hSrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKrSSK r SSK r SSK r SSK r SSK Jr SSKJr SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSK J!r! SSK J"r" SSK#J$r$ SSK%J&r& SSK'J(r( SSK'J)r) SSK*J+r+ SSK,J-r- SSK,J.r. SSK,J/r/ SSK,J0r0 SSK1J2r3 SSK4J5r5 SSK6J7r7 SS K8J9r9 SS!K8J:r: SS"K4J;r; SS#Kr> SS%Kz8Implementation of IAM policy management command for GCS.)absolute_import)print_function)division)unicode_literalsN)zip) protojson) DecodeError)config)ArgumentException)PreconditionException)ServiceException)Command)GetFailureCount)CommandArgument) ApiSelector)CommandException)&IamChOnResourceWithConditionsException)CreateHelpText)LogCommandParams)NameExpansionIterator)SeekAheadNameExpansionIterator)PluralityCheckableIterator)GetSchemeFromUrlString)IsKnownUrlScheme)StorageUrlFromString)UrlsAreMixOfBucketsAndObjects)storage_v1_messages) shim_util)GetCloudApiInstance)IAM_POLICY_VERSION)NO_MAX) iam_helper)BindingStringToTuple) BindingsTuple)DeserializeBindingsTuple)IsEqualBindings) PatchBindings)SerializeBindingsTuple)Retry)GcloudStorageMap)GcloudStorageFlagz3 gsutil iam set [-afRr] [-e ] file url ... z gsutil iam get url a gsutil iam ch [-fRr] binding ... url where each binding is of the form: [-d] ("user"|"serviceAccount"|"domain"|"group"):id:role[,...] [-d] ("allUsers"|"allAuthenticatedUsers"):role[,...] -d ("user"|"serviceAccount"|"domain"|"group"):id -d ("allUsers"|"allAuthenticatedUsers") NOTE: The "iam ch" command does not support changing Cloud IAM policies with bindings that contain conditions. As such, "iam ch" cannot be used to add conditions to a policy or to change the policy of a resource that already contains conditions. See additional details below. NOTE: The "gsutil iam" command does not allow you to add convenience values (projectOwner, projectEditor, projectViewer), but you can remove existing ones. a GET The ``iam get`` command gets the Cloud IAM policy for a bucket or object, which you can save and edit for use with the ``iam set`` command. The following examples save the bucket or object's Cloud IAM policy to a text file: gsutil iam get gs://example > bucket_iam.txt gsutil iam get gs://example/important.txt > object_iam.txt The Cloud IAM policy returned by ``iam get`` includes an etag. The etag is used in the precondition check for ``iam set`` unless you override it using ``iam set -e``. a SET The ``iam set`` command sets a Cloud IAM policy on one or more buckets or objects, replacing the existing policy on those buckets or objects. For an example of the correct formatting for a Cloud IAM policy, see the output of the ``iam get`` command. You can use the ``iam ch`` command to edit an existing policy, even in the presence of concurrent updates. You can also edit the policy concurrently using the ``-e`` flag to override the Cloud IAM policy's etag. Specifying ``-e`` with an empty string (i.e. ``gsutil iam set -e '' ...