From 98e473f95e34a5af36e3933110857925510dbb96 Mon Sep 17 00:00:00 2001
From: David Parrish <david@dparrish.com>
Date: Mon, 15 Apr 2024 11:39:00 +1000
Subject: [PATCH] feat: Add OpenID Connect support

---
 .../configuration/idps/openid/_index.en.md    |  36 ++++++++++++++++++
 .../configuration/idps/openid/domain-auth.png | Bin 0 -> 26799 bytes
 internal/config/oauth.go                      |  22 ++++++++++-
 internal/config/secrets.go                    |  21 +++++-----
 internal/data/models.go                       |   8 ++--
 swagger/swagger.yml                           |   2 +
 6 files changed, 76 insertions(+), 13 deletions(-)
 create mode 100644 docs/content/configuration/idps/openid/_index.en.md
 create mode 100644 docs/content/configuration/idps/openid/domain-auth.png

diff --git a/docs/content/configuration/idps/openid/_index.en.md b/docs/content/configuration/idps/openid/_index.en.md
new file mode 100644
index 00000000..170116e5
--- /dev/null
+++ b/docs/content/configuration/idps/openid/_index.en.md
@@ -0,0 +1,36 @@
+title: Login via OpenID Connect
+description: How to configure OAuth2 login via a generic OpenID Connect provider
+tags:
+    - configuration
+    - identity provider
+    - idp
+    - authentication
+    - OAuth2
+    - OpenID
+    - OpenID Connect
+seeAlso:
+    - /configuration/backend/secrets
+    - /configuration/frontend/domain/authentication
+---
+
+To let your users sign in with your OpenID Connect provider, follow the below steps.
+
+<!--more-->
+
+1. Create a client and secret with whatever your OpenID Connect provider is (for example Keycloak).
+2. Update the [secrets configuration](/configuration/backend/secrets) with the above data (**API Key** and **API Key Secret**; Bearer Token is not used):
+```yaml
+...
+idp:
+  openid:
+    key:           HgcP46jXCRbouchsgqJgkHPZF
+    secret:        Bqd7r8TaS5bcFReV7bcE2YQMt4xIrwrFSaUQ8KVJENk7JndSxV
+    callback_url:  https://comentario.my.domain/api/oauth/openid/callback
+    discovery_url: https://myauthprovider.my.domain/auth/realms/master/.well-known/openid-configuration
+...
+```
+3. Restart Comentario. You should now see OpenID under **Configured federated identity providers** on the Static configuration page of the Administration UI.
+4. Still in the Admin UI, navigate to the desired domain properties and tick off **OpenID** on the [Authentication tab](/configuration/frontend/domain/authentication), then click **Save**.
+    {{< imgfig "domain-auth.png" "" "border shadow" >}}
+
+That's it! Your users should now be able to login using the **OpenID Connect** button in the Login dialog.
diff --git a/docs/content/configuration/idps/openid/domain-auth.png b/docs/content/configuration/idps/openid/domain-auth.png
new file mode 100644
index 0000000000000000000000000000000000000000..ea51e728cfddd403bbbd20034962bb3875ea4873
GIT binary patch
literal 26799
zcmeAS@N?(olHy`uVBq!ia0y~yU{YpaVBE~X#K6E%bgaRGfq{Xuz$3Dlfr0M`2s2LA
z=96Y%$Vl{baSW-r^=5B<K=AW@|8Lv>a{qs${!71c@$cg^tND#@&onsfbLruoGb_JK
zAG@4=EbnmQHigZ;t0dGGFR9?Xe}k#4XT^mVZ70`R?*2H%EVpmzQq$aBmK~|dYZUTW
zPPZ)+^<&8lV48iS<q_Yf<dv4s?9NAN??1u6h?Vts-Pv>*&udlJHeai{_BrZ&|C+C7
zn%ViA7#J81toq2~!_2_Iu#Ay`f#EU(0|SErF9QR^3^oP^2A|KyoM(2;4ZpQkZ1Tp1
zM^D<^v`tToVUAtf`;2Y!($n1_176=XaqboE$_+{kOFPD9*R^)De_Fq7S?$UgEy32}
zNgG$zDKt!CU|@KC$7JzZUbe*-3nDb@9xeMAmuVvDnRdkpWYIjO%O847o^Z|ElIgT1
z+XdtR8_mmSqP!PbO`pcQRQGOS-<4&FG1r)jHU_BNTei7x%`c5}!8ua(`OY83HY!9%
z<?Lxv)L=Lum3w)Ie#941)t$4C2+rkDwVb_lqoN>J*d>#=>`sL(mW`V-x2`_1{F(`4
zdtLAkJBOgV{Z4!g5tEm3UX6@>dMM!P`pn+!)E{fSE^^H}mV2(hBRBeR#v+zGvA$`)
zS$rm6GKqb9Gx2iA>9;&ymJA7hXQ{o&4dM#h@cqo?sB?FFxR*RVyKl#tA6BoQ9O9jM
zs7r5#n(CQ`PC1QD*@v7SAF$!FWJs``t@a`_C}r)OOpedO&U?e#)E=8X-J2BTwL>&<
zR>_CmGPZy9?9;3m7_RNjY!bc}l-alK>imMQlIh($!}e<1r!S6BI3dDu)N;0Jlgj2f
zf6Zm*Ui<K1!ipW1n@o@04AJp4l2nZKG<f$;?Qr9yCS9S00aFwOI8`^vd@SlT5VrOG
z`t;Nv8N-wNJrt&SlxM8cjeXa$w&lQ@-P^C$tZ~|?I;DR7=A%or&rRk!X(-Zh#3*&=
z$#;Bjr`^AqW#v&GHessfiD^$(l|0Lff3&80?%Uq4p{hliyA5o`lU9~Yce{V%X`j7n
zPyUwOTQ7R>?e_5zyO$)xrBnLTLE2Vir}W9f6XrXc&ODiVELp16$Ep6U%ejl&CcScN
z7w=+XSR;8^CAsXtnv<MsweKkDUkjO%?ImJVxF|l)=xtQt8mA<m$6KXOo1QAjlAQe{
ztGBKD)2y)Xn<nkN85Jwx6|ZqNH1m|U))lSFkS0!_$K?@S=7qg-6Dy)SqoM<2G@hF7
z49tAdyYWzi=gi5niyc;aDT}HFEG}?AJmGq(?F4-v1;34pE^d9Iusc_3qrxVKgAdt^
zH+snJw`Q8T?ymIhlrvqv#<xru!;@F~XmtDvQ_!^wm^68+!u&@;v!ypNGOUTc%%ZkN
zN;5v))63`L)S^lEHeclSP3t}yBmOToy(jaAiSp-_a;v_dxu37|Kvv<D?Hwzt`C;#8
z?%!?~E+J)@HJ2m(X!XKr>rZV?2^Bx|`)G;W<mb<xKF{mia^u9aqA6RSUDI}6*Lm@v
z-exzcnPKiyp-!2Fy-Sx~x2(EsnvfsRzPu~-<XQ7%)0@$=57(+rdwn>XXNS*iCwFJz
zs|)57ZZU~EF;Qo_s!8wRC1=!s_Eg#(V%xZ7$-a%fXO|z&)0)`!d40yGho2Z2Y|1Vh
zY>wk!X)bFU`%P^2+KWl@UJCMQCuW?#zUt;Fx9~U9S02xt<F+!v)%S63Xg-gr5np`d
zrK8iYnEYF}Dj+@9uQ&OmUf(Py;U`CCiREwllP)$RS^Wg-oL{;NPsPS0&GlI%ylGKt
zQs(Om8s~2Y-nX2oBJJdR`qDn{WvY9!KkiL`vcg2m*=pjn?MGjw*ll_*x!V4s3<JaE
zBQw+-Ii_5j`Qy~xFqtUVtP;Jy-#*Stdl2!0&o=t9(DbV*%L=2P?9sfL*z-d+Bt`Y+
zL6M*QY}WiO)gQEOO~3N5Cswy-hwj>KvrJRCC!L(=ZtB}4n-b*}yq24RVRhy#UDd1Y
zrB7!~dKCL9W@d<v822WxN4|&8S1;Q-<BWj%tm9d;4orP@;qA@^CI{!Vsw|tCaYs;Y
z|4Ltz-~*|rxOFFp|6V+Q%CeW1I-Xgx9Ku60X1Le<IA!$P)IWNf^Ro@QkNQ8KH}u^Q
zD;-sCEO&{Sq2kZp^h_1;oyF%bZ87%0Vq&h#+EnmZd0+0NBPL5O@t^m+eQ`?0F2^ge
z|0mVPm|p%dx2!nU^`qHLi+!D(ml+u95|_=~y2{D)fm^KqgU(sU0_7$DWPDkgE4AB7
z`;*P~md)FhOE)TP3*9cY?4z}`>81}kOb^9Ue{O7ZTYa|5LVg(|!=ECb!xgdX0`)gv
zF}W!^H~W~$&S#xle2bT6CGYS}_Pn!<)4ncb$F1C1oo=BkdNn4jke-|P`Dd=G0WZS?
z@#I-2mo=?9aib#Lbw^r^RpNKfZ}T|$OAIq-slCX)BWl#Ea?+yrO=0ilFYeElJeAoe
zG*`)onc)ZP%wxF|-OZ&IrCmsSX0{{jlF4lOIyZ+MrJFV`x;uYaX43O{y+>3}+cu~_
