From cd53550beabe33e9790f5aa6fd38d6a88f4da11c Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Fri, 2 Jul 2021 10:41:07 -0400 Subject: [PATCH 1/2] add verification key Signed-off-by: Asra Ali --- api/envoy/extensions/wasm/v3/wasm.proto | 9 ++++- bazel/repositories.bzl | 6 ++- .../envoy/extensions/wasm/v3/wasm.proto | 8 +++- source/extensions/common/wasm/wasm.cc | 3 +- test/extensions/common/wasm/BUILD | 1 + test/extensions/common/wasm/test_data/BUILD | 2 + .../wasm/test_data/test_cpp.signed.wasm | Bin 0 -> 59730 bytes test/extensions/common/wasm/wasm_test.cc | 35 ++++++++++++++++++ 8 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 test/extensions/common/wasm/test_data/test_cpp.signed.wasm diff --git a/api/envoy/extensions/wasm/v3/wasm.proto b/api/envoy/extensions/wasm/v3/wasm.proto index b4566c826ed08..cbb64aeb11342 100644 --- a/api/envoy/extensions/wasm/v3/wasm.proto +++ b/api/envoy/extensions/wasm/v3/wasm.proto @@ -40,7 +40,7 @@ message SanitizationConfig { } // Configuration for a Wasm VM. -// [#next-free-field: 8] +// [#next-free-field: 9] message VmConfig { // An ID which will be used along with a hash of the wasm code (or the name of the registered Null // VM plugin) to determine which VM will be used for the plugin. All plugins which use the same @@ -83,6 +83,13 @@ message VmConfig { // The Wasm code that Envoy will execute. config.core.v3.AsyncDataSource code = 3; + // A hex-encoded Ed 25519 public key to use for verification. + // The runtime must verify an embedded signature over the + // Wasm code if specified before executing. + // TODO: May want to expand this field to a "VerificationOptions" message containing + // repeated public keys, options for all or none, and signature types. + string public_key = 8 [(validate.rules).string = {len: 64}]; + // The Wasm configuration used in initialization of a new VM // (proxy_on_start). `google.protobuf.Struct` is serialized as JSON before // passing it to the plugin. `google.protobuf.BytesValue` and diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 9967b86504382..94883dc0f4101 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -858,7 +858,11 @@ def _proxy_wasm_cpp_sdk(): external_http_archive(name = "proxy_wasm_cpp_sdk") def _proxy_wasm_cpp_host(): - external_http_archive(name = "proxy_wasm_cpp_host") + native.local_repository( + name = "proxy_wasm_cpp_host", + path = "/usr/local/google/home/asraa/git/proxy-wasm-cpp-host", + ) + #external_http_archive(name = "proxy_wasm_cpp_host") def _emscripten_toolchain(): external_http_archive( diff --git a/generated_api_shadow/envoy/extensions/wasm/v3/wasm.proto b/generated_api_shadow/envoy/extensions/wasm/v3/wasm.proto index b4566c826ed08..c6512d9a7bbf8 100644 --- a/generated_api_shadow/envoy/extensions/wasm/v3/wasm.proto +++ b/generated_api_shadow/envoy/extensions/wasm/v3/wasm.proto @@ -40,7 +40,7 @@ message SanitizationConfig { } // Configuration for a Wasm VM. -// [#next-free-field: 8] +// [#next-free-field: 9] message VmConfig { // An ID which will be used along with a hash of the wasm code (or the name of the registered Null // VM plugin) to determine which VM will be used for the plugin. All plugins which use the same @@ -83,6 +83,12 @@ message VmConfig { // The Wasm code that Envoy will execute. config.core.v3.AsyncDataSource code = 3; + // A hex-encoded Ed 25519 public key to use for verification. + // The runtime must verify an embedded signature over the + // Wasm code if specified before executing. + // TODO: May want to be repeated + string public_key = 8 [(validate.rules).string = {len: 64}]; + // The Wasm configuration used in initialization of a new VM // (proxy_on_start). `google.protobuf.Struct` is serialized as JSON before // passing it to the plugin. `google.protobuf.BytesValue` and diff --git a/source/extensions/common/wasm/wasm.cc b/source/extensions/common/wasm/wasm.cc index 22274d07acfdd..9bdf7ed53e077 100644 --- a/source/extensions/common/wasm/wasm.cc +++ b/source/extensions/common/wasm/wasm.cc @@ -392,8 +392,9 @@ bool createWasm(const PluginSharedPtr& plugin, const Stats::ScopeSharedPtr& scop return wasm_factory(config, scope, cluster_manager, dispatcher, lifecycle_notifier, toAbslStringView(vm_key)); }; + // TODO: May want to replace the public key with verification options defined in proxy_wasm. auto wasm = proxy_wasm::createWasm( - vm_key, code, plugin, proxy_wasm_factory, + vm_key, code, config.config().vm_config().public_key(), plugin, proxy_wasm_factory, getCloneFactory(wasm_extension, dispatcher, create_root_context_for_testing), config.config().vm_config().allow_precompiled()); Stats::ScopeSharedPtr create_wasm_stats_scope = diff --git a/test/extensions/common/wasm/BUILD b/test/extensions/common/wasm/BUILD index 54e6b7a24fcd6..c16b5c5ad3585 100644 --- a/test/extensions/common/wasm/BUILD +++ b/test/extensions/common/wasm/BUILD @@ -37,6 +37,7 @@ envoy_cc_test( "//test/extensions/common/wasm/test_data:bad_signature_cpp.wasm", "//test/extensions/common/wasm/test_data:test_context_cpp.wasm", "//test/extensions/common/wasm/test_data:test_cpp.wasm", + "//test/extensions/common/wasm/test_data:test_cpp.signed.wasm", "//test/extensions/common/wasm/test_data:test_restriction_cpp.wasm", ]), external_deps = ["abseil_optional"], diff --git a/test/extensions/common/wasm/test_data/BUILD b/test/extensions/common/wasm/test_data/BUILD index 95db303869db9..de60baf208e99 100644 --- a/test/extensions/common/wasm/test_data/BUILD +++ b/test/extensions/common/wasm/test_data/BUILD @@ -9,6 +9,8 @@ licenses(["notice"]) # Apache 2 envoy_package() +exports_files(["test_cpp.signed.wasm"]) + wasm_rust_binary( name = "test_rust.wasm", srcs = ["test_rust.rs"], diff --git a/test/extensions/common/wasm/test_data/test_cpp.signed.wasm b/test/extensions/common/wasm/test_data/test_cpp.signed.wasm new file mode 100644 index 0000000000000000000000000000000000000000..feb288ba7728b71fa6588d40a86ccebdf2760164 GIT binary patch literal 59730 zcmeIb3zS{gS?9UWIrmj{?yb6#O17j@;&U&OQ;wxrP8`{h9bCr`S+bp2NenSf=yF*q z+f}7Uy(G&W$EqYIC?tSs0)!9-C!~o<;>Obs3%YqkFwmV@9i|Oon$R%ahR&i{z*=L5 ztR_8V@cjPY-se8*Wjhb>YHaz`Id`A^`1ZHI*Z%gm_i>YpCnD!u^uB21?&zH3iq74g zoI6+C+}-gxlKDe=iFAIHb>r^b-4%Q6q!oGW{_w*p_^=9AeKwWhSLNJ8`pr}Fu-)Q^ zAC4ZnJAUX~^icfE@nAA_^31^8!l|gVpNsW-hyQ)w)Y8QLQX)zZB^RbnoH{er3)z{;Cd*s;~MScY~N#--__vlDqPSKrCFLk8IsQ)vlc*fkhHFtJiA!!MDK(R5OU0F)E0sz~5)TYi ztCdPQj>`@Li4u~kkzSSJbW0!e_}nwrN~vuM^2uiQn?0U#icloDGvzz zS0!^2xujC5#kEp7nv354_HrePmgD8PG63!6kNxb0IIaGhN~>}LoGv^VyVAW2Q&Vp6 zV&DJCd!{GOOf4)S+ z@%iXgYv(lRrcd72&H8;kxa_Uey+7L0Uxy#r?~g`0$qd=)DWI4H_3!OL{k^9arl#*Z zIdSjllb+T-5LE)b|F2Qy1f4o{)Lk=hCUSX{e&_33JCEh#Gp(Kf^s;w+_djXv+`j#; zoo_$#*6-N)mbcycFQX@-n{WQn=tI#}k43Gq?VpOaZ~wXIb+3Ef_Pvir|04QC^fS@N zqmMc-o%~kwRVZ0$(c5Pmhz9bXKvY%mGq+C zjt-W_^RKk{pJMsLS^U8K{@B%%lnl}SxSmB>X@6X+$EosfYgK^AK%l5vv1)4VSS`g= zxFgNtqF}6oQK}O8$V{8p083YryxIMgyH-S|gyOAgR-)^@StGKxsBkQ9s%V;3a|e8B zRsk0UC_Cv_yp(@p*G#)a8}!Hn57HV@{?!)$uk2hUZ{{Oeg=(|p;OLAXCil$^x*27a z{qZ*Sw%LxUD$3|b)AwqdVPT{lYb5N&NO(aPvhr9g_>=iOxuxOqueCD4nw1&5hrueS zVt}IsJ%NN7dpk_AEO`@H38f=O+0nBokLPcu`Eve2ji`p{gY7J#!hE^S|Dn+B=kfbrR4$hbOpS1hK8HSi*BD$-;KQ5 zRY=2Ar_n=c1(8Lb$Ut_S^<{-jMRT#IIge6Lb7eK;Y0g*d8-5x97K?Nz)0MWqo3?R3HcyM88bp2=(TZJLY`Udzv1VkxEhcDw|=mGb4~VM~eU+oh#^ z_>2LRl@?