From 6a1fe4532a27576f707f51cec102b0c51fb0a0b9 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 28 Sep 2020 13:57:04 +0200
Subject: [PATCH 001/162] add sample shibboleth conf

---
 auth/shibboleth-conf/shibboleth2.xml | 37 ++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 auth/shibboleth-conf/shibboleth2.xml

diff --git a/auth/shibboleth-conf/shibboleth2.xml b/auth/shibboleth-conf/shibboleth2.xml
new file mode 100644
index 00000000..342e057e
--- /dev/null
+++ b/auth/shibboleth-conf/shibboleth2.xml
@@ -0,0 +1,37 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+clockSkew="180">
+<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+<ApplicationDefaults entityID="https://samplesp3.eo.esa.int/shibboleth"
+REMOTE_USER="eppn subject-id pairwise-id persistent-id"
+cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSL
+v2:!SSLv3:!TLSv1:!TLSv1.1">
+<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+checkAddress="false" handlerSSL="true" cookieProps="https">
+<SSO entityID="https://eo-sso-idp.eo.esa.int:443/shibboleth"
+discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+SAML2
+</SSO>
+<Logout>SAML2 Local</Logout>
+<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 192.168.24.1/24"/>
+<Handler type="Session" Location="/Session" showAttributeValues="false"/>
+<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+</Sessions>
+<Errors supportContact="root@samplesp3.eo.esa.int"
+helpLocation="/about.html"
+styleSheet="/shibboleth-sp/main.css"/>
+<MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+<AttributeExtractor type="XML" validate="true" reloadChanges="false"
+path="attribute-map.xml"/>
+<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+<CredentialResolver type="File" use="signing"
+key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+<CredentialResolver type="File" use="encryption"
+key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+</ApplicationDefaults>
+<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+<ProtocolProvider type="XML" validate="true" reloadChanges="false"
+path="protocols.xml"/>
+</SPConfig>
\ No newline at end of file
-- 
GitLab


From cdd1801bf29be506d819686520604c6cad126a1c Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 28 Sep 2020 14:10:17 +0200
Subject: [PATCH 002/162] add WIP auth folder structure

---
 auth/Dockerfile                        |   5 +
 auth/etc-httpd/conf.d/sp.conf          |  15 +++
 auth/index.html                        |  10 ++
 auth/shibboleth-conf/attribute-map.xml |   5 +
 auth/shibboleth-conf/idp-metadata.xml  | 122 +++++++++++++++++++++++++
 auth/shibboleth-conf/shibd.logger      |  76 +++++++++++++++
 6 files changed, 233 insertions(+)
 create mode 100644 auth/Dockerfile
 create mode 100644 auth/etc-httpd/conf.d/sp.conf
 create mode 100644 auth/index.html
 create mode 100644 auth/shibboleth-conf/attribute-map.xml
 create mode 100644 auth/shibboleth-conf/idp-metadata.xml
 create mode 100644 auth/shibboleth-conf/shibd.logger

diff --git a/auth/Dockerfile b/auth/Dockerfile
new file mode 100644
index 00000000..896601fb
--- /dev/null
+++ b/auth/Dockerfile
@@ -0,0 +1,5 @@
+FROM unicon/shibboleth-sp:3.0.4
+
+COPY shibboleth-conf /etc/shibboleth/
+COPY index.html /var/www/html/
+COPY etc-httpd/ /etc/httpd/
diff --git a/auth/etc-httpd/conf.d/sp.conf b/auth/etc-httpd/conf.d/sp.conf
new file mode 100644
index 00000000..92bbe24a
--- /dev/null
+++ b/auth/etc-httpd/conf.d/sp.conf
@@ -0,0 +1,15 @@
+ServerName idptestbed
+
+<VirtualHost *:80>
+    ServerName https://idptestbed:443
+    UseCanonicalName On
+
+    DocumentRoot "/var/www/html"
+
+    <Location />
+        AuthType shibboleth
+        ShibRequestSetting requireSession 1
+        require shib-session
+    </Location>
+
+</VirtualHost>
\ No newline at end of file
diff --git a/auth/index.html b/auth/index.html
new file mode 100644
index 00000000..7d20ce72
--- /dev/null
+++ b/auth/index.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>APACHE TEST</title>
+</head>
+<body>
+    <h1>TESTING APACHE</h1>   
+</body>
+</html>
diff --git a/auth/shibboleth-conf/attribute-map.xml b/auth/shibboleth-conf/attribute-map.xml
new file mode 100644
index 00000000..e9e9797a
--- /dev/null
+++ b/auth/shibboleth-conf/attribute-map.xml
@@ -0,0 +1,5 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+</Attributes>
diff --git a/auth/shibboleth-conf/idp-metadata.xml b/auth/shibboleth-conf/idp-metadata.xml
new file mode 100644
index 00000000..caa418c0
--- /dev/null
+++ b/auth/shibboleth-conf/idp-metadata.xml
@@ -0,0 +1,122 @@
+<!-- The entity describing the SAMLtest IdP, named by the entityID below --> 
+
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SAMLtestIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://samltest.id/saml/idp">
+
+    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+
+        <Extensions>
+<!-- An enumeration of the domains this IdP is able to assert scoped attributes, which are
+typically those with a @ delimiter, like mail.  Most IdP's serve only a single domain.  It's crucial
+for the SP to check received attribute values match permitted domains to prevent a recognized IdP from 
+sending attribute values for which a different recognized IdP is authoritative. -->
+            <shibmd:Scope regexp="false">samltest.id</shibmd:Scope>
+
+<!-- Display information about this IdP that can be used by SP's and discovery
+services to identify the IdP meaningfully for end users --> 
+            <mdui:UIInfo>
+                <mdui:DisplayName xml:lang="en">SAMLtest IdP</mdui:DisplayName>
+                <mdui:Description xml:lang="en">A free and basic IdP for testing SAML deployments</mdui:Description>
+                <mdui:Logo height="90" width="225">https://samltest.id/saml/logo.png</mdui:Logo>
+            </mdui:UIInfo>
+        </Extensions>
+
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDETCCAfmgAwIBAgIUZRpDhkNKl5eWtJqk0Bu1BgTTargwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwHhcNMTgwODI0MjExNDEwWhcNMzgw
+ODI0MjExNDEwWjAWMRQwEgYDVQQDDAtzYW1sdGVzdC5pZDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAJrh9/PcDsiv3UeL8Iv9rf4WfLPxuOm9W6aCntEA
+8l6c1LQ1Zyrz+Xa/40ZgP29ENf3oKKbPCzDcc6zooHMji2fBmgXp6Li3fQUzu7yd
++nIC2teejijVtrNLjn1WUTwmqjLtuzrKC/ePoZyIRjpoUxyEMJopAd4dJmAcCq/K
+k2eYX9GYRlqvIjLFoGNgy2R4dWwAKwljyh6pdnPUgyO/WjRDrqUBRFrLQJorR2kD
+c4seZUbmpZZfp4MjmWMDgyGM1ZnR0XvNLtYeWAyt0KkSvFoOMjZUeVK/4xR74F8e
+8ToPqLmZEg9ZUx+4z2KjVK00LpdRkH9Uxhh03RQ0FabHW6UCAwEAAaNXMFUwHQYD
+VR0OBBYEFJDbe6uSmYQScxpVJhmt7PsCG4IeMDQGA1UdEQQtMCuCC3NhbWx0ZXN0
+LmlkhhxodHRwczovL3NhbWx0ZXN0LmlkL3NhbWwvaWRwMA0GCSqGSIb3DQEBCwUA
+A4IBAQBNcF3zkw/g51q26uxgyuy4gQwnSr01Mhvix3Dj/Gak4tc4XwvxUdLQq+jC
+cxr2Pie96klWhY/v/JiHDU2FJo9/VWxmc/YOk83whvNd7mWaNMUsX3xGv6AlZtCO
+L3JhCpHjiN+kBcMgS5jrtGgV1Lz3/1zpGxykdvS0B4sPnFOcaCwHe2B9SOCWbDAN
+JXpTjz1DmJO4ImyWPJpN1xsYKtm67Pefxmn0ax0uE2uuzq25h0xbTkqIQgJzyoE/
+DPkBFK1vDkMfAW11dQ0BXatEnW7Gtkc0lh2/PIbHWj4AzxYMyBf5Gy6HSVOftwjC
+voQR2qr2xJBixsg+MIORKtmKHLfU
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEB
+CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4
+MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0
+ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOE
+jj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1kl
+bN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF
+/cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8n
+spXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0G
+A1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVz
+dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF
+AAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn
+7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHT
+TNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nbl
+D1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcU
+ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu
+3kXPjhSfj1AJGR1l9JGvJrHki1iHTA==
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+MIIDEjCCAfqgAwIBAgIVAPVbodo8Su7/BaHXUHykx0Pi5CFaMA0GCSqGSIb3DQEB
+CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4
+MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCQb+1a7uDdTTBBFfwOUun3IQ9nEuKM98SmJDWa
+MwM877elswKUTIBVh5gB2RIXAPZt7J/KGqypmgw9UNXFnoslpeZbA9fcAqqu28Z4
+sSb2YSajV1ZgEYPUKvXwQEmLWN6aDhkn8HnEZNrmeXihTFdyr7wjsLj0JpQ+VUlc
+4/J+hNuU7rGYZ1rKY8AA34qDVd4DiJ+DXW2PESfOu8lJSOteEaNtbmnvH8KlwkDs
+1NvPTsI0W/m4SK0UdXo6LLaV8saIpJfnkVC/FwpBolBrRC/Em64UlBsRZm2T89ca
+uzDee2yPUvbBd5kLErw+sC7i4xXa2rGmsQLYcBPhsRwnmBmlAgMBAAGjVzBVMB0G
+A1UdDgQWBBRZ3exEu6rCwRe5C7f5QrPcAKRPUjA0BgNVHREELTArggtzYW1sdGVz
+dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF
+AAOCAQEABZDFRNtcbvIRmblnZItoWCFhVUlq81ceSQddLYs8DqK340//hWNAbYdj
+WcP85HhIZnrw6NGCO4bUipxZXhiqTA/A9d1BUll0vYB8qckYDEdPDduYCOYemKkD
+dmnHMQWs9Y6zWiYuNKEJ9mf3+1N8knN/PK0TYVjVjXAf2CnOETDbLtlj6Nqb8La3
+sQkYmU+aUdopbjd5JFFwbZRaj6KiHXHtnIRgu8sUXNPrgipUgZUOVhP0C0N5OfE4
+JW8ZBrKgQC/6vJ2rSa9TlzI6JAa5Ww7gMXMP9M+cJUNQklcq+SBnTK8G+uBHgPKR
+zBDsMIEzRtQZm4GIoHJae4zmnCekkQ==
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+            </ds:KeyInfo>
+
+        </KeyDescriptor>
+
+<!-- An endpoint for artifact resolution.  Please see Wikipedia for more details about SAML
+     artifacts and when you may find them useful. -->
+
+        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ArtifactResolution" index="1" />
+
+<!-- A set of endpoints where the IdP can receive logout messages. These must match the public
+facing addresses if this IdP is hosted behind a reverse proxy.  --> 
+        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SLO"/>
+        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SLO"/>
+        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SLO"/>
+
+<!-- A set of endpoints the SP can send AuthnRequests to in order to trigger user authentication. -->
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://samltest.id/idp/profile/Shibboleth/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ECP"/>
+
+    </IDPSSODescriptor>
+
+</EntityDescriptor>
\ No newline at end of file
diff --git a/auth/shibboleth-conf/shibd.logger b/auth/shibboleth-conf/shibd.logger
new file mode 100644
index 00000000..e9526645
--- /dev/null
+++ b/auth/shibboleth-conf/shibd.logger
@@ -0,0 +1,76 @@
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+log4j.ownAppenders.XMLTooling.Signature.Debugger=true
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+log4j.ownAppenders.Shibboleth-TRANSACTION=true
+
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
+log4j.appender.shibd_log.fileName=/dev/stdout
+log4j.appender.shibd_log.maxFileSize=0
+log4j.appender.shibd_log.maxBackupIndex=0
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=sp-shibd %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+#log4j.appender.warn_log.maxFileSize=0
+#log4j.appender.warn_log.maxBackupIndex=0
+#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+#log4j.appender.warn_log.threshold=WARN
+
+log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
+log4j.appender.tran_log.fileName=/dev/stdout
+log4j.appender.tran_log.maxFileSize=0
+log4j.appender.tran_log.maxBackupIndex=0
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=sp-transaction %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/dev/stdout
+log4j.appender.sig_log.maxFileSize=0
+log4j.appender.sig_log.maxBackupIndex=0
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=sp-signature %m
+
+
-- 
GitLab


From d37d1818f35d4fef86e6d746f3a8a5f2e37aabc6 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 28 Sep 2020 16:21:57 +0200
Subject: [PATCH 003/162] Adding auth forwarding in preparation of shibboleth
 auth

---
 docker-compose.dem.ops.yml   | 12 ++++++++++++
 docker-compose.emg.ops.yml   | 12 ++++++++++++
 docker-compose.vhr18.ops.yml | 16 ++++++++++++++--
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index b1f09109..345ea97b 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -32,6 +32,10 @@ services:
         - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -74,6 +78,10 @@ services:
         - "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
         - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
@@ -114,6 +122,10 @@ services:
         - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
         - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-client-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.dem-client.loadbalancer.sticky=false"
         - "traefik.http.services.dem-client.loadbalancer.server.port=80"
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index fcc054e6..34a0dc82 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -32,6 +32,10 @@ services:
         - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -74,6 +78,10 @@ services:
         - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
         - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
@@ -114,6 +122,10 @@ services:
         - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
         - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-client-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.emg-client.loadbalancer.sticky=false"
         - "traefik.http.services.emg-client.loadbalancer.server.port=80"
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index e8665d49..068238d2 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -33,6 +33,10 @@ services:
         - "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -74,6 +78,10 @@ services:
         - "traefik.http.routers.vhr18-cache_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
@@ -97,7 +105,7 @@ services:
       replicas: 0
       placement:
         constraints:
-          - node.labels.type == internal      
+          - node.labels.type == internal
   client:
     configs:
       - source: client-ops
@@ -114,6 +122,10 @@ services:
         - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
         - "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
+        # Auth forwarding
+        - "traefik.frontend.auth.forward.address=http://auth/auth"
+        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
+        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.vhr18-client.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-client.loadbalancer.server.port=80"
@@ -122,7 +134,7 @@ services:
         - "traefik.enable=true"
       placement:
         constraints:
-          - node.labels.type == external        
+          - node.labels.type == external
     networks:
       - extnet
   preprocessor:
-- 
GitLab


From 3f73c73529e8bbcdc552b1f7a0e53d255459465b Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 28 Sep 2020 18:04:30 +0200
Subject: [PATCH 004/162] Fixing auth forwarding using correct labels Setup of
 middleware in traefik-dynamic.yml

---
 docker-compose.dem.ops.yml   | 18 +++---------------
 docker-compose.emg.ops.yml   | 18 +++---------------
 docker-compose.vhr18.ops.yml | 18 +++---------------
 traefik-dynamic.yml          |  4 ++++
 4 files changed, 13 insertions(+), 45 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 345ea97b..57d7b33e 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -14,7 +14,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.dem-renderer.tls=true"
         - "traefik.http.routers.dem-renderer.tls.certresolver=default"
         - "traefik.http.routers.dem-renderer.entrypoints=https"
@@ -32,10 +32,6 @@ services:
         - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -60,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.dem-cache.tls=true"
         - "traefik.http.routers.dem-cache.tls.certresolver=default"
         - "traefik.http.routers.dem-cache.entrypoints=https"
@@ -78,10 +74,6 @@ services:
         - "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
         - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
@@ -114,7 +106,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-client.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
-        - "traefik.http.routers.dem-client.middlewares=auth@file,compress@file"
+        - "traefik.http.routers.dem-client.middlewares=auth@file,compress@file,shibAuth@file"
         - "traefik.http.routers.dem-client.tls=true"
         - "traefik.http.routers.dem-client.tls.certresolver=default"
         - "traefik.http.routers.dem-client.entrypoints=https"
@@ -122,10 +114,6 @@ services:
         - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
         - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-client-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.dem-client.loadbalancer.sticky=false"
         - "traefik.http.services.dem-client.loadbalancer.server.port=80"
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 34a0dc82..46852d3f 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -14,7 +14,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.emg-renderer.tls=true"
         - "traefik.http.routers.emg-renderer.tls.certresolver=default"
         - "traefik.http.routers.emg-renderer.entrypoints=https"
@@ -32,10 +32,6 @@ services:
         - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -60,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.emg-cache.tls=true"
         - "traefik.http.routers.emg-cache.tls.certresolver=default"
         - "traefik.http.routers.emg-cache.entrypoints=https"
@@ -78,10 +74,6 @@ services:
         - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
         - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
@@ -114,7 +106,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file"
+        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file,shibAuth@file"
         - "traefik.http.routers.emg-client.tls=true"
         - "traefik.http.routers.emg-client.tls.certresolver=default"
         - "traefik.http.routers.emg-client.entrypoints=https"
@@ -122,10 +114,6 @@ services:
         - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
         - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-client-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.emg-client.loadbalancer.sticky=false"
         - "traefik.http.services.emg-client.loadbalancer.server.port=80"
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 068238d2..76a5948b 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -15,7 +15,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-renderer.middlewares=auth@file,compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.vhr18-renderer.tls=true"
         - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
         - "traefik.http.routers.vhr18-renderer.entrypoints=https"
@@ -33,10 +33,6 @@ services:
         - "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -60,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-cache.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.vhr18-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.vhr18-cache.tls=true"
         - "traefik.http.routers.vhr18-cache.tls.certresolver=default"
         - "traefik.http.routers.vhr18-cache.entrypoints=https"
@@ -78,10 +74,6 @@ services:
         - "traefik.http.routers.vhr18-cache_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
@@ -114,7 +106,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-client.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
-        - "traefik.http.routers.vhr18-client.middlewares=auth@file,compress@file"
+        - "traefik.http.routers.vhr18-client.middlewares=auth@file,compress@file,shibAuth@file"
         - "traefik.http.routers.vhr18-client.tls=true"
         - "traefik.http.routers.vhr18-client.tls.certresolver=default"
         - "traefik.http.routers.vhr18-client.entrypoints=https"
@@ -122,10 +114,6 @@ services:
         - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
         - "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
-        # Auth forwarding
-        - "traefik.frontend.auth.forward.address=http://auth/auth"
-        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-        - traefik.frontend.auth.forward.trustForwardHeader=true
         # general
         - "traefik.http.services.vhr18-client.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-client.loadbalancer.server.port=80"
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 87f49816..0291f929 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -20,6 +20,10 @@ http:
         realm: "PRISM View Server (PVS)"
         users:
           - "***REMOVED***"
+    shibAuth:
+      forwardAuth:
+        address: http://auth/auth
+        trustForwardHeader: true
     compress:
       compress: {}
     redirect:
-- 
GitLab


From 762e143b7077b58f171cdc465843b5c465636ff7 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 29 Sep 2020 11:08:10 +0200
Subject: [PATCH 005/162] rename folders

---
 auth/Dockerfile                               |   5 -
 auth/shibboleth-conf/shibboleth2.xml          |  37 ------
 shibauth/Dockerfile                           |  39 ++++++
 {auth/etc-httpd => shibauth}/conf.d/sp.conf   |   4 +
 {auth => shibauth}/index.html                 |   0
 .../shibboleth-conf/attribute-map.xml         |   0
 .../shibboleth-conf/idp-metadata.xml          |   0
 shibauth/shibboleth-conf/shibboleth2.xml      | 125 ++++++++++++++++++
 .../shibboleth-conf/shibd.logger              |   0
 9 files changed, 168 insertions(+), 42 deletions(-)
 delete mode 100644 auth/Dockerfile
 delete mode 100644 auth/shibboleth-conf/shibboleth2.xml
 create mode 100644 shibauth/Dockerfile
 rename {auth/etc-httpd => shibauth}/conf.d/sp.conf (73%)
 rename {auth => shibauth}/index.html (100%)
 rename {auth => shibauth}/shibboleth-conf/attribute-map.xml (100%)
 rename {auth => shibauth}/shibboleth-conf/idp-metadata.xml (100%)
 create mode 100644 shibauth/shibboleth-conf/shibboleth2.xml
 rename {auth => shibauth}/shibboleth-conf/shibd.logger (100%)

diff --git a/auth/Dockerfile b/auth/Dockerfile
deleted file mode 100644
index 896601fb..00000000
--- a/auth/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM unicon/shibboleth-sp:3.0.4
-
-COPY shibboleth-conf /etc/shibboleth/
-COPY index.html /var/www/html/
-COPY etc-httpd/ /etc/httpd/
diff --git a/auth/shibboleth-conf/shibboleth2.xml b/auth/shibboleth-conf/shibboleth2.xml
deleted file mode 100644
index 342e057e..00000000
--- a/auth/shibboleth-conf/shibboleth2.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
-xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
-clockSkew="180">
-<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
-<ApplicationDefaults entityID="https://samplesp3.eo.esa.int/shibboleth"
-REMOTE_USER="eppn subject-id pairwise-id persistent-id"
-cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSL
-v2:!SSLv3:!TLSv1:!TLSv1.1">
-<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
-checkAddress="false" handlerSSL="true" cookieProps="https">
-<SSO entityID="https://eo-sso-idp.eo.esa.int:443/shibboleth"
-discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
-SAML2
-</SSO>
-<Logout>SAML2 Local</Logout>
-<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
-<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 192.168.24.1/24"/>
-<Handler type="Session" Location="/Session" showAttributeValues="false"/>
-<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
-</Sessions>
-<Errors supportContact="root@samplesp3.eo.esa.int"
-helpLocation="/about.html"
-styleSheet="/shibboleth-sp/main.css"/>
-<MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
-<AttributeExtractor type="XML" validate="true" reloadChanges="false"
-path="attribute-map.xml"/>
-<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-<CredentialResolver type="File" use="signing"
-key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
-<CredentialResolver type="File" use="encryption"
-key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
-</ApplicationDefaults>
-<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
-<ProtocolProvider type="XML" validate="true" reloadChanges="false"
-path="protocols.xml"/>
-</SPConfig>
\ No newline at end of file
diff --git a/shibauth/Dockerfile b/shibauth/Dockerfile
new file mode 100644
index 00000000..a1c6d766
--- /dev/null
+++ b/shibauth/Dockerfile
@@ -0,0 +1,39 @@
+#------------------------------------------------------------------------------
+#
+# Project: prism view server
+# Authors: Stephan Meissl <stephan.meissl@eox.at>
+#
+#------------------------------------------------------------------------------
+# Copyright (C) 2020 EOX IT Services GmbH <https://eox.at>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies of this Software or works derived from this Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+#-----------------------------------------------------------------------------
+
+FROM unicon/shibboleth-sp:3.0.4
+
+MAINTAINER EOX
+LABEL name="prism view server cache" \
+      vendor="EOX IT Services GmbH <https://eox.at>" \
+      license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
+      type="prism view server shibauth" \
+      version="0.0.1"
+
+COPY shibboleth-conf /etc/shibboleth/
+COPY index.html /var/www/html/
+COPY conf.d /etc/httpd/etc-httpd/
diff --git a/auth/etc-httpd/conf.d/sp.conf b/shibauth/conf.d/sp.conf
similarity index 73%
rename from auth/etc-httpd/conf.d/sp.conf
rename to shibauth/conf.d/sp.conf
index 92bbe24a..091f85e9 100644
--- a/auth/etc-httpd/conf.d/sp.conf
+++ b/shibauth/conf.d/sp.conf
@@ -5,6 +5,10 @@ ServerName idptestbed
     UseCanonicalName On
 
     DocumentRoot "/var/www/html"
+    <Location /Shibboleth.sso>
+      Satisfy Any
+      Allow from all
+    </Location>
 
     <Location />
         AuthType shibboleth
diff --git a/auth/index.html b/shibauth/index.html
similarity index 100%
rename from auth/index.html
rename to shibauth/index.html
diff --git a/auth/shibboleth-conf/attribute-map.xml b/shibauth/shibboleth-conf/attribute-map.xml
similarity index 100%
rename from auth/shibboleth-conf/attribute-map.xml
rename to shibauth/shibboleth-conf/attribute-map.xml
diff --git a/auth/shibboleth-conf/idp-metadata.xml b/shibauth/shibboleth-conf/idp-metadata.xml
similarity index 100%
rename from auth/shibboleth-conf/idp-metadata.xml
rename to shibauth/shibboleth-conf/idp-metadata.xml
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
new file mode 100644
index 00000000..f890b39c
--- /dev/null
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -0,0 +1,125 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://sp.idptestbed/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2 SAML1
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+            
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="admin@idptestbed"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+	      url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
+        -->
+        
+        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-signing-key-test.pem" certificate="sp-encrypt-cert-test.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
diff --git a/auth/shibboleth-conf/shibd.logger b/shibauth/shibboleth-conf/shibd.logger
similarity index 100%
rename from auth/shibboleth-conf/shibd.logger
rename to shibauth/shibboleth-conf/shibd.logger
-- 
GitLab


From 70c6543feef529e295dd0698f9c8dda0343bac5e Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 29 Sep 2020 13:25:29 +0200
Subject: [PATCH 006/162] add shib testing stack for now

---
 docker-compose.test.ops.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 docker-compose.test.ops.yml

diff --git a/docker-compose.test.ops.yml b/docker-compose.test.ops.yml
new file mode 100644
index 00000000..69f4143b
--- /dev/null
+++ b/docker-compose.test.ops.yml
@@ -0,0 +1,34 @@
+version: "3.6"
+services:
+  shibauth:
+    image: testing-shibboleth
+    deploy:
+      placement:
+        constraints: [node.role == manager]
+    deploy:
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-renderer.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer.tls=true"
+        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
+        - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
+        - "traefik.docker.network=shib-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+    networks:
+      - extnet
+networks:
+  extnet:
+    name: shib-extnet
+    external: true
-- 
GitLab


From 5f1e9b004a836f5092d41dbb2168c0dc1a4593cf Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 29 Sep 2020 16:35:47 +0200
Subject: [PATCH 007/162] Using {{slug}}-secure for shibboleth authed routes

---
 docker-compose.dem.ops.yml   | 52 +++++++++++++++++++++++++++++++++++-
 docker-compose.emg.ops.yml   | 50 ++++++++++++++++++++++++++++++++++
 docker-compose.vhr18.ops.yml | 52 +++++++++++++++++++++++++++++++++++-
 3 files changed, 152 insertions(+), 2 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 57d7b33e..a1f677ea 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -14,7 +14,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file"
         - "traefik.http.routers.dem-renderer.tls=true"
         - "traefik.http.routers.dem-renderer.tls.certresolver=default"
         - "traefik.http.routers.dem-renderer.entrypoints=https"
@@ -32,6 +32,26 @@ services:
         - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
+        # router for shibboleth based auth based access (https)
+        - "traefik.http.routers.dem-renderer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.dem-renderer.tls=true"
+        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer.entrypoints=https"
+        # router for shibboleth shibboleth auth based access (http)
+        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
+        # router for referrer shibboleth based access (https)
+        - "traefik.http.routers.dem-renderer_referer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.dem-renderer_referer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer_referer.tls=true"
+        - "traefik.http.routers.dem-renderer_referer.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -74,6 +94,26 @@ services:
         - "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
+        # router for shibboleth based auth based access (https)
+        - "traefik.http.routers.dem-renderer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.dem-renderer.tls=true"
+        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer.entrypoints=https"
+        # router for shibboleth shibboleth auth based access (http)
+        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
+        # router for referrer shibboleth based access (https)
+        - "traefik.http.routers.dem-renderer_referer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.dem-renderer_referer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer_referer.tls=true"
+        - "traefik.http.routers.dem-renderer_referer.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
         - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
@@ -114,6 +154,16 @@ services:
         - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
         - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-client-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.dem-client.rule=Host(`dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.routers.dem-client.tls=true"
+        - "traefik.http.routers.dem-client.tls.certresolver=default"
+        - "traefik.http.routers.dem-client.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.dem-client-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-client-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-client.loadbalancer.sticky=false"
         - "traefik.http.services.dem-client.loadbalancer.server.port=80"
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 46852d3f..5d00a095 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -32,6 +32,26 @@ services:
         - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
+        # router for shibboleth based auth based access (https)
+        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.emg-renderer.tls=true"
+        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        # router for shibboleth shibboleth auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        # router for referrer shibboleth based access (https)
+        - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer_referer.tls=true"
+        - "traefik.http.routers.emg-renderer_referer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -74,6 +94,26 @@ services:
         - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
+        # router for shibboleth based auth based access (https)
+        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.emg-renderer.tls=true"
+        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        # router for shibboleth shibboleth auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        # router for referrer shibboleth based access (https)
+        - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer_referer.tls=true"
+        - "traefik.http.routers.emg-renderer_referer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
         - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
@@ -114,6 +154,16 @@ services:
         - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
         - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-client-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-client.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.routers.emg-client.tls=true"
+        - "traefik.http.routers.emg-client.tls.certresolver=default"
+        - "traefik.http.routers.emg-client.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-client-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-client.loadbalancer.sticky=false"
         - "traefik.http.services.emg-client.loadbalancer.server.port=80"
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 76a5948b..ee885d69 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -33,6 +33,26 @@ services:
         - "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
+        # router for shibboleth based auth based access (https)
+        - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.vhr18-renderer.tls=true"
+        - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-renderer.entrypoints=https"
+        # router for shibboleth shibboleth auth based access (http)
+        - "traefik.http.routers.vhr18-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-renderer-redirect.entrypoints=http"
+        # router for referrer shibboleth based access (https)
+        - "traefik.http.routers.vhr18-renderer_referer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.vhr18-renderer_referer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.vhr18-renderer_referer.tls=true"
+        - "traefik.http.routers.vhr18-renderer_referer.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-renderer_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -74,6 +94,26 @@ services:
         - "traefik.http.routers.vhr18-cache_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
+        # router for shibboleth based auth based access (https)
+        - "traefik.http.routers.vhr18-cache-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-cache-renderer.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.vhr18-cache-renderer.tls=true"
+        - "traefik.http.routers.vhr18-cache-renderer.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-cache-renderer.entrypoints=https"
+        # router for shibboleth shibboleth auth based access (http)
+        - "traefik.http.routers.vhr18-cache-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-cache-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-cache-renderer-redirect.entrypoints=http"
+        # router for referrer shibboleth based access (https)
+        - "traefik.http.routers.vhr18-cache-renderer_referer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.vhr18-cache-renderer_referer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.vhr18-cache-renderer_referer.tls=true"
+        - "traefik.http.routers.vhr18-cache-renderer_referer.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-cache-renderer_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.vhr18-cache-renderer_referer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.vhr18-cache-renderer_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-cache-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
@@ -106,7 +146,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-client.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
-        - "traefik.http.routers.vhr18-client.middlewares=auth@file,compress@file,shibAuth@file"
+        - "traefik.http.routers.vhr18-client.middlewares=auth@file,compress@file"
         - "traefik.http.routers.vhr18-client.tls=true"
         - "traefik.http.routers.vhr18-client.tls.certresolver=default"
         - "traefik.http.routers.vhr18-client.entrypoints=https"
@@ -114,6 +154,16 @@ services:
         - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
         - "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.vhr18-client.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.vhr18-client.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.routers.vhr18-client.tls=true"
+        - "traefik.http.routers.vhr18-client.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-client.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-client.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-client.loadbalancer.server.port=80"
-- 
GitLab


From 9a613a3ed1e598d1f360e37da4d04c66f4e5a961 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 29 Sep 2020 16:42:03 +0200
Subject: [PATCH 008/162] save temp

---
 shibauth/Dockerfile                           |   3 +-
 .../sp.conf => etc-httpd/conf.d/shib.conf}    |   4 +-
 shibauth/shibboleth-conf/idp-metadata.xml     |  24 ---
 shibauth/shibboleth-conf/shibboleth2.xml      | 104 +------------
 shibauth/shibboleth-conf/sp-metadata.xml      | 141 ++++++++++++++++++
 5 files changed, 150 insertions(+), 126 deletions(-)
 rename shibauth/{conf.d/sp.conf => etc-httpd/conf.d/shib.conf} (78%)
 create mode 100644 shibauth/shibboleth-conf/sp-metadata.xml

diff --git a/shibauth/Dockerfile b/shibauth/Dockerfile
index a1c6d766..986fbddc 100644
--- a/shibauth/Dockerfile
+++ b/shibauth/Dockerfile
@@ -35,5 +35,6 @@ LABEL name="prism view server cache" \
       version="0.0.1"
 
 COPY shibboleth-conf /etc/shibboleth/
+COPY etc-httpd/ /etc/httpd/
 COPY index.html /var/www/html/
-COPY conf.d /etc/httpd/etc-httpd/
+
diff --git a/shibauth/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/shib.conf
similarity index 78%
rename from shibauth/conf.d/sp.conf
rename to shibauth/etc-httpd/conf.d/shib.conf
index 091f85e9..58a46d86 100644
--- a/shibauth/conf.d/sp.conf
+++ b/shibauth/etc-httpd/conf.d/shib.conf
@@ -1,7 +1,7 @@
-ServerName idptestbed
+ServerName shib-testing
 
 <VirtualHost *:80>
-    ServerName https://idptestbed:443
+    ServerName http://shib.pdas.prism.eox.at
     UseCanonicalName On
 
     DocumentRoot "/var/www/html"
diff --git a/shibauth/shibboleth-conf/idp-metadata.xml b/shibauth/shibboleth-conf/idp-metadata.xml
index caa418c0..6a91356a 100644
--- a/shibauth/shibboleth-conf/idp-metadata.xml
+++ b/shibauth/shibboleth-conf/idp-metadata.xml
@@ -1,18 +1,8 @@
 <!-- The entity describing the SAMLtest IdP, named by the entityID below --> 
-
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SAMLtestIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://samltest.id/saml/idp">
-
     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
-
         <Extensions>
-<!-- An enumeration of the domains this IdP is able to assert scoped attributes, which are
-typically those with a @ delimiter, like mail.  Most IdP's serve only a single domain.  It's crucial
-for the SP to check received attribute values match permitted domains to prevent a recognized IdP from 
-sending attribute values for which a different recognized IdP is authoritative. -->
             <shibmd:Scope regexp="false">samltest.id</shibmd:Scope>
-
-<!-- Display information about this IdP that can be used by SP's and discovery
-services to identify the IdP meaningfully for end users --> 
             <mdui:UIInfo>
                 <mdui:DisplayName xml:lang="en">SAMLtest IdP</mdui:DisplayName>
                 <mdui:Description xml:lang="en">A free and basic IdP for testing SAML deployments</mdui:Description>
@@ -44,7 +34,6 @@ voQR2qr2xJBixsg+MIORKtmKHLfU
                         </ds:X509Certificate>
                     </ds:X509Data>
             </ds:KeyInfo>
-
         </KeyDescriptor>
         <KeyDescriptor use="signing">
             <ds:KeyInfo>
@@ -70,7 +59,6 @@ ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu
                         </ds:X509Certificate>
                     </ds:X509Data>
             </ds:KeyInfo>
-
         </KeyDescriptor>
         <KeyDescriptor use="encryption">
             <ds:KeyInfo>
@@ -96,27 +84,15 @@ zBDsMIEzRtQZm4GIoHJae4zmnCekkQ==
                         </ds:X509Certificate>
                     </ds:X509Data>
             </ds:KeyInfo>
-
         </KeyDescriptor>
-
-<!-- An endpoint for artifact resolution.  Please see Wikipedia for more details about SAML
-     artifacts and when you may find them useful. -->
-
         <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ArtifactResolution" index="1" />
-
-<!-- A set of endpoints where the IdP can receive logout messages. These must match the public
-facing addresses if this IdP is hosted behind a reverse proxy.  --> 
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SLO"/>
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SLO"/>
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SLO"/>
-
-<!-- A set of endpoints the SP can send AuthnRequests to in order to trigger user authentication. -->
         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://samltest.id/idp/profile/Shibboleth/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ECP"/>
-
     </IDPSSODescriptor>
-
 </EntityDescriptor>
\ No newline at end of file
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index f890b39c..2769ec5f 100644
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -4,122 +4,28 @@
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
-
-    <!--
-    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
-    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-    -->
-
-    <!--
-    To customize behavior for specific resources on Apache, and to link vhosts or
-    resources to ApplicationOverride settings below, use web server options/commands.
-    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
-    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-    -->
-
-    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
-    <ApplicationDefaults entityID="https://sp.idptestbed/shibboleth"
+    <ApplicationDefaults entityID="https://pass.copernicus.eu"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-        You MUST supply an effectively unique handlerURL value for each of your applications.
-        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
-        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
-        Note that while we default checkAddress to "false", this has a negative impact on the
-        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-        -->
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
-
-            <!--
-            Configures SSO for a default IdP. To allow for >1 IdP, remove
-            entityID property and adjust discoveryURL to point to discovery service.
-            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
-            You can also override entityID on /Login query string, or in RequestMap/htaccess.
-            -->
             <SSO entityID="https://idptestbed/idp/shibboleth">
               SAML2 SAML1
             </SSO>
-
-            <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>
-            
-            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-
-            <!-- Status reporting service. -->
-            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
-
-            <!-- Session diagnostic service. -->
+            <Handler type="Status" Location="/Status" acl="10.0.0.0/24 127.0.0.1 ::1"/>
             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
-
-            <!-- JSON feed of discovery information. -->
             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
         </Sessions>
-
-        <!--
-        Allows overriding of error template information/filenames. You can
-        also add attributes with values that can be plugged into the templates.
-        -->
-        <Errors supportContact="admin@idptestbed"
-            helpLocation="/about.html"
-            styleSheet="/shibboleth-sp/main.css"/>
-        
-        <!-- Example of remotely supplied batch of signed metadata. -->
-        <!--
-        <MetadataProvider type="XML" validate="true"
-	      url="http://federation.org/federation-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
-            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
-              attributeName="http://macedir.org/entity-category"
-              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-              attributeValue="http://refeds.org/category/hide-from-discovery" />
-        </MetadataProvider>
-        -->
-
-        <!-- Example of locally maintained metadata. -->
-        <!--
-        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-        -->
-        
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
         <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
-
-        <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        
-        <!-- Use a SAML query if no attributes are supplied during SSO. -->
         <AttributeResolver type="Query" subjectMatch="true"/>
-
-        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-
-        <!-- Simple file-based resolver for using a single keypair. -->
-        <CredentialResolver type="File" key="sp-signing-key-test.pem" certificate="sp-encrypt-cert-test.pem"/>
-
-        <!--
-        The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
-        Resource requests are mapped by web server commands, or the RequestMapper, to an
-        applicationId setting.
-        
-        Example of a second application (for a second vhost) that has a different entityID.
-        Resources on the vhost would map to an applicationId of "admin":
-        -->
-        <!--
-        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-        -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
     </ApplicationDefaults>
-    
-    <!-- Policies that determine how to process and authenticate runtime messages. -->
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
-
-    <!-- Low-level configuration about protocols and bindings available for use. -->
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
 
 </SPConfig>
\ No newline at end of file
diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
new file mode 100644
index 00000000..bfa4da80
--- /dev/null
+++ b/shibauth/shibboleth-conf/sp-metadata.xml
@@ -0,0 +1,141 @@
+<EntityDescriptor entityID="https://pass.copernicus.eu/shibboleth" validUntil="2040-01-01T00:00:00Z"
+                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+MIIHijCCBnKgAwIBAgIQPWbuJob/1pRBDBHQrAelKDANBgkqhkiG9w0BAQsFADB4
+MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
+U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
+Q29tIENsYXNzIDMgT1YgU2VydmVyIENBMB4XDTE2MDUzMDIwMjAwNFoXDTE5MDUz
+MDIwMjAwNFowZDELMAkGA1UEBhMCQVQxDTALBgNVBAgMBFdpZW4xDTALBgNVBAcM
+BFdpZW4xHTAbBgNVBAoMFEVPWCBJVCBTZXJ2aWNlcyBHbWJIMRgwFgYDVQQDDA9l
+c2EubWFwcy5lb3guYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCX
+GBReYwFVvkSrourZRd4zBBlo9apZHXxt+kk4bNbk1n70YNeFUaxJpwFQqkfwghrg
+9tctD2B9HLDZl+LMnO6IXAzXkn8OHzt9vf4lVLDYOSHcC/oAt4aQjr98Anl1q822
+/FJ6csFtFAmEIg8P6NHByHlwaSM1yxcrc7ZgR+xph0/sQijh4jxOlcNfCGRy0VBt
+lJE0rLSAmIN/LUX/hf1P4psbPlXNLl1U3Du6sh+pkgWV5gsKJBxAYJvptlahn9Ud
+b6FBFngM/Z9rk/M4R692z5WWLwfxFScEw3/FfF9aH5ztCAM1u3L5QjqANcdbVl86
+x2kUXZh9A7EjUhnI25xu4aEVJBHTcq46rZQw88lW/+Xxavon03dHuaHhrZXMF5mD
+rIGvumSlB1XzCz2lOQG4zrUnXtKw6rm7fr20Zn5KQEgiUD+d2Hs8lvkWmP0qKiP+
+EWdJrAfprv85tKqQMxldnrOK9FwH9TQh4TmhYlp+6vvsfZMZB4uDMlvKBtlI+7Yh
+O61HKIDSsEqq6tdy312ENOjZVZsPsNkZCdOm6irTTymB9Id1LJ+3jv+lakPzluW/
+rTeq2S0UMMvByRsTGiI3ettxgOwo/jWAJiMTWb26ldpxHqyvOIX7b40Wvk+KRx9T
+Vgx4kkuS5ycNi0YgUBs98imh8GXvBEufvpZCtcd5OQIDAQABo4IDIjCCAx4wDgYD
+VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAJBgNV
+HRMEAjAAMB0GA1UdDgQWBBRX3j8T9Ti5uurAxnFHSb/P6Q4Z9jAfBgNVHSMEGDAW
+gBSxPxySe5KwWiWzOPucB6QmUDLjUTBvBggrBgEFBQcBAQRjMGEwJAYIKwYBBQUH
+MAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTA5BggrBgEFBQcwAoYtaHR0cDov
+L2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2NhLnNlcnZlcjMuY3J0MDgGA1UdHwQx
+MC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3NjYS1zZXJ2ZXIzLmNy
+bDB4BgNVHREEcTBvgg9lc2EubWFwcy5lb3guYXSCFXRpbGVzLmVzYS5tYXBzLmVv
+eC5hdIIXKi50aWxlcy5lc2EubWFwcy5lb3guYXSCE29zbS5lc2EubWFwcy5lb3gu
+YXSCF3N0YWdpbmcuZXNhLm1hcHMuZW94LmF0MCMGA1UdEgQcMBqGGGh0dHA6Ly93
+d3cuc3RhcnRzc2wuY29tLzBRBgNVHSAESjBIMAgGBmeBDAECAjA8BgsrBgEEAYG1
+NwECBTAtMCsGCCsGAQUFBwIBFh9odHRwczovL3d3dy5zdGFydHNzbC5jb20vcG9s
+aWN5MIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAaPaY+B9kgr46jO65KB1M/HFR
+XWeT1ETRCmesu09P+8QAAAFVA3EKawAABAMARzBFAiAQMFKOGTFIZzbVuZ8R2C+u
+4QgL0vnSOBT3ylGgjAf+AQIhAOHkMTkhr0APu8jaCkos4c9k8vrn5DWq0k8WXT12
+ip4fAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFVA3EMcwAA
+BAMARjBEAiASftiRTzUpe+IDonZidGHzHKlKwPZoaOE2zqsH1AW9jgIgM7Jmphm1
+rGkakcVooaUudEfCTN/fTJ7cs3kPiljWmkgwDQYJKoZIhvcNAQELBQADggEBAIp2
+QqqJ6+TRRr7cBeiMw+4MrQhbaf+Y0bAsPOF9KOnQ9JMavEki08JRLYLVSraqDW1+
+mrlk+mbvh9mEFkTIvwW5wt/S5tgbRE/fmDBTElRwLPVlvbwRNKNg/54lXhwgETM8
+oTOfxC+dK7bg+EFj3r71d7wf/qhPCBYmN9yk2z4tby1nYI6c+8xXVxnrKGIOOb/X
+MAB1eHNvjMHHmhlSV33Z6nqrTzeUEDS5R6X1v3lCtP/058o6NDdLmJ/hTy/So5eB
+8NwcilckyoYeI64QXg61KmH+9+scQ2bddWtuDJvnNo0NH1XPOuxl9HpaxBSzIflK
+2Wfpr7x/2VCKeO7Mfpo=
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+
+        <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+
+        <!--
+            This tells IdPs where and how to push assertions through the browser. Mostly
+            the SP will tell the IdP what location to use in its request, but this
+            is how the IdP validates the location and also figures out which
+            SAML version/binding to use.
+            -->
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="6" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+        <AssertionConsumerService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+            index="8" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+
+        <!-- This tells IdPs that you only need transient identifiers. -->
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+    </SPSSODescriptor>
+
+    <Organization>
+        <OrganizationName xml:lang="en">eox</OrganizationName>
+        <OrganizationDisplayName xml:lang="en">EOX IT Services GmbH</OrganizationDisplayName>
+        <OrganizationURL xml:lang="en">http://eox.at</OrganizationURL>
+    </Organization>
+</EntityDescriptor>
-- 
GitLab


From 46e407024f768335a05fafbf61a5738acfd02198 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 29 Sep 2020 16:43:24 +0200
Subject: [PATCH 009/162] save temp

---
 shibauth/etc-httpd/conf.d/shib.conf | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
index 58a46d86..2c7d35d2 100644
--- a/shibauth/etc-httpd/conf.d/shib.conf
+++ b/shibauth/etc-httpd/conf.d/shib.conf
@@ -1,19 +1,6 @@
-ServerName shib-testing
-
-<VirtualHost *:80>
-    ServerName http://shib.pdas.prism.eox.at
-    UseCanonicalName On
-
-    DocumentRoot "/var/www/html"
-    <Location /Shibboleth.sso>
-      Satisfy Any
-      Allow from all
-    </Location>
-
-    <Location />
-        AuthType shibboleth
-        ShibRequestSetting requireSession 1
-        require shib-session
-    </Location>
-
-</VirtualHost>
\ No newline at end of file
+ServerName shib.pdas.prism.eox.at
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
+<Location /Shibboleth.sso>
+  SetHandler shib
+</Location>
+DocumentRoot "/var/www/html"
\ No newline at end of file
-- 
GitLab


From e558d513682d3bd40ae303bacd819e25f23d0fc5 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 29 Sep 2020 17:36:25 +0200
Subject: [PATCH 010/162] rename test routers, fix syntax compose

---
 docker-compose.test.ops.yml | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/docker-compose.test.ops.yml b/docker-compose.test.ops.yml
index 69f4143b..df6bd812 100644
--- a/docker-compose.test.ops.yml
+++ b/docker-compose.test.ops.yml
@@ -2,24 +2,21 @@ version: "3.6"
 services:
   shibauth:
     image: testing-shibboleth
-    deploy:
-      placement:
-        constraints: [node.role == manager]
     deploy:
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`shib.pdas.prism.eox.at`)"
-        - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.emg-renderer.tls=true"
-        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.shibauth.tls=true"
+        - "traefik.http.routers.shibauth.tls.certresolver=default"
+        - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
-        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
-        - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
-        - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
+        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
         - "traefik.docker.network=shib-extnet"
         - "traefik.docker.lbswarm=true"
         - "traefik.enable=true"
-- 
GitLab


From a66a83f8630637692970a5e0bf8bc07a9a666c47 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 29 Sep 2020 17:51:08 +0200
Subject: [PATCH 011/162] Removing traefik rules for referrer based auth in
 URLs using shibboleth

---
 docker-compose.dem.ops.yml   | 20 --------------------
 docker-compose.emg.ops.yml   | 20 --------------------
 docker-compose.vhr18.ops.yml | 20 --------------------
 3 files changed, 60 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index a1f677ea..907564ca 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -42,16 +42,6 @@ services:
         - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
-        # router for referrer shibboleth based access (https)
-        - "traefik.http.routers.dem-renderer_referer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.dem-renderer_referer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.dem-renderer_referer.tls=true"
-        - "traefik.http.routers.dem-renderer_referer.tls.certresolver=default"
-        - "traefik.http.routers.dem-renderer_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -104,16 +94,6 @@ services:
         - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
-        # router for referrer shibboleth based access (https)
-        - "traefik.http.routers.dem-renderer_referer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.dem-renderer_referer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.dem-renderer_referer.tls=true"
-        - "traefik.http.routers.dem-renderer_referer.tls.certresolver=default"
-        - "traefik.http.routers.dem-renderer_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|dem-secure.pdas.prism.eox.at|dem-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
         - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 5d00a095..86fb801d 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -42,16 +42,6 @@ services:
         - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
-        # router for referrer shibboleth based access (https)
-        - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.emg-renderer_referer.tls=true"
-        - "traefik.http.routers.emg-renderer_referer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -104,16 +94,6 @@ services:
         - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
-        # router for referrer shibboleth based access (https)
-        - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.emg-renderer_referer.tls=true"
-        - "traefik.http.routers.emg-renderer_referer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg-secure.pdas.prism.eox.at|emg-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
         - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index ee885d69..4529ff57 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -43,16 +43,6 @@ services:
         - "traefik.http.routers.vhr18-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.vhr18-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer-redirect.entrypoints=http"
-        # router for referrer shibboleth based access (https)
-        - "traefik.http.routers.vhr18-renderer_referer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.vhr18-renderer_referer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.vhr18-renderer_referer.tls=true"
-        - "traefik.http.routers.vhr18-renderer_referer.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-renderer_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -104,16 +94,6 @@ services:
         - "traefik.http.routers.vhr18-cache-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.vhr18-cache-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache-renderer-redirect.entrypoints=http"
-        # router for referrer shibboleth based access (https)
-        - "traefik.http.routers.vhr18-cache-renderer_referer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.vhr18-cache-renderer_referer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.vhr18-cache-renderer_referer.tls=true"
-        - "traefik.http.routers.vhr18-cache-renderer_referer.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-cache-renderer_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.vhr18-cache-renderer_referer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|vhr18-secure.pdas.prism.eox.at|vhr18-secure.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.vhr18-cache-renderer_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-cache-renderer_referer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
-- 
GitLab


From 0a384d51582e2e1134abe3b8887a7c3c37a433d0 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 29 Sep 2020 20:49:09 +0200
Subject: [PATCH 012/162] update metadata to testing saml provider, still not
 working though

---
 shibauth/Dockerfile                      |  1 -
 shibauth/etc-httpd/conf.d/shib.conf      |  6 ------
 shibauth/etc-httpd/conf.d/sp.conf        | 19 +++++++++++++++++++
 shibauth/shibboleth-conf/shibboleth2.xml |  2 +-
 4 files changed, 20 insertions(+), 8 deletions(-)
 delete mode 100644 shibauth/etc-httpd/conf.d/shib.conf
 create mode 100644 shibauth/etc-httpd/conf.d/sp.conf

diff --git a/shibauth/Dockerfile b/shibauth/Dockerfile
index 986fbddc..3f278c26 100644
--- a/shibauth/Dockerfile
+++ b/shibauth/Dockerfile
@@ -37,4 +37,3 @@ LABEL name="prism view server cache" \
 COPY shibboleth-conf /etc/shibboleth/
 COPY etc-httpd/ /etc/httpd/
 COPY index.html /var/www/html/
-
diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
deleted file mode 100644
index 2c7d35d2..00000000
--- a/shibauth/etc-httpd/conf.d/shib.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-ServerName shib.pdas.prism.eox.at
-LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
-<Location /Shibboleth.sso>
-  SetHandler shib
-</Location>
-DocumentRoot "/var/www/html"
\ No newline at end of file
diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
new file mode 100644
index 00000000..9de6cc7a
--- /dev/null
+++ b/shibauth/etc-httpd/conf.d/sp.conf
@@ -0,0 +1,19 @@
+ServerName shib.pdas.prism.eox.at
+
+<VirtualHost *:80>
+    ServerName https://shib.pdas.prism.eox.at:443
+    UseCanonicalName On
+
+    DocumentRoot "/var/www/html"
+
+    <Location />
+        AuthType shibboleth
+        ShibRequestSetting requireSession 1
+        require shib-session
+    </Location>
+
+    <Location /Shibboleth.sso>
+      Satisfy Any
+      Allow from all
+    </Location>
+</VirtualHost>
\ No newline at end of file
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index 2769ec5f..8a916cfb 100644
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -8,7 +8,7 @@
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
-            <SSO entityID="https://idptestbed/idp/shibboleth">
+            <SSO entityID="https://samltest.id/saml/idp">
               SAML2 SAML1
             </SSO>
             <Logout>SAML2 Local</Logout>
-- 
GitLab


From c87648a08842d594521d683479306ddca04774fe Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 12:19:58 +0200
Subject: [PATCH 013/162] use http internally for handler, overwrite shib.conf
 completely, do not validate metadata

---
 shibauth/etc-httpd/conf.d/shib.conf      | 13 +++++++++++++
 shibauth/etc-httpd/conf.d/sp.conf        | 19 -------------------
 shibauth/shibboleth-conf/shibboleth2.xml | 10 +++++-----
 3 files changed, 18 insertions(+), 24 deletions(-)
 create mode 100644 shibauth/etc-httpd/conf.d/shib.conf
 delete mode 100644 shibauth/etc-httpd/conf.d/sp.conf

diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
new file mode 100644
index 00000000..758f387c
--- /dev/null
+++ b/shibauth/etc-httpd/conf.d/shib.conf
@@ -0,0 +1,13 @@
+ServerName shib.pdas.prism.eox.at
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
+ShibCompatValidUser Off
+UseCanonicalName On
+<Location />
+  SetHandler shib
+</Location>
+
+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require shib-session
+</Location>
diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
deleted file mode 100644
index 9de6cc7a..00000000
--- a/shibauth/etc-httpd/conf.d/sp.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-ServerName shib.pdas.prism.eox.at
-
-<VirtualHost *:80>
-    ServerName https://shib.pdas.prism.eox.at:443
-    UseCanonicalName On
-
-    DocumentRoot "/var/www/html"
-
-    <Location />
-        AuthType shibboleth
-        ShibRequestSetting requireSession 1
-        require shib-session
-    </Location>
-
-    <Location /Shibboleth.sso>
-      Satisfy Any
-      Allow from all
-    </Location>
-</VirtualHost>
\ No newline at end of file
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index 8a916cfb..7bd47635 100644
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -4,22 +4,22 @@
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
-    <ApplicationDefaults entityID="https://pass.copernicus.eu"
+    <ApplicationDefaults entityID="https://shib.pdas.prism.eox.at/shibboleth"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="true" cookieProps="https">
+                  checkAddress="false" handlerSSL="false" cookieProps="http">
             <SSO entityID="https://samltest.id/saml/idp">
-              SAML2 SAML1
+              SAML2
             </SSO>
             <Logout>SAML2 Local</Logout>
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-            <Handler type="Status" Location="/Status" acl="10.0.0.0/24 127.0.0.1 ::1"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
         </Sessions>
         <Errors supportContact="admin@eox.at"
             helpLocation="/about.html"/>
-        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
         <AttributeResolver type="Query" subjectMatch="true"/>
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-- 
GitLab


From 26454276a31a90d2641b17e9d3a7ea1ef3183e4e Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 13:17:58 +0200
Subject: [PATCH 014/162] update config forwardauth url, remove not necessary
 files, add shibauth to base compose

---
 docker-compose.base.ops.yml              |  28 +++++
 shibauth/shibboleth-conf/shibd.logger    |  76 ------------
 shibauth/shibboleth-conf/sp-metadata.xml | 141 -----------------------
 traefik-dynamic.yml                      |   2 +-
 4 files changed, 29 insertions(+), 218 deletions(-)
 delete mode 100644 shibauth/shibboleth-conf/shibd.logger
 delete mode 100644 shibauth/shibboleth-conf/sp-metadata.xml

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index f29bcc7c..1aecaffa 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,6 +28,32 @@ services:
       - emg-extnet
       - dem-extnet
       - logging-extnet
+      - shibauth-extnet
+  shibauth:
+    image: testing-shibboleth
+    deploy:
+      # labels:
+      #   # router for basic auth based access (https)
+      #   - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
+      #   - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+      #   - "traefik.http.routers.shibauth.tls=true"
+      #   - "traefik.http.routers.shibauth.tls.certresolver=default"
+      #   - "traefik.http.routers.shibauth.entrypoints=https"
+      #   # router for basic auth based access (http)
+      #   - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
+      #   - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+      #   - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+      #   # general
+      #   - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+      #   - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+      #   - "traefik.docker.network=shib-extnet"
+      #   - "traefik.docker.lbswarm=true"
+      #   - "traefik.enable=true"
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+    networks:
+      - shibauth-extnet      
 volumes:
   traefik-data:
 networks:
@@ -39,3 +65,5 @@ networks:
     name: dem-extnet
   logging-extnet:
     name: logging-extnet
+  shibauth-extnet:
+    name: shibauth-extnet
diff --git a/shibauth/shibboleth-conf/shibd.logger b/shibauth/shibboleth-conf/shibd.logger
deleted file mode 100644
index e9526645..00000000
--- a/shibauth/shibboleth-conf/shibd.logger
+++ /dev/null
@@ -1,76 +0,0 @@
-# set overall behavior
-log4j.rootCategory=INFO, shibd_log, warn_log
-
-# fairly verbose for DEBUG, so generally leave at INFO
-log4j.category.XMLTooling.XMLObject=INFO
-log4j.category.XMLTooling.KeyInfoResolver=INFO
-log4j.category.Shibboleth.IPRange=INFO
-log4j.category.Shibboleth.PropertySet=INFO
-
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=INFO
-
-# useful categories to tune independently:
-#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
-#log4j.category.XMLTooling.SOAPClient=DEBUG
-# interprocess message remoting
-#log4j.category.Shibboleth.Listener=DEBUG
-# mapping of requests to applicationId
-#log4j.category.Shibboleth.RequestMapper=DEBUG
-# high level session cache operations
-#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
-
-# logs XML being signed or verified if set to DEBUG
-log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
-log4j.additivity.XMLTooling.Signature.Debugger=false
-log4j.ownAppenders.XMLTooling.Signature.Debugger=true
-
-# the tran log blocks the "default" appender(s) at runtime
-# Level should be left at INFO for this category
-log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
-log4j.additivity.Shibboleth-TRANSACTION=false
-log4j.ownAppenders.Shibboleth-TRANSACTION=true
-
-# uncomment to suppress particular event types
-#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
-#log4j.category.Shibboleth-TRANSACTION.Login=WARN
-#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
-
-# define the appenders
-
-log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
-log4j.appender.shibd_log.fileName=/dev/stdout
-log4j.appender.shibd_log.maxFileSize=0
-log4j.appender.shibd_log.maxBackupIndex=0
-log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.shibd_log.layout.ConversionPattern=sp-shibd %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
-#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
-#log4j.appender.warn_log.maxFileSize=0
-#log4j.appender.warn_log.maxBackupIndex=0
-#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
-#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-#log4j.appender.warn_log.threshold=WARN
-
-log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
-log4j.appender.tran_log.fileName=/dev/stdout
-log4j.appender.tran_log.maxFileSize=0
-log4j.appender.tran_log.maxBackupIndex=0
-log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.tran_log.layout.ConversionPattern=sp-transaction %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-log4j.appender.sig_log=org.apache.log4j.FileAppender
-log4j.appender.sig_log.fileName=/dev/stdout
-log4j.appender.sig_log.maxFileSize=0
-log4j.appender.sig_log.maxBackupIndex=0
-log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.sig_log.layout.ConversionPattern=sp-signature %m
-
-
diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
deleted file mode 100644
index bfa4da80..00000000
--- a/shibauth/shibboleth-conf/sp-metadata.xml
+++ /dev/null
@@ -1,141 +0,0 @@
-<EntityDescriptor entityID="https://pass.copernicus.eu/shibboleth" validUntil="2040-01-01T00:00:00Z"
-                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-
-        <KeyDescriptor>
-            <ds:KeyInfo>
-                <ds:X509Data>
-                    <ds:X509Certificate>
-MIIHijCCBnKgAwIBAgIQPWbuJob/1pRBDBHQrAelKDANBgkqhkiG9w0BAQsFADB4
-MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
-U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
-Q29tIENsYXNzIDMgT1YgU2VydmVyIENBMB4XDTE2MDUzMDIwMjAwNFoXDTE5MDUz
-MDIwMjAwNFowZDELMAkGA1UEBhMCQVQxDTALBgNVBAgMBFdpZW4xDTALBgNVBAcM
-BFdpZW4xHTAbBgNVBAoMFEVPWCBJVCBTZXJ2aWNlcyBHbWJIMRgwFgYDVQQDDA9l
-c2EubWFwcy5lb3guYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCX
-GBReYwFVvkSrourZRd4zBBlo9apZHXxt+kk4bNbk1n70YNeFUaxJpwFQqkfwghrg
-9tctD2B9HLDZl+LMnO6IXAzXkn8OHzt9vf4lVLDYOSHcC/oAt4aQjr98Anl1q822
-/FJ6csFtFAmEIg8P6NHByHlwaSM1yxcrc7ZgR+xph0/sQijh4jxOlcNfCGRy0VBt
-lJE0rLSAmIN/LUX/hf1P4psbPlXNLl1U3Du6sh+pkgWV5gsKJBxAYJvptlahn9Ud
-b6FBFngM/Z9rk/M4R692z5WWLwfxFScEw3/FfF9aH5ztCAM1u3L5QjqANcdbVl86
-x2kUXZh9A7EjUhnI25xu4aEVJBHTcq46rZQw88lW/+Xxavon03dHuaHhrZXMF5mD
-rIGvumSlB1XzCz2lOQG4zrUnXtKw6rm7fr20Zn5KQEgiUD+d2Hs8lvkWmP0qKiP+
-EWdJrAfprv85tKqQMxldnrOK9FwH9TQh4TmhYlp+6vvsfZMZB4uDMlvKBtlI+7Yh
-O61HKIDSsEqq6tdy312ENOjZVZsPsNkZCdOm6irTTymB9Id1LJ+3jv+lakPzluW/
-rTeq2S0UMMvByRsTGiI3ettxgOwo/jWAJiMTWb26ldpxHqyvOIX7b40Wvk+KRx9T
-Vgx4kkuS5ycNi0YgUBs98imh8GXvBEufvpZCtcd5OQIDAQABo4IDIjCCAx4wDgYD
-VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAJBgNV
-HRMEAjAAMB0GA1UdDgQWBBRX3j8T9Ti5uurAxnFHSb/P6Q4Z9jAfBgNVHSMEGDAW
-gBSxPxySe5KwWiWzOPucB6QmUDLjUTBvBggrBgEFBQcBAQRjMGEwJAYIKwYBBQUH
-MAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTA5BggrBgEFBQcwAoYtaHR0cDov
-L2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2NhLnNlcnZlcjMuY3J0MDgGA1UdHwQx
-MC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3NjYS1zZXJ2ZXIzLmNy
-bDB4BgNVHREEcTBvgg9lc2EubWFwcy5lb3guYXSCFXRpbGVzLmVzYS5tYXBzLmVv
-eC5hdIIXKi50aWxlcy5lc2EubWFwcy5lb3guYXSCE29zbS5lc2EubWFwcy5lb3gu
-YXSCF3N0YWdpbmcuZXNhLm1hcHMuZW94LmF0MCMGA1UdEgQcMBqGGGh0dHA6Ly93
-d3cuc3RhcnRzc2wuY29tLzBRBgNVHSAESjBIMAgGBmeBDAECAjA8BgsrBgEEAYG1
-NwECBTAtMCsGCCsGAQUFBwIBFh9odHRwczovL3d3dy5zdGFydHNzbC5jb20vcG9s
-aWN5MIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAaPaY+B9kgr46jO65KB1M/HFR
-XWeT1ETRCmesu09P+8QAAAFVA3EKawAABAMARzBFAiAQMFKOGTFIZzbVuZ8R2C+u
-4QgL0vnSOBT3ylGgjAf+AQIhAOHkMTkhr0APu8jaCkos4c9k8vrn5DWq0k8WXT12
-ip4fAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFVA3EMcwAA
-BAMARjBEAiASftiRTzUpe+IDonZidGHzHKlKwPZoaOE2zqsH1AW9jgIgM7Jmphm1
-rGkakcVooaUudEfCTN/fTJ7cs3kPiljWmkgwDQYJKoZIhvcNAQELBQADggEBAIp2
-QqqJ6+TRRr7cBeiMw+4MrQhbaf+Y0bAsPOF9KOnQ9JMavEki08JRLYLVSraqDW1+
-mrlk+mbvh9mEFkTIvwW5wt/S5tgbRE/fmDBTElRwLPVlvbwRNKNg/54lXhwgETM8
-oTOfxC+dK7bg+EFj3r71d7wf/qhPCBYmN9yk2z4tby1nYI6c+8xXVxnrKGIOOb/X
-MAB1eHNvjMHHmhlSV33Z6nqrTzeUEDS5R6X1v3lCtP/058o6NDdLmJ/hTy/So5eB
-8NwcilckyoYeI64QXg61KmH+9+scQ2bddWtuDJvnNo0NH1XPOuxl9HpaxBSzIflK
-2Wfpr7x/2VCKeO7Mfpo=
-                    </ds:X509Certificate>
-                </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-
-        <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <SingleLogoutService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
-            xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-
-        <!--
-            This tells IdPs where and how to push assertions through the browser. Mostly
-            the SP will tell the IdP what location to use in its request, but this
-            is how the IdP validates the location and also figures out which
-            SAML version/binding to use.
-            -->
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="6" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-        <AssertionConsumerService
-            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
-            index="8" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-
-        <!-- This tells IdPs that you only need transient identifiers. -->
-        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-
-    </SPSSODescriptor>
-
-    <Organization>
-        <OrganizationName xml:lang="en">eox</OrganizationName>
-        <OrganizationDisplayName xml:lang="en">EOX IT Services GmbH</OrganizationDisplayName>
-        <OrganizationURL xml:lang="en">http://eox.at</OrganizationURL>
-    </Organization>
-</EntityDescriptor>
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 0291f929..495ef4eb 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,7 +22,7 @@ http:
           - "***REMOVED***"
     shibAuth:
       forwardAuth:
-        address: http://auth/auth
+        address: http://shibauth/secure
         trustForwardHeader: true
     compress:
       compress: {}
-- 
GitLab


From 1dc82314529cc31453679294e7e4254d57565470 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 13:26:38 +0200
Subject: [PATCH 015/162] update pass copernicus shib urls for traefik

---
 docker-compose.dem.ops.yml   | 4 ++--
 docker-compose.emg.ops.yml   | 8 ++++----
 docker-compose.vhr18.ops.yml | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 907564ca..1f14e215 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -33,13 +33,13 @@ services:
         - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.dem-renderer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.dem-renderer.middlewares=compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.dem-renderer.tls=true"
         - "traefik.http.routers.dem-renderer.tls.certresolver=default"
         - "traefik.http.routers.dem-renderer.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
         # general
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 86fb801d..019e638a 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -33,13 +33,13 @@ services:
         - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.emg-renderer.tls=true"
         - "traefik.http.routers.emg-renderer.tls.certresolver=default"
         - "traefik.http.routers.emg-renderer.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
         # general
@@ -85,13 +85,13 @@ services:
         - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.emg-renderer.tls=true"
         - "traefik.http.routers.emg-renderer.tls.certresolver=default"
         - "traefik.http.routers.emg-renderer.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
         # general
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 4529ff57..22c58ea4 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -34,13 +34,13 @@ services:
         - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.vhr18-renderer.middlewares=compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.vhr18-renderer.tls=true"
         - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
         - "traefik.http.routers.vhr18-renderer.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.vhr18-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.vhr18-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer-redirect.entrypoints=http"
         # general
@@ -85,13 +85,13 @@ services:
         - "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.vhr18-cache-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-cache-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.vhr18-cache-renderer.middlewares=compress@file,cors@file,shibAuth@file"
         - "traefik.http.routers.vhr18-cache-renderer.tls=true"
         - "traefik.http.routers.vhr18-cache-renderer.tls.certresolver=default"
         - "traefik.http.routers.vhr18-cache-renderer.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.vhr18-cache-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-cache-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.vhr18-cache-renderer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache-renderer-redirect.entrypoints=http"
         # general
-- 
GitLab


From 5d892ea5202811afbe7600e7d1901b3b08359e8d Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 13:29:20 +0200
Subject: [PATCH 016/162] rename shibextnet

---
 docker-compose.base.ops.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 1aecaffa..a7b647cb 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -53,7 +53,7 @@ services:
       placement:
         constraints: [node.role == manager]
     networks:
-      - shibauth-extnet      
+      - shib-extnet
 volumes:
   traefik-data:
 networks:
@@ -65,5 +65,5 @@ networks:
     name: dem-extnet
   logging-extnet:
     name: logging-extnet
-  shibauth-extnet:
-    name: shibauth-extnet
+  shib-extnet:
+    name: shib-extnet
-- 
GitLab


From ba5d76ee29773ea09df31dc72a28642ba0093cb9 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 14:52:09 +0200
Subject: [PATCH 017/162] fix traefik labels to be unique

---
 docker-compose.dem.ops.yml   | 32 ++++++++++++++++----------------
 docker-compose.emg.ops.yml   | 32 ++++++++++++++++----------------
 docker-compose.vhr18.ops.yml | 32 ++++++++++++++++----------------
 3 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 1f14e215..46c6a135 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -33,15 +33,15 @@ services:
         - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.dem-renderer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.dem-renderer.tls=true"
-        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
-        - "traefik.http.routers.dem-renderer.entrypoints=https"
+        - "traefik.http.routers.dem-renderer-shib.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.dem-renderer-shib.tls=true"
+        - "traefik.http.routers.dem-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer-shib.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
+        - "traefik.http.routers.dem-renderer-shib-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-shib-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -85,15 +85,15 @@ services:
         - "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.dem-renderer.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.dem-renderer.tls=true"
-        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
-        - "traefik.http.routers.dem-renderer.entrypoints=https"
+        - "traefik.http.routers.dem-cache-shib.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-cache-shib.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.dem-cache-shib.tls=true"
+        - "traefik.http.routers.dem-cache-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-cache-shib.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
+        - "traefik.http.routers.dem-cache-shib-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-cache-shib-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-cache-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
         - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 019e638a..9054dbe2 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -33,15 +33,15 @@ services:
         - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.emg-renderer.tls=true"
-        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.emg-renderer-shib.tls=true"
+        - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        - "traefik.http.routers.emg-renderer-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-shib-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -85,15 +85,15 @@ services:
         - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.emg-renderer.tls=true"
-        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        - "traefik.http.routers.emg-cache-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-cache-shib.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.emg-cache-shib.tls=true"
+        - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-cache-shib.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        - "traefik.http.routers.emg-cache-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-cache-shib-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-cache-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
         - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 22c58ea4..443001b6 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -34,15 +34,15 @@ services:
         - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.vhr18-renderer.tls=true"
-        - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-renderer.entrypoints=https"
+        - "traefik.http.routers.vhr18-renderer-shib.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.vhr18-renderer-shib.tls=true"
+        - "traefik.http.routers.vhr18-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-renderer-shib.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.vhr18-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-renderer-redirect.entrypoints=http"
+        - "traefik.http.routers.vhr18-renderer-shib-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer-shib-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -85,15 +85,15 @@ services:
         - "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
         # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.vhr18-cache-renderer.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-cache-renderer.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.vhr18-cache-renderer.tls=true"
-        - "traefik.http.routers.vhr18-cache-renderer.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-cache-renderer.entrypoints=https"
+        - "traefik.http.routers.vhr18-cache-renderer-shib.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-cache-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.vhr18-cache-renderer-shib.tls=true"
+        - "traefik.http.routers.vhr18-cache-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-cache-renderer-shib.entrypoints=https"
         # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.vhr18-cache-renderer-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-cache-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-cache-renderer-redirect.entrypoints=http"
+        - "traefik.http.routers.vhr18-cache-renderer-shib-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-cache-renderer-shib-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-cache-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
-- 
GitLab


From 4f6d22d4e00ae6d3f26c99ee0a11f094a2f51d41 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 14:54:27 +0200
Subject: [PATCH 018/162] fix typo

---
 docker-compose.base.ops.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index a7b647cb..bf6103e8 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,7 +28,7 @@ services:
       - emg-extnet
       - dem-extnet
       - logging-extnet
-      - shibauth-extnet
+      - shib-extnet
   shibauth:
     image: testing-shibboleth
     deploy:
-- 
GitLab


From 658e2e48d081f1c659ad57470d9800c8be5f3f69 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 15:22:38 +0200
Subject: [PATCH 019/162] intnet shib network

---
 docker-compose.base.ops.yml | 23 ++---------------------
 1 file changed, 2 insertions(+), 21 deletions(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index bf6103e8..dbf099ee 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,32 +28,14 @@ services:
       - emg-extnet
       - dem-extnet
       - logging-extnet
-      - shib-extnet
   shibauth:
     image: testing-shibboleth
     deploy:
-      # labels:
-      #   # router for basic auth based access (https)
-      #   - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
-      #   - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
-      #   - "traefik.http.routers.shibauth.tls=true"
-      #   - "traefik.http.routers.shibauth.tls.certresolver=default"
-      #   - "traefik.http.routers.shibauth.entrypoints=https"
-      #   # router for basic auth based access (http)
-      #   - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
-      #   - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
-      #   - "traefik.http.routers.shibauth-redirect.entrypoints=http"
-      #   # general
-      #   - "traefik.http.services.shibauth.loadbalancer.sticky=false"
-      #   - "traefik.http.services.shibauth.loadbalancer.server.port=80"
-      #   - "traefik.docker.network=shib-extnet"
-      #   - "traefik.docker.lbswarm=true"
-      #   - "traefik.enable=true"
       replicas: 1
       placement:
         constraints: [node.role == manager]
     networks:
-      - shib-extnet
+      - intnet
 volumes:
   traefik-data:
 networks:
@@ -65,5 +47,4 @@ networks:
     name: dem-extnet
   logging-extnet:
     name: logging-extnet
-  shib-extnet:
-    name: shib-extnet
+  intnet:
-- 
GitLab


From 3fa843b0f64beca18fa7f9823c0975975a2e21bf Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 15:38:20 +0200
Subject: [PATCH 020/162] correct typo intnet traefik service

---
 docker-compose.base.ops.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index dbf099ee..d16ac8c4 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,6 +28,7 @@ services:
       - emg-extnet
       - dem-extnet
       - logging-extnet
+      - intnet
   shibauth:
     image: testing-shibboleth
     deploy:
-- 
GitLab


From de7a16c83e521c3a0a85d6a4eaf5c0231c62216b Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 30 Sep 2020 16:04:01 +0200
Subject: [PATCH 021/162] latest progress

---
 docker-compose.base.ops.yml | 29 ++++++++++++++++++++++++++---
 traefik-dynamic.yml         |  2 +-
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index d16ac8c4..7ac26701 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,15 +28,37 @@ services:
       - emg-extnet
       - dem-extnet
       - logging-extnet
-      - intnet
+      - shib-extnet
   shibauth:
     image: testing-shibboleth
     deploy:
       replicas: 1
       placement:
         constraints: [node.role == manager]
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.shibauth.tls=true"
+        - "traefik.http.routers.shibauth.tls.certresolver=default"
+        - "traefik.http.routers.shibauth.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+        - "traefik.docker.network=shib-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"        
+      # labels:
+      #   - "traefik.enable=true"
+      #   - "traefik.frontend.rule=Host:shib.pdas.prism.eox.at"
+      #   - "traefik.port=80"
+      #   - "traefik.frontend.passHostHeader=true"
     networks:
-      - intnet
+      - shib-extnet
 volumes:
   traefik-data:
 networks:
@@ -48,4 +70,5 @@ networks:
     name: dem-extnet
   logging-extnet:
     name: logging-extnet
-  intnet:
+  shib-extnet:
+    name: shib-extnet
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 495ef4eb..9b51a489 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,7 +22,7 @@ http:
           - "***REMOVED***"
     shibAuth:
       forwardAuth:
-        address: http://shibauth/secure
+        address: http://shib.pdas.prism.eox.at/secure
         trustForwardHeader: true
     compress:
       compress: {}
-- 
GitLab


From 15a9e1176d6c116752706bbc3ab35508b8fb4322 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 5 Oct 2020 09:36:06 +0200
Subject: [PATCH 022/162] t

---
 docker-compose.base.ops.yml | 2 +-
 shibauth/Dockerfile         | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 7ac26701..807af599 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -51,7 +51,7 @@ services:
         - "traefik.http.services.shibauth.loadbalancer.server.port=80"
         - "traefik.docker.network=shib-extnet"
         - "traefik.docker.lbswarm=true"
-        - "traefik.enable=true"        
+        - "traefik.enable=true"
       # labels:
       #   - "traefik.enable=true"
       #   - "traefik.frontend.rule=Host:shib.pdas.prism.eox.at"
diff --git a/shibauth/Dockerfile b/shibauth/Dockerfile
index 3f278c26..88efe7cb 100644
--- a/shibauth/Dockerfile
+++ b/shibauth/Dockerfile
@@ -33,7 +33,7 @@ LABEL name="prism view server cache" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server shibauth" \
       version="0.0.1"
-
+RUN mkdir -p /var/www/secure
 COPY shibboleth-conf /etc/shibboleth/
 COPY etc-httpd/ /etc/httpd/
-COPY index.html /var/www/html/
+COPY index.html /var/www/html/secure
-- 
GitLab


From 837253323372dd260e76ba4ee408855d62a7a03d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 7 Oct 2020 13:47:43 +0200
Subject: [PATCH 023/162] initial renderer service

---
 chart/.helmignore                        | 23 ++++++
 chart/Chart.yaml                         | 18 +++++
 chart/README.md                          |  1 +
 chart/templates/_helpers.tpl             | 63 ++++++++++++++++
 chart/templates/init-db-configmap.yaml   |  7 ++
 chart/templates/renderer-deployment.yaml | 93 +++++++++++++++++++++++
 chart/values-init-db.yaml                | 80 ++++++++++++++++++++
 chart/values.yaml                        | 96 ++++++++++++++++++++++++
 8 files changed, 381 insertions(+)
 create mode 100644 chart/.helmignore
 create mode 100644 chart/Chart.yaml
 create mode 100644 chart/README.md
 create mode 100644 chart/templates/_helpers.tpl
 create mode 100644 chart/templates/init-db-configmap.yaml
 create mode 100644 chart/templates/renderer-deployment.yaml
 create mode 100644 chart/values-init-db.yaml
 create mode 100644 chart/values.yaml

diff --git a/chart/.helmignore b/chart/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/chart/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
new file mode 100644
index 00000000..a91297c6
--- /dev/null
+++ b/chart/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: vs
+description: A Helm chart for Kubernetes of the View Server (VS)
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0-beta.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.0.0-beta.1
+
+maintainers:
+  - name: EOX IT Services GmbH
+    url: https://eox.at
diff --git a/chart/README.md b/chart/README.md
new file mode 100644
index 00000000..9ef273a0
--- /dev/null
+++ b/chart/README.md
@@ -0,0 +1 @@
+Chart for the View Server (VS) bundling all services
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
new file mode 100644
index 00000000..64cea4aa
--- /dev/null
+++ b/chart/templates/_helpers.tpl
@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vs.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 53 chars leaving space for 10 additional chars because some
+Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vs.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 53 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 53 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 53 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vs.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vs.labels" -}}
+helm.sh/chart: {{ include "vs.chart" . }}
+{{ include "vs.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "vs.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vs.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vs.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vs.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/init-db-configmap.yaml b/chart/templates/init-db-configmap.yaml
new file mode 100644
index 00000000..c012c5c6
--- /dev/null
+++ b/chart/templates/init-db-configmap.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  init-db.sh: |
+    {{- .Values.initDb }}
+kind: ConfigMap
+metadata:
+  name: {{ include "vs.fullname" . }}-init-db
diff --git a/chart/templates/renderer-deployment.yaml b/chart/templates/renderer-deployment.yaml
new file mode 100644
index 00000000..d8a8f83a
--- /dev/null
+++ b/chart/templates/renderer-deployment.yaml
@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "vs.fullname" . }}-renderer
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+    app.kubernetes.io/service: renderer
+spec:
+{{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.renderer.replicaCount }}
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "vs.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/service: renderer
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "false"
+      labels:
+        {{- include "vs.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/service: renderer
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-renderer
+          image: "registry.gitlab.eox.at/esa/prism/vs/pvs_core:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.renderer.resources | nindent 12 }}
+          args:
+            - /run-httpd.sh
+          env:
+            {{- range $key, $value := .Values.config.general }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $value := .Values.config.database }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $value := .Values.config.django }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $value := .Values.config.objectStorage.data }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            - name: INIT_SCRIPTS
+              value: /configure.sh /init-db.sh /initialized.sh
+            - name: INSTALL_DIR
+              value: /var/www/pvs/dev/
+            - name: INSTANCE_ID
+              value: prism-view-server_renderer
+            - name: STARTUP_SCRIPTS
+              value: /wait-initialized.sh
+            - name: WAIT_SERVICES
+              value: {{ .Values.config.database.DB_HOST }}:{{ .Values.config.database.DB_PORT }}
+          volumeMounts:
+            - mountPath: /init-db.sh
+              name: init-db
+              subPath: init-db.sh
+      {{- with .Values.renderer.affinity | default .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - configMap:
+            items:
+              - key: vhr18_init-db.sh
+                path: init-db.sh
+            name: init-db
+          name: {{ include "vs.fullname" . }}-init-db
diff --git a/chart/values-init-db.yaml b/chart/values-init-db.yaml
new file mode 100644
index 00000000..23118ada
--- /dev/null
+++ b/chart/values-init-db.yaml
@@ -0,0 +1,80 @@
+initDb: |
+    # Check if collection exits in database and initialize database only if not
+    if python3 manage.py id check "${COLLECTION}"; then
+        echo "Initialize database"
+
+        python3 manage.py coveragetype import /rgbnir_definition.json --traceback
+
+        if [ "${COLLECTION}" == "VHR_IMAGE_2018" ]; then
+            echo "Initializing collection '${COLLECTION}'."
+
+            # PL00
+            python3 manage.py producttype create "${COLLECTION}"_Product_PL00 --traceback \
+                --coverage-type "RGBNir"
+            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 --traceback \
+                --red "red" \
+                --green "green" \
+                --blue "blue" \
+                --red-range 1000 15000 \
+                --green-range 1000 15000 \
+                --blue-range 1000 15000 \
+                --red-nodata 0 \
+                --green-nodata 0 \
+                --blue-nodata 0
+            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "TRUE_COLOR" --traceback \
+                --red "red" \
+                --green "green" \
+                --blue "blue" \
+                --red-range 1000 15000 \
+                --green-range 1000 15000 \
+                --blue-range 1000 15000 \
+                --red-nodata 0 \
+                --green-nodata 0 \
+                --blue-nodata 0
+            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "FALSE_COLOR" --traceback \
+                --red "nir" \
+                --green "red" \
+                --blue "green" \
+                --red-range 1000 15000 \
+                --green-range 1000 15000 \
+                --blue-range 1000 15000 \
+                --red-nodata 0 \
+                --green-nodata 0 \
+                --blue-nodata 0
+            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "NDVI" --traceback \
+                --grey "(nir-red)/(nir+red)" --grey-range -1 1
+
+
+            python3 manage.py collectiontype create "${COLLECTION}"_Collection --traceback \
+                --coverage-type "RGBNir" \
+                --product-type "${COLLECTION}"_Product_PL00
+
+            # Create collections for all products
+            python3 manage.py collection create "${COLLECTION}" --type "${COLLECTION}"_Collection --traceback
+
+            # Register mask type
+            python3 manage.py masktype create --validity "${COLLECTION}"_Product_PL00 validity
+
+        else
+            echo "Provided collection '${COLLECTION}' not valid."
+        fi
+
+        python3 manage.py storageauth create auth-cloud-ovh "${OS_AUTH_URL_SHORT}" \
+            --type keystone \
+            -p auth-version "${ST_AUTH_VERSION}" \
+            -p identity-api-version="${ST_AUTH_VERSION}" \
+            -p username "${OS_USERNAME}" \
+            -p password "${OS_PASSWORD}" \
+            -p tenant-name "${OS_TENANT_NAME}" \
+            -p tenant-id "${OS_TENANT_ID}" \
+            -p region-name "${OS_REGION_NAME}"
+
+        python3 manage.py storage create \
+            ${UPLOAD_CONTAINER} ${UPLOAD_CONTAINER} \
+            --type swift \
+            --storage-auth auth-cloud-ovh
+
+
+    else
+        echo "Using existing database"
+    fi
diff --git a/chart/values.yaml b/chart/values.yaml
new file mode 100644
index 00000000..75b000cd
--- /dev/null
+++ b/chart/values.yaml
@@ -0,0 +1,96 @@
+config:
+  general:
+    COLLECTION: COLLECTION
+    CPL_VSIL_CURL_ALLOWED_EXTENSIONS: .TIF,.tif,.xml
+    GDAL_DISABLE_READDIR_ON_OPEN: "TRUE"
+    COLLECT_STATIC: "false"
+  database:
+    DB_HOST: database
+    DB_NAME: dbname
+    DB_PORT: "5432"
+    DB_PW: dbpw
+    DB_USER: dbuser
+    POSTGRES_DB: dbname
+    POSTGRES_PASSWORD: dbpw
+    POSTGRES_USER: dbuser
+  django:
+    DJANGO_MAIL: office@eox.at
+    DJANGO_PASSWORD: djangopw
+    DJANGO_USER: djangouser
+  objectStorage:
+    download:
+      OS_AUTH_URL_DOWNLOAD: https://auth.cloud.ovh.net/
+      OS_PASSWORD_DOWNLOAD: ospw
+      OS_REGION_NAME_DOWNLOAD: SERCO-DIAS1
+      OS_TENANT_ID_DOWNLOAD: tenantid
+      OS_TENANT_NAME_DOWNLOAD: "tenantname"
+      OS_USERNAME_DOWNLOAD: osuser
+      ST_AUTH_VERSION_DOWNLOAD: "3"
+    data:
+      OS_AUTH_URL: https://auth.cloud.ovh.net/v3/
+      OS_AUTH_URL_SHORT: https://auth.cloud.ovh.net/
+      OS_PASSWORD: ospw
+      OS_REGION_NAME: SERCO-DIAS1
+      OS_TENANT_ID: tenantid
+      OS_TENANT_NAME: "tenantname"
+      OS_USER_DOMAIN_NAME: default
+      OS_USERNAME: osuser
+      ST_AUTH_VERSION: "3"
+    cache:
+      S3_BUCKET: s3bucket
+      S3_ID: s3id
+      S3_SECRET: s3secret
+      S3_REGION: eu-central-1
+  preprocessing:
+    UPLOAD_CONTAINER: container
+    ENFORCE_FOUR_BANDS: "True"
+    SPLIT_PARTS_CHECK: "False"
+  redis:
+    REDIS_HOST: redis
+    REDIS_PORT: "6379"
+    REDIS_PREPROCESS_QUEUE_KEY: preprocess_queue
+    REDIS_QUEUE_KEY: seed_queue
+    REDIS_REGISTER_QUEUE_KEY: register_queue
+    REDIS_REGISTERED_SET_KEY: registered_set
+    REDIS_SEED_QUEUE_KEY: seed_queue
+    REDIS_SET_KEY: registered_set
+
+renderer:
+  replicaCount: 1
+  resources:
+    limits:
+      cpu: 1.5
+      memory: 6Gi
+    requests:
+      cpu: 0.5
+      memory: 2Gi
+  affinity: {}
+
+replicaCount: 1
+
+image:
+  repository: registry.gitlab.eox.at/esa/prism/vs
+  pullPolicy: IfNotPresent
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+  tls: []
+
+affinity: {}
-- 
GitLab


From f85f092ff6219d2cc9256ad02ca18818316359e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 7 Oct 2020 14:05:44 +0200
Subject: [PATCH 024/162] add postgres chart dependency

---
 chart/Chart.yaml  | 6 ++++++
 chart/values.yaml | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index a91297c6..2f4a7b4e 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -16,3 +16,9 @@ appVersion: 1.0.0-beta.1
 maintainers:
   - name: EOX IT Services GmbH
     url: https://eox.at
+
+dependencies:
+  - name: "postgresql"
+    version: "9.7.2"
+    repository: "https://charts.bitnami.com/bitnami"
+    alias: database
diff --git a/chart/values.yaml b/chart/values.yaml
index 75b000cd..b411b1e0 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -55,6 +55,15 @@ config:
     REDIS_SEED_QUEUE_KEY: seed_queue
     REDIS_SET_KEY: registered_set
 
+database:
+  persistence:
+    enabled: true
+    existingClaim: eoepca-rm-db-pvc
+  postgresqlUsername: dbuser
+  postgresqlPassword: dbpw
+  postgresqlDatabase: dbname
+  postgresqlPostgresPassword: dbpgpw
+
 renderer:
   replicaCount: 1
   resources:
-- 
GitLab


From cfe694ef1137e29efddff76f5dc09ac23462b220 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 7 Oct 2020 14:25:13 +0200
Subject: [PATCH 025/162] adding initial ingress and service

---
 chart/templates/ingress.yaml             | 54 ++++++++++++++++++++++++
 chart/templates/renderer-deployment.yaml |  2 +-
 chart/templates/renderer-service.yaml    | 17 ++++++++
 chart/values.yaml                        |  9 ++--
 4 files changed, 77 insertions(+), 5 deletions(-)
 create mode 100644 chart/templates/ingress.yaml
 create mode 100644 chart/templates/renderer-service.yaml

diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml
new file mode 100644
index 00000000..05de097d
--- /dev/null
+++ b/chart/templates/ingress.yaml
@@ -0,0 +1,54 @@
+{{- $fullName := include "vs.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+  {{- end }}
+spec:
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          - path: /(ows.*)
+            backend:
+              serviceName: renderer
+              servicePort: http
+          - path: /(opensearch.*)
+            backend:
+              serviceName: renderer
+              servicePort: http
+          - path: /(admin.*)
+            backend:
+              serviceName: renderer
+              servicePort: http
+          # - path: /cache/(.*)
+          #   backend:
+          #     serviceName: cache
+          #     servicePort: http
+          # - path: /(.*)
+          #   backend:
+          #     serviceName: client
+          #     servicePort: http
+    {{- end }}
diff --git a/chart/templates/renderer-deployment.yaml b/chart/templates/renderer-deployment.yaml
index d8a8f83a..59e9666d 100644
--- a/chart/templates/renderer-deployment.yaml
+++ b/chart/templates/renderer-deployment.yaml
@@ -87,7 +87,7 @@ spec:
       volumes:
         - configMap:
             items:
-              - key: vhr18_init-db.sh
+              - key: init-db.sh
                 path: init-db.sh
             name: init-db
           name: {{ include "vs.fullname" . }}-init-db
diff --git a/chart/templates/renderer-service.yaml b/chart/templates/renderer-service.yaml
new file mode 100644
index 00000000..93be22e3
--- /dev/null
+++ b/chart/templates/renderer-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "vs.fullname" . }}-renderer
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+    app.kubernetes.io/service: renderer
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "vs.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/service: renderer
diff --git a/chart/values.yaml b/chart/values.yaml
index b411b1e0..b748774f 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -91,15 +91,16 @@ service:
   port: 80
 
 ingress:
-  enabled: false
   annotations:
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
     nginx.ingress.kubernetes.io/enable-cors: "true"
   hosts:
-    - host: chart-example.local
-      paths: []
-  tls: []
+    - host: vs.local
+  tls:
+    - hosts:
+        - vs.local
+      secretName: vs-secret
 
 affinity: {}
-- 
GitLab


From fa4515ce7dd97c9d990aa8da9134588c989bf31a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 7 Oct 2020 14:31:11 +0200
Subject: [PATCH 026/162] adding dependency

---
 chart/Chart.lock                  |   6 ++++++
 chart/charts/postgresql-9.7.2.tgz | Bin 0 -> 47550 bytes
 2 files changed, 6 insertions(+)
 create mode 100644 chart/Chart.lock
 create mode 100644 chart/charts/postgresql-9.7.2.tgz