z{BYiDcANFKh3u)v%2pjTVQ7f&$y7Vjx{+B?Znlz5mhKd38AGc?nXi}JjeW25=r?M8
z{NPz*e%-<MM|sCg%UjoO$nSOE+pPZYyUA>!?J6A3Y>_A8H0%5~8!hX+v~9(WSIwCW
z4EsGU@AzTn^<{Bto6paQ^G~IFindEj&5mB%%lnIKr^Ty->O0$W-{yWRYuDd9Yt~B}
ziFGTVF1t{DNupnWYU!SDpH{Fh<NR#G*1h)VwG^{!V(zx$>drAqSzEVnFYRr+^y#~_
z@_CMozACqdy<t*SZVq2t+l`(of1T(0S7eGE)AF+~=g$0E9b;>j{KC`n3$IC5v9{$T
z+llNq5124Cd`*!0rDpQW=F|-Hg`V3_Ok?{WBRtW{&H2yczmMm?4lP)-u%`IU=dCvc
zMe_3}Kir`9Yh?zLXWhrfs^aVv9vh1!O%D5L9d9MwDbMr7xP|`hFp3ILHv9UF<vqV>
z&b1kRn#o2pRn6U1pUQ7pG1>n6nJdzZCD$*$nsZ?#x3d3Y!BbwVeAha^Ib(7x)m(nH
z#tjKezMV_As?}XjbHA-~b=IE~k58Cwvd-ImXxo9b>OR*@>tBK9)=w;(X84ONx%jwz
z+w7N{EtLC9ggch*Ho1CincT0A#+wVxzFD~Qb!endKX>6sZg=gA^j@`a8Oswpms;(;
zY4+e?DicFQ<z<^Ex96I7OzTnFFm=7}`ib7=T`z(sn0s-Xe7#mDAO1CbqEw`UP+nk|
zd0gUrNtv(QQ&k14qtEtikuv!tWBA=5Epy$bLkW8y#eMs${dwItwr?{}EwP-WD)xM8
zi0O@+><fNY^{8ITnW!*3<@^mJq5s=ne%L(6^-JUx&-qX1==^`ARpyd;MZ^2U+9lJ@
zG4)H;M}7L!>b9>g{f@ZQswqZ=X8$>|id3X`dm493=B^99u-sZ$FpFnxPIsEYDqa!k
zquXxIn9rqJb<KIn)vYOaTi%y5Ff>ekX$xvnB}k#PrW!Iq?JW~f6AO2X3#9J=NDWjo
zy2`UzhSu9ZY>(b&_+8}DO3osulbNnJ*%+2ZYEOvDd}bEc_$S2CPs4Jp1s}r!lWf)^
z?w;m`%Ulc%nE|SdbHW%Bq(VFymWwjXU|ZmID3g`pfXRwU41U@S2E40OK<a#$(ba_t
z9Y9le;PH>!E6xOct(ViTxuK9fv9vIXu_1Gw4u6{4^L@Lmo_||!e7S<HTCe1bh3)Fe
zzaHK4dUer6c-mPj)3bNw#rN&5I&LW$G4%>F|2wvVpUZ3Y3f5d(n)!!YcD|onRdLRJ
z>EzI_!Q0}Vy%Rot>QQ>sbM5_m!>)hVaDV(f)H69gOhcsTXmsv&`MSHe<^Md}nLe*F
zZ}rn}UGfw2v*T*s-FzOus(jttC32C*F*e&Szxr3T>f84`q2<5c9lsK+ywB>}=UdNq
zehL2lF!;Lm{!%fC@P~ryw&!2hn!A35+OEIZJG!Fwe2&~Z+j`!_75lG#-|_j(9Ltio
zQx64x4!tvLz5eAt6}!vySKhg)@!(&vZ+3Kr)27OzWjnuJ^L7z)5f2KE(w)3trsm~!
z$(j2NE#9x+l9?35_f1Brs^Z<z<ok9Hmt0$zIcHknx`gMlzcSTU-M#bu9LN8k@AH?(
zp9{ZY^8I$by;gYdycembf4-gRyxuBabJmN9)5~VgUa7?qD)LZcM`4=P-r5+;%Qv*v
z?+q&W`=s39Y?aa3zu#tMfB98;`S;!2Nsa99*554(YT%kKwqSSn$xYuCK8AmnyR&!t
zlBd#p|Lk>mljMKK<i6agnzqL~r}MnzQN8hf?}s<W=Tl_=n4L4}E*B~dyc-|mbFFym
zlhre(+-xqYHhlN5$na$C^Q2EcYJOTCW_9*^dzPlp;#L2avVUzv@G`}xH@_uU)c-AY
zJ$GbTB#+9QX%D?}k}j)6rtU1NJO54X?16>n94Z=jRu}%w>^`}^>FDve*n(x65~lU#
z`Ds=%-zTrO%9Eddf4ximQGNLe1M%$<tCCCg1J9>?5@x@=hG~2KDy=0;pNA~TOTE==
zzKXB6{#nXr;T_k%zx**T{HFHjs~4TGS#Q~`Xi%N>-lMVTPR{HH`?N0jZ1Ml}bHBA&
z@uE*va<|PUh5K#mzkELZpN(F9sY~R0%Y}-%_dkBy`QT1y{@SvZ*fWs}=5DZL_P=EE
zy*f@@Ab8J={k^}Q9i0{M|I**}-~Rq;75`VbI&(_C(w-lOxb^?6-+r!s!v8~`bGTpJ
zd_J%K;nM9gdots06&u8Vu-STb{q}uV1+(tod1v^h>Sb&E#iR4Zb8IWxa*h6eT|3<)
z=+brGRQ=2A=hfP6zVPL3(uL&6Nk+LH6IkO{{ha3iy1#4szlpIAe)de?8sAr_79sOH
zXt(KS`G{b<`8&5hI=%7tX|=5{a_)Tpw0?g2(_e?WKW*15$ZzzVw6Vlz^Fw?4AM2xI
z>aW;-=b!)9VxyXm^8M<$e^%$F{owli$;I)-;R%^1c&{x9EA8FuDSz{Gb<uUvRk3sL
zIj_HX{&R?V7JqEN(OKs6ss2~v%BCKgSX=+&C41Ta%UaJHEkEy@XtS<%L$XU;{qJ@4
z%fdYMG|Jh_Kjhv2>GNJIL0sXs?Z>Z5vrjs>|MfVy`g*qgv&~<;F5WnKue$%P$-48$
zl2`wj82!7;jq97=g->!3f7VPoyX5Zv68V#h{#i!vUA<t!-SvCT&%`_n4pHmoPXBj6
z|Np7gdO<(W6y(lwE)iB|-@(=Oa$Apf`3KREtD5`U*Lv9Knsdd;-u&Emy{2PrH`n^`
z+NyTzUB-LoX}x2Z#P!N|UsF?N*v$88ncQi|UCJK`{cgB({AuCx0Q-II_c-HL|N3kj
zWbtZ8aP$+d+IKoDzMpTcp0hIf82{dr^B!Mcwoh3!<8;K5qrU4LzMoN?<aDs~t@XUg
z`_s(>O)lDgKjO1F<NoxIZ;a3X?LK(3+F)`n%a?-fKfmt}u{po3Xx+y8vI|G&3Ce7l
zZ@!{#vS;?k`U=DP^9S|w3zk(rn;D<FCuYX~BC+UN?znVeN#nn5|9;k7JN@%^+$ja`
zzps{VXKOxq@A}KO6VDf|{ZjmD;qz_#-tWA-QRQhuzghF2sgW0**UvvzbIa{#`<b<^
zKiA~XJ6*Fm-EhZ^U`N)Uf9$p6*5CO4$$sP8O;zcymgN2Sbp8G`TvA_DYg^Y1nSa{1
zPfk-w&YY3fpZ6xNpzz7x|5m%US6`6l;Vb#~erv)kTlM8H-d>T8GY^md|4(YAp8u@l
zhnFe7OT7K@`uCT2Lw`rC52?Dl<j}0yYlDkQ@BdhMxaR8lnQ3_mUY@J(POLS}TX$>H
z|Hf(mznuD+wEO1X{=HdG^8Myy%v4^Ms9l()78SYwV43lo-GR}@YRkXA`MT>K!`nKG
zGpg0LdoG5D1m9<sTc251y?5Ksvg4|HfA0VFSa<oi?Ed9@CwhIB{XYNrOS`PRzXBb%
z-ScW%Wo}>3lTrHZI!UXf)=bPNZl=u(YtO5C_9kC%E)Nbp74TFz*wyC8Ih#{!t6zNo
zv#VMsCE9U&ueIRyDfzqj3(fbjt_wagG1yMma*1_}%Z+DM-+JE6ExOm788-VKXVsdi
zlXEKf-cO%v^N~;9?9#HxFW2{;+BW^>x3hN{!@Q%41UI!d*VrAZt2^l{eAB%v{6g+h
zTb|1H^faZj&nND>$NopuBd<p7q;0IhkH>Fjrp<r*+HzZK$#WK6H<hjGsk4r*?}|^z
ze!lU+-+cbGiPArNYGu1MeVj!nt@!@tseRu@^AP!*)c;1l6VficE}2>%R9iax_2TM@
zSMEsOlH2F>-~DQM`HSb`r&ch>RlIeonI1kx?ikPi?j^r#>Xc_sd;Fj~CvD%}{XgC=
zS37)r+4>u8)1UY2U+&G%-Zj^1Wqs=AAM!bE?_+L!&(2%lywYe}&g^GL=DiWl*?+S=
zzVDxZ!HV5Qx-;A|XXajyf1H2pZ_d^AU+b<HDW^ys3p?58J1_P1?4vh@wW8+F`|*x3
ze#6gMFAkRTJ~TV~*SI}%>CW@VwoU%CJ#$v;<McfC%X-f@+Ij~r+j-kO@<85~-LCKM
z)$}}3e1CR+n$xm}(&^jllfri<&aRvE*ra`5+GqQ(!J@WI%Adk-I-3i4T&R9FC+O0u
zw%rSP{(Ug4&N@?kaLH88&o`yFd|R>C<@CEVSLfSpuF9?T@ew^Z*LTqb!)?1H_HJ!|
zQox=oRkZBn>Y0h#w^evKhp*iGMd8NrYZbSm?e8oOdcUpGe)Bnt=Lxf}rZwnZTkrSn
z;-Ld`qwH3_`QDuTW~R2p&EkwbuRc^<oxS+YA>rEcorfO&%9)fc;Ty=j_gNvE+y!a3
zs@q0x)9q`L<*U6t^gP~iow@A3>*#a0bU(@CTcfVeyS{F7dG~eyxLT)WJMS*}(ca;=
zuXge_{<s^TuRc0FyKTOp!?j<c_V*tD<d1r9|M^h2{{P$8)~fvb*_v*_TOj&t{mwG~
z3z5#eU;fNnA2c&<;^{Np`LW$Si&@@(-kUCd@80qW`@SsFF#arm^WE<IH4{#meBb}*
zoA#6|kER#>`hGgUpEWo|XKvxF`v2eikGZ)$fA=$g>-)dow_dC+`^0xWdE4{Ht&-Mz
zU#d+tjTaWY%<`uu@tJk2T*>Ct8G48BnqB?9(@9!#`NO$|zW<K#ZkyAu$z9pHB=+3o
zS!pNTnjgP0^;jQp&*aOYCHFpEzf||$@b;Btv$J2Fug(0n{^yUpSB^VAH?KD5`m#M;
zsQ2=j4O#V1uLizN+-7uf!(^ilPNtJu!dcw=gyX6gpL_IrUeD`<@=e_B(q)a->QmQj
zadTewliB>}qkA)*74?7pE!En$+IRJQo3CH*oYBwO@{Dt4+MV6&8+6w{{CJ6>T<Ip0
z?W>2oIV>(0Ec|XYd6wFRz{fpCyz=V$ccZIVC%v8YdP%{T3!3+5+E=gYnztm=X4=~G
z#l?*Ccv;^T2Gvwnv-%i+J05X)!^HX*tKCh`u3uy%y!6!iuA9@2?|*0f=Q#VaN8<CN
zubFf&{42#fGfn*W_w(jwJCnCEi~qAJoxRig=fu#RVm`qi+9NLoE!@lyH+x0(XDRF3
zPY?3T@2<Ff=ke;CeFnmpuWWuRnk2RDo66SEIhkqxd!%xu^wiGvfO5s@na}wDeGuKX
z%}3bW@38Ea6DIo)+gA$BJa*aUSouWPt32&~XO|i9%JN8mn7d~G!P0KQ);SBxj|7Gu
z2`ziLS1$dAiPpNxDR)c`Ug)>la(!pwk|t-na)xD*xlG*4zipg5`<eAZF_r6=Qn*d7
z>k7QGUEG>mGm&qHs=kc<9I2;LYyZ^xKDfvKxG|yNrKrTt#XQsd)zhT<J%7nqhy8!#
z{r{7Yw0_!#!(v+|zxo%hb?Hu}+2;rGH=Qppt9q#DyZMB!*elz`Yx^C`ME(o<2$$^p
zdVb4ypO5O>l2aFD%747Jj(<*fj9Prn>4Wdi|Bjw+&g=Oqen+3hwy1~{br+l8O{ez#
zF!over~cpP2l;2KU;Mvcx4l_pe)j);iM%t~w(w`%7r*^d{@tyo+*-PgH50ABnC?FO
