From 1df040228adc027a42e2d4ef92b33e0157c9af0c Mon Sep 17 00:00:00 2001
From: "J. Cliff Dyer" <cdyer@edx.org>
Date: Mon, 1 Feb 2016 20:36:35 +0000
Subject: [PATCH] Configure LMS to select oauth2 providing library.

Available backends:

* django-oauth-toolkit (DOT)
* django-oauth2-provider (DOP)

* Use provided client ID to select backend for
  * AccessToken requests
  * third party auth-token exchange
* Create adapters to isolate library-dependent functionality
* Handle django-oauth-toolkit tokens in edX DRF authenticator class

MA-1998
MA-2000
---
 cms/envs/common.py                            |   5 +-
 common/djangoapps/auth_exchange/forms.py      |  10 +-
 .../djangoapps/auth_exchange/tests/mixins.py  | 111 ++++++++
 .../auth_exchange/tests/test_forms.py         |  60 ++++-
 .../auth_exchange/tests/test_views.py         |  86 ++++--
 .../djangoapps/auth_exchange/tests/utils.py   |  15 +-
 common/djangoapps/auth_exchange/views.py      | 110 +++++++-
 .../third_party_auth/tests/utils.py           |  23 +-
 common/test/db_cache/lettuce.db               | Bin 1396736 -> 1420288 bytes
 lms/djangoapps/oauth_dispatch/__init__.py     |   0
 .../oauth_dispatch/adapters/__init__.py       |   7 +
 lms/djangoapps/oauth_dispatch/adapters/dop.py |  70 +++++
 lms/djangoapps/oauth_dispatch/adapters/dot.py |  73 +++++
 .../oauth_dispatch/tests/__init__.py          |   0
 .../oauth_dispatch/tests/constants.py         |   5 +
 lms/djangoapps/oauth_dispatch/tests/mixins.py |   3 +
 .../oauth_dispatch/tests/test_dop_adapter.py  |  77 ++++++
 .../oauth_dispatch/tests/test_dot_adapter.py  |  76 ++++++
 .../oauth_dispatch/tests/test_views.py        | 251 ++++++++++++++++++
 lms/djangoapps/oauth_dispatch/urls.py         |  25 ++
 lms/djangoapps/oauth_dispatch/views.py        |  89 +++++++
 lms/djangoapps/support/tests/test_programs.py |   2 +-
 lms/envs/common.py                            |   5 +-
 lms/urls.py                                   |  19 +-
 .../programs/tasks/v1/tests/test_tasks.py     |   2 +-
 openedx/core/lib/api/authentication.py        |  40 ++-
 .../core/lib/api/tests/test_authentication.py |  35 ++-
 pavelib/prereqs.py                            |   2 +-
 requirements/edx/base.txt                     |   5 +-
 29 files changed, 1114 insertions(+), 92 deletions(-)
 create mode 100644 common/djangoapps/auth_exchange/tests/mixins.py
 create mode 100644 lms/djangoapps/oauth_dispatch/__init__.py
 create mode 100644 lms/djangoapps/oauth_dispatch/adapters/__init__.py
 create mode 100644 lms/djangoapps/oauth_dispatch/adapters/dop.py
 create mode 100644 lms/djangoapps/oauth_dispatch/adapters/dot.py
 create mode 100644 lms/djangoapps/oauth_dispatch/tests/__init__.py
 create mode 100644 lms/djangoapps/oauth_dispatch/tests/constants.py
 create mode 100644 lms/djangoapps/oauth_dispatch/tests/mixins.py
 create mode 100644 lms/djangoapps/oauth_dispatch/tests/test_dop_adapter.py
 create mode 100644 lms/djangoapps/oauth_dispatch/tests/test_dot_adapter.py
 create mode 100644 lms/djangoapps/oauth_dispatch/tests/test_views.py
 create mode 100644 lms/djangoapps/oauth_dispatch/urls.py
 create mode 100644 lms/djangoapps/oauth_dispatch/views.py

diff --git a/cms/envs/common.py b/cms/envs/common.py
index 954ae13380..2beb6e6925 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -864,11 +864,14 @@ INSTALLED_APPS = (
     # Self-paced course configuration
     'openedx.core.djangoapps.self_paced',
 
-    # OAuth2 Provider
+    # django-oauth2-provider (deprecated)
     'provider',
     'provider.oauth2',
     'edx_oauth2_provider',
 
+    # django-oauth-toolkit
+    'oauth2_provider',
+
     # These are apps that aren't strictly needed by Studio, but are imported by
     # other apps that are.  Django 1.8 wants to have imported models supported
     # by installed apps.
diff --git a/common/djangoapps/auth_exchange/forms.py b/common/djangoapps/auth_exchange/forms.py
index 81cd9da183..8caf61799d 100644
--- a/common/djangoapps/auth_exchange/forms.py
+++ b/common/djangoapps/auth_exchange/forms.py
@@ -8,6 +8,7 @@ import provider.constants
 from provider.forms import OAuthForm, OAuthValidationError
 from provider.oauth2.forms import ScopeChoiceField, ScopeMixin
 from provider.oauth2.models import Client
+from oauth2_provider.models import Application
 from requests import HTTPError
 from social.backends import oauth as social_oauth
 from social.exceptions import AuthException
@@ -21,9 +22,10 @@ class AccessTokenExchangeForm(ScopeMixin, OAuthForm):
     scope = ScopeChoiceField(choices=SCOPE_NAMES, required=False)
     client_id = CharField(required=False)
 
-    def __init__(self, request, *args, **kwargs):
+    def __init__(self, request, oauth2_adapter, *args, **kwargs):
         super(AccessTokenExchangeForm, self).__init__(*args, **kwargs)
         self.request = request
+        self.oauth2_adapter = oauth2_adapter
 
     def _require_oauth_field(self, field_name):
         """
@@ -68,15 +70,15 @@ class AccessTokenExchangeForm(ScopeMixin, OAuthForm):
 
         client_id = self.cleaned_data["client_id"]
         try:
-            client = Client.objects.get(client_id=client_id)
-        except Client.DoesNotExist:
+            client = self.oauth2_adapter.get_client(client_id=client_id)
+        except (Client.DoesNotExist, Application.DoesNotExist):
             raise OAuthValidationError(
                 {
                     "error": "invalid_client",
                     "error_description": "{} is not a valid client_id".format(client_id),
                 }
             )
-        if client.client_type != provider.constants.PUBLIC:
+        if client.client_type not in [provider.constants.PUBLIC, Application.CLIENT_PUBLIC]:
             raise OAuthValidationError(
                 {
                     # invalid_client isn't really the right code, but this mirrors
diff --git a/common/djangoapps/auth_exchange/tests/mixins.py b/common/djangoapps/auth_exchange/tests/mixins.py
new file mode 100644
index 0000000000..450f789657
--- /dev/null
+++ b/common/djangoapps/auth_exchange/tests/mixins.py
@@ -0,0 +1,111 @@
+"""
+Mixins to facilitate testing OAuth connections to Django-OAuth-Toolkit or
+Django-OAuth2-Provider.
+"""
+
+# pylint: disable=protected-access
+
+from unittest import skip, expectedFailure
+from django.test.client import RequestFactory
+
+from lms.djangoapps.oauth_dispatch import adapters
+from lms.djangoapps.oauth_dispatch.tests.constants import DUMMY_REDIRECT_URL
+
+from ..views import DOTAccessTokenExchangeView
+
+
+class DOPAdapterMixin(object):
+    """
+    Mixin to rewire existing tests to use django-oauth2-provider (DOP) backend
+
+    Overwrites self.client_id, self.access_token, self.oauth2_adapter
+    """
+    client_id = 'dop_test_client_id'
+    access_token = 'dop_test_access_token'
+    oauth2_adapter = adapters.DOPAdapter()
+
+    def create_public_client(self, user, client_id=None):
+        """
+        Create an oauth client application that is public.
+        """
+        return self.oauth2_adapter.create_public_client(
+            name='Test Public Client',
+            user=user,
+            client_id=client_id,
+            redirect_uri=DUMMY_REDIRECT_URL,
+        )
+
+    def create_confidential_client(self, user, client_id=None):
+        """
+        Create an oauth client application that is confidential.
+        """
+        return self.oauth2_adapter.create_confidential_client(
+            name='Test Confidential Client',
+            user=user,
+            client_id=client_id,
+            redirect_uri=DUMMY_REDIRECT_URL,
+        )
+
+    def get_token_response_keys(self):
+        """
+        Return the set of keys provided when requesting an access token
+        """
+        return {'access_token', 'token_type', 'expires_in', 'scope'}
+
+
+class DOTAdapterMixin(object):
+    """
+    Mixin to rewire existing tests to use django-oauth-toolkit (DOT) backend
+
+    Overwrites self.client_id, self.access_token, self.oauth2_adapter
+    """
+
+    client_id = 'dot_test_client_id'
+    access_token = 'dot_test_access_token'
+    oauth2_adapter = adapters.DOTAdapter()
+
+    def create_public_client(self, user, client_id=None):
+        """
+        Create an oauth client application that is public.
+        """
+        return self.oauth2_adapter.create_public_client(
+            name='Test Public Application',
+            user=user,
+            client_id=client_id,
+            redirect_uri=DUMMY_REDIRECT_URL,
+        )
+
+    def create_confidential_client(self, user, client_id=None):
+        """
+        Create an oauth client application that is confidential.
+        """
+        return self.oauth2_adapter.create_confidential_client(
+            name='Test Confidential Application',
+            user=user,
+            client_id=client_id,
+            redirect_uri=DUMMY_REDIRECT_URL,
+        )
+
+    def get_token_response_keys(self):
+        """
+        Return the set of keys provided when requesting an access token
+        """
+        return {'access_token', 'refresh_token', 'token_type', 'expires_in', 'scope'}
+
+    def test_get_method(self):
+        # Dispatch routes all get methods to DOP, so we test this on the view
+        request_factory = RequestFactory()
+        request = request_factory.get('/oauth2/exchange_access_token/')
+        request.session = {}
+        view = DOTAccessTokenExchangeView.as_view()
+        response = view(request, backend='facebook')
+        self.assertEqual(response.status_code, 400)
+
+    @expectedFailure
+    def test_single_access_token(self):
+        # TODO: Single access tokens not supported yet for DOT (See MA-2122)
+        super(DOTAdapterMixin, self).test_single_access_token()
+
+    @skip("Not supported yet (See MA-2123)")
+    def test_scopes(self):
+        super(DOTAdapterMixin, self).test_scopes()
diff --git a/common/djangoapps/auth_exchange/tests/test_forms.py b/common/djangoapps/auth_exchange/tests/test_forms.py
index ffeffb4e22..490628f868 100644
--- a/common/djangoapps/auth_exchange/tests/test_forms.py
+++ b/common/djangoapps/auth_exchange/tests/test_forms.py
@@ -12,10 +12,12 @@ import httpretty
 from provider import scope
 import social.apps.django_app.utils as social_utils
 
-from auth_exchange.forms import AccessTokenExchangeForm
-from auth_exchange.tests.utils import AccessTokenExchangeTestMixin
 from third_party_auth.tests.utils import ThirdPartyOAuthTestMixinFacebook, ThirdPartyOAuthTestMixinGoogle
 
+from ..forms import AccessTokenExchangeForm
+from .utils import AccessTokenExchangeTestMixin
+from .mixins import DOPAdapterMixin, DOTAdapterMixin
+
 
 class AccessTokenExchangeFormTest(AccessTokenExchangeTestMixin):
     """
@@ -31,7 +33,7 @@ class AccessTokenExchangeFormTest(AccessTokenExchangeTestMixin):
         self.request.backend = social_utils.load_backend(self.request.social_strategy, self.BACKEND, redirect_uri)
 
     def _assert_error(self, data, expected_error, expected_error_description):
-        form = AccessTokenExchangeForm(request=self.request, data=data)
+        form = AccessTokenExchangeForm(request=self.request, oauth2_adapter=self.oauth2_adapter, data=data)
         self.assertEqual(
             form.errors,
             {"error": expected_error, "error_description": expected_error_description}
@@ -39,7 +41,7 @@ class AccessTokenExchangeFormTest(AccessTokenExchangeTestMixin):
         self.assertNotIn("partial_pipeline", self.request.session)
 
     def _assert_success(self, data, expected_scopes):
-        form = AccessTokenExchangeForm(request=self.request, data=data)
+        form = AccessTokenExchangeForm(request=self.request, oauth2_adapter=self.oauth2_adapter, data=data)
         self.assertTrue(form.is_valid())
         self.assertEqual(form.cleaned_data["user"], self.user)
         self.assertEqual(form.cleaned_data["client"], self.oauth_client)
@@ -49,13 +51,15 @@ class AccessTokenExchangeFormTest(AccessTokenExchangeTestMixin):
 # This is necessary because cms does not implement third party auth
 @unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
 @httpretty.activate
-class AccessTokenExchangeFormTestFacebook(
+class DOPAccessTokenExchangeFormTestFacebook(
+        DOPAdapterMixin,
         AccessTokenExchangeFormTest,
         ThirdPartyOAuthTestMixinFacebook,
-        TestCase
+        TestCase,
 ):
     """
-    Tests for AccessTokenExchangeForm used with Facebook
+    Tests for AccessTokenExchangeForm used with Facebook, tested against
+    django-oauth2-provider (DOP).
     """
     pass
 
@@ -63,12 +67,46 @@ class AccessTokenExchangeFormTestFacebook(
 # This is necessary because cms does not implement third party auth
 @unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
 @httpretty.activate
-class AccessTokenExchangeFormTestGoogle(
+class DOTAccessTokenExchangeFormTestFacebook(
+        DOTAdapterMixin,
         AccessTokenExchangeFormTest,
-        ThirdPartyOAuthTestMixinGoogle,
-        TestCase
+        ThirdPartyOAuthTestMixinFacebook,
+        TestCase,
 ):
     """
-    Tests for AccessTokenExchangeForm used with Google
+    Tests for AccessTokenExchangeForm used with Facebook, tested against
+    django-oauth-toolkit (DOT).
+    """
+    pass
+
+
+# This is necessary because cms does not implement third party auth
+@unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
+@httpretty.activate
+class DOPAccessTokenExchangeFormTestGoogle(
+        DOPAdapterMixin,
+        AccessTokenExchangeFormTest,
+        ThirdPartyOAuthTestMixinGoogle,
+        TestCase,
+):
+    """
+    Tests for AccessTokenExchangeForm used with Google, tested against
+    django-oauth2-provider (DOP).
+    """
+    pass
+
+
+# This is necessary because cms does not implement third party auth
+@unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
+@httpretty.activate
+class DOTAccessTokenExchangeFormTestGoogle(
+        DOTAdapterMixin,
+        AccessTokenExchangeFormTest,
+        ThirdPartyOAuthTestMixinGoogle,
+        TestCase,
+):
+    """
+    Tests for AccessTokenExchangeForm used with Google, tested against
+    django-oauth-toolkit (DOT).
     """
     pass
diff --git a/common/djangoapps/auth_exchange/tests/test_views.py b/common/djangoapps/auth_exchange/tests/test_views.py
index 5c0b7503f9..60c687960c 100644
--- a/common/djangoapps/auth_exchange/tests/test_views.py
+++ b/common/djangoapps/auth_exchange/tests/test_views.py
@@ -1,25 +1,30 @@
-# pylint: disable=no-member
 """
 Tests for OAuth token exchange views
 """
+
+# pylint: disable=no-member
+
 from datetime import timedelta
 import json
 import mock
 import unittest
 
+import ddt
 from django.conf import settings
 from django.core.urlresolvers import reverse
 from django.test import TestCase
 import httpretty
 import provider.constants
-from provider import scope
 from provider.oauth2.models import AccessToken, Client
+from rest_framework.test import APIClient
 
-from auth_exchange.tests.utils import AccessTokenExchangeTestMixin
 from student.tests.factories import UserFactory
 from third_party_auth.tests.utils import ThirdPartyOAuthTestMixinFacebook, ThirdPartyOAuthTestMixinGoogle
+from .mixins import DOPAdapterMixin, DOTAdapterMixin
+from .utils import AccessTokenExchangeTestMixin
 
 
+@ddt.ddt
 class AccessTokenExchangeViewTest(AccessTokenExchangeTestMixin):
     """
     Mixin that defines test cases for AccessTokenExchangeView
@@ -27,33 +32,34 @@ class AccessTokenExchangeViewTest(AccessTokenExchangeTestMixin):
     def setUp(self):
         super(AccessTokenExchangeViewTest, self).setUp()
         self.url = reverse("exchange_access_token", kwargs={"backend": self.BACKEND})
+        self.csrf_client = APIClient(enforce_csrf_checks=True)
 
     def _assert_error(self, data, expected_error, expected_error_description):
-        response = self.client.post(self.url, data)
+        response = self.csrf_client.post(self.url, data)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(response["Content-Type"], "application/json")
         self.assertEqual(
             json.loads(response.content),
-            {"error": expected_error, "error_description": expected_error_description}
+            {u"error": expected_error, u"error_description": expected_error_description}
         )
         self.assertNotIn("partial_pipeline", self.client.session)
 
     def _assert_success(self, data, expected_scopes):
-        response = self.client.post(self.url, data)
+        response = self.csrf_client.post(self.url, data)
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response["Content-Type"], "application/json")
         content = json.loads(response.content)
-        self.assertEqual(set(content.keys()), {"access_token", "token_type", "expires_in", "scope"})
+        self.assertEqual(set(content.keys()), self.get_token_response_keys())
         self.assertEqual(content["token_type"], "Bearer")
         self.assertLessEqual(
             timedelta(seconds=int(content["expires_in"])),
             provider.constants.EXPIRE_DELTA_PUBLIC
         )
-        self.assertEqual(content["scope"], " ".join(expected_scopes))
-        token = AccessToken.objects.get(token=content["access_token"])
+        self.assertEqual(content["scope"], self.oauth2_adapter.normalize_scopes(expected_scopes))
+        token = self.oauth2_adapter.get_access_token(token_string=content["access_token"])
         self.assertEqual(token.user, self.user)
-        self.assertEqual(token.client, self.oauth_client)
-        self.assertEqual(scope.to_names(token.scope), expected_scopes)
+        self.assertEqual(self.oauth2_adapter.get_client_for_token(token), self.oauth_client)
+        self.assertEqual(self.oauth2_adapter.get_token_scope_names(token), expected_scopes)
 
     def test_single_access_token(self):
         def extract_token(response):
@@ -64,16 +70,15 @@ class AccessTokenExchangeViewTest(AccessTokenExchangeTestMixin):
 
         self._setup_provider_response(success=True)
         for single_access_token in [True, False]:
-            with mock.patch(
-                "auth_exchange.views.constants.SINGLE_ACCESS_TOKEN",
-                single_access_token
-            ):
+            with mock.patch("auth_exchange.views.constants.SINGLE_ACCESS_TOKEN", single_access_token):
                 first_response = self.client.post(self.url, self.data)
                 second_response = self.client.post(self.url, self.data)
-                self.assertEqual(
-                    extract_token(first_response) == extract_token(second_response),
-                    single_access_token
-                )
+            self.assertEqual(first_response.status_code, 200)
+            self.assertEqual(second_response.status_code, 200)
+            self.assertEqual(
+                extract_token(first_response) == extract_token(second_response),
+                single_access_token
+            )
 
     def test_get_method(self):
         response = self.client.get(self.url, self.data)
@@ -95,10 +100,11 @@ class AccessTokenExchangeViewTest(AccessTokenExchangeTestMixin):
 # This is necessary because cms does not implement third party auth
 @unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
 @httpretty.activate
-class AccessTokenExchangeViewTestFacebook(
+class DOPAccessTokenExchangeViewTestFacebook(
+        DOPAdapterMixin,
         AccessTokenExchangeViewTest,
         ThirdPartyOAuthTestMixinFacebook,
-        TestCase
+        TestCase,
 ):
     """
     Tests for AccessTokenExchangeView used with Facebook
@@ -106,16 +112,48 @@ class AccessTokenExchangeViewTestFacebook(
     pass
 
 
+@unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
+@httpretty.activate
+class DOTAccessTokenExchangeViewTestFacebook(
+        DOTAdapterMixin,
+        AccessTokenExchangeViewTest,
+        ThirdPartyOAuthTestMixinFacebook,
+        TestCase,
+):
+    """
+    Rerun AccessTokenExchangeViewTestFacebook tests against DOT backend
+    """
+    pass
+
+
 # This is necessary because cms does not implement third party auth
 @unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
 @httpretty.activate
-class AccessTokenExchangeViewTestGoogle(
+class DOPAccessTokenExchangeViewTestGoogle(
+        DOPAdapterMixin,
         AccessTokenExchangeViewTest,
         ThirdPartyOAuthTestMixinGoogle,
-        TestCase
+        TestCase,
 ):
     """
-    Tests for AccessTokenExchangeView used with Google
+    Tests for AccessTokenExchangeView used with Google using
+    django-oauth2-provider backend.
+    """
+    pass
+
+
+# This is necessary because cms does not implement third party auth
+@unittest.skipUnless(settings.FEATURES.get("ENABLE_THIRD_PARTY_AUTH"), "third party auth not enabled")
+@httpretty.activate
+class DOTAccessTokenExchangeViewTestGoogle(
+        DOTAdapterMixin,
+        AccessTokenExchangeViewTest,
+        ThirdPartyOAuthTestMixinGoogle,
+        TestCase,
+):
+    """
+    Tests for AccessTokenExchangeView used with Google using
+    django-oauth-toolkit backend.
     """
     pass
 
diff --git a/common/djangoapps/auth_exchange/tests/utils.py b/common/djangoapps/auth_exchange/tests/utils.py
index 60608f292f..2629557c08 100644
--- a/common/djangoapps/auth_exchange/tests/utils.py
+++ b/common/djangoapps/auth_exchange/tests/utils.py
@@ -1,9 +1,8 @@
 """
 Test utilities for OAuth access token exchange
 """
-import provider.constants
-from social.apps.django_app.default.models import UserSocialAuth
 
+from social.apps.django_app.default.models import UserSocialAuth
 from third_party_auth.tests.utils import ThirdPartyOAuthTestMixin
 
 
@@ -37,6 +36,12 @@ class AccessTokenExchangeTestMixin(ThirdPartyOAuthTestMixin):
         """
         raise NotImplementedError()
 
+    def _create_client(self):
+        """
+        Create an oauth2 client application using class defaults.
+        """
+        return self.create_public_client(self.user, self.client_id)
+
     def test_minimal(self):
         self._setup_provider_response(success=True)
         self._assert_success(self.data, expected_scopes=[])
@@ -61,12 +66,12 @@ class AccessTokenExchangeTestMixin(ThirdPartyOAuthTestMixin):
         )
 
     def test_confidential_client(self):
-        self.oauth_client.client_type = provider.constants.CONFIDENTIAL
-        self.oauth_client.save()
+        self.data['client_id'] += '_confidential'
+        self.oauth_client = self.create_confidential_client(self.user, self.data['client_id'])
         self._assert_error(
             self.data,
             "invalid_client",
-            "test_client_id is not a public client"
+            "{}_confidential is not a public client".format(self.client_id),
         )
 
     def test_inactive_user(self):
diff --git a/common/djangoapps/auth_exchange/views.py b/common/djangoapps/auth_exchange/views.py
index abd31de9ec..6669e489c5 100644
--- a/common/djangoapps/auth_exchange/views.py
+++ b/common/djangoapps/auth_exchange/views.py
@@ -1,4 +1,3 @@
-# pylint: disable=abstract-method
 """
 Views to support exchange of authentication credentials.
 The following are currently implemented:
@@ -7,36 +6,52 @@ The following are currently implemented:
     2. LoginWithAccessTokenView:
        1st party (open-edx) OAuth 2.0 access token -> session cookie
 """
+
+# pylint: disable=abstract-method
+
 from django.conf import settings
 from django.contrib.auth import login
 import django.contrib.auth as auth
 from django.http import HttpResponse
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
+from edx_oauth2_provider.constants import SCOPE_VALUE_DICT
+from oauth2_provider.settings import oauth2_settings
+from oauth2_provider.views.base import TokenView as DOTAccessTokenView
+from oauthlib.oauth2.rfc6749.tokens import BearerToken
 from provider import constants
-from provider.oauth2.views import AccessTokenView as AccessTokenView
+from provider.oauth2.views import AccessTokenView as DOPAccessTokenView
 from rest_framework import permissions
+from rest_framework.response import Response
 from rest_framework.views import APIView
 import social.apps.django_app.utils as social_utils
 
 from auth_exchange.forms import AccessTokenExchangeForm
+from lms.djangoapps.oauth_dispatch import adapters
 from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser
 
 
-class AccessTokenExchangeView(AccessTokenView):
+class AccessTokenExchangeBase(APIView):
     """
-    View for token exchange from 3rd party OAuth access token to 1st party OAuth access token
+    View for token exchange from 3rd party OAuth access token to 1st party
+    OAuth access token.
     """
     @method_decorator(csrf_exempt)
     @method_decorator(social_utils.strategy("social:complete"))
     def dispatch(self, *args, **kwargs):
-        return super(AccessTokenExchangeView, self).dispatch(*args, **kwargs)
+        return super(AccessTokenExchangeBase, self).dispatch(*args, **kwargs)
 
     def get(self, request, _backend):  # pylint: disable=arguments-differ
-        return super(AccessTokenExchangeView, self).get(request)
+        """
+        Pass through GET requests without the _backend
+        """
+        return super(AccessTokenExchangeBase, self).get(request)
 
     def post(self, request, _backend):  # pylint: disable=arguments-differ
-        form = AccessTokenExchangeForm(request=request, data=request.POST)
+        """
+        Handle POST requests to get a first-party access token.
+        """
+        form = AccessTokenExchangeForm(request=request, oauth2_adapter=self.oauth2_adapter, data=request.POST)  # pylint: disable=no-member
         if not form.is_valid():
             return self.error_response(form.errors)
 
@@ -44,12 +59,89 @@ class AccessTokenExchangeView(AccessTokenView):
         scope = form.cleaned_data["scope"]
         client = form.cleaned_data["client"]
 
+        return self.exchange_access_token(request, user, scope, client)
+
+    def exchange_access_token(self, request, user, scope, client):
+        """
+        Exchange third party credentials for an edx access token, and return a
+        serialized access token response.
+        """
         if constants.SINGLE_ACCESS_TOKEN:
-            edx_access_token = self.get_access_token(request, user, scope, client)
+            edx_access_token = self.get_access_token(request, user, scope, client)  # pylint: disable=no-member
         else:
             edx_access_token = self.create_access_token(request, user, scope, client)
+        return self.access_token_response(edx_access_token)  # pylint: disable=no-member
 
-        return self.access_token_response(edx_access_token)
+
+class DOPAccessTokenExchangeView(AccessTokenExchangeBase, DOPAccessTokenView):
+    """
+    View for token exchange from 3rd party OAuth access token to 1st party
+    OAuth access token.  Uses django-oauth2-provider (DOP) to manage access
+    tokens.
+    """
+
+    oauth2_adapter = adapters.DOPAdapter()
+
+
+class DOTAccessTokenExchangeView(AccessTokenExchangeBase, DOTAccessTokenView):
+    """
+    View for token exchange from 3rd party OAuth access token to 1st party
+    OAuth access token.  Uses django-oauth-toolkit (DOT) to manage access
+    tokens.
+    """
+
+    oauth2_adapter = adapters.DOTAdapter()
+
+    def get(self, request, _backend):
+        return Response(status=400, data={
+            'error': 'invalid_request',
+            'error_description': 'Only POST requests allowed.',
+        })
+
+    def get_access_token(self, request, user, scope, client):
+        """
+        TODO: MA-2122: Reusing access tokens is not yet supported for DOT.
+        Just return a new access token.
+        """
+        return self.create_access_token(request, user, scope, client)
+
+    def create_access_token(self, request, user, scope, client):
+        """
+        Create and return a new access token.
+        """
+        _days = 24 * 60 * 60
+        token_generator = BearerToken(
+            expires_in=settings.OAUTH_EXPIRE_PUBLIC_CLIENT_DAYS * _days,
+            request_validator=oauth2_settings.OAUTH2_VALIDATOR_CLASS(),
+        )
+        self._populate_create_access_token_request(request, user, scope, client)
+        return token_generator.create_token(request, refresh_token=True)
+
+    def access_token_response(self, token):
+        """
+        Wrap an access token in an appropriate response
+        """
+        return Response(data=token)
+
+    def _populate_create_access_token_request(self, request, user, scope, client):
+        """
+        django-oauth-toolkit expects certain non-standard attributes to
+        be present on the request object.  This function modifies the
+        request object to match these expectations
+        """
+        request.user = user
+        request.scopes = [SCOPE_VALUE_DICT[scope]]
+        request.client = client
+        request.state = None
+        request.refresh_token = None
+        request.extra_credentials = None
+        request.grant_type = client.authorization_grant_type
+
+    def error_response(self, form_errors):
+        """
+        Return an error response consisting of the errors in the form
+        """
+        return Response(status=400, data=form_errors)
 
 
 class LoginWithAccessTokenView(APIView):
diff --git a/common/djangoapps/third_party_auth/tests/utils.py b/common/djangoapps/third_party_auth/tests/utils.py
index cce2edd59b..588d23dce9 100644
--- a/common/djangoapps/third_party_auth/tests/utils.py
+++ b/common/djangoapps/third_party_auth/tests/utils.py
@@ -22,23 +22,30 @@ class ThirdPartyOAuthTestMixin(ThirdPartyAuthTestMixin):
     USER_URL: The URL of the endpoint that the backend retrieves user data from
     UID_FIELD: The field in the user data that the backend uses as the user id
     """
+    social_uid = "test_social_uid"
+    access_token = "test_access_token"
+    client_id = "test_client_id"
+
     def setUp(self, create_user=True):
         super(ThirdPartyOAuthTestMixin, self).setUp()
-        self.social_uid = "test_social_uid"
-        self.access_token = "test_access_token"
-        self.client_id = "test_client_id"
-        self.oauth_client = Client.objects.create(
-            client_id=self.client_id,
-            client_type=PUBLIC
-        )
         if create_user:
             self.user = UserFactory()
             UserSocialAuth.objects.create(user=self.user, provider=self.BACKEND, uid=self.social_uid)
+        self.oauth_client = self._create_client()
         if self.BACKEND == 'google-oauth2':
             self.configure_google_provider(enabled=True)
         elif self.BACKEND == 'facebook':
             self.configure_facebook_provider(enabled=True)
 