diff --git a/chart/Chart.lock b/chart/Chart.lock
new file mode 100644
index 00000000..737d729e
--- /dev/null
+++ b/chart/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 9.7.2
+digest: sha256:a59e13b07f7f8f203ada856c39d69e9a4d2f4810e1265d9b80d8fe661331979e
+generated: "2020-10-07T14:27:02.464388398+02:00"
diff --git a/chart/charts/postgresql-9.7.2.tgz b/chart/charts/postgresql-9.7.2.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..6189f2c85ae6627787637a101759f2ce6acefca7
GIT binary patch
literal 47550
zcmV)uK$gEBiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POvJciT9UI12CI`V{q3dNy{iCEI!J(X-k8Ikr3TY1`3SPI~9*
z>1#tIBw<1kYyh;Qj&nczJ$NHQiliu6cI+AA%ycXgC=`l?LZMKoiYOOjhWQ`C_WlGh
z(Vd}b@NeraJ3Bi&uV21Y|L*MU<p14$zVrIucAvj~{(R@v&a3Co|7~aY`HP(w{{}m2
z#-p&rTp;#uJGbsDKe$IyP#98y1fe1CwE#RM@R+h$4-Sw(L&R|lMdTA^oY1fbSGz3~
zMaj?I-R@tzJ1rk`kC8~IXNrqpL>croYYqPAcneSnbodYKi4Mbo>JA0qn=W9ALNvxx
z917qwF7UJku<_yS;O)s^6RwGv$o6;|O%Nv>XbAX=z#%6?5)d&16#DWZ7bx@*^LfXk
z(<mS)^l-O@!!ZeQ55`nPL2E*%xCav<BHr8H9uqN%hh2|Ow}(W8XiBy{i9X*J4CC!7
z;sUeeRXSB##FIm{U`z!C2XT%C-{t~&pSjayn@q>f&yK3l+1=gwvb+1b8-?T6XFR*6
z%;&vU2b`|bAFWP8u~rB4JBFixc#5E{4tPN<F>Xx}2?Zh{W(pdfA`<k#qxRwdbuexL
zgh&$Qt$yaz$37$8|MfAK;HHQP5_U%{X^?r*($5^kIgOcz6#^CXHve{f>V3wnlNq>e
zc71)_O<!~=8*jI+ED!#*`?~wA^}VOjqb&}HUZEhy{0<g?YWe^2+3vGB`Ty$WP9y*C
zqda*6?*ckR0UW3q2xN-J7$U^b6bsCF>&X-72N-d@1tAp}!~_Wt6T;z|1Od=1%oy?I
zb3E603rOe%u}{J=_&CC$k3)}Oz9ogxh>T-~eGn94uG^0_DvA?j$NMp3a#cWAhy-XD
zBsEHq?dd0HcucrpdSy^g`f(5pu*a~F18Qj~a=}aazXxBxwVnWELG)lcvwxqWDNbuR
zAbaX5K*y>43!dq>Nh>ZWLu0%jAkHP&f%Cg1M{6Xovv8UL8eu2vFg!{Z9w|(<;8ZfT
zXsOy3Xw0|em=!2FWR?ugv?WwMjVLEVt^EZn9)Lh&yW)3zJR~UW?Cx~f^A|0ECr@Ay
zVULVvfKux8X+XT0etm#PC=LXdU;F7^aE)gCDUgvFpg?0F9G(V9U@o3+0S-6@j)kgz
zG&-fC&oIZKc&foAWaw>ge~yQkg;-$TC3M@T9^Z~RW}R_Ne7vnX;M-3khC5Ll1SA}H
z^fLuXvOt1r58SSFPah(!tpqdRc8DP$#?TDtXpR-Sh8p@8Ok*x!s5G2d!SEPH0{cKh
z#qe^~<PnmJN_JelcwhqY&wM+XJe`R8on&3#mLt)F>qLxPA%Q#gV{hBhK2hUM7*{^1
zVq7~M^(6$0vHWN=8pAb>10MqN8Ot{uW2uxe1SA|$HdPvlRLTN6)`W&50U~B0hqrr!
z_iARI?wuTgkB9MiECmD!VM;>c<Do-~D&4`<?x>FW_7e%dL&MGx@ku9vYX`0#^k9Sn
zj@5J<2qwD~R0<G5)aOa0nWJxv;vkUU2?U--l0#ubNj|G(sSnApl9B3zZp!KQME&`}
z!0Y9DlrU@drh(bV8GsVzQAmWN+PT6|zP_SCJjH#?ri62)<x34c9BX+?uS3iv8_OS&
zlrmhHCNQOOC?ZNi_36*zaF2iFnDs{d9iwq1yPpT%0>GgZ)V`&(k(TmJndm7NJ}EC4
z*)!D2t^B<}-mG2XtW)L~cFf8hji2pl1(~zD)VX`PlZ<#y_AHV<T5x1ITn;j3a@)60
zLxH~-F?~t}?y13f6M7w5o|YRX7}3C&$^r+UhDKaz7zRX_S?<=rq;LwUP!NVVpx5)$
zsJj5fuM-?X@=W$^cuRdytK&c$#e%k_nv@x%k}pz$5fr@1HC3NY19nFwD9HA{obFQ+
zVqYp!?BB<7er`d`rLghnbc#Zs_u!KF(1|a5>fd*8170kk<F}y=ozb&P4PGN8@x=zy
zU?!oC;y`WcKSVejOvp&U^@Mm6m>>?^^Ykv=pUIi)DJ+Q3VM7vfM*@@7L_t8WvA=1S
zy1&sFrf3G&NJ|*40}{Rrt>0L5LpjbN3H7=ok<pz*)Svs<MnJt$@=1MbKAC<}op!y+
zl=|5kcKyhKF#;_Si?E|a{6_^6P#`c1<yyhL3HIXvvn{~gaTnTB4gB2h&M9-Hvkv)E
z6iV6GF&lhmB2ME#kSM^Nq#v#AJxM#3GfA&Med^CopIgs<OBnSCe-Wzx0%|1-gH$70
z0A?ZS!S2q^uEKA>e3IV{mdWeEVsxEPogl0U%C3lqVbAmAig|lX)8|}+?jQ}?5LP`i
zy%jFFQXEPRf{rvRGK~Bg;4g#=DG>|=Fi^WvyHhXp>{D{dCtL#MN(9O|CN(-Q-&C(F
zgobKLYqQWiqnTy723<TFdN>k%J5o)yC0&y5W}ZnJL_AW)O0}xFD&4+%!hz8MD{(c*
zP)k-h!+*p?ZabBUa?qFX*bsRI03G96A)RBz46@cmtOb9BIKQUMH&5+PDLn#oh0ioV
z-h<s#ujaGRn=l&Em@8pT1Wc)qdqBf2prg?iFg&FKU!W)oX34K>Mue7L0rgN&uze^n
zn<*;)wfkzD#i1Zm+|j(&xkf>EBBsHUcOUmVzwRA(jt@T_9w(A7#c*FC*n_8ZG%{PU
zpBbHMts<TdwKjQ~8SN$bc%)V*G^AH}ORt2P24X_Fu`H;iZ-TCHhA^(3Q#1I7^TVFp
zQ+UdPEw!Eh$`aXPAI8%`3Mu^rI~veg3K{mbcm+vm`%E%*SBiDJ0;<8t>0(8%iySB}
zCF$nU0j1<HOlKF)Gc#L~{l1d*2^+yi%&`yGQkS?)Kcy5x60J+SvL^2?H|M6=GB(%k
zVL*r0?0t5)cW`ppo%&DoEDy&W)UgKWj?#8%*clPVMTf;9Y{)%eNCo~so2@6#j>e3R
z_wC%sk6D6(4W&rL5oYSAR3k}%$Cyi%JvIZD<GtgtaxDuxVuCx2Qqi&BA~RSegyz0S
zYW~g-F%bmc730iTDf=1;?`ieXSv90qE-TwdT2Jq#ZxpB#wJ<mU^=m*J5R6EGfrMOO
z<jZ+4J5#-cSA@|}od8`SMx>x^J(1tt;`uWP3M4(C^ho5M7{7|B_RMUKs7h(~3A+O%
zv#cmFI3TPCMW#TBg~DvlZYJdh!uO5krsyLm^Y71;0sexfQGk1z0R%&b;g$L!w{M#H
zfBx`6KLD*n^q@UNtgVTZwn_ei-+ouvB)W=J_C{oUf+D*W(i~`zlSuI_v`>if{S#wc
zF*{{zh9bfr0%Bu+M?`l&{E_NykBxa27X)6+1)ZujTCERq1(9o?!yJO4kRwmM4(Rya
z(ESw!l2!7&YSmA@J~@LiIzzUCV{g(^+$Ww$_MT{pgMD>$Aoo5J*w;3nAcp<7@o0n@
zZ}*`6a%bn{ZTp*IOtWnwS6He#GaAeF9imvsznN<%lUP6;s%`KDE6KvQ<s8GFpln{<
zEYpTOeZ;WMh176!ijh)^^3>aR$3I6tbu{f`f1Zwe+$uoBSb)?5RK*KrS)E{IPb_G)
zfFwT_Q$jxM`Z<EE!ckAuw!LFk8Qu}JGsK;MA|Lym5u?+N>aat_1hbBqpir$uzP7$O
zfFwqFQXU#&Ns{*L7Eo_~z<d~csQr|KW^1(x(Z-LVwqmM-|KZHOAR#DZY)i#==gEPU
z8V`7ka&Bv6G&reJM~q$(ALnXK$arFpqLk->g8VlcYrrAahgr$~4WjY;A<D2zVm&uT
z551?*JFgK&Lbg(-6s6P`;%BxYvhS9r$Q~a^3cQ^a?*_pT?mgwA=RW9DCg!JqK-7s_
zEG9S<w$oCfpmx)tcKC?K7n33Cnh$Laus!gp(o*&ADqm~iluxTyPWJ+0_u!_ZPTn*z
zk^cB{KhK4FKA~JBk5wi0Bv)ZNOC42aT&btKe|^^7ef3j!r@OQL>;+8ymk#sF^-F!j
zDxs?PFX!{es3menv*p|nTTil}6AXF_5GoT>$qU&u2hFUh+S!M@Tp)!$p&??*K5Z(P
z87lV%NPtqBU`VN`^VKbg{1-Rk35SBs)Y(KwBh~dYlCEWu9cVcEfOa~&kWVi(@GhV9
z;KrQX!ju2AJtW~apV$Z3n^0&UP~dcm#e{_8Zo7!4H3nPytur|0an2E6YumN@gblfn
zNPbO?${aWjIgtc+kLWgY_{ooOP1$Ea0aZtG4nja#35I#p&CVdB3gwiZWJ{;`+U_}|
zMEruiSQvML9K)Fh$_SVI%I;+LVxI`GtJUg@o&-Zesf@MM-#u+DIHqGOA*F0k2Pt-|
zAJFl8^DJYFQ*CG%Vl_v&UGDX2<uu+;>&&(H33os^jSey|GVMM@*vJlbP9W)`)v{=;
zskC7hX}Ks#0nM@4Ob*3$ont!gLA&h?1PK(-aTd~iqkUbi2W>hUIn4ung|!()Q!yEe
z{&_;e6U;dpW8MSI7&WIU=l0}Pwv^omB*YLgJR)BzhY`^6F$r;B)y$4Ws(F9X5Ia@R
z%_CJ&F|X29Wk*usfq)DdVnpqVoK2Um)z_7dZJi#pqp>2phIN9zkZC*xL4{n|ov)bz
zc7ndRjF4&Sa*^Fg*p_NWWkFfXOA7CpOo><w(;gSjgFH}^uMpt*ejh$#9HD?*VGbk|
zm|dYD+y2~(eo5*anJUHY{Qy_B^#fek&Ki2l8t!Yexjv3ZLVKM`UZ8QVS@QZ^ztxS-
z@RVL<v>3&VTuWxPQc<a4CTDLQj^!Rn(lbIrE_+HWZKQ@vZRC^9&2G^FzM1=^<H-<d
z6n-XwKILyYC&u6>ie?BLdo=X9VG~~|s9OA}<3c%~#teB_IV03MkV*{na*dGO&bK3~
z|FiwXLM1fp&{0Re&`YuN;+^cTj~Su<Kx5Z~=lbOA_+YO;rzf=nA4SE+cNX;E=~Hzu
zCk3hb5lNla{Anh=t`v{bA5xb)IJG}W=x2T;X8WE3j+i&OKtiyjJN0Cw$Zwx{6D*~^
z`XK`DTB<UpFnxS7H%jxuEHZt{<=1vwh*^{fD*1QM+NzKGN~8DeuO6IgnWhQx^2PIK
zt*nEVvb<9tOYPsB_SkuUOp*T<1t|0|(;hmuo{I;s>8q45i)qX|Ar_KxNI167wx39d
z9f^-bICWC881@YIeX}D&;S7*37iY!pj{CYfke;HMQi{wmPZtj57}fMs_6h4&(@iY&
zjt4w^{pL74<tgG4K~5tj;v^O{l=EkeM6r<7KD#qC2&B{r9JG%5iEe^?NRid<*9*p9
z<Mi3{Fy|fT%%b2F+6!pxcg(Jtbw-5YYZL_APZ;Kc5l?gsm=R@aOm;~2h_iTT12u*-
z6iR(Sz3ss6PFMd=?!2rRXTll>)Ny`*uJ8umltNGbBSkBX1q5=jGR#6l;FBp#@su(x
z``*sLDiT^BRIrj`SzmiIM3i$f3})8EkepZ>!x2{+wdx5jw|#uI%_q}K$t{<!UYuO&
zQxfF}ASTLY{hR5Ga315|Hwv^>qn&EyW0n|nw^a+i{bKjkrb5*MbWkn_npSfEG$5b9
zdii2=O9In#%2U36Lv_3ZIHd7-B9*PII<H;Nf&d3<2Z0%f2}V~$FD<Ra$D)_cu*=l(
z!pL_`DZyf_{!%_@fFQ)zAg0mCI)})2Os#?%n6jUwpEsG?`7`{~l`-w(Qu%zq>({R#
z{a$jzt@am*OM;m%YL`SKy~Ii_XH2DrNJelu@3)c+ig378E5c=>@5)ZK4@nluqLYKZ
z_RN!-iY6Br-(k?s!%v>T(a4^%Ze<*e^`YZ`x{v<L)He=E?M}O>NxQvezJB5hVBLGv
zJeMQX8zc!!?$h-d?}l=_(i3S@ZW&ECVH^Zo5YoA>lt&a0uFnoQ7F*y=DCOECA%T_l
zidh$6V;nt`Uuo~x!B%qf2efSk;N35WTk;kByLMO-$os4{DN9Mc*cR}|Ug|ZcuO;~f
z<d@TJKR{$^Jk%WG_do3?{&!Z7P9P5Ph%#)MSQ!I`7=|<seal|htjUA}E|%O|!0DD+
zv(2H*R^rsB_V3!!UJ|E!X1r1<gRZ)mmC9Lril>HQS6SJ8gp3}W!&1#fiHkDttK)EW
zFs*ljJ{gTLOT4D@F6=y+k_t>8iAmuZm4gS5hlxqYy7Q&8UrPo-6I_TK_?3Hz#ZzZK
z8e-^wQZ!3W?d<}bV8-L2#_Q=*g+|U{zul3WN4<`nP#+ry#txie<p0Wuz#l@jka6-S
z?!iy*NP%)8*)xuOB=A7UJ;8XEyDFzQC8Icya!Ora5L_>4+<i5Fs8vr}m$IJGK)H!=
z1CC>{{X`?x;TkKm#m!>cOLWgOs(e~Ms@K*L*%`x$UW+rANQ|wzXWcb@yai}9k}`I-
z1%d{~Si!f91)fkw#LSb#PwY9`%uMBk;AE`6@{(#-M)ls-V3hxrR5-Vv$p3O2D6U&C
zWINUl3jGcW1?ku)>+MIbR)VWu9HMrHSfGwMVYpR?vM2j-IuXNo8YNyiEl_&<z!1==
z({`NZr-PL`0tN`s5C>NIo>#{s>L0r`BI@tWS28F$E7()xpmdlV2s?iA_LUN#iBvQv
z%SZ0Q&kf6_2i-pHBt~KT&bqn7Fy^x%{gOU64!Aw|?Ws?nZo$)}?bF{AJ*A*mbv&+@
zq;$VCKgm8h-ugTPPrp(A7?#rYfE9tsLI6&D>>-vIGb8FdM9er0s3*4m94%)wX2x|q
zOgz3Fa;EQdulhya^QMB_N~T?b)17>i?MHtiLv^*|gxzQ6Qj-$q2J!TBd~k2P6>jPE
zLW9h81>-%eclc(9sRe0nr<>i#7s%CtTnBPuRjmz;RBfc{eM;3rd39qhbd-omeb-}7
zO6tc8g=C4`(lcT`GSG$9h`@D-KqZ@QApz}88f9upy(L_Ws`_TeJ%Z<V%gMP^cGp+5
z<xc%h7}lmUWkSSUaP4GGrX;6zFT4ik(P<Q`yHLg$r<~W5U-~Yt?n9%ctx-LA_VU#U
zQBS-mmOpo<`f$_tGZs%lwL^p2B}W0BVLw5i>-!DUDGl@Ux@Am`hIfoAq-kqC`sI%6
z)UB2R?!t#Kn88sfw`?2)lcGrO;6dBOjc<KOujlPB#w?y}@(k=L^>Ltv6Gg$St8Y&k
z!+~nDrEIKnjyVS{9%XWWsG*rtSta!xCvr1Xvu{i1D$Dq&D(jJCkVK=Sp}|6O$d+4I
zI}v$Oif0ec7@aEfv?h}Vvyn#@d@Q%!)>)j1&D0Pb1oZmwi?;k))>Kf)2=Eul;zV7G
zQ&;!6T@NJk%HkA`9dpaqZ-!)sE`6#Ff{*~jaB>gO{lHIodM_~DIjbg9B)o~Wc*>nF
zBS;$^XowA1MQwG5pHg3chAm}|U>JFt1P5=85$$a(v|9z4V!j2}*!V-KI>xI(e=wrF
zqo_SC)<o8bB*>~L1KI@WDPO~DZ3nRz%8YefVwBKK-2s$;%T77Y0CS@pRL}_cM43fV
zz!k#w3kB+c0{dNOH8{+y1m)i{5!j02W_?ZtHKWQ2nkk<vKU4ScOC)Eby@ab9bl~e}
zJnN};TR@dRfK(uk!YyrOk}}<b`~6$G=9S`SZ5XMz)b6(0BC0jXfL!5FPBzIu3?rYY
zUlF52T+41z_j;7=sFQTk(Vc8RaT=>9%J^sN_vND^^Pg0x2nr5xfM)LTq*_7TBg<X+
z%p4jg4_~$bMu-G4!{-x*`Gf|34_+zDl454(>29l)AiW$qFYg8$6>LKtJ|El9rzodZ
z5%uCYL%oC%bfYuue&w{$S$2@7l{&UR9?YME3d8PpHIkLg`cmlHsOmZjf{i1hkA$Cc
z-3y5(>PiV#7D^9uU`V%^AT0>BczLR9fx6y6LD*MKd1@b49a@KV+0wXWDRGgwS}Bm2
z2{Ixc5=xnLf7*)^+CZT|?x(Mnr<+mGWUHUe&(iw8;90)SFL+kmY_F^*WyCfIcz(fp
zm%4+hud+QD94A6~IJ0_;vDr@nxdT?<YhO*1U3H}LPkpZaul1Pr_mUwc<B?C?y8<XP
zyfb`d-R_SG7wUpvkOIldu_+decw7oU%7pfNG0#feYEwl{tF+D`e$gR)b`#dpYInrc
zJ_pB2`f-mT+3cxgx2J_wjDN#lcYk`VE6g7S8$3>ENX(K_fIc{<=$U<>y~wEqe-EY_
zO1g!!emzn!nt%nM@wRR<u)AZ{Tq7L%$q3G3y_^rRJutcTv4?I}>)fOCT7^d$rhGf4
zbjPlhPqY}bpIYDj%lP0$nZYejZHLxRlTZ`qN-2?=+CO40?0`A2IFK4jq(_H*6bU`w
z1l4}C%Ec#%>TrTSW8jjzwOcwD3=yMfDNt4)w!Zf1oU~k&Mu?F0d-j*qEl_|ZFTRh*
z*ttY`jK*mtrAx3LMB@v`h5aHx<F5w(oA%eQX<(IhK_HYibm7~#j+u+?Z?Fx|U+wI`
zf2m8fNk=28o$OBCM?s=LIa^(huP{?~6RF7(eRVc@KQ~2_c9|fDu0Ouy$a-VQ?>LZ-
zdo!HL_L2@iXlDNQtu1R$Xv{YFW;cg_Je?xBNpyg@=qwM|1TqM4vcq37Vv8MkCy}8^
z?3SJGPuZ|h&z`-S3xbjhz64Dulzb?Z10^(F2Poq)Xl6&Xn7d{)#yrG9@}(~9mwF;W
zhT~3%ukB3hToKek_J+7r6|{Lqb$F7lj1ui=eBmc|AN3=EKVmGoqdho0KHNVCzw0Aq
zc!IrwBKsEX?+p&&*Y}5~5`gh6?oJR-fL$c_fH#unTkv%M!|Cba{`u2QIL|e95V_#w
zPp8=?93Br2VFwOR4<rWi?Zt2=Fo&PdKAe;Q0d@PDsX#Ic_mB$7IvY>zeBXJx1<8+H
z`NI<T>1I2j#WYJV#~$ZAktOEJ=GQ*ndwY1?&b`dYpth@qT727?4$?7}b@OiT<GaJ^
zZU*Gfxo#v06x_B|#VRh9s(YKci%|uV;>i=>xHvd#72`Sw{+;yJYM~7lGWSN!BWo7z
zzq>g6-~NZQ^TV@?gQLOT+vCHFgTtTqJ|3T6oE)B?9qkV+ne6RWsin1BIjCxjV|*YA
zqOGh!#LP!Bfr<z<1-eK+lF1ryT5(gZwZxTe31-}L`}+B<bj4=6cspIZp)T7}mu#v5
z<~R8d1vfck)pS)BN=^A0nkp--HYPiURuvh%%#&2^lvMiz)l4Z7-#e^nQ)(7BQmFZ!
zeEamn`Qe}|zKHeoQ62wxcjx8v=ehX5FL!rdH}QY(qx|@ziS8?v<Om6MSa3Zd0ZwPW
z+*1s(iQ%hHnST7S)pD=5qA<1DV;`;v(q}AX8zcGBY>ISnJLlHS!Ku~{wXt6cArk7{
ztvMQ0-ilCj)7Aa@HL(YD6N|Qd!LPioy&|q}2y0)yZRO18ob9x}e(eAmLHCo6knL=@
ztcx#v`?ds5YHeH|F>|1k#S4e3bBm)~CpV;$x`F>l5S|ZJlOosN+=LCv3hL$q_rQh@
z=A0c_%<*9+AWR#&o0|%ya|&Z~k0QC@DHrv$Z>fryuc;L}=zkcTzdJh|T<jg39GzbD
z_XdMsKb#%B`C&uqB%TNqNE1`0(@9Tb%BWfTNqDliGK|=v@DEPI2#Lv?_E))YKn^vM
z+o4H(oo{WpQCEpxy?{=~#~$_ZX6Boe5}*txdn;CBR7IYLM3_o?NFo@PO{`SOHiE_Z
z$!{G&^r-F7WWAbG%ba(1I&2D^ju12G5cvyBIWOKkJ;hg;J*`Kfj^4?acCFr8B6V<h
z^`_l_mwuVKkJScumf9JYIbpN{WmC`M;yRg=;!PuaIvs8As%=rzlzO9fF_5w?bUNlE
zK&Jx{|094-M+HKtY31sCR1__jJ+h7uIiWfqMal4JWd((HpzGQS?ogr{E0C0(ck)qm
zOxghnJ)HBUAl&W(<{TTe1H&qx&^qcPduE=_I(0an3G!hgqvWJj=|t7%?y=z3>BmMU
zaj)yo&0^k5)}`cZtZnZUwi7y9Q?t5P_w8Fo;GKRrIJ`LO=fs?HD6Bb$v%-rAJmtUb
z{NCjPiI{hh?=z{hsAuNKxAx{73jGgf=Q$)+>7GZ}Q>>@@vyM;S+R1H%nqPj?Y8zx!
zyewOxEURw<eEa4IrgpJpGK}EP_#X`Uq0>>M_#vUi1DfTU$JF}_qq%oCE14~cB{@Yi
z5a=@o1S5P6Qxe7k^Wy8VM}6z4Vsle;Th@T~tMZpIp@~GSXLb*sW>)GeuO<gw*W`((
znTazvJo|LCUodxScU)K8chXv4zskjjsrd36B=qqYuoKNar|c5rJGQf_zHV3k$9&E9
zH#_}mbN8yuos!7%ca81J!{__t(0PG`wM-!g*BMcEjhJ7LGx(LaU6VT&Q?yru=>L8%
z46*y{b$6$`)7^bQAGy8?liLaw5a|j9#76>aY-G#MTy^a++Py|BB;lBMnZD|Ej>aiB
zX{9)6`-3I^Ck>y_@Q^XeIP~7k0lrG=@a|QfD#>T$ZP@UMC!o#Ep0e<(JG{0jdr)TY
zHvF(zJ}?zjhIiv=%#e@M4!d|7iCNO^Rc<J4*a(P}8D(QF=>L10c50PE``^U`2N7nx
zE24Fz0;{(FJ%9cD<!;XY_iCrH|J_gd`gQw9xFXY@avUC!0LwMv%~X=bo8TV&xc%*0
zOV(-~eu+$&0d1Z$XM*~0pk?ZHjAKt`p6WT;Nh_!e-P$uptt{!5%1LnpHy~IXdhqJG
z`jbotDu@fTJ1H<J^UP%5{;`!t1vY)?JUf5HC?F$(eLzv9BYL-f#TvS*FJvEbARLC+
zLovt7KN)^W&cTdDlHkDS$}vY>2+#o^)$VFzs6(q5>!k{r9AR&>nlh;bvjcM0lYGvf
zq)ustS`?FOjs5Y18dmR3{g2|{nW!8ZN=8>mam_qk8o`K>P>i7c7vA}cT(UCIbid26
zN%`N8k$dzN!vZE+{j>g%<ezd{Z!G=_n~S-2fd#$fi>C;+^>Ev_VImjas(hoF<qV6M
zY3n75B1R)d6f-2*a`hz`ZT8W*D;5aJtTictlMxLZPp>fBr_)GsQTxB%>~>#tcDCR@
zce}4UJ8kIhqeus*C75?50~#pZcSKmkB)qmsp-V%)eYHEp0`0al`-xmn|IgALq;ZY9
zpMO$*1Xs3;Qlgp}s85}e@Q^0`At0_prJ1>+YbkqKHDy)BcBx2lr-uI9j^jpo*2zsz
z`#;*yzNpE1WqcyJ1he_{j>-kQY5>O0oXk<?B&3w{G^3bz?OV6Lb=E6uVc(~11RBp*
zln-w}P?N|mk(}>wFokE`-Cf{uq|94-VkGy8b$oa2g(#@{Q@iRUxj{&%f`^+ZBEUTw
z;jPv%7GQw?Rq?{J?(Pow6!Y+@u$=)BTfiw?<0J+%nMQ#L?I*=68Fdt22XsulZfh^#
z)Ls*MD%7n31e}E9K(W3R;sN?|X1$S(Yo*F#6&e?n^qV=N%_JyI&I1cxcC$%JO;uYx
zWzX%u@Sft(s@D0Bt3F)E={}K!)tzLSYB5xI4!b?v3VJP(>n5vkgI}guHmc^5{nIfS
z6f97N)CKJd&PAP(uhc$6$3lBTVUv8Hb$f8zG8FoIK{P?9@f3D<R{IFG$i6bQSEce2
z)U8R?d!c3~nNS_dy1LYoRCby!N9Ll2WppmWuaMHE74MAJ_PD*0zUi6#lAP-p3zy>D
zq+RLQD-4sBWT?Y)wP@mgswL^;G*y`~m*qFrXdz|t2(GxgFtK1QarMf|VH*p)3Z`0X
z$Zms$!?pJPC{ufhq1sy!Nj9abVJFV!%gzYL>b=yANZKuy<(aDG^JN}losFJR;8U$#
z=VwjQDVy+gQ5piWl8*BMBkL;qB`udy{mWr2+zga8ZMFx^_Tam34~lo%_Ihv49k;2z
za6%>~vUYMkF8v@GAWO~7e9O`qnRKu7n3wh4Ow49te!q$NF7E@Y4|S`JcCHs{Ej1&X
zmJ$kw)rJib1@(cLliVVeBUiJSjJf_6Kre-{@a((3aAdI>#dQ+CCe{hdv#3>nngW+^
z=L<Q$<O}IrgP02ArN@V?Co~=Y1AD>_HjT+#Z7^1K3dR=d<VrQY;8z)koh#X3YH7|X
zef(63d?p{*N#X1%&KXvCUXo$pl6FOmoU^oNTCRtsEvbrAnJq;#H|g0T+7%{9TTHs*
zW;G~h8{P#8=Vp!WV~QeY#@N8$)j91dwJ8aqinf%&M)zkDVBUQf&>^&SwznKtw>OJx
zrP*@Yn+1ElY#zPj{d{i51zf)RWH$FZ$)CC(o4#!s4$UTBE9T7N<ZO#sv!q=O-jppn
zW;pAe)FmV{3&fK2%1iQklqguG3sJROi)B8iY2$uKhpaZ%$qE!L+X@}%EF(v1`;#c4
zW{AqUbMXnJ6KA9SUH1?=&D$C_5em>9Z6hkS5Dp<_&HS@o%NV%FxK8slhQZgb+8gw1
z>I~|tu8wA=w}nm!l9G*MQH?U|Pqh4~3L7pQPZmZw!pp;|Ikd$T&+oDt>VGfl7mDm$
zBnf+8X~CI?8_Ho{x6pF112=ZM7fS5ZVBR&i_3#($K{UP~T!Nh$hx3x1MRFzd2L6bt
zu-@lwe<)wPDQW0*s@>3&n}?R(B1lpcWu9fD?J0+U9>|AfU5SA2<HT8?^WZa{EvWko
zp6Tl8w`)UZ;`-p%a(w@qde5(ethb_){3drusrFarR=|psN+(I?%7~5N)h>4oQuO@|
zIwRPoktj&rvn{64b~n-6un)h(&5dbNP(53<-bTgMXtF7=DosgF9-l|7xKyYcol3K%
zJN`L~qLf+q59PpC(QGr*E^nlo&mQ*o_TSs>xxUhgS{F`%8MSgWmTM}FsP4gG8X3ME
za3!(IAk0&2HM&((Z&?~HIbN5Xr6jJhC@)LuTNC;I*|PSyDhYQ>KVv7C*8;P;Q?Z_p
z@qg}icV8^!`kT-W+9-;wfAO;_=j^0r9oK7#8VRt<ePA!D0ST3eHru$V&LXa}-gvU&
z2$2PD!ujiQ$yu8LrtY(;TVRE6P^7}orq2ph!E7hpz(-NW2z8<YA7{4qx9=t5(V8KO
zfR{tG`Bu}1?Rjd-ivOS_g!bRVwo|p^1hYx%=4~W@4?pc4e>@z(r@iB&gT3>k52wAq
zhw8w}Hn~w>yaqR!n|vmcFqeydKN&Z4;AjN$D|KTQ05KluVuDpjBJgSWRG9U9f=y<E
zOkO3~b_upC=Llzpy6UOI&FZHcPWYc`Bxc!KF$*>~%U|oD>6<!uPl{kK8U7YH^^_R<
z8;!x_G3QvokctUh+Ul1I&r7GxC77fNT=~wBskt+6B2Yy($1}ts`6I?~t)oe%aU+ip
z_WHWX2~}w<MpS}a6jt1XH`bxW6+SAi_^tV(Kj=H5JmBo@-o9fuw~qy-%P@eNtR){i
z;*mL=%0?n#L*$tkb6+oQvjt8)Ma2?~$=uLL2$cDl>1>q)75m_tvd<MCqbm88z7M0a
zUM0~i&9f)+BT+{FB;i;;Bbcvcjf|*oJFB>lldn^Mk=$8zku121Q@K<cO3l|@k(bYp
z2hh>kZsebCa2igN2+E)G)|q9PTCEo)Ozm#4GhAJoP<f8W9S~bk+D!3k!7!C1SHm<3
zrsg03;&6?FKqsM65!Ky<4(i@4S1E9Gc+Lq1M#dB2x&n5Wa9>g>cxjSHLcy<AUJ}EC
z1#T1IL%S&BgB*QQ<2oTpXi3tZGj$|}j+<l^E;9tk>U{ezyv~)V{765WWEQnXt4t%+
z19p>REI()`kH+1Ndw*}4kGz-t%=K}quw5;O?%8ooRL_nJk0})bX(Eo>4y6E6(Iorc
z7wsQtDUAP+cmZ^0XnOky5Y_P?cAo9LdX<m=@Vtrta6iQfefJ=oFmfUGid`|(`kyLh
zJ-FI!eI}vbOV8k2Q!J2=1nRXQJuRvgQ!nGz;${)~S`bf0zwL5?LLce)LpKnT(8r;G
z7uu@yHSc_tOUkHgWmB{kbS0wT%HD1Xeazah0ZFu)7`H1raAMQIW-)^1Xh4(9n&E1(
zgA%m$>UQ^xe+k@xLE%~clzI{GeAC%#Gmv}c08XDL{_q*kwrtK5$4Ocds}^__Yf6HF
z8{i@Oj6Hp8<&B$5rRdl(UF{Z6k_x)H^_HU9yi=1VR|-&*s;WiO&5OB_*}uNG)N0DQ
zO5ysSb2;qXQXg2b{_j42_By-%Kihr&qFMj%r8xWXG6g_>{jR_LWBKBK==iqg7Vtv1
z*UdXzzKh*u|Ap6a<+i)<vl{tcx!5GDfCgE~1{xu1VgS`xq`T``d7A}lxl$(o8R`Ut
zi?wV37s&seXD^@S_kS;*KX2s!eUz_rmm6#zpVB>+%B8B}Xy@dcYyOFXPg<C56pA*t
zpG@G)RHo(S&iAI&KW8bN|5@kz+p2#H^}m-dU(V@&&tEn3|2|3${ZHR)?%+_cSwu-F
zI{KP~QXanY$rk@3kpJ(F|NQ2thnc$+Ijykx#>t(Ub=<2e|8m-3l^$66dG%*i+ToCd
zh|LZXz0#<05fYOv_(5mVO!c_0UsWm?{T{x3Q{U+a+dUTM#SIK!y}+U8_~4dkbc+?*
zI(+(VDMh!F)pRplYv2g_H#7|te^h{ZxJy`}{I?lk*K`iBNdJ5Nawn(%y?*_2w~_z%
zQ3}rE?Ujza)4P41$pE}ok?q`yGh*alOH5lTX$sqGfNJt-q8VXR`9X>$Y1#L$od5jF
zTgL`)q5k(QKmT97eEqVS|MyXH(<49k%VzgL2OL{n9ZM6I-+qeclJ?h|@x|TU%QUy0
zmrQ3H%*`2A9vqLbCx<F#k+}v}0>dVJflTH(CpBbYgKX-g&C<$lPM@Q`k=U7MmB<w}
z&yY!7%F#)a?UlcY5Rt<?vdCIJ`0MUZugwF2*cgkxdYr4zaezHR*#dT(BH>Mr)!&62
z2f%26d!QqdKX4VVvJ}eyY}E2wuK<huKb}8-k=Os8y=?4%_fm4gvM}wT<ZCVVGg%BX
zD?^#sFOO=kG`v;UkAFGU&`SJ>`U6LX0XU+nSGue%5^Jw?e<m%PhVumWf`DEF35PTe
zeJAfQHxk(q&*_8mFX-Gw&0O}XnNl-tH)3>}?KVdfTjprv-tSr>!DbKID#d0idq1pv
z-h7Dy;t`P~P2(27>@~9_)mn=Fyp~@ZbYg+neU|Mer+TbPv{e{u_r?5;MZI+Lz<Nv1
zA!s=-Vswhd1jih>$54b9FrHEY9`RcIJxbyFKYt72F6}?NFJI;D|2w-c8vD<^l>8;#
z^ny`t>z55uP<2bDo9YXFDP(j-qcb!M{;~@`BUdEAW9;`}gaR&QroNw&?2Mjz*4Fma
zKGD$+lb^{QWub5J><5TUleg+F-~nN2bw>YzJ%N4sWJ0+xdS8lxe0bE~&pzlM9i$If
z9PaUt9GlgJ#Zu@$J&CzElW$IGct)whkmF+##$Ph^RGqzWrryVq35$S&cZ|jnF9xa6
zSH}{`;?RL9345^HN>{fpJ$Uu<<@1*<fDu>l)&-7X<bMc*nH-opo|tigr<NoSb73l$
z|H;BDiE`@=;3E0|;>Fzl@5Qs`{P$kU3ikh$JI*9`l$Z*qG$evD5{|nbWtb{yxSbdf
z`xzjsFAH;rbR}4ZPX6MSqj?twky_VUQwK5R`$Vn{DA4+I+S)l<tg<COzD2DrX{7Km
z=#L$_-&w#Rnmc|-Hy#R(t{(-kVd=UFKRC$#^r(()*H#MUzucj%=jxX#i{$_Av*$Va
z|MJ=EM*iPR$w?0<KtQU+pV0tkWV@<m@9FC#J4uSiM#HZw47FIAM>@L)lkyHl#3;V-
zn-eXd{kv9CF{d%}uzH){nh|WPU12s<Rbq~FEtN4T)p2WouYWyp`A=6$<^Pa`zEs}s
z;r##E^Ev<TSI?g{^8Y?cUHSi3vqQ5CtbZAx0Y1YcIb3JCU7Bciji~r6Egq|E7>cwV
z$ar$>c^-{J(Xz)9s^=vC_ku9wkh%!)47jeF|1h`ba&w3$JF{jPx#v<S|F!jyuWJji
zNdCW`zyGtd+xUOoOZi$6wmO>zr(5oxud6g7zplvFZd)HB^hb;nr_TaQTt!A_6UFb3
zg1SjA*o5Nk%}vOKP3YJ^J2op<{)lHT52uq|xLfGBKj*!bcDAsOTA)j^3Og3aOs`Iz
z#TXQ)QLZ&mJBLccGG-o1#rnebu$jkMR>>k;-gq%?ivu8)$bYqnBeRI#vHgGN)yv(y
z{r~yP=KlY^6xS`ZM2Aa)?q#lU6)1XD3q(fAbQg--Oa3L7n#Z(I+`T$nHUG^K&Rx&{
zXU|^0oIC&9ZS24IQdT(sGu&}vxMQ{Rzd;5_vFf;J*I6{3OOUKS{#&Z;n$HRAj-dFQ
zu+Bw-QV1ouJj#>B#9s!7zPkLG92Q1J_W<hCorD6jE7$$hKB>by^R4HcG3%kB9U#xi
z6w_FwjWdtyAXEY;gH?fBYT_6=e^gLx$jM%{Sf`tEV<K8-DPI56BoQ6ur+Yh7Q1$x%
z;^ph-uk!w%&l>yB{gis!>N+<)$})>M?w|uxWl(4=YS;A1R~*@1!{R&VhoT^xhER6D
zKOYrw#rucf@%CZKxKR;`wVaUb+H2OD(`7D#PB8KV%(?QPRLsXS>zK=t3ePiB>uy(>
zqN@saIHoU$fitHj^|qn11eseFOEd9L?%fI()shb!QUAD_w~L&hiUAeer_D`-S{*1I
z#&A!8GQ_<J_TvDvQ|BB>YCX<lEjY?rwC5F^uO%_7=5yRSh`%aT*fdE(>f`xKKJL?^
zyFCSMv!tr0Gn)B38j+BQne#o&lk%>UHmi3lXn<Ls6P$<Tox3ep>0e+rC7}ZFjv){C
zF(c~20S$c@m#S(RSyL0>Lb@0SoP8~lv-WAlzu5|U+eD{Cl!1VDlA_?o(y~wvEJm%!
zwC7^xzCT^>LGVH>ofNs6LsXc!qmYPwovIQuo;9<V=K4_4tcp^!Wl|+2y-lY2V#J)$
zBYopdrqoZ2q4q>YZwOrkbE51)U|W=HWfL;@0rm2wqGYMI9l5qSH}{luEMMPBa`$GI
zy9A6Bvid$yX8Kj-|JBvA2OYM|>9EEhE?diSlPj>9q>Y@*i;M43f=wNqy(-y(?I8)b
z`6TzW<9*3JxhcrHSduhxZnEau;6Gpk1RV%Q!ZB=AkTox$lDj&vxe09)3)-IV#hcLU
z5H5)io%ph+{(T2G;Kf2EzJ)e)M$azY@982xl~SOuV}TW*U!2=gcj-X%>?|9Uj^Nw3
zo~sVz>X{oqI@Rw=h~~e)EYr_EVI~dlBADB9UP0BdyQ-ZD$*uw-ZPr9u1@<k+RZVVq
zy|eQekR6fGuLA};Q#ofNF@as^Owkwnw{yjOY4kg?RY#ws>ln#jodnFz%PtR5#3xj=
zGmitx#ea-w9I93O@84z80(?Pi%*{;doGqNcwddv><hz-sb*EtEi`+82^!iygi#liU
z`t@tr_VLv=pG=oTsbEbm=qLh}SX(DQ`mr?mwtoK|7ls<VwLJ1w%fg+p+zM!x3))v&
z&=%@U`2_EEAm9BbUA#G2*a@_gUJ5rXg^JbOr!GXKJ`Q#J%~M!IK9LK<TmXzERWqwq
z=TvD~lGUrXf+E7>VP#YEKHso}Rr6cKIq6t7s(F#;jH*y5*2ADeAlkkey6(6c7%T8d
zq-P-@$Mvcvyei>PJ=l8ol%hSavDZa;3rbPlytVCC$V7}#HK}aw^R)ils|-6XY(Ce&
zH@AaceATnistSvDt2Otgu3>R*E1KFC3#fO$d(gQPhmy6ha8fOn_hs;^tx~lx$Kh3e
z=d8c@+oSW-y_2JhgTuEU-{oebIt(!%mxYMUOn4?}t4Is&+&A;_Fdi3M4$}Vm9|q^|
z&JG9vbA0jX!|}(H!;6EXv*Lc+H3W8hQ78QmXXh8EA5Y#MR`jwUj8?l!h}K$462#se
z?49qGl6l_8_y7rXKv)@7OXPf>4i{&K{o|v3mB0Ps<io*X2`Q2jznY*v4$7!n!}&Kh
z?$g@*UphR8)G^1_FZ*W_EM&0^s{Ose;MWgl2Nypd9hVKiY{@a#G`1JGJkPU9ky>2~
z%OV7S&O~FgMdS7ho|&sn`BE*{b?eh2$!^PMJnJoT_Fjo6_m4jg&JWKn_WJ#c)4h|D
zk5Y0%iK681>~dGq*~y;j>-~qpd4-T$X5}mIWTD6@_5arbr+P9d58`DnC1lLr6_*`~
z(26-e{6e@O;W)jbvbpA|n*Oogc{+FdV#P^1hu;I9p>t!dyERz6V_5pLuK8=;@*_Ti
zZ+8oc`aj1Pho^gQj}I@-j|YoYxf$kdXos|2xF4*yBG=eKI@p~b4=(y=hd&>lT?`J-
zJ{_K2>>u^tAD*p@Y{c+LYRl{jvwadx<hHE7{wdMfKRi3HV9o^=r5cNZ>F1ZjzpdU)
zvEi!VQ{>Xk*CfH-ikR({kf6Tt!ObaO6WO!l6|p@#UJliI6YluKJEc_AQeaT*6VVOm
z_&w!94Z1$F%8vFwoSq);OGUAK#?1A#pN11&vb%$$!Ad<I5biDRG{+7}>thn)KEosO
zr6!ukN2iBMtQ`GseH@)$mfKpDp?yxK_)i+vrS19A$>IP1!|4({lXS2Ke53K6{P&oS
zYoObIxA*bj=v<;*6I%!T?e?wN-Y@p|&i7WqVjl?<lp|Bn>;Cc4;pzFs$<gV>$>CtI
z_wKMR|LZ{3CnP+<oTD*bX3`Db@0}eUNM1hvuy=5AeDwBg@9d~X*Qux*Oc29<pW%Qa
z|CkIJVx%00yeT6AbArCOa$_;-Cwu?9lz1xb>Q>x6zqLt0ACoB&br>$$pC-e(I6gW#
zD&IHO?|n^!I~dAc-tt5HI5<3$3)O9gR^0cR26pa6zhE4pfLvjIG<T(^bYSQE{fl1?
z5Bqz^N1qM{7e}Y(hi9Mmj+Yo#anE-$EPwI7sbEM46*^Cy9@jJ!b+cfKLos)=sdOZR
z^S$%K6DdyRqW9tBGTb)T-CDnhCeJ>N!#d;0eUbeSA5WJV%6ymW5_RLr5S`&Ey~00}
zK$v5!1%v6od;fOt;_UF`!>2>3P@h-r!fN%o%xH3X1za437j@EpawsJSB>m+QU=+|#
zeuofq-e+`Jasr#FlEoH(NnPnv<O&=Vq0~tcjHBY*!zwQ@9|<%>>gZ+80;d5=%pe+H
z5Y902XVCdrW^OFDzbiiye<)wPDQV~+p}o)M9DiK1K;`}vI1l8*vaT}wY+3m;o-L@G
zY?f2bYeQ!OyU$*Cce*>>UE@DkpK}~WF7eP>1KDpyMfuI{kdkfJA8$>RoELB=8TJ7V
z(5&dvKz7C!)XoEpO79<JK}E&44|EZF;aLnNTQLuY$DW5dKc6tnCp7RY0OhOZL5&az
zVutI0%2zG%26B(IRf@}F7fO{-gt9w6i}KPJ^;43cewCAXISI)E@t&=7fAYNp9b7E*
z3lB_PB=<E6xzs<emYqpC>fCB7<zTHkmvUfkF`06ZZZ(^7uvVQ;XBjY+TzJa~mFwv?
zGpfoxZ<RBlMTZ=<oWJau&<YCk_jk8@jE;;I!=el}3bMm{G#sf+@XD2cvtaXZ_(kB*
z$NoMIQ{rIfVUp6i1~1umCWm^(hb!_Wq~XXSyu=4B8MzzLQIEZ_*7#yFMCH`UT#`uN
zkKYeb@hdNLt6~Y#txB;K4|^7{{2e-orWu2JAXto7kshfV=qE=o7PTt8f;-=`TpZ6|
zqR!*NiH|*G{Z(%f-yjFBEVx0@ZSq`ptOA-<EDZG)1ugBfi%)u{zQVbC!MA=yQ@Wad
zbF(=~R+c4TwabDxcSY+~^t-FYV5x;*B|^9;tU{1QqOXR7eGT?!_>Y({>_dCcys|bj
z5{}{gcmOVJAUthxJ;9->K{zDt#d$M>ZK)l<7JPw{Vc4v9J@{IOaJBTc5?w9nDnqj=
z_DMYL!3myHHp`Ne{E5{GMh|x1k(zw&M&~Th>GJVAwS#_9y`lkS6~9$!mtS*uzVf0)
zikF2y$#fn^J`#8!7!r6q(^Q{Jm7lHTWXexXo%j!EpJ5#ayIs{Vp&6q=K*I4yRiy`E
z90V;WTsbpwo(nYah2Kecd6njKJh$<?Y~;Iqgc_Ltm|yb&Ufho60s`rh3wM+PQn?c0
zhtGJn1wW`29eQu(?cJ&deEX)phN)L2yXGFa0b>A=+DM;JKfmN_bP5NSHpwEV1KJgx
z85A&gdYL1$Z~i03Jij&Nf--v{rEs4^{wzESD=~x`aOze~doFw3*JT3aEsFnk_xWF5
zy?(ZnkN^7Wbrb*Xe#*T>b}IusMO<KZSJ?ovDF$^{!D=}cAAN*3GyDe>;%)b#uhaJv
zTTXwN#}QmE!L?9xFf5h{GB>Z-EfKb=1p30rbIbSl$Rp4h+SCX^SEOSXwO%Q<n3XZ*
zVdyHlcLLF^-u1#zbQK6>gVC*kLlceeaYdtBjHYur%`iz5kFJSF*Tkc1;?X$<@g^SK
zq7IsPbWJ?Ev^4SPns{_gJh~<xT@#OP-41V$(U0qKc*y;$2BfRl^=6x_YUQrzpwj2(
zcH>z&sNLfBa~L#H?V6}|4<f4F`UB40OX$4(8ke9Y#f3lIlPdp$!CxGm9-SY&z1TZ@
zx6EBar-L=!h|~~&MZp1Kb&>vc@3@qj6=<7IZiP5ekc_Ij=*vrV2m5D7{qsR`pL-$J
z<vlEeVG<^6IV`K9E)`%|)=Nz$c!1Fu3m3;dJ`gDM-_GjBPpTEduB;FJ`#t3gFFG$1
z#ICxxK4mN3advFtMS1dWOUTM#n5%uP$`G368(P~)_fpVm$<UrnJkBN_=Q08RtcBEx
zB$-JAI19ZAqals?KAlRPu1!ay_U0lA4*qt!|NiX5>4%Sli~SELCr9TML1)WS5YF{o
zQw5VkD}#ago{LoyxBD=j4pIz~REW0>!+Vz@Ppdz36E(Dn8k#M488vi{5KAvicfS}l
zp-JyBG-=hzVO0#1Il3IYEoGa<z;C6dD_hxNcvV<!u^q0^441&Hc`>{81WQA|9v|%W
z7aKh0!>I;7ik1xinrX5aL5Z1(`?_%5Q=qwu>slAG+_2Px8&zyfO7Y%*e^_I^)_8jp
zT)aN#i6??Ov6>VDr6GOWyDRM*60+3`oT&*{88EYybRU1N-2;zDEA;SoZ*X{Va9Xbm
zDIE?@YlA*IJ*W?wg#J8eD+{&uHI2k<zSV^luJbBVC1#Ic*^pzbTsvw@j=i(}_ZNHT
z=e5NLV&3Ee2~k^ym_Bqow556(sVHc5`}ugbI5wez9<#adhqbBJ!~$<(fj6<hn^@pY
zEbs+5HnG5)Sl|`CHnG5)Sl~@8@Fo^`6AL^qUz%9pO)T(R#{w@gyM989@1M-Md(9g)
zI%#~TLX$>n&~UQ)=6Wdz72d=wZ(^1=G0U5n<t`<gnB`5(@+M|^7XKz@c@wkzb`$D8
zW0seMDfOxM8M6)!1)D{bgrcK;kyYr@uY9t_{|My&yW>B<IZ;e?rGdvtBzPL9wD5JA
z9<FJi`s;9AH8;^RSF6eqU18slL2y3A=K?f4`Y>=cYzx{h^a=hKjW)idgVXnpv;X)*
zeSi0BkpFBKOdmsV?K-@AfAR9&`<hF}n=fs;TEKY&Zfz0g^YH41oX?|$1tVT%WNlN$
z8Rvp)ofhWu0gN&&7lkb<8Og%%VNmO~WeK=tE?d^SYAI{|V9hGfd*j3+KMH{|A2Sft
zgci3S17<Xa5My7ylzn5EBu&)iOxw0OZFAbTZB^U0Z5z|JyQgg%)3$9JTkn4R?Ec<g
z^<-w;jLL}0h<ooj_tYNp)2KNF6bd8mkXy|H_XxHR-YhXpdq%Za_m`=chf^{R>TzH4
zo25j=L<F`r?i$~&qrgxs^H7o}`MX3uBi9P|b_bUCi+i)5hL0bS5g8h(xjZGNozl9v
zNQV18CZSR6YF3XuqcEEvwQ}^=J<Ff2S6Fp4TIf80HF;K6@zwW|(cg^3zjc<Dhg1PT
z;y;>iBQ>T~nknH-EJh-2zS=dz*OUH>Uny&ac&xJ=*?`_ynZEL-Q`qu0E?jpdw--SM
z2@gTI_8#-rMM#y3OJP2e<Z^hs!DCBQmXnm?im@oigV0NhlcfH+<d8`Ci7wwgxIj@;
z)rYc66-k!!k^0AwE4g$Oo0esiV2z~-b*L*WK$)pmdo?>!aEXz3vtIJSi*b$%K82jo
zZbIsuMJH822bP7-ZuG-U-tgr_mgZ^R(rPba6;&k*FY3t170k)&0!9WI_nzQm=?Y6(
z?>P>uQBzzh_zB~0Obq>e<M`yiFP~d`8XhpI;_+<1-v9WTy7Wl%ZS_L_d9TAwljlwV
zx{3EEtVtel*T7$4Yr<3cYQjAHts;Sl2jS&gw{ueZY*BM}`c8f2^GXzQmA)$=c$t&F
zhsu^+8J|aV3sH0P=uKrwx%Bg0R-qGFaaJ^xuqjC?CCNV<`;9$`G*MtBbW*Gs?x#hd
z70VxC>SqWX$Zdv7S;_U~4HYsCYX2fW4jl~4N2gJKDA>Ole3D@l`BgCmPj)&8G8E{0
zoJqR*4~wiB(^@lQ^fy?*WI2itt!i<<64rK-S*+ur2&f(VZLDs3JQ~q|?>CysevQ0S
z+J22x>Sj$Tnn`PsBmq2zdmaxQb+T<7=s`E!B)iPPyQYm=2?vz~dCpo69Bsd@`l#R?
zXaH&Do%P6cZi2!@?88FZHb*;cRPZ$2;uc^1m@%zi$JE7lxrPU|q_5XTuiqd4WyL<W
zJ=)eszuzgHD75b#Y+`Djf~NA1p@z3`Zzy3HpOu<aDQG!TSa3X)3U_oVmM30m``LOc
zt?N8m&kPB6m_)y{(eh@Kgjyj^h}Ma=C9hmm-9U?-b0rVE5yk==N>nM0sgDvQm-2DC
zD9#sj+)lH2K9tV@=xQEJFSBY>!t#0&J8p$35(&*1F$YW~LB9(7u{+@`u_q(_Q(i1-
zm68rh)^eWcrzsyMN^T&&NY`sF)y#37gkArba!vHn6lcLGb(A%Rp!y-;KHJ!&G~M7P
zKWV-P(PCMV2xJG82#GeiJ!ppwwn=3Wq|N&+7ySU8lnoQ{BuA>E9fvdNUR!Q3-lefx
zia%IWQ@SUxCNp{4&Q#%7#W?k2&_4#EGQhO>=e6EAb7szCLJ!R%J)~cCyDq{LFSQ#w
z?{=7L+PUxLnJ&VY+rl-@VvXV@&f*nvh3mIgW)4O=;!yb6iQgtPLWwb+Qt0yf2*{`1
z@!{1(_Sf^rqHW>#rnCo$4;h##F{GfNpU-7EOSI%pl06*q9bX~S(dH5=XD$)~PwWC1
zBwwH4k9~gxK?i>55$#@kf3UXx@tjSMSfQRrFd?3$uXtQ8OYWyfi?8q1i~l(OKjBrS
zBTz)r1qFmQY+Mi_FhK>eZGl;Mw#%LQuOHt1?v>oXjI=-13%Ab@zKz$<dY<}>JL$dw
zes`7j+~BMtTgRLrhltB>^%J#)OL3dTZyRs*G$o4XBi}8LV0^@4=99Z8JMk^;$c5j%
zf6QGX;{G+)jGXWjjA!eWaNd7k*kA7))Nwy9Z;Bs&_}zZ2-fu3qy?$RjMlDZ$^u*nP
z$q>!<edD!g^%V2_Zl^;b-)=oUJw7&h6{j@ZKK(*MpakPezRxQx<$+g>*UQK$K#Eb-
z5&2K21dW{!$hqXjwmyT76Y8Be59Hhx5LV!8%Z8H_7?dfeW(BJ(zmF9!RTL<~Sg>jG
zErHv*wh=@#SVbMd@<l~Gw8Z*{cFlyG<WBi`en1kyAt-ZW)5o~AbZ*~=A2bbS)2sz7
zdwRY7zTT-?Z13!RFdwz>*XH-vAywt~_a>A9)ahEj=-#hfuCbE?)li@exRO+qUuFPA
z9V%FOA%TkgYKk)2bmZQun2bd#_I(P2KLvNyX|TFpTL9j^^Iz<JBZ>lMXIB3d0zb$J
zj4+G>+8|cfx4yD@&QRJdnuNmJbjSw52JC?BDOslY{mZ+t5?ui}={noW$E8`>c~~B_
zek9?^OUt}=am7Jp^V}&^wgOo!#Um0r?BQKbE|3V=3#%8hzbkk2oGRHw2*T0ANa?UX
zukS#R94BnvO}z9QRy>~!d0WZ08lNSQ4hx(KA*A;0l7(x?C=f6-8YtG_B^uY#^Dxsu
z8jkhY5o~Mcy7+v_Qndm2jhx=1g)cFN(6PB`_WkedB!DN0U*N9m<FT`29@{A3&&2bm
zJQ9<q=z%Q`O9$r!lQf=DTN{+=9cqI8AQC3+lgMP<F2hjF6DYM~)3il@@m>C}6q1M!
zi#D}Q$R3&1mj-oK<y3=br`0rsag%OZH{&FdORx^G1~_xEvwh@9(4QGr2zO3^m+CmI
zOrzINzioFEa(?!JbErNfB>Gm6q;7B~!T!6FkVu~!K*?BnXi0}f(-*Ao$8EL<|JO<o
zpdWlxF^kxVMVua8(pcTo)elY*`STDm{Ib%95K_b7ajm#{;3FiMV`>iLUc{7|of`5z
zUw3ZKLPQu324O%$;Cuc{86n*144LeLOg2N<uR(y##l5I9bPp~MOAZ}%?Du{|FGxfU
z&k32cPZD9y2Sllg!7DO?F|4%4<}Dkvk_7Z~IXNs+m=zwF?g=ja&`!PvWwBkjxDw4%
z`P)Um%x17WtExCF)JfAB5<KW6eyS9wBbM>YL^yQVn6hIe^e@_73jnowlkJ>uzFb=X
zXq6q61ijsOA^jb|(pRJ2=e(p*N3+>inZUm7a-`E@v$q)9p^yY7XP0R=aEg8c`zfaa
z0a9u|m~<5;-J<zT#C+V1lEWT5G4DZ}!S=dN-Xyqa;;*=wg$#h{-+x*)Okop&!&&Dz
zcFIdySJ^(+H77<-^@_GqD-;$Rbu$CBZi9TBNw6Qx>xEKga^eOwtFX0!Qm#tBpuz?&
zK5hRP*6TpRd->!#9?y+HfKaCLjpimY?#82FC;OYHALOTS8xcBvZIsF!7@Dn!V?XGW
z)XTBmi4M>sc5fiRbEdJ~?Hxl*&!tJdQl;`;`NWka@FO->CHW-U_h}LD4k_H@J{wQi
zvJ#b3I|-b@Au)w!c71@-bJ)MGU#HdWDo?5=Lmj+xS+j~bAf?+?eDFWygFF!z@U<BA
znh-t{`280CbpfadqBuWi>Cg->8I+EzD$?6bhSXUi@o@%oY#uc*_i}d59X5Swoq*S|
z^b4ZTuVhpV^&uIL$b-cy^Y=+UETxL8+vq*)9Oy;yKB$Wm*yn<WT@lYSjq%JrgrM*F
zbKRw^3Ef>y<cs$tId4Ww<CC0<emaRO>mdWY94A()@_>EBnawgsYnyA5JI<SS>0mGy
zhc{()BI}_uR54v?+lBXZd&^i;?_GQ$ES9&1wN1Q(iUY|9$7J7G0V=6{)dcJv3Vb@?
zrQs6jP%b_PF}=`%IfH`cXXAp0Krsm_AWinJ!RGIrnRq%$d%1uv|6osU)E%@BZsO1$
zcKBP*xFxJPF}&$}tVMg!5NF+rbIy7wnA}tshw!vEVlBl<!73w!i`mx|Ae@sD6D(2$
z4HZrJB(m+bh(s(U_zPi2g6IZXIgQP%j;R2S=g`-Ow-3%NdyxNoa5r&im*9JpsY8Xn
zC5`lcpemhDRr-m|Bp27C$ysw^k8OqzJ#-M4bNnvGc5|#w3Lxu^XF_K>;P^zvNVa5_
zJDmBl69r(;PK<wXZ^c7ZZII6=uIGDaT^fYcCwniOFrlf@OSw=sm#6|}=Gbog(r{Zh
zU~B$W&CRJVcBlK?m8bi4I(vQ){YwA+0iX$rKqY-P7Pbybd+~P<Bdchfr|sW*gZh`O
zIu5Vnt9w{SVxb@BlYKb@KkB!8BJgT15j$$r$F3p~k9@a)E-`)h6&`#;+`nreBnCnm
zl>UMgmMiRuZyT^s<5CdK9tm#4!CmG>!(rd%1bg-GB5A@#4gMNptB|IvuNlK81xhgj
zTY&m+WIIDlLM`6e08Oh<)$dvNa1%P*XCUz_rJQ29u>Ktn7-A;<fROb_Hi@}V_T`{h
z2E;^hMK;aRaLIb)nb4`34e>EmLLQ0T505kgu=bdsh4D9pt4&GAOK>*qKAwS_XRza~
zwtQsic1u_|fdAvN$4^*@kvSUt>$BziE5?ge$uC-hi1GdNdE2jNN^2weaQtm04B)D2
z_U#8M?jz7W!+5L&ix5Mbcu}~_0$$d^EG664)4=x>0dwVy{#-^97kcX)o&oQ8a1*05
zz=IRIqCBCgOyH<l_;CBnT}wEuJs@DoNrlDNLX}`lFi7l(rv_+@EXX?#80YJNKF=mZ
z{1HZw#l}=fpsu;US1feDl*m`!k?!(Xz;#75B8EAaDm-4oj<w!b-XNMZtB<`{Qq@!C
za2qKu-G~^8bLFvMlEcj~*f|!mp~i5-zR}2SH-<tz$C<}OLOjEiusUVcO9NO*=BBkW
zBed}=|KVOJG=TGGwy7GXC^#13xqSOOERll}0~HSjS2dpsv9v1ACp3INXr3!-8N0Zj
zUfex9h3N@Pb&P24W*n5k%9s%4?Q!LJ2kk_HC0x}UY_TM_1o%XHPi^6M^@EX~e@pK*
z73b~eNNKGMa|0(gRmDq=1~)C59G_)hyG`gQuIS$fz5Dvq1)b|lc$SR#zJ~g1^_KW%
z_+Zm&D|Vb^J&cDM<l&2pTYdics2o`h5QUUtaoAhRNsDvIvbRiV>@VM+jK^?!wu`?1
ze#!{h3jP;A?42uDT13=v_5;?wqCA*Wq&NAk71rxNy&^mMfTx|r&@}CaC@S<95K%=&
zCtrOQ5@5no0TKL&fC@hbCpY(<ile3I3GY4l);YdGEC9=~Sf0dn0p0}t*5E(Qn>L*t
zd!T$%U$+!9yf7RfG+~w_dw`m1CHr7oRx_%y^L@3*n-M53Mgkd&%jl8RS6(4U)qaz(
zuZUL$&wE#^aAL^cD7dcyg%X>kdX=Ay+nPO1pN-f?#z6H{etu-_sl!AixSZ`;){Z(D
zqn{x#Z2O5l!`yemUC!smOS}aZE*p28o)d{;elmbcVhoxaEtZ}U94%?mrqhm}!GG+j
za>oiyq=ZJv4?CJc9c6%Sr@pXv`2)@y4P97CF*!M9>Nje?fUt?n{NJUPTqsD|Z=o?0
zEZoPU4uXz2VT}7_9cqv?AL>MulZULkb97(z0#c2(+=SpzN`gI3A43mOHv^VhYxbxW
zPvC0Li1y|T)4@&cM0B^%jv|7JHmp1uZYFf5gVr+BFr)L8T|nT3?P4&Xj1zru9v_<X
z5XCScF}2xyt(YCxlL$2~ovRgw@%zbQk}s~gO7m@!+>hq0o)TY2nZQJ|@rrcy*k5I>
z_IL%-yWc<rwC8uXyEAY@fMtHx?}tcRC$07*ML;&qwhs_SbX$yh;6q88ay}-<;)1KS
zY#+Z4VNsC%5%!-FPjP0CQ1nUg3{a-538n!jenul~_TU#q=N7kO&(%^Mm7A7~RPy3_
z$HhG~Q@5Xz*M6*l{vl`>D%vVt>&6I2)uZ`%CT4A6Jd|JS$nasLyXh@SMYkc=;P9=A
z$(h|aDV1A4Ur#}v&d>2Wd4U*SO^;Y6G{=MT?VmOv^Spr#rceJW6(_0TRygc2!UARL
zb=%*<^Qkaep?B|J#xqxsZ=!nh<9x=ji|0nvDs~FteL!Wj7fZu~1vF7=R-HWlGGY48
zG!Q&t_YfA~1dcqEku04m7nyrAVHeaGho>l-k3Z97`WOs=sV|Q}Ua4>DAX(DW_&}fz
z)@_?{=8f|I5)Q>0TWz!xP!E(?4(wG6f{&9cEgNtMPG6%24~`P+<k=}OhK&65XsOA(
zY`g%%Oc&=n)WM-c9ksZeg8HMZe**JBz}c~)U`E%I#nrA(26+$j0g3mVRYrtfP9q@J
zJg0>2n$P(|H>4v~fgWe|@>e@uRESMg89vipCz#QsXz?_YaY6yB=rDH|PTkvKGm>;f
zC2Kfh^T}THZsUBuiqXd&Pq#rwgP#eh9mcsnIGD!bIRHX=wT?^9%sXA+5SbCh_bTH>
zIx!Ei(yvW#3MfGb*SK^LvmU;uxLkJ*ClPZED0_zZspWeeaa?oM=^Jb+vWoyi#r(Sf
zGZ=_ytems1bb!8!1#IRW(zw>jNK{+iJiswTc+w;HpJ7PHF8oSz=@^xWftC<iR!y|D
z@>N$=f)5Zv8Z-K$G9Wb7X8*V!1=@*gR(Jfw?<v)xZ8iVNQFr{l11>_%k2>$KZCC3b
zn>BQLo7@CuF1cd%F97^tl_GB+0XjfTgRqI+`k{5)6Zm7cw?l@Usz;0gx5GMdNM&n~
zXWdHrCYTTWXvrWTe>YwgZIGI@K{5jcmU;&WZ-Ehd^_s-A$6-+Z4`k@D+BJa7c#S>}
z_5uT$81w?h1h*_AGiM(r>v3YzRdEj#lJOIC48-N+aKoSc95~2RsYiuoI{AR0*<VQZ
zqB%Fo1rDI!oPFQ)#M1ap43Y9Ac&1p)@(d~UdHs8<Z^fF$BbaD$_q1e;bG0MAzOg^m
zVa7lx0;~zVSZ6=Cei&uO^Pf#?Tfa>~P1tvX5kX(%XSBw+kUIZ391M2@6S|8+hIe=#
zF_L;lg%Nl>q^5dtYY1m!I~d1JPZN>MJKk}e)nh={O85OwEimv8a4+hiX)ximZ{#wz
z@NZ=25kL0mNB;?&)lxBQ!ZHb|Ueb#M<UYQ5d&yYq@n`CD{Z2Kd94DHU&WdbZLR{XL
zfaJ%<nSz&ejyx;#t+Cq}m|3fRT}M1elF^id8e|jYYGK@^I|V3V@>Xy7^5h6AtJdop
z;2Z)sa#5ZQ^hWdB(-HU&6htQ2`d&PUcJk3wn*G`2Yc<=QxnNDcv)b(W{s#GKl`HH;
z&1Mbw+Y+8&M^GT=l*g~R;bp8&UczTXe^4l7ZlqZUJ*LDvw_#~W`VdB7@rsX{Q&)+O
z5OhO83p=M|!>%o0qIR3!uu#NH2P>CofbZx3WPmC)VC{&s;YTTVaf(5Z5z<EFQcRD(
z>?gE}<0ddcaaa&@^BJ$(@;`jAj!d&cupo>ZPRb~EKE{*q4wz@TAl8yQD1WgY(G|yW
z^!ef$sAYqZZx_PHl%ptq3=&%);Ht=2`{M13Zx5PzjGFMynK6Hg1i43InlZaLX6ykO
z>yW{HDVCKBc{YUlHuqyHpXnqy?i3F$TdnZj&^~7qewlZSK#vawqxPaQ(~QuLx!9Kt
zwR|PiKez!a(DFyEeoylrrC}aCGXm8>_d*OkTi7F07Rq$-bj}m8D*2_|y8U8T8qhn&
zW$pC+Wm1~r;C$t`rjH(1;+@vu`@|&K{sbygGSnvX{-2x{D9n7aUYZZAu(@E#x*b)-
zLN-0mLc<^KD^V)g@y($FZFDBpkR^qW{3gPMba+BdstF54Abr-you|r(z{MB`(Wk$T
zqRbV`35(LOA~cCW6gcFr@6EsIm@i0yVxDbJHx0AtN<-KumU(A~HZ!4VnRh!AYnTiN
z9_ja}XKCB_i5HEf6#-Stj5GUm|3yXEVqdk<P#?q(H;Jb%N5zP*jatYvQn@T2;?Zs9
z8o(D9xAo%`U$gW<)7hHK&$z<&jMeLDL}N1H^z8DHxArtS)XQah{T|pm923!YQLTXB
z558CsE@kYEHZIQnx<308K=VU_l=4+;Rfx~SX`tgX_Ktu}d4;Q9snRYqP!B}wO+=*u
zoC1*ZZbQ2HGt((5RF=R}lj1$^UwE*{B!+RHKd*AFVZONj(imSL1pAqkiCE5kk=}qn
zTxS(|T6qc|n@cV#TDeMzCOXt>cMRMRIEp(OBp!$LL)`>daU2GD)Ta;JJJ#5|{WK~4
zxp8jz8=I>>Tamno&lckhfYQn|cYg?^OzVv``@U>kYc&jcJUqSJsY<D55%(m^^Qc!^
zA-s*Ry>~Q=62ILrZ$xp)@yKLF+yuZ66S1<~5*?+4f~D?JK=K!Cc%QL+E4)BlZK>^E
z>7p>FOU@iGHTZ3;F7Efbk{k~FJx{lz_=U2MEaMCx{65c8gWS{Z;0OV=PCYa4)oZsg
z#)Qyn(?s3O85Y|i!GzXosajqP?g}i3=TwXr56FL>&#r<oLza~4n~46R#kertxk}Et
zs8pFjE}4SR09Rbm2Kc*s3bH;mFc4q4nIWaJGS2-!I2?v9>W53<qpmSb`!9DUr`Kbu
zmd+qfduV4)Wg1-5HJ$2f=BzaV>|hnv7ME^eO=+oQp7)dOYbu6m6HmTAB7G?}15TLm
z(ztE-iFk$68Egy-_kF`u?gYNKmN_FBREJ8&yDG!n5&b1p5@G@M){@3u$E{EpN5Hj5
zoe7<pUZ&64Z(RCoo0YoR0XpEf@|+H>bjM|fdr+9rnhX_tTX1C8nOl$N@P3G&z$upJ
zH5+)_3WY!B`DhS(DnGVvO>8k7;70sgmF8o~iA#TOvtmCj{NGe+O@~f+{dXVx37kv5
z$831JL*TVJP#UWZk3}c;&Jds-4`R&*{JY9Fv+mY<onbbl*3#&IEphDz{7Qf`P@cAE
zg>5$w0M^OnDBE`4Ahy_Ms#Ves?Eai5&=K-N`O;crd%bQqH%uRB$Of3e^uVS5vGg2f
zwl~FbNSxLrl7g8oD_J&8xW#m^%V!$=272*tHg~>Am0IVO<X@t2v`;lVE+^J7$|NO1
z;Ob@AN^%E{RRW(RQa_iytwGPX!#kKfRTlX!Y``g0r8hT`^4!6PAMGK;L)b;%VPjgY
z+~{HINBh~boS{^tw^t6rbkw2)I6U|lNjtyV`@6S-bXqcZbN*WAK109AI9WdCU^h(g
zD)EMAZ3P7K)6(ycl8u_G<4KwkK3H3=^k^=p&iQ0<^`)d4;2F}d*ngbV0K!L<ScJs9
z>6nb0df?l>vAMe1h5t_Gx-S@`I!Ui5S$LSrSgP3=@AKSHQny2Xq5L<JJW3t>oAodu
zxrtV<_+sFHtH)*-uW=9&wpyu=ivz<L6S}ChdX8%#MR))_v$2xv9F@K(t8bVJy%iGl
zenlY23I$AHz@Vf7b1+aYfrtPm5ZfKDav{)|HB7i{V-YGW9%iRia@3o{gf1-^mS5K+
zjvd)8F@kwULe_)!zmxz_ALV}&Wm*}rui!tV_ItyyV~B}znTSUJazr);G%y><w#7AI
zY*GyF0aKhlI7oJa-tcC(TrS$xe1Rq2BMqrTG!uN3P$!SOm;svMFb8Y!c(XU<3L|L2
zhBqLA!ui*_ls0RHhT*(E0i{%k9UCDJuPESyq(T*(JVFFV8NJXPb&x%S!jnR@jF2uZ
zBWem^Hzgj7pfv=-=|2LI3zb{{AlZSC;jv8qh6)uU-2)QNMauQ0pKMaQyr`_|-;G@e
zQBVXG?EOJmX*gYaem+8kx{F}TJrIN^?-gDIHFTL{?I0)Px_3KOKHXoSs<v5;5^T>~
z<&g#mQ(2QtiY3cF?uP8;mGJy=1noFCB@`@4A1;XYOYYD(sf((b2^gLV{k%=Vb@%81
znzIOzg|B{(Y^}Ss*pSBTy<eXx?<90AyILwG;&Vq_CGjrTZ!VO|?OC;*UL`$=AVEu-
zQwEYtaIbOp%zSaD{}hNX(7WKYn4|f#IZSfPg#~8{ao<lrLX`wSRu!$oy$c-iPLxNB
zqt%Qz`-nu=Egy}^;uPwn9%V`^ryda!3d5EjOV<lnqeKK57Q(0j#QU5chvIo_eQG`g
zEGFN%o)ps1jS%YEr;D55&AB)EcAq#2bLFZLR>ND2sxRVh#h+KK)#><Eb9}h|@j~99
zIcd~*sF2WWzS4SlgUI#T^`ZXnjFz;XU;eQkSuM;PEk@T;;<En9E8c=x{Yg`5=a<k-
zmxLbrgC?zKHF<5%tP?|`I>wmE^M!5P+wkXIl^H{o@gFi0T|)isH75p+D;S@|WO&WB
zpiXje9_*P2IyDESY4QR83I#i55IJy#9D^uYgmf~hAsj#j{LwCut>Z)fO~L=XUxX*g
zZ(uPT#*>Gg#EVg6?Hddau#o^P?<lA$z8D5A=3_RlUr|gteR`)J>s7(SzkT$QHm@k5
z=On{M6A9}cPJ?Rj`yDw6zfB#L;#gxnyhg~T0Ti%(w(3uDLb^AP_5K~7*n_`03CAK>
zLC4F>g-LC-?-9egjs6a0zxdo{ac<7@U^jILb)lc}tk%1hxfe);EBQ4V$OYZVl!bKm
z$IB|=>z?P?&As@alo@6laYeSFJ)=-^lq}|j)CrirnNCeeeeGLYuCqO@v`1aRjjymL
zwk(SfdT|CNHf>sPm%8Kon&OSN*A)eJu~=?OAYiLCb()t0>*($E=nw83zZPDUy`;~G
zti7g+@H~K_5F0UDB9w%jK{UEgWh6QjIce?%p{Dq;_O)$!U?LA$H(8?;4P#@fqA*^(
zMFr3Fe1%T`5%~0kc)tdZ3&?|#e^p6mYGyVb$sJZ|Ezw)>o$~lDe5}-p=Ss}pV8@u_
zEyNe#Dt*bk#23*X%<aihb+V)t`5mdefKfSoZoJ?BE}MZxzLzO-;ylHj1ASx;Gf&q#
z&Vk0i?zI<ghbNLe29KgcNmY9E{q#nkIX1|Fe?yCa+~CnK9+)_I2<(8tN%~3JW=xz=
z5GkJbj?IYTh#gMT3dDMJC$;$f`kfeT1D$3^Jj2xbg}bC!?^Zy9N7me&>9Mu=_4n_8
zBQg+}(RNk5wQa`}FscuFL)bJT3^al+7a_<(uf`uKiW#@X8b$caROj+PzGj~UN&7~W
zRDKqS$MCI{JhHD8R#qh(TX|fe`@mpdlEfYTzDU+I8~V*nq1Fc8c9h+7cdVy*4D;rV
zbFMQ~#CH9G&i6ddr9Nv$aIRxNxeQ31PQ=S97l@UeMMoX7|Mb?KfnST9gLYC&k=ip3
z)Y0+#`BnsjZTZo;)f=|mJgk{IYFnwgBppf;KV7LN!t$$8jcAXU@Q|vkOq<onVtD_b
zws}R9jm#PHgsTLjX&<+vXrWH7zrm^mh2-Dn&DNP?y#{EUhh0=IBj0f`9n(|in)(XB
zn3EAbg`BFYQN@-I&-rl_A4d^k<PN^H5B-(5iI!-thy=OkBIzv2gXTJ(FJK1#6ww`H
z9@;MBew^hwg{D|NQ#3a^7Gt}0MjZHg<zRb$+{hp4(#_-j^>nx!mDEu;%XX4<pcrh3
zU?=ONqMBGGT<yyOyiG2Ge&hv@N#f9bwiU)gtvI3cV)^4kJ8@SqxHqSZBE+ZjQvY+y
z6IRo%8YPz4O{t;8%SFFwU@&dOU~))&iN5$NL%w|cgp7>dPVK8h4t^KnQe6qo`7y57
z)$-D-PwHIK%NbkFu~DSlcm<Z>ExNoYkD-HDjrsT~k&%Bfj31N0_1ed)mEYer`zYOi
zl#o++DZz=+vWelQ))v1K#&ecoB&n8P|67%KajmQ3lO27TrIxi^KD|+Ac(bDD<d2&e
zbC+=fy6cbi?mVy`G^yG@xGFyMPukMT?jBEAC<b@Ans@&@TnYXEI)w01i=^*~rT)hB
zydvk^#Cs^m{GWxgO?}I(_~g!N?403Yqw=6h$@#VE;1Sc4kK*zFH5s$|zfGbJQYeV0
zG#I2UhQ;n>4x$MBLia?@?yT<n?Vj6+KM_~a`d@XzDfe!nFk9O8*m&~fNl*!WjMd7V
zg=1$6A9R9?%xpJjmMI_T_?{j2{~(yxF@I@1v>_prvLfupneiYjV*gEP;CDpOiIo`h
zxYohfUncQsS-3O*{D7Y6%0tw^CJ3TBr#^8?FL9O{j2GY~f#_-MWeX!;=D`L1PHG5O
z96Qo(tj;*(e|~iaEQZ#5o3Uag1(!JYqe*8;<L75R@X9wtcLL^1cb;EON4{RQb7!5C
zgN7`BN%&0`K=0O1nxj4X+yzO*IGxB9{=0rgN2DWJdWmf%A2U9~mU(XygnClv9RH(C
zRV#|aCpvH`^1VSNg*P9KP-ZMoq0F%0C#)O{3^c#O7X)x(CYVT_iE7XQ{27$g)P29a
zCw0^lyUUj-SfNA+%m$qiQR(B#uDL^Z{w3eYa8Fn80!Gm1p<yMru`RdlSP=@Ni<wjd
zC0I9!lRw^XhOh^9Mvy>IQX^RK3ikbB9V0c_Erj6HUoH+jt1@Tf*`;x!EiyMPd^+>5
z)^q11Suxwc$q)&2?hg8b=wDk#4HbU*#74B=4O<+y&>fGs7S`7b#_F^fa~?jJ--wPf
zkCT>1+QxHaI*`_S9XK<OvDBGOo{ZjxAczwA@apg*C8e?{Cso(CJ~96r-;Xb5E_664
zUdbz6yU9*mj~S*C2~W_Z-cw{Hr&4|yFao#AAq!6n6>yJMtQz3)&*wJX;%mcmlGLCT
zv|&Q`sIXwPraJFMinib}3O>q6pN)nL*B$5|;wdBz*9OhD3I_usJ&43KilJMGzJ<4N
zKmCy@CNq^#8m$JQtpx)T%^K<sk}6neU5Av)O^NHCp${DtZNnt^B8dmRti|Zu!X+f*
z9kDpt#tYMnoqI|DP+5om<>af`_xM?4VEQ^ja`>%?FDe3|QXRWCsB;!zwQt%q{}wKz
z_tUAjlJDwQbQR;G#_t2m<0wfB#E9fZ&H-@QqZsHTUP<%u;veXo1nGr51?AWvPv`1S
zKhii+LS~~wA(Bl2;TqM+W|NM}sUmo!hi;2UN>OV!8_P$&b<+MR=HB|>OwvxF9rL6N
z_hbIW6=vA~Xu@fKvK@5N=dFZLiEyRJQRlkJ^7E!5|BeZApf*a7&THZ!MMZ9C<3%5e
z%X3a+9kO4kdeTs*wVjrmorD{sB>GC%tDmb=^LNOW_Y{pWs<<3)JxV#(h@XtJx_;7)
zNY$^poD4J4We91ME}*(Vjj^wjbfsOxHQIRQ0nO#Z7IQ8_@*oi!LMpqi2M5qD9PKfo
zP#uTUo}|blkW!hxYqa8vo;@8~3;o7eW+M2P$%7YQhW;H#BF|8!q7z91*9Db2AG`<Q
zXr&e$a;Up*j%PZn_zMN4o(4lur4Egrr#z-Iincyh6RUwZ?y=1ZSaNbLU<_cUf&j_-
zA-@=3A6&eK8T}3U#?A|b-nbkyg)_BmQTjhBB0@eQ!`ig8eC%f_QI_p(%Un>^X=Ob|
zbr1x(JyuTDN-4pwqSk!b7>GlsCHF!JQWY=|vI_j+Gw3B@>yC7aG8S45z2z3_3&nh@
zrz75e!)~$-a<X3%K@9wg#YQn7s{>z0hhlc+#6b`kTTSs4mdulLbBUy4)Kd6~x3G6I
zG!Ga`c*U?S*E>E#>Ca<+le^WUH6V^!9HB|2*ZC2&=HAP_E|uF@SDpjUtPN5q)n{;N
zXx^N+(8&vK8->d-8XXHWY@UtijZY&~FKS_xT53hbSJHGj4i>B2v)O18I!AT?p#RnL
z`F)C8B%7#0X$Xp>0rMziqh^o}hP*Qg=0d*Kgmp*BRu>uYYUz}OAt`1z0vg$arkWrn
zGZgb3_$yQXM=HiH=;j$~o<FW>;oepo0j!MfKHhVM=1@r(v68^$Q3PB&k?cvcDz?@<
z%A{37w{kD6$9SMjktrmpbiux#Y_fj<b2EPDE-juOT>9?hQsARH*dW{rZDJ5jdZVM-
zWEn}Maxsrj7$diaf=tU`4L4`NTVOooYHSVGEOb<CnK5_pD`~E``8boT<_oR5wi<g!
zQQNj{kNeWc2?tIo6I1>YD-jtf2*~8P(L-xC?SO#@W1j>p5=`JIeC6iv8g13`v_NT;
z$n=Chm8O(c$yCb~HEH*6CF99i#TrS$2pqFz3BOi<i2z35n5nSH&@6)D60d|jsXVL_
zoS~vE4EFLeLyULy=yPCa!armv_oie}H4F~~A-j(0+473|nUHA+gaBf_N+Es-B%C)K
zSwcSv$@2LS#NxVE2+yhsn=vk<h7UC)O02eA&4P*J#Oc7_tjO(8$XR=-XXcAdDS0~K
zJ=T_mchx;bAF;jcU|Ic8w;*B^UEI8k*=dS0yGZHPZ!`*Tsc<r=P^88fO&p^^yzm%R
znmd^q%mUnph*|eCxWX2G8pjfT)`poSsrx%<=Ng$DQHaO(qnKhB@d)lsA0tjtlrkY(
zgk$@zdSM)7Oy5O423TYzO476FxEfRc-T=pJM`K1yuq=u*uNj%#qs{phIFeC1jD+w}
z7l((Lg>yuWR6j`}R&SYR{JXqnvN3q7qL#q7Y}QCLf*)45NkB|zVL&S|rZ{1X!h&1^
zZ2tEEGi#6phBSg#&WLb=oO3x37HGL7I&SHi^w2XlTW(cCp%e>~WI&XKxldug1_nt+
zay+uwZI+LI>^t{aE`I@^g5JwK;b&<r2c{khb=fJ}QR`ZoS(n&8Fp^@)w9012=m}ki
zfWz0&vhB+ioxAQ3=ca}gG>gD~{~HPQdXTTMuTD5_lo=sX9+9w^MMfJ_;>kFh&#mHS
ztxJxXhSK4-*?HL>DIc3qVx$M#$<Bms<;d)I{l`Z$KPP`@&h5Q!46(z>5inhOQeu5M
zJvFISzHN_nW?Ojc|Iw?QahV=INSV;@eUT#D8;Lh35Zw+x8^pb)`*^R*XCR1?k?KrC
ziqV)1Nv`3pNyhuRdA|^FT<)6tMyEQCIJdTJsg$y;lEMa1OlrexbRV(J=enpMd`}6#
zgXT6n4VGRJg|PV(NG*cyU|;^>h#~)n{dlrjv%(kyF{-jWxrh6_G79Kdm@?@;j_@aB
zQe~@ke7Lv}=%!K4KesmQbVde>v=+g>#?eVPjkl5$hn7w%betyv;4EbUBt~{*XuaF^
zR8DGMI6aLP4;%dXoz|E9o(&x>vP$d)R62Z^qEdybNvhISsakLWg<`SQ9LocElC*do
znf?!EsrU_Rc~{wWG^uip^*F&sRDwT@uTe3KX<0>*!)Wu$|Kc&5BSE<cJ)>nC|B}cY
zsjFr!2I2K0*~xQFwSW!A!s)og%5_Ufl!z9yR1gc@q@Rvepw!!mR3;l%LaeQYF86|Z
zdLfG_(Lya=#XC2V4-z1HVH3V6;-iIpzS&JQlcG=rfEqtWCWlwVLVV5JAQ=r8eLd~$
zRls(6^#*vHffKQRIP;_1&DiWT)BldHIaTTBi0|yUDYek(YM{d)<qvb#%GvA+dkkWK
zn}8@Y>F!q?cv6QdE0iE+@DFQ{xG*8Uan<7BNg|btc(#Lyxy?rES$CIPUvq$(q*x6^
zeU?1FEwmYm93lxyE#Bi&OzVx>+&ckv;f@rC7D3xJL-N4;dfo(BIQwSOB`}h`M9I60
z1l)>bNZjfN1+sV)&aiVVwM`Ezpx9VSCZUe6ygDI82*NUH)bHAJ#N@}g=-XP<5@~!n
zqu5ySO$F*kVTmI6OW8B{hcw=z^L-^WCevUPj35b!TNZPeyvmiKaAPn16bYbYiT@|X
zpp+>}M^>Ypz=GX4dX~GDd4@}g;sq=tcqr?lk>foh_TP2h8kWEZan7}`t&lvLk*E_-
zz?v-!mju59MMDh6`Sc<I#h6cqZ4<7+&X}dzs!yJIq%|p%F^xzR-1o06S$HaIl6~2t
z;oV+NYcI!PT~Pb}gQNrb7yYxlc{5A&a_LEt+8CF%T}KJfH&NR)tg0K6nWi3dZPk1C
zNn2&A$9ATc$5oP*sa{dw#J3XJ<-G$A0clHJ>*_Mp@u(rH${f{Q{99|Gv4nC}!v+B>
ziVPGZ!m3Lat+Lc^7;CG%G(*rN_k*$q{kT!sm~S?PTR_^?5H*uKQDBe>Rsi`#AXLh6
zs-Ub2^k+>`4e$I?hlY;&jDfhqmZD5d;^VD3=y;%daNY-7e?c=Vi`QHvgHzEDa0>AR
zH2`ihQ%3nW$K)vY7ah$-jaGhhI-4L2WR3}-jE=kXT}e|QZQk(Ea%py6raH4UEoS6w
zG*RYi0q2`&(Ci`<gvqc3NY_h^M-1Z`Eu5qXW6BSalky@g^b2kac4GTA3a2uI5aQB0
zYN}g5SkbGm;)$V_=hI#?pOf(qdy2WMfCuDf&`93o+!B^6Xs@Egv?g`i<jS$K*|<!R
z_3#h6B5bxv!9GOE0?og^Q#QJ}WURPZ9vZO=cB~g<%yeFfg}_zA(cM0#=!pXW?PxXY
z5)VU_Bke0*TuKQnb&f)R`9qj<5kH{s$<4S29oM#3`w_Yuyp^r({cdAbD9~*~qG{lq
zpcWIH=k8N9NZC4<QYRx>kJ62PXr9cBV_5?VF%9V7Jl`WeL^e2MMffX#7Zz0BZ1uyI
zHuA4e<OY*Bl66!vd;)tnw1@`7F9uzc18GA3wN1hXxfjX}tHz&RczpRepif2j=KR*z
zh=l)c#;ydp-5ZuY_Xz(AvG1@x{rRgz+>mcA>b+yog=d$2=|<pX_WlmJF1BqE!Ah+f
zEMjmG4@TET)PZC$4Q6m79t_e81_t(ELXGQ?NF3LOXGNUZX`G>DjTW<Gt0jHR<jWY#
zXy9dAzmiCF7n+$Uuvh2}miS|80gD6zN-f1u+9wcCn>JveCku`OJLTFqDir238Ewa6
zw+Ov~r~v3L{ouhngLv!lQcmy!W#7AHH>xc#|6I9jhZ-=LKeL3-VOgn+?UDaVdpqt`
zH1sFootW3iIXZk*QQ6ZP@|fH!&*B(9LJ|*gUseolbf=v2Z;SVnE<B+NW@QgdwW-jq
zzi0In*bK_58s0Eq1Eju!rYiQpT{7e4`o1)c0Yb9xmQB?^<3ViL{A^tPY`E^<nqF@U
zo9Ev|@r6v>&55oxR9lD_kaO*AlAb#Psq!wq2D)^+porqgs9;-JdsoV}MdMH99&Cn{
z7f7r!L(^a#SVj8~iOn@p6=Dk{6$jDbL*VqCR%r+k326_EU!+L5=*SEb%q0H=B(Ay8
zEWCqrY}T`zLZ=(SH(CuFF?+qGYu9s<*~JEY#H+*jXNx(-@NTUEgmZ;rLLsSxr9c}u
zHRe?cXWVRd;Mk<fl7okpp8+<>`}i?4p@lnz8b!1sE)cX5KGw#YzmKFREQhNN6PX>q
zD%@T__KKdLj<?2!<Zka@GVb?3>XzRR7l-Qa&mIm>4{sY=!Z2sN8twdk^KkQZ{YcN{
z=jZF>c^J#@MwDI+zQa=SYZ8W}Vf=fF5WQ!+Rq*DidPL7f>0%_0j|PL{d2CtL9BG`_
zXsJ7=Gl3?gZTCo%&v%OfQyq~&kd{0%s+q^9whc1u4(@8)8q+P0uxkqFHDW)&R@-Z^
z6rq82Ny3Raf{W7l3tH0bDHQ}adA0L5(K3t1gOb%!3%P@p^MG0Ul}KC;dYGfcLIcL0
zrZL&kWyL?_UuE!67Zaf=%v@yp3MMzv1f^!AL+j2mmxhK>VRfh>{NcUIfn<JcOo_p3
zcCm8y?=$rhOK?y+d>5-L<|8p(pS2>7Uzyxa1#cu&>lu~W446s#&<*~+jDN!GKG0M6
zPZW$V`U5ib1u*0iyg%Y$0LCU4^8{};Jza%O(Gl^9R?-Ys@Rt%~E?Mrb+&q9pn&xW9
zeC$Rm<+f3^U|<=ov6%m4EPGUWOBE=@oK}$lD9$Ry2?&XM_Ui$5ig{!YOYP4gK5CNR
z0>KWJ=SQl#e-fD3T*=SSusDYq?d8-^8F|@MIuz4aT-Lq>3u$5S?;k9r;fqtE7x>}R
zTte%!=dG)vu-MpMe`6Q38pjM<G*d}VE+mMcBfwgD`a@8@2`z3#p05M&p&_o~0Eqyr
zX<1nZiwF^gzS4u1Ucg^f84J8fNmdsGz4bJCpdw4a4<0+6wF+g_%C9P!^4hh{pb4(K
zWQL)P3~|X|F*Qqp!<Cnb^f9h4W)wU@yi=JD@~KA$Pr!8gx0h*L;kH!D8N|oK)X>=L
z>gm7T!_&$%QQrONAf7@RqET-mmOt25X=DXIaf9Ha$n2~}ZZKZ=S{`}3=$dPPe*8F5
za4?K7HvhEAm`fCvr$y6-#(EJ!hMQ#qbzyWK{HLoRX)b{}g|L_ZbK6g4!k<?C^+2I2
z4@H1sRL`rWQ6W^gz9;2CaX~3$S1rWUxW9}Y9cy-Hvx!Tw_b1u@&LlINI!$4A3F|ag
zR@86ztxD2>FM1^w!JdDd$-#lFvdRe~`A+JiBqeDTb;b%GZ;Wwha@Hvuk08{bILuQU
z1-kq<4W>PYPP@&}UnXuAU3TdubLKii(6;hylZIq9eeS}!=&Zj;U@jwVc%QxxzpcCi
z%rY7oOwq9i?`5RpKIPW0d06?-YP02fFQFA!rT|0si_Vy1!xICT6lFD^9dC_pzV6O<
z&rwOsrCsyt4Bub(ueZC0V-7h=KpC^G4xY}BHu2HzIA5O5R$4!99)5~id3qHu1mdp_
z<igQy+4RVs>t?rgz4!WMUkNU+%`S?~&#<q;5idl-7B@n|`0Mpc*Q^h3j|aD;oTF<|
zr$3>C+uZoy^=srIP#hqEDDBGCe3%qrBj3M*(=Ez4x+Vsqq#vJm?@`S*Vz2tGP=&bY
z@V>x7GLZH}qCK67rsgR57Kz_r3K{=VGAe1y{~%o`$UhBO>rNJDvogie3@3?6Vnw$|
z`|$qy*t>ZN{;+rVbamWdJGK>SG?2+`YP2L7@*LTZe|S(ktFJo$y0J(cZF?jZBd`vo
z#}m|TvVh=$)7+p-H&a|Iiw6jgod{1C)ETq2Ti7;mxQ&+F)@_MYbZExPH$ZcHn0vC+
z@za+D&zp7i)>1_(%k5dy90V=Mb?+`{!;#5aR_UkyS}=9#(*PBx+}E!C!d%~);CR;i
zJo0T_x8Z+U@3`z5d5<IH*J)_WeZluzwzh$<*Plf^#&1dO3B5(hZ>mzvu8lIi`kGT;
zKIx`1a_-EELaJE&t&*4Dy;$40Ot1EKP9&K_kx7;VO4<wx7kc}1a+qZ1C_8m0)Fj)p
zStpO$fP!Qrbjqxc`-i5!js+l6$))m%$zu2<{I1m?1^8DV&oLBSjDm3q&|LDX@jV<u
ztr9FMv#Y<{r4m()Nsy4&sG#c50%uB@_w%ybjp}bX8K-|9b_^Bh0@4^XQz^KOg|?Xj
ztvhDPrYz%>*`o!{i$z=AgJV4p61EkE`Qd~s^M59~xq7?nrGCqLq*LG6YI!PnE07I#
z@YM5Ntr^+~kOu|a%OoO8Y-mUR04j7_kEn{%I0UrX;jd3b*<6N(a$u?mkrFlc47c+;
z47o%k^Z0!x#p!8=)_Q)uQ3SrhqC!Ngz4Qo<mnHHB?9x3TXKC%B3Of$1vgyQIcFW}`
z%65IoR@b@pJEZ5p>y8jGp7Q<9w;0SY!4(|*xpJ8hAJ)6w_K%Yd3pAmix4a7{Wt7ST
zkCEAc_7}{Uf5xBQ1ZZ(6t>~QLqEJmWU;$$?cbqGs8&bJNKO5)!6Z_Pv*sq8#FutvD
z-wXwG)YbO02SI^RfSNU0=8bG?h?J&(#HjMGdnn$;{dN}tzvl^T`YgCRNu!MgLw(h{
z=icpS!YK(t?&8XMN|3`4(%bcfes0FnIrc5~%T!l(=dP!`B@c(ejJTX9gwvfNFEe$+
z91EA_?dLHnYB+<<g-PNQohkTsD>G0XE`>-zKIgB8z)*4DG?Gw$F&T-E7w%r89yJtU
z4IcMA{Oc*%TF@A|5f@uG{=bAglpDK!uY4?uU_zBgp%Eh>07{_ljhH!Y3Fhrf&P5^z
z1b1z1?WUDsLadfE(OngKqt)sekMCWb>ZlJ5+LoB^+Z>LtSR;=KYG(1rC$(-ejdj*L
zY_C!^N4!bvrMZV@hk?JRq$x=;=?(}58bIklf@G2Dhk)|p?5Um=98hl48jlcy97`As
zti;`-8ksIgtNse-D*<clj(m=R7NjvC5@mgNqe`yf-vp#NNSQ8}L1(Bcfy`J_0bj*P
z$3}g{5=GuYQri-`l|m3g_88pN)U~rulnuM**}|ktQ7kcF*B|0qVppnH>D4crh%{#S
zbb?S1`R?JAe=G>{<V}B-+I}_>5)r3)$BJB0;j$_(XWCr`FJ}_8e~-pdRQdE>4si**
zaxMg#Wj{?yz017s5-|l7J5x64xXgXPo+xDvJ#Kx`ia;BXNBzorHijgoQ{!^*(%jx6
z8S-bE%KMkXu99m4H3!re`O2DzL+BfVJbsy6x!$kDBAz8j7DR$c`jR&0Z-%C-38tOC
zAP8bRuAT%!1O~*J_M&jKBHavS#<73mIz{rL4=0Okaq{$t@~Vr{fEGpb+C^e*_uf8P
z%^1`+E{AxgS*<EdKXO%_(*5h#HJmZdKcGp~=8;cOnKz1-*(wGSy%;|!FhgnxqOto1
zi8)#6HwI&n9ZH1JldHnF1&-IejfpS8_x*|Fl`+idDwFR=R>{@`9{Wxwj<?R|g|9ze
zZ)X^QB01B|IZRm-;fZXvrwF~{ny#NhLzd}LdMu~-1;OAd8cd9D0Z|bvA;IiDKH($R
z#a`kCnsIxnc3V^VfH%8%1XI9L-L}Ph+(&a70T280_E8c}Ue*0s)L=N|iVUsL(Rb`J
zhDxjpEE{s5{mv6g!@)O))9o6E|E!_K--x|fPa9dZYAelEm9pzuvIm|gVvc<F`DVUA
z`fVLJg-d1}JqH_blLtg^W<%mq?5L7ROkanuv%R~ULz6TO2CEgi;VDnCgfq)pfOxi&
zOZ9zTBMQrG<B@jy;bUf&4MZ8Ek=9pWBd%Q(8hn}J&hnOU(C#<cSc%k8z`1woD^e4r
z3cL#&!pyYZ=iSr6(CcB3&ANOkmtwu@Am&OK3G+^#p)w?L%ywJa@8N<;_!98tFLPec
zA(DhLMYL`-uj!>a9#sD{vtns6Ck_=6FvawB0CM~YzED`Cj@etLg2<%CN`Ry{8?_{f
z&?$#plPIFp5vy3NuzoSOv3M8)_K_l(ub=T`fk=P|&GU~vquw1>)?z)2W3{56xCa@D
zraP>{Vp!hfh6}5I^`Sth23j4ZV&^_H%TJ@|;k1qP3*3yDc86?IV7R8*uJc7P+oQ5*
z)1236eP)a7m!(Kj;nKTIEu4EUzbC%cbK#V5Xt34deId7!r^%0-p)RXThEZ-<A4X|f
z8|T!Mu}VbYv#cMzC@^c~<K(u0sHwx8_*gFl$i`U@7dO4cO7m(*Y)Oql$gQi17zp)d
zoQcr(ABzdQ&A6}6yTwDvnVBs!?nY2HWUtB1bpuN~(X%GsNdM8wUP@f~$F50?t#J_l
zmdi0?z}%$expFEN_`krDfct)MPoS^*OQobmB-nTYiVA_ppkQcFqNl><!fvJ!$OzLE
z;Q50*E8f3Y-KMByWJV@NYCy9wpp&!PyQ{_1ND;w%qWD7%GM;*C`=1m|W`dRJ4L#+|
zEW46u?AeM-;UF$5CUnGeW3^N)A_HPB{?kL6U!oejq?Q!x80t32E7BzQJWtJFm-7<@
zL~M5N5Ow;X*1^1+KREsP9qmnBRtNcCrfja3^4Q|iw;+2-A}>?#{=fYo;BpfjApYdv
zh!8_TE=r`$U!t6{8U;cnE}S&@u>U5Pq*{>T{CB}kv3KkrIf00pF5;#p9~LJ}-HDSo
z3n{X~^O}?RND!rfI&H`Vj$H}}2FZXqbf0Vf3R`sePXXx2qvpIHR*a^oT3Gi#hnPc|
z$>-yU<xP&}<nl5R7!dLv(){PB?{jVA8PO$~5>cYRTeRh_2N$J}5{nQ13&X6T?e&Su
z!!;Cp-G$6=?D)95yggp_&@RB}AnZ~zv5R5G?fr7@Xb9?&LDMeYn5b{)aHg}h_OzVj
z<#a<V{IvO7yzuDcdbJ}F!e3@_R0{czN}vAOwyeiJJ@0P2cIbY#Y_6_<YMWjE+tPc_
z^QmijZgD-{+1)DaNqG8{akx#QIeNFdl)tLvYO_1Y(7d$``VqD_;b28O*g?N4qjY59
zYa)(s`RB-ookq0FYFK=~N}9cE`pA>U7ggTl+p0R^m=mxqOep>Q?c34t{fzkJw*3Ar
z&4YUoP26a{M^`XBz$RIY{hLd*vz{y{TReX-%QNHje+3UX@W;3Xb@AhP?1n=3*VN!E
zeaib^jwfi#?P-U?@IFYvvi;xQdsyE8yNV}R@Bc6HSXT#i?pMNT|Jh?(KcD|`_CH2v
zyf`^LesSVY!u#uE>G{9AS2_P5w)fWi|BF0FBAF7C^dX(O_oi{!5@}5cX_L((!_b^M
zD%XT2>!bdgdS>>&4nlmNWMJ9;fAnyM|KDw|<^M18tQZgbQ-fd!WinGA3fpg7La5zx
zbZZ{}j<MA$ga&PxXc*dv)@*@1^5?~~egUfXcxdxGyqRlAMR3>MEr`ZOX~Gz~Y&kKW
z+5hvSGvApeEZhGN+ZFxaZfCdsaJ~P(#Pjd^4XTa9%E6aKTEt#P8eqb8)0CO`;2{Z%
zBnx;kG7us&*S;p#)-86$9k&B_4E{U{G5$<o^KHii+W)gx;Lm-W{jaT%Fpg0qf_L}T
z$Flvuw^!x=_uFgz-<NsHX7DC%E8Yq;h_g?+)-+g0{&Ld=>c1PrSV442+kfPD8X+Gs
znRSUA)7|}p?xTn8N00Y*pX`Tw?anX^I|q-4bQlgOeRR+c+3q7c*nc=^4~KgPgZ<9l
z{^KWfpYHB=_S=tk2ag}`H>|gNmo(9r?1{Jg@Us1++dk;-J@nfTpLE&>k00&*PjfAY
ztn$p;|M#T&hi9q$|8Re1{~zqH_y3o8%KN{F+-xa8X-mKN-@~h0l7&BelIv&g<Lv+X
zOoaE)$Kw6J-`RgObN}C7-~WG^XJdmr#~`FSHW0?lay&;iHpr}(@SJor)yg~Czpv_W
zw^PZ7VvN0QJk%&>kmndZ5}Y`sqlJU*;+qRL;xg00iEPMv%xIw|q~oM2dRO3omwfox
z*f25fO%q)*nVP>}(g`a{I8Aopts<U9;h)$PzuH>bC+#SrQmSTq&TnuioEyQ+n3isA
zkdzGzlDl$tLN#X$=np)dnVPQ4MTOI=u|y>#qoXeAbo?iN+tblEJ8duBd)OdkV}tZ;
zHpNPg0Q~G`r`g1$0h@#mi=2yuOR|Z<FgAAxizLIixq@t-4quAwJY|x_*(Nq;!B8LO
zGM6m%MmY~z3v(s5Hj<QiNsfuD@g20JP{2uN;C6*Qy(*Fr*o2WWp=nB|N~W!%g0G>W
zV>p@ASQ8rOn8*Ok@WPqUlYV7h3*&d%&Eq8^EHZF|ud&YKkfi*IX3R5--7>S?fcaX)
zRWBAHu9*&+=B7DQiw3roV2FtZqXOI{G3%O}Dhi!q5YXf_gCL)hJUi_D2s`uT;fqre
zvO$hnKzIyMaYHt6V6n&{QJ40hW7*nJ&3hvD22_qc+pd{7yf9arYAf}!RNI~=G|f0H
zkELdgBG3396rKrNK=~$=$JXxJ7;&qD+iJUQ5Z7O!Tj^1?xnghFSk(an8f@s)a&B%G
zH!}Ff#%u_^u1Ti~X1-uXsZ}%D!>|<14W08dK`u<7y{-=Br@EhQeD)IAWD?PQV;$+K
zCq4x(XxcM?NVV{L3B9>@igTYdN26nz?l@^w?nZO&PIW#%-LW&Cp*_o}4-$?Nh7%LI
zk?7csSjYtaWh8*q*d}c}_*P>2L6c_>$km)MlGvE`uy@>GZV`zRoA_nSVkZVBxM612
z<;w6lL`SUzS3+lwm@XNO%Y*SX8vJ9!?u;@)RQ*tG_X)VPC?xz}5ctDpltt5i*(H4*
z5-;y};os-vh6H&=ys$}{#2fDRv3VR2c)sb8MpM=5Fpt3L!N&e{BV`1E&U3BfcdAkF
zP?9YL$hL8s)d~K#^-=e4kwfTE>m6tUUfw?Hr;c(l;4z*%YB1PIBEp%)E=BW1_qB!b
zJ~jGQn$ZN!l10+S0Flt7O$C5n1YsVrRA=;UDmL(4)1P7HZWFD$*oc!n%6Jkn&-R1d
z-bT@}+DUl+oQrUF`+V~5H-Ldx?0p9P*FdYBlb@KFuwBw=w>vPtqxqZs^Ney{JlMM7
zI!kQ_i~vO!v%?@zC+4S*w0N(**F1_%Yrw)g-CON}tH@!I+|fk;cal8ffOV_j(W<?U
z)$Rkjq|N`(k4fz@#nA=TsyZ2_h+#{k=4ckt^s&4GTmlgXEXiaGBb2ukT<p5(cM1lH
zOw`2jRC8InBX}dxiA9mCUI|*N$OURS(S_^0cdpt?2Q;W@&<UkbhY&g7f-3YjN4jtP
zWb|9}QxT7dUa<=u!mdkp3$|KL<6xYMSYRxY3D3wxgse+MyhFrrxT9k*yroGJP3<qd
z?*^YO5zwecdYI?s|HMCNrFoq32{UP~u4#m>{?C6t@_soy^Uh9QpPX63SB&ro2G}J{
z5jU~RAB^8$k#VJ8nrvSOg$~iNZpUUrDJo!SCmnq(iqLz_g^RNg8ogg#o^+K&QG^iw
zXBoz3@Nqur6)hDj(7}c-oM;(GI!~L<xQ~HXA?@hT#rX%5QJcjO-g3YVg`>O>EuE%-
z3X{q7t@BRrl_KYmqV$fRAcjFwoP=XophyrpOzU&ie(P_~Y_i*D;n3OP>|OtcNqFl~
z&p2aw!0UpMK`JvZ&115qB*0i??7y}f8*b=c{g(;h+pW$S9MZOcjmQ(0!cWI>j1Qp%
zNJLzI?zw8a4=)=th!^jfwJ1#%NYKoBbPGqm$`maf_)|x`Q4>&kW;HDCA@f*C46F*9
zSIDJzi!adB3pf@^L0=#@F4*pX$$%63N_93b2S8&(t-BfL4?L=&^G-C8FNOGvfNByf
z%>dQJocRocETf{1Yu+Vwia-c*u7+@EL`fw+grU~k)Fxt3#Y<V10Rgg<p2S!1qqs2o
z;ngdAL6C*$lIDP>O$1U=$Noj${Dw($45#AcPS?B;VxS%zM06^*_L`>h=!I6TXgS#^
zp?DS!2u(-wGXdRQ_*3ZZFooD(CDnvBqk+WuCf{2n8h)12Skk~mkojW6{e?yfRjRmJ
zG9q&)qgjTES)CIJ9=3SMgUm{vbi$$|xHwRfk812gQ;uoM!e{w#$WqztlIDK9{o+~k
zBOqpdPX8p&>W!207=+-lwis*`ah+zMxGdz6%oKlH;fsJLszUF`o&OB@tYPB}91o>o
zfChO+6c+#m-x}X{i1IgEYY9jm)I&lW@s<H{Co3ut+C5_r>1DzjFc0k^iv;G<1A9m>
z8`Bt0BI8F`G^9pU1?7nbmI7(l2!J|fkzN>+Ja<!?a5EU%OB-hD=$VkKOn>09HqO*F
z0q=?gMi_(#^R}79ye<a^u}if1Yq`{zkH+RA3PNc@%l|gPhMa7YdJ4(t#{oSmd&QOG
z5ZLVhT-soKph&?$2zBGrLWt^Hr=mWTJq3Yh(|TEuXu$m_WY%?GKoaJe?T^WuXr7H(
zoS9DN5(SW@V+>&H_y{x#^=sDzfzt5@Dy5cgdB^c!(RQx^c9-0EaPNk|q`3G>c#|2t
z9}Ah;*H8%FR0>R{HUz<BDuF%iJlXX-2M~j}wfm4v!hHvM)%oQ{F0Cc1D8F3JUZT#S
zGl-TmQ*3OMo3<n9E*a1~GG#xgs+HFCnX2Ojx>%ryJ{K`fK|8GrnCQ=WOlam9g08aa
zrito`&$mr3QM!g1Y!BPP>)FZlt$O<w8~5e7OK$YNE!p_5)_}(?IW{j?FczeFEQ)m9
zezSD8S59#&qm*JFsV$CHu{K_u3qkz?bV~MDnKiF0;R>*wi&`a+R6$f(Yh><M>XU4#
zbBm%ckY?N@kt~)R%<7%{!0pQT)S5$HL>dXW|8oXJL^@}L)uC%a1jcPHPDtqZAxjpB
zIFvSxmZH=cK^nB?iYkp#8Zfw%TS+f#^;Bx~>M)e8MBsl~8>Uq*VowY`i0}?L>3n#u
z`a5SS7hw-a*Cl(XK%R{Qu4+diO={_To<?2LY=VAToqzgA0vY!4PY9B33gyG%hazgn
zFU=1ghov7@ebt4=X&Q{*(kx4DckpJ&)m}F5f-zIF0Q|@z>56QJdB`*CSaElLL^Z=>
z#V0r5?=C8G&cw(ZUW#nP4VTfvL}K)#epgbGLY*SAso}(I@K96vs3<d2KjhL4j#^YY
zE`2D~du0PX!3B<j3v$fK2%)rP{7LxG#2wtW)(TkWOpG*~%|vKMBQYwsG+XHii*-p;
z42Mqjh+Q$%a3K`!RPg5u9=~8x(h-wg9ZnIdUYaX$Ra12z@tA3pTR4qKjLvw>&Ryix
zLs1;~e?-ijqL=y=6a)eVVub2QZ9fw6K}u5&0;?krW2tj2bY{wQNi!J%*s-k_^gW;C
z6OxIHMx{`<rN&;+_bwuos=8QYWIP)o3zWm9ri@aoXzz?qc(%MvbB{aQ<S`s0wGCb#
zokQMY8u2R#6`ry5ibm!7mqGHAEpw`i)YlIqwy16xvD$h@13$0g5#DE@odnIm4jFJk
z<dtgn^Cf=8N*9o4qQo&OWR!Km-{Df!lT3-Pm^v*}90`!6twN_<grV1hywmu0Wl2Zl
z0mUKw03=b)@Yd$?WQMrw51Nvl3#poPYh=^J?gsUD*XXKG&w-;4%&#tai5my$|Ng_h
z-A36w3pDQ{WQzOOcRdEV&IApg(TK)@j_Uc+lyk=+SF}{JXQZwyy&|`<dDq%dEqZD^
zYQTkwk{MxFkN#XsWHg=<8mbcjPWdA9uhiGk6FSA5BY4T<lM^*ZYTXBoQH^gk^iJd>
z^5LUn?o@?{3j{^DZNPaEE4JYtfnr()IoliP0Tj@QoMD}w+XIk>q!=tFkytYS74DuP
zM4#u}S=8J?2a(7_PfN|IH{>b1rcu<|NSVx19%P<wW++malbMpa;H;lo59V+Iaa~bz
z^+>1f<NuW8WoSj3&BUVJlG}>cQ~#KRHjpA&Ba4WM98buEO(2it#s+y-gp5X}!{n96
zOW6=@8FcL2sZlZ5`)aK?lEC6ZPo&=p*;Px9CzulZ;Ngot-jaYBKsE-Q^&8z8#K^66
zbki&lo^VsE(A6>bTMs)2+a`1&H0TU@expSp_fOsA-ogIE?H$z^?y10pT!bKqvB*bb
zb)uK0A2d9RA{GHl&r(Uoj9zi%s2im)BYKDR3$u&a<l&fqG><c#nkkzkLt`3(AsiK{
z#l}E?QY^3C+tmx(!jQ4(qYoAz<k6!?q*yN{aFbHTUcFy*oKBOSm&YTa*bqJ>{aLFO
zJ1H(nAM+<!rb=~+79{0C*4-SOo5Z9UL2wamIZV)Wcw>W{4$Up=PRYy|FCG8eef3XW
zUYjE|y=GmNX46Exx0V3LxCi#Rnjv!Gsx2j_;~npo;|;y7WH{YToJY|PiN#D;nDdQG
zygQIA+abYN2<xqFHl^*Ar9L5BqhwdD(%~<?9aI3)G$g27A>{c_Cp+pB`Cn+Rl+oZF
z9@j;R*SZURC8ZQLa}yfV5esX;ueRG!MEOM9r#Zkse|==F?+mkMTh#d^ZE9%rZy$&}
z4h?$g1fgJmRZqEhh!hw?*GWL>1UN2|SNRv(CRL=wKN?f_fHk*xFb#9cUP7c*lc=;j
zO4y5PETG<p>u^lq2`gpehg%k=WWX-%mb8g=YwxI>akz<oD>=0-Wypjb3s)1raxbxD
zVag|BM$TVj%yM&UZw_EPGMNu>TuQ=FAS#>dH$5ex;5qg}giM<+dgOx9@RyWl>{Sd0
zndJXrUGn%juVF3}dX{q)q7_O3E+@SrIxl3>MEiF>&0cD)rle4`J{1udi8)E9S{pbh
zPvWSw9914^*Ychh0xVj8#(37+4B45(3p|TUE+kr4-8IIVAuEE*@3@iWceDnci<D>6
zKmosq#sF$&p*Do%BUt5IvRx(CyM@hw^_5~cTN~=XQpZ-m-<Hi>JsO7|jWh0<H}~65
z26@||7YC@`fMwLvHw>TDq3X#jj+dm2O%iLB(;%hn0h*mQ^VC0`QNa~3!Gy$y`JQFR
z6A_-dB@z)H&KA-`DxF}Oq8H-AERMc*Ox>-<1Fn$q3z##Qfv(nAT{Gnth~yy)XlfNs
zi3lxauH3i78&h8YEbiQ=B2Ts5b!^S0iE&VJzgIq;*O{K{0!k7qx*|?@>PxvF^;iZH
z1UAyy)gD1W3-!R^vLAI{uDe*RMC|02C`@lrK-K~p(xHl=SeAop$Wjk;RFtR^kk&O(
zS`(!&Oq5Qnm5SrKV?M#wcL)Lyl2cb2nWY4w@a#?13>g^Yayk(2i}%_mpiACthGKJv
zY}&e;zm>>WrPn2N5O>)9&{VgrHA%e>k_xo$6DX>2Yr)7@)_B2HaKf6IMBP>4)!s#v
zg|IpaxG)1T=}?^<g^;FV!YfShQlG3qOp+WNleBIOEXnOJbd1G5a9F4u>XP04gBKj$
z1WB%bwkLR@6^11RBxZQhLaWYbY@0`CgKDUCkO{N~P~(m!0tj1UUath8mu|75VV}H;
zqbWI!l>{Y8mMYSw1ZsjebK1~77T2?C5q&vlWiH+JM1(AY=_E-s_0g3{%kfZU2jjja
zB6O7NI)yH_rf=eaiaIvkda7ECD)wqxG8qMBjzSPi%S5b4p)h2poEkBTpt&R~Uzns~
z0@`8(6E?F|9V`i%l7fxxcA9M$df_M%*C+2$5o=HrTH!;&-YXR6;G+h9bkdwJYVe={
zibsz2<HJV{G7Xn=0oTzq)9DL!G81QkH)Y|ZR|v9D1#=K<1*8%@Q%-kG(iYvU&HpkI
zBE)6b(WzgkPGEfeOzX6s<r!Kz@ClPU<eF*oBq*bA{dJ}moi$9~5F(IqAa=0e^6w^l
zxkj~w@$S;fYBeGYGjPb$*|M2rrN-Ql0}Ehe62m~|u>rFy6v2G~3w`G_I4PY3^ViZ6
zY=F2v?+Zem3b08|!2~KSl|6Z%sNHBhVzGipKD=YoF4Wu6$$k_=avJaGQ0ZOr#x(ca
z$KuSJJ3gaQD99yRzoLQ?In#(=u~=<3OsPmi4!@FA4A@F)gjIc&Oh=yW#KTTn8%||-
z1G+d<{#?DP)5hueZO1I4Q`blWP7v2{qNCpFi$eQyzd^{5@+eQ)<v3+>ETXVW4nWZZ
z$n3oBG#Yl$w;Rs>=NSz|zJLqIGqZdEIXFe&!&wP>77?)01#?%qsB}@Dq^<>5wP(HA
zYspNbyE%<iA$`8oS{g!Ghe0qwJ<y(FQ(`YX8H0xh)9I`wNohHlCX$y;P|abv9<*=-
zRb`>Bg$|AVxT>kmmVjJXQzU4Tr5PXcfM&o<x<8E{1G47O<Wcb%49_%!rfU75f6guc
z6Ps4+{KTg9)eh(N1UhAXpBC1fcZGE(tV*lbJF`T2Fg1LPR-sP_bteqXuk0wMy7H84
zAVP`e&^V`~LpvoqAN9sH-KVALU9c--1%Jk62Htj2(MXw&O<0!lKq}%V(hO}K^t)Qc
zeZdcDj@G$Sue&lY%XAIox|0;7AeIC1lR-*VwWjK$SzAOKSv~1IeuM>PFJ|>PUWl0M
z6QyS75a&+2Bvu-yN}&5)GQn1mEmGf%DTktqI(PuVaU07B(rN1>SJQ@bJA;cHPxApY
z*B76B34zsCx`mkQ<PeCI3E3(j?U|!;1F4u<YV^b_nO!BN$=x2>4y>C^6B+?y5-UdS
z_grRX!jhzUq!^S0XGcStWVqcjfmW<wXJ{iVys+7A(MVioDdn2af~E{RY%JfMu)rFN
zif9e0eAoO^tObpj!o?r+5p!G`&*-Qq1gu2bCCTWmV^ID!qN5MG{in?jABrF+&6=Pj
zP2!V}A3ePln;%Jw>>ae*<e%VAX*(J!=A<)mUqzOEawJ{Ju2>3c7{$nP^kcQ(XSS%V
zhl%wPwDNYX;}u4(HixRfK`{o+V5;gXIDCi5{PAN`l^%;c-ICjWW&HVMLY0i@H0BQH
z_6_Tx0ui$U{vD&In2CFqgxWYNZU1pOgwyWs!AwAsN+2Y%4ogxEOL7cE(=|uZMq+w*
zEGBc;smPg(S!7r0ty!rJ)nq(^h{d`s?}}588h35QDWG-+I($(ajB41)=xt~{5%Cov
zf8<PIN3(Zwc5-w{LO-OScOr*90Q(L(I_#a0Uw%A!sT$D6r2d#n+t^#{mAhrD?~u)-
zS1(_l99?d1lgmnFXCQAS|Bq8`o1C2WPDq=aygXJTP+!Rp7q4E-sZPKPI)!j9FzQ%9
zj?b-4v(wv~JH-Czs2>Kbo7+tbg-IDwjv~%^qn=!Xvafk|`0V7YS@~F^K24YZG~;cS
zI#9EFJD6rn&g<s+;m^-c7I)KAAgXkuKmhHUtFC#Do!~oJaZakC4;vdqGIncpbuQh#
z!gI7%@k&a*oBEZ}g`Piud-AXIR~MHj7jKVGdxy`?PTn4${BZd5+2z|8CzlteM?C`~
z<6&xevr?-d*JwM0ns_JoKv-sDiI4>`Vrn>$YAlg^7}FgkapVo}tU%E7o)P9}dGrMm
zbiE8+FGbIjqvuG{gv?6zU&+}1?8u+^%*227G3~McyA<&~^|2)W^TUIO)%dUboz6P`
z^A~wOGze*ahil&KlBT{(QLFE1Oc3d)g@0}|cT{mDPph(G@H-1Ke3zt3Ov^Zv%`W)>
zNZ*`|kzv0%tw;!p2(93Io<;EC5Tc>vlBLDRp-3l9XWxF@sdi=j=Wf-Nt+c$O;`XYp
z2L~ird=@P5UhxE_H}gkX8R@JssA{TI*cp52eahmHrO-vhLkFxlBzX6N$IUM3)P14v
zn{Zs!eET`(nQHerZ`zL^8}7dbepXSl3iRx(ZP2C*Tiq6N_#{<y!QEl)>MmU>TYJuO
zRR+DNE%=7_iZkyQBfz3{UB0$uV7`C>Kp-q8v)O_rL}<_Z4A`*Se)xD!0fQ1R9F!mh
zBG}SFlK+XYI6D9No&eFFSHJ*bQh`IG?(cb<#_AMS**109?QEq&KXJ@5$|Jd)Txo`B
z-WC`L5iuIiAzAwR!0C7{xhmkW<IqYsuGhRF@Hk_mDoL|LKx-1)#!A$3%)^kyv-=m=
zq^9QPE6AMCY^?fo7OZ7pcZ>C&@g?|_qvkGaHxDM&HHFZug@I7Hkt$)nm$1Xj&KIMa
z{K5b$2+G_$j1`c+JfnvC|HscPC%E~aA%RB=%~V>Ts=uEM5KH*~PJ91RHUC5BV4eTz
zi#!!2dq6Wb0!8v^JWQ#~(mVkBOq%f5CJ)S2r$LkCbtTi2tFAgE=xseEKeA{-0GB|U
z0HKME2QEgu;sF`3?3%IID6ff5CDR}}P6Slf(GJnJ3aHOuN_Zw&H1r!R9`TrU$w*{L
z)EJ9Ny&B7C$2F>FDPtyFmi>f@Z+M{QVVZE0+JxddMt6!xjD)nY3MMpt=O^)~@s3TE
zECK1XbZZ_NvnXL{!z;qNdt{i$V6N2g%*-1mraahqdW20VkGhVH=>Ks>(jZ!Krt?NL
zN|}4CU7NQY5W0-M3w9^lsO0ndv(a_^-19S+{@+91fAcKO|Fu`m|8?-Nv(EqdMV^ff
zQlWg9s)I}GM6c-V(P``Gm}Ejk(u7D0n3PQV4XxjQjVgI;!~<MfQ;V<vnY;hZIVD?f
zwYLOk($A7RP=h7=fB#^wGn4;!?_j<Ezr^$5L+b&#;*&1eDi3+Yl$`T)qQDZ2S(iL$
zef-#HsA7!^mgQ+oD3M~Afuq2o_M;(%F%D^b_@J|XG15e2@*NBUcP3x8&?H+S4>Hnx
z$EHov{NdHBrk1W{lWavwCTu=CylATb{!epzn|L2THefg(K6u(@X;}}d3fd5+EIfw9
z#68T5z~j;BC>Hkh2?T1>q24{mK+%|o)mir917^J+J`n#Mo05-(aPQjq+LzkY*O3L)
zY*LVoef;RQ0d~V5z+|OTg~g$HdCmA}oOMa3VLo`Xi#DcdIB(HbS~Jza=Up@GK~*tl
z&+1F&dU;*4bYdN}ztVMEuu`9}NOpZdTS1z*3qH$g;X>h@_>izah!3H0bf0?O@O3q6
z;5!XMHl|Xmh#R+Q6>F4Q)$m>bdmwFz2o3yO;M$k*+pk9=!U~-W#3T_hi!-|x+J2x(
zzFQggPP1kz-`R#q_o<DT(QFdG_;7bZSinMUE3*M2*Mp<j6|SoUfPAY8Av6T^oq{k<
zfWtPqAu*3bHQ-KrcI)Uka$9VYWK(C_+ts2ZNqL+NNs}gtUpA$%mAd2~vgyKZ5ruVZ
zLme7`TU-y`7`pn_Q=_Pyi9|$VH2q0Yobq@~w8C2w^7}*45?Q}L6fJ1^ZBX>~bl<B-
z#rs3V$1Y;5jD??$gB1*%#lID?Zx!5IfNl4NXkX@N!k+HoWOC^2{T)os&RBLXeIfpT
z75Oiq35GnsqXf82|KB;7k^lA|w%79Cmv~l_|6Gy)8Nrey6-mk=35&fM&<T=~NK7Xz
z&iuLiwS-Vkg`%nA<lsXh+2o3)M`DuDl#%9tcl^#nuiYg6k=xEs`GD!#{&Sw0F`0IN
z8j~gjI0rePb=4WLjCP8yU~gB-(<D(Pn=|`!F3DU1AC8{dD+0%q{t6*eM6UGTJ%;0C
zw%VUZ*VfN!&nomE;yvF{_xHEu^nZ7Ew@Uxp4|h9j`u`=KThRZ@aSE|N0UdPozhsnB
z$nLN6g#k-!0>|rQk~$^<c>n0Y%23X4G=2sL2$T@6Xv9Ofi9S&swA)HjsPa-pA?X`?
zWgd?r=0lT~$AoV`0c)AiZ0u*kH=}B|74r$sJob;5;1|{$au$V9Mdwg!x0~CA3{xFp
z=W~s)bBhsn><DLuqW3K>60^<A*^#)@vix_=ip+vwyDTB9!_XRQ+B_H#bW5VNR_%>=
zCM~*Wb94IOB22{4DNWE4(B`3l!*&M}dc$oMq8`u4wTL$}l8sYwji~BFzj~C!Gmapo
z{>~|88`8qm+{1YpNDH363M#3P<#)kjka}mK;7Tks4r}Vqh<c~;XB>yFtviM>YM6GP
zlIE}R`C+g3%d3my9yz(Vcy$3$jBr1iR7c>jYCTWw{&hAvbJN`a!^&9LrxtZfUC&P7
z2K*zw4!LLj;Iqp4uVc7=w)1~)f3JG}?;Wh=zc2FKP5wjEN%Z(7T7xum{Ajd+f0|^A
z;AsOtFNDaN#D9(FqdEVwF~icNIf}%9M&?MFM~%xp*mK%A`GRX^_bKshpT7Cz7B<e)
zwZ+ZHqC!STl~U@>4atN##|rt($9a^rL-wt1!HmeL{${7}bWRPI0@smJhcY++AzS~D
zUC=g`+OEzYrngkS)$4zZ!Rt?9&Frvr6c$iKF2D=N=emL&mIIlKAf280-*&eP^f86-
z_bRwl8kKXJJMY!%!|*<WpXvOi)|Z3s+Bxp=cKK?0cuFuoWcjUMyW-_vjZ)V*sZurl
zCHX=F;X|_JYRjEwwqZT0VChyyTIv{jG5*5t^=e63KIfM8&nC5B<+IB9uWw2|*ZJS+
zbarRX|A%Y;&oA=a;{5-~-W?Sw7Z5e(5><^krZ`g6+50fNpQ}d&TzdIM)RxAWMH63+
z5my&ff$zG`Y=1mfBMLMPac|D*%j;AS-e6j;(bK_JYmZC3Q#66lM65OAzD!u)n}E*l
z^&@7lxeCf9mch1kfBC84y)CHL<n>#BR-ylhCU++POXa`z!-rM+zuVbc)Bi8=+=Bj}
zyiatZDa<yb{r3QE=4;Gc8sim3!2Sc{!67v<thy>`BU;~(EY0J99PGiLeA0vbrKIW2
zUNYezk1)+Nx(wNjyxNO}P>DJH2Ge5bc!n*TfId)W#VSw9RHcdF-{zL>1|ovdfRX0+
zP11bZy!)i61stTRC4b~J;zQ0t#iYYz{l+g0TZi(Q>O+lOk^u{-I)|i~Fyfr#03y&T
zONem?p|vrSIRx?D(x5ti34x-Ne5;P9ZNG6kG}=I&e8>dcbYRajn?MNQ4nYLf;Pq%1
z!@P*t=8DuBPs~S)E2hlc0xQAYz3BWd)*6A8@zoip1qZfLK057KOK)#Iz$zA&TEl*C
zgKTS+?EibuD(An{@%-+}0W3NH_c~So-`)29!P@`hi#)eD|DUs%rRrQke9$DkxWk<h
zFAUxw4cE7gCi7fR-*49G@ycaLQ`28X){uNPNpmu_e^xIb&z<YWN>d&=slG5#Eqy2d
z9Y$g`b@ha$iBsvgMv@V~VzJ>TAT2Z6T-qa#%Z$;`hVIiRiHMm`zUT2!e43x~h8ZIc
z5vDu?E%%DGm@PW_!5ASo0UwfUhM5B(E-Q_y^OovBaqYXx_o~Ngecemd%Q3T`O_E_7
znpH;@hJ2m#*nlzu%^b@!CcRa*p)lvwycBW}H2^9#{gebWGw1gF!VZt-VIGVs;#Ql5
z0oK<qj`F51Ue5|vH{m-rU1<-3ne8WRK{V5S$KaNrx!z~QQ=qRmUT{N#szPS_K-J~g
z4xqNEqZ;TwMIWUS7T4ffaT!tms4BmpNn&oNtg2r%`jqfEWbYT%`Ofyf(2u5q#iq`h
zmHdjImH0o*g!;MozfR|1M*p+FzvlnG$aDMqfA<2ooQS&a_|d2XITMR(UN?$j?eXIj
zSk)My(v_u2-?@o=fs{Ip`=yUHH}_us)%{F0*K4QT<I}~J7SdBbtTa}l@>}c=kmE~5
zwky}Uh9uAC`2Mx|YqME(ZCSA{5coMGn>(BJA@KD*tI+=}i8L#Aw-aCq{cj(%tMY%R
zv$u}_^+ldr(f>GPsU%eAd8wpX()i*p5Jn0_(jhwSfq+33YmWkWH6!HDI|XLDs8Db<
zy;Erei)!Efs^evrMCOYTB1@(wB~n>b+0u1xNGASGC((9&?XSo-WtIJ(XZ%ylKbG=;
z2M=fbKX&)m`~QnPx7h#Z;P=I23<_v+o{m^XsL@6M_AjCUh)P-#9<faCd##wL_&j)V
z+37*Qg*u*jxguSd)3M{*ks7s9{g|P@OMyuyjQcLe_9U3q2OIeK@#%M4@A3f)vIu~q
zLF0KvvdU$C+fYE)`}mP~g8VK;tcc>%<_ABd8TC~O7!vvT@ne(RkO7tK;34t6kOd-S
z+cmnQXE~2TlMe(h=uoXf@dj||x>aC+i)I#LGWCq(Ky&#@RGM-uE#V8O+meVwxB#jC
z0FMyG?doYeHS#23=@FIehncEir#WL6S?!~w6PedqVG22~#1?@s#3$SH3?j7$$lK=p
zR=(`XunPTmU7GH43M{7oyPf@m{VM<Wa2@~a%RINB|F01Zj9zwChdzu9cqHN>y7bNW
zf73MilbrLM-a7Z&+X6?s8lS(ii=7E;Qgy8>!KQ8sHSTrgWvKer!7S_5(p9y)8Ff4|
z`5tG~?mL9}qpqUu@{h=RyEUORbFS6hEx8(ST@Dj?)%PpONMCD&Et!dwg{6+|xgtHi
zSTF#64lL^*i<NZnkU^`yi{{*Ot7efWd6e;_aP2IJzP7TrAvC=O@j-6yG3wiew%BXf
z1%tTylytDCd>OVtRa4pRM%-Jt-Iq^lzWeKhrksX@0=<^)$r7ir-XCA@{wSky**6vz
z;t<l+m03LB#qVkzaA++x1w2ajYVf=IWRYAe5@vQ}rRR!nKw-DjV7($$CwxuW6=&CY
ze;H>y)wm;uWb+?#6Yn(PCes8p`mUH&$q{yjODxUzDcREZbI!mD26F}oPff)|9yu^i
zx0vnH3PEa<IWm$hGGf^gx(UCYS&x$cvLQ$%c73L&TS;3^{pv8D+T|gaD3iLWbTM7v
zuko+3QP})L{u(!D4G88)iT?KDwK9EU`>_5q)Y8cm9Fk4XQ|#71<kRm|VUzh+OeQoA
zeX!-T$Wr`ep*A!9rONj*LDv+wi12JZ^*@owOTS9Y<vihD)AU<V?^%Lcf8|~xs6f38
z$4XO1R->P{VFG4nJmbs{E^rmvWGj~M-M8nL!@MNr{b-i(-1_WSq~7A{YEH8n+jT=l
zJCz-0I=T=ddx2F=Sul~EcdDmCWIs!m)*bJDfeOy)jukys(K+Ym45t`xA)n8FTR3_P
zsJife^Pm<E{9LkhyL9<i8QX2ZRL}n`1W+ApJ{3N7uqlTloQ2jr5IISZW^lI-v5MlW
zA(qqpt#PZU`&qzPH<#t0T!Fe)1dbW;vSv^PiLFWii`;h?o*zzX`p<BLI62!_Jw;?b
z&<+}qm22i$IsepS#F_D}&l2cV50H4|8Rm~F@#DXYSvF>=+l{f!q_U_iQUzF_9HVuc
z$tZk_!>S&(4m(}3Dyvb4J53l}N7bIN)S%w^tF@$4Z<U)coBw<!$>(aVzGGASR@zjb
zwZn9?<K1S&E;U*@dZ&|<+dxOnBb}uzroS4N<GU(vvBmx<mITvhZ{LZbD9Y6?N|kCa
zTEn?I3@58=4VC^B`dl-LD!b%D%EgK*&=vq>#S?8c3|R?E%g?p@f!d<;tyV(%;%D39
zv+OW`&m&G#n}SP;U?B^5$P~c`TC5G!8PS$tdYFq2v)L`1OXeH%wNmDUcWmm3p=Z7=
zI<V&28N<bqwt+UI4Z#wf$9mM}Y^spxxktw08I)~|D{S8!gSpyLPCpgCNZTSWtpygz
zH{_38Wb97tOf3o+#X-tPW34s-&xML<^zCq<dOX@t>nmMcFK^E|YY<LWGxG`fS?y%r
zPIK^~;BlPgFoyVB)g^VtQsFuDs&1F3Q?XNAsgK(>d{4-tDYi4iTOy3%f<75jOhe_3
zTf0!!bpNV3v;Ew)DhYD6%i*?EtN74ud;+PS2YTaiF~jZMas}paj7A2r(grdEi^YvU
zgY#c`MxTXt)a3nNfqnqLI=e9!pe=E?STe)Xm96#aD$SOR=VJEE5mevf{nL?>qT^14
zq%53#!$@2^pZlY2^A%Q0>0GtdB~9HgwX4&F-GSiMik9Cnw#=Q=5{#LH5lLl}yXdf}
z+}9mYVHNwYYnsM99^Kglc&Yzad&d9k(cU`$>lb-$VgL0Dq5+`;k!L#Kdn%$x{hQIz
zBC}tMLAv}U9W4m|dLcx%h|#TW&GnfA{g?GjXc|}ECUF9~ZtJ*|)#$A^BxNJ^{s$h1
zr0J!<{u+M&-Hja6-Ti}Z6GK-1a(MCb^yTv|xhQ5&LYA>W$=_QaKDhmmj~~10jVkl;
z<F>s9j+NjFE)*EQTxO|=N0FlDYMLw#F$xd85<HxRHkcMrlB6O;V{F3WE1rrNJ@dik
z*?K&OB9NuD-bF(3)>vG7nP}zU+mX>Y^mH$t>cw+PHXPrDua%swpIbh2>Ayc_(S$?V
zwNLG1ng7@R?m;#G_uj#yHU0k*&jvZCS;kUy=D_vFu>XUcN08bhp}{+djojEEmt#e$
z@+1*yCW#!gC<4g{^X>6?v_n!B(Trbdd#K_)jl;$UiP;GC=vzt3hWx!&Sd#zR_Q|U_
zni3I1O*JHvu#`kRW`4sz?!E10B4v#Yas&uUULW;H$Wz(yM?7o6e{uK?fAF8Q1^+cK
z#-o<{kNGLD;#SenfClgK1kOI$c;L(Hr18KX(07doel|%O5B|T#26;_WE^<juk56R7
zPg3za3$ljKLq=OzE)~Bw{3{uVkhQ)cia2-wUz{8szc}$H;ivbpc>nJ`>a;8VU!DE^
zb^OOK^K6i3$QPL1aK;BIO{WAx-8CAA<js#Pnv`Gvwq-aA6OUJM7_CesJdmvji@w$P
zw4usugTOjUMGgT)5XVR)Mm!(`mR&PNaP&a1p5JI}Y>>;d|9yPXX!QI2DV;=(kR^&S
ziUZEHtckI0u{{vQbg0KJY5VW}_eMI?%vccwMt9;eMfz{m8T2@ya@_cisNoaa@s#9A
zNHb<j!MKX_Y+Z8IX}sfc*d<3I9`ex(nlvUXqan>G<f&d9jMoWXr1&gTYcfR}M$-I|
zMUf!Ch%^eDIEal6avEor5o|PoNTW=v^Sekw4a{u-rZI~WmP&Fx=E0Z*G`691;4bWn
zMIs?FyVmQWSx~@+nf2c`hXlb;$*JFHJS#0{sRN++Z+^-Lj3$XJT6?G8z;bL?(g^}r
zkIlnRF(iPQN7z1(Nf6~SW2yA<n1ZhehB1|7pl~c>GJ}9uBom2h;*A-m6BF~iV5%?j
zIO7vm9-?BpeJ)ztWb4^a=NH>PIfhXZ^~?H1=9!qlh1}&?j|42u_>c!mpx#k<KLSZg
z%}B%wHPufwUr5A56RS?p``|ofaQi8F#$==6xx?-Fo!##n9?o}H{U9R6UweMr8?cP-
zeUGislunoekwOwih9Zi@HA)nNh`}|#1htYu4thm-1mCoQxZd0vYrqI55D5bV@{kW9
zXFm8m7K7g)hc*Lhqj94~2FXK07Au&rl*~Ri<e14I<)AdG`M&(QAt&z>l*mrwB+u^B
zMB~O=<yo!N=WW5eY21*0eJXTFW81fIDd#$$lWcw=Wc#kRe_86@em!L84t7k_ux7B3
z_4;cXY$C!EU}qq^TIS^1!7fU}T{py)2I~TL2C{$BV1Yci$x2rx5T${9R$8$t6}Z>!
zys!m#jhCm=?U$B&_3XVfFzWk#JZx=HM;Au*Bbv=$JF~S{%$HlYY70jMsD+v5ZiQ5z
zj!s|bxrY<3uGQP1`#qdnU*`Ed19j1Uac0QATCP(a4V}d@PuZ;LG#V9SNCr^BTr+r6
zWLc#;+CDiQl72P6VxMpcx9CMGOw}7^!lbdz+p2g@crO(P4AC@oen$#Cn_m$2PfQG2
zJ_q!Mgj`{(Y{;*I1H4Ud%lFM!!6)9PHwV4lRC|3F#<N-B6ox^J{~|r$!d2?uDKTJw
zhe*cAn^RNmx2+8*lM0b-+xu}0R+Fd9H>*^gl9OL-_NZJr(cSzheXeYF_8`TLg(-l(
zf{pbRYy@|eD=DaE*pK;Ht(HPz0sBE}hTvpsx<5o)I0Qfp%)|KQ@!}4A^q0hoA}>vU
zW)5@H+z^pMHm`nN_K*H;@uIBpb40V%^S#Vlh}#VT=GHGYa8x95NupfZ3_7dh!V0LV
z$?jJ`w7!DpE7%`j!Q&#Q8~(q<bJ!sG)lI5>nU{jv9MGRN8ATr%lyV^a-?l2D<ZD@#
zIw-tj)AAOrO9gN%g!>dIl=A_6!c-UT2&57iX812mCH}%&e<ii_J?f<I7+Ks%6X(U(
z-?lcKvU9d6An0X+7VH1dA7p=FJYMN>k-Zv-*m8%fg;8DrWJf)-a?IrZP7zDW#;_uC
zEb=HMI6ySNHvR7unR`+e<Sfpjsi_>4xVrv#eZ>|lc2DnzpELedNTRoC=$pb^7td<q
zCG`O^HrlJP3ME%G<#3lf8~U|gy*@v{>*9Nz8Q4}vTM4k#CpTo};KK7dF{Ayo7{V5Z
zUl$I_ces-JMs5+l;-h5lbBF7=ulmd=o^N81@VGmAN!Y)FP~4CeLQ4Lrs5NuAt`soV
zk5`LM**A0y^yA>VPg6!jk&rJY0hJ)sPK%qM9mgIAFK$dMNJ7b2TpKd!kWQcU6fgVQ
z4JZ5C)`kf$3-j0}OBS&lj-gPSx?$vWk@*3E$!SJXVC@yZBga&68F&w+*l7yaQ#PXJ
zy)WYZgx&402G2j~S+<PT=yY1(`eh7<KeBS%SoigftBkJJFL~rmMQ&Ke9PpIGA#LDL
z6AMaVvAvPJEjG*^=_Y)aoC!*>#L(pHd6q0!U3@0R9)UrlO9bZKA%7akKWSz&%jE>7
zDQM;bN78<QYC0&bwB!+}W&pT1fE4FU2^|>ii)Y$CR}vBHfL#h#0Z<B49Zyqi-YEDH
zqIa0L<`T6_+&3fad@Ev(yGv@k{ZPPJ=8w1>o_%|H+`r3ZvPJ{aOIW~ZL^!O94909i
zrDN`(8Z2zZQ+=z~Z4gLC)FqgTs6j|rU`W?o1)AbcfM~o5=aNJspcxArgs}H?l0>Xa
zLa60)(P%hk?@PM6D7+Qb&M5Bf-ImSK5RZ8LzR}3&Xj!w^PDV#=GabKk;CH-`4LFUx
zPTNZl_8N^OkD_xC@nGp#0ocPSq1gPnt!O>P;ZWK<jIQZaZW2B$#-U)giLsJ5chG}d
zvJ8r!4quAwJY|x_*(Q!h-%b?+qG?K}4MKRv(A9nMNR7vPG$qmuI>ttb7#73V{rHVW
z$OgFs)d4!s&p-f&3^b4rk<tNSjQBgIz9>{?@3WK=9uGx2L5C~!w~+2yphvwz;lmgh
zNE!!BH#T71#)ic{7qK=<4i#mz*ic}ev&b97S!Ln^ys<%W>Uu=ltzm;W>eylf>39lD
z;bh_rV0q$ZeRP4K;Mi!mxeS+~;PbJN7$dzHU`AexD4(!$O3WQ{Iy5NO^qM<lHj`qr
zscq>)F4Z_C38xC60s3x8E)<a~jkxJG8x0x+Ov)D`WXpzo2qnoxghkkhx#KQ%biru&
zOUg6$3Kl@}|19mS$N$4_(Zl2CywOks*0OfbbzuHMv5;Y@CF{Pk2%Qb;;G%DomIL9s
zK^(wV0I)#-0x;+eaBp<FwK!Y81S`-M9DkO~(v3e_$%<W?>}0B2FOoEOt8JO&&Bnb7
z+tduiJ2pivV4bOhle4;J5IBA@01wDTz(!9eJJb#04t9eO%d@INCOXGYY-&NNU<nge
z1Irbq`bAqsLf};*Su8oYn!;WLhSqf$0uOl{_zsa`!brv^OsWR1X$+fEiP-AjT(T6E
z+li2p4<epTu~*<G#*C+OCQrFvEbay=;$>)1!F$j1>Yc+hQ10#-Mzoa@o<lTAR<DXH
z_$r})<ji`Q6^rrVgL9{#rHUIeIC#k7z=quW__0x%beKfNjD6qNv6fhT)wQuFjkn(U
zVXybgtBYeN*fIzpKcr&PZMZBNg7POey<o%gmj&Q*%?6g{yszGCSHjwqyL`u{3wvB8
z$$tGsy44s#uL^#R4L8vUfVHxr%6os=W+El^h2CE;UtON`{OmoFsX)Y1MC?<tH?`Ye
zHh)vQbB7F0tEMto7LfFlb2-7<oDLO18j3Vf2d9u$ou&hOf-$!uSzxry7*aACu{4vV
zWz(*zK#P@J&tyg>Qytp~@=a8h>S?pNQ-S8wW)pCJvr=@$gcj8fzB60>t!ko@=3;)P
zj)vWLI>DmT%<}At#%Rt70AH6u(ZR#|1d4Tl=-deq9TyOt`vFAfGXSDf4+!IB{8FHs
oXfUQR81cVs9ezWh4%W~5SwHJ%{W#D69{>RV|Cvx^{s3$R05KO~M*si-

literal 0
HcmV?d00001

-- 
GitLab


From e8a045823630b55f67bdb7711f6739cdef7547a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 7 Oct 2020 14:31:40 +0200
Subject: [PATCH 027/162] adding test

---
 chart/templates/tests/test-connection.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 chart/templates/tests/test-connection.yaml

diff --git a/chart/templates/tests/test-connection.yaml b/chart/templates/tests/test-connection.yaml
new file mode 100644
index 00000000..5ca4058f
--- /dev/null
+++ b/chart/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "vs.fullname" . }}-test-connection"
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "vs.fullname" . }}-renderer:{{ .Values.service.port }}']
+  restartPolicy: Never
-- 
GitLab


From c5b598170d00ae39f8194d3a28289e18d0975a8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 7 Oct 2020 14:32:47 +0200
Subject: [PATCH 028/162] fix

---
 chart/templates/renderer-deployment.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/chart/templates/renderer-deployment.yaml b/chart/templates/renderer-deployment.yaml
index 59e9666d..aa45c6d8 100644
--- a/chart/templates/renderer-deployment.yaml
+++ b/chart/templates/renderer-deployment.yaml
@@ -6,9 +6,7 @@ metadata:
     {{- include "vs.labels" . | nindent 4 }}
     app.kubernetes.io/service: renderer
 spec:
-{{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.renderer.replicaCount }}
-{{- end }}
   selector:
     matchLabels:
       {{- include "vs.selectorLabels" . | nindent 6 }}
-- 
GitLab


From 1cbfc9630c1818801ea65a67f892e0c1d9645a6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 7 Oct 2020 14:38:39 +0200
Subject: [PATCH 029/162] fix init-db

---
 chart/templates/init-db-configmap.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chart/templates/init-db-configmap.yaml b/chart/templates/init-db-configmap.yaml
index c012c5c6..a0516d5b 100644
--- a/chart/templates/init-db-configmap.yaml
+++ b/chart/templates/init-db-configmap.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 data:
   init-db.sh: |
-    {{- .Values.initDb }}
+    {{- .Values.initDb | nindent 4 }}
 kind: ConfigMap
 metadata:
   name: {{ include "vs.fullname" . }}-init-db
-- 
GitLab


From d32e91254ee91d20463accc9fe0809885c685f20 Mon Sep 17 00:00:00 2001
From: Bernhard Mallinger <bernhard.mallinger@eox.at>
Date: Wed, 7 Oct 2020 14:54:28 +0200
Subject: [PATCH 030/162] Disable persistence in chart db

---
 chart/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index b748774f..04230e4f 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -57,8 +57,8 @@ config:
 
 database:
   persistence:
-    enabled: true
-    existingClaim: eoepca-rm-db-pvc
+    enabled: false
+    # existingClaim: eoepca-rm-db-pvc
   postgresqlUsername: dbuser
   postgresqlPassword: dbpw
   postgresqlDatabase: dbname
-- 
GitLab


From 93a878e640cd6f4130d093f64b38e1bf9c34815d Mon Sep 17 00:00:00 2001
From: Bernhard Mallinger <bernhard.mallinger@eox.at>
Date: Wed, 7 Oct 2020 15:03:38 +0200
Subject: [PATCH 031/162] Fix volume name confusion

---
 chart/templates/renderer-deployment.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/chart/templates/renderer-deployment.yaml b/chart/templates/renderer-deployment.yaml
index aa45c6d8..36f65516 100644
--- a/chart/templates/renderer-deployment.yaml
+++ b/chart/templates/renderer-deployment.yaml
@@ -87,5 +87,5 @@ spec:
             items:
               - key: init-db.sh
                 path: init-db.sh
-            name: init-db
-          name: {{ include "vs.fullname" . }}-init-db
+            name: {{ include "vs.fullname" . }}-init-db
+          name: init-db
-- 
GitLab


From 43096bc9e05af7028da071517cfbd36e99c4c2bc Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 7 Oct 2020 16:05:55 +0200
Subject: [PATCH 032/162] update client deploy labels

---
 docker-compose.emg.ops.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 9054dbe2..88c5411b 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -135,15 +135,15 @@ services:
         - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-client-redirect.entrypoints=http"
         # router for basic auth based access (https)
-        - "traefik.http.routers.emg-client.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client.middlewares=shibAuth@file,compress@file"
-        - "traefik.http.routers.emg-client.tls=true"
-        - "traefik.http.routers.emg-client.tls.certresolver=default"
-        - "traefik.http.routers.emg-client.entrypoints=https"
+        - "traefik.http.routers.emg-client-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-shib.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.routers.emg-client-shib.tls=true"
+        - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-client-shib.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-client-redirect.entrypoints=http"
+        - "traefik.http.routers.emg-client-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-shib-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-client-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-client.loadbalancer.sticky=false"
         - "traefik.http.services.emg-client.loadbalancer.server.port=80"
-- 
GitLab


From 1233ece3dd7f9c08b7a60658b157c1452f4367cd Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 7 Oct 2020 16:06:05 +0200
Subject: [PATCH 033/162] fix shib internal url

---
 traefik-dynamic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 9b51a489..495ef4eb 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,7 +22,7 @@ http:
           - "***REMOVED***"
     shibAuth:
       forwardAuth:
-        address: http://shib.pdas.prism.eox.at/secure
+        address: http://shibauth/secure
         trustForwardHeader: true
     compress:
       compress: {}
-- 
GitLab


From 87e4a8efcd7f235a4c61667b3e8d3d4bb5e4d160 Mon Sep 17 00:00:00 2001
From: Bernhard Mallinger <bernhard.mallinger@eox.at>
Date: Wed, 7 Oct 2020 16:56:11 +0200
Subject: [PATCH 034/162] Enable postgis in chart

---
 chart/values.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/chart/values.yaml b/chart/values.yaml
index 04230e4f..adfec900 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -63,6 +63,10 @@ database:
   postgresqlPassword: dbpw
   postgresqlDatabase: dbname
   postgresqlPostgresPassword: dbpgpw
+  initdbScripts:
+    enablePostgis.sh: |
+      echo "Enabling postgis"
+      PGPASSWORD="$POSTGRES_POSTGRES_PASSWORD" psql -U postgres -d "${POSTGRES_DB}" -c "CREATE EXTENSION postgis;"
 
 renderer:
   replicaCount: 1
-- 
GitLab


From 14376141e3dd30c71ba1c55f357ddafb7bf42e3d Mon Sep 17 00:00:00 2001
From: Bernhard Mallinger <bernhard.mallinger@eox.at>
Date: Wed, 7 Oct 2020 17:47:39 +0200
Subject: [PATCH 035/162] Fix service name in ingress

---
 chart/templates/ingress.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml
index 05de097d..770ce776 100644
--- a/chart/templates/ingress.yaml
+++ b/chart/templates/ingress.yaml
@@ -33,15 +33,15 @@ spec:
         paths:
           - path: /(ows.*)
             backend:
-              serviceName: renderer
+              serviceName: {{ $fullName }}-renderer
               servicePort: http
           - path: /(opensearch.*)
             backend:
-              serviceName: renderer
+              serviceName: {{ $fullName }}-renderer
               servicePort: http
           - path: /(admin.*)
             backend:
-              serviceName: renderer
+              serviceName: {{ $fullName }}-renderer
               servicePort: http
           # - path: /cache/(.*)
           #   backend:
-- 
GitLab


From 09fbdb4c171e1e2fae97c2bfaf7038a3ebca18a1 Mon Sep 17 00:00:00 2001
From: Bernhard Mallinger <bernhard.mallinger@eox.at>
Date: Wed, 7 Oct 2020 18:15:14 +0200
Subject: [PATCH 036/162] Add client deployment to chart

