo31TBRTAy7B{uwTcRo4#P44q2jG`Dr9z7P#I2#`c%59Jfyio!
zAc@PvO7lck#QW|&?c&F5+l;WgL8<e$+ovyfJncGjwr`9SO4p5W)K2&|kY)|2s^Hzd
zfzrw{E_YfkjuitQg-PA^_5sP^bCho3RCe*=${c9PIg>i8+(!Ak^ZA|lm34i?;hx(2
zEL{$3X}g*TSdnP-0@Bg|RK^Zai|fhA-;TQc*x*kC9$@`?Xjn1ru7n_X4Cxo=NrG&^
zhpe`Zt&9T2qmnR%deIJER?E%r!kf*zeDhCDw4xmLOknzUG^zuAtYc#yG|KnG9P1%(
zr9P<KFHgKy0^L2}y9=oZgWLy<6i5!^Z?UqfN>%Yq*T7y7Y)z-t&d9uvKVnwTT0lYq
zYi9%;yRDeDym+n1@4cXl)Id9>1Bgc!P}a0`pkl*RX2^3NaxQwOrFjQP<mI7qlrl>9
zmjQgQi^!k)JhQ`V62m}%c~kX)KQt^W*4d@*YN`O5h3m}`hR&rmP60t+Q#caD=W1`l
zHZa)r#(HzVz^A>3NS%$OzV*Ztj>-M4Pf?cERmFbv8yD+j$bWWfssQt-T7{k5{Tx?K
zBe*sgw2tH}v`E2LGMN@x|24L=_gbx}cY5QCpO3<B+If_i?+zK<ycd>IF=k=!Cjh*S
zqoqzB5`RUjr(hkz?sLOaw@~#Oapm6f9Wb?Hb8Db@4&$66nT`T(uWfUYDQ)fPw4Fqn
z42|_RoC+z=@OMP5MNn;6OM<DXPk)BoerFT&MzYBnXGoV|wul02Kv%f2oehDx*8O{C
zBrY?Xk^I@U9BY;QkLF(^2y#wBbxS%Lzez_)d=~G_sortqc|#Pd8;>lL8f|{TOaD=O
z2xqRMuyZ;v472X0`YC+L_u8)4R)!KcR#r_tMJs{EjNyx&?VQfsl7J^LDm#t(qct$l
ze0!PGU}5{14zfs$KfR%btfT2)oGp`6k$o4}2)SIID-6$aI;D0Rs<?4E7|@UPa`+ze
z%A>6G;x4iy6cXwb1zm5Ly3;V*G|~48THcg%UPD(dtFSFjJUSAYe#{ldJhFlM69}vb
zXhVtD><$j@*iw{OVi_Ka8jG4cwtu~@R~|555($R!X1G6x`1-Z&u7x7rStR8%5)e4g
zmmejObtV*|AT>1TxP(w&ZR`6gm9h1iui5RBFem{d2_D26^%d7e8Ma&;-k_uTFf?eZ
z&UHAXB>N73&&9ZD_E_BD^RJ<YY3iXJm9jTNkDMuP&l@oXH{|9zo!t25iP2Nfdy(*o
zQ^Ln+d5?Eft_wc;_LcOK&zs-a581f485+1&sq=;}olf))U;FfJ_wk95@ajI9^>SjV
z>anDI`o)*#YA9tQN8=X_!x@>SafL~XNBA`TwWH>|(Xd+LKwrWrj6t55A9!T^iO*<~
zfk!-!&NND%X6wS!5Xv60#2XcoYcYK7NIPP74Jhv{s5lE>j-gW!(vb$7_Iq-McWZJ?
z5#sgJjChC^?Ku}=B7pm@{ef4cL6Jvmp|ulhj;b%O3F<&@e#={z>YDoz3H_X)NSO>m
zdIF8X<!Qa~Ez^S1O)f$+YWYd<W2`ifj*UmE9~axM&Y+MCO7^hUP6pQAnTMG?9>3;o
z^<69bHgVxu-Gt3g4V~{hjv+AbemUD{0@_=)X<_f{iDuPBa+mnE&=7hyeQsdM;zf5!
zS|*{p+&uP`bx1HDx72CMKJjXC@774a@aau&q2To*8y-WyFg0~Yu_`{3ko)SK3faZl
z&pRTz{xiB^g;?Uf$r<Fsm+2M3>l<_uzA!owE9fC+jBYuxF{fyr#UR2WxSuzmg|rvL
zUNq|Qruhb>>!LoTTZvo;m)BF2qtVgiv(hoKJ)PegPD^@|p@C*cDcQs@G8D2Jhf3ai
zz1&;Fqn@z7D&s4MEYB6Ye8Pf311hg1vlw|+Y8|ad_vU6pJ%|d<^C?$`S7(P+sK^gC
z9EQ)u`>wPJ&JLoe@P)DHHhm}pkZkVlUvn}H%MrW^388OR`*`X;+cVI7lF$6ka+9l_
zGPA^YJx+*9j{mrW;qW1syP^nLB?Cmwk8b)X=;TK1q5!eE1a%Gf^=-bh?}?4=+Bmg@
zZ%3m|hRi7q6WlM$F*H2u6CcgA;gILKA{rRNaMrRE)PL|e?qSYuO(01H(VRBNCJrp>
z78{g)qZHMuJ<AwNPq=OWPJD7)N1~_w-Ssrw@;A-+ZoX$JL)nmXZgr~+u~Bj2s}PUe
zSx<cuw*}>$ifIS1zL$g`J|~&J*xnnwJy9Ltt*~9jJCh!IDAD`Nch<G8@T({yUXBtH
zxmv)(y!2VgJDfcEYwh=3$Dz7~r>@!eJ+8Ua>^l93K@TdGtLhdujM%*TgKv`T-~VxJ
zQ^Iy4R0wPZR4R<F_q+Vg4x`CD#6)SO=v~3zx(%&CzH^J`4$R5I8WkiAC0FGgt&^~{
z$b(z7>ZpcZtL%|={)G+NK+XUv@dz(l!{XAK9mC+VA)DJlQhDXbB%G0{qa%$18faV;
z|M5ez>9aE#Zk0&4LP4TE=STh3$&pH<vC>L0L<@7^@?M0wZ#}j<y-8Y5NSb=&v4_S!
z46l!dEh=wbzIW$M@{rxK&YXhW5Z^F{Gsm715qWu4r+$9*s~<@0ycNp3w<+5NTmWVB
zGYsjXlDzdFyOk7KnnUL|_wRAl7`Dym)2=>5$r%bL^vv4@J#ffvi0Rl0&TM_UBgs@Q
z_||Y(w&PGE#BRu);T-;MJGbA?F)&d<HawD++SWBHVzRL*2!{@jVa-wV=Q&Y&bb6)<
zsnQY8n|!kDxZL$Cu&QZgt<c`CB9U)yhJ~CTdX4s^w~0I4?TyLuhYjqP)|SP1l_zo5
zxygkJ`$}V!#F>TAC>*xt)N2}hKl~+YcA)d+@A8td34*sacz~yvRooO}+Qa6VMnpn}
zO7?}FiH+}TgJ8pdbptrT;GXSkPZqT`7Q*$N{ZhAUuO+BH(4SqS*aHxuDv>dExO3te
zS<z7Hp4=K;%szO5t42xoIxsLvqxDnpao@OJO^3Ti^7z4#(=0I4S3c3>!!I)tlX>3<
z)!#GAK&(?U!l${Sm13=5La=-f_WtqByZ9zuqmE7+_&RbZTNKC>)lzEXLPDw{tOu9O
zDQt3IjA@G%$l?>%1Rg9QFmVx-vkQ=*5LoiD?1w}q*_cib<A*;%4%I(pL?k0Q;Wtt`
z=VP`^2JQB<W&k7#6IdRp!y}qJBDJf@c=Vpj%DCOsAo%<H*q;!xQ8S60KLp8G__CYw
zrxauvF8eO$O$@Xe-9pRc##3KHuGL11mx7lmTU%(_o|_I@U0f0kSUSuui{V<hN+h4S
zhHr@oUH2^5BMm%@!etc!1gDo6U}3eO?}!6e?8OcoPwdJ+W`UYe7jB*lFCvJwe1)Np
zk3`o=rHHJn=iB7ZO!4uk1oOX9qGa1E*^lmqus5SF1Fvv4nKyB!T)sujUtYQI;m36*
z(uu)0PF21!;N#2T{mjouy_*`%X<Wn%>antZE@@2tgo|nT<qaF$jn(j5uX*F;ZpCG|
z^uh^l?ZDmBNc-i4@;<%8OMRFHQG|c!Ry?;_EtAuBg@1?)6$qAmn6JlWU7R5btSYN7
zn^}=re?hH7%yaxxg7G9@uVg6s%t9JjaE>n77ao>2FZJ&S$XhGHb^NG{^!>`5i@?PF
zi(TkRw#ei+)8E~L)epx~YIlapo$PAmvB!3YIXK_hOhWpo1+alOVV2HouRCIuSl9-g
z08bx0JWqDMzD#hYsuo2YFMco2q>cQJ`$v_4zKw&Or*~YR_bW#}P#42<iYjJz82=Rs
zyYcO>)@TW;D%gT2EtUdqENnRkXM2lom_cccyD`GhI+dtjHH6HiOYIkM#dhS&U(&UE
z<0v{}ivGF9?nMth7MNwb&laR&17{#RYvn=ez*`avJD5K`m^+@_yfdpI=zvn+S$)l_
zsF*UNga@p4wws)_iikS%@{+9iY4ZezpCZ4$JnqoEP0Au?GT8gLA*&vrVvDDT$ny;C
z>d95Q+(J)g(BF9dAYk1(v$27;e~`=5^z{1b4Os{Ta?a{wV3EIeUJjMid5oYxGj70{
z%J)m<Bn#)Ut}dSrIyr!7wEfq~5P@ijT*UV_y4Et3SZz4AV=ER{TtQAHR3D`KxJPq~
zr_T9gwav@rBB>qGhiKyGH#hF0EM~5z7EIz#XXg%VE0q5b&93~xKtW~pc}h%UL%aqJ
ztxd4LU+y+K2@|WNX!M9OwbAHj7MiHgNZQVB&wfxDMD%&*%)1T7b&LV|(8RPOC^@MK
zA6quWyrxz04XmkKZg6GewVc_;=|jFpuA)G+o0lOKHQX)dWB$+|mXOtR>6sA0jeAjc
z4$_@JB|9r(7DrZc3^bj<-^UcS);&$KA7C0%dJ&oM)eCMgZL}{F(%2w|phooUOJwT%
zjuJNe{&*tT7)zWNJ1;2;Tz<=5ku#MVx=J__KFy#7h9KaK&*|UqVaCZ$Ax>|+?@(v8
z@1;U>*Bz#0hYsxQYO|(5LO)N*2-YE^zILrbG}?pa!C!SgKvjp<2If8zyu1!!r)mIw
z(%=))HX;1C)J%tUUH=p`Ft`x!2Vrv8CZ3W_a2?9y*73P2o|yV&<gIJsuor!(Wl*bB
z8(?8*T5T=qStSceaN3zN7(XN*zuo5`jTWF)2zR9|;UEchk~*_q$yTf<G6;T0q@0zg
zoxm_dS9-)6V!3EU^xijqi-!dKUE)3E$4)A(yY_UA_{=R(y3FX%8{X;E*NQz?@4h-l
zB!69B@2q9`$Te#O-(7!CUetn71OLi>^$rkUfjsp+XC%9OJG-nQ-O2f}-6BXLJ>@#{
zrbHkth7SPnt^B~qQ%aVQ7ksXWUN!>~AY{DS8n9#_ba5OtWH~dj*}uTWMORXK!^X>&
z>SjoM(I;NH;66^D;hiTaIh@RluMOQlqT1QB1M<B#q*u2$^BL+P3p1xnQSMfejY{Mf
zEc22%7l||&T7M5X;>a_JjcumW$_Z5)g$^(B>o8J!Pl9`yS!qHQboEjiKB!eHX^v@O
z4z9n#Vv-6I81J6n%33bT7!oxx=cCu|M=<n{n>k4s`mDY#@xT2}6(A^{nEfG~Fg#w9
zQvlt_F60){&yi~psEem9m*Y^|9?qVfoTC_rnP+*L!JSwNJF|q%UOkf#wa(*{&&11S
z!XN63BT!mvOu#qB^7VaqD`#%`YOQQf=MmNL_Y=Tv?)cq#=SZ)A$eMBTm-7iaGUx?z
zrQ`gY1`BY|<^G&j&QyA6%`j+iZqm1ur@R8uXfV8Qez+~@lM6S9X{h@KSEsIOy;>AN
zuA1Ul*DdS}^ehVXZMeC&8#r(VhuFlm(NQUQ9VgM`J|G~CZR++U$a@dy^vS?0eT`4+
z59#rt67J~-ju8Fbd%%W}uXGjhprA!9DJT(i88K|?Y_6kYGTE<i=fS1$Zi9sm>R|7e
zmzx(HGP_(OjgU5)zv|0*1n0NgP8WU1m0CrMyscJ#+tS6t^wgYoesrs;cQ^p;KNr-_
z59q$(-w^gGl;SXHEul&Dfrh~;9GP%&Jq1_z#}*A@?*G<kQbVl{u5EIa8-9)12y((P
z*0oP(e<a;160svAIXg9CGzRJ6h&EkBcJU-j+r%)Gdl;*JMK7aEb#U(S)z-|qUw%VQ
zzgPH>kk~;{dm+p&Y8@mPDI*SFaaffAQ0X89TqM9|J!aTyG4*wzDX+)65Fn_oY>jII
z|9PZ6Q80+22I_*%Ekh>cX!Tkx8?xE*>!=}UAiWyT#-S#xt~7%MJ9`ju!7WJFwsq%Y
z;(n_Y>J<3B!#q-%WflGLk&O?#offh#Y<-QZLV%iFsBLmVpr(SXzx=CkLh}ivcJle3
zlCFE8#Q%nisHqXz08&4MA7xY6+`E5rXx}XV`2D{JCWRGubad>n{b$l6rf~beD$1Py
z|5#D>f43>{OAFS2K{|$&l$Dh=H#fJpFYUOt7*_7EL1mqr4Rcg!=;@1!ipn%gAFufT
zU!3g{OT4_i3=6}oofBR{Pi2af*3i{W$;fy-5&xgj_+~^d;-y(NqXJ^A3{oyKXt0|*
zPkQn{cwW~9?#t)$3JR?)ErqQgbX4-j6A}_$2KMYQp>09_3#K9E%K6`)A){7jtG&TR
z)o8dB+5E%V593uU)rugFN--D_yWK-HpAri$Zgmm}jLbs}i%c3m=1v|l-4`;^6v#ph
zdgNp8@jRI#=Bpj!&JlC|hO4esdEeyZ5Sr46#kEAB4nZH+q+vM_QH-)V3Rq86GJ20I
z7w3wuaHQKxEo3!nPZFw~3@h!p!T1Ll9aojMw<E~}5f+MG?Z!ouN+Yf}wvj4=BPQU7
zX*&C%X9g7T67xZGj*LfbP?SrH#~yoUI%6g@&WH@IemODe-HHjfzux?q`jt^Y@%D`J
z09j>{T(!_(8R!-9iN@+-AbYeEeB<5Wu_|V)Wq;F2#)W(O&mSLFCMKrB)|WGSQd0eO
zee{$39c8uqiAJ{(GFcwyhfnR>5=`?s<^`B}?e8{O7mKQr-bDD^(wQk8wbeD2Z4;^3
z>2t`CeY7OD^|9(6&K5qYy)p6zQ5<C)uKg=}>~e!oPhVi`%X@@9#;fkNPI|)wKK$G7
zskoc2JoJx2!W{F{KsN|ZM#Cb~=z#C^u(N2Z%Sq+oBd}J+6-^GYSk1Z92q_iRDG$lc
ziu+HaPHuCv=V|11TEU*qar7awj^{IgW>o*Iy=M#QUH1OIk9JR6PG$e5iRUwo;;2aj
zi^|8<vms!mu)g**q4#8(;~s&}S~%b-^aw}&(-*-O)Fj*=5Z}4K^)xa=<%te(b3D()
z_4%!fUMB1L-46hPD{nTlPzgxZs!C61*3AYc=Moe0({{zUGs4gLC`bB;M#{m_5p|or
zz;AT&3V2f<G+jADZY~j|Da5WrPEjiG8uDgeM0a^=B$kG;(POC>1S4tqxNsx2v)m3T
zD>tT&quE?`y$Wg#F8uv(61vR|TT_NU*c~m`48x71Xyk5~DQBCUJ?^{om5-L(j$Ji~
z_<p0lb|0EhvVbp>&k7_xH9OAWLfO;0?Et*Q!@_!;MG?R9SpB{<WisNWk00~!sdI^q
z#N9=l%(VuDI*}FNgUb>N2&p^rR%<JkUfY%2<Lq;D$B4rB?TB1AvY87%2T#OIr^up-
zCk%DYmAk!0pXK{Eon-r8^nEny8XHZre_ogN5TeKJf>y43#7hOr4t1-$+O9UNkJ?U1
zVn6L29udM1Rt)%#iM^T~`Ww%L>939)T-72R`ggUMpWfl@7y$rTLD5&>dD0K2!xL`I
z4$6Gwc2j<Z?7H=zb#9C^!>iKTKlK}28J}5nzry9=<3nt28f8nS*Vu-uv?x;84y3U9
zsIw!7@_PB~eG!E1=Y{nK@UMA#3Y*<Vt*C4D(W3_JO9_4^kZA3s`tQT>m9d!tRUM?Y
zH>mSeapoiJA^!^lV7p@RPQI${I-p{2YT|+5VUKnT)cIb1^_&@Y(69{`x!n-1_*uU_
za@lbnHYH@|PXc80UTuy}S;J@$&M31IE=>F3c<6OV=yf`Nlh?}}+`krSEVyL|lJ>sJ
z6HAp}QcTK(XkPBJX*Zt6(o?FbRjt;xS9RPzB|~lu*fEwIfiF=@kvIQk9!%(qCOtFN
z@i1>T++IAQyIP<%n-6d?Xpr+k2Ee+1Sz0G1<o)erq6>U%eE7nxH!te5j0+KAN&daG
zqfCEulp7!6S5nw3EUcenmWf8)j0tpaUmBj_8ddM4`SsMWaBz%j&coX2cIIXH*v7OW
zvIQrpQe>1y=~Mddi=1!8T(y(nfEDESKtbw>dQfaBqTFL6HodsCZjmDaZKl8)E_(V|
z&FX%WAZ<7br(A!O^v!;STE$(zinc|Wc|ONU>RD&2rAAo6m9v-(;v}<Rf0#9T+2~iK
zDY32M);$J=?`NaVtG~MO7X0k=Uub6Vh!oSv_w09vQQa!q?`+KTCx|aH62-2?MGe5Z
z(HEirCR$<O$YzV^D|8_ySgIEDVe{Pr-<VwZMZ>nidvge`k8L@__QmT!oF_$m3}J+i
z^>4Aj8qG)2B9|;+dCSEu;2b>=>)lr`CT9Jjcc6RVm{_XdbQ_^*xM%-{l}s|Po~}9<
zfFS;^E6MKSn1no{<uhw>^?3~e*IPP3w4!)2xzW7ENsPXH`Hlx|nfKqqV}h{LJTZGx
z4@&`KtMN+KH+y@bL+x@GR;k^R^Bg*_JCcqqPWOoe95(M)Hxs`i%9@@988>_md-D&e
z@*kwlyg9g-4+#0ej@OhX<M7sXTWlF9uQ;>gigm=mQY_@UZ3vmV`*dyE90H)OM4p3P