|p!)OUeqI~Pj8HDFTzH=sR1Hw+~@p7US#pC+tB}2PJ*Qm8>UHfVa=~1<= zA#K&eMB-tabu)MQc4~>v%<}h=gQH7cI3dFjV3EX6$ynuJLqNacOpA(vhFoHi()>)j z3K7C^?Z~8=8UP`pcgdClZ9<~jqrO_(a9XDVr82bO6!D}Y0mHR4|4^I%sWv|sM1n&A z{mSlE0$4~g*9O}&EyjaZmH8a~O4B-{AbdAp+iav)MDaPsA}tubWUy7G^Ec}=K-ml52o!h)fXAa z45kdDdx4`}0-bkAgGj0aMX1Nau51bAvl4PTi<_g84=4}~VsDKaC0}P29iUd2%^h&V zxy+^SDMiUShHd$R6HLZ%%{OHZ0tNwK zQGLy#MJeQx@WcooQpQ$nJ@V(zAUXWJJ z_Q#n|+qFO5<)6m($7B9!&;EFif7-V{-shjL+8IkQ*Oxu$-Qf z0}hVuZ>4}Hp~AjeRtyJv8>n4+k;@zdmS?7e)r4!FO4A3TNF=|E^;I^SX9RC&q>x4z zO0v?>_2f-v8N+1_-*SAo9gQ|$nb|8Cqa@l(Kon4rMuz6F@;yv<5x@*Jyv4(O+BA*5 z97B}pF5fP!7DJ+O^K#14*XAV8uYrD=%JjW)RK}ppzp}ev*Zf&M!cZ|xn7R2Zp2lj7 zK*kQMz?s0MsyWyT(dY$}_#DzeM0raj$zu(J>d+9x0-X1yc4B5`mdt16gN>+O26Ct| za|aukkG=*CZj5oaqEI4sM;y>H)(@76%9pz3Wri69fjIb4Z!;vM@w6#2n|W1YiyBI4 z&E+57)O>|YZ-k9$S8_|pW;mfJv0=L`6ETcD5>JM+de@GDB4+$ch=vwmCFv+{U~={N zp!lC|Ti=`Cb@M+OeAm{(w-Pq#QS2(59QREo`QS{OZm6B`ih2#2gf6f9iW$&)r8cks z>Z0{u?OgxWE7yO;lxaOM#@2uJ>h)i}X8l)Jt^ex4`me5A|J83W|5*?Ef4jlE&u{SV z|JdN&?{4t!OB=j@f4yPw_Q-Qyd)`^*OK{?!KWKD)uYf3v~6U)$i_g$>^Q z<_7Qn?FR3j?t7OY$Zd*YqSXv31Z^3qE6ttnJJ@DoQAT)HX1vgECD?sZwo(`}0sT`} zZD9kI%%;H-yA{(Xf9z7T2B;>P$sb}C#YE?JbjxR2IhH9uhGjgv>zR!#VcqnmQ`Q_U z%vcf^VI4?(H}6ZEXm+pIv7v@`q-ljW&B1gp6OiWqcFZjDLz`u7NBMJb z$k+edebMcVnC7m&iCy*R_T3?zM&A8^wtq7k9%l|26N_ zShvcMnc9@G7eNT_hQVck8hrR&pUn3y*pS_zS?fip#TDyir6RNS9e+|>sytmOb zGY#_$R}2yJt%{hB9~vZXbFGS%=Z7lyJ`jpyH>*A&uQddNMz^(w0RzWWsTI?YVHwJC zHZiM>% zeA{WT?hcK%1`sWDtO21(6i{uF4VVi$i6bPy>`{2!mDo zlMRk$1I>{JlNkAs&GYN?XQk(>SyV+a7ZzLP>ql$YT=lcT^najT;q(tN*sj#3>@lC z%q7mu#wKF0G2Q|ws)dh^ac7<-yu}?bd$Bg^-3~S|-s8PaJ|Ki+0&VmH*$b)O^iKwO~t6&c+r-@cLa!)BjM4ncu!EV?rAjv)qKXJF{Fb zc;~ZZn%S(MO{(QqOqk^wMXTu&1vRVC%vR-EWpHaF&l_k~&n5iWIk~dxd{((- zlw|qivPilucQ&u>6p4x=WsMh;TFq~{F~5bRDz|85p|5n5=1thVB;@1TfLcw!@>}j4 z1hk~ICAxh1(pQtGmVZstc}DrE)<8TC|ETxE`%@pv2EHec7WK1Y%PDkQy_(P6Ej%QL z7x)`3Ex@Pe;F8*p{y@8SqjSr5d{3skb9c`Jb?xUMWTX|YHn~#Dhew--gEt{mCk_u- zE}9W`>3cHQ(n=2lV?GC@1fs()`9vyJ%D*b$ArBtpyL1rlS9j}fSl8N%&8%CII%ci3 z{R#+_KJQzj8Of;7T5n7Kz0J+l2GcofBL!t0tf}oNJ>WF=6aZc{n|$7aqz-D{;W%o3 z4}yCKX<2kxjLX`d7!~%%*r4rH6y+ zX=e^92oN&59Xh{yrnQCJH8ZVd?u6omp~@P_M&Z-LnKfo_^)}TTg{pI{hV(*|HITB% ziLvKU`j=TnHcGoH3W&U(sph+HL3r^ChQk{Z`QKV3!)mDt z+=?U`iU_A3lCj!~5PG{M)TE^b~LVl^>bO2k%fH zsVv_G=Vp;lwgQ{-M9NO)2v(_Z1$MN=Nha4G%CS2Ju{#X6WLz^rE+*Izux<`KwJON}^@eUU&`ND}aud@LJ~=9;QnSknc#c zgdvqLze}>VmF7`v6Tl=hf^|~^Pe*GL7j#J%;At{p7?x(NxRvk&3;3yZKTGp-x3X&F zvUHYWl^iEH{ZV!0{0nZTd1G51{)Vl8-44rx`I_*>z~`?q^lC`eE2ZuM>BR^XJxV&m zAoahpM_Qro=~2y)i@B?@k-FN{sL&ZanyWigMs%UqJZK^&Ddfe=eO7xmS_1c@4S5;`Ggp zErIZ>`4)}rFvbZ^#fwv(KwE@hA2y>3Vv%M^_?axtT$Z@2lW{=%8v43R;2NDMcHP& zUHRh}5JP$PCYD;pMR*!0bsCzk7^&x9bhk9NW>}9{GGp<$%$h-SiH$@f0|ClBgH}*C zC^1s>PaZCsQc0UAA4HDU zH>F~Fr6J~Ij(1Dbwuz0p!hmz>|<&===hQw;-fL^Clj5xLbIsF`M zGZanMe91AulvHliK}k2Hum)umQ+_~b(5PSMt_G4?wguCiOm#Y^&&2Kx+i}#NQ*JB5Q$kF9sO68WI~3V4Z1=m?o*gIwMD94K`bFm840H z1j8DX<8g+p^b}r4z<|v`l55%Eq0#mbx(up7p7BHSPVD8f;jGSD6`mZ%pEPEyCGmt3 zhL8`=GBNg+DJwD=^3g7hwyR7{cc@!$RD@^P&GZD+FbV)&UQ;bBqrNRm*Gtt;ku`5CpU ze!yJwSmC%!F!EVp7Mm&xjvJO~d{7hLwz4i+(D}K??Ugru3Yz--I zoFQugBEpzRg~e7$_2%czuVs^%NA!qUsnrJz_ufeicrnA*g0`5%)C=*T1v3Jd~{GI0@54FD&1DjDsATCOgY3E zNFSOS5T+2W(4PdLL_NlvSQL#x4P=+)CK9BElF~EUKu|VE_znIfoudZRDVH)P>U^uw z+lL%6l{MzGIy127>jS*B0pJL)7XUc(=03nR@Bwfrdt0*(9o1%#(9|eUfSeKBIZua5ls|ZYa#-ba#Fp zH&o2y@VM|VK8!yhj~Ip>GMh3jb;@$(SM%buO~{y0q3QmldC0e2kHZ{YfUuBh^#zn-Pw)4zdy>E7jJMgFtYn(X@{|v&+nv9!=(t<6F7{Vlw2{LS| za-J7-n_~ge*vNPX7VS(qOQP5)|DZaCOyxlnA%XJ2OLe!g!((e!WJ$~z(EU8E>kPHhGM9ykr)Bw}ND(IJ7^4B4+8Pd9p$2a6R|q=Z$9zhrcqW1| zA_mh(P>2BGmqqaO-2eBt4=~$b#v6QAm5GtyQK2C=i-dyaFOnBb)&m}gglv#8E@jPx zqx4T=gDU^<#X=F&&%4@@cX}c!$Zw>K%%EBMj8wH5;fR_|juxXPZY+yyqQ7JDkrq{p z`j2=Ir@3;*;+wvqO0O#_CEi3s94g({tyHi9;x-9D!N@Z%xU~QrE9x5St83@iQ`bmQ z7aZS#YmeLFeUo6LW{{?Dbj_b9Bz3p>4sc-j`|_o7|9*{`y-3xkJreF8>b^_MuK8^) z{QdmiC=JW*sX|fK`Un2MVr%dg-HY=}+B%)F2(>&#ER+@N=PYnj4j^2+ix^%RYkiuB zp#eY9_6z9CgmN(v%whpL?