+    def _create_client(self):
+        """
+        Create an OAuth2 client application
+        """
+        return Client.objects.create(
+            client_id=self.client_id,
+            client_type=PUBLIC,
+        )
+
     def _setup_provider_response(self, success=False, email=''):
         """
         Register a mock response for the third party user information endpoint;
@@ -65,7 +72,7 @@ class ThirdPartyOAuthTestMixin(ThirdPartyAuthTestMixin):
             self.USER_URL,
             body=body,
             status=status,
-            content_type="application/json"
+            content_type="application/json",
         )
 
 
diff --git a/common/test/db_cache/lettuce.db b/common/test/db_cache/lettuce.db
index 9a9cf041058658e49a9c0102fee21f7b73347ac9..c90f206e8615a6d655cfb7187591eaab8875e7d7 100644
GIT binary patch
delta 47636
zcmb5X2VhiH);Rv|eQ#PaeO@x@l_Z3;>60OZ5JCtwp%ZEdNeF>7Qs@vS0n)xz5an1`
zT<l#~8C|9AuB&SUb?r1)QBhHJZEJ!5x$jL1F5iCtAI3X#%Dwm8cJ8_7mf5y%?zVU4
z?TR+JI8L#e8~mrt+@0wpt|yk=!dn_Sj!xaqDUhh<-@#D$_Mlcc!7G#2avVQn&j+ee
z<g0^P^#{C0(E1I?{dV2K??c13ld6N-UH9>;%T+w3+(+~=%wwwb{W&@dzZXc~?<L>i
zcf0hxhuntWQ<OZRE6Hg58pgg(;@-lqqJk$RwV8>b;a|m2v5Nnh|DOMv|APORKgYkv
z|AT+^psD--KV7lNzZvPX{nZ#w@|R#Z)}M}{!*9kgbv*`=^D!{6JoE{azQk$B&qf41
z^n3C%eT0vqep*R$_>DXy_K3*`6Uq-0s?fo1ooEw~Z!YXC5;K)MD1ILUFNKChE2{A8
zNO<y;n3zsDK9>D)il|5-GL2TX)Ku5C$ze;)n)aI3HtsloJD0J?RGv;1T2Q=eNnpuN
zf%xaeRQAmc_3K1?$j$h5VXP3HL*T@RmIy@>|11~1yD&!0|C39^|6?(QL=v~VFlz4v
zUU^V?d!K6L+?IK5tIH<MnP1&Hb#?CCxvM?1s=dq0N~g}5J8fRuB<F+)EgL8M*3|5I
zYX2CW+dJBoo9)WAdt5$UfVhlTEQjXk6hfEc*>1(NB%pYfUMW)B=qIekSKp-Nms0u(
zR`V9xp{U!*ieI~94Td#4SY=o5Sb$;Wj_DXK+resg>5fbcm+XkcaKR2ehV!;>!f?*^
zIt*uSXZ$m^PsXrxJL8|eJp;qZ+hZ^+*&c#naTjZ^qOMvD$9FBna9r0^3_J3>3h-le
zmlH!@S2Bj)t}qOpT`CN1ovj#VcP_;+t8)s58J)Qpj_PEbX`LnvlRH_dlKj~76$ySO
zO1ys(hOvGhhB1C7dW1h7L#v<hTl}nP%<C{PuB^u}bRGs8*1^<Fcm<0<Bd}JuC=L_i
z6f5};`6v0k{5rmrkD>pj@6l)J-E<SJrsJued`$jKeowZM*~CqviNKxW9^tl15iu_N
zr&wVZXa(hdfaB?5BAhG;3)fyi^zu;xok_W`W%P+}H3q}mh^~;)pH@~^!)suPH_|^L
zc5$*mizs(i!WPqr<@8R(&NmA*k#cV$wxXqdc}rat^&@&#m_XAg_Yy-l)YW58ZECEc
ztZ$b^3N(ju#~J0Su1t%OI&Gvtr&I2!>YDnRwi>vrN)c5?S#?a5qdiu&va+$ZrlPgI
zWo^xd6-_M-l#RCu@dC}G+}(1tiWbZdC26avu4-y;X{{lbkf%`QxgFy7ixJv)5R)gD
z=teN?5o1h85tExE&_$H%m(qdPc8bXp?m@IGR-j(Wbp<o8Yh2q@S5>pJ4olUtf&340
z<d_ALOxFkVZ)|F-A*^9DM+l^Z*2CBH#JD`xCDJVdNuiZe;hP#;+Z$?HNDAUdL<+=C
z=Lh3gR#nxsV&bc78i^9AiEu{A$B{VrRmmrjXh=};c3rrXwnLT);&+;?O713PHo+zp
zA4?S>aI5sGf~Qq{rb?lVz$^%?dD>#>zM|p-S5(5xaiMJBdb92JT$>LTO%jT=4B^T4
z*_<Aa10J3vWCSs}?p%-82Omxn(t{X}$L?|aAY!sGDu{8rF&zh#P8Pf&ayl-X#|_s{
z7Dfj-TsFJi>wz~X3!Wgx>G8TSj&+LQ8^Ab`%Lj|62xA8@HoM2?g?ooE4o|Mr=7LL8
z1bdLjp6m2_T#z+Y$cT{hw!3{!pWDVOIBQB_WpzVcBiuDrh_W!MJKN@RJDs*1s^G#>
z3ZX1h9VaE^%J%tkolXZlKUK&Yz&PxVT*uyNLb-&<&CYe(+zt;^PZP3(7_ZH3b9vzR
z(*$o2<Mv=Nyzs#^VSEtd@;Pi?H{?tg@&_>PT&K?m>!%BogBWM7+wFG2E7OJC0gOA>
z?X!WYbTA!<$A`s&iqc?><!0M+9axEQcd0Nl7|ZUoJAED?Wx+xqkIkLyvcu>y!6xx|
zvz<1(H`fJg%LG>t<FGlsE*Bgs3)Vb#46h^C={mGsC8z^Jy^*Q|%4Ndu^Hh`Ojh|lZ
ztb&Jb6Go^i9pxJe=dXdcZWH2E<Lj!|%=fJg{Ct~GZW@rr;quyCfr>|j(hnKR?Z6)A
z^I~^;dY58M5M%Q>Tv$-DTQO+><90dS9+<mZQ8a*Ycsy=5+`U^NHM`rMo$K>Bu@io<
zTOm~#!`SUES1zR75X9KB-9E(Fpl%q(<IS}>;gKPX%j0s}9q{!HiWyQ~wrrQvgS7$E
z_b8-(;6{wio9pzz&OHjL*%5;s#pQFuu{{d83Vqpjm(AvLA2J%K5TG|JdT*Cf%gx5l
z;Bz<tT*{F_jNRqQb@|{Wmr@!WZfp>r)8+Aj$*q(I6vKG%pA$;l$}}mKH{0fP+Ffqg
z=vHQ$SxvgL?H;Gk=9uSHa0QdW=uyVPn{K5vM%}LL++1vSJA`<GnYgmOZX0F;GdxOZ
zWFwCoYscY&ZjaI-W#Y(o+TC^>0?&Dr1C8VGx*a|z=)B5lK_2XdSZ7e<RSq<c!{hL{
zo$yDma$Jzd?)G@S?nCF4N+F;eqx|6u%B$eYNL9FUV}yct6Yx(YBIKm2zM+H!l1Hgd
zwlhnD6+GALu-Qql<K3^S+pcxzj<$QU9WI;GZi5Y(YF8-3VEJ8MtdOTN)mUakV41NA
zY`JhTQ;j+XG0tqS-Rp8XAty_X)hJ;+xpuEJ7nWzKvGOGhO7FnYa6e+Cgq_(o8_EwC
zv($?u7Du+*g9^n1bF$SrL5veMp34E(XREROb4S~-GI0c>f;*8dXN4HM&FRSX0nJf6
zB_8biE^jVYU15$I`w_;nXJa*ay>{4?Ba3Xqp5^tRPJzQYYOho!*n_;NZEa{=Z5Mds
zLE#eBb}Oghc$}tD+)i!|Xg}4|@g2=*OOM*Q0mJNWf}y(`EnVK%t-;XNt;I0E8*OX8
zu-k&+#BM8wQ@f)uEbC6kaCUbVhV!}|7%u7dVp!RY<_=%oosVH{_gD-Yy2oMI(mesg
z_1!qD@teBQlHxnMOIZe8-SaWr*<H8u3(ejyLX`0fIR5YaE`BLm!!OYrX$kq393Y#>
zWTN9<<@Ru3`bFiUx%1(zFG4c)SRYPDHjXow&E=a1#)~0Yvt*pdVaG<ypR3?9G76h2
z+uK$;Dw<oG*49<mv|xifDr~tG?akGdZ8fdfbv#)%XO_*I;INNo(e0?ou+BZB=U{Zy
z_qS%t-Nk7`f(JD|OuiVB%38zW&Gx#yKD!q-T@1k?f*70*U0x@S%mWugq%MURJ9Y)^
zQr}(-DUo>G**>PH-B9vnNZ|m+frHfvH+~sR$Bo0$>%*@3(w8AcW|lHeLq41_bH`6p
zaCs^4+Ls~GkoQ%HRZ75>?R2~B4ks-ADkz#A$Eq{eW`kW{g`iTx1nk)^mm8HU{QWCA
z6C5I5p9fXxy*HZ0L+6Z44XH!vj7*W_a3qH;BEKVlAkUCD$R|`uV`u?gKsVDT=}&w*
zKcDyW_wz6C|HRe6mB7;S(AVgp#i7a9r^=%Gn5J?5N8Mr}kb-k9O#VD{PSyag%i&~0
z`093$cwKI<cSU>sin{uGnDKdNX5jnJL(SVlxN<s+9^*&yH)8e^1IkA2PXumm&^Cgt
zLAw(ETCc5#atsc=Oo$lI{SQaE1ddCfb?iT8<qrP`H+F05(aI*LF|qlSY(Ho!-$s^n
zS#~z7tX?nOQPftsyuRi)-Ke6rrLwW@nn*saXjXCIoZ^Hzh2y6cCnQ~i2|k!-_JQH3
zdIg9Vl}2S{b8~%N6>K}A9SPa5sFkLH-dZ73D%;?RQcD6fKcPzrTxrr0<AFJXRx5DF
zIqo=ZqA&8xQ1~ZmyGHF?qp}tk(;aiKDRfKC3N(0EO6KBk#TriINB-9$z}A=5m5{wQ
z1Xc9QYIn+zv_sZtQo_ijy6U9#%!H)>m(mI8<vUy8y6;Re9sf<h3j2Sf^67r_&h;wm
zWH0sS)HPPutp6>y)Or<Fb|>1DKG!v=l()m<r_^C^_&c?x<LU@W31y|%Y}m#&R_>~%
z>YAi<f6UGevJ6H4MF!9EDqE$iX8AQ`;2ptsfWRrWUXo<2EXhE$|3i|2?o-#)SixEY
z=Y$s&f;NN{aioZxqSy0auNI>M3FVe(5*M~}qb#udS^|UqggV?f*w&I9ymP3IVB86H
zbmP@@RvYcDH7!!+{+ykgRMz>$)Ia@N>El{#sCQQQT$Q%m>dOD#&aR={JFXe~+SN0h
zl}RX#2W+t1ottI(D*kWz1{z?X-NJ+O%T=Y|J^!141JVEg3HaM)^xJoCktLn^e@j}E
z>$TY{tKp8bYPEH+d4|^k?;R3T6(qnbXVuZM*JK}P)WFYsLPLd+ogCdpYPg+TC+eVf
zh2US*t%W$W!bl#>*{;2hc89{R3>*#49oi3RcL+r6)aH?#z?_}hapc}+t<k9C@8AS(
z21lOa?<0hp0md6c#?AC+bt_cXxkdk5hZ$Zi!BYOmSRTg1j~FVZ!0<3*wK*Klol>hh
z1`9fjf1sRl=XG`qvMdX(S>?mxRrsns9&eT7KgRSh9zHoZvL}~LC@xQc!>810S<?(-
z8cgWgy<`|C6Sb<ouBNfAqO}HnC2dLRU6tKbWi2YAJ4>!P7YvI%(1%$UcB73nIP0L=
z;4}W~R1jnZ0>WseECGyDg^bWL2V_f4Ra-@SOC3Bx)S^NX4{lFY#aWn1*3?qBv9gUR
zCP|Y>1c*GMPJ_#*RdKr3)pgAk1AOr4zl~N{)~z*5Q=lI0PYykG_)nPE&BO60bTN6u
z3-OyW{O4>jtnhqhNPrlXyjCx8D_K{5jYQ&?YV6E&69nvnn*Y)Tq4%shCVZ&#49$Oh
z)=+1I=g+DWhjp<buB*G4t6MGSwdmSiY$#sEfd2T8QV;R)ssBqCTRF^WG?>u;(#3|7
zW1<eLHhEBFbgN{ECtpiqXgc%1)lSN=+G#$c7Q?QYKfH2AZLR6t+^v*)^7bv)?#V+!
z{<rGL{jVJvrkqx9|9`Q@3IkU%bPDu!+!#s)P~NQVpxp-OzF9k#6hOy=+E|#eL#u#K
zZ`QhKw;tkd(M}*^Wx}>wwE47K2S;x~tvDv|-7VTvdfIJ)H}2OKk_oWyuy$l1{{bx_
zwA&2h9>f%jSj0KB+XQbia6AK(!TXTbLA#Bx`XR)PlW>7o9@2K1G~Hn;>-6b#hZEkr
zUmFicU)L&O>tSsoDG6Zeb1>m>IGU=C0rOF95$;%|c3WZLQSB5`4A;GZM(DPqT20`s
zquNhRv^xThy@r&@GR672Hjj2kLi6j|d1MO1<-i@UYt?Z1b*)#^9i_5XOsD=eP<a&d
z{pxkC3J$-4)cQ9t^JxKOUyD^XNrQ_G<vDE;A?YyX11$B-!2f)pT~Ct?+;onAiSOjc
z(=X|M+CV+H-hYMMNM;Z%_b&H)ZaR+3G+MR-UOA;L(z|`59l5xk^5L@1R|9dUwOK)&
z6Ma}7o4pzqoYtmDICN3DT(~A0Uj-*mYem?1TAL&haEXTA8K-yraz^k-ICnO#^6d_X
zw-UrN+6)QjLbr|$mwS$7F#U`+mEml-0QKZz{>}>UpV6jCi_+X|o5Nv4&)ZTsbVi#l
z;k>vo#6@4OYYALDqa7K<q4NQ~Qj-@$@>y-Zgu?}-6WuPJS&N|Ytaf4$=R!ZD+ctI~
z{Q0cbA>nW(<wIwvqhtY;e-V-=;n0DAE+$;}mBU?Mgh>7ir!(8*wj<}EWfr9xl$W%-
zNfz9ENn1wd1U|i_#XdF)zWW-RcRGywMq5iV;Qnv0SxVuHZ?uO=rleZoZ~xNz=q$7y
z>x~Lb<QMIABpYt}MO#kh!k52j+er>o|Ef(V^WnN*wbv6H#9h|r3FTY5?Xcvs)<G7)
zuFKl#!~tgzPZq-0qjcc`+ZFBSk;Dmx9~3e0m0qugagn-ovgqKr+wDZ?tnBu}ol&|n
zvJ5_WRTl%tqV*wgY>lW1#6|0R3?vus8>O2}mIpAgZ#2XQAGvh%NtKi~{OHofLc&p<
z0Nb7rR>K*$ZZ*k=DIQ$~se|Jm>#We@(Ivo=r%la)nO@yJp*S*s7_ak^)iU*dh29AB
z4-<Q!yGVB^3<vbs1-cS~-gzeZ?F)2siEf<AnwLkr?2<}?rV_ms!WQWwNTV#mx)Qws
z?ssV1fu2RWb`vRt%k{cK(j-$~n5Z|yj1s*7^$ohe;CQw*>ShbgbGnPzH!mD%)Ws;)
zbS8FBfU}Ld0@5ny>~7NiI~>Po&Q9G-MVo(3_e9vSQ<p>9;mMttObHz6)@8$e-8ze~
zc6|3F1{TtF*l?nSHQX-U1RTawcj>aohQNkhy4e&*@Qf67%%0OnHSo<1x+uj)e^d8V
zFzwOhlg;qN<GLt#Y`I<=Xy2nV>&Z0exl89JTVz6CrCtjj-e`xgKj_|K9q4;iuqBQA
zb;*jY{z=`Xkh>qNbsLM3yth&>1Yp1JO)V*dhR1b9#2-Msfsh%jpUqWt`s2H2LG%F>
zb0wHQ)`dglL7fT49nh)Zx&v6w*>HprcSytl5+By6m#VClWlZA~ex!?obC)e@C_Svx
zz%S40lE@8=Gi?w%kyOA<hjp{ajdJpr59=0S2P;3KTSjh@6FqT6_qsvTV^Uf3^Xc}f
zVBf5_!1ecF=X?HDT_m|KfW2{k813O;^hdfmm>y=34TnF{jn?!Km37Hf>aS#?q`>C$
zIyGdS*Cmka8B-2yIj_s7Jrtfjj}dn>+$!3`!<LV+CZ1s(?-SZ1u$mYFuYRJllV|UJ
znTUr*P&RM{y@#xVd_ljG+$9ML&kFh`?5~*${W!8;M%|~->tL5c@4}w?oI*c?+%4lX
zmHKkh06Ub3x<^KR!BCA*tU}bi5-RYpN`F?MJqq}pRzHnwm-#Mf^>b*C5+>^OW#ow5
z3m?|$QwZ%*!S4%{QiB&Oj`~Y_)ZjB<qBU~Ff}Q$knDo6t580`D6*TSC#|FML=$&fX
ztAkMy`kCaIJQVsf^--`d$ru5nBNeG|`GP?O%hFU@u<7+m*!v(R6Bnuf7wy$T#eK+n
z?pa+3Y>U!sU|f_wlKc<LE|noXv^R7Z%dS+t2`)zIO{8CDL4*dfqxD&|Hw2bM>nD<>
zG9fM%$L^SDeOTc8X#E=~pdMZtp<hT=$R*jAh9b;Q(T~>j8dTP*nbh9^iJAIzNMHqf
zF-4zDZX4u`Vc2oB*9cLWdK-MjSZ+y0mfMH1Aa*S6H9<}q=JI=q5Wrm43$)kF;w>b1
z4&%NrQ(r)m;gd{#KJmhp8;tQ__{yLPOwH1V5i$ZQv-M@#T>psP6qU6spZZJSiS5R4
zi3i@z)+dn^IDWS=8pdVmLm??gKboY%k{m2PYWD$r;KdyMYa(fb+b3X0dt^`I8y46+
z5y$s86R<b6!Xw4{SlCjGN_tu`*671S42aAjEsViK9vVXP6ZP3@^hFh9QGYaK7wf~J
zY$7(-g99vH(hPr`sGmX}kc)~MF&b<odIze=suKMKa-Uo;M@sZhN2r5-i5!^Ofo!Lj
zp&)-)rVl57lp~*5rXNc-fW8tx4$7#iN_{a|4-ZsgK@Z5Nhn8cHc(oGa#xK`rlXXzK
z9End15+{(gaA`S~<M9C@wV<m)_R=c79d+!sDx^I+M7slNfiqS5sS#u=jM}W9N}e7z
zSDibLT5JDi{d=SXzJ65*YQ`VW<K*-77JZTeH_ExE(U^HM6xSH&caWC3tbB=J?7&R_
zzEvMX0)yq#gYke)0mrstC%#3Y*TdUb6B^kH_jGT9DIGXypZpDb;8=%#GmdEuoZO+$
zfrjn+bh20Gk;W$?RB&QD4xOG5#*z)Yc3{@|JFwTlAYT;2j-@@JjHR61A`t?Z!11s{
z`_P*d5boATqe3u4;yu_E_xNLbEOJ-$F->Rz+r8NHZoNmJNEWlWI7aS6#E19j?X*W^
zLotf6WRmV-)b01`y|f3tZ}(yw^$ZeFfrhg|K9Tee;z9$j+^4^hsC%p`tJ6t$z}Fgs
z1;&mxD53KKy-0os9~{xg!84-`A%UY0=nLtga+N}h2Tk;wslF!?mG%<aStZZoyB{%x
zL(cmKHIy}qArLr%HTG8)|6$q_1=k<dH`C{W>&1ZZvi>Ah$EvI|XVR_$I3gNQJEa+P
zz@NYY|92KE8oqp09|l+M5gs^nQvbey8}q0Bp?8y)Wa6dI_4+{GoBB`{iHDL?`Xchm
zAVCGqIj9OR<roz3h(lw83#as*BoXRQV@EqVjP24=LulaqY5ikFousnb?ezM1DBNeT
z!ojmRbtR29#K4SDgBHF#izD|9X`c*)PxW^zW~i)FeNcAR5C%u~8$#gaPxWzB5P&Q-
zM8k~FaLPlB8X_;~M=NGZyv<nyyw6@hO2-9#I2Dw`A|TqWp2c{n-v^I>s*i!N&seIe
zL8h@di(mg4>axQ_We9xrnSPZHb=krn^|j<JnQ-nQY>JIV*b2Y?s9&c<?dI3j!UsPJ
z5%BO)oapZSH_lye2QK|ve}i6^Cb_-0PnKKpt~M<6Lux}Td5@(Pv$q}Rp?|3jKcMRS
zTw_>7-U;Tt)({ui7Gm&(pcxzx4PJ6aCSa?n!5n6I5Z5P%!whxgG|aqUu*1ndtm~?9
z!~F&{qqV7qG2|a|!KB`nk!sLDYpNj?&Es1c@xx)nA5#svXad{Q3=7F8GG6K%6=@hL
z_J~ducsb2*rvfeF`Ygj(a)GfV!7EvYT(wJOEpb!78@4SqL_%t|Ar5YM2urvu8}o3(
z9odFy<a3!H`-~dI977)Qz>FNke=&$R22SJ{sx<031Ji_*+U-8<u*-agNOD5vM8sIM
zqu=)#O30_IHsbc4MV8XhhM&~cD(iw0>R$kNr5YmO@iT@{XwAdo{)I)2W<$;xcrMSd
zIssjO_Qi&3@(n!EZt%d%iw(2T{TIK)Fq(WV^J4!}K>iXed)E@fNVMM{USgO-E-~Ud
zH10PnMd&LAWy3E^4dZa;%darZfj{iWa^tYUfw9z}4IHa5{6oZZedtwY9XT9~y#@mq
z+OZOjyoYW6Serpl`5)vgm-QNqj5Y?XeU#1x+u98_@;wu=2bTw<*BYwfwzDk#wK$R+
z)}m~u*BU0M$Ed6gi>SW?3fCI4;P5(3eCaxr`Cn4u0*J^psc|{LJlj)Q)mWGqF7o4G
zwk7I9nY?<CY=GB#4JqWOK^`L{^<kAyfK`2l7V@i%&v_Kf#5x^B_8ZF3@~`X1y0|P8
zStkv=(r>62(fA&{&yY(6wcLHNay4-70-D>m?=z%Pb*Vfe(ap<7WafS>!B>Ak4e=ox
zC(=kqoD;3`W%~_<RN&?G86oh(enXrBP5w{rH{?+v3`RU)Sb$4|tq&L+dciW>r2@7G
zP&;_u4rzk%4;ucZMqhu;Z0g4$`>i1zRy<_LpaLhSZ2KNFf9@f}r)bkY`mkX!d0|*_
zPd|(m|3U@UB9=Z1S{^Z&)vM*STEYG)ruF0_hD`GDuqc*C4aMqunWstS>3x*try0id
z$)koMw1P7pGc2NlZio<g`Y}UE#G%L4g4PyJ#&TpVslX$0_maPn&#9I=@!VSj?Wd2?
zcj>phg&)H&;#>LM{G+)2dG?^GJcLY$U(FYh|8PA?dwP<GlZ&sv7Q>L+iW|`Y_C=v7
zLK|O5fPABkQgX>_`Kbgho!7<lT>Lt?eNkuv+B1h2g{BG{`FuPOagRPi$wh7EeFSEP
z8N!uZ%oc`UQ(+L{>{kYbGSN@?5(4(ohFBGs=BNB@0yw`VCvg#e9?w*?wpF&Zw^qmp
z-x}~3S!Hbv7vmRLDwuDCic9q?_?eh|rano96cwW!&(=r8b76iBpF>*Pmp9b4wxSca
zwW77EsilUC_J{C!7-Ox`s^X&jp-j3Dx{cuihuRyi`_f>I75#cXi?r2LHVov=zH@PY
z11tQRkBw1*D`%A|bP&B`s3*F1+>)A1yApppKi~1L0p}G3>+qRy;a$UBXub8nhkEAy
z!KT&7GkM7Sh61$qro4~DpMOIP{QZ5y^Ar~?yU!SAkdI_4(_^4JYskkXz|^ybGAe`&
zBRqfB;5(otY9ODY5~zbwpJE4oelXo|c<NKb1X2sXerlLS1!Djwj!9IpQfb{VdvNx`
zLH#hQr}sWLjG%()&?UpW0@(=feTymmBBvw`k-F~;rE1(nWaDU!JdQs74*UMuL7s)!
zC;Go<8HLJ2A7{-d2oEzX4mAH@&}zumo3<FsNcc^!7{AkX1eeN^uNH{ODBkpyQ3scZ
zF@r=vj>(ub0BfN10W>}qQKMVm%b@@@bbGAa0vIh5UZln>5{Zc>!8s!?-PouP+{GJX
zb+nhjF{81OM6m?>XfF@Xn2d!a7JfAuKc&3_d}21bNn9Y-VjQ8<_u>Z6>_Y0FE6enO
z$ruH73C0m52ChpmuAse2_&&inmL$L{iN<6oPc*t{FM0zK5tqnt4YXGcW0H*dxI~g1
zMJInSnBcQ{=2>v%0$PB-SxOG<A*4Y~vT-u))i9fN6kI-!i^`9ZjnQ;O$U&mz)gz4D
zJdS^bzmA{BTj*=__q3kokYC9QI6O;<g?okT=H{XGo=tPs!izn|M5AN0%{JQY#4|;1
zuP=8(I~4ZfD(o*eC=z6not;&2Io!?(ZH(j@#Nz1{Tdv*L3f;ZNj35>dYdGw91f-+|
z{@iOs_nwcP-^z9P@Yr<D8VKz(CI@kNR>kJ^IGbTipAp@U$cG2F@Z1yrYl1a>#t{tX
za%Fq)be_YW*9iOjj5$G^+v&~4Q)mrv4*4RH&xx+fTs+d{wAU-R$dp3)?5uPal0|Xi
zITNqT=gl3r8jAakE(zzvvnS}+bQi9I?tbhpjL(^kry%j9ho=r+>^F`I;_N6xt}}ln
zEIOsNOE?D}XYx6Gc6%+{dP<w3V{!3V9v+3UxzTIIjxXIOY{xMqyi9(v9H_@5V5H3$
zK-=c&HY0PVOAFY7c4G*fYBOpev)yPzgJ?-R5_5(Tx3wejWIOg*7hGmU*D&JBwZ>eu
zy6#$QoQ59*OJV_<*BL`0Vx4ic+A**?lNQ#9&p~tXDn?7-^>rv0nmv6RjN^%&QB&ZN
z4MsKmw87{?>mp|(#>#+-jm8&IZgkAWz{E|)6h$E}1KBZ_U57qZFh|dJ<9;+PAKZ>I
zWev-N?l5}PnJQ~x4zmMM4lB&xVT?k1c1VuhJ1|lPyvROQ4Z|nxG&<FzRMwmvx|6_{
znfeH5-)S_GG})POIZLk!JiOCbP6C3_aG3|X%UFs<n7IopBz;&qQiZ&*3kP!!gzPrv
zkufZRXgG17(F8wzh6~JP%R}Pf*ly$f=mVDgx?8f*P+z(hEAoyTjFF1`&f?x|c;*IU
z5g8r8xLZwV6>hy7Ys|*-S&U|2+&u_oL*+fjrDz5oW6(%OOM#L18trHXF1*+1Lx(KO
zIq=xM#xFIvIr96*jZQL=Rc<t#J8ldK{P4JOHbGnJ>;Yo}tUh3jLCgE`gQ%?@Jb<lH
z%<yB->nfqH9KcqZc+i-MDXch-{Cf@}|AYV%pVXmG6>(!Qip2Zeag<>i{BRt*()2*e
zpN(bA_F^tnc;OSH5$<}+Xc0=s^_C99eZ+8OTYJmk=eLX=G6^322wgZc-$tc71Gc=4
zsL2v4@W$K5{aQ7yw3yQ*8J_sb7zQtYggy86kBlbt)MC6+G7EnF2&2rDQ<;6<=*9IE
zrV<PHpEpJ#8MzYRpXX6O&Vj^_jfJ||R~cz|>m(-7|FJQFpz|Jm&640=I!97_Mi729
zCacS(C2da)j0-n~!>=hO6P(pxz`jvoKAcvY;w2#P;E%>D1pWRG{$!j&=CQov;MmXD
z+;Kl+C!ELdX|VNYV=|d45d%m(ro}A)zuL42KQN_}xIOTw#x$Rl%jsUym_(LtG=YRT
zQ%Yb%sOe}3Sp>dt(@gx3@;(-05@46lq=VQDT~lC`)ihUuzJ+ZurrBi4Ad6W}CV<K4
zmFVWp8DUz6E1O*-Oq<bf+vGFhoRnfR!;&&nWUy?@8C5EqghtoT12~7gSQaciT+B0B
z1b=DoQaG1lT1YAf*`uH>)s(MZf@`ZXx*dI!;U;tjOgCxaY^o^<vy<e$lxi~WnH}#A
ztVlC?Oa#wl<eC<vuUpC#3uT6vb4?m>`AnlxP?T^X+7Sapsl?&%*D_PIT=wa|YQ>O>
z-sRHrq?5pF)3CKFMw?2|Y>^`2_jouz+Ek#fR9Wlh(*Yh<#jv;xCB$!GC<b!7STzhU
zuhb4$-cv>t@Wp8+=0TQHWrcuQ(@o=1w#rgdHpG=;#FwUHG3$qM#Fm<hP!QxOM>q9Q
z%<D?Agx{2632Pv$42xeU6Q$y#P?G7P3}Bu2n2|PnxhaP<2D+A;oFOPdpx%^+ZpunO
zR)W64^aA>@B}G%P$E4faXd0ntM}2w+>eE{Ue`Iev{H@V60hcR}?~(aKz}94PsMq4|
zXdd<F!z+#030`eN`LAy>Mc^`LkTLK|lc~alW@DD$<Rl#d%yBG1V{2chsaUbiuj$<Y
zpLLqXkTony5=`zgWuXO!s04s6Qw(||89wk<m+1(heH8ZYFij&}@Zk>AO4>(Y`cAB!
zt+0Ei=^wO@gW7Ja&b4yxU+yx622OUHj;hgfxN8>@S_cW^Fiy^HL^ThhLI8G~Y*@w@
zcAI>}FINqwp@GyJOus0$D6JKE=$&~@u#R%Hoqk;}uFQ&^)Sm@kcVf@qvj@f97(j80
zv}{(E3=Nyz;UPE$yNo=}zK@#%YT75j;ipVBWG6g6&m0>V_q3@>r|CocZOt0mRRKnY
zS%hPMGtEOc9%EqNlV#7>3#L^VT?O?gO?9MCrY0ns<Kfa}9LFIb*aIc6nQm0kK3s9X