zP!HXe!?jy;v~%6_6M~TEwu-HepM4}0J@~MCWr?BdB-@H#*0{K2j>JtTg;Qb~Wocg{
zO!cU#qx&}^Q>)1Rc+8^<O2Q{QZ)dlRdiTQC`PJP#LkA*MDoszSODySMMoZ@7mG~b>
zq5fsSy6R#^HZ}GnNHRzyo}I1BfY}sB<%#sk49Lm^Njr;MZI{y0C(2ePqd7Eaws%g>
zc+{!X{LZNo<gXvBR6el~$<0rAYcFO@d;As)^lygm>j+$sYmm%K0RT=;P8v(+x2cua
zKTV0v$XUGYeX#+6K6kL1``=^R_7dO+t5yD}-0AqE85GKxT`rdv-)`$f^_;bHw#9kM
zf<#(S`Wto3OMbZb#gkz|E57qpE$f$$7NgC`=BOHGQyKg8@25M+V|94Ht=RiN{}-Tq
zoRDBR@cv7enDVDp&S^Im2HhA-LHPFLGN_i5yPh$`GZiQS02sTt==^5T9;QF~ty%a!
z^KB>~w@fes_*gs@D$jgT=U&Y{Ft46elf1HTc(V;E;%rUl@jYL3Dd6^7dS*a5Mxk3f
zqH)vX*Cucg_tK`v<9jS;pI2&1N(y5?8V6H-{>-2L$`HzW0iYM6;28&wFz41s(kf1&
zf7YkC4-E~?Aa3ZF2WmK{$D}|NouM!Uh8L+yQlyYZpO%hxp|1Ox2oC$E#-C~Zn-j>b
z8m{`MzppU0oT=QDOsgw7@{5X0rol57^K1AQ!sKV_dXafwrbu-u6f7fYEiV${O!sgS
z+&3M(+|9eEMIA)x<XE>WD7mtT8A_NWH!CJUYFisdoPa)y$7)U^2zJ)Kn!;<L*E~T`
z>h3-#2%*(K`UKh}n}~?-DFT8q23hu4KOOnJ?p?)m>G#LU8Ftv+*j|AUUG{c}Sb7$D
z^x96$Zc@@)+JQ7l;g8RL<WjO2Rvoy_8%9&``mE~W-h<BjLcSh+w9GE82s2fJtZ?*=
zGN%<so6f>Bf>Tm{Py5V4PovMxg)J=FoGsp2*53B=nD&3$zG#;uvq^qO@8+v{D|LPT
z#@*({=*x-4dZ~%CRt4;jqL)*YqBd&mW7!+45jts0DYkDV`;2>Oi2qsN^pq)4K5ty{
zaf8SeDSdV!mJwUXAxfoQ<?|?<CMJqHl}V(-Q0Nn6xq!HfTp2Rfu3>;wPGY}LM3_||
zt}EL&>4G8a+uT}72VScMXXA2x%FP1oV@9CH7BE7=F^No2q#R;e>Vqgq9u5Kpl<3&$
zmzDZ#HX9XTze%zb$qX6>89y9UnUuWu-h4*qvh;B;H@frq9BO{?4o87y?~|`u!&!6k
z@HEJgDeHdjL?>lQmsS-~+Qt(+q7=m(`t_d=e@hA9MWyXOVDlNta98Ys`iYPmdKcC0
z7?&O2evK#q@U)~IPClwsrf@CmmW`W*QTWzfP4lhzY&9jz{u)l{G&@Mb$j9(QW|WLb
zrs69ybVjIEd7LMI=UZ94yGQNN;uX6}0r`+!#}j8t$&G(1?>Bk>59Z!FEUu^P5+zCk
zA)#?6H15HJC%AiXcXzjj0HFyM+#$i;y>WMUclQPwXPW%p@0&aK&YgMZnYqt%`yUE8
zr>gp#s@kj8UVGOhw}+&TyQd3?(+MhBZAq}c8{#)#GIM6BFuUXjN%JlUCIyN|7VGY2
z$QJjcs{0myf{d;Oa}*W1nZa1XkCid`Psvh=pBTN9Z;~=HQ@f7tjo$Uh_Fg-V^=7yW
z!b0+1US8voc0vXykcahvCE|vw9fHb(rzKxE|MGBtdU26=F{@S?FVy&AFK_VmBa+nm
zRdG+JdY?tZ-d&!w@6(kCJ1*NPE;9Wrg2klpy@7%PbLgutk8c6<ZuONvdnb)@zbTxl
zo_Bv}aGOy$38v%-Q}_M5713pW0`EWGpO5W2_Q%pEEir%OBS{}RYd)qg7~_DikYcDQ
z@}>5N_0&U{f7`*yYHVywPhY#?!PvC;Gir*2jGSXJ)NA{%<Q`3ET3T9zgM){Mhu+Qn
z&$qKWIy>R3$i~LT`T4n-nuM#=e`W#E_2zl%IKuz8T7#>{S;%~CcCn|;6^K%nf}>UU
z7v(DRPn2}qVDfKzN;nDW&MOSD5!986yWK;%+X@y=j`^3qQ&U{-YE~Cq=CYi^IVgnm
zeea|urA~d+OD953eLm)y-n}IG81c&%t-?j&2%AUn_sCqillL;mWJ=Yvy2oLP<74?$
zSkFHSiWbcO{}=8?j}X3q-nFxGaMV;*E<jvtDsP{+$QyKrU7VhtUR+=z1!OG3cmF=O
zW>Ov=x2CXXzY*I%aab>$z&E9*r-0zjj736(F#FF0^z`(~1x|g@)L<(3c>na3@0oR8
zNeN~8@87>ikKVMrKsbh1<9fAnjlL2a8;eCuoHly&s>QFhyE`W<%c#-=KE`bMNzxE%
z;GOu;UytxZoDOT9i5`AW&&Pj+C<rS5X5rk$YP*t2KJc9ojKTPINYHRih;!i6fO{~q
zWlqDnq=fIXXR1sRxgU-SXUoL06pHAoL#>;2qjBB~hvJHr?X8u9R3?=gY)rzebx%E}
z`Lr-gaNyh2cqTaJo(7rkXc!(;#_`{mc%7C<IKh^xl2dMFl0>Tirn^D4V@-3^?OSp~
z40;I`E0dUB`unl9rI5ZcsLFuPp~gj9)1w(ZW!vHCW}AKztw%T1@f_LV!3G?sokaKr
zoBGOMyl)o1b$TK7W_NarhJH#NX|&+faNfc{35RD5LO=*12!y_s*XZT;sJuu2StQWN
z#HO94kf#*P?1C|k9&sp@Es-TLG*`yXshp)iub!ajX)J5pAd&TRa7KQC>FqizhM`eM
zffCI(%RLdN(9rs9Gv)|iB3-P-KRG$QaGe{AvwC0C&^18t;U<haqHJ8j8B1elsdK=r
zVhJLw!%Ix1vEWfORh3-W{Myi~-lj~SF2Ztd{PvPp92;)p`Y^qwTu?0gZK=!;DlfQM
zwrQSsg+&M(d7FP^CP>6Dt@OwH(A|^Wc%awySC90gZPk;RnyIT_GydXhK*h9(hS^k~
zi=_1{-YUIzMG1#Zc+?5~j^;}dl)37i0k$At!zrSxcHf(;DtxpTxc5PYFEC}w&6ayT
zGvpY5y3z15ohbK0Xkkj9duf^Zm>8J&<UZqxBEo#B`B}U#s-o{+i%QyMuWm-iIl+3)
z&9=q^yNtCQKC8>*;FPCogCe%JG$D6uWQkCDzfDJpVZ$C?!7@F~2~A<xYc+|c-MOZ(
z6h=H%!a_3bon`yMDA^tyuwFi`s)tJ9vc2?OLxSrPx(dyCT(*U`L{IN(r)AX>7&;q|
zxjp$S>B6_E$i!en<iaHF{_tcfB&5nhADsIq{SQm?ONs|R7B&Ov>_{+0R`H<JplTFf
zP;QZcP4%}8(>XC5*iBdwevM@ax`Kw9Z|g38vt4&8VS-+|JSWdpt5oOhgS*Y>P~7^9
zuD&hf;&A4ahlwxnSxjDU!W=J#)m$<28=r=B!C`DhkK#?Z6#ziJhAj$rj0$`9ReDT2
zy6!zG)m9K!!<`X-e2nh4nZ?n%?24dsavUa*5Zpz)b&$N+V*fz`v}e9|MneNQSz<`Q
zA+3yk;@~?#OyO-nentG?g2;(a1&-84q1qZtwuK)kdNY-7b38b(Tw9x;V;@gAtD(VR
z`NrofEe>tEN4uu)W?7MURYb+3_S0kfBtVeLPXauX_VzM(xkxkWoc%V3-Qp0EDB-r{
zeX-2v!RuZ-3C^?!qKVjW-pL2b^3CD+nnfX|NC7@3p090&<!sKwKhl9)VO5$CkyCEj
zeJPk!4hy|naM}>ArG!BtP<u2VV!E@W+p9yTSO~kz&?TC`0faq){uLd9Zuo?fQ<zE=
zUj!LgTD^<-)uUW8*kAB*FOdc}k(G;gG#KX)krS^-xuExU#g7?Z-r+PA{yw%QRy2+g
zmA>5NyGqJT<!~Vb)QVGvnoa+B{7B9*=`7*5sueXbDldM?<ZRiZ%Dnr|D~BiB$e5nl
zh_~^fa+N4zb1sLmS(8rEZ4T=GN!AL*{6ICLQ}+{!i}l~RQE$hW_Dd|HiIle#$~YE}
zg1`1W@2rKmdW&-%{YB8+yB~UY53#J57wsjK)OmEU7T*_c>LN6h>D52=rGv6-^*+Bv
ztfgAnm6bIaZE{UxGU$3qx8ydb`=?A^Er<W-w2=%}I6zk0#+{3DdlvziczND0I|dhd
z<;ZH>9HfCxM>H4n&DNL<JhzM!6wVmmU%EErRKF%ox;@L!4c?8~K7u&we0U;<S9Dt9
z;TB=^=*5>0MauYuyazEJ2#;qcvCj~E0^h;5|DkJFbY7kPBQv!99~W%<XUYr+-*=nB
zp0Bj7*naK`>ukn=JF-7uZlJF`*$%h~`D;G@WMy@BcboiQ%*WNuje614&5ip&I>Niw
zRojW_X^kRf9i8RTBRKA9x%UU90X_%n#cyqG!7K5A9fdmUAbd7Im?`7q<AZa|0)K4b
zCh%Xz=xJmksOWnA!+-xzI{o+JfA1QQlDd_d8E%a8Uu30w<>~3^y@u5d=aU{gr2iq&
zUHvb#{?_<^4o3W^v1ezmuB<Gj<DT<!LwNJ@IWaLY2n6~g_j%6isXteLy5JoNcP2(~
z|Mbq`aE^^AoDu`cjc3W!W&7ERGX(d?_2s-xds`c-JpAgFuYng@E%c$Gp*%#gbXcUx
z?-aXj?+;A)Ei5ew4x667!kt_XWeXf1(8s^LBJvl|la%a-zu2dH0|nqPK~D{fg>v~t
zcz63c7yOSWs9*k3%OVv2I|bL@XF-Y(CgrT3%j&C{?oRm<S$#bgM2G*>(c;xU>8W4P
z+ux^&Q2@7)Wx>qV`Bl|TCH)4|O--8@%c7E^3VGvlrJ!MNC$mR6MV;gd5J<-E{=)$a
zkLpph<*+I$5gs01m2OPEb4&kFf6|t}v1uXyZ{LQAkyrBt$$kxY?f6e$()H>@6!L;-
za=XZDD@6h+L{bM`9P?FOqKgXN4vUky?Ar(+pBmGcIj-PR#DWATd3M*$Pj_~1d{$zD
zQ8`UZch6s@Cyl<`$xewd?ZqNKmv)i1AO{5<&&|n+T~Z#Wq2PI)fih!Hg)`66ilZ>9
zE53_^q0aC#>tQ!Or+RRYM=NcbR068IPH|pHNC=!-%fBsg*cy;8n1p5MKlRUgb?q*w
zf@0fGA{{)<KUcxT;;^22uR#IWg-Un~+nj4JZx-@bkUB(2WGQq~lq{B10cL-y<SXTG
z6y9qn8hoSq=D9^wG^m_>9n7zU7QqQiNHf858SMUCr2#5aXh&rtrv;_vH>v;1Q^;GZ
zF;5XvN{h-@$iq6k-d<*b-+eY!gnLR8L&Hb9FD0sy{NsCJh-(ZSl1MM+7MB4cD)cQH
zBrqZJ+%s`oC+%vCO_62wBe2ef{;H~Pk26HY9^~u7gDDZp_Uk{a*1l(|wW5C)G#Nx{
zl5L%E+a@MHR90~r2m(_KBziQPYu8vWqJo}0Tdt<IOlhB9HzrVh;u@=2KmMAx$Jl(Q
zkOJ5!tE|{+>9eAwNdbuOic2`mMpS7)%0&gs_&yn|pW&2L_bn6>ICON?jK2sH!>QOh
z3<YQ*w+r=ca>t6I0;uDf8`-?grOaQ-CtZfLieDHdYQU3@Wj=ON0?kLb(5J1%!*$OC
z=Bu|Rqoi+Tw(tYo<p&gZgM4cwmbB_}+QfloQu>;j`h^7OO#F%5k26|3o_mcokphiD
zLala5HI!~T424c;5f^8o`;qAaf`WqEnN13++hoA)PA7-0LaxgD>&#d3e^!y1-)mK)
zO%h3{pO~{P@+A{oTwUgK2jKp3VApa+11yeO%BG;h$8XGe`i;o&SOM4IWymYS3+w3x
z+)VZDP3dsT?FEX(tvdN(i$XYRb7G`G);YN=j*R$0onGg#J(R$bvpx(TM+w|6M<0kp
zp9T`cnm*rdvir`3X^<Eh8j5}U@x(S3E2^;N9lshJph!icXVB;F<bF-9-Gb%iH9vYa
zV9N^{HBvFNtIG%}2updYoRa{}RHZC`{Sw2$!6zmpI|~&L{m2{_!#1IUu@kfrB>poj
z`$g20advj`Y$Oe3{=hgMjXkRsS%`;M_f)6`d)M2%qQaIHGU2l+UXOAGO#Zf71OR|@
zpJ9sWPdJP&32kuB>!<*>{c|VG7z%}0Q+hepRp%ReT-9N-I6E1>FoAB)aYB%Wck?I0
zrw^A3i?c?)1#DLbj(5c1E%Iw0RxuyQtZrdXp5IYo7YsGVZ8WqyR;xnxuP5D>7|rwZ
zCA3piuhxPCTzHge6RU2CUnQVZn@<ZbiUut;-gxGmbbf<hho$^Y>y9e#=p-1z;2nNl
zb;OA-l?s1+ErKDz*O^e~vT5{FnWRDX9uz_Y3schcJ`St`C4SI@e*&0^#qt<UAP)>q
z9{8jI3l$IlXg-30kv4+<%DFqLc&InV9$1d6K4AO<Osxh(j@iTBm%srg)mg<`wR~77
zJNu<lq_Y_fj?{MZj^zmYj;^!7vn{hKO889pGcUFEb3jlwKM{G+ZN7D>t!`ss6P3H?
zIMjg>+#pB{@|F?(=`@uOwU$z=qGnSfL-M}6ezg<_%`YU)i#2Uq4{YLsX`APYvFa(0
zeGjU}uW9a9JS9}5isykF4xd1L?6h!fnrQoc%MoSPsJ1xp-X!khGNdM2Lk5(2BBzSC
zBRr9<34MqiB8H+#U~2zZAlZ8iD=GHM7|$?Ey6kxdM3Rz1Lcfra*kIka5+Xx6i|B*T
zzDA=*ysTefF{)_V()@i&I11&0_*uqrJGu1Sp1w`dXrz?EP_xlUxtB!gbf52&QvLMj
zk!WgOxxS2>$<bx{N3JoYG=Y40Q5-zYfePr`Hbw+ghDDlqbcpwp!;=~Mz$-J9=5O@C
z_dWM4bbI=!w|BO}=@3!_juvNXB0{EBjCv7t&MAuYvubYbd-4aQLBDTw(XZbI4UiLi
z%IWS9Dl}{;07Y(FeH-xb0oNk@n9@S;<aPD!RbBFaG`Ki#9Due%7hb1}2aW#RITvEo
zuO!|utyC|fIQIL{XDMVzHB)A1pq#q;@b1++GNe>|y25)=D;Tb$_ClrZP=4^x+g9`*
zb*CH$2=vk_2PSk3AQy?K5!-24KOoj^^lA)nSb}KI(=$4?f$RSczGF5@LN3^(%Jxtm
ziwKsLdlI(`1H}^nTUqVu^c28|u78Z0jsoIX9r?bfOJp}%_|YDS=*E*O6k+kc`Ch3q
zcdaAh1){y=z}S~n-N~Oo?`9?unXSl$wnS|QV0!5}N>G%))!YJ4Q3AM!<1)__nBLN{
z)U0=qg=+2)hOrkAg{HF{Rs7NHU_VetRzX1x-VEYdWr&iDkc>t`cBYV`dDpSay(tAx
z6GM=UrFT~8l*C3Mt(%R@9|xHm#|T*Rz-N<H>kA`V&g19<_v17F%#euty%T><@$q8}
zZ^zU305!%(!RgZvn_vN!$nT8JFzsGK%7}`i@@&JC7){{lOTc1Ye#IsAYNa~vG4*OI
z(0=M+Jp;7xz$f~Tf7v&99|8tv>h-E|_NsYt{7i>MYwz7Th%9A=6c2t4t|rp1tdbpV
zkE=&gnCW7PV|RW~i>QB;qCr8eG!<P+Cv0TD>T3jNdab<`&*0eFJYV{fUb;c&)GQ-%
zMAcO3x6-{q2vc5a)haoXNxT3G!VNjIa{))U8@l{jaX7op(%oHQjpYV@Ow(<~V1>|f
zRbolWN(jtZrO4gxYptokPGNUO_8S{?_)N8VFs*Tb79eLY8;jvR6kyj3hvHj4CucRA
zT;CgP*0#OnA12(>?!-(!@9S&BPD_ZPO!-WEas5hB#?z@=VuM%gNs@)|*!M3)SKFx^
zQS;b>NLgvT`J>tCA-n8QYKyV@+iQl$Lfs<$Xb;%QxOo*E2xlw?BPvKrN;*28{|l-i
zu5R5F%Wtq^c-jhBybqZ#Cw2OTY4lV(!pVBe-CJAaE!ifHfhVe_MGyh{-=V--=%4$x
z96E<PGZOJw*Jyl14RL0Cy4{=V3DhS@b$uEzg{`%=e+rSJz(4%EEBpsJK700T+55Jr
zeYJ(I?^E5PbzuAHVa@XEmoG!$(EV=(ciz~x@7q7YK`0z$()EWq>kuKp8|&`wUS8Ir
z!hrw&9}PYIL|8#8JpKn||636A{|Q4^jEsyz;Q;x@c50vX73i^~TvA<2`kvQJ4lKnw
zz<c-u3SzukTTqFstjFtj-Ne9cp0@Y~y589^y3NFmB3n-BJM8*dQj*a544sU>LS@s-
zQDHxsl{E9wTSl-IL<AWjxO$X{d9R$&uWEZ<$<5l<t#IDEEQQ{VII&uHar3jlSiGh5
z!)=a9$xZ(#W23RuK3mIWenW<i#Em81Yn6&48#mA+oXVAoXLnivUmh$p+kt(naB0q+
