From 21a582787d080ac515245b6c547342e99b15a193 Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Sat, 23 Nov 2019 16:53:10 +0530
Subject: [PATCH 1/8] Add new minimum password requirements

This change adds the ability for the admin
to configure new minimum password requirements
---
 app/helpers/application_settings_helper.rb    |   1 +
 app/models/application_setting.rb             |   8 +
 app/models/concerns/devise_validatable.rb     |  35 +++++
 app/models/user.rb                            |   9 +-
 app/services/users/build_service.rb           |   2 +-
 .../application_settings/_signup.html.haml    |   6 +
 ...equirements-for-new-user-passwords-mvc.yml |   5 +
 config/initializers/8_devise.rb               |   4 +-
 config/initializers/devise_controller.rb      |  10 ++
 ...password_length_to_application_settings.rb |  15 ++
 db/schema.rb                                  |   1 +
 ee/lib/ee/gitlab/scim/provisioning_service.rb |   2 +-
 locale/gitlab.pot                             |   6 +
 .../application_settings_controller_spec.rb   |   7 +
 spec/models/application_setting_spec.rb       |   6 +
 .../concerns/devise_validatable_spec.rb       | 141 ++++++++++++++++++
 spec/models/user_spec.rb                      |  28 ++++
 17 files changed, 281 insertions(+), 5 deletions(-)
 create mode 100644 app/models/concerns/devise_validatable.rb
 create mode 100644 changelogs/unreleased/36776-entropy-requirements-for-new-user-passwords-mvc.yml
 create mode 100644 config/initializers/devise_controller.rb
 create mode 100644 db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb
 create mode 100644 spec/models/concerns/devise_validatable_spec.rb

diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index d9416cb10c42..71e4195c50fc 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -232,6 +232,7 @@ module ApplicationSettingsHelper
       :metrics_port,
       :metrics_sample_interval,
       :metrics_timeout,
+      :minimum_password_length,
       :mirror_available,
       :pages_domain_verification_enabled,
       :password_authentication_enabled_for_web,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index e764b6c56b05..238fc0881c11 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -6,6 +6,8 @@ class ApplicationSetting < ApplicationRecord
   include TokenAuthenticatable
   include ChronicDurationAttribute
 
+  DEFAULT_MINIMUM_PASSWORD_LENGTH = 8
+
   add_authentication_token_field :runners_registration_token, encrypted: -> { Feature.enabled?(:application_settings_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
   add_authentication_token_field :health_check_access_token
   add_authentication_token_field :static_objects_external_storage_auth_token
@@ -46,6 +48,12 @@ class ApplicationSetting < ApplicationRecord
             presence: true,
             numericality: { only_integer: true, greater_than_or_equal_to: 0 }
 
+  validates :minimum_password_length,
+            presence: true,
+            numericality: { only_integer: true,
+                            greater_than_or_equal_to: DEFAULT_MINIMUM_PASSWORD_LENGTH,
+                            less_than_or_equal_to: DEFAULT_MAXIMUM_PASSWORD_LENGTH }
+
   validates :home_page_url,
             allow_blank: true,
             addressable_url: true,
diff --git a/app/models/concerns/devise_validatable.rb b/app/models/concerns/devise_validatable.rb
new file mode 100644
index 000000000000..6fc7cf56439a
--- /dev/null
+++ b/app/models/concerns/devise_validatable.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+# Validations in this module are copied over from
+# https://github.com/plataformatec/devise/blob/v4.7.1/lib/devise/models/validatable.rb
+
+# TODO: Remove this concern and go back to using Devise's in built Validatable module as soon as
+# https://github.com/plataformatec/devise/pull/5166 is merged.
+module DeviseValidatable
+  extend ActiveSupport::Concern
+
+  # rubocop: disable Rails/Validation
+  included do
+    validates_presence_of   :email, if: :email_required?
+    validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
+    validates_format_of     :email, with: Devise.email_regexp, allow_blank: true, if: :will_save_change_to_email?
+
+    validates_presence_of     :password, if: :password_required?
+    validates_confirmation_of :password, if: :password_required?
+
+    # This is the only validation that differs from the validations already present in Devise's Validatable module.
+    # We need this validation so that we can support dynamic password length without a GitLab restart.
+    validates_length_of :password, maximum: proc { password_length.max }, minimum: proc { password_length.min }, allow_blank: true
+  end
+  # rubocop: enable Rails/Validation
+
+  private
+
+  def password_required?
+    !persisted? || !password.nil? || !password_confirmation.nil?
+  end
+
+  def email_required?
+    true
+  end
+end
diff --git a/app/models/user.rb b/app/models/user.rb
index 698848c5b16a..6589fb96aa19 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -20,6 +20,7 @@ class User < ApplicationRecord
   include WithUploads
   include OptionallySearch
   include FromUnion
+  include DeviseValidatable
 
   DEFAULT_NOTIFICATION_LEVEL = :participating
 
@@ -51,7 +52,7 @@ class User < ApplicationRecord
   serialize :otp_backup_codes, JSON # rubocop:disable Cop/ActiveRecordSerialize
 
   devise :lockable, :recoverable, :rememberable, :trackable,
-         :validatable, :omniauthable, :confirmable, :registerable
+         :omniauthable, :confirmable, :registerable
 
   BLOCKED_MESSAGE = "Your account has been blocked. Please contact your GitLab " \
                     "administrator if you think this is an error."
@@ -158,7 +159,7 @@ class User < ApplicationRecord
   #
   # Validations
   #
-  # Note: devise :validatable above adds validations for :email and :password
+  # Note: DeviseValidatable adds validations for :email and :password
   validates :name, presence: true, length: { maximum: 128 }
   validates :first_name, length: { maximum: 255 }
   validates :last_name, length: { maximum: 255 }
@@ -1751,6 +1752,10 @@ class User < ApplicationRecord
   def no_recent_activity?
     last_active_at.to_i <= MINIMUM_INACTIVE_DAYS.days.ago.to_i
   end
+
+  def self.password_length
+    Gitlab::CurrentSettings.minimum_password_length..ApplicationSetting::DEFAULT_MAXIMUM_PASSWORD_LENGTH
+  end
 end
 
 User.prepend_if_ee('EE::User')
diff --git a/app/services/users/build_service.rb b/app/services/users/build_service.rb
index 8c85ad9ffd8b..ea4d11e728e0 100644
--- a/app/services/users/build_service.rb
+++ b/app/services/users/build_service.rb
@@ -23,7 +23,7 @@ module Users
         @reset_token = user.generate_reset_token if params[:reset_password]
 
         if user_params[:force_random_password]
-          random_password = Devise.friendly_token.first(Devise.password_length.min)
+          random_password = Devise.friendly_token.first(User.password_length.min)
           user.password = user.password_confirmation = random_password
         end
       end
diff --git a/app/views/admin/application_settings/_signup.html.haml b/app/views/admin/application_settings/_signup.html.haml
index 7c1df78f30c9..6ec214fceb0e 100644
--- a/app/views/admin/application_settings/_signup.html.haml
+++ b/app/views/admin/application_settings/_signup.html.haml
@@ -12,6 +12,12 @@
         = f.check_box :send_user_confirmation_email, class: 'form-check-input'
         = f.label :send_user_confirmation_email, class: 'form-check-label' do
           Send confirmation email on sign-up
+    .form-group
+      = f.label :minimum_password_length, 'Password Requirements', class: 'label-bold'
+      = f.text_field :minimum_password_length, placeholder: 'minimum password length', class: 'form-control', rows: 4
+      - password_policy_guidelines_link = link_to _('Password Policy Guidelines'), 'https://about.gitlab.com/handbook/security/#gitlab-password-policy-guidelines', target: '_blank'
+      .form-text.text-muted
+        = _("See GitLab's %{password_policy_guidelines}").html_safe % { password_policy_guidelines: password_policy_guidelines_link }
     .form-group
       = f.label :domain_whitelist, 'Whitelisted domains for sign-ups', class: 'label-bold'
       = f.text_area :domain_whitelist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
diff --git a/changelogs/unreleased/36776-entropy-requirements-for-new-user-passwords-mvc.yml b/changelogs/unreleased/36776-entropy-requirements-for-new-user-passwords-mvc.yml
new file mode 100644
index 000000000000..6b2e159c273e
--- /dev/null
+++ b/changelogs/unreleased/36776-entropy-requirements-for-new-user-passwords-mvc.yml
@@ -0,0 +1,5 @@
+---
+title: Allow administrators to set a minimum password length
+merge_request: 20661
+author:
+type: added
diff --git a/config/initializers/8_devise.rb b/config/initializers/8_devise.rb
index 8d4c5fa382c5..0a1b3c90145d 100644
--- a/config/initializers/8_devise.rb
+++ b/config/initializers/8_devise.rb
@@ -113,7 +113,9 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length. Default is 6..128.
-  config.password_length = 8..128
+  # config.password_length = 8..128
+  # Devise's `validatable` module is no longer used.
+  # Dynamic minimum password length is supported by DeviseValidatable concern.
 
   # Email regex used to validate email formats. It simply asserts that
   # an one (and only one) @ exists in the given string. This is mainly
diff --git a/config/initializers/devise_controller.rb b/config/initializers/devise_controller.rb
new file mode 100644
index 000000000000..53baf45dda3a
--- /dev/null
+++ b/config/initializers/devise_controller.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+DeviseController.class_eval do
+  # Overriding set_minimum_password_length from DeviseController.
+
+  # Sets minimum password length to show to user
+  def set_minimum_password_length
+    @minimum_password_length = resource_class.password_length.min
+  end
+end
diff --git a/db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb b/db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb
new file mode 100644
index 000000000000..809cd5ad3be9
--- /dev/null
+++ b/db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddMinimumPasswordLengthToApplicationSettings < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  DEFAULT_MINIMUM_PASSWORD_LENGTH = 8
+
+  def up
+    add_column(:application_settings, :minimum_password_length, :integer, default: DEFAULT_MINIMUM_PASSWORD_LENGTH, null: false)
+  end
+
+  def down
+    remove_column(:application_settings, :minimum_password_length)
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index ac2372a63d09..93b0c54a2e62 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -363,6 +363,7 @@ ActiveRecord::Schema.define(version: 2019_12_08_071112) do
     t.string "encrypted_slack_app_secret_iv", limit: 255
     t.text "encrypted_slack_app_verification_token"
     t.string "encrypted_slack_app_verification_token_iv", limit: 255
+    t.integer "minimum_password_length", default: 8, null: false
     t.index ["custom_project_templates_group_id"], name: "index_application_settings_on_custom_project_templates_group_id"
     t.index ["file_template_project_id"], name: "index_application_settings_on_file_template_project_id"
     t.index ["instance_administration_project_id"], name: "index_applicationsettings_on_instance_administration_project_id"
diff --git a/ee/lib/ee/gitlab/scim/provisioning_service.rb b/ee/lib/ee/gitlab/scim/provisioning_service.rb
index 2eaa5ee9b9af..02bbc7fb2bc3 100644
--- a/ee/lib/ee/gitlab/scim/provisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/provisioning_service.rb
@@ -77,7 +77,7 @@ module EE
         end
 
         def random_password
-          Devise.friendly_token.first(Devise.password_length.min)
+          Devise.friendly_token.first(::User.password_length.min)
         end
 
         def valid_username
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 405d6948bade..7ef8b0ae2c68 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -12464,6 +12464,9 @@ msgstr ""
 msgid "Password (optional)"
 msgstr ""
 
+msgid "Password Policy Guidelines"
+msgstr ""
+
 msgid "Password authentication is unavailable."
 msgstr ""
 
@@ -15742,6 +15745,9 @@ msgstr ""
 msgid "SecurityDashboard|Unable to add %{invalidProjects}"
 msgstr ""
 
+msgid "See GitLab's %{password_policy_guidelines}"
+msgstr ""
+
 msgid "See metrics"
 msgstr ""
 
diff --git a/spec/controllers/admin/application_settings_controller_spec.rb b/spec/controllers/admin/application_settings_controller_spec.rb
index bc14e9112a15..fa575ba2eae1 100644
--- a/spec/controllers/admin/application_settings_controller_spec.rb
+++ b/spec/controllers/admin/application_settings_controller_spec.rb
@@ -95,6 +95,13 @@ describe Admin::ApplicationSettingsController do
       expect(ApplicationSetting.current.default_project_creation).to eq(::Gitlab::Access::MAINTAINER_PROJECT_ACCESS)
     end
 
+    it 'updates minimum_password_length setting' do
+      put :update, params: { application_setting: { minimum_password_length: 10 } }
+
+      expect(response).to redirect_to(admin_application_settings_path)
+      expect(ApplicationSetting.current.minimum_password_length).to eq(10)
+    end
+
     context 'external policy classification settings' do
       let(:settings) do
         {
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb
index 9a76be5b6f19..a403aa296d45 100644
--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -68,6 +68,12 @@ describe ApplicationSetting do
 
     it { is_expected.to validate_numericality_of(:snippet_size_limit).only_integer.is_greater_than(0) }
 
+    it { is_expected.not_to allow_value(7).for(:minimum_password_length) }
+    it { is_expected.not_to allow_value(129).for(:minimum_password_length) }
+    it { is_expected.not_to allow_value(nil).for(:minimum_password_length) }
+    it { is_expected.not_to allow_value('abc').for(:minimum_password_length) }
+    it { is_expected.to allow_value(10).for(:minimum_password_length) }
+
     context 'when snowplow is enabled' do
       before do
         setting.snowplow_enabled = true
diff --git a/spec/models/concerns/devise_validatable_spec.rb b/spec/models/concerns/devise_validatable_spec.rb
new file mode 100644
index 000000000000..8ab3e10b3582
--- /dev/null
+++ b/spec/models/concerns/devise_validatable_spec.rb
@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe DeviseValidatable do
+  describe 'User' do
+    let_it_be(:existing_user) { create(:user) }
+
+    context 'password' do
+      it 'requires password to be set for a new record' do
+        user = build(:user, password: '', password_confirmation: '')
+
+        expect(user).to be_invalid
+        expect(user.errors[:password].join).to eq('can\'t be blank')
+      end
+
+      it 'requires password_confirmation to be set for a new record' do
+        user = build(:user, password: 'new_password', password_confirmation: 'something_else')
+
+        expect(user).to be_invalid
+        expect(user.errors[:password_confirmation].join).to eq('doesn\'t match Password')
+      end
+
+      it 'requires password to be set while updating/resetting password' do
+        existing_user.password = ''
+        existing_user.password_confirmation = ''
+
+        expect(existing_user).to be_invalid
+        expect(existing_user.errors[:password].join).to eq('can\'t be blank')
+      end
+
+      it 'requires password_confirmation to be set while updating/resetting password' do
+        existing_user.password = 'set_new_password'
+        existing_user.password_confirmation = 'something_else'
+
+        expect(existing_user).to be_invalid
+        expect(existing_user.errors[:password_confirmation].join).to eq('doesn\'t match Password')
+      end
+
+      it 'does not fail validations for password length when password is not changed' do
+        existing_user.password = existing_user.password_confirmation = nil
+
+        expect(existing_user).to be_valid
+      end
+
+      context 'password length' do
+        before do
+          expect(User).to receive(:password_length).twice.and_return(10..128)
+        end
+
+        it 'validates minimum password length' do
+          user = build(:user, password: 'x' * 9, password_confirmation: 'x' * 9)
+
+          expect(user).to be_invalid
+          expect(user.errors[:password].join).to eq('is too short (minimum is 10 characters)')
+        end
+
+        it 'validates maximum password length' do
+          user = build(:user, password: 'x' * 129, password_confirmation: 'x' * 129)
+
+          expect(user).to be_invalid
+          expect(user.errors[:password].join).to eq('is too long (maximum is 128 characters)')
+        end
+
+        it 'validates password length even if password is not required' do
+          user = build(:user, password: 'x' * 129, password_confirmation: 'x' * 129)
+          expect(user).to receive(:password_required?).twice.and_return(false)
+
+          expect(user).to be_invalid
+          expect(user.errors[:password].join).to eq('is too long (maximum is 128 characters)')
+        end
+
+        context 'min and max length values' do
+          it 'matches the values set by the `password_length` method' do
+            validators = User.validators_on :password
+            length = validators.find { |v| v.kind == :length }
+
+            assert_equal 10, length.options[:minimum].call
+            assert_equal 128, length.options[:maximum].call
+          end
+        end
+      end
+    end
+
+    context 'email' do
+      it 'requires email to be set' do
+        user = build(:user, email: nil)
+
+        expect(user).to be_invalid
+        expect(user.errors[:email].join).to eq('can\'t be blank')
+      end
+
+      it 'accepts valid formats' do
+        %w(a.b.c@example.com test_mail@gmail.com any@any.net email@test.br 123@mail.test 1☃3@mail.test).each do |email|
+          user = build(:user, email: email)
+
+          expect(user).to be_valid
+          expect(user.errors[:email]).to be_blank
+        end
+      end
+
+      it 'is case-senstive' do
+        user = build(:user, email: 'test@test.com')
+
+        expect(user).to be_valid
+
+        new_user = build(:user, email: 'TEST@TEST.COM')
+
+        expect(new_user).to be_valid
+        expect(new_user.errors[:email].join).to be_blank
+      end
+
+      context 'when email changes' do
+        it 'validates uniqueness, allowing blank' do
+          user = build(:user, email: '')
+
+          expect(user).to be_invalid
+          expect(user.errors[:email].join).not_to include('taken')
+
+          user.email = existing_user.email
+
+          expect(user).to be_invalid
+          expect(user.errors[:email].join).to include('taken')
+        end
+
+        it 'validates format, allowing blank' do
+          user = build(:user, email: '')
+
+          expect(user).to be_invalid
+          expect(user.errors[:email].join).not_to include('invalid')
+
+          %w{invalid_email_format 123 $$$ () ☃}.each do |email|
+            user.email = email
+            expect(user).to be_invalid
+            expect(user.errors[:email].join).to include('invalid')
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 49991dbd2d49..fafb21a29908 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -461,6 +461,34 @@ describe User, :do_not_mock_admin_mode do
       end
     end
 
+    describe '.password_length' do
+      let(:password_length) { described_class.password_length }
+
+      it 'is expected to be a Range' do
+        expect(password_length).to be_a(Range)
+      end
+
+      context 'minimum value' do
+        before do
+          stub_application_setting(minimum_password_length: 101)
+        end
+
+        it 'is determined by the current value of `minimum_password_length` attribute of application_setting' do
+          expect(password_length.min).to eq(101)
+        end
+      end
+
+      context 'maximum value' do
+        before do
+          stub_const('ApplicationSetting::DEFAULT_MAXIMUM_PASSWORD_LENGTH', 201)
+        end
+
+        it 'is determined by the current value of `ApplicationSetting::DEFAULT_MAXIMUM_PASSWORD_LENGTH`' do
+          expect(password_length.max).to eq(201)
+        end
+      end
+    end
+
     describe '.limit_to_todo_authors' do
       context 'when filtering by todo authors' do
         let(:user1) { create(:user) }
-- 
GitLab


From 89376a90b950ca5ba8e162320b6a58601e4ae5f1 Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Mon, 2 Dec 2019 10:44:01 +0530
Subject: [PATCH 2/8] Do not use DeviseValidatable module

This change removes the DeviseValidatable module
---
 app/models/application_setting.rb             |   4 +-
 .../application_setting_implementation.rb     |   3 +
 app/models/concerns/devise_validatable.rb     |  35 -----
 app/models/user.rb                            |   8 +-
 .../application_settings/_signup.html.haml    |   6 +-
 config/initializers/8_devise.rb               |   4 +-
 config/initializers/devise_controller.rb      |  10 --
 ...evise_remove_password_length_validation.rb |  20 +++
 db/schema.rb                                  |   2 +-
 doc/security/password_length_limits.md        |  37 ++++-
 .../img/minimum_password_length.png           | Bin 0 -> 27994 bytes
 .../settings/sign_up_restrictions.md          |   6 +
 locale/gitlab.pot                             |   3 +
 .../concerns/devise_validatable_spec.rb       | 141 ------------------
 spec/models/user_spec.rb                      |  31 +++-
 15 files changed, 105 insertions(+), 205 deletions(-)
 delete mode 100644 app/models/concerns/devise_validatable.rb
 delete mode 100644 config/initializers/devise_controller.rb
 create mode 100644 config/initializers/devise_remove_password_length_validation.rb
 create mode 100644 doc/user/admin_area/img/minimum_password_length.png
 delete mode 100644 spec/models/concerns/devise_validatable_spec.rb

diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 238fc0881c11..456b64300885 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -6,8 +6,6 @@ class ApplicationSetting < ApplicationRecord
   include TokenAuthenticatable
   include ChronicDurationAttribute
 
-  DEFAULT_MINIMUM_PASSWORD_LENGTH = 8
-
   add_authentication_token_field :runners_registration_token, encrypted: -> { Feature.enabled?(:application_settings_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
   add_authentication_token_field :health_check_access_token
   add_authentication_token_field :static_objects_external_storage_auth_token
@@ -52,7 +50,7 @@ class ApplicationSetting < ApplicationRecord
             presence: true,
             numericality: { only_integer: true,
                             greater_than_or_equal_to: DEFAULT_MINIMUM_PASSWORD_LENGTH,
-                            less_than_or_equal_to: DEFAULT_MAXIMUM_PASSWORD_LENGTH }
+                            less_than_or_equal_to: Devise.password_length.max }
 
   validates :home_page_url,
             allow_blank: true,
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index e1eb8d429bb9..98d8bb43b93f 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -30,6 +30,8 @@ module ApplicationSettingImplementation
     '/admin/session'
   ].freeze
 
+  DEFAULT_MINIMUM_PASSWORD_LENGTH = 8
+
   class_methods do
     def defaults
       {
@@ -106,6 +108,7 @@ module ApplicationSettingImplementation
         sourcegraph_enabled: false,
         sourcegraph_url: nil,
         sourcegraph_public_only: true,
+        minimum_password_length: DEFAULT_MINIMUM_PASSWORD_LENGTH,
         terminal_max_session_time: 0,
         throttle_authenticated_api_enabled: false,
         throttle_authenticated_api_period_in_seconds: 3600,
diff --git a/app/models/concerns/devise_validatable.rb b/app/models/concerns/devise_validatable.rb
deleted file mode 100644
index 6fc7cf56439a..000000000000
--- a/app/models/concerns/devise_validatable.rb
+++ /dev/null
@@ -1,35 +0,0 @@
-# frozen_string_literal: true
-
-# Validations in this module are copied over from
-# https://github.com/plataformatec/devise/blob/v4.7.1/lib/devise/models/validatable.rb
-
-# TODO: Remove this concern and go back to using Devise's in built Validatable module as soon as
-# https://github.com/plataformatec/devise/pull/5166 is merged.
-module DeviseValidatable
-  extend ActiveSupport::Concern
-
-  # rubocop: disable Rails/Validation
-  included do
-    validates_presence_of   :email, if: :email_required?
-    validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
-    validates_format_of     :email, with: Devise.email_regexp, allow_blank: true, if: :will_save_change_to_email?
-
-    validates_presence_of     :password, if: :password_required?
-    validates_confirmation_of :password, if: :password_required?
-
-    # This is the only validation that differs from the validations already present in Devise's Validatable module.
-    # We need this validation so that we can support dynamic password length without a GitLab restart.
-    validates_length_of :password, maximum: proc { password_length.max }, minimum: proc { password_length.min }, allow_blank: true
-  end
-  # rubocop: enable Rails/Validation
-
-  private
-
-  def password_required?
-    !persisted? || !password.nil? || !password_confirmation.nil?
-  end
-
-  def email_required?
-    true
-  end
-end
diff --git a/app/models/user.rb b/app/models/user.rb
index 6589fb96aa19..50297bffe95c 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -20,7 +20,6 @@ class User < ApplicationRecord
   include WithUploads
   include OptionallySearch
   include FromUnion
-  include DeviseValidatable
 
   DEFAULT_NOTIFICATION_LEVEL = :participating
 
@@ -52,7 +51,7 @@ class User < ApplicationRecord
   serialize :otp_backup_codes, JSON # rubocop:disable Cop/ActiveRecordSerialize
 
   devise :lockable, :recoverable, :rememberable, :trackable,
-         :omniauthable, :confirmable, :registerable
+         :validatable, :omniauthable, :confirmable, :registerable
 
   BLOCKED_MESSAGE = "Your account has been blocked. Please contact your GitLab " \
                     "administrator if you think this is an error."
@@ -159,7 +158,8 @@ class User < ApplicationRecord
   #
   # Validations
   #
-  # Note: DeviseValidatable adds validations for :email and :password
+  # Note: devise :validatable above adds validations for :email
+  validates :password, length: { maximum: proc { password_length.max }, minimum: proc { password_length.min } }, allow_blank: true
   validates :name, presence: true, length: { maximum: 128 }
   validates :first_name, length: { maximum: 255 }
   validates :last_name, length: { maximum: 255 }
@@ -1754,7 +1754,7 @@ class User < ApplicationRecord
   end
 
   def self.password_length
-    Gitlab::CurrentSettings.minimum_password_length..ApplicationSetting::DEFAULT_MAXIMUM_PASSWORD_LENGTH
+    Gitlab::CurrentSettings.minimum_password_length..Devise.password_length.max
   end
 end
 
diff --git a/app/views/admin/application_settings/_signup.html.haml b/app/views/admin/application_settings/_signup.html.haml
index 6ec214fceb0e..60765b63504d 100644
--- a/app/views/admin/application_settings/_signup.html.haml
+++ b/app/views/admin/application_settings/_signup.html.haml
@@ -13,9 +13,9 @@
         = f.label :send_user_confirmation_email, class: 'form-check-label' do
           Send confirmation email on sign-up
     .form-group
-      = f.label :minimum_password_length, 'Password Requirements', class: 'label-bold'
-      = f.text_field :minimum_password_length, placeholder: 'minimum password length', class: 'form-control', rows: 4
-      - password_policy_guidelines_link = link_to _('Password Policy Guidelines'), 'https://about.gitlab.com/handbook/security/#gitlab-password-policy-guidelines', target: '_blank'
+      = f.label :minimum_password_length, _('Minimum password length'), class: 'label-bold'
+      = f.number_field :minimum_password_length, class: 'form-control', rows: 4, min: ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH, max: Devise.password_length.max
+      - password_policy_guidelines_link = link_to _('Password Policy Guidelines'), 'https://about.gitlab.com/handbook/security/#gitlab-password-policy-guidelines', target: '_blank', rel: 'noopener noreferrer nofollow'
       .form-text.text-muted
         = _("See GitLab's %{password_policy_guidelines}").html_safe % { password_policy_guidelines: password_policy_guidelines_link }
     .form-group
diff --git a/config/initializers/8_devise.rb b/config/initializers/8_devise.rb
index 0a1b3c90145d..8d4c5fa382c5 100644
--- a/config/initializers/8_devise.rb
+++ b/config/initializers/8_devise.rb
@@ -113,9 +113,7 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length. Default is 6..128.
-  # config.password_length = 8..128
-  # Devise's `validatable` module is no longer used.
-  # Dynamic minimum password length is supported by DeviseValidatable concern.
+  config.password_length = 8..128
 
   # Email regex used to validate email formats. It simply asserts that
   # an one (and only one) @ exists in the given string. This is mainly
diff --git a/config/initializers/devise_controller.rb b/config/initializers/devise_controller.rb
deleted file mode 100644
index 53baf45dda3a..000000000000
--- a/config/initializers/devise_controller.rb
+++ /dev/null
@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-DeviseController.class_eval do
-  # Overriding set_minimum_password_length from DeviseController.
-
-  # Sets minimum password length to show to user
-  def set_minimum_password_length
-    @minimum_password_length = resource_class.password_length.min
-  end
-end
diff --git a/config/initializers/devise_remove_password_length_validation.rb b/config/initializers/devise_remove_password_length_validation.rb
new file mode 100644
index 000000000000..13c7dd0664a7
--- /dev/null
+++ b/config/initializers/devise_remove_password_length_validation.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# Remove the default Devise length validation from the `User` model.
+
+# This needs to be removed because the length validation provided by Devise does not
+# support dynamically checking for min and max lengths.
+
+# A new length validation has been added to `models/user.rb` instead, to keep supporting
+# dynamic length validations, like:
+
+# validates :password, length: { maximum: proc { password_length.max }, minimum: proc { password_length.min } }, allow_blank: true
+
+# This can be removed as soon as https://github.com/plataformatec/devise/pull/5166
+# is merged into Devise.
+
+User._validators[:password].delete_if do |validator|
+  validator.kind == :length &&
+  validator.options[:minimum].is_a?(Integer) &&
+  validator.options[:maximum].is_a?(Integer)
+end
diff --git a/db/schema.rb b/db/schema.rb
index 93b0c54a2e62..9bc3554e86a1 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -351,6 +351,7 @@ ActiveRecord::Schema.define(version: 2019_12_08_071112) do
     t.string "sourcegraph_url", limit: 255
     t.boolean "sourcegraph_public_only", default: true, null: false
     t.bigint "snippet_size_limit", default: 52428800, null: false
+    t.integer "minimum_password_length", default: 8, null: false
     t.text "encrypted_akismet_api_key"
     t.string "encrypted_akismet_api_key_iv", limit: 255
     t.text "encrypted_elasticsearch_aws_secret_access_key"
@@ -363,7 +364,6 @@ ActiveRecord::Schema.define(version: 2019_12_08_071112) do
     t.string "encrypted_slack_app_secret_iv", limit: 255
     t.text "encrypted_slack_app_verification_token"
     t.string "encrypted_slack_app_verification_token_iv", limit: 255
-    t.integer "minimum_password_length", default: 8, null: false
     t.index ["custom_project_templates_group_id"], name: "index_application_settings_on_custom_project_templates_group_id"
     t.index ["file_template_project_id"], name: "index_application_settings_on_file_template_project_id"
     t.index ["instance_administration_project_id"], name: "index_applicationsettings_on_instance_administration_project_id"
diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md
index 9909ef4a8e4c..cd07cd94d310 100644
--- a/doc/security/password_length_limits.md
+++ b/doc/security/password_length_limits.md
@@ -4,7 +4,19 @@ type: reference, howto
 
 # Custom password length limits
 
-The user password length is set to a minimum of 8 characters by default.
+By default, GitLab supports passwords with:
+
+- A minimum length of 8.
+- A maximum length of 128.
+
+GitLab administrators can modify password lengths:
+
+- Using configuration file.
+- [From](https://gitlab.com/gitlab-org/gitlab/merge_requests/20661) GitLab 12.6, using the GitLab UI.
+
+## Modify maximum password length using configuration file
+
+The user password length is set to a maximum of 128 characters by default.
 To change that for installations from source:
 
 1. Edit `devise_password_length.rb`:
@@ -18,15 +30,34 @@ To change that for installations from source:
 1. Change the new password length limits:
 
    ```ruby
-   config.password_length = 12..128
+   config.password_length = 12..135
    ```
 
    In this example, the minimum length is 12 characters, and the maximum length
-   is 128 characters.
+   is 135 characters.
 
 1. [Restart GitLab](../administration/restart_gitlab.md#installations-from-source)
    for the changes to take effect.
 