z{h8k-&;QEmY;tD`Z7ml@^?w(8Yx~&hjz_YsN${g@i+-1VNIX@!LhPT_y6<bIo9%a!
zUK-4kA*WS4?}3yVul|+SUaGgF>webtWZtOVbGmfC#^L>vRSzVS>$gu|V>B~5<NuB1
ze_za2Hy$YGeb_7?>iR)=mJ@s9?tDF&{O{_fz01#M+m*gP6FTeg?wIBGAKSF;kGb4(
z+^qifl<ec#{|yRX@Ydamc)Qf$Nm%OfjH!j6j=X>QW633>a`U6PC;H#$Gkav^@9>{9
zXTjsu>-)C<-|>ZO&g+!*55r?im*>s3u{o7j_=IJy!v7n-##t3FcP`~+UB}$}H<8zT
z-p4ba7u8&y_h))s!ffj~nL83Er5nfH`}&K$+0$2e&wG<U`rE9%KWuumwU#UM+2`|V
zE6&~V3tf18iHvcN{kMPDp3kp+wzIy*^W!Y7`Lf5(SG+x>WWMdonPSQR-+o2suiD}B
zX+M|OypW8dgWW%?ziIxPdM>2m-TeE%zSVuW===Hi|G(}<Kg8Mo|5(0wxAnRTPut(u
z7iS+cSy;%FG{tXMa^Nz~b2YYc2gE)(zxTNowyF5iiy3B`%l_14SS^b^&zIDm&hll`
zWDYL3Z!gsSC60d=wfuZ<!DNn0de0mAY;T|6lfUPjm9@C7@`HPGX72qtIoxl;l<#ji
z`a{=Dytg^K=<JMbMk4usWq0;nKi3!a*3$I(&L?T6mQQ1N^zI(N;M2ZmulcJJg?28p
zMBezcFPX}@{m<4~xA&5}-yf0QvORZxso}ORjxT$Q=lV~+V)iD);ps{1hmwpRmp$~K
zlXd5gQSq~2^R>Tz?DQ}=`^xxpY>JYa^~=;dcXn2oU(tBE?al*r!AqWv!Lq^pO)I7L
z9NZ}wKX=;y)H~Yi`>vUtKYR4<YgT5T<JJpL+T7}N&e86Yom6{g*~6?LtJgZeF7MxD
zd|`*1=lkgB|DE&0w{5ksH@>rsv(NNxQhJ%~??ZOgMVBvl{XG=js$cZEcYfu&*6H7B
zKD?cKMYO8qlws9^%&R$PYwV_k7|s^ix%A)Z=;(UcQ%}~deIwISD=rqSUb_2v?$Pf5
z2mG7QP1yJEDR17S6N|skOEoq7S6S63yJ6pRx!*<KZ%HhF=qnsyu-}bq$!z(FeMY=L
z&)t0UZ270lPVZjwm8zYuE%#piB+adN?hj^JGmi5`%Y+wCz5b)@(!Gztwcnfg1J5-V
zhv&b2yv^g5_Qhojncw`Id}ojEwV<uKZ(5qRCe2dae@Eu`mbq(p|6Evi?3>zZ_Ejx6
zYI%w_Z+G9h*zxz1Ui-frW~^#f`H_63P-D+J+sfOu`s;2d7jC@!qHD>|b3D6!y6$am
z*sNN!Zf@oJo%Xw{<R6>#?<_5@e|EguxVUqZAjgIH%(J#GeD8m~uUz(C|MP8)O-FBQ
z-*nxT#eX7dkL|;qb6=SEbldqq(totG__p!HcbiTxsi`*%4C<e9@^^{ud1t$u2{YsK
z_U#R;+xc^X?MeP;LSml|G|znbySVf8%jTW8zuTOi_Auq?oVc))>jgJm+Z2A`mU^AM
zc&4p!`TN9IOP3tCKVlo@XzMcT&dzWDh2|SIsOPLpz1+}laQ0TE6fXnAvc}8=Dexf5
z47LL%3<pdYLN7gjKK*B%6hnekgVxKBjpcbv43`g>fJRstE-&z6vRI2W!s0Nsg@}=u
z*B4EmFge?V_?-U{IBA~UiA>j<ZVGa`7eMoK4fl*;BTC?@I$}nY5Ng09N{D&BA4_LF
zTlV<hsbgRKIart)D^5LLKJ)kHa;ER^?He)$I9QlA?%LNmo!6(?K|!EnD$k`&jZo3E
zQZv{Z9TWssOB?VqH99CHNU<<AIvg-T<$=s>$b`t*FkUv<XIEeIdhUPy$M1Jd|MP6p
z&WZ1;AsWKYnB@Pv|IhaS@wciM|8jno@O>=*N?LB$#&7*!rA{qB{`A%B?-d1%HaR|(
zzkbCeZ!dUKfAL`%-}hSkv;XQ7Zy3JWv2R04<Hmyz?Uw&9jNRP%`9sLeXSy$SKAx)A
zc)rU%wQ5cI;bn?%XJ^NL54&Yjcl_r0*I(VWwfkT7&9|yGEV)q2{B?Jz`?(+2s~BUw
zf6Dv{QP<CX^?7Z{Df4}XvWD~GI%jkGzklwYWw+mE=P|#e`pH$x-z7i4W&Nq+YTt@Y
zwHH@R3!g8&SbXd2!$qMt-QTI2hI;pU<^6bO2zHCe%xAB^ODavhfBIcb^|yEOpWf?a
zUi-5=t<Kfgxc1(T__#Hz|G$VieY5ZKd+96IS9j^(_1~FU6MnyX@hg|(UU$|WQQO+|
z^=`rDjc-mwvQNMA<3M|9+U*BiPcB@p-*&HHTmGw)+g)z=gx=y`cgQ4LCF#`d$2}`H
z?cL}5IOAGoukQ8h{h71+bp;mB`Fr@${CiOy?;U=Bmn{#wVDheSvX<-B>e`7`<u8Qi
z?zwTpOfI_lew4=z{f9HXf+By5*?3ktO<MbC=hh8O%RJ|tZ(S<=wbnV@a(0a0$<OlJ
zQ+$E~mzsHUsiek7xwp;h*fb^d`4z6WZ~Rx5nZ4BX+r@Lz!OGh1Zjnpqmv0VxGAHF2
zx^{X6#ozI&S~0z|J>D?$<yTdGw(Xa+t2389h@SgtTFzJ1`Sza{_Vu<KoL&3HXj;l~
zTTb82UnZ!Xa_;)_+izu=oUQF20rBg?X1$^Ate1cMsyVc9)~`LHCTE?Z=VtwO{C1`7
zan*Oub%x&A9~PY|pZ!|<>h1dQEw$h4{)(@=Ao=NgZDG)Atwr<2!(ZC(eZ{xl?$6n3
z_iv|9KHnd_l5bvCahvz&FGu@%Ufq48r4?ISY_XE{xa8(C{l78$zOQ&WN8PMl?)F5Z
zx9)oTI$}&#Up=->dg1!4Q(NZm2zvT?+U~bc0<Zd+6@Cp2o;|z9uI$(Xt+0*WtGfBj
z_;oGSuHXEl{X)w%f6kWL{RhIkkDtEsKCV~f;HgcgF2DP+Bx7Z$wEdrk`@vTmgP+GP
zoD$0{e{F-i+d@6-dv}h1jkmPB{?4@K$J3QwTf5Fa`N&`WcZ+DyI=w|V!%lXee&tzw
zr1ag1xFTnPU4L!ry~0oBm8Z{qcQ?PSmVe{sd7srotIs}nUcF_HaMaQ>AMPE!aL|9o
z>ZN~UQ)WJ1*8d|(LEm`ZyYl!gGSAEA$m|kJ|0Mf=-_D?=%h)3qYTe4tDBQR#Fl6qJ
zCm~Po?a);_{luT!IsNRNYu%@Mmpu->?Y!(GPuZLmI?3Bt1j+yWvq;<QdGpz+)!%39
z>AL)l{2Hfk%~SC6v+~odcL%cW+dZH0B(yduKl1O-3!ko^fBB>MVg73E;Old(9J%H_
zdht@#eDmbP%U`eR+R?N`mHqhqUrds}9_@J5@YA`@KXlcr^ZM57>uTosHoiIfadY3w
z_J}vnr)>{eEpP8wZP(S+!+csU>-^H-tgk1{_N~5Fyla<Fw&b(@yJUW8t;$)RI_p*N
zAI3Y8VU<Q9KPIPEoHRH%ePLAg_qx06%*p#EWL{wl{xM<F-W?N9n5?`MZ}Gn@@?ze%
z31X{H-;?)?%)8!`dCpwt7`K|tv`wOKY>VsH=mxcFUtq~?UG%oPzrN<8?X#l!_3`TW
zEAJeew&bC4+oHRn%Zk@+{P=QVpW55J(5K>We(o^+6SvbVwD{Yn4fktnZ<N*S-*csA
zqOIyXv*e3;cdMt{ygT`FpFWS)(SP56-OS#7cEzo=k0&jfKY4c34Ly<erCxEBWixE&
ziua~2(U8eZ*1vV~o$~I}KGTDr6fb;VJE?K9ZeQm4D<${U-Mh;+T|KD#|HjuoW$W&e
z_#MZOiBFT8;5F;N-SwvQJE@na=j#8T^VWaHw$Rl(yt{3U4!@r&dQnMYx`^ghmG;zQ
zefu81eE6^U*Iw6Elixht`}Efb-l<;xeP_PR_$)2_^Z#w;ymxW)uDGzzx+ODj<HObR
z;j6c2ujIdDZZq9pA$0lAM_)6|cdGBI+g6l5bLI5?w@#N$leM(9v9YtQ*%`S#+_iM}
zw{umucs|W_yJk{XRC(gG-?lIQyN}z7+grwM+5GD8zt)#ec1BgPf8VWCde?H3`{Dcb
zpW~Kh{q_r;xp49OUtcyX{_RpZ@lVBe>zjSQ#g4_SyUgC*^~$O(w$6W*uG-lp%lEJJ
zS$M71#Nf#+xm{OkTJEg*P`+$QlSa_hQj5GFcT>8TWL+%pIVxWLxIw+ddv|Q^zMAgP
zb9tppQxjga)t|XoxF{yHWY6riU-w;nud-AxB&6+pnAVPBM=iUc_iyY!d44|{cfH`u
z+Set~bEDSTUNy6LTekDoy_J*R+g8@uTxE5dC33qyyzGf^U3tkWrJv{iy8Fe;miby+
z&C+_Q`pmO_<NWA*LF?lxPhBgV+IL33dWHJ#ue+~)6~F21e#+pYV!h+t@|q3vr+bCm
z^gC?gVi5W@y{$b~?)cB(TdCj6J^!CQr**k<d-W;%nvYY;mPehxrgF!0b?x@sj$L{6
z?zNFW_P9Sy-1)`!Ns>)|m}ZImH{X8WWqWp9yVBE;y#9>Zm7cW2_t~S~ubYv1Ln`=h
zqjqbi*8VwtF$pn^3Ek6w-F;ZVedS}|)v~WEPur~${+V~rEr&m6`@V>!+4G*Q7ufn!
zss8ZOoi*DYEA5=E?3vkp<vqXqEv~50o9gdWO=nd-|0q^8z3}xb&eE%bwV{EsYY*8>
zKeI&4zFxc1uJf2oxUzBRG3yd*&xQVX7e0}Hwb#l-PRmwS{i!vt?&FiblUIDt`5m|I
zR@YnJg89meOt-YCotS9<ba(Ib<v*%_^6%%bt($iBz}g-6dQM#3QSfoD(a(d$haYaM
z-@NhD+rEce%FU9bW-Z(GZ;$<@8kOG>-+ANTtDg+biFZs%Ia+&cLu{eVp5~Zmo^vOa
z9DiJWUMSD7Qtf2njel-O>bEo$F5CIFcixnC{U6aD-@o7AvW2(*XzAI>mrFj1RWGh}
zIC?KfH>S_`Lh;Nn8F~I?X1!e;rjGJz)%*NfX8Q&+zn8W7mw4Yu+#}@u{X><_R$9gr
zA5DLjWWRaO(w$XO?X%{kzGIUA{iz~wtK;%VVawZNf3K|mwa|C*q+(Z-n%9vhXBlN0
zc27F^_2KD>mTB+$?>{g;b}#F~tM2&ea~99d2@0(AQ2#sQ-ewW;>$8l`-n3WAyS8V4
zd7f&zW$`(V@GmRfZ^b?@dGbgxx5Kljf6c0XIY0I5D%I?F-QNY@>)7`*wfmnnbIfv?
zoskpXUzM$VUL4)toxS~1*~xQCSEbvOtL(N^cRzV}t6l#rv--DHU!RMwC^|L!*9lo$
z!80Ov!vxE(&(WD5qc1-<tUTs-+d3cbTR&88pXQDA*>&5_@b&8cOQBv@w|uMdxa`s|
z7L&Ht!0r8mRUXZIjke5o=X*C@`$m>knaUk!uMd97(OQ=;cu&c&dni$DWi4%Z_UL3+
zYvsHL?<Ahw(M|spqxyPkUzXNUnf4{t^J?a(rFDB6TjpA?2-;h0dU3})rrb-KS6;oE