z^O}`b^hEnr_SV_Xa20uy>q)fn6jU4x5+(Tu$3fvpB5g)_H{C(aDfE!c0<+8aDO^o3
zruvXHV%~fHKY(ZL^*-(*W+yL>x$3l02&bVhN97E-U*??N>BxG^D?|CwbEMC1;E5Ru
z>h_vLpX)4_@k4FpQFts3R1ig`jz&`IQ(ZQi{aLcZiHBb8luz8jP|i|5UeBUVFP$)w
zm`E>yQfq%7{w^@POSl8Q5<|RfpHy{Jx)1nDG|J1x(65q4bl)J6n@ln0bVt$#y7FT_
z@qcepa_lxHI+7OQ<sRbS-wrvuZ5n^JLV1$mg@@qDU!ABJuqnOXwjN8>qw4)fAtNFy
zM<(vQfh_zXc{)XL+ivk>g@^$kA8I}^K;%`_sH25tV4IQx=&5I<y&rCgDVO;f=wpQ1
z3)(wzXldp)07xHT)E{u;>dM=&Dh=HPMqoS>e_l@+6-<5uzi9U(Bhro)&dEk8Uq)p_
z$%1gMiox!PG-GMB{OI)Deh3H^6DunYQ+dIBp)b(K6<i~aapp<zEb?=me(=|MhS|WZ
zr4*~GmC=aU8#q*55Jf`g)2EdKX>xAQM9;H{&=_5pBB^i<@)#QByz^Bb4$^-CJe^M)
zfoZNZ(V6YnV1inxSQpeI^?dagRn(ZE+rquTYXoom5BDgjJh}&6eH3Vc-QE7zP-?k@
z(wL-0YwTHk3AWA{>Gx})Nvzx?BnrmVgS_&+Nf-kK1r}L$ef}G>mx`1$ghCUx!nBeh
z)?6_fL=Q?go(XC$5{gSJsQsJPKq5e$B^!BK++;N~*<~<T2aR_8k-R44Z7P{ry^(Q8
zD^vl^KM_6VJ+M0<9O^pEV27Pjs~hf0<Hf!k{Ik!xs$QH*Wk@n4ZEuxt!YGf13tsQX
zNSZD3E?G<$D;qjaWistZtbNJBZ^FWJ6oE<bke!a1FCM#PipC)R^7ujaRDErGPdUZW
z?HH@~F7ia=nG`)q60(@P^ww*=(WjF79*Z?I#n={o@2ZbfdgM;*@;?2V)>S0S5{YVZ
zp(Tm*g#^7YVU&nxSog@Kgwg&<%N;bXsJqus6?+qPs`a<k*MUj?XSx0zR3M=Jd_F6P
zb9ti6HK2>UTlUZ?*nlI}d}vx7r{<IGCHmWO4{IK+K}>j8Un8Dol2o9tx8*7;X1aWK
z6%Np$7vF0za$<`kqP2{?J)IknW)HHj9@8o)shM#lIqf|~>h;Oka(aJYnN3#HgS*kK
zI)DWcOZbIBTQrF=$wknh7!VzgL2E@diLp<ARE$nqWeP=_TN_{Z-@NYv<!3^(UN&c^
zdpo@j>apel<%`*@x?R75ljy<{=7!x~e~R)Ub^bWOnk<1Rl?h$rhG@c!^*xWJKrYgu
zn-bQ}N#h@`<s;WYP)szBZ%bw7YT%JE%d)zAV@gUYykOQzt9L2GjBE5r48sMf*Oq-s
z5fx39a*9?YjCBi#*&l&GlZ@ir+O`8*=!X2;AbER-N76kOiE$J{M4}Dr2~5o0M4Y`n
zMHsH-2mvjMwAc3`m%}RE`s-lHGs<y&uWR_K*S&2dn>~DtM123AEPgbFrr3Z01uvBK
zI%rn`Xg`UK9i6l&W%rQa)(Z{l(N;_bHT?+!$ozBz>eYuFmuofurskN#sZnJ*4!X))
z3wwV@F|n|3ek{X1RO}6{U)BteW=<HSOHRA=*HLWlAM<Xk{he7Yy|YQ_P|K@bzgGV}
zT$20`vqr{jTTgl{UC_tFJSd8FAZK&SeFqx9)pk-M(<NL&CtF<MT?(_Y5eQmf>`5ag
zt5BKHHf2`FLrH8_mRw7fMp@Sy=C+^8_B`9Q1p<SMKZzO`clcJs(FN_eYt+rr@bTLP
zU`IV9iRl>#%geiIB_(aMnK|nV7|J3Ya4?hH%k0=>ONu(@bx5Fe=JdT|=XiUcj)s<T
z=h4`E>!n;<a2EE>wRaKaD0d=S&Ld5^-o*3ZrcKl9yn@=h>Ym|ZSHb)7!?(N~inDWV
zd-IAJ`1)`?VXqVNA9(>J*DxbfNsk(SG=jlqQ<(W|#)!Rb=#lPeArEo0us(MLTOB=Z
z^xA+j&LIEtFq@sLCi&o0F>o}~bTDg-bmU2G08{HgQMsZ~DB&_L3kF^q21n3zKI0@y
zUq^==$!P7YZ1zAbl&hdZ2`i4{lP?SQ(EBZ?1;3emHu5T|o`#M9KxB5`+E6}@i=32#
ze(j9BN^#XoN(T9#L0yBM_Tr{6ugnUW0*myK+D!6_EaUrtGxrZV8X7di(cC~q7M3(=
zq{3!7u2OJ8om9qVclJFy3-4ED5AFFKAh3&&ho6&;lvmrFs-#p5<E^ZaYmgwi0{Zu>
z*gdGbwv@WD@tmicqHs}B4h1Ajnw@2Hc3|NATEHuBXpD*Iu4iLlc_2cKr*f=JMfx<L
zYlM8*m@kRBv8Z827p5AX6d^>J^+3T(J)xkiX+dePit{)#F)%PtX)5B;s(YL(g_m+R
zk2y?ngU6W6!R5iFtf;hrdL!g+Y;3Ni;bvFVxINR)rtadXZoE~|D<PSXJx75eDJA!_
zF?w+|Gb#z=v^Q^8_6K)Ce@N@wJY2I=1wpd_qhA?EbNz#gT{)S?nIei#YDHRHyi6oY
z2bfJ{)Kh84m1?f5lBt6Op6v40bo*={S#|Hsz+AnPs@j_SY>Zx=Hi{;}R$<zc=jKD<
zq8r)2XDC6CwOO~wIeV>&{&hE)r%3Vz_RsUN>)nI|c+YWzgNx^bdN!SVGolnhQK>i+
zne-gUITU0xoogc<6aK%7qYum(7{`ze#*_`ShoJklcPU-^(xG&G_caM-6>jxw=KU@q
z3b2IogcOpuPjzPdtMy6Zzt-$(yi8=Jrio|Tp=YpXSBmfav$|;K*y8)CJeT~`x6Q7C
zyZtTT)Nd`yq~Fc=lsY(D0^B1#mYcb3%pe=h5p9vAX_z+=Jxi+Kopfy(nf@S<S9a{S
zUpoh3BvdhQlYhm?PS3)^tE~<n2nRr54L23MN3v84_l%NoSn?{vX03wOI|+?`6UBSC
zK43M7x>;OSVXo51$$FVnatrZnqe3x~6e5U^;_Za;@IctJX<1xkMH<;h-q70jCI*T%
zbZ&sxCz(J0T6sjZn7Y7$cFW0AB6i2BQ5*L&vscK8!k?})<_x-3_;{Ky)wVLy8lGPs
zHwg%~lQhXO%9g@*H#KUJKX07SBH~lxWm~nq>88js&Lr;%?c5HP8J;dp+JKHRt7LYA
zFFH3HWyj^>a1lb@!(lY6j;>1D8Yv`|FdOw%)we|&4!j4-WUv?>+S>6ja!l+(xmq$A
z7SvV9vrK93zB9gJc0{6WWM?Pu>$?odSO=;@&Xkl;6*g-XJUwBV7cC{QOh@cjNu0(|
zL2(6>XPK&)5Lt}G)r1p>{tQ{MN8$n->B1Ta#9t>Gk@YaJN@5itAqOtc=9yU&rQzMg
znidq;I8<U1-m-)*SpT?-w+RxXia`njZ<C|f&mS<H?NJ|N;sB@2f`@CU1v8>jcN&)@
zsi5U4({~q05&d1C&~k#oVgyuCuI8PK*D@{%7K3Z0*G-;4HA4k;Dp`SzOSy14hE?<k
zn|J|LtJ2!GJ3|4<*}MjOU{2?t!zUpj9y73}kdQBcgeSChE7B#E*1;;O-EwGn@^rzv
zi@thBYXZPd=p@p`s7yivR5SIjY^Wc_%{y^z;(qPV2#q^?NAiFMjO+~v={y25%8D)q
zQAYoC6C#Usdz-=z33eZ}3Cd(1)4H<AO44*jBsBpG-6!qif_hh+s@YiUAz>t9eJt(=
z-rc(q9;ZQK4A>B>cU5dCu#h+OMi&^7I8;F3<L-FpbrqHhDj>*EAGjvDDbTfo<GKsr
z#M@gu<3utunSLk45d5ciRNaN9CU)DI#X7a)=nUUJy8a}Kxi_Y~jfW$mA_g$KNJf1A
zMH~Ys&lX!nBV8bWU~L!bG4?&nxy4uN0>2?O>@@ae@0F0J8+fM3WWiaZXjYH9|JH%C
zZZSl|*g>wurkcCt(%K5;B7}!s6&^fbXGU#Jv@AjveeHJ2s~O84JUf6a@dg7B!K2#7
z;?dxE4_QW50KJ`@<<8N){m}YbWqRd!nUCP6`5~uiJ^uT4XW&mQ>D2z-Y}y<eSD@Es
z9+zL|B<R!pI}t>;!LU@mZ&)-@Y)lGvFxnR)U5hmV5!y7Kc|fpBQ(>kOC$-~4lwRYs
zM-Z=<vSYIHhoWDBMqXZwP7tG(KpHo50Wx%G(3N-JNA0rFEhJo9l;EI_CK6^ofDV9~
zk=DvyZksi-(XPcvB>w9&9IGcE0-O}<v95-Q^--#<t0dY>iXEIEFAa~=<44RNQmmc2
z-b=pj%IZWsg@+1bKrZI=&ifZ_n{vy)Vnw9_tZ8p*OPxo)r-Ysgqw%@9v-)7i|4J>~
zsrR*G``{feDdhP$vz)0B@><Z!O*_F=doR7%Nr}BNJCpCKcY?ENLN&SII!u`dO`J@q
zI-g`8aN2X|%ob<SM<;J4D-#!a3JsU!B`Af!PM{6I$T5AdTTrztpP=CCMKkVQamG={
z@pAmQT;^zhY$iPtnwlf1w}jYEmTTX!?!bBt<>s(DXVFzl3wI0G4&|B<(mlWa9)2i=
z+ziZ!<E>yE&pgyNyr8LGW%@NYdGQT0UXg{i`koS;&p%%8`@=2d*$kE&)66Sn6(`;9
zZ^}3+b#hAJV4%3*;0;f!`{4;WpVJ~+h2i%%#bp(oHY8CV@F(6gXyyDFF7Wd#;_H}X
z+qtb_)H`YDFs+j#i|Hlv1gb!Pbx+wnt8XUE2P;uHAoD&fH?I5jE`gwL7%_u@B<&@$
zy17O4e9A{@zwnmpRQI^~Xm4tmGqovmV1fAsb?4lCVGGu<k?Bw2u0of5X=+}KEC@JW
zs>`nyfNz7|kOekf3B<IzHr@#sY556K#RlG-=6)@JSm)A|n3CIp*B)`TtpwbD#}jm!
z3mRmM?tBEIg?%6tosd(Lw<%-AqdCWtg_(Lb`HOCR!o%};;9tUZO2+bQO2y4Qe)ywZ
zZT^&!Gp|Px8%1+@6LW`=RmG9+S2+jA`&!8z(-iQ63<scYFL=_8OGQ_8q5<a>+d{dc
z%1$+>+t^3yv}Eb3i?G$|wz$APf+~^V;2vdY-3@eKX87WhG&^NP!K~ak1xmyze8y2l
z1z#JMjB_{*;@4S;R7CX{P2uCJ*}_!XJ>7B#^hT1jgf_}q)!mi7U0)%-P0D}g3}<fh
zt;$CLcMBu7VeY@fG%(?t3f#!6UU<fT_KE5+9xA6*NkPMjOdET&I=YK$Z%ii+j**jL
zutxTY1AakLvQY6>B3>YmV|??#%I0=I%XA{VjndBxLLG6`8%jEhD`dd9qO#dtx9(?)
z&X7avvgQ*19^>4LtA`y3_Oi>3qxNA8g<5ybf|e-z!i!Y^li$L%<egySTs{gGHh?n;
z-%79qa*FhBE#U%12B>1NtMi~R=Ycuy(;vx*9L;p$WHnKiJZO;6`aXGkkHwAaYI1Y+
ze&2pB<;8nH%81+R+gs;ibMhu329k2zkkG-d`lU2LEM8-)T#<!slnU6gr6Vp5C?;j~
ztsYNsFu<U$?iKGo<Og0t7?!AO-e;7w0w@Zw^PCg9b;WeimCCYyTA^=Pbk24nI0@~J
zXdK-F+OzM5hS15ecdfG>n6j&D3Jt;iJBB3MjY&H$32r>n2q%hda5^f4m5!-b-cj4*
zYX)WN=TAT;5-H#x{|*Z2)0hgpHMdvYWL;NKdcR@a^EOzh4A^u`DfPbKD-jiiKG+Zt
zyfz?gG)bP5@21bc=@|~wDIdvQ`H5V^p!r6gZg-{)8JxO1?YP+%<k>v(g=w*zgR2MB
zVhsp3=1A>@FUF^tKW92V@?G54#~l+#;e1naq{~U}UKbbKW{e2Fo&GAM{pZh^`CwT(
zx!K#%QRczC@Pfq-^uP|D)#-ch80ql$bW~i~SdtqL%yy!QxDA*faTAPR{^SD|BN(2A
zq^V@4&ff*dpfIKI`9gXn>{)^h4iE9#Xjysr^6!du=4BJhIuv9{{lXovNQl!lXsVK_
zZN;q@>8+CyySS==rk@D(G%ZL}pm|65ZTXPS=e64|G9infVVltaSsb(qDow5(jxoPe
z+X+D_;}au^fD<J>qT}9)+}S^v!ftTK-WDSim^6ORJ8c6N*cwK@(S+K)AC{yzblG&|
zh{ND7rETXY1$ui5<Ys?{4O;`nP46P}B7Jq7J$UAR$6tTVVXXs2h>`23!WsQcux#!$
z#`YF!cz2XA1;Z&TWYi*>D~DRxyMk0G@s595%;>?MF*WoQwcFzmbH6{18biB2`;Bl~
z?=$%xpBJZ&P2^u!y*J6b`En+F+eOO3!c3tiNPJU(a5566pogD-L|Q=3`iAnOW&AEY
zp{YClHM<^(yC5|gm5%NSZ|&d35n`G85x=(cq;hkVH&#iGA{#ulB^0)w(+26676cPd
zJl^k{e~!_}7rT|-_%)qI#!8WXqh!>plk{BBNPyYJ8mlj_T6MhR&Al;&e>mx)&w99c
zvK8Z4tm%1!UDOu2zoduuE<f}AluPK9LIN*$c{UYePBNGhIfZz09(v&)IQ+9!<CL(g
zB<<o+j*vFm)%?2|)osC?zTL_9ZE{)6pk$(Az0|k?dFO*+>Gw5stlr|NX>`2O=Zym$
z@D!yo=m>Z5|KY6nVSzhU!<&($+w}v#)+RGFfn|%k#td@kpyO#cy|S%*nVN%HZaJ1^
zW~4W2nm)Ik+81$}_sJ%TKeYMYB7DGjqHf>CEy^Y9C~VuJ%M#&5f${Cjbr?S@>mw(}
zg_J#s0AKwluj|T3^p{GleSZB<lB@q?h41_{MR0jSh{QiRwLW>m>1cktV1v2&dC(fg
zU%><dPumT{znI*Oe-4>jLHge;Jeay5{O13mmzbESuC9*r0~fAcu#J|ZI*02Zp-}Yy
zt`2h9GXp#53N1*LO33^5Nr;}NGo*djk@pOY27r5?i71||-Pptg8QQ54Gj-eB7F2(M
zCMgQcpqJ9pq5qOqzP)}~o0XL%3<SV=aRj1wXuUJBSpUc)R=oeJBXC}`P$IOGVVs@D
z!vigO41fKjrSYNtcM3#>o@46eUYpsnA#`Qg=o%_b$`hW%djy&JN7+8>2g((@mna#S
zIZrtvR!CYViS3P&oG8NxxN|rl;A7tFvP_e)H32eSM&u3T*pkr5aD2U@L7g-{(fo~W
z&sY4lG*>~hHqivU?l%${epl<nYPFV~V<&bUc;U@;>xH4<9?-0Y8h@M%Cc6$-tXIQ%
zc1(}Q*xflMuKbeFgnQM;Thmbv<+bp%`cLb1Su716-$1a1Vh)GU2*yT;0QE<G{9(f0
zp=owbF#>{=^M$jtz&AHA#HSbU{ca(dzf5K8Zg++JI5Q4L#OJvZY9e5r>*9UoWO0o4
ze7O`%-9*}8W+-j+%48_v#_C@CTdQopw%2)!_;|>+b5pa;@SIoy1vf0;PYku(^0w6v
zQo|5^No{$f54touj;22*_B62o#uyPdPDo6sdtb=~S*+gh9yeFG!Ot`DZ5Q53<yB`S
z<o2$(wK)h~N3?I2=YdTf!Cd$_uD4DbMT_S_`7fR{2v^wMy`E!t7rl~&djSJ8sBa@$
zIA{)WV>U$8j;oX#v5m?G>t&s-)$8mx`!41knye{+)mzKcCCd(LQM@HqH_Nmt)^l#@
zT{4E#hic7_`N8M6(}j;PyeWroUFoozhvS&P7aZhQRUjz4+xf0UT=y$y`iG<c62j$n
zXy`Yzf2SN>#r=JoK?`f0@uQvCM27wJVv=$>2)Zf#)v!+>K<MN9Ahp7?CNKGAryqxy
zb$jzHTenV!%Z{f%>9178<?VfSHLpryW$cw=l5B6DW}r8k<^W~kH=Asq+*ES5@1@I!
zOEnB_>lla@Jf}ykCFJ5Z1fNeXS?slj0<(&QgbLeDQ_Joq7av`Ye^5aaNOPpgg63*%
z4&U)nPZQ0+Z1ht1^h3Ls_?=0w5;!i8?hPUr7Mx%-LGH$f$Zwy;>*7jB=Dn5V##Vz5
zHl4Dtv_H}Bm6bn{Uk7Yfa8J1>l*A@A=7=CVHjULK%YVdz_F5l`eSUv`YT#}(SH8RC
zWwCoxqWY!KY2?%2r3!|L4SieIak)V3Eh=vypP<(Ck)Hj_$CFTX9zk6?$ZQ!F<qA_)
ziH{hwk@1`63uCAY=y5P{Xt(eocwGMl8QL<~|5a<s{HyhBA%BuoTc7)}rOAS6n+2^6
zIr`hlPpNP8q;(95Yw}YyxP-q%_J-eZ(>!?RMUYPw($+cF6byuZCsm;^&J_I#aX}AB
zy9U=DNkufp^jK4I8(i6i{gwUktZYC}pQE9oID8FV-1`Vkn4V7FokO)W5nq7#`^Yj(
