From d0dac3de76d03bf0dc347d89ec5f730a47de958b Mon Sep 17 00:00:00 2001
From: Uladzimir Tsykun <tsykun314@gmail.com>
Date: Tue, 13 Jun 2023 00:27:51 +0200
Subject: [PATCH 1/5] OAuth2 integration allow login/register expression
 checker

---
 src/DependencyInjection/Configuration.php     |  1 +
 .../Base/BaseIntegrationTrait.php             | 42 +++++++++++++++++++
 src/Integrations/LoginInterface.php           |  8 ++++
 src/Integrations/Model/AppConfig.php          | 14 ++++++-
 .../Model/OAuth2ExpressionExtension.php       | 36 ++++++++++++++++
 .../Security/OAuth2Authenticator.php          | 16 ++++++-
 6 files changed, 115 insertions(+), 2 deletions(-)
 create mode 100644 src/Integrations/Model/OAuth2ExpressionExtension.php

diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
index 83e9443c..43617b58 100644
--- a/src/DependencyInjection/Configuration.php
+++ b/src/DependencyInjection/Configuration.php
@@ -225,6 +225,7 @@ private function addIntegrationSection(ArrayNodeDefinition $rootNode, array $fac
             ->scalarNode('svg_logo')->end()
             ->scalarNode('logo')->end()
             ->scalarNode('login_title')->end()
+            ->scalarNode('login_control_expression')->end()
             ->booleanNode('allow_login')
                 ->defaultFalse()
             ->end()
diff --git a/src/Integrations/Base/BaseIntegrationTrait.php b/src/Integrations/Base/BaseIntegrationTrait.php
index 65a33527..502f0226 100644
--- a/src/Integrations/Base/BaseIntegrationTrait.php
+++ b/src/Integrations/Base/BaseIntegrationTrait.php
@@ -4,14 +4,17 @@
 
 namespace Packeton\Integrations\Base;
 
+use Okvpn\Expression\TwigLanguage;
 use Packeton\Entity\OAuthIntegration;
 use Packeton\Integrations\Model\AppConfig;
+use Packeton\Integrations\Model\OAuth2ExpressionExtension;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 
 trait BaseIntegrationTrait
 {
     protected $defaultScopes = [''];
+    protected ?TwigLanguage $exprLang = null;
 
     /**
      * {@inheritdoc}
@@ -21,6 +24,45 @@ public function getConfig(OAuthIntegration $app = null, bool $details = false):
         return new AppConfig($this->config + $this->getConfigApp($app, $details));
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function evaluateExpression(array $context = []): mixed
+    {
+        if (null === $this->exprLang) {
+            $this->initExprLang();
+        }
+
+        $script = trim($this->config['login_control_expression']);
+        if (!str_starts_with($script, '{%')) {
+            $script = "{% return $script %}";
+        }
+
+        return $this->exprLang->execute($script, $context, true);
+    }
+
+    protected function initExprLang(): void
+    {
+        $this->exprLang = new TwigLanguage();
+        $repo = $this->registry->getRepository(OAuthIntegration::class);
+        $baseApp = $repo->findOneBy(['alias' => $this->name], ['id' => 'ASC']);
+
+        $funcList = [
+            'api_cget' => function(string $url, array $query = [], int $app = null) use ($repo, $baseApp) {
+                $baseApp = $app ? $repo->find($app) : $baseApp;
+                $token = $this->refreshToken($baseApp);
+                return $this->makeApiRequest($token, 'GET', $url, ['query' => $query]);
+            },
+            'api_get' => function(string $url, array $query = [], int $app = null) use ($repo, $baseApp) {
+                $baseApp = $app ? $repo->find($app) : $baseApp;
+                $token = $this->refreshToken($baseApp);
+                return $this->makeCGetRequest($token, $url, ['query' => $query]);
+            },
+        ];
+
+        $this->exprLang->addExtension(new OAuth2ExpressionExtension($funcList));
+    }
+
     /**
      * {@inheritdoc}
      */
diff --git a/src/Integrations/LoginInterface.php b/src/Integrations/LoginInterface.php
index d23532dc..7cbfe515 100644
--- a/src/Integrations/LoginInterface.php
+++ b/src/Integrations/LoginInterface.php
@@ -41,4 +41,12 @@ public function fetchUser(Request|array $request, array $options = [], array &$a
      * @return User
      */
     public function createUser(array $userData): User;
+
+    /**
+     * Login/Register expression check.
+     *
+     * @param array $context
+     * @return mixed
+     */
+    public function evaluateExpression(array $context = []): mixed;
 }
diff --git a/src/Integrations/Model/AppConfig.php b/src/Integrations/Model/AppConfig.php
index 501e40f6..02a12d95 100644
--- a/src/Integrations/Model/AppConfig.php
+++ b/src/Integrations/Model/AppConfig.php
@@ -8,6 +8,8 @@
 
 class AppConfig
 {
+    protected $overwriteRoles = null;
+
     public function __construct(protected array $config)
     {
     }
@@ -32,6 +34,11 @@ public function isPullRequestReview()
         return $this->config['pull_request_review'] ?? false;
     }
 
+    public function hasLoginExpression(): bool
+    {
+        return $this->config['login_control_expression'] ?? false;
+    }
+
     public function isLogin(): bool
     {
         return $this->config['allow_login'] ?? false;
@@ -63,9 +70,14 @@ public function getClientSecret(): ?string
         return $this->config['client_secret'] ?? null;
     }
 
+    public function overwriteRoles(array $roles = null): void
+    {
+        $this->overwriteRoles = $roles;
+    }
+
     public function roles(): array
     {
-        return $this->config['default_roles'] ?? [];
+        return $this->overwriteRoles ?: ($this->config['default_roles'] ?? []);
     }
 
     public function getLogo(): ?string
diff --git a/src/Integrations/Model/OAuth2ExpressionExtension.php b/src/Integrations/Model/OAuth2ExpressionExtension.php
new file mode 100644
index 00000000..db8d2b6d
--- /dev/null
+++ b/src/Integrations/Model/OAuth2ExpressionExtension.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Packeton\Integrations\Model;
+
+use Symfony\Component\DependencyInjection\Attribute\Exclude;
+use Twig\Extension\AbstractExtension;
+use Twig\TwigFunction;
+
+#[Exclude]
+class OAuth2ExpressionExtension extends AbstractExtension
+{
+    public function __construct(
+        protected array $extendFunction = []
+    ) {
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getFunctions(): array
+    {
+        $functions = [];
+        foreach ($this->extendFunction as $name => $func) {
+            $functions[] = new TwigFunction($name, $func);
+        }
+
+        return array_merge($functions, [
+            new TwigFunction('preg_match', 'preg_match'),
+            new TwigFunction('json_decode', fn ($data) => json_decode($data, true)),
+            new TwigFunction('hash_mac', 'hash_mac'),
+            new TwigFunction('array_unique', 'array_unique')
+        ]);
+    }
+}
diff --git a/src/Integrations/Security/OAuth2Authenticator.php b/src/Integrations/Security/OAuth2Authenticator.php
index 95fc38b9..48edb145 100644
--- a/src/Integrations/Security/OAuth2Authenticator.php
+++ b/src/Integrations/Security/OAuth2Authenticator.php
@@ -81,10 +81,23 @@ public function authenticate(Request $request): Passport
 
     protected function loadOrCreateUser(LoginInterface $client, array $data): User
     {
+        $config = $client->getConfig();
+        $config->overwriteRoles();
         $repo = $this->registry->getRepository(User::class);
         $user = $repo->findByOAuth2Data($data);
+        if ($config->hasLoginExpression()) {
+            $result = $client->evaluateExpression(['user' => $user, 'data' => $data]);
+            if (empty($result)) {
+                throw new CustomUserMessageAuthenticationException('Registration is not allowed');
+            }
+
+            if (is_array($result) && is_string($result[0] ?? null) && str_starts_with($result[0], 'ROLE_')) {
+                $config->overwriteRoles($result);
+            }
+        }
+
         if ($user === null) {
-            if (!$client->getConfig()->isRegistration()) {
+            if (!$config->isRegistration()) {
                 throw new CustomUserMessageAuthenticationException('Registration is not allowed');
             }
 
@@ -95,6 +108,7 @@ protected function loadOrCreateUser(LoginInterface $client, array $data): User
             $em->flush();
         }
 
+        $config->overwriteRoles();
         return $user;
     }
 

From 2314c63a2801f302458895045c4fe6a0a9b3f12f Mon Sep 17 00:00:00 2001
From: Uladzimir Tsykun <tsykun314@gmail.com>
Date: Tue, 13 Jun 2023 00:40:02 +0200
Subject: [PATCH 2/5] OAuth2 integration allow login/register expression
 checker

---
 src/Integrations/Security/OAuth2Authenticator.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Integrations/Security/OAuth2Authenticator.php b/src/Integrations/Security/OAuth2Authenticator.php
index 48edb145..7bc42b3a 100644
--- a/src/Integrations/Security/OAuth2Authenticator.php
+++ b/src/Integrations/Security/OAuth2Authenticator.php
@@ -88,7 +88,7 @@ protected function loadOrCreateUser(LoginInterface $client, array $data): User
         if ($config->hasLoginExpression()) {
             $result = $client->evaluateExpression(['user' => $user, 'data' => $data]);
             if (empty($result)) {
-                throw new CustomUserMessageAuthenticationException('Registration is not allowed');
+                throw new CustomUserMessageAuthenticationException('Login is not allowed by custom rules');
             }
 
             if (is_array($result) && is_string($result[0] ?? null) && str_starts_with($result[0], 'ROLE_')) {

From 0b4aaea92d99c8a505e01c132dbbb30e7ca6cdd4 Mon Sep 17 00:00:00 2001
From: Uladzimir Tsykun <tsykun314@gmail.com>
Date: Tue, 13 Jun 2023 03:53:39 +0200
Subject: [PATCH 3/5] OAuth2 integration allow login/register expression
 checker

---
 config/services.yaml                          |  5 ++
 public/packeton/js/integration.js             | 22 ++++++++-
 .../OAuth/IntegrationController.php           | 29 +++++++++++-
 src/DependencyInjection/Configuration.php     |  9 +++-
 src/Entity/OAuthIntegration.php               | 10 ++++
 src/Form/Type/IntegrationSettingsType.php     | 10 ++++
 .../Base/BaseIntegrationTrait.php             | 46 ++++++++++++-------
 src/Integrations/Github/GitHubIntegration.php |  2 +
 src/Integrations/Gitlab/GitLabIntegration.php |  2 +
 src/Integrations/LoginInterface.php           |  3 +-
 src/Integrations/Model/AppConfig.php          | 19 ++++++--
 .../Model/OAuth2ExpressionExtension.php       |  3 +-
 .../Security/OAuth2Authenticator.php          |  8 +++-
 src/Repository/OAuthIntegrationRepository.php | 18 ++++++++
 templates/integration/index.html.twig         | 39 ++++++++++++++--
 15 files changed, 195 insertions(+), 30 deletions(-)

diff --git a/config/services.yaml b/config/services.yaml
index 64dac3ca..bb6e82f2 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -223,3 +223,8 @@ services:
             - [addTokenChecker, ['@Packeton\Security\Token\IntegrationTokenChecker']]
 
     Symfony\Component\HttpClient\NoPrivateNetworkHttpClient: ~
+
+    Okvpn\Expression\TwigLanguage:
+        arguments:
+            $options:
+                cache: '%kernel.cache_dir%/expr'
diff --git a/public/packeton/js/integration.js b/public/packeton/js/integration.js
index f3c713cf..60668485 100644
--- a/public/packeton/js/integration.js
+++ b/public/packeton/js/integration.js
@@ -2,8 +2,28 @@
     "use strict";
     let connBtn = $('.connect');
 
-    connBtn.on('click', (e) => {
+    let form = $('#debug_integration');
+    form.on('submit', (e) => {
+        e.preventDefault();
+        let btn = form.find('.btn');
+        btn.addClass('loading');
+        let url = form.attr('action');
+        let formData = form.serializeArray();
+
+        $.post(url, formData, function (data) {
+            btn.removeClass('loading');
+            let html = '';
+            if (data.error) {
+                html += '<li><div class="alert alert-warning">'+data.error+'</div></li>';
+            }
+            if (data.result) {
+                html += '<li>'+data.result+'</li>';
+            }
+            $('#result-container').html('<ul class="list-unstyled package-errors">'+html+'</ul>');
+        });
+    });
 
+    connBtn.on('click', (e) => {
         e.preventDefault();
         let el = $(e.currentTarget);
         let btn = el.find('.btn')
diff --git a/src/Controller/OAuth/IntegrationController.php b/src/Controller/OAuth/IntegrationController.php
index 2ce00ef0..22003783 100644
--- a/src/Controller/OAuth/IntegrationController.php
+++ b/src/Controller/OAuth/IntegrationController.php
@@ -14,6 +14,7 @@
 use Packeton\Integrations\Exception\NotFoundAppException;
 use Packeton\Integrations\IntegrationRegistry;
 use Packeton\Integrations\AppInterface;
+use Packeton\Integrations\LoginInterface;
 use Packeton\Integrations\Model\AppUtils;
 use Packeton\Integrations\Model\FormSettingsInterface;
 use Packeton\Integrations\Model\OAuth2State;
@@ -99,7 +100,7 @@ public function settings(Request $request, string $alias, #[Vars] OAuthIntegrati
 
         [$formType, $formData] = $client instanceof FormSettingsInterface ? $client->getFormSettings($oauth) : [IntegrationSettingsType::class, []];
 
-        $form = $this->createForm($formType, $oauth, $formData + ['repos' => $repos]);
+        $form = $this->createForm($formType, $oauth, $formData + ['repos' => $repos, 'api_config' => $client->getConfig()]);
         $form->handleRequest($request);
         $config = $client->getConfig($oauth);
 
@@ -192,6 +193,32 @@ public function deleteAction(Request $request, string $alias, #[Vars] OAuthInteg
         return new RedirectResponse($this->generateUrl('integration_list'));
     }
 
+    #[Route('/{alias}/{id}/debug', name: 'integration_debug', methods: ['POST'])]
+    public function debugAction(Request $request, string $alias, #[Vars] OAuthIntegration $oauth): Response
+    {
+        if (!$this->isCsrfTokenValid('token', $request->request->get('_token')) || !$this->canEdit($oauth)) {
+            return new Response('Invalid Csrf Form', 400);
+        }
+
+        $client = $this->getClient($alias, $oauth);
+        if (!$client->getConfig()->isDebugExpression() || !$client instanceof LoginInterface) {
+            throw $this->createAccessDeniedException('not allowed debug');
+        }
+
+        $context = $request->get('context');
+        $context = $context ? json_decode($context, true) : [];
+        $payload = $request->get('twig') ? trim($request->get('twig')) : null;
+
+        try {
+            $result = $client->evaluateExpression(['user' => $this->getUser(), 'data' => $context], $payload ?: null);
+            $result = is_string($result) ? $result : json_encode($result, JSON_UNESCAPED_SLASHES);
+        } catch (\Throwable $e) {
+            return new JsonResponse(['error' => $e->getMessage()]);
+        }
+
+        return new JsonResponse(['result' => $result]);
+    }
+
     protected function canDelete(OAuthIntegration $oauth): bool
     {
         return !$this->registry->getRepository(Package::class)->findOneBy(['integration' => $oauth]);
diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
index 43617b58..480fd03e 100644
--- a/src/DependencyInjection/Configuration.php
+++ b/src/DependencyInjection/Configuration.php
@@ -225,7 +225,14 @@ private function addIntegrationSection(ArrayNodeDefinition $rootNode, array $fac
             ->scalarNode('svg_logo')->end()
             ->scalarNode('logo')->end()
             ->scalarNode('login_title')->end()
-            ->scalarNode('login_control_expression')->end()
+            ->scalarNode('login_control_expression')
+                ->beforeNormalization()
+                ->always(function ($value) {
+                    return is_string($value) && str_contains($value, '{%') ? 'base64:' . base64_encode($value) : $value;
+                })
+                ->end()
+            ->end()
+            ->booleanNode('login_control_expression_debug')->end()
             ->booleanNode('allow_login')
                 ->defaultFalse()
             ->end()
diff --git a/src/Entity/OAuthIntegration.php b/src/Entity/OAuthIntegration.php
index c6c919c0..afd8f9bf 100644
--- a/src/Entity/OAuthIntegration.php
+++ b/src/Entity/OAuthIntegration.php
@@ -222,6 +222,16 @@ public function isPullRequestReview(): ?bool
         return $this->getSerialized('pull_request_review', 'boolean');
     }
 