zyv*NPk6(S)#3w!u@3yX=zxvM3`&Y!n{H`?az3R)dSiQ+JcUBAYl_zEy>fuF6N=I2Y
zrOZ$XdVZ|Wf62}p=XLTk*UdY(Q10I&jk~Eu`}$V&&nca}OiuJn#qo)E6_ah(WG>?S
z5%IaO^5e<wm0gi<R9@aIelN*0b*k0cZC+b9ckJ$)*7t$eEW3P@tzKZIhxXqW+Db={
zZoO9LAN={hUhcIi|KjW4=kMITX#a9W*1Z`oeQ!?r{pjX9yYNp^H8$r=_Aaluyk~!W
zoMgG8t5(MT$4SSJzn9X!s#UpjCSO88rf6nwdT#u@?juW8WoLak=383y;M4ElnI{)4
z-@j(xVb@o!%IV93B`4llx-VK)-?Xl#?#9C}Jl5x4iJYE!?D?X->F##<uS<D(tJ}^^
zcwLa{<J@<qZ0p0rFYe~NTXvYCKW!F^Is40ZZ-OqnTy1k+oiJ;O^}m2+o)bLJXC}>>
z96tH1!l#)1x4s>HuAa53t8Cg!zuh*RUi-XKWhB%>Me8TnF4s;Lt<zSS;cmctcAH{j
z=A?K9?d)0eBkx^`v0dxztNre=nfq};(OlsRabK9z+pW&5VoCk|(6_kF-1k$G*wyN?
ze@n8;L;p@^u5Etz@ZswBdnX<-ImfchQ~fW?GS7;_wWgP2{`jYLX3o-j9{xv?(Rq3Q
zC*!k=&bd!?a_<k{BsFJs`r==A4%G^7G2C}sz%%#N>?+ag6L&qZD8E)_dF7z#&)&Gu
zkjh)mlZ;k&pVC>Es&-;x)S5Rt*5%lT%bfh%`s#;g?8m^{U#H~i-w&M}C7O5ZGT+iv
zU*j7w+cv*)b}xA^86NY;@T!s}(^CF)sVdJmeU|4=U)i8pb^c!1>3$cr!X3Y@?DFKw
zmhasxsLFHv+lL9O=D+1G`oCq;GS6L)GiRw~s=X|{QTO0Y!Jf=@{5ST!;N$PP9Je*;
z^U)pJHE((x*BQOwU*)7a({@83r{DLDwyu3UE*aH??Ov04!l)*=)0*|&=lN#y%a`qN
z2)khdDLA6qZ#}PC9}^l`yrtu``c8jcyH)FN``=nTZ~nXgXYOr2t^Skm{F9?PuiCcy
zsa`L4|2ogrNBDAe*|`(u?u$N6aQn3}+@-5Ko7b*)*=uDrtFWg#(<d`8Gn%?;+0RcK
z>Thi~c(#B!X_Zx;gHGo9D*~B<;_`n#d@`}jefMv()zq%}a%PqVi?(>=zL1!;WdAQa
ze|D#zE0ew~Tks|2^mh}}a(me-UjE}J%jIj|3;CWZu6=NL*5YN}g-i=(>v5H?DV}@O
z_4eWKZJwV!xq|~si|3zyFSoC1SKj|`_g8*-F191oZ$*br`(5uW|M2#_<zB!49r&=L
ze#idDEn!<@4}M>@+1&J)*z)_vPj}YbTJS6OhKZr4s`1$`Kg_>YcV8)${bJX#<?Xo{
z+S%uLm+tx0zTaZk-WxZH?!NzcG^STBi22=}`1)yny2bou^EH<H%J|>1mR{QOa@*sQ
zE5B^seo=@tS|#$^ce?np@GB;s<$u)cXUD0ox3e~xS=H@n{PLyk(y%EnXUD#aUUFyN
z<>_r{EIT}6m#x|ov()*^cAMP%_xI<0h%4F?y?=K`^_3OP?X$B!ww`{w`+Xtro^l6Q
zt>cMx^E?7CPTbu0k@Y-pcz2`B?WaD@*<z&^51!Y*{PF0^)AMEYwbGW~P~GnkcFn|o
z`<|uSt7f(T`m{UscD=aVxrL?gzTID`JXeX|Uim=DIbZ)@PtU*P>A3tZ<hS(Q1vTaW
zzwLFq{r&Pg>37}pWz?q|Tvtm=XSpy_;czhbyoW0)c`sIaDA!trx^MjNa(s(=>dx5i
zWtHAm(z2_+ww!(aFmw8wCw`AD|EZ~7{c-%u(f+>G<)2oE?316F{X+81iu&fc>bp{k
zo=-U~HtUOLIOqAZUwuCZC%-iD-FoeY;gp15JD-1Hv|4TS<wH|qaAt_NMx|ZnrM?ZD
zEw^i*5c7Z8)xG6U3G@G_{3RvRr~gaJPJGd`QO88|_mSOhLDN5$FEig~Sh#t`%PW^A
zyL%m;?&uTb>FeBg=KJ#>%8NB7O_#EJ5>=u3>dQmEy|bRR-1BumZ@YM=O=Q@aG^1A?
zOLuNI^qL`KS8G!ebmHHpZ&8VtRc;p+&9AuU(=Bkl!EfWyl$k2LPxX7U>cYMkPFCD>
zbYr)#)w_TR>rXA_O3c|>y3cQK?C+leA&e4s=lwUUrANjdu4>A+s9SeC`iOjV^TM2)
zX1uxv%<^)YkM&l+*y~r;xMo9UU0S7g{#O%z)46*VcZi7Yt2L<nKhbA#kZk($shgj#
zc=NXJ!%Oe5GmFljsAfOyq`v*-5k}GL<_@P<eS1<}8hYoX)+(OAMv7+qr<cDko@?hJ
z{vi65=jpe%jL**eb+n|;ZL`sN+u5_^ihXy>uads_eEDjXU$K+YYpUKHb9%Hk#(xXf
z>?=1`{VAwDI9F-%WbTvSv>(3Te8+s*V>P$sK3W$i{n>MGOMk(p_!T>aWj40okNkJ#
zclhtl#Ln_LIltQM-+r2@F?stRPa}W6R`o)~o>vzx)IIWxNH`|+M=Dt{GSh$S^~s%^
z=YC<Tv}w0}`)S&}SEuD(h2B^%&3XRfC&_OrJ6j^nb?Sqr`OXg!G;B@zs=sb(WwyiP
z*Pm~l*}r^VQCqsDvH*Yef5SV8dbexul*zU;eLP(^&G?>wv%{Km&7WROnf8{;N~Jm7
zUO53YL=-W#fPZ&;zRm*+1u)-1K>#x10~r*84;ak~?bs+?Trc~f_O9W_)XyuPUb!&;
z-|P0i?#cJ-%xh0qi@UOeMww>Km%d;7Klrh_pVEvUKh_(sdu@Ma(H8{)4i=x!FAAT%
ziEujZ;(mSU{)G&RU@?u4t#5yAn)PteX6{Xn3IZH6o+&Q=y-EF^#{8P9wM$EN64PgW
zzI8va2Q<{R%+ow3x!kYz&;5^9KVLWW*Hr&&vOYM&x10MYN27znyt>O3%Y^K=94>zS
zQ0|%Ghqd~N`ZuTM*Qwn9_w&x#miza1Shi1UaZnI=eaqysE~tm!7B}&AacxB8vHg)9
z`x=ie;M==$>Astym6|6cH&3e#Z?AbDc-hi_*6mksenrnxHo5rm?*kq$A*M!$HTjoY
z;*-zKYOBpP{{2k;*RJ<>cYW8ZyfgW7ZM;MX*SDj$?C;8F8?P#R?ejb)`SF|Q*8TI!
zmTg`8Y?}NdS0^c}!`J_+{JZkU+39l3t9eeIP6`4Y%P*UJnff5>v+F<C=y|8pt@W(L
zGZwo?FR81yxWsm8)hVGp-dc_-BAkUh-*d0WFB8(caLK9->>dB*nakFfU!T76Np-3F
zy`OikJ(PMJ&vvIaC4J&6-ot{n^0)T7e%j7{>E^ZixrIv$I{#*uAIkq<bh8<vdu8T}
z`E|#S_VwR44O<oZsmQo?`?nN!!`^EZ*S<a7=@H}Q&9*XHx8Bo)an_Ls_4nPtt}V@#
zsy{6ldhvGPGR>zxo559m<*ffTpQQJ$TJdR1yG}xo_|!<b)K4GF@BbIk7dl>kIfnh#
zhmQY6`Aj!^{2!Etf`%^7rCWaAyT5+-ts9TNR4=oc?k^p(|M6{;FP|?>*1aFhyW{t4
z?ef)MbHDs|p8x8}?*4t{nYTV)u08*?kw3d{mfptGUrOiLy)II}f8mPmv0q0|2u=KB
zP^P|zVdJ?;`M2Lb)^G#a@vq*$__1{G(pi3~|K@sy)_(F>+4bIbcG1mOtGYzq=scgB
zI`w^>@fqH$KbGl7^<BPs{)u*LRQ4N*U9R@~|M=bfc4?Vi{He6FSLa`vfB(;Xd0s)w
zg%XMa97lec^Gd&yzMTBH^ViB{%Z{(}-<^N7_TA_Hoy(3dTVx;e;Z9VY^GUaVkDD_%
zQ^BcI?y}9fAFmtCw<i0U{`>wlaE}E8B*O?Mn?H-%@Ac<hLtppg3P~v@&@ipG@H*+@
zzW2-Y<9<bZzmB*b|L@!1tMl{v&M&?L&P<^3UJl3zuK{HA7nO%9_}Zv$RwHC!c$Q(c
zI>Tj<8A+njCWv8Vtv<!IGb_%jn1S|{Y-mDW-3VF>3EFdl7^G%EU+@Uh1ll9Q;E^^f
z|6kQ|m&d=(nmyOv?<?@6_>*oVTRT4k!-2&!+BBZr=UT5?;!`pq_0mM%%lVquuWYX_
zSi#7^u#D63miFnaHttPNie8@ImVHE0+Nk)fu*J1(vGU1otG4j47N{^V^q)34X?0ep
zY_aa-J=eo@rie^`!ku#Lh-hR(qEOvAm7jBdYyJJpeMC>zV^h(Cg+i&thUabWEW3R3
z+N8aHWdfJ(uXKoVFSs&A|3-|xK*X+Qo^|{T2ef9YwMK1wX5Fj4JY=bTi+$v?w4H&T
zt2fN{<yshWUq182mJF3k&0?F~)I?I!IF4N6x}C9N*5@+m?(G-S0^FvlY+sal;(X|=
z*sHTuUbQV-mHQ^#Y2~d)OTIqva6agkSsK2=Yf1g7FMAILb_d0*FqWCpz1hgvtmDY;
z9@}-=%YyQX7tIMeeW6A}-~4UW(vS^}u{rL!-QC`&(sidkxe~(}deiT)nP=n7>;pfo
zdQ~kC`OM-itgD=C>{$Ay{KM{TioqI}XUJ~W+-{n!>h7HVWWP`cH{We{_SvUC|7c!d
z5cja}p!1t4%TF(O6g+vF8PAWO#ftX=^UXfY6c@jCN$>0d(Z6CFC-??T(AC_2S!d_%
zEKwoB?O&S?ug%+1%D~Wn*2KlQey5N2S?}q8U(P(1dP{AR)SNAk!a9$zA9k9tb(M#z
zM^0htmB-Rq*Pe15d9^JvPSmNeabflq>({bdLURQ<y`%T8$voxxcSm66t_Pp0V%{GA
z#2R_Zjej?1<gy<O^FL)c*R{D^KYU^Kmmc0pNx|Zt^;=duDxMQb@$5buekY~)+b^bt
zD-Im`_RNs)uh_(h)R#LgU(YWwndZehyJYT`xNoNKggE(2T74d0$UiqlYGvl1vr-EU
z;_sV2{QjFwM>VN2<bA}Z>-)rdBNSHWN`Cxldv02@(ZOR~-)4r~-lS!0yy@vLv*ovq
z4KH|vofFBKB7MX5t%+tU)6B#P`ISqy2m3kC^N4XWd-8eLo2yU$i^kTydypgG$$x__
z@7J9^wXer~J|?aT+F!nCx!*KLBjcB!CqJ&Z?Bv&Y=*@>;>38oQYsv}q*vP=J!D?CM
z>b#`?jnXmhH(R^w)$i-+{qwJU+PlT)v5D8_Prk~I`<leUxBNc5OpwzndZvf1-lSO`
zrN_R=Oi6iS+S6uTu&XqQaW+%-tR}bk6@>|!Cnkk_Z+o*T@Ve*aSq9==M{=B7%Gh(c
z%GnLyMiqu^66~H3!`U)tV?<ii)tgGLll5COGfMR@mVR2>-YGYG?Pby1t7a~#T+J0-
zy3c#RbLI>Gt-7m&RMx!clIiuGX=$ohYgkq~ZN&|<-vZWGy<#GgzP8;8Uz@Uf*0;)k
z4qsb7U9EJ`xpDPL?|a+V>qUdN7oIj;ES_^MuV*78L)cl9%GT>ArmKAUIyt^P=<J={
z-xoZ3a5h79sYlfUH!Y1VJAQJV_tUzTG+RGOYOU=hbJfSQ?B-}Ky2at6y)ymkS)OdE
