From cb27dbdd395c27ed81b26b2665c7f47dda77d7a9 Mon Sep 17 00:00:00 2001
From: Andrea Morabito
Date: Wed, 13 Nov 2024 09:58:25 +0100
Subject: [PATCH 01/17] add skeleton project
---
 .gitignore | 132 ++++++++-
 HELP.md | 87 ++++++
 build.gradle | 43 +++
 gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43583 bytes
 gradle/wrapper/gradle-wrapper.properties | 7 +
 gradlew | 252 ++++++++++++++++++
 gradlew.bat | 94 +++++++
 settings.gradle | 1 +
 .../activator/RtpActivatorApplication.java | 13 +
 src/main/resources/application.properties | 1 +
 .../RtpActivatorApplicationTests.java | 13 +
 11 files changed, 639 insertions(+), 4 deletions(-)
 create mode 100644 HELP.md
 create mode 100644 build.gradle
 create mode 100644 gradle/wrapper/gradle-wrapper.jar
 create mode 100644 gradle/wrapper/gradle-wrapper.properties
 create mode 100755 gradlew
 create mode 100644 gradlew.bat
 create mode 100644 settings.gradle
 create mode 100644 src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java
 create mode 100644 src/main/resources/application.properties
 create mode 100644 src/test/java/it/gov/pagopa/rtp/activator/RtpActivatorApplicationTests.java
diff --git a/.gitignore b/.gitignore
index 524f096..572ccc0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,80 @@
 # Mobile Tools for Java (J2ME)
 .mtj.tmp/
 
-# Package Files #
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+
+######################
+# Project Specific
+######################
+/sonar-report/**
+**/sonar-report/**
+
+######################
+# Eclipse
+######################
+*.pydevproject
+.project
+.metadata
+tmp/
+tmp/**/*
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
+.factorypath
+/src/main/resources/rebel.xml
+
+# External tool builders
+.externalToolBuilders/**
+
+# Locally stored "Eclipse launch configurations"
+*.launch
+
+# CDT-specific
+.cproject
+
+# PDT-specific
+.buildpath
+
+# STS-specific
+/.sts4-cache/*
+######################
+# Intellij
+######################
+.idea/
+*.iml
+*.iws
+*.ipr
+*.ids
+*.orig
+classes/
+out/
+
+######################
+# Visual Studio Code
+######################
+.vscode/
+
+######################
+# Maven
+######################
+/log/
+/target/**
+**/target/**
+######################
+# Gradle
+######################
+.gradle/
+/build/
+
+######################
+# Package Files
+######################
 *.jar
 *.war
 *.nar
@@ -19,6 +92,57 @@
 *.tar.gz
 *.rar
 
-# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
-hs_err_pid*
-replay_pid*
+######################
+# Windows
+######################
+# Windows image file caches
+Thumbs.db
+
+# Folder config file
+Desktop.ini
+
+######################
+# Mac OSX
+######################
+.DS_Store
+.svn
+
+# Thumbnails
+._*
+
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+######################
+# Directories
+######################
+/bin/
+/deploy/
+
+######################
+# Logs
+######################
+*.log*
+
+######################
+# Others
+######################
+*.*~
+*~
+.merge_file*
+
+######################
+# Gradle Wrapper
+######################
+!gradle/wrapper/gradle-wrapper.jar
+
+######################
+# Maven Wrapper
+######################
+!.mvn/wrapper/maven-wrapper.jar
+
+######################
+# ESLint
+######################
+.eslintcache
\ No newline at end of file
diff --git a/HELP.md b/HELP.md
new file mode 100644
index 0000000..e83eb6e
--- /dev/null
+++ b/HELP.md
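Review bot: The `!gradle/wrapper/gradle-wrapper.jar` exception near the end of the second .gitignore hunk lets a binary jar into the repository that cannot be read in a diff, and nothing visible in this patch pins or verifies it. Before merging, compare the committed jar's SHA-256 with the checksum Gradle publishes for that wrapper version, and consider running wrapper validation in CI so later updates of the jar are checked as well. Setting `distributionSha256Sum` in `gradle/wrapper/gradle-wrapper.properties` would also pin the distribution the wrapper downloads; that file is listed in the diffstat but not shown here, so it may already do this. The `!.mvn/wrapper/maven-wrapper.jar` exception looks unused in a Gradle-only project and could be dropped.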
@@ -0,0 +1,87 @@
+# Read Me First
+The following was discovered as part of building this project:
+
+* The original package name 'it.pagopa.rtp-activator' is invalid and this project uses 'it.pagopa.rtp_activator' instead.
+
+# Getting Started
+
+### Reference Documentation
+For further reference, please consider the following sections:
+
+* [Official Gradle documentation](https://docs.gradle.org)
+* [Spring Boot Gradle Plugin Reference Guide](https://docs.spring.io/spring-boot/3.3.5/gradle-plugin)
+* [Create an OCI image](https://docs.spring.io/spring-boot/3.3.5/gradle-plugin/packaging-oci-image.html)
+* [GraalVM Native Image Support](https://docs.spring.io/spring-boot/3.3.5/reference/packaging/native-image/introducing-graalvm-native-images.html)
+* [Azure Actuator](https://aka.ms/spring/docs/actuator)
+* [Spring Reactive Web](https://docs.spring.io/spring-boot/3.3.5/reference/web/reactive.html)
+* [Azure Cosmos DB](https://microsoft.github.io/spring-cloud-azure/current/reference/html/index.html#spring-data-support)
+* [Spring Boot Actuator](https://docs.spring.io/spring-boot/3.3.5/reference/actuator/index.html)
+
+### Guides
+The following guides illustrate how to use some features concretely:
+
+* [Building a Reactive RESTful Web Service](https://spring.io/guides/gs/reactive-rest-service/)
+* [How to use Spring Boot Starter with Azure Cosmos DB SQL API](https://aka.ms/spring/msdocs/cosmos)
+* [Building a RESTful Web Service with Spring Boot Actuator](https://spring.io/guides/gs/actuator-service/)
+
+### Additional Links
+These additional references should also help you:
+
+* [Gradle Build Scans – insights for your project's build](https://scans.gradle.com#gradle)
+* [Configure AOT settings in Build Plugin](https://docs.spring.io/spring-boot/3.3.5/how-to/aot.html)
+* [Azure Cosmos DB Sample](https://aka.ms/spring/samples/latest/cosmos)
+
+## GraalVM Native Support
+
+This project has been configured to let you generate either a lightweight container or a native executable.
+It is also possible to run your tests in a native image.
+
+### Lightweight Container with Cloud Native Buildpacks
+If you're already familiar with Spring Boot container images support, this is the easiest way to get started.
+Docker should be installed and configured on your machine prior to creating the image.
+
+To create the image, run the following goal:
+
+```
+$ ./gradlew bootBuildImage
+```
+
+Then, you can run the app like any other container:
+
+```
+$ docker run --rm rtp-activator:0.0.1-SNAPSHOT
+```
+
+### Executable with Native Build Tools
+Use this option if you want to explore more options such as running your tests in a native image.
+The GraalVM `native-image` compiler should be installed and configured on your machine.
+
+NOTE: GraalVM 22.3+ is required.
+
+To create the executable, run the following goal:
+
+```
+$ ./gradlew nativeCompile
+```
+
+Then, you can run the app as follows:
+```
+$ build/native/nativeCompile/rtp-activator
+```
+
+You can also run your existing tests suite in a native image.
+This is an efficient way to validate the compatibility of your application.
+
+To run your existing tests in a native image, run the following goal:
+
+```
+$ ./gradlew nativeTest
+```
+
+### Gradle Toolchain support
+
+There are some limitations regarding Native Build Tools and Gradle toolchains.
+Native Build Tools disable toolchain support by default.
+Effectively, native image compilation is done with the JDK used to execute Gradle.
+You can read more about [toolchain support in the Native Build Tools here](https://graalvm.github.io/native-build-tools/latest/gradle-plugin.html#configuration-toolchains).
+
diff --git a/build.gradle b/build.gradle
new file mode 100644
index 0000000..5e4d7e7
--- /dev/null
+++ b/build.gradle
@@ -0,0 +1,43 @@
+plugins {
+ id 'java'
+ id 'org.springframework.boot' version '3.3.5'
+ id 'io.spring.dependency-management' version '1.1.6'
+ id 'org.graalvm.buildtools.native' version '0.10.3'
+}
+
+group = 'it.gov.pagopa'
+version = '0.0.1-SNAPSHOT'
+
+java {
+ toolchain {
+ languageVersion = JavaLanguageVersion.of(21)
+ }
+}
+
+repositories {
+ mavenCentral()
+}
+
+//ext {
+// set('springCloudAzureVersion', "5.18.0")
+//}
+
+dependencies {
+ implementation 'org.springframework.boot:spring-boot-starter-actuator'
+ implementation 'org.springframework.boot:spring-boot-starter-webflux'
+// implementation 'com.azure.spring:spring-cloud-azure-starter-actuator'
+// implementation 'com.azure.spring:spring-cloud-azure-starter-data-cosmos'
+ testImplementation 'org.springframework.boot:spring-boot-starter-test'
+ testImplementation 'io.projectreactor:reactor-test'
+ testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+}
+
+dependencyManagement {
+ imports {
+// mavenBom "com.azure.spring:spring-cloud-azure-dependencies:${springCloudAzureVersion}"
+ }
+}
+
+tasks.named('test') {
+ useJUnitPlatform()
+}
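Review bot: `spring-boot-starter-actuator` is added in the `dependencies` block next to `spring-boot-starter-webflux` with no security starter, so whichever actuator endpoints are exposed over HTTP are served without authentication on the application port. Spring Boot 3.3 exposes only `health` by default, which is a sound baseline; making it explicit with `management.endpoints.web.exposure.include=health` in `application.properties` (part of this patch but not visible here) would turn any later widening into a reviewed change. Separately, the commented-out `//ext { … }` block, the two commented Azure `implementation` lines and the `dependencyManagement { imports { } }` block that holds only a comment are dead configuration; they are better dropped until the Azure starters are actually added.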
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..a4b76b9530d66f5e68d973ea569d8e19de379189 GIT binary patch literal 43583 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd 
zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 
z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj 
z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 
z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? 
z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> 
z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? 
zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vW>HF-Vi3+ZOI=+qP}n zw(+!WcTd~4ZJX1!ZM&y!+uyt=&i!+~d(V%GjH;-NsEEv6nS1TERt|RHh!0>W4+4pp z1-*EzAM~i`+1f(VEHI8So`S`akPfPTfq*`l{Fz`hS%k#JS0cjT2mS0#QLGf=J?1`he3W*;m4)ce8*WFq1sdP=~$5RlH1EdWm|~dCvKOi4*I_96{^95p#B<(n!d?B z=o`0{t+&OMwKcxiBECznJcfH!fL(z3OvmxP#oWd48|mMjpE||zdiTBdWelj8&Qosv zZFp@&UgXuvJw5y=q6*28AtxZzo-UUpkRW%ne+Ylf!V-0+uQXBW=5S1o#6LXNtY5!I z%Rkz#(S8Pjz*P7bqB6L|M#Er{|QLae-Y{KA>`^} z@lPjeX>90X|34S-7}ZVXe{wEei1<{*e8T-Nbj8JmD4iwcE+Hg_zhkPVm#=@b$;)h6 z<<6y`nPa`f3I6`!28d@kdM{uJOgM%`EvlQ5B2bL)Sl=|y@YB3KeOzz=9cUW3clPAU z^sYc}xf9{4Oj?L5MOlYxR{+>w=vJjvbyO5}ptT(o6dR|ygO$)nVCvNGnq(6;bHlBd zl?w-|plD8spjDF03g5ip;W3Z z><0{BCq!Dw;h5~#1BuQilq*TwEu)qy50@+BE4bX28+7erX{BD4H)N+7U`AVEuREE8 z;X?~fyhF-x_sRfHIj~6f(+^@H)D=ngP;mwJjxhQUbUdzk8f94Ab%59-eRIq?ZKrwD z(BFI=)xrUlgu(b|hAysqK<}8bslmNNeD=#JW*}^~Nrswn^xw*nL@Tx!49bfJecV&KC2G4q5a!NSv)06A_5N3Y?veAz;Gv+@U3R% z)~UA8-0LvVE{}8LVDOHzp~2twReqf}ODIyXMM6=W>kL|OHcx9P%+aJGYi_Om)b!xe zF40Vntn0+VP>o<$AtP&JANjXBn7$}C@{+@3I@cqlwR2MdwGhVPxlTIcRVu@Ho-wO` z_~Or~IMG)A_`6-p)KPS@cT9mu9RGA>dVh5wY$NM9-^c@N=hcNaw4ITjm;iWSP^ZX| z)_XpaI61<+La+U&&%2a z0za$)-wZP@mwSELo#3!PGTt$uy0C(nTT@9NX*r3Ctw6J~7A(m#8fE)0RBd`TdKfAT zCf@$MAxjP`O(u9s@c0Fd@|}UQ6qp)O5Q5DPCeE6mSIh|Rj{$cAVIWsA=xPKVKxdhg zLzPZ`3CS+KIO;T}0Ip!fAUaNU>++ZJZRk@I(h<)RsJUhZ&Ru9*!4Ptn;gX^~4E8W^TSR&~3BAZc#HquXn)OW|TJ`CTahk+{qe`5+ixON^zA9IFd8)kc%*!AiLu z>`SFoZ5bW-%7}xZ>gpJcx_hpF$2l+533{gW{a7ce^B9sIdmLrI0)4yivZ^(Vh@-1q zFT!NQK$Iz^xu%|EOK=n>ug;(7J4OnS$;yWmq>A;hsD_0oAbLYhW^1Vdt9>;(JIYjf 
zdb+&f&D4@4AS?!*XpH>8egQvSVX`36jMd>$+RgI|pEg))^djhGSo&#lhS~9%NuWfX zDDH;3T*GzRT@5=7ibO>N-6_XPBYxno@mD_3I#rDD?iADxX`! zh*v8^i*JEMzyN#bGEBz7;UYXki*Xr(9xXax(_1qVW=Ml)kSuvK$coq2A(5ZGhs_pF z$*w}FbN6+QDseuB9=fdp_MTs)nQf!2SlROQ!gBJBCXD&@-VurqHj0wm@LWX-TDmS= z71M__vAok|@!qgi#H&H%Vg-((ZfxPAL8AI{x|VV!9)ZE}_l>iWk8UPTGHs*?u7RfP z5MC&=c6X;XlUzrz5q?(!eO@~* zoh2I*%J7dF!!_!vXoSIn5o|wj1#_>K*&CIn{qSaRc&iFVxt*^20ngCL;QonIS>I5^ zMw8HXm>W0PGd*}Ko)f|~dDd%;Wu_RWI_d;&2g6R3S63Uzjd7dn%Svu-OKpx*o|N>F zZg=-~qLb~VRLpv`k zWSdfHh@?dp=s_X`{yxOlxE$4iuyS;Z-x!*E6eqmEm*j2bE@=ZI0YZ5%Yj29!5+J$4h{s($nakA`xgbO8w zi=*r}PWz#lTL_DSAu1?f%-2OjD}NHXp4pXOsCW;DS@BC3h-q4_l`<))8WgzkdXg3! zs1WMt32kS2E#L0p_|x+x**TFV=gn`m9BWlzF{b%6j-odf4{7a4y4Uaef@YaeuPhU8 zHBvRqN^;$Jizy+ z=zW{E5<>2gp$pH{M@S*!sJVQU)b*J5*bX4h>5VJve#Q6ga}cQ&iL#=(u+KroWrxa%8&~p{WEUF0il=db;-$=A;&9M{Rq`ouZ5m%BHT6%st%saGsD6)fQgLN}x@d3q>FC;=f%O3Cyg=Ke@Gh`XW za@RajqOE9UB6eE=zhG%|dYS)IW)&y&Id2n7r)6p_)vlRP7NJL(x4UbhlcFXWT8?K=%s7;z?Vjts?y2+r|uk8Wt(DM*73^W%pAkZa1Jd zNoE)8FvQA>Z`eR5Z@Ig6kS5?0h;`Y&OL2D&xnnAUzQz{YSdh0k zB3exx%A2TyI)M*EM6htrxSlep!Kk(P(VP`$p0G~f$smld6W1r_Z+o?=IB@^weq>5VYsYZZR@` z&XJFxd5{|KPZmVOSxc@^%71C@;z}}WhbF9p!%yLj3j%YOlPL5s>7I3vj25 z@xmf=*z%Wb4;Va6SDk9cv|r*lhZ`(y_*M@>q;wrn)oQx%B(2A$9(74>;$zmQ!4fN; z>XurIk-7@wZys<+7XL@0Fhe-f%*=(weaQEdR9Eh6>Kl-EcI({qoZqyzziGwpg-GM#251sK_ z=3|kitS!j%;fpc@oWn65SEL73^N&t>Ix37xgs= zYG%eQDJc|rqHFia0!_sm7`@lvcv)gfy(+KXA@E{3t1DaZ$DijWAcA)E0@X?2ziJ{v z&KOYZ|DdkM{}t+@{@*6ge}m%xfjIxi%qh`=^2Rwz@w0cCvZ&Tc#UmCDbVwABrON^x zEBK43FO@weA8s7zggCOWhMvGGE`baZ62cC)VHyy!5Zbt%ieH+XN|OLbAFPZWyC6)p z4P3%8sq9HdS3=ih^0OOlqTPbKuzQ?lBEI{w^ReUO{V?@`ARsL|S*%yOS=Z%sF)>-y z(LAQdhgAcuF6LQjRYfdbD1g4o%tV4EiK&ElLB&^VZHbrV1K>tHTO{#XTo>)2UMm`2 z^t4s;vnMQgf-njU-RVBRw0P0-m#d-u`(kq7NL&2T)TjI_@iKuPAK-@oH(J8?%(e!0Ir$yG32@CGUPn5w4)+9@8c&pGx z+K3GKESI4*`tYlmMHt@br;jBWTei&(a=iYslc^c#RU3Q&sYp zSG){)V<(g7+8W!Wxeb5zJb4XE{I|&Y4UrFWr%LHkdQ;~XU zgy^dH-Z3lmY+0G~?DrC_S4@=>0oM8Isw%g(id10gWkoz2Q%7W$bFk@mIzTCcIB(K8 
zc<5h&ZzCdT=9n-D>&a8vl+=ZF*`uTvQviG_bLde*k>{^)&0o*b05x$MO3gVLUx`xZ z43j+>!u?XV)Yp@MmG%Y`+COH2?nQcMrQ%k~6#O%PeD_WvFO~Kct za4XoCM_X!c5vhRkIdV=xUB3xI2NNStK*8_Zl!cFjOvp-AY=D;5{uXj}GV{LK1~IE2 z|KffUiBaStRr;10R~K2VVtf{TzM7FaPm;Y(zQjILn+tIPSrJh&EMf6evaBKIvi42-WYU9Vhj~3< zZSM-B;E`g_o8_XTM9IzEL=9Lb^SPhe(f(-`Yh=X6O7+6ALXnTcUFpI>ekl6v)ZQeNCg2 z^H|{SKXHU*%nBQ@I3It0m^h+6tvI@FS=MYS$ZpBaG7j#V@P2ZuYySbp@hA# ze(kc;P4i_-_UDP?%<6>%tTRih6VBgScKU^BV6Aoeg6Uh(W^#J^V$Xo^4#Ekp ztqQVK^g9gKMTHvV7nb64UU7p~!B?>Y0oFH5T7#BSW#YfSB@5PtE~#SCCg3p^o=NkMk$<8- z6PT*yIKGrvne7+y3}_!AC8NNeI?iTY(&nakN>>U-zT0wzZf-RuyZk^X9H-DT_*wk= z;&0}6LsGtfVa1q)CEUPlx#(ED@-?H<1_FrHU#z5^P3lEB|qsxEyn%FOpjx z3S?~gvoXy~L(Q{Jh6*i~=f%9kM1>RGjBzQh_SaIDfSU_9!<>*Pm>l)cJD@wlyxpBV z4Fmhc2q=R_wHCEK69<*wG%}mgD1=FHi4h!98B-*vMu4ZGW~%IrYSLGU{^TuseqVgV zLP<%wirIL`VLyJv9XG_p8w@Q4HzNt-o;U@Au{7%Ji;53!7V8Rv0^Lu^Vf*sL>R(;c zQG_ZuFl)Mh-xEIkGu}?_(HwkB2jS;HdPLSxVU&Jxy9*XRG~^HY(f0g8Q}iqnVmgjI zfd=``2&8GsycjR?M%(zMjn;tn9agcq;&rR!Hp z$B*gzHsQ~aXw8c|a(L^LW(|`yGc!qOnV(ZjU_Q-4z1&0;jG&vAKuNG=F|H?@m5^N@ zq{E!1n;)kNTJ>|Hb2ODt-7U~-MOIFo%9I)_@7fnX+eMMNh>)V$IXesJpBn|uo8f~#aOFytCT zf9&%MCLf8mp4kwHTcojWmM3LU=#|{3L>E}SKwOd?%{HogCZ_Z1BSA}P#O(%H$;z7XyJ^sjGX;j5 zrzp>|Ud;*&VAU3x#f{CKwY7Vc{%TKKqmB@oTHA9;>?!nvMA;8+Jh=cambHz#J18x~ zs!dF>$*AnsQ{{82r5Aw&^7eRCdvcgyxH?*DV5(I$qXh^zS>us*I66_MbL8y4d3ULj z{S(ipo+T3Ag!+5`NU2sc+@*m{_X|&p#O-SAqF&g_n7ObB82~$p%fXA5GLHMC+#qqL zdt`sJC&6C2)=juQ_!NeD>U8lDVpAOkW*khf7MCcs$A(wiIl#B9HM%~GtQ^}yBPjT@ z+E=|A!Z?A(rwzZ;T}o6pOVqHzTr*i;Wrc%&36kc@jXq~+w8kVrs;%=IFdACoLAcCAmhFNpbP8;s`zG|HC2Gv?I~w4ITy=g$`0qMQdkijLSOtX6xW%Z9Nw<;M- zMN`c7=$QxN00DiSjbVt9Mi6-pjv*j(_8PyV-il8Q-&TwBwH1gz1uoxs6~uU}PrgWB zIAE_I-a1EqlIaGQNbcp@iI8W1sm9fBBNOk(k&iLBe%MCo#?xI$%ZmGA?=)M9D=0t7 zc)Q0LnI)kCy{`jCGy9lYX%mUsDWwsY`;jE(;Us@gmWPqjmXL+Hu#^;k%eT>{nMtzj zsV`Iy6leTA8-PndszF;N^X@CJrTw5IIm!GPeu)H2#FQitR{1p;MasQVAG3*+=9FYK zw*k!HT(YQorfQj+1*mCV458(T5=fH`um$gS38hw(OqVMyunQ;rW5aPbF##A3fGH6h z@W)i9Uff?qz`YbK4c}JzQpuxuE3pcQO)%xBRZp{zJ^-*|oryTxJ-rR+MXJ)!f=+pp 
z10H|DdGd2exhi+hftcYbM0_}C0ZI-2vh+$fU1acsB-YXid7O|=9L!3e@$H*6?G*Zp z%qFB(sgl=FcC=E4CYGp4CN>=M8#5r!RU!u+FJVlH6=gI5xHVD&k;Ta*M28BsxfMV~ zLz+@6TxnfLhF@5=yQo^1&S}cmTN@m!7*c6z;}~*!hNBjuE>NLVl2EwN!F+)0$R1S! zR|lF%n!9fkZ@gPW|x|B={V6x3`=jS*$Pu0+5OWf?wnIy>Y1MbbGSncpKO0qE(qO=ts z!~@&!N`10S593pVQu4FzpOh!tvg}p%zCU(aV5=~K#bKi zHdJ1>tQSrhW%KOky;iW+O_n;`l9~omqM%sdxdLtI`TrJzN6BQz+7xOl*rM>xVI2~# z)7FJ^Dc{DC<%~VS?@WXzuOG$YPLC;>#vUJ^MmtbSL`_yXtNKa$Hk+l-c!aC7gn(Cg ze?YPYZ(2Jw{SF6MiO5(%_pTo7j@&DHNW`|lD`~{iH+_eSTS&OC*2WTT*a`?|9w1dh zh1nh@$a}T#WE5$7Od~NvSEU)T(W$p$s5fe^GpG+7fdJ9=enRT9$wEk+ZaB>G3$KQO zgq?-rZZnIv!p#>Ty~}c*Lb_jxJg$eGM*XwHUwuQ|o^}b3^T6Bxx{!?va8aC@-xK*H ztJBFvFfsSWu89%@b^l3-B~O!CXs)I6Y}y#0C0U0R0WG zybjroj$io0j}3%P7zADXOwHwafT#uu*zfM!oD$6aJx7+WL%t-@6^rD_a_M?S^>c;z zMK580bZXo1f*L$CuMeM4Mp!;P@}b~$cd(s5*q~FP+NHSq;nw3fbWyH)i2)-;gQl{S zZO!T}A}fC}vUdskGSq&{`oxt~0i?0xhr6I47_tBc`fqaSrMOzR4>0H^;A zF)hX1nfHs)%Zb-(YGX;=#2R6C{BG;k=?FfP?9{_uFLri~-~AJ;jw({4MU7e*d)?P@ zXX*GkNY9ItFjhwgAIWq7Y!ksbMzfqpG)IrqKx9q{zu%Mdl+{Dis#p9q`02pr1LG8R z@As?eG!>IoROgS!@J*to<27coFc1zpkh?w=)h9CbYe%^Q!Ui46Y*HO0mr% zEff-*$ndMNw}H2a5@BsGj5oFfd!T(F&0$<{GO!Qdd?McKkorh=5{EIjDTHU`So>8V zBA-fqVLb2;u7UhDV1xMI?y>fe3~4urv3%PX)lDw+HYa;HFkaLqi4c~VtCm&Ca+9C~ zge+67hp#R9`+Euq59WhHX&7~RlXn=--m8$iZ~~1C8cv^2(qO#X0?vl91gzUKBeR1J z^p4!!&7)3#@@X&2aF2-)1Ffcc^F8r|RtdL2X%HgN&XU-KH2SLCbpw?J5xJ*!F-ypZ zMG%AJ!Pr&}`LW?E!K~=(NJxuSVTRCGJ$2a*Ao=uUDSys!OFYu!Vs2IT;xQ6EubLIl z+?+nMGeQQhh~??0!s4iQ#gm3!BpMpnY?04kK375e((Uc7B3RMj;wE?BCoQGu=UlZt!EZ1Q*auI)dj3Jj{Ujgt zW5hd~-HWBLI_3HuO) zNrb^XzPsTIb=*a69wAAA3J6AAZZ1VsYbIG}a`=d6?PjM)3EPaDpW2YP$|GrBX{q*! 
z$KBHNif)OKMBCFP5>!1d=DK>8u+Upm-{hj5o|Wn$vh1&K!lVfDB&47lw$tJ?d5|=B z^(_9=(1T3Fte)z^>|3**n}mIX;mMN5v2F#l(q*CvU{Ga`@VMp#%rQkDBy7kYbmb-q z<5!4iuB#Q_lLZ8}h|hPODI^U6`gzLJre9u3k3c#%86IKI*^H-@I48Bi*@avYm4v!n0+v zWu{M{&F8#p9cx+gF0yTB_<2QUrjMPo9*7^-uP#~gGW~y3nfPAoV%amgr>PSyVAd@l)}8#X zR5zV6t*uKJZL}?NYvPVK6J0v4iVpwiN|>+t3aYiZSp;m0!(1`bHO}TEtWR1tY%BPB z(W!0DmXbZAsT$iC13p4f>u*ZAy@JoLAkJhzFf1#4;#1deO8#8d&89}en&z!W&A3++^1(;>0SB1*54d@y&9Pn;^IAf3GiXbfT`_>{R+Xv; zQvgL>+0#8-laO!j#-WB~(I>l0NCMt_;@Gp_f0#^c)t?&#Xh1-7RR0@zPyBz!U#0Av zT?}n({(p?p7!4S2ZBw)#KdCG)uPnZe+U|0{BW!m)9 zi_9$F?m<`2!`JNFv+w8MK_K)qJ^aO@7-Ig>cM4-r0bi=>?B_2mFNJ}aE3<+QCzRr*NA!QjHw# z`1OsvcoD0?%jq{*7b!l|L1+Tw0TTAM4XMq7*ntc-Ived>Sj_ZtS|uVdpfg1_I9knY z2{GM_j5sDC7(W&}#s{jqbybqJWyn?{PW*&cQIU|*v8YGOKKlGl@?c#TCnmnAkAzV- zmK={|1G90zz=YUvC}+fMqts0d4vgA%t6Jhjv?d;(Z}(Ep8fTZfHA9``fdUHkA+z3+ zhh{ohP%Bj?T~{i0sYCQ}uC#5BwN`skI7`|c%kqkyWIQ;!ysvA8H`b-t()n6>GJj6xlYDu~8qX{AFo$Cm3d|XFL=4uvc?Keb zzb0ZmMoXca6Mob>JqkNuoP>B2Z>D`Q(TvrG6m`j}-1rGP!g|qoL=$FVQYxJQjFn33lODt3Wb1j8VR zlR++vIT6^DtYxAv_hxupbLLN3e0%A%a+hWTKDV3!Fjr^cWJ{scsAdfhpI)`Bms^M6 zQG$waKgFr=c|p9Piug=fcJvZ1ThMnNhQvBAg-8~b1?6wL*WyqXhtj^g(Ke}mEfZVM zJuLNTUVh#WsE*a6uqiz`b#9ZYg3+2%=C(6AvZGc=u&<6??!slB1a9K)=VL zY9EL^mfyKnD zSJyYBc_>G;5RRnrNgzJz#Rkn3S1`mZgO`(r5;Hw6MveN(URf_XS-r58Cn80K)ArH4 z#Rrd~LG1W&@ttw85cjp8xV&>$b%nSXH_*W}7Ch2pg$$c0BdEo-HWRTZcxngIBJad> z;C>b{jIXjb_9Jis?NZJsdm^EG}e*pR&DAy0EaSGi3XWTa(>C%tz1n$u?5Fb z1qtl?;_yjYo)(gB^iQq?=jusF%kywm?CJP~zEHi0NbZ);$(H$w(Hy@{i>$wcVRD_X|w-~(0Z9BJyh zhNh;+eQ9BEIs;tPz%jSVnfCP!3L&9YtEP;svoj_bNzeGSQIAjd zBss@A;)R^WAu-37RQrM%{DfBNRx>v!G31Z}8-El9IOJlb_MSoMu2}GDYycNaf>uny z+8xykD-7ONCM!APry_Lw6-yT>5!tR}W;W`C)1>pxSs5o1z#j7%m=&=7O4hz+Lsqm` z*>{+xsabZPr&X=}G@obTb{nPTkccJX8w3CG7X+1+t{JcMabv~UNv+G?txRqXib~c^Mo}`q{$`;EBNJ;#F*{gvS12kV?AZ%O0SFB$^ zn+}!HbmEj}w{Vq(G)OGAzH}R~kS^;(-s&=ectz8vN!_)Yl$$U@HNTI-pV`LSj7Opu zTZ5zZ)-S_{GcEQPIQXLQ#oMS`HPu{`SQiAZ)m1at*Hy%3xma|>o`h%E%8BEbi9p0r zVjcsh<{NBKQ4eKlXU|}@XJ#@uQw*$4BxKn6#W~I4T<^f99~(=}a`&3(ur8R9t+|AQ 
zWkQx7l}wa48-jO@ft2h+7qn%SJtL%~890FG0s5g*kNbL3I&@brh&f6)TlM`K^(bhr zJWM6N6x3flOw$@|C@kPi7yP&SP?bzP-E|HSXQXG>7gk|R9BTj`e=4de9C6+H7H7n# z#GJeVs1mtHhLDmVO?LkYRQc`DVOJ_vdl8VUihO-j#t=0T3%Fc1f9F73ufJz*adn*p zc%&vi(4NqHu^R>sAT_0EDjVR8bc%wTz#$;%NU-kbDyL_dg0%TFafZwZ?5KZpcuaO54Z9hX zD$u>q!-9`U6-D`E#`W~fIfiIF5_m6{fvM)b1NG3xf4Auw;Go~Fu7cth#DlUn{@~yu z=B;RT*dp?bO}o%4x7k9v{r=Y@^YQ^UUm(Qmliw8brO^=NP+UOohLYiaEB3^DB56&V zK?4jV61B|1Uj_5fBKW;8LdwOFZKWp)g{B%7g1~DgO&N& z#lisxf?R~Z@?3E$Mms$$JK8oe@X`5m98V*aV6Ua}8Xs2#A!{x?IP|N(%nxsH?^c{& z@vY&R1QmQs83BW28qAmJfS7MYi=h(YK??@EhjL-t*5W!p z^gYX!Q6-vBqcv~ruw@oMaU&qp0Fb(dbVzm5xJN%0o_^@fWq$oa3X?9s%+b)x4w-q5Koe(@j6Ez7V@~NRFvd zfBH~)U5!ix3isg`6be__wBJp=1@yfsCMw1C@y+9WYD9_C%{Q~7^0AF2KFryfLlUP# zwrtJEcH)jm48!6tUcxiurAMaiD04C&tPe6DI0#aoqz#Bt0_7_*X*TsF7u*zv(iEfA z;$@?XVu~oX#1YXtceQL{dSneL&*nDug^OW$DSLF0M1Im|sSX8R26&)<0Fbh^*l6!5wfSu8MpMoh=2l z^^0Sr$UpZp*9oqa23fcCfm7`ya2<4wzJ`Axt7e4jJrRFVf?nY~2&tRL* zd;6_njcz01c>$IvN=?K}9ie%Z(BO@JG2J}fT#BJQ+f5LFSgup7i!xWRKw6)iITjZU z%l6hPZia>R!`aZjwCp}I zg)%20;}f+&@t;(%5;RHL>K_&7MH^S+7<|(SZH!u zznW|jz$uA`P9@ZWtJgv$EFp>)K&Gt+4C6#*khZQXS*S~6N%JDT$r`aJDs9|uXWdbg zBwho$phWx}x!qy8&}6y5Vr$G{yGSE*r$^r{}pw zVTZKvikRZ`J_IJrjc=X1uw?estdwm&bEahku&D04HD+0Bm~q#YGS6gp!KLf$A{%Qd z&&yX@Hp>~(wU{|(#U&Bf92+1i&Q*-S+=y=3pSZy$#8Uc$#7oiJUuO{cE6=tsPhwPe| zxQpK>`Dbka`V)$}e6_OXKLB%i76~4N*zA?X+PrhH<&)}prET;kel24kW%+9))G^JI zsq7L{P}^#QsZViX%KgxBvEugr>ZmFqe^oAg?{EI=&_O#e)F3V#rc z8$4}0Zr19qd3tE4#$3_f=Bbx9oV6VO!d3(R===i-7p=Vj`520w0D3W6lQfY48}!D* z&)lZMG;~er2qBoI2gsX+Ts-hnpS~NYRDtPd^FPzn!^&yxRy#CSz(b&E*tL|jIkq|l zf%>)7Dtu>jCf`-7R#*GhGn4FkYf;B$+9IxmqH|lf6$4irg{0ept__%)V*R_OK=T06 zyT_m-o@Kp6U{l5h>W1hGq*X#8*y@<;vsOFqEjTQXFEotR+{3}ODDnj;o0@!bB5x=N z394FojuGOtVKBlVRLtHp%EJv_G5q=AgF)SKyRN5=cGBjDWv4LDn$IL`*=~J7u&Dy5 zrMc83y+w^F&{?X(KOOAl-sWZDb{9X9#jrQtmrEXD?;h-}SYT7yM(X_6qksM=K_a;Z z3u0qT0TtaNvDER_8x*rxXw&C^|h{P1qxK|@pS7vdlZ#P z7PdB7MmC2}%sdzAxt>;WM1s0??`1983O4nFK|hVAbHcZ3x{PzytQLkCVk7hA!Lo` zEJH?4qw|}WH{dc4z%aB=0XqsFW?^p=X}4xnCJXK%c#ItOSjdSO`UXJyuc8bh^Cf}8 
z@Ht|vXd^6{Fgai8*tmyRGmD_s_nv~r^Fy7j`Bu`6=G)5H$i7Q7lvQnmea&TGvJp9a|qOrUymZ$6G|Ly z#zOCg++$3iB$!6!>215A4!iryregKuUT344X)jQb3|9qY>c0LO{6Vby05n~VFzd?q zgGZv&FGlkiH*`fTurp>B8v&nSxNz)=5IF$=@rgND4d`!AaaX;_lK~)-U8la_Wa8i?NJC@BURO*sUW)E9oyv3RG^YGfN%BmxzjlT)bp*$<| zX3tt?EAy<&K+bhIuMs-g#=d1}N_?isY)6Ay$mDOKRh z4v1asEGWoAp=srraLW^h&_Uw|6O+r;wns=uwYm=JN4Q!quD8SQRSeEcGh|Eb5Jg8m zOT}u;N|x@aq)=&;wufCc^#)5U^VcZw;d_wwaoh9$p@Xrc{DD6GZUqZ ziC6OT^zSq@-lhbgR8B+e;7_Giv;DK5gn^$bs<6~SUadiosfewWDJu`XsBfOd1|p=q zE>m=zF}!lObA%ePey~gqU8S6h-^J2Y?>7)L2+%8kV}Gp=h`Xm_}rlm)SyUS=`=S7msKu zC|T!gPiI1rWGb1z$Md?0YJQ;%>uPLOXf1Z>N~`~JHJ!^@D5kSXQ4ugnFZ>^`zH8CAiZmp z6Ms|#2gcGsQ{{u7+Nb9sA?U>(0e$5V1|WVwY`Kn)rsnnZ4=1u=7u!4WexZD^IQ1Jk zfF#NLe>W$3m&C^ULjdw+5|)-BSHwpegdyt9NYC{3@QtMfd8GrIWDu`gd0nv-3LpGCh@wgBaG z176tikL!_NXM+Bv#7q^cyn9$XSeZR6#!B4JE@GVH zoobHZN_*RF#@_SVYKkQ_igme-Y5U}cV(hkR#k1c{bQNMji zU7aE`?dHyx=1`kOYZo_8U7?3-7vHOp`Qe%Z*i+FX!s?6huNp0iCEW-Z7E&jRWmUW_ z67j>)Ew!yq)hhG4o?^z}HWH-e=es#xJUhDRc4B51M4~E-l5VZ!&zQq`gWe`?}#b~7w1LH4Xa-UCT5LXkXQWheBa2YJYbyQ zl1pXR%b(KCXMO0OsXgl0P0Og<{(@&z1aokU-Pq`eQq*JYgt8xdFQ6S z6Z3IFSua8W&M#`~*L#r>Jfd6*BzJ?JFdBR#bDv$_0N!_5vnmo@!>vULcDm`MFU823 zpG9pqjqz^FE5zMDoGqhs5OMmC{Y3iVcl>F}5Rs24Y5B^mYQ;1T&ks@pIApHOdrzXF z-SdX}Hf{X;TaSxG_T$0~#RhqKISGKNK47}0*x&nRIPtmdwxc&QT3$8&!3fWu1eZ_P zJveQj^hJL#Sn!*4k`3}(d(aasl&7G0j0-*_2xtAnoX1@9+h zO#c>YQg60Z;o{Bi=3i7S`Ic+ZE>K{(u|#)9y}q*j8uKQ1^>+(BI}m%1v3$=4ojGBc zm+o1*!T&b}-lVvZqIUBc8V}QyFEgm#oyIuC{8WqUNV{Toz`oxhYpP!_p2oHHh5P@iB*NVo~2=GQm+8Yrkm2Xjc_VyHg1c0>+o~@>*Qzo zHVBJS>$$}$_4EniTI;b1WShX<5-p#TPB&!;lP!lBVBbLOOxh6FuYloD%m;n{r|;MU3!q4AVkua~fieeWu2 zQAQ$ue(IklX6+V;F1vCu-&V?I3d42FgWgsb_e^29ol}HYft?{SLf>DrmOp9o!t>I^ zY7fBCk+E8n_|apgM|-;^=#B?6RnFKlN`oR)`e$+;D=yO-(U^jV;rft^G_zl`n7qnM zL z*-Y4Phq+ZI1$j$F-f;`CD#|`-T~OM5Q>x}a>B~Gb3-+9i>Lfr|Ca6S^8g*{*?_5!x zH_N!SoRP=gX1?)q%>QTY!r77e2j9W(I!uAz{T`NdNmPBBUzi2{`XMB^zJGGwFWeA9 z{fk33#*9SO0)DjROug+(M)I-pKA!CX;IY(#gE!UxXVsa)X!UftIN98{pt#4MJHOhY 
zM$_l}-TJlxY?LS6Nuz1T<44m<4i^8k@D$zuCPrkmz@sdv+{ciyFJG2Zwy&%c7;atIeTdh!a(R^QXnu1Oq1b42*OQFWnyQ zWeQrdvP|w_idy53Wa<{QH^lFmEd+VlJkyiC>6B#s)F;w-{c;aKIm;Kp50HnA-o3lY z9B~F$gJ@yYE#g#X&3ADx&tO+P_@mnQTz9gv30_sTsaGXkfNYXY{$(>*PEN3QL>I!k zp)KibPhrfX3%Z$H6SY`rXGYS~143wZrG2;=FLj50+VM6soI~up_>fU(2Wl@{BRsMi zO%sL3x?2l1cXTF)k&moNsHfQrQ+wu(gBt{sk#CU=UhrvJIncy@tJX5klLjgMn>~h= zg|FR&;@eh|C7`>s_9c~0-{IAPV){l|Ts`i=)AW;d9&KPc3fMeoTS%8@V~D8*h;&(^>yjT84MM}=%#LS7shLAuuj(0VAYoozhWjq z4LEr?wUe2^WGwdTIgWBkDUJa>YP@5d9^Rs$kCXmMRxuF*YMVrn?0NFyPl}>`&dqZb z<5eqR=ZG3>n2{6v6BvJ`YBZeeTtB88TAY(x0a58EWyuf>+^|x8Qa6wA|1Nb_p|nA zWWa}|z8a)--Wj`LqyFk_a3gN2>5{Rl_wbW?#by7&i*^hRknK%jwIH6=dQ8*-_{*x0j^DUfMX0`|K@6C<|1cgZ~D(e5vBFFm;HTZF(!vT8=T$K+|F)x3kqzBV4-=p1V(lzi(s7jdu0>LD#N=$Lk#3HkG!a zIF<7>%B7sRNzJ66KrFV76J<2bdYhxll0y2^_rdG=I%AgW4~)1Nvz=$1UkE^J%BxLo z+lUci`UcU062os*=`-j4IfSQA{w@y|3}Vk?i;&SSdh8n+$iHA#%ERL{;EpXl6u&8@ zzg}?hkEOUOJt?ZL=pWZFJ19mI1@P=$U5*Im1e_8Z${JsM>Ov?nh8Z zP5QvI!{Jy@&BP48%P2{Jr_VgzW;P@7)M9n|lDT|Ep#}7C$&ud&6>C^5ZiwKIg2McPU(4jhM!BD@@L(Gd*Nu$ji(ljZ<{FIeW_1Mmf;76{LU z-ywN~=uNN)Xi6$<12A9y)K%X|(W0p|&>>4OXB?IiYr||WKDOJPxiSe01NSV-h24^L z_>m$;|C+q!Mj**-qQ$L-*++en(g|hw;M!^%_h-iDjFHLo-n3JpB;p?+o2;`*jpvJU zLY^lt)Un4joij^^)O(CKs@7E%*!w>!HA4Q?0}oBJ7Nr8NQ7QmY^4~jvf0-`%waOLn zdNjAPaC0_7c|RVhw)+71NWjRi!y>C+Bl;Z`NiL^zn2*0kmj5gyhCLCxts*cWCdRI| zjsd=sT5BVJc^$GxP~YF$-U{-?kW6r@^vHXB%{CqYzU@1>dzf#3SYedJG-Rm6^RB7s zGM5PR(yKPKR)>?~vpUIeTP7A1sc8-knnJk*9)3t^e%izbdm>Y=W{$wm(cy1RB-19i za#828DMBY+ps#7Y8^6t)=Ea@%Nkt)O6JCx|ybC;Ap}Z@Zw~*}3P>MZLPb4Enxz9Wf zssobT^(R@KuShj8>@!1M7tm|2%-pYYDxz-5`rCbaTCG5{;Uxm z*g=+H1X8{NUvFGzz~wXa%Eo};I;~`37*WrRU&K0dPSB$yk(Z*@K&+mFal^?c zurbqB-+|Kb5|sznT;?Pj!+kgFY1#Dr;_%A(GIQC{3ct|{*Bji%FNa6c-thbpBkA;U zURV!Dr&X{0J}iht#-Qp2=xzuh(fM>zRoiGrYl5ttw2#r34gC41CCOC31m~^UPTK@s z6;A@)7O7_%C)>bnAXerYuAHdE93>j2N}H${zEc6&SbZ|-fiG*-qtGuy-qDelH(|u$ zorf8_T6Zqe#Ub!+e3oSyrskt_HyW_^5lrWt#30l)tHk|j$@YyEkXUOV;6B51L;M@=NIWZXU;GrAa(LGxO%|im%7F<-6N;en0Cr zLH>l*y?pMwt`1*cH~LdBPFY_l;~`N!Clyfr;7w<^X;&(ZiVdF1S5e(+Q%60zgh)s4 
zn2yj$+mE=miVERP(g8}G4<85^-5f@qxh2ec?n+$A_`?qN=iyT1?U@t?V6DM~BIlBB z>u~eXm-aE>R0sQy!-I4xtCNi!!qh?R1!kKf6BoH2GG{L4%PAz0{Sh6xpuyI%*~u)s z%rLuFl)uQUCBQAtMyN;%)zFMx4loh7uTfKeB2Xif`lN?2gq6NhWhfz0u5WP9J>=V2 zo{mLtSy&BA!mSzs&CrKWq^y40JF5a&GSXIi2= z{EYb59J4}VwikL4P=>+mc6{($FNE@e=VUwG+KV21;<@lrN`mnz5jYGASyvz7BOG_6(p^eTxD-4O#lROgon;R35=|nj#eHIfJBYPWG>H>`dHKCDZ3`R{-?HO0mE~(5_WYcFmp8sU?wr*UkAQiNDGc6T zA%}GOLXlOWqL?WwfHO8MB#8M8*~Y*gz;1rWWoVSXP&IbKxbQ8+s%4Jnt?kDsq7btI zCDr0PZ)b;B%!lu&CT#RJzm{l{2fq|BcY85`w~3LSK<><@(2EdzFLt9Y_`;WXL6x`0 zDoQ?=?I@Hbr;*VVll1Gmd8*%tiXggMK81a+T(5Gx6;eNb8=uYn z5BG-0g>pP21NPn>$ntBh>`*})Fl|38oC^9Qz>~MAazH%3Q~Qb!ALMf$srexgPZ2@&c~+hxRi1;}+)-06)!#Mq<6GhP z-Q?qmgo${aFBApb5p}$1OJKTClfi8%PpnczyVKkoHw7Ml9e7ikrF0d~UB}i3vizos zXW4DN$SiEV9{faLt5bHy2a>33K%7Td-n5C*N;f&ZqAg#2hIqEb(y<&f4u5BWJ>2^4 z414GosL=Aom#m&=x_v<0-fp1r%oVJ{T-(xnomNJ(Dryv zh?vj+%=II_nV+@NR+(!fZZVM&(W6{6%9cm+o+Z6}KqzLw{(>E86uA1`_K$HqINlb1 zKelh3-jr2I9V?ych`{hta9wQ2c9=MM`2cC{m6^MhlL2{DLv7C^j z$xXBCnDl_;l|bPGMX@*tV)B!c|4oZyftUlP*?$YU9C_eAsuVHJ58?)zpbr30P*C`T z7y#ao`uE-SOG(Pi+`$=e^mle~)pRrdwL5)N;o{gpW21of(QE#U6w%*C~`v-z0QqBML!!5EeYA5IQB0 z^l01c;L6E(iytN!LhL}wfwP7W9PNAkb+)Cst?qg#$n;z41O4&v+8-zPs+XNb-q zIeeBCh#ivnFLUCwfS;p{LC0O7tm+Sf9Jn)~b%uwP{%69;QC)Ok0t%*a5M+=;y8j=v z#!*pp$9@!x;UMIs4~hP#pnfVc!%-D<+wsG@R2+J&%73lK|2G!EQC)O05TCV=&3g)C!lT=czLpZ@Sa%TYuoE?v8T8`V;e$#Zf2_Nj6nvBgh1)2 GZ~q4|mN%#X literal 0 HcmV?d00001 diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..df97d72 --- /dev/null +++ b/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..f5feea6 --- /dev/null +++ b/gradlew 
@@ -0,0 +1,252 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..9d21a21 --- /dev/null +++ b/gradlew.bat 
@@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 
1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/settings.gradle b/settings.gradle new file mode 100644 index 0000000..6e5c1a8 --- /dev/null +++ b/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'rtp-activator' diff --git a/src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java b/src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java new file mode 100644 index 0000000..d258f9d --- /dev/null +++ b/src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java @@ -0,0 +1,13 @@ +package it.gov.pagopa.rtp.activator; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class RtpActivatorApplication { + + public static void main(String[] args) { + SpringApplication.run(RtpActivatorApplication.class, args); + } + +} 
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
new file mode 100644
index 0000000..cc8af0e
--- /dev/null
+++ b/src/main/resources/application.properties
@@ -0,0 +1 @@
+spring.application.name=rtp-activator
diff --git a/src/test/java/it/gov/pagopa/rtp/activator/RtpActivatorApplicationTests.java b/src/test/java/it/gov/pagopa/rtp/activator/RtpActivatorApplicationTests.java
new file mode 100644
index 0000000..3d0b211
--- /dev/null
+++ b/src/test/java/it/gov/pagopa/rtp/activator/RtpActivatorApplicationTests.java
@@ -0,0 +1,13 @@
+package it.gov.pagopa.rtp.activator;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class RtpActivatorApplicationTests {
+
+ @Test
+ void contextLoads() {
+ }
+
+}
From 12f7bc615bf47c7dfbf7583f7dc3bdbe8b662406 Mon Sep 17 00:00:00 2001
From: Andrea Morabito
Date: Wed, 13 Nov 2024 10:01:36 +0100
Subject: [PATCH 02/17] add codeowners
---
 CODEOWNERS | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 CODEOWNERS
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..486d887
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,3 @@
+# see https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file
+
+* @pagopa/rtp-team-admin @pagopa/rtp-team
\ No newline at end of file
From 48c526b6c5d135d65f6cbc917d4fe747378e3c06 Mon Sep 17 00:00:00 2001
From: Andrea Morabito
Date: Wed, 13 Nov 2024 13:43:56 +0100
Subject: [PATCH 03/17] add dockerfile
---
 build.gradle | 2 +-
 gradle.properties | 1 +
 src/main/docker/Dockerfile | 20 ++++++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 gradle.properties
 create mode 100644 src/main/docker/Dockerfile
diff --git a/build.gradle b/build.gradle
index 5e4d7e7..90c9256 100644
--- a/build.gradle
+++ b/build.gradle
@@ -6,7 +6,7 @@ plugins { } group = 'it.gov.pagopa' -version = '0.0.1-SNAPSHOT' +version = project.version java { toolchain { diff --git a/gradle.properties b/gradle.properties new file mode 100644 index 0000000..16a4327 --- /dev/null +++ b/gradle.properties @@ -0,0 +1 @@ +version = '0.0.1' \ No newline at end of file diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile new file mode 100644 index 0000000..b22eb93 --- /dev/null +++ b/src/main/docker/Dockerfile @@ -0,0 +1,20 @@ +FROM ghcr.io/graalvm/graalvm-community:21.0.2-ol9-20240116@sha256:6e46c711c90bdbc24e23ccdb6e3fba837d660e68dd4ffeb87abbd3d08e115653 AS builder + +WORKDIR /build +COPY . . + +RUN chmod +x ./gradlew && ./gradlew :nativeCompile + +FROM ubuntu:noble-20241011@sha256:99c35190e22d294cdace2783ac55effc69d32896daaa265f0bbedbcde4fbe3e5 AS cve +COPY --from=builder /build/target/rtd-ms-file-register*.jar . + +FROM ubuntu:noble-20241011@sha256:99c35190e22d294cdace2783ac55effc69d32896daaa265f0bbedbcde4fbe3e5 AS runtime + +EXPOSE 8080 + +RUN useradd --uid 10000 runner +USER 10000 + +COPY --from=builder /build/target/rtd-ms-file-register . + +ENTRYPOINT ["./rtd-ms-file-register"] \ No newline at end of file From 46c97c00b4eeb52b178b58567ff57bc5444b86ff Mon Sep 17 00:00:00 2001 From: Andrea Morabito Date: Wed, 13 Nov 2024 13:44:09 +0100 Subject: [PATCH 04/17] add CI CD --- .github/workflows/build-n-push-main.yml | 88 ++++++++ .github/workflows/post-merge.yml | 266 ++++++++++++++++++++++++ .github/workflows/pr-validation.yml | 25 +++ 3 files changed, 379 insertions(+) create mode 100644 .github/workflows/build-n-push-main.yml create mode 100644 .github/workflows/post-merge.yml create mode 100644 .github/workflows/pr-validation.yml diff --git a/.github/workflows/build-n-push-main.yml b/.github/workflows/build-n-push-main.yml new file mode 100644 index 0000000..4514eaf --- /dev/null +++ b/.github/workflows/build-n-push-main.yml 
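Review bot: In `gradle.properties` values are read literally, so `version = '0.0.1'` makes the project version the string `'0.0.1'` with the quotes included, and that string then flows into artifact names and any tag derived from it. Write `version=0.0.1` instead. The `sed -i -e "s/version=.*/…/g" gradle.properties` step in `post-merge.yml` later in this series matches only the form without spaces around `=`, so it would not rewrite the line as committed here. In `build.gradle`, `version = project.version` assigns the property to itself and can be dropped, since Gradle already applies `version` from `gradle.properties`.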
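Review bot: Both `COPY --from=builder` lines read `/build/target/rtd-ms-file-register…`, but the builder stage runs `./gradlew :nativeCompile` for a project that `settings.gradle` names `rtp-activator`, and Gradle writes under `build/`, not `target/`, so the `cve` and `runtime` stages would have nothing to copy. Point them at the executable the build actually produces: with the GraalVM native build tools defaults that would be `COPY --from=builder /build/build/native/nativeCompile/rtp-activator .` and `ENTRYPOINT ["./rtp-activator"]`, to be confirmed against `build.gradle`, which is not visible here. `COPY . .` also places the whole build context, including `.git` and any local environment files, in the builder layer; a `.dockerignore` keeps that out. The digest-pinned base images and the non-root `USER 10000` are good and should stay.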
@@ -0,0 +1,88 @@
+name: Build, push and update
+
+on:
+ workflow_dispatch:
+ inputs:
+ skip-unit-test:
+ type: boolean
+ required: true
+ description: Skip unit-test
+
+jobs:
+ build_push_update:
+ runs-on: ubuntu-latest
+
+ permissions:
+ id-token: write
+ packages: write
+ contents: write
+
+ steps:
+ #
+ # Checkout the source code.
+ #
+ - name: Checkout the source code
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+ with:
+ token: ${{ secrets.GIT_PAT }}
+ fetch-depth: 0
+
+ #
+ # Setup JDK. todo
+ #
+ - name: Setup JDK
+ uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2
+ with:
+ distribution: "jdkfile"
+ jdkFile: "${{ runner.temp }}/jdk_setup.tar.gz"
+ java-version: "21"
+ cache: maven
+
+ #
+ # Build native executable. todo skip test
+ #
+ - name: Build native executable
+# run: ${{ runner.temp }}/maven/bin/mvn clean package -Pnative -Dmaven.test.skip=${{ github.event.inputs.skip-unit-test }} -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image@sha256:05baf3fd2173f6f25ad35216b6b066c35fbfb97f06daba75efb5b22bc0a85b9c -s ${{ runner.temp }}/settings.xml --no-transfer-progress
+ run: ./gradlew nativeCompile
+
+ #
+ # Build Docker image. todo replace da build and push docker
+ #
+ - name: Build Docker image
+ run: |
+ BRANCH_NAME="${GITHUB_REF////_}"
+ docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:$BRANCH_NAME .
+
+ #
+ # Push Docker image. todo replace da build and push docker
+ #
+ - name: Push Docker image
+ run: |
+ echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+ docker push -a ghcr.io/${{ github.repository }}
+
+ #
+ # Get Docker image with sha256. todo remove, prendere output da action precedente
+ #
+ - name: Get Docker image with sha256
+ run: echo "image_sha256=$(docker image inspect -f '{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}:$BRANCH_NAME)" >> "$GITHUB_ENV"
+
+ #
+ # Login to Azure.
+ #
+ - name: Login to Azure
+ uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ #
+ # Update Container App.
+ #
+ - name: Update Container App
+ uses: azure/CLI@fa0f960f00db49b95fdb54328a767aee31e80105
+ with:
+ inlineScript: |
+ az config set extension.use_dynamic_install=yes_without_prompt
+ az containerapp update -n ${{ secrets.AZURE_CONTAINER_APP_NAME }} -g ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} -i ${{ env.image_sha256 }}
\ No newline at end of file
diff --git a/.github/workflows/post-merge.yml b/.github/workflows/post-merge.yml
new file mode 100644
index 0000000..7c675d9
--- /dev/null
+++ b/.github/workflows/post-merge.yml
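Review bot: The checkout step passes `token: ${{ secrets.GIT_PAT }}` and leaves it persisted in the local git config while `./gradlew nativeCompile` and `docker build` run, although nothing in this job pushes commits; drop the `token:` line or add `persist-credentials: false`, and reduce `contents: write` to `contents: read`. `BRANCH_NAME` is a shell variable set inside the "Build Docker image" step, so it is empty in the later "Get Docker image with sha256" step and `image_sha256` will not resolve to the image that was built; export it once with `echo "BRANCH_NAME=${GITHUB_REF////_}" >> "$GITHUB_ENV"`. The build also points at `src/main/docker/Dockerfile.native-micro`, while this series adds only `src/main/docker/Dockerfile`. `setup-java` is given `distribution: "jdkfile"` with a `jdkFile` that no step downloads, and `cache: maven` on a Gradle project.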
@@ -0,0 +1,266 @@ +name: Post-merge/release workflow + +on: + workflow_dispatch: + pull_request: + types: + - closed + branches: + - main + +jobs: + post_merge: + if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' + + runs-on: ubuntu-22.04 + + environment: cstar-d-rtp + + permissions: + id-token: write # Get OIDC token to authenticate to Azure. + packages: write # Push container imaged to GHCR. + contents: write # Create a new release. + + outputs: + new_release_published: ${{ steps.semantic.outputs.new_release_published }} + image: ${{ steps.stable_image.outputs.image }} + + steps: + # + # Checkout the source code. + # + - name: Checkout the source code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + with: + token: ${{ secrets.GIT_PAT }} + fetch-depth: 0 + + # + # Install Node. + # + - name: Install Node + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + with: + node-version: "20.18.0" + + # + # Calculate of the new version (dry-run). + # + - name: Calculate of the new version (dry-run) + uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # 4.1.1 + id: semantic + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + semantic_version: 21.1.1 + branch: main + extra_plugins: | + @semantic-release/release-notes-generator@14.0.1 # 44c780c6f9c1bf2643fe48b6718bd9a84b820132 + @semantic-release/git@10.0.1 # 3e934d45f97fd07a63617c0fc098c9ed3e67d97a + dry_run: true + + # + # Setup Java + # + - name: Setup Java + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 + with: + distribution: ‘corretto’ + java-version: ‘21’ + cache: ‘gradle’ + + # + # RELEASE CANDIDATE - Update of pom.xml and openapi.yaml with the RC new version. 
+ # + - name: RELEASE CANDIDATE - Update of pom.xml and openapi.yaml with the new version + if: steps.semantic.outputs.new_release_published == 'true' + run: | + yq -i ".info.version = \"${{ steps.semantic.outputs.new_release_version }}-RC\"" "src/main/resources/META-INF/openapi.yaml" + sed -i -e "s/version=.*/version=${{ steps.semantic.outputs.new_release_version }}-RC/g" gradle.properties + +# todo sonar + # + # RELEASE CANDIDATE - Build and push native container image. + # + - name: Log in to the Container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: https://ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + + - name: Build the app image + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 + with: + push: true + context: . + file: src/main/docker/Dockerfile + platforms: linux/amd64 + tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC + secrets: | + "gh_token=${{ secrets.GIT_PAT }}" + + # + # Setup Terraform + # + - name: Setup Terraform + if: steps.semantic.outputs.new_release_published == 'true' + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 + with: + terraform_version: 1.9.7 + + # + # RELEASE CANDIDATE - Update Container App. 
+ # + - name: RELEASE CANDIDATE - Update Container App + if: steps.semantic.outputs.new_release_published == 'true' + shell: bash + working-directory: src/main/terraform + env: + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" + run: | + terraform init -backend-config="env/dev-cd/backend.tfvars" -reconfigure + terraform apply -var-file="env/dev-cd/terraform.tfvars" -var="rtp_activator_image=${{ steps.rc_image.outputs.image }}" -auto-approve -lock-timeout=300s + + # + # Install Newman. + # + - name: Install Newman + if: steps.semantic.outputs.new_release_published == 'true' + run: npm install -g newman + + # + # Run Postman collection. + # + - name: Run Postman collection + if: steps.semantic.outputs.new_release_published == 'true' + run: | + newman run src/test/postman/mil-auth.postman_collection.json \ + -e src/test/postman/dev.postman_environment.json \ + --env-var "correctPassword=${{ secrets.NEWMAN_IT__CORRECTPASSWORD }}" \ + --env-var "correctClientSecret=${{ secrets.NEWMAN_IT__CORRECTCLIENTSECRET }}" \ + --env-var "correctClientSecretForVasLayer=${{ secrets.NEWMAN_IT__CORRECTCLIENTSECRETFORVASLAYER }}" \ + --env-var "clientSecretForMilDebtPosition=${{ secrets.NEWMAN_IT__CLIENTSECRETFORMILDEBTPOSITION }}" + + # + # STABLE - Update of pom.xml and openapi.yaml with the new version. 
+ # + - name: STABLE - Update of pom.xml and openapi.yaml with the new version + if: steps.semantic.outputs.new_release_published == 'true' + run: | + ${{ runner.temp }}/maven/bin/mvn versions:set -DnewVersion=${{ steps.semantic.outputs.new_release_version }} -s ${{ runner.temp }}/settings.xml --no-transfer-progress + yq -i ".info.version = \"${{ steps.semantic.outputs.new_release_version }}\"" "src/main/resources/META-INF/openapi.yaml" + git config user.name "GitHub Workflow" + git config user.email "<>" + git add pom.xml + git add src/main/resources/META-INF/openapi.yaml + git commit -m "Updated with new version ${{ steps.semantic.outputs.new_release_version }}" + git push origin main + + # + # Calculation of the new version (again) with tagging + releasing + etc. + # + - name: Calculation of the new version (w/o dry_run) and put tag + if: steps.semantic.outputs.new_release_published == 'true' + uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # 4.1.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + semantic_version: 21.1.1 + branch: main + extra_plugins: | + @semantic-release/release-notes-generator@14.0.1 # 44c780c6f9c1bf2643fe48b6718bd9a84b820132 + @semantic-release/git@10.0.1 # 3e934d45f97fd07a63617c0fc098c9ed3e67d97a + dry_run: false + + # + # STABLE - Build and push native container image. + # + - name: Log in to the Container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: https://ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + + - name: Build the app image + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 + with: + push: true + context: . 
+ file: src/main/docker/Dockerfile + platforms: linux/amd64 + tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC + secrets: | + "gh_token=${{ secrets.GIT_PAT }}" + + # + # STABLE - Update Container App. + # + - name: STABLE - Update Container App + if: steps.semantic.outputs.new_release_published == 'true' + shell: bash + working-directory: src/main/terraform + env: + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" + run: | + terraform init -backend-config="env/dev-cd/backend.tfvars" -reconfigure + terraform apply -var-file="env/dev-cd/terraform.tfvars" -var="rtp_activator_image=${{ steps.stable_image.outputs.image }}" -auto-approve -lock-timeout=300s + + + uat_deployment: + needs: post_merge + + if: needs.post_merge.outputs.new_release_published == 'true' + + runs-on: ubuntu-22.04 + + environment: cstar-u-rtp + + permissions: + id-token: write + + steps: + # + # Checkout the source code. + # + - name: Checkout the source code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + + # + # Setup Terraform + # + - name: Setup Terraform + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 + with: + terraform_version: 1.9.7 + + # + # Update Container App. + # + - name: STABLE - Update Container App + shell: bash + working-directory: src/main/terraform + env: + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" + run: | + terraform init -backend-config="env/uat-cd/backend.tfvars" -reconfigure + terraform apply -var-file="env/uat-cd/terraform.tfvars" -var="rtp_activator_image=${{ needs.post_merge.outputs.image }}" -auto-approve -lock-timeout=300s \ No newline at end of file 
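Review bot: Both `terraform apply` steps take the image from `steps.rc_image.outputs.image` / `steps.stable_image.outputs.image`, and the job output `image` consumed by `uat_deployment` does too, but no step in the hunk carries either `id`, so the expressions evaluate to an empty string and the deployment is not tied to the image that was just built. Give the build step an `id` and deploy by the pushed digest, as sketched below (the RC build needs the same treatment). The two "Build the app image" steps also lack the `if: steps.semantic.outputs.new_release_published == 'true'` guard, the STABLE one still tags `…-RC`, and both pass `gh_token=${{ secrets.GIT_PAT }}` as a build secret that the Dockerfile in this series never mounts, so it can be removed. In "Setup Java" the values are wrapped in typographic quotes (`‘corretto’`), which YAML keeps as part of the string; use plain `'corretto'`, `'21'` and `'gradle'`.

```yaml
      - name: Build the app image
        id: stable_build
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        # … unchanged: with: push, context, file, platforms, tags …

      - name: Resolve pushed image by digest
        id: stable_image
        env:
          IMAGE_DIGEST: ${{ steps.stable_build.outputs.digest }}
        run: echo "image=ghcr.io/${GITHUB_REPOSITORY}@${IMAGE_DIGEST}" >> "$GITHUB_OUTPUT"
```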
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
new file mode 100644
index 0000000..c8d8317
--- /dev/null
+++ b/.github/workflows/pr-validation.yml
@@ -0,0 +1,25 @@
+name: Pull request validation
+
+on:
+ pull_request:
+ branches:
+ - main
+ types:
+ - opened
+ - edited
+ - synchronize
+
+jobs:
+ pr-validation:
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: Checkout the source code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+
+ - name: PR validation
+ uses: pagopa/mil-actions/pr-validation@63477e234c35c65476a37982635cd524aa71193c # 1.1.3
+ with:
+ gh_user: ${{ secrets.GIT_USER }}
+ gh_token: ${{ secrets.GIT_PAT }}
+ sonar_token: ${{ secrets.SONAR_TOKEN }}
From 9c75365b742335de6c40be7545ec5f382499aa58 Mon Sep 17 00:00:00 2001
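Review bot: The `pr-validation` job declares no `permissions:` block, so its `GITHUB_TOKEN` runs with the repository's default scopes while the job also hands `GIT_PAT` and `SONAR_TOKEN` to an external action. Adding `permissions:` with `contents: read` under the job, widened only if `pagopa/mil-actions/pr-validation` turns out to need more, keeps the token at least privilege. The checkout step could also set `persist-credentials: false` so the token is not left in the local git config for the following step. Both actions are already pinned to a commit SHA, which should be kept when they are upgraded.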
From: Andrea Morabito Date: Wed, 13 Nov 2024 13:44:23 +0100 Subject: [PATCH 05/17] add terraform script to deploy --- src/main/terraform/container_app.tf | 60 +++++ src/main/terraform/data.tf | 7 + .../terraform/env/cstar-d-rtp/backend.ini | 1 + .../terraform/env/cstar-d-rtp/backend.tfvars | 4 + .../env/cstar-d-rtp/terraform.tfvars | 40 ++++ .../terraform/env/cstar-p-rtp/backend.ini | 1 + .../terraform/env/cstar-p-rtp/backend.tfvars | 4 + .../env/cstar-p-rtp/terraform.tfvars | 41 ++++ .../terraform/env/cstar-u-rtp/backend.ini | 1 + .../terraform/env/cstar-u-rtp/backend.tfvars | 4 + .../env/cstar-u-rtp/terraform.tfvars | 41 ++++ src/main/terraform/locals.tf | 6 + src/main/terraform/main.tf | 30 +++ src/main/terraform/terraform.sh | 42 ++++ src/main/terraform/variables.tf | 226 ++++++++++++++++++ 15 files changed, 508 insertions(+) create mode 100644 src/main/terraform/container_app.tf create mode 100644 src/main/terraform/data.tf create mode 100644 src/main/terraform/env/cstar-d-rtp/backend.ini create mode 100644 src/main/terraform/env/cstar-d-rtp/backend.tfvars create mode 100644 src/main/terraform/env/cstar-d-rtp/terraform.tfvars create mode 100644 src/main/terraform/env/cstar-p-rtp/backend.ini create mode 100644 src/main/terraform/env/cstar-p-rtp/backend.tfvars create mode 100644 src/main/terraform/env/cstar-p-rtp/terraform.tfvars create mode 100644 src/main/terraform/env/cstar-u-rtp/backend.ini create mode 100644 src/main/terraform/env/cstar-u-rtp/backend.tfvars create mode 100644 src/main/terraform/env/cstar-u-rtp/terraform.tfvars create mode 100644 src/main/terraform/locals.tf create mode 100644 src/main/terraform/main.tf create mode 100755 src/main/terraform/terraform.sh create mode 100644 src/main/terraform/variables.tf diff --git a/src/main/terraform/container_app.tf b/src/main/terraform/container_app.tf new file mode 100644 index 0000000..d254243 --- /dev/null +++ b/src/main/terraform/container_app.tf 
@@ -0,0 +1,60 @@
+# ------------------------------------------------------------------------------
+# Container app.
+# ------------------------------------------------------------------------------
+resource "azurerm_container_app" "rtp-activator" {
+ name = "${local.project}-auth-ca"
+ container_app_environment_id = data.azurerm_container_app_environment.rtp-cae.id
+ resource_group_name = data.azurerm_container_app_environment.rtp-cae.resource_group_name
+ revision_mode = "Single"
+
+ template {
+ container {
+ name = "rtp-activator"
+ image = var.mil_auth_image
+ cpu = var.mil_auth_cpu
+ memory = var.mil_auth_memory
+
+ env {
+ name = "TZ"
+ value = "Europe/Rome"
+ }
+
+ env {
+ name = "auth.app-log-level"
+ value = var.mil_auth_app_log_level
+ }
+
+ env {
+ name = "IDENTITY_CLIENT_ID"
+ secret_name = "identity-client-id"
+ }
+ }
+
+ max_replicas = var.mil_auth_max_replicas
+ min_replicas = var.mil_auth_min_replicas
+ }
+
+ secret {
+ name = "identity-client-id"
+ value = "${data.azurerm_user_assigned_identity.auth.client_id}"
+ }
+
+ identity {
+ type = "UserAssigned"
+ identity_ids = [data.azurerm_user_assigned_identity.auth.id]
+ }
+
+ ingress {
+ external_enabled = true
+ target_port = 8080
+ transport = "http"
+
+ traffic_weight {
+ latest_revision = true
+ percentage = 100
+ #revision_suffix = formatdate("YYYYMMDDhhmmssZZZZ", timestamp())
+ }
+ }
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/src/main/terraform/data.tf b/src/main/terraform/data.tf
new file mode 100644
index 0000000..1a64620
--- /dev/null
+++ b/src/main/terraform/data.tf
@@ -0,0 +1,7 @@
+# ------------------------------------------------------------------------------
+# Container Apps Environment.
+# ------------------------------------------------------------------------------
+data "azurerm_container_app_environment" "rtp-cae" {
+ name = var.cae_name
+ resource_group_name = var.cae_resource_group_name
+}
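Review bot: The `ingress` block in `container_app.tf` sets `external_enabled = true` with no `ip_security_restriction`, so the app accepts traffic from outside the Container Apps environment. If it is meant to be reached only through the API gateway (the tfvars point `rtp_activator_base_url` at an APIM host, so this is presumably the case), `external_enabled = false` or an allow-list for the gateway address would narrow the exposure. Separately, `data.azurerm_user_assigned_identity.auth` is referenced in the `secret` and `identity` blocks, but the `data.tf` added in this commit declares only the `rtp-cae` data source, so `terraform validate` would reject the configuration as it stands.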
diff --git a/src/main/terraform/env/cstar-d-rtp/backend.ini b/src/main/terraform/env/cstar-d-rtp/backend.ini
new file mode 100644
index 0000000..5d2d018
--- /dev/null
+++ b/src/main/terraform/env/cstar-d-rtp/backend.ini
@@ -0,0 +1 @@
+subscription=DEV-CSTAR
\ No newline at end of file
diff --git a/src/main/terraform/env/cstar-d-rtp/backend.tfvars b/src/main/terraform/env/cstar-d-rtp/backend.tfvars
new file mode 100644
index 0000000..2c9b70d
--- /dev/null
+++ b/src/main/terraform/env/cstar-d-rtp/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappdevcstar"
+container_name = "terraform-state"
+key = "rtp-activator.tfstate"
\ No newline at end of file
diff --git a/src/main/terraform/env/cstar-d-rtp/terraform.tfvars b/src/main/terraform/env/cstar-d-rtp/terraform.tfvars
new file mode 100644
index 0000000..9d95851
--- /dev/null
+++ b/src/main/terraform/env/cstar-d-rtp/terraform.tfvars
@@ -0,0 +1,40 @@
+# ------------------------------------------------------------------------------
+# General variables.
+# ------------------------------------------------------------------------------
+prefix = "cstar"
+env_short = "d"
+env = "dev"
+location = "westeurope" # this will be "italynorth"
+location_short = "weu" # this will be "itn"
+domain = "rtp"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "dev"
+ Owner = "cstar"
+ Source = "https://github.com/pagopa/rtp-activator/tree/main/src/main/terraform"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+ Domain = "rtp"
+}
+
+# ------------------------------------------------------------------------------
+# External resources.
+# ------------------------------------------------------------------------------
+cae_name = "cstar-d-tier-0-cae"
+cae_resource_group_name = "cstar-d-tier-0-app-rg"
+
+# ------------------------------------------------------------------------------
+# Names of key vault secrets.
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Configuration of the microservice.
+# ------------------------------------------------------------------------------
+rtp_activator_app_log_level = "DEBUG"
+rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest"
+rtp_activator_cpu = 0.1
+rtp_activator_memory = "300Mi"
+rtp_activator_max_replicas = 5
+rtp_activator_min_replicas = 1
+rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp-activator"
\ No newline at end of file
diff --git a/src/main/terraform/env/cstar-p-rtp/backend.ini b/src/main/terraform/env/cstar-p-rtp/backend.ini
new file mode 100644
index 0000000..18b0a97
--- /dev/null
+++ b/src/main/terraform/env/cstar-p-rtp/backend.ini
@@ -0,0 +1 @@
+subscription=PROD-CSTAR
\ No newline at end of file
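Review bot: `rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest"` is a mutable tag, so an apply that uses this file's value deploys whatever was pushed last and the Terraform state does not record which build is running. Referencing the image by digest (`ghcr.io/pagopa/rtp-activator@sha256:<digest>`) or by the release version tag makes the deployment reproducible and auditable. The same line appears in the prod and uat `terraform.tfvars` hunks. The workflows visible on this page override the variable with `-var="rtp_activator_image=..."`, so this mainly affects runs made through `terraform.sh`.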
diff --git a/src/main/terraform/env/cstar-p-rtp/backend.tfvars b/src/main/terraform/env/cstar-p-rtp/backend.tfvars
new file mode 100644
index 0000000..17e13ee
--- /dev/null
+++ b/src/main/terraform/env/cstar-p-rtp/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappprodcstar"
+container_name = "terraform-state"
+key = "rtp-activator.tfstate"
\ No newline at end of file
diff --git a/src/main/terraform/env/cstar-p-rtp/terraform.tfvars b/src/main/terraform/env/cstar-p-rtp/terraform.tfvars
new file mode 100644
index 0000000..cee307d
--- /dev/null
+++ b/src/main/terraform/env/cstar-p-rtp/terraform.tfvars
@@ -0,0 +1,41 @@
+# ------------------------------------------------------------------------------
+# General variables.
+# ------------------------------------------------------------------------------
+prefix = "cstar"
+env_short = "p"
+env = "prod"
+location = "westeurope" # this will be "italynorth"
+location_short = "weu" # this will be "itn"
+domain = "rtp"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "prod"
+ Owner = "cstar"
+ Source = "https://github.com/pagopa/rtp_activator/tree/main/src/main/terraform"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+ Domain = "rtp"
+}
+
+# ------------------------------------------------------------------------------
+# External resources.
+# ------------------------------------------------------------------------------
+cae_name = "cstar-p-rtp-cae"
+cae_resource_group_name = "cstar-p-rtp-app-rg"
+
+
+# ------------------------------------------------------------------------------
+# Names of key vault secrets.
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Configuration of the microservice.
+# ------------------------------------------------------------------------------
+rtp_activator_app_log_level = "DEBUG"
+rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest"
+rtp_activator_cpu = 0.1
+rtp_activator_memory = "300Mi"
+rtp_activator_max_replicas = 5
+rtp_activator_min_replicas = 1
+rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp_activator"
\ No newline at end of file
diff --git a/src/main/terraform/env/cstar-u-rtp/backend.ini b/src/main/terraform/env/cstar-u-rtp/backend.ini
new file mode 100644
index 0000000..4ec6fba
--- /dev/null
+++ b/src/main/terraform/env/cstar-u-rtp/backend.ini
@@ -0,0 +1 @@
+subscription=UAT-CSTAR
\ No newline at end of file
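Review bot: The prod file sets `rtp_activator_app_log_level = "DEBUG"` and `rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp_activator"`, which look copied from dev: the host carries the `-d-` marker and the path uses an underscore where the dev file has `rtp-activator`. Debug logging in production tends to write request detail into logs that more people can read than the service itself, so a level such as `INFO` is the safer value there. The uat `terraform.tfvars` hunk has the same DEBUG level and the same dev APIM host. The correct per-environment hostnames are not visible on this page and need to be confirmed.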
diff --git a/src/main/terraform/env/cstar-u-rtp/backend.tfvars b/src/main/terraform/env/cstar-u-rtp/backend.tfvars
new file mode 100644
index 0000000..74e2edd
--- /dev/null
+++ b/src/main/terraform/env/cstar-u-rtp/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappuatcstar"
+container_name = "terraform-state"
+key = "rtp-activator.tfstate"
\ No newline at end of file
diff --git a/src/main/terraform/env/cstar-u-rtp/terraform.tfvars b/src/main/terraform/env/cstar-u-rtp/terraform.tfvars
new file mode 100644
index 0000000..5589708
--- /dev/null
+++ b/src/main/terraform/env/cstar-u-rtp/terraform.tfvars
@@ -0,0 +1,41 @@
+# ------------------------------------------------------------------------------
+# General variables.
+# ------------------------------------------------------------------------------
+prefix = "cstar"
+env_short = "u"
+env = "uat"
+location = "westeurope" # this will be "italynorth"
+location_short = "weu" # this will be "itn"
+domain = "rtp"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "uat"
+ Owner = "cstar"
+ Source = "https://github.com/pagopa/rtp-activator/tree/main/src/main/terraform"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+ Domain = "rtp"
+}
+
+# ------------------------------------------------------------------------------
+# External resources.
+# ------------------------------------------------------------------------------
+cae_name = "cstar-u-rtp-cae"
+cae_resource_group_name = "cstar-u-rtp-app-rg"
+
+
+# ------------------------------------------------------------------------------
+# Names of key vault secrets.
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Configuration of the microservice.
+# ------------------------------------------------------------------------------
+rtp_activator_app_log_level = "DEBUG"
+rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest"
+rtp_activator_cpu = 0.1
+rtp_activator_memory = "300Mi"
+rtp_activator_max_replicas = 5
+rtp_activator_min_replicas = 1
+rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp-activator"
\ No newline at end of file
diff --git a/src/main/terraform/locals.tf b/src/main/terraform/locals.tf
new file mode 100644
index 0000000..dea9445
--- /dev/null
+++ b/src/main/terraform/locals.tf
@@ -0,0 +1,6 @@
+locals {
+ #
+ # Project label.
+ #
+ project = var.domain == "" ? "${var.prefix}-${var.env_short}" : "${var.prefix}-${var.env_short}-${var.domain}"
+}
\ No newline at end of file
diff --git a/src/main/terraform/main.tf b/src/main/terraform/main.tf
new file mode 100644
index 0000000..e26dfb6
--- /dev/null
+++ b/src/main/terraform/main.tf
@@ -0,0 +1,30 @@
+terraform {
+ required_version = ">= 1.3.5"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "= 3.99.0"
+ }
+ }
+
+ backend "azurerm" {
+ use_oidc = true
+ }
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+ }
+
+ use_oidc = true
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
\ No newline at end of file
diff --git a/src/main/terraform/terraform.sh b/src/main/terraform/terraform.sh
new file mode 100755
index 0000000..55ffc26
--- /dev/null
+++ b/src/main/terraform/terraform.sh
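Review bot: In the `provider "azurerm"` `features` block, `prevent_deletion_if_contains_resources = false` turns off the provider's guard against deleting a resource group that still holds resources. As far as the files in this commit show, the configuration manages no resource group and only reads existing ones through data sources, so the override buys nothing today and would remove the safety net if one is added later; dropping the `resource_group` block restores the provider default. `required_version = ">= 1.3.5"` also has no upper bound while the workflow installs 1.9.7, and a constraint such as `~> 1.9` would keep local runs and CI on the same series.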
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+action=$1
+env=$2
+
+if [ -z "$action" ]; then
+ echo "Usage: ./terraform.sh ACTION ENV [PARAMS]"
+ echo "Missed action: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$env" ]; then
+ echo "Usage: ./terraform.sh ACTION ENV [PARAMS]"
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+shift 2
+other=$@
+
+source "./env/$env/backend.ini"
+az account set -s "${subscription}"
+
+if echo "init plan apply refresh import output state taint destroy console" | grep -w $action > /dev/null; then
+ if [ $action = "init" ]; then
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ # terraform $action -backend-config="./env/$env/backend.tfvars" $other
+ elif [ $action = "output" ] || [ $action = "state" ] || [ $action = "taint" ]; then
+ # init terraform backend
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform $action $other
+ else
+ # init terraform backend
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform $action -var-file="./env/$env/terraform.tfvars" $other
+ fi
+else
+ echo "Action not allowed."
+ exit 1
+fi
\ No newline at end of file
diff --git a/src/main/terraform/variables.tf b/src/main/terraform/variables.tf
new file mode 100644
index 0000000..f846e74
--- /dev/null
+++ b/src/main/terraform/variables.tf
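Review bot: `env` is taken from `$2` and used unchecked in `source "./env/$env/backend.ini"`, so any value, including one containing `../`, selects a file that the shell then executes with the operator's Azure session. An allow-list before the `source` line, e.g. `case "$env" in dev|uat|prod) ;; *) echo "Unknown env: $env" >&2; exit 1 ;; esac` with the names matching the directories under `env/`, closes that. The two usage branches `exit 0`, which lets a wrapper treat a missing argument as success; `exit 1` is the conventional choice. `$action` and `$other` are expanded unquoted (`grep -w $action`, `other=$@`), so arguments containing spaces are re-split; `"$action"` and passing `"$@"` directly avoid that.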
@@ -0,0 +1,226 @@
+# ------------------------------------------------------------------------------
+# Generic variables definition.
+# ------------------------------------------------------------------------------
+variable "prefix" {
+ type = string
+ validation {
+ condition = (
+ length(var.prefix) <= 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "env" {
+ type = string
+ validation {
+ condition = (
+ length(var.env) <= 4
+ )
+ error_message = "Max length is 4 chars."
+ }
+}
+
+variable "env_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.env_short) <= 1
+ )
+ error_message = "Max length is 1 chars."
+ }
+}
+
+variable "location" {
+ type = string
+ default = "westeurope"
+}
+
+variable "location_short" {
+ type = string
+ description = "Location short like eg: neu, weu."
+}
+
+variable "tags" {
+ type = map(any)
+}
+
+variable "domain" {
+ type = string
+ default = ""
+}
+
+# ------------------------------------------------------------------------------
+# Container Apps Environment.
+# ------------------------------------------------------------------------------
+variable "cae_name" {
+ type = string
+}
+
+variable "cae_resource_group_name" {
+ type = string
+}
+
+# ------------------------------------------------------------------------------
+# Identity for this Container App.
+# ------------------------------------------------------------------------------
+variable "id_name" {
+ type = string
+}
+
+variable "id_resource_group_name" {
+ type = string
+}
+
+# ------------------------------------------------------------------------------
+# General purpose key vault used to protect secrets.
+# ------------------------------------------------------------------------------
+variable "general_kv_name" {
+ type = string
+}
+
+variable "general_kv_resource_group_name" {
+ type = string
+}
+
+# ------------------------------------------------------------------------------
+# Key vault for cryptographics operations.
+# ------------------------------------------------------------------------------
+variable "auth_kv_name" {
+ type = string
+}
+
+variable "auth_kv_resource_group_name" {
+ type = string
+}
+
+# ------------------------------------------------------------------------------
+# Storage account containing configuration files.
+# ------------------------------------------------------------------------------
+variable "auth_st_name" {
+ type = string
+}
+
+variable "auth_st_resource_group_name" {
+ type = string
+}
+
+# ------------------------------------------------------------------------------
+# Names of key vault secrets.
+# ------------------------------------------------------------------------------
+variable "cosmosdb_account_primary_mongodb_connection_string_kv_secret" {
+ type = string
+}
+
+variable "cosmosdb_account_secondary_mongodb_connection_string_kv_secret" {
+ type = string
+}
+
+variable "storage_account_primary_blob_endpoint_kv_secret" {
+ type = string
+}
+
+variable "key_vault_auth_vault_uri_kv_secret" {
+ type = string
+}
+
+variable "application_insigths_connection_string_kv_secret" {
+ type = string
+}
+
+# ------------------------------------------------------------------------------
+# Specific to auth microservice.
+# ------------------------------------------------------------------------------
+variable "mil_auth_quarkus_log_level" {
+ type = string
+ default = "ERROR"
+}
+
+variable "mil_auth_app_log_level" {
+ type = string
+ default = "DEBUG"
+}
+
+variable "mil_auth_json_log" {
+ type = bool
+ default = true
+}
+
+variable "mil_auth_quarkus_rest_client_logging_scope" {
+ description = "Scope for Quarkus REST client logging. Allowed values are: all, request-response, none."
+ type = string
+ default = "all"
+}
+
+variable "mil_auth_cryptoperiod" {
+ type = number
+ default = 86400000
+}
+
+variable "mil_auth_keysize" {
+ type = number
+ default = 4096
+}
+
+variable "mil_auth_access_duration" {
+ type = number
+ default = 900
+}
+
+variable "mil_auth_refresh_duration" {
+ type = number
+ default = 3600
+}
+
+variable "mil_auth_image" {
+ type = string
+}
+
+variable "mil_auth_cpu" {
+ type = number
+ default = 1
+}
+
+variable "mil_auth_memory" {
+ type = string
+ default = "2Gi"
+}
+
+variable "mil_auth_max_replicas" {
+ type = number
+ default = 10
+}
+
+variable "mil_auth_min_replicas" {
+ type = number
+ default = 1
+}
+
+variable "mil_auth_keyvault_maxresults" {
+ type = number
+ default = 20
+}
+
+variable "mil_auth_keyvault_backoff_num_of_attempts" {
+ type = number
+ default = 3
+}
+
+variable "mil_auth_mongodb_connect_timeout" {
+ type = string
+ default = "5s"
+}
+
+variable "mil_auth_mongodb_read_timeout" {
+ type = string
+ default = "10s"
+}
+
+variable "mil_auth_mongodb_server_selection_timeout" {
+ type = string
+ default = "5s"
+}
+
+variable "mil_auth_base_url" {
+ type = string
+}
\ No newline at end of file
From 784f7d462803c0d8e96b93845798d6fb2425a136 Mon Sep 17 00:00:00 2001
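Review bot: The declarations in `variables.tf` do not match the `terraform.tfvars` files added in the same commit: the microservice variables are named `mil_auth_*` while the tfvars assign `rtp_activator_*`, and required variables with no default (`id_name`, `general_kv_name`, `auth_kv_name`, `mil_auth_image`, `mil_auth_base_url` and the `*_kv_secret` names) are not set in any of them. With `-auto-approve` in CI, Terraform cannot prompt for the missing values and the run would fail. Most of the key vault, storage and `mil_auth_*` variables are not referenced by `container_app.tf` and could be dropped rather than given values. Adding a `description` to the variables that remain would document what each one is for.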
From: Andrea Morabito Date: Wed, 13 Nov 2024 13:59:23 +0100 Subject: [PATCH 06/17] update terraform script --- src/main/terraform/.terraform.lock.hcl | 22 +++ src/main/terraform/container_app.tf | 16 +- src/main/terraform/data.tf | 8 + .../env/{cstar-d-rtp => dev}/backend.ini | 0 .../env/{cstar-d-rtp => dev}/backend.tfvars | 0 .../env/{cstar-d-rtp => dev}/terraform.tfvars | 2 + .../env/{cstar-p-rtp => prod}/backend.ini | 0 .../env/{cstar-p-rtp => prod}/backend.tfvars | 0 .../{cstar-p-rtp => prod}/terraform.tfvars | 7 +- .../env/{cstar-u-rtp => uat}/backend.ini | 0 .../env/{cstar-u-rtp => uat}/backend.tfvars | 0 .../env/{cstar-u-rtp => uat}/terraform.tfvars | 7 +- src/main/terraform/variables.tf | 141 ++---------------- 13 files changed, 60 insertions(+), 143 deletions(-) create mode 100644 src/main/terraform/.terraform.lock.hcl rename src/main/terraform/env/{cstar-d-rtp => dev}/backend.ini (100%) rename src/main/terraform/env/{cstar-d-rtp => dev}/backend.tfvars (100%) rename src/main/terraform/env/{cstar-d-rtp => dev}/terraform.tfvars (93%) rename src/main/terraform/env/{cstar-p-rtp => prod}/backend.ini (100%) rename src/main/terraform/env/{cstar-p-rtp => prod}/backend.tfvars (100%) rename src/main/terraform/env/{cstar-p-rtp => prod}/terraform.tfvars (87%) rename src/main/terraform/env/{cstar-u-rtp => uat}/backend.ini (100%) rename src/main/terraform/env/{cstar-u-rtp => uat}/backend.tfvars (100%) rename src/main/terraform/env/{cstar-u-rtp => uat}/terraform.tfvars (87%) diff --git a/src/main/terraform/.terraform.lock.hcl b/src/main/terraform/.terraform.lock.hcl new file mode 100644 index 0000000..50dff81 --- /dev/null +++ b/src/main/terraform/.terraform.lock.hcl 
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.99.0" + constraints = "3.99.0" + hashes = [ + "h1:dawmYJUMGlL3t1mKDyaLJc08uSxPaUBoCAb/YCbVxPM=", + "zh:20581c1f4c586a37af45ed4c2a86ff4d868cee79139a755bd29750d804cee3ef", + "zh:28b3cc4e5f8bc65a595eab011d5965203a39e92aa9e26df842ffc979305ac823", + "zh:4cb167f8bb82f9065b7b50d012be3045fce3c699b0ea0e257ad1995441227f72", + "zh:6fa5c6fa430921a4e0fe8d44eaf12210fb90afdf3f83cedfde1c691ae36e953c", + "zh:75eff5b0ea9fca46ed5a0425c5e33fbda470e6448917817e80ae898688568665", + "zh:9af0aeaa74bfc764c60eec7d212d31deb70e03e970d22449f11170f75108f9cf", + "zh:b5055767199a2927d41b543a16e905c1e0b209f14a2144c756786194e133b41d", + "zh:c3e30b0eed068a148498ac78a9e013bc2eef0eb3cc3b4484f77421d64a797dc2", + "zh:ce87cd35cef9e5805f921978a91a7a4e139e8cbc7674a94076cb1a20a0c2feb1", + "zh:d87b84f144c865145bd10093ead99b653ea363fd4e7315675727659ca78544d0", + "zh:ee5900a50d69e046aab6581f6d888014b3f8d543e5b17c50761579d3370935f2", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/src/main/terraform/container_app.tf b/src/main/terraform/container_app.tf index d254243..55a4337 100644 --- a/src/main/terraform/container_app.tf +++ b/src/main/terraform/container_app.tf @@ -10,9 +10,9 @@ resource "azurerm_container_app" "rtp-activator" { template { container { name = "rtp-activator" - image = var.mil_auth_image - cpu = var.mil_auth_cpu - memory = var.mil_auth_memory + image = var.rtp_activator_image + cpu = var.rtp_activator_cpu + memory = var.rtp_activator_memory env { name = "TZ" @@ -21,7 +21,7 @@ resource "azurerm_container_app" "rtp-activator" { env { name = "auth.app-log-level" - value = var.mil_auth_app_log_level + value = var.rtp_activator_app_log_level } env { 
@@ -30,18 +30,18 @@ resource "azurerm_container_app" "rtp-activator" { } } - max_replicas = var.mil_auth_max_replicas - min_replicas = var.mil_auth_min_replicas + max_replicas = var.rtp_activator_max_replicas + min_replicas = var.rtp_activator_min_replicas } secret { name = "identity-client-id" - value = "${data.azurerm_user_assigned_identity.auth.client_id}" + value = "${data.azurerm_user_assigned_identity.rtp-activator.client_id}" } identity { type = "UserAssigned" - identity_ids = [data.azurerm_user_assigned_identity.auth.id] + identity_ids = [data.azurerm_user_assigned_identity.rtp-activator.id] } ingress { diff --git a/src/main/terraform/data.tf b/src/main/terraform/data.tf index 1a64620..b11a715 100644 --- a/src/main/terraform/data.tf +++ b/src/main/terraform/data.tf @@ -5,3 +5,11 @@ data "azurerm_container_app_environment" "rtp-cae" { name = var.cae_name resource_group_name = var.cae_resource_group_name } + +# ------------------------------------------------------------------------------ +# Identity for this Container App. +# ------------------------------------------------------------------------------ +data "azurerm_user_assigned_identity" "rtp-activator" { + name = var.id_name + resource_group_name = var.id_resource_group_name +} diff --git a/src/main/terraform/env/cstar-d-rtp/backend.ini b/src/main/terraform/env/dev/backend.ini similarity index 100% rename from src/main/terraform/env/cstar-d-rtp/backend.ini rename to src/main/terraform/env/dev/backend.ini diff --git a/src/main/terraform/env/cstar-d-rtp/backend.tfvars b/src/main/terraform/env/dev/backend.tfvars similarity index 100% rename from src/main/terraform/env/cstar-d-rtp/backend.tfvars rename to src/main/terraform/env/dev/backend.tfvars 
diff --git a/src/main/terraform/env/cstar-d-rtp/terraform.tfvars b/src/main/terraform/env/dev/terraform.tfvars similarity index 93% rename from src/main/terraform/env/cstar-d-rtp/terraform.tfvars rename to src/main/terraform/env/dev/terraform.tfvars index 9d95851..d8a2492 100644 --- a/src/main/terraform/env/cstar-d-rtp/terraform.tfvars +++ b/src/main/terraform/env/dev/terraform.tfvars @@ -22,6 +22,8 @@ tags = { # ------------------------------------------------------------------------------ cae_name = "cstar-d-tier-0-cae" cae_resource_group_name = "cstar-d-tier-0-app-rg" +id_name = "cstar-d-tier-0-auth-id" +id_resource_group_name = "cstar-d-tier-0-identity-rg" # ------------------------------------------------------------------------------ # Names of key vault secrets. diff --git a/src/main/terraform/env/cstar-p-rtp/backend.ini b/src/main/terraform/env/prod/backend.ini similarity index 100% rename from src/main/terraform/env/cstar-p-rtp/backend.ini rename to src/main/terraform/env/prod/backend.ini diff --git a/src/main/terraform/env/cstar-p-rtp/backend.tfvars b/src/main/terraform/env/prod/backend.tfvars similarity index 100% rename from src/main/terraform/env/cstar-p-rtp/backend.tfvars rename to src/main/terraform/env/prod/backend.tfvars diff --git a/src/main/terraform/env/cstar-p-rtp/terraform.tfvars b/src/main/terraform/env/prod/terraform.tfvars similarity index 87% rename from src/main/terraform/env/cstar-p-rtp/terraform.tfvars rename to src/main/terraform/env/prod/terraform.tfvars index cee307d..1cbfef3 100644 --- a/src/main/terraform/env/cstar-p-rtp/terraform.tfvars +++ b/src/main/terraform/env/prod/terraform.tfvars 
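Review bot: `id_name = "cstar-d-tier-0-auth-id"` attaches to rtp-activator a user-assigned identity whose name suggests it belongs to the auth service. If that identity is shared, the container app inherits every role assignment made for the other service, and its actions cannot be told apart from that service's in Azure activity logs; a dedicated identity for rtp-activator with only the roles it needs would keep the two separate. The prod and uat hunks set the equivalent `cstar-p-tier-0-auth-id` and `cstar-u-tier-0-auth-id`. Whether the identity is in fact shared cannot be told from this page and should be confirmed.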
@@ -20,9 +20,10 @@ tags = { # ------------------------------------------------------------------------------ # External resources. # ------------------------------------------------------------------------------ -cae_name = "cstar-p-rtp-cae" -cae_resource_group_name = "cstar-p-rtp-app-rg" - +cae_name = "cstar-p-tier-0-cae" +cae_resource_group_name = "cstar-p-tier-0-app-rg" +id_name = "cstar-p-tier-0-auth-id" +id_resource_group_name = "cstar-p-tier-0-identity-rg" # ------------------------------------------------------------------------------ # Names of key vault secrets. diff --git a/src/main/terraform/env/cstar-u-rtp/backend.ini b/src/main/terraform/env/uat/backend.ini similarity index 100% rename from src/main/terraform/env/cstar-u-rtp/backend.ini rename to src/main/terraform/env/uat/backend.ini diff --git a/src/main/terraform/env/cstar-u-rtp/backend.tfvars b/src/main/terraform/env/uat/backend.tfvars similarity index 100% rename from src/main/terraform/env/cstar-u-rtp/backend.tfvars rename to src/main/terraform/env/uat/backend.tfvars diff --git a/src/main/terraform/env/cstar-u-rtp/terraform.tfvars b/src/main/terraform/env/uat/terraform.tfvars similarity index 87% rename from src/main/terraform/env/cstar-u-rtp/terraform.tfvars rename to src/main/terraform/env/uat/terraform.tfvars index 5589708..673d52f 100644 --- a/src/main/terraform/env/cstar-u-rtp/terraform.tfvars +++ b/src/main/terraform/env/uat/terraform.tfvars 
@@ -20,9 +20,10 @@ tags = { # ------------------------------------------------------------------------------ # External resources. # ------------------------------------------------------------------------------ -cae_name = "cstar-u-rtp-cae" -cae_resource_group_name = "cstar-u-rtp-app-rg" - +cae_name = "cstar-u-tier-0-cae" +cae_resource_group_name = "cstar-u-tier-0-app-rg" +id_name = "cstar-u-tier-0-auth-id" +id_resource_group_name = "cstar-u-tier-0-identity-rg" # ------------------------------------------------------------------------------ # Names of key vault secrets. diff --git a/src/main/terraform/variables.tf b/src/main/terraform/variables.tf index f846e74..14caa68 100644 --- a/src/main/terraform/variables.tf +++ b/src/main/terraform/variables.tf 
@@ -73,154 +73,37 @@ variable "id_resource_group_name" { } # ------------------------------------------------------------------------------ -# General purpose key vault used to protect secrets. +# Specific to rtp-activator microservice. # ------------------------------------------------------------------------------ -variable "general_kv_name" { - type = string -} - -variable "general_kv_resource_group_name" { - type = string -} - -# ------------------------------------------------------------------------------ -# Key vault for cryptographics operations. -# ------------------------------------------------------------------------------ -variable "auth_kv_name" { - type = string -} - -variable "auth_kv_resource_group_name" { - type = string -} - -# ------------------------------------------------------------------------------ -# Storage account containing configuration files. -# ------------------------------------------------------------------------------ -variable "auth_st_name" { - type = string -} - -variable "auth_st_resource_group_name" { - type = string -} - -# ------------------------------------------------------------------------------ -# Names of key vault secrets. -# ------------------------------------------------------------------------------ -variable "cosmosdb_account_primary_mongodb_connection_string_kv_secret" { - type = string -} - -variable "cosmosdb_account_secondary_mongodb_connection_string_kv_secret" { - type = string -} - -variable "storage_account_primary_blob_endpoint_kv_secret" { - type = string -} - -variable "key_vault_auth_vault_uri_kv_secret" { - type = string -} - -variable "application_insigths_connection_string_kv_secret" { - type = string -} - -# ------------------------------------------------------------------------------ -# Specific to auth microservice. 
-# ------------------------------------------------------------------------------ -variable "mil_auth_quarkus_log_level" { - type = string - default = "ERROR" -} - -variable "mil_auth_app_log_level" { +variable "rtp_activator_app_log_level" { type = string default = "DEBUG" } -variable "mil_auth_json_log" { - type = bool - default = true -} - -variable "mil_auth_quarkus_rest_client_logging_scope" { - description = "Scope for Quarkus REST client logging. Allowed values are: all, request-response, none." - type = string - default = "all" -} - -variable "mil_auth_cryptoperiod" { - type = number - default = 86400000 -} - -variable "mil_auth_keysize" { - type = number - default = 4096 -} - -variable "mil_auth_access_duration" { - type = number - default = 900 -} - -variable "mil_auth_refresh_duration" { - type = number - default = 3600 -} - -variable "mil_auth_image" { - type = string -} - -variable "mil_auth_cpu" { - type = number - default = 1 -} - -variable "mil_auth_memory" { - type = string - default = "2Gi" -} - -variable "mil_auth_max_replicas" { +variable "rtp_activator_max_replicas" { type = number default = 10 } -variable "mil_auth_min_replicas" { +variable "rtp_activator_min_replicas" { type = number default = 1 } -variable "mil_auth_keyvault_maxresults" { - type = number - default = 20 +variable "rtp_activator_base_url" { + type = string } -variable "mil_auth_keyvault_backoff_num_of_attempts" { +variable "rtp_activator_cpu" { type = number - default = 3 -} - -variable "mil_auth_mongodb_connect_timeout" { - type = string - default = "5s" -} - -variable "mil_auth_mongodb_read_timeout" { - type = string - default = "10s" + default = 1 } -variable "mil_auth_mongodb_server_selection_timeout" { +variable "rtp_activator_memory" { type = string - default = "5s" + default = "1Gi" } -variable "mil_auth_base_url" { +variable "rtp_activator_image" { type = string -} \ No newline at end of file +} From 48dfdf3241e6351ea3ed86bcbc38879b5b09216b Mon Sep 17 00:00:00 2001 
From: Andrea Morabito Date: Wed, 13 Nov 2024 14:10:21 +0100 Subject: [PATCH 07/17] update CI CD --- .github/workflows/build-n-push-main.yml | 95 ++++++++++--------------- .github/workflows/post-merge.yml | 38 +++++----- .github/workflows/pr-validation.yml | 23 ++++-- 3 files changed, 74 insertions(+), 82 deletions(-) diff --git a/.github/workflows/build-n-push-main.yml b/.github/workflows/build-n-push-main.yml index 4514eaf..ef5b8e6 100644 --- a/.github/workflows/build-n-push-main.yml +++ b/.github/workflows/build-n-push-main.yml 
@@ -2,87 +2,66 @@ name: Build, push and update on: workflow_dispatch: - inputs: - skip-unit-test: - type: boolean - required: true - description: Skip unit-test +# inputs: +# skip-unit-test: +# type: boolean +# required: true +# description: Skip unit-test jobs: build_push_update: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 + + environment: dev-cd permissions: id-token: write packages: write - contents: write steps: # # Checkout the source code. # - name: Checkout the source code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab - with: - token: ${{ secrets.GIT_PAT }} - fetch-depth: 0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 # - # Setup JDK. todo + # Build and push native container image. # - - name: Setup JDK - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 + - name: Log in to the Container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: - distribution: "jdkfile" - jdkFile: "${{ runner.temp }}/jdk_setup.tar.gz" - java-version: "21" - cache: maven - - # - # Build native executable. todo skip test - # - - name: Build native executable -# run: ${{ runner.temp }}/maven/bin/mvn clean package -Pnative -Dmaven.test.skip=${{ github.event.inputs.skip-unit-test }} -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image@sha256:05baf3fd2173f6f25ad35216b6b066c35fbfb97f06daba75efb5b22bc0a85b9c -s ${{ runner.temp }}/settings.xml --no-transfer-progress - run: ./gradlew nativeCompile - - # - # Build Docker image. todo replace da build and push docker - # - - name: Build Docker image - run: | - BRANCH_NAME="${GITHUB_REF////_}" - docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:$BRANCH_NAME . + registry: https://ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - # - # Push Docker image. 
todo replace da build and push docker - # - - name: Push Docker image - run: | - echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - docker push -a ghcr.io/${{ github.repository }} + - name: Set up QEMU + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - # - # Get Docker image with sha256. todo remove, prendere output da action precedente - # - - name: Get Docker image with sha256 - run: echo "image_sha256=$(docker image inspect -f '{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}:$BRANCH_NAME)" >> "$GITHUB_ENV" + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - # - # Login to Azure. - # - - name: Login to Azure - uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 + - name: Build the app image + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + push: true + context: . + file: src/main/docker/Dockerfile + platforms: linux/amd64 + tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC + secrets: | + "gh_token=${{ secrets.GIT_PAT }}" # # Update Container App. 
# - name: Update Container App - uses: azure/CLI@fa0f960f00db49b95fdb54328a767aee31e80105 - with: - inlineScript: | - az config set extension.use_dynamic_install=yes_without_prompt - az containerapp update -n ${{ secrets.AZURE_CONTAINER_APP_NAME }} -g ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} -i ${{ env.image_sha256 }} \ No newline at end of file + shell: bash + working-directory: src/main/terraform + env: + ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" + ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" + run: | + terraform init -backend-config="env/dev-cd/backend.tfvars" -reconfigure + terraform apply -var-file="env/dev-cd/terraform.tfvars" -var="rtp_activator_image=${{ steps.build_image.outputs.image }}" -auto-approve -lock-timeout=300s diff --git a/.github/workflows/post-merge.yml b/.github/workflows/post-merge.yml index 7c675d9..288bbe4 100644 --- a/.github/workflows/post-merge.yml +++ b/.github/workflows/post-merge.yml 
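Review bot: The `terraform apply` line at the end of this job passes `${{ steps.build_image.outputs.image }}`, but no step on the new side carries `id: build_image`, so the expression expands to an empty string and `rtp_activator_image` is applied empty. `${{ steps.semantic.outputs.new_release_version }}` in `tags:` has the same problem, since no `semantic` step is defined in the job as shown, which leaves the second tag as `:-RC`. Add `id: build_image` to the "Build the app image" step and deploy an immutable reference, for example `-var="rtp_activator_image=ghcr.io/${{ github.repository }}@${{ steps.build_image.outputs.digest }}"`. That also restores the digest pinning the removed `image_sha256` step provided, instead of relying on the mutable `:latest` tag.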
@@ -130,25 +130,25 @@ jobs: terraform init -backend-config="env/dev-cd/backend.tfvars" -reconfigure terraform apply -var-file="env/dev-cd/terraform.tfvars" -var="rtp_activator_image=${{ steps.rc_image.outputs.image }}" -auto-approve -lock-timeout=300s - # - # Install Newman. - # - - name: Install Newman - if: steps.semantic.outputs.new_release_published == 'true' - run: npm install -g newman - - # - # Run Postman collection. - # - - name: Run Postman collection - if: steps.semantic.outputs.new_release_published == 'true' - run: | - newman run src/test/postman/mil-auth.postman_collection.json \ - -e src/test/postman/dev.postman_environment.json \ - --env-var "correctPassword=${{ secrets.NEWMAN_IT__CORRECTPASSWORD }}" \ - --env-var "correctClientSecret=${{ secrets.NEWMAN_IT__CORRECTCLIENTSECRET }}" \ - --env-var "correctClientSecretForVasLayer=${{ secrets.NEWMAN_IT__CORRECTCLIENTSECRETFORVASLAYER }}" \ - --env-var "clientSecretForMilDebtPosition=${{ secrets.NEWMAN_IT__CLIENTSECRETFORMILDEBTPOSITION }}" +# # +# # Install Newman. +# # +# - name: Install Newman +# if: steps.semantic.outputs.new_release_published == 'true' +# run: npm install -g newman +# +# # +# # Run Postman collection. +# # +# - name: Run Postman collection +# if: steps.semantic.outputs.new_release_published == 'true' +# run: | +# newman run src/test/postman/mil-auth.postman_collection.json \ +# -e src/test/postman/dev.postman_environment.json \ +# --env-var "correctPassword=${{ secrets.NEWMAN_IT__CORRECTPASSWORD }}" \ +# --env-var "correctClientSecret=${{ secrets.NEWMAN_IT__CORRECTCLIENTSECRET }}" \ +# --env-var "correctClientSecretForVasLayer=${{ secrets.NEWMAN_IT__CORRECTCLIENTSECRETFORVASLAYER }}" \ +# --env-var "clientSecretForMilDebtPosition=${{ secrets.NEWMAN_IT__CLIENTSECRETFORMILDEBTPOSITION }}" # # STABLE - Update of pom.xml and openapi.yaml with the new version. diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index c8d8317..48cb345 100644 
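Review bot: Commenting out the Newman steps leaves the release-candidate deploy above them with no post-deploy check, and the dead block still points at `src/test/postman/mil-auth.postman_collection.json` and four `NEWMAN_IT__*` secrets from the previous project. Delete the block rather than keeping it as comments, and leave a one-line marker such as `# TODO: add rtp-activator smoke test after RC deploy` so the gap stays visible. The job continues outside this hunk.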
--- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -17,9 +17,22 @@ jobs: - name: Checkout the source code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - - name: PR validation - uses: pagopa/mil-actions/pr-validation@63477e234c35c65476a37982635cd524aa71193c # 1.1.3 + - name: PR title validation + uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # 5.5.3 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - gh_user: ${{ secrets.GIT_USER }} - gh_token: ${{ secrets.GIT_PAT }} - sonar_token: ${{ secrets.SONAR_TOKEN }} + types: | + docs + refactor + chore + fix + feat + breaking + requireScope: false + subjectPattern: ^[A-Z].+$ + subjectPatternError: | + The subject "{subject}" found in the pull request title "{title}" + doesn't match the configured pattern. Please ensure that the subject + starts with an uppercase character. + wip: false From 12efad2c0b100009bd8b18f8d4510cedfc488384 Mon Sep 17 00:00:00 2001 From: Andrea Morabito Date: Wed, 13 Nov 2024 14:10:35 +0100 Subject: [PATCH 08/17] update dockerfile --- src/main/docker/Dockerfile | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile index b22eb93..f02f2a1 100644 --- a/src/main/docker/Dockerfile +++ b/src/main/docker/Dockerfile @@ -1,6 +1,6 @@ FROM ghcr.io/graalvm/graalvm-community:21.0.2-ol9-20240116@sha256:6e46c711c90bdbc24e23ccdb6e3fba837d660e68dd4ffeb87abbd3d08e115653 AS builder -WORKDIR /build +WORKDIR /code COPY . . RUN chmod +x ./gradlew && ./gradlew :nativeCompile 
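Review bot: After this change the job only validates the PR title; the removed `pagopa/mil-actions/pr-validation` step received a `sonar_token`, so it presumably also ran the build and static analysis, and nothing in the hunk replaces that. Unless another workflow covers it, add a step after the title check such as `- name: Build and test` with `run: ./gradlew build`, so that code changes are compiled and tested before merge. The job starts outside this hunk.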
@@ -10,11 +10,15 @@ COPY --from=builder /build/target/rtd-ms-file-register*.jar . FROM ubuntu:noble-20241011@sha256:99c35190e22d294cdace2783ac55effc69d32896daaa265f0bbedbcde4fbe3e5 AS runtime -EXPOSE 8080 +WORKDIR /work/ +RUN chown 1001 /work \ + && chmod "g+rwX" /work \ + && chown 1001:root /work +COPY --from=builder --chown=1001:root --chmod=0755 /code/build/*-runner /work/application RUN useradd --uid 10000 runner USER 10000 -COPY --from=builder /build/target/rtd-ms-file-register . +EXPOSE 8080 -ENTRYPOINT ["./rtd-ms-file-register"] \ No newline at end of file +ENTRYPOINT ["./application"] From c7c6bd214187a94fea7a5e97bd6bca495694636e Mon Sep 17 00:00:00 2001 From: Andrea Morabito Date: Wed, 13 Nov 2024 14:12:31 +0100 Subject: [PATCH 09/17] remove terraform lock file --- src/main/terraform/.terraform.lock.hcl | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 src/main/terraform/.terraform.lock.hcl diff --git a/src/main/terraform/.terraform.lock.hcl b/src/main/terraform/.terraform.lock.hcl deleted file mode 100644 index 50dff81..0000000 --- a/src/main/terraform/.terraform.lock.hcl +++ /dev/null 
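Review bot: The runtime stage gives `/work` and the binary to uid 1001 (`chown 1001:root`, `COPY --chown=1001:root`) but then creates and switches to uid 10000, so the process runs as a user that owns neither and cannot write to its working directory. Pick one identity: either `USER 1001` without the `useradd`, or `--chown=10000:root` on the `COPY` and in the `RUN chown` line; if the application never writes to `/work`, the `chown`/`chmod "g+rwX"` lines can go entirely. Separately, `/code/build/*-runner` looks like the Quarkus naming; the Gradle `nativeCompile` task normally writes under `build/native/nativeCompile/`, so confirm the glob actually matches a file.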
@@ -1,22 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.99.0" - constraints = "3.99.0" - hashes = [ - "h1:dawmYJUMGlL3t1mKDyaLJc08uSxPaUBoCAb/YCbVxPM=", - "zh:20581c1f4c586a37af45ed4c2a86ff4d868cee79139a755bd29750d804cee3ef", - "zh:28b3cc4e5f8bc65a595eab011d5965203a39e92aa9e26df842ffc979305ac823", - "zh:4cb167f8bb82f9065b7b50d012be3045fce3c699b0ea0e257ad1995441227f72", - "zh:6fa5c6fa430921a4e0fe8d44eaf12210fb90afdf3f83cedfde1c691ae36e953c", - "zh:75eff5b0ea9fca46ed5a0425c5e33fbda470e6448917817e80ae898688568665", - "zh:9af0aeaa74bfc764c60eec7d212d31deb70e03e970d22449f11170f75108f9cf", - "zh:b5055767199a2927d41b543a16e905c1e0b209f14a2144c756786194e133b41d", - "zh:c3e30b0eed068a148498ac78a9e013bc2eef0eb3cc3b4484f77421d64a797dc2", - "zh:ce87cd35cef9e5805f921978a91a7a4e139e8cbc7674a94076cb1a20a0c2feb1", - "zh:d87b84f144c865145bd10093ead99b653ea363fd4e7315675727659ca78544d0", - "zh:ee5900a50d69e046aab6581f6d888014b3f8d543e5b17c50761579d3370935f2", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} From 62bdb758e588d4190635308eb5863eb2b93df242 Mon Sep 17 00:00:00 2001 From: Andrea Morabito Date: Wed, 13 Nov 2024 14:12:45 +0100 Subject: [PATCH 10/17] fix resource allocation for aca --- src/main/terraform/env/dev/terraform.tfvars | 4 ++-- src/main/terraform/env/prod/terraform.tfvars | 4 ++-- src/main/terraform/env/uat/terraform.tfvars | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/main/terraform/env/dev/terraform.tfvars b/src/main/terraform/env/dev/terraform.tfvars index d8a2492..86443b0 100644 --- a/src/main/terraform/env/dev/terraform.tfvars +++ b/src/main/terraform/env/dev/terraform.tfvars 
@@ -35,8 +35,8 @@ id_resource_group_name = "cstar-d-tier-0-identity-rg" # ------------------------------------------------------------------------------ rtp_activator_app_log_level = "DEBUG" rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest" -rtp_activator_cpu = 0.1 -rtp_activator_memory = "300Mi" +rtp_activator_cpu = 0.25 +rtp_activator_memory = "0.5Gi" rtp_activator_max_replicas = 5 rtp_activator_min_replicas = 1 rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp-activator" \ No newline at end of file diff --git a/src/main/terraform/env/prod/terraform.tfvars b/src/main/terraform/env/prod/terraform.tfvars index 1cbfef3..b3e1949 100644 --- a/src/main/terraform/env/prod/terraform.tfvars +++ b/src/main/terraform/env/prod/terraform.tfvars @@ -35,8 +35,8 @@ id_resource_group_name = "cstar-p-tier-0-identity-rg" # ------------------------------------------------------------------------------ rtp_activator_app_log_level = "DEBUG" rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest" -rtp_activator_cpu = 0.1 -rtp_activator_memory = "300Mi" +rtp_activator_cpu = 0.25 +rtp_activator_memory = "0.5Gi" rtp_activator_max_replicas = 5 rtp_activator_min_replicas = 1 rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp_activator" \ No newline at end of file diff --git a/src/main/terraform/env/uat/terraform.tfvars b/src/main/terraform/env/uat/terraform.tfvars index 673d52f..c8545ad 100644 --- a/src/main/terraform/env/uat/terraform.tfvars +++ b/src/main/terraform/env/uat/terraform.tfvars 
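Review bot: In the prod file the lines around this resource change still read `rtp_activator_app_log_level = "DEBUG"` and `rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest"`, and the base URL host is `mil-d-apim.azure-api.net`, which by its name looks like the dev gateway. Debug logging in production tends to capture request and token detail, and a mutable tag means the running image is not traceable to a build. Consider `rtp_activator_app_log_level = "INFO"` and an image pinned by digest, e.g. `ghcr.io/pagopa/rtp-activator@sha256:<digest>`, and confirm the prod base URL. The uat hunk carries the same log level and image tag.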
@@ -35,8 +35,8 @@ id_resource_group_name = "cstar-u-tier-0-identity-rg" # ------------------------------------------------------------------------------ rtp_activator_app_log_level = "DEBUG" rtp_activator_image = "ghcr.io/pagopa/rtp-activator:latest" -rtp_activator_cpu = 0.1 -rtp_activator_memory = "300Mi" +rtp_activator_cpu = 0.25 +rtp_activator_memory = "0.5Gi" rtp_activator_max_replicas = 5 rtp_activator_min_replicas = 1 -rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp-activator" \ No newline at end of file +rtp_activator_base_url = "https://mil-d-apim.azure-api.net/rtp-activator" From 5be130e371a7237520dc4df4d6dc9d54b892a233 Mon Sep 17 00:00:00 2001 From: Andrea Morabito Date: Wed, 13 Nov 2024 14:12:52 +0100 Subject: [PATCH 11/17] update gitignore --- .gitignore | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 572ccc0..2fe54cc 100644 --- a/.gitignore +++ b/.gitignore @@ -145,4 +145,11 @@ Desktop.ini ###################### # ESLint ###################### -.eslintcache \ No newline at end of file +.eslintcache + +# +# Terraform +# +src/main/terraform/identity/.terraform/ +src/main/terraform/.terraform/ +.terraform.lock.hcl From b9872dd8f9c8de8a332eae43c5cf7d488cb02d2a Mon Sep 17 00:00:00 2001 
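Review bot: The last added line ignores `.terraform.lock.hcl`, which, together with the deletion of the committed lock file in the previous patch, means `terraform init` in CI selects provider builds without checking them against recorded hashes. The lock file is what pins `hashicorp/azurerm` to the reviewed version and checksums, so it should stay in version control. Drop the `.terraform.lock.hcl` line here and keep only the two `.terraform/` directory entries.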
From: petretiandrea Date: Fri, 15 Nov 2024 09:06:25 +0100 Subject: [PATCH 12/17] added role verification configuration + example controller --- build.gradle | 8 +++ .../rtp/activator/PlaygroundController.java | 37 ++++++++++++ .../configuration/NoSignatureJwtDecoder.java | 45 ++++++++++++++ .../configuration/SecurityConfig.java | 60 +++++++++++++++++++ src/main/resources/application.properties | 9 +++ 5 files changed, 159 insertions(+) create mode 100644 src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java create mode 100644 src/main/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoder.java create mode 100644 src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java diff --git a/build.gradle b/build.gradle index 90c9256..6aebc3d 100644 --- a/build.gradle +++ b/build.gradle @@ -25,6 +25,14 @@ repositories { dependencies { implementation 'org.springframework.boot:spring-boot-starter-actuator' implementation 'org.springframework.boot:spring-boot-starter-webflux' + + // spring security + oauth2 resource server + implementation 'org.springframework.boot:spring-boot-starter-security' + implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server' + implementation 'org.springframework.security:spring-security-oauth2-jose' + + implementation("org.springframework.boot:spring-boot-starter-actuator") + // implementation 'com.azure.spring:spring-cloud-azure-starter-actuator' // implementation 'com.azure.spring:spring-cloud-azure-starter-data-cosmos' testImplementation 'org.springframework.boot:spring-boot-starter-test' diff --git a/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java b/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java new file mode 100644 index 0000000..d05fbc0 --- /dev/null +++ b/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java 
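Review bot: The added `implementation("org.springframework.boot:spring-boot-starter-actuator")` repeats the dependency already declared on the first line of the `dependencies` block, in a different quoting style. Remove the duplicate. `spring-security-oauth2-jose` is normally brought in by `spring-boot-starter-oauth2-resource-server`, so that line can likely go as well. The `dependencies` block continues outside the hunk.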
@@ -0,0 +1,37 @@
+package it.gov.pagopa.rtp.activator;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import reactor.core.publisher.Mono;
+
+import java.security.Principal;
+
+// Controller to play with role and authorization
+// TODO: remove me
+@RestController
+public class PlaygroundController {
+
+ @PreAuthorize("hasRole('mil-auth-admin')")
+ @GetMapping("/test")
+ public Mono> trySomething(
+ Principal principal
+ ) {
+ return Mono.just(
+ ResponseEntity.ok("Ciao " + principal.getName())
+ );
+ }
+
+ @PreAuthorize("hasRole('mil-auth-admin')")
+ @GetMapping("/test2")
+ public Mono> trySomething2(
+ Authentication authentication
+ ) {
+ return Mono.just(
+ ResponseEntity.ok("Ciao " + authentication.getName() + " " + authentication.getAuthorities())
+ );
+ }
+
+}
diff --git a/src/main/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoder.java b/src/main/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoder.java
new file mode 100644
index 0000000..a7ea6ce
--- /dev/null
+++ b/src/main/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoder.java
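Review bot: `PlaygroundController` is marked `// TODO: remove me` but is registered as an unconditional `@RestController`, so `/test` and `/test2` ship in every environment, and `/test2` echoes the caller's granted authorities back in the response body. Keep experiment endpoints out of deployable builds: move the class under `src/test`, or restrict it with a profile annotation such as `@Profile("local")` (profile name is a placeholder). The role name `mil-auth-admin` also looks carried over from another service and is worth confirming.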
@@ -0,0 +1,45 @@
+package it.gov.pagopa.rtp.activator.configuration;
+
+import com.nimbusds.jwt.JWTParser;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.*;
+
+import java.text.ParseException;
+import java.util.Objects;
+
+import static java.util.Collections.emptyMap;
+
+public class NoSignatureJwtDecoder implements JwtDecoder {
+
+ private final OAuth2TokenValidator verifier = JwtValidators.createDefault();
+ private final MappedJwtClaimSetConverter claimMapper = MappedJwtClaimSetConverter.withDefaults(emptyMap());
+
+ @Override
+ public Jwt decode(String token) throws JwtException {
+ try {
+ final var parsedToken = JWTParser.parse(token);
+ // convert nimbus token to spring Jwt
+ final var convertedClaims = claimMapper.convert(parsedToken.getJWTClaimsSet().toJSONObject());
+
+ final var jwt = Jwt.withTokenValue(parsedToken.getParsedString())
+ .headers(headers -> headers.putAll(parsedToken.getHeader().toJSONObject()))
+ .claims(claims -> claims.putAll(convertedClaims))
+ .build();
+
+ final var validation = verifier.validate(jwt);
+ if (validation.hasErrors()) {
+ final var description = validation.getErrors().stream()
+ .filter(it -> Objects.nonNull(it) && !it.getDescription().isEmpty())
+ .map(OAuth2Error::getDescription)
+ .findFirst()
+ .orElse("Invalid jwt token");
+ throw new JwtValidationException(description, validation.getErrors());
+ }
+
+ return jwt;
+ } catch (ParseException e) {
+ throw new BadJwtException(e.getMessage());
+ }
+ }
+}
diff --git a/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java b/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java
new file mode 100644
index 0000000..b51373c
--- /dev/null
+++ b/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java
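Review bot: `decode` accepts any parseable token: `JWTParser.parse` does not verify a signature and also returns unsecured (`alg: none`) tokens, and `JwtValidators.createDefault()` appears to cover only time-based claims, so the `groups` claim that SecurityConfig.java maps to `ROLE_` authorities is entirely caller-controlled. The `jwtDecoder` bean in SecurityConfig.java wires this class in for every request, which makes the `@PreAuthorize` checks in PlaygroundController.java ineffective as an access control. If signature verification is guaranteed upstream (for example at the API gateway) and this service is unreachable otherwise, state that in a class-level comment and add issuer and audience validation; otherwise replace the bean body with `return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).build();` where `jwkSetUri` comes from configuration. Also pass the cause along in the catch block: `throw new BadJwtException(e.getMessage(), e);`.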
@@ -0,0 +1,60 @@ +package it.gov.pagopa.rtp.activator.configuration; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity; +import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; +import org.springframework.security.config.web.server.ServerHttpSecurity; +import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder; +import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter; +import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter; +import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtGrantedAuthoritiesConverterAdapter; +import org.springframework.security.web.server.SecurityWebFilterChain; +import reactor.core.publisher.Mono; + + +@Configuration +@EnableWebFluxSecurity +@EnableReactiveMethodSecurity // allows to use @PreAuthorize with roles +public class SecurityConfig { + + @Bean + SecurityWebFilterChain securityWebFilterChain( + ServerHttpSecurity http, + ReactiveJwtAuthenticationConverter jwtConverter + ) { + return http + .csrf(ServerHttpSecurity.CsrfSpec::disable) + .logout(ServerHttpSecurity.LogoutSpec::disable) + .authorizeExchange(it -> it + .pathMatchers("/actuator/**") + .permitAll() + .anyExchange() + .authenticated() + ) + .oauth2ResourceServer(oauth2 -> + oauth2.jwt(it -> it.jwtAuthenticationConverter(jwtConverter)) + ) + .build(); + } + + @Bean + ReactiveJwtAuthenticationConverter jwtAuthenticationConverter() { + final var authoritiesConverter = new JwtGrantedAuthoritiesConverter(); + authoritiesConverter.setAuthoritiesClaimName("groups"); // Map "groups" claim to authorities + authoritiesConverter.setAuthorityPrefix("ROLE_"); // Add "ROLE_" prefix for Spring Security + + final var reactiveConverter = new 
ReactiveJwtAuthenticationConverter(); + reactiveConverter.setJwtGrantedAuthoritiesConverter( + new ReactiveJwtGrantedAuthoritiesConverterAdapter(authoritiesConverter) + ); + return reactiveConverter; + } + + @Bean + ReactiveJwtDecoder jwtDecoder() { + final var decoder = new NoSignatureJwtDecoder(); + return token -> Mono.fromSupplier(() -> decoder.decode(token)); + } + +} diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index cc8af0e..bc924fc 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -1 +1,10 @@ +logging.level.root=INFO + spring.application.name=rtp-activator + +# enable spring boot actuator health endpoint +management.endpoints.enabled-by-default=false +management.endpoints.web.exposure.include=health +management.endpoint.health.enabled=true +management.endpoint.health.probes.enabled=true + From 0619313cbccf2a1c00da664acb1112b991b65554 Mon Sep 17 00:00:00 2001 From: Luca Consalvi Date: Tue, 19 Nov 2024 16:47:56 +0100 Subject: [PATCH 13/17] setup controller and model generation --- build.gradle | 41 + openapi/activation.openapi.yaml | 864 ++++++++++++++++++ .../ActivationAPIControllerImpl.java | 25 + 3 files changed, 930 insertions(+) create mode 100644 openapi/activation.openapi.yaml create mode 100644 src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java diff --git a/build.gradle b/build.gradle index 90c9256..03c8de8 100644 --- a/build.gradle +++ b/build.gradle @@ -3,6 +3,7 @@ plugins { id 'org.springframework.boot' version '3.3.5' id 'io.spring.dependency-management' version '1.1.6' id 'org.graalvm.buildtools.native' version '0.10.3' + id("org.openapi.generator") version "7.5.0" } group = 'it.gov.pagopa' 
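Review bot: `pathMatchers("/actuator/**").permitAll()` in `securityWebFilterChain` makes every actuator path anonymous and depends on `management.endpoints.web.exposure.include=health` in application.properties never being widened. Narrow the matcher to what is meant to be public, `.pathMatchers("/actuator/health/**")`, so an endpoint exposed later is authenticated by default. A short comment on `csrf(ServerHttpSecurity.CsrfSpec::disable)` saying the API is bearer-token only would also help the next reader.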
@@ -27,6 +28,10 @@ dependencies { implementation 'org.springframework.boot:spring-boot-starter-webflux' // implementation 'com.azure.spring:spring-cloud-azure-starter-actuator' // implementation 'com.azure.spring:spring-cloud-azure-starter-data-cosmos' + implementation("io.swagger.core.v3:swagger-annotations:2.2.8") + implementation("org.openapitools:jackson-databind-nullable:0.2.6") + implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310") + implementation("org.springframework.boot:spring-boot-starter-validation") testImplementation 'org.springframework.boot:spring-boot-starter-test' testImplementation 'io.projectreactor:reactor-test' testRuntimeOnly 'org.junit.platform:junit-platform-launcher' @@ -41,3 +46,39 @@ dependencyManagement { tasks.named('test') { useJUnitPlatform() } + +tasks.compileJava { + dependsOn("openApiGenerate") +} + +sourceSets { + main { + java { + srcDir("$projectDir/build/generated/src/main/java") + } + } +} + +openApiGenerate { + generatorName.set("spring") + inputSpec.set("$rootDir/openapi/activation.openapi.yaml") + outputDir.set("$projectDir/build/generated") + apiPackage.set("it.gov.pagopa.rtp.activator.controller.generated") + modelPackage.set("it.gov.pagopa.rtp.activator.model.generated") + modelNameSuffix.set("Dto") + configOptions.set([ + "dateLibrary" : "java8", + "requestMappingMode" : "api_interface", + "useSpringBoot3" : "true", + "interfaceOnly" : "true", + "useTags" : "true", + "useSwaggerUI" : "false", + "reactive" : "true", + "swaggerAnnotations" : "false", + "skipDefaultInterface" : "true", + ]) + typeMappings.set([ + "DateTime" : "java.time.LocalDateTime", + "zoned-date-time" : "java.time.ZonedDateTime" + ]) +} diff --git a/openapi/activation.openapi.yaml b/openapi/activation.openapi.yaml new file mode 100644 index 0000000..6561e35 --- /dev/null +++ b/openapi/activation.openapi.yaml 
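Review bot: In the `openApiGenerate` block, `"DateTime" : "java.time.LocalDateTime"` maps every `format: date-time` field to a type with no offset, so an RFC 3339 timestamp sent with `+01:00` is either rejected or loses its zone on the way in, depending on Jackson settings. Unless local time is really intended, drop that mapping and keep the generator default, or use `"DateTime" : "java.time.OffsetDateTime"`. The `swagger-annotations:2.2.8` dependency added in the first hunk also looks unused while `"swaggerAnnotations" : "false"` is set; confirm it is needed.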
@@ -0,0 +1,864 @@ +openapi: 3.0.3 + +info: + title: RTP Activation API. + version: 1.0.0 + description: | + API to handle RTP activations initiated by the Payer's RTP Service Provider. + contact: + name: PagoPA S.p.A. + email: rtp@pagopa.it + +servers: + - description: Development/Test + url: https://rtp.dev.cstar.pagopa.it + x-internal: true + - description: User Acceptance Test + url: https://rtp.uat.cstar.pagopa.it + x-internal: false + - description: Production + url: https://rtp.cstar.pagopa.it + x-internal: false + +tags: + - name: create + description: Create operation. + - name: read + description: Read operation. + - name: update + description: Update operation. + - name: delete + description: Delete operation. + +paths: + /activations: + post: + operationId: activate + summary: RTP activation initiated by the Payer's RTP Service Provider. + description: | + The operation is used by Payer's RTP Service Provider to enable the + Payee's RTP Service Provider to send RTP messages to the Payer's RTP + Service Provider. + + When the operation is used by not-admin subject, the system verifies + that the Payer's RTP Service Provider ID matches the subject claim of + the access token. `403 Forbidden` is returned on mismatch. + + `409 Conflict` is returned if an activation with the same Payer's ID + already exists. + tags: [create] + security: + - oAuth2: [admin_rtp_activations, write_rtp_activations] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + requestBody: + $ref: '#/components/requestBodies/CreateOrUpdateActivation' + responses: + "201": + #description: Created. + $ref: '#/components/responses/CreateActivation' + "400": + #description: Bad request. + $ref: '#/components/responses/Error' + "401": + #description: Wrong credentials. + $ref: '#/components/responses/Error' + "403": + #description: Forbidden + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. 
Did you require application/json? + $ref: '#/components/responses/Error' + "409": + #description: Conflict. + $ref: '#/components/responses/Error' + "415": + #description: Unsupported media type. Did you provide application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request. + $ref: '#/components/responses/Error' + "500": + #description: Server error. + $ref: '#/components/responses/Error' + default: + #description: Unexpected error. + $ref: '#/components/responses/Error' + + get: + operationId: getActivations + summary: Returns RTP activations. + description: | + The operation returns all the RTP activations stored by the system. + + When the operation is used by not-admin subject, the system returns + the RTP activations which have the Payer's RTP Service Provider ID that + matches the subject claim of the access token. + tags: [read] + security: + - oAuth2: [admin_rtp_activations, read_rtp_activations] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + - $ref: '#/components/parameters/PageNumber' + - $ref: '#/components/parameters/PageSize' + responses: + "200": + #description: Ok. + $ref: '#/components/responses/PageOfActivations' + "400": + #description: Bad request. + $ref: '#/components/responses/Error' + "401": + #description: Access token is missing or invalid. + $ref: '#/components/responses/Error' + "403": + #description: Forbidden. + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request. + $ref: '#/components/responses/Error' + "500": + #description: Server error. + $ref: '#/components/responses/Error' + default: + #description: Unexpected error. + $ref: '#/components/responses/Error' + + /activations/{activationId}: + get: + operationId: getActivation + summary: Returns a RTP activation. 
+ description: | + The operation finds a RTP activation by its ID. + + When the operation is used by not-admin subject, the system returns + the RTP activation only if its Payer's RTP Service Provider ID matches + the subject claim of the access token, otherwise `404 Not Found` is + returned. + tags: [read] + security: + - oAuth2: [admin_rtp_activations, read_rtp_activations] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + - $ref: '#/components/parameters/ActivationId' + responses: + "200": + #description: Found. + $ref: '#/components/responses/Activation' + "400": + #description: Bad request. + $ref: '#/components/responses/Error' + "401": + #description: Access token is missing or invalid. + $ref: '#/components/responses/Error' + "403": + #description: Forbidden. + $ref: '#/components/responses/Error' + "404": + #description: Not found. + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request. + $ref: '#/components/responses/Error' + "500": + #description: Server error. + $ref: '#/components/responses/Error' + default: + #description: Unexpected error. + $ref: '#/components/responses/Error' + + put: + operationId: updateActivation + summary: Updates a RTP activation. + description: | + The operation updates a RTP actviation searching it by its ID. + + When the operation is used by not-admin subject: + - the system returns `404 Not Found` if the Payer's RTP Service + Provider ID of the activation doesn't match the subject claim of + the access token; + - the system returns `403 Forbidden` if the provided value of Payer's + RTP Service doesn't match the subject claim of the access token. 
+ tags: [update] + security: + - oAuth2: [admin_rtp_activations, write_rtp_activations] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + - $ref: '#/components/parameters/ActivationId' + requestBody: + $ref: '#/components/requestBodies/CreateOrUpdateActivation' + responses: + "204": + #description: No content + $ref: '#/components/responses/NoContent' + "400": + #description: Bad request + $ref: '#/components/responses/Error' + "401": + #description: Wrong credentials + $ref: '#/components/responses/Error' + "403": + #description: Forbidden + $ref: '#/components/responses/Error' + "404": + #description: Not found + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "415": + #description: Unsupported media type. Did you provide application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request + $ref: '#/components/responses/Error' + "500": + #description: Server error + $ref: '#/components/responses/Error' + default: + #description: Unexpected error + $ref: '#/components/responses/Error' + + delete: + operationId: deleteActivation + summary: Deletes a RTP activation. + description: | + The operation deletes a RTP actviation searching it by its ID. + + When the operation is used by not-admin subject, the system returns + `404 Not Found` if the Payer's RTP Service Provider ID of the activation + doesn't match the subject claim of the access token. 
+ tags: [delete] + security: + - oAuth2: [admin_rtp_activations, write_rtp_activations] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + - $ref: '#/components/parameters/ActivationId' + responses: + "204": + #description: No content + $ref: '#/components/responses/NoContent' + "400": + #description: Bad request + $ref: '#/components/responses/Error' + "401": + #description: Access token is missing or invalid + $ref: '#/components/responses/Error' + "403": + #description: Forbidden + $ref: '#/components/responses/Error' + "404": + #description: Not found + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request + $ref: '#/components/responses/Error' + "500": + #description: Server error + $ref: '#/components/responses/Error' + default: + #description: Unexpected error + $ref: '#/components/responses/Error' + + /activations/findByPayerId: + get: + operationId: findActivationsByPayerId + summary: Finds a RTP activation by Payer ID. + description: | + The operation finds RTP activations by Payer ID. + + When the operation is used by not-admin subject, the system returns + the RTP activations with the Payer's RTP Service Provider ID that + matches the subject claim of the access token. + tags: [read] + security: + - oAuth2: [admin_rtp_activations, read_rtp_activations] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + - $ref: '#/components/parameters/PageNumber' + - $ref: '#/components/parameters/PageSize' + - $ref: '#/components/parameters/PayerId' + responses: + "200": + #description: Ok. + $ref: '#/components/responses/PageOfActivations' + "400": + #description: Bad request. + $ref: '#/components/responses/Error' + "401": + #description: Access token is missing or invalid. 
+ $ref: '#/components/responses/Error' + "403": + #description: Forbidden. + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request. + $ref: '#/components/responses/Error' + "500": + #description: Server error. + $ref: '#/components/responses/Error' + default: + #description: Unexpected error. + $ref: '#/components/responses/Error' + +components: + # ============================================================================ + # Schemas. + # ============================================================================ + schemas: + # -------------------------------------------------------------------------- + # Basic types for CORS stuff. + # -------------------------------------------------------------------------- + AccessControlAllowOrigin: + description: | + Indicates whether the response can be shared with requesting code from + the given origin. + type: string + pattern: "^[ -~]{1,2048}$" + minLength: 1 + maxLength: 2048 + + # -------------------------------------------------------------------------- + # Basic types for rate limit handling. + # -------------------------------------------------------------------------- + RateLimitLimit: + description: The number of allowed requests in the current period. + type: integer + format: int32 + minimum: 1 + maximum: 240 + + RateLimitReset: + description: The number of seconds left in the current period. + type: integer + format: int32 + minimum: 1 + maximum: 60 + + RetryAfter: + description: | + The number of seconds to wait before allowing a follow-up request. + type: integer + format: int32 + minimum: 1 + maximum: 240 + + # -------------------------------------------------------------------------- + # Basic types for paging. + # -------------------------------------------------------------------------- + PageNumber: + description: Number of the page. 
+ type: integer + format: int32 + minimum: 0 + maximum: 2147483647 + example: 1 + + PageSize: + description: Size of the page. + type: integer + format: int32 + minimum: 1 + maximum: 128 + example: 20 + + TotalElements: + description: Total elements. + type: integer + format: int64 + minimum: 0 + maximum: 9223372036854775807 + example: 20 + + TotalPages: + description: Total pages. + type: integer + format: int64 + minimum: 0 + maximum: 9223372036854775807 + example: 20 + + # -------------------------------------------------------------------------- + # Basic types for error handling. + # -------------------------------------------------------------------------- + ErrorCode: + description: Error code. + type: string + pattern: "^[A-F0-9]{9}$" + minLength: 9 + maxLength: 9 + example: "01000000F" + + ErrorDescription: + description: Error description. + type: string + pattern: "^[ -~]{0,256}$" + minLength: 0 + maxLength: 256 + example: "Wrong party identifier" + + # -------------------------------------------------------------------------- + # Basic types for technical stuff. + # -------------------------------------------------------------------------- + ActivationId: + description: Identifier of the RTP activation resource. + type: string + format: uuid + pattern: "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$" + minLength: 36 + maxLength: 36 + example: "d0d654e6-97da-4848-b568-99fedccb642b" + + ActivationLocation: + description: URL of the RTP activation resource. + type: string + format: uri + pattern: "^[ -~]{1,2048}$" + minLength: 1 + maxLength: 2048 + example: "https://rtp.cstar.pagopa.it/activations/d0d654e6-97da-4848-b568-99fedccb642b" + + RequestId: + description: Identifier of the request. 
+ type: string + format: uuid + pattern: "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$" + minLength: 36 + maxLength: 36 + example: "bd615b4a-066d-443e-8dd2-a28a39931fef" + + Version: + description: Version of the required API. + type: string + pattern: "^[ -~]{1,64}$" + minLength: 1 + maxLength: 64 + example: "1.0.0-alpha-a.b-c-somethinglong+build.1-aef.1-its-okay" + + # -------------------------------------------------------------------------- + # Domain specific basic types. + # -------------------------------------------------------------------------- + EffectiveActivationDate: + description: | + Effective activation date (B035). + + Date and time at which activation has been stored. + type: string + format: date-time + example: "2024-10-30T16:39:34+01:00" + + FiscalCode: + description: | + Fiscal (or tax) code. + + It is used as identifier of the Payer (P009) and of the Payee (E005). + type: string + pattern: "^(([A-Z]{6}\\d{2}[A-Z]\\d{2}[A-Z]\\d{3}[A-Z])|(\\d{11}))$" + minLength: 11 + maxLength: 16 + example: "RSSMRA85T10A562S" + + PartyId: + description: | + Unique and unambiguous identification of a party. + + It is used as identifier of the Payer’s RTP Service Provider (N001) and + for Payee’s RTP Service Provider (N002). + type: string + pattern: "^[ -~]{1,35}$" + minLength: 1 + maxLength: 35 + example: "12345678901" + + # -------------------------------------------------------------------------- + # Complex types for paging. + # -------------------------------------------------------------------------- + PageMetadata: + description: Metadata of a page of data. 
+ type: object + additionalProperties: false + properties: + totalElements: + $ref: '#/components/schemas/TotalElements' + totalPages: + $ref: '#/components/schemas/TotalPages' + page: + $ref: '#/components/schemas/PageNumber' + size: + $ref: '#/components/schemas/PageSize' + required: + - totalElements + - totalPages + - page + - size + example: + totalElements: 198 + totalPages: 10 + page: 5 + size: 20 + + # -------------------------------------------------------------------------- + # Complex type for error handling. + # -------------------------------------------------------------------------- + Error: + description: Error details. + type: object + additionalProperties: false + properties: + code: + $ref: '#/components/schemas/ErrorCode' + description: + $ref: '#/components/schemas/ErrorDescription' + required: + - code + - description + example: + code: "01000000F" + description: "Wrong party identifier" + + Errors: + description: List of errors. + type: object + additionalProperties: false + properties: + errors: + type: array + minItems: 1 + maxItems: 32 + items: + $ref: '#/components/schemas/Error' + required: + - errors + example: + errors: + - code: "01000000F" + description: "Wrong party identifier" + + # ------------------------------------------------------ + # Domain specific complex types. + # ------------------------------------------------------ + Activation: + allOf: + - type: object + properties: + id: + $ref: '#/components/schemas/ActivationId' + effectiveActivationDate: + $ref: '#/components/schemas/EffectiveActivationDate' + required: + - id + - effectiveActivationDate + - $ref: '#/components/schemas/ActivationReq' + example: + id: "d0d654e6-97da-4848-b568-99fedccb642b" + effectiveActivationDate: "2024-10-30T16:39:34+01:00" + payer: + fiscalCode: "RSSMRA85T10A562S" + rtpSpId: "10987654321" + + Activations: + description: List of RTP activations. 
+ type: array + minItems: 0 + maxItems: 128 + items: + $ref: '#/components/schemas/Activation' + example: + - id: "d0d654e6-97da-4848-b568-99fedccb642b" + effectiveActivationDate: "2024-10-30T16:39:34+01:00" + payer: + fiscalCode: "RSSMRA85T10A562S" + rtpSpId: "10987654321" + + ActivationReq: + description: | + Data of a RTP activation. + type: object + additionalProperties: true # It's extended by another object. + properties: + payer: + $ref: '#/components/schemas/Payer' + required: + - payer + example: + payer: + fiscalCode: "RSSMRA85T10A562S" + rtpSpId: "10987654321" + + PageOfActivations: + description: Page of RTP activations. + type: object + additionalProperties: false + properties: + activations: + $ref: '#/components/schemas/Activations' + page: + $ref: '#/components/schemas/PageMetadata' + required: + - activations + - page + example: + activations: + - id: "d0d654e6-97da-4848-b568-99fedccb642b" + effectiveActivationDate: "2024-10-30T16:39:34+01:00" + payer: + fiscalCode: "RSSMRA85T10A562S" + rtpSpId: "10987654321" + page: + totalElements: 2 + totalPages: 2 + page: 1 + size: 1 + + Payer: + description: | + Payer data. + type: object + additionalProperties: false + properties: + fiscalCode: + $ref: '#/components/schemas/FiscalCode' + rtpSpId: + $ref: '#/components/schemas/PartyId' + required: + - fiscalCode + - rtpSpId + example: + fiscalCode: "RSSMRA85T10A562S" + rtpSpId: "10987654321" + + # ============================================================================ + # Request bodies. + # ============================================================================ + requestBodies: + CreateOrUpdateActivation: + description: Request to create or update a RTP activation. + content: + application/json: + schema: + $ref: '#/components/schemas/ActivationReq' + + # ============================================================================ + # Parameters. 
+ # ============================================================================ + parameters: + ActivationId: + name: activationId + in: path + description: Identifier of the RTP activation resource. + required: true + schema: + $ref: '#/components/schemas/ActivationId' + + PageNumber: + name: page + in: query + description: Number of the requested page of data. + required: true + schema: + $ref: '#/components/schemas/PageNumber' + + PageSize: + name: size + in: query + description: Size of the requested page of data. + required: true + schema: + $ref: '#/components/schemas/PageSize' + + PayerId: + name: PayerId + in: header + description: Identifier of the Payer. + required: true + schema: + $ref: '#/components/schemas/FiscalCode' + + RequestId: + name: RequestId + in: header + description: Identifier of the request. + required: true + schema: + $ref: '#/components/schemas/RequestId' + + Version: + name: Version + in: header + description: Version of the required API. + required: false + schema: + $ref: '#/components/schemas/Version' + + # ============================================================================ + # Responses + # ============================================================================ + responses: + Activation: + description: Response returned when RTP activation data is requested. + headers: + Access-Control-Allow-Origin: + description: | + Indicates whether the response can be shared with requesting code + from the given origin. 
+ required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + content: + application/json: + schema: + $ref: '#/components/schemas/Activation' + + CreateActivation: + description: Response returned when a RTP activation is requested. + headers: + Access-Control-Allow-Origin: + description: | + Indicates whether the response can be shared with requesting code + from the given origin. + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period. + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period. + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + Location: + description: URL of the activation resource. + required: true + schema: + $ref: '#/components/schemas/ActivationLocation' + + Error: + description: Error response. + headers: + Access-Control-Allow-Origin: + description: | + Indicates whether the response can be shared with requesting code + from the given origin. + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period. + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + Retry-After: + description: | + The number of seconds to wait before allowing a follow-up request. 
+ required: false + schema: + $ref: '#/components/schemas/RetryAfter' + content: + application/json: + schema: + $ref: '#/components/schemas/Errors' + text/*: + schema: + type: string + pattern: "^[ -~]{0,65535}$" + maxLength: 65535 + + NoContent: + description: No content response. + headers: + Access-Control-Allow-Origin: + description: | + Indicates whether the response can be shared with requesting code + from the given origin. + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period. + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period. + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + + PageOfActivations: + description: Response to the request to get RTP activations. + headers: + Access-Control-Allow-Origin: + description: | + Indicates whether the response can be shared with requesting code + from the given origin. + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period. + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period. + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + content: + application/json: + schema: + $ref: '#/components/schemas/PageOfActivations' + + # ============================================================================ + # Security schemes. + # ============================================================================ + securitySchemes: + oAuth2: + description: | + A bearer token in the format of a JWS and conforms to the specifications + included in RFC8725. 
+ type: oauth2 + flows: + clientCredentials: + tokenUrl: /token + refreshUrl: /token + scopes: + admin_rtp_activations: Admin RPT activation. + write_rtp_activations: Create, update or delete RTP activation. + read_rtp_activations: Read RTP activation. diff --git a/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java b/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java new file mode 100644 index 0000000..c1d9c4a --- /dev/null +++ b/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java @@ -0,0 +1,25 @@ +package it.gov.pagopa.rtp.activator.controller; + +import java.util.UUID; + +import org.springframework.http.ResponseEntity; +import org.springframework.validation.annotation.Validated; +import org.springframework.web.bind.annotation.RestController; +import org.springframework.web.server.ServerWebExchange; + +import it.gov.pagopa.rtp.activator.controller.generated.CreateApi; +import it.gov.pagopa.rtp.activator.model.generated.ActivationReqDto; +import reactor.core.publisher.Mono; + +@RestController +@Validated +public class ActivationAPIControllerImpl implements CreateApi { + + @Override + public Mono> activate(UUID requestId, String version, Mono activationReqDto, + ServerWebExchange exchange) { + // TODO Auto-generated method stub + throw new UnsupportedOperationException("Unimplemented method 'activate'"); + } + +} From 658f8e3b4e3e0b6ad6e21367e56587b9cb722d5c Mon Sep 17 00:00:00 2001 
From: petretiandrea Date: Wed, 20 Nov 2024 13:54:44 +0100 Subject: [PATCH 14/17] remove playground controller + add jwt test utils --- build.gradle | 1 + .../rtp/activator/PlaygroundController.java | 37 -------------- .../pagopa/rtp/activator/JwtTestUtils.java | 50 +++++++++++++++++++ .../NoSignatureJwtDecoderTest.java | 21 ++++++++ src/test/resources/application.properties | 1 + 5 files changed, 73 insertions(+), 37 deletions(-) delete mode 100644 src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java create mode 100644 src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java create mode 100644 src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java create mode 100644 src/test/resources/application.properties diff --git a/build.gradle b/build.gradle index b5a4584..3d3cf19 100644 --- a/build.gradle +++ b/build.gradle @@ -41,6 +41,7 @@ dependencies { implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310") implementation("org.springframework.boot:spring-boot-starter-validation") testImplementation 'org.springframework.boot:spring-boot-starter-test' + testImplementation 'org.springframework.security:spring-security-test' testImplementation 'io.projectreactor:reactor-test' testRuntimeOnly 'org.junit.platform:junit-platform-launcher' } diff --git a/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java b/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java deleted file mode 100644 index d05fbc0..0000000 --- a/src/main/java/it/gov/pagopa/rtp/activator/PlaygroundController.java +++ /dev/null 
@@ -1,37 +0,0 @@
-package it.gov.pagopa.rtp.activator;
-
-import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RestController;
-import reactor.core.publisher.Mono;
-
-import java.security.Principal;
-
-// Controller to play with role and authorization
-// TODO: remove me
-@RestController
-public class PlaygroundController {
-
- @PreAuthorize("hasRole('mil-auth-admin')")
- @GetMapping("/test")
- public Mono> trySomething(
- Principal principal
- ) {
- return Mono.just(
- ResponseEntity.ok("Ciao " + principal.getName())
- );
- }
-
- @PreAuthorize("hasRole('mil-auth-admin')")
- @GetMapping("/test2")
- public Mono> trySomething2(
- Authentication authentication
- ) {
- return Mono.just(
- ResponseEntity.ok("Ciao " + authentication.getName() + " " + authentication.getAuthorities())
- );
- }
-
-}
diff --git a/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java b/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java
new file mode 100644
index 0000000..e0d1ab6
--- /dev/null
+++ b/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java
@@ -0,0 +1,50 @@
+package it.gov.pagopa.rtp.activator;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+
+import java.util.Date;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+
+public final class JwtTestUtils {
+
+ public static String generateToken(String subject, String... roles) throws JOSEException {
+ return generateToken(subject, new Date(new Date().getTime() + 60 * 60 * 1000), roles); // 1 hour
+ }
+
+ public static String generateExpiredToken(String subject, String... roles) throws JOSEException {
+ return generateToken(subject, new Date(new Date().getTime() - 60 * 60 * 1000), roles); // 1 hour ago
+ }
+
+ private static String generateToken(String subject, Date expirationTime, String... roles) throws JOSEException {
+ // Create HMAC signer
+ JWSSigner signer = new MACSigner(
+ IntStream.range(0, 256).mapToObj(Integer::toString).collect(Collectors.joining())
+ );
+
+ // Prepare JWT with claims set
+ JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+ .subject(subject)
+ .claim("groups", roles)
+ .issuer("pagopa.it")
+ .expirationTime(expirationTime) // 1 hour expiration
+ .build();
+
+ SignedJWT signedJWT = new SignedJWT(
+ new JWSHeader(JWSAlgorithm.HS256),
+ claimsSet);
+
+ // Apply the HMAC signature
+ signedJWT.sign(signer);
+
+ // Serialize to compact form
+ return signedJWT.serialize();
+ }
+
+}
diff --git a/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java b/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java
new file mode 100644
index 0000000..4429bfe
--- /dev/null
+++ b/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java
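Review bot: The HMAC key in the private `generateToken` is a fixed string built from `IntStream.range(0, 256)`, so it is reproducible by anyone who reads this file, and nothing in the class says the tokens are for tests only. That is fine for a fixture, but a class Javadoc should state it, for example `/** Test-only: tokens are signed with a fixed, publicly known HMAC key and must never be trusted outside tests. */`. The class is `final` yet still instantiable; a `private JwtTestUtils() {}` constructor would close that. The trailing comment `// 1 hour expiration` on `.expirationTime(expirationTime)` is wrong for the `generateExpiredToken` path and should be dropped.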
@@ -0,0 +1,21 @@ +package it.gov.pagopa.rtp.activator.configuration; + +import com.nimbusds.jose.JOSEException; +import it.gov.pagopa.rtp.activator.JwtTestUtils; +import org.hamcrest.Matchers; +import org.junit.jupiter.api.Test; + +import static org.hamcrest.MatcherAssert.assertThat; + +class NoSignatureJwtDecoderTest { + + + @Test + void givenSignedTokenMustDecodeWithoutVerifySignature() throws JOSEException { + final var decoder = new NoSignatureJwtDecoder(); + final var token = JwtTestUtils.generateToken("me", "none"); + assertThat(decoder.decode(token), Matchers.notNullValue()); + } + +} + diff --git a/src/test/resources/application.properties b/src/test/resources/application.properties new file mode 100644 index 0000000..1060f52 --- /dev/null +++ b/src/test/resources/application.properties @@ -0,0 +1 @@ +logging.level.org.springframework.security=DEBUG \ No newline at end of file From 3db7bbc2c01506244b36d899eac29c12bd8d7dc3 Mon Sep 17 00:00:00 2001 From: petretiandrea Date: Wed, 20 Nov 2024 17:59:27 +0100 Subject: [PATCH 15/17] added authorization tests --- build.gradle | 7 +- .../configuration/SecurityConfig.java | 2 +- .../ActivationAPIControllerImpl.java | 5 +- .../NoSignatureJwtDecoderTest.java | 13 +++- .../ActivationAPIControllerImplTest.java | 71 +++++++++++++++++++ .../JwtUtils.java} | 11 +-- .../gov/pagopa/rtp/activator/utils/Users.java | 17 +++++ src/test/resources/application.properties | 2 +- 8 files changed, 112 insertions(+), 16 deletions(-) create mode 100644 src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java rename src/test/java/it/gov/pagopa/rtp/activator/{JwtTestUtils.java => utils/JwtUtils.java} (83%) create mode 100644 src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java diff --git a/build.gradle b/build.gradle index 3d3cf19..1d35c96 100644 --- a/build.gradle +++ b/build.gradle 
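Review bot: `givenSignedTokenMustDecodeWithoutVerifySignature` pins the fact that `NoSignatureJwtDecoder` accepts a token without checking its signature, and its only assertion, `Matchers.notNullValue()`, checks none of the decoded claims. The decoder is not part of this hunk, so the following is inferred: if it is the decoder wired into the application's security configuration, the `sub` and `groups` claims that drive authorization are whatever the caller sends, unless a component in front of the service has already verified the token. I would record that assumption on the test, e.g. `// Signature is assumed to be verified upstream (TODO confirm); this decoder only parses the token and validates its claims`, and make sure the decoder cannot be selected when no such component is present. The assertion should also compare the decoded subject with "me" instead of testing for non-null.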
@@ -75,9 +75,13 @@ openApiGenerate { apiPackage.set("it.gov.pagopa.rtp.activator.controller.generated") modelPackage.set("it.gov.pagopa.rtp.activator.model.generated") modelNameSuffix.set("Dto") + generateApiTests.set(false) + generateApiDocumentation.set(false) + generateApiTests.set(false) + generateModelTests.set(false) + library.set("spring-boot") configOptions.set([ "dateLibrary" : "java8", - "requestMappingMode" : "api_interface", "useSpringBoot3" : "true", "interfaceOnly" : "true", "useTags" : "true", @@ -85,6 +89,7 @@ openApiGenerate { "reactive" : "true", "swaggerAnnotations" : "false", "skipDefaultInterface" : "true", + "openApiNullable" : "true", ]) typeMappings.set([ "DateTime" : "java.time.LocalDateTime", diff --git a/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java b/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java index b51373c..ffb7a17 100644 --- a/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java +++ b/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java @@ -15,7 +15,7 @@ @Configuration @EnableWebFluxSecurity -@EnableReactiveMethodSecurity // allows to use @PreAuthorize with roles +@EnableReactiveMethodSecurity(proxyTargetClass = true) // allows to use @PreAuthorize with roles public class SecurityConfig { @Bean diff --git a/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java b/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java index 558b867..7ee2e15 100644 --- a/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java +++ b/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java @@ -1,5 +1,6 @@ package it.gov.pagopa.rtp.activator.controller; +import java.net.URI; import java.util.UUID; import org.springframework.http.ResponseEntity; 
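Review bot: `generateApiTests.set(false)` appears twice among the lines added to `openApiGenerate` in the first build.gradle hunk; the second occurrence is redundant and should be removed. The `openApiGenerate` block starts and ends outside the hunk, so this is limited to the added lines shown.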
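Review bot: The comment on `@EnableReactiveMethodSecurity(proxyTargetClass = true)` in SecurityConfig.java still reads `// allows to use @PreAuthorize with roles` and does not say why class-based proxies are now needed. This setting affects how the `@PreAuthorize`-annotated controller is proxied and registered, so the reason belongs next to it; presumably it is because the controller implements the generated `CreateApi` interface, but that is inferred from the controller change in the same commit and should be confirmed. A comment such as `// proxyTargetClass: controllers implement generated API interfaces; CGLIB proxies keep them visible as @RestController (TODO confirm)` would do. The class body continues outside the hunk.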
@@ -16,8 +17,8 @@ @Validated public class ActivationAPIControllerImpl implements CreateApi { - @PreAuthorize("hasRole('write_rtp_activations')") @Override + @PreAuthorize("hasRole('write_rtp_activations')") public Mono> activate( UUID requestId, String version, @@ -25,7 +26,7 @@ public Mono> activate( ServerWebExchange exchange ) { return activationReqDto.flatMap( - request -> Mono.just(ResponseEntity.ok().build()) + request -> Mono.just(ResponseEntity.created(URI.create("http://localhost")).build()) ); } } diff --git a/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java b/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java index 4429bfe..d55a84e 100644 --- a/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java +++ b/src/test/java/it/gov/pagopa/rtp/activator/configuration/NoSignatureJwtDecoderTest.java 
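Review bot: `ResponseEntity.created(URI.create("http://localhost"))` returns a fixed placeholder as the `Location` of the new activation, and the lambda ignores `request`, so a 201 is sent for a resource that was never stored. Until persistence exists, mark it with `// TODO: build Location from the persisted activation id and a configured base URL, not from request data`. Separately, the OpenAPI document in this series lists `admin_rtp_activations` next to `write_rtp_activations` for update and delete; the create operation is not visible here, but if it does the same, `hasRole('write_rtp_activations')` rejects admin callers and `@PreAuthorize("hasAnyRole('write_rtp_activations', 'admin_rtp_activations')")` would match the contract. `activate` spans both hunks of this file and its signature is only partly shown.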
@@ -1,21 +1,28 @@ package it.gov.pagopa.rtp.activator.configuration; import com.nimbusds.jose.JOSEException; -import it.gov.pagopa.rtp.activator.JwtTestUtils; +import it.gov.pagopa.rtp.activator.utils.JwtUtils; import org.hamcrest.Matchers; import org.junit.jupiter.api.Test; +import org.springframework.security.oauth2.jwt.JwtValidationException; import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.jupiter.api.Assertions.assertThrows; class NoSignatureJwtDecoderTest { - @Test void givenSignedTokenMustDecodeWithoutVerifySignature() throws JOSEException { final var decoder = new NoSignatureJwtDecoder(); - final var token = JwtTestUtils.generateToken("me", "none"); + final var token = JwtUtils.generateToken("me", "none"); assertThat(decoder.decode(token), Matchers.notNullValue()); } + @Test + void givenExpiredTokenMustThrowError() throws JOSEException { + final var decoder = new NoSignatureJwtDecoder(); + final var token = JwtUtils.generateExpiredToken("me", "none"); + assertThrows(JwtValidationException.class, () -> decoder.decode(token)); + } } diff --git a/src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java b/src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java new file mode 100644 index 0000000..8e754e7 --- /dev/null +++ b/src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java 
@@ -0,0 +1,71 @@ +package it.gov.pagopa.rtp.activator.controller; + +import it.gov.pagopa.rtp.activator.configuration.SecurityConfig; +import it.gov.pagopa.rtp.activator.model.generated.ActivationReqDto; +import it.gov.pagopa.rtp.activator.model.generated.PayerDto; +import it.gov.pagopa.rtp.activator.utils.Users; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest; +import org.springframework.context.ApplicationContext; +import org.springframework.context.annotation.Import; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpStatus; +import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.test.context.junit.jupiter.SpringExtension; +import org.springframework.test.web.reactive.server.WebTestClient; + +import java.util.UUID; + +import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity; + + +@ExtendWith(SpringExtension.class) +@WebFluxTest(controllers = {ActivationAPIControllerImpl.class}) +@Import(SecurityConfig.class) +class ActivationAPIControllerImplTest { + @Autowired + ApplicationContext context; + + WebTestClient web; + + @BeforeEach + public void setup() { + web = WebTestClient + .bindToApplicationContext(this.context) + .apply(springSecurity()) + .configureClient() + .build(); + } + + @Test + @Users.RtpWriter + void shouldCreateNewActivation() { + web.post() + .uri("/activations") + .header("RequestId", UUID.randomUUID().toString()) + .header("Version", "v1") + .bodyValue(generateActivationRequest()) + .exchange() + .expectStatus().isEqualTo(HttpStatus.CREATED) + .expectHeader().exists(HttpHeaders.LOCATION); + } + + @Test + @WithMockUser + void userWithoutEnoughPermissionShouldNotCreateNewActivation() { + web.post() 
+ .uri("/activations") + .header("RequestId", UUID.randomUUID().toString()) + .header("Version", "v1") + .bodyValue(generateActivationRequest()) + .exchange() + .expectStatus().isEqualTo(HttpStatus.FORBIDDEN); + } + + private ActivationReqDto generateActivationRequest() { + return new ActivationReqDto(new PayerDto("RSSMRA85T10A562S", "134")); + } +} \ No newline at end of file diff --git a/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java b/src/test/java/it/gov/pagopa/rtp/activator/utils/JwtUtils.java similarity index 83% rename from src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java rename to src/test/java/it/gov/pagopa/rtp/activator/utils/JwtUtils.java index e0d1ab6..951cbb5 100644 --- a/src/test/java/it/gov/pagopa/rtp/activator/JwtTestUtils.java +++ b/src/test/java/it/gov/pagopa/rtp/activator/utils/JwtUtils.java @@ -1,4 +1,4 @@ -package it.gov.pagopa.rtp.activator; +package it.gov.pagopa.rtp.activator.utils; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSAlgorithm; @@ -12,7 +12,7 @@ import java.util.stream.Collectors; import java.util.stream.IntStream; -public final class JwtTestUtils { +public final class JwtUtils { public static String generateToken(String subject, String... roles) throws JOSEException { return generateToken(subject, new Date(new Date().getTime() + 60 * 60 * 1000), roles); // 1 hour 
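Review bot: Both tests in ActivationAPIControllerImplTest authenticate through `@WithMockUser`, so the path from a bearer token's `groups` claim to a `ROLE_` authority is never exercised, and there is no case for a request that carries no credentials at all. A test that sends a token from `JwtUtils.generateToken` in the `Authorization` header, plus an unauthenticated request like the one below, would cover the configuration that actually guards `/activations`. The expected status assumes the resource-server entry point in `SecurityConfig` answers 401; adjust it if the configuration differs.

```java
@Test
void unauthenticatedRequestShouldBeRejected() {
    web.post()
        .uri("/activations")
        .header("RequestId", UUID.randomUUID().toString())
        .header("Version", "v1")
        .bodyValue(generateActivationRequest())
        .exchange()
        .expectStatus().isUnauthorized();
}
```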
@@ -23,27 +23,22 @@ public static String generateExpiredToken(String subject, String... roles) throw } private static String generateToken(String subject, Date expirationTime, String... roles) throws JOSEException { - // Create HMAC signer JWSSigner signer = new MACSigner( IntStream.range(0, 256).mapToObj(Integer::toString).collect(Collectors.joining()) ); - // Prepare JWT with claims set JWTClaimsSet claimsSet = new JWTClaimsSet.Builder() .subject(subject) .claim("groups", roles) .issuer("pagopa.it") - .expirationTime(expirationTime) // 1 hour expiration + .expirationTime(expirationTime) .build(); SignedJWT signedJWT = new SignedJWT( new JWSHeader(JWSAlgorithm.HS256), claimsSet); - // Apply the HMAC signature signedJWT.sign(signer); - - // Serialize to compact form return signedJWT.serialize(); } diff --git a/src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java b/src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java new file mode 100644 index 0000000..bdabc68 --- /dev/null +++ b/src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java @@ -0,0 +1,17 @@ +package it.gov.pagopa.rtp.activator.utils; + +import org.springframework.security.test.context.support.WithMockUser; + +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; + +public class Users { + + @Retention(RetentionPolicy.RUNTIME) + @WithMockUser(value = "writer", roles = "write_rtp_activations") + public @interface RtpWriter { } + + @Retention(RetentionPolicy.RUNTIME) + @WithMockUser(value = "reader", roles = "read_rtp_activations") + public @interface RtpReader { } +} diff --git a/src/test/resources/application.properties b/src/test/resources/application.properties index 1060f52..cf39e7e 100644 --- a/src/test/resources/application.properties +++ b/src/test/resources/application.properties @@ -1 +1 @@ -logging.level.org.springframework.security=DEBUG \ No newline at end of file +logging.level.org.springframework.security=DEBUG 
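Review bot: After this hunk drops the comments, nothing in `generateToken` says that the `MACSigner` key is a fixed, repository-visible string (the numbers 0 to 255 joined together), so any token it signs can be reproduced by anyone who reads the source. That is acceptable for tests, but the same patch renames the class from `JwtTestUtils` to `JwtUtils`, which removes the only hint in the name that it is test-only. I would add a comment above the signer such as `// Test-only: fixed, publicly known HMAC key; tokens signed with it must never be accepted outside tests.` and consider keeping `Test` in the class name.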
From fd98434ef13cc95179e6a527c07f87408a4b8cf4 Mon Sep 17 00:00:00 2001 From: petretiandrea Date: Thu, 21 Nov 2024 10:54:47 +0100 Subject: [PATCH 16/17] add method to check authenticated user against request --- .../ActivationAPIControllerImpl.java | 18 +++---- .../rtp/activator/utils/Authorizations.java | 48 +++++++++++++++++++ .../ActivationAPIControllerImplTest.java | 15 +++++- .../gov/pagopa/rtp/activator/utils/Users.java | 9 +++- 4 files changed, 78 insertions(+), 12 deletions(-) create mode 100644 src/main/java/it/gov/pagopa/rtp/activator/utils/Authorizations.java diff --git a/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java b/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java index 7ee2e15..c14d83a 100644 --- a/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java +++ b/src/main/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImpl.java @@ -1,18 +1,19 @@ package it.gov.pagopa.rtp.activator.controller; -import java.net.URI; -import java.util.UUID; - +import it.gov.pagopa.rtp.activator.controller.generated.CreateApi; +import it.gov.pagopa.rtp.activator.model.generated.ActivationReqDto; import org.springframework.http.ResponseEntity; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.RestController; import org.springframework.web.server.ServerWebExchange; - -import it.gov.pagopa.rtp.activator.controller.generated.CreateApi; -import it.gov.pagopa.rtp.activator.model.generated.ActivationReqDto; import reactor.core.publisher.Mono; +import java.net.URI; +import java.util.UUID; + +import static it.gov.pagopa.rtp.activator.utils.Authorizations.verifySubjectRequest; + @RestController @Validated public class ActivationAPIControllerImpl implements CreateApi { 
@@ -25,8 +26,7 @@ public Mono> activate( Mono activationReqDto, ServerWebExchange exchange ) { - return activationReqDto.flatMap( - request -> Mono.just(ResponseEntity.created(URI.create("http://localhost")).build()) - ); + return verifySubjectRequest(activationReqDto, it -> it.getPayer().getRtpSpId()) + .map(request -> ResponseEntity.created(URI.create("http://localhost")).build()); } } diff --git a/src/main/java/it/gov/pagopa/rtp/activator/utils/Authorizations.java b/src/main/java/it/gov/pagopa/rtp/activator/utils/Authorizations.java new file mode 100644 index 0000000..4997d9a --- /dev/null +++ b/src/main/java/it/gov/pagopa/rtp/activator/utils/Authorizations.java 
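Review bot: A request whose `payer` or `rtpSpId` is missing would reach `it -> it.getPayer().getRtpSpId()` and the `.equals(auth.getName())` call in `verifySubjectRequest` (the Authorizations.java hunk of this patch) and fail with a NullPointerException instead of an access-denied or validation error, unless bean validation rejects the body first. The class is `@Validated`, but the constraints on `ActivationReqDto` are not visible here. Flipping the comparison to `auth.getName().equals(extractSubject.apply(request))` makes a null subject a plain mismatch, and the lambda could guard `getPayer()` in the same spirit. `activate` starts above this hunk, so any `@PreAuthorize` expression that runs before this check is not shown.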
@@ -0,0 +1,48 @@
+package it.gov.pagopa.rtp.activator.utils;
+
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
+import reactor.core.publisher.Mono;
+
+import java.util.function.BiPredicate;
+import java.util.function.Function;
+
+public final class Authorizations {
+
+ private Authorizations(){}
+
+ /**
+ * Verifies that the subject in the request matches the authenticated user's subject.
+ * It uses the provided {@code extractSubject} function to extract the subject from the request object,
+ * and compares it with the authenticated user's name.
+ *
+ * @param The type of the request body.
+ * @param requestBody A {@link Mono} containing the request body that needs to be verified.
+ * @param extractSubject A function that extracts the subject (e.g., user identifier) from the request body.
+ * @return A {@link Mono} containing the request body if the subjects match, or an error if they don't.
+ */
+ public static Mono verifySubjectRequest(Mono requestBody, Function extractSubject) {
+ return verifyRequestBody(requestBody, (request, auth) -> extractSubject.apply(request).equals(auth.getName()));
+ }
+
+ /**
+ * Verifies that the request body passes a custom verification function that involves the authenticated user.
+ * This method takes a {@link Mono} of the request body and checks the provided {@code verify} predicate to ensure
+ * the request meets the security requirements. If the predicate fails, an {@link AccessDeniedException} is thrown.
+ *
+ * @param The type of the request body.
+ * @param requestBody A {@link Mono} containing the request body that needs to be verified.
+ * @param verify A {@link BiPredicate} that performs a custom verification on the request body and the authenticated user.
+ * @return A {@link Mono} containing the request body if the verification succeeds.
+ */ + public static Mono verifyRequestBody(Mono requestBody, BiPredicate verify) { + return ReactiveSecurityContextHolder.getContext().flatMap(securityContext -> + requestBody.flatMap(request -> verify.test(request, securityContext.getAuthentication()) ? + Mono.just(request) : + Mono.error(new AccessDeniedException("Authenticated user doesn't have permission to perform this action.")) + ) + ); + } + +} diff --git a/src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java b/src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java index 8e754e7..46178e9 100644 --- a/src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java +++ b/src/test/java/it/gov/pagopa/rtp/activator/controller/ActivationAPIControllerImplTest.java @@ -19,6 +19,7 @@ import java.util.UUID; +import static it.gov.pagopa.rtp.activator.utils.Users.SERVICE_PROVIDER_ID; import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity; @@ -53,6 +54,18 @@ void shouldCreateNewActivation() { .expectHeader().exists(HttpHeaders.LOCATION); } + @Test + @WithMockUser(value = "another", roles = Users.ACTIVATION_WRITE_ROLE) + void authorizedUserShouldNotActivateForAnotherServiceProvider() { + web.post() + .uri("/activations") + .header("RequestId", UUID.randomUUID().toString()) + .header("Version", "v1") + .bodyValue(generateActivationRequest()) + .exchange() + .expectStatus().isEqualTo(HttpStatus.FORBIDDEN); + } + @Test @WithMockUser void userWithoutEnoughPermissionShouldNotCreateNewActivation() { @@ -66,6 +79,6 @@ void userWithoutEnoughPermissionShouldNotCreateNewActivation() { } private ActivationReqDto generateActivationRequest() { - return new ActivationReqDto(new PayerDto("RSSMRA85T10A562S", "134")); + return new ActivationReqDto(new PayerDto("RSSMRA85T10A562S", SERVICE_PROVIDER_ID)); } } \ No newline at end of file 
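Review bot: `verifyRequestBody` does not fail closed when there is no security context: `ReactiveSecurityContextHolder.getContext()` completes empty in that case, the `flatMap` never runs, and the method returns an empty `Mono` rather than the `AccessDeniedException` the Javadoc describes. Callers then see neither the request nor an error, and what the controller returns for an empty `Mono` is decided outside this hunk. I would make the missing context an explicit denial, e.g. `ReactiveSecurityContextHolder.getContext().switchIfEmpty(Mono.error(new AccessDeniedException("No authenticated user.")))` before the `flatMap`. The Javadoc should also state that an empty `requestBody` yields an empty result.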
diff --git a/src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java b/src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java index bdabc68..3ef1898 100644 --- a/src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java +++ b/src/test/java/it/gov/pagopa/rtp/activator/utils/Users.java @@ -7,11 +7,16 @@ public class Users { + public static final String SERVICE_PROVIDER_ID = "1234"; + + public static final String ACTIVATION_WRITE_ROLE = "write_rtp_activations"; + public static final String ACTIVATION_READ_ROLE = "read_rtp_activations"; + @Retention(RetentionPolicy.RUNTIME) - @WithMockUser(value = "writer", roles = "write_rtp_activations") + @WithMockUser(value = SERVICE_PROVIDER_ID, roles = ACTIVATION_WRITE_ROLE) public @interface RtpWriter { } @Retention(RetentionPolicy.RUNTIME) - @WithMockUser(value = "reader", roles = "read_rtp_activations") + @WithMockUser(value = SERVICE_PROVIDER_ID, roles = ACTIVATION_READ_ROLE) public @interface RtpReader { } } From a18c9bc0d3f4bb99f4e86a15323b2aa3e6fece37 Mon Sep 17 00:00:00 2001 From: petretiandrea Date: Thu, 21 Nov 2024 11:00:12 +0100 Subject: [PATCH 17/17] change default version --- openapi/activation.openapi.yaml | 2 +- .../it/gov/pagopa/rtp/activator/RtpActivatorApplication.java | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/openapi/activation.openapi.yaml b/openapi/activation.openapi.yaml index da37f83..403e49e 100644 --- a/openapi/activation.openapi.yaml +++ b/openapi/activation.openapi.yaml @@ -445,7 +445,7 @@ components: pattern: "^[ -~]{1,64}$" minLength: 1 maxLength: 64 - example: "1.0.0-alpha-a.b-c-somethinglong+build.1-aef.1-its-okay" + example: "v1" # -------------------------------------------------------------------------- # Domain specific basic types. diff --git a/src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java b/src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java index d258f9d..46fd9e2 100644 
--- a/src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java +++ b/src/main/java/it/gov/pagopa/rtp/activator/RtpActivatorApplication.java @@ -2,11 +2,13 @@ import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; +import reactor.core.publisher.Hooks; @SpringBootApplication public class RtpActivatorApplication { public static void main(String[] args) { + Hooks.enableAutomaticContextPropagation(); SpringApplication.run(RtpActivatorApplication.class, args); }