zv4wPun^!}-U#)+28;Z=;=E?<5op1ipnhj)Vtp2*mtF$`>GCt-Vq-cz05|k1m3)g_8
zGu>Ws?}tUgNGt9-4atF*&a0#SXGTd%>$%hD6l=J+w2EQ*ux8D*wcEjDPD9$KX=bZq
z$CUP_A;z97kEJ}^iJ@KJ;=y45YxmjWzQAj&Sl3|cs|2kQzA0LjQnuv+t)Q9~Bm0>k
zRQb={*0qkEr(#l9pMhUnGN3QQh$k0~zAgEQ$lPA6drWpE&{oqY&S;4gOUxHakOK8f
zKv&)U3^q(2(5qRI!2O-1f^g^9S;)~~fJO}+vOJx7l@kB}s7jr;+e|uL^Ob(;TuZo5
z)IP+MSR+4OQq;bQeU{tX><XQ*K=V`Q_+aiwvQ;Lx#oo3)<5;j&@wGa~MAX3ZG9UGQ
zDd%wEm(TKX*OGGjL+AkWg^;leZXL`0&^|mKV&3|h?25gE1C}4ku~o}d(>T<+T~}Y*
z-_EN#?#QWqnfnoPqTMVm?W|}(E7_r5vXwSbuDC4=!=h3-;IBPiY4t+<a5P_GPjgDD
z<NjD>MDkp}h@!#|e9(2aaF>0`VzLek_&a~_G?V#BB83c_&f3aIDQlX~{{&wxMH!^I
zanef&OmLOLyKmKwoaX6jIFCmgF$3ya8^9$aRxQjpi0(wDIOe>b+Rx@c>LI{!Ap;B-
zYCE2^r&u7pJoCZrqfS{)n0HD$U`#&i3p23|=W_2F)UKOKEa1DdZ~D7Nm+A`-{O&JS
zz3;uV(PU6)E>~YH>wKIpF(L==4;d44EpL28Lma-jkTio2ou~xbuwz~|BPXZIDiUE|
z#SicYe=?3UzO=+Q=Y_EIXVRQf8VLvPt>yV-y~r#qD*9x`5D<>=Ws3iCvHF0-|Gh8>
z`0oDCFFnnSMPwhu7wxtF0;_*L&;M9KxDhU!C;a<AzeVriZc+BRMtC!|X}@HBH16*1
zl4asL$9||`_>g=G>DM=N;8Nq~fBe5GKC`pCVzH3hKRsFAFf^n9K0aoCe$bOA7%ox$
zPhIMi%Rdm~-wif^_W~{v{U1aooQP&k!j-1-X8(vte++kbZ&O;^J%v-qE|C4b-A5FT
z6#kYpegBnV;eWT#N__Yp;k^5kl%k@dq~w3|t@*sYz5lDqHPp<;hWL;V;anGIE6L^@
z2+#onkOO*#5mK2#`mJ3)rxc44$ph2j)2;pGKEy`@j*o<Za1<l_`5Df4xt_S*Okl+C
zyga-ADw>4{l2nS3t^L*Keg)#rkLlz7_2w_gK2bRD+I6>H>c;yE@DYvww@>~*U%~%-
zq0=u$R$a2XWZ^srzMeYj@ApmrOcaF(w%{Iwl4>X)-{g3Kfkl&hH8q9WjSq+E5Pr29
zZ}q~55n|<L4JKRE1CAzFSopq5i8r)1g3wZDyzaotV!CAMR}pccSo5<=jlt}Bj*zL=
zpC0*t?hYqQ@(~Z)VN<U5^EZXZcIw0rl5o|)N^AT7B2I!;RR|hLXT9PQZ(GZaxWwWy
zE&6;eaT)Uq(}P`9;s=eg7xV4atj$rq*a5#w=hmhoxlndR_pk=(^nqqJ0p&-?s?_CZ
zTRwy#QYN+8QMfDPEHy=Ky?2qDH7r0wM*|D^@oDjoI1sQ(`8&bm%glEtw56AMYxV~<
z4K^f?i{+5OGyB93r#@4o7wL~<HRWsWlMDD3G~B6P4GlwIH+an+$~STIPyGl&)<s4m
z4(=>mv^<Y{E8>b&^CMwR-nY&zEc;mtZAq=THbwE|ac_Fy&m=7J=+^EyAZbaRU0%02
zn@^iWe74f6RjBvl#W~&=W+ISNw;Dbm;<3D@+<VC_#B#lkboP3V0x`%BP7rH6Kz{)m
z$E9A)FYRDsP!ugd6{7tI;=+uG85_;W&r(_Wy@W-gVJ?%CAXT2Jk?qKn&vcF|Im+9y
zS~c}z1UweAKSSbu($3o9Ni0@$036VuM&@l<#EZU7#^X>F0PB8OBgl3;Fp_YeXrG$o
z1SR-{(5$L3uW;oZe)8Q67<NaZx?abU^CBHBy=%2=E6`q(x43ETrdYvpJ)v<n?mJ8M
zp&RQLT{g8&G$3%w-1!%e{n=+<AA<UfKxD#Tj^iL?+dF7aamMW?dIi?C%aJt=Z@w8Y
z(s|POa}(@pFoAYyjwciZJzr{^6*Xz7%cn)E)aG)&GcKtCSTy!aY?r82<gPQsG7^#{
zqk61wEM-jRl+2W?ZCcTARqlh;uY2%fa^6@p=kuM+F2=_#NhKWA+Z)<kLY_YsW-Y?*
z@3~hJibiG5>J&H8o&n0jAj)<dKL;f#UC!lsw7&=yPVPkx$=#q}$=tmE7(h4gZHsHc
z^RN|G&=|IR<-1_hrqWbp_WJSWR4WihbPC!J$P?`B@qQk;%oo3KfxVw42$B7XO$#4}
zjF%=l?_I6?Z<&^|(*+^r;WW!<Jj#nVAA+~>ZU`c}^_WsP9j_uE9g>!V-j>D^&bge+
z<=Kz4JgNL)h?G!q=rko`Sw2ca8Od|tS*V1ENEWxMu^}<?E=_BqOv6Jx!|EXix@VBp
z6yfbjlmkZ*+50dzW2Y^HCd<KQ8?GJI6P#T~4!oks-e7H2m=ezJr6pIc3*b<v!h7q-
z;v?3S7qM}(9oKgIcUoiYAir;B&HW)LsHpN5n?WBYP0o$cZVO@`G>kQUe0sDU*4jyh
zRR$T(lo{OhE)?}5x6-GpF{RZ$HoFhyE|lK7=v{hyoDN%o?o|m#2l<Oe89g^+YD<>)
z_Si#kJTks$vDqDw{s>+KWK{`xeer4<YK5h-E4D=XfWd57DNM3n*3gV+Xuz}gzt905
z7b6yk#h=0D91nJv+0!N|&3!|vnD{`FNS?&X(v#3~q;cRQ0x%u2J&|)bTG3@u;=-=y
z@`fl#<FY`k&d2mDgQX$(oC48l1KmTo_~tU?+FPZs{>GqjUSb{l^(`!E&Omxov|QGF
zpJ0QR?X(UPo)uU8lig7Xu~z08HflhwF`}pQO?J$;Q1o|Hy(Qc_gM8(8DiSu&B50_O
zHt@6J1|$Wa_c$Ped(`bb<8IcZ5ka0C<yFJ<zm}Cv4!J>bI~5$$%0+kMbGB2SaUB)k
zUv$A1Op=;hZ$sNe(z^&Xth1Y|-F$03tONPI)yIBr24|n#zFX12RearrQ@y)}sc}*g
znZEHn{X~a8#Zg<!T0chyP}-G#Ab34}RG%4@fjM<_cDZj-J{j=MMT_ixD#UW~Y)Mho
zkk3WQD)D}-+V(BL!sX?#Ry}K%&KC@{i`=`4$RuTjP*O<Kikvfi*Z6QH3fv6S=Kg?#
zCCgU2w!kM!M*NvhXoHt~vu>7&L?3uMaE(rVTb~dbwH^!y)jq`N*lGNFMeZ!Ggf8e%
z0RH#ZuqGz}(J_+hdXUQpZ+da}^%mcnw1|CsJ~}IMpgy4pG-R{n=%LwzLnvXGfYS;n
zKGEf6VR9l~ciGaUz3Q*J-s?wcGo)Gr54+(Q+fWI=>#j2fnlo_KHiNZJx*HLl8$St`
zJivhH^83?>%Z%lWGqtdmC4P!h;bV~MY}wFqp$T@Ohli+fyzYv2)7z3GZ$0K91Ney#
z-8KSbXRrFFjfXk}N{;;+Q$XkCp0njR$45~n^!<GHsrou|b+@v#MC2AG=6c8MTs=<0
zjV|*)E()fPJ}WuS%Y4TzSn{M+mx@w3xK`}Ku>Y+2ysWkYc)tMs4=n&znW|J6giaE^
z4c}F5a+^BK%;UxGsXZ}bq&rki?oNEjtGJO?ai(Li-w7ukryY-#K322nn6u&5bQwPI
zayp#jx14u6h)f^{mg}e-e*>W>pHAH#TS^-a8yA$!iKCuDv)&RqAQ$fT8AZV+cI|z;
zBQ1{u**ccc^a-7vOW&gc67XLrR3FS%P?N5>A3cnVC>S<0nytE?JziMcPXCYu6Ho;9
zyK{QX6HgU;T^xRBW-S+b*1S;dkiajFZS7?OeQv`XL%^j@c(-72-26EAv$qENA&tG<
z3(*#ge_kB-QvX?*G9ti&$8DuTg9KOO^1uyFE7s7aeJ&;%WN_@TTB`6Eo_g6Td=Vkp
zh$gbnKY8t9piFmk^$t}^+*|MZAZ$jrN!|J~6_4<XVF{mmZV!(`r-ny$i53+*?BGyO
zm1lC~5zO-rS^moaBeqi^xxulrR>NQ#Pe1W0e4Du<`lPj`E8~T6F3V4-DjCNziUp&f
zzVXb!8b-zGw|36_;nN-6^c>h5oj`Iol{6^G6VZ>2Iy-30{i@^PD70p}^9n720do;U
zG>cp+;!RfoeOLrX>{Mm7Hg6HO5WRFf5FnOKW@yZpwWnDJOiMt;T%!fJE)>`({^dUS
z;pfJFKp9taO3*z$i`V{OHdB)J_`^8+PJvVA<J*KPTX&NcT{Y~wBP6B%ilxQ-sh>d{
z{M^wX1J@6R^92s!%c*rdYSfok`6Q2WK_Bhh6yOSbkBpU`m>}HUh{pc%_lRz?$w_6#
z^IMxVG{Z}vIiZfFyR}HCwGsv3=5sr-0Y=J->3%7~d%cUmYB(6%4b}9spB=+R3n!=k
zEb^73`Lm59s>Ng)ecrxxzak<SOz~*nG^PPez^S0qyIX`G33{(>e5kBUz)Wv6nLSwG
zy{qMP=QB3~a(uqVe!Ni6W8U!PlXutiSIh1ms^KljUBjM2nl9O5%Mykh(J4%htS0rU
zdKWqkbX__?+!9S3>;*OTLQm`dH0__r5pT#y!bNT&16@Z6m{Ymb6Nr@L?_FI3*t{aV
z7V_P#cQKxoIc2F3M#VnRC@=sJg*u)18(4Nq-{tDnwzn<uHCf&7IoTNNoJ#hBJK~<A
z>G|2=+a0uDKBn>frv^1#J)T<^Y$o;WFXz?v94vq<QNi$|D_vib$Xcn=e|EmPFA_ai
zk1i88GizE`h4jjVNrKcJ@(Q9C4s3t<k(~_%ioJXmPW}>A{#XYUT03p)hxM-aZgZ67
zAbqgRK0Wo;s#}ZOjURXnBBen+>Ghafz+HbObe7wR+}-SOlmuZlD$N=8$R8(G*{95D
z%)(IIZ&860X<V8VI`vk&LU6cHgB-3M%Q&BjC)x<2lVmoSgn;(0GC&G92f^Gl=S96N
zMeNv%LtbuP)+W>sq$xU=$k7E$oMMG)IZH8KwWenjF*%XzO2b9<Zc2?7l1-8X1iX_;
zg{-cKHz${IQInQN)W3&Mq|}=37l-(7P3UgUVjSY6GvDlL`8R50ajLoQ#>QM3*3_Bq
zxu9qvo`!_PP>W99>M+=y-Wv}cBsY~N5_sA)`wmxBWcTk4OEfWYihXgWy-4)0_qvR9
zvUhiVBpbOIK4{FD&5UC<2IsB2;g&sKdCS(k<E8Vm*s(a#14wCJUN#vSP7*KIz$4qr
zr`!4AZ|THfMV}AgO1tT(U}8wTulb{M>aKgrFKiPs9q^8h?i5S$garaWaAbP%od(PI
zsTt*{Z>cAcxHPm<I79c~X!`-blv@$)Bgyp|hcn%glgYF?4FzO&3D;5GMk%qOz3t|F
zeq5XN>X7suwgr#JO?JC8G*tRJMWdX<8tiGNk?Es~IM45n)X;c+NntT<%pKvg3=30$
z6IN=X(?353wtu}leO}E4OCS6?i?8BhZL?4&{<uF~O&&s7zQ@O7y8yTy+ZrOy*SAUK
zo8Pe|^m4cu9cuHKZmhH2j};Q#RfAS$#)k=ic@6|(i#KF>K2&}?E>0XRz;<5eFNvqj
zPrrLb_G|d++K|h(b4PV0k1RsBtDMb-krW7A@3oqnw-3_&_5M!JI8CpDON?OTQF%d+
z2i7^bqQejmq&T~KrpuL-qP6w7u*G5U{AD4ZN4s`lpa79LMzFFKJcpG~(YCYZwQ)l{
zxZzc?i0ES!e9^3jWty!fPIJh{j4Y-Xatu2+8#X$P?-7odEMM+-!}3E}R4g@E%PLa&
zwoCWHh@6c50xyZoua5Ner0e^g&cwcf<9j^L7Q}jI_c;zRzH`ElQGlCq%4wHtzG@}m
zxUdaRt8$mSu@g!z<+_&jbeFGUZ3bucQ2{Z7a9&3fS~bMl(GmQG?)MZ|RHF+3@-UN{
zf;hZb8ubN;<x&kmt@>D7mAhhrF4<ANG~#7dIbMtVRzlh3AbE6XE|i@3h|@K@SVuAS
z5(tC?e+os~`O)@1e8D2N7qTx&`m2d~{)6y2@-$vq#FV(6sB5j3G%2n^i@1+fUS^{O
z5adK^@_RS54U}(5<_s?r@;itu_oDmiH$@gdG)|aOPHEb09W0*a_aO9UBylIrxRgTm
zLKf%Iy3orwWQc~EaGUnBHjX6aeruLB7o4QVC<YN<kKLBgBLm(XV46&J_lLaK$1k~S
zT;SqUpr&lys7?6358}5lB?o$}PfAV}2^lsP@+GH$E*K==k7uDZ_S=Z~%s7bK$4k4Y
z0nOPk2p`X^Z4U-~zH)yNa)bs$-DxeF3;OxBDBr7GJo0Kb3F^4>z=H9MI;xe^IOjKt
zk|!x;(fid2$u5y&k$b!$2Ln#irIai|Rfz+S{2nl3>`AZV+lTen#y)|5f`}WUC#yp4
zfKWbWBGc<pjpQlPUtS-R{4J3)Az?L(5eLB%0+puc;O>svP%<3&vBx>0Gex=;l5NEY
z_}@RcAVO#}--_O}e6;0o_7u~7CxvVBxdrd{5<i0QtBmVT=B89oZ(>!`^04~%Vvglw
zmm)m?ZvA;+exhvC=}8Ut^_72@$gLLF1w=9fm=RX}Xq2|#G{d%K<!bw<IfP3c&)daK
z9bbjdIVer<#;1R0QxUG{|FfSusOD_d(80ep|Do?1#&=f%4$(HZx`iG-Xd7Fu$}seg
z5X;^*9He|WY-hgN4u7}@)jcNy*9LD#zyqC!1wz*;fe*BF+@Le%PHvAhHwUSP7erE?
z<+drkI>w34>lLPp75to+#+^_%20-(#Kn3~_y_WFIa%z!@=enodj0e?^j%h}F+77KX
z-e>0l9JIk{ZWdAvC?9w)&+EzgfPeCm9v}LWx-YjHIVqNY<Yp!#HdmQ`T^mn2EKxZC
zZ51&c{|X#OrlSDWouWjr5RyO0Q;P#iRCt=Fn<_q?`u%L@Y2HVMhGr6P-{lpS+eW>_
z!Qv;lKsgSY*L<|u;(^v+@|P^sxvAa}fgeY^Do2vupR?S5<~ZDrK}1@@MQ;XQ5%VTt
z*<0*K6;~=xf_Ny1<FM}Z?EC%rX_hW^j2omcIPQ14#UC}DbUh~HuY^5sMUxc%OMCAb
z)<oO&{p#hVUW$l-bOA*H>C&aE1duKwoq+UC=)Ks000Ppb3rG#2Lx51FcL}{E(n3uj
zbV7i4yzcwnd%w@#&+*>R-tTejFVB2QW-^(~d1lU8=ls@xttGF}5j;(_VSyd5J`53U
z7b2JgI-n7GiDAo@z0F`WVp^2ra^zC*{?c|>M9(dM{x5P_=c_299C@Tq7_Vu@(b9$A
z-t=7SD$@-f;EF|I@n$EA9*SrSMC08~PVUuiJGruenw_z)$05=reKdv<!U#4@AnB8o
z5>Lglc25;OUZBL!X3hf&%HDcZpZCMItLwWuPMI#0P%&A9Pl(WC>1zI?Q@M+i_wX87
zjDEE=@p+3T2t?AewxL&zAsrPoc~VxuSZ~K-Bub+yK1cXyUWD0I?`5Q3KpfS8yn0}X
z3ijpj3zKSW3+cG~!go3A$caeT@(yZ6q2S{^WHQOix0a6++Osl<i$BT@K1udAnLFPT
zB#;>-W*i|9{$hY_I%XR{`W<W-PhK*foSSR(AvkTfURHA_<j8PvSeL?p2_;!>-^t$*
z;ds@5xH|2D94o*#ztR5RRtqB)a|u3O*oK?G(7y<u?L<=RO99p<Ky~ux1{FR1QxT7D
z0p9C)h`jv6_wR}S=Vz5J3ojHH+$FCwC|q`KU;6!y#>!*i$25lj=A~8{=#lUXPidB6
z&MadVdKW+G%=*%+uehQVsp$(%>z;f9&hA|q!$06%&D)^Aac9jx!00Qoe{TLSt?p#T
zn_Rzk4g3A?=pAqVCr@^G@UDQfMXzO%|98{hDh~V&ng1WU0QmIMf8Ig=)2C>6@Ff@F
zm~Quz-Ie$6-;a!p0PQ+@2xJ*(ZEgMX<xZ5M@MI0(3&Es#A8d@*mtL+LS|R`u^8UWQ
zb|Q=d0%i65*N<`u1lO4Ez2p{>)jBE<1X!wO^MUOT4aUs@)BXMZ!^1HyAL@k&%*T4c
z2YSf@rkR_D0KVS-qWO*g%9SgmE=K!rBevIo#x?-HSiICSbz%S7+T(|uudWCP2<Se$
zd}(L=A>g3Dbm@QHl}{e#m1(AIGP-mVhca<#n~VUvrF))u(&6<~=1|fdn{VzgY&^NY
zKF2&B7D=IpXjpByGw@OZDatQYfc8|9LZ%*CWAE9YN?-2O$)dKK@jI*%8PUsNNU1)m