zW7<NlV?0hMC^1`L-$Zke=dE{5*+kVBf{vi%Epm}gE6oP5O*D^!#qXO&3)f@ggXvpU
z{GNpJl0&=n0xGmGOk<RNIyNprr!ZT=_AU;}b92o~X!-)X>>id?x{Ubqbt*iS`x<ud
zeJKh9gk3b9(e#;B)^#<sGj^{N%V+%3G#f^&Hpj7Vsc_$yrV`p`flFVSHsL0KziFV@
zl2Zq%;h_5pd%?vjg%#bTznCr)O`oW;ZmOf5@tB|s3ND+x<PJF|R!IUwsNvbmriq$9
z+`}Kncm)}MKb-LjW4vOTpv80B+<fvqh6*0E<>sb>ll)u!DgK}Qr~J2c8{J6TXd_)o
zm-9c-#dIE>L362tX3|ueK*!PvG>VG+mvjo%Q#GaJ7xF!>YR8fe;c~x-2W<Y`kJqMz
z@B8t<w(zfhHHP2xbzpe1uMNXb`tTgNaJp|fhHv*(V0fZ$E`~4nm0}p^!)tKDxjwu}
zCw$bm3d4(ico$E&y)O^L1ATaETzI0-jo~AGc&0~qpf4W7yZi7ip3t$cF9JXI_Jv`1
zLmxYYet$P+$v@V;5yL~>C<MQ&2T$(uxAve|{8K&bOnF}q-kal(_k?5k=N?Rf|630x
z$G_Nvw<GzNd+=Hy|7uSXhHv)Zbt?Ydo-_<k^^C&sTn{_U{?8r{hF^B{pp5*tJp~y4
zyQdh#D?McxzSc7v!}C4WD3+mT1%~DxJXDNc_67{~J?k(Odr(Ay^lZV<+KUY%ME9bg
zLVT|V<KEG$!*E|O6Z8+gsfhRW;#qnjuh)*DyBD(;#`SiL#t%;~+J{0>??ensdZ%GH
zt#<~7GkRGi&+RS8a6#`v3>Wt<!f<KtVhoq{F2k^<mx;KlcO`~Ry{z(Ede>sOu9pe7
zsTb={Sl@?N2ZbGdOt_vtyg(-O_u*Ye;j_MVti6BN$HH6svJPbuB_47S%xP%(W(($J
zxbG(Qb{tK3FiSAw1R$96(fZUV%yV(?M$!QK)#fnR@`gzTIuNqqTs5D}_V*GXZ@xJc
zR$esqz=;#M%WIgZ(()_&a6d|Eu2mfJ&+f~DER}gF?#W7-uyg`PROa#Oz0=f6P&S+G
z>Rgp|LoMx$mWE~78dN4N&1Mho3Sf*eaK71Gs`kk&DFZBX$;~pgaSh6QVU2mJdNi&+
zXVdNJvi6$MV$Q|=BS|52v>;Ey8q_^UTFmb&@`jf0lFmU^5#DVzr;?`+jS&Pb2npsZ
zn!X5m$R<l;dt9Q~Oa34i0mt@8IGkvnr0K(53O1}GC7$s~$a9y>W3-zS;i)9^6ir|F
zRYN}+dF~uc2X#cUSsi#5v8aEeho@$<Bj>$?sf~nX?11AjhdBwZTW!{acJh6AK!@d?
zCFP#wK>m9MQ%;0zhgk&=I?U5)UnKn7VQ#^#WvL06ZVEi$G)J1$@v;}8N~+c&ZF*^f
zIfFbTb6<tkz?@=inK<Y#Hg}T;gB%mhx1mqq<%x*8e-Je)a9fFagbr8x$L5&J$-}=*
z?cyA>26n8%UNw}%`nl$CbOl^L7b86S+X&Cj#Rv)W%wEMvbimGs<4<9C#kk?nI}h9L
zkF2fFE7FzLE%S#@D6CVzGaozqlZR$dq79Ih<_iQ@C7;(}r+iG#MC#m|SD7cPb5z#a
zx#*z53JC+lYU~)_uQF$o$A|a=^H-a1Cb(?9RBx^&yX4V<oi=W;hv7EZV|Wh}y%jFl
z_n1NzxYS^dC%D`(Hkq4oGaehED<HUdVg$uD^LAYG^ldXcaS#2-HghK~Tnhc>MBJ#V
z@|%B$D~zxGW;^*CBzKz6;NpUInRC#?>gY1RdT6^K$V+NmSF6<f1+9_&e^Ai=stS;I
z%zq|msQ>j{a|(Ge@Y%cO(*zegXId<YaN&Kd<(Fi)*GJ~5xOT`sZ;pf&ADP3*n{b!H
z5)JSX*618K@)4H(9}E=(n)BunxI97DZ1RT8wf;O->nzxJ9*5fN3}p#?ao#+IM?=bc
z!8`%ox(o-`Uog*Aw+xtRV=v(N4*kp=hdUAjWLz8lfM)soMV4^b@R?bQR?^PTunT?;
zzmBuS!imq!-=Lv*y@rp0GoNGSd?B5tIEE+BfC`qMadGmR(h><)g(VDkoG?{9uAs1_
z>*nLFj}+?H$quQ<kgQ)<x4I6`vDP<NwyhN2VZ7sYxJF`ZR+%kP`CGPk<s`F}mP}mW
zEK*vsaW6{B<sPLa1D8ISdp7zi87dI1vZ%szXvnio;95CJQ!Gj}CB~9MPBA76gvVk@
zZ;7##;IiX`7|S&B+%Ww7Sj!moGU=3L&l33hJ5$8oSUd^yOspjay@he#n-V4XtM5@6
zKdk1n!8qM=ArK#L`6v1@zcodnr5^LGshIqkb*Mzx<+W(wlGlQ3j&DuBqM?sBGUh9u
z@6`8I!)M>2LHq$r^D{Kz(H@S0lpjp#rhodg`l^DSl3_*I_=710x7CJ<@b@3kl0nmQ
zjKHH!<g)ZoH1mJwv6SNZ5{c_8k7Y4BFs6ACb$$>P5%`<e@{<~m2OJ+~$s-p6*vu6a
z4dEq4mI=7iCPl?=V+p)aWcibt`HkIf+ACj#fqkVG5%y2RwmuGVYb;UlRTo;0tR@0j
z69$ULcS4z^MDZ8D*tZVq%PeEbpX4NWEwC5^ua;SwG-&;gU4VpF2MJ|p=AUDz*9K9z
zgk#<E(=Ie!S1z<@aZ%8|&|)WF%GqA`JuX^bU1+(7Y=X8$meF_;NfI1$L9gcbCS~Bn
zB8x*v=Rf64<Sa)c@izHPwBB~%HU3ZdXug;)$0s6g<`42O^B2k2gzZ2)Nx}^NQG7C~
zUWGT_n<`rC@J@M(KOLrhVMtL%`;E*aPZ~^C=7cvv96I6oD8CuVmxd@l-fw}k7Y*^s
zbbmNMpFrZfrW6%7(r@MG61cL;JVM3U{ZV`^fpKfhS!^F6n(ZSLwwRNnIHNy?Pa(sH
z2N&;;$Gr|<y;p_10ZA<HuP>N!Hz2~F%r0`WmPp{j{Udn09J8{et*)xRrn$Zydp;NG
zPvN~7WtAlijW;xDF_V!4nFLt_S1K(3QtR;01iPP=Ec>Nd3=r!q;kbz?weXSE7EPeE
z&N7OyMbHwwV9gdms0);PTP;fXbrp8;2Up<}7hn4$`nJOJt1RQlQ^Q&V<A*@zYKupW
zesgw}s2E;dg=2EZYD*mM?hiE^GLGNdZ26w{E8xdw9I&qhPyk%^^(&e3^a|g#^kd_;
zqPB6gVh`Lc$35AK1GK8ul1}^8jGB#yz@$Wx;11<g9RCczlb^<`u!(=5v}hxAJ!Wys
z4q{xRdGO$=+m*WkUU<whY7mPTMtxqlb3M%HF{T8ucrFx=qvqO+*1?V*^w17?s(tK+
zy(?(iwOPVxKi=DDvn(P%z^QgiIy}D3qJ>L<N`NiV;G;In0ot#Do7*i#<k<kSv|<rM
zVCFi@T;cG%{!sQU7yh}<5=)OV@2!eggRspKqv<!wE(#rNxe0HvVY*?kbem-)?se?j
zYw^J0ZI)@Y-vFV0)M`I7Tsq9Vml$A|-!h8!>)}~O_(>)_*N+6%UTlcPofZ@A*FjUK
zWh!pAGMNJ(by{|rX}<;5-ej4LH}>T?cid#b4ZppXT-tAjyuFrca)lAL(tZ;p0D`|V
z&=YtDER(hO34gQ*0pWhjpRjmVIQD>LK2;Eie9+QH`@`Y-2Q8&kAq37oh%LQem?PXL
zJY|WQkib=P+;!Yt+!5{!;Yc#>B36<<@&Ne@`H*t>@I@}JytdK@>5I6Jc#-~$JBiu+
zbiM(vyFP@k%e3(yah1CZBQ0hjGLlwRt*>foltb=Uc=jDjr2QAOV2vfx;{^3hwRqE`
zWkY+6kcdx2w6@~jT?1k&aU3C3x1z45h5IL5`iCVR6}9nAOQQ0lBq7mGVbs6H7$x^%
zl#rMR$KJGrQSKdRe$$eqcz>jjm@lDV#!sSJ-PFvkW^nJpvu|Q=e;3|=(-Mi(<acjc
z;+1bp*+TqJVz`Psl^`T$Q3;4ez0<&*4i^$5hY2M=^})RftKPE2qCW3=%aVpu(&KO8
zEO-u1y@fKKfnVOTOp19fN{COU%bS{3H&nK)Ze72;zNu<;Rb|!68t!kf>}|`wJzH-L
zpAjus>{11_<FgkH^5!MJ?om^{p8Gij6-GFB3x|Jy=DsJRNI5paLGlizbR?ZdTj?$I
zFulMl`5b-<-^K%fh(CkAq8i0WAqDkRf2f!onEoyr2Y8Ze^81!Gs1Kfb-x7t#u-<y#
zl1?7jbLrM(7^xHM4xO?HnfTt$R8Xl!Psa{!HHY__ga6{@3tUF>Z}x+S-MNUEhji<2
z=+Y&axVhJgIkb^HVvfK$)3B%&SH%uIs}?8m*<suV9R6J<=vXH0<R0=m`3XB-F>YP$
zqL1Jv){lGw>XRPax_+KNkL7+0j_br2Jf3<+CuX8r3e}4v&^oo@hw?y<kX1n8=m{|n
zuJ<ZKRos)ALY8j`qX=oOY2*HwCS>KvNCoO)?jXFU7gNb0AO`V@B11?lCUD1TOR6$F
zPbes+VDcy<@i1jr4CQ`;-BZF+qF#&;B2%t<ut;uG?in~aB`lU4g)gUsMUg)pGKxY1
zAI6Obl}$|TxSMO`#t+o^z-M+R&KJb)n>+A2%23r6RW>Hb*o0xXShD>ca)jV}EyGAG
zf{Yy=VWfX6M#yj`&t(s@{DvJ-!+8TIY@(Z=lFYr#;ooOOO(IDaDa20MLjH%`P5y*e
ztG^(ZsRcWy58tw>r0eMo^kMo}dKNEPTd<Q(<(KoD@iCwKa4I;#e~eAGHSml}?4TXt
z0?DAim4Uk~y$v(>KMTWMktzRKFN8A+B%aP=#gY0TA=1M$^MZ-UI4a|U(Q8{gc=?&|
zk`VKyiWoY}Km_@LngJn(Q51)AMK$kRLc-ZATT6&l{)k{7OG%{s5hZ^_vyTcABY(t7
zA5fSlF2qws84Ri>nbHS5h{%bF+%k?oi!UGjj$gr#<0DbU{)0Y4@1#5FD!jK|fX=Qk
zav9%0I!T@)H<Mm$f~90UiN`mP&U1g`4sthgP295Gh2bXMdNh;5*t<NfEJ$7lAC19b
zu@*G>Vw~8H#MrBpaBLgoAqAHo3-KeNMc~q6gN7K!uUoMJhe=yqV{L2V8YE>wLB1Hd
zxNSpoO;oeMh1r?$RN2;sT8?S(mYTJ7>^OzF32BK})501Nm&R~)4R}&xfK}IkXzL(4
zt{!w_#dvhNXN?uD9jlO-!icSP4b1~aR(Ks^(;2p<roENjZkLU(u$2QjTxF9PY7rgH
z*n?{z>k33<Fhr1VK$eIaBxDUE#GqzwTD}VJ0UD|Y5(&nMs)Dm)#c0KHflIgUx$8Dd
zTvR1~jg>Up;ByT)4N6ZRS(kyWK#Yj1VBA-;G~!HIGis^8W%+=t6;o--61c8FOjRsK
zR2FPrD<;sCMeu%sn4(Nwh&VgL#X$2~QAtNGfGuiq<g)m3)VwKIY1NvRmSGo?(PhV(
zI1k5vz(0!<$7<fkt8ga2hpwTc$Z4{ROyYjx9_HGRW!S&GP7|t&{E|g*Vv-mEr~e^_
z!j6fes4^njTet|l+oD}%K%k&zA-pqDEYa#^KpH-9dLqVB6pQg;vkRwBOPE|eBfYp&
zhaA3&g*fiu%tX-&*OiEPULKJ}6${|m5^;iNN@r*gT;>&{p~5DPQg?<RDu2NO*liQX
zYV4gF1fBWi&}J7i)t%}fbiV|t5X$nF!zsI%s_s-GWY3!qAr6*|A_$F<AOWEa_k3t{
zh$GaU_<#~g$(jeZI>cCYCz@XpbQGcTPJ&Q;+K`@M`jsh6Nx`s*JCdv6@UNSD5_M%F
znU9yg{zk6g3t%hIZUXucJw{*0HIS0e;3x6b(kkdrJbSbuLy;(?r%_mw7KUq%FSCSn
zoVXB3Q*mFpg!Jh$0EW35m5RIM5z=SMynBqd>fua57-D~L3+ZKpSdnty?YVTz80GhN
zA-zOK!==<PH9UToMy=xhl`Evr{Vf`r?qunIn<Jzb4bk)}?(3l(St4Ok+&5MsGMVBu
zzP7Snp6uAuBuyNi;XETo%>2S4L`Db6c(oK?zo_9Zh(cs+5QnF(+UnX6dC??9T7yVA
zh0jDG8lyHWuWYGp!lap%$lU|0&Y*(27kba2BD)VBJ%f|}AK;}kVzhOCm=KNW$`R_C
zF|RhX9q)%<&xo<)ZiqfB))qg(S|^Tsio?H?+~-6|Qt?TadNi#bA}^B*R72Cz$f%}W
zbRV|SIiB)qXl5+o*YG>|Tlfe0<NTZa7uZg1bF2c%qUCJD7(TR!DoP+uS{|G+t|F;r
zQgGtAilm7bNIsSNbA+0NBnhMlA=cs5Bs2)&Xoy}(w6Oy5Q8r*IS}Pms2d?X)Zdp-R
zOLPeWDWD63xnF}pFEa#XxCVnEMj&1)4dyU4F-metBR*1P3IbnE5+haSXo0xtVlYe=
z!&H_yf#f0Zc(G_rBccplBM*G0rjmq7IV=Htu^2XzgiDDo2})ewR`;6{S!FuhH9^Fh
ziAWSkAzca;6T~PqL8Q0fmcsEe9HJyD2<fJXaUIc;B~ZbtNz$n#Mw<02g89g}SQ!@-
zRK~?gxMgy?w&FW_RW&3@N=(Ax$-w3s5-(W`%LW@c$d@d~Mf5W1wLXbALFOH7^&syE
znRlR)B-TWxn9XQ?^MB_1@y$aMJwdx^0Up(Qk~H8^t#oOIKgQk0tp!`P7`=OjQZuqM
znW-)3GMHZ~j>t@s^wd@24=5*mEk!C$QfH#f1oxGSajJwM@G=A95r|J)249zo5vn+e
zg1ez*NQn&swj*N9$e7L;iE*fY2QrZ=vA8oD$t5$F0=7jg>@5>VsG@=xY^wrIL1!d_
zg;S-5%u_`mkiTdNYhyfH90V>fARGbjT&b_*>B11mD_Ja88C=5d1J@Oc(JE2Kv)<=X
zSrBj+E{2Q6qD^H+fK6D~V<X_A5+|&ZiK01=RdX2Uz-=@BaU9nR`8+<HeobG+8E`Z1
zB5KLI_*hU48OeRi{fXPgE#@3)ow=A)y0aE?W{JrvF9OL~wXk587_0Ii;44}ITV{z)
zl{*Lo7~n#{nZE+Qo+W0f@TD@89-WLz9&c#P7UNZpAZGb&l-rJgyRZiCoQ-nZ5U|d#
zhPP&mqcl04IS5A1u7;{<VumUkf!Nw=xM`Z`Rb?TNju(U9m?kEvGK0V`2#m@=AUUI&
z_2ZzCGSEapFsXACvZQ1!he^}1eba+L0|Kcd5r|J)&LT_ii3~)QfRUYPNX~Fp!V}Z6
zVN-*^DF&oSsZ@fBb*2##Wf^3aib>O$-c913;PCGS?ksnS2qc1J5FaVSnr<PT_>|{i
za*F&w!|;^yMBLkL!E?&@(ZA5sxPGuoi`*K%gTI}BntvblZ;iZaKvPqC7<0h1BB|17
zs|*gSL3Ellf`<x3MoPnPc`&+EE+W5DxjYzG#*LC*xEx-MBts{VNZL`&yc4yJBqvND
z>9jhSQm}GKri=}yHGs|13dBmQ<#mY7AdpyE-GC45wBYkyBwNy`HN#qL(BLF?Nu|~d
z%S1#s;}G2;(^=<=P&uV}M(TE!4uY?E;)JncSX7KTVB`|FOubspL8?b8eJv9yXf6}4
zRIu7$as$|085>My0PBkoI!F#(Ijl&saZW}{WnFo-P(fOrOuJg7AZ?7a9;;&sUTyA^
zd}&sx3#K?o1j9^Gkx$0T)L@!}RLM<C3Z$ug6-#vZ%7ToO>TwnBxrySKLKz6Aa24Np
zNvPGbQ1Y55C~lFI?P_SAhwh~bK>%Mx#hJBOn#t<n(n2<qO_b)Ydd3*WHaD_Ji98pS
zaCrRTUcQ+h&8z82dNZy7J$SI;B(D3Gky!2@Tt8Qj$3*TXF`A^#Dbna`fT)Ey`X(a~
zpVj~c3sIF%LZD=}^df64Y+5L$s7ivEfgItl3_B6Ah0`Ue#;A%B@D{FS&$x!cwnd@<
z(-vV`6M|?Klc8fmiV$PZV-)~v7Ks*kdJ)<L;}Pl1Uj=V25;M?5FARb;Gf)?fLm<n$
z3T~N!)_ws3-oiR~eg-Zd#s+~a49G{oo>vFnnW*>1AmA=o33W5Y993QrxRU{+5y<ha
zgg0l3=_(%rOiwFjiHXIm4n=MZ$G?w`$#%W~)%+*)DKx>y;`;ebycV&J%pz&rFWd?4
zcCHQ?hy5GXxfGMia<_qMshFx-f`Bux6<kZjOx5BbP|JWt5?d?W%Geenkl}2B=a-^3
zTo44lVL&+oDOoKLTY-%;AA!7#HE`Dwtgg8gSY7jim^BsRNEN>JN8BlEfK-ZN*r4*o
zb#{IyzT`&=CO5;mWnv`!6VuY<cg_ytHYxc?SW_-0gv>&Wuc(=|h+oND;L&oNsAeKE
z$J+$2mtz()f&f{7Kp6t*_9n0`z-gou0e3+oELebbJ3R<o&wyzxj;|4(TOg))Ohq6i
zt06cbq-8vlRE85InCbjv^he;|U%7X<FNgxyLizY$b3NHX_LIMo^OWGZodP-=yR{!3
zntw!t=M%KKV|hESiz@ggd_3bOY`VYlr}>M++6KSwi7%huA!+pnHt?kU$Ye>YHw2Y{
zjGH3khRaE&;-kPhv~e)vpu(Fb>7K^n2@KMv%d}w$EgsUNrIG?{Vkr)JKuDRCPt$;!
z8+47388RW5*02~eC4D^5aH49KWUn^^Hf@w@b`Zd}k5bK%#F6?)m};)1|JUG!8PTdH
z^Ma7nyUHp>MaO)p5?Yve11=m=E=`p!LE#3`3uJUqv_bSjNlCU!DYP$dt!k;0yy|3;
zq!(KUQW;KKER!%Lc%xD@#V?VPXk$r8-lV!J=|&M*D)F^3;Vo)X5rmlV9b}m#csq+T
zuv0)PB?;SuSq`F?%jlrsgXk)0nqA9MXlbgiA=T2Hwl)}BLe<EqU`z?MLTb;Bbu3zQ
zO-t}*5UG{gZCx<(Fv3ci5KLkip-#$veX!6qWR;ZH`d|voD@Rt#_UH<BN8?s><xj%L
z&aco@^l2Ko3mvHr^!9y2PLR8B4d5dx)K$Q(KoiKN$?j}rBQkFj=vRoNR4oX23pYZ+
z3e=rzg1|Zk;KTo@NH@Y`D^QU(A>hp403WPCP23m+!fFv{Kp@Mz0VdaqX`|{9NX{7k
zw)e2%&E!t#TrIP}t+iszh*b#0rVJKzKx;A1%+5L_=6Kh^d$nS!CbM&85L~$!l}{}K
z>GpMSE?`N}By_GoFgar_99t~Ll+?(;u*PEP%3uO(sHo0rWQk1~Y~O)=88N-H3W*u+
zc1T`=liTtjP{x2t1X6O^Vbc<{#Fru9%xh!nI8#*-1Xy>3PnL+*Ln}o=$c^F}IXr~;
zGXDfR0y_CxT%V=$q4aHfi2jZ)qa}0%`I)?pn`CRr9Fj>)xOh0h{ef%5mU8fR+@k(h
zz35b!1P<R}HR{E1cu}o1s*?Oh#Ml`oP8H=hAb@w~k*tdF<0D=vu`q7DDDo+I;p~Y9
zF^y>9-3Bp{gu>4aqJxA$cB7a@G_bf)OvYPW+Zx4@3Kd4nf~G<-h7b2E;pIj#LZLuh
zA@mpF43+8^5b(jWMx4Ggnnb<Q&m$rob~j;p9~&>KRCYh!ZcM=&ltC69Y-<v=)KB1d
zO}OXg$LH-(WQqTa@nR^ocHp^VF~YeO@$s!Io0^-^M_h$QZ&M4}wrnRYYzvaC|3M1h
z42@$%t74PD#iqfDwPF~J+6Z@z5u@=i!eOLjqox<R+3YFZ8?eefyn=pAkJH=n6zD`6
zLB2zu&3>{Hr|^%tr}5Q3Fd5Y&LTp_s1xM|9oF8H~is=ZW*H4B^89b^B{eCpVjr46B
z#pIB&UFi9v1(UgL@bE^_i!eU`e}S+rw+p?0)K|o9!%+;om*Q>C@tedLbr*93rrSGU
z#U?RP-Ngl=>o?&f%C=&XGdkcYWK^+jmMrg9cz=_aqRHso5(MW|i)lHV5lFLdW%^;T
zwg&pJgh*iZm(;ll`BJjBz=PG;Q8osF69}YkKp;MC%U}vu#m??rkK~-Z&0wiP6|pV|
zOkluT1k&A`p}hvplXe8$g_~es4X!`ig23A~V)jHfi^roo82|o?E4QDBh!5(Ql3LP5
z?nKALtK<{%Bi=1dpl;mvslk1p>+nY!{zA|5Dn1^~*13Ea|3_(yZiP>p05&j5Tbprr
zcV*CP)gY<-4Z%@<6{%4sF=b^bAWf2`y^$rrUgB&<9~w@<=rSkGl5xE;n8a_0Yh)r*
zjA8ktMN-w91`?5-mTi@_q*a<xHw{Z;h}I_4SoMe<q+OaFHV-7x)Kbghuay$sJS={Y
zuudifCkG~6kg#4dV1}BGY>=kAEx{zD_9q)<Trf7`I`G#MHi-gBqgQtuvRSI%t;1up
z&O^4y_@NZ!K}ohsb5RE?M)1cSNQXS{1(O)SZj-UW1S|t+f1H4ueM7@SPdXC?H0QW&
zQhaz~qbO=fR}jYrS7ajDZWU+-<^02Pm4w_8B~Ux!!M;_rB<~DD!7PJ0N{roE0-aB}
zPB^{+hZE_s33Leqmu(P7YDn(@xT^zQPwcw+BGM-()-^24fnTxcXT3X``#Xn!|HQs+
zB{nhzPdjvyedv#PmwbaB;dm_43hC6+hkU4HnJ(ow;H~LL_*YQ5_d`i5Ugdio&bEpP
z<R5!B-WH4J1GVkwmp%#U?P7G)YtpW;eE(1mD;rzap=<haSlTXzTOSJ(tcg^*L>%mJ
z><;mtp}!sXzWxFawTr3BCFw#IdpTY$j=&>$zqE@P%B88eT}|L@0nP`DplmJ94hv!3
zS}`SJakvm4P1{zsH!N?gtgBzWmi=N!4fl8W<66-cxydTTCKBl-+sfv;q29O|eqD=-
zcOyiu6K5Iru!^ygEYw`+pt(MvejJ5?->(z#Koh*RPE04a?6KeKRNgR3NXMP@=6Z1i
z<!*v6pAbhXZ%h@^@qh;6q9R+Ri`m>>qYxG?oskOqLaL$cfEXE36E1|M4adtX=asPS
zfEW?B!Xktv%G5#Ixd|RQAV#M(>xD3@M3T(>hQV|saKLD9gs%>W*2p@m5SA`64-n*R
zRzv(jELJ@f92CRCR}IP-bYRpb2(fnPKPX01?qldaC}t`?9U;W}B$TqXt)`j#1l~O;
zrn>&hOgKH4&hdBSYk%kPghCt5BR`NwNENYi&*A?5OeC^@DP8Esq-i<aPWaI;Cg5A5
zc%UX7p@dF!1fchlmM!9TK(>-kgsM(4U5!3W8FjitOoS&96>37%<hk4q?9Wgcf{#@Q
zUAVV}+i<jGHn$z5o`0?j*Xuj46ZLTG2GJB!(q$MR<2Z>0iF`*F&Re)gM+>K8G#pNN
z&8rJnkDe|aBE5xN7c5yX<{*qaax#1qgKb^7CC4VzE_h`<PN)@KxF1KCG~gf{9CeVk
zL9`(Sx8`IDW?LSzpbIzW==@rF^v=p<oh*Voz~SFX?q7JOpn$Bv{l`DyGl?IPf75Vu
zcFdz2aO?Xy`XMjyDR|0gJ-?qniQ{f#O7Q1tu2vBP1N(PL0xhJ$Vrj^ADFT{k2(r>^
z$n^st${QEDD^;MA=}>)Y$nJE3mLUeP(v#FT3_#c_NgaFS-~QRjv<Z&a=B7q+qx`!+
zJA-O7h`lL@4GI{<?u`*}rsTSZqT_j=ng)3_1@f=;bYGRwF#65$f`a|zPdCK-MXQF~
zBA2oU?%XLxX~?Z|v3g+lHZfLDZVQ5v0PJ^tA~fW7xz>8&_zp2#eMf>o^C{O0XLpE^
z>faAQGy53pooND{O1VBr+=(4^pZxPkeT+3idQnJ2?i#>hgd`35L#9CI;_nDCX;Ret
zgTE>y2_rpzlS=NE$4NfNzr){!8=q<PLtOTkQ4x=i+(5>2UvPW5d^|c9GOr7_HR#+b
zIk6FNtQWg;LLZKYB*f3GM5!>(QZ;U6$dDw}(LT|m#tjWRb&)J~JjC>49NgBR`BSl&
ztYA>nkKG<OH)PcR*Vc7_S5b8B-PxPu-c%sFsiY@_5JCtYB7{&xL_q9_2nbOTqzU?2
zKEjm*@t3ONK>-0lMG&N@Q~?VrAWftRC_zPv6bmAP@V{qf_U3|Lo;=x{GrP01Q_h?@
z@0m05!MB(Nh(k2*h`UfV4jp^au0;)Au)||IjRo4lLu-6>MbdyV_(Z@QlFy&m&I^cx
zN0Mp`IzI+I2QY^y?x>opsTVkhqVDtCO}zj*MAH(az3R6My+AsYRM_daQ|ody)i6p7
zR8l)D3Rp2=9K>M9{u@|c+-#;9XN->wzfm%^G(Nm!ET9EZ(#4oUsZ(JTikyUR0k$Ao
zb_DC{6f8BmOtMqGMPL=SG$zyVNvIM)42pV#DIg3YuQAegPqMSTfEYx6V`CCsnFJ)f
zz@_R<1_h8o<P;$7uF1#~D1+$O-Iz$*o?|bBWFRc_Cff;7fEFZQ=>h)90PaWMXou0s
z$#xv{Yk&=`Z%?Fd<L#DSpbe~DPoScBtUwNr$9?aNM|T9wp!of2DSmoH9k3d=HYTv-
z+d1C0srK`BToh0T(Q9DP`Bj;!zdSs~PD3mKJ0kqPu>d3FJ=MLD?`hDAB~YUAnt|UB
zjXlO6W}I0J)9NT381bgL&fIIB6EV<BZpY5E`9O&Hz=(UG(Jr&ThYaeQmFxjrA<NUJ
ze;J&AA7rCOnbcF>Qrgi3;^IfL9`?4&;SY^r&H|+yP2}$>-4PuZZN8K30RU}G4AdM(
z`9jU(T23inWP3!8Feb4888CE+vZ1`Iw5my3a0K{^HDAl10DnoG2S~RuSxX_D7RES)
z`JOs&Y;v{yaZ{G+lmUtIj50UU3O}?=eU|KN@!sX?lVoR1@~&{HWfSehNb`LqX{Yk{
zZt#ZI_I{v5D<Vivv@?9>hc3B(f}Ig*uFUtK=8YHm_FdSu<1<$^@W2Jic##&*fF;3P
z?UJ{Gj5OCMdGr$BZ(<)+jJZ}Ri!Z4Ul1!huPBUrai<mb*Qc~|_I`g8P*m^y8h$Q1h
z1HVg+EpQPi!~%0Nl)($|yXuPYInRk@FjJltS1bq40WGXsVV$1>*MP0o&*&0&(Zxe{
zN;16Ha*_q$?11+V{%2jwG->}KJ3ZuTdrxssDh+oMsP8N2-ff3Q#D*HPT6l`v2e`?h
z#_T$tVuU~ocQQha83mr=0{K52eeJMNV`fWFaYw~?${!IcjMu4kxYNL#LxaPeIyu|Z
zJQ?{Sa1I@yYd#e&KpWc<JsD}VE8KyP$X41G4i)Jux)2UO#U12CIB7K&MtkBNlPx&X
zee6HfA;P(>Jk67zWnSl96yy<l_y0_<c3!+Q(UTv4{qqtLyDQz3pL2amu$#m^$)3EF
zf$EMxy}B4*zXVU7&Nq-I(da%bOe2j3hP57U9H}^sXQYUSit!+#FfWH@#x{napLSyb
zNQm}bjhFd=ykz?RRmgF`5~6h{u+T>mD0PPIrM%Z*Y6U_e?(T2A#62m89(~O&hz3p}
zSwTIH^N66@XJRAhFrJDi#w|U18-Z@h8P@Xx#t=OpLf1xLzSG;%rO?rDkGf+l@Mm#*
zzv`ht|2F}?P5`1s_uj@-!g%T81rn_&45ls-O+j_O+i=HPGL8Duj-hjtFp=Ig(XNGg
z1NgL>H!wI`G~;TDH|}67<b14eZo|Pv$HjX1!8{2qAWR0XE;Borxn_iM8rJ;Pa5Efj
z+<`8i8kXzNgEMad9XuGDWySjIQsFe)3CZ;s$;C7Y{yJf`{dGVTB8a-3kWkB?10wla
z&z@v|HoZO#jyhSiZW@*$nY4eJT^rs|Mp_|VX$ymQeSf;gC@!Rov*GcS7Vh|{)hl**
zNE(>!6%zv~1$*;GzhbuxNddcOfUU+?SiZkD*abmZU?BNIlEF-?W?ISqB<exPE0Knh