+    public function isUseForExpressionApi(): ?bool
+    {
+        return $this->getSerialized('use_for_expr', 'boolean');
+    }
+
+    public function setUseForExpressionApi(?bool $value = null): self
+    {
+        return $this->setSerialized('use_for_expr', $value);
+    }
+
     public function getClonePreference(): ?string
     {
         return $this->getSerialized('clone_preference', 'string');
diff --git a/src/Form/Type/IntegrationSettingsType.php b/src/Form/Type/IntegrationSettingsType.php
index 4fdd4937..aab49105 100644
--- a/src/Form/Type/IntegrationSettingsType.php
+++ b/src/Form/Type/IntegrationSettingsType.php
@@ -5,8 +5,10 @@
 namespace Packeton\Form\Type;
 
 use Packeton\Entity\OAuthIntegration;
+use Packeton\Integrations\Model\AppConfig;
 use Packeton\Util\PacketonUtils;
 use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\CheckboxType;
 use Symfony\Component\Form\Extension\Core\Type\ChoiceType;
 use Symfony\Component\Form\Extension\Core\Type\TextareaType;
 use Symfony\Component\Form\FormBuilderInterface;
@@ -61,6 +63,13 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
                     'Disabled'  => false,
                 ],
             ]);
+
+        $config = $options['api_config'];
+        if ($config instanceof AppConfig) {
+            if ($config->hasLoginExpression()) {
+                $builder->add('useForExpressionApi', CheckboxType::class, ['required' => false]);
+            }
+        }
     }
 
     /**
@@ -71,6 +80,7 @@ public function configureOptions(OptionsResolver $resolver)
         $resolver->setDefaults([
             'data_class' => OAuthIntegration::class,
             'repos' => [],
+            'api_config' => null,
         ]);
     }
 }
diff --git a/src/Integrations/Base/BaseIntegrationTrait.php b/src/Integrations/Base/BaseIntegrationTrait.php
index 502f0226..26e05182 100644
--- a/src/Integrations/Base/BaseIntegrationTrait.php
+++ b/src/Integrations/Base/BaseIntegrationTrait.php
@@ -27,37 +27,49 @@ public function getConfig(OAuthIntegration $app = null, bool $details = false):
     /**
      * {@inheritdoc}
      */
-    public function evaluateExpression(array $context = []): mixed
+    public function evaluateExpression(array $context = [], string $scriptPayload = null): mixed
     {
         if (null === $this->exprLang) {
             $this->initExprLang();
         }
 
-        $script = trim($this->config['login_control_expression']);
-        if (!str_starts_with($script, '{%')) {
-            $script = "{% return $script %}";
+        $script = trim($this->getConfig()->getLoginExpression());
+        if (str_starts_with($script, '/') && file_exists($script)) {
+            if ($scriptPayload === $script) {
+                $scriptPayload = null;
+            }
+            $script = file_get_contents($script);
+        }
+
+        $scriptPayload ??= $script;
+        if (!str_starts_with($scriptPayload, '{%')) {
+            $scriptPayload = "{% return $scriptPayload %}";
         }
 
-        return $this->exprLang->execute($script, $context, true);
+        return $this->exprLang->execute($scriptPayload, $context, true);
     }
 
     protected function initExprLang(): void
     {
-        $this->exprLang = new TwigLanguage();
+        $this->exprLang = isset($this->twigLanguage) ? clone $this->twigLanguage : new TwigLanguage();
         $repo = $this->registry->getRepository(OAuthIntegration::class);
-        $baseApp = $repo->findOneBy(['alias' => $this->name], ['id' => 'ASC']);
 
-        $funcList = [
-            'api_cget' => function(string $url, array $query = [], int $app = null) use ($repo, $baseApp) {
-                $baseApp = $app ? $repo->find($app) : $baseApp;
-                $token = $this->refreshToken($baseApp);
-                return $this->makeApiRequest($token, 'GET', $url, ['query' => $query]);
-            },
-            'api_get' => function(string $url, array $query = [], int $app = null) use ($repo, $baseApp) {
-                $baseApp = $app ? $repo->find($app) : $baseApp;
+        $apiCallable = function(string $action, string $url, array $query = [], bool $cache = true, int $app = null) use ($repo) {
+            $baseApp = $app ? $repo->find($app) : $repo->findForExpressionUsage($this->name);
+            $key = "twig-expr:" . sha1(serialize([$action, $url, $query]));
+
+            return $this->getCached($baseApp, $key, $cache, function () use ($baseApp, $url, $action, $query) {
                 $token = $this->refreshToken($baseApp);
-                return $this->makeCGetRequest($token, $url, ['query' => $query]);
-            },
+                return match ($action) {
+                    'cget' => $this->makeCGetRequest($token, $url, ['query' => $query]),
+                    default => $this->makeApiRequest($token, 'GET', $url, ['query' => $query]),
+                };
+            });
+        };
+
+        $funcList = [
+            'api_cget' => fn () => call_user_func_array($apiCallable, array_merge(['cget'], func_get_args())),
+            'api_get' => fn () => call_user_func_array($apiCallable, array_merge(['get'], func_get_args()))
         ];
 
         $this->exprLang->addExtension(new OAuth2ExpressionExtension($funcList));
diff --git a/src/Integrations/Github/GitHubIntegration.php b/src/Integrations/Github/GitHubIntegration.php
index cca3acd2..1a7cf47c 100644
--- a/src/Integrations/Github/GitHubIntegration.php
+++ b/src/Integrations/Github/GitHubIntegration.php
@@ -7,6 +7,7 @@
 use Composer\Config;
 use Composer\IO\IOInterface;
 use Doctrine\Persistence\ManagerRegistry;
+use Okvpn\Expression\TwigLanguage;
 use Packeton\Entity\OAuthIntegration as App;
 use Packeton\Entity\User;
 use Packeton\Integrations\AppInterface;
@@ -47,6 +48,7 @@ public function __construct(
         protected ManagerRegistry $registry,
         protected Scheduler $scheduler,
         protected \Redis $redis,
+        protected TwigLanguage $twigLanguage,
         protected LoggerInterface $logger,
     ) {
         $this->name = $config['name'];
diff --git a/src/Integrations/Gitlab/GitLabIntegration.php b/src/Integrations/Gitlab/GitLabIntegration.php
index 2a727e47..572166dc 100644
--- a/src/Integrations/Gitlab/GitLabIntegration.php
+++ b/src/Integrations/Gitlab/GitLabIntegration.php
@@ -7,6 +7,7 @@
 use Composer\Config;
 use Composer\IO\IOInterface;
 use Doctrine\Persistence\ManagerRegistry;
+use Okvpn\Expression\TwigLanguage;
 use Packeton\Entity\OAuthIntegration;
 use Packeton\Entity\OAuthIntegration as App;
 use Packeton\Entity\User;
@@ -50,6 +51,7 @@ public function __construct(
         protected LockFactory $lock,
         protected ManagerRegistry $registry,
         protected \Redis $redis,
+        protected TwigLanguage $twigLanguage,
         protected LoggerInterface $logger,
     ) {
         $this->name = $config['name'];
diff --git a/src/Integrations/LoginInterface.php b/src/Integrations/LoginInterface.php
index 7cbfe515..9a1de706 100644
--- a/src/Integrations/LoginInterface.php
+++ b/src/Integrations/LoginInterface.php
@@ -46,7 +46,8 @@ public function createUser(array $userData): User;
      * Login/Register expression check.
      *
      * @param array $context
+     * @param string|null $scriptPayload
      * @return mixed
      */
-    public function evaluateExpression(array $context = []): mixed;
+    public function evaluateExpression(array $context = [], string $scriptPayload = null): mixed;
 }
diff --git a/src/Integrations/Model/AppConfig.php b/src/Integrations/Model/AppConfig.php
index 02a12d95..796582ae 100644
--- a/src/Integrations/Model/AppConfig.php
+++ b/src/Integrations/Model/AppConfig.php
@@ -8,7 +8,7 @@
 
 class AppConfig
 {
-    protected $overwriteRoles = null;
+    protected static $overwriteRoles = null;
 
     public function __construct(protected array $config)
     {
@@ -36,7 +36,18 @@ public function isPullRequestReview()
 
     public function hasLoginExpression(): bool
     {
-        return $this->config['login_control_expression'] ?? false;
+        return (bool)($this->config['login_control_expression'] ?? false);
+    }
+
+    public function isDebugExpression(): bool
+    {
+        return $this->config['login_control_expression_debug'] ?? false;
+    }
+
+    public function getLoginExpression(): ?string
+    {
+        $expr = $this->config['login_control_expression'] ?? null;
+        return $expr && str_starts_with($expr, 'base64:') ? base64_decode(substr($expr, 7)) : $expr;
     }
 
     public function isLogin(): bool
@@ -72,12 +83,12 @@ public function getClientSecret(): ?string
 
     public function overwriteRoles(array $roles = null): void
     {
-        $this->overwriteRoles = $roles;
+        self::$overwriteRoles = $roles;
     }
 
     public function roles(): array
     {
-        return $this->overwriteRoles ?: ($this->config['default_roles'] ?? []);
+        return self::$overwriteRoles ?: ($this->config['default_roles'] ?? []);
     }
 
     public function getLogo(): ?string
diff --git a/src/Integrations/Model/OAuth2ExpressionExtension.php b/src/Integrations/Model/OAuth2ExpressionExtension.php
index db8d2b6d..36348ce0 100644
--- a/src/Integrations/Model/OAuth2ExpressionExtension.php
+++ b/src/Integrations/Model/OAuth2ExpressionExtension.php
@@ -30,7 +30,8 @@ public function getFunctions(): array
             new TwigFunction('preg_match', 'preg_match'),
             new TwigFunction('json_decode', fn ($data) => json_decode($data, true)),
             new TwigFunction('hash_mac', 'hash_mac'),
-            new TwigFunction('array_unique', 'array_unique')
+            new TwigFunction('array_unique', 'array_unique'),
+            new TwigFunction('dump', 'dump'),
         ]);
     }
 }
diff --git a/src/Integrations/Security/OAuth2Authenticator.php b/src/Integrations/Security/OAuth2Authenticator.php
index 7bc42b3a..451c79e7 100644
--- a/src/Integrations/Security/OAuth2Authenticator.php
+++ b/src/Integrations/Security/OAuth2Authenticator.php
@@ -91,7 +91,13 @@ protected function loadOrCreateUser(LoginInterface $client, array $data): User
                 throw new CustomUserMessageAuthenticationException('Login is not allowed by custom rules');
             }
 
-            if (is_array($result) && is_string($result[0] ?? null) && str_starts_with($result[0], 'ROLE_')) {
+            if (is_array($result) ) {
+                $probe = $result[0] ?? null;
+                if (!is_string($probe) || !str_starts_with($probe, 'ROLE_')) {
+                    $this->logger->error("OAuth2 expression error, return result must be list of a valid roles");
+                    throw new CustomUserMessageAuthenticationException('OAuth2 login failed by invalid expression configuration');
+                }
+
                 $config->overwriteRoles($result);
             }
         }
diff --git a/src/Repository/OAuthIntegrationRepository.php b/src/Repository/OAuthIntegrationRepository.php
index 169b8cb2..206a2151 100644
--- a/src/Repository/OAuthIntegrationRepository.php
+++ b/src/Repository/OAuthIntegrationRepository.php
@@ -5,7 +5,25 @@
 namespace Packeton\Repository;
 
 use Doctrine\ORM\EntityRepository;
+use Packeton\Entity\OAuthIntegration;
 
 class OAuthIntegrationRepository extends EntityRepository
 {
+    public function findForExpressionUsage(string $alias): ?OAuthIntegration
+    {
+        /** @var OAuthIntegration[] $list */
+        $list = $this->createQueryBuilder('e')
+            ->where('e.alias = :alias')
+            ->setParameter('alias', $alias)
+            ->orderBy('e.id')
+            ->getQuery()->getResult();
+
+        foreach ($list as $item) {
+            if ($item->isUseForExpressionApi()) {
+                return $item;
+            }
+        }
+
+        return reset($list) ?: null;
+    }
 }
diff --git a/templates/integration/index.html.twig b/templates/integration/index.html.twig
index cb875331..5399c48d 100644
--- a/templates/integration/index.html.twig
+++ b/templates/integration/index.html.twig
@@ -53,13 +53,22 @@
                     </div>
 
                     {% if canEdit %}
-                    <div class="btn-group btn-group-xs">
+                        <div class="btn-group btn-group-xs">
                         <a class="settings action onclick-confirm" data-msg="Please make sure you are using the same account.
 If a different account is used, you may lose access to the current organization and the webhooks will not be removed."
                            href="{{ path('integration_regenerate', {'alias': alias, 'id': oauth.id, '_token': token}) }}">
                             <button type="button" class="btn btn-danger">Regenerate Token</button>
                         </a>
-                    </div>
+                        </div>
+
+                        {% if config.hasLoginExpression() and config.debugExpression %}
+                            <div class="btn-group btn-group-xs">
+                                <a class="settings action" type="button" data-toggle="collapse" data-target="#collapse-expr" aria-expanded="false" aria-controls="collapse-expr">
+                                    <button type="button" class="btn btn-primary">Check login expression</button>
+                                </a>
+                            </div>
+                        {% endif %}
+
                     {% endif %}
 
                     {% if canDelete %}
@@ -70,11 +79,33 @@ If a different account is used, you may lose access to the current organization
                         </form>
                     </div>
                     {% endif %}
+                </div>
 
+                {% if canEdit and config.hasLoginExpression() and config.debugExpression %}
+                <div class="collapse" id="collapse-expr">
+                    <form name="debug_integration" id="debug_integration" method="POST" action="{{ path('integration_debug', { 'alias': alias, 'id': oauth.id }) }}">
+                        <p class="card card-body" style="font-size: 1.2em">
+                            Here you can dry run and test login expression checker config.
+                        </p>
+
+                        <input type="hidden" name="_token" value="{{ token }}"/>
+
+                        <div class="form-group">
+                            <label for="context_payload">OAuth2 fetch user context (JSON)</label>
+                            <textarea id="context_payload" class="form-control" name="context" style="resize: none" rows="6"></textarea>
+                        </div>
+
+                        <div class="form-group">
+                            <label for="twig_payload">Enter twig expression to test</label>
+                            <textarea id="twig_payload" class="form-control" name="twig" style="resize: none" rows="12">{{ config.loginExpression }}</textarea>
+                        </div>
+                        <div id="result-container"></div>
+                        <input class="btn btn-success"  style="min-width: 200px;" type="submit" value="Check Expression" />
+                    </form>
                 </div>
+                {% endif %}
             </div>
 