zIzsEziV49hPpeqYeIJuEC8dao2iBtGy4zH|ai!^l2ftg64=f(wq`n241Ts}xm5CWU
zmiRd@EkxIsu8!6X>*&7Gc@w9J4-7nzLZoX*Ry!nmxqU=ci{hiHK5jZ%8LUi8^*^g3
zdpYB~^)vJ(u3+0Y1EmA@sy16ZmuADYRx~+$l+(NssBTqnm)`>{R<0>&F+q6khH#YE
zeXiYW{cds=g(=^_HMm#U5b$jAwsba-gi1}|J}2j@`##{mXnw*y#A((`8`=5#m2so2
z+IK`nl_@A8^XSmvwYi0b1@)*nv$IzubYGkmosjvo!pVY=5=5D2VXER-;=2?bwO#=%
z>uG(Q^76s%C;0>6U}3U8&f5rPjhHC)>brChweYAYbv1#fX4;^Rc|(IQcF{m!T9kUl
zmVcQNC8d@lXN228e7ByLnkt*jcuGvOhZcyxdDqswt)(f2g^4N6WG-8chC0o_F0H0m
zSex^U`Lqp=juPQ%;pph7;(DF>Gxi-y_wdIl%nQrkl0;#wp2&H+vNY4DN&dJrsV_OE
z`NB6ivW(n>riFX4bTRxfcw8VkV@nqVs-}c3>RrXm6U3{>z3#8}=EiCJ*1}-8{p^~v
zFgLM)8|{Mqw?#a`?#;aCRdl>;IZ*@C4I5k8^4`+sHNJb;*#Lm+VIv~;!n;RCfyE5&
zyhU>(G8`3-(rO@_AcnbkP?e)O_o8Uhy!7Ys!U9gkwjLz|vrYbIDoXC-*j3DC*3+Q!
z8XMO`eB*d1x(lV=36I!+BZsJ{u9*B<D=RhaQ<3ell)q7AXOZbXh#&VI&gVPa7u(`;
z_TYhsW%=hVnEM>!>9W9ltLUKf`VAIW@fOQz?b#xAA89FxE%SCBrbwf*`I`(>UXGe#
zQ0N2S)8>M>a|f(>ELwQ*b}X8x7}m3>=03%%qvMP=9$9<BVI#+qo9=&Fzgp}MqOO(n
z^>o|4IlqduIGuSt!!52!a+Bk-*&a*J#1oq&l>6BpK2&#b?@!GS!eI1T#D)2Vgir~!
zdAmPqo?p__o(`?~dk;G!K+4#dtuw>|_v|!Sys}J0>lCna%`QtC0J-F513jFUXDUmJ
z1W;^~NuFFz*8#+_&}i%<;cI|h#sysTUXf6ajg9S}z?zVWmsTlp!eaX83})d_D5`qe
za;DtdCg0A$+7nZA0#=ztGbu4}<QIVD&Wd)CJi<$vL8e4l<`cNg&wRBkjA*-+*32OX
zU%&LLS_!`1YDWWOEIO3wN+N8%CU@T9h^5DX<$ex%G^Sjbvl3aGrwK|Z-GHaKQiCDQ
zUWzK-2NNQrV>f*BXVyzGY4IYinf}{;*zsF>MVqZPk@#Xvxub#eM^#I6vDum2dA7^2
z%B6xc=D^hB<Kw!zx^TJf&Q2gd3&tuOFkq_Livg&UzW5kf;#&N$j%Qy)W4o_vjf%~9
zxJfL{)$5TrYw5l-bc_b%=n!uCfkYUi%&ZP06M-~!fnti{)2)34Vk_T`A~K^W8LD-?
zy(W^gs11x=%5AmVnm-Qn(@N+WK+@*CJBc6C_tT|S6QEOu%!>>jk+vd?86%BnJr%i1
z-f86ciCyCJkrH$hM5*oY!#E>@V>-P(CFMwH_oI#hy4VvQssU9`MR%fkY-G)#Os(*Q
zNo;2dc4xY{c;l`CX{>qv>ebmSLtZyL$f3o{Zm4-N@G95B2c!B_FXt)$2Sp`CaCngF
zGh7nicwkO7^HllD@)aq~TF(slfNSE4a}ka@wt2?Mh}){YBENPt43*H_E47O6n<EcP
zNZ+V(QV&zx-ky6sE!uQ~ALT3U86V})JILUN{4AaSiX><|2i5c=GNkL>Q+THhgPSEe
zUjR3lafCg@X?B_#$;Rk~OMP4vG#h$_wSZY>c6_4TdwQKu;yTCnE>NEagfEc^6cP3@
zj6`Z^e&$b?NjiHc{dW2u>wT5k_j65jaeYIzHRIb6PwSmjJrSVgH!T-_>3>>XG^{Mw
zZZ64IfoUlT9^k*wuLB$M^2GGGFkVaF<S{4wnwE3B?>4O*VSz0|eEJFbO%hT@YGJ7}
zGpT)X{9E(oHEp7<GKh>@Xs<;_BixYASv>P&@O3e1FmricGaPO<d8Njv^dLY9NKi&;
z=lXoUVE8D!Zm2nMV#%&pa+7M^L1Ox>b*Anu<qfD>giB5J+{w$~8bRu7fDGyt1<h)F
zdAD~9kd0xs$^zS8k5Y$tJZACU{sv8-jb~&!%^-(JfuwK8h?yNl#+3aOYpy&A9~(>0
z+0~6X?0SA(-DfHw_IY>Kych!7MQ?qFQjoq~p~K7_<AN+2w*_@9X+6SDf83<LwaT68
zzdJI<nd#rY@za(jto`Al-4v;5YHHibc?Vj@{IQA#qBdmAi!yMinJ~E<-Y1B;E9zXL
z!k;8d$e7xeCiE##x=Kk4*Fcq3j82sGNZ7gKw{S5b_wD!K6bdL{;QY-_lAL-e4R7dY
zRtXFL+8-GWT$D7L{tiZZ$_JE--FL%<*4?M1T$lCTKYLdVm*~Gz-3Ak126?F8B3Bc|
zcxP*VV6Bt&LwOU|PG{-{bSMeagueCNe565mc4WT+6T>%h{mi5$m4>ti8rLRM^f&d{
zdNZAOwh!YFj**)%8A-}lA~0SF7~6*{*0x>a<=(2EtzDH)gv)F*D@OL1GBhpgw{gYN
zz<~PwjEn;biz;JUO3HBKw7W$#BZ?iJGQT8)&1MX^7GHy^5z+HpHaresf)t|Tx<gGH
z!N{vrM<XfAQ~79pV~@hpdC-{U8@WlMok3p8T0<rAN8B7dCDzcXV}@M$vJGt3x!G+M
z(P?TLh<bAN$hui&rl-2@T`iHnb6hu2jO~>0t7_aS0yX}V=1a8~o8~p?JG_D5QmIT@
z3BgZ4egPJ$cu{8Z>cG$)3k~HF<vta=p#3}zhpMHbM6*4GYq`57v$7J3IU@|66TE_&
z%+uAcEvlLcbD1-GUT-+hCCv<lS(LWF^#sg|dnjhSgh0yV9~s}PWdSY?o0R7(wVn;R
zl@#Y*S=p;<ozbf>Zm)#YU?;%Ra9E!%G(L`kLKQ8Z3`t(*nM<!fPSi_PRaJPzE&RZE
zIW#SQQ-{HW?W5WB^&@sBj$y9PX7RJG2S@c+lGNd)f0<;&bLEHx&K1<ta#y$YUlHL%
z5)<lTz?r|kr_q`}4g~YB2cL$oKs22UP^(n+V)ogOBXqq3kMJ|Od=1~>u<9IeV!g_=
zA$r*`Ls}bJ#|QV?W%^cz)cj*YBk}G|>lMSvZhi$Irl73MYc^>H>QrOIaa}P1AAj9M
z)~^AsITEp3Vau9z_G<ET@=DUY^Q{iU8$Tl+Bk<Ub3;i2U)W=K7qyPFc%8E?*#h?7A
zK#OmE<fcV3V6!B4SBl8<&(n;Iy}lKRxf8k19i#@l5|eC7<G`H5nK*|V8a(~$QW-|m
z9%6M0Ox|yIQML-!B_uI=iOZLsIlW2O%wNMgSeh3C{UlRTTU^z+_(|%4v7ez-jl^lC
z6GZyrwT=F6l`pJ@g_1HuQP}sbJ3%!}iabMSkS+DAh(&^+RPlb|&?2*fj37$iQ_E68
zqf*P7rKDU3=i97RB?<AbG&Aq4(8!JK)yTx?V@Qg=fnJ~6%pCB7Se%h0Ttog#PiN$K
z-pYb6t@|<PS^Z;ef@R;JPKb@7PJ)+iixym2Ohwb7fHTlrOJ8XvQ+$XaZtv@&C+yv~
zw^2YB2)T-HY}nh!ufYCb`RlMcK$<}~p;;`M^Qn+NjQpp4f~=L>r1H$Ko=bz3bMZAy
zY}SsZuu<;Gu<-_ap5e$-QhdLry$DN;5~xq}h`k_OmnUK~KWQ7}0xGYYA>IxD83ElT
zbgQ&pxontnmehcB>z~Ni5g5~u8B(>A`hvuHpe{;e8zl9O4<uk-^ZAGrfyjV9HP|n!
z*i`v#M7<d3Pc_e!q|wTi<&kgKt4qlO<2m8`p2$bX?=Qi{^kG`g3{`*qb@OKj&aXuX
zS6Y=m;FkzOay!*;zOt&%QJ<|0sISybGcsZR#*2{_%~RL9J0k0%7tH<{sKonCj5`w}
zszB|WE`XYyn<)dQcrSN$TU5g#dI?FoqE9`{7;g**;A*z$E1GvndjbYlol62N1L+NU
z6lC6G$-1JFw*)sS=-4+NNw3ySPH@soI`DAYJB5BaC<9{-tR?rF+kIi=gL%VpEvrsS
zZ*~tSca!Wr!;vvt8j*2b#V8bN!#ZZjWl2!bcN4hzcM^B0n<Ai}(%f@E&e5ERH&)e+
zhcm=KKf-Hss;hId^(=luef*d<m^L<t>$f+=+m3GF+*A#pjrJ$nfO9-1w+E+p3?qR#
zubL6cYwcMef~~Z6BN+x(mQZe^x|dwrSaxWuodvBM%5+TeaeL7*lfD90q8Rt)VN)?R
z3Opm%TtO*zD80mlgd6$f!5em8ygIyaw6&KEBzkCTpJhK9JXO*>Qr@YwdLFo~$;$wN
z!DWJRYnR}4GYvMuRTj_Et!iFNX$6|Lzn8c9IO>)(>?aTRNL<0=4E=vS!yfRiY`EKf
z&{Mb;xt{^&mGf_Mfp;Acx&ud*D6H#wvpDVt?S(?)k+nLt^`M02{60GFQ(ddBs}6cA
z->-@^8BdHAKsUEWk~Qro4Rx=+1fgbr?Iluc>fjxUo%Yl`GU91n4}WHd$|``?WsNXD
z1L-gWRVI1w>IQo7!BTt<@oXTbl%z)m7<|Nlv1sCZqG1F3qH|UN;8`70NL=FVQs<PN
z^T6@o`q(zZ6yi-k6>L3?t6U0g@(jPKq;XdbBjo$=Zf4+4kJ<b_#Rn>JX4wj5=O<0V
zV3m_FuK3{Sio1G7&fIE9k)}eSrkB?FM)m7ZPs7dB6G_VOK9fNCn+>_e14^<amn4%r
zcP@U6fQ=AN`UjOpRgdiCr?Us%#{P0rqTre}(QhKzjqn;E^R}K@mqS6z_x$Slyj4*`
zPA<#EHTmqRF$y3yv4q3}r`Z~>lTnrtKIOjYdhQeAK7Tk=HFC<oG7lmTDo5!WoDnML
z=Ef=GS+AGPr=PS^D`|S!U>&8t#3P;H>#tloimU6aQb*&Z9ytXxI`&^ARxh-!3(XIP
zXl}&@{93DZniVVYYvX&Kzm**0Y$Uq56OPjL+HWklAdM0(#3~*<KAkM^cABmc^IqNP
z$#~vB;oM`KCo#JXn9s{FF)Z)!e5ItjLm+OZ=vsBZO#^Qh<K60hgboYY)WM6PVzBdw
z^jno#-FhBjebAz}PII~YY|`<{S&q>m#)~=7*Yh2e7xTIn;ol!xr{d&dIX6=mP9VeW
zIw_gz*5XtQ&nuKX`p;*Rnh3CM>8Arei6GF2B@|np06*Vr9=3kr_z%T~C^hY1-}&tp
z3|$JtQN0NXkUn8&8ew{6L!RWOPxCA=xth&5s4otoL}k;gOhO%G74Zh<Rv)H6YCKMB
z=X%avv|;jdZtfnyn+n+XbyiDcQs02nm?R3Ue&HWGT}O!-Px)1D;ghcq+P{5!pMwKS
z<^WXgo_p{AHfXY`XWl@^&|ia=a~mx~so_F#V`vV^{%tozU?J+$G3qfmQD98barWeD
zD4_m-!r7d(#90?s^p*tV(;u()Hp0!w3j_=$r!Mg<+D|p$0*2nt>6ki7o00wm2o(ze
z!E)jP{`d<BTzFUCO8PsH06<0W8-RzF&oME>o;2@(m(%0p0Z$-%&YX7-=c{CZ1ce{n
z|HHk1iST6n&OeVrMMWh91Sd#K4?Mn!?d$OVWqQ7w{N>9R03QLd61O*(vL#t!R(DtW
z0m74;o9hlH!z%&%1B~gxg9kuT?^1`$mwq+N|C8eV??74qfdr!6QJcV-r|<vvQT`gb
zdhJ?Jr_9iA&Zt-B5~KSsEx;W6Z?H4~{Rdtg`|!5}@fqJgWSjrB)gS()WS5+=1Rvt*
zDS+-26&0}!K-2=B0m!TgwEOw<=l^K8EYer6%p_xz@!ci>6hp}9{s5LMSI$TzY{R|Z
z`?t5Z1HHzd?9dy>4!S#s{QW0nX0lM;prFXwd;y>{PJ$d4-m^sReZ#F=xBk3#ZRqbm
z3kDqIH!=jsXVt^3XJFt2zD``d)M|rWUG4ruV{Y`{YSf}bqGke?89O!A@xfYQZrcFB
zLZcM3*anV(2aZ<xz9S(xcW_s-<M&=F$zkKA^i4@?k=Mx^u;I#R=v4pGD#M<UqGd;F
z-jO=|bYK|DP$aA=2Fy#JDE!Y54lI^!bTWp=A@}0QvuZ-mv3>2GVVYA3Oo+@L03i+X
zBGiN69(M~my1EQYoL#e~pTgHV?)FD-=pq0TVEl!i$pJl5{8zK>P=4i^m3qARzL!Jq
z`EC*tIqQUh2pOi9vM!bMKj})IZf>O-?=^A0J^0Fw3K+*nqB_|48=>Qyd%L@pdQALc
zx-tlYOZPl8bLQ8~l+4OEM+{PW_a-7DiX%2|4})3g4}45a(8TJ*zItM^7{2^4xa-{2
zCSBcXR<*>7l9HifGQm;6p+3zYADdLU8~ZsRetYbi|NMFW8tK*&opJugRCMyxz)2B+
znt#jntp5%EmPwygu0v<Z(bd(J4^(+&N|!z+l1jrDA`?F3L~(_utjGx0+>gM4M#j3L
z!iM)f?#dA@6XiieG8at=i_u8><0mCO1GV~MG|apal!R(Se~9#i(>y&BlfSpRISLA&
zqhghWprxC7UprGX*l~T14#LKuDgsj=qy=x@5!h{T!jbr=b!~_AhkPd^*+nPy*tJ&}
z-{!8dGinQ7+-dG=N@+~=XOYCQV?(#HZfYZSW&eO6`$8ymv_VdE#=8=E7#n_$4KXay
zpsYyjJlznEo>j2?p2yq&Jxkn4sUk5YAeZmNfS`ER=$lPA5moPYA5?7GZv1&nl0-s#
zprSluUlX%vAY-RPqe?c3H5j3-B}cCQh>77e@nLbv+~o<a2gn+i9BI?sdY2q6o2co@
z-}~cWnsE1sr|=N$&+uzE$(9cCg-*xXa8_1BV<aEb`s|=wi56?2jp^vsuCSpralnx*
znfra+D^{~&a#`ch?TpvDjzienBMLsSwaH|<>zUOCMBB(_{F}hf+}~nUm7I>9TSDsj
z=(L29Mf5dTC7XmWc38OjTQx0YPTOCDie*?sSTdDIY+K^uY<`#nU@pJ|{PxhTNwn`s
z-&+VoGX`FB4hn->TfLZy>bC!(%UPzOVUmrE<PcmpKYcktI9xz?y}(4w%`p~~*#-Nb
z!YKMt$wM(BPJShgXIn{~RNmE-2FclU06$Z&J>I1~?Rf?cb@EpX8ihgyVI+hVLv}p5
zB%FQX=UmB}gG@E6Kve-Y?SRdkr~f4%W3Lk<Jzj<dGC0WXKxeA0bwYbaAXR!9sRx-M
z>%a5zyiqi~DZD$Y?QktLY&e<TLCjKp=uF$Oc8v`-IDHyD?X^}hwtKwmRj?P3onUa2
z(<VO3*wM|<-f<`vz3a0%%Ag?5ao0bpljPyAsJ^}PZrq$_;Blj1_EcZx>;3>TqidzN
z5qCq9Y`$xtr+Mh$hhs}PoM@4s4cNI$PO=J(W3HVvNEh8Ut@qk_som?^n+mnkaB#K{
z^0x<$wsXREMkpz9Lqg%a?XPXPx0zYawS5Eng$+(2;&!D?G7W`RKEDDC_QwnceAKPC
z)(n~04Nmy5l}jfhRbIf*#M1%Jkk&0pQ{UYYJ&yA_wrv;mYdFf#Ge^%-p{*^)0}Mme
zE#R=!@C=?!e+AlA=DB3*(y!NB5EVgPU06;!)@izja0M<z^)J-;gcK;g+#eGS0uSHx
zEz<3}VqyN-(C(f{$5-koZ($|J^7DF54xT5ESm!dR9ti~&f{-FMrUaV?#xHqA^+k$J
zF9UQZ+GqP`aBNvZGF*}m$Jclk9r$?-!AYhQLR74f&*Dr4vbB?mA`E-|rGYYn)0;kx
zWzZ>m6~=vosCtg3vhUbcM)mHrEnol>PW#<+2aAfDHMEr@+24Qy)D`%=Oq<Yppe!>%
zryi%unB~w2s37_tj)yAMUeGRBG%n3-pC(*m@Chvoq(U{I5NexSHIU6lm8$ioZojRP
zarT_#kT(lwzmSaEb<UO;(|f^plAm+d?PT8Ib>s}=a(F_Ui2!XX>?fUtuu~)@B39`l
zdOnPic;iR(EWa0(I6um3d<<kfeIzPpL5OWA+H>SC8eKJ1Z)Ouhy?(tUlB{{Ctt<O_
zm4~g%7&f0XxvB7IoT}xQPrv#{=25%BkP~X9?O{wyNn=-S%M-s)2lI--u@R6Ajy>te
z;pZhB?b6o#?}*LNh&|=0CFGvD$j4Q*tns*U!+O*wQ=_@2k8Ezvn)X|ny@B^G{9CcK