---
 chart/files/index.html                 | 475 +++++++++++++++++++++++++
 chart/templates/client-configmap.yaml  |   6 +
 chart/templates/client-deployment.yaml |  62 ++++
 chart/templates/client-service.yaml    |  17 +
 chart/values.yaml                      |  11 +
 5 files changed, 571 insertions(+)
 create mode 100644 chart/files/index.html
 create mode 100644 chart/templates/client-configmap.yaml
 create mode 100644 chart/templates/client-deployment.yaml
 create mode 100644 chart/templates/client-service.yaml

diff --git a/chart/files/index.html b/chart/files/index.html
new file mode 100644
index 00000000..23b59e21
--- /dev/null
+++ b/chart/files/index.html
@@ -0,0 +1,475 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
+<meta charset="UTF-8">
+<title>PRISM View Server</title>
+<link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
+<link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
+</head>
+<body>
+<header id="header" style="width: 100%; height:70px;">
+    <h3 style="width:100%;text-align:center;
+    color: #006699;">PRISM View Server (PVS) Client powered by
+    <a href="//eox.at"><img src="//eox.at/wp-content/uploads/2017/09/EOX_Logo.svg" alt="EOX" style="height:25px;margin-left:10px"/></a>
+    </h3>
+</header>
+<div id="app" style="width: 100%; top: 60px; bottom: 0; position: absolute; margin: 0; padding:0;"></div>
+<script src="prism.js"></script>
+<script>
+var baseUrl = '//vhr18-dev.vs.hub.eox.at/';
+var baseUrlsWMTS = [
+    '//vhr18-dev.vs.hub.eox.at/cache/ows/wmts',
+];
+var baseUrlsOws = [
+    '//vhr18-dev.vs.hub.eox.at/ows',
+];
+var config = {
+    "settings": {
+        "rightPanelOpen": true,
+        "leftPanelOpen": false,
+        "leftPanelTabIndex": 0,
+        "tutorial": "once",
+        "uploadEnabled": true,
+        "selectFilesDownloadEnabled": false,
+        "downloadEnabled": true,
+        "searchEnabled" : true,
+        "searchDebounceTime": 500,
+        "language": "en",
+        "timeDomain": [
+            "2017-01-01T00:00:00Z",
+            "2019-12-31T23:59:59Z",
+        ],
+        "constrainTimeDomain": true,
+        "displayTimeDomain": [
+            "2017-01-01T00:00:00Z",
+            "2019-12-31T23:59:59Z",
+        ],
+        "displayInterval": "P1096D",
+        "selectedTimeDomain": [
+            "2018-08-01T00:00:00Z",
+            "2018-08-31T23:59:59Z",
+        ],
+        "selectableInterval": "P1096D",
+        "timeSliderControls": true,
+        "maxTooltips": 1,
+        "center": [12, 49],
+        "zoom": 5,
+        "maxZoom": 17,
+        "footprintFillColor": "rgba(0, 0, 0, 0.2)",
+        "footprintStrokeColor": "rgba(0, 0, 0, 1)",
+        "filterFillColor": "rgba(0, 165, 255, 0)",
+        "filterStrokeColor": "rgba(0, 165, 255, 1)",
+        "filterOutsideColor": "rgba(0, 0, 0, 0.5)",
+        "selectedFootprintFillColor": "rgba(255, 0, 0, 0.2)",
+        "selectedFootprintStrokeColor": "rgba(255, 0, 0, 1)",
+        "highlightFillColor": "rgba(246, 182, 0, 0.5)",
+        "highlightStrokeColor": "rgba(246, 182, 0, 1)",
+        "highlightStrokeWidth": 3,
+        "translations": {
+            "en": {
+                "Cloud Cover": "Cloud coverage (%)",
+                "Error: NoApplicableCode": "Search timed out. Please refine the filter criteria.",
+            }
+        },
+        "filterSettings": {
+            "time": {
+                "hidden": true,
+            }
+        },
+        "downloadFormats": [
+            {
+                "name": "TIFF",
+                "mimeType": "image/tiff"
+            },
+            {
+                "name": "JPEG 2000",
+                "mimeType": "image/jp2"
+            },
+            {
+                "name": "HDF",
+                "mimeType": "application/x-hdf",
+            },
+        ],
+        "downloadProjections": [
+            {
+                "name": "WGS-84",
+                "identifier": "http://www.opengis.net/def/crs/EPSG/0/4326"
+            },
+            {
+                "name": "Web Mercator",
+                "identifier": "http://www.opengis.net/def/crs/EPSG/0/3857"
+            },
+            {
+                "name": "ETRS89 / LAEA Europe",
+                "identifier": "http://www.opengis.net/def/crs/EPSG/0/3035"
+            }
+        ],
+        "downloadInterpolations": [
+            {
+            "name": "Bilinear",
+            "identifier": "http://www.opengis.net/def/interpolation/OGC/1/bilinear"
+            },
+            {
+                "name": "Nearest Neighbour",
+                "identifier": "http://www.opengis.net/def/interpolation/OGC/1/nearest-neighbour"
+            },
+            {
+                "name": "Average",
+                "identifier": "http://www.opengis.net/def/interpolation/OGC/1/average"
+            },
+        ]
+    },
+    "baseLayers": [
+        {
+            "id": "terrain-light",
+            "displayName": "EOX Terrain-Light",
+            "display": {
+                "id": "terrain-light",
+                "visible": true,
+                "protocol": "WMTS",
+                "urls": [
+                    "//a.s2maps-tiles.eu/wmts/",
+                    "//b.s2maps-tiles.eu/wmts/",
+                    "//c.s2maps-tiles.eu/wmts/",
+                    "//d.s2maps-tiles.eu/wmts/",
+                    "//e.s2maps-tiles.eu/wmts/",
+                ],
+                "matrixSet": "WGS84",
+                "format": "image/png",
+                "projection": "EPSG:4326",
+                "style": "default",
+                "attribution": "Terrain-Light { Data &copy; <a href=\"//www.openstreetmap.org/copyright\" target=\"_blank\">OpenStreetMap</a> contributors and <a href='javascript:;' onClick='toggle(terrain_attribution)'>others</a>, Rendering &copy; <a href=\"//eox.at\" target=\"_blank\">EOX</a> }"
+            }
+        }, {
+            "id": "terrain",
+            "displayName": "EOX Terrain",
+            "display": {
+                "id": "terrain",
+                "visible": false,
+                "protocol": "WMTS",
+                "urls": [
+                    "//a.s2maps-tiles.eu/wmts/",
+                    "//b.s2maps-tiles.eu/wmts/",
+                    "//c.s2maps-tiles.eu/wmts/",
+                    "//d.s2maps-tiles.eu/wmts/",
+                    "//e.s2maps-tiles.eu/wmts/"
+                ],
+                "matrixSet": "WGS84",
+                "format": "image/png",
+                "projection": "EPSG:4326",
+                "style": "default",
+                "attribution": "Terrain { Data &copy; <a href=\"//www.openstreetmap.org/copyright\" target=\"_blank\">OpenStreetMap</a> contributors and <a href='javascript:;' onClick='toggle(terrain_attribution)'>others</a>, Rendering &copy; <a href=\"//eox.at\" target=\"_blank\">EOX</a> }"
+            }
+        },  {
+            "id": "s2cloudless",
+            "displayName": "EOX Sentinel-2 cloudless",
+            "display": {
+                "id": "s2cloudless-2018",
+                "visible": false,
+                "protocol": "WMTS",
+                "urls": [
+                    "//a.s2maps-tiles.eu/wmts/",
+                    "//b.s2maps-tiles.eu/wmts/",
+                    "//c.s2maps-tiles.eu/wmts/",
+                    "//d.s2maps-tiles.eu/wmts/",
+                    "//e.s2maps-tiles.eu/wmts/"
+                ],
+                "matrixSet": "WGS84",
+                "format": "image/png",
+                "projection": "EPSG:4326",
+                "style": "default",
+                "attribution": "<a xmlns:dct=\"//purl.org/dc/terms/\" href=\"//s2maps.eu\" property=\"dct:title\">Sentinel-2 cloudless - //s2maps.eu</a> by <a xmlns:cc=\"//creativecommons.org/ns#\" href=\"s://eox.at\" property=\"cc:attributionName\" rel=\"cc:attributionURL\">EOX IT Services GmbH</a> (Contains modified Copernicus Sentinel data 2017 &amp; 2018)"
+            }
+        }
+    ],
+    "layers": [
+        {
+            "id": 'VHR_IMAGE_2018_Level_1',
+            "displayName": 'VHR Image 2018 Level 1',
+            "displayColor": '#eb3700',
+            "display": {
+                "id": 'VHR_IMAGE_2018_Level_1__TRUE_COLOR',
+                "visible": false,
+                "protocol": 'WMTS',
+                "urls": baseUrlsWMTS,
+                "format": 'image/png',
+                "projection": 'EPSG:4326',
+                "matrixSet": "WGS84",
+                "style": 'default',
+                "useMilliseconds": false,
+                "maxZoom": 17,
+                "options": [{
+                    "name": "Style",
+                    "target": "display.extraParameters.LAYERS",
+                    "values": [{
+                    "label": "VHR Image 2018 True Color",
+                    "value": "VHR_IMAGE_2018_Level_1__TRUE_COLOR",
+                    }, {
+                    "label": "VHR Image 2018 True Color with masked validity",
+                    "value": "VHR_IMAGE_2018_Level_1__masked_validity",
+                    }, {
+                    "label": "VHR Image 2018 False Color",
+                    "value": "VHR_IMAGE_2018_Level_1__FALSE_COLOR",
+                    }, {
+                    "label": "VHR Image 2018 NDVI",
+                    "value": "VHR_IMAGE_2018_Level_1__NDVI",
+                    }]
+                }],
+            },
+            "search": {
+                "protocol": "OpenSearch",
+                "url": baseUrl + "opensearch/collections/VHR_IMAGE_2018_Level_1/",
+                "id": "VHR_IMAGE_2018_Level_1",
+                "histogramBinCount": 28,
+                "format": "application/atom+xml",
+                "method": "GET",
+                "histogramThreshold": 600,
+                "lightweightBuckets": true,
+                "searchLimit": 600,
+                "loadMore": 600,
+                "pageSize": 200,
+                "countZeroRecords": true,
+                "parameters": [
+                    {
+                        "type": "eo:sensorMode",
+                        "name": "Sensor",
+                        "title": "Sensor Mode"
+                    },
+                    {
+                        "max": 100,
+                        "min": 0,
+                        "step": 1,
+                        "range": true,
+                        "type": "eo:cloudCover",
+                        "name": "Cloud Coverage",
+                        "title": "Cloud Coverage in percent"
+                    },
+                    {
+                        "max": 360,
+                        "min": 0,
+                        "step": 1,
+                        "range": true,
+                        "type": "eo:acrossTrackIncidenceAngle",
+                        "name": "Offnadir angle",
+                        "title": "Across Track Incidence Angle in degrees"
+                    },
+                    {
+                        "max": 360,
+                        "min": 0,
+                        "step": 1,
+                        "range": true,
+                        "type": "eo:illuminationAzimuthAngle",
+                        "name": "Sun elevation",
+                        "title": "Illumination Azimuth Angle in degrees"
+                    },
+                ],
+                "parametersFilterSettings": {
+                    "collapsed": false,
+                },
+            },
+            "download": {
+                "protocol": "EO-WCS",
+                "url": baseUrl + "ows",
+                // "method": "GET",
+                "rewrite": {
+                // add __coverage to the coverageId
+                "from": "({{id}})",
+                "to": "$1__coverage"
+                }
+            }
+        },
+        {
+            "id": 'VHR_IMAGE_2018_Level_3',
+            "displayName": 'VHR Image 2018 Level 3',
+            "displayColor": '#37eb00',
+            "display": {
+                "id": 'VHR_IMAGE_2018_Level_3__TRUE_COLOR',
+                "visible": true,
+                "protocol": 'WMTS',
+                "urls": baseUrlsWMTS,
+                "format": 'image/png',
+                "projection": 'EPSG:4326',
+                "matrixSet": "WGS84",
+                "style": 'default',
+                "useMilliseconds": false,
+                "maxZoom": 17,
+                "options": [{
+                    "name": "Style",
+                    "target": "display.extraParameters.LAYERS",
+                    "values": [{
+                    "label": "VHR Image 2018 True Color",
+                    "value": "VHR_IMAGE_2018_Level_3__TRUE_COLOR",
+                    }, {
+                    "label": "VHR Image 2018 True Color with masked validity",
+                    "value": "VHR_IMAGE_2018_Level_3__masked_validity",
+                    }, {
+                    "label": "VHR Image 2018 False Color",
+                    "value": "VHR_IMAGE_2018_Level_3__FALSE_COLOR",
+                    }, {
+                    "label": "VHR Image 2018 NDVI",
+                    "value": "VHR_IMAGE_2018_Level_3__NDVI",
+                    }]
+                }],
+            },
+            "search": {
+                "protocol": "OpenSearch",
+                "url": baseUrl + "opensearch/collections/VHR_IMAGE_2018_Level_3/",
+                "id": "VHR_IMAGE_2018_Level_3",
+                "histogramBinCount": 28,
+                "format": "application/atom+xml",
+                "method": "GET",
+                "histogramThreshold": 600,
+                "lightweightBuckets": true,
+                "searchLimit": 600,
+                "loadMore": 600,
+                "pageSize": 200,
+                "countZeroRecords": true,
+                "parameters": [
+                    {
+                        "type": "eo:sensorMode",
+                        "name": "Sensor",
+                        "title": "Sensor Mode"
+                    },
+                    {
+                        "max": 100,
+                        "min": 0,
+                        "step": 1,
+                        "range": true,
+                        "type": "eo:cloudCover",
+                        "name": "Cloud Coverage",
+                        "title": "Cloud Coverage in percent"
+                    },
+                    {
+                        "max": 360,
+                        "min": 0,
+                        "step": 1,
+                        "range": true,
+                        "type": "eo:acrossTrackIncidenceAngle",
+                        "name": "Offnadir angle",
+                        "title": "Across Track Incidence Angle in degrees"
+                    },
+                    {
+                        "max": 360,
+                        "min": 0,
+                        "step": 1,
+                        "range": true,
+                        "type": "eo:illuminationAzimuthAngle",
+                        "name": "Sun elevation",
+                        "title": "Illumination Azimuth Angle in degrees"
+                    },
+                ],
+                "parametersFilterSettings": {
+                    "collapsed": false,
+                },
+            },
+            "download": {
+                "protocol": "EO-WCS",
+                "url": baseUrl + "ows",
+                // "method": "GET",
+                "rewrite": {
+                // add __coverage to the coverageId
+                "from": "({{id}})",
+                "to": "$1__coverage"
+                }
+            }
+        },
+    ],
+    "overlayLayers": [
+        {
+            "id": "overlay_base",
+            "displayName": "EOX Borders and Labels",
+            "display": {
+                "id": "overlay_base",
+                "visible": false,
+                "protocol": "WMTS",
+                "urls": [
+                    "//a.s2maps-tiles.eu/wmts/",
+                    "//b.s2maps-tiles.eu/wmts/",
+                    "//c.s2maps-tiles.eu/wmts/",
+                    "//d.s2maps-tiles.eu/wmts/",
+                    "//e.s2maps-tiles.eu/wmts/"
+                ],
+                "matrixSet": "WGS84",
+                "style": "default",
+                "format": "image/png",
+                "projection": "EPSG:4326",
+                "attribution": "Overlay { Data &copy; <a href=\"//www.openstreetmap.org/copyright\" target=\"_blank\">OpenStreetMap</a> contributors, Rendering &copy; <a href=\"//eox.at\" target=\"_blank\">EOX</a> and <a href=\"//github.com/mapserver/basemaps\" target=\"_blank\">MapServer</a> }"
+            }
+        },
+        {
+            "id": 'VHR_IMAGE_2018_Level_3__outlines',
+            "displayName": 'VHR Image 2018 Level 3 Outlines',
+            "displayColor": '#187465',
+            "display": {
+                "id": 'VHR_IMAGE_2018_Level_3__outlines',
+                "visible": false,
+                "protocol": 'WMS',
+                "urls": baseUrlsOws,
+                "format": 'image/png',
+                "projection": 'EPSG:4326',
+                "style": 'red',
+                "useMilliseconds": false,
+                "maxZoom": 17,
+                "synchronizeTime": true,
+            },
+        },
+        {
+            "id": 'VHR_IMAGE_2018_Level_3__masked_validity__Full',
+            "displayName": 'VHR Image 2018 Level 3 True Color with masked validity Full Coverage',
+            "display": {
+                "id": 'VHR_IMAGE_2018_Level_3__masked_validity__Full',
+                "visible": false,
+                "protocol": 'WMTS',
+                "urls": baseUrlsWMTS,
+                "format": 'image/png',
+                "projection": 'EPSG:4326',
+                "matrixSet": "WGS84",
+                "maxZoom": 17,
+                "synchronizeTime": false,
+                "style": "default",
+            },
+        },
+        {
+            "id": 'VHR_IMAGE_2018_Level_3__Full',
+            "displayName": 'VHR Image 2018 Level 3 True Color Full Coverage',
+            "display": {
+                "id": 'VHR_IMAGE_2018_Level_3__Full',
+                "visible": false,
+                "protocol": 'WMTS',
+                "urls": baseUrlsWMTS,
+                "format": 'image/png',
+                "projection": 'EPSG:4326',
+                "matrixSet": "WGS84",
+                "maxZoom": 17,
+                "synchronizeTime": false,
+                "style": "default",
+            },
+        },
+        {
+            "id": 'VHR_IMAGE_2018_Level_3__FALSE_COLOR__Full',
+            "displayName": 'VHR Image 2018 Level 3 False Color Full Coverage',
+            "display": {
+                "id": 'VHR_IMAGE_2018_Level_3__FALSE_COLOR__Full',
+                "visible": false,
+                "protocol": 'WMTS',
+                "urls": baseUrlsWMTS,
+                "format": 'image/png',
+                "projection": 'EPSG:4326',
+                "matrixSet": "WGS84",
+                "maxZoom": 17,
+                "synchronizeTime": false,
+                "style": "default",
+            },
+        }
+    ]
+};
+
+    var app = new Application({
+    config: config,
+    container: document.getElementById('app'),
+    });
+    app.start();
+</script>
+</body>
+</html>
diff --git a/chart/templates/client-configmap.yaml b/chart/templates/client-configmap.yaml
new file mode 100644
index 00000000..4b130f7e
--- /dev/null
+++ b/chart/templates/client-configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "vs.fullname" . }}-client
+data:
+  {{ (.Files.Glob "files/index.html").AsConfig | nindent 2}}
diff --git a/chart/templates/client-deployment.yaml b/chart/templates/client-deployment.yaml
new file mode 100644
index 00000000..31e8ebd6
--- /dev/null
+++ b/chart/templates/client-deployment.yaml
@@ -0,0 +1,62 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: {{ include "vs.fullname" . }}-client
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+    app.kubernetes.io/service: client
+spec:
+  replicas: {{ .Values.client.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "vs.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/service: client
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "false"
+      labels:
+        {{- include "vs.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/service: client
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-client
+          image: 'registry.gitlab.eox.at/esa/prism/vs/pvs_client:{{ .Values.image.tag | default .Chart.AppVersion }}'
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.client.resources | nindent 12 }}
+          volumeMounts:
+          - mountPath: /usr/share/nginx/html/index.html
+            name: client
+            subPath: index.html
+      {{- with .Values.client.affinity | default .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      - configMap:
+          items:
+          - key: index.html
+            path: index.html
+          name: {{ include "vs.fullname" . }}-client
+        name: client
diff --git a/chart/templates/client-service.yaml b/chart/templates/client-service.yaml
new file mode 100644
index 00000000..587cba40
--- /dev/null
+++ b/chart/templates/client-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "vs.fullname" . }}-client
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+    app.kubernetes.io/service: client
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "vs.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/service: client
diff --git a/chart/values.yaml b/chart/values.yaml
index adfec900..a779f6ca 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -79,6 +79,17 @@ renderer:
       memory: 2Gi
   affinity: {}
 
+client:
+  replicaCount: 1
+  resources:
+    limits:
+      cpu: 0.5
+      memory: 1Gi
+    requests:
+      cpu: 0.1
+      memory: 0.1Gi
+
+
 replicaCount: 1
 
 image:
-- 
GitLab


From 1e6900784570ebae24c2d33825cd5099ccc0a38e Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Thu, 8 Oct 2020 09:18:54 +0200
Subject: [PATCH 037/162] fix traefik auth labels on basicauth access hosts

---
 docker-compose.dem.ops.yml   | 4 ++--
 docker-compose.emg.ops.yml   | 6 +++---
 docker-compose.vhr18.ops.yml | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 46c6a135..af14f652 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -66,7 +66,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.dem-cache.tls=true"
         - "traefik.http.routers.dem-cache.tls.certresolver=default"
         - "traefik.http.routers.dem-cache.entrypoints=https"
@@ -126,7 +126,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-client.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
-        - "traefik.http.routers.dem-client.middlewares=auth@file,compress@file,shibAuth@file"
+        - "traefik.http.routers.dem-client.middlewares=auth@file,compress@file"
         - "traefik.http.routers.dem-client.tls=true"
         - "traefik.http.routers.dem-client.tls.certresolver=default"
         - "traefik.http.routers.dem-client.entrypoints=https"
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 88c5411b..909dab1b 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -14,7 +14,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
         - "traefik.http.routers.emg-renderer.tls=true"
         - "traefik.http.routers.emg-renderer.tls.certresolver=default"
         - "traefik.http.routers.emg-renderer.entrypoints=https"
@@ -66,7 +66,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.emg-cache.tls=true"
         - "traefik.http.routers.emg-cache.tls.certresolver=default"
         - "traefik.http.routers.emg-cache.entrypoints=https"
@@ -126,7 +126,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file,shibAuth@file"
+        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file"
         - "traefik.http.routers.emg-client.tls=true"
         - "traefik.http.routers.emg-client.tls.certresolver=default"
         - "traefik.http.routers.emg-client.entrypoints=https"
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 443001b6..75e0c25a 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -15,7 +15,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer.middlewares=auth@file,compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.vhr18-renderer.middlewares=auth@file,compress@file,cors@file"
         - "traefik.http.routers.vhr18-renderer.tls=true"
         - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
         - "traefik.http.routers.vhr18-renderer.entrypoints=https"
@@ -66,7 +66,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-cache.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.vhr18-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file,shibAuth@file"
+        - "traefik.http.routers.vhr18-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.vhr18-cache.tls=true"
         - "traefik.http.routers.vhr18-cache.tls.certresolver=default"
         - "traefik.http.routers.vhr18-cache.entrypoints=https"
-- 
GitLab


From 59c28d0cd1e25de365ba6d04015628e788839afd Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Thu, 8 Oct 2020 16:27:24 +0200
Subject: [PATCH 038/162] testing emg.pdas.prism.eox.at directly

---
 docker-compose.base.ops.yml |  5 -----
 docker-compose.emg.ops.yml  | 12 +-----------
 2 files changed, 1 insertion(+), 16 deletions(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 807af599..421d65ce 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -52,11 +52,6 @@ services:
         - "traefik.docker.network=shib-extnet"
         - "traefik.docker.lbswarm=true"
         - "traefik.enable=true"
-      # labels:
-      #   - "traefik.enable=true"
-      #   - "traefik.frontend.rule=Host:shib.pdas.prism.eox.at"
-      #   - "traefik.port=80"
-      #   - "traefik.frontend.passHostHeader=true"
     networks:
       - shib-extnet
 volumes:
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 909dab1b..cd0cbafd 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -126,7 +126,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file"
+        - "traefik.http.routers.emg-client.middlewares=shibAuth@file,compress@file"
         - "traefik.http.routers.emg-client.tls=true"
         - "traefik.http.routers.emg-client.tls.certresolver=default"
         - "traefik.http.routers.emg-client.entrypoints=https"
@@ -134,16 +134,6 @@ services:
         - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
         - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-client-redirect.entrypoints=http"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-client-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client-shib.middlewares=shibAuth@file,compress@file"
-        - "traefik.http.routers.emg-client-shib.tls=true"
-        - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
-        - "traefik.http.routers.emg-client-shib.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-client-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client-shib-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-client-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-client.loadbalancer.sticky=false"
         - "traefik.http.services.emg-client.loadbalancer.server.port=80"
-- 
GitLab


From 9e879ebd007ec48af5e6396cefc54a9884fafa89 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Thu, 8 Oct 2020 16:29:48 +0200
Subject: [PATCH 040/162] try https for shibAuth

---
 traefik-dynamic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 495ef4eb..896eaef8 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,7 +22,7 @@ http:
           - "***REMOVED***"
     shibAuth:
       forwardAuth:
-        address: http://shibauth/secure
+        address: https://shibauth/secure
         trustForwardHeader: true
     compress:
       compress: {}
-- 
GitLab


From 24c8bffd85469a2f2f36b1af2e9a550a921c2b55 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Thu, 8 Oct 2020 16:55:34 +0200
Subject: [PATCH 041/162] new test

---
 docker-compose.emg.ops_test.yml | 147 ++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 docker-compose.emg.ops_test.yml

diff --git a/docker-compose.emg.ops_test.yml b/docker-compose.emg.ops_test.yml
new file mode 100644
index 00000000..7b66a1ea
--- /dev/null
+++ b/docker-compose.emg.ops_test.yml
@@ -0,0 +1,147 @@
+version: "3.6"
+services:
+  database:
+    volumes:
+      - type: tmpfs
+        target: /dev/shm
+        tmpfs:
+          size: 536870912
+  renderer:
+    environment:
+      INSTALL_DIR: "/var/www/pvs/ops/"
+      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
+    deploy:
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer.tls=true"
+        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        # router for referrer based access (https)
+        - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer_referer.tls=true"
+        - "traefik.http.routers.emg-renderer_referer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
+        - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
+        - "traefik.docker.network=emg-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+      replicas: 0
+      resources:
+        limits:
+          memory: 8G
+      placement:
+        constraints:
+          - node.labels.type == external
+    networks:
+      - extnet
+  cache:
+    configs:
+      - source: mapcache-ops
+        target: /mapcache-template.xml
+    deploy:
+      labels:
+        - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache.tls=true"
+        - "traefik.http.routers.emg-cache.tls.certresolver=default"
+        - "traefik.http.routers.emg-cache.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-cache-redirect.entrypoints=http"
+        # router for referrer based access (https)
+        - "traefik.http.routers.emg-cache_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache_referer.tls=true"
+        - "traefik.http.routers.emg-cache_referer.tls.certresolver=default"
+        - "traefik.http.routers.emg-cache_referer.entrypoints=https"
+        # router for referrer based access (http)
+        - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
+        - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
+        - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
+        - "traefik.docker.network=emg-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+      replicas: 0
+      resources:
+        limits:
+          memory: 8G
+      placement:
+        constraints:
+          - node.labels.type == external
+    networks:
+      - extnet
+  registrar:
+    environment:
+      INSTALL_DIR: "/var/www/pvs/ops/"
+      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
+    deploy:
+      replicas: 0
+      placement:
+        constraints:
+          - node.labels.type == internal
+  client:
+    configs:
+      - source: client-ops
+        target: /usr/share/nginx/html/index.html
+    deploy:
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.routers.emg-client.tls=true"
+        - "traefik.http.routers.emg-client.tls.certresolver=default"
+        - "traefik.http.routers.emg-client.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-client-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.emg-client.loadbalancer.sticky=false"
+        - "traefik.http.services.emg-client.loadbalancer.server.port=80"
+        - "traefik.docker.network=emg-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+      placement:
+        constraints:
+          - node.labels.type == external
+    networks:
+      - extnet
+  preprocessor:
+    volumes:
+      - type: bind
+        source: /var/vhr
+        target: /tmp
+    deploy:
+      replicas: 0
+      placement:
+        constraints:
+          - node.labels.type == internal
+  sftp:
+    deploy:
+      replicas: 0
+  ingestor:
+    deploy:
+      replicas: 0
+networks:
+  extnet:
+    name: emg-extnet
+    external: true
-- 
GitLab


From 5529378266fe47f3537a9e81e0ecb65db99ad955 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Thu, 8 Oct 2020 20:53:45 +0200
Subject: [PATCH 042/162] add sp-metadata.xml

---
 shibauth/shibboleth-conf/sp-metadata.xml | 84 ++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 shibauth/shibboleth-conf/sp-metadata.xml

diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
new file mode 100644
index 00000000..ef565636
--- /dev/null
+++ b/shibauth/shibboleth-conf/sp-metadata.xml
@@ -0,0 +1,84 @@
+<!--
+This is example metadata only. Do *NOT* supply it as is without review,
+and do *NOT* provide it in real time to your partners.
+ -->
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_39d8816bc1e042f7504211e40505eeef8fbbc87c" entityID="https://shib.pdas.prism.eox.at/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>https://https://shib.pdas.prism.eox.at/shibboleth</ds:KeyName>
+        <ds:KeyName>https://shib.pdas.prism.eox.at</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=https://shib.pdas.prism.eox.at</ds:X509SubjectName>
+          <ds:X509Certificate>MIIEVDCCArygAwIBAgIJANYdDHsBg6ulMA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNV
+BAMTHmh0dHBzOi8vc2hpYi5wZGFzLnByaXNtLmVveC5hdDAeFw0yMDEwMDgxNDI2
+MjBaFw0zMDEwMDYxNDI2MjBaMCkxJzAlBgNVBAMTHmh0dHBzOi8vc2hpYi5wZGFz
+LnByaXNtLmVveC5hdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMKW
+psgoJpT33XXQDzFiWXPkTW8deYIjaRN4iXuVpMa9/RpuQsSTTPCxwFXhp31lgsay
+3DA3WNK5KVCx5ccnLbb5CiuZBrzFFttfzK1LIgf0rieGtpFj0cTEQwfFGM+3T/5p
+cdTi/CyT7xUCGOn6rzU9NjIpQ7Z0DrIkN4vcRbljExMALZwrfg0E00JB/rg7nUga
+Tc5rkM8DuqsvOe9IfRv9ZOe2sDimido13jzhE/Y/NTHtq8qleVxeT42P/hiZlJX4
+rioMtigG7nXmz0/6nfBR3y2tnViWURNF3DXy+7BAKIfTUU5Dy8diFpPVolEuoF3r
+7hK+TMrOjOm+XZ/oyM2AlxiDGHtMMVkVs/m92jewUnyZoOYawCs0O/Eysri302Ve
+e1S7oj67NRB2X/x98iejBYP76Y4ssJvKyYn96M+Va3B+SOfrdMLJwTUZxTQmFMmk
+iJsyCM9b7ZNb745mClkcoTy22HtA0qtcnd/sZJ6ljOCe8RxA9fhFYu+5oO9SHQID
+AQABo38wfTBcBgNVHREEVTBTgh5odHRwczovL3NoaWIucGRhcy5wcmlzbS5lb3gu
+YXSGMWh0dHBzOi8vaHR0cHM6Ly9zaGliLnBkYXMucHJpc20uZW94LmF0L3NoaWJi
+b2xldGgwHQYDVR0OBBYEFOj3ABr8n1Af0GDfg5+aYtGAFM3kMA0GCSqGSIb3DQEB
+CwUAA4IBgQC9jN3ZLU6z6UCngdY16vlPdyMjIdko3/bstXlNWGvAwx0lPmPnV4b5
+ej+4l1vd3S3OAFYUKPJJG8rTInHt2tyYNIjytjIzYnonksdnS/iSlrd38q1FdWH8
+3ny1gyegunJutXqaFLHlBw77oNau8swXSegs/60pgYNNH+eMJbrToeAAM8zGqN1z
+wXh4KWcwHmmH2ozJ468DYnv6I4/U9WydBoXNdQa3cKDv6/g4xfiyS4ByorVmNvOW
+0C6OrCYwucS1CYxbmHk1E9ygIFEeKv1Z29leTIJxUHZXljfg7BDst2I2EfhyQ+fT
+vB7rAipb+M2xckJJrCZJe5skBWsvP5ZcM3FA/GctWnc+5P/CO+2CZkdNFan7NBIx
+focLOwyc7q3iCpqDxBY+EIkVlmSeg8mZdU9B9y0SkJxIcsePwSX8CSaFj5ndBY/T
+aFiImaHsFzO4bZDEdaA0AdeJ5PalOTopbbVYO2FLMfvaXdu+GjDS6PGi/HrSX+P0
+FDXpx00p+0g=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
\ No newline at end of file
-- 
GitLab


From 85d24a59d1d4624e3cbda0fbd950c46a1b50f338 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Thu, 8 Oct 2020 23:53:11 +0200
Subject: [PATCH 043/162] https

---
 shibauth/shibboleth-conf/shibboleth2.xml |  4 ++--
 shibauth/shibboleth-conf/sp-metadata.xml | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index 7bd47635..568b8f4d 100644
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -7,9 +7,9 @@
     <ApplicationDefaults entityID="https://shib.pdas.prism.eox.at/shibboleth"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="false" cookieProps="http">
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
             <SSO entityID="https://samltest.id/saml/idp">
-              SAML2
+              SAML2 
             </SSO>
             <Logout>SAML2 Local</Logout>
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
index ef565636..25280b3d 100644
--- a/shibauth/shibboleth-conf/sp-metadata.xml
+++ b/shibauth/shibboleth-conf/sp-metadata.xml
@@ -25,7 +25,7 @@ and do *NOT* provide it in real time to your partners.
 
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/Login"/>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/Login"/>
     </md:Extensions>
     <md:KeyDescriptor>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -70,15 +70,15 @@ FDXpx00p+0g=
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/Artifact/SOAP" index="1"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/POST"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Artifact"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST" index="1"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/Artifact" index="3"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/ECP" index="4"/>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/ECP" index="4"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>
\ No newline at end of file
-- 
GitLab


From c79249027b5b11bbf04edfb6f810294fadc8e228 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 9 Oct 2020 00:00:34 +0200
Subject: [PATCH 044/162] test

---
 shibauth/etc-httpd/conf.d/shib.conf |  6 ------
 shibauth/etc-httpd/conf.d/sp.conf   | 13 +++++++++++++
 2 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 shibauth/etc-httpd/conf.d/sp.conf

diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
index 758f387c..191c4328 100644
--- a/shibauth/etc-httpd/conf.d/shib.conf
+++ b/shibauth/etc-httpd/conf.d/shib.conf
@@ -5,9 +5,3 @@ UseCanonicalName On
 <Location />
   SetHandler shib
 </Location>
-
-<Location /secure>
-  AuthType shibboleth
-  ShibRequestSetting requireSession 1
-  require shib-session
-</Location>
diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
new file mode 100644
index 00000000..9749dc2b
--- /dev/null
+++ b/shibauth/etc-httpd/conf.d/sp.conf
@@ -0,0 +1,13 @@
+ServerName shib.pdas.prism.eox.at
+
+<VirtualHost *:80>
+    ServerName https://shib.pdas.prism.eox.at:443
+    UseCanonicalName On
+
+    DocumentRoot "/var/www/html"
+    <Location /secure>
+      AuthType shibboleth
+      ShibRequestSetting requireSession 1
+      require shib-session
+    </Location>
+</VirtualHost>
\ No newline at end of file
-- 
GitLab


From 884634f171f18b0dd24f96bb536a81e1d437d8e0 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 9 Oct 2020 00:15:04 +0200
Subject: [PATCH 045/162] change modes for debugging

---
 shibauth/Dockerfile                        | 0
 shibauth/etc-httpd/conf.d/shib.conf        | 0
 shibauth/etc-httpd/conf.d/sp.conf          | 0
 shibauth/index.html                        | 0
 shibauth/shibboleth-conf/attribute-map.xml | 0
 shibauth/shibboleth-conf/idp-metadata.xml  | 0
 shibauth/shibboleth-conf/shibboleth2.xml   | 0
 shibauth/shibboleth-conf/sp-metadata.xml   | 0
 8 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 shibauth/Dockerfile
 mode change 100644 => 100755 shibauth/etc-httpd/conf.d/shib.conf
 mode change 100644 => 100755 shibauth/etc-httpd/conf.d/sp.conf
 mode change 100644 => 100755 shibauth/index.html
 mode change 100644 => 100755 shibauth/shibboleth-conf/attribute-map.xml
 mode change 100644 => 100755 shibauth/shibboleth-conf/idp-metadata.xml
 mode change 100644 => 100755 shibauth/shibboleth-conf/shibboleth2.xml
 mode change 100644 => 100755 shibauth/shibboleth-conf/sp-metadata.xml

diff --git a/shibauth/Dockerfile b/shibauth/Dockerfile
old mode 100644
new mode 100755
diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
old mode 100644
new mode 100755
diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
old mode 100644
new mode 100755
diff --git a/shibauth/index.html b/shibauth/index.html
old mode 100644
new mode 100755
diff --git a/shibauth/shibboleth-conf/attribute-map.xml b/shibauth/shibboleth-conf/attribute-map.xml
old mode 100644
new mode 100755
diff --git a/shibauth/shibboleth-conf/idp-metadata.xml b/shibauth/shibboleth-conf/idp-metadata.xml
old mode 100644
new mode 100755
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
old mode 100644
new mode 100755
diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
old mode 100644
new mode 100755
-- 
GitLab


From 0871f92585164a318b506aac331b275aecb3d242 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 9 Oct 2020 18:35:50 +0200
Subject: [PATCH 046/162] updating current progress

---
 docker-compose.base.ops.yml         | 6 +++---
 shibauth/etc-httpd/conf.d/shib.conf | 2 +-
 shibauth/etc-httpd/conf.d/sp.conf   | 5 ++---
 traefik-dynamic.yml                 | 2 +-
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 421d65ce..56a2e14f 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -19,7 +19,7 @@ services:
     environment:
       HTTP_PROXY: "http://172.30.252.68:3128"
       HTTPS_PROXY: "http://172.30.252.68:3128"
-      NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8"
+      NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8,shibauth"
     deploy:
       placement:
         constraints: [node.role == manager]
@@ -37,13 +37,13 @@ services:
         constraints: [node.role == manager]
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.shibauth.rule=Host(`emg.pdas.prism.eox.at`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
         - "traefik.http.routers.shibauth.tls=true"
         - "traefik.http.routers.shibauth.tls.certresolver=default"
         - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg.pdas.prism.eox.at`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
         - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
index 191c4328..635aa462 100755
--- a/shibauth/etc-httpd/conf.d/shib.conf
+++ b/shibauth/etc-httpd/conf.d/shib.conf
@@ -1,4 +1,4 @@
-ServerName shib.pdas.prism.eox.at
+ServerName emg.pdas.prism.eox.at
 LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
 ShibCompatValidUser Off
 UseCanonicalName On
diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
index 9749dc2b..edfa7e84 100755
--- a/shibauth/etc-httpd/conf.d/sp.conf
+++ b/shibauth/etc-httpd/conf.d/sp.conf
@@ -1,7 +1,5 @@
-ServerName shib.pdas.prism.eox.at
-
 <VirtualHost *:80>
-    ServerName https://shib.pdas.prism.eox.at:443
+    ServerName https://emg.pdas.prism.eox.at:443
     UseCanonicalName On
 
     DocumentRoot "/var/www/html"
@@ -9,5 +7,6 @@ ServerName shib.pdas.prism.eox.at
       AuthType shibboleth
       ShibRequestSetting requireSession 1
       require shib-session
+      RequestHeader set Referer X-Forwarded-Uri env=X-Forwarded-Uri
     </Location>
 </VirtualHost>
\ No newline at end of file
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 896eaef8..495ef4eb 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,7 +22,7 @@ http:
           - "***REMOVED***"
     shibAuth:
       forwardAuth:
-        address: https://shibauth/secure
+        address: http://shibauth/secure
         trustForwardHeader: true
     compress:
       compress: {}
-- 
GitLab


From 239272ffad54e29c9dc199dc43cead751e70bba0 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 9 Oct 2020 18:38:10 +0200
Subject: [PATCH 047/162] add debug loggers

---
 shibauth/shibboleth-conf/native.logger | 41 ++++++++++++++
 shibauth/shibboleth-conf/shibd.logger  | 75 ++++++++++++++++++++++++++
 traefik.yml                            |  2 +-
 3 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 shibauth/shibboleth-conf/native.logger
 create mode 100644 shibauth/shibboleth-conf/shibd.logger

diff --git a/shibauth/shibboleth-conf/native.logger b/shibauth/shibboleth-conf/native.logger
new file mode 100644
index 00000000..d360b124
--- /dev/null
+++ b/shibauth/shibboleth-conf/native.logger
@@ -0,0 +1,41 @@
+# set overall behavior
+log4j.rootCategory=DEBUG, native_log
+
+# fairly verbose for DEBUG, so generally leave at WARN/INFO
+log4j.category.XMLTooling.XMLObject=WARN
+log4j.category.XMLTooling.KeyInfoResolver=WARN
+log4j.category.Shibboleth.IPRange=WARN
+log4j.category.Shibboleth.PropertySet=WARN
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=WARN
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.native_log=org.apache.log4j.RollingFileAppender
+log4j.appender.native_log.fileName=/dev/stdout
+log4j.appender.native_log.maxFileSize=0
+log4j.appender.native_log.maxBackupIndex=0
+log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.native_log.layout.ConversionPattern=sp-native %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.warn_log.fileName=/var/log/shibboleth-www/native_warn.log
+#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+#log4j.appender.warn_log.threshold=WARN
diff --git a/shibauth/shibboleth-conf/shibd.logger b/shibauth/shibboleth-conf/shibd.logger
new file mode 100644
index 00000000..c12b4089
--- /dev/null
+++ b/shibauth/shibboleth-conf/shibd.logger
@@ -0,0 +1,75 @@
+# set overall behavior
+log4j.rootCategory=DEBUG, shibd_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+log4j.ownAppenders.XMLTooling.Signature.Debugger=true
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+log4j.ownAppenders.Shibboleth-TRANSACTION=true
+
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
+log4j.appender.shibd_log.fileName=/dev/stdout
+log4j.appender.shibd_log.maxFileSize=0
+log4j.appender.shibd_log.maxBackupIndex=0
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=sp-shibd %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+#log4j.appender.warn_log.maxFileSize=0
+#log4j.appender.warn_log.maxBackupIndex=0
+#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+#log4j.appender.warn_log.threshold=WARN
+
+log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
+log4j.appender.tran_log.fileName=/dev/stdout
+log4j.appender.tran_log.maxFileSize=0
+log4j.appender.tran_log.maxBackupIndex=0
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=sp-transaction %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/dev/stdout
+log4j.appender.sig_log.maxFileSize=0
+log4j.appender.sig_log.maxBackupIndex=0
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=sp-signature %m
+
diff --git a/traefik.yml b/traefik.yml
index 2986bbf2..4a4135d7 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -19,7 +19,7 @@ providers:
 api:
   dashboard: true
 log:
-  level: WARN
+  level: DEBUG
 accessLog: {}
 certificatesResolvers:
   default:
-- 
GitLab


From 33e32828e996ecea73f0b39eec70b391b1b1c71e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Tue, 13 Oct 2020 14:33:27 +0200
Subject: [PATCH 048/162] fix client ingress

---
 chart/templates/client-deployment.yaml |  2 +-
 chart/templates/ingress.yaml           | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/chart/templates/client-deployment.yaml b/chart/templates/client-deployment.yaml
index 31e8ebd6..ae66fa84 100644
--- a/chart/templates/client-deployment.yaml
+++ b/chart/templates/client-deployment.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "vs.fullname" . }}-client
diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml
index 770ce776..deb7100d 100644
--- a/chart/templates/ingress.yaml
+++ b/chart/templates/ingress.yaml
@@ -43,12 +43,12 @@ spec:
             backend:
               serviceName: {{ $fullName }}-renderer
               servicePort: http
+          - path: /(.*)
+            backend:
+              serviceName: {{ $fullName }}-client
+              servicePort: http
           # - path: /cache/(.*)
           #   backend:
-          #     serviceName: cache
-          #     servicePort: http
-          # - path: /(.*)
-          #   backend:
-          #     serviceName: client
+          #     serviceName: {{ $fullName }}-cache
           #     servicePort: http
     {{- end }}
-- 
GitLab


From fd01235df8c84dbe106a0bf464e14ff190d58a66 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 14 Oct 2020 12:52:11 +0200
Subject: [PATCH 049/162] test change to esa sso

---
 .../shibboleth-conf/idp-metadata-esa-test.xml | 116 ++++++++++++++++++
 ...metadata.xml => idp-metadata_samltest.xml} |   0
 shibauth/shibboleth-conf/shibboleth2.xml      |   4 +-
 3 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100644 shibauth/shibboleth-conf/idp-metadata-esa-test.xml
 rename shibauth/shibboleth-conf/{idp-metadata.xml => idp-metadata_samltest.xml} (100%)

diff --git a/shibauth/shibboleth-conf/idp-metadata-esa-test.xml b/shibauth/shibboleth-conf/idp-metadata-esa-test.xml
new file mode 100644
index 00000000..647078b2
--- /dev/null
+++ b/shibauth/shibboleth-conf/idp-metadata-esa-test.xml
@@ -0,0 +1,116 @@
+<EntityDescriptor entityID="https://umssoidp.cdsv3.eu:443/shibboleth" validUntil="2030-01-01T00:00:00Z"
+                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">esa.int</shibmd:Scope>
+        </Extensions>
+
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+MIIEQjCCAyqgAwIBAgIJAJw83mLahxpQMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
+BAYTAklUMQ4wDAYDVQQIEwVMYXppbzENMAsGA1UEBxMEUm9tZTEZMBcGA1UEChMQ
+Q0RTVjMgQ29uc29ydGl1bTEOMAwGA1UECxMFU3BhY2UxGjAYBgNVBAMTEXVtc3Nv
+aWRwLmNkc3YzLmV1MB4XDTE1MDQwMjE2Mzg1M1oXDTI1MDMzMDE2Mzg1M1owczEL
+MAkGA1UEBhMCSVQxDjAMBgNVBAgTBUxhemlvMQ0wCwYDVQQHEwRSb21lMRkwFwYD
+VQQKExBDRFNWMyBDb25zb3J0aXVtMQ4wDAYDVQQLEwVTcGFjZTEaMBgGA1UEAxMR
+dW1zc29pZHAuY2RzdjMuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCrDTGZEQj7uMw347TnyMac0HnkLY046e/4V+boJBuQsP7Moxh6xHH2qcdS2UbW
+xtSBOUuS/aAz92udzY8wBrKUUvvWKEnyh3v84+kfNYugBp4ZpW7pJbfUh9KjUvWh
+G3LtZfyuRaCdyYF6TKh0K+96IRSpwe5wFXqRev7a6+8fDcTL73cFFBLjDaMFelIz
+szskhsGalXAq5WP20aDog0eiEbf8oTa5NDPY1UZDnwDmF0lNDm4lsYGAv59h+8kU
+ODGmmGVo5zrz7ujcU1sChc9iy9GlGEzekFAoEj6y9fbieyE4Wz6QW4nLeO1YZtjz
+kvOi6yp2raNQSI4hwVEWNDK/AgMBAAGjgdgwgdUwHQYDVR0OBBYEFKXpmub0bNGS
+gtwbyAUqu2kD1e8WMIGlBgNVHSMEgZ0wgZqAFKXpmub0bNGSgtwbyAUqu2kD1e8W
+oXekdTBzMQswCQYDVQQGEwJJVDEOMAwGA1UECBMFTGF6aW8xDTALBgNVBAcTBFJv
+bWUxGTAXBgNVBAoTEENEU1YzIENvbnNvcnRpdW0xDjAMBgNVBAsTBVNwYWNlMRow
+GAYDVQQDExF1bXNzb2lkcC5jZHN2My5ldYIJAJw83mLahxpQMAwGA1UdEwQFMAMB
+Af8wDQYJKoZIhvcNAQEFBQADggEBAGMnf0UOmtKB2VF/TsjG1Lz7fJ48sySGC9R6
+TLy3lbUplogZsIBdt/cc+DP6O6l2z16hDb9B0X9QjJjO1qvM4oQPjlm8dZGCnyFV
+EsstRM9EgOdnFIh16+q6x+u6c2XhnnLDdRsjsP7p53dT+iShgjI448voZDE3DLcs
+b2eQu+iN5rmNfvg6DdaP/+2cvkoMvKL5dF+YRk5KNLn2vHi3Fti6uIpWAfgiICHr
+dadCFX5qVlnadZP9Av35lM4VaDz+5eOFvjl1G+7+yEyaoi/m6gjrgrOI4Mqc1zcu
+DhMOi9NqX4P9LSI1seXUf0feKA5wB+ei7MgqSSpooJc2PEnFyRg=
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+        
+        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                                   Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML1/SOAP/ArtifactResolution" 
+                                   index="1"/>
+
+        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+                                   Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML2/SOAP/ArtifactResolution" 
+                                   index="2"/>
+                                   
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" 
+                             Location="https://umssoidp.cdsv3.eu:443/idp/profile/Shibboleth/SSO" />
+
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
+                             Location="https://umssoidp.cdsv3.eu:443/idp/profile/SAML2/Redirect/SSO" />
+                                   
+        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
+                             Location="https://umssoidp.cdsv3.eu:443/idp/profile/SAML2/Redirect/SLO" 
+                             ResponseLocation="https://umssoidp.cdsv3.eu:443/idp/profile/SAML2/Redirect/SLO"/>
+    </IDPSSODescriptor>
+
+    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">esa.int</shibmd:Scope>
+        </Extensions>
+
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+MIIEQjCCAyqgAwIBAgIJAJw83mLahxpQMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
+BAYTAklUMQ4wDAYDVQQIEwVMYXppbzENMAsGA1UEBxMEUm9tZTEZMBcGA1UEChMQ
+Q0RTVjMgQ29uc29ydGl1bTEOMAwGA1UECxMFU3BhY2UxGjAYBgNVBAMTEXVtc3Nv
+aWRwLmNkc3YzLmV1MB4XDTE1MDQwMjE2Mzg1M1oXDTI1MDMzMDE2Mzg1M1owczEL
+MAkGA1UEBhMCSVQxDjAMBgNVBAgTBUxhemlvMQ0wCwYDVQQHEwRSb21lMRkwFwYD
+VQQKExBDRFNWMyBDb25zb3J0aXVtMQ4wDAYDVQQLEwVTcGFjZTEaMBgGA1UEAxMR
+dW1zc29pZHAuY2RzdjMuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCrDTGZEQj7uMw347TnyMac0HnkLY046e/4V+boJBuQsP7Moxh6xHH2qcdS2UbW
+xtSBOUuS/aAz92udzY8wBrKUUvvWKEnyh3v84+kfNYugBp4ZpW7pJbfUh9KjUvWh
+G3LtZfyuRaCdyYF6TKh0K+96IRSpwe5wFXqRev7a6+8fDcTL73cFFBLjDaMFelIz
+szskhsGalXAq5WP20aDog0eiEbf8oTa5NDPY1UZDnwDmF0lNDm4lsYGAv59h+8kU
+ODGmmGVo5zrz7ujcU1sChc9iy9GlGEzekFAoEj6y9fbieyE4Wz6QW4nLeO1YZtjz
+kvOi6yp2raNQSI4hwVEWNDK/AgMBAAGjgdgwgdUwHQYDVR0OBBYEFKXpmub0bNGS
+gtwbyAUqu2kD1e8WMIGlBgNVHSMEgZ0wgZqAFKXpmub0bNGSgtwbyAUqu2kD1e8W
+oXekdTBzMQswCQYDVQQGEwJJVDEOMAwGA1UECBMFTGF6aW8xDTALBgNVBAcTBFJv
+bWUxGTAXBgNVBAoTEENEU1YzIENvbnNvcnRpdW0xDjAMBgNVBAsTBVNwYWNlMRow
+GAYDVQQDExF1bXNzb2lkcC5jZHN2My5ldYIJAJw83mLahxpQMAwGA1UdEwQFMAMB
+Af8wDQYJKoZIhvcNAQEFBQADggEBAGMnf0UOmtKB2VF/TsjG1Lz7fJ48sySGC9R6
+TLy3lbUplogZsIBdt/cc+DP6O6l2z16hDb9B0X9QjJjO1qvM4oQPjlm8dZGCnyFV
+EsstRM9EgOdnFIh16+q6x+u6c2XhnnLDdRsjsP7p53dT+iShgjI448voZDE3DLcs
+b2eQu+iN5rmNfvg6DdaP/+2cvkoMvKL5dF+YRk5KNLn2vHi3Fti6uIpWAfgiICHr
+dadCFX5qVlnadZP9Av35lM4VaDz+5eOFvjl1G+7+yEyaoi/m6gjrgrOI4Mqc1zcu
+DhMOi9NqX4P9LSI1seXUf0feKA5wB+ei7MgqSSpooJc2PEnFyRg=
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+
+        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
+                          Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML1/SOAP/AttributeQuery" />
+        
+        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+                          Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML2/SOAP/AttributeQuery" />
+        
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+        
+    </AttributeAuthorityDescriptor>
+    
+</EntityDescriptor>    
diff --git a/shibauth/shibboleth-conf/idp-metadata.xml b/shibauth/shibboleth-conf/idp-metadata_samltest.xml
similarity index 100%
rename from shibauth/shibboleth-conf/idp-metadata.xml
rename to shibauth/shibboleth-conf/idp-metadata_samltest.xml
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index 568b8f4d..424920c7 100755
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -8,7 +8,7 @@
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
-            <SSO entityID="https://samltest.id/saml/idp">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
               SAML2 
             </SSO>
             <Logout>SAML2 Local</Logout>
@@ -19,7 +19,7 @@
         </Sessions>
         <Errors supportContact="admin@eox.at"
             helpLocation="/about.html"/>
-        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata-esa-test.xml"/>
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
         <AttributeResolver type="Query" subjectMatch="true"/>
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-- 
GitLab


From 289e44b31a7b7d27a348f56f593781269370a49a Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 14 Oct 2020 13:08:49 +0200
Subject: [PATCH 050/162] update certs with emg url as source

---
 shibauth/shibboleth-conf/shibboleth2.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index 424920c7..e3a18eaf 100755
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -4,7 +4,7 @@
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
-    <ApplicationDefaults entityID="https://shib.pdas.prism.eox.at/shibboleth"
+    <ApplicationDefaults entityID="https://emg.pdas.prism.eox.at/shibboleth"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
-- 
GitLab


From 3c0266a6bcb2faf30b87987eb00f7542dc1eb398 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 14 Oct 2020 13:32:38 +0200
Subject: [PATCH 051/162] fix

---
 shibauth/shibboleth-conf/sp-metadata.xml | 76 ++++++++++++------------
 1 file changed, 38 insertions(+), 38 deletions(-)
 mode change 100755 => 100644 shibauth/shibboleth-conf/sp-metadata.xml

diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
old mode 100755
new mode 100644
index 25280b3d..28a4e91f
--- a/shibauth/shibboleth-conf/sp-metadata.xml
+++ b/shibauth/shibboleth-conf/sp-metadata.xml
@@ -2,7 +2,7 @@
 This is example metadata only. Do *NOT* supply it as is without review,
 and do *NOT* provide it in real time to your partners.
  -->
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_39d8816bc1e042f7504211e40505eeef8fbbc87c" entityID="https://shib.pdas.prism.eox.at/shibboleth">
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_81a5b755d46cba9eb30ea45a18e11e7370ae1462" entityID="https://emg.pdas.prism.eox.at/shibboleth">
 
   <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
     <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
@@ -25,38 +25,38 @@ and do *NOT* provide it in real time to your partners.
 
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/Login"/>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/Login"/>
     </md:Extensions>
     <md:KeyDescriptor>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName>https://https://shib.pdas.prism.eox.at/shibboleth</ds:KeyName>
-        <ds:KeyName>https://shib.pdas.prism.eox.at</ds:KeyName>
+        <ds:KeyName>https://emg.pdas.prism.eox.at</ds:KeyName>
+        <ds:KeyName>https://https://emg.pdas.prism.eox.at/shibboleth</ds:KeyName>
         <ds:X509Data>
-          <ds:X509SubjectName>CN=https://shib.pdas.prism.eox.at</ds:X509SubjectName>
-          <ds:X509Certificate>MIIEVDCCArygAwIBAgIJANYdDHsBg6ulMA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNV
-BAMTHmh0dHBzOi8vc2hpYi5wZGFzLnByaXNtLmVveC5hdDAeFw0yMDEwMDgxNDI2
-MjBaFw0zMDEwMDYxNDI2MjBaMCkxJzAlBgNVBAMTHmh0dHBzOi8vc2hpYi5wZGFz
-LnByaXNtLmVveC5hdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMKW
-psgoJpT33XXQDzFiWXPkTW8deYIjaRN4iXuVpMa9/RpuQsSTTPCxwFXhp31lgsay
-3DA3WNK5KVCx5ccnLbb5CiuZBrzFFttfzK1LIgf0rieGtpFj0cTEQwfFGM+3T/5p
-cdTi/CyT7xUCGOn6rzU9NjIpQ7Z0DrIkN4vcRbljExMALZwrfg0E00JB/rg7nUga
-Tc5rkM8DuqsvOe9IfRv9ZOe2sDimido13jzhE/Y/NTHtq8qleVxeT42P/hiZlJX4
-rioMtigG7nXmz0/6nfBR3y2tnViWURNF3DXy+7BAKIfTUU5Dy8diFpPVolEuoF3r
-7hK+TMrOjOm+XZ/oyM2AlxiDGHtMMVkVs/m92jewUnyZoOYawCs0O/Eysri302Ve
-e1S7oj67NRB2X/x98iejBYP76Y4ssJvKyYn96M+Va3B+SOfrdMLJwTUZxTQmFMmk
-iJsyCM9b7ZNb745mClkcoTy22HtA0qtcnd/sZJ6ljOCe8RxA9fhFYu+5oO9SHQID
-AQABo38wfTBcBgNVHREEVTBTgh5odHRwczovL3NoaWIucGRhcy5wcmlzbS5lb3gu
-YXSGMWh0dHBzOi8vaHR0cHM6Ly9zaGliLnBkYXMucHJpc20uZW94LmF0L3NoaWJi
-b2xldGgwHQYDVR0OBBYEFOj3ABr8n1Af0GDfg5+aYtGAFM3kMA0GCSqGSIb3DQEB
-CwUAA4IBgQC9jN3ZLU6z6UCngdY16vlPdyMjIdko3/bstXlNWGvAwx0lPmPnV4b5
-ej+4l1vd3S3OAFYUKPJJG8rTInHt2tyYNIjytjIzYnonksdnS/iSlrd38q1FdWH8
-3ny1gyegunJutXqaFLHlBw77oNau8swXSegs/60pgYNNH+eMJbrToeAAM8zGqN1z
-wXh4KWcwHmmH2ozJ468DYnv6I4/U9WydBoXNdQa3cKDv6/g4xfiyS4ByorVmNvOW
-0C6OrCYwucS1CYxbmHk1E9ygIFEeKv1Z29leTIJxUHZXljfg7BDst2I2EfhyQ+fT
-vB7rAipb+M2xckJJrCZJe5skBWsvP5ZcM3FA/GctWnc+5P/CO+2CZkdNFan7NBIx
-focLOwyc7q3iCpqDxBY+EIkVlmSeg8mZdU9B9y0SkJxIcsePwSX8CSaFj5ndBY/T
-aFiImaHsFzO4bZDEdaA0AdeJ5PalOTopbbVYO2FLMfvaXdu+GjDS6PGi/HrSX+P0
-FDXpx00p+0g=
+          <ds:X509SubjectName>CN=https://emg.pdas.prism.eox.at</ds:X509SubjectName>
+          <ds:X509Certificate>MIIEUDCCArigAwIBAgIJAJtainQ0t+tRMA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
+BAMTHWh0dHBzOi8vZW1nLnBkYXMucHJpc20uZW94LmF0MB4XDTIwMTAxNDExMjcy
+MFoXDTMwMTAxMjExMjcyMFowKDEmMCQGA1UEAxMdaHR0cHM6Ly9lbWcucGRhcy5w
+cmlzbS5lb3guYXQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDKkqzn
+QsDnXSa+BHA10ZVkvw/PBfJVsby1C+zazCo32GpIHv5P+RFZj3FoC+N+gYatqijZ
+57flt93krtqO/l/RrEosxwpWCXc54qXcFrPrlfXFr51dOW/BH6z1wpW9z67Pkr2M
+v8Jqgs0t/k8BFlZ2jmiAZGrG+G+DrCefiy9JuKwBSiVh7Tg5P31fZv0qliNKwo5k
+EbkeUuVrAvuNFV9NPdl35aevYZ0Mxy5N+/AbaaZScfmRnlTsRdHXL/k5anIceqk3
+k+qA1cHEXXqD7WtfQN4GQh9Oxqng//PBcH/9oe2h5axrkcw8YCC22YXp/OST4isk
+lL1noCuRYPluvVDFqrh6z9S94QFuO3PdUckl7S7Gsty6X0MSYPYpBFZgivalIena
+2vLC3sn5AGLrm3xmp4Io/iD0UtpnHHypCRghr8GE/yiZKPtq8bEk5d/NWMRgT5Ef
+t77vZByeDxgN0Pl5gf8WtN0yKSPauxS3llNy9UFfoQP9OGV3FjzOo3DGuTUCAwEA
+AaN9MHswWgYDVR0RBFMwUYIdaHR0cHM6Ly9lbWcucGRhcy5wcmlzbS5lb3guYXSG
+MGh0dHBzOi8vaHR0cHM6Ly9lbWcucGRhcy5wcmlzbS5lb3guYXQvc2hpYmJvbGV0
+aDAdBgNVHQ4EFgQUzMF2sJVjzVscd6vLPMLWx2gD4uEwDQYJKoZIhvcNAQELBQAD
+ggGBAIFFdjkcQyTWx30mwuJON4Bfi0IjBXyQ7YnbvB36sk9ohaPBz4uU1wKl5In+
+c/usuBgHS9JsBm2JIwnLKko6dS8h79pMnY8rDZxBxAPHkTUwTvzMraWHNXhblO9U
+Oqp2NJqy4hyV1OzDWM5yYHiTSZIOewDS8inUvoDwUSYgQr9fSKljUmeI0In9f6wf
+vvHA4hQQHVGYMNPO+rvpw8XeWZ8e+HdSxSM1RcL1m29s42HdycXTsmh4ghex4u16
+XvHNMGojW6ih0Oja69PKCraaLTUHPRjxwqx1ipaNbK/1pT7DPnLXHNGIOFW2JE9e
+XIi3xy/d+C2Z/Ejwt4Xd+FVA9mhhbLkss7YI+SMJi73e31//sBiKOXBT1yBv8l0n
+xTJsPmg2dbWQvNuJ89UIH8yPffcxdbT0xohgOiek+hBxZj0UU1ZSV5q2/X9aPKGZ
+PMQ/PFgQJvdjegNZPupgBspcNlvYsdtln9vvyXWoNsNioSa6Uvntb8KEHnnh035S
+VorGcA==
 </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
@@ -70,15 +70,15 @@ FDXpx00p+0g=
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/Artifact/SOAP" index="1"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/POST"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SLO/Artifact"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST" index="1"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/Artifact" index="3"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/ECP" index="4"/>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/ECP" index="4"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>
\ No newline at end of file
-- 
GitLab


From d803c8ea8a08473c5ab851a196a283fd74db9c07 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 20 Oct 2020 13:35:47 +0200
Subject: [PATCH 052/162] Initial implementation of modular registrar

---
 core/registrar/__init__.py   |   0
 core/registrar/backend.py    | 138 ++++++++++++++++++++++
 core/registrar/context.py    |  13 +++
 core/registrar/exceptions.py |   4 +
 core/registrar/registrar.py  |  52 +++++++++
 core/registrar/scheme.py     |  99 ++++++++++++++++
 core/registrar/source.py     | 214 +++++++++++++++++++++++++++++++++++
 core/registrar/utils.py      |   0
 core/registrar/xml.py        |  37 ++++++
 9 files changed, 557 insertions(+)
 create mode 100644 core/registrar/__init__.py
 create mode 100644 core/registrar/backend.py
 create mode 100644 core/registrar/context.py
 create mode 100644 core/registrar/exceptions.py
 create mode 100644 core/registrar/registrar.py
 create mode 100644 core/registrar/scheme.py
 create mode 100644 core/registrar/source.py
 create mode 100644 core/registrar/utils.py
 create mode 100644 core/registrar/xml.py

diff --git a/core/registrar/__init__.py b/core/registrar/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/core/registrar/backend.py b/core/registrar/backend.py
new file mode 100644
index 00000000..b20c0396
--- /dev/null
+++ b/core/registrar/backend.py
@@ -0,0 +1,138 @@
+import os
+import re
+import sys
+import logging
+
+import django
+from django.db import transaction
+from django.contrib.gis.geos import GEOSGeometry
+from eoxserver.resources.coverages import models
+from eoxserver.resources.coverages.registration.product import ProductRegistrator
+from eoxserver.resources.coverages.registration.browse import BrowseRegistrator
+from eoxserver.resources.coverages.registration.mask import MaskRegistrator
+from eoxserver.resources.coverages.registration.registrators.gdal import GDALRegistrator
+
+from .exceptions import RegistrationError
+from .context import Context
+from .source import Source
+
+
+logger = logging.getLogger(__name__)
+
+class RegistrationResult:
+    pass
+
+
+class Backend:
+    def register_item(self, item: Context) -> RegistrationResult:
+        raise NotImplementedError
+
+
+class EOxServerBackend(Backend):
+    def __init__(self, instance_base_path: str, instance_name: str, mapping: dict, simplify_footprint_tolerance: int=None):
+        self.mapping = mapping
+        self.simplify_footprint_tolerance = simplify_footprint_tolerance
+        path = os.path.join(instance_base_path, instance_name)
+        if path not in sys.path:
+            sys.path.append(path)
+
+        os.environ.setdefault("DJANGO_SETTINGS_MODULE", f"{instance_name}.settings") # TODO: from config
+        django.setup()
+
+    def exists(self, source: Source, item: Context):
+        return models.Product.objects.filter(identifier=item.itentifier).exists()
+
+    def _get_storage_from_source(self, source: Source) -> list:
+        return []
+
+    @transaction.atomic
+    def register(self, source: Source, item: Context, replace: bool) -> RegistrationResult:
+        # get the mapping for this particular item
+        mapping = self.mapping.get(item.product_type, {}).get(item.level_name)
+        metadata_file = item.metadata_files[0]
+
+        storage = self._get_storage_from_source(source)
+
+        try:
+            models.ProductType.objects.get(name=item['product_type_name'])
+        except models.ProductType.DoesNotExist:
+            pass
+
+        product, _ = ProductRegistrator().register(
+            metadata_locations=[storage + [metadata_file]],
+            type_name=item['product_type_name'],
+            replace=replace,
+            extended_metadata=True,
+            mask_locations=None,
+            package_path=None,
+            simplify_footprint_tolerance=self.simplify_footprint_tolerance,
+            overrides=item.metadata,
+        )
+        if product.footprint.empty:
+            raise RegistrationError("No footprint was extracted. full product: %s" % product)
+
+        # insert the product in the to be associated collections
+        for collection_id in mapping.get('collections', []):
+            collection = models.Collection.objects.get(
+                identifier=collection_id,
+            )
+            models.collection_insert_eo_object(collection, product)
+
+        # register coverages and link them to the product
+        for raster_identifier, coverage_type_name in mapping.get('coverages', {}).items():
+            raster_item = item.raster_files.get(raster_identifier)
+
+            report = GDALRegistrator().register(
+                data_locations=[storage + [raster_item]],
+                metadata_locations=[storage + [metadata_file]],
+                coverage_type_name=coverage_type_name,
+                overrides={
+                    "identifier": f'{product.identifier}__{raster_identifier}__coverage',
+                    "footprint": None,
+                },
+                replace=replace,
+            )
+            logger.debug("Adding coverage to product")
+            models.product_add_coverage(product, report.coverage)
+
+        # register browses
+        for raster_identifier, browse_type_name in mapping.get('browses', {}):
+            raster_item = item.raster_files.get(raster_identifier)
+            BrowseRegistrator().register(
+                product.identifier,
+                storage + [raster_item],
+                browse_type_name,
+            )
+
+        # register masks
+        for mask_identifier, mask_type_name in mapping.get('masks', {}):
+            mask_item = item.mask_files.get(mask_identifier)
+            MaskRegistrator().register(
+                product.identifier,
+                storage + [mask_item],
+                mask_type_name,
+            )
+
+
+BACKENDS = {
+    'eoxserver': EOxServerBackend
+}
+
+def get_backend(config: dict, path: str) -> Backend:
+    cfg_backends = config['backends']
+
+    for cfg_backend in cfg_backends:
+        if cfg_backend['filter']:
+            if re.match(cfg_backend['filter'], path):
+                break
+        else:
+            break
+    else:
+        # no source found
+        raise RegistrationError(f'Could not find a suitable backend for the path {path}')
+
+    return BACKENDS[cfg_backend['type']](
+        *cfg_backend.get('args', []),
+        **cfg_backend.get('kwargs', {}),
+    )
+
diff --git a/core/registrar/context.py b/core/registrar/context.py
new file mode 100644
index 00000000..81ded127
--- /dev/null
+++ b/core/registrar/context.py
@@ -0,0 +1,13 @@
+from dataclasses import dataclass, field
+
+
+@dataclass
+class Context:
+    identifier: str
+    product_type: str = None
+    product_level: str = None
+    metadata: dict = field(default_factory=dict)
+    raster_files: dict = field(default_factory=dict)
+    metadata_files: dict = field(default_factory=dict)
+    masks: dict = field(default_factory=dict)
+    mask_files: dict = field(default_factory=dict)
diff --git a/core/registrar/exceptions.py b/core/registrar/exceptions.py
new file mode 100644
index 00000000..81a2e41e
--- /dev/null
+++ b/core/registrar/exceptions.py
@@ -0,0 +1,4 @@
+
+
+class RegistrationError(Exception):
+    pass
diff --git a/core/registrar/registrar.py b/core/registrar/registrar.py
new file mode 100644
index 00000000..53e2379e
--- /dev/null
+++ b/core/registrar/registrar.py
@@ -0,0 +1,52 @@
+import re
+
+from .source import get_source
+from .exceptions import RegistrationError
+
+
+
+def register(config, path):
+    # TODO: select registration scheme (config, path)
+    source = get_source(config, path)
+    scheme = select_registation_scheme(config, path)
+    context = scheme.get_context(source, path)
+
+    for pre_handler in get_pre_handlers(config):
+        pre_handler(config, path, context)
+
+    for backend in get_backends(config):
+        if backend.exists(source, context):
+            if config.replace:
+                backend.register(source, context, replace=True)
+            else:
+                raise RegistrationError(f'Object {context} is already registered')
+        else:
+            backend.register(source, context, replace=False)
+
+    for post_handler in get_post_handlers(config):
+        post_handler(config, path, context)
+
+
+def select_registation_scheme(config, path):
+    cfg_schemes = config['schemes']
+    for cfg_scheme in cfg_schemes:
+        if cfg_scheme['filter']:
+            if re.match(cfg_scheme['filter'], path):
+                break
+        else:
+            break
+    else:
+        # no source found
+        raise RegistrationError(f'Could not find a suitable scheme for the path {path}')
+
+
+def get_pre_handlers(config):
+    pass
+
+
+def get_post_handlers(config):
+    pass
+
+
+def get_backends(config):
+    pass
diff --git a/core/registrar/scheme.py b/core/registrar/scheme.py
new file mode 100644
index 00000000..d68a911a
--- /dev/null
+++ b/core/registrar/scheme.py
@@ -0,0 +1,99 @@
+import re
+
+from os.path import join
+
+from .xml import read_xml, parse_metadata_schema, Parameter
+from .context import Context
+from .exceptions import RegistrationError
+
+
+class RegistrationScheme:
+    def __init__(self, source, path):
+        self.source = source
+        self.path = path
+
+    def get_context(self):
+        raise NotImplementedError
+
+
+
+
+class Sentinel2RegistrationScheme(RegistrationScheme):
+    MTD_TL_SCHEMA = {
+        'begin_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_START_TIME/text()', False, parse_datetime),
+        'end_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_STOP_TIME/text()', False, parse_datetime),
+        'identifier': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_URI/text()'),
+        'level': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PROCESSING_LEVEL/text()'),
+        'type': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_TYPE/text()'),
+        'generation_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/GENERATION_TIME/text()', False, parse_datetime),
+        'cloud_cover': Parameter('/n1:Level-2A_User_Product/n1:Quality_Indicators_Info/Cloud_Coverage_Assessment'),
+        'image_file_paths': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/Product_Organisation/Granule_List/Granule/IMAGE_FILE/text()', True),
+        'mask_file_paths': Parameter('/n1:Level-2A_Tile_ID/n1:Quality_Indicators_Info/Pixel_Level_QI/MASK_FILENAME', True),
+    }
+
+    S2_NAMESPACES = {
+        'n1': "https://psd-14.sentinel2.eo.esa.int/PSD/User_Product_Level-2A.xsd"
+    }
+
+    def get_context(self):
+        metadata_file = join(self.path, 'MTD_TL.xml')
+        mtd_tree = read_xml(self.source, metadata_file)
+
+        # get MTD metadata
+
+        metadata = parse_metadata_schema(mtd_tree, self.MTD_TL_SCHEMA, self.S2_NAMESPACES)
+
+        band_re = re.compile(r'.*([A-Z0-9]{3})_([0-9]{2}m)$')
+        raster_files = {
+            band_re.match(image_file_path).groups()[0]: f'{join(self.path, image_file_path)}.jp2'
+            for image_file_path in metadata['image_file_paths']
+        }
+
+        mask_type_re = re.compile(r'.*/MSK_([A-Z]*)_([A-Z0-9]{3}).[a-z0-9]+$')
+        mask_files = {
+            mask_type_re.match(mask_file_path).groups[0]: mask_file_path
+            for mask_file_path in metadata['mask_file_paths']
+        }
+
+        return Context(
+            identifier=metadata['identifier'],
+            raster_files=raster_files,
+            mask_files=mask_files,
+            metadata_files=[metadata_file],
+            metadata={
+                'begin_time': metadata['begin_time'],
+                'end_time': metadata['end_time'],
+                'generation_time': metadata['generation_time'],
+                'cloud_cover': metadata['cloud_cover'],
+            }
+        )
+
+
+
+class GSCRegistrationScheme(RegistrationScheme):
+    pass
+
+
+REGISTRATION_SCHEMES = {
+    'gsc': GSCRegistrationScheme,
+    'sentinel-2': Sentinel2RegistrationScheme,
+}
+
+def get_scheme(config: dict, path: str) -> RegistrationScheme:
+    cfg_schemes = config['schemes']
+
+    for cfg_scheme in cfg_schemes:
+        if cfg_scheme['filter']:
+            if re.match(cfg_scheme['filter'], path):
+                break
+        else:
+            break
+    else:
+        # no source found
+        raise RegistrationError(f'Could not find a suitable scheme for the path {path}')
+
+    return REGISTRATION_SCHEMES[cfg_scheme['type']](
+        *cfg_scheme.get('args', []),
+        **cfg_scheme.get('kwargs', {}),
+    )
+
diff --git a/core/registrar/source.py b/core/registrar/source.py
new file mode 100644
index 00000000..2230ee2a
--- /dev/null
+++ b/core/registrar/source.py
@@ -0,0 +1,214 @@
+import re
+from os.path import normpath, join, isabs
+import shutil
+from glob import glob
+from fnmatch import fnmatch
+
+import boto3
+from swiftclient.multithreading import OutputManager
+from swiftclient.service import SwiftError, SwiftService
+
+
+class RegistrationError(Exception):
+    pass
+
+
+class Source:
+    def list_files(self, path, glob_pattern=None):
+        raise NotImplementedError
+
+    def get_file(self, path, target_path):
+        raise NotImplementedError
+
+    def get_vsi_env_and_path(self, path):
+        raise NotImplementedError
+
+
+class SwiftSource(Source):
+    def __init__(self, username=None, password=None, tenant_name=None,
+                 tenant_id=None, region_name=None, user_domain_id=None,
+                 user_domain_name=None, auth_url=None, auth_version=None,
+                 container=None):
+        self.username = username
+        self.password = password
+        self.tenant_name = tenant_name
+        self.tenant_id = tenant_id
+        self.region_name = region_name
+        self.user_domain_id = user_domain_id
+        self.user_domain_name = user_domain_name
+        self.auth_url = auth_url
+        self.auth_version = auth_version  # TODO: assume 3
+        self.container = container
+
+    def get_service(self):
+        return SwiftService(options={
+            "os_username": self.username,
+            "os_password": self.password,
+            "os_tenant_name": self.tenant_name,
+            "os_tenant_id": self.tenant_id,
+            "os_region_name": self.region_name,
+            "os_auth_url": self.auth_url,
+            "auth_version": self.auth_version,
+            "os_user_domain_id": self.user_domain_id,
+            "os_user_domain_name": self.user_domain_name,
+        })
+
+    def get_container_and_path(self, path: str):
+        container = self.container
+        if container is None:
+            parts = (path[1:] if path.startswith('/') else path).split('/')
+            container, path = parts[0], parts[1:].join('/')
+
+        return container, path
+
+
+    def list_files(self, path, glob_pattern=None):
+        container, path = self.get_container_and_path(path)
+
+        with self.get_service() as swift:
+            pages = swift.list(
+                container=container,
+                options={"prefix": path},
+            )
+
+            filenames = []
+            for page in pages:
+                if page["success"]:
+                    # at least two files present -> pass validation
+                    for item in page["listing"]:
+                        if glob_pattern is None or fnmatch(item['name'], glob_pattern):
+                            filenames.append(item['name'])
+                else:
+                    raise page['error']
+
+            return filenames
+
+    def get_file(self, path, target_path):
+        container, path = self.get_container_and_path(path)
+
+        with self.get_service() as swift:
+            results = swift.download(
+                container,
+                [path],
+                options={
+                    'out_file': target_path
+                }
+            )
+
+            for result in results:
+                if not result["success"]:
+                    raise Exception('Failed to download %s' % path)
+
+    def get_vsi_env_and_path(self, path):
+        container, path = self.get_container_and_path(path)
+        return {
+            'OS_IDENTITY_API_VERSION': self.auth_version,
+            'OS_AUTH_URL': self.auth_url,
+            'OS_USERNAME': self.username,
+            'OS_PASSWORD': self.password,
+            'OS_USER_DOMAIN_NAME': self.user_domain_name,
+            # 'OS_PROJECT_NAME': self.tena,
+            # 'OS_PROJECT_DOMAIN_NAME': ,
+            'OS_REGION_NAME': self.region_name,
+        }, f'/vsiswift/{container}/{path}'
+
+
+class S3Source(Source):
+    def __init__(self, bucket_name=None, secret_access_key=None, access_key_id=None, endpoint_url=None, **client_kwargs):
+        # see https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html#boto3.session.Session.client
+        # for client_kwargs
+        self.bucket_name = bucket_name
+        self.secret_access_key=secret_access_key
+        self.access_key_id=access_key_id
+        self.endpoint_url = endpoint_url
+
+        self.client = boto3.client(
+            's3',
+            aws_secret_access_key=secret_access_key,
+            aws_access_key_id=access_key_id,
+            endpoint_url=endpoint_url,
+            **client_kwargs,
+        )
+
+    def get_bucket_and_key(self, path: str):
+        container = self.bucket_name
+        if container is None:
+            parts = (path[1:] if path.startswith('/') else path).split('/')
+            container, path = parts[0], parts[1:].join('/')
+
+        return container, path
+
+    def list_files(self, path, glob_pattern=None):
+        bucket, key = self.get_bucket_and_key(path)
+        response = self.client.list_objects_v2(
+            Bucket=bucket,
+            Prefix=key,
+        )
+
+        return [
+            item['Key']
+            for item in response['Contents']
+            if glob_pattern is None or fnmatch(item['Key'], glob_pattern)
+        ]
+
+    def get_file(self, path, target_path):
+        bucket, key = self.get_bucket_and_key(path)
+        self.client.download_file(bucket, key, target_path)
+
+    def get_vsi_env_and_path(self, path: str, streaming: bool=False):
+        bucket, key = self.get_bucket_and_key(path)
+        return {
+            'AWS_SECRET_ACCESS_KEY': self.secret_access_key,
+            'AWS_ACCESS_KEY_ID': self.access_key_id,
+            'AWS_S3_ENDPOINT': self.endpoint_url,
+        }, f'/{"vsis3" if not streaming else "vsis3_streaming"}/{bucket}/{key}'
+
+
+class LocalSource(Source):
+    def __init__(self, root_directory):
+        self.root_directory = root_directory
+
+    def _join_path(self, path):
+        path = normpath(path)
+        if isabs(path):
+            path = path[1:]
+
+        return join(self.root_directory, path)
+
+    def list_files(self, path, glob_pattern=None):
+        if glob_pattern is not None:
+            return glob(join(self._join_path(path), glob_pattern))
+        else:
+            return glob(join(self._join_path(path), '*'))
+
+    def get_file(self, path, target_path):
+        shutil.copy(self._join_path(path), target_path)
+
+    def get_vsi_env_and_path(self, path):
+        return {}, self._join_path(path)
+
+
+SOURCE_TYPES = {
+    'swift': SwiftSource,
+    's3': S3Source,
+    'local': LocalSource,
+}
+
+
+def get_source(config: dict, path: str) -> Source:
+    cfg_sources = config['sources']
+
+    for cfg_source in cfg_sources:
+        if cfg_source['filter']:
+            if re.match(cfg_source['filter'], path):
+                break
+        else:
+            break
+    else:
+        # no source found
+        raise RegistrationError(f'Could not find a suitable source for the path {path}')
+
+    return SOURCE_TYPES[cfg_source['type']](
+        *cfg_source.get('args', []),
+        **cfg_source.get('kwargs', {})
+    )
diff --git a/core/registrar/utils.py b/core/registrar/utils.py
new file mode 100644
index 00000000..e69de29b
diff --git a/core/registrar/xml.py b/core/registrar/xml.py
new file mode 100644
index 00000000..4a088b26
--- /dev/null
+++ b/core/registrar/xml.py
@@ -0,0 +1,37 @@
+from tempfile import NamedTemporaryFile
+from dataclasses import dataclass, field
+from typing import Union, Type, Optional, List, Callable, Any
+
+import lxml.etree
+
+from .source import Source
+
+
+def read_xml(source: Source, path: str) -> lxml.etree._ElementTree:
+    with NamedTemporaryFile() as f:
+        source.get_file(path, f.name)
+        return lxml.etree.parse(f)
+
+@dataclass
+class Parameter:
+    xpath: str
+    multi: bool = False
+    parser: Optional[Callable[[str], Any]] = None
+    namespaces: dict = field(default_factory=dict)
+
+
+def parse_metadata_schema(tree: lxml.etree._ElementTree, schema: dict, namespaces: dict=None) -> dict:
+    out = {}
+    for key, param in schema.items():
+        values = tree.xpath(param.xpath, namespaces=param.namespaces or namespaces)
+        if param.multi:
+            value = [
+                param.parser(v) if param.parser else v
+                for v in values
+            ]
+        else:
+            value = param.parser(values[0]) if param.parser else values[0]
+
+        out[key] = value
+
+    return out
-- 
GitLab


From 882c1aef96f1e806ea7abae753e38ea2045a36f7 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 20 Oct 2020 16:07:04 +0200
Subject: [PATCH 053/162] Adding CLI and daemon files Adding config schema

---
 core/registrar/cli.py             | 80 +++++++++++++++++++++++++++++++
 core/registrar/config-schema.yaml | 67 ++++++++++++++++++++++++++
 core/registrar/config.py          | 39 +++++++++++++++
 core/registrar/daemon.py          | 26 ++++++++++
 core/registrar/registrar.py       | 20 ++------
 5 files changed, 215 insertions(+), 17 deletions(-)
 create mode 100644 core/registrar/cli.py
 create mode 100644 core/registrar/config-schema.yaml
 create mode 100644 core/registrar/config.py
 create mode 100644 core/registrar/daemon.py

diff --git a/core/registrar/cli.py b/core/registrar/cli.py
new file mode 100644
index 00000000..2703bdf8
--- /dev/null
+++ b/core/registrar/cli.py
@@ -0,0 +1,80 @@
+from os.path import join, dirname
+import logging.config
+import json
+
+import click
+import yaml
+import jsonschema
+
+from .registrar import register_file
+from .daemon import run_daemon
+from .config import load_config
+
+
+def setup_logging(debug=False):
+    logging.config.dictConfig({
+        'version': 1,
+        'disable_existing_loggers': False,
+        'formatters': {
+            'brief': {
+                'format': '%(levelname)s %(name)s: %(message)s'
+            }
+        },
+        'handlers': {
+            'console': {
+                'class': 'logging.StreamHandler',
+                'level': 'DEBUG' if debug else 'INFO',
+                'formatter': 'brief',
+            }
+        },
+        'root': {
+            'handlers': ['console'],
+            'level': 'DEBUG' if debug else 'INFO',
+        }
+    })
+
+
+def validate_config(config):
+    with open(join(dirname(__file__), 'config-schema.yaml')) as f:
+        schema = yaml.load(f)
+
+    jsonschema.validate(config, schema)
+
+
+@click.group()
+def cli():
+    pass
+
+
+@cli.command(help='Run the registrar daemon, attaching to a Redis queue')
+@click.option('--config-file', type=click.File('r'))
+@click.option('--validate/--no-validate', default=False)
+@click.option('--host', type=str)
+@click.option('--port', type=int)
+@click.option('--listen-queue', type=str)
+@click.option('--write-queue', type=str)
+@click.option('--debug/--no-debug', default=False)
+def daemon(config_file=None, validate=False, host=None, port=None, listen_queue=None, write_queue=None, debug=False):
+    setup_logging(debug)
+    config = load_config(config_file)
+    if validate:
+        validate_config(config)
+    run_daemon(config, host, port, listen_queue, write_queue)
+
+
+@cli.command(help='Run a single, one-off registration')
+@click.argument('file_path', type=str)
+@click.option('--config-file', type=click.File('r'))
+@click.option('--validate/--no-validate', default=False)
+@click.option('--replace/--no-replace', default=False)
+@click.option('--debug/--no-debug', default=False)
+def register(file_path, config_file=None, validate=False, debug=False):
+    setup_logging(debug)
+    config = load_config(config_file)
+    if validate:
+        validate_config(config)
+
+    register_file(config, file_path)
+
+if __name__ == '__main__':
+    cli()
diff --git a/core/registrar/config-schema.yaml b/core/registrar/config-schema.yaml
new file mode 100644
index 00000000..ed85899e
--- /dev/null
+++ b/core/registrar/config-schema.yaml
@@ -0,0 +1,67 @@
+$id: https://example.com/address.schema.json
+$schema: http://json-schema.org/draft-07/schema#
+type: object
+properties:
+  source:
+    description: Input sources definitions
+    type: array
+    items:
+      description: A single source definition
+      type: object
+      properties:
+        type:
+          description: The source type.
+          type: string
+          enum: ['local', 's3', 'swift']
+        filter:
+          description: Optional filter to only be used for these paths
+          type: string
+        args:
+          description: Constructor arguments
+          type: array
+        kwargs:
+          description: Constructor keyword arguments
+          type: object
+  schemes:
+    description: Registration schemes definitions
+    type: array
+    items:
+      description: A single registration scheme definition
+      type: object
+      properties:
+        type:
+          description: The registration scheme type.
+          type: string
+          enum: ['gsc', 'sentinel-2']
+        filter:
+          description: Optional filter to only be used for these paths
+          type: string
+        args:
+          description: Constructor arguments
+          type: array
+        kwargs:
+          description: Constructor keyword arguments
+          type: object
+  backends:
+    description: Registration backends definitions
+    type: array
+    items:
+      description: A single registration scheme definition
+      type: object
+      properties:
+        type:
+          description: The registration scheme type.
+          type: string
+          enum: ['eoxserver']
+        filter:
+          description: Optional filter to only be used for these paths
+          type: string
+        args:
+          description: Constructor arguments
+          type: array
+        kwargs:
+          description: Constructor keyword arguments
+          type: object
+
+  # TODO: describe type specific args/kwargs
+
diff --git a/core/registrar/config.py b/core/registrar/config.py
new file mode 100644
index 00000000..77534e94
--- /dev/null
+++ b/core/registrar/config.py
@@ -0,0 +1,39 @@
+import os
+from typing import TextIO
+import re
+
+import yaml
+
+
+ENV_PATTERN = re.compile(r'.*?\${(\w+)}.*?')
+
+def constructor_env_variables(loader, node):
+        """
+        Extracts the environment variable from the node's value
+        :param yaml.Loader loader: the yaml loader
+        :param node: the current node in the yaml
+        :return: the parsed string that contains the value of the environment
+        variable
+        """
+        value = loader.construct_scalar(node)
+        match = ENV_PATTERN.findall(value)  # to find all env variables in line
+        if match:
+            full_value = value
+            for g in match:
+                full_value = full_value.replace(
+                    f'${{{g}}}', os.environ.get(g, g)
+                )
+            return full_value
+        return value
+
+
+def load_config(input_file: TextIO):
+    tag = '!env'
+    loader = yaml.SafeLoader
+
+    # the tag will be used to mark where to start searching for the pattern
+    # e.g. somekey: !env somestring${MYENVVAR}blah blah blah
+    loader.add_implicit_resolver(tag, ENV_PATTERN, None)
+    loader.add_constructor(tag, constructor_env_variables)
+
+    return yaml.load(input_file, Loader=loader)
diff --git a/core/registrar/daemon.py b/core/registrar/daemon.py
new file mode 100644
index 00000000..7c943627
--- /dev/null
+++ b/core/registrar/daemon.py
@@ -0,0 +1,26 @@
+import logging
+import json
+
+import redis
+
+from .registrar import register_file
+
+
+logger = logging.getLogger(__name__)
+
+
+def run_daemon(config, host, port, listen_queue, write_queue):
+    """ Run the registrar daemon, listening on a redis queue
+        for files to be registered. After preprocessing the filename
+        of the registered files will be pushed to the output queue.
+    """
+    # initialize the queue client
+    client = redis.Redis(
+        host=host, port=port, charset="utf-8", decode_responses=True
+    )
+    logger.debug("waiting for redis queue '%s'..." % listen_queue)
+    while True:
+        # fetch an item from the queue to be registered
+        _, value = client.brpop(listen_queue)
+        # start the registration on that file
+        register_file(config, value)
diff --git a/core/registrar/registrar.py b/core/registrar/registrar.py
index 53e2379e..f7f984e8 100644
--- a/core/registrar/registrar.py
+++ b/core/registrar/registrar.py
@@ -1,14 +1,13 @@
 import re
 
 from .source import get_source
+from .scheme import get_scheme
 from .exceptions import RegistrationError
 
 
-
-def register(config, path):
-    # TODO: select registration scheme (config, path)
+def register_file(config: dict, path: str):
     source = get_source(config, path)
-    scheme = select_registation_scheme(config, path)
+    scheme = get_scheme(config, path)
     context = scheme.get_context(source, path)
 
     for pre_handler in get_pre_handlers(config):
@@ -27,19 +26,6 @@ def register(config, path):
         post_handler(config, path, context)
 
 
-def select_registation_scheme(config, path):
-    cfg_schemes = config['schemes']
-    for cfg_scheme in cfg_schemes:
-        if cfg_scheme['filter']:
-            if re.match(cfg_scheme['filter'], path):
-                break
-        else:
-            break
-    else:
-        # no source found
-        raise RegistrationError(f'Could not find a suitable scheme for the path {path}')
-
-
 def get_pre_handlers(config):
     pass
 
-- 
GitLab


From 352cc2368c345a60f8049753a3590608ed22468b Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 20 Oct 2020 16:07:29 +0200
Subject: [PATCH 054/162] Adding additional dependencies for registrar

---
 core/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/Dockerfile b/core/Dockerfile
index 33baf310..e583326e 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -43,7 +43,7 @@ RUN apt update && \
   rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 RUN pip3 install . && \
-    pip3 install python-keystoneclient python-swiftclient redis
+    pip3 install python-keystoneclient python-swiftclient redis click setuptools jsonschema
 
 ENV INSTANCE_ID="prism-view-server_core" \
     INSTANCE_NAME="pvs_instance"\
-- 
GitLab


From 2f3c0a34164acee32935adcc9a2cfc393b6b95e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 21 Oct 2020 11:40:38 +0200
Subject: [PATCH 055/162] fix database host

---
 chart/templates/renderer-deployment.yaml | 4 +++-
 chart/values.yaml                        | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/chart/templates/renderer-deployment.yaml b/chart/templates/renderer-deployment.yaml
index 36f65516..33a17953 100644
--- a/chart/templates/renderer-deployment.yaml
+++ b/chart/templates/renderer-deployment.yaml
@@ -56,6 +56,8 @@ spec:
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
+            - name: DB_HOST
+              value: {{ .Release.Name }}-database
             {{- range $key, $value := .Values.config.django }}
             - name: {{ $key }}
               value: {{ $value | quote }}
@@ -73,7 +75,7 @@ spec:
             - name: STARTUP_SCRIPTS
               value: /wait-initialized.sh
             - name: WAIT_SERVICES
-              value: {{ .Values.config.database.DB_HOST }}:{{ .Values.config.database.DB_PORT }}
+              value: {{ .Release.Name }}-database:{{ .Values.config.database.DB_PORT }}
           volumeMounts:
             - mountPath: /init-db.sh
               name: init-db
diff --git a/chart/values.yaml b/chart/values.yaml
index a779f6ca..77a4950c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -5,7 +5,6 @@ config:
     GDAL_DISABLE_READDIR_ON_OPEN: "TRUE"
     COLLECT_STATIC: "false"
   database:
-    DB_HOST: database
     DB_NAME: dbname
     DB_PORT: "5432"
     DB_PW: dbpw
-- 
GitLab


From 25264f56446144540f39cb40602d09a5d14ada69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 21 Oct 2020 11:59:50 +0200
Subject: [PATCH 056/162] adjust init-db.sh loading

---
 chart/README.md                        |  9 +++
 chart/files/init-db.sh                 | 79 +++++++++++++++++++++++++
 chart/templates/init-db-configmap.yaml |  5 +-
 chart/values-init-db.yaml              | 80 --------------------------
 4 files changed, 90 insertions(+), 83 deletions(-)
 create mode 100644 chart/files/init-db.sh
 delete mode 100644 chart/values-init-db.yaml

diff --git a/chart/README.md b/chart/README.md
index 9ef273a0..acc5e453 100644
--- a/chart/README.md
+++ b/chart/README.md
@@ -1 +1,10 @@
 Chart for the View Server (VS) bundling all services
+
+Useful commands:
+
+```bash
+helm dependency update
+
+helm template testing . --output-dir ../tmp/ -f values.yaml
+
+```
diff --git a/chart/files/init-db.sh b/chart/files/init-db.sh
new file mode 100644
index 00000000..5b05895c
--- /dev/null
+++ b/chart/files/init-db.sh
@@ -0,0 +1,79 @@
+# Check if collection exits in database and initialize database only if not
+if python3 manage.py id check "${COLLECTION}"; then
+    echo "Initialize database"
+
+    python3 manage.py coveragetype import /rgbnir_definition.json --traceback
+
+    if [ "${COLLECTION}" == "VHR_IMAGE_2018" ]; then
+        echo "Initializing collection '${COLLECTION}'."
+
+        # PL00
+        python3 manage.py producttype create "${COLLECTION}"_Product_PL00 --traceback \
+            --coverage-type "RGBNir"
+        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 --traceback \
+            --red "red" \
+            --green "green" \
+            --blue "blue" \
+            --red-range 1000 15000 \
+            --green-range 1000 15000 \
+            --blue-range 1000 15000 \
+            --red-nodata 0 \
+            --green-nodata 0 \
+            --blue-nodata 0
+        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "TRUE_COLOR" --traceback \
+            --red "red" \
+            --green "green" \
+            --blue "blue" \
+            --red-range 1000 15000 \
+            --green-range 1000 15000 \
+            --blue-range 1000 15000 \
+            --red-nodata 0 \
+            --green-nodata 0 \
+            --blue-nodata 0
+        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "FALSE_COLOR" --traceback \
+            --red "nir" \
+            --green "red" \
+            --blue "green" \
+            --red-range 1000 15000 \
+            --green-range 1000 15000 \
+            --blue-range 1000 15000 \
+            --red-nodata 0 \
+            --green-nodata 0 \
+            --blue-nodata 0
+        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "NDVI" --traceback \
+            --grey "(nir-red)/(nir+red)" --grey-range -1 1
+
+
+        python3 manage.py collectiontype create "${COLLECTION}"_Collection --traceback \
+            --coverage-type "RGBNir" \
+            --product-type "${COLLECTION}"_Product_PL00
+
+        # Create collections for all products
+        python3 manage.py collection create "${COLLECTION}" --type "${COLLECTION}"_Collection --traceback
+
+        # Register mask type
+        python3 manage.py masktype create --validity "${COLLECTION}"_Product_PL00 validity
+
+    else
+        echo "Provided collection '${COLLECTION}' not valid."
+    fi
+
+    python3 manage.py storageauth create auth-cloud-ovh "${OS_AUTH_URL_SHORT}" \
+        --type keystone \
+        -p auth-version "${ST_AUTH_VERSION}" \
+        -p identity-api-version="${ST_AUTH_VERSION}" \
+        -p username "${OS_USERNAME}" \
+        -p password "${OS_PASSWORD}" \
+        -p tenant-name "${OS_TENANT_NAME}" \
+        -p tenant-id "${OS_TENANT_ID}" \
+        -p region-name "${OS_REGION_NAME}"
+
+    python3 manage.py storage create \
+        ${UPLOAD_CONTAINER} ${UPLOAD_CONTAINER} \
+        --type swift \
+        --storage-auth auth-cloud-ovh
+
+
+else
+    echo "Using existing database"
+fi
diff --git a/chart/templates/init-db-configmap.yaml b/chart/templates/init-db-configmap.yaml
index a0516d5b..6e130e1c 100644
--- a/chart/templates/init-db-configmap.yaml
+++ b/chart/templates/init-db-configmap.yaml
@@ -1,7 +1,6 @@
 apiVersion: v1
-data:
-  init-db.sh: |
-    {{- .Values.initDb | nindent 4 }}
 kind: ConfigMap
 metadata:
   name: {{ include "vs.fullname" . }}-init-db
+data:
+  {{ (.Files.Glob "files/init-db.sh").AsConfig | nindent 2}}
diff --git a/chart/values-init-db.yaml b/chart/values-init-db.yaml
deleted file mode 100644
index 23118ada..00000000
--- a/chart/values-init-db.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-initDb: |
-    # Check if collection exits in database and initialize database only if not
-    if python3 manage.py id check "${COLLECTION}"; then
-        echo "Initialize database"
-
-        python3 manage.py coveragetype import /rgbnir_definition.json --traceback
-
-        if [ "${COLLECTION}" == "VHR_IMAGE_2018" ]; then
-            echo "Initializing collection '${COLLECTION}'."
-
-            # PL00
-            python3 manage.py producttype create "${COLLECTION}"_Product_PL00 --traceback \
-                --coverage-type "RGBNir"
-            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 --traceback \
-                --red "red" \
-                --green "green" \
-                --blue "blue" \
-                --red-range 1000 15000 \
-                --green-range 1000 15000 \
-                --blue-range 1000 15000 \
-                --red-nodata 0 \
-                --green-nodata 0 \
-                --blue-nodata 0
-            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "TRUE_COLOR" --traceback \
-                --red "red" \
-                --green "green" \
-                --blue "blue" \
-                --red-range 1000 15000 \
-                --green-range 1000 15000 \
-                --blue-range 1000 15000 \
-                --red-nodata 0 \
-                --green-nodata 0 \
-                --blue-nodata 0
-            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "FALSE_COLOR" --traceback \
-                --red "nir" \
-                --green "red" \
-                --blue "green" \
-                --red-range 1000 15000 \
-                --green-range 1000 15000 \
-                --blue-range 1000 15000 \
-                --red-nodata 0 \
-                --green-nodata 0 \
-                --blue-nodata 0
-            python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "NDVI" --traceback \
-                --grey "(nir-red)/(nir+red)" --grey-range -1 1
-
-
-            python3 manage.py collectiontype create "${COLLECTION}"_Collection --traceback \
-                --coverage-type "RGBNir" \
-                --product-type "${COLLECTION}"_Product_PL00
-
-            # Create collections for all products
-            python3 manage.py collection create "${COLLECTION}" --type "${COLLECTION}"_Collection --traceback
-
-            # Register mask type
-            python3 manage.py masktype create --validity "${COLLECTION}"_Product_PL00 validity
-
-        else
-            echo "Provided collection '${COLLECTION}' not valid."
-        fi
-
-        python3 manage.py storageauth create auth-cloud-ovh "${OS_AUTH_URL_SHORT}" \
-            --type keystone \
-            -p auth-version "${ST_AUTH_VERSION}" \
-            -p identity-api-version="${ST_AUTH_VERSION}" \
-            -p username "${OS_USERNAME}" \
-            -p password "${OS_PASSWORD}" \
-            -p tenant-name "${OS_TENANT_NAME}" \
-            -p tenant-id "${OS_TENANT_ID}" \
-            -p region-name "${OS_REGION_NAME}"
-
-        python3 manage.py storage create \
-            ${UPLOAD_CONTAINER} ${UPLOAD_CONTAINER} \
-            --type swift \
-            --storage-auth auth-cloud-ovh
-
-
-    else
-        echo "Using existing database"
-    fi
-- 
GitLab


From 80aea98846f664e4ec7437662ae5752eca00e4ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 21 Oct 2020 17:14:36 +0200
Subject: [PATCH 057/162] use index.html like a template

---
 chart/files/index.html                | 10 +++++-----
 chart/templates/client-configmap.yaml |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/chart/files/index.html b/chart/files/index.html
index 23b59e21..e5c65647 100644
--- a/chart/files/index.html
+++ b/chart/files/index.html
@@ -17,12 +17,12 @@
 <div id="app" style="width: 100%; top: 60px; bottom: 0; position: absolute; margin: 0; padding:0;"></div>
 <script src="prism.js"></script>
 <script>
-var baseUrl = '//vhr18-dev.vs.hub.eox.at/';
+var baseUrl = '//{{ index (index .Values.ingress.tls 0).hosts 0 }}/';
 var baseUrlsWMTS = [
-    '//vhr18-dev.vs.hub.eox.at/cache/ows/wmts',
+    '//{{ index (index .Values.ingress.tls 0).hosts 0 }}/cache/ows/wmts',
 ];
 var baseUrlsOws = [
-    '//vhr18-dev.vs.hub.eox.at/ows',
+    '//{{ index (index .Values.ingress.tls 0).hosts 0 }}/ows',
 ];
 var config = {
     "settings": {
@@ -274,7 +274,7 @@ var config = {
                 // "method": "GET",
                 "rewrite": {
                 // add __coverage to the coverageId
-                "from": "({{id}})",
+                "from": "({{ "{{" }}id}})",
                 "to": "$1__coverage"
                 }
             }
@@ -369,7 +369,7 @@ var config = {
                 // "method": "GET",
                 "rewrite": {
                 // add __coverage to the coverageId
-                "from": "({{id}})",
+                "from": "({{ "{{" }}id}})",
                 "to": "$1__coverage"
                 }
             }
diff --git a/chart/templates/client-configmap.yaml b/chart/templates/client-configmap.yaml
index 4b130f7e..c3cc92b7 100644
--- a/chart/templates/client-configmap.yaml
+++ b/chart/templates/client-configmap.yaml
@@ -3,4 +3,4 @@ kind: ConfigMap
 metadata:
   name: {{ include "vs.fullname" . }}-client
 data:
-  {{ (.Files.Glob "files/index.html").AsConfig | nindent 2}}
+  {{ (tpl (.Files.Glob "files/index.html").AsConfig . ) | nindent 2}}
-- 
GitLab


From 831c082cc52c785c89770192c8b73fca7eb49b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Mei=C3=9Fl?= <stephan.meissl@eox.at>
Date: Wed, 21 Oct 2020 17:36:04 +0200
Subject: [PATCH 058/162] treat init-db.sh like a template

---
 chart/files/init-db.sh                 | 7 +++++++
 chart/templates/init-db-configmap.yaml | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/chart/files/init-db.sh b/chart/files/init-db.sh
index 5b05895c..58ff7402 100644
--- a/chart/files/init-db.sh
+++ b/chart/files/init-db.sh
@@ -4,6 +4,12 @@ if python3 manage.py id check "${COLLECTION}"; then
 
     python3 manage.py coveragetype import /rgbnir_definition.json --traceback
 
+{{- if .Values.initDb }}
+
+    {{ .Values.initDb | nindent 6 }}
+
+{{- else }}
+
     if [ "${COLLECTION}" == "VHR_IMAGE_2018" ]; then
         echo "Initializing collection '${COLLECTION}'."
 
@@ -73,6 +79,7 @@ if python3 manage.py id check "${COLLECTION}"; then
         --type swift \
         --storage-auth auth-cloud-ovh
 
+{{- end }}
 
 else
     echo "Using existing database"
diff --git a/chart/templates/init-db-configmap.yaml b/chart/templates/init-db-configmap.yaml
index 6e130e1c..01b1be69 100644
--- a/chart/templates/init-db-configmap.yaml
+++ b/chart/templates/init-db-configmap.yaml
@@ -3,4 +3,4 @@ kind: ConfigMap
 metadata:
   name: {{ include "vs.fullname" . }}-init-db
 data:
-  {{ (.Files.Glob "files/init-db.sh").AsConfig | nindent 2}}
+  {{ (tpl (.Files.Glob "files/init-db.sh").AsConfig . ) | nindent 2}}
-- 
GitLab


From 6d6ba6b07acac4303a162a64fd59458e54b987fc Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:06:06 +0200
Subject: [PATCH 059/162] Fixing backend registration issues

---
 core/registrar/backend.py | 90 +++++++++++++++++++++++----------------
 1 file changed, 54 insertions(+), 36 deletions(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index b20c0396..4d453e80 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -2,23 +2,20 @@ import os
 import re
 import sys
 import logging
+from typing import List
 
 import django
 from django.db import transaction
-from django.contrib.gis.geos import GEOSGeometry
-from eoxserver.resources.coverages import models
-from eoxserver.resources.coverages.registration.product import ProductRegistrator
-from eoxserver.resources.coverages.registration.browse import BrowseRegistrator
-from eoxserver.resources.coverages.registration.mask import MaskRegistrator
-from eoxserver.resources.coverages.registration.registrators.gdal import GDALRegistrator
+from django.contrib.gis.geos import GEOSGeometry, Polygon
 
 from .exceptions import RegistrationError
 from .context import Context
-from .source import Source
+from .source import Source, S3Source, SwiftSource, LocalSource
 
 
 logger = logging.getLogger(__name__)
 
+
 class RegistrationResult:
     pass
 
@@ -40,35 +37,49 @@ class EOxServerBackend(Backend):
         django.setup()
 
     def exists(self, source: Source, item: Context):
-        return models.Product.objects.filter(identifier=item.itentifier).exists()
+        from eoxserver.resources.coverages import models
+        return models.Product.objects.filter(identifier=item.identifier).exists()
 
-    def _get_storage_from_source(self, source: Source) -> list:
-        return []
+    def _get_storage_from_source(self, source: Source, path: str) -> list:
+        return [source.name] if source.name else []
 
     @transaction.atomic
     def register(self, source: Source, item: Context, replace: bool) -> RegistrationResult:
+        # ugly, ugly hack
+        from eoxserver.resources.coverages import models
+        from eoxserver.resources.coverages.registration.product import ProductRegistrator
+        from eoxserver.resources.coverages.registration.browse import BrowseRegistrator
+        from eoxserver.resources.coverages.registration.mask import MaskRegistrator
+        from eoxserver.resources.coverages.registration.registrators.gdal import GDALRegistrator
+
         # get the mapping for this particular item
-        mapping = self.mapping.get(item.product_type, {}).get(item.level_name)
+        mapping = self.mapping[item.product_type][item.product_level]
         metadata_file = item.metadata_files[0]
 
-        storage = self._get_storage_from_source(source)
+        storage = self._get_storage_from_source(source, item.path)
 
         try:
-            models.ProductType.objects.get(name=item['product_type_name'])
+            models.ProductType.objects.get(name=mapping['product_type_name'])
         except models.ProductType.DoesNotExist:
             pass
 
+        footprint = GEOSGeometry(item.metadata.pop('footprint'))
+
         product, _ = ProductRegistrator().register(
             metadata_locations=[storage + [metadata_file]],
-            type_name=item['product_type_name'],
+            type_name=mapping['product_type_name'],
             replace=replace,
             extended_metadata=True,
             mask_locations=None,
             package_path=None,
             simplify_footprint_tolerance=self.simplify_footprint_tolerance,
-            overrides=item.metadata,
+            overrides=dict(
+                identifier=item.identifier,
+                footprint=footprint,
+                **item.metadata
+            ),
         )
-        if product.footprint.empty:
+        if not product.footprint or product.footprint.empty:
             raise RegistrationError("No footprint was extracted. full product: %s" % product)
 
         # insert the product in the to be associated collections
@@ -96,8 +107,14 @@ class EOxServerBackend(Backend):
             models.product_add_coverage(product, report.coverage)
 
         # register browses
-        for raster_identifier, browse_type_name in mapping.get('browses', {}):
+        for raster_identifier, browse_type_name in mapping.get('browses', {}).items():
             raster_item = item.raster_files.get(raster_identifier)
+
+            raster_item = '/'.join(raster_item.split('/')[1:])
+
+            logger.info(f"Adding browse {browse_type_name or 'default'} {raster_item} to product")
+            logger.info(f'{storage + [raster_item]}')
+
             BrowseRegistrator().register(
                 product.identifier,
                 storage + [raster_item],
@@ -105,34 +122,35 @@ class EOxServerBackend(Backend):
             )
 
         # register masks
-        for mask_identifier, mask_type_name in mapping.get('masks', {}):
+        for mask_identifier, mask_type_name in mapping.get('masks', {}).items():
             mask_item = item.mask_files.get(mask_identifier)
-            MaskRegistrator().register(
-                product.identifier,
-                storage + [mask_item],
-                mask_type_name,
-            )
+            if mask_item:
+                logger.info(f"Adding mask {mask_type_name} to product")
+                MaskRegistrator().register(
+                    product.identifier,
+                    storage + [mask_item],
+                    mask_type_name,
+                )
 
 
 BACKENDS = {
     'eoxserver': EOxServerBackend
 }
 
-def get_backend(config: dict, path: str) -> Backend:
+def get_backends(config: dict, path: str) -> List[Backend]:
     cfg_backends = config['backends']
 
-    for cfg_backend in cfg_backends:
-        if cfg_backend['filter']:
-            if re.match(cfg_backend['filter'], path):
-                break
-        else:
-            break
-    else:
-        # no source found
+    backends = [
+        BACKENDS[cfg_backend['type']](
+            *cfg_backend.get('args', []),
+            **cfg_backend.get('kwargs', {}),
+        )
+        for cfg_backend in cfg_backends
+        if not cfg_backend.get('filter') or re.match(cfg_backend['filter'], path)
+    ]
+
+    if not backends:
         raise RegistrationError(f'Could not find a suitable backend for the path {path}')
 
-    return BACKENDS[cfg_backend['type']](
-        *cfg_backend.get('args', []),
-        **cfg_backend.get('kwargs', {}),
-    )
+    return backends
 
-- 
GitLab


From 03775abc49cb7823533d414bb92b55a20e8999fa Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:07:18 +0200
Subject: [PATCH 060/162] Fixing parsing XML from downloaded files

---
 core/registrar/xml.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/core/registrar/xml.py b/core/registrar/xml.py
index 4a088b26..519d8a54 100644
--- a/core/registrar/xml.py
+++ b/core/registrar/xml.py
@@ -1,16 +1,25 @@
-from tempfile import NamedTemporaryFile
+from os import remove
+from os.path import join, basename
+from tempfile import gettempdir, gettempprefix
 from dataclasses import dataclass, field
 from typing import Union, Type, Optional, List, Callable, Any
+import logging
 
 import lxml.etree
 
 from .source import Source
 
 
+logger = logging.getLogger(__name__)
+
 def read_xml(source: Source, path: str) -> lxml.etree._ElementTree:
-    with NamedTemporaryFile() as f:
-        source.get_file(path, f.name)
-        return lxml.etree.parse(f)
+    out_filename = join(gettempdir(), basename(path))
+    try:
+        source.get_file(path, out_filename)
+        tree = lxml.etree.parse(out_filename)
+    finally:
+        remove(out_filename)
+    return tree
 
 @dataclass
 class Parameter:
-- 
GitLab


From d3160156c040c79a2fc7375d1ad3276a2e4912f4 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:09:50 +0200
Subject: [PATCH 061/162] Fixing passing of replace parameter

---
 core/registrar/cli.py       |  7 ++++---
 core/registrar/daemon.py    |  9 +++++++--
 core/registrar/registrar.py | 27 +++++++++++++++++----------
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/core/registrar/cli.py b/core/registrar/cli.py
index 2703bdf8..bfae3d6a 100644
--- a/core/registrar/cli.py
+++ b/core/registrar/cli.py
@@ -49,17 +49,18 @@ def cli():
 @cli.command(help='Run the registrar daemon, attaching to a Redis queue')
 @click.option('--config-file', type=click.File('r'))
 @click.option('--validate/--no-validate', default=False)
+@click.option('--replace/--no-replace', default=False)
 @click.option('--host', type=str)
 @click.option('--port', type=int)
 @click.option('--listen-queue', type=str)
-@click.option('--write-queue', type=str)
+@click.option('--registered-set-key', type=str)
 @click.option('--debug/--no-debug', default=False)
-def daemon(config_file=None, validate=False, host=None, port=None, listen_queue=None, write_queue=None, debug=False):
+def daemon(config_file=None, validate=False, replace=False, host=None, port=None, listen_queue=None, registered_set_key=None, debug=False):
     setup_logging(debug)
     config = load_config(config_file)
     if validate:
         validate_config(config)
-    run_daemon(config, host, port, listen_queue, write_queue)
+    run_daemon(config, replace, host, port, listen_queue, registered_set_key)
 
 
 @cli.command(help='Run a single, one-off registration')
diff --git a/core/registrar/daemon.py b/core/registrar/daemon.py
index 7c943627..efdf1ff5 100644
--- a/core/registrar/daemon.py
+++ b/core/registrar/daemon.py
@@ -9,7 +9,7 @@ from .registrar import register_file
 logger = logging.getLogger(__name__)
 
 
-def run_daemon(config, host, port, listen_queue, write_queue):
+def run_daemon(config, replace, host, port, listen_queue, registered_set_key):
     """ Run the registrar daemon, listening on a redis queue
         for files to be registered. After preprocessing the filename
         of the registered files will be pushed to the output queue.
@@ -23,4 +23,9 @@ def run_daemon(config, host, port, listen_queue, write_queue):
         # fetch an item from the queue to be registered
         _, value = client.brpop(listen_queue)
         # start the registration on that file
-        register_file(config, value)
+        try:
+            item = register_file(config, value, replace)
+            client.sadd(registered_set_key, item.identifier)
+
+        except Exception as e:
+            logger.exception(e)
diff --git a/core/registrar/registrar.py b/core/registrar/registrar.py
index f7f984e8..53c9b102 100644
--- a/core/registrar/registrar.py
+++ b/core/registrar/registrar.py
@@ -1,11 +1,19 @@
 import re
+import logging
 
 from .source import get_source
 from .scheme import get_scheme
+from .backend import get_backends
 from .exceptions import RegistrationError
 
 
-def register_file(config: dict, path: str):
+logger = logging.getLogger(__name__)
+
+
+def register_file(config: dict, path: str, replace: bool=False):
+    """ Handle the registration of a single path.
+    """
+    logger.info(f"Handling '{path}'.")
     source = get_source(config, path)
     scheme = get_scheme(config, path)
     context = scheme.get_context(source, path)
@@ -13,26 +21,25 @@ def register_file(config: dict, path: str):
     for pre_handler in get_pre_handlers(config):
         pre_handler(config, path, context)
 
-    for backend in get_backends(config):
+    for backend in get_backends(config, path):
         if backend.exists(source, context):
-            if config.replace:
+            if replace:
+                logger.info(f"Replacing '{path}'.")
                 backend.register(source, context, replace=True)
             else:
                 raise RegistrationError(f'Object {context} is already registered')
         else:
+            logger.info(f"Registering '{path}'.")
             backend.register(source, context, replace=False)
 
     for post_handler in get_post_handlers(config):
         post_handler(config, path, context)
 
+    return context
 
-def get_pre_handlers(config):
-    pass
 
+def get_pre_handlers(config):
+    return []
 
 def get_post_handlers(config):
-    pass
-
-
-def get_backends(config):
-    pass
+    return []
-- 
GitLab


From 26a30c2587eb37fecfc46e8184d589aae2d024f1 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:10:27 +0200
Subject: [PATCH 062/162] Adding mandatory source name

---
 core/registrar/source.py | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/core/registrar/source.py b/core/registrar/source.py
index 2230ee2a..e513ae9f 100644
--- a/core/registrar/source.py
+++ b/core/registrar/source.py
@@ -3,17 +3,23 @@ from os.path import normpath, join, isabs
 import shutil
 from glob import glob
 from fnmatch import fnmatch
+import logging
 
 import boto3
 from swiftclient.multithreading import OutputManager
 from swiftclient.service import SwiftError, SwiftService
 
 
+logger = logging.getLogger(__name__)
+
 class RegistrationError(Exception):
     pass
 
 
 class Source:
+    def __init__(self, name: str=None):
+        self.name = name
+
     def list_files(self, path, glob_pattern=None):
         raise NotImplementedError
 
@@ -25,10 +31,12 @@ class Source:
 
 
 class SwiftSource(Source):
-    def __init__(self, username=None, password=None, tenant_name=None,
+    def __init__(self, name=None, username=None, password=None, tenant_name=None,
                  tenant_id=None, region_name=None, user_domain_id=None,
                  user_domain_name=None, auth_url=None, auth_version=None,
                  container=None):
+        super().__init__(name)
+
         self.username = username
         self.password = password
         self.tenant_name = tenant_name
@@ -57,7 +65,7 @@ class SwiftSource(Source):
         container = self.container
         if container is None:
             parts = (path[1:] if path.startswith('/') else path).split('/')
-            container, path = parts[0], parts[1:].join('/')
+            container, path = parts[0], '/'.join(parts[1:])
 
         return container, path
 
@@ -114,13 +122,16 @@ class SwiftSource(Source):
 
 
 class S3Source(Source):
-    def __init__(self, bucket_name=None, secret_access_key=None, access_key_id=None, endpoint_url=None, **client_kwargs):
+    def __init__(self, name=None, bucket_name=None, secret_access_key=None, access_key_id=None, endpoint_url=None, strip_bucket=True, **client_kwargs):
+        super().__init__(name)
+
         # see https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html#boto3.session.Session.client
         # for client_kwargs
         self.bucket_name = bucket_name
         self.secret_access_key=secret_access_key
         self.access_key_id=access_key_id
         self.endpoint_url = endpoint_url
+        self.strip_bucket = strip_bucket
 
         self.client = boto3.client(
             's3',
@@ -131,15 +142,21 @@ class S3Source(Source):
         )
 
     def get_bucket_and_key(self, path: str):
-        container = self.bucket_name
-        if container is None:
+        bucket = self.bucket_name
+        if bucket is None:
+            parts = (path[1:] if path.startswith('/') else path).split('/')
+            bucket, path = parts[0], '/'.join(parts[1:])
+        elif self.strip_bucket:
             parts = (path[1:] if path.startswith('/') else path).split('/')
-            container, path = parts[0], parts[1:].join('/')
+            if parts[0] == bucket:
+                parts.pop(0)
+            path = '/'.join(parts)
 
-        return container, path
+        return bucket, path
 
     def list_files(self, path, glob_pattern=None):
         bucket, key = self.get_bucket_and_key(path)
+        logger.info(f'Listing S3 files for bucket {bucket} and prefix {key}')
         response = self.client.list_objects_v2(
             Bucket=bucket,
             Prefix=key,
@@ -153,6 +170,7 @@ class S3Source(Source):
 
     def get_file(self, path, target_path):
         bucket, key = self.get_bucket_and_key(path)
+        logger.info(f'Retrieving file from S3 {bucket}/{key} to be stored at {target_path}')
         self.client.download_file(bucket, key, target_path)
 
     def get_vsi_env_and_path(self, path: str, streaming: bool=False):
@@ -165,7 +183,9 @@ class S3Source(Source):
 
 
 class LocalSource(Source):
-    def __init__(self, root_directory):
+    def __init__(self, name, root_directory):
+        super().__init__(name)
+
         self.root_directory = root_directory
 
     def _join_path(self, path):
@@ -209,6 +229,7 @@ def get_source(config: dict, path: str) -> Source:
         raise RegistrationError(f'Could not find a suitable source for the path {path}')
 
     return SOURCE_TYPES[cfg_source['type']](
+        cfg_source['name'],
         *cfg_source.get('args', []),
         **cfg_source.get('kwargs', {})
     )
-- 
GitLab


From 217c6fee3b759906a565384a8d18f000dbe3133d Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:11:11 +0200
Subject: [PATCH 063/162] Improving on S2 registration schema

---
 core/registrar/context.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/registrar/context.py b/core/registrar/context.py
index 81ded127..63844611 100644
--- a/core/registrar/context.py
+++ b/core/registrar/context.py
@@ -4,6 +4,7 @@ from dataclasses import dataclass, field
 @dataclass
 class Context:
     identifier: str
+    path: str
     product_type: str = None
     product_level: str = None
     metadata: dict = field(default_factory=dict)
-- 
GitLab


From 02973c9755b5ea5ef53f99dc5d62964cf836d15d Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:11:20 +0200
Subject: [PATCH 064/162] Cleanup

---
 core/registrar/backend.py |  2 --
 core/registrar/scheme.py  | 44 +++++++++++++++++++++++++++++----------
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index 4d453e80..a9681039 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -111,9 +111,7 @@ class EOxServerBackend(Backend):
             raster_item = item.raster_files.get(raster_identifier)
 
             raster_item = '/'.join(raster_item.split('/')[1:])
-
             logger.info(f"Adding browse {browse_type_name or 'default'} {raster_item} to product")
-            logger.info(f'{storage + [raster_item]}')
 
             BrowseRegistrator().register(
                 product.identifier,
diff --git a/core/registrar/scheme.py b/core/registrar/scheme.py
index d68a911a..b0a7652d 100644
--- a/core/registrar/scheme.py
+++ b/core/registrar/scheme.py
@@ -1,21 +1,36 @@
 import re
-
 from os.path import join
+import logging
 
 from .xml import read_xml, parse_metadata_schema, Parameter
 from .context import Context
+from .source import Source
 from .exceptions import RegistrationError
 
 
-class RegistrationScheme:
-    def __init__(self, source, path):
-        self.source = source
-        self.path = path
+logger = logging.getLogger(__name__)
 
+class RegistrationScheme:
     def get_context(self):
         raise NotImplementedError
 
 
+def parse_datetime(value):
+    return value
+
+
+def pairwise(iterable):
+    "s -> (s0,s1), (s2,s3), (s4, s5), ..."
+    a = iter(iterable)
+    return zip(a, a)
+
+
+def parse_footprint(value):
+    coord_list = ','.join(
+        f'{x} {y}'
+        for y, x in pairwise(value.split())
+    )
+    return f'POLYGON(({coord_list}))'
 
 
 class Sentinel2RegistrationScheme(RegistrationScheme):
@@ -23,10 +38,11 @@ class Sentinel2RegistrationScheme(RegistrationScheme):
         'begin_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_START_TIME/text()', False, parse_datetime),
         'end_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_STOP_TIME/text()', False, parse_datetime),
         'identifier': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_URI/text()'),
+        'footprint': Parameter('/n1:Level-2A_User_Product/n1:Geometric_Info/Product_Footprint/Product_Footprint/Global_Footprint/EXT_POS_LIST/text()', False, parse_footprint),
         'level': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PROCESSING_LEVEL/text()'),
         'type': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_TYPE/text()'),
         'generation_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/GENERATION_TIME/text()', False, parse_datetime),
-        'cloud_cover': Parameter('/n1:Level-2A_User_Product/n1:Quality_Indicators_Info/Cloud_Coverage_Assessment'),
+        'cloud_cover': Parameter('/n1:Level-2A_User_Product/n1:Quality_Indicators_Info/Cloud_Coverage_Assessment/text()'),
         'image_file_paths': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/Product_Organisation/Granule_List/Granule/IMAGE_FILE/text()', True),
         'mask_file_paths': Parameter('/n1:Level-2A_Tile_ID/n1:Quality_Indicators_Info/Pixel_Level_QI/MASK_FILENAME', True),
     }
@@ -35,9 +51,9 @@ class Sentinel2RegistrationScheme(RegistrationScheme):
         'n1': "https://psd-14.sentinel2.eo.esa.int/PSD/User_Product_Level-2A.xsd"
     }
 
-    def get_context(self):
-        metadata_file = join(self.path, 'MTD_TL.xml')
-        mtd_tree = read_xml(self.source, metadata_file)
+    def get_context(self, source: Source, path: str):
+        metadata_file = join(path, 'MTD_MSIL2A.xml')
+        mtd_tree = read_xml(source, metadata_file)
 
         # get MTD metadata
 
@@ -45,18 +61,23 @@ class Sentinel2RegistrationScheme(RegistrationScheme):
 
         band_re = re.compile(r'.*([A-Z0-9]{3})_([0-9]{2}m)$')
         raster_files = {
-            band_re.match(image_file_path).groups()[0]: f'{join(self.path, image_file_path)}.jp2'
+            band_re.match(image_file_path).groups()[0]: f'{join(path, image_file_path)}.jp2'
             for image_file_path in metadata['image_file_paths']
         }
 
         mask_type_re = re.compile(r'.*/MSK_([A-Z]*)_([A-Z0-9]{3}).[a-z0-9]+$')
         mask_files = {
-            mask_type_re.match(mask_file_path).groups[0]: mask_file_path
+            mask_type_re.match(mask_file_path).groups[0]: join(path, mask_file_path)
             for mask_file_path in metadata['mask_file_paths']
         }
 
+        logger.info(f'{mask_files} {metadata["mask_file_paths"]}')
+
         return Context(
             identifier=metadata['identifier'],
+            path=path,
+            product_type=metadata['type'],
+            product_level=metadata['level'],
             raster_files=raster_files,
             mask_files=mask_files,
             metadata_files=[metadata_file],
@@ -65,6 +86,7 @@ class Sentinel2RegistrationScheme(RegistrationScheme):
                 'end_time': metadata['end_time'],
                 'generation_time': metadata['generation_time'],
                 'cloud_cover': metadata['cloud_cover'],
+                'footprint': metadata['footprint'],
             }
         )
 
-- 
GitLab


From 9777947153810f736e36abf6c4bcb02c0878ee0e Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:11:52 +0200
Subject: [PATCH 065/162] Fixing run-registrar.sh

---
 core/run-registrar.sh | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/core/run-registrar.sh b/core/run-registrar.sh
index 348b4f75..a1bae617 100644
--- a/core/run-registrar.sh
+++ b/core/run-registrar.sh
@@ -6,13 +6,10 @@ if test "$REGISTRAR_REPLACE" = true; then
     replace="--replace"
 fi
 
-python3 /registrar.py \
-    --mode redis \
-    --redis-host ${REDIS_HOST} \
-    --redis-port ${REDIS_PORT} \
-    --redis-register-queue-key ${REDIS_REGISTER_QUEUE_KEY} \
-    --redis-registered-set-key ${REDIS_REGISTERED_SET_KEY} \
-    --redis-registered-set-key ${REDIS_REGISTERED_SET_KEY} \
-    --reporting-dir ${REPORTING_DIR} \
-    --service-url ${SERVICE_URL} \
+registrar daemon \
+    --config-file /config.yaml \
+    --host ${REDIS_HOST} \
+    --port ${REDIS_PORT} \
+    --listen-queue ${REDIS_REGISTER_QUEUE_KEY} \
+    --registered-set-key ${REDIS_REGISTERED_SET_KEY} \
     ${replace} >&2
-- 
GitLab


From fa6220bceb9d978eecde355ca760e901766087ab Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:12:39 +0200
Subject: [PATCH 066/162] Adding missing requirements Fixing installation of
 registrar source

---
 core/Dockerfile | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/core/Dockerfile b/core/Dockerfile
index e583326e..35900bb4 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -43,7 +43,7 @@ RUN apt update && \
   rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 RUN pip3 install . && \
-    pip3 install python-keystoneclient python-swiftclient redis click setuptools jsonschema
+    pip3 install python-keystoneclient python-swiftclient redis click setuptools jsonschema boto3
 
 ENV INSTANCE_ID="prism-view-server_core" \
     INSTANCE_NAME="pvs_instance"\
@@ -77,12 +77,22 @@ ADD rgbnir_definition.json \
     configure.sh \
     run-httpd.sh \
     run-registrar.sh \
-    registrar.py \
     entrypoint.sh \
     wait-initialized.sh \
     initialized.sh \
     /
 
+RUN mkdir /registrar
+ADD registrar/ \
+    /registrar/registrar
+
+ADD setup.py \
+    /registrar
+
+RUN cd /registrar && \
+    ls && \
+    python3 setup.py install
+
 RUN chmod -v +x \
     /configure.sh \
     /run-registrar.sh \
-- 
GitLab


From aac4ccb99d48acb429acee8a95f921185d5166fc Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 10:20:00 +0200
Subject: [PATCH 067/162] Adding missing setup.py