zz>TI?c%NnlO}MqkdR5x~11##Zxi&4i`nNDNJ!h@d-mi^TD;2zQYHDjYXt!oIO<wzS
zwrf-G&!g<Uy=BYI_oc7&RzDLImHw#D?Ne^yvQC*^U8TC{n&iIwA5F@$I!ppuE;UV>
zl%!YY!FuGHUe+v)K-SJHtkyy^)gEN&Oyuz3niVy9Yxb4?Y!-$Mr*frUPrv-|{QG;g
z0i_u=p3|c)wai?%s<-5i!-S*m$J%^?jCTdkPMfWve$3>JY;D%%4WZk9I85K|DY;JX
zvgujFl?l-?Z|fD7X1<ue*;zbinUrs%i^`2f(N>MWomvf6t2Aa#%Fj;qbvB!#sA*_o
zX4<xRW$B6e+cIxFeph-!x_9fVTp`D@eGALQu5&UZi26D&+S+?<)^}$964Q4-4$e+_
z`RlgHA)TEoZ(Ew2INq?;X^w0Dy2-QKUak>vpXInkeYst`^iq%1SqrX5DG5wpQQonn
zw5IOTnkj#`2{mq5qMFlMS-o?H^xGM|YyW2Ui$(u7c3wN}*t-CAxy%)v#@y3<9_-6J
z$!ofHhniEhv-584quau6n8d9PQn<3^$Vxrm%N4(K(`Fx*zqT+)MPuW_L}rGF*vk`s
zJl;Le>+ac>%Pf;rUT>au<Z1w;yXngHD+4FZR6D^VwKQ^4Quk$f4x@Q`wF^B?m^KH^
zYU``y@ciwW#*wOi*30t6`&GB5%v`+nqTQmOon=;4>oY&HIqNd_UNt>^#{bI<?<3Mb
z%y|FS1h-!GEPhme;V1X2XE&GrUMIv|E>Z1a)wBNi5|Om&5w@D!wjNr>dG5w(^R#Cf
zIVHE`GV3BsSywH)I0du`N%E%D>nA$G3g1-BSvF<u?q1{T=eSkJI7^G2fnm*r%&-UF
zO(q{<Nh*DPDQ<eBRgmv>K9)(d)K2(q)V*=SZ{uBsQ-K@5e%-X}VV%5|aocjQ<<Xjx
zPn8@wc3wTsNcm>=`e$h&mwz4+Jv!TI>;FBQ4NaP7`Z2BBs6K<`&08Z4)i*iMd=4%X
za$dnZB_&!rSIX+Qj)`ZKz)1(L%Pje~t_aQ2E_-z_r(e^gclI2n)E6QQ3<tPorMb=*
z{E%T#*MI)EK&)AbSn0Z#7mW{}`LXAoi+#_>Uwe!@^Ikl!jmz^ZSXKL>(sr}Yt=myQ
zn=Kv}tDka6V%i+num8#0|I_m)E#iCA7#c#2&YrUS{>JdiioD%^S|MhBk8+q84p<rb
z7RcJ3o;g=^n&JXyYYA@#hK8>xvr1e3FFXCVHI)JT&QnB#05NO5q0D!4-aJ7D28ION
zS#26B`n}KRJ+*!LeBRI4KE~zxAIllze<${y+}P*O^SF@DLhX@Uoq_eO_Y$=|{NdmF
zEZAZ;A8a_i=Hk{nN4_#KL?~Wfb7u1#_gSk<zIxwx-?`|BotgczX>u!0i%-8HWOKg$
z?}jIe{}r2$?Xyk1+F5llD%$njv|D~QcO@A%C@qU@{C-(rS80;tzRV|_GujHTcprUp
z`uH{D?6W3cR2`x``R;YGF+>PnUJ`KnTFvs0Po}K;(w=(%-JU&}5^bKBo+UgJzM96k
z$;oQj$E{O3mX`LpoMgM~SvK?h<n(IGNh&Amgy)}s>T7&n#k%Uu;TpM=Aepx}%CGTC
zeJo>RIPhv#TgEf}>6x<SFE{;vKI7Q!T%CJL&+bLejJ{|h@^Zq*QYr7EO*g|s^Ukc_
zwCjgf!KHQKUaW7j^;#=Mdl!CZRx#tPm0cbpFLri;VR>@ry%5FJ$)b6kRjbn`r8L*I
zTYd@i-Lz-r{P=m28$)xG?=R6@kiY27lH6sTZcA0JpO9yH)}-ftXur&?x}}qz%(}5&
zV*1wwF>{W-yZ%h*Z!2dWXZhlwIpGVhpJI`AIeIqb^_dmE)3u*%kB-$k?U6I<%pK;h
zuXNvJdv5-G`mnpEh4qz)gKOt0PSJX`YtO>cySZDrIy>q;Up%~4uzb<}`-`S^Dxdy5
zdq&3kheh6Ho448M8$WxyBHCpquU?E9L&H>)v(cr(zxnSxusWp|^T+yUS>ea}Q`-49
zyE5IRxLO`DIbUB<e$6^#^(`f#Y1^utP1h?#=k0j#>AVk*NoLWeC0F+@5i6a!t@DW1
z>4x^iv^l-1lX`TIEp!OFY>+G3q~q(o<L9Fl=WkBX)Z6%FN6o#7dWZE2kEzA-|22!;
z<a6HfQ+@32>}&5!qqbh^>D_g%a^0k}BH204_agV7j?)$9^v+4S?94VZVfN9pc{@Kh
zs5DzOn@--pH9}+MyEN;$S}ILvMZ?<r--Ivs)I2juQikVxmf~set<%1((_S36?Xtf@
zn8a>3+kF?;wLR*cdD3UHqNZW_?mcqh%L6q<PVh9pVS6k3NGGy%_Gx?j*ZTry&sGg9
zw%nPi$R3keR`GZ9yS!w_Z7U9(S#>BiFy*s))8CkwoaA_>+-ck`Kd<KcZEv5`+9l&S
zCG&(`SO=@B8P7EahOjd@Dp=bknK!Cz)+d_$DX%d6Ru`F7;AVA@?^L(0p4IJD-%q{p
z$*8mz^z1BETbX%h$)Y<U(kmBqW^VeV{JvH$^Mq)}>9;<gQfhm>wCwj8eYJ{OQ+DfB
z(wnTrw8qx_z8`bTvNt#9?b>gq?wzUnKY3k<XUb7kqlInjPM5rFdDK<5X|AWY<Fp-n
zbZs^nUEJZVa^-?dz~!7PUt4CW%-!goc4f->nQi-2Z=F8Ib9koP#V6faDJjon7VBE1
zUAibdbM-T$r=2^_d-5H<;&#XU%nR1pTW7y>J)h`#Y}<!tFDe(ZPxjvM%u7RdeyC*b
ztOpYU)h2vg#?H_%HS==B{yBX0b>H7LuX29uz3YnHB@^LiP7`;iWeK!qhNgF3Im?sF
zlG1tVZRey<yQ6%pzUo!x#qBGZY~j4XCs8U&G_P|N*Yp``1xvG%(;6$4TsQq&ck9j@
zpM`6d>^XPo(tGZ!JI^$D>WOp|mxYFy->AxKvwyehmPXii!w}2pSL|%PK}s`zK5&>j
z<@(iDF2&`GcE}v-JMu%SyyFP_`WA8STI=l4jj~B9C!)%ypW#TjWxA+9`S9)AORi57
z$vJ&~>d7OKE)s7F`F418`zlNk%gFM*wl1*#hs%U*6Zh;`(!zaI%uw{UPPJ9kVP*4;
zk4-)*u`@Kx&zBNfo4bW+pM1rF)rH6T@7Zk0+}2r?<ddu(DlNP8!)>A2Y7ds&jqytM
zUSIs>*^w2Y$|t;1r7npG<gAnT$eWdQ&gA6erz%%6H^0!HV(Apvr)CsAYv!IyNrqu7
zQx55L9y-JO#^7z##vcXY=M6RQ>fchEFy;1Kmla3Dwmm&KGfhpaz0=n?QEi!}Oum%f
z?HrcJ&*x2C+s&etB~>5Y8lj<`|3*rpaA$tp#pkJRvgyZOZ!nk2zIt1w=}nFEd!2Nt
zhka4S$-&7MIehPJzSeSG*0J5g04k&vKOQf)ow{o_=W<S)ocEG%U+6z!GmH53x_HOL
zwg%_@kyE4#nT)U8Nq9GlqtC=+^N)oc0p{Uamw&8PW!kvTcxGl^6xWV>n^R7*#k>{s
zuFj}jw%yEK;p*h0YP+R$*E)X=jE%neC+yEz)uyvvN7FJ(^>3%FoZRWHEpoG{u21Y{
z(zGR7M&>u%U*~PxDV!};m14B0&*#(5^o@JdH~DPqJz<&`wYchh1*E;BY_iGeH``4!
z0nsH1?pHb=2&<$k21h;bnc*gxJgZSEvuP^>!-GWM%|-i{PYjJO=-qY5@L_t>nFWEf
zR5iC*{B2Zt{PL1`SIh2McOLF4P429maHr7t9rxFrPM0iZ@K)t?=>)#psQ3NMn%jx1
zCv_UJoO1IIy3E4<dTC_Q=aea#EJ`mM!)|3iDUbA4l@yZw`!n%UinB56o;MMG$(<9t
z&n9c16BCtKx8tSE#?EP6nH5P)*0*&h`^h96iaygL#q@FOlu62gxBaZ|q_wY++UO8<
z_w13~En8=~+<o%JxTk!B=U&a9Jq>3?uN{nRn<=|t3J0rE-XhsThhuKOi!VR_zRSwj
z>tmbGy4EA-MK<hy@nYig)w5=F{`KX#eBRF?qu_#O*5`HKq?R7?P}ky_7}gz;`Rco2
z<IRg<b4|3X=Cqj=E|QL8VEE9nEOKT#i@@a^4qk(TgQk2pJh!t--}Kxr?P95w?0-YF
zv2)ttB17xF7Ru4f)Xb8y9|W#;(@L=yc^-Z>!=p6j?)*C@Ik!7zyNRy)zLcwX((IHu
z8v{>%lU?d%R<U_&*6bPQH(MC>-l$$UZ@%^(#b5#3=vl8jtpu{RvB+GVZM1lq*@nx@
zynkk1E{Qg?JGdi^+c@RolY+?$RZnH*PBQb|=25sKZsSB>UGG(V=g)mBds*(`<i2&^
zssNRMBKGuc$3rF^eycfmhm75Wp50Sz1#^xav3_;i(w05u8rRH*yS@+2Vt@9nFzda)
zPRx7Nu8+5U84jE`JDXhjPV({hAA2~{PaAEH>p#DLOWRWUWj`l-Zg<sF@$GWRc`xZ(
zHqFyIGVR!NwbSY+zO`Kc?GgHR&-vL32U~W}KbG`{@yqe&{j(Q|@!!0BveSiq&fUd7
zLSM9OUn;+A_LM_=E;O<-G|W$)^`NSLn(<?kC!Qj{!iLKj?S<Fxt(n~Ow^f*dVNFZs
zHCw&eRh#FWb8pBDYwL8I>XTS_$e4j)hT1Q=J5Qe-tCR@o*S_Favb)BD3wEdoXp8GI
z&}k#!rkw$3fCp_g<AKF9)9M;${wl0GV>?yn#P*b#>NE0>J(lU%lk_Rw2-K$gy2yZm
z;lN`f-oO)QPevDWcWZ_z-=CBkbTVzpO0UI%)7{)#Z*ENb>G$W?H236}ua7b?Fs#{>
z=~1n^HSN$QMQ^pgv-Zt*TV#=AB60ZQ1tTWV7?h7NPv6evmtrihPU^hBQ?hZU|0f%x
zHqSq04L6P|FXJ>gDeSfF?G0bh@YRQsnQ3J!HY$am**C*mBlJpX<zfA~G8;p4CtoNp
z;Cvx{$;z2o{a;;olv<yTyjky(CBGKTsXaQ=V@;2ad`e8%zt27gLCvMk58L+MJ@!a9
zCn$2#ovvky^>Z?x%~e}!vV2LVNdHq7hKABCseh@5bM^lJS@YW|H*Z?R-7}#d!&jMi
z7H!$4cz#X!k#+ha+*98~&yN*z-L~Vv1=Ck^OUtFXHyyq6+oUtIBcUies$H!%uYGOJ
zW{-$lr}ido+UulrBPOx*#~)+ixoS%dyweIc+>^-E5cuR-$(|b;?X<eZ_wWv>sb750
z*cxj{FfeS;^VzHztTFLf&LidRef#R?%`Exi@~mg4PvxRH$tCj|_D3q8xVEKb^^b#X
zj}F}`tKaZ^gGzGr;fxhqFBJzI+Iw;4EVrQB!dd(muWt5Q^Q0SEoqu}u^jNIY!ei$)
zyiR-4I+@ETQM_nbW>JKxOW>|DelJ!AhBdRzdbjL3d9QL|H@|xP@9OH=Uv5om%Kf?1
zXr_g>@$$A=X)FA+IwVxjwCpr6c2?5Y(|qW((RI#2zVkYB1r07un5}ws@)W%gj?Gi9