zofnb-N4-uo{0TeXYU+=ttz<V1%l0D<R9=x><oMJgr>@_j!GrC3AvRK)$`m^MBD_Q!
zVqeO}!FIzB=fjX#JCf^oE%ewz*s>M@`N%W3V2Nem_)4zLCeVF=t+4Jho&G!5&Q_jw
zS+Cof5diqOfv2;4n>)+Sq%mP=&Bu}C1>7h44K;}7yl(gQ0`F7Q={a^io|ipp{%tke
zt{Va9kEcT7Tz>t$X0}R~S-pyM?~O>u?EDJ-5&}Hw=xjR`Q#Qar#cVJgQ#LR_o|<2w
zq0{ZgUf_SCQxB~E=DdWZMU7YSwyo3c^yqe)uZKd>L2N}tYIX#`KvCMon8qb=xgNUr
zRk-m08dQU?{8hVHuMZX&#sYX9pEVuK&G(wmz*k^9kfSEze)tHi!m*%Nt!#jMy{)IQ
zDqm=QY8^p64hwV7xkOIMk>*CFDhJ*fV}7jE<7q*~^O>J$CVxw+_fs{s$?uHwnV+fI
z>=i;KB>K!vE{TdtiuhdVyMb!;nO`*Wz<!T5K`Z2YzjUeexpscUW;N5fO_}O5w<zsd
zHhPYCt4qz8WoJj4U#VBU$~9IqtQHi7ZAvM4RhFK1&E)04cFm*IH|&(G9m?$S8lLGh
z0J{(d!&O3C+;*x}z-x5>8(0PGa;cq*Y^U7(TCH1V@N<t2>_1|t+=R6|!6OQUF+<f>
zP{KDlL8}<mPwY`Eotf9<<F3#4>T^l2&+cKWG0zTbwvVMzjFE4^U;IHUP3(vE^@wOF
zyymy&yU@;B7?-eA$d_{a;jutn#Y3ZvS+w;XyT7+5C=7*JR5A~pzwbiyP=K$jdCOB!
z<7xRqG%X-l#k%?i{7%n;6#)#EHF7R6&0UB!K*1u&_&dQZXll%$TNXiE0RF0|r<elr
z%3AvjTCfO9B%rRMd3)nELOnJNZ$7q%OW!}!ZsY~xDvDYob^1(5Za}WAA-~E^Rhy2_
zw6mfByh>J}MU$!VEITa%7%UIHK-<$}v+y#2u}VgugLJ=vt1F6Knx<JDp_{xay1@D{
z&wRwp$C_%nF#<`~{j?qn;6=3VY|N#3i|rQP2VLq1rU1O~r_80SB`7*D7M}j*Q12yn
zb1y&@Ma^XD0lu>oX$P0sMc#g(FtyF5j1M55&Mko`X!V|5CmINg<g4bUnp-0fnvzo|
zA=L}WMRd6vPoc#iB0j+MibO9xj7Eruo(yC0$g<nV0+1KC_c2~q%dn3_tW?BlL>@0J
zuyeft=w%|U3&GZW$^U(!U6W=mu<h`!V*%NVu05e4)p*Cg$=eH*>@X;1lGMG_6Pr%Q
z)}m<ig=W(HWxQ|T_h&N&nDsN}0`nX5GS2tCO$-xL#d5e~{A$&bJD&zy&slG3xidOU
zjdR)k@}mzl^@xXrF-w2Ad2d9n&-_+1xt7%HeI|A-LA_K3gra*$slKoC=VV76)>Poj
z)4boQ)p>QD`J%s9>hEm*u3hg#o*vOWepOaPl^W@DxQ9>u0C4M3rToqzv?Z4OKe!|s
zIw8{hQQbb5Z~qmyNByMI=gK$GxesjHdrY(F)CYEA`Oj)W^ahW4J;9f`#}OY_!t@PQ
zyniL1(8*ekT>tb*CC%ntlQU1eW#%bW%z6DErm-KQNWW;BW`AhMm7i8(Xg)s(AINKu
zNIs*)(0pB{f2E)0fmPFJ$p?8%0hW;|PKc$@h;A^ing`8g=5uCO9O$?W*b@%DzUJrV
zu|Qs+fC=MmK%3Zkv}`qcDF7JJz6Y~b+a+EgFgya^qTDqYbE919A*O)A@Cba1-d=+d
z2%uNw6~X<vY7HiPAiau;SZin29}X%j-*}Th5IR2lNxK-3CR>dK0?g8GKJ{E{H;n=W
zEGgBD_pgPCpzC5RyH~BXV<P|wvlQg|qCRUO1yA7*Y=A(Ad7#hZT6O5*cY%NbBUUUw
zv*t1jm@r!g=h3Ej?fhtf!mKB}q1u#&FUFF+)?zy`8i24&Q1z}7P=rJ;pkZF&zd=J5
z+xZ%M+F%$PjNS00H?hg3Ev)mEm;-j3$FUbN0k*U|#VCx&rC5}mw7gawEXlfJuhCNw
zg-fNs_6cYMPu>#i5n1AzN-}>{i{LkP<Lk;Yf75K;5ncB0s#m?m^)h!Q2E!k!=f9<D
zan4Hgyz`nxGgjhT{!|)>Z0uy8c|k3HWp_yP{^e3rL#(t%E~-WS0&YXsb=~}1E#4RC
z@&)*pG+!4mz`v||`a8NKV6iu%Y{aM`YLNV+dip!meU%*_WnR%F=Rs9tLhSZe)zDqY
zPd_^J0eI>I9#Hy%Fx1#ws7rEvvZ<3Pb%Pz3Erc4Xi#R7<^FB7T|G<8O`2Z}q_IUVA
z@kO+BJyZ?h(WL&8>uv^G4)Dczm-CTJIT5O=>0Mn8#e@#b29bAlCW`4*b+nkDg{LN$
zfOmlkpDNp8&Y>Jfst2cq>olEFa8g7Kk4O>563&i~L==&#KP}NEkvtq#!hLLseqQpT
zRcCsSA5`EEyfz;dF)UZ=)H3cju>E}kT%8(;zp*WTw75w`!n<##`G8s1^a7Gv2OD1c
zl#nLjg%xaMFKTHlrn&X)y5V^hY+8qzZZUoLk)7qMV9PozbMLahcJ1)2iZGXk%XUg$
zMJUL$+@Q*IWrVD+<`s;IL*6W+$Jg6Mz6yrKC5eUt$%r_Vmqm1PJ>2;!1W1?{7jlC)
z_EnfJc`wMw3LxR4af!h_iTZB9kYBvPj*kQ+E{Z!D?{MwV++iWH^uq=_CA@en;BlG2
zJ+qk?=(uQFYP>@eSJ@4{fX5lBUqG8y!QT3`OZ~<aP;ik`h_tlTcAED|P+0E1O&Cw9
zG+?!z(}U|c)wmhKkl;bK43P%L!K3UhtFaZ0mDg(Vym$bZK&tt-`8{^$EHIxk?=oAM
zHugUK2&8+KQE5DahviR-zY|;(3hBGHc4D&x|BYCcX8o_ty^g;ll2QUm?myZ74s`Q2
zY$k0_!?yu(YDZJI*-mn)$4Jb@5qARyj#Pg~lnoz+DJsL?mOkEQXXTaPhQi<*$_5X7
zXduSsz>!a8_}d`0Sf$di31RVA-?j#;J5B21<hDxo-*ElYoIUo*@$S4he=$;Xg7b!;
zgUCqmx1tH#?Igsne0w{*N^oxPc6gOE_ZV4-hj}p8wzB=rC}syXr8UI{w3480we|c>
z<jysBqpjRlo8xZ`W}&<-6x(Vu{f%ht4#1d2bYzE}-Z9SKkPGr}c+~b6A|WF<frn0v
zzX7ZV&VaH9`;8hrlE+vaqQA|0*-o(QBOzWV$X=c3&!^2V+sQZA^B5WVN@`)F>%i;e
z7x$A|yy<c~W{e5e!&Yl6QXItY)h9$d5n_H~mYcUAPVTqH9D~oMZ4%zPf)N4C+$(7K
z7R-D#wqWx7b~C2GWbiR;R?wBrn6;CbDm9kV&=AX^u3K<JqRYaAMG_IfY`L5kZovwX
z5rLAf#xgp*#V(eJfTYs5+QktL(pq*hmhqVS^>}zJJ-HQ~p3y_hmP={QR=Yr=hmzW}
z)y@yEU%}8}L35<uvks~UqlU2mzemrlgT=pwORZvx!9m#n-=h=j?5z3>2|}R=mSZd|
zlvqpWD$l53gplu{79ZKQ>o7i;l2a`nUD?9-7FI~KkOkK;2(BBXfz`AO(}Fi>M{^+J
zd9WAB5%YIg+MB@MJ3>s8v-xjU4AAy&)?kd=xz<W+r!=sBk(%O3EWBoubx^l9)=_B}
zCo5!qmM5{8CU$X>Lol9<jr4pMr@;J(R(5exdcBt5NzM|wqXbELV{uJSvg0Oj*^MQ&
zJjw9bSDj7vDdXK_Pcj_-73<m=3-YnSCTuu=BGuE}F)0e$V?!TL_2lN5a;q$2_)Oho
zXC@C%^5mwt5l&!U4cb^s!#BYgJgBve7(gq}Y_f~YXs)mO%yh#{$CS`;rFXtv%Us#^
zfW1+8!z>|;&qOzx6XGPa;Tw~Uc?NzzGWHt3nbE-RyPLzYL3<&fqhlfro3p!MlP4i^
zz%f*AJ|YL;^mGWuW!64)?6PuY<bO|3U_tX$O|{5hT0M;^9|nPaV2pq))$^cwM5o2-
zv}>}{Y1kyjz9Zb9`>5y${T>@gmyU;rdmUx#SVrjhi9QkMk{A_<*&<#|(#!clC9#G+
zUN++Kfn`sK1f@+ZmxIzL5?vCbFV35!s1>wiCrlp6N>S6}cjHdm<E`zo<Y1Mo6lF7d
zpKzd1vNu(khTf;5U9cadxs<#;eV6TvNLQ>6c#QfRg(mq#hFa8pz>g%+jz*!OK9TA2
z<bzWhg+}BEjU#<n{ZUw_jOssf)QB>Xt!nB+s`)jn5jif^5Y+8;l&NN=dTzvH4B`wH
zxvH^N26PiQp{`EQ4T325`iVSM@>N{&x&1>>@_MS2tLUSz?Tn`REFxo!dWN+TMz)6H
zC-Iu-Z2pCSAmgzB$~Mkp-}%!>#!t5j1_itJGUTJ_%6hqJ56mkJ3U<2F2)u-bypA<~
zjlHN$1_U9gR#LOQkW>r^N~(;hTu`}1NPBrNfK5gKv7-2p@cnVLdoPx_4F5?MDkzSk
z_kooS79`<^)Oa7{B16e2&<9EkbB)vZeUN$#B}=|+ouOaic$UNaV2HV?A_FNXYM>?A
zc3wv!%izAR@<Ee(X(RI)UY301gIJ+o!Xy#18Ot=rm`l6kesrHC#lL$qq&5T1a`KQp
zKu#X7ZMKtIs!A?ISV(IKpmFU+0)=oNaNmJuJ>!%y#VF)TmOuAbv_eL`2N@sH)MG#@
zb}k5udZh|4UsYunM6^WO-DSo{+@wWSb{&d43Xp+e1Xyy`QP(2?GWs4xX&6J0tPMXY
zmWOgq0{h-}#14yUR>7bG=CE~~Pq(9};O~!OCnkdnsNl79^(ZR1iAy#40Tjd0Xuh>H
z@CP&>Bhh$%4Nd<66CQ)mlG^nHJCam11dR!B4R!j)&W~ak8b-0zvVYR>+d|^iuD!Y6
z;FXL@b0U5G4VKP~O2a6&nqqbX^Oij+Z;zc2&G<BTKGnr#XI6QP++)|)_GG#H_gmwt
znGJuF-saQToxK#Eq$foLB8lD$oANsB{0)O;=N81YnPe@u4nR1L2~%=NzA?#LpiHf+
zsc5&I64gLc)dkNMg-TGZkz-Tpc<$C#(NM{vHH2EgDyT@4?y$V}=0<AJuC2~Ti9OL+
ziPyF6Fjsn{RN_Pvopw!@`Z?_R;x!nzXdmc*@z6elW>C>g$-#BR{lO=iyCnCRNYO%J
zr?OksTo{(=6D^g;T~H^C7OgZ-)yLE-3@TBqR>SN0wNhR6i5t`!cs;)=&D+|g@TOFs
zXrqd`fp(p;ooG>_%CSLyE%i8t)plFWqFavHi4mnL|Bc9>mdyx5(c7sEH}ddEi)yc_
zK$+s&LNyQ_)Tk>mtl3si_*#67V+}itaO_U`k69m9=Fg0Y#sdbTnFf9uR4~{ARq7LZ
z>IB3HgDp^=KA}Y?;5^X@6wD_d)7}$s>tHNJQc)*CF^GcaKBf*Q?YyWCpy0-}vARGs
z1$+soFrPj?X?KWV5T$*0Bk);N_Y~ez3N8li2LAK}8gvTZ$H)n@0u>ZX3&Hm?oQWYP
z>#;Dra|L6W$bLPGfDRJDloXmERZ5SwM}RclfSd4EZY-L81Qu#f6<$#cF3X!hiF0Wv
zqy*hxWoPGdJ=VZ(G(>lqY<0FQ@tG(Wt>D^o9DWp&fZNo8Df(UbXpgZvLWAy!ydVU>
zpyj7w?P3GHq^ACg?+HHx12-G!p-O*2jm|)oX4^a#pr6y=Gq9esO<q!Sn7RX0esiRK
zb4J_bu`J$1;w=1C*d{Nj228O<9&6-HbnjWrI=6y?eEy8aoV8m=vqhdMHJqsQI12K^
zS*%cRs9?){acA7v<~S_gY>!9Xd`ka4Znu$kcuCFv88Z00<FK+ae20(ulq;|35+dJc
zoWS=mcqcne=M#2rJ66_GjM)Z$*WobWb7nZC5o^N};WW4ty08}>)h!U;co4$A%!mKm
zF$<^EzydkY8iSY}tE@wiNxjRJ#pmN|M1WpIiW_yJY^^dL>UyMex9_Cv5})vBRC0kG
zP{mD31N_9zP)ZY-(pjgtxyh6$nRK%nho92upJDatqQ>E;gbJzcy~U+aS;;=pRhgY+
zO~%KFZc4!ls&m^Xx@#skOH#SGRhf4-aY^0vwCJJCJDYSl1N_@GUzak#zg_V^=S+fv
zafv&Wkp5if6P$FXOe!`$*Lek}-KAvH7n~iW`a>gd08q8H>~2*bUl2NTV%|NP(%Jm`
z_MYl{zoa3j?WAaNuhPZ7ltrS9-%zE!G>dBgW~X+$PnnrE^UJkwujs9sbF=;qmwmrx
z>vy~CKB`DtI0u@0vt!o~eN{Vc(HTgtPxRAVYIDI(ZZ96-F`i=dM5t+mD42<DF!#XP
zT2uTk_KGz);<{1{0EW?6#6mSZfH`%dISdPsLTp+(XspG7*H2^gUk*z^pvD2@xd^}I
z{#56pooPNmoe|6pu|OZZXs3nr#bUiZP27u6ts6hXaeFy_M9Rs)Y7U&R6hETlWaLxT
z-q^&jRDW*}1uA?SJ6$FD@1x|u;Wy9=e4Jde2az%n11>xSv2qX-&ZWIkDkfZQe^2mn
zF36tP1Z=oL+#JM`<D0A$|J}6yZ&+&XqVN8OpE81(Wh7#$sH4-VKya!4J1FK7yuNRz
zhL_+ja2s{IWXGlSfT;v#i@<SG)&C~>ZzcaFd}()j9S?+bL#{1pc({|EmE!LTB0u1r
zbG^4tuKyP5{*|4V+y%F#Ro@o)FUx;3z4R5lzdOSMm3+PPceei~+WD28tvw6d7}h##
zgjE+(dOw_%9~HS~mATq{0oqWk@hO~Q+8}&Xc%uq7(?iYMMl;Ssv18jjFto2|=Xqdg
z54lwOpP(2%gp1@?H0)2fLNa^^%ycWQ`4bX(fJ+@`is3_GrduiQ0;D3thY+7zxQDfg
zVfc`#;9f|xFW6a;3?M?LR(DxCdI63Jbt@P<#O%A7`uu`<ks(4!{U4|T#ssqpjNp;t
zS|$cPo-V!OJ5}6=n^5vEd2ppDT~S~lM)lJCz&O+~k8VMt_g*Bz*Hez!R@#YhsR55M
zY$GrQ7V0-aluv;R;TPr+VF5I}6Sm#uVw*T`MMI2tMdd#aHyhqS@Oa|?@LZB{M*6-q
zb4EhQ18FcI&@i~b2;(mr+}6%9FVcaw=$l{A#kS~ub7^^7m=?dJq*A*Xf|>UywG+&7
z^hha2)^jwm6h^$~X;~>Yiotoe6t=vI#vbhMnpz5F9vi@-<Sq#Tm+azpc2dZsTu)AO
zDrpC^*3fo#v^kMRx3d#M%hNqMc_L_&m@ziRlanPm2#D&>_T<3jKd>h((HIlw$%!}r
zwdL!-6w@BYMI18Q9y<lbH}d2lrqR_$?fM1A3oKn~8NCc^ll6brjp8yY%#T?9u?Tgx
z!W;wZY#rlI7&ev~IAx;d(x`?oaj``hYmMEs;vYM=!Be0xy??F69V&4|S&-#Q(peR3
zDdxM#dj(1Wqja!~e@zXpV3EQ2Tw!x#7j?S=PZ-AMBsH2T#^->+?V=@Du(%ru3M-eL
zwEqfBcZ|<TD&i_A#^+$Q-brn)!cNWj9CW}PH0UaHz+o<xVLCQ_col{PhU1_a?4Scz
z?cDHA6^y{4M{b{1<)qLfe;^CS-Xv!&IFFyl>g@ABfZj6xhF-Xxs{XKVkkA{}!P_Y3
zJX{_$^tO%qp0|s%y0IF^^cr8orx9lrVP`_Q47zbdgksrqqv((06{d?7aB}?#4mF9e
z4z-24F$7KV7KD8jdg>Dh=)gW8TlMe^$R063C+Lc=PAF3|mlO*rKJlQkDttwd8R<Up
zkV`_Kr00l-)uLq^PfJQCsm^GivU|wSiK{Cf(WHLi^>+_aQ|fjyL#$-)U{#3i)7Cnv
z-bY=c%1O-}qLi8){6;qARljejQl54Yn#n20_A++b-=SZ3?XAO=Zn2Xyd2HmU0kE#~
zTqH&)-D0P%t>C1`bduXqgPt0xrtDoZH$91z1GpNcin`0qEik``$90OES#`=23PAf>
z=EZ|S{6{HMU%R<T=98M~W+0hQsV3dc&vum~2f^zQ%=Ag|v}&f^!Fjl8&*-$^tlYH!
zs<dy&FC5!DTD9OeG)p+~-g1|E{jwcbLyY-fMo)s#Gi2qa5T{sMJ`al-G_093y#Wi3
zSaz%1iU5=StUBV9*evD(rtcxLut{_y0OOm@bmN?{5sNu?va1u`tdgzVSQj0@5r2+D
zUq?B$y=>IRC_X@cMmhOjHfm$^@29+IC)ZcWR%}W3lq92ZkOuqd`DiD@SIJ-;2H!qf
z5$!bcRWcYS$up7+1BrQbALYe3^?j9$#bJ8fOZUe(IlfAU-Xu9ek{*zlAotRm7$>b~
zB|~o@_vk8Bsz;DiQ;eKS#^m@u-7MAjDMq?tq*XFlhaE?I=$XqfuU0Zxhmw9nsQJcT
z2I(YqfGI}iP;A*^v6TA{CO(Gez}iin|A9vEj7yFF$IfrWjpmqL46_SXdm|8{WV3k`
zetIcb1>P;5MuU7N&R900E%n0WHxE+2YDLX^5=~lxeaYDH`z<an#m^{O`P(oXk;1uA
z6BxZa3KV}Pkh@-3RTfzZ&{?V=rbdfyaO3?6o&b+yTfC4^=@?^xi`e1ez)!sY8IKW*
zBk1<W##)K~rztfDxWH2$qoiXXh-+%dlL%>9M8h$$LditnOia2U60IiwCumn4C!KDs
z<3y<#d#(JB!^N|=jM9h5d&yQ~|0rr$$7vce68t+QzdFdCjHYK5`X8g&b(|s`Fpu1t
zg&=}v9?(F<`QtmI!y5S!Lo=_d4E87E`&s$^q4a33QxGx)3Ayst@>+g`$V^O8@%G%{
zd2#;14529|w!^{*JV3_KbNqvlkoB+Vd@+8+(oBq3e0gV0KjLU6CMyn>C>*G-o*ywZ
zQ#wB}bi|+s2M>LMwO^XP!cMX>{SVQczwGRg2a#Sx6Tk~g_9I?q2J8WQW8?K~BlV%r
zjYB{pBCxn^i=${qo72qq&@FyM6ytR4b9fX`&-++B{AJa&3eda{0_t&Rn<3bX3dQNV
z4lSP5+-rt|7^}E@Sy~}B1p@yu*k7S!*j_y(suL=8g3hEmVVsgt`#7J309&mV#B)kW
z?W55aMAmqhngwde^Ga;*=Lf6T2{?MhgQ$<jeqDl~loxc0E<#Ys1T{GvxHhX{*f=RB
zs&%K7S#jP;F7;gvC(b)r*&x5A;WeGO7+vHk%1i89%Bbn2d#Ae8oJc3lCtg%vaFCyf
z_r9d;n+N$;z%DPlB<@Wt7t>UY9pXX_D=Qn}_6qTes<A`*3$IBdou<F>nzZR^N<Dmi
zhH~nBRhbD6yP4h*^hSBZYx;)&k+V#nq2Bx*=RR^ozkx##k)Z59{Wxx{n5jPdJ9@nq
zK6{o+O>vyKR^oLQJ2iN>z!yNqim*Rz0sQysz?<?DENAb;Zq5V7e8dXUy9QcRvXLJW
z^E<-xjiqT{Qph`wsvIXJqPCKeTol^nK<7(|Lu)Zm3~z|TR2=6ti(;UdDfzuPa1YPE
z9OooQFj@>}2(Bb5jl(pxBhE>Xs4-;lAvzo96iC!qQrYpK;_w6%;zQIk-pTbcY78s+
zLE=WFx$)=&w#(vXrlavrYIuvvSTIp+*%RXE=}0F<?mLA~=C}OljS@VT6rM_>s3_#k
z2y(|BxPki{-4^B4lQ6QJQY)gI!fdX|Xh>vh4YbHiu^S>g&-~q734{ABsK=wmTgCv)
z#cjh&D%om}9c({PdI}1)({`}g&vC+NLn5k*@uZd=k!YsiMKbY1qLbuhJP99uloFHh
z;S3>3svA=pLOM!glTg%Ll|vP6@K|y5WfIgti6eD1s_0CT(?mi@@K~v$ddW@$i5~Un
zV;rHmu}&sEn+#omAtYwK66@epNLVFkU$T=IbxS2<NL_jwN4SOhZ4$NVS=*^Aw<W@=
z`aS26%0*V-5wm0t?iXf8Fm{9$@AtBIbQB5d`v#)p6!UbN1fK)^eqo%!#<Ws%Fz~jw
z;jHq#c}c`$bL>6XmNp%(EZ^cd@0!vTbtqim-?w09i7X3K25)|2ns<&SWQlxYu95^t
zs9P-h#2d;<wEF9OVxDI4{aM-b)o`jpDf<LR=0|uS@unI;vL@qvLT`JMbsgXHZ6!92
zUjLw2pmIFw3dW#t|Kc5;=8DGPw1w(zvNObc7bzhn`%O~xyP8tZy;OQ7)+ZJ#8Tlin
zB|45zEK!!PAL;u92MED?E;$=yU!ga-{luk(*W7~-2Bh3FC9Qta#l1FhxlYvOy*6=$
zD)2Gcz|Y2_Nbjp+9-}E4ENDM)$u^lzVx;&`EnR-r_s9FhO0{D7S>7MT+s?%*mxX6i
z>WI~9s6E45oGPpimIs4vrYIBj%oFfy8ek@2cl9$EYWGC-sBFbOxwmm#=1;L{6q$*U
z%V;4Mm_HLTY$s7dNpT5jZl;qL!6+e?nt@``FPToJ+;If?a*Q8Kq+wYYw{ONfwQ9Nb
z)~1qyLV1VG3U{POFj@#<6Q~jO-100ZQ9_4UD*r^gvz&tPCY1~xO1gQ1Q|Rts{fUMo
zIBEwgEJ8mL+OCD%!73><Yzv7M0y~hc-YBYo%K+&j+lS^PV$a>$1Sg!vBsw+q+5rb-
zzXiCjuDF6&>+d6k$-~%Y?Uga&hMPB-amGm;hA~kdlU*0(>Z;0hhDuvOphwnol0$C+
ztFR^2Y~*0GQ9Vd$Mgf34oTk3@oNQ_Rm(&EN7(jvv;xw(Q2U)}b5=7T8^j$rOE(VY!
z6`K!=0VK%tU+AWM2r>qcus}IQPvk==F@Pkgg-o>v1*5|$I-KuhHO#7H;0W(Hse7eV
z^MaNQlFq7RAc^my|D>ZNj3L1oa*|$8#}_bigeA@iTAz-#X52_p$3fL^4GR80CwQo6
zebF_oY4Yw$29dBk?zrq7uVgwks80qOuGnRxOWfL)rCe?7<-qS}&=f=AY~RGZ(d-4&
z@p$ZDSP$@<9fPvP4dM<Q9`pj{<L%-CPJifX{TCrP_Mlte6{bMR<2*ugd_r&f)bCAm
zqRQ7PlX-Ay#YakGJK^dWO6e8rHCtDk{ur@AEu~NL_sXgh8`Y}$q<&s8Ki16PN*AA$
zD+|FXez?B`PSo9>DoyW{&LTMJGo7R}3QpRjWa=-RTd=k-K38({7oA;o+9PE{#TPnJ
zXIPzxG<Ynq2kmLj(Op!C&8pC+b#4Lv7R}cg1^8Q~LMsP=Pkg0Bq8cDRvCSnv&U1k9
zY**szER{5HU=`Y-%s^+=Xd2VNiS&t`E{~re#oML!M4jWua=c%w{Z{7!PuU^6nMG$?
zJMsL49r}%&<!CMs(w%?!qC@uZtVTWBKmsuB+snQ09<!}Mar5o@k=W_m7e`v$3hQlK
z^sDh~aq!ePO)HE&t#A$1*ARI%ERVjzTL9^XC8$Po=Uh2c#u>3)UeAgh`npqJcggEH
z@wLA0*4J<3^;fY+U-#<kK6(93?AO-=`ueTB{w@yc>mhwDKP><GLwu*N-|OoUc|9+x
z^!2E|{vfY^iXZj$Cw)C8uNTD6`g&YnPsr<E;-tQw($`<)^<ud=t^N^b^!2Q~{w>bw
z>#zFyo4j5Uzw7HC`g&eoFN;6*^@6_sC9nU8i~9PvzFv~oE8?=e-g`y-qZwD^^{Tk4
zu9l&%*tEf$g5hhk*&1yXAllxuA`>e9(`Ex4JM#h(uKnp*$#`|2K9tcCooiSTI?(gQ
zPE9)9$cc2)^`^GlD;dV_+0*z91Bv<-Il0uj5u`mM**&@&zmn|BJJ9jyg+@+RC}Y|^
zx>HFjWQpz=Mf;h{*mjrBfleDmnT?(FP{z1>4We_cp#r0C$5KU+lSF;;oTysv>w8z;
zE^jibheRw@7Gu?LZyx4k_qMw$856&=47Xt%Vb^V4sJsk}!)@lQDk2Xz`lBvnHACc*
zFDE+5@0bTZgXM5}QX`mN%7cQ-AUWphGn_?1D%Wp>(Ut?^+;7zqpTq4i&RlEuG5$gL
zavofnQTJ3bFjRK8@h4Z;uWcM0)727_90NoMCUahuWoL;KO;d7wp%m82X(aI?nTP`2
z8^L%HqRE`+42mZDGU>}!&=VLd>fh7&LuJrswlALQ6+<g$s7UhhtV4Zg`{HQff3P!q
zN->scj2!j8-S~sE>M`4wLx+o<EN|yZ#*pspOl{kvk<Jx{#n9Y_(3lxCy0f$KI}0C2
z@lS&v(F^?U?Tz0#m#V_BRBBe_q=eoJF87@h)puIgW3f{c!Nu`=!c2w>-4o_~a~F&v
z&9KXHI*gZp10;F~9x2;VQ&YlKlmpqTmK8eLq5F$GqK{C0abuz5gdAW7rI(;vG9B@)
z+FcqbhEE(+vNNc_Vd9YFRexHfIIR43+)Ak9{jRYGzyPY!t+IIU_byBJX4Gy%#1S?B
z2AaVqs#Hej`MJ72anvQ{Gj5ZHMf}jj12r|!0qS{wZ0>=_gYl<)j&_drh55u!F0cCG
z^g+I;NO4Tn%LU!~I2^OY@p^xjm1A7sEHWi4>p1tuD5EL+__Ps65am6=JZXN2C|}*7
z+8s6~7)_^^#)jWf$xsb;+5b($KgFSJ+e<MF#+9PyFld8e@Hh3{8k@lUA_>}*v@|Z#
z)NW9H)7wE`V%$cu+P1?DkAiC17&qM74PzEJc<7~ePE85gG%f~|hX-S6Lp!LwgK(>4
z9cky(m&gsw!GDq69>a<u*giw?IqugxG^jl+4GhLgzWbSBw4=RK6xFMef!Uq|jcckU
zjQ+2M(@>(cgL<QS-OQqitCGi^ht9Xa>lnF}cW}eW22hE2wREyOaJNl0#v5=}$%5-#
zFKn5Z2@UOM9Q#y)&Ddka8)5?ve7cHlk#(&$*lIBx?(}cN(E9`Q=Pd}ZGTRuB4&4F4
z+Yx=lG_?w$Lt|KBnyobsmmMmVHxuW@AqcFBqG4g%KNNJ+&^f>X12#|C&=8TGcQ;rb
zovyRGF1=)=Who`<FU}Ov`1%bQ_>|fpbW-U_f9WT$Njs&}WYhV?FKTHgTR7f(TCL+Q
zB4Q^m>(00&nmNgPR;e@99mwkw=hUXo>dxkk7Qbqq{4T2M=A=dZrrvUidwGw(9vtxb
zyUO~KDxzlop_!^iB(q$cS9;fF{z@Fdhr{#+4`6rc5jdko{Hbhcm-UzaEB%5_*LD1_
z^uJUftbcUo*eWJ2Dl_aqD$8<yC$s<7?CPADtGBUT;pfq=U;!yA8zC+$)%S`nS8&ol
zI!R{~oODGcUFF<{j>5)}N6Tse(R+Mg|1xn^83C@6zpLZqT81WdF8XeLvt`OUGY#t7
z(Xl&Pf@O!?0s0P3O5%W3i(s}c6ros{EP%dnlj*>e^^P&@UpqjXjAKZqX^G0Jfo~im
zFEEc?CF<xj^o?WWMUq@9`l%xTD289KqPt4I8?mArt*9$>15=E=AnghbWr~p(toE+Z
z8#h81ei~G6YaFk*<3>!NPr1|;rWo$dXpXdkPELk|yJ2a(Om}s1nn}1@QZF;ba5t=t
zm+9+HPJ<eyl?-^7bT=-kdXim=j<kiO=+o9oi)H|vQ-gY;N}Y$)2nNJkb~XaNmXp$>
z7#L^yDs$xSol5zoPQ6-O$062m!#WM`!6i8SWcZ4j_w=z+;-AHlCppPz=Riys{Lk=f
z`m+X2&UP|G%5g&;9X=#62#!FDbJ-8s@i{g8h&h{>sCuCKtKJe}V5jytz=X}L2)yN@
z2(LSi@wvRlh|M#ogOlkS$M~EiUy&r^b6EvQ{kVfu+c%E!x#Es!)ngr;Ccbfu&q*??
Iqtp2R0bIWiv;Y7A