-
             {% if orgs|length > 0 %}
             <div class="row">
                 <div class="col-md-12">
@@ -93,6 +124,7 @@ If a different account is used, you may lose access to the current organization
                     {% for org in orgs %}
                         {% set isConn = oauth.isConnected(org['identifier']) %}
                         {% set webhookInfo = oauth.getWebhookInfo(org['identifier']) %}
+                        {% if canEdit or isConn %}
                         <div style="padding-bottom: 25px; max-width: 440px; display: flex; justify-content: space-between">
                             <div>
                                 {% if org['logo'] is defined and org['logo'] %}
@@ -136,6 +168,7 @@ If a different account is used, you may lose access to the current organization
                                 {% endif %}
                             </a>
                         </div>
+                        {% endif %}
                     {% endfor %}
                 </div>
             </div>

From 0a6f52126689a9d193220d00cbb836e32d0579d4 Mon Sep 17 00:00:00 2001
From: Uladzimir Tsykun <tsykun314@gmail.com>
Date: Wed, 14 Jun 2023 23:09:34 +0200
Subject: [PATCH 4/5] oauth2 login condition expression checker

---
 .../Base/BaseIntegrationTrait.php             |  2 +-
 src/Integrations/Model/AppConfig.php          |  8 +----
 .../Security/OAuth2Authenticator.php          | 30 ++++++++-----------
 3 files changed, 14 insertions(+), 26 deletions(-)

diff --git a/src/Integrations/Base/BaseIntegrationTrait.php b/src/Integrations/Base/BaseIntegrationTrait.php
index 26e05182..eda0cb87 100644
--- a/src/Integrations/Base/BaseIntegrationTrait.php
+++ b/src/Integrations/Base/BaseIntegrationTrait.php
@@ -42,7 +42,7 @@ public function evaluateExpression(array $context = [], string $scriptPayload =
         }
 
         $scriptPayload ??= $script;
-        if (!str_starts_with($scriptPayload, '{%')) {
+        if (!str_contains($scriptPayload, '{%')) {
             $scriptPayload = "{% return $scriptPayload %}";
         }
 
diff --git a/src/Integrations/Model/AppConfig.php b/src/Integrations/Model/AppConfig.php
index 796582ae..5b1f9dbf 100644
--- a/src/Integrations/Model/AppConfig.php
+++ b/src/Integrations/Model/AppConfig.php
@@ -8,7 +8,6 @@
 
 class AppConfig
 {
-    protected static $overwriteRoles = null;
 
     public function __construct(protected array $config)
     {
@@ -81,14 +80,9 @@ public function getClientSecret(): ?string
         return $this->config['client_secret'] ?? null;
     }
 
-    public function overwriteRoles(array $roles = null): void
-    {
-        self::$overwriteRoles = $roles;
-    }
-
     public function roles(): array
     {
-        return self::$overwriteRoles ?: ($this->config['default_roles'] ?? []);
+        return $this->config['default_roles'] ?? [];
     }
 
     public function getLogo(): ?string
diff --git a/src/Integrations/Security/OAuth2Authenticator.php b/src/Integrations/Security/OAuth2Authenticator.php
index 451c79e7..32e7d127 100644
--- a/src/Integrations/Security/OAuth2Authenticator.php
+++ b/src/Integrations/Security/OAuth2Authenticator.php
@@ -82,39 +82,33 @@ public function authenticate(Request $request): Passport
     protected function loadOrCreateUser(LoginInterface $client, array $data): User
     {
         $config = $client->getConfig();
-        $config->overwriteRoles();
         $repo = $this->registry->getRepository(User::class);
         $user = $repo->findByOAuth2Data($data);
+
+        $em = $this->registry->getManager();
+        if ($user === null) {
+            if (!$config->isRegistration()) {
+                throw new CustomUserMessageAuthenticationException('Registration is not allowed');
+            }
+            $user = $client->createUser($data);
+        }
+
         if ($config->hasLoginExpression()) {
             $result = $client->evaluateExpression(['user' => $user, 'data' => $data]);
             if (empty($result)) {
                 throw new CustomUserMessageAuthenticationException('Login is not allowed by custom rules');
             }
 
-            if (is_array($result) ) {
-                $probe = $result[0] ?? null;
-                if (!is_string($probe) || !str_starts_with($probe, 'ROLE_')) {
-                    $this->logger->error("OAuth2 expression error, return result must be list of a valid roles");
-                    throw new CustomUserMessageAuthenticationException('OAuth2 login failed by invalid expression configuration');
-                }
-
-                $config->overwriteRoles($result);
+            if (null === $user->getId() && is_array($result) && is_string($probe = $result[0] ?? null) && str_starts_with($probe, 'ROLE_')) {
+                $user->setRoles($result);
             }
         }
 
-        if ($user === null) {
-            if (!$config->isRegistration()) {
-                throw new CustomUserMessageAuthenticationException('Registration is not allowed');
-            }
-
-            $em = $this->registry->getManager();
-
-            $user = $client->createUser($data);
+        if (null === $user->getId()) {
             $em->persist($user);
             $em->flush();
         }
 
-        $config->overwriteRoles();
         return $user;
     }
 

From 6eb03f496519b1f684866e03a291bc38d4b8f7c8 Mon Sep 17 00:00:00 2001
From: Uladzimir Tsykun <tsykun314@gmail.com>
Date: Wed, 14 Jun 2023 23:35:36 +0200
Subject: [PATCH 5/5] Login control expressions usage example

---
 docs/img/debug-expr.png         | Bin 0 -> 28297 bytes
 docs/oauth2.md                  |   3 +
 docs/oauth2/login-expression.md |  98 ++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 docs/img/debug-expr.png
 create mode 100644 docs/oauth2/login-expression.md