><-+uMSYcfe1G!6Ir+WM(z;hsZiOMGGa7 zszb3V#Vk)Bi`uR+H4z$7ka6aS|3d}DvkMe*ON2%9%grjRtj$ASKa)2}R3FL~Fh~() zjpQA1{Tb1PCE?Zti*^| zh$3*H(m)$cNF-`hQW-IY^AH~*L@#-y8v{XzAR)h+bSfZJga*Px^rJbGvEQ=6ZwXeB z$_mYvu(IJMl339-86qedhoo>yG~3Q3l|o#Z_R=Fb#sVq9lvD)Q;dVSqDIt}ID08;T zV13_)NpG}NZ4*QCLOs?c8OZ%wL<8iCRQxlFqf9v6Q@CPXXjhxfM^UL2b$@99Mg0Db>d)Y z*5Y8xa>e;LSk=%I2MZt2$KE(tB4cGE^u)nJH&~aT2zM`Wu+aMwwv+3NgRS+9M*`L{ z%WZ$rqeC5-L?mknWppsUgug1{ zRcMm;0fT_RQU)r)DZRu9di?`F7X(I})s}#mUc>2CI9dbYf3MH$-G#(T+5R*8TV8;#OM;M4=oV|9qo*DM0HbT>63K>bUH$03})JS!wYBHJ*DvEQLU z+b$-rj24#H|J0}X6+O5j91ke>| zBsl5|yD3VQzo)z4`_k?k&RtElPw&2A`7v8&)vqt?#(!0x$>-+tFMaC&{8V{SEkCo{ zcjd`&U(QmkrGrEi5b@y%BLZ6o^3SO5HcPVkC+vyUG-g2=ifa(>6|+nF_vCJ@HW;9R zbs1~(Mp5LmyIYRogLYh-#T!up>j!Wcir_YdPVx+O$U0+Ey^Rq*caXUk>veQNh49VW z`oB~*h?xa-32VU8iulcO4G2gkYx&=KVNwq83M(GoMDFe?Z8L8}z}?nRDVk!y?6#Y=!tWA87<_Yh4e4GShT13B;Pi9M%FjpnN%ajpa&I!raz|>}VVrGafqRKxg4upyWyCofV zi)L~n!b|z1?fj2~4l>K*>-M@j?l{RD(GjhSdO?~78OLu)H75DlED0@Yh1*)hx->Rl zZij75;2UhAuha?96Pl*NHJX;W6R@dpi2{pRq-azvi%~_9hrKldXd(P-jSjXFZanb%U9x0$m#~=%G~w0Jn-SS%c_(7|fEG zf8riccV(>%#(MC3fy{=I0_ZVI**gf|OQFTyChqJVEOoYZQN){`kd|#^AwQasnj>Gd zB5p^aO49Z3;ere5a$5L;Dk0;`6kJ)vhVj+;1?OmKia|@z&}D>GZ&s!|ibtzR7gAJ$ zLH))Til#0=>Dj}jHiQL=h!87l?j3~kYqocg00!0^w1>;*HnSCPtU{;gmfyo={m|Y) z^02>$^stA^UT68qfI*IK z@McZ4QSDl%U*|5ZHLX*GjJHlv=&N^W(fH1+su?iI4K|vrTqBU_aGnTs9p%r;E7Gh*%ZD|GHNw8$`N(wyNp+&7r5Q=OJ?a(q?3y-8cI#k;P z6(YxN+ybV!X-BNAmJJ1~fLbY7Svu(0Mymv?I+VXkL3}2pOZj)1$ehXF0^>7a+Bs|9 zyirY}V|I91e1d|2KIyC`P$0bD2AxUP<$#DuOMa1`{7RDFa@%R|P9h|E zA6aJyE2-Mu;yYn;OG*TCWair41lq!z{ld2niX0^@AV+RtCas&1qXL;cQTV-sY!SfZ zhmEy&kk((!oJkJQo;ee<(_+pP7jq_Iq<8NioUxN6KarKO6UY(6SpJEMP0Arh*xAU@ z`apjKyzLt-8C4>)p-She5>d9ADoY1(kvmV7m@K%5NGJQJSCFBg|wi zj0=g&Z(+1*j8XG5R1vU=Wn*=`6ayM|CsQgEG0Zc-8iz!}Qc<8*B(aG}VYH*C6lDwf z^TaxwCvzxWs*|LS6|t_-&JtS@yXycU)`~0Oc#%A6ZM%KO&*(I&BQW2dN^|r z5LzO>?-$CYRU2zfDElcC6)|SQA5|ItNH?zozx86IcmYIlJ}fH$PE(&Sx&r4CkKjz} z2PKT$Varf>&6BKiXv1=Y&M;{zl&Wb{t?8PR=bOkSfZ^E#{_nB}&Au4+(87HWdz8EE zQ7+g6t7tWQ1pX`rPFw;86)gjYlnV|amad0GB(URkS)-hcqtoFMb3MdnQj0a@(JD~_R+u4T4NEm9?V)o@bRBrwg9KehqDxk{95(>zp-VUhf-$2> zZY5-(r^`W4mw_q=%v2cYmUp3Pftfi)2I=sFFN|sUQglWd*9V7XXrYss#Ri zs+7gQf+~ff9tR|5Y@kZ?%u2T-IRixo?*J<~j9!`1%e;ic?Z~5zpVzernpDGK)*A0j zR6rfVBrJm%F}I_7E#CrYmvLjLWqBE0whMsMpNaUJ6EOdJI%l?YtQAO0x=IPyQgRQH zpgpQKeA~G3i@5Y$Ggjr=7oJqpeuaf)vQPD9TRYDEvp|3>@a^@KfK#oCqM$Xrp9Uzp zi+L1{rs?+(g{K63S$(ib1_xMd4+5i7w3^cmAQM)$Y44!b&n*<`t$mQj1aR|?b;H{y zc-z_Px!0h0@Tb6mXli0+$07i^*Ge14XIV_bc4$E6qbz-x5U~u!g7hEqf!lV zp5Bovc#9V}UYKS1ZI|5AgQMCd4#(vuSwf?_<{oVN5{=^-%u3BsVh8L8gv+E|zae5K z@I@k7d%&R-<%+NFbye*H&^G;D zZ24|(ap^E`sLYSho6~emPtx8wClJsL%}IO<5rJG8e`?M7HzY3oj~6AI&c&SA1@fN+ z)&X!epyAmA-lJb_U+hC;qK~wrUu|8SM=hc}h9wl)5FEl{M)Lovl>ASJ^FP)`VU{aK zM$^_s@pyKz?QEb&UwzKKx99mSf;G>;+X#_>ZIx2Qn1yFtl#N(;#@`O-&kZ9SSTdo; zWHkTl;rwrgvqV8+(LJMi(lj`jnC5$CnylGn(PQoCCKvv@hb9Oc7>oDdilRHRC75h& zqQ-2Yy*dA5n@C-h6Et*@(&pQZ(N-OplRU+?%n`JV9MUb+n2oo#L&w|0&wb+`Z*9l4 z#?4icC0gI>T)tO)wLObIl5PLkV;`|aO@Q707(W%`v&q1b?>WEZbh`o_EIyHKYG!TQ zbTE+b(@_8ejF>!RBYC{gf-dQR#R{?edI&g&XEgL`H{Y9I&P0!m21-F2%#+XhSOv~% zTZb7$KM}xvCO-;j(Wf*{Mq!FGe|mTZsI!LcD#0)Diy!OhTm&i{$c=O(ovQqEtat?q<);2(g#J8$n1g8Xm~+S0oPg)5>bKZ%HcvueyX&16ID zruAW=zDW|8PO|)O6k^0t53xJi>2I6TLx7JJfb$L1b~ywAp?yI55bh)3cOm?TPzFyq z^x}|@r0qaDDWVa^EgB?