+NOTE: **Note:**
+From GitLab 12.6, the minimum password length set in this configuration file will be ignored. Minimum password lengths will now have to be modified via the [GitLab UI](#modify-minimum-password-length-using-gitlab-ui) instead.
+
+## Modify minimum password length using GitLab UI
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/20661) in GitLab 12.6
+
+The user password length is set to a minimum of 8 characters by default.
+To change that using GitLab UI:
+
+In the Admin area under **Settings** (`/admin/application_settings`), go to section **Sign-up Restrictions**.
+
+[Minimum password length settings](../user/admin_area/img/minimum_password_length.png)
+
+Set the **Minimum password length** to a value greater than or equal to 8 and hit **Save changes** to save the changes.
+
+>**Note**: Changing minimum or maximum limit does not affect existing user passwords in any manner. Existing users will not be asked to reset their password to adhere to the new limits.
+The new limit restriction will only apply during new user sign-ups and when an existing user performs a password reset.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/doc/user/admin_area/img/minimum_password_length.png b/doc/user/admin_area/img/minimum_password_length.png
new file mode 100644
index 0000000000000000000000000000000000000000..44fca68728f47929c605bed936413647a559e84d
GIT binary patch
literal 27994
zcmeFZbx@S;|38X^l)^3|9ZRD~s^k*V2!erxbO}iJ(h|ZV4N6EoV4%`ScXx<@#L|m&
zcXO_NKA-RR5ud-#%$YfJ=KP!;2iV>Fy07<D?^nF<kcX-YSBYqdu&}VMDk;i7#=^pJ
zz{0w8mEbb?OFHq&B>2V4Qby*Xl8g-Op`+b%OKUSMEY4^XL&KX&w>aC3j0_Fiy18x;
zIl4VYBEudV);894*EPbL44Yx83A(ydRFJ90m)E>1Tj~fhc$fXV?r)#C_kSw(I-?NG
zOLWv=6D`~IyX1ENg@XVN4hw!%O7i36WMb2KtP#<6JUKS0y(=)C(y9+wO%j((L&-1E
z6PQk3D(GigA%(e;C3H7oYg{9ny<)12HG-`KDY=YHAu-Z<IowViazm;Fzl{e;TlccR
zQLcWh?(tCc%Sxro<su*X#H7-jW8YEITyeyQbn+qi%J?|>5^huRX$dR{2*-WUc=M86
zbe>Y3!t9gz8%|+t8NsLZB9f(l6|oj8D%9WR)mBreZ>#%`^?`)k9P(Zg-|vArxmYBm
z)1a-+@Jm-+-B<ub`CUt0zBegOK+}!Dgbw)S%RW|@gKXxB$U@1cNz6}Lq>%>6&#iHd
zwuSlm@+XeZ&%e>&;2g7F4ywI&eturPaDHAJ>bHl3UXdcfVs*2e3bP_31>=xnsjlU$
z^*}|`#LkAt$kfi*j0a(355@@#3yu&4KiZf%8^I7Z*0xTf2yy1WKOqW!#{8L=8TR)_
zoUO!}wH`c#$=ErX!S3?h;o)PJAcDbQa7WYUqK{?e|NC|Dn>e$Dv$MS@FRz=M8;{#<
z9y>>KUVae~5net4UI77a@Cj}wcUxy81h=gd%YQENKi82pb24$Xw0E|&vxQ-<Yh-Na
z;w;Y0jA`h9|NZAa%@CIVv}Eh_-)?~p@?zfM<>%q!{oiYYufj2Z6@6%lFtgT@wX`v_
zbpmZj2n+MW|Ni{H-ub7+-@d8+&o>1GMSlP0Z}0r~n{ZxC2Y&0&f1>sGUqQGeh~T{c
z8+r*MD>tvFSXfe6O0xIV5tmj{@ZXTj4F&Ovm`8`n5;AkX=KKuvPiQ9KJo7j15i#!)
zIX1%jW{ic$54#VMC1>&XzyFw3xhLOO5^r#?r)RC}R^<v$)qZl~T5fLcSDy+uwOS{;
zah^L?KeO+|hP)&|UVM=gV88l-%>`i@gvm+a%3geB=TrUhaqufS9X6Q*-uyGm56m#^
zi!Zh0wM$UQ#TTa{?raE`qNcLR^^0!|FA^#?t?rb*#QLKRa#l<Oi!Us*FJ2v6O#D(v
zS;`p&1nXiWe*Usj%(*Z<?(nA<dtjK!0fUzIPhw;Lai<TX2o#&Hf5`e+@cLpnR(5b%
zXIzhTq_F-71rZr&+uynPj>aEtr=-4=9aHrsCb)PZq|`lT7*sPVH?HO8#VF<XUyDMb
z7VR!w`gf#QXNZ0b{?PhkBwRf}K*UbDVOW0z1TW;JtnR&vXEa$ChqX>sO^Vqzvlb8c
z;&{sb1%pN*|L+b4>eh^)&8X@2T=%#2n&Tdy<5eM@a!0eVZG%eJoU07*;g$$`TDMxF
zZAm}5P>PY|yxO%~C)+T=QdDm^f7XKw@fx1MCHjaLm!hhfr@zXuaK2xAKJxWx){nb=
zB{n*hGq1U<d&T#!bQ*YV%6V?o<B#tp+0|Hb>y%vCxBO@b5#AqjN+IBV@+nLw?v}QI
z0)8rLb$-EcFyTV?XQ6%>Ba3d`@9w(()HWZ9lsu!_-^i;y8?A6#x5c@9g%6ir<AY*!
zzU_1aY6a^G>c{;TxEpWwmWO)ji}oixE0^C`6U&7@Uv^a*I+<;cT^-aka53XZw)bBx
zo%ESLOSX`-R^hrZ68QmSZ9kugFuCa0J<Zh}QI$M(MwzF1TlXZ3>}|F(1~bJ{>N!Vy
z?+$9VG`jbuis#6O(`cki<5~4(G?To(eV#_aFhDACP<PcC1o=jYaMR@HNAIoks`m<4
zJf_dij@R?gz4yn3Qjnb?d)w#NzY|=TAciOcQ{^V_qs2_4JWT`dVtThR2iv6JEt3e5
zmI%=$PL2hFZ^?o-@9x@7j6tp-eDcF-g+z_!1xtLmwF{e`_as~HE)SL7e|xk1$17sW
z3O4_A-Ezmpj{EUEHi5hR9Ck|sUu;MIx)+c?@$-4?vuvHxo;Y5EwI%T1#Qis%PzHtL
zu&X9l!ps_ju9i42KGvLDe$tXG)uLW%JMNsSpvgbSHF~+BM619!;(GGCyH*rG*++NN
ze9sD~Z$B62Nj7<o{dzm$u2o!jn&c!EC3@qQrG4}3>vM^P;eVN+wjbPKulj<|fcWeB
zO?71BZK`bs>iL=G&>W4NXBwHRDb7RG5$9*eb_lvFi<3?dK6>|rOJp$U)66A%A=Y^+
zS7ur|5I*OpZu>0KRVKnbP_d=93kw@232FP8To$V;+Wtu;ai-<G>vpeJFbVyS6yk<(
z(x0Cm&}M1myc0iO`L=g}j;t(<H}DyOcv1PIJGk<kLmuhg+Ze2Hv8r6otz1E}MA*ye
zRk{`{Ft|4nX1cD9mKW+*dz1$saHM$&cv+aY?hYBO!vk_3#~6T6eY46fZyEeFiH?+%
zfNveI*OvCHignu<*w^C)xow8>*5niOR(*dv?$j&32bR>RGH*3GLqL@0!F2HIUjZaU
zoyM9OHe(2M_}<BOuNXxai`Q~asjkb>b6cjc4A&l!`LZ*p&xFLuhK$KAefy&=262xv
zCz;O<5y@8BE=vRLQwbI-)t>t$A=fx68hy_W=O0QjO{5}b2q`6KZIYIKI=M@SnS$wN
zUYAo=)xG|?J#;H;FU{x3vX#?=F1cJknBG-O>!c2cG!TuLPjS;dKhyvC7{qF9Or<Hg
z)O7f;;@O3*RZ9O_+t1me&zS_5{9lH=4jy-#9FLGVve=)##}FDX`KsK7BNbsRdPzY~
zK#y6yuyDFD7zO5h{5^7*Y1Q|(rGw<r{e}0DpRU;#g+63bYAtg>$1GiDBI6n$kdcG8
z#Pu7VpPkC|wF~OA!!yokATvwhtO8&m1W&4XP}`|&lC(G>_D0Nu8*V%cE?{vjWn;Oq
z-|ar15`V9*k2IOLaz()N*IUg7+xPp_`w!LY9)<83u4&tq*Y}j>e7v~3T=ugLDXZ~5
z4l=nX4EsdzO>C=;Wwiul>qNTR7rdD7*hPfRauc5Fxh4W;O>eSL_@Rq7b?bCNBhJpi
z6EzXi&^$0<*N+Ev4Vcw8Os~?54s`Es>2rv-cqUxIUvga=8%b$>AT&PP@L;`aTlICy
zxW{sid||?nzGrvJ?N@1DTOnK~Dck!&b;nzsyfzJigc^DJ;+k;NHpu=G{;2!@xSRJ=
zA={-1&-H2}ZD%&oPZsXZ^t?YmD8=eRr(**yUoGS}Y58#NJ_5~`%e^05nw4A85xzSc
ztF|Xc9fu&P=Cm8mPd5pJ$iO{i%37~gj<L+A`PNi#w$Qq6Hd7ui<yMb;Gp}4V9eIUs
zC3oSx-Aa%unQOwtLiNg+*LL?JoW9Ev-53Bj@&k8o!zntGV(x59?}93|TmKr(`3m2q
z%0_!chE#l3`tFy;Dgo(R1(N3{{oIGltearJCMtc;W!f|5GNkujZsb`lh+4Ra2bKR%
zbKNFlS?0*mVk`3z9^=m7caNcJtaJs9q>^wIiH76`WuEdT0<k9f2)e~WU-|i0IR>>8
zt0t;+%s+yQA1fXhy}kK#%%_IRX~2qdjX=Y=m3*91FOulFw50bBnkuBOj4Tzl)!JCO
z#<%AW+)_?9!}!0Qd8b$$6BK}5yIe2up};xWW*C&{{({B8@ZL-~-~A?-F%`O^sYkEt
zwO)~4PU!EMfRsL2TO87)E>K-y9%;&eZjCGjtEk=m=}9ujoC?!d$cw}fD(R7`Lrv(x
zY5=K(urf55vM2b3;}z1yiG=sRR>7eo2!FI0<~C-Ng>1xG#G~_m!>#i(M0j0Xy2{k`
z%twXQKZK@Tsp=F=2cA3qcCi-CNt9Vg171Ypx8T;LmpCN$A*Km=NUi&W#;tEgHoNe5
zT9QjYGuc9mwVt;>%-BWem=8+KugWExLv7wG$Mf_(nCISO?wMpMujkRr9KDdG_|dUP
z*+A!8`#vaLLkBSNL3sNPwOQoD@+G{F4wj~4D)cv|nO<Li0*)Ax<rbZg-6`4XN1IFY
z8j1UGIaFp>Xqkmzi$%(U$DIJyU&Iu*2;8n|ywkS$LdvxAGbc&;Ncu793OKOs87EpV
z>*TiH$V?_HN$k46k}yMmt$VC}7g^0t7pu3~Qc$qk8gauTQZ~`y7KK>q<B#`kMxcj1
zS6!p$iZA9{BC0SmXfQr{yI0Z;r~X>Y@pKi_hYc)#a}wSwbMp*`qCQG`426lMfeDSr
zvI(C`8GR1w^KARKDwcDdn2?(^OnBbe(HRmiHk<A_p9@WTT^n~^_KBdPeVV1woiF+5
z-tN+1<4xAfo7$p{4LMxRp_Fb`1Z;r<+IN+Z(o`(duaJ_%0;J&^jjykBwFnkGK<Ub?
zU20+-iZ&Y%>&RmDLNbr=Kk;t&v_94i{XE>NyvY5|=0`l+w=OQ%_OJ&o7Y{22zc<&C
zqCN)%l6xgo1`Toi)X3GPrf9x)-^Y9)R@y)OGyfzPN7zGY*+*5RyiBbd8t$~>9z_N&
z%KG}LZ<&Tq#L%CE6Yj~nn=oj7ZPDenD{8KsJ_+7y+iO!UO<b3ERV)l3p%ea2D1^({
zu=_qzf@q%L2So<YPh&i*l{3?lcG;!w;G0J_b8VY92_-h?*tTp-WGQSWJ%vvB`&QDr
zrj-XvUg>@H{!(*s$0YZABkmCRfuFQ1l&8wJYK1m(EJH3dxeiIhC_wl8xwz-vm1_^8
zelTn*1j*nMZLgHX%i&?oH)|=X`bV)6n=+$au)E|M5tHwPMv)$aUhWxYopIcH$eY_&
zse3WmW|adX12LJ(cx_#?v9dW?a>=;rGu>Q%Sdh`t_lAWNarjr$FzeAG%LaGP#PGyf
zrnBqVrURy`hT$}KlPx~jgjp@UvMf5U55TXKWkb44)(rcUDR>>5_ObF4uQJ^i$CpLy
z=s6VFn3km6tn3<nRDPj%)@s-{LWM66<rzqdO$T0UfQbGWZM`jkb9CsqxyK@iU@Gxd
z^j#@vZFo^N;OR+Nezdz>>3l4q@<#p4iw`%omz<h}r?9~%rVKV~yb6|ZB=`LnNqo{j
zwvOY&8k5up-U-<;)VxWKQZCdmMktzG?Kyk3g3MkJaY*(Zaa(a{x8A;wr{5Cs7qfGJ
z=*U7r-~ND{xRvQT>y?4p6)}%6gZ1Hp_nqI{NpTP&y`syvYPoc`mT(JWpSM0Xici^d
z3A@ml**ku38gEczZO3e!ZN$tY<mcKb^%3>e?>pBO5)j)?@3kaOcly^}btB2bZpFsy
zdwfZ1{k44jQ8Hq6p<<HpYUqwxJI`hfz2{27;#U?`#r}0}{TLDf`>idDDwzpLZq;+9
zcl`b9+nosX{;}4U=%tBzilpLLZvw^x<~BZAnsqT2F0*X@ngy}>;a(BBN%Q&EnfL;m
z0~<!4rP9+FP4PO|&!iSBcEwyWas0WiK1t~xNwq=(R_FEjjCUr|C{YsoSB#S=J3TwI
zukI=2r5UKbO<7k^z5qemxUgUOi`ZJCeuxAgf1p4TG5jE0RBk~qj)qa+)_p2{=e-g?
z0$R2|H5Dz*YE8=GKujpA_$E3L275zFN)l8iygTq@Ty#2upxp)<o131%OBM*BA=IRD
z@4NP-+a_15puwz^b>;3Oy+TRb;rx2Vs2Ih%=4CE@>Jec|Uj3B`LdvTtVVd!0BBiG5
zl%s}cOx}<}rNTGKMe4)9Olw~#UpP`9GezatcUa&f?j&TAdxtnX`)Vu)-q>oezp{Rv
zP(*Qz->4zb*{PG@3ratT5Ba=Z<>REqT$6f)vN|QdQk%H|*dRpEv0+S?zmWyD7eRG`
zhp?Jzh+riVlRc{Ero&x}w~~C|U-GwGEpA*usi>qn!O$`r>WydxhDH6KDjG6mPEDR^
zy8CP6;gkZM7q+FpF{ZzzG>S&GJO@H(V0uP19gCQ&;?Ildif5hO*p5G`snXwih9|&f
z%!+4}EpTBt!0|H7fV-vJB&QZ5@))obgx6eU_bv4<gaOkYj1e*84E=Y@F&t4jnpapS
zt6p44IR8F`XITMiPyX<w<j=3c;sN>aOTh3h?}csyR41Y&#mvKD`IY<6yKFN9D7^fN
zR`-ST9W*1QN*0CeRC@Qv(19i$69GQw!O_^hfEEE45fuw)2FI9BqhuF35s05II}94%
z`Es!8!ny<u$^YwJ!AuA|Vv6CN#eN%rt;+?}M}3c1OIN`TT;h9vI;4-7#?vV<mdo9F
z`y`wMq_t-Nm?XbYUHyaJK}spYP|RzcytPF#BqB|st}7O;^lr(k-+ConC%yMaKwj6_
zQtD!Mc5;||S~}s;IoF+JE_t#MAincmMi4+38ynHq2n8(?z&!lS(V;9M3<k6W&)Cn7
z2!$z-LFJb_&95OiN@A0tlJIak5l0RYos>`i6VAE_d6*8f?O2%u1|tb?wgh}1E-+aI
zD81Be!o9TzB%pLAJI#~^TE9BpUWEofl)a;xz*oPAva6+AHqoJdciTK-9H6d}7lU7I
zZ0@&G!mx+*+)^GS3Vg&0*OCb*n^O3!!03JF*$0<@CJ-kdZXw&uTE#LC$7cXa1+pH!
z4|@9LakHq~n)UvqZ|!!|DZqv#SQEFGiY)tE1|xR|=-p?d1+9nqI0(Kt{ZQh-uow#w
zA4#ihmE&&lFIDf2S_zu8ToF5*jSYt=Tlar@um_N9SqT&|;Jf%Seq}Dn&h^;9=g_Qj
z?w!?G#d!rFHd3ZcX-P+a#T(eF!8Zfx5mSD9JN;^vFA#kmyGy@Xx)bCh8CFTvN>2b5
zSn((3u{Q&dECT~SrhTL(^2%n2hAyKS@4iqki+p=8;PME6D;;`|1u0UB*aK*ISdLPU
zeC=o{D=*t>C^rbvWGE#@V7UVNRXS1aS-I^OKuLp)s9di>4Q?8o9`Ba|U^`^@Nk<?R
zWn0-@-2cs7jaJzHuVpU1k2$o-977y0>}3K?z(Mas+7*^mu(eU;fNsh6(5SjyDL-AW
zqj_*?8X$5vIQ2RvDbw(i)Wy&)Rufg_l?t0wPLht3_NzwMul9GZoJ{w)8*ZfA*lFwa
z%U<!Ky>)w8>{)AGBmUVKM_6br%b9B#Z<SfgKEU8^=>7R_Dv`8EiK8~grLu$C(0u!4
zBFVXfTD!GAD2x1uEa_uDbCsgbNdAebbAWz@&sOFS05n0ZyQaEL3J!4|)drYY_MYcW
z{iXfwdHMGKIqh)T$T`K)ujI1>G^tw`2mtL~*7e`!1_AD43WqN5BoU`i^ezLBsCy!V
zbA%=kjW33BZI*}fgcv^6p6=;zkXJY_&fxy!E*&FdP!I!5ROMinW^ZoI(F>hwk7DtI
zsQ}yaf>s7A0L&A%o0z0Xgr~5E*h%}&F1^Lq#2p5BbTJU7e~)30ps@+T8GhB>WU}EE
zapNfgKf~V9-s-Znko!ydy0<)fqqb$!mocozHjfAYEXmlBT&?%fj)M-|KGnW~aN3rE
z985vWAp_s)w_KV%wiS!)%F4=4$L<^QSSz4+s-^-A46f)`8G;ty>m<%kw!ilaJ@2C8
zm`Y$lK1dSm77r7&9UI2*5}<Qw#a2T-?)XN(+)G~!cIX3!%-JYSH!F@?r@}SEfFK(~
zfnfN?eaJeV=tL-DuUGPX_{T@({?(au53oRU!>o<~m`1(T)VBmIMCvs!0)|^qyIiA{
zyN>wsHB;^GVA18Sy{o5nSUsMX2vE*>R-9aSLnAw3+@Y1e$H}YXM&>ZJdGa(a#}HBH
z(#c`H|1lKpam+|arq`cMRn}7CV>akklxh&%+sf!`y<WYaS{Zy;dGDdxyF2Yq+h6nU
zU$JIaOI=xVyn@pA+IEviop`s<4DAEpUm{@EQO1Zr<p`Ez(Eg><RM$~UTUz;5RH>Wq
zGRUcX>t0@3Yh^s!OO&}!9k+5Gu>jX?NGzWevL2oqoq`J-Px{xP&!PH0xopgj+5b7E
z@Lo&7ZaprX8d@%T-u><)9;uf$gOJyOy(TY0>dG=6bHiJ_hK{#=sv9pU*GL(Dj-LTY
zQdvl8;KjcR_!E--^P}aw#RyV{EB*fXt@gef59jyrN#k>G5p1duGq5(EX5$)jaYNK|
zZy}J*y8-w=@>MrriSm{8jYV9<45s6*FtP^GzPD59cg7P&S~vaNxU(<g^y~tPz}3u8
z_yIA4ZsTb^P9}<xRhF>x<UY)LyapCFaGl<v32G_sv7<-~N7{;Q@O^v~glBv+d>PFR
zNnIPBx+G%Lmmy~>4)L=sH9rIk@fcu9C-bh(cwW*@o|=Q1BCEV=!Lf*3zEljE_UsJ>
z!9bDWL;}|`I02r)kd3F`%zH^%6OnFJR^)<3E_kVrCdTk}(NYT)H2INxj0hxssFY&R
z13c!ow|EmUx7BMYk~Wu9GdB)ohwgA)He#v2|8+&2F}FZyEqJQ+N@*g}ZX-Z$^og4I
zucgZja5p=L)w1<dak7(*=_HbPKZNr>@?4CtDYkOXPm^nfQr@qOD3Y+sz|yYf@cFy>
z-pSHZ!-#j4wb*LUo@JcVpRL0;?jJYy`!mvw?Gk5T=~8=VZq>3`EB?kJKg1#+fAG{{
zCcR<fotfDQS#RDBSS?qxrrjG3uBY*-ggq3rs}G3RX};Z@H>*vp&n3-$_-c|imAA_8
zYzSeHI#{ThBB}u>*L<Q>Zunh9M@HO>l6DNC03W*zt0G^=X9xfgG{`8e#u#RM@}lh4
z)30xeZBReiT<Tf;gZ=m(%`wc}sQ3JlE`zUG3l4;y_xCQVjc%ozbq!@1)Yi~Df4|q0
z)k<ck9LxS7+o&<f$iU~LVl;CuT`zlTtW=jaOsZc`*+3|fjVT||u(3k#v5?*q8X62$
z4su($`+9FtoDb1o<-j-wI5(eu?)O6h$D}N{yP0V|j?1i{>&pc1TK!a6JUOK*toWqO
zZ%=P`+Ck!3)vRk^m!nfkBK|$(U~9h>{v<5l2>uT7R_Ua^c>b)ek=p84XS|#Kiw5;W
zoq2|736qdMUWPHi4+jSy9TrZ6hP4jsyq6CTduV>E?>quf+=q>Yy3hB0mE*!+Wd2V|
z0CFoF>>I&P0Hr*5RcvFbiC&_C8Is4tnj;%R)*|yo2$zuJ#A7`)OmyNk#RKgppR7V%
zGi;7s-z&FJ7B3ud&L0$-byncJGt3=AC|Y!L)o*#|_eluaO{}~dF^kvxu?t01ghjO?
zS{gZxZDyK6c+?%iM&dfy_M;s~n3<I21J8zT#Sp)J%HFUEspeX(Fut^ckrdK+ihir|
z2RETP`qBy5y&YVjx&%$xVO9*q78&tiW)8j@5wLCGB$Yg|XQ^a~yRyz%Yr&X(?DO83
zse}aeis(8~Xm#6s^2yzx>qA)eF-wOWP7l5rLr89EDHYpA?D}ffq%2H6Vy*$Jt+vtt
zqDr9UV{vcR$$&q;=Ui$EwWo|L(vaX8!Dy9W)%Jt-l=%}nalSc{Z8OXy_Hc4KPuxa!
z$UCX8wx07^t-)^yi}N$?V~q#!hubgJu%lsNJmUd0?YxS%{_*(hgsB2>t%>EC*av(<
zmOA11vPXsyR8H%BfjAS_&xzp^*bIVD?yw}bkb4klA~nO+rKpYf_S4)nl)MkBf}1R8
z^{He#XL7dd!sDTN;rl8NBg;LIt%x8+7E9t*d)s7U25vIBx`ZJyL+e<>X3z98l1FG4
zNS7LofGH9^bIn<HIlt$ypC{zzN%3p;N@Py&;gtL4WhXm(Vrh{SO48^KI@UQUJfoK_
zCpjxyd#g^2-zAj<6+ihqq_~&DPTkjY^Lk^BFUyog?~<dbaxXDQl*EYm;!?&fykj?>
zq8T}Qd-HgqVDsm-&0T3p0vl)ltJ48U6P_{N+LM_;uPWC>-w^z$53rLIT&C~SUK&g2
zdUP=Md8q=mlNhugG0q2fJoClbC)lTQvblD;zA-~O-L9)0#whamuJ7q%an;>_G#^+V
z;fIwFlRDPwDZhAA7#zO&y+=j_JL2IjhBb)CiGW%mvRC4`%fFm&uZ<;AI1fr1Ct_rt
z;u1%EiRA`?_Dv|;BRj10I07+&K7Li{qYQ=&gozZcgDtBzEU_J|$R%mP+n$-^O1gZw
z<b)D2{4L7NVPJ!w2w^OgCA+-z&7-Bn4>Db~k#QKT(L_i3J+LRb4TnWNcAHfeGRLYJ
zLc<JIqc^gu`owg5{he<<$sBvR+m`srM&lZd0_t@xIwxH+CLWftIpyBCEWP(&jhLY#
zz+Gbv-E8!=%Db|UZU2(L-*IHVS`5<uRDigh&5OcFB~B$_rcYKY=0gzvv1w1*L-oKg
z%Iv=rx{Uc4mC3%N5D@rgndZrx`(!g$1FjB1nL1Ce_d<+MQeX%ree&+E``%<N8>RAv
z*VdFqIdIr+K`eKgz2(R#;6AL-hAho==~sd0Vh7LwMq|aUM&ZpR2_QCZ1|?cjr?(>*
z%I%a$0;0)7&TW1}uWjp?v>x&D*QE~gr>w<d{(c|Rk^=J$Z7CKzdCO<X_8)fVoxwTf
zxM}7n^fFbSqiT}z<>qpy7pIKK))V(z?BS&EOuw6uP?L^?#Yai68*M8uc{FCd;t0ie
z9+i&zE?=Z)5YHy<XWt3L#Gm2K>)R$fs9WCJ>r>aUOzUQu;-ci?kc|K<I6D1puznz&
z^wn*qH+>?0=Be(Vwppi{<ly~k+0luS!B$m<iJ%d<Jqr)?5>k6KtTj{+a;ZomO&153
zS(?FQWrOtzt3E}`0HEdUB@CG-5_cDACXbqnf8pc7>&GkINDYYATcz&yPB6B56DY%D
zlUXJ-d`t~{%mwDvd;`gydQFlwpAX%E;z+W`weQg9Fh-KjFZBvR4Mw;2A?a_am_8xt
za!qy=pruaBl!+$L$GYq1$F=89Xm*{f_4w>e<clgBUB)#w+{ZxE(<QE2^WSr)#~vdH
zHlx>QKUtsB=U`1dE3ZAEZO(w7XmLj7e(Nr0et0+;h-iYioP3{Z6xU0y`3K{}7|A%v
z3I5uNO?*tpYV`0!d}~&$wlIuz<76gngf5Z1@=De=!%c=VFJY!k{{%xHRrOl}twHv!
z!{stYG7cIRq1*QbL$Fu3|4Qf>qm}N4s0Vt_ePBv<KZua{ezfOq_{#;q%l-ZUFPg<N
zSnW9))n=_!m^56j(pRxEZzRs}Ufo>*wYxkry=bruS)WjuJJ}qQn@6+J$Y@+SanD!z
zv~F=KyDU;Kq|dm4mIxI<=Cn>i)9W_F(9}B5eUn1Y+@cim`Y5@6%<Nvz3p=A0o39f-
zXgaP8am()bt&@2K*58nwS$_SzPSzV#(8~%4hV-YV!z}9jxAQdgBZPR5=Zq4fo{)v|
z1xHcJ{>j-8G5BF~&(w7%$8DlpEBQF*Lir_?v3bzp$X0**d-~QY2PPV+v0(~XvKN^c
zSS^HegPEuH<$&-%_wpZ`fuSd)O~W{Lm7i~y>7Ru4zuZSuG~hzy*>6JsWIVi-0pT*K
zPjgk}Vnb560vKMUO_uFn?1>$Qyg@0y_xsb&A|($v8tTN)f84Va?iM#7g1kH}@9_PD
zy#6C>v?+q-S+2eP7fVsY2ACK--tf!6CEx$K6Kc@BnP~>uzb;h@Se>oak9~E2Mh3<L
znh#S^XZ|xRhjAb(HPv@$E?OAC&6u)+=A%RI|Landn5dM-%i~=8Gm>GTc>#e(A^#*c
z|LN4M4v5O(-VY1Ie?{{D--F_pK^<DilUUoe^47sp(0GeIsUSc9`pq{rKF{81pMFis
zQ4VEx^*EN+$dNue)wZ!2Eoujt%dB#>B<cE%$E?{$>$T^jKxZ}2Om=(?&@j)f$q~)x
zT?t099BL)Ne!>2PTqc;LSbT4|k>-v?lx0e`tJnGIeu>wi<MQ`(8I8drwTpA!Pz<U#
zaxM6!r-RBnZY}-cj<*6_ngXYpDk0&vj4q#(!Z3~v+uBoC6kyyic+RyG!=B9brmd5l
zPX{xuqz5w;etD9~-an@L1fK`!-wJW_o)}imZPGj547Be9Y$AX>$}@W^cl^iHDq-<^
zBS*(jM&@^(t7vZ;cCE*H+rw%I@$EWS)x==Bt$-^!Txj%Q6Kw;a>t46e<ZzuI4kn>>
zoqk1G(MT#X3rXTL`r9SbekW7(&$*W0NT#UW1eMkn?s-HjlvAp|DujAs{-#LW%8uZr
zjq`L|NZUue&G<>5;~b`eXGIo9W*u)FrhR#<HvIK`4u6%nZ$D?T-T>TG31A`1<_Oj+
z0k+QuAj$P)vlRuhSi2!zr||0S9x+=<{c23UVq3kdA+}M6qlfY_&_FXeZ-8v52zXtB
z2mhuY`ZFU@slXTGvN}5Gb9QLHj4I7rPV)v{2y-n-SF_d8;vk{0ZIfGoU;37#RluAr
z?~CzmIQ59M7Q6kIlcQRjAKSd|Xbns~DRpcscV4_#h%8wfudGBH1)1NzO$$byxHgd9
z`$vtC*8ckBWC{z~8#p+^ms$Q;y={`XGi?Rg_^othTBKuh-LyHX%~xIT4gC<b93`Ta
zG;^8y!u8ImMz<=C81E{X^dV4+P_b$fmQM3ME`u)yJ{tjIffU!oh~w*ASE7l2m9FP%
z@g7h`sQmFC4FYY7BQTDen0*Bgz!Erz6a}xowWhxN$Gd=vu`T~aq4Vu|I4W&~(%%Yv
zTUGc-lz^v$uZbQlyxny>d@}`vM9}-lnd2`3t0a2`T-NQw9%1yA<C#$26~HFAt!~Pp
zkUao1jsUBaO_pX}2|lCO_tnWVhxgm^XMj3YJ#hiHhPB#rAB<<A5v`f?%uG|y<t_0&
zxmoY6b`IBew)nu~_gn$^q^|z<V7j_wxJ@^_as_jhc0RoNa4u;N%=L;xC#3r5OvOb9
z57^sD{a}0oo+Tm#DXf0&X~aZ2qjOhXTa}u_T6jEcBi`OZaekDC${?dbYCGypBWP`b
z@x9oNSA0~qmwu1rgsTaSJIAJYEPcskY`EpQyYx1<x8p4r3OIAtWMRhnCan=Xtk+2U
zOK42C(^K*3>|drJW<mswfyn?Mw*I@_$u&$eLBi2N98eU%dtn=onqB~cTu&S1GAlu}
zw)V@{xipG8c`Ccy`){g$HY9~_yd2EY5mH(3k6!~S>-~6(+1$#t!bTFYF8WAAxmndj
zfo354t#zCX0aAP!_cp`*E4B)B4uRgl!IFDYKA-BeDgj2u_MDI-*$}u)B6Wu1FK+r$
zXRs)4Xz+ZFO=I_-O4^UT1CA`4k^A4Om*b1XCKGHr1&0cM_)+p)M*(|9O7LPvC{JNt
z%~6MYAc5G)VrE)0*6R{L-TIb4i1`a)HB$JIxDlkDP%FeH->AaCDG<|blVs@wb>z7d
z?UfA}r{{8%V%c-;)^oOh-D)oi38xqPnL@m5I@$zzuipf{xtIgkP}}Rg)F$%ZBj`ka
zywW0*zt3q7Xlrkm(y*TEJIg!t*Bt<v<K)duW<*;I942CRbQ#-#M<a0qevOV-4ncU&
z{zx6#oUp%q$;oNtrb8ALNb;5_)!G#*SHyiQt|u?N@l6w@Y$B+Ac=KLIhcyiYheRO5
z1n?8_a4|cLXUHG0l^Ee{ua!_am2b?-UA;tBY~1|%RT5wa9k=Tn{0(1~BR0cIOt?n{
zr3(NFAirReeaH`dHsd#+ew}q?8B;ur%-?C*1bo2hdJLpSiGWRhm@|)Xqv89Ixpoy|
z)Bc-jJ50~QumHU|@5k{yRAEWaYqL3sVDI>JbEOeD>sF=VrPhl&7k7Vv>rOJMV(19n
zc@$k96{)j{t)@$^hWcF1mVX=L+IRk3r~Kws?De5I_Ajw2s$r662aT^tV?GDwD_ltr
z3MMwu*BL+r(*?Em3^6e&-IT|^E>SQyc`x|kmQ5_%?Vk%M&#uqP%+Ww!Y1Q~9>atWO
zAd3Pl=={&bq2N}on==A*WyLRjERr5}KP!Gw{#g2kiOr7>O0M7U;g=i7G=aX{L(Ggc
zUQ;;uD%A40#9Eu<C#2AnkS&Z%h9H7gsAq4&)6PKeHzoj+U-`k=qY9BG40P*Au4f<0
z-hS5Vtr&xkf7ReL-v0UYn}FH56$w6tOLt*UivN5#L}somIuN(M(JMDI)uZE;Y++gx
z!-OKIBiJ%4H<SzI1nh3TeW*C8TE*6Ig-K?Tm1$bsx{3n~+l$4ox6QAR(wQ7jo}bO{
zxkqXjF(0E!Y?fnQZEQJ8vn0Ch0l|q%Nj^irbiu)Ay!J28gN<pPZ0IF?Vz}ocmIC7R
z&xrm6O~n}UDysr{ve;Gz&#tARJUg(H<pZBUM|gMv?3svpMC+5GTs<+2S4;pQY=Rmn
zxw!7?_SiPkmhKl$@^HT{i}&8nEz4-W|16y-+~(}a#qTB8{Ifco;Fmg-vXqa7qM>tb
z$I}oYQ_CHrXuxv0=0T?rjM9tofzO!lY>-X&F~6Uw-k+d#{Wah43a_4sDfsLF<K;@1
z6ZMs)^T+RdCF}tNxc7rAueoyVM|i2ZCb;#3>jY9aJucyXB_);{5C_(@p6y@D3a!`m
zT4NQ?Kb+1}1wM^r5O0Y8%L(qHxFk)X($bhPU0;sawuy<t>t)X)nF_FHad^Ei8WSBO
z65K^OE7NdYKYas3$$ly#znF2hnE)ky|7Ch*Ov&LrigV4DkJP+db14ownV(;^_R}y3
z<Blz^5^EO|P3H!31+H&S2;e>fi&-G&{BS-^%r16cee<j=;@)1n*m_mJ+3T*II&#-2
z*$-ZaTZ<71aQDKbJdAQ6RP#|eKFDeO$J4NH)BOjnJtCn`?#e)!5?I-de4ag*r<c`T
zNk9*(sk`a4(Bw(J{R0!s(t)f-x5p*rG;YHdDy_sW2Uo4Sm1G_9p`$lK@xCkTBdCHu
zB=O=fz9g`=!^V5uv}tS;NE;%#@z7=Ad%gQij1om5_e(;#S-fG^v$h8XW!xqM1%Ko@