---
 core/setup.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 core/setup.py

diff --git a/core/setup.py b/core/setup.py
new file mode 100644
index 00000000..f64ba39c
--- /dev/null
+++ b/core/setup.py
@@ -0,0 +1,28 @@
+from setuptools import setup, find_packages
+
+# with open("README.md", "r") as fh:
+#     long_description = fh.read()
+long_description = ""
+
+setup(
+    name="registrar", # Replace with your own username
+    version="0.0.1",
+    author="",
+    author_email="",
+    description="preprocessor for PVS",
+    long_description=long_description,
+    long_description_content_type="text/markdown",
+    url="https://gitlab.eox.at/esa/prism/vs/-/tree/master/core",
+    packages=find_packages(),
+    classifiers=[
+        "Programming Language :: Python :: 3",
+        "License :: OSI Approved :: MIT License",
+        "Operating System :: OS Independent",
+    ],
+    python_requires='>=3.6',
+    entry_points={
+        "console_scripts": [
+            "registrar = registrar.cli:cli",
+        ],
+    }
+)
-- 
GitLab


From b8866e1d75c29308e87ec3925406311dbd1812cc Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 22:10:17 +0200
Subject: [PATCH 068/162] Small fix for S3 path listing

---
 core/registrar/source.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/registrar/source.py b/core/registrar/source.py
index e513ae9f..d752712e 100644
--- a/core/registrar/source.py
+++ b/core/registrar/source.py
@@ -163,7 +163,7 @@ class S3Source(Source):
         )
 
         return [
-            item['Key']
+            f"{bucket}/{item['Key']}"
             for item in response['Contents']
             if glob_pattern is None or fnmatch(item['Key'], glob_pattern)
         ]
-- 
GitLab


From 1d9a5ff917d6ee4f50ef0e5322e4087d6e908f8e Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 22:11:39 +0200
Subject: [PATCH 069/162] Fixing S2 metadata retrieval Getting masks from
 granule metadata

---
 core/registrar/scheme.py | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/core/registrar/scheme.py b/core/registrar/scheme.py
index b0a7652d..f3057fbe 100644
--- a/core/registrar/scheme.py
+++ b/core/registrar/scheme.py
@@ -34,7 +34,7 @@ def parse_footprint(value):
 
 
 class Sentinel2RegistrationScheme(RegistrationScheme):
-    MTD_TL_SCHEMA = {
+    MTD_MSIL2A_SCHEMA = {
         'begin_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_START_TIME/text()', False, parse_datetime),
         'end_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_STOP_TIME/text()', False, parse_datetime),
         'identifier': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/PRODUCT_URI/text()'),
@@ -44,35 +44,46 @@ class Sentinel2RegistrationScheme(RegistrationScheme):
         'generation_time': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/GENERATION_TIME/text()', False, parse_datetime),
         'cloud_cover': Parameter('/n1:Level-2A_User_Product/n1:Quality_Indicators_Info/Cloud_Coverage_Assessment/text()'),
         'image_file_paths': Parameter('/n1:Level-2A_User_Product/n1:General_Info/Product_Info/Product_Organisation/Granule_List/Granule/IMAGE_FILE/text()', True),
-        'mask_file_paths': Parameter('/n1:Level-2A_Tile_ID/n1:Quality_Indicators_Info/Pixel_Level_QI/MASK_FILENAME', True),
     }
 
-    S2_NAMESPACES = {
+    MTD_TL_SCHEMA = {
+        'mask_file_paths': Parameter('/n1:Level-2A_Tile_ID/n1:Quality_Indicators_Info/Pixel_Level_QI/MASK_FILENAME/text()', True),
+    }
+
+    MTD_MSIL2A_NAMESPACES = {
         'n1': "https://psd-14.sentinel2.eo.esa.int/PSD/User_Product_Level-2A.xsd"
     }
 
+    MTD_TL_NAMESPACES = {
+        'n1': 'https://psd-14.sentinel2.eo.esa.int/PSD/S2_PDI_Level-2A_Tile_Metadata.xsd'
+    }
+
     def get_context(self, source: Source, path: str):
         metadata_file = join(path, 'MTD_MSIL2A.xml')
-        mtd_tree = read_xml(source, metadata_file)
-
-        # get MTD metadata
+        tree = read_xml(source, metadata_file)
 
-        metadata = parse_metadata_schema(mtd_tree, self.MTD_TL_SCHEMA, self.S2_NAMESPACES)
+        # get product metadata
+        metadata = parse_metadata_schema(tree, self.MTD_MSIL2A_SCHEMA, self.MTD_MSIL2A_NAMESPACES)
 
-        band_re = re.compile(r'.*([A-Z0-9]{3})_([0-9]{2}m)$')
+        band_re = re.compile(r'.*([A-Z0-9]{3}_[0-9]{2}m)$')
         raster_files = {
             band_re.match(image_file_path).groups()[0]: f'{join(path, image_file_path)}.jp2'
             for image_file_path in metadata['image_file_paths']
         }
 
+        # get granule metadata
+        mtd_files = source.list_files(join(path, 'GRANULE'), '*/MTD_TL.xml')
+        logger.info(f'{mtd_files}')
+        tl_tree = read_xml(source, mtd_files[0])
+        tile_metadata = parse_metadata_schema(tl_tree, self.MTD_TL_SCHEMA, self.MTD_TL_NAMESPACES)
+
         mask_type_re = re.compile(r'.*/MSK_([A-Z]*)_([A-Z0-9]{3}).[a-z0-9]+$')
         mask_files = {
-            mask_type_re.match(mask_file_path).groups[0]: join(path, mask_file_path)
-            for mask_file_path in metadata['mask_file_paths']
+            mask_type_re.match(mask_file_path).groups()[0]: join(path, mask_file_path)
+            for mask_file_path in tile_metadata['mask_file_paths']
+            if mask_type_re.match(mask_file_path) is not None
         }
 
-        logger.info(f'{mask_files} {metadata["mask_file_paths"]}')
-
         return Context(
             identifier=metadata['identifier'],
             path=path,
-- 
GitLab


From cc625aff30bb3a8ee07bc9f364d1b0b9b9919640 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 22:11:55 +0200
Subject: [PATCH 070/162] Fixing paths in EOxServer backend

---
 core/registrar/backend.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index a9681039..980cd40c 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -54,7 +54,7 @@ class EOxServerBackend(Backend):
 
         # get the mapping for this particular item
         mapping = self.mapping[item.product_type][item.product_level]
-        metadata_file = item.metadata_files[0]
+        metadata_file = '/'.join(item.metadata_files[0].split('/')[1:])
 
         storage = self._get_storage_from_source(source, item.path)
 
@@ -92,6 +92,9 @@ class EOxServerBackend(Backend):
         # register coverages and link them to the product
         for raster_identifier, coverage_type_name in mapping.get('coverages', {}).items():
             raster_item = item.raster_files.get(raster_identifier)
+            raster_item = '/'.join(raster_item.split('/')[1:])
+
+            logger.info(f"Registering coverage {raster_item} as {coverage_type_name}")
 
             report = GDALRegistrator().register(
                 data_locations=[storage + [raster_item]],
-- 
GitLab


From 4518044a24dbee7ebc190652a84399b2efad5656 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 22 Oct 2020 22:12:19 +0200
Subject: [PATCH 071/162] Going for latest tag

---
 core/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/Dockerfile b/core/Dockerfile
index 5e32a8c8..2266a9ba 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -25,7 +25,7 @@
 # IN THE SOFTWARE.
 #-----------------------------------------------------------------------------
 
-FROM eoxa/eoxserver:release-1.0.0-rc12
+FROM eoxa/eoxserver:latest
 
 LABEL name="prism view server core" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
-- 
GitLab


From 933cd4c41181368677ed38ccb290d8c7f32d7fbc Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 27 Oct 2020 10:22:12 +0100
Subject: [PATCH 072/162] sample ac for emg, save work

---
 shibauth/etc-httpd/conf.d/sp.conf          | 7 ++++---
 shibauth/shibboleth-conf/attribute-map.xml | 5 ++---
 shibauth/shibboleth-conf/pass-ac.xml       | 9 +++++++++
 3 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 shibauth/shibboleth-conf/pass-ac.xml

diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
index edfa7e84..ad617192 100755
--- a/shibauth/etc-httpd/conf.d/sp.conf
+++ b/shibauth/etc-httpd/conf.d/sp.conf
@@ -1,12 +1,13 @@
 <VirtualHost *:80>
-    ServerName https://emg.pdas.prism.eox.at:443
+    ServerName PassEnv APACHE_SERVERNAME
     UseCanonicalName On
 
     DocumentRoot "/var/www/html"
     <Location /secure>
       AuthType shibboleth
       ShibRequestSetting requireSession 1
-      require shib-session
-      RequestHeader set Referer X-Forwarded-Uri env=X-Forwarded-Uri
+      ShibAccessControl /etc/shibboleth/pass-ac.xml
+      RequestHeader set Referer "%{X-Forwarded-Uri}e"
+      Header set Referer "%{X-Forwarded-Uri}e"
     </Location>
 </VirtualHost>
\ No newline at end of file
diff --git a/shibauth/shibboleth-conf/attribute-map.xml b/shibauth/shibboleth-conf/attribute-map.xml
index e9e9797a..d20c5140 100755
--- a/shibauth/shibboleth-conf/attribute-map.xml
+++ b/shibauth/shibboleth-conf/attribute-map.xml
@@ -1,5 +1,4 @@
 <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />
-    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
-    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-signed-tcs" id="spField1" />
+    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-user-category" id="spField2"/>
 </Attributes>
diff --git a/shibauth/shibboleth-conf/pass-ac.xml b/shibauth/shibboleth-conf/pass-ac.xml
new file mode 100644
index 00000000..13465660
--- /dev/null
+++ b/shibauth/shibboleth-conf/pass-ac.xml
@@ -0,0 +1,9 @@
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+    <RuleRegex require="spField1">.+</RuleRegex>
+  </AND>
+</AccessControl>
\ No newline at end of file
-- 
GitLab


From 9e0418378ec191c47a0a80947fa12b8d5e92f7a0 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 27 Oct 2020 10:32:24 +0100
Subject: [PATCH 074/162] use certs as secrets

---
 docker-compose.base.ops.yml              | 10 ++++++++++
 shibauth/shibboleth-conf/shibboleth2.xml |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 56a2e14f..a307b9dd 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -31,6 +31,11 @@ services:
       - shib-extnet
   shibauth:
     image: testing-shibboleth
+    environment:
+      APACHE_SERVERNAME: "https://emg.pdas.prism.eox.at:443"
+    secrets:
+      - SHIB_CERT
+      - SHIB_KEY
     deploy:
       replicas: 1
       placement:
@@ -67,3 +72,8 @@ networks:
     name: logging-extnet
   shib-extnet:
     name: shib-extnet
+secrets:
+  SHIB_CERT:
+    external: true
+  SHIB_KEY:
+    external: true
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index e3a18eaf..15399b0d 100755
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -23,7 +23,7 @@
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
         <AttributeResolver type="Query" subjectMatch="true"/>
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
     </ApplicationDefaults>
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
-- 
GitLab


From 69620bed780dea094b6064d4151fb07b33151265 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 27 Oct 2020 19:11:38 +0100
Subject: [PATCH 075/162] fix apache config syntax

---
 shibauth/etc-httpd/conf.d/shib.conf | 2 +-
 shibauth/etc-httpd/conf.d/sp.conf   | 8 +++-----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
index 635aa462..cb82c34e 100755
--- a/shibauth/etc-httpd/conf.d/shib.conf
+++ b/shibauth/etc-httpd/conf.d/shib.conf
@@ -1,7 +1,7 @@
-ServerName emg.pdas.prism.eox.at
 LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
 ShibCompatValidUser Off
 UseCanonicalName On
+DocumentRoot "/var/www/html"
 <Location />
   SetHandler shib
 </Location>
diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
index ad617192..5186e84f 100755
--- a/shibauth/etc-httpd/conf.d/sp.conf
+++ b/shibauth/etc-httpd/conf.d/sp.conf
@@ -1,12 +1,10 @@
 <VirtualHost *:80>
-    ServerName PassEnv APACHE_SERVERNAME
-    UseCanonicalName On
-
-    DocumentRoot "/var/www/html"
+    PassEnv APACHE_SERVERNAME
+    ServerName "${APACHE_SERVERNAME}"
     <Location /secure>
       AuthType shibboleth
       ShibRequestSetting requireSession 1
-      ShibAccessControl /etc/shibboleth/pass-ac.xml
+      Require shib-plugin /etc/shibboleth/pass-ac.xml
       RequestHeader set Referer "%{X-Forwarded-Uri}e"
       Header set Referer "%{X-Forwarded-Uri}e"
     </Location>
-- 
GitLab


From 405f1e216003122b9a8ad172b9bcbaa950c0de3d Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 28 Oct 2020 10:48:01 +0100
Subject: [PATCH 076/162] [shibauth] update docker compose files for other
 collections

---
 docker-compose.base.ops.yml  | 37 -----------------------------
 docker-compose.dem.ops.yml   | 44 ++++++++++++++++++++++++++++++++++
 docker-compose.emg.ops.yml   | 44 ++++++++++++++++++++++++++++++++++
 docker-compose.vhr18.ops.yml | 46 ++++++++++++++++++++++++++++++++++++
 4 files changed, 134 insertions(+), 37 deletions(-)

diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index d4a0eb35..002a236d 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,40 +28,9 @@ services:
       - emg-extnet
       - dem-extnet
       - logging-extnet
-      - shib-extnet
     secrets:
       - BASIC_AUTH_USERS_APIAUTH
       - BASIC_AUTH_USERS_AUTH
-  shibauth:
-    image: testing-shibboleth
-    environment:
-      APACHE_SERVERNAME: "https://emg.pdas.prism.eox.at:443"
-    secrets:
-      - SHIB_CERT
-      - SHIB_KEY
-    deploy:
-      replicas: 1
-      placement:
-        constraints: [node.role == manager]
-      labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`emg.pdas.prism.eox.at`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
-        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.shibauth.tls=true"
-        - "traefik.http.routers.shibauth.tls.certresolver=default"
-        - "traefik.http.routers.shibauth.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg.pdas.prism.eox.at`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
-        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
-        # general
-        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
-        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
-        - "traefik.docker.network=shib-extnet"
-        - "traefik.docker.lbswarm=true"
-        - "traefik.enable=true"
-    networks:
-      - shib-extnet
 volumes:
   traefik-data:
 networks:
@@ -73,13 +42,7 @@ networks:
     name: dem-extnet
   logging-extnet:
     name: logging-extnet
-  shib-extnet:
-    name: shib-extnet
 secrets:
-  SHIB_CERT:
-    external: true
-  SHIB_KEY:
-    external: true
   BASIC_AUTH_USERS_APIAUTH:
     external: true
   BASIC_AUTH_USERS_AUTH:
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index cb1223d8..72615fca 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -165,7 +165,51 @@ services:
       placement:
         constraints:
           - node.labels.type == internal
+  shibauth:
+    image: testing-shibboleth
+    environment:
+      APACHE_SERVERNAME: "https://dem-secure.pass.copernicus.eu:443"
+    secrets:
+      - SHIB_CERT
+      - SHIB_KEY
+      - BASIC_AUTH_USERS_AUTH
+    deploy:
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.shibauth.rule=Host(`dem-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.shibauth.tls=true"
+        - "traefik.http.routers.shibauth.tls.certresolver=default"
+        - "traefik.http.routers.shibauth.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`dem-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+        - "traefik.docker.network=dem-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+    networks:
+      - dem-extnet
+    configs:
+      - source: access-control-conf
+        target: /etc/shibboleth/pass-ac.xml
 networks:
   extnet:
     name: dem-extnet
     external: true
+configs:
+  access-control-conf:
+    file: ./config/dem_pass-ac.xml
+secrets:
+  SHIB_CERT:
+    external: true
+  SHIB_KEY:
+    external: true
+  BASIC_AUTH_USERS_AUTH:
+    external: true
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 4f344da8..30ab1f09 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -155,7 +155,51 @@ services:
       placement:
         constraints:
           - node.labels.type == internal
+  shibauth:
+    image: testing-shibboleth
+    environment:
+      APACHE_SERVERNAME: "https://emg-secure.pass.copernicus.eu:443"
+    secrets:
+      - SHIB_CERT
+      - SHIB_KEY
+      - BASIC_AUTH_USERS_AUTH
+    deploy:
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.shibauth.rule=Host(`emg-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.shibauth.tls=true"
+        - "traefik.http.routers.shibauth.tls.certresolver=default"
+        - "traefik.http.routers.shibauth.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+        - "traefik.docker.network=emg-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+    networks:
+      - emg-extnet
+    configs:
+      - source: access-control-conf
+        target: /etc/shibboleth/pass-ac.xml
 networks:
   extnet:
     name: emg-extnet
     external: true
+configs:
+  access-control-conf:
+    file: ./config/emg_pass-ac.xml
+secrets:
+  SHIB_CERT:
+    external: true
+  SHIB_KEY:
+    external: true
+  BASIC_AUTH_USERS_AUTH:
+    external: true
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 738fc6f0..7ce490bc 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -165,7 +165,53 @@ services:
       placement:
         constraints:
           - node.labels.type == internal
+  shibauth:
+    image: testing-shibboleth
+    environment:
+      APACHE_SERVERNAME: "https://vhr18-secure.pass.copernicus.eu:443"
+    secrets:
+      - SHIB_CERT
+      - SHIB_KEY
+      - BASIC_AUTH_USERS_AUTH
+    deploy:
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.shibauth.rule=Host(`vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.shibauth.tls=true"
+        - "traefik.http.routers.shibauth.tls.certresolver=default"
+        - "traefik.http.routers.shibauth.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+        - "traefik.docker.network=vhr18-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+    networks:
+      - vhr18-extnet
+    configs:
+      - source: access-control-conf
+        target: /etc/shibboleth/pass-ac.xml
 networks:
   extnet:
     name: vhr18-extnet
     external: true
+configs:
+  access-control-conf:
+    file: ./config/vhr18_pass-ac.xml
+secrets:
+  SHIB_CERT:
+    external: true
+  SHIB_KEY:
+    external: true
+  BASIC_AUTH_USERS_APIAUTH:
+    external: true
+  BASIC_AUTH_USERS_AUTH:
+    external: true
-- 
GitLab


From c2d3e07eb59009379a416c16e89438a72f96b09b Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 28 Oct 2020 12:15:42 +0100
Subject: [PATCH 077/162] access control as external config

---
 .../pass-ac.xml => config/dem_pass-ac.xml                | 0
 config/emg_pass-ac.xml                                   | 9 +++++++++
 config/vhr18_pass-ac.xml                                 | 9 +++++++++
 3 files changed, 18 insertions(+)
 rename shibauth/shibboleth-conf/pass-ac.xml => config/dem_pass-ac.xml (100%)
 create mode 100644 config/emg_pass-ac.xml
 create mode 100644 config/vhr18_pass-ac.xml

diff --git a/shibauth/shibboleth-conf/pass-ac.xml b/config/dem_pass-ac.xml
similarity index 100%
rename from shibauth/shibboleth-conf/pass-ac.xml
rename to config/dem_pass-ac.xml
diff --git a/config/emg_pass-ac.xml b/config/emg_pass-ac.xml
new file mode 100644
index 00000000..13465660
--- /dev/null
+++ b/config/emg_pass-ac.xml
@@ -0,0 +1,9 @@
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+    <RuleRegex require="spField1">.+</RuleRegex>
+  </AND>
+</AccessControl>
\ No newline at end of file
diff --git a/config/vhr18_pass-ac.xml b/config/vhr18_pass-ac.xml
new file mode 100644
index 00000000..13465660
--- /dev/null
+++ b/config/vhr18_pass-ac.xml
@@ -0,0 +1,9 @@
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+    <RuleRegex require="spField1">.+</RuleRegex>
+  </AND>
+</AccessControl>
\ No newline at end of file
-- 
GitLab


From 934956e9730a602720e4255079efc96e43c07981 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 28 Oct 2020 12:16:12 +0100
Subject: [PATCH 078/162] enable basicAuth in apache using secret users file

---
 docker-compose.dem.ops.yml          | 40 ++++-------------------------
 docker-compose.emg.ops.yml          | 30 ++++------------------
 docker-compose.test.ops.yml         | 31 ----------------------
 docker-compose.vhr18.ops.yml        | 40 ++++-------------------------
 shibauth/etc-httpd/conf.d/shib.conf | 24 ++++++++++++++++-
 shibauth/etc-httpd/conf.d/sp.conf   | 11 --------
 6 files changed, 38 insertions(+), 138 deletions(-)
 delete mode 100644 docker-compose.test.ops.yml
 delete mode 100755 shibauth/etc-httpd/conf.d/sp.conf

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 72615fca..283fc571 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -14,7 +14,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer.middlewares=shibAuth@file,compress@file,cors@file"
         - "traefik.http.routers.dem-renderer.tls=true"
         - "traefik.http.routers.dem-renderer.tls.certresolver=default"
         - "traefik.http.routers.dem-renderer.entrypoints=https"
@@ -32,16 +32,6 @@ services:
         - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
-        # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.dem-renderer-shib.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.dem-renderer-shib.tls=true"
-        - "traefik.http.routers.dem-renderer-shib.tls.certresolver=default"
-        - "traefik.http.routers.dem-renderer-shib.entrypoints=https"
-        # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.dem-renderer-shib-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`, `a.dem-secure.pass.copernicus.eu`, `b.dem-secure.pass.copernicus.eu`, `c.dem-secure.pass.copernicus.eu`, `d.dem-secure.pass.copernicus.eu`, `e.dem-secure.pass.copernicus.eu`, `f.dem-secure.pass.copernicus.eu`, `g.dem-secure.pass.copernicus.eu`, `h.dem-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer-shib-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -66,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.dem-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.dem-cache.tls=true"
         - "traefik.http.routers.dem-cache.tls.certresolver=default"
         - "traefik.http.routers.dem-cache.entrypoints=https"
@@ -84,16 +74,6 @@ services:
         - "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
-        # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.dem-cache-shib.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-cache-shib.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.dem-cache-shib.tls=true"
-        - "traefik.http.routers.dem-cache-shib.tls.certresolver=default"
-        - "traefik.http.routers.dem-cache-shib.entrypoints=https"
-        # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.dem-cache-shib-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `a.dem-secure.pdas.prism.eox.at`, `b.dem-secure.pdas.prism.eox.at`, `c.dem-secure.pdas.prism.eox.at`, `d.dem-secure.pdas.prism.eox.at`, `e.dem-secure.pdas.prism.eox.at`, `f.dem-secure.pdas.prism.eox.at`, `g.dem-secure.pdas.prism.eox.at`, `h.dem-secure.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-cache-shib-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-cache-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
         - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
@@ -134,16 +114,6 @@ services:
         - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
         - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-client-redirect.entrypoints=http"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.dem-client.rule=Host(`dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.dem-client.middlewares=shibAuth@file,compress@file"
-        - "traefik.http.routers.dem-client.tls=true"
-        - "traefik.http.routers.dem-client.tls.certresolver=default"
-        - "traefik.http.routers.dem-client.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.dem-client-redirect.rule=Host(`dem-secure.pdas.prism.eox.at`, `dem-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-client-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-client.loadbalancer.sticky=false"
         - "traefik.http.services.dem-client.loadbalancer.server.port=80"
@@ -168,7 +138,7 @@ services:
   shibauth:
     image: testing-shibboleth
     environment:
-      APACHE_SERVERNAME: "https://dem-secure.pass.copernicus.eu:443"
+      APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
     secrets:
       - SHIB_CERT
       - SHIB_KEY
@@ -179,13 +149,13 @@ services:
         constraints: [node.role == manager]
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`dem-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
         - "traefik.http.routers.shibauth.tls=true"
         - "traefik.http.routers.shibauth.tls.certresolver=default"
         - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`dem-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
         - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 30ab1f09..17528ced 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -14,7 +14,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer.middlewares=shibAuth@file,compress@file,cors@file"
         - "traefik.http.routers.emg-renderer.tls=true"
         - "traefik.http.routers.emg-renderer.tls.certresolver=default"
         - "traefik.http.routers.emg-renderer.entrypoints=https"
@@ -32,16 +32,6 @@ services:
         - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
-        # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.emg-renderer-shib.tls=true"
-        - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
-        # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.emg-renderer-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-shib-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -66,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.emg-cache.tls=true"
         - "traefik.http.routers.emg-cache.tls.certresolver=default"
         - "traefik.http.routers.emg-cache.entrypoints=https"
@@ -84,16 +74,6 @@ services:
         - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
-        # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.emg-cache-shib.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-cache-shib.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.emg-cache-shib.tls=true"
-        - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
-        - "traefik.http.routers.emg-cache-shib.entrypoints=https"
-        # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.emg-cache-shib-redirect.rule=Host(`emg-secure.pdas.prism.eox.at`, `a.emg-secure.pdas.prism.eox.at`, `b.emg-secure.pdas.prism.eox.at`, `c.emg-secure.pdas.prism.eox.at`, `d.emg-secure.pdas.prism.eox.at`, `e.emg-secure.pdas.prism.eox.at`, `f.emg-secure.pdas.prism.eox.at`, `g.emg-secure.pdas.prism.eox.at`, `h.emg-secure.pdas.prism.eox.at`, `emg-secure.pass.copernicus.eu`, `a.emg-secure.pass.copernicus.eu`, `b.emg-secure.pass.copernicus.eu`, `c.emg-secure.pass.copernicus.eu`, `d.emg-secure.pass.copernicus.eu`, `e.emg-secure.pass.copernicus.eu`, `f.emg-secure.pass.copernicus.eu`, `g.emg-secure.pass.copernicus.eu`, `h.emg-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-cache-shib-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-cache-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
         - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
@@ -158,7 +138,7 @@ services:
   shibauth:
     image: testing-shibboleth
     environment:
-      APACHE_SERVERNAME: "https://emg-secure.pass.copernicus.eu:443"
+      APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
     secrets:
       - SHIB_CERT
       - SHIB_KEY
@@ -169,13 +149,13 @@ services:
         constraints: [node.role == manager]
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`emg-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
         - "traefik.http.routers.shibauth.tls=true"
         - "traefik.http.routers.shibauth.tls.certresolver=default"
         - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
         - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
diff --git a/docker-compose.test.ops.yml b/docker-compose.test.ops.yml
deleted file mode 100644
index df6bd812..00000000
--- a/docker-compose.test.ops.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-version: "3.6"
-services:
-  shibauth:
-    image: testing-shibboleth
-    deploy:
-      labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
-        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.shibauth.tls=true"
-        - "traefik.http.routers.shibauth.tls.certresolver=default"
-        - "traefik.http.routers.shibauth.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
-        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
-        # general
-        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
-        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
-        - "traefik.docker.network=shib-extnet"
-        - "traefik.docker.lbswarm=true"
-        - "traefik.enable=true"
-      replicas: 1
-      placement:
-        constraints: [node.role == manager]
-    networks:
-      - extnet
-networks:
-  extnet:
-    name: shib-extnet
-    external: true
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 7ce490bc..9466f7f4 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -15,7 +15,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-renderer.middlewares=shibAuth@file,compress@file,cors@file"
         - "traefik.http.routers.vhr18-renderer.tls=true"
         - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
         - "traefik.http.routers.vhr18-renderer.entrypoints=https"
@@ -33,16 +33,6 @@ services:
         - "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
-        # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.vhr18-renderer-shib.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.vhr18-renderer-shib.tls=true"
-        - "traefik.http.routers.vhr18-renderer-shib.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-renderer-shib.entrypoints=https"
-        # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.vhr18-renderer-shib-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer-shib-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -66,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-cache.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.vhr18-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.vhr18-cache.tls=true"
         - "traefik.http.routers.vhr18-cache.tls.certresolver=default"
         - "traefik.http.routers.vhr18-cache.entrypoints=https"
@@ -84,16 +74,6 @@ services:
         - "traefik.http.routers.vhr18-cache_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
-        # router for shibboleth based auth based access (https)
-        - "traefik.http.routers.vhr18-cache-renderer-shib.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-cache-renderer-shib.middlewares=compress@file,cors@file,shibAuth@file"
-        - "traefik.http.routers.vhr18-cache-renderer-shib.tls=true"
-        - "traefik.http.routers.vhr18-cache-renderer-shib.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-cache-renderer-shib.entrypoints=https"
-        # router for shibboleth shibboleth auth based access (http)
-        - "traefik.http.routers.vhr18-cache-renderer-shib-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `a.vhr18-secure.pdas.prism.eox.at`, `b.vhr18-secure.pdas.prism.eox.at`, `c.vhr18-secure.pdas.prism.eox.at`, `d.vhr18-secure.pdas.prism.eox.at`, `e.vhr18-secure.pdas.prism.eox.at`, `f.vhr18-secure.pdas.prism.eox.at`, `g.vhr18-secure.pdas.prism.eox.at`, `h.vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`, `a.vhr18-secure.pass.copernicus.eu`, `b.vhr18-secure.pass.copernicus.eu`, `c.vhr18-secure.pass.copernicus.eu`, `d.vhr18-secure.pass.copernicus.eu`, `e.vhr18-secure.pass.copernicus.eu`, `f.vhr18-secure.pass.copernicus.eu`, `g.vhr18-secure.pass.copernicus.eu`, `h.vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-cache-renderer-shib-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-cache-renderer-shib-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
@@ -134,16 +114,6 @@ services:
         - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
         - "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.vhr18-client.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.vhr18-client.middlewares=shibAuth@file,compress@file"
-        - "traefik.http.routers.vhr18-client.tls=true"
-        - "traefik.http.routers.vhr18-client.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-client.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18-secure.pdas.prism.eox.at`, `vhr18-secure.pass.copernicus.eu`)"
-        - "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-client.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-client.loadbalancer.server.port=80"
@@ -168,7 +138,7 @@ services:
   shibauth:
     image: testing-shibboleth
     environment:
-      APACHE_SERVERNAME: "https://vhr18-secure.pass.copernicus.eu:443"
+      APACHE_SERVERNAME: "https://vhr18.pass.copernicus.eu:443"
     secrets:
       - SHIB_CERT
       - SHIB_KEY
@@ -179,13 +149,13 @@ services:
         constraints: [node.role == manager]
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
         - "traefik.http.routers.shibauth.tls=true"
         - "traefik.http.routers.shibauth.tls.certresolver=default"
         - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`vhr18-secure.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
         - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/shibauth/etc-httpd/conf.d/shib.conf
index cb82c34e..91216960 100755
--- a/shibauth/etc-httpd/conf.d/shib.conf
+++ b/shibauth/etc-httpd/conf.d/shib.conf
@@ -1,7 +1,29 @@
 LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
-ShibCompatValidUser Off
+ShibCompatValidUser On
 UseCanonicalName On
 DocumentRoot "/var/www/html"
+
 <Location />
   SetHandler shib
 </Location>
+
+<VirtualHost *:80>
+  PassEnv APACHE_SERVERNAME
+  ServerName "${APACHE_SERVERNAME}"
+  <Location /secure>
+    <If "-n req('Authorization')">
+      Require valid-user
+      AuthType Basic
+      AuthBasicProvider file
+      AuthName "/secure"
+      AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH
+    </If>
+    <Else>
+      AuthType shibboleth
+      ShibRequestSetting requireSession 1
+      Require shib-plugin /etc/shibboleth/pass-ac.xml
+      RequestHeader set Referer "%{X-Forwarded-Uri}e"
+      Header set Referer "%{X-Forwarded-Uri}e"
+    </Else>
+  </Location>
+</VirtualHost>
\ No newline at end of file
diff --git a/shibauth/etc-httpd/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/sp.conf
deleted file mode 100755
index 5186e84f..00000000
--- a/shibauth/etc-httpd/conf.d/sp.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-<VirtualHost *:80>
-    PassEnv APACHE_SERVERNAME
-    ServerName "${APACHE_SERVERNAME}"
-    <Location /secure>
-      AuthType shibboleth
-      ShibRequestSetting requireSession 1
-      Require shib-plugin /etc/shibboleth/pass-ac.xml
-      RequestHeader set Referer "%{X-Forwarded-Uri}e"
-      Header set Referer "%{X-Forwarded-Uri}e"
-    </Location>
-</VirtualHost>
\ No newline at end of file
-- 
GitLab


From 6e64fafd17d94a437bd8192587e7b9160edb381e Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 28 Oct 2020 14:09:34 +0100
Subject: [PATCH 079/162] move shibboleth related files to config/shibboleth,
 use source image directly

---
 .../shibboleth}/attribute-map.xml             |   0
 config/{ => shibboleth}/dem_pass-ac.xml       |   0
 config/{ => shibboleth}/emg_pass-ac.xml       |   0
 {shibauth => config/shibboleth}/index.html    |   0
 .../shibboleth}/native.logger                 |   0
 .../shibboleth/shib-apache.conf               |   0
 .../shibboleth}/shibboleth2.xml               |   2 +-
 .../shibboleth}/shibd.logger                  |   0
 config/{ => shibboleth}/vhr18_pass-ac.xml     |   0
 docker-compose.dem.ops.yml                    |  34 ++++-
 docker-compose.emg.ops.yml                    |  34 ++++-
 docker-compose.vhr18.ops.yml                  |  36 +++++-
 shibauth/Dockerfile                           |  39 ------
 .../shibboleth-conf/idp-metadata-esa-test.xml | 116 ------------------
 .../shibboleth-conf/idp-metadata_samltest.xml |  98 ---------------
 shibauth/shibboleth-conf/sp-metadata.xml      |  84 -------------
 16 files changed, 94 insertions(+), 349 deletions(-)
 rename {shibauth/shibboleth-conf => config/shibboleth}/attribute-map.xml (100%)
 rename config/{ => shibboleth}/dem_pass-ac.xml (100%)
 rename config/{ => shibboleth}/emg_pass-ac.xml (100%)
 rename {shibauth => config/shibboleth}/index.html (100%)
 mode change 100755 => 100644
 rename {shibauth/shibboleth-conf => config/shibboleth}/native.logger (100%)
 rename shibauth/etc-httpd/conf.d/shib.conf => config/shibboleth/shib-apache.conf (100%)
 rename {shibauth/shibboleth-conf => config/shibboleth}/shibboleth2.xml (98%)
 rename {shibauth/shibboleth-conf => config/shibboleth}/shibd.logger (100%)
 rename config/{ => shibboleth}/vhr18_pass-ac.xml (100%)
 delete mode 100755 shibauth/Dockerfile
 delete mode 100644 shibauth/shibboleth-conf/idp-metadata-esa-test.xml
 delete mode 100755 shibauth/shibboleth-conf/idp-metadata_samltest.xml
 delete mode 100644 shibauth/shibboleth-conf/sp-metadata.xml

diff --git a/shibauth/shibboleth-conf/attribute-map.xml b/config/shibboleth/attribute-map.xml
similarity index 100%
rename from shibauth/shibboleth-conf/attribute-map.xml
rename to config/shibboleth/attribute-map.xml
diff --git a/config/dem_pass-ac.xml b/config/shibboleth/dem_pass-ac.xml
similarity index 100%
rename from config/dem_pass-ac.xml
rename to config/shibboleth/dem_pass-ac.xml
diff --git a/config/emg_pass-ac.xml b/config/shibboleth/emg_pass-ac.xml
similarity index 100%
rename from config/emg_pass-ac.xml
rename to config/shibboleth/emg_pass-ac.xml
diff --git a/shibauth/index.html b/config/shibboleth/index.html
old mode 100755
new mode 100644
similarity index 100%
rename from shibauth/index.html
rename to config/shibboleth/index.html
diff --git a/shibauth/shibboleth-conf/native.logger b/config/shibboleth/native.logger
similarity index 100%
rename from shibauth/shibboleth-conf/native.logger
rename to config/shibboleth/native.logger
diff --git a/shibauth/etc-httpd/conf.d/shib.conf b/config/shibboleth/shib-apache.conf
similarity index 100%
rename from shibauth/etc-httpd/conf.d/shib.conf
rename to config/shibboleth/shib-apache.conf
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/config/shibboleth/shibboleth2.xml
similarity index 98%
rename from shibauth/shibboleth-conf/shibboleth2.xml
rename to config/shibboleth/shibboleth2.xml
index 15399b0d..2504a528 100755
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/config/shibboleth/shibboleth2.xml
@@ -19,7 +19,7 @@
         </Sessions>
         <Errors supportContact="admin@eox.at"
             helpLocation="/about.html"/>
-        <MetadataProvider type="XML" validate="false" path="idp-metadata-esa-test.xml"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
         <AttributeResolver type="Query" subjectMatch="true"/>
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
diff --git a/shibauth/shibboleth-conf/shibd.logger b/config/shibboleth/shibd.logger
similarity index 100%
rename from shibauth/shibboleth-conf/shibd.logger
rename to config/shibboleth/shibd.logger
diff --git a/config/vhr18_pass-ac.xml b/config/shibboleth/vhr18_pass-ac.xml
similarity index 100%
rename from config/vhr18_pass-ac.xml
rename to config/shibboleth/vhr18_pass-ac.xml
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 283fc571..1459c1f1 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -136,7 +136,7 @@ services:
         constraints:
           - node.labels.type == internal
   shibauth:
-    image: testing-shibboleth
+    image: unicon/shibboleth-sp:3.0.4
     environment:
       APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
     secrets:
@@ -169,13 +169,41 @@ services:
     configs:
       - source: access-control-conf
         target: /etc/shibboleth/pass-ac.xml
+      - source: shib-shibboleth2
+        target: /etc/shibboleth/shibboleth2.xml
+      - source: shib-apache
+        target: /etc/httpd/conf.d/shib.conf
+      - source: shib-attribute-map
+        target: /etc/shibboleth/attribute-map.xml
+      - source: idp-metadata
+        target: /etc/shibboleth/idp-metadata.xml
+      - source: shib-index
+        target: /var/www/html/secure/index.html
+      - source: shibd-logger
+        target: /etc/shibboleth/shibd.logger
+      - source: native-logger
+        target: /etc/shibboleth/native.logger
 networks:
   extnet:
     name: dem-extnet
     external: true
 configs:
-  access-control-conf:
-    file: ./config/dem_pass-ac.xml
+  shib-access-control-conf:
+    file: ./config/shibboleth/dem_pass-ac.xml
+  shib-shibboleth2: # this will vary for collections
+    file: ./config/shibboleth/shibboleth2.xml
+  shib-apache:
+    file: ./config/shibboleth/shib-apache.conf
+  shib-attribute-map:
+    file: ./config/shibboleth/attribute-map.xml
+  shib-index:
+    file: ./config/shibboleth/index.html
+  native-logger:
+    file: ./config/shibboleth/native.logger
+  shibd-logger:
+    file: ./config/shibboleth/shibd.logger
+  idp-metadata:
+    external: true
 secrets:
   SHIB_CERT:
     external: true
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 17528ced..0c4f9978 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -136,7 +136,7 @@ services:
         constraints:
           - node.labels.type == internal
   shibauth:
-    image: testing-shibboleth
+    image: unicon/shibboleth-sp:3.0.4
     environment:
       APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
     secrets:
@@ -169,13 +169,41 @@ services:
     configs:
       - source: access-control-conf
         target: /etc/shibboleth/pass-ac.xml
+      - source: shib-shibboleth2
+        target: /etc/shibboleth/shibboleth2.xml
+      - source: shib-apache
+        target: /etc/httpd/conf.d/shib.conf
+      - source: shib-attribute-map
+        target: /etc/shibboleth/attribute-map.xml
+      - source: idp-metadata
+        target: /etc/shibboleth/idp-metadata.xml
+      - source: shib-index
+        target: /var/www/html/secure/index.html
+      - source: shibd-logger
+        target: /etc/shibboleth/shibd.logger
+      - source: native-logger
+        target: /etc/shibboleth/native.logger
 networks:
   extnet:
     name: emg-extnet
     external: true
 configs:
-  access-control-conf:
-    file: ./config/emg_pass-ac.xml
+  shib-access-control-conf:
+    file: ./config/shibboleth/emg_pass-ac.xml
+  shib-shibboleth2: # this will vary for collections
+    file: ./config/shibboleth/shibboleth2.xml
+  shib-apache:
+    file: ./config/shibboleth/shib-apache.conf
+  shib-attribute-map:
+    file: ./config/shibboleth/attribute-map.xml
+  shib-index:
+    file: ./config/shibboleth/index.html
+  native-logger:
+    file: ./config/shibboleth/native.logger
+  shibd-logger:
+    file: ./config/shibboleth/shibd.logger
+  idp-metadata:
+    external: true
 secrets:
   SHIB_CERT:
     external: true
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 9466f7f4..f82fd145 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -136,7 +136,7 @@ services:
         constraints:
           - node.labels.type == internal
   shibauth:
-    image: testing-shibboleth
+    image: unicon/shibboleth-sp:3.0.4
     environment:
       APACHE_SERVERNAME: "https://vhr18.pass.copernicus.eu:443"
     secrets:
@@ -169,19 +169,45 @@ services:
     configs:
       - source: access-control-conf
         target: /etc/shibboleth/pass-ac.xml
+      - source: shib-shibboleth2
+        target: /etc/shibboleth/shibboleth2.xml
+      - source: shib-apache
+        target: /etc/httpd/conf.d/shib.conf
+      - source: shib-attribute-map
+        target: /etc/shibboleth/attribute-map.xml
+      - source: shib-idp-metadata
+        target: /etc/shibboleth/idp-metadata.xml
+      - source: shib-index
+        target: /var/www/html/secure/index.html
+      - source: shibd-logger
+        target: /etc/shibboleth/shibd.logger
+      - source: native-logger
+        target: /etc/shibboleth/native.logger
 networks:
   extnet:
     name: vhr18-extnet
     external: true
 configs:
-  access-control-conf:
-    file: ./config/vhr18_pass-ac.xml
+  shib-access-control-conf:
+    file: ./config/shibboleth/vhr18_pass-ac.xml
+  shib-shibboleth2: # this will vary for collections
+    file: ./config/shibboleth/shibboleth2.xml
+  shib-apache:
+    file: ./config/shibboleth/shib-apache.conf
+  shib-attribute-map:
+    file: ./config/shibboleth/attribute-map.xml
+  native-logger:
+    file: ./config/shibboleth/native.logger
+  shibd-logger:
+    file: ./config/shibboleth/shibd.logger
+  shib-index:
+    file: ./config/shibboleth/index.html
+  shib-idp-metadata:
+    external: true
 secrets:
   SHIB_CERT:
     external: true
   SHIB_KEY:
     external: true
-  BASIC_AUTH_USERS_APIAUTH:
-    external: true
   BASIC_AUTH_USERS_AUTH:
     external: true
diff --git a/shibauth/Dockerfile b/shibauth/Dockerfile
deleted file mode 100755
index 88efe7cb..00000000
--- a/shibauth/Dockerfile
+++ /dev/null
@@ -1,39 +0,0 @@
-#------------------------------------------------------------------------------
-#
-# Project: prism view server
-# Authors: Stephan Meissl <stephan.meissl@eox.at>
-#
-#------------------------------------------------------------------------------
-# Copyright (C) 2020 EOX IT Services GmbH <https://eox.at>
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to
-# deal in the Software without restriction, including without limitation the
-# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-# sell copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies of this Software or works derived from this Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-# IN THE SOFTWARE.
-#-----------------------------------------------------------------------------
-
-FROM unicon/shibboleth-sp:3.0.4
-
-MAINTAINER EOX
-LABEL name="prism view server cache" \
-      vendor="EOX IT Services GmbH <https://eox.at>" \
-      license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
-      type="prism view server shibauth" \
-      version="0.0.1"
-RUN mkdir -p /var/www/secure
-COPY shibboleth-conf /etc/shibboleth/
-COPY etc-httpd/ /etc/httpd/
-COPY index.html /var/www/html/secure
diff --git a/shibauth/shibboleth-conf/idp-metadata-esa-test.xml b/shibauth/shibboleth-conf/idp-metadata-esa-test.xml
deleted file mode 100644
index 647078b2..00000000
--- a/shibauth/shibboleth-conf/idp-metadata-esa-test.xml
+++ /dev/null
@@ -1,116 +0,0 @@
-<EntityDescriptor entityID="https://umssoidp.cdsv3.eu:443/shibboleth" validUntil="2030-01-01T00:00:00Z"
-                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-
-        <Extensions>
-            <shibmd:Scope regexp="false">esa.int</shibmd:Scope>
-        </Extensions>
-
-        <KeyDescriptor>
-            <ds:KeyInfo>
-                <ds:X509Data>
-                    <ds:X509Certificate>
-MIIEQjCCAyqgAwIBAgIJAJw83mLahxpQMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
-BAYTAklUMQ4wDAYDVQQIEwVMYXppbzENMAsGA1UEBxMEUm9tZTEZMBcGA1UEChMQ
-Q0RTVjMgQ29uc29ydGl1bTEOMAwGA1UECxMFU3BhY2UxGjAYBgNVBAMTEXVtc3Nv
-aWRwLmNkc3YzLmV1MB4XDTE1MDQwMjE2Mzg1M1oXDTI1MDMzMDE2Mzg1M1owczEL
-MAkGA1UEBhMCSVQxDjAMBgNVBAgTBUxhemlvMQ0wCwYDVQQHEwRSb21lMRkwFwYD
-VQQKExBDRFNWMyBDb25zb3J0aXVtMQ4wDAYDVQQLEwVTcGFjZTEaMBgGA1UEAxMR
-dW1zc29pZHAuY2RzdjMuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCrDTGZEQj7uMw347TnyMac0HnkLY046e/4V+boJBuQsP7Moxh6xHH2qcdS2UbW
-xtSBOUuS/aAz92udzY8wBrKUUvvWKEnyh3v84+kfNYugBp4ZpW7pJbfUh9KjUvWh
-G3LtZfyuRaCdyYF6TKh0K+96IRSpwe5wFXqRev7a6+8fDcTL73cFFBLjDaMFelIz
-szskhsGalXAq5WP20aDog0eiEbf8oTa5NDPY1UZDnwDmF0lNDm4lsYGAv59h+8kU
-ODGmmGVo5zrz7ujcU1sChc9iy9GlGEzekFAoEj6y9fbieyE4Wz6QW4nLeO1YZtjz
-kvOi6yp2raNQSI4hwVEWNDK/AgMBAAGjgdgwgdUwHQYDVR0OBBYEFKXpmub0bNGS
-gtwbyAUqu2kD1e8WMIGlBgNVHSMEgZ0wgZqAFKXpmub0bNGSgtwbyAUqu2kD1e8W
-oXekdTBzMQswCQYDVQQGEwJJVDEOMAwGA1UECBMFTGF6aW8xDTALBgNVBAcTBFJv
-bWUxGTAXBgNVBAoTEENEU1YzIENvbnNvcnRpdW0xDjAMBgNVBAsTBVNwYWNlMRow
-GAYDVQQDExF1bXNzb2lkcC5jZHN2My5ldYIJAJw83mLahxpQMAwGA1UdEwQFMAMB
-Af8wDQYJKoZIhvcNAQEFBQADggEBAGMnf0UOmtKB2VF/TsjG1Lz7fJ48sySGC9R6
-TLy3lbUplogZsIBdt/cc+DP6O6l2z16hDb9B0X9QjJjO1qvM4oQPjlm8dZGCnyFV
-EsstRM9EgOdnFIh16+q6x+u6c2XhnnLDdRsjsP7p53dT+iShgjI448voZDE3DLcs
-b2eQu+iN5rmNfvg6DdaP/+2cvkoMvKL5dF+YRk5KNLn2vHi3Fti6uIpWAfgiICHr
-dadCFX5qVlnadZP9Av35lM4VaDz+5eOFvjl1G+7+yEyaoi/m6gjrgrOI4Mqc1zcu
-DhMOi9NqX4P9LSI1seXUf0feKA5wB+ei7MgqSSpooJc2PEnFyRg=
-                    </ds:X509Certificate>
-                </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-        
-        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                                   Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML1/SOAP/ArtifactResolution" 
-                                   index="1"/>
-
-        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-                                   Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML2/SOAP/ArtifactResolution" 
-                                   index="2"/>
-                                   
-        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-
-        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" 
-                             Location="https://umssoidp.cdsv3.eu:443/idp/profile/Shibboleth/SSO" />
-
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
-                             Location="https://umssoidp.cdsv3.eu:443/idp/profile/SAML2/Redirect/SSO" />
-                                   
-        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
-                             Location="https://umssoidp.cdsv3.eu:443/idp/profile/SAML2/Redirect/SLO" 
-                             ResponseLocation="https://umssoidp.cdsv3.eu:443/idp/profile/SAML2/Redirect/SLO"/>
-    </IDPSSODescriptor>
-
-    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-
-        <Extensions>
-            <shibmd:Scope regexp="false">esa.int</shibmd:Scope>
-        </Extensions>
-
-        <KeyDescriptor>
-            <ds:KeyInfo>
-                <ds:X509Data>
-                    <ds:X509Certificate>
-MIIEQjCCAyqgAwIBAgIJAJw83mLahxpQMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
-BAYTAklUMQ4wDAYDVQQIEwVMYXppbzENMAsGA1UEBxMEUm9tZTEZMBcGA1UEChMQ
-Q0RTVjMgQ29uc29ydGl1bTEOMAwGA1UECxMFU3BhY2UxGjAYBgNVBAMTEXVtc3Nv
-aWRwLmNkc3YzLmV1MB4XDTE1MDQwMjE2Mzg1M1oXDTI1MDMzMDE2Mzg1M1owczEL
-MAkGA1UEBhMCSVQxDjAMBgNVBAgTBUxhemlvMQ0wCwYDVQQHEwRSb21lMRkwFwYD
-VQQKExBDRFNWMyBDb25zb3J0aXVtMQ4wDAYDVQQLEwVTcGFjZTEaMBgGA1UEAxMR
-dW1zc29pZHAuY2RzdjMuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCrDTGZEQj7uMw347TnyMac0HnkLY046e/4V+boJBuQsP7Moxh6xHH2qcdS2UbW
-xtSBOUuS/aAz92udzY8wBrKUUvvWKEnyh3v84+kfNYugBp4ZpW7pJbfUh9KjUvWh
-G3LtZfyuRaCdyYF6TKh0K+96IRSpwe5wFXqRev7a6+8fDcTL73cFFBLjDaMFelIz
-szskhsGalXAq5WP20aDog0eiEbf8oTa5NDPY1UZDnwDmF0lNDm4lsYGAv59h+8kU
-ODGmmGVo5zrz7ujcU1sChc9iy9GlGEzekFAoEj6y9fbieyE4Wz6QW4nLeO1YZtjz
-kvOi6yp2raNQSI4hwVEWNDK/AgMBAAGjgdgwgdUwHQYDVR0OBBYEFKXpmub0bNGS
-gtwbyAUqu2kD1e8WMIGlBgNVHSMEgZ0wgZqAFKXpmub0bNGSgtwbyAUqu2kD1e8W
-oXekdTBzMQswCQYDVQQGEwJJVDEOMAwGA1UECBMFTGF6aW8xDTALBgNVBAcTBFJv
-bWUxGTAXBgNVBAoTEENEU1YzIENvbnNvcnRpdW0xDjAMBgNVBAsTBVNwYWNlMRow
-GAYDVQQDExF1bXNzb2lkcC5jZHN2My5ldYIJAJw83mLahxpQMAwGA1UdEwQFMAMB
-Af8wDQYJKoZIhvcNAQEFBQADggEBAGMnf0UOmtKB2VF/TsjG1Lz7fJ48sySGC9R6
-TLy3lbUplogZsIBdt/cc+DP6O6l2z16hDb9B0X9QjJjO1qvM4oQPjlm8dZGCnyFV
-EsstRM9EgOdnFIh16+q6x+u6c2XhnnLDdRsjsP7p53dT+iShgjI448voZDE3DLcs
-b2eQu+iN5rmNfvg6DdaP/+2cvkoMvKL5dF+YRk5KNLn2vHi3Fti6uIpWAfgiICHr
-dadCFX5qVlnadZP9Av35lM4VaDz+5eOFvjl1G+7+yEyaoi/m6gjrgrOI4Mqc1zcu
-DhMOi9NqX4P9LSI1seXUf0feKA5wB+ei7MgqSSpooJc2PEnFyRg=
-                    </ds:X509Certificate>
-                </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-
-        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
-                          Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML1/SOAP/AttributeQuery" />
-        
-        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
-                          Location="https://umssoidp.cdsv3.eu:8110/idp/profile/SAML2/SOAP/AttributeQuery" />
-        
-        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-        
-    </AttributeAuthorityDescriptor>
-    
-</EntityDescriptor>    
diff --git a/shibauth/shibboleth-conf/idp-metadata_samltest.xml b/shibauth/shibboleth-conf/idp-metadata_samltest.xml
deleted file mode 100755
index 6a91356a..00000000
--- a/shibauth/shibboleth-conf/idp-metadata_samltest.xml
+++ /dev/null
@@ -1,98 +0,0 @@
-<!-- The entity describing the SAMLtest IdP, named by the entityID below --> 
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SAMLtestIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://samltest.id/saml/idp">
-    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
-        <Extensions>
-            <shibmd:Scope regexp="false">samltest.id</shibmd:Scope>
-            <mdui:UIInfo>
-                <mdui:DisplayName xml:lang="en">SAMLtest IdP</mdui:DisplayName>
-                <mdui:Description xml:lang="en">A free and basic IdP for testing SAML deployments</mdui:Description>
-                <mdui:Logo height="90" width="225">https://samltest.id/saml/logo.png</mdui:Logo>
-            </mdui:UIInfo>
-        </Extensions>
-
-        <KeyDescriptor use="signing">
-            <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-MIIDETCCAfmgAwIBAgIUZRpDhkNKl5eWtJqk0Bu1BgTTargwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwHhcNMTgwODI0MjExNDEwWhcNMzgw
-ODI0MjExNDEwWjAWMRQwEgYDVQQDDAtzYW1sdGVzdC5pZDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAJrh9/PcDsiv3UeL8Iv9rf4WfLPxuOm9W6aCntEA
-8l6c1LQ1Zyrz+Xa/40ZgP29ENf3oKKbPCzDcc6zooHMji2fBmgXp6Li3fQUzu7yd
-+nIC2teejijVtrNLjn1WUTwmqjLtuzrKC/ePoZyIRjpoUxyEMJopAd4dJmAcCq/K
-k2eYX9GYRlqvIjLFoGNgy2R4dWwAKwljyh6pdnPUgyO/WjRDrqUBRFrLQJorR2kD
-c4seZUbmpZZfp4MjmWMDgyGM1ZnR0XvNLtYeWAyt0KkSvFoOMjZUeVK/4xR74F8e
-8ToPqLmZEg9ZUx+4z2KjVK00LpdRkH9Uxhh03RQ0FabHW6UCAwEAAaNXMFUwHQYD
-VR0OBBYEFJDbe6uSmYQScxpVJhmt7PsCG4IeMDQGA1UdEQQtMCuCC3NhbWx0ZXN0
-LmlkhhxodHRwczovL3NhbWx0ZXN0LmlkL3NhbWwvaWRwMA0GCSqGSIb3DQEBCwUA
-A4IBAQBNcF3zkw/g51q26uxgyuy4gQwnSr01Mhvix3Dj/Gak4tc4XwvxUdLQq+jC
-cxr2Pie96klWhY/v/JiHDU2FJo9/VWxmc/YOk83whvNd7mWaNMUsX3xGv6AlZtCO
-L3JhCpHjiN+kBcMgS5jrtGgV1Lz3/1zpGxykdvS0B4sPnFOcaCwHe2B9SOCWbDAN
-JXpTjz1DmJO4ImyWPJpN1xsYKtm67Pefxmn0ax0uE2uuzq25h0xbTkqIQgJzyoE/
-DPkBFK1vDkMfAW11dQ0BXatEnW7Gtkc0lh2/PIbHWj4AzxYMyBf5Gy6HSVOftwjC
-voQR2qr2xJBixsg+MIORKtmKHLfU
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-        <KeyDescriptor use="signing">
-            <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEB
-CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4
-MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0
-ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOE
-jj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1kl
-bN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF
-/cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8n
-spXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0G
-A1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVz
-dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF
-AAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn
-7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHT
-TNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nbl
-D1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcU
-ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu
-3kXPjhSfj1AJGR1l9JGvJrHki1iHTA==
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-        <KeyDescriptor use="encryption">
-            <ds:KeyInfo>
-                    <ds:X509Data>
-                        <ds:X509Certificate>
-MIIDEjCCAfqgAwIBAgIVAPVbodo8Su7/BaHXUHykx0Pi5CFaMA0GCSqGSIb3DQEB
-CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4
-MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCQb+1a7uDdTTBBFfwOUun3IQ9nEuKM98SmJDWa
-MwM877elswKUTIBVh5gB2RIXAPZt7J/KGqypmgw9UNXFnoslpeZbA9fcAqqu28Z4
-sSb2YSajV1ZgEYPUKvXwQEmLWN6aDhkn8HnEZNrmeXihTFdyr7wjsLj0JpQ+VUlc
-4/J+hNuU7rGYZ1rKY8AA34qDVd4DiJ+DXW2PESfOu8lJSOteEaNtbmnvH8KlwkDs
-1NvPTsI0W/m4SK0UdXo6LLaV8saIpJfnkVC/FwpBolBrRC/Em64UlBsRZm2T89ca
-uzDee2yPUvbBd5kLErw+sC7i4xXa2rGmsQLYcBPhsRwnmBmlAgMBAAGjVzBVMB0G
-A1UdDgQWBBRZ3exEu6rCwRe5C7f5QrPcAKRPUjA0BgNVHREELTArggtzYW1sdGVz
-dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF
-AAOCAQEABZDFRNtcbvIRmblnZItoWCFhVUlq81ceSQddLYs8DqK340//hWNAbYdj
-WcP85HhIZnrw6NGCO4bUipxZXhiqTA/A9d1BUll0vYB8qckYDEdPDduYCOYemKkD
-dmnHMQWs9Y6zWiYuNKEJ9mf3+1N8knN/PK0TYVjVjXAf2CnOETDbLtlj6Nqb8La3
-sQkYmU+aUdopbjd5JFFwbZRaj6KiHXHtnIRgu8sUXNPrgipUgZUOVhP0C0N5OfE4
-JW8ZBrKgQC/6vJ2rSa9TlzI6JAa5Ww7gMXMP9M+cJUNQklcq+SBnTK8G+uBHgPKR
-zBDsMIEzRtQZm4GIoHJae4zmnCekkQ==
-                        </ds:X509Certificate>
-                    </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ArtifactResolution" index="1" />
-        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SLO"/>
-        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SLO"/>
-        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SLO"/>
-        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://samltest.id/idp/profile/Shibboleth/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ECP"/>
-    </IDPSSODescriptor>
-</EntityDescriptor>
\ No newline at end of file
diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
deleted file mode 100644
index 28a4e91f..00000000
--- a/shibauth/shibboleth-conf/sp-metadata.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<!--
-This is example metadata only. Do *NOT* supply it as is without review,
-and do *NOT* provide it in real time to your partners.
- -->
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_81a5b755d46cba9eb30ea45a18e11e7370ae1462" entityID="https://emg.pdas.prism.eox.at/shibboleth">
-
-  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
-  </md:Extensions>
-
-  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/Login"/>
-    </md:Extensions>
-    <md:KeyDescriptor>
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName>https://emg.pdas.prism.eox.at</ds:KeyName>
-        <ds:KeyName>https://https://emg.pdas.prism.eox.at/shibboleth</ds:KeyName>
-        <ds:X509Data>
-          <ds:X509SubjectName>CN=https://emg.pdas.prism.eox.at</ds:X509SubjectName>
-          <ds:X509Certificate>MIIEUDCCArigAwIBAgIJAJtainQ0t+tRMA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
-BAMTHWh0dHBzOi8vZW1nLnBkYXMucHJpc20uZW94LmF0MB4XDTIwMTAxNDExMjcy
-MFoXDTMwMTAxMjExMjcyMFowKDEmMCQGA1UEAxMdaHR0cHM6Ly9lbWcucGRhcy5w
-cmlzbS5lb3guYXQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDKkqzn
-QsDnXSa+BHA10ZVkvw/PBfJVsby1C+zazCo32GpIHv5P+RFZj3FoC+N+gYatqijZ
-57flt93krtqO/l/RrEosxwpWCXc54qXcFrPrlfXFr51dOW/BH6z1wpW9z67Pkr2M
-v8Jqgs0t/k8BFlZ2jmiAZGrG+G+DrCefiy9JuKwBSiVh7Tg5P31fZv0qliNKwo5k
-EbkeUuVrAvuNFV9NPdl35aevYZ0Mxy5N+/AbaaZScfmRnlTsRdHXL/k5anIceqk3
-k+qA1cHEXXqD7WtfQN4GQh9Oxqng//PBcH/9oe2h5axrkcw8YCC22YXp/OST4isk
-lL1noCuRYPluvVDFqrh6z9S94QFuO3PdUckl7S7Gsty6X0MSYPYpBFZgivalIena
-2vLC3sn5AGLrm3xmp4Io/iD0UtpnHHypCRghr8GE/yiZKPtq8bEk5d/NWMRgT5Ef
-t77vZByeDxgN0Pl5gf8WtN0yKSPauxS3llNy9UFfoQP9OGV3FjzOo3DGuTUCAwEA
-AaN9MHswWgYDVR0RBFMwUYIdaHR0cHM6Ly9lbWcucGRhcy5wcmlzbS5lb3guYXSG
-MGh0dHBzOi8vaHR0cHM6Ly9lbWcucGRhcy5wcmlzbS5lb3guYXQvc2hpYmJvbGV0
-aDAdBgNVHQ4EFgQUzMF2sJVjzVscd6vLPMLWx2gD4uEwDQYJKoZIhvcNAQELBQAD
-ggGBAIFFdjkcQyTWx30mwuJON4Bfi0IjBXyQ7YnbvB36sk9ohaPBz4uU1wKl5In+
-c/usuBgHS9JsBm2JIwnLKko6dS8h79pMnY8rDZxBxAPHkTUwTvzMraWHNXhblO9U
-Oqp2NJqy4hyV1OzDWM5yYHiTSZIOewDS8inUvoDwUSYgQr9fSKljUmeI0In9f6wf
-vvHA4hQQHVGYMNPO+rvpw8XeWZ8e+HdSxSM1RcL1m29s42HdycXTsmh4ghex4u16
-XvHNMGojW6ih0Oja69PKCraaLTUHPRjxwqx1ipaNbK/1pT7DPnLXHNGIOFW2JE9e
-XIi3xy/d+C2Z/Ejwt4Xd+FVA9mhhbLkss7YI+SMJi73e31//sBiKOXBT1yBv8l0n
-xTJsPmg2dbWQvNuJ89UIH8yPffcxdbT0xohgOiek+hBxZj0UU1ZSV5q2/X9aPKGZ
-PMQ/PFgQJvdjegNZPupgBspcNlvYsdtln9vvyXWoNsNioSa6Uvntb8KEHnnh035S
-VorGcA==
-</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
-    </md:KeyDescriptor>
-    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/Artifact/SOAP" index="1"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/POST"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SLO/Artifact"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST" index="1"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/Artifact" index="3"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://emg.pdas.prism.eox.at/Shibboleth.sso/SAML2/ECP" index="4"/>
-  </md:SPSSODescriptor>
-
-</md:EntityDescriptor>
\ No newline at end of file
-- 
GitLab


From 8f43fcc5ece65b104e86d6ba823749d12ddb25e0 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 28 Oct 2020 17:43:38 +0100
Subject: [PATCH 080/162] minor updates

---
 config/shibboleth/attribute-map.xml | 2 +-
 config/shibboleth/dem_pass-ac.xml   | 2 +-
 config/shibboleth/emg_pass-ac.xml   | 2 +-
 config/shibboleth/shib-apache.conf  | 2 --
 config/shibboleth/vhr18_pass-ac.xml | 2 +-
 5 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/config/shibboleth/attribute-map.xml b/config/shibboleth/attribute-map.xml
index d20c5140..ddc1eeef 100755
--- a/config/shibboleth/attribute-map.xml
+++ b/config/shibboleth/attribute-map.xml
@@ -1,4 +1,4 @@
 <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-signed-tcs" id="spField1" />
+    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-signed-tcs" id="spField1"/>
     <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-user-category" id="spField2"/>
 </Attributes>
diff --git a/config/shibboleth/dem_pass-ac.xml b/config/shibboleth/dem_pass-ac.xml
index 13465660..a93f5255 100644
--- a/config/shibboleth/dem_pass-ac.xml
+++ b/config/shibboleth/dem_pass-ac.xml
@@ -1,9 +1,9 @@
 <AccessControl
 type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
   <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
     <Rule require="spField2">
       Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
     </Rule>
-    <RuleRegex require="spField1">.+</RuleRegex>
   </AND>
 </AccessControl>
\ No newline at end of file
diff --git a/config/shibboleth/emg_pass-ac.xml b/config/shibboleth/emg_pass-ac.xml
index 13465660..a93f5255 100644
--- a/config/shibboleth/emg_pass-ac.xml
+++ b/config/shibboleth/emg_pass-ac.xml
@@ -1,9 +1,9 @@
 <AccessControl
 type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
   <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
     <Rule require="spField2">
       Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
     </Rule>
-    <RuleRegex require="spField1">.+</RuleRegex>
   </AND>
 </AccessControl>
\ No newline at end of file
diff --git a/config/shibboleth/shib-apache.conf b/config/shibboleth/shib-apache.conf
index 91216960..88f0a4ed 100755
--- a/config/shibboleth/shib-apache.conf
+++ b/config/shibboleth/shib-apache.conf
@@ -22,8 +22,6 @@ DocumentRoot "/var/www/html"
       AuthType shibboleth
       ShibRequestSetting requireSession 1
       Require shib-plugin /etc/shibboleth/pass-ac.xml
-      RequestHeader set Referer "%{X-Forwarded-Uri}e"
-      Header set Referer "%{X-Forwarded-Uri}e"
     </Else>
   </Location>
 </VirtualHost>
\ No newline at end of file
diff --git a/config/shibboleth/vhr18_pass-ac.xml b/config/shibboleth/vhr18_pass-ac.xml
index 13465660..a93f5255 100644
--- a/config/shibboleth/vhr18_pass-ac.xml
+++ b/config/shibboleth/vhr18_pass-ac.xml
@@ -1,9 +1,9 @@
 <AccessControl
 type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
   <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
     <Rule require="spField2">
       Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
     </Rule>
-    <RuleRegex require="spField1">.+</RuleRegex>
   </AND>
 </AccessControl>
\ No newline at end of file
-- 
GitLab


From eaa3c2ccc1c2d9f1ff6a4edcd6859383534e85c1 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Thu, 29 Oct 2020 09:35:03 +0100
Subject: [PATCH 081/162] update AC for other collections

now set on download+view, as separation is not easy now
---
 config/shibboleth/dem_pass-ac.xml   | 2 +-
 config/shibboleth/vhr18_pass-ac.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/shibboleth/dem_pass-ac.xml b/config/shibboleth/dem_pass-ac.xml
index a93f5255..08e4b9ba 100644
--- a/config/shibboleth/dem_pass-ac.xml
+++ b/config/shibboleth/dem_pass-ac.xml
@@ -3,7 +3,7 @@ type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
   <AND>
     <RuleRegex require="spField1">.+</RuleRegex>
     <Rule require="spField2">
-      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space TP_Data_Providers Data_Access_Services Ops_Space_Inf_Services
     </Rule>
   </AND>
 </AccessControl>
\ No newline at end of file
diff --git a/config/shibboleth/vhr18_pass-ac.xml b/config/shibboleth/vhr18_pass-ac.xml
index a93f5255..43130937 100644
--- a/config/shibboleth/vhr18_pass-ac.xml
+++ b/config/shibboleth/vhr18_pass-ac.xml
@@ -3,7 +3,7 @@ type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
   <AND>
     <RuleRegex require="spField1">.+</RuleRegex>
     <Rule require="spField2">
-      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth Int_Org_NGO
     </Rule>
   </AND>
 </AccessControl>
\ No newline at end of file
-- 
GitLab


From 07ca2aaf5c63c8ca21dbc2c6d2322910c686c7a4 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 29 Oct 2020 18:14:28 +0100
Subject: [PATCH 082/162] Adding initial configs for registrators (emg/vhr)
 Adding GSC scheme Fixing EOxServer backend: multiple files per coverage type
 possible

---
 config/dem_registrar-config.yml   |   0
 config/emg_registrar-config.yml   | 270 ++++++++++++++++++++++++++++++
 config/vhr18_registrar-config.yml | 174 +++++++++++++++++++
 core/registrar/scheme.py          |  38 ++++-
 4 files changed, 481 insertions(+), 1 deletion(-)
 create mode 100644 config/dem_registrar-config.yml
 create mode 100644 config/emg_registrar-config.yml
 create mode 100644 config/vhr18_registrar-config.yml

diff --git a/config/dem_registrar-config.yml b/config/dem_registrar-config.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/config/emg_registrar-config.yml b/config/emg_registrar-config.yml
new file mode 100644
index 00000000..5a1f37dc
--- /dev/null
+++ b/config/emg_registrar-config.yml
@@ -0,0 +1,270 @@
+sources:
+  - type: swift
+    name: !env '${UPLOAD_CONTAINER}'
+    kwargs:
+        username: !env '${OS_USERNAME}'
+        password: !env '${OS_PASSWORD}'
+        tenant_name: !env '${OS_TENANT_NAME}'
+        tenant_id: !env '${OS_TENANT_ID}'
+        region_name: !env '${OS_REGION_NAME}'
+        auth_version: !env '${ST_AUTH_VERSION}'
+        auth_url: !env '${OS_AUTH_URL}'
+        user_domain_name: !env '${OS_USER_DOMAIN_NAME}'
+        container: !env '${UPLOAD_CONTAINER}'
+
+schemes:
+  - type: gsc
+
+backends:
+  type: eoxserver
+    filter:
+    kwargs:
+      instance_base_path: /var/www/pvs/dev
+      instance_name: pvs_instance
+      mapping:
+        CS00:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_CS00'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              CS00: sar_hh_gray
+        CS01:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_CS01'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              CS01: sar_hh_gray
+        CS02:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_CS02'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              CS02: sar_hh_gray
+        CS03:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_CS03'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              CS03: sar_hh_gray
+        CS04:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_CS04'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              CS04: sar_hh_gray
+        DM01:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_DM01'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              DM01: RGNirByte
+        DM02:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_DM02'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              DM02: RGBNir
+        EQ02_3:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EQ02_3'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EQ02_3: RGB
+        EQ02_4:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EQ02_4'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EQ02_4: RGBNir
+        EW01:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EW01'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EW01: grayscale
+        EW02_3:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EW02_3'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EW02_3: RGB
+        EW02_4:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EW02_4'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EW02_4: RGBNir
+        EW02_8:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EW02_8'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EW02_8: CBGYRReNirNir2
+        EW03_3:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EW03_3'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EW03_3: RGB
+        EW03_4:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EW03_4'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EW03_4: RGBNir
+        EW03_8:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_EW03_8'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              EW03_8: CBGYRReNirNir2
+        GE01_4:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_GE01_4'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              GE01_4: RGBNir
+        GE01_3:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_GE01_3'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              GE01_3: RGB
+        GE01_1:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_GE01_1'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              GE01_1: grayscale
+        GY01:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_GY01'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              GY01: RGBNir
+        IK02:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_IK02'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              IK02: RGBNir
+        KS03:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_KS03'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              KS03: RGBNir
+        PH1A:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_PH1A'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              PH1A: RGBNir
+        PH1B:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_PH1B'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              PH1B: RGBNir
+        RE00:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_RE00'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              RE00: BGRReNir
+        RS02_2:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_RS02_2'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              RS02_2: sar_hh_gray
+        RS02_3:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_RS02_3'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              RS02_3: sar_hh_vv_gray
+        RS02_7:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_RS02_7'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              RS02_7: sar_hh_hv_vh_vv_rgb
+        SP04:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_SP04'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              SP04: RGBNirByte
+        SP05:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_SP05'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              SP05: RGNirByte
+        SP06:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_SP06'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              SP06: RGBNir
+        SP07:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_SP07'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              SP07: RGBNir
+        TX01_2:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_TX01_2'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              TX01_2: sar_hh_gray
+        TX01_3:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_TX01_3'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              TX01_3: sar_hh_vv_gray
+        TX01_7:
+          ~:
+            product_type_name: !env '${COLLECTION}_Product_TX01_7'
+            collections:
+              - !env '${COLLECTION}'
+            coverages:
+              TX01_7: sar_hh_hv_vh_vv_rgb
+
diff --git a/config/vhr18_registrar-config.yml b/config/vhr18_registrar-config.yml
new file mode 100644
index 00000000..fc26c38a
--- /dev/null
+++ b/config/vhr18_registrar-config.yml
@@ -0,0 +1,174 @@
+sources:
+  - type: swift
+    name: !env '${UPLOAD_CONTAINER}'
+    kwargs:
+        username: !env '${OS_USERNAME}'
+        password: !env '${OS_PASSWORD}'
+        tenant_name: !env '${OS_TENANT_NAME}'
+        tenant_id: !env '${OS_TENANT_ID}'
+        region_name: !env '${OS_REGION_NAME}'
+        auth_version: !env '${ST_AUTH_VERSION}'
+        auth_url: !env '${OS_AUTH_URL}'
+        user_domain_name: !env '${OS_USER_DOMAIN_NAME}'
+        container: !env '${UPLOAD_CONTAINER}'
+
+schemes:
+  - type: gsc
+
+backends:
+  type: eoxserver
+    filter:
+    kwargs:
+      instance_base_path: /var/www/pvs/dev
+      instance_name: pvs_instance
+      mapping:
+        PL00:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_PL00'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              PL00: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_PL00'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              PL00: RGBNir
+        DM02:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_DM02'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              DM02: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_DM02'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              DM02: RGBNir
+        KS03:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_KS03'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              KS03: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_KS03'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              KS03: RGBNir
+        KS04:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_KS04'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              KS04: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_KS04'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              KS04: RGBNir
+        PH1A:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_PH1A'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              PH1A: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_PH1A'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              PH1A: RGBNir
+        PH1B:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_PH1B'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              PH1B: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_PH1B'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              PH1B: RGBNir
+        SP06:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_SP06'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              SP06: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_SP06'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              SP06: RGBNir
+        SP07:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_SP07'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              SP07: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_SP07'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              SP07: RGBNir
+        SW00:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_SW00'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              SW00: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_SW00'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              SW00: RGBNir
+        TR00:
+          Level_1:
+            product_type_name: !env '${COLLECTION}_Product_TR00'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_1'
+            coverages:
+              TR00: RGBNir
+          Level_3:
+            product_type_name: !env '${COLLECTION}_Product_TR00'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_Level_3'
+            coverages:
+              TR00: RGBNir
diff --git a/core/registrar/scheme.py b/core/registrar/scheme.py
index f3057fbe..e5225a4d 100644
--- a/core/registrar/scheme.py
+++ b/core/registrar/scheme.py
@@ -104,7 +104,43 @@ class Sentinel2RegistrationScheme(RegistrationScheme):
 
 
 class GSCRegistrationScheme(RegistrationScheme):
-    pass
+    GSC_SCHEMA = {
+        'identifier': Parameter('//gml:metaDataProperty/gsc:EarthObservationMetaData/eop:identifier/text()'),
+        'type': Parameter('//gml:using/eop:EarthObservationEquipment/eop:platform/eop:Platform/eop:shortName/text()'),
+        'level': Parameter('//gml:metaDataProperty/gsc:EarthObservationMetaData/eop:parentIdentifier/text()'),
+        'mask': Parameter('//gsc:opt_metadata/gml:metaDataProperty/gsc:EarthObservationMetaData/eop:vendorSpecific/eop:SpecificInformation[eop:localAttribute/text() = "CF_POLY"]/eop:localValue/text()'),
+    }
+
+    def get_context(self, source: Source, path: str) -> Context:
+        gcs_filenames = source.list_files(path, 'GSC*.xml')
+        metadata_file = gsc_filenames[0]
+
+        tree = read_xml(source, metadata_file)
+        metadata = parse_metadata_schema(tl_tree, self.GSC_SCHEMA, tree.nsmap)
+
+        tiff_files = {
+            metadata['type']: source.list_files(path, '*.tif') + source.list_files(path, '*.TIF')
+        }
+
+        match = re.match(r'.*(Level_[0-9]+)$', metadata['level'])
+        if match:
+            level = match.groups()[0]
+        else:
+            level = None
+
+        return Context(
+            identifier=metadata['identifier'],
+            path=path,
+            product_type=metadata['type'],
+            product_level=level,
+            raster_files=tiff_files,
+            masks={
+                'validity': metadata['mask']
+            },
+            metadata_files=[metadata_file],
+            metadata={
+            }
+        )
 
 
 REGISTRATION_SCHEMES = {
-- 
GitLab


From b09d1de2838a6344b38329ef3c23b4332a741f2c Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 29 Oct 2020 18:14:42 +0100
Subject: [PATCH 083/162] Fixing EOxServer backend

---
 core/registrar/backend.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index 980cd40c..05507470 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -91,13 +91,16 @@ class EOxServerBackend(Backend):
 
         # register coverages and link them to the product
         for raster_identifier, coverage_type_name in mapping.get('coverages', {}).items():
-            raster_item = item.raster_files.get(raster_identifier)
-            raster_item = '/'.join(raster_item.split('/')[1:])
+            raster_items = item.raster_files.get(raster_identifier)
+            raster_items = [
+                storage + '/'.join(raster_item.split('/')[1:])
+                for raster_item in (raster_items if isinstance(raster_items, list) else [raster_items])
+            ]
 
             logger.info(f"Registering coverage {raster_item} as {coverage_type_name}")
 
             report = GDALRegistrator().register(
-                data_locations=[storage + [raster_item]],
+                data_locations=raster_items,
                 metadata_locations=[storage + [metadata_file]],
                 coverage_type_name=coverage_type_name,
                 overrides={
-- 
GitLab


From 8d31a4a04227cc75f146cb70ac89237d4eeb0074 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 29 Oct 2020 18:21:10 +0100
Subject: [PATCH 084/162] Mounting registrar configs for each stack

---
 docker-compose.dem.yml   | 8 +++++---
 docker-compose.emg.yml   | 7 +++++--
 docker-compose.vhr18.yml | 7 +++++--
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/docker-compose.dem.yml b/docker-compose.dem.yml
index 8381edda..71f3fe9a 100644
--- a/docker-compose.dem.yml
+++ b/docker-compose.dem.yml
@@ -125,7 +125,7 @@ services:
       OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
     configs:
       - source: preprocessor-config
-        target: /config.yaml      
+        target: /config.yaml
     deploy:
       replicas: 1
     networks:
@@ -166,6 +166,8 @@ services:
     configs:
       - source: init-db
         target: /init-db.sh
+      - source: registrar-config
+        target: /config.yaml
     deploy:
       replicas: 1
     networks:
@@ -188,7 +190,6 @@ services:
     configs:
       - source: sftp-users-dem
         target: /etc/sftp/users.conf
-
     ports:
         - "2222:22"
     deploy:
@@ -218,6 +219,8 @@ configs:
     file: ./config/dem_index-ops.html
   preprocessor-config:
     file: ./config/dem_preprocessor-config.yml
+  registrar-config:
+    file: ./config/dem_registrar-config.yml
 volumes:
   db-data:
   redis-data:
@@ -233,4 +236,3 @@ secrets:
     external: true
   DJANGO_PASSWORD:
     external: true
-  
\ No newline at end of file
diff --git a/docker-compose.emg.yml b/docker-compose.emg.yml
index d725f610..660c5229 100644
--- a/docker-compose.emg.yml
+++ b/docker-compose.emg.yml
@@ -135,7 +135,7 @@ services:
       OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
     configs:
       - source: preprocessor-config
-        target: /config.yaml      
+        target: /config.yaml
     deploy:
       replicas: 1
     networks:
@@ -172,11 +172,12 @@ services:
       WAIT_SERVICES: "redis:6379 database:5432"
       OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
       OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
-      
       REPORTING_DIR: '/mnt/reports/'
     configs:
       - source: init-db
         target: /init-db.sh
+      - source: registrar-config
+        target: /config.yaml
     deploy:
       replicas: 1
     networks:
@@ -219,6 +220,8 @@ configs:
     file: ./config/emg_index-ops.html
   preprocessor-config:
     file: ./config/emg_preprocessor-config.yml
+  registrar-config:
+    file: ./config/emg_registrar-config.yml
 volumes:
   db-data:
   redis-data:
diff --git a/docker-compose.vhr18.yml b/docker-compose.vhr18.yml
index 128aea0e..f70165b9 100644
--- a/docker-compose.vhr18.yml
+++ b/docker-compose.vhr18.yml
@@ -138,7 +138,7 @@ services:
       OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
     configs:
       - source: preprocessor-config
-        target: /config.yaml      
+        target: /config.yaml
     deploy:
       replicas: 1
     networks:
@@ -179,6 +179,8 @@ services:
     configs:
       - source: init-db
         target: /init-db.sh
+      - source: registrar-config
+        target: /config.yaml
     deploy:
       replicas: 1
     networks:
@@ -203,7 +205,6 @@ services:
         target: /etc/sftp/users.conf
     deploy:
       replicas: 1
-
     ports:
       - "2222:22"
   ingestor:
@@ -225,6 +226,8 @@ configs:
     file: ./config/vhr18_index-ops.html
   preprocessor-config:
     file: ./config/vhr18_preprocessor-config.yml
+  registrar-config:
+    file: ./config/vhr18_registrar-config.yml
 volumes:
   db-data:
   redis-data:
-- 
GitLab


From 380c569cd2fcfc8656aad78b90ac32b2a21e3051 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Fri, 30 Oct 2020 17:06:36 +0100
Subject: [PATCH 085/162] Implementing GSC registration scheme Improving on
 EOxServer backend Storages/StorageAuth are now created when necessary

---
 core/registrar/backend.py | 90 ++++++++++++++++++++++++++++++++++++---
 core/registrar/scheme.py  |  9 ++--
 core/registrar/source.py  | 38 ++++++++++++-----
 3 files changed, 115 insertions(+), 22 deletions(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index 05507470..46c07a12 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -3,6 +3,7 @@ import re
 import sys
 import logging
 from typing import List
+import json
 
 import django
 from django.db import transaction
@@ -10,7 +11,7 @@ from django.contrib.gis.geos import GEOSGeometry, Polygon
 
 from .exceptions import RegistrationError
 from .context import Context
-from .source import Source, S3Source, SwiftSource, LocalSource
+from .source import Source, LocalSource, S3Source, SwiftSource
 
 
 logger = logging.getLogger(__name__)
@@ -41,7 +42,75 @@ class EOxServerBackend(Backend):
         return models.Product.objects.filter(identifier=item.identifier).exists()
 
     def _get_storage_from_source(self, source: Source, path: str) -> list:
-        return [source.name] if source.name else []
+        from eoxserver.backends import models as backends
+
+        created_storage_auth = False
+        created_storage = False
+        storage_name = None
+        if isinstance(source, LocalSource):
+            storage, created_storage = backends.Storage.get_or_create(
+                name=source.name,
+                url=source.root_directory,
+                storage_type='local',
+            )
+            storage_name = storage.name
+        elif isinstance(source, S3Source):
+            params = json.dumps({
+                'ACCESS_KEY_ID': source.access_key_id,
+                'SECRET_ACCESS_KEY': source.secret_access_key,
+            })
+
+            storage_auth, created_storage_auth = backends.StorageAuth.objects.get_or_create(
+                name=source.endpoint_url,
+                url=source.endpoint_url,
+                storage_auth_type='S3',
+                auth_parameters=params,
+            )
+
+            bucket, _ = source.get_bucket_and_key(path)
+
+            storage, created_storage = backends.Storage.objects.get_or_create(
+                name=source.name,
+                url=bucket,
+                storage_type='S3',
+                storage_auth=storage_auth,
+            )
+            storage_name = storage.name
+
+        elif isinstance(source, SwiftSource):
+            params = json.dumps({
+                'auth-version': str(source.auth_version),
+                'identity-api-version': str(source.auth_version),
+                'username': source.username,
+                'password': source.password,
+                'tenant-name': source.tenant_name,
+                'tenant-id': source.tenant_id,
+                'region-name': source.region_name,
+            })
+
+            storage_auth, created_storage_auth = backends.StorageAuth.objects.get_or_create(
+                name=source.auth_url,
+                url=source.auth_url_short or source.auth_url,
+                storage_auth_type='keystone',
+                auth_parameters=params,
+            )
+
+            container, _ = source.get_container_and_path(path)
+
+            storage, created_storage = backends.Storage.objects.get_or_create(
+                name=source.name,
+                url=container,
+                storage_type='swift',
+                storage_auth=storage_auth,
+            )
+            storage_name = storage.name
+
+        if created_storage_auth:
+            logger.info(f'Created storage auth for {source.name}')
+        if created_storage:
+            logger.info(f'Created storage for {source.name}')
+
+        return [storage_name] if storage_name else []
 
     @transaction.atomic
     def register(self, source: Source, item: Context, replace: bool) -> RegistrationResult:
@@ -53,9 +122,13 @@ class EOxServerBackend(Backend):
         from eoxserver.resources.coverages.registration.registrators.gdal import GDALRegistrator
 
         # get the mapping for this particular item
-        mapping = self.mapping[item.product_type][item.product_level]
-        metadata_file = '/'.join(item.metadata_files[0].split('/')[1:])
+        type_mapping = self.mapping[item.product_type]
+        mapping = type_mapping.get(item.product_level) or type_mapping.get(None)
+
+        if not mapping:
+            raise RegistrationError(f'Could not get mapping for {item.product_type} {item.product_level}')
 
+        metadata_file = '/'.join(item.metadata_files[0].split('/')[1:])
         storage = self._get_storage_from_source(source, item.path)
 
         try:
@@ -63,7 +136,10 @@ class EOxServerBackend(Backend):
         except models.ProductType.DoesNotExist:
             pass
 
-        footprint = GEOSGeometry(item.metadata.pop('footprint'))
+        if 'footprint' in item.metadata:
+            footprint = GEOSGeometry(item.metadata.pop('footprint'))
+        else:
+            footprint = None
 
         product, _ = ProductRegistrator().register(
             metadata_locations=[storage + [metadata_file]],
@@ -93,11 +169,11 @@ class EOxServerBackend(Backend):
         for raster_identifier, coverage_type_name in mapping.get('coverages', {}).items():
             raster_items = item.raster_files.get(raster_identifier)
             raster_items = [
-                storage + '/'.join(raster_item.split('/')[1:])
+                storage + ['/'.join(raster_item.split('/')[1:])]
                 for raster_item in (raster_items if isinstance(raster_items, list) else [raster_items])
             ]
 
-            logger.info(f"Registering coverage {raster_item} as {coverage_type_name}")
+            logger.info(f"Registering coverage{'s' if len(raster_items) > 1 else ''} {raster_items} as {coverage_type_name}")
 
             report = GDALRegistrator().register(
                 data_locations=raster_items,
diff --git a/core/registrar/scheme.py b/core/registrar/scheme.py
index e5225a4d..ba857f34 100644
--- a/core/registrar/scheme.py
+++ b/core/registrar/scheme.py
@@ -109,17 +109,18 @@ class GSCRegistrationScheme(RegistrationScheme):
         'type': Parameter('//gml:using/eop:EarthObservationEquipment/eop:platform/eop:Platform/eop:shortName/text()'),
         'level': Parameter('//gml:metaDataProperty/gsc:EarthObservationMetaData/eop:parentIdentifier/text()'),
         'mask': Parameter('//gsc:opt_metadata/gml:metaDataProperty/gsc:EarthObservationMetaData/eop:vendorSpecific/eop:SpecificInformation[eop:localAttribute/text() = "CF_POLY"]/eop:localValue/text()'),
+        'footprint': Parameter('//gsc:opt_metadata/gml:metaDataProperty/gsc:EarthObservationMetaData/eop:vendorSpecific/eop:SpecificInformation[eop:localAttribute/text() = "CF_POLY"]/eop:localValue/text()'),
     }
 
     def get_context(self, source: Source, path: str) -> Context:
-        gcs_filenames = source.list_files(path, 'GSC*.xml')
+        gsc_filenames = source.list_files(path, ['GSC*.xml', 'GSC*.XML'])
         metadata_file = gsc_filenames[0]
 
         tree = read_xml(source, metadata_file)
-        metadata = parse_metadata_schema(tl_tree, self.GSC_SCHEMA, tree.nsmap)
+        metadata = parse_metadata_schema(tree, self.GSC_SCHEMA, tree.getroot().nsmap)
 
         tiff_files = {
-            metadata['type']: source.list_files(path, '*.tif') + source.list_files(path, '*.TIF')
+            metadata['type']: source.list_files(path, ['*.tif', '*.TIF'])
         }
 
         match = re.match(r'.*(Level_[0-9]+)$', metadata['level'])
@@ -152,7 +153,7 @@ def get_scheme(config: dict, path: str) -> RegistrationScheme:
     cfg_schemes = config['schemes']
 
     for cfg_scheme in cfg_schemes:
-        if cfg_scheme['filter']:
+        if cfg_scheme.get('filter'):
             if re.match(cfg_scheme['filter'], path):
                 break
         else:
diff --git a/core/registrar/source.py b/core/registrar/source.py
index d752712e..fc0e0494 100644
--- a/core/registrar/source.py
+++ b/core/registrar/source.py
@@ -33,8 +33,8 @@ class Source:
 class SwiftSource(Source):
     def __init__(self, name=None, username=None, password=None, tenant_name=None,
                  tenant_id=None, region_name=None, user_domain_id=None,
-                 user_domain_name=None, auth_url=None, auth_version=None,
-                 container=None):
+                 user_domain_name=None, auth_url=None, auth_url_short=None,
+                 auth_version=None, container=None):
         super().__init__(name)
 
         self.username = username
@@ -45,6 +45,7 @@ class SwiftSource(Source):
         self.user_domain_id = user_domain_id
         self.user_domain_name = user_domain_name
         self.auth_url = auth_url
+        self.auth_url_short = auth_url_short
         self.auth_version = auth_version  # TODO: assume 3
         self.container = container
 
@@ -70,9 +71,12 @@ class SwiftSource(Source):
         return container, path
 
 
-    def list_files(self, path, glob_pattern=None):
+    def list_files(self, path, glob_patterns=None):
         container, path = self.get_container_and_path(path)
 
+        if glob_patterns and not isinstance(glob_patterns, list):
+            glob_patterns = [glob_patterns]
+
         with self.get_service() as swift:
             pages = swift.list(
                 container=container,
@@ -84,8 +88,12 @@ class SwiftSource(Source):
                 if page["success"]:
                     # at least two files present -> pass validation
                     for item in page["listing"]:
-                        if glob_pattern is None or fnmatch(item['name'], glob_pattern):
-                            filenames.append(item['name'])
+                        if glob_patterns is None or any(
+                                fnmatch(item['name'], join(path, glob_pattern)) for glob_pattern in glob_patterns):
+
+                            filenames.append(
+                                item['name'] if self.container else join(container, item['name'])
+                            )
                 else:
                     raise page['error']
 
@@ -154,7 +162,10 @@ class S3Source(Source):
 
         return bucket, path
 
-    def list_files(self, path, glob_pattern=None):
+    def list_files(self, path, glob_patterns=None):
+        if glob_patterns and not isinstance(glob_patterns, list):
+            glob_patterns = [glob_patterns]
+
         bucket, key = self.get_bucket_and_key(path)
         logger.info(f'Listing S3 files for bucket {bucket} and prefix {key}')
         response = self.client.list_objects_v2(
@@ -165,7 +176,9 @@ class S3Source(Source):
         return [
             f"{bucket}/{item['Key']}"
             for item in response['Contents']
-            if glob_pattern is None or fnmatch(item['Key'], glob_pattern)
+            if glob_patterns is None or any(
+                fnmatch(item['name'], glob_pattern) for glob_pattern in glob_patterns
+            )
         ]
 
     def get_file(self, path, target_path):
@@ -195,9 +208,12 @@ class LocalSource(Source):
 
         return join(self.root_directory, path)
 
-    def list_files(self, path, glob_pattern=None):
-        if glob_pattern is not None:
-            return glob(join(self._join_path(path), glob_pattern))
+    def list_files(self, path, glob_patterns=None):
+        if glob_patterns and not isinstance(glob_patterns, list):
+            glob_patterns = [glob_patterns]
+
+        if glob_patterns is not None:
+            return glob(join(self._join_path(path), glob_patterns[0])) # TODO
         else:
             return glob(join(self._join_path(path), '*'))
 
@@ -219,7 +235,7 @@ def get_source(config: dict, path: str) -> Source:
     cfg_sources = config['sources']
 
     for cfg_source in cfg_sources:
-        if cfg_source['filter']:
+        if cfg_source.get('filter'):
             if re.match(cfg_source['filter'], path):
                 break
         else:
-- 
GitLab


From 1fb6af2c4c827601bd9023a58da54fa1ed88ca28 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Fri, 30 Oct 2020 17:07:01 +0100
Subject: [PATCH 086/162] Adjusting EMG registration config

---
 config/emg_init-db.sh           | 17 -----------------
 config/emg_registrar-config.yml |  5 ++---
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/config/emg_init-db.sh b/config/emg_init-db.sh
index 5944a22d..7ce4d7e7 100644
--- a/config/emg_init-db.sh
+++ b/config/emg_init-db.sh
@@ -975,23 +975,6 @@ if python3 manage.py id check "${COLLECTION}"; then
         echo "Provided collection '${COLLECTION}' not valid."
     fi
 
-    python3 manage.py storageauth create auth-cloud-ovh "${OS_AUTH_URL_SHORT}" \
-        --type keystone \
-        -p auth-version "${ST_AUTH_VERSION}" \
-        -p identity-api-version="${ST_AUTH_VERSION}" \
-        -p username "${OS_USERNAME}" \
-        -p password "${OS_PASSWORD}" \
-        -p tenant-name "${OS_TENANT_NAME}" \
-        -p tenant-id "${OS_TENANT_ID}" \
-        -p region-name "${OS_REGION_NAME}"
-
-    python3 manage.py storage create \
-        ${UPLOAD_CONTAINER} ${UPLOAD_CONTAINER} \
-        --type swift \
-        --storage-auth auth-cloud-ovh
-
-
-
 else
     echo "Using existing database"
 fi
\ No newline at end of file
diff --git a/config/emg_registrar-config.yml b/config/emg_registrar-config.yml
index 5a1f37dc..6f85f7d3 100644
--- a/config/emg_registrar-config.yml
+++ b/config/emg_registrar-config.yml
@@ -9,14 +9,13 @@ sources:
         region_name: !env '${OS_REGION_NAME}'
         auth_version: !env '${ST_AUTH_VERSION}'
         auth_url: !env '${OS_AUTH_URL}'
-        user_domain_name: !env '${OS_USER_DOMAIN_NAME}'
-        container: !env '${UPLOAD_CONTAINER}'
+        auth_url_short: !env '${OS_AUTH_URL_SHORT}'
 
 schemes:
   - type: gsc
 
 backends:
-  type: eoxserver
+  - type: eoxserver
     filter:
     kwargs:
       instance_base_path: /var/www/pvs/dev
-- 
GitLab


From 1cd24b7f5fcc77b03b3869468da15e7a61a1b573 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 2 Nov 2020 09:31:34 +0100
Subject: [PATCH 087/162] Adjusting VHR18 registration config

---
 config/vhr18_init-db.sh           | 16 ----------------
 config/vhr18_registrar-config.yml |  5 ++---
 2 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/config/vhr18_init-db.sh b/config/vhr18_init-db.sh
index 46c09742..3f1451df 100644
--- a/config/vhr18_init-db.sh
+++ b/config/vhr18_init-db.sh
@@ -401,22 +401,6 @@ if python3 manage.py id check "${COLLECTION}"; then
         echo "Provided collection '${COLLECTION}' not valid."
     fi
 
-    python3 manage.py storageauth create auth-cloud-ovh "${OS_AUTH_URL_SHORT}" \
-        --type keystone \
-        -p auth-version "${ST_AUTH_VERSION}" \
-        -p identity-api-version="${ST_AUTH_VERSION}" \
-        -p username "${OS_USERNAME}" \
-        -p password "${OS_PASSWORD}" \
-        -p tenant-name "${OS_TENANT_NAME}" \
-        -p tenant-id "${OS_TENANT_ID}" \
-        -p region-name "${OS_REGION_NAME}"
-
-    python3 manage.py storage create \
-        ${UPLOAD_CONTAINER} ${UPLOAD_CONTAINER} \
-        --type swift \
-        --storage-auth auth-cloud-ovh
-
-
 else
     echo "Using existing database"
 fi
diff --git a/config/vhr18_registrar-config.yml b/config/vhr18_registrar-config.yml
index fc26c38a..eb5ed8c7 100644
--- a/config/vhr18_registrar-config.yml
+++ b/config/vhr18_registrar-config.yml
@@ -9,14 +9,13 @@ sources:
         region_name: !env '${OS_REGION_NAME}'
         auth_version: !env '${ST_AUTH_VERSION}'
         auth_url: !env '${OS_AUTH_URL}'
-        user_domain_name: !env '${OS_USER_DOMAIN_NAME}'
-        container: !env '${UPLOAD_CONTAINER}'
+        auth_url_short: !env '${OS_AUTH_URL_SHORT}'
 
 schemes:
   - type: gsc
 
 backends:
-  type: eoxserver
+  - type: eoxserver
     filter:
     kwargs:
       instance_base_path: /var/www/pvs/dev
-- 
GitLab


From 05b7711516350d16b3e85d17c57b726b82d434a4 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 2 Nov 2020 09:32:21 +0100
Subject: [PATCH 088/162] Fixing cases for multi-bucket/container setup

---
 core/registrar/backend.py   | 5 +++--
 core/registrar/registrar.py | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index 46c07a12..3bdb14d7 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -54,6 +54,7 @@ class EOxServerBackend(Backend):
                 storage_type='local',
             )
             storage_name = storage.name
+
         elif isinstance(source, S3Source):
             params = json.dumps({
                 'ACCESS_KEY_ID': source.access_key_id,
@@ -70,7 +71,7 @@ class EOxServerBackend(Backend):
             bucket, _ = source.get_bucket_and_key(path)
 
             storage, created_storage = backends.Storage.objects.get_or_create(
-                name=source.name,
+                name=source.name if source.bucket else f'{source.name}-{bucket}',
                 url=bucket,
                 storage_type='S3',
                 storage_auth=storage_auth,
@@ -98,7 +99,7 @@ class EOxServerBackend(Backend):
             container, _ = source.get_container_and_path(path)
 
             storage, created_storage = backends.Storage.objects.get_or_create(
-                name=source.name,
+                name=source.name if source.container else f'{source.name}-{container}',
                 url=container,
                 storage_type='swift',
                 storage_auth=storage_auth,
diff --git a/core/registrar/registrar.py b/core/registrar/registrar.py
index 53c9b102..7630613d 100644
--- a/core/registrar/registrar.py
+++ b/core/registrar/registrar.py
@@ -35,6 +35,7 @@ def register_file(config: dict, path: str, replace: bool=False):
     for post_handler in get_post_handlers(config):
         post_handler(config, path, context)
 
+    logger.info(f"Successfully {'replaced' if replace else 'registered'} '{path}'")
     return context
 
 
-- 
GitLab


From ab41b313232c43bc6a440ea074c66bdd14f34b99 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 2 Nov 2020 12:25:14 +0100
Subject: [PATCH 089/162] Implemented direct geometry masks Adjusted VHR 18
 registration configuration to include masks

---
 config/vhr18_registrar-config.yml | 40 +++++++++++++++++++++++++++++++
 core/registrar/backend.py         | 14 ++++++++++-
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/config/vhr18_registrar-config.yml b/config/vhr18_registrar-config.yml
index eb5ed8c7..0295be2a 100644
--- a/config/vhr18_registrar-config.yml
+++ b/config/vhr18_registrar-config.yml
@@ -29,6 +29,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               PL00: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_PL00'
             collections:
@@ -36,6 +38,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               PL00: RGBNir
+            masks:
+              validity: validity
         DM02:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_DM02'
@@ -44,6 +48,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               DM02: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_DM02'
             collections:
@@ -51,6 +57,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               DM02: RGBNir
+            masks:
+              validity: validity
         KS03:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_KS03'
@@ -59,6 +67,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               KS03: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_KS03'
             collections:
@@ -66,6 +76,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               KS03: RGBNir
+            masks:
+              validity: validity
         KS04:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_KS04'
@@ -74,6 +86,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               KS04: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_KS04'
             collections:
@@ -81,6 +95,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               KS04: RGBNir
+            masks:
+              validity: validity
         PH1A:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_PH1A'
@@ -89,6 +105,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               PH1A: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_PH1A'
             collections:
@@ -96,6 +114,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               PH1A: RGBNir
+            masks:
+              validity: validity
         PH1B:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_PH1B'
@@ -104,6 +124,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               PH1B: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_PH1B'
             collections:
@@ -111,6 +133,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               PH1B: RGBNir
+            masks:
+              validity: validity
         SP06:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_SP06'
@@ -119,6 +143,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               SP06: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_SP06'
             collections:
@@ -126,6 +152,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               SP06: RGBNir
+            masks:
+              validity: validity
         SP07:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_SP07'
@@ -134,6 +162,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               SP07: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_SP07'
             collections:
@@ -141,6 +171,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               SP07: RGBNir
+            masks:
+              validity: validity
         SW00:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_SW00'
@@ -149,6 +181,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               SW00: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_SW00'
             collections:
@@ -156,6 +190,8 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               SW00: RGBNir
+            masks:
+              validity: validity
         TR00:
           Level_1:
             product_type_name: !env '${COLLECTION}_Product_TR00'
@@ -164,6 +200,8 @@ backends:
               - !env '${COLLECTION}_Level_1'
             coverages:
               TR00: RGBNir
+            masks:
+              validity: validity
           Level_3:
             product_type_name: !env '${COLLECTION}_Product_TR00'
             collections:
@@ -171,3 +209,5 @@ backends:
               - !env '${COLLECTION}_Level_3'
             coverages:
               TR00: RGBNir
+            masks:
+              validity: validity
diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index 3bdb14d7..2a83de1b 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -206,13 +206,25 @@ class EOxServerBackend(Backend):
         for mask_identifier, mask_type_name in mapping.get('masks', {}).items():
             mask_item = item.mask_files.get(mask_identifier)
             if mask_item:
-                logger.info(f"Adding mask {mask_type_name} to product")
+                logger.info(f"Adding mask (file) {mask_type_name} to product")
                 MaskRegistrator().register(
                     product.identifier,
                     storage + [mask_item],
                     mask_type_name,
                 )
 
+            mask_item = item.masks.get(mask_identifier)
+            if mask_item:
+                logger.info(f"Adding mask (geometry) {mask_type_name} to product")
+                models.Mask.objects.create(
+                    product=product,
+                    mask_type=models.MaskType.objects.get(
+                        product_type=product.product_type,
+                        name=mask_type_name,
+                    ),
+                    geometry=mask_item,
+                )
+
 
 BACKENDS = {
     'eoxserver': EOxServerBackend
-- 
GitLab


From f267ca1ad50eafcff219e4107d54c1b5e8d1d532 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 3 Nov 2020 09:47:23 +0100
Subject: [PATCH 090/162] Improved error handling in XML parsing

---
 core/registrar/xml.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/registrar/xml.py b/core/registrar/xml.py
index 519d8a54..cc7b37ee 100644
--- a/core/registrar/xml.py
+++ b/core/registrar/xml.py
@@ -8,6 +8,7 @@ import logging
 import lxml.etree
 
 from .source import Source
+from .exceptions import RegistrationError
 
 
 logger = logging.getLogger(__name__)
@@ -29,6 +30,9 @@ class Parameter:
     namespaces: dict = field(default_factory=dict)
 
 
+class ParserError(RegistrationError):
+    pass
+
 def parse_metadata_schema(tree: lxml.etree._ElementTree, schema: dict, namespaces: dict=None) -> dict:
     out = {}
     for key, param in schema.items():
@@ -39,7 +43,10 @@ def parse_metadata_schema(tree: lxml.etree._ElementTree, schema: dict, namespace
                 for v in values
             ]
         else:
-            value = param.parser(values[0]) if param.parser else values[0]
+            try:
+                value = param.parser(values[0]) if param.parser else values[0]
+            except IndexError:
+                raise ParserError(f'Failed to fetch single value for parameter {key}')
 
         out[key] = value
 
-- 
GitLab


From 3e97dfceb791efa2c7f7a3ebc93c0b28eb2dd4ea Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 3 Nov 2020 09:48:18 +0100
Subject: [PATCH 091/162] Fixed GSC footprint parsing Added option to extract
 level via RE

---
 core/registrar/scheme.py | 43 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

diff --git a/core/registrar/scheme.py b/core/registrar/scheme.py
index ba857f34..2e17a487 100644
--- a/core/registrar/scheme.py
+++ b/core/registrar/scheme.py
@@ -102,16 +102,51 @@ class Sentinel2RegistrationScheme(RegistrationScheme):
         )
 
 
+def parse_ring(string):
+    raw_coords = string.split()
+    return [(lon, lat) for lat, lon in pairwise(raw_coords)]
+
+
+def parse_polygons_gsc(elem):
+    def serialize_coord_list(coords):
+        return ','.join(
+            f'{x} {y}' for x, y in coords
+        )
+
+    interior = serialize_coord_list(
+        parse_ring(
+            elem.xpath(
+                "gml:exterior/gml:LinearRing/gml:posList", namespaces=elem.nsmap
+            )[0].text.strip()
+        )
+    )
+
+    exteriors = [
+        f'''({
+            serialize_coord_list(
+                parse_ring(poslist_elem.text.strip())
+            )
+        })'''
+        for poslist_elem in elem.xpath(
+            "gml:interior/gml:LinearRing/gml:posList", namespaces=elem.nsmap
+        )
+    ]
+
+    return f"POLYGON(({interior}){',' if exteriors else ''}{','.join(exteriors)})"
+
 
 class GSCRegistrationScheme(RegistrationScheme):
     GSC_SCHEMA = {
         'identifier': Parameter('//gml:metaDataProperty/gsc:EarthObservationMetaData/eop:identifier/text()'),
         'type': Parameter('//gml:using/eop:EarthObservationEquipment/eop:platform/eop:Platform/eop:shortName/text()'),
         'level': Parameter('//gml:metaDataProperty/gsc:EarthObservationMetaData/eop:parentIdentifier/text()'),
-        'mask': Parameter('//gsc:opt_metadata/gml:metaDataProperty/gsc:EarthObservationMetaData/eop:vendorSpecific/eop:SpecificInformation[eop:localAttribute/text() = "CF_POLY"]/eop:localValue/text()'),
-        'footprint': Parameter('//gsc:opt_metadata/gml:metaDataProperty/gsc:EarthObservationMetaData/eop:vendorSpecific/eop:SpecificInformation[eop:localAttribute/text() = "CF_POLY"]/eop:localValue/text()'),
+        'mask': Parameter('//gsc:opt_metadata/gml:metaDataProperty/gsc:EarthObservationMetaData/eop:vendorSpecific/eop:SpecificInformation[eop:localAttribute/text() = "CF_POLY"]/eop:localValue/text()', True),
+        'footprint': Parameter('(gsc:sar_metadata|gsc:opt_metadata)/gml:target/eop:Footprint/gml:multiExtentOf/gml:MultiSurface/gml:surfaceMembers/gml:Polygon', True, parse_polygons_gsc),
     }
 
+    def __init__(self, level_re: str=r'.*(Level_[0-9]+)$'):
+        self.level_re = level_re
+
     def get_context(self, source: Source, path: str) -> Context:
         gsc_filenames = source.list_files(path, ['GSC*.xml', 'GSC*.XML'])
         metadata_file = gsc_filenames[0]
@@ -123,7 +158,7 @@ class GSCRegistrationScheme(RegistrationScheme):
             metadata['type']: source.list_files(path, ['*.tif', '*.TIF'])
         }
 
-        match = re.match(r'.*(Level_[0-9]+)$', metadata['level'])
+        match = re.match(self.level_re, metadata['level'])
         if match:
             level = match.groups()[0]
         else:
@@ -136,7 +171,7 @@ class GSCRegistrationScheme(RegistrationScheme):
             product_level=level,
             raster_files=tiff_files,
             masks={
-                'validity': metadata['mask']
+                'validity': metadata['mask'][0] if metadata['mask'] else None
             },
             metadata_files=[metadata_file],
             metadata={
-- 
GitLab


From b6e54acbd3caf7e5fe2e33602e2ebc79b5c689b0 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 3 Nov 2020 09:49:03 +0100
Subject: [PATCH 092/162] Implemented DEM registrar config

---
 config/dem_init-db.sh           | 18 +--------
 config/dem_registrar-config.yml | 68 +++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 17 deletions(-)

diff --git a/config/dem_init-db.sh b/config/dem_init-db.sh
index 648f4b05..cfc2c4ec 100644
--- a/config/dem_init-db.sh
+++ b/config/dem_init-db.sh
@@ -42,7 +42,7 @@ if python3 manage.py id check "${COLLECTION}"; then
         python3 manage.py browsetype create "${COLLECTION}"_Product_COP-DEM_GLO-90-DGED --traceback \
             --red "gray" \
             --red-range -100 4000 \
-            --red-nodata 0 
+            --red-nodata 0
 
         python3 manage.py collectiontype create "${COLLECTION}"_Collection --traceback \
             --coverage-type "float32_grayscale" \
@@ -66,22 +66,6 @@ if python3 manage.py id check "${COLLECTION}"; then
         echo "Provided collection '${COLLECTION}' not valid."
     fi
 
-    python3 manage.py storageauth create auth-cloud-ovh "${OS_AUTH_URL_SHORT}" \
-        --type keystone \
-        -p auth-version "${ST_AUTH_VERSION}" \
-        -p identity-api-version="${ST_AUTH_VERSION}" \
-        -p username "${OS_USERNAME}" \
-        -p password "${OS_PASSWORD}" \
-        -p tenant-name "${OS_TENANT_NAME}" \
-        -p tenant-id "${OS_TENANT_ID}" \
-        -p region-name "${OS_REGION_NAME}"
-
-    python3 manage.py storage create \
-        ${UPLOAD_CONTAINER} ${UPLOAD_CONTAINER} \
-        --type swift \
-        --storage-auth auth-cloud-ovh
-
-
 else
     echo "Using existing database"
 fi
diff --git a/config/dem_registrar-config.yml b/config/dem_registrar-config.yml
index e69de29b..905b3ce7 100644
--- a/config/dem_registrar-config.yml
+++ b/config/dem_registrar-config.yml
@@ -0,0 +1,68 @@
+sources:
+  - type: swift
+    name: !env '${UPLOAD_CONTAINER}'
+    kwargs:
+        username: !env '${OS_USERNAME}'
+        password: !env '${OS_PASSWORD}'
+        tenant_name: !env '${OS_TENANT_NAME}'
+        tenant_id: !env '${OS_TENANT_ID}'
+        region_name: !env '${OS_REGION_NAME}'
+        auth_version: !env '${ST_AUTH_VERSION}'
+        auth_url: !env '${OS_AUTH_URL}'
+        auth_url_short: !env '${OS_AUTH_URL_SHORT}'
+
+schemes:
+  - type: gsc
+    kwargs:
+      level_re: '([A-Z0-9-_]+)/.*'
+
+backends:
+  - type: eoxserver
+    filter:
+    kwargs:
+      instance_base_path: /var/www/pvs/dev
+      instance_name: pvs_instance
+      mapping:
+        DEM1:
+          COP-DEM_EEA-10-DGED:
+            product_type_name: !env '${COLLECTION}_Product_COP-DEM_EEA-10-DGED'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_COP-DEM_EEA-10-DGED'
+            coverages:
+              DEM1: float32_grayscale
+          COP-DEM_EEA-10-INSP:
+            product_type_name: !env '${COLLECTION}_Product_COP-DEM_EEA-10-INSP'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_COP-DEM_EEA-10-INSP'
+            coverages:
+              DEM1: float32_grayscale
+          COP-DEM_GLO-30-DGED:
+            product_type_name: !env '${COLLECTION}_Product_COP-DEM_GLO-30-DGED'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_COP-DEM_GLO-30-DGED'
+            coverages:
+              DEM1: float32_grayscale
+          COP-DEM_GLO-90-DGED:
+            product_type_name: !env '${COLLECTION}_Product_COP-DEM_GLO-90-DGED'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_COP-DEM_GLO-90-DGED'
+            coverages:
+              DEM1: float32_grayscale
+          COP-DEM_GLO-30-DTED:
+            product_type_name: !env '${COLLECTION}_Product_COP-DEM_GLO-30-DTED'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_COP-DEM_GLO-30-DTED'
+            coverages:
+              DEM1: int16_grayscale
+          COP-DEM_GLO-90-DTED:
+            product_type_name: !env '${COLLECTION}_Product_COP-DEM_GLO-90-DTED'
+            collections:
+              - !env '${COLLECTION}'
+              - !env '${COLLECTION}_COP-DEM_GLO-90-DTED'
+            coverages:
+              DEM1: int16_grayscale
-- 
GitLab


From d760cb32551cbda5ef30886887315fe19f290e69 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 3 Nov 2020 09:49:19 +0100
Subject: [PATCH 093/162] Fixed wrong logging backend config

---
 docker-compose.dem.dev.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/docker-compose.dem.dev.yml b/docker-compose.dem.dev.yml
index 8ac49a6c..1b36628d 100644
--- a/docker-compose.dem.dev.yml
+++ b/docker-compose.dem.dev.yml
@@ -35,8 +35,6 @@ services:
       - type: bind
         source: ./core/
         target: /core/
-    logging:
-      driver: "fluentd"
   cache:
     ports:
       - "83:80"
-- 
GitLab


From e3f032b5f457f5711d0117d280d270ee905aec5f Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 3 Nov 2020 17:38:01 +0100
Subject: [PATCH 094/162] create separate shib rules for cache, add
 shibAuthCache to client

---
 config/shibboleth/dem_pass-ac-cache.xml   |  9 +++++++++
 config/shibboleth/dem_pass-ac.xml         |  2 +-
 config/shibboleth/emg_pass-ac-cache.xml   |  9 +++++++++
 config/shibboleth/emg_pass-ac.xml         |  2 +-
 config/shibboleth/shib-apache.conf        | 16 +++++++++++++++-
 config/shibboleth/vhr18_pass-ac-cache.xml |  9 +++++++++
 config/shibboleth/vhr18_pass-ac.xml       |  2 +-
 docker-compose.dem.ops.yml                |  8 ++++++--
 docker-compose.emg.ops.yml                |  8 ++++++--
 docker-compose.vhr18.ops.yml              |  8 ++++++--
 traefik-dynamic.yml                       |  4 ++++
 11 files changed, 67 insertions(+), 10 deletions(-)
 create mode 100644 config/shibboleth/dem_pass-ac-cache.xml
 create mode 100644 config/shibboleth/emg_pass-ac-cache.xml
 create mode 100644 config/shibboleth/vhr18_pass-ac-cache.xml

diff --git a/config/shibboleth/dem_pass-ac-cache.xml b/config/shibboleth/dem_pass-ac-cache.xml
new file mode 100644
index 00000000..29cc048b
--- /dev/null
+++ b/config/shibboleth/dem_pass-ac-cache.xml
@@ -0,0 +1,9 @@
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space TP_Data_Providers Data_Access_Services Ops_Space_Inf_Services Public_Auth Int_Org_NGO
+    </Rule>
+  </AND>
+</AccessControl>
diff --git a/config/shibboleth/dem_pass-ac.xml b/config/shibboleth/dem_pass-ac.xml
index 08e4b9ba..ef16ad42 100644
--- a/config/shibboleth/dem_pass-ac.xml
+++ b/config/shibboleth/dem_pass-ac.xml
@@ -6,4 +6,4 @@ type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
       Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space TP_Data_Providers Data_Access_Services Ops_Space_Inf_Services
     </Rule>
   </AND>
-</AccessControl>
\ No newline at end of file
+</AccessControl>
diff --git a/config/shibboleth/emg_pass-ac-cache.xml b/config/shibboleth/emg_pass-ac-cache.xml
new file mode 100644
index 00000000..91372acf
--- /dev/null
+++ b/config/shibboleth/emg_pass-ac-cache.xml
@@ -0,0 +1,9 @@
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+  </AND>
+</AccessControl>
diff --git a/config/shibboleth/emg_pass-ac.xml b/config/shibboleth/emg_pass-ac.xml
index a93f5255..91372acf 100644
--- a/config/shibboleth/emg_pass-ac.xml
+++ b/config/shibboleth/emg_pass-ac.xml
@@ -6,4 +6,4 @@ type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
       Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
     </Rule>
   </AND>
-</AccessControl>
\ No newline at end of file
+</AccessControl>
diff --git a/config/shibboleth/shib-apache.conf b/config/shibboleth/shib-apache.conf
index 88f0a4ed..8e5d486b 100755
--- a/config/shibboleth/shib-apache.conf
+++ b/config/shibboleth/shib-apache.conf
@@ -24,4 +24,18 @@ DocumentRoot "/var/www/html"
       Require shib-plugin /etc/shibboleth/pass-ac.xml
     </Else>
   </Location>
-</VirtualHost>
\ No newline at end of file
+  <Location /secure-cache>
+    <If "-n req('Authorization')">
+      Require valid-user
+      AuthType Basic
+      AuthBasicProvider file
+      AuthName "/secure"
+      AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH
+    </If>
+    <Else>
+      AuthType shibboleth
+      ShibRequestSetting requireSession 1
+      Require shib-plugin /etc/shibboleth/pass-ac-cache.xml
+    </Else>
+  </Location>
+</VirtualHost>
diff --git a/config/shibboleth/vhr18_pass-ac-cache.xml b/config/shibboleth/vhr18_pass-ac-cache.xml
new file mode 100644
index 00000000..6a152812
--- /dev/null
+++ b/config/shibboleth/vhr18_pass-ac-cache.xml
@@ -0,0 +1,9 @@
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth Int_Org_NGO Public
+    </Rule>
+  </AND>
+</AccessControl>
diff --git a/config/shibboleth/vhr18_pass-ac.xml b/config/shibboleth/vhr18_pass-ac.xml
index 43130937..2a0fb352 100644
--- a/config/shibboleth/vhr18_pass-ac.xml
+++ b/config/shibboleth/vhr18_pass-ac.xml
@@ -6,4 +6,4 @@ type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
       Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth Int_Org_NGO
     </Rule>
   </AND>
-</AccessControl>
\ No newline at end of file
+</AccessControl>
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 1459c1f1..285d973c 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -14,7 +14,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer.middlewares=shibAuthCache@file,compress@file,cors@file"
         - "traefik.http.routers.dem-renderer.tls=true"
         - "traefik.http.routers.dem-renderer.tls.certresolver=default"
         - "traefik.http.routers.dem-renderer.entrypoints=https"
@@ -167,8 +167,10 @@ services:
     networks:
       - dem-extnet
     configs:
-      - source: access-control-conf
+      - source: shib-access-control-conf
         target: /etc/shibboleth/pass-ac.xml
+      - source: shib-access-control-conf-cache
+        target: /etc/shibboleth/pass-ac-cache.xml
       - source: shib-shibboleth2
         target: /etc/shibboleth/shibboleth2.xml
       - source: shib-apache
@@ -190,6 +192,8 @@ networks:
 configs:
   shib-access-control-conf:
     file: ./config/shibboleth/dem_pass-ac.xml
+  shib-access-control-conf-cache:
+    file: ./config/shibboleth/dem_pass-ac-cache.xml
   shib-shibboleth2: # this will vary for collections
     file: ./config/shibboleth/shibboleth2.xml
   shib-apache:
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 0c4f9978..04c8beda 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -56,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.emg-cache.tls=true"
         - "traefik.http.routers.emg-cache.tls.certresolver=default"
         - "traefik.http.routers.emg-cache.entrypoints=https"
@@ -167,8 +167,10 @@ services:
     networks:
       - emg-extnet
     configs:
-      - source: access-control-conf
+      - source: shib-access-control-conf
         target: /etc/shibboleth/pass-ac.xml
+      - source: shib-access-control-conf-cache
+        target: /etc/shibboleth/pass-ac-cache.xml
       - source: shib-shibboleth2
         target: /etc/shibboleth/shibboleth2.xml
       - source: shib-apache
@@ -190,6 +192,8 @@ networks:
 configs:
   shib-access-control-conf:
     file: ./config/shibboleth/emg_pass-ac.xml
+  shib-access-control-conf-cache:
+    file: ./config/shibboleth/emg_pass-ac-cache.xml
   shib-shibboleth2: # this will vary for collections
     file: ./config/shibboleth/shibboleth2.xml
   shib-apache:
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index f82fd145..6d517bc9 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -56,7 +56,7 @@ services:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-cache.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.vhr18-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-cache.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
         - "traefik.http.routers.vhr18-cache.tls=true"
         - "traefik.http.routers.vhr18-cache.tls.certresolver=default"
         - "traefik.http.routers.vhr18-cache.entrypoints=https"
@@ -167,8 +167,10 @@ services:
     networks:
       - vhr18-extnet
     configs:
-      - source: access-control-conf
+      - source: shib-access-control-conf
         target: /etc/shibboleth/pass-ac.xml
+      - source: shib-access-control-conf-cache
+        target: /etc/shibboleth/pass-ac-cache.xml
       - source: shib-shibboleth2
         target: /etc/shibboleth/shibboleth2.xml
       - source: shib-apache
@@ -190,6 +192,8 @@ networks:
 configs:
   shib-access-control-conf:
     file: ./config/shibboleth/vhr18_pass-ac.xml
+  shib-access-control-conf-cache:
+    file: ./config/shibboleth/vhr18_pass-ac-cache.xml
   shib-shibboleth2: # this will vary for collections
     file: ./config/shibboleth/shibboleth2.xml
   shib-apache:
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index a04d0958..932dc5fc 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,6 +22,10 @@ http:
       forwardAuth:
         address: http://shibauth/secure
         trustForwardHeader: true
+    shibAuthCache:
+      forwardAuth:
+        address: http://shibauth/secure-cache
+        trustForwardHeader: true
     compress:
       compress: {}
     redirect:
-- 
GitLab


From cd3b7f8a6ad51804d8e432de0bc89717c8eea7de Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 4 Nov 2020 13:06:28 +0100
Subject: [PATCH 095/162] open /secure-cache endpoints, add index.html there
 too

---
 docker-compose.dem.ops.yml   | 8 +++++---
 docker-compose.emg.ops.yml   | 8 +++++---
 docker-compose.vhr18.ops.yml | 8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 285d973c..e891f57f 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -106,7 +106,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.dem-client.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
-        - "traefik.http.routers.dem-client.middlewares=auth@file,compress@file"
+        - "traefik.http.routers.dem-client.middlewares=shibAuthCache@file,compress@file"
         - "traefik.http.routers.dem-client.tls=true"
         - "traefik.http.routers.dem-client.tls.certresolver=default"
         - "traefik.http.routers.dem-client.entrypoints=https"
@@ -149,13 +149,13 @@ services:
         constraints: [node.role == manager]
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
         - "traefik.http.routers.shibauth.tls=true"
         - "traefik.http.routers.shibauth.tls.certresolver=default"
         - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
         - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
@@ -181,6 +181,8 @@ services:
         target: /etc/shibboleth/idp-metadata.xml
       - source: shib-index
         target: /var/www/html/secure/index.html
+      - source: shib-index
+        target: /var/www/html/secure-cache/index.html
       - source: shibd-logger
         target: /etc/shibboleth/shibd.logger
       - source: native-logger
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 04c8beda..941b1f09 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -106,7 +106,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client.middlewares=shibAuth@file,compress@file"
+        - "traefik.http.routers.emg-client.middlewares=shibAuthCache@file,compress@file"
         - "traefik.http.routers.emg-client.tls=true"
         - "traefik.http.routers.emg-client.tls.certresolver=default"
         - "traefik.http.routers.emg-client.entrypoints=https"
@@ -149,13 +149,13 @@ services:
         constraints: [node.role == manager]
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
         - "traefik.http.routers.shibauth.tls=true"
         - "traefik.http.routers.shibauth.tls.certresolver=default"
         - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
         - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
@@ -181,6 +181,8 @@ services:
         target: /etc/shibboleth/idp-metadata.xml
       - source: shib-index
         target: /var/www/html/secure/index.html
+      - source: shib-index
+        target: /var/www/html/secure-cache/index.html
       - source: shibd-logger
         target: /etc/shibboleth/shibd.logger
       - source: native-logger
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 6d517bc9..c17b88c9 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -106,7 +106,7 @@ services:
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.vhr18-client.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
-        - "traefik.http.routers.vhr18-client.middlewares=auth@file,compress@file"
+        - "traefik.http.routers.vhr18-client.middlewares=shibAuthCache@file,compress@file"
         - "traefik.http.routers.vhr18-client.tls=true"
         - "traefik.http.routers.vhr18-client.tls.certresolver=default"
         - "traefik.http.routers.vhr18-client.entrypoints=https"
@@ -149,13 +149,13 @@ services:
         constraints: [node.role == manager]
       labels:
         # router for basic auth based access (https)
-        - "traefik.http.routers.shibauth.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
         - "traefik.http.routers.shibauth.tls=true"
         - "traefik.http.routers.shibauth.tls.certresolver=default"
         - "traefik.http.routers.shibauth.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.shibauth-redirect.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
         - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
         - "traefik.http.routers.shibauth-redirect.entrypoints=http"
         # general
@@ -181,6 +181,8 @@ services:
         target: /etc/shibboleth/idp-metadata.xml
       - source: shib-index
         target: /var/www/html/secure/index.html
+      - source: shib-index
+        target: /var/www/html/secure-cache/index.html
       - source: shibd-logger
         target: /etc/shibboleth/shibd.logger
       - source: native-logger
-- 
GitLab