``) instructs gsutil to skip the precondition check when setting the Cloud IAM policy. When you set a Cloud IAM policy on a large number of objects, you should use the gsutil ``-m`` option for concurrent processing. The following command applies ``iam.txt`` to all objects in the ``dogs`` bucket: gsutil -m iam set -r iam.txt gs://dogs Note that only object-level operations are parallelized; setting a Cloud IAM policy on a large number of buckets with the ``-m`` flag does not improve performance. SET OPTIONS The ``set`` sub-command has the following options: -R, -r Performs ``iam set`` recursively on all objects under the specified bucket. This flag can only be set if the policy exclusively uses ``roles/storage.legacyObjectReader`` or ``roles/storage.legacyObjectOwner``. This flag cannot be used if the bucket is configured for uniform bucket-level access. -a Performs ``iam set`` on all object versions. -e Performs the precondition check on each object with the specified etag before setting the policy. You can retrieve the policy's etag using ``iam get``. -f The default gsutil error-handling mode is fail-fast. This flag changes the request to fail-silent mode. This option is implicitly set when you use the gsutil ``-m`` option. av CH The ``iam ch`` command incrementally updates Cloud IAM policies. You can specify multiple access grants or removals in a single command. The access changes are applied as a batch to each url in the order in which they appear in the command line arguments. Each access change specifies a principal and a role that is either granted or revoked. You can use gsutil ``-m`` to handle object-level operations in parallel. NOTE: The ``iam ch`` command cannot be used to change the Cloud IAM policy of a resource that contains conditions in its policy bindings. Attempts to do so result in an error. To change the Cloud IAM policy of such a resource, you can perform a read-modify-write operation by saving the policy to a file using ``iam get``, editing the file, and setting the updated policy using ``iam set``. CH EXAMPLES Examples for the ``ch`` sub-command: To grant a single role to a single principal for some targets: gsutil iam ch user:john.doe@example.com:objectCreator gs://ex-bucket To make a bucket's objects publicly readable: gsutil iam ch allUsers:objectViewer gs://ex-bucket To grant multiple bindings to a bucket: gsutil iam ch user:john.doe@example.com:objectCreator \ domain:www.my-domain.org:objectViewer gs://ex-bucket To specify more than one role for a particular principal: gsutil iam ch user:john.doe@example.com:objectCreator,objectViewer \ gs://ex-bucket To specify a custom role for a particular principal: gsutil iam ch user:john.doe@example.com:roles/customRoleName gs://ex-bucket To apply a grant and simultaneously remove a binding to a bucket: gsutil iam ch -d group:readers@example.com:legacyBucketReader \ group:viewers@example.com:objectViewer gs://ex-bucket To remove a user from all roles on a bucket: gsutil iam ch -d user:john.doe@example.com gs://ex-bucket CH OPTIONS The ``ch`` sub-command has the following options: -d Removes roles granted to the specified principal. -R, -r Performs ``iam ch`` recursively to all objects under the specified bucket. This flag can only be set if the policy exclusively uses ``roles/storage.legacyObjectReader`` or ``roles/storage.legacyObjectOwner``. This flag cannot be used if the bucket is configured for uniform bucket-level access. -f The default gsutil error-handling mode is fail-fast. This flag changes the request to fail-silent mode. This is implicitly set when you invoke the gsutil ``-m`` option.  