{&#{?ys#6Av4n3KFoYBm+fWUGALnN=_K>jqWiKC2oq(-a8 z2q2$2MV`%%cAlNP*A_BAt+61aNGgYMWL{%4i(m4CF!kHNoqxQSoWUX3NABnxhZ=tM zM$5u|xzSjfzd{$APDH{rMGfILRU~@-iPp9oT)Ux(301I0kY*Qu5|u(-7L9~Y7Kl^zP;E%|T4rsRkl6sE84k1h ztjAl0j?q&nhIcGLX)DZNzI`SiI01dNwi3nmr|zIO>f}fsqI${n06ig2l@YC=0=Oy6 z(qb|R@G~M7%-NPREh0&?ElcPN0`?pdz3P$gcW)?1mYU>Cvif{BbetT*b(`=z9}nAC zbC#-`m5lKg3K$bOF?453AcF?b43A+O_C1+gfJ;YVCd2F!Q<^zNLM_oL#-HcMrXPIH+N8Jx6DJ&G};Ii<`2w> zBv@tBrr{y5YSCB3#OIIPJwq`4AdZ6}wk8c6XF&2Q=%+=RK2AEn54GytXdfY_cH?o{ ztz=DMY3sqPDL{u|Ha3^TI@Ga+T{nSap1D3eJX<_`_4;fJm9vyxKR6m*l2*yKvc9$@ zs~;Y1ZNDip89jbuct3t)Ml32p!jd_JT)FHblcqAUwtoaM8zD!Ra)wr6cQ38B3qzy4({G4N`BX)ej zVzpaIdgrauf$|-*y9xuI=dyy>B=_5!(N_Z|%9_HS+R>;D@k65zDOSMn;GEG~*t)=2 ziq?`jGSTCDFFipR(vo6JJhra2nZPo72Hnvgu3JU^B*CPECdEPynKo-?f|#?-3+*jX zF9D*a3XqN{FI~6N73t(5wWpY`O^`k7yKJLFI}|Ds1>`B$>s%>IN6rddVEhKVq9V6u z<+b(Wrflo1pct9ShG%9p>Zp%Cd!t{aXllsl7)(%(^oqiD*}$i#fd#l#f}ol;ZX-s; z2XRZL)(CyAP>@-qMwQJVKInb`+gUS3C32e6q0#iQ*ckz_G{7ih>_5O7 zNyQ@&0A)N2BLT%DU~Y&RR-Ayt&!hvgP}O=j4)%wSHHR{W@E4Ep=t_3M@3o(+;S4Rl!{J#r(a{wI(1y#jbe;7}Bvl&e;weBsA2jly*cK zbSJ!Nax42VMq15~j~N$l{jMp$1tLx#jyY`>XWOr~lN+u&|4HTzOx*Z;OX;D^=H*dV zXe{R@ON6wPI|GXZe=Q{J4XRm+cbJUZj z4cFYCKZXa-_S^r5k{y}}bvxr#ncJK&C6AQtnvVUZKxW3z;s#geBJwFrkd2ITOgJQN zgzD(orRY_ekij%Z2X7G=W$Ww&hyo`5CkqgD{_G^GlZ%!R+9Dj)&gvpf;i#cr3q=jv z8|5idd^Vne5T6ZsV!cu?o)tS{jN4obH!QBhgQ?*4JE$X56>O2N_-YYU)TM!>|4F;7 zibDvGj#5ySm^u7mbsI)9N3KKs`@UABw)kH-=t+?q#i_J8hrt&#!1iT|t9l&Hb;!x4 z7zAcltZ7@fW5tso9aLB^v>FA13axq%t(+x2HFIVVZG{dPH9mg_3UJG-I$$Z*fiAe_ zLNEYYD(DB-h{Y3uH&ECF<2M~|Lc9TEE}EqC&4<&^hHd#)#^!VWU@}i&B_9IZin)8o zpIig6>OOy|5g5efql9f2&l<#KQOWFyglZYjk{$92am9X9KD1!OrA_51IwP(?AE936 zfH--4AhTJzwqseP*bPrDx3z{~b==w|v-yTJ1Q8MR#gy5qgwp4*`yeDHl^Vs8nf{WT z$OT4m(6@#wA3Cu2cw>wt1UOH`c53&4W*vTCeysT!svE0m2D2B}jwT}|=!v)@`M31~{Y1@5{F}U}I-BfFbyNHT!+}WYcn{?Pg<- zzM4^=0yq)9?SK=}mQ<#SzyT?7g)wcJSqUiYhoTE8=XQl#H)A|brNu@FD%|TL3^56m zR)ofqO0^Q$UpTFN-F7yB@s|`oysCu^4MG-iN(Cvx+uB(3`|_<5R3O2!PCjpZ!hK*; zwTotjR69n?r}d^7Ifuzp$r~hrNqjE&>5)rU@Y8vpkf#4S(t#WA!fhy7>^B?0T09q< z4V*R`M8)ZJn%PE8&Qy!J`;bD`MGkYS*Ezpo`zgQco!thd8=dV`*WLLY4yCZep~dP6 z6<|JP@wDG)v`(_T0YN6&i)G>whcs+31sUJmAx$jFl8wB#eJY+A$3^QR`C-Idcvp0iO zcoP>W2igE68i02wSwW0g_difoUNu_8VhPcOH2iDZj~>SRNv~x+8Z4J}NMLJcR7Qw+ zX_}3%#Tg5J#aL%7lzLARl!MRM*gH5>v}M!wjvk~0TwQ8gI7o%FB5@9L5)R#8m4fg%E2^kS4=xj@kht5Bta#paY++Z=C@nTDs zz3QSZUx%;@YkLI}`ozX7;*GuPu;!V>nrR^^FM=2Un*#A+E2>G*Sv-nJ&jf|#t211- zB!;YPg;#ZNc3CyFY`ZFSC{6mwmnjCN{4&K96l2?OWHvxx5KWg*uGPvFnnTbTA?|kQ6X6Bi#Xl?+#IRkOemUlBF36uu&@vB{pUD)TNfM!p#>TLiRg4Jq zCY{dd^@m03g*;V>%@=HI6<}cHOCn0M%exWOwic$)z-SX&_}BToUU*2?5a)uI*_XvO zqXWo)07wj?P!W>dPW9!j;v>nej5w))S%7;5the%1Aa$^-LME%Nw=VVH%mk|{i^GwW z=zZf?&1G8=z*_u{ot;bTs#et_kF0hNLeWq4tku`ufaMk=7^ucr7=#f=_ZtnKj>#rdL~uHC|~fNN!tw$}QU#@Cm-yG~m)tMxBBs)frPO0w%MS zV4ilGNkL1vB6p&%cu!4~r`fFtLVlaM)RasnozOZKUy-(cZI?mipkqJnv|X91C!;#D zj)4eHJoYWJ-YaJj$=h<@wyoMCzH?Tw_oV50nzZ*?lYFs&TEEtZQ+lTZrvUUY?a2uX zqRrf08`*kzfyFpSWA$KBH2iw?Kc_HDDtp~kScg7D)S#!s*eh&N>*=>1t=E=lz2>R2 z7T!N*e#EwI!jF<(Ss((xO@|7a2UZTWFS2tJ+vK;cT_R0C7W<>b$6*dp7~_gzbXF{a z|4a0&C%GvgcZN3q(iW}#!=66U0HhItPf%O#@>lu8mZ5F12SWzvz?F`xRvoBr+Q3YN zq^Z|aAPKN12Vz5L?DCKXE%Nr{RL_-bPn+`am#Ucs<0S3$<)Nm7qy7=B7LUXx6t(&` zM5a9LYcL`m{PRR{qgx)g*(99vKfp*S{prZFB`AU|Ei%JMqPbN;a6G~UcF)g`G{4jK zgA=E#bKXbj2zXMcgrN(Z2wlv=3Ut9F!VSzN+|V?=5?O#6jT^OtClCW?Xa_MrI7*y6 zX-h)E0OTu4Aj4xjeUr{`mz*)f$noF}KyN=K5U6HIj2<_=p)m=gNZ1S_UsEL;f!Q>r z;^t+XhlHI0_5n&~JS&Za%fSlcEQ;Y6!#49F0gjU&dtAN5GS_0N9i&ut`Tx5q{jmtw zn3r#5AyN)6Eh~AsVFM3%oV8F&#$$8T^u9Mw2_4tsr*|(=1JVq@^G~z<-Mpd=nq`NR z_$Ks>Ic9jhMBoi495i=8SuzHbrjFo_ny@w zK0g5RArfO@jU>^k^0GlD#pegiHM-(-E|mAmuMqTCXhZM6Lty6*5pRNV-MpT`G>xvf zKcZz6LBWATZyMzfYM1xS0FZ0uizxtrV#S39BTpNDtpGV>(OR>R8PW%$>G@g#5h`p6 zJ|A}?d?4!l6nhXh4DYG*hxY(#2=C#E-mD1kDJ#53o+fA&Z-~~S51VVm>;c6D4ZP^^ zo@!5c4>P__IFBa0)?MwWfJ?fuJQdg-v>Deq=5U%%`&b^&K|WRoCSR_llSm-X>(f!^>la|$yv#)-Yf+c{8vRiC zu{Zi;NN3ns$T-h>0~N7~Vow-D2z8+Dn z1VIZZmMbGB9@L{846B(d=`Ti}9v@@F8At+fwnCk6=8r0KJT73sg1LXHipWrmbJW7P z%YRx5Q40eAeU-oMB$?