zVuF6yH)dQ{lrz5lal}LXx(H2EL<P3dMG6-eK1SUp1&;Jzmz-TL>hR#=BN!Z_=P0WB
z=XbVV0_?ybr5XRn9WY1ffqZ|2Eff7mg7<$K`TtnB9^M(m(ahDg1fuk}Q;<iMAU0>p
zf;EA1{O*pWvFBQO=38zZLE99>t0Y02LU6>6*jBDSmwQbfqRH0U0gU5z$3Tx=`4Fqx
zQ6Tul#sYYt_Q0vG0}RgAAVU$f{J|;)+$>LQ*jty*!4d~s`1%O&+!+IDt+T*&JA-LW
zt=9>-u`w=o6u=j$ne%Vs;-2SKZN0|m$3KB9ys9ok;vZ^K3fC12Yzp|DMe02!z?+JJ
zIvhneHFN3qzq2XF3G-{zc)4T13;JgW#pCl3j?{dhC16SbvQ-iVTn8R0jDWqtZt&~V
zP>t?_T_E?3@l-4@CkdF{k0?&OFN3kaV$i^v-x<h0U71ZVPy|>cpDq6Q_{8!i$^}}G
zZwt~DEA;<3s4tVyS%6*Apaj)TiZ21sz??hJv!XUa;kCRfa<#E}0^zkvVxBUXq~Q;$
z-`5Kf4C7k!J>QL|ciyPiD1PyjOa1f1u_qHC#mfeMLqXTBgtB83V!NtM`D2g|jmx;5
z9_`wI{Mi-w{85;~ffToikenJBYc#d!(Zc&xAXK`|_gA?)?Hkrs<I<%t|D0Nt8v`C|
zW2AGF+r3h*+%n_JZIz}lM)8d*=47)A%Nnfd8@(YqwLUU&*b#oPHHiDb15;t_O$jC#
zz)I5$_WM9Q@B~0CIr9Z5BFGJK-<}&`i`O*<ptXP{68<CA_spH;gp3xB$lv^~`uQ0+
z#`IDEgyI@gOL_EOzWlpVL@SQ`f}w_>@0pio<Pkz`t>)NPr_$91(FVYyd9}x`qc^?p
z$>!cq9lJ!g7wj~oyPHkZhsISP4|(ss)2GlQBZJ?cspj^p$f=9JRcn2sTCWzPQ||)Y
z1M*wZA-gmQ@0C0$_1d$e<p@F-?fnvu-4~v-(F(e>JKG?^9|eN+_*$yC=P1UK0UY8k
z-cTRm|JodE>izL@N#;Y_c2uU%!Mr$_(@R5?0uKkB5QFp+k@&8#y|v193AY?0kL_+D
z+VqG7$$6mIQ+bs!>Vs+$wCGgyFVQjk#;dkrHK)KzfRSeA_NK>YwCo<G*4+BWwjXB~
z>_cs`^USICqhl(-aU|<cN7=IbX@{)4eliM``KGzgQM={t9DkP~9RY6q*|LX|x2Gi*
zC#oyO)U*zk(WtP}+4bq-A${f2&}A7Ns(mu%voD#cM901$ZSOv>{wVg4_V+P8d@a?%
zoNFIFORDsV$DcHE0AwiEY7&PZx>Ll4E`0?akz%{a2_i}!Yg$3;{M$XkjhIS?%B>Er
zl+PX@Ba*2vv>p+ljA--91$OjNApS2i7@jt64}5u&qWOHh!bLTKi4Fou908WY)$_CU
z^A(Ke24lO(VfkDo)nJ8u$+ENkH7mCeRAp2I8{<ObEZ}fMv^xrncM2>^r!<%NQ8P{m
ze~*aMobYs8<EgfJ%C8P6Edl?^JF8rWY>%A<BQX7gQrzbfgAP`K1(LG}Vi=a_O^^dz
zEt7<L5ehqec72hTCX$6tJsiAHHl^kGrvW&<Ty&7!t`QS2Dzw~{0pMbASA~Xy`j@{@
zl<Uh8Vr%xPPv^!Q#G&LElR?%}Zz38RLoep)Y=gmFx!%GoJ`fQqCk~)-SaTdfhr1f9
zc77<^fE~bAlBqT|ldEku)JgvPmJIg%@JD6Jq1L}W6VV;+0z82lz^*%9d{evd11+T!
z1Al{CxgDR6Gb}8j{Jm~kG>d}hr4ajO__Z<&UL8k;-KJi@V~qM{AC6}b7A}$lh7@}Z
zXsY&f<!%gMDQukCzujT`jnj*gB;@1ZxlRmMwXDzEB_vHJafvOMO25lZkfs8xZHdRY
z89dyGhYwHy8jHaR#GQYEt0)YQfk~4@0bi(GHC&5DF(R|<&!Gx*(G&>vvAvwqi6x-W
zuS}mw1(p})!wP4PiL34#Sx$*46XV99NCK6g!F(DvA5nF&DT}S-H;$djqSGI5d{1=+
zl~iR%UU>Sk8(#iR{I=G9oLBe1IZn9Ge{|5FFvPtr*(1eSX46qn7aL0f&puwV1OV{G
zGgw&T>M;Ka!1ZefQi_#m3o*z8qf@DuWv9Ryoz7+A3uA9Q<;%FGh`1Jac)g{*23Ua(
zGw$?67Q)(9-btDdo9KGBbWl~}r82jstV(fa;!T%K-z5mFK~WM|YKnK<hVbU5Eu5lJ
zbP`@=C<UE~siv~2mj$US?w1<|2GhhnOT^+l*8o(%Pu%omSYv9?X*t;d1|JtSI6K0d
z8F=f?e&+GGO?(&t=u*k7JgKovJjvG|vKqu`k%F2n)lKe)4j>lYDsH|X#I!E1w;-tw
zrx{0?*BDO-k2UE!q+M{rYx}|c4PpkLluQo9f$R9?8P1i|?~-te2`*V|@;NtmE3l3h
z1{(u{Io^W`CZE#n9fX>mR+-DIvxL$>w+0>9_b^iV1k@#bx+tCic72(cj|Y5J*)3?4
zO3{aIt@j3Y2+#Z}qcQHyBd{zv=x~(aHHUMw^Lk8P<Rq*^iY--?SvIH=qg_lrjDugb
zPy=)Ip#!9lI%(%JFGQYzW9a%eQx4+%1YQ830BV&*%o3oTY+ydOP2z?7OoTR9iBq91
zP2q@%;Z}j`Xssh#aL6O5CX~YX(dkVw;%a1v_G^KEkx{&+jP>LdMBUsc9AfqeFZV&{
zZ^9M0-_a4|rI5z5I={8={yZ(thO!j+nX6YBCALeA5uN4)KE~aAdNYw-{r8L&<f^m8
z(D~k^d})b56qLEO@upFLpJvNbChI=h<-jpK$KmVE63!IdN0VPRAJQf9v6j@>#j{NZ
zvfY1UpPt<3SlfdzMxig!ZKop(Rux*&D5WCSH+Oy-H%qOYEeJ9pCH#o6kp-I`NYk#{
z`}58GJ6GdBw;7^zH0Bo~?;&D#E~9Cf-#|C@lbglNCw-i2D4Y%;N`ZmQ`54bsmz?sT
zuv!mO$Dn~&?@Pg0aWw>{HqJJceLAhHHt;lxNhTZQQPe?{s{ttms5f%Q5fRt?l&GE$
zWJsDG)LyNfyuF9&vr^Ws+TL?1{vGlFj_&M<s5_`g(??uW{5f4s))kAMrbFvFBjWk=
z#a^~GCiuP@V%xhnuo`wa!}RV@9*M<EruaHKu@7ILYyv&kx(Rk*VN$Z~OvFR>kjtd)
z5;7dx^qX~v$j8rZ?D8BXc_UfrS>g4Hm5f#svD7+iiE7EhebuV|r-+=XnY?=|{Mt6h
zdk`CpUoz|U=cc6BNT6MR6NNX{z&`Z5&m;u5-Tfue{z5`O=yC}KA5Tw+d&Jo;4uY2-
z?)Qa8I>g;IGsX4YF`_`k=LE6;KEN*WIIafjG4_P2b>>T$$EnvTLb>eF#AM%z*YVuL
zgsvcHp2}fWd>}0Pxb&}D7QQ`rG50^aofwT@SZ*q=xgr%UHdFK?jzslc0_=t*j3X@m
z5+uD2r=s^=>lrBT84%ZvvGyllWgUj;Ft$I4DKI37_LO43LDb4(?G;ypXuWpU(s-*O
z249aMn{fBaoJjeS=^@%LX%Av&`jSr6`Ev?jtvBCw#tP^cs+KX$x8r#6QFd21Fo`Av
zU8SwaPTANo`pZXhjIb2=&Rcb7$YuH9Q`l+h;d=z#z{8)&pd{F6#oG20xu7&ibN9t8
zF3dRDl(D|5RXxdm_q3S3o+v#qaLZAg+G-%{tu=bg;DqYl-lLdM`*lN8tMI#IKc~cJ
zYnYVTm=Z*GS+JPiCX=>XQ_1k13zT@4K4^JF<*29V=zs9$ci=f|hke6yhCt`os>fh0
z8?b(m{S}D)K)Nk+BXON>>3phZPq*(jlR=lI%pF7IJ^dSX0fMBb@C627vr#=LnDiXd
z+7Alu@@!8~kk?`#p>Z#huYwV@A5r#Nq}@W^+al+f7-sLTBGogou4;H0rPgqrzmQu%
z@Kztfi(XQqcC~TUtK6WFF?47xPMo@yuu_I9wj?!Qrb+^-T2eio&T?HcQ4q>Ik+pdI
ztDaF6IA1fxa3k4=m~QrX>)iy#4#qyVnM8gEZoWV=|B&zMzS#!yk=x6C+vYwqpfpui
zUTLo}?a=rPvBW;p?tn-^q~Pt-_+Lg(Y|XC_`SVWlp!!^DCwawOmS)#*B3c_2C?2of
zmaL8OY-dy(<_khdD@N1Du4Ma=e9oJXA23T1B%_`ocUb%8yTuZi7QYbrs|FUprY*t0
zhTj7F9YwcI;u1w0v%O`CxtS8IGNBfyO-9JD1+_=AN%pcQN+gg5azs4jd)(4``)HO)
zP*jLhzZzi{xXwiOo|#p@+JZWdMatClCnIS+fnV320;(g+CBe+KN7qOCX7$TZA^9rj
z!0}(|2`T$WW`pKc4ozI|b3Pk}YI2MS{8+!8$IH=zr@5BWRd)Lm(0wLe9jpO%))q<E
zxXcgnA(%+!YltwJKk4JiyC*fgy(WJ42^uWoFd@SKy!dxDH0mw}S0DxSJGwbC!|@kd
z!fDM%tTjlRwHc^ZWZ7Q)3c<p<F^hQ?fW=1-FXrjT1;)*?<8y~+**zkO!EOv|PFt5G
zYfIz^UZ_&*ew$I141}VY8Us2{#2Oe5{aD4Ejs<Altg%xOyN?gk*(Nq`{vN;K8r;Ww
zO*WI$Uxc8;1%!Nd;epJEzX*@bc#_mU#U`2e=qkxt0W9hGjrRAI&KyMyq(#R|U*G+{
z9sbSljWI_#x^|4wAV>cw?+5QHssL$~pJnhrLhC>O`+3P=Bwt;ktN+qz$v|zqa+l)W
z-;o&RXV@eJsGdUc(l~#Rz!1MCaBF0@A7A~K8Y=|e*y{fHUFu&K;|FSNQ<%EUzZjLP
z7?s%R#vRC?7yCb5`G0OyN<xvecVD~#nRq7vH2WV^;e$s?cfa08sZ4?L>H>^%_vt|r
zMQIK&t@d5MN<;28xpxa=N*@yjptVxG@~Oe^Fp4=}4^#h+QSpFiVvF&^1>MU9HJ>06
zLhsd{Y<1e60~l%rWF@^%q~`_UAD&6>A#CPJ{1|;t`t-I9d{6J%;$z@P^+p4+!~QP~
zCV$3hs_WJ=L025my44;owk}z&zf&BtuwG1yhkZ4mD0Yz{^#-Ge;|GwIbv#u9PUuc>
z#*b}8&;bL#tyrJt*WGKynWthrexO>a9ndp^Kx^xc@Qe|?ePNCvA;av@U@e&<xmCc>
zMA}yDV#*PC%BHXz8-Z3ODmIs3vH~ce(n~m(sr0Kc1?v+Y%iJhHC&cX@@2}foYUKZh
z=fL1UiYfL@U^heHX=ZCpM=%Q6CNG<8Ow~_oX=NJh$+bpVCmG4;Xy#V$JsX+;Oht~}
zWR0yZ<{1STWyfd`;JslWmdrPC%^w1^OKmm*9`Rs>kyp2M_twTyfKyp;8v#D-RUj3)
z&UYM+gKFQNSVE^BG@zmhmcgCn<gS3AJDJ(1_W<keT*-WQ()?0C38QQwqxqX=jB*)F
z=ZHLA_dR!Ny~-#trbio5j*bwcE6wj`)mVtH+35Ol8LeC6RW639jdwGd4StzqThTr!
z0vzSzF1rux#>)B_ymubCMQ-3=`G?!|VE6${Nyjh%jjLbNfK;~EbWQC*W;|x27Zj(K
z)i5HaE+t9&`c$0$QPS$K_?Lw%zTPJl>a1tQUpFB>fQ2f5p0FMC(qg=#m^f|6hF8C8
z7-Qd`Pj3`!6=m!ik{f_#02$8n+4J4SZvX)8fv|}=)NKN#z;VXE{28cHDFA&O0p(YV
zqY4D>IwjVLTr#q<n8?@A*Cqp$V?`Q`h2QiY%ywHqng})Zf;pdT{|gR<5vWLC#XQr1
zL)ge=t$ZGc8-puF{i;sJvw%S=1z;Y-->m>kXhFJ6@F-yAY(a!-ukm%s1ql63)B&Vm
z1xUaGFaW5xOcsDEoXNd(3i5iC`)5cyaPK>KeMV~TfJbW-s7am<0ES_ur_mr1<WkQL
zw|<Qyax0c@4%q_2X9bA-&dcpS(20d(o1xqkG2a$Kp(e58MIf@T7Xgj5vLJ#%eDnZV
z`$#pa5Dqfx%!T}G#JK!J#7v=eSpYDVb$fhy{PD+C(sW{++^gPXOP;_(@G0y4#oe0I
z0=K07TJV8kZqh#1v_qq+@O0n@VK2aO>;e8Vi1a7C&K&c22`2`zDmi!?x>|Yw(c1^`
zN!;MH!@iAG5-1_PGb&Zb<hoJx095OQT!AYih7!11sGwhvytr)A<QS!PwXl=t8z%E|
zPlVi|Vvt#h)3N2R@=2b@&>Br@tr7I&61Zpp)5b+-T0B333R|WqYFg}EAhE0JGV^T`
zJq}U~qhXE}=xO)d1g3Ojv?xD=WXS@5V$QKoFML}i-V|4D8I&u`w=A@F6(EOsYYrMV
z-U!HtF=9jN_3Iqg=z7P5aw~;o?LsNI$JkQ^;Tew_#S|)$Ps7R`i@1J2s3Cs-Duzk2
z$!X{y1WQO0sH?C7RYgUhXo!vJ8ZN0m2j=M@j-8;?slu#^7p?-|FhMd|W0dnw43gx2
zPkN9GtJhR5a&Lkv2-|6tJO0WBrQNx$fF#xiOi7ADI7DL38mgfv5|kOWA$?`@ax18C
z82hT3w+2^zb4>s_-OQ{K`@JrJM6|6ql&XPKW&<__DMB*A)vs}=I%7xhGwtvN^6HC8
zq=>pWn)O+yBlt-{$%$r9{A4gk{=;->4REg<XAMMz8Yi2`T1+K}_sJnTeEae@ptY7i
z@D(R))Ge}z=0d;2)PCf!442u(+~p;r7TdqFA3WE?rmVL6`@y}%<!2rI#8DbfcU-Os
zmV_f|d*FAr?Z3k6Hs%;-PF<_mrd<kxVD%8{&09+@Bl$)$K{rP%Z<j>Juqg-0NhC+s
z5KuOm1ldbDGf8yBanpLl5Y)3~1EZ=w93JD9;CWd_nmXyO)pJaZ2TF~8u8nB`qi7Cs
zFbGM@Lk+xAJ(h0FyJV;}G0yeUK3e1!RW*<oHXeYB;bxRt&|(NgrZ6o)s)u{xY%4c?
z?WLo(xjnIKkN<p|OLT9+rQ^Ai=tYCu7M`EYR+GbJOp%osR2sE0hp@Y^pQ;C(+q(OR
zuT_T+WolENbYfKbyUlR1m>fgo^(G4Aj$rke1lAX<6!k1_K!vQRkZ_KQlB}}q@@<p}
zX>0rzG#>#`gxewSNwc*^GOkC+)g9(H07qzxOFwwTPU%i6mo&V(j{!WSq4F@}igIml
z8e>L;^I7{lNuNmZy?k2RvU=|XN#y*G_0F$3dafhQt1YpI{c4isE-`Ig$s)JcjPm1t
zM>@#59x1~lxC54S5z|Bhaf|LvGPBuYCi{(ssYT}UW>6bN+e6v8SO9!Cy=;W{boqp$
zd@v7yAWQg8>D0I(%3PK)0?kxOH0~0Tv5pRF4pots*}TQ<Wf8gZ7WsI|<nD_Bdu3UA
zrUa@H#!cgBNOLdOPDaFr2AMx!rZq5$tQ{Sc2ds2<Rk$qA$u5GkbA7JSjP0+P;(JKW
zhSXVB1o37K6QA-M&S)bZ{VMckA(?!~Ca6TQpN>ksS0up<bq&mZ+#CE*e%az;&8aIZ
zHY&ReVuPu2?#x)2cW{@||K7}V>QlQj9p#f~eL9Rj74*Lh4J>1gCYTA)q%$?Eu`}Rs
zMa8%BKuHl(5Z$iHhWGMi%-Xkm#n$2T;xb(jfhD}lHjJP&LjDJ76JvU8)z@^-{WaS)
zI_#kAZ~}M)+k56!jA)xq+1VQ^b0_8z*|yVYf>^LtLqeKj3>n-p(3E*fi^DlKs;4V#
zmIDFh59E}NarbT?1qAz&zzfH#3!$?-T{bMUv3z3)iq7Pf6r{btlZGAeHqrd{AzCS;
z@sK5^{AWU~uUE=~KuP3+#2?SAxCeX4Nq{r9CBNp+H%i{x_GS8&GFz5$q282>sVdEv
zqr{=+EMhMz^P;N_ki_`7!Q@-|U+SpPgjeQ%LiLphewEPViM%AtgDC!_k~Bf~@G9?V
z8AMtqBRjIG4l4S7fn992Y>SAvC(Qx&kT9j`m?A~9T^MS&NhOaOsJNiQk~?Fg=u{Ka
zE^SDq(PH!LB`<QMzI@N1e>d$V+n#W3%2UB!^;eO0w<iQ{dd#dwYPJlQ%GLEfe{Maq
zOUW&BvUMh<zcpTHrpz%0u@BU4NmXWU>2odS`G>#&StMR!9m#4)XE$-<@lT3dT87}z
zE6k8{v*1onqWWe{n>USwvLu(rx^+gsjV*uK)%eDulPtyc_d?^9Ish|Vr$V!yT-d)s
zRr4l+wUcoyJ!wdf;=h0fF8~@Ro;G)WbCdrEAGJvVXoN#{{a<#}GmH%En-?zsZ#ybb
zj?JVpurK73;A(BP7yz_h-1nzpN*0C#n!lo`{>M|%VAzN8KvF)d7Nq%?9&QQ)&0h*3
z`h83O8<?GwalT7Q2lj;?jHwJ`{wgXeTDkLoHFxHZP_=&_FDawKOzv#O*s^4e5?Mo}
zA}Q-wvSc5!&5$i6jk2YXFj^_=Ap2NClx?(F#=edi``DK}*SWvn`+iE#AMpHs&YW{y
z=Q^MB`FyVT`!z3YcOH5DzJUH)eLgXZGUzk*5ul?UiH#eJz^z5!Nz?ZxD|lrAOD*JA
z7c)0$C7PGYIA8mH+MZV<x`=*|6t9L&(%cb(7#-$I$j2oqVsqj|uhxSui~itk=jz{z
z129B_GE5v*)C}xBH-O2gd49$K^9rFJ&Y<_lO!C81cRgdAesUx}A1APG!1tuoL-hN<
z*5UtPU8<whceOkjZZ3R%S@{Mc!MiC#<hK<CT|H(5%)IB(cU*s#%K~5;{axGhe_QF`
zVUNm#M{-m<W8ZIu22}a3K*9hXRH69J%P8o9rPA;y<Ln;~UKw(#HyBC$;Z%<T<#m(C
zYiIr6XBIfsqpL9p4@lk!P;Vv!m4UUgrulZ^02!uKI}XxL7OLa#te?N1y>iIQiPK&f
zfH6CVX*V<`-`RU03uMDZPT$f9cOjP85=1q7z%IoTp8(Xc=A93A4jZR-i>`Dsd;?^#
zXz23;?Hl>^zO)b+ZhRtY3)1O)5ZA*}fphCz=KsY6Q0FyP_5h`qjLQ5$1V{@E{V9nK
zuA`qG0m2(Xai(M>OFNp!sN`mjbCYlFl|NQBpdb3B#l!Nz>PrL2npOyx1}#wNV+D#F
z6W(g4n4QZhhMj)lQr!vd86vH<0HR~8FHYD3tQ-Lt@Dxbqmbdj&cb=jThm9uUs9)ba
zwDA0V%;=?NcnmAQ8`$J70;v#T2TbnomvS5NNfv<xEGI?8%7A`znqJDJ9PmOPk?8n6
zMnYkt+KA3iX!w~N+8I<miO_DVJqeG7Ku<uHXaa~0*&rJ$Q`>n{ymTJ0QD;n}V=zos
zM*kKN-zClSl!C3lPN=Rj?k)9lC<n!J;9-fKOHz&A2KLv51LA4oO)V4O(orMzkp)?g
zCtCr~%>-mGS)OB!?|3rScU~|?ig7dyGpt#hBrGYG0Zp-U@$zq}#NTh2>#-OIuVL@K
zJL88My#b&(CY+Jw{<WR<_iXuTfj5EFmT9~5O*o$d;@M=gcj(S_H_8cKHzkeSsGVcu
z^?`6M{VPCjO!@Br6|r*=gvW3-*%v9EwZOCubV)@(+BsTpvNK5BhE2ig+b%h#_Y#2k
z2xy+5Or;3y*7}Wljy!m)`}=){&|Tcca@35mB^1-hB=&^OB!emUmw4)W6z`19_ybh2
z_s%Z9Cm_wZ33gRJ#hq}tSU1*q{`=dVBgLtyL*_;y*DHtroKeq6Fh4mj3~P4|Glm95
zF#J2SKO&ep6v12^+X*`_G^!MWKIHM5v<ZL^5RgDYHUE;CIY2~$q__#-8e?D7Hz&%X
z>u?CpMz4%P&?WI6Pr5oi9WmW(`o7x|sVv*6w-p_1)Kxy>P`;dyW#WFBCDp#k*!@%C
zPsgW0X|1OAO-66}Nez!F-Q%h)B=3NC3&XwXq`n2722Hd>_dCq5-^@`Lx^o4xXZro;
zK=kSXi@8s1-}zUd`q5RKeEZ6C+5$%WItcbwJ!j45Y(ZjJ0`-p|CB*}wOHZ%M+BXyS
zuqd^GxN}2wYw<A<+4OczTa|jgQJ$}3#ekZs%hG>(EJ^2<f?KbA55f9wJ5UAAoLE!^
zf;9-aFg!!bAW*YYdq}bgVTO(I;?524v(cwhzSbO%li-PGUyKtiNFW<Z1v#W+-X;uP
zgQIjw$Y(hL#THE^W#h=a^1~9btC1@MKP&6pf|j%u^DHcq7B_6DD;;({nP-o=biQ{k
z!+6<@^h`XQ&L0;hr_zkVTDXg_Oyyhe<BL%3GS;R>Vl2#f=dlZi3-ly1KW4`t&h=&J
z{aH`K^y&DUj653?ztS@wW&CSMRQo9mM8hk<9RLY(AlXnpXg(;MIPE)k-5;V#facDp
z`2wu~Wzd8%0{s#y&^{OfRV<(fB9l%!#WHc1jlDqfVS%fjW0s&%ZSC87+$hV@vTkg(
z+LQ1>H|cAZal<-h=u3G|ePq&fgIb%il3hm1a-00dT)c*O+h;}M+G#cwZ+jP)PGUy3
zS-}?}J(TNd;=<i*Sckj3U-T0WZ$|p|@9EKb`)@pW<83Yzhq&3Wd<5-)Mcd_ClG~2Q
ziMmxan>v%2Q{5VRPc&*RQ(X<k1cRhL5m0B$hH6T^JiH2~?Ks{={jz%1X5awPh624N
zpvvxqHi)#^LHS7SD=*&KS{ZoZ;0C^Lkhr896f-UWaasskHQfM=!>L4Y3m@DBHODk)
z_T+)&f`g|pid)eP#L^M`*xXR9MLFcf^Y`G1`|+5RnOo@$exaOJABj}$uiXCWU%op0
zaQcfj(g!Wu0s42<j6}Qsr+V@fs0WdU`v}$Ez&8SqdU&%nWDi64<{GWf4}y^9=$Y{4
z%lI$5LVZ-$WEl7|pvq_w*K~@_PRy0~vFO!ujk)%%>tb#U7CtL*jB967Qrx4u@hvQn
zR;-&;-U}D0P&`FYrW$&qH`hBo{XOcC%kx+-^vbib>DS9XSq&eS@_Sb{)2n()-W@<!
zzhNl3WgBdIz4PE^e}BokS|+=1wcNg%d|HdZbUcs$nahYflR0M}Tm0Z1S*v=!{f*__
zEIkEf>#)~4gqC$hdd9f&sdWVl+R@nC#aSTeDZ6iIT319h%IEwbda{eZvf(q+b*gdU
zg*WQVEmR|dPO!KKU#w+a#Tn-?+Y|mn$6bul?^qyl<y%QphtM_ItY&2D(7fDeJ+o1^
zjSlL_9C5osbopmzF!@0>wNnND0Gr&=I5}m|Ejh8B9VcbcyuRdoxQMpeHjs=9SZc&r
zCt8)Bm|N!VwJ|Q=`W|2T$#27~BhzkNX{|7jJ)+cw%7y8_%8IV)%j`<D;0jxsE3<6R
zPAm_@Rw$Dj8So{UmmO!8g@->X^lr3D$(<}=k)yXs-5Bh^`<KbpFc;-$_E6RX5TWRq
zo|60uc(3rogxrG1EWIs}1OD=_I*Wsr^4%__pbW9ud<2H5&DyX_t4;RJR!;YebDR>6
zeyek4n6mpd8uuhrvz?2xNe$JLk(vgby#gq&dW9w5V0Qrt#GIOy$ebYhJ?IK|0ek=7
z9iSKSkX{hl^Ujg9VIgr3&p-@7yexempssRa1%3N~Uj(tg#PJQllbQl#fH~q$3=8HH
z-+g%x6Clqk#z)*1Fkb+~n?lfR>;Wc{DfQF$4{{E7)2tv4kAy|pcg9x!a}VU*k=98Z
zw!J`7)OY3}=+xWc&a109(ZE9Y9Kz?QAF?_^hq!l``6+Xvbc5gPGgGCRtXu_@-2BXa
z0prUw>4BASMma^ee>A=#*XQ7*`Fssl&acB@<#{SuMSVtPZ3c-d#k_KH7>%a6cHA+P
zQ-Nc;a)TuboPwo_(+Zo){fzo%xX_t*%1-+Xd{ZV`tr+mG);D|mB;=U6YY6{D&jy}q
zkd*htQuB>{I=4BaBZ_^F$T3*HXDbqi>*2m$i=@$(?b`-U?Wx3W$pS!VO`q*l@%7}q
zA{F^48o9)&X}+^!@vid57jI!TH|9`LuZA3!MnVUZm?DDcRvS!Hv|8UJJtrEt78D7=
z4MHpNhj7nL1P(4QWp*p>Zm6tc&n*fz&be&NbhbR8C4S9|7N1pkuc@PS%RE<;D9=Fo
zYq(HZc#bY=^(V6YB>efjc(+{V_}%bea+0k*`JDDCM$I6LBXeY=oX0vpR^(0s6(z*6
zoe~n0jet#TAD}0&%m>b9k})G<s@;s!lU*7P)3%QtqzX}11D*p7RMc+*!cuKs6utzw
zO}ZINfW@k1bx^1FVF!Rcj5}$-_-p_>XYuCGE+CrxL3zs^v^um55J)ArAf^gmDEtxx
zDFU7jxs=YPRJocgux^6B9XquKwi;@tL4VB*Y#G*|jo?pkGBu)zSPtt%Q&WJ6a4qh`
z9B7CTo`KrPLoZ=qGa}Ch1B7>_OOh64B_1QY>zeBG0;KDkHx-n8nyW_cR%=`nl2N*D
zwN=)(9xT(xMbGo-nc)R;&^;^w+j)C<rO4wKYTed)eOGe~DnpYJd?xaAQyL=H3{%XE
zuw$7W=w@#u`nqcCYG?Q9Oy|_S{BEgg%@K*j>J|;#phRkwr>HOnE`l8B|J<UxQKh$(
zO|rEjv(^S(JY6*%saE|xv*?XQ9h=;6lpgqOSyTH;L%4%GIW}%}vkeVm?B@&l;b(l)
z;7A90OVz2oYQ=hDK}Z66o(Ip>ob3|yp-nAj(`f~tXPlPZvVo0cTKA0S>u*(knU{J0
z{?t2`bn@mKm+7~GE@URDZMd%xyF!@Y@im9fT#9A7*$2`5%>=XE?CvmW;*0*lFzHJl
zEq?}tW#T!df|*$sozUq%S>uyN+4^54Stw&$hXo^a>cy6;4y?!$iCs^tX=jEv{95ng
zux<&1D!0}aFf;4;fa?}L)YzeA&q2e$=cN9S6`#_zweXJ*{wfMQVpx<IqV`)K&o!8i
ze8>Zs7>j_IuuS@F-FJYTaui(R4Va6NZ6$zoxKx%?!PCxHOHhOF;TVVvk%Gs3r(pLY
zxOj4W!`epV-9u&glci<s__J)zCFdqJ9&+a=%iU)>LaF~mRCQgNlwg_8Y7jd0VS_?S
z*y;zn2M#yY&+Flp$SqBP7?qOLIZmyUOg%`CK)NektHRvy9}myugzZz(wnHT&e1|9u
zFX>STKzbBWwMl)}Dj<6jc387|=meh<yvcbW<m`DqS~(Ye%|m+b*}j_uS~agA0;Q77
z9OBu=Q=WEF@+%)KvhJ}q4q2~J$$ryyg!`2{eR8p+zwu>};ahuYyIysqc^ocZeoYC{
zc7IIEO6l==2z$l+;&!MLe_4LMYLO6f0-k)gSg5eEXJp(JvHIl0^tbAQd$6B^CUPw5
zr?4!Ob!Lf&P(NLbvNuRB_jzlY?n~@fKTJAUBYgF+N4W16XXpu=(Cna<@k7Oxb|2ZK
z`m=c7pL~SNMD%Kay@8uOeRnsM;lUjIkyLN=phaZ&EK1gbr@~4CJ3H+~)|PZ?9y<Hh
zu}7XS>x=DgO{^G2h(fTb50?%AJh3TyGAL$~85*lRpR3>7Uzu^P^V=OpIaq-sCl!|J
ztEJA0Ec*NtxL8YBsIaq|)_NSYPMBXEs^0GePo2Z}xieZ!yFahh6#!{NkC0xnBg`U}
zFsA?^4+Cm^mk>&QEZxJOGmkb$_t+LcFv{>n7{^Jgs|za5n6}(oHOw@r@oNoG+>&y3
zLGGQHL>OWjXj!YoU@vVKworBZ!szA7<oq_qT@+uwrv$4zH%mRvD!lOG;0q7!KGzbB
z9-&B#TL}uCZ3vTZcp{0fjCAx5+FBTSW|p}g7vYU8%y?2H^g*F*d9pea7k51GUU(0z
z@&d!l2bKBxEvN<)Vps4TnIe^%m9p!4ytLu4y)Ry*yH>E}En%1_oz|gA>shg(F$*7<
ziOW|rIdsxu?I&hgkd>3iwJQ(JFId0vwHHh1i#_=UQ+?mhx4k$@^s9N8VQ|G})Q_d%
z_1I&Nmx)Ugz0#Lj^NnvRSNg5qWLJ5JT?|HEW+8?wr6ja=b{hQBRk^+aKfkHTEz7KA
z_<CKt1d;zEQalbPPjvEq53)ylp!xH$!JP?ZA115Q^TnPI@a*+yP>4Rdk*FA-$id%?
zI8jI4^Atsil=Evjn}uzjb<i<!$k#IXt43&E$R_mOAxW-N6gsWQwZJzQw^s(KD~Jm^
zs}xY`%&Pd(@Bs@t!iRMBvy$dw;m0{hFc&IkD06Hn!dCLhX-d#mxo5=zM#0VKHKY5z
zbBPs-ZbcSeHndACecvnY9e5?kq?&s|UJ&lB)P>~1>8#hj`Ys1ksN?9FbJsDqm3+i_
z1E)&72O6pcVeL(vv&Vam9<3v)xPBjP9tfxObfsU3(?7Z<6OTK!UP~SOC^=#+iL^N>
zmRWFWOx0FsZGX{qve^djoH?eaD#|6nFMxe7zNPpsp-D8vLCR9(Si^@OU0cqIB-E_N
zkrIz9QS%peDLreUUi0n=EgK$Nh>vTKMo6VD?)!rA+>ls-^IWYF&ou1j7Y|f@Cs|r)
zn=Vec7>zz;Db^o6zE@<09p9H3<vyd*oNgO+^s_zYwej`Wjk>?0RHR^bGx4A7PByb@
za6H0={`C_lqQ0*RNHkAxA7trJ*_axsBZEw6TAlH;<{H4|C0#zGF2hRnfh-Ug?bSsn
z5F<*-aK7wD4mXcfoq+X|P$|g2xxO+x+imS;rX-O3sB96*)G+#HF!c61OSlfKDeKz1
zSlX&?s!CtDmXcSV7UqKGo7>pPW7G9b8Q~(3$<rcCkBEy1@rt^IwC!niE;pUtzr5uB
z(7Z!K$*s6*&C4X^(p`V6Grc@887Y8+i$6>8GGyVID(KeU<NrPThi2CxFW=|0EybZ+
z{J4G&<!^pt0q2Fh2y?tC+lzH-L<yKuU{y)PBZqVOl3{zg%RDbg=QbiW*qVFpXmW&#
zxjlUJH8n5x80*=3UwBgbUb@p_0zE=Qu~>!%KDEjrZg-NdXSfOx_JP%BbGMIq4RgPk
zHq6Byv&7h9Ue&;$W5~fU6d{P2n6FNdJouP!WvY$0T%eOWt)@>im`$?U5-kwAt0`(q
z<G&U+XPkdERxQlWmtA=yG9_TZ1celgCbLof=G<oRrEY^Pl8KC_`Y7|0;_x9<PNyw$
z)0z7&a^I&i9ZX~RZdH1paB-!i9vL2Pv0u8QF$y88l24kc<q@%9W7s=U2;m_p@L^7i
z8;GslDqP9=m>NdmF5v7N>>sJ$Je{wx{NqdQwD8eG9!sE>Q?%A{JeDi=<NG@x#ojo_
z)&v>8ErYjwAeQomK0_|gYz8D0Pz()P^{r+7q@*lkZNL%|KEHpr%9U5a#D{jh0T2;i
zvALjj4+olcR=`rLl?j5`TZFYZqO!ayiQdU0???*6=bA6wWMiaYwoWf}bu_mgi1mnZ
zn*X7wrSQe)VvG^Kj_+u#xiAHzyf$>w|D<o1ebV~tHHTIc`;8y>ws1!%rl+zCZv14|
z(IdRYK9p|KUY{AUe69Nu5ix}ucW2^T#LE@iQrW$J_$q(k4jI%Ol&+e>^RD4YFwX2F
z7SZN4j(Mo<?d2KEQyIJm_sm^+l<n%tcn8M|dpSz?RRo5asFQi_B%USy@yxxHqW;?z
z>^2VW!fzw#lTX`wW0gPS+g%?dI`E2<ldERe;t5DvF?O~)h6f14V^bIDD5YBC4%}96
zDN+r}QewB#7(^vdyGAS4tnW?4U3~OZf=kb3qI7-E)4|u^!P`Cq&GvY{yj-3>uKZPP
zv!Kf#OpIeLUG7LH1+#UPnlNW>)alOOs=%%|@;&~`-AQz^U#ZWMW714jo7TzGba^Jp
z_UmwhWq+1@qQub!&hFrwTPrV5k$Cz=P!<8I>ziY%0doB_?ox~Dl)%VcyXoj*a9*|R
zG&=T1c>PC4MVDS#WzUK5rnyg9bP63Zuch}|_95NYo-Uf`n&#!<6IzG`1f5&&)0Umb
zl7Uc9DsSPG2C^U*wY8v%QIGn3>S}Vf^NI7;{%jH&$F7z{1d5WDssc7VhAAECTj&&r
zrna(0v-YizMk)R#lvjZgNj|A#X+4};Pus;@q`EU4o^JcI*?fkR4wB5>d}fBuB!xBz
zh?(10m5%w{U0Nsax5lh}6)X_7BvW|Net1;HKvgBB>g+JNEMI=5z*35~{FRC|NM4f9
z{d-uq!T6F`S9AH@yrRb%>06C?_YQs7h^{S{VV|3CZ6EqL(?Sc}g%wbP4usB-zA`wQ
zg9{fv6QOpI?#2Z>)2#(UR*|oNN$_|l{<g$NVYdIw*X>;)82ZJ!!p9dMf!X`#?6#2V
z`TTv{n#VQ&ISTsKlf2JyF1+FD|9hO;bL8%G=BlM^qW_(K=m(f!BEwwgU&5is@!uc(
zp{<7Kyqt6H!ao;KyREi|?m@}ESP}YPuCR{KuUmTT^61dNC-S!4zRjN#BDg=~p9c(X
qIEel)kF8O&*Z<DU|EF6EqLXq7saU)weHZ#GE}e6FnmOv%@B9y8PJG1x