diff --git a/docs/img/debug-expr.png b/docs/img/debug-expr.png
new file mode 100644
index 0000000000000000000000000000000000000000..c3f2d7e69046c40c3403d7d72e39f6629cd4b3d6
GIT binary patch
literal 28297
zcmc$`byS?qlQ0@52}uYZJQ>`BI|LZqg6lwn3=Y9zun+<a?ry=|ePEE_?(VLG>tJ_y
zf4h6nJ^SsqyMNt2oKw&6^wV8kRoz|I?f+F?;_Yj~*N+}OdMhOfRC@I2nc|~IPgGt$
zLH$Pw%;bUsPwhmcR9?P(IlHW|g!=j3UQEMY*&1x`^xf9zk+O+{y}gmG!LOlLj~;z|
zBn1>!ah}<mch!k>xEDI)3IaXd@L8goku=yw^cfoc!ZQKPSd%`9et#RV73|k6>ikaX
zFA)Z<RQATvc{7({Q?}vj_#d0W2_gh>JbiHq8Bw&g-D@kA=0Uf2k8pp`#AHwJUTuZW
z6}uM?ZvPrIpM1=hvWe;#RhDRtLYe+~dSpoYzk**j9{*GSe-6F;n)Pq8#Aa_HuiVf4
zDhr=hW#QT5q8e$2^YEV&M%k>Z2bL_-a2z*Wy*gm<#jLimbI%58<5x!`_<!66UFmBD
zGtFvcd73G+&MJP~-Z;GZiZ*S|$yIv2oO$cnRL*x_k-X3Pu5_`VZucAFSOoF&(}X%?
zc5Z16cQoxp_4#CftTo`AACqF>yu{%>e0qGkAo)EUHHx2oqg^Gj4qVc~p8f+XE+<th
zyZqMYI}`2aFN|x(ag2oK*|KA<i(;;Wp$WbG=l8cgcUzu6Om2l8VZ9D%!y~dAJob${
zyMg0dxzv7X<>xYT(P{adreQ>orzi^hAIFtg78K?q3!bISCKUWY$RU);oUJN83`~1u
zq|fc&400EfY8{(qv-P@|w>YpNH(#A1tf}lDWQkRQd_Z1aK|#Gb=H7inZa$BcsIBOS
z)NE@Xf4@DLzT;hN<pURPI9M_MVaB8X0)9OC*K2-C;*_nKX`bqXxjJROiSEYg{NoMl
z=g(t%E!R0?9Z7z3d2*;=W4_XM`jJy0#$^r#4%)jG8C3CJj0De6lj{j`&0l3<im21Z
z2bwv|_S!M|`<CF|u>a<}K)e5$r;?krnz=>(15Z&^QLd$_XWY2(0x?sZ2!aRnT-^5F
z7z^H-kLbRR#>R}^-Kr-!?Iz8K%w+(=hP4GN?;joYTes4fj&dHG9QO3Tc^z1B6yE%n
zT}dJmZ?T|K$VYO8_%=btGd?U!OVo6{LzJsrV7_Tbk<ENExB-pOMrt=IJY+hro#+hX
zIHrhT(sPOJWG^`5PPtnkT*y3SZwE!E=Fvo#JxY@LY9|_`W)T}tDU)n8La5n<Iocs=
z97l&!WfF@=lApI~^%R!Kp~gB-L$_q!lM>WyaM4Fxz4)U5Y;@(%RuuyBkr%6~O82WU
zQ7^X0GVB*>P`5dQ!DoBVRbvYkj{lfBeVrrSVGr8q`%`0U>UYjEnREN?wXzb@%hj^g
zd~5zA7L>-8sA@r&j1+)=F{RuO=jLVnFw&8@I+01luI3e6pPYSMHrbuvRBiwKNWm=K
z`ELOlihl|=8#X^mYbI1;)m2oK#cuW68mlBWiwEocpButlRFw}C^FTFLh!1Ex`}eYE
z(K0W%>Jq)ZXU*MH*DG@rw0Z4!HEs>I+sn`A^{n;Wr~4qaJToVAB?-Uuq|Mt9d`=hk
zcBK_gSUe~SJ2BmB6$}IzYX?3z%!hd__qCg2*eUkD*85;(J*5+K?UNM)WzvL74(-az
z7)7?1gxLMS)9h7H@vJX}#Z|b1A@qxw@AP9XWp45==$LfMcVW|Kb!@7*?n(S&+4n)Y
z40$sAaN_z#746T(D{}<&;aQbGp<N52YuDk*ew&EjROUy<xDpcyF6nAdlk^gqAR8|A
zGl08U8(g5_=BJ%|G5UBkRX4q4Y;A|=3{;itK1`{sHa*t+%aVYT=NLkQnzHty5|d6t
z%mz|a)FVpQj}q7-VUoEzGJN=>>V!L3(smsY*rJwMKw?C^Fdt6>QV?GJG0-cdFh`Dn
z-SFw#v0*t%I3R<_OzVv4wi%P$8m8$-Td5=O>i_q~<U(@fO-6icE~Cu4mb6D|`Ff?{
z6CQsPYtD5K$yWsIH|~T833;IL#gGKimN+O&&K@K|0Z4&vZY2~qGM30@c7>0HXQlJc
zl*cui|7cvzipRnKl9;|#nr0fmE?Bwk-qTOnBs`XoW34tUfwq;FVj1aRbR8&5FW3~X
zC<O!~H~@ec=pM<h7gY*-OJCNrlO^8F2AFlXn~MK553BzvyRkPnlC|j^`Gq?-RC`S5
zL%g@@b;b9&X>Ffs+W>U4RaL_{$3kTB39qBHQKE}L5`S``uX!|4Xf!w~;>L$Fuz^I=
zl~0r2m31=nHiuh#m?}itu2}Ud-%v3oK*Ybon#i>{Q(p|c9sXj|I*UXH@6-scJ#Aw&
z&KEjA<ub}*V@NbTI7#h3=z3;(ab$OM1J4R-V(8IIGbP_Y5cgfIy=*nwQ7cmZ^;<$d
zvS&7&&%rWchH1;8=2h|ssUk7EWw4uLR&f<K)1RvRB7vir8#XTRt;t)$DXJBoPcl_7
zJ?nvc*x!>Z*p6y~P7?UC{zW(Ohe)2y&JoHSxui^op3mXPCs(u|UX8D<%|q|QJM~DP
zKYDbD?vj46nK!Hl*XgH&oPTvRo7B>XB}qY0IgO<XL`P>d>fZ<bt#D|M4s5cm!WA<P
zB^7dS+>&mo>X|8DY!tY&++P<r_Spl?CB4~HaC1`Ytr&C&<DRPV7^o<^lJ+>SF=qN;
zUQi5Tps~EQ@SDi~tL&$cggp8?KH_)H*m!&Lt~h;W*O-A*f%g@X_bNE!*HH(_)1H#9
zBuFU!RHW*?*m}5P2g1FVy^ThK=Oq-nHxr6Ad>3%vp+;ooK9N_@tY}SZMJ#U?*e7&b
zuy>-H<r+I)8*F!K=%1Oceotx3ujujZ=aJBT{>Zj}m;6n`eDqYJE48}%g{_;-ACfZJ
z5>FOYbL;&bhm+YSe!6zRBGTz0$2T7p(nT0CWx@|egU@jGBvMUiY^kd76}NCkigIkc
zO%xvAmU~wh&>n&yX+HrsTggSIkT>uFEKK;4M4b)0)$3@w?V?A3a=7O1qvO$0Kep}C
zkO8tklm^@VkB|W-r;;lbCcT&|6{eYFl*E6SuuYPJuzs1GKGPSW?c3Cq`*EDXgT2+K
z|C&f@nxWq%c4iJzFsczi0<7O0{+^6rea^ZwFq|ZOs>pekD#;8bHQSu&p5^|UM|)6g
z$Cs}5Zm)z(+_I^$LK^3&99!nx`)1~}q=BGuy(iZIY(zHs5kG={9?w3#QgqVSEn5$A
zKGCB~6QERe#QDLPq@>#BllJulx*Gw)sh!+$>tceN@z8i(L@}<0Emn{9W^`p-Ol^LU
zOAUuJA<b4n+^*2Mi!>v<id*)R#SaE<@v92^YQv=_hZ9e1Abfx>pI&`UMMl?(<Va+f
zfO*P@lna~)g{}?0=FprJ-(wuDwu{ff!NTO>_32{d!_d>q&kJ{{>o+mhEnn?v9%B_X
zt|3U?!@W1jvdvGZI_n7=w6<tyi<Bj%s>ycuFj_i~z%|aVa(X8#9Hy7}QP`-DX};Eg
zYH-04%x^3Kq`<m*Rj0{UJTMY=Kwnt$sEH4?U))Kj>|MK<Ni*O4fT>XJUhbU;%+J5}
zV4!huz(sE(fn9`Qh9|?DS4<Qbk&RUoZYMKU0SQ_#MKwmJ@4r<n%ObvfGqzSZKL<Jj
zt8}{GHYU#PMypMF)VrN2z}v(|dRwO3b?fS?BDz981*&|LP@8_4v;XuN0N^zy|Mi;$
z5U6$s9PgfQsQaFPg{e4N!O|zw7dR@muau8F&62Jaj{XYvIxC&<tf`-i2Oxksjj37C
z#08?stqQw>gd1q*B`+DJ)dwbj3z69(26PPM*BFbb+?6&B#Dr$K8+7~A*s&lcu~sFR
zOWXP~liB=%hQrEyz6?NlCW`l%<N#M+Ngy+AcLu%X>yH3^=!{HW(iWK1$P7x&o0DOs
zG@EGZ&%lec=SXJ3#JqZ&G4u!vn?*^VU2gZh9D|3}WLXygcr2<~?#j_N>ZfJCU0?wd
zu4MLJNKhgJeR$sfE}boK+fI(nXa_1AW%sk##-1&fVPOpU>4L?;+Cb@jcwSG`Ia^81
z*M+JC==l@1X6Krk*q1srK~9wA*yCD;h0VR*%YjyV4EZdI!6{G*py2_6UXfQ-Uanwh
z`Zc25_=Bd)SwJ8d?xVzU^ZRj#uE>HRrML+-R+!|s)dE~)sr3bOypa48>xiDRmRU;@
zxYo3cYxQk9b$Bv~<}+5l5gi)PiCewcW59gfZh>bJWjQ%O*~ZAsza6+9uddA;_F60!
zTF4>M$d!$&>A&}j|HFi8?UrW}RFdLjQQ)6L+bZ#HCPF4jzTPae!tDHfiwtfHNo`Hx
zD|rVaP&^R$B&{5tOcmQpUyyZtOrEtOOhPcs12C7X&eqbl90zgQG0#+-1MzN<C^7u9
z;i6$yaHh_*T{6G7KiZyAWI(IP=m~N^UP<o6n&PR>C6=+2o4+4pd|t%mNzZV$pYB%V
zE+=OczA>3t1)Lm6Zk)~rb%wC6(?{sZqXy#)EvhwKmK@ulbmg_XNFN>u>4M}Tg~;=*
z<{(m^|3n{fxA=4$xfpMenS)#x-g!}(M-Hm%<gaJF+qZ@3{J7>2uF=Rbc8J!K=Tdca
zAZ@IhW+`SFFA3c3sWjf(ljRT!S@9SV`uq46@raR6WSA`CCv^%GGrSqd*EzEJ))8Vy
zUlb?YZID;_lN0d~UGz!%98kKewnFZs;&>6iS`89sYNjs|+Orc$g#CrBQ)vTdCY@^B
zETFc)>Pb2g0nSlp%9kN6={mw=0`cUKA!aHfBUV8ma9t;(M@V+!?+D=zjS{adjH;$N
zzDTDvqj@2utYTvmSK;=^k#g^sZlmijUP;DrLW!L4<hq7bbBn#9J9)#}ahlPAxgEya
zIU(gS+pM_&Wh&)WMrUP9kY}8kKNP5PKkm~N(q*=g=utFmhq;HKly{^GjQ+kS20W81
zCHL)8!9U!=2+%6_5T6Yvv1y74;Z~XcSiYE4Szz|niF2>2+B=2ix3Ox`lq-jFi+IBv
zScV!rvykY7Mb7cgR1Uoc3&rW1asJ`SY96VS?V)Op-8~vdOukoU{cdv6WrfmP6GsGP
z-pO!LdM?`CFB3BfT39^1fxq9q`!%B#82uqU&gMPOT)pXeVWvZW)h{ynR33-@fCZGc
zH#XCscfO%2=QUtLt)EP4HTdJk=U!`84$l<>6DGj?<Dl1m3*!3L1b*Z$SLK&`{oX5V
zuZ@{yP*C9<fc4c<GkknO^l}f~@uJ6;T6RX}9CS~)KO!@Pbn&uyv^o&+1-P*rLl>D`
zSyCDeg?8CyXGan9!Wk_XtE@-Wx4^slbiD*84w0fc-G9{pSP*Xh$=*A~zIW&nv392O
z?~Yw#kuv`3ql5f!<Gvuo)+oq@$gtkKT!mW^^~ZlXIv6Dgfo8A~LTICOBO-ogso&%l
zA><ne!B2cY0FpzVu^uaqHE9?DBEqO;iZqdmaz(c$&|l90J8Kdk6rnRe$6EE!e*QVr
zMdSSb$P76R1lkKE#x%$Xb(u~)vrR{%KlwDQo7+X+nfsXOb{2hIDSS}~XqzZ%x_lB)
zr286Q2%is&mnIdzd#~t<65NrY8t3Od=5uuN9t%_RDhL~S*+6(OIrCe}0w;rh#X-L_
z9Q47IUJ?51dvW4%zhl5AaBdKpcO8&(m%~uskj25ZU2sxB`~tqmfFF??oqKO50zmDr
zRJBL+?-s@!ekAAQHs#B%F}*Wm4y(52$R#l?=BTUB=4^r*^J|GYzwBDjU1(994$yE4
zSJH?)x(yz0(x9*ssjlkM*3Y5++_9;4!Xz>{tM^8u&t<YOz_WCr=(+8n+U>mAxVp{m
zJCyyVw-D)`BGDyy-H`LEtb{|Iumm)QGZ}VPQ-MzcbKJXw7^AVO<AAseHl5-7usyQD
zYdGDts{4kBRM`SN<5<=IC_>A9(0WLYDpJ{R--8sWV$Q0oc(1a*kY|Th_H=wgWxm#S
z`Mc2KjMgRd0E^ll?rcwQ`#@oh&Sk8olR2%CpstHs(UfsWZ=8`Mo_qgb*#>>5oDe?L
zz46BxU4Gp$d|lUpCH`bX<!hnxU{w)`*u;*^#sPJ#-kg<(6(?W0b<vTtoWJfDU?!J)
zjqH#yq+oe9cLU2)KdGo>_bl6bvBJ~Rv0&){kz07a1KvNr2sJbGoEA>K$dNi2nReQa
z<c1hiS$0#cZ1t%jnPQ7~b9-@SczmE+TAb~Je+Ka*PeB2EUy7gsAwz#HX4@BBEAlO7
zO46iUO${;EH^x)HU0pp&28qzK(p-p2Pkl+$Agl`qXu>qV?B)zzZ6tn;mLs#u$U7L7
z_btvdRRzq~jz(7AiE35F0mdrtidoUgZoQP%FjGy124g|&=~YlOhsmB*=6H+bhKfuQ
zwk~8H6X6L1N=2tPV)3Es56v>4n*;a?VjJldTq&kHrFq<$jdQ8FRwm*P@p>-yXG=^}
zB_8qos#TwFI;I9mtp{WzRmV&n6KY~y+)4w=cLIAh$SkJU(>Hd;{j59AY~}@}0OcBE
zW}@;0e1qD#cg5TY+u)6$Q9QkxKLsyBp!J%&0;RV>YMHlZ;G1beThk=uKopbZI$jn8
z{0mx}s9J!bX1BkWu1;d~u1)nYZyJ}E+9s)|eKuY;JE37TOG0+dy<Q<?F$}Gi>Mj($
zHSt8AU_z%n;#m{zgFZF0=X}Q^WOt!)e&Km1kDyGxg>m25Zlo8NcciKMkqXT94x~&(
zRkLrNp6nW(I9T~zEE?~W8k|_5ji;5|rrFNE$&fQJ9e>j^p=eHq{DEtv@CT95g!p78
zcv;jxd3)!M@Gq+9s_4hR-Q&uhm!vN;%3>lz3*_)CE~>pLEq-0GTN2T(xE<ElLw)i_
z_Iws`RDd#Umi+baxh$)@6g9M4PdI?*Pr|#r`o^=h`h2NH=xKT4w_sk-+^V1?XS#_r
z^*gONwReSC6JIrD45`i5n<K>3LuS9B2DemZbLq-ipS`ADlzD<)a*n6btzS&T<GE~0
zN!1#;T=TSYF);@G9`i`d-kF7@gDl`CaG7aN)?>g@xYjQ>Ms|FIyi;0PW|$t;*3Z5Z
zV?R>)L{F{2BTuYtQ<RMU^0=gDi?1eWs75G8TM0yH+CNKvgR061{%_omKZW`YJbZ;U
zHC?(LZbyfsV|I;yXCa%e+{#CFZ_?g`HoL|(Siqf!zqaD*h;H)d9bP;*UsD)DulPd)
zWeRe#>7QHb{dFtv;mg3jdzMW3ZtK|thA~WIi=Owlowe7;$FIvODw-D-^vmMR%~B2r
zY#nVa=q*ngj3uOqxQKe)GbRSIp1%66qAcfjHOgzSr{y|R-$e5@q{1_MbN(RVY|=-G
zc6=fN4)>vNeSBWeLQ0Z^!z?KtWV?TNJb$p$+oyz|Ru!|ihv=bW+$yFP=2Ks$Pu7C3
z)1MvVWN<woTZqdrc(R3JC8{`UEfc)>=jmr3%6o_^|5Mn-|4;Qt|4aB^HGf#k^9TLW
zBM)ZX*ks2oiR5l6%=d*6e34M$R8&9wHa}7}{nKUqxA4nAe%S&^Agk0pK3dgK)3Z&C
z^VZ!fYPa_edVQqWshU6rg11SIqrV@o*66lfqQ-Pn#EKEi)9PfhvQ1_F8-&@Yf!9p(
zoTzh9a+P$l^FX-Xy`0WA_S|&Wy49;rRCHq9U_~HmfImF^fCVCaQwhzh=)7#mP2lDO
z{2_-uOaSX>mq+`(>AeD)ms5fs3akfzhSCI#6tqKSqMo*jxEsYmFbvLj9A4;a`m)(l
zp<|MtY#-3KR#~FP(Zw%klkl`R$M4P7=IljqSe_IbyW4yL8W_%U@Q2B1b?^PXy1OW6
z9wQJ4vyRyG!8kjZ9rWzFbV;;3jp-2E9yPwi0NF=0odkfDp$BVGy=SSxfiKT55Sx4-
zx#_;g&S*6GLySrf=43|^p@;D&Zr<v7mSbb~S6j%qZsEIIH}}P_!J3fVIH=@(f3{1c
zINIBP5c$)UDH^-WHDQ@rDBaaJ5C5!xNz@2OUitOuI<%b|fs%MRm;h6Y7pjY&RyQqs
zH=otSD)R)YL@Kji(Xy=Gy6dUJFOCGXoD!|B4aXyh5z8EkUbm15_;tU?{bQMmgVX5m
zgP9)RXJ1<%=<jxC6o7-(uP#myeC!s&`7;}|*p}dxx$aM*3x|kV1rD=wr1cv{Q*eb`
zeT8A4o{;JBi>mFmV=njW^OMv>-5R^ur<TJ;C4p~=j(x35)ZNjZNwj6+9aal1yb;|W
z$Wr`deTh6j!AK&W{Beh~S(wTpD9JIlcrl(Lpof?~8Bg&tAH!o^%d(W~-Lz8ZVm`)T
zNF`0*nH;?c{v#!Wp|fVW-vM4nua-L}ONr9f6Kec6?|jdaICfK{IKT&^gH$#h6f`~+
zmniBQo4~g?q4~VFuk(TB=B?hMN4{c(I?2Si0?0tO=hp+hA?G`rWZWJd8~l;|q!sTm