$H4)~)*WR2RC`nE|7Do`sCfw{*S@cHe3`J4*Mi zRfzoz#R0oXU+%xqsS}LS)8IxE4!B@{`~{3N41`30VAG9Z(?KF*r0 zu~zj)!nCK4p#Z5`_L1b8l_*8SO%;38j(+XowkDupQhqfkh3Y|a($aku#eYPQ=!6nq0jR3%)%#ig0Oj+hAf$e=nB zi^4j+NJN*+8n{R;SXsT%=~ik*JY$QmfoIb6yNu0bBHoJASUyK+?N;AY)(aHmML8lH ztjm%{VsD{c_!mcLK)5j=v`peYjaBZ_-%k*yu};a%a4eX5h>8_R+^_HDJZOoW<>d>{ z-S|+}`LX;f=N{4_($Nj2_tDsO=O58nbP5i?7Z!N8FSuO$CuA&jeqL}7F{6M4OGT9C z^7y-~bjZJ4`(CjRG;u@p-mIkD5|&50tpnJdeZStKEu=lb6o4e171Xai=Kzt4ibe?& zrO|T8`MKx*H}{%=$aZ~E-v##whSa;i%COEh7c)siFe{hz zbLY>^G#9d%uvg)RJH!|e#1H0amnGXCp@UEK;p>sr2#boI7a#}3&`yCE$>B`G31?3y z7wg84d@el_*+J|{e!+=6#CPK}PrR=c(?=5s7G{T3d7=%N9P6&GJi$1kf3wp2TBe^O zR?q2Ie05Sw-(nTU!~=yYC6TD|d@H)aTZ1D0I8;QHRy7rpn3c}+Jv3>&-Wvb2_>ZRD zEt(qne>Qc4W9<+icuMmnEwMR284~fs0V?4|xN@4Lg}DW?WshPy?2kq(K4gO12XHyn z%-N}CiK>>Izzx5M!0S6P$eJ_fk(I`Q;GIYGB$57+?nu{zO~Cl|({!t2s&x^fD6+OB zI?8T!>K>))$lK;-%Nx_ZP+$*Y&=>Hp1oBvX)uxh5bx5yO?$h?ksb~%M=Df4hU~lT} z>o<5v4XzE#5xshU?7*##9Oal?N3c=MIWU<)rG;Zsm(OwV(&w~SPFzba+cX3Y^6Pma zxdk@(RXLMi&@Y$A@+AnBktF>XAtpoEcwho0nC1R=}2 zVOxtbjyk1-*njrajUG_9=U-3}#u6uY2fS^fOTHUbFalgCd(0^2I(g16?tSOeZ`wqV z#Tx13>!crAC;fJ%f2wnt48LO%e=qeg3OY{mkq4+#{mK&y;NmIZ$H+PlNI@C=cjH0C;pq zpc{8nz+H^M2syCcIwKj4<*{&&y&cnB*K(!?Qq2~(Oj8?Q&jalF9uGPXvfa5>=i(b$)j+?PoXRX$Q zX=}AS(t*CU+Ws0iRloS|TTu*!SriM)Edm@V%Y=Wv<#n#XZ{SNafgWK~o3;aI`?x3w zPIf3g;Pj>4a<>vLRcb}nrLg=m9 zLXX&X)QKRo<}sxdK}OHy?l1UMo%0_6QB?vDQAXtmJhjn1-(HKghTnQCysV?OggMW5 zez8`8N@+>L{QED78yvri8NAOXrQR5kOzr(A$A-RB0HM$vpW@I&lyx87uq6$KHOQ}@ z__Q`1NUo3gIv-;&lB*J`0lXqwi}>|~AWMiRVavXvpdW=iN@bE1*%)w9XVnuXHwaVb z*n~ZJloCDI!9$noYYM}i?*cqUsJJFYW**`k;cE)b;w;WUasrA|Q*Hse?za@=(jjb~ z2$kU*okghV?tFyGaQ6&OX091gD8;uF*%2Y$k|q?J$*>}4KoM>Sj2_&iA6Cc|C)~mZb@%{y!~mSV^9tj)zz6~r5w7~# z8M%t_G~yPv69gQ;z(y<1BY_GK>MsZz$x3^j&Rp&bN^9#NWTDftS{NF5sVch2yhZw9 zE5h-Z>zsvL(^<&1;@n}z+@F!Gvyfx06LVI9?U=~Dsc*YCY_S+5Xx4z^MY-T0sD-9_ z&O(NeinEaMor3q`^kaT8H!ptC5Ob3Pf>z>3iydGkeVB-dd=P7bqVIrYb~o$1S`_1DB)YBL>EeHaWktYYar*t@dv~! zDmqcy2Rq?_Yy+{gkYjnh1#OFci?aEN-Gpx23Eg8qNarkMk13s#%$rD=HHAyEI>CW> zH3!J9buEoGHI$X^cU;<8$o?3H9+gQ%J)*Flh{pSS!DcH19c@9cUl{1D_yy2WARhFd zW1I`nVHAO`R4FbQgAq+w zj0LXq+DcpZOlbOd8U)iUXh*3=UouFcF>{>ty=R6SST&V@-G{cql3J8V8m3qLR0KmR z1ffIQ=DFg#yHS^jWoHx?SOgLGDnSpB$XP;~2*t>1(2ND>jl=^bW2>MKyX1>XC%)L9+eL7>&)AAKG2iz1V8C+n8w%dgD!-LGAE+ws9P6TH+l zgl$8(+rbAMJ|lFY|$&HVz;KZN}kbV`d_PFjlA7BnD>J00!aJ1B_w~ z&>++yVC-Xs5(<)~+7rd6bqpBo+w#Dm<2^8$HO`mk1p}cAxkvou3v><^dcmM~l@hG~4JswH zdLQV$lFXF6eQv;{$sRZc@g$qI)=?tH3P4`yk($gf1`xq$w%Ufg;zde_0r`ZOF<`AF zgV-}Cnn`XIv7?3HNFkXA(PxlC>Yb~J?`nlALp008>3uKW#cm8HK*#&!VbzCJ%J~ny zGXF2G>2@@U5YRam`ODJq8o*KBnNOe?T5LsH#awx|Jgr9I)L7f*(OSJ-BYg)> zQ$J^HcdDzaI?-s|SB~C8F&DJ&-3IDp94cRLZ&ms?Wxta9BrCZQD>SCdSym^q?1n#N zQnyc)(&79I+nOA!D`w#BAyQ*4y3;vRd9a7)808+H&A-;0`>sxIRH77QH#a6p{`;=E z$y(8xFwC1#MaI)!cX_+#`6(oWDED_Nzk6ln)bkAMD1X-r%h^u$xizvs zOZLCq(bLiM^e6OmnTLMhsehRn*Za5k6yQt4MS(|G7m(fByo4N4{?|L2yV{s+hR1j8FIh0-pX$(*_)8sRAE`9IzsG?|y zXIJnLq-i{KH@Q72_A$}(lVTqiZAglWYRKOh_z0rZI31x;W2wFFyH_*Pohun>W6F() zds)FsMqyqGKufE61KP^ZkM{7!FNq|5fhX50z`*n~)91SdF03e!XPP7ApBlZwxocgM z(fIi2Wo)>1nlgOEKN=GqaGMSN7eGp!Z-zq>g~cJnzNFd{FLc z9;MK~UcfQ8^)ieXO*e@)JPUd$`Dbdtv*0s4^a_uhS7R}$(1mBgzvyE@U*nf4r7ArO z{zaE~kx#OBY`#^efs;@UKI}UXO@~`}D|pAPluH^U$kDc;PjmY1jf9 zlOrA+G~nt2k|QP-iUN;!TX<}(0+J)9V~YYNM|=y&krgcnPuBp~FO1^3JK*&Agoy*0 zGV%|Qt7N)7O7Ad4b{(-Z+NQUtOF&`mJ~FiFit*0JzTq5J+KR?Up=hBwngRC1G9R|)z(tjBdk!t=y?K#sC zixvEg4utEglYUW$3M92NZt|mP`pnY-cR3xljf09zwAEDNU;TFIu&6`6V6CppVZ{Vt z1)A5C7M)%JSf<4$Qy)#*Ktd4Dm_PQPzWQ$SWU5^+CFoSiq=d)Tno^=uFTJe!O5sjT zDGgiZU8=oMY*9hbal)2`7aF!e8hG6pRY4dD{g5M{yXl(u9#6O*`^j-lN#y(Ue3Ho5 zXp*R7t*j-9(hk2D(}T4n(P$@EGnnveNut$K?bBUr=CQ(>`N?kDi=2L}mWQ()xQYo$ zzig6~wL-?lZ~}s=Y}!AM^Isgz8~JbPq|Vw7e*W*H%s>9)XuiE!)z4=~^Py&i>6Xbi z=K6m8Wd#ZmT0+K_tID2ZuE8Wm0etci>H4dx-`k*xykjEI%l(?;+5J)II(MqhW_(V@ ze6#G0D+oc8!4^(0Jw0m16^4$CD;MmQF@&YO0U1Q&;8ZVEk-=t2Uqh;e;7i5!83@Xa zoHUtQVRRp`YEz^cD@EORb?QE{vTo{; zcsEm}$bNq(``v3~N2uq|Y5r1VKikPZw?