delta 44290
zcmZsE2Ygh;_Wzx^ce9(a{cbkBl7x`9o6YVfgaDz1-g^%rKp-R`2~{9$C@CsMlw%ic
z_|&H&!afxceS%%YUJ+2A*s=R8@c-U>HzB_Nk54{x_mt^p&YU?@*!1qyO?#*8jJM_p
zf^M?V{V&Y8E7!wv4$Qwvv@a6`K5C1g1JNM9i%|OdV3c%93`<`n2x9T>bNW8)%Y#vd
zb7HvoXCM>Y@2o!fOQd598+$Nn=YFwfkY40m_=w+vJpAhKXZcwC?xX&`m;H?2@#^n(
zrtp}<M8=n}zR2ma@^iTGHhx~xiHv17XvKIF#n6ou{}6u>zZbt2|0A9i-xuFJXr2Cq
zI6^ldun5$mz;J|_fn0<M0UJWgS_I-$r1f7V?cY*3Uo1qhuQ||pd>#K<e2qT^@Otq^
z(JrpyWPQw>a4=>1L8jLg_LH*ba2i<S@P!FKAVL!DcuV%gZRc<Ew*`B5!*%_TexX+j
z<Y)spi!-ItWP17=In^T&;7K+q-pLnMFRENw+gw*)S5+<CCk_{)yP|e|ffJ-(so5i^
zi-<;4?I@JQLqh(p^0+#D3%eM#uP!lBO3&a;D;F%UX=<veuWM?ms&A}rTDg3AW#d}m
z6p|PmBV{{TedWsLCG#2@>sQq*tZr<sUshc=7fHk`$)sy(rD&gG?W2<@WwD(5=&d{T
zy$27QI$=`%qA9*b^^2Fz9N9c<rq^3OdEMY;BNjC_FIX{j@uDe(6&}y@-T%6)pRv%>
z*Ik@n?8ZNzF~}tSW&7cFy-wP!JJO~*!h*UZ{PJK!0sjX1=qBC}CC)_;Zsjey30rG`
z8Mk#7!ZBMXARM)I7{U=-eF!VILdbN(wxY#!L$>M>4&1T|VgD@)5cb<L31R7$K?qB>
zppkUGExizWwm1;FwuB)p*xZOPcXK7eoXryv_TD@cVb<mnge|=`D?*dLIT2y%W(&gP
z%?x2&>k5Q1t+Nq2TPqMcTD=J6R<xVW)@np(474DO3SiXeA_6lIhO2_84=728sp7~3
z$@t9zR&?-R0SV!ss}cOZ1i{Z!g$082BNCT>P^9!b6h-<r1~Mwd2}6{Ink;@I9uoJ6
ztHrTm0{<_6pFhs`@D+RlPv?4ejvZjz*g`ghB?`X??+A|xHwX*Wh)Ue?@e=oN;U@~*
z=CB+2$3TtFmG~4cd`BtQIeO*t*MJ%xCvi6yKCfC*S+}@)URC|d#-?gTTI%_~KpvVT
z@e&MZdT6b~nWK!@axKDJl?xZnt88kjZfaUyUDw=D+1ShjAeW^{yqpU!()ekPI6I#Y
zR9_8sT+4z^4|2$Pd@u-Jt%Sja)wR{l$h)z6VNJ7E0-g=JJ5l0(E<8jB@*L4oCSdY2
zB|d@+chS*!N0OaEm~`1W5}(9{o4Zoq9ho?eodzKzRpJA<a9t?%Rn?6(i)yMWo0Z|x
zT-m&`i9G?XG^fOKxX>A@|HAq@m4odAEhSsx<G2u@4e!dSg{%#z*m#L~`RY)bE1Rkt
zwemJsE@p}xN2f?^0I%&T%#C(?6jOx9o+PnSUP<nM$j&U51&k>{VtzhNX~w3?<+WAy
zb&F~iuWZzEhn(ml=}efI#0>OTn3%?Nl%f~iMxmF)DtKWi{p2%NXBawNkp7^n^kO2H
zexjSz@Ave$Ud+`?7h@#mX0*a8+uJVd#o%SVG+|(*GFbijURPmp5zQJd4UN(eg~cvU
zv6~(oF6DG#JRV<>hdvoDWrr{>x6kJ*q?i#>9~I-vFD~&G7y4=J2+1Fzq~pu?7y4ba
zV}#T<#NjV=6?u#3tr3zhgz*)-z(mfGQb`xa<MkI6((I8^{}9Go;&Y=k_x8YeeQvj(
zE{>GkA)X>Hs^F)*QBqEfmUofIUFh<;M4jNwD6d?&yrz!!jgsQ*3e}rm=yAD<y#-t+
zI5Ns<T&^KWO~{+?_Lr1+OX#^#QeFt-Dk&~<dG?H!rmKjOe0Q<e>n^5+qow>1#^v#s
z_)6&Z(UM=qK>wBa{3RYbH(DChg(-9u7kj8+j8qoF_=}4QeJ)xvMjFwDaeIo~ZhB>m
zR2;(iiv5MYVzQ3yPRHjiL}h8-*iefV=X;9^kr3TIR+<os<#iRgTt&pjg(^{;U*s=Q
zTE6c%$))o6^L@o0m)}dP#z{pXjJMeD_j>8@xKPVOFudL(m-p~^>F!bb;+4K(YyHLa
zz%5cQ{qQkM+@6UpdixeBNngEuX;E>dH~7ab(sXO61VtsqKDR$O@1N4xPZU(4JKtRd
zsVbt!ck23eVG4^}J`{78Zg>def($_%rtH!U?!x%I{^CNqdzVh_>Oxn3Ns(V^fOETa
zY9j%IHY#%aDC4?rjNe~W<SnL}9vE+-8!7+u3dZO4mY_V}U#A<d=H<%w75a;di)qYm
zo!a+E*<0du`HN`VZk^iI3dUXHcYEmgZk^U_CHX}~KouRnUU&6gH63O0EAqQtL`7k}
zLl~dS<0<seOGRPoP$=~0qxFl6U1ar!slx{t2wsuTPZi#<EH#!NomQlD>^g5)u1#q}
zFS^?2^%YO`=!5|y$l?o2q_@0b>WBmpg5vf2DZ&@Z1j6j``aEtL?+a7MabXdf3UcYC
zHeXnwnu$B#Q{?lY8BX}Zy1K;!bx`6aqd#nPh^Mf`=RxCD`@_1r1sp|1Mf8|IY@jmZ
zE8Sb{hI~f^SxUGh1$F(xe*2p9Kj?CAeRSBG7@g>46d1;2D#+IVz=gkp>3#ICtyJTp
zF$&%2E(Sr93_<BWea#jn<02n=1kL85wYi2OMOPJh^L?ITPa*v)*PzxK2#>eKUF4>3
zat*3ZDJse@bQk+wUMk2ls0|5>ySNBCgcjr()aEbpps|bmXqo$fQ4{v$Lw6N=>6<*m
zEH!VB(s+<!nw)PaP%(x1B}&71X-B?6?RyUzxXAA>E}>KTT2`K-e80D(u+UAsz~E70
zc@PVl)8(S_0)r|;z<7N{P&0H@fmY<g62$VjJ$^b`VDPI=0vYnUJubI#KYNW?g6u<`
z7}X|?M&pbQ*Wb#v1fwp5*N83ku*I{s!K@K;w!s(@UE9_n^lsaLu%s;tVObk28F646
z%pkF%Ee_$RHW+>4*tQge6WUS{PHTfDBhGHaWF#(V!=gZ}Zp%kl)8<CFybTtK*w8i_
zVQbq2gx9rALwHl$9GE`h-Zt1@;<~oQu=REt(S5p~!r5;rQw8w_ai=&}jN>oy>v;wH
zi9O1$Vk4MIcvHATn7Z3K-Nh@W(Ut+mQd413Uza<-sKn!e1Wlz^1{kwKIHeC<Ma5HS
z*4GiaF$$kDN?mBclF2$DJEL5+YiV!3Aw5c?LYkr2X~Z`XnM(V6{rM$@Zhx_luKFfI
z9R$E&<|@HxeDs?LRb;%re2>rXFLBXN-$YcXv3&V%F9gj;72igbhcK>^B1Jn~|7|E8
zU%m?(6YBb<ZzBdP<I@XaL^l??294GUr5SYk+lY87{Vu|(CQy_Q&8^7g-0wm~bLab%
z>9B})eixxC9Irdy>+yI|{1?8{GATk~U4E#bd;gRyhwtXh5M+i(aeQ%{0P}sW&?y`d
zP77Z$&Z3!@jbe4Iojt%l<=K2X-^L%|@9<wmt5_gT5m$;gi%*K@(e7!%f*Fygxvtkz
zaSXfRV`CiMk!LYTE5vd}Y@{(ROh|7MM=`osW=a-?<YtTsOA1>_rhH4Lv|22~IA-RU
z;N@A7y>?_O)kZ@Uqalh5VG`uIJb5mEN};=NH>Cu_YQ$HOlk>VTJ`eQw|H<pa)VpY9
z?V_66S{naVWNz@6uOe-mB6t|Pk-3Cth3P2%FuJ}zs+M{y!STANB{Z=vsxCOaHtKhF
zZ+n#G@YlL9DJD)3ujjJxUzpEWFsT2ez^rZc)OjSz%QEQrk*NLQ+v@aAua|EgN4t(h
z$@J94C>?bijdHMF3O!LnTo(|%bo^z5j{Z0r)fT>Ox!ze?%C{P|IGetYGSL2GQ86q%
zc>Gw@Kt?HBqG}n&!g%R&<l*1Ku#D1OjM~JvHB#HfsQxUQ_PrKmr=y}VLQDU`#i$~_
zZ3QKLA2o#a?m<P;Wqex$J@q|GoT-)QA~))S&L5(lF!61xZg|63&hlxm!`M4m#*B>d
zZ7XRYH}+?F-N{(!jgJj>`txE`1SyfNX(_$a6k~N>&BC<ofNfhdy`{v+?GeK-8VmWh
zCR!$f&_^W%QQqCw@NH}K&M{;7R?iLZ8<Xj&KE^QG=rE=-cMye`jQrQqQ<;VYvN?@|
zb%lY<ZR=>J(>Rh9(Doc-Z`$NEh6mqv8ZTJ+wyWrPHYgsA;^|{7<=fU%Lm%T*R;1tx
z=(ava16}H4^oMWTpm)w2!via*(usV(>toc@(Hu}~bC9_&2=-NmRI@Nc5RZ$sVk-ZN
zKgL`5C~jk~vQ9RQB?vDGHwt9^Q(wf(7SYZ&i(Anzif&Nsq#}1UoocgWs5p#ae=(;0
zaSLf&KjUB(SD0Vy@?rFrRMFmk#=H=&&;@g*#Jzw%=x5a8y7LQF%WF_2naYelmCu#$
zDe<{nu0iu@VhC3Ro55EE1@E6nd&-PC3SSY-ILytSqQbd!s?3-f4_qM(=n|L5<@3zZ
z35gly$`VUiv#55g63K;`4dxQeq1ja2-<Tc3xqQluSTu|3`x|?!I8T0IvDf8ukC;jK
z^f#7u;oK;id*Teb*xxuz#i62@20i}%(`m>6BP;~uf$0jibxHBzV&e$LqG)6Z#IA4f
zniAt0zF+!K7e&%=<8Ef58;2XmvHrme!;Mjl8R_Q{=wCk#9BEw4OmyE!<6u@wUyn2%
zWoCLh+>}5kM;S|aKMa+xxz0dgla1S%m2Q}9oX!T&x08)4nT-}sF=n%J+CIg&gV`x*
zs<BiWw4qI=Ia7^=Y%uMdY8=BHbOv}fguZVzMh9Kfj9<mFXfpq*OQ7!-nG7^=1=1LL
zaNw<OCbd?!LEAN=oFnO6CdzQU$rM2!PnE-iNlnIfGmEGFt*GYcAQJl_oF&kw*BGa<
zF>2cM+cm~SN^zPb+H^o#MrW=yE@LS)a=URJn?z6dH#w<&yD^34SZxi#2|JAUM6y)+
z^=6}=P0^_L%`sVM+EEObwp)yc9W0IdA23$1sanZzJz$)|jOnU++3aqvTu@t0^>-jq
z$3bHZo30gM^&KWN-B%dy4YnUNuCzi^U3wPXF+-z1f4j*><L^KLYfl*e4K?RFX`Cd@
zoZObF{PNSWlg0$ytk%@FEc*DQaR8g6<?MaV_}^&go`N&R3A(v~6>ZtH^^CEA&7(tS
zkW3#s_OUUa_J3@&OY;Y{<tSh|t2}(8Eezdu!8iokW7Gv>9;*tjy<nWgp?=0^7!r1W
z^i(+g@TD<Mw=huOmQU8NjAd*Q9Wa>U=;0?!QNfj88Eq!$hW7s&y=<{Y=zQE1MZQ@U
zH#vSczRg@T@E3ikA1!|v({)P%!`s|c{0AC!sS+c7&*LU3NPigLieiPd++Z5amIZ+~
zGpH6w*%V!EAi2#;@e!sWY$93vo1!T;(qyH95hgutk1!Q5A01PO^(rw4;)CIaa=o*1
zoT6~b`<asH>{Qu6V;!b&`cpQgvGodPRyTGS8$>raOcU8gE%{3h(+tSw^k~z3)}keP
zD%$kAIlQe|?<_0hTSk%lO_QB=FmnVwmuZS+Yl4u)X%602MSc63CbJPrtb97!&(t@(
zZK2*dXA}=qDn-el^<|LgyfRY?TdOb?(1tQo8E>nmBV~wqm4aK!+ZNG={%DDN6tVl9
zw=Gs$q8Gh7z~pB4-W$W^!*3dtuA6Q0LA1+eo0hPv)q>KI*`|6nmU8Eq2C{24)c!dp
zBki1HDq`d4#2nLjwq3*L&NWSE<7w+$pmu1euNBk;8afZCohmB$;5^gE5^q~V*Df@T
zW_23h#f7HHysd_YRh!1K{hACuSZ&H+ylpAnJ|Il(@S(c<0u^n`sAMq`9j8ScaK;o*
z!^c`ol)n+(SAWKo82ov$$z$N{4b-Q>G=cp?8wgi#fspN8XNjS{vARsUG}NM}`C0lX
zaxF52(Vj4KJSD9#{m9$vX`X0~qq8#9z@|p@@W4iN$SNhfOa<ZN?R7m^c5Z~|eA8&M
z!W>drfC#7jCQ}}7UruwHOvBi4jgYhvBe!3Z$r1de$@B&axPo3<Z<>h~L%e9(+k%=*
z+kg&kZ`3=hCh)*=O5I}0rWB=OFK#fU6OTj+;7d?&19^KB#ceUU=sShsrj4d_wyirU
zG}uN{f8O3q1ue*<T_pq&ca6l`S1R#lvW_0y`?r_|urT_3i>V9>?DChEWZJ&Xqz{hT
zYH~29r^;=naZ#y(UL6L#b6gn@RM3I5mS}~?K<{rer9z)S{ih|K25vP)Qd*m-FAJwR
zZK%BC3O@K^o9VR7rqQjpLd<A)>Kk@ie>+C^54S>=rqVxeGbPf7+mPbu+t8kSt}p;u
z0F?;_AG_fSTD;wqZ<wri4#?wyc*?&GtvK#>bk_A<EPiO=$8I-`WV^MhLL0`D>kd;P
z27c8YrXgg3iVhyT!}NHJVUFH8!p{Q*G~pdEee^FB<IaDXqS@_Q)KmX5^=Grm^f*4Z
zX{f5lO+(o%`p4s_=B*m)fhQmhuRe~r$xoQ_*-RSy1c<kE6Nf-AUwi_!xVfu{QDl4)
z>|>wANSscao&@d2E414{3!Zt>G%AKwQlB?Xqu5<NW~sAf==i(dG`-Ij(D$!OA+7jZ
z8KmU#w@hieyJ6)%4*U2}WFW6?p58fSFb|AT>X%BEcaZ4|Z<`X>zV7;&$P!`F(ebw-
zz&Fh?ndlv~M7U-a`r78w$agSc@Ax0~;PH1%>oJ~d>9vobe3pM`%4VB19(8O2p{G+H
zV%W4TS6K3C=SRr8>?5enKsR5Ug6+@S>J*mgY_m!TB7vtJhh3s%I3$_lp$k@0Dl?CZ
z+7L)=TcyciiJ}DU<l^Q?x|x|%*)Sz428am6C(P{TZL5`07^kr0vK2k3Te#WJ+t$!g
zZXU)Oy9v;pYnAamj5T%RB7?7p=IfcEZJplf@$jwmeWlq>{jW2JQLD}@v(<Di+MGmB
zUT2O7KBY64^TTINk|ij~<_+A`wjTO=4sWf}Ch%Q4jGF?##XzQWas&mV&DrcBCH{lF
zZ3FFanj84TaG6Xti%~(Tm-#hr5cJLo6Zqx<bgWiUOf6<3iCN}!c2J2GPv2&m9d!8~
z=^uxCn?H~kqYrb<UUo<$UL0&T1xxeHk$T3dqR2d$1-l7)YG^a->0+B%NB=AgchMI`
z=2iwv!D}AHp6J1L@vu2E_?g%IFf-`%PPd!yNT%}N%uYJ!H{00}jdOgJIf}mZo2~4q
z>a-zgp!sf{NADa}LgPv;4m$P+X1A9Inv=NrEwRHW`S?K^#z3*<=DxZjmA7Fls-yBA
zDK{IarQ94%mk*f}HE!U%2Cu@%110pxKyv~)1}RB?-<@QC%-=f(nakLNSE>;FZjgDY
z5qfOqc=KX*TqB$n(Gz!^Kqve)-n=>tnk`^lOy_=+V(3998u^Y1=JD+5;Kd2%>rBQ7
zy>sYLzGZ~giThqg#t+O#sm?~56ZgDgHqnps&A&qFeN}0m#hwY}{Hi%AxM_je7Xjlp
zSZnsP=QRSl%s{r~=KEnhA6;&)Vb9Top|EgXJCBC0sx#kbhVdM=(cF(6)2gM4TFypu
zI5llFXTm7HSs}jCgZSG<b1{^yyTv?{o!0QGV9aYlq{L{b@|Ro8cj#aT*KRfUXKyGh
zY4plgbFsmxcUE|Lz)PDBn`0?+n>mTSsgW0NgCxb!ZQIPF*;^V4B4Z%A&0NZ2X?z>-
zZ+GJ@!BcJKs&Iq9Yl=|QyLA_ua{exJEPGtz1foBN=?A;a73_7TJ(Bj6T8uRII`i*_
z3cYhi1rN-ieH+a&^hjSzBsJ|uh5xBUjaNpTC3s@Dd07feBKKqFh3rE*@QT?-FF$6U
z$Py{}khw4WK;wmQ>8R`wYQOoAxi{?g2M?Jiv-cI^Y8drv4+DBnf%56k!{&i3j>>{S
zy`!Rn$AjiKWnG%yIc=ySz0qVjXEu}h6;%G157x%RFQdzKe?S1{pEFw&LO+=HC{ht^
zdd2KwXO(ibV=C?Ys(B&FV=W1E@l}l8<*%YZAH8ZGVo26Im(SvX7Ak+$oJU7bA?3NJ
zP|%Om8U=wUwi;mjPaDbuqm=frD`hBR=e6n~+X_Q3jl8UzY^Kxa%o%j9uSF3`Go_tJ
zBWKal^X5kOxfZb?47E`NjbcABkAsb0^9gEyK_e=H8GPjvbFB<RyYFx2VlMumi7c8k
zoX(b;rQof<nX|aTt&KsyHU@M5K=Hr(-Rxv9X$h%A8(0r)@cDn3%V}pYG=ziC|6xwj
zvH3TAZYkyBW$MK&GqA4M$Sj2>@vp%Xhn7zsnlib3(CDG$Vo)2tcOvR(5V!njn5%bI
zPvQX#(b1M{S|nO>xcH@(oolScNhd_h1z4{SNtW5{(H@okNV0^}^FcHq>K;dpI*ZLP
zR!ggi+(VGoA)O_cz1Aa&J<KxHFizvC*LXU@l>C0`!Ss2UWiYI_9KB^07k{}z2tKa2
zRKy&PVagOxWT|7u>98$E@Xe|JI|JP2wLo=!r?hY`ec`q2gL!bZ&oYsn=uRzMn=2yx
zmH{v)M*2bg?0<;C7yOpzILypleJ$hJs~S}qDr79Rlws{Ks?;)$i$C`uJXdNdIV|ho
zm6sl~UlNHAv1GB))Mp5q?m&0)(e$q&mLXUe|24!ik&C|vp`?a$-Ka3<+DYAd62c^5
zK)hdJ=`}(8FZ{nkk}yILKNU}kcZuu7dE!9P$$#T#`7`_;el>5#hOC#zvrFtl_6Xa`
zCa^3f<0QqK!sEhTVT-T=kp&@7$OvSL;~0GtA*VV8OCUqcV5@7E)y%_Qa!pljwGbOf
zqf<}XW0Ru;siOODw1(Q1i)-qHm_UlM!?5>WyQ~-D1Ic13qwmY?PQ8#ENDv1zvaYbl
zD{04erM<GTwxP0liI5eDp`<76Sz+#gQ(Vkw;Bs4@B=iozA^3#7cUX47E>2^V>b7M_
zNXtSip0Fo}#Rbe_38QlttkHVG88C?+MyKDm+LgSGO5W^*6?rEGq7<*{ivHHPctH+C
zig~QLx^j6_Xm?%tjo1-%puplpng%t^Pb^3?KA=~Unee*BnIJd<VPXO6amZtyddfpc
z2uL)bz>*M_8Q|gsaBnfC>49a6lNRpV7zynn(1-b!7+qG2IEfML5u7VY-ALQ>EvY<V
z9o6Ss5_EBEm5e7WH%A9ACx`1L3L9;C1Kxr6M_XpoIUUrQI^=4`SjHM=YvW{vHZCuW
z!B~1hlOgcTgoS+dSVeq()D#J3-8hO~Zk`=%7-xwJhh4j2x@8;_=#}Y~pN$Jb%j}xE
zh1F|_)mUWuZaQX%i!&@auwV*mENR_{a2m_7ikmgl;x)Bbp%B%4OQJT!5HXitoN38p
zqLOYJon3;JpQ1{F`({}Zjl6v!9bbZ>DJe;I^7cjaWR0a92Et!8mJ7UnF@3(&;)QEH
zahau;(bT>~@0?W515>nOovT3=YSvhKVa2q4jb#yUuc2SoSo*UFdS$I8ou;p~6!G?@
zw0$jbkqT}(Z(m0J)?qY8Y4-bT<1AMC@=@DFx;)ep_P;C9+^a0DyuDVjcKgt!GOR>D
zy~+~LjQ2|VlzZ>y@}0F^3-;G6k76Qz{58uE;+N1X15R5a=)>2b@N!RET$sD(oW=-_
z(H3DUanorKUptMaandD)nAn53<aJ9iOoV-}TSjBX>{`)D)bIvo;+QuqeGQJTWrVu^
z1HJ%mxW6&lgRj4V{VB}Qoo`tNVO|9_gZ}vzEZ*PWvJ_!XEO;BSWSaN3<wZ=I@Es-4
zuy-sO684$klC6!Z*qt(c<fF1=AnB~-9+*P+pH+)>B^!Ru;xm}_&hi4qZb4C;H0_)v
zPVpm#R-qE@I)_LmdQtgI?txD`Z}Aw6dS^ia-^S?MEv6V+dER0{HtMqX(pK0?51zM7
zXXzGUtROxwZWRZM7Ji2B<Mq5R4`;`rwgzA$;dx;*ikr)`xMvl$pR#9Iu*Ko)TL|~4
zzXY2;gI8i&w|iqXEOx1Va0R;yn$-gaiZTm%Z4m`TH;CRLO>}CDVwG;Oq$sI*`+7>?
zE%st7bV#E@@`bS24J<519wjTtvDK0j!uql8f^AH9MFWlBYQZj=S4rCM@|1YI1@&~(
zR!e#a=fkEL{_5z(trqO8d6ffNCD^mUPTF$1yw%c6#lchUFDWeYl-81ao24LxD@5gd
zZr3uZ+otisAzWPKb`^TuOKI=6kk?$<1^0Q2JOgX!jct}9#hL7dN89Jco^<&Va<pO8
zYB+4EV#n0Cn5MT``WQ8wr`T8GDTF6@I>#907c65TFcU67ENwlyQWeYRFJR!>DB=rC
zDK<sWhw*gkGDg?$gUkgqe?det9sj~|AEZ=u0B_g^=hfWTA<nmbX^GWkwGQpD(vx3e
zChrwQ+>KU@hmC(iZex{vW@8j2{RPNLm48|0!frgSKvsp8LA@_o+>q~?mn<dN#Zht&
zK77gYZ8(Z?yTR&#2?Y_4r?auvh~TdV>m&wK?BfV)3N4GUCLpaxBCTn3e}uINRv7U8
z;5AiImm{nO8Ww5IMXHNp!M{5a{P{r;4;kTn1+E{wq$=-;SgRYqe~q=~F@G>4&N@yp
z-4t&tJwL!|p?&#QyHq@|16%&xxK9;a$;OUC`Xk@!gN61`KWj2gD6r<hMY^E?D36K?
zzENPkE6RX%nc`tdrvnqM4tlwtHJonkXSHHi2Jyx+Fa6aIQA)K`CY4$JSb!mwM7poc
z8q4}A_!K%{X6+B(e`<egxv}hTRvw#VO$c7y-<rZ$vEr0g3-0Iru?Q}L2}Qc`)-*$@
zx(05qrh#?VX!>h|)k+^%B2a#DshmEVj~XaI@c!}E%Z&A<`zKmQvVltGNpyUYHIkAh
zS&LbTg3qFjldS0|xIzqqcsz=gQDDAx7WNE~(rZegE3MPu##Ph3SZS4&bmOs?x5}Ck
zTw7&*DuVT=k~-@IHdNy|-fWd<=Ps*}5;q&`gMI3)Q*_w1*wl<}ujpp6X~_hUj42E*
z;ez$n`7l{`uD7m7X7#(!XsCpZ=Ipn|hUzw2p{jLL(Qp+pOc*cj4^^JN*^SN&jO{3=
zvm2~4*{E*zIBMQ#Ei(+nYHS?e0zYP*72bn;tWoswMr#_(LalBat(M)BlD)x2Emofu
zMZImObvE2%YNn`^jb7e~4lmke?TbYlN;nh#+%BS8<7j$zzcpT~`<N+4IbvSNP<3t7
z3IphF^wzxVtQD}6)kyfAOrKq69bg!uch*efT|7z?)9n2yA$~dFa0Yjg(hNQ8tM&ux
z`=JHZeDQAUbodh0R4<|uH1QtmAlRyv_geEQ>0U&9=^j*bY7dUYd#!^}Z*WY9H}Oi$
z?f0UFKirEN4yU~RsQx64s8%0^QVor;Alkg$1}k~e6V?JYJ-GP^t0w~W3O;KsWpk<W
zJv4&pg!Or}kE&?~d}TH6Ice>sn}=x)E<?$3vl!bkolc&#4#BR+BVTF!5#)N#T4<Po
zebiDOD5F<SLI_@c4&~qRoHYi!Al;0?SDv%ZvtkvH_a2l>O%OTuXE3k!zHc3>TN()O
zm`z{456v)3iIPSmK7dM?qo7iVK7azLQt`pJKd>HSyrY`-d}JNXmeVI6S(osRg*4_2
zT4xFEI%9p4cT~~hkI|g-wcNkGV2upE_ObOT13Zm8FMu$on=lX-T)`JW&Fn@+5Pe~F
zVNv(|7uFKCOlumX5l)$3TL09|4|C2d(bf-Wqk^c~fUyH>yP+N)$fNJyhve`63dLO*
zL^TFSMQM{5PQ4WudV`mLwH}G#9gFFx#a7K4=#fWliNS$ZTa_`q14i146@2qNvQ*k+
zI-X>k3V)x%p!`nPTx2P>r3T)ylxln1YFM*IP1#^eri)W;5=D^Y4pwB_uGjO9TKdRk
z+rZW+JRTZwm(5Ol@9g4v+ilBd`VQ>;2hulaRrzRv%}lO4ZGC9A$JSTE8FLs1Kk1WU
z%T%cDK$3>o`h|5gDC3cgl{P22+_oq>d%zY(^+RlFY=e?jwuX3SyWUGEiG}uN=*%?h
zSX3mX47I%x-my~eTwTpu6Zh;uB`w2jli)24Jcml+cP8y0W~<;GtLWk|+f}sbIU97J
zQg_u01X?s1D{N`OZ>n^5Y0r9lJVrypdizlLSB|}FOQoGV?BR5AhaKa3z5Oo?rtKT-
z({zuvnmQ}!%MEr9R`*F8?O$S;K;{xCqs5+WeL0ZVIV@xpYUZ)BuA+4<_6#fo_RX-{
zDSCxHnqFwJ`$J34$+k-@ykoWAc~uQ>O-4nEXuwpPAKMpdMbIB93c^4~rrL&uci@OY
z55{R=Z0pH5O<|m78*=Y&sMCB~9(-;2^KJ97WuvBsMt0Kt`Cxi!zO4)fVR)r&3O1uu
z!7%;X=AaEZHa!_h%BQmn#dKwBD1}N7+9GMmP+L2l%EGpSd6+&*T+#{ia)E8JZf{^x
zr-kyWY;&=lr)Hw06FgRB8)Ue%*0SeDtP8@{+x`mgxJoN}x?0D98&LGCyNlkNj&86G
z5AT3aS*c#E$}?yqcsey6%eCl|e{Hml4DVR`w<c%-PkVPdXsZ^RA$SB>41$e4Q*&Jl
z&K=#U^``m%h6o(rZcC%>|F(rkwu&7%NTKAOr{<ow9sJw7Q%<G)?P!|&x7)_>j`j54
z?Y2gCO*b_q_>Ud7SgV0+OSUScAomdIi+gQ3?0Sv+il74<PLuc9eDG6Wz0cN$of)l{
z?zG*4HQ>v40=26f)hBq%UAA6EEaHwoVw=ux_}|pNc?79#eFlAaC5JT!Y|$_ocN{>3
z8~-=Lkpqa3@~F+Pi-hZJ8a-{%hG8^yJZj6tUJs<=GhI}ebHlWrqgoN6cMsaKjCUy4
zPA1|Q5sp=VMN!jj^+j)s=fw-+x8hIY?|hT^A?}Yf^Ey72kLM%#5Z<59<_mZ+FT|aa
zB|MjB@)RD&gVs%v5`$)_YLWiashs&g*V%;dOec=-Ngs9M(tz|qCr;5xPj=#9opibr
zcNwJTJ8?HbdZrUM8l)#WaVbLzcH%gmw68M{;l|F92w&|SgYcbB90ikZ>r6s;YbTEQ
zNw;*yAl%cb900ttO*tgk+}4b+<^DEkD)E7~s}MfYhC2)5W9_J&c(|P*{8u|FEI!q4
zK=|+W2!towl_P#HwkxLxUv7^@_-;G05zn-zA^fDhH^ML4aos|EvfYR9R6CBii@&wQ
zt0Vr=uACVBx_vytU)yIQywuV@2cNIn=c9D2y$YeOeKErD_FCZE+8YpdwksvQrXw8q
zv<@6zlrlQd15#24vX}aF;ChCX+|dhRUPm@UcSiw2Uxx=_-wvgn26U7n9NbZca9Brw
zgu^=qARO6Ihr0&SxDJ$2n%pr8;fxNY0cUs2Kv>y<!b#N~N=Gc{s76@dp%kvMqXyy1
zj-?3S>_k1J)g4O5wRS3nTi=0mm(r$=H3&O8(5}+89cWkSx=tQ(7ke-&$d22-U|2(Z
z^)wX7O`3?RifH{awh;!K-nn=R4jN!MImrBPjHzFqvE@_MFz9ks%}o2Z?M8;>$;D@F
zi`hC&kBwUnYRYm<Psi#IW6s062*syRM0+3B>4O(f*pe9*DwgML4cKwVfZI$`t<7VI
z*E`oP=B@GS&_x=_)L4t5*`%=aqt9w>V+{!!OGX#V6ztlm)Vk$Rsb4I&jWQ&{IWmcF
z$=2rG@pZOhcBeL#wbX&9t5_fClCC%o)!7oPGQC%C%j9=qrFSF@2ZzGmwQa`osq<Z%
zhdrQ7O08G}mA_|8We-!;d$wy?4t@Wg%?&4I`unysSTOMqYz5c}EBwIrs&d9IhKq7g
zdX4>MR?gdrmb;`VIAIg)Pg!v;?%6!dNr!@8=Gi}DSTmh@(Vj|Q6xgHL;YXuzmx2}B
zM_~z)Ut*7?Ma6ap_K7fk#S<0VGqH3zR&38_PbsJb3NNwu!YT)>`PiaSxz?1}v#_Mt
zTVgL}N7Z>R_;rbWqzK=Gzsx=a?qzi@+)-wqVwlop?Da3RCsSm9dlGg+y2w~!wb-rn
z!7Z3H*Y?L9k*Tz;zdZ*VFn`@>Poz`*?LWZo-4QM((3t`DRQ9%de&gLpj&<^M`yW{1
zoSumqIA@>+PitixKEs}E?5lVBGkCzLP0|m8Y*Ia{A+M+OZ-sY|5i2c)&8e}a&ir4t
zXSF2rXWDbIOqw+lEpS3Z-7^!VEK_pNXD3xuFn*R@?=WIHplm(EDXTd3RP$hD1G?fl
zg(+kn+|*#N!0PK<gMBo6qz8W53VT1pV7+tjVBU_yNgM1jdsf&D^yCVA0(()hMp9My
zyNz}|J!lZ~$#ReVi(qn-{XEXa4!7x|f??O#w{e*5*KW6u#c2>V%kQ?^XJg$pdIwOa
zx=}H~lRNCc8?gF$`bK*xdn1SjpU1Hpm~#s{@D+^@9cT|ee~bMIgW}f5VbP8$n$J;j
zG}B#oqtzdzq!;XQ^xX%r2$eDgQ6@8oZ$D+fy+Zd;K<=DLwfpV;aU4f2&CUaMOYqhG
z_WE$x?)?vd@OU?291b0vRZvH|QCN~G0&?L4n50V{g@DYVm5<up>|HI}{P%1|di7EJ
zJy?`9AGG&ncX!9s6Nq8KQwQyZ(n0o<a>nji``1Ps4e<N<)^x2N-=DNQNIrpK@t&68
zvFGgJ!LcXoeVAgp&+%(BBV;dZ&r9|&`s*Z&#`{m&V|4EaVmd47xs&#RICs=lGd&@G
z1m!+w_Zb#wXDo)&t0yt8wmt{Bf9&s!gANZdhQZtXy!|5YTtdG+4>9>y5Y34tOJ|KT
zWc|{Ijh*nVz62RBd<m_+RZHQummn5ZFWIws=Q4$w&+hFecuDuB-N`%aDd|o7EcP*d
z_?A7Jb}n-m>5(_>|KXjrbmLq0!EApJgeK&)9H%7gQ>6Q*cGfAsis}42_C$U^6bzJ#
z;+C{0gm*S+t6U>(_}QL9kDNub%{^=H%|4~Qzu0|r^sId}?`)*Va}eoI6kIk<y%#RZ
zo#*U*c;^Z_q7cq&gcDbTp#KG}GW)#U$~zmV{yenNS+%6WPtV(T+IZ(GTJ^Ji5|=J$
zac=wBZY1`Ly_k2dq|#sP3$ewATsHE~W=i=L;AaZx3qJX)eMD3k6TcP2Zx33he=6F{
zfh;kdEnJFgef9I2YMQIrVS}u+@H#pkE>Gjq7Ze*IH}lT5v?D?u%cXCEA4kX;%)rF}
zOaL)}WLAoN@EQt-gHv%n!iQOuU*y7_Cx7v38hgs#$E;yJ%GDPfzem%pXQH%Ul4JxH
zIiX*Ia9qIO8^T3qVTEi8Yhb(C5%vN5nLBtPwuzSVcAQuLkpC%0ipgT0I8>Z3wupC#
z&xjx4P|GH}O>!nO^%_@g{bJlRY+Sp7_T|b6><k^tm6NfPdL~y+WoP%~$!TF9$4RNF
zoX(DL$Xs}n`U8i(-pV|=ci7uWQfjtJikTt26)UAC^DCDZs~XWfjW}Z~yq+wj=KNoj
z`Ud6Rpzub5l$z0l-cViLxVpY^*`nI|)xx`b^5ql^sMLHpnw_TNd^s`fT$Yqt%E>gs
zk;;V+Xk)&dgZ=FL^HKEo>BW3`c-Yf%QgS+{6$whApP~E$d2bPnFdSe%BH-_B;RmK;
z8Eh<TWruOZKN@!$7xL{m>ijOhEM|x!aK!&Q9Pxh}&DE}pmF#((CM<E--NJA2lHJX#
zs@7DkY-+AwuH92yglobJ*9gDbq}W)MhC9jNK-K=c`}dnuf;YM3bdG~1M+@Z@7`Fu;
zISw=LNROP&?m1i}OSxi#Fp2c@Wgou^YhQ~&=9yDz2gzCRwggG;9lU40JWuRnXT1g1
zn^mxSwu?Q@&hSX?!qwBQ{89eC$WZRlVuN_CctCs?<^EllBxPkVnzKNTr9&Qh)b7hS
zx#-+Nbo148X`!5pQ;9j%axW}Q#^V$AP=S;;fYZ(-N48!#kSpbta4dlxnR?-oEGe%*
zr6lQ~>4b;r_i8y4JH@Gs<jaSb$Wn?Z3#FuQmouI10u09Pe<K4eI)M$IH-&Qd$?=qM
zlbmiFSB~4$*+T*wK`EOt1y?nxd^g;q-`p#wglWX!sdm{b4oelD6!7<+@GCR01m;4;
zE7?_$^?$HuAno69&YiqB?}rt`VjkeP@PqtS{)NcJB(bkJQ`{i#6_1G@qbXJdU%p0e
z;o->=E92cc8iY$}5*y65!Wo3iA!yt_IYBQZO00xWr3p9T4mxA%1yp#%_Q`R29s&*k
zVB+DOGPW9LvuNd_{cPscJ~7H?4vW=3aoQ(d`OIYr+9y%{pziWaa}~=`pemNDe&~K6
zThfIog7}_zP`n1iw?fPpZMdua5q}xIeG>-w3O<7m#x2`O_9y#{oo0vFb!;`8&PrG&
z(+lUJ9-hSIpe;fzlF|M-)=EN#vuR0vLqkp7;wo$i*Eiw<d-NJfNK92PGE_FyDBt?V
z#m$vTi(^-VkkymWeJwX`6+CTneD9T#5S!7|P+QrwL<_YWx5j2ka60Pho2#3YAiarJ
zTn|ZWq&?TmN%9I16aS`u5*z4wP;hYgb9@r&Bq1v?q+}7lX3^TF>gHyYxhWM#J8zKF
zrqxP<!>t%$mCenSRZEo1(v7%atsLpMEdwp}?=;6!;Ib54&GO2{)m^N{8laus=%gid
z^9^!x#bRKy6>Jxuwl6L(0zN~*H`Od}sIAtp(bZSDS2igp%{9DZ;hsHmbWRnh@k*SK
zvFKa?M2><8?Z<cJ5rb37d*oQ#{H_QgdfYs!-6O}x&6R{~=l}8YK-?VK2Re+MqkH6-
zxLN-{oBBdRpPBUC9;nF~6i;%dZn`Ao<<Zlx%QF4>x@?G8SlL{eF%8H91({l==*oDA
zj&L1<_poL6D2rnSICHR+U5oqiA9DjQ#ZrAECm!T)^4~<W*hicsZiBQwBa(G8?ws%m
zj*QHolc9q+<f*c*W}S9RyeA<1lqsb`&zv3QNYM+=CQFIXGZPXVv0V5!4WHmh!HLnG
z6CA#{_82K6miH80h++d2Y%86e;7AMGoGxV`>LVxQM7^*zPs$jq0$F-tTW=`?Ie_Az
z`iTxx*rq}$1Lq^U5JvS#k8Wd}l#xiMCpsLswob21bYvxWAkTQ#GtZj3RrNJh)mJ4;
z8QF}Eo|NO#TN0#<^#6+qli%_UC>8FByPlJi{OhBo4Cmh%)xozG`6mDWXeIVKrQ~#a
zk|Ui9Tj-TZ4qTSs?YTJ@>&Q{nj!YbzZp5b-yb6Lzz#YMZ;xb%TKZP!t!Q<JdY(F}y
zw{RA>b(9-|g;4`qjZnGeqh=~9ckXpoC#Bpgr|P2=Jv?g$4Zl||*GGncod6;t0QjfO
zP}s-bE8~dp&2oZq^yCrQeOtppDy^7K(1CV%{^j&2gN9M>&{Oh$us80P<0JGyd&{RQ
zX{78&7d*IMj?sq!S%wRX<~!vW`t~z9lD^$9+rmp*bs@rl8)bil1i)Xe+~ud!N_v~-
z$r9asqb%!j51kFDo~q;?ORwH2=j(CzT*W{^$12lIzMcV7GEY_D<$AomqRv84?eR*4
z^s(ARqlkH$@PdH9FIYGXf+4JmZDM<|Q+=N6;dLs*qY%}6E$_r0_93X=v-~I6RB56I
z3VD`TC$5K?aG!XH@)zP<i8{SZqwi1#y)Fcxin01I^?ifsRB)$^`BZ(hV0!3j1m%^2
zu9rlVLC6dmS#8;D6%($$X`pn&yxQiPE@n;9vIsSw8H5gt$zhQi6naSE|L2ZMl~_4f
z1;BI{I>M+vd@z%a-6JO&m?;G1-6bcrm@N`Z=ChPsRRzK<c8O*1S)p=kIBcLPxKMr?
z&ZgpKD-rQ{3SPdbs%Ft@Vk!=&Z5pbXJz8Qpe0C_YZa$|L7w8t{-3*Oa)_6mibo0h&
zydkv4>QHfWl)TYCc)6vzk;SUf=Y+EAM#pLBQ1oteyjs$^l`Tj@ec6R2sA<j(#n*6&
z8ZH!B!zI}ymd@uZd52UtOEyX@7ARabTU^J|9TLmt^Fs-B@uX<jP*Ppk)B#ZvbMpC%
z8!PLYSueB168Ze)^_Z<IvF1oq<*BkqR<J<p7c8x=YGxUsH!<q)CWen?D%v4hm<fj@
zOv4FcuBhi1_`mt>km<2J9f!%@VE3^OJa;kxH~W4RUKFkoW<pzJh8MJ^W6;D-noo}V
z<s5w)fW*b~sp5XwuTKS#?Ve9t@0Zi`DIwq?0DY1Hr04W(gu#_{DJW=4sAg%cNnpvy
zn@hjnFDK~}LqPHaa#CgjfaI*XO10D`?TV@by<6i!&hgBlst4p=`nV9VT>)a%ROZm*
zNJSr`QfAYc2jsNy-mT6MIQeccMyrgospW1tDc7L^Jq1X~QG-)dfl6zYLor@J480vd
za@K76_HK+Fn@X8Q#(O}qhJdeQ90|P>S}iK$mBG_h6Lo|PZ8d{jF#+3=cgeT}cQ4c$
z-6N;yO(8T!<A7YH<7~ogL3{--)y%*<H5d3paFCDZnXva>W_#FtmXG&ojtM)3+2}A=
zxVzPh_#WKJ9Pp@|r!NAK=U+rkkIGqkym0_kT21>NmEHQn5b&M?xB<9JtI2v0o$LbO
z9k7rFACwF91tDP9LogDqJt)WP^MNTSSx65bl(Y4D0J1$*^zlJCH9V^|Hw2d6C#Sn}
z0Ho(tDIFOyd%7B6%EZwr%1J?gYaj5G3|^qM_MU$rkGt-ZV~yDwS{o!P`XiwAy@B?W
zEug>dL)EeXlvb$EzWDT+Apr93(`NwimRHgP|Bzk!UI3ia=F|Cq$bE(>nm$>0PQc%J
zCa@&D-%`QmuvIXcA7an5&#;z=!|}@TSUb1zyZK4}m1q%DMK6|u3&f4M@BIkw;43%2
z1F3Nm^Y8^d249y6$9k)a29)xjva=;y1O7g+yIK3F+M;I@u^d$sRE6|IsNq<yh7Bdt
zh0VhYGzENNk3wixC(Bn=!@{a1wEH31KC?gr|6Yg?t1A|-*zjs4jmGMprYm!+Gfs7=
zB>zJ!)QE~KIZBzwDX~1hNJ*rpRm_UiR$3HF;%_9cMxyZ#%W|quEyQB25SjrWDxP1>
z2WOTamK_<aSc5_p>1xIhYl%9oEup6#hLrYIXR#$pyd-0(258af`v$wSh4oWae2tQ&
zx*A|*sy43)l~u#_*KncyG~58S(U*2d>?#EtsJ8Obo(Xi*$~9VdLUVhpKiD9(bC)S8
zURlU6yfTK)T^35N2Vsat2&L77FjSSbTBJj#@j6mI8>Xp`aoB2t>@E=d@Xw+1r*I#)
zvajJQ+Q!D?y`<k@_v{eHL8{ZuWvvw$F9SyOd}WE|AC^-hh5=tPxI1x5IShrh?=VK?