z a7 Cloud Identity and Access Management (Cloud IAM) allows you to control who has access to the resources in your Google Cloud project. For more information, see `Cloud Identity and Access Management `_. The iam command has three sub-commands: z [a-z]+://.+zTo change the IAM policy of a resource that has bindings containing conditions, perform a read-modify-write operation using "iam get" and "iam set".cJ[U5(aU(d [S5egg)Nz/Cannot operate on a mix of buckets and objects.)rr)urlsrecursion_requesteds %platform/gsutil/gslib/commands/iam.py*_RaiseErrorIfUrlsAreMixOfBucketsAndObjectsr1s%"4((1D L MM2E(c ~Uup4URURUVs/sHn[U5PM snUS9$s snfN thread_state)PatchIamHelperexpanded_storage_urlr%)cls iter_resultr6serialized_bindings_tuplesexpansion_resultts r0_PatchIamWrapperr>sO3>0  ++,FG,Fq",FG  !!Hs: cUup4URUR[R"[R U5US9$r4) SetIamHelperr8rdecode_messageapitools_messagesPolicy)r9r:r6serialized_policyr<s r0_SetIamWrapperrE sG*5'  ++0779JK  !!r2cLURR[U55 gNloggererrorstrr9es r0_SetIamExceptionHandlerrN**3q6r2cLURR[U55 grGrHrLs r0_PatchIamExceptionHandlerrQrOr2c^\rSrSrSr\R "S\S\SSSS\ R/\ R\ R"S5/\ R"S5\ R"5/\ R"5\ R"5/S .S 9 r\R""S/S S \\\\S .S 9rSrU4SjrSrSrS!SjrU4SjrS!SjrS!SjrS!SjrS!Sjr S!Sjr!\""\#SSS9S!Sj5r$Sr%Sr&Sr'S r(U=r)$)" IamCommandiz%Implementation of gsutil iam command.iamzafRrd:e:TF)getsetch) usage_synopsismin_argsmax_argssupported_sub_args file_url_okprovider_url_okurls_start_arggs_api_supportgs_default_apiargparse_arguments command_helpz9Get, set, or change bucket and/or object IAM permissions.) help_namehelp_name_aliases help_typehelp_one_line_summary help_textsubcommand_help_textcXUR(dUSR5(agg)Nrobjectsbuckets)r/IsObject)self url_patternss r0_get_resource_typeIamCommand._get_resource_typeDs# <?#;#;#=#=  r2c f>URRS5UlURS:Xa@[URS5R 5(aSnOSn[ SUSS/0S9nGOURS :XGa-[ /S Q[ S 5[ S 5[ S 5[ S5[ S5[ S5S.S9nUR5 URSSn[[[U55nSn[UR5H1unupxUS;aSnMUS:XdMUS:XdM"SURU'M3 [XE5 U(dUSR 5(aSURS'OSURS'X0RSS-UlOtURS:Xad[R"[ R""SSS55[RR$LaUR&R)S5 /$[*T U]YW5$)NrrWrlrmstorageget-iam-policy --format=json)gcloud_commandflag_maprX)rtNset-iam-policyrvz--all-versionsz--etagz--etag=z--continue-on-errorz --recursive)-a-e _empty_etag-f-R-rrVFrr~Tr{)r|rrYGSUtilhidden_shim_modenonez|The shim maps iam ch commands to several gcloud storage commands, which cannot be determined without running gcloud storage.)argspop sub_commandrrnr*r+ ParseSubOptslistmap enumeratesub_optsr1rwrHIDDEN_SHIM_MODEr rWDRY_RUNrIwarningsuperget_gcloud_storage_args) ro command_groupgcloud_storage_map url_strings url_objectsrecurseiflag_key flag_value __class__s r0r"IamCommand.get_gcloud_storage_argsJsyy}}Q'D 5 diil + 4 4 6 6! ! + ]$4o<689   U "+M%&67%h/.y9%&;<%m4%m4    IIabMk1;?@kg'0'? #! #h | #'  *"20$--  (@ 1F KN++--/8))!,/8))!, "1 -di  T !  # # **X1  !