zBlJ=6WDBBf!e#U$0QnM@C(FFR;Ti4<(vve%-q7TdOlM>3%i#B}x64W5;DC60eJv=+
zCM6Py%>KF;SeHH<@E;$ikBJeVpIU)Bjz+y{DMy&1nl;k)x~@2Svhxu_inKp+{chSr
z22W}P?$E2ixb)=?>?_fuXr7CTyP0qjk}t1`C==)x(qOTMaq;pNIaI_P_w^_cM2B9%
zbpy&gOFqv@(o!-q7uO)BluDCVtEUy#eIB`>$3pLnR_`ip;k@8zdOw^?(}Z&sW~y}5
zne|4LINC2H-4ht>B&ww`6TSWXpS?{lwB7lraYje0bj*;{rv*GJeSA>^9k!{`k+$^*
zsRL6ZP^jCAUQ7uwkvFi2G*b>tVCq_mo@UXT4{&iwDjRSO#x#%FIeAIf2st+QynTaq
zn6=<=CW<z=6itNhOU|*xYGw)Njm*z{ATUJ}Puzx_+<idR07%&tR#Ef94p5w<Hg2&k
zu5GzSYH_l$%qoQSkX$mX-LB6s{#gZ#l!1lSA;%I(X-nbvlH)&0ugWG<BAq(K$Bsh%
z4-S{uz1({bXcjdbl)<*nqaAlbAhy*er!Hpxs?CJ1r1XiLoTNNgV(O2|!+er0VA=+z
zUL_NqwZZm<PaOu{*JtI)A_t4s)cs-|DCHry#`!gz>;(h|@3sZV=gQN-ob3PXMdRPR
zSdtI4B1%%4HkqU!8tFw(IjE$nomj=2J!54oZpxfX$4$@*rsPR4RqU=6a~LI!cz2}I
zr25&!+;f>xx*J#+gmn<IP*SACePA6k7*rsf)LR)$7%wq<0@BFli8qbsmJ!a)ihq+?
zfcmI?{|$X=>Zkp3NKuAiU0>7R-jUEFzFrBZhBUfb@6@Ufj(xDzv*cvz7_BQPJl<(u
zy=hWhXzK#iwMiFX%h2ge930JT%ll1u1U?=NJI%S)H8$3@?gmu7)b~4#Fsd9OofuLM
ze{);1jYetJ=e|`U_<Nt$Sq}Wr+vXWc3a_|gig{&PftX6y_CDcT=}t=*GDpzTh#jX^
zsWl6kJ5-8ID}fXZ`})h^cj!{|BdIc^L?5$teKywiSJsMh0$FyTUu%yFv9W15WUu(F
zou@V|G1UH;6H0?V#c4R%26z-gn~F-luRGi80cGP5F+EUtzU>98{OhWm0)^OD?xoWP
zCLWEQTx>&!4XGRj(5FTv6JDzzU)S2RkQLlRAyiPKOYmuXeNtMI^P0K=;h|^<yZRxe
zjXzj<urqwHHnq}0^U@tkQ|+K6w4wgQass81db31Lp`E2=2lj4L@7)ccl}qdsJcz)r
zAI;}Y&1+(wI*BSMY-^@>s!dwvN9U(Phh&1Jb7d~DqJSLX*SQD9GPQc0Yx7HpJK*TB
zLdVjv#*EZ9gS89|$AA3{u>&F9M%!$tf80AL+v1X;OQQEWt+lp)Ud=-my`^FFfLw<L
zg4i&hXgM_Z`|^pCPMRf;kPd_U4GZGV)spLwyT6E^$}@=(C{%H1Tj98`QZ#KzBYUPT
zIZr#N!@7xZl{*t1N(?0u-JLTr2c3VZ^BI?w`F4CYbfya*;wCXkB)lCcPCE_>E^IFP
zDKadu<=-tI?AOREFJLa^d}87p1qS}DXw`{oAM-LUJHZvrG;_;=vZCI~Ri)Fxv{kwc
zoe4|tzL(muE70Yn6~)cLQ`G^!lO&-uNPw1dsPIvnZ*z7LdmLq%=S+roKs@t?k&WQc
zp8u16d%qg%U=sO5_H2Xh&4}+E_ntz~jX%fEJjDunUTT}!D{A#aq4e$!_HIfMYC(G>
zwUEP-)CMEHq%gy1R>Vu?7hg?n6{n%D@1b)$f4;ln=WYO2-Y1N;`UZ`Jc&QG$suq?N
zm0RX+pIZer6OVJesw6DCT)!$etGWw2hH$jBUa#8V7&Zq+m%P%b{orF*FY`(F*qkJ~
z=Z{ORfso(Yh}DK`zZ!t*20-<-;n}{IszLk3`8jBgel-|lx~D<@51-A0X`@=I_<FnG
zenQz+$bIV3{Aj7o*V`^P23NOAxhB8<th~^);wv(6YqY`|SO5>ZQ36;w?YGf|K4&*}
z*hdOj5P2Gyw*!!hK`lO0He^kHr}&KJe$DunT#&DwS>uSM-75LROP8L_1Myyy2~}r4
zW?F-+0z6byh;v(V0Xjgrar6h)`#G3C?%Jha?u&BTbEEk82ZY}bp?K>5@Cf_gt3a>(
zn?jcV?yLXqtN*@K{u52y@4L(Yw$6E179PbUKID0$byeXvzB`tjs&ie6eW>&sJngal
z7HZAy{l$4a^S9n@ZWeee3Dh<NwzlVoQBP$3a(EZ;hbK^9jhTfdbCVmGUy9G&)rh_)
zAtWumwYe#U(7Bv-{hwmJCr_SC>HzXHiaODBXisbFv$t=5rB7T9;NL4XX_A~2y)+5r
zZYQJT{}WiQT_c{H40=icKO`I)76y<oWB$oFc2yC^LF42r0g8aEEV_GXeS4dgo}Qk8
zA?0ron$0nh2q@34UA+pBR?UB@%qIR#wb}1}{XbNG+x7gH>SB=xdOA@b8Repqq0q?}
zdkqN+h@i9vC%BmUa-YkEK-rgyOl=+A7NrUHYxAhHDJzF@t}>;GK<~xe?C6bRcZ!Q0
z$bN94-)W=LQb8=iRRC=HV%NK+C_cN^RL8UH>`8m!*{;gjRu_L(vE<58PXlNh+eiHo
zyCu3niU-aHdsqD7D^_*=U5Zhgzt|_E>XC+qXFrlcPGOr;Q~d(me6#l!`7Dxyk0y{U
zReVH;CF5j|uzkUlO%SXU24Fh8(p=0lT$i7QPR8pWbbjf#SHFnas~hH&!p`4J?vzg=
zYvR(AY+Y(IB*#g;J9TTh1HIv9@;2z=Gf<hgln4fVG^w3S+qaUWJ)zsZQ<vOU%`ts9
zhvq2QaFfXi?@B-^rLZa+f2UbNrFg?LhFnMJ)g0o~uTc`7ree;<0dXb6WZ6p%)mtrl
z5AHzZzdsLJ-G}<j6SGl!K}`pZ?GH_eJ=+|?lWTHgx@Qx<XKYbbm~|G@W8A)IzvpC-
zP&aW_Bf}ogoXO2&S^QV0*J82_>EQvs|8{{A#BZ5W`wQY0SW^1}$zNb&Onr!JF|lYQ
zmFcYNTH5fB?_ZQ|m}X$k%o;{ut78K2AUnk8n-Xa-&0DEedJgA16UgW<A&VYQ=S;dT
zgy%`>7rj)a-~|QK#cu#9uiLIT|8rw$9e%MQ5JZSHB`wm4@(l@6GO!*+2-#R-ExUS7
zx=J6+?=FkR2JI!w#3j+QokblCqQf`OhvJ$PF$YL&KlN!?TGa*K@G0d=Turk)WawO~
zzX9T3qdzRA5Sspx7$zKKTVWZjH|m?;$<@cc$(3fNUTbBZrGbEcj!YgQeQYsm84~eo
zuILY>D|j+CyZ-ajr<1{*SkxYCfutv9uvS0lYvWGb!C3I^@SdsTuMaq6_O4I&E@X*Z
zv<Z3z9+?$zJ`x-?uPBKmh+Kp@t%cThiT1|{2Ytz)U2%5a(zPsHN~jUvEvw>7QXBon
zS^}nG5yi}}&@;Jv9r$!iABGEw`K(v!z5IUe)$(=cvr>S#j4<bHN!3~QIG2Sm*bI0k
z7r3#+`6`QP)jNtjJXvvdm7Oh!c*58zBf^pDaC+P8=+<qDOutP!6CqiAY)EDcpeSf@
zIj@G`1PgHS3q14Nx}LsKG5%dmq_8f_=Ah<N?}H1XQmi1Nd#UX6Q=}~6rlv_DO)P|?
zjEwb&F3iVn|C$`-_6gZX5ho2RHIJ;_E5fpK2B-b1CPG^TpAfhS-6G#&y<M`Pjb03|
z%I(pJmp!{HL89QH3Kz<ejWbY(k<CvZ$M&VkV3D(ZMw=z%c<>#q^d*yamRP%XI>wJJ
z2<X}iQl7tUz`)2sZ+W|x_V}WxES}-W{q_m3D6wYdo(33kR7nqq<KmxNY#;xiZ+Fs^
z&mFY`bvQJe2+KYd5j*Zx*Yima76*i?$zi9r=Cm6Xx*%vQO)ZDi*^GX#{zaY<1rwe6
z@<X}w+T+=IUCd8vf_RGSbGK<j9l3GT8-eq4v>Vdw4?v4cAUK2o-kb1bL{Ierr^@hl
z@g`i%qJdDVq3N7SAvSRlMpP`Yo5%1@_U2t2CEHlbIp-Lco$xq+MT&~CuuTl@p)Dw3
z4-c}cYigq?)^lmmxR|pjJ)n&4FVzkb|6F`yqb1w@0SdB_r-q#QGUNxQEU9)jkfxFQ
zGOPYHlnm~scs)?pd_*$8@hV>*Cs?MPZ4n-0{4}VjUyvimSW?Ge)DJmrjF!wbBfX9s
z<YUX(udcnlnR`oouGxW(@jz(#US`GDkfr3I;2h}Z18<L8OwMxC_H)9eBTS@5t3u=+
z^)TP`R#!fGEYZxUz(Nhwm7bgt0YyCE?iige;*A*Fq~+V&mceYYdeZgVf~*^VSoD4Q
z!3!ki*vWfK`q%j6$P#dT`BHqoAq*kgSLlnVo!Nv4QB%jM7icu;oL>ht$KYjeR>6UC
zth|Fr*?JK|H!(6fIXTE`_u=#B{T4qo(*0nlVa%PJBPP8r1>_pi;q$?PPRpGUUJ<xK
ze!Ql2*(+oZ3EFE9=f9w!9HGydkghc5wCLLhlRQ!v`kfVS3Ex9<RH6+JB3&sjUhX}_
z>?bp5k9UMKs&Sl!d&9WTJRUsoi>mAHa^BP4Z1EV}Kog0k=Pw#TRZlpqqD(fOpdv40
z_*J&~&<k3Ac2SM9HbVYka~>h`-(j`I!iw-1HNZ1{RQpda({Cg7?6*K2SjIm7fADYp
zC%&=9)$fyldrM;dx9Gh!gY4EVQiOl{Z@G9`o$Bu&{Yts_cRI7etAD3UduRBM<X!(i
zt}ese^31lo;NARDL!Qj0kTXs<bL|MJyOgsF`%?pbnPoZJo%4`QTc?`(mWUys3C-xn
z)rNN|pS?)D7m0Gw>H!PPcgzf{oWUEYs|bmli;oSXRB7k%`&nh*Tb1SM7&p%ErZ!j?
zUFc132EMRE$5vKIoJ~P)CfRS39)o`zPX6%hnvPy88uH!G8!9RjfyIz&pIV0o(#(b@
zd)=M%x*fs6`v7T+$*0eNzPw0jA8vUwKDRmYiQN){Y2p%m+2J&Q+_aji0K#&z`a&=@
z6A3I1gy>|n?CPDA7W1>%hiP~$FL2s;(+y@h-<@^6n0pd#-#vzjkopZ1-|R*U+rvO5
zTofl-%IRVwBJIhT??#h0Ykl*E^EMeCtFrm+=>|+H5h<a@R4pWEJ>ip6Cv`8C1{rf^
z{dy!K<?xMRq&VKrq+(kfsBksEu$&q3Avu+Xa=j=BU%zppsdIkbj?t54A0L(p&M^gf
zU>~vu9WOvAy5>+F(bz;}@ZKqf9LdQ_>#*c^b>&}*#rNb=hB$2%Hn0UaBU6cquZMCI
zfA$uh4O9gC!7BXqff%5?i)GFt)$e&eo0}OHY+-x5tU-q>!TOSZ3vW)+AQvNoVm005
z?M(8_kQM{ijfdS|{{-ccme;$Ji7_UUwM!wlwc{?X7l3a_9g*&TTf&L+U^YFVrZ2ZF
zF5Vh2Z#-nvGmLHu+S<=DX1lC~F};Xq<@G$XKO(!p-|>YUU7U?H$RH>FjG7rvxEM8J
z^`g+kSD3%=S<BNdYdJquimrHf-GVj!rjQ=vp)(9z>5hqyY(|Y_`bQw^i?yiZX~zvs
zJxkwOebxmfL@#oR%?{jPfz{MZTD<hJ$H?}pWB~rm*H6AWd+AN8wn4b{#IfI#y6&B-
zx1ku)Jog(swY0i+c4k+uB8-^g!8>ov>vSy@+;XyWrm;!%-h1Kh4a*k2ig2jl377kN
z=mz$DKj9mLk!?WkM0~&_0YPJ)9CGoE=65`R^V22x)%J0(h^(r4vX7K(WlY4B=2^*N
zu0j%>s;VjJ^twRP9x+@s_dNeYoH~WC>R3K1E?9rVedVKgB&JfX@#NV$>}ti?cH{X_
z$hxX*X}}KAp&&HwrU_r*L4kv!X44_IzSk_JpRRHACdF1jz(}HY8LO;l>i(#nDh0_>
z*=A)}V_IRkFJ<y#{mMo6VL}p%kJtoZ8`3=fATp?YyR-X6$Ct|0i|HDUm!Xo;G<qJP
zh9<m$o;Dk6>*6sPOmQQskfy_l5GdzSBXL7>^j36Hz#_!YZB%pO6P1SbWN?15LHzNU
z_B4--4R=}@d~@e%s*@lx*hyw@w%yujJ%7<!0l@oHGYmRAo0xmO>4Ln*xpvN%E?s9(
z20eeHwuJZenH%)ae8S0*3dA)S*_b?`O3*JaYrXdfuvHUA%#raHA3#6>AKM=_)NP6|
zVcQPe&cKAGW{lDtr`PiLM_pa1?hzVOc>6nl0T;Hcm*z4xC950*6C)GN4Y0P)+u`{9
z`>a{t!s1x=y*y3p?b=QfV>ALqXb*gdsH?K)suLyQE`j^+13hL6JTqkTyC--FM+DQ#
zE^}XLFMCJ!M_ir?Ykvf@o`w~iFWVR*tixM|KjanN2<^9#EQRtOPhbO2Gc|4<5Ddy6
z5whQzA<y!st#j$nr>!)xwL^E8ms%b_@a(m<S;~8Gx=yS2a-*T+Rq(|(8izQxd=2Zi
zI2zS(PQ(c2)kul*fH5V@-m!|N#rVNHHbwUrb-EzBs`Db6j}z4K@h!TgnlU#hi2GU*
zZ7f#Jf`p=vD~U=slQMbc^*yk)sx$NOysJ8?2d9-$-Ucn*4;R<QR~iq|DVU3f*0=N8
zudI;$9KUZ*+QooK-^@e5F|aWZq{z%V-sHL1PFAYL%HSELJT|57e|r|p7Ci|#|7+SH
zBWwGbVV#)rw`@$upMo6J3!$GS^F2i@S>qNcE(EvRi}<c}m-l?gCM$?;8l76FKcI9a
zSN$|++2d)Y*1&^sDoLNA66MyrCyyp$b4HZ13a=NHZKY@Fm%red`P!}Lclaj5HBH-D
zg;mnxnABzxri8b~C%9_Yc#bZ!W(C$ZoaY&)#nrhb)tktS4?9UxHaG1GmpD#Bdlst)
zzTQvyN~YV`HZube44T;iv^<yaQ2|1J3+-eUq5H2`D<;pj2D`o;ga~kk68~XE7SfIm
z$PVJ)eagaD@ut|l`ynu<8G27Xmra(<ZRLlAe=CZK<ra2{bweO@Oy=~pe1TJw8}^{R
zz!JRBEE>t73p1{(H@kRu6^$m#<ezR_^h4y*$?h{$QBVLm=<uQN=8c?NCUeIb#3DYO
ziSvYgrjO9>1^TgpNjrS$3iXQ3k5M=C4<Hb%3B0w2pmloeWy2zq$|75@kUJV)pri$=
zW{a3zpv*9<MSGe_x~6aHEE6T^$a$85J2w8)1~7p?^iKCXJ5bE}<ay({kmLqE?FCff
z8Y@GC2exU*;UlMPkgQwYtgHw(8H*vc=-6w2Eb2?oTB0f+tMOM^YKJy?ha5#Cv}B;2
zt;gEy_O#BjmdU_TQu!<G*By!4oU-LH5uZ)!f9|&BJ%}AyctE%j_2js}uqm&!Qxrb=
z0D0C|2px{wP79DkOSmpXKyOVC2fE-RfWTMT<)eazuHS*LXMDlwe$7*BiDaviTaABN
zS*s{{>Xbde)nLZdj}P#F4%TmUorh~Wac&sR=j><sF1b{3aL8=n@kAP<10DrP`nnzv
z!gQ_(Y@IHo(Mm|u4SNg^6W_Mgc<R$G|Nf&nO0RAcQ;6WoncC=w<7w7;Y?$thbm~({
zA9Uu~5NSGfPZgVN6o@JlJ%D?8?#4lM7Rk;&TK8E;d(kjn4ZI=17Kxf*_ef~@a+I01
zkp1cV<Cd6vdWs4iHp=#>kDc3%<+JCbfk_=eLQ-_e)P>s0SD)+B$8b-|eD?FnYofG|
zWSgeX{W{NW(2RSxeV;b9n(wxl1tq_<-N3fA>|!gLd?C@{z~q=~wGF~|Q$_#ii~=37
zk`jf!Ou<p=+p}X<VBzzImiI|sSMw2eb2h@=gx9#~$LsP^QkKc=A-WuD3fi)ujpsEa
zERS-PwbaXPe~NjqpIyivL@jfx=AP8R9@0A7Lw8b&wk()iFklxe_xPl!8bz*iAk!<z
zmLr_b6U26yE`N)sk^(Qbxm-${DG<2v>k!Q>^}0p)accRegRsZ}NmnEB;If`4XXET=
z6N?cVF&@t6Cb;D!n(M(v&bNo9eSRL2GC7;8lsfLj2kyMJK6X5N`NbC#YZDofsS4kP
zKH%`j;0}Qda;+l&f<oTU)*lD$_hJh+xaAH6!QOcVLc#@YyPFT!OKt;~@2kt>!`pu}
ztKo+fm4{S005R{S!jFEd-j_`;XPmgy_?AWjTUzg8|4xSYitJyn|8Jr=|4SjC|6%9<
zYXs=|g%|GYwRiN;_uu|lIR4ngxuZ~Q8_DoTsh-fKBWo;SaeBV{H~wiM0W<A)Hv<7v
z|7H!42Y!3;n`F@t0ncOMPoON_vyk7!j(Z;<J+HEXAd>&}uCkXU&6VEZFuA~SE-5Q$
LfJ$Gy{qR2kK_qV5