za|Y%rsU;Sd9wm{a=O>Pr6|laRdz-BnxbebfXI>^l{O#EpVzc0N$V`mq=2>zzwXalS
zo!Nv*w5O2X{Sx$&56$32Y#zDPK1Ptg<YLMTo8&ijTcTK-x{R-|b({)A#+TA1)^DDg
zcx*9e51@z6-zQ4JU2MDJjslxDwrtH#!=}*!c3;#T4h3v~67|i$v6jo%U9B-YB0@QQ
zmk#1w?9uT0<nvUDraT!oxAvV6{)T46g2$PEI-i|Sogwd7w9m7Oi864)woenbvT|VZ
zizzNQ8XGVc3-DeL%;(xt>HfQi+j&dF?BndEL(Jq@voC0@$+7`jVcowOWP~7lUB$nD
z_Ka;gMW8caC@J3#w}+!wBzebVy2ZzzZ|_Wh5=20uQ;xdcIYo0WTN(qNLdhdc#zz6C
zvs|QG7}P~gTSOJ>-v<2M&3zBAu_NBixhwx-60n-cPG2}c@FGD2#;?3(lrEC$Bb#!?
zoj!h&DhisroNi1$2r(~qkW;sJF~>t>eGe3rQveCxG%jvTCN07kg5PS#AQuhdXESgU
z6jrLIVLRP&8`$hl{l<Em#P^WZmot&2RQ1Om{S8i|J1-lutu%Smn0DCidy`f>L#UpY
zkL`W2BalLGwBoSoZAm(4;wv|w&irPL(b3VFs9frD9yGuH_^3XV_@0-87Rp1+_uU9&
zjF;UP+8+kAy53nDZml<lRE(tchGt99CsMHsx}J^9$%hj)aXao5RAE!{_{%6C$d~o2
zHtt^j&MWV0FR<eVjBW?pxW*s)U`lUHyk{7U3et{uxk>Ch`#!RV0WNG5=#dM3f~dZ-
zA+WflMzgbRln*)Y1F^cRk}9+rm+02E;#49F400N8dCyjzL~hpri2@UqiZB6|(aGHg
z{fMSM9+>s&n(+WbYV~F5ve$-q%f_~1_ls21-H}Elt0m~~*j)g!n7hV&*J$xFs>H7G
z)>iI)lhCK_uk&e^{4j2aoZ`WAzI#^&<NNZKXugcaf`jgjfP5z&0V_3DIjuShNypG)
zE67scVPkza*`{lV9FqN{z`a{0!w=rIU<Y9rI!zW;%Va>04s-+W4cwS5MhFLkQz5N4
z?PevHgYUqkx4bS%B4giWkNp*>d;TT9+kO1L0>ig%*PNHuV^j|PMO+-)v}WsVE?%}V
zk{=aA?l-@+42v#~d&U<U->e!ub?5ChL}&n*%#C@2osIRa{ZZZsbvcstto}ZWByEkR
zkDfj9CHD&x5vfOKs;R=aMr}rW@?3f82EKF}zCc8S$SS~{>0l<jU+4>W?_7L)11=eU
z?p|}blBT+~PZSgie7*RSlr`p)zM(f7ghi`p-!b~b;^B0Dv6Alxe_IPlvJo7d1=YRf
zF`b&Qxb6j3U+CEz=)2w3u_enuuZxs=ioP0iwD>XA5!u~+Ek`25R(vsx{bkxnDUFs}
zLNH6W_lEpwOxY9t_58z6DM&j)qKm+K$n%Ecurgp<7uuPpKQjYOqXOH(XeF3KXb5k`
zANn0CIVQh6IU8wtb$P_&>bQH8zJRVO4SXV=|1v0^#6)^F`a1>PK<@-U8_kqD-ACJV
zV!^RM<$@~ClTucT4N2xaw(tV|DU;|^eUHbBD?R9jX*R>ht5W`^@dYv2G8uTXDxcr_
zE+zl4j+bmM4QP&|SuFS7uGs`<Wc(bIks5z48~Sdm`8^A3Q*IgjttNpP0D!Il1fT&P
zlOy&JlX4<szexFFVXG2@Whdlrh72r)4W9OWCY-yYvY_707pWD-PHBUc&$0C`qG07C
z1G>^zMUFgI@<D3dnt;az!~)qErepa2P<sNt3PVhm40z@ffV$Y$+Q;qCcxw9#h5+a!
zNwBLiIhXCaAGv_o#r{q<+B-Y-NF(eA%2FACC~dQ1=gv|_GqOY%*Gfl{y6W;j;N%+m
zLsefC;80!}2ORC9bfu*-m$AY8m^a#`E)nG|=<VAl+2eYae@)qWQA<^rN8mvruB7Rj
z{|CVF;d#tr-H=R9U6-ld!ukC4=T&FUx(V?$685-c_obKk@7p4fk}<<h(w?t0kE^sI
zn)WGSC&J8GNrOXMTMmPGoT3G^nfR?ZPVN^a*Wk^Vv5cKX?i8r=Qwgt{K_e(H9gKGo
z>GubhenrkHd2>j2EL_AUCw>5g!>TxpsCiyEaxGtFS+mcSKCs}h`9}-b+{3rnEmz1U
z!|!>KL85!`@3{cB1NJO-yXU8ScD%*DP+3T%ifP@y1P4E`{~bFY4X-%-hho=I)TFm>
z=u6@;Q7W@5b_S*~wQi(+eZ>a8gR*@UG40SusiPrmH?Gu0!nZOq=k#1CN$gF$ER|X1
zHrzOm;qcbQ<@*66I~?|H(qzzAbZL3|+e;h}|7B9Te)_wyQyLn<l5rw-yG8DyCFiup
z7uYNwis&z>3tzsHJtM;6=I8Dzc`C}d#j>xTrkn1Z*J80fBiFJwhNB@l@wZM<C%5Q$
zZ`H`0lr!N&U$TE1Eqn4EMeYIh+v>A1J75er5D*CNol_{E11NXW0vWe=I?&`tsp=tc
z3iG4Wt>N;t8pX}}P>vfIDsJm+#)jcP(`^{6_Q4_}OQb$*eA~`Fq4)(iK%bb<steoS
z4UCxOR<a$$ZI~=gD=!U_b^i)IKOAOl+7c{A^)*4o8T%1MqG__xZd}Ea6ZmQ@b<=Y9
zYiOh9R#U_GD_I#UF!)(e?)2mDgmB{u2hJIXgWCkzm<^}zk%DYYtWsoArTX<Heeqp!
zf(DXiGLBAz*&I1nUU<&$0<Z1As(7er&7@r2SB#tQ@3b`wITnRMp^_W(Iiu8Q=cI3g
zPh!=~&NJ70k>XvJ{lOjB$B*gtxQZNjBPD^5<dhunfql)Kc}|13zW#9zHs9hIZTx+o
z+#NQD#D!;g0ymW=r_1_|&1+19g3f1*dOkJZtiGOf%GhDIilpDYlEAu6jB&4<PL~y0
z|L}L=SV~6z=C9}3%V~GmjBQf_I;kO~(tay(Ph=sd#;~(xY%XnBu<(<Ub+%gCj(4Z{
zgC;K+dg4J^U6C^uS7O!e4u7Ihm-O1Bujzoze_iw`?q&!WG|-Fe!1>%3O9}9j9gZK)
zKRIwq9$YV|3QDgCf_}gp-I_HAeOC+));CIF9bt#BNnOv=!qvORgi{=1!?pw8-aI}3
z*{9s0H#WEZsPSt7n}Ejdev_>M5bth4dM14oH<7e3CZR!RfzLjmq;TKd6|Q^#GGXGc
z7oHUSg@Q&{gIzH{^Hs9~<G~h_ty+$tQ;y0gkDOO?ML`mjpPDHsidgdl7B@T1&C{yM
zUmVH}z$R;v#fsx>yTq01qqN;Sfp9rcCGWuiC!V}(+2Oz(e{6}7At~qJSk;LNH||CX
zC%fwx+MCwRlKHwW?Rv{eM2^~AM(5PP>v-YO!-Rrgc7%-;>E^wIl9iF&$*;$+Fb)fU
zxEL$&#^!90{h<kGWdMtxUfVRzM3-p~9$}n5O*6%JIE*4>H@0U?C2hjUNQ!wcojT}j
zZZdRex*K>K%S7hw`e3BqWykx$e1gs<vM4A>c#S_F@#ir2$?<7@HFYgwrD6CAF%+9S
z=O^jJ9^4+2z%ZPJU?mjZACe{%_NN*v-?x-ZxbyYC`2D=xZ<2y^><1p}_Q?gqbkzKJ
z*<3PF;IY-~jT~}6rW1$V<EOJDmDR1{P=)QyKy@%4jvdv&AA#hYb;%h;ao*q#NuVJt
zsZQ|B>wd%kCiqJh6Nim!V+!?({j|B0(Y!0BafZXisMPd$gj4RFl(|kz&b{lF@O`5J
zU%a1KL0-Lgno@<a9jtm|nM3a5S(su=H!<7?x_Q7dl!P>i(NcH9Oq0)`EtjOQa`J4b
zV_zX5-EaY~qPdQ}i1euqjQ6J>6%#giQHO<@3b)HyKD&sBtg)W0JidM9xu)6LKRD9U
z@b)OLul9GIw3xF_Ci|*)Xj9!d$&(R}GOG2;7GPVlj9%qc6gy4ZAeiLC;?Qu)PB8i;
z8SR=gtBvn3>yZj3EKI#06m06|pEaQjFA!qMQgq=QlLl{TMgF?t?`uRP6|8pu-EP#3
ztW89JsVva^>Qx69`&Rs1FuL-wy$<EzHhY~}tNY4kSm`4f$V!BLRR|l3Q~g5rpY=Rb
z(?9r1&Um&&ydRyo<d~lGzWHJzLcm@=dsQUEX=Ki$OqnyemdCv43b~P=3kO{@S{Gd|
zB4(=#wK0iS-1*v4WI_np_{6;R1W@weN$1xIbJE;8u1XJ1bnGL6YYc{0$S&|vfd3%m
z#1`zhio*(}@4oecNsO_i_#n?^A=YuhZz&&(x(kJL+Y?-DBV;y!0_j{-Wd)oaFPO%U
zf@F^%T|1$jWA5>cJ7jQ`iqq9DOunQn271L1=<8d`=?R$7k8X%o6O)U0mk3;nLiJgP
z+X~5Nd#fOb=}PXmj%duPlVolorPx2NrSG=hmjnFuDj^<2T2Jd}Z~iXCb9}A8*Ci_*
zhFyof=wKLQn&FnOiizf}U~MYR^R7fA&5cNIT?iFya=wFpG>-Yc?oHiK;_5QmYMx;D
zb&QW1E8-W@qZv6cACE(03H~D|ewM;Pzv96b_OurQd8=FcvC_LJlq<HS0~H1-yyEsa
zr6U=X6mb6)W0|xEauSpP#Ksosey}~9un50Mtz-YBa^#w>z*Z5}t9#YrAq6~k9)zX%
zr-rkEx6uRxjJ&ge6h!Q4O;)Rhs*NE|$EO6yg^un16q6lZ7lgQDKQee!h2=%$)7{~I
zr<I#8fR!qgXhzsWLV#HDu?K}&ilFD2HS-3+yq;4dRh9dZZHM>cwiMA9#QdJ~QC<;f
zrYsprjaEJ<35>5+xp3^-AV^usL&b%PXL<M6iCERe^8{Q}dATDL5p-_90Pb2UIH>Aw
z(syfOG7XMY`I(HjUPBbO5MSz|tnoy_l+)}O@@i1*kdL$x+6L+9>cyRfYlmnJJ>;?&
z=?SCr?bpT=k_6|oZ`tz>{QfuTK_&I2R&#DUiv7;KvRD+TIvM5GS8&?ByV;-P;{&MT
zMdA<)c~Jr)741HLN75xEUX=yhVmn%QYo6Z6jG&>dx*E`=020<pw}_j>USYfT0)cHr
zW2pn7Gl;sCp(jE&?WjD*pPemt+vXAbhnT?tlS^g7S1J1wx7%;(B;=*ge8--X0<h}n
z++f|gSbA-(2RXMJxz);FO%Aj%dJHIfNMFY=cV?o}+E5WeZf-fV6?xDXjV0x)u*{r#
zhtQ|=kusG$rgiQ7nBhL7VCoX-aauH_^f1?<tJFHHc%+LY$g>yE>1Zq8A^sHBgGT+Z
zgpy+W<>b(|=P7=YGV{t&&=BeSa&AhL`_SIoRqQGT@ENuLs_%|$+k0|E;T|^JrRVE!
z>C2~5kR?}hdnvL`H0#gr$v-Oc`3yEc?_RyNnL}a6&!n(=`)|IqnyCzw5A31DKV)G2
z&tcdDcBt|{g()e08H)m-DvARqx1r1h4syd>y3fwK3Cn|X%>OjRpA|2W8XNIh0C?tW
zz36f0g>w7w=dTjMOJ)V8xjsu-no3DY*qvQWi^nDtbD363pZR(&UDnPM7H?nsJ|%Ku
z#jIx=y(oGaakCG<p;TTuFpp)Tmg%3SV`5`+`yP`bnM%m<?R&KkRMN??KS)vZ*8Tbl
ziRRZouliLeyMfc7zu_?L4&|@9_4Abl!8RSe+&1_ZJ-#P$I0aO#wY`N3v|;1s3=&m*
zmI-aee!w{8uunO@$!z8?1E-<b&LmG~sF9V6M4l%0kq6j2%VIfAR;lOs-1y{zzBddm
zz*Dm(IBUYuu-MQaAFpR@MJUQ=P?Jy8WIenqoe8Qh^R!_06l<yg%>=CpTsaw&3OdP@
zdzcvhto+U^4XUKjWAVHmPBP%xHebXzIeY&ebGtE)tZF~s_WZmrqto`T-c>AYtGQu&
zcW|E2sybSbgLZud<Z6P??eNFS-L~-+8qEXB{N3>qo<BxCI4!m<Jb7e*6lR+wjWjcx
zooghUR+ee<d~2BjuTGT6_-)ONET^z}>=n-uVotVGha6_;v2d$9WW!&9gWz`r*se>g
znBlo}p5}dPVPW4?QG9?CVq=E4S&OWFdoBY6XnG3y2)ot^N3EPFuSCAvetpqLM1mJt
zOb(bIR#lcjdyDaoki*rz+G}ec{$pnzo!l2g^{ulg2Uw12an6J2_wV3UQME;0oA2Fv
z9BwyijF?ByUGc?#Kl6Ko@$Pke16?9HU<Dn6A)XlP12MbXO#{NA<(Ci+8)SSrqk!t|
z8G?^z-F9_=Kc1hNUn2`5ip%Z3%L4$opJ%%m{PKR{_aZm}z5@-hiY_&=-bwEo7WNWV
z{ZvttvSCqUzWKLwxkb3un|x&yoz9;jp$N0(g!K&&h&P|owM3w|Wltbw!*?=1YwQ<9
z*tGS-d##mZ`XtzG>Z4``lE4ANRq`n7HxwG}fLQLv3a4Z?O6;)q5OK!vheDqfx(&@y
zW|$0aXtyHP_#Bc<Is;VZLDa}KQPmOhyy<9ek%wH@rS5+I2Bbu=Ux{@_7R&DLMfq~y
zHu5>dQ7gnPS9%|REax*@!6m6!nTMjCpNk+ivSoh^)a&bzt9_K3{%TiA`NF7JahuDk
zXNYUQ4w;^#)H3JdbM#sdM?hnO(!PB^+24y*W_coxL(IBxuHJKTA!}hLOUmz5?jn8g
z^4kLbUZxxx+x@k}4Du!A=&#!u!@jvN+2!tQrHca@8C}6@G?})|;*?bVSF^RAdRjd?
zp+P=mld0P<n5RKD1;lmWsDGJ+FzN>n2h%4B!Ryh!z7jSeZM^)Cuq477cD=eEPFlzo
zc<(iSQP8{=SyeIEEsZFtmXGmvX}~63fL^)E>5SBgo0dtG^~Ccc3$e&A6-FFe_{mFu
z<=6Y$j!aR=2;%k|8qv|+%Xo{Sx%gYk02_K`p=)-JZ{CpxJNyoQDT2kpvr~1Rk0Rr1
zc`KTyK0nzgpod>yeh&T{lv;ACqkB6Z#4m-)3<;0GzSvH1)Z()ylk(W-Ax?XkB8O{W
zQtZy7LhZ;|@CVx7AL1cUXfMxchW-!Fm}k1)NTPG&9nxI;4!+NoOe0<H?uM{*aeOPA
zI&-0J_p{`ofqu_B{f$opLj00c04#@h#B)5%yPZ^%lQwnnE+7dBWEDAT2Psd#KByrW
z80?C>d8)Uz#SKscI8c@6Vvu0ICEaAkeP5>A`l8&WbGM}R<g1u3ed2<7<~3EtABm|p
zQU=U$w%*s07joGXuCgFG;BoVzSGFj@S(*eUjuO6PW~0D5C9GaP?FTih?OF>a$~>ev
zLO<TDu&V@)xyar~T8X;t{Zeu4Y4~D#QZx)=qKGftei1Y|c1G`q9>Vkv<6WTCKt5lq
zTDJ`YJudsgi0WUpnAq|09ubN#p8*W|*%bRfrd!e7e73M&;&-Ss0jRt~Z(>r-Za|Dt
zt<qD))@x&Dc)0O81LihHj?uQfQ66%fnnDvItYN4w94O-y%}!U-a*t;bDAzz-4(Prn
z<=PL^E#X>YAdFPLACwliGP6x4%;93ia;k2>uEM?EAslq>w2+#LOd=MblbR9I->7UZ
z#`A8`h!gNUP18OKYq&zn(nQXK<l|E!VM63)H?Qf#=RCydjLrz3h9^P8VGBLv?*QS!
z(l(H%p5WQFuz80(Z!VrZZuIb<Yr>y;`cKA1xiGAp4j6g^HMBvy`5!n9rc1Y9oHb_F
zc4bx4fBI>pS^U-dlNooR_|wg~9<eX>d_movZK2$(21eP7`qeFNh8on_g%Rfbo)6S`
zl=7#ql?IM0M&JT_mExp!q@#Pz<3DIf5WfG_m&ty$EWQWEWlxJ)fsspIfBw;|mT;pM
z?ItBv**XwpKj0~*|L11ms5>~i=U2?0SyDM+GS+vHj*Iv5<H@;SFL=8C+7OR#V&tiB
zHAJV4+WW;QcseB;&seDag~;htaH2e_CY)dDYRl%ty#2T2yG*Iq2S6O*>HE0uEYz0N
zrkc2#dGxDnX4e72va6FWXB%t3COc{5i>DzrCv6)F;r>Yk$~GshfG`?~Mz-UEZfcM8
zpX%^v3&_5y;Gc_RchicKQ{7L}!Wj!Op{aZpN_+W*k{bg*4s~!3R)U)UiRO8Zk-PbN
zso?U=#Wj38Qv^|BhD)WUMucVVW8$LLfVlYYdqP|7v$H)fax<q*d8qUS3^RGuHSoXL
zHt}ky)Ue`}7FGyf6FH?eSMWFv^Na^zh^+P9(&c=8{yAQI^!2X%eq4Y9q_JC9qv=lf
zd41$A>5;_<kyb=wCM!YC@E9m7XHa^u==zQI(1bwxtme6rv46KA!0Te^4k?gmEl`&@
zx*c>ur#4a3v}br6Vn>Xrm?f+yHFB3<?2^aF&W{<-l#@e@`TUIvd#Wg5Rl(p_y?$e&
zT{4j6vORAIw6=jGQ2sn9m5fA4&heY6?PCRC8?5X_QE~SbvlJQuXo3SCDwU&XUI$}5
z%Neb(KQ6Wfc&T4L8!R+JzsTLaBgD!PNW!@w@KM-bWbb*2W3ZW5xf?;mU!|j$X<$V1
zFJ)>e)Ykd85ua<nP7S}&eD)Tm%ozuT?YYXk<a(R(k|@dK7^$bRT>PB?qTC2;g~1g!
zG=(@Pz;}-+ioB@r6dw74=`f#4iyv`x2JKsa7z4t4)!$Xu@qv(?i6@m&_#?)q^XPzs
zI@4WIi^T-MS6R6r-6s9JuKpx{AS#Yu*d|FkYQnrMj2^QUsTNG6Ww;_%9!7ajMBAhn