zP*4i|%joIDa&P^R5O7fe1_Q`;FQeojW{5!myaSff@F3Jmc?j6300WgcB}?hCpq!mM
z06<0_9?4SQtx}u3hdx%}wATI_6ODfa8oUfZa@Lie?9wtS@37W>AXiLUq9v$yJ`Fs8
zvLAW`W^buRRKz4vLtj$ReSt0?ql!|Tf=<(y0OK!TOf?6fE{j9JJ_YataF;Ho_YOdJ
z`T!`(H}X+A2QNwqf<u_6+@U9NiC7}a{0n}J@8WZL4(8mK@B~968^+><zl8UNps*cI
zpJ%Q4;km7|kxGHTiIyHiBhCVl?QWv8dO4*frFAC2^c<|%)%IzuudVLUJPMf7IzwX#
zNlq7w2Bs)rT<dhOBxW=!BG*O7Z<UzcIt|1e?}|_sUCu!z8!CQEw&|y8beiy#oS~lr
zAfsRfZFovfwoV4%DQyVF#G;+feJ{(33!wXbFjwm&jfviVO70Whr*$I0JZ}RHeN4{O
zPf%&~)cBa3s~;Z%?oohoDqB6htFVm)kb~2gx<i=G$Akcv0^pqxh)*5OI)wRn6oAs4
z<+SM#+HqtEcvt~O0Ptokr!$A-G~;jp5c!aVC__h)?xc~*Y>|qt!QUUu$$ap!*04=D
ziT*Hq5zdyscnltat3YqAg!Ao2{s4a(kI4Nfiej{wEtZS3@wD77@geag@l%Ygol&a8
zsAn#{*l<-XELXarXB#!Ig>gJWHQ|;M%Ih?+ks%0Gf$|!q>ZLj*UYAdVjaE(Bx=^oo
zqsM6IP?vP0$Eq5;UQJ=;f+o0WRWB?Xr>f=pu2g!G#%rX7)h(*%;qd&GXcN@r8veH;
zY@!;cA(ULtI<iR`>58m$iwK*nR&RxpT9@>(DQZ1dC@HmIQP7Q_s^LS)bfc%K#&WlS
zv+3$g+ZZZ{BJ*s9h6=@0Q8QId+@xgOP~8}M0Fup86>d`~ZbNlTH)Xa)2_?}Z${aQO
z=1_Z7v$<+s%~#r?n$6QtSL$EQ=Bur^Qi;{mkH#w1rdk<_-2~rKWz&+-(r<xA3nlZn
zXjSU0x=Kk-ao;sGRxg6n3lC+oh3Y)IDwN>=5UVvJ?L8tpYS<#RimSU4>Gu7x#j5PC
z?vch7+7eCmjS|Gu;$s*Db-2Y61+V(OINIUkIy@pmtd^Cs2;nQ?q_9s|D~#Gz9vhz1
zx&lKn&%chwy$E|1kCd`3_d43}qMVvr4<I9NZK$5A*QAHyQ{lAMI*o~5d=aC6Ie_G>
zwe;PKu+wV+6qK$Z(@Sz6{jv}+KmnEl$o8(GhL@l|Y5;i4SJN#o!E{^_0$zVf&JWLT
zU984hP4!0*YY_l{`6{K6-1_Pe@U8+Z1mG@RMV6zO52^ro%2v{#qp(;Pgn(5FPzfN<
zzmo1hiki*`ke<^_?;eHId0q(kLjmRjNX%%aq+@cl9*>r&^Frw{IrH#wS(1jv3WEgk
zGfeOIiC2r$#bVLS&+`}1&KuzV$zi{-w_(`shJibQ^%5=$M}_N!8bk^G>lLuUQRt>k
zzshmpP3psqy#rQS|Et_bX8{FQ8bKlB+i-5X0%m&cSJ@@H114JWtnASl;YThfS2dh6
zPdzJRs~E6bfs^!cfk*(UDlsW05CI^urwgs?Daecf?q{9A28V&Boxom`p4Og_3vvAG
z!4q<xPKRhXrVVeNn2CEimrlsNag-_Rq@0$-L5l5}B4iJaz&-&6Liz6En==tbpq(d?
zb_+dzQcl)w1ZCV6hu@y(<R}~&G(Cr%koDMJmD925I{rC1X6!mJCihHR6)wdWr%VX3
z%CogUut?SiQ@7$Kx*L<hH`szG!`{&rc;#Q_--;2K04l`!;u`S=%FneN3%*e8@bldp
zZ%LvTUXuxz%qmaIDc;wV1fyA$z@ivlRAF=3N_I6~n|hu7i5-n`d^Nufn^7<F&-h<r
zEbNC`@pg4H>RsA<8pVE@j-Hm|D_)6_VwDGL8&_4Y)xyfUrq$Jr!h_LLZ0g?#a1bmP
z9&kv`RIc8d3XNFh($q0ZejPh!Ptkza<;<`d*-{=Ze?3WZFXgE3>+l)RR45Kgc>}i7
zCX$W1Y1j~Q({Tj}@3BcYHA8|oxeGSv6t~rMa=(EcyAw404cQgD+9@TbvYuNB>K?=5
zHMHvuIImaHKi`lihV5`m*%h3=`$fj%q1RL1Te2U=+^XM_v$Jnd^om88EQqg*55vzq
zM@;9R@Vn4ZL%E&(i%r8?_*pnFCS$_Q4fk$V+<*S^78?4#TmVoAfg2UDpjFwGa+kJH
z@O?Qud~U0<6*Xu1MoRezwxD{$^RaWN+a2%8CL92kjbPajVj2B`JUx7R>w19G7H=f>
zK1PWe<BbpGJfwV;n(_vk^E^^6Xk8ZqcPe0Z>so+0-VOBc=jHV9veq>K2aH%x7oV5?
z09S`V_Y1N=%HO&QV9DV1(7&|nFz#TszaS?VT2}&_?Y@d0d_hh%v^IyJw_bpy+5{jy
z=PJ4cMtvgyMW3d=C}#{(q%Bc+Sis*2;Y{~_+EA>3SK^hk+u37~ydSxY?WCc69>0bk
z!CTH@Vmg#}mDqs>S2jYIx2SXEnyv{!>p`|uohH`wm<>XNWf~!*x0SvR5o*;1*jgnW
zb%3$u>a4#ul!S(>({MetehaIYC6>k4b;neOCTmdV&UHOwtN0ZfzGn(5zEPciuTl~T
zIrLeRTC=M{NpxYGHEbw>nmUW>{bwuH#a4H}7}zS+zFSY|w^##P9fHuQu_bJcYNTxF
zk(pYCwdw@D;qMu$lyw?~%1_C5{Z+XVo5p*HnSre@kk}lcAc(yUY(og@mfSgPqnbcV
zj~tiOV5_=uEyG>~9>;C@d!}8)O&YPgvT9wshym@f;Z3T%hqKlU3D&Q$Nhw5PINRI>
zq7+GnE!u0s0ZM&OP6}sRyPo?!h39^Ivu(;aHVb8fctmUzd*hHoCk}Z=vv1i+wu4P%
z4m`ovCY0?ecSclfh8vAnOv2{J=+7}QkDrJBS$7^{Z|=fxI-}t;BH=sZ<zs{`s5VU)
zgIjGXcjPB15OzIy=}=)axj&J;hNv#6PJyuB!My{7&3n$k0rk`;a{P2`dho0Qp*7SH
z+U(N9-p~*ko5MqVq1L>@ry)`_MDk|ri}2KJ>{HEpSB^920gaobJ$^jW5Y`2uZAKcf
z`N2m_0Syf|#DLuorS6+FrPTSJoM8~VP)f7Yn+gj19!j;<j_KQ1o2ArY{*3Uh@Ga)5
z9Q7f?>)8|RUG`tNxCZg%Sg@SnKjXAOIp(PraUYJQe1+k?a+poxI8V{4NRC!|*6xsS
zNl$3~TP0aX2>Z7tVx0*R9B67&It*7QOV}Vpo1>MT;q00&5MAJmV%KWo)ZJO(Y`Z2x
zTL?XxWZ2OKDg7SBc4{wHZ&mu%`mt;`>`IX^=?YuvqjPdhIJ>S3+<R65cV|g>uTI!T
zxgX0ZhU@!C*uw#&@TxC|gtHsEaEOo=#r9|qc(*C(ANU;ZOhyF~pT&hXr8tS|OBdnn
z#x5KRl@-oz(w^CFr+pV>*>JP=qIWx0F2#n}YZq_@^Oi2uzW>P4;p|rJ;p`5Y{~tLv
zoZZ$-f~pldDDew9(R6zV(pr?tv&_*Y><(Gt8Q6_f`lHKiVtbYGW5jdh;t6q!IGFzk
zL!knrX9wPN`~!!AwhBYgmuV6GH^a5g2aG@t$gso!-#RZDETFjmk#T&r3sQ^w-G9(d
zaHw-nnZj@ZHR$s>gf$kZSv6<{)OeZ!esvA%ZWDU_b2;BQbu(P-d`gwj)qWXNe^$;m
zz}L<vRHEV0$YTv~wrfyVH~0*2t@BZ{z%crpJlp`^IxicAK2<uAF#o0+;9=KLh*M&K
zi=F$2f+6X=>{j<R%)%T&d>m?Iw3xzwg7JGJ&Vl5xFR=4D6GtE(6Xu{P{1KBk!#T|-
zRSMf_;}7yU1H99G+#KOrdf-brmG&pdHZuGu#~9#|*6;xZKjKHZPh>VwBc=)0s*>>~
z_6~3QQO+{K8O;Zb60QmL)`TB)b~^W?oNO7eIV(ic1`MgB1)s{Pk(nTr3>B_XQc|(|
zK82veU(E|jgsbVfPtjt%x}e__C>>C?2ej<Z<a7h}UwDoOTho(2lY1Gk0i!{i6etBy
zMjmJnekLcGum!`1juSe1$PzU)VUM-$Gd#W4@gF?THDoh3VN@nX{1OzhM7RAV>uDfl
zbx*S#R*2`%ZxH?olj@A{8$2K-Y!;46J;>gMpWMyo<2i!I`RAem`$^-)Ch;cmDe(;2
zdd~9DyYC^*&@HuhMoV}`Rk&IaWvCWBhOg{pvAbd=UI6qJ_0mPTJ46X3)FaM4+OX<w
zNHe=v8(G)%Xmc~$A42x%qbPQtHZ^s1XM*7$+T?UCq07?@_jf@MjI_uHv?uVlD?N4^
z7i+@VgZUEHRuCihm7HbxXBXsBpocV-vV$7Fm(xt_;XH{?<H8QLO!V|c8POjJ;poUk
zIm5^fXj*Hh(k8^-mgR8vXu5<WJ;F}<UMD6P4u+r`9(E)|KBlS6T}o-(9vgJ(Ax%l{
zQkd~T2XjOk4tJq0UXl}gv!K>g*C{#t9}o5aOKYO*sFFG2${tq~OPnxWxwpLs>y5Eu
z7LFSo;#XnHu(Kc7TkLUm3;f25*&vq7I1U({6b=eE3+;G#V*0M~gqG+)u6h{g|67g7
zfgBK0doELy)rdLJM-t*4q5sCC3i1#g$Oa}ogu$+9eHG64;7E@p&>IA2&;RiwHjo8W
zb_fOIvanHQuT}nUj>JHwB&6mnuU}A8TRjhlnzUc|p}9`70(gJIlSku}{~5#{=tY5_
zWCu$p`bqAEmn4t;Bqv3uBKi30<qIks7uQ4lltYs7ffTy<lbpzs$@H@vkMngxd=6ek
z!}>fakcby83TVs(N1Q%4kRS=A1(f<-gp(flMh>TIewHJ2@jwpNkfXkl<3)b}ONXE3
z5}Yp-N@sKv>@=`G(k|xUDUGqeU@hzfHTg<fsqukmWQC&vjmzfM;vA~-L-}@94e!SN
zf`f%Jef5j%#^vqAUuAE;Hf!_}@UqA-{sR<ce|8x*!Ae#rd?D-=ss&sE>A$%IS^-mr
zDiN`C?IlbLaCj^8#&vY)66Otfym`e0VHZKb$_;RNYfzU2M$pvDa<51)@a3a~Zds*U
zFGHJSLy`|3BkY7Y<7W3|Y%C1gjD1NJr^v91#2XynLk-Qn2+t?>DS251M#F}SvfqG>
zN<OVh*rAM`iAL;Hs!;d%>ZL@?HWUCqVGg)33`ZNVVaaDK#(>2T&7?2CmkSKow$xCm
zKgg3(lxB%i7L`wl^Z6h6Pe2B<FLAVTJPQ||fmdExOcq)Eo3YQq{ey))Aq{gN%weZ%
z!yK`OAt1QRggx|7m?PIT7!Wk?4I!Olt-_VDOJR<512#ZZ0-fWI1p4ABDC6;ZM~ne`
zAxeASKn;3FiD4ihOrzJ+0li~f#MI5$57FScf65agvGJkIPS-06V3TsC<)c|p=V$+f
zw!t<CudEk#hw}YC$<|BL_yhjJ8Uec?DwXR0lIQ%twypy_s-kP(JG%+H34s7RNj5zs
z5JC%~1tgS!NEeVMB0>nENDC0K8<!;d6{U!BKsr`L1uWpFB47a(X-W}AiXcV0qA1Ge
z|DKt-n+@O3!^7pAGk13Glrv|}duArG9VpD{^En$QAy)MqTI2dJQUm|cU7*E(eYqxN
zc7tVYuuj>2yEoiP&*KpFpW*b#gMOPK=8M%hp5{9QfW^TDH37!tLDbo-2yH6`f5mIR
z-`p(<gf*W_(XgidfgwYRT;1NJ^>6SKz4nLNGJA$l1sPs@vqPeWKyJ|rOjRFDs;%0H
zdX{TBsm4c!3Tcc|`(u60$^zDiRmY9}i8eA#8{aJb)JS!1H%qr^gP1tmN#hHrO;M5I
z+vD7#iLglb8VJTXlFy99<W~90=h}u|SS2H85%z^Pq8A49Gub)v9Y#(&!(4HmFLezs
zq7`o0&};8(<%V%&Eh0NY0@#9v@!Go_-ttJ<#B1+v;1+#w=L_|Xl&Qkrv*CC68Iz+p
zcw`&gPsOgzu1Eyf&J&Fhdpy_<x7Mjpkv0(n%7EmE0VDA0+9;V$Uq;GE`XN##M-M0i
ztfM4m=<LNsGL#r88+icnh(1I0uXXnT;}K(Lpm-=sLBzN+z&x4`7MI_Oq)BeP3fPBx
zwEDE+9^gK_yj#eh9ZQK}GT8(4N3%MI$yOe~KfK0UNTp#i+tUM7lU5edhA>&*0{}=<
zCqcFD1`2Dxs_n>YKeR_`u$6MlZbLfO2c~Z+eJ~(g#u}>>hd8~7)A}RCUhy=d@%{E8
zdl4dRvaE{;$(?2Ozz9i?Xk7+Bu*l7~meYH+WsV1qU`_qP6g<HqryXRC>)?ao3T7p|
zj7HRvEj;iAYw9^rkw6UDZeNBX(uz9LN9XZRMEkN~;J5FA?elpa*~SCxP*V>xH53%e
zzmz`k$mTVH2(q4CVtONe=!KH<d!^3<I8aHbl~?9^0RC|amr#ipB^(3_nsza_SUhcB
z6zQSeUfIwCAW-wsa=kr3{6w!INQGV)t5cOk$a)@Lsru}Xt&KJI!S#s!oJ+zQy0Z|c
z3Ab~Gzyxz~KlT^Qt?$mtQM`D+c2ZkUN4sT$I<(3J6pf_52Ymjxf*7~V4CU+40O-mC
zzBoCmj$5W_X)s=R0=<5~mykKJ21=$x3N;=d%tw(9jDIg(I^c`-7sa||mP+gh^v{f?
zl!N$=an$jkPsWT1meGW36sEe9a_HX&eF?Ce=!t{A#$hKj+(~T}D|~uMQL%M`4juH>
z@3@64Cc#>4;qP|q5`u2K!qr@Ezi5AqZ3<ynpLc?P?m<l88^qT@9P79;T^(>E!F1O%
zxYFtn+u+sA)lEDWGdy4E#c)Uic<ryXt-6?XL0zxC&mn^?S!(as`ff=TMFeLX@F&Ed
z9nhxhlAASAFu_5S;ARCEOz@4)e<|mG-#9qFCc;NmG<w=}Scy3D|B!xvsrmuR_ef}~
zZw-$-blk1>cY6KJ{eFZo(~3sxb%K3Z8@|g-`EC|}Z^S&DVlwO_dQw<kB`5A~MfOo$
z%;hw@ri>{)W+?Mj!EANf<63vG;A{}2STb#VA->3z=m)KvSC|t0kNkv@o2>swezJ~R
zlp+pzCFgF;QTs=|s#<9>b=ap2+vMf2PwUdJ3dy0Mun@=KPn!Wq^o*|ERaNr}NpLn5
zJqb>iRaLVMN%50juRKq4qh*5EKBpI3&(o7qrZhUwrdBPhD_>>uq^qy15w<%VgzsXw
zNCHyzPdg8uzcWyeWmeaD`3Vv2%HY2i?Ydbn(zbZn+5>b@w8{tNPLRz!fCojRR@MuY
zmjGP?d{9&4nF0_f>SaT=AVH>hfCTaaUR`b0C8B2;z(7r-P{}kj3{%R)Xqo5%E-1S6
zM>>?fqX)nsYs*!1FdEu&yhFv-0tIN0b>}J?QcE`Xj0KgIW38llwPan-7>9ZvRAXR+
zBE3<SCUfQz(<Zl+jYb+wUMt93TegZSG?Z!ts!?0UP(f`OA2|wq%wXKLsAg>`X)*rE
z<{I_!L0cc8M*AVe<QUMuiJ~{Q%3Jn6dlj~Y-C;Kc(t6Z-!+Jy=xRnyoxSXAiO>(W*
zXhU6@shp1RK&+u3>&h(UbW~JKIw%)X!UM5}x~0qX$pREU=ha~Qj}DDL;q_ZuIZzjs
zCfJK~8co6_I=U#K98io%s%O2b`=L&N|0`*BSt+DBZLQT*T<&WSkzEF8M$;>q&ME^A
z!=8`T^jw@w_m({j60VO|=tj9OF(SR}A%{jFW>Que;1`jSX}!X~rD89g22ez9*#nTH
zF<+*dv8dH<ewpYk11O_;S7N{mC?1d*w)0=6m;ADkw+zS(J9A#5Z~d}Gjj|br)XjF(
zkJp;TOMmsU5(rv!v|i$NJLbpSJU(8=RtHR@dNx-itt^J~XnDL$>du-!)q2yy-|c9!
zYqk%kI1NN2&H<47xqTYiKNb<``EWs$h&f^f@WIc-QSk@nfX1%wuF<YC*Nd+0Dn{|%
z-r9Be0)O}TVq5`(op|;|?VNeRG)|Cz$?#3X2Kkq@LVJ-?P!XOhT0^}^c`-7s`p<?^
z-*Eh~Fkk5}S|9Vbj<{*LZC}+2_a*boH;aEYVpD*d#lLC&{4(dvC{pD*-@c}G+RF%c
z{3V7biQf%FHE5~*M=iHV5h3kwU)MGBiYbcf2lk(aX$qj3f9Yyj%|9FBi?DC#;;c3~
zgo^%aL?)loP}$$nZjmG^yS=cW(xK5`HTm%15Vql&3=~gjb-sqnp?xUqJrOSLAzNc!
z50SWyWOQ>KDHb9M(+iK+D)Z8SvA_-mzSi<J3e=T#>WONGH097an55XCz?WCPPBrVw
z7_ac^McC`~Wt#NY5D|t{Z_?g0iG6pGx?0}gUxns_k8cXxQ8ULE-6yK+_Ie{&300&~
zJSO6-?<~7E6xjg8%*_K*x!b-dYKf+Z)tv-C<cnepZjikMv@!+zT*tbewZ3zGf!Bh6
z<|o}rl)Vft-Ocs9QS}O^Oyb>Q7W!*KmZ<a}g>);{2lZt}z3IvBT<L7~HSggACQX_$
znPY~g>HU>oKI8L;7uR)XHnEBSPjl-_cjBaYcV?3Fu8MvN?qQou>*`DFb=$bRzRa=b
zCoiramgdgN6nr;sLN)8BChjck!(@V1+$*bBv(B}2XZ5M%)DhNsN?Yn{RsRZ40X2CF
z*r9^NV_*}mz%s8XZU}qZF0r$%lhz`o__HFqmrLlKZiB4#l-(4z`0nQ6;k30m)<8bZ
zU&j}MN}Ag|JdC_8WL6FK$Rqta-8K|x9`2)o5GcQVeqU=HXM`(YTEN4>&Uwt3Yjqw+
zTgbGC_T>!UDdvSHGLB}Y%2b8iLE)~Y-TYgdQ)QBekvl9a)P1Cq{z%1a%!r+0C8c4d
z!H6B!LT}LEG}$PM5xb6ktk;7bERJ4E!<vtAJLYpgZ0GTUYTHeB(pDbE;IKw|je6IW
zO%w*FDD?G4eYpw~t=^XFdu)-I3%I)l;+3vIwZ0(!DT>7%0?QHm2m3=rd(6g_VBN3_
z&Szb<cETkx*P4kJL;hq2y3?>;GAp4Q+>a@f;Cuw|I=N_i@PFxn+h}<&Sud_DTzCm3
z<7P}6HMwB?#0fJQpe@P>+)9Ug$qZLgpbPa$lqopbZc?I*_va&Z(x@p@Cg39C3Dceb
zWCS|VibQM#>qy&?IJSe^icPyIxFZ(lqTRrLy0ARBVB1k3NydkxPzix{)GkRTh25gq
zYm?9+if2~~hu5(!J(47w;53glkhjWZm#(=&Hsm7NxIk+NvO)#UzNEAOjx|h@={V#t
zEm=0efrvemWqeq3x0T(9{x0&Rx|#%X=*eW6jnfuCNS2MmvemXj>^n{l$L`{~0bFmB
zA~SIFP3shyn#U?2-g?=>-%sI$s)p#BesDuAu|I_xhybe49buUFiMd!19R(oK5VmEB
zYmV!66MQ+Ln$|F?$HjPRYBP5&?qP%bF502E=U2y%i(1;vuDW(Y4IER<ICtm>sE#;F
zQOEErM~q_oG&^K~)f7@YRo0t9w6dv8@WdFNetlh2S-nfFR=96gsz@v#W)zmpm{ug>
zw8DL}ijJ%l`;8dKP|DZ=@!A#jmd<F}bjDdGiUh6q-wI~o2ojCJD0<v?ZQe-I-|{x{
zp_PSU@m`UvOZ_$-$(CuJ6o<Me%$4Rz)mr}@+T2FQd(yP)?HxMaMkYnoHIyE(Q|}0i
zEfwi{M%bWAsrr@EeME+CuMJL7t4iw`sZ-vn()#*qHdbb<ryG%}t9PSmh10EY&zoqV
zwI@Om*1}tpB`#wB_`d-AHpUgub8$}Xe-W8otV0o+l`}R6CA5JywuTZ)2L(^>JC)z0
zw=verg;%$(5mHVr))EZW!N;qr#;={Wi#Qd7c729fZxbpoRlj{QS0+Z>UY_DeP|>N>
zCl_m!5zS<BBx82a$H6AinY{{;hp}GR^l#CgX0YiK9qMnU5<q3<K-M$|?Zz-KTuE<o
zZ;7E}Inqs2b1-rH4d2wzo*Y=KuR)+-UuerWX=e^}Cqum`_4;7XkJJEaatm3Ljy9L!
z(YKc~@XKjTR+u;9=^CS~<DEpx{d1??$=Vp*Kt{9sr@_Y5EV)IP2!_SjxP$90XW^R5
zv%*HyLQ}wEgRnK{pV$Mn16vtxxDs6LT_de`urqnF^$kql?Qne*(7N+JT=acoe#LVL
zWcZ7|IPXi%_%jJRbOrW825)S~|DFAQ)^#0nhS?TZpDY9Pux_Q-Q_Z^6#+@}tO}Qa#
zTp{MICalZ!_flWBeSwXN)_z#k{&a!kA7&Qdx@k6F)IHzUX?k>-FK+OeI&Oc05u=a8
z6fd%V^tt^>hKE?{lJO;Ao~`Bf#~P;2;grvvfLE(PP}a(1cLFv#Z@J1Jx{AV=1F?FZ
z8ZGxFwpgYt8pkW4Un?4|oD<e^=}y2;YNli1W0Cyea==+DXyJ0-*s#~TxB)|Ly#V+f
z_>_jB*khc1!Ph2zF%Om+Ru>CPjM+GwzM=RPL1K>pM>>IaN`s9yhf=%y(jt14Gj4-8
zmiMSeJFKzKc7Tb&;EiHkX$wn$XBukNQPz)S7^h2L>pj*odpn>BW_84(JsaHN6RiKx
zv39V5_PkOpigSsi!yRQt#69JV>L_u+EwTX>w3IoKjOq+2vi`&Q)OxjAUE17IHuW&<
z569-aT#z`5YK5#B`&TSgklxH<*dNBmyEMHOjEyW%=<XZowN~ivjPxt&I8&LRFv>Pk
zOlyp*`ue>M)U`F<V<aEBY@kP5%WTt)af{Fkz>!YaZo4_Wc+VhA@u&!gLD5x=fu>oH
zu;`z$alSE5$sUd!0}EXrxQ?M4-)ofIyOnBeTG7-QIE{b}SJ6;UTJI7*!S8A0Q2dS6
zMPrRI2P?uWnly96$%4v6ZDo0yI#jS~tBY*yw{aRF&MTT}*UfwU6S}#)BFEw3hf*dq
z*LwK<$|AypH+DSm*6}3|h!(m~?^n^`p$S@=1Xa{{Xo6O{OdoKAu3uaYWooT|{{#Mx
zgzB(iM6ScZx1^M|(W{<Kl_laz<8*EHI(Ac)(m29fjIc^c9AP`X^!iZcsm3;&S0YdU
z)Q3)nENN7vMD2~p$*%IH4*HWf^B3g|s3pCkqyEOt)VnKe-cAlx%v8Q!UvHsZon>q%
z(V0hIwAGSF-#@S=(S=hNCg4bQ7j}ZKgo~h~^*3&Tn2rP?fAY#Zqf@r)VX0hl721fw
zwwdq?3Dlqq%yxzx6$?d3pvhoGb_5GXd$63ez6<PjMjzoA`j8HFk(m)q%NcT1bh|wC
zsyt9|6n#h&^N?vfQ1Di5BFY2a!hoWpb}`jfzqg6P+T%S2m!TFu;DMe@E81f+TAL@U
z(TMi2k{D}NLT+$c%IO(!MsYu&UF~HD55vqD%ZOC&0Cb|ILk(bxfn^NG_vz^lGP@zy
zUM)UN<$c#oc*-(xtHu`qdq;@|_8Dw{9*vDyd#p9qW7Z%HzeW)a${Du62YpH#Z^s8Q
zx}~Tem|{dLy$NJdePP`&jD;}0PqZZv=nEZo&ooRUclCuK)Yk|px|_s>M}6^qOZ#GJ
z#OM~H_C6^XO@DWfiepJC)=P|Qq3S=TFK@%Jo83vKMlra>EY;O$?`;5{cY&`EF07+I
zrr$cj3&{u<+*2P>vwYcDAzX?Y%@iYCjdCGdm=8tVjj0yaR@#;iaNstF`k5(4x#3IO
zO39sNat(&IvB=w^dou0qj3Qy7Rg*S!mNlX~mowPSay<yN{H!Ba3NR5%B>X*uIK*&l
zxNVJ{2orII>>BjhOE{>i9m3qlU<O$R0QnS-s**V2W}xd4%DYoO9Hq_hkROK|;a2UX
z*~+8QSp$i#+Do(5jKv`THp4dqG05+x`5$p6_m7%5rEo$a&W|Y)-L*yfk;x}i)I*6<
zt&dDzp|YM@4}Q#}dOcbvs+S(-l?~?e^foMRR==l@{<Kf%!foi}w`()|6Ye3&QGE>+
z>`ZaJL_h5k`jiW7)`_CO)=Qt7!aD3b4BM2`VGq#1zm1l4!|xB&dS)Bt+%6Mpib00d
z@6gI_GN#{Py@uG%KN(!QiXqy#-fn)hQgEjcn4hf_4Ar0W871|RNnUZ6UNU?}JA2Di
zuNdZ#`9oz|#@*UN|D1nQn^Bed4A(21&uRA%8PiqVV@UIRH>Vz<&3afWTX2g`ORVOP
z;4ri?h%w#<_t9WG!8(Z8KiDcM5#7q!vyS2W1x4M35&G&7S)0xcMl&)t%Y5~*v~@6s
z_1Ph^20buD){4k4AIY7+4_@mxMCK{57B=<g^vn>zvj(hHrOk<GUe0hWY>3aPdvDkf
zcY^}#{Tbn_Q)y{$*}yZ*VWD2SE2I{`tSYT@&7qJ1t=?|Fl~xXszB<90X;jYGEz9ZI
zKC*r@#%qCJS8X`Q<sE#hOF1LC(4*VvTp#FBMsgK}9?>CkASh^@ZQP@;^pQAH{B{{%
z%5|D-^|V~a5OBE|8{$W~df{NX>aYU86Ys<66u>3vtwfxC%|3`tl4US=ZnM*E+d2UQ
zXepLacjIOCr)B`hDEVWx!K@73T7e>P5;Vuy$PELdarRUX=M*@4=AbXxRX0#b%O}W;
zFr1+TJoU+gIE*VHPyk;`Cbe(si*=<0M$+Bgf%M{5tnRWdj&WSsT_)m`#}B*1nSvuB
zy30m5C^Djl%nZ8=uQj5zO@03S<iJo6P2jBs8pbwO=mB&blpi0!c}Z#Y{{IB20i31Z
zL)Hx&j5O`lIeE0B2bML1=x`6295xW_G{uHrX8^_Ylqm^!fR|F4UGS(pU!Xtr>nUS!
zIR4n4IQ^(E{iCN$io4xyrN@R`S%kAGrWN@EeP~lpfZ@IAP*0hd-V1qV1{--gd&+}U
zMxZC8ZK=^k_+OF&J*ZtTnbeFM)yIvx8@6WwhKh~wju(I~+$u7#OZgjnHGGI20U+(h
z=CNs3&w2Ur5%tO${6Ht$OKU~}*DGi61M%&9dEic)F$$=s)8RDLro03xFg*6qucI(L
z82wOGvqDge@?mi7p$UZ;9E|dT+D-F@VWNAh5K|~aeTuceP&NX3H3c+m@ZD52P-Zq&
zU|$n!ml+<aUijxV&1ZN_D@reC5D*jFE_!bu*2)Y40u$Or#|B~<&cI)GuC;T)AdE!D
z{g|L;Ofl{UY;Pxx90Y8SaX&Z!zNCK*LPQ4Reu~<})EH2}Bfq4}gMdIX?gxu!2PF-L
z#lr}nq6RX>2p{aG9rW+PGSfglZ(9ge{uYN)#M`+5d?wmY0K5AS4raMv|BWp<SqQ+q
z2ax{)1Y_<~Yu`H9W7ZkR58Vf+?>pE5cnVg_#OhkvR%$HR%ms$W+AX<sl(tQGa7$I`
z9imVh!8?p<uPVfjQI6~1Vd}W55CIX`Gh}_qc}_2xF&cx12aFh_r_(P@jw~v5WMhrY
zX|#~n#_1Vsr^;@|D6<V$jMpXK>Eu=^xz|XXyecIVH1xAeWySqqoS3K$h+R%L%oURi
z)5$?GC+jI~ckpE#B?RB=17eDvrgn#B;mC@OjC-#yW2&b11hXiZ3>ZL#vkD*w4592H
zjDeU^0h~dRp+yKuU8478gp4pTL(kBAO)>OH6Eh9h<YTz^Y3^5Ckf5Rw_v<hGs&HIy
z#Euq)NFFc}lS}0*59%-ax=Kd+2v6~l{)De-P62<>!-l*$50m;4-OT$qr%Ej-uycvS
z!S|W33Xzl=iODZS@)-Mvd)q549NP5??!|i-M|V++2J!-&N-GFXrLcrgMBi#IA*@eC
zKlS`n^f%8tHl_}jokU~Kqqe=@viA!YVjLzStnn?eQ(S{h+RAk+M%pCIcnc8JwZnD#
zty*`kwrS1<UlSaXzv%+Pcb{wOMzHVJ3qY6>FCvP23Dv)d<1xRWJ{J)a^f^ts=<|nd
z&vK`Aq^TFN&1m^WUoG5cy8a?uFFR;A5=FmM!yPMa^bdVrVhR2CqVEpcamkmEGCa<m
z6>C>L_)h_p!xG$CNj4SZltIjQ>-x#KhIi|Q&M+J;kMn9~!JJMJClR4p3R61;=YG6p
zKZt<elhy)YLY^AUquNwdgFb>bK8Ti}y&Nt4*)%{h;ou@_>i{*I1_NOEbQwX>)3Njk
zbNEw({CmKUbc5fuzjc6f$)65GYV~xiQ8;`6Yq0&ace>1uXkEbp1d6_ABpfCjDgX_-
zpJ*gBs09j|cOQK*Qf7L~ISN3L*A>Y@0MNwys9}Lj^OkcA01Evz4J?q&z2zJOph)yR
zkPm^xjPW&nQ6L+8%Q*x97SdPrcY&<uEoa1EkxfQ1$zVSwv#)3vCbQw?jPvu{R%HZ*
zOelItad+`!y^X&ItzV(GJL9Cie_~;?(>{g$5y@EE3`5*J0g~7cd_EN$f~UBi<1^yQ
zjB98A|8((UgtOsp61T_|y2fO6QKmiTPPO{IqC8V=Z8|_s1B81;g~M|iE4;dRT#rB1
ztXn4|lJ5!apg*Wy^ooBtB)?Nv;G{#2RQ-m>W2o&T{-uZfH<UJ&Vc~xp(o|2Cq)+N;
z;t=(lf@p!KwEqIf_D+?tUNPGtpPC}$istBSzU7}QnN~1<GEVj^y1#(W)D&}d$-gxf
zbhCJ#5t|a+EPh(AX1-J1xvRhwIA1%7zN4fEWU^O0<B+@Vmno6Y>Z&`;$qPOeiC(cl
z$HE=v<mn!AD5OrN=m%t2#zI~8@44&+xK9(R2&Y#dC;_n0B3-!eY3mFblPR9l3z4B5
zUH&Lwsd((>ejPXA<=B5Afc9~?zpq-aU?l!ktz}g23ig`!8fpd0LVwMK4Z@f$oFLzk
zDnZZt3|y;N{6(|?tVl*`VZjGKn~vTm)1uo{)CM0T<6B)@w7wWl{X2@`?Ps`_1-h2C
z;3)_^4B2Avd`oW>!yc;%3NcuR2+bBt*NfpTWwchY(6Fr)P>ZlE)#x}$bf)ysLsQY+
z7_vn+-w;hjHVoM+ihB_qoeHy#(OQ^s-;g~Gu2e>Afsq_!ebZK<wTeO~&&}mZjK;O5
zt~IW~*yeRoyn>_aZWT3QAI-D-B5G_uHY$xq0{+vog1xdZw~o_GkHXwyuPn^1<MjQb
za33*-gQd+e+VUWr8K}%i-1>~p%4m+_FK7M}C0OT`l*-x)$bpmP7zG{#Sp9q{G^0Xu
zdRa$l#Dma`DvR@_h_~%nk%~;PDeNdsE|Ir*7{h7X71X*C+0w(v4JzOWoi9OkFj%9g
zv>BibSaXC1&oE#O-us^3cmVKBG-h;KJ_GfoU>oM6YqeAx^AK0`J>8fAH+LNJ>p#Le
ztoz88PjH<9nkte;&V&+Xz(xttTX1FGOqtb*)mNgm+QQ$Du)XU#0{h!xBlttWR5xMu
zb``-D&47ECK!I%%CtNjLd9HiWfuD7~hU1jKcAbH>IX+cuj3YM>1F=Mpk0XSSgT`2D
zNHbnTM~qmehl{Es1d=S*I!RR^RNV@PL`}zgR%*?tnj*%tN_#Yp5gN?zdETMWto{*Z
z=h$&B8L*ErW1Kalcu{Mp<3_bq6~1JIrl3`YFYA*2z<Ofu4|VEz#VfjWKhU}|iNdaS
z$m0(o?n}I?eLN>P{nm%D%2=Zf@e?X}6bJl@*BlmJNsfG7Ynqel7s}CYZ)ivUNq(cA
zSD5`|Cy9T6Pt31gD%NSw(2xA3X4x#(Ys>0K^NkMsO~W={=dj<>Hu5RXK`q6_+u9mF
zW!~4!cMQ|Kt(o~7wCR7EUk(Aj#6~@0yK|)HY*!!n2tLC(!7c4$P<f4Q4|?3&SWZs1
zx}zVZHcPKyr!H1!r$TcNnR3;yrB|@Cms8QgSy;odvlnZ)Q}p31)Gj-FVIKTQM`mH6
z#_*G(JY@*NWaJ4^i=ma|tWQlX45?rg3R{apDwiHA!_Z_LO7YPK{i6C;Fz|$scil+W
zaR10F4<q26u_riePH@vC(Y1%M0%YJxvAB0o`$wRA7<hum=mbrE1Rf*CoS@=<(9OBy
z5i~dhPl~19ss5-;jb!u*S~}S6sOO_lL5xBv4L9Xc*`zgBb}Sa>xJhZZ>piUF?}f=4
zhIRZBQ7D?&m$8ssWKYM!G6Bw*i*R$V#UUBfQ1y99v4KZ$-bunu$SAMxQUedu?3dv{
zd5G4(EK{5FxhUy3rE?I}=m1U?_xtsE_xj)1!2Q%`ob;#R{O~$C%=@3S^4kVxx~+~~
zssC6U^qwA=L7T_nkiQc8ahyyEn~no$`f~tOR)mSVx+O4;^2W=&FdQA8)t5!tuGWEK
zT036037Z05H|B*vwbfb%aEQ3hC6W3q^Z5{Vg1ag1McBzi3fwDOhE0IHV@Q})N&tt1
zXJsnR<k|ro4en3UJ}C#IjR}kcvz}(+G$n*qj8@%K2F5~=t_2}uL63xD3tDpp)({<B
zUaa8X5VLS{c0KIb-iWn+0*+iQMsswJ7*fIR_(4So?ppgedQ#0nUZBylq2Spu4?z7K
z?Rgp#__3!XZu^;oKE*D2#UJ^Y!ym$YcFiMD;GE9q#W^q<7zskB`AKJSdXDr*w5-T?
zn0P;1VL_NHe<FGec`ytFpx`Wh_86c6hJO@wl_>^)Fc!~JY5-%A!5>U#XXv&7#!Neh
zdWb0oe=yCTp>+XFZVdjw<UdVE12Fj+{83cxS)ds0feYm{b)6;CTk{kZi)e8CJ%C*h
zk+|wSPq{`O$NsY|u(E67(1;@OEDkcbfSqSuum}7Fbw)`=sdg@$HrgblF~ooLoOOm3
zR%q*q_w*!n#wfiiviFV5<X1)Zf!2#>IYXz93=o^NUOekeGX~%n9~!>N$$3F+)@$3J
zI2Wj-LXHH(Z9l*nx9B<PC*t<?imeXG-M}k8(i4bk<z&yt+M9k(rB!{zD?V{}!G7Zv
zpXx1im3_?P*`_z^oe#c>`E9$yb6y4SGi@zjpsmly6tDPPPgxh}@-x^)BEE1)ypc%j
zGQ8D1JM<3ei~K^S=gS;7wyszgIeo+Mor<Epb71CNegYQPv1g>mvrF#)yu@!{np^4h
zChz7!6bWn-L#PvWB)^7Cy!Pt=lOnCnu$~Wl21oR$U{G#Q59<>5?_1U0GDW36Ei<Uo
ze5hB3;`(+$0w-q=^WF5+eCZEoJZ{8@kizVlFPlXStzbZI#0XvFEE+Hy(T)#4DQl@M
zXG4dAkId@R`%l79?}eoO`&t*c0P6F@De5UKAsCude6A(Bi&;Iu>eT~D@pcNm@DxhN
zAl<MD82L_h->Q&0#ZrU2(`?yUMa_(~aXaSS4dm!yxD{_CobLS)0M`klp&8DNO2xT^
z(Kwpl!tr010c{?G4|fkvx7`A_$U3-3R^Z&pxj66VG5dai#^dafxGtif-QDhFx54ci
z4eV4q4mZkpZ0Mu5%6C$FL;R_HB{#%%^ZY|S{}R8O=QZ>EO+Eh<znbS&^ZZ3UuZy3}
z^NM+1R?k1gCG)&!o)^^fcX6JdrPlA_oMHT=p4Y@#^E_jor`7W}amqY@G|!Xj`Kvf#
zo<Er9arL|^j+y6C^E{%SzliV6^Dv&J!umygrx-trZ_V?Nd48jwSHwZ{JYb&t)$_90
zXP#f1=U3`^N$fSxJ?6PvJuiw~>Ul&gG0&ydT=d`w`M5{XC&gMS{-?a0$m1b`H)XDI
z^#lB}NaSK~{)4vPdRJ}7><}@mVi>y9(DBwUG<5-bn0K+v4ZjPl3BxJ%SuEr_J>{)K
z#f#yDVR&i6aO-EnK#@T{B5f8U(&o+zMwg0)Kx~t2Of%<V6f?v$e3EsA_AEf~&Ca<%
zp9edv%1pB7fzP<okg-ULQq-f_^DxISxKub45me~s87iELF3-d0VZ2@Ok;MRow+|nH
zRFz|uBd<8An_hlereyH^P{ST-*+XGeZnV!K$iEMa%(ddAD-m9=GPuRrQP;|@rq!L&
z3mIOqSBJmcl(Q%7s}^oiNd2Ec<uscwqq$_Bu&)&}P?fol?Q&ZGgsCpC*srs^Qdxyw
zalqlBlCnGpTe>k<=~`^!`6kzm(2XipzUNVIwQzBW1(fnEmY}MEH1}K9q169b{d-Z-
z#vl^kX>IyT@MkMUhaC}qz3y$!3*YP6?<!9-IEO2EABQ-?9jb=a#&Rve7VZcH)31V)
zqP2Yk$9)V!5abr?VXMu&d|yO<1tTII`&!rN!YUZCjEE>I=XseI$%shX9@aJFPyI)_
z>(IZSNBjaKBRF~GH#O<e);GgrXxH<ydBng9MoCygQxkBm${Pz|)Qnk(uE2N+jGEtQ
zWI6)Tz|X0{ph?HJ)~|Zzr2N>ZItv!T?q~3p`4m_x{ouH%{UYg$WbC$W3+q=diAn3G
z>5HJZ8MbZF&bmrZE<$9)2#3P!b?ECwSV}T>3-91ny1EEP6C<}HreGLxMe;C;#1$Cm
z#f;%9zSH5OwD8vXvKCEwN`}$r&&gPGf_niUsPQixQIn1%YCgrr%_7kpXD@8SJt~7S
zXb&UE^hv7#8n;zMgNlccGa^lHkX(Z~wSs+@itMCF_FW?K<OWSxgN;fR?7M8&6=9Bh
zm!RLiyapJ11v@Ym?+WuyA|33!nP9^B`-{4)kWIZ6jM%{s`zJlPLN@bOFg&Now^l$S
zFgypV>`yws0#+HrbD*wM%1TfS&nfB-rWl!n#de)4R$|G+xLjs?>koQ!CA0+Na*8_6
z6ytAcxsXM#LIf(~Z}1@fPHk7o)=`YVF{P{}>aYstz|*T_LL@_R@GSk#jo5J&djC#{
z>hidc5`!?;V;lNLu?Gh(dT~l!zN-kQ)NOR_SJ$+)5Y&6DuburH{bMYyUfV`*jP=EZ
zZ%lIg5jfcqq3%i6`|)mnmiYg|*R2in*FWbE-=tG>V7x$RU|Kzy9{ygs+mBnvIEFp~
zab?yAP2B#ziq7QtI;tm=CN79`C!{;OO5huGPB5`n*TT+4N5Crw>s9TC*@PY^dSEjD
z7fhS|xW%gp`pRVNM0g!1|MTgRHV!n}1=syTDEYeq$EG0G>zuXE+JrvyNDsZRzhR6@
ztkHP=CjK;RV}m;E>)K;*gLQzz`$M~CbuaRY-yM=WP^q}4ZO*^=4ctY61rIws$4*v}
zh`(v4%%A4Rr_3mUvMIvv&%`A;;#VUzWw=RtRom%*a>h4_e$k@qqs?){D5<m96h9kT
z<%b1DSG0Y7-F#e-e_7*Sf0$D0C91e&xF#dRy{N7It0rw+6-9YWdx3&_#Vd|$w~tal
z@il%hlzv&M9<Ml|ZE&N`9v$oRc*RM*L))l6=G72C8lHMtD@qnr7pL^E2KA~}oYuc{
zji7hodphHgP|E&k;;e2l9ylZLRq#zu9L?LUrj5t`vY&M8>d^+!?`HWqBd@Hhs_&oI
NP~;ybbJVf8@PDS9I!pin