From b729deeb9057777c1680db2ce0afab3baf6bf5f5 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 4 Nov 2020 16:14:12 +0100
Subject: [PATCH 096/162] separate shib/basicauth traffic between pdas and pass

---
 docker-compose.dem.ops.yml      |  76 ++++++++++++-----
 docker-compose.emg.ops.yml      |  76 ++++++++++++-----
 docker-compose.emg.ops_test.yml | 147 --------------------------------
 docker-compose.vhr18.ops.yml    |  74 +++++++++++-----
 4 files changed, 158 insertions(+), 215 deletions(-)
 delete mode 100644 docker-compose.emg.ops_test.yml

diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index e891f57f..d6023b09 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -12,16 +12,16 @@ services:
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
     deploy:
       labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=shibAuthCache@file,compress@file,cors@file"
-        - "traefik.http.routers.dem-renderer.tls=true"
-        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
-        - "traefik.http.routers.dem-renderer.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.dem-renderer-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer-shib.tls=true"
+        - "traefik.http.routers.dem-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.dem-renderer-redirect-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer-redirect-shib.entrypoints=http"
         # router for referrer based access (https)
         - "traefik.http.routers.dem-renderer_referer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-renderer_referer.middlewares=compress@file,cors@file"
@@ -32,6 +32,16 @@ services:
         - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer.tls=true"
+        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -54,16 +64,16 @@ services:
     deploy:
       labels:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.dem-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
-        - "traefik.http.routers.dem-cache.tls=true"
-        - "traefik.http.routers.dem-cache.tls.certresolver=default"
-        - "traefik.http.routers.dem-cache.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.dem-cache-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.dem-cache-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-cache-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.dem-cache-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache-shib.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.dem-cache-shib.tls=true"
+        - "traefik.http.routers.dem-cache-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-cache-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.dem-cache-redirect-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.dem-cache-redirect-shib.entrypoints=http"
         # router for referrer based access (https)
         - "traefik.http.routers.dem-cache_referer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
@@ -74,6 +84,16 @@ services:
         - "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.dem-cache.tls=true"
+        - "traefik.http.routers.dem-cache.tls.certresolver=default"
+        - "traefik.http.routers.dem-cache.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.dem-cache-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-cache-redirect.entrypoints=http"
         # general
         - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
         - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
@@ -104,14 +124,24 @@ services:
         target: /usr/share/nginx/html/index.html
     deploy:
       labels:
+        # router for shib auth based access (https)
+        - "traefik.http.routers.dem-client-shib.rule=Host(`dem.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client-shib.middlewares=shibAuthCache@file,compress@file"
+        - "traefik.http.routers.dem-client-shib.tls=true"
+        - "traefik.http.routers.dem-client-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-client-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.dem-client-redirect-shib.rule=Host(`dem.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.dem-client-redirect-shib.entrypoints=http"
         # router for basic auth based access (https)
-        - "traefik.http.routers.dem-client.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
-        - "traefik.http.routers.dem-client.middlewares=shibAuthCache@file,compress@file"
+        - "traefik.http.routers.dem-client.rule=Host(`dem.pdas.prism.eox.at`)"
+        - "traefik.http.routers.dem-client.middlewares=auth@file,compress@file"
         - "traefik.http.routers.dem-client.tls=true"
         - "traefik.http.routers.dem-client.tls.certresolver=default"
         - "traefik.http.routers.dem-client.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`)"
         - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.dem-client-redirect.entrypoints=http"
         # general
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 941b1f09..86bea982 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -12,16 +12,16 @@ services:
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
     deploy:
       labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=shibAuth@file,compress@file,cors@file"
-        - "traefik.http.routers.emg-renderer.tls=true"
-        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer-shib.tls=true"
+        - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
         # router for referrer based access (https)
         - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
@@ -32,6 +32,16 @@ services:
         - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer.tls=true"
+        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -54,16 +64,16 @@ services:
     deploy:
       labels:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
-        - "traefik.http.routers.emg-cache.tls=true"
-        - "traefik.http.routers.emg-cache.tls.certresolver=default"
-        - "traefik.http.routers.emg-cache.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-cache-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.emg-cache-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-shib.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache-shib.tls=true"
+        - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-cache-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.emg-cache-redirect-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
         # router for referrer based access (https)
         - "traefik.http.routers.emg-cache_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
@@ -74,6 +84,16 @@ services:
         - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache.tls=true"
+        - "traefik.http.routers.emg-cache.tls.certresolver=default"
+        - "traefik.http.routers.emg-cache.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-cache-redirect.entrypoints=http"
         # general
         - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
         - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
@@ -104,14 +124,24 @@ services:
         target: /usr/share/nginx/html/index.html
     deploy:
       labels:
+        # router for shib auth based access (https)
+        - "traefik.http.routers.emg-client-shib.rule=Host(`emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-shib.middlewares=shibAuthCache@file,compress@file"
+        - "traefik.http.routers.emg-client-shib.tls=true"
+        - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-client-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.emg-client-redirect-shib.rule=Host(`emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.emg-client-redirect-shib.entrypoints=http"
         # router for basic auth based access (https)
-        - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client.middlewares=shibAuthCache@file,compress@file"
+        - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`)"
+        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file"
         - "traefik.http.routers.emg-client.tls=true"
         - "traefik.http.routers.emg-client.tls.certresolver=default"
         - "traefik.http.routers.emg-client.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`)"
         - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.emg-client-redirect.entrypoints=http"
         # general
diff --git a/docker-compose.emg.ops_test.yml b/docker-compose.emg.ops_test.yml
deleted file mode 100644
index 7b66a1ea..00000000
--- a/docker-compose.emg.ops_test.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-version: "3.6"
-services:
-  database:
-    volumes:
-      - type: tmpfs
-        target: /dev/shm
-        tmpfs:
-          size: 536870912
-  renderer:
-    environment:
-      INSTALL_DIR: "/var/www/pvs/ops/"
-      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
-    deploy:
-      labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
-        - "traefik.http.routers.emg-renderer.tls=true"
-        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
-        # router for referrer based access (https)
-        - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
-        - "traefik.http.routers.emg-renderer_referer.tls=true"
-        - "traefik.http.routers.emg-renderer_referer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
-        # general
-        - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
-        - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
-        - "traefik.docker.network=emg-extnet"
-        - "traefik.docker.lbswarm=true"
-        - "traefik.enable=true"
-      replicas: 0
-      resources:
-        limits:
-          memory: 8G
-      placement:
-        constraints:
-          - node.labels.type == external
-    networks:
-      - extnet
-  cache:
-    configs:
-      - source: mapcache-ops
-        target: /mapcache-template.xml
-    deploy:
-      labels:
-        - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
-        - "traefik.http.routers.emg-cache.tls=true"
-        - "traefik.http.routers.emg-cache.tls.certresolver=default"
-        - "traefik.http.routers.emg-cache.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-cache-redirect.entrypoints=http"
-        # router for referrer based access (https)
-        - "traefik.http.routers.emg-cache_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
-        - "traefik.http.routers.emg-cache_referer.tls=true"
-        - "traefik.http.routers.emg-cache_referer.tls.certresolver=default"
-        - "traefik.http.routers.emg-cache_referer.entrypoints=https"
-        # router for referrer based access (http)
-        - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
-        - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
-        # general
-        - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
-        - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
-        - "traefik.docker.network=emg-extnet"
-        - "traefik.docker.lbswarm=true"
-        - "traefik.enable=true"
-      replicas: 0
-      resources:
-        limits:
-          memory: 8G
-      placement:
-        constraints:
-          - node.labels.type == external
-    networks:
-      - extnet
-  registrar:
-    environment:
-      INSTALL_DIR: "/var/www/pvs/ops/"
-      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
-    deploy:
-      replicas: 0
-      placement:
-        constraints:
-          - node.labels.type == internal
-  client:
-    configs:
-      - source: client-ops
-        target: /usr/share/nginx/html/index.html
-    deploy:
-      labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client.middlewares=shibAuth@file,compress@file"
-        - "traefik.http.routers.emg-client.tls=true"
-        - "traefik.http.routers.emg-client.tls.certresolver=default"
-        - "traefik.http.routers.emg-client.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
-        - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-client-redirect.entrypoints=http"
-        # general
-        - "traefik.http.services.emg-client.loadbalancer.sticky=false"
-        - "traefik.http.services.emg-client.loadbalancer.server.port=80"
-        - "traefik.docker.network=emg-extnet"
-        - "traefik.docker.lbswarm=true"
-        - "traefik.enable=true"
-      placement:
-        constraints:
-          - node.labels.type == external
-    networks:
-      - extnet
-  preprocessor:
-    volumes:
-      - type: bind
-        source: /var/vhr
-        target: /tmp
-    deploy:
-      replicas: 0
-      placement:
-        constraints:
-          - node.labels.type == internal
-  sftp:
-    deploy:
-      replicas: 0
-  ingestor:
-    deploy:
-      replicas: 0
-networks:
-  extnet:
-    name: emg-extnet
-    external: true
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index c17b88c9..12a692eb 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -13,16 +13,16 @@ services:
     deploy:
       replicas: 3
       labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer.middlewares=shibAuth@file,compress@file,cors@file"
-        - "traefik.http.routers.vhr18-renderer.tls=true"
-        - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-renderer.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.vhr18-renderer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.vhr18-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-renderer-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.vhr18-renderer-shib.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-renderer-shib.tls=true"
+        - "traefik.http.routers.vhr18-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-renderer-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.vhr18-renderer-redirect-shib.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-renderer-redirect-shib.entrypoints=http"
         # router for referrer based access (https)
         - "traefik.http.routers.vhr18-renderer_referer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-renderer_referer.middlewares=compress@file,cors@file"
@@ -33,6 +33,16 @@ services:
         - "traefik.http.routers.vhr18-renderer_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-renderer_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.vhr18-renderer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-renderer.tls=true"
+        - "traefik.http.routers.vhr18-renderer.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-renderer.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.vhr18-renderer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.vhr18-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-renderer-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-renderer.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-renderer.loadbalancer.server.port=80"
@@ -54,16 +64,16 @@ services:
     deploy:
       labels:
         - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.vhr18-cache.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.vhr18-cache.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
-        - "traefik.http.routers.vhr18-cache.tls=true"
-        - "traefik.http.routers.vhr18-cache.tls.certresolver=default"
-        - "traefik.http.routers.vhr18-cache.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.vhr18-cache-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.vhr18-cache-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.vhr18-cache-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.vhr18-cache-shib.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.vhr18-cache-shib.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-cache-shib.tls=true"
+        - "traefik.http.routers.vhr18-cache-shib.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-cache-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.vhr18-cache-redirect-shib.rule=Host(`vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.vhr18-cache-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-cache-redirect-shib.entrypoints=http"
         # router for referrer based access (https)
         - "traefik.http.routers.vhr18-cache_referer.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
@@ -74,6 +84,16 @@ services:
         - "traefik.http.routers.vhr18-cache_referer-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`, `a.vhr18.pass.copernicus.eu`, `b.vhr18.pass.copernicus.eu`, `c.vhr18.pass.copernicus.eu`, `d.vhr18.pass.copernicus.eu`, `e.vhr18.pass.copernicus.eu`, `f.vhr18.pass.copernicus.eu`, `g.vhr18.pass.copernicus.eu`, `h.vhr18.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|vhr18.pdas.prism.eox.at|vhr18.pass.copernicus.eu)/?`)"
         - "traefik.http.routers.vhr18-cache_referer-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-cache_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.vhr18-cache.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.vhr18-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.vhr18-cache.tls=true"
+        - "traefik.http.routers.vhr18-cache.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-cache.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.vhr18-cache-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `a.vhr18.pdas.prism.eox.at`, `b.vhr18.pdas.prism.eox.at`, `c.vhr18.pdas.prism.eox.at`, `d.vhr18.pdas.prism.eox.at`, `e.vhr18.pdas.prism.eox.at`, `f.vhr18.pdas.prism.eox.at`, `g.vhr18.pdas.prism.eox.at`, `h.vhr18.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.vhr18-cache-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-cache-redirect.entrypoints=http"
         # general
         - "traefik.http.services.vhr18-cache.loadbalancer.sticky=false"
         - "traefik.http.services.vhr18-cache.loadbalancer.server.port=80"
@@ -104,14 +124,24 @@ services:
         target: /usr/share/nginx/html/index.html
     deploy:
       labels:
+        # router for shib auth based access (https)
+        - "traefik.http.routers.vhr18-client-shib.rule=Host(`vhr18.pass.copernicus.eu`)"
+        - "traefik.http.routers.vhr18-client-shib.middlewares=shibAuthCache@file,compress@file"
+        - "traefik.http.routers.vhr18-client-shib.tls=true"
+        - "traefik.http.routers.vhr18-client-shib.tls.certresolver=default"
+        - "traefik.http.routers.vhr18-client-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.vhr18-client-redirect-shib.rule=Host(`vhr18.pass.copernicus.eu`)"
+        - "traefik.http.routers.vhr18-client-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.vhr18-client-redirect-shib.entrypoints=http"
         # router for basic auth based access (https)
-        - "traefik.http.routers.vhr18-client.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
+        - "traefik.http.routers.vhr18-client.rule=Host(`vhr18.pdas.prism.eox.at`)"
         - "traefik.http.routers.vhr18-client.middlewares=shibAuthCache@file,compress@file"
         - "traefik.http.routers.vhr18-client.tls=true"
         - "traefik.http.routers.vhr18-client.tls.certresolver=default"
         - "traefik.http.routers.vhr18-client.entrypoints=https"
         # router for basic auth based access (http)
-        - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`, `vhr18.pass.copernicus.eu`)"
+        - "traefik.http.routers.vhr18-client-redirect.rule=Host(`vhr18.pdas.prism.eox.at`)"
         - "traefik.http.routers.vhr18-client-redirect.middlewares=redirect@file"
         - "traefik.http.routers.vhr18-client-redirect.entrypoints=http"
         # general
-- 
GitLab


From 6fbb8e8ec04c3375c3e9e1bb3d82365e7e95dbe5 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Wed, 4 Nov 2020 18:20:08 +0100
Subject: [PATCH 097/162] Improving Helm templates Improvin on init-db template
 Adding initial templates for preprocessor- and registar-configs Improved
 'values' with new config structs

---
 chart/files/init-db.sh                        | 199 ++++++++-----
 chart/files/preprocessor-config.yaml          |  26 ++
 chart/files/registrar-config.yaml             |   0
 .../preprocessor-config-configmap.yaml        |   6 +
 .../templates/registrar-config-configmap.yaml |   6 +
 chart/values.yaml                             | 261 ++++++++++++++++--
 6 files changed, 406 insertions(+), 92 deletions(-)
 create mode 100644 chart/files/preprocessor-config.yaml
 create mode 100644 chart/files/registrar-config.yaml
 create mode 100644 chart/templates/preprocessor-config-configmap.yaml
 create mode 100644 chart/templates/registrar-config-configmap.yaml

diff --git a/chart/files/init-db.sh b/chart/files/init-db.sh
index 58ff7402..80121bbe 100644
--- a/chart/files/init-db.sh
+++ b/chart/files/init-db.sh
@@ -1,85 +1,148 @@
-# Check if collection exits in database and initialize database only if not
-if python3 manage.py id check "${COLLECTION}"; then
-    echo "Initialize database"
+{{/*
+    Template to create the invocation of a browse type from a given
+    product type name, browse type name and browse type definition
 
-    python3 manage.py coveragetype import /rgbnir_definition.json --traceback
+    Expects '.' to be a dictionary in the following shape:
 
-{{- if .Values.initDb }}
+    {
+        product_type_name: "<product_type_name>",
+        browse_type_name: "<browse_type_name>", // or nil
+        browse_type: {
+            // either
+            grey: {
+                expression: "",
+                range: [low, high], // optional
+                nodata: nodatavalue, // optional
+            }
+            // or
+            red: {
+                expression: "",
+                range: [low, high], // optional
+                nodata: nodatavalue, // optional
+            },
+            green: {
+                expression: "",
+                range: [low, high], // optional
+                nodata: nodatavalue, // optional
+            },
+            blue: {
+                expression: "",
+                range: [low, high], // optional
+                nodata: nodatavalue, // optional
+            },
+            // optionally:
+            alpha: {
+                expression: "",
+                range: [low, high], // optional
+                nodata: nodatavalue, // optional
+            }
+        }
+    }
+*/}}
+{{- define "browsetype.cli" }}
+    python3 manage.py browsetype create "{{ .product_type_name }}" {{ if .browse_type_name }} "{{ .browse_type_name }}" {{- end }} \
+    {{- if hasKey .browse_type "grey" }}
+        --grey {{ .browse_type.grey.expression | quote }} \
+    {{- if hasKey .browse_type.grey "range" }}
+        --grey-range {{ range .browse_type.grey.range }}{{ . }} {{ end }}\
+    {{- end }}
+    {{- if hasKey .browse_type.grey "nodata" }}
+        --grey-nodata {{ .browse_type.grey.nodata }} \
+    {{- end }}
+    {{- else if and (.browse_type.red) (and .browse_type.green .browse_type.blue) }}
+        --red {{ .browse_type.red.expression | quote }} \
+        --green {{ .browse_type.green.expression | quote }} \
+        --blue {{ .browse_type.blue.expression | quote }} \
+    {{- if hasKey .browse_type.red "range" }}
+        --red-range {{ range .browse_type.red.range }}{{ . }} {{ end }}\
+    {{- end }}
+    {{- if hasKey .browse_type.green "range" }}
+        --green-range {{ range .browse_type.green.range }}{{ . }} {{ end }}\
+    {{- end }}
+    {{- if hasKey .browse_type.blue "range" }}
+        --blue-range {{ range .browse_type.blue.range }}{{ . }} {{ end }}\
+    {{- end }}
+    {{- if hasKey .browse_type.red "nodata" }}
+        --red-nodata {{ .browse_type.red.nodata }} \
+    {{- end }}
+    {{- if hasKey .browse_type.green "nodata" }}
+        --green-nodata {{ .browse_type.green.nodata }} \
+    {{- end }}
+    {{- if hasKey .browse_type.blue "nodata" }}
+        --blue-nodata {{ .browse_type.blue.nodata }} \
+    {{- end }}
+    {{- if hasKey .browse_type "alpha" }}
+        --grey {{ .browse_type.alpha.expression | quote }} \
+    {{- if hasKey .browse_type.alpha "range" }}
+        --alpha-range {{ range .browse_type.alpha.range }}{{ . }} {{ end }}\
+    {{- end }}
+    {{- if hasKey .browse_type.alpha "nodata" }}
+        --alpha-nodata {{ .browse_type.alpha.nodata }} \
+    {{- end }}
+    {{- end }}
+    {{- end }}
+        --traceback
+{{- end -}}
 
-    {{ .Values.initDb | nindent 6 }}
+# Check if collection exits in database and initialize database only if not
+if python3 manage.py id check "${COLLECTION}"; then
+    echo "Initialize database"
 
-{{- else }}
+    python3 manage.py coveragetype import /rgbnir_definition.json \
+        --traceback
 
-    if [ "${COLLECTION}" == "VHR_IMAGE_2018" ]; then
-        echo "Initializing collection '${COLLECTION}'."
+    echo "Initializing collection '${COLLECTION}'."
 
-        # PL00
-        python3 manage.py producttype create "${COLLECTION}"_Product_PL00 --traceback \
-            --coverage-type "RGBNir"
-        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 --traceback \
-            --red "red" \
-            --green "green" \
-            --blue "blue" \
-            --red-range 1000 15000 \
-            --green-range 1000 15000 \
-            --blue-range 1000 15000 \
-            --red-nodata 0 \
-            --green-nodata 0 \
-            --blue-nodata 0
-        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "TRUE_COLOR" --traceback \
-            --red "red" \
-            --green "green" \
-            --blue "blue" \
-            --red-range 1000 15000 \
-            --green-range 1000 15000 \
-            --blue-range 1000 15000 \
-            --red-nodata 0 \
-            --green-nodata 0 \
-            --blue-nodata 0
-        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "FALSE_COLOR" --traceback \
-            --red "nir" \
-            --green "red" \
-            --blue "green" \
-            --red-range 1000 15000 \
-            --green-range 1000 15000 \
-            --blue-range 1000 15000 \
-            --red-nodata 0 \
-            --green-nodata 0 \
-            --blue-nodata 0
-        python3 manage.py browsetype create "${COLLECTION}"_Product_PL00 "NDVI" --traceback \
-            --grey "(nir-red)/(nir+red)" --grey-range -1 1
+    {{- range $product_type_name, $product_type := .Values.config.products.types | default dict }}
 
+    #
+    # {{ $product_type_name }}
+    #
 
-        python3 manage.py collectiontype create "${COLLECTION}"_Collection --traceback \
-            --coverage-type "RGBNir" \
-            --product-type "${COLLECTION}"_Product_PL00
+    # create the product type
+    python3 manage.py producttype create {{ $product_type_name | quote }} \
+        {{ range $_, $coverage_type := $product_type.coverages }}--coverage-type { $coverage_type | quote }} \
+        {{- end }}
+        --traceback
 
-        # Create collections for all products
-        python3 manage.py collection create "${COLLECTION}" --type "${COLLECTION}"_Collection --traceback
+    {{- if hasKey $product_type "default_browse" }}
+    {{- template "browsetype.cli" dict "product_type_name" $product_type_name "browse_type_name" nil "browse_type" (get $product_type.browses $product_type.default_browse) -}}
+    {{- end }}
 
-        # Register mask type
-        python3 manage.py masktype create --validity "${COLLECTION}"_Product_PL00 validity
+    {{- range $browse_type_name, $browse_type := $product_type.browses }}
+    {{- template "browsetype.cli" dict "product_type_name" $product_type_name "browse_type_name" $browse_type_name "browse_type" $browse_type -}}
+    {{- end }}
 
-    else
-        echo "Provided collection '${COLLECTION}' not valid."
-    fi
+    # create mask type
+    {{- range $mask_type_name, $mask_type := $product_type.masks }}
+    python3 manage.py masktype create {{ $product_type_name | quote }} {{ $mask_type_name | quote }} \
+        {{ if $mask_type.validity -}} --validity \ {{- end }}
+        --traceback
+    {{- end }}
+    {{- end }} {{/* range .Values.config.products.types */}}
 
-    python3 manage.py storageauth create auth-cloud-ovh "${OS_AUTH_URL_SHORT}" \
-        --type keystone \
-        -p auth-version "${ST_AUTH_VERSION}" \
-        -p identity-api-version="${ST_AUTH_VERSION}" \
-        -p username "${OS_USERNAME}" \
-        -p password "${OS_PASSWORD}" \
-        -p tenant-name "${OS_TENANT_NAME}" \
-        -p tenant-id "${OS_TENANT_ID}" \
-        -p region-name "${OS_REGION_NAME}"
+    # set up collection type
+    {{- range $collection_name, $collection := .Values.config.collections }}
+    python3 manage.py collectiontype create "{{ $collection_name }}_type" \
+    {{- range $coverage_type := $collection.coverage_types }}
+        --coverage-type {{ $coverage_type | quote }} \
+    {{- end }}
+    {{- range $product_type_name := $collection.product_types }}
+        --product-type {{ $product_type_name | quote }} \
+    {{- end }}
+        --traceback
 
-    python3 manage.py storage create \
-        ${UPLOAD_CONTAINER} ${UPLOAD_CONTAINER} \
-        --type swift \
-        --storage-auth auth-cloud-ovh
+    # Instantiate a collection for the collection itself and all levels
+    python3 manage.py collection create {{ $collection_name | quote }} \
+        --type "{{ $collection_name }}_type" \
+        --traceback
 
-{{- end }}
+    {{- range $product_level := $collection.product_levels }}
+    python3 manage.py collection create "{{ $collection_name }}_{{ $product_level }}" \
+        --type "{{ $collection_name }}_type" \
+        --traceback
+    {{- end }}
+    {{- end }} {{/* range .collections */}}
 
 else
     echo "Using existing database"
diff --git a/chart/files/preprocessor-config.yaml b/chart/files/preprocessor-config.yaml
new file mode 100644
index 00000000..bfedb5c3
--- /dev/null
+++ b/chart/files/preprocessor-config.yaml
@@ -0,0 +1,26 @@
+{{- define "preprocessor.storage" }}
+  type: {{ .type }}
+  kwargs:
+{{- if eq .type "swift" }}
+    username: {{ .username }}
+    password: {{ .password }}
+    tenant_name: {{ .tenant_name }}
+    tenant_id: {{ .tenant_id }}
+    region_name: {{ .region_name }}
+    auth_url: {{ .auth_url }}
+    auth_version: {{ .auth_version }}
+    user_domain_name: {{ .user_domain_name }}
+{{- else if eq .type "s3" }}
+    bucket: {{ .bucket }}
+    endpoint_url: {{ .endpoint_url }}
+    access_key_id: {{ .access_key_id }}
+    secret_access_key: {{ .secret_access_key }}
+    region: {{ .region }}
+{{- end }}
+{{- end -}}
+source:
+  {{ template "preprocessor.storage" .Values.config.objectStorage.download | indent 2 }}
+target:
+  {{ template "preprocessor.storage" .Values.config.objectStorage.data | indent 2 }}
+
+{{ toYaml .Values.config.preprocessor | indent 2 }}
diff --git a/chart/files/registrar-config.yaml b/chart/files/registrar-config.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/chart/templates/preprocessor-config-configmap.yaml b/chart/templates/preprocessor-config-configmap.yaml
new file mode 100644
index 00000000..ab379486
--- /dev/null
+++ b/chart/templates/preprocessor-config-configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "vs.fullname" . }}-preprocessor-config
+data:
+  {{ (tpl (.Files.Glob "files/preprocessor-config.yaml").AsConfig . ) | indent 2 }}
diff --git a/chart/templates/registrar-config-configmap.yaml b/chart/templates/registrar-config-configmap.yaml
new file mode 100644
index 00000000..1eaf7ab5
--- /dev/null
+++ b/chart/templates/registrar-config-configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "vs.fullname" . }}-registrar-config
+data:
+  {{ (tpl (.Files.Glob "files/registrar-config.yaml").AsConfig . ) | nindent 2}}
diff --git a/chart/values.yaml b/chart/values.yaml
index 77a4950c..37f53ad8 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -18,32 +18,34 @@ config:
     DJANGO_USER: djangouser
   objectStorage:
     download:
-      OS_AUTH_URL_DOWNLOAD: https://auth.cloud.ovh.net/
-      OS_PASSWORD_DOWNLOAD: ospw
-      OS_REGION_NAME_DOWNLOAD: SERCO-DIAS1
-      OS_TENANT_ID_DOWNLOAD: tenantid
-      OS_TENANT_NAME_DOWNLOAD: "tenantname"
-      OS_USERNAME_DOWNLOAD: osuser
-      ST_AUTH_VERSION_DOWNLOAD: "3"
+      type: swift
+      username: "username"
+      password: "password"
+      tenant_name: "tenant_name"
+      tenant_id: "tenant_id"
+      region_name: "region_name"
+      auth_url: "auth_url"
+      auth_url_short: "auth_url_short"
+      auth_version: "auth_version"
+      user_domain_name: "user_domain_name"
     data:
-      OS_AUTH_URL: https://auth.cloud.ovh.net/v3/
-      OS_AUTH_URL_SHORT: https://auth.cloud.ovh.net/
-      OS_PASSWORD: ospw
-      OS_REGION_NAME: SERCO-DIAS1
-      OS_TENANT_ID: tenantid
-      OS_TENANT_NAME: "tenantname"
-      OS_USER_DOMAIN_NAME: default
-      OS_USERNAME: osuser
-      ST_AUTH_VERSION: "3"
+      type: swift
+      username: "username"
+      password: "password"
+      tenant_name: "tenant_name"
+      tenant_id: "tenant_id"
+      region_name: "region_name"
+      auth_url: "auth_url"
+      auth_url_short: "auth_url_short"
+      auth_version: "auth_version"
+      user_domain_name: "user_domain_name"
     cache:
-      S3_BUCKET: s3bucket
-      S3_ID: s3id
-      S3_SECRET: s3secret
-      S3_REGION: eu-central-1
-  preprocessing:
-    UPLOAD_CONTAINER: container
-    ENFORCE_FOUR_BANDS: "True"
-    SPLIT_PARTS_CHECK: "False"
+      type: S3
+      bucket: "bucket:"
+      endpoint_url: "endpoint_url:"
+      access_key_id: "access_key_id:"
+      secret_access_key: "secret_access_key:"
+      region: "region:"
   redis:
     REDIS_HOST: redis
     REDIS_PORT: "6379"
@@ -54,6 +56,217 @@ config:
     REDIS_SEED_QUEUE_KEY: seed_queue
     REDIS_SET_KEY: registered_set
 
+  client:
+    layers:
+      VHR_IMAGE_2018_Level_1:
+        display_color: '#eb3700'
+        title: VHR Image 2018 Level 1
+        layer: VHR_IMAGE_2018_Level_1__TRUE_COLOR
+        sub_layers:
+          VHR_IMAGE_2018_Level_1__TRUE_COLOR:
+            label: VHR Image 2018 True Color
+          VHR_IMAGE_2018_Level_1__masked_validity:
+            label: VHR Image 2018 True Color with masked validity
+          VHR_IMAGE_2018_Level_1__FALSE_COLOR:
+            label: VHR Image 2018 False Color
+          VHR_IMAGE_2018_Level_1__NDVI:
+            label: VHR Image 2018 NDVI
+      VHR_IMAGE_2018_Level_3:
+        display_color: '#eb3700'
+        title: VHR Image 2018 Level 3
+        layer: VHR_IMAGE_2018_Level_3__TRUE_COLOR
+        sub_layers:
+          VHR_IMAGE_2018_Level_3__TRUE_COLOR:
+            label: VHR Image 2018 True Color
+          VHR_IMAGE_2018_Level_3__masked_validity:
+            label: VHR Image 2018 True Color with masked validity
+          VHR_IMAGE_2018_Level_3__FALSE_COLOR:
+            label: VHR Image 2018 False Color
+          VHR_IMAGE_2018_Level_3__NDVI:
+            label: VHR Image 2018 NDVI
+    overlay_layers:
+      VHR_IMAGE_2018_Level_3__outlines:
+        display_color: '#187465'
+        title: VHR Image 2018 Level 3 Outlines
+        layer: VHR_IMAGE_2018_Level_3__outlines
+      VHR_IMAGE_2018_Level_3__masked_validity__Full:
+        display_color: '#187465'
+        title: VHR Image 2018 Level 3 True Color with masked validity Full Coverage
+        layer: VHR_IMAGE_2018_Level_3__masked_validity__Full
+      VHR_IMAGE_2018_Level_3__Full:
+        display_color: '#187465'
+        title: VHR Image 2018 Level 3 True Color Full Coverage
+        layer: VHR_IMAGE_2018_Level_3__Full
+
+  # cache related options
+  cache:
+    metadata:
+      title: PRISM Data Access Service (PASS) developed by EOX
+      abstract: PRISM Data Access Service (PASS) developed by EOX
+      url: https://vhr18.pvs.prism.eox.at/cache/ows
+      keyword: view service
+      accessconstraints: UNKNOWN
+      fees: UNKNOWN
+      contactname: Stephan Meissl
+      contactphone: Please contact via mail.
+      contactfacsimile: None
+      contactorganization: EOX IT Services GmbH
+      contactcity: Vienna
+      contactstateorprovince: Vienna
+      contactpostcode: 1090
+      contactcountry: Austria
+      contactelectronicmailaddress: office@eox.at
+      contactposition: CTO
+      providername: EOX
+      providerurl: https://eox.at
+      inspire_profile: true
+      inspire_metadataurl: TBD
+      defaultlanguage: eng
+      language: eng
+    services:
+      wms:
+        enabled: true
+      wmts:
+        enabled: true
+    connection_timeout: 10
+    timeout: 120
+    expires: 3600
+    key: /{tileset}/{grid}/{dim}/{z}/{x}/{y}.{ext}
+    tilesets:
+      VHR_IMAGE_2018__TRUE_COLOR:
+        title: VHR Image 2018 True Color
+        abstract: VHR Image 2018 True Color
+      VHR_IMAGE_2018__FALSE_COLOR:
+        title: VHR Image 2018 False Color
+        abstract: VHR Image 2018 False Color
+      VHR_IMAGE_2018__NDVI:
+        title: VHR Image 2018 NDVI
+        abstract: VHR Image 2018 NDVI
+        style: earth
+      VHR_IMAGE_2018_Level_1__TRUE_COLOR:
+        title: VHR Image 2018 Level 1 True Color
+        abstract: VHR Image 2018 Level 1 True Color
+      VHR_IMAGE_2018_Level_1__FALSE_COLOR:
+        title: VHR Image 2018 Level 1 False Color
+        abstract: VHR Image 2018 Level 1 False Color
+      VHR_IMAGE_2018_Level_1__NDVI:
+        title: VHR Image 2018 Level 1 NDVI
+        abstract: VHR Image 2018 Level 1 NDVI
+        style: earth
+      VHR_IMAGE_2018_Level_1__TRUE_COLOR:
+        title: VHR Image 2018 Level 3 True Color
+        abstract: VHR Image 2018 Level 3 True Color
+      VHR_IMAGE_2018_Level_1__FALSE_COLOR:
+        title: VHR Image 2018 Level 3 False Color
+        abstract: VHR Image 2018 Level 3 False Color
+      VHR_IMAGE_2018_Level_1__NDVI:
+        title: VHR Image 2018 Level 3 NDVI
+        abstract: VHR Image 2018 Level 3 NDVI
+        style: earth
+
+  preprocessor:
+    metadata_glob: '*GSC*.xml'
+    type_extractor:
+      xpath:
+        - /gsc:report/gsc:opt_metadata/gml:using/eop:EarthObservationEquipment/eop:platform/eop:Platform/eop:shortName/text()
+    level_extractor:
+      # xpath can also be a list of xpaths to be tried one after another
+      xpath: substring-after(substring-after(/gsc:report/gsc:opt_metadata/gml:metaDataProperty/gsc:EarthObservationMetaData/eop:parentIdentifier/text(), '/'), '/')
+    preprocessing:
+      defaults:
+        move_files: true
+        data_file_globs:
+          - '*.tif'
+          - '*.jp2'
+        output:
+          options:
+            format: COG
+            dstSRS: 'EPSG:4326'
+            dstNodata: 0
+            creationOptions:
+              - BLOCKSIZE=512
+              - COMPRESS=DEFLATE
+              - NUM_THREADS=8
+              - BIGTIFF=IF_SAFER
+              - OVERVIEWS=AUTO
+      types:
+        PH1B: # just to pass validation
+          nested: true
+
+  # mapping of collection name to objects
+  collections:
+    VHR_IMAGE_2018:
+      product_types:
+        - PL00
+        - DM02
+        - KS03
+        - KS04
+        - PH1A
+        - PH1B
+        - SP06
+        - SP07
+        - SW00
+        - TR00
+      product_levels:
+        - Level_1
+        - Level_3
+      coverage_types:
+        - RGBNir
+
+  products:
+    type_extractor:
+      xpath:
+        - /gsc:report/gsc:opt_metadata/gml:using/eop:EarthObservationEquipment/eop:platform/eop:Platform/eop:shortName/text()
+        - /gsc:report/gsc:sar_metadata/gml:using/eop:EarthObservationEquipment/eop:platform/eop:Platform/eop:shortName/text()
+      namespace_map:
+
+    level_extractor:
+      xpath:
+      namespace_map:
+
+    types:
+      PL00:
+        coverages:
+          PL00: RGBNir
+        default_browse: TRUE_COLOR
+        browses:
+          TRUE_COLOR:
+            red:
+              expression: red
+              range: [1000, 15000]
+              nodata: 0
+            green:
+              expression: green
+              range: [1000, 15000]
+              nodata: 0
+            blue:
+              expression: blue
+              range: [1000, 15000]
+              nodata: 0
+          FALSE_COLOR:
+            red:
+              expression: nir
+              range: [1000, 15000]
+              nodata: 0
+            green:
+              expression: red
+              range: [1000, 15000]
+              nodata: 0
+            blue:
+              expression: green
+              range: [1000, 15000]
+              nodata: 0
+          NDVI:
+            grey:
+              expression: (nir-red)/(nir+red)
+              range: [-1, 1]
+        masks:
+          validity:
+            validity: true
+
+  coverages:
+    # only RGBNir? SAR? complete list with all options here?
+
 database:
   persistence:
     enabled: false
-- 
GitLab


From 0abaff01d7bf777b6b592d161c6264ad5b3dd58e Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Thu, 5 Nov 2020 20:23:51 +0100
Subject: [PATCH 098/162] Fixing templates for registrar and preprocessor

---
 chart/files/preprocessor-config.yaml          | 35 +++++++++---
 chart/files/registrar-config.yaml             | 56 +++++++++++++++++++
 .../preprocessor-config-configmap.yaml        |  2 +-
 chart/values.yaml                             | 14 +++--
 4 files changed, 92 insertions(+), 15 deletions(-)

diff --git a/chart/files/preprocessor-config.yaml b/chart/files/preprocessor-config.yaml
index bfedb5c3..5bdc957e 100644
--- a/chart/files/preprocessor-config.yaml
+++ b/chart/files/preprocessor-config.yaml
@@ -1,7 +1,8 @@
-{{- define "preprocessor.storage" }}
+source:
+  {{- with .Values.config.objectStorage.download }}
   type: {{ .type }}
   kwargs:
-{{- if eq .type "swift" }}
+  {{- if eq .type "swift" }}
     username: {{ .username }}
     password: {{ .password }}
     tenant_name: {{ .tenant_name }}
@@ -10,17 +11,33 @@
     auth_url: {{ .auth_url }}
     auth_version: {{ .auth_version }}
     user_domain_name: {{ .user_domain_name }}
-{{- else if eq .type "s3" }}
+  {{- else if eq .type "s3" }}
     bucket: {{ .bucket }}
     endpoint_url: {{ .endpoint_url }}
     access_key_id: {{ .access_key_id }}
     secret_access_key: {{ .secret_access_key }}
     region: {{ .region }}
-{{- end }}
-{{- end -}}
-source:
-  {{ template "preprocessor.storage" .Values.config.objectStorage.download | indent 2 }}
+  {{- end }}
+  {{- end }}
 target:
-  {{ template "preprocessor.storage" .Values.config.objectStorage.data | indent 2 }}
-
+  {{- with .Values.config.objectStorage.data }}
+  type: {{ .type }}
+  kwargs:
+  {{- if eq .type "swift" }}
+    username: {{ .username }}
+    password: {{ .password }}
+    tenant_name: {{ .tenant_name }}
+    tenant_id: {{ .tenant_id }}
+    region_name: {{ .region_name }}
+    auth_url: {{ .auth_url }}
+    auth_version: {{ .auth_version }}
+    user_domain_name: {{ .user_domain_name }}
+  {{- else if eq .type "s3" }}
+    bucket: {{ .bucket }}
+    endpoint_url: {{ .endpoint_url }}
+    access_key_id: {{ .access_key_id }}
+    secret_access_key: {{ .secret_access_key }}
+    region: {{ .region }}
+  {{- end }}
+  {{- end }}
 {{ toYaml .Values.config.preprocessor | indent 2 }}
diff --git a/chart/files/registrar-config.yaml b/chart/files/registrar-config.yaml
index e69de29b..1dbc0876 100644
--- a/chart/files/registrar-config.yaml
+++ b/chart/files/registrar-config.yaml
@@ -0,0 +1,56 @@
+sources:
+  - kwargs:
+    {{- with .Values.config.objectStorage.download }}
+    type: {{ .type }}
+    name: name # TODO
+    kwargs:
+    {{- if eq .type "swift" }}
+      username: {{ .username }}
+      password: {{ .password }}
+      tenant_name: {{ .tenant_name }}
+      tenant_id: {{ .tenant_id }}
+      region_name: {{ .region_name }}
+      auth_url: {{ .auth_url }}
+      auth_version: {{ .auth_version }}
+      user_domain_name: {{ .user_domain_name }}
+    {{- else if eq .type "s3" }}
+      bucket: {{ .bucket }}
+      endpoint_url: {{ .endpoint_url }}
+      access_key_id: {{ .access_key_id }}
+      secret_access_key: {{ .secret_access_key }}
+      region: {{ .region }}
+    {{- end }}
+    {{- end }}
+
+schemes:
+  {{- range .Values.config.registrar.schemes | default list }}
+  - {{ toYaml . }}
+  {{- end }}
+
+backends:
+  - type: eoxserver
+    filter:
+    kwargs:
+      instance_base_path: /var/www/pvs/dev
+      instance_name: pvs_instance
+
+      mapping:
+        {{- range $product_type_name, $product_type := .Values.config.products.types }}
+        {{ $product_type_name }}:
+          {{- range $level := list "Level_1" "Level_3" }}
+          {{ $level }}:
+            product_type_name: {{ $product_type_name | quote }}
+            collections:
+              {{- range $collection_name, $collection_conf := $.Values.config.collections }}
+              {{- if and (has $product_type_name $collection_conf.product_types) (has $level $collection_conf.product_levels) }}
+              - {{ $collection_name }}
+              {{- end }}
+              {{- end }}
+            coverages:
+              {{ toYaml $product_type.coverages }}
+            masks:
+              {{- range $mask_name, $_ := $product_type.masks }}
+              {{ $mask_name }}: {{ $mask_name }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
diff --git a/chart/templates/preprocessor-config-configmap.yaml b/chart/templates/preprocessor-config-configmap.yaml
index ab379486..f74f8202 100644
--- a/chart/templates/preprocessor-config-configmap.yaml
+++ b/chart/templates/preprocessor-config-configmap.yaml
@@ -3,4 +3,4 @@ kind: ConfigMap
 metadata:
   name: {{ include "vs.fullname" . }}-preprocessor-config
 data:
-  {{ (tpl (.Files.Glob "files/preprocessor-config.yaml").AsConfig . ) | indent 2 }}
+  {{ (tpl (.Files.Glob "files/preprocessor-config.yaml").AsConfig . ) | nindent 2 }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 37f53ad8..f9703715 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -41,11 +41,11 @@ config:
       user_domain_name: "user_domain_name"
     cache:
       type: S3
-      bucket: "bucket:"
-      endpoint_url: "endpoint_url:"
-      access_key_id: "access_key_id:"
-      secret_access_key: "secret_access_key:"
-      region: "region:"
+      bucket: "bucket"
+      endpoint_url: "endpoint_url"
+      access_key_id: "access_key_id"
+      secret_access_key: "secret_access_key"
+      region: "region"
   redis:
     REDIS_HOST: redis
     REDIS_PORT: "6379"
@@ -193,6 +193,10 @@ config:
         PH1B: # just to pass validation
           nested: true
 
+  registrar:
+    schemes:
+      - type: gsc
+
   # mapping of collection name to objects
   collections:
     VHR_IMAGE_2018:
-- 
GitLab


From 952e5223820d7371603330d7c5d8daa5e5302190 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 6 Nov 2020 11:15:44 +0100
Subject: [PATCH 099/162] initial Dockerfile versions and bumpversion config

---
 .bumpversion.cfg        | 25 +++++++++++++++++++++++++
 .gitlab-ci.yml          |  5 ++---
 cache/Dockerfile        |  2 +-
 client/Dockerfile       |  2 +-
 core/Dockerfile         |  2 +-
 fluentd/Dockerfile      |  2 +-
 ingestor/Dockerfile     |  2 +-
 preprocessor/Dockerfile |  2 +-
 8 files changed, 33 insertions(+), 9 deletions(-)
 create mode 100644 .bumpversion.cfg

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
new file mode 100644
index 00000000..62416300
--- /dev/null
+++ b/.bumpversion.cfg
@@ -0,0 +1,25 @@
+[bumpversion]
+current_version = 1.0.0-rc.0
+commit = True
+tag = True
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?P<build>\d+))?
+serialize = 
+	{major}.{minor}.{patch}-{release}.{build}
+	{major}.{minor}.{patch}
+tag_name = release-{new_version}
+
+[bumpversion:part:release]
+optional_value = final
+first_value = alpha
+values = 
+	alpha
+	beta
+	rc
+	final
+
+[bumpversion:file:.bumpversion.cfg]
+search = current_version = {current_version}
+
+[bumpversion:glob:**/Dockerfile]
+search = version="{current_version}"
+replace = version="{new_version}"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index de2ece8a..fd043347 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,7 +5,7 @@ stages:
   - build
 
 
-build-master:
+build-tags:
   image: docker:latest
   stage: build
   services:
@@ -52,7 +52,6 @@ build-master:
     - docker push "$IMAGE_6":$VERSION_6
     - docker push "$IMAGE_6":latest
   only:
-    - master
     - tags
 build:
   image: docker:latest
@@ -83,4 +82,4 @@ build:
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
   except:
-    - master
+    - tags
diff --git a/cache/Dockerfile b/cache/Dockerfile
index 4653a2a7..82eeebfe 100644
--- a/cache/Dockerfile
+++ b/cache/Dockerfile
@@ -31,7 +31,7 @@ LABEL name="prism view server cache" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server cache" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.0"
 
 USER root
 ADD install.sh \
diff --git a/client/Dockerfile b/client/Dockerfile
index 9da01c45..dc028801 100644
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -31,6 +31,6 @@ LABEL name="prism view server client" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server client" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.0"
 
 COPY html/ /usr/share/nginx/html/
diff --git a/core/Dockerfile b/core/Dockerfile
index 4bdce96b..2ce3281f 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -31,7 +31,7 @@ LABEL name="prism view server core" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server core" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.0"
 
 USER root
 
diff --git a/fluentd/Dockerfile b/fluentd/Dockerfile
index fb2dfae9..d61f9bec 100644
--- a/fluentd/Dockerfile
+++ b/fluentd/Dockerfile
@@ -32,7 +32,7 @@ LABEL name="prism view server cache" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server fluentd" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.0"
 
 USER root
 RUN gem install fluent-plugin-elasticsearch \
diff --git a/ingestor/Dockerfile b/ingestor/Dockerfile
index 61afce21..9691c29b 100644
--- a/ingestor/Dockerfile
+++ b/ingestor/Dockerfile
@@ -32,7 +32,7 @@ LABEL name="prism view server cache" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2020 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server ingestor" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.0"
 
 USER root
 ADD install.sh requirements.txt \
diff --git a/preprocessor/Dockerfile b/preprocessor/Dockerfile
index b7da584f..f85b597a 100644
--- a/preprocessor/Dockerfile
+++ b/preprocessor/Dockerfile
@@ -32,7 +32,7 @@ LABEL name="prism view server preprocessor" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server preprocessor" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.0"
 
 ENV LC_ALL=C.UTF-8
 ENV LANG=C.UTF-8
-- 
GitLab


From 25c0f8cbec0e7a4e39dd0b019d2c34eeadbf91d7 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 6 Nov 2020 12:31:04 +0100
Subject: [PATCH 100/162] add versioning of ops docker compose files, adapt
 bumpversion conf

---
 .bumpversion.cfg               | 6 +++++-
 docker-compose.dem.ops.yml     | 7 +++++++
 docker-compose.emg.ops.yml     | 7 +++++++
 docker-compose.logging.dev.yml | 2 ++
 docker-compose.logging.ops.yml | 2 +-
 docker-compose.vhr18.ops.yml   | 7 +++++++
 preprocessor/setup.py          | 2 +-
 7 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 62416300..2b848625 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -6,7 +6,7 @@ parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?
 serialize = 
 	{major}.{minor}.{patch}-{release}.{build}
 	{major}.{minor}.{patch}
-tag_name = release-{new_version}
+tag_name = {new_version}
 
 [bumpversion:part:release]
 optional_value = final
@@ -23,3 +23,7 @@ search = current_version = {current_version}
 [bumpversion:glob:**/Dockerfile]
 search = version="{current_version}"
 replace = version="{new_version}"
+
+[bumpversion:glob:preprocessor/setup.py]
+search = version="{current_version}"
+replace = version="{new_version}"
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 6cccbfbd..275ee605 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -7,6 +7,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -48,6 +49,7 @@ services:
     networks:
       - extnet
   cache:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:1.0.0-rc.0
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -90,6 +92,7 @@ services:
     networks:
       - extnet
   registrar:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -99,6 +102,7 @@ services:
         constraints:
           - node.labels.type == internal
   client:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:1.0.0-rc.0
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -126,6 +130,7 @@ services:
     networks:
       - extnet
   preprocessor:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:1.0.0-rc.0
     volumes:
       - type: bind
         source: /var/vhr
@@ -135,6 +140,8 @@ services:
       placement:
         constraints:
           - node.labels.type == internal
+  ingestor:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:1.0.0-rc.0
 networks:
   extnet:
     name: dem-extnet
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 7517f1ae..e3f915bb 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -7,6 +7,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -48,6 +49,7 @@ services:
     networks:
       - extnet
   cache:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:1.0.0-rc.0
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -90,6 +92,7 @@ services:
     networks:
       - extnet
   registrar:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -99,6 +102,7 @@ services:
         constraints:
           - node.labels.type == internal
   client:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:1.0.0-rc.0
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -126,6 +130,7 @@ services:
     networks:
       - extnet
   preprocessor:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:1.0.0-rc.0
     volumes:
       - type: bind
         source: /var/vhr
@@ -135,6 +140,8 @@ services:
       placement:
         constraints:
           - node.labels.type == internal
+  ingestor:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:1.0.0-rc.0
 networks:
   extnet:
     name: emg-extnet
diff --git a/docker-compose.logging.dev.yml b/docker-compose.logging.dev.yml
index d749cb97..38af28cf 100644
--- a/docker-compose.logging.dev.yml
+++ b/docker-compose.logging.dev.yml
@@ -1,5 +1,7 @@
 version: "3.6"
 services:
+  fluentd:
+    image: registry.gitlab.eox.at/esa/prism/vs/fluentd:dev
   elasticsearch:
     ports:
       - "9200:9200"
diff --git a/docker-compose.logging.ops.yml b/docker-compose.logging.ops.yml
index 53434247..d54897a2 100644
--- a/docker-compose.logging.ops.yml
+++ b/docker-compose.logging.ops.yml
@@ -1,11 +1,11 @@
 version: "3.6"
 services:
   fluentd:
+    image: registry.gitlab.eox.at/esa/prism/vs/fluentd:1.0.0-rc.0
     deploy:
       placement:
         # this is not strictly required, but feels right
         constraints: [node.role == manager]
-
   elasticsearch:
     environment:
       - bootstrap.memory_lock=true
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index fef2a0d2..fec8db21 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -7,6 +7,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -48,6 +49,7 @@ services:
     networks:
       - extnet
   cache:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:1.0.0-rc.0
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -90,6 +92,7 @@ services:
     networks:
       - extnet
   registrar:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -99,6 +102,7 @@ services:
         constraints:
           - node.labels.type == internal      
   client:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:1.0.0-rc.0
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -126,6 +130,7 @@ services:
     networks:
       - extnet
   preprocessor:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:1.0.0-rc.0
     volumes:
       - type: bind
         source: /var/vhr
@@ -135,6 +140,8 @@ services:
       placement:
         constraints:
           - node.labels.type == internal
+  ingestor:
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:1.0.0-rc.0
 networks:
   extnet:
     name: vhr18-extnet
diff --git a/preprocessor/setup.py b/preprocessor/setup.py
index 56f894a9..cd6abc1e 100644
--- a/preprocessor/setup.py
+++ b/preprocessor/setup.py
@@ -6,7 +6,7 @@ long_description = ""
 
 setup(
     name="preprocessor", # Replace with your own username
-    version="0.0.1",
+    version="1.0.0-rc.0",
     author="",
     author_email="",
     description="preprocessor for PVS",
-- 
GitLab


From 129bb073b91189fde59e1032545ce12bd5192b96 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 6 Nov 2020 13:32:58 +0100
Subject: [PATCH 101/162] update image versioning to contain release-{vrs},
 increment version in all ops docker compose files

---
 .bumpversion.cfg               |  7 ++++++-
 docker-compose.base.ops.yml    |  1 +
 docker-compose.dem.ops.yml     | 13 +++++++------
 docker-compose.emg.ops.yml     | 13 +++++++------
 docker-compose.logging.ops.yml |  3 ++-
 docker-compose.vhr18.ops.yml   | 13 +++++++------
 6 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 2b848625..187318cd 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -6,7 +6,7 @@ parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?
 serialize = 
 	{major}.{minor}.{patch}-{release}.{build}
 	{major}.{minor}.{patch}
-tag_name = {new_version}
+tag_name = release-{new_version}
 
 [bumpversion:part:release]
 optional_value = final
@@ -27,3 +27,8 @@ replace = version="{new_version}"
 [bumpversion:glob:preprocessor/setup.py]
 search = version="{current_version}"
 replace = version="{new_version}"
+
+[bumpversion:glob:docker-compose*ops.yml]
+search = :release-{current_version}
+replace = :release-{new_version}
+
diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 5aac2ba8..a99190f3 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -1,4 +1,5 @@
 version: "3.6"
+x-vs-version: :release-1.0.0-rc.0 # bumpversion
 services:
   reverse-proxy:
     image: traefik:2.1
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index 275ee605..f75600ad 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -1,4 +1,5 @@
 version: "3.6"
+x-vs-version: :release-1.0.0-rc.0 # bumpversion
 services:
   database:
     volumes:
@@ -7,7 +8,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -49,7 +50,7 @@ services:
     networks:
       - extnet
   cache:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.0 # bumpversion
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -92,7 +93,7 @@ services:
     networks:
       - extnet
   registrar:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -102,7 +103,7 @@ services:
         constraints:
           - node.labels.type == internal
   client:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.0 # bumpversion
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -130,7 +131,7 @@ services:
     networks:
       - extnet
   preprocessor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.0 # bumpversion
     volumes:
       - type: bind
         source: /var/vhr
@@ -141,7 +142,7 @@ services:
         constraints:
           - node.labels.type == internal
   ingestor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.0 # bumpversion
 networks:
   extnet:
     name: dem-extnet
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index e3f915bb..057f8bf0 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -1,4 +1,5 @@
 version: "3.6"
+x-vs-version: :release-1.0.0-rc.0 # bumpversion
 services:
   database:
     volumes:
@@ -7,7 +8,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -49,7 +50,7 @@ services:
     networks:
       - extnet
   cache:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.0 # bumpversion
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -92,7 +93,7 @@ services:
     networks:
       - extnet
   registrar:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -102,7 +103,7 @@ services:
         constraints:
           - node.labels.type == internal
   client:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.0 # bumpversion
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -130,7 +131,7 @@ services:
     networks:
       - extnet
   preprocessor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.0 # bumpversion
     volumes:
       - type: bind
         source: /var/vhr
@@ -141,7 +142,7 @@ services:
         constraints:
           - node.labels.type == internal
   ingestor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.0 # bumpversion
 networks:
   extnet:
     name: emg-extnet
diff --git a/docker-compose.logging.ops.yml b/docker-compose.logging.ops.yml
index d54897a2..f40b5326 100644
--- a/docker-compose.logging.ops.yml
+++ b/docker-compose.logging.ops.yml
@@ -1,7 +1,8 @@
 version: "3.6"
+x-vs-version: :release-1.0.0-rc.0 # bumpversion
 services:
   fluentd:
-    image: registry.gitlab.eox.at/esa/prism/vs/fluentd:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/fluentd:release-1.0.0-rc.0 # bumpversion
     deploy:
       placement:
         # this is not strictly required, but feels right
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index fec8db21..ee235e5f 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -1,4 +1,5 @@
 version: "3.6"
+x-vs-version: :release-1.0.0-rc.0 # bumpversion
 services:
   database:
     volumes:
@@ -7,7 +8,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -49,7 +50,7 @@ services:
     networks:
       - extnet
   cache:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.0 # bumpversion
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -92,7 +93,7 @@ services:
     networks:
       - extnet
   registrar:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -102,7 +103,7 @@ services:
         constraints:
           - node.labels.type == internal      
   client:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.0 # bumpversion
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -130,7 +131,7 @@ services:
     networks:
       - extnet
   preprocessor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.0 # bumpversion
     volumes:
       - type: bind
         source: /var/vhr
@@ -141,7 +142,7 @@ services:
         constraints:
           - node.labels.type == internal
   ingestor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:1.0.0-rc.0
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.0 # bumpversion
 networks:
   extnet:
     name: vhr18-extnet
-- 
GitLab


From 6433573e0edfe8dd5b3bc2b01fc8154c41e9bef5 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 6 Nov 2020 15:18:11 +0100
Subject: [PATCH 102/162] show current version in ops client config <meta> tag

---
 .bumpversion.cfg            | 3 +++
 config/dem_index-dev.html   | 1 +
 config/dem_index-ops.html   | 1 +
 config/emg_index-dev.html   | 1 +
 config/emg_index-ops.html   | 1 +
 config/vhr18_index-dev.html | 1 +
 config/vhr18_index-ops.html | 1 +
 7 files changed, 9 insertions(+)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 187318cd..b9c5ee5b 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -32,3 +32,6 @@ replace = version="{new_version}"
 search = :release-{current_version}
 replace = :release-{new_version}
 
+[bumpversion:glob:config/*ops.html]
+search = release-{current_version}
+replace = release-{new_version}
diff --git a/config/dem_index-dev.html b/config/dem_index-dev.html
index 6251a3c1..fa840fcb 100644
--- a/config/dem_index-dev.html
+++ b/config/dem_index-dev.html
@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.0">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/dem_index-ops.html b/config/dem_index-ops.html
index c8c60831..5077f021 100644
--- a/config/dem_index-ops.html
+++ b/config/dem_index-ops.html
@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.0">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/emg_index-dev.html b/config/emg_index-dev.html
index 9fdbd8e5..a1f40cc2 100644
--- a/config/emg_index-dev.html
+++ b/config/emg_index-dev.html
@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.0">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/emg_index-ops.html b/config/emg_index-ops.html
index d53feee5..a4320968 100644
--- a/config/emg_index-ops.html
+++ b/config/emg_index-ops.html
@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.0">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/vhr18_index-dev.html b/config/vhr18_index-dev.html
index 800b881a..03e39a73 100644
--- a/config/vhr18_index-dev.html
+++ b/config/vhr18_index-dev.html
@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.0">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/vhr18_index-ops.html b/config/vhr18_index-ops.html
index 2fe8a273..43081909 100644
--- a/config/vhr18_index-ops.html
+++ b/config/vhr18_index-ops.html
@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.0">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
-- 
GitLab


From 058fb7c8abfeed9875315004aeb2badcf39f2b98 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 6 Nov 2020 15:58:20 +0100
Subject: [PATCH 103/162] update gitlab ci

---
 .gitlab-ci.yml | 92 +++++++++++++++++++++++++++++++++-----------------
 1 file changed, 61 insertions(+), 31 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fd043347..0b8a9197 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,6 @@ variables:
 stages:
   - build
 
-
 build-tags:
   image: docker:latest
   stage: build
@@ -13,46 +12,76 @@ build-tags:
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
-    - VERSION_1=`grep 'version="*"' core/Dockerfile | cut -d '"' -f2`
     - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
     - docker pull "$IMAGE_1":latest || true
-    - docker build --cache-from "$IMAGE_1":latest -t "$IMAGE_1":dev -t "$IMAGE_1":$VERSION_1 core/
-    - VERSION_2=`grep 'version="*"' preprocessor/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_1":latest -t "$IMAGE_1":dev -t "$IMAGE_1":$CI_COMMIT_TAG core/
     - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
     - docker pull "$IMAGE_2":latest || true
-    - docker build --cache-from "$IMAGE_2":latest -t "$IMAGE_2":dev -t "$IMAGE_2":$VERSION_2 preprocessor/
-    - VERSION_3=`grep 'version="*"' client/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_2":latest -t "$IMAGE_2":dev -t "$IMAGE_2":$CI_COMMIT_TAG preprocessor/
     - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
     - docker pull "$IMAGE_3":latest || true
-    - docker build --cache-from "$IMAGE_3":latest -t "$IMAGE_3":dev -t "$IMAGE_3":$VERSION_3 client/
-    - VERSION_4=`grep 'version="*"' cache/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_3":latest -t "$IMAGE_3":dev -t "$IMAGE_3":$CI_COMMIT_TAG client/
     - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
     - docker pull "$IMAGE_4":latest || true
-    - docker build --cache-from "$IMAGE_4":latest -t "$IMAGE_4":dev -t "$IMAGE_4":$VERSION_4 cache/
-    - VERSION_5=`grep 'version="*"' fluentd/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_4":latest -t "$IMAGE_4":dev -t "$IMAGE_4":$CI_COMMIT_TAG cache/
     - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
     - docker pull "$IMAGE_5":latest || true
-    - docker build --cache-from "$IMAGE_5":latest -t "$IMAGE_5":dev -t "$IMAGE_5":$VERSION_5 fluentd/
-    - VERSION_6=`grep 'version="*"' ingestor/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_5":latest -t "$IMAGE_5":dev -t "$IMAGE_5":$CI_COMMIT_TAG fluentd/
     - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
     - docker pull "$IMAGE_6":latest || true
-    - docker build --cache-from "$IMAGE_6":latest -t "$IMAGE_6":dev -t "$IMAGE_6":$VERSION_6 ingestor/
+    - docker build --cache-from "$IMAGE_6":latest -t "$IMAGE_6":dev -t "$IMAGE_6":$CI_COMMIT_TAG ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
-    - docker push "$IMAGE_1":$VERSION_1
+    - docker push "$IMAGE_1":$CI_COMMIT_TAG
     - docker push "$IMAGE_1":latest
-    - docker push "$IMAGE_2":$VERSION_2
+    - docker push "$IMAGE_2":$CI_COMMIT_TAG
     - docker push "$IMAGE_2":latest
-    - docker push "$IMAGE_3":$VERSION_3
+    - docker push "$IMAGE_3":$CI_COMMIT_TAG
     - docker push "$IMAGE_3":latest
-    - docker push "$IMAGE_4":$VERSION_4
+    - docker push "$IMAGE_4":$CI_COMMIT_TAG
     - docker push "$IMAGE_4":latest
-    - docker push "$IMAGE_5":$VERSION_5
+    - docker push "$IMAGE_5":$CI_COMMIT_TAG
     - docker push "$IMAGE_5":latest
-    - docker push "$IMAGE_6":$VERSION_6
+    - docker push "$IMAGE_6":$CI_COMMIT_TAG
     - docker push "$IMAGE_6":latest
   only:
     - tags
+build-staging:
+  image: docker:latest
+  stage: build
+  services:
+    - docker:dind
+  before_script:
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  script:
+    - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
+    - docker pull "$IMAGE_1":staging || true
+    - docker build --cache-from "$IMAGE_1":staging -t "$IMAGE_1":dev -t "$IMAGE_1":staging core/
+    - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
+    - docker pull "$IMAGE_2":staging || true
+    - docker build --cache-from "$IMAGE_2":staging -t "$IMAGE_2":dev -t "$IMAGE_2":staging preprocessor/
+    - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
+    - docker pull "$IMAGE_3":staging || true
+    - docker build --cache-from "$IMAGE_3":staging -t "$IMAGE_3":dev -t "$IMAGE_3":staging client/
+    - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
+    - docker pull "$IMAGE_4":staging || true
+    - docker build --cache-from "$IMAGE_4":staging -t "$IMAGE_4":dev -t "$IMAGE_4":staging cache/
+    - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
+    - docker pull "$IMAGE_5":staging || true
+    - docker build --cache-from "$IMAGE_5":staging -t "$IMAGE_5":dev -t "$IMAGE_5":staging fluentd/
+    - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
+    - docker pull "$IMAGE_6":staging || true
+    - docker build --cache-from "$IMAGE_6":staging -t "$IMAGE_6":dev -t "$IMAGE_6":staging ingestor/
+    - cd ./testing && ./gitlab_test.sh
+    - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
+    - docker push "$IMAGE_1":staging
+    - docker push "$IMAGE_2":staging
+    - docker push "$IMAGE_3":staging
+    - docker push "$IMAGE_4":staging
+    - docker push "$IMAGE_5":staging
+    - docker push "$IMAGE_6":staging
+  only:
+    - staging
 build:
   image: docker:latest
   stage: build
@@ -62,24 +91,25 @@ build:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_core"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev core/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev core/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_preprocessor"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev preprocessor/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev preprocessor/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_client"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev client/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev client/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_cache"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev cache/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev cache/
     - IMAGE="$CI_REGISTRY_IMAGE/fluentd"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev fluentd/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev fluentd/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_ingestor"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev ingestor/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
   except:
     - tags
+    - staging
-- 
GitLab


From 5cb08490420da296dc581bcd969d5d846c34a995 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Fri, 6 Nov 2020 17:22:04 +0100
Subject: [PATCH 104/162] Implementing cache configmap and mapcache template

---
 chart/files/mapcache.xml             | 131 +++++++++++++++++++++++++++
 chart/templates/cache-configmap.yaml |   6 ++
 2 files changed, 137 insertions(+)
 create mode 100644 chart/files/mapcache.xml
 create mode 100644 chart/templates/cache-configmap.yaml

diff --git a/chart/files/mapcache.xml b/chart/files/mapcache.xml
new file mode 100644
index 00000000..c84abb6d
--- /dev/null
+++ b/chart/files/mapcache.xml
@@ -0,0 +1,131 @@
+<mapcache>
+  <default_format>mixed</default_format>
+  <format name="mypng" type="PNG">
+    <compression>fast</compression>
+  </format>
+  <format name="myjpeg" type="JPEG">
+    <quality>75</quality>
+    <photometric>ycbcr</photometric>
+  </format>
+  <format name="mixed" type="MIXED">
+    <transparent>mypng</transparent>
+    <opaque>myjpeg</opaque>
+  </format>
+  {{- if .Values.config.cache.services.wms.enabled }}
+  <service type="wms" enabled="true">
+    <full_wms>assemble</full_wms>
+    <resample_mode>bilinear</resample_mode>
+    <format>mixed</format>
+    <maxsize>4096</maxsize>
+  </service>
+  {{- end }}
+  {{- if .Values.config.cache.services.wmts.enabled }}
+  <service type="wmts" enabled="true"/>
+  {{- end }}
+  {{- with .Values.config.cache.metadata }}
+  <metadata>
+    <title>{{ .title }}</title>
+    <abstract>{{ .abstract }}</abstract>
+    <url>{{ .url }}</url>
+    <keyword>{{ .keyword }}</keyword>
+    <accessconstraints>{{ .accessconstraints }}</accessconstraints>
+    <fees>{{ .fees }}</fees>
+    <contactname>{{ .contactname }}</contactname>
+    <contactphone>{{ .contactphone }}</contactphone>
+    <contactfacsimile>{{ .contactfacsimile }}</contactfacsimile>
+    <contactorganization>{{ .contactorganization }}</contactorganization>
+    <contactcity>{{ .contactcity }}</contactcity>
+    <contactstateorprovince>{{ .contactstateorprovince }}</contactstateorprovince>
+    <contactpostcode>{{ .contactpostcode }}</contactpostcode>
+    <contactcountry>{{ .contactcountry }}</contactcountry>
+    <contactelectronicmailaddress>{{ .contactelectronicmailaddress }}</contactelectronicmailaddress>
+    <contactposition>{{ .contactposition }}</contactposition>
+    <providername>{{ .providername }}</providername>
+    <providerurl>{{ .providerurl }}</providerurl>
+    <inspire_profile>{{ .inspire_profile }}</inspire_profile>
+    <inspire_metadataurl>{{ .inspire_metadataurl }}</inspire_metadataurl>
+    <defaultlanguage>{{ .defaultlanguage }}</defaultlanguage>
+    <language>{{ .language }}</language>
+  </metadata>
+  {{- end }}
+  <errors>empty_img</errors>
+  <lock_dir>/tmp</lock_dir>
+  <threaded_fetching>true</threaded_fetching>
+
+  <!-- Cache -->
+  {{- if eq .Values.config.objectStorage.cache.type "swift" }}
+  <cache name="cache" type="swift">
+    <auth_url>{{ .Values.config.objectStorage.cache.auth_url_short }}</auth_url>
+    <auth_version>{{ .Values.config.objectStorage.cache.auth_version }}</auth_version>
+    <tenant>{{ .Values.config.objectStorage.cache.tenant_id }}</tenant>
+    <username>{{ .Values.config.objectStorage.cache.username }}</username>
+    <password>{{ .Values.config.objectStorage.cache.password }}</password>
+    <container>{{ .Values.config.objectStorage.cache.container }}</container>
+    <key>{{ .Values.config.objectStorage.key | default "/{tileset}/{grid}/{dim}/{z}/{x}/{y}.{ext}" }}</key>
+  </cache>
+  {{- else if eq .Values.config.objectStorage.cache.type "S3"}} # TODO
+  {{- else }}
+  <!-- no storage configured -->
+  {{- end }}
+
+  {{- define "mapcache-layerid" -}}{{ .collection_name }}{{ if .level_name }}__{{ .level_name }}{{ end }}{{ if .sub_layer_name }}__{{ .sub_layer_name }}{{ end }}{{- end }}
+
+  {{- range $collection_name, $collection := .Values.config.collections -}}
+
+  {{- $sub_types := list nil -}}
+  {{- range $product_type_name := $collection.product_types }}
+  {{- $sub_types := concat $sub_types (get (get $.Values.config.products.types $product_type_name | default dict) "browses" | default dict | keys) }}
+  {{- $sub_types := concat $sub_types (get (get $.Values.config.products.types $product_type_name | default dict) "masks" | default dict | keys) }}
+  {{- end -}}
+
+  <!-- Sources for {{ $collection_name }} -->
+  {{- range $level_name := (concat (list nil) $collection.product_levels) }}
+  {{- range $sub_type_name := ($sub_types | uniq) }}
+  {{- $layer_id := (include "mapcache-layerid" (dict "collection_name" $collection_name "level_name" $level_name "sub_type_name" $sub_type_name)) | trim }}
+  <source type="wms" name="{{ $layer_id }}">
+    <getmap>
+      <params>
+        <LAYERS>{{ $layer_id }}</LAYERS>
+        <TRANSPARENT>true</TRANSPARENT>
+        <STYLES>{{ get (get $.Values.config.cache.tilesets $layer_id | default dict) "style" }}</STYLES>
+      </params>
+    </getmap>
+    <http>
+      <url>http://renderer/ows</url>
+      <connection_timeout>{{ $.Values.config.cache.connection_timeout | default 10 }}</connection_timeout>
+      <timeout>{{ $.Values.config.cache.timeout | default 120 }}</timeout>
+    </http>
+  </source>
+  {{- end }}
+  {{- end }}
+
+  <!-- Tilesets for {{ $collection_name }} -->
+  {{- range $level_name := (concat (list nil) $collection.product_levels) }}
+  {{- range $sub_type_name := ($sub_types | uniq) }}
+  {{- $layer_id := (include "mapcache-layerid" (dict "collection_name" $collection_name "level_name" $level_name "sub_type_name" $sub_type_name)) | trim }}
+  <tileset name="{{ $layer_id }}">
+    <metadata>
+      <title>{{ (get $.Values.config.cache.tilesets $layer_id | default dict ).title }}</title>
+      <abstract>{{ (get $.Values.config.cache.tilesets $layer_id | default dict ).abstract }}</abstract>
+    </metadata>
+    <source>{{ $layer_id }}</source>
+    <cache>cache</cache>
+    <grid max-cached-zoom="15" out-of-zoom-strategy="reassemble">WGS84</grid>
+    <format>mixed</format>
+    <metatile>1 1</metatile>
+    <expires>{{ $.Values.config.cache.expires | default 3600 }}</expires>
+    <dimensions>
+      <assembly_type>stack</assembly_type>
+      <store_assemblies>false</store_assemblies>
+      <subdimensions_read_only>false</subdimensions_read_only>
+      <dimension type="postgresql" name="time" default="2017/2019" time="true" unit="ISO8601">
+        <connection>host={{ $.Values.config.database.host }} user={{ $.Values.config.database.user }} password={{ $.Values.config.database.password }} dbname={{ $.Values.config.database.name }} port={{ $.Values.config.database.port | default 5432 }}</connection>
+        <list_query>SELECT to_char(MIN(mapcache_items.begin_time), 'YYYY-MM-DD"T"HH24:MI:SS"Z"') || '/' || to_char(MAX(mapcache_items.end_time), 'YYYY-MM-DD"T"HH24:MI:SS"Z"') FROM mapcache_items WHERE mapcache_items.collection = '{{ $layer_id }}';</list_query>
+        <validate_query>SELECT * FROM (SELECT to_char(mapcache_items.begin_time, 'YYYY-MM-DD"T"HH24:MI:SS"Z"') || '/' || to_char(mapcache_items.end_time, 'YYYY-MM-DD"T"HH24:MI:SS"Z"') AS "interval" FROM mapcache_items WHERE (mapcache_items.collection = '{{ $layer_id }}' AND ((mapcache_items."begin_time" &lt; to_timestamp(:end_timestamp) AND mapcache_items."end_time" &gt; to_timestamp(:start_timestamp)) or (mapcache_items."begin_time" = mapcache_items."end_time" AND mapcache_items."begin_time" &lt;= to_timestamp(:end_timestamp) AND mapcache_items."end_time" &gt;= to_timestamp(:start_timestamp)))) AND mapcache_items."footprint" &amp;&amp; ST_MakeEnvelope(:minx, :miny, :maxx, :maxy, 4326) ORDER BY mapcache_items."end_time" DESC LIMIT 20) AS sub ORDER BY interval ASC;</validate_query>
+      </dimension>
+    </dimensions>
+  </tileset>
+  {{- end }}
+  {{- end }}
+</mapcache>
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/cache-configmap.yaml b/chart/templates/cache-configmap.yaml
new file mode 100644
index 00000000..d72924e9
--- /dev/null
+++ b/chart/templates/cache-configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "vs.fullname" . }}-cache
+data:
+  {{ (tpl (.Files.Glob "files/mapcache.xml").AsConfig . ) | nindent 2}}
-- 
GitLab


From a5a222a097af86f48ea177bedc56b6b5cc56b76e Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Fri, 6 Nov 2020 17:27:27 +0100
Subject: [PATCH 105/162] update readme and gitlab ci

---
 .gitlab-ci.yml | 51 +++++++++++++++++++-------------------------------
 README.md      | 14 +++++++++++++-
 2 files changed, 32 insertions(+), 33 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0b8a9197..596bb59c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@ variables:
 stages:
   - build
 
-build-tags:
+build-tag:
   image: docker:latest
   stage: build
   services:
@@ -33,20 +33,14 @@ build-tags:
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
     - docker push "$IMAGE_1":$CI_COMMIT_TAG
-    - docker push "$IMAGE_1":latest
     - docker push "$IMAGE_2":$CI_COMMIT_TAG
-    - docker push "$IMAGE_2":latest
     - docker push "$IMAGE_3":$CI_COMMIT_TAG
-    - docker push "$IMAGE_3":latest
     - docker push "$IMAGE_4":$CI_COMMIT_TAG
-    - docker push "$IMAGE_4":latest
     - docker push "$IMAGE_5":$CI_COMMIT_TAG
-    - docker push "$IMAGE_5":latest
     - docker push "$IMAGE_6":$CI_COMMIT_TAG
-    - docker push "$IMAGE_6":latest
   only:
     - tags
-build-staging:
+build-master-staging:
   image: docker:latest
   stage: build
   services:
@@ -54,34 +48,32 @@ build-staging:
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
+    - if [[ "$CI_COMMIT_BRANCH" = "master" ]] ; then TAG_USED="latest"; else TAG_USED="staging"; fi
     - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
-    - docker pull "$IMAGE_1":staging || true
-    - docker build --cache-from "$IMAGE_1":staging -t "$IMAGE_1":dev -t "$IMAGE_1":staging core/
+    - docker build --cache-from "$IMAGE_1":"$TAG_USED" -t "$IMAGE_1":dev -t "$IMAGE_1":"$TAG_USED" core/
     - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
-    - docker pull "$IMAGE_2":staging || true
-    - docker build --cache-from "$IMAGE_2":staging -t "$IMAGE_2":dev -t "$IMAGE_2":staging preprocessor/
+    - docker build --cache-from "$IMAGE_2":"$TAG_USED" -t "$IMAGE_2":dev -t "$IMAGE_2":"$TAG_USED" preprocessor/
     - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
-    - docker pull "$IMAGE_3":staging || true
-    - docker build --cache-from "$IMAGE_3":staging -t "$IMAGE_3":dev -t "$IMAGE_3":staging client/
+    - docker build --cache-from "$IMAGE_3":"$TAG_USED" -t "$IMAGE_3":dev -t "$IMAGE_3":"$TAG_USED" client/
     - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
-    - docker pull "$IMAGE_4":staging || true
-    - docker build --cache-from "$IMAGE_4":staging -t "$IMAGE_4":dev -t "$IMAGE_4":staging cache/
+    - docker build --cache-from "$IMAGE_4":"$TAG_USED" -t "$IMAGE_4":dev -t "$IMAGE_4":"$TAG_USED" cache/
     - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
-    - docker pull "$IMAGE_5":staging || true
-    - docker build --cache-from "$IMAGE_5":staging -t "$IMAGE_5":dev -t "$IMAGE_5":staging fluentd/
+    - docker build --cache-from "$IMAGE_5":"$TAG_USED" -t "$IMAGE_5":dev -t "$IMAGE_5":"$TAG_USED" fluentd/
     - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
-    - docker pull "$IMAGE_6":staging || true
-    - docker build --cache-from "$IMAGE_6":staging -t "$IMAGE_6":dev -t "$IMAGE_6":staging ingestor/
+    - docker build --cache-from "$IMAGE_6":"$TAG_USED" -t "$IMAGE_6":dev -t "$IMAGE_6":"$TAG_USED" ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
-    - docker push "$IMAGE_1":staging
-    - docker push "$IMAGE_2":staging
-    - docker push "$IMAGE_3":staging
-    - docker push "$IMAGE_4":staging
-    - docker push "$IMAGE_5":staging
-    - docker push "$IMAGE_6":staging
+    - docker push "$IMAGE_1":"$TAG_USED"
+    - docker push "$IMAGE_2":"$TAG_USED"
+    - docker push "$IMAGE_3":"$TAG_USED"
+    - docker push "$IMAGE_4":"$TAG_USED"
+    - docker push "$IMAGE_5":"$TAG_USED"
+    - docker push "$IMAGE_6":"$TAG_USED"
   only:
     - staging
+    - master
+  except:
+    - tags
 build:
   image: docker:latest
   stage: build
@@ -91,25 +83,20 @@ build:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_core"
-    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev core/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_preprocessor"
-    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev preprocessor/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_client"
-    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev client/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_cache"
-    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev cache/
     - IMAGE="$CI_REGISTRY_IMAGE/fluentd"
-    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev fluentd/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_ingestor"
-    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
   except:
     - tags
     - staging
+    - master
diff --git a/README.md b/README.md
index fff3c496..768ded19 100644
--- a/README.md
+++ b/README.md
@@ -294,7 +294,6 @@ You will log in  into`/home/eox/data` directory which contains the 2 logging dir
 
  **NOTE:**  The mounted directory that you are directed into is *`/home/user`*, where `user` is the username, hence when setting / editing  the username in configs, the `sftp` mounted volumes path in `docker-compose.<collection>.yml` must change respectively.
  
-
 # Documentation
 
 ## Installation
@@ -323,6 +322,19 @@ The documentation is generated in the respective *_build/html* directory.
 
 # Create software releases
 
+## Release a new vs version
+
+We use [bump2version](https://github.com/c4urself/bump2version) to increment versions of invividual docker images and create git tags. Tags after push trigger CI `docker push` action of versioned images. It also updates used image versions in `.ops` docker compose files.
+Pushing to `master` branch updates `latest` images, while `staging` branch push updates `staging` images.
+For **Versions* in general, we use semantic versioning with format {major}.{minor}.{patch}-{release}.{build}.
+First check deployed staging version on staging platform (TBD), then if no problems are found, proceed.
+Following operation should be done on `staging` branch.
+```
+bump2version <major/minor/patch/release/build>
+git push
+git push --tags
+```
+Then `staging` branch should be merged to `master`, unless only a patch to previous versions is made.
 ## Source code release
 
 Create a TAR from source code:
-- 
GitLab


From 9c291bde4c499198e277ab946182dad19eed8d59 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Fri, 6 Nov 2020 17:58:17 +0100
Subject: [PATCH 106/162] Adjusting index.html template

---
 chart/files/index.html | 186 +++++------------------------------------
 chart/values.yaml      |   3 +
 2 files changed, 24 insertions(+), 165 deletions(-)

diff --git a/chart/files/index.html b/chart/files/index.html
index e5c65647..bb8c6bb8 100644
--- a/chart/files/index.html
+++ b/chart/files/index.html
@@ -184,12 +184,13 @@ var config = {
         }
     ],
     "layers": [
+        {{- range $layer_id, $layer := .Values.config.client.layers }}
         {
-            "id": 'VHR_IMAGE_2018_Level_1',
-            "displayName": 'VHR Image 2018 Level 1',
-            "displayColor": '#eb3700',
+            "id": {{ $layer_id | quote }},
+            "displayName": {{ $layer.title | quote }},
+            "displayColor": {{ $layer.display_color | default "eb3700" | quote }},
             "display": {
-                "id": 'VHR_IMAGE_2018_Level_1__TRUE_COLOR',
+                "id": {{ $layer.layer | quote }},
                 "visible": false,
                 "protocol": 'WMTS',
                 "urls": baseUrlsWMTS,
@@ -202,120 +203,20 @@ var config = {
                 "options": [{
                     "name": "Style",
                     "target": "display.extraParameters.LAYERS",
-                    "values": [{
-                    "label": "VHR Image 2018 True Color",
-                    "value": "VHR_IMAGE_2018_Level_1__TRUE_COLOR",
-                    }, {
-                    "label": "VHR Image 2018 True Color with masked validity",
-                    "value": "VHR_IMAGE_2018_Level_1__masked_validity",
-                    }, {
-                    "label": "VHR Image 2018 False Color",
-                    "value": "VHR_IMAGE_2018_Level_1__FALSE_COLOR",
-                    }, {
-                    "label": "VHR Image 2018 NDVI",
-                    "value": "VHR_IMAGE_2018_Level_1__NDVI",
-                    }]
-                }],
-            },
-            "search": {
-                "protocol": "OpenSearch",
-                "url": baseUrl + "opensearch/collections/VHR_IMAGE_2018_Level_1/",
-                "id": "VHR_IMAGE_2018_Level_1",
-                "histogramBinCount": 28,
-                "format": "application/atom+xml",
-                "method": "GET",
-                "histogramThreshold": 600,
-                "lightweightBuckets": true,
-                "searchLimit": 600,
-                "loadMore": 600,
-                "pageSize": 200,
-                "countZeroRecords": true,
-                "parameters": [
-                    {
-                        "type": "eo:sensorMode",
-                        "name": "Sensor",
-                        "title": "Sensor Mode"
-                    },
-                    {
-                        "max": 100,
-                        "min": 0,
-                        "step": 1,
-                        "range": true,
-                        "type": "eo:cloudCover",
-                        "name": "Cloud Coverage",
-                        "title": "Cloud Coverage in percent"
-                    },
+                    "values": [
+                    {{- range $sub_layer_id, $sub_layer := $layer.sub_layers -}}
                     {
-                        "max": 360,
-                        "min": 0,
-                        "step": 1,
-                        "range": true,
-                        "type": "eo:acrossTrackIncidenceAngle",
-                        "name": "Offnadir angle",
-                        "title": "Across Track Incidence Angle in degrees"
-                    },
-                    {
-                        "max": 360,
-                        "min": 0,
-                        "step": 1,
-                        "range": true,
-                        "type": "eo:illuminationAzimuthAngle",
-                        "name": "Sun elevation",
-                        "title": "Illumination Azimuth Angle in degrees"
+                        "label": {{ $sub_layer.label | quote }},
+                        "value": {{ $sub_layer_id | quote }},
                     },
-                ],
-                "parametersFilterSettings": {
-                    "collapsed": false,
-                },
-            },
-            "download": {
-                "protocol": "EO-WCS",
-                "url": baseUrl + "ows",
-                // "method": "GET",
-                "rewrite": {
-                // add __coverage to the coverageId
-                "from": "({{ "{{" }}id}})",
-                "to": "$1__coverage"
-                }
-            }
-        },
-        {
-            "id": 'VHR_IMAGE_2018_Level_3',
-            "displayName": 'VHR Image 2018 Level 3',
-            "displayColor": '#37eb00',
-            "display": {
-                "id": 'VHR_IMAGE_2018_Level_3__TRUE_COLOR',
-                "visible": true,
-                "protocol": 'WMTS',
-                "urls": baseUrlsWMTS,
-                "format": 'image/png',
-                "projection": 'EPSG:4326',
-                "matrixSet": "WGS84",
-                "style": 'default',
-                "useMilliseconds": false,
-                "maxZoom": 17,
-                "options": [{
-                    "name": "Style",
-                    "target": "display.extraParameters.LAYERS",
-                    "values": [{
-                    "label": "VHR Image 2018 True Color",
-                    "value": "VHR_IMAGE_2018_Level_3__TRUE_COLOR",
-                    }, {
-                    "label": "VHR Image 2018 True Color with masked validity",
-                    "value": "VHR_IMAGE_2018_Level_3__masked_validity",
-                    }, {
-                    "label": "VHR Image 2018 False Color",
-                    "value": "VHR_IMAGE_2018_Level_3__FALSE_COLOR",
-                    }, {
-                    "label": "VHR Image 2018 NDVI",
-                    "value": "VHR_IMAGE_2018_Level_3__NDVI",
-                    }]
+                    {{- end -}}
+                    ]
                 }],
             },
             "search": {
                 "protocol": "OpenSearch",
-                "url": baseUrl + "opensearch/collections/VHR_IMAGE_2018_Level_3/",
-                "id": "VHR_IMAGE_2018_Level_3",
+                "url": baseUrl + "opensearch/collections/{{ $layer_id }}/",
+                "id": {{ $layer_id }},
                 "histogramBinCount": 28,
                 "format": "application/atom+xml",
                 "method": "GET",
@@ -373,7 +274,8 @@ var config = {
                 "to": "$1__coverage"
                 }
             }
-        },
+        }
+        {{- end -}}
     ],
     "overlayLayers": [
         {
@@ -397,12 +299,13 @@ var config = {
                 "attribution": "Overlay { Data &copy; <a href=\"//www.openstreetmap.org/copyright\" target=\"_blank\">OpenStreetMap</a> contributors, Rendering &copy; <a href=\"//eox.at\" target=\"_blank\">EOX</a> and <a href=\"//github.com/mapserver/basemaps\" target=\"_blank\">MapServer</a> }"
             }
         },
+        {{- range $layer_id, $layer := .Values.config.client.overlay_layers }}
         {
-            "id": 'VHR_IMAGE_2018_Level_3__outlines',
-            "displayName": 'VHR Image 2018 Level 3 Outlines',
-            "displayColor": '#187465',
+            "id": {{ $layer_id | quote }},
+            "displayName": {{ $layer.title | quote }},
+            "displayColor": {{ $layer.display_color | quote }},
             "display": {
-                "id": 'VHR_IMAGE_2018_Level_3__outlines',
+                "id": {{ $layer.layer | quote }},
                 "visible": false,
                 "protocol": 'WMS',
                 "urls": baseUrlsOws,
@@ -414,54 +317,7 @@ var config = {
                 "synchronizeTime": true,
             },
         },
-        {
-            "id": 'VHR_IMAGE_2018_Level_3__masked_validity__Full',
-            "displayName": 'VHR Image 2018 Level 3 True Color with masked validity Full Coverage',
-            "display": {
-                "id": 'VHR_IMAGE_2018_Level_3__masked_validity__Full',
-                "visible": false,
-                "protocol": 'WMTS',
-                "urls": baseUrlsWMTS,
-                "format": 'image/png',
-                "projection": 'EPSG:4326',
-                "matrixSet": "WGS84",
-                "maxZoom": 17,
-                "synchronizeTime": false,
-                "style": "default",
-            },
-        },
-        {
-            "id": 'VHR_IMAGE_2018_Level_3__Full',
-            "displayName": 'VHR Image 2018 Level 3 True Color Full Coverage',
-            "display": {
-                "id": 'VHR_IMAGE_2018_Level_3__Full',
-                "visible": false,
-                "protocol": 'WMTS',
-                "urls": baseUrlsWMTS,
-                "format": 'image/png',
-                "projection": 'EPSG:4326',
-                "matrixSet": "WGS84",
-                "maxZoom": 17,
-                "synchronizeTime": false,
-                "style": "default",
-            },
-        },
-        {
-            "id": 'VHR_IMAGE_2018_Level_3__FALSE_COLOR__Full',
-            "displayName": 'VHR Image 2018 Level 3 False Color Full Coverage',
-            "display": {
-                "id": 'VHR_IMAGE_2018_Level_3__FALSE_COLOR__Full',
-                "visible": false,
-                "protocol": 'WMTS',
-                "urls": baseUrlsWMTS,
-                "format": 'image/png',
-                "projection": 'EPSG:4326',
-                "matrixSet": "WGS84",
-                "maxZoom": 17,
-                "synchronizeTime": false,
-                "style": "default",
-            },
-        }
+        {{- end -}}
     ]
 };
 
diff --git a/chart/values.yaml b/chart/values.yaml
index f9703715..068a15ac 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -133,6 +133,9 @@ config:
     expires: 3600
     key: /{tileset}/{grid}/{dim}/{z}/{x}/{y}.{ext}
     tilesets:
+      VHR_IMAGE_2018:
+        title: VHR Image 2018 True Color
+        abstract: VHR Image 2018 True Color
       VHR_IMAGE_2018__TRUE_COLOR:
         title: VHR Image 2018 True Color
         abstract: VHR Image 2018 True Color
-- 
GitLab


From b6c62f3b5623258a121a653fb0eab399ca93785e Mon Sep 17 00:00:00 2001
From: baloola <baloola-mu@hotmail.com>
Date: Mon, 9 Nov 2020 11:07:56 +0100
Subject: [PATCH 107/162] documentation_review

---
 documentation/operator-guide/configuration.rst |  2 +-
 documentation/operator-guide/intro.rst         |  5 ++++-
 documentation/operator-guide/management.rst    |  4 ++--
 documentation/operator-guide/setup.rst         | 14 ++++++++++----
 4 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/documentation/operator-guide/configuration.rst b/documentation/operator-guide/configuration.rst
index c4cbddd6..27b245cd 100644
--- a/documentation/operator-guide/configuration.rst
+++ b/documentation/operator-guide/configuration.rst
@@ -494,7 +494,7 @@ preprocessing
     defaults.
 
 Sensitive variables
-^^^^^^^^^^^^^^^^^^^
+===================
 
 Since environment variables include credentials that are considered sensitive,
 avoiding their exposure inside ``.env`` files would be the right practice.
diff --git a/documentation/operator-guide/intro.rst b/documentation/operator-guide/intro.rst
index 3d2975e2..3ee54989 100644
--- a/documentation/operator-guide/intro.rst
+++ b/documentation/operator-guide/intro.rst
@@ -51,7 +51,10 @@ the used images:
 - mdillon/postgis:10
 - redis
 - traefik:2.1
-- fluent/fluentd
+- elasticsearch:7.9.0 
+- kibana:7.9.0  
+- atmoz/sftp
+- registry.gitlab.eox.at/esa/prism/vs/fluentd:latest
 - registry.gitlab.eox.at/esa/prism/vs/pvs_core:latest
 - registry.gitlab.eox.at/esa/prism/vs/pvs_cache:latest
 - registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:latest
diff --git a/documentation/operator-guide/management.rst b/documentation/operator-guide/management.rst
index b7fcc9a0..d453d28c 100644
--- a/documentation/operator-guide/management.rst
+++ b/documentation/operator-guide/management.rst
@@ -62,8 +62,8 @@ shutting down of the stack and new deployment.
 Inspecting reports
 ------------------
 
-Once registered, a xml report containes wcs and wms getcapabilities of the registered product is generated and can be accessed by sftp into `SFTP` image,
-
+Once registered, a xml report containes wcs and wms getcapabilities of the registered product is generated and can be accessed by connecting to the `SFTP` image
+via the sftp protocol.
 In order to log into the logging folders through port 2222 on the hosting ip (e.g. localhost if you are running the dev stack ) The following command can be used:
 
 .. code-block:: bash
diff --git a/documentation/operator-guide/setup.rst b/documentation/operator-guide/setup.rst
index bb91533c..1ccaea90 100644
--- a/documentation/operator-guide/setup.rst
+++ b/documentation/operator-guide/setup.rst
@@ -113,8 +113,10 @@ Now the relevant images can be pulled:
     docker pull registry.gitlab.eox.at/esa/prism/vs/pvs_cache
     docker pull registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor
     docker pull registry.gitlab.eox.at/esa/prism/vs/pvs_client
+    docker pull registry.gitlab.eox.at/esa/prism/vs/fluentd
+    docker pull registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor
+    
 
-.. # TODO: ingestor image?
 
 
 Logging
@@ -138,9 +140,13 @@ container.
 Stack Deployment
 ----------------
 
-Now that a Docker Swarm is established, it is time to deploy the VS as a stack.
-This is done using the created Docker Compose configuration files. In order to
-enhance the re-usability, these files are split into multiple parts to be used
+Before the stack deployment step, some environment variables and configurations -which
+are considered sensitive- should be created beforehand, this can done following 
+the ``Sensitive variables`` steps that are included in the next :ref:`configuration` section.
+
+Now that a Docker Swarm is established and docker secrets and configs are created,
+it is time to deploy the VS as a stack. This is done using the created Docker Compose
+configuration files. In order to enhance the re-usability, these files are split into multiple parts to be used
 for both development and final service deployment.
 
 For a development deployment one would do (replace ``name`` with the actual
-- 
GitLab


From a56093f9fa7f3097b5091820b84ecaee180c5942 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 9 Nov 2020 12:25:24 +0100
Subject: [PATCH 108/162] Adding service and deployment yamls for registrar

---
 chart/templates/registrar-deployment.yaml | 93 +++++++++++++++++++++++
 chart/templates/registrar-service.yaml    | 17 +++++
 2 files changed, 110 insertions(+)
 create mode 100644 chart/templates/registrar-deployment.yaml
 create mode 100644 chart/templates/registrar-service.yaml

diff --git a/chart/templates/registrar-deployment.yaml b/chart/templates/registrar-deployment.yaml
new file mode 100644
index 00000000..e12537f8
--- /dev/null
+++ b/chart/templates/registrar-deployment.yaml
@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "vs.fullname" . }}-registrar
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+    app.kubernetes.io/service: registrar
+spec:
+  replicas: {{ .Values.registrar.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "vs.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/service: registrar
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "false"
+      labels:
+        {{- include "vs.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/service: registrar
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-registrar
+          image: "registry.gitlab.eox.at/esa/prism/vs/pvs_core:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.registrar.resources | nindent 12 }}
+          args:
+            - /run-httpd.sh
+          env:
+            {{- range $key, $value := .Values.config.general }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $value := .Values.config.database }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            - name: DB_HOST
+              value: {{ .Release.Name }}-database
+            {{- range $key, $value := .Values.config.django }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $value := .Values.config.objectStorage.data }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            - name: INIT_SCRIPTS
+              value: /configure.sh /init-db.sh /initialized.sh
+            - name: INSTALL_DIR
+              value: /var/www/pvs/dev/
+            - name: INSTANCE_ID
+              value: prism-view-server_registrar
+            - name: STARTUP_SCRIPTS
+              value: /wait-initialized.sh
+            - name: WAIT_SERVICES
+              value: {{ .Release.Name }}-database:{{ .Values.config.database.DB_PORT }}
+          volumeMounts:
+            - mountPath: /init-db.sh
+              name: init-db
+              subPath: init-db.sh
+      {{- with .Values.registrar.affinity | default .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - configMap:
+            items:
+              - key: init-db.sh
+                path: init-db.sh
+            name: {{ include "vs.fullname" . }}-init-db
+          name: init-db
diff --git a/chart/templates/registrar-service.yaml b/chart/templates/registrar-service.yaml
new file mode 100644
index 00000000..6762a3b0
--- /dev/null
+++ b/chart/templates/registrar-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "vs.fullname" . }}-registrar
+  labels:
+    {{- include "vs.labels" . | nindent 4 }}
+    app.kubernetes.io/service: registrar
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "vs.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/service: registrar
-- 
GitLab


From 1e9804deecc19ed4e39c2c8b5d1d263a7004641b Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 9 Nov 2020 12:26:31 +0100
Subject: [PATCH 109/162] Commenting out VHR specifics in values Adding
 preprocessor and registrar service values

---
 chart/values.yaml | 292 +++++++++++++++++++++++++---------------------
 1 file changed, 157 insertions(+), 135 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index 068a15ac..a784994f 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -57,46 +57,46 @@ config:
     REDIS_SET_KEY: registered_set
 
   client:
-    layers:
-      VHR_IMAGE_2018_Level_1:
-        display_color: '#eb3700'
-        title: VHR Image 2018 Level 1
-        layer: VHR_IMAGE_2018_Level_1__TRUE_COLOR
-        sub_layers:
-          VHR_IMAGE_2018_Level_1__TRUE_COLOR:
-            label: VHR Image 2018 True Color
-          VHR_IMAGE_2018_Level_1__masked_validity:
-            label: VHR Image 2018 True Color with masked validity
-          VHR_IMAGE_2018_Level_1__FALSE_COLOR:
-            label: VHR Image 2018 False Color
-          VHR_IMAGE_2018_Level_1__NDVI:
-            label: VHR Image 2018 NDVI
-      VHR_IMAGE_2018_Level_3:
-        display_color: '#eb3700'
-        title: VHR Image 2018 Level 3
-        layer: VHR_IMAGE_2018_Level_3__TRUE_COLOR
-        sub_layers:
-          VHR_IMAGE_2018_Level_3__TRUE_COLOR:
-            label: VHR Image 2018 True Color
-          VHR_IMAGE_2018_Level_3__masked_validity:
-            label: VHR Image 2018 True Color with masked validity
-          VHR_IMAGE_2018_Level_3__FALSE_COLOR:
-            label: VHR Image 2018 False Color
-          VHR_IMAGE_2018_Level_3__NDVI:
-            label: VHR Image 2018 NDVI
-    overlay_layers:
-      VHR_IMAGE_2018_Level_3__outlines:
-        display_color: '#187465'
-        title: VHR Image 2018 Level 3 Outlines
-        layer: VHR_IMAGE_2018_Level_3__outlines
-      VHR_IMAGE_2018_Level_3__masked_validity__Full:
-        display_color: '#187465'
-        title: VHR Image 2018 Level 3 True Color with masked validity Full Coverage
-        layer: VHR_IMAGE_2018_Level_3__masked_validity__Full
-      VHR_IMAGE_2018_Level_3__Full:
-        display_color: '#187465'
-        title: VHR Image 2018 Level 3 True Color Full Coverage
-        layer: VHR_IMAGE_2018_Level_3__Full
+    layers: {}
+      # VHR_IMAGE_2018_Level_1:
+      #   display_color: '#eb3700'
+      #   title: VHR Image 2018 Level 1
+      #   layer: VHR_IMAGE_2018_Level_1__TRUE_COLOR
+      #   sub_layers:
+      #     VHR_IMAGE_2018_Level_1__TRUE_COLOR:
+      #       label: VHR Image 2018 True Color
+      #     VHR_IMAGE_2018_Level_1__masked_validity:
+      #       label: VHR Image 2018 True Color with masked validity
+      #     VHR_IMAGE_2018_Level_1__FALSE_COLOR:
+      #       label: VHR Image 2018 False Color
+      #     VHR_IMAGE_2018_Level_1__NDVI:
+      #       label: VHR Image 2018 NDVI
+      # VHR_IMAGE_2018_Level_3:
+      #   display_color: '#eb3700'
+      #   title: VHR Image 2018 Level 3
+      #   layer: VHR_IMAGE_2018_Level_3__TRUE_COLOR
+      #   sub_layers:
+      #     VHR_IMAGE_2018_Level_3__TRUE_COLOR:
+      #       label: VHR Image 2018 True Color
+      #     VHR_IMAGE_2018_Level_3__masked_validity:
+      #       label: VHR Image 2018 True Color with masked validity
+      #     VHR_IMAGE_2018_Level_3__FALSE_COLOR:
+      #       label: VHR Image 2018 False Color
+      #     VHR_IMAGE_2018_Level_3__NDVI:
+      #       label: VHR Image 2018 NDVI
+    overlay_layers: {}
+      # VHR_IMAGE_2018_Level_3__outlines:
+      #   display_color: '#187465'
+      #   title: VHR Image 2018 Level 3 Outlines
+      #   layer: VHR_IMAGE_2018_Level_3__outlines
+      # VHR_IMAGE_2018_Level_3__masked_validity__Full:
+      #   display_color: '#187465'
+      #   title: VHR Image 2018 Level 3 True Color with masked validity Full Coverage
+      #   layer: VHR_IMAGE_2018_Level_3__masked_validity__Full
+      # VHR_IMAGE_2018_Level_3__Full:
+      #   display_color: '#187465'
+      #   title: VHR Image 2018 Level 3 True Color Full Coverage
+      #   layer: VHR_IMAGE_2018_Level_3__Full
 
   # cache related options
   cache:
@@ -132,40 +132,40 @@ config:
     timeout: 120
     expires: 3600
     key: /{tileset}/{grid}/{dim}/{z}/{x}/{y}.{ext}
-    tilesets:
-      VHR_IMAGE_2018:
-        title: VHR Image 2018 True Color
-        abstract: VHR Image 2018 True Color
-      VHR_IMAGE_2018__TRUE_COLOR:
-        title: VHR Image 2018 True Color
-        abstract: VHR Image 2018 True Color
-      VHR_IMAGE_2018__FALSE_COLOR:
-        title: VHR Image 2018 False Color
-        abstract: VHR Image 2018 False Color
-      VHR_IMAGE_2018__NDVI:
-        title: VHR Image 2018 NDVI
-        abstract: VHR Image 2018 NDVI
-        style: earth
-      VHR_IMAGE_2018_Level_1__TRUE_COLOR:
-        title: VHR Image 2018 Level 1 True Color
-        abstract: VHR Image 2018 Level 1 True Color
-      VHR_IMAGE_2018_Level_1__FALSE_COLOR:
-        title: VHR Image 2018 Level 1 False Color
-        abstract: VHR Image 2018 Level 1 False Color
-      VHR_IMAGE_2018_Level_1__NDVI:
-        title: VHR Image 2018 Level 1 NDVI
-        abstract: VHR Image 2018 Level 1 NDVI
-        style: earth
-      VHR_IMAGE_2018_Level_1__TRUE_COLOR:
-        title: VHR Image 2018 Level 3 True Color
-        abstract: VHR Image 2018 Level 3 True Color
-      VHR_IMAGE_2018_Level_1__FALSE_COLOR:
-        title: VHR Image 2018 Level 3 False Color
-        abstract: VHR Image 2018 Level 3 False Color
-      VHR_IMAGE_2018_Level_1__NDVI:
-        title: VHR Image 2018 Level 3 NDVI
-        abstract: VHR Image 2018 Level 3 NDVI
-        style: earth
+    tilesets: {}
+      # VHR_IMAGE_2018:
+      #   title: VHR Image 2018 True Color
+      #   abstract: VHR Image 2018 True Color
+      # VHR_IMAGE_2018__TRUE_COLOR:
+      #   title: VHR Image 2018 True Color
+      #   abstract: VHR Image 2018 True Color
+      # VHR_IMAGE_2018__FALSE_COLOR:
+      #   title: VHR Image 2018 False Color
+      #   abstract: VHR Image 2018 False Color
+      # VHR_IMAGE_2018__NDVI:
+      #   title: VHR Image 2018 NDVI
+      #   abstract: VHR Image 2018 NDVI
+      #   style: earth
+      # VHR_IMAGE_2018_Level_1__TRUE_COLOR:
+      #   title: VHR Image 2018 Level 1 True Color
+      #   abstract: VHR Image 2018 Level 1 True Color
+      # VHR_IMAGE_2018_Level_1__FALSE_COLOR:
+      #   title: VHR Image 2018 Level 1 False Color
+      #   abstract: VHR Image 2018 Level 1 False Color
+      # VHR_IMAGE_2018_Level_1__NDVI:
+      #   title: VHR Image 2018 Level 1 NDVI
+      #   abstract: VHR Image 2018 Level 1 NDVI
+      #   style: earth
+      # VHR_IMAGE_2018_Level_1__TRUE_COLOR:
+      #   title: VHR Image 2018 Level 3 True Color
+      #   abstract: VHR Image 2018 Level 3 True Color
+      # VHR_IMAGE_2018_Level_1__FALSE_COLOR:
+      #   title: VHR Image 2018 Level 3 False Color
+      #   abstract: VHR Image 2018 Level 3 False Color
+      # VHR_IMAGE_2018_Level_1__NDVI:
+      #   title: VHR Image 2018 Level 3 NDVI
+      #   abstract: VHR Image 2018 Level 3 NDVI
+      #   style: earth
 
   preprocessor:
     metadata_glob: '*GSC*.xml'
@@ -192,33 +192,33 @@ config:
               - NUM_THREADS=8
               - BIGTIFF=IF_SAFER
               - OVERVIEWS=AUTO
-      types:
-        PH1B: # just to pass validation
-          nested: true
+      types: {}
+        # PH1B: # just to pass validation
+        #   nested: true
 
   registrar:
     schemes:
       - type: gsc
 
   # mapping of collection name to objects
-  collections:
-    VHR_IMAGE_2018:
-      product_types:
-        - PL00
-        - DM02
-        - KS03
-        - KS04
-        - PH1A
-        - PH1B
-        - SP06
-        - SP07
-        - SW00
-        - TR00
-      product_levels:
-        - Level_1
-        - Level_3
-      coverage_types:
-        - RGBNir
+  collections: {}
+    # VHR_IMAGE_2018:
+    #   product_types:
+    #     - PL00
+    #     - DM02
+    #     - KS03
+    #     - KS04
+    #     - PH1A
+    #     - PH1B
+    #     - SP06
+    #     - SP07
+    #     - SW00
+    #     - TR00
+    #   product_levels:
+    #     - Level_1
+    #     - Level_3
+    #   coverage_types:
+    #     - RGBNir
 
   products:
     type_extractor:
@@ -231,47 +231,47 @@ config:
       xpath:
       namespace_map:
 
-    types:
-      PL00:
-        coverages:
-          PL00: RGBNir
-        default_browse: TRUE_COLOR
-        browses:
-          TRUE_COLOR:
-            red:
-              expression: red
-              range: [1000, 15000]
-              nodata: 0
-            green:
-              expression: green
-              range: [1000, 15000]
-              nodata: 0
-            blue:
-              expression: blue
-              range: [1000, 15000]
-              nodata: 0
-          FALSE_COLOR:
-            red:
-              expression: nir
-              range: [1000, 15000]
-              nodata: 0
-            green:
-              expression: red
-              range: [1000, 15000]
-              nodata: 0
-            blue:
-              expression: green
-              range: [1000, 15000]
-              nodata: 0
-          NDVI:
-            grey:
-              expression: (nir-red)/(nir+red)
-              range: [-1, 1]
-        masks:
-          validity:
-            validity: true
+    types: {}
+      # PL00:
+      #   coverages:
+      #     PL00: RGBNir
+      #   default_browse: TRUE_COLOR
+      #   browses:
+      #     TRUE_COLOR:
+      #       red:
+      #         expression: red
+      #         range: [1000, 15000]
+      #         nodata: 0
+      #       green:
+      #         expression: green
+      #         range: [1000, 15000]
+      #         nodata: 0
+      #       blue:
+      #         expression: blue
+      #         range: [1000, 15000]
+      #         nodata: 0
+      #     FALSE_COLOR:
+      #       red:
+      #         expression: nir
+      #         range: [1000, 15000]
+      #         nodata: 0
+      #       green:
+      #         expression: red
+      #         range: [1000, 15000]
+      #         nodata: 0
+      #       blue:
+      #         expression: green
+      #         range: [1000, 15000]
+      #         nodata: 0
+      #     NDVI:
+      #       grey:
+      #         expression: (nir-red)/(nir+red)
+      #         range: [-1, 1]
+      #   masks:
+      #     validity:
+      #       validity: true
 
-  coverages:
+  coverages: {}
     # only RGBNir? SAR? complete list with all options here?
 
 database:
@@ -287,6 +287,28 @@ database:
       echo "Enabling postgis"
       PGPASSWORD="$POSTGRES_POSTGRES_PASSWORD" psql -U postgres -d "${POSTGRES_DB}" -c "CREATE EXTENSION postgis;"
 
+preprocessor:
+  replicaCount: 1
+  resources:
+    limits:
+      cpu: 1.5
+      memory: 6Gi
+    requests:
+      cpu: 0.5
+      memory: 2Gi
+  affinity: {}
+
+registrar:
+  replicaCount: 1
+  resources:
+    limits:
+      cpu: 1.5
+      memory: 6Gi
+    requests:
+      cpu: 0.5
+      memory: 2Gi
+  affinity: {}
+
 renderer:
   replicaCount: 1
   resources:
-- 
GitLab


From db9006a7e04d035964a13b625a8bd2d5a89086c2 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 9 Nov 2020 12:30:51 +0100
Subject: [PATCH 110/162] Fixing registrar invocation in testing

---
 testing/registrar_test.sh | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/testing/registrar_test.sh b/testing/registrar_test.sh
index 1d3e0aae..020235fb 100755
--- a/testing/registrar_test.sh
+++ b/testing/registrar_test.sh
@@ -8,10 +8,8 @@ IFS=","
 
 while read product; do
     docker exec -e OS_PASSWORD=$OS_PASSWORD -i $(docker ps -qf "name=emg-pvs_registrar") \
-        python3 /registrar.py \
-            --objects-prefix $product \
-            --service-url $SERVICE_URL \
-            --reporting-dir "/mnt/reports" \
+        registrar register \
+            --config-file /config.yaml \
             <<<$product
 
 done < "$product_list_file"
-- 
GitLab


From ecc3e02c74f1783ad42629bb0e1b872f8993c44d Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 9 Nov 2020 13:04:25 +0100
Subject: [PATCH 111/162] Fixing invocation of registrar

---
 testing/registrar_test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/registrar_test.sh b/testing/registrar_test.sh
index 020235fb..6f8e7fb4 100755
--- a/testing/registrar_test.sh
+++ b/testing/registrar_test.sh
@@ -10,7 +10,7 @@ while read product; do
     docker exec -e OS_PASSWORD=$OS_PASSWORD -i $(docker ps -qf "name=emg-pvs_registrar") \
         registrar register \
             --config-file /config.yaml \
-            <<<$product
+            "$product"
 
 done < "$product_list_file"
 
-- 
GitLab


From 63384b458ab4531d8e8dc7bcd167dd695fc171c1 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 9 Nov 2020 13:40:31 +0100
Subject: [PATCH 112/162] Fixing `replace` argument for one-off registrations

---
 core/registrar/cli.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/registrar/cli.py b/core/registrar/cli.py
index bfae3d6a..0a2943ff 100644
--- a/core/registrar/cli.py
+++ b/core/registrar/cli.py
@@ -69,13 +69,13 @@ def daemon(config_file=None, validate=False, replace=False, host=None, port=None
 @click.option('--validate/--no-validate', default=False)
 @click.option('--replace/--no-replace', default=False)
 @click.option('--debug/--no-debug', default=False)
-def register(file_path, config_file=None, validate=False, debug=False):
+def register(file_path, config_file=None, validate=False, replace=False, debug=False):
     setup_logging(debug)
     config = load_config(config_file)
     if validate:
         validate_config(config)
 
-    register_file(config, file_path)
+    register_file(config, file_path, replace)
 
 if __name__ == '__main__':
     cli()
-- 
GitLab


From 4743176b273f90ae52235ff6ec89275719afad1d Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 14:34:37 +0100
Subject: [PATCH 113/162] cleanup, separate shibboleth2.xml for collections

---
 README.md                                     |  7 +++++
 .../{shibboleth2.xml => dem-shibboleth2.xml}  |  4 +--
 config/shibboleth/emg-shibboleth2.xml         | 31 +++++++++++++++++++
 config/shibboleth/index.html                  |  5 +--
 config/shibboleth/native.logger               |  2 +-
 config/shibboleth/shibd.logger                |  2 +-
 config/shibboleth/vhr18-shibboleth2.xml       | 31 +++++++++++++++++++
 docker-compose.dem.ops.yml                    | 12 +++----
 docker-compose.emg.ops.yml                    | 12 +++----
 docker-compose.vhr18.ops.yml                  | 12 +++----
 traefik.yml                                   |  2 +-
 11 files changed, 95 insertions(+), 25 deletions(-)
 rename config/shibboleth/{shibboleth2.xml => dem-shibboleth2.xml} (88%)
 create mode 100644 config/shibboleth/emg-shibboleth2.xml
 create mode 100644 config/shibboleth/vhr18-shibboleth2.xml

diff --git a/README.md b/README.md
index ec20c42b..393f27a0 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,13 @@ The following services are defined via docker compose files.
 * provides the endpoint for external access
 * configured via docker labels
 
+### shibauth
+
+* based on the external unicon/shibboleth-sp:3.0.4 Apache + Shibboleth image
+* provides authentication and authorization via SAML2
+* docker configuration files set access control rules
+* traefik labels determine which services are protected via Shib
+
 ### database
 
 * based on external postgis:10 image
diff --git a/config/shibboleth/shibboleth2.xml b/config/shibboleth/dem-shibboleth2.xml
similarity index 88%
rename from config/shibboleth/shibboleth2.xml
rename to config/shibboleth/dem-shibboleth2.xml
index 2504a528..2892d9ed 100755
--- a/config/shibboleth/shibboleth2.xml
+++ b/config/shibboleth/dem-shibboleth2.xml
@@ -4,7 +4,7 @@
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
-    <ApplicationDefaults entityID="https://emg.pdas.prism.eox.at/shibboleth"
+    <ApplicationDefaults entityID="https://dem.pass.copernicus.eu/shibboleth"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
@@ -23,7 +23,7 @@
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
         <AttributeResolver type="Query" subjectMatch="true"/>
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+        <CredentialResolver type="File" key="/run/secrets/DEM_SHIB_KEY" certificate="/run/secrets/DEM_SHIB_CERT"/>
     </ApplicationDefaults>
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
diff --git a/config/shibboleth/emg-shibboleth2.xml b/config/shibboleth/emg-shibboleth2.xml
new file mode 100644
index 00000000..1f158494
--- /dev/null
+++ b/config/shibboleth/emg-shibboleth2.xml
@@ -0,0 +1,31 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://emg.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/EMG_SHIB_KEY" certificate="/run/secrets/EMG_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
diff --git a/config/shibboleth/index.html b/config/shibboleth/index.html
index 7d20ce72..d1b18250 100644
--- a/config/shibboleth/index.html
+++ b/config/shibboleth/index.html
@@ -2,9 +2,10 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>APACHE TEST</title>
+    <title>Authentication Success</title>
 </head>
 <body>
-    <h1>TESTING APACHE</h1>   
+    <h1>Your login was successful and you were granted access to the service.
+      Please access the URL, which you originally requested. Proper redirection is not implemented yet.</h1>
 </body>
 </html>
diff --git a/config/shibboleth/native.logger b/config/shibboleth/native.logger
index d360b124..1a854391 100644
--- a/config/shibboleth/native.logger
+++ b/config/shibboleth/native.logger
@@ -1,5 +1,5 @@
 # set overall behavior
-log4j.rootCategory=DEBUG, native_log
+log4j.rootCategory=INFO, native_log
 
 # fairly verbose for DEBUG, so generally leave at WARN/INFO
 log4j.category.XMLTooling.XMLObject=WARN
diff --git a/config/shibboleth/shibd.logger b/config/shibboleth/shibd.logger
index c12b4089..909609df 100644
--- a/config/shibboleth/shibd.logger
+++ b/config/shibboleth/shibd.logger
@@ -1,5 +1,5 @@
 # set overall behavior
-log4j.rootCategory=DEBUG, shibd_log, warn_log
+log4j.rootCategory=INFO, shibd_log, warn_log
 
 # fairly verbose for DEBUG, so generally leave at INFO
 log4j.category.XMLTooling.XMLObject=INFO
diff --git a/config/shibboleth/vhr18-shibboleth2.xml b/config/shibboleth/vhr18-shibboleth2.xml
new file mode 100644
index 00000000..d18baeff
--- /dev/null
+++ b/config/shibboleth/vhr18-shibboleth2.xml
@@ -0,0 +1,31 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://vhr18.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/VHR18_SHIB_KEY" certificate="/run/secrets/VHR18_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index d6023b09..76fd6746 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - DEM_SHIB_CERT
+      - DEM_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/dem_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/dem_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/dem-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  DEM_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  DEM_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 86bea982..9e9a9c8c 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - EMG_SHIB_CERT
+      - EMG_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/emg_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/emg_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/emg-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  EMG_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  EMG_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 12a692eb..8c529ad5 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://vhr18.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - VHR18_SHIB_CERT
+      - VHR18_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/vhr18_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/vhr18_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/vhr18-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   shib-idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  VHR18_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  VHR18_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true
diff --git a/traefik.yml b/traefik.yml
index 4a4135d7..39a93c19 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -19,7 +19,7 @@ providers:
 api:
   dashboard: true
 log:
-  level: DEBUG
+  level: INFO
 accessLog: {}
 certificatesResolvers:
   default:
-- 
GitLab


From 4d4a9d88d70a660adde5a155fb86fc2cc816fa65 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 14:41:30 +0100
Subject: [PATCH 114/162] update readme

---
 README.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 768ded19..5eac5836 100644
--- a/README.md
+++ b/README.md
@@ -325,16 +325,18 @@ The documentation is generated in the respective *_build/html* directory.
 ## Release a new vs version
 
 We use [bump2version](https://github.com/c4urself/bump2version) to increment versions of invividual docker images and create git tags. Tags after push trigger CI `docker push` action of versioned images. It also updates used image versions in `.ops` docker compose files.
+
 Pushing to `master` branch updates `latest` images, while `staging` branch push updates `staging` images.
-For **Versions* in general, we use semantic versioning with format {major}.{minor}.{patch}-{release}.{build}.
+For **versions** in general, we use semantic versioning with format {major}.{minor}.{patch}-{release}.{build}.
 First check deployed staging version on staging platform (TBD), then if no problems are found, proceed.
-Following operation should be done on `staging` branch.
+Following operation should be done on `staging` or `master` branch.
 ```
 bump2version <major/minor/patch/release/build>
 git push
 git push --tags
 ```
-Then `staging` branch should be merged to `master`, unless only a patch to previous versions is made.
+If it was done on `staging` branch, then it should be merged to `master`, unless only a patch to previous major versions is made.
+A hotfix to production is developed in a branch initiated from master, then merged to staging for verification. It is then merged to master for release.
 ## Source code release
 
 Create a TAR from source code:
-- 
GitLab


From 664d474d093b213965da846335aa64d177fef8a2 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 14:46:13 +0100
Subject: [PATCH 115/162] do not pull when we build from specified cache in ci

---
 .gitlab-ci.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 596bb59c..0a8cf8e6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,22 +13,16 @@ build-tag:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
-    - docker pull "$IMAGE_1":latest || true
     - docker build --cache-from "$IMAGE_1":latest -t "$IMAGE_1":dev -t "$IMAGE_1":$CI_COMMIT_TAG core/
     - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
-    - docker pull "$IMAGE_2":latest || true
     - docker build --cache-from "$IMAGE_2":latest -t "$IMAGE_2":dev -t "$IMAGE_2":$CI_COMMIT_TAG preprocessor/
     - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
-    - docker pull "$IMAGE_3":latest || true
     - docker build --cache-from "$IMAGE_3":latest -t "$IMAGE_3":dev -t "$IMAGE_3":$CI_COMMIT_TAG client/
     - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
-    - docker pull "$IMAGE_4":latest || true
     - docker build --cache-from "$IMAGE_4":latest -t "$IMAGE_4":dev -t "$IMAGE_4":$CI_COMMIT_TAG cache/
     - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
-    - docker pull "$IMAGE_5":latest || true
     - docker build --cache-from "$IMAGE_5":latest -t "$IMAGE_5":dev -t "$IMAGE_5":$CI_COMMIT_TAG fluentd/
     - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
-    - docker pull "$IMAGE_6":latest || true
     - docker build --cache-from "$IMAGE_6":latest -t "$IMAGE_6":dev -t "$IMAGE_6":$CI_COMMIT_TAG ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
-- 
GitLab


From e0dfc6eeda2a850a15fa4ee423355f770733b76e Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 14:51:55 +0100
Subject: [PATCH 116/162] manually update version to release-1.0.0-rc.2 to
 start the versioning

---
 .bumpversion.cfg               |  2 +-
 cache/Dockerfile               |  2 +-
 client/Dockerfile              |  2 +-
 config/dem_index-dev.html      |  2 +-
 config/dem_index-ops.html      |  2 +-
 config/emg_index-dev.html      |  2 +-
 config/emg_index-ops.html      |  2 +-
 config/vhr18_index-dev.html    |  2 +-
 config/vhr18_index-ops.html    |  2 +-
 core/Dockerfile                |  2 +-
 docker-compose.base.ops.yml    |  2 +-
 docker-compose.dem.ops.yml     | 14 +++++++-------
 docker-compose.emg.ops.yml     | 14 +++++++-------
 docker-compose.logging.ops.yml |  4 ++--
 docker-compose.vhr18.ops.yml   | 14 +++++++-------
 fluentd/Dockerfile             |  2 +-
 ingestor/Dockerfile            |  2 +-
 preprocessor/Dockerfile        |  2 +-
 preprocessor/setup.py          |  2 +-
 19 files changed, 38 insertions(+), 38 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index b9c5ee5b..9485b618 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.0-rc.0
+current_version = 1.0.0-rc.2
 commit = True
 tag = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?P<build>\d+))?
diff --git a/cache/Dockerfile b/cache/Dockerfile
index 82eeebfe..57abc976 100644
--- a/cache/Dockerfile
+++ b/cache/Dockerfile
@@ -31,7 +31,7 @@ LABEL name="prism view server cache" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server cache" \
-      version="1.0.0-rc.0"
+      version="1.0.0-rc.2"
 
 USER root
 ADD install.sh \
diff --git a/client/Dockerfile b/client/Dockerfile
index dc028801..2255e745 100644
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -31,6 +31,6 @@ LABEL name="prism view server client" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server client" \
-      version="1.0.0-rc.0"
+      version="1.0.0-rc.2"
 
 COPY html/ /usr/share/nginx/html/
diff --git a/config/dem_index-dev.html b/config/dem_index-dev.html
index fa840fcb..c4f904b8 100644
--- a/config/dem_index-dev.html
+++ b/config/dem_index-dev.html
@@ -3,7 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
-  <meta name="application" content="VS Client release-1.0.0-rc.0">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/dem_index-ops.html b/config/dem_index-ops.html
index 5077f021..77b34692 100644
--- a/config/dem_index-ops.html
+++ b/config/dem_index-ops.html
@@ -3,7 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
-  <meta name="application" content="VS Client release-1.0.0-rc.0">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/emg_index-dev.html b/config/emg_index-dev.html
index a1f40cc2..09e3e675 100644
--- a/config/emg_index-dev.html
+++ b/config/emg_index-dev.html
@@ -3,7 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
-  <meta name="application" content="VS Client release-1.0.0-rc.0">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/emg_index-ops.html b/config/emg_index-ops.html
index a4320968..171adcd8 100644
--- a/config/emg_index-ops.html
+++ b/config/emg_index-ops.html
@@ -3,7 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
-  <meta name="application" content="VS Client release-1.0.0-rc.0">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/vhr18_index-dev.html b/config/vhr18_index-dev.html
index 03e39a73..d517d334 100644
--- a/config/vhr18_index-dev.html
+++ b/config/vhr18_index-dev.html
@@ -3,7 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
-  <meta name="application" content="VS Client release-1.0.0-rc.0">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/config/vhr18_index-ops.html b/config/vhr18_index-ops.html
index 43081909..7000f3f1 100644
--- a/config/vhr18_index-ops.html
+++ b/config/vhr18_index-ops.html
@@ -3,7 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
-  <meta name="application" content="VS Client release-1.0.0-rc.0">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />
diff --git a/core/Dockerfile b/core/Dockerfile
index 2ce3281f..b8c8148d 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -31,7 +31,7 @@ LABEL name="prism view server core" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server core" \
-      version="1.0.0-rc.0"
+      version="1.0.0-rc.2"
 