=jeY!jzNb_8~Tmu0xHx2qvK<41PdltrJj z`2qjPavd?3$w$a8Hc&%Tgy zc_$@PipCYdIPwD&pozL{|0mmC8h(e@zV!SKAKm$_^*j9PPMclG@9+zrbLDq1DseSbU+-%4_NKf@e{F9iA;Xl(dfa4qQf(aTz+d;8&77zmoP&&qE~5 ziHArD{7Q=PD+;mC?;r{I3`1pet(W}{cV~T5(JT^rP;f8C@9_E{7Ep{bX~wBy4d2<{ zr`y4#Lg7U~=b&{8owK^TXq#esl+acYl(uOaz%kb6gTDPIzvhrn8YkDdn%Mp?Wi4a3Wx2QbhTL~D2+%un;O=OI}C>j6~I*IMZK?hZpsi?6{Z2!fUD=I7Wi1;YP>mlomw?%xmL zf9YkyN65X1nd~>2@HfeChalqryEZw;uCxFC4<93TMKE_?8Yu zgAbZlp*a3F#nBp%_x}@*>}j)yfLsLR+gV%86U*%X(OJvo?*83~P!SzGsI!*Kb7{L) zY=QD;Im2o`QiWY5+Dxe$!lC^v_hAvVOWF#nv->lBB|zcBnrG=iRsTqNzeUMUNBatu zwR41c6n2h~*~%x~^8V46$0?43M$phHtsq?Y^>&H?n9wP0ShFoL&)X?BEfk&dkD*hT zsupk;vwlT}5q6?03aEMeFdIoV`TqKQI~L!m6a5p7^rsEa_g9Fpqib6_)v)nZmfMZMXUT3VPuInVc zJ3ZU-bfm3g+Ju=lyMKVx7`NE_tWCgW+q=k}(eL!t2lgAJ;(t%vz{+-LHb@!Ri6AMp z!*CfFlF<)WU$=DzNf+#%L(=LHFqHkYCfII5 zzIQOt`{Q?Lgz9jFtpyNBZ+-OK=OgIl%1nQ+%rTAqq92@)ZDZlzl_34Xzav3x=ep-o z(GaxN5&k8kpdi`GUig=T1nJ>&|M@gpM73pooY<`0E=9ouOMH{5g+9yFTqx39fhOOm8!^ zFIxE5HWvQ&$pz|t5yD>>^rYR?(Jbj-M*dJa((d%u2TxLhI%h!kOVX_MJac z@F@bsi~K;uszZC*;giUOfwy2_)NpzT<4tpB!9aw9%l4@hBEPo~f%o2m(b*7Cd~y0n zQ63@KEsqf5$4WK&kEgeyn>77Eg-{?bqqdn&7g9zTTT|zZEegI+aYW~J#%pNEhwt%9ztOKwa(RiXA4Ch04|J{KKny@Pumm= zfFb4r;2uTZUjtt|v0|d-fTtDxwD!YsH^tXZ{3yXrm|kE4!PHgcF^W8VnkdAYY4G!% zoUkd~f#CFKi3CO3`?V8&@)e9ysf>v%Ha%`#;ByZa=Glt7;5={1Qb&*bI;7ZGrCFiJ z>5~OB26K{|Hz&Ow7p;1$(uX0bCP7Ekk@UDfz9zGg&rFYJ!ei+ENLaa@32sqa58 z`D0uk?Zn0T#X3F!Z;N#Vn1L$-&n!;3h}{|^)rYiY{gGRiJ6jRbwm|?~z8BAhS|Bc% zp7Ep*CVf+>b7F;$Wn)D9W7!UMKtPK229H^F1UC1DvORy~+k3Q4t?1wVoyzZCqjIhE z_l2@Of8<+V?Rdot^eyA>?gbuI4jM@H;cejJ1JP<^JYrsQ+xSAzRIzMg1?9&jEi9Xm zG#66BA_*xL;IU>vR#*!rkF5ohC+!4Vxlm8=2a{)CNV&X|CkrW~ofKOrvUp1Nl>KFi zou6z3`-h^nZ+ofG+7En7X|1pJf26dATlW9?2d1{MmkPE0=(m*G`fC42Ms4|@Rht7k z@0yTa;!ZhEmhJ7sro_-?WAQZ{vXG|yZeB$$gyRoykB9vMb$sHXN)bEOMdxshuwPTh zgrNdUikHzrDx4Felp4A0JBAx)`moQ0mm(gQ5~;VFdtHrF_w2MUzHJcpZdR!iC!y>P zJT~l6L9xn)s93?0-=m^)7_>)4XW=ARptYX(XU?IMrBSt$__L~g(ObV1|6FYklAnnq zMwsHCOSVmglo^G5QixWwL1}oM;n~sgrO~#&KO%>lY8q|V*c&K^k{t$SKkP8D@|f!! z2F9UQXR=Ch6c-b-?qOhj6wrU_oG(-HT`T5h`l6@4rLHeWVNmHXFm@*@m(HBvFfgWO zIB|pmu*W>UI1G$03J@t!9RJ0yzQe%y-Fp}qK=hsaRnoa%rNt10V@I->TO%CF!rYCf zZ7!*E?BoI0eo7sarzg!NJI8_b&o|6%Y-cB!so(k7pv?vOiYRkIT&ay)aGlW|v-tpZ zOM56A>LR@|nx(k4Fc~=tY*-{v&nh}~CDlP*HT%40?@?ew!V{l}=R7fg6c|A3u)BIT ztX-VL;G#GRj2cQx&uF8TrOgpLr$nY|yUgjC__7!gn+9*fIPdfU>!*@!;vleFMs+6f z*8@1mc&!UKNO=K(>uj@Lz~IOL0n`aWjFMY_A57SC0)b#PW0g`sh zMM^1sRkWrLnJUmvU_X_q4;weBuY)jzsmf0K4@Y#H3KACZ9CIeZX+V5Qk$(>Mg!TfM6!fOt%uO!%au9ai*keJ0Qi~ zhRTpD+DJx}Q_=Q2I45htsaeygiYcH@xR)HZZ!_RWH^lgP9p_PEw(Ap7lBZ}LhC!~} z_K?>HrgJ#jte<2}AGjWUz{Hk<&g%o40-_H}K_8fo3ZJU!=mWaXzVntp3@}69OCLzC zVwW%T;1=`nq~l8 zbI263G`M3-AK(!}AK)UWuhIvNtkFffWOYX$m`MN+ihnrSl4Ue6RtLJLa5bb48XbK= zX0H$Qfob%C4$3U_0X3B12RtckOw+fo*VPBZU40PWfw1GwLZYVF@2D&)(3-LA3y}prw{5I>I3&8^Z}g6KLjv4U%fui?-d`mHo{~*Qu<&J z)-`=VDd_`_RXyCQL9_zSmuF?lAA9#Hbbddn62tePU z0bmE{!ZaukXwR8GKn!;rW~=mpI4kG_$=X66kc|G;A)BTTc<9v!h%4~3LLY40n6a>L zXkC3UXt)acz}D7=Y*A1rqVZGP61hnq3<*@7SjECZM;{f**ulz>KER8* zLLWrI&*zW$>d^;CetjLwZ;t(uSjYO96BPMl?fWy;%rAwXI-D>Wsb%?9fkPX?{Xrhx zjgu=T4rLSt{lVs8GGmH@LaKrq?JN*!ex7vDq@OOB<2syrSxgrUhMnF;#%@;4hQ??+ z%#U{YlzsljDHFvDcA6;bP5ySI`{H(=a#uG6|6cy=#i9iUftyDPPAVOY%o3vqICTAy z9o>xS`N(@tIcnT*DCYFNIxO^+i&VztzsG$Kcg|GCU7CNHpM1V2f2GEc*7&lFeU?SB zx_%FD^D~jCZl~0O2A^keX0BQu_w*!ZMKW$v{A!CH5T=y+*c6q_=JDxPge3Je#E5Zj zuLieHZ=*As?C1;XB$C9C+XV2iog%Ch9ROoxY|(CUMhi=}%T+eJD2JGel54&`O@DCf zE1bSf_twRwV+Ri0GkI*{-qRpreot`l7IT<5sn%k_S)4{-e`*N=1k6xYvieUj@5 zuBW(uf$MWzzs~hrT>p;ii(C=c-xs_O($-3te~7fT;Ql$%dtv`&ey@c8cSzfNd6s4S z?