diff --git a/lms/djangoapps/oauth_dispatch/__init__.py b/lms/djangoapps/oauth_dispatch/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lms/djangoapps/oauth_dispatch/adapters/__init__.py b/lms/djangoapps/oauth_dispatch/adapters/__init__.py
new file mode 100644
index 0000000000..1f6227b50a
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/adapters/__init__.py
@@ -0,0 +1,7 @@
+"""
+Adapters to provide a common interface to django-oauth2-provider (DOP) and
+django-oauth-toolkit (DOT).
+"""
+
+from .dop import DOPAdapter
+from .dot import DOTAdapter
diff --git a/lms/djangoapps/oauth_dispatch/adapters/dop.py b/lms/djangoapps/oauth_dispatch/adapters/dop.py
new file mode 100644
index 0000000000..b12994b96f
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/adapters/dop.py
@@ -0,0 +1,70 @@
+"""
+Adapter to isolate django-oauth2-provider dependencies
+"""
+
+from provider.oauth2 import models
+from provider import constants, scope
+
+
+class DOPAdapter(object):
+    """
+    Standard interface for working with django-oauth2-provider
+    """
+
+    backend = object()
+
+    def create_confidential_client(self, name, user, redirect_uri, client_id=None):
+        """
+        Create an oauth client application that is confidential.
+        """
+        return models.Client.objects.create(
+            name=name,
+            user=user,
+            client_id=client_id,
+            redirect_uri=redirect_uri,
+            client_type=constants.CONFIDENTIAL,
+        )
+
+    def create_public_client(self, name, user, redirect_uri, client_id=None):
+        """
+        Create an oauth client application that is public.
+        """
+        return models.Client.objects.create(
+            name=name,
+            user=user,
+            client_id=client_id,
+            redirect_uri=redirect_uri,
+            client_type=constants.PUBLIC,
+        )
+
+    def get_client(self, **filters):
+        """
+        Get the oauth client application with the specified filters.
+
+        Wraps django's queryset.get() method.
+        """
+        return models.Client.objects.get(**filters)
+
+    def get_client_for_token(self, token):
+        """
+        Given an AccessToken object, return the associated client application.
+        """
+        return token.client
+
+    def get_access_token(self, token_string):
+        """
+        Given a token string, return the matching AccessToken object.
+        """
+        return models.AccessToken.objects.get(token=token_string)
+
+    def normalize_scopes(self, scopes):
+        """
+        Given a list of scopes, return a space-separated list of those scopes.
+        """
+        return ' '.join(scopes)
+
+    def get_token_scope_names(self, token):
+        """
+        Given an access token object, return its scopes.
+        """
+        return scope.to_names(token.scope)
diff --git a/lms/djangoapps/oauth_dispatch/adapters/dot.py b/lms/djangoapps/oauth_dispatch/adapters/dot.py
new file mode 100644
index 0000000000..84dcb7ece4
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/adapters/dot.py
@@ -0,0 +1,73 @@
+"""
+Adapter to isolate django-oauth-toolkit dependencies
+"""
+
+from oauth2_provider import models
+
+
+class DOTAdapter(object):
+    """
+    Standard interface for working with django-oauth-toolkit
+    """
+
+    backend = object()
+
+    def create_confidential_client(self, name, user, redirect_uri, client_id=None):
+        """
+        Create an oauth client application that is confidential.
+        """
+        return models.Application.objects.create(
+            name=name,
+            user=user,
+            client_id=client_id,
+            client_type=models.Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=models.Application.GRANT_AUTHORIZATION_CODE,
+            redirect_uris=redirect_uri,
+        )
+
+    def create_public_client(self, name, user, redirect_uri, client_id=None):
+        """
+        Create an oauth client application that is public.
+        """
+        return models.Application.objects.create(
+            name=name,
+            user=user,
+            client_id=client_id,
+            client_type=models.Application.CLIENT_PUBLIC,
+            authorization_grant_type=models.Application.GRANT_PASSWORD,
+            redirect_uris=redirect_uri,
+        )
+
+    def get_client(self, **filters):
+        """
+        Get the oauth client application with the specified filters.
+
+        Wraps django's queryset.get() method.
+        """
+        return models.Application.objects.get(**filters)
+
+    def get_client_for_token(self, token):
+        """
+        Given an AccessToken object, return the associated client application.
+        """
+        return token.application
+
+    def get_access_token(self, token_string):
+        """
+        Given a token string, return the matching AccessToken object.
+        """
+        return models.AccessToken.objects.get(token=token_string)
+
+    def normalize_scopes(self, scopes):
+        """
+        Given a list of scopes, return a space-separated list of those scopes.
+        """
+        if not scopes:
+            scopes = ['default']
+        return ' '.join(scopes)
+
+    def get_token_scope_names(self, token):
+        """
+        Given an access token object, return its scopes.
+        """
+        return list(token.scopes)
diff --git a/lms/djangoapps/oauth_dispatch/tests/__init__.py b/lms/djangoapps/oauth_dispatch/tests/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lms/djangoapps/oauth_dispatch/tests/constants.py b/lms/djangoapps/oauth_dispatch/tests/constants.py
new file mode 100644
index 0000000000..b38868bcfb
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/tests/constants.py
@@ -0,0 +1,5 @@
+"""
+Constants for testing purposes
+"""
+
+DUMMY_REDIRECT_URL = u'https://example.edx/redirect'
diff --git a/lms/djangoapps/oauth_dispatch/tests/mixins.py b/lms/djangoapps/oauth_dispatch/tests/mixins.py
new file mode 100644
index 0000000000..8b16c53fc2
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/tests/mixins.py
@@ -0,0 +1,3 @@
+"""
+OAuth Dispatch test mixins
+"""
diff --git a/lms/djangoapps/oauth_dispatch/tests/test_dop_adapter.py b/lms/djangoapps/oauth_dispatch/tests/test_dop_adapter.py
new file mode 100644
index 0000000000..6dfe9ac9d4
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/tests/test_dop_adapter.py
@@ -0,0 +1,77 @@
+"""
+Tests for DOP Adapter
+"""
+
+from datetime import timedelta
+
+import ddt
+from django.test import TestCase
+from django.utils.timezone import now
+from provider.oauth2 import models
+from provider import constants
+
+from student.tests.factories import UserFactory
+
+from ..adapters import DOPAdapter
+from .constants import DUMMY_REDIRECT_URL
+
+
+@ddt.ddt
+class DOPAdapterTestCase(TestCase):
+    """
+    Test class for DOPAdapter.
+    """
+
+    adapter = DOPAdapter()
+
+    def setUp(self):
+        super(DOPAdapterTestCase, self).setUp()
+        self.user = UserFactory()
+        self.public_client = self.adapter.create_public_client(
+            name='public client',
+            user=self.user,
+            redirect_uri=DUMMY_REDIRECT_URL,
+            client_id='public-client-id',
+        )
+        self.confidential_client = self.adapter.create_confidential_client(
+            name='confidential client',
+            user=self.user,
+            redirect_uri=DUMMY_REDIRECT_URL,
+            client_id='confidential-client-id',
+        )
+
+    @ddt.data(
+        ('confidential', constants.CONFIDENTIAL),
+        ('public', constants.PUBLIC),
+    )
+    @ddt.unpack
+    def test_create_client(self, client_name, client_type):
+        client = getattr(self, '{}_client'.format(client_name))
+        self.assertIsInstance(client, models.Client)
+        self.assertEqual(client.client_id, '{}-client-id'.format(client_name))
+        self.assertEqual(client.client_type, client_type)
+
+    def test_get_client(self):
+        client = self.adapter.get_client(client_type=constants.CONFIDENTIAL)
+        self.assertIsInstance(client, models.Client)
+        self.assertEqual(client.client_type, constants.CONFIDENTIAL)
+
+    def test_get_client_not_found(self):
+        with self.assertRaises(models.Client.DoesNotExist):
+            self.adapter.get_client(client_id='not-found')
+
+    def test_get_client_for_token(self):
+        token = models.AccessToken(
+            user=self.user,
+            client=self.public_client,
+        )
+        self.assertEqual(self.adapter.get_client_for_token(token), self.public_client)
+
+    def test_get_access_token(self):
+        token = models.AccessToken.objects.create(
+            token='token-id',
+            client=self.public_client,
+            user=self.user,
+            expires=now() + timedelta(days=30),
+        )
+        self.assertEqual(self.adapter.get_access_token(token_string='token-id'), token)
diff --git a/lms/djangoapps/oauth_dispatch/tests/test_dot_adapter.py b/lms/djangoapps/oauth_dispatch/tests/test_dot_adapter.py
new file mode 100644
index 0000000000..a623e8cc6d
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/tests/test_dot_adapter.py
@@ -0,0 +1,76 @@
+"""
+Tests for DOT Adapter
+"""
+
+from datetime import timedelta
+
+import ddt
+from django.test import TestCase
+from django.utils.timezone import now
+from oauth2_provider import models
+
+from student.tests.factories import UserFactory
+
+from ..adapters import DOTAdapter
+from .constants import DUMMY_REDIRECT_URL
+
+
+@ddt.ddt
+class DOTAdapterTestCase(TestCase):
+    """
+    Test class for DOTAdapter.
+    """
+
+    adapter = DOTAdapter()
+
+    def setUp(self):
+        super(DOTAdapterTestCase, self).setUp()
+        self.user = UserFactory()
+        self.public_client = self.adapter.create_public_client(
+            name='public app',
+            user=self.user,
+            redirect_uri=DUMMY_REDIRECT_URL,
+            client_id='public-client-id',
+        )
+        self.confidential_client = self.adapter.create_confidential_client(
+            name='confidential app',
+            user=self.user,
+            redirect_uri=DUMMY_REDIRECT_URL,
+            client_id='confidential-client-id',
+        )
+
+    @ddt.data(
+        ('confidential', models.Application.CLIENT_CONFIDENTIAL),
+        ('public', models.Application.CLIENT_PUBLIC),
+    )
+    @ddt.unpack
+    def test_create_client(self, client_name, client_type):
+        client = getattr(self, '{}_client'.format(client_name))
+        self.assertIsInstance(client, models.Application)
+        self.assertEqual(client.client_id, '{}-client-id'.format(client_name))
+        self.assertEqual(client.client_type, client_type)
+
+    def test_get_client(self):
+        client = self.adapter.get_client(client_type=models.Application.CLIENT_CONFIDENTIAL)
+        self.assertIsInstance(client, models.Application)
+        self.assertEqual(client.client_type, models.Application.CLIENT_CONFIDENTIAL)
+
+    def test_get_client_not_found(self):
+        with self.assertRaises(models.Application.DoesNotExist):
+            self.adapter.get_client(client_id='not-found')
+
+    def test_get_client_for_token(self):
+        token = models.AccessToken(
+            user=self.user,
+            application=self.public_client,
+        )
+        self.assertEqual(self.adapter.get_client_for_token(token), self.public_client)
+
+    def test_get_access_token(self):
+        token = models.AccessToken.objects.create(
+            token='token-id',
+            application=self.public_client,
+            user=self.user,
+            expires=now() + timedelta(days=30),
+        )
+        self.assertEqual(self.adapter.get_access_token(token_string='token-id'), token)
diff --git a/lms/djangoapps/oauth_dispatch/tests/test_views.py b/lms/djangoapps/oauth_dispatch/tests/test_views.py
new file mode 100644
index 0000000000..b8fb7435ff
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/tests/test_views.py
@@ -0,0 +1,251 @@
+"""
+Tests for Blocks Views
+"""
+
+import json
+
+import ddt
+from django.test import RequestFactory, TestCase
+from django.core.urlresolvers import reverse
+import httpretty
+
+from student.tests.factories import UserFactory
+from third_party_auth.tests.utils import ThirdPartyOAuthTestMixin, ThirdPartyOAuthTestMixinGoogle
+
+from .. import adapters
+from .. import views
+from .constants import DUMMY_REDIRECT_URL
+
+
+class _DispatchingViewTestCase(TestCase):
+    """
+    Base class for tests that exercise DispatchingViews.
+    """
+    dop_adapter = adapters.DOPAdapter()
+    dot_adapter = adapters.DOTAdapter()
+
+    view_class = None
+    url = None
+
+    def setUp(self):
+        super(_DispatchingViewTestCase, self).setUp()
+        self.user = UserFactory()
+        self.dot_app = self.dot_adapter.create_public_client(
+            name='test dot application',
+            user=self.user,
+            redirect_uri=DUMMY_REDIRECT_URL,
+            client_id='dot-app-client-id',
+        )
+        self.dop_client = self.dop_adapter.create_public_client(
+            name='test dop client',
+            user=self.user,
+            redirect_uri=DUMMY_REDIRECT_URL,
+            client_id='dop-app-client-id',
+        )
+
+    def _post_request(self, user, client):
+        """
+        Call the view with a POST request objectwith the appropriate format,
+        returning the response object.
+        """
+        return self.client.post(self.url, self._post_body(user, client))
+
+    def _post_body(self, user, client):
+        """
+        Return a dictionary to be used as the body of the POST request
+        """
+        raise NotImplementedError()
+
+
+@ddt.ddt
+class TestAccessTokenView(_DispatchingViewTestCase):
+    """
+    Test class for AccessTokenView
+    """
+
+    view_class = views.AccessTokenView
+    url = reverse('access_token')
+
+    def _post_body(self, user, client):
+        """
+        Return a dictionary to be used as the body of the POST request
+        """
+        return {
+            'client_id': client.client_id,
+            'grant_type': 'password',
+            'username': user.username,
+            'password': 'test',
+        }
+
+    @ddt.data('dop_client', 'dot_app')
+    def test_access_token_fields(self, client_attr):
+        client = getattr(self, client_attr)
+        response = self._post_request(self.user, client)
+        self.assertEqual(response.status_code, 200)
+        data = json.loads(response.content)
+        self.assertIn('access_token', data)
+        self.assertIn('expires_in', data)
+        self.assertIn('scope', data)
+        self.assertIn('token_type', data)
+
+    def test_dot_access_token_provides_refresh_token(self):
+        response = self._post_request(self.user, self.dot_app)
+        self.assertEqual(response.status_code, 200)
+        data = json.loads(response.content)
+        self.assertIn('refresh_token', data)
+
+    def test_dop_public_client_access_token(self):
+        response = self._post_request(self.user, self.dop_client)
+        self.assertEqual(response.status_code, 200)
+        data = json.loads(response.content)
+        self.assertNotIn('refresh_token', data)
+
+
+@ddt.ddt
+@httpretty.activate
+class TestAccessTokenExchangeView(ThirdPartyOAuthTestMixinGoogle, ThirdPartyOAuthTestMixin, _DispatchingViewTestCase):
+    """
+    Test class for AccessTokenExchangeView
+    """
+
+    view_class = views.AccessTokenExchangeView
+    url = reverse('exchange_access_token', kwargs={'backend': 'google-oauth2'})
+
+    def _post_body(self, user, client):
+        return {
+            'client_id': client.client_id,
+            'access_token': self.access_token,
+        }
+
+    @ddt.data('dop_client', 'dot_app')
+    def test_access_token_exchange_calls_dispatched_view(self, client_attr):
+        client = getattr(self, client_attr)
+        self.oauth_client = client
+        self._setup_provider_response(success=True)
+        response = self._post_request(self.user, client)
+        self.assertEqual(response.status_code, 200)
+
+
+@ddt.ddt
+class TestAuthorizationView(TestCase):
+    """
+    Test class for AuthorizationView
+    """
+
+    dop_adapter = adapters.DOPAdapter()
+
+    def setUp(self):
+        super(TestAuthorizationView, self).setUp()
+        self.user = UserFactory()
+        self.dop_client = self._create_confidential_client(user=self.user, client_id='dop-app-client-id')
+
+    def _create_confidential_client(self, user, client_id):
+        """
+        Create a confidential client suitable for testing purposes.
+        """
+        return self.dop_adapter.create_confidential_client(
+            name='test_app',
+            user=user,
+            client_id=client_id,
+            redirect_uri=DUMMY_REDIRECT_URL
+        )
+
+    def test_authorization_view(self):
+        self.client.login(username=self.user.username, password='test')
+        response = self.client.post(
+            '/oauth2/authorize/',
+            {
+                'client_id': self.dop_client.client_id,  # TODO: DOT is not yet supported (MA-2124)
+                'response_type': 'code',
+                'state': 'random_state_string',
+                'redirect_uri': DUMMY_REDIRECT_URL,
+            },
+            follow=True,
+        )
+
+        self.assertEqual(response.status_code, 200)
+
+        # check form is in context and form params are valid
+        context = response.context  # pylint: disable=no-member
+        self.assertIn('form', context)
+        self.assertIsNone(context['form']['authorize'].value())
+
+        self.assertIn('oauth_data', context)
+        oauth_data = context['oauth_data']
+        self.assertEqual(oauth_data['redirect_uri'], DUMMY_REDIRECT_URL)
+        self.assertEqual(oauth_data['state'], 'random_state_string')
+
+
+class TestViewDispatch(TestCase):
+    """
+    Test that the DispatchingView dispatches the right way.
+    """
+
+    dop_adapter = adapters.DOPAdapter()
+    dot_adapter = adapters.DOTAdapter()
+
+    def setUp(self):
+        super(TestViewDispatch, self).setUp()
+        self.user = UserFactory()
+        self.view = views._DispatchingView()  # pylint: disable=protected-access
+        self.dop_adapter.create_public_client(
+            name='',
+            user=self.user,
+            client_id='dop-id',
+            redirect_uri=DUMMY_REDIRECT_URL
+        )
+        self.dot_adapter.create_public_client(
+            name='',
+            user=self.user,
+            client_id='dot-id',
+            redirect_uri=DUMMY_REDIRECT_URL
+        )
+
+    def assert_is_view(self, view_candidate):
+        """
+        Assert that a given object is a view.  That is, it is callable, and
+        takes a request argument.  Note: while technically, the request argument
+        could take any name, this assertion requires the argument to be named
+        `request`.  This is good practice.  You should do it anyway.
+        """
+        _msg_base = u'{view} is not a view: {reason}'
+        msg_not_callable = _msg_base.format(view=view_candidate, reason=u'it is not callable')
+        msg_no_request = _msg_base.format(view=view_candidate, reason=u'it has no request argument')
+        self.assertTrue(hasattr(view_candidate, '__call__'), msg_not_callable)
+        args = view_candidate.func_code.co_varnames
+        self.assertTrue(args, msg_no_request)
+        self.assertEqual(args[0], 'request')
+
+    def _get_request(self, client_id):
+        """
+        Return a request with the specified client_id in the body
+        """
+        return RequestFactory().post('/', {'client_id': client_id})
+
+    def test_dispatching_to_dot(self):
+        request = self._get_request('dot-id')
+        self.assertEqual(self.view.select_backend(request), self.dot_adapter.backend)
+
+    def test_dispatching_to_dop(self):
+        request = self._get_request('dop-id')
+        self.assertEqual(self.view.select_backend(request), self.dop_adapter.backend)
+
+    def test_dispatching_with_no_client(self):
+        request = self._get_request(None)
+        self.assertEqual(self.view.select_backend(request), self.dop_adapter.backend)
+
+    def test_dispatching_with_invalid_client(self):
+        request = self._get_request('abcesdfljh')
+        self.assertEqual(self.view.select_backend(request), self.dop_adapter.backend)
+
+    def test_get_view_for_dot(self):
+        view_object = views.AccessTokenView()
+        self.assert_is_view(view_object.get_view_for_backend(self.dot_adapter.backend))
+
+    def test_get_view_for_dop(self):
+        view_object = views.AccessTokenView()
+        self.assert_is_view(view_object.get_view_for_backend(self.dop_adapter.backend))
+
+    def test_get_view_for_no_backend(self):
+        view_object = views.AccessTokenView()
+        self.assertRaises(KeyError, view_object.get_view_for_backend, None)
diff --git a/lms/djangoapps/oauth_dispatch/urls.py b/lms/djangoapps/oauth_dispatch/urls.py
new file mode 100644
index 0000000000..59e9068bdb
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/urls.py
@@ -0,0 +1,25 @@
+"""
+OAuth2 wrapper urls
+"""
+
+from django.conf import settings
+from django.conf.urls import patterns, url
+from django.views.decorators.csrf import csrf_exempt
+
+from . import views
+
+
+urlpatterns = patterns(
+    '',
+    # TODO: authorize/ URL not yet supported for DOT (MA-2124)
+    url(r'^access_token/?$', csrf_exempt(views.AccessTokenView.as_view()), name='access_token'),
+)
+
+if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH'):
+    urlpatterns += (
+        url(
+            r'^exchange_access_token/(?P<backend>[^/]+)/$',
+            csrf_exempt(views.AccessTokenExchangeView.as_view()),
+            name='exchange_access_token',
+        ),
+    )
diff --git a/lms/djangoapps/oauth_dispatch/views.py b/lms/djangoapps/oauth_dispatch/views.py
new file mode 100644
index 0000000000..22652f127b
--- /dev/null
+++ b/lms/djangoapps/oauth_dispatch/views.py
@@ -0,0 +1,89 @@
+"""
+Views that dispatch processing of OAuth requests to django-oauth2-provider or
+django-oauth-toolkit as appropriate.
+"""
+
+from __future__ import unicode_literals
+
+from django.views.generic import View
+from edx_oauth2_provider import views as dop_views  # django-oauth2-provider views
+from oauth2_provider import models as dot_models, views as dot_views  # django-oauth-toolkit
+
+from auth_exchange import views as auth_exchange_views
+
+from . import adapters
+
+
+class _DispatchingView(View):
+    """
+    Base class that route views to the appropriate provider view.  The default
+    behavior routes based on client_id, but this can be overridden by redefining
+    `select_backend()` if particular views need different behavior.
+    """
+    # pylint: disable=no-member
+
+    dot_adapter = adapters.DOTAdapter()
+    dop_adapter = adapters.DOPAdapter()
+
+    def dispatch(self, request, *args, **kwargs):
+        """
+        Dispatch the request to the selected backend's view.
+        """
+        backend = self.select_backend(request)
+        view = self.get_view_for_backend(backend)
+        return view(request, *args, **kwargs)
+
+    def select_backend(self, request):
+        """
+        Given a request that specifies an oauth `client_id`, return the adapter
+        for the appropriate OAuth handling library.  If the client_id is found
+        in a django-oauth-toolkit (DOT) Application, use the DOT adapter,
+        otherwise use the django-oauth2-provider (DOP) adapter, and allow the
+        calls to fail normally if the client does not exist.
+        """
+
+        if dot_models.Application.objects.filter(client_id=self._get_client_id(request)).exists():
+            return self.dot_adapter.backend
+        else:
+            return self.dop_adapter.backend
+
+    def get_view_for_backend(self, backend):
+        """
+        Return the appropriate view from the requested backend.
+        """
+        if backend == self.dot_adapter.backend:
+            return self.dot_view.as_view()
+        elif backend == self.dop_adapter.backend:
+            return self.dop_view.as_view()
+        else:
+            raise KeyError('Failed to dispatch view. Invalid backend {}'.format(backend))
+
+    def _get_client_id(self, request):
+        """
+        Return the client_id from the provided request
+        """
+        return request.POST.get('client_id')
+
+
+class AccessTokenView(_DispatchingView):
+    """
+    Handle access token requests.
+    """
+    dot_view = dot_views.TokenView
+    dop_view = dop_views.AccessTokenView
+
+
+class AuthorizationView(_DispatchingView):
+    """
+    Part of the authorization flow.
+    """
+    dop_view = dop_views.Capture
+    dot_view = dot_views.AuthorizationView
+
+
+class AccessTokenExchangeView(_DispatchingView):
+    """
+    Exchange a third party auth token.
+    """
+    dop_view = auth_exchange_views.DOPAccessTokenExchangeView
+    dot_view = auth_exchange_views.DOTAccessTokenExchangeView
diff --git a/lms/djangoapps/support/tests/test_programs.py b/lms/djangoapps/support/tests/test_programs.py
index 9d2356e40f..2bad288ddf 100644
--- a/lms/djangoapps/support/tests/test_programs.py
+++ b/lms/djangoapps/support/tests/test_programs.py
@@ -2,7 +2,7 @@
 from django.core.urlresolvers import reverse
 from django.test import TestCase
 import mock
-from oauth2_provider.tests.factories import AccessTokenFactory, ClientFactory
+from edx_oauth2_provider.tests.factories import AccessTokenFactory, ClientFactory
 