*!;!;!C!C D  J Ki 7 *+= >>r2cUR5(aQSUR-n[UR5R[S55(aUS- n[ U5eg)NzInvalid Cloud URL "%s".z-Rrfzz This resource handle looks like a flag, which must appear before all bindings. See "gsutil help iam ch" for more details.) IsFileUrl object_namerXissubsetr)rourl error_msgs r0_RaiseIfInvalidUrlIamCommand._RaiseIfInvalidUrls\ }}+coo=i S__  & &s6{ 3 3 O P  Y '' r2c :SUlSUl/nUR(aVURHFup#US;a SUlMUS:Xa SUlM#US:XdM+UR[ SU55 MH /n[ UR 5nUHn[RU5(a,[[U55(aURU5 OLUS:Xa'UR[ S[U555 MvUR[ SU55 M U(d [S5eUHnURU5 M [[[ U55n[#UUR5 X4$![a [S5ef=f)NFrTr}z-dz?A -d flag is missing an argument specifying bindings to remove.z"Must specify at least one binding.)continue_on_errorr/rappendr#iterrSTORAGE_URI_REGEXmatchrrnext StopIterationrrrrr1)ropatch_bindings_tuplesoaurl_pattern_stringsittokenrs r0_GetSettingsAndDiffsIamCommand._GetSettingsAndDiffss"D$D }}--$! %)$ " $Y#'$ $Y  & &';E1'E F   diiB  ! !% ( ( 1%8 9 9""5) $ Q  & &';E48'L M $$%9$%FG ! A BB  's/1DEFK.{/3/G/GI ! --! Q OQ Q Qs !$FFc lURU5up4[R"UUR5U[R[RSS9nUR S:waMUR (a'URRUR5 U$[UR5eU$)NT)envinputstderrstdouttextr) ._get_full_gcloud_storage_execution_information subprocessrun'_get_shim_command_environment_variablesPIPE returncoderrIrJrr)rorstdin_commandprocesss r0_run_ch_subprocessIamCommand._run_ch_subprocesssDDTJJAnn  8 8 :  GQ   '..) Nw~~.. Nr2c >URS:wa[TU] 5$UR5 UR 5upUR U5n/nUR (aURS5 SnUGHnURU5 US:XayUR/SQU-[U5/-5nUR(aSnMS[R"UR5nUV s/sHn U SS:XdMU S PM n n O [U5/n U GH"n URS US U S /5n U R(aSnM/[R"U R5n [R "U S 5nUH)unn[R "U5n[#UUU5nM+ [%[&R("U55VVs/sHunnU[%[+U55S.PM snnU S 'URS USU S/[R,"U SS9S9nUR(dGM SnGM% GM U$s sn fs snnf)NrYrrrl)rtlsz--jsonrVtype cloud_objectrrtrurvbindingsrolemembersry-T) sort_keys)r)rrrun_gcloud_storagerrrqr/rrrrKrjsonloadsrr"BindingsDictToUpdateDictr'sortedsix iteritemsrdumps)robindings_tuplespatterns resource_type list_settings return_code url_pattern ls_process ls_outputresourcer.r get_processpolicyris_grantdiff diff_dictrm set_processrs r0rIamCommand.run_gcloud_storages[ 4 W ' )) $ 9 9 ;O++H5MM 4 K  k* ) #,,-H-:.;>A+>N=O.PQ  + JJz001 & %>1 HUO%   K !#--  '7o NP  ! !+ K../66vj7IJ / Xt 99$?)"8YA(!0S]]84576dad1g 67z --  '7c B**Vt4.6   ! ! !+-' V A *7s2 I  I $I c[XS9nUR5(a)URURURSS/S9nU$UR URUR URURSS/S9nU$)aGets an IAM policy for a single, resolved bucket / object URL. Args: storage_url: A CloudUrl instance with no wildcards, pointing to a specific bucket or object. thread_state: CloudApiDelegator instance which is passed from command.WorkerThread.__init__() if the global -m flag is specified. Will use self.gsutil_api if thread_state is set to None. Returns: Policy instance. r5retag)providerfields) generationrr)rIsBucketGetBucketIamPolicy bucket_nameschemeGetObjectIamPolicyrr)ro storage_urlr6 gsutil_apirs r0 GetIamHelperIamCommand.GetIamHelpers%TEJ,,  ! !%%f%-f M,,  ! !  ! ! ++%%f% -f Mr2cURSn[URU5RS/S95nUR 5(a[ SU-5eUR 5(a[ U<SUR<S35e[[U5SR5nURXAS9n[R"[R"U55n[R "USS S S 9n[#U5 g ) z,Gets IAM policy for single bucket or object.rname)bucket_listing_fieldsz%s matched no URLsz8 matched more than one URL, which is not allowed by the z commandr5T),z: rU)r separatorsindentN)rrWildcardIteratorIterAllIsEmptyr HasPlurality command_namerr url_stringrrrrencode_messagerprint)ror6patternmatchesrr policy_json policy_strs r0_GetIamIamCommand._GetIam)siilG( g&..fX.NPG 1G; <<  1 1 3 44'tG}Q'7'B'BCK   {  FF**Y55f=>K J  *r2c[XS9nUR5(a&URURUURS9 gUR URUR UURURS9 g)a$Sets IAM policy for a single, resolved bucket / object URL. Args: storage_url: A CloudUrl instance with no wildcards, pointing to a specific bucket or object. policy: A Policy object to set on the bucket / object. thread_state: CloudApiDelegator instance which is passed from command.WorkerThread.