literal 0
HcmV?d00001

diff --git a/doc/user/admin_area/settings/sign_up_restrictions.md b/doc/user/admin_area/settings/sign_up_restrictions.md
index ff26a1ee09c1..fc8494d73c0e 100644
--- a/doc/user/admin_area/settings/sign_up_restrictions.md
+++ b/doc/user/admin_area/settings/sign_up_restrictions.md
@@ -19,6 +19,12 @@ their email address before they are allowed to sign in.
 
 ![Email confirmation](img/email_confirmation.png)
 
+## Minimum password length limit
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/20661) in GitLab 12.6
+
+You can [change](../../../security/password_length_limits.md#modify-minimum-password-length-using-gitlab-ui) the minimum number of characters a user is required to have in their password.
+
 ## Whitelist email domains
 
 > [Introduced][ce-598] in GitLab 7.11.0
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 7ef8b0ae2c68..7db324966d6e 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -11314,6 +11314,9 @@ msgstr ""
 msgid "Minimum length is %{minimum_password_length} characters."
 msgstr ""
 
+msgid "Minimum password length"
+msgstr ""
+
 msgid "Minutes"
 msgstr ""
 
diff --git a/spec/models/concerns/devise_validatable_spec.rb b/spec/models/concerns/devise_validatable_spec.rb
deleted file mode 100644
index 8ab3e10b3582..000000000000
--- a/spec/models/concerns/devise_validatable_spec.rb
+++ /dev/null
@@ -1,141 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe DeviseValidatable do
-  describe 'User' do
-    let_it_be(:existing_user) { create(:user) }
-
-    context 'password' do
-      it 'requires password to be set for a new record' do
-        user = build(:user, password: '', password_confirmation: '')
-
-        expect(user).to be_invalid
-        expect(user.errors[:password].join).to eq('can\'t be blank')
-      end
-
-      it 'requires password_confirmation to be set for a new record' do
-        user = build(:user, password: 'new_password', password_confirmation: 'something_else')
-
-        expect(user).to be_invalid
-        expect(user.errors[:password_confirmation].join).to eq('doesn\'t match Password')
-      end
-
-      it 'requires password to be set while updating/resetting password' do
-        existing_user.password = ''
-        existing_user.password_confirmation = ''
-
-        expect(existing_user).to be_invalid
-        expect(existing_user.errors[:password].join).to eq('can\'t be blank')
-      end
-
-      it 'requires password_confirmation to be set while updating/resetting password' do
-        existing_user.password = 'set_new_password'
-        existing_user.password_confirmation = 'something_else'
-
-        expect(existing_user).to be_invalid
-        expect(existing_user.errors[:password_confirmation].join).to eq('doesn\'t match Password')
-      end
-
-      it 'does not fail validations for password length when password is not changed' do
-        existing_user.password = existing_user.password_confirmation = nil
-
-        expect(existing_user).to be_valid
-      end
-
-      context 'password length' do
-        before do
-          expect(User).to receive(:password_length).twice.and_return(10..128)
-        end
-
-        it 'validates minimum password length' do
-          user = build(:user, password: 'x' * 9, password_confirmation: 'x' * 9)
-
-          expect(user).to be_invalid
-          expect(user.errors[:password].join).to eq('is too short (minimum is 10 characters)')
-        end
-
-        it 'validates maximum password length' do
-          user = build(:user, password: 'x' * 129, password_confirmation: 'x' * 129)
-
-          expect(user).to be_invalid
-          expect(user.errors[:password].join).to eq('is too long (maximum is 128 characters)')
-        end
-
-        it 'validates password length even if password is not required' do
-          user = build(:user, password: 'x' * 129, password_confirmation: 'x' * 129)
-          expect(user).to receive(:password_required?).twice.and_return(false)
-
-          expect(user).to be_invalid
-          expect(user.errors[:password].join).to eq('is too long (maximum is 128 characters)')
-        end
-
-        context 'min and max length values' do
-          it 'matches the values set by the `password_length` method' do
-            validators = User.validators_on :password
-            length = validators.find { |v| v.kind == :length }
-
-            assert_equal 10, length.options[:minimum].call
-            assert_equal 128, length.options[:maximum].call
-          end
-        end
-      end
-    end
-
-    context 'email' do
-      it 'requires email to be set' do
-        user = build(:user, email: nil)
-
-        expect(user).to be_invalid
-        expect(user.errors[:email].join).to eq('can\'t be blank')
-      end
-
-      it 'accepts valid formats' do
-        %w(a.b.c@example.com test_mail@gmail.com any@any.net email@test.br 123@mail.test 1☃3@mail.test).each do |email|
-          user = build(:user, email: email)
-
-          expect(user).to be_valid
-          expect(user.errors[:email]).to be_blank
-        end
-      end
-
-      it 'is case-senstive' do
-        user = build(:user, email: 'test@test.com')
-
-        expect(user).to be_valid
-
-        new_user = build(:user, email: 'TEST@TEST.COM')
-
-        expect(new_user).to be_valid
-        expect(new_user.errors[:email].join).to be_blank
-      end
-
-      context 'when email changes' do
-        it 'validates uniqueness, allowing blank' do
-          user = build(:user, email: '')
-
-          expect(user).to be_invalid
-          expect(user.errors[:email].join).not_to include('taken')
-
-          user.email = existing_user.email
-
-          expect(user).to be_invalid
-          expect(user.errors[:email].join).to include('taken')
-        end
-
-        it 'validates format, allowing blank' do
-          user = build(:user, email: '')
-
-          expect(user).to be_invalid
-          expect(user.errors[:email].join).not_to include('invalid')
-
-          %w{invalid_email_format 123 $$$ () ☃}.each do |email|
-            user.email = email
-            expect(user).to be_invalid
-            expect(user.errors[:email].join).to include('invalid')
-          end
-        end
-      end
-    end
-  end
-end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index fafb21a29908..570d03db3fc1 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -98,6 +98,33 @@ describe User, :do_not_mock_admin_mode do
   end
 
   describe 'validations' do
+    describe 'password' do
+      before do
+        allow(described_class).to receive(:password_length).and_return(10..130)
+      end
+
+      context 'length' do
+        it { is_expected.to validate_length_of(:password).is_at_least(10).is_at_most(130) }
+      end
+
+      context 'length validator' do
+        it 'has only one length validator' do
+          validators = described_class.validators_on :password
+          length_validators = validators.select { |v| v.kind == :length }
+
+          expect(length_validators.size).to eq(1)
+        end
+
+        it 'supports dynamic minimum and maximum length validation' do
+          validators = described_class.validators_on :password
+          length_validator = validators.find { |v| v.kind == :length }
+
+          expect(length_validator.options[:minimum]).to be_a_kind_of(Proc)
+          expect(length_validator.options[:maximum]).to be_a_kind_of(Proc)
+        end
+      end
+    end
+
     describe 'name' do
       it { is_expected.to validate_presence_of(:name) }
       it { is_expected.to validate_length_of(:name).is_at_most(128) }
@@ -480,10 +507,10 @@ describe User, :do_not_mock_admin_mode do
 
       context 'maximum value' do
         before do
-          stub_const('ApplicationSetting::DEFAULT_MAXIMUM_PASSWORD_LENGTH', 201)
+          allow(Devise.password_length).to receive(:max).and_return(201)
         end
 
-        it 'is determined by the current value of `ApplicationSetting::DEFAULT_MAXIMUM_PASSWORD_LENGTH`' do
+        it 'is determined by the current value of `Devise.password_length.max`' do
           expect(password_length.max).to eq(201)
         end
       end
-- 
GitLab


From cf594d81d82e8e2aa3b15aa91ceb386d9377b08f Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Fri, 6 Dec 2019 11:44:49 +0530
Subject: [PATCH 3/8] Add post-deploy migration

Adds a post-deploy migration to set the value of
`minimum_password length`, if the user had already
set a value different than 8, using the devise initializer.
---
 ...05084057_update_minimum_password_length.rb | 26 ++++++++++++++++
 .../update_minimum_password_length_spec.rb    | 30 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 db/post_migrate/20191205084057_update_minimum_password_length.rb
 create mode 100644 spec/migrations/update_minimum_password_length_spec.rb

diff --git a/db/post_migrate/20191205084057_update_minimum_password_length.rb b/db/post_migrate/20191205084057_update_minimum_password_length.rb
new file mode 100644
index 000000000000..4e5e3dfdb864
--- /dev/null
+++ b/db/post_migrate/20191205084057_update_minimum_password_length.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class UpdateMinimumPasswordLength < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def up
+    application_setting = ApplicationSetting.current_without_cache
+    return unless application_setting
+
+    value_to_be_updated_to = [
+      Devise.password_length.min,
+      ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH
+    ].max
+
+    application_setting.update(minimum_password_length: value_to_be_updated_to)
+  end
+
+  def down
+    application_setting = ApplicationSetting.current_without_cache
+    return unless application_setting
+
+    value_to_be_updated_to = ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH
+
+    application_setting.update(minimum_password_length: value_to_be_updated_to)
+  end
+end
diff --git a/spec/migrations/update_minimum_password_length_spec.rb b/spec/migrations/update_minimum_password_length_spec.rb
new file mode 100644
index 000000000000..0a763e5ce0ff
--- /dev/null
+++ b/spec/migrations/update_minimum_password_length_spec.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20191205084057_update_minimum_password_length')
+
+describe UpdateMinimumPasswordLength, :migration do
+  let(:application_settings) { table(:application_settings) }
+  let(:application_setting) do
+    application_settings.create!(
+      minimum_password_length: ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH
+    )
+  end
+
+  before do
+    stub_const('ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH', 10)
+    allow(Devise.password_length).to receive(:min).and_return(12)
+  end
+
+  it 'correctly migrates minimum_password_length' do
+    reversible_migration do |migration|
+      migration.before -> {
+        expect(application_setting.reload.minimum_password_length).to eq(10)
+      }
+
+      migration.after -> {
+        expect(application_setting.reload.minimum_password_length).to eq(12)
+      }
+    end
+  end
+end
-- 
GitLab


From 4802b9fdf73ffa6f7adbd44525a27c9c8efc17cc Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Fri, 6 Dec 2019 17:16:19 +0530
Subject: [PATCH 4/8] Use raw SQL Update to update `minimum_password_length`

---
 ...191205084057_update_minimum_password_length.rb |  14 ++++++--------
 doc/security/password_length_limits.md            |   5 +++--
 ...=> minimum_password_length_settings_v12_6.png} | Bin
 .../admin_area/settings/sign_up_restrictions.md   |   3 ++-
 4 files changed, 11 insertions(+), 11 deletions(-)
 rename doc/user/admin_area/img/{minimum_password_length.png => minimum_password_length_settings_v12_6.png} (100%)

diff --git a/db/post_migrate/20191205084057_update_minimum_password_length.rb b/db/post_migrate/20191205084057_update_minimum_password_length.rb
index 4e5e3dfdb864..d9324347075f 100644
--- a/db/post_migrate/20191205084057_update_minimum_password_length.rb
+++ b/db/post_migrate/20191205084057_update_minimum_password_length.rb
@@ -4,23 +4,21 @@ class UpdateMinimumPasswordLength < ActiveRecord::Migration[5.2]
   DOWNTIME = false
 
   def up
-    application_setting = ApplicationSetting.current_without_cache
-    return unless application_setting
-
     value_to_be_updated_to = [
       Devise.password_length.min,
       ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH
     ].max
 
-    application_setting.update(minimum_password_length: value_to_be_updated_to)
+    execute "UPDATE application_settings SET minimum_password_length = #{value_to_be_updated_to}"
+
+    ApplicationSetting.expire
   end
 
   def down
-    application_setting = ApplicationSetting.current_without_cache
-    return unless application_setting
-
     value_to_be_updated_to = ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH
 
-    application_setting.update(minimum_password_length: value_to_be_updated_to)
+    execute "UPDATE application_settings SET minimum_password_length = #{value_to_be_updated_to}"
+
+    ApplicationSetting.expire
   end
 end
diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md
index cd07cd94d310..235730eb8256 100644
--- a/doc/security/password_length_limits.md
+++ b/doc/security/password_length_limits.md
@@ -51,11 +51,12 @@ To change that using GitLab UI:
 
 In the Admin area under **Settings** (`/admin/application_settings`), go to section **Sign-up Restrictions**.
 
-[Minimum password length settings](../user/admin_area/img/minimum_password_length.png)
+[Minimum password length settings](../user/admin_area/img/minimum_password_length_settings_v12_6.png)
 
 Set the **Minimum password length** to a value greater than or equal to 8 and hit **Save changes** to save the changes.
 
->**Note**: Changing minimum or maximum limit does not affect existing user passwords in any manner. Existing users will not be asked to reset their password to adhere to the new limits.
+CAUTION: **Caution:**
+Changing minimum or maximum limit does not affect existing user passwords in any manner. Existing users will not be asked to reset their password to adhere to the new limits.
 The new limit restriction will only apply during new user sign-ups and when an existing user performs a password reset.
 
 <!-- ## Troubleshooting
diff --git a/doc/user/admin_area/img/minimum_password_length.png b/doc/user/admin_area/img/minimum_password_length_settings_v12_6.png
similarity index 100%
rename from doc/user/admin_area/img/minimum_password_length.png
rename to doc/user/admin_area/img/minimum_password_length_settings_v12_6.png
diff --git a/doc/user/admin_area/settings/sign_up_restrictions.md b/doc/user/admin_area/settings/sign_up_restrictions.md
index fc8494d73c0e..851a984c285d 100644
--- a/doc/user/admin_area/settings/sign_up_restrictions.md
+++ b/doc/user/admin_area/settings/sign_up_restrictions.md
@@ -23,7 +23,8 @@ their email address before they are allowed to sign in.
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/20661) in GitLab 12.6
 
-You can [change](../../../security/password_length_limits.md#modify-minimum-password-length-using-gitlab-ui) the minimum number of characters a user is required to have in their password.
+You can [change](../../../security/password_length_limits.md#modify-minimum-password-length-using-gitlab-ui)
+the minimum number of characters a user must have in their password using the GitLab UI.
 
 ## Whitelist email domains
 
-- 
GitLab


From 6b1d97622c7c36a18fbe1c6ff9804a1485b9c5f3 Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Mon, 9 Dec 2019 13:46:22 +0530
Subject: [PATCH 5/8] Use `change` for migration

---
 ...4_add_minimum_password_length_to_application_settings.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb b/db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb
index 809cd5ad3be9..0a7ad9d81a9a 100644
--- a/db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb
+++ b/db/migrate/20191123062354_add_minimum_password_length_to_application_settings.rb
@@ -5,11 +5,7 @@ class AddMinimumPasswordLengthToApplicationSettings < ActiveRecord::Migration[5.
 
   DEFAULT_MINIMUM_PASSWORD_LENGTH = 8
 
-  def up
+  def change
     add_column(:application_settings, :minimum_password_length, :integer, default: DEFAULT_MINIMUM_PASSWORD_LENGTH, null: false)
   end
-
-  def down
-    remove_column(:application_settings, :minimum_password_length)
-  end
 end
-- 
GitLab


From b5d283f146ef6e7295859610136b90a46e7cc44c Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Fri, 13 Dec 2019 14:36:44 +0530
Subject: [PATCH 6/8] Make changes to devise validator initializer

---
 ...evise_remove_password_length_validation.rb | 13 +++++--
 spec/models/user_spec.rb                      | 38 ++++++++++++++-----
 2 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/config/initializers/devise_remove_password_length_validation.rb b/config/initializers/devise_remove_password_length_validation.rb
index 13c7dd0664a7..8322cb02560e 100644
--- a/config/initializers/devise_remove_password_length_validation.rb
+++ b/config/initializers/devise_remove_password_length_validation.rb
@@ -1,20 +1,25 @@
 # frozen_string_literal: true
 
-# Remove the default Devise length validation from the `User` model.
+# Discard the default Devise length validation from the `User` model.
 
-# This needs to be removed because the length validation provided by Devise does not
+# This needs to be discarded because the length validation provided by Devise does not
 # support dynamically checking for min and max lengths.
 
 # A new length validation has been added to `models/user.rb` instead, to keep supporting
-# dynamic length validations, like:
+# dynamic password length validations, like:
 
 # validates :password, length: { maximum: proc { password_length.max }, minimum: proc { password_length.min } }, allow_blank: true
 
 # This can be removed as soon as https://github.com/plataformatec/devise/pull/5166
 # is merged into Devise.
 
-User._validators[:password].delete_if do |validator|
+default_password_length_validator = User.validators.find do |validator|
   validator.kind == :length &&
   validator.options[:minimum].is_a?(Integer) &&
   validator.options[:maximum].is_a?(Integer)
 end
+
+def default_password_length_validator.validate(*_)
+  # always return true to discard any validations using this specific validator.
+  true
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 570d03db3fc1..db26b8720454 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -99,7 +99,10 @@ describe User, :do_not_mock_admin_mode do
 
   describe 'validations' do
     describe 'password' do
+      let!(:user) { create(:user) }
+
       before do
+        allow(Devise).to receive(:password_length).and_return(8..128)
         allow(described_class).to receive(:password_length).and_return(10..130)
       end
 
@@ -108,19 +111,36 @@ describe User, :do_not_mock_admin_mode do
       end
 
       context 'length validator' do
-        it 'has only one length validator' do
-          validators = described_class.validators_on :password
-          length_validators = validators.select { |v| v.kind == :length }
+        context 'for a short password' do
+          before do
+            user.password = user.password_confirmation = 'abc'
+          end
+
+          it 'does not run the default Devise password length validation' do
+            expect(user).to be_invalid
+            expect(user.errors.full_messages.join).not_to include('is too short (minimum is 8 characters)')
+          end
 
-          expect(length_validators.size).to eq(1)
+          it 'runs the custom password length validator' do
+            expect(user).to be_invalid
+            expect(user.errors.full_messages.join).to include('is too short (minimum is 10 characters)')
+          end
         end
 
-        it 'supports dynamic minimum and maximum length validation' do
-          validators = described_class.validators_on :password
-          length_validator = validators.find { |v| v.kind == :length }
+        context 'for a long password' do
+          before do
+            user.password = user.password_confirmation = 'a' * 140
+          end
+
+          it 'does not run the default Devise password length validation' do
+            expect(user).to be_invalid
+            expect(user.errors.full_messages.join).not_to include('is too long (maximum is 128 characters)')
+          end
 
-          expect(length_validator.options[:minimum]).to be_a_kind_of(Proc)
-          expect(length_validator.options[:maximum]).to be_a_kind_of(Proc)
+          it 'runs the custom password length validator' do
+            expect(user).to be_invalid
+            expect(user.errors.full_messages.join).to include('is too long (maximum is 130 characters)')
+          end
         end
       end
     end
-- 
GitLab


From c5ef9212ffda859b9d654b6d8012c60f2fd6f358 Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Fri, 13 Dec 2019 15:00:38 +0530
Subject: [PATCH 7/8] =?UTF-8?q?Reword=20=E2=80=98Minimum=20password=20leng?=
 =?UTF-8?q?th=E2=80=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../application_settings/_signup.html.haml    |   2 +-
 ...evise_remove_password_length_validation.rb |   2 +-
 ...minimum_password_length_settings_v12_6.png | Bin 27994 -> 29714 bytes
 locale/gitlab.pot                             |   2 +-
 4 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/views/admin/application_settings/_signup.html.haml b/app/views/admin/application_settings/_signup.html.haml
index 60765b63504d..b9d9d86ca30a 100644
--- a/app/views/admin/application_settings/_signup.html.haml
+++ b/app/views/admin/application_settings/_signup.html.haml
@@ -13,7 +13,7 @@
         = f.label :send_user_confirmation_email, class: 'form-check-label' do
           Send confirmation email on sign-up
     .form-group
-      = f.label :minimum_password_length, _('Minimum password length'), class: 'label-bold'
+      = f.label :minimum_password_length, _('Minimum password length (number of characters)'), class: 'label-bold'
       = f.number_field :minimum_password_length, class: 'form-control', rows: 4, min: ApplicationSetting::DEFAULT_MINIMUM_PASSWORD_LENGTH, max: Devise.password_length.max
       - password_policy_guidelines_link = link_to _('Password Policy Guidelines'), 'https://about.gitlab.com/handbook/security/#gitlab-password-policy-guidelines', target: '_blank', rel: 'noopener noreferrer nofollow'
       .form-text.text-muted
diff --git a/config/initializers/devise_remove_password_length_validation.rb b/config/initializers/devise_remove_password_length_validation.rb
index 8322cb02560e..0c0eb3e0acbf 100644
--- a/config/initializers/devise_remove_password_length_validation.rb
+++ b/config/initializers/devise_remove_password_length_validation.rb
@@ -13,7 +13,7 @@
 # This can be removed as soon as https://github.com/plataformatec/devise/pull/5166
 # is merged into Devise.
 