literal 0
HcmV?d00001

diff --git a/docs/index.rst b/docs/index.rst
index 466355f..f33b663 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -3,6 +3,11 @@ Welcome to Django OIDC Provider Documentation!
 
 Django OIDC Provider can help you providing out of the box all the endpoints, data and logic needed to add OpenID Connect capabilities to your Django projects. And as a side effect a fair implementation of OAuth2.0 too.
 
+Also implements the following specifications:
+
+* `OAuth 2.0 for Native Apps <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-01>`_
+* `Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_
+
 --------------------------------------------------------------------------------
 
 Before getting started there are some important things that you should know:
@@ -19,7 +24,7 @@ Contents:
    :maxdepth: 2
    
    sections/installation
-   sections/clients
+   sections/relyingparties
    sections/serverkeys
    sections/templates
    sections/claims
diff --git a/docs/sections/clients.rst b/docs/sections/clients.rst
deleted file mode 100644
index e3f5ab8..0000000
--- a/docs/sections/clients.rst
+++ /dev/null
@@ -1,24 +0,0 @@
-.. _clients:
-
-Clients
-#######
-
-Also known as Relying Parties (RP). User and client creation it's up to you. This is because is out of the scope in the core implementation of OIDC.
-So, there are different ways to create your Clients. By displaying a HTML form or maybe if you have internal thrusted Clients you can create them programatically.
-
-`Read more about client creation from OAuth2 spec <http://tools.ietf.org/html/rfc6749#section-2>`_
-
-For your users, the tipical situation is that you provide them a login and a registration page.
-
-If you want to test the provider without getting to deep into this topics you can:
-
-Create a user with ``python manage.py createsuperuser`` and clients using Django admin:
-
-.. image:: http://i64.tinypic.com/2dsfgoy.png
-    :align: center
-
-Or also you can create a client programmatically with Django shell ``python manage.py shell``::
-
-    >>> from oidc_provider.models import Client
-    >>> c = Client(name='Some Client', client_id='123', client_secret='456', response_type='code', redirect_uris=['http://example.com/'])
-    >>> c.save()
diff --git a/docs/sections/relyingparties.rst b/docs/sections/relyingparties.rst
new file mode 100644
index 0000000..1c6d80c
--- /dev/null
+++ b/docs/sections/relyingparties.rst
@@ -0,0 +1,43 @@
+.. _relyingparties:
+
+Relying Parties
+###############
+
+Relying Parties (RP) creation it's up to you. This is because is out of the scope in the core implementation of OIDC.
+So, there are different ways to create your Clients (RP). By displaying a HTML form or maybe if you have internal thrusted Clients you can create them programatically.
+
+OAuth defines two client types, based on their ability to maintain the confidentiality of their client credentials:
+
+* ``confidential``: Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials).
+* ``public``: Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
+
+Using the admin
+===============
+
+We suggest you to use Django admin to easily manage your clients: 
+
+.. image:: ../images/client_creation.png
+    :align: center
+
+For re-generating ``client_secret``, when you are in the Client editing view, select "Client type" to be ``public``. Then after saving, select back to be ``confidential`` and save again.
+
+Custom view
+===========
+
+If for some reason you need to create your own view to manage them, you can grab the form class that the admin makes use of. Located in ``oidc_provider.admin.ClientForm``.
+
+Some built-in logic that comes with it:
+
+* Automatic ``client_id`` and ``client_secret`` generation.
+* Empty ``client_secret`` when ``client_type`` is equal to ``public``.
+
+Programmatically
+================
+
+You can create a Client programmatically with Django shell ``python manage.py shell``::
+
+    >>> from oidc_provider.models import Client
+    >>> c = Client(name='Some Client', client_id='123', client_secret='456', response_type='code', redirect_uris=['http://example.com/'])
+    >>> c.save()
+
+`Read more about client creation from OAuth2 spec <http://tools.ietf.org/html/rfc6749#section-2>`_

From 3f5992100a4721ff6114b667f290339b4d6c3c5f Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Fri, 8 Apr 2016 18:09:24 -0300
Subject: [PATCH 15/23] Not auto-approve requests for non-confidential clients.

---
 oidc_provider/tests/app/utils.py              | 11 ++++++---
 .../tests/test_authorize_endpoint.py          | 24 +++++++++++++++++++
 oidc_provider/views.py                        |  4 ++--
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py
index 99f9874..cd547d1 100644
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@@ -33,7 +33,7 @@ def create_fake_user():
     return user
 
 
-def create_fake_client(response_type):
+def create_fake_client(response_type, is_public=False):
     """
     Create a test client, response_type argument MUST be:
     'code', 'id_token' or 'id_token token'.
@@ -42,8 +42,13 @@ def create_fake_client(response_type):
     """
     client = Client()
     client.name = 'Some Client'
-    client.client_id = '123'
-    client.client_secret = '456'
+    if is_public:
+        client.client_type = 'public'
+        client.client_id = 'p123'
+        client.client_secret = ''
+    else:
+        client.client_id = 'c123'
+        client.client_secret = '456'
     client.response_type = response_type
     client.redirect_uris = ['http://example.com/']
 
diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py
index 5a3eaa2..9b24d95 100644
--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@@ -25,6 +25,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
         self.factory = RequestFactory()
         self.user = create_fake_user()
         self.client = create_fake_client(response_type='code')
+        self.client_public = create_fake_client(response_type='code', is_public=True)
         self.state = uuid.uuid4().hex
 
     def test_missing_parameters(self):
@@ -310,8 +311,31 @@ class AuthorizationCodeFlowTestCase(TestCase):
 
         response = AuthorizeView.as_view()(request)
 
+        # Search the scopes in the html.
         self.assertEqual(scope_test in response.content.decode('utf-8'), True)
 
+    def test_public_client_auto_approval(self):
+        """
+        It's recommended not auto-approving requests for non-confidential clients.
+        """
+        query_str = urlencode({
+            'client_id': self.client_public.client_id,
+            'response_type': 'code',
+            'redirect_uri': self.client_public.default_redirect_uri,
+            'scope': 'openid email',
+            'state': self.state,
+        })
+
+        url = reverse('oidc_provider:authorize') + '?' + query_str
+
+        request = self.factory.get(url)
+        # Simulate that the user is logged.
+        request.user = self.user
+
+        with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
+            response = AuthorizeView.as_view()(request)
+
+        self.assertEqual('Request for Permission' in response.content.decode('utf-8'), True)
 
 class ImplicitFlowTestCase(TestCase):
     """
diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index c7010bb..2af287d 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -40,12 +40,12 @@ class AuthorizeView(View):
                 if hook_resp:
                     return hook_resp
 
-                if settings.get('OIDC_SKIP_CONSENT_ALWAYS'):
+                if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public'):
                     return redirect(authorize.create_response_uri())
 
                 if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
                     # Check if user previously give consent.
-                    if authorize.client_has_user_consent():
+                    if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public'):
                         return redirect(authorize.create_response_uri())
 
                 # Generate hidden inputs for the form.

From 32950bc65561b4fcecb95297aebb9a62800833bd Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Fri, 8 Apr 2016 18:11:51 -0300
Subject: [PATCH 16/23] Edit CHANGELOG.

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f865fa5..bb60ca8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file.
 - Choose type of client on creation.
 - Implement Proof Key for Code Exchange by OAuth Public Clients.
 
+##### Fixed
+- Not auto-approve requests for non-confidential clients (publics).
+
 ### [0.3.1] - 2016-03-09
 
 ##### Fixed

From b05894bf6d6f7f418b2e5363ca5203e9d911aea9 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Tue, 12 Apr 2016 18:19:16 -0300
Subject: [PATCH 17/23] Add prompt parameter to authorize view.

---
 oidc_provider/lib/endpoints/authorize.py | 3 ++-
 oidc_provider/views.py                   | 7 +++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py
index 3bb6409..83624ad 100644
--- a/oidc_provider/lib/endpoints/authorize.py
+++ b/oidc_provider/lib/endpoints/authorize.py
@@ -55,6 +55,7 @@ class AuthorizeEndpoint(object):
         self.params.scope = query_dict.get('scope', '').split()
         self.params.state = query_dict.get('state', '')
         self.params.nonce = query_dict.get('nonce', '')
+        self.params.prompt = query_dict.get('prompt', '')
 
         # PKCE parameters.
         self.params.code_challenge = query_dict.get('code_challenge')
@@ -91,7 +92,7 @@ class AuthorizeEndpoint(object):
             raise RedirectUriError()
 
         # PKCE validation of the transformation method.
-        if self.params.code_challenge and self.params.code_challenge_method:
+        if self.params.code_challenge:
             if not (self.params.code_challenge_method in ['plain', 'S256']):
                 raise AuthorizeError(self.params.redirect_uri, 'invalid_request', self.grant_type)
 
diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index 2af287d..bd5a6f8 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -68,8 +68,11 @@ class AuthorizeView(View):
 
                 return render(request, 'oidc_provider/authorize.html', context)
             else:
-                path = request.get_full_path()
-                return redirect_to_login(path)
+                if authorize.params.prompt == 'none':
+                    raise AuthorizeError(authorize.params.redirect_uri, 'login_required', authorize.grant_type)
+                else:
+                    path = request.get_full_path()
+                    return redirect_to_login(path)
 
         except (ClientIdError, RedirectUriError) as error:
             context = {

From 31632442bda97bd25fa112d1bfcac12f4779ffe2 Mon Sep 17 00:00:00 2001
From: John Kristensen <john.kristensen@dpipwe.tas.gov.au>
Date: Wed, 13 Apr 2016 17:02:05 +1000
Subject: [PATCH 18/23] Add py35 environment to tox/travisci

Django v1.7 is not compatible with Python v3.5 so it is not tested.
---
 .travis.yml | 5 +++++
 tox.ini     | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 56c5e66..d947e99 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,10 +2,15 @@ language: python
 python:
   - "2.7"
   - "3.4"
+  - "3.5"
 env:
   - DJANGO=1.7
   - DJANGO=1.8
   - DJANGO=1.9
+matrix:
+  exclude:
+    - python: "3.5"
+      env: DJANGO=1.7
 install:
   - pip install -q django==$DJANGO
   - pip install -e .
diff --git a/tox.ini b/tox.ini
index 92540ff..2b107d0 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,7 +1,7 @@
 [tox]
 
 envlist=
-    clean,py{27,34}-django{17,18,19},stats
+    clean,py{27,34}-django{17,18,19},py35-django{18,19},stats
 
 [testenv]
 

From 61f0c209af7a4e4f229029c66cdadba4d2ae336b Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Wed, 13 Apr 2016 17:19:37 -0300
Subject: [PATCH 19/23] Refactoring prompt=none logic.

---
 oidc_provider/lib/endpoints/authorize.py | 32 +++++++++++++-----------
 oidc_provider/views.py                   | 12 ++++-----
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py
index 83624ad..dcdb8da 100644
--- a/oidc_provider/lib/endpoints/authorize.py
+++ b/oidc_provider/lib/endpoints/authorize.py
@@ -62,35 +62,39 @@ class AuthorizeEndpoint(object):
         self.params.code_challenge_method = query_dict.get('code_challenge_method')
 
     def validate_params(self):
+        # Client validation.
         try:
             self.client = Client.objects.get(client_id=self.params.client_id)
         except Client.DoesNotExist:
             logger.debug('[Authorize] Invalid client identifier: %s', self.params.client_id)
             raise ClientIdError()
 
+        # Redirect URI validation.
         if self.is_authentication and not self.params.redirect_uri:
             logger.debug('[Authorize] Missing redirect uri.')
             raise RedirectUriError()
-
-        if not self.grant_type:
-            logger.debug('[Authorize] Invalid response type: %s', self.params.response_type)
-            raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type',
-                self.grant_type)
-
-        if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce:
-            raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
-                self.grant_type)
-
-        if self.is_authentication and self.params.response_type != self.client.response_type:
-            raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
-                self.grant_type)
-                
         clean_redirect_uri = urlsplit(self.params.redirect_uri)
         clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query=''))
         if not (clean_redirect_uri in self.client.redirect_uris):
             logger.debug('[Authorize] Invalid redirect uri: %s', self.params.redirect_uri)
             raise RedirectUriError()
 
+        # Grant type validation.
+        if not self.grant_type:
+            logger.debug('[Authorize] Invalid response type: %s', self.params.response_type)
+            raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type',
+                self.grant_type)
+
+        # Nonce parameter validation.
+        if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce:
+            raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
+                self.grant_type)
+
+        # Response type parameter validation.
+        if self.is_authentication and self.params.response_type != self.client.response_type:
+            raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
+                self.grant_type)
+
         # PKCE validation of the transformation method.
         if self.params.code_challenge:
             if not (self.params.code_challenge_method in ['plain', 'S256']):
diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index bd5a6f8..016bddd 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -66,13 +66,15 @@ class AuthorizeView(View):
                     'params': authorize.params,
                 }
 
+                if authorize.params.prompt == 'none':
+                    raise AuthorizeError(authorize.params.redirect_uri, 'interaction_required', authorize.grant_type)
+
                 return render(request, 'oidc_provider/authorize.html', context)
             else:
                 if authorize.params.prompt == 'none':
                     raise AuthorizeError(authorize.params.redirect_uri, 'login_required', authorize.grant_type)
-                else:
-                    path = request.get_full_path()
-                    return redirect_to_login(path)
+
+                return redirect_to_login(request.get_full_path())
 
         except (ClientIdError, RedirectUriError) as error:
             context = {
@@ -92,12 +94,10 @@ class AuthorizeView(View):
     def post(self, request, *args, **kwargs):
         authorize = AuthorizeEndpoint(request)
 
-        allow = True if request.POST.get('allow') else False
-
         try:
             authorize.validate_params()
             
-            if not allow:
+            if not request.POST.get('allow'):
                 raise AuthorizeError(authorize.params.redirect_uri,
                                      'access_denied',
                                      authorize.grant_type)

From 41dcb192bcbd1718b66f84b201f7c234c14a81bf Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Wed, 13 Apr 2016 18:38:38 -0300
Subject: [PATCH 20/23] Add support for the other values of the prompt param.

---
 oidc_provider/views.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index 016bddd..9ed42c9 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -40,12 +40,14 @@ class AuthorizeView(View):
                 if hook_resp:
                     return hook_resp
 
-                if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public'):
+                if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public') \
+                and not (authorize.params.prompt == 'consent'):
                     return redirect(authorize.create_response_uri())
 
                 if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
                     # Check if user previously give consent.
-                    if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public'):
+                    if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public') \
+                    and not (authorize.params.prompt == 'consent'):
                         return redirect(authorize.create_response_uri())
 
                 # Generate hidden inputs for the form.
@@ -69,6 +71,13 @@ class AuthorizeView(View):
                 if authorize.params.prompt == 'none':
                     raise AuthorizeError(authorize.params.redirect_uri, 'interaction_required', authorize.grant_type)
 
+                if authorize.params.prompt == 'login':
+                    return redirect_to_login(request.get_full_path())
+
+                if authorize.params.prompt == 'select_account':
+                    # TODO: see how we can support multiple accounts for the end-user.
+                    raise AuthorizeError(authorize.params.redirect_uri, 'account_selection_required', authorize.grant_type)
+
                 return render(request, 'oidc_provider/authorize.html', context)
             else:
                 if authorize.params.prompt == 'none':

From bc6a0835714e6475dc62a876aff2baaeb503112a Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Thu, 14 Apr 2016 16:22:38 -0300
Subject: [PATCH 21/23] Refactoring tests.