__init__() if the -m flag is specified. Will use self.gsutil_api if thread_state is set to None. Raises: ServiceException passed from the API call if an HTTP error was returned. r5)r)rrN)rrSetBucketIamPolicyrrSetObjectIamPolicyrr)rorrr6rs r0_SetIamHelperInternal IamCommand._SetIamHelperInternalBs(%TEJ##K$;$;$*-8-?-?$A##K$;$;$/$;$;$*/:/E/E-8-?-? $Ar2cxURXUS9 g![a UR(a SUlgef=f)zDHandles the potential exception raised by the internal set function.r5FN)rr reverything_set_okay)rorrr6s r0r@IamCommand.SetIamHelpercs=   < P   #(  s "99cPURUUUS9 g![a UR(a SUlge[acnUR(a8SUlSUlUR RUR5 SnAg[UR5eSnAff=f)aPatches an IAM policy for a single, resolved bucket / object URL. The patch is applied by altering the policy from an IAM get request, and setting the new IAM with the specified etag. Because concurrent IAM set requests may alter the etag, we may need to retry this operation several times before success. Args: storage_url: A CloudUrl instance with no wildcards, pointing to a specific bucket or object. bindings_tuples: A list of BindingsTuple instances. thread_state: CloudApiDelegator instance which is passed from command.WorkerThread.__init__() if the -m flag is specified. Will use self.gsutil_api if thread_state is set to None. r5FTN) _PatchIamHelperInternalr rrr$tried_ch_on_resource_with_conditionsrIdebugmessager)rorrr6rMs r0r7IamCommand.PatchIamHelperms"* "";#20<#>   #(  1*  #( 481 !))$$qyy)) *s!"B% B%AB  B  B%g?)tries timeout_secsc URXS9nURURpeUHXnUR(dMSU-nUS- nUSR [ R "S[-55- n[U5e [U5n UHup[R"U5n [R"U 5n [XU 5n[R"U5VVs/sH-unn[R R#U[U5S9PM/ nnnM [%Xi5(aUR&R)SU5 g[R "XeS9nUR+XUS9 gs snnf)Nr5z"Could not patch IAM policy for %s.r,zfThe resource had conditions present in its IAM policy bindings, which is not supported by "iam ch". %srzNo changes made to %s)rr)rrr conditionjointextwrapwrap IAM_CH_CONDITIONS_WORKAROUND_MSGrrr"BindingsMessageToUpdateDictr'rrrBrCBindingsValueListEntryr&rIinfor)rorrr6rrrbindingr orig_bindingsrr bindings_dictrnew_bindings_dictrrs r0r"IamCommand._PatchIamHelperInternalst   {  FF V__8     6D4499 MM901 23 3 5W==NM+ <i' (K &789fq!  " " 9 9qBFq' : K8h ,x// kk. <  % %x CF  {Ns(4E5c UR5up/nUH]upE/nUH8n[RRUSUSS9nUR U5 M: UR [ XFS95 M_ SUlSUl/n UH|n U R5(aHUR(a$SU l U R U R5 MNURX5 MaU R U R5 M~ U (Ga3[UR UR"UR$UR&U URUR(UR*=(d UR,S/S 9 n [/UR UR"UR15U URUR(S 9n [2R4"UV s/sHn [7U 5PM sn 5nUR9[:[=X5[>UR*(+U S 9 U=R [A5S :+-slUR (dRS nUR(a4US- nUSRC[DRF"S[H-55- n[KU5eg![a URU 5 GM>f=fs sn f)Nrr)rr)rrTF*r all_versionsrrr. fail_on_errorseek_ahead_iteratorrz'Some IAM policies could not be patched.r,zjSome resources had conditions present in their IAM policy bindings, which is not supported by "iam ch". %s)&rrBrCr$rr$rrrr/objectrr7AttributeErrorrrrrrIrr.rparallel_operationsrGetSeekAheadGsutilApi itertoolsrepeatr(Applyr>rrQrrr r!r"r)roraw_bindings_tuplesrprrrbindings_messagesr&bindings_messagethreaded_wildcardssurlname_expansion_iteratorr2r=serialized_bindings_tuples_itmsgs r0 _PatchIamIamCommand._PatchIams(,(A(A(C%1',33JJI&WV_K>  !12""  FH 2 $D05D- & ==??  % %DK  % %doo 6    <  # #DOO 4 5    ** ++ //   " "(( 22Nd6N6N!' !*;    **  $ $ &   " "(( *'0&6&6.C D.C !! $.C D'F# jj!2L*#'#9#99%8 :  o&7!";;  # # 5c 2 2 t  tyy MMC13 45 5 S !! $E& %%&0 Es%AJ)J)+J)K )K K c SUlSUlSUlSnSnUR(agURHWup4US;a SUlMUS:Xa SUlM#US:Xa SUlM2US:Xa[ U5nSnMGUR 5 MY UR SnUR S S n[US 5n[R"UR55nS S S 5 WR!S/5n U(dUR!SS5n[R""U U[$S.5n [&R("[*R,U 5nSUl/n [3[5[6U55n [9XR5 U Hn[;UR<5 UR?5(aHUR(a$SUl U RCUR<5 MbUREX5 MuU RCUR<5 M U (Ga.[GURHURURURJU URURUR=(d URLS/S9 n[OURHURURQ5U URURS9n[RRT"[&RV"U55nURY[Z[]UU5[^UR(+US9 U=R0[a5S:+-slUR0(d [cS5eg !,(df  GN=f![a [S U-5e[a/n URRS U 5 [SU-5eS n A ff=f![.a [SU<SU<S35ef=f)z7Set IAM policy for given wildcards on the command line.FrrTr}rzr{rrVNrz.Specified IAM policy file "%s" does not exist.z'Invalid IAM policy file, ValueError: %szInvalid IAM policy file "%s".rr)rrversionzInvalid IAM policy file "z " or etag "z".r,rr-r/r0z#Some IAM policies could not be set.)2rr/r.rrKRaiseInvalidArgumentExceptionropenrrreadIOErrorr ValueErrorrIrrWrr rrArBrCr rrrrr1rrrrrr@rrrr5rr6r7r8rr9rErrNrr)ro force_etagrrargfile_urlrfprrMrrr=surlsr>r?r2 policy_its r0_SetIamIamCommand._SetIamsp#D$DDJ D }}MM&! %)$ " $Y#'$ $Y"$  $YS$*  , , ."yy|Hyy}HJ # "BGGI& zz*b)H  ZZ #d**%K 0''(9(@(@+Nf $D )84 5E.u6N6NO DOO   # # $   # #DOO 4   D )!!$//2" 5    ** ++ //   " "(( 22Nd6N6N!' !*;    **  $ $ &   " "(( *""9#;#;F#CDi jjY 78(#'#9#99%8 :  o&7!";;  # # B CC $_   ( N&' (( J kkBAF =H IIJ 0 '/ 000sB1 N =%M9"N 4%O9 NN N !O,*OOO=cURRS5nURSS9 [URS9 SUlUS:Xa[U/S9 UR 5 gUS:Xa[U/S9 UR5 gUS :Xa[U/S9 UR5 g[S U<S UR<S 35e) z(Command entry point for the acl command.rT) check_args)rFrW) subcommandsrXrYzInvalid subcommand "z " for the z command. See "gsutil help iam".) rrrrrdef_aclr rQrBrr)roaction_subcommands r0 RunCommandIamCommand.RunCommandvs a(&dmm,DLE!$5#67 lln  e #$5#67 lln  d "$5#67 nn /1B1BD EEr2)r.rrrVrr/rrrG)*__name__ __module__ __qualname____firstlineno____doc__rCreateCommandSpec _SYNOPSISr!rJSONrMakeNCloudURLsArgumentMakeNFileURLsArgumentMakeZeroOrMoreCloudURLsArgumentMakeOneOrMoreBindingsArgument command_specHelpSpec_DETAILED_HELP_TEXT_get_help_text_set_help_text _ch_help_text help_specrqrrrrrrr rr@r7r)r rrBrQrX__static_attributes__ __classcell__)rs@r0rSrSsC-** #!&&' %%!88;=33A6==? ;;===? ,0 E# ) 6?p(/.b$8tB2AB *D ac:,0-O;-O^E"RlD\  r2rS)_r^ __future__rrrrr7rosrerr r six.movesrapitools.base.protorpcliter#apitools.base.protorpclite.messagesr botor gslib.cloud_apir r r gslib.commandrrgslib.command_argumentrgslib.cs_api_maprgslib.exceptionrrgslib.help_providerr gslib.metricsrgslib.name_expansionrr"gslib.plurality_checkable_iteratorrgslib.storage_urlrrrr"gslib.third_party.storage_apitoolsrrB gslib.utilsrgslib.utils.cloud_api_helperrgslib.utils.constantsr r!r"gslib.utils.iam_helperr#r$r%r&r'r(gslib.utils.retry_utilr)gslib.utils.shim_utilr*r+ _SET_SYNOPSIS _GET_SYNOPSIS _CH_SYNOPSIS_GET_DESCRIPTION_SET_DESCRIPTION_CH_DESCRIPTIONlstripr`r _DESCRIPTIONrhrirjrkcompilerr"r1r>rErNrQrSr2r0rs?&%'  0;-1,!)2(,B.*6?I4.2;W!<4("70;209(23   * )VCJ]11$7 7   &')/0  ii!#3_EFG %Y = /?@ /?@|_= JJ~.! N !!p  p  r2