 USER root
 
diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index a99190f3..2d6ade93 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -1,5 +1,5 @@
 version: "3.6"
-x-vs-version: :release-1.0.0-rc.0 # bumpversion
+x-vs-version: :release-1.0.0-rc.2 # bumpversion
 services:
   reverse-proxy:
     image: traefik:2.1
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index f75600ad..012016bd 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -1,5 +1,5 @@
 version: "3.6"
-x-vs-version: :release-1.0.0-rc.0 # bumpversion
+x-vs-version: :release-1.0.0-rc.2 # bumpversion
 services:
   database:
     volumes:
@@ -8,7 +8,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.2 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -50,7 +50,7 @@ services:
     networks:
       - extnet
   cache:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.2 # bumpversion
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -93,7 +93,7 @@ services:
     networks:
       - extnet
   registrar:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.2 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -103,7 +103,7 @@ services:
         constraints:
           - node.labels.type == internal
   client:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.2 # bumpversion
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -131,7 +131,7 @@ services:
     networks:
       - extnet
   preprocessor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.2 # bumpversion
     volumes:
       - type: bind
         source: /var/vhr
@@ -142,7 +142,7 @@ services:
         constraints:
           - node.labels.type == internal
   ingestor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.2 # bumpversion
 networks:
   extnet:
     name: dem-extnet
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 057f8bf0..94ec7a18 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -1,5 +1,5 @@
 version: "3.6"
-x-vs-version: :release-1.0.0-rc.0 # bumpversion
+x-vs-version: :release-1.0.0-rc.2 # bumpversion
 services:
   database:
     volumes:
@@ -8,7 +8,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.2 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -50,7 +50,7 @@ services:
     networks:
       - extnet
   cache:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.2 # bumpversion
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -93,7 +93,7 @@ services:
     networks:
       - extnet
   registrar:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.2 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -103,7 +103,7 @@ services:
         constraints:
           - node.labels.type == internal
   client:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.2 # bumpversion
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -131,7 +131,7 @@ services:
     networks:
       - extnet
   preprocessor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.2 # bumpversion
     volumes:
       - type: bind
         source: /var/vhr
@@ -142,7 +142,7 @@ services:
         constraints:
           - node.labels.type == internal
   ingestor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.2 # bumpversion
 networks:
   extnet:
     name: emg-extnet
diff --git a/docker-compose.logging.ops.yml b/docker-compose.logging.ops.yml
index f40b5326..2a6437f7 100644
--- a/docker-compose.logging.ops.yml
+++ b/docker-compose.logging.ops.yml
@@ -1,8 +1,8 @@
 version: "3.6"
-x-vs-version: :release-1.0.0-rc.0 # bumpversion
+x-vs-version: :release-1.0.0-rc.2 # bumpversion
 services:
   fluentd:
-    image: registry.gitlab.eox.at/esa/prism/vs/fluentd:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/fluentd:release-1.0.0-rc.2 # bumpversion
     deploy:
       placement:
         # this is not strictly required, but feels right
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index ee235e5f..024ac46c 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -1,5 +1,5 @@
 version: "3.6"
-x-vs-version: :release-1.0.0-rc.0 # bumpversion
+x-vs-version: :release-1.0.0-rc.2 # bumpversion
 services:
   database:
     volumes:
@@ -8,7 +8,7 @@ services:
         tmpfs:
           size: 536870912
   renderer:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.2 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -50,7 +50,7 @@ services:
     networks:
       - extnet
   cache:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.0.0-rc.2 # bumpversion
     configs:
       - source: mapcache-ops
         target: /mapcache-template.xml
@@ -93,7 +93,7 @@ services:
     networks:
       - extnet
   registrar:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.0.0-rc.2 # bumpversion
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
@@ -103,7 +103,7 @@ services:
         constraints:
           - node.labels.type == internal      
   client:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.0.0-rc.2 # bumpversion
     configs:
       - source: client-ops
         target: /usr/share/nginx/html/index.html
@@ -131,7 +131,7 @@ services:
     networks:
       - extnet
   preprocessor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.0.0-rc.2 # bumpversion
     volumes:
       - type: bind
         source: /var/vhr
@@ -142,7 +142,7 @@ services:
         constraints:
           - node.labels.type == internal
   ingestor:
-    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.0 # bumpversion
+    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.2 # bumpversion
 networks:
   extnet:
     name: vhr18-extnet
diff --git a/fluentd/Dockerfile b/fluentd/Dockerfile
index d61f9bec..0bc13cb9 100644
--- a/fluentd/Dockerfile
+++ b/fluentd/Dockerfile
@@ -32,7 +32,7 @@ LABEL name="prism view server cache" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server fluentd" \
-      version="1.0.0-rc.0"
+      version="1.0.0-rc.2"
 
 USER root
 RUN gem install fluent-plugin-elasticsearch \
diff --git a/ingestor/Dockerfile b/ingestor/Dockerfile
index 9691c29b..e1b80dcf 100644
--- a/ingestor/Dockerfile
+++ b/ingestor/Dockerfile
@@ -32,7 +32,7 @@ LABEL name="prism view server cache" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2020 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server ingestor" \
-      version="1.0.0-rc.0"
+      version="1.0.0-rc.2"
 
 USER root
 ADD install.sh requirements.txt \
diff --git a/preprocessor/Dockerfile b/preprocessor/Dockerfile
index f85b597a..987d52b4 100644
--- a/preprocessor/Dockerfile
+++ b/preprocessor/Dockerfile
@@ -32,7 +32,7 @@ LABEL name="prism view server preprocessor" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server preprocessor" \
-      version="1.0.0-rc.0"
+      version="1.0.0-rc.2"
 
 ENV LC_ALL=C.UTF-8
 ENV LANG=C.UTF-8
diff --git a/preprocessor/setup.py b/preprocessor/setup.py
index cd6abc1e..34c7a2e8 100644
--- a/preprocessor/setup.py
+++ b/preprocessor/setup.py
@@ -6,7 +6,7 @@ long_description = ""
 
 setup(
     name="preprocessor", # Replace with your own username
-    version="1.0.0-rc.0",
+    version="1.0.0-rc.2",
     author="",
     author_email="",
     description="preprocessor for PVS",
-- 
GitLab


From d470e2948e557f2a2dd63bcd95eb9d27c8598e01 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 15:34:54 +0100
Subject: [PATCH 117/162] updated testing base image

---
 .gitlab-ci.yml         |  6 +++---
 testing/Dockerfile     | 35 +++++++++++++++++++++++++++++++++++
 testing/gitlab_test.sh |  4 ----
 3 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 testing/Dockerfile

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0a8cf8e6..b8b7ced9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,7 +5,7 @@ stages:
   - build
 
 build-tag:
-  image: docker:latest
+  image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
     - docker:dind
@@ -35,7 +35,7 @@ build-tag:
   only:
     - tags
 build-master-staging:
-  image: docker:latest
+  image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
     - docker:dind
@@ -69,7 +69,7 @@ build-master-staging:
   except:
     - tags
 build:
-  image: docker:latest
+  image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
     - docker:dind
diff --git a/testing/Dockerfile b/testing/Dockerfile
new file mode 100644
index 00000000..e423222b
--- /dev/null
+++ b/testing/Dockerfile
@@ -0,0 +1,35 @@
+#------------------------------------------------------------------------------
+#
+# Project: prism view server
+# Authors: Stephan Meissl <stephan.meissl@eox.at>
+#
+#------------------------------------------------------------------------------
+# Copyright (C) 2020 EOX IT Services GmbH <https://eox.at>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies of this Software or works derived from this Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+#-----------------------------------------------------------------------------
+
+# this image is built manually and pushed to registry.gitlab.eox.at/esa/prism/vs/docker-base-testing
+
+FROM docker:latest
+
+RUN apk update && apk add bash postgresql-dev gcc g++ python3 python3-dev musl-dev py-pip libffi-dev openssl-dev make gdal==3.1.4-r0 gdal-dev==3.1.4-r0
+
+ADD requirements.txt /
+RUN pip3 install -r requirements.txt
diff --git a/testing/gitlab_test.sh b/testing/gitlab_test.sh
index 8ce6b51f..8cb3e2c1 100755
--- a/testing/gitlab_test.sh
+++ b/testing/gitlab_test.sh
@@ -38,10 +38,6 @@ printf $sftp_users_emg | docker config create sftp_users_emg -
 
 docker stack deploy -c ../docker-compose.emg.yml -c ../docker-compose.emg.dev.yml emg-pvs
 
-# installing the requirments
-apk update && apk add bash postgresql-dev gcc g++ python3 python3-dev musl-dev py-pip libffi-dev openssl-dev make gdal==3.1.4-r0 gdal-dev==3.1.4-r0
-pip3 install -r requirements.txt
-
 ./docker-stack-wait.sh -n renderer -n registrar -n preprocessor -n ingestor -n sftp emg-pvs
 
 docker service ls
-- 
GitLab


From 299312d47bdf90282d0ceb6d2a6e5df00d9c96b8 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 16:30:05 +0100
Subject: [PATCH 118/162] put back docker pulls into ci as it perhaps should be
 there

---
 .gitlab-ci.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b8b7ced9..0bc73a58 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,16 +13,22 @@ build-tag:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
+    - docker pull "$IMAGE_1":latest || true
     - docker build --cache-from "$IMAGE_1":latest -t "$IMAGE_1":dev -t "$IMAGE_1":$CI_COMMIT_TAG core/
     - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
+    - docker pull "$IMAGE_2":latest || true
     - docker build --cache-from "$IMAGE_2":latest -t "$IMAGE_2":dev -t "$IMAGE_2":$CI_COMMIT_TAG preprocessor/
     - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
+    - docker pull "$IMAGE_3":latest || true
     - docker build --cache-from "$IMAGE_3":latest -t "$IMAGE_3":dev -t "$IMAGE_3":$CI_COMMIT_TAG client/
     - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
+    - docker pull "$IMAGE_4":latest || true
     - docker build --cache-from "$IMAGE_4":latest -t "$IMAGE_4":dev -t "$IMAGE_4":$CI_COMMIT_TAG cache/
     - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
+    - docker pull "$IMAGE_5":latest || true
     - docker build --cache-from "$IMAGE_5":latest -t "$IMAGE_5":dev -t "$IMAGE_5":$CI_COMMIT_TAG fluentd/
     - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
+    - docker pull "$IMAGE_6":latest || true
     - docker build --cache-from "$IMAGE_6":latest -t "$IMAGE_6":dev -t "$IMAGE_6":$CI_COMMIT_TAG ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
@@ -44,16 +50,22 @@ build-master-staging:
   script:
     - if [[ "$CI_COMMIT_BRANCH" = "master" ]] ; then TAG_USED="latest"; else TAG_USED="staging"; fi
     - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
+    - docker pull "$IMAGE_1":"$TAG_USED" || true
     - docker build --cache-from "$IMAGE_1":"$TAG_USED" -t "$IMAGE_1":dev -t "$IMAGE_1":"$TAG_USED" core/
     - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
+    - docker pull "$IMAGE_2":"$TAG_USED" || true
     - docker build --cache-from "$IMAGE_2":"$TAG_USED" -t "$IMAGE_2":dev -t "$IMAGE_2":"$TAG_USED" preprocessor/
     - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
+    - docker pull "$IMAGE_3":"$TAG_USED" || true
     - docker build --cache-from "$IMAGE_3":"$TAG_USED" -t "$IMAGE_3":dev -t "$IMAGE_3":"$TAG_USED" client/
     - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
+    - docker pull "$IMAGE_4":"$TAG_USED" || true
     - docker build --cache-from "$IMAGE_4":"$TAG_USED" -t "$IMAGE_4":dev -t "$IMAGE_4":"$TAG_USED" cache/
     - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
+    - docker pull "$IMAGE_6":"$TAG_USED" || true
     - docker build --cache-from "$IMAGE_5":"$TAG_USED" -t "$IMAGE_5":dev -t "$IMAGE_5":"$TAG_USED" fluentd/
     - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
+    - docker pull "$IMAGE_6":"$TAG_USED" || true
     - docker build --cache-from "$IMAGE_6":"$TAG_USED" -t "$IMAGE_6":dev -t "$IMAGE_6":"$TAG_USED" ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
@@ -77,16 +89,22 @@ build:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_core"
+    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev core/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_preprocessor"
+    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev preprocessor/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_client"
+    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev client/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_cache"
+    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev cache/
     - IMAGE="$CI_REGISTRY_IMAGE/fluentd"
+    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev fluentd/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_ingestor"
+    - docker pull "$IMAGE":staging || true
     - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
-- 
GitLab


From d61d49e32600d02d8ac0e31937b5c580fcfd78a7 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 16:36:27 +0100
Subject: [PATCH 119/162] test

---
 .gitlab-ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0bc73a58..a1fa3064 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,7 +8,7 @@ build-tag:
   image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:dind
+    - docker:19.03.12-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
@@ -44,7 +44,7 @@ build-master-staging:
   image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:dind
+    - docker:19.03.12-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
@@ -84,7 +84,7 @@ build:
   image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:dind
+    - docker:19.03.12-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
-- 
GitLab


From aaed066ce0bf9a96e5400f015c8de69f6ea78960 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 17:11:03 +0100
Subject: [PATCH 120/162] test

---
 testing/gitlab_test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/gitlab_test.sh b/testing/gitlab_test.sh
index 8cb3e2c1..6d5c35b8 100755
--- a/testing/gitlab_test.sh
+++ b/testing/gitlab_test.sh
@@ -35,7 +35,7 @@ printf $OS_PASSWORD | docker secret create OS_PASSWORD -
 
 # create docker configs 
 printf $sftp_users_emg | docker config create sftp_users_emg -
-
+swift list
 docker stack deploy -c ../docker-compose.emg.yml -c ../docker-compose.emg.dev.yml emg-pvs
 
 ./docker-stack-wait.sh -n renderer -n registrar -n preprocessor -n ingestor -n sftp emg-pvs
-- 
GitLab


From f5ce203b9edbe30f964c26484e840f69b2573987 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 17:29:05 +0100
Subject: [PATCH 121/162] wait for registrar initialized in test

---
 .gitlab-ci.yml            | 6 +++---
 testing/Dockerfile        | 2 +-
 testing/registrar_test.sh | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a1fa3064..d0841394 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,7 +8,7 @@ build-tag:
   image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:19.03.12-dind
+    - docker:19.03.13-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
@@ -44,7 +44,7 @@ build-master-staging:
   image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:19.03.12-dind
+    - docker:19.03.13-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
@@ -84,7 +84,7 @@ build:
   image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:19.03.12-dind
+    - docker:19.03.13-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
diff --git a/testing/Dockerfile b/testing/Dockerfile
index e423222b..c210be98 100644
--- a/testing/Dockerfile
+++ b/testing/Dockerfile
@@ -27,7 +27,7 @@
 
 # this image is built manually and pushed to registry.gitlab.eox.at/esa/prism/vs/docker-base-testing
 
-FROM docker:latest
+FROM docker:19.03.13-dind
 
 RUN apk update && apk add bash postgresql-dev gcc g++ python3 python3-dev musl-dev py-pip libffi-dev openssl-dev make gdal==3.1.4-r0 gdal-dev==3.1.4-r0
 
diff --git a/testing/registrar_test.sh b/testing/registrar_test.sh
index 1d3e0aae..cbf978fb 100755
--- a/testing/registrar_test.sh
+++ b/testing/registrar_test.sh
@@ -8,7 +8,7 @@ IFS=","
 
 while read product; do
     docker exec -e OS_PASSWORD=$OS_PASSWORD -i $(docker ps -qf "name=emg-pvs_registrar") \
-        python3 /registrar.py \
+        /wait-initialized.sh && python3 /registrar.py \
             --objects-prefix $product \
             --service-url $SERVICE_URL \
             --reporting-dir "/mnt/reports" \
-- 
GitLab


From af78bcd2d7b7fbc17d3022c7082aebbac1163cda Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 18:02:59 +0100
Subject: [PATCH 122/162] add default MIT License

---
 LICENSE | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 LICENSE

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000..451c3f0c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,7 @@
+Copyright (c) 2019-2020 EOX IT Services GmbH <https://eox.at>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-- 
GitLab


From c67124f1545b42f65804fcbbb6f1463d24212ba1 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 18:03:07 +0100
Subject: [PATCH 123/162] see inside registrar container

---
 testing/gitlab_test.sh    | 2 +-
 testing/registrar_test.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/gitlab_test.sh b/testing/gitlab_test.sh
index 6d5c35b8..89f1eff8 100755
--- a/testing/gitlab_test.sh
+++ b/testing/gitlab_test.sh
@@ -35,7 +35,6 @@ printf $OS_PASSWORD | docker secret create OS_PASSWORD -
 
 # create docker configs 
 printf $sftp_users_emg | docker config create sftp_users_emg -
-swift list
 docker stack deploy -c ../docker-compose.emg.yml -c ../docker-compose.emg.dev.yml emg-pvs
 
 ./docker-stack-wait.sh -n renderer -n registrar -n preprocessor -n ingestor -n sftp emg-pvs
@@ -43,6 +42,7 @@ docker stack deploy -c ../docker-compose.emg.yml -c ../docker-compose.emg.dev.ym
 docker service ls
 # perform the testing
 bash ./preprocessor_test.sh preprocessed_list.csv
+sleep 120
 bash ./registrar_test.sh product_list.csv
 
 if [ $? -ne 0 ]
diff --git a/testing/registrar_test.sh b/testing/registrar_test.sh
index cbf978fb..1d7ba6ed 100755
--- a/testing/registrar_test.sh
+++ b/testing/registrar_test.sh
@@ -8,7 +8,7 @@ IFS=","
 
 while read product; do
     docker exec -e OS_PASSWORD=$OS_PASSWORD -i $(docker ps -qf "name=emg-pvs_registrar") \
-        /wait-initialized.sh && python3 /registrar.py \
+        /wait-initialized.sh && ls / && python3 /registrar.py \
             --objects-prefix $product \
             --service-url $SERVICE_URL \
             --reporting-dir "/mnt/reports" \
-- 
GitLab


From eff48988d943faf48bc8267ec878e274d4cef1c4 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Mon, 9 Nov 2020 18:15:30 +0100
Subject: [PATCH 124/162] fix test due to syntax error

---
 testing/gitlab_test.sh    | 1 -
 testing/registrar_test.sh | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/testing/gitlab_test.sh b/testing/gitlab_test.sh
index 89f1eff8..08920c0a 100755
--- a/testing/gitlab_test.sh
+++ b/testing/gitlab_test.sh
@@ -42,7 +42,6 @@ docker stack deploy -c ../docker-compose.emg.yml -c ../docker-compose.emg.dev.ym
 docker service ls
 # perform the testing
 bash ./preprocessor_test.sh preprocessed_list.csv
-sleep 120
 bash ./registrar_test.sh product_list.csv
 
 if [ $? -ne 0 ]
diff --git a/testing/registrar_test.sh b/testing/registrar_test.sh
index 1d7ba6ed..0e0b6ea8 100755
--- a/testing/registrar_test.sh
+++ b/testing/registrar_test.sh
@@ -5,10 +5,10 @@ echo "inside registrar_test"
 OS_PASSWORD=$(docker exec -i $(docker ps -qf "name=emg-pvs_registrar") cat /run/secrets/OS_PASSWORD)
 
 IFS=","
-
+docker exec -i $(docker ps -qf "name=emg-pvs_registrar") /wait-initialized.sh
 while read product; do
     docker exec -e OS_PASSWORD=$OS_PASSWORD -i $(docker ps -qf "name=emg-pvs_registrar") \
-        /wait-initialized.sh && ls / && python3 /registrar.py \
+         python3 /registrar.py \
             --objects-prefix $product \
             --service-url $SERVICE_URL \
             --reporting-dir "/mnt/reports" \
-- 
GitLab


From d628f09dd62a699440de452a3d93162d91a9d0fa Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Mon, 9 Nov 2020 22:50:37 +0100
Subject: [PATCH 125/162] Fixing wrong item lookup in S3 source

---
 core/registrar/source.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/registrar/source.py b/core/registrar/source.py
index fc0e0494..20e079b9 100644
--- a/core/registrar/source.py
+++ b/core/registrar/source.py
@@ -177,7 +177,7 @@ class S3Source(Source):
             f"{bucket}/{item['Key']}"
             for item in response['Contents']
             if glob_patterns is None or any(
-                fnmatch(item['name'], glob_pattern) for glob_pattern in glob_patterns
+                fnmatch(item['Key'], glob_pattern) for glob_pattern in glob_patterns
             )
         ]
 
-- 
GitLab


From a19754e60232e86a48bfdcfe2fa77790b3624e2b Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 10 Nov 2020 09:35:06 +0100
Subject: [PATCH 126/162] Fixing typo in backend

---
 core/registrar/backend.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index 2a83de1b..d48e64d2 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -71,7 +71,7 @@ class EOxServerBackend(Backend):
             bucket, _ = source.get_bucket_and_key(path)
 
             storage, created_storage = backends.Storage.objects.get_or_create(
-                name=source.name if source.bucket else f'{source.name}-{bucket}',
+                name=source.name if source.bucket_name else f'{source.name}-{bucket}',
                 url=bucket,
                 storage_type='S3',
                 storage_auth=storage_auth,
-- 
GitLab


From 3dcd1eece590103e1fe64f2ef3529012738abb27 Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 10 Nov 2020 09:48:36 +0100
Subject: [PATCH 127/162] Further developing chart and templates

---
 chart/Chart.lock                          |   7 +++--
 chart/Chart.yaml                          |   4 +++
 chart/charts/redis-10.9.0.tgz             | Bin 0 -> 60374 bytes
 chart/files/init-db.sh                    |  35 +++++++++++++++++-----
 chart/files/registrar-config.yaml         |  18 +++++------
 chart/templates/registrar-deployment.yaml |  31 ++++++++++---------
 chart/templates/renderer-deployment.yaml  |   6 ++++
 chart/values.yaml                         |  19 ++++++++----
 8 files changed, 83 insertions(+), 37 deletions(-)
 create mode 100644 chart/charts/redis-10.9.0.tgz

diff --git a/chart/Chart.lock b/chart/Chart.lock
index 737d729e..cd2ee36b 100644
--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -2,5 +2,8 @@ dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
   version: 9.7.2
-digest: sha256:a59e13b07f7f8f203ada856c39d69e9a4d2f4810e1265d9b80d8fe661331979e
-generated: "2020-10-07T14:27:02.464388398+02:00"
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 10.9.0
+digest: sha256:19a4b34c5ee40a44b18979a052b53a54569b69bd8b37e6f805826482dc6432ea
+generated: "2020-11-09T16:57:52.383912+01:00"
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 2f4a7b4e..90fc7b43 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -22,3 +22,7 @@ dependencies:
     version: "9.7.2"
     repository: "https://charts.bitnami.com/bitnami"
     alias: database
+  - name: "redis"
+    version: "10.9.0"
+    repository: "https://charts.bitnami.com/bitnami"
+    alias: redis
diff --git a/chart/charts/redis-10.9.0.tgz b/chart/charts/redis-10.9.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..9bd7302ed264e66fd07a668e3fb42df646e79265
GIT binary patch
literal 60374
zcmV)VK(D_aiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POwyciT3$Fo2$)^;hhXb586YQ?i{$XM9fPey*LizD*oo+v$9>
z(ykaHAqiuOU;)sMCeHV_--Q<mK1DtJNGi^()FOcmU<26LFYL{5KzRRfjF{+6(Iotj
zJ9u_>c6Pph@k0G~XJ@DQ-`%~vXaBML?E7asyE`xTo`3%zJG*<&cJ}@QcJ87x#V6qc
zvH#dvx~<~izLEz;5fw-f8u9%OfR6+oQ8wL&BP7rOaoj;M`4uxxXtWR4yB!qA>CczF
zo!(zN0p>m<u~4tx#W(^^6XxS>K*2SNd>p_Po_g0POfYak8ScTc0K$O|1&)B>A!ZB*
zASfUX2m&Nf2Y?Hf_#$B#IA+(F0Vk1<B`gj;iomClKqQjoNHpTxFh+cg`8I@v3%(5;
z3l1m>fKw)LAR%JGdmS8&NQC!cL`58S#&m-BVJt+<_xt@35#wag^Xa5NAR<B&()Z=w
z;C;a`?oSXGn5Cc8=IIb$4%|X8-xLVMWs7|-kblK>={}i^^k1HO?d|RDeA;{Vycb8K
z&J~{CP!{n0jt3gHCx@#r*YOly)RasRQA5W}6~z-o!hMSm%=rItI?(}$kR0L<`khlA
z2aNdtC%{~Sn;<4g)Elz2LheIHztg?a^Q+o!K%Dun7f}BSGtUl4*4XcB9P|k7cdqSn
z+TH2>t+&&8=q>T5di0`HD~#XO0nkkUUwr@l%jZS<|KjC~HT}PjXJZ3?3h4laaHO^=
zkO>-Lh!H~*EHLApjSV;rG2(a|A}TP5F%lrggu@L9L!j4~F%ro4xKw!?NaTk}K%x-@
zIL1+cBcDhb?bB#TMu{Q&3D@;Ux+|LCZEV0{!WfPOpld`zGzilYHJ#npZ_e<DaKWaE
z`l~mmNf@4EpJ5>f)X`Anfwz&bu@94}{rdz>a8|;Bpz8s6PT^nhRDVrt$&(I^@L`BJ
zmtfDG-yP7DbRRx{>BxZ^;tXf<tr?b~i}EwW!|a5SbXL<;MQ#hnQD2}D@5@0dDEq1@
zJ2+E~Q1v#ZoCtN;=MOZ1njQ%>(jRmEX-WDwcoN6zB=%$%Jro5V!#u{mAlKLw9g+}x
zA&IVZFFGLGG>nE9-~mCAx4Yx99o>)f82e;61(eOvDGiA~)t`^>5GA4Da)~`X2yf7o
zKLs+(MkAS!ry&xUi>KRwLoRs@p^6_5PpCL$nBz!1EsT1<-@i%*m_=A%b%q7h=lz6Z
z=8X~(;J#{r_cvmOy*LR&5{*3l&JHV1ySfi<Q@W*hikm`VI0bHp7y)7oO@R(e3$kah
zp?|?7;Q|I2CMZf244+{nZ~!DyyG$PCJVrk5Rm^6^zy#t~yr1q^FQ$Q)G8=t45<NIC
zX5<<P?AZm^x1-%q<88ft<dQ#ET%DYXSTZ1L94W2Q%)>AVLpc@@coNH5giS?~EPJE|
z%djF|YS3G9TWqL5-x*N*g~lYz*$rtp_H`cCVVFoJQ7$AQ`O=QBU&vwOND{GN9|TJz
zmEa+|#)mYC#6Ik)+V8n(6y$0k5e^|8h<qE<pa&Nz^$iGDWKkB-%&F#hC0xZe6CW!k
zSi;uJ0BDpop$fna5o3^hQ|%N9D{Wjt%UUN97m}mr9a|tbsv!zF)@$kv|B(<TX*1`N
zrv;RVv8>}OVFPHCZ-)qu!(qjGO!-7XW8(9^t<eE_YMdJIDMm|_>s*x=vWXm3Ew|K6
zS3TRXA+Tm;r$n}n%r+2O&l$@Mn!7O7P1~5C{F)Kgk>Fk1ttKM8ax%P1LYxk;ffz4J
zju$7$cTbYjahJ&QY`#VlnR6^8OQV0tT@VpTq7TQ|zq%k3OcSvWFFF8!B$Oo+N!$Pe
zdJ`QC1!iwa7!r<s8U=hGUP^Yk129A+lyo<(zx!AHL9%yYh{N+~<nw)y>rO7@eb{^X
z?EAmzjeHOUM9-1gJQg*Y+6*bnlbeVJ<}7ZeHX4lG?E2RP#rwMIYeo2gvXl;Ufduih
zc8-s@Y8)efED1qKd}P`^9@<)g{+w1)lzoIF%p|!+z)%#>36KDgkS#Eg#3>9ze7EyW
zXc%L83Lx2SNwx(XA4$5a8<Su>14k)aWXF$>azy;lt}no!1Vcd8KF}j_sVfd4B-c2?
zTq|4{MgdX3Vnzp*h@N{*XYXxOUfPVOo9S;jmDQUqJ3L$GRKC_Ly?7R<tM~|qNG^K4
zJYQ%Eff=De;ib?kweXfFzK=P-7&FYrGz|2L)$2Q9*m?g#ap7hRciOYv1$yQuT+qpz
z9O9(7V!xc_d#*pJlRvjG7}nY%VEB&&bEA?A$%KgFx|m7LeL9H~Ma+x_N*%*#6DenD
zo3g(FCU~OG-@O+v-;(sLA1C{;yR$Q??D@Ijj$%e*%mh*E*sx6dmQdGK64O{uo&00p
zGKI&ddLm5e(;OKyGNFE{-W5++bym;-%OYAxPAS_Pih>_dD48?O0-o4%-02Z-eZcrM
z@^LIAzonT-FT&!6vMUme?7RMkgz3p1NrId|S?m~XKkV_M#+bdd{W)dyS~A=yngYs*
zxuc$jn=$dnFhNs!lrqg<T4vZsk$jtQrBARx6%$cJj*Ab;Vo2tY$+l<|PFIW{3)>4R
z3cP{of{Q3u|E{+XK!^r7bbdO$KRz`Ai&_x`b2YwS(*D_n_LRdBm2wcsbGs+y6(fe|
z*ZW|8_Co5Tu+uTUH(Zb_UCTyp##oHy!h#dG9Plws!a!o)a5R?Q7DNIK?_!L>RGiQN
zhf3ie$KkXG{}|)Q@_eewwwewp?r<%h$Z`6VG3*-|*$)YhghrNg+?jy@Qnb#>Gje@e
zwwfyg0ggyyv>7xq9gy^P+Z0m}C6HLi12mF+vO4=1ov2l+X^w`lS?nSNm<tkV?n5@d
z)yrgI6o&NX^(VbF43#%*jQmn=jw<A*Tq5T^`2R|lQX))`Uy_0JyA}a+-xMA<so`U@
z&X8!tFy|-dZ;|lFZ`_5KembQ=@oUGd@B`mh!fX9{InNcWUoiS-j{CSUoUvrFC29+x
zwA!$jGC~p62$6#~k}lz9N|6Rcc*<4<kZ>jPk1>?Rdt(CWbl3p-wWB-x;ovYkeA<pp
z9{M!QPLQ)C#A==DV#+o)q;etX%`FQXvBL<@mXgYfDc9}+ipfumCb7fGgC{vR97&0n
zXK!-{racV7Q>z5~2_s?}%Y90)Q|TJBL9s%@aT%(lIK_e^ANP_-3L_-MBZV3;1Aq^|
zE0T6*^&3)bQhkv8r@)^?$9Bs6uF|9oxf;7V&LvmFlIVcH=a{8$<asdVz6evzjM^C`
zt%*cJx>q;gedN>0L{b_pK&YxPz;dIi(?d?1QC~+`^nA*2kJAbIB)73qWv5$T_rNeF
zo-wqQs~HYORo;j0t`w2FseY(Nr_w3wLo&45Dw_i;#-%}TbqZp7Ds=4bc>WkM<g4;w
zJVsG6!A#0HT4zS`JJ0EZ-F_tnc58*PMz$x$*wZFp&yK^RkvAla3y&p{Jl*1S;N7mp
z6aGZFnk}v*SlA?^h%zjt5`0Z)lA&d*vyqn8;_kk(d)Sd&;i<%m;yVN*_!<YAGM^be
znyjLgf_X3&!Y_EL5AL^`3>w7%;xHs~`;&+Zi~>pOaCA)=jntC6MvTaH&fU5Fk%SpB
zk-fx>6E2i_SkGOo-zW$)OePpMbw}T-dEe@!1vDosPo7LUF+mX;;lRR`P=3`=<OCmv
zh)i-iJ`N7JUU6d@Nf!@EB&F2TUk_7th}D9mEf4UJGHm;-PT&EC0Zk%FFf3+O4<t5I
zlEFl$#5&8#*no>S=Xq6te4lPWBfrZ+f}!D%_?6mBRrVi-=nHCjPs4%e{gUlOr4NXx
zkSCLTeW*)i2vOipatE7Qp31Oh1YS-0eJOS*s;>yK`_ryc3-2)drj}Hs)itupkLG7}
z;a~8ySm75ut*CR*)W+dKxrTgW$0K*)(a+ja$6=F1Kv|%%Y4nov^8iWy-6!!FGcCJA
zFg{gvGVo?*-36UDS9UaY+joUJNyFvpMQoJFo#j&a!<_7pYWQrGkVH7Ex2@GVpU@-@
z&E8RpAysxCx_y>JJwEQvrIs?}cr{8X-H;<g<pweg(P-Ymt2z|}*IJ<;<yZ3pJm`Af
z1bx!-wijz||C)wKkPv%9gk85J!*S>hkbf1@k;louG3@T_J)aD^YP+YvC5vDbQj-bt
zIF|D*DTid_<u1xivf7YFwN^h;tFbFom4meG2FR10M%KJ`Xv<i_<Wq?Yfx~I0$s5R8
z@+gZ&TG1wnLj-sdi>Wy>tE_HiD~ImFh6XH8K|1s-7wFmU+ToezZ4Wi`<-w0{-k<+`
z^n?5B;LV$kyH3moa+Ztaz_bLa=)EJLwo~J!k}<uO3_HH*8?o4vLXt-Z|H8iDeceP~
zDRYCI;1Sc{pdb}j^!O{%D@k4iMSwyj@d*svALAeiG1~^*8}*>e1!Y&=xy-RBn2<;w
zy38}8yrUwWB%vU2h`qEW?$~0}mnWK_I!7TNBZdQr8CBAACQ_0}@)a~teUvA<E3Ct2
zpn1nFqlQk^wtBCyB$5E^zRkdH8@pmAzMmc+z1l4{qJ=m~Df=->IL@FVu5_bmhvgd3
zA2EuRnEr1%84v}RZ!5448QXTm!NC-e(QE?#gng~LmW`;xE2Pm#o>ya}5TU;1wX8iC
zkIFwrX)wsJN|P#igeo<v<e3$Pk^^zN4v1kuzMo7INlFb7fwQGl>T0q*gE}vr6uDB=
zr&Imq#D195HefdD+A{EMSq6&JZ}yBvtD1goU^QAR^CKizX5p|g_d{a<f41kbF%G}a
zy?mkH8BZ9wht!TB!vacrc}^Yr`MK;>xFx7fQ)SrDq+9s$xfDP}O5o#6qEK%t(Y?E)
zKUN@oquN-~0PI;cFxy7e%Gv-$vC>XkZnTpsfx78#@o*&AG^QjHUFZ7%8J^Yr_I&r3
zo)<qPTB~SxnWlojbuR-X@a1n^xP=kJF}(YwyO{l`;+Q|70S1mk><h{?4G}cN3}w_t
zGAxL5GEy@0oJ>lNA@6H2ioQr@yuYDXa?|>1A<O9y+6}`QkT<{rc|(ju!ki^5tDKu|
z?8E1-EY-_5j+j60?n4(%f|t*`$`<EhD&wK^f)fq;5;#cdHzH!%N0A_&{bhS#f7i{@
zJf^Zjl}1BZ{B796qP4keadVeOq5Jk+aph+y8Y%U0cXy|!{@4F&_xDcDGs96#8GV0Q
zsio9ObBhd_ip|sNs*J%dDA%e^ZDZYtk+B*TG+q;$M3N^(Vq4DfFbUyij3YCIfDDJ2
zIqpf0yO>$j67W9s%|)8DJ)R5#!W0#mTIG{zT2S382%5G@A_(xctB|x_Q)*Yy2*c^G
zT8VDtjnw6^XV{9tsp?6$n=LfiSEZ^fPla)j2J0hT(jK}#)k=7Q|8-ye-Kk?lhpyMH
zs@Cmpn+;|}XAZ$sitUQ;zb2eeV;{8elF0M|HYM7uzynHOpqh%3Fx-ZSmYP#q6(H$|
z)J3Fi@W+&<HYfuxYaO#5z~(640~*1>KhEVSP!u305uZW&>6h2r@-zIGx_WgkkbkvR
zu*Bya(Yv0W3vC~LE6+E*O65r}&*XnFBJjJ&*DIBif8%}l>rW)5T%}n{PiI@C6&=x?
zs@g{z&VdUsDH$fsyVsv$hB+_j2;RqmlCXu8>PFLTODfGAol)fjXi8BAG&;f|7Ff!E
zW)6%P-XxDCf--_ab+t>#z2c!*IbNx=et<afz4Q~uqQ8;I7D+TpUvsQ>lk-zggDQy6
zP5<}vJx(V9F`>>3Q#>8-JX0Xaw<N3Tm0&bfY67Q2{f*eRW9@*<?M>Q?{VJY7vSl$N
zR2lB<R!C`N@q;sk2iCPxP<b{Q`4UIhaE+KD)IV11B40<>zar*nBaMO0whWn3Ei=qz
z<&?zov0VB`Mko8}D}W)vVIXC1=bd@0>0SC~>JQ=ePFXx1De5hXwU0x7r2AEs58pb~
zjp3keU1Kva2G>l9ey;7F8Sl2S0Vh=8eM`=Jig_R$5J<rSsq-V%xp&Oz!mw7xDu0Vq
zA+IzSm?&A$`X2yg+ftrOY3jB<`bad!j7TPia!C^XP-&w`lv`P{@5*Xv4fCq|tyoZZ
zysa3}jhvCGBoVGT(ltlgk|Q;iV&h_<<|D6McnpRp-Mv-Xp)^^tR;MbP&YKoCoW<=M
z=hmlVK{3~HtvinyMuDW+^0bxG`||3C><o^n{>KwErXd|oJ+9jG{H#4khws4zeLBCw
zH(FIE4<TFe7d+ipb7<a6(cyi>ksy4iyb1Q<h@Mb!Zp;9ZPO7Gyk);?|8wS>ffmIs@
z^q%}??E*@JTdlx-oR)!_u9??s+rZj3@W^ZfnoT*wnG5zRZ1v?9=CwPlN>BgQxD6E9
z+5j@o4TUqUxS8L{BLi5eLTJ<<taZO@-S1lWyVm`#b-(wi`(0~o??r11r;JXp7~_P)
z>rX161A{)i#exxEdq3+xD*|&Y8?FMI_O!HsM*Fba+uiN$=AuIE=|gB8QK4N#1-&H9
z^nu0jJ$Scn6xe2me^P5QRWzzYzSzN9Z}0<_IfH{g#{QLeg{LY2)-QOvJ(<3fyY&~W
zbZ$<StoafyX0Vk9`3ROEk5RKjBsRFuP%KY<$$)h$3TQE|`?uY_T`kw-S=EyAh74g!
zlc&sbl@+&|e9AE8{j432#*)ET$C_c2-qJ{JvI3WA#nGH$0lDh7Aw(Dl<_6tH_GKR?
z8e+=2NMPXr`B&*B*o<^omLrKm%(=Z@m_k)*^J^4J$tXSA-TPrTV<evPRQR6K#N1hg
zL(1^GbNJxUspE(X6o%@*EYTNRf8Sgz<Yom<H$)gP%lG6OwxXC`FRN^_;+?mf_2HLf
zfZ<*`Vs{DGja&A~vUORNeUMbb%U;;SOsi<J&YmS9HkaKD*V{>j2yN9O9I*UL5nL6q
z)n1(422Qv0id2zSliZjN0w~$q-kAx^MH%!|{NV~Qw$+~6&^iN4%2cOQ#wE^;t9G|#
z7Ow)k>FlpekTE8~Y<|^ER!7>Bk~_ojFL_ECOqfF35bI&10L98UHj&7l(uApvogH;=
z(Up|in3{~t2%zr-+dISRmY4~Wn2YJvvrJp=k}!CHLM-W>8p091iPBG!>xh{N@%k}|
zKO0D|x}QI15!Sl-h-h8t!Iv+d;W@fr;MFVGaX=0!+lRf0^TycLoHugSUSp>0E|@XH
z`|EG0NZivZ$z*~gi*l9=Oa`AngY54U-Apfi|K&>;zI;(Jh;ndp!HegEC1u$hxIA*-
zDs|J(WHfdg)Hwcot`7#~T0iws($tTGsla@(8Tbx%cXsmd`wh)a(5EF@%LD#9{A~wb
z{co`Y<wa1r3L2I{{W@55At-Z-j`>GnlK5kz9?S#Jt&ZFLH(0bqTTW9&{q;W;*DKk)
zG}5W=Pp@uy{eq{juZi!(18~+?p{w?i`lg<FEbHOmqh!oJ3Mx>z(A<A`G5LK9{to52
z-sO*KuE$6oSZd5FdidSVvD;GBH0$8yMn(w{7w`fmBua$UnmHj6>Y3qrRH6kRm>M6K
z_dHeKy~#N{*z3-i3qWZU3LEC^_;lMsP(t_(;TS@Ut}zTk6kSz#N?8Ai8EzNGKj}Ck
z!ij6{M*5YXwbtkqvk9@vpu;hWMmib;y@@bO9g@r?d86`F`c7r(P@17MScC~9A)7A)
zueuz*pg=t#5ee`hlcWa;x01ChJL_nPYpJ;uhcGX=&S?SK-TP~`1<1KCE=QzpxtGFM
z)VRTHY;-ag7`XLZ!SUeTkG0hulfedxC421AD4cq#Z2<jBc??XoT^x?=)#alfT!X{5
zYQ{Btppan{Ozo<bv&!Y>?CMw|=Q<pU++>G#&g6URfD~gkq-<itrf7a!ir~s%5Xj~C
zi(C*+M3qe~oC24uF_~y46<t#jzzt%NEVI?o@Q&@yDebA$iAlK#wU1t%ZL0j1s@zcP
zD9fO!;Lntc^C{2Je`j0kRN1W6y>=4@tQeZ3z2lUQET9~w>|J>iZ9v67kBdz;gs3Wa
zt8FAFtrSsic@PlJ61AXUkOU(Y4rXCLunZWt!#PS{{h+{C?wkpU4lDy{9m6K*)B6ay
zZ{7I+CT6^0`FQ{2-Nozkp7<nIm}8(h|HJOf-JN3opXWO}->>sO+{g3XcP6`oT<tLu
zDyH7en3$O2N*g6bmjO0896~z90etser}O!<r<~Yq#G2l(I*W+bTJ>_i<6W1nl$@}w
z9Z`{1bYn-U60!h_0@!p*<subYN1iR%tp1*hwYMd~cD&U-9r(w=*~#(APui9Ghx9O!
z2<uiL<5eCPa)4cD=&#gf?kb(?7+q`q)P!=O{G`IEk_FTWJ;rJLDeX~>%{arUvM$j?
zXm{>>m@rMQ{V|FNpY(LEf2;_5vJE%NxJaXsJRy_ONJ;@JN|Edvzac`$H|eJGL>G)G
z*R>Ar-5wn9)Q5#!<84*hSB@>5x=>sk<dpT-L?sYGaE(F|WU<U>1YP^1o5=>f)lacp
ztT+nnx-I`{m$O}jHoB%+p3Z`|C2V|Dw}|0Awbfc1>2Uzp1nKydpFfvt+l7_Jzmig>
z39hd-@+$Pw$+?bzsDhTswLv1Sb4-&HbY@EaJ=wm|+V)c4Px*mg`#q;~xk#h3KSRot
zf1Y-HP5DUP>HKKE^lumu*!i>#D!f}7#xq^(X{24#iuL6nuI_|HvoYod;gy}t;z4qW
zsX+H$VGRxFHSXz2R?+F_nyYqG!<U*H&(N8rr>Ha$E!tMjTFW=>6<0@bf87=89~ASQ
z!Z2MLQ8*AUD2%YsJxqxpOCocLN9%~-?Df&{`Nz|P^YeeaJ3D&yWK;5;Qht+lO(aAw
zbLxh=jzh)Jc`7~V!GlNPUz|oU6606h&%FQ%q>-LRYW&iLTNT*t<#X`70Q)q+Te&e`
zP#f_!wS;8Hnwo^&9-Ji+ASXs>dJM^BkZ`Q+P&y*teu*55kh^pi04!2i5-p64!a^_s
zi9L^D6<z<;(-VA+*;DX599@^@CI1^dE!|bMqdr)K+t^>=dB8)AV<3^a#UjUbNaLx-
zp$dKIL=4PAAqRTFSQPkiI}G&YEcXTN>w)$p@YZPA?~6(7)?7souJClR4qPe!gT>oF
zJXmD(rj|nfdlND?qegaK1qCF82_08CVd@r&=Ls<dkF;NyzeyNoV<@hA7Drvrb(gqm
z&(q4=HU<RU9nIpwZw@5@Xg3X>Cke_pcP8BRmY!q?FK=*z*?Q95js*Pn`LlzHM?X_7
z>6J5AhT!k@;Ls5KjOo&({qW6knR-_+(;0r6_-SkFRM!){@$3l)FK*3cH_tbM!tADV
zo3EEYndBl1xg_$Ex)ez!c%Gzq1wtlEqpZ9kGHG+_GFS!cy>i?X`01|)J*h;YSxLLL
z9Lh2uq6|m)l^|e&@hN`)D;i!=WdD;)Y+0^Y^;y!<Q6kP&UhaHm5W=&}RE10)>ilUT
zSh=T9$6k-oewaClL08VE)~gXJZ2D}IQzH@FrmZyxjAE=3QNx(={j$n4Q*$+HKfip*
zNoXhUj$VH}J}ro5>ehWr1}HCe5rHTC!_MzLE|5rg4+Q~}GO>DRethX}mAY{H?(Cw_
ziA9>{G4^{Zd!%g7Mwa-}&GJvS-C0}4UhZtlCk9#a^m&r@x_J0M-c6V-%iOxjtAJ;(
zos)MLulM0tsOTF4U12~l#5dM?q&m=ucHfYj#wx~o9qZTf52VztW1X@t(OYvLp5~MV
z*M7?daWi|0pXRo}`RlV^j}I$$LF+bK@GD+c;PYq6?lR>YvPq%<e*(K(T<?^gNqPf2
zTWYQJ)Pm7d+5KYoP=0}CLn&}bh1raa8tQ9bx{k8H4b8KYD~In5DZ4=|Xg9<B+V8ie
z9Cb>+{W@jff0bu)ckg=@wPm+3kGXnZ+3Zzw0xBnaicob+!(27HKqIaZYYw}7QDuNZ
z0_#zjf)8!NTt7=ZMf?B9F%DzQcu&OPs@iC_|37>FV(&%K{{Q{%&f5NeAJ6B{{qNwK
zO!n0+*&zwBGEq+?TKqBIhwu7|fb_rXy#5s1Y~XHMHsvDF>zHz$xin%ahNjeB_Dx+o
z(ic7yxzA(`CzCqdf?!GH!^>ytPck`AhC}iRx?ToMQZ!E!s(kOX(?T33JeU0)HkD)B
zVCoc7vdC6l=T(`k!I+Uq459m<-1|>S{M<q4zkk)q#cR5FsI$_c6b(Ar{2vJl)#WQd
zajbgU>-+<21gP>tqCxhB!vOm#&Jm}RT-rx%#v(WjbVML^Q&4;HsY`2{X4J;yrIKRB
z*x%}Pj)!?9r3bx6kj|SY((nX21`(I+XA*{{w>9X?PHL}g|1KuaPs`L6XtgG+04RSv
zQJvp^)qdGI{Y>$oq2ySUtgpGZb9b<~pmNZ3yYp;>y1(`6JHsMj+60Q?n9-OKwYp+r
zSFK7Ssik=BN>?$n1&u&jIXA}~Pp&aLq?1^##qQr<?e?B~JKONTyS?wd9l3K*j0Pkm
zf?(d0%h*8a{X|4@4=E%;H_Kz#zup~Sfp(jans$^#qu$kDmB-!nZZpbep-Fj$D<qXX
z1}hL%@<8la5VKIV`+QLx=~-*WONPhgu;DJ6h4ImH@hppxb}OcFg|)$u4n69IWYIAU
zYRIE8lcdzj`tzO`s%0sZD%Z1L-SXB2x~_)(p4Aa(R4yoA-h!a#I-{d!5B#5TIDx(1
z?yk+zru}fTm`9QYK<0L*N<3)u722DlIyzt)v<A3OW4zrNBmxZZzbU2UUT=2?0*ZO`
zRHO;vh}Z^B;RdUVkt$N?Bo493#i?#$dukp-IwF3ra}aW>eAav<!6>Hy;3OJ_N`kdV
zXNdkiwf9%$iXmJ%A)?4cs>`O!Iju$^9iY%?jf+B{{-}{@U9D|VTRbE6{r}|qirP2T
zE>5nRIL~Q5UBJza<QLU!sO~a%TUZMEVjCzm%QWqz)C$#hGvzDHwW~^1XKt@TjrBfT
z@3Y6W&$5jLn`tUabKy{Zs}+n)sn)wLSAMQdSFAa6&*dwux7>QmJ@zd}a+h4q4OK7B
zE}qWVjHQdJt+!=O&AB#cJ&c)KwXW)V)2=t|<Jhz+Mkh^kaV!03t-4Eu{1ChPLYpE1
zx>cF8<wU0?REW=uH|KJJ8oN+8XDo6PdBbfw_CAe8KNqE~FH1^{)G11v#&>0sfzKM_
zFL*j@m~LM2`G@MHAitB*9v-xu(1SKpdU&wJP_xwOcQVo}>-wy*9{sFStyijRWp9hQ
z*h_lM#$LCARKG2a^1Nt$uvg!Z@0$>|lF-(T(v&{Xg-_~q)A?dOee2huJ*h%@vtS=}
zY|~qH&{XfMX<7=mYyRlA0#b{!pG^9d^s<P)zfrpg-0K|`Xu+Qd7bF^)0G4Gfc6V0M
z8tr$t8IiLWM`@svkZIo+CglNqjRWoWWp9?Wz=JjH=ZKy0qN^Ea^=k*v97wCGRf)g+
zeVaLSmgY8%saS`MGGKFUcT*>|FYpcdN?R_A(pWM-#_A?As9puwYDjKLhN9pgjK}CC
znZWK&drX-K7>XyVT{No9Oy1ks<2Iayv&*x{81t#7a`kE%@3d(h8l$@1HTS*dz8?qo
ztwrV|wM{@RPDoK=2(EG%Yc#Mp0bIHdx|r3vTE%KsfbM8LH>_m`k+Nj*-G0YV*b#11
zJqzFc`LlK-`&{9rPlhTyXwF*Y#JH(Z`c;*1DO}a}I$cCO|EMb~&Kz$ZM*V>1hgCQ9
z`60DL((Jh{5|;HmfBW<7l6g2BWB*D{yBK4pgXNm^0wB;R4UuRPMAf=y6&+U#T>56_
zwQQx*Zmp5rTz%PWw2j{a!z29ZM-m0l_1JH}1^@lzmXFcii<kS|EyeAcXfSE^200)I
zu)r!R<fh|TTvC+g{gty0eEG7K#tn|Bl7f*uLnL)i1GF&g)5!!!fj&=k&^3L(vWQxh
zr!LTuxZM;lz0QA=Xh_qDRRQ&R&tT33VYZ<d`(t|J3EEGh05g@H#51jUvK7xMSzHxu
zCa2ccTAZb36YEN+tKR;bpSOxGeOnV)$+5XCTP~N6P7<Uu_tu#c&HVu<S<P3>t2J;~
zUZcq1j=#jslOb&4Ka}5JL$$43y&|t(&V}?__qT4h)RuEYvL&1f5vFl8b_q2KFb;;y
z3UPv4*28ba*$hBs{4IvXW?asT(ZxpZ;<y&?O(Ncc_+J&~?|<daJIY3E&JuB(38uPZ
zU8`zR0hiX~a!oD^Lrz%`wLq4qmd$V;C$U^;?5m`eb97)uXutnOJLeb|Bb0}95|a=E
z3d1ydG>}NqETj3FV9wD9Z!3D_%Ys8h!dk;l@&00}AUAM0?7xDLa8dn5$KrP070p(8
z_`OnE^_)2?2inH#%wBfO-IE3XMM(tR-=eNl)N>+Gre$qqNT>9-=+}cc?_Zz8uLp0A
zj}9)5-<|CL7Ae)Ot#qsKH+yd2S2I$5j_@pjzgJ8q&jp8H{>tInc<8s9nkv*4h5N!q
zf&bm@?Y?Y#PhhLCl1t60)>O~-%h~bOIzFWVT$q&maIT7g3qW>CMZU<wQqo9a0{;FA
zWM_5cRVkZJD8nEnH#RXz&cq^NqhlI)!gR^gz4o%qL5?6-$CxNtFk=p+keW*A_Ks+;
z^Pa27?d6-qA`TT+yRaD$UqJU-|H>?MV%!t7C&pO6(#fasC((r`N*b^8PDlY4Xs(#X
z_?Sy-CFT7t^lY|`9QhG(XutGKgHSw8E2?aoI=3L`KhY%Is;*rYj34?^=NwP*{%@MX
zpf^R672N=CzW=-P?B$E+h5NrR_I97I@BiM%lU>5vhwI(W6^VlVEWv4Kf&~hYK>HoY
zRK3j+89KS7X?4*ZI{CanD2^*Z=fHx#lUiBOT-8lWjxi%blBrw|&W*Q_DP%6bmU}4+
z*kK#^G#aX`9tCDE-7glVN~Xg+DGh}L2l*5S+KiycQK^0pZXqI3Amyaz1!X!I1zOe(
z*;GJSMZ6K0DN~MMW%0@Z*4TFwTVuu$O3<1{Qr#1ii2Kk)TB@;?)RxtADc4FG9o1MQ
zpxdp|UaC3_tF+CHI4$$J7NxSV`s!t|i>H{ET*(xGnV8o3?q?vn2x|^J>#D8LTw8Pz
zEEl^`8Kg0NTbhY(Urb^h2Yw*=q#YHYMJF7q4e)IO?dTb@m&i<V)XEBaVVz^qE-0uj
z?(Otu7ae01gqZWigJajnp(&5!kA$*hQW|<dZz2y3WuGS`3<<|Rl~dXV6{P|a*nx!g
z)&*5;QVJ3D8Z%Fj36^5bLTy<n7Y0bNl^8J;hB);2H1Zc5kA-orKs2n_*;_abOh026
zmm$vD$mY+xIRA_MpIxz@T$n3j0cY@kyOP-}@P9A&*70BN<*DTV44bqF_m`5q$H4|R
za(J!yL>^;bcCMT`(YJr^!wHRWM;}RMB-S%Rb<0SWI@5R!MK@&xVk0b0RY_a7)gfAF
z(zB)N+O9k<E82Gf<=Cfus_B+9*Ek;!y%+wBPX+xC#n@Y^8em5LuV*h`>=o$$%jYj%
zuIc}MJgb-gJ-vh;2mN228XzXo=%W<%NQ6267*ZdFJw8swm5smj2PEpJ!S1VrME*#^
zv{`#!;Uh{uy}I;~fG3~x!6QHZc>Lz|mrFNrYB7a?3#38tDrAz803-SlC1U*1SXN#=
z+5GSUx=%Kpn3$f?*>82>)&B$M%ZuK3Tk!ku@L&H0*dJ5yyoh=dnrEPG<wb3kR5GR!
z$FH7j+LOj`^&W?3@MKpfQOL#Q{H?_()WKJZx(QDTqcgCa4ylS`Q1dvZT$EcYCymjS
zV%yrqn{yqF__yq%3gqejHbFWo)~a*8Pzlk$)md|8N914*Rq#)qx7wMYp*8TUpo0l0
zT3<!oc&g}AbrAIeRt!ce&@H!+`k}+<k|D?iXIDlS{_+aCr|(XF>ca2;17eILQ&TN5
zr=WfPi3pYB5@1N|4h_jQUT@I#23>E^yWOC2WtBg^d3SJheDaeGfyPzpcbnlwo}?TL
zAd$%yywE;xB@8K2kYy-Y6M>dQ;G3iZ=dVvLj!#~{Ny)*-llO0bczw2}3YA!Txbqt^
zj?-Psd+6pW-M4)b_u=!8@7|vreLOyWwW~YTmzynpuhLoAFD!{jkbXLQe{y_ezx}08
z;#*ns))q1yB170rn|QUmm3{y?K7I9M_kSS$y7NEglf{m`#<c15B@aSp+t~e|^o3J0
z16Ks3d!C1s`SYYY=c|a`M5(G~wkrHTx&D858;(!6Ro}MZ$&MYNZnZGTg88f<5LqAo
zyP>sj56&-MpUoz@g>q}kTcErJ{In;)`T9S<JI^syaS?uw%C;ofe;OM6fKt(Vmwp98
z(t4AA&71VWB%^8_<wq0+72BTsjKtz&K-jD9lg)rI6;Y`BWT(5;?O50!b&8}{+To)6
zB&*b~QHOTr9=N^D)qe8-nOQyUUqgL0*eA}1YL(Ajj<=*-nrpaaB0Se<??(S$wEvh3
z>0Zp}1dB0F`0^H@8TS9ZooCMq_Mh)}zF*sa?&bMhk!9EhCCG9@7QdKiWN)=oRaWrJ
zmyT;tGEP?{8ufh2Fy-nFa?#DeKv~e&wCGS+-NPtvb1GP-=Bk?)qubfIawp0ocX)s-
zSk?%`lPf&kh9}w)z9P(W0aw;3AOoZzz?Uzoy(iY8{*QzTT;WA;y)AGQ#FRwZo5C~R
z3#QFZ1q)Hr9TEx5uCq{0_II0UFV<~vewZNPkKZ`c+InJJOqhbz%ijX==_IBRj>JB6
zP4~O*VmvQ*PpwGnn^L<}ztUR_>u1rY?)+b&``=9ezwf^<=6`$fVs~$S{@=$_Lq{Fa
zZ{;3>85w^B4kD{LFI!XSSqE274>otrO<z8nRiofR45gd5Ga5!wM1^u$HUhZwV!us4
zTmYrcR2=czp|buQPSeOLF2eGt_>boD`OL~&^;mO?9iN(omV4LOx2o!S?ReQ0)Ma0+
zL+0Oh_jau&$??3*imu+vGVf4cr2qN+Z>u>0X3+oV&v#4yf4eW9t?B=LJO!$dPw(fP
z0-EgSa{T8`hTNj8PZFq>=vRBGaCP3~DjVKCi4esbi`s3y;4q=4>S7vaGQzP=g>HVm
zwm-1?Ll@eBgD|8w5JVgp<}^%Hh*4d`p@7+oeR%QAQPjqa3hL8vAKo9G=0MU!3}_Om
z`;!s&^|2x-P%*~Ly537P^5*86z3p53*4KcnaiTAr1&X@UeBTPwZ=Z@~V4v2@!9FdP
zMcPG^_dY+ZBq~k8*MaQMS&;H-!iMDdUVjppMVWvPDnk6S(=?m^)j8bvp(|LDs`4Mp
zs;Hc(Jo3z1IXQoubt^x0HF}6v*qfzzny)YEoG2|+rgv)4M&&zGumiP4%_$9Pd$ic9
zS`aTy9k~nC6kg7LHCq4$ha_cY3E)0MF*e~P9oD**I;Fh!{oSs7{7;epkAuMqBY)^;
z=Kas-JH`C}J3DLs|6ZQL_KRt7L^w-StoR?2V1z}TE-0T`*$4=y<@yV<`*+63TNb><
z$R{K^NP{=2M%*_!=A>Qq9PMk<0rcs8gbH2Ay_?;M3J`Z>%4jc0&84DPKX>?)=zn^^
zvLwW-ISOXc|K~4@_Wzg9o~`fy-^=s4oYShvf)(FqOXN&0k(%RShVB0}2V}Lj|3U}n
zvi&#L{aS7R1wOu6P307peZL`MJPS=I2#7p$P?*UXuF0SwzKK4L+cqSLl96IYj3#kG
z#a@feC(g+uLF{Ki{%jw&;EB`CzrwwSVR^8pMF06JBme1VmjBn@&i5t$|M@!p-@QC#
zCiEQp2_s@^Gzlj8Wr4cqHd?t-N#&nP2l;|uuPI>pzyekdQM$-eMy^SSNBA}OQK%zF
z!4QQUcL0X`CrRt{NF@2%ho^57F3ytZfIro5Q8dCS$L>ivrJy_2Xg}2POM3>StCyLe
zPwlIWDHq45hgl!x3u7J1zdSuY%3j2Fm_hcAVHCWJ!s!{MD#J0Ka)BrAcb!f5h|$=M
z>}x6i!J9X-l*Gk*j@c@)lmeXxPlZYxzadfbDc3F4rGscHd!^!ssp$A9{K+}e9?uAL
zHmDTePkkF5<f(n5^QERgRnpEQ!qOLM{6z7qf^`@oGI{#Vo~d8cQ#}9my%iJUkP9U6
zFbO#p%P<Aa=l_eBdpiaF-`>vN&ieenm&ZNSQ5<u}JKIeD`C=+OvxXkWX}vnb{k=N=
zGAhr26p_aH=w$v#e72<NwKJRY2@58tIc$pasQg;m9t(r6vJsg;$22HfwW{3IiiHa@
zUX7h<5xq#e{*+3$>yYb?=b#_^S3H@Rux$#lHYWe3x+V@!dKWfu{||`cQzXXFtq$|n
z-BOae&X32lNV2(>(kks6Tc8!qQM7NuBy?|vU%QMBioTCC*U~|yv*YR)RO_BqS83BV
zOWD#+=5soflPJ5|oR_uOEi#oQACE$TY*AZrXHNNLM*BKDYR&>~UR8Rx)>W^>Xw7uz
zUKrwi;QKU*L@f<37t7JmnkCE#Rh_lTda??oPy5iVh#6l2pxd;P^SU|>1PzBIBEm^_
zZr`-iwl!~@LSqpPQty(itoydwX}O~IGTjg~#H_eKotI6WaO*D92R=p&pEBxWJ$DXM
zr50Y*=e+K_6`Z!c@y9qwLd^2(F!#E$_3C=1R<pdM`vs4q_I^-`rd1YKU#iPX8mP5a
zx$b9~k@d%FpP6}yV<UkCaP=K?i~lv=J0_-oz8Md)=n(n$o?m!zTj3&Pa+__=?%yqt
zNNmB*R@v7m;h3Qy$c0i)J3Xd15qM|%W5u$nOWiO78DK8?e*iBkMy*m|E#UY34gKty
zFJPGav<V)Tuc2=Jm;3w|@P^Q*vFO{(%393F!tXoTI^-BChv3ImwI}jK!hu(WGP|MW
zdz~d=S)$VpkeSWQ>T<hq8TvUm`|14EX4muN^md`U)7`2l@!zV52)Qk0myHcu_GLyj
zA2Z<%Nr($|4_}{M=p{D;z!jcW)&J%7KU-DzQGFK<T0u~;SG0R9FF-hWfARCj!#BsT
zPcF{OU@B%K7@s1BCj3Vds+=X&(~`9vjJ;S@sOtaG&mT_@&JNz5*9@bUhE&B|t6mf-
zk*J*M#s+4`mMIR{=+tACIksD*PfgRLceR|TRu!AauR+F)>TK)Yga#7x5p6&I42+Rm
zy3n1uxf{ke6N*FDW-UWg6n_#7{TQNArTcA7mZPRhrnf5jPR4D_w<cSxrF5h^*H4w}
zaBWd|@>%xs!~glc{f@Bd2G})ba&1`v-8TKl(RGn?(LAAEp=Ym8-y9#Rl$RghzB_td
z0I9s43reR-oHXpOcEPi%yO-k(s{2;89<|oPD(x+w&@FYV3g6WosA~Ji+^q=v=(c~s
z(=$9Qe{E0`>xw1G)_tz<w4tg+YZ}F=Jl^thorQ*jH*enk<KyeMrx*WhM8-aJr<hlu
zxZGqO!}1t;eRA-_o7XjP)p%Ki*i<*6=wKy-QR9{0o+T;wOrAQm-74Sdsp)}*3)ScL
zqT_aBgSBrtWqTT$Z3rkf3%uou=7nCpYODHxFhBf*n*J}qA64`y&jroXv7?`LW2@V*
z8MCzfvTf)>&1wERy8ach($QR@KAn{kw+d=5DQ>12+TCl@anozcnwmI#+w@gydQ0bP
z`5c&yp~JW32~7P5Do>86MnBXHb>S(j8msK2K57>3VKvycx2B+Yg$ZghO4%n>ik-H)
zhgpXh8=>x$(E+YLJaR?y9V8JE1cgU9MALJf7_bUW`9>-#6|oj$MwH`NJBYdBMOYi~
zF2bPG7D7m)5oRF9D6-nGG@d6P(<BTaX82m}y%CO#t`_JJ{!J$Xf+5zrQp|g~HVg>2
z!zc)Ln|qzFRO~iSeA&{)m|;GqVK5sD#TrG3Lqx)a;W;1{YZM{kPnjJlTbC6&MZK5{
z3Pq?=D(aWUSXmQ-ab~}pFq@t-6=F}q1)aQcK{f4!20ecjq<X5}=F+JFoW{@0?blqz
ze36CrYoV1@Y}f+G#vR*oHx)oGznuyISFxW8ARotuD#vi0-Sefk)L9M|G%eSeo2me7
z&RxYYrwQ|Mqm?c#)Bs(3NWP^>RCj2nInmrl>84MS81LIDS%E?!uM22sv0j}pk8rD-
z3y?tdO)X-T;mM#)WmBxKcbe6l3ki<Fpkcsb5_=V9f@aWI_+{MAC$XEb;+P3CBt8<j
z$O$(0Kvpc)u>RNkAXtKD&3%O%OEI8KyYL=*JcTT!kQryYIY}~w<rrwY#Y#06+I-!$
zskUsY{pKv4X(kl4=W-dh=d&MXfLudj9^hQfmztf&fK!?JMH$T`<|@~GF6&ESdb{xV
zzpu9UY2ntxa4b=G)V)em$IMSvgW>`S;vXNioS4a!1n^{2#qNLd^SkqllY_Uf;TC9&
zBhEwMW3&smfNrkf>1QzBjeGFr>DFD2ytI*YZh@b$5F{D_iH4L-w4{p$QWEwP#w63j
zl1L?=NE0*_?J^tilgeR`0T?nm0sM(@k*iqjfGLoretPv}GnZGRl9+2b<Zz7rs|!>3
z%NKC-elT<c-gvgBG<XQQrN!sPmF?OHkoJYqt$@v+l?`*|ek@w-OqPc-KDuU^NLpuk
z_j0l<xCMc+9L$_+r_;Fn@6xrQE;ZXCt`0d^%lJIx04?eKknhw|UJyA@&F&C+cnrs(
z<Q3IzOl4xZPxpyjx0myy&>u?dt7A2uj}!3RglP?HK4*+>X?|YYjn{VL!bB`)H_q*!
z$7w*WqvEyQtd8i|&a_)g1{X!j{MO~_lcu5l1<lNr2hqIEw6Zr>9aD2Pba#g5hV!F!
z4{ejHHb3WbrmkkSFJuk$D%2>@XcnxErCKlj+^uo2rkSOz4K*;AGB?z~T*BT^192&X
zLk-NwVR3Nsa<}O7ytamn#arHh*9dDl6J84Xj*WPA?W|^Ft<sQJ2Xqx%Yn8^lI-p<2
z=33H{SJ)9t+VYyAt<;+5AYg6J`xDvoDi!#Zux-JGY<qb%!;(_fqcHN-g{iFx&<(YT
zZlLkPr3E+t#mijHnO40!GMNqGX^l4JX`S7y#`d-8BLOwAifXcw4qp}js3BwaxpnqN
z<+6Cd)Fl(}yewPet1JfmmoJN4xHx!oe9$D4&xr7rJrxFLSDCiyCV423)Y4tjKcVhw
z5q-|<|10I$*JoNAptLJ@q<*MxZ<T75O7zs9@ppVq&vPn&g=a^jwxWD8Kv_-U<V1tn
zURs8dHL-P-kqe$g7zbR(qdUcHLO55E81`S~Xw7x8Kso`NDj!`wpi7ydNlUwQDp$Z*
z`&3N4E!djnc(RorhIaL@8%zpIMK3v4CuL~?Nm1~y6ji|huY;V{wo|JS<;7W<bPg*$
zdi16(qqow*r-=`!0WpIku>1gg=qesS1rq3PL)SZ#|F(40*>4r1rU0;>XYT%<_OHRC
z$nhuI>9pG=WgJ!RmmL>Fbp&#Tq_C8nu&9(UD>g~v`nLm;`@qvBi%YlaTvi1u`PQn{
z8sH&HLIK@wWv7}K>kQG>firtr8!)4$?q|xy`IOJI62_D(#MP~XeyKpkxsh(j86&h8
zHR{IKuyNezvxTFqVoz1BsoaZPU{q+*4y0F}^2cJ^P>L1G1hbyr(g5$n&i5}~)J<>$
z`!bVtF;Up^TQp^5=jU{Zz>^YZungl15UUkdGlGg`R;x)^Zi<T7cTf8UuAri0-Hfif
z)?yn|cOO0%<n)4-sxbYvti~K|SBCG+qsf=AN}-)vH9kxKP&uqNWUGNZsle27<#ftx
zsXv2I&2$8>ovJ(Vo1UxvW|Y<l7p(+~7KFlv@rLe!`DFQi5{*ENF}Sc*RyX<b;>|e-
zhK57p1K}Bzn=y{mM-qYQb>6J+LaV-wnIoZlFJ3mPzgEoVE6~^3Zn7~g(<s};7_Csx
zbrr+6&Y2XlRZ!NJ0q^zW<UY?u)NmtB0w86Bk=S?oUK<a^#idg-->?UTm?%xlKVzzL
z$oM0{yePhML0LNV2DX&^yE0{>6U5YNJx$Cz4Oc~7EX)fpWr(c41L(FtsY~?ehAD2i
z>Qo1-&QS6>mtTIaUcUYmGh7rU)2=#S=jyKuwOyxk>mrE*B=EUlNZ`>_W4@fF-cDT>
z8a-dnHdc)Zw;rQmNTShuRs9q(p>pUH>TlvdpnHaO8je!jfckEvdV*Xl`w%5zn8J6N
zhkQAMuh{l#77k{QrI7P;9r*uIJk9a{ul-dd1Dcip=f#Us{{QFCUaaH)-^WuSuT=4$
zZkm8BLx4W~*VzG@=)Jivq6d&3mGy^Op+X^XTJZ#HZWI-xhr2=KTl4`{h7zyN;MQ<d
z8ffx+iKmvwTT}V&8;XJ-P>3QQv+h<cwwzMOr)JIM-Zk~Cs&<_aa0eYeSA6K1O6^nb
zy8G4Ut*r{b-3IdKb~*V9qjwBCRY7P<iTVp2%Db2f#70<XOOFesc_l|Q!1*XP_DxgE
z<yxQXGvBr(D>I2jE`P<N=X9#ie>sNLr2(9o|GRYlzj(Iua(({a$5YsLY=C^5^3N-r
z`|2A?#F#SjZ*?m4uKvn<gl0K|&gjCqT)zoEK<5@Mp2|&06(vbUF)^9n;KS3|nH5!8
z-R-Bpck-$X`0zBQfwh6C6zv3aQ|ubEfhv-4T&Stgybm8{&eZRn2KGa(5JfxEJgpT>
zMzK_O4(++;kXQKop?Au+`P9?@0f_<<jaG0B%%cB0&z=|Mzn9OxU(^5lcvesUf6(jZ
zPkju~5E~akORpQy*8y-&&-TdT$>3kumz=o=If2|H4{8Ecn`UTDasOOTHT^fs1L@_l
z>=7`7{_nha_Od|#zkl{}&HvxaQ@WPs(uKN{pr`?~1g90rZ^&@=O%VUDi-Okd{}5f{
zRi*!(mH+qqXS>ge`G0qw?XLI#eLRKzU-U^SZ2Z+`2v)1?TiNzn3tl9ra)g!kVQ#I=
zmHv)Z)tc0`Cd5zvmad&k1?^B0TdVe5G>z~BBtN!m<jyh}w{m}(GtF_X=M~CrJ-_Yp
z1sBV%(-*JP7v~p7+Z@4_71qg%D{;F{UVQh-i_LmmICpV<{l?VAr5-GpO1Pr(LRow@
zoP`nzm#Z$(gQe35w*u3$FY_i5Zmc$|O=~rd8Aib&jU;bIB9WVjn1*yTJuen%^r9%i
zYd<?V1HT^J9i`V^=TlbC;}6pP`C;=Z8*2M!OsAan`R&2^#p|=>yIuun)(8r9R-G5x
zh>*+YSa!g)XlfN5U#Es%r-uG2Vj(~7RMOcX6s@O22b3W`KfgP__)>n|7`eOtK5A1J
zR-B=_Ks^5piK<;HJ8M$(;XYrY>e+SfDNnWTNSid(#ga3#Oh3{*)vju>3W~E^s{yq2
z&-ZqE?G?nmI^}(jU;DkXV)}?q5Q&QTtsKcbL8V)zd;O|Ivsa^N9SYukmWe9Rh~KY&
zcr|o&)-10xq^~oiuQQ}K_vp`^A>H8!SC=5Y0_ckKqnBH7(xaC@E}9*^vYFD{&6ym%
z4bVj=ZxyN0+d{4EW97?x&Wx@HaL2h1D%w~sK6?eg<zll}09+<6dj+`VVzO5NELJGM
zyQ6UICBsC0ET0Tc`wZvvPXsi|vNKx$h@#-5HD|4=BbD2{7-wEf>MKa$Pzz|u{0$0j
zb@GOM#ig=0RJF1K(y-FJ4OI}ACJrmj*iZ%WfzmZBPam2Swl6Sjy>(C=-4pkVF7CES
zaMxWt1b26LcXtVa#bt4KcXvpFySo#DLx2#RAc4#Cd+WYcx9V2)KWFBgnc1zGIj6h7
z{TWgaML1)tNUS95N}8YDP;)fnsaPE^TDaJ_0OD{m6XR3aYy$7$b23R364r^)?z0ac
z@lPB2&m7u%#{nk)v)P76ubzi@+v1`<d)ZE4>3wjdNYy%q?^P&B_xkduVKM5(hU-*V
zyXIJ+_u>C*9cUhTKfg(zeVh4X6utc3`TrULP-o?_J7*bP0aXjjdESomW+~jKvhkpH
z@pHrfOazl)MPS+o!+*uDXVtDJL*>SZ0-@*}?y6Alo5m&Ajd#by)(_88zVZuazfO+y
zZ_i>aKC2`BuE{<fKG^Ga-SGP5m-z+@SsIkKq<~U+a>ms<Y$WTJ^0>|7k9iLvDBXW3
z%N`cwx>+QTKHluNCx_Ok2h7S|2n|Ntt=O{Qe*QDP8@QZ!@Xh*oxwg}*`p>&bH(5d0
zd`6k7j%QGXg4oZzYflSU?QW0V{TI!ZhxJFA2pz&{y4>kG@s0{8Gg?XS%!@P^4&{9D
zvr1XkidUjbm9_@yu4OX}O!(tGxhm<JWmjR0*`qzt3VqTfHfA<*nMx;@)5j@=YVdrr
zME#SJG>;QrU)Jzgg|92XZ-e#=BC}I(FYXnoZ+?G<X9V5`0|nWf9~^n<BDFQm57&!&
ztERB;QonmSpG;ielts*hW`5%G47@|cl{kh>PoWv9eP^F^hgG|=3ePus^oT8;WBK*_
zGgFb53A4F$2YjB1yV6-TG|bOK;`q5u)&4{<Dm|;nM(gRbNpum9T>!VE!rdcBhWhDs
zBR2);`6Wnu>h1oYz}w<KLAE`d+9%Jq^x3<mPaHv-e7Wa5JlWBgwbsWX+c}i1?gK=-
zU6J3<zXq6Ur%xATC6|DC&cJ-fc0bEsk7o%&dOFs|bsQV0VYD{!8gZB8CQ}-%4nwAX
z_)?kOoBoa^-e-f$=W%^DpKn@S?X`&5X#&9v-~1exY-{GVJ`4(c3<STO-4LC<{Cv2X
z+V_bR!C{x>UPw=>D{pOV?&Iqt^<-&x?&$mAS+gGMEJG3V$NW|%<P#y5-_7BdaCwpL
z`Wnfm{>fwhYa@%k<FuoU<>y|$k=-yT^~5DJq1J9z)|=mhl-b*#?zJBVf8Hkv-W_}t
zh~AKx>YRe;rW_Iq3OsHcrSvNSiP`p<W8ZM5>yBJ)CdG~gSp*36muQZmEcZrw4ibuc
z+`9|omrz{T0*gb=RFBJR5fOQShuONl$6+AkOBAkAm{iU54FPP8os9e-&|Pwqa2&$9
zwH_=XkTr+=MMy9*7_|K>F6yKv$m`)#cYm**$v+1Zs7&Bv!oTr`k}m+;;FlWO2r3lt
zpU<oNd~V0zwqcCCdd{NdwjM9uym)tXhLDx`$tb#y^4>Emy^S0KLb#?&tB1gUtE;w<
zx#zd@yZ-sj)owXg1}E-|x9;w|?(X8(poha2uh)kFKi(b1apF9z)81Z}`0%KQXL=-*
zqJM0ZWU2^^o$1MHFgm`czgXafuSa#?m6^`d<YZ`ing5s3kzD)E=r}+@Hf$UsLK!rr
z_IJg7e6JYXDH-$k8FQy4xpD&12#<Uw6(2zS35Z|rO+_Kgq=2WUXFRH=*tdh~$;wcD
zxH7J2X@Vtkc|AU<UF`b)U2|20cL$Dze1spCPQcCl7-b9(8yL@2NC~sgj)6=1x%a0I
z8Qh<&RiOgqTA8+YAsM?WaKQ4E_#W0>c(obLSwxu_1J@*J;Q0d8*B`FSyXDw8_g)J8
z`d%$h>Pi-Ut58v5+iU*;kc!HlDgLRGMaJ7za)_U}^Fzzq9o(sj*-@3Tqge2MqA~+N
zt|$%4$$RyLUKrxc%C6Q^waf`2a1)<)O8_SDFL7i_ty^?3Ifcu*1{yu1IL(xQ-V7EX
zi3DQbg#n`7A{VRn!ylbdt)C+0$z(e;Iq=l4=f^NkFhg$UaIM@;8M{w^=<ELhbOV}_
zLHZ0&{<%r4r(Fz=tBf+d5yh9_4CcD9{Gp$PnvzDCh0x$sdaDrUnSw`9GCJ|N)2CTJ
zzg$lK())to?!T<9ZD0<MIhs1b0~wAxkIWXXI799E;%7UT7kKXZDu>st#e<Kp<g~aK
z@wE><pR077NuoTAhtvBNOi#t@FlJZb_R((aKMKm3Ld4@UhJmZZz+5XTvLYvGnLh_B
z)sKrVHF!q{{1uEZRmy(lyXME&aqEgD{vR*F=E+EBUhE_8Oex3_K)ENTaaPlVgz0K=
z^qL+lJKzE-ZruH+JOlV|zda02Cii`vKXq(>p8bCK=eX<l)<D-`E`uDSESb3%GbZ+^
zR?9(ZMLJLWVZeJ`j$$+Zb_F-2$#4T1U|AaD%6j1{ypt<gf<1^q11F&<M{AmL=Hvg%
z<#6<B1#`8k-;8TGq<*O5qI%YA|8MO2DUtQ+zaBYyniiwq%ICxLwv*6(4#Wjjty#yL
zm?s||Oh3&6&e|=*k2sk=0_2u9Oy~FB53k?$?Zn#|f?#+of9tu7lA1#D$NyCHicg*J
z?1o7v^DM@ykXt4<)2apQRYvhgN1&J0=9&@U&zh-Nd1xEXr4p;ne2vj$nxGHTKa!L}
z`8w5^Hu(>#mL2;oS#rUcV(vDLG+Fu%NLIRL(FdI|J{r3+zup?T6hkB$aEHA1bm3Hp
zv<F*E_c0x5LdJVSfHY=V=x78;*tCizsu;3-i@#nz^gLgL4E+r3z;Zz*q8zmcOiasp
zRbf-*EKIFGM=k9NHWfU<Vm8e&gvOdi#xm`1ERDxxBu!q18Czg_n;U)Ck2J!J@;Jq#
zWerVZgB21hs@|zZm~OT?S&1u`AwlLwZVLVF*?i!DbQeJZ&XwLM23ia(WUYL6Q6W#U
zi~Y?@MrL-wg<I1V#F}uPM!vSi)0+nGeU+VO&`B2V89eo`flH9uu<@6bP<xR2@UE;J
z_tO_3NW*Ep%kZ`<d@?GmEzh}HZ>Y}>H$p#dwq}<AoEZOOYf;tyGu@+1Fi_$lG}WN<
z<?@-%5rFUE1uG#x=kLBpi>`E>TCb5JN+zlZ-;*{Ne5PWOFpUpi&i}Xhd%92gwe5Aw
zzNUJ^v!8Yg;JQ3Yz*gHdO2Y%Edjy&U<I$<e@{>iULl6+v<?%5TZmpdg5Kl4uI_vLM
z#lt2femp3F2@gJ$oFnERvk+}^PuO|CPO_jiax_c;0!dp{#%QqUL)&6b!TWW6cDr00
z{V!hDJJp6vhHmMTX;TZ?hYpQA&D;!%bh!En3Ks39n#I$AkuXt#wt`4b2Je#UaaYu;
zm>V3jNCkEA^<$ri!dV1&v}1W2js$J5Ur6D*_~(8weilL25S<WM&ZjSHn$=C2yFiC8
zLJTzQu8FMCu$w=%bzQ-fEHgq+pZwB?M0Yu5xpEDBXWfi9vroAwF1o@M`rpMWoyFy`
zusrz^+1%>M2K;jL@KdG8)y%D{J=?n;Xc+;qwJ@QO?>}c1<7FSm=cv}~(-9W>-=_*w
z4bCy9(I{N-ND}A~`vR(E=uUJ1-a%ll49PUxK~?$jeEO>pF&sjR8iMmKWPFeCsV&t<
zH4_LcnD@D%=3q!HLOeSY4)l^S@rxa%io=+z<zwKzZdtJK${q(9RX@>wrH4vS`1{5I
zlW6bRQ6dEARmX@#Ap?D^ZjE!=YP?I^e30wcncoaMx?3rUzGya#s3)|!1IRL&Oox`=
zvQJr6QAbf?HpdZ>#0u-dC8~DHRc&q3+<ksZT#hkd@VzhPf7NPU%8$yr5oU<GU&B41
zb=Mv-^k&c5Gj_g`3{jFTjjm_R5edpOVmgcJ#f6ENk=TTJTt-%nxf;CC#?GR1`B<rz
zzr_Z=b*O#O1`bvddYA9N<^UW#khuN*wY1q)bLW~c-u6~=jgqwxkJ#?bsEp;t4&Uz6
zgwVCTLO!A&I`;2+H}_XwG#|HL?Ov2>sic(xS5-iZ^v6#>Icj{-G763t(MowpL9X(l
zsI*%H38`t3HJ>HSK;fByks^b2y9Mg|!ykeQ=7sbN7J2PkbFc;qSK)tCf~R2#EZ8VX
z#^nN*n10FCl>a%`b0=CFQmkzwstk@9m9fh#=cYUvq}nB9_wn)e)(MAj_ZYSr7Vaqv
zvm?}!zzd-2*G->nRSz88WA>$f(G6o|BF?I@MC#%A_?nN|qA`nQD@4^#_RbnnleFYm
zB*E?*<wk)&<SPvR(S^`PE27#Locoi$W_@^V4F#Ij1M(M}Zp<KC`n(@ppzcO_!^XyP
z&TKD_-UxebGxdE_+Ycl6pQ~%;FwVC(g2r1CRiG*NkWhM<Z$$SY;f!TbWY+1%=vq8c
z6%$x>EE9wVe=Ocr2Ezb*|9OaVM$q3W>`h9h`K0B5WURtI(@d=G3F29sFc5AoH))3h
zA4j-Ef-cyI(q{Yd&hf$8Ab0}!-lwj=4?agVqcwMhj<re;{%7G~D-;4iJLR+c$VO*u
zw~g3f1r~KoRZQJ4wTeWd6?c3R!Pc0GP9>ji%fqsmay_&{AW3$Z^7b~qzv(jPji4f#
z9_IQvaLj>*-WvtU1ki=cN*TnLFO9w6BDwG+LWPHJ$?H&R2K&Sa70d3qJwZDo#(t{Y
zwaD;HCZ8OLGI!Un?a+UGk)=PFVdv%+>bN9SVa&N0JbYKKx{M$4lI8dO)Zx4-T_^1u
z4o*sZFAHsk=V9GrODs|wb0qD_gm-uG?~W~t63-&YLKj?<q^i&!oM6#ab8=m3JjTz}
z8Nwq3C7!~t-#B&0PLq#$2J>0$B^a?{W3on5|CSQ*X*def_9VmyiBdz>z0@qepouJ!
z0;|I*qFtHaSu5znYxK*I=`ahRVjaaZFZ%R{VA$&h%SUuA6{jM)G&-M9SW?Z3DA==6
zc1A-w`16k;N!@^EKUv~0KA7mwo}B$^!J&0dK-%}}CJWfHhpMll8KVlQHst7^y=hzj
zsn6OI4>O}zBI{uE9L6tC0r1tpO}uf!iW1*UdN&L@xjXXXRWcHx%zLp~>rhNonZknz
zMXfU4OyERDF|7v9DUrUKZFMa`gGB)22C}_z36Cj5du56Ofo)yNJR%#70Vkq$Y71bX
zU9F8_yHARI=-nU*8!RIQJA-{H*7tQW=%B<!@($$GGb;ACWgW{<ld22U2%cGf?ID7S
z(i>J3H#Qm1ctploWHBvX3K^@+$ij}u0G91*d6ppUAshlw@WQ`~2?Z_BzHZ&hVj@?4
z@rdh^52nb-55IV<`4d?~L-Vb`jnKnZ0KAuA(Il$5cK%;Y!%msHN4DI_ybLc4H;KIT
ze$lqm7ee7mtgOBQtuvertjgIuoj`&ym0OQjsX%;ldRgwLO3}LxsH`b=8^$Z}Sx38<
zvI92;CP+Mmf2f-TowbZ@wrl{rZOR;=#6u@&b(@W#`!MlWHeVlmZ<Y0Nn)-wOrQSU&
zqs?eN-v`?Sd4!5ya%Q9eBe~I~b?zw@$xs3}fx6MA+&57r_bY+TrV0E?UlA*MGK-X3
z<ixf1ZOe^ONhb0?!+A%9?9cAFghFWcT%|hokQ+;E?DDX3?vt2)u^1xHS^s2%&U5b!
zel%u~YQXa~;f#k4+b>m=?ik>Ue`ht$v=C;eW>4u*0TG55&~-sQjlURr3ZV~hEtC(P
zF~6fs5JZ~+p}zJ<_5Goy=nw|lufja~VCZ#)dtAF5ekzPA(0j%Dw>5BR5=31ih(@2*
z6ZVyjuTDF+4k;9^Mn`XXO+Vg3F24}~uPjinP*JB|T`v<Hv20o>OtorN&z8r8)~Q5H
z@7M03@$hm{{KlOCZ|hlF5;<ki0)St(>u1LhF>MK>Lo^iJYN5_=jGM33mhn8YAG%mJ
z2e8axl>#%JxE<QFg@7d5p|Dm0Up^SU#pqg~qawjK+<8%dh`U_96;^}tuet%W!l+4f
zSJXOgQ$v5a$=mdV%$e!)){;-{Zh9~3aRK>T#{>R2=qiQo-sw<pqK_B`O(c|leP;1*
z?jPdjr_QCD*twU$g}SbX|07hkgV6)e9g5D)Gk*3hKbyT~4RC5OFMn76bV}2v-qfiq
zcF<C%Si+6<XdAEiaOU4>JiPxw)cJogZlJ>5397t{?{AYp^_yJDv#c+THgde+X)<mV
zUlM{zw-m`jXKnmHnp-VAdgeQaEq~tHD^KUfKm8op-8Ss`>g$m&-ImHqJ?LgjjaB-%
z*Lz_zULsyhKxh8BlHG3ResA{2FHLCyhJ1LygeH1>!<(M&e4hF8sA6J~xB~nlvhzEM
z@TQPo(&>6JqeSsU0crbsKcLb^PQVuDnFht}rjBNL#Vmr0Aa=J2fyLlO59jqu|Kd91
z)czk-l~sOEH(%d5bAs)G-TsbF^o$WxkT%%&QITwWV18C$i9=@!-3k(uU66k!BQgjh
z=eEIc^|!|&rr}i&vrXE<Y=Czbx|OPtwJY0L75}?_KjoM08ZW|a+4SmIJ@}g@SV7oK
z1V^AR_IjO40KuWw=|QZGqJPS*&#Hh<En#&neAB#8X(v5*W<)Y!M#@gk=#n$`Q}4|j
zTg^NZQkVkyUsV;8(4R$L%_Sm#{q^!A0PBP{Vj?|sv^eixOFWG7{h19Cek%Hg@ihCc
z1^CMK8%h^<nn0E9Mas~DrYankVE9NC4XS+RW+At>Xb^tsF;zl>ckj;E@i#i&oG{x7
zdlxQn3~AOoDoYDEF9*KQ2VI}~;O^XsAx}|{`xnBV^R&K?-wmpKe87~pQF<+EVr^bY
z=?<;6TP)=7YuVCNQXDW%;}siOrh8x0djeJn6TNnzdEg%yGa0)@VANnSJ#FyaN!Q$s
zLx^a-#vRn%)0@_tJ0%g14M2YQjGk%C=7U9*0O?eV){cg)lL^p8XDtz6G3`4VufJ)p
z>I<&BHr3Vr&2IZW2Cjo{(EVa${GZ7Hs9PU}&e4OQY-M)G?5fcmo!dyt?rUr^#lJvf
zDZMLpR~g^>mtV80+ylRa!oL2&ijIAMFqiKRsC7R3KJ_#-09K83dKljJ4=)%T(8CT$
zWHN6wq>=87PdZ$a8fD8)p>TzRRBQg~LlpRHaN{4gN0S;!C~gG-wEGIGzF`vFLZiZM
z*Vk;7I-ov@30JqjVWIVmR&N1A!)%5<x{fBx7L+5<xxNqIoX%|gEjV9J1CS*qJkL)f
zjo?{Ega2dssfqWqy;wkLY=)XCk+P#AiNF0`J_YyT9qN7oTW2QNW#WcS=?qoijD9I@
z?#@}@|5jl?C!qu<s0`<YHH}Y3PgPhXxdb#yu|;^-CD8HC6xZV^0TYenfzHve8vgWf
zQ=%TBI<oy}EOKlB?MA>mSue{Em^vHMx($yTvYd;Eh`vMy2yZFme?byJzp%u3Z~eU1
zQ|%L-HoLT)4Ixk+fCJcLhPphmGMW}1f&Qk?!u?Or#C&{GdhN~2pFF>*$nsfFBV|OO
zuKs>>Z!SS?fZz(c`_q$?5~!Sz@D~@}2i&;C7U+Rhq*NHej4tS!3eYu{C~i>8Gv}px
ziq}dRG&(hBz!GABws;$oI4D87G6`%bo$e30j|${54{B;hpPGAfavo0`$k_9+Hz&}A
zxJ9Ox?}C|gZZNEL3?}O#oB$H)ob3U(FDGByGf01TNAeqS=GzGYn5lExNBaW(zw=)y
zGSE`Pl23W@wPC`iB`IxMyo)1q<<S{K$G0{MasJ;;H2K>Dhhn~=<sPN5Z9FyLM5)u2
z*<4^}(BW>f4a6PC#f~@EiBEHmoRZ~|(|b@5kR50Jp8kG_54XA@I{?i&a@VwF9}YCv
znJRk3Tcmv}T({*Nw7*yN)n$6`dfZZXj3tGX-jq+YB3iPJ?Yyfr?(C}#etWRzHDvo>
z%S$@bNGgoat{npLR&J|utd#l1zg(?*v{9kma*_@9pV++{A6^$x`T3#1P*$=M+l9re
z%4oZ0#k^39cWA}9jYR5UU-Mfw&)iH^dzsGfz?8vvH_$ZKzN7!^QhUtSzG-2ehLahQ
zAa2EmmBpGJdMj6cM|*w+as7oA9cvD3JsiB($PHrc@dG55j;BluSoz=n%&lh<T^_(G
z^q7s6{^67NW=)z!;f(JW5yF(Nq|VaeQq=!Oxh$F&gXd;^jok?Gt3{AM>W=IE*Ahgl
zjtu%EGhkE;u@b848E7fYyL!3GN1W6c@O~fk$ZBgN*t^+cx~tWiZ1mrNL@0Um)#qQ(
zMpXFU;s$)9?K7Tm4?&aGkBf~)wr4I}?Ow$2cSUu*(`zdPz)B3Ke@-Lq>=uQ>t#=*7
zn_tZ_mLl3;c`Xbwz^W7*Pn%FDqfp4i+{#aDM~6Y2Hq`%b_l+i^DRhVLhK3f)3m?LG
zyo-<10gKoxzFKZ^I)b(Dn-RZhx$cMWljwK{X{oqbZ%C;Y;D`(1jbA)u@nL`0;EIG0
z;w){3sRqGtPmv;TSN+1?)OHi@nHHtcMp-<v_7Fq7l6B^7h&Z$*`c3a)l3*MB%v>Lb
z5k&I<iBJ5t!%rBby;r-;zBdm|lp#jZwfbH_2Tzh^M9u{bksy)7j9voNb%$dS{SSJx
zYp4ZVp`5PIL183cw(<`1+}FK)eZT#wq+l~xB>(NBz%MTTxO_pk4szhdFd9ei_*Rm9
zaedRulCTp$u>kB#ddH#~AciXYbk)6QUqnpNe^_bN5yGR4Rz%&9PMkIsYSlF{mD_C&
z?wjjr)eHw)6VEtEut;3AuI{Ey?<}s-VbK{HE0=%8@-U}LfVFTIdM}YX70>xm4V`_8
z&3+ZZohoM*`}#Ga%r;Fb#%sJ)8+hRGocfO(w`XFARw2uf74Ry{sE|!l(8u=jrpd$u
zDw9h>7RBBr{f15cUl5~P%apQ^Z@ypE^gca|YS)URbb$o9QP!<+7I_>1yGv<SXYE-x
z0-M3{?m2p=mxW14iu=du{lE;y1wikNN<<rwNg&}ZF->h`NQM`$UWmYVqVWHro~}mv
z3;h>gpk-@4giNB|YnM0tnPe5I^&4p_z4|yT8hZ|8lCea|{+fF^mrx2H`$KiiqA<?K
zJ7Co@w)pvS##sBl4Y>0^ITFvLP&$KV`0n4R<8|s3ny|s6tGOq8r0UG+rkQv6sT@C|
z6_bW-VN%$rBrZopsMb}Olk@p>PrXgyj~du7>u3H_=-fZn9DI!a^fWa#8_n&F82|R_
zre^VNn60)P<mJ1!He3y$6nyuEm7+^d8_ulk(aZRX)c6re4C)pZLLJFRlUMIzfQ=m0
ziE{w>U-F$DHd-&D&KS9xDTDg*e+$vxU2CH6Fl*ld?;S|sAHHI1$3e;iYA`aiV>K_y
z|J2o=ayxn$)ZA&+DLQu|VI6AOjc;tN=<igo2<@0_2^8~owCR64&RDAO>B7BuU!7t;
zv2ES_@j7qU@qs|>k^Viq%@z<v*DNHqcGcZE880^jZQl>KSFK(3^sfN5MgZ;oXw1gT
z)ugZg@=<+S0nAvTU9%z2dq@{>@M)3#B|>Q0;wYP2D^KmSA@Aq9IILdTs<HL@X4+n}
z<fMk_k6*7o`6O4?zW=nAu55r9JATzI(^`AJtS-i`0IZC1`qiox4MCdOJw@nhwfpGx
zU|n2-3ZK@*me<Y<b}hhRV+rtjeB9fqNMJy6F`4Zktp=$QZ!XxK{oR((o%!;<O!D;=
zA7&bK=l0ks#Dw37`zFA&;s*`n%*~$DGM0x`9B}WV=xhc^3(PIcN9yy%(|Jj1T*Rs>
z{dV+eUUH5qR-dv!#UqhDcnQhU&d5TK@p)x+;PV85xW2Em@eeQZD~D_d_9<Xm_1owb
zs3XBo%b20Shc`B0dB0~_Nsd5sp7=8ZeW7{L3K5^Z!E>Mge_9`s{<p92BL7XXi@yQl
zjpnlG@N6-GXn5bnDo|P^ryR7N@kgjf)Q9kkwlConemu!)U#Og%g8r;U8L~VON243o
zUwBY<sVsPo3}-$IO|ue!P$BhyVkLBBET%pIRrXmtb4{$|(yzLH$jXiQ+j!1D!a0Nz
zEMRqfpX9qj0@sw^UjE@?lhU2$M;X3ZkSPaC8Ww`SpZ6!E!oG&lyG3<;%A1^=gx%Yp
z!E=r6w>$-tnGb<qR$%Ai^nTvyWX~%aty`f4=VH_DdJ7O)pxcTza1n-E^lQD<anIJ%
zl{F_?`rPz!1mw*?x`5L4Zu~z02ycSE&wvQpA%Rgu6&n-8`nhpN^}Hx4awG~V_iHB@
zolauBG#&|zb?Oxg8v3KrWIk?;hjLq7ZL0l0mp^=nXkRbB1^#7F(zL<NS82ZLhrN0(
zzp+rz5h)T62%9XqV<vw0&D~J0L1v0Z>Z6J#h82UgOGkIgE`R)7h!W{jLu~n8NTq2#
zzL%*{pY@l~rVFUc{yP1%dLoVP@Bpu8bhR7G1d^A++OD~)Qnf{*n`a*-UhHG8UFe#R
z6*X~!qlQ6&Ff^$a>Cw45{%J72#}MbB!q8mM$cTz6y`I6hPvnz?{wA!73cHbanIg}%
z$Tf?0%{Tqq_}tO^+tMdlS`wN9IT*`3lM6JcXgIy>sV!+BQ({a}u$Ntz^s~Mdcn70<
z^sfncPsEvitu;Z=rNnjD^Mn`9{WbaP^6Vp-3VpP6lPJw`xu$5~HW#B>;3RwE?da_Y
zUTc9QthHew<K>i-kIKMhZn8n%OcP8O24cxPW2#NqRwX~`?XuZN7ur=sN*u~A!w|`5
zJBvUxJ=`2}LnsOonOj+E?n2oAvP%R^sEjMHsb2CVqS1x8GQy~XRhZ3Ch(eE6vvXL^
z<^v>O5doGMvq^tnU;e`L%N+9DOrbZ;X$^uu3Ntcp+I6PK#adz!leKqjcQU6K?Zku=
zJVQwodUQfDchU^6DxhbJPZ)Jq0EK31E;vk5_9^r|d+P5`uEIro_~K8eN4s^KDETE5
zLESJ?q5EeydYAo~iM@CQ*R|q12nttD;TNsU_UqeuppP#8>Nk*F?K_-Ka(Dzer0~2s
zyk6WEO}4>2eEr9|l_}|`mcHUJ$v7kKbXiuh5@`)?^JpWBVO+ZQC~y-)Oh1VvV*j6y
z$5T@??6worf4)3yGrSamxGH*&e@nU0qI`%`p1BO^2X~6r!SW@i8jl)t&=m37xzc<>
z<gT9sC?(-%qXZkCKuVhjjQl_F<HF81eUNenz?~z_%oz6xw4v?hfciQR&2gXm>x46?
zYne=~{`rQm&yjlIFdh3;@AsOz_)-EII{)nub(hD{hkT$42gpDyV6u?$J8{nQ2^(?f
zU5f$TN%YVcoHhg}S^~|<CjIY?P&i6zbXZ|=HT0A9%?fvBG&Fh3UED*8)uJCV*n=T3
z!>-8ur6i>b>RTfr^e{)}2Wr8zP-AV&aWq3)4lH4f{zWnOU@Ijwzn|!n*zx%B6Xx|o
z&LH4jumNnZ1EY{{Ar%3#$4MQYt=*Vm$fjOQ7YB3_JQC)Wj4%+%uFD_NC|W+00RvFm
z*p#Tzbr{O&e`Qr|;-?^S5`xWw{Dm{4XFrXI7TU8BaFY@C76=JMF`9RclQt1$6rv;?
ztrJ)Di+cx8(R*ikXfwE$1>e{myJF_jrRx{k1b$;>>myeS<D4UR)rC8gx0xD+=oaTM
zQDxixnoSV{y2?t*`^|)~(u6^)!jgXmp!QM+J007KIUc(PCGr)Qx%7Pi1<<y3B&_tu
zn19bQL#0u+3RSkv`M}&KN5b{XR(<d-7bB7rHx-s+4o4nc2cDZv<{|tT3@l%r4_?BN
zX2o3HwI5)#q>RGiM;6dUeENw%qxm|;3v*8a(<FjsG|#Hs$25?lq&;v>Bhd#kjO>R}
z3%X&mk8gza8JfKEkzfGg&iRSLhv;Tinqs72gGHH})$oG3VT0@mCS|T?D0JrN4dHdr
zfMTfiAxbg{lu(4*v>&)Di%F&Wy+~wG>Anv9YuvlEC&V@WNmR!?tNx>b1iGzN5MOpU
z<iLA$+ZZ4;Z*adCy`icI#mr_IDBF_6zG&?Zf)NL(XU4-!yOj{v=B;K-E4SFd&|}a@
z<3w@32)E1<lFi8LyNj1_^li<fS!Sx+%Jy}umZmT5jEFL>tW`)3RY;G@44K=95EgDD
zbgJ9ok4?i>N|9Atgm_a)5RHyJqBbE*;=+M>Kl37cj|JmpBMxTI)6-m=!U*BvN50hR
z^oQVu=Fg>L%PU$fNo2)p;=Zi$lir%Q&}iGzm!*k1@bds&Y%!W)nu(LchKLo$c&n&j
zx_HHS7f-=hdoYj{oG1(le?Xr;<sv$lV1TwGkvQY_Fhi*{I_eO%g0ej<_O5Enu&h%Q
z76M=9Pr}7)Mv_x**SH8(bG?(=kB{ry!jcsTY@V#baCIfYK+=dzOH5DSdm73_H!_$I
z{BUELUp!$#94jBF1z+KbtElEA#!ylOc$zIRTJlq2E@)$gnOI)zTm~gET8@em<&hNE
zqG~itL$bcuJH~Ve+B>33XQ5x-gF!={15#Q81e4RO4?|$#)(Bkdt1P=x(%|DrY7OE?
zI2`XZ@*O(_GDEz4|7f$WkH%Y~KptyrPFK-a%|{P3gcrtK3<pFsOJY-FJgP}Nv4N?|
zthET#0a=NnaQZb?bqFuy;WAUrPZc2%`RdXDwaHhAVF2whFq8{GnM@EBu16wzf{<Xc
z1&RRm7CNz;z2f~I6#qLd@j7*KFSx=pw{0v<!nBdno%X$Z$2l!z#~bEePH#{+@sXf4
z;y1)@+VWTHh6rq35yDge1jZDEd^;Fsyu(rinQOlXI)+VKkbR!4TJ+4%U8v*%w&t^8
zK_fnfIvhCu6bMH5_|m_`hOt&BQxNh|Z~F=}-7ileldXa6n0JbpZFIdDCzP2DW+Pai
zR{x-$KMYY{%}Fm4=ZIAH4MGd)I*twR;ZXB%V@6JsD*<~DVSh$Td8zJG4AW)w(CXiw
zxbx&Kr*_@2w2Vd(SIta<iNopAflI|GCBdLQawISemWmdKFDgW#Q|IkA-GiRWo&H&^
zK9Xyox<M(CJ%~l<P}KG`Ush2M>dmk%FkHJz6ervjO`RjDHZJ5IkLp9eJ`CepJF|@y
zbj->>%t~Aeplls$TVYbmWAo|kg*A^}3mqM40w%;o?cRrqZKMuFk?MZMsxMbk6cm5N
zC!=_c0FpFr%F>82K})wdXKVrRm%C_jW_4tCUVqrm4&InoPY#Wv%r4bW2~^iHpD)cv
z_JY`U=y*9Dc*w<B^@o2GBxWRz<}Wwj(Ql;xylN%z6~`@sbz|agA+;%%!_W(>#7ro%
zObCTUFbYYvT;MQ41Hyz@iZhG+qPTHoyNA*fti3sj+RTwrT089Aq<E`B9U2k+ROY6F
zN$u2OmlaAeca&n=Aqx&y;^D>>7R<5|WWfX9iBTI$(D}bVuha9G`Yj>QA&_ONC#d<W
z#IlDKf>U6b>Bm2-OH}Tzr+8+z?Sul_fRoLc`!?JU`HT!G3T!Yjdx2!O31%z)AJF#=
z7`h_S&q$HusNtp*luy4`Iv#OALLRL``pAg`fb(37!7T1Y?n9<aEa><*gi0`Y_@)9O
zgv__n;$y!zKuxl=xL^w07)POUnrjpq!Z0^N6%J2RWBocJ7e20j=aA`JbHcE>rnoFb
zM*!B^ka&}2<8r)>8q^QNkxNY$ZQinqwMTQTNqkB@(JUg(+e==-n|*>>O_bSsq>UsX
zhpMlf^IxzDVxkU)qm|1}eV+x!Q0}fUm>X$<G@^{2m<p!Qp&i!{tuXYfOKC~-!I(Do
z{e6*j`uyd=RXR2;Bl@UxhiqlsoWhykj3T}nex*`r@?~?T5dw65crvui)=}LTUfG5w
zb&{42Kuu(^D7mI)x3a6R-oG4ZgCSU|j4_Y3EkE!FgrRH?HiR!V;##oM$j>cKDh1P-
zcR#kH0V*Ux=fVv-OHAjB+s3Rz1FVJ_zh&-|GkT;0Wy5v3EqwOdpH=jZ^z|W`;{#tJ
z>B=L;W`|cCz1i7U{B0`htk!&`o2LAAUEvBDKA}9%^FQMp;BwRRNS5$plzzfc+>&44
z^Q_t3+3w{QA&=AON+qgaN*2J4xj?VGRL4cdaHd6=LO`%hXJ<^5G+oI-a2HoP6%_nU
z+`^i^TwN}RCJ$6?8g5+tK7JG%E}TjFcb16Cf-zS7H^;Q(g>D0qtZ~%dTBsM7x*~rO
z7fpi{d_AS_FKie-6+FoI8hMy)fOLdMPCiN_gL)8HGv*BSS1c&q!A9UHuuqR87Zx=M
zkDI-9+w$x;Deo63SCs}SN({+98S-o4?Fk9g4U=qt%3ua~yk~9`@Qf3DuImEZ(g4km
zo!<ZtjVBLD7E$#NhmB+FIyDN_C?FxntBURmhw)2?+uVUgZ2=h0?XF_}cut`Cdqz~4
zV;L#XJ3Zpa0UmiOWM5<NZ`J<p5KaXg&+}F~HG4dt6iv3dyaM*Vzw#1Goj}DMBhIIT
z+N?0_QcNM5)bu7tMLgAn(NBhJ$r{n<G^kX8i<aOg5kgbfr*J2P6Ea{Khx!0E37yGG
z1#<R$>91NgO}6#$6>r=o6xT*kXdcy@!CCii;LOzY##mSx@shM5iWZ>&RLWDAGZYQh
zWbEXt`>k{=26LESuq}|q7964PV_QE?ghnUMM2|dhO(&l8{)wU_0XiC{7G`D|TFK6t
z{3S6O8YS^RFf@>3&M&ZqA|J&1Q0(3EP*(e<y!}5oAj&UWnB$xjXnh}uZXpcJuSTi+
zG`YBUb5;BqifT#J_!pp8HS3C(hmp+$+!VC=O3kW`^(CJ9sF~>z6^KBN{6aZuPNVB<
zzWxL^mXoB~WizLNKW=Cpe-+I7>DJ2P2MsH358Sy};Xg`gn&=xVv$I0@R9*a;2^mJ*
zm=>S`hGvgGM_Q776C9Z#0*O8prEKmCHg8DNhyGkm><LEYGL#|o5s=E+N1SZZZGZHl
z?!eZVU0K(Nvm0?Tikxl&k|l$WMx{&FL!SNs@kAWt33_?7#=oIbPaUYNb@~=9wa^vr
z`XlcgJijC=0_#1NzUJ%U0dX@bhr@$=lreb$E)`*QTSeq*;x5c$d|L?$WG90$;z>!I
zHCx%4RQ@!!)qUwhla#-YAq)tP>KA3ad(4KBHu|(Pic2x15}6XeyvR+(#948Q;9^8Y
z!5jWC=t^)C`ayQq?DT{;l>gEyRYlJb_r&wfL)<)?$nq(^p19h4EDg<JJi+QWMT_v)
z%MyO1=ca>Aks36R{#B<)nMfnKNZkk*)%bB5x-HpaUTbK=I3&*a1=XFi;4+Mt@d$5Q
z$?~d4y+Pt797dttcN(GjGiy8(_jk<N@`6nAh_0Hysj*;E;=7MwA=c;n$cndLR}vtq
z>S1~{e8k=8kEpPz`kG<$@J!~OnE<|D`0K#<DkwtQ^v6*kiuNX!OS`cQW4~iqq6!=>
z!l3b(j6u_A(3lohTmlgGE2eos#HV3AFxbbHP%x54g>reHo0IDonrCKGsk;yy@tYJK
z^BWa5P*Iw)%cEM5rfB(?%U!}Bm_oCu{<tIM8mdedu5pyr2PbHd%dNqXt5zQjAE}cG
z%Xq*K|4=@BuQy9bnoWj7ij$0svt%CB#mBpV^vy0>nz~>qhmoaMI6s<X$F30#9Y!xc
zbg>Cc7=W6k<5Uk{uL+kNb}!E|B<@*T0B{I2ccGFv@bX{j#f{7!aU76csGW&PI)&8>
zF4<_bDaE`&B+4JpQ|cCc-Nd8O0v7SiS*ut#N3DmH#<^wt+99=nVInb1LfZ+!yCkq4
zLx#Jqpw(hlhh+*O_lL~$SK*m+HZqGM!nm6usz{reH9flm_+ytDkS4_NB`&BATor}0
zKlOz$`Li9@XJZIR<zRGEp&`db@c0;<f`N7`cfnO$u;hK^?jdt-zxxTV7UH@j8U%)D
zU|Zq6Hrkni6NCOB(&^acPPXkfVZ_Z@-<v{Xfh5AO1eo@EUKsG{pX)%As-himwgdoN
zrh-d-(iJ~k7B$<sMAYP!OugZBCu@%$>?v#x6UpzdQy5mj_aX%P#u)8=wjohq8?Dtc
zQVEQ?D6u$mFkO$1RIHJ;pe1aKl`BjR9=<n>cf#B+rBla<n|?b|a|9|aF<`S56FH$u
ziuM-WE~*f*`2ZU#j9^Z+#!Mc~QG99$bO*s2Qllv<xpd03v8OopHCA0#0W%ts*1#%7
zlL0q|%&9vrfIOEH8#1})0i!2K2P!tU^}%D?bpAbN@zI_lU8Tu29zA8u5mSMt4Wxr4
zO^_(7ZskD+ubpIRepf39)2w^(BU1&~Qpi3+?PqP~t{zD$2Lm(Doa2HMDsRx#VjC6p
zcj+K08fE^fDu2t#ng;c^p5^e<6pJ23m8t_%TysYu+*W0I?S;q<%mi}q6LUDIqx-jM
zaEpz;Yl7|{HTB3}af)H_!UZ4_Jqsj#_@a_HYunb~YuHV$TbpD%R~~g-7^?Ui$^o8C
z)bCBEBHlHH1X+-AP(-y&6S{C!2}()7Y$LJfdZu1CYKbik`iDcm?|V}cm!Ayrq;Z1r
zgIAz8tS<Zd>6C~x`qA;SMU%nVJ}fVw4YN{)sSrN)*!f%0>{!)ch$`~>S5Ixa*Yo+h
zP)xd73O*^gSIXE~$$bF)VH!vJ``kB<Yd+7N9;bm^lp<i5r2@1QmvNZ7@5FVt50;Z*
zoQA5=e>5+$MRO>PBsU&ASVz4<tuG@oL>tZq{d=M95kE=5q;n<ELyp=jaGsFu;{UlT
z7|U3S^5Og1)W(orVix?W^b8IGohf&1N8&fbl`t_|m-hh0H2%}ye`Oz^VoO1aaJlsO
zcv*vuwjFc$z9fG%0ZwRb2yyVB-Q-GfYs?)Xl6_r)InwK>y$gaCQI+%$haWSpX7b0`
zhN4{{f_VZpAFTv-(&kFSV5~t9QHTbrp<H1iYW{ahQ620b2$lJ$^GslIxrLX%6k`fq
z@Jj;|)4^vFx@)06ndx#(8l0ktR0*c7WTbcO*mKtKV078O%s!Cg&dJq`f2arL5!5-o
zh2aSOg5GxzF}^Q09FAjKN__N}p`iDUNfykv@*scITqp5_;3%ne>}Uj0T63#-8>@f|
z^%g@CNh(6JkzOHHE!iY_aR}*StCrnfu{(^bdTU)AFprh5T)crc3|JcjxyA7Bvrp+f
zYN!EzH{LlgJq+lxkffx86--!mH(C0m>8wY0y|dlPl|&EEq|8s53bbfKEZva`^an+K
zU=sN2ld?ntt=*dVYqk$v1L%F?{Sp$Fbv=Yy_&^KHU^sMxC94f$X7MY7dnu%I{V+&P
zfDJ5Nvc(#xo5_mA(A93C%Ne1>lm6x6%d~oC=QiB9g-I9v)Y8e2Q<okBztn)UktkA{
zfXMmL%59?QF7Z(6o{~e2rB0#PSkCOCw!MX5dufoGv-PMVp8M$g9$BtW58&&^;NfQD
zmlv8ZMJ@H;;+tZ0<$tdE3k3M;KPDB|YnCPzJH6-;>*y*<!;#s0a5c`ehRPQ;lUV#P
z0uq@ZGr;xXcvM?p6?OmU6?uyjVMLV?^A~H^hUwCQ<v=(q07}r}M!$Uiyz@q#G<F}9
zq<QYdkp3hmWuBBUv^lFxd!OY0ykS-xWPT~~1XkmAZpHhTG1_dj^_EQGNl;XlnBt(@
zK?M<wC9*d=5VrUX&;@0HG~nXqEfcQP80;<Z;s6|fgDU@|M`Q<qM}Pj^z38RWPmvgT
z!zcHB{P&RL`}}u(D@dd%VYc_-t#^NP7%_I~<ggQf7AcmEK5DPVCQ-n}sOk&1QWd_h
z&k}>DV4;$)rY;9W&P$$SlI@$*jbvziJ+S8{K=uJy=b7nWe$HJI1xx%}7zY$Hj5}V?
z0S__rY4sPf*1vVGl^DYqyEQrEMA=QB|GDZ+Z~WYU2HOU&J9X`bZYJ&0rHx<5w`UJW
zxQg(j{PMN^c#Ca>NP;N_gGPpoT%Yiacy}*^7)6WnUWeMgpIUCkYH5ruUI87kpm{tG
z&H(tu7(_#&Q<9;5vn!|MC^Gd1$NnidxzrH&NvKFt4#rd)1}-X_J4*#rP%Vo=HJA9+
zkQ*%k9ZHOxRsah}N5$ZlC(4Qol(HpfGKAsuk%p#_eV$HGC5~Ev#XuMk>LBU+jVVce
zAgThLQ_c0Wp%ls37R}LmD|(}i0pGiWfhdsvFiwg>oAYK?yEHiPtEz1&LadD-k;SwI
z>IPhC;yT7Hkqx@|3>yj8ak|}E4!z?cx5>%Q=nq|pSVJoi`+J}K+#UjeCM#hPAp>JB
z)~F86`Y+2WQt)Tg1vhbwnk4#N0e-{Kmo82EH~=8VZ3NLLDp~h2(}g@d_8w++0P!`u
z&y&EG3m7x;w*;apa&B?fvj%kMJu48Rp=djbv&wUXc~Vwmn{ahUGs8`5Oa}tDC;cyU
zEu~{6xQHg=&Qc3q=*?vtTF@bu!nUa}J}qV6aN^+}G68d_#TwZ7MEt88)rN+RmLrfi
zDRyQ5ygLxB5)O$L%T5$#@KV6MKYUf;_cg+M;K~3_4bM<`sU``!S-7S_{H=TI1Xv3F
zixo`HU=zncGe>_5+_wHJ%;Bq3>15p1Y7<AxK!(|l$WZ?qKjACG6{w>xV`r~7HttPW
z_;uF8()kBl<26MKk72Zx!Vr%qzLT0aKlV-2C`dDo4?AVeLbt}t4jybmA3RiU>p%%W
zD}s|BZ?GbXiteZBPQsLg+?-Iq)iI|B!EF{guT9QqEul*)WfkgnCrJz{;>bCZwP({R
z7L8c{5RH3WrrmX@$B{g*CFPCax}yWDNAGeQXeXbAdK|Wsz}>+LQ6~oB+?GURBKZ<w
z0KVdY{=tY3rA}B%*{uZviTFa@`3rr8Vu)<=&6yCVHId<N2g*4m9Z3IWm~C9=evt3O
zpb;JP?YblxWFSAkuC>owtHc9N^oxOepAbXLE1`|Pca2zeEOd=3PBloBQNy6k+^3TO
zhd)JcOH)HZ7S^bEQfF;V+N4OO1oukKcT@8$vX6BzB~l|Y$W)AH`zD9g1pamX2uZ{#
z@wmxm&dBjimXYRfBcM`S)FE2o9yi(tO*0Upxp|W8=IK-yTrkKppPq`W<xyBy@?WuZ
z>w0iJ<_m6=Tbbg#*rh$T{v417w>a`Li!D67HH1yU-mMHS;Sq6d2eYN^cddP!T2OW$
z<E;RqSs`q1xUVdPE+#7Q=n(D+KbROc%uz|t(c!%5V7U6pl(J(;G8GGl#L{;L|E0Qg
zEH?Pcc{jH)YYMD*&V;y(;#iRw-S~s7X2YwM{L%QtR2dle_>Kl^cY#PJupqiyqrSww
z>tegaffn%{FLqjS2}wG&%}UodSX82<vSz#fnR1wOPE^=BKqdqs%mXMdNjKa(_Y6wf
zL^6~-w?xl9#hb+x>r$r%JZ0y}>C5!i?@pc*J*)381f!|B5l0+`-c~G+(S~o^(&9tI
zwmA7w)Iaf3#>WY+aQQ_;xhJ(WG6B_Tavw@2-{IXT!Cn6D<D@(!Ytazv{V42Tp(FNr
z#1f21cRS9Xq!i^;xvM0mkbqkfwn<?{RN#>4=BAAz?91{)*Y<v;RBTdAe)&c-C{g^j
zEy1_)RzIYN`8<q{4#o0iQ%VFMj+lQCR2D#=glg@WLLc4m=^)V{+S6jpqpTIsVkO>w
zkwBdU^`o$Cg$yYi;p|u!?JyZr%qU!tLC7X6v5h|J0}%CBTL<5S+c26=1{n#ib&*hz
zw^Q)Z84n>`vg1M_CB-fAZGiae&lBg+1U;FLw4Yj{mP)Bu6~Dm@Vpx`{xo}<r{S<@s
zwh~xX>Q3ks(7>=^xFZR8`j)aGtBeJp2`AD_#$u}mnBBE6mD<?iDKoghgvt+wFueY(
zL$>MMwT=UpP&axfw%3hxDRnj1--+4q<s-HW;i`7{W(WB&?!kL&UH0f4=y1mu)oAJE
z5>2q&G$MWFipDImf~LH%r9pPYurrL!T{W|4q&|LrJDm!Xb8gz7ZsF2m0u{WXtPIxa
zFY5e11*~n#{>q)AB1FMo@5Iq5{O%gzXlS!AAjkzpqqYmY@%1omFhRS!E6^q?nI@cD
zN7$FN8~;(dic&}u(r3E>yEoE<Y{?fLD`2_svopm$ZyTA56r@b!h=&zGG$o*he;#Ha
z&2DBbJ_CJE0inzUg)6}zWm5(gdht18fy0P#oKk7?%~Rp{Q??@itdA>L#vblV<3{}3
zJZj$qMbi<(ln>dFeK3p-8_)bC@-j5IJyMT47B2-Z3jc_fRyTAQx+n#{{QQr6S>M{C
zhZ9q_D=cOS7KH~aG=*EyXDiy7M2sbBJyYuwYv{7TRP-;CXcgW&WspdEqX%&l9dmG4
z;B;gn-^vB-@A0$gO5btCT^JX+Wsm*i2kcEriBn{SPdVu1xu-C62YtESQ2M;Y3GY{h
z7&K%3&bO}{a2P}T&2@xuLZYvGduBN+L>GJJ7B4=KrHL+r=OAII#VR&j_6q+^FE=hA
zPBfmyoyWf|m^v0&ku}-Z;c#XpA2B!;<d0TINTi!v3_EBuzBV+hsRw6b^4(Co$zl<|
zHkD36G@`=vveC*lZy{NPK(>w~gr3`)rI&*SRyAKa?iRdrajII06RK~}GTo{fQNq;e
zisFFapB8*bh;Z(?ez@LQ&{7X<UTaOQyi|QPp=xTn|7>dJjDuzEt9Es{p?i=iQt^8i
zfiY0n^gIfVL)u^b)ztqZRQy(4!dEP>U?E0~=Om4acR+)M>(!+63yftf(W{(kDs_%(
zHa93!vXanz=6#uQB=AO8V#K2NkyW0vPEH~PfI+n*UF=Kv>B3CVJmRfXK5_kT5JAXW
z2YyKVXhLf6l;6O<&9!}pZ1XgkH*eV-$eW`|(sYWR`-?VK;2hV;D@JKhs;^;qn{j!T
zSty93b~*X=vmS1Uhr^SiCxKl!6(T5~+s6!p&>BwI&g<JS^=)$+hL4?*%v17AX`RnV
z{5*+emnmojn#0X;OhohY(W67kG}_AjsQaB=MKkcirh56-OnV-_fpDK*1lM4Z+mgz!
zWEtl+LT_qMW7dajp8J-+(Mizyp+N`E4h@l#l1%)J$MC{Zx}qOJ-{E6Nw1|>tZ6_<o
z62=fm@ZhyO<TD}HlgK6)KPHKui60v77zzmyXnU715m8A!(+<IWKhIzsBaD;)WC_2@
z9N3*#gqq*0L6|?5P5S<6U{z{A0!2g9`vEU*Cet@_o4(h7#Trj6B<?x%9Lou$uP&8+
zUT^kYZ$0UxPE>Dps0Yo-X1OYqyc@)2Cpa<RU-Cvb42UfsaX!e-K7<H*1ieS1={U%b
z=kCOVtm5st^p)UeY-63mj56C3RL%J@@Xo6hNopx`=9<QD*A}>PkLLF124Hwj__0Ih
zb6>6)Q*v2!Ek7*9$){0!G4s(^4W>#8n-KL2DD)YWt>WmK3#jLVUucePX)V`K{it)J
zTUrq3Qb9k^f9Ow$jDT@1glG&HG5_YLCK3-vTvH%kZGfZ^Y#<&E)46%;w--=GNw<%v
zkK-tQ|FS%%SV2C<i7iNqW(g4sS==O<RAb)!jLa6a9n`@jb}EWVb*mm<ZFp_7N%KIc
z;3*@gL{t9{gq+lfwQ#FUZZvDY3MxrpoctZ0qX;@6vJq+=i@T5`x~uj@#SEM$;TStE
z(uqN#P)$A}w_jLNX*5C}oES59Gd%cBHhIvHO*yV)=A0o2HK9<h%{#%+7lCN7l?@$t
zswGN1G)Xk+TCh14&>{vqPF#V~ww^M%7dsPGWj*}4jL+QPh(CtD4Z##_zC3w=gIC9w
z+zDWXN321~eBw-8nRJWMMDEnV7YpcW94<h3sni<z5%P%l0bbrFZD2}d&VOX<{plbf
zs0QgZJT#EOivEPDQ#VGf*N(Q5a$Ny<lWD)X9Lz@KNSQha!kSK+K5-=Tdgwp~liE3S
z-)v%gFqdU^-S8QQQjrfhc_fmh)j=5<%Fz<FBUKOQ#JM)KtSBFR?bKZ<JCjw#&FaiD
zw~-gWyYl_Oqq3xLK$o^TV{%n9V^%n69yZ~~{6usJ_ZMH2{%{r~{c`up)IK&Wf3_~J
z{FtHg^lmAiaYZikK4Li}Jp_f!kShHt(Db88BdFPNR`MWwX5bzUGKtL|&<DPi|34gE
zby(By*VeBnf&z+!w2}(a-3rnrEmG3b&8Q6(1SF-q8-&pv!swKS!8Xa!qX&#_?|$#U
zyRPT6r%v7HKF>M6;JQ8e_Ym*k>#nEk%*|J~6Y~4=@V>qcGrlSWV~oF)*Tjeaauc%h
zbid&`VBl4`s%q~FQK!A^8J@G&Do#lsfZj(xCQ%823E1z}8j4|+WNvzHQbI0x@O#F%
zdGKwO<uz&!{K6!?nsy*%?{vM=v8}bXiPW@R31<v>woIfK`D0-ITl&Wxw&c^$I|J~C
zf;fh^Xyku8f0-g1CVpP#q4hlLthW3`n4%K1Ur~_69}<}+pb{R^TQ^GhT1B}iB=8J#
zj0?ctJ+``>%OoVdDHY#Vq%QUg1xI&X-7|`qg1%VVSp0gXa546uVCmfFF^XSb))-%;
zMm`0*PRRADJaviHq%8eUWMAuE8&P|;f8GBwNbZKtWGTx(%2Qv$JOi0pZL00-dtElZ
z@YdWGla?Z^WlGKc4ebPY_Y&C3@`Ym=jW@mCQPA}FCcaD3R{W66f#RMebf7x*B>T4@
z=><U(^9>K~exu@gl6k>7sKWGUmf>d@m5T_4M&13yKX~P2-Eb$-0p@7e^fxJu2``o^
z|2wEMx}5v5@GABVZ!>*5HN}(8+a$&2Q_UC6<1Yu<TPpX_d07vQ!OUcni9V_GwIU>8
zj>7j-iGTlhw}R|Vl9rg`5;Wv7m;IDrv#PtM-t)U4$nrs>S$-JTo39QjEz5cj?|VFa
zwe{$8Q<%#IZP(LheVIMgkwzhV+HEf+Q<dyeXC6Iy_py5aN6SQ^ezVm#fAm<NnXo!w
z?7DCGelF3SVl}pJlr;?{w9_iN>34Y<jMpEOgBHF|gwvJu4mAI2myn@VrBrTirTi?b
z%6af-crfz#?27K3s#=WFAUC`rrgk;V(Dotc9}lv-znINbTD#v4b@knWiauaHc{ywQ
zeCk|eJmA(}Lyyd1pZ)n{`V$^L`?Dwl$qN#0#cGkp{UTqZv6GA5V)+FpCs9#kaNooE
ztgz`}fs!32x9GJtPR?o?Vi)y#Lq1ZMTmQ%7fIIZc!?OH*euGibR;z7>^5tS&wrV&h
zOMwKr9_jsw*wDaV1RmG~%acRTU-OLVyed&inqNN(Z`o(&<KQHZ`}$cEeDN0iblL<H
zN~_#(B=PXk6DvqKR6C#JNh9ff{=1>HkY2=nqD1SW?(;xRXFXftK%V`{>U^8;7t#l)
zxM5Jl2e!a{QWMKR`<^4!e}lvL{{uhoV@%ND_J8+T=Bhq}n;~O!l0EeP;X^ylf0IIv
zva!y%h2{9m>9~tO-)mDHcuR3AIlf}#<uqo(4;F6oq-}7j)l9;Sxzq+C5=u65>8W!W
zUyO1f(V;<tD!0ZyzG9`@wCRbnue8Bb&UX6mFHZ9rzpt6?yv%~KN=+vn-u*;Rsv7l2
zgy?ryL9cIH^>cO;;VqVr;&kF)zf?()CL3CL(x#<eQ2tjZpm9wK{1zwR<rl&!5j8#V
zPKlA5L~Fm!mQUf=PbMNr%fV_lHEzwFbpDf`3O7lcQf6w_E2H-9M}J=_PWBXfN3RMm
z%<Nl=Xhm}1s<Sx#pMI_-Z-|;}j4=uR*0ek@0JnBj-b$9-6=Z*R*|#lY-u%ezj*O6I
zHrf8+ip}#tBDQ}M!=IynG<d466$ERwaxo5ahl-j?(!S%BFeEk8cA$Ej`Q7?+(e;mt
zUhjp;sp7j1Hg->E$u>R8M~wbEwyE^<wrV_5RZwdBtH!%-a1tzA(NF48L>|0x(#N`R
zkh30qKc53P#r3AqjC-GFe(%SPcwMe*n};6;Z)42!lwRNJ7kv_@cXYXEKq)B0p85w#
z;5RMndx-SE@6wNEK1<JOoKg}>E%P2D@c5jX3l{u4Nkz44Xtby}gophfw+Wrk9)9mR
z{}i6*B<1R-%PIawT?vHW#$!=e8M)6{uG@k9cb32^DnGbZmb;)6lSkA;<c9|b2Sf;P
zn~TGuJttGbJLgAtee1nb!V3^)9EC2jN*(GDa}LVY&ri73%v}4Ml0T^Yt)cu`^`402
zf!eESams}E>`ww7_0Jg84I9$0AELO)64b-GDMwzN%hquEXhz5>BvifMWRBobWvVW#
zm;Fmi6k9b-Ec7&vRxRaqH{6P?L73{N+}*bEa?Nm+^Nf$IkDo*h?2!Eno3`Qjw?uMm
zK)=RKW>b2^{WM|RR#?#h>LKW8R52hIm>oH}fUzsoz7wZ{VE=FYjdIRavBS{Vz4GtJ
z?-L|+_f0=Pp5hyy-ri6S)st1oEa$3EDla@p*n0|3*gWpntx5b~{PVHSAlCQ2SEn*>
z8ud@R%D)K@@VY|y$grh@^K)Gsy;{_2xpvZZ#jF`eL0!cU97xTv;FE74VL@W7FMp24
za(efj@2w^%`8y>Rf3^*;dQVd+b~F4R;qBv?!K+OHrT6Xcxha?uer@VMPoiZ`C`{5l
z4VD@*q@=IWJk#H-Ok#aBTx^zNamY;)J64p`^pqResa~D0mprq!{jr35l8Tq^CCOOi
zi!(~=Brk*a$)A#Pm~)vGXV^#;`sE}a7{;)C9Dh|*^*;3_L+-CkahZ`tLsos;2n}<N
zf)V8s!tXSR<w8yy>yK+FGt@bv&dFy7Dhv~FN{zZ1ZhtluRdXZ?Uhp;v5Nf)!rOX(N
zMAVtrYzmX?tUa}JS*NnZ!YHj{X{L0TUaOIe{L%%D4qw^!rD;Bzm{%!%{-sWeTU{*i
zIfwCI$u?FgHD|tJJGR0?o1*z-ZrSNHy&*1#=k+SKI~yuA?BPF~Ubh!NVd)yy;T*kS
zaT7oWMU<rjH@Cm8B}<A(ahfC%n&duvmKu#&C#?|C5o6`$mal%L{f>j2LQO2oi#_v>
ztKax58FiaT@u%&&KSu10)n0K-?{5|j8^BcMGqfE)#K#D#a<HA9c5Sgew9$L2Jtmx(
zl58Q)J^JO6jY{&TR2QIGOeMieXy5kkI*|-}F#Ah&9a8=BdtTP8N_uL1bh^(AHN*yE
zG@}!THiz}r3sWFnY<i?gW*kC&fMWl!FRfMYjee!lm#V8JaCE5KerAUJ{Nh<}^**<X
z-5@a;{E%n#&Wp5XcBHW*mvIL1rvqnR*gw5LFvI$Gx)QleMf1)jBO`ZP*{45`{<^LZ
z3GaKVhuC?XD3;h(Do_D#NfyZHE4H#n$w=xJtErMaL2|?h4WyqI)<0E^e=J^>WuRmL
za<MJw<<~^!<&Uc7rx1v-@o;&z7mCR=&O%&)L)(MH<Dg0^{bJQZZcWW-DkNc!pB%q*
zR=wY5S?4D6P8nV@B>}(kk3EhPSwD4u$#!rc(6Mv;Yp$;Z0AkK-J)Vw_U@-`1VU3U=
z-)XT@c)v3jN}TL)EZT}HZEZD}E(Fvs4$7o=2pmoRrOvy4V{x#A%84gdwYEtrH?y8w
zf5g&sk^=6UmVeW1x^4>N0$rHSelymd08TYl-=3CU7?N`|UDMhdQ)fSawy>KFSat5z
zx%3S{<Jij_j7z(Z=A5C8j<bPU2AbJou9@~d66`WEt7s>>?Sq5P{wEma#Tu5u>kh3f
zvBOByJh!#AwNbYcrktD{alhX#vrW#6kCO1jqRvTc%fR_e(Wt>2=~??JIfEdpB#9m|
zNI}`~q$_A>dwbh-o|;b{RFrd_@cA5<7jlHbVNeXDq^$8F>=GBTej?_ku%@;)lXFiO
z9o<ye+HzMJygdbYd~6k9gUw-6iR)BM%v-FcWA?9=+?!CYFm)WdjO}?dn%(ia*H)#1
z)Ej`Ree+ku6FK=3gGSNXg~X@id;qq%sK&3dbVH4yfZ<gN`QQ+{&1`1}c^yfwTmR>A
zX!HSmw~NDqFo2@#WQ^Z<3Y5EUX@KNQP!)T{EzKh1^H9D`<Za{TdmYq)xB{e48z`!G
zQ(W*4Wb1|(sw;$b2Apm4nR5Dzv7fVNlg+p2wA{waT^A=y;GSA^-R18*1!2T*&OOsZ
zd`@Q(?(MDZ&9If#W4qC=B9-_fjH<vVgBh8EHwzO5EnrByuBigq1Kqz37%TOX8N9B1
zkppnEbMF*Ulj5ox75PQl9e2x*ek|J~RIhPR|EEQmOXkbU?EyM06XCr>yvQmd?{;)`
zQ4?_~O?s44!_qOkyn?Cb=!OQoYjD?bzwvkr+*Al@v1r-mB09`kkstpcdLStF`EAzD
z&W`IffMzi^7<RSe2Q|(J!W^!&pn_0~kWxRn#?o8Zy8+mgR#@z#nw09CPZl!={@CLK
zwP>1)=f(ybm2I_xg;sy&_RQ^faaas^Zq8@b$7*4F0xo(cJvXUqL=<uoXy=arE4w+h
zbnHyyQoO(0yR2+mD)KUI?ymrsu5Lo3Bq60T0eT-5V*?s=b%nstijy(zl3A62xRrTt
z*iLms6%Q2)pM^|$tB>o_+$5GGQM?y2TV-Qpyyg45Yq1NrO>~Uf7{a+pqO%xK<~<@f
zc)`Rb9i(W*QIrZhR`(<H5z0jpk1czeBQtb3`eo-CC;#hmmm}e_U1WExbVRcDRKVGU
zc#mb$zsCLEHTckFaIo!W44v?MC`;E$qcidi4VUOS$r!hwq1fW2qts$cou`MRO2??A
zb^@C3@Ce$p-~BnyH}5fv+-)ofOX$0JnIp<!-pu8?B(0=-8e6z|F=}rP*RT8NxwJMi
zTXwZ2J5aXR>Wngn0{0J)FayK9hfxmf#%Z+fOVaoGD-eq^r2>AA`6HmIT-j&E4QV9G
zZZ2m>9VofBhKtk6FnzfT@t_4zbrqkni*V}0d#jtI0~Mr7o3RYyg`-=#Dc;%KkoLz}
zogC=f<5L|Qrz-ABVU$4{Pct(4A$GM}U#&;qwbGkv9g*_0Y$9Ed|CP&o-)j`Z<xxsn
zc4zKvBi6+vf}E)vs~qHMn9>V@KsFXCQuOy30l_PsKH9TWn5;A-UYGpR=#!`z9%FDf
z9tNlreQlE%9rYjJ5Sk+4mR;+w9C7naIE(vx(PAE7&nL<2U$@vC=?IxyEP9?Kz?Nby
z9i95d#H;g4d}vVkaGxiO*oA^OV+L%x((H<o2X(&sGD9m`W(>#_v>B}A4h3Q}|3M}1
zF}4s#Ol0t7!JI88Q`fd$B5B^3wXz0wuQ)b^tPBckUnHE_V-4br!||7pcH$Im4&AMn
zaw^){SD*J6s(s^fC`1=0Ty8x6j0Rpjty}VEtJL`_*x9=l9a&iT2a7?2D}{W@E%pB!
zEPp5`5Y&#?B7sR=JmGto=_Boo=x?@rHz2*oct#<b2U}zmMHz&iyO>-Yoq)*VK@1;P
zk5=zG&i_?IUy2NhOB{@Ix5cJCmY|>CERUM_nAR<cTz%XX;&m{b5GU`(X&zOUUCw7|
zc1UnBEKcE=2#VC7)HX*(KW-)@&|41&8n`I5tE#xff#ln}dW+p<LPixv;20Bjnd)53
zP1ySS4=qfe)3YdN<m0Q`GR?(WlUYPaHMVKPB8ZkqYi2x0+<pCY>tk%=;%4a-QUoaR
z*=i%LDmTT@eO{W0?@+q674`!-)O9%-SPev$pR$9Y+<2$5oz1AO7Fr2k?<|C%l+;aQ
zpc~?@o7<#fM4V%~VOSdD1D>4e<mS?vaTtVc6K$#UyN1wqB->*CWU0=ks&c`v%9!H5
zuw+oc@^=ud-`X=nToOE~OBc}PrM-3NZCTTdB^o*@4+~Rzm*fNk2E+d+HI5g{aj`QX
z!m;VOBckPvq_F3^wy0GWYX-&`6jLq?b3-r#I#pAXU%U>ccPM4c-QJ5Ap8i`HLrof_
z(Uyg}e~)6Q5rMCCy!v7n=sGV}n@b%;+d<)px!A1FpcSjI8D(*q09S)Jjx^68q7F2C
zX8squ6Q>p4+ddhBHp<|3vnKV6-P0|^r9MK=$k@A-)frJGI+Lw9F~4<hk0)#2mbTwI
zI3x?I(V-$f4(;&R)r)8qHa>!7ogJ@1_%Fp+&```I9ZI2L8L4Jkw>Byb{BM_SV_{XU
z6Lg?`b8SWPbt~%MjVNeHz06oD<($N=GRqSA@pKEKST$@>qTRc}oMXw(XzJs+J)O-v
zsjzmlg0@df9aWv#=;FvI+h>-`zM?a^!jSY73)*m+J?6t-ZNwRad`H_s*qh>`@46<m
zVw5YVH7yLx&(8i0trCjQ<wKx$ePJZtwEWEHwSv<XK%^X^l>M<cZ)$awpHp^7ZCm?o
zBIZd82qo8>c7yy;*ficA_<8Tb*OdRT$M4HFj~~pT*_CkaOT|&r;tks^V6^si%(=K(
z-Ab$H26|r^0~8H(Mka2T-Rs&Q4;FH{U9}st-v`0JiOUD=;g5vzpbh5%VhU!n?%+1q
zS!oal&#*=JjmDie`G8X*v#dsBU#l>K*CZKzLzTd;T5oI+Fk(~s4TIkCQ;B*>t?AQ5
zC=vF1H|*wOA5dKBr2E&m>$1$%9JUR}hPI*lPrb@)hT=n7J*-y#{rl&DR?iJFVYi?$
zSao)yE%WoU@uThP67q_BBew9eTW05?RTw=LJ8V|xY@C;6xRpY<5|-Dy%NapsI(f|v
z`mSE9#Zo6qkc|#nu_g*qQZMv*b|(M@x5ZW;`b=agMv$4BH(k1hH)ii@8H797@q+ii
zK+^%{3#G0r)GN&wk4Z@bPj`atl`dZ+Nqoy#??SQGW(RQOgkq_WCp|jyVU+Zla*G=n
z7~rOCVzNvd1l%=6giLQ>GAx3Gn9cn@KEu?VSRe0{)gX?bqRC4Q&i(ZoTb7pX=&jyu
zi~1l#wj){Xq_ocN(<RjYI)9{bcB+r3M|v<H@`L$AMvZ$9Y++=iV(M3Lgeb|@esn)e
z-iIG!wz~r-J@~-&KM>0}u2?!@jY_$;;KdrbloB9C%mNDcZ|3Oa-+~LwoMwN4?3nlw
z4X@M-aO>%;A1Pyn13E*QzokW<^dB$aG#|+&CL@!anS72TSo7uRSr%-)!|qIp<++4D
zr%`0N<y}hsN`nH2PFWQ<muDtWBvvUp@cHXK>W*<hUi*;%R?KcNhR#w#*1(0%Fu~jH
zZxWYI%>h0?spGB34#A+9BLbaII|JNtLVSLIg?j|xO*`p+yZwB#?()IY8{?^~XLlxL
zhK~HlCOr;64=FTU?-2}n6@X@S)*d9(y*qtPZ3_nE$wp?+ub_^^Ez(eCOLMpt-}`IY
zijNQ<y8<s3O4q{*D4-9Aj#PnjZu7rQ$W{1tUaPm?oB@Kb)YaAL<qB2}ZjIuZ7j?jK
z%K}b0u%I^NVwq@)4De>I=bszP)X`AWlugKT=C8|6!HW^aCNcbEJPTuvyg;dpqX+O^
z%iuL8)AuwnoX}j^4s@dd4N5Zu(~7~DZ~h%k20?nc_5|-t0rTiu^4(ibE}CAZp{c+%
zeNe<rK$#^rC;DEm>zk>nhq*1>js0A&<^9It0L&ooiTQJpim4QxK?K>)$gBKG&*;w0
z<AUw-fJ-f8AAh7}T}R-B6V#6T@_2P1+JU_~St*T+>~}Rc(U+sME=8H}wvv#P6WqDm
zy@<4kO&(yH&mk<xqt0bH{NKL+$k(0u34rl@itF&P2o=?xn4r!6pVElrM~ju!fwhp%
zF2v2@?c%>jzeDiGPqdHbUL8L6@H$-l)?>iz;^uU)x3hD1X9!xH5{@xea4K$*|KjCB
z;o*giw4<N~Lt}Y5p+?>(S*;HuVlg1uy7!t0^~OTQQOEU82c6Sg86dqm^Lh}zHx#IX
zq%bp2!75`jUkJ>=z{m^v)j>BS_nygsfPk|3pJ1S<Jtj*{O>JRQKziY*OVoM6rBi%4
zc>!o|dKjN2|5)n9Z$AG2&PCd6)xmBXEQr`Ui;IFy8VVjs0BqNo#en{x+e1*}OaELi
z!-mlKtegsVr@_x7O?;tS94!s%4;Uxhyyga=T}cVLsf?ZInUyMejLV1FT5r?i#PCtV
zPMb57h>so|oCjiKEkl?rnAbOSuzOEb5q(i*VTMHFBN`7F%~v+lS)9?6!7Z)*=RPg#
zevYq4MxKSp*0Gn~?wK}`aC~-C{<HA@{rg&%37wS^Vf#rl*NFw6MsM1Oav$r9TRg_a
ze)}tr|N7nm?A#!iA#D3zSm(P7=k_~a#Xx@#o*dW{AKelZZlSgHHZhZzId<70FAkOw
z@=2DAfB9i8F7}<)3PozQY=>G-ep{onZ78HLKqGCEzNO<;d$3X&w6bhI?S7M?&QLIO
zXSuPs^waJht+Ve|_n3fQa4(Ik{s#Zi8?s*Ulf*>D2@Rep(GM#F;3ZlA<NRY>_azG<
zq<NJ)-GizvY$42I>ks*?dljX2+X7;|94pn+TxmU?N+7SbFVpQgtIUX&txO*9rPKPn
zs_XF3j7UsOEKwv~XModJy?PB>3=UG)|C8Js@9t(0oT)hrf5xe~lwY%FoK&BW3qx#e
zS?NosUGK_QoINKuL0IT#@-@15TG%_Z_>^BytPkEq9=M<{Yyj=lX`EB(f@~V6C)m95
z$|?l#jVy2$7?`A!H>d?<@W$>xk}?d(-1_16hkw6uF*_-06b#~waoG{}tL?zF{4e0U
z@U=g_W4yTIr4#`Lqm0tT4G&-iuU<>CYiG`J?EHjn<UPuki?$TA!Q=kYNBNPF`>9{Q
z@w1%W81s(YU{OlrDRe@?s`+{>>HuYh#rb;KB1sas=_tY+b0JZk(rAV~3$ylxicOQn
z8uJeOJWB+c4XkP9>8NQmvOw5rY7SHJ1DNS+Z6}n$sphTPT2tJ4mj;kH{-gZ0*<@dS
z5p(DRGUy9=TSTc=7LN*XYD7f1_U~vKZDJXbCqhu8a0-3yl%@Q4mrxdQl=NxAScFEJ
zQ}e}@m7jYLS-_%QLtvDpxwz99E_9YqwtO<gJOD$u-~4Tm^BSA4KiD#S7fVj?aHr%t
zn)j)Qhkg=Mgg;9YFSEDR%#vv%d*K_fNP&Kw`43f9F?dA@3s?I-jrgn>aY@%9EWdtx
zQ)hj8{*`2c5JjempeosbaZK`{&!hWYN&$;~5ppu?Ui)*Smy?r|-pC1WzN0Oh#T`m>
z>7km&jmejTgwA1J*H~xaF1c9K^%db?eiUS6)D=3HcPSn194+@QYah|_y&o82v7mq3
zb+VoHH4FBe@EEa@*!~KgJ4J4X#~Q!G5KBe5UsP(^@4Sko9)3^-9wYAd3c|)_ev1v_
zW6%?@8%c!Mxxwg}5n0}ws&jy7pcF8p+YL{#uZ)y!i{~-qMt-}u;*RLXsu~*F`uM1H
zY*iUG1>BtPCOqR}UEh$_DAqg9*hVtBQ!v-z{sCAtI;5nu-QAoFRwYiYE_GJ=rFSxa
zdLz5<hCh1f@%Z7xrJlttWtYS3yVSi%^iNDE51k3r0Wo5y*e)eGA&AHEbcc8i<tjc>
zA^-~^8?oXCLc+q2hT`Qt{{3<0O1-+9Z+1|IS}oC_JwCp@W(Iejsz+$&kee-wSM0C2
zhkWoDS;h5+63?$xd}9!I6ETy&4b<vW2&9*w^mWN|yF3adW|258(4hPyak(P+3Wq)g
z1nuKWPS9W98(du>zt59kgWhT>jyk6#S(+att?(U<qb*~T7m67jO`po3KA$bS5Ac)+
zb+DjK52~8trO&YTLUyutj6~9p&H+V>4773ni?uG@RKPBsP6bc5{@H)q#OAG2%GVv!
zmI)4W9hS!80sBVssMgw?Yd|-i)wQ<ea%k>>`v#9kNb_@R_neCknYE^{urNaS0Co#%
zUnPGQ-2pls;nJZ8VW3T;c8P_yf6hy%%D5Few11I(&5RV~0JcxGviin_n~Rw9Yq;pc
zML&^uS9w-uAKcm+&1Kzbr_9B4bT#QP$x$dME0*{xMZ8E0@K|&Bt|6_w3Lx^30k?Nb
z@-G0b=Ns>Oi28ctnD!6_I5fpP-ZbF8n9D~*wCP0xeQa6fUeYpkl=^iGs*CkT;u5zp
zltA!{bbv)nT_)aZ6CD7Q+%l$9(0^qzhv(-8i=E}I@{@GSN0Htpzq1r|5?~jQ2FMqv
zY0U=%D)DWel+mp$@iMXE*2^EyJP(W{1N3Gg8y32d2vpwIE8s?T3+E93qgC|T6ws3q
zwVQ(-1aQCp)dlnl8LoVD7_>Q@;I300Gu{DQ*cjyR`Mp%T7JDST0tzZ5j@!Vp$OV6C
z1uhg#5p*yk6B7XeIRu+`JcxX^Op>C=k0R$W`aO(W;~63u7_i<-5bx%B)<eU@1l-&l
zIhp`ss@7bZ0epuN?3^zPyx2U=iYsWyy6}h2Oj3YcFM~Gx@+?9=Tio5+UTwB*iUrZ?
z$+mx`^1c3FV*bY#H+>6~EC&!)j>F+(bKt-kOV)%pynB>?nOs~`Uh_8x9+u^G2cGXt
zH;(Ioq?_tx|J~`llnH1mzTVB0YM6@aBcAMrvT(&ecW}d;O@1Ff+aK~foOf1Ur9|v_
zEwlN<c_Premw~Y9Z(AlR+m{Hxv!s)+zp6ipejcB^Z4C!QUHJn=b|S#SNVB%YlrI0#
zsM?CfNp>Rs$C()o6k^PYv_Y3|4Uf-E2s#TT4eCr<JZcy3nKtv_%cU)CYaDwz<oVTs
z|BG#rGH*?^n?6fh9dvh<YM?A9<jQHY*s~+LCO66_>bbDJqxsw0m9C(vTic~8XX+Ge
zAHg&k(taLLc-S5kn{@$cpN@j=MU}U<{&<(*U>v3egiL!%`G52dyx7fJfzHwTI2C{Y
z(-XUa@i}`P3_q7Z!H<ScS;Ui8qL_iYw6&0{vAPz(JU%@OxHsDj>lzH8NxO_-)OEBw
zgUyuYVT{5tJ_k!D3mKy3eAE^pIjxLA5Mfr<!g1r3{rN=;OzrRSuGU8UgFk?IV=)Au
zt5aY{{Y20r5Aye$R)8Y`vNay1E#qo!Z};1o;Sl0+zRu{<5Agy|%6xblTxX4<QW{xs
zof;kOkMbj+NGth0j0Q>d|FXUZZS1T#NW1A71F5LibWN!Zasoapde|8K^e8vIt^d=U
zk&zK3Cl`FmHkAN=Kuj!O)l)9twQU4e9xVWcS-Ph9kNf@UF)}b9H2U@sq>rtl?60aZ
zo^0#3cIv^(yN#H;j_qF_l|nbmp+r~C340y6Yfqm}Z}B`>G|H&rcQ7JCjIYedaB?*h
z@MII(p6Og8chlO>y{5h`+CM}kVkWpHO_qN{G_>K2<PsNTbh&60B1EO+=J%xHjvzsf
zJvRp1f&zF+qrS{auv8W+&l$js57LZ-F$5vYlLH0@PBc&C1U~GM^<3}g4`QBhsth1g
zJ-0C;BH%`Hp6gXQ^b9tmij#LaWmsAJ)TP@Cg@Q|5{1#GmtEy6wjM9Dw7{h6pQ?Uk@
z*u0OU&(Bm?H8lTf?tFzpr)G-8!mz1xk>C=-LQd9q9z;}}CO&wP&3X4*xx-h_w~l#t
zkn4WP><F@ZE%-)gkJd)UX8~p3>v;%q+74P1pRXTJK&(p1OfVL)ycF~+|7vGhy|xIC
zY(Zfi6>HPC`D!g-&~KcrW$)JdH>3K@xx=dS-lFDB#?$?clVxK|$rqkFhFMRD*-Php
z5#2?<LX0_S<cz>Oz@5uB{sEL6&+i1MOYyw>X9v*Z%+P+<jZ&>LqoMQi1ZKw;hpAkf
z3FDhHj>%9&Hy#>lNn=OOPjM0(6-Tb7nQe-^y1{KXygij(NKU<Vb2%KSHm6D{c@)Yy
zZ*gs>yS;|CbndBia*Yr4WqE-zcF2sI*p<NVY#LTQm{X1S0X3Mm)L?H&qU}1wi7cnM
z>7D?~ucMO-m+n8Jc_WU;5m27hZn@1}F`{=Lo#i5?GAxW1g#GFOKB17o6p9*SZf2O=
z;(8Jp!~3d*-#=edj9AwCpTs!MO3kUd>$rIl4T<gO_P#9?%4V0P!ECluw><Jk5^$k_
zua3#vj83`tH<2w2-Pzr`o`;1XRDqV^yU=L6BsgfF_l<-^L$B4rp|ErNK>%DP7fWa(
zM({|=zug|`tc-=n;!7t_rd3#gbCV+#w@X`n3JsFgy9$SYu1ZiM3kWrJEhYi03u94-
zg;$qaE@Rv-6>=BxEM@Q;=;6oRbHcOT^~?zDb>q#!xZ)`qeME+{!Y*axf%atVr-)SQ
zKHher_w5^&<x!uq%sc!zI618cEPpd~2=|l*i0PU(RkxefS)t<Ci<b|LPv4+SU>RYv
zdkumoCnrd$YPGn?FZ(p6m++Yq4gR=jE&S<WXJ==l_PcN2x{SaUId#JLII)koO=v;J
z+uFL879B=md!v!F!7)Toj|KH@@XlZ?12NG6@9w^Pt;X}qFL&p9uMCN#7vSDimK#35
zeQpfO072w2mQvzhwj?}E7Gf_~vVnW^8_}KIVCMA9<b;Hio$E+SPtVz+Gr}j~-QIbC
znb{5$A*LT7$bxa1R2K$bs3f}(zl^IiHweB>{(oF14hDu9aP*uWVpOzqWo{k&$5HaJ
zJB=c(wyTH2P_n4e8S1%-B#%c=YicsObnEbczSS0i&_f5@2c-TNgiQh_;QYU-sIRwr
zqAapa^o_j-L;9X2z*1I_-9$5GW_;qS*VD+6BrX#|AnpFV>1gD-Yl7v@wEO4V8MGW5
zc4#q30o!}#ARfxoNDGYTbRl~h2b<=6`Lb8}F1*P>2fh9m=8oR+#IErV&E}%ax>wzP
zg8kMVY%lCjV;1%s#yF-h%<0gr{X*d8`fEEo*~42to#PQ~ulG3l%~|&P)1c8Kxv{0<
zOrW2ZTMMi=qk}(w$4I^~zuZ=58V-gz^>k-RSxwc=#JTeaLXUS^s>I#3fmg?C1KUir
zA`xJw%nFvNU1<$EAd<(ACFIuga!VHSo!+fYGgrtiWReE?QZX=|L42~OIAA9xL--`>
zF$Bx=(#DTExAL`R1E1)IaW}cghX%yAJP>_Smw%M=xXRnheYu9itwbb*5Jj$H1Ij?1
z{>?>=IR-$l)3)q~DeAs_tymp0chD)_buq3Gmy$Oq!zAuzcJbg=w1Y={Ortbd`G$6$
zw++reJ6VI(nO=KY;aufzq1kBY)eXE33pKYtDe}$;f<w9GZSyiSGut~{2%ruF>5+MR
zYnjSM(OHJRJR5e`)P2e7-8<~}@86qgxaI&PAp6#<i^O^%w901u8Vi-G`29r+qRk+H
z9>~T2eb~^(ItxwB)T*gEOeVlr+v7}{z(~2g&UIegwDJ4PG}{xrGU<UF;{B#2fB7UX
z0QIYLef=m2v6)Ld2omzKh5Xi~4g$#G>zeo8U2NrPG+x|;@I?;XXejoW9z2`<_c_>o
ze+v+VSeb2w8!?#_5TZ>0a{b})L<wwzns9YmYA5~|a92#&s>hxW^8i{92Wgp^^mbJY
zO+iJLJu?$oUCzZS>Ph-~{gMu_>glDu(NJMH^PABQ8gjX7ZH^QkD&9A01emld2+jAW
zY^BBB{ib9rRX?;EzS1>awHTw)lS4f0b+p=sdTHxe(wHpo?v^R$yzrgCU^H=9<h-VZ
zTUsEmzJ#3pR=Z;&2BO0o+(zXr)?l6?@1uF=&6n&_wRcwmAL?9Y!vCpI_nsNiY0yYT
z!qjuVOA`|l-@BotqS|x^wT?!8RV7bd?n(n-Jwgfux_e(DyMBbKNKnv=boN?}gn!mo
zI+oemwC`B72Q(7A_OwquE|43W)2J;^jbNRssui))w}HVO+`2D&0FD4+;)wfS^%j1=
zmS0_+Yi)N@EV~i?Dlsl)+P&_PwFT&Sk5n2a*zzV4;N1W-+ThQADjnoGQa?s)_4gR{
z9dc!}+5=IUOx;Z+Q&l;I9H)t|3HX3{o43QIj(luILXB&gT$_lk6SBLi^6}Ayv(P(Q
z)9)0?evM=HhrluKa0(V2mQUDjfHxR?<#PxnpO}~+AVG3t;Z(z?r`&st8)(r*E!P{5
zuVXeByeB+_WCK|2!`wFtsf&*(zf|BdZ7wqoo6UeMzqx>Z7N?pZmduDA{+>_EgKoWr
zO2lz2sP~DRyP_*bIfQviqJx7&LtDiPq-{Nni23)HU9EJ1hv&~UZmmbboKsoy__;K;
zPN(8?jMiQ4SZVn$q_0?RckJue4W(O_>fOi0;f%F<VnO)WqBCP-Al?r<QP70$uHnN2
zSIQ|1@)$b3&A;b<W)OG%l=H%(Nyuxm%m%RS;4;r!b++VL+cq^`>RqCBmj!4N;+?y0
z*pZa?IO{cI2iyK!+0(McbD3s*sJ1Z*mZb=jp)<!hy1AybN}VCedQ-wJGlw>ZN+)0O
z<_I}xr`<pw@eK%TqXKT6-ES7q;9K1O&+CP3$2>Pb)C5cVaRu%)mmJ&!`l4}kZD^<l
zNlI)VZ1=_3-on0?+)e&n5bu0{%JrYq@+U)mND(<XIdRWz;8YC323U_8Z#TQHG!wGv
z<!jUK`gg?@Bs&p4HSQaw|8Ab%C#>}nFxJ)s?wU=JjRjC-V`VsAvq8FAeXy}v;?zSl
z{w_iA)sF>jFDeQcOU1FPEeZ6WEI)h*Le=z`lKXd>gtQ?>hb1G>T24LfmHS2e-rosi
z0?V$m4VtgXrZ*<5-CjWL<25%DMMMwgOnZQTh{lbe?9cyvjf{+J-nF#r#KVL96!YNe
zEY#GZ;ydNe_xoIe0A{aEr3nqqB90>?sR{S{Zm1+7U%tqKLL>mXa==Grj^^gJW3%0w
z{AW|%sj4MaRoUW1Q_^#t3$&4@v~ycn;>TZvJJP0bZCJ>5YD#sr`Dp^MOq*pg2LnId
zN^dzT%Ox)LtH?eLL>U_9#X;|cp-fMJ?OX0I;sALvzI&sqXZ!BhR=Zl$)%6j>-YLxL
zZ*EJfMs0hsth?QSXiF*H`n<M@+QN1~A7q7{iwms&ahdN?WWIS1^~U{#5}<;$4bz~O
z|C725nOQy;CuC%KIe8BVeNx;?sKq8ke<vNp<a9Hbo#`SwJzwPCzaL(Rg%owYl9#A<
zR{qg>NHF--??2%8c3}@D&D(tzs!f+&p)HnbFd4`Eay6Bdf~l;mb^@ru(x&z!55rm=
z7~$yQP?m3k0MZ6+43dpcfrn<xbYQYF7Ig%7{4NdSK_d`z$)*w?UT)y_ufeydWi&*x
zx%SOhFK<6j$)=WKTcf<M;tuG`Bwot6`wDx6|GW2q+=os=;8d-5v*g2TPvO6a>WS}4
z(KRgBe@g<TMUSBu`(F+EQ-4}y%ymb<VJkvbfx82@S`bpZ7dL%<3V$~IJUkxav5U`)
z!4^Oz@S?oq7mq;!X~v--a$YLn&2AZ5hrErL4@SUD*LHVdzVfd7i1X{t$qy_-&Nujw
zyvDg@ri2i4%s(#7wq^j@<Tx&JN?!W6l(Cb8g99zoQ<iQy5$AQhd(SSON4^<{#}^~y
zF=xa$Jmv8u6pvUj-ot|N_>dtT4Lsg>hCs_>ev8MST-@9A^K*TG+rZ(ijU6NBRt)J`
z6CU0R9teTp<p)&q)%v3g^=-LXg<t$h-!xang`DHj8Z34v_{EV&i9k}(A4+tM5{m|(
zHRmHKlg`<csnZi<91GZ#ok)y-YL=*_wy7)VZ`k?dzLDV*8{m?xe8HhiZCXAVsU|eI
zrSXd7NL+}2a)ps5@h!W4+ezVYYcOFL-9C510H<=a9&0S5C_Li%{H~s^>XquulP5w#
ztSWg0k7l`OpPV@QXf}#Sa`Bm`GD~p-HdPZo@?WO*x2fA^{$)*3V?gRtF{#sLCQ?;y
zdi>B#eG@&N7Nio(j>SS!bf?4Et6$AoR#BWWXB_d9s!iX7$44a;4><y79IIceCFv)t
zwyWFz1l{%g!5K?I=Qt_OMRoPsx?h)4Q0=N+T_H))jHBKqL`lKIUqSh8yUenT&<NKg
zzm8(&ZbDRlvCk_15B12Y`FKWVa7?^5cX6`4cS6Nm_MeF=KO7Zoc52tuOO!<uxi#sP
z_KV(AS|YNuf2}q~%J`~l$0f%^Mx9*5M}8oXtfbTnQ=&b*eKdQAuWCQ4`Fu1hkJqeR
zOgM>(d{{@|-@SL<C};mEnEfF>k+#xiHYuh(>@l}NmJK6y0_RUH)n{B)g*J`W0e9$<
z_Of!2Sx*K3djsKm`LbUVleMG!vhq7o1|Wgmh^6d8hjVA?zXbIH&y-<3Wx|OW)+GKt
zXzhC(YN_zHP*UsA)gxtihbUzEVJN3@2CLvu$ydj)EiUfpnBAFlA6M&Og$G;QBoho3
zG2@2YWfW5<{E@Tkl1kn0gOziAT0^??eyWnZK0TQ)Wq*4AWgQ(|LJ_HuSJTt(f*F5(
zW{y)00lRqi({KlsX-_9tFWY2=+%n;<$`WpqPao5(*hR#@pN?n?s3#47$WYK=S2HYC
zt^Pz;6VG_WRPYcTO`&!XJ0Xn3T<z-ha~Ji+$Dk94etCk_Kx;TiN#!eJwJ+~<b1BjT
z=<nR7VYa~%L8s5U-9c_ndqoz9N8li2=Fr2IKh9M>7!S9l*7T>*+d6FmdmFmW4eE%I
zqgo+TrQaFX%h2JMg0E-p<*X9tdF2<%fTnPEO<$6t1@jg0ZPASVo+zKg07bov^Qd6B
za$6;?BQXe4dA^@(&FVOxVs749Onjp>#o&Se+(O9LJur&_5lCfUXXYUg;?`i1^8JVg
zq3(wiX~Xg%4g1rM_<xYQNd$Q3`nvlX0J{Brx+#W8A(qaO@+Cc<AV0JSx@cO|cGcth
zOUO&W+gg417OFwdxU`A-;CLI9)<36Ff>6iknk6(*?zU1Fu7q#0Ced(E&l}o|?ZWkQ
z+R?cylE~6|`j^}ZE?T2uH6*bm0+$@pWNLogdiCyh7<sruo5p~EaNZRD3?p|A43^*M
zMsHn!s!?a4?wX$NUg6owQfrkSmQO9=u8&=hxzRR5aqo<bm{yvc0lvmzcjGoTxOAA8
zS_Of;*?FMXYqJsJN6gF-?guZW(0fg`P}~w^5sdB(Lf5PfFZF7yYF<>AzB%|i3%bb~
z693jL>0Md`pa~%m=x%N>7#7Nv7QS4+!XWe!HlTCk8k99t-=M!(y??Q@fXj`h;U!&_
z>zbz&*Ke7FYqYqx+#Nj|&k!af{;>m>&r9jFR%&sBwKrkY6PxS*BG@Vm3t2sk{n5`f
zf;dZ_Qy?=lu;sE~!}@PcE5&Nc!U*{MNT<7%o$q?^!g1e@LvMIHR3ni5Fnu5`-Vfj&
z#IrUrS6NxP-W&KuXDY_RxW>Y@<2HE*QWK`wU|LO2S%A7asXoS@2`{vzi1V}Ph<$9f
zpRf*foUWGZ3=-yC5iCgR#(f`4!)j>2s_s!27J55JkWSUqlXbKKhQBx<?RIy)siW?e
z{D?m`Zu;+Jq6>yO-%YY#(Ega{Wj4glyuObFoQ^-)h_8V%6Of!Tt+XSfFnbpHJkeF(
z$K6Z*{!}8?@A*|!R2Yg%xODQ4tUHH8+~6PKsAFAM^P*l?#A>c+rN&}S4M)QD&!6&p
zmtH$W$!?a2bNUENyVUQ>J;E6aHq6;mdoC`WJ|mQ{nc?@KgE3rNTN^F<NkNa+@`lFc
z>0yu8pNX->x=;-+8%zi4VV6gti^f;ykud6e_nP4&W7%SXmIm0%s|TGTGfd<LX3P;A
zevhQ+`N`91HrmG`dK}(-PmeIWvfI76_|>`&Fs@H?UrD+5$<Y(q(n6hcu(`f{8El%l
zgqU)N_x*4UaUpOmF)s&t;%ccF+v+0jq@IkW+3phIZ=@rT^U1D)tsyU0GN&8?<Hmfe
zn>nK5(ktv)grdb(%pYl;+~UmfK>2S63wC}Mhl70P?PjY__hu*lypZHrw87n85BQp*
zUE_cI@Z@-$`sXVI3b`C7)b>W}AMLp_wgeu{SA8pK=0Xy47c<nY5W~AWH#a`9GDH@Z
z7fhTli-sGTY4m<r0=YWIHE7RcF@#~&x4@yeYz>Mb;`=6Nl8`|ERNs%jeC$$uZV>mL
zShfyoC7A3Cr<B-bTR@oZPj{1(Gvrk~6dJ9c9ZqmZFS&?Dssw)vHBh~YeWmZyGN)4`
z$c{XOjm5|PG)Z3H1opSMV6K0!rBD!93Jg<8+qj$kcyaV-2mO?(xU`O7fwMfyW{O+G
zOk*MbQ))`n`L4c6MRibQNxtGiRsC0m(*pO3!)-Ah-jH1BnARSFfe}6l`P+kUVF0lc
zcRRvLoAj9&Ff3nwGktX0hcD{=EfDxyzwHHDJTUC8LLY7QxVo5SuiFwMBl66w*3iv6
zxUc5I^8ImR>yK1n=SI2z>61syR_Jp@f@Kf>{&-X&HBj=2huTdeCfuX`nFY8;@ONgH
zH}W5guTP?Ww$uY;1fGgvYzkJ}+eEY{xIRJF_Y!w_Ne|(!P9b$wG(WTq!BRg)?V(hI
z_|o?E{@Zmy)4IS~bxpm10Ki5-VddW5brAYg!&N8HlvF5DUtc5j{Q0Kde;3E2>i{qh
z!v3=iYFf~;H@8g3uJG^QO)9RASuPzMJ0<p$&8xi@y}H(e(G)Xq(`8#<W6ht^@exl}
z-w^l1*Alp!k;Az}xaWqdd9YiY_e@v2EAd4vQdVk{=T$ZW{?^ld6HBM#=6kG~cU>Bs
zX~q{10##aS2bg!+Jb#(;DM!w`G|&nZvW{DZ>~81sar`|##Qk^Dl(RF>`le&hW8rl|
zj(+<x;n*)dD;V+^Z|9_8<Bqc>Q570ut-P{&?N*u>)<3LPvxer)XCE-4sj2qP;}+U;
zjybCaJ&ZuzJ#9l@o=*lCN(y|g@-I}7Z<{D2xS%eknc1BiZ!b&YS>Rh{fe!<GGE$G#
z|FJv~@VWY}AsZ{^2Hote4u;GDb-z~A(b2``$w*3ie{$*2A)~dg<_DWLyO`uv0%nuq
zId=`=T0&M_^l1P1xT-4Wn&YnPQ~jTWd&Lb%(J2bv(6=X(^4j^UvtC8OjP-~H<ehD{
zJvWc0i|sNp)P&_l`qIP#yQ(K2f0t?ZIoJ{iI$CA1SV-Bwiz9&m8!rO+12AIr&u@t3
zfwf|15{cF_GQ4a>6FA3;?OdLFEdixjSh2S9qHh<CZm3uW)|&t@W_P3-TXW8e+s>ZT
zeVXIbh6|jY-W3Blsf)`1&+Ii7`i7BHd7(wvT}YCNaj*)f2zfJuNO_9UpJvCQDs5hr
zi*;h4V^X}gly8#DS+gq#89(#;ZqRvy(RG<<>OJD-#Z0-SVVVxn!Xra>;tZn$930jG
zaIdP`w_NZwD4m~ctEi|D4QI_si5hT)Hku@RB?NUnWME5Le%0(U@){iEXW%|}9)(EQ
z;ldzfsx_HJN6zL;4>DBXa#e36uBL@$PYzdh-fCcNI5?72mQ`d)V?J(Qtsms`aNr7%
zi-s~c5DhRSDuss{JtluS4#p+7DW`)!HVt;WU;|(M)x#g`y_5R!;|J}&h2(oUW?Fhh
zx9^$DEA!R>Z@kn<agJ3Ems?hIW3yN=Oh5rM&r><x*n0D_UG@NU@V5ZcR%bWsdbFDD
zxgz?~YIFJ5J7hyR7n9bEG<P$iem+E}yYG*_$L;Bv;Tq`r^73+(kVY=c!nzc~5Tj1$
zQ7APHNCyQTh$Es^P>i52&gvba1pv~o;omkH;+dq4G<c-feB%d=ebu<MTj!Z*O!iuO
z^aM;C@Qrhq4~+H!s0B;-)Q}cu0|^BMn&Lx${IdfJgU3s)Lg%yP;gvN{ub<ujo}C{m
zd=LF^`_sO-yW7~*-t$`D(KX1K&jP6R^5mM%xmFjo7fr+WDXcs0N}#MMZULh_X*MhP
zn(%eFxvt#lVNSrnCgj{WnreUH;*+0g(BW*93HbXN^*8Gi_j{$Tq&hX#WO?;zGV?nU
zCNG|twf#y+@I((X_t_t|c_aC|Zh;z8p>U@2L<AVlg5I`(gu2`dhnpu|MD!n8bToMF
z{xyx@w82bVL#e$_sd}ZDf|#J>EWWS5-OxdQLU94Rl!~$OHHT5JYAht_Ht)Q2oonDq
zvKiQ7b~M|#Kz`@Y@ENM6J9xK;gU{=K0B*J9A!R!oNseDi7nK|x9p!w%iMXiz;0w1Z
zX+Co6xjh|gOUBeRsRWPNyCdA#y4z@L4Y?RwI%F4`q&`@&SG6q-4b1!MMkT>2d%vV5
zTR>Wa53L%`sB(bH-Fw?tYbBNyha*OiB4(!cPp^D<zxj}2BR1U-@ZF7}c!H)|;I~l;
z#0&L(2g|xx<rc<QS65?NJz+6OStzri{O;1vXI~q1rYI~EGb__%U997osN3JYd)N5<
zqtu(5*Tr1e2|nNcvu38)Yy03s{htA(WlzJ^>U0*R&7}8Co3D5EGyeF`+1b2j50qj@
z?4-Ld`|VD2$(PlfOU5GPS2palDugSd@wIxMtel*j4*N##dH`@znsJ142gki@C<Gcn
z%1!*3acTK)t-K{>`-Y%qUE%G92!D8cf9Iz|0`Sp6!NTX{{<%qD3!ZXj0`ZlZvAb9d
zPu7-bd-dVvgsextxI9mZ?I(b+{_KK2TFF;DSDaw`T_gR5EFQ&1sPJmGNqd?hYM@Lp
z<5$oiXke=E@h9gVpK-q6jG@!+sZ#CMihYx9J2y8FfmzPQr>*VnbOSa?$jNE<-Ru6R
z!O-O;Ud%yzgXsKJ$JXdwrrnSr%tKqU`N`k@Q=4`kdCn9)Jf7f;3@_d;oor~YjPg)S
zIOcR%oi&Z;XG90a$K+UK?q_zqJmk{orI@Q;FM1>;LHvN8n~F3ok%X>HCth@Jp84d&
zwd9^>h+1qYp@H{cW>nYdH*e%5Fpz)w27b0D+?Imn8t8xgNV3Hq2P;x5-QJD~^f@~{
z<_a0_h+`6gKlO5JtlGb&j~M8F#>Mwh_SLz?=<!el)puS#4&XNAI>cTFN(~31Vz^$H
zrJ`5R1;{*-f5E&a>w4Y3PF4q1$1|$v?6(7UM@gZ1j6p;4zJb@9&1&zj7p{jwr5W;s
z#P^mP1U9p$$8Po?1hQHBsatjvyiY*4fIRHc(22HeP&0vOO5ZYB;EmW~exJ2Z%RgDu
zW5F(yxJ3Sni~(4$@3xw*_i4wC+~8A}E=qc9b2BXEb$i~&85?Hz)1wKn4)q(0al!q?
zskz?XT7ry+7um-x5%Bx81qY=c{rB8yY11y`mg7Xz#CCsVn~QSI*VP?{K3aY-c)>6f
z7)YaDvl2h%Cj#>3nfzqB=y5rcbkwuG#jEbg@L}EA!b--;9!y9UDj_VH0?TUn+CF^j
zW0Gk#4FZnk^+AaJ!QQPHWTcoYbm=!U@#C=R$;m%QwVCaJn}mM9Z_)}<G9kF&(aho;
zjkCc(;wuck_13`Jvrf_4nl*o-jNg)zIT!TB%3)R;)-eUHAi3u^4J}AFRaLdje!;1k
zQO_>hH5L^UlO4;@M9~HHkQZiSLoQl|$bfFIM!b<`iV8PSo0io6&Q^*%3#&ShlXbR7
z(pk{=aPOaSap5midAPV7th`P;^$VvH5`F-38<m3m?b-iZyZBvSEO4&iF6@2Q5q*Od
zl76k`pqJ1Xs&X^XbsD*|w8Z8xnf)`i`jeQwR^PHlnx8@PkdlfHSgLItc(BCQ6BDB`
zHm>=p_HBpHmq9Y~sTjAE`HXjN9IpqRS-`F9EejUbY%&E^hBe~Xd&=OZmS?G@rF%e^
zR)J{m{MhJ{KLEo&jp<@05QhVc3}XWk5db8-i3C}x&D&#Y$$$Nsii+xdXlSs#&Agrb
z^@(VY#-ks_lGVQ7^Wc(?#a72{-0Vxgtx!USHTZqB7=td3VA2!6%~9~KXn9~TZGiL|
z*=@l|N=nPrmPIbzPsrDRIxEEr1p$xMPZ)A}{H?cVa43x6U3K!@PZIy!LNOkN^*^4C
z;L2Z<$6eWUz7@b9EPHO$U%_T4Zq5&@%oD9OlTU9%{Ltg+dZr@RYv0Lb7ugw?I@?^Q
ztCzm9hd9;G|45|FF+tTJQs*ruDFjdG#B260mZn#*IvE-OhgEvy;bG1yC{0Bz>ZJbQ
zz$A_D{a^<1!?RibF8-{K3?Lh5#nCs?2B1djo9VR8tx>{@h@oe*yd~m;dp-g}(JZg(
zez^%Vw0r##NQ+3)of?)nlO=rm#|~FZ1rLJ8!+Tv6!7!`s+e{Tkd->)@7~!788ddpn
z##HiOsM6ikA!&;|K}S#cQUTpq>V!$tXl=Rm!REjsF=(gT>(3NR;e)`tafiCxU4qrl
zX?*{Jb*4~yn^mD<VgDC9Da6(s2^);ZnQK`JijEgt9#*`+i)Yz6*+6**>9)tod9~VW
zcK`YA@xIi_`C2!o-E8kEI68A*Mo37=;*_c@#ryZ_tW;=64iq>_w_Q8#Tefgxfq%N0
zG;hF>dO=*EVn9iO|M24d;jKLd^NTaWdlm)Ah53rMMZRy2)(a8>6`UE5uG&iTj@1iX
z0~MUIof)@gefn@?Y<>^vw$mqk1)ZdMqU4@M0UJtB)(iRsDmZCrX@?3{^h!@lJ47YS
zy-}QDwA4+SXVzZ2?Ovh()FqQG_Hc><Yy%ZmhYD7>+<RR+$x_ho-o&wEkJgtp1S;%?
zM?DJMQ80V5g+=G0fCq5?>8cY2D|%|>w<`*WDfBl!RIp-a;`J>f0u@nVji=5Rtk}8u
z`j!uY3f{}>1uI4!KV>Y7+hy$e%33zid~eG2h%?1r`D@OFh(be!<y)t^ySpEH-|zw$
zyUR?+9GPwd+1PX%8TZ;H(`xF)0|{}_adDN8_dQvVl%ylwS8q=~{Id<nojx7X)o$&U
z(reMGRffloAMewrPpf@V^`pJLJBCL@xZd{XuC1^$DY_ZebHs=dvNtzp9KC+MXZ`h}
z2k|$4TAtVV;mvJRbMrRDgY&L3nN94g+BO)5B_<^aU)Ge`7%dGfmi4h0U!8q(-we}!
z{d5`{8XV-c-Nt%)PM9#E)s70?JB?Wdxw${&<>i6&=PzC?TfTfAC~RxnxxK#S?9#Af
zHKiLm>+3JDms~q^;ewv<#FE1|_7Ka`)922e`@`YeopXaC9oKnw&0CX|wN$WWB7CDb
zvgT@`>FCj;r`s5AkA4>XYhK>nB$Jsk^p|`0f*;-3(>2+^dcoo8hl(RBFXsF8OH53p
z^i6N?6weoFah37KD+hS)DlF{WcloKth*Ps$wYG`4Vj2JbSqU%?TuS!kCmUFEhYaa%
z{m0WE8s9ugbxdf4EG>2O^Ye2zEIT1{JmxFNm)`oLhw#J_r@AWzosEnZuUOH|Um#eN
zf@E$9*cM!OrJ!xQc5}=;42MTqI=;Qry0p;!xP!^*^>2M8e8WZFn~v_d;Fz2>e8%FG
zs&2!h9{m&@?GPUyKYg&#vWyIKewTc$2hK6wCM$Z{iw~`Lns?**bhCEt+8H{?AYiBb
z`m0%Kr28BPlhavx$1`f5SDz`}Lxj4F8DnZ{>P+^^N$EXu@#f9_$;UT(3=G)X%{Zys
z>=(}l=ABOp9{Z}k==O<%qFakAc7#^emTk$c?0-6AV8GKqJ*{(q9d;moPmP0_)`QAa
z3yEW5X1KaDL{G7=nKJ}$b$-kl3&b%oBOHeNEYR&S_vA_UqPGLv4=cNT8RBw(aB_08
znzgjg9_<H5XXZX|cF#YbHQeCi$B*tlJ~JM^3O{#vo=)kO0PC~aqk_n8>75@q_s+e4
zG%qi<_Oiv>h6amTCxjPR7~JOlhY!yxQ%5aM8Qt+tyhGBK2S<^-HEC(He;FB<TU>ng
zVR>~5r+xd#@~Jc6$`ea-H>4Rmn4GUZ-5~SGH(KguxYTXaG@YqKk<;C1UDEzed~wRa
z`$r$<T`R(Z;u{}s^4=HUxPRx)!McVvKaslOt<ERa4U2PJH&GF?qlYn{{7EX^`Y6+D
z7H|0Qp8TwiuU@^%-Eh%M=6DRhAMcRoe=cOuAN%)Dm^iU-U3I#|YD%$|kB`p*voWxP
z$>}@4HKgtLKXc{`P#>>XFRT3FhablO{IdmLd(Mj-7yLrfqr7Vh!N5RE{R*qpUI76C
zI@Z?KrM7L?>6xd;If{5?j5}pz_3!S}%+1Yft`w}TF_bQSkuwE9pCr!XN8WSkHEQOR
z1@2Xr6%`e2_4EvkkMbfNSNLpgNXzpNN_Zu(oVxe&U7M<S&y|*k*9{|FN@N4q>Agx5
zI`*<EOL+Ghe*5%p$N5ls?90+I&&mRV7Ny+PcQC1~tciE<2bO#mUw*IklL3AK0Xme{
zJvjA6j(5uWB<DOna=P2cf<0pkf)4if+vMHd*!hx!Np1DX_^VSDZQ8VH+qUiYy0IQT
z-oJkzt)<uRZv5u#{V(7d`6-Ok<=g|)YIjdhXPIn!jp3SO4dX|}Jvh46*UQIe3`y=h
z7vOgK#SP-Z-KTet<_g0&51fZTTCKMan2(UT`SFb}((EJ^zqje!xw9&Ft>-S<3$trT
zPm5KVnFh7BwJs$We>|V``YPYVJ~KQ%eniOGRj`k}@8*2JO~D@;U*!tJet6&<C(hDa
z>p5h^h+Y*H6|Y66^OX*nHHR85_MZIU=tkdyf&$mI_L4{E+&K5|-kk%q6<hzMFLI{t
zKAYr~w|Ca3nIm3b6{d)~D*pImosRa$*3L;CkCz9{;_(+KA{}?0S=q2X-`~J$%I4E=
zR$VxKdhWDs*xtg656LSB>v;nPjDGX@=FN}Ld8K=1{E+iWQ5AM3_8GN1(M#L0+m2&?
z-?Oel>^6NmWG}t3@bu}iQx3%Uc=qgBnpwNNyuAJc2F&%|<Qx;Tr)Kl$`kVVQeYQI+
zWJlL{sI}gmeNPS$W^2!MH!zs|1oATK+0#~XZE!aOgQ5E_1zPHx_3b-pR&dGj<2k!`
z>-QWg6-U+VPByR(e*gAae{1V8a`}*Hvp&e((-Zq;$9IW|iQ!5&9_?u2xFpGBW+166
zsEnWT;PDICFaH*CVPyXS18}poXUfXTfJq%zzSVf*wrNYxo*n1!?;kj7R%O=xWa|U7
z%{(09-`YHX{`}&$pi$y$JKNokf6;;D8&kJMnNK&SPBrcw_sDjM(GX6XHf;iTi+fz#
z6_NDf!G+|#d!mL%-up53&0~6j9ZY5~&AXQ4tRrwtOL%tA_5HispB8v;+VOEk)-a-P
zZC%~ko2YlTBN&C&p|ULjwlU8|$4W{zC={I7{k<PPe7HT(GWy=4eoyZvndENX+&10p
z?xTtwTC*D)W8YVrd>UW<t~h8f+0N0?F;}?R=)t@ft*!<toSd9es=DOv-D{L-9kl!7
zzCZrxm7kxVX4Wo0KmXk0!J|IB?0O>A1luq4pgb;G<=Kg=hGM;~rtTGeK(CXV8tT!b
z3p(UVw>n>b`)P|=`1_BMj+3_LeLA@2wttcICTG^HS(nSphrTN=4LkO{`pnv!=n^;6
z+}zyXiXuyMT?6;W4$*>!4mG&BZ$?Snll@8Cx7!3->UZnb?Wawb?!Iq$v3cv(1r_2G
z%S^|}p51fJyzM<E(ofzCjJ^1<P+@Lvo@Ul=;Kbj4^786%He}F&kBt%T>4^#NUJu!K
zY20eNHrRoNzLxs!ae^p#(0b;FGS_soN4F1}9D0>q%g^d~eYd2wR<Gevy6I+pMvV%(
zTEEM{MA`a|Pg+kK9%O%d9FR67;>!BM!qV7H`M>>k?C?CDwfiSNsm=^qVCLZv`?9|l
zWMR=RcK?Bjh}Q=i?yn8W+=raepD^@NpZM3eBiHGj*O@NNKXKxO;;}s1YwOf~3y25j
z?>@+$<tCBTo6MXlmk$AJnGlqtP$=}LzMkLSV7mQU<V;<7+?&V8UtAbvP0_~3x4+*+
z9mNC6T$A<TTYto)h)n0lRxTa-^vYyxQA$quI=%Ye5s=?nr{nai+hLGz#5z^f4&tte
za@iSPkwf~@ZVGwbl`yfmo3V45gUL1IO#IdO5oHS(wiO{r#oDFa`kR`zUf$QMi?MT8
z2a{{Uy7;S86cJZ`JN)wDrTT?#W0Ao|%hJ*y{(`<T$DJit8n*9Ygh>4<H%|4#hYkA-
zW-U)p*3{~xufL#Ra?!OlOS|<SHf%MP#~pM&DeCGVlc<c^9OtA?-Mb@~V%%5v^;(l?
zIwoadN{+=kz54B;j*kWiw4!VCH~Gix?9o`3Vm#a?>QP{+?chZ(a%R3hpL8>CQea@)
zS+i!Xy)fo<PI+DA^C}PZT#gp)irHEBhuM{DyCORG>^YFXU}L1?<ul6~WSjk49V#hF
zy3lLOk_z#HZQHih7)s~7$Z<?LpL8@Y_URobLGN|tStFmHG<6_r($q6KPp9_^KQeD-
zaqkDtBdb>F{XDk2){&z}mn~mj`LsIig^2Rg%$3nXtiZq3`pHGo{uUO?fD8;hzs@PO
z_ehr#S;RWM>U6?U#1m*eeg1s()TvqG%rPlj^7Eap@0PfhKr+V_?vH`=9Y{NGfb@-h
z^LS}(ZMaInS_`x`7Zl9jw5gxflwt_TZ*?C|jrKY{M0N!T`8jn@wr;-kFk0;4WM^l0
zaaTk@scnrOqXQK9uhs44&}n$oBiXg;OHWph>#J)t*j-JNn5NLOkz5<xdsm5TU#~UC
zX1EG^oKLDN4tAX4t2p%P&5s9PoF6`6{P;UB>+mrR4GlHdb`7+bTr=ZyD(1YnJ7w!S
zz08aOTI)u}>9=atDsZ=Wwdd9gQ!S_N?KWr59ETZ?*VXi|(mJ0+6vsMFnWXT#ckkZ%
z^18@7hgxM$+jb?sp*pjsbc2pQZ;~0Gb86v>K6(>g^!e4l)t#zS%MI<thDVMZ87~l2
zKd%ee(bVlz_2W9dcZ+_}gY&M5fL6=l97(o5u<%T#b^9|p+SS$7tA<4AFVHhdS+Sy9
zY2?W^4ko-!D;hdYQ+VBqd0>2F=DT`OV8DO@E+rFI{QkS$*>%IZ&bSe&GqGTjIlp7O
zLk(|*W7p~(UlG1suw`OS+?&U%M#TJn{a~M)MYm@rpFHVK)?e$sC19JrN{PKUcGszQ
zPY$N)n8bJb@a|2?wOtW#VW7(xe9?&$ZomD!Lp$N!>*LOPBNMBtM5W7EHF;(D@^$Na
z9XoO2NO`$I*M8oKr$m3=Fy5S#)9QK=R+8ARD=-wsWjh-0*|R5CxQrunTruWZUhIaJ
z97BiSea<mt_`tb`zd$kc+8&}Gm&?7l$;ag7!%I4YLe3r<W0H^vq*h9lUtV6`)!mYw
z8-21<;-2g`XsxaLlSpLt=bwMNj4|zSFMi>MYrgwSpH-H0HZe&J{Ut{Gz<~q6ju`Fi
zTsZyk55I2Qc<<Pvu2$###*f!pek!p|dwpo|;BJQxAFlZ`uYKQft7Z?0xB^*QU&xC|
z+2&iWrPWIA;o{_fa(|@b6wj`CjgwtnU2Rs6TbP{e?C#z+_RZrCK0ZE%y4p(&ZGV_B
zVFHj&R|+O4`8YQGxO(;KljqL4Mn>9>9XodX#EA>mtTECmPvuOTIB`LGdY5hn2Bt%Y
z8mwNu`fb&6pY2iglm2M9zxJ;^My1;vOwQ+>^4-6>u`#ySsF}UuUO#g3_3fh1o0N!N
z+IaWjrfj$9Xotqv_3cNE8b#J!=>RnF>$@eL>06_@&Pg3>t`ziq|Ni~OA}lB|DX9`v
z5sNK9zS=gckA+1$(BQOby^V~FT!3{O=~z{1pEuT}ieo9@a(fi|FIp%%=4;MP@9dee
z(B17{OBC@0zW@#5m#SeOOs@1OKK|*U;-S`;FHO?-|0uu$3R+e~BQ{yZz!LGlb;s<>
z_y2|r9Xe!a)BArzhYb3D|L?!?XKD(K5o5uy7;>SWTBn~tS3_N(Uh$?tj4UB3Mj{Xy
z29q>48U?J1MIktjifH_Wrj;!rR4Nq9MHIj)1qOvkg(yN;DxU$TpPiQzbp23zC=@wz
zD7Y#b>_`QX68go#^63=z@pB42uIZcZ98*&c-3tAbxke4X+SBPun2n|_e9b%SO#wnB
zF@9>lISe8X3w!~Mrr)zy2c3nOi;T_QNDq?-TQTqA3o(hc3Neg6%Oo61P!FOjaVoz4
zIen@H`q}iBMnuA)Uxw{s+hP98qx<7g&6*N&8HH#f;(;OZV5x|QBZLeQl4umd6b(Ve
z2v3YkBMA2Wb?RMzdn+3&2X){{8%`6<JmntI@40iDVc7MfVF3C;XozYy5K2J(#4w2v
zWIsy?5fe&C(|+nWmi@jJgpo!Kwl<aF2u~)bz&+`g{FT%C0%YcQm;wr^g2ZX8CWwMd
zrRJgJHJT_zD)^%Q6ibr8C^a}5JdFXK0|hN8j2Y^mK1@^mCY^yc|GFc(9X46BEe2^v
z36Q~Ip44v+&<fFD+|HO>O7fvWRBZvlbP54#K&6NnQci?|p~FO0kiU}qGC0dr0UAG$
z;(08{It?2Ql0e%u8Bhq*Y!_4kXa-7#QK0)ulsRSR6g<1KcNYAJ;IIW+MDw69RU+jm
z4tO&`%)oFF1k1@VP=`kIg)pgRKPX8c;*b{Tu_<;6TZ01usWF~uUb&*pIF}z)o&;TJ
zaMk8LeVMQF*p3+n%TV?|LfBQC%U|%^zs+@(eSACnRbutD%z|y31D7^u!v8uO{x=!1
za)RISi@zF#iDoi>2nkdg`Uf}#QWUUg=P*PV;g3oXOiuElAsh&blw-JD!iVfQ5QUuR
z6hb1n7b+H`1R}(wB7zUu19h1LK_M_I27Fgp-`0W70P3AsjEMbWq(XuZ*-}8jILU|X
z><0}UMjvD+C8DPWniB&vLt&I^up22RLYhJ=e*x%;#ez|SJu%qHG}IG@EBP>klBVp(
z!-YmvMqptWU<6`R2s8b9gs`<lbhfe*#o0p<DS`ub4MR9A6=4zx6+tiwdcaA!OxXs*
zd@VJ*pxX!oQUIpmL}4ijdAI<+OLqpE;W6zni0P=%!$pIMJG1mfLpMVhbq?qmsdHCE
z42jVwM2ZkJay5>?B9!_i!?EBN7y6rNT9wXr#Zz{}qr0&-RjW*;Sg_M$>x>7<O>kiu
z$)TiT7eovLqNmAo2+bi79HlUW)DuaXQk$d_a-k3*2>&n~A;K`Rh^APYzU4TgmOg~i
z!kIbzM@MG+H%3O|?2gk|I2s*_&hgb8IRhMJ+LSQ<^VsI!f>mWV#J)wWs+LCX$7n|~
z9Frk9iBfc|0j+3i3Vp5;86!hJ3%|&o^zj;OjIjynL@KSRgr#H!CPF|F24<P%Z0Z<}
z)CzmE<p{MA5nnA}l&D**63LSy<O~dtK&7E<nzbotlLtlw7_z2hVduz>gB35-994<z
zc*f&c6i~QfX^a{?vpQxZG$RZZhCvcI28dFe)-PFQSO`l&Dg$H3HcBZGO&3RfJ%EZq
zp`U}kFsV4^UtS-!ZJro|MZ92U2<i*<7oeEb&n8%!91T!2Fh5V__*g>gM?fwZu!A5V
zx2-6oLOO>|=0nU+D={X7#T*VZ`oBa@^HwkSdDJvb7N&v}XX;5X5hA8=0%bCBj1?3R
zhDceJkCH!@)NTN4hoG$!3i=wuaYV?N$U-rSNJ)CF)TA9V4+y4Moe~Ql90W$ICLl2d
zmPjM#o0>wHlo<dRt0hy6Y7sOdqtHmDh>#I|I3}Tplx8_}3;ml85fUK;iArhZ19Wa-
zr80$Ku^5}-8ckD%#tJ!6nEK7SqkvXbN+Lm6L1TeN2^Nf=Ki~q&eA)uk$fMS=KgOuB
zs==VrP#hr$Z$B@X6ozSlp)0e-W1^<H9EQN1ghI-8{XDt&X%zfglszT6P)0Wc=h~zx
z+G}W~)PtlLy&z!njG>DX%$CA*LnxutszfXlbQl6Px9({mcs_@N2gAb8&dztVle0?p
zeC^zT%*Vtk0piPoyVJ$2AP*7>!2lu9XB!k&qVU3M*w30U?>q>Wp%jp<I)X9}C~k<9
zVBqnYR1JBlgg)j`RKlPlQn-pJqE;yi!GoJtkTZDt8m$6`)3jiy5V4X=fh~fHkx*)B
zG=Ps)DEpWQVv!kv`bi?uB!?Xo^SdQS3IpOxNpqmo;7WL3HU)?S8q`#YTnbJ`Gp7ky
z1m#&Zg#=O|CXoP6L)#BjRVWw%2bB^YG|V<Fni0}Uh~bD8fl1(KaEuvGw({uHBVhCr
z9!+H}RAUqrsxlwq+5!uSt8@>2#-+k(?ha8cD_f<1Fh+(oo3sU|iIuLjIc#ls!Y~+z
zg;aU5EDV;)B?wO8K~pX>RP*Gije$LW&HUG2?JuSmn@5HrJiu@eoX5_Che>%MC{B<(
zTrQ=+KiP@1i-bg@1hrKJWxYcE(NHOdBfug-qEJk(S`!P7sj@U}>Qap;rxAg~fF+@H
z4iZO^C`3fFWnadJ2CC2wLCt2^7Cey{T4;OGJdkk;zyyUgOgq&OSOoYSB8@_EOiIyP
z6pW*Q$O-k0bwkA}P69^BU|fq}5~ep!2?neLzV1&C)Qj453yvCEFvHrMRE`M=EQLc6
z5!)_kWg^`Q*j;Baj7l{8dxSdpuvODj$ym8a2r2~@>iCJyN>>Q$0a5lGjD%n~!j72|
zzrhF;jLD^dTd*rjjR35sl3(B?r<vMJBZ>Qu^J|7S%Tb;_#&!pVNE{9cL4_@PGO4lw
z4991X(NP>>)DQZwsE#4!3y@+Y5KAE0nJ%ST5UM$E4XH+vClyp<j9r@V3xUZ&v3!aP
ztN&!Flx@#hl}C}3ly=pCDsIfrmJ53#F-<FYA~7x0ar#mp&Q8s1fE0E<;1s&J(@{DC
z>W@kx3>VR>$@nBeb}$TdcOfbZLvY$|heToHsXD6WnVnT9Xw6V1hh}Yjb%Tz<mWE(F
zR1Qv-I(v84up5-#J+_J%l_IKomb5D;8kWe!%-K<guI5_fa;X&&#{DLj6vK=E9fuU%
zk(&LaF_9249Qv)3r|PsYaoQu~26CAMhzD_bJP904+u95?GdR#NiHZ>(Ns77ZC2>S1
z<^{vT2r(AQBhXj`vbC`rED7dP$6eVtjR;OTqa+fTM<8Io0p|c(JUB%fn@k-@#;x}G
znX=xxCRM>CSzQAHVjYvRp*3f=49l2=7+4Du5yz;!c)_3+kYmzN+Q|l(gA_s}GBSpd
zmn}uynnyV3A(+w)0}+UY@K_a)#}1dB9@9NLLR$0UL2ly&e(o-#)qgpS8^=+n6XpP^
zkqc12XzP>W_iD!J*SYYNRxuU@v~^^LHDeO<fQ7`vg2NFZNm$ceSW}K%k%rYF!$eL^
zEaDbM{Qr<o3FsoQ6oSQ+xkn-pAq+!AaxsEiLWotU6~rY-43FS`Qz#Y|Nl+<D;dC=*
zyqbGdA{UdWOpNf9JrQbgSY@I&%}~`uArS`ShzOG57-c%E>`7D#^a@NwjS)z6bxR%U
zFQOGk3&sVlblK8p1(!=f1MIm~HEYSl6jiqScn_D6woN;sEjYj_t!1#BKvb>51mzc1
z4j9k?or%CQ%0`dHB*7@vE@4SEtH#DG)oj7w7zk#(nh+9=2x+%9=!6npVoVwe<W(3<
zEd-UP>0z}}Uq|Y04CTH+Lt65p0v(|x7b;MgDGmiDqBe90#t{e>3gr?xV5JNbfqegw
zJDu8W9<y{j<)#2ip|Zx)Io@o>H^v2+gZe!x@P8{R&~*EmGea*cwf%H(m2p`yKg4JR
zLpXRCArv#g??HAvJPZ*J)kqvdr!lu+z!{=W1RBz0Nvt$Ab;w$CFRfa*l0Y4rmVz2I
z>n4RVKVW^5N(L`eSrk-Ci_2|mLua<I;HE7HO1{w8pq3kB`)G->Od*P6DF@AJqa39N
zh^ss;JVZ+3F)|F5l3ca?V3^TancqC2`Y(E4gkqF-DYB=G=7LkW(?u|eOrOGq;-OF+
zkwHG5+`kt)YC+6<V<H415HTVoF`VWhBqm01SjBCC!U7Wn8cNyB->9T$DCE|3GZcRT
z%DA;DrIItf|GO=N?I7tZ7-|#Z1tTQP3qfE~j;oO@sN%;AgAc`VK`ATE&S6{_#^pm?
zSR%3?%%$RR>MNzvp*0OBOk@ojhk*4fMadXzSW2Qi_7^(>_V?#@>082NO{#n`NGAKg
z5eJig4|V<hP#3*~>ZyK|R_+T+Ln+@e*Ve|0`af$2?o^J(tqe8C6yxk~?$n~(N#ATT
zs9bD3+Fhkmu$ws7T9VpKXhQ}wA)_W9F9{}>0-Y2lEx{g#$i>i%Fht5sL4<~cAh_Dq
zB(<wz3{iuI`H-~;CSmpd2zjsw#VIZl!#basu1SpU6(TWZpQscPAyMiMN%qDRb*eBa
z0*#+Yd(atsLwViMicu?q$5SKWa#e%|#!9&=n{NekJsM)~M>q2xs^6!kj2CExdXl4B
z9maIv^0+Nk<8m#T1IC!n1SE<9W;><#N1+6YF~LE$J-L(_1=Jrb8*A`Dl)r%LN-7tN
zEg>n^tUJo90-?$o0oF)bLc%Z%QwE@z_EfzixD^ET50%+Lm=tmf@B_1er6L#y3$JQv
zjHjz5$cFktJ~Bk=N5aAgizZQcjZ5fU9=#WIaMTOPH=0U;qz5uN07ps0M=GQ#l|W+=
zKIAY4RdTLoyQY-RY>}_xBlMtJI!C5z0vCcL&7zV_nrpNSM+l;ck3b+3Q5H4{th&$`
zOO{nKd*q8z_y3qu7!F}l7etJZ2(bT{Jz&i6FWDn<62nng45k5-;H>aq8FlH3lJ&tb
zfeLxbECL~|P353RR2r&GCJ^d0sr{t4fhvgjG2`cJj##+~Fiui3gDI|@@3(9LVBdhP
zQb{C^i77XM+JLN0Wo$oe5D-@%jdB$HmUIH3mdS7wqoQ`~QBd;8rWtBm=)_*DBrzZx
z8T%5EMnO?9&M<1XmVJ?~(x{0ruI7zoqHAo=kSe04ipr_VQ5H*3^U`iOCgCfSASeVy
z#3EpOtEDliG`~~+Q+XFceRNc~Q_YI<f@Smt2hExCTdM5rrB<B@9DHqECT74yTUAbU
zKRW2C(%no=A#aRC_$)iOqLc@efM5t17BD40ls<P3BVBNWcE(bdEtC#<%5#CBlr6|!
zK7cUX64-M}o@z;pK2#cp;3!aHFaoedp_uYUp;8UX0%NB_mTXj>8va+Qpz8DeDh1S3
zBgoXuBK)qAe%DC9QX^#|#mxNzYCklc3;zp&D0+DRW*mxUOKjAsrI^mRuZZFN{rH9-
zd!gfRnz?G%>ilFl0*e682GSN-@BiHWppwBdjQ$@b`Ua1n`r`>z{i*rzd5{E-_KQGf
z(5^ZlgxHFnNDQCaLna-V4gx6wlPD2F-6r5eE|@n)`Y~Yuz$dA$)Mln!f$xEV?}34T
zJ1{_>$^Wx)0m_5hvIF;jGcxd*p)twdV*}q~1OH>O0a{J*MO62%|BYCE^B%r6?(lE<
z>HnX(Hqcb96+x<-8`PT7j+<}4<e_S?MHj*s{RiKDzu$eo-+jN|eZSv*zyD3&?{}~5
zf5mGHjmI$wLWUu70&<O}9&^AUYsd>Baa2g(ey0D~{0o_X`cehLbVnNta3~+LwX(If
zvekGH!j6_f-yc)>y2lh~iePpRVpsUTaJkjAiPo&9K2ap8^fOX2zUcrzdl}pbSKS4N
zgkgv<f)|0rP;Xy(A~BYd7$0z0JrT;~rdCDOeY3Ur3$0RJi==5!c|gEw5JDW50ih3$
z0Jnt#v=zr4W@~3ln>Cu6YBS#r8Un>&@_sn0RJQO%lMurZjIdVq!^31izo(=cqa}G^
zQgFzcD2c2!su5R!)xB*YkQ6~g%-3_KsvJHfp<7gHE}$`SFf5EvegLcD9IVD6mx>XB
zU_UKXwn}-;qhK*GjFggH{oAk^VKCW`P}<%xn4I}u5pu?G#K#Ystj4B1qy!0z#ngXs
z`e{L8YX2{M2__7KagwkmaRjlZKaEgkwXmk9q*#QrYL7<8tR+U%%fH!W3u!!C)fhbG
z!3gwU83=ny2)c7tdt$XZRTVx2xCBp?z{)b(L!%n3uUw2U-?}kMFGp!Z&_OMffDrI6
zis8Zp1S>z9wS)-FQqzx0DysoyjDG(QXth?p%$r;o4p}*aNw;9de$|;WrCkOrE29Rj
z)LUd4^ZM**Qw6-5Xq#&1OJ&C}5kb}dQeUyE8C$?`#}OzTNGWC|m_nA2jGi_uf@M@}
zOac}=29x8|!B&YnFE|1iZ8)_Vsu%$MJuv&dF!hlb^FE@+b6!@g&ZhB!FvNpkF#`A<
zH3b)JhE$malnxorr<)0q%i@@pMsnlgRFA81H6KIcLRL^h0*_HSxCzk6k&umAlOY(+
zhwLP3DNJZhEd@|*6oOM>7X-%{)t}CTn=*H06}dzL0~N(r<4rOsE)D|YHKV(+Ql=*)
zaG`_*>iHp!c0>pv#8FBc`PR08DXY<(=Hhx$-X?c6G)%oidW{`5#=tB&?Vbt(JT)jd
zhD3<Jw*vzpTN@kA_N~9rodk~l2fb-F><A6BfkuvKI)LUx&>|Ilfeb!R2Y;6ksAvlP
z+#d!><iaq<JE+;X26e=1=0ShAN46Zz73o}aO6vt`p7N1XdOTL2BQH-R#x)8Rs=WoE
zMqf>a%6_2UpWb-{)I&r;Krss<F%lO4t-YT-L^9O^a)g@iwJq^Kwbx-V5LnclAu#9v
z+#aj<)Y3Ln-Lp1|7$!()2qZzJa*}nLsXd4Ad1d%pJfcmmz<lP4i-1si@5X7|bzr}C
zMhFsul`l}RFPwRdw`5zOZ15Q<fk0vejzXYdF)WQ};i3e4ec~@}T`<>^JftY83K<jX
zkNkpc+G#W%!6hi`3vv#FrJ?jo4A=}Qf-CPMG2h5D9#6{MNd-D6$B^=&2<8b1(0%j9
zTlzNqZyMARREmm_V3j2uEGJmYTHSW0A4>dgH8*>LP}6Yz#sHA5okPn3AhplM!HlSn
z+?zdJ@tIpNrluU#4Hzh%r*1ep`M7<yx?04*6qW(?n1@NlF+8eo2%?jy3j;B9SR8U;
zzg%`1tsZZ%q`Fa$dca~FfkiPa)q-6mz~SW5?}+%(PoaQA=FILHNN4XK$q+mQ!zJvK
zDYU)~OmHe*AOhs)2?#>%HI@FfaS9PYHAW@0k_ty*s0f+?<5Ez@f<w3G!JeFEXG(d8
ziMk>5^$%C84wdGSYVkmQe_$D+xu82nkbW_QYWe?TM{7J4vZg+3XPy9S`ZCAY-<zTz
z7NG7+v7gE_j}1`Ip39nc^@ZoDnh)!1UvZ+HBGj!sNQ4r&oFXVFSS|{sUW57D*T7Vb
z5$tqalu4th=36{D5>)EMDv<2GFbNzjkizPz&EEf4$A7RQgkgvTwhAXO>A#6F@MZi5
zTU)!qgPY<%*x1^A$A9>5{Kat~h-*e~JeLn~8MiVZ0UkpR7#?a(|I?HUls+!dBtcpF
zIR`pTb@iIdhvFzX&Q*K2NSUZsJs88p2rT7VDl<@0Oyzvxl`B<gAfLEuvGoKxhb#L+
zm-HhXE%c}yXG_g1)70z*Q0bq(n5F703>AqGsoIDkh)bPGE_1*wRp~OAq%M)DuP&3D
zps^6l9gmjQL2c(W*MWV!-j9*$UtW(EHl0dmn3G207dHNL?Q0H=(Whv~D37`%qS-=|
z-D#mb1mnUmlthH297njyx(RBlt9p_DbE8M4Bod0?+?Ge_$6QaMpJD#GDYmftU!njF
zDqt`2uuHC1DuL7VUz+qmugo`*hw}Xu=9OvUACZZgzWTYvZZZ<h(TrEqch%nV!@p_q
zKQlP!^K=aT6)k_MKd2>|R$qu_g<B@;ufO5M)o3uG2^|q=Y}3VuzQ8fRunDT$JfO*M
zS`QqNiYQ9t5@J-;<ZRKyq|&`mumrZB%Y~!4l*;*;e1Q}NhnhPEZQlN8jv(|G#}HCK
zicH8xZD(3Km5|2Cgj(1VwVN+r+L;!P2K2d|p&oE$LZ`}z)RzgP>0O(DcPMHNe{MYA
zz{zM~@GXptX4Buu$Nr9#{tSOk_^&fZLSx3?dE<B9sGk3y=8Y8feP@kdGn9XqH8yi)
ze+`@b|3j~*{QXK_B=JSnp1B>5YJ>==&n6L4`Ee=~f{8^44!8k3cNTSux`xbz1DJPb
zDSsGco{_8<F9emsV)d8YxqqclGvTqXSmBn$i;5&vw+omiArV5tsF?WAY>~?Pqu)($
zp?@|A^~G&rs>2Y0iV&U<#x*wwv_Z7g`ezBIWeZK?64kfJ#{ZN!`@;J9Fc($WFV5Lf
z|CJ<DE~REY`nyM17@^!4M!q%g@!O=#zoP%rL;6b2{xv*|1O7juxzqCd-}k@of8YPU
V|NY~?|1SUl|No;4jrRaz1OQ6-)@lF%