zt<XH}>^3u@yHLYnl2B*%qO|>nYhUS1+%+@Nce3U^6~P=1(+!~HA$(com2LKF0q)eN
zy|K*7df(4#|FXGf!hF(K`A%SVUQQNI``L%R^Q)hAnfiu&zn*c!<hF~Y;j)dwmqprr
zCT|RkTsJArL+jSZ!%_?k5$BgB-ZE8k^vn)<FPSg3f33@e*o$`ZQ5P<!nr-DfYy389
zV?z5;+39~S-P;_-dw<H#OwiCvX)F7e+OVk}0k>Z98_g9>a!d>f`uo)qG-&kN_H>BJ
z&!*3Odwo<wZr))O;bCBi*q#fj8&HeUj}NuiXuo+X?Rx2OnR(%np3NIWoMu}zDqN1&
z7wr(`<+F0ly>~TkafrmrA9mKt4Ser+KbL&AZ0{_IMMsWpbF0x^S`xDVubT7oosp(V
zjazoj?rN7b@!G6%RBZWtmDi9;=7uNx#p3gBI;>8Cj?Kcs=NT9h_Rdm!@%GaD2^T7l
zNxN9C`nAewqQlK2U&AlnJTu$%PWU6)uWu*U7@xQs6}=&FisFLJ(+<zSe9t(tHBNc)
z=0)ZyT-&d@xqbS}SG>~agx-9`bL%(lJansI`$o@?(dOR@r2GEb_TCOtIy33z?}wnk
zHNCv%j4@Ntp^DmjGmnJswEr01bKiJkh3NkCuYJG#+;jf*Oy4i8o~NFFeSC$P;lO0$
zv!`sn^Dr=gMvxy=RZKGm^+0o_Kx5C~VhEJ^kq<orl~15t&VVSNHUusE`D}f;m&v;O
zImP=v-DYvLQ@=kcwcrN>1A|RhW{1<iwI8CKj=Qi&rum*cX8lN_;9>7f28IoCKF+YA
zXQQq4=KqzRH^t6+#rEy4@gMPTSxb-E%t#O|&tCg$f$q1bvwi%Vm)&{e@pI1B$X~~d
z*UF}gFfd$e%$!s@OZAPL_rxz5i-R;Kh{$AQY`MASSyZb^@Q%|)r}myJT6TKDMbo1E
z^^!ROCrrZr<(eE+Y}WaeI!m!Th07~CQHp_~!pmo}lWz3qxyL34uev0EXugW?jpSes
z*PY8&Ob_ofd6L$7^=zSR%-^k#bawuHc4}r@qQstgk_-&j7H4*({VSST_2^RS|4qw2
znrX5|s$QEZA<1(?=USZn>xIi6^?unq?X9TL!U_9Wf+y%slPlKApVhE8Yw?mjx+-%|
zs<Ha2r_74oTD5e_zE)%Jpn@Ck+VU9~65h^!wsu$NU-rBL*;H}8e{*Yg@AzT=bgKC@
z)3Xk}Cdu7}8j-Q~;5_l2ZKmY>-M#zRZ(TUQpMA1v@4CCzujg|fcUf$dBvm?X#SY7q
zS+l1xG5WS|4s@Hg=FY2vYPGgoS;ei3m`=0!889%c$-MkTG)_5w(uM2(b$2~Yi{IaC
z?rJt)96Ckk?m6a1J$u;d66%j#&D_3y^Tn56TxYil-LH0&QZ1a=mg&OOYx{-ua;3wh
zjcXG{(j^!eu2sxF_UmcMkI%cy<wInp;x8?orgL}R;YmD^D}0@g|4F^18&nv!Y{R1L
z%F8xMv(?hv7~bwXz3znzyA%V%n!?KyGIAF;>wZU!wCy_kspn1Cw;7IqIExc!E%P+>
zo4hV_4X8?7BaAZYrDk(!g0_J8?HcX8Sw#z1+%S_i^Ua%d&-m7gQ_k-t85q`hUS4zI
zeP&uU-)WYcKd+wk(_i^-=FPy}fr{tOB&yFiIwS3ZhN#EtH+F5FhfN%(XGSjz$dsIw
zD6#(Xs;Ox?9Ww<3?!NjoIe%9#t5aa(%~oL^28Qg5CfeV77~=h#)xu?@u8Mn!9(U^J
z>@f2^ka<s0jl1CN+|+vi$M4Ox%r<dysj%J>$_$z9784b{)%Q%EpUT<|y^CJ+Ffd$O
zmKpYIXL`?l<A>kQEc<ge^}_qFKWBc~e73^Yb9(xoKP{j`F|x0iINF?+WMDXuH5+v9
z7-IAX_jC|=o(P;xueE1B6Q8kCe);h`!6%z)yr)HSTOX*H!`#QomM+A=aBX5{hf|*4
zy;;!_J{zTePSe@ECTGuG->O{CgWLXqvSZtY<~c9Xvg6<Hr+UnuaGPD_f3Wc^1H*<s
zP)1&9Dm;xh(r7BP)KsU&B@Y~&7oSZty{@G)^H8kVKhJ;0v24BT3S0i#*M8r8%<AO&
zsV~+tf}+wUc9~?c|I(dBt5j{xS_7tJ7r8~*D)a7)Oe+2S=9234`sZmTJjUl$%zPUX
zFLbgoFzlDPTrqn}(;A`IK3~!|Gn;j9onCu?^YWDyi+%2&-xBW8;uLtS&Bt+D#HoFK
z#w#-=!cQmewCLW)?5i*_+<f<p4VfycSJ`*2cS%~h@pAWNE(V7E43~MXco=V!XrE;2
z>-7FkN?Of3v$+uy@?SiUkDqqL<jeuXl?lPEr5BE$`OW52q?pO(`)QeC)5*1&va`PI
zl->5}tWsj8b__EEga7_aEB+4SPf|Y`|4N20zkBbT+w#lexl&$Ld(-b7)Mj26aQ=3W
z??hF-{Q^e5S3dnq<IVMUG-Y7;aAo$g=NnX<#j-A6Fsz?h(j78qs^*#(RVJ4=%*{Xc
zNhmchZeNI+V2;4l+m)A(oZ(oo*fD4?bGjG<!@RP~JD|Bl@fT<DL*?0RFIP_FG|TkK
z?NhwoQhi~OfQn%+_cBI?hWNJ3jN48MdfR@69W!avzA6;hnA-He_?TGktQq$<hxHnG
zciuB*VEDm0L(SrLafI55bL;cUsyt7(&6M3LE&Aw;Oj%Q8PbOP$P~(<U?;bzX2)>-N
zCPT8Ycb8M)<>M@|%l7y@T-U~Ue$D@9qMO}jZFF3cms)W-M?hR+*PYKi#g`$&J_5W9
z41a`toIiXu$tXHn5@*D_Fr-lD%Z!GM%Pe!A$tG=LxPE8hvYQhmg>UXU=WyYDhQ_oD
zKQBl!c{=*8RkAj|{^XI5@`TVArbdjrHxxwY?q**u%D`}KTV~iRNk&D9{pp9^&h-7e
z+H3#y=joR`wSFem&A;9~KaYvwK$XE+E<12N7xDdk5gVxO=8IaDA@=@&GZ^%YKad)5
zJs5V%q{5AXfuSMP<m|5McQfxll_>aCpvTCNaCb%;>-?v0-sWA(_U795RQ%1Q5c8He
z$qkoE<OI0OOdrlQVPM#h=d(HJ{c_3N5H8k9P0YN#X0xxxte%j<RUYZa49W%vOth1v
z`h68ep3a&xG3|_pGpIdlBfUAIA#svP$&5<1v*(3ps%36sU|^Uhgq{J+O%@bgUKj3l
zQ#`fnh;>$Uj8BT8H|zgp=W=H5de~+ErS*PdV18o!Zq0N0=9AneU8*rYXL82HyEkag
z(S7yC>la<*e8|9XAUF%$U=n*AuxX#sv4!`QgjVa=ny3Gr+;=Q!Wy0ijlS8|1M=6P%
zS`|I_p5*-%d+owCv^MOBI1d`|@A5vWWw-tEy8DXf1fFbuU*2bSHs`tH%7o(9tA-E1
zTdfs+^8YJy0WSlC&D3RzTkGB84r_cr-n060UVi%G$#Yen<zM4yIpyY`@p5KZ={Apx
zPq^9UwCT>YH0|3U+t#y*$1~TzVNH<IiLR)lf%7Merc3!xR`QO?<6rChe@e*rM>@<5
z2QFvKf>t%gHx^7dxg>hYqcuK>uHv~LuXwU1@(0%R?shrU9P7A$t%bKpAnU?t^>dSE
zt2aBd%~aSm(PYL6lUS>VY#T!&gJKS~#^{{T*>>)c2{Xfi;0&qlk@F_TUX;6BY?`RY
zGxOPukPW)$OxSld85b^lxwdzP+qOBGdLbOFL8Z>Y$;m3W+%MF!F);Wq&V1ox+_>Y$
zGw%#g3s*rWlk>dzjP29AU0J7fCLCCJe~#wb;<oFOxhKxwSn)dLQJCkA>Ss#QQ$tD}
zbr~2wcpLZ@Y<s@JXTse0yKlZsnl&Gq3+E*B{aU(zbyjd%-!-#W>a%8M*lP&qT-mZA
z`PX8xoeI%;FTNSRNilAXn3A1x)HqrHzQ!cE4As>Ja_y0-o+io(hgJ!3r&#5w&E9^0
zk=~k&j}Jg$CuMy0l&$iC>z5Zie6BrNz)SSFQa@*cTh7zUq<7j2eUi&s+=FZ8x~1}2
z`&ue{2RVdsex31icW+nko#&U5)&|WvVB+Gz7rfF(<HQ*S#VIRw{p|gW7#P-=US9L1
z_&hXM?$9uP{JBcFR(QtOs+xa4@|jdje_38$Dx9Xd_M{w-!TZmCzy2`JiDv*GIJxd@
zx}`DSU%jOV-zoh|P}|MZx<&T!F-~x&Z<Z;iamrOuj~nSMIRZ~t^vsoLU}RvJkrvuw
z{P^>^$43|$Ak`wc_CqvM(K^v!HK44kYuC#LO8m*QL@N$0JHGCE#+9Xo3k}Q8>C9iQ
z*zHz$<K5Adj0_FSubOCoxYi)qel^8J!t;uF{<$+Z7A5}AH<^*coN05U{>rLg>0LWm
z@A^uuyd+e0^;yno#>l+8qI1j`7$WX3i(F{F@MGSFRYt6{uDQR<kT!kFZFZgi!?KT&
zQ<dJWoomP<q4toQX;Lj81H*&=`S1V5-`e%tuJ6C@&%_B00*)5;925U;xNt8b#gt{s
z(!ENLlEgbWO7ncQHTpDnW-Q=xQkcH|@Hf7e)fru9bz}FweR^f*t`n~&9i6elGt1;+
z@@LoLNivgv7yB)8>kXS5Y#h&jj^C{F<Jzg8pA?@n{3$&>EiBqkvn=lI{rpu^J*4YX
zzP(%Z?44Bp)S!5&zi(20^Lm}xs~WX%gGbQv_mcvrOsMYO>{Ph%(u6w2^!qE8MQQzM
zx#Quv|IJCA8TT^tMYW~&2Tv2}I1=Cg=)VNRgQ}@*lDUhHcrn*+Q~MF)spME|d+Pq{
zizm64{*ktPzpp**!h6a08lp9~Odj#Fm`m<IziPEW=hb6pey=hN^NmzodZk~V?a#S~
z?oS@G{hKj+>E<WG6MvLN-~aGri*d{UWQK;<p|h?$D~J^gH9u3J9((1A?$Sw<w)AdZ
zDU!QJ$osbL$}9iMv+bU}h`g{wY;wli7)ytLnj)*u&aTO9St_Odub7cxU3#WR!j#sK
z*DBLxRt2TY=T7mE-|K5=Z`P^m`}mBem$COW>!g)FE7y4Civ}&+u;=v2>B}1aGcYi$
zOU(@WSJ%2B#M<_b!`*j<OJ+>WS5=jr_L6Vqjzo*U8-%B&{jy%^u;|K{uixM1{atob
z!Hb!p;H~%Ms4J(rPOTQ16dkpWEydLNZou_>%d&iD7Hg^N^xj_}&~=r${l5eIQbvXy
z@0NO6?mp$xbT?S@OoptgkjR_4g(vlTqvJI-f~5B-{;NuTcVhO3dG`dL%<q?5r!6*h
zMeiM}Hr}&Rvr?}9<(tCBz_8S_aCyX%roB_SlGiP75v?lMa?cFvJ{HyK@u73YsS|4}
z{y6)pvMvdFy36&S@!G$osZ$zupNdrZ6S7j0JHeNkVFLS7%l7LW7V$YJ-gCeC%lj<t
z!2A2<Z;hPUjjr1=GdRRec_tGFs#YJ&xU}R$)Hw!*58=~6jnt)#3=AL#Fu)iApe`jy
zBtYs!;@rNd+}HnqzWjUO!Jd8PWgl9LYmzF@ZJg+l^SGUvL4)^C<mb=Q_Ftks6ZrD=
z+hSI)p8Z3R(LruH+j_x*mvR5zJDoe0l5hY2(P4frhEJPJ!he;XpK;(#bhq^n^Z)Tb