-default_password_length_validator = User.validators.find do |validator|
+default_password_length_validator = User.validators_on(:password).find do |validator|
   validator.kind == :length &&
   validator.options[:minimum].is_a?(Integer) &&
   validator.options[:maximum].is_a?(Integer)
diff --git a/doc/user/admin_area/img/minimum_password_length_settings_v12_6.png b/doc/user/admin_area/img/minimum_password_length_settings_v12_6.png
index 44fca68728f47929c605bed936413647a559e84d..f75d9e9bb298c565286850da364a91dbee14abbb 100644
GIT binary patch
literal 29714
zcmeFZWmHsc-#4s+FoeQ@beD81IWVN4v`R^rfYK-oEj=^{2nY;<U;xr7-6^S((jihq
zNXK)`dENJQo_KzJ*LvQy-j_8WhS_@`$KFT&fAQa8n(9i|@Tu`HUAlDbuCl`YOP8>m
zFI~D!1i=BnthK0p1^;;4%FAosm6vDKba8xaYiD)o5=WecsVUc89*#~kGgH&fFWj8?
zF7Ee{$jJMq4K0md8e14!P1_hz$%ckAl*BVFFG#&>+8ZHR{Hp=I_jXP^hToNYpOK3c
zrnu;^NmTvzzwCbRiL($E77K1{dfNT8Gy==zOJfpUR~6Z0_6QjbDr>VZwMt*MjJR=`
z4q`cdxp<gqjfl~WB>7A06&+HN1wu=eOJi5=5?A0L)32Kuycq4G3geWi!0qHi(lovp
zZc%KSY`i}b_oC)5PPKTBfTT=jTl{MZYC;!W;vNBnK$QT8K(a8UfS%A#A+cB4Iteds
zNGwx4B)58JoxmY>MP5X^NgQ7Jri`^*S*b~wUtdG1sk3q5Qug&5*2Hh&xc+L^HzZ?-
zdrUeTO+WTFHckc-tGsS+Eb<}33T)*JO74c?;P^hp39(<sCy5}Ly>5NdE{8Npdu)eo
zwj(AeP&9RXeqKtAg>}q|6VgC>etur}^ZdLa!ha8Ieof~3C02LanaHOkM4%tiZ6E4A
z(^FHGuyC~JGqZFwx8g(CJAr<>bP0x#0AKB`o|!Qs?Cl&}B@j}~f1M!#zGHsoXJ-8C
zlxI(+nDx{&8RZ>atQc?e-Qp8qmd0mfWQ4g`K9;zzaOZz62meVi+dO;bB*D+`?(WX#
zF3jiXV$CloE-ub5AjB^u#0$>gb@gy~W`^K(aAo;VA^%&Bf|aX<i>=c$TSo^*Ou1&}
zj?bS-F*9Q-`tRR=?$Zik`*%$auK)8`-~stDNB9N#1o;13Hn<dq`Bg&G7GY(lr(kPu
z<=_hHkQNgYg#C5?zmEJ}<3Fy{|NBZI(F<4p<H-M93FF5+z&{@7KdtrGub{c4@nQV`
zZF*^ZewwJoOP6FW-Bpl%h`79#el=NJdq0%I=zbQnDKRrLD2wvLi!*IIL9Mlojg9_|
zleOzSH&h9+wG_0pZeYpYe<UZd<TrKo*w>nGzwg@P<ja1m9!se4=ToJduw(a;@#6$;
zWUot^phf#avV51K47S3>Pk5kAwYP$y^TT|hKaPNZUD!3H_j$URt}ruR{AfPHW}Uki
zQTvPRGL-nAAAcA`xpncfn*N`Ky(t3+63IQjabGNn@rnm=EV2jdbqVqX<ibbB78;A>
z=H1TK{qvr;85yBTxVNmJ|Ew8&_a9<rgz7$8&@Q}K(hJCftPC?Bkxe)ApOxn*$}ks{
zb><mge2mM`&cGK6hV%moihovqF9IB}jnl3BvrS@gFNamZ-f%|zS$P6EI55Oq==o>s
zGZI}ParTgTK>lat9K7H_j-v7J@ITvx9<=-Ri+4PKR{sCm4$<UccIbM^CgMD&aJ)C+
zxISXySMGOq$i8^mn*pDm^4?LS5iphMUX{?_!&6O{_-5?ArRdkkHaPy0uYq+uU+6-c
znQD`8=o0JKll7%bj^OT|pKkiu_oaykhmW~U*sq`L^jC`5kF)l{4;SLyI_TUFwtDy*
z?Cd8h)C`CFe#y=xJWzLr8o#}BZCdBkqjEhO<Do^0rxx1D7dkBAihuawcX7ulnB;5_
zsol?kOwNddUwMW3Ui%w+Ums{t1zgY5%#>rcKiqDc!&XgrpT34S!&$f0P9xRw%D`cz
zpL1f8jC<*a6^S+>jYu!b@5}=(jc&xUPqnYOYsekFO&V;gbYW0^m$~8*(~0+y;EKa~
z`AEgvXo>EM@h99gl5Y8R=V!-Zv0cLbu;KcXZ50bA--FpugFu{X`EKju-#<TJy-mFQ
z%UK1XIqiFF@3=OUqvA^9jBM~dJsKl7uroXKoNbR`$oSy5`l*tSbuRqv$+vmV4~Z8B
zPb`Cft>R=TgKzSOt*i*XlGFX^=@_bn&6>^niv20Cnl~)H+m+M4rJ%{E0xtIxRUo#^
zDcpREPAragSN4`O{2s;MRLghx@!8j{JAt!aQQ&L7e(6B<uWxxYW<I@LG}7Kxj;SK{
zuazrnNApDp$a#wNOCNiTKPrEspU9<6a>$WUVOHi}!SkrB^KozT?6RC^pCEgzh<(}M
zonTlDN??V>7^k`7e$Kr<e09)-`pmbXg?^{MlcK0^cUL>btYF{R7xdh<NxfzJa*%Hv
zs&{{8ZLE}6V3AU`!+9q4qZ;CY`=qlHw{8LLn6AK*)KH)8@H_ptccScCu8H#Orp+Gg
zPy4ZNH^m-djTm+>Pkmt7n9VWW;0)R?DD9J&(is;vZ-tygnY8J*t<06EQ!b7b5&zod
zRyuEV)80-$-0PUZ_rPp*vf4G%OSWn&^!d+$re7n4jxn%p<PZ00AK#5J>x|pj3?VaB
zGXVtNW;ftapEAekDTmK1Hz!>CrA{A?6d0{<)NH!Vel508g1axoDIGDM`Qy?n6OLCq
zjaemCTMv+09S*+NV5m8mi;%kgo8GDMa#-55&we_cb1T%>`)K7o%~YEP{Pb&|*gPTJ
zedmkl1b@Scc|UANm6=Fxqo8J^B;9SC)0xkM-MF1h*U&5mepXd#N<Yh8SUcDCF||5a
zAbg^WJ!9=R%Sk}pPM_o*gMb;rWg^Knfd<ha>iy2Tn-hFBYvxY9U*B28NPWj4qF)>H
zJK5?8dLdW)!|(i*UYdqKb=mj#H{FRo$<4L*D+IEpZNtIVIu8$tq;_M4!<Pev`=9Rr
zaMwtyKi!)kT}Oa1Uwby7d-rRBkz__{STez@Yc;Vt1{c;u4z(*D8mbXq;lzxP<SNAI
zvtc#+44=I%IL@|S?(K)k2JQp0xMU<w*;Y9!LHD%wKqHQSs+{^9z#-F#ovHQkZ0@sL
zztsK>5~qX+O|!UYe=OX`+SlY*^*=yE!V#*{8vZfTM>cZLTq2Y3Vr&pNK~*>w(3I7}
z25H*Ib!y+<Jxtl6MLiq3i#K~iLw*8U!(GbEdAbBv10&f+Euu6~w4v8V^)kt~_G2m^
z4!#*>1xf)Q5xu)b1XfQkZg_2KjE+$ExiI#d;{i@Gs?f)kBgS51<s-(cfqMt05^-X-
zxc*QI`WUIbWS`wZr42O;Un8wM(l9r~3wm#~?0!+uu4CPAol)K`Ub(9pI-65<J_WjH
z2`#~?7CW(6w-F=v-^W$k-P}@>yCF0VGi4LEM+_}^$ak6v_z$F9w*!f!(XMN*=S{?j
z48ODLYt*+osYM;u-h2K2wOHu;CJijlQmnt-;`hK(b~i0zvvuMIoME~n;<jZcF<kM$
zvL7Y&$?yCuIEZ9QEYe!#9O5<`OyOxjB)$;q^dy)U)xy}Fdi&{8B-9+aYzo<bXr3hP
zGH&~ROohMB(mMUQj`GH06qRs$OsQ2;XFlD<K32Tq(H}N}n2$0dG<^O|I~YdSYdas~
z4>R*mGIY5s_bmH!|G}ih&_+?qbyQ^Veaa8>_T1eYwL9uW-&n8hbVG_;??ltC7)V3z
z(uz75&WY8xbf<uY&-mn_@p0u3w^TtTBKd(3GK#G$#jzbYG<KSn)yPl8PwvUV;+$Id
zMlE7m=U93<VaIEwQAP4=^D*$fZ}9n@W^z8mpCienp-4irPid?tMaFfWzUf5cwEN?1
zd<v3X_TeTGn;ln$Gc(KvscVric?HTVPn(1Az89Iv`>8X*?NxRClu7v+m@2w%rXH}#
zaisW#A=)8V*`D2UpvB#~L&;`NEEu_E_;Q(#yp7MeVDG|?2g0TW-Z>iqro>)xbHNz?
z`h#Y$1>o-I28nC*rpP^H`Z^RwDK{1ntP2gAS5KE9<D5e`2WzTr3n&w{(|$57tUt<~
z4ZCMmJMUnnNK4<zIP<~cQ~7rnC`GLjGU?eq!+5KlfU|}3OH=siZhYwD5DW50c;u~I
zbD|LArM21Oao^*0A110LZsu1m<qIM?J^kK|roA2!G;`!y5jh5gY$)k(zFLc})3U8s
z$+v{SHe7j-=@k)(B=E^*9VN?sh<jnP(Tv2_xz`%(R%SEUe9%HniA*{;$*=c09(V4b
zqj<?)k$o+Ih)Am>`N>qR2eW-{x+RhNBuyfh&)swa)O*BX8UZt3J+%c)%^O}Hz`D$?
zfl8}V)wBIPFhndj`pH1lWH(q*stA5|&~lDopt19y52g3C$?COpdpVK7rQyA(j#And
zX40sii>mEfWUu6$Qkv`Sj9{yL4|by-zE)|K0Hb`w`h}oNrkJEtrFFLHU?E<kmI={}
zfEx+~-JoY&>YWX4YMy)>d(-Z24`Zr_3R1jQBghu#`0RMIW#gVbf8FkVB3V^!h{^yv
zjmp;!-b68^$@$T0;e2R4!xGZDXyfy0fs@p5*zXY&cwA7hY%^DSSbUE=mu|tD7lbWH
zDDO!LBfeQ=5C!v@X%FmHGtuhTkMV}B_vm&ASFn(GQ7jWx?g_eggNPM%I(mPzZFVj0
z@XVPr@LLrfJc*w*6qy(@Pg0vmxN{-Yc!{@AUW7;Ryom9tU$0TiYP{X~$&SX{L$1sl
zeC<-4JVj8^B`>m2=shIIz26-wor1O6P10aO6s;N<8yhDujW$cpD~Be_DqOXo*DGi@
z{A8NYRx{houvk3K!vEuOJx!i`iNw!g4fuNVwWd%fpUt{`5?5?a0<9#wu7KNzo+2Ij
z3e-G7Tp<=qom*UZXZOFTEc~!b;W73_JA}ZtzQI#klJY(g))=nd_q@0`T)*PsF$cK|
zswFl;{6LI}(pP_c@cwfnl7K-+Ow}61F9`EYyjNvPC&kT7SAsp<^1A1)yg1I{<xvla
zwIu6QZC}MsjtJSRFE>qq?&k*Yq*Q>w@Hesc63q~b!o+*9&KZ$~m^QW{-PCQVX-k6-
znb&@xT`GzUH47PNJ~)wr<>ph4m00ye?(7Yfr?km8b7Sji#f$rcCDdt9d5p6E7GxN4
z>R5mHj{jjmGSRw9L8vrIw>6m>`QuEOg6+%;NK6AaUv=cOj_MK>-RQoEe}?vrxy-Ri
z$hXd-Q;4^8h#CJdVu@Gf8dmv)luJE1pQA@-f=A6_eL-v9e7SXhQ=4t!^)1`Ep7l@x
ztykO2MDjDiiOi%?5$jIriiX54U2anz%WN6lzmf&yUM&*wQ-zB9IY0fDt38*q5M)^L
zge@fW*4PZKac6XA_%!KZb5DKzj+JXKHyMITG9Y~53*+N?kNM4y5nkW*>f!|k&?TD)
zRMB*f3WZ5#JOd8e1?AL?H+$c_Cy!Jw{T4${u#xm4cg%&j=mxugZ8N9srJa}PGxW>l
zhwa^Q8nCUPhPT{?O3By+u5U-BcL(Ipnjb6RwR6QUr@2P=&*QJOh%C&D)iV@yv@o|+
z+f^c_0bXd3>w>cL3^VY2W2Vb*?CN>Db^WS*)%NS)gYcBuN2Bka_*J#P8o@(fuUOEQ
ztPVl@^9K;hXK&RD>*T14j8ph6(~eZXKR8~KGiVm6j&!1J)@X4a-Ok0OWc3<Ge8G;$
zYu)r0cl{a@OGtin=kxYv)%^AOQ;)92VQb=vT0LpK&q7u7e!gaKUAIhn`->~{El5Jd
zQYBfwUE2*PdAZC(0cG}Vewuk78xUM>X9wA|Q?$(}&NKxED&fZ!aYY6j=)DOH78=64
zB6o<MF-1nuOL-nh&qhPK5~1<NnnSn*LB!N}x|CN3;}d#`tou>xc?KkVuQ_@1;Cvu9
z)?;Lgf1#qSo9mk2E^a@5%a7d<_Do3o(XZvHl6C%srW5&JjF$0j_rr%>%yiR!=ki>b
zKAo>*re+hi@X<B`8k}b&D+j-`_V6Ao1kX}Vag#5Y&PK}y;*h;IxTE|dS13r<JF(aB
zS5#qIvP!+GEi^vJ`?1CCr{8a#l?b+)Y6S?S3cVagQ@>cyz0CR^ujBA*KYnUkUH4-f
z4ZbzGKN<-G*vO%kLf59A7S^3ueaU~)*-ZO!ihZQc%Y8n$SLnh`0wUp{l9c0>Q+Hyp
z@&WTs2PC6am?F~SdA@g70Ik{C{VJVt1LM5L?r_S8fB~J0p*Wxp5^nhmG0n}1cF}(H
z*jZvDUqhM<*IyWy;G~lYyaaLRzM~)GXTLvd=LnaXDx~Dd)ifgggITx?<)8wPoUKJW
z=fds)=CDi{;4iqL`CJb#th9jtxEBJLf-WcRj~BK;z@%t0W7reyJp6yLCoh=*fgxn5
zo%`o)CqMv)K+=>ecVP?yD(8(QhF2lfP2~EM+F+9d)P_P)uI9fU^Z)jv_?ttW<JmPT
zrv1);EPYAUWsb@|(KYe;R)6%1`}laXVLgl;RWw#=ouq8krfma4T>FL2xHj#y?mr2i
z%j`w>nKuCRs!VsE8vFcg#T;DSU|;@C#|;F2<0pqZ5!W`e@5a}j=o)*p-BeGr0ae!h
z@K{b4@jgJC=UG@0$m!J|E~QqOHU%hXIURr%hqPl{e+N<vu!)FSbI|S0_A@s3Rw4}s
z0CE}@9G<8Cw=<uTV1RR@Kh`=34cxZcWo#N>Ty_IkYz&O`$M4hK9u*57?G9_$1Arr<
zKr06w6tfv%oOqmSAO0yik=JHzwAihUOm{R*+*PN7W6>lEV(7V&g8`C-cX)Lk%wr!w
zf1$iK!ZL>bF^KcYvA4;cMSnbtC&&emafJGojp^@S-%5?#e|&SOSr^%FjiM3lyF4Ss
zq856c4(3zx-l4E=uSDACsEU#GOA{`GoqXu^-?d-;N9+N7zw?>G7}0bmirOla)&&VQ
z598G@X{84smY>F7>Bt)8(O&TR7gxjCT511y8->Z*@$5Xn1<p-fg7jqo8}@HBocm6I
z&}}_4lz!V1F&GWoR(2G%KLY2=?a56LNgp(-!%v^VG3aaz0Fn4A_0HwP<%~_Mfiu8S
zuoV;!ms)E~0Bn3J5s>VqVg-OyTDr$lN|=g??_tjK_3>}SF_eTHxJ*%X0Pwo46?Yt+
zHZno3DRlUq?J#JNO4Ix7YDq38JZLt{<Xx}c8-H4t)<OiIMEM@s7UpSYE#gkH_p>`V
z$p={oTlei=7G8h%i4aA>Z=9xVd}H%jKS!L$;dMA8Er8K|@q50fzemDY(V;zBN_19$
zA=;J>??^sVZkQcw;i7++x^Xt!=VOY_Tr*Xa8dfEgqp}<RMyEl#H;d(WgttED)#@JV
z3+17k-mE|Fn_$>T6>))s9ox9`mtpfhv$G4RXenq@6a)F|gI{V&_u7&!Zd<4d902ZS
zy)R>RfdTI8UA2bV*A(gJIBN*3O`tf_jkVqVIp}*n>xVTmeCn8Kys-iRI~rElaORn1
zy#6;|Dx=R10tkzZ34rQsy+F12`yHmMIZ4JP*F;7e0fez3eAjTeL_>jJvtE%(ke^pr
zFA*2x0{8%lr;}C1M$ZNnMcg+GYv!XRPmaL-SOfZ}#%qq45p2PANnMN*gql=U%#Gt^
zw)1ktg^Ynx%>sfrIbBSShN(hU_vR$zBAcebto@mpO85rq^es=f5>RiGfc@B<YGVw6
z&2JO^lG>=6KS5qz27E?xRj*9(lW)0hfYZ?b^7{6AH+NxKK){uTzDAnMMZdor)O2P`
z5xPAH&H{YiS7|`!1-&l>u#;~lnFR@ErlT~a{Zwr=hM#boj}m><5l#0)5|Y<gV^rg|
z2WUVF{Nn}va{GzzJz;)~MHnjN7=+nA#0=OHQxOmM0LUGSq!PwAGS@uqho2vaqgD(Y
z>#QgYo&3{1e|_XTAcpDPoPxD1ST9gnFrXKtM+_XL{2rt47=|9LSUcH%{SZfxb}x}@
z3>3PFnwKY%`Wh|1L`jhb<IewZyo^h5#L~WV9Zq8D`A$&~-Tcb$hPFG*Xf(7RtWJ)O
zwOb+kX7!?wUrh2Lh?iLhL)NCkcB29sD)iBT2TNXe#=PP2QOjOKciHs;$92+ixhl=I
zPdv<5rcR00If$XfCX~(%z3EA8jQ0EW@%>2$L;Z0t(<1Gw_4DWhm|=6u%4P&P@3v4?
z%(HU?V#Eo&xu?HWL81F^Lf*8Ti8w4gjrZvHXVcOzBHTzEZ^b1aK*>lM-I7twj!+27
zhzLr|c$;SPBB_f0+V|6=GTY&k$#@NE{i1&9W7dN6?H>N%Z6&Oh0GpX)aK^6_&s$Zy
zu3AWI*;}!yhSuyP23O<WY`YFJ4h<_|4Jo{~VbqtY9yA^ASH#kXM=QuNt9i3iCy+l8
z9_eK87$NC0ZLB*xn2+)0BYA&yu<^FD6t&aQZyVW!*6JcsJc9=E;JBlYQu~voGXVN?
zBVkBiT90IWu~0?x+!xEFJR~TTC^aJmhCSYAf&NUw>VdM{30er_-B(Yw{_;9e%>BE*
zHJPDH7hBl;!S!{I8Gqcl_xQ~IkBGm}?705;{G1z!?L2psENDTp-rFkqP59o8GH+az
z^VBXD%9-_<)YY~5-%9l6)=<1I1+6&9wriYdXNJ$a<M+LtI|-c`D=Fk{j9SWN@!ZFa
zq1LpKXT+z;v!N*mci?(AU<WgSD3R?MkLkIw!A*IFFy8}+B6~#~Vpp1^o;?n+ZB6e{
zPV&2%gG4tB7Pp@_vzTPU2RS+P#f@0{;Bg)fv%Q*f<{q@^v5<Iuj3A4F_T*4e>ymHu
zXV=5&mmJEH|J{t3HQVtX_A1%WWj3Q<lUbdR^cU{(8dRvVw(JCLaZ8&eQ)b#VW%(y<
z&ZW%hZf6k|l4ZU+X=Whor<iI)KlK(f`RWGv(6T6zagI3besUBw%*wgvd3hJ06xd2|
zae|WOP8%&W->au9j9M#GhNTvzj_Ty;e5v^1W?=I5Y7B%Pr&%Gz3;7;<^X_tAy3{EE
zx|{UZbkN!P#E;s&>u##O9#xlIUoe)cKo~qKvoQmcUgay98`r}RGs|0cbK+sGX^L0M
z21*HSOUFpAM6eU~Po1AmpI1{*5V5?vwz*(^qfi)Oihg(XEyJW!%eC2o%B^MD^A?Eg
z>1-&2cgEEx0w}eXkZZ1=&j&)XP_|lxwR4LMheaI*y*t;w1A-w4SAx`}-mh1<4MNlY
zHcU4q7>?N6C4!}Ofydz8zfbzE+dW-c4sH>l#ZN!koyg5z5^`A56cO1WHhMGF&OAuM
z0(8Vzz%f{IyQFTOzhWl%rucVY#bI^DBlrPWO+Qbqbq2<l96}<LYdw`80fswL)>Z%;
zkNnh=L7mDrKs!IVrXVs&QM{`obFC=H$2p=hW@o|V>8EmU#(q;2ytz5KCo!UJliRoh
zkok4V&%f)x*QASk-vjYbwIaL&eHw^Mw5Qp{TRAxtUwn@p%SnO$j<V50_3nruI!$ES
z+ZE0rU4<*BWF~_&U!cQJ!nen>wz%XAcwnzb*c4ZaIp$M3c<TpLV(6t{y|3Iz?^Jit
zdr{^|nvbEQcOpibd_Rctk-r>vGAuBxZe3yAu6~b>G;0%<DO&J6AA=2NQL<8#uP;0j
z^=R4WN+3O_x0<W@;WpvnCo9HedYE}NPNTt`&*;FPF@dfE;u0k26V326`Dv#J<!|P9
z5A<i+V%R=L){dQQLi$lcbH|yz2kruWtcD{xe}~RGN>{46-~HsH(iCpAz8uF9Suh|I
z)yA(kiOo+mMG6$zqJR-L9+9TW?8MtR$gfSbf=g3o5ZqesSqen$RYDOcZ&@lYK_DaZ
z5EcEkp`sb3!|k4De8#UI2DT!oWGP$wbH=S3qmrP7YG~Ei=xR@7$HNe1i$U^jC&x(w
zdS3GI7lMWEjbe}e6K8_w#9O0AWCh?KbqkIA*mwq@8ZFZM8r3`xp(t(d;)sRaNg`B|
zsQ?j9B}c+=9Rm4qiBS-j3m@y&lH+2JWP%3#jW79_sUTV8a&OJmkNgOCdC!Vn8p7H3
z-1n3o2pptXclXj6)KKr8_3JQyijor+-My{ak9)#f*W}>%_RpF^(6X(96dUg|d|j9_
zat)VE<}O=m5!bV8L7tgQbFXa8Y{|<WY&b_(rz34^9VqFm(GC96atsy)_V3Q=WKWo2
zDcliTEJ_9BD3gN21mnLO`Chz?F-nZOH;aN0p-&jpL>lOZvj`EBE2f-e+C8vBwJ}Q{
z{bY$)Y90l;#kw&I&Z{;v_B5w}&=<uVki3V?_vWT9$?-zn@)eXM@m3<dkoU_kLtE>L
zJFi5fcmsusz9eNM{XWlJ0Mi@285Wwibv!{^V12JSFiTW!mTAdFby+bgRPoo^m<@y{
zTU=86NlV~i8uY{^BM8!*)}}odqTKpGX_UIqR(aWo0BhC8;blYoCYW8@*0lWG^)Zzp
zM|!o`&?sDfN@EJ0>1-2$pV3SDhbF|K)!Ww>+begmu(3{KiZsZfvxhkZU2NXuX1!b~
z0&Q=@iY()(arVY0;h7&GDU5m%p6^m9TQ}KKKhLiSuUpSWgobZ&`QUAZG=(f9V{`m+
zgn}riNwN7ODB5%%vq=%Oqm3+zNsm|;ORuo;5ZiuLY%qtC!+d#|gLDglAV+oXj%LAu
zw-yNyt+(bK14cRL$>VX?pquj^+0!LrgzZ_%Cyw!9|0RB8^l!#iA}ucUT;j^l?Ht;G
z;8d77kTeHW>+_iS?u}U=zj<wPO2yH}OTR=u&93%&-U;Q;>^g#eCXn3fMP4hoVEv{G
z-?Nv=B38`{kCTwTqKM62p!N}>g!0V;@_-<rxy6t&J1BmTf%JAK%hW3;-ZDYj(re4n
zQO1`W@skP7@oZbMF2k$d3E_Mq^n|)VZu10bwl8DT1E{lcw^=?M@eXBaVI_?-f@m6|
z3bezSM5-uUGJhrXU@MDI;nJcOd;cYWWNe3xBut-^grC6v3D`@`rA=>6t^C?;PVz(B
z9m-zTaN6JaLCPOYWY4H?%CJ31WEN)q(yMi%JBG0Luy^U~V@$015v<)O#|v~tkVx^D
zcN>VKhu&2qP7Nss_jP{C2kDpxB{RDqqPG|nPv*9XbfOiNw`wtRjiYE@d5EX}?;BcC
zl~K#`CUT7HB|Ut`R|;$1cpHaa5^Xjc3)L1mm;AXJ#QFe!8nMYiz6>32K0J`_nB=~a
zc&>(2BGl?2y2dm)tno|!@7d8!>F*MEzzK`vjKLwnY1`gLJRb_i5_+*rasJHJa{I&g
zQZzjmjv-T8?1ZeU0GyqVJjFu3%3^ymGwW9l&j$B|;th@re{()pN62k?P3WF}T8PtQ
zG#$f0$Tn5c_Ghdmm{o4lUa^gmUhmC>IENl{(Jt4NIos+!Qz^2yh8`U~*NzX-goV$Q
zzloMs`@!6|4iPEinl}QS80<<vN}{BPeVx&2+PEh_t(|eYRu1T)_-Wmp8WTf4qQa+}
zrc7iCCMC*$F-2cBCaQ7An@n;y)pBbk*#9O7a%A7=0TaV5*w-#v8rYqnCMZhDhKzd+
znw#90N49-7Q9&4jCvIg1T_WBNu=#^%Y5b*VT2A3S^H{wH@TRk7n!OYjzOS$+!|9+g
zS7!riN0ZSVSul3)rSDXKZ;%+1h<}NUX%w-u)#dE*KkOuoSMma6rU+8=!`nYzzjzVm
zx@JI^;O`8?{fiW_1)Pl4(bfm&zvH0)l&qNys24MO36ei}9DgA-K#His>2It5-QWL-
zjPXeUjngZy^sl1c;Q@kWrQ>b;-xK#gGg!t9R3Gf|Q~A%Lx^DrpM(7mrRqW4a;ZOzD
z3lP!$tEiNlfcSaG5JUZsUi#0S1cU0ymNHrXRn#zOmG0ent@*zr`~O&b-Uxu|n_<sb
z|L*Yr6lL`qv`UIE>`B_6EqMb|eR62@zlu`Dw90UdQq-S}*#Fl%<spxE@{hsnl*j$o
zc#7&<UX6a>T>NBM-F%3T-}^eh=BwLNqo(Nb%(QQXMhBi+N-D2-iU;2+O|;WE+L3WR
zRAxQJ@LW-%Q$-l`_~d(jirBg1G}Y}V3D<yWWDjh+WgMRS8}_M=_0_il-E03ki_aTC
zG?Ay@c`yzGt*&Qk7l)lG8F6P1Y3K{D5<h=6l=jpU9pOCva<oYlSHvl`t#WFVT88uw
z4BnprJdqtnJO{j#@l#;l*k1c5D`ppdJd*9-1E8(R!s(Rf>ZiT+%4zbHcON2vyCJg<
z-Atg!HhBBuX!O@sVC08};uhRnXvrg9RCj4k;We_MOXV-Ww@BehJ@nW@*U&lGXRD0@
z<DeM>_}d<M6w0pA!$vXSyuTg*`H45Ofp);)(e+L&=TDx`|Mp86W9De$?rlyNKI4*s
z=t;AWQV3P;r=?9<kWq7@%3g&6#_)!drBp}4Okj(7ny2+PB=lTrtCbX^g^YnvI;yBi
z{<?VUO%2pq8+6KjB`4_-AjsBUU|lb&obv49t3NRJ0u6E^VO-b2;5S)Ny+n;+w(8cL
zK7H6DmZ-w0^v%Hpq+OsqI!O$bae#5f6d2Wv14hP%9fimm=`W9CQMx(AzKO9mp+lVg
z$`*6;3Q7Qz$^KHyBtzO~4KRg!+t;NJOlc&Z+004oN9(?<1=3X&fnl@yJlOFw^ucZ^
z1@A@My(>jYd3heNt$m2!4s1FaRATt;m0jol<9X7Sx8)yelvSV%KIf}yvtECdy+&T6
z&!ZywrJd@VkA8%lh)mQUcsMM4%&Thlu6~%46oJngv<>Ph$E8O!-c(JV>B2CGl50is
ztdu=9AE<%n=;{_g%1NVu__2r3D|`cE^rxK7Qm;+3u_Y<H`m@VIU^vzQ14}+2+1)Tc
zk6MqN6VJ~?*du^@T4@%{mUVKzE<ZUK4HWb#n`ztk>5m)E&uR!hJhLL*K)$e)o)+w&
zwaD;2`e+3BA7grkgs7i(|KgzL+9H0?90CW%=YxsoBSz~L6Aq<-tAWM&0mIi{rUM8U
z^Cqw}6qWW%OFB!{?|{z#%s2@KtkJG|icnj$#4nEd`r;%L-!b6KpwEDZD(CQ^B2+KV
znm2aD$N=V@${ekqtOUuCX@*nyulPz<i3%)lAeJmFKK*)>y6{lI93r?qAWw8?Qu_GI
z8VKvkf!&Gh(M*sWR11MBsNKG|I`}qpL_T>jPKjRsLm!w|6TpEYP2rDh;xqb;P`*k3
zF7fs_xttUjGG3BD-vs6Z4zL37eq>y)#eM2Lf4jtmutN=iK_U{Z)%pYg+0#jk%Ld$h
z_2$UO2OWLDV6y-2TY=GpL&K@tgw5M15`xb&Ie!s-ytiD2)kMcYg&T*^eB>nPg)yLK
zFD^HCu*AUT0;q`Ca4G?NGK`7o;pgD?J*tV|Cq*W3j4LhgQ^mHA&)-DiUt3#(G@!O=
zQI+<oyyc-Wc@FzN0wa&lEGn$xbKP20EbNws?&wHuH!qq4mL27l+y~r6$AA<1!J;ra
z3yPk(!eRWq%6a}IR#7tmL&LQQv<MosQX9h}x1rB5<}HR&P2Aa6&OJ9Lg|d~Zu09>i
z3Lc@WeLf2_&>3&VA*7tyZ<gk^H%AUK&Os6hE5;tD9`YFrjYqyY1u#OY^`*dlIdOvu
zJF1t*BGS47YY*HFTY2@08dnuqn?)Qf+9RDEX|r~+<JIpO=IVTU9qN2j-R7d_PT|c%
zyoGmV=4!kQVP%)$>ZMF9uSUm=o{pc`;E(lNER74FCh2|h9DJGRK~2wo29Y}H_dA=<
zV-_0WbqF#sk02M^bVw0QBG53NBxZEZd-(DGToE82r5Sjfna9oejJe*fSw<v9Y3AS0
z35Omf+hs<9p<Ms%lfei-%cR~mgBexiNfVdO$+QKNcRcaE$RaIcQsN*p<^Bqn#qO|{
zT<y1uax5wi8dXFve_7bejr`I+AqA%@`fb;1dB%00LlJzEL+>x{;xe`*2N{n#Gs*H@
zo9<JP<$Wt>*`T$}m>T^`{Wb52^_hF*xBQV?+rGTquWpUyhi!pn4spOpkVw3TWcrGB
zGV6UBL9-d#f*uXN#iRT(qWA^AUl;k5Y^Wx_Rq4IQC0g$2<hWPC3L>MXfeV%uvmrD`
z;tCVM?XY>=yV^2OM&ZnDY3Li^$&sr01t<!K`f{A{_MNdz6~pS1hqmNlO)n<`(XFMS
z?9u3Nre#(b6H0MNtW~0BGlyW%43JUmdw44eyUPF2#5jN}C`@drX)C%aoQ%sLQ6kE|
zGS9d2`BUAZFoItOQRQd4tk-#lUX#`N;-f_62vg?UnOPz9ORiFYdZQ=ldQQFvX%Arb
zS}P6>H7R+-y3_807fiUAJ<i-qEcEpYGiz;V)PDB2LX!qfm!-&A|F`xSSLx{^baET1
zix04~{BDy&c!+1l^-3PEyw8YKyfbH9iKs7PFdjGsQ_fS5<;rz(#NJ$cGha~FoSKC(
zQ$+TRk%|bpU^Q@0e!3ff^ZUmK?5iV%8I@5LjE}0Vx92~ujuyWK6VjC%Ar{~BwfJH;
zHs-RR;cbcX={4mAGyKO(M$Tm1+T||gsT0}31k9IphgF)eLSGmVD^k1^iH9zA9?ues
z<_}ReGfz}HZWclr{UDiy1^}E>Bf`)&#aVNJDth^Wt2bCB4e16ECp?^Ao<D~0zS>c0
zWkL`eA>RVw?KY~n4}R`#a{97j?#JA7h}{FKLJFBTAw`-BKQIIUsxVf1s^CBx1^Z<^
z=C{q5e;sTXtttau8r0;^&B#>8<x^*y>aYo{N*D=HYQ}Vp49!u&4+2Kw$T(A6JH2Jk
z^qhiqIU*?qnQ!ELy7;s*oFp6+by$R7664jvb+-H*O#Qc*9jB-&y~7`65#DPBk1F{j
z)J3PkZSH<MUGqM|kt*N=aA4UE`)zlzZ`k9bxTY9J*dF<81GgJGk$L!W@9dQb<kwv7
zJk4mcmXJg5y0g<`uVY{>jZ0qD;V=siEQ<8oPAk1}S656Ca+4rl0M45phXYNTTza@7
zoMV(y@h(?m`Hwg_JQRc<1&CbZ>icL1s9e{*a6}qHUnEbw<e{%LGv~zjRz+HZpw2(8
zQUL0=p1mS1|Mxpp#b{jmT;N)+VdqP2lheTw$VAp&N)3kJyU$agN|X49#ohD^ThVxU
z)$RSbpM8H8$|&WZl@z6#p`rWd5uiBxg8-jXM)#t_7eJy|egFx)yErp0wm#6zuYd#h
zUleftsVg&@0C02o@`3clNDm0%SHXdtOGeuN62j{--gLJ2-hV_V%$oQZx%=|x+#7$Q
zF>iov7FE;_|9p}+H!!01m1o+Ve?pi;5|AvAl(zjZ0L6(>;jjM8y?=3km%-j<1IYsX
z;*0+RF!w<gfiC`lcFvz|vY-Nz1x#GJ{{_WzWB_`*@h0!ypKa2a1lqlRAwlEM%KvY7
z2-i~l7KjImfqFd%)J<Jr#D3Jx47}OaypPI?fVejL=;^0KA+_B2KLJW&_Gn)e1AGc&
zJC_7YX~d^qLxLj!1=fIcSOP{eChW5V>-+b&N->5JoE5vk{9B2!!Mpv;41EOn{fJMK
zLmbF6DnuVjYGTUo+-JffM(W=0dVGBRwd!S5DV_V|;A?O{)Orv9xsx?MQGa82>jO{c
zZ+e_-)RrLPa>*<Q!tVQCAYwnGuqc1>tpr4ad{(ay?hXOqa{3+Ep;LveqrZL7YT29e
za+F*z8_oyn@>X_R#W}DtkEU3oY~kl8uEmKdDzXgTXn$Z9@Q{83U(GKyw1oZs`e5&i
z=(HYC(Oo&YHp`HDdX*UE@Bm2n>yg5JMSy-C$3!5tJ-h@|jv)LZfB_xk*Ollq?bmZ*
zzR@q<PN(}Gtyo=-zd&mgy@mojCh9vWHUTyO0}#0bc<93E=#l>XdoghCkH0uOePFC1
z?Sb(CbjGpx4E)HxOL`3C|8<NFAFN#%AHl0M?<lc$;WD7RjoMfKSlS=X)#hdxE#$ha
zl!LsDz=c)<=tRRzw^jFf0to93-5!t4+hgbv#?Zct=9*5hgt^WEA^2hTi?>WjNd<aa
zVX8ivS`7&D`zM3rOBkzoB|tIFQrap>e7~77W(n&Ip9+kL9kf2b7w~vTp;gvEQ{BQ@
z56Z=8^TU(ChaI+>y#jW(Q1zD#M3k9<ietcU0i#>lLY*wb&x;Rtmf1_ZkJl^RfSKLX
z2$$CBMICS_lhdZAjLUn%oDualn**8h>vj86u0+?!PCz{2i*f<@*F+LHa_gp63u^i>
z8h_31kV@SYP^bIa6|;_j7vb5>Y%BOEK*AWq{GQN<Wnh&k=6vw(U=gGLgAmdbXyl(q
z6c1)UXuVyFmA_ux70>QPy+IL2mE3#|j^Vd?r6VfUr4KC~i84P<sz|)81tRdbjN7V(
z!1KWJ6-ux_S?OpJNOU?22GK1P7QH^I1;}$7_JoT>v|<C8kh~$pJ)*X04%Slr%-~3e
zBh=H@;zWOV+NHW5^cT;dE@x6vpDC>LtjBNi&AIdmy2ZEftJiY6`#4DGm^V~rNFLDm
z?7q3Nj~9XVmP`3q;mu%-m<^UoLP#eB4<-?B0Rx3;)|nE$M{D!`C(S!_{|wU;s6b#;
zwM|yi|4Qu<HUs@f&|BZ>5i^%l1<V4lo(#P4Uk7TbPQAB>L77b)oolb42*_l>05`*j
zKLDb_YZ7u@QYBKdlpX=Xy$$H13?kE(8IJ?>>_(z~k*Pm{a1hoN=5$`es)1<0wjKjr
zeH~=bZ24eo6DuRGL7jqpF?WmcIWyc~K^Cd5o4trywg-^FO}1k24vhzri(Wa>Et*d9