zIL!sfNzoxB@le?jFU+z2siXi@$(zQGj57L&DQY2cA9u9?Tw`;+Y8#gtZdLyQ1gN)n
zUG=tt5}DNn!P{<3EZ-}eQt)}`JE)4@sy}ON`kET|nHNfK8}qzRgHzR}WN0iG^mNlh
z14d;t@|8rPO)`2FTkXwQp<c?Qaf@RXo8o;PTWFA8L%)-DRJ!@sINSZdf4)o@AHyhX
z?$X00w+nPU*e5@*)(ZQ`we#%8X5-<+Vz<_IHTbnt|L%c84TXETScxW?QyUuN$n`S=
z?$XFg-l$GNGt;dwS-eAldkrKm^6R*+Z+CskaUSOK9SzFl7)C$*c)3TJq0Cz{&#fhn
z(#2QVm-QGAvH92BO==WUasuag7PWuhJp{FX3U!cz9$`R_5{bJ#>S$#KcWvcO`MTCI
z_zu6?Y#`rEk4e4!NAo^>zr>Gm!;~}myH9#^#w8RK_kJN*_+Kl?za4RDHuz~i`+&uN
ztDE1wFe?gm!+#fAyfwZUt@k;OCE%aWhKP+^H>!*YN*w<-8E({l`)p0PAENk>9`NYr
zh7Ntr9$znfNNww|i%Ixj!D7_*H&tm($!!<x<Q!G^?B7g+6!5=A-2V@ebWhc^w6uRR
z4p2tVgZA=Z{QNs~$?c<#=wQ0;xUuI%WgV<W)yh8IV0)<392x2IhFUqMFQJj4qRrOB
z+`g}Iu`g#*oB<hnwCv}#RePE)UXrXsQnn@35kTGx5EL}!dy0z)jBh+EymIR)jB{_o
z#3b<KbvYL<0MqhbS+0_32N^fb!5EmRs5l?~z{}-Degi~|o{s0E9<H#pBe`1fWa~a8
z4FocmjZKM1?Eiqs;h0g%37WFUVcfAzVGrn|BX(drlStW=YF_}^vDLHVW~o(Vwe@L2
zVxUG}K)Ze!Jw4vcO_T-$xZUbpzf6O{@e^Pb!}NMUa7!}^ouIy=%86C=?8?12CM!`d
z{zGhBEdz^<roR4O?S996??lq)yZBq(TT$eFG6TeoAOqzAe$jVDQ|<b_N01`~_<)eJ
z3Nh(q2z^iAJ~QOyE|zbg#-619M1K{Nw+g<IJM6n&WB6YC@f~)CxIHE|0S2QqY~eaO
zqOedTLv!m2yk=5^O`BQ}NLP?t9|R2{Wx&V6CDE+-glHHR0ox)t9QWIFiw%dft*03E
z%7K)oVI~?*>SbZi^ttd^Fmbcm8F|O~1V0U}4&W6R>tjV~FyIA}(90i4BKIsXJsl>b
zI*rl#Q!>o-Z0>rCwD0X2(_`8|Pcx|U)<RT{MjJU&!MLi}<FDt@Wc?9&po(o^`0};W
zrpG`7KZ{M_%1ug9g07wZbz(&|V-LfckBZ{(U6Bvl#<LPo<+aK|Zi>iinpkh~#WpA+
z{w#2q!DM#VGo2b)7uhe4Ib0P<+g-1q!+!k4CN}JH>amlSai4DFVb*M0?cu&YYsv!r
z`=&o2<+qi<LIP`9=-N$VX4FB6dQ#}{OVG7==ZoI{nL>q{>`lFr%9pc^xrF$bQ)03z
zwR~VS>?x_pJNNLizk4&}ZUeLKbI*f24`#Zf80!`AR1=;TgKk=>eeIo!h%y42f9}=`
zU01iU>04T0AokzVQp<E(48{Binu1TZ84VwIBrAwu)bXXZ$NT^0Cj3X44__jSuW6#G
z<~;CIxVsWobD6)7)ooBQt2$O^2GQ1N6}jD2n~qL+s%sfk#h6zQ##b++EtplscvOAd
zOMPXk?p!dgm6Y<H6FjqnouyU~eSdc1L`^}$jQUdTP8#%T;<#aa6l~R`Vo)`)W)0N}
zOGCZ6Il}!;M!Z^7<D}xTKBD^2UaH(|N-?dqO8v16zKpecpO)SB{YKxM$I*l<PeD%q
zY>FPZN=v3mTgVdJLs@Xvvw4zZ$<wP{q-HMXVoGaWrFDfZ^}RRr<SdmZh2670y8~i$
zP=ByLa;R2twzG+jXB>s<wtM^_TL(7ZJXqB*Znj>P${bhv5g~0C3_JBaS-AUnt5i2`
zRz%BO0vqi+W}971u0Zm^$IYs=0@<+AchDIGZ(1rZEA<P;^9MCPyR>3(IE=5Ha4qcY
zBplx;EGAbUJEOiIzgz5MvGxpe@j(q#H34CFSBIoP;U^J7thxA{BlgaEp)#|z9fbg6
z)9F>yg8XIv)B`=E4+mcz6briLHDnhb));4-JW$q=pO)@Z#uUV9Q@d#5K<%!=O6Oq`
zE*)$mm;<gPwpl>4YBsvc6pl_MO%eT7k#o_KQ@Z<~sLGQBj*7TH=GGMal$@h%R&YCy
z%C=%#4t(s*{~Nfr0GH8@-G5vH!wMhDaCNeg@-Mqf^72Eaz|2+EOK6(fO$Lo0NbY^I
zW~Klf1$r%8JDR#FCTlEopE<TCsN9}%<;<(L%xeN{5%W!cn(pOL9f7%iV+`YDMwZAg
zdpnRx+Q8l!tk8X1VV{jBi*R-PPnglFDlgmh0ck&>R-ng|9ADOHDFA84-@aX>j|vf3
za^)Ykb?@j}zl{m>m;8vwH{l+)j6NzP-I$($JFhJQR5`x2u~b+6lM@D=)5F-ZT|eEX
z642*yT^TDX#)H;}es#$WO)bpb{YmQm!uh3tSD8#`@k)ewR<NLk^NOLv!52@bPniDe
zUe=8oQSRj^^OvjlX~)~Jz~?{}Mf>2`rXev&V4=>wRwf*rapK<vFEa1Gs=&QO{<Be#
z26x(6YAZr?_Ka~$;1!2r+6QW}F={x;@(B(N`}%Z^5xRwe&)&2yyv9C%vr5w#skFmf
zpFc!8UBj%cEewoNvMl0X8g8pn8YsL4SWTqCroM5aU#n=e!E>0w?+~*!hDfzg!Hmw3
zeZ(;Lxr%C7##hOp#Dc3eYw;b5i4<OQ_ImZNKAa`MeZ~^=KN@cJiXvR<He#C3!-vE(
zg0jT%>k9su)_BxqK)IT7VXD7}P1p;R7n1Ai_fx?ga=OB6Q>6v;(gmRU#m1e%>3%s4
z#THD=@W5R}Y3IxR9q;myo)@_9VKAOpf?zybYH<derZeF(KR@o()9HYe`F2WU4)MVS
z(rP{xL5n&1z)9eMDx*9xBmPp@KY4sPA5Wa0F-;G-UqpmD7Pv~#9zZ6C<rvQ0*sP@f
zthGpUq{?fih%2J6y4GT;8Zrh7UYnRP;|2Q6qj_?7me}ND)?T~}*uhju6Q~4V?VK75
zy>Ya@EN)XZp~?HRFCfx7c*kd|Se@uv;&0csZH^@$phrwHUQtZb_=~>iBNjGhyv!S1
zeT*`Mc$w7-ENGbK6Zb`YdFDl)7@1{HMCY?w>^fL&fNSs_ce!f@gwqYnJEI_RN<;r+
zz6^PERu<UCDJB=`;l8x7ucKyL{{(E1@zOr9^g8#4%bo;F8EJ8d)%;=#)==M1GYpIS
zwB97SNLZi^_ruBHX7a<hVoU5^T+$6C?;`YsXY)@X1Qq8=40(L@%8E*Vt8yh%=+`Mh
zuv#q4Xg8;0H%pmar6XlXPweJ_gJtv=20S8}fSnTL&Mm|V5nKPD!spS@=6%ekp=C|*
zhqetmLMG~BHW?}G@d8Wq>Xa^ivxhFs2UC{^Kq=s@2C;3O{r*T#5Dcx~U+;qub!Lm!
z{bpgGULVl#j#6N?p`m7E+%aPf?ust&cDD#%!_=e;(g7*>&r_~2r47^VR|M<fVTQYw
zG?HFjpO4q{Su}vzvBNVoEE;XIn66&pJceHuRz`}WW2z<zglXpP&90_&XEbK;o+9W4
zZ?A??4XT=tHr;f$megF&lei+=t~`O1Oxop!%SpomI*IfZYp`K>;1jQZytbs6ekgbH
z-~CmCMWp?1`IcogP^3(vdA6)&@0M(ba{o&0+qrM;6t<OqTK#eKf+YvzT<TG5B(;2a
z{x+k)+qw&qnN8sFUKca}ViGRV7CuLg#qPvq*X}qlq!_dilyY+ads8_!>qdpv9w#D0
zqPf<j?q_cOPJcBSW2)`nI`vDxNC;ZULAk}51Usi&*a%1xI8M2#U@kRX-=a$}Nea3g
ztKE(b247dh0qLp;e+|A2u227-3!oj0<wzjF<#ruoG%8fE^n7JMV`cMlF~pd(Wz>6+
zs&IPJU8*#P4v7dT($)v?u!WZ*dNVe~&uwroUJ@r&u`scY!aeQ(ZZR2bzObHs&*e@O
z{&h~3V-q2GF+fUf%aPAj4}DJBQt?;$E}5Nv+yd{VfL>?->7JE=xw`uD1)10l2FrQS
zP<w`i<Z0AnQfFSGhb`cyd(Sz=6DX!2qyaOnb+tQ4S!6Nyc3FvlHVxy-ZKOwT>w#~-
zny_m-r=Ub>n}}bHvdO_a_-H6S?r*c4GK9bE4CC$F`3hqNnVQC!MjAz;_iR}TuAeYf
zaWdPAXh<#&wn*ieyb8Ee%MUXGO63#<etdoq`x`m2eP&I*F~o56{nWsTJppIgL3UJa
z+s~;F(btOx3_hfAZ*o_(dpWR`lwx>uKm0Badm|u1=_I+6Xiguc-U=okaD0FL<e%g6
z{O<97Q~ND;*xoEp6bkUYscE>ZoSk@I{WkoRy-L5#wqS<T;GF!)WBz1F^<mJ5QD9P&
z@;fr(rfpNR&}R5W?d8Ji=hA;(#Z70R|M4MR0{`n4h5zO<h5y$G_;+LAe+K`XX8)@@
z9R9c68Is!n3!i_#H{gE=oA0d;_FFUPFn-@Jh8c<wi1=YWp^}s`dQ7R5Yf|_T<Llg#
zvVpceBYhyfIlba^ZZtk9@2*ruCXKnY_^(=Kv{~MBGashXEE8N!14WH5&+%RrNc|3r
zqLm8kd%tlZ@#NRfD#3Pq<dqJ*m<n~^cWzTKQs?9>iO1xD==~@M%b$m^3p<LrKOd~D
zp$A(s0ks7D$HSM0dl3F}?f>Gl|ET>R5C4Zw{&R2t-`fAVxBnk-yX>7&T^y^CSzAg|
zuJu1vuGwkYj$_&PH<Q48^oTot(9z$m(VXH|B_+@_T9QJR9VP2&+)=NKw3BD#YOCL(
zyqH5tsLV(dJ)5^vRI^b;{J)X(|H6rXX!F35FDDJuMvF|arF$KFo8Eh0Sq-fVCWT_H
zdWgaN_1uuF?*G%?mqs;}ZR=XsYl%fEsD+4hg^H9SQh<WAu>b)<K&1ymO6l838$!BM
zC5?y>kxtqOC@5W|Z$c790qLcOgd`w6Bm@!?2oQ2N?~QxjIPaW$?tO3EAMeK-BR|&2
z*jan6Z>`Mr&H2qecfJ4gR(DB7(C)ZgUh`b4xy^0_OVoYIf7DR8lfAjiEY2%)Vj0xs
z0Bb!|0yh>zb*M%2VF5THjpBpZ-01mMo(if$w(WN45c}uh?C$wv@|(SP7rfDd$u^^}
zFuR#6-$(9ZoK09^*d7szhd^()-;^jHr$kxm09!|~+%duQn|%d=Nxcc`!im0)G?^PZ
z);!w%OuPB16t_Fl?GTZ`B#rHM*WM-iJN4vV_qYp>-kfyyX5bl^v9<E-YQd0?8m$>*
zss{<Dr5(x4muVesDq09{@%oTBr0DLZvqe&2liuorOOxIC*>@8r$g4YxLMN|yNl0|q
zde4`<ZtrJbekkz&IKE!@#%k}u%GLlC57za%;alozxI%}oEE|JIGD@3!oHx~Jgh!#%
zcW00b2TqW2A-x;LgMtP~n$!umc_eCZwF*l&d>t~ql|V@R-a&19MD<#d5^UVsP6hkr
zsP#%QCc=;HM!@H<kF$po7j|1}p+kKT)FxHD%m1XG3(?G`aV0yf#`s~kI>}JDkh6R&
z&NRB?K?7Qp@kdq%s2a(Uc9IbCo*hq-T-G+y;~plD+voT`%hlazPI!~ae{vQ23oNiB
z0$ZtuuMnptUSQbiz2~Ony+y1tNFn`2)H7jyUxIT$-rFdM9@kV=_u<Z90<6y+EY;cH
z+t<8^TVNRcY;P$1<QL}Xq-^ZHdHfBGe*L|NFQp0D-UII+J8yh8{5m_1omLOoNVeX}
z`<DY#Masg*jM-60rQF5`vYMXCp!1${=h%GZ={=!((#uEP%_Rz7M0>jfO-eC$>U_I~
zr4R4@KK;x+rBsFeOV;+dk7Bc)PE30eSMf{Ub;J^?DTv|jwyM!RD)b)_256tJJfrXq
z5gg>Txtibu36#?~ueJBBnYQ3Qq7qXPA26jO(i5g9&Z{@->DU{hXT~t1bVYf20~NUs
z0v(#}VgLjEiaF`_5Q_?M=<k#`+WA9)Mob0yzHZ<uHlHcwH@Q9D`v#`I$Su-nQer~%
zp?6njo5=Yix+jdkZ8FHH-|RYbRpLC^jEzqrFws<bER5$OnA-hye!(ivEB20)TWW^X
zH!Fs~B1+#pz;RMPq)kQ(-SQfGdDwu*dU2$tMlt6R+FLBbR`ifI950>bT{2>*!&58)
z>1}jEa}iMm<$oxjByCL69(1+J_Uj5PlW%)tzxjELovJv)S?nq7ku)CagQxm9CAWyA
zA)QC5iiD={d5-z2Y`x!}1VoXuc+$x`{%a#adq7upW!xGt8RoqgN%cW9lV#*bozK<p
zYtD*8<aXBj<~z<Fe2UjoIbr;zhwOVN*kLXt^QMDgT{ZGUx)bkdjAW?!PdqgUp?GfQ
z?7{ZQtFwz!x;CSNgP{$T)YHZ^_E<1Wf4R$D9n^5;_?a<0HMH+03aj_#Zd1)AZf;oE
zkg-KKi>6wG^cle^+@OX*8&QkxGBDe0zCGT}>TtVjzT6UIcg{UU(%2iXieGNvHZ26W
zMbBi19Mm^A7Ax?Z;go2q6TK}WUBz4$(0);)%|1GD^**y^+QQ|`fU;%dFUv1!+PPCH
z4I@JITr(Y`QxClyBUv4vEW8(Al7W{{ig_N{{^YJn^^mcc%favYlufgdPW)|sfu)V_
zPS;$7N&Ef$92sK(UMobo8&N4Gi)y%&RH6u}tEs%`8M*p$PFn21U$8B9$ovv^V@EQv
zUM=RijQ%{4vz|H1DtlLf2<9*1`~2X>-jVobNdU&xmpdg!iK+U(-<TcC=~`KKA|qGd
zQ`Jk|c#GLd3FQ$voWp6_xD3CHv2zXU0}*a~9918+z}C6OCtcXImH1iTlTYMW>7Fa;
zz=N;;y7HFRskdu=USGfL3VpY;FuBRRQiBR{lVu1dSw$H-7^<`M_vejg3p*vOQOLdB
zL4042f*wC3=P9B={?X()=z^s+`1K5RC?k(ng$4(K#gtxq`6yQ6dulDj5=_NZvR<cF
z%$}dSXJ=<e;OCc(DbN!w&>kL(*CP8iCJ%v{5F6!R{xa~UAz9Cf4;)EjGy}HP4l~)s
zq(d!RbLypeLtH8;3*?IB_ThKdvr9_rH=2Dz9Xr}vnTPr-dMGa=_MDQNPTm+@!;sd;
zAnHxtLFmg`m@U`^iQes@gJK1%?<TNh2ZIZUB?*kn)fH8>EPE%!YuOX&*CJeKHO6m`
z_?fGXYL|J8HjVX?M5TQll~;Bq%Pycrr8%V;7@ytOn3cWR&tX`^>#>w|?~W5IrPz&I
z*49CUWDMUW0~Dq#UtJxhj^mFv()~Ir=W+{WOQgXK2-f2Ux{={d=1|<WGGMOGv5Gis
zu4lxTQZ;DP6;;@yyXXn5bju*J_559~S<no^UHdi9kPIDp3JL61jJoS6HgQnB%a!08
zL2FuAP$b+Qq0BkltWn$<*o|K$2W;ruI_5?lxMpjMbBI{VI~m-B3f$`K>0n&nW%6u|
z_AJlFeBJ6Q!a^6XF}JAYZ;m#G`}WR&qMJ(vX^vnA2OvZf1m|uBg@LF=9v&VuM-+7Z
zr4OUl3po(rpfre)^v};0l@U$U4Mm2x16&;)sT9uG3Vp^>vxeg3$hr*uK`G{InXj|w
zT#E`!8(S0tbFe-elbz?#yD+J@+0}nEDJiKV7$EaTp*HLA{G>2^OH?p7Go|&2mCq?0
zGl8hCNQ1S~GNpa;L_ADRq#%80wK50I0G%4qj(eW2AH{q|O{CBL)L+#dX@I%0dC^w6
zviTQPz+9;7fqKv_>_+#F{Bp4rCR3=@f!?cno|Pp?NJg2b(XWMkp^i1=!FLaQU!Jc)
z;BeTsE60t0$=}7=rr&l8-#h5!9sArc>c$L~gck6#+iQ0poD|KKPD*CeH9mY1Ft++4
zYP>Vha5J!2R+T#jwgYPqr*3b}W|ak)c%S!-kku6Mzk48}z>GqNBQP!|DoEI7&(avW
zs{W$ZprA!V%c>tMM=qF|bJuJ3ZF_b%6EwWSCUJ!tD)&1F`pBH-KG@_g#>rbEZ*7ew
zO}kFq_(P^aM8hthG4USFy4hf(n8|CmgV})XN7Ay=PjxEX(G<KWm#j{nFqI(N9XNoj
z&Fw-sU_7q{p?>cnM(Ch`BU)a|#CKA-u@MqRVG!0bK%zd6YvLVPdNi+#pw6-U7r?$0
zk7APaX^k~V*!c#xj*Kw#h--BT%*mJ10HMx}8x);^HM73TlB<HZE6!o0&ML)7t^oVW
z4&TLlxKF;mLgw}#rTYL$8vVz_@Gs=Q*hS%&4H0}Mow)P0z{FbyAe{xH6>hLqpbS}w
zjbiuw1Q7wl8KKUmJUIvyrpvu^HYG|hmuc(A&20^!9+THQ9|hbBc09q<hWF-yQUCtP
z`u3UkKV$CM3ns(0LGDXwZwN*TTqy{;zwz)GZqPcd_Y8tzceLd9e4YNL2VGqh?1%H{
za5Dgkd4a`ScSt=8EITy^pE1MAL!ws<6T3|2UUUNKR>9j=5)TB1Gm7_d2FodN47wKo