zzZV~OH=cY?tv>FUz9GYt_{?)}x6b)HZQpyTRa&R=Pl|5U{Uw;M=6$AR+o~w*x@}Pv
zUpFzGT-+JF<fP%1%RiPnmF<oRySu<Js(jy?;};gJFs?ZF`nkjw2~*xvU&1rZBbwga
zoS*gU`qjg(mA~w_DSmc3*PJPrFR}kP!-Vvumh-<a|2XrNiqghCD^Dj#8N9f?da0Aw
z#pC<ad6F+)zxsOl`LbybOO__4?LO7|=+dpey2HiE@!^NpE^^9ztsyVnzccjji4wb|
zg|nr+xHMi)pSx>cU2J<)l!{j1>^tdItG0f9QUCwL?}u}4<h*`z&pi3woaZ?os(Bc$
zZ#3zfSHyTV;a=>H4d>R~Rx14aVPgAj3AN*~Zx%)uPiwP$6gl(ZE~SfW=k5LO!p&#e
z(dxd>Q)+YNmxB&%mY?iyg+zx`cqiYiWk|kwPwPhY=2ybD|NHFUl$=|fvVZU6dr#gT
z7c4(l{gQW%F>}M~@L7?$D;Mm@RLOq$Xug3|+uD@=6FjB?M}5<#wWNHxxO~#BdH;^x
z{_{JnYw6ai?6m18tIp_74QcfF;F;*THEi*;X*JeWJ4_C4|8?uqndkRjN_>@<NV*&n
ztuX23CNaI)ewz<kyi-1(|8|mh$}XScCb8PLy-x2cSA4R{y)E0>RPBF0`Pk`4<{GU@
zUm51sMxR)qBN8UP^W476_q4*Ye%(qDdiS$cs5MQg<V=6br{_<F=Pf*WFJ>M8k5IOT
z?C@DrV)cc)kBH{hCeLG5*PZd)E3wfkc9zvfkAO8VeqDU|-SX`HsodNmwfnwIS`nn7
zS8tM1`rGF5UtU$Gi5u#EBxKI{W$ik}$N1HU_B+W@k%FPAJa6QcOg?Q5QP5la*68f7
z@8(Tgv+_i|w$@}e9WFhp^ve71kE8>+vU%$lu)HiifAMkZ?7XQQr>bPyoquco|8{lS
zxk>&mNtMqJSohZ#Zh9@Js$u)%LC!MqbB7fbxn<|;J8fgUTyyTypHF41`%f_x{Pl9~
zN;2Q7y~HVRVL;T?OZM-Qi>A3<+djGd=-jRXNr9<b{ET*cx4b%Zc&TLmM2@`o@3zkT
zn6G-M`Y-!*)0~8u>jmA9uDg9=>&<-L)v)Fg%g)M8LQb~=HiXZTd2Fb--~K@UooKKA
z8edMWU;J~X7QWVE4Y};G%j8f{Z)v(<+LQg?7x$Mw<>Acq`E_q)e2t~NK}y_#^+pUa
z$1kODJ=i+qYi_7H7pv>k*grda{w~#AWAsMG_tV$=niEX=miAYPUYj+emVGhbv}21W
zce6}7rM1*(@7<k_snZ18H!2=q5qLSklhal8tJ?p6m(FB)wVH3)ynFr+z1=33#~%AR
zPOO>a8?o~9GLMHWMSmMF74&Q7NvCh#HT7TSj4My7<t=uZ=(oij-;(mhe%_q#e*brM
z#iugtC|jEN!olG8E2Cq#N~5RPl@|6b6%60<^4G85W#)@h@6T$Bu6bjv`N({w=E5y^
zi&mH{U9Q19U$4$vKYqswlioMo?1yzr@;?8xOwH_z-@4~)DWl0vvFT0Vq!cD~ZKbAY
z;QhX|_kla->et&ne!MhM_wD@7C9>D96uO_6D7IByb3wk?(9n2^*r(Hdw%t`TH*CnO
z_<zxOagavXySbOP&skt{b4}FBfFScZQ%(LI={Ko8@n*`>ne*>k$OyG3E7vmQR$6{~
z?bCOo#mVrG7W09v(U*7p7JbxoY1cka_Ok`->+7zZ>hiGBQMamcyCxa?)XD4OSF-~X
z&YN!a<SvR4Jh12O6t0!lwqo|D<3p~k+Oc@+o7?T|>hiT=9(P~MRJhMmKl($bt!m{0
zkIWD6_bWB1C2CBm%PnHrdHlsH)yQy`ISWiyUO2Hmh%xl0UCP(Xiu+3=7Ej<%;Z3tD
zZM$T^ll|xWoyG}k*5<yoYY2IMV6XE3=f~a~GCYaQJonO+Nuqt@+jHq5&!)6RR6Vzz
zJp2CPc}q+*k7Z_Ph<=){z3*;7^t9KvHj6wq+j_E#o7L%EVu<VVo7EXy_fw|tnzKJ@
zR{g3?Y<Hvoolc$JrjqGXy?jQ!Pve$VagKA>nfx)mDV5r3@i&yqTV(Dt*Jls7UZyO4
zIL-7Nzxw`tKjUjRtN8t}Woxj}KKpauJ4t8uKl?67mbV>jn7`ZV=HkiXL2IWi-sg1T
z`Nzx0{SLML+1K#@N3o<%<vfQ8o`#EkA2GEatpAl6+4fuO`A4qPi}P*Nb$Cw-)par|
z{P&u?i)sDSH|DESzy7^!_wK~)HIA`LQ|zREpWY{voVkDb1s?0>oUV_3Sx=^Xi2J`(
ze!`|(*ZT8)-t+HY|DczdL80Ee_-D;xsnnG->~)U)y}R$=ukd|$xQw$iy#Djn|5D|2
zTX(Gc<NC{ipFbp>JJaL8=lJY}j0|4IdYl|f|66@(+9y?OcYNQuo#w9t+mn-vPMN2~
z&G>cnc}eXLfg@AX7#c1yFfc4IVSq5an2{J7plKwK2#5hv!XO?nD>*JgSlTS-#)ib-
zFWO9b85kbCkc1e(08@s?NU#*lNCr^T=4)=gdil21YQ_>?%nTFu_ufpa?9|q=Rg@H6
z%E)j+J!QG~x4Zjq9}3;t_y5<Os?S{cDK<tbl2fA}|LF_^xk-Gc<U5B*n|Ui%&D~wO
z)p+yniGe2%)a0DI!99hI;lZOY<CN*MJvQ(he&U^WNm_D7&s?8*8znS&84euP&4?(o
zp6HR2m-jS0^TdHanX`@cvIC?T8n{pK#7mipb+;a#_(zLZaz>ADoBzDb*yc+N3^4(j
z+qPeBKbN#Hz+%6bGn-oS<cB{en}W;>J>&B%s=-A`u-E8d!n~<%JU++N4liHNZINpZ
zGPGOU*Jj?0TS;~`9AN8G-rUu`0Fuy-oAu(Dn*qeM#U>04;d@PVPESoMHrDrc1{tAm
z@0`iNur48UQvLc%bM$0DmT9`|nJ5|lh-c}|dw$c^=AB>K`FVX)+a-nrTMwMuAN4XL
zHo&&TbX)a&UxSU^QFDB3H%>QQe>q*(SLfK&wq^dIQq_Maf4y!T{n`7>pZtZ6e}k63
zS>z4zO`sIR4mF|VDEFJO>9_e`KMUUyxIIL3yE&iB|7A-zn(`TJtf+amG=BN#uY4_c
zCN6nDb-B<|Mus2U{qepPDMs$!^WVJF&1>HLX5H^ngX*(~kM()+&+gf{Gp}E*Sg$AP
z;*->A&(@Xe%qp@ke|s<Jr;1FX<m1D8k59R~_4E_<b8TnTc4vcp+jnr^zk6k$XCK&C
z`&aAlj+?n9OYHexMaiW8`KTJXH~qrFG`rQs>z;W&xcQw=a;JCN`iqy|`Q%U9XMXzY
z)j#LL?ZVe{|1#RX`Lq7sRlonNi+Nb}r)}q)OLyYubuE9!yKYUim{nEyt&ls%yWU?<
zpEmhr&9Ag;vsa(oz9FGx<GaSCn|#9O><zp2_tM$Fn-5+6tL1h4XH>QGuKYI|ybKP0
z7vr{W-K1V~W$$^pTUyaf*G$dC?nvcqy&tmnOz~5X8PO;5%Gc#8you{R-(MkW6n$IT
zPP1>S)Xu#>E02i#{8;w4_j~TD<#)0=<O;*XEOy_|xp;6#X~N2&cU8~!PFb8@ENibC
z^zp})14WOU|7Htb?J}J;r~YB6=9{VfwaM8lPe}K_DUSZj;C$)!jJT&O{(k=0vU6_D
zqnO*XU2;s9WS45m>6G}Z1g(}nD++RKpQ^9R_XDe5+_if2uBBS-%{|K=vDqJ{oSc5<
zpikzhefK+3Z9RFzMfS<uXQ|oE{wQwO>;Im=Z)B`Lwd#U<*}fNIKcC-wtpB5nVdv(v
z5|8$;RC&wA|4k=l9Y?^9S^MKxoxF1B+8?cnQCurd#PT!0tEky9^R&=R%Wb<3hPpr9
ze(a{<+jCZKM@2iLWfz$+FtmGZUV1w3K;py~ub1C@mNwn%?V6v5>Vl_*&Z=koKJ_vC
zB<*8AriL!G{*p7XH*IHV*#0Yb=G_eWesX!c-pgCY+0RbIJwNrp#pKYk7n<?D&ps^p
ze$(T|tAsmo$K3aIE-hVWV)WeD{nGcOl|IkjZ2c@>bB<TuQ?>Tni8DO=|B5ZWIVIG-
z{SpJilZdT6X6bAFjE<jKlzdp)I6KB^$Kv#}+UwJ|-8s!uUgz|0<0YFjky5j!xP4VI
z_>okbKRZotp^0d5m;SR;oALrn+Ldz--O1X$GH#>Wq|eIQxw_n|s;)ntFEsN~&AHm_
zjj6i=eXkkDc;$au+PU%L%IE*?Ew7F~9$q$ujX{BZ`^C}+UYk$&%gyYu@87f~NV)ul
zjJu5O>A+b}rj*57DqZ`UuCFX;b}4pl-GPHCF$I|^cOOdBYvjK__UnL+_pxo7Cn_ce
z%(nUcB669D`TmHRoyU&f%Q+g;ct$sV?e55LrORc*EtwhSIH-L2(YSTfQTwfDmfcXv
zU2c8C-r9V}-v76%7T;NRseQ-g-(kC)Q+I1dOT<_&Gg&#~>hcNaOZRk5at%t!T>QAP
zSEn%P&eY56HgQeQ)AF<HTiaF@9dq~co79-<XNK$5l*@MQKB_tSb_)NrlHkq|lS_XO
zXg$^|@9Y1nqp@mk?_KH77elgUt~=k7zOK6M&F#sb{pVVXn_HJ&OUbeP@k6n**Y~2-
zjH1?)lR>4o`vbkydzQ;owy)mu`t!{F^E`LO?-G4E`APX)S*z_%X4n7TE?oMs?6|(I
zY5C>d$-7^1zU^BsFFgNMY`_Fr^ZL*&UbFZ86*_l$itPu9<ug2LmT$iIVe_?}U#2qk
z-%p8?QQRhD=6@vk;)ln-t-BR3E&MS}Z@22zcj?A47QstqT>Nq6@=~ugnG6heO0yPR
z7n*puzU}0uC*SVW&#M$MlZ@=Xd~uHd)Ysp*b<W=7l%5*A(4t~%#LZgwv(2^YMRu2T
zKUGY9EK>in6O^i2i#5(J%>z|{UZ84XfeDBSA;AI+U=l+h=HR6xk7F{;%s#C#Nl7p=
zlavE>;CC%m{BcR;(@qo4Pr6I?i-YR1Ra4crM$cNS`|NQ01^ay)o_nXASdo%oR2G)$
z_x<f+69xwHkXdivzIAEpb(@)BU}L%UQ~xacPYTAS^%DY59!SYCs(E%p5>(wz^*(Iy
z(IcgMS@Y`E+3)YKudq4o?fqU{d@ncm%d^ERrOlZo+j?Bslpjx2JPESF3{)$#FHMXz
zlk=bO)lox4vHF8UgWB#-Q>QkZcQ^b0>C@Bv6dofU$xa@(W6I8x0#6?Jv(OmiWUu3D
z#Xlt@C66S1T&t@lbB~8jSz20glX-mne}`>bx1PR#Y4U`LClVmlInSIETxT=)mxDAm
zc}?ECCUHiEiBz}CwnGos24qZLBYh(8Z&yx=gprVBPmg<>%HntN7eMLf=Y}<kzw<T)
zB+QVwId!rt^G!4J#o;O5=MS5!xwWY*{x_4A7v$@SOK*1b-YkCqt<C@3JF(qYbdBAr
zR?R*3XXaNPko3dTvr2M)9L|_|Z;AP)=>1B!-+5T~-aLCovijry`;5=73(n=+51QKc
MboFyt=akR{05>Z_=l}o!