zdoWAjF{!#(Q$LFcvH2**NrDL>1iSzWUjqTXXzM0GnaRYDAOhpPw}ZZeepr-CIziGe
z@rH;rrXIhWVvGhZmPZUf-NRvpPBK+O)-ii#WfXz~Rn8XsY0T6Z+g`(~U-Lk9bnoYK
z-9Vrq;XQmcz40MlH{o(6U_cvxm&K)9SZtx%3hZo3mh=GXdi75wQ(>YVAg&iv2|qq~
zF6WD-0gqb>^tv;!Eq`Ud3h*QzbRar<&aA|@f47GC5hj9%=Yhz=vnF{539VOYXgV15
z7cgIn-u9M0JFuXLh3N7K_)h?m<(E&Y+vEB4J9fC_#(KN56UoEjpg*0!>QUjEy*UXC
zFJWi1VY~lKtkc|s2(a_%M!?js4i^5VDvb*%8`HaG!;5TYClHyi6F!enFp|Bc$*Wh3
zD7KD~BRV|+i+UW##!D4GP9)BeFYOnf?bW!ddxq1%7ev4u6V71b`sKE-6m=1Mff93X
zKbv~1o19OaE~m4|b{d(&m97|;+55y{84AZ@RA1P*M}Yz0)brh5EC+QN#iaMn7ZfU{
z^Xbc~44YX>M+4S-q$6YEV5uaiDl`=c(6_N>y>XJfqqoon>Rx5?XadWY2{GP$tFsG@
z@8KdvKLeg^ztUKo&AsdxY@~@F81pBzBP@a`Ro7Yi6bYtS`-17lo5}&j5%S>bB*Su+
z;$!?~sTTVAv0<HYN}lZ-;_lHbnTEu{6E{(^th=X=ShJ-((yUpHYf*@EJgfTSjT+ym
zl7OZ#x2DS$@QLHdppWkvgdayP=k%YVTZpd4A?_uRdHnXyIF1N<zqtcNnXsy#8k&-z
z*x6SCfl9Hns_3IISI>B)m90r~WXC#wLhBQDjK4l-c}uiZ^PD3=|AKGbDgd*1-jfS2
z09+A$MW{QnO~lyu&}u(HG0<dxS0T``P=rJ&>=)i?iv_e+j^{=5NrCD5M5PAeH+p8a
z>jQv?z}SPD`KXd+STFC>YtSqS<sq?YXSkC*0o*JmHdobZLwH`1G^4|xXmAJ*zY>a%
z@(i3^Z^~+_a@;zytC|f76DdM=jF|YXPmwh%%{I<akLjV!?SYvmY$4U*^G8>IAAx4(
zz+gAxl9bw?*Nhn>iPcfu<Z_R;&VoJ64IHX-Oe~%c0bHhE<F<a1Oa$|7ifF5qqMWzQ
zmO@NbwTn=&@ISA#8xxAVw#j-YbxYHHY>J)W&}lR14GDQTMSOiy?KszIkTuk=9R`OL
zB2e?>CbW=3BS<{!vqYyaRkKo7<->OQ79G)e8`<x98GLr*3KJdy50zcGCiOqUC4X(z
zH@(Ozr|BTFZKWzYCKo~-JetT_AyiONo9P;<3q_Y1JQ4OYUvJB=vg3`IM^o&=Zl+;H
z5UI|``)%^#^UE#L>v#ELE{l=NLF0R3D%lg_ZB;mIOV}d(7go0{<cM3Ya6uTy+gF)N
ziW^~*6doUF_?+XKoQtwH1Q%oxB|opV3oCH2%ms?6JnzpuIq>FPLNmRD;3=Bg7d7Fu
z8<rVH9WT(&8Mc%X5ON4l90!d6dhX}WExdEfGqyF5C1aJyt!td=u_aNJ?A=?9__5{2
zEP&S%X>bx6iT(i@!J2oX^{Yrzc|Ohbsp6l3uvK8=`9pQi3fw}9DQxmph%w$$m!Mb&
zf`V>}Epp^K<F>$($?WsH^vI*OY$BY&UQs!0?6}4(%9Th7^h-2-<v=uG%(|qMdo#@6
z^fFTuzHGry&;NzQy@^N|O03K63-$2e8EOh(r|j8aH$Yq7%pmH;1-V&;@iP*}+*Lu=
zv1#u=%xltT0eHK=pN+g%`w>~ikx=?!joUCnPT~h?2TTFQd7Ay<5W#(;=mdLx4wbx2
zX$*g{Ptrn~oX3=qZ0+6(RXQ*sPBrn~3O@fy-2Ha?zNlP`bZ{JnhSlUM#nAilX5Iz0
zdUccRbDXzyT_MYq&UCP^WpQUUpBq>N4yB*-{2j~#?<Cm|nEoW4nH?lZ_0DU%SGh{W
z#5(SaiMmJlFCbTOewuxQ6`W6>pJov8>DvXcjq95Reml~eWTlB%B0jv7qNvpwQ-qhd
zo71gvKoh7R#D-;r^F7G(&Q2OkJnuws<{hk+hFfND<HrQx0Y5x!OY9amE>W*y+V8p~
z{W@Z)&<QE}4&))$KVgT-Q`%HrcW++b0A4*4v8zx*qN+xA-M26~Vg2ObM0$O@kP+pg
zM=V+Fx)YZ1YKE7X+x6F2UhgMAg`%WkPs#O|5@I!tQSA0nUgagcX=iOQ(0u9cIp$ru
z$ZwD0qpm(h(+@f7<-8>BojZcQh`qNF+Gb}Xf9qVR+7te`O^b5dP;UWyi}RoGgrf#~
zd%G1{A>yzm){r+|{`7sVBsMMJ@Vn4g1V+}2JLq=~9hnv)#O;wdgo2&iS1E0Te_Fq(
z0ZdCZdfpRVP|QF`q>p|n7!z5fs`J#+DGDJ=T=L6=>#etrY$Umc^H#fHPjBeJ?eTVQ
zLdYSjA=IK=aXiH8iH0)iI7PI4m5~@jg<;42#G1A4@Qk1zOp*E(s3Q4VX{35|;B2M^
zr?1YqLM?XT;}1#x@HB_2S)Bd=rTArHie)BVJYegHJ|N#xO+}DX%HcIB*gWZ^so3&1
zgZrNMYOH}sv5=$d`GK$r&jP#sP1HimYU?V`&!-UT$a=DkF%1QVOvC8;<5|zq4WQ*t
z5p~9d#%L?ASeyB>`EV|<+fmBHn6mZg;=k#)&<@1%f!rHuD@&nP&N*2ASyv3PnX!4N
zN`vWD6`jM@pG0M{H~$`T%$ja^2^JoShN&I*R|thX;QF5xSt%D-W{6eHP--H-1sEV2
zw3((nR2khL;$`i;9W-;Fee8qQhbl)##6Db^TSm}bW@a(+Aq;?CSt;n~;ris0oKs`{
z`4Us2Y-7$77GsI#jd1Q>KE!EwuCTV`{q(o_Ri-M5AhVOFp})3%&W6HpMRKKT_#MU`
zD(_thGJGAGJrGhj%|uNGw0B0Gx6|MVeVVCDmju!<?*iyvybXbPP1SX{Q#<R??i<nC
z>rnl3L0Q3DSPYX-*t+j<7Cu2KBkDL++i4y_eS;!J@H29t`?lZB+4}&esD68O^gC-q
zJhe$O@OX}PCh1!VM3$E?@Tu11$4~)tm?gp~#ZPIJ1s=N~T*+@#6HhU7H<2%i;nDrY
z5%CKPw-O`2#$@hO)Dsf_+ZmU3zUygX6Wuav=(Qq<SV>s;A*@R>IG!mV`ZE8H)jxAv
zZU_U0!5k-d?q49E6(l1`Slty-zHt73V%%(YfZ9<}1^<kAG2dlUSO98Yq7S3~m%6zE
z$b=m0x7`11B+PfsB@CHRt(1lHFVeshP#G&@Kg0iI020K(0jrI;53+w27K;K%-&5rC
zzg{F@6^+qWy;z^b{#n@n|0w^@^-7*<>+jW(evHqYM$lYAhuB3eLp$?c*$_5B;OrQT
z3K$As75(qPtZFOewWsP~uZ=pH2_&jb-&yYO|2RI|5<2lVM*0bhQgkn;iSy0t_8G#~
z>dxe;?)vlXQKkQ@78#US-c?^z1u{}b3-~SNLH%vEEkJnG!hJxB_0w+N73u#D=k7~D
zEHMPB+n==abTA3HpPXn2DEP{*(@7ls#(=UyKY*<<D(XAB6LyN1PmdN(B>1SVV2t?I
zXTT<%oj(&TxlshbH}hioONp=<C9(Fa28G6Twdt<QeP2F5!tMsR(*ctb40vkzs&`wu
zK-npvbvQS&T=^V_vhP-acz6ORwvHITx$)s4!xoVE7Sk%Tg|mN&wi#Ii&ICi%xV2MR
zkDB<MYEQQ1!Txt{`}=WX?tkX@kP1H;HO%!4$aWPoiX0pq=xh+Sqh`%U0S_Vfow>65
z9e;^{k>OiB*iNso8xTvWjbjpvfiU_7LoG>yA3uQrll#F}>iB)o{##!D{L|C;WL)`z
z`#OfFH%W<)NZkO;w7!?S`uDVoCG$@tcShb;Fqj0derP+$+!U6PKHVL@Ml=y{mB0?9
zQ<P&k0F>u1&XzoPbQA6b$W%86h>llCD$@Z7v2W>sd4CUZAIF80LAEZ@CMTHOsYBfB
zv_GHMg4B+%iXx3V!-z_z2_e#}ywlYSFI8%5G3*M)u5NGINPgbtgGt2zxb-t)QF;^P
z6VDqKUB<%s3#X!b0BQ9dq!X+-bpa0943on?&AspbO<T8`opfok15})$?DggL$bq;5
zq`mMw+XEy-pCIO1!%!%f19{d^w|0FP5ZWp*61U&^u}S|vAS{kbnTVz+hnCF0su&?2
za|XKgy}sQOaR83gMx78lfiTGPHQ3F+WIX*~u{GC5-;OKkd&zW0O^;z;#ADl15;)@5
z0S~vmz@Gl>B_{2jDbEq_90p|RS_hm##H%4Hra--eOr}0IBe)M>UhtjS;UM{CcV(D&
zl4Tn2h=A6n|6ptWhnKR^*0RExDMp}8cj@Ltg&x!1e)6!&@<c3PKW_6f{no~h8UvVR
zjI?4kM*eqP$@mz#H@Im-5xJF(6LZt&H%KYjwL|C*C(2eW0#<J|k~7q|%Qc2(`YDRW
zXZ6F|Xct+^f(HzzX`6zFD+IgKrYjp(=$WPs@f;I6kjYG6LA75?{;lBIX-LI@hN-N<
z3<J?8wUJj@^&R%(WyS4LG!wumk@53*cB<@eWys$f^01fvL1$p4IiNCb<IDmfv@+vy
z9}QN~-ui^sfu*t}5UG#BNS>7MxRl^?RuoIF)$t-hR^#*T*Re9&2ggADGNO(3i&qnI
zc5X8KbWL<};JWw%G0TmpZKzz+<G!?&Wn$=-h^4_}4tBeaNUHfoL5@(YKwlUIVLcQc
zw9I5^iyQbH`(~gS4jQ7aC#cN&Y!k^6?Ih>|BqM#y8!^Dtbp!L>0F%B1rfw17Ec>n!
zx(?1n33AjfzA~7U+y-wIITFWK19trrD$Pxhkv>Dur681bMVit$5inHaxQB~9N&6xp
z%Y*s)!g<<xuPT>88vpJtp<H0+7OB3s0OR%FZfm21n;CA+*R)!n|EdM5oE?~$dle*Z
z9n;{&7LEX|h$yfz)4VldM0yxQ^s$Z8C7zRXtdZ7}i(+3TM2LL7`(YEj2Lh@wcf1?Q
z_+mugI=xkVoT4iG*ZbbXIZwk$=4kOso58GBsVR_|--kM0pkmS^PB5@9PlV?I<k<ye
zY_H9UOlL?G@%Jtwa%2Xu=5+$q^;bW$(*#)l@-;G~=}VLjwgIiP4!<#g(@OT-p}37a
zbF}r<q2I1#K9EhP7*d80z^g<g_5n35X>fGycsI;)UYyo#)NHEqCrkO$kv(5LYm||I
zuM89KwBs2Ztt2)Nl>X)Z1O_Kl|4uKE1ad;1RR-P?!ntV$GG_RsR|p_{trF88U*CTE
z`OTNFV1O-wfO2OOXWHMsVyrz_&}`;Jv+Z;TOI2t@b=raw4JRmos8Iex!!fmj<d?BW
z%Q6P030!KQ55eT+>X)wq^0*k>s<dEH-!1o$CN3;#952GJXlBMI0n12Phk}X{tGTOh
z2(f9g^l?1Fn_67r{H^gesp+qecV4=_75qj4Y5o`2R*@1BTp1uM8qz^rbM!0kM?{Mc
zCb5=}5TvoqjSxo?whQ8vHF391-X@%touEW+f_!m4K4>zbw>St%X_(_(Cm*2a0GX`c
z?wTc)X}<+q*^|e3S8BcPA{+=KZ7pnsJ)m5Kqf|eK??lQ<GmAmQHquWJ8HkN0;<`@;
zm3#6qj;<-@TGxaKC47r|{oFS3cYxO(@sM8ZPTV;?P%1dRg-Y^KxIAgr<0{w4lnfYF
zalgInyBo(Rl(K#s(+v#~JSbg=qe77>hS+MlM8rnE^yWx*x5<!ao8{o;HLZwQqX2%Z
z9q$$*=&sTDi(-afyQDqvX5pn!oQ)`#>r%U#6xz-)!d+WwTj%}^QUVIJ7_oG7-&>=K
z0>!kC;du{!qoEBHzK9vgHX;Iu<+k~3N2Kcdy>E`_s;zk(pBG+D1b3(3H#pN)A`FCl
zV!ArcuM$Gp|3*{(iEKqf%zQy8K{1wu6|hH&!mt3<-!m$LBZ5dTn&C_qFq0eiMkEJV
zGoQSU8o4|HIBg#qhMD6qLWVZ2CGgO;gj`!!)_?)Um<4sEmICpWvPk$nvPiDa0)dZ*
z)k5s(R10EyJCHo)9z(i}7ute0hrSD|Gy^Gs+b&Rf%4K301Phzj9705f^%$GhUhbzE
z#ANB#RwbY)52_EIWFl73I9CZqDBrNy{rdiCb&lV#zwFu})Q`~fkYGPXl#j9(U1d7!
zK@v?7MAlEM0Sz%Fz%qx&&9Wfn#?>=2{jy(6QZ(}fz85mK!}OWx+Az^fw0oR%=$3cU
z7m<nH$}LS9^#S(IKzG4O+!JE4%nVX<0^QmHJ<|=`L0sm@`jl=6R=b?Zo5BI5A_OEe
zLwUzv7yqqK8QI&yVWN2+PIsWzZ?9%<&c(G8JMWs*=0m#C@~V)U-wK0DC&nB!{dC|(
z1t!gxTLNROCipaJPgo{}t%A;|<=VEg+IXj4feE&K`^neN(oo_hg#I|ie|12ALy)y{
zTi(SJr^8I02#X9SDQF;vnuC4WYJif5aIVEUmltcsk^rmY;S}jmdmUd;C7Xe?)y*VX
zgh3H;ABEfsI=LyxpWFO}za8ZZ(ts}ha|9IaI}^7MBd#sLnh<wcde+KtIi^~kFt&2i
zMWv7=hKA`alK%`%Kl426dMg9@28|XK&s3jNG;wLwRX4(-z_uR9@{qke5=02sNCQU&
zk`?oD21)pZzwIdN`id;i+sDA)FVr$UL~k~ntJg2ciKVHIXkc*<U7cbgng}P;J;}BD
zRWnN!2VZ+Ylo?LBPmXY@1)>;x5J`vL$yrkR;k31lYnqC3KhfneJ!RdTdx^~dr@6C?
zt15fn{(z{2w1jl0f}ql!DlH-1DGgH6eUKDMNdf8ZIDmA6fYKZqq(PcP{MVV8-;6qM
zpBK*?KJa1hvtqB<>%PC&b>0U%Jd3#qJM%?mr-StZTY`G-hZ>LHvFqNtq_E`(Ld6u`
zISu(vJMA2JXm#VImk+x3Bu%w{4R=;#4gKgzf&g_P|6zq<#82U-C~V)a!ozFoBZ#0k
zFRIca(T{n#p0Wf(xxpE-I|{0$IIoB!LM=&Qz8z4ORW^e=S2$XbJe(Kzpf^A2dc}6p
zy0qLRa-G8Ad)iIuuejR0@KIuUL1T%?8~V@{hU0&S4UIRG0!5qH9Ffz|?Eq6_b9%mx
zru`A|iou<WQH@%{ok&q{R9~5RMlYe|IS@_uL_&|-WsJcZGN~n0NP|+YW-rjgfpq7B
z6PBrR!-MUXeX_PZR~Il-*fZ`)EtGW=ceOxeG)>iWAlA?39MQq{4B2!|et1rhfwbf`
z#Jfgj)|bKDFN2w?uMoB1UzbH3ifM4DC&pe@OEjR6b%r{`0joiEYXn)N3Uu=2Nt*e+
zO1$#!8Ije8rsW9U@BMs->CP;m>U5Z7*tXFx8D<{&B{ua^F2o#;?`1yw_&kpC?vWtY
zy8msyuegIhd-$B;s1FN9Ni##ZZZY=zE{yNLUeI#8o8m%<0#Xo5>xT9i0{7|Z7ZcvM
z(NIG$ZXJAWXv5+^MP``!<G^u`kFyrrz&-gIyfu18K_+MfSSusHC<=t$p<#~1c_hKS
zUPi@(;}oE8SeO+Y>|fgWu!aS~*Q$l4Y9xOT!yY7wx=F@IG-_;SwPVUBZcx9IM9Wn%
z!NG!*nni^(BJYwS<Cn<&Aj?!a+gDlmL@gX@hJ$sFxP6os&p?`(avdx@0&>}&0#+Zf
zALT~6YrgHpu!W`-E)$Dsg+5Q~d$N<niMwMEL95GH`*0|V*QtxlF|0(f=kh>yeUn<?
zk+P29o5MZIKlV;Xyc4G-DNT_QzqoM5`r2jLa(Lr$h|d|PapEMm+=wkEgX*Fh>_k#>
zpyq%_$Y42H{)y3mjp~5aKNsVSvnup;&*iP^Lk=%GUf?a_$w9q3u}|JEo+|G{0Q!6z
zjWyJiR#E(CD*-BUU&H-&YV<wShb}DrOXvi*MB|~D<8534;z8Ec>+cVOjZiRYAihKx
zAyldA%;iiNPQj0Rx)wZs5bpbo2eeQa=-iPydqSzum6wyc;cwS|M~oWvPVZIoHC&i7
z?2(-*)xZU5+*`99vKvl>nIiM=;t2?tcfsqpylYwO3=PWdkLKzLqn$H#IE$SkiM~%L
zc*QvH0hROT$F5G%yCFt|!Y!c?Y6;xv$_H9TE26h11#WB@Qlks7K`2`7lr=aV)pjKk
zsL=J_<}maxpr2_-1jD824hqY@c#C~F<*JLYd$1>aLgP3R2sP+S7ry_s#X~U_cV^Mz
zlIj@uN02fQi){<Iv}1ask`tz&QJA(r@FPG%!bc%)WvirD&Sh{q5WnFWcIE#$=e`$l
zE#QvuFT|!>xhi?B_Tzq7iO*%E*<S~syk}g-(E1VRSsjqL_>n<4^qeYP9m<%>_N{U6
z2GX_dDXeTBot+L_SLui8D<X?%IOa^9OOvCA^r?MN{Q~JKd-f|Cr8%RG7XH421#fYs
zIqs34M5R=u$SWB*`6jkYgA7Nn5`w1NFo-DU3C6AGos50LiTvGk?ziLIn%w6@6*o>*
z@z_zi;Dg`K79nl>gWD@blxiW?zyNYurG4TyfF$dXm?RFj5U+;isaP96k(V%0y7OWM
z!8#_hrV{L=Ia4X_$1Qli9V*C5xzn!9A*<^AgO_lMitODt0^HR);)A?X)(Ep0ZT3r+
z*@MN@^*QRp$Go=HU5CP{w#7q?x<cE_UGF{m(rr7_%%EGZ;fJ>a^z(UxsTH!FKW%Ww
z^c~1{3C5&A<&FeRRbO~zElA&K&-n=(Rg3#f!oH|RsHk+dL}O!uBCq6hF<pYI*>%Ap
z@Z|m*U%R$~w~Q?B&7M#?2i#f|T#iLHSo!MFt3-k8^M_c}cNDK>gPU{nJ@`MlU#TM;
z8CXRl^(KI&(H6T6TQ7bop6bPB#p08#>6#LE{zP~?GJe1X2X+PBt@b<h`=~{QFE{kA
z=TSbR&94~A)6&QbALc6m6D+$+1Y&NBG<gpH1S$Uh1wi6Vae;DbqWr3XzsIQ{A`&7r
z^0U9%gM$0iXhG!)hTC2!|IP@3%RT?Uxjfyl36=1^y8dXkTt%JZnx?3zXj2E%e}Jb#
zB^03UG(#xV-yCfqEC}CT!g?i<@0;BW@<CWG76B2bT7{_`tDY`aqoFq^i{h_PkA4+h
z>Ff0uNrLXxav(m$1>~rPL=GSokA}~n4g}i>XT}10l_#3N-Ui^T51;!JA0hlILCU<%
zu!x17h=e-Eb^dpn8^lKP(9#pX$ah!+@{#5tftbcjq}a-D!OOyDC|_jV`gQvtfV__{
zQ=$LGhV{=EEGAs=;OPBS1OG#6^&nuWd&MlO|EXgDh+>B5tA6}9K=Zeth7-YX1r<F1
z_YnTqOPntr!m@-$T{ZXj@f33h48rJz{1?9un{)}(7&KgNpkx3sya2$fS4!Bt_)jH2
ze-P7;4XFjtk2(U>Z^u`VEfuev1#jm-bUZzY@F)OB*>d3U)g5<VBl>CPPxI;TzVN-q
z%{^_Njh;;6bIR8NtO6o-VhKD9sC|zCXfln#4%G)tIkd`Zas)w)Ai`Y;L>Ei=VlUbv
z>c4IMmLL-1z6dNeZ4tVRMqpGh25<neT!e9DYApyoXn~_ek>z-?TC<lYDKMe?_?qv(
z&qZA-y<O0Ld#dWu)e8+E#6?e`0OL;X!{eSdHVmCFzQ1=Q#0Q_rUO~G$d2J|d_hSr#
z+yYRAX_DOf@6&r;PZIIblV6N|-&+>fbxK82SR*hP)naYlB&+ANKV?Jye5}`e$R=X#
z0P*x3YjCke;22h!;aunAf+(}4zt_T8CjDz0v-|Ou1vud63IaOEVr|gG{n7LPU~-mx
zzAujcjMEkaXk&A%D9Mq6$1dI0a;(q-cy8&8PHtZPUUMol<N}p;5Um&llJF?=WrQ6i
z9DwnhSAJC%qn)i)cJjYELjKvU6%IGwt)MT0Kt~Pmky-m7xBmNBL-Yt;rE=a-2>hj>
z=xpKdttzAggEST;ckA~7U&;c~2}RGR@@0OXBWlq;5;M<{Rh<79LH*xpMm-kH5jA@2
zZ}h+SGwU-E8XI~fmWKZn{~SR#!%nJSuaBrs%K!Jy0s^GR_)~ec57=>EHokEJtB$jM
zjpXl(0pv4@_#XoS&MY>4GVNe#8_JeVGz5kxG1A4gX^`H3Ps4v!RlNvp-dCLU<DW~+
z3OY?+&X=1QgcHEz!D?rwF3t@1Or=2J_x@1KM#B*cxs8Q{II<YpTEb|GC$ut<fA4P*
z6i&Qu)?`kjyyt%{96$g3f9!iySP3yY>$hL(oQ$TId7d4}{5(b2yD6MPa4K6Nt*P}J
zVE#tWkGC6I&ldUi5dq>$!k2E>oerJyDVFSB$7Uh3=ak+9)#J^?ODhU#jbA9<oNy;S
zaZw8SCf)M&k;j&75-;P)8yF>Li_n?Di>c$4-ca{z&(`u29#a;6>reH+G|dzoWNS>I
zC-cB|v>a>&r>wWsr7FNF5@Dhn-`#*?&RFu;6$ExKQZPQwf`MKQq(g|warqS?eEOQJ
zR1N4hpxgMi1&D(^>x0#S%X82IBQUs|w?SmJx`R+Fz_1*K1=usf2b#vDR;8l70$=Bv
zy}c1;u*$mZ8^+_7LS>ZK$?u+)t9^T0y<1H>5gS}xU2mx>pR70Q;zjXjl+ELZ*5+{C
zK6;Jc#49(=U9mN8-IAajLF*y8BE!IbTj;fE`|E~{vyaY-UEx;U5DVue);6oqY^Nfl
zJ|~P=EwbBl7eWJro*t0!<Wq%=+SwW_{c-Z)F)rO2sYPuieitb3%qz75<A%zjG)@gA
z=nIqDollh8BmUeqtC*IW+2zW=r4`E&eyArPtcmbJ+5(xHYLG*yOK=CF(`^85mI1J+
zd19Aj{|InmT8Qlx*f3XLoo`NqJcfyQ(48_^V?5?Lt^?Qya`&-7nmlN&5SUgFN@$mH
z7ZPJ=muG#B*cxdcoG???g1Y8mhNH~tGzLxMx?okh6vHNIQlOn$u9gcaT{SfkMPpUG
z2ZYn}bJ>$CL!P!3nU{UolLCyl8YKN*or=RXw@G3hdgJ8`QD(fjy-XRMX4_Mn(-XfH
zDNTBj@V8O8ow!V&oO>Pbhc`^sS3PPb${PBnQ|NIP?N&>#;mj5Gix*@1DH<^LG#&V0
zLTX+4&bqvZ0hSN`ngq#x%cZVJ1=m#&jC+Mxyf1+xvs#&<B;pi>kn9cnIBDEnL%8}P
zSk{3g?xDS0r}dGJsT$j~A8a6DqQiayI_rdJ?Hz>g%>C+Y&AJ_eyAuvy3}xQ}wmucW
z*SHTMiDFNxhJkIAZLi$Th;JdGEg1U*3h4m$z&!xV{a{YCkc<%NA@-$ROCZeKe;k5R
zmI93A)q%gXwjIs=>1ylElY25R%xmPA?J+2lO)+0h`31^s`E^@9ao!-CX8N%ua5?;R
z^Wex8ZryrcJe{mTM%i+-HX?q%uU6yOcusih(w1=|8`E;Kh2P3N*y)w_a#fcwnZb=<
zg|eK%N!TdnsYSWY#i7gbh$O$}QumE&9=x~)-J>!cPj%9hyVSWh8@&DEw=IT-l`f^X
zXWDPBvfhxAHt@x_exEx#<jL0?aoKF@>{Sytb^;H1C;i=wl)$aPIRYxDqnUHe<8~v?
z`)i5TgO-oqq^hjDDMtk*I3cxb@Nfr0qwM~&0j@&pc*#YZ2Extu&^=Ev)=20k#-@{`
zS%F?o{y?NF?6`C2c<kkpmGkn^G&SDaamwLAF72H9l*{kjY6WlT8}_@MLmYNCFAGAu
z*Vw-&@DMo{L!h21nk8oAN9LsRbu}f{OZCn_Zs<+cC?z#i+v?{C@k~@tR;H3SYgI__
zL5qo;r~A_u<VvtAG~Y4qWZcj?JCcRg25afUd)`Q2>MPM5uiqXggLU>jRVnpg)a4pl
z8)dR`++4Ms##a(f<g)Z7FJJ0}UCl3q3C}TXmaJG$Rn4C3k|4v^Bd<$!{W~XfpIuK-
zY?Dq+!mCR$X`FushJ96~^%FnzW(tWhCdMBF)#^kHvobUQM4P(+k3xj`y-zYVtK&~K
zC$QT_K%d8oeF(}NM1;f@LMPfBgKMY3;F@&|N+;!YFzy|jce4DFE-Lo91E1V&`5j=6
zxrGC%ma(US8Ji9nc#Y~isQ^f+48p2p41mxGx6@#oV-TtB!=OayQwI__+HRT!q7%$a
zOHVLJkxm0ED)__ilNCACG-zj8{a`|jv<V7|5>kfJ;0DG<CLEJI9us_#GF`YPW^|YZ
zG=s`>=T5f{7-7QQof3w-sqd?+*_1vUq@9ihg{LmuxO_d1S_hw>Zr(~e3vEn}43@7P
ze!n(B^scnc>mK*07pZWcrj26Xnub%u`lBTLPmSg7q?Ay-b6L96^XqjBvwjWp#@mrK
z+)ZSbIlEPP+tnTCy4M^o-Ub+i55l45Mb@Tt$vB_tNKS~hR&tv{)6NGsbI2>#K3^Z!
z=w&)HOt&&oo>aK@lwZUP9W)C5fbFu06u%8%cI;vc9W>ZZD%z%TZOOPE*!5U_|8DrK
zzNcdf`t&L8`5SXOzv%FX6GZGYEjP)=I~9^Fy{{`u6**D13*Guwhvbrl=Cb>>=f~Z2
z6J71G`<dG<-5r*1Zoy~uoaO06lr^AMsYBELU6Xy6($k6VH4up_spGHG-V^h4Id9ZZ
z*oSJQzFv{iP)}3gjYvx)^8}nW?XM6wEY^K=*6+gH9>lLMH!w1tc*4%Md6Ks=_6sr+
zO&wLkXal6i_DClHo+a^i9ofrp+L@UYv__?t=m#!qu?fP*KofgTRs~)t+d$q|S-}OE
zT9JsMw!8+3v`HVN8|ZG0t=6>tz@?fD%Twt+px~J8wX0sKZUSt4F@YR~J|oQTc>tZ1
zx~bAwh9m~UKN{b<6aNJ05#4K<S_yzQFFFO7b2l|3fZm4vKNd}B*}aLaO|QsO`Bvxl
zgFlO_m~sl}>s@hnP+ZQtSdzF&kc<_WPRHnV2{pKJr)^4j4eoj!F?P;3=oYaEv2P|{
zYSwp!ovAid>dXxdX_WG8Kk5A(6mdT7JYl5+XTr1Bk~GY|F6|M*4nH%|y`K7}y+x%6
zYqlXuOL9JBliR9wZ?1&HFEq`)re)swSZI4|)IlB;?jAL$e|o#JJ)x5{g~WYSQ{tt?
zKz3n>OIbnt(ccVx-(Gh4sBI@4YSho~em-LYYoi#RsaMN6i9qRj+OU%FU?h%ff7fm7
z;9xk&mEU@3H5Chc(tr2D^u1|+O=FFXalA0xb2%}2<Bmq|a>@FERT@^f8WX-j(37{d
zDB?Z~n3%V?0}R-Xw-_@8-1u}CC~Sm_8_9=1mF4KvIIHrre~9O1(|pK4S~B51G|{>D
z!|;-J$Z~F%q5d}R?hK!j@S9_3#FYp3q&@BQ;+D(yWOu<ExV@GXY+QqIl~FBU5mpT|
zwuV2#>;83>kpa7Z4bT@%BeL-Zevmvs5Rrtw!4Y!p=jfVf55d2b2Wa(DJ9!x~dVx9{
zV9|+~Ta2WcjA!=jfIADtnICR1#I9AH8s8xH{-W5FcC{<MhIIwVIl`n?FAW^m*hniY
z(xAC$uo}B&ZEVEB-XCAgVWQMPh`j{RszN2~S<hfXIA}CiejK@83x4D?_~Q@p?zl#%
zTidHF2PWMO!2>INh@oQBni}RT?I=GwfyCzp4r&1$){UtMrKi*f4IiXhLvQlIYN7Al
z^>LzsrMP^s$fU)=5&8qR5nlB0_V>~d%1$a_RGx_a2qkW0wh0@p;xwgp@_Pd}!nA@{
zkG7)ywInGT>31~vKW%d2N|A^mp^ZwsCNS~7uji5F_!_%K^Krh(NeWbU-Vw`&QY!U<
z#NO@UYSp{>brvxUldn`Xj=v>V%zNwdqu}ZaS-rZO@9J?^D6s(2*KTQiw-bU}eZJkj
z-X!dK%*hV>&Q$sMJ;V~{=p)s9H*`B&$vd*0GU(|NuMVEu%Ox(uv*+<}tI=*aOl_@c
zEwpnBH}I`Z5>3F9)R*v|j|3eG;K31n@bg))1;mS!D3|k=`iV&3ODu$oKV8+Sm+0e`
zTLy%}T|%vlv1RGcP^XvAf%E06_ZBURMqN2i*qLR3z~Y0YCUfk?M>ekHOF=%%UN0t}
zF{T&;hbyiCw$ReO@l0v#G=&5fLBAZhe4l`urS!oP*IaFcYJqmkdpxP95aW2RBf<6(
zuN0OYUW^riH>=ghx|Q0O*EKFS)DEf|#4wV|vXBHd@GTvz8?uImpNG}>7jMdWbo)#=
zw<kzRbWp=cB=&;1q3JY!M6zOG>|%7ZuO+NhBs?DGVwVxL%VhTWw+Wcux+N+Jl{l#>
za9(@umY+YJ@VV!VP-T1tgnxzR*u;totF8i-kJJk*7WbzviGt`k2+Bt}R^7dSH1{B-
zcVYyi!D+JlJaL2>ov>)>->EcYtW;e>bL_7jHBtDySa@?z_SPNmuJx7JlJe0fI~(eW
z>@3w9y=hx?#qPiK3}Z2rK75>z#l5d!`#Qf?jd6NZdubtf+lfi5Yv~k5Zix(hngz3i
ziY;~|H*1ZIJjtc%E!1M^0%LAF!*pze-EMNk>a`v2O3UlX`D1w3@Aq1Kk}!=-oyL*V
zAU;zJu1T-UZhhVCo_NAa$+SZR4}H#XVA8O&_&%py<BH<MXfaQf*)#6@_XFGQx5J<D
zm1Ec<Pc)G6qI^*3sF2W}>R;o3zp|`1#+1m9I`6WlHQ^v-iRH1E7=@T`&(uA-gN4Ol
z2I0se!kcVGYkekmYHV)K^zDm%@>H4gAdW=@k9Z|^di8x$$C1_aCwy^{2eO)LvY1MD
zM;JmF46_2G*)$)&LJF1g1Yi@4vgwRCFDA>DO|MBn5VBgN*DS;v0%?u8r-b+7W?xuk
z^}7T<hy$(E0~M}U%~#jkk<9c_hr%00Z1rm?d%d@>(Oh(!D!0qv#oBQrOz#$Q!doPV
zKQ0Ad=6{!U5TtqT&#{7IWNqseU?-RGqPP8wR`clxlf)G0e78tRx!^wC#(AlWu<acF
zgCUN+aii?y%!_+NJeJy#xi6iaHL$BZcrsH8o0-psKH%!LIC~$66Gy)5>x(<dam!mG
z4SzRKmf*~LkJjBJFDChRrp%CT0*&o>u>f;X=n#h{GS0B}lrVcE<F{C*m(}vPZ8lKA
zsmo6jtZ_AoOUOQ}xRB9nE9)Om+<pXy!<KjKHa~^t9KXGCnM7KFOB$aXFML`T6(oP+
z02v^Yeelq<Z(#qQ2Q)8&Z%!Hgy%cYw-7XA=MzocZ@oh{?NJxl^w-kz{zCIPNnURqZ
zb1V*hFEEY`x{v3VfHqtYoCE1N@LzCnTTMjKsG7uQk3~R;25Bu~ve@P2<%7VPBgZXQ
zj`h*Vy?cE}q3a2cZ!+F|ER4fI{h*?xgkACigg|4HrDz<Bg81l*?m~+9`=KWJA9y|i
z`QdZ)6bW378z<UfLe+z_>zC1i(t+f9m+W~Ic=qn!SBA2KG9SC17ug0eX8xdAx6i%v
zVyKGhs&w~t7@EAGm##yrZa8rMXSdEGS;V=tgf}azu;m!P@Rvkc&km>T?4I2rUWd~#
zOX=z<>LhC_9&~(Ae;GR@dh?)#DL}M-v57ePs*oU7mW*@Ezrs!RwH^PxS4mkiLWDzY
zNQvoP(-@SDA0xK{a6(9ga)i;Gzr2jNJLc@%wL!mL-=?Gz=oB>wDeaqLoKvt!$O<=P
z&8(+|KOrQ4_2JFj^+?Wkc9<A*irc&V=jW^&F{s^&!QAy0G}`;^?h9Q^6cy}T4lQWw
z{EjD~X`pje6yw92C{p%1y#)EMOlluqb^Vc_l&kDTe72x?@)}~b)AvT;<-ZdxJz2!<
zG|OY_YYx-%h_EoaPtTHh+MhnmP-<&yTR#FaxHdq}w4I*1ZY)V%l5RwS7^Ga+v*7l+
zsWKyJhyJHUSvoCm30Oz=$Aq;JmX`(~@?Zcz-d=AZ&UkZ}pCs(<#TU4_*DXaC#U~i^
z@LsTg$gr4?^l+`vu;g8CAc%}x{Wutbs&6l!5h-!6j@xQDL-LtH1rJe4o!*BCN1-La
z*Fv_*26@Y>Eq8mh%rF)@nL2$(7U{8@lah;XXA}ywQYVWS;aBNw&Q07)4H2$(8*(+i
z%DZRj5>{YGwid)!pnOhxqz6gX@Ayt=5vOqNNcChy${a<Ud_UV1-5{d!(~SY)uV02!
z=NG=)EzT?I9lPG8?0Fm2QPwdY_~5=*vhG~zhOI9ut{<HM1i8F;<h*cI!tI*aMOx*M
z&M#mX*=OjjMWDor9iGMTmmY|A<3V??o#X3_F$qQ%Qs%NqT~AGsiyKRVSVn45bkRpg
zJB`Tv!JP(m3Nx~<f-Y?u&$?08Fx&E`J^JP=RmLv_Sq62gg|*{3h%X>NGI*Y0+-?%j
zjK80XS5#+h{>;j0-}C&6BXzeEBh!C0Bg&)rnaDrSa!U_6xc#tWy@Rg;N`cEuW1l6R
zfvjPgb$4-o<;t$e2%<h9QO1!b{m3>z4q`s=7;rg)f`V>ui-)p=M#djppR)7&a`cBd
zjt%Jh7{Sem^P+j!OoV$AuakDYUQN%`kCsgqhJWSDP^)WJuW|GaIWnK?G@bP}9km`o
zRVwLMs<g3WqL79J-c=ZRr1fB&Vlev|kAPxr)||HGtbS^m8meIMKq78M;$Fr8(wOF2
zT*--a+8L2AocFwYy(-O3XyX`iUez!pFldJM^nb1Ly%g6^OR2rAxNjEw*_Y8r{PfUL
zFDTyd!Tb|e1@x0*4d;2H1p<1+mhty3Ujjexw&Cc=@0FrpsUerqapvn?;e8_<LcQjx
z7{=ezZ+y8c^G}yOO|M4@YgcvI)vo(%-}(DP6vdI{p81o&>T2%)`^ktx(*00gFS68H
zu>G`GfqQb<ky2{UcN$&Tez{yF%12)NCiein%>UZ+=f98W)A3)<HJ%LqTyH90bi6Mi
z1@qZ;#{abC&k~zJi5m?ku-|GZip*zEF!MP6*9v}(2PJx*!1&|;-bnu{nB}PmW3gY-
zYV@xqo+C=!g}JZ&v#cX77rBY{y<OFARJ;7wKG6du9?iP%YX94Ph^AA4rlZ?@kcs=H
y#0?oxVw3xB%CAi)paV^Bk#p?%wM0*}i(8Z~LRCm)HART8kbEX7FHtO}@ArQl=F6o3