literal 0
HcmV?d00001

diff --git a/chart/files/init-db.sh b/chart/files/init-db.sh
index 80121bbe..7ef87270 100644
--- a/chart/files/init-db.sh
+++ b/chart/files/init-db.sh
@@ -85,13 +85,36 @@
 {{- end -}}
 
 # Check if collection exits in database and initialize database only if not
-if python3 manage.py id check "${COLLECTION}"; then
+if python3 manage.py id check {{ index (keys .Values.config.collections) 0 | quote }}; then
     echo "Initialize database"
 
     python3 manage.py coveragetype import /rgbnir_definition.json \
         --traceback
 
-    echo "Initializing collection '${COLLECTION}'."
+
+# TODO: deleteme
+
+    python3 manage.py coveragetype create S2L2A_B01 --field-type B01 B01 "Solar irradiance" "W/m2/um" 1913.57
+    python3 manage.py coveragetype create S2L2A_B02 --field-type B02 B02 "Solar irradiance" "W/m2/um" 1941.63
+    python3 manage.py coveragetype create S2L2A_B03 --field-type B03 B03 "Solar irradiance" "W/m2/um" 1822.61
+    python3 manage.py coveragetype create S2L2A_B04 --field-type B04 B04 "Solar irradiance" "W/m2/um" 1512.79
+    python3 manage.py coveragetype create S2L2A_B05 --field-type B05 B05 "Solar irradiance" "W/m2/um" 1425.56
+    python3 manage.py coveragetype create S2L2A_B06 --field-type B06 B06 "Solar irradiance" "W/m2/um" 1288.32
+    python3 manage.py coveragetype create S2L2A_B07 --field-type B07 B07 "Solar irradiance" "W/m2/um" 1163.19
+    python3 manage.py coveragetype create S2L2A_B08 --field-type B08 B08 "Solar irradiance" "W/m2/um" 1036.39
+    python3 manage.py coveragetype create S2L2A_B8A --field-type B8A B8A "Solar irradiance" "W/m2/um" 955.19
+    python3 manage.py coveragetype create S2L2A_B09 --field-type B09 B09 "Solar irradiance" "W/m2/um" 813.04
+    python3 manage.py coveragetype create S2L2A_B11 --field-type B11 B11 "Solar irradiance" "W/m2/um" 245.59
+    python3 manage.py coveragetype create S2L2A_B12 --field-type B12 B12 "Solar irradiance" "W/m2/um" 85.25
+
+
+
+
+
+
+
+
+    echo "Initializing collection {{ index (keys .Values.config.collections) 0 | squote }}."
 
     {{- range $product_type_name, $product_type := .Values.config.products.types | default dict }}
 
@@ -101,9 +124,8 @@ if python3 manage.py id check "${COLLECTION}"; then
 
     # create the product type
     python3 manage.py producttype create {{ $product_type_name | quote }} \
-        {{ range $_, $coverage_type := $product_type.coverages }}--coverage-type { $coverage_type | quote }} \
-        {{- end }}
-        --traceback
+        {{ range $_, $coverage_type := $product_type.coverages }}--coverage-type {{ $coverage_type | quote }} \
+        {{ end }} --traceback
 
     {{- if hasKey $product_type "default_browse" }}
     {{- template "browsetype.cli" dict "product_type_name" $product_type_name "browse_type_name" nil "browse_type" (get $product_type.browses $product_type.default_browse) -}}
@@ -116,8 +138,7 @@ if python3 manage.py id check "${COLLECTION}"; then
     # create mask type
     {{- range $mask_type_name, $mask_type := $product_type.masks }}
     python3 manage.py masktype create {{ $product_type_name | quote }} {{ $mask_type_name | quote }} \
-        {{ if $mask_type.validity -}} --validity \ {{- end }}
-        --traceback
+        {{ if $mask_type.validity -}} --validity \ {{- end }} --traceback
     {{- end }}
     {{- end }} {{/* range .Values.config.products.types */}}
 
diff --git a/chart/files/registrar-config.yaml b/chart/files/registrar-config.yaml
index 1dbc0876..66a887ea 100644
--- a/chart/files/registrar-config.yaml
+++ b/chart/files/registrar-config.yaml
@@ -1,10 +1,10 @@
 sources:
-  - kwargs:
-    {{- with .Values.config.objectStorage.download }}
-    type: {{ .type }}
+  {{- with .Values.config.objectStorage.data }}
+  {{- $type := ( .type | lower ) }}
+  - type: {{ $type }}
     name: name # TODO
     kwargs:
-    {{- if eq .type "swift" }}
+    {{- if eq $type "swift" }}
       username: {{ .username }}
       password: {{ .password }}
       tenant_name: {{ .tenant_name }}
@@ -13,12 +13,12 @@ sources:
       auth_url: {{ .auth_url }}
       auth_version: {{ .auth_version }}
       user_domain_name: {{ .user_domain_name }}
-    {{- else if eq .type "s3" }}
-      bucket: {{ .bucket }}
+    {{- else if eq $type "s3" }}
+      bucket_name: {{ .bucket | default "null" }}
       endpoint_url: {{ .endpoint_url }}
       access_key_id: {{ .access_key_id }}
       secret_access_key: {{ .secret_access_key }}
-      region: {{ .region }}
+      # region: {{ .region }}
     {{- end }}
     {{- end }}
 
@@ -37,7 +37,7 @@ backends:
       mapping:
         {{- range $product_type_name, $product_type := .Values.config.products.types }}
         {{ $product_type_name }}:
-          {{- range $level := list "Level_1" "Level_3" }}
+          {{- range $level := list "Level_1" "Level_3" "Level-2A" }}
           {{ $level }}:
             product_type_name: {{ $product_type_name | quote }}
             collections:
@@ -47,7 +47,7 @@ backends:
               {{- end }}
               {{- end }}
             coverages:
-              {{ toYaml $product_type.coverages }}
+              {{- toYaml $product_type.coverages | nindent 16 }}
             masks:
               {{- range $mask_name, $_ := $product_type.masks }}
               {{ $mask_name }}: {{ $mask_name }}
diff --git a/chart/templates/registrar-deployment.yaml b/chart/templates/registrar-deployment.yaml
index e12537f8..1e4b4374 100644
--- a/chart/templates/registrar-deployment.yaml
+++ b/chart/templates/registrar-deployment.yaml
@@ -31,22 +31,10 @@ spec:
         - name: {{ .Chart.Name }}-registrar
           image: "registry.gitlab.eox.at/esa/prism/vs/pvs_core:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
           resources:
             {{- toYaml .Values.registrar.resources | nindent 12 }}
           args:
-            - /run-httpd.sh
+            - /run-registrar.sh
           env:
             {{- range $key, $value := .Values.config.general }}
             - name: {{ $key }}
@@ -66,6 +54,12 @@ spec:
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
+            {{- range $key, $value := .Values.config.redis }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            - name: REDIS_HOST
+              value: {{ .Release.Name }}-redis-master
             - name: INIT_SCRIPTS
               value: /configure.sh /init-db.sh /initialized.sh
             - name: INSTALL_DIR
@@ -75,11 +69,14 @@ spec:
             - name: STARTUP_SCRIPTS
               value: /wait-initialized.sh
             - name: WAIT_SERVICES
-              value: {{ .Release.Name }}-database:{{ .Values.config.database.DB_PORT }}
+              value: {{ .Release.Name }}-database:{{ .Values.config.database.DB_PORT }} {{ .Release.Name }}-redis-master:{{ .Values.config.redis.REDIS_PORT }}
           volumeMounts:
             - mountPath: /init-db.sh
               name: init-db
               subPath: init-db.sh
+            - mountPath: /config.yaml
+              name: registrar-config
+              subPath: registrar-config.yaml
       {{- with .Values.registrar.affinity | default .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
@@ -91,3 +88,9 @@ spec:
                 path: init-db.sh
             name: {{ include "vs.fullname" . }}-init-db
           name: init-db
+        - configMap:
+            items:
+              - key: registrar-config.yaml
+                path: registrar-config.yaml
+            name: {{ include "vs.fullname" . }}-registrar-config
+          name: registrar-config
diff --git a/chart/templates/renderer-deployment.yaml b/chart/templates/renderer-deployment.yaml
index 33a17953..0bcb7cd0 100644
--- a/chart/templates/renderer-deployment.yaml
+++ b/chart/templates/renderer-deployment.yaml
@@ -43,6 +43,12 @@ spec:
             httpGet:
               path: /
               port: http
+          startupProbe:
+            httpGet:
+              path: /
+              port: http
+            failureThreshold: 30
+            periodSeconds: 10
           resources:
             {{- toYaml .Values.renderer.resources | nindent 12 }}
           args:
diff --git a/chart/values.yaml b/chart/values.yaml
index a784994f..51f042be 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -47,7 +47,6 @@ config:
       secret_access_key: "secret_access_key"
       region: "region"
   redis:
-    REDIS_HOST: redis
     REDIS_PORT: "6379"
     REDIS_PREPROCESS_QUEUE_KEY: preprocess_queue
     REDIS_QUEUE_KEY: seed_queue
@@ -287,6 +286,16 @@ database:
       echo "Enabling postgis"
       PGPASSWORD="$POSTGRES_POSTGRES_PASSWORD" psql -U postgres -d "${POSTGRES_DB}" -c "CREATE EXTENSION postgis;"
 
+redis:
+  usePassword: false
+  # persistence:
+  #   existingClaim: redis
+  # master:
+  #   persistence:
+  #     enabled: true
+  cluster:
+    enabled: false
+
 preprocessor:
   replicaCount: 1
   resources:
@@ -295,7 +304,7 @@ preprocessor:
       memory: 6Gi
     requests:
       cpu: 0.5
-      memory: 2Gi
+      memory: 0.5Gi
   affinity: {}
 
 registrar:
@@ -306,7 +315,7 @@ registrar:
       memory: 6Gi
     requests:
       cpu: 0.5
-      memory: 2Gi
+      memory: 0.5Gi
   affinity: {}
 
 renderer:
@@ -317,7 +326,7 @@ renderer:
       memory: 6Gi
     requests:
       cpu: 0.5
-      memory: 2Gi
+      memory: 0.5Gi
   affinity: {}
 
 client:
@@ -336,7 +345,7 @@ replicaCount: 1
 image:
   repository: registry.gitlab.eox.at/esa/prism/vs
   pullPolicy: IfNotPresent
-  tag: ""
+  tag: "registrar-modularization"
 
 imagePullSecrets: []
 nameOverride: ""
-- 
GitLab


From 02fc7e642060359af2c0fafc0198a8ccdaea2d2d Mon Sep 17 00:00:00 2001
From: Fabian Schindler <fabian.schindler.strauss@gmail.com>
Date: Tue, 10 Nov 2020 11:01:12 +0100
Subject: [PATCH 128/162] Fixing S3 endpoint URL in GDAL friendly format

---
 core/registrar/backend.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/core/registrar/backend.py b/core/registrar/backend.py
index d48e64d2..10fd8782 100644
--- a/core/registrar/backend.py
+++ b/core/registrar/backend.py
@@ -61,9 +61,15 @@ class EOxServerBackend(Backend):
                 'SECRET_ACCESS_KEY': source.secret_access_key,
             })
 
+            endpoint_url = source.endpoint_url
+            if endpoint_url.startswith('https://'):
+                endpoint_url = endpoint_url[len('https://'):]
+            elif endpoint_url.startswith('http://'):
+                endpoint_url = endpoint_url[len('http://'):]
+
             storage_auth, created_storage_auth = backends.StorageAuth.objects.get_or_create(
-                name=source.endpoint_url,
-                url=source.endpoint_url,
+                name=endpoint_url,
+                url=endpoint_url,
                 storage_auth_type='S3',
                 auth_parameters=params,
             )
-- 
GitLab


From 40bf5cfa50e362b87780c194d5ec3a49c3cce426 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 10 Nov 2020 12:35:09 +0100
Subject: [PATCH 129/162] operators guide additions

---
 .../operator-guide/configuration.rst          |  2 +-
 documentation/operator-guide/ingestion.rst    | 30 ++++++++++++++---
 documentation/operator-guide/management.rst   | 32 +++++++++++++++----
 3 files changed, 51 insertions(+), 13 deletions(-)

diff --git a/documentation/operator-guide/configuration.rst b/documentation/operator-guide/configuration.rst
index 27b245cd..72de645c 100644
--- a/documentation/operator-guide/configuration.rst
+++ b/documentation/operator-guide/configuration.rst
@@ -397,7 +397,7 @@ preprocessing
 
         force_north_up
 
-          TODO
+          Circumvents the naming of corner names and assumes a north-up orientation of the image.
 
         tps
 
diff --git a/documentation/operator-guide/ingestion.rst b/documentation/operator-guide/ingestion.rst
index 16be9b8c..8efdac75 100644
--- a/documentation/operator-guide/ingestion.rst
+++ b/documentation/operator-guide/ingestion.rst
@@ -162,12 +162,23 @@ it is passed as a command line argument, which is then processed normally.
 
 .. code-block:: bash
 
-    python3 /preprocessor.py \
-        --mode standard \
-        --replace \
-        --tar-object-path /data25/OA/PL00/1.0/00/urn:eop:DOVE:MULTISPECTRAL_4m:20180811_081455_1054_3be7/0001/PL00_DOV_MS_L3A_20180811T081455_20180811T081455_TOU_1234_3be7.DIMA.tar
+    preprocess \
+        --config-file /preprocessor_config.yml \
+        --validate \
+        --use-dir /tmp \
+        data25/OA/PL00/1.0/00/urn:eop:DOVE:MULTISPECTRAL_4m:20180811_081455_1054_3be7/0001/PL00_DOV_MS_L3A_20180811T081455_20180811T081455_TOU_1234_3be7.DIMA.tar
 
-In this mode, the item will not be placed in the resulting set
+In order to preprocess a ngEO Ingest Browse Report, an additonal ``--browse-report`` parameter needs to be added:
+
+.. code-block:: bash
+
+    preprocess \
+        --config-file /preprocessor_config.yml \
+        --browse-report \
+        --use-dir /tmp \
+        browse_report_test1.json
+
+In this "one-off" mode, the item will not be placed in the resulting set
 (``preprocessing_set``, ``preprocess-success_set``, and
 ``preprocess-failure_set``).
 
@@ -273,3 +284,12 @@ Deregistration
   .. code-block:: bash
 
     manage.py coverage deregister "${product_id}_coverage"
+    
+Preprocessing vs registration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The preprocessing step aims to ensure that cloud optimized GeoTIFF (COG) files are created in order to significantly speed up the viewing of large amount of data in lower zooms. There are several cases, where such preprocessing is not necessary or wanted.
+
+- If data are already in COGs and in favorable projection, which will be presented to the user for most of the times, direct registration should be used. This means, paths to individual products will be pushed directly to the register queues.
+
+- Also for cases, where preprocessing step would take too much time, direct registration allowing access to the metadata and catalog functions, while justifying slower rendering times can be preferred.
\ No newline at end of file
diff --git a/documentation/operator-guide/management.rst b/documentation/operator-guide/management.rst
index d453d28c..9ba0fec6 100644
--- a/documentation/operator-guide/management.rst
+++ b/documentation/operator-guide/management.rst
@@ -62,9 +62,9 @@ shutting down of the stack and new deployment.
 Inspecting reports
 ------------------
 
-Once registered, a xml report containes wcs and wms getcapabilities of the registered product is generated and can be accessed by connecting to the `SFTP` image
+Once registered, a xml report containing wcs and wms getcapabilities of the registered product is generated and can be accessed by connecting to the `SFTP` image
 via the sftp protocol.
-In order to log into the logging folders through port 2222 on the hosting ip (e.g. localhost if you are running the dev stack ) The following command can be used:
+In order to log into the logging folders through port 2222 on the hosting ip (e.g. localhost if you are running the dev stack) The following command can be used:
 
 .. code-block:: bash
 
@@ -74,8 +74,8 @@ this will direct the user into `/home/<username>/data` directory which contains
 
 .. Note::  The mounted directory that the user is directed into is *`/home/user`*, where `user` is the username, hence when changing the username in the `.conf` file, the `sftp` mounted volumes path in `docker-compose.<collection>.yml` must be changed respectively.
 
-Inspecting logs
----------------
+Inspecting logs in development
+------------------------------
 
 All service components are running inside docker containers and it is therefore possible to inspect the logs for anomalies via standard docker logs calls redirected for example to less command to allow paging through them.
 
@@ -95,8 +95,24 @@ It is possible to show logs of all containers belonging to a service from a mast
 
     docker service logs <stack-name>_<service-name> -t 2>&1 | sort -k 1 2>&1 | tail -n <number-of-last-lines> 2>&1 | less
 
-The docker service logs is intended as a quick way to view the latest log entries of all tasks of a service, but should not be used as a main way to collect these logs. For that it would be appropriate to use a logging driver, and extract the logs from the nodes to a central log aggregator.
-The docker service logs is intended as a quick way to view the latest log entries of all tasks of a service, but should not be used as a main way to collect these logs. For that it would be appropriate to use a logging driver, and extract the logs from the nodes to a central log aggregator.
+The docker service logs is intended as a quick way to view the latest log entries of all tasks of a service, but should not be used as a main way to collect these logs. For that, on production setup, an additional EFK (Elasticsearch, Fluentd, Kibana) stack is deployed.
+
+Inspecting logs in production
+-----------------------------
+
+Fluentd is configured as main logging driver of the Docker daemon on Virtual machine level. Therefore for other services to run, Fluentd service must be running too. To access the logs, interactive and multi-purpose Kibana interface is available and exposed externally by traefik.
+
+For simple listing of the filtered time-sorted logs as an equivalent to `docker service logs` command, a basic ``Discover`` app can be used. The main panel to interact with the logs is the ``Search`` bar, allowing filtered field-data and free-text searches, modyfing time range etc. The individual log results will then appear in the ``Document table`` panel in the bottom of the page.
+
+For specific help, please consult  `Kibana official documentation <https://www.elastic.co/guide/en/kibana/current/discover.html>`_ 
+
+Kibana discover image here.
+
+Kibana also allows to aggregate log data based on a search query in two modes of operation: 
+
+- ``Bucketing``, 
+
+- ``Metrics``, keeping track of computed metrics over a set of documents (buckets).
 
 Increasing logging level
 ------------------------
@@ -112,7 +128,9 @@ A restart of respective service for the change to be applied is also necessary.
     cd ${INSTALL_DIR}/pvs_instance
     sed -i 's/DEBUG = False/DEBUG = True/g' settings.py
 
-In order to increase logging level of registrar and preprocessor services to `debug`, the respective Python scripts need to be run with an optional parameter **-v 4**.
+In order to increase logging level of registrar and preprocessor services to `DEBUG`, the respective Python commands need to be run with an optional parameter **--debug**.
+
+Ingestor service by default logs its messages in DEBUG mode.
 
 The cache services internally uses a Mapcache software, which usually incorporates an Apache 2 HTTP Server. Due to that, logging level is shared throughout the whole service and is based on Apache `.conf` file, which is stored in $APACHE_CONF environment variable. To change the logging level, edit this file, by setting a **LogLevel debug** and then gracefully restart the Apache component (this way, the cache service itself will not restart and renew default configuration). 
 
-- 
GitLab


From 0104046a50a35f551ec4278012d27685cc163279 Mon Sep 17 00:00:00 2001
From: baloola <baloola-mu@hotmail.com>
Date: Tue, 10 Nov 2020 12:39:59 +0100
Subject: [PATCH 130/162] fixing typo

---
 documentation/operator-guide/configuration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/documentation/operator-guide/configuration.rst b/documentation/operator-guide/configuration.rst
index 27b245cd..cc97e4a9 100644
--- a/documentation/operator-guide/configuration.rst
+++ b/documentation/operator-guide/configuration.rst
@@ -494,7 +494,7 @@ preprocessing
     defaults.
 
 Sensitive variables
-===================
+-------------------
 
 Since environment variables include credentials that are considered sensitive,
 avoiding their exposure inside ``.env`` files would be the right practice.
-- 
GitLab


From 65a4330bcb56ae8d650c266007d68606246090c4 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Tue, 10 Nov 2020 13:12:17 +0100
Subject: [PATCH 131/162] add some info + images on kibana op guide

---
 .../operator-guide/images/kibana_1.png        | Bin 0 -> 33557 bytes
 .../operator-guide/images/kibana_2.png        | Bin 0 -> 265421 bytes
 documentation/operator-guide/management.rst   |  21 +++++++++++++-----
 3 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 documentation/operator-guide/images/kibana_1.png
 create mode 100644 documentation/operator-guide/images/kibana_2.png