literal 0
HcmV?d00001

diff --git a/internal/config/oauth.go b/internal/config/oauth.go
index f800a8cb..0e884ea3 100644
--- a/internal/config/oauth.go
+++ b/internal/config/oauth.go
@@ -1,14 +1,16 @@
 package config
 
 import (
+	"strings"
+
 	"github.com/markbates/goth"
 	"github.com/markbates/goth/providers/facebook"
 	"github.com/markbates/goth/providers/github"
 	"github.com/markbates/goth/providers/gitlab"
 	"github.com/markbates/goth/providers/google"
 	"github.com/markbates/goth/providers/linkedin"
+	"github.com/markbates/goth/providers/openidConnect"
 	"github.com/markbates/goth/providers/twitter"
-	"strings"
 )
 
 // oauthConfigure configures federated (OAuth) authentication
@@ -19,6 +21,7 @@ func oauthConfigure() {
 	googleOauthConfigure()
 	linkedinOauthConfigure()
 	twitterOauthConfigure()
+	openIdConnectConfiugure()
 }
 
 // facebookOauthConfigure configures federated authentication via Facebook
@@ -137,3 +140,20 @@ func twitterOauthConfigure() {
 			URLForAPI("oauth/twitter/callback", nil)),
 	)
 }
+
+// openIdConnectConfiugure configures federated authentication via a generic OAuth2 provider
+func openIdConnectConfiugure() {
+	if !SecretsConfig.IdP.OpenIdConnect.Usable() {
+		logger.Debug("OpenID Connect auth isn't configured or enabled")
+		return
+	}
+
+	logger.Infof("Registering OpenID Connect provider for client %s", SecretsConfig.IdP.OpenIdConnect.Key)
+
+	openidConnect, err := openidConnect.New(SecretsConfig.IdP.OpenIdConnect.Key, SecretsConfig.IdP.OpenIdConnect.Secret, SecretsConfig.IdP.OpenIdConnect.CallbackUrl, SecretsConfig.IdP.OpenIdConnect.DiscoveryUrl)
+	if err != nil {
+		logger.Errorf("Error registering OpenID Connect provider: %v", err)
+		return
+	}
+	goth.UseProviders(openidConnect)
+}
diff --git a/internal/config/secrets.go b/internal/config/secrets.go
index 7cbdbb28..f281a63d 100644
--- a/internal/config/secrets.go
+++ b/internal/config/secrets.go
@@ -11,9 +11,11 @@ const (
 
 // KeySecret is a record containing a key and a secret
 type KeySecret struct {
-	Disable bool   `yaml:"disable"` // Can be used to forcefully disable the corresponding functionality
-	Key     string `yaml:"key"`     // Public key
-	Secret  string `yaml:"secret"`  // Private key
+	Disable      bool   `yaml:"disable"`       // Can be used to forcefully disable the corresponding functionality
+	Key          string `yaml:"key"`           // Public key
+	Secret       string `yaml:"secret"`        // Private key
+	CallbackUrl  string `yaml:"callback_url"`  // Callback URL
+	DiscoveryUrl string `yaml:"discovery_url"` // Discovery URL
 }
 
 // Usable returns whether the instance isn't disabled and the key and the secret are filled in
@@ -56,12 +58,13 @@ var SecretsConfig = &struct {
 
 	// Federated identity provider settings
 	IdP struct {
-		Facebook KeySecret `yaml:"facebook"` // Facebook auth config
-		GitHub   KeySecret `yaml:"github"`   // GitHub auth config
-		GitLab   KeySecret `yaml:"gitlab"`   // GitLab auth config
-		Google   KeySecret `yaml:"google"`   // Google auth config
-		LinkedIn KeySecret `yaml:"linkedin"` // LinkedIn auth config
-		Twitter  KeySecret `yaml:"twitter"`  // Twitter auth config
+		Facebook      KeySecret `yaml:"facebook"` // Facebook auth config
+		GitHub        KeySecret `yaml:"github"`   // GitHub auth config
+		GitLab        KeySecret `yaml:"gitlab"`   // GitLab auth config
+		Google        KeySecret `yaml:"google"`   // Google auth config
+		LinkedIn      KeySecret `yaml:"linkedin"` // LinkedIn auth config
+		Twitter       KeySecret `yaml:"twitter"`  // Twitter auth config
+		OpenIdConnect KeySecret `yaml:"openid"`   // OpenID Connect auth config
 	} `yaml:"idp"`
 
 	// Extension settings
diff --git a/internal/data/models.go b/internal/data/models.go
index fa161bab..9bb041ac 100644
--- a/internal/data/models.go
+++ b/internal/data/models.go
@@ -5,6 +5,10 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
 	"github.com/avct/uasurfer"
 	"github.com/doug-martin/goqu/v9"
 	"github.com/doug-martin/goqu/v9/exp"
@@ -15,9 +19,6 @@ import (
 	"gitlab.com/comentario/comentario/internal/api/models"
 	"gitlab.com/comentario/comentario/internal/util"
 	"golang.org/x/crypto/bcrypt"
-	"net/http"
-	"strings"
-	"time"
 )
 
 // AnonymousUser is a predefined "anonymous" user, identified by a special UUID ('00000000-0000-0000-0000-000000000000')
@@ -84,6 +85,7 @@ var FederatedIdProviders = map[models.FederatedIdpID]FederatedIdentityProvider{
 	models.FederatedIdpIDGoogle:   {ID: models.FederatedIdpIDGoogle, Name: "Google", Icon: "google", GothID: "google"},
 	models.FederatedIdpIDLinkedin: {ID: models.FederatedIdpIDLinkedin, Name: "LinkedIn", Icon: "linkedin", GothID: "linkedin"},
 	models.FederatedIdpIDTwitter:  {ID: models.FederatedIdpIDTwitter, Name: "Twitter", Icon: "twitter", GothID: "twitter"},
+	models.FederatedIdpIDOpenid:   {ID: models.FederatedIdpIDOpenid, Name: "OpenID Connect", Icon: "google", GothID: "openid-connect"},
 }
 
 // GetFederatedIdP returns whether federated identity provider is known and configured, and if yes, its Provider
diff --git a/swagger/swagger.yml b/swagger/swagger.yml
index a92c8c2d..da0ea298 100644
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@@ -459,6 +459,7 @@ definitions:
       - google
       - linkedin
       - twitter
+      - openid
     x-isnullable: false
 
   host:
@@ -1051,6 +1052,7 @@ parameters:
       - google
       - linkedin
       - twitter
+      - openid
       - sso  # SSO is a special case of federated authentication, which requires additional configuration for a specific domain
 
   pathDailyMetric:
-- 
GitLab