zuvh0;CLOl2wLT{LG;Swn%nqxyPWKWy2;8L+9m69*Zo)5{#giIvj(n;LLj&H03d^X(
z+n~QjY%Dwzr44V*D&u!lzdNwDp0PKe_;5~3+^N2);=RuXI6rm3W488PTa~0S((S71
zfD%jHATC$jEPbQ1`}%T<ujA!xsoq6LWQW94Su~<wrydpK&14Pi^*@d6=WS0eU}Xfi
zZWcjp!E;?~8YCl35COZNI%dG`r1YvPY}0$dZ(#ScH$SpEao6_9jkUh<zE>%92!MSr
z*XU|nw?ZCqihRk$>@xI*XmQ%~7O6g*Z&KDR`=ZnHi>zxX)#1?5{@yHNON%Cp<c3S$
zX#Q6DqF<$ZzTdr(qzC^+rg|GI2hn88vp*D7IbXd>w#MQiTT?{=mrg1bnTS+_8-wp;
zN=9DE-5t6!97OGkNMH9X?@w1gmz`l$jilzII>-N_(EtYhqM{ZP*DLO$?#%TzvACes
z*IXWs3_<5eVjfJBNk*Zojei!2E0qWdUe4nV^-~40UW69~)_t$Y>hclpm#+rpYd!Fy
zJ3U;<tiUI$n9yIXv}2bT8Zpnyk>2#jSUh8>IjEf4Cd@h8tLhsC?_}c2D-9%D3!dew
zPd@5!imq?rf$nG%!oBcpy2DT61;IR&vP67H82hx`(Sp!U`AwFvV+a2WWDAeS<|6#&
zHs>qfm7^XE#<ZoN$E-y=lE!bNg6W0<+D>CE3Gnw|829B~)k$lx-P{WdMjJCpJ4Yqe
z{!U@`9@f-6adhD0$<?j)h;_oLN`-Lh`|{cBtcKuKyWFVYrTXPK&vMZhS?Djz`NxfS
zW6V`ZA)PI_O1dNU`IA{G+n3taJ5=g3kPc$G`q-GYjGbiAczqzfMKn43=oeFjbSARm
z7jpER#*8Tb&y0%|lepW7JUPwzW>xWr1%j7mPx~p&8?jwcCYqz7wGabKq_Ficrrz5J
zta&cmDaxVqrFf{ZMWx{5>k8>-KXfaimw7f2BGfe`oZEU>I*oO-lfqeUwz#_R=gKPK
z0>$V|&<y@x4}9pj|1Hg>AsD=To?n?8&0>M5t~kp#C!|Cn>^djgXil&FrF2VH+4#Em
z*>uY{{%8anM4Q;1D%KriG=*=bc)_5Is?FblYXXIxYGa_adq6V?y;w}hpQLiQ+w#=S
z;(PCgSEcN%imzO;eSPm8t!$OJRH*_hx%ZBPqlNN#HKR=HH}?`)pqy~tqMHKxol&|a
zv2LlrtrD|Fb~9`6*rA(VO4oC)+Ug5n3&E&M>69HsJ3OxD-CW{)(x{?>|0M_V^4eo_
zxyh<6e$FbmPCvy`c@MUpr@U!I&`H;8T>6N|l9v8h*i^Xv<{nSo@X?U91QfXEI}zAm
zX~hn=%P{4>U2TcpAeODzy?ff$z}WaY58TsIzMMhO2^prWU=VDc*4Tx6@9c$aZ@Om4
zpfw0-lw$dYFO2l>EYCav#cEf1&o8nKsMWKb_2^-Lx8hZ@V)h1JUHKlu3AvJS7*c8r
z+`EjOx50gCf2oeAlB$5bm~N?@pQjPM@!4FPWp&M#&1*2I=1tv7?#odvMhp9J#Qn9n
z2OSwxy#3}_aP<4xKB;T(wnb>q!JwLa{4HPx+jTX;{w~w>1;xgtj6?d#vZ7?1b&KD8
zDJ{VsfW>271QQO6#`E-$x7lEq6bqoYAk=JqfKR$|@<fFW1Fd}i5?Y^Id<&!sorn#9
zW(j7?dew73@2_w5?*YJ?vk;Nqox@TDyLa~fY`#1KIKpyWS4JzWaxE3R7T{;xqpJ)s
zQ6c@lVoK+ri|_yZGL7?`n}c<VDa9loBKAG$*v$KVI=6=7;inYyEFZ-=xlZgreO1ZE
zI9`sqBW$giBPKp2_yEM<dx;g7D)c^gG2YqxbmdvBq-L}9Yy;c=dM)N^%-7;quMmaN
zw%o3V0-rWbV=+JYA;Y4hb?YbDrW<Q_Y<+zuYK{u=r(dKVH#Tc1d;q6*xm(9c8oQSK
zhH*P>C9Y&DzCEX7@1$b#mcDi`0#|sP26Q6hlhoMg!@cwnuG`sL<_N8{iL3R!9N7~a
zaR{ZCPHwpd7&i5c1&Cvsh_c<=`5YM$=C#?+LuRggu&L$ElvHx+IO7wBTG{o%6{`;8
zI%kZ1-v)f~4T~biyY7*9rV9To2N=K1J>+kpT&r{yBfSxI12=lf)>Ha`q_OWwL!^!R
zi}9un1XuNGu$mh4w6U+VsAoI3Fy)YoQjGKT*S*dpFZQlnf8RB)!#^a(&w9p477E%j
zdGC;w<;`AGLUW{&`Z)j_9}#_E8H~WXS8m7psP6ovLq4I&iIakSy;EO2XZbnzkD{jt
z9o(}2+sX7VAcBvXn35_8<mf^I2-!oQxsF}fae!hpNz75|<Kp5h`bv&LPG<}#WsGpp
zdL*y8Z(d$=N0nY=ysi9EC?VhATV2h}Omrfju`P~$kJp?aO?gtEbj)-niC?gG9<RRt
z+5{aoVCrFBY0+(wXhy9^%Ik(+v*&FqCprc01N`;9ssd?^6sh4Zk4M4zv%S6g8G%n`
z6)mnpjn3#-^CXWcpHRBW40saJqnrCvmGjQLdQt2QS;~dv*;%{J<$RyC9e+309961Z
z0{yN1U{1H}nXWFxDR)s*+(Jf6t(pu9?p9(nW@_>T7w)VwzP+B1cK!LY@PwG>LrVAV
zR;g^T?ZNd`niDlj=Nr<A8ADvoxfMNw6hC=A&uh#I{q=!_ju~?n?Ra`O+BM69f6?E?
z{1d&|Q=ncl*}T6y?KHDA-cHNw6plB*Fgx?F04n{=Ilg}9+j{Zylg7S^`u8rR%oufz
zyvG-??slHuvA;~Jd6VX$s|!^LbPsRa?mfC7Wm={KO@gWSa67)+kFsF^L9R-NE}0F2
zh515FOf+L8mmNXZJtFo#6N-7sad(KGU4{s(TlMaOmLlD5w*n)Rk$Su}v8Lk+Xi57a
z%VR*?O!)g`)!kaIZE{8Q5>q!vy-}Df%h56(=L3Zh*idN?`G-C~s^uA75-m1NSp)n~
z_hYyz->E%SO)&6PQx=#*?p|i*2DzmGDPXdDTq!)lIR;u0?fu)wJ>?w86X*)RX{E5r
zlbriT-AI;pN^PqZcU|o`T*8C>Rihc!Pk){P;$-*t!XI@R28C@y(B=bL;;UH-y`pas
zpB|c*a@LLqQrzUR?bSBO@P}2tEiHO79BglX{o~-5j$7Xh894+!4Cj5WWRjWI4_Ab%
zK?kw$QH_!Uz1dotlRWf?Ufjs7cI>TJFlwIj)jbOJ;1iLOLZUp#O6CwmJ{8lkd4Z84
z9WYcdwJjSLu>rt3b#=YqKJ}E^VkVipls<PDh!$*TjjTw-WWaX(-~w8aQq1g1fP1vi
z;zVtdlcP3Sm^8-1MzGTX3-TnB_?`t0&dUw^*apwZxa`-|8KFs1-OFFCnH-jce)+=A
z!W}pE9e1qP*fWAv?YwFo4ahK{X)-;7c!WTs5{#%`)~TE>Wh~a2r|Q&jKWgL-c%tP_
z?TQPSs$h9O*@&GoS~dl}<fP8XhPjJ;#i~e$29m70&qSkF$7@c?1QiV!N=aen^9UZO
z9rL|_xq8nhe0ex^*bioXMQxQDHoiqz%?_o$6sK3lauzazE5()0t6~V@s9MYedIHv_
z5B`|r?%rH0xFPqXL!wr0BsX~=-zojnh!ELV-6dHV`&hgyQ*BZXs{6yp$WgYOC`%e5
z2PQYdEhW;_!TeDAht}NGRnzKSko0A^hJx`E)ZVvUHLFZg#*a$pVHNJ%#<h>`?5&Gm
zEr-;wpq9l9ogfOWA!(WYR2%R%I^x3^^|@p<K?%5q?9{Aj>H(MjQFe4@Leh9KbY1H4
z7)aBrtIPR(k=26-B44iT)b4bfp--O-h!liVT_sH?p5rRy>cUOpea*@j4#m<K%D0+-
zN_S`c$}Z@fS$?798NRIJ-`e;aW;-v?6+MuCsAj<?|3so$q2TeA#TuTF^}u!S?GcYt
zJvs1|{!Nu3O-kg&mU&r^?FK`apTQc_WfFb)+QEJ+^#i+!@kf~(_r#R02D*ha{><F;
zsqGXC;>3aNqI)hDJ->VBdBZ~Nok`FcV=?fybWE&jzaGE#o>;-F#cCVIPT$c0iu<qg
z1dk$i#2VP_nM@QTH%r_+`N|dMsiR8gXXbJs!Cw@e9}WMj_Xaz&hC^Qu`_?JBA{rS~
z<qR2f0EUQf+z42QOQ1cNB-1U^y)Q>#QaHG02FEN}u?fD+R6aChcI+|`+iZculBi)n
z$7omOXQtEn4FewSqPo_UhGdsDwiXnecDvXsT=D+B=%vn7m8)rZ2sf~yHD#gAxTA1T
z_RM@QF=BG>c}j}i_3iq*G~1WaRnMeJI()Xt>xlD3D0h*n6?CgLJ{%heqze|hDxXNO
zt6ff#)yap^;fkMaS`47OGrDRbqyG4U>4r_Dhuiw3>^9B@|7@#0JyBE>=oSRf{u4o=
z(cn7<^PE3FO{Cq|3S-tt_mDl-mQEZZWYD#U$nja(?;`+Ka5d27SFd(@z#g#{lMMot
zjgrYkb<%hPlwsGfw=wkKh2~iq=#`v%&3ZnMmcUN)m{&Py)DjBh>;nHeE9B!+q~*_}
z4U5gBn;12+&q#W@pM2=Uc&P4OqRxay2M_RZOX7zL;nB&0k7TUikv6SjD_QX;gba$w
zlM&dW77VWYAuYPatd#~?VIIMxvy58`z=m!03kd=w)3vIIQhZQA(9`dL?_Tb!Q~yLb
z`dbC*?|t0ARgnI{)&DgG=D%GF+ZToY|JeRUdi?9+{I&59G{k>~+oxagg9i>A`)>ao
z0e@ZAzc&7ZP4qt%w*TkW_n(P||5-F=Uq}7F#qh6i{k8G;xcvuXTRR?{4@9a|P8_iV
z>Xqf*KAYl8+aAtOxCM$R1EN>lZgnzp@vG8dp#J5*hqMG~!G-B|8v9yl?thn7YCcD9
zL2QVG-{#t8qys?%*oHoN;YgEPw%mRJEc;ua*cG~HqeZvw+`K6Ib|oChwl<P0;TYJq
zlyXkeK-7uzK*&rn+b%NSXJ-)MeVO9wpfk5@-E>o=xqz#7!iZMk0Rd+uMwP3tG*8p@
z)eX6CRdiVQjXdUC76MKv9oNf+eS)pF)P{*U*oq!eaz`8zo=>1mm-2LuF&BOJ1=B2`
zA`NmZt(k+VY~oc7k^rCVE8;V#zq!dN()Hm?dB6pu7XBbXU5_)_?lUi1<0)Z{LcAiy
zk_Z7O^Gtjxx=;?YD`ivkO||L4j)zWW-~GKWs7!BtcK}D+!eau|ZB>`JucV}qgos!Q
zrMU>5_P^^TQpV$?P&n<mM&^Qd-1CW|twDtqN2tYh*Zn?Jg$F4%4;Pl>7exN3AP-lu
zbxt$$yN=!3v2op@FzMad)q$F`2hB3+ddrjL+1c5Yy3PB<`ne-J=LAVfN~UtZ0zemy
z8@MU7prS_>1tQm6*(1|ggv3)s?h%)TpMY@fVlyp3v4zK9njq(9<fP{z1hpOQJe#m*
zfK}XNA8f9#(00$HtxQf@h!yagO0-9aGac9T0U=3DsU{4+JNb2d{B*R`(ZurH&Dp+o
zNn-$;GXMJ&U@dnAMz6RAz~E+WiKuXwNJsAuZv3$&UXKPS2s!gkzvN1(e^-xXqNl_!
zS;$+C7Ap}m8-s_vC--2W(tsbcTzpQ^^icQft$>92zkuw@Ok0lt3H(#FBb5C-{{M4h
zF;z5aPzO!V@oG5@qz1fyjcayr8Vz!GTmPE8RpXs?u5bC#`T~~(JQ>w*zkl>W^OHtw
z#T4k%b;N!%t?Fw);8yXaT~rV?dFu=}Q5u+FNf38fh5r)L0-$_7DCd792>hM-`d|Ov
z{`hjM%{O-6_bz4f(V4acX4fD1wAsy_>&$=>G%6qWXmzB@(S009Q#dQErQ}#l$I`5}
zQKgW}=j3j$z7x#!I|k)p*6jO#&(u8`eGH9ISn=+i__g5zuYf5cWfQx#8=~JB&BX$V
z4<!)pYpG-EFT<u)F4f!jI@ge^tmh}dLz|x^Vj~ql*KY=1#MKLK03nIl<gNG&xg;rv
zp-U}q0Ux0@Fn?S|`5=Wwt)9c3a$x(RJplnMCQ>QJ-a9im%(D5X_CbDIz=BZ~4=AB$
z>^t(#ya9R?RP<{G-I)xX7^3<F(ix`#Y0qY9EjTkmWLomozDkIJI@hkStZN0HOK*)l
zsP>HAAy)seB9S#r+ET>Scrm7-T34FNMdg1U)KZ{aB^Nu8m2i2O2b6EID<$&R!<Opg
zyYnkqdOyP+l{?&QtCX>2Zdn_QEVcIU`H;7vm3|StwLYH?i2B~TETTH>Lh{yz7ntg)
zfGi6H3v_Umw3CB<3ST`aub4H|I{$L$<a>BWZ<)WzW-#MSzJ8;X+4bk;Z{Kdu7mleO
zM)F~wK0VtJA<zb%-V15Ti;*s4+ANdMj*L=vWmFOKh8Vb6oml@#tL&T4(Zzc&^G2QR
z^kEbA0x4_seqKsYo;Gg5k0DGI4xa1}d^-{Lr(&@bKX|h%yFy33>}}wf-?z0ZdB$QB
zaE36np?}yuZ8vJBmbK(`f0RpMIw}cM-#GE*a)hJbr110>CPo@MvB`Hy-B=uf7$E`!
z*|o8Fd07LslM_aUYFfaD7$MflD5q34?xoI{&E}81S$Qp9BqdwlKRz*B{o=czF+Am7
zb)XYCvjv*8IC&B9*S#Y%FMg`Iq}^h)BOoFMso0&+epQMvq}_H53wGGd5=WrRAl|;I
zVcfOc@;oXY?d#E5s)KtsPF6>LW5*-6U%dAj#OgdlJzRLfiqKCcJyj<P8`U>k^hVdl
ztDRIT#)rm>cFNUZOT(O^@~X#$`0@!?j%izRWS(Wb99r(c0UN85UU)t~NK?}!v_ApV
z^&&drQ}RTPtnn5Q+=Me&gBR3^4&H2Lt9C?<qeEJoNz`_4_cm_}M5OLU`S6t|3If|i
zJ@n_-2d&gb!Y6c<!JGYiOZ9Ckjo}p|F4BC|UMpaTc+iYV5vX78ZB~^(Y&so>j<PS~
zuj^Pjw#iChJwL^9n%w9=C@C~YW)Bfe9&A@u10kqr@3!JwZpY#zH3{hX7gyd@d(9=P
zz9{&{YZHcAMq^5a^Plq%R{TIfmj23b@7H!pi<LBfJ%7V)k%E3SMg+MxlnFen%$JpG
ztV+6@Uw35$;Rw1it%{c(%AbO~47)`DW9xd%;M_oiQBBzg{lAfcw=wzVW9w0ek7>vC
z*sxq<A0bm;^FQZ+0#p4BqJD{S%qnnjCp?p+q#;>_Rlw;~ii(b^ur~9}956cH{jEdl
zM!D6k$d#V$Z9|?4>BsViT%eQy-Ty}=xj-cEcQGX<^<G_|(*iJ)qy0|lL?UUJv~Ak`
zd^xqiI(jGL;G?M#a6E4K%HYM<5%M8>+)pNeRktqddAh+r%*d@;#GHu_S8L*gDX)Wi
zAXPzp{^xIA_*zBIQb7Dq_ko~~PCz||D*%xUUq#BWK7IUDWbH7jVjO**04_V(YxZR$
zV4qqGPG7ZcBgs$O#S-;v8SVtOEy&Qp4)d$rq>j(Ds9f(W$HD{UvG`(AdQiV@(8NNH
zyYU#4OMF|*@G>mEpFw!=U?imBh{d(hF;ES6vA2F%@72x-_ym5{e}vs?3#o^9S7&rj
zyGHnD%CzoDy26sYVh-+X)}{5`&2z*}N*`Nwt_x}JGwGGMs$gLsBYBCQ%OBG5fh`%V
zS1Tx=>${x8b#(zU0jjrlOQ;aTma(*H9NcRsPC0&Tz!^7wa!|j{N__f`SOtf2v-P8?
zHEQ{BQxQN+kTJPNA|u=0N<oe+fxmK1)QuxG|GZF*hR?*|bQ^nb<t)^xA-axvgF_zh
zeJF2y>H@+dv9_q<-h%e0AcK=o!>v}bjMLYUM{KQj@Jm`~oij?f&4Svv-6i79H`(sv
ztBohmRZu#N;J4T|nH#I&x7gz@OG=;nUTVHJnVFYYPK-24r32<9_mfjzogU(YkEOVt
zyXKUZGV$C_<X!=@(ati7z`sl#X?}ErKE-@iuAS0SDKB1Q;yX0G{F~4HLBldT3wt?>
zSjjUcIaXH;xK9;u1_Wz=Tj9s{#~t~!(s6DMxZ;Pyywg;|r>Q?zQ@=OeWR(l7iDUXe
z;TM!m5yC+wLyh{=GPmPYc;3C|r;c4vjb!Do2PfHUEG3NE#pSM7+{FbeW?zbAWf7HQ
z9wU4%N2`UIj#Xvm4H=z>P+L4Y?^-b@sy!%i{IIy)-o~d%HCW=9O9@?26Rm@B(Fy1q
zZJov`Am4irmKq|K-K-IMh=C`&7pXHkV=<D)GJ@bMtx7~I%9~4<=v(toX^7-)Nt?vS
zJM&j4*}8?)I>@TNhGCt$dqY%Pj?!yXF|1+mw=C9B4uAObLV1+Or;oL&)%xkjmgpA^
z>+q!MtdeewV`>*O#8WLI3^$$ubkV3TT`Q5`)WB|mx8)#OCcitdr8;~m#Ui&5;FS3O
zY(`PU5@{m<tePow>Wm|ABTQ`fb}<N`G|t*b-=O`Mt?d(lwW_q>AB=t_M4qyx`ket-
z%)vQ>|4az}cRGP=d5tUNIkFj!4q+d5ffNMAO1p@Bm69OaRG`cUa?xf4o)1!ZyEmwt
z3aLQPOF$h)ueJmi9#Qf%2MOQV&gSQ7jqekhKlZaEdw}0RY7UhE#`MqplE3#f{`Tts
fQhsR3W09f|;j|lB`?LhW;lQn%Hl~%vzyJAf(HQ)|