 from openedx.core.djangoapps.programs.tests.mixins import ProgramsApiConfigMixin
 from student.tests.factories import UserFactory
diff --git a/lms/envs/common.py b/lms/envs/common.py
index bcb6bb156a..9b1c85f206 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1834,11 +1834,14 @@ INSTALLED_APPS = (
     'external_auth',
     'django_openid_auth',
 
-    # OAuth2 Provider
+    # django-oauth2-provider (deprecated)
     'provider',
     'provider.oauth2',
     'edx_oauth2_provider',
 
+    # django-oauth-toolkit
+    'oauth2_provider',
+
     'third_party_auth',
 
     # We don't use this directly (since we use OAuth2), but we need to install it anyway.
diff --git a/lms/urls.py b/lms/urls.py
index 964f7a495c..18c5cb80c4 100644
--- a/lms/urls.py
+++ b/lms/urls.py
@@ -820,10 +820,19 @@ if settings.FEATURES.get('AUTH_USE_OPENID_PROVIDER'):
 
 if settings.FEATURES.get('ENABLE_OAUTH2_PROVIDER'):
     urlpatterns += (
+        # These URLs dispatch to django-oauth-toolkit or django-oauth2-provider as appropriate.
+        # Developers should use these routes, to maintain compatibility for existing client code
+        url(r'^oauth2/', include('lms.djangoapps.oauth_dispatch.urls')),
+        # These URLs contain the django-oauth2-provider default behavior.  It exists to provide
+        # URLs for django-oauth2-provider to call using reverse() with the oauth2 namespace, and
+        # also to maintain support for views that have not yet been wrapped in dispatch views.
         url(r'^oauth2/', include('edx_oauth2_provider.urls', namespace='oauth2')),
+        # The /_o/ prefix exists to provide a target for code in django-oauth-toolkit that
+        # uses reverse() with the 'oauth2_provider' namespace.  Developers should not access these
+        # views directly, but should rather use the wrapped views at /oauth2/
+        url(r'^_o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
     )
 
-
 if settings.FEATURES.get('ENABLE_LMS_MIGRATION'):
     urlpatterns += (
         url(r'^migrate/modules$', 'lms_migration.migrate.manage_modulestores'),
@@ -888,14 +897,6 @@ if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH'):
 
 # OAuth token exchange
 if settings.FEATURES.get('ENABLE_OAUTH2_PROVIDER'):
-    if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH'):
-        urlpatterns += (
-            url(
-                r'^oauth2/exchange_access_token/(?P<backend>[^/]+)/$',
-                auth_exchange.views.AccessTokenExchangeView.as_view(),
-                name="exchange_access_token"
-            ),
-        )
     urlpatterns += (
         url(
             r'^oauth2/login/$',
diff --git a/openedx/core/djangoapps/programs/tasks/v1/tests/test_tasks.py b/openedx/core/djangoapps/programs/tasks/v1/tests/test_tasks.py
index 93cf9a5370..397bd593c1 100644
--- a/openedx/core/djangoapps/programs/tasks/v1/tests/test_tasks.py
+++ b/openedx/core/djangoapps/programs/tasks/v1/tests/test_tasks.py
@@ -12,8 +12,8 @@ from celery.exceptions import MaxRetriesExceededError
 from django.conf import settings
 from django.test import override_settings, TestCase
 from edx_rest_api_client.client import EdxRestApiClient
-
 from edx_oauth2_provider.tests.factories import ClientFactory
+
 from openedx.core.djangoapps.credentials.tests.mixins import CredentialsApiConfigMixin
 from openedx.core.djangoapps.programs.tests.mixins import ProgramsApiConfigMixin
 from openedx.core.djangoapps.programs.tasks.v1 import tasks
diff --git a/openedx/core/lib/api/authentication.py b/openedx/core/lib/api/authentication.py
index 8e773e2f84..95a296d5b4 100644
--- a/openedx/core/lib/api/authentication.py
+++ b/openedx/core/lib/api/authentication.py
@@ -2,10 +2,13 @@
 
 import logging
 
+import django.utils.timezone
 from rest_framework.authentication import SessionAuthentication
 from rest_framework import exceptions as drf_exceptions
 from rest_framework_oauth.authentication import OAuth2Authentication
-from rest_framework_oauth.compat import oauth2_provider, provider_now
+
+from provider.oauth2 import models as dop_models
+from oauth2_provider import models as dot_models
 
 from openedx.core.lib.api.exceptions import AuthenticationFailed
 
@@ -114,21 +117,44 @@ class OAuth2AuthenticationAllowInactiveUser(OAuth2Authentication):
     def authenticate_credentials(self, request, access_token):
         """
         Authenticate the request, given the access token.
-        Overrides base class implementation to discard failure if user is inactive.
+
+        Overrides base class implementation to discard failure if user is
+        inactive.
         """
-        token_query = oauth2_provider.oauth2.models.AccessToken.objects.select_related('user')
-        token = token_query.filter(token=access_token).first()
+
+        token = self.get_access_token(access_token)
         if not token:
             raise AuthenticationFailed({
                 u'error_code': OAUTH2_TOKEN_ERROR_NONEXISTENT,
                 u'developer_message': u'The provided access token does not match any valid tokens.'
             })
-        # provider_now switches to timezone aware datetime when
-        # the oauth2_provider version supports it.
-        elif token.expires < provider_now():
+        elif token.expires < django.utils.timezone.now():
             raise AuthenticationFailed({
                 u'error_code': OAUTH2_TOKEN_ERROR_EXPIRED,
                 u'developer_message': u'The provided access token has expired and is no longer valid.',
             })
         else:
             return token.user, token
+
+    def get_access_token(self, access_token):
+        """
+        Return a valid access token that exists in one of our OAuth2 libraries,
+        or None if no matching token is found.
+        """
+        return self._get_dot_token(access_token) or self._get_dop_token(access_token)
+
+    def _get_dop_token(self, access_token):
+        """
+        Return a valid access token stored by django-oauth2-provider (DOP), or
+        None if no matching token is found.
+        """
+        token_query = dop_models.AccessToken.objects.select_related('user')
+        return token_query.filter(token=access_token).first()
+
+    def _get_dot_token(self, access_token):
+        """
+        Return a valid access token stored by django-oauth-toolkit (DOT), or
+        None if no matching token is found.
+        """
+        token_query = dot_models.AccessToken.objects.select_related('user')
+        return token_query.filter(token=access_token).first()
diff --git a/openedx/core/lib/api/tests/test_authentication.py b/openedx/core/lib/api/tests/test_authentication.py
index ea572b841b..ab3f077a27 100644
--- a/openedx/core/lib/api/tests/test_authentication.py
+++ b/openedx/core/lib/api/tests/test_authentication.py
@@ -19,6 +19,7 @@ from django.utils import unittest
 from django.utils.http import urlencode
 from mock import patch
 from nose.plugins.attrib import attr
+from oauth2_provider import models as dot_models
 from rest_framework import exceptions
 from rest_framework import status
 from rest_framework.permissions import IsAuthenticated
@@ -28,6 +29,7 @@ from rest_framework.test import APIRequestFactory, APIClient
 from rest_framework.views import APIView
 from rest_framework_jwt.settings import api_settings
 
+from lms.djangoapps.oauth_dispatch import adapters
 from openedx.core.lib.api import authentication
 from openedx.core.lib.api.tests.mixins import JwtMixin
 from provider import constants, scope
@@ -84,6 +86,8 @@ class OAuth2Tests(TestCase):
 
     def setUp(self):
         super(OAuth2Tests, self).setUp()
+        self.dop_adapter = adapters.DOPAdapter()
+        self.dot_adapter = adapters.DOTAdapter()
         self.csrf_client = APIClient(enforce_csrf_checks=True)
         self.username = 'john'
         self.email = 'lennon@thebeatles.com'
@@ -95,24 +99,35 @@ class OAuth2Tests(TestCase):
         self.ACCESS_TOKEN = 'access_token'  # pylint: disable=invalid-name
         self.REFRESH_TOKEN = 'refresh_token'  # pylint: disable=invalid-name
 
-        self.oauth2_client = oauth2_provider.oauth2.models.Client.objects.create(
-            client_id=self.CLIENT_ID,
-            client_secret=self.CLIENT_SECRET,
-            redirect_uri='',
-            client_type=0,
+        self.dop_oauth2_client = self.dop_adapter.create_public_client(
             name='example',
-            user=None,
+            user=self.user,
+            client_id=self.CLIENT_ID,
+            redirect_uri='https://example.edx/redirect',
         )
 
         self.access_token = oauth2_provider.oauth2.models.AccessToken.objects.create(
             token=self.ACCESS_TOKEN,
-            client=self.oauth2_client,
+            client=self.dop_oauth2_client,
             user=self.user,
         )
         self.refresh_token = oauth2_provider.oauth2.models.RefreshToken.objects.create(
             user=self.user,
             access_token=self.access_token,
-            client=self.oauth2_client
+            client=self.dop_oauth2_client,
+        )
+
+        self.dot_oauth2_client = self.dot_adapter.create_public_client(
+            name='example',
+            user=self.user,
+            client_id='dot-client-id',
+            redirect_uri='https://example.edx/redirect',
+        )
+        self.dot_access_token = dot_models.AccessToken.objects.create(
+            user=self.user,
+            token='dot-access-token',
+            application=self.dot_oauth2_client,
+            expires=datetime.now() + timedelta(days=30),
         )
 
         # This is the a change we've made from the django-rest-framework-oauth version
@@ -182,6 +197,10 @@ class OAuth2Tests(TestCase):
         response = self.get_with_bearer_token('/oauth2-test/')
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+    def test_get_form_passing_auth_with_dot(self):
+        response = self.get_with_bearer_token('/oauth2-test/', token=self.dot_access_token.token)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     @unittest.skipUnless(oauth2_provider, 'django-oauth2-provider not installed')
     def test_post_form_passing_auth_url_transport(self):
         """Ensure GETing form over OAuth with correct client credentials in form data succeed"""
diff --git a/pavelib/prereqs.py b/pavelib/prereqs.py
index da314158dd..6df3eb31f3 100644
--- a/pavelib/prereqs.py
+++ b/pavelib/prereqs.py
@@ -163,6 +163,7 @@ PACKAGES_TO_UNINSTALL = [
     "edxval",                       # Because it was bork-installed somehow.
     "django-storages",
     "django-oauth2-provider",       # Because now it's called edx-django-oauth2-provider.
+    "edx-oauth2-provider",          # Because it moved from github to pypi
 ]
 
 
@@ -203,7 +204,6 @@ def uninstall_python_packages():
                 # Uninstall the pacakge
                 sh("pip uninstall --disable-pip-version-check -y {}".format(package_name))
                 uninstalled = True
-
         if not uninstalled:
             break
     else:
diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt
index eb3d248b0a..d3a60a81aa 100644
--- a/requirements/edx/base.txt
+++ b/requirements/edx/base.txt
@@ -23,6 +23,7 @@ django-mako==0.1.5pre
 django-model-utils==2.3.1
 django-mptt==0.7.4
 django-oauth-plus==2.2.8
+django-oauth-toolkit==0.10.0
 django-sekizai==0.8.2
 django-ses==0.7.0
 django-simple-history==1.6.3
@@ -35,9 +36,9 @@ git+https://github.com/edx/django-rest-framework.git@3c72cb5ee5baebc432894737119
 django==1.8.11
 djangorestframework-jwt==1.7.2
 djangorestframework-oauth==1.1.0
-edx-django-oauth2-provider==0.5.0
 edx-lint==0.4.3
-edx-oauth2-provider==0.5.9
+edx-django-oauth2-provider==1.0.1
+edx-oauth2-provider==1.0.0
 edx-opaque-keys==0.2.1
 edx-organizations==0.4.0
 edx-rest-api-client==1.2.1