diff --git a/documentation/operator-guide/images/kibana_1.png b/documentation/operator-guide/images/kibana_1.png
new file mode 100644
index 0000000000000000000000000000000000000000..40efe5567ff541250adc10f91d1a23a1c96223b0
GIT binary patch
literal 33557
zcmbrlV{~Or)Ggdmr{j)o+wLSC+qOEkZQJPBww;bnY};1HJjp%%yzl+S{r~;gW1Lfa
z?^RX1s#eW8Ypn<cIdKG79M~^kz92|Sh$wye0%i=l`oDbzmGA_XRe=83S_lg(SQvxK
zsS;cgx}}8_u>gLShGnw~K_WpxqCtUZBF3vTB*doiiv`QIf8xfwr6jCo=DxFu(EA_&
zp_{)}LkTKCA|n8yeCUZ=pUMn^bH>}R<BqeA53`Q_`IKfNP36Bu7DpmyBE6-e(()hU
z+UmI5@5ow~@Z-jao$&M!)|Gn_s&sc;pL1=TMwbUv%eza>$3*^(w*OUFK)Z!ZFn2rJ
z^tayrPdo(dHWlCEf%;H8g&z&aUOjhRWlqlqp&ZbV-VQBfI0QH(q-vEdzB!mgO;0a{
zpUNF58ST;kETL$U4UQhDB%P>freC(JokvF?`@zEw?{F{@#YtqT+F@E`Dmp!)o>$`d
znOpihJImblDLDUWsDWRsuO0e9cl?#RzUq~lD`&T2;W3T8^ptVdZ9U`j+t-$zy^iYQ
z$6ZI<E_u&62@bL_87~gF>*JYR|2|&(YK}(BYNy9<H?kfD+FV@0%&P)*k8qLGW(y*v
z>JFd*fU%d*bo%lI4&~nkHn-{f{^bkN7fBI875A)*Y-n$^A<SVvxAuE*;`}GMlWw>8
zEp&?ll1NypK>sqL$h~bunu72ZIM{D<f}SZ`UT}Q*A>Zf5flrgBPC(mhM{4`)akEtp
zUf#|$;N?1}ohh3q4A<V7s==f6&T(!)85I%z<SsGdtYyHCL7t8FP7J5NSj?9ginkXQ
z_<<k(<`<C;Qm}uYw*NpAei@F{#56=vU}XHWj{Els+S~h!zCJfSer__E{ORdWvCzXC
zvN6%fFF{|y_5onUQtdalSfPdl@YYcdMg?^JtfpU{t|0)U68@6j1O30ETAa-Cj6^jh
zgoXV7{L~EJ-}7H@4QMnAn9MwksInege{V|GPoijm(yLTM)MFW7lKB|uz!DdSFa~^y
z!W=KKgxBn5w*sFQKx(o>N~VW9aXy>EK!vzi0rURktMlcvzs@PAN=nh`=J|V=*6<c+
zhy@U?L)&*c_BYFgYO!H;k&dSgtlCyA^ry^)gvD?MR+X1Gq{yUlMzCs*X_6;aUELlA
za69?O;_C`P4=_zY1eaqa@fOGv8tjWHe==we#PP$*WKzI2bmrXwZ=jh>VD0xq`=lrY
z8FX=;FFEr}q@S|m46!J33nsNl+y>vSA+%f4VI2a%|2*IP>GHTjHzJ|>=6=P!Q=01!
ziw-}FMmCnl2*KD5nI&+&<plcp2g1LYDQ@15aCh#eO)vw&RcB;#5xX8Rc8=4Wit}K9
zHUy69Thon*$Bw8ud3#S~XM!ptB#OG(>i$ES`vnFjln)L0<|y+|6yw;gB{zbo(nK~~
zGOgK)*sgsP23W2S1tTkHgp17Y9UMG=+(6b@|L)@xoJAf88&73<iE>JMxeG`jJsg39
zg8i-CfmWu@=r*1xuj$MSYp2f>R_Jz}?mOBRs1}rAD9Y3*#O_S>{U`^V1%96m2N($D
z`2*P0hyK$x&~)<G4cvH8SP}^rg?wtYp{O}kqVWpT&Ux)(*sMv~%BR2dw!~fIZHFCL
zo;haTfwGc^kYg#l8WFLt^(W#>jslf|t2TWiZ@6CnT-tC4z(yk;n<8%JWW9Ac>I8;7
zF<*grr?%H05&yPE1<h}xnYPZUG+$?T_fLiD&w)^GzmNGOf86z|>$_VpOFtOMrI8m$
zjeNj|4VUjz3mxD}1ZDpWYQVmVU%Zw{MlWxuM)zwUsdS~6Tb^uY7d?9OUZEHz7+9!{
zTao<jbx)&pdm6(14YfqZJ<?w1lvsbAeqJv!bXKmdc6h`++Rk6;x%Zs)v0eD#>y2bT
zN;lF&j~^TW2cA$vN62c)Vtmb9<Kd$m+CKz*Uf>VsxcmdB%AP~8J8SIqo(B`n*104O
zdniSO9W<#AiVic|@?UN3+`NfkZWjp~eSFhuh=p@m@o5xu<X&?(Z*ZC5NekKQBdG`J
zdQ}n?ONCJ>Gt`Kb2EJR0U49*bUCQk>X^_=kf|gLTxDl&$kmd%h#BV_`G6hf1`*Qdj
zbrzl0+1}TFxR;c9X~Lt4j;J<)bge10#03Hk5hW5#_W}GfgX2DS=2mH6t_an01s$zh
z#&>>a^+#`!GIJWi#`?`HIWPBMpRic+op}S1_^XahbGZf%oZyXg3Pi3{V!0t64wjnA
zH(=xF+%q085_nn0D8!BC6?aO_6lh)%Sw@5qll8>v$2SyCewaR4pGFy}9z{BT3c*2C
zdxDX6KnQwhv4k345JfS+z?H9$84YFetmK=VBbL=hhrp3bvuWz}dZ2PSfK%yC9@6D*
zW`=ttH2A6D?nL$EoBVawB)tDilh2>TGUX$BK*P`OAD5GQH0QYB(C)HNI|pa|$a>2W
zYIuw9*!)9v<!~9%qr*8t98xh4c6cC6cj~H=m0D9s<`>yX{fQ-x=auA7>i{{&lMGUt
z-oS@bd0|!?Mm-IJQ%6n5*e`jW>>ifeNYCzU_FnXLyRLee6Owxlt}mtThCdnE>^5Pt
zzjg&8Es2t7u6Emf<>ADSj8kVA3?8PIMY{LAl+Wt$1^1J~3T3F~EtKqKe%|&IbAcFD
zue)kop6%5(OX!&{ldpf4QPR`F8%Q_!zW=_K&+9^=(pGocVpX%e7ssDu?GsisJzfa(
zr%C#vj~l}yQAWDe@20+<x34qGBQG_ag+J@=vx%NIo<xgg3AvC`WAilH#UP2H_v*e8
z*%`-GNKL_j4d|7-zqN3`>W*pCJ%{N6UXj7qqD2)a4I9p-W@=ing#+eZpcUK}GSfM_
zIFva2f{+IUhGIhpm>xEf-9_AB{kq=hT}u^2U4FFm+|f`}$^R@orr4i%(-)%L^mBhp
zajU<LeG{U<2B81qgi_r~vEM`GOTw%Dqs(;0`&(#32W`Le*LO+{zY_|TTQL!L6oOtQ
zNWvwp;M>tK8SNbtjz@PNGcfPEz9!0cBv+ALKm5Bpd&R9pB53fm>th$ehQFKdFdY&}
z<N?3$l%IXB^foLxF#Ke%z;1YKl~FUSgqa>X7v0Mr6jVlJH1AeNvF6tF*Yr`Am#_Mo
z0ypdJe_A=nY<hLp-vY<Eh$C$Fqg|d2t!UP~-@zz29x#VFDv#qvdhGV!=v!y1<qgO8
zm}D4;qnIB?FcRHlz43*r!AEPWgLf4nzGLF}p(V3X7x-h!4Q9CV+*^?fJVR{?1_eQj
zI$c01s?YFuVQo>}QS<CX-$(T7u?1cAvSGs^=`>GpQTMtTk#&b$4UX$$zXV5rg<!IB
zSH^nsPIR>dqww*S&}(;tDlND#<7gv*N6~~tI7<t;?nmWf)a+=$g3h;3?`sx$d4Yry
zda-)Exe2J{cWTN|rnIMF|2kUh9OR+uGBb2O_elqk*)lBq!)kk3lBiSuhqO%I1Pa9v
zM|*lG)xB`c!}y*!$UX5p<*Vp^L}8fBoJ|`#c}WJ;08`@zoJK3VBFdij(dy{);T=;I
zua|$2<e$45b<d8>q8&?fz22HrF`(Fib*oDGjCA1EOQGA14)#2QVRul}(aCRY0CMO@
zbal)|mOhgma(WJ8Oq8x=Y{dns4$A$Z?{mUW;=$?cAHP_Evz@K8HwS{z<_7DQ84DZj
zRLNPCU|haRIUMf@GU-skF5qhdKeNAtBnvGX;bgsEe}O01!(D0pBuN|>%L|NytNvc8
zCJf~R&#;9k((Y(-P~L`-FwC%*8ag18-X*HWjbglib9IaR6yu%!Tdj*97yr;(Wm#Va
zD33qbPlcXhCmErU>j>dQSn0nVJ8Urj;-y&=F?<$sEa2xb#=MgPbL(i%owxX%d+Ir0
zF0%sbT}PPC=NdQqoeFH49Y%a&P5<vpgh7*Et#oSd3bmB;V4WHqli`tedLj$f=2+40
z#CtCDT^^y{a}CrP+E{?;5qu$vW^}oUwsqBfihH|SfZKU$xppAU{l<)DEDiD0K^EBv
z=@_AKC5r<U@&;NfN+b~lGya1#*Y(z@B2FA6N6f^zQd>v?-&VhlcaXgA3%VVnypY1p
z*~!C}O7!JPg&ijveu-abT+b`4lke-d%BvG(tzu*`UoMPkwW)xqG%NrN+d_@(;7yGt
z>67sVWIF}G<qXRxN-|hHb}%7LU%Yy3O57i-aJ5UvWzEGUllW>4OD8HR)AY^#WoPwk
zW}}PmnfdUl)l3x-_wOVzDknG8s~k{;(yjO%en3OKB|0h5ztJokV;?l#3dIN(1mgo)
z9GiImCNc=<W_y+R8hra0K{FyD=YwiRjU}cdvU_DW#X8y*`rs%WtHbBLZKL8?X_0l!
zr&5q{MtJ(RQ#41z7nf*mR+PoDibkLi9g=Q{)e2gSqDt1AmM5RY0`;EF7VT6MF=7d>
z5UA3rY1PKi(Nuak{CdRS9uo@H$1$sdwvYunis9u77u%YHfOJ&y*{yGPCRk$VU&%Wh
zp;mggE!0J0g~01gqKGeIb<h?oMr|YEI4=k*0~I8_9~Z4+ze2mNIIB0oF-CHuo4~o7
zZ+2Y|w0Y+DbF*F~I>%Y8kb}0CufpgoA#wDYiD9Dk{Q(f6J<%{IL}y$hF{BCcjL&lO
zi0LXdusi3u&3p=L{H<E})@8FJHph<8^J8j>n^J7;141P~Snl2mj6@#qjIjXZ@D*Z6
z2L+;kXluU=MI9R^u;jNLGxo$oQ>x}2bzQD^0#$wyf7V)~GatGUAkc<}JY?=yN12hs
zaf@}xQ?HIIR3a~Nz%a+bPcnIgA@cM8lsba&d13iG&UkAt?t#!QW6ox7j44_u){xmh
zKrC1iVVE8UO+S{*T$MmIoeihco8v~V^!#eoULOV?6Y+G>_)^h`8)}H<mOnJkI6i<&
zt<&~J=67Oi0y^6XRm_#4H9DsqqVsvGn~4!t=%`>52<PTSCe$W-5BmY3-rt?Jl21Ss
z<ldZ!f2%I0;|Y&Fvf2nl6||ZP7>yf(As`U6%cI7gwxJ)dCO79cdJwvvN$g*nh?V?F
zs5;!BJ6tC>8<;={nZ(gt`}5<^PG1SJF(xCpJU=zk$8TJPq>IrcdfH185`T;NgH$*8
z0VX8s1}x=c-uY69hx2i8iFgywTe6wX){Va;lo7FCLlL2lCRs1Xk^nuVaNQuR!6yKs
z8w7>3=P_D{@!CdzzU*|(V%d>RkxPT;dV~LXOn=k%&E|&qaR(2An-{feM6ILib`ZwH
zS~*VB1Ug$in8i^c6};lpIVHB~?|+u{NrBDFJI&72Gc7iHX#n!JWsXn>!V=k491cj+
z$wXjF8pG%kv+ROO2F+_KW18;Q!*R3E2{f@M;FF`TqGCz)sQI@tW@91}zN(1cUxH~l
ztm43SDj~Ao2nR=&t`W}MT;2yWEQ;kiYjv5)nBJGKSONrGz8ge|WO%)wh}J7aZ;82{
zuw^={9@5+tVzEolkJ>vYio!vtP-k2@RlAZ&L^wqn#(N@J=Q9xK(qXtQ-5)%47D;%N
zx{W0kukSMj@gVYqm}(?r3xo2@QT7Lr&Hg05&*vw))pE@!LlmJOBo5n`uL$6;_w{xj
zN`8X};Q8{7w*pDH!6GXwI3;&;5~OIWg0^sWynNxRW&Xj=0;eVh_YruhtI27>Z5GPI
z>T(IVXp#j0qY_MHRi@A|T<^2TJYW7YLepE1N=ZAov7nN__QMvJg3SAzcHp8>T3hNJ
zErTL?63D|Z@#yj|XtX6)9VgeJJ)ULnI$+~WuJwFNGSym+`sfhQW1DI?0^auubHXi-
z#dKMRW1~Lst=80Vcc}6sABW-u33tS^B`yu2)I33heH!7T;I<nYwvn<|-@Syg@XI#r
zy2*RZC5X&}Q7!dkmn~v8I|Do)4$dj-3!2WCM)jeJtD?Qc85t}aWKSiZX;i`0s=kvZ
zh2I0}=UejLgcx~vFjL|nv+2Al3{-i)(W-jRy_}32_d~u|1$lPRs(gEXHs(fXx8-q7
zHf}4gI`CZU+4S^XD0NPvaLnTDW)c<-*d564CN#^q%Jn<Aqj5MRTWgXVRuuh<(3tb+
z`z*L6|FnQ-vJKF|3CJ?M#llzZUlBtYr6we5)5SyszAHax^Ml1WjQ>DEY_Kn1WswC0
z%D%BZzHJo?iYiB?{G8Yia`2i_D8fu8xOGyjfV0ziWO+&=k|dha?Fk8HqFp9SDZCgl
z``+M7f5mAPv4T1LE!QSrz&9Z7zM$>nb-j)KqP^<iLmaVS?+^dX+w1NTEoy>J3m*8>
zrJ#AOo&>ED8ozpNM%MQAy`+kFRj2c$)&?Fs#wa>1>CTLAFyAYcl2meFZSu#;s@2H1
zc>0^ane{}+qal^84%<|@DA!#Pb=$ro-a&xy>>mi&A7I~B+YpJ9C`nDXiFID=O9tMQ
zF80{bQl~IKH}3vM#)wX=EQ<`vtW0kYnC*$^jQ&maosLV;XhhuGdik<7yR7KG#W`}a
zhEB<OEhwg7ucntDg_*Z-z8|mDz;@O3gP?q_85)nrUq}EL9J%hgbCSqDV-_lc(PfWN
zeA>mzA9mf|*v5JyS%g6!x<jA&ox}%yXfsOupfwaAVwkY3AS6ZT@qx29@qsA&n9}gX
zImUzp-C=pC>dd9=z%<he&GPY#zvgk5$L%Ba(WJT;fIbnjobf&Br!-P+kBY^K*S-Ja
z%dujaB|DlU5C>8(;MUB36(uCE)loKMu`)j?n5)oC{+U4|m?W~+Yh!$dvnp<{kze##
znsFqxEchx!K3`H+^mWOGY9Y_il!3IU$z_-I$fVxX`??Fz`^`oPWp2stXa15+LyK9H
zHSG58boe2SNt9_b$wKHT{$d(~DOK%JZ}trEk(A{tLg2J~Z(iN4Bd)+#Y(|hk$Ei>1
z-p_S{%iiM02s;u;7*CgCHcb$0*71!k=uKLmX;IN~PJ_BPZTE8(o+>-kRD}k**1=fO
zW|`vGkIWaP4j<etLb;$GEl4(ASCWa5;-uMp`u9-2knm>dcxKBcZ`lyINROS-eF<K7
zto(Z@A(`Z{jbhY5&MNU>4j9kVAyaQ8DRhM9=gEdg^u`Y_78%!e0-t#s4~vHV*a;C}
zeB0cyHQ<hs$Y#^C=<}7AC5PavPx07oDH{y#5KSg#_!8?-ns=z@DJo~7ms^oENjyUY
z>Ewf|Qz<6L<#lhQ2S8g{mKGnROED)@{kj}Ozimm!GUu@N?-7PRX$;n&Fn(@q!0pF6
zwG!;K#=e)$5V9j1BmwRa-yU~luuQ#(@tdx7Vmz_zo4i2%WJGWN740!Js9ssCg#J2l
z12Iq8W16TY&j2^}*<|QWeHqy6&+8U{^NNen^AJre9K0^vX<2;e5yl76O)^NLjKI?2
zl9o1|(<m{`<RPeF@Fg$^e3L~{Z*_9|MQ=?qnLJ93O)-^@ax#H*1}}x;%=d20#JtRi
zj$8CwPLBc=kx$84xmnvSdY;{e1WFJ~gZ(i}hSTwo#{;{S=7ln(x-j!JTU-~BU9GK2
zG_Pm5N)7nr7GG!=qb{00n5Wf%;H>)3X3H57Zr5IOxf~Reg`Oup)4pUzIG@yB4eyjP
z5&ibWLqMH9cR|SeAi!dPg%+j|;c!8rkT8Ss9Zv83gPkU6tIm7O+4|>8R|@^Kwg^Ar
zW*8n8TclwYV0j&Gi(5h9up;H+H6Gi!|F8YYdNZmrhKgiKxD7#gjqC}zpjub6q7ba9
zR)<ttwv;ID5U=)tcW2|Nji3+}(80V$`zhg!*9DwL3t2;3Bg!CeJGdqDvrpr#nk7UN
z)k)n|`gdAs!o4E`jG~`j=&1Ow6V|+0%Z)vwy3od#4!ie)D!k3yVr?pQ3@$e{47o;m
z+sTwlqng@yZY}2$dDJvU&FOQaqS1;i#n+LjvoVR|URMMQxX;u#yD2N0k;$3)QrVy$
zQR%1ST#FQi;=1<cD(0*43`0kM=TZ9wvtK{YuhfQqbJ5-q7}uOwjUWg%(W+@&%vWhJ
zl#V(Z#@l65(1%=MBfW`OxB;OjMOhsX5JL1CG@8*0Oejb)jK%Z0ePwj9&lfSTzR?dE
zA47<EkTtakeKutJMac9vtd7UbSg&W09{<7$xp!WL%p)KkiFA1q;Y!*v9@J1VeR&al
z1CW`I2u+D}dUH1kd_wwM^2{h3V+wgHo66*XZ*;?L?gTUl=y(QMK3)f5vIo~2HAhDF
z1w)>E{lV~-bqdYzh^4oHn<GW5u2K;a(r0x6S_XC;o4+$)FB8dU@c0k*@a=P=dwfKT
ziykXAXM6>w**rsQ?1o)SY0&7)wAD3+wJh1oy9SHAn{%gwL-(V8<538|dda0l6Qb<H
z-;FSF3VNKYBH~>z8_A@EpEmXeQ1IY%bhzYMEn{?qBJ3>IBHa%~5(7K0W!^Ker{To`
zZR+`&jbA%p4|nkKzUd|bW?F6F_}FckQCFe^AVU1DTC78B9Le3Gp?<3O65P+Vv+%fa
zJX>BWwlU55<|1{+Avxo(3#&JNb>{07Uaq3<lEw&A{}j(}|Na}oZTRb)G&S%zHzefZ
z;r-hQO=?(;mD$N!OF)ed_Q_gPsOz}t@XLxn3Bw6_Ikywe7P6|SZ^x}kKJW<lS9I<U
z0L~CgdX9`(Z7^MdHlrqw!cJDovSU-l;uPCxY-EP_5@J-g>r?OB<!F+Gk0lmM^gzYL
zOb!>~HI!f9`3dp~1Vn;jCx=ofLRe4U1Hn$$NXKTQ_H)L3CcC)jfY`SReeG|HKtAZI
zquTWc!tc0I&Z8AY)OE6O=C+%Iz<o3L7b%ak58bGRKH+%9siu8$*$qB->7|b48)Fis
zAQF6*G4-EX%eH&(u`~nDxSW5ijuDIC{SZAH%V2T|$>2C28I<%q7VonXRj*m^Sbr^4
zMJ(v~$gn1V7<7MTA=LuC^7&|Wh5enkrBZ~n!eS+?=H+bF<dzvymc2%eiXKiPoKK|(
z4tl8GJRih597Lk-#icyXKXf4`Cviv0RB=Zc<3b+C$WMwe4bT1vj+Fh;En|r#CZ4xs
zpYgC5Itb64Th>tU&kZk|Id#Uk3d#DT*W)^rF2cpGYJ#eR6fnqLCyHA1cp5gC>*ti7
zGe}#e$XC>S?H?@qc_0LX9eVTl=twofX}2Y0;9vXQm~pgiPD!KucYYFTfi<msXR)mG
zIJUqTgrF4cdr22Hovzjr*`RQ%FaCQNBF2)=*mDF%*t4v!uExf~w_rNi?0XnOCU^gD
zPtrL|)JP10hCfi**T^&TwNN=j+T%DWbue3Qo2;-Y$s|dVYqL?gC6rKvA~6zatD|36
zW-zJ3i{wqir_G#%`r$^hiLgtNV8w1f`9;R&rw=S|umMR4WawbN934B8WHcEYXuq(}
z^X5H9kr5J2tS40ya4{M-^9<t9jrymN958EPw<}Y%rX>rq6zfsu&KCms7d+*09F7@B
zPs=kEM{!c;mqYYUw~`Fgbp&Hvi_hmns*9uZiPsexkVS>cgS(Ic>zg4CA0&2OsSZX;
z73*>nOz=sW&u^=CXWr~*UjyHPJ4qJU<NU_+T!#G_UpkeOQ@VaoG{t~GK9;OlNgNg+
z-=-wB?xmsIW|cg*Mb{KW;WX!158^lBB{eL5lh7n{8(x(#wT4#PI6;vUVi<=S{zyDn
zU^_`v4#7I_k_cvHq5V78D6~Q61vSN;CK?-lvmKRYu%y0ia9@TwQ)@>!4E>M2vGnlk
z{e774)25Wy)6+6U*M4L+JWCv*7Idwge*OTudq2;XYP4I@`+i<hGMBonT`_z`@PNJU
zc@l`ae0#+I`4+1?m<4JyGMYpFb2NH;F+WZ8ehh-|uQ#J}M8bykK`t5|9Ao`#BG`w`
z)<(rDbH#sF<leAB{2Y#~OUQ`TCH0k4Ew%bd-B7dLOvV*zmEOqv@xtQ=rx96)^Hs29
zZ4BqC_<2+IqcTXtPk;ZS3BblK!KgEF7QKRTZ1DkDExkuE_P%}vZ3&{;9nIAx9!>g$
zDisP~wb7aWX=2^}Q`v;0R~D)c_an^SZ<{}|xV<p?`iM`KidjPu@kzXep^*pxZ8xaQ
z7JKgRFUR0I-M$F2IPCo=X<|k#&U~MjTS5IH12<#oX^Oo$`SY2omCJk6FMh;lVr*l{
zG%=J#?^>;v3AD=tOwn)O72)sYo1U4hQP-PsP?;ZDPW`v$;;a*D;rI`%wE={_@6<h+
zyz3?3X=i+;#7`TgwJd3jjE!YWo`WHi*f1G&`=6I7`lQc8mMLXLY6&*~j@$L_uiN#q
zN<JM2hPa=dQZnC15U+IjK#TnlfL$c1FdW0JjRJnY?G#ouRjPkR$@6Ci98G2#-e%So
zicR9Uzh%2Q>=;}<Fi$W=XO7HCS7Y4_kW8&e$kWs7#pu$mpu?@w&!P=YbXZK-@`%Tq
z&;5!Ef%^!Ji$mJ-@PZYB4gON?uibiWFgj<_&!gsU^!E?l_~W+AIkHwB(bpdz=^DML
zPSClN??M^Fc?#xKzPSQ~K5zGcaO8oZk5u}M{rC1ejUI3Ev&Cv-&2OL~r^o(RdvG<|
zJrNwXr}kt%zWN!rF|k0r1K{Co0RR#a@E_u7_tx9*8kVMWc*81EXvc-JB=<uR>YY~|
zMa0BRZQvO3a+)vBkHhkIhz2}O&Hj##QcK9l^rz6OJ3O4R)4dEc(V+m-kryjEF4sV-
zhMeUsH+~bH>1=2GM;q2}EgR|)sa%W}d$D*z31$W=&2j{sg~m*P7PO~l49j5G-LZ;q
z_($A>@UdJ8znwlIG^smi<qFKw_!<qd=ck0BH7?ywg%Wj+hrQ1{$||-CL1iUY9eRmD
zL|$!n>ffK}r;0_oCi;KzLu1sF(HK4)PaDq|8IzM}zysufrf<w1Wr<&8r%=xLTgc!V
zR^n*Gb)@&w38}zM*{{A5GD_pK1-E*WbB_1Nb;5qp*-mvNNZfXkEW@2YU@P@^0u%4v
z7_QczNKU=kVQ!^<AX#s!z5O1vj@bZ4R@M(^F+PJ#s745MLfbM<O|coU-OzKg`JuOo
z4{xJkgyAzBk>PnWE&0M<GgY>@rKhiSMX@IOL;Q>v&)BJSikJXhY&g0d2XbWu158&U
zu3xpUQzqF`7KLNxuyl|gbunC}lQuu1%VBOqUCzR++&K6^bDoy#Y?_PZmgODjlYjRZ
z7}tu_q=#e9u7!*!-654UIzlM6zaL=(2(+1lZm?l)Ip&>eG0`b?r6;bNDsn?Nn@U>$
z3kOo2=+HjvSo*`h9;LXJ6#8JTcWJIypVio$ujrW&#NGEXO$bMjjz7P@NcXcm-W2Pt
zn+KbZvXm$m7-HQ7iKy1crbr@B&?!!C81OeVHDcTfYX=N7!S9DxjqzlnTc`RcYK)Z4
z%_@X?{H%6D#-Ibh54e+Q#_&bc+$NjOgiZy?46Iut4j0uoO!l=;8Zw(=0gRdNwPidj
zTr%hE<o|Ch096Tq*bbv?+Z_Ere~U`{@wHuh5<aQT_%8Sna&^PA#epQr8|@;perw2`
z8|1CJ2C*+2md2*^qIeteOU^kq(PN=jYp|3j@Ii;!L7_O84K_ojYHO=7@{QX0$0V-O
zRrB>&tnha``C6T9sTlPekXm}2A`%)>HL_N#qhmjy-i$7aLt0zYHqN`1SO1+)GZb_Z
zNLETTN_66tEMsK|X@?dgpV{bX@7h}4Dv#~dK@sRCXTTX_g?jAN@%(Lcfa4LS{b5yo
zT=nE&T?i)!T{i|gF77k8?m&+Y({tPiF@3By{;zW=F)?EJp#Y+hjhybgvIqP|P`maM
zG^_;8>NlwZ_+(vv;b$IMZ1R}?&&Rsb*{Ua6Z*|ngMqb1E&j8N3SS9=UV%aAwZ`&E~
ze~*zebA+bMaCoJ-h89{IPwVbV3~EM$FocE-?HL`e9~Dp~o$#=%y@@9+!~)Qfgjt}1
zH^>BkXP?h{_H*7D3<KPn2awHE74u}sc%`9U?ajRS``__7T^7F&L5t@vRIGMdHVhKF
zrz=zLjxhW_7bZ38PHL>s8}o^wrC0OWDN!k|Gt+s0VyGzQ0Vaaj-<|#Low~Kb#n)WC
zb^p4z`b|*vxTemx4R}exy$<7K{I75O%<$d6IwqNG9!w{UcbMS^xcW1`b*_llt6HCM
z{xbxRmfyTzQx{>gUB3w?GimVeCDMAzCLF7`O$&VOgTnvjlT*DpcUV?q>|~<$A0v=A
z9^M<_aXsWx|93N#xxeCC!-B`Gb%5|K$50&Mr^dg}Vt%37u4VOhX>RMPgZ^*MGMQ>L
z##Wa)AbN2({A=%TF055h_vtA?6!7I=$-v5BD7_Wy#N@*V&3`5&qQxIZwA7uVd6{_x
z{xvol0d2dUw|@h#88pNHP4m%ImkS}45Watp8*W72@wF$o|2Nk8=2Z+@ggOg7l|uB7
zuU!8IFw_CXNj-$O0A$-KeFy|6)>~{mbm2n{tBf{zrr;XL0n0V|;_bI7G9_X$nR`Q+
z;`?*O<5x7sv2%5b%8FM&Xv8+YYh_A#!;7{Xch8kZ30YYeuaBC!7F}qE$@Lby>GJ|6
znVvr#R{h?ad^NDzZIdiDD(xsVYE*HZZpQVN50>zFY>+oMH&<g@^lUauB*VeWI40vM
z!cSMaH}}f&{p;(z>Qkdk(T%^9jj}I}SJZfPAEgWpUgrFEj*p|x6%|jGswr!9J3|*i
zyZEg5TgN#X5}va_PsW3Z9%hgsR&%)CAwDIsgbF*3m(W!kCg;9#`=*&rmj?4fxw1B$
zeis(?QA9*UI>#m7ZhskuB81Nye`vL~EU;|d?IJ$-&7r>6Hwch^|BBl`22!Ml!;kev
zs@EPA8r5{`@vuD<FL=Ekv+CT}n{47t#?|sf$2mwQ)9d%`KR<jDLSv&MBQeH-uMfi~
zX?iVGZ*zXB5#DRf=jqKcItWeGN{5ydhxuu-dl~sAfxdV&yf)gczCLR06)M#=XFREN
zFXBa|Z^A{TrJ$Xk$7p@qj}dttgHD5N2^zsuXt7&XPOdMRT6yS2tJyZ{a9q9OjToCE
z?Bwpmph}}1V8|mSY~cj!RIYMdVUM^tZ0`6o+Stg*{{7jZUZ+h0nb~i5Nb&h2j1XC?
z?7LR0Z44@<{NAbIfWyv?V7=e<RyP*Uy~V|PFQICsT2O8+<I(gdT%q`QAhy#J!>a)Q
z7pvuuC>-{RLfdQ}BafLp;x;!%hVzY9+fBei>ozhYBucqoD&5e;Z~br|-A-4GRGQfa
zQ8+g9nLh;=_&hC`77QX{d$)(QM(e2)W36iR+64xE;F=bvcnGX_D;*w{>4dzV@NQQd
zg7)@IAUI~?VTY$9-e@{`;9c~VmY5irG#B;L;o)MnQG5c)bgS`*KBK&&b-uJWPTv<O
zyAc-%CCuzGhPKh=A-x$l%EbL=fm44Vdb+oPcBCn8PGN0Bu)31uxC>y5x(@~cT_`@y
zZ@yYVZ@bYJA(Y7Fe7&R^-hVWytx&DS{{C@3{k-Ehf3wv&AG|0|BIJE@s6H|>@~5se
zHxbeqd8tY>f<zS7czTPkAkqHgT>u&12O<a>Veq21XAo0=;?JLeIJhY1ms@mA6QbSM
zm*MMr``ujkyUFFD7Mpdq@E37HU!n*_!TKLpi|T{z6EN`bBAqRl2m39fDcX@KtKD9l
zQTLl2Zs>Qi+AZNPN7W5f0=E*-&(F^qMQ+acqEQ%v#Zu@Y-;;>0H(MFcSNML9M~-mV
zZB6WUlUF|1Lcxi?%JYAGA5Ucf$j<>s?RvZcjb-Y+h^EsShRX5i#3gLWOUm|{)6X;c
z!kXjx`T6OeZ?!`4X(o|}lA}h2BT&W+S#fB0q~fuW+?utJnyH;`mlINM2X$SaPXb3#
zqhxV#m@{n-q%TI!Jg4)$B^ouF!mbD#-MIS;F7YQyP-GGIy}my6UQf1)FH7a~q!<>R
zE|)Yqkn62>nBZmK+*)mQtB)>Ec*2hoU1Y9eAfORp>x-S-PUj@s^iPJI&lW6h=E{^i
zIeg!MNDk4}US5~4>}2HR5f3%Ghb)T;RX20R(k7Z8@JW~|<vNPtmm{;rL!M8zw~cmm
zgUJ-7^=FX^hVNQ!sWCJ+7jFqR`y9;t9((Ec{`z92Q@SCQB*M9d4ZVtmVpw;#R7o~q
ziDlnd?7~T(#+2m|(bY<sK~9nB9=d`Z>$PSp9ua@7Z+n}N*Y)ZT$mNhRON$L7;(td$
zu})~ws4wVO6~wrh%I2-N+xE?5fMs76j30WtW9*eO^8Pt?{pD=2GA#Cz_Z#!a>2PlF
z38%$|MwdI9^``c|0GswWe3E)P97{r`kPMd+jFW>)Qw;@@_WH&dYmH7jN{4gmw!Oah
zO-lN583FN88iOuc|6GHK^fNT10q`}3%j+m>MZMCMo>^T7vA+IEp;L}eQBhP88+oxZ
z;<8C*c;0y*K%X#txqb%B)r#?MKloY)1>^AcXd`N}SykJEvF>?a=d4KOJiYPM7nU2Y
zVWiCfD>UiCX0xX9E|JM$gM2EHmC2q49O(U^(C&}yU778sCx+?D&CQi)Gz!si5MO!(
zf%VI6DiAnF6U^bgrer=W`L3Oa`eE?k(a{ZV2V$s0-iH;cT=YIl%A(jlo=LS$PHDF8
zN57B%9wZI?4f=IRy>wKTzzAEJN|Vvyd>IfM=Zu1`r828lAOZuA!}Vo%clX(C)ARmf
z5i<xHX{d6a(x9(jbnYXuVqC4oTJy!bP!Eu0*W38JMm+AyNR9zkU!TzVVx`Y?twy&a
z{AISV0j@v8PE&BwMS<Kf28aDSCZ)PeOLB19`*BL8%GB)x$8^<+le1kp%Wb{*TSOD8
zerB*<_uFoHX(-Hj_CIRdBaH!MDCzoc#J)dY-XCHdjpWdYwOpnNVYA+XJgz^HL0;9>
z?$nE%d-N+|?%3})OYzOn1op|CXiGsRn*|+BDu^>hjf}uaNXriF#|eZon)xt1Ci&BA
zFzGk&@JhXrIy{dc6ASfzKC()sC@})AyMP#H(ijK8HwP})_w-3;l?Y5C&2$ma7LAOC
z_KUUJUX{(7Dpm4;>Z~8bvbNBq<WO3T=fyn&<2Sg>$8-3%)qXW6J4$(9Wfc@9y;j?;
z<f}dvG)BdZ-EJc+`98&P?V1!)a`tTeaMSqQHWyrOnuBphe$esi=3R#b{6O1p<<hA>
z{a4S07x%vPbxb`F39v}~@bIt@MaWjGB(4<qZl|@CTN7Ltg*cVzWt<#p*mBNH+{)0`
zTrK&=<c9VOaDVzKe1}mT{5_3cTTFxn1mCI4;y7Jf!+sB~L<@(-5fKv;$Yyf%J#A0#
z^OIu%AV!do#V$$=Kxm8ELHWdcr+8lITvQG=#$GrcSFp1Fuw;g0o|3o)tCL!0sj=>|
z!hjPLMnfR$TNfJhAL<%~{)hTNF<qx}_9aj3{{zJWoNVFTI=Ik){{fy+imUHt|KKdv
z%3r1x7v7avc307?{{gKR5vI1{+W(n2;EJ_+{0~9hg8c{7eq-sNa&s<a)BjhfvNIBv
zwK-e(?>)o+ePZ>GE+WGJ0A*wK0M`DqD(!wn&wmB!-e3L)sRgs27ZCPqj{hD41z1oJ
z{)3J1`*J!>MgOlIhW(yY&;ROt`SM>wNpB1MV0lpgnULWpS~vP}SLu<?ehgjtMj`+9
zO*}Sd;)?o~&#nsyHkB3S?A0SFIqLrAm%DpXuWUQLj=p5G5o+i6JbBjRbWD1)bT5yL
z>&2KRJp?*Nv#pPo4F6bn`h%}|=;ixt1EyA^mrHwmdvhZOTw_-(lF+EhV&n}*hfNvN
zf&c^iF!Fix^BRiEFvN0c6OEQmrHUmVSKHUy@NxS!{HtKma<<Zo5{()!XIa!iqAw6?
zrqm46-OKCPMG@;LK;$@9=4`n<!U>b4-e43Ko{;B{X~&3k8u_eV6zy^iF%{FdOD#^}
z%v9OxlFbfd&e&|OkU%I{qw4@+^VuTe*T=KKwzr$TAEk2H=&8nhqmCC##eDDHK0^+G
zw`M&pHY*iEz7AKkeleXcZ>XrWnuIZXd?=y7*%npSCd)0Z^Q>X{9I?|x@;Z}Y26xF}
zHmi-Fc=Fy{`&K%g1mvm9)+>S3wK0P38u?W$gk0`uevH~77D>axg$dc8%*<{#kDsPH
z)snT}&S%qmG3bT8l~6(vPIH@Wp0<KC>RlnWe0{1$f^>)mLJ>s{BM%2Z_}&l=CtoMq
zaJ`U*qR<7WYvS^xif=WKJ>141gCU_Kng}Hi=@p2urUmYTy)V;hcE-5{cKqym86rxi
zO!WZ0eI2sv_WB*A4`)jv?!*Jl8BTmOIE3CDxVe7!vCe+#hVw0-gOALprA9l(-NkPj
zgxJ{F8ttYKu9tlN$qOnf6&eISUd~e;Vb0Zjoi6<))w~YpkN7H;S}<`BXQ3g|>U#^P
zjdR;VVAQpGWh#O_nAFte&u_UYT=viDWnksHg**h;%h~$hCLki#Y5sn_Kc|NLTZce+
zbIHq`4!oQ$Lso>U?d8FNAh?Wh!EH5iIuf>uVKrmSGm!XRBIAy&%hQaGbho?>4E!SL
zJ{;#kFpYp4J)T(h@v)4OptqWvlM|aJ&L4yshBP$FdRz?cnzAAv`0%iyuTU$8(8cV_
zMsT@_V8v;RTu^9#^)7ni%+mz~aKZao#(zH?5SI)0sqOgz?ouRwBfi$$PdQ(z5pFe!
zqnePF71*dm0Q*LsPo-YcB&t;)*saCI&}}cFf`&-I9UAIlWfIZO99HB=r&<5i$ICTk
zOhBs3ya%|eu9I>lXl^cumO^*JI`@F`w2%7TWxu42po0){GiogHOXBzS@hGC!d8yOl
znO-+H85~ZO-TeHOhRsJi6B#>61H$up{KK(SjHhzRfexd$z2Zs-tykGoH?N0c<ZlQt
z33`YEB<zd!Kwh`Yfkt@*v|f3Y1qAQgAx`tvCgc)%9|RXmk)7q2sKz;lMBim?w=08w
zTE?B`dd5A#q_#$@VPypiOSHo@vZa^p_^6=NCI#UB_gdpRsYabUHVSGI-J{)R4{i!s
z<$1zmbug2tgqnOVfo|}j$vHTj<Y|YqWf(Y=@Xqyd7;5Phj3M?)FDGnRSiVeoA{I|w
z?majc@s#A7@%83_au9*==-!Y*iL)fUS3z$&s&)|zTa~)D#(oIdO@&@Hi>K>V_^0dj
zG>@5q0TGXjIX&Ga?BQ6R+$0VcA$3&c)VOqbky?ht%mh>tU4s@oseL$IvkW3Z;$X9{
zP35wBzPIKx^t1FKKkX7KIql2AsgqDq^-b;l9+5*8vZ5x9A5{jYO?bzg`e=?%*pRR1
zY&Msd99?c|aI02Iq)^c)35A^0l1WT>Ma3=2d6RbO;~tdoQ^z=|jiOLP&f-sfVz$|z
zN6xwCzkPG@JIV8XJma4?M;>m?b8YwZa`>Hy&sUb{Gs5p?w<R_+78MKJ6>nPi&i6?l
zhc>!tuTYVlIK^IL#$d-YY7Fo1<Rf}9Lp{DbL}d!)n>328bbd0W(&<MD0=<4;bb10i
z?qPIhe`$v}7CT()W!ckH<t_mrGi^wh!8HYHyB~T+T~VA+4A=D4Q1l%2sb+#?lf2*A
zb=usqy%6!n*5sF(Zp>`V&B2nog1~{uY4LeSw@_q{y}*~&?-}Wx^#wB1%LGR3^bsBd
zJk4b1FH~m>k>3?jRhCfZq6YCg0F}!Hf8YAapN(e)G}q^q<`oJ%=;}Zc=}y{9)ZpzY
z>oFN~O)&2qCX8m`!E#)3O}3t1>}>&XHc?f##2F@uMI|}-+Og#Dg6;qyAuT;{AJ@yY
zDyNU)Mi!t-r9ebxwK^^hmn-v>r16ycsiR!%`1&U3S<W$x)H{{dBSNCs>?pcWtqWow
zXs+en@JY*Us?m}<62SsFFEJtP5=d>$@^)s#V1z7rxkHcf@di8*1JmIx^qDZUGesM=
z@K-fj?Saql#Og!EwCW))IB00*tbCe%xzitd-W7ygjxr!VDoXo<`!91cmEyv$%v+Xn
zjh<*S+tKjIo`9spkc}Q2xQ!ksOsi!(4Bx-~{eg7pE^!x!qBBur=@-5Q2`TSuD+w6u
z5br?UvAC+&^4d657r6WWm*+d~ll4Y8t#n`y{2kHGqZr{(Bt{?UrS^Utlyp3erVwng
zRPvwSPRFuyN)mVx=5_e>EG56{3le8GL<|i4zoTc2WdB50I1r*D*Yv|=)MvlxQxg5I
zsuHnJ9(8y2P*!DZL1INu&o{Y5O`nG;6^gG|Anyn(&g*_cg(#ss;OTOqpQK{yc!S5~
z3|}gjn>4rF<gv9k_aMIAVWQ;w+MuB4s5i$~Mxq&hfKot`NSkN$($Ejf?|$EAZ(KGS
zMe&M1ozrQq6xxW%pp`s+<dawe-z_*1CG}EVY8F2BbKhyJ%|kqS9eu>}DM61w7I$$t
zDTn|aJzl#7l(NJaI%?%u1f@3&au6Y+F&JoC&F0Z}32Ak&+p=w_sHE>jQE9be!!6Y+
z+7rl&G{jt7SOUP7pWYwyrHnqQpN-ztEBe)zqQNsC0vM5H&<!$v$#ZkZ+_McH#y66k
zMh~95S9zhZPCcIpomt@t4Byd$mCdI1Z&R!=QVYQ~I}c#n9rjcIw(|s5?UK)R=cU2C
z@Y~GR+elYwwn~cVD1@B!K!`J)ujdvuVCg`!SE%+q>Ux1(f-6kIc<2U#*CRffEqt>_
zv(=)Eh?YWOc4n)s@#0!c8+G@}f>5t;)BRr2o9xHlpD%ujlFxU9QG>ujCkFjyM1gk}
zeT}=CzjuUw#=D6rd)E;k7>JULSp}lEepo~U8Uxj~kySF}(qS9u0KrccVph+=`Dd?H
z%c}Jz)!-JF(-jOGEe^$OMok6MTrZTU)SCXZ?UCw_3bpd!UEo{#Md?h-@5W=n%Gm;k
zppKKx!lV^>biTq|Kdt8`PTNfwKLP#vUhU(@it(R}8M%J?M7M;Wx8Dp6GlUf(1Hb~P
z^lO^R+#N-PCA-vXG~;SGXkO9ImaD00m_9e_p!^uLXlRb9BFPIX`Y`niElqaii2Uk>
znrTvsG3VKL0ScMw`=KrgRNXR|?~ULvFfisCtsFc}76J2Svc0y}ihKnPe{+?iy7e}B
zB3>bH3zNz|UyrvFe^N%)7AKJAG@S$Lp;f0CG`jEzy?JnPs>M{~l!8I}Yq+_R(!3Lc
z+JG=Ib5Z&>7|=7{vso$@$p91%$?b4U2Tm3wbG#2_myP7iQ*E9}^x-io2Vt3$HyRC3
zvLBm=<Z)=FXWN^H`5+P*C7;KsJ-uN*372O*jy%4Sls|2E`#Be<UM&^U#efJ3BK<}O
zunnf$!)`q4UtY$PNAO^)TqFePnxreTeN55fiQ5}!)*T>~_5kAl#pC~jjsF)}%kcaE
zKZrUB>7Qa7`oCo0|L<%6RO{Ogc#u|05Lcsih~lC96@=(@j{nZid+0)<{%a)s|5xLQ
zO6f)?W;!QQcoak=T0(3x;^H|%5(^~zWX!UK=5O3m=B?BOLyxTLeG9n(<ILOvF2a4s
znS(>}YgRd{oZg$4nDN5JwI0MZGjBQan824CshlIKm-MuOwjYnT`97zoq2~=Q(=oNG
zf}`tez$SLLWWc+3%a~#@>`ZCg`_mvu1LtAp_f+vUuhC^iXBD+hhF*K_Q>#k_tU+8(
z+$`PJH&3IE8J^=E8QJE<y|iEGhONErPS{;vBD}v)GWqc<v@u};k`yTc<7v3T=?Zjm
zfpjcZPR0{YzXj^12<+$yz1|2O9anh6s$Hy(8{F`xHjtW4WF^5k?7s59O5{xF)4=Zw
zmZ9#iw>q_9MGp&+bXz1{e89qtp3jYBO;wpta>6FD>U2PEbV94t+S>QEM;umirdK_k
z%xzV_9HX82007S~VCXa>snIXT_OATx)rZ0wcez^9#*<GMkzRdWcuP}ulZ0oHnFG2t
z-<|yG=%0c!-hSg_1}6eCGDRd&(V;dvOh#zAvHw0af3%vyp<J&v24wRFL}4EGjv5X5
zm&gXx=mxAcXOB;(+io84BqUMlP7Bk+z}%|j`Cqh*$|ffIzdZ%y5xsmIQh*XJK}mfP
z5$%3g-jSZnYBUkyk>~-J>xVY{{I_vZoXG?<TIzF(L)bo%b3r9V`7W=8h0sY9uZ5g)
z!gmWQ9=r*u6s4tIG1G$Ur|)cvo^B~YkJN{GE_aSpFI+TXy}dtL)e-lt$aft}@RqKi
zVX~X8*n0?_3B;eW=CE^x+Yv!OZu8jy%TjO2&~oj^wcTI6Uy23WPCHT@%XT-o^F-l@
zcyOpxVav2s`F)2G4MtH6Zj5$%KUF?0j;RlFJdW{SiiH>xH-7C38JsBWr0M%p=8SAQ
zv0{{=8jIFN=R*r{Y3QjDkXRul-7Yy%#58jjdt_YX4CvvYU^l<4td|}bGsbjVxu|pN
zbRSRYgf%;@b|7kT`nJzEu%_N5$&U&BaH3%HY@&OIjCiZjy&Ysi!a5sV`SDAtJ{**n
zlwA8|-=(2x(Yt1jl25Zcg%*@%ntoN-tJuI`qnS?j@k^DE_bVD5RVPb-e-<sT=7-rd
z_;B3#uo6Lje#`vuFa)LC$nXsJ`2tuZX4+Fi=h2m}$IGh=5sQ+Znhry3n*#)wqezaj
z=PihmRb26m$U5JZbjdg!Zrr<w=;Iz8b9-y_V03Ib9$Krn%<=I%iS-PlHE2|(dT&Mx
zFLY8z14HhK%6;6i0C;z4y!py6r4kHCuWwFE!(Dy?Ouxd*3Db2bu6y933GM1?E(L2K
zU#lnu)$<(VD|d_2==NJj(eD7bw{Ri>bKZZ!m>fu$?DOzsh3?PIB<AxW>TI)t4bIny
zRazz<NYvXF^LYBxMUsx4V1e(gY{(|#IKjVl1d<7L!<bcia(%(2QrR};z<-#>zXvMh
zdA)CW-SW9QiEa*rc61tVNC;`Fzx`#3<|VdjQX=Pm%!Ul6xyBPzqthHGV?bN>{`gU6
zh6IYdr<2<DJ?BEQykDqDp`%i{ao!EQK=e33UKRR$P@lg~qJ*gJ0$-?tsnVl|+X#U8
z6OHZY1I}!Q_;<tU_V#Ie+@#>NvKB9mlITl1ue$H3P7mGkuENkhD9d)+=lI#3hVZ2V
zCWH1^uVW$pXb97UxC9eQmp0-u(+>Q68RBw%{OfOU&9#H!QVBGk&?7YR`Mdxf@xQxa
zvEv7)CyPwJU3#^PG_ymVK9d=qK0<*N!q|X7b^XP2cASB2<ro}KV7J#<+;*E{EfNef
zo_<S}o`8Lx-sgUtC$L&O^_16j;T!_|{*~2CrnR*A^x@(B{K3%B)5o#F&}%5t(`T_F
z^dTC)yT?MgyXPlZ_s1Oh{0}9i``7Sq-95h~x$zy&lJ%}H>FqeDmT{Cz$Cg1!24hjJ
z5Gf&JvWMyejJ+erCGFf{NaMYVNfe$wo*kz>^~Q($M-%nEG2wB`=TR6bezohZ2<wDC
zDss8$Wi?fDb=HfXNuwBHu~~^9WF!xm40=oY?KstOkv-+T4(BcRlxT&$sHn6ho%Qvv
zD{WlB?zXqrw<pv=G{Rh>QT>AS#Kgp6YROzGS;;xOY&zgqBPqEA-&hqNOUsPeWE$XT
zv8K%F9I#k2+r+y1cde4u6w{Q^NAaOGK1c&>=rkNd%d^$xHcipG;R80|;mRPR!=jB#
z<-Xrr$YL}z-&4!05f05JHCw~oUMA*d&`r-3%RbGTacQoo*N&mqyH;DX&r$lyEmc$T
z+dH}_3{<gO{qkeeyhLkH#OJV0&b?DCq}zm3v5>;*R5Jf9ba2AS6iWAOmXqKI{n}w*
zy{7|}1FpWqyxP|WRoZZ6UBw)M_#$ReprHwCRXBYI1^26$yq%c}GKnTByjuJ4JJ-I`
ze3nRH9&C%{VpXoR1*DLX89h=lO6+ak7$dolNbu{qLu&75s=()I)>0m(#BY|G<J#w;
z@`44tia&+N`t7aGNGB#G)|_Ei*n+3LE{@$YNZd6cEwhuHQE)NWJnQsOw?37$&XZ%E
z<cy&Fa5fAjp>=aU-ju#y3A4g-^E-Wi2>nLt0V)<E$X_5|Y<b;UvY{pT{0IJTEC5U^
zee#bHSi9vZSDqnDwW_%+%R#}9bufqntJh;fZlR$6Q`KKa#nE+LplA{t0*$+d;O_1g
z+}$05y9Bq!C3tWM65QQ2xVyUscfG~)e&?QX_(j(!x_8mL)|55(F5D;uzA*%b4;?RN
zIN?XM;Q|X<V%ezU<-Zl%6Kqs*sqeZL21Ycp*O=LT-4mo>Ikuj@|G+eo@0=T6CD7OY
zn)J0_z5MTSxQkX%td8X_yc8iie*rnD5A|zFosYN6e&t+8DBWK~k*&L{amRxcCY98E
z+PSf^*7TySDn-(1Z}e?hMY`}=nI(nx))RW>Q$qzIhmV>y)v2^I1HZ5Zc%>q!IC77*
z@tULA`O#9r2>BRUpW0St;h8iuZXcy`4n7H^C>$Y{iz6=f*&iiX?dIDvpyGwIDxkFq
z@!M=gFyKefwta>DzE*~rPu1ih@8;}{u9}1SW8Zd7C-dz-Z<pUR?WedVxf`P9QGe`5
z2?oSR@7eYgUi5k4<&_hbIhSJibribQB%=6nCcA5);qNp-g9Fm1eki0nQl!<8lG%eq
zl7{N*UJyZG2tH5j=$r{QDUqrsbTjb~$V7k9s8Sh6n}xvFH7d}htlQxiuxngQ+GRF0
z%1$ABd1J9U2%BFAQ+y~5GJWbNn`GjT1U-KpM97DhyMOUC<b&O{V52`u7DRAVs{+ON
z$IJ6g`#*8RCY)sTQB{N_qm<G09cs)3$1^*J5<8D8AgZb^+2Rp`p09Umh`6R==e6wy
zZHM=>l6|or`33_D=6+r;E8y2pEd*DEb2AkXEw@gB({ia;F}gQdauc;LjR=uT`^rje
zkOhrI6j9KPrJ34QB*nf6Dxw3we-im*wL<J)%3l3lGWHKzPN!fKm4If_SA&`65flQR
zA#bkO8;N0bGQsxm-!E?Ox05p9y<eMX)zEi^FtnZdxkH}k`W2ye)JRAu{B0K$>JO+M
zI|+M21}90r=FT)nJ@<W`_<9npN87K^^i5PURMP8kO|cz*hBD~Ox1u=sI_BScH$@<X
zM<tCa;r1B#+Ne{em+0%3iJPC=`*-WRSQK!a##o4b%Um*I7$oSW<r*y4dCFv;UK~uf
zq@W1ls@^2Lv*AXb{zd{#+wJEE1Z>W82T8m}{Z)L^Zpe+AahbQwqAq`yME4yu^5OXI
z!M|Dsl+c%w)QBvlLP>ORAhu5=(lL-}{26~fjofn-dReaCv*`Gb<?jeRC=z}R+JUdS
zbrYE**KFMpAdkp^Y>-47t~C++3G|9}9f>#}e-{oUm3n>uCXC@Wvk@>P%>dO*QCnWG
zw?9Vku)<ono}E9bPMrZRPaYG&NL2}w^uXhLBJb_}dl#c;f1R8A!?+BFZ%JMs<C<A%
z`f(C&#x+M0;wSX|gYbWHCB_-AZo*R%ZHG(9R|@w~AnIDaB(7nwK8V~&z-C$m<e{D9
zdN4Z2!l5;dX`05(q;_%6Nz?Bs=?C$ZWKJp|U0J8ahad{K0eN_TEIl@yM#8t1#fG~*
zg9nuJQ?<%<)Df^NKCxNNN<^C6(CVCnuYWScyR6I(yKc$j%x8BL$_uc0*~G;vDjVl-
zQ-usdgNm_BA_^)ov3`xVQ#opd+Elsz<0k2KhA{KyQif$>vR;Vi^gQAG{w?eK-S*kO
zXA>{dmEJO^ZN`PY&ha>B8VD3zxf_hE-|huf5sAl;G!W&D19YRtmhO%k)vJ><Bb~6X
zCfLoNSj<wu$TvVXFQ~pQOw&(&i#_ac;J2|xtRwV13#vi%I0D_}*C0AJHmLCqPF$da
zIMM7P-O9X27XRXM#3nvCg;8nu_A&n7j<oH34hyw<S=hclHk}R*ymo`FNX1%Au2Ldy
zkzNhGc(f;uqT-~{`eMz#sL!Z&eV>4Ia-PGqS`n@yUY<T-#M9kb$<TIAUu$=CQWH!k
zObDSjw9(?_EYh?hu2dSZPPi{Ig2Vpo)y9%A%xV7%ipM{8)UwaJDR_-@2R;2gPQ?ET
z2E8zma`W9JoiFIXYHMVouxV~*+^1Ac@vVF|+(-o6kz0M?n<Wh9W{;luSGixK`+gfU
z|HhiQ#GpZO6F};Cdqk7V;t$M`N5ryRs<R3_p3e(9&}(+a8BV4f<9?khTTbEKwNWWm
z&_i9Mq}6){0Y0hmk+xm&*mh3u^X}=;gtScN`B;J^Hix3^^HhxlR*B`eP=Qn?ge>oC
zJzLCCkL$3;H002q`Qap;G*E7Nb{k7&A5>^jPDDvR-(|1KZf^C|(A^ZLG-F0}wirur
z%Va5!WW6P)P;f13m>wl?Ot!em1F;4y??=Aq(X<Bms_Uu4^V8ZtKNYb0NC|j0fI(Z#
z{3b)f=M8etf1o8!!lJu}sQW(K>vrYS2}CavOAWag*A)r<`*TD<XmeW5)#La6IYNQW
z_qWHX*cZ7cODtF>Vxd&Bv($;Drg1UnLjIM=_a2tnvk!R+79UPmC55R2;+6~ikE8h0
zD~+fhz{cJ94~R_yuY^WZjvY~+-@Y+QCDW6wd`6eefiB)TUTZ7Su$?I)kurfU%i?j<
z(`W{K@UCcrH^YtWoP(t{`8kKd>)atx3OIT=CdCpnM5dS~Jkq`ISMCRl70BdMR|m_n
z4sfWNsM@Hy#>stwWW7Pjk|scl(O*34<3k0@M@94T&Fj<}PM2Q=fT)ZgT{}O?Zl44*
z$vNlX{J!XK@EsBQRwXPPgonT4?+A8<R~(b&f7&7Sy6$>1^4QGnTd4O27jH+BzA;~i
zJe>m#dBcqjii`Px;3*0@U=JgYgxT$=RgyhJy7wVD6zD^fuN%<+1!W@hbQ5iwO6OUp
zGIv{0Q_v-U9&BRZyh*A;h(-40^Y%<aj)#p8U2pM~4|TMKcWiOB5$n^f$XxAv{4E(z
zc0B#69UbKUaG7Y73WO5F>xL3(41rjt(L)cYV0$`7K(Hi<E}cG}=hB^+>Fq}@R#F<o
zTk47s$`0513uOUVA`}kMd5!=4hE1j!|CvQ~pQT=HF@I|__44{E)PkWQ&(6g;26>bA
zt0K7&|9Up!&{I<f45xPM)vfkIqb0(7ye5Ld+_3xJfqnX?>eE=uG?UvJh|@*tG%u-p
zQ%X|J`fx-DPvF6s-1TfN;s%dB{2E8jS@$5Cm+;%jD!Oyqj7lmgHQ~2!UdarpS@V7F
z8xE_on+9L~2fedI!TUrQ!|%)cs}^{Y!oCWX|FD)Xe~gVlr;3~>Z>LV`_{9ffKDKa>
zj#u50j2qIs8i7V1VyoL?Fo(s`+a87n%*`j)M#o)hwQ`*(^?@jd=I&7f58lcYaJ|D<
zsO`<7voxbU84)ssn;fapoG8NV5Lv_wTLHZ`9C9CqCv$;z&yQ&1gf(d|p-Q_<g+_>2
z;p4oqt&hbk^I?~T5~IfrHt{^IhAGyU+3a9f?L1I$`R;dfxC^(*WCD1mi+_m-jj;(u
z#gro=eja%-C(%G074#9%t*tEfcv1YKu*)NVfG=%7lgHzmi%=%tzD8{-81^cTznaI7
zyoYzA(H19-kN0b@6f7Pblj;~(Pl&c+6X9w94$7Xxv8Y@W)&SsY9ce$Ox<T9Cp37t~
zGtmT<tqum#yYLH83<Y1bq<{m#d;vj*_#2+-Rf~YjW-UcqB?+5`Hqv2bZq2f{*`<|S
zO4}a^&Rdhs+1kW$I87NAmYJy1iQE6EVWn50ye<ph!yDPSW|fu*HW!+0{vi9=7-VHk
z?U)DZ?@?So=n;Y<>?sNX3O_c24#;L3Q(4B95oF_3ZKWLIv0y*Syaxsk((gs_-|vp`
zqW5kurG67_A&xo9qq^TTTnS^#V(M{cJlc*NrQ4oaIU~;W_{IoI{OuB5V8DxiGl|ZM
zqs{Vs4g@*<;^Uk_lMP#OzY6^42C)2tyA^3!VP}H99#=~^lMiBk`cO5Zqy;%!miYQJ
zCeY#rm6F^2xoE`kMq`5e>2UNfMp!IBmmYzJI{rxm&vh^uGwpLc-P9@Rk?SXCvG81z
zF5>$mG>5A_#Fg_~kw2d<LkS;yIad&A!>2GlZDgQ=OVsU%sXIaWBCV2x4p&1iy$_O~
zblH*lA5B);yb&%u>4bGCqaVeI_Ktz!E_Ssd1w0iPIO6FdhbPj989_a7Ztp@dbQpY#
z_$I~LXu#Gi7=-mRNP|Xm>=g<H^S78%fKEq_d}9Q*H)A*kUFZjWyFo@I@wjtj3tfCM
znKo1FHKTBeD^s1mRw#<H=?|s&RwFy?I8@(4+hTrLUYn;x&#)ezF)z#zSn(F1+~}8%
z$KDl^7YLqd!}|1-msNDs`mE>YHtPA`F~;bP?9c+UXC;d%9_B#V$l>Kkb|vw%ZdRv3
z5GH+ix6l#Uq-%dULBZ<?a3!bRS`l(SO)O0^T3%n2yhIdR?J40Qp*q*qBO;w|27Wv}
z3C1V*xf}Daaeb8JqVAWA1ZFr=)m(1;s-6t}_HJ1qI~k!v*dL(tBh<aR+!$ZfekUj^
zC=~SljFkJ49`&bk+%N2igS3kY?ZX`<#3KnXJCe;dFlCVD^iFk1Ms}E&vK7!LS9(?t
ztU_lWi7O4Tg#&*Ym>!tm;oRrg|Jj<5Snr*UXvn^}m9Us(gcNI;!>HtDs%Nj|7T}F6
zNf{_hYdAMa(dj~XHS9ySW+wh)^3RO>b1Qt3=&tZoR^cRykJwOl^#$~qAUYL>UpFJJ
zA1mboSx435-ozfM_jylGV|d-i!H2UjfC%}10_JRW;DZ6wN^2(Y8t*W00}OV+uzJC9
zB7of9Y$ROj2Z6S!=Y*Fzxxv5*2sYcVk*O!0q~45?P~~^#BOp*b!APD{<0K4l_8k5%
zB0_SW6!q8Y<p@Ka&o<leSmZn=8kV~Wr=mP6As(;}WeBpKDZq#7^l7C7HwtGt6hay(
zt%q^UU{tn?bO116t!&}Dhlf42LL7qX_HJ}wy4*RBo(dT6t|l$oeSA`$Pbq+o3k|zs
z%Six~utK33WHav+G)b3`(bLO4Wb55zvc+=spM^0-V2Or~ZtX~36boVWqn!xw6_lFf
zfeWn<e_AY-qFnzpSO<bT%RoyxCy#>Ba0HfQj5`Ah9*iYyU%(0cNg2JSW-Jb<pKW;I
zWD^d7CJ0j&&*Y!&Y%5cNFEauHW<{@)JSZqD;dC}R)5)qU6$YEkc6EVyuhHebiey!x
zfk2vFWxv?^`^$LZD8uSI5?ps0sSXzFNSpbm#HU>OlFD_!87+6DBusGcDTlW;UBy2}
zTn=8poHKW6=C?cAV0tfhhZ2O}+E*2eMXO3*hJSCn{o|wjC!chi+-vOJoZ~#WHTB~Q
zM1|}N@@%n6_j%4s&CvC3dX_zqR%pHI*NE7rNuY^(ow^_k$HK4_c>116>GW~%=X%{4
zF?YSCf95K8v;7a8w3LpO!GC>8Oxs<JYX_uceYThIyTh=Ck>Tx@Rd&bGd>So=G~8|$
zQIn*Z=<U0U>o3$e%Z_AYcD^rxh}y2%btZ-aOxX;mWL>XY$3&l>-kxEOInD$J>gg_K
zvVFcK4KW+f@%FAnVL(97l_;YPL}#JqO2=kr@&EW3bu>FRl%+$JvDDCCNfHy5+!MLD
zj<8<eJvhCO3{-`OG&ai*{ZSgnKNBUuX1w_O;$ZgE&nsO$XsGCvdvI`Jm`}DVt#mj-
z{1)_K_@l!K^!|;F?p0nKw}h_$xcu~fVw9=eCNgN_TFu$?XQZ^ip5G<YE<yYZUd1F>
zu8X~sPWm@<$WrOCOn-ei2^V!d+g(r4;_x^ErBa~=ClQmC6#3}P8e2cm-yilY@fk0&
zx$aBv1&S(-VfW6R!^Q*?5RUm~jgU0-wxSFX)W~Anua#a^7eWl!_>F`shZ~z=ZCDh0
zK=udo374aYRI}iR*jI7UI_e^|Cf@f(RW1{N;HZ|xs((@v`FUy4MWC-yhQF4Ix=0FQ
z2qRz$RvC%e9}clq=~W49Dmu8IAHb3H!^ET`)5AJ~DF?=1E<o|jaV}m@t}=7nO<EeE
zPOyMtv6|%mylvRXe)2OMyzjL`=I-H<<39NX^XV@t`8u6uuKAcgI)*pRylwY!MKpRY
zrJSMh3Tj)~oc5HfDN&fG$RPY$%^RcA54XMxw8F`JW4!q7ERWm{WOL&H<}wd*a20#O
z7mh~&%jP|8oX*c<@r;hg_==QExSyYCX-v!YB2d*VfFRQONqo$9@TN!*!q#=_6{V_D
z`EMSFBOSFzZKb8G*L%GAatXZKEcTO*A9tDOvdMI+%vRbxo^`=4a;J!wR2-%H($);A
znsDwM>~b2ztQbh3p5O@epqR8ls8Y5^dj%MPb?_XGpj?f09tsUvUkk0Yd&4ZhEmQQ;
zKK9F=EVK~``TKtn?#5kqJ;jJaeR*=0u;@azUTfFZsQDVX<7hFHO|SOSBAH%jzsdOA
z;*fSu20ED64H{%ix~)hOO-e!t#zcN{nHtWi`+5p*;*Av-t=r}k5!w$+gHBzq?1_40
zS~3qO;8>L#EM~eE7H@vO7c^PED%S782`pQbv8SsYEfv@Xn!@2>UZqe7ka?Cpp5%1r
zBZtd1HOQxAG;`tK!nS@Ax1Wz7qtl_%-+~Ax@Sp-9$l}(>gvW=Zx*spE<l!#JGO-sV
zcG_&G**$zye`50-;gHn!#~zgHv?z{5;c!<nB$a>0M8QM1RIGMqicGpx9~<9coP(zM
zCbN_I0VhU0ui-F=&FI-3@E$&AB>{U=E;m4skZ|en?&X+tLmB{!D2ChA=nTdQqgl*W
zx-Vz(WafT2TiUU$ZsrxDZ0sXs#9+0$@K4RxVQMj02Jljd-h^Cdi9Z(3{$1YrD<iw-
zvqU~`Kgn*&W5cL9zEV^*HK?VgS6n`(r9&ye8Cg;}o?=L=K+%6)`HngWPRD*N6DHV+
zMx{YtsDL9teow7Y6(asA#n*DuQA=wr5e(!3kHEUj75hN722cnfW$WmX;BBou(CI?(
zAd(KSjtR4<qLbyUE($zos3R7p&7rq{fDcq$eSh=UbNdJ?0DU+fH<Ed_H!Dp?b`baY
zwj7Rm`g<JsYNLn<`&CPCKK;e${@+^${C9xuaicvC2Q*N(H}Um9eh~DQi4Bry!%nNX
zddEsO4zcgw|2MR9;N1VX-z3-nU};p_#~s_vuxwI7N$LMa-?zZ~f1kt#{tpWrR+(=b
z@NZHLReGZMvHKzCX^lPI7nsd-`gm<K3>vTi*yNvr`5&~GPB$|{qV>2_0%S6hgeLWU
zfGVF`{xW8Y*MpD$ALvW6G-&%D^aZU>=46=m9U*Ge_#m|3-`lk8h88Ko0d>S-n5(Ae
zJrr=3+;KjJXROHCs-TBO@n(3MOWY8gtiF~IY<LL=(Dq+x-4+Y^)%nu7Kul*s8uKbj
zyP?W^o*$pv^AlQsB=Xh>Bl*J7cnT>sHb}fJty}J&n}!BSt;Ny@x-<^q4n18)%ae#u
z`EQ*8eKf1OdV7Zc@5C8xM!WyIlhVfs1_bi{)$n}|8?WJ1)JO^SnJi-eboGZur3sl_
zCO?H`6QOE}O7F&N8!|pRWptDC!>?LjD0(R;0evDMI)xW=d-}z@4VPa(CW|-lAtH%{
zo}N&ZTD=nu;?ablqSASn+j^y1nK~1+RBIhhPoRx(2Zw@(2NuAp=p0lw@2dxPDcQPc
zUq!~oCcZ7q&kx(aI}xC5lR;H%HgUK<n??lGHtN$mFg7NA>JnP`e}QppA`b1|yiaST
znIJIqd!nNBP_lzxU84)8Nq?ZjD6`t+L7wmfvr_eEQL%OOD~7%2P-*pYxR2y0QLXMc
z0x#{9EG?f$UQe-1zU_NB+#_EfFG2y8sOy)DcJ-xn@>J=g8yWzqfwyI8n+F%l_dgDC
z<DCe3JwK^eNEpXDN8_TXR$0$-m#)`}oJh;c0<d_6>~Y8p#0qsa&MD-w`jXdQzmCa2
zKio-KFV#z<p0m6AED#@N<aMb#`HELh#tL3DhegQ8mgg}1VzcxEBAr{yL~nwEf*(SV
zP9nZ+8fvtAwiPcQO#(LwBRQbSc+Ss)O|(kkeg^+Zoa*3whC6W9gQe3Dv=$)pfCCbB
z7{gy(@3v0gI@+#2#2hu=-uu>-B&xMx1qs3`27j20VCqK>@4{aGXuWN_t%r(7!QgS>
zq&Fn}V3fAs`>zjr0FKO$sQ@RC&e+%!g@8oRFIM49D{)rp$;`|}y+vJpYBn*}k59mR
zc#YZ3?9_BT)oDCEwQDELn8`vgfOC$cy+Im=xS;@x2?`qnh5Xj(62alLTP&HmEmd$i
zu?R*y20J{UTev{y&S)tijMMWO{SqPk{IVv-@Iy^87r7mS*Y#mXZ~(yw?NXDQjA^(J
zes12EUXPMGLLz$ou$7fh*QXey(GJpH7o-ScIO%1}ZsCqu-j_o6k133vJB)^^XFTqr
zvw1GsJGKn`^KcK5a2(<p%xcw<O?3<5Y|3hSB<<c_C!{xCGHaX(p2CeJ@DbrDrs-s*
zx=6k^L~KUb>`W1ty{R?WvB)u-l7YHkP#U#`lzP)EV~Gny$6FFok%{&de)7I#e|!mY
z(b2Z*N<7ioygZoa7>o0n5Nz2R9~nX!TIfA;ztw?mU-$k1CDu0*K8CtqCg;R)#qGhV
z>B8mV5&92@4!x?^FNptlq_zm|_2x>L`GLIwNN8okg6MiO<lKHZnWp35FRUTe>+7gn
z+~o_Q84irWP#GGd!wO~cbqrmzx<(nC_m=&U4EJm8HH24<lUs{zfe>cL_jp`nMHf8h
z(ehZ-rHUu}MX6G)21RS9;m1?1>1A5wf!AM&2;q4)82cf*0Y))!91>5zd&^)!ZZIcH
zKahJ;T#o<!3yzFP&4oByq#)|fs44j3abPer!~S4s_5HiU-igO`_&@(2dt;pp$-LvG
zD{Bi*+1_)z4+vNUullERoTHbY;gAB7CqpxtCM)OWx4rsJB_3HUU5B~r%|VJVYp^3}
zd;|z*8G%)KAuSr6bSM}Y{<LPA>T16T2BxN1mQ?K;L@cG$$e?7AZG${Hg7GOfsf;SF
zTkZ%j!x<Sm1Su5-^z{M%Ac>O*-6V!h&M?XLvQjiBT{$MpS!Wz$^NFZJa4Y+@+fGMG
zE4=hX=PM%4OnKVoDP$(7;rsNMDeUp{TGK7}Ikds?t%6szBf;sf8`2q$8RMQL0$~&o
z?u7d9&GL{JaP$|}uc5O!pS9Z`>qnU><go)^V3ft08djOr8Vz?&(S$=*WV`MLWrZ5K
zGPVjDy~yxr=BztA=I#0?(F&PtRhWHVr_GVE4;aR-keLXD9G+Eh`8Dc=MR{dXS=Su+
z)aP0QV`w_>1YWWD*INll!Jw{}5n&sU4%~pKgb@(<;&geW-5W^{U#3_dzPP^bmCyWv
z@6cu>#wYM(ga>^q-x(n<@P*dk)x+nar>M9bGdxlIw#IyA%`COm*zO|lE~4=$@t8fg
z=r{V6N+ZY0uOw)1<RHAfnne}P<0RUTYn~;NeyC{vd_Vj?;Oa_P_`PK&(c6TNNlJY}
zBFG&q43#sysz*<L;bKXQD&D4;-rW8N6{rZ34~$z(9-*AB0iCSlU!V@WZhDIla#L}B
zh^|6#RWE2u4ke0@zJj2Cih^;u{PSTWA-T9EzQRKy-XD!17?Xw=7OQ+Q8x&xHlHZ>J
z49GUxbvPvmJOOVvvdeF*wUK1+RIA<pl{ZLjha~W_Ka+R``5$1zywOf-{`J*|+zg53
z5_aa3%CV6X8H4L4P&_M$jY;{kNx~h_3hJJ&c{&nCp8vSSbN<aeG@AG<&|a(5k9Y;e
zWhey!0S+{&sj$K=#43`(oV15(zecf1QY#$A103*%$y_m)=@zjFme~56=VU?2y17@R
z4h%!ooFt1rp5t_i7Xxy$peUvw_Dq=-DhDH+iagZJB8G+B{|h$)uBa$7uEd7JH+R^w
zzuR+MtXWK(dlqSF0V3TZ&XD^P>}wO#y~;spfX5{S9Kn?8$pPkf_vj=${;weL0jy&K
zR$m!fka!joFhs@lRlU|6iUurT1a8WIgTcT*NlWopN6H>I$qK&9ah`NiRZU5^<%EQb
zOO(bO|IIy>ipnn(Ox#GxZ3*K`I%7Pn6H-{5OAC11YhY#`B~(pi$B1wKF~q#oe|>b@
z!9q7wxl{-O2NQ2Ak<ZyKgpZWs^ImrHW$2o3iAx;b{Wgko3}{T9EQrjAwlT$Yu+{tM
zbGfqpUfvu$hwIU;7hmbfqw&Im?$<ID)wj%q2y4dHGd~~sghM*i<jQ^8f#7XqWZJA^
z3T{1{P>jUS+{q2)QZAGcmDCKjH?%KRqhYsw!G(#z2R9YtRxwSc2%I7H-keg6b=;f|
zoL}9Dsfc2?FSli3{23?%E@-Uu&)=c3uD8|)Lc;qCofT%oT0Q}@)VC9L-%ePy+dzb~
z?<{XaQY>l}>jBf|Q-;RAa2F05tZ(#?P*Bbr7bw5t<azse&Wn^&?2Tu}%}a@S^G$b!
z2XEvLrcY4q7#MQC#-qZ7zW7$Ghi3?!42)RDUtAmCu^4{?yS=?qeb4ZmoF2=R@Ce3{
z=dJx90*%-?N5JFoY=Y~_+&7eXJsEF~Z#iCI4vRH-fFfCZseiL*mfm3>H)}~a>`QWa
ziBRd)x8y3om>Zwn=n`Nr^wL6tMffK^*p6lM4>dJP3x7d9-7f&-`u;UUi#V$UEi`By
zUu<3`{vD+gJkw*k_41O@s5PLEmnDF{J&Tyxrik--{StzN6RJoWvMF7V-t=iN{B<F0
z8j#9PtdKUl`U(n^V`Ly{^oN0d+7NIiH&#n<(jE(WuuLP<QDT*j`}glbmpf8(8La<L
z7C=Q+wZWq)jOwIjpZWad6oQhHx<7w})?wv{^$9PgdxGr|%>zB8Ba2~V_O?}mi~^_$
zcJ@ck+~S{!0*ptb_6S0h9_ueVT)MGKbsA7QUVD^29|6xTfOz66b<K^46JAcobNlr(
z5xA=>{0B-?vO7QAGX<yim#TBE@Ku_<V5W0B$({H%T9c_Unf}G$Gon1rWYNt@Niq+J
zfCY(Jj}vlwG9%(7mxm&AmuHhL4P`z3(tlfwz~=CTyhMlyntlG*5^_Mk6ZJz^_ii?r
zxE!KZ7JY`2SH~k7j}8CNz{x43dHaJahwE!4XiZPtOmv<(KRw!`rqFn^&51EdH;?Sq
z{j+j45K-=n%cDR+#oswdx1#Y~n{<EeCYz+<JeG*Rm|}@BnyVe;bf88|+$(mS4?G~g
zM9GLE=!V=Jv%tIF{L1S#k`kb7xqsdOdLwym-puK0w5LKVT&$|fi=X6Z=a^naJilQw
ze9OrL)<+0STBc%uoziok={Lt~2(yT=Y>;)<m=e!3FL}6fF5zGPn!v2S@XT}5YgsS>
zq59AQ7eHLjMsV7-m0>BZrxU475iPdVbd?)l*4PLs&~AlEsKq(12V0|*rT@%WTwHST
zIzUrtbtW{D>F}dvc+1cNE^26XQ7ni2&74rb7u|)CU$aV1RM8%57(re@iWIU1;(-{X
z<r+qu4FJPuZ_gW5gTpCubuptam2M0hXTDJ-5-SO<x47rG%d+sCVQi%^ASG6)Nh<5L
zq^)WJ^MdM4w`UV>uhupL#-mM3#_D8m5Q-t$D=ukSV_AXm+rdH>c+6+yl+ps8)epPL
zKw$6Su6pnm4@7+v!F8$R;+893t+`xumo^cuWPv9;DAmXXRBwwpc3~Q+NiK5byIJu2
zmkO?*oKVdrjWv})rnhK_lmsd*CEMxF?Uxn&e>C2)=Rk=JFR;fAlSDoZy=8l^{$oMH
zp8;yq2KiS)2Jo@96mf6mIw-nF0mM*niX@)N-YLj#qJrg+c(2p8@VTT4M36#_*{`b#
z{5YItd(swSe?S4bPQVFm%mqS3qUJ&l$B>hsZIb>g(nSswuvmYY$(sqAOl7P#P#_T>
ziJLzjAp@uYfP{UBc0T}FIT-K}UjdkiU?DgB!j0F~-eM()yc&LMDF2Rc3DDjew5#ew
z0gXrsg^^9#!l%W=0FHeU+eZ#USlVORd;0IJ0+X`x)AmQ?UKhXH33gOMVVYJ$is2Mu
zorCl282y)92KUp%c?UKM`HO1b@-^Zy-<N-<NU8~qVG7lega5>Ue<z)B>iG#z%F+pH
zL_U&4bjE}Z*A}@LVS}7g269lp5D|QL&D(@xK^~q?bUq<Z@RC-wJAfZ!2GJ)CBFLv9
zLRX1$-7MMqyknWeorBYd*xV-B+xM9eV1oU0t}F)}ee1<&07Kk=;4rz)*spl+e=gW|
z`6l3tBE7C1LP4Y#YS+FTNTaEaLO>7(b#*GZe!sTmiHEiqrQOlL1|gxKsvCGv1Pkyv
zOw`AI%XWg?2u0j)qR6(9^$(Gz{2fK1_5eH#CY+%RRON1=rnlI`0ZP|?u(+rZ{j9Yk
z9cM06<N2?53YSf_LNkw&kG*7r?RGLY2RF_*{{wMrWTyLmk8gJ4Z<+Mvx_#pM!jtaE
zKMh;Kg@odM9YkwS2l_>Savqp%VR!7b@B>|2{D^I#XC(b*p6C$$_X576Wx^SY8{L?v
zDQH@TWMwhbXek>qdl*|x5hpu$34PSKoKg;r{A?^W$KL^^zO~OxZ}>PP8SNZT5!v?}
zF0aqkT87o<wLh!U?ago`(}M>PIvahoM{vdx;b(ePd<u$&n9IG0e!RB209d170PM_X
z0{qOTH0RI3>;Zf23Bu>}l4(S_CEyL192D84QeGmI`Sat)4-(UTLO><qK5vfR#d@=0
zsV#~!d2bmJEbBCZgP}=zIP_0qaJXa=x=6W_UaSbB@%i9<ef2l@h;2V409mm)c7S}e
zPl09JWk!l|*i9-c9h=sZThRN5b<oohaFQ>U1>P_Ur^iX@*`eJ=GwF5k9d|PP)vTs_
zMORQ?&-7o>oy_Dg4(EK@F*=^E)(y&Y7xwW!d2El-8EYK|+B?lWMXHXNk0dh0aOeSc
zbncfPU^gI{8deGUbpMJNxC-7k$O75aP$7uN+}74y&F0z~Ec|7is^o;E90>pf_mi9z
z72(L&nK9-0TR)8RR)ywMi8Ytz#Wu>t0XJ3_lTgt$j&x5BS(XFB6%OcxC?-4mLr&~j
zlT(3_+KRc3qGkV>?h`U0CiM#LE{0jvzmeA-2}8z%z6$~#Ut|KGpZPC6Ya$D7lo(h0
zqnHog4Nrddir1mh)&pf|t0Aop$!cJ7fWq|`opq~`@am966D3AgD7hMr6d8suuCQC;
z!>6jYTntwPzunh|8BbQ&>992PK6|(s%&!IBKenuf!h(7t<oO~eVu>B1!Ce>Ec=gs2
zY#<wBwR@Hr24NG?l%r*mW)!Ml-A!mQx$iZo&GdwpS8fu$<A-;c^c2ro3OPTj&Sv}F
zoSp71)(VTZmli2wClQ0dQ_2=s-Xz-Hcoq$Ruj~hxR@9*WhsZ>61(YDI9f#xRvd|=5
zpd{Yp*o@f=0j#)I*oqoelx1nZAht22ds-kTCPF)~5l#_zaxl+{GB?29xHh<6vRedM
zE4vRKHWvqAi%L3_aG)FvU_K&`PVgTD0^B@YX<Lrp_?@q2F}XA%6A1lrC`2-Re;rH?
zFjkZVOq%lvOjAi@4um5zzaVg9(!^O9Fbi6!e(3^lZXx<w(6`xh4A&i{SfRM<kOR<a
ziEJcZfDg5eYXH^u{qw@dNJ7mNEbu08{yyQ~vjcqCHrn$)LYz7gD)+xr`=p2<bKvtW
z@Ew1k*hW8YPOu&X9?&M_QXL&9PNN2;Wy|3VLj}L92cTMC8KVXDa~f-<`X9hvu7iB1
zr;b|+=^-65vb`r@-aj#a^9ED;|KJ7aW;IB@D~6b{oUmO0HoRHI5W25Q)?cB<+b+4w
z_jaiCZpUZwdLJq}R#$VvrG961P+qpUKS)JbzTUm;y6*?dbLaDt-ShcgAO5mR>cFHP
zRlSelcnz}QX+J(Ku8o>9f<kYQ1C%2Bf$@6Rj9IcKtqZ5)i71%5D7Z4#;KG68Gc;d!
zkMPFX+5D=iCEmMk`ITdf$Sdjo8x}rTi0BDK(AUZ}z4(WmM4HbPzOGL9Y)qrpUN1R$
zan-$sBT-#nXJvI(0sPZ+WL0mcn0N)-WvCHx6K8^f(0tr<W9QKMGXe8Nob|YWPqfom
z`gmg`128Mi)R2_Fh({8z;k&JK1>$_Wjqa|lhA(~aLKyp<h4mzY24nczs(F5M<FKQs
zq7vYO*Dg9Yi!Uk`wC(@kmg81|?QmM=CJ>Uz2LC=e?X76N?Qk;PEk4%!K0!EMT~5|W
zuo9ZU^KerO|8A%jH=CZT5DQe&RgSoC)KFU^I6xs-92*ETyV<{E<)uQoTj5$&e4Cnb
zEM2X{usp<C$g4FJd}}X#b=o}Jrx|nN7<n(<-T5*)t<F&6d=JFT^kzo;peOscn0=#{
z0vkqkRZ@qE542j0SOxtdar$oirIsl-d4mhpbory#O&(AhO}3=;=4K?ctdO9}TD#YO
zq)BFkfSCDnxTZ=nYJRc;+C235H$)nW_rZq7+de%AOw-f2#+Q1@x5cTZq7&eRMQ_-h
zf<m8+fswqGahF^(%vW_E_r&P5Wa4$TN_g_^K`6bVq{is*X*kw_3+-+s)gPdm+cT*(
z8n+d7^bgicw}?N%j$|BYWcjA|2h+2{Rdv046-tc%>ciYEHdo)tw`1Y6TIs{5mOG;U
z>t(w>;|L$xOOG@v`%|zDgVM_tLPX`p>7wwT!mJLzw<nWC&h<{*Iye63AU09;;7@x|
z-TA}n=P`*{O*=JC^ZdPc;e8@^t5H61-n~p~3h(~T-6{{3n@m>s8m}C4{*z6FizS^m
zot2CSpL<^aF_+IZtXH$AcgtDBw7u;KTrNUUoyKBX3kDl~7Wb~aEJ1vs)svz*4h_lw
z2N;QJ&Tk371rP2-<wyqVOhLgw84OCxlQ1)X){Dx!Z$uSHc7U5Ml<TfSD+HbiL8;gD
zbbClP1`dHFy}7qE?2?jc`G+a<i*c#y?d&EkSP2OZNvZVobAg3K3^sLrg!E9QzvkX7
z8(U>1Oxv3Qb*AUZN3*V_V{Qw<PkK+YZ?GH@PB`B;ZWt(O`-yyCSb#-`LjE6fMVOLT
z)d4Y?>AfYixs8YfkG{{60@Z4DMgnZ)OorIcYbMLngYghp$^?f9*B#sS(uXJU=rP}b
zRCgGY#Yswgt)A)o3C?@Fmx<vvsXAP9XdXZR0AHzJ6l>d*wQ{}nBXk~NCiJb%xgR*w
z+u&_4v}@pmh~VjJVligXMp<{;!)F8<?_}Wj_Osux&$dv8a7v}KOj}wma8IW42DN$G
zb@}%UFz(J>EV!M+ic^3vI1WEov^F$gDY>2sx!Ur>!^6h`(C!mealYcRd1z@*X(YFm
z?X$HVxns2P4ZbnFExh4(WKXv+{<2W1P-S6-5K;-m{#jI#)im8w(CmVq`%4q*^8=pm
zch~6sfy641)o-Ny%+6gJbwv%8UfONinc+<HuhJCYw?c<LYLt-#UbmK7QLDomr_0`l
z#zu_+k5i>1)E!&+*FbiQ1_anGGr<hVZ)h!?ZX1I^;3pC=A`WfoN(!N3_ai=olcGJn
ziH=#t#c;5;vBnnhX8*$TEQcJGbyTx{6NZC|q-x)?977X3p|5>=M8N*HB%7y7IINLz
z-%IBj77`gI$Mt__>t5=tN_iT_i3yw^4o8e$e8xW_np%R_IqpjE(xJ}|Zggus5$xOn
z-mD-B1)y_0KRxZ`1Upb0bsjF=jn}v^FmO%}6rA=bfAHPjFon%;TPl+qP58A_GE~^7
zpW&b(mdsKo)c5{jIlOnC-KVz=9}D2XPoJuWpEMj0*fh*({98H;jaV_p+tJ+2J!d=1
zbIHQk_ajkr<CzWY*6VQBStHLM#A7Zib~({ibQltfX6tda@9`j2zl~j?olFd}$)nPQ
z%Y{g)62_kDe7)#~>cn6^(@+k0ilm_)%?%8v;X9q9tYD0=K~k5~ZUAp>`<8c|94ZGf
zm~AKP=eb!&Mqtcq0$V1)Be+c0R|J3Bje<QJ;fZ%edV5$xpwm-V(TVhi(J?N8L6kwx
z2-j|xLLqRiDO{)5q1UeWrMV<zqMh9QBDvUvH)x$j(+Ri*JTL7_0rO6Puc^_Wd6kaS
z(9?|@OR)Yr!4}*AV5ixquPfO9a%^<mP2f{oF#2Pp`qimg7|muF`$}!oSdoIo$b`Eb
z-!5#>26FY+Il&l1`WL={7xdo0nzMV9YU~GpCJcQ#O)dL}q}oY}$!>ciF?9Dsv`|mR
z8C}o)5k;({tao?B+UwULuJ<`0qpP9+F!&6WzSd>g_5DKB?!9=0yZBNZux@7^$yaJi
z3d-m4LJxy@G9LPUu`rgYsou?_u5WbL_<fc9+398<77-Cs5ySVXL%za$^RhqVOgR$p
z*$%AB`T`|sH9yhnE`8;dl<f3}xc=@D*aNeJ9hHf+&Kq-kKT7n51u#iu(hyLSE7aBc
z^s*fX+j&@6=USUz$6FmuygeSfowUPZ7R!}upYwoxLC?T)3Dd7`_dro)`<)~veS%*J
z7l;TTA+K$a^rE&T(PY@rvWacRRh-vLg^Nn?R6;5Gy9*4g>AOTx{>sb2%B!?<I6&Bm
zrR`?0*fAHHlqJ#F`n+Ns&DdiFElVzsJW3pO)PF615IC>rS^NV&nZ~4~?#Gc3@;uy;
zxlR08{5e3f_^t3p|9jWG=Us%KKmU`sV>z?^06SUsdgnM2*+6Rp;B4kLq=0Tj$VbVT
zX#`l)Z6g1>5lM*%E|_!!Oh-AKh`;8k<L@SG_)k+Af^OiLjf({;VJ_)kJhvviNWfwR
z&<@bh1VWY*FfW+^A8mpB?`6BjM<P9WK#H+*K!M+#${BwNWcnfwyWJd{|HNso(|tlI
z<YvDG=zR>eU(TF1mjC~n9q}>S)G;*r%N>sLHo$z2R?+{**D!yPy}O(L_cyudORk8R
zX=I^zaQ`kW|D$g4qX2b#zc$jptLUwu0JUhq`LuCTw!ikYUTsHvXJn3!S82M{fNXU*
zbzb61=S%ii_j%yCSj9MZ>{z+TSa|(8dx6#Q$}+N7Oiz`j;6HWlc@#(t_@_e}{8b28
zUnBae0?sGV%zx>2$6V}gz+6XQMd*ZpLpo;=QLtZMeP9s~{MWM2E~~@TVkPz~*I|Wp
zvSxD6r##YS#|7nX>aI|Wd^vVLkv@ds1yfKHf0$H6d2eKyy;xL}TI%X%REA2BQ!qhj
z#jLd%okyr=9iKFpY$aXf^@1D66vDMBf@M~|s_f|qx&|YzZMIEPsH~o80X-_M!#qWI
zaYXs<0-JR}v!Vk*sjcfjwO7I<G2d&`r^oesr|yzAXR$Ix0TpeOdOv&IuyLL0ys)4z
z?1hgx+JPV>^l@~`5s1@-svfg%jd#2RYcw_1*5X@nSc_>rLRIxX`@MQ!bUrto-(A_L
z-Ow#7Rk{qwwLb0HX=IeTKkUD)(jwX^=m8F!5zo6nZ1)VWUR_aL?ZssIY$21y9abm6
ziX~A<(pSdAarz&j1tbId68XbJy4vG6Ghilf8&iw{ZL00Qs=NXDo`Hd{I_OfRkJc;z
zJah*l>~~qP8jbF!ReAMkJzqaiER{+@SfQ^yoTKGvG<}+@YPRot2H49cpwDe@wA$7n
zK<jQX#sU-!L_F;;9|K{o(Vm(ff=fv>qDcZDx8t79#89jZ*jY@+hFgvM6WEW%i$pC&
z3;TqVm?ra8<`y^dOdwcia;l3yKw)4me9k-vfouvW@xIe2YA6H^;nI{&bQxTVSh#Zv
zdtDd(9WzjK2%M0u3r^)!K8jiM&f5s|oI%I>QZW;`#C@B_fembqW!P`<;XXVUFjHH5
z@)g~4zjRNKa-;sCkV7yX!I%%5w#3d%pad=%9UUFsiq%6Sx5(al#K`?%_Lj_ZW08U|
zs4H8-ULl*azid(W2k1|;>q?4A)hOMa0C0Jp{i56DTmq;A?Tbw?aVI{Q0-jk#ScL`6
z(Ch!!<cAtr6u+-n`fKM#Q2nI|h_U+|pcB2Mpqvs>lIYd$3UX&b)J)7e!&R75i0UqB
zqWm-6b#M&+pi4(Ry8Cyu7);L(O&-r6GmBAV$l&9dCwZOWAZtN4C}t+ahMR(Vdvz!3
zU5B$brK2;2Gr=)cNWj0X7G%CtNwV;)3SXjtQEsxE{fnwHt_Mwf<Y*4gxYBV|{P__i
z%~a(32^w?){@werxMZux_Eg~rPN&@wBUntV(U}Y3W-KWQey()AyPU3zLEjrGq+fhn
z%9Xu(QN+h^5RcxniKf@+kFgprRiu?T&)XYpZr;IBiNaWdZEQpQ<lpE-#t3W~p-1r>
zQETG(hh`<6CY?_a=n7_6e)1NaktYm{f0L<}aM5)}L=|<}ii`a>Vkv{>Qi8`9kddP^
zqxiSE&pwEX-gos-z<xYY5P48dA7{#o)>VP28`7W}Taa`YXKkjA&XN(?OFU82MNiiz
zkHma6Aar=|SD$G4Ad5hQ3^31fF~jYs*GH&dpE%Zo3%mRj2StKW<pq-c&+hOQTxilo
zB%+P)UV8wiKC?0?!;Zy&_PG7WnYC+FAw^%8D=xrMnwA5In?tz~8vHU=jBhY!F0u;2
z9M9hW`jf|ovD(E8BJ(u^Z}iSDiX}WexGt;jFK}nH+=Xq`8zKt_AsMWohQiBpBimBv
zt0PW2JfAw2SR-ZJzmTc-T`0ddM=D7IwVf61`#edunLmAc7K4O-vwpqAn;h(?vnv0~
z1vEUOtsJl5@t1K*p|%Lz-)@K)5U}9D9G|{Z0hBqsPM_Gr;tL>y4js$QV=U5nGeRmS
zkii%uJm_U}o({gE6eMoS6WO3#ywLDSzY2NjY3|xwHLLKr!32A{nlSI@=MB6A2xCo>
zA?=K<)$s5Wn#S+t;I#up0V4f-k3$6oH3Umqrzh_7ujoPMUt@~zFOU2Gk(8O__Y{w_
z!{zhZ-8x^4zKoJ|`FFo;n6h?{k7EIb36>NiN5==SQVdV|J_=TPLPksQcq+|4z-m-i
zL+aWIiC&EB?76Q0O(Q%Z{a!lW$>~{8>|t`bbO$Um^fT{kd6`U3OpHV`>xEVVV6UqF
z4S%@eA!3zm0E6y?00KD~tirTC-m^?Z&!pi=%9~nTv+!Nfuv|nTo5H%zOod&m9ba0N
z?EB)lIuW-2+T?3DI9<P3CuCcFt@8><LU9Ni8>4j3n0sqtD)-A;){UC4a31ueqV$~b
z8?{8_%9kwiUEO~P3W3~?$2b;67XzNc0x%-Q$*%s@k3cKQ@6a>woMs;b-LQYA0DEsC
z#R4Vx{~E-f7P&l9m@Qk2mpAygXht0O5j&e1+ItI2<|D?#eeIC<n{J*iSz>a>zV}hk
z%o`4?Q(+63LB2P~R3Ff&bEq`Kj{O{2rVXJ};b)$R7qYa65gGT*Hm4G48r}2J)hM)8
z?9S1{Yua;R)vqoc*l4iGs&7*H5N|oGq!roe_Y!i)MAj`jv=q|gBU;m~P4-&k@JfKz
zfDG@&l2s?boce;v$v%RSCP!?7*#Fl?9^{rYL43&M0}?BDa}kYH8=FOABdH!OM$Nk5
zX=DP6fUY9*q3OQ~`QXr_ON$~2Q-_b??iOilAJ+dex+m`B^co2YS_6+<{S(L~K=iO%
zCnJex2oEprm;b>-)z4SvljkGLs7;x;q~6EylA{TOa|vrN^wyGyxOnvd>Ig(aJ$_g?
z_H5dQ&un^KC$fAx`DwzIoUBCGLPIGN0aMwaa3=ER6u}Bid<eo!*wB+f{;288N?+%X
zub~r?hf(Jdk)}kfNYL9N^PiAMeCCzD(O#1W^<Ik?)%=)8kIeKI)(MA)i?r9tv&jdw
z%L8_n7}c);%tkVx^I)|x=+zIIgPWhouNB%(0_!HUjQ-0jO*jrVfS4Qc*GtHOC!n9A
zXN%L5h*uzQY~caYRimJ#9Jf~haFKrm?(ZbZJqw}?Fx%)Yv=0Nh&qJd-@m$}{H+qYj
zNGke-14@AD(gNn2;<`Tta82(W<)-BbXk@?vt54*2bn@p|vj|7r9U$A>T2|6}_<gNZ
z7^Q^!;5BHIzqu=k800+mptaBK;I7qvmagU_^Ga7ya^?N^xcGV`ec1lhwY)@$FX8CO
zi|F!4qTO&7_=;)&IPq2gx7|KB%}WR8K52ejq21xz?$cSCe5xctw<wmfQC$}dA|-vP
z_@86}=-?k+c?GzIQqG}ghv2=4MqTY0D&wYEB@Ni;n~EX$knK{1+5!hPSVt(Tj&?FJ
zQii-TuY{?;81X-ut*Ek+%GIxUm$YMUdB<;)CgVIQ`J6nQqj{TwYUyVH@iuyBz<g-P
z;_3V&y@K0xr6hS3-nHKBw+Ga3JF?@-Jj<N{tror9I@a%(ic)!d{8~d2hn{TXB367e
zyz+FW7G)Av<LNz#_B!}coutih1(Dveu#C=cXYv`$nT#JpV_>GHwbex-CkY$BoK8Zx
zACiR^5I4i&4Mor>n80^$Y>+Q6DCtI}D<Kr8RNvm-3d>Z20`e{NwE3i@tm3q7#L8qr
z3=AMq=m+AF2<;`8zpYw`x_%tEBW#pq#tdQ55V;~=C?tKn8ppA!Kyp|bf|i}&*}HX;
zrB^$jnUELze$>t{MgZE;@mB{DO%t5fj||nTqw<{w=UX1`r!R?KiBnBU&skc>lbQ2Q
z`NvItf6D~(J^y<56O@5lH&q<}QRXXN>Nebt?9fB!KgF%XynV)pZM}qNH2Vy@)!bz!
z2JEtPpx}Fd^l&MKsY6{H;`W<Ch8vGsy2N2|%U{p%RYvI8fSzMpSQ7C$*ULb^u;^o7
zqDv?uoS+@4`mJhXXF`R3EnIt%gsneLKD1r01kUE@Ey7|Gf~jZXPzp^96oMa@(}{4e
z`NEcu34c_<;0$X<!S(l{X=&+-E2rl){hs}rSZ>ez`r78egpf07C%tnd0{+S%37d1)
z=d|Rm7^kkJ<jwSu`M_k-#2gh6lKj3-h%-^^XG?yhcDmIP73gt^Bm196UE@`ADqdIK
znHA_+t7?3|nYD_+&#A*_s)wl!Y9P9C9UDG(y(yOOC4}wmJDJ4gJk}#xh;XbVf2aAy
z%tVV|iXE*KG^YJD;$fZxyyHx+{MLGW_&dkZ);wGoYqIM9T<o9h+X)xN$^SX@&lV(o
zcA_gX`Lbm-K}t=HyeZSL5bsI6G9Q5N<jphRd390cD_xPGR9dB^@sl@d%Bsj&rdf~5
zRWnoGYJcXpVzGqP9f^FNN>b93g&kk*ij|dR`7VpyKh41_lF;MN8DK*GF^I@TAL8kR
zz8hJ)&^op{%8D`x*+9gkX3rFxXW5B32wuMQ<UiA47-_h_uj-*yQp+ey>T>JbKi0V*
zS}+#XMFRcc707(OD(J$ppTaE6$2YJyH=?1FAM(nP)Ztaf238fo!%b!?*t{r1tUf7S
z5NkJeoXUfG*z)NuOI&V($dHr4UvG{bY?y6}Bod+iVjR<d`0$ZHQdCIgoP+(Jx<(U%
zFa`ISl$GE4H~n60JoU$-Izg9&)_f#W#LQ5HJ2An$3+q2c7(;9Jqqd>Muv^fgg*7>i
zt+;w0^`enl9RpDUWq6lzKk7X~tEA8sT{3n~n~C{o5`4F&-rhm<bYK3isAGzuh<%f!
zW#S}TLBRnfglsFNn1RSIrHe(Fd9Ya`BBTh#j3=_ZCDLXn|6LG$x!icq!7~~WI*;PZ
zC*DnSMN2%E{56_d!qogk&O!Q%OZG4Q>mQsFmpF|Bh(psN6@a}$Tm6uIgQNoaTV=mR
zR#%`BSX|m_#m*dZgYvMpzWgiJ)QV-DQV(Cd2A)*nUmk4^B7MAJ?e>YKaw8(TP7WZs
mM{za$_TjxOLptc5zxjXO7m|x+7x)1DNQ%jcmJ1sM{Qm$b%@s5N

literal 0
HcmV?d00001

diff --git a/documentation/operator-guide/images/kibana_2.png b/documentation/operator-guide/images/kibana_2.png
new file mode 100644
index 0000000000000000000000000000000000000000..bfc60b5b3958778a3770c201d543dfc152b3cdd6
GIT binary patch
literal 265421
zcmce-Ra6{G(=Ln?f(3U?aEIXT?iyS|aCdiicX!vp-QC?KID`8jf8Oui+26&#*10>U
z*P5Gw?y0V-u6my8>M#X4am3HKpTWSu5G5r<l)%8C#lXNI?LWc%`KH<(Wd{rl+}2E3
zSi#K52n>ue&MB@_x?cf(P+m*ajE2DRi`^%s!MwqI;%LnfdQqt={Y5f2Sxpkje(7*@
z_1?j}9pbhp)+eH4>K5ux{-mKCPgqX?iLgi3AWSp8mR9~LkE0uVh^Kijmh)^V{Zyps
z;`ljpZ`o51@lS%~OfsVrO_<DS-`lEl#GgcbLL+``PCIGm`J1!!EX(tZ(_Va;Mk{H?
zm%bvr{z5Yfy@$4kT>_7~{aNSwN!E6DpP`p0MF;BDuvo>?s3_`37~Vj_fTD0s?V;B|
zN}#HPaoWqLMM}$`aYCr5=qj~v1W0=evSXDE46|2sc`}4zHt?#p_UMYFHjxXTWmU^8
z3M=l8OT#xlj?64r=C|%_QIEZxHmB`!ZHP*jwI3fBoX$)HcA#6>wBDHyzCX&kR~3oI
z_>Cahy3NleLhhJjVS6|Iq-QS#OVXS7je*xEMn>3z>~&(OIOLnk@!ep1%je#?`jnb`
z8yCg@7HkS9`0cXbj|t#xC4M-7fx)Bx=L0^s>HP`@Mhqq?BB<h;dA<p&t$IKNb9Gc7
zLQGtbU+U{|8Mi*6q%2J%OEams$_&V&8&3vaHyb1ub4ocBCZ&7Ov|!;9k0``ZWq|m*
z9XM=T{h6T;o|oQiIgd6RwjHKhA*SCtFD*=0yFyUH13cIRLjR6qwZz!i*h`Oy&*rcw
ze}`g_0i%@2-=T^Wph)_6l-pxRqW=4TN&WhXe^&}E$A>BSJ4Zz2fDxPQ@1%U{kY38a
zlTcJS5yZm&&MF=IKm1fBbsM+}SGP`hAD)4U?KgVNkrB$xDOv<m-G0a%Hq*$iMT<mP
z$bZ+OCV?psMd^nB1j@N#)c|cZaqVz|mEJSzpJ*FQ#w$2J`4LFr(SpOn7wNDSt>?{#
zeobM>-_D-Y*si1K|96XR#&tAr_nGb}96WRk=on_#0xO34(+b4Tra`P$Vy3m2;bW8f
zly6AJM4TXxmx=4S%b0&R6K^<ZiezNZHMgZ3Q5k^3=*rpq{+7r1%?oM3lIB(L$4O6K
ziElIwb)o&8#yRu>LUKP<V{K2})3|ZB-oMKFjERn3=-o-?Kigk2T_EZ!U-l4p^ZFTk
zT36)~uK?9RMk-);?%|AIp>H<SO<=P``u>%SE7;O#RV6$<!K=6g>x{(M4(YE<*2czJ
zIhi~dk#t&3Mjw8}nH)}<I!i4EU~2%YC_>)0JVoITW)FJ1iUa<0sT#(iZ->G8T=05$
z#B_P4+@bFk_?n`BjjB=`)J@+%Fq{)KYdR1pPBc`0&}}&XvY2{v{?lo7;Ye>Vf3REC
zk%b1pT!C%1-Re?C*ln}iZM+b_$KuM-du$3RT(3rEHaiC^!KHRbFp^rJLK+av=UZB8
zdfyck1Z}?LC|+~1$!NWSy<qF0nld~%xc?42y!*b}&uD#q9BxVfj}IvZCCn(7i(t_`
z5%O*6J}*fom2SWw;`%BY4H<pB6MNqEu463By|P(t1z&c3z){G<>iHO<*+)+Ea^rNm
zZ>bdnTglqyQkHg~XjMMU@Xf`CNwuiO39S5{R53Oy=hj<cU8#=xQhuCmYWrGe`CcP~
z%PmqjS&^r+nnfB2!;)}w;~5<FT@RP@*O{F;zdpUGUzMI9S>RbLl<B}*a|%-Zl~a{0
zDIfFzOTx*CGoRywh(^KVuUfHeFpp`KovF)f-M=FUc?ER2jZI99>;yqB4oAA{yFxeP
zKOHA9#HFSNF6(&-S{W&h)Q#@{cBQsr)QrQ(DPr>0`|SN`RN+#KW5qDlLWgJ1B0w;C
z5St<I!s}q6jrnGkmJS;c9u|`pJUSEXogJ^Xsrop%%zW`?XodvRp_|Bi`U?-^i{ixl
zlXM6F86pQ4#}0@yM_nKO??Ix@j-=u`YIid)I&M6vDNjnFQLh;+1%>S2FYEdyD6;~D
z?$$HQCxYL-pN{*}usPj3xGqe8#BgeA&sn%0+=!a5BSR6Ytb5Wm@INc@5^`>}heXld
zKB$~9iFI>jW#fg1pVNrFV#bB_dejhix%>3Y9lmhGxnkng6Z-8|dAV9TNj$SQeNX=m
zrTHBihI;sJ5G3FVRcqiN+FY&xumJ6B8MsvBIF3-@2?d)!8C-bYcc~<MKi|8w80~Z(
zuNCkQ@!X`o{F>8gu|;9%xPx(jASm3@^>M)5+ee#N>W<F#g2`9!7IX#PyVx&}Q&8S$
z=j9#QH}g9_m9|*|+wM;vVUY=XpTgt|w5GWkZAacxLHiItjg2eLeos=b(}RG>8!Uzh
z?su&fo_e(Z9NThcHk++rNi;&m_GIZI(`mv@Mo>VS>2fsyH~e!e|51kgOtq|q6W;1W
zFKlo{Ocg>QuS3@}I$T(o>v<TJIdmE45Aw4qaj~-XbYv_AwQ@(sm)|Fi{^~!$DhhzU
z!3+>hQ_wbF^UM-(p7`=9Uc6lJB_{ha31(f*yj-7ITWDLB!Pc6=A&^xarK`(S$A68C
zjrIAE<f&JIfRCzAX78jtH#3x;@1r1dED)8lo|^Q?{M_92Q-ZSH@rWYN?eA|q_XALt
z>s|0QQ>kTqYC8PSocO%%`12)vQ6@R=`0Wqp{mRokHNhEgp!?uneTCtU8LO=hf~F?6
zQ+_rQ5`(e#9OazbNgRgVca;9C{toCrI(zlBdR6?vX85Eq;d#4w<CXVMOe!5)@!27U
zL0)Lft<h|dt3s!n7`R5RSpS4$qe7_lLn4&M&sxBjh@AJmQWLHs0fZVp#<e<Bh9448
zS)af#D4BPRVdQsK4ALqH^Ps+ff9wI#c?-XNKj?!45q-&Vi2sIe^$e}M_JiQkiYMc;
z?h+W<SLqEHZ@n*4>Bk7|(wMDkA@|~$4GbKpSjytYLV|^bMZob)xmhHXP5<6^u)^WA
zy8U4(B4LW{oq7wc2{5m=X2_wo+-StW!NFO1y2K0&%<5m(n-CjDvRb^4j*fOcS!A#C
znC5c?&MDH-rRd-7hBTrAWiy)dJ({ae9VA7~I@_EU>EBUv!+#h4q<wosmQi@`os~`J
zKypFuYS7mE`qzszNlCvt1oTa6HC6N)7~rzqsSlH4#7B)7(PWe<XR8c<$$ENfNPXW>
zKCO@8dxlWX@v0v&icJ<v%JLi?#5GmgL>=C5xS`XV=|ys0G@PZEXtiZ#sryci@3ql+
zWxu(495LThgeXuI!enTSn+z?c-MPO|S&^d3hDA@sAV88-n=~*Ok+M)TH6^EB)qXp*
zUT3(7i$M4S*5-H-iUeHG)$7(ZS8&_=Z3bvlMiv!auFhJ>;Bex?R#Q_me=0khYYli&
zC8X&+CTM=_<-VL8Dw3`Xm6s4WZnfp%bjxp=3{&R7@Px@~yC3)Jm^D?gDJv^$9Y0;F
z`n}8XPte?4D4aP{BL*)GY(b3<x9NVq3yuoXETYg$*Ph0eC!Bz1CPSC4ix@io`Yav6
zt{bUjGpS>~Gw&W_@V10b3r}0PH#b$!lcDX7mFRq_9&K~_JKTDdb(A9;RiCZ&(qplW
zJPOb7c@BEz>Jk$QhER!L@@aSYIrU>cb0b#C+Fi7ytS|YfQl<OuWFGR;>#6KzR9aiR
zgX>wjxjG9Vo2a$ERCU#NXHxCn5+#c=RQMO<Q0HlGZJoAcD1ona=~y^bqv0qw5|_w9
z|8Z-#NS>zpcw)!<aJ@y)!K%}ib`qhHqrGp`nib*LM~JnHitsEP#b+X$U5O2{J8qP~
zFrYbR+hl~!xC!Hm5~sHmXHP*-xl>O91K9m3n3so&W5s6-TxX>28jYYW-gc~~li`yc
zmQW6&Fi<e^V5Q5ioqgnO)$JY719ZNDFaO*;%NOiK_TbY8g7)jf^~(yK6XQ-#M1(Q!
z>2~K!)owOx^jz<%i}T3pEbj8nlY^ypb(fVDjf%6MY|XK?j0@!li2U6zr?P$Xsqk0^
z28u=7a{nL#m8m}<B51J!U?*%`IV&3BL*uBGmZnP-qeA#KrfTBbm(IAn($adJ6DOj^
zCUu*yaxexzR8Yv}q-1-8@31}DJHWj;opCaz$bUQM5N!>0+D9|IOi23%I<s#0US#>%
z6(q6fxygBnh<sCftrN?#lpKQ9DeL&5qpf|l(IAiB@^(3{ZZx^p&1f~Ie05b?HU-9z
zSJ<rw>FVaT6Vl4Rf3UnYG$2l-MkCUleG8e+ZUtdsVQ~kX7uNY0%4oQHGTM(zOABM@
zenyhTWfv-uBe2iekAC;Me$l!tM`Pw?Gt<7fi9_CqU_E;uN-V3<f9iDk%EpGI=lxcN
zn|-Qt^EY9R2~TG?8=T(OlqXPmJ-*3vxN%|6XZs))5MoC+arTy|#CbpV%dZe&2No87
z17y7P4URJ&oypU*+$YKZ=j3X~3C-f0C@C}6y(>D_WPBnjnQCzzgiKMcpII8t!`IS)
z(BXo}P*ZiJsXjZtMmwFHn}cArSQ^OX1{rO%FqOu!fG4z?WTyw7SJHZ3-#1Ih$oT8M
zxu5FycXc@}+;4ln!SSWPLGyw3d>E-eoGzE3r{(9{y4Kg$%Fj%EUZMG(j#;p25n8G&
zuw*<gB=4V{m?1lpl32@C8$?T@f%YjN5PQ$Eo@Zc9*E=E0mZy4^DFM&198VGp%)d~_
zEsp*O)jt}Sg-}v*)O>nL5c0Bzp__g%@ua47UE=W>_M%%oYev&wdDVIEN!)s+C2M)_
z;J|J2;v*<-c%&|wRe1b?cfk(>`C?PMoIv#_qx;jHTjQrIs>NG8wi^1IrZX)U!M$e_
zTfXbam(Hjn#Gz)I%`^3QBgWS^ZhbAeea+&c{*{kxQX5^&Bj0~A&GDbG^c<!Vb;187
zFzB{heHf1}6oH#EuT)0Bt7`QuqM#9&LIU6YW}VGd=VT|5%Vjl|aJ+cigv#G6At9mA
z4KrGJR=StKa9~u{f&L>+bgi+ffCZE6FstXT(owt39-S3GJxTrSFV+rKL3N~mb;1#g
zCXAW=Dqgy4BH*j0==O4l!}>jmTB!^@>GS-UkpJXdaE5W&4Z`;yy}Fh2V3$FeZSTR!
zY9n&f-C6AcSi=8HMGU@OB?>s+9$KZ|Zu0yOa^Gq(@a39~kEGJXX`5F6g&^j@qgTPV
z#qILYrdoj3dDb&Dha<-}B_Sg(;FY3wy#M%)XkLT^52^nh0!DcCLjA$aSf>f}?Vo&;
z&rH@!(Leo1iRt}|W4NGoN742kf}r4n&P`sXVfhLKg87#kywwf}R;P+EBfAtZ>GAqa
zJ7>1^wgt*{uYY-<Dk<jjcHwDkov;!2<6y)+E=1Eq>o`Hu!8WUPP}C%sivC&kLvjs&
zY*Nu?<j~xu!b4m`_w-wOqPNdqZXuF{P9rucad1q#9ei3<-`*UIl?(ue<K*>nV7lOp
z$S`ao(IJ>)ln3T}RWum>OFFG}5X5ZkQKQGA{<T4Pw9d)jgBkjNq?i8>nJfa``Xl35
z7BoDTs-xDwqK1wI)tIo}TPP^RzAQ@VDK3v=n4O$ROpgRIapR4B_=2B$wHgK1k*-Pq
zt0qSs7&sP#z+U~4R;qDYT74rcXe~TEV^y&(phJM7g@yD%UQ=ydqfiqG1r)0gqDa()
z$p0!Mp2c*vRP%~zw=_tx^@nEP*cwFINf1;)GA3qiZJqC|X&&!fq11xy{@ULNFCwBs
z>h4vd%UiA*t6A!2R=nEO+FPn?XpS3z8wFFG|G#qGG9Ic#AHrm~OQh>{>3_Eoh7*lq
zWJLd)9!c{vB;|_DMzE}P2^=+b03zFoW&c|e*vzN>L-qe%OoSab;NL?)`hU6PAjcFi
zi$3xE6Vb8@Y3PUWJ1fk<UK)<iUUb2U@p7BJzJz4Y9vQcyx>?1f!&u$KRuGjRoJ7@e
zaFT%Lo!dluJM^NiTJ*tl_s*RYan~o=vg2P#Lb%R0NFpW8%VtNv4u2tRU<Zw40${WU
z25@|g?pDt~TN#gzc$m<gvkj>`3jg(nPh?fth<s6X+^FL%RO~{Z58rChj7WjkTm3qA
zH$l}Jt6P}kn81OVTpEnc7DLGhjsU_O=-vAX+^2`U=oOwiPCiG;frXl;{jCCa6ApL#
zH(keVSLlFXr-5E9>;7aCfPVKIm}iRUR$}k{qzow6h(Ii7qWrk{%Rjg)3BF>Fe*ogD
zwts3-yf)X(B+{8#`-3DYkc16YFL>4HLAr`@Ox420OJ2Qlm=FOjTHM?Mc16_|FM=Fr
zo0cc2hrH?wZ!xB}L$dSrqmWHZmTBE@O16$AB(Ey#e1`zn*A^D=tl;}zi%Ewme-o!y
z!<1;gkAXekUcAjnjCHYpA`)qvQz9`oG(I<5Z%GM~;YPi}9f20|R*)qY5vu<v&6NJ=
z^Y@-rlx7zze`qhBonTj<j|Vw?{0;asO$(BhY_c=EbwRAx_g~xy^~^o7C;_uIu)W@%
z{GRK%mBB)Qz~0m_masJ63a5)XF<$Pyz)`i?Vfno<)?E#Z1c(*xT%Y0MC+l1+Peb8Z
zgC!h<%sKcPkf~L?z-3T#^L~wY=a-d1@ZdmrSC>`04sTMp+9tt%Oz$T*Q{F}ZO?&Jd
zDG$V@p6$T-HD7C9skdj82iwqBt%u!!1f1jb37FXo=iDhK<Vs8Ih+RAe(#>3e+33}a
zX}ZHh&El_<E<W!eK@H>w;l4xVvDOJNo((3CpB6j^7FxfC3nL^{9&AwM*I~X7K7buW
zOH!I+U_`@p=k&<i>$JA+s}|9*yq*J$!gynjQnLFf4AgxQq`#Xh5;=%L<yMT={k*>u
zyo*+NO*js$(LD=?a~{>GdtuDp^1x9{ORg<D3gYa~*cFUH?c@y~AbsU9_e}6*4_V(Y
zIoSOqqgsvp(WU`XP`;aNRTDxY>RrLuUGe_mCcCl0=w?deIoF|iVW)uzFK`IsM({hc
zWp^=e>}+O*?~(Jf$H&QX<g=U2Iysm_$V>ielEZOT$77Qu%i(JnnVeJX`>!*554yhx
zfLbUFbr^kRKMs_hzkZ^OttHWHC2UC<?2Q-MC^w06XDE-~*35R^L?qB&6~>s4dvVjy
zH-whr&?Z4)Xk^<~zt2(0Q$wa79BWF;*0OuiW{gFNyV-FibxZ5XYeI9O_eR8)E#Fxl
z(bNd?Yb9yfXu^@}T0=H4!s}__{$v!Ov^XsPAluLFXXm#5ffXI2tiuF|;zhu@PGvRW
z=X1FlJT&9AI}O8hy_%zP)OAEk89%4=T{w2tws#g}Z?4e8D{ykUyJy<ljxFp6A}P7v
z5M?+|n<au%Ue|veR5s=1m$6b-T(cCw?b=3-;1<6Z=>zfB6<RYFPw|IA8f(Owi#YLY
zmB93=0|g@V<abk8;DS1SrD?Q~p(4UMsZ7bcOw=U!r|}aF2FtWsqcWZO2tExIv$4sZ
z1*BrF8!i-m%vd<dT)44Os$cqdj<y`-t$%qjhmEuw8#pZTu+vNZ%9pl4V8Gzq2l40{
z`SzeN#Wx-!JSNKHA>y`mGUnz6;4S_ZxHpBNXs(4gYht%Otys#^!XmVN5+m%wxmO_?
zQb){m^p=;IK(r*1yIXrP#;LgU*gX7kcsZ1D1h`hOxqnw)t~l~y&}Dzp&&qs+i<+hS
zO{vKcArkID@Cp*d;!&E!4IsZaq5NA~ZZ1SkF~r?G)z|$nUupSGxm2i2Kn&FN!CYT&
z>Y1a@Ha$HI9g=;$+Sg(I(sjf$g-bhI)XMz@zbe=wI8cLDw!)99DoVpu1D+s;C<gkK
zccw<BJz(8%q@TCeMMCyxHb)dV(HrDZ+WPg%*2>10spG>4fX#hxj#r1m_9~L@{ppUG
z-d8plin17@nKeWX{4gWV$<Lp|!96>fW~O`__j^+f6p7ZwU-BbDzMd}L42*xpD>%4z
z&`8#BCRsm7MCjSVq=&8s_(pV+5w9OtZeI0XahaN%Ky$MnI1ys_str#Y_8J?-t#6dr
zDDxZ}!E>LPW3%-jSE26J^5$6v2ya_wePOFZaUaeZUg6Z*c^(tHd)vp4Ha^_0R_<0y
z-CBXZ-_*Y9@d9solY(d(l+en&+Phmv;awuq(E;x4si7sT)6^)L;!hpvim4s*wvZ9t
zSHakr;H^-I7!0A{d9qeRU)($Sr_@gyJOcXA$FV*C;Q9lq%`v!!5H<mIih~Z0<$?81
z3kVXdg|JBkxY1Abb|N1`i@Q~sXG2z6Uw5PE$%WN__UBtD%RDxyPlW;MyPz>yCwjQ?
z@)z~**Dm=@k9bGnEry@+Vlp4y0oTth&QC+rpHIaJmM~-2ltbb%lF<IiE~@TDQoNoX
zfIe71Ek?^hw}A}{n|gA@;jh(TaUlJM;qNOGFz0mFIrh^GJ!k<n_{03OtES%cFd=7d
zd(&)cPd|-lNex0|O{#MpTpsPQZ|5<qxSD!w#^_i{kTM`X`Wp}0XGrSc{XxGSndKyV
z!aEgL2;&3$>m*lDlHnW|$n&nvf8f2n^Mn=6%3cMFlX`Q;2lEAVE?kUK6iKm=evT^1
z8U091bLL<mF~W%&J~g+gYGgvRgRY(w(+;0gd+f-A*inQ8%0T{N$8vPy3W{P{J@(mT
z8)sLub!i&aGO+;{H)2zofEcgeInYDS8K>L->`Z{vFK&TU;N%D+M8W2Z+}QNgmex2p
zhFQI|8oIb1pB5b8A#`oBVtlZn)7um(($ktQX<Q3!zILSZ5PZyWE)z94)x2z2Zzjy#
zpuo*0+iDbW6Ax|Sn$cl(UP+gDG^sXi;oRx|)Z+y^)cMBXZLNYPtm(R&eaI>sTvgk5
zrMW2c@GFeXd#dLGDl=r=Y1;?Ke#_!HKV#I%!0~pV!1}<c@h{{`lBOE(#lPP8#P11u
zw&R&^bL;v%q@vMNXTpttyq9{3;;go0%L*ap!M*`Z2yT`m&%a&e_-?U*p!>db+)jz`
zF|@K110Rh&J3@FcI<*Q7>E0xWH;%rr>Wnn}($;s`y>I%cie0JsqHmbchJCo}3!mX^
zATwnYIYsE&a)H9r#*W0$6g{+|qV74r@v~C)L+q1#58ktuH5^uRJuZc+S+j}Lf<$QF
zgT~jjwnJpCqKLcTTbR2GYut2W5>Yl5x~uPW!5!dM^lTQej@Ikg-5we}x3{*m(v>kK
zS=Db}{scOiCsX9Z#jBynrEJ&o0yMrTt{_aUnp^D$!Y4aT2S-*KUx0%>tt$wxcMWb@
z?j#_uS5d>`H-uWvdJL5XPpzjW9>UmjBk}4v3Dua}()R4K$45}|2g+agq-tIy*Hv!;
z+Fia_(r7&ANIp{gvX(DPXYoy3+b<&H>*>)(2aD3RUO68inhxfBO|(PEw4rw@qS(u7
znZZeHx}-)M3F?`Jt6{Fg>Qp&lw-3MNFTxh{^O1!_%bqo*P9l3sm=Z`_gU3|N)Qw&|
zFHZvBM9YM#DmxQc_QIS`!{NM&p*GrDS+r6MHR_0=(ZYod!WT^JwbMc>hL~f_dy~~V
z@C*wwLko*XlS8``ePNRnjMF>OM|f!}kzxae;!;~oczq0plI4&ut{NM)Y<e+~VXJ2c
zf4uJJ;n+wInFeN={mK`@Ft;*74emNtU7#kG%X4er#TcNyACFgOhLsn`LkZ{*)7_PU
zv1d3h?agRRvi~_+)Fdz4hk%E#k?uWni7=*6eD@aZ<@%@LB;0&Mj-L(%8o0d46Z-C3
zN%muC#ESKeF5`f153*mKF&E*#w>`$HFl2tormVTF*$pyciK7|?S?+8C8S}$-!|Au5
zIx-{CdP!2RfYx_w_MFXH4eDqN-?<2)$zas)ZWD`F3Yv2em(HWWahF8`n6p7cMP>vW
zIfOynM}+--Xmy_=TSA>OAZOolM802Y;>ji*-99*ik&<4&r9p`dk?Y^S2*_|GB-!vU
zYAp?Irc4=4bRldk&wgcZY_Qskp>k##doRjxXMT_9@|E{qi^?7sTCgJ+kN!$XbP&Qe
zjNErC&Y2vsf`cFQLAM!(=~H5O<uy68+<4aE#543(384D+4PX8ZH&R;m)S$6q7pCcX
zEz+70`z#^Y#d|9v2BILz!2u@&DYJ(cUdWH!iLvxk{}*fvj(jI~{4Th*$PdE=yQ?dv
z$jx+H;4p{BZV}t+(_snZ6Uk9#jaC<OR^qag6S&dQ7UlJDOu_w;$JG*Cku03#3I=vG
zYnij@c^Q@)&1DMY@Rf#srG4d?Q@Qr=SGl#lB*N^|d)LlKy$iP-AM&F%j+m08i{X8W
z`2~TEPg)Bu%!ZQsP!L8FC6s>)*KN;9qZ8E3XfGLG&x~e|NZiJG@OCaoF;hGCIJm6j
zz$<|>O|tNr*r#cD-*9;?40A)kDbAKf)-w^xCE;B(tfU5yF`?z@RLY&#Ja#~%Rl5y)
z=!9t?qF6I99&JW@Q*qC=qPDguhmu1LH@;6_y;uB?n5$-Mt%N;iUYWC}TsjC-XGS1s
zrrV4vbCO1HPM`GcVOwaqqrr)?f&+(=-vM==hRUptbka=#T*Gk|Bv-4+A3V(bP$P^z
zUD>dF*$YVWFKLVJ?hC_XV%M&}=UGC>8dajp;QWJ^Rfk18<E*;aJa}$Qv9Q$%1|y3=
z*Y@U^JHJCOth9(t^$8N{Sm7zqOx}2y;gD-qgTzvjhG>Sb9gx{A*IlZ_f9yx2Wc@+l
ziac-gY&_Y8Jk`nEzvL{V;EcbMTS}_ftm1zR;1B!`T4z*VE7UI8*fxp#+Y7KS)-(*-
zdNILK!)7f7w`98%E~rH??!?n2ScYTqY`p&yg3OLOJMFh(sE*zO+qw)Q#KxR<vu@uV
z2UZLaucq^jjvZe~=e8}im>8h`-br#YHCk>9M|D2{Uz_vSg${__=aCjTkNsv$UL(-y
zl@3gLL}gO#z|;v(LZA_;ZSgh!)`~JD#*)7Mw^)%>_W7UXQ2u|{`ReX}sT^tBL7Gbu
zL&9iE=-A}JI3qq6)X!fKCnt;}%aI5`kLUC_q@TuRXA8!ws{)#u?^gFtWo5pzrJgy-
zw<`$ubueC?Nf?pI$-WzvRp44$#%X|u&Zwv+T9a1ARkcor@q?}twq(xjiWv2WG8>~3
zo@y)Zp4qy5J=MPgQ^)jDCLzOpe*^}QFrkFDBYYzRhl69J97n+_*@y`t;lz=UnOiC<
z1WUtV{2iEXu0ZweIB{oQe*~o4C;P11HTL+z_2vN&5A5=u?_OR$0ihJHQ-hd}L5oBs
zHZ<e1%}Jp83D2x9c`tq;A*D{QdO1A?J+hywkm`6nQ*!XK1Oy8;V(RKWqd2y9eu}NV
zqmr$cpN;NM8J&UUUh;oaFIk^{Vl^EZbg)jlerP0A-?W*Y5kv16yo#W7RBI`+;*Gia
z##3oH=6iEl62Dy9`2e9j*aT?kxMJ{v_cy@ODBqo}ijc&-z7jIAQ@!rCT35PHO|vR8
z&q0M5c7;z3zgW{EQ3X+ox8;l7$vV2@1nN*aVT$C41tTy0eA5{)nR+49T(zK+SKp{2
zsKS1G6;8~=q-POvXbk{vV}pIR7*eOjZiV-+PNREGF@AB_V+XUC_>J5$4h(?h<uQtg
zLSWHDgoQDFBQsCRM0Gw*$|&B=KJm&^|Cz2XeY#t?@oi-OQW{XWHo3u7qgkI`phicP
zmu&>-xHxfdcI*VTZEfmY7Sn?g^c61qsw-Izox_?(J*+#qJGS0*x<}pLT))kzwr^xO
z&M)_G-5~%fx&)gRX|(Q_DZU<oJja>!V`nt<ihX2TAqIx~ZAG8c6EoFWE6%?*o2wBr
zte;I+bq~EbWI$EI%$KibI>h6Zjn$nT^=f)lMIj-LSpcCHO2G?KD0YC5Mp<0GC0LPk
z>HRB}Zf?5nf31WO-FsYh+z0KXE!Y2it9eYNSG30Rz-)UGzZ9hd!O2@VU%@GBQ!JRF
zn^ziBP!^JO`jpnB8I<qsP+lCAzNphkzq42YdDGc&quS=Hu706jQB2p+<fquD!28q@
zMvW8or-17ETYH2v&LJ-Sv#@>qL#N8`A*v%9KHb)wLPSO4ezcKTs4+K{5DJB*3XJyp
z&W%EQb^hk!ye8U&8P(Mi!Rmm_FN?YA3xB{#g~B3}BJht}z1kyfTJ#(PAs5Pvpi2p}
zM=s_>5!L<{1g*vX6i<ICwYGTkBEUZM+ulGSn0(9&DZ)(@z9=B`Ot$-E!~~V8qaLd0
zmoEmQ{%mXQ)tDzJJ%cZ3X5UeU7ehuCNTxcAa?hpOE!OpuB>P&E6FA5@5wLs)Q|JEl
zCnSww&|xQq>y=4GMb1Ik<G}1{V<U{Q=Bq(VkGPZlfR~@2v!^H+%Nmd(q)8euhqNzO
zy0;MHTuxTHra9WGf>9`8i;T+XS*gT{M8xe`$=jF3aQuf)C@%Kv-;wKo;sNXL4Pb<V
zg)EUb+uUZ50!xp@`gKB5dXk!0yg7W|quf>^4XrQh0)S8;@=*c`>5PlR3mfC5Jq<g)
z%9d~3?ZW-m=H@<vSAs`SJ#dd3Q!EpSih(ptJfk8NYOfX&cJN=I1dy^e_i6Mg&tDtO
z&jU_X;k0A^^eN={+^pqlTZqBQBw36d6M-4+51j@o4mksDX5fYX@ft@f1Th*ExMBng
zwSL=kY=jayh@(D((9S|ta4E{77#1p-;j0PY!#UK#oo}5rL9RDs)p$b+dnDi1*iAZP
zTbmh6nlu?v1$PA-=Lc%8R8qM%1?4w^MH&T$;qrb)Y(x6rvVCNWCA}sK`YKgQOBHhW
z!xAoDa5wB$V+6`-1nO$#amLK0U_RIxY>+>dO6heH&lZlvx*+}$Pi2q^yNWot(__K<
z3bWk>++?cH_S&C~uMkT5h4$F}(WMhtVdx=IiU;RW(SHi&-cKxQG0Z;l{>;ospsn2k
z!$ZWF#N=F~Ad-waDd+I4$X|v0G+wg(9bOUAt3M2lF_RBkM9j>uJTf6YPgavGuS{@A
z91%XqVA|S>2=#p2L4wQy$i?V<8hB13tbe`+6eFVh%N9w3lYt(kKZd)qKGYnwtaVmb
z87)^KBD$A)YfX^9V8ZklMY!$zraP-IQ*bB+kYe==!;10qJDrO?J<~km^&BfpXY`DO
zx3Z}kqNYj>Hb52kmH?zo4`_t?7cM~N?4D`grHEjJj{5~AoXYH@@GKUC>vXt(Zgb-g
zt=rVB?34UA+~sFz{%^|bHFX;q@f~b)Vyt{a3x<T%=fHybMrM|<A>rcc1%dZW4PF{T
zF_Y`PrSZpU!R|c))tB`27+&8+jHSsD6X0@x;?JW|0BTjJW#zN|1%HtHmE$I#CIqKN
zYn6AX{|Pu1i-ki-1dUA6KS*T%F_5S}VI*ejZ^joP&*#QtOnnLIfVcFdTF?=L1`+?~
z@nchLCFRDn-urL`X=!Y_#Ec4-`i_pc*$(JAE@v_KGq#b+%M#hhpY+15*G?r`aaCvv
zHF3`41|t$7#!s9YM7*CfAUzDwT*1^xK6-_Q7*w~UnH3XB=;eULHm^oS^~iWX+gnKc
zr-@F0+~v)UQ#uBT=F0!oO!*v-g<AIo8_G46EAVn&!}i-}37K~As(j|7pAoPbZia^h
zh>8_$UUfvezrz*b#5#GZeH1q><Eslv$;i;Q2&Y7SVpZyZYtXdXpI$3EtdFJ+CRga#
z%WM<quQ^!)`<JnfXTXowFihuROlJhn=;cL%5|A+s4Sm0g`);=T0oVP|D128|Iz~tC
zsvloKlasO@HM}pBjQU^{IRC|@)I}qyPz#lcRrwi;w2DmE%ZOrR=v5ylY{Y!`Fo5u}
zqy~cb4EuGb{#jJ@$gT4Dn!?^bg@LPY9N14M6#9$Q#NR|RRKzZE8TP%T7E7R5z`+Gd
z<OG_n1?GzdfNKb*q2bb7%FN208!wN`LJDxA@>viM7tl>q{5?oSF!Z_$!R4{F-${j@
z%Lw2qwP0P{A-rC|<oOXB%~fZ`h5u{cq!AjQEJI3n8cB)4J64KXTa^q$-pVo9f@KUM
z<cS>Q*9Sb?<JcP^ir=b1QnvfMd8&R7r$wrPFVALv2q;N(We8P@kjHbP?UFlg2jLGS
zgYR#e_Ycton$XRWM|ilOCo*7Zbt_e^kO@BXJZ3f_|6{uPNU^V&gkjakzZ7t^ocAES
z6{o6t9pi7$^cgi%`QO31-Y{31ky|`DZAh`pUL9Rv*P5WkBEeqnAy1bk`5SmpHnEk8
z=u}tj@mRzv_O=?~G`jFtYQaOp=lYaS{6F47Jt=zT7@NYuVEw`1lNsuF|8V44#NueG
zv;ihj8_qG#BnPd`!06u6vH(~=WWJdpmPGniB`5Mtmm=ncQ8?2Di3+X+0a0q<s;3(i
zRqE*Io*ut7*|tsT6!$W0UR$shTfvNL-3#gaN0S`zDlN!{UuOI9|Gke?Od`f8aI|1P
zb%;YpN#Na_Nb4!dF<;CR(iQRW$o2Nxsc!cLT|jC!Es(pC<d4Y@fe2Wo+9jJ`02Y2^
z(v1o#5K3+}HXEPr&dZ!8Q+yzQ)BHCmZO)}eY_)}ZSXVeRrpJM|cQ5C?w6plJlq_B@
zuI?3CbU4O!KkDXsxb!SF<!eca6p<K3@;zWPdh^)ce7joK)0CiQ*^*WVO=bWt?(5$H
z%Z<pQ|CGLulYc4BB9<~57}R?1c(=%ALsckKG+ql^EJAF#LasExJ{{uG;Tuy*IiAJt
zGNiN4lN-dFE2e2wd3ji!??|Wk#_&OKIWM$rk1OE*O+Dk~?!Bhk__V*K0vD||^)&#W
zgMa_TF5;3ILel9bbUh*KSp?*3Ns1iEl3T}L|1q1E$F_&7DeL2KG&mYL7&1RXCa>0P
z)jv1I`Swah{)+wCo3;4NP?!x{(4=1%sq17uzy^GtsA_FVW?Jk-+2ca3zhhxlDS1xf
zTG1Lj=ZgGl)@wsQUW89&ukpu|_(!sXyi=%xKRb0jCc$>Tm>EKKau9ylkJ;a==a03&
z^jcfV7g2EnSi#e3fW1C_{qiMOwg;0CNhS@#^TSKDIr<-!jcF`?5<^4P=lq3$Fh{r4
z2Qd_#6$`K@tLJ}*`Z4E~94aA!&1LwfX%LdpnO5Hfc3>E?rUSxqO=Y&~AI_T3tU~6m
z7!ku4XmCl$ddJvg8dkaO9Z;uyM9SObb+mP`!9`l`_>+_^%@;UI0WiOT$MQ9sZ=`?t
zXCFmh9^ZTRcypCuvH6MOFOzS!2so}Z;1TX?X}uwNI<HsfJMFw5z7%$C!2oFy2e-xT
z8Z86H8$1l_Ejan*;WUzl<vRH{A|sB_!W)4RF5mmsA#sz%S-u}l_Y3{Xo|;ghP#=9i
zl|F#DqCJ#TLTNLj!?fXyc1U5-KR89|wti!5v-#SRC|yv)U^b7O>RgMn<x%Vq1n@gf
zCTCgf2GQ4gu-AHV+ul)Lfi8PenJ_k)|L6SYOHo2Q@NET_Xt{`L=A5=l@5d1NFK<ZP
zx!2+?HB}eWjtY%jf9YtWhl-dk0bgP>U1*`_!$bG&vUclT?cM$m1xe@)$XNSkScRW^
z({)_EXGP66H9c@yB6Njvw)fTkoaVd-oj#C-?Z-2@yxUcdd@tW#<y!9P?>sYno`1l8
z*wU?(V8*oL$2@j%k>&w9KsR7r_AdoOoljGr8rkq3phikjreBZlY+P2ARE|A%cF`Vg
zf}6e^AZ13$4lxw0C5kKS$6nMhF`d4hw_mEY&tfe<`*`=2tXtZxht9f|7V|0@$r(=G
z47wiOP<C){5G@&R{30#?R+;ESy6p~+{axZ2CkLWZbMT+m_0rI}d|{@$Bin_x2DIdg
zJjyR^Z(tB=1Nm0X!B0lDXdBhv_8;j=7<cBSQ$dy{k#-fHszIWMhrWmf>pi)zk9})s
z8a^CSI<$f(<DG9L;!PYB_;g(e_@DS<R8#K1-0~ztml%C4fOV`aq0lsa!}zmvTbEkF
z7as~HD|r#Pb^9~Q6#d3hZD5t%`DnE{$IEG3LMmsjVj6$Qu70c<ow*6@es1rwj{vyy
zMW|R-p0b^dgSeHSi7d~rlwkRf&tllGyXwI}vV5sx6Zr!o8uco?w>;sVI-^sKLFo7c
zL|N*c5Tr$N+ckhR{155VSGS#uc0XsJFQ-HJdy8a(?;FVPVBC+(N$UOe0N4Y*b5`TG
zqfadPY_QectyZOldV2`2=MC3!hiZG-={BzCfvC~0mLXB$bjEDPrV3$Z_Me;xT<ZzP
zz}QS5liZS40=_>V2`pD*Y~ucLxN;!`I3`#7DMd?*xz7e(<~?#cn0~|RdO}B_HUkUT
zl1#eI+14W1bngb}{p4W7nL>AVouE?d{o^JLpBK_C9S_oNdpL>vSoDXbQ29~X42sAu
z-zvB$#)W>tXL1VcDpkCkO#)w(_h{QmiT>+Y%8q*wQ)TEV1kYRTWzwN(iS^3op=m7=
z5>uk`=_rvbkjHN0rD!CVK}d5u)lok+q5RZFa1A}4Z!)-sdkMpf`$|u2ynjzXFLnbp
z0!o>?ghhm}?&OsbgM6by12}5@)n#=-i-nU)*WsG$(oklY?3DtY$4+?tWK%_R>n!zm
zYz%jf)9afydpNOO4cRkP8g}tv)Jt+sCQ;{PP^Yngo(v-6D)BDDyY3A;TXv*iyejKc
zV+UeEh_i@}2QVReVkJSN&Jpq<NLxU=IIHcwcUNbZ;;f&2=e~w?*2)*dxtcqu6qkU}
zXf5lCZQZ2Px$|l#*7<6RN|BWq!(^GE=MqnD*Rc5OX%jG{uK#ukO%bOKu-G*QWj&dW
z(WP^LDxj^s^(Y<<W-^ud{``l|_%>()_INLTO9Jgs302j&oxz$ni=l_<w9L_Tf28aY
z)s<2LQ;oGXlt11|=;WzSOG;;g<)8N8>0B#Dq;}=`q2(yMH9D_hb`DhSfTfX<V!)2{
zu1m`9T1FtN6y@3%@&80i<KEb~Q28$8feu_mJ6jbx*CW~(F7$ApOt0FCf`ps)%#*L@
zOx6lI9d~X}$>cAF`SX+NtnNPIRoH_(=ork!rDl)M>Py*wtPgPZ&FQTFSjfy>Y@k=;
z-NfBw5Z$X9r1<hlJQ7IYdl0j3)N|hXbf(0y)=d<G^XM`-eo`{?`bhb$M0<2ItIEV`
zVk)!`7XCqBTnZOS%E^3viQ_|pZh(j<V)#8$G+s-#!&99G->D&RJhNd9(#9fyHz2F_
zcH8LKffRZPaAvr*)AYn{fah*A`pmnqMkv2I55|q0HQ?p*tEVB0zw3A#)555EXNq9(
ziMuLtGgg0LbNC04%ce_)V)yu7qq`IQqrHHH5a<dlFClu!>^Jhs5*o7b0zh|ltr5wU
zl`)>LK^Lg_U?^{Qb*;P)Bd21_;=FNv7i954=18^9)&5TN(F`T%^kTHv2xB`MIn=bR
zzS}R_<m#bq(L#*tLw)w>z8Nh!pV3Q@QhQP&`eYwP!8dXeZWHGYgExKGzhZLfpVGiv
zUIEe$CAjcnbk<Z}kO}M2lUCbHFphRL`Dt`-7Nyu;SEt4w>ETRVuCo>sbi2F*((H1r
z3h}6mi3_b3{8gNSb4J!NJ^~hus60&D72fIfekmTk0KwHi`6&Dr{QP7D+&0B2-ihX>
zZexAU;x17=mZ}K|M-Wr5fnl=*%l1nC?_(fU_a=${aJ^`KcTL$!j}2s5+4vH)JV}Ah
z7gP0~KRwMg>BlBcNEt?v?8bi>kPUw%2q@uqrmd@?Og?R3V?~C;ywJMv=Yn)$Gm3G9
z8s+jLMmdGGyORV)Crlt_8d={$j`gT}SlQswoTg)Y6wb#=0*tiYmRh>+>^oFW%=D^*
zT+K)%N5`uUG3G(E`l<g9m!)9g8H1+@#L*v^LHtGt9H18du4=qsioW{U8cC;?O!z^a
z3Soe(KSRD?Bi5R()TmXvqFZ#r$N6A@hlBr0|Mk`Nd4RfR3uLo9BQ9s>lR;tYpm4_C
zdl2j*C@84FoU-ke(pml@zFlSr1CaWXiED}N{S1xGj#T=iL1P+dzuxaU@4&8Rvk{<o
zR4HDc#GUSV8U%uAQmSBSh_M-VkDzxo``Ml;FQ{$zSPF&jV?z}Et*OsSF1y9!<@;Sj
z(=?n)maRA}QROB^bi|c9kx^rL5ct=&e8s5@e$b4wrHpl?c+Od{nA#ejcyzOHl|J4`
z$4dQ3UmjI3qD=@){aORj#fdHYB~-}Qf)MUuUNUMLr7DU=QzfU1o!ltamz!|`(8IFN
z`MOPt56Iei&P&(v#2yIzA4qmg9vhVi6vQUXfN^c<-CFy;Ga;lcg}I|EVQ63lt`3sP
zRB2CJ-v}K_E@K0ff2DjfjBE1hNFnN4RoU1IqJO$tY`@Ao$qyWVvhya^4V!?e)Mnh;
z2G0}sw-;7aHAKe@Y#LDVVb||>az`1Y_{uo@>9}OF0p`WymjRGy_qmyyAj&GtX@;!_
z>63Kd%lx%OX9=Nm^hi%6Z`>2b-DlfZ9;8&B0pFjNpX8W+#QPJ}oz&V@u0U1vwa;NK
z^3rwGdDKI4c>$E)ws`Pa5k>ERbgNWX|0zyD^}pORW^%zrVCe}wsOwp5vPSe$<)Vp=
z(S1cC33=SBS@hZ2OhxG6tK*#$E{H|3gSwR4&b(y8Nn4y1pr?f6W=TM)HzA4+79-_)
zAk8PukNvR;iNm>$YXIv3>hNLAPxLBYI1L^uHW`^D;^i`TA(NhVt`5T`uK;Ex8nvaC
zT_p5UD&oX4Q5oNmm0{oAsd%%|@MkjUP;c!UTh4i0P`PT){UK5O9}7by_t&#SUHFUw
z@CFgWL&Q2Q3TLMbM6bvDamk5|ZYN5_loA!ORx@DOOc147kEd41L`!YwF2}h90V>{O
zspWIVZ;R>xW9T@m-z^39LkZ9OF&*JrI7SPrKk%>=%N-9~Cv;T2cVkEIe_D=CWl4Ki
z2CbI8R<5?Gwli#ArO=IQEjN}qv#2IIq$L#*m^9r;OJ8mYMBzR^=BZDO&A>5Z79va%
zFDp1UHoez$H}2v%G6!2J4pk>Ly}dQ7fztrvEJU7LOOa3%W~PN&qYJZcREL(6NRTc%
z8g_O~e{1}QU)wB4>r~&0Mfvi1fptTO?Ia`PB<2j8A5<XZ5ihTdC9SdYxH2