literal 0
HcmV?d00001

diff --git a/docs/oauth2.md b/docs/oauth2.md
index 8c98b854..5f116fdc 100644
--- a/docs/oauth2.md
+++ b/docs/oauth2.md
@@ -3,6 +3,7 @@
 Table of content
 ---------------
 - [Pull Request review](pull-request-review.md)
+- [Login Restriction](oauth2/login-expression.md)
 - [GitHub Setup](oauth2/github-oauth.md)
 - [GitHub App Setup](oauth2/githubapp.md)
 - [GitLab Setup](oauth2/gitlab-integration.md)
@@ -21,6 +22,8 @@ packeton:
             login_title: Login or Register with GitHub
             clone_preference: 'api'
             repos_synchronization: true
+            login_control_expression: "data['email'] ends with '@packeton.org'" # Restrict logic/register by custom condition.
+
             pull_request_review: true # Enable pull request composer.lock review. Default false 
 
 #            webhook_url: 'https://packeton.google.dev/' - overwrite host when setup webhooks
diff --git a/docs/oauth2/login-expression.md b/docs/oauth2/login-expression.md
new file mode 100644
index 00000000..d3b7df22
--- /dev/null
+++ b/docs/oauth2/login-expression.md
@@ -0,0 +1,98 @@
+# Limit login/register with using expression lang
+
+You may limit login with using expression, like symfony expression for access control. For evaluate expression
+used TWIG engine with customization by this lib [okvpn/expression-language](https://github.com/okvpn/expression-language).
+It allows to create a complex expressions where called team/members API to check that user belong to Organization/Repos etc.
+
+Example usage 
+
+```yaml
+packeton:
+    integrations:
+        github:
+            allow_login: true
+            allow_register: true
+            github:
+                client_id: 'xxx'
+                client_secret: 'xxx'
+            login_control_expression: "data['email'] ends with '@packeton.org'"
+```
+
+Example 2. Here check GitLab's groups API.
+
+```yaml
+packeton:
+    integrations:
+        gitlab:
+            allow_login: true
+            allow_register: true
+            gitlab:
+                client_id: 'xx'
+                client_secret: 'xx'
+            login_control_expression: >
+                {% set members = api_cget('/groups/balaba/members') %}
+                {% set found = null %}
+                {% for member in members %}
+                    {% if data['username'] and data['username'] == member['username'] %}
+                        {% set found = member %}
+                    {% endif %}
+                {% endfor %}
+    
+                {% if found['access_level'] >= 50 %}
+                    {% return ['ROLE_ADMIN', 'ROLE_GITLAB'] %}
+                {% elseif found['access_level'] >= 40 %}
+                    {% return ['ROLE_MAINTAINER', 'ROLE_GITLAB'] %}
+                {% elseif found['access_level'] >= 10 %}
+                    {% return ['ROLE_USER', 'ROLE_GITLAB'] %}
+                {% endif %}
+                {% return [] %}
+```
+
+### Custom Twig function for expression lang
+
+- `api_get(url, query = [], cache = true, app = null)` - Call get method 
+- `api_cget(url, query = [], cache = true, app = null)` - Call get method with pagination with all pages.
+
+By default, the API call results are cached, but you may overwrite with `cache` param.
+
+
+`login_control_expression` - may return a bool result or list of roles. If returned result is empty - login/register is not allowed.
+
+## Debug expressions 
+
+You may enable debugging by param
+
+```yaml
+packeton:
+    integrations:
+        gitlab:
+            login_control_expression_debug: true
+            login_control_expression: "data['email'] ends with '@packeton.org'"
+```
+
+For localhost, you also can enable symfony dev env. But it's **strongly**  not recommended for prod for security reasons.
+Then you may use `dump` action.
+
+```
+APP_ENV=dev
+```
+
+```twig
+{% set members = api_cget('/groups/balaba/members') %}
+{% set found = null %}
+{% for member in members %}
+    {% if data['username'] and data['username'] == member['username'] %}
+        {% set found = member %}
+    {% endif %}
+{% endfor %}
+{% do dump(members) %}
+{% do dump(found) %}
+
+{% return [] %}
+```
+
+#### Example debug panel
+
+When `login_control_expression_debug` is enabled you may evaluate script from UI.
+
+[![Img](../img/debug-expr.png)](../img/debug-expr.png)