---
 oidc_provider/tests/app/RSAKEY.pem            |  15 --
 oidc_provider/tests/app/utils.py              |  16 +-
 .../tests/test_authorize_endpoint.py          | 221 ++++++------------
 oidc_provider/tests/test_token_endpoint.py    |   3 +-
 4 files changed, 69 insertions(+), 186 deletions(-)
 delete mode 100644 oidc_provider/tests/app/RSAKEY.pem

diff --git a/oidc_provider/tests/app/RSAKEY.pem b/oidc_provider/tests/app/RSAKEY.pem
deleted file mode 100644
index bcad3a0..0000000
--- a/oidc_provider/tests/app/RSAKEY.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQC/O5N0BxpMVbht7i0bFIQyD0q2O4mutyYLoAQn8skYEbDUmcwp
-9dRe7GTHiDrMqJ3gW9hTZcYm7dt5rhjFqdCYK504PDOcK8LGkCN2CiWeRbCAwaz0
-Wgh3oJfbTMuYV+LWLFAAPxN4cyN6RoE9mlk7vq7YNYVpdg0VNMAKvW95dQIDAQAB
-AoGBAIBMdxw0G7e1Fxxh3E87z4lKaySiAzh91f+cps0qfTIxxEKOwMQyEv5weRjJ
-VDG0ut8on5UsReoeUM5tOF99E92pEnenI7+VfnFf04xCLcdT0XGbKimb+5g6y1Pm
-8630TD97tVO0ASHcrXOtkSTYNdAUDcqeJUTOwgW0OD3Hyb8BAkEAxODr/Mln86wu
-NhnxEVf9wuEJxX6JUjnkh62wIWYbZU61D+pIrtofi/0+AYn/9IeBCTDNIM4qTzsC
-HV/u/3nmwQJBAPiooD4FYBI1VOwZ7RZqR0ZyQN0IkBsfw95K789I1lBeXh34b6r6
-dik4A72guaAZEuxTz3MPjbSrflGjq47fE7UCQQCPsDSrpvcGYbjMZXyKkvSywXlX
-OXXRnE0NNReiGJqQArSk6/GmI634hpg1mVlER41GfuaHNdCtSLzPYY/Vx0tBAkAc
-QFxkb4voxbJuWMu9HjoW4OhJtK1ax5MjcHQqouXmn7IlyZI2ZNqD+F9Ebjxo2jBy
-NVt+gSfifRGPCP927hV5AkEAwFu9HZipddp8PM8tyF1G09+s3DVSCR3DLMBwX9NX
-nGA9tOLYOSgG/HKLOWD1qT0G8r/vYtFuktCKMSidVMp5sw==
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py
index cd547d1..684dac8 100644
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@@ -42,13 +42,12 @@ def create_fake_client(response_type, is_public=False):
     """
     client = Client()
     client.name = 'Some Client'
+    client.client_id = str(random.randint(1, 999999)).zfill(6)
     if is_public:
         client.client_type = 'public'
-        client.client_id = 'p123'
         client.client_secret = ''
     else:
-        client.client_id = 'c123'
-        client.client_secret = '456'
+        client.client_secret = str(random.randint(1, 999999)).zfill(6)
     client.response_type = response_type
     client.redirect_uris = ['http://example.com/']
 
@@ -57,17 +56,6 @@ def create_fake_client(response_type, is_public=False):
     return client
 
 
-def create_rsakey():
-    """
-    Generate and save a sample RSA Key.
-    """
-    fullpath = os.path.abspath(os.path.dirname(__file__)) + '/RSAKEY.pem'
-
-    with open(fullpath, 'r') as f:
-        key = f.read()
-        RSAKey(key=key).save()
-
-
 def is_code_valid(url, user, client):
     """
     Check if the code inside the url is valid.
diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py
index 9b24d95..9a26761 100644
--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@@ -6,6 +6,7 @@ import uuid
 
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.models import AnonymousUser
+from django.core.management import call_command
 from django.core.urlresolvers import reverse
 from django.test import RequestFactory
 from django.test import TestCase
@@ -22,11 +23,35 @@ class AuthorizationCodeFlowTestCase(TestCase):
     """
 
     def setUp(self):
+        call_command('creatersakey')
         self.factory = RequestFactory()
         self.user = create_fake_user()
         self.client = create_fake_client(response_type='code')
         self.client_public = create_fake_client(response_type='code', is_public=True)
+        self.client_implicit = create_fake_client(response_type='id_token token')
         self.state = uuid.uuid4().hex
+        self.nonce = uuid.uuid4().hex
+
+    def _auth_request(self, method, params_or_data={}, is_user_authenticated=False):
+        url = reverse('oidc_provider:authorize')
+
+        if method.lower() == 'get':
+            query_str = urlencode(params_or_data).replace('+', '%20')
+            if query_str:
+                url += '?' + query_str
+            request = self.factory.get(url)
+        elif method.lower() == 'post':
+            request = self.factory.post(url, data=params_or_data)
+        else:
+            raise Exception('Method unsupported for an Authorization Request.')
+
+        # Simulate that the user is logged.
+        request.user = self.user if is_user_authenticated else AnonymousUser()
+
+        response = AuthorizeView.as_view()(request)
+
+        return response
+
 
     def test_missing_parameters(self):
         """
@@ -36,11 +61,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
 
         See: https://tools.ietf.org/html/rfc6749#section-4.1.2.1
         """
-        url = reverse('oidc_provider:authorize')
-
-        request = self.factory.get(url)
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('get')
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(bool(response.content), True)
@@ -53,19 +74,15 @@ class AuthorizationCodeFlowTestCase(TestCase):
         See: http://openid.net/specs/openid-connect-core-1_0.html#AuthError
         """
         # Create an authorize request with an unsupported response_type.
-        query_str = urlencode({
+        params = {
             'client_id': self.client.client_id,
             'response_type': 'something_wrong',
             'redirect_uri': self.client.default_redirect_uri,
             'scope': 'openid email',
             'state': self.state,
-        }).replace('+', '%20')
+        }
 
-        url = reverse('oidc_provider:authorize') + '?' + query_str
-
-        request = self.factory.get(url)
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('get', params)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.has_header('Location'), True)
@@ -81,34 +98,20 @@ class AuthorizationCodeFlowTestCase(TestCase):
 
         See: http://openid.net/specs/openid-connect-core-1_0.html#Authenticates
         """
-        query_str = urlencode({
+        params = {
             'client_id': self.client.client_id,
             'response_type': 'code',
             'redirect_uri': self.client.default_redirect_uri,
             'scope': 'openid email',
             'state': self.state,
-        }).replace('+', '%20')
+        }
 
-        url = reverse('oidc_provider:authorize') + '?' + query_str
-
-        request = self.factory.get(url)
-        request.user = AnonymousUser()
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('get', params)
 
         # Check if user was redirected to the login view.
         login_url_exists = settings.get('LOGIN_URL') in response['Location']
         self.assertEqual(login_url_exists, True)
 
-        # Check if the login will redirect to a valid url.
-        try:
-            next_value = response['Location'].split(REDIRECT_FIELD_NAME + '=')[1]
-            next_url = unquote(next_value)
-            is_next_ok = next_url == url
-        except:
-            is_next_ok = False
-        self.assertEqual(is_next_ok, True)
-
     def test_user_consent_inputs(self):
         """
         Once the End-User is authenticated, the Authorization Server MUST
@@ -117,7 +120,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
 
         See: http://openid.net/specs/openid-connect-core-1_0.html#Consent
         """
-        query_str = urlencode({
+        params = {
             'client_id': self.client.client_id,
             'response_type': 'code',
             'redirect_uri': self.client.default_redirect_uri,
@@ -126,15 +129,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
             # PKCE parameters.
             'code_challenge': FAKE_CODE_CHALLENGE,
             'code_challenge_method': 'S256',
-        }).replace('+', '%20')
+        }
 
-        url = reverse('oidc_provider:authorize') + '?' + query_str
-
-        request = self.factory.get(url)
-        # Simulate that the user is logged.
-        request.user = self.user
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('get', params, is_user_authenticated=True)
 
         # Check if hidden inputs exists in the form,
         # also if their values are valid.
@@ -165,14 +162,10 @@ class AuthorizationCodeFlowTestCase(TestCase):
         the parameters defined in Section 4.1.2 of OAuth 2.0 [RFC6749]
         by adding them as query parameters to the redirect_uri.
         """
-        response_type = 'code'
-
-        url = reverse('oidc_provider:authorize')
-
-        post_data = {
+        data = {
             'client_id': self.client.client_id,
             'redirect_uri': self.client.default_redirect_uri,
-            'response_type': response_type,
+            'response_type': 'code',
             'scope': 'openid email',
             'state': self.state,
             # PKCE parameters.
@@ -180,11 +173,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'code_challenge_method': 'S256',
         }
 
-        request = self.factory.post(url, data=post_data)
-        # Simulate that the user is logged.
-        request.user = self.user
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('post', data, is_user_authenticated=True)
 
         # Because user doesn't allow app, SHOULD exists an error parameter
         # in the query.
@@ -194,13 +183,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
             msg='"access_denied" code is missing in query.')
 
         # Simulate user authorization.
-        post_data['allow'] = 'Accept' # Should be the value of the button.
+        data['allow'] = 'Accept' # Will be the value of the button.
 
-        request = self.factory.post(url, data=post_data)
-        # Simulate that the user is logged.
-        request.user = self.user
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('post', data, is_user_authenticated=True)
 
         is_code_ok = is_code_valid(url=response['Location'],
                                    user=self.user,
@@ -219,7 +204,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
         list of scopes) and because they might be prompted for the same
         authorization multiple times, the server skip it.
         """
-        post_data = {
+        data = {
             'client_id': self.client.client_id,
             'redirect_uri': self.client.default_redirect_uri,
             'response_type': 'code',
@@ -229,34 +214,25 @@ class AuthorizationCodeFlowTestCase(TestCase):
         }
 
         request = self.factory.post(reverse('oidc_provider:authorize'),
-                                    data=post_data)
+                                    data=data)
         # Simulate that the user is logged.
         request.user = self.user
 
         with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
-            response = AuthorizeView.as_view()(request)
+            response = self._auth_request('post', data, is_user_authenticated=True)
 
             self.assertEqual('code' in response['Location'], True,
                 msg='Code is missing in the returned url.')
 
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('post', data, is_user_authenticated=True)
 
         is_code_ok = is_code_valid(url=response['Location'],
                                    user=self.user,
                                    client=self.client)
         self.assertEqual(is_code_ok, True, msg='Code returned is invalid.')
 
-        del post_data['allow']
-        query_str = urlencode(post_data).replace('+', '%20')
-
-        url = reverse('oidc_provider:authorize') + '?' + query_str
-
-        request = self.factory.get(url)
-        # Simulate that the user is logged.
-        request.user = self.user
-
-        # Ensure user consent skip is enabled.
-        response = AuthorizeView.as_view()(request)
+        del data['allow']
+        response = self._auth_request('get', data, is_user_authenticated=True)
 
         is_code_ok = is_code_valid(url=response['Location'],
                                    user=self.user,
@@ -264,10 +240,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
         self.assertEqual(is_code_ok, True, msg='Code returned is invalid or missing.')
 
     def test_response_uri_is_properly_constructed(self):
-        """
-        TODO
-        """
-        post_data = {
+        data = {
             'client_id': self.client.client_id,
             'redirect_uri': self.client.default_redirect_uri + "?redirect_state=xyz",
             'response_type': 'code',
@@ -276,123 +249,59 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'allow': 'Accept',
         }
 
-        request = self.factory.post(reverse('oidc_provider:authorize'),
-                                    data=post_data)
-        # Simulate that the user is logged.
-        request.user = self.user
+        response = self._auth_request('post', data, is_user_authenticated=True)
 
-        response = AuthorizeView.as_view()(request)
-
-        is_code_ok = is_code_valid(url=response['Location'],
-                                   user=self.user,
-                                   client=self.client)
-        self.assertEqual(is_code_ok, True,
-                         msg='Code returned is invalid.')
-
-    def test_scope_with_plus(self):
-        """
-        In query string, scope use `+` instead of the space url-encoded.
-        """
-        scope_test = 'openid email profile'
-
-        query_str = urlencode({
-            'client_id': self.client.client_id,
-            'response_type': 'code',
-            'redirect_uri': self.client.default_redirect_uri,
-            'scope': scope_test,
-            'state': self.state,
-        })
-
-        url = reverse('oidc_provider:authorize') + '?' + query_str
-
-        request = self.factory.get(url)
-        # Simulate that the user is logged.
-        request.user = self.user
-
-        response = AuthorizeView.as_view()(request)
-
-        # Search the scopes in the html.
-        self.assertEqual(scope_test in response.content.decode('utf-8'), True)
+        # TODO
 
     def test_public_client_auto_approval(self):
         """
         It's recommended not auto-approving requests for non-confidential clients.
         """
-        query_str = urlencode({
+        params = {
             'client_id': self.client_public.client_id,
             'response_type': 'code',
             'redirect_uri': self.client_public.default_redirect_uri,
             'scope': 'openid email',
             'state': self.state,
-        })
-
-        url = reverse('oidc_provider:authorize') + '?' + query_str
-
-        request = self.factory.get(url)
-        # Simulate that the user is logged.
-        request.user = self.user
+        }
 
         with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
-            response = AuthorizeView.as_view()(request)
+            response = self._auth_request('get', params, is_user_authenticated=True)
 
         self.assertEqual('Request for Permission' in response.content.decode('utf-8'), True)
 
-class ImplicitFlowTestCase(TestCase):
-    """
-    Test cases for Authorize Endpoint using Implicit Grant Flow.
-    """
-
-    def setUp(self):
-        self.factory = RequestFactory()
-        self.user = create_fake_user()
-        self.client = create_fake_client(response_type='id_token token')
-        self.state = uuid.uuid4().hex
-        self.nonce = uuid.uuid4().hex
-        create_rsakey()
-
-    def test_missing_nonce(self):
+    def test_implicit_missing_nonce(self):
         """
         The `nonce` parameter is REQUIRED if you use the Implicit Flow.
         """
-        query_str = urlencode({
-            'client_id': self.client.client_id,
-            'response_type': self.client.response_type,
-            'redirect_uri': self.client.default_redirect_uri,
+        params = {
+            'client_id': self.client_implicit.client_id,
+            'response_type': self.client_implicit.response_type,
+            'redirect_uri': self.client_implicit.default_redirect_uri,
             'scope': 'openid email',
             'state': self.state,
-        }).replace('+', '%20')
+        }
 
-        url = reverse('oidc_provider:authorize') + '?' + query_str
-
-        request = self.factory.get(url)
-        # Simulate that the user is logged.
-        request.user = self.user
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('get', params, is_user_authenticated=True)
         
         self.assertEqual('#error=invalid_request' in response['Location'], True)   
 
-    def test_access_token_response(self):
+    def test_implicit_access_token_response(self):
         """
         Unlike the Authorization Code flow, in which the client makes
         separate requests for authorization and for an access token, the client
         receives the access token as the result of the authorization request.
         """
-        post_data = {
-            'client_id': self.client.client_id,
-            'redirect_uri': self.client.default_redirect_uri,
-            'response_type': self.client.response_type,
+        data = {
+            'client_id': self.client_implicit.client_id,
+            'redirect_uri': self.client_implicit.default_redirect_uri,
+            'response_type': self.client_implicit.response_type,
             'scope': 'openid email',
             'state': self.state,
             'nonce': self.nonce,
             'allow': 'Accept',
         }
 
-        request = self.factory.post(reverse('oidc_provider:authorize'),
-                                    data=post_data)
-        # Simulate that the user is logged.
-        request.user = self.user
-
-        response = AuthorizeView.as_view()(request)
+        response = self._auth_request('post', data, is_user_authenticated=True)
         
         self.assertEqual('access_token' in response['Location'], True) 
diff --git a/oidc_provider/tests/test_token_endpoint.py b/oidc_provider/tests/test_token_endpoint.py
index 652d8ad..0873b23 100644
--- a/oidc_provider/tests/test_token_endpoint.py
+++ b/oidc_provider/tests/test_token_endpoint.py
@@ -4,6 +4,7 @@ try:
 except ImportError:
     from urllib import urlencode
 
+from django.core.management import call_command
 from django.test import RequestFactory, override_settings
 from django.test import TestCase
 from jwkest.jwk import KEYS
@@ -23,10 +24,10 @@ class TokenTestCase(TestCase):
     """
 
     def setUp(self):
+        call_command('creatersakey')
         self.factory = RequestFactory()
         self.user = create_fake_user()
         self.client = create_fake_client(response_type='code')
-        create_rsakey()
 
     def _auth_code_post_data(self, code):
         """

From 8320394a674dcdc1093287d6bcd5ed8169d02c3f Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Thu, 14 Apr 2016 17:45:30 -0300
Subject: [PATCH 22/23] Refactoring variables.

---
 .../tests/test_authorize_endpoint.py          | 54 ++++++++++++++-----
 1 file changed, 40 insertions(+), 14 deletions(-)

diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py
index 9a26761..dd22800 100644
--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@@ -32,16 +32,16 @@ class AuthorizationCodeFlowTestCase(TestCase):
         self.state = uuid.uuid4().hex
         self.nonce = uuid.uuid4().hex
 
-    def _auth_request(self, method, params_or_data={}, is_user_authenticated=False):
+    def _auth_request(self, method, data={}, is_user_authenticated=False):
         url = reverse('oidc_provider:authorize')
 
         if method.lower() == 'get':
-            query_str = urlencode(params_or_data).replace('+', '%20')
+            query_str = urlencode(data).replace('+', '%20')
             if query_str:
                 url += '?' + query_str
             request = self.factory.get(url)
         elif method.lower() == 'post':
-            request = self.factory.post(url, data=params_or_data)
+            request = self.factory.post(url, data=data)
         else:
             raise Exception('Method unsupported for an Authorization Request.')
 
@@ -74,7 +74,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
         See: http://openid.net/specs/openid-connect-core-1_0.html#AuthError
         """
         # Create an authorize request with an unsupported response_type.
-        params = {
+        data = {
             'client_id': self.client.client_id,
             'response_type': 'something_wrong',
             'redirect_uri': self.client.default_redirect_uri,
@@ -82,7 +82,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'state': self.state,
         }
 
-        response = self._auth_request('get', params)
+        response = self._auth_request('get', data)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.has_header('Location'), True)
@@ -98,7 +98,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
 
         See: http://openid.net/specs/openid-connect-core-1_0.html#Authenticates
         """
-        params = {
+        data = {
             'client_id': self.client.client_id,
             'response_type': 'code',
             'redirect_uri': self.client.default_redirect_uri,
@@ -106,7 +106,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'state': self.state,
         }
 
-        response = self._auth_request('get', params)
+        response = self._auth_request('get', data)
 
         # Check if user was redirected to the login view.
         login_url_exists = settings.get('LOGIN_URL') in response['Location']
@@ -120,7 +120,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
 
         See: http://openid.net/specs/openid-connect-core-1_0.html#Consent
         """
-        params = {
+        data = {
             'client_id': self.client.client_id,
             'response_type': 'code',
             'redirect_uri': self.client.default_redirect_uri,
@@ -131,7 +131,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'code_challenge_method': 'S256',
         }
 
-        response = self._auth_request('get', params, is_user_authenticated=True)
+        response = self._auth_request('get', data, is_user_authenticated=True)
 
         # Check if hidden inputs exists in the form,
         # also if their values are valid.
@@ -257,7 +257,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
         """
         It's recommended not auto-approving requests for non-confidential clients.
         """
-        params = {
+        data = {
             'client_id': self.client_public.client_id,
             'response_type': 'code',
             'redirect_uri': self.client_public.default_redirect_uri,
@@ -266,7 +266,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
         }
 
         with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
-            response = self._auth_request('get', params, is_user_authenticated=True)
+            response = self._auth_request('get', data, is_user_authenticated=True)
 
         self.assertEqual('Request for Permission' in response.content.decode('utf-8'), True)
 
@@ -274,7 +274,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
         """
         The `nonce` parameter is REQUIRED if you use the Implicit Flow.
         """
-        params = {
+        data = {
             'client_id': self.client_implicit.client_id,
             'response_type': self.client_implicit.response_type,
             'redirect_uri': self.client_implicit.default_redirect_uri,
@@ -282,7 +282,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'state': self.state,
         }
 
-        response = self._auth_request('get', params, is_user_authenticated=True)
+        response = self._auth_request('get', data, is_user_authenticated=True)
         
         self.assertEqual('#error=invalid_request' in response['Location'], True)   
 
@@ -304,4 +304,30 @@ class AuthorizationCodeFlowTestCase(TestCase):
 
         response = self._auth_request('post', data, is_user_authenticated=True)
         
-        self.assertEqual('access_token' in response['Location'], True) 
+        self.assertEqual('access_token' in response['Location'], True)
+
+
+    def test_prompt_parameter(self):
+        """
+        Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+        See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+        """
+        data = {
+            'client_id': self.client.client_id,
+            'response_type': self.client.response_type,
+            'redirect_uri': self.client.default_redirect_uri,
+            'scope': 'openid email',
+            'state': self.state,
+        }
+
+        data['prompt'] = 'none'
+
+        response = self._auth_request('get', data)
+
+        # An error is returned if an End-User is not already authenticated.
+        self.assertEqual('login_required' in response['Location'], True)
+
+        response = self._auth_request('get', data, is_user_authenticated=True)
+
+        # An error is returned if the Client does not have pre-configured consent for the requested Claims.
+        self.assertEqual('interaction_required' in response['Location'], True)

From 2ec000e18afbaf98c95d4222bb9442b8cc9e81b2 Mon Sep 17 00:00:00 2001
From: Ignacio Fiorentino <juanifioren@gmail.com>
Date: Fri, 15 Apr 2016 11:35:23 -0300
Subject: [PATCH 23/23] Edit CHANGELOG.

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb60ca8..811ee36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file.
 ##### Added
 - Choose type of client on creation.
 - Implement Proof Key for Code Exchange by OAuth Public Clients.
+- Support for prompt parameter.
 
 ##### Fixed
 - Not auto-approve requests for non-confidential clients (publics).