literal 27994
zcmeFZbx@S;|38X^l)^3|9ZRD~s^k*V2!erxbO}iJ(h|ZV4N6EoV4%`ScXx<@#L|m&
zcXO_NKA-RR5ud-#%$YfJ=KP!;2iV>Fy07<D?^nF<kcX-YSBYqdu&}VMDk;i7#=^pJ
zz{0w8mEbb?OFHq&B>2V4Qby*Xl8g-Op`+b%OKUSMEY4^XL&KX&w>aC3j0_Fiy18x;
zIl4VYBEudV);894*EPbL44Yx83A(ydRFJ90m)E>1Tj~fhc$fXV?r)#C_kSw(I-?NG
zOLWv=6D`~IyX1ENg@XVN4hw!%O7i36WMb2KtP#<6JUKS0y(=)C(y9+wO%j((L&-1E
z6PQk3D(GigA%(e;C3H7oYg{9ny<)12HG-`KDY=YHAu-Z<IowViazm;Fzl{e;TlccR
zQLcWh?(tCc%Sxro<su*X#H7-jW8YEITyeyQbn+qi%J?|>5^huRX$dR{2*-WUc=M86
zbe>Y3!t9gz8%|+t8NsLZB9f(l6|oj8D%9WR)mBreZ>#%`^?`)k9P(Zg-|vArxmYBm
z)1a-+@Jm-+-B<ub`CUt0zBegOK+}!Dgbw)S%RW|@gKXxB$U@1cNz6}Lq>%>6&#iHd
zwuSlm@+XeZ&%e>&;2g7F4ywI&eturPaDHAJ>bHl3UXdcfVs*2e3bP_31>=xnsjlU$
z^*}|`#LkAt$kfi*j0a(355@@#3yu&4KiZf%8^I7Z*0xTf2yy1WKOqW!#{8L=8TR)_
zoUO!}wH`c#$=ErX!S3?h;o)PJAcDbQa7WYUqK{?e|NC|Dn>e$Dv$MS@FRz=M8;{#<
z9y>>KUVae~5net4UI77a@Cj}wcUxy81h=gd%YQENKi82pb24$Xw0E|&vxQ-<Yh-Na
z;w;Y0jA`h9|NZAa%@CIVv}Eh_-)?~p@?zfM<>%q!{oiYYufj2Z6@6%lFtgT@wX`v_
zbpmZj2n+MW|Ni{H-ub7+-@d8+&o>1GMSlP0Z}0r~n{ZxC2Y&0&f1>sGUqQGeh~T{c
z8+r*MD>tvFSXfe6O0xIV5tmj{@ZXTj4F&Ovm`8`n5;AkX=KKuvPiQ9KJo7j15i#!)
zIX1%jW{ic$54#VMC1>&XzyFw3xhLOO5^r#?r)RC}R^<v$)qZl~T5fLcSDy+uwOS{;
zah^L?KeO+|hP)&|UVM=gV88l-%>`i@gvm+a%3geB=TrUhaqufS9X6Q*-uyGm56m#^
zi!Zh0wM$UQ#TTa{?raE`qNcLR^^0!|FA^#?t?rb*#QLKRa#l<Oi!Us*FJ2v6O#D(v
zS;`p&1nXiWe*Usj%(*Z<?(nA<dtjK!0fUzIPhw;Lai<TX2o#&Hf5`e+@cLpnR(5b%
zXIzhTq_F-71rZr&+uynPj>aEtr=-4=9aHrsCb)PZq|`lT7*sPVH?HO8#VF<XUyDMb
z7VR!w`gf#QXNZ0b{?PhkBwRf}K*UbDVOW0z1TW;JtnR&vXEa$ChqX>sO^Vqzvlb8c
z;&{sb1%pN*|L+b4>eh^)&8X@2T=%#2n&Tdy<5eM@a!0eVZG%eJoU07*;g$$`TDMxF
zZAm}5P>PY|yxO%~C)+T=QdDm^f7XKw@fx1MCHjaLm!hhfr@zXuaK2xAKJxWx){nb=
zB{n*hGq1U<d&T#!bQ*YV%6V?o<B#tp+0|Hb>y%vCxBO@b5#AqjN+IBV@+nLw?v}QI
z0)8rLb$-EcFyTV?XQ6%>Ba3d`@9w(()HWZ9lsu!_-^i;y8?A6#x5c@9g%6ir<AY*!
zzU_1aY6a^G>c{;TxEpWwmWO)ji}oixE0^C`6U&7@Uv^a*I+<;cT^-aka53XZw)bBx
zo%ESLOSX`-R^hrZ68QmSZ9kugFuCa0J<Zh}QI$M(MwzF1TlXZ3>}|F(1~bJ{>N!Vy
z?+$9VG`jbuis#6O(`cki<5~4(G?To(eV#_aFhDACP<PcC1o=jYaMR@HNAIoks`m<4
zJf_dij@R?gz4yn3Qjnb?d)w#NzY|=TAciOcQ{^V_qs2_4JWT`dVtThR2iv6JEt3e5
zmI%=$PL2hFZ^?o-@9x@7j6tp-eDcF-g+z_!1xtLmwF{e`_as~HE)SL7e|xk1$17sW
z3O4_A-Ezmpj{EUEHi5hR9Ck|sUu;MIx)+c?@$-4?vuvHxo;Y5EwI%T1#Qis%PzHtL
zu&X9l!ps_ju9i42KGvLDe$tXG)uLW%JMNsSpvgbSHF~+BM619!;(GGCyH*rG*++NN
ze9sD~Z$B62Nj7<o{dzm$u2o!jn&c!EC3@qQrG4}3>vM^P;eVN+wjbPKulj<|fcWeB
zO?71BZK`bs>iL=G&>W4NXBwHRDb7RG5$9*eb_lvFi<3?dK6>|rOJp$U)66A%A=Y^+
zS7ur|5I*OpZu>0KRVKnbP_d=93kw@232FP8To$V;+Wtu;ai-<G>vpeJFbVyS6yk<(
z(x0Cm&}M1myc0iO`L=g}j;t(<H}DyOcv1PIJGk<kLmuhg+Ze2Hv8r6otz1E}MA*ye
zRk{`{Ft|4nX1cD9mKW+*dz1$saHM$&cv+aY?hYBO!vk_3#~6T6eY46fZyEeFiH?+%
zfNveI*OvCHignu<*w^C)xow8>*5niOR(*dv?$j&32bR>RGH*3GLqL@0!F2HIUjZaU
zoyM9OHe(2M_}<BOuNXxai`Q~asjkb>b6cjc4A&l!`LZ*p&xFLuhK$KAefy&=262xv
zCz;O<5y@8BE=vRLQwbI-)t>t$A=fx68hy_W=O0QjO{5}b2q`6KZIYIKI=M@SnS$wN
zUYAo=)xG|?J#;H;FU{x3vX#?=F1cJknBG-O>!c2cG!TuLPjS;dKhyvC7{qF9Or<Hg
z)O7f;;@O3*RZ9O_+t1me&zS_5{9lH=4jy-#9FLGVve=)##}FDX`KsK7BNbsRdPzY~
zK#y6yuyDFD7zO5h{5^7*Y1Q|(rGw<r{e}0DpRU;#g+63bYAtg>$1GiDBI6n$kdcG8
z#Pu7VpPkC|wF~OA!!yokATvwhtO8&m1W&4XP}`|&lC(G>_D0Nu8*V%cE?{vjWn;Oq
z-|ar15`V9*k2IOLaz()N*IUg7+xPp_`w!LY9)<83u4&tq*Y}j>e7v~3T=ugLDXZ~5
z4l=nX4EsdzO>C=;Wwiul>qNTR7rdD7*hPfRauc5Fxh4W;O>eSL_@Rq7b?bCNBhJpi
z6EzXi&^$0<*N+Ev4Vcw8Os~?54s`Es>2rv-cqUxIUvga=8%b$>AT&PP@L;`aTlICy
zxW{sid||?nzGrvJ?N@1DTOnK~Dck!&b;nzsyfzJigc^DJ;+k;NHpu=G{;2!@xSRJ=
zA={-1&-H2}ZD%&oPZsXZ^t?YmD8=eRr(**yUoGS}Y58#NJ_5~`%e^05nw4A85xzSc
ztF|Xc9fu&P=Cm8mPd5pJ$iO{i%37~gj<L+A`PNi#w$Qq6Hd7ui<yMb;Gp}4V9eIUs
zC3oSx-Aa%unQOwtLiNg+*LL?JoW9Ev-53Bj@&k8o!zntGV(x59?}93|TmKr(`3m2q
z%0_!chE#l3`tFy;Dgo(R1(N3{{oIGltearJCMtc;W!f|5GNkujZsb`lh+4Ra2bKR%
zbKNFlS?0*mVk`3z9^=m7caNcJtaJs9q>^wIiH76`WuEdT0<k9f2)e~WU-|i0IR>>8
zt0t;+%s+yQA1fXhy}kK#%%_IRX~2qdjX=Y=m3*91FOulFw50bBnkuBOj4Tzl)!JCO
z#<%AW+)_?9!}!0Qd8b$$6BK}5yIe2up};xWW*C&{{({B8@ZL-~-~A?-F%`O^sYkEt
zwO)~4PU!EMfRsL2TO87)E>K-y9%;&eZjCGjtEk=m=}9ujoC?!d$cw}fD(R7`Lrv(x
zY5=K(urf55vM2b3;}z1yiG=sRR>7eo2!FI0<~C-Ng>1xG#G~_m!>#i(M0j0Xy2{k`
z%twXQKZK@Tsp=F=2cA3qcCi-CNt9Vg171Ypx8T;LmpCN$A*Km=NUi&W#;tEgHoNe5
zT9QjYGuc9mwVt;>%-BWem=8+KugWExLv7wG$Mf_(nCISO?wMpMujkRr9KDdG_|dUP
z*+A!8`#vaLLkBSNL3sNPwOQoD@+G{F4wj~4D)cv|nO<Li0*)Ax<rbZg-6`4XN1IFY
z8j1UGIaFp>Xqkmzi$%(U$DIJyU&Iu*2;8n|ywkS$LdvxAGbc&;Ncu793OKOs87EpV
z>*TiH$V?_HN$k46k}yMmt$VC}7g^0t7pu3~Qc$qk8gauTQZ~`y7KK>q<B#`kMxcj1
zS6!p$iZA9{BC0SmXfQr{yI0Z;r~X>Y@pKi_hYc)#a}wSwbMp*`qCQG`426lMfeDSr
zvI(C`8GR1w^KARKDwcDdn2?(^OnBbe(HRmiHk<A_p9@WTT^n~^_KBdPeVV1woiF+5
z-tN+1<4xAfo7$p{4LMxRp_Fb`1Z;r<+IN+Z(o`(duaJ_%0;J&^jjykBwFnkGK<Ub?
zU20+-iZ&Y%>&RmDLNbr=Kk;t&v_94i{XE>NyvY5|=0`l+w=OQ%_OJ&o7Y{22zc<&C
zqCN)%l6xgo1`Toi)X3GPrf9x)-^Y9)R@y)OGyfzPN7zGY*+*5RyiBbd8t$~>9z_N&
z%KG}LZ<&Tq#L%CE6Yj~nn=oj7ZPDenD{8KsJ_+7y+iO!UO<b3ERV)l3p%ea2D1^({
zu=_qzf@q%L2So<YPh&i*l{3?lcG;!w;G0J_b8VY92_-h?*tTp-WGQSWJ%vvB`&QDr
zrj-XvUg>@H{!(*s$0YZABkmCRfuFQ1l&8wJYK1m(EJH3dxeiIhC_wl8xwz-vm1_^8
zelTn*1j*nMZLgHX%i&?oH)|=X`bV)6n=+$au)E|M5tHwPMv)$aUhWxYopIcH$eY_&
zse3WmW|adX12LJ(cx_#?v9dW?a>=;rGu>Q%Sdh`t_lAWNarjr$FzeAG%LaGP#PGyf
zrnBqVrURy`hT$}KlPx~jgjp@UvMf5U55TXKWkb44)(rcUDR>>5_ObF4uQJ^i$CpLy
z=s6VFn3km6tn3<nRDPj%)@s-{LWM66<rzqdO$T0UfQbGWZM`jkb9CsqxyK@iU@Gxd
z^j#@vZFo^N;OR+Nezdz>>3l4q@<#p4iw`%omz<h}r?9~%rVKV~yb6|ZB=`LnNqo{j
zwvOY&8k5up-U-<;)VxWKQZCdmMktzG?Kyk3g3MkJaY*(Zaa(a{x8A;wr{5Cs7qfGJ
z=*U7r-~ND{xRvQT>y?4p6)}%6gZ1Hp_nqI{NpTP&y`syvYPoc`mT(JWpSM0Xici^d
z3A@ml**ku38gEczZO3e!ZN$tY<mcKb^%3>e?>pBO5)j)?@3kaOcly^}btB2bZpFsy
zdwfZ1{k44jQ8Hq6p<<HpYUqwxJI`hfz2{27;#U?`#r}0}{TLDf`>idDDwzpLZq;+9
zcl`b9+nosX{;}4U=%tBzilpLLZvw^x<~BZAnsqT2F0*X@ngy}>;a(BBN%Q&EnfL;m
z0~<!4rP9+FP4PO|&!iSBcEwyWas0WiK1t~xNwq=(R_FEjjCUr|C{YsoSB#S=J3TwI
zukI=2r5UKbO<7k^z5qemxUgUOi`ZJCeuxAgf1p4TG5jE0RBk~qj)qa+)_p2{=e-g?
z0$R2|H5Dz*YE8=GKujpA_$E3L275zFN)l8iygTq@Ty#2upxp)<o131%OBM*BA=IRD
z@4NP-+a_15puwz^b>;3Oy+TRb;rx2Vs2Ih%=4CE@>Jec|Uj3B`LdvTtVVd!0BBiG5
zl%s}cOx}<}rNTGKMe4)9Olw~#UpP`9GezatcUa&f?j&TAdxtnX`)Vu)-q>oezp{Rv
zP(*Qz->4zb*{PG@3ratT5Ba=Z<>REqT$6f)vN|QdQk%H|*dRpEv0+S?zmWyD7eRG`
zhp?Jzh+riVlRc{Ero&x}w~~C|U-GwGEpA*usi>qn!O$`r>WydxhDH6KDjG6mPEDR^
zy8CP6;gkZM7q+FpF{ZzzG>S&GJO@H(V0uP19gCQ&;?Ildif5hO*p5G`snXwih9|&f
z%!+4}EpTBt!0|H7fV-vJB&QZ5@))obgx6eU_bv4<gaOkYj1e*84E=Y@F&t4jnpapS
zt6p44IR8F`XITMiPyX<w<j=3c;sN>aOTh3h?}csyR41Y&#mvKD`IY<6yKFN9D7^fN
zR`-ST9W*1QN*0CeRC@Qv(19i$69GQw!O_^hfEEE45fuw)2FI9BqhuF35s05II}94%
z`Es!8!ny<u$^YwJ!AuA|Vv6CN#eN%rt;+?}M}3c1OIN`TT;h9vI;4-7#?vV<mdo9F
z`y`wMq_t-Nm?XbYUHyaJK}spYP|RzcytPF#BqB|st}7O;^lr(k-+ConC%yMaKwj6_
zQtD!Mc5;||S~}s;IoF+JE_t#MAincmMi4+38ynHq2n8(?z&!lS(V;9M3<k6W&)Cn7
z2!$z-LFJb_&95OiN@A0tlJIak5l0RYos>`i6VAE_d6*8f?O2%u1|tb?wgh}1E-+aI
zD81Be!o9TzB%pLAJI#~^TE9BpUWEofl)a;xz*oPAva6+AHqoJdciTK-9H6d}7lU7I
zZ0@&G!mx+*+)^GS3Vg&0*OCb*n^O3!!03JF*$0<@CJ-kdZXw&uTE#LC$7cXa1+pH!
z4|@9LakHq~n)UvqZ|!!|DZqv#SQEFGiY)tE1|xR|=-p?d1+9nqI0(Kt{ZQh-uow#w
zA4#ihmE&&lFIDf2S_zu8ToF5*jSYt=Tlar@um_N9SqT&|;Jf%Seq}Dn&h^;9=g_Qj
z?w!?G#d!rFHd3ZcX-P+a#T(eF!8Zfx5mSD9JN;^vFA#kmyGy@Xx)bCh8CFTvN>2b5
zSn((3u{Q&dECT~SrhTL(^2%n2hAyKS@4iqki+p=8;PME6D;;`|1u0UB*aK*ISdLPU
zeC=o{D=*t>C^rbvWGE#@V7UVNRXS1aS-I^OKuLp)s9di>4Q?8o9`Ba|U^`^@Nk<?R
zWn0-@-2cs7jaJzHuVpU1k2$o-977y0>}3K?z(Mas+7*^mu(eU;fNsh6(5SjyDL-AW
zqj_*?8X$5vIQ2RvDbw(i)Wy&)Rufg_l?t0wPLht3_NzwMul9GZoJ{w)8*ZfA*lFwa
z%U<!Ky>)w8>{)AGBmUVKM_6br%b9B#Z<SfgKEU8^=>7R_Dv`8EiK8~grLu$C(0u!4
zBFVXfTD!GAD2x1uEa_uDbCsgbNdAebbAWz@&sOFS05n0ZyQaEL3J!4|)drYY_MYcW
z{iXfwdHMGKIqh)T$T`K)ujI1>G^tw`2mtL~*7e`!1_AD43WqN5BoU`i^ezLBsCy!V
zbA%=kjW33BZI*}fgcv^6p6=;zkXJY_&fxy!E*&FdP!I!5ROMinW^ZoI(F>hwk7DtI
zsQ}yaf>s7A0L&A%o0z0Xgr~5E*h%}&F1^Lq#2p5BbTJU7e~)30ps@+T8GhB>WU}EE
zapNfgKf~V9-s-Znko!ydy0<)fqqb$!mocozHjfAYEXmlBT&?%fj)M-|KGnW~aN3rE
z985vWAp_s)w_KV%wiS!)%F4=4$L<^QSSz4+s-^-A46f)`8G;ty>m<%kw!ilaJ@2C8
zm`Y$lK1dSm77r7&9UI2*5}<Qw#a2T-?)XN(+)G~!cIX3!%-JYSH!F@?r@}SEfFK(~
zfnfN?eaJeV=tL-DuUGPX_{T@({?(au53oRU!>o<~m`1(T)VBmIMCvs!0)|^qyIiA{
zyN>wsHB;^GVA18Sy{o5nSUsMX2vE*>R-9aSLnAw3+@Y1e$H}YXM&>ZJdGa(a#}HBH
z(#c`H|1lKpam+|arq`cMRn}7CV>akklxh&%+sf!`y<WYaS{Zy;dGDdxyF2Yq+h6nU
zU$JIaOI=xVyn@pA+IEviop`s<4DAEpUm{@EQO1Zr<p`Ez(Eg><RM$~UTUz;5RH>Wq
zGRUcX>t0@3Yh^s!OO&}!9k+5Gu>jX?NGzWevL2oqoq`J-Px{xP&!PH0xopgj+5b7E
z@Lo&7ZaprX8d@%T-u><)9;uf$gOJyOy(TY0>dG=6bHiJ_hK{#=sv9pU*GL(Dj-LTY
zQdvl8;KjcR_!E--^P}aw#RyV{EB*fXt@gef59jyrN#k>G5p1duGq5(EX5$)jaYNK|
zZy}J*y8-w=@>MrriSm{8jYV9<45s6*FtP^GzPD59cg7P&S~vaNxU(<g^y~tPz}3u8
z_yIA4ZsTb^P9}<xRhF>x<UY)LyapCFaGl<v32G_sv7<-~N7{;Q@O^v~glBv+d>PFR
zNnIPBx+G%Lmmy~>4)L=sH9rIk@fcu9C-bh(cwW*@o|=Q1BCEV=!Lf*3zEljE_UsJ>
z!9bDWL;}|`I02r)kd3F`%zH^%6OnFJR^)<3E_kVrCdTk}(NYT)H2INxj0hxssFY&R
z13c!ow|EmUx7BMYk~Wu9GdB)ohwgA)He#v2|8+&2F}FZyEqJQ+N@*g}ZX-Z$^og4I
zucgZja5p=L)w1<dak7(*=_HbPKZNr>@?4CtDYkOXPm^nfQr@qOD3Y+sz|yYf@cFy>
z-pSHZ!-#j4wb*LUo@JcVpRL0;?jJYy`!mvw?Gk5T=~8=VZq>3`EB?kJKg1#+fAG{{
zCcR<fotfDQS#RDBSS?qxrrjG3uBY*-ggq3rs}G3RX};Z@H>*vp&n3-$_-c|imAA_8
zYzSeHI#{ThBB}u>*L<Q>Zunh9M@HO>l6DNC03W*zt0G^=X9xfgG{`8e#u#RM@}lh4
z)30xeZBReiT<Tf;gZ=m(%`wc}sQ3JlE`zUG3l4;y_xCQVjc%ozbq!@1)Yi~Df4|q0
z)k<ck9LxS7+o&<f$iU~LVl;CuT`zlTtW=jaOsZc`*+3|fjVT||u(3k#v5?*q8X62$
z4su($`+9FtoDb1o<-j-wI5(eu?)O6h$D}N{yP0V|j?1i{>&pc1TK!a6JUOK*toWqO
zZ%=P`+Ck!3)vRk^m!nfkBK|$(U~9h>{v<5l2>uT7R_Ua^c>b)ek=p84XS|#Kiw5;W
zoq2|736qdMUWPHi4+jSy9TrZ6hP4jsyq6CTduV>E?>quf+=q>Yy3hB0mE*!+Wd2V|
z0CFoF>>I&P0Hr*5RcvFbiC&_C8Is4tnj;%R)*|yo2$zuJ#A7`)OmyNk#RKgppR7V%
zGi;7s-z&FJ7B3ud&L0$-byncJGt3=AC|Y!L)o*#|_eluaO{}~dF^kvxu?t01ghjO?
zS{gZxZDyK6c+?%iM&dfy_M;s~n3<I21J8zT#Sp)J%HFUEspeX(Fut^ckrdK+ihir|
z2RETP`qBy5y&YVjx&%$xVO9*q78&tiW)8j@5wLCGB$Yg|XQ^a~yRyz%Yr&X(?DO83
zse}aeis(8~Xm#6s^2yzx>qA)eF-wOWP7l5rLr89EDHYpA?D}ffq%2H6Vy*$Jt+vtt
zqDr9UV{vcR$$&q;=Ui$EwWo|L(vaX8!Dy9W)%Jt-l=%}nalSc{Z8OXy_Hc4KPuxa!
z$UCX8wx07^t-)^yi}N$?V~q#!hubgJu%lsNJmUd0?YxS%{_*(hgsB2>t%>EC*av(<
zmOA11vPXsyR8H%BfjAS_&xzp^*bIVD?yw}bkb4klA~nO+rKpYf_S4)nl)MkBf}1R8
z^{He#XL7dd!sDTN;rl8NBg;LIt%x8+7E9t*d)s7U25vIBx`ZJyL+e<>X3z98l1FG4
zNS7LofGH9^bIn<HIlt$ypC{zzN%3p;N@Py&;gtL4WhXm(Vrh{SO48^KI@UQUJfoK_
zCpjxyd#g^2-zAj<6+ihqq_~&DPTkjY^Lk^BFUyog?~<dbaxXDQl*EYm;!?&fykj?>
zq8T}Qd-HgqVDsm-&0T3p0vl)ltJ48U6P_{N+LM_;uPWC>-w^z$53rLIT&C~SUK&g2
zdUP=Md8q=mlNhugG0q2fJoClbC)lTQvblD;zA-~O-L9)0#whamuJ7q%an;>_G#^+V
z;fIwFlRDPwDZhAA7#zO&y+=j_JL2IjhBb)CiGW%mvRC4`%fFm&uZ<;AI1fr1Ct_rt
z;u1%EiRA`?_Dv|;BRj10I07+&K7Li{qYQ=&gozZcgDtBzEU_J|$R%mP+n$-^O1gZw
z<b)D2{4L7NVPJ!w2w^OgCA+-z&7-Bn4>Db~k#QKT(L_i3J+LRb4TnWNcAHfeGRLYJ
zLc<JIqc^gu`owg5{he<<$sBvR+m`srM&lZd0_t@xIwxH+CLWftIpyBCEWP(&jhLY#
zz+Gbv-E8!=%Db|UZU2(L-*IHVS`5<uRDigh&5OcFB~B$_rcYKY=0gzvv1w1*L-oKg
z%Iv=rx{Uc4mC3%N5D@rgndZrx`(!g$1FjB1nL1Ce_d<+MQeX%ree&+E``%<N8>RAv
z*VdFqIdIr+K`eKgz2(R#;6AL-hAho==~sd0Vh7LwMq|aUM&ZpR2_QCZ1|?cjr?(>*
z%I%a$0;0)7&TW1}uWjp?v>x&D*QE~gr>w<d{(c|Rk^=J$Z7CKzdCO<X_8)fVoxwTf
zxM}7n^fFbSqiT}z<>qpy7pIKK))V(z?BS&EOuw6uP?L^?#Yai68*M8uc{FCd;t0ie
z9+i&zE?=Z)5YHy<XWt3L#Gm2K>)R$fs9WCJ>r>aUOzUQu;-ci?kc|K<I6D1puznz&
z^wn*qH+>?0=Be(Vwppi{<ly~k+0luS!B$m<iJ%d<Jqr)?5>k6KtTj{+a;ZomO&153
zS(?FQWrOtzt3E}`0HEdUB@CG-5_cDACXbqnf8pc7>&GkINDYYATcz&yPB6B56DY%D
zlUXJ-d`t~{%mwDvd;`gydQFlwpAX%E;z+W`weQg9Fh-KjFZBvR4Mw;2A?a_am_8xt
za!qy=pruaBl!+$L$GYq1$F=89Xm*{f_4w>e<clgBUB)#w+{ZxE(<QE2^WSr)#~vdH
zHlx>QKUtsB=U`1dE3ZAEZO(w7XmLj7e(Nr0et0+;h-iYioP3{Z6xU0y`3K{}7|A%v
z3I5uNO?*tpYV`0!d}~&$wlIuz<76gngf5Z1@=De=!%c=VFJY!k{{%xHRrOl}twHv!
z!{stYG7cIRq1*QbL$Fu3|4Qf>qm}N4s0Vt_ePBv<KZua{ezfOq_{#;q%l-ZUFPg<N
zSnW9))n=_!m^56j(pRxEZzRs}Ufo>*wYxkry=bruS)WjuJJ}qQn@6+J$Y@+SanD!z
zv~F=KyDU;Kq|dm4mIxI<=Cn>i)9W_F(9}B5eUn1Y+@cim`Y5@6%<Nvz3p=A0o39f-
zXgaP8am()bt&@2K*58nwS$_SzPSzV#(8~%4hV-YV!z}9jxAQdgBZPR5=Zq4fo{)v|
z1xHcJ{>j-8G5BF~&(w7%$8DlpEBQF*Lir_?v3bzp$X0**d-~QY2PPV+v0(~XvKN^c
zSS^HegPEuH<$&-%_wpZ`fuSd)O~W{Lm7i~y>7Ru4zuZSuG~hzy*>6JsWIVi-0pT*K
zPjgk}Vnb560vKMUO_uFn?1>$Qyg@0y_xsb&A|($v8tTN)f84Va?iM#7g1kH}@9_PD
zy#6C>v?+q-S+2eP7fVsY2ACK--tf!6CEx$K6Kc@BnP~>uzb;h@Se>oak9~E2Mh3<L
znh#S^XZ|xRhjAb(HPv@$E?OAC&6u)+=A%RI|Landn5dM-%i~=8Gm>GTc>#e(A^#*c
z|LN4M4v5O(-VY1Ie?{{D--F_pK^<DilUUoe^47sp(0GeIsUSc9`pq{rKF{81pMFis
zQ4VEx^*EN+$dNue)wZ!2Eoujt%dB#>B<cE%$E?{$>$T^jKxZ}2Om=(?&@j)f$q~)x
zT?t099BL)Ne!>2PTqc;LSbT4|k>-v?lx0e`tJnGIeu>wi<MQ`(8I8drwTpA!Pz<U#
zaxM6!r-RBnZY}-cj<*6_ngXYpDk0&vj4q#(!Z3~v+uBoC6kyyic+RyG!=B9brmd5l
zPX{xuqz5w;etD9~-an@L1fK`!-wJW_o)}imZPGj547Be9Y$AX>$}@W^cl^iHDq-<^
zBS*(jM&@^(t7vZ;cCE*H+rw%I@$EWS)x==Bt$-^!Txj%Q6Kw;a>t46e<ZzuI4kn>>
zoqk1G(MT#X3rXTL`r9SbekW7(&$*W0NT#UW1eMkn?s-HjlvAp|DujAs{-#LW%8uZr
zjq`L|NZUue&G<>5;~b`eXGIo9W*u)FrhR#<HvIK`4u6%nZ$D?T-T>TG31A`1<_Oj+
z0k+QuAj$P)vlRuhSi2!zr||0S9x+=<{c23UVq3kdA+}M6qlfY_&_FXeZ-8v52zXtB
z2mhuY`ZFU@slXTGvN}5Gb9QLHj4I7rPV)v{2y-n-SF_d8;vk{0ZIfGoU;37#RluAr
z?~CzmIQ59M7Q6kIlcQRjAKSd|Xbns~DRpcscV4_#h%8wfudGBH1)1NzO$$byxHgd9
z`$vtC*8ckBWC{z~8#p+^ms$Q;y={`XGi?Rg_^othTBKuh-LyHX%~xIT4gC<b93`Ta
zG;^8y!u8ImMz<=C81E{X^dV4+P_b$fmQM3ME`u)yJ{tjIffU!oh~w*ASE7l2m9FP%
z@g7h`sQmFC4FYY7BQTDen0*Bgz!Erz6a}xowWhxN$Gd=vu`T~aq4Vu|I4W&~(%%Yv
zTUGc-lz^v$uZbQlyxny>d@}`vM9}-lnd2`3t0a2`T-NQw9%1yA<C#$26~HFAt!~Pp
zkUao1jsUBaO_pX}2|lCO_tnWVhxgm^XMj3YJ#hiHhPB#rAB<<A5v`f?%uG|y<t_0&
zxmoY6b`IBew)nu~_gn$^q^|z<V7j_wxJ@^_as_jhc0RoNa4u;N%=L;xC#3r5OvOb9
z57^sD{a}0oo+Tm#DXf0&X~aZ2qjOhXTa}u_T6jEcBi`OZaekDC${?dbYCGypBWP`b
z@x9oNSA0~qmwu1rgsTaSJIAJYEPcskY`EpQyYx1<x8p4r3OIAtWMRhnCan=Xtk+2U
zOK42C(^K*3>|drJW<mswfyn?Mw*I@_$u&$eLBi2N98eU%dtn=onqB~cTu&S1GAlu}
zw)V@{xipG8c`Ccy`){g$HY9~_yd2EY5mH(3k6!~S>-~6(+1$#t!bTFYF8WAAxmndj
zfo354t#zCX0aAP!_cp`*E4B)B4uRgl!IFDYKA-BeDgj2u_MDI-*$}u)B6Wu1FK+r$
zXRs)4Xz+ZFO=I_-O4^UT1CA`4k^A4Om*b1XCKGHr1&0cM_)+p)M*(|9O7LPvC{JNt
z%~6MYAc5G)VrE)0*6R{L-TIb4i1`a)HB$JIxDlkDP%FeH->AaCDG<|blVs@wb>z7d
z?UfA}r{{8%V%c-;)^oOh-D)oi38xqPnL@m5I@$zzuipf{xtIgkP}}Rg)F$%ZBj`ka
zywW0*zt3q7Xlrkm(y*TEJIg!t*Bt<v<K)duW<*;I942CRbQ#-#M<a0qevOV-4ncU&
z{zx6#oUp%q$;oNtrb8ALNb;5_)!G#*SHyiQt|u?N@l6w@Y$B+Ac=KLIhcyiYheRO5
z1n?8_a4|cLXUHG0l^Ee{ua!_am2b?-UA;tBY~1|%RT5wa9k=Tn{0(1~BR0cIOt?n{
zr3(NFAirReeaH`dHsd#+ew}q?8B;ur%-?C*1bo2hdJLpSiGWRhm@|)Xqv89Ixpoy|
z)Bc-jJ50~QumHU|@5k{yRAEWaYqL3sVDI>JbEOeD>sF=VrPhl&7k7Vv>rOJMV(19n
zc@$k96{)j{t)@$^hWcF1mVX=L+IRk3r~Kws?De5I_Ajw2s$r662aT^tV?GDwD_ltr
z3MMwu*BL+r(*?Em3^6e&-IT|^E>SQyc`x|kmQ5_%?Vk%M&#uqP%+Ww!Y1Q~9>atWO
zAd3Pl=={&bq2N}on==A*WyLRjERr5}KP!Gw{#g2kiOr7>O0M7U;g=i7G=aX{L(Ggc
zUQ;;uD%A40#9Eu<C#2AnkS&Z%h9H7gsAq4&)6PKeHzoj+U-`k=qY9BG40P*Au4f<0
z-hS5Vtr&xkf7ReL-v0UYn}FH56$w6tOLt*UivN5#L}somIuN(M(JMDI)uZE;Y++gx
z!-OKIBiJ%4H<SzI1nh3TeW*C8TE*6Ig-K?Tm1$bsx{3n~+l$4ox6QAR(wQ7jo}bO{
zxkqXjF(0E!Y?fnQZEQJ8vn0Ch0l|q%Nj^irbiu)Ay!J28gN<pPZ0IF?Vz}ocmIC7R
z&xrm6O~n}UDysr{ve;Gz&#tARJUg(H<pZBUM|gMv?3svpMC+5GTs<+2S4;pQY=Rmn
zxw!7?_SiPkmhKl$@^HT{i}&8nEz4-W|16y-+~(}a#qTB8{Ifco;Fmg-vXqa7qM>tb
z$I}oYQ_CHrXuxv0=0T?rjM9tofzO!lY>-X&F~6Uw-k+d#{Wah43a_4sDfsLF<K;@1
z6ZMs)^T+RdCF}tNxc7rAueoyVM|i2ZCb;#3>jY9aJucyXB_);{5C_(@p6y@D3a!`m
zT4NQ?Kb+1}1wM^r5O0Y8%L(qHxFk)X($bhPU0;sawuy<t>t)X)nF_FHad^Ei8WSBO
z65K^OE7NdYKYas3$$ly#znF2hnE)ky|7Ch*Ov&LrigV4DkJP+db14ownV(;^_R}y3
z<Blz^5^EO|P3H!31+H&S2;e>fi&-G&{BS-^%r16cee<j=;@)1n*m_mJ+3T*II&#-2
z*$-ZaTZ<71aQDKbJdAQ6RP#|eKFDeO$J4NH)BOjnJtCn`?#e)!5?I-de4ag*r<c`T
zNk9*(sk`a4(Bw(J{R0!s(t)f-x5p*rG;YHdDy_sW2Uo4Sm1G_9p`$lK@xCkTBdCHu
zB=O=fz9g`=!^V5uv}tS;NE;%#@z7=Ad%gQij1om5_e(;#S-fG^v$h8XW!xqM1%Ko@
zVuF6yH)dQ{lrz5lal}LXx(H2EL<P3dMG6-eK1SUp1&;Jzmz-TL>hR#=BN!Z_=P0WB
z=XbVV0_?ybr5XRn9WY1ffqZ|2Eff7mg7<$K`TtnB9^M(m(ahDg1fuk}Q;<iMAU0>p
zf;EA1{O*pWvFBQO=38zZLE99>t0Y02LU6>6*jBDSmwQbfqRH0U0gU5z$3Tx=`4Fqx
zQ6Tul#sYYt_Q0vG0}RgAAVU$f{J|;)+$>LQ*jty*!4d~s`1%O&+!+IDt+T*&JA-LW
zt=9>-u`w=o6u=j$ne%Vs;-2SKZN0|m$3KB9ys9ok;vZ^K3fC12Yzp|DMe02!z?+JJ
zIvhneHFN3qzq2XF3G-{zc)4T13;JgW#pCl3j?{dhC16SbvQ-iVTn8R0jDWqtZt&~V
zP>t?_T_E?3@l-4@CkdF{k0?&OFN3kaV$i^v-x<h0U71ZVPy|>cpDq6Q_{8!i$^}}G
zZwt~DEA;<3s4tVyS%6*Apaj)TiZ21sz??hJv!XUa;kCRfa<#E}0^zkvVxBUXq~Q;$
z-`5Kf4C7k!J>QL|ciyPiD1PyjOa1f1u_qHC#mfeMLqXTBgtB83V!NtM`D2g|jmx;5
z9_`wI{Mi-w{85;~ffToikenJBYc#d!(Zc&xAXK`|_gA?)?Hkrs<I<%t|D0Nt8v`C|
zW2AGF+r3h*+%n_JZIz}lM)8d*=47)A%Nnfd8@(YqwLUU&*b#oPHHiDb15;t_O$jC#
zz)I5$_WM9Q@B~0CIr9Z5BFGJK-<}&`i`O*<ptXP{68<CA_spH;gp3xB$lv^~`uQ0+
z#`IDEgyI@gOL_EOzWlpVL@SQ`f}w_>@0pio<Pkz`t>)NPr_$91(FVYyd9}x`qc^?p
z$>!cq9lJ!g7wj~oyPHkZhsISP4|(ss)2GlQBZJ?cspj^p$f=9JRcn2sTCWzPQ||)Y
z1M*wZA-gmQ@0C0$_1d$e<p@F-?fnvu-4~v-(F(e>JKG?^9|eN+_*$yC=P1UK0UY8k
z-cTRm|JodE>izL@N#;Y_c2uU%!Mr$_(@R5?0uKkB5QFp+k@&8#y|v193AY?0kL_+D
z+VqG7$$6mIQ+bs!>Vs+$wCGgyFVQjk#;dkrHK)KzfRSeA_NK>YwCo<G*4+BWwjXB~
z>_cs`^USICqhl(-aU|<cN7=IbX@{)4eliM``KGzgQM={t9DkP~9RY6q*|LX|x2Gi*
zC#oyO)U*zk(WtP}+4bq-A${f2&}A7Ns(mu%voD#cM901$ZSOv>{wVg4_V+P8d@a?%
zoNFIFORDsV$DcHE0AwiEY7&PZx>Ll4E`0?akz%{a2_i}!Yg$3;{M$XkjhIS?%B>Er
zl+PX@Ba*2vv>p+ljA--91$OjNApS2i7@jt64}5u&qWOHh!bLTKi4Fou908WY)$_CU
z^A(Ke24lO(VfkDo)nJ8u$+ENkH7mCeRAp2I8{<ObEZ}fMv^xrncM2>^r!<%NQ8P{m
ze~*aMobYs8<EgfJ%C8P6Edl?^JF8rWY>%A<BQX7gQrzbfgAP`K1(LG}Vi=a_O^^dz
zEt7<L5ehqec72hTCX$6tJsiAHHl^kGrvW&<Ty&7!t`QS2Dzw~{0pMbASA~Xy`j@{@
zl<Uh8Vr%xPPv^!Q#G&LElR?%}Zz38RLoep)Y=gmFx!%GoJ`fQqCk~)-SaTdfhr1f9
zc77<^fE~bAlBqT|ldEku)JgvPmJIg%@JD6Jq1L}W6VV;+0z82lz^*%9d{evd11+T!
z1Al{CxgDR6Gb}8j{Jm~kG>d}hr4ajO__Z<&UL8k;-KJi@V~qM{AC6}b7A}$lh7@}Z
zXsY&f<!%gMDQukCzujT`jnj*gB;@1ZxlRmMwXDzEB_vHJafvOMO25lZkfs8xZHdRY
z89dyGhYwHy8jHaR#GQYEt0)YQfk~4@0bi(GHC&5DF(R|<&!Gx*(G&>vvAvwqi6x-W
zuS}mw1(p})!wP4PiL34#Sx$*46XV99NCK6g!F(DvA5nF&DT}S-H;$djqSGI5d{1=+
zl~iR%UU>Sk8(#iR{I=G9oLBe1IZn9Ge{|5FFvPtr*(1eSX46qn7aL0f&puwV1OV{G
zGgw&T>M;Ka!1ZefQi_#m3o*z8qf@DuWv9Ryoz7+A3uA9Q<;%FGh`1Jac)g{*23Ua(
zGw$?67Q)(9-btDdo9KGBbWl~}r82jstV(fa;!T%K-z5mFK~WM|YKnK<hVbU5Eu5lJ
zbP`@=C<UE~siv~2mj$US?w1<|2GhhnOT^+l*8o(%Pu%omSYv9?X*t;d1|JtSI6K0d
z8F=f?e&+GGO?(&t=u*k7JgKovJjvG|vKqu`k%F2n)lKe)4j>lYDsH|X#I!E1w;-tw
zrx{0?*BDO-k2UE!q+M{rYx}|c4PpkLluQo9f$R9?8P1i|?~-te2`*V|@;NtmE3l3h
z1{(u{Io^W`CZE#n9fX>mR+-DIvxL$>w+0>9_b^iV1k@#bx+tCic72(cj|Y5J*)3?4
zO3{aIt@j3Y2+#Z}qcQHyBd{zv=x~(aHHUMw^Lk8P<Rq*^iY--?SvIH=qg_lrjDugb
zPy=)Ip#!9lI%(%JFGQYzW9a%eQx4+%1YQ830BV&*%o3oTY+ydOP2z?7OoTR9iBq91
zP2q@%;Z}j`Xssh#aL6O5CX~YX(dkVw;%a1v_G^KEkx{&+jP>LdMBUsc9AfqeFZV&{
zZ^9M0-_a4|rI5z5I={8={yZ(thO!j+nX6YBCALeA5uN4)KE~aAdNYw-{r8L&<f^m8
z(D~k^d})b56qLEO@upFLpJvNbChI=h<-jpK$KmVE63!IdN0VPRAJQf9v6j@>#j{NZ
zvfY1UpPt<3SlfdzMxig!ZKop(Rux*&D5WCSH+Oy-H%qOYEeJ9pCH#o6kp-I`NYk#{
z`}58GJ6GdBw;7^zH0Bo~?;&D#E~9Cf-#|C@lbglNCw-i2D4Y%;N`ZmQ`54bsmz?sT
zuv!mO$Dn~&?@Pg0aWw>{HqJJceLAhHHt;lxNhTZQQPe?{s{ttms5f%Q5fRt?l&GE$
zWJsDG)LyNfyuF9&vr^Ws+TL?1{vGlFj_&M<s5_`g(??uW{5f4s))kAMrbFvFBjWk=
z#a^~GCiuP@V%xhnuo`wa!}RV@9*M<EruaHKu@7ILYyv&kx(Rk*VN$Z~OvFR>kjtd)
z5;7dx^qX~v$j8rZ?D8BXc_UfrS>g4Hm5f#svD7+iiE7EhebuV|r-+=XnY?=|{Mt6h
zdk`CpUoz|U=cc6BNT6MR6NNX{z&`Z5&m;u5-Tfue{z5`O=yC}KA5Tw+d&Jo;4uY2-
z?)Qa8I>g;IGsX4YF`_`k=LE6;KEN*WIIafjG4_P2b>>T$$EnvTLb>eF#AM%z*YVuL
zgsvcHp2}fWd>}0Pxb&}D7QQ`rG50^aofwT@SZ*q=xgr%UHdFK?jzslc0_=t*j3X@m
z5+uD2r=s^=>lrBT84%ZvvGyllWgUj;Ft$I4DKI37_LO43LDb4(?G;ypXuWpU(s-*O
z249aMn{fBaoJjeS=^@%LX%Av&`jSr6`Ev?jtvBCw#tP^cs+KX$x8r#6QFd21Fo`Av
zU8SwaPTANo`pZXhjIb2=&Rcb7$YuH9Q`l+h;d=z#z{8)&pd{F6#oG20xu7&ibN9t8
zF3dRDl(D|5RXxdm_q3S3o+v#qaLZAg+G-%{tu=bg;DqYl-lLdM`*lN8tMI#IKc~cJ
zYnYVTm=Z*GS+JPiCX=>XQ_1k13zT@4K4^JF<*29V=zs9$ci=f|hke6yhCt`os>fh0
z8?b(m{S}D)K)Nk+BXON>>3phZPq*(jlR=lI%pF7IJ^dSX0fMBb@C627vr#=LnDiXd
z+7Alu@@!8~kk?`#p>Z#huYwV@A5r#Nq}@W^+al+f7-sLTBGogou4;H0rPgqrzmQu%
z@Kztfi(XQqcC~TUtK6WFF?47xPMo@yuu_I9wj?!Qrb+^-T2eio&T?HcQ4q>Ik+pdI
ztDaF6IA1fxa3k4=m~QrX>)iy#4#qyVnM8gEZoWV=|B&zMzS#!yk=x6C+vYwqpfpui
zUTLo}?a=rPvBW;p?tn-^q~Pt-_+Lg(Y|XC_`SVWlp!!^DCwawOmS)#*B3c_2C?2of
zmaL8OY-dy(<_khdD@N1Du4Ma=e9oJXA23T1B%_`ocUb%8yTuZi7QYbrs|FUprY*t0
zhTj7F9YwcI;u1w0v%O`CxtS8IGNBfyO-9JD1+_=AN%pcQN+gg5azs4jd)(4``)HO)
zP*jLhzZzi{xXwiOo|#p@+JZWdMatClCnIS+fnV320;(g+CBe+KN7qOCX7$TZA^9rj
z!0}(|2`T$WW`pKc4ozI|b3Pk}YI2MS{8+!8$IH=zr@5BWRd)Lm(0wLe9jpO%))q<E
zxXcgnA(%+!YltwJKk4JiyC*fgy(WJ42^uWoFd@SKy!dxDH0mw}S0DxSJGwbC!|@kd
z!fDM%tTjlRwHc^ZWZ7Q)3c<p<F^hQ?fW=1-FXrjT1;)*?<8y~+**zkO!EOv|PFt5G
zYfIz^UZ_&*ew$I141}VY8Us2{#2Oe5{aD4Ejs<Altg%xOyN?gk*(Nq`{vN;K8r;Ww
zO*WI$Uxc8;1%!Nd;epJEzX*@bc#_mU#U`2e=qkxt0W9hGjrRAI&KyMyq(#R|U*G+{
z9sbSljWI_#x^|4wAV>cw?+5QHssL$~pJnhrLhC>O`+3P=Bwt;ktN+qz$v|zqa+l)W
z-;o&RXV@eJsGdUc(l~#Rz!1MCaBF0@A7A~K8Y=|e*y{fHUFu&K;|FSNQ<%EUzZjLP
z7?s%R#vRC?7yCb5`G0OyN<xvecVD~#nRq7vH2WV^;e$s?cfa08sZ4?L>H>^%_vt|r
zMQIK&t@d5MN<;28xpxa=N*@yjptVxG@~Oe^Fp4=}4^#h+QSpFiVvF&^1>MU9HJ>06
zLhsd{Y<1e60~l%rWF@^%q~`_UAD&6>A#CPJ{1|;t`t-I9d{6J%;$z@P^+p4+!~QP~
zCV$3hs_WJ=L025my44;owk}z&zf&BtuwG1yhkZ4mD0Yz{^#-Ge;|GwIbv#u9PUuc>
z#*b}8&;bL#tyrJt*WGKynWthrexO>a9ndp^Kx^xc@Qe|?ePNCvA;av@U@e&<xmCc>
zMA}yDV#*PC%BHXz8-Z3ODmIs3vH~ce(n~m(sr0Kc1?v+Y%iJhHC&cX@@2}foYUKZh
z=fL1UiYfL@U^heHX=ZCpM=%Q6CNG<8Ow~_oX=NJh$+bpVCmG4;Xy#V$JsX+;Oht~}
zWR0yZ<{1STWyfd`;JslWmdrPC%^w1^OKmm*9`Rs>kyp2M_twTyfKyp;8v#D-RUj3)
z&UYM+gKFQNSVE^BG@zmhmcgCn<gS3AJDJ(1_W<keT*-WQ()?0C38QQwqxqX=jB*)F
z=ZHLA_dR!Ny~-#trbio5j*bwcE6wj`)mVtH+35Ol8LeC6RW639jdwGd4StzqThTr!
z0vzSzF1rux#>)B_ymubCMQ-3=`G?!|VE6${Nyjh%jjLbNfK;~EbWQC*W;|x27Zj(K
z)i5HaE+t9&`c$0$QPS$K_?Lw%zTPJl>a1tQUpFB>fQ2f5p0FMC(qg=#m^f|6hF8C8
z7-Qd`Pj3`!6=m!ik{f_#02$8n+4J4SZvX)8fv|}=)NKN#z;VXE{28cHDFA&O0p(YV
zqY4D>IwjVLTr#q<n8?@A*Cqp$V?`Q`h2QiY%ywHqng})Zf;pdT{|gR<5vWLC#XQr1
zL)ge=t$ZGc8-puF{i;sJvw%S=1z;Y-->m>kXhFJ6@F-yAY(a!-ukm%s1ql63)B&Vm
z1xUaGFaW5xOcsDEoXNd(3i5iC`)5cyaPK>KeMV~TfJbW-s7am<0ES_ur_mr1<WkQL
zw|<Qyax0c@4%q_2X9bA-&dcpS(20d(o1xqkG2a$Kp(e58MIf@T7Xgj5vLJ#%eDnZV
z`$#pa5Dqfx%!T}G#JK!J#7v=eSpYDVb$fhy{PD+C(sW{++^gPXOP;_(@G0y4#oe0I
z0=K07TJV8kZqh#1v_qq+@O0n@VK2aO>;e8Vi1a7C&K&c22`2`zDmi!?x>|Yw(c1^`
zN!;MH!@iAG5-1_PGb&Zb<hoJx095OQT!AYih7!11sGwhvytr)A<QS!PwXl=t8z%E|
zPlVi|Vvt#h)3N2R@=2b@&>Br@tr7I&61Zpp)5b+-T0B333R|WqYFg}EAhE0JGV^T`
zJq}U~qhXE}=xO)d1g3Ojv?xD=WXS@5V$QKoFML}i-V|4D8I&u`w=A@F6(EOsYYrMV
z-U!HtF=9jN_3Iqg=z7P5aw~;o?LsNI$JkQ^;Tew_#S|)$Ps7R`i@1J2s3Cs-Duzk2
z$!X{y1WQO0sH?C7RYgUhXo!vJ8ZN0m2j=M@j-8;?slu#^7p?-|FhMd|W0dnw43gx2
zPkN9GtJhR5a&Lkv2-|6tJO0WBrQNx$fF#xiOi7ADI7DL38mgfv5|kOWA$?`@ax18C
z82hT3w+2^zb4>s_-OQ{K`@JrJM6|6ql&XPKW&<__DMB*A)vs}=I%7xhGwtvN^6HC8
zq=>pWn)O+yBlt-{$%$r9{A4gk{=;->4REg<XAMMz8Yi2`T1+K}_sJnTeEae@ptY7i
z@D(R))Ge}z=0d;2)PCf!442u(+~p;r7TdqFA3WE?rmVL6`@y}%<!2rI#8DbfcU-Os
zmV_f|d*FAr?Z3k6Hs%;-PF<_mrd<kxVD%8{&09+@Bl$)$K{rP%Z<j>Juqg-0NhC+s
z5KuOm1ldbDGf8yBanpLl5Y)3~1EZ=w93JD9;CWd_nmXyO)pJaZ2TF~8u8nB`qi7Cs
zFbGM@Lk+xAJ(h0FyJV;}G0yeUK3e1!RW*<oHXeYB;bxRt&|(NgrZ6o)s)u{xY%4c?
z?WLo(xjnIKkN<p|OLT9+rQ^Ai=tYCu7M`EYR+GbJOp%osR2sE0hp@Y^pQ;C(+q(OR
zuT_T+WolENbYfKbyUlR1m>fgo^(G4Aj$rke1lAX<6!k1_K!vQRkZ_KQlB}}q@@<p}
zX>0rzG#>#`gxewSNwc*^GOkC+)g9(H07qzxOFwwTPU%i6mo&V(j{!WSq4F@}igIml
z8e>L;^I7{lNuNmZy?k2RvU=|XN#y*G_0F$3dafhQt1YpI{c4isE-`Ig$s)JcjPm1t
zM>@#59x1~lxC54S5z|Bhaf|LvGPBuYCi{(ssYT}UW>6bN+e6v8SO9!Cy=;W{boqp$
zd@v7yAWQg8>D0I(%3PK)0?kxOH0~0Tv5pRF4pots*}TQ<Wf8gZ7WsI|<nD_Bdu3UA
zrUa@H#!cgBNOLdOPDaFr2AMx!rZq5$tQ{Sc2ds2<Rk$qA$u5GkbA7JSjP0+P;(JKW
zhSXVB1o37K6QA-M&S)bZ{VMckA(?!~Ca6TQpN>ksS0up<bq&mZ+#CE*e%az;&8aIZ
zHY&ReVuPu2?#x)2cW{@||K7}V>QlQj9p#f~eL9Rj74*Lh4J>1gCYTA)q%$?Eu`}Rs
zMa8%BKuHl(5Z$iHhWGMi%-Xkm#n$2T;xb(jfhD}lHjJP&LjDJ76JvU8)z@^-{WaS)
zI_#kAZ~}M)+k56!jA)xq+1VQ^b0_8z*|yVYf>^LtLqeKj3>n-p(3E*fi^DlKs;4V#
zmIDFh59E}NarbT?1qAz&zzfH#3!$?-T{bMUv3z3)iq7Pf6r{btlZGAeHqrd{AzCS;
z@sK5^{AWU~uUE=~KuP3+#2?SAxCeX4Nq{r9CBNp+H%i{x_GS8&GFz5$q282>sVdEv
zqr{=+EMhMz^P;N_ki_`7!Q@-|U+SpPgjeQ%LiLphewEPViM%AtgDC!_k~Bf~@G9?V
z8AMtqBRjIG4l4S7fn992Y>SAvC(Qx&kT9j`m?A~9T^MS&NhOaOsJNiQk~?Fg=u{Ka
zE^SDq(PH!LB`<QMzI@N1e>d$V+n#W3%2UB!^;eO0w<iQ{dd#dwYPJlQ%GLEfe{Maq
zOUW&BvUMh<zcpTHrpz%0u@BU4NmXWU>2odS`G>#&StMR!9m#4)XE$-<@lT3dT87}z
zE6k8{v*1onqWWe{n>USwvLu(rx^+gsjV*uK)%eDulPtyc_d?^9Ish|Vr$V!yT-d)s
zRr4l+wUcoyJ!wdf;=h0fF8~@Ro;G)WbCdrEAGJvVXoN#{{a<#}GmH%En-?zsZ#ybb
zj?JVpurK73;A(BP7yz_h-1nzpN*0C#n!lo`{>M|%VAzN8KvF)d7Nq%?9&QQ)&0h*3
z`h83O8<?GwalT7Q2lj;?jHwJ`{wgXeTDkLoHFxHZP_=&_FDawKOzv#O*s^4e5?Mo}
zA}Q-wvSc5!&5$i6jk2YXFj^_=Ap2NClx?(F#=edi``DK}*SWvn`+iE#AMpHs&YW{y
z=Q^MB`FyVT`!z3YcOH5DzJUH)eLgXZGUzk*5ul?UiH#eJz^z5!Nz?ZxD|lrAOD*JA
z7c)0$C7PGYIA8mH+MZV<x`=*|6t9L&(%cb(7#-$I$j2oqVsqj|uhxSui~itk=jz{z
z129B_GE5v*)C}xBH-O2gd49$K^9rFJ&Y<_lO!C81cRgdAesUx}A1APG!1tuoL-hN<
z*5UtPU8<whceOkjZZ3R%S@{Mc!MiC#<hK<CT|H(5%)IB(cU*s#%K~5;{axGhe_QF`
zVUNm#M{-m<W8ZIu22}a3K*9hXRH69J%P8o9rPA;y<Ln;~UKw(#HyBC$;Z%<T<#m(C
zYiIr6XBIfsqpL9p4@lk!P;Vv!m4UUgrulZ^02!uKI}XxL7OLa#te?N1y>iIQiPK&f
zfH6CVX*V<`-`RU03uMDZPT$f9cOjP85=1q7z%IoTp8(Xc=A93A4jZR-i>`Dsd;?^#
zXz23;?Hl>^zO)b+ZhRtY3)1O)5ZA*}fphCz=KsY6Q0FyP_5h`qjLQ5$1V{@E{V9nK
zuA`qG0m2(Xai(M>OFNp!sN`mjbCYlFl|NQBpdb3B#l!Nz>PrL2npOyx1}#wNV+D#F
z6W(g4n4QZhhMj)lQr!vd86vH<0HR~8FHYD3tQ-Lt@Dxbqmbdj&cb=jThm9uUs9)ba
zwDA0V%;=?NcnmAQ8`$J70;v#T2TbnomvS5NNfv<xEGI?8%7A`znqJDJ9PmOPk?8n6
zMnYkt+KA3iX!w~N+8I<miO_DVJqeG7Ku<uHXaa~0*&rJ$Q`>n{ymTJ0QD;n}V=zos
zM*kKN-zClSl!C3lPN=Rj?k)9lC<n!J;9-fKOHz&A2KLv51LA4oO)V4O(orMzkp)?g
zCtCr~%>-mGS)OB!?|3rScU~|?ig7dyGpt#hBrGYG0Zp-U@$zq}#NTh2>#-OIuVL@K
zJL88My#b&(CY+Jw{<WR<_iXuTfj5EFmT9~5O*o$d;@M=gcj(S_H_8cKHzkeSsGVcu
z^?`6M{VPCjO!@Br6|r*=gvW3-*%v9EwZOCubV)@(+BsTpvNK5BhE2ig+b%h#_Y#2k
z2xy+5Or;3y*7}Wljy!m)`}=){&|Tcca@35mB^1-hB=&^OB!emUmw4)W6z`19_ybh2
z_s%Z9Cm_wZ33gRJ#hq}tSU1*q{`=dVBgLtyL*_;y*DHtroKeq6Fh4mj3~P4|Glm95
zF#J2SKO&ep6v12^+X*`_G^!MWKIHM5v<ZL^5RgDYHUE;CIY2~$q__#-8e?D7Hz&%X
z>u?CpMz4%P&?WI6Pr5oi9WmW(`o7x|sVv*6w-p_1)Kxy>P`;dyW#WFBCDp#k*!@%C
zPsgW0X|1OAO-66}Nez!F-Q%h)B=3NC3&XwXq`n2722Hd>_dCq5-^@`Lx^o4xXZro;
zK=kSXi@8s1-}zUd`q5RKeEZ6C+5$%WItcbwJ!j45Y(ZjJ0`-p|CB*}wOHZ%M+BXyS
zuqd^GxN}2wYw<A<+4OczTa|jgQJ$}3#ekZs%hG>(EJ^2<f?KbA55f9wJ5UAAoLE!^
zf;9-aFg!!bAW*YYdq}bgVTO(I;?524v(cwhzSbO%li-PGUyKtiNFW<Z1v#W+-X;uP
zgQIjw$Y(hL#THE^W#h=a^1~9btC1@MKP&6pf|j%u^DHcq7B_6DD;;({nP-o=biQ{k
z!+6<@^h`XQ&L0;hr_zkVTDXg_Oyyhe<BL%3GS;R>Vl2#f=dlZi3-ly1KW4`t&h=&J
z{aH`K^y&DUj653?ztS@wW&CSMRQo9mM8hk<9RLY(AlXnpXg(;MIPE)k-5;V#facDp
z`2wu~Wzd8%0{s#y&^{OfRV<(fB9l%!#WHc1jlDqfVS%fjW0s&%ZSC87+$hV@vTkg(
z+LQ1>H|cAZal<-h=u3G|ePq&fgIb%il3hm1a-00dT)c*O+h;}M+G#cwZ+jP)PGUy3
zS-}?}J(TNd;=<i*Sckj3U-T0WZ$|p|@9EKb`)@pW<83Yzhq&3Wd<5-)Mcd_ClG~2Q
ziMmxan>v%2Q{5VRPc&*RQ(X<k1cRhL5m0B$hH6T^JiH2~?Ks{={jz%1X5awPh624N
zpvvxqHi)#^LHS7SD=*&KS{ZoZ;0C^Lkhr896f-UWaasskHQfM=!>L4Y3m@DBHODk)
z_T+)&f`g|pid)eP#L^M`*xXR9MLFcf^Y`G1`|+5RnOo@$exaOJABj}$uiXCWU%op0
zaQcfj(g!Wu0s42<j6}Qsr+V@fs0WdU`v}$Ez&8SqdU&%nWDi64<{GWf4}y^9=$Y{4
z%lI$5LVZ-$WEl7|pvq_w*K~@_PRy0~vFO!ujk)%%>tb#U7CtL*jB967Qrx4u@hvQn
zR;-&;-U}D0P&`FYrW$&qH`hBo{XOcC%kx+-^vbib>DS9XSq&eS@_Sb{)2n()-W@<!
zzhNl3WgBdIz4PE^e}BokS|+=1wcNg%d|HdZbUcs$nahYflR0M}Tm0Z1S*v=!{f*__
zEIkEf>#)~4gqC$hdd9f&sdWVl+R@nC#aSTeDZ6iIT319h%IEwbda{eZvf(q+b*gdU
zg*WQVEmR|dPO!KKU#w+a#Tn-?+Y|mn$6bul?^qyl<y%QphtM_ItY&2D(7fDeJ+o1^
zjSlL_9C5osbopmzF!@0>wNnND0Gr&=I5}m|Ejh8B9VcbcyuRdoxQMpeHjs=9SZc&r
zCt8)Bm|N!VwJ|Q=`W|2T$#27~BhzkNX{|7jJ)+cw%7y8_%8IV)%j`<D;0jxsE3<6R
zPAm_@Rw$Dj8So{UmmO!8g@->X^lr3D$(<}=k)yXs-5Bh^`<KbpFc;-$_E6RX5TWRq
zo|60uc(3rogxrG1EWIs}1OD=_I*Wsr^4%__pbW9ud<2H5&DyX_t4;RJR!;YebDR>6
zeyek4n6mpd8uuhrvz?2xNe$JLk(vgby#gq&dW9w5V0Qrt#GIOy$ebYhJ?IK|0ek=7
z9iSKSkX{hl^Ujg9VIgr3&p-@7yexempssRa1%3N~Uj(tg#PJQllbQl#fH~q$3=8HH
z-+g%x6Clqk#z)*1Fkb+~n?lfR>;Wc{DfQF$4{{E7)2tv4kAy|pcg9x!a}VU*k=98Z
zw!J`7)OY3}=+xWc&a109(ZE9Y9Kz?QAF?_^hq!l``6+Xvbc5gPGgGCRtXu_@-2BXa
z0prUw>4BASMma^ee>A=#*XQ7*`Fssl&acB@<#{SuMSVtPZ3c-d#k_KH7>%a6cHA+P
zQ-Nc;a)TuboPwo_(+Zo){fzo%xX_t*%1-+Xd{ZV`tr+mG);D|mB;=U6YY6{D&jy}q
zkd*htQuB>{I=4BaBZ_^F$T3*HXDbqi>*2m$i=@$(?b`-U?Wx3W$pS!VO`q*l@%7}q
zA{F^48o9)&X}+^!@vid57jI!TH|9`LuZA3!MnVUZm?DDcRvS!Hv|8UJJtrEt78D7=
z4MHpNhj7nL1P(4QWp*p>Zm6tc&n*fz&be&NbhbR8C4S9|7N1pkuc@PS%RE<;D9=Fo
zYq(HZc#bY=^(V6YB>efjc(+{V_}%bea+0k*`JDDCM$I6LBXeY=oX0vpR^(0s6(z*6
zoe~n0jet#TAD}0&%m>b9k})G<s@;s!lU*7P)3%QtqzX}11D*p7RMc+*!cuKs6utzw
zO}ZINfW@k1bx^1FVF!Rcj5}$-_-p_>XYuCGE+CrxL3zs^v^um55J)ArAf^gmDEtxx
zDFU7jxs=YPRJocgux^6B9XquKwi;@tL4VB*Y#G*|jo?pkGBu)zSPtt%Q&WJ6a4qh`
z9B7CTo`KrPLoZ=qGa}Ch1B7>_OOh64B_1QY>zeBG0;KDkHx-n8nyW_cR%=`nl2N*D
zwN=)(9xT(xMbGo-nc)R;&^;^w+j)C<rO4wKYTed)eOGe~DnpYJd?xaAQyL=H3{%XE
zuw$7W=w@#u`nqcCYG?Q9Oy|_S{BEgg%@K*j>J|;#phRkwr>HOnE`l8B|J<UxQKh$(
zO|rEjv(^S(JY6*%saE|xv*?XQ9h=;6lpgqOSyTH;L%4%GIW}%}vkeVm?B@&l;b(l)
z;7A90OVz2oYQ=hDK}Z66o(Ip>ob3|yp-nAj(`f~tXPlPZvVo0cTKA0S>u*(knU{J0
z{?t2`bn@mKm+7~GE@URDZMd%xyF!@Y@im9fT#9A7*$2`5%>=XE?CvmW;*0*lFzHJl
zEq?}tW#T!df|*$sozUq%S>uyN+4^54Stw&$hXo^a>cy6;4y?!$iCs^tX=jEv{95ng
zux<&1D!0}aFf;4;fa?}L)YzeA&q2e$=cN9S6`#_zweXJ*{wfMQVpx<IqV`)K&o!8i
ze8>Zs7>j_IuuS@F-FJYTaui(R4Va6NZ6$zoxKx%?!PCxHOHhOF;TVVvk%Gs3r(pLY
zxOj4W!`epV-9u&glci<s__J)zCFdqJ9&+a=%iU)>LaF~mRCQgNlwg_8Y7jd0VS_?S
z*y;zn2M#yY&+Flp$SqBP7?qOLIZmyUOg%`CK)NektHRvy9}myugzZz(wnHT&e1|9u
zFX>STKzbBWwMl)}Dj<6jc387|=meh<yvcbW<m`DqS~(Ye%|m+b*}j_uS~agA0;Q77
z9OBu=Q=WEF@+%)KvhJ}q4q2~J$$ryyg!`2{eR8p+zwu>};ahuYyIysqc^ocZeoYC{
zc7IIEO6l==2z$l+;&!MLe_4LMYLO6f0-k)gSg5eEXJp(JvHIl0^tbAQd$6B^CUPw5
zr?4!Ob!Lf&P(NLbvNuRB_jzlY?n~@fKTJAUBYgF+N4W16XXpu=(Cna<@k7Oxb|2ZK
z`m=c7pL~SNMD%Kay@8uOeRnsM;lUjIkyLN=phaZ&EK1gbr@~4CJ3H+~)|PZ?9y<Hh
zu}7XS>x=DgO{^G2h(fTb50?%AJh3TyGAL$~85*lRpR3>7Uzu^P^V=OpIaq-sCl!|J
ztEJA0Ec*NtxL8YBsIaq|)_NSYPMBXEs^0GePo2Z}xieZ!yFahh6#!{NkC0xnBg`U}
zFsA?^4+Cm^mk>&QEZxJOGmkb$_t+LcFv{>n7{^Jgs|za5n6}(oHOw@r@oNoG+>&y3
zLGGQHL>OWjXj!YoU@vVKworBZ!szA7<oq_qT@+uwrv$4zH%mRvD!lOG;0q7!KGzbB
z9-&B#TL}uCZ3vTZcp{0fjCAx5+FBTSW|p}g7vYU8%y?2H^g*F*d9pea7k51GUU(0z
z@&d!l2bKBxEvN<)Vps4TnIe^%m9p!4ytLu4y)Ry*yH>E}En%1_oz|gA>shg(F$*7<
ziOW|rIdsxu?I&hgkd>3iwJQ(JFId0vwHHh1i#_=UQ+?mhx4k$@^s9N8VQ|G})Q_d%
z_1I&Nmx)Ugz0#Lj^NnvRSNg5qWLJ5JT?|HEW+8?wr6ja=b{hQBRk^+aKfkHTEz7KA
z_<CKt1d;zEQalbPPjvEq53)ylp!xH$!JP?ZA115Q^TnPI@a*+yP>4Rdk*FA-$id%?
zI8jI4^Atsil=Evjn}uzjb<i<!$k#IXt43&E$R_mOAxW-N6gsWQwZJzQw^s(KD~Jm^
zs}xY`%&Pd(@Bs@t!iRMBvy$dw;m0{hFc&IkD06Hn!dCLhX-d#mxo5=zM#0VKHKY5z
zbBPs-ZbcSeHndACecvnY9e5?kq?&s|UJ&lB)P>~1>8#hj`Ys1ksN?9FbJsDqm3+i_
z1E)&72O6pcVeL(vv&Vam9<3v)xPBjP9tfxObfsU3(?7Z<6OTK!UP~SOC^=#+iL^N>
zmRWFWOx0FsZGX{qve^djoH?eaD#|6nFMxe7zNPpsp-D8vLCR9(Si^@OU0cqIB-E_N
zkrIz9QS%peDLreUUi0n=EgK$Nh>vTKMo6VD?)!rA+>ls-^IWYF&ou1j7Y|f@Cs|r)
zn=Vec7>zz;Db^o6zE@<09p9H3<vyd*oNgO+^s_zYwej`Wjk>?0RHR^bGx4A7PByb@
za6H0={`C_lqQ0*RNHkAxA7trJ*_axsBZEw6TAlH;<{H4|C0#zGF2hRnfh-Ug?bSsn
z5F<*-aK7wD4mXcfoq+X|P$|g2xxO+x+imS;rX-O3sB96*)G+#HF!c61OSlfKDeKz1
zSlX&?s!CtDmXcSV7UqKGo7>pPW7G9b8Q~(3$<rcCkBEy1@rt^IwC!niE;pUtzr5uB
z(7Z!K$*s6*&C4X^(p`V6Grc@887Y8+i$6>8GGyVID(KeU<NrPThi2CxFW=|0EybZ+
z{J4G&<!^pt0q2Fh2y?tC+lzH-L<yKuU{y)PBZqVOl3{zg%RDbg=QbiW*qVFpXmW&#
zxjlUJH8n5x80*=3UwBgbUb@p_0zE=Qu~>!%KDEjrZg-NdXSfOx_JP%BbGMIq4RgPk
zHq6Byv&7h9Ue&;$W5~fU6d{P2n6FNdJouP!WvY$0T%eOWt)@>im`$?U5-kwAt0`(q
z<G&U+XPkdERxQlWmtA=yG9_TZ1celgCbLof=G<oRrEY^Pl8KC_`Y7|0;_x9<PNyw$
z)0z7&a^I&i9ZX~RZdH1paB-!i9vL2Pv0u8QF$y88l24kc<q@%9W7s=U2;m_p@L^7i
z8;GslDqP9=m>NdmF5v7N>>sJ$Je{wx{NqdQwD8eG9!sE>Q?%A{JeDi=<NG@x#ojo_
z)&v>8ErYjwAeQomK0_|gYz8D0Pz()P^{r+7q@*lkZNL%|KEHpr%9U5a#D{jh0T2;i
zvALjj4+olcR=`rLl?j5`TZFYZqO!ayiQdU0???*6=bA6wWMiaYwoWf}bu_mgi1mnZ
zn*X7wrSQe)VvG^Kj_+u#xiAHzyf$>w|D<o1ebV~tHHTIc`;8y>ws1!%rl+zCZv14|
z(IdRYK9p|KUY{AUe69Nu5ix}ucW2^T#LE@iQrW$J_$q(k4jI%Ol&+e>^RD4YFwX2F
z7SZN4j(Mo<?d2KEQyIJm_sm^+l<n%tcn8M|dpSz?RRo5asFQi_B%USy@yxxHqW;?z
z>^2VW!fzw#lTX`wW0gPS+g%?dI`E2<ldERe;t5DvF?O~)h6f14V^bIDD5YBC4%}96
zDN+r}QewB#7(^vdyGAS4tnW?4U3~OZf=kb3qI7-E)4|u^!P`Cq&GvY{yj-3>uKZPP
zv!Kf#OpIeLUG7LH1+#UPnlNW>)alOOs=%%|@;&~`-AQz^U#ZWMW714jo7TzGba^Jp
z_UmwhWq+1@qQub!&hFrwTPrV5k$Cz=P!<8I>ziY%0doB_?ox~Dl)%VcyXoj*a9*|R
zG&=T1c>PC4MVDS#WzUK5rnyg9bP63Zuch}|_95NYo-Uf`n&#!<6IzG`1f5&&)0Umb
zl7Uc9DsSPG2C^U*wY8v%QIGn3>S}Vf^NI7;{%jH&$F7z{1d5WDssc7VhAAECTj&&r
zrna(0v-YizMk)R#lvjZgNj|A#X+4};Pus;@q`EU4o^JcI*?fkR4wB5>d}fBuB!xBz
zh?(10m5%w{U0Nsax5lh}6)X_7BvW|Net1;HKvgBB>g+JNEMI=5z*35~{FRC|NM4f9
z{d-uq!T6F`S9AH@yrRb%>06C?_YQs7h^{S{VV|3CZ6EqL(?Sc}g%wbP4usB-zA`wQ
zg9{fv6QOpI?#2Z>)2#(UR*|oNN$_|l{<g$NVYdIw*X>;)82ZJ!!p9dMf!X`#?6#2V
z`TTv{n#VQ&ISTsKlf2JyF1+FD|9hO;bL8%G=BlM^qW_(K=m(f!BEwwgU&5is@!uc(
zp{<7Kyqt6H!ao;KyREi|?m@}ESP}YPuCR{KuUmTT^61dNC-S!4zRjN#BDg=~p9c(X
qIEel)kF8O&*Z<DU|EF6EqLXq7saU)weHZ#GE}e6FnmOv%@B9y8PJG1x

diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 7db324966d6e..39c529dfc527 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -11314,7 +11314,7 @@ msgstr ""
 msgid "Minimum length is %{minimum_password_length} characters."
 msgstr ""
 
-msgid "Minimum password length"
+msgid "Minimum password length (number of characters)"
 msgstr ""
 
 msgid "Minutes"
-- 
GitLab


From 7e23f47db2fda7781169c10074fc277a7b2d18a7 Mon Sep 17 00:00:00 2001
From: manojmj <mmj@gitlab.com>
Date: Mon, 16 Dec 2019 11:52:28 +0530
Subject: [PATCH 8/8] Refactor devise password length initializer

---
 app/models/user.rb                            | 12 +++---
 ...vise_dynamic_password_length_validation.rb | 37 +++++++++++++++++++
 ...evise_remove_password_length_validation.rb | 25 -------------
 3 files changed, 43 insertions(+), 31 deletions(-)
 create mode 100644 config/initializers/devise_dynamic_password_length_validation.rb
 delete mode 100644 config/initializers/devise_remove_password_length_validation.rb

diff --git a/app/models/user.rb b/app/models/user.rb
index 50297bffe95c..7bb376e6e068 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -158,8 +158,7 @@ class User < ApplicationRecord
   #
   # Validations
   #
-  # Note: devise :validatable above adds validations for :email
-  validates :password, length: { maximum: proc { password_length.max }, minimum: proc { password_length.min } }, allow_blank: true
+  # Note: devise :validatable above adds validations for :email and :password
   validates :name, presence: true, length: { maximum: 128 }
   validates :first_name, length: { maximum: 255 }
   validates :last_name, length: { maximum: 255 }
@@ -378,6 +377,11 @@ class User < ApplicationRecord
   # Class methods
   #
   class << self
+    # Devise method overridden to allow support for dynamic password lengths
+    def password_length
+      Gitlab::CurrentSettings.minimum_password_length..Devise.password_length.max
+    end
+
     # Devise method overridden to allow sign in with email or username
     def find_for_database_authentication(warden_conditions)
       conditions = warden_conditions.dup
@@ -1752,10 +1756,6 @@ class User < ApplicationRecord
   def no_recent_activity?
     last_active_at.to_i <= MINIMUM_INACTIVE_DAYS.days.ago.to_i
   end
-
-  def self.password_length
-    Gitlab::CurrentSettings.minimum_password_length..Devise.password_length.max
-  end
 end
 
 User.prepend_if_ee('EE::User')
diff --git a/config/initializers/devise_dynamic_password_length_validation.rb b/config/initializers/devise_dynamic_password_length_validation.rb
new file mode 100644
index 000000000000..e71b28bc495f
--- /dev/null
+++ b/config/initializers/devise_dynamic_password_length_validation.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+# Discard the default Devise length validation from the `User` model.
+
+# This needs to be discarded because the length validation provided by Devise does not
+# support dynamically checking for min and max lengths.
+
+# A new length validation has been added to the User model instead, to keep supporting
+# dynamic password length validations, like:
+
+# validates :password, length: { maximum: proc { password_length.max }, minimum: proc { password_length.min } }, allow_blank: true
+
+def length_validator_supports_dynamic_length_checks?(validator)
+  validator.options[:minimum].is_a?(Proc) &&
+  validator.options[:maximum].is_a?(Proc)
+end
+
+# Get the in-built Devise validator on password length.
+password_length_validator = User.validators_on(:password).find do |validator|
+  validator.kind == :length
+end
+
+# This initializer can be removed as soon as https://github.com/plataformatec/devise/pull/5166
+# is merged into Devise.
+if length_validator_supports_dynamic_length_checks?(password_length_validator)
+  raise "Devise now supports dynamic length checks, please remove the monkey patch in #{__FILE__}"
+else
+  # discard the in-built length validator by always returning true
+  def password_length_validator.validate(*_)
+    true
+  end
+
+  # add a custom password length validator with support for dynamic length validation.
+  User.class_eval do
+    validates :password, length: { maximum: proc { password_length.max }, minimum: proc { password_length.min } }, allow_blank: true
+  end
+end
diff --git a/config/initializers/devise_remove_password_length_validation.rb b/config/initializers/devise_remove_password_length_validation.rb
deleted file mode 100644
index 0c0eb3e0acbf..000000000000
--- a/config/initializers/devise_remove_password_length_validation.rb
+++ /dev/null
@@ -1,25 +0,0 @@
-# frozen_string_literal: true
-
-# Discard the default Devise length validation from the `User` model.
-
-# This needs to be discarded because the length validation provided by Devise does not
-# support dynamically checking for min and max lengths.
-
-# A new length validation has been added to `models/user.rb` instead, to keep supporting
-# dynamic password length validations, like:
-
-# validates :password, length: { maximum: proc { password_length.max }, minimum: proc { password_length.min } }, allow_blank: true
-
-# This can be removed as soon as https://github.com/plataformatec/devise/pull/5166
-# is merged into Devise.
-
-default_password_length_validator = User.validators_on(:password).find do |validator|
-  validator.kind == :length &&
-  validator.options[:minimum].is_a?(Integer) &&
-  validator.options[:maximum].is_a?(Integer)
-end
-
-def default_password_length_validator.validate(*_)
-  # always return true to discard any validations using this specific validator.
-  true
-end
-- 
GitLab