%H?Ojh#Gw{P<-Ibv@-%AcJnxCgI;{Q21{^e^NFe*VEP}H$2GOWU%U@Edw||+(3mt zsjH}j%H_XPPa|^wCtsIxQzH~IAYAd?WUK1~jWnve{Kp&V*1D>TaT*>4P`L&Xn!5B>f1 zkiq%fP`VZPoPeYO0cpcZ7oHe4ApiAndfVDSx_wu^_H|die*e|iydl5g#+zEQ`J3HqT>hD68dY8X#b#Q5PXFP<*_6)R zGr2f@bYgL7Vfy5KZuc>_`?TAA{IrA5P92?GI<;`!o!@@oK=?H^wmALIrY4rMlb2<$ zI{B(>>g>^}sbh=TiOI9mCr+Qp7EjO3omyC$I+iJ)J2Q2Z3Y>AVvd)QxacgZ(f1?B| zx|({FADI2G7phYb<_6JgL6|8;OvyjtL=}H{^l$9O-vj;dv@}k=`&Ye zxqo6}@&4%(6P>I#E3fMLEO|e(D*x4#JwCa(xS|00zf9gQt(9Mc0eTBqtO4?m0MF|D zZ|w|216t@0YlXLPekA6_KMPTwmW_i{wPa9-BNdb#iI)_{#bo z4eg(y+(SJ7W~jRs>K-AzsCz5V7ja2~ZsXE_hk!{iZ0G9Dw}aoKTsyh?;Q{Z9(`%wn z_|CX!JAdY)H2zC?_SuWloy(-1cyMCj)TyP3>0^Ej&y)7LT@zQj{6iO~UygqX`uR4R z+Qqe->r$>)apCj{HP6pi z?=|Fk0~cP)jq3&Uk5R8+o;o{uV($3V;uQ}}E}pnz>g1VI4^G@WeOv>7|I*Ujgpwyh zrq>)jO5NXc;D9@I^3Lg_vu^CNjK{YvO)e~Pzwy+`d#CR^y)fmjyyj+K?OVYZ$xBmb zmw-v={Y~2ZJ+3RS?0+Y=_#;aX`EP()DWdeRkPfQ%ACcIF|7hvy4xK5qC>D0-o zaLe4GDJ0jP?157Y$B&Wt)~Ut0QzsXv4oyuSn_5_0oszlx{i_3+yKC>;!R6kgrx%w_ zop1;5xWgS4W=<~c6;C?h=!&`HlhY@!&5qtbxv)63^v2Um_wK!>lg&#RYh?cP)Z)?& zr;a_?|4XCs)+u}03sP@_vfMOvd}_%$We-Za{nUN_uYTOPFg0oK{X^!iyef=mcPzot zqu@tFd3BMRKlY0BpT|O*hUYC@#qfv|#J-eVf$)V-@-T$b(4uH2Jd8W?+G zZfT+Cm(t4MW)r~5iDQH()dg0_{T0ylM7ppxJ$Q8omf1&Fg*t?Oq`fn znmjhSG>PRo5-rDXU#?yFstart(plugin); } +TEST_P(WasmCommonTest, SignedModule) { +#if defined(__aarch64__) + // TODO(PiotrSikora): There are no Emscripten releases for arm64. + if (GetParam() != "null") { + return; + } +#endif + if (GetParam() != "v8") { + return; + } + Stats::IsolatedStoreImpl stats_store; + Api::ApiPtr api = Api::createApiForTest(stats_store); + Upstream::MockClusterManager cluster_manager; + Event::DispatcherPtr dispatcher(api->allocateDispatcher("wasm_test")); + auto scope = Stats::ScopeSharedPtr(stats_store.createScope("wasm.")); + NiceMock local_info; + const auto code = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/common/wasm/test_data/test_cpp.signed.wasm")); + EXPECT_FALSE(code.empty()); + + envoy::extensions::wasm::v3::PluginConfig plugin_config; + *plugin_config.mutable_vm_config()->mutable_runtime() = + absl::StrCat("envoy.wasm.runtime.", GetParam()); + plugin_config.mutable_vm_config()->set_public_key( + "95cf8acf16e0002805bcf303cf204d02d34537d435f20b1a53fa4c2253d35448"); + auto plugin = std::make_shared( + plugin_config, envoy::config::core::v3::TrafficDirection::UNSPECIFIED, local_info, nullptr); + auto vm_key = proxy_wasm::makeVmKey("", "", code); + auto wasm = std::make_unique(plugin->wasmConfig(), vm_key, scope, + cluster_manager, *dispatcher); + + EXPECT_TRUE(wasm->load(code, false)); + EXPECT_TRUE(wasm->initialize()); +} + class WasmCommonContextTest : public Common::Wasm::WasmTestBase> { public: From f4b0974cf2c6faeb81bdbecdbf53db67f207bbd3 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Fri, 16 Jul 2021 12:09:16 -0400 Subject: [PATCH 2/2] fix format, comment out local path Signed-off-by: Asra Ali --- bazel/repositories.bzl | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 94883dc0f4101..0312d73eb8d0b 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -858,11 +858,12 @@ def _proxy_wasm_cpp_sdk(): external_http_archive(name = "proxy_wasm_cpp_sdk") def _proxy_wasm_cpp_host(): - native.local_repository( - name = "proxy_wasm_cpp_host", - path = "/usr/local/google/home/asraa/git/proxy-wasm-cpp-host", - ) - #external_http_archive(name = "proxy_wasm_cpp_host") + # Use a local branch to pull in https://github.com/proxy-wasm/proxy-wasm-cpp-host/pull/177 + # native.local_repository( + # name = "proxy_wasm_cpp_host", + # path = "/usr/local/google/home/asraa/git/proxy-wasm-cpp-host", + # ) + external_http_archive(name = "proxy_wasm_cpp_host") def _emscripten_toolchain(): external_http_archive(