From 2041a7c3c2768f22a4b8c08b775cb18591a85069 Mon Sep 17 00:00:00 2001 
From: ThilinaManamgoda Date: Tue, 21 Nov 2023 14:16:33 +0530 Subject: [PATCH] Initial Helm chart resources for version 7.0.0 --- .helmignore | 25 + CHANGELOG.md | 14 +- Chart.yaml | 22 + README.md | 570 ++- advanced/databases/mysql-is/Chart.yaml | 19 - advanced/databases/mysql-is/requirements.yaml | 17 - advanced/databases/mysql-is/values.yaml | 2089 ----------- advanced/is-pattern-1/Chart.yaml | 20 - advanced/is-pattern-1/README.md | 295 -- advanced/is-pattern-1/auth.json | 10 - advanced/is-pattern-1/requirements.yaml | 19 - advanced/is-pattern-1/templates/NOTES.txt | 32 - advanced/is-pattern-1/templates/_helpers.tpl | 82 - .../wso2is-pattern-1-identity-server-bin.yaml | 356 -- ...wso2is-pattern-1-identity-server-conf.yaml | 99 - ...2is-pattern-1-identity-server-ingress.yaml | 42 - ...pattern-1-identity-server-statefulset.yaml | 235 -- ...ttern-1-identity-server-volume-claims.yaml | 45 - .../is/wso2is-pattern-1-identity-service.yaml | 40 - .../wso2is-pattern-1-c4-logstash-conf.yaml | 72 - ...attern-1-logstash-elasticsearch-creds.yaml | 25 - .../wso2is-pattern-1-logstash-yml.yaml | 25 - ...ntity-server-conf-prometheus-exporter.yaml | 28 - ...r-prometheus-blackbox-service-monitor.yaml | 56 - ...tity-server-prometheus-serviceMonitor.yaml | 36 - .../templates/wso2is-pattern-1-rbac.yaml | 39 - .../templates/wso2is-pattern-1-secrets.yaml | 30 - .../wso2is-pattern-1-service-account.yaml | 19 - advanced/is-pattern-1/values.yaml | 155 - confs/auth.json | 10 + confs/deployment.toml | 372 ++ confs/log4j2.properties | 403 +++ confs/secret-conf.properties | 29 + confs/thrift-authentication.xml | 45 + images/architecture.png | Bin 0 -> 33120 bytes simple/README.md | 51 - simple/basic-k8s/namespace.yaml | 9 - simple/basic-k8s/secret.yaml | 10 - simple/basic-k8s/svcaccount.yaml | 7 - simple/create.sh | 95 - simple/deployment-scripts/wso2is-latest.sh | 3117 ----------------- simple/eulatxt | 534 --- simple/funcs | 303 -- simple/funcs4opensource | 239 -- 
simple/is-k8s/identity-server-conf.yaml | 48 - simple/is-k8s/identity-server-deployment.yaml | 109 - simple/is-k8s/identity-server-service.yaml | 27 - simple/mysql-k8s/mysql-conf-db.yaml | 1933 ---------- simple/mysql-k8s/mysql-deployment.yaml | 60 - simple/mysql-k8s/mysql-service.yaml | 16 - simple/wso2is-simplified.png | Bin 149775 -> 0 bytes templates/NOTES.txt | 5 + templates/_helpers.tpl | 69 + templates/cm-deployment-toml.yaml | 23 + templates/cm-entrypoint.yaml | 64 + templates/cm-log4j2-properties.yaml | 23 + templates/cm-secret-config-properties.yaml | 25 + templates/cm-thrift-authentication-xml.yaml | 23 + templates/deployment.yaml | 235 ++ templates/hpa.yaml | 32 + templates/ingress.yaml | 42 + templates/pdb.yaml | 28 + templates/pv.yaml | 43 + templates/pvc.yaml | 33 + templates/rbac.yaml | 49 + templates/secret-image-pull.yaml | 33 + templates/secret-provider-class.yaml | 38 + templates/svc.yaml | 29 + values.yaml | 481 +++ 69 files changed, 2737 insertions(+), 10471 deletions(-) create mode 100644 .helmignore create mode 100644 Chart.yaml delete mode 100755 advanced/databases/mysql-is/Chart.yaml delete mode 100644 advanced/databases/mysql-is/requirements.yaml delete mode 100644 advanced/databases/mysql-is/values.yaml delete mode 100755 advanced/is-pattern-1/Chart.yaml delete mode 100644 advanced/is-pattern-1/README.md delete mode 100644 advanced/is-pattern-1/auth.json delete mode 100644 advanced/is-pattern-1/requirements.yaml delete mode 100644 advanced/is-pattern-1/templates/NOTES.txt delete mode 100644 advanced/is-pattern-1/templates/_helpers.tpl delete mode 100644 advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-bin.yaml delete mode 100644 advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-conf.yaml delete mode 100644 advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-ingress.yaml delete mode 100755 advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-statefulset.yaml delete mode 
100644 advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-volume-claims.yaml delete mode 100644 advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-service.yaml delete mode 100644 advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-c4-logstash-conf.yaml delete mode 100644 advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-elasticsearch-creds.yaml delete mode 100644 advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-yml.yaml delete mode 100644 advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-conf-prometheus-exporter.yaml delete mode 100644 advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-blackbox-service-monitor.yaml delete mode 100644 advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-serviceMonitor.yaml delete mode 100644 advanced/is-pattern-1/templates/wso2is-pattern-1-rbac.yaml delete mode 100644 advanced/is-pattern-1/templates/wso2is-pattern-1-secrets.yaml delete mode 100644 advanced/is-pattern-1/templates/wso2is-pattern-1-service-account.yaml delete mode 100644 advanced/is-pattern-1/values.yaml create mode 100644 confs/auth.json create mode 100644 confs/deployment.toml create mode 100644 confs/log4j2.properties create mode 100644 confs/secret-conf.properties create mode 100644 confs/thrift-authentication.xml create mode 100644 images/architecture.png delete mode 100644 simple/README.md delete mode 100644 simple/basic-k8s/namespace.yaml delete mode 100644 simple/basic-k8s/secret.yaml delete mode 100644 simple/basic-k8s/svcaccount.yaml delete mode 100755 simple/create.sh delete mode 100755 simple/deployment-scripts/wso2is-latest.sh delete mode 100644 simple/eulatxt delete mode 100644 simple/funcs delete mode 100644 simple/funcs4opensource delete mode 100644 simple/is-k8s/identity-server-conf.yaml delete mode 100644 simple/is-k8s/identity-server-deployment.yaml delete mode 100644 
simple/is-k8s/identity-server-service.yaml delete mode 100644 simple/mysql-k8s/mysql-conf-db.yaml delete mode 100644 simple/mysql-k8s/mysql-deployment.yaml delete mode 100644 simple/mysql-k8s/mysql-service.yaml delete mode 100644 simple/wso2is-simplified.png create mode 100644 templates/NOTES.txt create mode 100644 templates/_helpers.tpl create mode 100644 templates/cm-deployment-toml.yaml create mode 100644 templates/cm-entrypoint.yaml create mode 100644 templates/cm-log4j2-properties.yaml create mode 100644 templates/cm-secret-config-properties.yaml create mode 100644 templates/cm-thrift-authentication-xml.yaml create mode 100644 templates/deployment.yaml create mode 100644 templates/hpa.yaml create mode 100644 templates/ingress.yaml create mode 100644 templates/pdb.yaml create mode 100644 templates/pv.yaml create mode 100644 templates/pvc.yaml create mode 100644 templates/rbac.yaml create mode 100644 templates/secret-image-pull.yaml create mode 100644 templates/secret-provider-class.yaml create mode 100644 templates/svc.yaml create mode 100644 values.yaml
diff --git a/.helmignore b/.helmignore
new file mode 100644
index 00000000..34a88700
--- /dev/null
+++ b/.helmignore
@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*.md
+*.png
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e8dde6ac..68cc15ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,19 +1,11 @@
 # Changelog
-All notable changes to Kubernetes and Helm resources for WSO2 IAM version `6.1.x` in each resource release, will be documented in this file.
+All notable changes to Kubernetes and Helm resources for WSO2 IAM version `7.0.x` in each resource release, will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
-## [v6.1.0.1] - 2023-02-01
+## [v7.0.0-1] - 2024-03-12
 ### Added
-- Introduce Kubernetes resources for simplified deployment of WSO2 Identity Server version `6.1.0`.
-
-### Changed
-
-- User store is changed from `read_write_ldap_unique_id` to `database_unique_id`.
-
-### Removed
-
-- The open source image is not offered anymore.
+- Introduce Helm resources for WSO2 Identity Server version `7.0.0`.
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 00000000..92f9fcba
--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,22 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: v2
+name: identity-server
+description: A Helm chart for WSO2 Identity server
+type: application
+version: 7.0.0-1
+appVersion: "7.0.0"
diff --git a/README.md b/README.md
index 5b874abb..097f9592 100644
--- a/README.md
+++ b/README.md
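Review bot: Chart.yaml carries no `kubeVersion` constraint, while the README in the same commit lists only Kubernetes v1.27.x as compatible and requires `policy/v1` and `networking.k8s.io/v1` kinds; without it Helm renders the chart against any cluster and the mismatch surfaces only when the API server rejects the manifests. Adding `kubeVersion: ">= 1.27.0-0"` next to `apiVersion: v2` makes the install fail early with a clear message. The `home`, `sources` and `maintainers` fields are also absent, which matters here because `.helmignore` strips `*.md` from the package, so the installed chart carries no pointer back to the repository or to whom to contact about it.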
@@ -1,31 +1,567 @@ -#### ⚠️ DISCLAIMER +# identity-server -Use these artefacts as a reference to build your deployment artefacts. Existing artefacts only developed to demonstrate a reference deployment and should not be used as is in production +A Helm chart for WSO2 Identity server. This Helm chart can be used to deploy highly available and scalable WSO2 identity server deployment. +___ +From this Helm chart, WSO2 Identity server pods are deployed and exposed through Kubernetes ingress resource. Also in advanced setup, you can configure, Kubernetes persistence volume for sharing runtime artifacts, Kubernetes secret provider class for securing secrets, +Kubernetes horizontal pod autoscaling(HPA) and Kubernetes pod disruption budget(PDB). Additionally, pod affinity is configured to increase the high availability. ------------------------------------------------------------------- +![](images/architecture.png) +___ -# Kubernetes and Helm Resources for WSO2 Identity And Access Management +## Required permission +User or service principle who installs the Helm chart, needs to possess actions `"create", "get", "list", "update", "delete"` on following K8s kinds, -*Kubernetes and Helm Resources for container-based deployments of WSO2 Identity Server deployment patterns.* +| Kind | API Version | +|-------------------------|----------------------------------| +| ConfigMap | v1 | +| Deployment | apps/v1 | +| HorizontalPodAutoscaler | autoscaling/v1 | +| Ingress | networking.k8s.io/v1 | +| PersistentVolume | v1 | +| PersistentVolumeClaim | v1 | +| PodDisruptionBudget | policy/v1 | +| Role | rbac.authorization.k8s.io/v1 | +| RoleBinding | rbac.authorization.k8s.io/v1 | +| SecretProviderClass | secrets-store.csi.x-k8s.io/v1 | +| Service | v1 | +| ServiceAccount | v1 | +| Secret | v1 | -* A clustered deployment of WSO2 Identity Server -## Deploy Kubernetes resources +# Quick Start Guide -In order to deploy Kubernetes resources for each deployment pattern, follow the **Quick 
Start Guide** for each deployment pattern -given below: +--- +### Prerequisites +* Kubernetes ingress controller. Default integration is [Kubernetes Nginx ingress controller](https://github.com/kubernetes/ingress-nginx). +* An active [WSO2 Subscription](https://wso2.com/subscription). +--- -### Simple +1. Add the WSO2 Helm chart repository. -* [A Simplified Setup for WSO2 Identity Server](simple/README.md) +```shell +helm repo add wso2 https://helm.wso2.com && helm repo update +``` -## Deploy Helm resources +2. Set up environment variables -In order to deploy Helm resources for each deployment pattern, follow the **Quick Start Guide** for each deployment pattern -given below: +```shell +export NAMESPACE= +export RELEASE_NAME= +export WSO2_USERNAME= +export WSO2_PASSWORD= +``` +3. Create Kubernetes namespace -* [A clustered deployment of WSO2 Identity Server](advanced/is-pattern-1/README.md) +```shell +kubectl get namespace ${NAMESPACE} || kubectl create namespace ${NAMESPACE} +``` +4. Install Helm chart from Helm repository -## Changelog +```shell + helm install "$RELEASE_NAME" wso2/identity-server --version 7.0.0-1 -n "${NAMESPACE}" \ + --set wso2.subscription.username="$WSO2_USERNAME" \ + --set wso2.subscription.password="$WSO2_PASSWORD" +``` -**Change log** from previous release: [View Here](CHANGELOG.md) +#### Install Chart From Source + +>In the context of this document,
+>* `KUBERNETES_HOME` will refer to a local copy of the [`wso2/kubernetes-is`](https://github.com/wso2/kubernetes-is/) + Git repository.
+ +##### Clone the Helm Resources for WSO2 Identity Server Git repository. + +``` +git clone https://github.com/wso2/kubernetes-is.git +``` + +```shell + helm install "$RELEASE_NAME" -n "${NAMESPACE}" . \ + --set wso2.subscription.username="$WSO2_USERNAME" \ + --set wso2.subscription.password="$WSO2_PASSWORD" +``` + + +5. Obtain the external IP + +Obtain the external IP (`EXTERNAL-IP`) of the Identity Server Ingress resource, by listing down the Kubernetes Ingresses. + +``` +kubectl get ing -n "$NAMESPACE" +``` + +The output under the relevant column stands for the following. + +- NAME: Metadata name of the Kubernetes Ingress resource +- HOSTS: Hostname of the WSO2 Identity service +- ADDRESS: External IP (`EXTERNAL-IP`) exposing the Identity service to outside of the Kubernetes environment +- PORTS: Externally exposed service ports of the Identity service + +6. Add a DNS record mapping the hostname and the external IP + +If the defined hostname (in the previous step) is backed by a DNS service, add a DNS record mapping the hostname and +the external IP (`EXTERNAL-IP`) in the relevant DNS service. + +If the defined hostname is not backed by a DNS service, for the purpose of evaluation you may add an entry mapping the +hostname and the external IP in the `/etc/hosts` file at the client-side. + +``` + +``` + +### 4. Access Management Console, Console and My Account + +- Identity Server's Carbon Management Console: `https:///carbon` +- Identity Server's Console: `https:///console` +- Identity Server's My Account: `https:///myaccount` + + +# Advance setup + +## Install Helm chart on Azure Kubernetes service(AKS) + +--- +### Prerequisites +* [Azure Kubernetes Service(AKS) with ACR integration](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli). +* Kubernetes ingress controller. Default integration is [Kubernetes Nginx ingress controller](https://github.com/kubernetes/ingress-nginx). 
+* [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/introduction) and [secrets-store-csi-driver-provider-azure](https://github.com/Azure/secrets-store-csi-driver-provider-azure) to integrate secure vault. +* If artifact persistence is enabled; [Azure Storage account](https://learn.microsoft.com/en-us/azure/aks/azure-csi-files-storage-provision) to cater persistence volume type `ReadWriteMany` [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) and a share `is-share` under the Azure storage account. +* [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/overview) to integrate secure vault. +* Pre-configured RDBMS. Please refer to [documentation](https://is.docs.wso2.com/en/latest/deploy/set-up-separate-databases-for-clustering/#!) on setting up databases. In the following guide uses Azure MSQL database server. +* [Azure container registry](https://azure.microsoft.com/en-us/products/container-registry) where the identity server Docker image is hosted. + +> To set up the infrastructure layer you can use [WSO2 Terraform modules](https://github.com/wso2/iac-azure-wso2-products) +--- + +1. Create Kubernetes namespace + +```shell +export NAMESPACE= +``` +```shell +kubectl get namespace ${NAMESPACE} || kubectl create namespace ${NAMESPACE} +``` + +3. Create a Kubernetes TLS secret for SSL termination at ingress controller. For this you need possess the SSL certificate and the key, + +```shell +kubectl create secret tls is-tls \ +--cert=path/to/cert/file \ +--key=path/to/key/file \ +-n ${NAMESPACE} +``` + +4. Create a Kubernetes secret for keystore files. It is required to have four Java keystore files for the deployment. Please refer to the [documentation](https://is.docs.wso2.com/en/latest/deploy/security/configure-keystores-in-wso2-products/#configure-keystores) for more details and how to create key stores. 
+ + * Internal keystore(internal.jks): The key store which is used for encrypting/decrypting internal data + * Primary keystore(primary.jks): Certificates used for signing messages that are communicated with external parties(such SAML, OIDC id_token signing) + * TLS keystore(tls.jks): The key store which is used for tls communication. + * Client truststore(client-truststore.jks): Certificates of trusted third parties + +```shell +kubectl create secret generic keystores \ +--from-file=internal.jks \ +--from-file=primary.jks \ +--from-file=tls.jks \ +--from-file=client-truststore.jks \ +-n ${NAMESPACE} +``` + +5. Create [Azure storage account secret](https://learn.microsoft.com/en-us/azure/aks/azure-csi-files-storage-provision#create-a-kubernetes-secret) for persistence volume. + + Replace `` with Azure storage account name and `` with Azure storage account access key. + +```shell +export AZURE_STORAGE_NAME='' +export AZURE_STORAGE_KEY='' +``` + +```shell +kubectl create secret generic azure-storage-csi \ +--from-literal=azurestorageaccountname="${AZURE_STORAGE_NAME}" \ +--from-literal=azurestorageaccountkey="${AZURE_STORAGE_KEY}" \ +-n ${NAMESPACE} +``` + +6. Configure Azure key vault + + - Add `internal.jks` keystore password as the secret with the name `INTERNAL-KEYSTORE-PASSWORD-DECRYPTED`. Replace `` with Azure Key vault name, `` with Azure subscription ID and `` with internal keystore(`internal.jks`) password. 
+ + ```shell + export AZURE_KEY_VAULT_NAME='' + export AZURE_SUBSCRIPTION_ID='' + export INTERNAL_KEYSTORE_PASSWORD_DECRYPTED='' + ``` + + ```shell + az login + az account set -s "${AZURE_SUBSCRIPTION_ID}" + az keyvault secret set --vault-name "${AZURE_KEY_VAULT_NAME}" --name "INTERNAL-KEYSTORE-PASSWORD-DECRYPTED" --value "${INTERNAL_KEYSTORE_PASSWORD_DECRYPTED}" + ``` + + - Create a Kubernetes secret to hold service principal credentials to access keyvault for [secrets-store-csi-driver-provider-azure](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/). + + Replace `` with Azure active directory service principle application ID and `` with Azure active directory service principle application secret + + ```shell + export AZURE_KEY_VAULT_SP_APP_ID='' + export AZURE_KEY_VAULT_SP_APP_SECRET='' + ``` + + ```shell + kubectl create secret generic azure-kv-secret-store-sp \ + --from-literal=clientid="${AZURE_KEY_VAULT_SP_APP_ID}" \ + --from-literal=clientsecret="${AZURE_KEY_VAULT_SP_APP_SECRET}" \ + -n ${NAMESPACE} + ``` + +7. Encrypt secrets using WSO2 secure vault encryption + + Following set of secure vault encrypted secrets are required for the deployment, please follow the [guideline](https://is.docs.wso2.com/en/latest/deploy/security/encrypt-passwords-with-cipher-tool/) to encrypt secrets using WSO2 secure vault encryption. Make sure to use previously created `internal.jks` keystore for the WSO2 secure vault encryption. 
+ +```shell +export DATABASE_IDENTITY_ENCRYPTED_USER='' +export DATABASE_IDENTITY_ENCRYPTED_PASSWORD='' +export DATABASE_SHARED_ENCRYPTED_USER='' +export DATABASE_SHARED_ENCRYPTED_PASSWORD='' +export DATABASE_USER_ENCRYPTED_USER='' +export DATABASE_USER_ENCRYPTED_PASSWORD='' +export DATABASE_CONSENT_ENCRYPTED_USER='' +export DATABASE_CONSENT_ENCRYPTED_PASSWORD='' +export KEYSTORE_INTERNAL_ENCRYPTED_PASSWORD='' +export KEYSTORE_INTERNAL_ENCRYPTED_KEY_PASSWORD='' +export KEYSTORE_PRIMARY_ENCRYPTED_PASSWORD='' +export KEYSTORE_PRIMARY_ENCRYPTED_KEY_PASSWORD='' +export KEYSTORE_TLS_ENCRYPTED_PASSWORD='' +export KEYSTORE_TLS_ENCRYPTED_KEY_PASSWORD='' +export SUPER_ADMIN_ENCRYPTED_USERNAME='' +export SUPER_ADMIN_ENCRYPTED_PASSWORD='' +export TRUSTSTORE_ENCRYPTED_PASSWORD='' +export IDENTITY_AUTH_FRAMEWORK_ENDPOINT_ENCRYPTED_APP_PASSWORD='' +export SYMMETRIC_ENCRYPTED_KEY='' +``` + +8. Install Helm chart + +Add the WSO2 Helm chart repository. + +```shell +helm repo add wso2 https://helm.wso2.com && helm repo update +``` + +Replace `<>` places holders with values as below, + +* ****: Azure container register(ACR) hostname +* ****: Azure container register(ACR) identity server image repository name +* ****: Azure container register(ACR) identity server image digest +* ****: Azure tenant ID of Azure Key vault +* ****: Azure Key vault name +* ****: Azure resource group name of Key vault +* ****: Azure application ID created under step 6 +* ****: Identity database JDBC URL +* ****: Shared database JDBC URL +* ****: User database JDBC URL +* ****: Consent database JDBC URL +* ****: Identity server public hostname +* ****: Hash value of app password +* ****: Azure subscription ID +* ****: Helm release name for the deployment + + ```shell +export IMAGE_REGISTRY_HOSTNAME='' +export IMAGE_REPOSITORY_NAME='' +export IMAGE_DIGEST='' +export AZURE_TENANT_ID='' +export AZURE_KEY_VAULT_NAME='' +export AZURE_KEY_VAULT_RG='' +export AZURE_KEY_VAULT_SP_APP_ID='' +export 
DATABASE_IDENTITY_URL='' +export DATABASE_SHARED_URL='' +export DATABASE_USER_URL='' +export DATABASE_CONSENT_URL='' +export IS_HOSTNAME='' +export ACCOUNT_RECOVERY_ENDPOINT_AUTH_HASH='' +export NAMESPACE='' +export AZURE_SUBSCRIPTION_ID='' +export RELEASE_NAME='' +``` + +```shell +helm install "$RELEASE_NAME" wso2/identity-server --version 7.0.0-1 -n "${NAMESPACE}" \ +--set deployment.image.registry="${IMAGE_REGISTRY_HOSTNAME}" \ +--set deployment.image.repository="${IMAGE_REPOSITORY_NAME}" \ +--set deployment.image.digest="${IMAGE_DIGEST}" \ +--set deployment.ingress.hostName="${IS_HOSTNAME}" \ +--set deploymentToml.account.recovery.endpoint.auth.hash="${ACCOUNT_RECOVERY_ENDPOINT_AUTH_HASH}" \ +--set deploymentToml.database.identity.url="${DATABASE_IDENTITY_URL}" \ +--set deploymentToml.database.identity.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \ +--set deploymentToml.database.identity.type="mssql" \ +--set deploymentToml.database.identity.username="${DATABASE_IDENTITY_ENCRYPTED_USER}" \ +--set deploymentToml.database.identity.password="${DATABASE_IDENTITY_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.database.shared.url="${DATABASE_SHARED_URL}" \ +--set deploymentToml.database.shared.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \ +--set deploymentToml.database.shared.type="mssql" \ +--set deploymentToml.database.shared.username="${DATABASE_SHARED_ENCRYPTED_USER}" \ +--set deploymentToml.database.shared.password="${DATABASE_SHARED_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.database.user.url="${DATABASE_USER_URL}" \ +--set deploymentToml.database.user.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \ +--set deploymentToml.database.user.type="mssql" \ +--set deploymentToml.database.user.username="${DATABASE_USER_ENCRYPTED_USER}" \ +--set deploymentToml.database.user.password="${DATABASE_USER_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.database.consent.url="${DATABASE_CONSENT_URL}" \ +--set 
deploymentToml.database.consent.driver="com.microsoft.sqlserver.jdbc.SQLServerDriver" \ +--set deploymentToml.database.consent.type="msql" \ +--set deploymentToml.database.consent.username="${DATABASE_CONSENT_ENCRYPTED_USER}" \ +--set deploymentToml.database.consent.password="${DATABASE_CONSENT_ENCRYPTED_PASSWORD}" \ +--set deployment.externalJKS.enabled=true \ +--set deploymentToml.keystore.internal.fileName="internal.jks" \ +--set deploymentToml.keystore.internal.password="${KEYSTORE_INTERNAL_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.keystore.internal.keyPassword="${KEYSTORE_INTERNAL_ENCRYPTED_KEY_PASSWORD}" \ +--set deploymentToml.keystore.primary.fileName="primary.jks" \ +--set deploymentToml.keystore.primary.password="${KEYSTORE_PRIMARY_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.keystore.primary.keyPassword="${KEYSTORE_PRIMARY_ENCRYPTED_KEY_PASSWORD}" \ +--set deploymentToml.keystore.tls.fileName="tls.jks" \ +--set deploymentToml.keystore.tls.password="${KEYSTORE_TLS_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.keystore.tls.keyPassword="${KEYSTORE_TLS_ENCRYPTED_KEY_PASSWORD}" \ +--set deploymentToml.superAdmin.password="${SUPER_ADMIN_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.superAdmin.username="${SUPER_ADMIN_ENCRYPTED_USERNAME}" \ +--set deploymentToml.truststore.password="${TRUSTSTORE_ENCRYPTED_PASSWORD}" \ +--set deploymentToml.identity.authFramework.endpoint.appPassword="${IDENTITY_AUTH_FRAMEWORK_ENDPOINT_ENCRYPTED_APP_PASSWORD}" \ +--set deploymentToml.encryption.key="${SYMMETRIC_ENCRYPTED_KEY}" \ +--set deployment.secretStore.enabled=true \ +--set deployment.secretStore.azure.keyVault.name="${AZURE_KEY_VAULT_NAME}" \ +--set deployment.secretStore.azure.keyVault.resourceGroup="${AZURE_KEY_VAULT_RG}" \ +--set deployment.secretStore.azure.keyVault.resourceGroup="${AZURE_KEY_VAULT_RG}" \ +--set deployment.secretStore.azure.keyVault.servicePrincipalAppID="${AZURE_KEY_VAULT_SP_APP_ID}" \ +--set 
deployment.secretStore.azure.keyVault.subscriptionId="${AZURE_SUBSCRIPTION_ID}" \ +--set deployment.secretStore.azure.keyVault.tenantId="${AZURE_TENANT_ID}" \ +--set deployment.persistence.enabled=true +``` + + > If it is required to add additional configuration other than what are parameterised in `deployment.toml` file, you can override the Helm value `deploymentToml.extraConfigs` +## Compatibility + +| Kubernetes Version | Helm Version | Secrets Store CSI Driver Version | Compatibility Notes | +|--------------------|--------------|----------------------------------|--------------------------------------| +| v1.27.x | v3.xx | v1.3.0 | Fully compatible. | + +## Values + + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| deployment.apparmor.profile | string | `"runtime/default"` | Apparmor profile | +| deployment.buildVersion | string | `"7.0.0"` | Product version | +| deployment.enableCorrelationLogs | bool | `false` | Enable correlation logs | +| deployment.externalJKS.enabled | bool | `false` | Mount external keystore and trustores | +| deployment.externalJKS.secretName | string | `"keystores"` | K8s secret name which contains JKS files | +| deployment.extraVolumeMounts | list | `[]` | Additional volumeMounts to the pods. All the configuration mounts should be done under the path "/home/wso2carbon/wso2-config-volume/" | +| deployment.extraVolumes | list | `[]` | Additional volumes to the pod. | +| deployment.hpa.averageUtilizationCPU | int | `65` | Average CPU utilization for HPA | +| deployment.hpa.averageUtilizationMemory | int | `75` | averageUtilizationMemory parameter should be greater than 75 if not un expected scaling will happen during rolling update. 
| +| deployment.hpa.enabled | bool | `false` | Enable HPA for the deployment | +| deployment.hpa.maxReplicas | int | `2` | Max replica count for HPA(Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | +| deployment.image.digest | string | `""` | Container image digest | +| deployment.image.imagePullSecret | string | `""` | image pull secret name | +| deployment.image.pullPolicy | string | `"Always"` | Refer to the Kubernetes documentation on updating images (Ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images) | +| deployment.image.registry | string | `"docker.wso2.com"` | Container image registry host name | +| deployment.image.repository | string | `"wso2is"` | Container image repository name | +| deployment.image.tag | string | `"7.0.0"` | Container image tag. Either "tag" or "digest" should defined | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/affinity" | string | `"cookie"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"HTTPS"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/force-ssl-redirect" | string | `"true"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size" | string | `"64k"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering" | string | `"on"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none" | string | `"true"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-hash" | string | `"sha1"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-name" | string | `"paf"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-path" | string | `"/"` | | +| deployment.ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-samesite" | string | `"None"` | | +| deployment.ingress.enableNginxRateLimit | 
bool | `false` | Enable Nginx rate limiting |
+| deployment.ingress.hostName | string | `"wso2is.com"` | Host name of the Identity server as Key Manager |
+| deployment.ingress.ingressClassName | string | `"nginx"` | Ingress class name |
+| deployment.ingress.tlsSecretsName | string | `"is-tls"` | K8s TLS secret for configured hostname |
+| deployment.livenessProbe | object | `{"periodSeconds":10}` | Indicates whether the container is running |
+| deployment.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the probe |
+| deployment.pdb.minAvailable | string | `"50%"` | Minimum availability for PDB |
+| deployment.persistence.azure.enabled | bool | `true` | Enable persistence for artifact sharing using Azure file share |
+| deployment.persistence.azure.fileShare | string | `"is-share"` | Names of Azure File shares for persisted data |
+| deployment.persistence.azure.secretName | string | `"azure-storage-csi"` | K8s secret name for the Azure file share CI driver |
+| deployment.persistence.capacity | string | `"100Gi"` | Define capacity for persistent runtime artifacts which are shared between instances of the Identity Server profile |
+| deployment.persistence.enabled | bool | `false` | Enable persistence for artifact sharing |
+| deployment.persistence.subPaths.tenants | string | `"tenants"` | Azure storage account tenants file share path |
+| deployment.persistence.subPaths.userstores | string | `"userstores"` | Azure storage account userstores file share path |
+| deployment.preStopHookWaitSeconds | int | `10` | preStopHookWaitInSeconds waits before calling server stop in the pre stop hook. |
+| deployment.productPackName | string | `"wso2is"` | Product pack name |
+| deployment.progressDeadlineSeconds | int | `600` | Progress deadline seconds where the Deployment controller waits before indicating (in the Deployment status) that the Deployment progress has stalled.
|
+| deployment.readinessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":10}` | Indicates whether the container is ready to service requests |
+| deployment.readinessProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before readiness probes are initiated |
+| deployment.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the probe |
+| deployment.replicas | int | `1` | Number of deployment replicas |
+| deployment.resources.jvm.javaOpts | string | `"-Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Dhttpclient.hostnameVerifier=Strict -Djdk.tls.client.protocols=TLSv1.2 -Djava.util.prefs.systemRoot=/home/wso2carbon/.java -Djava.util.prefs.userRoot=/home/wso2carbon/.java/.userPrefs"` | JVM parameters |
+| deployment.resources.jvm.memOpts | string | `"-Xms2048m -Xmx2048m"` | JVM memory options |
+| deployment.resources.limits.cpu | string | `"3"` | The maximum amount of CPU that should be allocated for a Pod |
+| deployment.resources.limits.memory | string | `"4Gi"` | The maximum amount of memory that should be allocated for a Pod |
+| deployment.resources.requests | object | `{"cpu":"2","memory":"2Gi"}` | as per official documentation (Ref: https://is.docs.wso2.com/en/latest/setup/installation-prerequisites/) |
+| deployment.resources.requests.cpu | string | `"2"` | The minimum amount of CPU that should be allocated for a Pod |
+| deployment.resources.requests.memory | string | `"2Gi"` | The minimum amount of memory that should be allocated for a Pod |
+| deployment.secretStore.azure.enabled | bool | `true` | Enable Azure Key Vault integration.
|
+| deployment.secretStore.azure.keyVault.name | string | `""` | Name of the target Azure Key Vault instance |
+| deployment.secretStore.azure.keyVault.resourceGroup | string | `""` | Name of the Azure Resource Group to which the target Azure Key Vault belongs |
+| deployment.secretStore.azure.keyVault.secretName | string | `"INTERNAL-KEYSTORE-PASSWORD-DECRYPTED"` | Azure Key Vault secret name of the internal keystore password |
+| deployment.secretStore.azure.keyVault.servicePrincipalAppID | string | `""` | Service Principal created for transacting with the target Azure Key Vault Ref: https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/docs/service-principal-mode.md |
+| deployment.secretStore.azure.keyVault.subscriptionId | string | `""` | Subscription ID of the target Azure Key Vault |
+| deployment.secretStore.azure.keyVault.tenantId | string | `""` | Azure Active Directory tenant ID of the target Key Vault |
+| deployment.secretStore.azure.nodePublishSecretRef | string | `"azure-kv-secret-store-sp"` | The name of the Kubernetes secret that contains the service principal credentials to access Azure Key Vault.
Ref: https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/#configure-service-principal-to-access-keyvault |
+| deployment.secretStore.enabled | bool | `false` | Enable secure vault with secret store CSI driver |
+| deployment.securityContext.runAsUser | int | `802` | Run as user ID |
+| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | Seccomp profile type |
+| deployment.startupProbe | object | `{"failureThreshold":30,"initialDelaySeconds":60,"periodSeconds":5}` | Startup probe executed prior to Liveness Probe taking over |
+| deployment.startupProbe.failureThreshold | int | `30` | Number of attempts |
+| deployment.startupProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before startup probes are initiated |
+| deployment.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
+| deployment.strategy.rollingUpdate.maxSurge | int | `1` | The maximum number of pods that can be scheduled above the desired number of pods |
+| deployment.strategy.rollingUpdate.maxUnavailable | int | `0` | The maximum number of pods that can be unavailable during the update |
+| deployment.terminationGracePeriodSeconds | int | `40` | Pod termination grace period. K8s API server waits this period after pre stop hook and sending TERM signal |
+| deploymentToml.account.recovery.endpoint.auth.hash | string | `"66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262"` | Configure client authentication app password hash. Ref https://is.docs.wso2.com/en/latest/deploy/security/product-level-security-guidelines/#configure-client-authentication |
+| deploymentToml.clustering.domain | string | `"wso2.is.domain"` | Cluster domain |
+| deploymentToml.clustering.enabled | bool | `true` | Enable clustering.
Ref: https://is.docs.wso2.com/en/latest/deploy/configure-hazelcast/ |
+| deploymentToml.clustering.localMemberPort | string | `"4001"` | This defines local member port |
+| deploymentToml.clustering.membershipScheme | string | `"kubernetes"` | This defines membership schema type |
+| deploymentToml.database.consent.driver | string | `"org.h2.Driver"` | The database JDBC driver |
+| deploymentToml.database.consent.password | string | `"wso2carbon"` | The database password |
+| deploymentToml.database.consent.poolOptions | string | `nil` | The database pool options |
+| deploymentToml.database.consent.type | string | `"h2"` | The SQL server type(ex: mysql, mssql) |
+| deploymentToml.database.consent.url | string | `"jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE"` | The database JDBC URL |
+| deploymentToml.database.consent.username | string | `"wso2carbon"` | The database username |
+| deploymentToml.database.identity.driver | string | `"org.h2.Driver"` | The database JDBC driver |
+| deploymentToml.database.identity.password | string | `"wso2carbon"` | The password |
+| deploymentToml.database.identity.poolOptions | string | `nil` | The database pool options |
+| deploymentToml.database.identity.type | string | `"h2"` | The SQL server type(ex: mysql, mssql) |
+| deploymentToml.database.identity.url | string | `"jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE"` | The database JDBC URL |
+| deploymentToml.database.identity.username | string | `"wso2carbon"` | The database username |
+| deploymentToml.database.shared.driver | string | `"org.h2.Driver"` | The database JDBC driver |
+| deploymentToml.database.shared.password | string | `"wso2carbon"` | The database password |
+| deploymentToml.database.shared.poolOptions | string | `nil` | The database pool options |
+| deploymentToml.database.shared.type | string | `"h2"` | The SQL server type(ex: mysql, mssql) |
+| deploymentToml.database.shared.url | string |
`"jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"` | The database JDBC URL | +| deploymentToml.database.shared.username | string | `"wso2carbon"` | The database username | +| deploymentToml.database.user.driver | string | `"org.h2.Driver"` | The database JDBC driver | +| deploymentToml.database.user.password | string | `"wso2carbon"` | The database password | +| deploymentToml.database.user.poolOptions | string | `nil` | The database pool options | +| deploymentToml.database.user.type | string | `"h2"` | The SQL server type(ex: mysql, mssql) | +| deploymentToml.database.user.url | string | `"jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"` | The database JDBC URL | +| deploymentToml.database.user.username | string | `"wso2carbon"` | The database username | +| deploymentToml.encryption.key | string | `"3cc0481b70794667b5bee7e2beed2de4"` | Configure symmetric key encryption key. Ref https://is.docs.wso2.com/en/latest/deploy/security/symmetric-encryption/use-symmetric-encryption/ | +| deploymentToml.extraConfigs | string | `nil` | Add custom configurations to deployment.toml. | +| deploymentToml.identity.authFramework.endpoint.appPassword | string | `"dashboard"` | Configure client authentication encrypted app password. 
Ref https://is.docs.wso2.com/en/latest/deploy/security/product-level-security-guidelines/#configure-client-authentication |
+| deploymentToml.keystore.internal.alias | string | `"wso2carbon"` | |
+| deploymentToml.keystore.internal.fileName | string | `"wso2carbon.jks"` | |
+| deploymentToml.keystore.internal.keyPassword | string | `"wso2carbon"` | |
+| deploymentToml.keystore.internal.password | string | `"wso2carbon"` | |
+| deploymentToml.keystore.internal.type | string | `"JKS"` | |
+| deploymentToml.keystore.primary.alias | string | `"wso2carbon"` | |
+| deploymentToml.keystore.primary.fileName | string | `"wso2carbon.jks"` | |
+| deploymentToml.keystore.primary.keyPassword | string | `"wso2carbon"` | |
+| deploymentToml.keystore.primary.password | string | `"wso2carbon"` | |
+| deploymentToml.keystore.primary.type | string | `"JKS"` | |
+| deploymentToml.keystore.tls.alias | string | `"wso2carbon"` | |
+| deploymentToml.keystore.tls.fileName | string | `"wso2carbon.jks"` | |
+| deploymentToml.keystore.tls.keyPassword | string | `"wso2carbon"` | |
+| deploymentToml.keystore.tls.password | string | `"wso2carbon"` | |
+| deploymentToml.keystore.tls.type | string | `"JKS"` | |
+| deploymentToml.oauth.tokenCleanup | bool | `false` | Enable/Disable the internal token cleanup process. Ref: https://is.docs.wso2.com/en/6.0.0/deploy/remove-unused-tokens-from-the-database/#! |
+| deploymentToml.oauth.tokenGeneration.includeUsernameInAccessToken | bool | `false` | Add UserName Assertions in Access Tokens. Ref: https://is.docs.wso2.com/en/6.0.0/deploy/enable-assertions-in-access-tokens/ |
+| deploymentToml.otp.email.addressRequestPage | string | `"https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp"` | |
+| deploymentToml.otp.email.authenticationEndpointErrorPage | string | `"https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp"` | Error page that will be displayed in case of an authentication failure.
|
+| deploymentToml.otp.email.authenticationEndpointURL | string | `"https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp"` | Authentication endpoint URL of the authenticator. |
+| deploymentToml.otp.email.captureAndUpdateEmailAddress | bool | `true` | |
+| deploymentToml.otp.email.emailAddressRegex | string | `"(?<=.{1}).(?=.*@)"` | |
+| deploymentToml.otp.email.enableByUserClaim | bool | `true` | |
+| deploymentToml.otp.email.enabled | bool | `false` | Enable email OTP. Ref: https://is.docs.wso2.com/en/latest/guides/mfa/email-otp-config-advanced/#email-otp-configurations |
+| deploymentToml.otp.email.federatedEmailAttributeKey | string | `"email"` | |
+| deploymentToml.otp.email.mandatory | bool | `false` | This parmeter defines whether email OTP is enforced as the second step of the 2FA/MFA or not. |
+| deploymentToml.otp.email.secondaryUserstore | string | `"primary"` | You can define multiple user stores per tenant as comma separated values. |
+| deploymentToml.otp.email.sendOTPToFederatedEmailAttribute | bool | `false` | |
+| deploymentToml.otp.email.showEmailAddressInUI | bool | `true` | |
+| deploymentToml.otp.email.tokenExpirationTime | int | `300000` | |
+| deploymentToml.otp.email.useEventHandlerBasedEmailSender | bool | `true` | |
+| deploymentToml.otp.email.usecase | string | `"local"` | This parameter defines how the email ID will be retrieved. |
+| deploymentToml.otp.email.userAccountLockEnabled | bool | `false` | Enable account locking by email OTP.
Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/ |
+| deploymentToml.otp.sms.authenticationEndpointErrorPage | string | `"/smsotpauthenticationendpoint/smsotpError.jsp"` | |
+| deploymentToml.otp.sms.authenticationEndpointURL | string | `"/smsotpauthenticationendpoint/smsotp.jsp"` | |
+| deploymentToml.otp.sms.backupCode | bool | `true` | |
+| deploymentToml.otp.sms.captureAndUpdateMobileNumber | bool | `true` | |
+| deploymentToml.otp.sms.directlyToMobile | bool | `false` | |
+| deploymentToml.otp.sms.enableByUserClaim | bool | `true` | |
+| deploymentToml.otp.sms.enabled | bool | `false` | Enable SMS OTP. Ref: https://is.docs.wso2.com/en/latest/guides/mfa/sms-otp-config-advanced/ |
+| deploymentToml.otp.sms.federatedMobile | bool | `false` | |
+| deploymentToml.otp.sms.federatedMobileAttributeKey | string | `"mobile"` | |
+| deploymentToml.otp.sms.mandatory | bool | `false` | |
+| deploymentToml.otp.sms.mobileNumberRegPage | string | `"/smsotpauthenticationendpoint/mobile.jsp"` | |
+| deploymentToml.otp.sms.redirectToMultiOptionPageOnFailure | bool | `false` | |
+| deploymentToml.otp.sms.resendEnable | bool | `true` | |
+| deploymentToml.otp.sms.retryEnable | bool | `true` | |
+| deploymentToml.otp.sms.secondaryUserstore | string | `"primary"` | |
+| deploymentToml.otp.sms.usecase | string | `"local"` | |
+| deploymentToml.otp.sms.userAccountLockEnabled | bool | `false` | Enable account locking by email OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/ |
+| deploymentToml.outputAdapter.email.enableAuthentication | bool | `true` | |
+| deploymentToml.outputAdapter.email.enableStartTls | bool | `true` | |
+| deploymentToml.outputAdapter.email.enabled | bool | `false` | Enable the email sender.
Ref: https://is.docs.wso2.com/en/latest/deploy/configure-email-sending/#configure-the-email-sender-globally |
+| deploymentToml.outputAdapter.email.fromAddress | string | `""` | |
+| deploymentToml.outputAdapter.email.hostname | string | `""` | |
+| deploymentToml.outputAdapter.email.password | string | `""` | |
+| deploymentToml.outputAdapter.email.port | int | `587` | |
+| deploymentToml.outputAdapter.email.username | string | `""` | |
+| deploymentToml.recaptcha.apiUrl | string | `""` | |
+| deploymentToml.recaptcha.enabled | bool | `false` | Enable reCAPTCHA. Ref: https://is.docs.wso2.com/en/latest/deploy/configure-recaptcha/ |
+| deploymentToml.recaptcha.secretKey | string | `""` | |
+| deploymentToml.recaptcha.siteKey | string | `""` | |
+| deploymentToml.recaptcha.verifyUrl | string | `""` | |
+| deploymentToml.server.offset | string | `"0"` | Change default ports(Ref: https://is.docs.wso2.com/en/latest/references/default-ports-of-wso2-products/#:~:text=For%20each%20additional%20WSO2%20product,to%20the%20server%20during%20startup.)
|
+| deploymentToml.superAdmin.createAdminAccount | bool | `true` | Create Carbon console admin account |
+| deploymentToml.superAdmin.password | string | `"admin"` | Carbon console admin account password |
+| deploymentToml.superAdmin.username | string | `"admin"` | Carbon console admin account username |
+| deploymentToml.totp.authenticationEndpointEnableTOTPPage | string | `"authenticationendpoint/totp_enroll.do"` | |
+| deploymentToml.totp.authenticationEndpointErrorPage | string | `"authenticationendpoint/totp_error.do"` | |
+| deploymentToml.totp.authenticationEndpointURL | string | `"authenticationendpoint/totp.do"` | |
+| deploymentToml.totp.authenticationMandatory | bool | `true` | |
+| deploymentToml.totp.enabled | bool | `false` | |
+| deploymentToml.totp.encodingMethod | string | `"Base32"` | |
+| deploymentToml.totp.enrolUserInAuthenticationFlow | bool | `true` | |
+| deploymentToml.totp.issuer | string | `"WSO2"` | |
+| deploymentToml.totp.secondaryUserstore | string | `"primary"` | |
+| deploymentToml.totp.timeStepSize | string | `"30"` | |
+| deploymentToml.totp.useCommonIssuer | bool | `true` | |
+| deploymentToml.totp.usecase | string | `"local"` | |
+| deploymentToml.totp.userAccountLockEnabled | bool | `false` | Enable account locking by OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/ |
+| deploymentToml.totp.windowSize | string | `"3"` | |
+| deploymentToml.transport.https.properties.server | string | `"WSO2 Carbon Server"` | Server name in HTTP response headers.
Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#change-the-server-name-in-http-response-headers |
+| deploymentToml.transport.https.sslHostConfig.properties.ciphers | string | `"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"` | Configure TSL ciphers in the HTTPS transport. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#disable-weak-ciphers |
+| deploymentToml.transport.https.sslHostConfig.properties.protocols | string | `"+TLSv1, +TLSv1.1, +TLSv1.2, +TLSv1.3"` | Enabling SSL protocols in the HTTPS transport.
Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enabling-ssl-protocols-in-the-wso2-is |
+| deploymentToml.transport.thrift.ciphers | string | `"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA"` | Configure TSL ciphers in ThriftAuthenticationService. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enable-ssl-protocols-and-ciphers-in-thriftauthenticationservice |
+| deploymentToml.transport.thrift.protocols | string | `"TLSv1,TLSv1.1,TLSv1.2"` | Enabling SSL protocols in ThriftAuthenticationService. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enable-ssl-protocols-and-ciphers-in-thriftauthenticationservice |
+| deploymentToml.truststore.fileName | string | `"client-truststore.jks"` | |
+| deploymentToml.truststore.password | string | `"wso2carbon"` | |
+| deploymentToml.truststore.type | string | `"JKS"` | |
+| deploymentToml.userAccountLock.enabled | bool | `true` | Enable user account lock.
Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-account/ |
+| deploymentToml.userAccountLock.loginAttempts.allowedFailedAttempts | int | `5` | This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. If the value you specify is 2, the account gets locked if the login attempt fails twice. |
+| deploymentToml.userAccountLock.loginAttempts.autoUnlockAfter | int | `5` | The time specified here is in minutes. Authentication can be attempted once this time has passed. |
+| deploymentToml.userAccountLock.loginAttempts.autoUnlockTimeIncrementRatio | int | `2` | This indicates how much the account unlock timeout is incremented by after each failed login attempt |
+| deploymentToml.userStore.type | string | `"database_unique_id"` | |
+| k8sKindAPIVersions | object | `{"configMap":"v1","deployment":"apps/v1","horizontalPodAutoscaler":"autoscaling/v1","ingress":"networking.k8s.io/v1","persistentVolume":"v1","persistentVolumeClaim":"v1","podDisruptionBudget":"policy/v1","role":"rbac.authorization.k8s.io/v1","roleBinding":"rbac.authorization.k8s.io/v1","secret":"v1","secretProviderClass":"secrets-store.csi.x-k8s.io/v1","service":"v1","serviceAccount":"v1"}` | K8s API versions for K8s kinds |
+| k8sKindAPIVersions.configMap | string | `"v1"` | K8s API version for kind ConfigMap |
+| k8sKindAPIVersions.deployment | string | `"apps/v1"` | K8s API version for kind Deployment |
+| k8sKindAPIVersions.horizontalPodAutoscaler | string | `"autoscaling/v1"` | K8s API version for kind HorizontalPodAutoscaler |
+| k8sKindAPIVersions.ingress | string | `"networking.k8s.io/v1"` | K8s API version for kind Ingress |
+| k8sKindAPIVersions.persistentVolume | string | `"v1"` | K8s API version for kind PersistentVolume |
+| k8sKindAPIVersions.persistentVolumeClaim | string | `"v1"` | K8s API version for kind PersistentVolumeClaim |
+| k8sKindAPIVersions.podDisruptionBudget | string | `"policy/v1"` | K8s API version
for kind PodDisruptionBudget |
+| k8sKindAPIVersions.role | string | `"rbac.authorization.k8s.io/v1"` | K8s API version for kind Role |
+| k8sKindAPIVersions.roleBinding | string | `"rbac.authorization.k8s.io/v1"` | K8s API version for kind RoleBinding |
+| k8sKindAPIVersions.secret | string | `"v1"` | K8s API version for kind Secret |
+| k8sKindAPIVersions.secretProviderClass | string | `"secrets-store.csi.x-k8s.io/v1"` | K8s API version for kind SecretProviderClass |
+| k8sKindAPIVersions.service | string | `"v1"` | K8s API version for kind Service |
+| k8sKindAPIVersions.serviceAccount | string | `"v1"` | K8s API version for kind ServiceAccount |
+| wso2.subscription.password | string | `""` | WSO2 account password |
+| wso2.subscription.username | string | `""` | WSO2 account username |
diff --git a/advanced/databases/mysql-is/Chart.yaml b/advanced/databases/mysql-is/Chart.yaml
deleted file mode 100755
index 5e19fa68..00000000
--- a/advanced/databases/mysql-is/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-apiVersion: v1
-appVersion: "5.7"
-description: A Helm chart for MySQL based deployment of WSO2 Identity And Access Management Datasources
-name: mysql-is
-version: 6.1.0-1
-icon: https://wso2.cachefly.net/wso2/sites/all/images/wso2logo.svg
diff --git a/advanced/databases/mysql-is/requirements.yaml b/advanced/databases/mysql-is/requirements.yaml
deleted file mode 100644
index 46807f6f..00000000
--- a/advanced/databases/mysql-is/requirements.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-dependencies:
- - name: mysql
- version: "1.6.9"
- repository: "https://helm.wso2.com"
diff --git a/advanced/databases/mysql-is/values.yaml b/advanced/databases/mysql-is/values.yaml
deleted file mode 100644
index d3e80784..00000000
--- a/advanced/databases/mysql-is/values.yaml
+++ /dev/null
@@ -1,2089 +0,0 @@
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-mysql:
- imageTag: "5.7.31"
- mysqlRootPassword: root
- mysqlUser: wso2carbon
- mysqlPassword: wso2carbon
- fullnameOverride: "wso2is-mysql-db-service"
- livenessProbe:
- initialDelaySeconds: 120
- readinessProbe:
- initialDelaySeconds: 120
- configurationFiles:
- mysql.cnf: |-
- [mysqld]
- max_connections = 10000
- initializationFiles:
- init.sql: |-
- DROP DATABASE IF EXISTS WSO2IS_SHARED_DB;
- DROP DATABASE IF EXISTS WSO2IS_IDENTITY_DB;
-
- CREATE DATABASE WSO2IS_SHARED_DB;
- CREATE DATABASE WSO2IS_IDENTITY_DB;
-
- GRANT ALL ON WSO2IS_SHARED_DB.* TO 'wso2carbon'@'%' IDENTIFIED BY 'wso2carbon';
- GRANT ALL ON WSO2IS_IDENTITY_DB.* TO 'wso2carbon'@'%' IDENTIFIED BY 'wso2carbon';
-
- USE WSO2IS_SHARED_DB;
-
- CREATE TABLE IF NOT EXISTS REG_CLUSTER_LOCK (
- REG_LOCK_NAME VARCHAR (20),
- REG_LOCK_STATUS VARCHAR (20),
- REG_LOCKED_TIME TIMESTAMP,
- REG_TENANT_ID INTEGER DEFAULT 0,
- PRIMARY KEY (REG_LOCK_NAME)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS REG_LOG (
- REG_LOG_ID INTEGER AUTO_INCREMENT,
- REG_PATH VARCHAR (750),
- REG_USER_ID VARCHAR (255) NOT NULL,
- REG_LOGGED_TIME TIMESTAMP NOT NULL,
- REG_ACTION INTEGER NOT NULL,
- REG_ACTION_DATA VARCHAR (500),
- REG_TENANT_ID INTEGER DEFAULT 0,
- PRIMARY KEY (REG_LOG_ID, REG_TENANT_ID)
- )ENGINE INNODB;
-
- CREATE INDEX REG_LOG_IND_BY_REGLOG USING HASH ON 
REG_LOG(REG_LOGGED_TIME, REG_TENANT_ID); - - -- The REG_PATH_VALUE should be less than 767 bytes, and hence was fixed at 750. - -- See CARBON-5917. - - CREATE TABLE IF NOT EXISTS REG_PATH( - REG_PATH_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PATH_VALUE VARCHAR(750) CHARACTER SET latin1 COLLATE latin1_general_cs NOT NULL, - REG_PATH_PARENT_ID INTEGER, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_PATH PRIMARY KEY(REG_PATH_ID, REG_TENANT_ID), - CONSTRAINT UNIQUE_REG_PATH_TENANT_ID UNIQUE (REG_PATH_VALUE,REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_PATH_IND_BY_PATH_PARENT_ID USING HASH ON REG_PATH(REG_PATH_PARENT_ID, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_CONTENT ( - REG_CONTENT_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_CONTENT_DATA LONGBLOB, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_CONTENT PRIMARY KEY(REG_CONTENT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_CONTENT_HISTORY ( - REG_CONTENT_ID INTEGER NOT NULL, - REG_CONTENT_DATA LONGBLOB, - REG_DELETED SMALLINT, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_CONTENT_HISTORY PRIMARY KEY(REG_CONTENT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE ( - REG_PATH_ID INTEGER NOT NULL, - REG_NAME VARCHAR(256), - REG_VERSION INTEGER NOT NULL AUTO_INCREMENT, - REG_MEDIA_TYPE VARCHAR(500), - REG_CREATOR VARCHAR(255) NOT NULL, - REG_CREATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_LAST_UPDATOR VARCHAR(255), - REG_LAST_UPDATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_DESCRIPTION VARCHAR(1000), - REG_CONTENT_ID INTEGER, - REG_TENANT_ID INTEGER DEFAULT 0, - REG_UUID VARCHAR(100) NOT NULL, - CONSTRAINT PK_REG_RESOURCE PRIMARY KEY(REG_VERSION, REG_TENANT_ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE ADD CONSTRAINT REG_RESOURCE_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE ADD CONSTRAINT 
REG_RESOURCE_FK_BY_CONTENT_ID FOREIGN KEY (REG_CONTENT_ID, REG_TENANT_ID) REFERENCES REG_CONTENT (REG_CONTENT_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_IND_BY_NAME USING HASH ON REG_RESOURCE(REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_IND_BY_PATH_ID_NAME USING HASH ON REG_RESOURCE(REG_PATH_ID, REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_IND_BY_UUID USING HASH ON REG_RESOURCE(REG_UUID); - CREATE INDEX REG_RESOURCE_IND_BY_TENAN USING HASH ON REG_RESOURCE(REG_TENANT_ID, REG_UUID); - CREATE INDEX REG_RESOURCE_IND_BY_TYPE USING HASH ON REG_RESOURCE(REG_TENANT_ID, REG_MEDIA_TYPE); - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_HISTORY ( - REG_PATH_ID INTEGER NOT NULL, - REG_NAME VARCHAR(256), - REG_VERSION INTEGER NOT NULL, - REG_MEDIA_TYPE VARCHAR(500), - REG_CREATOR VARCHAR(255) NOT NULL, - REG_CREATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_LAST_UPDATOR VARCHAR(255), - REG_LAST_UPDATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_DESCRIPTION VARCHAR(1000), - REG_CONTENT_ID INTEGER, - REG_DELETED SMALLINT, - REG_TENANT_ID INTEGER DEFAULT 0, - REG_UUID VARCHAR(100) NOT NULL, - CONSTRAINT PK_REG_RESOURCE_HISTORY PRIMARY KEY(REG_VERSION, REG_TENANT_ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_HISTORY ADD CONSTRAINT REG_RESOURCE_HIST_FK_BY_PATHID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_HISTORY ADD CONSTRAINT REG_RESOURCE_HIST_FK_BY_CONTENT_ID FOREIGN KEY (REG_CONTENT_ID, REG_TENANT_ID) REFERENCES REG_CONTENT_HISTORY (REG_CONTENT_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_HISTORY_IND_BY_NAME USING HASH ON REG_RESOURCE_HISTORY(REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_HISTORY_IND_BY_PATH_ID_NAME USING HASH ON REG_RESOURCE(REG_PATH_ID, REG_NAME, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_COMMENT ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_COMMENT_TEXT VARCHAR(500) NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - 
REG_COMMENTED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_COMMENT PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_COMMENT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_COMMENT_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_COMMENT ADD CONSTRAINT REG_RESOURCE_COMMENT_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_COMMENT ADD CONSTRAINT REG_RESOURCE_COMMENT_FK_BY_COMMENT_ID FOREIGN KEY (REG_COMMENT_ID, REG_TENANT_ID) REFERENCES REG_COMMENT (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_COMMENT_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_COMMENT(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_COMMENT_IND_BY_VERSION USING HASH ON REG_RESOURCE_COMMENT(REG_VERSION, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_RATING ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_RATING INTEGER NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_RATED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_RATING PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_RATING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_RATING_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_RATING ADD CONSTRAINT REG_RESOURCE_RATING_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_RATING ADD CONSTRAINT REG_RESOURCE_RATING_FK_BY_RATING_ID FOREIGN KEY (REG_RATING_ID, REG_TENANT_ID) REFERENCES REG_RATING (REG_ID, REG_TENANT_ID); - CREATE 
INDEX REG_RESOURCE_RATING_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_RATING(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_RATING_IND_BY_VERSION USING HASH ON REG_RESOURCE_RATING(REG_VERSION, REG_TENANT_ID); - - - CREATE TABLE IF NOT EXISTS REG_TAG ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_TAG_NAME VARCHAR(500) NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_TAGGED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_TAG PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_TAG ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_TAG_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_TAG ADD CONSTRAINT REG_RESOURCE_TAG_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_TAG ADD CONSTRAINT REG_RESOURCE_TAG_FK_BY_TAG_ID FOREIGN KEY (REG_TAG_ID, REG_TENANT_ID) REFERENCES REG_TAG (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_TAG_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_TAG(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_TAG_IND_BY_VERSION USING HASH ON REG_RESOURCE_TAG(REG_VERSION, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_PROPERTY ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_NAME VARCHAR(100) NOT NULL, - REG_VALUE VARCHAR(1000), - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_PROPERTY PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_PROPERTY ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PROPERTY_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_PROPERTY 
ADD CONSTRAINT REG_RESOURCE_PROPERTY_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_PROPERTY ADD CONSTRAINT REG_RESOURCE_PROPERTY_FK_BY_TAG_ID FOREIGN KEY (REG_PROPERTY_ID, REG_TENANT_ID) REFERENCES REG_PROPERTY (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_PROPERTY_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_PROPERTY(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_PROPERTY_IND_BY_VERSION USING HASH ON REG_RESOURCE_PROPERTY(REG_VERSION, REG_TENANT_ID); - - -- CREATE TABLE IF NOT EXISTS REG_ASSOCIATIONS ( - -- SRC_PATH_ID INTEGER, - -- SRC_RESOURCE_NAME VARCHAR(256), - -- SRC_VERSION INTEGER, - -- TGT_PATH_ID INTEGER, - -- TGT_RESOURCE_NAME VARCHAR(256), - -- TGT_VERSION INTEGER - -- )ENGINE INNODB; - -- - -- ALTER TABLE REG_ASSOCIATIONS ADD CONSTRAINT REG_ASSOCIATIONS_FK_BY_SRC_PATH_ID FOREIGN KEY (SRC_PATH_ID) REFERENCES REG_PATH (PATH_ID); - -- ALTER TABLE REG_ASSOCIATIONS ADD CONSTRAINT REG_ASSOCIATIONS_FK_BY_TGT_PATH_ID FOREIGN KEY (TGT_PATH_ID) REFERENCES REG_PATH (PATH_ID); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_SRC_VERSION ON REG_ASSOCIATIONS(SRC_VERSION); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_TGT_VERSION ON REG_ASSOCIATIONS(TGT_VERSION); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_SRC_RESOURCE_NAME ON REG_ASSOCIATIONS(SRC_RESOURCE_NAME); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_TGT_RESOURCE_NAME ON REG_ASSOCIATIONS(TGT_RESOURCE_NAME); - - - - CREATE TABLE IF NOT EXISTS REG_ASSOCIATION ( - REG_ASSOCIATION_ID INTEGER AUTO_INCREMENT, - REG_SOURCEPATH VARCHAR (750) NOT NULL, - REG_TARGETPATH VARCHAR (750) NOT NULL, - REG_ASSOCIATION_TYPE VARCHAR (2000) NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (REG_ASSOCIATION_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_SNAPSHOT ( - REG_SNAPSHOT_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PATH_ID INTEGER NOT NULL, - REG_RESOURCE_NAME 
VARCHAR(255), - REG_RESOURCE_VIDS LONGBLOB NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_SNAPSHOT PRIMARY KEY(REG_SNAPSHOT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_SNAPSHOT_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_SNAPSHOT(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - - ALTER TABLE REG_SNAPSHOT ADD CONSTRAINT REG_SNAPSHOT_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - - - -- ################################ - -- USER MANAGER TABLES - -- ################################ - - CREATE TABLE UM_TENANT ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_TENANT_UUID VARCHAR(36) NOT NULL, - UM_DOMAIN_NAME VARCHAR(255) NOT NULL, - UM_EMAIL VARCHAR(255), - UM_ACTIVE BOOLEAN DEFAULT FALSE, - UM_CREATED_DATE TIMESTAMP NOT NULL, - UM_USER_CONFIG LONGBLOB, - UM_ORG_UUID VARCHAR(36) DEFAULT NULL, - PRIMARY KEY (UM_ID), - UNIQUE(UM_DOMAIN_NAME), - UNIQUE(UM_TENANT_UUID) - )ENGINE INNODB; - - CREATE TABLE UM_DOMAIN( - UM_DOMAIN_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DOMAIN_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_DOMAIN_ID, UM_TENANT_ID), - UNIQUE(UM_DOMAIN_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE UNIQUE INDEX INDEX_UM_TENANT_UM_DOMAIN_NAME - ON UM_TENANT (UM_DOMAIN_NAME); - - CREATE TABLE UM_USER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_ID VARCHAR(255) NOT NULL, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_USER_PASSWORD VARCHAR(255) NOT NULL, - UM_SALT_VALUE VARCHAR(31), - UM_REQUIRE_CHANGE BOOLEAN DEFAULT FALSE, - UM_CHANGED_TIME TIMESTAMP NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_USER_ID), - UNIQUE(UM_USER_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE UNIQUE INDEX INDEX_UM_USERNAME_UM_TENANT_ID ON UM_USER(UM_USER_NAME, UM_TENANT_ID); - - CREATE TABLE UM_SYSTEM_USER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_USER_PASSWORD 
VARCHAR(255) NOT NULL, - UM_SALT_VALUE VARCHAR(31), - UM_REQUIRE_CHANGE BOOLEAN DEFAULT FALSE, - UM_CHANGED_TIME TIMESTAMP NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_USER_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_ROLE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_SHARED_ROLE BOOLEAN DEFAULT FALSE, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_MODULE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_MODULE_NAME VARCHAR(100), - UNIQUE(UM_MODULE_NAME), - PRIMARY KEY(UM_ID) - )ENGINE INNODB; - - CREATE TABLE UM_MODULE_ACTIONS( - UM_ACTION VARCHAR(255) NOT NULL, - UM_MODULE_ID INTEGER NOT NULL, - PRIMARY KEY(UM_ACTION, UM_MODULE_ID), - FOREIGN KEY (UM_MODULE_ID) REFERENCES UM_MODULE(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE UM_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_RESOURCE_ID VARCHAR(255) NOT NULL, - UM_ACTION VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_MODULE_ID INTEGER DEFAULT 0, - UNIQUE(UM_RESOURCE_ID,UM_ACTION, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX INDEX_UM_PERMISSION_UM_RESOURCE_ID_UM_ACTION ON UM_PERMISSION (UM_RESOURCE_ID, UM_ACTION, UM_TENANT_ID); - - CREATE TABLE UM_ROLE_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PERMISSION_ID INTEGER NOT NULL, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_IS_ALLOWED SMALLINT NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_PERMISSION_ID, UM_ROLE_NAME, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_PERMISSION_ID, UM_TENANT_ID) REFERENCES UM_PERMISSION(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - -- REMOVED UNIQUE 
(UM_PERMISSION_ID, UM_ROLE_ID) - CREATE TABLE UM_USER_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PERMISSION_ID INTEGER NOT NULL, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_IS_ALLOWED SMALLINT NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY (UM_PERMISSION_ID, UM_TENANT_ID) REFERENCES UM_PERMISSION(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - -- REMOVED UNIQUE (UM_PERMISSION_ID, UM_USER_ID) - CREATE TABLE UM_USER_ROLE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_ID INTEGER NOT NULL, - UM_USER_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_ROLE(UM_ID, UM_TENANT_ID), - FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) REFERENCES UM_USER(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SHARED_USER_ROLE( - ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_ID INTEGER NOT NULL, - UM_USER_ID INTEGER NOT NULL, - UM_USER_TENANT_ID INTEGER NOT NULL, - UM_ROLE_TENANT_ID INTEGER NOT NULL, - UNIQUE(UM_USER_ID,UM_ROLE_ID,UM_USER_TENANT_ID, UM_ROLE_TENANT_ID), - FOREIGN KEY(UM_ROLE_ID,UM_ROLE_TENANT_ID) REFERENCES UM_ROLE(UM_ID,UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY(UM_USER_ID,UM_USER_TENANT_ID) REFERENCES UM_USER(UM_ID,UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY(ID) - )ENGINE INNODB; - - CREATE TABLE UM_ACCOUNT_MAPPING( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER NOT NULL, - UM_USER_STORE_DOMAIN VARCHAR(100), - UM_ACC_LINK_ID INTEGER NOT NULL, - UNIQUE(UM_USER_NAME, UM_TENANT_ID, UM_USER_STORE_DOMAIN, UM_ACC_LINK_ID), - FOREIGN KEY (UM_TENANT_ID) REFERENCES UM_TENANT(UM_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_USER_ATTRIBUTE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ATTR_NAME VARCHAR(255) NOT NULL, - UM_ATTR_VALUE VARCHAR(1024), - 
UM_PROFILE_ID VARCHAR(255), - UM_USER_ID INTEGER, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) REFERENCES UM_USER(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX UM_USER_ID_INDEX ON UM_USER_ATTRIBUTE(UM_USER_ID); - - CREATE INDEX UM_ATTR_NAME_VALUE_INDEX ON UM_USER_ATTRIBUTE(UM_ATTR_NAME, UM_ATTR_VALUE(512)); - - CREATE TABLE UM_DIALECT( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_URI VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE(UM_DIALECT_URI, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_CLAIM( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_ID INTEGER NOT NULL, - UM_CLAIM_URI VARCHAR(255) NOT NULL, - UM_DISPLAY_TAG VARCHAR(255), - UM_DESCRIPTION VARCHAR(255), - UM_MAPPED_ATTRIBUTE_DOMAIN VARCHAR(255), - UM_MAPPED_ATTRIBUTE VARCHAR(255), - UM_REG_EX VARCHAR(255), - UM_SUPPORTED SMALLINT, - UM_REQUIRED SMALLINT, - UM_DISPLAY_ORDER INTEGER, - UM_CHECKED_ATTRIBUTE SMALLINT, - UM_READ_ONLY SMALLINT, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE(UM_DIALECT_ID, UM_CLAIM_URI, UM_TENANT_ID,UM_MAPPED_ATTRIBUTE_DOMAIN), - FOREIGN KEY(UM_DIALECT_ID, UM_TENANT_ID) REFERENCES UM_DIALECT(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_PROFILE_CONFIG( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_ID INTEGER NOT NULL, - UM_PROFILE_NAME VARCHAR(255), - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY(UM_DIALECT_ID, UM_TENANT_ID) REFERENCES UM_DIALECT(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_CLAIM_BEHAVIOR( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PROFILE_ID INTEGER, - UM_CLAIM_ID INTEGER, - UM_BEHAVIOUR SMALLINT, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY(UM_PROFILE_ID, UM_TENANT_ID) REFERENCES UM_PROFILE_CONFIG(UM_ID,UM_TENANT_ID), - FOREIGN KEY(UM_CLAIM_ID, UM_TENANT_ID) REFERENCES 
UM_CLAIM(UM_ID,UM_TENANT_ID), - PRIMARY KEY(UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_HYBRID_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX UM_ROLE_NAME_IND ON UM_HYBRID_ROLE(UM_ROLE_NAME); - - CREATE TABLE UM_HYBRID_USER_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_USER_NAME, UM_ROLE_ID, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_HYBRID_ROLE(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_HYBRID_GROUP_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_GROUP_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_GROUP_NAME, UM_ROLE_ID, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_HYBRID_ROLE(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SYSTEM_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SYSTEM_USER_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE (UM_USER_NAME, UM_ROLE_ID, UM_TENANT_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_SYSTEM_ROLE(UM_ID, 
UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_HYBRID_REMEMBER_ME( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_COOKIE_VALUE VARCHAR(1024), - UM_CREATED_TIME TIMESTAMP, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_UUID_DOMAIN_MAPPER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_ID VARCHAR(255) NOT NULL, - UM_DOMAIN_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID), - UNIQUE (UM_USER_ID), - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE INDEX UUID_DM_UID_TID ON UM_UUID_DOMAIN_MAPPER(UM_USER_ID, UM_TENANT_ID); - - CREATE TABLE IF NOT EXISTS UM_GROUP_UUID_DOMAIN_MAPPER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_GROUP_ID VARCHAR(255) NOT NULL, - UM_DOMAIN_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID), - UNIQUE (UM_GROUP_ID), - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE INDEX GRP_UUID_DM_GRP_ID_TID ON UM_GROUP_UUID_DOMAIN_MAPPER(UM_GROUP_ID, UM_TENANT_ID); - - -- ################################ - -- ORGANIZATION MANAGEMENT TABLES - -- ################################ - - SET SQL_MODE='ALLOW_INVALID_DATES'; - - CREATE TABLE IF NOT EXISTS UM_ORG ( - UM_ID VARCHAR(36) NOT NULL, - UM_ORG_NAME VARCHAR(255) NOT NULL, - UM_ORG_DESCRIPTION VARCHAR(1024), - UM_CREATED_TIME TIMESTAMP NOT NULL, - UM_LAST_MODIFIED TIMESTAMP NOT NULL, - UM_STATUS VARCHAR(255) DEFAULT 'ACTIVE' NOT NULL, - UM_PARENT_ID VARCHAR(36), - UM_ORG_TYPE VARCHAR(100) NOT NULL, - PRIMARY KEY (UM_ID), - FOREIGN KEY (UM_PARENT_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - INSERT IGNORE INTO UM_ORG (UM_ID, UM_ORG_NAME, UM_ORG_DESCRIPTION, UM_CREATED_TIME, UM_LAST_MODIFIED, UM_STATUS, 
UM_ORG_TYPE) - VALUES ('10084a8d-113f-4211-a0d5-efe36b082211', 'Super', 'This is the super organization.', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'ACTIVE', 'TENANT'); - - CREATE TABLE IF NOT EXISTS UM_ORG_ATTRIBUTE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ORG_ID VARCHAR(36) NOT NULL, - UM_ATTRIBUTE_KEY VARCHAR(255) NOT NULL, - UM_ATTRIBUTE_VALUE VARCHAR(512), - PRIMARY KEY (UM_ID), - UNIQUE (UM_ORG_ID, UM_ATTRIBUTE_KEY), - FOREIGN KEY (UM_ORG_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE ( - UM_ROLE_ID VARCHAR(255) NOT NULL, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_ORG_ID VARCHAR(36) NOT NULL, - PRIMARY KEY(UM_ROLE_ID), - CONSTRAINT FK_UM_ORG_ROLE_UM_ORG FOREIGN KEY (UM_ORG_ID) REFERENCES UM_ORG (UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_PERMISSION( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_RESOURCE_ID VARCHAR(255) NOT NULL, - UM_ACTION VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_USER ( - UM_USER_ID VARCHAR(255) NOT NULL, - UM_ROLE_ID VARCHAR(255) NOT NULL, - CONSTRAINT FK_UM_ORG_ROLE_USER_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_GROUP( - UM_GROUP_ID VARCHAR(255) NOT NULL, - UM_ROLE_ID VARCHAR(255) NOT NULL, - CONSTRAINT FK_UM_ORG_ROLE_GROUP_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_PERMISSION( - UM_PERMISSION_ID INTEGER NOT NULL, - UM_ROLE_ID VARCHAR(255) NOT NULL, - CONSTRAINT FK_UM_ORG_ROLE_PERMISSION_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE, - CONSTRAINT FK_UM_ORG_ROLE_PERMISSION_UM_ORG_PERMISSION FOREIGN KEY (UM_PERMISSION_ID) REFERENCES UM_ORG_PERMISSION(UM_ID) ON DELETE CASCADE - )ENGINE 
INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_HIERARCHY ( - UM_PARENT_ID VARCHAR(36) NOT NULL, - UM_ID VARCHAR(36) NOT NULL, - DEPTH INTEGER, - PRIMARY KEY (UM_PARENT_ID, UM_ID), - FOREIGN KEY (UM_PARENT_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - INSERT IGNORE INTO UM_ORG_HIERARCHY (UM_PARENT_ID, UM_ID, DEPTH) - VALUES ('10084a8d-113f-4211-a0d5-efe36b082211', '10084a8d-113f-4211-a0d5-efe36b082211', 0); - - USE WSO2IS_IDENTITY_DB; - - CREATE TABLE IF NOT EXISTS IDN_BASE_TABLE ( - PRODUCT_NAME VARCHAR(20), - PRIMARY KEY (PRODUCT_NAME) - )ENGINE INNODB; - - INSERT INTO IDN_BASE_TABLE values ('WSO2 Identity Server'); - - CREATE TABLE IF NOT EXISTS IDN_OAUTH_CONSUMER_APPS ( - ID INTEGER NOT NULL AUTO_INCREMENT, - CONSUMER_KEY VARCHAR(255), - CONSUMER_SECRET VARCHAR(2048), - USERNAME VARCHAR(255), - TENANT_ID INTEGER DEFAULT 0, - USER_DOMAIN VARCHAR(50), - APP_NAME VARCHAR(255), - OAUTH_VERSION VARCHAR(128), - CALLBACK_URL VARCHAR(2048), - GRANT_TYPES VARCHAR (1024), - PKCE_MANDATORY CHAR(1) DEFAULT '0', - PKCE_SUPPORT_PLAIN CHAR(1) DEFAULT '0', - APP_STATE VARCHAR (25) DEFAULT 'ACTIVE', - USER_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, - APP_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, - REFRESH_TOKEN_EXPIRE_TIME BIGINT DEFAULT 84600, - ID_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, - CONSTRAINT CONSUMER_KEY_CONSTRAINT UNIQUE (CONSUMER_KEY), - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_VALIDATORS ( - APP_ID INTEGER NOT NULL, - SCOPE_VALIDATOR VARCHAR (128) NOT NULL, - PRIMARY KEY (APP_ID,SCOPE_VALIDATOR), - FOREIGN KEY (APP_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_REQUEST_TOKEN ( - REQUEST_TOKEN VARCHAR(255), - REQUEST_TOKEN_SECRET VARCHAR(512), - CONSUMER_KEY_ID INTEGER, - CALLBACK_URL VARCHAR(2048), - SCOPE VARCHAR(2048), - AUTHORIZED VARCHAR(128), - 
OAUTH_VERIFIER VARCHAR(512), - AUTHZ_USER VARCHAR(512), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (REQUEST_TOKEN), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_ACCESS_TOKEN ( - ACCESS_TOKEN VARCHAR(255), - ACCESS_TOKEN_SECRET VARCHAR(512), - CONSUMER_KEY_ID INTEGER, - SCOPE VARCHAR(2048), - AUTHZ_USER VARCHAR(512), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ACCESS_TOKEN), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN ( - TOKEN_ID VARCHAR (255), - ACCESS_TOKEN VARCHAR(2048), - REFRESH_TOKEN VARCHAR(2048), - CONSUMER_KEY_ID INTEGER, - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - USER_TYPE VARCHAR (25), - GRANT_TYPE VARCHAR (50), - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REFRESH_TOKEN_TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - VALIDITY_PERIOD BIGINT, - REFRESH_TOKEN_VALIDITY_PERIOD BIGINT, - TOKEN_SCOPE_HASH VARCHAR(32), - TOKEN_STATE VARCHAR(25) DEFAULT 'ACTIVE', - TOKEN_STATE_ID VARCHAR (128) DEFAULT 'NONE', - SUBJECT_IDENTIFIER VARCHAR(255), - ACCESS_TOKEN_HASH VARCHAR(512), - REFRESH_TOKEN_HASH VARCHAR(512), - IDP_ID INTEGER DEFAULT -1 NOT NULL, - TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE', - CONSENTED_TOKEN VARCHAR(6), - PRIMARY KEY (TOKEN_ID), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE, - CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH, - TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_TOKEN_BINDING ( - TOKEN_ID VARCHAR (255), - TOKEN_BINDING_TYPE VARCHAR (32), - TOKEN_BINDING_REF VARCHAR (32), - TOKEN_BINDING_VALUE VARCHAR (1024), - TENANT_ID INTEGER DEFAULT -1, - UNIQUE 
(TOKEN_ID,TOKEN_BINDING_TYPE,TOKEN_BINDING_VALUE), - FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE - )ENGINE INNODB; - - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_AUDIT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TOKEN_ID VARCHAR (255), - ACCESS_TOKEN VARCHAR(2048), - REFRESH_TOKEN VARCHAR(2048), - CONSUMER_KEY_ID INTEGER, - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - USER_TYPE VARCHAR (25), - GRANT_TYPE VARCHAR (50), - TIME_CREATED TIMESTAMP NULL, - REFRESH_TOKEN_TIME_CREATED TIMESTAMP NULL, - VALIDITY_PERIOD BIGINT, - REFRESH_TOKEN_VALIDITY_PERIOD BIGINT, - TOKEN_SCOPE_HASH VARCHAR(32), - TOKEN_STATE VARCHAR(25), - TOKEN_STATE_ID VARCHAR (128) , - SUBJECT_IDENTIFIER VARCHAR(255), - ACCESS_TOKEN_HASH VARCHAR(512), - REFRESH_TOKEN_HASH VARCHAR(512), - INVALIDATED_TIME TIMESTAMP NULL, - IDP_ID INTEGER DEFAULT -1 NOT NULL, - PRIMARY KEY(ID) - ); - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHORIZATION_CODE ( - CODE_ID VARCHAR (255), - AUTHORIZATION_CODE VARCHAR(2048), - CONSUMER_KEY_ID INTEGER, - CALLBACK_URL VARCHAR(2048), - SCOPE VARCHAR(2048), - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - VALIDITY_PERIOD BIGINT, - STATE VARCHAR (25) DEFAULT 'ACTIVE', - TOKEN_ID VARCHAR(255), - SUBJECT_IDENTIFIER VARCHAR(255), - PKCE_CODE_CHALLENGE VARCHAR(255), - PKCE_CODE_CHALLENGE_METHOD VARCHAR(128), - AUTHORIZATION_CODE_HASH VARCHAR(512), - IDP_ID INTEGER DEFAULT -1 NOT NULL, - PRIMARY KEY (CODE_ID), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHZ_CODE_SCOPE( - CODE_ID VARCHAR(255), - SCOPE VARCHAR(60), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (CODE_ID, SCOPE), - FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE (CODE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT 
EXISTS IDN_OAUTH2_DEVICE_FLOW ( - CODE_ID VARCHAR(255), - DEVICE_CODE VARCHAR(255), - USER_CODE VARCHAR(25), - QUANTIFIER INTEGER NOT NULL DEFAULT 0, - CONSUMER_KEY_ID INTEGER, - LAST_POLL_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - EXPIRY_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - POLL_TIME BIGINT, - STATUS VARCHAR (25) DEFAULT 'PENDING', - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - IDP_ID INTEGER, - PRIMARY KEY (DEVICE_CODE), - UNIQUE (CODE_ID), - CONSTRAINT USRCDE_QNTFR_CONSTRAINT UNIQUE (USER_CODE, QUANTIFIER), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_DEVICE_FLOW_SCOPES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SCOPE_ID VARCHAR(255), - SCOPE VARCHAR(255), - PRIMARY KEY (ID), - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_DEVICE_FLOW(CODE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_SCOPE ( - TOKEN_ID VARCHAR (255), - TOKEN_SCOPE VARCHAR (60), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (TOKEN_ID, TOKEN_SCOPE), - FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE ( - SCOPE_ID INTEGER NOT NULL AUTO_INCREMENT, - NAME VARCHAR(255) NOT NULL, - DISPLAY_NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(512), - TENANT_ID INTEGER NOT NULL DEFAULT -1, - SCOPE_TYPE VARCHAR(255) NOT NULL, - PRIMARY KEY (SCOPE_ID), - UNIQUE (NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_BINDING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SCOPE_ID INTEGER NOT NULL, - SCOPE_BINDING VARCHAR(255) NOT NULL, - BINDING_TYPE VARCHAR(255) NOT NULL, - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE (SCOPE_ID) ON DELETE CASCADE, - UNIQUE (SCOPE_ID, SCOPE_BINDING, BINDING_TYPE), - PRIMARY KEY (ID) 
- )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_RESOURCE_SCOPE ( - RESOURCE_PATH VARCHAR(255) NOT NULL, - SCOPE_ID INTEGER NOT NULL, - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (RESOURCE_PATH), - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE (SCOPE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_SCIM_GROUP ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - ROLE_NAME VARCHAR(255) NOT NULL, - ATTR_NAME VARCHAR(1024) NOT NULL, - ATTR_VALUE VARCHAR(1024), - UNIQUE(TENANT_ID, ROLE_NAME, ATTR_NAME), - PRIMARY KEY (ID) - )ENGINE INNODB; - - - - CREATE TABLE IF NOT EXISTS IDN_OPENID_REMEMBER_ME ( - USER_NAME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT 0, - COOKIE_VALUE VARCHAR(1024), - CREATED_TIME TIMESTAMP, - PRIMARY KEY (USER_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OPENID_USER_RPS ( - USER_NAME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT 0, - RP_URL VARCHAR(255) NOT NULL, - TRUSTED_ALWAYS VARCHAR(128) DEFAULT 'FALSE', - LAST_VISIT DATE NOT NULL, - VISIT_COUNT INTEGER DEFAULT 0, - DEFAULT_PROFILE_NAME VARCHAR(255) DEFAULT 'DEFAULT', - PRIMARY KEY (USER_NAME, TENANT_ID, RP_URL) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OPENID_ASSOCIATIONS ( - HANDLE VARCHAR(255) NOT NULL, - ASSOC_TYPE VARCHAR(255) NOT NULL, - EXPIRE_IN TIMESTAMP NOT NULL, - MAC_KEY VARCHAR(255) NOT NULL, - ASSOC_STORE VARCHAR(128) DEFAULT 'SHARED', - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (HANDLE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_STS_STORE ( - ID INTEGER AUTO_INCREMENT, - TOKEN_ID VARCHAR(255) NOT NULL, - TOKEN_CONTENT BLOB(1024) NOT NULL, - CREATE_DATE TIMESTAMP NOT NULL, - EXPIRE_DATE TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - STATE INTEGER DEFAULT 0, - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_IDENTITY_USER_DATA ( - TENANT_ID INTEGER DEFAULT -1234, - USER_NAME VARCHAR(255) NOT NULL, - DATA_KEY VARCHAR(255) NOT NULL, - DATA_VALUE 
VARCHAR(2048), - PRIMARY KEY (TENANT_ID, USER_NAME, DATA_KEY) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_IDENTITY_META_DATA ( - USER_NAME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT -1234, - METADATA_TYPE VARCHAR(255) NOT NULL, - METADATA VARCHAR(255) NOT NULL, - VALID VARCHAR(255) NOT NULL, - PRIMARY KEY (TENANT_ID, USER_NAME, METADATA_TYPE,METADATA) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_THRIFT_SESSION ( - SESSION_ID VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - CREATED_TIME VARCHAR(255) NOT NULL, - LAST_MODIFIED_TIME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (SESSION_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_STORE ( - SESSION_ID VARCHAR (100) NOT NULL, - SESSION_TYPE VARCHAR(100) NOT NULL, - OPERATION VARCHAR(10) NOT NULL, - SESSION_OBJECT BLOB, - TIME_CREATED BIGINT, - TENANT_ID INTEGER DEFAULT -1, - EXPIRY_TIME BIGINT, - PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION) - )ENGINE INNODB; - - - - - CREATE TABLE IF NOT EXISTS IDN_AUTH_TEMP_SESSION_STORE ( - SESSION_ID VARCHAR (100) NOT NULL, - SESSION_TYPE VARCHAR(100) NOT NULL, - OPERATION VARCHAR(10) NOT NULL, - SESSION_OBJECT BLOB, - TIME_CREATED BIGINT, - TENANT_ID INTEGER DEFAULT -1, - EXPIRY_TIME BIGINT, - PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_AUTH_USER ( - USER_ID VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - DOMAIN_NAME VARCHAR(255) NOT NULL, - IDP_ID INTEGER NOT NULL, - PRIMARY KEY (USER_ID), - CONSTRAINT USER_STORE_CONSTRAINT UNIQUE (USER_NAME, TENANT_ID, DOMAIN_NAME, IDP_ID)); - - CREATE TABLE IF NOT EXISTS IDN_AUTH_USER_SESSION_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - USER_ID VARCHAR(255) NOT NULL, - SESSION_ID VARCHAR(255) NOT NULL, - CONSTRAINT USER_SESSION_STORE_CONSTRAINT UNIQUE (USER_ID, SESSION_ID), - PRIMARY KEY (ID)); - - CREATE TABLE IF NOT EXISTS 
IDN_AUTH_SESSION_APP_INFO ( - SESSION_ID VARCHAR (100) NOT NULL, - SUBJECT VARCHAR (100) NOT NULL, - APP_ID INTEGER NOT NULL, - INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL, - PRIMARY KEY (SESSION_ID, SUBJECT, APP_ID, INBOUND_AUTH_TYPE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_META_DATA ( - SESSION_ID VARCHAR (100) NOT NULL, - PROPERTY_TYPE VARCHAR (100) NOT NULL, - VALUE VARCHAR (255) NOT NULL, - PRIMARY KEY (SESSION_ID, PROPERTY_TYPE, VALUE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS SP_APP ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - APP_NAME VARCHAR (255) NOT NULL , - USER_STORE VARCHAR (255) NOT NULL, - USERNAME VARCHAR (255) NOT NULL , - DESCRIPTION VARCHAR (1024), - ROLE_CLAIM VARCHAR (512), - AUTH_TYPE VARCHAR (255) NOT NULL, - PROVISIONING_USERSTORE_DOMAIN VARCHAR (512), - IS_LOCAL_CLAIM_DIALECT CHAR(1) DEFAULT '1', - IS_SEND_LOCAL_SUBJECT_ID CHAR(1) DEFAULT '0', - IS_SEND_AUTH_LIST_OF_IDPS CHAR(1) DEFAULT '0', - IS_USE_TENANT_DOMAIN_SUBJECT CHAR(1) DEFAULT '1', - IS_USE_USER_DOMAIN_SUBJECT CHAR(1) DEFAULT '1', - ENABLE_AUTHORIZATION CHAR(1) DEFAULT '0', - SUBJECT_CLAIM_URI VARCHAR (512), - IS_SAAS_APP CHAR(1) DEFAULT '0', - IS_DUMB_MODE CHAR(1) DEFAULT '0', - UUID CHAR(36), - IMAGE_URL VARCHAR(1024), - ACCESS_URL VARCHAR(1024), - IS_DISCOVERABLE CHAR(1) DEFAULT '0', - - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_NAME_CONSTRAINT UNIQUE(APP_NAME, TENANT_ID); - ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_UUID_CONSTRAINT UNIQUE(UUID); - - CREATE TABLE IF NOT EXISTS SP_METADATA ( - ID INTEGER AUTO_INCREMENT, - SP_ID INTEGER, - NAME VARCHAR(255) NOT NULL, - VALUE VARCHAR(255) NOT NULL, - DISPLAY_NAME VARCHAR(255), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ID), - CONSTRAINT SP_METADATA_CONSTRAINT UNIQUE (SP_ID, NAME), - FOREIGN KEY (SP_ID) REFERENCES SP_APP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS SP_INBOUND_AUTH ( - ID INTEGER NOT 
NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - INBOUND_AUTH_KEY VARCHAR (255), - INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL, - INBOUND_CONFIG_TYPE VARCHAR (255) NOT NULL, - PROP_NAME VARCHAR (255), - PROP_VALUE VARCHAR (1024) , - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_INBOUND_AUTH ADD CONSTRAINT APPLICATION_ID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_AUTH_STEP ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - STEP_ORDER INTEGER DEFAULT 1, - APP_ID INTEGER NOT NULL , - IS_SUBJECT_STEP CHAR(1) DEFAULT '0', - IS_ATTRIBUTE_STEP CHAR(1) DEFAULT '0', - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_AUTH_STEP ADD CONSTRAINT APPLICATION_ID_CONSTRAINT_STEP FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_FEDERATED_IDP ( - ID INTEGER NOT NULL, - TENANT_ID INTEGER NOT NULL, - AUTHENTICATOR_ID INTEGER NOT NULL, - PRIMARY KEY (ID, AUTHENTICATOR_ID) - )ENGINE INNODB; - - ALTER TABLE SP_FEDERATED_IDP ADD CONSTRAINT STEP_ID_CONSTRAINT FOREIGN KEY (ID) REFERENCES SP_AUTH_STEP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_CLAIM_DIALECT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - SP_DIALECT VARCHAR (512) NOT NULL, - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID)); - - ALTER TABLE SP_CLAIM_DIALECT ADD CONSTRAINT DIALECTID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_CLAIM_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - IDP_CLAIM VARCHAR (512) NOT NULL , - SP_CLAIM VARCHAR (512) NOT NULL , - APP_ID INTEGER NOT NULL, - IS_REQUESTED VARCHAR(128) DEFAULT '0', - IS_MANDATORY VARCHAR(128) DEFAULT '0', - DEFAULT_VALUE VARCHAR(255), - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_CLAIM_MAPPING ADD CONSTRAINT CLAIMID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) 
REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_ROLE_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - IDP_ROLE VARCHAR (255) NOT NULL , - SP_ROLE VARCHAR (255) NOT NULL , - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_ROLE_MAPPING ADD CONSTRAINT ROLEID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_REQ_PATH_AUTHENTICATOR ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - AUTHENTICATOR_NAME VARCHAR (255) NOT NULL , - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_REQ_PATH_AUTHENTICATOR ADD CONSTRAINT REQ_AUTH_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_PROVISIONING_CONNECTOR ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - IDP_NAME VARCHAR (255) NOT NULL , - CONNECTOR_NAME VARCHAR (255) NOT NULL , - APP_ID INTEGER NOT NULL, - IS_JIT_ENABLED CHAR(1) NOT NULL DEFAULT '0', - BLOCKING CHAR(1) NOT NULL DEFAULT '0', - RULE_ENABLED CHAR(1) NOT NULL DEFAULT '0', - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_PROVISIONING_CONNECTOR ADD CONSTRAINT PRO_CONNECTOR_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE SP_AUTH_SCRIPT ( - ID INTEGER AUTO_INCREMENT NOT NULL, - TENANT_ID INTEGER NOT NULL, - APP_ID INTEGER NOT NULL, - TYPE VARCHAR(255) NOT NULL, - CONTENT BLOB DEFAULT NULL, - IS_ENABLED CHAR(1) NOT NULL DEFAULT '0', - PRIMARY KEY (ID)); - - CREATE TABLE IF NOT EXISTS SP_TEMPLATE ( - ID INTEGER AUTO_INCREMENT NOT NULL, - TENANT_ID INTEGER NOT NULL, - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023), - CONTENT BLOB DEFAULT NULL, - PRIMARY KEY (ID), - CONSTRAINT SP_TEMPLATE_CONSTRAINT UNIQUE (TENANT_ID, NAME)); - - CREATE TABLE IF NOT EXISTS IDN_AUTH_WAIT_STATUS ( - ID INTEGER AUTO_INCREMENT NOT NULL, - 
TENANT_ID INTEGER NOT NULL, - LONG_WAIT_KEY VARCHAR(255) NOT NULL, - WAIT_STATUS CHAR(1) NOT NULL DEFAULT '1', - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - EXPIRE_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - PRIMARY KEY (ID), - CONSTRAINT IDN_AUTH_WAIT_STATUS_KEY UNIQUE (LONG_WAIT_KEY)); - - CREATE TABLE IF NOT EXISTS IDP ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - NAME VARCHAR(254) NOT NULL, - IS_ENABLED CHAR(1) NOT NULL DEFAULT '1', - IS_PRIMARY CHAR(1) NOT NULL DEFAULT '0', - HOME_REALM_ID VARCHAR(254), - IMAGE MEDIUMBLOB, - CERTIFICATE BLOB, - ALIAS VARCHAR(254), - INBOUND_PROV_ENABLED CHAR (1) NOT NULL DEFAULT '0', - INBOUND_PROV_USER_STORE_ID VARCHAR(254), - USER_CLAIM_URI VARCHAR(254), - ROLE_CLAIM_URI VARCHAR(254), - DESCRIPTION VARCHAR (1024), - DEFAULT_AUTHENTICATOR_NAME VARCHAR(254), - DEFAULT_PRO_CONNECTOR_NAME VARCHAR(254), - PROVISIONING_ROLE VARCHAR(128), - IS_FEDERATION_HUB CHAR(1) NOT NULL DEFAULT '0', - IS_LOCAL_CLAIM_DIALECT CHAR(1) NOT NULL DEFAULT '0', - DISPLAY_NAME VARCHAR(255), - IMAGE_URL VARCHAR(1024), - UUID CHAR(36) NOT NULL, - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, NAME), - UNIQUE (UUID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_ROLE ( - ID INTEGER AUTO_INCREMENT, - IDP_ID INTEGER, - TENANT_ID INTEGER, - ROLE VARCHAR(254), - PRIMARY KEY (ID), - UNIQUE (IDP_ID, ROLE), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_ROLE_MAPPING ( - ID INTEGER AUTO_INCREMENT, - IDP_ROLE_ID INTEGER, - TENANT_ID INTEGER, - USER_STORE_ID VARCHAR (253), - LOCAL_ROLE VARCHAR(253), - PRIMARY KEY (ID), - UNIQUE (IDP_ROLE_ID, TENANT_ID, USER_STORE_ID, LOCAL_ROLE), - FOREIGN KEY (IDP_ROLE_ID) REFERENCES IDP_ROLE(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_CLAIM ( - ID INTEGER AUTO_INCREMENT, - IDP_ID INTEGER, - TENANT_ID INTEGER, - CLAIM VARCHAR(254), - PRIMARY KEY (ID), - UNIQUE (IDP_ID, CLAIM), - FOREIGN KEY (IDP_ID) 
REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_CLAIM_MAPPING ( - ID INTEGER AUTO_INCREMENT, - IDP_CLAIM_ID INTEGER, - TENANT_ID INTEGER, - LOCAL_CLAIM VARCHAR(253), - DEFAULT_VALUE VARCHAR(255), - IS_REQUESTED VARCHAR(128) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (IDP_CLAIM_ID, TENANT_ID, LOCAL_CLAIM), - FOREIGN KEY (IDP_CLAIM_ID) REFERENCES IDP_CLAIM(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - IDP_ID INTEGER, - NAME VARCHAR(255) NOT NULL, - IS_ENABLED CHAR (1) DEFAULT '1', - DISPLAY_NAME VARCHAR(255), - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, IDP_ID, NAME), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_METADATA ( - ID INTEGER AUTO_INCREMENT, - IDP_ID INTEGER, - NAME VARCHAR(255) NOT NULL, - VALUE VARCHAR(255) NOT NULL, - DISPLAY_NAME VARCHAR(255), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ID), - CONSTRAINT IDP_METADATA_CONSTRAINT UNIQUE (IDP_ID, NAME), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR_PROPERTY ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - AUTHENTICATOR_ID INTEGER, - PROPERTY_KEY VARCHAR(255) NOT NULL, - PROPERTY_VALUE VARCHAR(2047), - IS_SECRET CHAR (1) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, AUTHENTICATOR_ID, PROPERTY_KEY), - FOREIGN KEY (AUTHENTICATOR_ID) REFERENCES IDP_AUTHENTICATOR(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_CONFIG ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - IDP_ID INTEGER, - PROVISIONING_CONNECTOR_TYPE VARCHAR(255) NOT NULL, - IS_ENABLED CHAR (1) DEFAULT '0', - IS_BLOCKING CHAR (1) DEFAULT '0', - IS_RULES_ENABLED CHAR (1) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, IDP_ID, PROVISIONING_CONNECTOR_TYPE), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE 
CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_PROV_CONFIG_PROPERTY ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - PROVISIONING_CONFIG_ID INTEGER, - PROPERTY_KEY VARCHAR(255) NOT NULL, - PROPERTY_VALUE VARCHAR(2048), - PROPERTY_BLOB_VALUE BLOB, - PROPERTY_TYPE CHAR(32) NOT NULL, - IS_SECRET CHAR (1) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, PROVISIONING_CONFIG_ID, PROPERTY_KEY), - FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_ENTITY ( - ID INTEGER AUTO_INCREMENT, - PROVISIONING_CONFIG_ID INTEGER, - ENTITY_TYPE VARCHAR(255) NOT NULL, - ENTITY_LOCAL_USERSTORE VARCHAR(255) NOT NULL, - ENTITY_NAME VARCHAR(255) NOT NULL, - ENTITY_VALUE VARCHAR(255), - TENANT_ID INTEGER, - ENTITY_LOCAL_ID VARCHAR(255), - PRIMARY KEY (ID), - UNIQUE (ENTITY_TYPE, TENANT_ID, ENTITY_LOCAL_USERSTORE, ENTITY_NAME, PROVISIONING_CONFIG_ID), - UNIQUE (PROVISIONING_CONFIG_ID, ENTITY_TYPE, ENTITY_VALUE), - FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_LOCAL_CLAIM ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - IDP_ID INTEGER, - CLAIM_URI VARCHAR(255) NOT NULL, - DEFAULT_VALUE VARCHAR(255), - IS_REQUESTED VARCHAR(128) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, IDP_ID, CLAIM_URI), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_ASSOCIATED_ID ( - ID INTEGER AUTO_INCREMENT, - IDP_USER_ID VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT -1234, - IDP_ID INTEGER NOT NULL, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - ASSOCIATION_ID CHAR(36) NOT NULL, - PRIMARY KEY (ID), - UNIQUE(IDP_USER_ID, TENANT_ID, IDP_ID), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_USER_ACCOUNT_ASSOCIATION ( - 
ASSOCIATION_KEY VARCHAR(255) NOT NULL, - TENANT_ID INTEGER, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS FIDO_DEVICE_STORE ( - TENANT_ID INTEGER, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(45) NOT NULL, - TIME_REGISTERED TIMESTAMP, - KEY_HANDLE VARCHAR(200) NOT NULL, - DEVICE_DATA VARCHAR(2048) NOT NULL, - PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME, KEY_HANDLE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS FIDO2_DEVICE_STORE ( - TENANT_ID INTEGER, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(45) NOT NULL, - TIME_REGISTERED TIMESTAMP, - USER_HANDLE VARCHAR(64) NOT NULL, - CREDENTIAL_ID VARCHAR(200) NOT NULL, - PUBLIC_KEY_COSE VARCHAR(1024) NOT NULL, - SIGNATURE_COUNT BIGINT, - USER_IDENTITY VARCHAR(512) NOT NULL, - DISPLAY_NAME VARCHAR(255), - IS_USERNAMELESS_SUPPORTED CHAR(1) DEFAULT '0', - PRIMARY KEY (CREDENTIAL_ID, USER_HANDLE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_REQUEST ( - UUID VARCHAR (45), - CREATED_BY VARCHAR (255), - TENANT_ID INTEGER DEFAULT -1, - OPERATION_TYPE VARCHAR (50), - CREATED_AT TIMESTAMP, - UPDATED_AT TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - STATUS VARCHAR (30), - REQUEST BLOB, - PRIMARY KEY (UUID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_BPS_PROFILE ( - PROFILE_NAME VARCHAR(45), - HOST_URL_MANAGER VARCHAR(255), - HOST_URL_WORKER VARCHAR(255), - USERNAME VARCHAR(100), - PASSWORD VARCHAR(1023), - CALLBACK_HOST VARCHAR (45), - CALLBACK_USERNAME VARCHAR (100), - CALLBACK_PASSWORD VARCHAR (255), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (PROFILE_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_WORKFLOW( - ID VARCHAR (45), - WF_NAME VARCHAR (45), - DESCRIPTION VARCHAR (255), - TEMPLATE_ID VARCHAR (45), - IMPL_ID VARCHAR (45), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS 
WF_WORKFLOW_ASSOCIATION( - ID INTEGER NOT NULL AUTO_INCREMENT, - ASSOC_NAME VARCHAR (45), - EVENT_ID VARCHAR(45), - ASSOC_CONDITION VARCHAR (2000), - WORKFLOW_ID VARCHAR (45), - IS_ENABLED CHAR (1) DEFAULT '1', - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY(ID), - FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_WORKFLOW_CONFIG_PARAM( - WORKFLOW_ID VARCHAR (45), - PARAM_NAME VARCHAR (45), - PARAM_VALUE VARCHAR (1000), - PARAM_QNAME VARCHAR (45), - PARAM_HOLDER VARCHAR (45), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (WORKFLOW_ID, PARAM_NAME, PARAM_QNAME, PARAM_HOLDER), - FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_REQUEST_ENTITY_RELATIONSHIP( - REQUEST_ID VARCHAR (45), - ENTITY_NAME VARCHAR (255), - ENTITY_TYPE VARCHAR (50), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY(REQUEST_ID, ENTITY_NAME, ENTITY_TYPE, TENANT_ID), - FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_WORKFLOW_REQUEST_RELATION( - RELATIONSHIP_ID VARCHAR (45), - WORKFLOW_ID VARCHAR (45), - REQUEST_ID VARCHAR (45), - UPDATED_AT TIMESTAMP, - STATUS VARCHAR (30), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (RELATIONSHIP_ID), - FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE, - FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_RECOVERY_DATA ( - USER_NAME VARCHAR(255) NOT NULL, - USER_DOMAIN VARCHAR(127) NOT NULL, - TENANT_ID INTEGER DEFAULT -1, - CODE VARCHAR(255) NOT NULL, - SCENARIO VARCHAR(255) NOT NULL, - STEP VARCHAR(127) NOT NULL, - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REMAINING_SETS VARCHAR(2500) DEFAULT NULL, - PRIMARY KEY(USER_NAME, USER_DOMAIN, TENANT_ID, SCENARIO,STEP), - UNIQUE(CODE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS 
IDN_PASSWORD_HISTORY_DATA ( - ID INTEGER NOT NULL AUTO_INCREMENT, - USER_NAME VARCHAR(255) NOT NULL, - USER_DOMAIN VARCHAR(127) NOT NULL, - TENANT_ID INTEGER DEFAULT -1, - SALT_VALUE VARCHAR(255), - HASH VARCHAR(255) NOT NULL, - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - PRIMARY KEY(ID), - UNIQUE (USER_NAME,USER_DOMAIN,TENANT_ID,SALT_VALUE,HASH) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_DIALECT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - DIALECT_URI VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - CONSTRAINT DIALECT_URI_CONSTRAINT UNIQUE (DIALECT_URI, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM ( - ID INTEGER NOT NULL AUTO_INCREMENT, - DIALECT_ID INTEGER NOT NULL, - CLAIM_URI VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (DIALECT_ID) REFERENCES IDN_CLAIM_DIALECT(ID) ON DELETE CASCADE, - CONSTRAINT CLAIM_URI_CONSTRAINT UNIQUE (DIALECT_ID, CLAIM_URI, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPED_ATTRIBUTE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - LOCAL_CLAIM_ID INTEGER, - USER_STORE_DOMAIN_NAME VARCHAR (255) NOT NULL, - ATTRIBUTE_NAME VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - CONSTRAINT USER_STORE_DOMAIN_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, USER_STORE_DOMAIN_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_PROPERTY ( - ID INTEGER NOT NULL AUTO_INCREMENT, - LOCAL_CLAIM_ID INTEGER, - PROPERTY_NAME VARCHAR (255) NOT NULL, - PROPERTY_VALUE VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - CONSTRAINT PROPERTY_NAME_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, PROPERTY_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - 
EXT_CLAIM_ID INTEGER NOT NULL, - MAPPED_LOCAL_CLAIM_ID INTEGER NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (EXT_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - FOREIGN KEY (MAPPED_LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - CONSTRAINT EXT_TO_LOC_MAPPING_CONSTRN UNIQUE (EXT_CLAIM_ID, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_SAML2_ASSERTION_STORE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SAML2_ID VARCHAR(255) , - SAML2_ISSUER VARCHAR(255) , - SAML2_SUBJECT VARCHAR(255) , - SAML2_SESSION_INDEX VARCHAR(255) , - SAML2_AUTHN_CONTEXT_CLASS_REF VARCHAR(255) , - SAML2_ASSERTION VARCHAR(4096) , - ASSERTION BLOB , - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IDN_SAML2_ARTIFACT_STORE ( - ID INT(11) NOT NULL AUTO_INCREMENT, - SOURCE_ID VARCHAR(255) NOT NULL, - MESSAGE_HANDLER VARCHAR(255) NOT NULL, - AUTHN_REQ_DTO BLOB NOT NULL, - SESSION_ID VARCHAR(255) NOT NULL, - EXP_TIMESTAMP TIMESTAMP NOT NULL, - INIT_TIMESTAMP TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - ASSERTION_ID VARCHAR(255), - PRIMARY KEY (`ID`) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_JTI ( - JWT_ID VARCHAR(255) NOT NULL, - EXP_TIME TIMESTAMP NOT NULL , - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP , - PRIMARY KEY (JWT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_PROPERTY ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER, - CONSUMER_KEY VARCHAR(255) , - PROPERTY_KEY VARCHAR(255) NOT NULL, - PROPERTY_VALUE VARCHAR(2047) , - PRIMARY KEY (ID), - FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_REFERENCE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - CONSUMER_KEY_ID INTEGER , - CODE_ID VARCHAR(255) , - TOKEN_ID VARCHAR(255) , - SESSION_DATA_KEY VARCHAR(255), - PRIMARY KEY (ID), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE, 
- FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE, - FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE(CODE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_CLAIMS ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REQ_OBJECT_ID INTEGER, - CLAIM_ATTRIBUTE VARCHAR(255) , - ESSENTIAL CHAR(1) NOT NULL DEFAULT '0' , - VALUE VARCHAR(255) , - IS_USERINFO CHAR(1) NOT NULL DEFAULT '0', - PRIMARY KEY (ID), - FOREIGN KEY (REQ_OBJECT_ID) REFERENCES IDN_OIDC_REQ_OBJECT_REFERENCE (ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJ_CLAIM_VALUES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REQ_OBJECT_CLAIMS_ID INTEGER , - CLAIM_VALUES VARCHAR(255) , - PRIMARY KEY (ID), - FOREIGN KEY (REQ_OBJECT_CLAIMS_ID) REFERENCES IDN_OIDC_REQ_OBJECT_CLAIMS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CERTIFICATE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - NAME VARCHAR(100), - CERTIFICATE_IN_PEM BLOB, - TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID), - CONSTRAINT CERTIFICATE_UNIQUE_KEY UNIQUE (NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_SCOPE_CLAIM_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SCOPE_ID INTEGER NOT NULL, - EXTERNAL_CLAIM_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE(SCOPE_ID) ON DELETE CASCADE, - FOREIGN KEY (EXTERNAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - UNIQUE (SCOPE_ID, EXTERNAL_CLAIM_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_FUNCTION_LIBRARY ( - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023), - TYPE VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - DATA BLOB NOT NULL, - PRIMARY KEY (TENANT_ID,NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_AUTH_CODE ( - AUTH_CODE_KEY CHAR (36), - AUTH_REQ_ID CHAR (36), - ISSUED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - CONSUMER_KEY 
VARCHAR(255), - LAST_POLLED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - POLLING_INTERVAL INTEGER, - EXPIRES_IN INTEGER, - AUTHENTICATED_USER_NAME VARCHAR(255), - USER_STORE_DOMAIN VARCHAR(100), - TENANT_ID INTEGER, - AUTH_REQ_STATUS VARCHAR (100) DEFAULT 'REQUESTED', - IDP_ID INTEGER, - UNIQUE(AUTH_REQ_ID), - PRIMARY KEY (AUTH_CODE_KEY), - FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_REQUEST_SCOPES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - AUTH_CODE_KEY CHAR (36), - SCOPE VARCHAR (255), - FOREIGN KEY (AUTH_CODE_KEY) REFERENCES IDN_OAUTH2_CIBA_AUTH_CODE(AUTH_CODE_KEY) ON DELETE CASCADE, - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_FED_AUTH_SESSION_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - IDP_SESSION_ID VARCHAR(255) NOT NULL, - SESSION_ID VARCHAR(255) NOT NULL, - IDP_NAME VARCHAR(255) NOT NULL, - AUTHENTICATOR_ID VARCHAR(255), - PROTOCOL_TYPE VARCHAR(255), - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - TENANT_ID INTEGER NOT NULL DEFAULT 0, - PRIMARY KEY (ID), - UNIQUE (IDP_SESSION_ID, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_TYPE ( - ID VARCHAR(255) NOT NULL, - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023) NULL, - PRIMARY KEY (ID), - CONSTRAINT TYPE_NAME_CONSTRAINT UNIQUE (NAME) - )ENGINE INNODB; - - INSERT INTO IDN_CONFIG_TYPE (ID, NAME, DESCRIPTION) VALUES - ('9ab0ef95-13e9-4ed5-afaf-d29bed62f7bd', 'IDP_TEMPLATE', 'Template type to uniquely identify IDP templates'), - ('3c4ac3d0-5903-4e3d-aaca-38df65b33bfd', 'APPLICATION_TEMPLATE', 'Template type to uniquely identify Application templates'), - ('8ec6dbf1-218a-49bf-bc34-0d2db52d151c', 'CORS_CONFIGURATION', 'A resource type to keep the tenant CORS configurations'), - ('669b99ca-cdb0-44a6-8cae-babed3b585df', 'Publisher', 'A resource type to keep the event publisher configurations'), - 
('73f6d9ca-62f4-4566-bab9-2a930ae51ba8', 'BRANDING_PREFERENCES', 'A resource type to keep the tenant branding preferences'), - ('899c69b2-8bf7-46b5-9666-f7f99f90d6cc', 'fido-config', 'A resource type to store FIDO authenticator related preferences'), - ('7f24050f-3e3d-4a00-b10f-fd5450d6523e', 'input-validation-configurations', 'A resource type to store input validation related configurations'); - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_RESOURCE ( - ID VARCHAR(255) NOT NULL, - TENANT_ID INT NOT NULL, - NAME VARCHAR(255) NOT NULL, - CREATED_TIME TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - LAST_MODIFIED TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - HAS_FILE tinyint(1) NOT NULL, - HAS_ATTRIBUTE tinyint(1) NOT NULL, - TYPE_ID VARCHAR(255) NOT NULL, - PRIMARY KEY (ID), - CONSTRAINT NAME_TENANT_TYPE_CONSTRAINT UNIQUE (NAME, TENANT_ID, TYPE_ID) - )ENGINE INNODB; - ALTER TABLE IDN_CONFIG_RESOURCE ADD CONSTRAINT TYPE_ID_FOREIGN_CONSTRAINT FOREIGN KEY (TYPE_ID) REFERENCES - IDN_CONFIG_TYPE (ID) ON DELETE CASCADE ON UPDATE CASCADE; - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_ATTRIBUTE ( - ID VARCHAR(255) NOT NULL, - RESOURCE_ID VARCHAR(255) NOT NULL, - ATTR_KEY VARCHAR(255) NOT NULL, - ATTR_VALUE VARCHAR(1023) NULL, - PRIMARY KEY (ID), - CONSTRAINT RESOURCE_KEY_VAL_CONSTRAINT UNIQUE (RESOURCE_ID(64), ATTR_KEY(255)) - )ENGINE INNODB; - ALTER TABLE IDN_CONFIG_ATTRIBUTE ADD CONSTRAINT RESOURCE_ID_ATTRIBUTE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID) - REFERENCES IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE; - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_FILE ( - ID VARCHAR(255) NOT NULL, - VALUE BLOB NULL, - RESOURCE_ID VARCHAR(255) NOT NULL, - NAME VARCHAR(255) NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - ALTER TABLE IDN_CONFIG_FILE ADD CONSTRAINT RESOURCE_ID_FILE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID) REFERENCES - IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE; - - CREATE TABLE IDN_REMOTE_FETCH_CONFIG ( - ID VARCHAR(255) NOT NULL, - TENANT_ID INT NOT NULL, - 
IS_ENABLED CHAR(1) NOT NULL,
- REPO_MANAGER_TYPE VARCHAR(255) NOT NULL,
- ACTION_LISTENER_TYPE VARCHAR(255) NOT NULL,
- CONFIG_DEPLOYER_TYPE VARCHAR(255) NOT NULL,
- REMOTE_FETCH_NAME VARCHAR(255),
- REMOTE_RESOURCE_URI VARCHAR(255) NOT NULL,
- ATTRIBUTES_JSON MEDIUMTEXT NOT NULL,
- PRIMARY KEY (ID),
- CONSTRAINT UC_REMOTE_RESOURCE_TYPE UNIQUE (TENANT_ID, CONFIG_DEPLOYER_TYPE)
- )ENGINE INNODB;
-
- CREATE TABLE IDN_REMOTE_FETCH_REVISIONS (
- ID VARCHAR(255) NOT NULL,
- CONFIG_ID VARCHAR(255) NOT NULL,
- FILE_PATH VARCHAR(255) NOT NULL,
- FILE_HASH VARCHAR(255),
- DEPLOYED_DATE TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- LAST_SYNC_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- DEPLOYMENT_STATUS VARCHAR(255),
- ITEM_NAME VARCHAR(255),
- DEPLOY_ERR_LOG MEDIUMTEXT,
- PRIMARY KEY (ID),
- FOREIGN KEY (CONFIG_ID) REFERENCES IDN_REMOTE_FETCH_CONFIG(ID) ON DELETE CASCADE,
- CONSTRAINT UC_REVISIONS UNIQUE (CONFIG_ID, ITEM_NAME)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_MAPPING (
- ID VARCHAR(255) NOT NULL,
- USER_ID VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- FUNCTIONALITY_ID VARCHAR(255) NOT NULL,
- IS_FUNCTIONALITY_LOCKED BOOLEAN NOT NULL,
- FUNCTIONALITY_UNLOCK_TIME BIGINT NOT NULL,
- FUNCTIONALITY_LOCK_REASON VARCHAR(1023),
- FUNCTIONALITY_LOCK_REASON_CODE VARCHAR(255),
- PRIMARY KEY (ID),
- CONSTRAINT IDN_USER_FUNCTIONALITY_MAPPING_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_PROPERTY (
- ID VARCHAR(255) NOT NULL,
- USER_ID VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- FUNCTIONALITY_ID VARCHAR(255) NOT NULL,
- PROPERTY_NAME VARCHAR(255),
- PROPERTY_VALUE VARCHAR(255),
- PRIMARY KEY (ID),
- CONSTRAINT IDN_USER_FUNCTIONALITY_PROPERTY_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID, PROPERTY_NAME)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CORS_ORIGIN (
- ID INT NOT NULL AUTO_INCREMENT,
- TENANT_ID INT NOT NULL,
- ORIGIN VARCHAR(2048) NOT NULL,
- UUID CHAR(36) NOT NULL,
-
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, ORIGIN),
- UNIQUE (UUID)
- ) ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CORS_ASSOCIATION (
- IDN_CORS_ORIGIN_ID INT NOT NULL,
- SP_APP_ID INT NOT NULL,
-
- PRIMARY KEY (IDN_CORS_ORIGIN_ID, SP_APP_ID),
- FOREIGN KEY (IDN_CORS_ORIGIN_ID) REFERENCES IDN_CORS_ORIGIN (ID) ON DELETE CASCADE,
- FOREIGN KEY (SP_APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE
- ) ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENT (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- USER_ID VARCHAR(255) NOT NULL,
- APP_ID CHAR(36) NOT NULL,
- TENANT_ID INTEGER NOT NULL DEFAULT -1,
- CONSENT_ID VARCHAR(255) NOT NULL,
-
- PRIMARY KEY (ID),
- FOREIGN KEY (APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE,
- UNIQUE (USER_ID, APP_ID, TENANT_ID),
- UNIQUE (CONSENT_ID)
- ) ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENTED_SCOPES (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- CONSENT_ID VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER NOT NULL DEFAULT -1,
- SCOPE VARCHAR(255) NOT NULL,
- CONSENT BOOLEAN NOT NULL DEFAULT 1,
-
- PRIMARY KEY (ID),
- FOREIGN KEY (CONSENT_ID) REFERENCES IDN_OAUTH2_USER_CONSENT(CONSENT_ID) ON DELETE CASCADE,
- UNIQUE (CONSENT_ID, SCOPE)
- ) ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_SECRET_TYPE (
- ID VARCHAR(255) NOT NULL,
- NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023) NULL,
- PRIMARY KEY (ID),
- CONSTRAINT SECRET_TYPE_NAME_CONSTRAINT UNIQUE (NAME)
- )ENGINE INNODB;
-
- INSERT INTO IDN_SECRET_TYPE (ID, NAME, DESCRIPTION) VALUES
- ('1358bdbf-e0cc-4268-a42c-c3e0960e13f0', 'ADAPTIVE_AUTH_CALL_CHOREO', 'Secret type to uniquely identify secrets relevant to callChoreo adaptive auth function');
-
- CREATE TABLE IF NOT EXISTS IDN_SECRET (
- ID VARCHAR(255) NOT NULL,
- TENANT_ID INT NOT NULL,
- SECRET_NAME VARCHAR(255) NOT NULL,
- SECRET_VALUE VARCHAR(8000) NOT NULL,
- CREATED_TIME TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
- LAST_MODIFIED TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
- TYPE_ID VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023) NULL,
- PRIMARY KEY (ID),
- FOREIGN KEY (TYPE_ID) REFERENCES IDN_SECRET_TYPE(ID) ON DELETE CASCADE,
- UNIQUE (SECRET_NAME, TENANT_ID, TYPE_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS SP_SHARED_APP (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- MAIN_APP_ID CHAR(36) NOT NULL,
- OWNER_ORG_ID CHAR(36) NOT NULL,
- SHARED_APP_ID CHAR(36) NOT NULL,
- SHARED_ORG_ID CHAR(36) NOT NULL,
- SHARE_WITH_ALL_CHILDREN BOOLEAN DEFAULT FALSE,
- PRIMARY KEY (ID),
- FOREIGN KEY (MAIN_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE,
- FOREIGN KEY (SHARED_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE,
- UNIQUE (MAIN_APP_ID, OWNER_ORG_ID, SHARED_ORG_ID),
- UNIQUE (SHARED_APP_ID)
- )ENGINE INNODB;
-
- -- --------------------------- INDEX CREATION -----------------------------
- -- IDN_OAUTH2_ACCESS_TOKEN --
- CREATE INDEX IDX_TC ON IDN_OAUTH2_ACCESS_TOKEN(TIME_CREATED);
- CREATE INDEX IDX_ATH ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN_HASH);
- CREATE INDEX IDX_AT_TI_UD ON IDN_OAUTH2_ACCESS_TOKEN(AUTHZ_USER, TENANT_ID, TOKEN_STATE, USER_DOMAIN);
- CREATE INDEX IDX_AT_RTH ON IDN_OAUTH2_ACCESS_TOKEN(REFRESH_TOKEN_HASH);
- CREATE INDEX IDX_AT_CKID_AU_TID_UD_TSH_TS ON IDN_OAUTH2_ACCESS_TOKEN(CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, TOKEN_SCOPE_HASH, TOKEN_STATE);
-
- -- IDN_OAUTH2_AUTHORIZATION_CODE --
- CREATE INDEX IDX_AUTHORIZATION_CODE_HASH ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHORIZATION_CODE_HASH, CONSUMER_KEY_ID);
- CREATE INDEX IDX_AUTHORIZATION_CODE_AU_TI ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHZ_USER, TENANT_ID, USER_DOMAIN, STATE);
- CREATE INDEX IDX_AC_CKID ON IDN_OAUTH2_AUTHORIZATION_CODE(CONSUMER_KEY_ID);
- CREATE INDEX IDX_AC_TID ON IDN_OAUTH2_AUTHORIZATION_CODE(TOKEN_ID);
-
- -- IDN_SCIM_GROUP --
- CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME);
- CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN_AN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, ATTR_NAME(500));
-
- -- IDN_AUTH_SESSION_STORE --
- CREATE INDEX IDX_IDN_AUTH_SESSION_TIME ON IDN_AUTH_SESSION_STORE (TIME_CREATED);
- CREATE INDEX IDX_IDN_AUTH_SSTR_ST_OP_ID_TM ON IDN_AUTH_SESSION_STORE (OPERATION, SESSION_TYPE, SESSION_ID, TIME_CREATED);
- CREATE INDEX IDX_IDN_AUTH_SSTR_ET_ID ON IDN_AUTH_SESSION_STORE (EXPIRY_TIME, SESSION_ID);
-
- -- IDN_AUTH_TEMP_SESSION_STORE --
- CREATE INDEX IDX_IDN_AUTH_TMP_SESSION_TIME ON IDN_AUTH_TEMP_SESSION_STORE (TIME_CREATED);
-
- -- IDN_OIDC_SCOPE_CLAIM_MAPPING --
- CREATE INDEX IDX_AT_SI_ECI ON IDN_OIDC_SCOPE_CLAIM_MAPPING(SCOPE_ID, EXTERNAL_CLAIM_ID);
-
- -- IDN_OAUTH2_SCOPE --
- CREATE INDEX IDX_SC_TID ON IDN_OAUTH2_SCOPE(TENANT_ID);
-
- -- IDN_OAUTH2_SCOPE_BINDING --
- CREATE INDEX IDX_SB_SCPID ON IDN_OAUTH2_SCOPE_BINDING(SCOPE_ID);
-
- -- IDN_OIDC_REQ_OBJECT_REFERENCE --
- CREATE INDEX IDX_OROR_TID ON IDN_OIDC_REQ_OBJECT_REFERENCE(TOKEN_ID);
-
- -- IDN_OAUTH2_ACCESS_TOKEN_SCOPE --
- CREATE INDEX IDX_ATS_TID ON IDN_OAUTH2_ACCESS_TOKEN_SCOPE(TOKEN_ID);
-
- -- SP_TEMPLATE --
- CREATE INDEX IDX_SP_TEMPLATE ON SP_TEMPLATE (TENANT_ID, NAME);
-
- -- IDN_AUTH_USER --
- CREATE INDEX IDX_AUTH_USER_UN_TID_DN ON IDN_AUTH_USER (USER_NAME, TENANT_ID, DOMAIN_NAME);
- CREATE INDEX IDX_AUTH_USER_DN_TOD ON IDN_AUTH_USER (DOMAIN_NAME, TENANT_ID);
-
- -- IDN_AUTH_USER_SESSION_MAPPING --
- CREATE INDEX IDX_USER_ID ON IDN_AUTH_USER_SESSION_MAPPING (USER_ID);
- CREATE INDEX IDX_SESSION_ID ON IDN_AUTH_USER_SESSION_MAPPING (SESSION_ID);
-
- -- IDN_AUTH_SESSION_APP_INFO --
- CREATE INDEX IDX_AUTH_SAI_UN_AID_SID ON IDN_AUTH_SESSION_APP_INFO (APP_ID, SUBJECT, SESSION_ID);
-
- -- IDN_OAUTH_CONSUMER_APPS --
- CREATE INDEX IDX_OCA_UM_TID_UD_APN ON IDN_OAUTH_CONSUMER_APPS(USERNAME,TENANT_ID,USER_DOMAIN, APP_NAME);
-
- -- IDX_SPI_APP --
- CREATE INDEX IDX_SPI_APP ON SP_INBOUND_AUTH(APP_ID);
-
- -- IDN_OIDC_PROPERTY --
- CREATE INDEX IDX_IOP_CK ON IDN_OIDC_PROPERTY(CONSUMER_KEY);
-
- -- IDN_FIDO2_PROPERTY --
- CREATE INDEX IDX_FIDO2_STR ON FIDO2_DEVICE_STORE(USER_NAME, TENANT_ID, DOMAIN_NAME, CREDENTIAL_ID, USER_HANDLE);
-
- -- IDN_ASSOCIATED_ID --
- CREATE INDEX IDX_AI_DN_UN_AI ON IDN_ASSOCIATED_ID(DOMAIN_NAME, USER_NAME, ASSOCIATION_ID);
-
- -- IDN_OAUTH2_TOKEN_BINDING --
- CREATE INDEX IDX_IDN_AUTH_BIND ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_REF);
- CREATE INDEX IDX_TK_VALUE_TYPE ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_VALUE, TOKEN_BINDING_TYPE);
-
- -- IDN_FED_AUTH_SESSION_MAPPING --
- CREATE INDEX IDX_FEDERATED_AUTH_SESSION_ID ON IDN_FED_AUTH_SESSION_MAPPING (SESSION_ID);
-
- -- IDN_REMOTE_FETCH_REVISIONS --
- CREATE INDEX IDX_REMOTE_FETCH_REVISION_CONFIG_ID ON IDN_REMOTE_FETCH_REVISIONS (CONFIG_ID);
-
- -- IDN_CORS_ASSOCIATION --
- CREATE INDEX IDX_CORS_SP_APP_ID ON IDN_CORS_ASSOCIATION (SP_APP_ID);
-
- -- IDN_CORS_ASSOCIATION --
- CREATE INDEX IDX_CORS_ORIGIN_ID ON IDN_CORS_ASSOCIATION (IDN_CORS_ORIGIN_ID);
-
- CREATE TABLE CM_PII_CATEGORY (
- ID INTEGER AUTO_INCREMENT,
- NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023),
- DISPLAY_NAME VARCHAR(255),
- IS_SENSITIVE INTEGER NOT NULL,
- TENANT_ID INTEGER DEFAULT '-1234',
- UNIQUE KEY (NAME, TENANT_ID),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_RECEIPT (
- CONSENT_RECEIPT_ID VARCHAR(255) NOT NULL,
- VERSION VARCHAR(255) NOT NULL,
- JURISDICTION VARCHAR(255) NOT NULL,
- CONSENT_TIMESTAMP TIMESTAMP NOT NULL,
- COLLECTION_METHOD VARCHAR(255) NOT NULL,
- LANGUAGE VARCHAR(255) NOT NULL,
- PII_PRINCIPAL_ID VARCHAR(255) NOT NULL,
- PRINCIPAL_TENANT_ID INTEGER DEFAULT '-1234',
- POLICY_URL VARCHAR(255) NOT NULL,
- STATE VARCHAR(255) NOT NULL,
- PII_CONTROLLER VARCHAR(2048) NOT NULL,
- PRIMARY KEY (CONSENT_RECEIPT_ID)
- );
-
- CREATE TABLE CM_PURPOSE (
- ID INTEGER AUTO_INCREMENT,
- NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023),
- PURPOSE_GROUP VARCHAR(255) NOT NULL,
- GROUP_TYPE VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER DEFAULT '-1234',
- UNIQUE KEY (NAME, TENANT_ID, PURPOSE_GROUP, GROUP_TYPE),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_PURPOSE_CATEGORY (
- ID INTEGER AUTO_INCREMENT,
- NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023),
- TENANT_ID INTEGER DEFAULT '-1234',
- UNIQUE KEY (NAME, TENANT_ID),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_RECEIPT_SP_ASSOC (
- ID INTEGER AUTO_INCREMENT,
- CONSENT_RECEIPT_ID VARCHAR(255) NOT NULL,
- SP_NAME VARCHAR(255) NOT NULL,
- SP_DISPLAY_NAME VARCHAR(255),
- SP_DESCRIPTION VARCHAR(1024),
- SP_TENANT_ID INTEGER DEFAULT '-1234',
- UNIQUE KEY (CONSENT_RECEIPT_ID, SP_NAME, SP_TENANT_ID),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_SP_PURPOSE_ASSOC (
- ID INTEGER AUTO_INCREMENT,
- RECEIPT_SP_ASSOC INTEGER NOT NULL,
- PURPOSE_ID INTEGER NOT NULL,
- CONSENT_TYPE VARCHAR(255) NOT NULL,
- IS_PRIMARY_PURPOSE INTEGER NOT NULL,
- TERMINATION VARCHAR(255) NOT NULL,
- THIRD_PARTY_DISCLOSURE INTEGER NOT NULL,
- THIRD_PARTY_NAME VARCHAR(255),
- UNIQUE KEY (RECEIPT_SP_ASSOC, PURPOSE_ID),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_SP_PURPOSE_PURPOSE_CAT_ASSC (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- SP_PURPOSE_ASSOC_ID INTEGER NOT NULL,
- PURPOSE_CATEGORY_ID INTEGER NOT NULL,
- UNIQUE KEY (SP_PURPOSE_ASSOC_ID, PURPOSE_CATEGORY_ID),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_PURPOSE_PII_CAT_ASSOC (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- PURPOSE_ID INTEGER NOT NULL,
- CM_PII_CATEGORY_ID INTEGER NOT NULL,
- IS_MANDATORY INTEGER NOT NULL,
- UNIQUE KEY (PURPOSE_ID, CM_PII_CATEGORY_ID),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_SP_PURPOSE_PII_CAT_ASSOC (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- SP_PURPOSE_ASSOC_ID INTEGER NOT NULL,
- PII_CATEGORY_ID INTEGER NOT NULL,
- VALIDITY VARCHAR(1023),
- IS_CONSENTED BOOLEAN DEFAULT TRUE,
- UNIQUE KEY (SP_PURPOSE_ASSOC_ID, PII_CATEGORY_ID),
- PRIMARY KEY (ID)
- );
-
- CREATE TABLE CM_CONSENT_RECEIPT_PROPERTY (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- CONSENT_RECEIPT_ID VARCHAR(255) NOT NULL,
- NAME VARCHAR(255) NOT NULL,
- VALUE VARCHAR(1023) NOT NULL,
- UNIQUE KEY (CONSENT_RECEIPT_ID, NAME),
- PRIMARY KEY (ID)
- );
-
- ALTER TABLE CM_RECEIPT_SP_ASSOC
- ADD CONSTRAINT CM_RECEIPT_SP_ASSOC_fk0 FOREIGN KEY (CONSENT_RECEIPT_ID) REFERENCES CM_RECEIPT (CONSENT_RECEIPT_ID);
-
- ALTER TABLE CM_SP_PURPOSE_ASSOC
- ADD CONSTRAINT CM_SP_PURPOSE_ASSOC_fk0 FOREIGN KEY (RECEIPT_SP_ASSOC) REFERENCES CM_RECEIPT_SP_ASSOC (ID);
-
- ALTER TABLE CM_SP_PURPOSE_ASSOC
- ADD CONSTRAINT CM_SP_PURPOSE_ASSOC_fk1 FOREIGN KEY (PURPOSE_ID) REFERENCES CM_PURPOSE (ID);
-
- ALTER TABLE CM_SP_PURPOSE_PURPOSE_CAT_ASSC
- ADD CONSTRAINT CM_SP_P_P_CAT_ASSOC_fk0 FOREIGN KEY (SP_PURPOSE_ASSOC_ID) REFERENCES CM_SP_PURPOSE_ASSOC (ID);
-
- ALTER TABLE CM_SP_PURPOSE_PURPOSE_CAT_ASSC
- ADD CONSTRAINT CM_SP_P_P_CAT_ASSOC_fk1 FOREIGN KEY (PURPOSE_CATEGORY_ID) REFERENCES CM_PURPOSE_CATEGORY (ID);
-
- ALTER TABLE CM_SP_PURPOSE_PII_CAT_ASSOC
- ADD CONSTRAINT CM_SP_P_PII_CAT_ASSOC_fk0 FOREIGN KEY (SP_PURPOSE_ASSOC_ID) REFERENCES CM_SP_PURPOSE_ASSOC (ID);
-
- ALTER TABLE CM_SP_PURPOSE_PII_CAT_ASSOC
- ADD CONSTRAINT CM_SP_P_PII_CAT_ASSOC_fk1 FOREIGN KEY (PII_CATEGORY_ID) REFERENCES CM_PII_CATEGORY (ID);
-
- ALTER TABLE CM_CONSENT_RECEIPT_PROPERTY
- ADD CONSTRAINT CM_CONSENT_RECEIPT_PRT_fk0 FOREIGN KEY (CONSENT_RECEIPT_ID) REFERENCES CM_RECEIPT (CONSENT_RECEIPT_ID);
-
- INSERT INTO CM_PURPOSE (NAME, DESCRIPTION, PURPOSE_GROUP, GROUP_TYPE, TENANT_ID) VALUES ('DEFAULT', 'For core functionalities of the product', 'DEFAULT', 'SP', '-1234');
-
- INSERT INTO CM_PURPOSE_CATEGORY (NAME, DESCRIPTION, TENANT_ID) VALUES ('DEFAULT','For core functionalities of the product', '-1234');
-
diff --git a/advanced/is-pattern-1/Chart.yaml b/advanced/is-pattern-1/Chart.yaml
deleted file mode 100755
index 66c2e248..00000000
--- a/advanced/is-pattern-1/Chart.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright (c) 2018, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-appVersion: "6.1.0"
-description: A Helm chart for the deployment of WSO2 Identity And Access Management pattern 1
-name: is-pattern-1
-version: 6.1.0-1
-icon: https://wso2.cachefly.net/wso2/sites/all/images/wso2logo.svg
diff --git a/advanced/is-pattern-1/README.md b/advanced/is-pattern-1/README.md
deleted file mode 100644
index 5c2be198..00000000
--- a/advanced/is-pattern-1/README.md
+++ /dev/null
@@ -1,295 +0,0 @@ -# Helm Chart for a clustered deployment of WSO2 Identity Server - -Resources for building a Helm chart for a clustered deployment of WSO2 Identity Server. - -![A clustered deployment of WSO2 Identity Server](https://is.docs.wso2.com/en/latest/assets/img/setup/component-diagram.png) - -For advanced details on the deployment pattern, please refer the official -[documentation](https://is.docs.wso2.com/en/latest/setup/deployment-guide/#deployment-patterns). - -## Contents - -* [Prerequisites](#prerequisites) -* [Quick Start Guide](#quick-start-guide) -* [Configuration](#configuration) -* [Runtime Artifact Persistence and Sharing](#runtime-artifact-persistence-and-sharing) -* [Managing Java Keystores and Truststores](#managing-java-keystores-and-truststores) -* [Centralized Logging](#centralized-logging) - -## Prerequisites - -* WSO2 product Docker images used for the Kubernetes deployment. - - From Identity Server 6.0.0 onwards, WSO2 product Docker images are no longer available at [DockerHub](https://hub.docker.com/u/wso2/). - - For a production grade deployment of the desired WSO2 product-version, it is highly recommended to use the relevant - Docker image which packages WSO2 Updates, available at [WSO2 Private Docker Registry](https://docker.wso2.com/). In order - to use these images, you need an active [WSO2 Subscription](https://wso2.com/subscription). -

- -* Install [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git), [Helm](https://helm.sh/docs/intro/install/) - and [Kubernetes client](https://kubernetes.io/docs/tasks/tools/install-kubectl/) in order to run the steps provided in the - following quick start guide.

- -* An already setup [Kubernetes cluster](https://kubernetes.io/docs/setup).

- -* Ensure Kubernetes cluster has enough resources - -* Install [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/deploy/).

- -* Add the WSO2 Helm chart repository. - - ``` - helm repo add wso2 https://helm.wso2.com && helm repo update - ``` - -## Quick Start Guide - -### 1. Install the Helm Chart - -You can install the relevant Helm chart either from [WSO2 Helm Chart Repository](https://artifacthub.io/packages/search?page=1&repo=wso2) or by source. - -**Note:** - -* `NAMESPACE` should be the Kubernetes Namespace in which the resources are deployed. - -#### Install Chart From [WSO2 Helm Chart Repository](https://artifacthub.io/packages/search?page=1&repo=wso2) - - **Helm version 2** - - ``` - helm install --name wso2/is-pattern-1 --version 6.1.0-1 --namespace --set wso2.subscription.username= --set wso2.subscription.password= - ``` - - **Helm version 3** - - - Create the Kubernetes Namespace. - - ``` - kubectl create ns - ``` - - - Deploy the Kubernetes resources using the Helm Chart - - ``` - helm install wso2/is-pattern-1 --version 6.1.0-1 --namespace --set wso2.subscription.username= --set wso2.subscription.password= - ``` - -Please provide your WSO2 Subscription Credentials via input values (using `--set` argument). - -#### Install Chart From Source - ->In the context of this document,
->* `KUBERNETES_HOME` will refer to a local copy of the [`wso2/kubernetes-is`](https://github.com/wso2/kubernetes-is/) -Git repository.
->* `HELM_HOME` will refer to `/advanced`.
- -##### Clone the Helm Resources for WSO2 Identity Server Git repository. - -``` -git clone https://github.com/wso2/kubernetes-is.git -``` - -##### Update dependencies of mysql-is chart -``` -helm dependency update /databases/mysql-is -``` - -##### Update dependencies of is-pattern-1 chart -``` -helm dependency update /is-pattern-1 -``` - -##### Deploy Helm chart for a clustered deployment of WSO2 Identity Server. - - **Helm version 2** - - ``` - helm install --name /is-pattern-1 --namespace --set wso2.subscription.username= --set wso2.subscription.password= - ``` - - **Helm version 3** - - - Create the Kubernetes Namespace to which you desire to deploy the Kubernetes resources. - - ``` - kubectl create ns - ``` - - - Deploy the Kubernetes resources using the Helm Chart - - ``` - helm install /is-pattern-1 --namespace --set wso2.subscription.username= --set wso2.subscription.password= - ``` - -### 2. Obtain the external IP - -Obtain the external IP (`EXTERNAL-IP`) of the Identity Server Ingress resource, by listing down the Kubernetes Ingresses. - -``` -kubectl get ing -n -``` - -The output under the relevant column stands for the following. - -- NAME: Metadata name of the Kubernetes Ingress resource (defaults to `wso2is-pattern-1-identity-server-ingress`) -- HOSTS: Hostname of the WSO2 Identity service (``) -- ADDRESS: External IP (`EXTERNAL-IP`) exposing the Identity service to outside of the Kubernetes environment -- PORTS: Externally exposed service ports of the Identity service - -### 3. Add a DNS record mapping the hostname and the external IP - -If the defined hostname (in the previous step) is backed by a DNS service, add a DNS record mapping the hostname and -the external IP (`EXTERNAL-IP`) in the relevant DNS service. - -If the defined hostname is not backed by a DNS service, for the purpose of evaluation you may add an entry mapping the -hostname and the external IP in the `/etc/hosts` file at the client-side. - -``` - -``` - -### 4. 
Access Management Console, Console and My Account - -- Identity Server's Carbon Management Console: `https:///carbon` -- Identity Server's Console: `https:///console` -- Identity Server's My Account: `https:///myaccount` - -## Configuration - -The following tables lists the configurable parameters of the chart and their default values. - -###### WSO2 Subscription Configurations - -| Parameter | Description | Default Value | -|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-----------------------------| -| `wso2.subscription.username` | Your WSO2 Subscription username | - | -| `wso2.subscription.password` | Your WSO2 Subscription password | - | - -> If you do not have an active WSO2 subscription, **do not change** the parameters `wso2.subscription.username` and `wso2.subscription.password`. - -###### Chart Dependencies - -| Parameter | Description | Default Value | -|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-----------------------------| -| `wso2.deployment.dependencies.mysql.enabled` | Enable the deployment and usage of WSO2 IAM MySQL based Helm Chart | true | - -> We recommend you to persist the database data of the Kubernetes based MySQL deployment using an appropriate [Kubernetes StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/). -> You can achieve this by setting the property `mysql-is.mysql.persistence.storageClass` to the desired StorageClass. - -> **Important:** In a production grade deployment, it is highly recommended to host the product databases in an external database server. 
- -###### Persistent Runtime Artifact Configurations - -| Parameter | Description | Default Value | -|---------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-----------------------------| -| `wso2.deployment.persistentRuntimeArtifacts.storageClass` | Appropriate Kubernetes Storage Class | - | -| `wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.enabled` | Enable persistence/sharing of runtime artifacts between instances of the Identity Server profile | false | -| `wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.capacity.tenants` | Capacity for tenant data between Identity Server instances | 100M | -| `wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.capacity.userstores` | Capacity for secondary user stores between Identity Server instances | 50M | - -> Please refer to the section [Runtime Artifact Persistence and Sharing](#runtime-artifact-persistence-and-sharing) for details. 
- -###### Identity Server Configurations - -| Parameter | Description | Default Value | -|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-----------------------------| -| `wso2.deployment.wso2is.dockerRegistry` | Registry location of the Docker image to be used to create Identity Server instances | - | -| `wso2.deployment.wso2is.imageName` | Name of the Docker image to be used to create Identity Server instances | `wso2is` | -| `wso2.deployment.wso2is.imageTag` | Tag of the image used to create Identity Server instances | `5.11.0` | -| `wso2.deployment.wso2is.imagePullPolicy` | Refer to [doc](https://kubernetes.io/docs/concepts/containers/images#updating-images) | `Always` | -| `wso2.deployment.wso2is.replicas` | Number of replicas for IS node | 2 | -| `wso2.deployment.wso2is.startupProbe.initialDelaySeconds` | Initial delay for the startup probe for IS node | 60 | -| `wso2.deployment.wso2is.startupProbe.periodSeconds` | Period of the startup probe for IS node | 5 | -| `wso2.deployment.wso2is.startupProbe.failureThreshold` | Failed attempt count threshold of startup probe for IS node | 30 | -| `wso2.deployment.wso2is.livenessProbe.periodSeconds` | Period of the live-ness probe for IS node | 10 | -| `wso2.deployment.wso2is.readinessProbe.initialDelaySeconds` | Initial delay for the readiness probe for IS node | 60 | -| `wso2.deployment.wso2is.readinessProbe.periodSeconds` | Period of the readiness probe for IS node | 10 | -| `wso2.deployment.wso2is.resources.requests.memory` | The minimum amount of memory that should be allocated for a Pod | 2Gi | -| `wso2.deployment.wso2is.resources.requests.cpu` | The minimum amount of CPU that should be allocated for a Pod | 1000m | -| `wso2.deployment.wso2is.resources.limits.memory` | The maximum amount of memory that should be allocated for a Pod | 4Gi | -| `wso2.deployment.wso2is.resources.limits.cpu` | 
The maximum amount of CPU that should be allocated for a Pod | 2000m | -| `wso2.deployment.wso2is.resources.jvm.heap.memory.xms` | The initial memory allocation for JVM Heap | 1024m | -| `wso2.deployment.wso2is.resources.jvm.heap.memory.xmx` | The maximum memory allocation for JVM Heap | 2048m | -| `wso2.deployment.wso2is.config` | Custom deployment configuration file (`/repository/conf/deployment.toml`) | - | -| `wso2.deployment.wso2is.ingress.className` | Name of the Kubernetes IngressClass resource to use | - | -| `wso2.deployment.wso2is.ingress.identity.hostname` | Hostname for for Identity service | `identity.wso2.com` | -| `wso2.deployment.wso2is.ingress.identity.annotations` | Ingress resource annotations for Identity service | Community NGINX Ingress controller annotations | - -> The above referenced default, minimum resource amounts for running WSO2 Identity Server profiles are based on its [official documentation](https://is.docs.wso2.com/en/latest/setup/installation-prerequisites/). - -> The above referenced JVM settings are based on its [official documentation](https://is.docs.wso2.com/en/latest/setup/performance-tuning-recommendations/#jvm-settings). 
- -###### Centralized Logging Configurations - -| Parameter | Description | Default Value | -|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-----------------------------| -| `wso2.centralizedLogging.enabled` | Enable Centralized logging for WSO2 components | false | -| `wso2.centralizedLogging.logstash.imageTag` | Logstash Sidecar container image tag | `7.8.1` | -| `wso2.centralizedLogging.logstash.elasticsearch.username` | Elasticsearch username | `elastic` | -| `wso2.centralizedLogging.logstash.elasticsearch.password` | Elasticsearch password | `changeme` | - -###### Monitoring Configurations - -| Parameter | Description | Default Value | -|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-----------------------------| -| `wso2.monitoring.enabled` | Enable Prometheus monitoring | false | -| `wso2.monitoring.prometheus.jmxJobName` | Prometheus job name | `jmx` | -| `wso2.monitoring.prometheus.serviceMonitor.labels` | Prometheus labels for identifying Service Monitor | `release: monitoring` | -| `wso2.monitoring.prometheus.serviceMonitor.blackBoxNamespace` | Prometheus blackbox exporter namespace | | - -## Runtime Artifact Persistence and Sharing - -* In a production grade deployment, it is highly recommended to enable persistence and sharing of runtime artifacts such as, user stores and tenant data - between instances of the Identity Server profile (i.e. set `wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.enabled` to true). - -* It is **mandatory** to set an appropriate Kubernetes StorageClass when you enable this feature. 
Only persistent storage solutions supporting - `ReadWriteMany` [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) - are applicable for `wso2.deployment.persistentRuntimeArtifacts.storageClass`. - -* Please refer to the [official WSO2 container guide](https://github.com/wso2/container-guide/blob/master/store/Persisting_And_Sharing.md#recommended-storage-options-for-wso2-products) - for advanced details with regard to WSO2 recommended, storage options. - -## Managing Java Keystores and Truststores - -For advanced details with regard to managing Java keystores and truststores in a container based WSO2 product deployment -please refer to the [official WSO2 container guide](https://github.com/wso2/container-guide/blob/master/deploy/Managing_Keystores_And_Truststores.md). - -## Centralized Logging - -* Centralized logging with Logstash and Elasticsearch is disabled, by default. - -* However, if it is required to be enabled, the following steps should be adopted. - -1. Set `wso2.centralizedLogging.enabled` to `true` in the [values.yaml](values.yaml) file. - -2. Add Elasticsearch Helm repository to download sub-charts required for centralized logging. - - ``` - helm repo add elasticsearch https://helm.elastic.co - ``` - -3. Add the following dependencies in the [requirements.yaml](requirements.yaml) file. - - ``` - dependencies: - - name: kibana - version: "7.8.1" - repository: "https://helm.elastic.co" - condition: wso2.centralizedLogging.enabled - - name: elasticsearch - version: "7.8.1" - repository: "https://helm.elastic.co" - condition: wso2.centralizedLogging.enabled - - ``` - -4. Add override configurations for Elasticsearch in the [values.yaml](values.yaml) file. - - ``` - wso2: - ( ... ) - - elasticsearch: - clusterName: wso2-elasticsearch - ``` diff --git a/advanced/is-pattern-1/auth.json b/advanced/is-pattern-1/auth.json deleted file mode 100644 index ba7779b5..00000000 --- a/advanced/is-pattern-1/auth.json +++ /dev/null 
@@ -1,10 +0,0 @@
-{
- "auths": {
- "reg.id": {
- "username": "reg.username",
- "password": "reg.password",
- "email": "reg.email",
- "auth": "reg.auth"
- }
- }
-}
diff --git a/advanced/is-pattern-1/requirements.yaml b/advanced/is-pattern-1/requirements.yaml
deleted file mode 100644
index d53e0011..00000000
--- a/advanced/is-pattern-1/requirements.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-dependencies:
- - name: mysql-is
- version: "6.1.0-1"
- repository: "file://../databases/mysql-is"
- condition: wso2.deployment.dependencies.mysql.enabled
diff --git a/advanced/is-pattern-1/templates/NOTES.txt b/advanced/is-pattern-1/templates/NOTES.txt
deleted file mode 100644
index 4c69bce2..00000000
--- a/advanced/is-pattern-1/templates/NOTES.txt
+++ /dev/null
@@ -1,32 +0,0 @@ -Thank you for installing WSO2 Identity Server. - -Please follow these steps to access the Management Console. - -1. Obtain the external IP (`EXTERNAL-IP`) of the Identity service Ingress resource, by listing down the Kubernetes Ingresses. - - kubectl get ing -n {{ .Release.Namespace }} - - The output under the relevant column stands for the following. - - - NAME: Metadata name of the Kubernetes Ingress resource (defaults to {{ template "is-pattern-1.resource.prefix" . }}-identity-server-ingress) - - HOSTS: Hostname of the WSO2 Identity service ({{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }}) - - ADDRESS: External IP (`EXTERNAL-IP`) exposing the Identity service to outside of the Kubernetes environment - - PORTS: Externally exposed service ports of the Identity service - -2. Add a DNS record mapping the Identity service hostname and the external IP. - - If the defined hostname (i.e. {{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }}) is backed by a DNS service, add a DNS record mapping the hostname and - the external IP (`EXTERNAL-IP`) in the relevant DNS service. - - If the defined hostname is not backed by a DNS service, for the purpose of evaluation you may add an entry mapping the - hostname and the external IP in the `/etc/hosts` file at the client-side. - - {{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }} - -3. Navigate to Management Console, Console and My Account URLs in your browser of choice. - - - Mgt Console: https://{{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }}/carbon - - Console: https://{{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }}/console - - My Account: https://{{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }}/myaccount - -Please refer the official documentation at https://is.docs.wso2.com/en/latest for additional information on WSO2 Identity Server. 
diff --git a/advanced/is-pattern-1/templates/_helpers.tpl b/advanced/is-pattern-1/templates/_helpers.tpl
deleted file mode 100644
index 4d6301e5..00000000
--- a/advanced/is-pattern-1/templates/_helpers.tpl
+++ /dev/null
@@ -1,82 +0,0 @@ -{{/* -Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at -http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "is-pattern-1.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "is-pattern-1.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "is-pattern-1.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "is-pattern-1.labels" -}} -app.kubernetes.io/name: {{ include "is-pattern-1.name" . }} -helm.sh/chart: {{ include "is-pattern-1.chart" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Common prefix prepended to Kubernetes resources of this chart -*/}} -{{- define "is-pattern-1.resource.prefix" -}} -{{- "wso2is-pattern-1" }} -{{- end -}} - -{{- define "image" -}} -{{- $imageName := .deployment.imageName }} -{{- $imageTag := .deployment.imageTag | default "" }} -{{- if or (eq .Values.wso2.subscription.username "") (eq .Values.wso2.subscription.password "") -}} -{{- $dockerRegistry := .deployment.dockerRegistry | default "wso2" }} -image: {{ $dockerRegistry }}/{{ $imageName }}{{- if not (eq $imageTag "") }}{{- printf ":%s" $imageTag -}}{{- end }} -{{- else }} -{{- $dockerRegistry := .deployment.dockerRegistry | default "docker.wso2.com" }} -{{- $parts := len (split "." $imageTag) }} -{{- if eq $parts 3 }} -image: {{ $dockerRegistry }}/{{ $imageName }}{{- if not (eq $imageTag "") }}:{{ $imageTag }}.0{{- end }} -{{- else }} -image: {{ $dockerRegistry }}/{{ $imageName }}{{- if not (eq $imageTag "") }}:{{ $imageTag }}{{- end }} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-bin.yaml b/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-bin.yaml deleted file mode 100644 index b876ee5e..00000000 --- a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-bin.yaml +++ /dev/null 
@@ -1,356 +0,0 @@ -# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-bin - namespace : {{ .Release.Namespace }} -data: - wso2server.sh: |- - #!/bin/sh - # ---------------------------------------------------------------------------- - # Copyright 2005-2012 WSO2, Inc. http://www.wso2.org - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - - # ---------------------------------------------------------------------------- - # Main Script for the WSO2 Carbon Server - # - # Environment Variable Prequisites - # - # CARBON_HOME Home of WSO2 Carbon installation. If not set I will try - # to figure it out. - # - # JAVA_HOME Must point at your Java Development Kit installation. - # - # JAVA_OPTS (Optional) Java runtime options used when the commands - # is executed. 
- # - # NOTE: Borrowed generously from Apache Tomcat startup scripts. - # ----------------------------------------------------------------------------- - - # OS specific support. $var _must_ be set to either true or false. - #ulimit -n 100000 - - cygwin=false; - darwin=false; - os400=false; - mingw=false; - case "`uname`" in - CYGWIN*) cygwin=true;; - MINGW*) mingw=true;; - OS400*) os400=true;; - Darwin*) darwin=true - if [ -z "$JAVA_VERSION" ] ; then - JAVA_VERSION="CurrentJDK" - else - echo "Using Java version: $JAVA_VERSION" - fi - if [ -z "$JAVA_HOME" ] ; then - JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/${JAVA_VERSION}/Home - fi - ;; - esac - - # resolve links - $0 may be a softlink - PRG="$0" - - while [ -h "$PRG" ]; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '.*/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`/"$link" - fi - done - - # Get standard environment variables - PRGDIR=`dirname "$PRG"` - - # Only set CARBON_HOME if not already set - [ -z "$CARBON_HOME" ] && CARBON_HOME=`cd "$PRGDIR/.." ; pwd` - - # Set AXIS2_HOME. Needed for One Click JAR Download - AXIS2_HOME="$CARBON_HOME" - - # For Cygwin, ensure paths are in UNIX format before anything is touched - if $cygwin; then - [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"` - [ -n "$CARBON_HOME" ] && CARBON_HOME=`cygpath --unix "$CARBON_HOME"` - [ -n "$AXIS2_HOME" ] && CARBON_HOME=`cygpath --unix "$CARBON_HOME"` - fi - - # For OS400 - if $os400; then - # Set job priority to standard for interactive (interactive - 6) by using - # the interactive priority - 6, the helper threads that respond to requests - # will be running at the same priority as interactive jobs. 
- COMMAND='chgjob job('$JOBNAME') runpty(6)' - system $COMMAND - - # Enable multi threading - QIBM_MULTI_THREADED=Y - export QIBM_MULTI_THREADED - fi - - # For Migwn, ensure paths are in UNIX format before anything is touched - if $mingw ; then - [ -n "$CARBON_HOME" ] && - CARBON_HOME="`(cd "$CARBON_HOME"; pwd)`" - [ -n "$JAVA_HOME" ] && - JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" - [ -n "$AXIS2_HOME" ] && - CARBON_HOME="`(cd "$CARBON_HOME"; pwd)`" - # TODO classpath? - fi - - if [ -z "$JAVACMD" ] ; then - if [ -n "$JAVA_HOME" ] ; then - if [ -x "$JAVA_HOME/jre/sh/java" ] ; then - # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" - else - JAVACMD="$JAVA_HOME/bin/java" - fi - else - JAVACMD=java - fi - fi - - if [ ! -x "$JAVACMD" ] ; then - echo "Error: JAVA_HOME is not defined correctly." - echo " CARBON cannot execute $JAVACMD" - exit 1 - fi - - # if JAVA_HOME is not set we're not happy - if [ -z "$JAVA_HOME" ]; then - echo "You must set the JAVA_HOME variable before running CARBON." 
- exit 1 - fi - - if [ -e "$CARBON_HOME/wso2carbon.pid" ]; then - PID=`cat "$CARBON_HOME"/wso2carbon.pid` - fi - - # ----- Process the input command ---------------------------------------------- - args="" - for c in $* - do - if [ "$c" = "--debug" ] || [ "$c" = "-debug" ] || [ "$c" = "debug" ]; then - CMD="--debug" - continue - elif [ "$CMD" = "--debug" ]; then - if [ -z "$PORT" ]; then - PORT=$c - fi - elif [ "$c" = "--stop" ] || [ "$c" = "-stop" ] || [ "$c" = "stop" ]; then - CMD="stop" - elif [ "$c" = "--start" ] || [ "$c" = "-start" ] || [ "$c" = "start" ]; then - CMD="start" - elif [ "$c" = "--version" ] || [ "$c" = "-version" ] || [ "$c" = "version" ]; then - CMD="version" - elif [ "$c" = "--restart" ] || [ "$c" = "-restart" ] || [ "$c" = "restart" ]; then - CMD="restart" - elif [ "$c" = "--test" ] || [ "$c" = "-test" ] || [ "$c" = "test" ]; then - CMD="test" - else - args="$args $c" - fi - done - - if [ "$CMD" = "--debug" ]; then - if [ "$PORT" = "" ]; then - echo " Please specify the debug port after the --debug option" - exit 1 - fi - if [ -n "$JAVA_OPTS" ]; then - echo "Warning !!!. User specified JAVA_OPTS will be ignored, once you give the --debug option." - fi - CMD="RUN" - JAVA_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=$PORT" - echo "Please start the remote debugging client to continue..." 
- elif [ "$CMD" = "start" ]; then - if [ -e "$CARBON_HOME/wso2carbon.pid" ]; then - if ps -p $PID > /dev/null ; then - echo "Process is already running" - exit 0 - fi - fi - export CARBON_HOME="$CARBON_HOME" - # using nohup sh to avoid erros in solaris OS.TODO - nohup sh "$CARBON_HOME"/bin/wso2server.sh $args > /dev/null 2>&1 & - exit 0 - elif [ "$CMD" = "stop" ]; then - export CARBON_HOME="$CARBON_HOME" - kill -term `cat "$CARBON_HOME"/wso2carbon.pid` - exit 0 - elif [ "$CMD" = "restart" ]; then - export CARBON_HOME="$CARBON_HOME" - kill -term `cat "$CARBON_HOME"/wso2carbon.pid` - process_status=0 - pid=`cat "$CARBON_HOME"/wso2carbon.pid` - while [ "$process_status" -eq "0" ] - do - sleep 1; - ps -p$pid 2>&1 > /dev/null - process_status=$? - done - - # using nohup sh to avoid erros in solaris OS.TODO - nohup sh "$CARBON_HOME"/bin/wso2server.sh $args > /dev/null 2>&1 & - exit 0 - elif [ "$CMD" = "test" ]; then - JAVACMD="exec "$JAVACMD"" - elif [ "$CMD" = "version" ]; then - cat "$CARBON_HOME"/bin/version.txt - cat "$CARBON_HOME"/bin/wso2carbon-version.txt - exit 0 - fi - - # ---------- Handle the SSL Issue with proper JDK version -------------------- - java_version=$("$JAVACMD" -version 2>&1 | awk -F '"' '/version/ {print $2}') - java_version_formatted=$(echo "$java_version" | awk -F. 
'{printf("%02d%02d",$1,$2);}') - if [ $java_version_formatted -lt 1100 ] || [ $java_version_formatted -gt 1700 ]; then - echo " Starting WSO2 Carbon (in unsupported JDK)" - echo " [ERROR] CARBON is supported only between JDK 11 and JDK 17" - fi - - CARBON_XBOOTCLASSPATH="" - for f in "$CARBON_HOME"/lib/xboot/*.jar - do - if [ "$f" != "$CARBON_HOME/lib/xboot/*.jar" ];then - CARBON_XBOOTCLASSPATH="$CARBON_XBOOTCLASSPATH":$f - fi - done - - - CARBON_CLASSPATH="" - if [ -e "$JAVA_HOME/lib/tools.jar" ]; then - CARBON_CLASSPATH="$JAVA_HOME/lib/tools.jar" - fi - for f in "$CARBON_HOME"/bin/*.jar - do - if [ "$f" != "$CARBON_HOME/bin/*.jar" ];then - if [ -z "$CARBON_CLASSPATH" ];then - CARBON_CLASSPATH=$f - else - CARBON_CLASSPATH="$CARBON_CLASSPATH":$f - fi - fi - done - for t in "$CARBON_HOME"/lib/*.jar - do - CARBON_CLASSPATH="$CARBON_CLASSPATH":$t - done - - - # For Cygwin, switch paths to Windows format before running java - if $cygwin; then - JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"` - CARBON_HOME=`cygpath --absolute --windows "$CARBON_HOME"` - AXIS2_HOME=`cygpath --absolute --windows "$CARBON_HOME"` - CLASSPATH=`cygpath --path --windows "$CLASSPATH"` - CARBON_CLASSPATH=`cygpath --path --windows "$CARBON_CLASSPATH"` - CARBON_XBOOTCLASSPATH=`cygpath --path --windows "$CARBON_XBOOTCLASSPATH"` - fi - - # ----- Execute The Requested Command ----------------------------------------- - - echo JAVA_HOME environment variable is set to $JAVA_HOME - echo CARBON_HOME environment variable is set to "$CARBON_HOME" - - cd "$CARBON_HOME" - - TMP_DIR="$CARBON_HOME"/tmp - if [ -d "$TMP_DIR" ]; then - rm -rf "$TMP_DIR"/* - fi - - START_EXIT_STATUS=121 - status=$START_EXIT_STATUS - - if [ -z "$JVM_MEM_OPTS" ]; then - java_version=$("$JAVACMD" -version 2>&1 | awk -F '"' '/version/ {print $2}') - JVM_MEM_OPTS="-Xms256m -Xmx1024m" - if [ "$java_version" \< "1.8" ]; then - JVM_MEM_OPTS="$JVM_MEM_OPTS -XX:MaxPermSize=256m" - fi - fi - echo "Using Java memory options: 
$JVM_MEM_OPTS" - - #To monitor a Carbon server in remote JMX mode on linux host machines, set the below system property. - # -Djava.rmi.server.hostname="your.IP.goes.here" - - JAVA_VER_BASED_OPTS="--add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xerces.internal.dom=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED" - - if [ $java_version_formatted -ge 1700 ]; then - JAVA_VER_BASED_OPTS=$JAVA_VER_BASED_OPTS" --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED" - fi - - - while [ "$status" = "$START_EXIT_STATUS" ] - do - $JAVACMD \ - -Xbootclasspath/a:"$CARBON_XBOOTCLASSPATH" \ - $JVM_MEM_OPTS \ - -XX:+HeapDumpOnOutOfMemoryError \ - -XX:HeapDumpPath="$CARBON_HOME/repository/logs/heap-dump.hprof" \ - $JAVA_OPTS \ - -Dcom.sun.management.jmxremote \ - -classpath "$CARBON_CLASSPATH" \ - $JAVA_VER_BASED_OPTS \ - -Djava.io.tmpdir="$CARBON_HOME/tmp" \ - -Dcatalina.base="$CARBON_HOME/lib/tomcat" \ - -Dwso2.server.standalone=true \ - -Dcarbon.registry.root=/ \ - -Djava.command="$JAVACMD" \ - -Dcarbon.home="$CARBON_HOME" \ - -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \ - -Dcarbon.config.dir.path="$CARBON_HOME/repository/conf" \ - -Djava.util.logging.config.file="$CARBON_HOME/repository/conf/etc/logging-bridge.properties" \ - -Dcomponents.repo="$CARBON_HOME/repository/components/plugins" \ - -Dconf.location="$CARBON_HOME/repository/conf"\ - -Dcom.atomikos.icatch.file="$CARBON_HOME/lib/transactions.properties" \ - -Dcom.atomikos.icatch.hide_init_file_path=true \ - -Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false \ - -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true \ - -Dcom.sun.jndi.ldap.connect.pool.authentication=simple \ - -Dcom.sun.jndi.ldap.connect.pool.timeout=3000 \ - -Dorg.terracotta.quartz.skipUpdateCheck=true \ - 
-Djava.security.egd=file:/dev/./urandom \ - -Dfile.encoding=UTF8 \ - -Djava.net.preferIPv4Stack=true \ - -Dcom.ibm.cacheLocalHost=true \ - -DworkerNode=false \ - -DenableCorrelationLogs=false \ - -Dhttpclient.hostnameVerifier="DefaultAndLocalhost" \ - -Dorg.apache.xml.security.ignoreLineBreaks=false \ - -Dcarbon.new.config.dir.path="$CARBON_HOME/repository/resources/conf" \ - org.wso2.carbon.bootstrap.Bootstrap $* - status=$? - done - diff --git a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-conf.yaml b/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-conf.yaml deleted file mode 100644 index ac61851f..00000000 --- a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-conf.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -# Copyright (c) 2018, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-conf - namespace : {{ .Release.Namespace }} - {{ if .Values.wso2.deployment.wso2is.config }} - -data: - {{- range $index, $content := .Values.wso2.deployment.wso2is.config }} - {{ $index }}: |- - {{ tpl $content $ | indent 4 }} - {{- end }} - - {{ else }} -data: - deployment.toml: |- - # Deployment config for Identity Server deployment - [server] - hostname = "{{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }}" - node_ip = "$env{NODE_IP}" - base_path = "https://$ref{server.hostname}" - - [super_admin] - username = "admin" - password = "admin" - create_admin_account = true - - [user_store] - type = "database_unique_id" - - [database.identity_db] - type = "mysql" - url = "jdbc:mysql://wso2is-mysql-db-service:3306/WSO2IS_IDENTITY_DB?autoReconnect=true&useSSL=false" - username = "wso2carbon" - password = "wso2carbon" - driver = "com.mysql.cj.jdbc.Driver" - [database.identity_db.pool_options] - validationQuery = "SELECT 1" - - [database.shared_db] - type = "mysql" - url = "jdbc:mysql://wso2is-mysql-db-service:3306/WSO2IS_SHARED_DB?autoReconnect=true&useSSL=false" - username = "wso2carbon" - password = "wso2carbon" - driver = "com.mysql.cj.jdbc.Driver" - [database.shared_db.pool_options] - validationQuery = 
"SELECT 1" - - [transport.https.properties] - proxyPort="443" - - [truststore] - file_name="client-truststore.jks" - password="wso2carbon" - type="JKS" - - [account_recovery.endpoint.auth] - hash= "66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262" - - [identity.auth_framework.endpoint] - app_password= "dashboard" - - [keystore.primary] - name = "wso2carbon.jks" - password = "wso2carbon" - - [clustering] - membership_scheme = "kubernetes" - domain = "wso2.carbon.domain" - properties.membershipSchemeClassName = "org.wso2.carbon.membership.scheme.kubernetes.KubernetesMembershipScheme" - properties.KUBERNETES_NAMESPACE = "{{ .Release.Namespace }}" - properties.KUBERNETES_SERVICES = "{{ template "is-pattern-1.resource.prefix" . }}-identity-service" - properties.KUBERNETES_MASTER_SKIP_SSL_VERIFICATION = "true" - properties.USE_DNS = "false" - - [carbon_health_check] - enable= true - health_checker.super_tenant_health_checker.properties.'monitored.user.stores' = "primary" - health_checker.data_source_health_checker.properties.'monitored.datasources' = "jdbc/WSO2CarbonDB,jdbc/WSO2USER_DB,jdbc/SHARED_DB,jdbc/WSO2ConsentDS,jdbc/WSO2IdentityDB" - - {{ if .Values.wso2.monitoring.enabled }} - [monitoring.jmx] - rmi_server_start = true - {{- end }} - {{- end }} diff --git a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-ingress.yaml b/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-ingress.yaml deleted file mode 100644 index abd2fe24..00000000 --- a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-ingress.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-ingress - namespace : {{ .Release.Namespace }} -{{- if .Values.wso2.deployment.wso2is.ingress.identity.annotations }} - annotations: -{{ toYaml .Values.wso2.deployment.wso2is.ingress.identity.annotations | indent 4 }} -{{- end }} -spec: - {{- if .Values.wso2.deployment.wso2is.ingress.className }} - ingressClassName: {{ .Values.wso2.deployment.wso2is.ingress.className }} - {{- end }} - tls: - - hosts: - - {{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }} - rules: - - host: {{ .Values.wso2.deployment.wso2is.ingress.identity.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-service - port: - number: 9443 diff --git a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-statefulset.yaml b/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-statefulset.yaml deleted file mode 100755 index d08f0cdf..00000000 --- a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-statefulset.yaml +++ /dev/null 
@@ -1,235 +0,0 @@ -# Copyright (c) 2018, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-statefulset - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - deployment: wso2is - monitoring: {{ .Values.wso2.monitoring.prometheus.jmxJobName }} - replicas: {{ .Values.wso2.deployment.wso2is.replicas }} - serviceName: {{ template "is-pattern-1.resource.prefix" . }}-identity-service - template: - metadata: - annotations: - checksum.is.bin: {{ include (print $.Template.BasePath "/is/wso2is-pattern-1-identity-server-bin.yaml") . | sha256sum }} - checksum.is.conf: {{ include (print $.Template.BasePath "/is/wso2is-pattern-1-identity-server-conf.yaml") . | sha256sum }} - {{ if .Values.wso2.centralizedLogging.enabled }} - checksum.is.log.conf: {{ include (print $.Template.BasePath "/logstash/wso2is-pattern-1-c4-logstash-conf.yaml") . | sha256sum }} - {{ end }} - labels: - deployment: wso2is - monitoring: {{ .Values.wso2.monitoring.prometheus.jmxJobName }} - spec: - initContainers: - {{ if .Values.wso2.deployment.dependencies.mysql }} - - name: init-is-db - image: busybox:1.31 - command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! 
nc -z wso2is-mysql-db-service 3306; do sleep 1; printf "-"; done; echo -e " >> MySQL Server has started";'] - - name: init-mysql-connector-download - image: busybox:1.32 - command: - - /bin/sh - - "-c" - - | - set -e - connector_version=8.0.17 - wget https://repo1.maven.org/maven2/mysql/mysql-connector-java/${connector_version}/mysql-connector-java-${connector_version}.jar -P /mysql-connector-jar/ - volumeMounts: - - name: mysql-connector-jar - mountPath: /mysql-connector-jar - {{ end }} - {{ if .Values.wso2.centralizedLogging.enabled }} - - name: init-elasticsearch - image: busybox:1.31 - command: ['sh', '-c', 'echo -e "Checking for the availability of ElasticSearch Server deployment"; while ! nc -z {{ .Values.wso2.centralizedLogging.logstash.elasticsearch.host }} 9200; do sleep 1; printf "-"; done; echo -e " >> Elasticsearch server has started";'] - {{ end }} - {{ if .Values.wso2.monitoring.enabled }} - - name: init-jmx-exporter - image: busybox:1.31 - command: - - /bin/sh - - "-c" - - | - set -e - wget https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.12.0/jmx_prometheus_javaagent-0.12.0.jar -P /jmx-jar/ - volumeMounts: - - name: shared-prometheus-jmx-jar - mountPath: /jmx-jar - {{ end }} - containers: - - name: identity-server -{{- include "image" (dict "Values" .Values "deployment" .Values.wso2.deployment.wso2is) | indent 10 }} - imagePullPolicy: {{ .Values.wso2.deployment.wso2is.imagePullPolicy }} - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: JVM_MEM_OPTS - value: "-Xms{{ .Values.wso2.deployment.wso2is.resources.jvm.heap.memory.xms }} -Xmx{{ .Values.wso2.deployment.wso2is.resources.jvm.heap.memory.xmx }}" - startupProbe: - exec: - command: - - /bin/sh - - -c - - nc -z localhost 9443 - initialDelaySeconds: {{ .Values.wso2.deployment.wso2is.startupProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.wso2.deployment.wso2is.startupProbe.periodSeconds }} - failureThreshold: {{ 
.Values.wso2.deployment.wso2is.startupProbe.failureThreshold }} - livenessProbe: - httpGet: - path: /carbon/admin/login.jsp - port: 9443 - scheme: HTTPS - periodSeconds: {{ .Values.wso2.deployment.wso2is.livenessProbe.periodSeconds }} - readinessProbe: - httpGet: - path: /api/health-check/v1.0/health - port: 9443 - scheme: HTTPS - initialDelaySeconds: {{ .Values.wso2.deployment.wso2is.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.wso2.deployment.wso2is.readinessProbe.periodSeconds }} - lifecycle: - preStop: - exec: - command: ['sh', '-c', '${WSO2_SERVER_HOME}/bin/wso2server.sh stop'] - resources: - requests: - memory: {{ .Values.wso2.deployment.wso2is.resources.requests.memory }} - cpu: {{ .Values.wso2.deployment.wso2is.resources.requests.cpu }} - limits: - memory: {{ .Values.wso2.deployment.wso2is.resources.limits.memory }} - cpu: {{ .Values.wso2.deployment.wso2is.resources.limits.cpu }} - securityContext: - runAsUser: 802 - ports: - - containerPort: 9763 - protocol: TCP - - containerPort: 9443 - protocol: TCP - {{ if .Values.wso2.monitoring.enabled }} - - containerPort: 2222 - protocol: TCP - name: metrics - {{ end }} - volumeMounts: - - name: identity-server-conf - mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/deployment.toml - subPath: deployment.toml - - name: identity-server-bin - mountPath: /home/wso2carbon/wso2-config-volume/bin - {{ if .Values.wso2.deployment.dependencies.mysql }} - - name: mysql-connector-jar - mountPath: /home/wso2carbon/wso2-artifact-volume/repository/components/dropins - {{ end }} - {{ if .Values.wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.enabled }} - - name: identity-server-volume-claim-tenants-storage - mountPath: /home/wso2carbon/wso2is-5.11.0/repository/tenants - - name: identity-server-volume-claim-userstores-storage - mountPath: /home/wso2carbon/wso2is-5.11.0/repository/deployment/server/userstores - {{ end }} - {{ if .Values.wso2.monitoring.enabled }} - - name: 
shared-prometheus-jmx-jar - mountPath: /home/wso2carbon/prometheus - - name: identity-server-prometheus-exporter-conf - mountPath: /home/wso2carbon/prometheus/config.yaml - subPath: config.yaml - {{ end }} - {{ if .Values.wso2.centralizedLogging.enabled }} - - name: shared-logs - mountPath: /home/wso2carbon/wso2is-5.11.0/repository/logs/ - - name: wso2is-logstash - image: docker.elastic.co/logstash/logstash:{{ .Values.wso2.centralizedLogging.logstash.imageTag }} - volumeMounts: - - name: shared-logs - mountPath: /usr/share/logstash/wso2-logs/ - - name: logstash-yml - mountPath: /usr/share/logstash/config/logstash.yml - subPath: logstash.yml - - name: c4-logstash-conf - mountPath: /usr/share/logstash/pipeline/logstash.conf - subPath: logstash.conf - - name: shared-plugins - mountPath: /usr/share/logstash/plugins/ - env: - - name: NODE_ID - value: {{ .Release.Name }}-is-node - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: ELASTICSEARCH_USERNAME - valueFrom: - secretKeyRef: - name: {{ template "is-pattern-1.resource.prefix" . }}-logstash-elasticsearch-creds - key: username - - name: ELASTICSEARCH_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "is-pattern-1.resource.prefix" . }}-logstash-elasticsearch-creds - key: password - - name: ELASTICSEARCH_HOST - value: {{ .Values.wso2.centralizedLogging.logstash.elasticsearch.host }} - {{ end }} - serviceAccountName: {{ .Values.kubernetes.serviceAccount }} - {{- if .Values.wso2.deployment.wso2is.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.wso2.deployment.wso2is.imagePullSecrets }} - {{- else if and (not (eq .Values.wso2.subscription.username "")) (not (eq .Values.wso2.subscription.password "")) }} - imagePullSecrets: - - name: {{ template "is-pattern-1.resource.prefix" . }}-wso2-private-registry-creds - {{ end }} - volumes: - - name: identity-server-conf - configMap: - name: {{ template "is-pattern-1.resource.prefix" . 
}}-identity-server-conf - - name: identity-server-bin - configMap: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-bin - {{ if .Values.wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.enabled }} - - name: identity-server-volume-claim-tenants-storage - persistentVolumeClaim: - claimName: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-shared-tenants-volume-claim - - name: identity-server-volume-claim-userstores-storage - persistentVolumeClaim: - claimName: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-shared-userstores-volume-claim - {{ end }} - {{ if .Values.wso2.centralizedLogging.enabled }} - - name: shared-logs - emptyDir: {} - - name: logstash-yml - configMap: - name: {{ template "is-pattern-1.resource.prefix" . }}-logstash-yml-conf - - name: c4-logstash-conf - configMap: - name: {{ template "is-pattern-1.resource.prefix" . }}-c4-logstash-conf - - name: shared-plugins - emptyDir: {} - {{ end }} - {{ if .Values.wso2.monitoring.enabled }} - - name: shared-prometheus-jmx-jar - emptyDir: {} - - name: identity-server-prometheus-exporter-conf - configMap: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-conf-prometheus-exporter - {{ end }} - {{ if .Values.wso2.deployment.dependencies.mysql }} - - name: mysql-connector-jar - emptyDir: {} - {{ end }} diff --git a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-volume-claims.yaml b/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-volume-claims.yaml deleted file mode 100644 index 6588f4a8..00000000 --- a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-server-volume-claims.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ - {{ if .Values.wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.enabled }} -# Copyright (c) 2020, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-shared-tenants-volume-claim - namespace : {{ .Release.Namespace }} -spec: - accessModes: - - ReadWriteMany - volumeMode: Filesystem - resources: - requests: - storage: {{ .Values.wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.capacity.tenants }} - storageClassName: {{ .Values.wso2.deployment.persistentRuntimeArtifacts.storageClass }} - ---- - -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-shared-userstores-volume-claim - namespace : {{ .Release.Namespace }} -spec: - accessModes: - - ReadWriteMany - volumeMode: Filesystem - resources: - requests: - storage: {{ .Values.wso2.deployment.persistentRuntimeArtifacts.sharedArtifacts.capacity.userstores }} - storageClassName: {{ .Values.wso2.deployment.persistentRuntimeArtifacts.storageClass }} - {{ end }} diff --git a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-service.yaml b/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-service.yaml deleted file mode 100644 index 2b7b45a2..00000000 
--- a/advanced/is-pattern-1/templates/is/wso2is-pattern-1-identity-service.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Service -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-identity-service - namespace : {{ .Release.Namespace }} - labels: - deployment: wso2is - monitoring: {{ .Values.wso2.monitoring.prometheus.jmxJobName }} -spec: - selector: - deployment: wso2is - ports: - - name: servlet-http - port: 9763 - targetPort: 9763 - protocol: TCP - - name: servlet-https - port: 9443 - targetPort: 9443 - protocol: TCP - {{ if .Values.wso2.monitoring.enabled }} - - name: metrics - port: 2222 - targetPort: 2222 - protocol: TCP - {{ end }} diff --git a/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-c4-logstash-conf.yaml b/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-c4-logstash-conf.yaml deleted file mode 100644 index e480d3ee..00000000 --- a/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-c4-logstash-conf.yaml +++ /dev/null 
@@ -1,72 +0,0 @@
- {{ if .Values.wso2.centralizedLogging.enabled }}
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "is-pattern-1.resource.prefix" . }}-c4-logstash-conf
- namespace : {{ .Release.Namespace }}
-data:
- logstash.conf: |-
- # Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- input {
- file {
- add_field => {
- instance_name => "${NODE_ID}"
- instance_IP => "${NODE_IP}"
- }
- type => "wso2"
- path => [ '/usr/share/logstash/wso2-logs/wso2carbon.log' ]
- codec => multiline {
- pattern => "^TID"
- negate => true
- what => "previous"
- }
- }
- }
-
- filter {
- if [type] == "wso2" {
- grok {
- match => [ "message", "TID:%{SPACE}\[%{INT:tenant_id}\]%{SPACE}\[.*\]%{SPACE}\[%{TIMESTAMP_ISO8601:timestamp}\]%{SPACE}\[\]%{SPACE}%{SPACE}%{LOGLEVEL:level}%{SPACE}{%{JAVACLASS:java_class}}%{SPACE}-%{SPACE}%{JAVALOGMESSAGE:log_message}" ]
- }
- date {
- match => [ "timestamp", "ISO8601" ]
- }
- }
- }
-
- output {
- elasticsearch {
- hosts => "${ELASTICSEARCH_HOST}"
- user => "${ELASTICSEARCH_USERNAME}"
- password => "${ELASTICSEARCH_PASSWORD}"
- index => "${NODE_ID}-${NODE_IP}-%{+YYYY.MM.dd}"
- }
- }
- {{ end }}
diff --git a/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-elasticsearch-creds.yaml b/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-elasticsearch-creds.yaml
deleted file mode 100644
index 9ef6dd90..00000000
--- a/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-elasticsearch-creds.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
- {{ if .Values.wso2.centralizedLogging.enabled }}
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "is-pattern-1.resource.prefix" . }}-logstash-elasticsearch-creds
- namespace : {{ .Release.Namespace }}
-type: Opaque
-data:
- username: {{ .Values.wso2.centralizedLogging.logstash.elasticsearch.username | b64enc }}
- password: {{ .Values.wso2.centralizedLogging.logstash.elasticsearch.password | b64enc }}
- {{ end }}
diff --git a/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-yml.yaml b/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-yml.yaml
deleted file mode 100644
index 2f5e1d07..00000000
--- a/advanced/is-pattern-1/templates/logstash/wso2is-pattern-1-logstash-yml.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
- {{ if .Values.wso2.centralizedLogging.enabled }}
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "is-pattern-1.resource.prefix" . }}-logstash-yml-conf
- namespace : {{ .Release.Namespace }}
-data:
- logstash.yml: |-
- http.host: "0.0.0.0"
- path.config: /usr/share/logstash/pipeline
- {{ end }}
diff --git a/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-conf-prometheus-exporter.yaml b/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-conf-prometheus-exporter.yaml
deleted file mode 100644
index b5e99b29..00000000
--- a/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-conf-prometheus-exporter.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
- {{ if .Values.wso2.monitoring.enabled }}
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-conf-prometheus-exporter
- namespace : {{ .Release.Namespace }}
-data:
- config.yaml: |
- startDelaySeconds: 0
- jmxurl: service:jmx:rmi://localhost:11111/jndi/rmi://localhost:9999/jmxrmi
- ssl: false
- rules:
- - pattern: ".*"
- {{ end }}
diff --git a/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-blackbox-service-monitor.yaml b/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-blackbox-service-monitor.yaml
deleted file mode 100644
index ff6ea874..00000000
--- a/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-blackbox-service-monitor.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
- {{ if .Values.wso2.monitoring.enabled }}
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-prometheus-blackbox-monitoring
- namespace: {{ if .Values.wso2.monitoring.prometheus.serviceMonitor.blackBoxNamespace }}{{ .Values.wso2.monitoring.prometheus.serviceMonitor.blackBoxNamespace }}{{ else }}{{ .Release.Namespace }}{{ end }}
- labels:
- {{- range $key, $value := .Values.wso2.monitoring.prometheus.serviceMonitor.labels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- namespaceSelector:
- matchNames:
- {{- if .Values.wso2.monitoring.prometheus.serviceMonitor.blackBoxNamespace }}
- - {{ .Values.wso2.monitoring.prometheus.serviceMonitor.blackBoxNamespace }}
- {{- else }}
- - {{ .Release.Namespace }}
- {{- end }}
- selector:
- matchLabels:
- app.kubernetes.io/name: prometheus-blackbox-exporter
- endpoints:
- - interval: 30s
- metricRelabelings:
- - sourceLabels:
- - __address__
- targetLabel: __param_target
- - sourceLabels:
- - __param_target
- targetLabel: instance
- - replacement: https://{{ template "is-pattern-1.resource.prefix" . 
}}-identity-service.{{ .Release.Namespace }}.svc.cluster.local:9443/carbon/admin/login.jsp
- targetLabel: target
- params:
- module:
- - http_2xx
- target:
- - https://{{ template "is-pattern-1.resource.prefix" . }}-identity-service.{{ .Release.Namespace }}.svc.cluster.local:9443/carbon/admin/login.jsp
- path: /probe
- port: http
- scheme: http
- scrapeTimeout: 30s
- {{ end }}
diff --git a/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-serviceMonitor.yaml b/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-serviceMonitor.yaml
deleted file mode 100644
index ae2a1b37..00000000
--- a/advanced/is-pattern-1/templates/prometheus/wso2is-pattern-1-identity-server-prometheus-serviceMonitor.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
- {{ if .Values.wso2.monitoring.enabled }}
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific
-
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ template "is-pattern-1.resource.prefix" . }}-identity-server-prometheus-monitoring
- namespace: {{ .Release.Namespace }}
- labels:
- {{- range $key, $value := .Values.wso2.monitoring.prometheus.serviceMonitor.labels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- jobLabel: monitoring
- selector:
- matchLabels:
- deployment: wso2is
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- endpoints:
- - port: metrics
- interval: 1s
- path: /metrics
- {{ end }}
diff --git a/advanced/is-pattern-1/templates/wso2is-pattern-1-rbac.yaml b/advanced/is-pattern-1/templates/wso2is-pattern-1-rbac.yaml deleted file mode 100644 index 0bb6cdba..00000000 --- a/advanced/is-pattern-1/templates/wso2is-pattern-1-rbac.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# Copyright (c) 2018, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ .Release.Namespace }} - name: {{ template "is-pattern-1.resource.prefix" . }}-endpoints-reader-role -rules: -- apiGroups: [""] - verbs: ["get", "list"] - resources: ["endpoints"] - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "is-pattern-1.resource.prefix" . }}-endpoints-reader-role-wso2-binding - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "is-pattern-1.resource.prefix" . }}-endpoints-reader-role -subjects: - - kind: ServiceAccount - name: {{ .Values.kubernetes.serviceAccount }} - namespace: {{ .Release.Namespace }} diff --git a/advanced/is-pattern-1/templates/wso2is-pattern-1-secrets.yaml b/advanced/is-pattern-1/templates/wso2is-pattern-1-secrets.yaml deleted file mode 100644 index 1cf8f8cb..00000000 --- a/advanced/is-pattern-1/templates/wso2is-pattern-1-secrets.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
- {{ if and (not (eq .Values.wso2.subscription.username "")) (not (eq .Values.wso2.subscription.password "")) }}
-# Copyright (c) 2018, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-{{- $username := .Values.wso2.subscription.username }}
-{{- $password := .Values.wso2.subscription.password }}
-{{- $email := .Values.wso2.subscription.username }}
-{{- $regId := default "docker.wso2.com" .Values.wso2.dockerRegistry }}
-{{- $auth := printf "%s:%s" $username $password | b64enc }}
-{{- $files := .Files }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "is-pattern-1.resource.prefix" . }}-wso2-private-registry-creds
- namespace: {{ .Release.Namespace }}
-type: kubernetes.io/dockerconfigjson
-data:
- .dockerconfigjson: {{ $files.Get "auth.json" | replace "reg.id" $regId | replace "reg.username" $username | replace "reg.password" $password | replace "reg.email" $email | replace "reg.auth" $auth | b64enc }}
- {{ end }}
diff --git a/advanced/is-pattern-1/templates/wso2is-pattern-1-service-account.yaml b/advanced/is-pattern-1/templates/wso2is-pattern-1-service-account.yaml
deleted file mode 100644
index ddcfede5..00000000
--- a/advanced/is-pattern-1/templates/wso2is-pattern-1-service-account.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright (c) 2018, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .Values.kubernetes.serviceAccount }}
- namespace : {{ .Release.Namespace }}
diff --git a/advanced/is-pattern-1/values.yaml b/advanced/is-pattern-1/values.yaml
deleted file mode 100644
index cdf32321..00000000
--- a/advanced/is-pattern-1/values.yaml
+++ /dev/null
@@ -1,155 +0,0 @@
-# Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-wso2:
- # WSO2 Subscription parameters (https://wso2.com/subscription/)
- # If provided, these parameters will be used to obtain official WSO2 product Docker images available at WSO2 Private Docker Registry (https://docker.wso2.com/)
- # for this deployment
- subscription:
- username: ""
- password: ""
-
- deployment:
- dependencies:
- mysql:
- # The configuration should be set to be 'true' if a MySQL database should be spawned as a pod within the cluster
- enabled: true
-
- # Persisted and shared runtime artifacts for Identity Server
- # See official documentation (from https://is.docs.wso2.com/en/latest/setup/deployment-guide/#enabling-artifact-synchronization)
- persistentRuntimeArtifacts:
- # Kubernetes Storage Class to be used to dynamically provision the relevant Persistent Volumes
- # Only persistent storage solutions supporting ReadWriteMany access mode are applicable (https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
- # Mandatory to set if artifact persistence and sharing is enabled (i.e. 
wso2 -> deployment -> persistentRuntimeArtifacts -> sharedArtifacts -> enabled)
- storageClass: "-"
-
- # Define configurations for persistent runtime artifacts which are shared between instances of the Identity Server profile
- sharedArtifacts:
- # Enable/Disable persistence and sharing of runtime artifacts between instances of the Identity Server profile
- enabled: false
- # Define capacities for persistent runtime artifacts which are shared between instances of the Identity Server profile
- capacity:
- # For tenant data shared between the Identity Server profile instances
- tenants: 100M
- # For secondary user stores shared between the Identity Server profile instances
- userstores: 50M
-
- wso2is:
- # Container image configurations
- # If a custom image must be used, provide its value
- dockerRegistry: "docker.wso2.com"
- imageName: "wso2is"
- imageTag: "6.1.0.0"
- # Refer to the Kubernetes documentation on updating images (https://kubernetes.io/docs/concepts/containers/images/#updating-images)
- imagePullPolicy: Always
-
- # Number of deployment replicas
- replicas: 2
-
- # Kubernetes Probes
- # Startup probe executed prior to Liveness Probe taking over
- startupProbe:
- # Number of seconds after the container has started before startup probes are initiated
- initialDelaySeconds: 60
- # How often (in seconds) to perform the probe
- periodSeconds: 5
- # Number of attempts
- failureThreshold: 30
- # Indicates whether the container is running
- livenessProbe:
- # How often (in seconds) to perform the probe
- periodSeconds: 10
- # Indicates whether the container is ready to service requests
- readinessProbe:
- # Number of seconds after the container has started before readiness probes are initiated
- initialDelaySeconds: 60
- # How often (in seconds) to perform the probe
- periodSeconds: 10
-
- resources:
- # These are the minimum resource recommendations for running WSO2 Identity and Access Management product profiles
- # as per official documentation 
(https://is.docs.wso2.com/en/latest/setup/installation-prerequisites/)
- requests:
- # The minimum amount of memory that should be allocated for a Pod
- memory: "2Gi"
- # The minimum amount of CPU that should be allocated for a Pod
- cpu: "1000m"
- limits:
- # The maximum amount of memory that should be allocated for a Pod
- memory: "4Gi"
- # The maximum amount of CPU that should be allocated for a Pod
- cpu: "2000m"
- # JVM settings
- # These are the resource allocation configurations associated with the JVM
- # Refer to the official documentation for advanced details (https://is.docs.wso2.com/en/latest/setup/performance-tuning-recommendations/#jvm-settings)
- jvm:
- # Resource allocation for the Java Heap
- heap:
- memory:
- # Initial and minimum Heap size
- xms: "1024m"
- # Maximum Heap size
- xmx: "2048m"
-
- # If the deployment configurations for the WSO2 Identity Server v5.11.0 (/repository/conf/deployment.toml),
- # add the customized configuration file under (wso2 -> deployment -> wso2is -> config -> deployment.toml)
-# config: ""
-# deployment.toml: |-
-# # Deployment configurations for Identity Server deployment
-# # /repository/conf/deployment.toml)>
-
- # Configure Ingresses
- ingress:
- className: ""
- identity:
- # Hostname for Identity Server
- hostname: "identity.wso2.com"
- # Annotations for the Identity service Ingress
- annotations:
- kubernetes.io/ingress.class: "nginx"
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- nginx.ingress.kubernetes.io/affinity: "cookie"
- nginx.ingress.kubernetes.io/session-cookie-name: "route"
- nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
-
- # Configurations for the logstash container image and elasticsearch authorization credentials
- # Centralized logging is disabled by default. 
If it is required to enable centralized logging, please follow the instructions
- # provided in the documentation (https://github.com/wso2/kubernetes-is/tree/master/advanced/helm/is-pattern-1#enabling-centralized-logging)
- centralizedLogging:
- enabled: false
- logstash:
- imageTag: 7.8.1
- elasticsearch:
- host: wso2-elasticsearch-master
- username: "elastic"
- password: "changeme"
-
- # Configurations for Prometheus monitoring
- monitoring:
- # Enable Prometheus monitoring. This will start Prometheus exporter on port 2222 and deploy Service monitors
- # for JVM, JMX and Blackbox exporter for Login calls
- enabled: false
- prometheus:
- serviceMonitor:
- # If the black box exporter is deployed in a different Namespace
-# blackBoxNamespace:
- # Prometheus Operator labels to identify Service monitors
- labels:
- release: monitoring
- # Job name of the JMX events
- jmxJobName: "jmx"
-
-kubernetes:
- # Name of Kubernetes service account
- serviceAccount: "wso2is-pattern-1-svc-account"
diff --git a/confs/auth.json b/confs/auth.json
new file mode 100644
index 00000000..8625d154
--- /dev/null
+++ b/confs/auth.json
@@ -0,0 +1,10 @@
+{
+ "auths": {
+ "reg.id": {
+ "username": "reg.username",
+ "password": "reg.password",
+ "email": "reg.email",
+ "auth": "reg.auth"
+ }
+ }
+}
diff --git a/confs/deployment.toml b/confs/deployment.toml
new file mode 100644
index 00000000..8027546a
--- /dev/null
+++ b/confs/deployment.toml
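Review bot: The new `confs/auth.json` is a token-substitution template (`reg.id`, `reg.username`, `reg.password`, `reg.email`, `reg.auth`), but the template that fills it in is not part of this hunk; the removed `wso2is-pattern-1-secrets.yaml` did it with a chain of `replace` calls followed by `b64enc`. If the replacement chart keeps that approach, the subscription values are spliced into the JSON as raw text, so a registry password containing `"` or `\` yields an unparsable `.dockerconfigjson`, and a value that happens to contain another token name (for example a username containing `reg.id`) is rewritten as well. A more robust form builds the document from data and lets Helm escape it, e.g. `{{ dict "auths" (dict $regId (dict "username" $username "password" $password "email" $email "auth" $auth)) | toJson | b64enc }}`, with `$auth` still computed as `printf "%s:%s" $username $password | b64enc` as the old template did. Since JSON cannot carry a comment, a line in the README stating that this file holds placeholders rather than credentials would keep someone from committing real values into it.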
@@ -0,0 +1,372 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[server]
+hostname = {{ .Values.deployment.ingress.hostName | quote }}
+node_ip = "$env{NODE_IP}"
+base_path = "https://$ref{server.hostname}:${carbon.management.port}"
+offset = {{ .Values.deploymentToml.server.offset | quote }}
+
+[transport.https.properties]
+proxyPort = 443
+server = {{ .Values.deploymentToml.transport.https.properties.server | quote }}
+
+[transport.https.sslHostConfig.properties]
+protocols={{ .Values.deploymentToml.transport.https.sslHostConfig.properties.protocols | quote }}
+ciphers={{ .Values.deploymentToml.transport.https.sslHostConfig.properties.ciphers | quote }}
+
+[super_admin]
+{{- if .Values.deployment.secretStore.enabled }}
+username = "$secret{super_admin_username}"
+password = "$secret{super_admin_password}"
+{{- else }}
+username = {{ .Values.deploymentToml.superAdmin.username | quote }}
+password = {{ .Values.deploymentToml.superAdmin.password | quote }}
+{{- end }}
+create_admin_account = {{ .Values.deploymentToml.superAdmin.createAdminAccount }}
+
+[user_store]
+type = {{ .Values.deploymentToml.userStore.type | quote }}
+
+[database.identity_db]
+type = {{ .Values.deploymentToml.database.identity.type | quote }}
+url = {{ .Values.deploymentToml.database.identity.url | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+username = 
"$secret{database_identity_username}"
+password = "$secret{database_identity_password}"
+{{- else }}
+username = {{ .Values.deploymentToml.database.identity.username | quote }}
+password = {{ .Values.deploymentToml.database.identity.password | quote }}
+{{- end }}
+driver = {{ .Values.deploymentToml.database.identity.driver | quote }}
+{{- if .Values.deploymentToml.database.identity.poolOptions }}
+[database.identity_db.pool_options]
+{{- range $key, $value := .Values.deploymentToml.database.identity.poolOptions }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- end }}
+
+[database.shared_db]
+type = {{ .Values.deploymentToml.database.shared.type | quote }}
+url = {{ .Values.deploymentToml.database.shared.url | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+username = "$secret{database_shared_username}"
+password = "$secret{database_shared_password}"
+{{- else }}
+username = {{ .Values.deploymentToml.database.shared.username | quote }}
+password = {{ .Values.deploymentToml.database.shared.password | quote }}
+{{- end }}
+driver = {{ .Values.deploymentToml.database.shared.driver | quote }}
+{{- if .Values.deploymentToml.database.shared.poolOptions }}
+[database.shared_db.pool_options]
+{{- range $key, $value := .Values.deploymentToml.database.shared.poolOptions }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- end }}
+
+[datasource.WSO2ConsentDS]
+id="WSO2CONSENT_DB"
+url = {{ .Values.deploymentToml.database.consent.url | quote }}
+type = {{ .Values.deploymentToml.database.consent.type | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+username = "$secret{database_consent_username}"
+password = "$secret{database_consent_password}"
+{{- else }}
+username = {{ .Values.deploymentToml.database.consent.username | quote }}
+password = {{ .Values.deploymentToml.database.consent.password | quote }}
+{{- end }}
+driver = {{ .Values.deploymentToml.database.consent.driver | quote }}
+jmx_enable=false
+{{- if 
.Values.deploymentToml.database.consent.poolOptions }}
+[datasource.WSO2ConsentDS.pool_options]
+{{- range $key, $value := .Values.deploymentToml.database.consent.poolOptions }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- end }}
+
+[authentication.consent]
+data_source="jdbc/WSO2CONSENT_DB"
+
+[realm_manager]
+data_source = "WSO2USER_DB"
+
+[database.user]
+type = {{ .Values.deploymentToml.database.user.type | quote }}
+url = {{ .Values.deploymentToml.database.user.url | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+username = "$secret{database_user_username}"
+password = "$secret{database_user_password}"
+{{- else }}
+username = {{ .Values.deploymentToml.database.user.username | quote }}
+password = {{ .Values.deploymentToml.database.user.password | quote }}
+{{- end }}
+driver = {{ .Values.deploymentToml.database.user.driver | quote }}
+{{- if .Values.deploymentToml.database.user.poolOptions }}
+[database.user.pool_options]
+{{- range $key, $value := .Values.deploymentToml.database.user.poolOptions }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- end }}
+
+[keystore.tls]
+file_name = {{ .Values.deploymentToml.keystore.tls.fileName | quote }}
+type = {{ .Values.deploymentToml.keystore.tls.type | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+password = "$secret{keystore_tls_password}"
+{{- else }}
+password = {{ .Values.deploymentToml.keystore.tls.password | quote }}
+{{- end }}
+alias = {{ .Values.deploymentToml.keystore.tls.alias | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+key_password = "$secret{keystore_tls_key_password}"
+{{- else }}
+key_password = {{ .Values.deploymentToml.keystore.tls.keyPassword | quote }}
+{{- end }}
+
+[keystore.primary]
+file_name = {{ .Values.deploymentToml.keystore.primary.fileName | quote }}
+type = {{ .Values.deploymentToml.keystore.primary.type | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+password = "$secret{keystore_primary_password}"
+{{- else }}
+password = {{ .Values.deploymentToml.keystore.primary.password | quote }}
+{{- end }}
+alias = {{ .Values.deploymentToml.keystore.primary.alias | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+key_password = "$secret{keystore_primary_key_password}"
+{{- else }}
+key_password = {{ .Values.deploymentToml.keystore.primary.keyPassword | quote }}
+{{- end }}
+
+[keystore.internal]
+file_name = {{ .Values.deploymentToml.keystore.internal.fileName | quote }}
+type = {{ .Values.deploymentToml.keystore.internal.type | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+password = "$secret{keystore_internal_password}"
+{{- else }}
+password = {{ .Values.deploymentToml.keystore.internal.password | quote }}
+{{- end }}
+alias = {{ .Values.deploymentToml.keystore.internal.alias | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+key_password = "$secret{keystore_internal_key_password}"
+{{- else }}
+key_password ={{ .Values.deploymentToml.keystore.internal.keyPassword | quote }}
+{{- end }}
+
+[truststore]
+file_name = {{ .Values.deploymentToml.truststore.fileName | quote }}
+type = {{ .Values.deploymentToml.truststore.type | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+password = "$secret{keystore_truststore_password}"
+{{- else }}
+password = {{ .Values.deploymentToml.truststore.password | quote }}
+{{- end }}
+[account_recovery.endpoint.auth]
+hash= {{ .Values.deploymentToml.account.recovery.endpoint.auth.hash | quote }}
+
+[identity.auth_framework.endpoint]
+{{- if .Values.deployment.secretStore.enabled }}
+app_password= "$secret{app_password}"
+{{- else }}
+app_password= {{ .Values.deploymentToml.identity.authFramework.endpoint.appPassword | quote }}
+{{- end }}
+
+{{- if .Values.deploymentToml.clustering.enabled }}
+[clustering]
+membership_scheme={{.Values.deploymentToml.clustering.membershipScheme | quote }}
+domain= {{.Values.deploymentToml.clustering.domain | quote }}
+local_member_port={{.Values.deploymentToml.clustering.localMemberPort | quote }}
+properties.KUBERNETES_NAMESPACE={{ .Release.Namespace | quote }}
+properties.KUBERNETES_SERVICES={{ include "..fullname" . | quote }}
+{{- end }}
+
+[oauth.token_cleanup]
+enable = {{.Values.deploymentToml.oauth.tokenCleanup }}
+
+[oauth.token_generation]
+include_username_in_access_token = {{.Values.deploymentToml.oauth.tokenGeneration.includeUsernameInAccessToken }}
+
+# Block all unused fileupload with super tenant permissions (SECURITYINTERNAL-1738)
+[[resource.access_control]]
+context="(.*)/fileupload/service(.*)"
+secure=true
+http_method = "all"
+permissions = ["/permission/admin/manage/identity/applicationmgt/create"]
+
+[[resource.access_control]]
+context="(.*)/fileupload(.*)"
+secure=true
+http_method = "all"
+permissions = ["/permission/protected/manage/monitor/tenants"]
+
+{{- if .Values.deploymentToml.recaptcha.enabled }}
+#Google reCAPTCHA settings.
+
+[recaptcha]
+enabled = true
+api_url = {{ .Values.deploymentToml.recaptcha.apiUrl | quote }}
+verify_url = {{ .Values.deploymentToml.recaptcha.verifyUrl | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+site_key = "$secret{recaptcha_site_key}"
+secret_key = "$secret{recaptcha_secret_key}"
+{{- else }}
+site_key = {{ .Values.deploymentToml.recaptcha.siteKey | quote }}
+secret_key = {{ .Values.deploymentToml.recaptcha.secretKey | quote }}
+{{- end }}
+
+{{- end }}
+
+{{- if .Values.deploymentToml.outputAdapter.email.enabled }}
+# SMTP email sender settings.
+[output_adapter.email]
+from_address= {{ .Values.deploymentToml.outputAdapter.email.fromAddress | quote }}
+username= {{ .Values.deploymentToml.outputAdapter.email.username | quote }}
+{{- if .Values.deployment.secretStore.enabled }}
+password= "$secret{output_adapter_email_password}"
+{{- else }}
+password= {{ .Values.deploymentToml.outputAdapter.email.password | quote }}
+{{- end }}
+hostname= {{ .Values.deploymentToml.outputAdapter.email.hostname | quote }}
+port= {{ .Values.deploymentToml.outputAdapter.email.port }}
+enable_start_tls= {{ .Values.deploymentToml.outputAdapter.email.enableStartTls }}
+enableAuthentication= {{ .Values.deploymentToml.outputAdapter.email.enableAuthentication }}
+{{- end }}
+
+# Configuring user account locking. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-account/
+{{- if .Values.deploymentToml.userAccountLock.enabled }}
+[event.default_listener.identity_mgt]
+priority= "50"
+enable = false
+[event.default_listener.governance_identity_mgt]
+priority= "95"
+enable = true
+
+[identity_mgt.account_locking]
+allowed_failed_attempts={{ .Values.deploymentToml.userAccountLock.loginAttempts.allowedFailedAttempts }}
+auto_unlock_time_increment_ratio={{ .Values.deploymentToml.userAccountLock.loginAttempts.autoUnlockTimeIncrementRatio }}
+auto_unlock_after={{ .Values.deploymentToml.userAccountLock.loginAttempts.autoUnlockAfter }}
+enable_account_locking=true
+{{- end }}
+
+[authentication.authenticator.email_otp]
+enable={{ .Values.deploymentToml.otp.email.enabled }}
+
+[authentication.authenticator.email_otp.parameters]
+EMAILOTPAuthenticationEndpointURL = {{ .Values.deploymentToml.otp.email.authenticationEndpointURL | quote }}
+EmailOTPAuthenticationEndpointErrorPage = {{ .Values.deploymentToml.otp.email.authenticationEndpointErrorPage | quote }}
+EmailAddressRequestPage = {{ .Values.deploymentToml.otp.email.addressRequestPage | quote }}
+usecase = {{ .Values.deploymentToml.otp.email.usecase | quote }}
+secondaryUserstore = {{ .Values.deploymentToml.otp.email.secondaryUserstore | quote }} +EMAILOTPMandatory = {{ .Values.deploymentToml.otp.email.mandatory }} +sendOTPToFederatedEmailAttribute = {{ .Values.deploymentToml.otp.email.sendOTPToFederatedEmailAttribute }} +federatedEmailAttributeKey = {{ .Values.deploymentToml.otp.email.federatedEmailAttributeKey | quote }} +EmailOTPEnableByUserClaim = {{ .Values.deploymentToml.otp.email.enableByUserClaim }} +CaptureAndUpdateEmailAddress = {{ .Values.deploymentToml.otp.email.captureAndUpdateEmailAddress }} +showEmailAddressInUI = {{ .Values.deploymentToml.otp.email.showEmailAddressInUI }} +useEventHandlerBasedEmailSender = {{ .Values.deploymentToml.otp.email.useEventHandlerBasedEmailSender }} +emailAddressRegex = {{ .Values.deploymentToml.otp.email.emailAddressRegex | squote }} +tokenExpirationTime = {{ .Values.deploymentToml.otp.email.tokenExpirationTime }} +EnableAccountLockingForFailedAttempts = {{ .Values.deploymentToml.otp.email.userAccountLockEnabled }} + +[authentication.authenticator.sms_otp] +enable={{ .Values.deploymentToml.otp.sms.enabled }} + +[authentication.authenticator.sms_otp.parameters] +SMSOTPAuthenticationEndpointURL= {{ .Values.deploymentToml.otp.sms.authenticationEndpointURL | quote }} +SMSOTPAuthenticationEndpointErrorPage= {{ .Values.deploymentToml.otp.sms.authenticationEndpointErrorPage | quote }} +MobileNumberRegPage = {{ .Values.deploymentToml.otp.sms.mobileNumberRegPage | quote }} +RetryEnable = {{ .Values.deploymentToml.otp.sms.retryEnable }} +ResendEnable = {{ .Values.deploymentToml.otp.sms.resendEnable }} +BackupCode = {{ .Values.deploymentToml.otp.sms.backupCode }} +SMSOTPEnableByUserClaim = {{ .Values.deploymentToml.otp.sms.enableByUserClaim }} +usecase = {{ .Values.deploymentToml.otp.sms.usecase | quote }} +secondaryUserstore = {{ .Values.deploymentToml.otp.sms.secondaryUserstore | quote }} +SMSOTPMandatory = {{ .Values.deploymentToml.otp.sms.mandatory }} +SendOtpToFederatedMobile = {{ 
.Values.deploymentToml.otp.sms.federatedMobile }} +federatedMobileAttributeKey = {{ .Values.deploymentToml.otp.sms.federatedMobileAttributeKey | quote }} +CaptureAndUpdateMobileNumber = {{ .Values.deploymentToml.otp.sms.captureAndUpdateMobileNumber }} +SendOTPDirectlyToMobile = {{ .Values.deploymentToml.otp.sms.directlyToMobile }} +redirectToMultiOptionPageOnFailure = {{ .Values.deploymentToml.otp.sms.redirectToMultiOptionPageOnFailure }} +EnableAccountLockingForFailedAttempts = {{ .Values.deploymentToml.otp.sms.userAccountLockEnabled }} + +[authentication.authenticator.totp] +enable={{ .Values.deploymentToml.totp.enabled }} + +[authentication.authenticator.totp.parameters] +encodingMethod={{ .Values.deploymentToml.totp.encodingMethod | quote }} +timeStepSize={{ .Values.deploymentToml.totp.timeStepSize | quote }} +windowSize={{ .Values.deploymentToml.totp.windowSize | quote }} +authenticationMandatory={{ .Values.deploymentToml.totp.authenticationMandatory }} +enrolUserInAuthenticationFlow={{ .Values.deploymentToml.totp.enrolUserInAuthenticationFlow }} +usecase={{ .Values.deploymentToml.totp.usecase | quote }} +secondaryUserstore={{ .Values.deploymentToml.totp.secondaryUserstore | quote }} +TOTPAuthenticationEndpointURL={{ .Values.deploymentToml.totp.authenticationEndpointURL | quote }} +TOTPAuthenticationEndpointErrorPage={{ .Values.deploymentToml.totp.authenticationEndpointErrorPage | quote }} +TOTPAuthenticationEndpointEnableTOTPPage={{ .Values.deploymentToml.totp.authenticationEndpointEnableTOTPPage | quote }} +Issuer={{ .Values.deploymentToml.totp.issuer | quote }} +UseCommonIssuer={{ .Values.deploymentToml.totp.useCommonIssuer }} +EnableAccountLockingForFailedAttempts = {{ .Values.deploymentToml.totp.userAccountLockEnabled }} + +{{- if .Values.deploymentToml.extraConfigs }} +{{ .Values.deploymentToml.extraConfigs }} +{{- end }} + +[encryption] +{{- if .Values.deployment.secretStore.enabled }} +key= "$secret{symmetric_key}" +{{- else }} +key= {{ 
.Values.deploymentToml.encryption.key | quote }} +{{- end }} + +{{- if .Values.deployment.secretStore.enabled }} +# Secure vault encryted secrets +[secrets] +# Super admin creds +super_admin_username = {{ .Values.deploymentToml.superAdmin.username | quote }} +super_admin_password = {{ .Values.deploymentToml.superAdmin.password | quote }} +# Database creds +database_identity_username = {{ .Values.deploymentToml.database.identity.username | quote }} +database_identity_password = {{ .Values.deploymentToml.database.identity.password | quote }} +database_shared_username = {{ .Values.deploymentToml.database.shared.username | quote }} +database_shared_password = {{ .Values.deploymentToml.database.shared.password | quote }} +database_user_username = {{ .Values.deploymentToml.database.user.username | quote }} +database_user_password = {{ .Values.deploymentToml.database.user.password | quote }} +database_consent_username = {{ .Values.deploymentToml.database.consent.username | quote }} +database_consent_password = {{ .Values.deploymentToml.database.consent.password | quote }} +# Keystores +keystore_tls_password = {{ .Values.deploymentToml.keystore.tls.password | quote }} +keystore_tls_key_password = {{ .Values.deploymentToml.keystore.tls.keyPassword | quote }} +keystore_primary_password = {{ .Values.deploymentToml.keystore.primary.password | quote }} +keystore_primary_key_password = {{ .Values.deploymentToml.keystore.primary.keyPassword | quote }} +keystore_internal_password = {{ .Values.deploymentToml.keystore.internal.password | quote }} +keystore_internal_key_password = {{ .Values.deploymentToml.keystore.internal.keyPassword | quote }} +# Truststore +keystore_truststore_password = {{ .Values.deploymentToml.truststore.password | quote }} +# App password +app_password = {{ .Values.deploymentToml.identity.authFramework.endpoint.appPassword | quote }} +# Symmetric key +symmetric_key = {{ .Values.deploymentToml.encryption.key | quote }} +{{- if 
.Values.deploymentToml.recaptcha.enabled }} +# Recaptcha creds +recaptcha_site_key = {{ .Values.deploymentToml.recaptcha.siteKey | quote }} +recaptcha_secret_key = {{ .Values.deploymentToml.recaptcha.secretKey | quote }} +{{- end }} + +{{- if .Values.deploymentToml.outputAdapter.email.enabled }} +output_adapter_email_password = {{ .Values.deploymentToml.outputAdapter.email.password | quote }} +{{- end }} + +{{- end }} diff --git a/confs/log4j2.properties b/confs/log4j2.properties new file mode 100644 index 00000000..51a360a0 --- /dev/null +++ b/confs/log4j2.properties 
@@ -0,0 +1,403 @@ +# +# Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# list of all appenders +#add entry "syslog" to use the syslog appender +appenders = CARBON_CONSOLE, AUDIT_CONSOLE, ATOMIKOS_CONSOLE, CARBON_TRACE_CONSOLE, CORRELATION_CONSOLE, DELETE_EVENT_CONSOLE, TRANSACTION_CONSOLE, osgi, DIAGNOSTICS_CONSOLE +#, syslog + +# CARBON_CONSOLE is set to be a ConsoleAppender using a PatternLayout. +appender.CARBON_CONSOLE.type = Console +appender.CARBON_CONSOLE.name = CARBON_CONSOLE +appender.CARBON_CONSOLE.layout.type = PatternLayout +appender.CARBON_CONSOLE.layout.pattern = TID: [%X{tenantId}] Tenant: [%X{tenantDomain}] [%d] [%X{Correlation-ID}] : carbon : %5p {%c} - %replace{%mm}{\n}{|}%xThrowable{separator(|)}%n +appender.CARBON_CONSOLE.filter.threshold.type = ThresholdFilter +appender.CARBON_CONSOLE.filter.threshold.level = DEBUG + +# AUDIT_CONSOLE is set to be a ConsoleAppender using a PatternLayout. 
+appender.AUDIT_CONSOLE.type = Console +appender.AUDIT_CONSOLE.name = AUDIT_CONSOLE +appender.AUDIT_CONSOLE.layout.type = PatternLayout +appender.AUDIT_CONSOLE.layout.pattern = TID: [%X{tenantId}] Tenant: [%X{tenantDomain}] [%d] [%X{Correlation-ID}] : audit : %5p {%c} - %replace{%mm}{\n}{|}%xThrowable{separator(|)}%n +appender.AUDIT_CONSOLE.filter.threshold.type = ThresholdFilter +appender.AUDIT_CONSOLE.filter.threshold.level = INFO + +# ATOMIKOS_CONSOLE is set to be a ConsoleAppender using a PatternLayout. +appender.ATOMIKOS_CONSOLE.type = Console +appender.ATOMIKOS_CONSOLE.name = ATOMIKOS_CONSOLE +appender.ATOMIKOS_CONSOLE.layout.type = PatternLayout +appender.ATOMIKOS_CONSOLE.layout.pattern = [%d] [%X{Correlation-ID}] %5p {%c} - %mm%ex%n +appender.ATOMIKOS_CONSOLE.filter.threshold.type = ThresholdFilter +appender.ATOMIKOS_CONSOLE.filter.threshold.level = INFO + +# ATOMIKOS_CONSOLE is set to be a ConsoleAppender using a PatternLayout. +appender.CARBON_TRACE_CONSOLE.type = Console +appender.CARBON_TRACE_CONSOLE.name = CARBON_TRACE_CONSOLE +appender.CARBON_TRACE_CONSOLE.layout.type = PatternLayout +appender.CARBON_TRACE_CONSOLE.layout.pattern = [%d] [%X{Correlation-ID}] %5p {%c} - %mm%ex%n +appender.CARBON_TRACE_CONSOLE.filter.threshold.type = ThresholdFilter +appender.CARBON_TRACE_CONSOLE.filter.threshold.level = INFO + +# CORRELATION_CONSOLE is set to be a ConsoleAppender using a PatternLayout. +appender.CORRELATION_CONSOLE.type = Console +appender.CORRELATION_CONSOLE.name = CORRELATION_CONSOLE +appender.CORRELATION_CONSOLE.layout.type = PatternLayout +appender.CORRELATION_CONSOLE.layout.pattern = %d{yyyy-MM-dd HH:mm:ss,SSS}|%X{Correlation-ID} : correlation : |%t|%mm%n +appender.CORRELATION_CONSOLE.filter.threshold.type = ThresholdFilter +appender.CORRELATION_CONSOLE.filter.threshold.level = INFO + + +# DIAGNOSTICS_CONSOLE is set to be a ConsoleAppender using a PatternLayout. 
+appender.DIAGNOSTICS_CONSOLE.type = Console +appender.DIAGNOSTICS_CONSOLE.name = DIAGNOSTICS_CONSOLE +appender.DIAGNOSTICS_CONSOLE.layout.type = PatternLayout +appender.DIAGNOSTICS_CONSOLE.layout.pattern = [%d] [%X{Correlation-ID}] %5p {%c} - %mm%ex%n +appender.DIAGNOSTICS_CONSOLE.filter.threshold.type = ThresholdFilter +appender.DIAGNOSTICS_CONSOLE.filter.threshold.level = INFO + +# DELETE_EVENT_CONSOLE is set to be a ConsoleAppender using a PatternLayout. +appender.DELETE_EVENT_CONSOLE.type = Console +appender.DELETE_EVENT_CONSOLE.name = DELETE_EVENT_CONSOLE +appender.DELETE_EVENT_CONSOLE.layout.type = PatternLayout +appender.DELETE_EVENT_CONSOLE.layout.pattern = [%d] [%X{Correlation-ID}] %5p {%c} - %mm%ex%n +appender.DELETE_EVENT_CONSOLE.filter.threshold.type = ThresholdFilter +appender.DELETE_EVENT_CONSOLE.filter.threshold.level = INFO + +# TRANSACTION_CONSOLE is set to be a ConsoleAppender using a PatternLayout. +appender.TRANSACTION_CONSOLE.type = Console +appender.TRANSACTION_CONSOLE.name = TRANSACTION_CONSOLE +appender.TRANSACTION_CONSOLE.layout.type = PatternLayout +appender.TRANSACTION_CONSOLE.layout.pattern = TID: [%X{tenantId}] [%d] [%X{Correlation-ID}] : transaction : {%c} - %mm %n +appender.TRANSACTION_CONSOLE.filter.threshold.type = ThresholdFilter +appender.TRANSACTION_CONSOLE.filter.threshold.level = INFO + +# Uncomment the below lines to use the Syslog Appender +#appender.syslog.type = Syslog +#appender.syslog.name = Syslog +#appender.syslog.host = localhost +#appender.syslog.port = 514 +#appender.syslog.protocol = UDP +#appender.syslog.layout.type = PatternLayout +#appender.syslog.layout.pattern = [%d] [%tenantId] %5p {%c} - %mm%ex%n +#appender.syslog.filter.threshold.type = ThresholdFilter +#appender.syslog.filter.threshold.level = DEBUG + +appender.osgi.type = PaxOsgi +appender.osgi.name = PaxOsgi +appender.osgi.filter = * + +loggers = AUDIT_LOG, trace-messages, diagnostics, org-apache-coyote, com-hazelcast, javax-mail, Owasp-CsrfGuard, 
org-apache-axis2-wsdl-codegen-writer-PrettyPrinter, org-apache-axis2-clustering, org-apache-catalina, org-apache-tomcat, org-apache-axis2-description, org-wso2-carbon-apacheds, org-apache-directory-server-ldap, org-apache-directory-server-core-event, com-atomikos, org-quartz, org-apache-jackrabbit-webdav, org-apache-juddi, org-apache-commons-digester-Digester, org-apache-jasper-compiler-TldLocationsCache, org-apache-qpid, org-apache-qpid-server-Main, qpid-message, qpid-message-broker-listening, org-apache-tiles, org-apache-commons-httpclient, org-apache-solr, me-prettyprint-cassandra-hector-TimingLogger, org-apache-axis-enterprise, org-apache-directory-shared-ldap, org-apache-directory-server-ldap-handlers, org-apache-directory-shared-ldap-entry-DefaultServerAttribute, org-apache-directory-server-core-DefaultDirectoryService, org-apache-directory-shared-ldap-ldif-LdifReader, org-apache-directory-server-ldap-LdapProtocolHandler, org-apache-directory-server-core, org-apache-directory-server-ldap-LdapSession, DataNucleus, Datastore, Datastore-Schema, JPOX-Datastore, JPOX-Plugin, JPOX-MetaData, JPOX-Query, JPOX-General, JPOX-Enhancer, org-apache-hadoop-hive, hive, ExecMapper, ExecReducer, net-sf-ehcache, axis2Deployment, equinox, tomcat2, StAXDialectDetector, org-apache-directory-api, org-apache-directory-api-ldap-model-entry, TRANSACTION_LOGGER, DELETE_EVENT_LOGGER, org-springframework, org-opensaml-xml-security-credential-criteria, org-wso2-carbon-user-core, org-wso2-carbon-identity, org-wso2-carbon-identity-sso-saml, org-wso2-carbon-identity-application, org-wso2-carbon-identity-application-authentication-framework, org-wso2-carbon-identity-oauth2, org-wso2-carbon-identity-oauth, org-wso2-carbon-identity-application-authenticator, org-wso2-carbon-identity-scim, org-wso2-carbon-identity-scim2, org-wso2-charon-core, org-wso2-charon3-core, org-eclipse-jetty + +logger.AUDIT_LOG.name = AUDIT_LOG +logger.AUDIT_LOG.level = INFO 
+logger.AUDIT_LOG.appenderRef.AUDIT_CONSOLE.ref = AUDIT_CONSOLE +logger.AUDIT_LOG.additivity = false + +logger.trace-messages.name = trace.messages +logger.trace-messages.level = TRACE +logger.trace-messages.appenderRef.CARBON_TRACE_CONSOLE.ref = CARBON_TRACE_CONSOLE + +logger.org-apache-coyote.name = org.apache.coyote +logger.org-apache-coyote.level = WARN + +logger.org-apache-axis2-description.name = org.apache.axis2.description +logger.org-apache-axis2-description.level = ERROR + +logger.com-hazelcast.name = com.hazelcast +logger.com-hazelcast.level = ERROR + +logger.javax-mail.name = javax.mail +logger.javax-mail.level = ERROR + +logger.org-eclipse-jetty.name = org.eclipse.jetty +logger.org-eclipse-jetty.level = ERROR + +logger.Owasp-CsrfGuard.name = Owasp.CsrfGuard +logger.Owasp-CsrfGuard.level = WARN + +logger.org-apache-axis2-wsdl-codegen-writer-PrettyPrinter.name = org.apache.axis2.wsdl.codegen.writer.PrettyPrinter +logger.org-apache-axis2-wsdl-codegen-writer-PrettyPrinter.level = ERROR +logger.org-apache-axis2-wsdl-codegen-writer-PrettyPrinter.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-axis2-clustering.name = org.apache.axis2.clustering +logger.org-apache-axis2-clustering.level = INFO +logger.org-apache-axis2-clustering.additivity = false + +logger.org-apache.name = org.apache +logger.org-apache.level = INFO +logger.org-apache.additivity = false +logger.org-apache.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-catalina.name = org.apache.catalina +logger.org-apache-catalina.level = ERROR + +logger.org-apache-tomcat.name = org.apache.tomcat +logger.org-apache-tomcat.level = INFO + +logger.org-wso2-carbon-apacheds.name = org.wso2.carbon.apacheds +logger.org-wso2-carbon-apacheds.level = WARN + +logger.org-apache-directory-server-ldap.name = org.apache.directory.server.ldap +logger.org-apache-directory-server-ldap.level = ERROR + +logger.org-apache-directory-server-core-event.name = 
org.apache.directory.server.core.event +logger.org-apache-directory-server-core-event.level = WARN + +logger.com-atomikos.name = com.atomikos +logger.com-atomikos.level = INFO +logger.com-atomikos.additivity = false +logger.com-atomikos.appenderRef.ATOMIKOS_CONSOLE.ref = ATOMIKOS_CONSOLE + +logger.org-quartz.name = org.quartz +logger.org-quartz.level = WARN + +logger.org-apache-jackrabbit-webdav.name = org.apache.jackrabbit.webdav +logger.org-apache-jackrabbit-webdav.level = WARN + +logger.org-apache-juddi.name = org.apache.juddi +logger.org-apache-juddi.level = ERROR + +logger.org-apache-commons-digester-Digester.name = org.apache.commons.digester.Digester +logger.org-apache-commons-digester-Digester.level = WARN + +logger.org-apache-jasper-compiler-TldLocationsCache.name = org.apache.jasper.compiler.TldLocationsCache +logger.org-apache-jasper-compiler-TldLocationsCache.level = WARN + +logger.org-apache-qpid.name = org.apache.qpid +logger.org-apache-qpid.level = WARN + +logger.org-apache-qpid-server-Main.name = org.apache.qpid.server.Main +logger.org-apache-qpid-server-Main.level = INFO + +logger.qpid-message.name = qpid.message +logger.qpid-message.level = WARN + +logger.qpid-message-broker-listening.name = qpid.message.broker.listening +logger.qpid-message-broker-listening.level = INFO + +logger.org-apache-tiles.name = org.apache.tiles +logger.org-apache-tiles.level = WARN + +logger.org-apache-commons-httpclient.name = org.apache.commons.httpclient +logger.org-apache-commons-httpclient.level = ERROR + +logger.org-apache-solr.name = org.apache.solr +logger.org-apache-solr.level = ERROR + +logger.me-prettyprint-cassandra-hector-TimingLogger.name = me.prettyprint.cassandra.hector.TimingLogger +logger.me-prettyprint-cassandra-hector-TimingLogger.level = ERROR + +logger.org-wso2.name = org.wso2 +logger.org-wso2.level = ERROR + +logger.org-apache-axis-enterprise.name = org.apache.axis2.enterprise +logger.org-apache-axis-enterprise.level = FATAL 
+logger.org-apache-axis-enterprise.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-directory-shared-ldap.name = org.apache.directory.shared.ldap +logger.org-apache-directory-shared-ldap.level = WARN +logger.org-apache-directory-shared-ldap.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-directory-server-ldap-handlers.name = org.apache.directory.server.ldap.handlers +logger.org-apache-directory-server-ldap-handlers.level = WARN +logger.org-apache-directory-server-ldap-handlers.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +#Following are to remove false error messages from startup (IS) +logger.org-apache-directory-shared-ldap-entry-DefaultServerAttribute.name = org.apache.directory.shared.ldap.entry.DefaultServerAttribute +logger.org-apache-directory-shared-ldap-entry-DefaultServerAttribute.level = FATAL +logger.org-apache-directory-shared-ldap-entry-DefaultServerAttribute.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-directory-server-core-DefaultDirectoryService.name = org.apache.directory.server.core.DefaultDirectoryService +logger.org-apache-directory-server-core-DefaultDirectoryService.level = ERROR +logger.org-apache-directory-server-core-DefaultDirectoryService.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-directory-shared-ldap-ldif-LdifReader.name = org.apache.directory.shared.ldap.ldif.LdifReader +logger.org-apache-directory-shared-ldap-ldif-LdifReader.level = ERROR +logger.org-apache-directory-shared-ldap-ldif-LdifReader.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-directory-server-ldap-LdapProtocolHandler.name = org.apache.directory.server.ldap.LdapProtocolHandler +logger.org-apache-directory-server-ldap-LdapProtocolHandler.level = ERROR +logger.org-apache-directory-server-ldap-LdapProtocolHandler.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-directory-server-core.name = org.apache.directory.server.core 
+logger.org-apache-directory-server-core.level = ERROR +logger.org-apache-directory-server-core.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.org-apache-directory-server-ldap-LdapSession.name = org.apache.directory.server.ldap.LdapSession +logger.org-apache-directory-server-ldap-LdapSession.level = Error +logger.org-apache-directory-server-ldap-LdapSession.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE + +logger.correlation.name = correlation +logger.correlation.level = INFO +logger.correlation.appenderRef.CORRELATION_CONSOLE.ref = CORRELATION_CONSOLE +logger.correlation.additivity = false + +logger.diagnostics.name = diagnostics +logger.diagnostics.level = INFO +logger.diagnostics.appenderRef.DIAGNOSTICS_CONSOLE.ref = DIAGNOSTICS_CONSOLE +logger.diagnostics.additivity = false + +#Hive Related Log configurations +logger.DataNucleus.name = DataNucleus +logger.DataNucleus.level = ERROR + +logger.Datastore.name = Datastore +logger.Datastore.level = ERROR + +logger.Datastore-Schema.name = Datastore.Schema +logger.Datastore-Schema.level = ERROR + +logger.JPOX-Datastore.name = JPOX.Datastore +logger.JPOX-Datastore.level = ERROR + +logger.JPOX-Plugin.name = JPOX.Plugin +logger.JPOX-Plugin.level = ERROR + +logger.JPOX-MetaData.name = JPOX.MetaData +logger.JPOX-MetaData.level = ERROR + +logger.JPOX-Query.name = JPOX.Query +logger.JPOX-Query.level = ERROR + +logger.JPOX-General.name = JPOX.General +logger.JPOX-General.level = ERROR + +logger.JPOX-Enhancer.name = JPOX.Enhancer +logger.JPOX-Enhancer.level = ERROR + +logger.org-apache-hadoop-hive.name = org.apache.hadoop.hive +logger.org-apache-hadoop-hive.level = WARN + +logger.hive.name = hive +logger.hive.level = WARN + +logger.ExecMapper.name = ExecMapper +logger.ExecMapper.level = WARN + +logger.ExecReducer.name = ExecReducer +logger.ExecReducer.level = WARN + +logger.net-sf-ehcache.name = net.sf.ehcache +logger.net-sf-ehcache.level = ERROR + +logger.axis2Deployment.name = org.apache.axis2.deployment 
+logger.axis2Deployment.level = WARN + +logger.equinox.name = org.eclipse.equinox +logger.equinox.level = FATAL + +logger.tomcat2.name = tomcat +logger.tomcat2.level = FATAL + +logger.StAXDialectDetector.name = org.apache.axiom.util.stax.dialect.StAXDialectDetector +logger.StAXDialectDetector.level = ERROR + + +# root loggers +#uncomment the last line to add syslog appender to the root loggers +rootLogger.level = INFO +rootLogger.appenderRef.CARBON_CONSOLE.ref = CARBON_CONSOLE +rootLogger.appenderRef.PaxOsgi.ref = PaxOsgi +#rootLogger.appenderRef.syslog.ref = Syslog + + +logger.org-apache-directory-api.name=org.apache.directory.api +logger.org-apache-directory-api.level=ERROR + +logger.org-apache-directory-api-ldap-model-entry.name=org.apache.directory.api.ldap.model.entry +logger.org-apache-directory-api-ldap-model-entry.level=FATAL + +logger.org-springframework.name=org.springframework +logger.org-springframework.level=WARN + +logger.org-opensaml-xml-security-credential-criteria.name=org.opensaml.xml.security.credential.criteria +logger.org-opensaml-xml-security-credential-criteria.level=WARN + +logger.org-wso2-carbon-user-core.name=org.wso2.carbon.user.core +logger.org-wso2-carbon-user-core.level=INFO + +logger.org-wso2-carbon-identity.name=org.wso2.carbon.identity +logger.org-wso2-carbon-identity.level=INFO + +logger.org-wso2-carbon-identity-sso-saml.name=org.wso2.carbon.identity.sso.saml +logger.org-wso2-carbon-identity-sso-saml.level=INFO + +logger.org-wso2-carbon-identity-application.name=org.wso2.carbon.identity.application +logger.org-wso2-carbon-identity-application.level=INFO + +logger.org-wso2-carbon-identity-application-authentication-framework.name=org.wso2.carbon.identity.application.authentication.framework +logger.org-wso2-carbon-identity-application-authentication-framework.level=INFO + +#logger.org-wso2-carbon-identity-mgt.name=org.wso2.carbon.identity.mgt +#logger.org-wso2-carbon-identity-mgt.level=DEBUG + 
+logger.org-wso2-carbon-identity-oauth2.name=org.wso2.carbon.identity.oauth2 +logger.org-wso2-carbon-identity-oauth2.level=INFO + +logger.org-wso2-carbon-identity-oauth.name=org.wso2.carbon.identity.oauth +logger.org-wso2-carbon-identity-oauth.level=INFO + +logger.org-wso2-carbon-identity-oidc.name=org.wso2.carbon.identity.oidc +logger.org-wso2-carbon-identity-oidc.level=INFO + +logger.org-wso2-carbon-identity-application-authenticator.name=org.wso2.carbon.identity.application.authenticator +logger.org-wso2-carbon-identity-application-authenticator.level=INFO + +logger.org-wso2-carbon-identity-scim.name=org.wso2.carbon.identity.scim +logger.org-wso2-carbon-identity-scim.level=INFO + +logger.org-wso2-carbon-identity-scim2.name=org.wso2.carbon.identity.scim2 +logger.org-wso2-carbon-identity-scim2.level=INFO + +logger.org-wso2-charon-core.name=org.wso2.charon.core +logger.org-wso2-charon-core.level=INFO + +logger.org-wso2-charon3-core.name=org.wso2.charon3.core +logger.org-wso2-charon3-core.level=INFO + +#logger.org-wso2-carbon-identity-mgt.name=org.wso2.carbon.identity.mgt +#logger.org-wso2-carbon-identity-mgt.level=DEBUG + +#logger.org-wso2-carbon-idp-mgt.name=org.wso2.carbon.idp.mgt +#logger.org-wso2-carbon-idp-mgt.level=DEBUG + +#logger.org-wso2-carbon-identity-provisioning.name=org.wso2.carbon.identity.provisioning +#logger.org-wso2-carbon-identity-provisioning.level=DEBUG + +#logger.org-wso2-carbon-identity-user-account-association.name=org.wso2.carbon.identity.user.account.association +#logger.org-wso2-carbon-identity-user-account-association.level=DEBUG + +#logger.org-wso2-carbon-identity-user-profile-mgt.name=org.wso2.carbon.identity.user.profile.mgt +#logger.org-wso2-carbon-identity-user-profile-mgt.level=DEBUG + +#logger.org-wso2-carbon-security.name=org.wso2.carbon.security +#logger.org-wso2-carbon-security.level=DEBUG + +#logger.org-wso2-carbon-identity-sso-agent.name=org.wso2.carbon.identity.sso.agent 
+#logger.org-wso2-carbon-identity-sso-agent.level=DEBUG + +#logger.org-wso2-carbon-identity-core.name=org.wso2.carbon.identity.core +#logger.org-wso2-carbon-identity-core.level=DEBUG + +logger.TRANSACTION_LOGGER.name=TRANSACTION_LOGGER +logger.TRANSACTION_LOGGER.level=INFO +logger.TRANSACTION_LOGGER.appenderRef.TRANSACTION_CONSOLE.ref = TRANSACTION_CONSOLE + +logger.DELETE_EVENT_LOGGER.name=DELETE_EVENT_LOGGER +logger.DELETE_EVENT_LOGGER.level=INFO +logger.DELETE_EVENT_LOGGER.appenderRef.TRANSACTION_CONSOLE.ref = TRANSACTION_CONSOLE diff --git a/confs/secret-conf.properties b/confs/secret-conf.properties new file mode 100644 index 00000000..6f3e5e92 --- /dev/null +++ b/confs/secret-conf.properties 
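Review bot: `DELETE_EVENT_LOGGER` is wired to `TRANSACTION_CONSOLE` on the last line of the hunk, while the `DELETE_EVENT_CONSOLE` appender declared near the top is listed in `appenders` but referenced by nothing, so delete events come out under the `: transaction :` prefix and cannot be separated from transaction records downstream; the reference should read `logger.DELETE_EVENT_LOGGER.appenderRef.DELETE_EVENT_CONSOLE.ref = DELETE_EVENT_CONSOLE`. Neither that logger nor `TRANSACTION_LOGGER` nor `trace-messages` sets `additivity = false`, so each of their records is printed a second time by the root `CARBON_CONSOLE` appender. Only the `CARBON_CONSOLE` and `AUDIT_CONSOLE` patterns fold embedded newlines with `%replace{%mm}{\n}{|}`; the diagnostics, transaction, correlation and delete-event patterns emit `%mm` unmodified, so a user-supplied value that reaches one of those loggers can split a record into forged lines in a line-oriented container log pipeline, and wrapping `%mm` the same way there keeps the appenders consistent. Separately, `logger.org-wso2` (ERROR), `logger.org-apache`, `logger.correlation` and `logger.org-wso2-carbon-identity-oidc` are defined but absent from the `loggers` list; whether this Pax Logging build honours unlisted loggers should be confirmed, because if it does, `org.wso2` at ERROR silences INFO from every `org.wso2.*` package that is not individually listed.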
@@ -0,0 +1,29 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+keystore.identity.location=/home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/repository/resources/security/{{ .Values.deploymentToml.keystore.internal.fileName }}
+keystore.identity.type=JKS
+keystore.identity.alias={{ .Values.deploymentToml.keystore.internal.alias }}
+keystore.identity.store.password=identity.store.password
+keystore.identity.key.password=identity.key.password
+
+carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler
+secVault.enabled=true
+secretRepositories=file
+secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
+secretRepositories.file.location=repository/conf/security/cipher-text.properties
+keystore.identity.store.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
+keystore.identity.key.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
diff --git a/confs/thrift-authentication.xml b/confs/thrift-authentication.xml
new file mode 100644
index 00000000..185f131e
--- /dev/null
+++ b/confs/thrift-authentication.xml
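Review bot: `keystore.identity.type=JKS` is hard-coded while the keystore file name and alias on the neighbouring lines are taken from `.Values.deploymentToml.keystore.internal`, so a PKCS12 internal keystore supplied through values (a `.p12` file name) may fail to open in the secure-vault callback handler at startup, depending on the JDK's keystore-compatibility setting; the type should follow the same values path, e.g. `keystore.identity.type={{ .Values.deploymentToml.keystore.internal.type | default "JKS" }}`, or be derived from the file extension. The store and key passwords are resolved at runtime by `DefaultSecretCallbackHandler`, which is not part of this file — the chart has to feed that handler through whatever source it reads (presumably a password file or environment variable at first boot), and that wiring should be confirmed elsewhere in the patch, since without it the pod will block or fail at startup rather than fall back. `secretRepositories.file.location` is a relative path (`repository/conf/security/cipher-text.properties`) whereas `keystore.identity.location` is absolute; presumably both are resolved against the carbon home, but giving the cipher-text file the same absolute `/home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/` prefix removes the dependency on the working directory.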
@@ -0,0 +1,45 @@ + + + + + + + + + + jdbc/WSO2IdentityDB + + + + + + org.wso2.carbon.identity.thrift.authentication.dao.DBThriftSessionDAO + + + 30000 + + + 10711 + + + 1800000 + + {{ .Values.deploymentToml.transport.thrift.protocols }} + {{ .Values.deploymentToml.transport.thrift.ciphers }} + + 
diff --git a/images/architecture.png b/images/architecture.png new file mode 100644 index 0000000000000000000000000000000000000000..e50ec22b34bf92fed3d1d9005dacaed16dbc0fd9 GIT binary patch literal 33120 zcmeEuWmuG5+b$p?Sfn5g!w`~6N=ghcq)19Dg3?Ggh^TbTP|_$cG$`Gn2o6ZY(4nA6 zOP9c2V?Dml_wFD2=RS__kBl?-z4D6lx~_Ar5Dj(33ukH0;^5$1P=doWad1u{ad2?o z5)y!KbR}4=z#m*^O+{Ip;%>SH92_PbC76u1hskp4ndcPmcB+UK!ZYw*!ZlSnm^jU( ziC&sqQsubc@FiUIOf#L#HM1SB3(qe(<9*=3!!v{3xkbV9Twr>a>!gc5esppnaUpGS zwJQAqqia>&8}Iyfzj?mKIhAgNSKIVvBI@aMND2`yp)?L&8d+`-+>3@f>2yFLX*B#IeNu(VfGJ^CAkMCX z*e5t26Amun6Q)P-XOG_Hkvx)qg6}~RLBcC9$7F^#(L{O*<$-PFm{b~i6h_4JSX!9q z8>O^}vz~$;`2uBHhAid?uU#5_}Rg$*b#^@JNEAafn}%zR9*EgsDC{6ftY2AO^!| zzJV8<<$vvkJjr`DTn1PfwYyj9MbQ32FiQh=QY4RYAk=u2IkGr-q+~NPg0j^V7XpHb z9-b(ifBuOXjBrm82eHM+R!)dF3T+Ow6rNQt8IS?((>rESk$@ItNu;52&7ZUhrI}>$ z>VtTHHNb@YA2R^Gf%c$bIFQ6bk3IwJ>@2|a<8dMK;3Kvzel;A#2baAC34Eq#HN0SR zY-iXpfS*6JfG49^S!KYJa6()dKXbs#MC?1DO$VY^ZKLD8y;rdh-U17j2~nx}^&9pp z>_<&y9E7UXodwDtgZT9&Sif9CCgd$dw$bnButNmDUSWL%M+v@iIrrn`UtfYv(gw?& z`(BgxU#-NFNkg@0Zr7gv@$#RpnK;2Dw9T(j{i_vaA|~XO3*3{Br9TmVW2kL?8crbh zbC^ug#^4pVdpCQSXQ%?+UKF4e8!Qp-qxole0rmJKN(2P>OfzS2Vf|6pd(Zy)O#=rP zR*C~p!NVnNmBvAY>_Ii<3RM8 zziFQXAHibtLz$wDfS{lw=y`&$(hmiV!yg(E;1b3r0!gzVPY*a`=Nq%fk5 zUAAUoAgGLv8JEE75x)!vf|3B*cDkq7i5(n;5)Oi!j4lCezXcl*!^8khI(#!|^ARnJ zZT@30yuViC(V1IqIQU2v(00x1%+J`}2!%d^QxZjXg30rf&q%ub9z2Blf4+|02x%v< zME_;xKbEuk1c(^*S!}!fKsi1by$CcFMMBhVJjnowR)(l|DBIB@gE=tc46 zJB)sNFB&#FxG<#_o%JjGTLU+XJU74Wbn-RbK04UGXSeClbadZ+(lue_bvr}xN;U)8 z`!L?x_uZoNDW390wTt;~^QrD*sAPKsmv!PB-(OWYOi$?=+EqO6)G&n3uQi=C7S()7 z5;AfB_>^kQd#z!9>^<(UJ!pOm^hV)_F()LVd)SPt-d5bOW5AAR@Y*iT&*!8Sb;=@t zmlUZSI#)IAXTw$a>ap+6=mTEo+l$v8&Pdm-)-EjvoMCvyYg{{0s9(1H_#E#m@zv_L zQpbDuZ2Gg5Zt1vu?QQ86TjCzKtC~F9C`F>A^vS@cNN3j7dU_5Wld9qTTmFF76JSNJ zRhfwdt-@Q=>b1LSXX>|~-SF+rIZU~g)^Mc%$>DV6;cDG@<+%OQv3Jwaj`Iy9T?new zLuBG%ppflIuf?|8s0Ee#RI)>(6?>`+()U}-naVEV@sXL9z|`-PZsT_L2f5IP2zkoa 
z+ry^QM|FO?%Vj-d1hlp@_{EO1Z9DI%Oh>>fFJ$!1a8$|E+Jk|3{qHc*vgJ(Evj|yKyxwscx>rzG8hU|VOwi#l=sdOAe7b+5xS}t{wdN?kIy9m9rooru=CVJg?b;M&f!dL`|kQ-G3qyP6luzif;hs$Ngs@H#M zx)qbO0{?|uS;WAOR^dZ$l2M05!eFECCseaqSNCS4++V(sJMkT}${A%#w*Ax{Qw{HC z@SG!MXKSI63;BAjo$elxg92l(h3p+L_;IiXbNKMbY&Egp;DliCMq0WWFI@(2Db_G5 zsm*t%re>r$bzD)m=WE@w+x;$D&UxIszV9u^- z&d_e$|Kw=pJxi3!o9E*W7GgIg)?w^1`KFL7Rx8s@ClUy{8-DdGHS=k1@0o+Hdr~PD zjZ-WcA!2X4En&J+*+2R$=H;j!k(Cuyj&-sL&bax+tc&67vn{$e8*|SKrkw z6NfWA7l2>EE+qx9l-xLEIarD2h<}7Hi&x!7V^i&lU{87YxYO*kqA_HD!nsGkCrxq% zXr&u}&iP@WuQMIdv7CqOFSH0Yfsj=h+Sj~8haDShvN+OQGkX$4OaCCn@tIn>)MUlI zw--cQ%*OI{xBxIL?nH9NA=#n-zSmj{Ku5D=h`f2jneARhnt|Gw_|B}Xo z{N(QZ<@r#q;^$PEV_CwD#|KNRYX(gm`%u%MPyAAek%7_-y${XMW%hq zVyw1B-optX`%5KFW1qtKR?VB_!zk^~mR>)jWyl(Zlzkm9xK_8;Xupz=saA$wBDOG2 z_dBp^m(%2H(S4@5y{Ms}J8JkY^wdw=9ZdjS3(ZS7BUmK|A~@94dqs$yevD3G;6|KP zjL||aFS6sqm9k6bP$3>oEk0MGC#yu#f&S6+>y9tUQzt5X$&`q4Q2vY2AHo?V z$1FZUC5NKG=%$WUBMj#^#pBaSeSY2V#0 zawVlq3@%tbhmluz)t%Bjzfg*NewRnUs?38x$8cIVeD6hT`KMnER`xsOgp347} zjEtbUz(zfFMA810?bXKrK8} znDn4S@1--KQAwd!MElfVCLQd}1QL(6oMDtmhg%=LH2(t3K;3)H1s)N`=q&-xqFq@u6@|ADN@NY~sE0IqT+Uc(vdq z-6c93nlD-Zs)^(GVpIG$@b4EoL5^m?x`rm*5 z4JxIXHo+=W<9Ys@ zAe#72g7Y6=f{^7Qn9;-f>;FdKUqFnK$cTsYpN%k)M1t5NlIp?li1Jt0?TWxc)Y88P2?pN^8$OFlC(Ae&OKvyQ{KH%B(J8Pn5q{l<-R{u}GFA85UY z3o4jtmxY>zN6P#o=IecXq`ePUafOakmyW(r4RgStvk-bMNiy^cxqJEH)_NQOu~r-8ea;hw4}^i70OixJ=`a!{|9f(se;Sdd z1Ge!xht?TLV(GOEA=q7v1gh}R<;o?U`9C+tCxr=Nz!{BHM`sn$+=#7F%AR=RO7fb!39K-%pQPTiy)j+joo zDu`mJnNR=qn{=qK(r{?YES)|*rPM}{k7wgkcF0+4ry`{bnI#B|96S>@$9)n z=i6mQ-`GlpP#yg$2i2m~_|pYe$^z){8qHHk(Xkg)VEh)i+2Vf-7)UOjx&?$QlTCI1 z@9%TzaQTsO_tF=W25Jv)=Lagx|6V?WM^62lhrF1Ca9`dy^sb(!Q z2)z92ub1CL1Ikz3qTu(PuD4HF!T8XZjN2#ea1PzY2u1r6qIW62K_B68M6DVU!FqAYsZHIo;*h;D=1<;5S(D5l<5QB$A{@e03WTF-@NuO` zepX3-4whf-(L72u=*H_*MJPF~SQBmcnU~Y+FI<0b)1KU;c{YDD8I`kOj+EV@0&*lX zr>^01t3UlU45k6lMTg5C`M4*H|MiQ_x{v>32qP;~>9>24ZvaeuTK4I~Kb4|?wulG- zQ8w;7N>;p(#8`Nr`XA9Dxqyq+ZnZUzp@hASgQ(aD`F{y26BO5!Uza(#YvETTu0m9Z 
z!Y~s5f6V9t8z`cPH#TlvL~OB=Sy-Qe=(9yr{8qI;`C>AREsXyzZb3oKvXm|r^YL#Z zgM;4>>OrdRKE4a|kOdW}<*zvB=L&XUGd-tZp}8?YK-eMb|4a&-z6X{a9ioFY4283a zdX>}vaR)%Ahrn;=L#~5=9W_wD5(GaNwG|lb-ScgOlOJ?uReVU%A1+9Wo&QH*!R|xj zei&~4JeFX$zceQn_GofdQP=yHLzh29F1`KwJ zMkJkRKM1!i4j!x`4yPw;U7h{U9_RV5O*i>FiRs@_Aw}cKIMV!MxpDAcg0h){OofES zm(a{(W2fBoV&l4QJ(*%b0?jKQ&qspv+Xr{M)&0*_R^PLMixbFE__MKK5+A^(ABbFr z2A(=|F=hCw1%*mn)1oG4jj9uh46)@f(GU6O>45VfJUAk9E0&IzW3XA&XUapOv(B2v5I(M~PDTr)Qx4NF>G%6p838uG$|7 zX2$P7n3z*(%P+pml&Gcqur-*J^`>c2LGc)WtWvi+<@lPDQ4l;n@THLbdL}8BpFD`46w21T1vP!fZB&#jH*x*4H3}MQ)#1MUmH19tOMZ`Xn31{OO zXr~yib-;s_+AD;JokFN;S6lw$*g3?pn)`hGb(T3xpzt9#66=Jx4~q;(@kr4f8#!)& z#)}hhnh2@}4b*$QS6Np0{s8Hy0M&BKVF7NDoW?^AFGd<^ufQ>>uw)6X7G-kk%y^8HZhw2=2Q~PFH@8h$#$zswBzoX2Z3v zFWo}PV$N=qq|lc=MSAv@UIfOOo^s=UF}fj^0uicIKh{%4h(yVP^>BA>P3YT<4r`;j z-8O5ZIkbVHP4MDRsk|fneaLEOIeDPabKqHJUo8(E^1d3)qc$zPbYIc-isj9cFC#W< zs#QheRi#tOkl3_mTyb3+toL+`p>dO&zD4G%Y~qcpV~d>`@=)Ip{FPq@ZI1b>$B4(_ zrbC(fQl&HlxtQ#fUscBuT=JN<^{KQwYUYi?Oi0kYJE0J^atcd<89*D(dlPbNvx zwN~=}3I_81z^!~yc%^aW+!IY|*`ruFPUp|BE6O}XENq(4$olyO*IRnqp#JG zbogc3cUU*^Efi;orQxjND6PQUYJxtyzFYpgOYfbv94A6+I16Kyj)B+sEIij2g}F)) zG^eS!>Y|+*<2`3$SQz`v&iR^AXiZy!u_r0o?B)ErkPnj=9bFO@9cD=5Wrt>!nq;!8 zyI1&%*{BCpI2laf8Ix}b2RS**%t;kKYnKhq`E{t+Ug zrpTVAqW}ioJ`<=g9QQ_fcVuC*NGU4uvTUa5H zB_-rSBHsfIG?;g*=Y>*O65nLlw2$KnP;H~6PD}0xG|*DrY>;B9a)Fgf6zZI%MsK{% z%A&*bVdAI5stq(<`Z59}hW+^waPtk8lbgg0evU7TCQF$IjP4O~)J-OwDTS4K@2=X* zr6f(A3W3K52|@IwB4f2901S@CYHzd;-d&ic_@kY1o6R}*B!&+x85J?aQa1upjj72) zAib~eDbj)hn2od43mCMMN}V71`JR%JD2U6RodQ-WV2+$a8;Vw7yMYnfp7}_{HWF!U zFrLIigQ|+z;^xPT^XSPaMT)Q0mvyB{dYd#kJtaeMn^tp?PWu!+h%nzbTa;G{&Z4@T zL5f`vWr#*D+}aKbB>u_RcvxH<-L6R-{j|HJ!#MoyOID4ehTyx_-rvJlF-vbq@ABqt z8Z{)mE@s&^j;fho+&xGXcegi|_t@Trb~vQqkfN_!wQEp8s85;aV`oZo4M1|UW+Dy~ zh^U)WT>fSr8it`2MI&p4OY({$6Ui0FI#z1qGO0H^II<*>(>{3N@OUALDT-%s zFY?e0L3{)^v7#~-W@{+nJq?8}v2amme_hh`DUoWd=O^(k$ZHAW*3HKB>LggADp7}i zAhM-2bpsGynrkGLn$hR(y|iR==aV#>vi!#4J1V)g!gySjmgd`({5BX=p50c7TeC7z 
zKs8KLzod^mN8CESJ1K_DYhg)YDULP?X=EelU^(vaMx4zz>Y=W@(@b-K{XzakpzXe~ z@j1T1=APFz&*E#!-Pwv+8yTTuH_VJnC=*^f+H5YB)e`ppCe%Fbv)+RuC~Hc&w-&YE zidpN!h&c?m41eh_#v_99Ajh&4@oG9kFHF#=(03&Xa=da)p%lUWpL#+6gk;-72Rh_n zazbjBku{?Y<3BBvb&iCCDj=xDv-|k_tb@(K3)YR>yt&sB1T4(rhD@EVjc180<(ny( zVisRgDB1O92C8{=(3IXj=Y2TIS?H6`8^$hU7pJ^F9kI>)S6PSENP0S$*gabn~&Pn0s06#)ib-o0V~ zWz=l*{_RAZDE62b;|y5z4W)f%$lRKt|7wx>>OmgSPA75GSpL$+!$f5C*w+VbhG9Z_ zW=S@(r)ZwSH@eYJE?(yz*OEpCoIp!)^TeYpf(?hw>c@pE^AYh2fJ$yPwS&f zQ?@A$<1xP0>|>-X3KWJg^I>Kr;zjlyP$D>wYxim(-_BWhnCKJ_^E@Y)sNKf-@%^tw zWc_AI)Fd2LKeaQ<+2_hHZ^TDydx`ub$5c}U{7V$9AB%S7HkQT%;0KhXW2XYb$viCI zJ7c_zVf+yv6X5Epf^Xdxf&e~j3^wnF=+^8gL)+DhOUd07p3Ya=~hh$Ji1LbPNN{oR`BEFb%NKt|B zcY3_Lgt45+4liFp`}~59_*0`F1Ph zr-o3X1Bs7jS}X>sBhAPizNs5r>l{6RHdnnCBgdchd9o42*M%=DeaY@(OvcTPT zrMC8`t@%RcNB@_hiPsCyxJ%<*i%(bo<86$UV1%g`DwlYJoz4)jNK3j&Hf6ZVstp zO@{+`GL?4KAD``fPB1k9CDF<4s!6xxrND!iwl5E|H;xadPm)k*dq6z`bb*A?>;w~Q zEIk9u!YV#)2|P0nNKJNt>*PAT+^{>f1Gp2l{D3IrQwIb(wUEKFmDFvkPf<~-`z459 zHx#sF>nc$2!8?UO_W&!MR6r*e+_k(#}wPF*kFf2XM8%!b-Jr z)ZM-$J{V((k}w0buDTc@i#3e?1A4%Hn6-_P+3eBRSxM9Jn0@2^ zeUTk?@fE?tk3ozntvnTjnw5avGBTuRY6mnl-6}K>)y+9D0>~*#!zJnDqcJz7MwQIe zrlE7>=ySZ)&FCfJaobt`2xJog3}X=@Q(rMs)@KWzcucwuSERa)p^t(CpX`BscOxs> ze4JNgojm3U*hAN^O}S6|u7K8FV~S4D6EIiUdcb8J!z;tYcz5MB$!cT=KHF|bN<7~q zZTVyvpi0@pyU4}G^9O$Myjx@w`(M-XX2TioS!eJ|KVPwC|f!FA~k=j z)X8^eL(3OWjcUl6yHmxJG2Y71xVYHsTmoKL7Lus;4d`3sD6!Puoiw<8?E(tWDfto* zL(D{RmP=zCQ5;evnYMfudTBr4p)Nh#{PV1CF=e>l{rZaA&a9}K_;Z$t9eG(;uf~76 zFVpNF*tppW4F%cf(pN2v@3V;4;?I|6Dcx?;zdY&D%^3#Q)zPWRdm#pm&Qy#NR!W3z zv@`m1f{au+ppZ`Gw+`+fv8uN&#`w1;nq?2~Mx5#PUNMir_h z3$Kbz=FYZ9xhGG-HRJLIUmS=`dCc}g@~-4#*^69qTJ~{DLt?!a@%n8?tF7cWxo<;( zDfLXa7Wb&l6T7Vs4)eJDe&SYp|2w;Tv`P^O(%vz&NE%&xcQJyLw|GW56e?a%NhOe8 z(m#eilb+t(T@0edx7z%ocbai_wel`_JQhO4*#^1?TzMs9L8?^5bsqInmr999|CQk) zU_n{FeRiP?Y|T5O42;ksmR*FUOBQ(#GHJT;k!Yzg$GH$d62&D2NtD!*=|${QlBEjd z_^W%Q4r8InvAAs@xUaze4jWY3TKOLCxDGg;>w;US-UqCRi7|D0V#%%O3d_DXMP1<= zAd8-r++BL^l2R#RA-w5uV`X8zQmJIyHcluBz-Xc+{cIT0*8B~Da_|?a?{DzOU#r*{ 
zmYq(1`PnS&Q%y*?d2qn~3Ar4ICAntFI+)H;4=&8wNWDRXpDe$Z--y*xceLREJQn*Z zd(BZri(`sHz}M-oby@g?k#7XVI{Stfs7e#Zcb9g)Z}!yXWgBdI%pnvpoJg<9XRRxJ zij1x$Ms0?4HJ{O#}#r$~BnOog6}*ieEjs&Y}xZg3Njb!xjFmsf7Q zCB9J(6kf8QLlNwjRp6ESPxxmqDHTPSJEw*QaUlsnEc**sK(3_Az9r9%{Ru3dMCp+g zYv?*nc!{~&W5UjGz$M_X^w3=DuVZQE19s*-otUr%m~#1bCGddfhyixiK^(7xmT$0ER4Kz zf9$o`@`Vw{cKTH9XQb$JeD%FWVdqV(UUoUVO}gsorMbBcEy)i0S!h-qYo3qY)}Aic z)l3|o5JCdvQ8bR$A>(*Dj2+gv<>p3D_q11)JY?yOkOR zSCAL3`}_~kaaNR}sGE#IaIZ*#So`9ObSJn)u|&SBRADD~1d>sYiWPY`nHSw3i2@YK zEuVz$6wv{@q_Q#Vf*L)0{2<{keJByHs(a6Ouc;>scP$Q=IH)DZKk$mj+|Q2~Bh_8m zTP!G1wPD;2MaU8pIRZAM?dx}xTw6$Fw;WXEO#(U$NE${FY! zvOg~v12iKK9SGp0Zjgq?kg}&6guo9dB04HgBMRvbeS}z$e(zX#ie#X(Az8#fa<83A z5*|&N9p|&I=`j@Ce9EIIT$bX?p{M^N4X6i`ymAK1xgoL!8kTWKegs4pveohw5pYV} z2$e-ZlgEVQa`hS@B|l;mx&w+&3o;}UmLU5nL*kSKvecKN%F785;p`v*B#}~P zbPkgE`Rjl?p$7~Qhd3@@vONpYm)Y~oSAZUcDjFCBf~J-JYI;E&-wZ-xn_9HXI^@EH zymtESrZpHc-jn}p!>#ZPKwv_-7cL&D>^}i>x^|gC?RO5SnU4=!*z#fXz z3fn$6_Fk!|1kinKrE1z_X+;RwksqK3xb@(yAVwJYN9KhR2?slF7k4$FlZ-~p+9~<*=`v?m}@*uo&f%>06+8!IQizvDKDG4y-#5)083N>SXAo_R^T47 z#5d`w%_Je4`yFsUK$mdNl;LmOoj`dj4;yJ zP~}157cwBFFU9v7*D;QEU;}fZO+vv?hN+BrR7pXB!&7Rv1Q3bgFzdB%swUO7FWImgq( zXHbsPz{Ae!>+LJ^p8J3}yA-yH<)GKPtyquUHTkp)yqqXC9dQ5HgBkJS72D$uO-1Vx zAzAzg0EcUB4gltRkdx|`L@te<1;+~J7h?ngiM0`XYNNXJaA(Daum0O(J7A#g=^tR@ zh(SXO#e)3&384<<;tGtx&i;J5c+1=#BQ6ZthZ7J^erFgHPW{wb&_lcHtYlxlj=>_}7pql%bHKpyWkD7UKRtLs1hby#8a8hfgi)1L{Hu^=1kA8530f^~dm zAaJG6d--*{k+9Q;=huKLEQzky0o+1Gf(~Nzt8UwbB3Bc?94t-Vs0fL|NKJuN#-P+_ z*~2=dl#Rq)zRtj$FopV+Kz-_d(VbIsIm!2dIjLUGiM(;V_g3xc&_TyLO2fivL!J$1 zpAbH3^m{pahts!~r6?VUb9wARfqbI%sE`=3CBPdP6j61FR_GO|bi5yLz6xSl&sulu zd+A-zznJr9b7)UhY^2(pPA0cz_7B z#`wNY8zhXIjJ=j-Y2&lx3y^eu`@$yzoVRP|=VAp8GsI=(2nIc(KZ8WaB?-Q|FviOf z^EA}-;Z$--M5(XasFTTqf^!xxKJTl9#Sbaq01w0E7^LkVHP=S#U<)L=&bufmGEv|` zt+956lx7fr+*pN9q7wQJIDk?Ff^lK9)?k{Rfus%)NRDGU%X$hx`d7fA7dIQ4iok*= z+Chujm0EQz%6Gsa9XV{$WpYs0ICJ^yMkn8z@KWEjtDseXD;kwGm~aYPs=s1`!pYB6TBzN#Y1d~!;`)oEPu7CvGk;niJ;88BR^QUoZ{Ve? 
z5U3ZEDw(cD);Q1Cy31Eu4|P}^eff|$TZ$YT)fq4qx};O8H}1KZ>=ro0C0*Xeze_&` zPUbv(Ts^3%QscbEB05y7Qj|DoBb)D##qxS+OHVDL$h4_Z?<5+kpEXFii)ob>@Cxu>MI1~uN{vj3}webp7dMN99-6%FM2ZHw4yla-z=!8)LNr44zD7k^0Y(brI(MID*s^wphLIoXN~+pEjfV4H zR!mFozgAg>IS1pnA&tsw@?mPj7n2_X6r!{DiHv2SDv$J9RL)$Wby%vhyS2n6J6JCb zEouC2R5y!a-Z@GcEgmXF6yEv9sUZZZVRCV+D`}R_>OcZ!1}jU}BOjo}ZSuE)Cfqh# zkYEHuF*-9XG9^}QTn#4}g}d3Q-LF@%1Jwminc|>d$1J03b(xTP=d9-FWuYvJDZyt+ z(6A>~0Sb*GzLgjJUGrD!Ee;LDnF4Y}oLlR;&DGe;M%DS-WnL61K+mzpec!}#ls1$O zMo;}H(0`|6l&?CA;HELY&j-*5?ZLiSB%IBi&N9_JJ#ED%b;=-@iPFo&$;zVcGdQ05 zX${~K@z%0YEkFu!R0MhW-pjQBec_1W>M$XR2sJOL4Hn2urAv*wE%p_+sZ($UKTS(8 zG8nZNg(Rl#u^>l7Tv@$C;krmad{-7EskE9W0x)t;8Qs|>0b~bHudx~6;@>G;C>*He z*{FP_A;Y~Tar0Vlp%^fAqtp;E1T$lF8Uz`a#V9igED7#lEL8{`CDDA^jTpgA65F1m z#HMH6-z;odm!V3D?S1|lL6Yt{P^A!mdkXPEy^srxy%f2XM~lY*thyxO<1=d5KeE(G z8CJzTk!kmn-7KxRgzRUOZ82Fb^~3&yI;SD}R4>d==n<-J-`|uoAkNE$IfsE0l9Vcu zOH9#ZVEdHu^vy&_&}6t?Zu_&q97jo|+BwfBsip4sh_f7mvS(@$C|bi}zXE0%EQn8g zmK3c~eZ2+_UPa7QpU1NTR6G$XUgl6P+R#u; zBwUxme=e@+Z<$9fd2ncuQw2fxz1qzl^xe5JGUfASCsgo3v76tYU>OR@N!bAvz>)Ow(VV#OY#^U)rk&W}ZB_`io*<_dU|3MEI%4wm0_$)1 zR;~nPxx*EU1I+0yRFFlC%vgZQ-lJiiKW&heJ{{ z>{-Q(0t@nVrt((Ee>gB=7=Pc#qO$eixyQlp;TTcd>n(ENjPnn4`(6weJ?ErGGm`Jg zz)y;HiMj~mpIq-+Ni}!MX1ib;Sb44k3Q1gbd<2Ie7Z^T{0tQrK>g@q7LTKnCR86F> zV`)*v$9&8yrBlOh4K(&WF+(|KzUxgRu(aF1Wg&kYDf| zAX&BIQ?BpX3@m5fe2}~&lPKm~xg^unAbj)AO-m={AI><7Z;hJU+{j7Y1Fx|)Vc7pk zRO+za)#2%-Z_rxDvC&HiRTn}VI|)eQ)X1}iL^n5i=vxvMObyUuSU<=DmadW*(8hy^ zIR5$kJPR`I3`a|s_mA4fg#YM~$OO2PN9;Stj$gZT!H_aPT0M z|Dzf=>X^2TcYVVEk7)tJoe%9$`aFo+F zB%7+Ldz^HjytRDL@9PlL+Rb!3@oh^z>sv-^L;+RodZU_QLuFIR@6sc-jG+Uy;|(Q{ zh0TPspKFbU-s$j*0_dV`VYIm}1ML*DmiU>RxMKedqbz*;u0E)9T7-HhMii?hUY%Uz ztEjf?PhRL44fgohKqp~aUo?^%;A&7M|B=cOm4Gjp?TUW4I2vip$%1GM%Sw>plFRg= zKyw2cRBv7hnKIfu323B6pFEb0d$W!u(WqGIlwn+u>P;4H@3Qim?sh=Vxo@Xiu7-FI zYr7h$pz_OwgsHZ*)J?crI;U2#>5MLdVvzc!SU9Y70>M)#@q=q+V6o6&$yc&a2lX*tI>{H()z(k;g8(?POxU>v+wNPmexUO9~IENbjJY0?spc zy|xpp%76bwY{)zI=|cGDFf%WejGk^jOtw8_LCfn=9gLNDK6BsEWb 
z&>w-b6QQ{s9c&bEaz$s;;{PI8QYbNXoLPh0;?R(pGC0Z=WL!!&c7uCn8;x8@&`yXfI=~>N#RIk0 zGVF0;8WDS2aL{rCW!xw@2WnL1@|60m31506$%sH9P^7X~_S`7QG$d4IP5YlrqSRBZ z)sh7B)>AZ-zJYW_vY!u)R@3*5FyF(KDiDX2Y1V%ETp_hld@imH-87;kI0;%H^(OW8bD=BUPw+q;*##|7AbH` zfCm2oh||V*#vL4h6f_t=Y&k9Lxna(p^^U>o+i>79NV3mEHGH-F!3^#Xx62a4N;Nds z)2l#5+%Sxi$4J$68N`t4G^|ml2+lujS^}(BrAPu|hUG@-XgIh<0Kt3cwo)-X1~&K8 zaRZ1aK@KZ98DGI^tkKsyS>QpWvCsOuRl1O5*!{o@!dESFZ%XZ((~7$la_LcbgBq=$ z6i$Wj#aK?^w?V}2vj$Fue1U?MpzL(7^T_u_U-Y;9bh&5eUmt8Q)$zBkg9R-0KUy+< zN~yK8DX1d5?gi2hh0gQcJD}V(g1vG8r0il3kyb?&7|!Z$O;0MLThuqV_5)}T+&426 zBk2|zxBBOG)Pj0uGbAX!@Ufl)CL{B*Xe?0x1?hX=M|5H?x#XN`F4T#mao__n}YjTqr| zrxD!tFd3^YxwQjaY}@p_8Rn$9)^+JVxHsU~hx$^5%8D*Vo;dy>=h%>%$wF#S*mp#w zKemBd&@#HSISr%@P>oA1#wUS;fqMcy68AveJCGh*eBS?@Fb>MTpBUb3Go654tqYRb zmQQ?<1k?11l-#+kcR%PN{e+w^2=3`i7E_!K*%7hN^Nm|x10}5W_XSco@z%1@4c}j{ ziOR&|?owZ7P=OY|0r?umg=v_pykpIJ8*Qq_LMO4Bj*f!U*4Mt(G@{aYP(qEu7S$^c z77NCK#(izey{MGAN*!^}*YWj`u3^n#soi+x=5>x$vJYRnlE-!Qj4il|t3TEADLocr zz1!h7&rp+o>Y(%sU^qDIH^uW9)-GfsMJ%8;G}G2iQpDKWb=?9gc|y=Iq-1ezv@FMW z1I^AGSYrEO2+N$x_pHf1vCeIwnfS50^ruD$5M9 z=)t3+!u-_%o8p=_!OaZeDeNUIG539sm&*s#SCcFfj4^eNYn!J)5Z(B(zt+_zS=cV= z@Weyv#g->sY}A_*I!1;R2jomERP1QP6DcJ3fTPB7NZs9 z@*=bT$)IN^cUd_3UA4?O)q+BS?(1(uPz>E5xpt2ojV;q%j?-BBxQ?ww62I~Kme8w~ za@|o%{ZpDZ9Lh>ymV3s}BC1uBcmk|^dWF>hn}hgZkZzHIC|b|Z^$2M10<4s6s>Vo5 zFt%YWbTv^;c(nE1Jh&IfbyrJAC$3X-@f@{eh7!}Z2vH0wWAPYiq$J^zetHSYSGUYR zAjy2C$PYdUg^>*sk+WTI>3_j@7h90uwTNoGo~H!emXG51KcI`AP(H?9;NcDKg0Z2S zzSkD+IIB0maE@5g(%Lv@)p=3?Td5}(ve0rhRetZ}&vzGl?}k#VOKu6ci{mpMae;Nh z>L$4HqjR#P)Xil@2i5dVTZR>_j1{Y0~R59L89omi|824wJR}@ z*Mo0Y&BA!TG`=1_WmpXN0~H2!x2UWS(UN!WsFiniPV_k6U z3ure&77Wk~FG6fCHkD9?*Y&HI1teAp+~48V97Fh(S>GuqNKrDD^WMwS?T2&^^QVFq zZJ^uk77E+nIGJ}1N*g-hMlBCJUP>T zj<+a2C6_gPr`!{apuMjQGxMM$xO1tFk8taA@T$&a*bwn#3C)=fpVNx3gl`QPGY+4? 
z^XaiB;*%_1X64rrpmGy8dL%YK(6qaQOCeI=i&F;RdYZ|G0dPr*``VoP-7aI6#6xe3 z^V|9v;W<(w(Ej}=db7r+cp=HF59sst^e3cS&()l?nk34F6n%PmsQr>>v}j>dWt&qx zw})TJX_YkCe09yGhs%V_(Knvcq=n+U^y2nDr)XEZ;cf;0n}ZFNbVcie#_JtbZ9o{KY`eyT;gVH34<-abh2n)@AqO_Zs zr5c2;6=4YaUttZP`J;_&}e_oeYrzVF*5Eh0o4vcw2Ogh|2t^5|Toem|+On8I64ph4hUwDP-RgN_L4Mgy+0Pzwht=eE#pAH_xk8TZ{W>&WCIf7iIDtlE)=pYNmBJTYypas zrxa-%64D9fs;dg-FEYpIl_U;09DIggupBo_D6J=>TF&|?UxmM>XlY)XwRFPGDqi22awt6yEQLvCevgUHvL!;5qjid1DwnmTcTuJ{RDpQcj0AVo?S9eOQ`PoG2>SRIkmIq5Dn z@qWLOaZ#9KK`J+Ip=#V$^-<||4#)Ra-~6bbna&iUcXy^u#3w|g5uT*`q=x~L&wtK$9WnP^;vO3z5Y|_hwM9v2*I!+pUf?zX z9RPq$DQhO^!s>z+t~M*wRQj=vxezN)8&j=a0RWkzd={&tt(r=U>9}~sm$IPwNv3xD zB+4Grel!i%>3_#-n|L@hw)v?fi5_r2z2A7|}oAMXCtyntF# z_lipmDK=VI;@ni4fn&j9RMvDBJ{iqKu=nz&El@&ndJ%7qUo)ZUlfmn?yK>e$WUQv{ z_f<+MZ1OxM+dRTOdUhmbj}Gvm2R+FW$@{xzX9=f9vQI?BvDh29?nk z@UVRT?5<|1uTz9`rABEL&L61tY>lH$=;FDib<9L~cTBnNF)fQ$?hJyePmzswyI6Un zI>RlqT)sMdbU`j};&$~CUYf|#StfTJ+w_DCaS*&5ZD`~IxlQn@S>bV#1 zneP znJjlnXR5!dP8})NSCP%83KmUj+mp$1L*yHuSd1VA{^mrQ-bi+^mRfncRA8_TE@RqO zt*(%TO~R8`IEPR5reaT7+6OunzG0S3&f)c2R3TM7^#?6H)d3JCo;%hw}%CLcE7vXtJ2{vDv0tLi&@&LN_FKrJ4nm9TnpdOFt$Hyg~hguW90 za&4||=uxmAtExu6WbA#Oj`}&0waSkRsXoRQuN4z+k5kglgygjZBs4z%T7DYy^nx3{ zzsgXjNaQi33)X$lM(8akm29kZ`Q@B3UdWvidBOJUq}DzICK`KsLeX-{q)wN4Db?ia z@0=Om;(FcA1R-oSD~U5w@=E6oU-Jn!RSR@Sqsel`2%$x5zP%*y>O$r(1?NGL6+V5f zOXpVxhN?64elu(V05-3k_$DTe3S-SSHKIiJ&Ti^}>I35edQ2wV|77tb(Ot~n)Cyu7 z^5(^551w{U?oyvPbxsWRwC{-AR2u4z`?{n>|Kh7N_8oh!lH%^=`Vt%MblBAP@ZLTX zwt6D3CdWLx*0uuHu<*tsL z_B^CmyEMfZamQLkWW8p!@q9yBp|^yHuiw%4!j1cKnt3fv;}Oy>PdDyDE_& zQb`QvUAYLTVKSV=v8Phq!(ZoFNV9k7Yt6ztS!MMpg0!Wy5QW{vYJ8l-YBv7IEmRm1 zACknrGxn#9klAjeRqL%+8l zoPFaeSV$>eB*xOSv%n;c6gCEy)HX3wTZN61rUQF{#Ln+kSj+|YIXcaQCCO- z;(QLQS~mH04;$GWP1C0fw?s5r+giL3g3~tFF%6kY=4!!C{t&=BZQV)Q1#=MdAk7U8 zf%~qnEcmF>12O`lAfCx2cwHVfa~Z`^ublR;HY5-KFv?5!1ZL!V{@2PVMP+u*XnQFX z=3@FJFMIsbVfoGNA49&=Y+DR`L8esVC#BQ4EEOMpp-Djixt+g3*yb7{)08Spp6>UI zKg$H6*}S&MRZV&zl*5xUY@)ltn+_C$h7hZjQH4kU>O(Rl(j_PrA0~3NF`m78Z|#x8 
zq%CLliM+6I%T<2B0v*ud+8Hve)jUYU7`k$$mq?%HG*e0$LkCbjt`w!0MbQg3M|Z#D z2AUMhUgI4y`#k}8{1?YCP_?Hft5CpB&~i^2BMrUqn3?Q5o=v-kEYo39E7edX_t)yUxPR#$sni`QCLDN zav8RDpcn`C)V|%>$AHn#$C#9ITwy+7+*ZT>=$|owxQXPY>ElD*1$@T?5Onwnn5Zg+ z1K&CT4WZimD`aGkpmoTOQp2mMiP#5Rl4NjlLUyhpG644Muu<-2Wm&SE;Kp?* zvxN@M`a%~_d!(o#H+wS1GH(wi{IICr76VoKI>oOaMJa}!=U(cQNrs=1$I38*7PAmF zQLrmOvGG7+&erN+D<;3|*`vXCiE*}OOI0FB`5ZX_VAvVd?(*uR*^LAjb^p8&3V`aJ z<~F2oL|abz?@ko73=#o2#xaY#^A9e!&5dmlv)5U;(oBLCgA^L~ZVfIC?=`^%m4)ADi8xBX_W+COLJ^> z^pzVl<-?LneqLb8atdc)Ui{(w(15w;@ZNrKX`M#iJo13JSw9jgAiwqN$FRqM>)YNK z9v!-q--x2j$i#Pau{6wD5*}WD`)A~(a_1|kc5R(zpZ zcyP_ev0C!EFQAMPeL?ZD-~$4nwIE{A>VIJXMa=!{_a1NVu7zN2pHh0}FNE9!B%D5l z@DnhkpJAXf>>+CPj@AT#o=H}$2&}M?!L}zojNf4^kTr-fff&!(X|_f@_}`}GFy{Br z3C$qQUJ2_{QtOL4Tq?wKvjA^eP;Kue;wV7K+23$HtGe&z zIDlq7Iv<6Vq+CZ~bdN1S;^WRUrUMu%kbm0Ilej0n0;eZJ@?D^Rx7zb*QBCc#UWHch zg9*^2b=SV&*u|%_Bw)x<1$hjU9idcH>$zCdTS`pAHsR6I6oY1W2ET3K355wa(DgA- zCdKC8&^trI!<|8$;wiP74=xo1A}1orD^}Co6Cq+e`_f_)Vh8GqbCsji1{Ebi2@1KY zc52c?5;Uw%R6pH7Y=) zpSU?1Ddhwb)`+}vcjFh$eY!d>qzsE0oDWi|R4K*dI%SNk>%TE#C(kKk}h?U%QG{eWWj>0g@1adaT?UCQqq1`{sZauepN+zAM;)F`pX1iB5T|&r~zJED+uWf2nbv z;_9vbQ`lPh`yM;@GA+~A?KQ=Bv{P~W_QD-eQlr;XP@lt4Q9C~n25Tpp3e7=KH3Rm| zV8S~jm}(Smw-?GZcy z4=SJui5rZnNu9=*o6E9n*tfz#b zBFo@;n(ztamUF!dcT;TO-NTJ(81md>?yW;$RQ-2ZZ3$kku(!1et@E^Qb&_{k!}{c% zK6|d{H_8W1%It=P(qxP-YSg*3<3GGCPwbr1?DamQRMhS`J49JkTe15Bl=gTY5H+b; zq3x{xPk_=mOMd3hWn3}LmG1-zb(96 zh9QRv)2vxEf&OF5u;r2?G8$bH_DQjiO)*rWBdtRhN)UOwD=%>?9WjP#ww+~0H7&&z z%{CXk%~s4oOFwe=nH>ujs()ZFH)SFsK9#IBb?V|W4iUHw@u=pIMA>;3#3($tPfZEY z8+AREQNLp_9+8udKd5AR)2@`p`9Yd$W+s-y2SMgEJY|WC1c4;USo4@8a7UZp4p-P- zGs>vcyswb8o&GAg%*JHI-a~GYtdCg)kA;GT(fs@%!nZc3iT)802FBN2-b%7R6Z3^D zVA2TKRDO*-1^Qsxy-`qiy)5v8^s9)sa2yC9Oo3W=+3-|{|0u`=P|-h2#-W(vhwHD} zY}sqQEIO`>EQkfRZwfK%0#8i*@trcCNJk-0j<6l?DF+)6kbuK(#%(Z)^fuRP&gAL8 zq#uZFPq7;LeP+`p1w2nq1Br8sQ&(wtQ*RiaeQo4wbASxG5cDirXY1T$vn03K{25Ur zJW6^)^8TGj?_3kn$C)$e=C{)5F<#`K-Z$-I34ujfly9W>&wfD1Nd=iNv4zse3y3Rc 
z{IQUj$O4nadyNZMjFN5nY22U>XvF@COyCNNl3Z`Nown)V{(F;_pa#_#bTK)U zw#idWhjOb2zhTKRwAew*!=?_Pjz}P{lH`FdX3FQh@=yTpF+k7lk06y5)No+X_yVI9 zi!-L&La1sSgtf_oNl)5dn;HP_n%tY9@3#nvSRMPn{gvA6t!FMLO{R zsFAQgTqqUmCejK8BIJfWd~n-Yg@cB+3H#&dT|suEvpJ#3sN4b72@{-f zaO<7#B17cM8tEZc@cU^-&kVpP{GW2W`T=KwV|y#?3eeq}eGYabzmITcF>O6^7-L1X zb1X;6g8Ohu2B)~OzCf%J;vo3aZ|80u`DO1x(Z-}pmO>sK{3MS97bf?Zr z0iWUUj_#c_8u8a29LDfTf#BqCRUScaXksy3*hmgI1lDw@q%FF%hBvd#k6g-&lELLKN|SR3HE* zND9aZMAj4?sAGn6d4k7$AsZ2d?hRR}G>Y=x8=lAa01}Bh*+vU{HpJ@Oe7+$e z#HyiHM-chhW(YiuQb@q2wRH%%H%ETA3Ebn_$e5@Z*sf%wxBqO{c-XE&ukRm(24BBX zqE(cDeMLG|pt>KTFE_LGk%x>Q?r(j4jnjzsEI}0A}jS@Y5W{N?@jcXxUxL<`)9;V>otEVMmb*SUMRdT z-k{{rzh*0Z1@Y@aX)nIHvdv+ud-tSIQ&62a`w9}|Vuf>vVULtX@gVYK8$xbf+2$wY zJNuEE8LYmGS`pt6wA1Ii3u@rS4JsEDJ|VMdesb-Maaj>~P6Ob%t$AGz2hyu(&(%FX zKuK~QjX3|&WHHv{hCO%@am=?{Wg2uph#;?j40^{vwR7>If}|0Q5O_gF2zjU+DVN|O z`y4Pd{lNV&x+R6s#(low44lADDFcX$kc$`KRGyDM7XOG>jn}^A+iGuCZp8fuF>a-OWLpygFW}KBHY4rEnO@tJ zr0y{w@^-09t=~p4GwUEyfuI|D0MFzC>E<$oi*L=h37Q)HR?%wHAsmm3fTuKoRPjhW zXOBGu%=FKGYtH@l*-6t0js?Xa?>bS+-;(TDObd}m_ ztbL8v$kRxXTmn{04}5U#EsIZH1n3D~yghz3&h*wJcPO8NILe5O22vxZ+@SY00*yj| zXW)D%F$4SuK_M7st0zr&=xCJZKmXk42b8^+GleXv2>nGJYIdxFQEQs$uE+<77#I2s zr1DK?;m^ev2+s_ux}&3@%}z)`fT+}nBe4zzOS&?y&~&pXtpbf`oX7&ne9}yRcQN8m zn@K=AI3bRrW__vO8HjMRtB{I(`%!Yu$;1kCnNB#_&aR9cp(m8pG~bxmf)iWaq59;u zz3S@8QA$AF#nQ7dgY#WXUjk5+K5&Yx5hhr)V$)MRVHN;7>OsK5z79QoW{=*2_GDfe zafcBjaJuiAs^3|FC8W;Asl5q`RJ*&1S4V%faL?!-d??$i62>FKX>3DfmXP@-Q?tyF zSf;8ZXvcB+;AW6M#sRC!{V68~lh2orwd25O25sK;7j8-FCe`{FDwQ*I?ZG%EDD=$affoJbmP`=>BNMw&bwTYOyv zi%4=VtqO^6zYYQ|ghy{_n}EK>44~L<8}VAyzKp9>KGKO4F*<(Qx($Uz@5Sln8!$N&4+{)b{?arQvS8JhXIr2v@rHzfzG(;x@KRF6P|dL^I^F|XUX7; zJ0|d_6T(irJ)s?E_^8kr_Iu6r?dhIkeS$V8Qia8K@15C!2`sv)?U$8^o(y zTX8;Nv{17yr~9RstB)fZfB(d$Bmoygb5^$4%PMy4aPjw#e~zAj9@?npXR5a$JjPNg z6pm#m2T-{YNIxzogeeQ-@?#YFEoui!Z5@dF(BcFj(8tJhkYp6Jvr^GvIBD=`-y-3u z8lUBg4hbywe1t`j(y{JBi@Dc~)0Qz-TNR!>(HOlY4eKl!UOqo-K1$I+li)FKaYD1* z^6a1ly;1S?%W-Y*`Cl{(V2O>OhGilHW&{L>7EYTxH-_gsWYhj4+b 
z&k}ejv-z@09?~@(<<&QY{p$oyq`6-X)mLzYM|wrq&3$P0Ul)NYj_weNY0&iw_*N#xoe*Y2v+ooMm)MgW2%E zD_MCXJk))Z%I`smKb~2@TaFC}I&2F_@Ews2l*W)Bq*pS_le>n}>HD5dm4edP|BBlr z4x||Lf|i*1&0qGEM#%KymsIz$69T=<<}|xqdP^G61_e&l>Z1;qnqrrZITVik82-m> ztStDffIth)&o;vedF|ldGRN+Zg*r_$5S(0RK}R}&e(BZst6W3SOvk7|*~Q&VQ#Q9I zocIc=y3Dxhik5(41%F+DB08Gz(-_ykG|~Q+hBD#oHCcUjLQO_O#*)2q_|c4#N(klh z-(sF9;sR@qi;S!R(E(0jHrR$N-wL{?uBEq6kkrxD(d1~6PSgb%p(+3TTdKH+vAhN! zFW>q`#F^(1@K{}3aLzgXHEzB8-k{R+z3z&3uWFJNqZMPPMepTDnaWD;5leddN3|kd8v$5$A?Y~V-K+T zrajx3$Ov$aCh!0AZa|#w;XUd?trY^%l+*s92rh8)%M(b|;Aimbez^vPOIRIibRgbG zF_WxGH=ZCA+Gj~<*I3T7r&1y)J8)JLEax15$IoVTCvhhqJc^zc@tYL!whm1wiEgm( zyTcQN-cw*u_?cya`=e)-_aXN9T;7(KDuG~KF&^PKr=YFD8b*6vc1Pct?G!l{jn#tt zN0ue}of-#vDojyfwvF3JT4`ODkKt&+e`QL_$;4R{{~eGa*hs@7vHf$dTGCW$2-}zokzp;KFgDT zJ@V!M>c&$Ki~s6|0_wk-fF1G)dZ=VE95n`M2J+$<`~P4 zU5Rw7M}s^axB%m9wJPDESxMswdCago-z0an>nl{&-~+Uf7ijE zW)395`(34@{o@n-{fz)mFv~~F&E=td=->ZDnz;>r*tm-H|13K*0s*n`ZtufqcGmFr zt=bBcveWr@k6!^sUbPOANB5@rGtd8hl$#S8ytuVxM1 zU5H46nvh7n!o-X2If(CIAAA>3*Xz{~@D}SgiLKm(zt};N$IGvoli>&C6@ osldG zX{x*BqWh%o*VgMDU`>fnWJZThCl&<$+Cq$jZ*gqOd#8NSS0R|t?X8?fr+5@prCY@3 zE+N)D^W7iy43?BSsBDdt8{kzW`U1v{(}pVmOpt^cu;>v#sRt+=EdbtjM$QBU-1-3Qgfk1zE`W+OyNWcs zSG(HzDsqJJP;qzV7GkKrUF){+Ul~&BbLcK`2Dh~& zyDj$<(grYU(YohC4*yr`98l;jgpJDA5Z!K(Es;E zYiiD1!nf*p`CGFCRUY#V$9+zsvv4R$$d5|;<93G`fZcvKx!dec(jYiC6=3w0t?Qy8 zccj+t&zTB&!pAKJ_b>Qw{Qe#O6-t|aG8cFx3Ho~_Bbh7h+jo=_?Ellg593)O2W~`0 zr!+$!^OX+_0Kl}{%=DG_+hStu^zsbbV)@M`8ESC627TaI+w0}%7SE5qT@wR{Z@9$I zcO3ljbWN#Ni?FF&Ww2#D3su(dkFf$o?I^z=u@ABSh2x3Jpv&;eTFrG|Rz4k3bv;H9 z_l%%h4mCeTT|Qqze8ZVmIhqd^k*e%fc5Uo)xhU* zeeQ^Q_Z;Mt?qGg{mch(Zw~xi(DD;CO%Jj)|&r{1p+DRiuC)Me8RP))IU?HFi`Q4C( zpavS^CDtlF6IpS2V6gDJ6P0t$m0VT$31>nPq$WkBI3S<(RZ)#I1uMU9#83@lBi@l- zyp&b0qY85w^Ed*Pyta=pr@jLnFD_nL*8Pb_Jw9&`2nSIDSfZiLWVX{Jtdkisqil6% zDd}ubjPaq02WVmk@yVnc?m3eBLPQC@MfGMNBR-^p5++f~YyZ9vR*n$Z=d=5n_Oi!M z0D!&p+mRTCE33OvV%s(>1%#qF@4d}J&PrujHc}BY4nMi5_2>gA9xhxKqJ6@qay+I& zx#0dDm)i9ulU$SM1#`K&N_M~knug`O+!~X$285kUK3o{xF}2QlxJQa>c6~8Whij 
z68jvzKv^R}QYWbNs)CSC9e{gZfz$Rg+$u{M_tMm0lzeAAx@ocxv6mQ4w=anhq$b%< z75RH$eP~l0xx4-rs`5^zqcH8mXX#jGoOQ?MAQVHA2q*ZUNUM~OMuDIwS<;6K8i#A!shCb_NO02A}Y-sQ`F*1J)4&wl{V=% zNTLny&~KRh>2TqX?<_t_qd>*QeQ4p?KLIg^I$7R5q&)8Jl}p`#i2|%~fx$ilc5%-i zSEZa37usdS;#Vi!a21nmr_4A`=`9&t&*O830&E4xO>h->`li=n^N(9HH*&4bw{9|8 z#H=`mY_SLOsi}%+DvC^M0;Uo~G8=_m9I&iSR~;0zN3tYh=@gj#G7N&pHCaG9rAbHU znAY{2XbVnk-xZ@ezx8m2CQg;u%3V2kb+fB->|3%*GB1jFK#d6gK(txs=O)#4SWXgi ztT7qNQGvdRyJv6DVPbl~3w>|={Km{6>Md4V1h8GQ?=v7rHdxdnvI8Fo4PNQhoXO|o#$I+kIDr|d*uIt50fsZ+@~rAGVogm` z*cE0b$P=zYk~MD5=+f{5dQ-YU{7(nsm0F=l?+oV);^fii_AGRUIJ^UY^$>!Z=Ndrga*M9|R{NocJKgD=ietjja)|{; zJyKp@Z#lO)@-c2|`?zw2+82%2a3P1cqOPHrrMYTy%0$G5D+~i~BHi0EKYYL#@#5b4 z2f%R3q;xo6U+hmWH{P{t*QAoXjIL_%o||+pnpLT`8j*!2gLWmE{0~bf1SzlmG55;! lpGo*@*ZlwSc);eK>M?=XypMYvVbr^nF00EI$X>nwe*jLJYCr%0 literal 0 HcmV?d00001 diff --git a/simple/README.md b/simple/README.md deleted file mode 100644 index 1183ceaf..00000000 --- a/simple/README.md +++ /dev/null @@ -1,51 +0,0 @@ -# Kubernetes Resources for a Simplified WSO2 Identity Server Deployment - -![Simplified WSO2 Identity Server Deployment](wso2is-simplified.png) - -## Contents - -* Prerequisites -* Quick Start Guide - -## Prerequisites - -* Install [Kubernetes Client](https://kubernetes.io/docs/tasks/tools/install-kubectl/) in order to run the steps - provided in the following **Quick Start Guide**. - -* An already setup [Kubernetes cluster](https://kubernetes.io/docs/setup). - -* Ensure Kubernetes cluster has enough resources - -* WSO2 product Docker images used for the Kubernetes deployment. - - For a production grade deployment of the desired WSO2 product-version, it is highly recommended to use the relevant - Docker image which packages WSO2 Updates, available at [WSO2 Private Docker Registry](https://docker.wso2.com/). In order - to use these images, you need an active [WSO2 Subscription](https://wso2.com/subscription). -

- -## Quick Start Guide - -1. Download resources for deploying the simplified Kubernetes setup for WSO2 Identity Server ([`deployment-scripts`](deployment-scripts)). - -2. Move into the directory, where you have downloaded the aforementioned resources in step 1. - -3. Deploy WSO2 Identity Server in your Kubernetes cluster. - - * Deploy WSO2 Identity Server using Docker images from WSO2 Private Docker Registry. - - ``` - ./wso2is-latest.sh --deploy - ``` - **Note**: When using images from WSO2 Private Docker Registry, you will be prompted for your WSO2 Subscription credentials. - -4. Try navigating to Management Console, Console and My Account URLs from your favourite browser using credentials `admin`/`admin`. -`https://:30443/carbon/` your favourite browser using credentials `admin`/`admin`. - - - * Management Console: `https://:30443/carbon/` - * Console: `https://:30443/console/` - * My Account: `https://:30443/myaccount/` - - Your `` will be provided at the end of the deployment. - -5. Try out WSO2 Identity Server by following **[WSO2 Identity Server - Quick Start Guide](https://is.docs.wso2.com/en/6.1.0/get-started/quick-start-guide/)**. diff --git a/simple/basic-k8s/namespace.yaml b/simple/basic-k8s/namespace.yaml deleted file mode 100644 index 22ac39f2..00000000 --- a/simple/basic-k8s/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ - -apiVersion: v1 -kind: Namespace -metadata: - name: wso2 -spec: - finalizers: - - kubernetes ---- diff --git a/simple/basic-k8s/secret.yaml b/simple/basic-k8s/secret.yaml deleted file mode 100644 index afa8506e..00000000 --- a/simple/basic-k8s/secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ - -apiVersion: v1 -data: - .dockerconfigjson: "$string.&.secret.auth.data" -kind: Secret -metadata: - name: wso2is-deployment-creds - namespace: wso2 -type: kubernetes.io/dockerconfigjson ---- diff --git a/simple/basic-k8s/svcaccount.yaml b/simple/basic-k8s/svcaccount.yaml deleted file mode 100644 index 6e46eb26..00000000 
--- a/simple/basic-k8s/svcaccount.yaml +++ /dev/null @@ -1,7 +0,0 @@ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: wso2svc-account - namespace : wso2 ---- diff --git a/simple/create.sh b/simple/create.sh deleted file mode 100755 index fc0016ea..00000000 --- a/simple/create.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash -SCRIPT="deployment-scripts/wso2is-latest.sh" - -cat > $SCRIPT << "EOF" -#!/bin/bash - -#------------------------------------------------------------------------------- -# Copyright (c) 2019, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -#-------------------------------------------------------------------------------- - -set -e -EOF - -cat >> $SCRIPT << "EOF" -# bash variables -k8s_obj_file="deployment.yaml"; NODE_IP=''; str_sec="" -license_text="LICENSE.txt" - -# wso2 image variables -EOF - -echo 'IMG_DEST="docker.wso2.com"' >> $SCRIPT -echo 'IMG_TAG="6.1.0.0"' >> $SCRIPT - -cat >> $SCRIPT << "EOF" - - -: ${NP_1:=30443}; - -EOF - -echo "function createLicenseText(){" >> $SCRIPT -echo 'cat > ${license_text} << "EOF"' >> $SCRIPT -cat eulatxt >> $SCRIPT -echo "EOF" >> $SCRIPT; echo "" >> $SCRIPT -echo "viewLicenseText" >> $SCRIPT; echo "}" >> $SCRIPT - -echo "function create_yaml(){" >> $SCRIPT -echo "" >> $SCRIPT -echo 'cat > $k8s_obj_file << "EOF"' >> $SCRIPT -cat ./basic-k8s/namespace.yaml >> $SCRIPT -echo -e "EOF">> $SCRIPT - -echo 'cat >> $k8s_obj_file << "EOF"' >> $SCRIPT -cat ./basic-k8s/svcaccount.yaml >> $SCRIPT -cat ./basic-k8s/secret.yaml >> $SCRIPT -cat ./is-k8s/identity-server-conf.yaml >> $SCRIPT -#cat ./is-k8s/identity-server-conf-entrypoint.yaml >> $SCRIPT -cat ./mysql-k8s/mysql-conf-db.yaml >> $SCRIPT - -cat ./mysql-k8s/mysql-service.yaml >> $SCRIPT -cat 
./mysql-k8s/mysql-deployment.yaml >> $SCRIPT -cat ./is-k8s/identity-server-service.yaml >> $SCRIPT -cat ./is-k8s/identity-server-deployment.yaml >> $SCRIPT -echo 'EOF' >> $SCRIPT -echo "}" >> $SCRIPT - -cat funcs >> $SCRIPT - -cat >> $SCRIPT << "EOF" -arg=$1 -if [[ -z $arg ]] -then - echoBold "Expected parameter is missing\n" - usage -else - case $arg in - -d|--deploy) - deploy - ;; - -u|--undeploy) - undeploy - ;; - -h|--help) - usage - ;; - *) - echoBold "Invalid parameter\n" - usage - ;; - esac -fi -EOF diff --git a/simple/deployment-scripts/wso2is-latest.sh b/simple/deployment-scripts/wso2is-latest.sh deleted file mode 100755 index b240f9a7..00000000 --- a/simple/deployment-scripts/wso2is-latest.sh +++ /dev/null 
@@ -1,3117 +0,0 @@
-#!/bin/bash
-
-#-------------------------------------------------------------------------------
-# Copyright (c) 2019, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#--------------------------------------------------------------------------------
-
-set -e
-# bash variables
-k8s_obj_file="deployment.yaml"; NODE_IP=''; str_sec=""
-license_text="LICENSE.txt"
-
-# wso2 image variables
-IMG_DEST="docker.wso2.com"
-IMG_TAG="6.1.0.0"
-
-
-: ${NP_1:=30443};
-
-function createLicenseText(){
-cat > ${license_text} << "EOF"
-WSO2 SOFTWARE LICENSE AGREEMENT
-This WSO2 Software License Agreement (the "Agreement") is entered into by you and the applicable WSO2 entity, as
-described below. If you are an individual accepting this Agreement on behalf of a company or other legal entity, you
-represent that you are authorized to bind the entity to the terms of this Agreement and "You" or "Your" will refer
-to the entity bound to this Agreement, not to you as an individual.
-By using or accessing the Software, signing this Agreement or any document that references this Agreement (such as
-an Order), or by clicking "I agree to the Terms" (or similar button or checkbox) upon downloading or installing the
-Software, You indicate Your assent to be bound by this Agreement. If You do not agree to this Agreement, do not use
-or access the Software.
-1. 
Definitions -a) "Order" is a document signed by You authorizing the purchase of the Products requested by You, the -Support Plan, associated fees, and any additional terms offered by WSO2. -b) "Products" means collectively Software, Support and/or other Services obtained by You from WSO2 subject to -the terms of this Agreement. -c) "Software" means the computer programs developed and owned by WSO2 to which this License Agreement is -attached, however you obtain or access them. Software includes security patches, updates, or other -modifications to the Software supplied by WSO2. -d) "Services" means training, consulting and other services, other than Support, specified in an Order. -e) "Support" means support provided by WSO2 to a Subscriber for the Software according to the terms of the WSO2 -Support Services described in Section 5.1 -f) "Support Plan" means the service level specified in an Order, from among the levels defined in the Support -Services Policy. -g) "Subscription" is a commercial offering from WSO2 consisting of a license to use, and access to Support for, -the Software, for a specific period of time. -h) "Subscription Period" is the commencement date and duration of a Subscription, as specified in an Order. -2. License Grant -2.1 Free License for Non-commercial, Educational, or Trial use. WSO2 hereby grants You a worldwide, -non-exclusive, royalty-free, non-transferable, non-sublicensable, terminable license to use the Software -for Non-commercial, Educational, or Trial purposes. Non-commercial, as used in this Agreement, means -personal use whereby no commercial advantage or monetary compensation is sought or received for use of the -Software or for works, data or services that use the Software. Educational or Trial purposes, as used in -this Agreement, means use for the purpose of learning to use the Software, teaching others to use the -Software, evaluating or demonstrating Software capabilities, or for scholarly or artistic purposes. 
-2.2 License for commercial use. If You purchase a Subscription from WSO2 or one of its authorized Resellers, -WSO2 hereby grants to You, as "Subscriber", a worldwide, non-exclusive, non-transferable, -non-sublicensable, renewable license to use the specific Software configuration defined in the Order for -the duration of the Subscription Period. The Order will specify the scope of the Subscription purchased by -Subscriber, including: (a) all production or non-production use, not just a representative subset; (b) usage -limits (e.g. cores or transaction limits) (c) any other license parameters; and (d) any other terms -and conditions mutually agreed for the purchased Subscription. -3. Copyright. All right, title and interest, including but not limited to intellectual property rights such as -copyrights, in and to the Software and any copies thereof, are owned by WSO2 or its suppliers. All right, title -and interest, including but not limited to intellectual property rights such as copyrights, in and to the content -which may be accessed through use of the Software is the property of the respective content owner and may be -protected by applicable copyright or other intellectual property laws and treaties. All rights not expressly -granted are reserved by WSO2. -4. Conditions of Use. A license granted to You by this Agreement is valid only if You adhere to the following -conditions. -4.1 Maintenance of Copyright Notices. You shall not remove or alter any copyright or license notices that appear -in or on the Software. -4.2 Modification. You shall not modify, alter, decompile, decrypt, disassemble, translate, or reverse engineer -the Software. -4.3 Distribution. You shall not sublicense, transfer, lease, rent, or otherwise distribute or make available the -Software to any third party. -4.4 SaaS. Unless authorized by WSO2, You shall not make the Software available as commercial -Software-as-a-Service. -4.5 Compliance with Applicable Laws. 
You shall comply with all applicable laws regarding use of the Software. -5. Subscription Terms and Conditions. If You purchase a Subscription, the following terms and conditions apply. -5.1 Support. WSO2 will provide Subscriber with Support for the Software during the Subscription Period -according to the Support Plan indicated in the applicable Order, and subject to the WSO2 Support Policy -set forth at https://wso2.com/licenses/support-policy. Each Subscription includes Query Support subject to -a maximum-hours limit as indicated in the Order. Limits can be increased subject to additional fees. The -maximum hours limit is reset upon renewal for a subsequent annual period; unused hours cannot be rolled over -into the next annual period. All instances of Software in production and otherwise must be identified in the -Order. -5.2 Increases in Software Use. Subscriber may increase its use of the Software during the Subscription Period -beyond the scope specified in the applicable Orders, provided that Subscriber promptly notifies WSO2 of the -additional use and pays the applicable Fees. -5.3 Bursting Use. Subscriber may temporarily exceed the Subscription limits, at no extra Fee, within the -bursting limits for the Product ("Authorized Bursting Use"). If Subscriber increases its use beyond -Authorized Bursting Use, it must notify WSO2, increase the allowed usage limits retroactively to the period -where limits were exceeded, and pay the applicable Fees. For products limited to a maximum number of cores, -Authorized Bursting Use allows up to 3 days (discrete 24-hour periods) within an annual Subscription period -during which the core count may exceed the Subscription limit by no more than 25%. For products limited to a -maximum number of monthly transactions, Authorized Bursting Use allows transactions up to 25% over the -monthly cap, within a single calendar month per annual Subscription period. -5.4 Subscription Renewal. 
Subscriptions automatically renew for additional periods equal to one year using -WSO2's then current pricing unless Subscriber notifies WSO2 in writing that it wishes either to renew for a -longer period, or to end the Subscription at least 90 days prior to the end of the Subscription Period. Fees -for renewal are due according to the Fees and Payment terms of this Agreement. -5.5 Termination for Change in Services. WSO2 may change the terms of Support or Services from time to time and -these changes are effective when made, without affecting the validity of this Agreement. In the event of any -material changes, WSO2 will attempt to provide Subscriber notice by sending an email to the point of contact -address provided by Subscriber. In the event of a material and adverse change to the terms of Support or -Services, Subscriber has the right to terminate this Agreement upon 30 days' prior written notice to WSO2 at -the following email address: support@wso2.com. In the event of such termination, WSO2 shall reimburse -Subscriber a pro rata amount of any fees actually prepaid by Subscriber. -5.6 Audit. Upon WSO2's request with reasonable notice, Subscriber will permit technical and operational audits -of Subscriber related to the subject matter of this Agreement. Audits may include verifying Subscriber's -usage of the Software conforms to the usage limits purchased by Subscriber. Audits shall be carried out -within Subscriber's regular business hours and WSO2 will honor confidentiality and data protection -requirements. If non-compliance is discovered in an audit, Subscriber will be responsible for all costs -associated with carrying out such audit. In addition, where such audit reveals Subscriber has exceeded the -usage subscribed-for, Subscriber shall pay WSO2 prorated fees for the excess usage at the same rate(s) -designated in the most proximate Order. 
If the date excess usage began cannot be determined to WSO2's -satisfaction, excess usage shall be deemed to have commenced on the start date of the Subscription. -6. WSO2 Consulting Services. QuickStarts, Training, Technical Account Management, Managed Services, and other -services WSO2 may offer to Subscriber are subject to the following terms. -6.1 Consulting Services Terms. WSO2 provides on-site and remote consulting services according to the -Consulting Service Terms at https://wso2.com/licenses/consulting-terms, as updated or amended from time to -time. -6.2 Managed Services Terms. WSO2 provides Managed Services according to the WSO2 Managed Services Terms and -Service Level Agreement at https://wso2.com/licenses/managed-services-terms. -6.3 Cloud Services Terms. WSO2 provides Cloud Services according to the WSO2 Cloud Services Terms and Service -Level Agreement at https://wso2.com/licenses/cloud-services-terms/3.0/. -6.4 Independent Contractor. The relationship of the parties is that of independent contractors. Neither party, -nor any partner, agent or employee of either party, has authority to enter into contracts that bind the -other or create obligations on the part of the other without the prior written authorization of such party -6.5 Non-solicitation. During the term of this Agreement and for a period of one (1) year after its termination, -neither party will directly or indirectly (a) solicit for hire or engagement any of the other party's -personnel who were involved in the provision or receipt of Services under this Agreement or (b) hire or -engage any person or entity who is or was employed or engaged by the other party and who was involved in the -provision or receipt of Services under this Agreement until one hundred eighty (180) calendar days following -the termination of the person's or entity's employment or engagement with the other party. 
For purposes -herein, "solicit" does not include broad-based recruiting efforts, including without limitation help wanted -advertising and posting of open positions on a party's internet site. If You hire or engage directly or -indirectly any personnel of WSO2 in violation of this section, You will pay WSO2 a contractual penalty equal -to three times the monthly billing rate (assuming 168 hours per month) for such personnel. -7. Reseller Orders. This Section applies if You purchase Subscription through an authorized reseller of WSO2 -("Reseller"). -7.1 Instead of paying WSO2, You will pay the applicable amounts to the Reseller, as agreed between You and the -Reseller. WSO2 may suspend or terminate Your Subscription if WSO2 does not receive the corresponding -payment from the Reseller. -7.2 Instead of an Order submitted to WSO2, Your order details will be as stated in the order placed with WSO2 -by the Reseller on Your behalf, and the Reseller is responsible for the accuracy of any such order as -communicated to WSO2. -7.3 If You are entitled to a refund under this Agreement, then unless otherwise specified by WSO2, WSO2 will -refund any applicable fees to the Reseller and the Reseller will be solely responsible for refunding the -appropriate amounts to You. -7.4 Resellers are not authorized to modify this Agreement or make any promises or commitments on WSO2's -behalf, and WSO2 is not bound by any obligations to You other than as set forth in this Agreement. -7.5 The amount paid or payable by the Reseller to WSO2 for Your use of the applicable Software under this -Agreement will be deemed the amount actually paid or payable by You to WSO2 under this Agreement for -purposes of calculating the liability cap in Section 13. -8. Publicity and Feedback -8.1 WSO2 Logos. WSO2 products may include features for theming the product user interfaces. You will retain the -"WSO2" or "powered by WSO2" logos in conformance with WSO2 Logo Usage Guidelines at https://wso2.com/brand. 
-8.2 Publicity. You may state publicly that You are a user of the Products. Any identification or use of a -party's brand, logo, or trademark shall conform with the trademark use guidelines provided by one party to -the other. WSO2 may reference you as a customer and display Your logo for marketing purposes. You will -participate in a success story/case study related to WSO2. We may in consultation with you, issue a media -release concerning your engagement as a customer of WSO2. -8.3 Feedback. If You provide any suggestions, corrections, or feedback regarding the Products, WSO2 may use -that information without obligation to You, and You hereby irrevocably assign to WSO2 all right, title, -and interest in the suggestions, corrections, or feedback. -9. Fees and Payment -9.1 Fees. After You authorize an Order, upon renewal of a Subscription, or for other fees due to WSO2, WSO2 will -send you an invoice. You will pay all fees specified in invoices. All payments are due within 30 calendar -days of receipt of an invoice from WSO2 and are non-refundable. WSO2 may suspend or cancel performance of -all or part of the Subscription or Services and may change its credit terms (after notifying You) if actual -payment is not received within 60 calendar days of Your receipt of WSO2's invoice. Payments past due 60 -calendar days will incur interest at the rate of 1.5% per month or the highest rate permitted by law, -whichever is less. You will also pay all costs incurred by WSO2 to collect undisputed amounts due, including -legal fees, whether or not litigation is commenced. -9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any taxes -arising from or relating to this Agreement, including without limitation, sales, service, use or value -added taxes, which are paid by or are payable by WSO2. 
"Taxes" means any form of taxation, levy, duty, -customs fee, charge, contribution or impost of whatever nature and by whatever authority imposed -(including without limitation any fine, penalty, surcharge or interest), excluding, however, any taxes -based solely on the net income of WSO2. If You are required under any applicable law or regulation, -domestic or foreign, to withhold or deduct any portion of the payments due to WSO2, then the sum payable -to WSO2 will be increased by the amount necessary so that WSO2 receives an amount equal to the sum it -would have received had Subscriber made no withholdings or deductions. -9.3 Purchase Orders. Any pre-printed terms on any purchase order that is issued by You that are in addition to -or in conflict with the terms of this Agreement are null and void. -10. Term & Termination -10.1 Termination. This Agreement terminates when: -a. Your Subscription terminates, -b. when You cease using the Software, or -c. if You do not have an active Subscription, 90 days after WSO2 notifies You that it wishes to terminate -the Agreement. -10.2 Termination for Cause. Either party may terminate this Agreement on written notice to the other if the other -party fails to comply with this Agreement after it has been notified in writing of the nature of the failure -and been provided with 30 days after receiving the written notice to cure the failure. -10.3 Effect of Termination. Upon termination of this Agreement: -a. the rights granted by one party to the other immediately cease; -b. all fees owed by Subscriber are immediately due upon receipt of the final invoice; and -c. You will delete the Software immediately from Your systems and records. -10.4 Survival. Sections 6.5, 9.1, 11.2, 13, and 16.10, and those provisions intended by their nature to survive -termination of this Agreement survive termination. Section 14 will survive termination of this Agreement for -3 years. -11. Limited Warranties. -11.1 Warranties for Subscriber. 
If You are a Subscriber, WSO2 warrants that: -a. the Software will perform substantially in accordance with its documentation (located at -https://docs.wso2.com); -b. it will perform Support and Consulting Services in a diligent and workmanlike manner consistent with -industry standards; and -c. to its knowledge, the Software does not, at the time of delivery to you, include malicious mechanisms -or code for the purpose of damaging or corrupting the Software. -SUBSCRIBER'S EXCLUSIVE REMEDY FOR WSO2'S MATERIAL BREACH OF WARRANTY IS TO (I) DELIVER TO SUBSCRIBER A CORRECTED -VERSION WHICH ALLOWS FOR PROPER INSTALLATION AS PROVIDED IN THE WSO2 SUPPORT SERVICES POLICY OR (II) IF OPTION -(I) IS NOT RELEVANT OR IS DEEMED NOT TO BE COMMERCIALLY FEASIBLE BY WSO2, TERMINATE THIS AGREEMENT AND REFUND A -PRO RATA PORTION OF THE FEES PAID BY SUBSCRIBER UPON SUBSCRIBER'S DELETION OF THE SOFTWARE. -11.2 EXCEPT AS PROVIDED IN THE AGREEMENT, WSO2 MAKES NO WARRANTIES, EXPRESS OR IMPLIED, UNDER THIS AGREEMENT; -ALL SERVICES, SOFTWARE, AND SUPPORT ARE PROVIDED BY WSO2 "AS IS.". -12. Indemnification. -If You are a Subscriber, the provisions of this section apply to You. -12.1 Subject to the provisions of this Section 12, and commencing from the start of the Subscription Period, -WSO2 will defend at its expense any suit brought against Subscriber, and will pay any settlement WSO2 -makes or approves, or any direct damages (excluding amounts awarded for reputation harm or -business impact) finally awarded in such suit, insofar as such suit is based on a claim by any third party -alleging that the Products misappropriate any trade secret recognized under the Uniform Trade Secrets Act -or infringe any copyright or United States patent valid within the Subscription Period (an "IP Claim"). -WSO2's indemnification obligations are limited to US $7,000,000. 
-12.2 If any portion of the Software or the Services becomes, or in WSO2's opinion is likely to become, the -subject of an IP Claim, WSO2 may, at WSO2's option: (i) procure for Subscriber the right to continue using -the Products; (ii) replace the Products with non-infringing software or services which do not materially -impair the functionality of the Products; (iii) modify the Products so that it becomes non-infringing; or -(iv) terminate this Agreement and refund any fees actually paid by Subscriber to WSO2 for the remainder of -the Subscription Period then in effect, and upon such termination, Subscriber will immediately cease all use -of the Software, documentation, and Services. -12.3 Notwithstanding anything to the contrary herein, WSO2 has no obligation with respect to any IP Claim based -upon (i) any open source software components included in the Software; (ii) any use of the Software or the -Services not in accordance with this Agreement or as specified in the documentation; (iii) any use of the -Software in combination with other products, equipment, software or data not supplied by WSO2; or (iv) any -modification of the Software by any person other than WSO2 or its authorized agents. This Section states -the sole and exclusive remedy of Subscriber and the entire liability of WSO2, or any of the officers, -directors, employees, shareholders, contractors or representatives of either party, for IP Claims. -12.4 Subscriber shall indemnify WSO2 for all losses and liabilities incurred due to Subscriber's breach of -section 16.5. 
-12.5 The indemnifying party's obligations as set forth above are expressly conditioned upon complying with each -of the following: (i) the indemnified party must promptly notify the indemnifying party in writing of any -threatened or actual claim or suit; (ii) the indemnifying party will have sole control of the defense or -settlement of any claim or suit; and (iii) the indemnified party must cooperate with the indemnifying party -to facilitate the settlement or defense of any claim or suit. -13. Limitations of Liability. -13.1 EXCEPT FOR DAMAGES FOR BODILY INJURY (INCLUDING DEATH), WSO2'S TOTAL AGGREGATE LIABILITY UNDER THIS -AGREEMENT IS LIMITED TO THE AMOUNT OF FEES PAID BY YOU DURING THE PERIOD OF A MATERIAL BREACH UP TO A -MAXIMUM OF ONE YEAR. IF YOU HAVE PAID NO FEES, OR ARE A NON-COMMERCIAL, EDUCATIONAL, OR TRIAL LICENSEE, -WSO2'S MAXIMUM AGGREGATE LIABILITY TO YOU IS $100. -13.2 Waiver of Consequential Damages. IN NO EVENT WILL EITHER PARTY OR ITS RESPECTIVE AFFILIATES BE LIABLE FOR -ANY INCIDENTAL INDIRECT, SPECIAL, OR CONSEQUENTIAL COSTS OR DAMAGES INCLUDING, WITHOUT LIMITATION, DOWNTIME -COSTS; LOST BUSINESS, REVENUES, GOODWILL, OR PROFITS; FAILURE TO REALIZE EXPECTED SAVINGS; LOSS OF OR DAMAGE -TO DATA; OR SOFTWARE RESTORATION, REGARDLESS OF WHETHER ANY OF THE FOREGOING ARE FORESEEABLE, AND REGARDLESS -OF WHETHER EITHER PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY OF ANY OF THE FOREGOING. THESE LIMITATIONS -APPLY REGARDLESS OF THE BASIS OF LIABILITY; INCLUDING NEGLIGENCE; MISREPRESENTATION; BREACH; LIBEL; -INFRINGEMENT OF PUBLICITY, PRIVACY, OR INTELLECTUAL PROPERTY RIGHTS; OR ANY OTHER CONTRACT OR TORT CLAIM. -14. Confidentiality. -14.1 Definition. "Confidential Information" means any information, documentation, system, or process disclosed -by a party or a party's Affiliate that is: -a. designated as confidential (or a similar designation) at the time of disclosure; -b. disclosed in circumstances of confidence; or -c. 
understood by the parties, exercising reasonable business judgment, to be confidential. -Confidential Information expressly includes proposals or price quotes created by WSO2 for You, Orders, and -any changes or amendments to this Agreement. "Affiliate" means any entity that directly or indirectly -controls, is controlled by, or is under common control with a party to this Agreement. -14.2 Exclusions. Confidential Information does not include information that: -a. was lawfully known or received by the receiving party prior to disclosure; -b. is or becomes part of the public domain other than as a result of a breach of this Agreement; -c. was disclosed to the receiving party by a third party, provided such third party, or any other party -from whom such third party receives such information, is not in breach of any confidentiality -obligation in respect to such information; or d. is independently developed by the receiving party as -evidenced by independent written materials. -14.3 Nondisclosure. Each party shall treat as confidential all Confidential Information of the other party, -shall not use Confidential Information except as set forth in this Agreement, and shall use best efforts -not to disclose Confidential Information to any third party. A party may disclose such information to its -directors, officers, and employees, provided they are made aware of the party's obligation under this -Agreement and are bound by the same degree of confidentiality. Without limiting the foregoing, each of the -parties shall use at least the same degree of care that it uses to prevent the disclosure of its own -Confidential Information of like importance to prevent the disclosure of Confidential Information -disclosed to it by the other party under this Agreement. Each party shall promptly notify the other party -of any actual or suspected misuse or unauthorized disclosure of the other party's Confidential Information. 
-Notwithstanding the foregoing, either Party may disclose the terms and conditions of this Agreement pursuant
-to the due diligence requests of a proposed merger, acquisition, financing or securities transaction so long
-as such parties receiving such Confidential Information are subject to confidentiality obligations no less
-stringent than the terms of this Agreement.
-14.4 Return of Confidential Information. Upon expiration or termination of this Agreement, each party shall
-return or destroy all Confidential Information received from the other party.
-14.5 Remedies. Any breach of the restrictions contained in this section is a breach of this Agreement that may
-cause irreparable harm to the non-breaching party. Any such breach shall entitle the non-breaching party
-to injunctive relief in addition to all other legal remedies.
-15. Data Privacy
-Any personal information received or provided pursuant to the Services will be handled by WSO2 in accordance with
-this Agreement and all applicable privacy laws. Such privacy laws include the California Civil Code Sec. 1798.100
-et seq. ("CCPA" ), the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and the Brazil General
-Data Protection Law, Law 13,709/2018 ("LGPD"), as applicable; WSO2 shall act exclusively as a Service Provider (as
-defined by CCPA), Data Processor (as defined in GDPR/UK GDPR) and, Processor (as defined in LGPD) and shall
-retain, use, disclose and process Your personal information solely for the purpose of providing and enhancing the
-Software and Services on Your behalf. We will take all necessary technical and organizational measures to ensure
-compliance with all applicable laws (including in respect of security, confidentiality and availability) in regard
-to the protection of Your personal information. For the purposes of this section: (a) Your personal information
-shall mean personal data or information however it is defined by applicable law; and (b) UK GDPR means GDPR as it
-forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 and
-as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations
-2019).
-16. General
-16.1 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be
-contrary to law, such provision shall be changed and interpreted so as to best accomplish the objectives
-of the original provision to the fullest extent allowed by law and the remaining provisions of this
-Agreement shall remain in full force and effect.
-16.2 Force Majeure. Neither party will be liable for performance delays or for non-performance due to causes
-beyond its reasonable control; however, this provision will not apply to Subscriber's payment obligations.
-16.3 Headings. The headings in this Agreement are inserted for convenience only and do not affect its
-interpretation.
-16.4 Assignment. You may not assign this Agreement, whether by operation of law, merger or reorganization or
-otherwise, without the prior written consent of WSO2; any attempted assignment in violation of the
-foregoing will be void. WSO2 may assign its rights and delegate its duties under this Agreement without
-Your written consent in connection with a reorganization, reincorporation, merger, or sale of all, or
-substantially all of the shares or assets of WSO2 or the business of WSO2 to which this Agreement relates.
-16.5 Export Compliance / Sanctions. The Software may be subject to export laws and regulations of the United
-States and other jurisdictions. The parties represent that each of them is not named on any U.S.
-Government denied-party list. You will not use the Software in violation of any U.S. export law or
-regulation of the United States and other jurisdictions.
-16.6 Complete Agreement. This Agreement, and any terms, policies, or writings referenced within it, constitutes
-the final and complete agreement between the parties with respect to the Products, and supersedes any
-prior or contemporaneous representations or agreements, whether written or oral.
-16.7 Modification; Waiver. No amendment of this agreement will be effective unless it is in writing and signed by
-the parties. No wavier under this agreement will be effective unless it is in writing and signed by the
-party granting the waiver. A waiver granted on one occasion will not operate as a waver on other occasions.
-16.8 Notices. Notice may be directed to WSO2 at legal@wso2.com.
-16.9 WSO2 Contracting Entity, Governing Law, and Venue. The WSO2 entity entering into this Agreement, the law
-that will apply in any dispute arising out of this Agreement, and the venue for any dispute depend on
-where You are domiciled.
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| If You are domiciled in: | The WSO2 entity entering | Governing law is: | Method of dispute resolution |
-| | into this Agreement is: | | is: |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| USA, Canada, any | WSO2 LLC a Limited | California | Arbitration in Santa Clara, |
-| country not listed | Liability Company in | without giving | California in accordance |
-| below | Delaware | effect to the | with the rules of the |
-| | | principles of | American Arbitration |
-| | | conflict of | Association ("AAA") |
-| | | laws | |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| United Kingdom, Europe | WSO2 UK Limited, a | English | Arbitration in London, |
-| (except for Germany), | company incorporated | | United Kingdom, in |
-| Mongolia, Azerbaijan | under the laws of | | accordance with the |
-| | England | | rules of the International |
-| | | | Chamber of Commerce ("ICC") |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| Sri Lanka, Malaysia, | WSO2 LANKA (PRIVATE) | Sri Lanka | Arbitration in Colombo, |
-| Mauritius, Macau | LIMITED, a company | | Sri Lanka in accordance |
-| | incorporated under | | with the rules of the |
-| | the laws of Sri Lanka | | Arbitration Act No 11 |
-| | | | of 1995 |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| South America, Belize, | WSO2 BRASIL TECNOLOGIA | Brazil | Arbitration in Sao Paulo, |
-| Costa Rica, | E SOFTWARE EIRELI, | | Brazil in accordance with |
-| El Salvador, | a company incorporated | | the rules of the |
-| Guatemala, Honduras, | in Brazil | | International Chamber of |
-| Nicaragua, Panama. | | | Commerce ("ICC") |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| Australia or | WSO2 Australia Pty | New South Wales, | Each party submits to the |
-| New Zealand | Limited, ABN 90 623 | Australia without | exclusive jurisdiction of the |
-| | 311 348 | giving effect to | courts of New South Wales, |
-| | | the principles of | Australia (and any relevant |
-| | | conflict of laws. | appellate courts). Each |
-| | | | party's designated |
-| | | | representatives will meet |
-| | | | within ten (10) days following |
-| | | | receipt of notice of the |
-| | | | dispute and will attempt to |
-| | | | resolve the dispute within |
-| | | | 15 days. If the parties agree |
-| | | | in writing, a dispute may be |
-| | | | mediated or arbitrated. If any |
-| | | | dispute is not resolved |
-| | | | informally or referred to |
-| | | | mediation or arbitration, |
-| | | | either party may commence legal |
-| | | | proceedings in respect of the |
-| | | | dispute in a court of competent |
-| | | | jurisdiction. If the parties |
-| | | | agree in writing to arbitrate a |
-| | | | dispute, such dispute shall be |
-| | | | referred to the Australian |
-| | | | Disputes Centre ("ADC") for |
-| | | | resolution by binding |
-| | | | arbitration in Sydney, New |
-| | | | South Wales in accordance with |
-| | | | the ADC's Conciliation Rules. |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| Germany | WSO2 Germany GmbH | The laws of | Arbitration in Germany in |
-| | | Germany with the | accordance with the rules of |
-| | | exception of | the International Chamber |
-| | | United Nations | of Commerce ("ICC") |
-| | | Convention on | |
-| | | the International | |
-| | | Sale of Goods | |
-| | | (CISG) | |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| United Arab Emirates | WSO2 Middle East FZ-LLC | The governing law | Any dispute arising out of or |
-| (including but not | | of the Agreement | in connection with this |
-| limited to any of its | | shall be the | contract, including any |
-| free zones) | | substantive law of | question regarding its |
-| | | Dubai | existence, validity or |
-| | | International | termination, shall be referred |
-| | | Financial Centre. | to and finally resolved by |
-| | | | arbitration under the |
-| | | | Arbitration Rules of the DIFC - |
-| | | | LCIA Arbitration Centre, which |
-| | | | Rules are deemed to be |
-| | | | incorporated by reference into |
-| | | | this clause. The number of |
-| | | | arbitrators shall be one. The |
-| | | | seat, or legal place, of |
-| | | | arbitration shall be Dubai |
-| | | | International Financial Centre. |
-| | | | The language to be used in the |
-| | | | arbitration shall be English. |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-| India | WSO2 India Private | India | By arbitration administered by |
-| | Limited, a company | | the Singapore International |
-| | incorporated under the | | Arbitration Centre (SIAC), |
-| | laws of India | | India Office in Mumbai in |
-| | | | accordance with the Arbitration |
-| | | | Rules of the Singapore |
-| | | | International Arbitration |
-| | | | Centre Rules ("SIAC Rules") for |
-| | | | the time being in force, which |
-| | | | rules are deemed to be |
-| | | | incorporated by reference in |
-| | | | this clause. |
-| | | | The seat of the arbitration |
-| | | | shall be Mumbai. |
-| | | | The arbitral tribunal shall |
-| | | | consist of one arbitrator |
-| | | | jointly appointed by the |
-| | | | Parties. |
-| | | | The substantive law governing |
-| | | | the arbitration shall be the |
-| | | | Indian Arbitration and |
-| | | | Conciliation Act, 1996. |
-+--------------------------+---------------------------+--------------------+---------------------------------+
-16.10 Agreement to Governing Law and Dispute Resolution. Each party agrees to the applicable governing law above,
-and to the exclusive method of dispute resolution. Where the applicable dispute resolution procedure is
-arbitration, the award rendered by the arbitrator shall be final and binding on the parties, and judgment
-may be entered in any court of competent jurisdiction. Nothing in the above provision prevents either party
-from applying to a court of competent jurisdiction for equitable or injunctive relief. Any dispute or other
-action arising out of this Agreement must be brought within one year of the date the cause of action accrued
-. An action for nonpayment may be brought within two years of the date of last payment.
-16.11 Regional Agreement Variations: WSO2 Australia Pty Limited. Based upon the above, If You enter into this
-Agreement with WSO2 Australia Pty Limited, Sections 9.2, and 13 are replaced with the following:
-9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any
-taxes arising from or relating to this Agreement, including without limitation, GST, use or value
-added taxes, which are paid by or are payable by WSO2. "Taxes" means any form of taxation, levy,
-duty, customs fee, charge, contribution or impost of whatever nature and by whatever authority
-imposed (including without limitation any fine, penalty, surcharge or interest), excluding, however,
-any taxes based solely on the net income of WSO2. If You are required under any applicable law or
-regulation, domestic or foreign, to withhold or deduct any portion of the payments due to WSO2, then
-the sum payable to WSO2 will be increased by the amount necessary so that WSO2 receives an amount
-equal to the sum it would have received had Subscriber made no withholdings or deductions.
-Where a supply under this Agreement is a taxable supply, all amounts payable or other consideration
-provided must be increased by the amount of GST payable in relation to the supply. All GST must be
-paid at the time any payment for any supply to which it relates is payable (provided a valid tax
-invoice has been issued for the supply). In this Section, "GST", "tax invoice" and "taxable supply"
-have the meanings given to them in the A New Tax Systems (Goods and Services Tax) Act 1999 (Cth).
-13. Limitation of Liability. EXCEPT FOR LIABILITY DAMAGES FOR BODILY INJURY (INCLUDING DEATH) WHICH SHALL
-BE UNLIMITED, WSO2'S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR IN CONNECTION WITH
-THIS AGREEMENT, REGARDLESS OF THE FORM OF ACTION (INCLUDING NEGLIGENCE), IS LIMITED IN ANY CALENDAR
-YEAR TO THE AMOUNT PAID BY SUBSCRIBER FOR SERVICES DURING THAT CALENDAR YEAR. IF YOU HAVE PAID NO
-FEES, OR ARE A NON-COMMERCIAL, EDUCATIONAL, OR TRIAL LICENSEE, WSO2'S MAXIMUM AGGREGATE LIABILITY TO
-YOU IS $100.
-NO EVENT WILL WSO2 BE LIABLE FOR ANY "INDIRECT LOSSES" BEING: (A) DOWNTIME COSTS, LOST BUSINESS,
-REVENUES, OR PROFITS, FAILURE TO REALIZE EXPECTED SAVINGS OR OPPORTUNITY, LOSS OF OR DAMAGE TO DATA,
-LOSS OF GOODWILL OR REPUTATION, COSTS OF SOFTWARE RESTORATION; AND (B) ANY LOSS THAT DOES NOT ARISE
-NATURALLY OR ACCORDING TO THE USUAL COURSE OF THINGS FROM A BREACH, ACT OR OMISSION RELATING TO THIS
-AGREEMENT REGARDLESS OF WHETHER ANY OF THE FOREGOING ARE FORESEEABLE, AND REGARDLESS OF WHETHER WSO2
-HAS BEEN NOTIFIED OF THE POSSIBILITY OF ANY OF THE FOREGOING. THESE LIMITATIONS WILL APPLY REGARDLESS
-OF THE BASIS OF LIABILITY, INCLUDING NEGLIGENCE, MISREPRESENTATION, BREACH, DEFAMATION, INFRINGEMENT
-OF PUBLICITY, PRIVACY, OR INTELLECTUAL PROPERTY RIGHTS, OR ANY OTHER CONTRACT OR TORT CLAIM.
-16.12 Regional Agreement Variations: WSO2 Germany GmbH. Based upon the above, If You enter into this Agreement
-with WSO2 Germany GmbH, Sections 6.5, 9.1, and 9.2 are replaced with the following:
-6.5 Non-solicitation. During the term of this Agreement and for a period of one (1) year after its
-termination, neither party will directly (a) solicit for hire or engagement any of the other party's
-personnel who were involved in the provision or receipt of Services under this Agreement or (b) hire
-or engage any person or entity who is or was employed or engaged by the other party and who was
-involved in the provision or receipt of Services under this Agreement until one hundred eighty (180)
-calendar days following the termination of the person's or entity's employment or engagement with
-the other party.
-For purposes herein, "solicit" does not include broad-based recruiting efforts, including without
-limitation help wanted advertising and posting of open positions on a party's internet site. If You
-hire or engage directly or indirectly any personnel of WSO2 in violation of this section, You will pay
-WSO2 a contractual penalty equal to three times the monthly billing rate (assuming 168 hours per
-month) for such personnel.
-9.1 Fees. After You sign an Order, or upon renewal of a Subscription, WSO2 will send you an invoice. You
-will pay all fees specified in invoices. All payments are due within thirty (30) calendar days of
-receipt of an invoice from WSO2 and are non-refundable. WSO2 may suspend or cancel performance of
-all or part of the Subscription or Services and may change its credit terms (after notifying You) if
-actual payment is not received within sixty (60) calendar days of Your receipt of WSO2's invoice.
-Payments past due sixty (60) calendar days will incur interest at the rate of 9 percentage points
-above the ECB basic interest rate per year. In addition, Subscriber has to pay 40 EUR in recovering
-charges. In any proceeding brought by WSO2 to collect amounts due, WSO2 will also receive its actual
-costs of collection, including reasonable attorneys' fees.
-9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any
-taxes arising from or relating to this Agreement, including without limitation, VAT which is paid by
-or is payable by WSO2. "Taxes" means any form of taxation, levy, duty, customs fee, charge,
-contribution or impost of whatever nature and by whatever authority imposed (including without
-limitation any fine, penalty, surcharge or interest), excluding, however, any taxes based solely on
-the net income of WSO2. If You are required under any applicable law or regulation, domestic or
-foreign, to withhold or deduct any portion of the payments due to WSO2, then the sum payable to WSO2
-will be increased by the amount necessary so that WSO2 receives an amount equal to the sum it would
-have received had Subscriber made no withholdings or deductions.
-16.13 Regional Agreement Variations: WSO2 Middle East FZ- LLC. Based upon the above, If You enter into this
-Agreement with WSO2 Middle East FZ- LLC, Section 1.1 is replaced with the following:
-1.1 Remedies. WSO2'S SOLE OBLIGATION AND SUBSCRIBER'S SOLE REMEDY FOR WSO2'S BREACH OF ANY
-REPRESENTATIONS, WARRANTIES OR OBLIGATIONS OF THIS AGREEMENT IS TO (I) IN THE CASE OF A DEFECTIVE OR
-FAULTY BUG FIX, PATCH OR THE LIKE, DELIVER TO SUBSCRIBER A CORRECTED VERSION WHICH ALLOWS FOR PROPER
-INSTALLATION; OR (II) IF OPTION (I) IS NOT RELEVANT OR IS DEEMED NOT TO BE COMMERCIALLY FEASIBLE BY
-WSO2, TERMINATE THIS AGREEMENT (WITHOUT THE REQUIREMENT OF A COURT ORDER) AND REFUND A PRO RATA
-PORTION OF THE FEES PAID BY SUBSCRIBER.
-16.14 Regional Agreement Variations: WSO2 India (Private) Limited. Based upon the above, If You enter into this
-Agreement with WSO2 India (Private) Limited, Section 6.5, 9.2 and 16.1 are replaced with the following:
-6.5 Non-solicitation. During the term of this Agreement and for a period of one (1) year after its
-termination, neither party will directly or indirectly (a) solicit for hire or engagement any of the
-other party's personnel who were involved in the provision or receipt of Services under this Agreement
-or (b) hire or engage any person or entity who is or was employed or engaged by the other party and
-who was involved in the provision or receipt of Services under this Agreement until one hundred eighty
-(180) calendar days following the termination of the person's or entity's employment or engagement
-with the other party. For purposes herein, "solicit" does not include broad-based recruiting efforts,
-including without limitation help wanted advertising and posting of open positions on a party's
-internet site. If You hire or engage directly or indirectly any personnel of WSO2 in violation of this
-section, You will pay WSO2 as liquidated damages an amount equal to three times the monthly billing
-rate (assuming 168 hours per month) for such personnel. You agree that the said amount is a genuine
-pre-estimate of the damages that WSO2 will suffer on account of such breach and are not by way of
-penalty.
-9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any
-taxes arising from or relating to this Agreement, including without limitation, sales, service, use or
-value added taxes, which are paid by or are payable by WSO2. "Taxes" means any form of taxation, levy,
-duty, customs fee, charge, contribution or impost of whatever nature and by whatever authority imposed
-(including without limitation any fine, penalty, surcharge or interest), excluding, however, any taxes
-based solely on the net income of WSO2. If You are required under any applicable law or regulation,
-domestic or foreign, to withhold or deduct any portion of the payments due to WSO2, then the sum
-payable to WSO2 will be increased by the amount necessary so that WSO2 receives an amount equal to the
-sum it would have received had Subscriber made no withholdings or deductions. In such cases You shall
-also deposit with the tax authorities and within the time required under law, the withheld or deducted
-amount and shall provide WSO2 with the relevant certificates in relation thereto.
-16.1 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be
-contrary to law, in whole or in part, this Agreement will be interpreted and construed as if such
-provision had never been included herein. The remaining part of such provision and all other
-provisions of this Agreement shall remain in full force and effect.
In such event, the parties -undertake to endeavor in good faith to replace the said provision by a valid, legal, and enforceable -provision which contains, as nearly as possible, the rights and obligations contained in the provision -to be replaced. -EOF - -viewLicenseText -} -function create_yaml(){ - -cat > $k8s_obj_file << "EOF" - -apiVersion: v1 -kind: Namespace -metadata: - name: wso2 -spec: - finalizers: - - kubernetes ---- -EOF -cat >> $k8s_obj_file << "EOF" - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: wso2svc-account - namespace : wso2 ---- - -apiVersion: v1 -data: - .dockerconfigjson: "$string.&.secret.auth.data" -kind: Secret -metadata: - name: wso2is-deployment-creds - namespace: wso2 -type: kubernetes.io/dockerconfigjson ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: identity-server-conf - namespace : wso2 -data: - deployment.toml: |- - [server] - hostname = "$env{HOST_NAME}" - node_ip = "$env{NODE_IP}" - # base_path = "https://$ref{server.hostname}:${carbon.management.port}" - - [super_admin] - username = "admin" - password = "admin" - create_admin_account = true - - [user_store] - type = "database_unique_id" - - [database.identity_db] - type = "mysql" - url = "jdbc:mysql://wso2is-rdbms-service-mysql:3306/WSO2IS_IDENTITY_DB?autoReconnect=true&useSSL=false" - username = "wso2carbon" - password = "wso2carbon" - driver = "com.mysql.cj.jdbc.Driver" - [database.identity_db.pool_options] - validationQuery = "SELECT 1" - - - [database.shared_db] - type = "mysql" - url = "jdbc:mysql://wso2is-rdbms-service-mysql:3306/WSO2IS_SHARED_DB?autoReconnect=true&useSSL=false" - username = "wso2carbon" - password = "wso2carbon" - driver = "com.mysql.cj.jdbc.Driver" - [database.shared_db.pool_options] - validationQuery = "SELECT 1" - - [keystore.primary] - file_name = "wso2carbon.jks" - password = "wso2carbon" ---- - -apiVersion: v1 -data: - init.sql: |- - DROP DATABASE IF EXISTS WSO2IS_SHARED_DB; - DROP DATABASE IF EXISTS WSO2IS_IDENTITY_DB; - - 
CREATE DATABASE WSO2IS_SHARED_DB; - CREATE DATABASE WSO2IS_IDENTITY_DB; - - GRANT ALL ON WSO2IS_SHARED_DB.* TO 'wso2carbon'@'%' IDENTIFIED BY 'wso2carbon'; - GRANT ALL ON WSO2IS_IDENTITY_DB.* TO 'wso2carbon'@'%' IDENTIFIED BY 'wso2carbon'; - - USE WSO2IS_SHARED_DB; - - CREATE TABLE IF NOT EXISTS REG_CLUSTER_LOCK ( - REG_LOCK_NAME VARCHAR (20), - REG_LOCK_STATUS VARCHAR (20), - REG_LOCKED_TIME TIMESTAMP, - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (REG_LOCK_NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_LOG ( - REG_LOG_ID INTEGER AUTO_INCREMENT, - REG_PATH VARCHAR (750), - REG_USER_ID VARCHAR (255) NOT NULL, - REG_LOGGED_TIME TIMESTAMP NOT NULL, - REG_ACTION INTEGER NOT NULL, - REG_ACTION_DATA VARCHAR (500), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (REG_LOG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_LOG_IND_BY_REGLOG USING HASH ON REG_LOG(REG_LOGGED_TIME, REG_TENANT_ID); - - -- The REG_PATH_VALUE should be less than 767 bytes, and hence was fixed at 750. - -- See CARBON-5917. 
- - CREATE TABLE IF NOT EXISTS REG_PATH( - REG_PATH_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PATH_VALUE VARCHAR(750) CHARACTER SET latin1 COLLATE latin1_general_cs NOT NULL, - REG_PATH_PARENT_ID INTEGER, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_PATH PRIMARY KEY(REG_PATH_ID, REG_TENANT_ID), - CONSTRAINT UNIQUE_REG_PATH_TENANT_ID UNIQUE (REG_PATH_VALUE,REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_PATH_IND_BY_PATH_PARENT_ID USING HASH ON REG_PATH(REG_PATH_PARENT_ID, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_CONTENT ( - REG_CONTENT_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_CONTENT_DATA LONGBLOB, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_CONTENT PRIMARY KEY(REG_CONTENT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_CONTENT_HISTORY ( - REG_CONTENT_ID INTEGER NOT NULL, - REG_CONTENT_DATA LONGBLOB, - REG_DELETED SMALLINT, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_CONTENT_HISTORY PRIMARY KEY(REG_CONTENT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE ( - REG_PATH_ID INTEGER NOT NULL, - REG_NAME VARCHAR(256), - REG_VERSION INTEGER NOT NULL AUTO_INCREMENT, - REG_MEDIA_TYPE VARCHAR(500), - REG_CREATOR VARCHAR(255) NOT NULL, - REG_CREATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_LAST_UPDATOR VARCHAR(255), - REG_LAST_UPDATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_DESCRIPTION VARCHAR(1000), - REG_CONTENT_ID INTEGER, - REG_TENANT_ID INTEGER DEFAULT 0, - REG_UUID VARCHAR(100) NOT NULL, - CONSTRAINT PK_REG_RESOURCE PRIMARY KEY(REG_VERSION, REG_TENANT_ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE ADD CONSTRAINT REG_RESOURCE_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE ADD CONSTRAINT REG_RESOURCE_FK_BY_CONTENT_ID FOREIGN KEY (REG_CONTENT_ID, REG_TENANT_ID) REFERENCES REG_CONTENT (REG_CONTENT_ID, REG_TENANT_ID); - CREATE INDEX 
REG_RESOURCE_IND_BY_NAME USING HASH ON REG_RESOURCE(REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_IND_BY_PATH_ID_NAME USING HASH ON REG_RESOURCE(REG_PATH_ID, REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_IND_BY_UUID USING HASH ON REG_RESOURCE(REG_UUID); - CREATE INDEX REG_RESOURCE_IND_BY_TENAN USING HASH ON REG_RESOURCE(REG_TENANT_ID, REG_UUID); - CREATE INDEX REG_RESOURCE_IND_BY_TYPE USING HASH ON REG_RESOURCE(REG_TENANT_ID, REG_MEDIA_TYPE); - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_HISTORY ( - REG_PATH_ID INTEGER NOT NULL, - REG_NAME VARCHAR(256), - REG_VERSION INTEGER NOT NULL, - REG_MEDIA_TYPE VARCHAR(500), - REG_CREATOR VARCHAR(255) NOT NULL, - REG_CREATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_LAST_UPDATOR VARCHAR(255), - REG_LAST_UPDATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_DESCRIPTION VARCHAR(1000), - REG_CONTENT_ID INTEGER, - REG_DELETED SMALLINT, - REG_TENANT_ID INTEGER DEFAULT 0, - REG_UUID VARCHAR(100) NOT NULL, - CONSTRAINT PK_REG_RESOURCE_HISTORY PRIMARY KEY(REG_VERSION, REG_TENANT_ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_HISTORY ADD CONSTRAINT REG_RESOURCE_HIST_FK_BY_PATHID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_HISTORY ADD CONSTRAINT REG_RESOURCE_HIST_FK_BY_CONTENT_ID FOREIGN KEY (REG_CONTENT_ID, REG_TENANT_ID) REFERENCES REG_CONTENT_HISTORY (REG_CONTENT_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_HISTORY_IND_BY_NAME USING HASH ON REG_RESOURCE_HISTORY(REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_HISTORY_IND_BY_PATH_ID_NAME USING HASH ON REG_RESOURCE(REG_PATH_ID, REG_NAME, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_COMMENT ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_COMMENT_TEXT VARCHAR(500) NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_COMMENTED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_COMMENT PRIMARY KEY(REG_ID, REG_TENANT_ID) - 
)ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_COMMENT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_COMMENT_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_COMMENT ADD CONSTRAINT REG_RESOURCE_COMMENT_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_COMMENT ADD CONSTRAINT REG_RESOURCE_COMMENT_FK_BY_COMMENT_ID FOREIGN KEY (REG_COMMENT_ID, REG_TENANT_ID) REFERENCES REG_COMMENT (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_COMMENT_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_COMMENT(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_COMMENT_IND_BY_VERSION USING HASH ON REG_RESOURCE_COMMENT(REG_VERSION, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_RATING ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_RATING INTEGER NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_RATED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_RATING PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_RATING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_RATING_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_RATING ADD CONSTRAINT REG_RESOURCE_RATING_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_RATING ADD CONSTRAINT REG_RESOURCE_RATING_FK_BY_RATING_ID FOREIGN KEY (REG_RATING_ID, REG_TENANT_ID) REFERENCES REG_RATING (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_RATING_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_RATING(REG_PATH_ID, REG_RESOURCE_NAME, 
REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_RATING_IND_BY_VERSION USING HASH ON REG_RESOURCE_RATING(REG_VERSION, REG_TENANT_ID); - - - CREATE TABLE IF NOT EXISTS REG_TAG ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_TAG_NAME VARCHAR(500) NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_TAGGED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_TAG PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_TAG ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_TAG_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_TAG ADD CONSTRAINT REG_RESOURCE_TAG_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_TAG ADD CONSTRAINT REG_RESOURCE_TAG_FK_BY_TAG_ID FOREIGN KEY (REG_TAG_ID, REG_TENANT_ID) REFERENCES REG_TAG (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_TAG_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_TAG(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_TAG_IND_BY_VERSION USING HASH ON REG_RESOURCE_TAG(REG_VERSION, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_PROPERTY ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_NAME VARCHAR(100) NOT NULL, - REG_VALUE VARCHAR(1000), - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_PROPERTY PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_PROPERTY ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PROPERTY_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_PROPERTY ADD CONSTRAINT REG_RESOURCE_PROPERTY_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, 
REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_PROPERTY ADD CONSTRAINT REG_RESOURCE_PROPERTY_FK_BY_TAG_ID FOREIGN KEY (REG_PROPERTY_ID, REG_TENANT_ID) REFERENCES REG_PROPERTY (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_PROPERTY_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_PROPERTY(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_PROPERTY_IND_BY_VERSION USING HASH ON REG_RESOURCE_PROPERTY(REG_VERSION, REG_TENANT_ID); - - -- CREATE TABLE IF NOT EXISTS REG_ASSOCIATIONS ( - -- SRC_PATH_ID INTEGER, - -- SRC_RESOURCE_NAME VARCHAR(256), - -- SRC_VERSION INTEGER, - -- TGT_PATH_ID INTEGER, - -- TGT_RESOURCE_NAME VARCHAR(256), - -- TGT_VERSION INTEGER - -- )ENGINE INNODB; - -- - -- ALTER TABLE REG_ASSOCIATIONS ADD CONSTRAINT REG_ASSOCIATIONS_FK_BY_SRC_PATH_ID FOREIGN KEY (SRC_PATH_ID) REFERENCES REG_PATH (PATH_ID); - -- ALTER TABLE REG_ASSOCIATIONS ADD CONSTRAINT REG_ASSOCIATIONS_FK_BY_TGT_PATH_ID FOREIGN KEY (TGT_PATH_ID) REFERENCES REG_PATH (PATH_ID); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_SRC_VERSION ON REG_ASSOCIATIONS(SRC_VERSION); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_TGT_VERSION ON REG_ASSOCIATIONS(TGT_VERSION); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_SRC_RESOURCE_NAME ON REG_ASSOCIATIONS(SRC_RESOURCE_NAME); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_TGT_RESOURCE_NAME ON REG_ASSOCIATIONS(TGT_RESOURCE_NAME); - - - - CREATE TABLE IF NOT EXISTS REG_ASSOCIATION ( - REG_ASSOCIATION_ID INTEGER AUTO_INCREMENT, - REG_SOURCEPATH VARCHAR (750) NOT NULL, - REG_TARGETPATH VARCHAR (750) NOT NULL, - REG_ASSOCIATION_TYPE VARCHAR (2000) NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (REG_ASSOCIATION_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_SNAPSHOT ( - REG_SNAPSHOT_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PATH_ID INTEGER NOT NULL, - REG_RESOURCE_NAME VARCHAR(255), - REG_RESOURCE_VIDS LONGBLOB NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_SNAPSHOT PRIMARY 
KEY(REG_SNAPSHOT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_SNAPSHOT_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_SNAPSHOT(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - - ALTER TABLE REG_SNAPSHOT ADD CONSTRAINT REG_SNAPSHOT_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - - - -- ################################ - -- USER MANAGER TABLES - -- ################################ - - CREATE TABLE UM_TENANT ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_TENANT_UUID VARCHAR(36) NOT NULL, - UM_DOMAIN_NAME VARCHAR(255) NOT NULL, - UM_EMAIL VARCHAR(255), - UM_ACTIVE BOOLEAN DEFAULT FALSE, - UM_CREATED_DATE TIMESTAMP NOT NULL, - UM_USER_CONFIG LONGBLOB, - UM_ORG_UUID VARCHAR(36) DEFAULT NULL, - PRIMARY KEY (UM_ID), - UNIQUE(UM_DOMAIN_NAME), - UNIQUE(UM_TENANT_UUID) - )ENGINE INNODB; - - CREATE TABLE UM_DOMAIN( - UM_DOMAIN_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DOMAIN_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_DOMAIN_ID, UM_TENANT_ID), - UNIQUE(UM_DOMAIN_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE UNIQUE INDEX INDEX_UM_TENANT_UM_DOMAIN_NAME - ON UM_TENANT (UM_DOMAIN_NAME); - - CREATE TABLE UM_USER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_ID VARCHAR(255) NOT NULL, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_USER_PASSWORD VARCHAR(255) NOT NULL, - UM_SALT_VALUE VARCHAR(31), - UM_REQUIRE_CHANGE BOOLEAN DEFAULT FALSE, - UM_CHANGED_TIME TIMESTAMP NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_USER_ID), - UNIQUE(UM_USER_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE UNIQUE INDEX INDEX_UM_USERNAME_UM_TENANT_ID ON UM_USER(UM_USER_NAME, UM_TENANT_ID); - - CREATE TABLE UM_SYSTEM_USER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_USER_PASSWORD VARCHAR(255) NOT NULL, - UM_SALT_VALUE VARCHAR(31), - UM_REQUIRE_CHANGE BOOLEAN DEFAULT FALSE, - UM_CHANGED_TIME TIMESTAMP NOT 
NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_USER_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_ROLE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_SHARED_ROLE BOOLEAN DEFAULT FALSE, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_MODULE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_MODULE_NAME VARCHAR(100), - UNIQUE(UM_MODULE_NAME), - PRIMARY KEY(UM_ID) - )ENGINE INNODB; - - CREATE TABLE UM_MODULE_ACTIONS( - UM_ACTION VARCHAR(255) NOT NULL, - UM_MODULE_ID INTEGER NOT NULL, - PRIMARY KEY(UM_ACTION, UM_MODULE_ID), - FOREIGN KEY (UM_MODULE_ID) REFERENCES UM_MODULE(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE UM_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_RESOURCE_ID VARCHAR(255) NOT NULL, - UM_ACTION VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_MODULE_ID INTEGER DEFAULT 0, - UNIQUE(UM_RESOURCE_ID,UM_ACTION, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX INDEX_UM_PERMISSION_UM_RESOURCE_ID_UM_ACTION ON UM_PERMISSION (UM_RESOURCE_ID, UM_ACTION, UM_TENANT_ID); - - CREATE TABLE UM_ROLE_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PERMISSION_ID INTEGER NOT NULL, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_IS_ALLOWED SMALLINT NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_PERMISSION_ID, UM_ROLE_NAME, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_PERMISSION_ID, UM_TENANT_ID) REFERENCES UM_PERMISSION(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - -- REMOVED UNIQUE (UM_PERMISSION_ID, UM_ROLE_ID) - CREATE TABLE UM_USER_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PERMISSION_ID 
INTEGER NOT NULL, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_IS_ALLOWED SMALLINT NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY (UM_PERMISSION_ID, UM_TENANT_ID) REFERENCES UM_PERMISSION(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - -- REMOVED UNIQUE (UM_PERMISSION_ID, UM_USER_ID) - CREATE TABLE UM_USER_ROLE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_ID INTEGER NOT NULL, - UM_USER_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_ROLE(UM_ID, UM_TENANT_ID), - FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) REFERENCES UM_USER(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SHARED_USER_ROLE( - ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_ID INTEGER NOT NULL, - UM_USER_ID INTEGER NOT NULL, - UM_USER_TENANT_ID INTEGER NOT NULL, - UM_ROLE_TENANT_ID INTEGER NOT NULL, - UNIQUE(UM_USER_ID,UM_ROLE_ID,UM_USER_TENANT_ID, UM_ROLE_TENANT_ID), - FOREIGN KEY(UM_ROLE_ID,UM_ROLE_TENANT_ID) REFERENCES UM_ROLE(UM_ID,UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY(UM_USER_ID,UM_USER_TENANT_ID) REFERENCES UM_USER(UM_ID,UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY(ID) - )ENGINE INNODB; - - CREATE TABLE UM_ACCOUNT_MAPPING( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER NOT NULL, - UM_USER_STORE_DOMAIN VARCHAR(100), - UM_ACC_LINK_ID INTEGER NOT NULL, - UNIQUE(UM_USER_NAME, UM_TENANT_ID, UM_USER_STORE_DOMAIN, UM_ACC_LINK_ID), - FOREIGN KEY (UM_TENANT_ID) REFERENCES UM_TENANT(UM_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_USER_ATTRIBUTE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ATTR_NAME VARCHAR(255) NOT NULL, - UM_ATTR_VALUE VARCHAR(1024), - UM_PROFILE_ID VARCHAR(255), - UM_USER_ID INTEGER, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) 
REFERENCES UM_USER(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX UM_USER_ID_INDEX ON UM_USER_ATTRIBUTE(UM_USER_ID); - - CREATE INDEX UM_ATTR_NAME_VALUE_INDEX ON UM_USER_ATTRIBUTE(UM_ATTR_NAME, UM_ATTR_VALUE(512)); - - CREATE TABLE UM_DIALECT( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_URI VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE(UM_DIALECT_URI, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_CLAIM( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_ID INTEGER NOT NULL, - UM_CLAIM_URI VARCHAR(255) NOT NULL, - UM_DISPLAY_TAG VARCHAR(255), - UM_DESCRIPTION VARCHAR(255), - UM_MAPPED_ATTRIBUTE_DOMAIN VARCHAR(255), - UM_MAPPED_ATTRIBUTE VARCHAR(255), - UM_REG_EX VARCHAR(255), - UM_SUPPORTED SMALLINT, - UM_REQUIRED SMALLINT, - UM_DISPLAY_ORDER INTEGER, - UM_CHECKED_ATTRIBUTE SMALLINT, - UM_READ_ONLY SMALLINT, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE(UM_DIALECT_ID, UM_CLAIM_URI, UM_TENANT_ID,UM_MAPPED_ATTRIBUTE_DOMAIN), - FOREIGN KEY(UM_DIALECT_ID, UM_TENANT_ID) REFERENCES UM_DIALECT(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_PROFILE_CONFIG( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_ID INTEGER NOT NULL, - UM_PROFILE_NAME VARCHAR(255), - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY(UM_DIALECT_ID, UM_TENANT_ID) REFERENCES UM_DIALECT(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_CLAIM_BEHAVIOR( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PROFILE_ID INTEGER, - UM_CLAIM_ID INTEGER, - UM_BEHAVIOUR SMALLINT, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY(UM_PROFILE_ID, UM_TENANT_ID) REFERENCES UM_PROFILE_CONFIG(UM_ID,UM_TENANT_ID), - FOREIGN KEY(UM_CLAIM_ID, UM_TENANT_ID) REFERENCES UM_CLAIM(UM_ID,UM_TENANT_ID), - PRIMARY KEY(UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_HYBRID_ROLE( - UM_ID INTEGER NOT NULL 
AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX UM_ROLE_NAME_IND ON UM_HYBRID_ROLE(UM_ROLE_NAME); - - CREATE TABLE UM_HYBRID_USER_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_USER_NAME, UM_ROLE_ID, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_HYBRID_ROLE(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_HYBRID_GROUP_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_GROUP_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_GROUP_NAME, UM_ROLE_ID, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_HYBRID_ROLE(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SYSTEM_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SYSTEM_USER_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE (UM_USER_NAME, UM_ROLE_ID, UM_TENANT_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_SYSTEM_ROLE(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_HYBRID_REMEMBER_ME( - UM_ID INTEGER NOT NULL 
AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_COOKIE_VALUE VARCHAR(1024), - UM_CREATED_TIME TIMESTAMP, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_UUID_DOMAIN_MAPPER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_ID VARCHAR(255) NOT NULL, - UM_DOMAIN_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID), - UNIQUE (UM_USER_ID), - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE INDEX UUID_DM_UID_TID ON UM_UUID_DOMAIN_MAPPER(UM_USER_ID, UM_TENANT_ID); - - CREATE TABLE IF NOT EXISTS UM_GROUP_UUID_DOMAIN_MAPPER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_GROUP_ID VARCHAR(255) NOT NULL, - UM_DOMAIN_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID), - UNIQUE (UM_GROUP_ID), - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE INDEX GRP_UUID_DM_GRP_ID_TID ON UM_GROUP_UUID_DOMAIN_MAPPER(UM_GROUP_ID, UM_TENANT_ID); - - -- ################################ - -- ORGANIZATION MANAGEMENT TABLES - -- ################################ - - SET SQL_MODE='ALLOW_INVALID_DATES'; - - CREATE TABLE IF NOT EXISTS UM_ORG ( - UM_ID VARCHAR(36) NOT NULL, - UM_ORG_NAME VARCHAR(255) NOT NULL, - UM_ORG_DESCRIPTION VARCHAR(1024), - UM_CREATED_TIME TIMESTAMP NOT NULL, - UM_LAST_MODIFIED TIMESTAMP NOT NULL, - UM_STATUS VARCHAR(255) DEFAULT 'ACTIVE' NOT NULL, - UM_PARENT_ID VARCHAR(36), - UM_ORG_TYPE VARCHAR(100) NOT NULL, - PRIMARY KEY (UM_ID), - FOREIGN KEY (UM_PARENT_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - INSERT IGNORE INTO UM_ORG (UM_ID, UM_ORG_NAME, UM_ORG_DESCRIPTION, UM_CREATED_TIME, UM_LAST_MODIFIED, UM_STATUS, UM_ORG_TYPE) - VALUES ('10084a8d-113f-4211-a0d5-efe36b082211', 'Super', 'This is the super organization.', CURRENT_TIMESTAMP, 
CURRENT_TIMESTAMP, 'ACTIVE', 'TENANT'); - - CREATE TABLE IF NOT EXISTS UM_ORG_ATTRIBUTE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ORG_ID VARCHAR(36) NOT NULL, - UM_ATTRIBUTE_KEY VARCHAR(255) NOT NULL, - UM_ATTRIBUTE_VALUE VARCHAR(512), - PRIMARY KEY (UM_ID), - UNIQUE (UM_ORG_ID, UM_ATTRIBUTE_KEY), - FOREIGN KEY (UM_ORG_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE ( - UM_ROLE_ID VARCHAR(255) NOT NULL, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_ORG_ID VARCHAR(36) NOT NULL, - PRIMARY KEY(UM_ROLE_ID), - CONSTRAINT FK_UM_ORG_ROLE_UM_ORG FOREIGN KEY (UM_ORG_ID) REFERENCES UM_ORG (UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_PERMISSION( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_RESOURCE_ID VARCHAR(255) NOT NULL, - UM_ACTION VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_USER ( - UM_USER_ID VARCHAR(255) NOT NULL, - UM_ROLE_ID VARCHAR(255) NOT NULL, - CONSTRAINT FK_UM_ORG_ROLE_USER_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_GROUP( - UM_GROUP_ID VARCHAR(255) NOT NULL, - UM_ROLE_ID VARCHAR(255) NOT NULL, - CONSTRAINT FK_UM_ORG_ROLE_GROUP_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_PERMISSION( - UM_PERMISSION_ID INTEGER NOT NULL, - UM_ROLE_ID VARCHAR(255) NOT NULL, - CONSTRAINT FK_UM_ORG_ROLE_PERMISSION_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE, - CONSTRAINT FK_UM_ORG_ROLE_PERMISSION_UM_ORG_PERMISSION FOREIGN KEY (UM_PERMISSION_ID) REFERENCES UM_ORG_PERMISSION(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_ORG_HIERARCHY ( - UM_PARENT_ID VARCHAR(36) NOT NULL, - UM_ID VARCHAR(36) NOT NULL, - 
DEPTH INTEGER, - PRIMARY KEY (UM_PARENT_ID, UM_ID), - FOREIGN KEY (UM_PARENT_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - INSERT IGNORE INTO UM_ORG_HIERARCHY (UM_PARENT_ID, UM_ID, DEPTH) - VALUES ('10084a8d-113f-4211-a0d5-efe36b082211', '10084a8d-113f-4211-a0d5-efe36b082211', 0); - - USE WSO2IS_IDENTITY_DB; - - CREATE TABLE IF NOT EXISTS IDN_BASE_TABLE ( - PRODUCT_NAME VARCHAR(20), - PRIMARY KEY (PRODUCT_NAME) - )ENGINE INNODB; - - INSERT INTO IDN_BASE_TABLE values ('WSO2 Identity Server'); - - CREATE TABLE IF NOT EXISTS IDN_OAUTH_CONSUMER_APPS ( - ID INTEGER NOT NULL AUTO_INCREMENT, - CONSUMER_KEY VARCHAR(255), - CONSUMER_SECRET VARCHAR(2048), - USERNAME VARCHAR(255), - TENANT_ID INTEGER DEFAULT 0, - USER_DOMAIN VARCHAR(50), - APP_NAME VARCHAR(255), - OAUTH_VERSION VARCHAR(128), - CALLBACK_URL VARCHAR(2048), - GRANT_TYPES VARCHAR (1024), - PKCE_MANDATORY CHAR(1) DEFAULT '0', - PKCE_SUPPORT_PLAIN CHAR(1) DEFAULT '0', - APP_STATE VARCHAR (25) DEFAULT 'ACTIVE', - USER_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, - APP_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, - REFRESH_TOKEN_EXPIRE_TIME BIGINT DEFAULT 84600, - ID_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, - CONSTRAINT CONSUMER_KEY_CONSTRAINT UNIQUE (CONSUMER_KEY), - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_VALIDATORS ( - APP_ID INTEGER NOT NULL, - SCOPE_VALIDATOR VARCHAR (128) NOT NULL, - PRIMARY KEY (APP_ID,SCOPE_VALIDATOR), - FOREIGN KEY (APP_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_REQUEST_TOKEN ( - REQUEST_TOKEN VARCHAR(255), - REQUEST_TOKEN_SECRET VARCHAR(512), - CONSUMER_KEY_ID INTEGER, - CALLBACK_URL VARCHAR(2048), - SCOPE VARCHAR(2048), - AUTHORIZED VARCHAR(128), - OAUTH_VERIFIER VARCHAR(512), - AUTHZ_USER VARCHAR(512), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (REQUEST_TOKEN), - FOREIGN KEY 
(CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_ACCESS_TOKEN ( - ACCESS_TOKEN VARCHAR(255), - ACCESS_TOKEN_SECRET VARCHAR(512), - CONSUMER_KEY_ID INTEGER, - SCOPE VARCHAR(2048), - AUTHZ_USER VARCHAR(512), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ACCESS_TOKEN), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN ( - TOKEN_ID VARCHAR (255), - ACCESS_TOKEN VARCHAR(2048), - REFRESH_TOKEN VARCHAR(2048), - CONSUMER_KEY_ID INTEGER, - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - USER_TYPE VARCHAR (25), - GRANT_TYPE VARCHAR (50), - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REFRESH_TOKEN_TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - VALIDITY_PERIOD BIGINT, - REFRESH_TOKEN_VALIDITY_PERIOD BIGINT, - TOKEN_SCOPE_HASH VARCHAR(32), - TOKEN_STATE VARCHAR(25) DEFAULT 'ACTIVE', - TOKEN_STATE_ID VARCHAR (128) DEFAULT 'NONE', - SUBJECT_IDENTIFIER VARCHAR(255), - ACCESS_TOKEN_HASH VARCHAR(512), - REFRESH_TOKEN_HASH VARCHAR(512), - IDP_ID INTEGER DEFAULT -1 NOT NULL, - TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE', - CONSENTED_TOKEN VARCHAR(6), - PRIMARY KEY (TOKEN_ID), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE, - CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH, - TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_TOKEN_BINDING ( - TOKEN_ID VARCHAR (255), - TOKEN_BINDING_TYPE VARCHAR (32), - TOKEN_BINDING_REF VARCHAR (32), - TOKEN_BINDING_VALUE VARCHAR (1024), - TENANT_ID INTEGER DEFAULT -1, - UNIQUE (TOKEN_ID,TOKEN_BINDING_TYPE,TOKEN_BINDING_VALUE), - FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE - )ENGINE INNODB; - - 
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_AUDIT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TOKEN_ID VARCHAR (255), - ACCESS_TOKEN VARCHAR(2048), - REFRESH_TOKEN VARCHAR(2048), - CONSUMER_KEY_ID INTEGER, - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - USER_TYPE VARCHAR (25), - GRANT_TYPE VARCHAR (50), - TIME_CREATED TIMESTAMP NULL, - REFRESH_TOKEN_TIME_CREATED TIMESTAMP NULL, - VALIDITY_PERIOD BIGINT, - REFRESH_TOKEN_VALIDITY_PERIOD BIGINT, - TOKEN_SCOPE_HASH VARCHAR(32), - TOKEN_STATE VARCHAR(25), - TOKEN_STATE_ID VARCHAR (128) , - SUBJECT_IDENTIFIER VARCHAR(255), - ACCESS_TOKEN_HASH VARCHAR(512), - REFRESH_TOKEN_HASH VARCHAR(512), - INVALIDATED_TIME TIMESTAMP NULL, - IDP_ID INTEGER DEFAULT -1 NOT NULL, - PRIMARY KEY(ID) - ); - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHORIZATION_CODE ( - CODE_ID VARCHAR (255), - AUTHORIZATION_CODE VARCHAR(2048), - CONSUMER_KEY_ID INTEGER, - CALLBACK_URL VARCHAR(2048), - SCOPE VARCHAR(2048), - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - VALIDITY_PERIOD BIGINT, - STATE VARCHAR (25) DEFAULT 'ACTIVE', - TOKEN_ID VARCHAR(255), - SUBJECT_IDENTIFIER VARCHAR(255), - PKCE_CODE_CHALLENGE VARCHAR(255), - PKCE_CODE_CHALLENGE_METHOD VARCHAR(128), - AUTHORIZATION_CODE_HASH VARCHAR(512), - IDP_ID INTEGER DEFAULT -1 NOT NULL, - PRIMARY KEY (CODE_ID), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHZ_CODE_SCOPE( - CODE_ID VARCHAR(255), - SCOPE VARCHAR(60), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (CODE_ID, SCOPE), - FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE (CODE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_DEVICE_FLOW ( - CODE_ID VARCHAR(255), - DEVICE_CODE VARCHAR(255), - USER_CODE VARCHAR(25), - QUANTIFIER INTEGER NOT NULL DEFAULT 0, - 
CONSUMER_KEY_ID INTEGER, - LAST_POLL_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - EXPIRY_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - POLL_TIME BIGINT, - STATUS VARCHAR (25) DEFAULT 'PENDING', - AUTHZ_USER VARCHAR (100), - TENANT_ID INTEGER, - USER_DOMAIN VARCHAR(50), - IDP_ID INTEGER, - PRIMARY KEY (DEVICE_CODE), - UNIQUE (CODE_ID), - CONSTRAINT USRCDE_QNTFR_CONSTRAINT UNIQUE (USER_CODE, QUANTIFIER), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_DEVICE_FLOW_SCOPES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SCOPE_ID VARCHAR(255), - SCOPE VARCHAR(255), - PRIMARY KEY (ID), - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_DEVICE_FLOW(CODE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_SCOPE ( - TOKEN_ID VARCHAR (255), - TOKEN_SCOPE VARCHAR (60), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (TOKEN_ID, TOKEN_SCOPE), - FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE ( - SCOPE_ID INTEGER NOT NULL AUTO_INCREMENT, - NAME VARCHAR(255) NOT NULL, - DISPLAY_NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(512), - TENANT_ID INTEGER NOT NULL DEFAULT -1, - SCOPE_TYPE VARCHAR(255) NOT NULL, - PRIMARY KEY (SCOPE_ID), - UNIQUE (NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_BINDING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SCOPE_ID INTEGER NOT NULL, - SCOPE_BINDING VARCHAR(255) NOT NULL, - BINDING_TYPE VARCHAR(255) NOT NULL, - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE (SCOPE_ID) ON DELETE CASCADE, - UNIQUE (SCOPE_ID, SCOPE_BINDING, BINDING_TYPE), - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_RESOURCE_SCOPE ( - RESOURCE_PATH VARCHAR(255) NOT NULL, - SCOPE_ID INTEGER NOT NULL, - 
TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (RESOURCE_PATH), - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE (SCOPE_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_SCIM_GROUP ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - ROLE_NAME VARCHAR(255) NOT NULL, - ATTR_NAME VARCHAR(1024) NOT NULL, - ATTR_VALUE VARCHAR(1024), - UNIQUE(TENANT_ID, ROLE_NAME, ATTR_NAME), - PRIMARY KEY (ID) - )ENGINE INNODB; - - - - CREATE TABLE IF NOT EXISTS IDN_OPENID_REMEMBER_ME ( - USER_NAME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT 0, - COOKIE_VALUE VARCHAR(1024), - CREATED_TIME TIMESTAMP, - PRIMARY KEY (USER_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OPENID_USER_RPS ( - USER_NAME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT 0, - RP_URL VARCHAR(255) NOT NULL, - TRUSTED_ALWAYS VARCHAR(128) DEFAULT 'FALSE', - LAST_VISIT DATE NOT NULL, - VISIT_COUNT INTEGER DEFAULT 0, - DEFAULT_PROFILE_NAME VARCHAR(255) DEFAULT 'DEFAULT', - PRIMARY KEY (USER_NAME, TENANT_ID, RP_URL) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OPENID_ASSOCIATIONS ( - HANDLE VARCHAR(255) NOT NULL, - ASSOC_TYPE VARCHAR(255) NOT NULL, - EXPIRE_IN TIMESTAMP NOT NULL, - MAC_KEY VARCHAR(255) NOT NULL, - ASSOC_STORE VARCHAR(128) DEFAULT 'SHARED', - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (HANDLE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_STS_STORE ( - ID INTEGER AUTO_INCREMENT, - TOKEN_ID VARCHAR(255) NOT NULL, - TOKEN_CONTENT BLOB(1024) NOT NULL, - CREATE_DATE TIMESTAMP NOT NULL, - EXPIRE_DATE TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - STATE INTEGER DEFAULT 0, - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_IDENTITY_USER_DATA ( - TENANT_ID INTEGER DEFAULT -1234, - USER_NAME VARCHAR(255) NOT NULL, - DATA_KEY VARCHAR(255) NOT NULL, - DATA_VALUE VARCHAR(2048), - PRIMARY KEY (TENANT_ID, USER_NAME, DATA_KEY) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_IDENTITY_META_DATA ( - USER_NAME 
VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT -1234, - METADATA_TYPE VARCHAR(255) NOT NULL, - METADATA VARCHAR(255) NOT NULL, - VALID VARCHAR(255) NOT NULL, - PRIMARY KEY (TENANT_ID, USER_NAME, METADATA_TYPE,METADATA) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_THRIFT_SESSION ( - SESSION_ID VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - CREATED_TIME VARCHAR(255) NOT NULL, - LAST_MODIFIED_TIME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (SESSION_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_STORE ( - SESSION_ID VARCHAR (100) NOT NULL, - SESSION_TYPE VARCHAR(100) NOT NULL, - OPERATION VARCHAR(10) NOT NULL, - SESSION_OBJECT BLOB, - TIME_CREATED BIGINT, - TENANT_ID INTEGER DEFAULT -1, - EXPIRY_TIME BIGINT, - PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION) - )ENGINE INNODB; - - - - - CREATE TABLE IF NOT EXISTS IDN_AUTH_TEMP_SESSION_STORE ( - SESSION_ID VARCHAR (100) NOT NULL, - SESSION_TYPE VARCHAR(100) NOT NULL, - OPERATION VARCHAR(10) NOT NULL, - SESSION_OBJECT BLOB, - TIME_CREATED BIGINT, - TENANT_ID INTEGER DEFAULT -1, - EXPIRY_TIME BIGINT, - PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_AUTH_USER ( - USER_ID VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - DOMAIN_NAME VARCHAR(255) NOT NULL, - IDP_ID INTEGER NOT NULL, - PRIMARY KEY (USER_ID), - CONSTRAINT USER_STORE_CONSTRAINT UNIQUE (USER_NAME, TENANT_ID, DOMAIN_NAME, IDP_ID)); - - CREATE TABLE IF NOT EXISTS IDN_AUTH_USER_SESSION_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - USER_ID VARCHAR(255) NOT NULL, - SESSION_ID VARCHAR(255) NOT NULL, - CONSTRAINT USER_SESSION_STORE_CONSTRAINT UNIQUE (USER_ID, SESSION_ID), - PRIMARY KEY (ID)); - - CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_APP_INFO ( - SESSION_ID VARCHAR (100) NOT NULL, - SUBJECT VARCHAR (100) NOT NULL, - APP_ID INTEGER NOT NULL, - INBOUND_AUTH_TYPE 
VARCHAR (255) NOT NULL, - PRIMARY KEY (SESSION_ID, SUBJECT, APP_ID, INBOUND_AUTH_TYPE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_META_DATA ( - SESSION_ID VARCHAR (100) NOT NULL, - PROPERTY_TYPE VARCHAR (100) NOT NULL, - VALUE VARCHAR (255) NOT NULL, - PRIMARY KEY (SESSION_ID, PROPERTY_TYPE, VALUE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS SP_APP ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - APP_NAME VARCHAR (255) NOT NULL , - USER_STORE VARCHAR (255) NOT NULL, - USERNAME VARCHAR (255) NOT NULL , - DESCRIPTION VARCHAR (1024), - ROLE_CLAIM VARCHAR (512), - AUTH_TYPE VARCHAR (255) NOT NULL, - PROVISIONING_USERSTORE_DOMAIN VARCHAR (512), - IS_LOCAL_CLAIM_DIALECT CHAR(1) DEFAULT '1', - IS_SEND_LOCAL_SUBJECT_ID CHAR(1) DEFAULT '0', - IS_SEND_AUTH_LIST_OF_IDPS CHAR(1) DEFAULT '0', - IS_USE_TENANT_DOMAIN_SUBJECT CHAR(1) DEFAULT '1', - IS_USE_USER_DOMAIN_SUBJECT CHAR(1) DEFAULT '1', - ENABLE_AUTHORIZATION CHAR(1) DEFAULT '0', - SUBJECT_CLAIM_URI VARCHAR (512), - IS_SAAS_APP CHAR(1) DEFAULT '0', - IS_DUMB_MODE CHAR(1) DEFAULT '0', - UUID CHAR(36), - IMAGE_URL VARCHAR(1024), - ACCESS_URL VARCHAR(1024), - IS_DISCOVERABLE CHAR(1) DEFAULT '0', - - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_NAME_CONSTRAINT UNIQUE(APP_NAME, TENANT_ID); - ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_UUID_CONSTRAINT UNIQUE(UUID); - - CREATE TABLE IF NOT EXISTS SP_METADATA ( - ID INTEGER AUTO_INCREMENT, - SP_ID INTEGER, - NAME VARCHAR(255) NOT NULL, - VALUE VARCHAR(255) NOT NULL, - DISPLAY_NAME VARCHAR(255), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ID), - CONSTRAINT SP_METADATA_CONSTRAINT UNIQUE (SP_ID, NAME), - FOREIGN KEY (SP_ID) REFERENCES SP_APP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS SP_INBOUND_AUTH ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - INBOUND_AUTH_KEY VARCHAR (255), - INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL, - 
INBOUND_CONFIG_TYPE VARCHAR (255) NOT NULL, - PROP_NAME VARCHAR (255), - PROP_VALUE VARCHAR (1024) , - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_INBOUND_AUTH ADD CONSTRAINT APPLICATION_ID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_AUTH_STEP ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - STEP_ORDER INTEGER DEFAULT 1, - APP_ID INTEGER NOT NULL , - IS_SUBJECT_STEP CHAR(1) DEFAULT '0', - IS_ATTRIBUTE_STEP CHAR(1) DEFAULT '0', - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_AUTH_STEP ADD CONSTRAINT APPLICATION_ID_CONSTRAINT_STEP FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_FEDERATED_IDP ( - ID INTEGER NOT NULL, - TENANT_ID INTEGER NOT NULL, - AUTHENTICATOR_ID INTEGER NOT NULL, - PRIMARY KEY (ID, AUTHENTICATOR_ID) - )ENGINE INNODB; - - ALTER TABLE SP_FEDERATED_IDP ADD CONSTRAINT STEP_ID_CONSTRAINT FOREIGN KEY (ID) REFERENCES SP_AUTH_STEP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_CLAIM_DIALECT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - SP_DIALECT VARCHAR (512) NOT NULL, - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID)); - - ALTER TABLE SP_CLAIM_DIALECT ADD CONSTRAINT DIALECTID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_CLAIM_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - IDP_CLAIM VARCHAR (512) NOT NULL , - SP_CLAIM VARCHAR (512) NOT NULL , - APP_ID INTEGER NOT NULL, - IS_REQUESTED VARCHAR(128) DEFAULT '0', - IS_MANDATORY VARCHAR(128) DEFAULT '0', - DEFAULT_VALUE VARCHAR(255), - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_CLAIM_MAPPING ADD CONSTRAINT CLAIMID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_ROLE_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID 
INTEGER NOT NULL, - IDP_ROLE VARCHAR (255) NOT NULL , - SP_ROLE VARCHAR (255) NOT NULL , - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_ROLE_MAPPING ADD CONSTRAINT ROLEID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_REQ_PATH_AUTHENTICATOR ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - AUTHENTICATOR_NAME VARCHAR (255) NOT NULL , - APP_ID INTEGER NOT NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_REQ_PATH_AUTHENTICATOR ADD CONSTRAINT REQ_AUTH_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE IF NOT EXISTS SP_PROVISIONING_CONNECTOR ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER NOT NULL, - IDP_NAME VARCHAR (255) NOT NULL , - CONNECTOR_NAME VARCHAR (255) NOT NULL , - APP_ID INTEGER NOT NULL, - IS_JIT_ENABLED CHAR(1) NOT NULL DEFAULT '0', - BLOCKING CHAR(1) NOT NULL DEFAULT '0', - RULE_ENABLED CHAR(1) NOT NULL DEFAULT '0', - PRIMARY KEY (ID) - )ENGINE INNODB; - - ALTER TABLE SP_PROVISIONING_CONNECTOR ADD CONSTRAINT PRO_CONNECTOR_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE; - - CREATE TABLE SP_AUTH_SCRIPT ( - ID INTEGER AUTO_INCREMENT NOT NULL, - TENANT_ID INTEGER NOT NULL, - APP_ID INTEGER NOT NULL, - TYPE VARCHAR(255) NOT NULL, - CONTENT BLOB DEFAULT NULL, - IS_ENABLED CHAR(1) NOT NULL DEFAULT '0', - PRIMARY KEY (ID)); - - CREATE TABLE IF NOT EXISTS SP_TEMPLATE ( - ID INTEGER AUTO_INCREMENT NOT NULL, - TENANT_ID INTEGER NOT NULL, - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023), - CONTENT BLOB DEFAULT NULL, - PRIMARY KEY (ID), - CONSTRAINT SP_TEMPLATE_CONSTRAINT UNIQUE (TENANT_ID, NAME)); - - CREATE TABLE IF NOT EXISTS IDN_AUTH_WAIT_STATUS ( - ID INTEGER AUTO_INCREMENT NOT NULL, - TENANT_ID INTEGER NOT NULL, - LONG_WAIT_KEY VARCHAR(255) NOT NULL, - WAIT_STATUS CHAR(1) NOT NULL DEFAULT '1', - TIME_CREATED TIMESTAMP NOT NULL 
DEFAULT CURRENT_TIMESTAMP, - EXPIRE_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - PRIMARY KEY (ID), - CONSTRAINT IDN_AUTH_WAIT_STATUS_KEY UNIQUE (LONG_WAIT_KEY)); - - CREATE TABLE IF NOT EXISTS IDP ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - NAME VARCHAR(254) NOT NULL, - IS_ENABLED CHAR(1) NOT NULL DEFAULT '1', - IS_PRIMARY CHAR(1) NOT NULL DEFAULT '0', - HOME_REALM_ID VARCHAR(254), - IMAGE MEDIUMBLOB, - CERTIFICATE BLOB, - ALIAS VARCHAR(254), - INBOUND_PROV_ENABLED CHAR (1) NOT NULL DEFAULT '0', - INBOUND_PROV_USER_STORE_ID VARCHAR(254), - USER_CLAIM_URI VARCHAR(254), - ROLE_CLAIM_URI VARCHAR(254), - DESCRIPTION VARCHAR (1024), - DEFAULT_AUTHENTICATOR_NAME VARCHAR(254), - DEFAULT_PRO_CONNECTOR_NAME VARCHAR(254), - PROVISIONING_ROLE VARCHAR(128), - IS_FEDERATION_HUB CHAR(1) NOT NULL DEFAULT '0', - IS_LOCAL_CLAIM_DIALECT CHAR(1) NOT NULL DEFAULT '0', - DISPLAY_NAME VARCHAR(255), - IMAGE_URL VARCHAR(1024), - UUID CHAR(36) NOT NULL, - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, NAME), - UNIQUE (UUID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_ROLE ( - ID INTEGER AUTO_INCREMENT, - IDP_ID INTEGER, - TENANT_ID INTEGER, - ROLE VARCHAR(254), - PRIMARY KEY (ID), - UNIQUE (IDP_ID, ROLE), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_ROLE_MAPPING ( - ID INTEGER AUTO_INCREMENT, - IDP_ROLE_ID INTEGER, - TENANT_ID INTEGER, - USER_STORE_ID VARCHAR (253), - LOCAL_ROLE VARCHAR(253), - PRIMARY KEY (ID), - UNIQUE (IDP_ROLE_ID, TENANT_ID, USER_STORE_ID, LOCAL_ROLE), - FOREIGN KEY (IDP_ROLE_ID) REFERENCES IDP_ROLE(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_CLAIM ( - ID INTEGER AUTO_INCREMENT, - IDP_ID INTEGER, - TENANT_ID INTEGER, - CLAIM VARCHAR(254), - PRIMARY KEY (ID), - UNIQUE (IDP_ID, CLAIM), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_CLAIM_MAPPING ( - ID INTEGER AUTO_INCREMENT, - IDP_CLAIM_ID 
INTEGER, - TENANT_ID INTEGER, - LOCAL_CLAIM VARCHAR(253), - DEFAULT_VALUE VARCHAR(255), - IS_REQUESTED VARCHAR(128) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (IDP_CLAIM_ID, TENANT_ID, LOCAL_CLAIM), - FOREIGN KEY (IDP_CLAIM_ID) REFERENCES IDP_CLAIM(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - IDP_ID INTEGER, - NAME VARCHAR(255) NOT NULL, - IS_ENABLED CHAR (1) DEFAULT '1', - DISPLAY_NAME VARCHAR(255), - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, IDP_ID, NAME), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_METADATA ( - ID INTEGER AUTO_INCREMENT, - IDP_ID INTEGER, - NAME VARCHAR(255) NOT NULL, - VALUE VARCHAR(255) NOT NULL, - DISPLAY_NAME VARCHAR(255), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ID), - CONSTRAINT IDP_METADATA_CONSTRAINT UNIQUE (IDP_ID, NAME), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR_PROPERTY ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - AUTHENTICATOR_ID INTEGER, - PROPERTY_KEY VARCHAR(255) NOT NULL, - PROPERTY_VALUE VARCHAR(2047), - IS_SECRET CHAR (1) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, AUTHENTICATOR_ID, PROPERTY_KEY), - FOREIGN KEY (AUTHENTICATOR_ID) REFERENCES IDP_AUTHENTICATOR(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_CONFIG ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - IDP_ID INTEGER, - PROVISIONING_CONNECTOR_TYPE VARCHAR(255) NOT NULL, - IS_ENABLED CHAR (1) DEFAULT '0', - IS_BLOCKING CHAR (1) DEFAULT '0', - IS_RULES_ENABLED CHAR (1) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, IDP_ID, PROVISIONING_CONNECTOR_TYPE), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_PROV_CONFIG_PROPERTY ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - 
PROVISIONING_CONFIG_ID INTEGER, - PROPERTY_KEY VARCHAR(255) NOT NULL, - PROPERTY_VALUE VARCHAR(2048), - PROPERTY_BLOB_VALUE BLOB, - PROPERTY_TYPE CHAR(32) NOT NULL, - IS_SECRET CHAR (1) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, PROVISIONING_CONFIG_ID, PROPERTY_KEY), - FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_ENTITY ( - ID INTEGER AUTO_INCREMENT, - PROVISIONING_CONFIG_ID INTEGER, - ENTITY_TYPE VARCHAR(255) NOT NULL, - ENTITY_LOCAL_USERSTORE VARCHAR(255) NOT NULL, - ENTITY_NAME VARCHAR(255) NOT NULL, - ENTITY_VALUE VARCHAR(255), - TENANT_ID INTEGER, - ENTITY_LOCAL_ID VARCHAR(255), - PRIMARY KEY (ID), - UNIQUE (ENTITY_TYPE, TENANT_ID, ENTITY_LOCAL_USERSTORE, ENTITY_NAME, PROVISIONING_CONFIG_ID), - UNIQUE (PROVISIONING_CONFIG_ID, ENTITY_TYPE, ENTITY_VALUE), - FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDP_LOCAL_CLAIM ( - ID INTEGER AUTO_INCREMENT, - TENANT_ID INTEGER, - IDP_ID INTEGER, - CLAIM_URI VARCHAR(255) NOT NULL, - DEFAULT_VALUE VARCHAR(255), - IS_REQUESTED VARCHAR(128) DEFAULT '0', - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, IDP_ID, CLAIM_URI), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_ASSOCIATED_ID ( - ID INTEGER AUTO_INCREMENT, - IDP_USER_ID VARCHAR(255) NOT NULL, - TENANT_ID INTEGER DEFAULT -1234, - IDP_ID INTEGER NOT NULL, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - ASSOCIATION_ID CHAR(36) NOT NULL, - PRIMARY KEY (ID), - UNIQUE(IDP_USER_ID, TENANT_ID, IDP_ID), - FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_USER_ACCOUNT_ASSOCIATION ( - ASSOCIATION_KEY VARCHAR(255) NOT NULL, - TENANT_ID INTEGER, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(255) NOT NULL, - 
PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS FIDO_DEVICE_STORE ( - TENANT_ID INTEGER, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(45) NOT NULL, - TIME_REGISTERED TIMESTAMP, - KEY_HANDLE VARCHAR(200) NOT NULL, - DEVICE_DATA VARCHAR(2048) NOT NULL, - PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME, KEY_HANDLE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS FIDO2_DEVICE_STORE ( - TENANT_ID INTEGER, - DOMAIN_NAME VARCHAR(255) NOT NULL, - USER_NAME VARCHAR(45) NOT NULL, - TIME_REGISTERED TIMESTAMP, - USER_HANDLE VARCHAR(64) NOT NULL, - CREDENTIAL_ID VARCHAR(200) NOT NULL, - PUBLIC_KEY_COSE VARCHAR(1024) NOT NULL, - SIGNATURE_COUNT BIGINT, - USER_IDENTITY VARCHAR(512) NOT NULL, - DISPLAY_NAME VARCHAR(255), - IS_USERNAMELESS_SUPPORTED CHAR(1) DEFAULT '0', - PRIMARY KEY (CREDENTIAL_ID, USER_HANDLE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_REQUEST ( - UUID VARCHAR (45), - CREATED_BY VARCHAR (255), - TENANT_ID INTEGER DEFAULT -1, - OPERATION_TYPE VARCHAR (50), - CREATED_AT TIMESTAMP, - UPDATED_AT TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - STATUS VARCHAR (30), - REQUEST BLOB, - PRIMARY KEY (UUID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_BPS_PROFILE ( - PROFILE_NAME VARCHAR(45), - HOST_URL_MANAGER VARCHAR(255), - HOST_URL_WORKER VARCHAR(255), - USERNAME VARCHAR(100), - PASSWORD VARCHAR(1023), - CALLBACK_HOST VARCHAR (45), - CALLBACK_USERNAME VARCHAR (100), - CALLBACK_PASSWORD VARCHAR (255), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (PROFILE_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_WORKFLOW( - ID VARCHAR (45), - WF_NAME VARCHAR (45), - DESCRIPTION VARCHAR (255), - TEMPLATE_ID VARCHAR (45), - IMPL_ID VARCHAR (45), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_WORKFLOW_ASSOCIATION( - ID INTEGER NOT NULL AUTO_INCREMENT, - ASSOC_NAME VARCHAR (45), - EVENT_ID VARCHAR(45), - ASSOC_CONDITION VARCHAR (2000), - 
WORKFLOW_ID VARCHAR (45), - IS_ENABLED CHAR (1) DEFAULT '1', - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY(ID), - FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_WORKFLOW_CONFIG_PARAM( - WORKFLOW_ID VARCHAR (45), - PARAM_NAME VARCHAR (45), - PARAM_VALUE VARCHAR (1000), - PARAM_QNAME VARCHAR (45), - PARAM_HOLDER VARCHAR (45), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (WORKFLOW_ID, PARAM_NAME, PARAM_QNAME, PARAM_HOLDER), - FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_REQUEST_ENTITY_RELATIONSHIP( - REQUEST_ID VARCHAR (45), - ENTITY_NAME VARCHAR (255), - ENTITY_TYPE VARCHAR (50), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY(REQUEST_ID, ENTITY_NAME, ENTITY_TYPE, TENANT_ID), - FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS WF_WORKFLOW_REQUEST_RELATION( - RELATIONSHIP_ID VARCHAR (45), - WORKFLOW_ID VARCHAR (45), - REQUEST_ID VARCHAR (45), - UPDATED_AT TIMESTAMP, - STATUS VARCHAR (30), - TENANT_ID INTEGER DEFAULT -1, - PRIMARY KEY (RELATIONSHIP_ID), - FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE, - FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_RECOVERY_DATA ( - USER_NAME VARCHAR(255) NOT NULL, - USER_DOMAIN VARCHAR(127) NOT NULL, - TENANT_ID INTEGER DEFAULT -1, - CODE VARCHAR(255) NOT NULL, - SCENARIO VARCHAR(255) NOT NULL, - STEP VARCHAR(127) NOT NULL, - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REMAINING_SETS VARCHAR(2500) DEFAULT NULL, - PRIMARY KEY(USER_NAME, USER_DOMAIN, TENANT_ID, SCENARIO,STEP), - UNIQUE(CODE) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA ( - ID INTEGER NOT NULL AUTO_INCREMENT, - USER_NAME VARCHAR(255) NOT NULL, - USER_DOMAIN VARCHAR(127) NOT NULL, - TENANT_ID INTEGER DEFAULT 
-1, - SALT_VALUE VARCHAR(255), - HASH VARCHAR(255) NOT NULL, - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - PRIMARY KEY(ID), - UNIQUE (USER_NAME,USER_DOMAIN,TENANT_ID,SALT_VALUE,HASH) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_DIALECT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - DIALECT_URI VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - CONSTRAINT DIALECT_URI_CONSTRAINT UNIQUE (DIALECT_URI, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM ( - ID INTEGER NOT NULL AUTO_INCREMENT, - DIALECT_ID INTEGER NOT NULL, - CLAIM_URI VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (DIALECT_ID) REFERENCES IDN_CLAIM_DIALECT(ID) ON DELETE CASCADE, - CONSTRAINT CLAIM_URI_CONSTRAINT UNIQUE (DIALECT_ID, CLAIM_URI, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPED_ATTRIBUTE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - LOCAL_CLAIM_ID INTEGER, - USER_STORE_DOMAIN_NAME VARCHAR (255) NOT NULL, - ATTRIBUTE_NAME VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - CONSTRAINT USER_STORE_DOMAIN_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, USER_STORE_DOMAIN_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_PROPERTY ( - ID INTEGER NOT NULL AUTO_INCREMENT, - LOCAL_CLAIM_ID INTEGER, - PROPERTY_NAME VARCHAR (255) NOT NULL, - PROPERTY_VALUE VARCHAR (255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - CONSTRAINT PROPERTY_NAME_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, PROPERTY_NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - EXT_CLAIM_ID INTEGER NOT NULL, - MAPPED_LOCAL_CLAIM_ID INTEGER NOT NULL, - TENANT_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (EXT_CLAIM_ID) REFERENCES 
IDN_CLAIM(ID) ON DELETE CASCADE, - FOREIGN KEY (MAPPED_LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - CONSTRAINT EXT_TO_LOC_MAPPING_CONSTRN UNIQUE (EXT_CLAIM_ID, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_SAML2_ASSERTION_STORE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SAML2_ID VARCHAR(255) , - SAML2_ISSUER VARCHAR(255) , - SAML2_SUBJECT VARCHAR(255) , - SAML2_SESSION_INDEX VARCHAR(255) , - SAML2_AUTHN_CONTEXT_CLASS_REF VARCHAR(255) , - SAML2_ASSERTION VARCHAR(4096) , - ASSERTION BLOB , - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IDN_SAML2_ARTIFACT_STORE ( - ID INT(11) NOT NULL AUTO_INCREMENT, - SOURCE_ID VARCHAR(255) NOT NULL, - MESSAGE_HANDLER VARCHAR(255) NOT NULL, - AUTHN_REQ_DTO BLOB NOT NULL, - SESSION_ID VARCHAR(255) NOT NULL, - EXP_TIMESTAMP TIMESTAMP NOT NULL, - INIT_TIMESTAMP TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - ASSERTION_ID VARCHAR(255), - PRIMARY KEY (`ID`) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_JTI ( - JWT_ID VARCHAR(255) NOT NULL, - EXP_TIME TIMESTAMP NOT NULL , - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP , - PRIMARY KEY (JWT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_PROPERTY ( - ID INTEGER NOT NULL AUTO_INCREMENT, - TENANT_ID INTEGER, - CONSUMER_KEY VARCHAR(255) , - PROPERTY_KEY VARCHAR(255) NOT NULL, - PROPERTY_VALUE VARCHAR(2047) , - PRIMARY KEY (ID), - FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_REFERENCE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - CONSUMER_KEY_ID INTEGER , - CODE_ID VARCHAR(255) , - TOKEN_ID VARCHAR(255) , - SESSION_DATA_KEY VARCHAR(255), - PRIMARY KEY (ID), - FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE, - FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE, - FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE(CODE_ID) 
ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_CLAIMS ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REQ_OBJECT_ID INTEGER, - CLAIM_ATTRIBUTE VARCHAR(255) , - ESSENTIAL CHAR(1) NOT NULL DEFAULT '0' , - VALUE VARCHAR(255) , - IS_USERINFO CHAR(1) NOT NULL DEFAULT '0', - PRIMARY KEY (ID), - FOREIGN KEY (REQ_OBJECT_ID) REFERENCES IDN_OIDC_REQ_OBJECT_REFERENCE (ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJ_CLAIM_VALUES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REQ_OBJECT_CLAIMS_ID INTEGER , - CLAIM_VALUES VARCHAR(255) , - PRIMARY KEY (ID), - FOREIGN KEY (REQ_OBJECT_CLAIMS_ID) REFERENCES IDN_OIDC_REQ_OBJECT_CLAIMS(ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CERTIFICATE ( - ID INTEGER NOT NULL AUTO_INCREMENT, - NAME VARCHAR(100), - CERTIFICATE_IN_PEM BLOB, - TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID), - CONSTRAINT CERTIFICATE_UNIQUE_KEY UNIQUE (NAME, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OIDC_SCOPE_CLAIM_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - SCOPE_ID INTEGER NOT NULL, - EXTERNAL_CLAIM_ID INTEGER NOT NULL, - PRIMARY KEY (ID), - FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE(SCOPE_ID) ON DELETE CASCADE, - FOREIGN KEY (EXTERNAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE, - UNIQUE (SCOPE_ID, EXTERNAL_CLAIM_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_FUNCTION_LIBRARY ( - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023), - TYPE VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - DATA BLOB NOT NULL, - PRIMARY KEY (TENANT_ID,NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_AUTH_CODE ( - AUTH_CODE_KEY CHAR (36), - AUTH_REQ_ID CHAR (36), - ISSUED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - CONSUMER_KEY VARCHAR(255), - LAST_POLLED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - POLLING_INTERVAL INTEGER, - EXPIRES_IN INTEGER, - AUTHENTICATED_USER_NAME VARCHAR(255), 
- USER_STORE_DOMAIN VARCHAR(100), - TENANT_ID INTEGER, - AUTH_REQ_STATUS VARCHAR (100) DEFAULT 'REQUESTED', - IDP_ID INTEGER, - UNIQUE(AUTH_REQ_ID), - PRIMARY KEY (AUTH_CODE_KEY), - FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_REQUEST_SCOPES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - AUTH_CODE_KEY CHAR (36), - SCOPE VARCHAR (255), - FOREIGN KEY (AUTH_CODE_KEY) REFERENCES IDN_OAUTH2_CIBA_AUTH_CODE(AUTH_CODE_KEY) ON DELETE CASCADE, - PRIMARY KEY (ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_FED_AUTH_SESSION_MAPPING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - IDP_SESSION_ID VARCHAR(255) NOT NULL, - SESSION_ID VARCHAR(255) NOT NULL, - IDP_NAME VARCHAR(255) NOT NULL, - AUTHENTICATOR_ID VARCHAR(255), - PROTOCOL_TYPE VARCHAR(255), - TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - TENANT_ID INTEGER NOT NULL DEFAULT 0, - PRIMARY KEY (ID), - UNIQUE (IDP_SESSION_ID, TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_TYPE ( - ID VARCHAR(255) NOT NULL, - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023) NULL, - PRIMARY KEY (ID), - CONSTRAINT TYPE_NAME_CONSTRAINT UNIQUE (NAME) - )ENGINE INNODB; - - INSERT INTO IDN_CONFIG_TYPE (ID, NAME, DESCRIPTION) VALUES - ('9ab0ef95-13e9-4ed5-afaf-d29bed62f7bd', 'IDP_TEMPLATE', 'Template type to uniquely identify IDP templates'), - ('3c4ac3d0-5903-4e3d-aaca-38df65b33bfd', 'APPLICATION_TEMPLATE', 'Template type to uniquely identify Application templates'), - ('8ec6dbf1-218a-49bf-bc34-0d2db52d151c', 'CORS_CONFIGURATION', 'A resource type to keep the tenant CORS configurations'), - ('669b99ca-cdb0-44a6-8cae-babed3b585df', 'Publisher', 'A resource type to keep the event publisher configurations'), - ('73f6d9ca-62f4-4566-bab9-2a930ae51ba8', 'BRANDING_PREFERENCES', 'A resource type to keep the tenant branding preferences'), - ('899c69b2-8bf7-46b5-9666-f7f99f90d6cc', 'fido-config', 'A 
resource type to store FIDO authenticator related preferences'), - ('7f24050f-3e3d-4a00-b10f-fd5450d6523e', 'input-validation-configurations', 'A resource type to store input validation related configurations'); - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_RESOURCE ( - ID VARCHAR(255) NOT NULL, - TENANT_ID INT NOT NULL, - NAME VARCHAR(255) NOT NULL, - CREATED_TIME TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - LAST_MODIFIED TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - HAS_FILE tinyint(1) NOT NULL, - HAS_ATTRIBUTE tinyint(1) NOT NULL, - TYPE_ID VARCHAR(255) NOT NULL, - PRIMARY KEY (ID), - CONSTRAINT NAME_TENANT_TYPE_CONSTRAINT UNIQUE (NAME, TENANT_ID, TYPE_ID) - )ENGINE INNODB; - ALTER TABLE IDN_CONFIG_RESOURCE ADD CONSTRAINT TYPE_ID_FOREIGN_CONSTRAINT FOREIGN KEY (TYPE_ID) REFERENCES - IDN_CONFIG_TYPE (ID) ON DELETE CASCADE ON UPDATE CASCADE; - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_ATTRIBUTE ( - ID VARCHAR(255) NOT NULL, - RESOURCE_ID VARCHAR(255) NOT NULL, - ATTR_KEY VARCHAR(255) NOT NULL, - ATTR_VALUE VARCHAR(1023) NULL, - PRIMARY KEY (ID), - CONSTRAINT RESOURCE_KEY_VAL_CONSTRAINT UNIQUE (RESOURCE_ID(64), ATTR_KEY(255)) - )ENGINE INNODB; - ALTER TABLE IDN_CONFIG_ATTRIBUTE ADD CONSTRAINT RESOURCE_ID_ATTRIBUTE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID) - REFERENCES IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE; - - CREATE TABLE IF NOT EXISTS IDN_CONFIG_FILE ( - ID VARCHAR(255) NOT NULL, - VALUE BLOB NULL, - RESOURCE_ID VARCHAR(255) NOT NULL, - NAME VARCHAR(255) NULL, - PRIMARY KEY (ID) - )ENGINE INNODB; - ALTER TABLE IDN_CONFIG_FILE ADD CONSTRAINT RESOURCE_ID_FILE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID) REFERENCES - IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE; - - CREATE TABLE IDN_REMOTE_FETCH_CONFIG ( - ID VARCHAR(255) NOT NULL, - TENANT_ID INT NOT NULL, - IS_ENABLED CHAR(1) NOT NULL, - REPO_MANAGER_TYPE VARCHAR(255) NOT NULL, - ACTION_LISTENER_TYPE VARCHAR(255) NOT NULL, - CONFIG_DEPLOYER_TYPE VARCHAR(255) NOT NULL, - REMOTE_FETCH_NAME 
VARCHAR(255), - REMOTE_RESOURCE_URI VARCHAR(255) NOT NULL, - ATTRIBUTES_JSON MEDIUMTEXT NOT NULL, - PRIMARY KEY (ID), - CONSTRAINT UC_REMOTE_RESOURCE_TYPE UNIQUE (TENANT_ID, CONFIG_DEPLOYER_TYPE) - )ENGINE INNODB; - - CREATE TABLE IDN_REMOTE_FETCH_REVISIONS ( - ID VARCHAR(255) NOT NULL, - CONFIG_ID VARCHAR(255) NOT NULL, - FILE_PATH VARCHAR(255) NOT NULL, - FILE_HASH VARCHAR(255), - DEPLOYED_DATE TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - LAST_SYNC_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - DEPLOYMENT_STATUS VARCHAR(255), - ITEM_NAME VARCHAR(255), - DEPLOY_ERR_LOG MEDIUMTEXT, - PRIMARY KEY (ID), - FOREIGN KEY (CONFIG_ID) REFERENCES IDN_REMOTE_FETCH_CONFIG(ID) ON DELETE CASCADE, - CONSTRAINT UC_REVISIONS UNIQUE (CONFIG_ID, ITEM_NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_MAPPING ( - ID VARCHAR(255) NOT NULL, - USER_ID VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - FUNCTIONALITY_ID VARCHAR(255) NOT NULL, - IS_FUNCTIONALITY_LOCKED BOOLEAN NOT NULL, - FUNCTIONALITY_UNLOCK_TIME BIGINT NOT NULL, - FUNCTIONALITY_LOCK_REASON VARCHAR(1023), - FUNCTIONALITY_LOCK_REASON_CODE VARCHAR(255), - PRIMARY KEY (ID), - CONSTRAINT IDN_USER_FUNCTIONALITY_MAPPING_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_PROPERTY ( - ID VARCHAR(255) NOT NULL, - USER_ID VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL, - FUNCTIONALITY_ID VARCHAR(255) NOT NULL, - PROPERTY_NAME VARCHAR(255), - PROPERTY_VALUE VARCHAR(255), - PRIMARY KEY (ID), - CONSTRAINT IDN_USER_FUNCTIONALITY_PROPERTY_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID, PROPERTY_NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_CORS_ORIGIN ( - ID INT NOT NULL AUTO_INCREMENT, - TENANT_ID INT NOT NULL, - ORIGIN VARCHAR(2048) NOT NULL, - UUID CHAR(36) NOT NULL, - - PRIMARY KEY (ID), - UNIQUE (TENANT_ID, ORIGIN), - UNIQUE (UUID) - ) ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS 
IDN_CORS_ASSOCIATION ( - IDN_CORS_ORIGIN_ID INT NOT NULL, - SP_APP_ID INT NOT NULL, - - PRIMARY KEY (IDN_CORS_ORIGIN_ID, SP_APP_ID), - FOREIGN KEY (IDN_CORS_ORIGIN_ID) REFERENCES IDN_CORS_ORIGIN (ID) ON DELETE CASCADE, - FOREIGN KEY (SP_APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE - ) ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - USER_ID VARCHAR(255) NOT NULL, - APP_ID CHAR(36) NOT NULL, - TENANT_ID INTEGER NOT NULL DEFAULT -1, - CONSENT_ID VARCHAR(255) NOT NULL, - - PRIMARY KEY (ID), - FOREIGN KEY (APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE, - UNIQUE (USER_ID, APP_ID, TENANT_ID), - UNIQUE (CONSENT_ID) - ) ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENTED_SCOPES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - CONSENT_ID VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL DEFAULT -1, - SCOPE VARCHAR(255) NOT NULL, - CONSENT BOOLEAN NOT NULL DEFAULT 1, - - PRIMARY KEY (ID), - FOREIGN KEY (CONSENT_ID) REFERENCES IDN_OAUTH2_USER_CONSENT(CONSENT_ID) ON DELETE CASCADE, - UNIQUE (CONSENT_ID, SCOPE) - ) ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_SECRET_TYPE ( - ID VARCHAR(255) NOT NULL, - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023) NULL, - PRIMARY KEY (ID), - CONSTRAINT SECRET_TYPE_NAME_CONSTRAINT UNIQUE (NAME) - )ENGINE INNODB; - - INSERT INTO IDN_SECRET_TYPE (ID, NAME, DESCRIPTION) VALUES - ('1358bdbf-e0cc-4268-a42c-c3e0960e13f0', 'ADAPTIVE_AUTH_CALL_CHOREO', 'Secret type to uniquely identify secrets relevant to callChoreo adaptive auth function'); - - CREATE TABLE IF NOT EXISTS IDN_SECRET ( - ID VARCHAR(255) NOT NULL, - TENANT_ID INT NOT NULL, - SECRET_NAME VARCHAR(255) NOT NULL, - SECRET_VALUE VARCHAR(8000) NOT NULL, - CREATED_TIME TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - LAST_MODIFIED TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - TYPE_ID VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023) NULL, - PRIMARY KEY (ID), - FOREIGN KEY (TYPE_ID) REFERENCES IDN_SECRET_TYPE(ID) 
ON DELETE CASCADE, - UNIQUE (SECRET_NAME, TENANT_ID, TYPE_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS SP_SHARED_APP ( - ID INTEGER NOT NULL AUTO_INCREMENT, - MAIN_APP_ID CHAR(36) NOT NULL, - OWNER_ORG_ID CHAR(36) NOT NULL, - SHARED_APP_ID CHAR(36) NOT NULL, - SHARED_ORG_ID CHAR(36) NOT NULL, - SHARE_WITH_ALL_CHILDREN BOOLEAN DEFAULT FALSE, - PRIMARY KEY (ID), - FOREIGN KEY (MAIN_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE, - FOREIGN KEY (SHARED_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE, - UNIQUE (MAIN_APP_ID, OWNER_ORG_ID, SHARED_ORG_ID), - UNIQUE (SHARED_APP_ID) - )ENGINE INNODB; - - -- --------------------------- INDEX CREATION ----------------------------- - -- IDN_OAUTH2_ACCESS_TOKEN -- - CREATE INDEX IDX_TC ON IDN_OAUTH2_ACCESS_TOKEN(TIME_CREATED); - CREATE INDEX IDX_ATH ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN_HASH); - CREATE INDEX IDX_AT_TI_UD ON IDN_OAUTH2_ACCESS_TOKEN(AUTHZ_USER, TENANT_ID, TOKEN_STATE, USER_DOMAIN); - CREATE INDEX IDX_AT_RTH ON IDN_OAUTH2_ACCESS_TOKEN(REFRESH_TOKEN_HASH); - CREATE INDEX IDX_AT_CKID_AU_TID_UD_TSH_TS ON IDN_OAUTH2_ACCESS_TOKEN(CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, TOKEN_SCOPE_HASH, TOKEN_STATE); - - -- IDN_OAUTH2_AUTHORIZATION_CODE -- - CREATE INDEX IDX_AUTHORIZATION_CODE_HASH ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHORIZATION_CODE_HASH, CONSUMER_KEY_ID); - CREATE INDEX IDX_AUTHORIZATION_CODE_AU_TI ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHZ_USER, TENANT_ID, USER_DOMAIN, STATE); - CREATE INDEX IDX_AC_CKID ON IDN_OAUTH2_AUTHORIZATION_CODE(CONSUMER_KEY_ID); - CREATE INDEX IDX_AC_TID ON IDN_OAUTH2_AUTHORIZATION_CODE(TOKEN_ID); - - -- IDN_SCIM_GROUP -- - CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME); - CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN_AN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, ATTR_NAME(500)); - - -- IDN_AUTH_SESSION_STORE -- - CREATE INDEX IDX_IDN_AUTH_SESSION_TIME ON IDN_AUTH_SESSION_STORE (TIME_CREATED); - CREATE INDEX IDX_IDN_AUTH_SSTR_ST_OP_ID_TM ON 
IDN_AUTH_SESSION_STORE (OPERATION, SESSION_TYPE, SESSION_ID, TIME_CREATED); - CREATE INDEX IDX_IDN_AUTH_SSTR_ET_ID ON IDN_AUTH_SESSION_STORE (EXPIRY_TIME, SESSION_ID); - - -- IDN_AUTH_TEMP_SESSION_STORE -- - CREATE INDEX IDX_IDN_AUTH_TMP_SESSION_TIME ON IDN_AUTH_TEMP_SESSION_STORE (TIME_CREATED); - - -- IDN_OIDC_SCOPE_CLAIM_MAPPING -- - CREATE INDEX IDX_AT_SI_ECI ON IDN_OIDC_SCOPE_CLAIM_MAPPING(SCOPE_ID, EXTERNAL_CLAIM_ID); - - -- IDN_OAUTH2_SCOPE -- - CREATE INDEX IDX_SC_TID ON IDN_OAUTH2_SCOPE(TENANT_ID); - - -- IDN_OAUTH2_SCOPE_BINDING -- - CREATE INDEX IDX_SB_SCPID ON IDN_OAUTH2_SCOPE_BINDING(SCOPE_ID); - - -- IDN_OIDC_REQ_OBJECT_REFERENCE -- - CREATE INDEX IDX_OROR_TID ON IDN_OIDC_REQ_OBJECT_REFERENCE(TOKEN_ID); - - -- IDN_OAUTH2_ACCESS_TOKEN_SCOPE -- - CREATE INDEX IDX_ATS_TID ON IDN_OAUTH2_ACCESS_TOKEN_SCOPE(TOKEN_ID); - - -- SP_TEMPLATE -- - CREATE INDEX IDX_SP_TEMPLATE ON SP_TEMPLATE (TENANT_ID, NAME); - - -- IDN_AUTH_USER -- - CREATE INDEX IDX_AUTH_USER_UN_TID_DN ON IDN_AUTH_USER (USER_NAME, TENANT_ID, DOMAIN_NAME); - CREATE INDEX IDX_AUTH_USER_DN_TOD ON IDN_AUTH_USER (DOMAIN_NAME, TENANT_ID); - - -- IDN_AUTH_USER_SESSION_MAPPING -- - CREATE INDEX IDX_USER_ID ON IDN_AUTH_USER_SESSION_MAPPING (USER_ID); - CREATE INDEX IDX_SESSION_ID ON IDN_AUTH_USER_SESSION_MAPPING (SESSION_ID); - - -- IDN_AUTH_SESSION_APP_INFO -- - CREATE INDEX IDX_AUTH_SAI_UN_AID_SID ON IDN_AUTH_SESSION_APP_INFO (APP_ID, SUBJECT, SESSION_ID); - - -- IDN_OAUTH_CONSUMER_APPS -- - CREATE INDEX IDX_OCA_UM_TID_UD_APN ON IDN_OAUTH_CONSUMER_APPS(USERNAME,TENANT_ID,USER_DOMAIN, APP_NAME); - - -- IDX_SPI_APP -- - CREATE INDEX IDX_SPI_APP ON SP_INBOUND_AUTH(APP_ID); - - -- IDN_OIDC_PROPERTY -- - CREATE INDEX IDX_IOP_CK ON IDN_OIDC_PROPERTY(CONSUMER_KEY); - - -- IDN_FIDO2_PROPERTY -- - CREATE INDEX IDX_FIDO2_STR ON FIDO2_DEVICE_STORE(USER_NAME, TENANT_ID, DOMAIN_NAME, CREDENTIAL_ID, USER_HANDLE); - - -- IDN_ASSOCIATED_ID -- - CREATE INDEX IDX_AI_DN_UN_AI ON IDN_ASSOCIATED_ID(DOMAIN_NAME, USER_NAME, 
ASSOCIATION_ID); - - -- IDN_OAUTH2_TOKEN_BINDING -- - CREATE INDEX IDX_IDN_AUTH_BIND ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_REF); - CREATE INDEX IDX_TK_VALUE_TYPE ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_VALUE, TOKEN_BINDING_TYPE); - - -- IDN_FED_AUTH_SESSION_MAPPING -- - CREATE INDEX IDX_FEDERATED_AUTH_SESSION_ID ON IDN_FED_AUTH_SESSION_MAPPING (SESSION_ID); - - -- IDN_REMOTE_FETCH_REVISIONS -- - CREATE INDEX IDX_REMOTE_FETCH_REVISION_CONFIG_ID ON IDN_REMOTE_FETCH_REVISIONS (CONFIG_ID); - - -- IDN_CORS_ASSOCIATION -- - CREATE INDEX IDX_CORS_SP_APP_ID ON IDN_CORS_ASSOCIATION (SP_APP_ID); - - -- IDN_CORS_ASSOCIATION -- - CREATE INDEX IDX_CORS_ORIGIN_ID ON IDN_CORS_ASSOCIATION (IDN_CORS_ORIGIN_ID); -kind: ConfigMap -metadata: - name: mysql-dbscripts - namespace: wso2 ---- - -apiVersion: v1 -kind: Service -metadata: - name: wso2is-rdbms-service-mysql - namespace: wso2 -spec: - type: ClusterIP - selector: - deployment: wso2is-mysql - ports: - - name: mysql-port - port: 3306 - targetPort: 3306 - protocol: TCP ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: wso2is-mysql-deployment - namespace: wso2 -spec: - replicas: 1 - selector: - matchLabels: - deployment: wso2is-mysql - pod: wso2is - template: - metadata: - labels: - deployment: wso2is-mysql - pod: wso2is - spec: - containers: - - name: wso2is-mysql - image: mysql:5.7 - livenessProbe: - exec: - command: - - sh - - -c - - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}" - initialDelaySeconds: 60 - periodSeconds: 10 - readinessProbe: - exec: - command: - - sh - - -c - - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}" - initialDelaySeconds: 60 - periodSeconds: 10 - imagePullPolicy: IfNotPresent - securityContext: - runAsUser: 999 - env: - - name: MYSQL_ROOT_PASSWORD - value: root - - name: MYSQL_USER - value: wso2carbon - - name: MYSQL_PASSWORD - value: wso2carbon - ports: - - containerPort: 3306 - protocol: TCP - volumeMounts: - - name: mysql-dbscripts - mountPath: 
/docker-entrypoint-initdb.d - args: ["--max-connections", "10000"] - volumes: - - name: mysql-dbscripts - configMap: - name: mysql-dbscripts - serviceAccountName: "wso2svc-account" ---- - -apiVersion: v1 -kind: Service -metadata: - name: wso2is-service - namespace : wso2 - labels: - deployment: wso2is - app: wso2is - monitoring: jmx - pod: wso2is -spec: - selector: - deployment: wso2is - app: wso2is - type: NodePort - ports: - - name: servlet-http - port: 9763 - targetPort: 9763 - protocol: TCP - - name: servlet-https - port: 9443 - targetPort: 9443 - protocol: TCP - nodePort: "$nodeport.k8s.&.1.wso2is" ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: wso2is-deployment - namespace : wso2 -spec: - replicas: 1 - minReadySeconds: 30 - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - selector: - matchLabels: - deployment: wso2is - app: wso2is - monitoring: jmx - pod: wso2is - template: - metadata: - labels: - deployment: wso2is - app: wso2is - monitoring: jmx - pod: wso2is - spec: - hostAliases: - - ip: "127.0.0.1" - hostnames: - - "wso2is" - initContainers: - - name: init-is-db - image: busybox:1.31 - command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! 
nc -z wso2is-rdbms-service-mysql 3306; do sleep 1; printf "-"; done; echo -e " >> MySQL Server has started";'] - - name: init-mysql-connector-download - image: busybox:1.32 - command: - - /bin/sh - - "-c" - - | - set -e - connector_version=8.0.17 - wget https://repo1.maven.org/maven2/mysql/mysql-connector-java/${connector_version}/mysql-connector-java-${connector_version}.jar -P /mysql-connector-jar/ - volumeMounts: - - name: mysql-connector-jar - mountPath: /mysql-connector-jar - containers: - - name: wso2is - image: "$image.pull.@.wso2"/wso2is:"$image.tag.wso2is" - livenessProbe: - exec: - command: - - /bin/sh - - -c - - nc -z localhost 9443 - initialDelaySeconds: 250 - periodSeconds: 10 - readinessProbe: - exec: - command: - - /bin/sh - - -c - - nc -z localhost 9443 - initialDelaySeconds: 250 - periodSeconds: 10 - imagePullPolicy: Always - resources: - requests: - memory: "2Gi" - cpu: "2000m" - limits: - memory: "4Gi" - cpu: "4000m" - lifecycle: - preStop: - exec: - command: ['sh', '-c', '${WSO2_SERVER_HOME}/bin/wso2server.sh stop'] - securityContext: - runAsUser: 802 - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HOST_NAME - value: wso2is - ports: - - containerPort: 9763 - protocol: TCP - - containerPort: 9443 - protocol: TCP - volumeMounts: - - name: identity-server-conf - mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/deployment.toml - subPath: deployment.toml - - name: mysql-connector-jar - mountPath: /home/wso2carbon/wso2-artifact-volume/repository/components/dropins - serviceAccountName: "wso2svc-account" - imagePullSecrets: - - name: wso2is-deployment-creds - volumes: - - name: identity-server-conf - configMap: - name: identity-server-conf - - name: mysql-connector-jar - emptyDir: {} ---- -EOF -} -function usage(){ - echo "Usage: " - echo -e "-d, --deploy Deploy WSO2 Identity Server" - echo -e "-u, --undeploy Undeploy WSO2 Identity Server" - echo -e "-h, --help Display usage instrusctions" -} 
-function undeploy(){ - echo "Undeploying WSO2 Identity Server ..." - kubectl delete ns wso2 - echo "Done." - exit 0 -} -function echoBold () { - echo -en $'\e[1m'"${1}"$'\e[0m' -} - -function display_msg(){ - msg=$@ - echoBold "${msg}" - exit 1 -} - -function viewLicenseText(){ - - echo "PLEASE READ THE BELOW \"WSO2 SOFTWARE LICENSE AGREEMENT\" CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AND USING THE SOFTWARE." - - sleep 2s - - less ${license_text} - - while [[ -z ${isAgree} ]] - do - read -p "Do you accept license terms ? (Y|n): " isAgree - if [[ ${isAgree} == Y || ${isAgree} == y ]]; then - echo "Continuing with installation ..." - elif [[ ${isAgree} == N || ${isAgree} == n ]]; then - echo "Installation aborted since you didn't accept the license terms" - echo "Aborting Installation ..." - sleep 1s - exit 0 - else - echo "Please enter Y or N to continue" - isAgree="" - fi - done - -} - -function st(){ - cycles=${1} - i=0 - while [[ i -lt $cycles ]] - do - echoBold "* " - let "i=i+1" - done -} -function sp(){ - cycles=${1} - i=0 - while [[ i -lt $cycles ]] - do - echoBold " " - let "i=i+1" - done -} -function product_name(){ - #wso2is - echo -e "\n" - st 1; sp 8; st 1; sp 2; sp 1; st 3; sp 3; sp 2; st 3; sp 4; sp 1; st 3; sp 3; sp 8; st 5; sp 2; sp 1; st 3; sp 3; echo "" - st 1; sp 8; st 1; sp 2; st 1; sp 4; st 1; sp 2; st 1; sp 6; st 1; sp 2; st 1; sp 4; st 1; sp 2; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 4; st 1; echo "" - st 1; sp 3; st 1; sp 3; st 1; sp 2; st 1; sp 8; st 1; sp 6; st 1; sp 2; sp 6; st 1; sp 2; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 8; echo "" - st 1; sp 2; st 1; st 1; sp 2; st 1; sp 2; sp 1; st 3; sp 3; st 1; sp 6; st 1; sp 2; sp 4; st 1; sp 4; st 3; sp 2; sp 4; st 1; sp 4; sp 2; sp 1; st 3; sp 1; echo "" - st 1; sp 1; st 1; sp 2; st 1; sp 1; st 1; sp 2; sp 6; st 1; sp 2; st 1; sp 6; st 1; sp 2; sp 2; st 1; sp 6; sp 8; sp 4; st 1; sp 4; sp 2; sp 6; st 1; echo "" - st 2; sp 4; st 2; sp 2; st 1; sp 4; st 1; sp 2; st 1; sp 6; st 1; sp 2; 
st 1; sp 8; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 4; st 1; echo "" - st 1; sp 8; st 1; sp 2; sp 1; st 3; sp 3; sp 2; st 3; sp 4; st 4; sp 2; sp 8; st 5; sp 2; sp 1; st 3; sp 1; echo -e "\n" -} -function display_msg(){ - msg=$@ - echoBold "${msg}" - exit 1 -} -function get_creds(){ - while [[ -z "$WSO2_SUBSCRIPTION_USERNAME" ]] - do - read -p "$(echoBold "Enter your WSO2 subscription username: ")" WSO2_SUBSCRIPTION_USERNAME - if [[ -z "$WSO2_SUBSCRIPTION_USERNAME" ]] - then - echo "wso2-subscription-username cannot be empty" - fi - done - - while [[ -z "$WSO2_SUBSCRIPTION_PASSWORD" ]] - do - read -sp "$(echoBold "Enter your WSO2 subscription password: ")" WSO2_SUBSCRIPTION_PASSWORD - echo "" - if [[ -z "$WSO2_SUBSCRIPTION_PASSWORD" ]] - then - echo "wso2-subscription-password cannot be empty" - fi - done -} -function validate_ip(){ - ip_check=$1 - if [[ $ip_check =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then - IFS='.' - ip=$ip_check - set -- $ip - if [[ $1 -le 255 ]] && [[ $2 -le 255 ]] && [[ $3 -le 255 ]] && [[ $4 -le 255 ]]; then - IFS='' - NODE_IP=$ip_check - else - IFS='' - echo "Invalid IP. Please try again." - NODE_IP="" - fi - else - echo "Invalid IP. Please try again." - NODE_IP="" - fi -} -function get_node_ip(){ - NODE_IP=$(kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}') - - if [[ -z $NODE_IP ]] - then - if [[ $(kubectl config current-context)="minikube" ]] - then - NODE_IP=$(minikube ip) - else - echo "We could not find your cluster node-ip." 
- while [[ -z "$NODE_IP" ]]
- do
- read -p "$(echo "Enter one of your cluster Node IPs to provision instant access to server: ")" NODE_IP
- if [[ -z "$NODE_IP" ]]
- then
- echo "cluster node ip cannot be empty"
- else
- validate_ip $NODE_IP
- fi
- done
- fi
- fi
- set -- $NODE_IP; NODE_IP=$1
-}
-
-function progress_bar(){
- dep_status=$(kubectl get deployments -n wso2 -o jsonpath='{.items[?(@.spec.selector.matchLabels.pod=="wso2is")].status.conditions[?(@.type=="Available")].status}')
- pod_status=$(kubectl get pods -n wso2 -o jsonpath='{.items[?(@.metadata.labels.pod=="wso2is")].status.conditions[*].status}')
-
- num_true_const=0; progress_unit="";time_proc=0;
-
- arr_dep=($dep_status); arr_pod=($pod_status)
-
- let "length_total= ${#arr_pod[@]} + ${#arr_dep[@]}";
-
- echo ""
-
- while [[ $num_true -lt $length_total ]]
- do
- sleep 4
- num_true=0
- dep_status=$(kubectl get deployments -n wso2 -o jsonpath='{.items[?(@.spec.selector.matchLabels.pod=="wso2is")].status.conditions[?(@.type=="Available")].status}')
- pod_status=$(kubectl get pods -n wso2 -o jsonpath='{.items[?(@.metadata.labels.pod=="wso2is")].status.conditions[*].status}')
-
- arr_dep=($dep_status); arr_pod=($pod_status); let "length_total= ${#arr_pod[@]} + ${#arr_dep[@]}";
-
- for ele_dep in $dep_status
- do
- if [ "$ele_dep" = "True" ]
- then
- let "num_true=num_true+1"
- fi
- done
-
- for ele_pod in $pod_status
- do
- if [ "$ele_pod" = "True" ]
- then
- let "num_true=num_true+1"
- fi
- done
-
- printf "Processing WSO2 Identity Server ... |"
-
- printf "%-$((5 * ${length_total-1}))s| $(($num_true_const * 100/ $length_total))"; echo -en ' %\r'
-
- printf "Processing WSO2 Identity Server ... 
|"
- s=$(printf "%-$((5 * ${num_true_const}))s" "H")
- echo -en "${s// /H}"
-
- printf "%-$((5 * $(($length_total - $num_true_const))))s| $((100 * $(($num_true_const))/ $length_total))"; echo -en ' %\r '
-
- if [ $num_true -ne $num_true_const ]
- then
- i=0
- while [[ $i -lt $((5 * $((${num_true} - ${num_true_const})))) ]]
- do
- let "i=i+1"
- progress_unit=$progress_unit"H"
- printf "Processing WSO2 Identity Server ... |"
- echo -n $progress_unit
- printf "%-$((5 * $((${length_total} - ${num_true_const})) - $i))s| $(($(( 100 * $(($num_true_const))/ $length_total)) + 2 * $i ))"; echo -en ' %\r '
- sleep 0.25
- done
- num_true_const=$num_true
- time_proc=0
- else
- let "time_proc=time_proc + 5"
- fi
- printf "Processing WSO2 Identity Server ... |"
-
- printf "%-$((5 * ${length_total-1}))s| $(($num_true_const * 100/ $length_total))"; echo -en ' %\r '
-
- printf "Processing WSO2 Identity Server ... |"
- s=$(printf "%-$((5 * ${num_true_const}))s" "H")
- echo -en "${s// /H}"
-
- printf "%-$((5 * $(($length_total - $num_true_const))))s| $((100 * $(($num_true_const))/ $length_total))"; echo -en ' % \r'
-
- sleep 1
-
- if [[ $time_proc -gt 250 ]]
- then
- echoBold "\nSomething went wrong! Please Follow \"https://wso2.com/products/install/faq/#Kubernetes\" for more information\n"
- exit 2
- fi
- done
-
- echo -e "\n"
-
-}
-function deploy(){
-
- #checking for required tools
- if [[ ! $(which kubectl) ]]
- then
- display_msg "Please install Kubernetes command-line tool (kubectl) before you start with the setup\n"
- fi
-
- if [[ ! $(which base64) ]]
- then
- display_msg "Please install base64 before you start with the setup\n"
- fi
-
- echoBold "Checking for an enabled cluster... Your patience is appreciated..."
- cluster_isReady=$(kubectl cluster-info) > /dev/null 2>&1 || true
-
- if [[ ! 
$cluster_isReady == *"DNS"* ]]
- then
- echoBold "Done.\n"
- display_msg "\nPlease enable your cluster before running the setup.\n\nIf you don't have a kubernetes cluster, follow: https://kubernetes.io/docs/setup/\n\n"
- fi
- echoBold "Done.\n"
-
- #displaying wso2 product name
- product_name
-
- #create and view EULA text
- createLicenseText
-
- get_creds # get wso2 subscription parameters
-
- # getting cluster node ip
- get_node_ip
-
- # create and encode username/password secret
- kubectl delete secret wso2-reg-creds --ignore-not-found=true
- kubectl create secret docker-registry wso2-reg-creds --docker-server="docker.wso2.com" --docker-username="$WSO2_SUBSCRIPTION_USERNAME" --docker-password="$WSO2_SUBSCRIPTION_PASSWORD" --docker-email="$WSO2_SUBSCRIPTION_USERNAME"
- str_sec=`kubectl get secret wso2-reg-creds --output="jsonpath={.data.\.dockerconfigjson}"`;
- kubectl delete secret wso2-reg-creds;
-
- #create kubernetes object yaml
- create_yaml
-
- # replace placeholders
- sed -i.bak 's|"$string.&.secret.auth.data"|'$str_sec'|g' $k8s_obj_file
- sed -i.bak 's|"$nodeport.k8s.&.1.wso2is"|'$NP_1'|g' $k8s_obj_file
- sed -i.bak 's|"$image.pull.@.wso2"|'$IMG_DEST'|g' $k8s_obj_file
- sed -i.bak 's|"$image.tag.wso2is"|'$IMG_TAG'|g' $k8s_obj_file
- rm "$k8s_obj_file.bak"
-
- echoBold "\nDeploying WSO2 Identity Server...\n"
-
- # create kubernetes deployment
- kubectl create -f ${k8s_obj_file}
-
- # waiting until deployment is ready
- progress_bar
-
- echoBold "Successfully deployed WSO2 Identity Server.\n\n"
-
- echoBold "1. Try navigating to Management Console, Console and My Account URLs from your favourite browser using given credentials \n"
- echoBold "\tMgt Console URL : https://$NODE_IP:30443/carbon/\n"
- echoBold "\tConsole URL : https://$NODE_IP:30443/console\n"
- echoBold "\tMy Account URL : https://$NODE_IP:30443/myaccount\n"
-
- echoBold "\Credentials\n"
- echoBold "\tusername: admin\n"
- echoBold "\tpassword: admin\n"
-
- echoBold "3. 
Follow \"https://is.docs.wso2.com/en/6.1.0/\" to start using WSO2 Identity Server.\n\n"
-}
-arg=$1
-if [[ -z $arg ]]
-then
- echoBold "Expected parameter is missing\n"
- usage
-else
- case $arg in
- -d|--deploy)
- deploy
- ;;
- -u|--undeploy)
- undeploy
- ;;
- -h|--help)
- usage
- ;;
- *)
- echoBold "Invalid parameter\n"
- usage
- ;;
- esac
-fi
diff --git a/simple/eulatxt b/simple/eulatxt
deleted file mode 100644
index 0f55bc8a..00000000
--- a/simple/eulatxt
+++ /dev/null
@@ -1,534 +0,0 @@
-WSO2 SOFTWARE LICENSE AGREEMENT
-This WSO2 Software License Agreement (the "Agreement") is entered into by you and the applicable WSO2 entity, as
-described below. If you are an individual accepting this Agreement on behalf of a company or other legal entity, you
-represent that you are authorized to bind the entity to the terms of this Agreement and "You" or "Your" will refer
-to the entity bound to this Agreement, not to you as an individual.
-By using or accessing the Software, signing this Agreement or any document that references this Agreement (such as
-an Order), or by clicking "I agree to the Terms" (or similar button or checkbox) upon downloading or installing the
-Software, You indicate Your assent to be bound by this Agreement. If You do not agree to this Agreement, do not use
-or access the Software.
-1. Definitions
-a) "Order" is a document signed by You authorizing the purchase of the Products requested by You, the
-Support Plan, associated fees, and any additional terms offered by WSO2.
-b) "Products" means collectively Software, Support and/or other Services obtained by You from WSO2 subject to
-the terms of this Agreement.
-c) "Software" means the computer programs developed and owned by WSO2 to which this License Agreement is
-attached, however you obtain or access them. Software includes security patches, updates, or other
-modifications to the Software supplied by WSO2.
-d) "Services" means training, consulting and other services, other than Support, specified in an Order.
-e) "Support" means support provided by WSO2 to a Subscriber for the Software according to the terms of the WSO2
-Support Services described in Section 5.1
-f) "Support Plan" means the service level specified in an Order, from among the levels defined in the Support
-Services Policy.
-g) "Subscription" is a commercial offering from WSO2 consisting of a license to use, and access to Support for,
-the Software, for a specific period of time.
-h) "Subscription Period" is the commencement date and duration of a Subscription, as specified in an Order.
-2. License Grant
-2.1 Free License for Non-commercial, Educational, or Trial use. WSO2 hereby grants You a worldwide,
-non-exclusive, royalty-free, non-transferable, non-sublicensable, terminable license to use the Software
-for Non-commercial, Educational, or Trial purposes. Non-commercial, as used in this Agreement, means
-personal use whereby no commercial advantage or monetary compensation is sought or received for use of the
-Software or for works, data or services that use the Software. Educational or Trial purposes, as used in
-this Agreement, means use for the purpose of learning to use the Software, teaching others to use the
-Software, evaluating or demonstrating Software capabilities, or for scholarly or artistic purposes.
-2.2 License for commercial use. If You purchase a Subscription from WSO2 or one of its authorized Resellers,
-WSO2 hereby grants to You, as "Subscriber", a worldwide, non-exclusive, non-transferable,
-non-sublicensable, renewable license to use the specific Software configuration defined in the Order for
-the duration of the Subscription Period. The Order will specify the scope of the Subscription purchased by
-Subscriber, including: (a) all production or non-production use, not just a representative subset; (b) usage
-limits (e.g. cores or transaction limits) (c) any other license parameters; and (d) any other terms
-and conditions mutually agreed for the purchased Subscription.
-3. Copyright. All right, title and interest, including but not limited to intellectual property rights such as
-copyrights, in and to the Software and any copies thereof, are owned by WSO2 or its suppliers. 
All right, title
-and interest, including but not limited to intellectual property rights such as copyrights, in and to the content
-which may be accessed through use of the Software is the property of the respective content owner and may be
-protected by applicable copyright or other intellectual property laws and treaties. All rights not expressly
-granted are reserved by WSO2.
-4. Conditions of Use. A license granted to You by this Agreement is valid only if You adhere to the following
-conditions.
-4.1 Maintenance of Copyright Notices. You shall not remove or alter any copyright or license notices that appear
-in or on the Software.
-4.2 Modification. You shall not modify, alter, decompile, decrypt, disassemble, translate, or reverse engineer
-the Software.
-4.3 Distribution. You shall not sublicense, transfer, lease, rent, or otherwise distribute or make available the
-Software to any third party.
-4.4 SaaS. Unless authorized by WSO2, You shall not make the Software available as commercial
-Software-as-a-Service.
-4.5 Compliance with Applicable Laws. You shall comply with all applicable laws regarding use of the Software.
-5. Subscription Terms and Conditions. If You purchase a Subscription, the following terms and conditions apply.
-5.1 Support. WSO2 will provide Subscriber with Support for the Software during the Subscription Period
-according to the Support Plan indicated in the applicable Order, and subject to the WSO2 Support Policy
-set forth at https://wso2.com/licenses/support-policy. Each Subscription includes Query Support subject to
-a maximum-hours limit as indicated in the Order. Limits can be increased subject to additional fees. The
-maximum hours limit is reset upon renewal for a subsequent annual period; unused hours cannot be rolled over
-into the next annual period. All instances of Software in production and otherwise must be identified in the
-Order.
-5.2 Increases in Software Use. 
Subscriber may increase its use of the Software during the Subscription Period
-beyond the scope specified in the applicable Orders, provided that Subscriber promptly notifies WSO2 of the
-additional use and pays the applicable Fees.
-5.3 Bursting Use. Subscriber may temporarily exceed the Subscription limits, at no extra Fee, within the
-bursting limits for the Product ("Authorized Bursting Use"). If Subscriber increases its use beyond
-Authorized Bursting Use, it must notify WSO2, increase the allowed usage limits retroactively to the period
-where limits were exceeded, and pay the applicable Fees. For products limited to a maximum number of cores,
-Authorized Bursting Use allows up to 3 days (discrete 24-hour periods) within an annual Subscription period
-during which the core count may exceed the Subscription limit by no more than 25%. For products limited to a
-maximum number of monthly transactions, Authorized Bursting Use allows transactions up to 25% over the
-monthly cap, within a single calendar month per annual Subscription period.
-5.4 Subscription Renewal. Subscriptions automatically renew for additional periods equal to one year using
-WSO2's then current pricing unless Subscriber notifies WSO2 in writing that it wishes either to renew for a
-longer period, or to end the Subscription at least 90 days prior to the end of the Subscription Period. Fees
-for renewal are due according to the Fees and Payment terms of this Agreement.
-5.5 Termination for Change in Services. WSO2 may change the terms of Support or Services from time to time and
-these changes are effective when made, without affecting the validity of this Agreement. In the event of any
-material changes, WSO2 will attempt to provide Subscriber notice by sending an email to the point of contact
-address provided by Subscriber. 
In the event of a material and adverse change to the terms of Support or
-Services, Subscriber has the right to terminate this Agreement upon 30 days' prior written notice to WSO2 at
-the following email address: support@wso2.com. In the event of such termination, WSO2 shall reimburse
-Subscriber a pro rata amount of any fees actually prepaid by Subscriber.
-5.6 Audit. Upon WSO2's request with reasonable notice, Subscriber will permit technical and operational audits
-of Subscriber related to the subject matter of this Agreement. Audits may include verifying Subscriber's
-usage of the Software conforms to the usage limits purchased by Subscriber. Audits shall be carried out
-within Subscriber's regular business hours and WSO2 will honor confidentiality and data protection
-requirements. If non-compliance is discovered in an audit, Subscriber will be responsible for all costs
-associated with carrying out such audit. In addition, where such audit reveals Subscriber has exceeded the
-usage subscribed-for, Subscriber shall pay WSO2 prorated fees for the excess usage at the same rate(s)
-designated in the most proximate Order. If the date excess usage began cannot be determined to WSO2's
-satisfaction, excess usage shall be deemed to have commenced on the start date of the Subscription.
-6. WSO2 Consulting Services. QuickStarts, Training, Technical Account Management, Managed Services, and other
-services WSO2 may offer to Subscriber are subject to the following terms.
-6.1 Consulting Services Terms. WSO2 provides on-site and remote consulting services according to the
-Consulting Service Terms at https://wso2.com/licenses/consulting-terms, as updated or amended from time to
-time.
-6.2 Managed Services Terms. WSO2 provides Managed Services according to the WSO2 Managed Services Terms and
-Service Level Agreement at https://wso2.com/licenses/managed-services-terms.
-6.3 Cloud Services Terms. 
WSO2 provides Cloud Services according to the WSO2 Cloud Services Terms and Service
-Level Agreement at https://wso2.com/licenses/cloud-services-terms/3.0/.
-6.4 Independent Contractor. The relationship of the parties is that of independent contractors. Neither party,
-nor any partner, agent or employee of either party, has authority to enter into contracts that bind the
-other or create obligations on the part of the other without the prior written authorization of such party
-6.5 Non-solicitation. During the term of this Agreement and for a period of one (1) year after its termination,
-neither party will directly or indirectly (a) solicit for hire or engagement any of the other party's
-personnel who were involved in the provision or receipt of Services under this Agreement or (b) hire or
-engage any person or entity who is or was employed or engaged by the other party and who was involved in the
-provision or receipt of Services under this Agreement until one hundred eighty (180) calendar days following
-the termination of the person's or entity's employment or engagement with the other party. For purposes
-herein, "solicit" does not include broad-based recruiting efforts, including without limitation help wanted
-advertising and posting of open positions on a party's internet site. If You hire or engage directly or
-indirectly any personnel of WSO2 in violation of this section, You will pay WSO2 a contractual penalty equal
-to three times the monthly billing rate (assuming 168 hours per month) for such personnel.
-7. Reseller Orders. This Section applies if You purchase Subscription through an authorized reseller of WSO2
-("Reseller").
-7.1 Instead of paying WSO2, You will pay the applicable amounts to the Reseller, as agreed between You and the
-Reseller. WSO2 may suspend or terminate Your Subscription if WSO2 does not receive the corresponding
-payment from the Reseller. 
-7.2 Instead of an Order submitted to WSO2, Your order details will be as stated in the order placed with WSO2
-by the Reseller on Your behalf, and the Reseller is responsible for the accuracy of any such order as
-communicated to WSO2.
-7.3 If You are entitled to a refund under this Agreement, then unless otherwise specified by WSO2, WSO2 will
-refund any applicable fees to the Reseller and the Reseller will be solely responsible for refunding the
-appropriate amounts to You.
-7.4 Resellers are not authorized to modify this Agreement or make any promises or commitments on WSO2's
-behalf, and WSO2 is not bound by any obligations to You other than as set forth in this Agreement.
-7.5 The amount paid or payable by the Reseller to WSO2 for Your use of the applicable Software under this
-Agreement will be deemed the amount actually paid or payable by You to WSO2 under this Agreement for
-purposes of calculating the liability cap in Section 13.
-8. Publicity and Feedback
-8.1 WSO2 Logos. WSO2 products may include features for theming the product user interfaces. You will retain the
-"WSO2" or "powered by WSO2" logos in conformance with WSO2 Logo Usage Guidelines at https://wso2.com/brand.
-8.2 Publicity. You may state publicly that You are a user of the Products. Any identification or use of a
-party's brand, logo, or trademark shall conform with the trademark use guidelines provided by one party to
-the other. WSO2 may reference you as a customer and display Your logo for marketing purposes. You will
-participate in a success story/case study related to WSO2. We may in consultation with you, issue a media
-release concerning your engagement as a customer of WSO2.
-8.3 Feedback. If You provide any suggestions, corrections, or feedback regarding the Products, WSO2 may use
-that information without obligation to You, and You hereby irrevocably assign to WSO2 all right, title,
-and interest in the suggestions, corrections, or feedback.
-9. Fees and Payment
-9.1 Fees. 
After You authorize an Order, upon renewal of a Subscription, or for other fees due to WSO2, WSO2 will
-send you an invoice. You will pay all fees specified in invoices. All payments are due within 30 calendar
-days of receipt of an invoice from WSO2 and are non-refundable. WSO2 may suspend or cancel performance of
-all or part of the Subscription or Services and may change its credit terms (after notifying You) if actual
-payment is not received within 60 calendar days of Your receipt of WSO2's invoice. Payments past due 60
-calendar days will incur interest at the rate of 1.5% per month or the highest rate permitted by law,
-whichever is less. You will also pay all costs incurred by WSO2 to collect undisputed amounts due, including
-legal fees, whether or not litigation is commenced.
-9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any taxes
-arising from or relating to this Agreement, including without limitation, sales, service, use or value
-added taxes, which are paid by or are payable by WSO2. "Taxes" means any form of taxation, levy, duty,
-customs fee, charge, contribution or impost of whatever nature and by whatever authority imposed
-(including without limitation any fine, penalty, surcharge or interest), excluding, however, any taxes
-based solely on the net income of WSO2. If You are required under any applicable law or regulation,
-domestic or foreign, to withhold or deduct any portion of the payments due to WSO2, then the sum payable
-to WSO2 will be increased by the amount necessary so that WSO2 receives an amount equal to the sum it
-would have received had Subscriber made no withholdings or deductions.
-9.3 Purchase Orders. Any pre-printed terms on any purchase order that is issued by You that are in addition to
-or in conflict with the terms of this Agreement are null and void.
-10. Term & Termination
-10.1 Termination. This Agreement terminates when:
-a. Your Subscription terminates,
-b. 
when You cease using the Software, or
-c. if You do not have an active Subscription, 90 days after WSO2 notifies You that it wishes to terminate
-the Agreement.
-10.2 Termination for Cause. Either party may terminate this Agreement on written notice to the other if the other
-party fails to comply with this Agreement after it has been notified in writing of the nature of the failure
-and been provided with 30 days after receiving the written notice to cure the failure.
-10.3 Effect of Termination. Upon termination of this Agreement:
-a. the rights granted by one party to the other immediately cease;
-b. all fees owed by Subscriber are immediately due upon receipt of the final invoice; and
-c. You will delete the Software immediately from Your systems and records.
-10.4 Survival. Sections 6.5, 9.1, 11.2, 13, and 16.10, and those provisions intended by their nature to survive
-termination of this Agreement survive termination. Section 14 will survive termination of this Agreement for
-3 years.
-11. Limited Warranties.
-11.1 Warranties for Subscriber. If You are a Subscriber, WSO2 warrants that:
-a. the Software will perform substantially in accordance with its documentation (located at
-https://docs.wso2.com);
-b. it will perform Support and Consulting Services in a diligent and workmanlike manner consistent with
-industry standards; and
-c. to its knowledge, the Software does not, at the time of delivery to you, include malicious mechanisms
-or code for the purpose of damaging or corrupting the Software.
-SUBSCRIBER'S EXCLUSIVE REMEDY FOR WSO2'S MATERIAL BREACH OF WARRANTY IS TO (I) DELIVER TO SUBSCRIBER A CORRECTED
-VERSION WHICH ALLOWS FOR PROPER INSTALLATION AS PROVIDED IN THE WSO2 SUPPORT SERVICES POLICY OR (II) IF OPTION
-(I) IS NOT RELEVANT OR IS DEEMED NOT TO BE COMMERCIALLY FEASIBLE BY WSO2, TERMINATE THIS AGREEMENT AND REFUND A
-PRO RATA PORTION OF THE FEES PAID BY SUBSCRIBER UPON SUBSCRIBER'S DELETION OF THE SOFTWARE. 
-11.2 EXCEPT AS PROVIDED IN THE AGREEMENT, WSO2 MAKES NO WARRANTIES, EXPRESS OR IMPLIED, UNDER THIS AGREEMENT;
-ALL SERVICES, SOFTWARE, AND SUPPORT ARE PROVIDED BY WSO2 "AS IS.".
-12. Indemnification.
-If You are a Subscriber, the provisions of this section apply to You.
-12.1 Subject to the provisions of this Section 12, and commencing from the start of the Subscription Period,
-WSO2 will defend at its expense any suit brought against Subscriber, and will pay any settlement WSO2
-makes or approves, or any direct damages (excluding amounts awarded for reputation harm or
-business impact) finally awarded in such suit, insofar as such suit is based on a claim by any third party
-alleging that the Products misappropriate any trade secret recognized under the Uniform Trade Secrets Act
-or infringe any copyright or United States patent valid within the Subscription Period (an "IP Claim").
-WSO2's indemnification obligations are limited to US $7,000,000.
-12.2 If any portion of the Software or the Services becomes, or in WSO2's opinion is likely to become, the
-subject of an IP Claim, WSO2 may, at WSO2's option: (i) procure for Subscriber the right to continue using
-the Products; (ii) replace the Products with non-infringing software or services which do not materially
-impair the functionality of the Products; (iii) modify the Products so that it becomes non-infringing; or
-(iv) terminate this Agreement and refund any fees actually paid by Subscriber to WSO2 for the remainder of
-the Subscription Period then in effect, and upon such termination, Subscriber will immediately cease all use
-of the Software, documentation, and Services. 
-12.3 Notwithstanding anything to the contrary herein, WSO2 has no obligation with respect to any IP Claim based
-upon (i) any open source software components included in the Software; (ii) any use of the Software or the
-Services not in accordance with this Agreement or as specified in the documentation; (iii) any use of the
-Software in combination with other products, equipment, software or data not supplied by WSO2; or (iv) any
-modification of the Software by any person other than WSO2 or its authorized agents. This Section states
-the sole and exclusive remedy of Subscriber and the entire liability of WSO2, or any of the officers,
-directors, employees, shareholders, contractors or representatives of either party, for IP Claims.
-12.4 Subscriber shall indemnify WSO2 for all losses and liabilities incurred due to Subscriber's breach of
-section 16.5.
-12.5 The indemnifying party's obligations as set forth above are expressly conditioned upon complying with each
-of the following: (i) the indemnified party must promptly notify the indemnifying party in writing of any
-threatened or actual claim or suit; (ii) the indemnifying party will have sole control of the defense or
-settlement of any claim or suit; and (iii) the indemnified party must cooperate with the indemnifying party
-to facilitate the settlement or defense of any claim or suit.
-13. Limitations of Liability.
-13.1 EXCEPT FOR DAMAGES FOR BODILY INJURY (INCLUDING DEATH), WSO2'S TOTAL AGGREGATE LIABILITY UNDER THIS
-AGREEMENT IS LIMITED TO THE AMOUNT OF FEES PAID BY YOU DURING THE PERIOD OF A MATERIAL BREACH UP TO A
-MAXIMUM OF ONE YEAR. IF YOU HAVE PAID NO FEES, OR ARE A NON-COMMERCIAL, EDUCATIONAL, OR TRIAL LICENSEE,
-WSO2'S MAXIMUM AGGREGATE LIABILITY TO YOU IS $100.
-13.2 Waiver of Consequential Damages. 
IN NO EVENT WILL EITHER PARTY OR ITS RESPECTIVE AFFILIATES BE LIABLE FOR
-ANY INCIDENTAL INDIRECT, SPECIAL, OR CONSEQUENTIAL COSTS OR DAMAGES INCLUDING, WITHOUT LIMITATION, DOWNTIME
-COSTS; LOST BUSINESS, REVENUES, GOODWILL, OR PROFITS; FAILURE TO REALIZE EXPECTED SAVINGS; LOSS OF OR DAMAGE
-TO DATA; OR SOFTWARE RESTORATION, REGARDLESS OF WHETHER ANY OF THE FOREGOING ARE FORESEEABLE, AND REGARDLESS
-OF WHETHER EITHER PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY OF ANY OF THE FOREGOING. THESE LIMITATIONS
-APPLY REGARDLESS OF THE BASIS OF LIABILITY; INCLUDING NEGLIGENCE; MISREPRESENTATION; BREACH; LIBEL;
-INFRINGEMENT OF PUBLICITY, PRIVACY, OR INTELLECTUAL PROPERTY RIGHTS; OR ANY OTHER CONTRACT OR TORT CLAIM.
-14. Confidentiality.
-14.1 Definition. "Confidential Information" means any information, documentation, system, or process disclosed
-by a party or a party's Affiliate that is:
-a. designated as confidential (or a similar designation) at the time of disclosure;
-b. disclosed in circumstances of confidence; or
-c. understood by the parties, exercising reasonable business judgment, to be confidential.
-Confidential Information expressly includes proposals or price quotes created by WSO2 for You, Orders, and
-any changes or amendments to this Agreement. "Affiliate" means any entity that directly or indirectly
-controls, is controlled by, or is under common control with a party to this Agreement.
-14.2 Exclusions. Confidential Information does not include information that:
-a. was lawfully known or received by the receiving party prior to disclosure;
-b. is or becomes part of the public domain other than as a result of a breach of this Agreement;
-c. was disclosed to the receiving party by a third party, provided such third party, or any other party
-from whom such third party receives such information, is not in breach of any confidentiality
-obligation in respect to such information; or d. 
is independently developed by the receiving party as
-evidenced by independent written materials.
-14.3 Nondisclosure. Each party shall treat as confidential all Confidential Information of the other party,
-shall not use Confidential Information except as set forth in this Agreement, and shall use best efforts
-not to disclose Confidential Information to any third party. A party may disclose such information to its
-directors, officers, and employees, provided they are made aware of the party's obligation under this
-Agreement and are bound by the same degree of confidentiality. Without limiting the foregoing, each of the
-parties shall use at least the same degree of care that it uses to prevent the disclosure of its own
-Confidential Information of like importance to prevent the disclosure of Confidential Information
-disclosed to it by the other party under this Agreement. Each party shall promptly notify the other party
-of any actual or suspected misuse or unauthorized disclosure of the other party's Confidential Information.
-Notwithstanding the foregoing, either Party may disclose the terms and conditions of this Agreement pursuant
-to the due diligence requests of a proposed merger, acquisition, financing or securities transaction so long
-as such parties receiving such Confidential Information are subject to confidentiality obligations no less
-stringent than the terms of this Agreement.
-14.4 Return of Confidential Information. Upon expiration or termination of this Agreement, each party shall
-return or destroy all Confidential Information received from the other party.
-14.5 Remedies. Any breach of the restrictions contained in this section is a breach of this Agreement that may
-cause irreparable harm to the non-breaching party. Any such breach shall entitle the non-breaching party
-to injunctive relief in addition to all other legal remedies.
-15. 
Data Privacy
-Any personal information received or provided pursuant to the Services will be handled by WSO2 in accordance with
-this Agreement and all applicable privacy laws. Such privacy laws include the California Civil Code Sec. 1798.100
-et seq. ("CCPA" ), the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and the Brazil General
-Data Protection Law, Law 13,709/2018 ("LGPD"), as applicable; WSO2 shall act exclusively as a Service Provider (as
-defined by CCPA), Data Processor (as defined in GDPR/UK GDPR) and, Processor (as defined in LGPD) and shall
-retain, use, disclose and process Your personal information solely for the purpose of providing and enhancing the
-Software and Services on Your behalf. We will take all necessary technical and organizational measures to ensure
-compliance with all applicable laws (including in respect of security, confidentiality and availability) in regard
-to the protection of Your personal information. For the purposes of this section: (a) Your personal information
-shall mean personal data or information however it is defined by applicable law; and (b) UK GDPR means GDPR as it
-forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 and
-as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations
-2019).
-16. General
-16.1 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be
-contrary to law, such provision shall be changed and interpreted so as to best accomplish the objectives
-of the original provision to the fullest extent allowed by law and the remaining provisions of this
-Agreement shall remain in full force and effect.
-16.2 Force Majeure. Neither party will be liable for performance delays or for non-performance due to causes
-beyond its reasonable control; however, this provision will not apply to Subscriber's payment obligations. 
-16.3 Headings. The headings in this Agreement are inserted for convenience only and do not affect its -interpretation. -16.4 Assignment. You may not assign this Agreement, whether by operation of law, merger or reorganization or -otherwise, without the prior written consent of WSO2; any attempted assignment in violation of the -foregoing will be void. WSO2 may assign its rights and delegate its duties under this Agreement without -Your written consent in connection with a reorganization, reincorporation, merger, or sale of all, or -substantially all of the shares or assets of WSO2 or the business of WSO2 to which this Agreement relates. -16.5 Export Compliance / Sanctions. The Software may be subject to export laws and regulations of the United -States and other jurisdictions. The parties represent that each of them is not named on any U.S. -Government denied-party list. You will not use the Software in violation of any U.S. export law or -regulation of the United States and other jurisdictions. -16.6 Complete Agreement. This Agreement, and any terms, policies, or writings referenced within it, constitutes -the final and complete agreement between the parties with respect to the Products, and supersedes any -prior or contemporaneous representations or agreements, whether written or oral. -16.7 Modification; Waiver. No amendment of this agreement will be effective unless it is in writing and signed by -the parties. No wavier under this agreement will be effective unless it is in writing and signed by the -party granting the waiver. A waiver granted on one occasion will not operate as a waver on other occasions. -16.8 Notices. Notice may be directed to WSO2 at legal@wso2.com. -16.9 WSO2 Contracting Entity, Governing Law, and Venue. The WSO2 entity entering into this Agreement, the law -that will apply in any dispute arising out of this Agreement, and the venue for any dispute depend on -where You are domiciled. 
-+--------------------------+---------------------------+--------------------+---------------------------------+ -| If You are domiciled in: | The WSO2 entity entering | Governing law is: | Method of dispute resolution | -| | into this Agreement is: | | is: | -+--------------------------+---------------------------+--------------------+---------------------------------+ -| USA, Canada, any | WSO2 LLC a Limited | California | Arbitration in Santa Clara, | -| country not listed | Liability Company in | without giving | California in accordance | -| below | Delaware | effect to the | with the rules of the | -| | | principles of | American Arbitration | -| | | conflict of | Association ("AAA") | -| | | laws | | -+--------------------------+---------------------------+--------------------+---------------------------------+ -| United Kingdom, Europe | WSO2 UK Limited, a | English | Arbitration in London, | -| (except for Germany), | company incorporated | | United Kingdom, in | -| Mongolia, Azerbaijan | under the laws of | | accordance with the | -| | England | | rules of the International | -| | | | Chamber of Commerce ("ICC") | -+--------------------------+---------------------------+--------------------+---------------------------------+ -| Sri Lanka, Malaysia, | WSO2 LANKA (PRIVATE) | Sri Lanka | Arbitration in Colombo, | -| Mauritius, Macau | LIMITED, a company | | Sri Lanka in accordance | -| | incorporated under | | with the rules of the | -| | the laws of Sri Lanka | | Arbitration Act No 11 | -| | | | of 1995 | -+--------------------------+---------------------------+--------------------+---------------------------------+ -| South America, Belize, | WSO2 BRASIL TECNOLOGIA | Brazil | Arbitration in Sao Paulo, | -| Costa Rica, | E SOFTWARE EIRELI, | | Brazil in accordance with | -| El Salvador, | a company incorporated | | the rules of the | -| Guatemala, Honduras, | in Brazil | | International Chamber of | -| Nicaragua, Panama. 
| | | Commerce ("ICC") | -+--------------------------+---------------------------+--------------------+---------------------------------+ -| Australia or | WSO2 Australia Pty | New South Wales, | Each party submits to the | -| New Zealand | Limited, ABN 90 623 | Australia without | exclusive jurisdiction of the | -| | 311 348 | giving effect to | courts of New South Wales, | -| | | the principles of | Australia (and any relevant | -| | | conflict of laws. | appellate courts). Each | -| | | | party's designated | -| | | | representatives will meet | -| | | | within ten (10) days following | -| | | | receipt of notice of the | -| | | | dispute and will attempt to | -| | | | resolve the dispute within | -| | | | 15 days. If the parties agree | -| | | | in writing, a dispute may be | -| | | | mediated or arbitrated. If any | -| | | | dispute is not resolved | -| | | | informally or referred to | -| | | | mediation or arbitration, | -| | | | either party may commence legal | -| | | | proceedings in respect of the | -| | | | dispute in a court of competent | -| | | | jurisdiction. If the parties | -| | | | agree in writing to arbitrate a | -| | | | dispute, such dispute shall be | -| | | | referred to the Australian | -| | | | Disputes Centre ("ADC") for | -| | | | resolution by binding | -| | | | arbitration in Sydney, New | -| | | | South Wales in accordance with | -| | | | the ADC's Conciliation Rules. 
| -+--------------------------+---------------------------+--------------------+---------------------------------+ -| Germany | WSO2 Germany GmbH | The laws of | Arbitration in Germany in | -| | | Germany with the | accordance with the rules of | -| | | exception of | the International Chamber | -| | | United Nations | of Commerce ("ICC") | -| | | Convention on | | -| | | the International | | -| | | Sale of Goods | | -| | | (CISG) | | -+--------------------------+---------------------------+--------------------+---------------------------------+ -| United Arab Emirates | WSO2 Middle East FZ-LLC | The governing law | Any dispute arising out of or | -| (including but not | | of the Agreement | in connection with this | -| limited to any of its | | shall be the | contract, including any | -| free zones) | | substantive law of | question regarding its | -| | | Dubai | existence, validity or | -| | | International | termination, shall be referred | -| | | Financial Centre. | to and finally resolved by | -| | | | arbitration under the | -| | | | Arbitration Rules of the DIFC - | -| | | | LCIA Arbitration Centre, which | -| | | | Rules are deemed to be | -| | | | incorporated by reference into | -| | | | this clause. The number of | -| | | | arbitrators shall be one. The | -| | | | seat, or legal place, of | -| | | | arbitration shall be Dubai | -| | | | International Financial Centre. | -| | | | The language to be used in the | -| | | | arbitration shall be English. 
| -+--------------------------+---------------------------+--------------------+---------------------------------+ -| India | WSO2 India Private | India | By arbitration administered by | -| | Limited, a company | | the Singapore International | -| | incorporated under the | | Arbitration Centre (SIAC), | -| | laws of India | | India Office in Mumbai in | -| | | | accordance with the Arbitration | -| | | | Rules of the Singapore | -| | | | International Arbitration | -| | | | Centre Rules ("SIAC Rules") for | -| | | | the time being in force, which | -| | | | rules are deemed to be | -| | | | incorporated by reference in | -| | | | this clause. | -| | | | The seat of the arbitration | -| | | | shall be Mumbai. | -| | | | The arbitral tribunal shall | -| | | | consist of one arbitrator | -| | | | jointly appointed by the | -| | | | Parties. | -| | | | The substantive law governing | -| | | | the arbitration shall be the | -| | | | Indian Arbitration and | -| | | | Conciliation Act, 1996. | -+--------------------------+---------------------------+--------------------+---------------------------------+ -16.10 Agreement to Governing Law and Dispute Resolution. Each party agrees to the applicable governing law above, -and to the exclusive method of dispute resolution. Where the applicable dispute resolution procedure is -arbitration, the award rendered by the arbitrator shall be final and binding on the parties, and judgment -may be entered in any court of competent jurisdiction. Nothing in the above provision prevents either party -from applying to a court of competent jurisdiction for equitable or injunctive relief. Any dispute or other -action arising out of this Agreement must be brought within one year of the date the cause of action accrued -. An action for nonpayment may be brought within two years of the date of last payment. -16.11 Regional Agreement Variations: WSO2 Australia Pty Limited. 
Based upon the above, If You enter into this -Agreement with WSO2 Australia Pty Limited, Sections 9.2, and 13 are replaced with the following: -9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any -taxes arising from or relating to this Agreement, including without limitation, GST, use or value -added taxes, which are paid by or are payable by WSO2. "Taxes" means any form of taxation, levy, -duty, customs fee, charge, contribution or impost of whatever nature and by whatever authority -imposed (including without limitation any fine, penalty, surcharge or interest), excluding, however, -any taxes based solely on the net income of WSO2. If You are required under any applicable law or -regulation, domestic or foreign, to withhold or deduct any portion of the payments due to WSO2, then -the sum payable to WSO2 will be increased by the amount necessary so that WSO2 receives an amount -equal to the sum it would have received had Subscriber made no withholdings or deductions. -Where a supply under this Agreement is a taxable supply, all amounts payable or other consideration -provided must be increased by the amount of GST payable in relation to the supply. All GST must be -paid at the time any payment for any supply to which it relates is payable (provided a valid tax -invoice has been issued for the supply). In this Section, "GST", "tax invoice" and "taxable supply" -have the meanings given to them in the A New Tax Systems (Goods and Services Tax) Act 1999 (Cth). -13. Limitation of Liability. EXCEPT FOR LIABILITY DAMAGES FOR BODILY INJURY (INCLUDING DEATH) WHICH SHALL -BE UNLIMITED, WSO2'S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR IN CONNECTION WITH -THIS AGREEMENT, REGARDLESS OF THE FORM OF ACTION (INCLUDING NEGLIGENCE), IS LIMITED IN ANY CALENDAR -YEAR TO THE AMOUNT PAID BY SUBSCRIBER FOR SERVICES DURING THAT CALENDAR YEAR. 
IF YOU HAVE PAID NO -FEES, OR ARE A NON-COMMERCIAL, EDUCATIONAL, OR TRIAL LICENSEE, WSO2'S MAXIMUM AGGREGATE LIABILITY TO -YOU IS $100. -NO EVENT WILL WSO2 BE LIABLE FOR ANY "INDIRECT LOSSES" BEING: (A) DOWNTIME COSTS, LOST BUSINESS, -REVENUES, OR PROFITS, FAILURE TO REALIZE EXPECTED SAVINGS OR OPPORTUNITY, LOSS OF OR DAMAGE TO DATA, -LOSS OF GOODWILL OR REPUTATION, COSTS OF SOFTWARE RESTORATION; AND (B) ANY LOSS THAT DOES NOT ARISE -NATURALLY OR ACCORDING TO THE USUAL COURSE OF THINGS FROM A BREACH, ACT OR OMISSION RELATING TO THIS -AGREEMENT REGARDLESS OF WHETHER ANY OF THE FOREGOING ARE FORESEEABLE, AND REGARDLESS OF WHETHER WSO2 -HAS BEEN NOTIFIED OF THE POSSIBILITY OF ANY OF THE FOREGOING. THESE LIMITATIONS WILL APPLY REGARDLESS -OF THE BASIS OF LIABILITY, INCLUDING NEGLIGENCE, MISREPRESENTATION, BREACH, DEFAMATION, INFRINGEMENT -OF PUBLICITY, PRIVACY, OR INTELLECTUAL PROPERTY RIGHTS, OR ANY OTHER CONTRACT OR TORT CLAIM. -16.12 Regional Agreement Variations: WSO2 Germany GmbH. Based upon the above, If You enter into this Agreement -with WSO2 Germany GmbH, Sections 6.5, 9.1, and 9.2 are replaced with the following: -6.5 Non-solicitation. During the term of this Agreement and for a period of one (1) year after its -termination, neither party will directly (a) solicit for hire or engagement any of the other party's -personnel who were involved in the provision or receipt of Services under this Agreement or (b) hire -or engage any person or entity who is or was employed or engaged by the other party and who was -involved in the provision or receipt of Services under this Agreement until one hundred eighty (180) -calendar days following the termination of the person's or entity's employment or engagement with -the other party. -For purposes herein, "solicit" does not include broad-based recruiting efforts, including without -limitation help wanted advertising and posting of open positions on a party's internet site. 
If You -hire or engage directly or indirectly any personnel of WSO2 in violation of this section, You will pay -WSO2 a contractual penalty equal to three times the monthly billing rate (assuming 168 hours per -month) for such personnel. -9.1 Fees. After You sign an Order, or upon renewal of a Subscription, WSO2 will send you an invoice. You -will pay all fees specified in invoices. All payments are due within thirty (30) calendar days of -receipt of an invoice from WSO2 and are non-refundable. WSO2 may suspend or cancel performance of -all or part of the Subscription or Services and may change its credit terms (after notifying You) if -actual payment is not received within sixty (60) calendar days of Your receipt of WSO2's invoice. -Payments past due sixty (60) calendar days will incur interest at the rate of 9 percentage points -above the ECB basic interest rate per year. In addition, Subscriber has to pay 40 EUR in recovering -charges. In any proceeding brought by WSO2 to collect amounts due, WSO2 will also receive its actual -costs of collection, including reasonable attorneys' fees. -9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any -taxes arising from or relating to this Agreement, including without limitation, VAT which is paid by -or is payable by WSO2. "Taxes" means any form of taxation, levy, duty, customs fee, charge, -contribution or impost of whatever nature and by whatever authority imposed (including without -limitation any fine, penalty, surcharge or interest), excluding, however, any taxes based solely on -the net income of WSO2. If You are required under any applicable law or regulation, domestic or -foreign, to withhold or deduct any portion of the payments due to WSO2, then the sum payable to WSO2 -will be increased by the amount necessary so that WSO2 receives an amount equal to the sum it would -have received had Subscriber made no withholdings or deductions. 
-16.13 Regional Agreement Variations: WSO2 Middle East FZ- LLC. Based upon the above, If You enter into this -Agreement with WSO2 Middle East FZ- LLC, Section 1.1 is replaced with the following: -1.1 Remedies. WSO2'S SOLE OBLIGATION AND SUBSCRIBER'S SOLE REMEDY FOR WSO2'S BREACH OF ANY -REPRESENTATIONS, WARRANTIES OR OBLIGATIONS OF THIS AGREEMENT IS TO (I) IN THE CASE OF A DEFECTIVE OR -FAULTY BUG FIX, PATCH OR THE LIKE, DELIVER TO SUBSCRIBER A CORRECTED VERSION WHICH ALLOWS FOR PROPER -INSTALLATION; OR (II) IF OPTION (I) IS NOT RELEVANT OR IS DEEMED NOT TO BE COMMERCIALLY FEASIBLE BY -WSO2, TERMINATE THIS AGREEMENT (WITHOUT THE REQUIREMENT OF A COURT ORDER) AND REFUND A PRO RATA -PORTION OF THE FEES PAID BY SUBSCRIBER. -16.14 Regional Agreement Variations: WSO2 India (Private) Limited. Based upon the above, If You enter into this -Agreement with WSO2 India (Private) Limited, Section 6.5, 9.2 and 16.1 are replaced with the following: -6.5 Non-solicitation. During the term of this Agreement and for a period of one (1) year after its -termination, neither party will directly or indirectly (a) solicit for hire or engagement any of the -other party's personnel who were involved in the provision or receipt of Services under this Agreement -or (b) hire or engage any person or entity who is or was employed or engaged by the other party and -who was involved in the provision or receipt of Services under this Agreement until one hundred eighty -(180) calendar days following the termination of the person's or entity's employment or engagement -with the other party. For purposes herein, "solicit" does not include broad-based recruiting efforts, -including without limitation help wanted advertising and posting of open positions on a party's -internet site. 
If You hire or engage directly or indirectly any personnel of WSO2 in violation of this -section, You will pay WSO2 as liquidated damages an amount equal to three times the monthly billing -rate (assuming 168 hours per month) for such personnel. You agree that the said amount is a genuine -pre-estimate of the damages that WSO2 will suffer on account of such breach and are not by way of -penalty. -9.2 Taxes. All fees are exclusive of any applicable Taxes. You will pay to WSO2 an amount equal to any -taxes arising from or relating to this Agreement, including without limitation, sales, service, use or -value added taxes, which are paid by or are payable by WSO2. "Taxes" means any form of taxation, levy, -duty, customs fee, charge, contribution or impost of whatever nature and by whatever authority imposed -(including without limitation any fine, penalty, surcharge or interest), excluding, however, any taxes -based solely on the net income of WSO2. If You are required under any applicable law or regulation, -domestic or foreign, to withhold or deduct any portion of the payments due to WSO2, then the sum -payable to WSO2 will be increased by the amount necessary so that WSO2 receives an amount equal to the -sum it would have received had Subscriber made no withholdings or deductions. In such cases You shall -also deposit with the tax authorities and within the time required under law, the withheld or deducted -amount and shall provide WSO2 with the relevant certificates in relation thereto. -16.1 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be -contrary to law, in whole or in part, this Agreement will be interpreted and construed as if such -provision had never been included herein. The remaining part of such provision and all other -provisions of this Agreement shall remain in full force and effect. 
In such event, the parties
-undertake to endeavor in good faith to replace the said provision by a valid, legal, and enforceable
-provision which contains, as nearly as possible, the rights and obligations contained in the provision
-to be replaced.
diff --git a/simple/funcs b/simple/funcs
deleted file mode 100644
index 1fa4e5ef..00000000
--- a/simple/funcs
+++ /dev/null
@@ -1,303 +0,0 @@
-function usage(){
- echo "Usage: "
- echo -e "-d, --deploy Deploy WSO2 Identity Server"
- echo -e "-u, --undeploy Undeploy WSO2 Identity Server"
- echo -e "-h, --help Display usage instrusctions"
-}
-function undeploy(){
- echo "Undeploying WSO2 Identity Server ..."
- kubectl delete ns wso2
- echo "Done."
- exit 0
-}
-function echoBold () {
- echo -en $'\e[1m'"${1}"$'\e[0m'
-}
-
-function display_msg(){
- msg=$@
- echoBold "${msg}"
- exit 1
-}
-
-function viewLicenseText(){
-
- echo "PLEASE READ THE BELOW \"WSO2 SOFTWARE LICENSE AGREEMENT\" CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AND USING THE SOFTWARE."
-
- sleep 2s
-
- less ${license_text}
-
- while [[ -z ${isAgree} ]]
- do
- read -p "Do you accept license terms ? (Y|n): " isAgree
- if [[ ${isAgree} == Y || ${isAgree} == y ]]; then
- echo "Continuing with installation ..."
- elif [[ ${isAgree} == N || ${isAgree} == n ]]; then
- echo "Installation aborted since you didn't accept the license terms"
- echo "Aborting Installation ..."
- sleep 1s
- exit 0
- else
- echo "Please enter Y or N to continue"
- isAgree=""
- fi
- done
-
-}
-
-function st(){
- cycles=${1}
- i=0
- while [[ i -lt $cycles ]]
- do
- echoBold "* "
- let "i=i+1"
- done
-}
-function sp(){
- cycles=${1}
- i=0
- while [[ i -lt $cycles ]]
- do
- echoBold " "
- let "i=i+1"
- done
-}
-function product_name(){
- #wso2is
- echo -e "\n"
- st 1; sp 8; st 1; sp 2; sp 1; st 3; sp 3; sp 2; st 3; sp 4; sp 1; st 3; sp 3; sp 8; st 5; sp 2; sp 1; st 3; sp 3; echo ""
- st 1; sp 8; st 1; sp 2; st 1; sp 4; st 1; sp 2; st 1; sp 6; st 1; sp 2; st 1; sp 4; st 1; sp 2; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 4; st 1; echo ""
- st 1; sp 3; st 1; sp 3; st 1; sp 2; st 1; sp 8; st 1; sp 6; st 1; sp 2; sp 6; st 1; sp 2; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 8; echo ""
- st 1; sp 2; st 1; st 1; sp 2; st 1; sp 2; sp 1; st 3; sp 3; st 1; sp 6; st 1; sp 2; sp 4; st 1; sp 4; st 3; sp 2; sp 4; st 1; sp 4; sp 2; sp 1; st 3; sp 1; echo ""
- st 1; sp 1; st 1; sp 2; st 1; sp 1; st 1; sp 2; sp 6; st 1; sp 2; st 1; sp 6; st 1; sp 2; sp 2; st 1; sp 6; sp 8; sp 4; st 1; sp 4; sp 2; sp 6; st 1; echo ""
- st 2; sp 4; st 2; sp 2; st 1; sp 4; st 1; sp 2; st 1; sp 6; st 1; sp 2; st 1; sp 8; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 4; st 1; echo ""
- st 1; sp 8; st 1; sp 2; sp 1; st 3; sp 3; sp 2; st 3; sp 4; st 4; sp 2; sp 8; st 5; sp 2; sp 1; st 3; sp 1; echo -e "\n"
-}
-function display_msg(){
- msg=$@
- echoBold "${msg}"
- exit 1
-}
-function get_creds(){
- while [[ -z "$WSO2_SUBSCRIPTION_USERNAME" ]]
- do
- read -p "$(echoBold "Enter your WSO2 subscription username: ")" WSO2_SUBSCRIPTION_USERNAME
- if [[ -z "$WSO2_SUBSCRIPTION_USERNAME" ]]
- then
- echo "wso2-subscription-username cannot be empty"
- fi
- done
-
- while [[ -z "$WSO2_SUBSCRIPTION_PASSWORD" ]]
- do
- read -sp "$(echoBold "Enter your WSO2 subscription password: ")" WSO2_SUBSCRIPTION_PASSWORD
- echo ""
- if [[ -z "$WSO2_SUBSCRIPTION_PASSWORD" ]]
- then
- echo "wso2-subscription-password cannot be empty"
- fi
- done
-}
-function validate_ip(){
- ip_check=$1
- if [[ $ip_check =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
- IFS='.'
- ip=$ip_check
- set -- $ip
- if [[ $1 -le 255 ]] && [[ $2 -le 255 ]] && [[ $3 -le 255 ]] && [[ $4 -le 255 ]]; then
- IFS=''
- NODE_IP=$ip_check
- else
- IFS=''
- echo "Invalid IP. Please try again."
- NODE_IP=""
- fi
- else
- echo "Invalid IP. Please try again."
- NODE_IP=""
- fi
-}
-function get_node_ip(){
- NODE_IP=$(kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}')
-
- if [[ -z $NODE_IP ]]
- then
- if [[ $(kubectl config current-context)="minikube" ]]
- then
- NODE_IP=$(minikube ip)
- else
- echo "We could not find your cluster node-ip."
- while [[ -z "$NODE_IP" ]]
- do
- read -p "$(echo "Enter one of your cluster Node IPs to provision instant access to server: ")" NODE_IP
- if [[ -z "$NODE_IP" ]]
- then
- echo "cluster node ip cannot be empty"
- else
- validate_ip $NODE_IP
- fi
- done
- fi
- fi
- set -- $NODE_IP; NODE_IP=$1
-}
-
-function progress_bar(){
- dep_status=$(kubectl get deployments -n wso2 -o jsonpath='{.items[?(@.spec.selector.matchLabels.pod=="wso2is")].status.conditions[?(@.type=="Available")].status}')
- pod_status=$(kubectl get pods -n wso2 -o jsonpath='{.items[?(@.metadata.labels.pod=="wso2is")].status.conditions[*].status}')
-
- num_true_const=0; progress_unit="";time_proc=0;
-
- arr_dep=($dep_status); arr_pod=($pod_status)
-
- let "length_total= ${#arr_pod[@]} + ${#arr_dep[@]}";
-
- echo ""
-
- while [[ $num_true -lt $length_total ]]
- do
- sleep 4
- num_true=0
- dep_status=$(kubectl get deployments -n wso2 -o jsonpath='{.items[?(@.spec.selector.matchLabels.pod=="wso2is")].status.conditions[?(@.type=="Available")].status}')
- pod_status=$(kubectl get pods -n wso2 -o jsonpath='{.items[?(@.metadata.labels.pod=="wso2is")].status.conditions[*].status}')
-
- arr_dep=($dep_status); arr_pod=($pod_status); let "length_total= ${#arr_pod[@]} + ${#arr_dep[@]}";
-
- for ele_dep in $dep_status
- do
- if [ "$ele_dep" = "True" ]
- then
- let "num_true=num_true+1"
- fi
- done
-
- for ele_pod in $pod_status
- do
- if [ "$ele_pod" = "True" ]
- then
- let "num_true=num_true+1"
- fi
- done
-
- printf "Processing WSO2 Identity Server ... |"
-
- printf "%-$((5 * ${length_total-1}))s| $(($num_true_const * 100/ $length_total))"; echo -en ' %\r'
-
- printf "Processing WSO2 Identity Server ... |"
- s=$(printf "%-$((5 * ${num_true_const}))s" "H")
- echo -en "${s// /H}"
-
- printf "%-$((5 * $(($length_total - $num_true_const))))s| $((100 * $(($num_true_const))/ $length_total))"; echo -en ' %\r '
-
- if [ $num_true -ne $num_true_const ]
- then
- i=0
- while [[ $i -lt $((5 * $((${num_true} - ${num_true_const})))) ]]
- do
- let "i=i+1"
- progress_unit=$progress_unit"H"
- printf "Processing WSO2 Identity Server ... |"
- echo -n $progress_unit
- printf "%-$((5 * $((${length_total} - ${num_true_const})) - $i))s| $(($(( 100 * $(($num_true_const))/ $length_total)) + 2 * $i ))"; echo -en ' %\r '
- sleep 0.25
- done
- num_true_const=$num_true
- time_proc=0
- else
- let "time_proc=time_proc + 5"
- fi
- printf "Processing WSO2 Identity Server ... |"
-
- printf "%-$((5 * ${length_total-1}))s| $(($num_true_const * 100/ $length_total))"; echo -en ' %\r '
-
- printf "Processing WSO2 Identity Server ... |"
- s=$(printf "%-$((5 * ${num_true_const}))s" "H")
- echo -en "${s// /H}"
-
- printf "%-$((5 * $(($length_total - $num_true_const))))s| $((100 * $(($num_true_const))/ $length_total))"; echo -en ' % \r'
-
- sleep 1
-
- if [[ $time_proc -gt 250 ]]
- then
- echoBold "\nSomething went wrong! Please Follow \"https://wso2.com/products/install/faq/#Kubernetes\" for more information\n"
- exit 2
- fi
- done
-
- echo -e "\n"
-
-}
-function deploy(){
-
- #checking for required tools
- if [[ ! $(which kubectl) ]]
- then
- display_msg "Please install Kubernetes command-line tool (kubectl) before you start with the setup\n"
- fi
-
- if [[ ! $(which base64) ]]
- then
- display_msg "Please install base64 before you start with the setup\n"
- fi
-
- echoBold "Checking for an enabled cluster... Your patience is appreciated..."
- cluster_isReady=$(kubectl cluster-info) > /dev/null 2>&1 || true
-
- if [[ ! $cluster_isReady == *"DNS"* ]]
- then
- echoBold "Done.\n"
- display_msg "\nPlease enable your cluster before running the setup.\n\nIf you don't have a kubernetes cluster, follow: https://kubernetes.io/docs/setup/\n\n"
- fi
- echoBold "Done.\n"
-
- #displaying wso2 product name
- product_name
-
- #create and view EULA text
- createLicenseText
-
- get_creds # get wso2 subscription parameters
-
- # getting cluster node ip
- get_node_ip
-
- # create and encode username/password secret
- kubectl delete secret wso2-reg-creds --ignore-not-found=true
- kubectl create secret docker-registry wso2-reg-creds --docker-server="docker.wso2.com" --docker-username="$WSO2_SUBSCRIPTION_USERNAME" --docker-password="$WSO2_SUBSCRIPTION_PASSWORD" --docker-email="$WSO2_SUBSCRIPTION_USERNAME"
- str_sec=`kubectl get secret wso2-reg-creds --output="jsonpath={.data.\.dockerconfigjson}"`;
- kubectl delete secret wso2-reg-creds;
-
- #create kubernetes object yaml
- create_yaml
-
- # replace placeholders
- sed -i.bak 's|"$string.&.secret.auth.data"|'$str_sec'|g' $k8s_obj_file
- sed -i.bak 's|"$nodeport.k8s.&.1.wso2is"|'$NP_1'|g' $k8s_obj_file
- sed -i.bak 's|"$image.pull.@.wso2"|'$IMG_DEST'|g' $k8s_obj_file
- sed -i.bak 's|"$image.tag.wso2is"|'$IMG_TAG'|g' $k8s_obj_file
- rm "$k8s_obj_file.bak"
-
- echoBold "\nDeploying WSO2 Identity Server...\n"
-
- # create kubernetes deployment
- kubectl create -f ${k8s_obj_file}
-
- # waiting until deployment is ready
- progress_bar
-
- echoBold "Successfully deployed WSO2 Identity Server.\n\n"
-
- echoBold "1. Try navigating to Management Console, Console and My Account URLs from your favourite browser using given credentials \n"
- echoBold "\tMgt Console URL : https://$NODE_IP:30443/carbon/\n"
- echoBold "\tConsole URL : https://$NODE_IP:30443/console\n"
- echoBold "\tMy Account URL : https://$NODE_IP:30443/myaccount\n"
-
- echoBold "\Credentials\n"
- echoBold "\tusername: admin\n"
- echoBold "\tpassword: admin\n"
-
- echoBold "3. Follow \"https://is.docs.wso2.com/en/6.1.0/\" to start using WSO2 Identity Server.\n\n"
-}
diff --git a/simple/funcs4opensource b/simple/funcs4opensource
deleted file mode 100644
index 9789851b..00000000
--- a/simple/funcs4opensource
+++ /dev/null
@@ -1,239 +0,0 @@
-function usage(){
- echo "Usage: "
- echo -e "-d, --deploy Deploy WSO2 Identity Server"
- echo -e "-u, --undeploy Undeploy WSO2 Identity Server"
- echo -e "-h, --help Display usage instrusctions"
-}
-function undeploy(){
- echo "Undeploying WSO2 Identity Server ..."
- kubectl delete ns wso2
- echo "Done."
- exit 0
-}
-function echoBold () {
- echo -en $'\e[1m'"${1}"$'\e[0m'
-}
-
-function st(){
- cycles=${1}
- i=0
- while [[ i -lt $cycles ]]
- do
- echoBold "* "
- let "i=i+1"
- done
-}
-function sp(){
- cycles=${1}
- i=0
- while [[ i -lt $cycles ]]
- do
- echoBold " "
- let "i=i+1"
- done
-}
-function product_name(){
- #wso2is
- echo -e "\n"
- st 1; sp 8; st 1; sp 2; sp 1; st 3; sp 3; sp 2; st 3; sp 4; sp 1; st 3; sp 3; sp 8; st 5; sp 2; sp 1; st 3; sp 3; echo ""
- st 1; sp 8; st 1; sp 2; st 1; sp 4; st 1; sp 2; st 1; sp 6; st 1; sp 2; st 1; sp 4; st 1; sp 2; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 4; st 1; echo ""
- st 1; sp 3; st 1; sp 3; st 1; sp 2; st 1; sp 8; st 1; sp 6; st 1; sp 2; sp 6; st 1; sp 2; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 8; echo ""
- st 1; sp 2; st 1; st 1; sp 2; st 1; sp 2; sp 1; st 3; sp 3; st 1; sp 6; st 1; sp 2; sp 4; st 1; sp 4; st 3; sp 2; sp 4; st 1; sp 4; sp 2; sp 1; st 3; sp 1; echo ""
- st 1; sp 1; st 1; sp 2; st 1; sp 1; st 1; sp 2; sp 6; st 1; sp 2; st 1; sp 6; st 1; sp 2; sp 2; st 1; sp 6; sp 8; sp 4; st 1; sp 4; sp 2; sp 6; st 1; echo ""
- st 2; sp 4; st 2; sp 2; st 1; sp 4; st 1; sp 2; st 1; sp 6; st 1; sp 2; st 1; sp 8; sp 8; sp 4; st 1; sp 4; sp 2; st 1; sp 4; st 1; echo ""
- st 1; sp 8; st 1; sp 2; sp 1; st 3; sp 3; sp 2; st 3; sp 4; st 4; sp 2; sp 8; st 5; sp 2; sp 1; st 3; sp 1; echo -e "\n"
-}
-function display_msg(){
- msg=$@
- echoBold "${msg}"
- exit 1
-}
-function validate_ip(){
- ip_check=$1
- if [[ $ip_check =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
- IFS='.'
- ip=$ip_check
- set -- $ip
- if [[ $1 -le 255 ]] && [[ $2 -le 255 ]] && [[ $3 -le 255 ]] && [[ $4 -le 255 ]]; then
- IFS=''
- NODE_IP=$ip_check
- else
- IFS=''
- echo "Invalid IP. Please try again."
- NODE_IP=""
- fi
- else
- echo "Invalid IP. Please try again."
- NODE_IP=""
- fi
-}
-function get_node_ip(){
- NODE_IP=$(kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}')
-
- if [[ -z $NODE_IP ]]
- then
- if [[ $(kubectl config current-context)="minikube" ]]
- then
- NODE_IP=$(minikube ip)
- else
- echo "We could not find your cluster node-ip."
- while [[ -z "$NODE_IP" ]]
- do
- read -p "$(echo "Enter one of your cluster Node IPs to provision instant access to server: ")" NODE_IP
- if [[ -z "$NODE_IP" ]]
- then
- echo "cluster node ip cannot be empty"
- else
- validate_ip $NODE_IP
- fi
- done
- fi
- fi
- set -- $NODE_IP; NODE_IP=$1
-}
-
-function progress_bar(){
- dep_status=$(kubectl get deployments -n wso2 -o jsonpath='{.items[?(@.spec.selector.matchLabels.pod=="wso2is")].status.conditions[?(@.type=="Available")].status}')
- pod_status=$(kubectl get pods -n wso2 -o jsonpath='{.items[?(@.metadata.labels.pod=="wso2is")].status.conditions[*].status}')
-
- num_true_const=0; progress_unit="";time_proc=0;
-
- arr_dep=($dep_status); arr_pod=($pod_status)
-
- let "length_total= ${#arr_pod[@]} + ${#arr_dep[@]}";
-
- echo ""
-
- while [[ $num_true -lt $length_total ]]
- do
- sleep 4
- num_true=0
- dep_status=$(kubectl get deployments -n wso2 -o jsonpath='{.items[?(@.spec.selector.matchLabels.pod=="wso2is")].status.conditions[?(@.type=="Available")].status}')
- pod_status=$(kubectl get pods -n wso2 -o jsonpath='{.items[?(@.metadata.labels.pod=="wso2is")].status.conditions[*].status}')
-
- arr_dep=($dep_status); arr_pod=($pod_status); let "length_total= ${#arr_pod[@]} + ${#arr_dep[@]}";
-
- for ele_dep in $dep_status
- do
- if [ "$ele_dep" = "True" ]
- then
- let "num_true=num_true+1"
- fi
- done
-
- for ele_pod in $pod_status
- do
- if [ "$ele_pod" = "True" ]
- then
- let "num_true=num_true+1"
- fi
- done
-
- printf "Processing WSO2 Identity Server ... |"
-
- printf "%-$((5 * ${length_total-1}))s| $(($num_true_const * 100/ $length_total))"; echo -en ' %\r'
-
- printf "Processing WSO2 Identity Server ... |"
- s=$(printf "%-$((5 * ${num_true_const}))s" "H")
- echo -en "${s// /H}"
-
- printf "%-$((5 * $(($length_total - $num_true_const))))s| $((100 * $(($num_true_const))/ $length_total))"; echo -en ' %\r '
-
- if [ $num_true -ne $num_true_const ]
- then
- i=0
- while [[ $i -lt $((5 * $((${num_true} - ${num_true_const})))) ]]
- do
- let "i=i+1"
- progress_unit=$progress_unit"H"
- printf "Processing WSO2 Identity Server ... |"
- echo -n $progress_unit
- printf "%-$((5 * $((${length_total} - ${num_true_const})) - $i))s| $(($(( 100 * $(($num_true_const))/ $length_total)) + 2 * $i ))"; echo -en ' %\r '
- sleep 0.25
- done
- num_true_const=$num_true
- time_proc=0
- else
- let "time_proc=time_proc + 5"
- fi
- printf "Processing WSO2 Identity Server ... |"
-
- printf "%-$((5 * ${length_total-1}))s| $(($num_true_const * 100/ $length_total))"; echo -en ' %\r '
-
- printf "Processing WSO2 Identity Server ... |"
- s=$(printf "%-$((5 * ${num_true_const}))s" "H")
- echo -en "${s// /H}"
-
- printf "%-$((5 * $(($length_total - $num_true_const))))s| $((100 * $(($num_true_const))/ $length_total))"; echo -en ' % \r'
-
- sleep 1
-
- if [[ $time_proc -gt 250 ]]
- then
- echoBold "\nSomething went wrong! Please Follow \"https://wso2.com/products/install/faq/#Kubernetes\" for more information\n"
- exit 2
- fi
- done
-
- echo -e "\n"
-
-}
-function deploy(){
-
- #checking for required tools
- if [[ ! $(which kubectl) ]]
- then
- display_msg "Please install Kubernetes command-line tool (kubectl) before you start with the setup\n"
- fi
-
- if [[ ! $(which base64) ]]
- then
- display_msg "Please install base64 before you start with the setup\n"
- fi
-
- echoBold "Checking for an enabled cluster... Your patience is appreciated..."
- cluster_isReady=$(kubectl cluster-info) > /dev/null 2>&1 || true
-
- if [[ ! $cluster_isReady == *"DNS"* ]]
- then
- echoBold "Done.\n"
- display_msg "\nPlease enable your cluster before running the setup.\n\nIf you don't have a kubernetes cluster, follow: https://kubernetes.io/docs/setup/\n\n"
- fi
- echoBold "Done.\n"
-
- #displaying wso2 product name
- product_name
-
- # getting cluster node ip
- get_node_ip
-
- #create kubernetes object yaml
- create_yaml
-
- # replace placeholders
- sed -i.bak 's|"$nodeport.k8s.&.1.wso2is"|'$NP_1'|g' $k8s_obj_file
- sed -i.bak 's|"$image.pull.@.wso2"|'$IMG_DEST'|g' $k8s_obj_file
- sed -i.bak 's|"$image.tag.wso2is"|'$IMG_TAG'|g' $k8s_obj_file
- rm "$k8s_obj_file.bak"
-
- echoBold "\nDeploying WSO2 Identity Server...\n"
-
- # create kubernetes deployment
- kubectl create -f ${k8s_obj_file}
-
- # waiting until deployment is ready
- progress_bar
-
- echoBold "Successfully deployed WSO2 Identity Server.\n\n"
-
- echoBold "1. Try navigating to Management Console, Console and My Account URLs from your favourite browser using credentials \n"
- echoBold "\tMgt Console URL : https://$NODE_IP:30443/carbon/\n"
- echoBold "\tConsole URL : https://$NODE_IP:30443/console\n"
- echoBold "\tMy Account URL : https://$NODE_IP:30443/myaccount\n"
-
- echoBold "\Credentials\n"
- echoBold "\tusername: admin\n"
- echoBold "\tpassword: admin\n"
-
- echoBold "3. Follow \"https://is.docs.wso2.com/en/6.1.0/\" to start using WSO2 Identity Server.\n\n"
-}
diff --git a/simple/is-k8s/identity-server-conf.yaml b/simple/is-k8s/identity-server-conf.yaml
deleted file mode 100644
index f885f68f..00000000
--- a/simple/is-k8s/identity-server-conf.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: identity-server-conf - namespace : wso2 -data: - deployment.toml: |- - [server] - hostname = "$env{HOST_NAME}" - node_ip = "$env{NODE_IP}" - # base_path = "https://$ref{server.hostname}:${carbon.management.port}" - - [super_admin] - username = "admin" - password = "admin" - create_admin_account = true - - [user_store] - type = "read_write_ldap_unique_id" - connection_url = "ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}" - connection_name = "uid=admin,ou=system" - connection_password = "admin" - base_dn = "dc=wso2,dc=org" #refers the base dn on which the user and group search bases will be generated - - [database.identity_db] - type = "mysql" - url = "jdbc:mysql://wso2is-rdbms-service-mysql:3306/WSO2IS_IDENTITY_DB?autoReconnect=true&useSSL=false" - username = "wso2carbon" - password = "wso2carbon" - driver = "com.mysql.cj.jdbc.Driver" - [database.identity_db.pool_options] - validationQuery = "SELECT 1" - - - [database.shared_db] - type = "mysql" - url = "jdbc:mysql://wso2is-rdbms-service-mysql:3306/WSO2IS_SHARED_DB?autoReconnect=true&useSSL=false" - username = "wso2carbon" - password = "wso2carbon" - driver = "com.mysql.cj.jdbc.Driver" - [database.shared_db.pool_options] - validationQuery = "SELECT 1" - - [keystore.primary] - file_name = "wso2carbon.jks" - password = "wso2carbon" ---- diff --git a/simple/is-k8s/identity-server-deployment.yaml b/simple/is-k8s/identity-server-deployment.yaml deleted file mode 100644 index 64687673..00000000 --- a/simple/is-k8s/identity-server-deployment.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: wso2is-deployment - namespace : wso2 -spec: - replicas: 1 - minReadySeconds: 30 - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - selector: - matchLabels: - deployment: wso2is - app: wso2is - monitoring: jmx - pod: wso2is - template: - metadata: - labels: - deployment: wso2is - app: wso2is - monitoring: jmx - pod: wso2is - spec: - hostAliases: - - ip: "127.0.0.1" - hostnames: - - "wso2is" - initContainers: - - name: init-is-db - image: busybox:1.31 - command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z wso2is-rdbms-service-mysql 3306; do sleep 1; printf "-"; done; echo -e " >> MySQL Server has started";'] - - name: init-mysql-connector-download - image: busybox:1.32 - command: - - /bin/sh - - "-c" - - | - set -e - connector_version=8.0.17 - wget https://repo1.maven.org/maven2/mysql/mysql-connector-java/${connector_version}/mysql-connector-java-${connector_version}.jar -P /mysql-connector-jar/ - volumeMounts: - - name: mysql-connector-jar - mountPath: /mysql-connector-jar - containers: - - name: wso2is - image: "$image.pull.@.wso2"/wso2is:"$image.tag.wso2is" - livenessProbe: - exec: - command: - - /bin/sh - - -c - - nc -z localhost 9443 - initialDelaySeconds: 250 - periodSeconds: 10 - readinessProbe: - exec: - command: - - /bin/sh - - -c - - nc -z localhost 9443 - initialDelaySeconds: 250 - periodSeconds: 10 - imagePullPolicy: Always - resources: - requests: - memory: "2Gi" - cpu: "2000m" - limits: - memory: "4Gi" - cpu: "4000m" - lifecycle: - preStop: - exec: - command: ['sh', '-c', '${WSO2_SERVER_HOME}/bin/wso2server.sh stop'] - securityContext: - runAsUser: 802 - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HOST_NAME - value: wso2is - ports: - - containerPort: 9763 - protocol: TCP - - containerPort: 9443 - protocol: TCP - volumeMounts: - - name: 
identity-server-conf - mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/deployment.toml - subPath: deployment.toml - - name: mysql-connector-jar - mountPath: /home/wso2carbon/wso2-artifact-volume/repository/components/dropins - serviceAccountName: "wso2svc-account" - imagePullSecrets: - - name: wso2is-deployment-creds - volumes: - - name: identity-server-conf - configMap: - name: identity-server-conf - - name: mysql-connector-jar - emptyDir: {} ---- diff --git a/simple/is-k8s/identity-server-service.yaml b/simple/is-k8s/identity-server-service.yaml deleted file mode 100644 index 3cf3b760..00000000 --- a/simple/is-k8s/identity-server-service.yaml +++ /dev/null @@ -1,27 +0,0 @@ - -apiVersion: v1 -kind: Service -metadata: - name: wso2is-service - namespace : wso2 - labels: - deployment: wso2is - app: wso2is - monitoring: jmx - pod: wso2is -spec: - selector: - deployment: wso2is - app: wso2is - type: NodePort - ports: - - name: servlet-http - port: 9763 - targetPort: 9763 - protocol: TCP - - name: servlet-https - port: 9443 - targetPort: 9443 - protocol: TCP - nodePort: "$nodeport.k8s.&.1.wso2is" ---- diff --git a/simple/mysql-k8s/mysql-conf-db.yaml b/simple/mysql-k8s/mysql-conf-db.yaml deleted file mode 100644 index 66a042d3..00000000 --- a/simple/mysql-k8s/mysql-conf-db.yaml +++ /dev/null 
@@ -1,1933 +0,0 @@ - -apiVersion: v1 -data: - init.sql: |- - DROP DATABASE IF EXISTS WSO2IS_SHARED_DB; - DROP DATABASE IF EXISTS WSO2IS_IDENTITY_DB; - - CREATE DATABASE WSO2IS_SHARED_DB; - CREATE DATABASE WSO2IS_IDENTITY_DB; - - GRANT ALL ON WSO2IS_SHARED_DB.* TO 'wso2carbon'@'%' IDENTIFIED BY 'wso2carbon'; - GRANT ALL ON WSO2IS_IDENTITY_DB.* TO 'wso2carbon'@'%' IDENTIFIED BY 'wso2carbon'; - - USE WSO2IS_SHARED_DB; - - CREATE TABLE IF NOT EXISTS REG_CLUSTER_LOCK ( - REG_LOCK_NAME VARCHAR (20), - REG_LOCK_STATUS VARCHAR (20), - REG_LOCKED_TIME TIMESTAMP, - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (REG_LOCK_NAME) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_LOG ( - REG_LOG_ID INTEGER AUTO_INCREMENT, - REG_PATH VARCHAR (750), - REG_USER_ID VARCHAR (255) NOT NULL, - REG_LOGGED_TIME TIMESTAMP NOT NULL, - REG_ACTION INTEGER NOT NULL, - REG_ACTION_DATA VARCHAR (500), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (REG_LOG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_LOG_IND_BY_REGLOG USING HASH ON REG_LOG(REG_LOGGED_TIME, REG_TENANT_ID); - - -- The REG_PATH_VALUE should be less than 767 bytes, and hence was fixed at 750. - -- See CARBON-5917. 
- - CREATE TABLE IF NOT EXISTS REG_PATH( - REG_PATH_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PATH_VALUE VARCHAR(750) CHARACTER SET latin1 COLLATE latin1_general_cs NOT NULL, - REG_PATH_PARENT_ID INTEGER, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_PATH PRIMARY KEY(REG_PATH_ID, REG_TENANT_ID), - CONSTRAINT UNIQUE_REG_PATH_TENANT_ID UNIQUE (REG_PATH_VALUE,REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_PATH_IND_BY_PATH_PARENT_ID USING HASH ON REG_PATH(REG_PATH_PARENT_ID, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_CONTENT ( - REG_CONTENT_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_CONTENT_DATA LONGBLOB, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_CONTENT PRIMARY KEY(REG_CONTENT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_CONTENT_HISTORY ( - REG_CONTENT_ID INTEGER NOT NULL, - REG_CONTENT_DATA LONGBLOB, - REG_DELETED SMALLINT, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_CONTENT_HISTORY PRIMARY KEY(REG_CONTENT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE ( - REG_PATH_ID INTEGER NOT NULL, - REG_NAME VARCHAR(256), - REG_VERSION INTEGER NOT NULL AUTO_INCREMENT, - REG_MEDIA_TYPE VARCHAR(500), - REG_CREATOR VARCHAR(255) NOT NULL, - REG_CREATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_LAST_UPDATOR VARCHAR(255), - REG_LAST_UPDATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_DESCRIPTION VARCHAR(1000), - REG_CONTENT_ID INTEGER, - REG_TENANT_ID INTEGER DEFAULT 0, - REG_UUID VARCHAR(100) NOT NULL, - CONSTRAINT PK_REG_RESOURCE PRIMARY KEY(REG_VERSION, REG_TENANT_ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE ADD CONSTRAINT REG_RESOURCE_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE ADD CONSTRAINT REG_RESOURCE_FK_BY_CONTENT_ID FOREIGN KEY (REG_CONTENT_ID, REG_TENANT_ID) REFERENCES REG_CONTENT (REG_CONTENT_ID, REG_TENANT_ID); - CREATE INDEX 
REG_RESOURCE_IND_BY_NAME USING HASH ON REG_RESOURCE(REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_IND_BY_PATH_ID_NAME USING HASH ON REG_RESOURCE(REG_PATH_ID, REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_IND_BY_UUID USING HASH ON REG_RESOURCE(REG_UUID); - CREATE INDEX REG_RESOURCE_IND_BY_TENAN USING HASH ON REG_RESOURCE(REG_TENANT_ID, REG_UUID); - CREATE INDEX REG_RESOURCE_IND_BY_TYPE USING HASH ON REG_RESOURCE(REG_TENANT_ID, REG_MEDIA_TYPE); - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_HISTORY ( - REG_PATH_ID INTEGER NOT NULL, - REG_NAME VARCHAR(256), - REG_VERSION INTEGER NOT NULL, - REG_MEDIA_TYPE VARCHAR(500), - REG_CREATOR VARCHAR(255) NOT NULL, - REG_CREATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_LAST_UPDATOR VARCHAR(255), - REG_LAST_UPDATED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - REG_DESCRIPTION VARCHAR(1000), - REG_CONTENT_ID INTEGER, - REG_DELETED SMALLINT, - REG_TENANT_ID INTEGER DEFAULT 0, - REG_UUID VARCHAR(100) NOT NULL, - CONSTRAINT PK_REG_RESOURCE_HISTORY PRIMARY KEY(REG_VERSION, REG_TENANT_ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_HISTORY ADD CONSTRAINT REG_RESOURCE_HIST_FK_BY_PATHID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_HISTORY ADD CONSTRAINT REG_RESOURCE_HIST_FK_BY_CONTENT_ID FOREIGN KEY (REG_CONTENT_ID, REG_TENANT_ID) REFERENCES REG_CONTENT_HISTORY (REG_CONTENT_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_HISTORY_IND_BY_NAME USING HASH ON REG_RESOURCE_HISTORY(REG_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_HISTORY_IND_BY_PATH_ID_NAME USING HASH ON REG_RESOURCE(REG_PATH_ID, REG_NAME, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_COMMENT ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_COMMENT_TEXT VARCHAR(500) NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_COMMENTED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_COMMENT PRIMARY KEY(REG_ID, REG_TENANT_ID) - 
)ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_COMMENT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_COMMENT_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_COMMENT ADD CONSTRAINT REG_RESOURCE_COMMENT_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_COMMENT ADD CONSTRAINT REG_RESOURCE_COMMENT_FK_BY_COMMENT_ID FOREIGN KEY (REG_COMMENT_ID, REG_TENANT_ID) REFERENCES REG_COMMENT (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_COMMENT_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_COMMENT(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_COMMENT_IND_BY_VERSION USING HASH ON REG_RESOURCE_COMMENT(REG_VERSION, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_RATING ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_RATING INTEGER NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_RATED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_RATING PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_RATING ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_RATING_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_RATING ADD CONSTRAINT REG_RESOURCE_RATING_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_RATING ADD CONSTRAINT REG_RESOURCE_RATING_FK_BY_RATING_ID FOREIGN KEY (REG_RATING_ID, REG_TENANT_ID) REFERENCES REG_RATING (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_RATING_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_RATING(REG_PATH_ID, REG_RESOURCE_NAME, 
REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_RATING_IND_BY_VERSION USING HASH ON REG_RESOURCE_RATING(REG_VERSION, REG_TENANT_ID); - - - CREATE TABLE IF NOT EXISTS REG_TAG ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_TAG_NAME VARCHAR(500) NOT NULL, - REG_USER_ID VARCHAR(255) NOT NULL, - REG_TAGGED_TIME TIMESTAMP NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_TAG PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_TAG ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_TAG_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_TAG ADD CONSTRAINT REG_RESOURCE_TAG_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_TAG ADD CONSTRAINT REG_RESOURCE_TAG_FK_BY_TAG_ID FOREIGN KEY (REG_TAG_ID, REG_TENANT_ID) REFERENCES REG_TAG (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_TAG_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_TAG(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_TAG_IND_BY_VERSION USING HASH ON REG_RESOURCE_TAG(REG_VERSION, REG_TENANT_ID); - - CREATE TABLE IF NOT EXISTS REG_PROPERTY ( - REG_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_NAME VARCHAR(100) NOT NULL, - REG_VALUE VARCHAR(1000), - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_PROPERTY PRIMARY KEY(REG_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_RESOURCE_PROPERTY ( - ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PROPERTY_ID INTEGER NOT NULL, - REG_VERSION INTEGER, - REG_PATH_ID INTEGER, - REG_RESOURCE_NAME VARCHAR(256), - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY(ID) - )ENGINE INNODB; - - ALTER TABLE REG_RESOURCE_PROPERTY ADD CONSTRAINT REG_RESOURCE_PROPERTY_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, 
REG_TENANT_ID); - ALTER TABLE REG_RESOURCE_PROPERTY ADD CONSTRAINT REG_RESOURCE_PROPERTY_FK_BY_TAG_ID FOREIGN KEY (REG_PROPERTY_ID, REG_TENANT_ID) REFERENCES REG_PROPERTY (REG_ID, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_PROPERTY_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_RESOURCE_PROPERTY(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - CREATE INDEX REG_RESOURCE_PROPERTY_IND_BY_VERSION USING HASH ON REG_RESOURCE_PROPERTY(REG_VERSION, REG_TENANT_ID); - - -- CREATE TABLE IF NOT EXISTS REG_ASSOCIATIONS ( - -- SRC_PATH_ID INTEGER, - -- SRC_RESOURCE_NAME VARCHAR(256), - -- SRC_VERSION INTEGER, - -- TGT_PATH_ID INTEGER, - -- TGT_RESOURCE_NAME VARCHAR(256), - -- TGT_VERSION INTEGER - -- )ENGINE INNODB; - -- - -- ALTER TABLE REG_ASSOCIATIONS ADD CONSTRAINT REG_ASSOCIATIONS_FK_BY_SRC_PATH_ID FOREIGN KEY (SRC_PATH_ID) REFERENCES REG_PATH (PATH_ID); - -- ALTER TABLE REG_ASSOCIATIONS ADD CONSTRAINT REG_ASSOCIATIONS_FK_BY_TGT_PATH_ID FOREIGN KEY (TGT_PATH_ID) REFERENCES REG_PATH (PATH_ID); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_SRC_VERSION ON REG_ASSOCIATIONS(SRC_VERSION); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_TGT_VERSION ON REG_ASSOCIATIONS(TGT_VERSION); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_SRC_RESOURCE_NAME ON REG_ASSOCIATIONS(SRC_RESOURCE_NAME); - -- CREATE INDEX REG_ASSOCIATIONS_IND_BY_TGT_RESOURCE_NAME ON REG_ASSOCIATIONS(TGT_RESOURCE_NAME); - - - - CREATE TABLE IF NOT EXISTS REG_ASSOCIATION ( - REG_ASSOCIATION_ID INTEGER AUTO_INCREMENT, - REG_SOURCEPATH VARCHAR (750) NOT NULL, - REG_TARGETPATH VARCHAR (750) NOT NULL, - REG_ASSOCIATION_TYPE VARCHAR (2000) NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (REG_ASSOCIATION_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS REG_SNAPSHOT ( - REG_SNAPSHOT_ID INTEGER NOT NULL AUTO_INCREMENT, - REG_PATH_ID INTEGER NOT NULL, - REG_RESOURCE_NAME VARCHAR(255), - REG_RESOURCE_VIDS LONGBLOB NOT NULL, - REG_TENANT_ID INTEGER DEFAULT 0, - CONSTRAINT PK_REG_SNAPSHOT PRIMARY 
KEY(REG_SNAPSHOT_ID, REG_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX REG_SNAPSHOT_IND_BY_PATH_ID_AND_RESOURCE_NAME USING HASH ON REG_SNAPSHOT(REG_PATH_ID, REG_RESOURCE_NAME, REG_TENANT_ID); - - ALTER TABLE REG_SNAPSHOT ADD CONSTRAINT REG_SNAPSHOT_FK_BY_PATH_ID FOREIGN KEY (REG_PATH_ID, REG_TENANT_ID) REFERENCES REG_PATH (REG_PATH_ID, REG_TENANT_ID); - - - -- ################################ - -- USER MANAGER TABLES - -- ################################ - - CREATE TABLE UM_TENANT ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_TENANT_UUID VARCHAR(36) NOT NULL, - UM_DOMAIN_NAME VARCHAR(255) NOT NULL, - UM_EMAIL VARCHAR(255), - UM_ACTIVE BOOLEAN DEFAULT FALSE, - UM_CREATED_DATE TIMESTAMP NOT NULL, - UM_USER_CONFIG LONGBLOB, - UM_ORG_UUID VARCHAR(36) DEFAULT NULL, - PRIMARY KEY (UM_ID), - UNIQUE(UM_DOMAIN_NAME), - UNIQUE(UM_TENANT_UUID) - )ENGINE INNODB; - - CREATE TABLE UM_DOMAIN( - UM_DOMAIN_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DOMAIN_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_DOMAIN_ID, UM_TENANT_ID), - UNIQUE(UM_DOMAIN_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE UNIQUE INDEX INDEX_UM_TENANT_UM_DOMAIN_NAME - ON UM_TENANT (UM_DOMAIN_NAME); - - CREATE TABLE UM_USER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_ID VARCHAR(255) NOT NULL, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_USER_PASSWORD VARCHAR(255) NOT NULL, - UM_SALT_VALUE VARCHAR(31), - UM_REQUIRE_CHANGE BOOLEAN DEFAULT FALSE, - UM_CHANGED_TIME TIMESTAMP NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_USER_ID), - UNIQUE(UM_USER_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE UNIQUE INDEX INDEX_UM_USERNAME_UM_TENANT_ID ON UM_USER(UM_USER_NAME, UM_TENANT_ID); - - CREATE TABLE UM_SYSTEM_USER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_USER_PASSWORD VARCHAR(255) NOT NULL, - UM_SALT_VALUE VARCHAR(31), - UM_REQUIRE_CHANGE BOOLEAN DEFAULT FALSE, - UM_CHANGED_TIME TIMESTAMP NOT 
NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_USER_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_ROLE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_SHARED_ROLE BOOLEAN DEFAULT FALSE, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_MODULE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_MODULE_NAME VARCHAR(100), - UNIQUE(UM_MODULE_NAME), - PRIMARY KEY(UM_ID) - )ENGINE INNODB; - - CREATE TABLE UM_MODULE_ACTIONS( - UM_ACTION VARCHAR(255) NOT NULL, - UM_MODULE_ID INTEGER NOT NULL, - PRIMARY KEY(UM_ACTION, UM_MODULE_ID), - FOREIGN KEY (UM_MODULE_ID) REFERENCES UM_MODULE(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE TABLE UM_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_RESOURCE_ID VARCHAR(255) NOT NULL, - UM_ACTION VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_MODULE_ID INTEGER DEFAULT 0, - UNIQUE(UM_RESOURCE_ID,UM_ACTION, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX INDEX_UM_PERMISSION_UM_RESOURCE_ID_UM_ACTION ON UM_PERMISSION (UM_RESOURCE_ID, UM_ACTION, UM_TENANT_ID); - - CREATE TABLE UM_ROLE_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PERMISSION_ID INTEGER NOT NULL, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_IS_ALLOWED SMALLINT NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_PERMISSION_ID, UM_ROLE_NAME, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_PERMISSION_ID, UM_TENANT_ID) REFERENCES UM_PERMISSION(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - -- REMOVED UNIQUE (UM_PERMISSION_ID, UM_ROLE_ID) - CREATE TABLE UM_USER_PERMISSION ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PERMISSION_ID 
INTEGER NOT NULL, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_IS_ALLOWED SMALLINT NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY (UM_PERMISSION_ID, UM_TENANT_ID) REFERENCES UM_PERMISSION(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - -- REMOVED UNIQUE (UM_PERMISSION_ID, UM_USER_ID) - CREATE TABLE UM_USER_ROLE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_ID INTEGER NOT NULL, - UM_USER_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_ROLE(UM_ID, UM_TENANT_ID), - FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) REFERENCES UM_USER(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SHARED_USER_ROLE( - ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_ID INTEGER NOT NULL, - UM_USER_ID INTEGER NOT NULL, - UM_USER_TENANT_ID INTEGER NOT NULL, - UM_ROLE_TENANT_ID INTEGER NOT NULL, - UNIQUE(UM_USER_ID,UM_ROLE_ID,UM_USER_TENANT_ID, UM_ROLE_TENANT_ID), - FOREIGN KEY(UM_ROLE_ID,UM_ROLE_TENANT_ID) REFERENCES UM_ROLE(UM_ID,UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY(UM_USER_ID,UM_USER_TENANT_ID) REFERENCES UM_USER(UM_ID,UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY(ID) - )ENGINE INNODB; - - CREATE TABLE UM_ACCOUNT_MAPPING( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER NOT NULL, - UM_USER_STORE_DOMAIN VARCHAR(100), - UM_ACC_LINK_ID INTEGER NOT NULL, - UNIQUE(UM_USER_NAME, UM_TENANT_ID, UM_USER_STORE_DOMAIN, UM_ACC_LINK_ID), - FOREIGN KEY (UM_TENANT_ID) REFERENCES UM_TENANT(UM_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_USER_ATTRIBUTE ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ATTR_NAME VARCHAR(255) NOT NULL, - UM_ATTR_VALUE VARCHAR(1024), - UM_PROFILE_ID VARCHAR(255), - UM_USER_ID INTEGER, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) 
REFERENCES UM_USER(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX UM_USER_ID_INDEX ON UM_USER_ATTRIBUTE(UM_USER_ID); - - CREATE INDEX UM_ATTR_NAME_VALUE_INDEX ON UM_USER_ATTRIBUTE(UM_ATTR_NAME, UM_ATTR_VALUE(512)); - - CREATE TABLE UM_DIALECT( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_URI VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE(UM_DIALECT_URI, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_CLAIM( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_ID INTEGER NOT NULL, - UM_CLAIM_URI VARCHAR(255) NOT NULL, - UM_DISPLAY_TAG VARCHAR(255), - UM_DESCRIPTION VARCHAR(255), - UM_MAPPED_ATTRIBUTE_DOMAIN VARCHAR(255), - UM_MAPPED_ATTRIBUTE VARCHAR(255), - UM_REG_EX VARCHAR(255), - UM_SUPPORTED SMALLINT, - UM_REQUIRED SMALLINT, - UM_DISPLAY_ORDER INTEGER, - UM_CHECKED_ATTRIBUTE SMALLINT, - UM_READ_ONLY SMALLINT, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE(UM_DIALECT_ID, UM_CLAIM_URI, UM_TENANT_ID,UM_MAPPED_ATTRIBUTE_DOMAIN), - FOREIGN KEY(UM_DIALECT_ID, UM_TENANT_ID) REFERENCES UM_DIALECT(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_PROFILE_CONFIG( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_DIALECT_ID INTEGER NOT NULL, - UM_PROFILE_NAME VARCHAR(255), - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY(UM_DIALECT_ID, UM_TENANT_ID) REFERENCES UM_DIALECT(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_CLAIM_BEHAVIOR( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_PROFILE_ID INTEGER, - UM_CLAIM_ID INTEGER, - UM_BEHAVIOUR SMALLINT, - UM_TENANT_ID INTEGER DEFAULT 0, - FOREIGN KEY(UM_PROFILE_ID, UM_TENANT_ID) REFERENCES UM_PROFILE_CONFIG(UM_ID,UM_TENANT_ID), - FOREIGN KEY(UM_CLAIM_ID, UM_TENANT_ID) REFERENCES UM_CLAIM(UM_ID,UM_TENANT_ID), - PRIMARY KEY(UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_HYBRID_ROLE( - UM_ID INTEGER NOT NULL 
AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE INDEX UM_ROLE_NAME_IND ON UM_HYBRID_ROLE(UM_ROLE_NAME); - - CREATE TABLE UM_HYBRID_USER_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_USER_NAME, UM_ROLE_ID, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_HYBRID_ROLE(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_HYBRID_GROUP_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_GROUP_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UM_DOMAIN_ID INTEGER, - UNIQUE (UM_GROUP_NAME, UM_ROLE_ID, UM_TENANT_ID, UM_DOMAIN_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_HYBRID_ROLE(UM_ID, UM_TENANT_ID) ON DELETE CASCADE, - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SYSTEM_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_ROLE_NAME VARCHAR(255) NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID), - UNIQUE(UM_ROLE_NAME,UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE UM_SYSTEM_USER_ROLE( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255), - UM_ROLE_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - UNIQUE (UM_USER_NAME, UM_ROLE_ID, UM_TENANT_ID), - FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_SYSTEM_ROLE(UM_ID, UM_TENANT_ID), - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - - CREATE TABLE UM_HYBRID_REMEMBER_ME( - UM_ID INTEGER NOT NULL 
AUTO_INCREMENT, - UM_USER_NAME VARCHAR(255) NOT NULL, - UM_COOKIE_VALUE VARCHAR(1024), - UM_CREATED_TIME TIMESTAMP, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID, UM_TENANT_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS UM_UUID_DOMAIN_MAPPER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_USER_ID VARCHAR(255) NOT NULL, - UM_DOMAIN_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID), - UNIQUE (UM_USER_ID), - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE INDEX UUID_DM_UID_TID ON UM_UUID_DOMAIN_MAPPER(UM_USER_ID, UM_TENANT_ID); - - CREATE TABLE IF NOT EXISTS UM_GROUP_UUID_DOMAIN_MAPPER ( - UM_ID INTEGER NOT NULL AUTO_INCREMENT, - UM_GROUP_ID VARCHAR(255) NOT NULL, - UM_DOMAIN_ID INTEGER NOT NULL, - UM_TENANT_ID INTEGER DEFAULT 0, - PRIMARY KEY (UM_ID), - UNIQUE (UM_GROUP_ID), - FOREIGN KEY (UM_DOMAIN_ID, UM_TENANT_ID) REFERENCES UM_DOMAIN(UM_DOMAIN_ID, UM_TENANT_ID) ON DELETE CASCADE - )ENGINE INNODB; - - CREATE INDEX GRP_UUID_DM_GRP_ID_TID ON UM_GROUP_UUID_DOMAIN_MAPPER(UM_GROUP_ID, UM_TENANT_ID); - - -- ################################ - -- ORGANIZATION MANAGEMENT TABLES - -- ################################ - - SET SQL_MODE='ALLOW_INVALID_DATES'; - - CREATE TABLE IF NOT EXISTS UM_ORG ( - UM_ID VARCHAR(36) NOT NULL, - UM_ORG_NAME VARCHAR(255) NOT NULL, - UM_ORG_DESCRIPTION VARCHAR(1024), - UM_CREATED_TIME TIMESTAMP NOT NULL, - UM_LAST_MODIFIED TIMESTAMP NOT NULL, - UM_STATUS VARCHAR(255) DEFAULT 'ACTIVE' NOT NULL, - UM_PARENT_ID VARCHAR(36), - UM_ORG_TYPE VARCHAR(100) NOT NULL, - PRIMARY KEY (UM_ID), - FOREIGN KEY (UM_PARENT_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE - )ENGINE INNODB; - - INSERT IGNORE INTO UM_ORG (UM_ID, UM_ORG_NAME, UM_ORG_DESCRIPTION, UM_CREATED_TIME, UM_LAST_MODIFIED, UM_STATUS, UM_ORG_TYPE) - VALUES ('10084a8d-113f-4211-a0d5-efe36b082211', 'Super', 'This is the super organization.', CURRENT_TIMESTAMP, 
CURRENT_TIMESTAMP, 'ACTIVE', 'TENANT');
-
- CREATE TABLE IF NOT EXISTS UM_ORG_ATTRIBUTE (
- UM_ID INTEGER NOT NULL AUTO_INCREMENT,
- UM_ORG_ID VARCHAR(36) NOT NULL,
- UM_ATTRIBUTE_KEY VARCHAR(255) NOT NULL,
- UM_ATTRIBUTE_VALUE VARCHAR(512),
- PRIMARY KEY (UM_ID),
- UNIQUE (UM_ORG_ID, UM_ATTRIBUTE_KEY),
- FOREIGN KEY (UM_ORG_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS UM_ORG_ROLE (
- UM_ROLE_ID VARCHAR(255) NOT NULL,
- UM_ROLE_NAME VARCHAR(255) NOT NULL,
- UM_ORG_ID VARCHAR(36) NOT NULL,
- PRIMARY KEY(UM_ROLE_ID),
- CONSTRAINT FK_UM_ORG_ROLE_UM_ORG FOREIGN KEY (UM_ORG_ID) REFERENCES UM_ORG (UM_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS UM_ORG_PERMISSION(
- UM_ID INTEGER NOT NULL AUTO_INCREMENT,
- UM_RESOURCE_ID VARCHAR(255) NOT NULL,
- UM_ACTION VARCHAR(255) NOT NULL,
- UM_TENANT_ID INTEGER DEFAULT 0,
- PRIMARY KEY (UM_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_USER (
- UM_USER_ID VARCHAR(255) NOT NULL,
- UM_ROLE_ID VARCHAR(255) NOT NULL,
- CONSTRAINT FK_UM_ORG_ROLE_USER_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_GROUP(
- UM_GROUP_ID VARCHAR(255) NOT NULL,
- UM_ROLE_ID VARCHAR(255) NOT NULL,
- CONSTRAINT FK_UM_ORG_ROLE_GROUP_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS UM_ORG_ROLE_PERMISSION(
- UM_PERMISSION_ID INTEGER NOT NULL,
- UM_ROLE_ID VARCHAR(255) NOT NULL,
- CONSTRAINT FK_UM_ORG_ROLE_PERMISSION_UM_ORG_ROLE FOREIGN KEY (UM_ROLE_ID) REFERENCES UM_ORG_ROLE(UM_ROLE_ID) ON DELETE CASCADE,
- CONSTRAINT FK_UM_ORG_ROLE_PERMISSION_UM_ORG_PERMISSION FOREIGN KEY (UM_PERMISSION_ID) REFERENCES UM_ORG_PERMISSION(UM_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS UM_ORG_HIERARCHY (
- UM_PARENT_ID VARCHAR(36) NOT NULL,
- UM_ID VARCHAR(36) NOT NULL,
- DEPTH INTEGER,
- PRIMARY KEY (UM_PARENT_ID, UM_ID),
- FOREIGN KEY (UM_PARENT_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE,
- FOREIGN KEY (UM_ID) REFERENCES UM_ORG(UM_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- INSERT IGNORE INTO UM_ORG_HIERARCHY (UM_PARENT_ID, UM_ID, DEPTH)
- VALUES ('10084a8d-113f-4211-a0d5-efe36b082211', '10084a8d-113f-4211-a0d5-efe36b082211', 0);
-
- USE WSO2IS_IDENTITY_DB;
-
- CREATE TABLE IF NOT EXISTS IDN_BASE_TABLE (
- PRODUCT_NAME VARCHAR(20),
- PRIMARY KEY (PRODUCT_NAME)
- )ENGINE INNODB;
-
- INSERT INTO IDN_BASE_TABLE values ('WSO2 Identity Server');
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH_CONSUMER_APPS (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- CONSUMER_KEY VARCHAR(255),
- CONSUMER_SECRET VARCHAR(2048),
- USERNAME VARCHAR(255),
- TENANT_ID INTEGER DEFAULT 0,
- USER_DOMAIN VARCHAR(50),
- APP_NAME VARCHAR(255),
- OAUTH_VERSION VARCHAR(128),
- CALLBACK_URL VARCHAR(2048),
- GRANT_TYPES VARCHAR (1024),
- PKCE_MANDATORY CHAR(1) DEFAULT '0',
- PKCE_SUPPORT_PLAIN CHAR(1) DEFAULT '0',
- APP_STATE VARCHAR (25) DEFAULT 'ACTIVE',
- USER_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600,
- APP_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600,
- REFRESH_TOKEN_EXPIRE_TIME BIGINT DEFAULT 84600,
- ID_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600,
- CONSTRAINT CONSUMER_KEY_CONSTRAINT UNIQUE (CONSUMER_KEY),
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_VALIDATORS (
- APP_ID INTEGER NOT NULL,
- SCOPE_VALIDATOR VARCHAR (128) NOT NULL,
- PRIMARY KEY (APP_ID,SCOPE_VALIDATOR),
- FOREIGN KEY (APP_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_REQUEST_TOKEN (
- REQUEST_TOKEN VARCHAR(255),
- REQUEST_TOKEN_SECRET VARCHAR(512),
- CONSUMER_KEY_ID INTEGER,
- CALLBACK_URL VARCHAR(2048),
- SCOPE VARCHAR(2048),
- AUTHORIZED VARCHAR(128),
- OAUTH_VERIFIER VARCHAR(512),
- AUTHZ_USER VARCHAR(512),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (REQUEST_TOKEN),
- FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_ACCESS_TOKEN (
- ACCESS_TOKEN VARCHAR(255),
- ACCESS_TOKEN_SECRET VARCHAR(512),
- CONSUMER_KEY_ID INTEGER,
- SCOPE VARCHAR(2048),
- AUTHZ_USER VARCHAR(512),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (ACCESS_TOKEN),
- FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN (
- TOKEN_ID VARCHAR (255),
- ACCESS_TOKEN VARCHAR(2048),
- REFRESH_TOKEN VARCHAR(2048),
- CONSUMER_KEY_ID INTEGER,
- AUTHZ_USER VARCHAR (100),
- TENANT_ID INTEGER,
- USER_DOMAIN VARCHAR(50),
- USER_TYPE VARCHAR (25),
- GRANT_TYPE VARCHAR (50),
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- REFRESH_TOKEN_TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- VALIDITY_PERIOD BIGINT,
- REFRESH_TOKEN_VALIDITY_PERIOD BIGINT,
- TOKEN_SCOPE_HASH VARCHAR(32),
- TOKEN_STATE VARCHAR(25) DEFAULT 'ACTIVE',
- TOKEN_STATE_ID VARCHAR (128) DEFAULT 'NONE',
- SUBJECT_IDENTIFIER VARCHAR(255),
- ACCESS_TOKEN_HASH VARCHAR(512),
- REFRESH_TOKEN_HASH VARCHAR(512),
- IDP_ID INTEGER DEFAULT -1 NOT NULL,
- TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE',
- CONSENTED_TOKEN VARCHAR(6),
- PRIMARY KEY (TOKEN_ID),
- FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
- CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH,
- TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_TOKEN_BINDING (
- TOKEN_ID VARCHAR (255),
- TOKEN_BINDING_TYPE VARCHAR (32),
- TOKEN_BINDING_REF VARCHAR (32),
- TOKEN_BINDING_VALUE VARCHAR (1024),
- TENANT_ID INTEGER DEFAULT -1,
- UNIQUE (TOKEN_ID,TOKEN_BINDING_TYPE,TOKEN_BINDING_VALUE),
- FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_AUDIT (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TOKEN_ID VARCHAR (255),
- ACCESS_TOKEN VARCHAR(2048),
- REFRESH_TOKEN VARCHAR(2048),
- CONSUMER_KEY_ID INTEGER,
- AUTHZ_USER VARCHAR (100),
- TENANT_ID INTEGER,
- USER_DOMAIN VARCHAR(50),
- USER_TYPE VARCHAR (25),
- GRANT_TYPE VARCHAR (50),
- TIME_CREATED TIMESTAMP NULL,
- REFRESH_TOKEN_TIME_CREATED TIMESTAMP NULL,
- VALIDITY_PERIOD BIGINT,
- REFRESH_TOKEN_VALIDITY_PERIOD BIGINT,
- TOKEN_SCOPE_HASH VARCHAR(32),
- TOKEN_STATE VARCHAR(25),
- TOKEN_STATE_ID VARCHAR (128) ,
- SUBJECT_IDENTIFIER VARCHAR(255),
- ACCESS_TOKEN_HASH VARCHAR(512),
- REFRESH_TOKEN_HASH VARCHAR(512),
- INVALIDATED_TIME TIMESTAMP NULL,
- IDP_ID INTEGER DEFAULT -1 NOT NULL,
- PRIMARY KEY(ID)
- );
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHORIZATION_CODE (
- CODE_ID VARCHAR (255),
- AUTHORIZATION_CODE VARCHAR(2048),
- CONSUMER_KEY_ID INTEGER,
- CALLBACK_URL VARCHAR(2048),
- SCOPE VARCHAR(2048),
- AUTHZ_USER VARCHAR (100),
- TENANT_ID INTEGER,
- USER_DOMAIN VARCHAR(50),
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- VALIDITY_PERIOD BIGINT,
- STATE VARCHAR (25) DEFAULT 'ACTIVE',
- TOKEN_ID VARCHAR(255),
- SUBJECT_IDENTIFIER VARCHAR(255),
- PKCE_CODE_CHALLENGE VARCHAR(255),
- PKCE_CODE_CHALLENGE_METHOD VARCHAR(128),
- AUTHORIZATION_CODE_HASH VARCHAR(512),
- IDP_ID INTEGER DEFAULT -1 NOT NULL,
- PRIMARY KEY (CODE_ID),
- FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHZ_CODE_SCOPE(
- CODE_ID VARCHAR(255),
- SCOPE VARCHAR(60),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (CODE_ID, SCOPE),
- FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE (CODE_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_DEVICE_FLOW (
- CODE_ID VARCHAR(255),
- DEVICE_CODE VARCHAR(255),
- USER_CODE VARCHAR(25),
- QUANTIFIER INTEGER NOT NULL DEFAULT 0,
- CONSUMER_KEY_ID INTEGER,
- LAST_POLL_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- EXPIRY_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- POLL_TIME BIGINT,
- STATUS VARCHAR (25) DEFAULT 'PENDING',
- AUTHZ_USER VARCHAR (100),
- TENANT_ID INTEGER,
- USER_DOMAIN VARCHAR(50),
- IDP_ID INTEGER,
- PRIMARY KEY (DEVICE_CODE),
- UNIQUE (CODE_ID),
- CONSTRAINT USRCDE_QNTFR_CONSTRAINT UNIQUE (USER_CODE, QUANTIFIER),
- FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_DEVICE_FLOW_SCOPES (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- SCOPE_ID VARCHAR(255),
- SCOPE VARCHAR(255),
- PRIMARY KEY (ID),
- FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_DEVICE_FLOW(CODE_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_SCOPE (
- TOKEN_ID VARCHAR (255),
- TOKEN_SCOPE VARCHAR (60),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (TOKEN_ID, TOKEN_SCOPE),
- FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE (
- SCOPE_ID INTEGER NOT NULL AUTO_INCREMENT,
- NAME VARCHAR(255) NOT NULL,
- DISPLAY_NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(512),
- TENANT_ID INTEGER NOT NULL DEFAULT -1,
- SCOPE_TYPE VARCHAR(255) NOT NULL,
- PRIMARY KEY (SCOPE_ID),
- UNIQUE (NAME, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_BINDING (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- SCOPE_ID INTEGER NOT NULL,
- SCOPE_BINDING VARCHAR(255) NOT NULL,
- BINDING_TYPE VARCHAR(255) NOT NULL,
- FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE (SCOPE_ID) ON DELETE CASCADE,
- UNIQUE (SCOPE_ID, SCOPE_BINDING, BINDING_TYPE),
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_RESOURCE_SCOPE (
- RESOURCE_PATH VARCHAR(255) NOT NULL,
- SCOPE_ID INTEGER NOT NULL,
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (RESOURCE_PATH),
- FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE (SCOPE_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_SCIM_GROUP (
- ID INTEGER AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- ROLE_NAME VARCHAR(255) NOT NULL,
- ATTR_NAME VARCHAR(1024) NOT NULL,
- ATTR_VALUE VARCHAR(1024),
- UNIQUE(TENANT_ID, ROLE_NAME, ATTR_NAME),
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
-
-
- CREATE TABLE IF NOT EXISTS IDN_OPENID_REMEMBER_ME (
- USER_NAME VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER DEFAULT 0,
- COOKIE_VALUE VARCHAR(1024),
- CREATED_TIME TIMESTAMP,
- PRIMARY KEY (USER_NAME, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OPENID_USER_RPS (
- USER_NAME VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER DEFAULT 0,
- RP_URL VARCHAR(255) NOT NULL,
- TRUSTED_ALWAYS VARCHAR(128) DEFAULT 'FALSE',
- LAST_VISIT DATE NOT NULL,
- VISIT_COUNT INTEGER DEFAULT 0,
- DEFAULT_PROFILE_NAME VARCHAR(255) DEFAULT 'DEFAULT',
- PRIMARY KEY (USER_NAME, TENANT_ID, RP_URL)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OPENID_ASSOCIATIONS (
- HANDLE VARCHAR(255) NOT NULL,
- ASSOC_TYPE VARCHAR(255) NOT NULL,
- EXPIRE_IN TIMESTAMP NOT NULL,
- MAC_KEY VARCHAR(255) NOT NULL,
- ASSOC_STORE VARCHAR(128) DEFAULT 'SHARED',
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (HANDLE)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_STS_STORE (
- ID INTEGER AUTO_INCREMENT,
- TOKEN_ID VARCHAR(255) NOT NULL,
- TOKEN_CONTENT BLOB(1024) NOT NULL,
- CREATE_DATE TIMESTAMP NOT NULL,
- EXPIRE_DATE TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- STATE INTEGER DEFAULT 0,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_IDENTITY_USER_DATA (
- TENANT_ID INTEGER DEFAULT -1234,
- USER_NAME VARCHAR(255) NOT NULL,
- DATA_KEY VARCHAR(255) NOT NULL,
- DATA_VALUE VARCHAR(2048),
- PRIMARY KEY (TENANT_ID, USER_NAME, DATA_KEY)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_IDENTITY_META_DATA (
- USER_NAME VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER DEFAULT -1234,
- METADATA_TYPE VARCHAR(255) NOT NULL,
- METADATA VARCHAR(255) NOT NULL,
- VALID VARCHAR(255) NOT NULL,
- PRIMARY KEY (TENANT_ID, USER_NAME, METADATA_TYPE,METADATA)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_THRIFT_SESSION (
- SESSION_ID VARCHAR(255) NOT NULL,
- USER_NAME VARCHAR(255) NOT NULL,
- CREATED_TIME VARCHAR(255) NOT NULL,
- LAST_MODIFIED_TIME VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (SESSION_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_STORE (
- SESSION_ID VARCHAR (100) NOT NULL,
- SESSION_TYPE VARCHAR(100) NOT NULL,
- OPERATION VARCHAR(10) NOT NULL,
- SESSION_OBJECT BLOB,
- TIME_CREATED BIGINT,
- TENANT_ID INTEGER DEFAULT -1,
- EXPIRY_TIME BIGINT,
- PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION)
- )ENGINE INNODB;
-
-
-
-
- CREATE TABLE IF NOT EXISTS IDN_AUTH_TEMP_SESSION_STORE (
- SESSION_ID VARCHAR (100) NOT NULL,
- SESSION_TYPE VARCHAR(100) NOT NULL,
- OPERATION VARCHAR(10) NOT NULL,
- SESSION_OBJECT BLOB,
- TIME_CREATED BIGINT,
- TENANT_ID INTEGER DEFAULT -1,
- EXPIRY_TIME BIGINT,
- PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_AUTH_USER (
- USER_ID VARCHAR(255) NOT NULL,
- USER_NAME VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- DOMAIN_NAME VARCHAR(255) NOT NULL,
- IDP_ID INTEGER NOT NULL,
- PRIMARY KEY (USER_ID),
- CONSTRAINT USER_STORE_CONSTRAINT UNIQUE (USER_NAME, TENANT_ID, DOMAIN_NAME, IDP_ID));
-
- CREATE TABLE IF NOT EXISTS IDN_AUTH_USER_SESSION_MAPPING (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- USER_ID VARCHAR(255) NOT NULL,
- SESSION_ID VARCHAR(255) NOT NULL,
- CONSTRAINT USER_SESSION_STORE_CONSTRAINT UNIQUE (USER_ID, SESSION_ID),
- PRIMARY KEY (ID));
-
- CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_APP_INFO (
- SESSION_ID VARCHAR (100) NOT NULL,
- SUBJECT VARCHAR (100) NOT NULL,
- APP_ID INTEGER NOT NULL,
- INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL,
- PRIMARY KEY (SESSION_ID, SUBJECT, APP_ID, INBOUND_AUTH_TYPE)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_META_DATA (
- SESSION_ID VARCHAR (100) NOT NULL,
- PROPERTY_TYPE VARCHAR (100) NOT NULL,
- VALUE VARCHAR (255) NOT NULL,
- PRIMARY KEY (SESSION_ID, PROPERTY_TYPE, VALUE)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS SP_APP (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- APP_NAME VARCHAR (255) NOT NULL ,
- USER_STORE VARCHAR (255) NOT NULL,
- USERNAME VARCHAR (255) NOT NULL ,
- DESCRIPTION VARCHAR (1024),
- ROLE_CLAIM VARCHAR (512),
- AUTH_TYPE VARCHAR (255) NOT NULL,
- PROVISIONING_USERSTORE_DOMAIN VARCHAR (512),
- IS_LOCAL_CLAIM_DIALECT CHAR(1) DEFAULT '1',
- IS_SEND_LOCAL_SUBJECT_ID CHAR(1) DEFAULT '0',
- IS_SEND_AUTH_LIST_OF_IDPS CHAR(1) DEFAULT '0',
- IS_USE_TENANT_DOMAIN_SUBJECT CHAR(1) DEFAULT '1',
- IS_USE_USER_DOMAIN_SUBJECT CHAR(1) DEFAULT '1',
- ENABLE_AUTHORIZATION CHAR(1) DEFAULT '0',
- SUBJECT_CLAIM_URI VARCHAR (512),
- IS_SAAS_APP CHAR(1) DEFAULT '0',
- IS_DUMB_MODE CHAR(1) DEFAULT '0',
- UUID CHAR(36),
- IMAGE_URL VARCHAR(1024),
- ACCESS_URL VARCHAR(1024),
- IS_DISCOVERABLE CHAR(1) DEFAULT '0',
-
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_NAME_CONSTRAINT UNIQUE(APP_NAME, TENANT_ID);
- ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_UUID_CONSTRAINT UNIQUE(UUID);
-
- CREATE TABLE IF NOT EXISTS SP_METADATA (
- ID INTEGER AUTO_INCREMENT,
- SP_ID INTEGER,
- NAME VARCHAR(255) NOT NULL,
- VALUE VARCHAR(255) NOT NULL,
- DISPLAY_NAME VARCHAR(255),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (ID),
- CONSTRAINT SP_METADATA_CONSTRAINT UNIQUE (SP_ID, NAME),
- FOREIGN KEY (SP_ID) REFERENCES SP_APP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS SP_INBOUND_AUTH (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- INBOUND_AUTH_KEY VARCHAR (255),
- INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL,
- INBOUND_CONFIG_TYPE VARCHAR (255) NOT NULL,
- PROP_NAME VARCHAR (255),
- PROP_VALUE VARCHAR (1024) ,
- APP_ID INTEGER NOT NULL,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_INBOUND_AUTH ADD CONSTRAINT APPLICATION_ID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
-
- CREATE TABLE IF NOT EXISTS SP_AUTH_STEP (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- STEP_ORDER INTEGER DEFAULT 1,
- APP_ID INTEGER NOT NULL ,
- IS_SUBJECT_STEP CHAR(1) DEFAULT '0',
- IS_ATTRIBUTE_STEP CHAR(1) DEFAULT '0',
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_AUTH_STEP ADD CONSTRAINT APPLICATION_ID_CONSTRAINT_STEP FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
-
- CREATE TABLE IF NOT EXISTS SP_FEDERATED_IDP (
- ID INTEGER NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- AUTHENTICATOR_ID INTEGER NOT NULL,
- PRIMARY KEY (ID, AUTHENTICATOR_ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_FEDERATED_IDP ADD CONSTRAINT STEP_ID_CONSTRAINT FOREIGN KEY (ID) REFERENCES SP_AUTH_STEP (ID) ON DELETE CASCADE;
-
- CREATE TABLE IF NOT EXISTS SP_CLAIM_DIALECT (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- SP_DIALECT VARCHAR (512) NOT NULL,
- APP_ID INTEGER NOT NULL,
- PRIMARY KEY (ID));
-
- ALTER TABLE SP_CLAIM_DIALECT ADD CONSTRAINT DIALECTID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
-
- CREATE TABLE IF NOT EXISTS SP_CLAIM_MAPPING (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- IDP_CLAIM VARCHAR (512) NOT NULL ,
- SP_CLAIM VARCHAR (512) NOT NULL ,
- APP_ID INTEGER NOT NULL,
- IS_REQUESTED VARCHAR(128) DEFAULT '0',
- IS_MANDATORY VARCHAR(128) DEFAULT '0',
- DEFAULT_VALUE VARCHAR(255),
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_CLAIM_MAPPING ADD CONSTRAINT CLAIMID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
-
- CREATE TABLE IF NOT EXISTS SP_ROLE_MAPPING (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- IDP_ROLE VARCHAR (255) NOT NULL ,
- SP_ROLE VARCHAR (255) NOT NULL ,
- APP_ID INTEGER NOT NULL,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_ROLE_MAPPING ADD CONSTRAINT ROLEID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
-
- CREATE TABLE IF NOT EXISTS SP_REQ_PATH_AUTHENTICATOR (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- AUTHENTICATOR_NAME VARCHAR (255) NOT NULL ,
- APP_ID INTEGER NOT NULL,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_REQ_PATH_AUTHENTICATOR ADD CONSTRAINT REQ_AUTH_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
-
- CREATE TABLE IF NOT EXISTS SP_PROVISIONING_CONNECTOR (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER NOT NULL,
- IDP_NAME VARCHAR (255) NOT NULL ,
- CONNECTOR_NAME VARCHAR (255) NOT NULL ,
- APP_ID INTEGER NOT NULL,
- IS_JIT_ENABLED CHAR(1) NOT NULL DEFAULT '0',
- BLOCKING CHAR(1) NOT NULL DEFAULT '0',
- RULE_ENABLED CHAR(1) NOT NULL DEFAULT '0',
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- ALTER TABLE SP_PROVISIONING_CONNECTOR ADD CONSTRAINT PRO_CONNECTOR_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
-
- CREATE TABLE SP_AUTH_SCRIPT (
- ID INTEGER AUTO_INCREMENT NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- APP_ID INTEGER NOT NULL,
- TYPE VARCHAR(255) NOT NULL,
- CONTENT BLOB DEFAULT NULL,
- IS_ENABLED CHAR(1) NOT NULL DEFAULT '0',
- PRIMARY KEY (ID));
-
- CREATE TABLE IF NOT EXISTS SP_TEMPLATE (
- ID INTEGER AUTO_INCREMENT NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023),
- CONTENT BLOB DEFAULT NULL,
- PRIMARY KEY (ID),
- CONSTRAINT SP_TEMPLATE_CONSTRAINT UNIQUE (TENANT_ID, NAME));
-
- CREATE TABLE IF NOT EXISTS IDN_AUTH_WAIT_STATUS (
- ID INTEGER AUTO_INCREMENT NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- LONG_WAIT_KEY VARCHAR(255) NOT NULL,
- WAIT_STATUS CHAR(1) NOT NULL DEFAULT '1',
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- EXPIRE_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- PRIMARY KEY (ID),
- CONSTRAINT IDN_AUTH_WAIT_STATUS_KEY UNIQUE (LONG_WAIT_KEY));
-
- CREATE TABLE IF NOT EXISTS IDP (
- ID INTEGER AUTO_INCREMENT,
- TENANT_ID INTEGER,
- NAME VARCHAR(254) NOT NULL,
- IS_ENABLED CHAR(1) NOT NULL DEFAULT '1',
- IS_PRIMARY CHAR(1) NOT NULL DEFAULT '0',
- HOME_REALM_ID VARCHAR(254),
- IMAGE MEDIUMBLOB,
- CERTIFICATE BLOB,
- ALIAS VARCHAR(254),
- INBOUND_PROV_ENABLED CHAR (1) NOT NULL DEFAULT '0',
- INBOUND_PROV_USER_STORE_ID VARCHAR(254),
- USER_CLAIM_URI VARCHAR(254),
- ROLE_CLAIM_URI VARCHAR(254),
- DESCRIPTION VARCHAR (1024),
- DEFAULT_AUTHENTICATOR_NAME VARCHAR(254),
- DEFAULT_PRO_CONNECTOR_NAME VARCHAR(254),
- PROVISIONING_ROLE VARCHAR(128),
- IS_FEDERATION_HUB CHAR(1) NOT NULL DEFAULT '0',
- IS_LOCAL_CLAIM_DIALECT CHAR(1) NOT NULL DEFAULT '0',
- DISPLAY_NAME VARCHAR(255),
- IMAGE_URL VARCHAR(1024),
- UUID CHAR(36) NOT NULL,
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, NAME),
- UNIQUE (UUID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_ROLE (
- ID INTEGER AUTO_INCREMENT,
- IDP_ID INTEGER,
- TENANT_ID INTEGER,
- ROLE VARCHAR(254),
- PRIMARY KEY (ID),
- UNIQUE (IDP_ID, ROLE),
- FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_ROLE_MAPPING (
- ID INTEGER AUTO_INCREMENT,
- IDP_ROLE_ID INTEGER,
- TENANT_ID INTEGER,
- USER_STORE_ID VARCHAR (253),
- LOCAL_ROLE VARCHAR(253),
- PRIMARY KEY (ID),
- UNIQUE (IDP_ROLE_ID, TENANT_ID, USER_STORE_ID, LOCAL_ROLE),
- FOREIGN KEY (IDP_ROLE_ID) REFERENCES IDP_ROLE(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_CLAIM (
- ID INTEGER AUTO_INCREMENT,
- IDP_ID INTEGER,
- TENANT_ID INTEGER,
- CLAIM VARCHAR(254),
- PRIMARY KEY (ID),
- UNIQUE (IDP_ID, CLAIM),
- FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_CLAIM_MAPPING (
- ID INTEGER AUTO_INCREMENT,
- IDP_CLAIM_ID INTEGER,
- TENANT_ID INTEGER,
- LOCAL_CLAIM VARCHAR(253),
- DEFAULT_VALUE VARCHAR(255),
- IS_REQUESTED VARCHAR(128) DEFAULT '0',
- PRIMARY KEY (ID),
- UNIQUE (IDP_CLAIM_ID, TENANT_ID, LOCAL_CLAIM),
- FOREIGN KEY (IDP_CLAIM_ID) REFERENCES IDP_CLAIM(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR (
- ID INTEGER AUTO_INCREMENT,
- TENANT_ID INTEGER,
- IDP_ID INTEGER,
- NAME VARCHAR(255) NOT NULL,
- IS_ENABLED CHAR (1) DEFAULT '1',
- DISPLAY_NAME VARCHAR(255),
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, IDP_ID, NAME),
- FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_METADATA (
- ID INTEGER AUTO_INCREMENT,
- IDP_ID INTEGER,
- NAME VARCHAR(255) NOT NULL,
- VALUE VARCHAR(255) NOT NULL,
- DISPLAY_NAME VARCHAR(255),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (ID),
- CONSTRAINT IDP_METADATA_CONSTRAINT UNIQUE (IDP_ID, NAME),
- FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR_PROPERTY (
- ID INTEGER AUTO_INCREMENT,
- TENANT_ID INTEGER,
- AUTHENTICATOR_ID INTEGER,
- PROPERTY_KEY VARCHAR(255) NOT NULL,
- PROPERTY_VALUE VARCHAR(2047),
- IS_SECRET CHAR (1) DEFAULT '0',
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, AUTHENTICATOR_ID, PROPERTY_KEY),
- FOREIGN KEY (AUTHENTICATOR_ID) REFERENCES IDP_AUTHENTICATOR(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_CONFIG (
- ID INTEGER AUTO_INCREMENT,
- TENANT_ID INTEGER,
- IDP_ID INTEGER,
- PROVISIONING_CONNECTOR_TYPE VARCHAR(255) NOT NULL,
- IS_ENABLED CHAR (1) DEFAULT '0',
- IS_BLOCKING CHAR (1) DEFAULT '0',
- IS_RULES_ENABLED CHAR (1) DEFAULT '0',
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, IDP_ID, PROVISIONING_CONNECTOR_TYPE),
- FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_PROV_CONFIG_PROPERTY (
- ID INTEGER AUTO_INCREMENT,
- TENANT_ID INTEGER,
- PROVISIONING_CONFIG_ID INTEGER,
- PROPERTY_KEY VARCHAR(255) NOT NULL,
- PROPERTY_VALUE VARCHAR(2048),
- PROPERTY_BLOB_VALUE BLOB,
- PROPERTY_TYPE CHAR(32) NOT NULL,
- IS_SECRET CHAR (1) DEFAULT '0',
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, PROVISIONING_CONFIG_ID, PROPERTY_KEY),
- FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_ENTITY (
- ID INTEGER AUTO_INCREMENT,
- PROVISIONING_CONFIG_ID INTEGER,
- ENTITY_TYPE VARCHAR(255) NOT NULL,
- ENTITY_LOCAL_USERSTORE VARCHAR(255) NOT NULL,
- ENTITY_NAME VARCHAR(255) NOT NULL,
- ENTITY_VALUE VARCHAR(255),
- TENANT_ID INTEGER,
- ENTITY_LOCAL_ID VARCHAR(255),
- PRIMARY KEY (ID),
- UNIQUE (ENTITY_TYPE, TENANT_ID, ENTITY_LOCAL_USERSTORE, ENTITY_NAME, PROVISIONING_CONFIG_ID),
- UNIQUE (PROVISIONING_CONFIG_ID, ENTITY_TYPE, ENTITY_VALUE),
- FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDP_LOCAL_CLAIM (
- ID INTEGER AUTO_INCREMENT,
- TENANT_ID INTEGER,
- IDP_ID INTEGER,
- CLAIM_URI VARCHAR(255) NOT NULL,
- DEFAULT_VALUE VARCHAR(255),
- IS_REQUESTED VARCHAR(128) DEFAULT '0',
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, IDP_ID, CLAIM_URI),
- FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_ASSOCIATED_ID (
- ID INTEGER AUTO_INCREMENT,
- IDP_USER_ID VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER DEFAULT -1234,
- IDP_ID INTEGER NOT NULL,
- DOMAIN_NAME VARCHAR(255) NOT NULL,
- USER_NAME VARCHAR(255) NOT NULL,
- ASSOCIATION_ID CHAR(36) NOT NULL,
- PRIMARY KEY (ID),
- UNIQUE(IDP_USER_ID, TENANT_ID, IDP_ID),
- FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_USER_ACCOUNT_ASSOCIATION (
- ASSOCIATION_KEY VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER,
- DOMAIN_NAME VARCHAR(255) NOT NULL,
- USER_NAME VARCHAR(255) NOT NULL,
- PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS FIDO_DEVICE_STORE (
- TENANT_ID INTEGER,
- DOMAIN_NAME VARCHAR(255) NOT NULL,
- USER_NAME VARCHAR(45) NOT NULL,
- TIME_REGISTERED TIMESTAMP,
- KEY_HANDLE VARCHAR(200) NOT NULL,
- DEVICE_DATA VARCHAR(2048) NOT NULL,
- PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME, KEY_HANDLE)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS FIDO2_DEVICE_STORE (
- TENANT_ID INTEGER,
- DOMAIN_NAME VARCHAR(255) NOT NULL,
- USER_NAME VARCHAR(45) NOT NULL,
- TIME_REGISTERED TIMESTAMP,
- USER_HANDLE VARCHAR(64) NOT NULL,
- CREDENTIAL_ID VARCHAR(200) NOT NULL,
- PUBLIC_KEY_COSE VARCHAR(1024) NOT NULL,
- SIGNATURE_COUNT BIGINT,
- USER_IDENTITY VARCHAR(512) NOT NULL,
- DISPLAY_NAME VARCHAR(255),
- IS_USERNAMELESS_SUPPORTED CHAR(1) DEFAULT '0',
- PRIMARY KEY (CREDENTIAL_ID, USER_HANDLE)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS WF_REQUEST (
- UUID VARCHAR (45),
- CREATED_BY VARCHAR (255),
- TENANT_ID INTEGER DEFAULT -1,
- OPERATION_TYPE VARCHAR (50),
- CREATED_AT TIMESTAMP,
- UPDATED_AT TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
- STATUS VARCHAR (30),
- REQUEST BLOB,
- PRIMARY KEY (UUID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS WF_BPS_PROFILE (
- PROFILE_NAME VARCHAR(45),
- HOST_URL_MANAGER VARCHAR(255),
- HOST_URL_WORKER VARCHAR(255),
- USERNAME VARCHAR(100),
- PASSWORD VARCHAR(1023),
- CALLBACK_HOST VARCHAR (45),
- CALLBACK_USERNAME VARCHAR (100),
- CALLBACK_PASSWORD VARCHAR (255),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (PROFILE_NAME, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS WF_WORKFLOW(
- ID VARCHAR (45),
- WF_NAME VARCHAR (45),
- DESCRIPTION VARCHAR (255),
- TEMPLATE_ID VARCHAR (45),
- IMPL_ID VARCHAR (45),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS WF_WORKFLOW_ASSOCIATION(
- ID INTEGER NOT NULL AUTO_INCREMENT,
- ASSOC_NAME VARCHAR (45),
- EVENT_ID VARCHAR(45),
- ASSOC_CONDITION VARCHAR (2000),
- WORKFLOW_ID VARCHAR (45),
- IS_ENABLED CHAR (1) DEFAULT '1',
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY(ID),
- FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS WF_WORKFLOW_CONFIG_PARAM(
- WORKFLOW_ID VARCHAR (45),
- PARAM_NAME VARCHAR (45),
- PARAM_VALUE VARCHAR (1000),
- PARAM_QNAME VARCHAR (45),
- PARAM_HOLDER VARCHAR (45),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (WORKFLOW_ID, PARAM_NAME, PARAM_QNAME, PARAM_HOLDER),
- FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS WF_REQUEST_ENTITY_RELATIONSHIP(
- REQUEST_ID VARCHAR (45),
- ENTITY_NAME VARCHAR (255),
- ENTITY_TYPE VARCHAR (50),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY(REQUEST_ID, ENTITY_NAME, ENTITY_TYPE, TENANT_ID),
- FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS WF_WORKFLOW_REQUEST_RELATION(
- RELATIONSHIP_ID VARCHAR (45),
- WORKFLOW_ID VARCHAR (45),
- REQUEST_ID VARCHAR (45),
- UPDATED_AT TIMESTAMP,
- STATUS VARCHAR (30),
- TENANT_ID INTEGER DEFAULT -1,
- PRIMARY KEY (RELATIONSHIP_ID),
- FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE,
- FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_RECOVERY_DATA (
- USER_NAME VARCHAR(255) NOT NULL,
- USER_DOMAIN VARCHAR(127) NOT NULL,
- TENANT_ID INTEGER DEFAULT -1,
- CODE VARCHAR(255) NOT NULL,
- SCENARIO VARCHAR(255) NOT NULL,
- STEP VARCHAR(127) NOT NULL,
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- REMAINING_SETS VARCHAR(2500) DEFAULT NULL,
- PRIMARY KEY(USER_NAME, USER_DOMAIN, TENANT_ID, SCENARIO,STEP),
- UNIQUE(CODE)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- USER_NAME VARCHAR(255) NOT NULL,
- USER_DOMAIN VARCHAR(127) NOT NULL,
- TENANT_ID INTEGER DEFAULT -1,
- SALT_VALUE VARCHAR(255),
- HASH VARCHAR(255) NOT NULL,
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- PRIMARY KEY(ID),
- UNIQUE (USER_NAME,USER_DOMAIN,TENANT_ID,SALT_VALUE,HASH)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CLAIM_DIALECT (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- DIALECT_URI VARCHAR (255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- PRIMARY KEY (ID),
- CONSTRAINT DIALECT_URI_CONSTRAINT UNIQUE (DIALECT_URI, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CLAIM (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- DIALECT_ID INTEGER NOT NULL,
- CLAIM_URI VARCHAR (255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- PRIMARY KEY (ID),
- FOREIGN KEY (DIALECT_ID) REFERENCES IDN_CLAIM_DIALECT(ID) ON DELETE CASCADE,
- CONSTRAINT CLAIM_URI_CONSTRAINT UNIQUE (DIALECT_ID, CLAIM_URI, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPED_ATTRIBUTE (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- LOCAL_CLAIM_ID INTEGER,
- USER_STORE_DOMAIN_NAME VARCHAR (255) NOT NULL,
- ATTRIBUTE_NAME VARCHAR (255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- PRIMARY KEY (ID),
- FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
- CONSTRAINT USER_STORE_DOMAIN_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, USER_STORE_DOMAIN_NAME, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CLAIM_PROPERTY (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- LOCAL_CLAIM_ID INTEGER,
- PROPERTY_NAME VARCHAR (255) NOT NULL,
- PROPERTY_VALUE VARCHAR (255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- PRIMARY KEY (ID),
- FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
- CONSTRAINT PROPERTY_NAME_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, PROPERTY_NAME, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPING (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- EXT_CLAIM_ID INTEGER NOT NULL,
- MAPPED_LOCAL_CLAIM_ID INTEGER NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- PRIMARY KEY (ID),
- FOREIGN KEY (EXT_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
- FOREIGN KEY (MAPPED_LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
- CONSTRAINT EXT_TO_LOC_MAPPING_CONSTRN UNIQUE (EXT_CLAIM_ID, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_SAML2_ASSERTION_STORE (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- SAML2_ID VARCHAR(255) ,
- SAML2_ISSUER VARCHAR(255) ,
- SAML2_SUBJECT VARCHAR(255) ,
- SAML2_SESSION_INDEX VARCHAR(255) ,
- SAML2_AUTHN_CONTEXT_CLASS_REF VARCHAR(255) ,
- SAML2_ASSERTION VARCHAR(4096) ,
- ASSERTION BLOB ,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- CREATE TABLE IDN_SAML2_ARTIFACT_STORE (
- ID INT(11) NOT NULL AUTO_INCREMENT,
- SOURCE_ID VARCHAR(255) NOT NULL,
- MESSAGE_HANDLER VARCHAR(255) NOT NULL,
- AUTHN_REQ_DTO BLOB NOT NULL,
- SESSION_ID VARCHAR(255) NOT NULL,
- EXP_TIMESTAMP TIMESTAMP NOT NULL,
- INIT_TIMESTAMP TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- ASSERTION_ID VARCHAR(255),
- PRIMARY KEY (`ID`)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OIDC_JTI (
- JWT_ID VARCHAR(255) NOT NULL,
- EXP_TIME TIMESTAMP NOT NULL ,
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ,
- PRIMARY KEY (JWT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OIDC_PROPERTY (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- TENANT_ID INTEGER,
- CONSUMER_KEY VARCHAR(255) ,
- PROPERTY_KEY VARCHAR(255) NOT NULL,
- PROPERTY_VALUE VARCHAR(2047) ,
- PRIMARY KEY (ID),
- FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_REFERENCE (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- CONSUMER_KEY_ID INTEGER ,
- CODE_ID VARCHAR(255) ,
- TOKEN_ID VARCHAR(255) ,
- SESSION_DATA_KEY VARCHAR(255),
- PRIMARY KEY (ID),
- FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
- FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE,
- FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE(CODE_ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_CLAIMS (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- REQ_OBJECT_ID INTEGER,
- CLAIM_ATTRIBUTE VARCHAR(255) ,
- ESSENTIAL CHAR(1) NOT NULL DEFAULT '0' ,
- VALUE VARCHAR(255) ,
- IS_USERINFO CHAR(1) NOT NULL DEFAULT '0',
- PRIMARY KEY (ID),
- FOREIGN KEY (REQ_OBJECT_ID) REFERENCES IDN_OIDC_REQ_OBJECT_REFERENCE (ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJ_CLAIM_VALUES (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- REQ_OBJECT_CLAIMS_ID INTEGER ,
- CLAIM_VALUES VARCHAR(255) ,
- PRIMARY KEY (ID),
- FOREIGN KEY (REQ_OBJECT_CLAIMS_ID) REFERENCES IDN_OIDC_REQ_OBJECT_CLAIMS(ID) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CERTIFICATE (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- NAME VARCHAR(100),
- CERTIFICATE_IN_PEM BLOB,
- TENANT_ID INTEGER DEFAULT 0,
- PRIMARY KEY(ID),
- CONSTRAINT CERTIFICATE_UNIQUE_KEY UNIQUE (NAME, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OIDC_SCOPE_CLAIM_MAPPING (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- SCOPE_ID INTEGER NOT NULL,
- EXTERNAL_CLAIM_ID INTEGER NOT NULL,
- PRIMARY KEY (ID),
- FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE(SCOPE_ID) ON DELETE CASCADE,
- FOREIGN KEY (EXTERNAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
- UNIQUE (SCOPE_ID, EXTERNAL_CLAIM_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_FUNCTION_LIBRARY (
- NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023),
- TYPE VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- DATA BLOB NOT NULL,
- PRIMARY KEY (TENANT_ID,NAME)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_AUTH_CODE (
- AUTH_CODE_KEY CHAR (36),
- AUTH_REQ_ID CHAR (36),
- ISSUED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- CONSUMER_KEY VARCHAR(255),
- LAST_POLLED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- POLLING_INTERVAL INTEGER,
- EXPIRES_IN INTEGER,
- AUTHENTICATED_USER_NAME VARCHAR(255),
- USER_STORE_DOMAIN VARCHAR(100),
- TENANT_ID INTEGER,
- AUTH_REQ_STATUS VARCHAR (100) DEFAULT 'REQUESTED',
- IDP_ID INTEGER,
- UNIQUE(AUTH_REQ_ID),
- PRIMARY KEY (AUTH_CODE_KEY),
- FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_REQUEST_SCOPES (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- AUTH_CODE_KEY CHAR (36),
- SCOPE VARCHAR (255),
- FOREIGN KEY (AUTH_CODE_KEY) REFERENCES IDN_OAUTH2_CIBA_AUTH_CODE(AUTH_CODE_KEY) ON DELETE CASCADE,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_FED_AUTH_SESSION_MAPPING (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- IDP_SESSION_ID VARCHAR(255) NOT NULL,
- SESSION_ID VARCHAR(255) NOT NULL,
- IDP_NAME VARCHAR(255) NOT NULL,
- AUTHENTICATOR_ID VARCHAR(255),
- PROTOCOL_TYPE VARCHAR(255),
- TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- TENANT_ID INTEGER NOT NULL DEFAULT 0,
- PRIMARY KEY (ID),
- UNIQUE (IDP_SESSION_ID, TENANT_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CONFIG_TYPE (
- ID VARCHAR(255) NOT NULL,
- NAME VARCHAR(255) NOT NULL,
- DESCRIPTION VARCHAR(1023) NULL,
- PRIMARY KEY (ID),
- CONSTRAINT TYPE_NAME_CONSTRAINT UNIQUE (NAME)
- )ENGINE INNODB;
-
- INSERT INTO IDN_CONFIG_TYPE (ID, NAME, DESCRIPTION) VALUES
- ('9ab0ef95-13e9-4ed5-afaf-d29bed62f7bd', 'IDP_TEMPLATE', 'Template type to uniquely identify IDP templates'),
- ('3c4ac3d0-5903-4e3d-aaca-38df65b33bfd', 'APPLICATION_TEMPLATE', 'Template type to uniquely identify Application templates'),
- ('8ec6dbf1-218a-49bf-bc34-0d2db52d151c', 'CORS_CONFIGURATION', 'A resource type to keep the tenant CORS configurations'),
- ('669b99ca-cdb0-44a6-8cae-babed3b585df', 'Publisher', 'A resource type to keep the event publisher configurations'),
- ('73f6d9ca-62f4-4566-bab9-2a930ae51ba8', 'BRANDING_PREFERENCES', 'A resource type to keep the tenant branding preferences'),
- ('899c69b2-8bf7-46b5-9666-f7f99f90d6cc', 'fido-config', 'A resource type to store FIDO authenticator related preferences'),
- ('7f24050f-3e3d-4a00-b10f-fd5450d6523e', 'input-validation-configurations', 'A resource type to store input validation related configurations');
-
- CREATE TABLE IF NOT EXISTS IDN_CONFIG_RESOURCE (
- ID VARCHAR(255) NOT NULL,
- TENANT_ID INT NOT NULL,
- NAME VARCHAR(255) NOT NULL,
- CREATED_TIME TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
- LAST_MODIFIED TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
- HAS_FILE tinyint(1) NOT NULL,
- HAS_ATTRIBUTE tinyint(1) NOT NULL,
- TYPE_ID VARCHAR(255) NOT NULL,
- PRIMARY KEY (ID),
- CONSTRAINT NAME_TENANT_TYPE_CONSTRAINT UNIQUE (NAME, TENANT_ID, TYPE_ID)
- )ENGINE INNODB;
- ALTER TABLE IDN_CONFIG_RESOURCE ADD CONSTRAINT TYPE_ID_FOREIGN_CONSTRAINT FOREIGN KEY (TYPE_ID) REFERENCES
- IDN_CONFIG_TYPE (ID) ON DELETE CASCADE ON UPDATE CASCADE;
-
- CREATE TABLE IF NOT EXISTS IDN_CONFIG_ATTRIBUTE (
- ID VARCHAR(255) NOT NULL,
- RESOURCE_ID VARCHAR(255) NOT NULL,
- ATTR_KEY VARCHAR(255) NOT NULL,
- ATTR_VALUE VARCHAR(1023) NULL,
- PRIMARY KEY (ID),
- CONSTRAINT RESOURCE_KEY_VAL_CONSTRAINT UNIQUE (RESOURCE_ID(64), ATTR_KEY(255))
- )ENGINE INNODB;
- ALTER TABLE IDN_CONFIG_ATTRIBUTE ADD CONSTRAINT RESOURCE_ID_ATTRIBUTE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID)
- REFERENCES IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE;
-
- CREATE TABLE IF NOT EXISTS IDN_CONFIG_FILE (
- ID VARCHAR(255) NOT NULL,
- VALUE BLOB NULL,
- RESOURCE_ID VARCHAR(255) NOT NULL,
- NAME VARCHAR(255) NULL,
- PRIMARY KEY (ID)
- )ENGINE INNODB;
- ALTER TABLE IDN_CONFIG_FILE ADD CONSTRAINT RESOURCE_ID_FILE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID) REFERENCES
- IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE;
-
- CREATE TABLE IDN_REMOTE_FETCH_CONFIG (
- ID VARCHAR(255) NOT NULL,
- TENANT_ID INT NOT NULL,
- IS_ENABLED CHAR(1) NOT NULL,
- REPO_MANAGER_TYPE VARCHAR(255) NOT NULL,
- ACTION_LISTENER_TYPE VARCHAR(255) NOT NULL,
- CONFIG_DEPLOYER_TYPE VARCHAR(255) NOT NULL,
- REMOTE_FETCH_NAME VARCHAR(255),
- REMOTE_RESOURCE_URI VARCHAR(255) NOT NULL,
- ATTRIBUTES_JSON MEDIUMTEXT NOT NULL,
- PRIMARY KEY (ID),
- CONSTRAINT UC_REMOTE_RESOURCE_TYPE UNIQUE (TENANT_ID, CONFIG_DEPLOYER_TYPE)
- )ENGINE INNODB;
-
- CREATE TABLE IDN_REMOTE_FETCH_REVISIONS (
- ID VARCHAR(255) NOT NULL,
- CONFIG_ID VARCHAR(255) NOT NULL,
- FILE_PATH VARCHAR(255) NOT NULL,
- FILE_HASH VARCHAR(255),
- DEPLOYED_DATE TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- LAST_SYNC_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
- DEPLOYMENT_STATUS VARCHAR(255),
- ITEM_NAME VARCHAR(255),
- DEPLOY_ERR_LOG MEDIUMTEXT,
- PRIMARY KEY (ID),
- FOREIGN KEY (CONFIG_ID) REFERENCES IDN_REMOTE_FETCH_CONFIG(ID) ON DELETE CASCADE,
- CONSTRAINT UC_REVISIONS UNIQUE (CONFIG_ID, ITEM_NAME)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_MAPPING (
- ID VARCHAR(255) NOT NULL,
- USER_ID VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- FUNCTIONALITY_ID VARCHAR(255) NOT NULL,
- IS_FUNCTIONALITY_LOCKED BOOLEAN NOT NULL,
- FUNCTIONALITY_UNLOCK_TIME BIGINT NOT NULL,
- FUNCTIONALITY_LOCK_REASON VARCHAR(1023),
- FUNCTIONALITY_LOCK_REASON_CODE VARCHAR(255),
- PRIMARY KEY (ID),
- CONSTRAINT IDN_USER_FUNCTIONALITY_MAPPING_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_PROPERTY (
- ID VARCHAR(255) NOT NULL,
- USER_ID VARCHAR(255) NOT NULL,
- TENANT_ID INTEGER NOT NULL,
- FUNCTIONALITY_ID VARCHAR(255) NOT NULL,
- PROPERTY_NAME VARCHAR(255),
- PROPERTY_VALUE VARCHAR(255),
- PRIMARY KEY (ID),
- CONSTRAINT IDN_USER_FUNCTIONALITY_PROPERTY_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID, PROPERTY_NAME)
- )ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS IDN_CORS_ORIGIN (
- ID INT NOT NULL AUTO_INCREMENT,
- TENANT_ID INT NOT NULL,
- ORIGIN VARCHAR(2048) NOT NULL,
- UUID CHAR(36) NOT NULL,
-
- PRIMARY KEY (ID),
- UNIQUE (TENANT_ID, ORIGIN),
- UNIQUE (UUID)
- ) ENGINE INNODB;
-
- CREATE TABLE IF NOT EXISTS 
IDN_CORS_ASSOCIATION ( - IDN_CORS_ORIGIN_ID INT NOT NULL, - SP_APP_ID INT NOT NULL, - - PRIMARY KEY (IDN_CORS_ORIGIN_ID, SP_APP_ID), - FOREIGN KEY (IDN_CORS_ORIGIN_ID) REFERENCES IDN_CORS_ORIGIN (ID) ON DELETE CASCADE, - FOREIGN KEY (SP_APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE - ) ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENT ( - ID INTEGER NOT NULL AUTO_INCREMENT, - USER_ID VARCHAR(255) NOT NULL, - APP_ID CHAR(36) NOT NULL, - TENANT_ID INTEGER NOT NULL DEFAULT -1, - CONSENT_ID VARCHAR(255) NOT NULL, - - PRIMARY KEY (ID), - FOREIGN KEY (APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE, - UNIQUE (USER_ID, APP_ID, TENANT_ID), - UNIQUE (CONSENT_ID) - ) ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENTED_SCOPES ( - ID INTEGER NOT NULL AUTO_INCREMENT, - CONSENT_ID VARCHAR(255) NOT NULL, - TENANT_ID INTEGER NOT NULL DEFAULT -1, - SCOPE VARCHAR(255) NOT NULL, - CONSENT BOOLEAN NOT NULL DEFAULT 1, - - PRIMARY KEY (ID), - FOREIGN KEY (CONSENT_ID) REFERENCES IDN_OAUTH2_USER_CONSENT(CONSENT_ID) ON DELETE CASCADE, - UNIQUE (CONSENT_ID, SCOPE) - ) ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS IDN_SECRET_TYPE ( - ID VARCHAR(255) NOT NULL, - NAME VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023) NULL, - PRIMARY KEY (ID), - CONSTRAINT SECRET_TYPE_NAME_CONSTRAINT UNIQUE (NAME) - )ENGINE INNODB; - - INSERT INTO IDN_SECRET_TYPE (ID, NAME, DESCRIPTION) VALUES - ('1358bdbf-e0cc-4268-a42c-c3e0960e13f0', 'ADAPTIVE_AUTH_CALL_CHOREO', 'Secret type to uniquely identify secrets relevant to callChoreo adaptive auth function'); - - CREATE TABLE IF NOT EXISTS IDN_SECRET ( - ID VARCHAR(255) NOT NULL, - TENANT_ID INT NOT NULL, - SECRET_NAME VARCHAR(255) NOT NULL, - SECRET_VALUE VARCHAR(8000) NOT NULL, - CREATED_TIME TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - LAST_MODIFIED TIMESTAMP DEFAULT CURRENT_TIMESTAMP, - TYPE_ID VARCHAR(255) NOT NULL, - DESCRIPTION VARCHAR(1023) NULL, - PRIMARY KEY (ID), - FOREIGN KEY (TYPE_ID) REFERENCES IDN_SECRET_TYPE(ID) 
ON DELETE CASCADE, - UNIQUE (SECRET_NAME, TENANT_ID, TYPE_ID) - )ENGINE INNODB; - - CREATE TABLE IF NOT EXISTS SP_SHARED_APP ( - ID INTEGER NOT NULL AUTO_INCREMENT, - MAIN_APP_ID CHAR(36) NOT NULL, - OWNER_ORG_ID CHAR(36) NOT NULL, - SHARED_APP_ID CHAR(36) NOT NULL, - SHARED_ORG_ID CHAR(36) NOT NULL, - SHARE_WITH_ALL_CHILDREN BOOLEAN DEFAULT FALSE, - PRIMARY KEY (ID), - FOREIGN KEY (MAIN_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE, - FOREIGN KEY (SHARED_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE, - UNIQUE (MAIN_APP_ID, OWNER_ORG_ID, SHARED_ORG_ID), - UNIQUE (SHARED_APP_ID) - )ENGINE INNODB; - - -- --------------------------- INDEX CREATION ----------------------------- - -- IDN_OAUTH2_ACCESS_TOKEN -- - CREATE INDEX IDX_TC ON IDN_OAUTH2_ACCESS_TOKEN(TIME_CREATED); - CREATE INDEX IDX_ATH ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN_HASH); - CREATE INDEX IDX_AT_TI_UD ON IDN_OAUTH2_ACCESS_TOKEN(AUTHZ_USER, TENANT_ID, TOKEN_STATE, USER_DOMAIN); - CREATE INDEX IDX_AT_RTH ON IDN_OAUTH2_ACCESS_TOKEN(REFRESH_TOKEN_HASH); - CREATE INDEX IDX_AT_CKID_AU_TID_UD_TSH_TS ON IDN_OAUTH2_ACCESS_TOKEN(CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, TOKEN_SCOPE_HASH, TOKEN_STATE); - - -- IDN_OAUTH2_AUTHORIZATION_CODE -- - CREATE INDEX IDX_AUTHORIZATION_CODE_HASH ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHORIZATION_CODE_HASH, CONSUMER_KEY_ID); - CREATE INDEX IDX_AUTHORIZATION_CODE_AU_TI ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHZ_USER, TENANT_ID, USER_DOMAIN, STATE); - CREATE INDEX IDX_AC_CKID ON IDN_OAUTH2_AUTHORIZATION_CODE(CONSUMER_KEY_ID); - CREATE INDEX IDX_AC_TID ON IDN_OAUTH2_AUTHORIZATION_CODE(TOKEN_ID); - - -- IDN_SCIM_GROUP -- - CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME); - CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN_AN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, ATTR_NAME(500)); - - -- IDN_AUTH_SESSION_STORE -- - CREATE INDEX IDX_IDN_AUTH_SESSION_TIME ON IDN_AUTH_SESSION_STORE (TIME_CREATED); - CREATE INDEX IDX_IDN_AUTH_SSTR_ST_OP_ID_TM ON 
IDN_AUTH_SESSION_STORE (OPERATION, SESSION_TYPE, SESSION_ID, TIME_CREATED); - CREATE INDEX IDX_IDN_AUTH_SSTR_ET_ID ON IDN_AUTH_SESSION_STORE (EXPIRY_TIME, SESSION_ID); - - -- IDN_AUTH_TEMP_SESSION_STORE -- - CREATE INDEX IDX_IDN_AUTH_TMP_SESSION_TIME ON IDN_AUTH_TEMP_SESSION_STORE (TIME_CREATED); - - -- IDN_OIDC_SCOPE_CLAIM_MAPPING -- - CREATE INDEX IDX_AT_SI_ECI ON IDN_OIDC_SCOPE_CLAIM_MAPPING(SCOPE_ID, EXTERNAL_CLAIM_ID); - - -- IDN_OAUTH2_SCOPE -- - CREATE INDEX IDX_SC_TID ON IDN_OAUTH2_SCOPE(TENANT_ID); - - -- IDN_OAUTH2_SCOPE_BINDING -- - CREATE INDEX IDX_SB_SCPID ON IDN_OAUTH2_SCOPE_BINDING(SCOPE_ID); - - -- IDN_OIDC_REQ_OBJECT_REFERENCE -- - CREATE INDEX IDX_OROR_TID ON IDN_OIDC_REQ_OBJECT_REFERENCE(TOKEN_ID); - - -- IDN_OAUTH2_ACCESS_TOKEN_SCOPE -- - CREATE INDEX IDX_ATS_TID ON IDN_OAUTH2_ACCESS_TOKEN_SCOPE(TOKEN_ID); - - -- SP_TEMPLATE -- - CREATE INDEX IDX_SP_TEMPLATE ON SP_TEMPLATE (TENANT_ID, NAME); - - -- IDN_AUTH_USER -- - CREATE INDEX IDX_AUTH_USER_UN_TID_DN ON IDN_AUTH_USER (USER_NAME, TENANT_ID, DOMAIN_NAME); - CREATE INDEX IDX_AUTH_USER_DN_TOD ON IDN_AUTH_USER (DOMAIN_NAME, TENANT_ID); - - -- IDN_AUTH_USER_SESSION_MAPPING -- - CREATE INDEX IDX_USER_ID ON IDN_AUTH_USER_SESSION_MAPPING (USER_ID); - CREATE INDEX IDX_SESSION_ID ON IDN_AUTH_USER_SESSION_MAPPING (SESSION_ID); - - -- IDN_AUTH_SESSION_APP_INFO -- - CREATE INDEX IDX_AUTH_SAI_UN_AID_SID ON IDN_AUTH_SESSION_APP_INFO (APP_ID, SUBJECT, SESSION_ID); - - -- IDN_OAUTH_CONSUMER_APPS -- - CREATE INDEX IDX_OCA_UM_TID_UD_APN ON IDN_OAUTH_CONSUMER_APPS(USERNAME,TENANT_ID,USER_DOMAIN, APP_NAME); - - -- IDX_SPI_APP -- - CREATE INDEX IDX_SPI_APP ON SP_INBOUND_AUTH(APP_ID); - - -- IDN_OIDC_PROPERTY -- - CREATE INDEX IDX_IOP_CK ON IDN_OIDC_PROPERTY(CONSUMER_KEY); - - -- IDN_FIDO2_PROPERTY -- - CREATE INDEX IDX_FIDO2_STR ON FIDO2_DEVICE_STORE(USER_NAME, TENANT_ID, DOMAIN_NAME, CREDENTIAL_ID, USER_HANDLE); - - -- IDN_ASSOCIATED_ID -- - CREATE INDEX IDX_AI_DN_UN_AI ON IDN_ASSOCIATED_ID(DOMAIN_NAME, USER_NAME, 
ASSOCIATION_ID); - - -- IDN_OAUTH2_TOKEN_BINDING -- - CREATE INDEX IDX_IDN_AUTH_BIND ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_REF); - CREATE INDEX IDX_TK_VALUE_TYPE ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_VALUE, TOKEN_BINDING_TYPE); - - -- IDN_FED_AUTH_SESSION_MAPPING -- - CREATE INDEX IDX_FEDERATED_AUTH_SESSION_ID ON IDN_FED_AUTH_SESSION_MAPPING (SESSION_ID); - - -- IDN_REMOTE_FETCH_REVISIONS -- - CREATE INDEX IDX_REMOTE_FETCH_REVISION_CONFIG_ID ON IDN_REMOTE_FETCH_REVISIONS (CONFIG_ID); - - -- IDN_CORS_ASSOCIATION -- - CREATE INDEX IDX_CORS_SP_APP_ID ON IDN_CORS_ASSOCIATION (SP_APP_ID); - - -- IDN_CORS_ASSOCIATION -- - CREATE INDEX IDX_CORS_ORIGIN_ID ON IDN_CORS_ASSOCIATION (IDN_CORS_ORIGIN_ID); -kind: ConfigMap -metadata: - name: mysql-dbscripts - namespace: wso2 ---- diff --git a/simple/mysql-k8s/mysql-deployment.yaml b/simple/mysql-k8s/mysql-deployment.yaml deleted file mode 100644 index 2af4320f..00000000 --- a/simple/mysql-k8s/mysql-deployment.yaml +++ /dev/null 
@@ -1,60 +0,0 @@
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: wso2is-mysql-deployment
- namespace: wso2
-spec:
- replicas: 1
- selector:
- matchLabels:
- deployment: wso2is-mysql
- pod: wso2is
- template:
- metadata:
- labels:
- deployment: wso2is-mysql
- pod: wso2is
- spec:
- containers:
- - name: wso2is-mysql
- image: mysql:5.7
- livenessProbe:
- exec:
- command:
- - sh
- - -c
- - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
- initialDelaySeconds: 60
- periodSeconds: 10
- readinessProbe:
- exec:
- command:
- - sh
- - -c
- - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
- initialDelaySeconds: 60
- periodSeconds: 10
- imagePullPolicy: IfNotPresent
- securityContext:
- runAsUser: 999
- env:
- - name: MYSQL_ROOT_PASSWORD
- value: root
- - name: MYSQL_USER
- value: wso2carbon
- - name: MYSQL_PASSWORD
- value: wso2carbon
- ports:
- - containerPort: 3306
- protocol: TCP
- volumeMounts:
- - name: mysql-dbscripts
- mountPath: /docker-entrypoint-initdb.d
- args: ["--max-connections", "10000"]
- volumes:
- - name: mysql-dbscripts
- configMap:
- name: mysql-dbscripts
- serviceAccountName: "wso2svc-account"
----
diff --git a/simple/mysql-k8s/mysql-service.yaml b/simple/mysql-k8s/mysql-service.yaml
deleted file mode 100644
index c0a49553..00000000
--- a/simple/mysql-k8s/mysql-service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-apiVersion: v1
-kind: Service
-metadata:
- name: wso2is-rdbms-service-mysql
- namespace: wso2
-spec:
- type: ClusterIP
- selector:
- deployment: wso2is-mysql
- ports:
- - name: mysql-port
- port: 3306
- targetPort: 3306
- protocol: TCP
----
diff --git a/simple/wso2is-simplified.png b/simple/wso2is-simplified.png deleted file mode 100644 index 63ca69b98104bf9a7b126271c2f08a5ec8a89326..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 149775 zcmV(lK=i+fP)nf@x9uJ{K6`Y~_HrpW(+*?%Ai0zmSA0Qi4E(go0eVCugw{~`eEvf$PD@Nz}UZVc4Hph^`HtNGfd4jvt5>{W8@1jclHj=5P1V&Rr$C+2a{{{xS*P$& z_j@--E0gk0;=Zqdc(*Ux;21~VThDlFfyy_INr));4M!f`;zXiDQLZJc4e!PIe;}G= z%7@Zy@8=vEwOkmn@SI5Q9b@=qicbR(;>MztAjy>-na|B#mfMMtFo64nX*SSM=HU$f3nTW6Nr|-KV+{w~FZ@`1=_XzqP5~ug#^cN-s`At7} zEqD6<28cpZ&kNJrpB~Ghx@>Q-@gTWF%JD@5L7WMB?gv;B1)e^HmvIqJ0)d5!R*A70 zxj+4&;|*^j;0dnA(n14Iyw{;AfKQQqPRn!{li)HgoJ3s|D7vd z_6*b_X~1`=6!wtDKAsSp(Rn#e{r!qtPB;#dnV#~yPf+CZw!@#XP~O26e!=ySq_g&{ z52GS-AEt(#`p+S|7EsF_d!vlL+?-pU31{YE-Mf?QLV zVc>CFUv?!9QGUW)clIx8-WV7>*v>mx_%aI%P*JbxE(ej3Z3i$7Xz@c`37HAeh0pjL zZ|_TSgSz_l;WS*!ILxQ&ii82B*xF%zS*#C~&lhSFQGYoZNUl%T3hjgD<|!4DUWL zFxa2Kj@^P08WB<`nQ_UXe0kMsiN-|~TASHJ)r0li9af{{}*OX?UbYeXLC2xI>%fY_|__VN^AeO*6_d{VuLN?~C(%pb?wyVpw0g zvNQ$7I$sm5W1cP;s;vv%1BMBPt@`OFP!i@9miMi#53F9J#u2-VVO+RruEHR8;JFdJbJxk zlVCO$mA{yj`_%Tj4a|O?IKu~ko0c9y^&vH(y=$Ed)iIz&PT$PF!`r__*af(t-pb9l zIB9G>{lXXR8(jV2oUK*l>6;W-+97&F&qBSpPaAZcDF=|PiH3AGk$Jm`GBQH>w-;nL zs+z;rdWmJDJ~-=Nz~#ginV{$lc5{}e2)ckz1Zt=!TMiwaxrO6!O{+Y{1raHn3_i%s z^k)91EkJLruyDO_7bEXl+PvYZ2l$uC6!TSQCmV!oEP5%5g;$dC<8;|G^QlQsf6f4m(cQj^G$9F9+yqDA=BQK5!fwW!)s%?#S zr{V(<*uG}aBeAFT9FS#MfF&ZBe!4;3~+r20z)7`D`BhT=vQZI7hCtfCL&xY;`!vnThz zRlBRGIaW@IiX11ae=TmPVzUKAVE*7m_K|m%VtP|5ZB!tQEZrD`$@(V;|Q- zAAuJ(>0x3+u4#GMQGlcsZN_@bDNn<@?4=8BQUU&a5!I#O=ESnFou~(Bc+F=ifgnOK zZln9K;b0Pxff8zh;Ke~y$~JOr2f1Z!oRLg?8H9a(Cy3rnBOOdnTu5~v3*Ybq2(Y%N zb`ycW^S~R%dVRpdzGVE6We_ApsTFe6#HI^4T$B7G0t^2OKjPIDc&R0%e{gTrral0_ z$pl_3ujuDa#EVSl(39Rp6!-SLyJpRR77BfU9dbG3odwX5)PA9fFfy;@5)oM{-Cb5R z{7i)8V|5m2VqESQo1#J22WzL!WRvmB7rbb{{vN2y7U*OY*US|oTj4K+B3`yWt#~gN ztb(h2)S)D#d+xClLXXuWt7QYP7nJVqc#MR51%pjEzU2|Zj5hI*>SGdpLngI?*@~^) zdrn)%<6$Nqxw)1#m$xp9$r^?oB`hK_4jr>CoxANxP3T{BtGh&xXmiFxsEyGeF#0Gb 
z^1YRMBFIW$?7oV*6@>26!GfHNgq<0zKueLVa>IMETi`7g90nPCPyyR?tl;{LVy6XC z5vAqCFl`-?*34Ii0*ry@>}5=U6LXLmJ54YNg&C;p@fSSwSo~i8*7+cM92f3mm|%Zc zKh4z0ThcgXiabp?r0!c4;=d6Vo%JIGuW)$sJ1XaF7OfU$>rSBxqYAyA3_~8{vSb&cX%KhZmczI7pU7 zCq4HG)$rkpyB0%-w#vwAK%Ml^WGX zbaIo)2rrTCV-3BN;0F>q5SsD(n8(Qqa3Z!nWu&EQq=2Y>;$-)X67!-Qslq`5c&0~W zz7qG$9zWCBXfKNrl>j5;+H00cwG5My9Apf_0A%W(X20??C(rs&ATaDP4uUxzn;)vx`LlW-@$lQHvytccK&opRLhw`z&XwZ)C3 zUG{NXl06245>L!QOBTu@p+(g_aEvL?3V$dQ`R7@_QW&bd|0s($BEI6c}> zC$ePMWsVIe1+6Y0cU}!CiA#hY2h2KjfLXmqy+gb#jrzdYEY z?^}S8q7qRFw(HEa94)zI=^wQdZQV4Y>q;EeQVkrkMc0m{chqU`)9v)7hGao}L5_K; zn7ML8-R6mVF{jt3VOAzqLPQv)#x$x-C*aH5OebdA~(@M5LW_ z=oRBHTCr!%2{j`MH(eNKfttUvILbfth)2OAOO89zUnI;`cPZdAIv}e7CbFw>u#V|9 zN_0f&G&EPvg^t7{R2}CT95xs#hI&*W=rkC7NJJUeP&pElSnkN2_cvS+Me_{$N_NLW z^ydkQeVwwZtc1lDlo}w14sHW@^H?%IYf|$)kt*!XC7v)ue@f~Wi%t-XwOoPfzCrg2 z%nh*{C=Gb5Us)bhXhkmzs*PmZTZrbM@J+KHP-I0mssp{0?i<2qI6K3@5TZ3}ArQu(C=34bx4&NIk! z|3+^aEoOC~d#GxXwfS@F`!{oGMQJ28%|>~bnq9EBwl95nexZ>qw*NNPAx@m_UzR~$1wpdDUqB># zA*zTz>^8qIg+2YlOhcS-%d7R&!~?iGeB~4*D9z)qHd;>Q!sP3ztwf}oUVj$r66_KE?Y|IyoQkSir{gvCT!a9fds9bHt2kq&0C&1XDWmD8>o zbPL9M7IVFeeuVx23s;Ya+Vx~&D+ZtYVvRe`B8tACSndQr&npYolWIyG|9~!WX;$ro zWB#PKRu>?16g!}NNzjcZd)C9Vz_O#F+E3*@Y#5H=fYwBDbFtMh)c!&8pFmGi#3}Be^lC-f?(B{q3d~>uopNq2omI_PSp4tn zu>$t9<;3D=5Sf<^A@5{}=1ZMPmJ54|mia0X0(q>RZt<5qlXCDEj2uzFedrCM#(l^+oI=Spi#tHi1^L^vT~J#7U&xxHmv16GN3ob_4xF0*X) zWHIp!EbuF)1k}NQR(y$HZ0B2>!ID}?6b`^$_kgZ&sDq^9nw~`C8q7!c6yFjx)MJItsSC7Uh@eyR$*IEwD%te{CRr_w=&}6e-4#%G%0b4 zBwXXUuHchcHkkl>wAt)&2qYTQ!0cj}T{5?cVu%YH9)%p89_TKj!W&ConfmAnb-q*A zGYkeUJ?iX=+|>Q+ioZp!%FUAwq!buGj_6(f&fqN0c4|PjlR6CL-kL8r+kvjJ+aVyk zc#M_qW;*EkxK?2Klk5yw$D1sUcOKt-QpJym0GrEI#%3CKZ}+q@)c7l`D8H<5aF17hz{tzPyG>Dboy2y&@E--*>;Ti~!cdeFT=Qe3o-;l$1UCY;tt zP7~9*7R6Q6ixk~ax*r?c@^c?C+~;fwXWO4*oA=t_>z3Q78(pO5Rcb{ZkX$R;3+SHI zlg%AgxLs%YWAk?>p_kS!3P}Y`NUqvgSir|t zlz| zXu5eiGAZ(rltq7D6>zzbTE#op#nQM#O2Bx(w9_3^4^tDwej)!Wep34x&{+#;J3J~V zN&T2;6J-6-BBfYrmdQSaC`1f(852uHdM%ymO_4;JZzqR7_79b?pH8!e0GjY1pA-`7 
zCY|JeW&<#b74}98P=wHD)8<7kBzQBoh3w09s*kE6ko+bMpTT@c7|k(^o^+hDIzaoP ztdWh8T>JrwIDra?xE9E8)`!V^tZw)S@Q1e|qLvfN@tTB+x(;E}>= z*k*{itPDQIHSvmy-@?zLQ346XFF3(P4^)b2w7AUxD+$LSFEp}sns6M1a?d1mv7(Et z6bWL^%$PT#<1Orr^t^eytaEFXKP}90zZn$v6~`uZ0jc%RD@=0y1c1E<9wkyacC?V< zW*v1&=+cS?MU0}<@g}2+TA@?FWY0s`KVQKmGPLAtxs0@Lzqbp_I{Su6C!cC-<%(dZ z`Mn9c_NJt8(=M=Qd*^h9a)vF;9sq6ww&;s^_-8`aavCMWP};7Sihj=%g|8we>~XJZ z?0UYsNyNy2tRg*A*d30M-1H%ioR)buC7OR0w7`@)Tp^{i4uL97 zCrgi|&ExkK23XqRGvF4WJp5p+)wJXKDF{DQQij?DoM>uelQ#g5V%83(&g7kI#Fha# z+UY&YY;tM?h}<4A5^CalriC0K3`*U6m7(8xbk}@l0-?m#!0_89psx1#D{4xHldgz= zvg>kGwppF@#@GlG*Yp-+47(s36U*W)r;ac4gM*Xm25|=z$N$j$lXn(9(BSi}-f*183+4+v0lzSe!v&^9s8EUp%z2x_E z+6r7i%G}Fri6=QgS*B1E_)ST0_6E^6`CpD7!@I(pRqI%GtlX+c@2=dsf#r(z0TQ=| z5+j&K#7i}LLM@|%;6K%mO$4Qc zm_-6m^m22$zCI^jglTY-qtFNF__LIU#t}#Vy4v%`&KP%(-$zm48a9>1&D_v{DD?}> zWC7*@_6S|wWzs?6MZaT{!|CpX+NXYMyZ=qx>Rx8=d)ue}xmYSCNIgCr0o6Rp*k30q zi?FADM_`!H93#a8;B;>CG?mKyra5IIjB%Ilr*MS}WxAhJPi-DFWxS>egaU;9QE2e1 zu(|_bde2H~dKVrSS$a=lDf{zic>U3*U^}i?<76uK=dC)`XI;PQaYs94$44SbyJ{v{ z>ax={;8RDsNsf&%E$&pi*QyVn-Ef?^BK_@kb;0dRFh4~i1c{JYvV4+RV>?Z$oy;`3 zz>4kIEPD?Zl1xasVhBrm#linlftSae0^$z^p~qTG#A({t_k+0SQm0R)bQZVc_OwDJWH zFL5z`g0vl8S(0#OIIlJ^v~zq=*569qK-e+%V_;ow=UNCx`;q0sOUo~6fb@E7?MTs@ zxzpr}GMMBdQJQc!he^!h&|ElAUwCLgS3^PIO^Hw^63nn8{o7ii9}*zR2?$-FxSYEv z8?^;I9KB~k|MBuAH9VA^dc6LY^2hWMNp7^$>4C~1x|>*&9AbDQvep-Mp%o0R_tELc z=yTfLfEOCaRhMhSJ{~ux8EMvphLJU{9GSTOF3)L(`A0zgq-wYU*S-OKBB|X=0SvR^ zGkU*$1@{FWXp)C_U6`k9{;mvvrKlToL22W~kO@<={jq`Xj%b``Objp9F!@cl%l(d^ zCKjLbB}?xfH(Rz+_=%zB6vev2rBq2`QJP?p^>G62^A^}F+YWu($azYdiq_O=KdxuR z{`Tb}4(@XfSDehm1kzrOYRqrvKuXLtGe8_L9N)EkZjAxN+{Od(ek zb!??1`YI+tYEL;T#CtZ^igR4xBdDr$*!TV_P!0b#s&dYztmayd~EQ?JIPr3pj5fH2v!WzGiNt!ynWW|-marz{c?aXU2_-!&vN4^<+NxAmIBie zA}UMox5^)~9);M!v9LE=opW2)99##Jorvjpb$0srMDx&A0m4J_*bkt!_iw`Gf(AX8JQsGO8_)E z<6Q2K3Eg}@(u99ivkXxCWme=MD~-gvI2k+x;vF3LD$jueUX%*}%>pkXHN}59^WyW- zwA*K*2@az_2A+4kIFV~9GcH3|#*`byt?!??Ngsmnw^s&izkI&Ei`?c!I{~=oF8S+9 
zU)y9a9G^a2LH8x>uKI~EtW}WT8sBimg!HSmli1N(#6Vg{3~%jelOZZ1PTSf~xSOBx zlFpyQ`lTA#uNuzZmLp_(a93SfWF{B&@9n20KHGqD)#5Xf>1Hx=KPgzAHlMOA!j@GlNx&28m-J+Yo)ci-&v3Ap5)@`HbIsn(62Wd?83MMYc zzSF4paerLHLS182r;hAZ`ZBW2UA6@pB&^(HW0rWg!*)c4Jr`nPvpl<;EbxZ{9{81r z;dychG$2c41n=S^09(Ftz2+i1!J){BZabdpSXQ);$;D!=8au>8rPk{gsx-5GRp*nX zjjQ`g4gEN{Gui;geigFzp&1LV34F5t>Io??uWHFsRm+8~AZfC^sp#0e>4{bWv7c-5 zMlWcQ=S2C(4PPa)Hmo#_ODDbnW%eq6wp}rd?LN7~Zk5Juf%ccb^Qvn(a|V&L3%-*2 z!&GSj1K_a4K^hh>jVH~ubtG1bSN1-Wyz#pXhXb8JX9wulAP`Kz13zlf*P5@cgvRnJ zmo#YEyaH9GCE9HOI#ItJM?!KxSKiaX;;*S&d;OaQR)FKlFu@D3r=wI=NrMNS;b3ui zP)r0ALBo6&lHQe zfyhKc#UDbh5Ldc>LwBg#m@Ds}?pMm^K3;Mblyg;rNUU;zzTlgMy&t^qZ zF#!aoIKCw%ZbtyUj`L&YEj_!xt*~9L(Bgx(L2>oXo{1Q2}`idjc4zpzQ z!EwNSK-b#Z`(_+@Z>)AD-6QC*0f@;1p!{k*FV#Z=VF?0aW9dmOn5B;qZ^_f)#8H=I zFE<|JGNUSO6}OkyWNWQ;$|Cy%8HrSNbmU0=HyG{g{b<%R3W_Y#RLbuUHFuYM8SuBFqgl&h_$JH%RVocghC2e-`u8d5U^W zS}Wy?`qeEjhs+cWcYOrp;=Ew2N%h~zey+d6RP9eMY@L5}(^%JN^@kvJh=m!<9s%Z> z;EfiE4+Fl_D=eZ(w74ykEc@1PeW}!O*S$%OBf+>k<=x%Fk)uY%l(OK9?HhE)e7< z8qw(uQ)8%P0$|}wbjlqESz9AdBGu`%Y}0iD>DZU{dNQ?cqW`R@VdBzIX6ETx1$s3G zHKnot`?f|nMtoA+F(Qpp+WyB-LRd`4Sfa~rd1;eeCsO71PD`D1;xqK>-)eJ*z{UQW z-QU4h!L89Py?QF&#=k8bx}YALih`fb13m9>DnA2mYgv!JSUiL5RJNgJjWNPtAWE$? 
zR(FK-k9Xdh6Gmvym?ygJK)#46aKx65?`@@&UojBeU6$-C_6X>TG#w?b4@Zu*O8bG& z$T_o5Gf0@90F2&Y3(_G6m74pU({JAg{tCoHDST8^7@s|jyTz@ipguEDa(=%jN&P58 zF7Kmsccr<9v>ijfgLZKym-P$NpDgWl1G18{B2EM6Bd;$~>T3b8dRg=%vjGMpm}>gU zM-X%T?Y{T0uHCKNl^P2~=D#*9%2k&tE0$CyRq_oey7kvuXw_cKUXQE@KmD&(-B@?d z-(_;4hjELY<=1D=k{0_E4qM&JjI2M*K*>=U-W(%P`)aCbD33Ke;<=Fd^MX}K-4#z@ zHKb#Ef2wdUAH~Lu;UM@~NAuBHEXf2~>;vEx7nqKJ`aU~5m$D8@}H zSeG{2KbQ^Km*hOdo!1dboVL!y_BtcnJR44(mQ8Byb=aRw8Ud>)$k1&CbhxndV zTz^}%7ar+}P&ZJ6<>xRQ6h$hliHmjWh6rY$;ne)GdUM3L}eGfHcWZ<0YLEzV0O% z7!94b(XB`mRA%oism>uR9%~71muP6#xCNBt(pexr_OoFR&NciU9K+6Ac@%W9KFaupZO=>1Ie;3H8m}F1I(o}ikj1E z03;TlZ#Dy$3(K+((t|+qHwe@%M>Eo!z|PNP3c_(;ZP|R*6+Lw>5kctG6S3TBkT3lx zW9gJ9o#U+7pQ4tvYiRq>b<7oBJpWbv@&;xbDtk^dpswM7xL1F$ukFO8H%QzQ7K0O zaIR-lc?hvBeMV^MEF0?+>$1m^gcmE;abi}Ge~A)7>L_1V`57A4Ti5Z4!o2v?unB01 zpR;^N^2J0J3twt>1eaof8sIzn%w}9V;&j_CQ@MKE${*VlKjMULg^43RZ)2m#t=;de z=E+u>$AoVHqHvAzf-mCbCb?CSEO?e1HF=$_-0Htg$UOhxe21O<(E|!=8Q70?^(jbM zx|=CX(o=}G;iZ4r7lh^QjC6BYq*jAFS@1>xXe&{GqHnQ_U$H-Lkc{a~lYWGBPJq+MvAIs3~Wc2l1b_ItJ| z+#BYW3v}iNG>7xqGp5z~YBOjSK~)Be%Q9RXdAiU-t9Vhk1noz$`J<>89HYfbbOza(&w_|DVwZ!3>b0-d@!qd|&a zMZV9DM6C|;3L$V~$uX;MKNlsrzvM1{!~kTF_Ki)v_hgi>NBVQ8Y+{zvyL~y?892Oi zkUbK?^9vBzr}O3OtBuh&zAeXUEl^NvUY#2wv#ru|^norcVcjSl1Rr2z z&sjyDnK%SH(Pp!4Z+%p#Ljf#`>XH+$@%E>S{nyFi#XKS``LGEl&c9sEi5S~wai9l> zL;)h*oK1Eq_Iucj_EzSd*l%q^e%a5iWo3+CUO9?ca3A#YnH!+8BW~`uTTAL?3ZwnE z0W|dVT^>IEK)6xKs^({#noaxneAwCxKVcg`MWGzxSqPJVx@F+AV{kiSLl3Sz++%nR zVoio))I&I^k0txoSGJ64wSA=TW%%5vd^qra{2XdN z_^crMN!V}U=5}(t7Q#kL2hs3e&4B@1dXP}iS*4{iH@7AQ0TE)Mrmv_Dj=rh7VUGI*hRj3I7)DprXAgxT!I0^AF4`dCsM>HStc;2p@I@8V&tF%cGb+4VF?;q3>+;B&{BQjEvW5?R%1VZm9i!>Cyo? 
z-AjEdExL|5`)>EKIF^D|@1w%yTQR;FBRZvWZl+8cu*sg|fU=-U6Yn{5;46dHD>bcS zz}>vkk^9fh=}W%+r2{*z;_VCvw<&0K6ix#=-gA5#DBt_v`Y(IzF5#dDw69XE9q375 z{(+4m)CbP;h>0W-_G87f9Q3+bxUw9ki;nU-Zss3^h;1J?r3e2c$Ybq@awGk>KoGt3XWg`KVR( zYN?$^Q<6A@Z^k$#x>E^Qm=9=>BL923?!vXyU+%8`_iA6-M^wAgA{VjCvZe_fCNbF6S0k zKIctn@%e%-^6f_0h2Ww1Y zkSHIIsB~GY>+Hbrs{Q?AB1aETK%gv+l<6&&Q`?XP1Uhv7r zY0%77w!7N@t4>qhsD|bPcM{yN?8Ae1C01j_xV&s=@|A!u)?G~6^aA~o0}iB|{MNeY zo=cl#g7B3AaIBvC{vPKQbj>Z#FFkqL!5rkc^F3_7Lg}66n9LLRvYEw1k71O&!F}y-@Yx%v)P6{l!e!rFA3e z?!U*9GFq{?Jns;D+61;3=C5pP9zj`>h=KkS=qc}_vN@EuM_Oxuq25;jlFNknd@X{^ zW3w~3SsNMXZ$+9f{p(UOq(=069s$+d_Q{O-o%?9f@|%`LQLQ|()5v#c(Uun?R`v9A z;juEmDwHNPbuh_X|8v`)GDL{xGlu(Cs=vgb!C&%YJ0s~*uMPdhKnYy%q^3CbM4HZu zs8=a7Q1kHI`q%PW1nK85zCHanUeHZSUy;uWp)D1`!#dpjOoPkx`7FCOs0Bvj`Tebv z-1);F6cDOb{RMYn*P`lhPW@vrO^v;9U{v$hK?^>psJ_ixAY>s$@l)$_*BC}Qm{-$U zFVX$h&()YvzL)lXeA(UPx3~FWAn(x7K7b}d7%Ondxi5?@)zPyg!-ZFtY{NTJyO4O( zoRrHU7ibtq@+h)!{jKEaT#WGR!76X4Y?dj2gkSL)9@(@CZv$9i-@gP&p^Lc_3j?Vx zPH*`Z@;4Ok=#FNjEbnx`l$A%8F{?-HkIFJpvoa$K8$7ALtZFFo_r3w-$KFg&^< zWZ?KAq(QhP*VWG;ILM%Okzy^Fpj|#hHKvsf7+;5Q{VFrqb%LKwLM}eD$k*#gl)#P` zQx%zl1#Xi`nmdX%YbWv3QB#%svlC+S=%3ny9ZI+@R74##9NI~+-6JP4T@eQEPiIy6 zgNsP1CBNUbry?cv-Zt5!_A*odOWI(#EQ(Ex9|?=XuWyj&E23{p)+`lTy3za1?2`>Z zQn&aD83jt}&EQgV*j%PR11^nu-`lw>pR;iMW(&LCo@{7^yc2mIS^M=t@N)hDr!$Up zf>~gYcN`{XKdKVg>W?_yaJQpMx3fLoxZ_J+Sl*W#oS(Gjg4&)5fG{JgAPLJfkkaua z6dQeWOJY7o~Z!Jr3y~UMYNgZy*A_e zIt19nfx{q3pcg5OubrZ&>R)7CE<>X`< zKQ)}0@mFPPGV_k+bqOk;jt^HTvG&3`jcp>|@>Nd1d_5R_@Kkef86O8AZM+tLU93;y zUA0bJuIoJuP|5!qnMKSH9F9eo(^sm479Cjk87i0pYtLago<6P>G$7w@kzmu655Axa zscLX=LEu|1gaBUVLTx-KVt6#-=VdxG!aJ~Pfh$z@G)UK8jcOkscNsqxdB3@wB5kjhrT+UrVjy8QcJl|EkPG%s?dP)__BDYMans-W*5S3g6Z*GughA_)24ZStr1Mz55&;7rM|ZxzU{cQ4rz; zZ3w-zD*8n4U;i~ipDj>l-kdua72#{kSJFJJeA(s&mrZ+B7*((@9S3>uE7PMPxv!HtYOa=~yE6^uz&w#GMU&f91Wn@fHkNXvER#G2`L6 zZm||1RJKA)Xl~O|6jP39?;FbYrc+e}Q~U2=c{_Y9bMrFan3!Q$WTf(AN zCbX$A=7@h(tw>@1BdOu>S$Mxkk7n7|VJ{@3l&IW`Fy=ICJWRLm2eXwOyiVEGQ9aw; 
zb0Cys&58c3SX|du(hhdVN1|2gu$K5THsv9I{1cL1Jh@121xWwTFMbc2aTa%7=o$ya zvwiZ+$xw<5FG;CwI?UgAqcVv5$x101^HgR3nyW}k5D&L?M_IIx#%D4u{>IM}k@~A>!E6_C9zWH0khj^P zUHmMsjlkeeu4Emv{*K*dKM)(~HuIK7? zvD}*lw=6IAK>@JECW*B-p{921I-E=0X>PV4QD>Jc6Uq#t!Kx(Nx} z{uo-$HA@12bGcrWawJOOeTJT*jK4Q*VVND~NF?t#)d;I3`R@~^&NG(!qt>mI?j7p!+=i%5B$Hnq z*Z}cd+o7h-FAoBFOkHagL4*SX z-vpWzj_laQ{>St`qiG4{>zC)}rAI)1aP$0)nd|Ss*?JlTQVe7b$Ze&M?o$1!D}*8W zH}iFM#+dNeA>5(G$sweP5DjstPQDo+`ztzgVMfvypr>f~_%!xz&yuq?8qEM{WuL3X z`4i>JH{Z#(!YRv4e)a-n01hT?`!6J?XWM_XLT)4w4jUw_eUx}!6!h}>`QHxv6o>Fi zRZ&rQ@{dG=HYp%F%y4?8Yp#9dvTNm*{Eh6+=0|DNN$@H9tt8AY=3|ayGs#PkP5)CT zO56g>wBR5Z6~9wRpUZbB%7w)N&FPgN3qNsFCf0nBi(he}t6a(Ak^Ms8TITGg_;_@} z9nZgq13Qs(k2LK&r`c*ZqL-~Pc}ju4kfTPIU-EY@U7Oy={MwZ3_xYPk(*p)H=vxA! z9wEDKEZrYI8i+}%H1e7%O9dDJajW19ex(gI1K+UUUXuEhk_s8;xMrNcun(laI$vI| z8i~T%wGBSWe*H`UJF3rAjG6WG3Bf_p4oCJMFw*CBDs%6kB_$`y0}U6?vS1Q*A=nqP zRFQr}rus|uTnDmpg4R1p7^Dq}S<0hhK2ihG>mP!hhYUi+ydX+>K0EoujWhWpYfgQc zOp$3gdWW@&<<8y6`pwz$My4f2-b|azIW|fEN++UOH%!)M*{H%rv}yzjsf6O&EcfVp zOVX6@3B(rp$jC1FNmA2j&87lJ`9OBHeq#yH4S;gCJL9MM7Whwu$|`e7re%JoX5OjW zFzFc=@KuIk8Q+>H_luKMtu0~`zU(S<=K08a!V#ifdro0ZQxH+kzoB)0H!RWi_pYkp z#K#!~*vJd}dl|(9eFDKnu$)(+8tXFz!D8GDC6e^p_kYd$HC(UDeXiX%V6@2XvxNdW zyo~Z$W+3IQ4E;@E7d|i$$gt?sTfk7eaCiSS6y%n_&v6l0w7Qqh_oRK2Pz|R^w+zLxGh=XiIaopC2DF9l6Y7hWDrHtMe{T_!P!QApU0U zQpO8?%B5GUJ(;Tw{)Rqs2D2R^#z zRlkV`7&Y)Wun*YUIA!RvRqHS_m&lg{EP91(Ma@~x2eswZh6mNrl=}QVAv#8q@LMAv z69tI$8SC$s7JWsSAvlC-0y#>GvsF$Lce?*{G)&Iz0`*CvT~v4@GldfuQi#T##(of1 zhBSU|+Q^pSFMm@q1GT?AwVgIasqu<~R&&`0TaU)@_;NX-AEckBv@5~_Xt&F(G!vBT z_=MwMGfBhmAq3tXXhNI}=p+ggc(@WpRHV3j)H+d)84(;Hm!E5J8PkvJtK5~gt2bSP z7^mlBU{&Gma6B!;Qx$Tey?%fF^bV|NRK=5Yd>)0dOYqvy7cJxqAHv?9WCP(&5dUin z6Ds1+3~M4i6)_+`U7!1=M0l?~r-9m%Dw6(9QV7BbXTj3EVa2{ZP3GTdo86;FE4axx zn@)h5Ma2a&tLjoG-IDFkR|e-^8TsmWv63na zgIH;i;mS_T60Ks{hhGmFUS7VIw>bD^|I!ff1$R0wUk&>TTswqbo`jS+xp_%(<&Zhj zZs|yBmgI zsS=Q1WMbFRj(U*G*h32a_ET_;T^cvlLCnz;J-U zKF1~JUYAMn^)4=9z2r2q;veZ-n&EU=)Q3i-gszcPO_!8yIQEN3jhj28rr#sjifO{3 
zynY?O*5`96_{;zeVImJ&;%&;oH-!KtK-#~+ix*IK`bgc@Lu+3n3#aAG>l^jxDj1t4 z)qfbz3QA)7{z3qpR0|r-J3|K|YBhWjU&=czf+d0z=FPKD;rmyn7cek9AsC7jXDN98 z*k8k}?C}N8EX#%4{S&Y2a=#OaJb$NvTOO^tU)$TTPe6Iuc5|)UK_es=DxWU>1zt%! zHyT?qz%>;dozsFbh$SmOn7-KdG$0%me^(GgJdrtRraduDL^fzb!b)*h7YcP&Gi86} zC5UKgg(HYCzl8ofthE<3!sw_=sV#M!sG~;W2U}gy$bjUw{PLE}gaHcFAGFM#f>ex; zq&iXksJM~7bF2=BgXi8C0jS4FsV#i+J4!fnnA&yOMAhhO0{06ha@RKQu@_au?x2(c z5JnFcKEt(E28QDX%c3AEgrHev@*Px9QyutsppisHR<;Ac6PSL=reTeVEp!Dh#{z4Z z#MT!oxDtLVHA6U=*ubc}vnJU|)*EEQAu>!0A+BM7vVy&~|yh9k_s4mg^qukF)z^+W(|fk7#;WQd$Yo*jSRXgR7PM zgjhp4Ba1_{kNXGc1j}>rt#*og?H(hHnMJ=0kvj9eHNK4YvhVZ!t{i!VqXip?5}mOQ zADye>8r74+CPDW&($8aEr&fREc{;Y%r5IumZ=b2!fJTar?frhA@EY_6 zY9b~07jN?TLFt zhWy=yYBBtAk}8r`of9^rJ(_8Xno;>thu?bbUbx6!y3|&=oP3-@Cr~-f8ruE3Omdd^ zQ5IXvoD?GqgnKhuc%L6uCQA_SgXWg74yjsoj$G3u5^uam$bxc)@} zA(`^#LIpN;Y7>5aA%YIGTxDAERH$w8%fKFYDqL)*lbx;4L$h6jcoWb-=nw6f^(W3F zZUEj$7?9p=8TYgED#dXj_oFQ2v=OmBW3iTN_%JXI7YTRfna_MkKUaX8EXtAE!1+n# zlGj3_Az)6F#w!Yy%@9UtDOJ+BDFR$zIA~3o?7k!LsWUPJjZyg z7p4gH{F1SpbwHz?eUyJwkT-|C@hveN2KQV=soYY=Y$JL7+kE6|H<02f)UF~IXslUQ zn<7MdiUau1srQuQ7UP0#r~h}P<<}4600zSeRX9{w_0iq7CAxVSDhfv3ft1*jX*4Sj znW34+`}edt6f2!iz4+2z+_Dl;G%bNon8u5li3c@e!3t(?geMZ0Zj$4Ruj@T*TPdUx z7WcC1Id%?gkrmtPUT5b=y+y_)DSzLPv$}Zru2iYyo47E?;VXZK*ffID z{T5Dc|Nx;^@V1CWC0Lo3{MX0d>mn({^SYSpQOzVZWTX)X4M$ zxVhp-*T}UF>sP^REBLWW$vEE^T?CkDfSp+_yeH)sZ%c`)T21(ID+fyX$D#f#*Cmae`B<{M^<0S0Ky4**p>WWo@GX2Nt9w5IDB@cM-3b|%C>jcos z<2p`m9Lw?U*B9oRd|-LGue^s z!M~vkPK$_YZwE)m>|S$i)<&51`{ESHa*j2tt3hpT@F+f;;RXYX&q%{x>3m(sIw`62 z@LUw@eP6lzq4tJbEYz}ceeKFbE9bTChsd}A4jA05RG8R?$#E_az&gcq61wHH*}^qH z+Bh{#ZOt4JeJpN_ct4)Id^I~Qh0EE*0!3u6h4BS~ai&2OaeoAm`iJgs_>^;HaWfbE!iwkz`%xUm_ z%5i@m(IppI;@y><2}&VVM0-9B2jp(fS}Hq6v0p6Jbtyyiet8UHgh6$vwLJIz z+q9Q)uW?^5NV0Aq0BL^h>dqWTq7zac`jQN1etgtaTJ&3-bHT`l1BD~D{3Y}vUIjA+y= z*%!7k($8|?Y2@^#FsJ0ndl0veZC)?jF}O$`wpE_3`$uI#ABiG1jtBmx*U2VZhxS1z ziU;c|?*$a)J&Mf|Zv4Y%E*x^oSNt@>V%KWWE5tW$trCxdMf{0-ysM?;rCZcKvgpl{ z@ALxGaCwJi{(iG;97nUOel%*Q0;n}{(cZ7=Am~Cr+?$i|>C3ffen4sQoVg^)9U}-) 
z#+Bc#&3?O%fV9b<$ ziYjo`7+k_4O8a=9`MofM5wm{>;uNd{=LN(C-5K@q;qONS9W0zvP*PH>)Hpq6-kW{J zaR(T+EaO#3>9w^i-$ z&V=o-$4W#-C1$q^B&v7@0Y62@fk6erk6R83I6~Y;@=gFOk+H_)! zip>397)wAHB5lRDn>~dTdI90MYKl#g7m_4+RY* zKYpIFU0S5(SQ}L1XWgX%Hu=H|rD}Z_vz? z#6?((n*98F;a{Ka;p*Zq@FHVmo|n>Aiu%l#lp=n7JYlU?pd*Usk>Dg?w<$Lh*fK>% zELX!bMq_;Vd=xRDgS7Y}B{&($+RTixI$_eoOg%aiUODrIE+CbUBAx0MnaVo*DO;XR z2r^C-;*Q`&h0GGzm3PtlQKq-$dBbB<8$6iD4bYf2RLfK)#o7W~mU3 zGJZ!_N!gyN8mLW;K&l1(e=Z+*BH>zl*Z;nsc>GQL^K=h!!UY{6r6*V2L2(7MjBdu9 zdEb^Mc}cZ$@?9Ko=;v@w^#>$E7^tsvO6%k@Vr(q~sgUIa*SS9t`!~x4gRHHyf4%#) zsrr}g)#pS*$39zC*E6zl{w8dW{bgRTx9ju5)P=?Xq%Tvs=_HVk5vUetmSEUu_PI&g z+Q4r%whj-<5}W};Sv<;kgI8eH7{)L`8u5K(FBKXVv!Yq`t5XfcVIUY{!j4ao;M_d5 z#@o9b%I`B?h@^=PdcpqaJ#FvcNd)^dHIrnH$-v=CJ31jVVkWE!h|wMOV-{*oU^CF%_s2uDv$ z!wS&N)?EzXjg0%z=)0`dNRJf%E9$%q=4V&7Bn<>M2{gjLp_4fghPb+FOw4&;<;zHZ zqW}Cn^JZ`OHFu9rL;I;tme^WSN!FZaERp59O?CAc7v|_uvW9 zKaJ{5uUE2bJYMqU5;P$iHSkAIOL0gm>x))L{RVHJ7$2FTjBoVv2T(4I z;Z$Y4q;cRrxJ~xEFhUM;y2q!gUz}kTAMbwua2{!Kf|Skx(RrUJIitlJ*-8(()!M>R z`Kn3u(1x&Q{sBzCKqxCNcw#eCWmX3>@XSlFe4`{LEcP+Y6D#;28(p;6&R&D+Qw4L) z+>-<{V*8T$CRui!To0X9aC~bb|4Rl)_+<8;!_DJiU0+9jZ#8;2R@hKSn|~_^PBr8W zMT^Dow0Ie!2)*-@2HVPy z;wE9bLT_C!P6V4}RbxtsXQAQ)xW}*T($k9jtk`{L^#icz{3d4AhTinC4Se|tO9;P) zC84Kcm}=tiSS$LJ?1w{%xc`=(h^JY1>=};VaEUH&Z0-yMp+1{704Ev!ZXxu~o7#md ztkI5(skOx&i)G&T2x68bXMl|;Nsu4^}uPhLF`5{0F`Ik+zIsVMaN#|Vs=;!n;F6InwqFLp-7$WKn?RHSQs;Jh} zWJvrV)Stw5@bQV4Ij3@rp|Q}LkN(Pfe;F|%OpsZLCSeh& zP|`7z{5RG0PQfC$8lo$THymGRvT>*Gl3rj>zEk5fxIjmBQ=9xHD~4GbqNGLi)qQ@( zXW%k?ZPWGNZ?wAP01?g1(&{3U79ze;yn9MLf0j+F3hshvC1 zT4^!!FA(MJ`arZp?2!Jt*Js0-8HNGOfjrgd?#u+)^n47|19Naotc)C{=Ue3ung9p? 
zWYg=U!c+6qSG80s(<1G5%d?SM?r1UApuo#oRF+Z-lNf-RCw*iAV2+AK4UT|Zi$K%c zZpE|G=m zd6ryT3^_wDH#Y)9CuVPPPGqWgoHb)Z(@q6TwmAYSi3b}WZ!wpTIbJ|&C%(ruY^^#Gu%v+u zTVONL5xl0uliz}K*qF~>97g}<=+08*f1({zp+CIe8@LKYs=-uI3tUV<#G_)sUE4=; z2a=Yu9_0`RddpJ8!nmKxXW7={v@r+=6819z~F>R^p zp3t324@zK-UYHoDrI&SRkibF>%?S1WEMXnfztdQnG{Y2(5FdQoH5jeWm_l z^X$A&<&0z(Hx^s#Ci(j^M${Tb`3l79-0%;>k=-~;OP|>o1|_H?v=I?i(IVoTD{!6{ z$E*reuCx3ebV3_9$A6wQiX$mJbH2VP@|!KB(z3K72yCmsHbZx%gt{^eJD}M< zoRw{lLRiY+c9w{%hFIrtMs{*3OnC92sBPv+0KTWrVZ&gHFE6q0i{WSF*43^~rdD{g zvS?wYD;DavgHTl7Uq5)Fu6CXcpq_YiP@+Q+3@6v7Z<|>k3Ge+xAKjPihUdj*CZ2mC8?s+lvyamJtHs!#0mG`RM0Z{W zA+j_n?eDY+8h^i+ljqP?aa#yU?GQ)M98^NsaB!$2H~m~@C}}W`n-##%z*(aib?WSX|7C1hy3*Q{Z~`&MGp7-ha_&zv&HVm-ER2#nT-#qHq1BpFRgJ|G`-K) zlX4xTEq=zHaQL?m_U+BQzK9dNBei<{c+R$B@l&oxfn@C8JmNjLHc;3SY4g03#FjMm zY!TmD>=}(f-Qu+2#X~_8>Xtz;7fAJt)Jc&o*bhN?^kbYeGy1xv#+`Y4nU(Q!clEjY z2y^}Ut{xQcvCUi=Z;Y7}+Eqiw4Xf+|c8IfJ&I%>)PbXYcs3LVY<9lkxq7Z#SWW&n4 zYx8zjmapND;Ch-DdjQs&boWGq1fq~Y@p8BZ(X{I<&?1H>vluqC?!j)(AF#%CGUm=E z0%93)8*O2*90VI`Qtw|LL*{ z211#~8zPf)T=z7k?HU9c!BrS>JHK=G#z``e*g6y8sA?+ekguOYE{^trGUh_AL;V^* zpYUthcd}3`rd*x>D(bSy{K}!-;n=`od`zeVjzOa0{TJt@2&kFmI}8@I@w8XTuJNI> z7_DkU(G6|x%>1VA!#ln`DaAjRl|awMZ6mvln%VQsWBrIJW?pB0xAA+ff8K|P%bGG< zV*ouUEJM{^J^Si%y(qXD$zRA=*hW{`vkum`;EK*D&IDoC)(cis;f5+FWN3+U{!ROVLu|*-q zQV@ucoR|-Ka~3*9>#_#+C$1(adBm#c#zpd7;-_~rD;i0mP94-{IF)sl*1xWS36=3R z;hy({ya8R|!o~WqJ@6ruQw1r{c@;1~HCpEu>wYG}XwTTvuzH+^x0HN#{w!T_!&&Or z83VR;0tkaClfrj7VxgNtv>Wtm^1bl_^mCa&9tm~rv+=+B&AKSJ575fLA+^AS`LPIe zX?m!xwDPZcGT+B`Qf0r*&5dVEvo0V0uKn}$yz7D6z=D5IQ0 zntd$3D!1rwI;sw1j@lmDStuinRL_@AU8ID0b2oL=b8U3u!wOE6p?wrVdv`9fYHO|V zgzM!mNyXQUvZ*mtya)n6&eI9HA4$4(o)X^{z`vKrtuXT6t++9~5)$o)%x-a% zo0O4S?vGal?>knnApiPer6F=3ye|bCg7$uMQ|kOpz>`@AjO7#8VR!SuH`E@m+$4oY zbWOa<6aXUFbOKAzX>4rr_#4XNPMKiUebwB^<~lU=S{os70Nlnctj~~=B{QfzMEuEU zX*!PrIorSe-H7Z9IMJ0LTE#i#brYq9VMHI9E!i0;JNC*x!efB z7ie8bzhB{q8i|M>V+%&*w(hPF`d=1lG?X1&1Z{S9hMTW_k;z#uF%R6XfW@n{c(G&) zNabCeL}@K6uM 
zV^dD$GG&m}YQcNN*zA5udl%KF2AWo_4^aaHxB{LzfV{5#V|E}-{7uDov|5~r$KDm4Q^~)}m?h{hQ1BFKbS`8XEzSL1pC#{N zwMXM)O>qT%KY&g&Ap3%s?4enYLYO|DuCWuUSP+@8UfQ8!%=&lx@k{8(bD6Z^{`-w1 zSB5FWRL!xJo!~YnoFEbhXskSI$rl#yZ$hR<65Ohx1)56D zuJa!u_B~y?x@(YuTFjsRMzG!_6E5sE@f=&zw<0D$0$r1>?F0a)iwJY<{E*3lD4lhiUc%>5y2Y^2pQf2D+8KFT_&rGcF zI!2U--X*Dax{dzbJ=g?P%5Wh`@|p9Z1Hr?h-v+kwumnF3%PBS1=_3__?56FQ>=hnX zJ+CyXC1N$@r2^w+PP$;6aiA}jhT!5^9|+$JCh4kb%34P1NrO^boO=IxH6YdxO?Eex zR~NQ07?4T-Pjv`&{~>%%#CdtxXiA8GP>1T4F5&v?D_oNzp!JxCP6iHRhHQV@p{zRpaMf3Fw#R(C3Q5C2{rJDJ2r0~P&i&o;MUQ*9l zTGDC%9d+wM9XBBmjbiXhdTA(A3_PTIh^7<$A{xWYszHo=`S1j;s&z{(wBFAJpdRzz zMKkXo>Yf>S*ZPKKTSs;72qi`Bw6~+?8~g)Rr=|)HFXzHN zL6VZU9si*H77_nkOGq+{S|Cyqs1Z+Qkr%_H*Hw+2yq?i=Dv2m1Krzy=P~RG`x&-4*3|DMUDf?&{ZwcNd|3a6q5b)1gOWW*GVq*IsD1^F zzipOqzr^~d(>6Hx7;D#uR}<4Sz>`)Zmc)4mvCGNR5q@{t^{|ru;#IM6nPK6#BnDpg znQk{QIo)Jc;JTQzf|3sopFyogrUM#y;q+%mVZ82fz8bTh=<;JpG~=xa6N;KDh{qrxJsq{ce$+n%brXxDm`7NMM$7Zdv z-cq;CNSVzcQ1=I3U!X}gQZ-qOFYM=-!%yu^eP3u(38CXZ^q`5B+e>Hsn1PqAN^YxN z;}$*h*;gffMw+g=r}@lHHI^zanJrLv^%ElBJU_tA!f?p>g>_03DtqF>#!1a=)vXBm zvM{a8T`Lv8#(HSC41mP|Vvt&O>zPFOCA}zk_=I^j0x$20lR5bweu0GKoj!K`ASPC{ z#d;saZ$|6hbR04t{0ry;ImC<;Cc|f3jsSz8z~y2Jk*%xijBU!DL+(Ozt`rh6@c9_@ z!}-RF2j?W^(bsc=SgVubzF7MBx)T81V6V!*xzkW~W9RUBuGY1~1T8n#{!wxw`ImSM z*p41vdMFIDvYpaiK{SgOMCh8+pD3>v(T=__i$sCIj$Np7I~X7hh!+;ui>kHef!MN1 z28`BdJI`1H^19u%>bN`}h8>h+M0d_GJfe?^B~nSi>oAHhxFLy@*=vzr&Tx>(;E0+U zS%J0sNOW#Vefm)#?9QqQAEhclRV)PlVcb`3WL(GeqNo%I#_HV;y!3^Vei`Yro(5MI zRnMS#mj>!ZA`(KnNSE@1R!$*{af~|@822Fxkm53X;Otg_IxWuY9vDF^PI>E_iFKz( zAFc(6651&qu2~Q#U8BP&suVxl+X}0GHBmr0mc=Smna1K8-)^nLfiu(}58s+BsSNt@ z1?7(%W#&$NtLH*~aI=Enfip%3_9E0jpRctUfl56rkd=t~m%RjMQ`mdLKtpiE_T0Ir4@1Zn}~a9#$x4 z1N0%K`%U65!GQzp;%Tm|iC^t-{6O15%O5i{uRf?cC-YFgcIx1{k9#+hvDY^Nq*1JY zFZhhr%lObAQwCi}l?*c}%=Z@a`8#d-ZQF$V@B(YsBthkD=mtOC>C?)%rYvb*~&V#=o5x)C|kFKtPou%9<`12-xMrMrAc3Vg1M)p+vWnL z@g&wpP}M~xV43F4Y}FDH1JqT2ry>&lIb0Vzw8h?uUnM0XPj1pOeovFS7~s1q^mt~# zt;X^>-mhUzVH>R~UXOw(_`f;f-P~7C;5L`}p{R56;*K5 
zn-?8U<4w1BKgni(t!d-(m*UxcNelfk7#j}!^9vxG$9wtTz$cWVYwlMTb1zZQgK1#4 znI4+NR9vV#536+}lj+9*IycFQe}?6evsm&Y{9VI=9i-lWuzV0qarmGA8_tyBN=IR+ zOwa96@!J!v;$9l(54klS75L)MlQDH9iT@|&5Szz9+Xyk}y+Y6TfhP^>bYQDr^}29t79 z41XtY?F%RyjG$=Y*E-RT*Z(e1D_aRzEDL^#s?xvkLsgUm!o1ay`WNjS0c>~;fT%d| zg~g@>7ksJq@9-OxaPl$@?m}Mp+NAVLy;4RJUT_Pj;om(OJ0$~E5g&NVvA;TV72$uR zVy05)YA-@{?fJ!;&-T}39sp=!cpX&{b9P(HWt)$&F;!6pN3UlR3M`sl(^EIU-G!0< zzx8#IiCohp%5_nKZr`j*xSy2=7Z-vCk7*;Vs?3DqGVck5?=Pd@9z**ilmlbMUUVs6 z*q^1c;z$KI$6`+#fvEFDwI#o2l7i<@FHt{mjt# z$3N!vZ;{(bKkOO3)LRhHK(xV_Ow^Eyig`NzMf&ohk(f%S5c{rwe!w|wk;LzVk#ca* zNJZt7to-EqT?Zx$&7Myss!LTze%*aH5-=)4#5Xizq^$DPzj`{@pYqw50yocgt_kdX zf9ib{>%KY@wBw0xCNF-)&@w1E6*c$-?l9u1`w-l%H+ug%Gp>_X`BNB8(y+3%s}$J- z5wpEXXhf#oVqK>q8a0KCOP?d1=xHzf=bJP}g7ouy>BL`A{KF5GO6&I*lPzFc4*+c| zm_x~WDFCDo(2K+w7_yL|L-|Wf*sd!Pn%gZ5O7NLmttSyP!ITtn26>wW_ze~l;qS9Z zT@Lq$RnZ|^)((U|QPLk!5R%XtiX$$vI`07MRYsbHK;a&c$O!Zh&?9uBMX+(@i=oOF z_EZ>09|QOeR*D&q`98!q@kNXo5E#dfKMPcUZ0_1;iBL7B<5(W~jb?Ci3klB(Bue^s z0iuf_f6BV+DnBN7hJ11at~`N-s(1RWA#a7jis1ZyL&%#*p(&8ku6ZN<8;0mU%kI06Z{Y(~pBxDcFC9LP-SMyEOxV3C zqVoH&v&y{u6ehBVQLs>f@v57DR$2ebr7fmIH|J(&tFngk@rW*2hV=XMu_7%y98kv+ zv7P6Y*K{2kF8?tnSgee=;=!tMPE}c+GV=daT9AR*^I0UN%9hPOm%kn$zzNTds<_{e zUlRS@q?K4UvprKR*@A!{iqRJLg30I?rH_=ZQ9;X2S)i5M2#-t z>xe-d0Dof?5WVg65V!zvt|_FAe3mT>Ro>IYsf#khZ<#hQfLy>H^!*uogohh zS{qEl_Y?meQ9MENpXc#|KoamNq{U^9SX23GUU z8TaX=r2=W#MoCk4W7!&&y4vK6q?|`*Ns8ZlpD+ywfmx1O#z{=21xk;nYOT%y%}CGZj&-8P5r7>q8Y zzZ==NBpo=@Cny4$0 zb4ivFKeX%1@eERcPeD)}#IVIUAjzJ%{o|m&fiNWM*3lTjAaNfVB%b{<5)2`QoVWkY za^5RW5OZfYGHe%Q^LgMNtIT^4`kx&rzrXaji+N+!JN14L_AKgeV#y#qs|k#j$gUli zaeyHloM^IA+VxwrgFjpN7|##fUo94}i*e-nTa!RT@#&<+kxj3Yq8spj3U-;C5u#s| z@jKU62%*pP)uZ%3=t9T)H>RueCp~2ThduULyYK0dJ?-ZH?rFwrCs<&|H(}KZ9AiSAV_f6isGI~@muWnj` z_w~OlUDcA~ND%xbF+55ZGt--x*%p2Msb?>4BQADk$78FjvoZ@EqXagF{FRB53673o z2N0x?(0}g_y3?(VJCo&8!H(;{1)CE{vz474w)#Z%FyT0v&Jp}(zsDhxl&Z84rYfkP zZaH^d2S}`Sl)(29?Qg$X7Y?kG2XOC&_p~t@xQEJz7jV3j?~hU9e*-`m4f!~hOY#3= 
z*`~5v2?tV}b=RjKG)U|u-6ul$)aaR{y7l_OzkN(}?+gl`;%GN_oBijszA{BV*(k!5 z9W!w)4?chYu!H=5-I;E3YJ5%qDV8sd_#6U%+p4v`3@Axpzt>)nwUqsqz0ULEFRvm% z>B|+^w!sM}D9hyD+W&ps1fJzk$Wd>|_wt#+b~6Bbj-Ne#&1Jf8Qqpq)v)^cfrmxw< zDNa)gmb#7$4@Yj%2usv{&ntw~z=TEO6!Q^HB&tdlYOp^RL(e>h6S--*qJ;^;Xv_lL zBwZQIe6=C4A+iY$(h!gyN!1BjwghncuX8fN|M_0R*X~F9Ect=1@Mg)$!s?V~^v@$T z3-EJ1cH%qp*}mu1Rk<>!d06O^oclQcL3OT|)?pUL8DrMJ1 zhN3uLp8Td<(Fua1Yrn@z+JH2Pf$c#etapA%3$oIOBv#=)v}2~>$OTcl>5pXAyom(^ zA&)b1=WMNp-_Eqs(d0CbL{^`{h&;aj3t9jU@Hoz3y3er@cwmc!B|?5K>p9)R_AMaH zA_e({i1&NvDX9%+nnqOm>d{~KBgPWtySDrE^;v_YAOqY_Q+Y_eNe(6$Fg}bXmT?hc zbWONpy%f}@_|qmQQ}Gd4=u(MY@hu2Z_79M`l5ac+cg=)%`r+q2?*?mrCl?VcPKXoK!H4p_xKVC#`#AJ!{NNvxM_0ldBTMp; z_m%#1V^=fQ$pu{r$@7n(4q1GkUEgf33Z8{V%DxGzlrRWlKF@hLcgOTJw&&tptd>F} z-*Huf2i)G$-6vS#{ZtyGEU#lm-{-Q0?Sq(U@@fwMy;i2q#=aC%=Lc7ek~^V52K{w( zQS$Al@A@R@g7t4!@d0AE8@3OZl$7+OjEq`V)I^F_s7fMCM)^kyeqpY#=p__3iF^>- zJE1?(O#Thz7@4$fgwtZ_zW*^;jvDK8?DO_G1qYwjWccH$zFwwx@?Qk!4^N>n`w49& zgM%tb>dsxg;4C7pDFnXe$M?$GYT_$T2jR5q0Ke|lJRcCV#x*~0YkSjVFFy4Y=qE!=g$nWjr7Dk_z;9I>&&WP<@>qe927s%!eUa$T>8wfuxwU9 z%#PMN9Rs0?esGAe8sd{?O~csJk&1W5ztpIXcST?mRv60m@fQR_$En+LFU3Ff`&SbB z(J~0TX_L77pr%<&6@}V*i+AUbJ zj))B*+|jgnbvY{~s{SulKa$*T5#}+9Cnb(_SSD{kk;5*|Q4{3N1O|L2c|Z}~Pl$pyjv&0%$CD-*k8G0h}zY5DxVIZW5@@dGA7ho{LE z_WWUsMAhcun5tjKl?@%D=;WH#5hTXa#62WVCs{<{IbB?#9iQ#=B>5Z-*twx&{X*m_ z(hT(DA~z_VpD44No}=ZxPdq})*3&AlQjvcj%hllzJT0kIzud>+4h9vQGm#&IOzAIk zrv{S?L(K3~cC&4m1~#Yc^#pN4$9tBQe*kuW%#St0)kLO%n>b>D{jCKur=wA%dOH@& z*FJ4l`bG(oGqcw#vV?#CcFI**?m2;>Y^_KDL8yJ7o8?u7y~o zfd-FZw@h#%mNi+2UdR55v2W_mqIx_?brw3?^GV0Rm*H=dc@$w+{Sug>cj1;*Ou?vW z44?q4vk-dTs9qw|fkz}fH(r(uw#5f!-6Fj|uhw{UijTB1QB7bc&xBmwTqM89c+7By zP~ONU0fwmXbEeDES*JTNYFNrCOkI%KvF9#kqa+~!RN9x-p+dOooY`ya_wQ>di?0n= zN3a8OU7WyZ=CCaca$ZFIX)Lg$@0s{}s1yI_h}TO44mdi5xtuQwI1(iBvrN}Ds#u6vud5}4*E?m`;1a$vC*-m0=uq@ek#h=5gAfCCua(g! 
zha2CBuM#fHwli8?E%UY2(H9Npl82aU8$U+P{Za63ZNnZFVBb-Jju1PlMH&x%jK`KI z3;6(?a+vM@QXT!sxaS0SwdLO{)hX@qtJIW>EvJBevM$uWv@`D$L1ku*I(b_~Ux6Jz z*`kz(?W##SLY=^#NYApPE6oP%!OOyrE$|{^HL%N10v{VBUs>n2KHXxGq6Yyd`z;sK zKsuL`x(5W576rsLp*ZrnQ0}~+fz(K7?2IaoJ>I*>S(-Ut6p*QZ=MCbZF;sU16*4hJ z{v`DKi5Z3tj&b?UL$BR7jd&$9ZWij06CG-9lNI8uvKN5`dbnW;LY-xSn%e^CN~WaG zynE3^p}ODTeJU2yih|pFRoeMC{*dP_f%>(fq-<&|hZc!~lh>>ujhvSr$Xfv4RrX6? z1%)a#O%De7r=N8Ga26YmL}6ZMRShJdx!T7SVIph9Nktoj+G1<^UX>R<@O$pie*TG? zh^6!KK;glp%V+VluT`B${v_=H^J?fZdXWd1jRVQ~&HiRFQ*kG0+Z>=(kb)!JA9MNJ zF)gRwbeJhk*V|`^f{WIdvE2qb)gvELG@#3^Wdo8c8mx9Da4(~e*F@SyhfKmZL~i#~ zRj~mi87eMzgf-%rr_nt`ShjP2GzoADKy;CEhK&E)_Tm=@W2m$VFv;=dd zEqsRpLVWvm#$;iUVOp*yCpdK4tMDc;`vKV5W zQ2G&H9w3!8ZZ!syNL*gD*iM?q@_fh+rIc&u3zd$3HIaHTd=BpaJ0jShu(h5;0&9z% zrxVH-IS<0?Uao4?_)dBo25g2>ef#0L3BCg6$=d0+L?6ZzZ;B@_qVw*<*aQpBQzfF2 zN|I;Z>|<1au3`M8PjO8wS^9`Cx?`eU-w!Q$n%R^peAh`mF7&r1{}#810Ca34`Ll)S zM^8V*Tw34Q7e3=YH{ZU(ODy+l!h5uD3YI5Y64v|W)n+94(bnFuk1+`ZV=C+qiaEWw zhNsoykfnBRMO7OEpWBA{d_VQ(b?l`1lCCNR57LPtM`160YvlOso+|(qUAvg4v*|T5 zM2qmqStY`uPkTTUn4`sB(3kt279iEKus7s|xRS7T;{>u5X2xN;R2$s78OBhiWT)Mi zMfRAA$RNGR`V!>*m7d%r;#$7?dDRApQe<$IUA(z&#CNiHAeZcF?@-~Fc&9YQuZUHc zc~sn@bna)@d;@Cl_yuX!GuK41C&``O^AWjU?{d?DX`mO#Z8+anbNjA?uk|S>OB3gr z7YltwzCk1s%|U%*F0>quE&~R+Xx#9&v<;GLAHR`chWiGt!1w%kDrMX*cXs*Yr<3h=+fI>+TBrmb50Bop)=5b zC9pU+{|*7cCN}(-$ck|Wm)UN3lp5)F(Gu>v?Fb*$?>Jt>78XcJa`M#D5LDDa= zvdoV>x62$!W+{vs6_ZhMGDq@bB0F>Y#_Z+m(y$*S^^2i&jCT( zs;%J}*ZJ;mH8{d(Q;uad40z}W*}#{EppTB_Ow4HB3&m5a0FSuE77UdA>EsMeIe0WW zOe3Q0^ZG4=F<T~?sOOXb)PPJ0oZ`V92m|EHAivF;%*Xrm zp?4U=IVYR3)QvS4FV0;A3RypCTK-l4~^OWb&U`p z*~21&a&AIdemQT#7c|qw#wcnIf5qO9PYyBX^M*_=5Gq!=L_qPdkMM>@<|pRrcs2fv zcuCK5Q@2l5$jd&+!!-MdnigJdpv<^PMeSkWAwhmY7L_=H<(Mti`i7(D@|w!d$9#@UfBoIw3mVzf>u zi?YJD`hOzpxaq!U(ph`{^;scOkC+5>L!kdzzz3kzK4^OhZGn?JKGwnm|Bdk^3Au2< z*~3}Y1|!w2-ORtIYr7w(^t4CT#oV-~Ko07xt$(q7K>f!Sep(89)AiL7!TE@I>EPu0 zL|!@C+vl^*c7t=jwfPs>FJ0nu;OIo=9ov);qmxDdAZxu-55Of)*QJbvq zm7hKCj+MWB{{4Kvz1_NVE?>8WmzKRE!7s?nBKgaghxSHLHSSVkEABj5k8sv;TT$TM 
zQmCx2n!1m2d6qe^DGYjm&3UbzY)jUr5_)(x;D`jK^Rm2lYSdQkV^<@M#5wcu5o=Rp zSim}VNYfe{>HB#RU>{hpeq>taE-7p z2N-L3)nltvgzd?{J&LRd@20;z$rZxhk86xmS&(bzZ_2rC3K`p8){Nw8exbeTFT0TY z(L$@Pc4t4&@)DgE4NXjxQsRyvkVJZsjwD-KbAijpP3sIhp(s7DXL%lL6m_?|MddH1 zE^c{lvD>0~AC>d>Eq%pW5lVT|i}=P`Kj!#|{uZNG9H-+W3^eMZKR*wR%E&jaU=(Af z4S8@<_*)tG%kgblHj#55JUf3B8LPpCRP;L$@bAjt!}rna-1KX#wXvK1sB={-5NU6b z-efG~*9mt#xQ4|B@^z;FTjT4V=cOUJV{=jJwyxx)UH3`l8dT>Ozo?di6sLl7oL!Y0 zTAfCd{+sSUFpnfWvX?&Fh`BdAH4*vsK!9ctjhS&8CKKvWJkJji(T&CTgf*Gigv*|W za94&wi0h=nu!7u7`5~Attx674?5Awyr2na~EwC4N!sfsd4fNxP*>x~0iPw@8h?VY9 z01XE_u*Zx-c8uGaqfakGoVmpC*&}7duT(o*Rpp#PPXUgQ!^h69pBO8|#4IR zk((2-Omsx%2>z0KT1bX#WvFVrHJA`S$S55%w7IC%!HBqRf|)_N8JwQCFU6O^V>N*M z2i49{seh;hIaqVEe+>muq`ExxmpHV~a<`z*D_2moKTXQCKhwh*M1}mkGz*B7+$Ica zJ_J_hy?;wTt)IbQhbLD607pQ$zuC@onPDDP2G0vXRfS`y`i=LYGZPo;xFkMjR2BC_ zj>50w>T1KyfCxw_HsDMn5`Qm(H;`O;57Xdd-Y0m<7u$nV()`Rf=4(ShDmrIRwLa*U2&X$b?Ptr{k%gE+gm6%X02 ze_4=xnDU=#F}n7C)k(C&SJ7xJsz}``jtl`_>hy{QV#EDaxwBh*PN*YtM8e5fyk2wT zBNiBzz_xHqsd1*2l0;7_@p6ym-^`HQMvmf(i&tVtCbk@&{FJr{*|`tAI3Zgz+ikSZ zqiPej=eJJ*|AE3`+tDbo8HOZ&M;bVZf%r$d3M4N~L-uz9SgpdTAt4sit|Xc9jnPn% z(uJI&&Phfnp@_6EpP=}-9;cI4EbZf5vXa)I%n^q4fwsS5I`55E!FZlwU4Xgx<+lRg zK|IRfG!A?vIk1njl!cYj(Io8a=yy5Mo6Dg`-ay^B!Fj6Ya1OM~MRrlWSj zsWlfg=0ZGnHr$4%vO=zNaZ}jH*yhb9q6Y1keWKBBeJPZ1=lw&cB){)eO}Zh81y89X zMPhDvrFqjrnRTo6e*@rzk>PocIGWF67<!?3TsDW1`QBb56xrG`9tP^n*8= zgwGwG6eMXT8UOZO_dR-?$f(swzk=ud%IAe)b3qGrQ_%Dkk+Ot>L<3|CwUYL0ICdbu z;iT0G?O!bO{1BChi>r%Qsw(ly%QS^#J)+u2pTgDs%FRTi3o-1oE?%h9h5$P!(of0X z8*kaC*f}AY3HQ(Vpa~Yp>~{dskoY%!9OU=%24zEuA)5Wz{VgU!N#YTf)5$lFb4I~7 zcisZglpU2l71FZC&R#6uJV+9FFQUO|9}pB~JaHGw4suNrf3%k-W2%ExWw35n#0 zaX}Fj5)jFfy?mw4wLDa{fliG62M^1l^v5!O8vm#6@V;|p79rsowZ)|WYx{t)aR4EJ za6_QH^G_Nj^GK0 zDUQ3VMId1-D9K6p^fd(?(X=!z_xx7L^5O%Yp{(H);+SjXPi4pbK05U;jh_tm+GG)r zzmXT0Y@OgaIKq&SQ=_s*CuipNY9*Z@qb$Vkfp8_(wYfGXZ_VmT&6#IrlrEI9Zs(>@ z^}4>FVKV70h)BjEM)gqh^{;f1&7g2L`A|?Xv^nuKd2cmjYgA`rmb72n^a)<+Z|Xy5 z?LQeCme+Q{C2awnjubE0ju<3{>nF&Y!Pk!|e6PjDTtLr-*`1;(HDOQQ!rgFCr6lWN 
zNd9_^fat@8uvxCc1Zduw_|~yp*`Epv_*FHqBqdB;eFrj)#DzIdclb`9pLY~bvqjzR3lQ}X1u zuRw#IkiKP(h+JY>#&*65!UJ;zR_3qn}QfxKtRN-w&1IF07vvH5H*s=oG=~eXn*1e0ee;t)h z$`cjrzUsbOxp@-(Xc`a1di}Fh4ZMlEvdnSktBfx-eh#deq`T6hfQFtAxMt+)$;MGo zTlq>OmQ@qd!o6lF>Z?UD@zYtvPoXy}zwyNP03R4Rc?2r<=Ozilh-S~kdR)s;5Cfgj z=ga}c<#?3Kf+T+#jg}Ipzx{EbcVWIZos0$D@(E=9T)ejm8AB=bk}m9vxvepv12e9E z>4e}MnDOs${dwQ`a0EqD%^GE$rnvjpJI0x{CN~qvAs3B)) z%XozcqV@5pB@}(72(w`JKYg5G!K;A4Xno0**^8vmk;J}g!M{Q2p_f(9u5zR!iPh?_R{Xp6iLAgBx|z820Z@hFv08ToXx>I)%3IgzBp0#YKZ zf?XspQoIGbi~N&y+^$Q60Aam9&We@#fMcBQZp|@&y{d9n8le5}laZIpzW-K|Vp|Qd z;C42dSGeJ*Z}Ua%Rh%SyDcr4TBVC;=Xp3)LMhCU+PYZO}DX!Iy@lq}ZP$w)^^S z08sf9?DR$dxny10xnH`?pqTFdEH|eD%0F9wrSj1zwHVlMrU&;q>TT3yzKIaw34xA3 zcC6D^_IKcwzuP^PBmWHa=MrDcxUS@H6#up}f2D-EwOPwa!PK^#`qW9u;5~X+(q3is zJsA^TBh`M(*b-h=sTp<}YOgNIvYCX9d#&wSrA*FlHw;Vpe_7l$Qb2{#&0gx+DZdy+B--I6(0|J5vMri9^bMoc6K2v0KlU{&9JK+Wmd$rt3Wk7@fG_38!!w z@=ac3L{lcN=(*)95sYAke0N4LAM3$kCB*sij+HCI`tic3(keX7dUM?_v^0aXnE_9> zx-eCGi4d1OzlkMoOq!YyxfT^eKDK8-{Oj=SN7mQ2Ntj*c zHN2HF6umB>o!=wqJczg#vAIKh(2ZDKqQVDqKVDuN273PV8C7I%X!ufl01&@mgNM)^ zQt1r@DZn>&M@|g8IOlu5Zq4sz)G(!=?ekR<@0-6>JHg0GV?9?uTkS+aP;J&$oZ zO!YL<aojeE;+T&D;j_Sbxu+oeV@AhVY$}ah%!c^QbS275dIb`6ofT2g`N4b4h zHqC55*b$1;F(6@A(H(PyCt$CBo3IoTQG0Lo28Ze3!Mb!8P0jfce>!wpZHlhj70fZQba|FX|_*6>|K1Xd~Q&_shB$@{G>Xoh5dzj@(w^K zg)I+nvUl~6{osN&G4Z_bLdVkL))%nn99%=Akd(N$Q1?2D6p0)vgD%x&HHSoBU+nBz zxS$e95DY7H6YcfEdc6cj=jhH~I#uW%h7GFOk`6SgIf!%?BuE8>#Qbuu*XahRmB&~} z3OCK!#CdXmnV$BSp)+BZL>Eu|$Wtwgruip{Z(N5J!e#!hoYK*f#t=M5O+D zoXBtE0@Nj$w(HQi+l|VF$t+%@f&gd!@$Xm4I)4x@pp&A3U2d!%{4RMY_m=@xLAl)D zyktrm9jbi5i$gB8i$8p*gi!eILu=g}pv>QEE>7(-pJq$na+&{aYKlGNS?_I-LIeG) zqzd`hAL)?DAm}l0sU`1R~}3b zOa-OqNQJ{+Kj@09cyx|dF9PPG(9U*pPw+QlM6!*disoWYflt=rPc{$UMrrawi>7zu zwO_Ux%JIC?4xVfEX>s_ddVf>J6VQF^miVQQeZ9qf5tQM!ZXT~i(hoh??{yNgU2K^T znep!y%xr||k!5LOfp#PXy%ETkEux2T!^_iv?)owH_qnL3m%pG&O7QXs*2bcD8(4&b zFV!`#4kmqX@^r<#yq_a{L@ZB*%%GFj`iQxNCCYbT>2EoXfq;!q?-(!fVA&7L7e%Uc zoc2Oz3E`)FWSyoMQdDsqM)_jt&F 
z5LVq3_~57I`)vGR*hQ1xze(Mg7F5fhY&kq=DD>~&jxFzEPN5e!PizX@ZmU~N`Do00 zen*|I)1C^HviKi&LWx(jL*>=6TN`_R&0}Guw=%g&tdt&q$(xs)IRQ-)SB|E}{!RGZ zx%-j8kPY`Vf~@$F7%EM>Q4I>j*9Q^Cbe}ccFNnW5HcElas2g36k!$4~2AE+FQ~W8~ z&@e7k=`sY78lFyxQsD>%aCehuuvAD3*#2Ei|BdH54D6fO4p{zw3wY zU|Zh!B~zRsWi;zRxO43MA8=Asyni>|am_gNQ!-gI}(%2_iZ4abce`mtHKrex6k?>xo6?e6itwB&p z+3sLdx5re@HW7buFJIn@crc=onP}%}ubi@c&=iR7QPG!wjr*?EQqvfmWIQ(I6(5X~ z5nQWQb$`PO+HGZ+|#!iuz`y* zow>A-E1mF5E^ZwQ!31PMlb%Ndb&LX1rFO#TF!LVcYMK$%ek!(3+c@pb$EOLlwhM9# zlHiBG#F_4x`>c+Ywe~6MY8+lTr12Tzc9Ip>WiZ)_9p|!W2Qoe!%8!IhFbR^G0PB1V zwJ2JykxlDlY{Xlb(%FJi0uSQ&2D*Wj$MAUu zL5hRbDnBZ3n@Zi5iz+tiP?WHm&ls5!Wt@}D5?#xCm=P1F0{ud7#~urYrJC`> zNiimO5$d=VLXe9W2Ic!Qg#olM3UI#r53_x{Dn|F&ALp1tOk_-73dXYE31%pHh(A~N z{o8AKc`uR@$+Qm050~wG#l9Yq+xgiM(|BXD3wxv-|COW&Cvly~T26`LPAeJAHCa>q z$O6V#yecglr79cm!W7OL`3@P#QL#Z@s`t{Y60JT8czba_$9f?Nm9fB^kRpSm0flTPO7o=f$c=OcYar?1HFju zE8oG>0WK^qw+lx5pW$vZPtv~Pd3if62JVeCS4fgTkL$*5)O+KGT;FkN>eLZBVD!0z zJ)BusCsTSch3WInh&55VD}^HYstH{0o-`~cI#xo+UamZB1qLNc<_4kXK)V85;#4A@ zJPLVVNs=Z6{<%RhX;iSa207+j&A!B<5r@r2AbKFnIOQrCsV`h-xU-bAr(7rkc`#fx zvGk;j_PwSUx!2_6TkwLGo)KT_N<$Qu3~}-M7D5&$3vYh1ht_Z#jM)?-9@Wd3$tte~ zA&?({=WUwd3-i#A)`*kmOx3lZl&l2Nev^nDn>aBu-^`!kJ5N2gyX`MG4A4W;2F+F7 z0F}vY1$zE^KPw-nHRcOu=;=EeEONHItnhlAJH(YU06sVS=#T@JNDJT2 z3-GyYu|5wX?87&I<3;Rdrk!C-se*8;@6hb?Hx#Sq`zNDQLR}yzlo6~J6C)EXk*|tI z%+jxJJEiy z*-zYCNhsflqzG_Ny9ku)(lQU_&|4JUqa%>Gj+2274kzPPgZ`}o(c`nM0i#u}6$X*h z*o1~%9x==xEyVb3`1XwkH!~{|J}hU)x+e*vBG<6J4^4g}il_Z0A`*qoc+uDQIhAf$ zsM3}dfjgu@N8m#d!xA~>zw-9?h+bvif(GkDDq8d&1!LuTn9qck>)}TE&5Fk|^l??_ zW91@QY~Q&k=#L^l;7Z7uSt4!7#S&aBuR2Hy3BPuPVF(%+2I-RxG+LbMIU9RBE3!dW zn)ZU9e_xe_($p`tMrsKts;P|L6q+AiryC)2TbGbB2;I>0OR_%e9^NW*dk)uqP*N2W zwF=Mq%0OJv^_?_bnudDKZv8k|*&Rt$&$2m*fm)*9@G8@-3E?g;lRS$J($lk6oYvwc z2{2lw8seh~{jtI5&nu_QSb!!1Bb>;CKzlfiOr2sm33JDuP)vI6a_F_?YDA-R67v%D zx0yOeFa@m0>g+okBTdIyc!eZT%|N0BD@AHZXBogv?TPLYPp&Sk#ZRIHH*@3`!pKgTqyW80y1p=|kN?h3yf3=Xmk)=b^lHrFHrABsr@3D2dXQu~IlnPBU 
z7RS7NCQ|3#f9~IA;u+MJJ0NXv{##JPp3;TJ1Clndj6INbH?A4!8fYfjATEEfxlstY z2oEncUuL|Ya+>V1{yNi^Ruj`I?z^m5ac#3o!fN$%WyYOzL*!A6_qtmCrIN2-A}!>; zt+7@viJ|E56balviJ!`@n!X(<+vBLin)^#TM5y`o$S+kPhoiO{-tVR8x@J4QRFh); z!mwVFr#fJudpBwHr>0Z>-VT}%3-PDGMp-*8kt%~eEpF_Bp7~fCuv8el7|}3mnZx@Y})WaUCuL;Y?_}I|=i(+Mc z+EQaMYF2sE6QhljIlK|Q9vDbd$J=8VZW4%f64Zu?O~0Z*wZu0D*~owBqvhaoAz3*M z0+@}^*q8)bC)ux$XX_A=GbMR1cyW$NIvaF7-EFlB6g8Lrc|Vv`gU6#Mp`gNh$B^N( zk|ZJz&i;vD8nVYIT$`0Ngyn3~;|ehaujb39DT?+;>I;mz;o&lAsgj=7P?s&D?;nEd zIY6VEP@B3A%K3ihq%0*+H#a5d`?DtjmAPa|`q&$qDj)wJC?^{>8OGSg{N4^?rIy4XO zKfeIpDo;h#WhO@2?wb-3bJ#LS1V(?lFW7=={&2#TySEiLX zo#Ocv{WXaKg{-fLi`lO-djI|$MQ8ln69~cp35Lr2>nG^UwiX2AFJtjjI%IDK$xGCf zQ+W_=`zt2>Qh1wtzH}-5A z-Uz95dkKcjfI<2esgp`TjXch{v$U?ZVL)qGXn>}z_N1BWqJCDt+zm7SoNE<##sMv-CDUNfKnHYyWyQGdXL_ppSB7Z zN+%D9R+MwHv}B4e{qVj$4i&9c?-VdwD~7+hB?^Hox-Z=K*gA$so`OdX{DkRiLD`*F zxh>J(%62jDUc*(2gS6`J=ExPI4t>9lgD9vFs>Q4cI$5nE0Y_CFjQ9)XnJr(3w@xL~ zZp|jYJk0A*lD7`g4vJK=r_J5HPl3_|2^44<6lT_5W?18b(YJ=(hJ6^Zk$m)dC` zg@g1R9C;{UCITPOyHt(Sd!d$_xn`Fp(9r*zK834C&`ZC&0UK3b^QeDxYR0`_nu;#o zZsl!BSdcRD1XQD<=I7JLtP!fsU#{B5egd^1!y=TFTS1wBH`caEsJ4ct-8CXyeFg(N z?`Z$pcS}Ut>&5t(?;b8f18i`p&o{s8s6A|&`LjuZUfMz=Ig5@+|2X;mU?DK9ZFRCp5XNZ4$4ON)7;{Ju0 zds0NL@OYpQbOJ=y|Jp#8M%bga-h%P?xB|A@-+B9RY|MjDp>7N!dljYi^@+b#EX%J& z2wubdLI&S2zTHd26y|jLG=fV+lRrrJBFnyKs%~i%uv)*63SQD9HFKRu3Vs3%Ij@P6 z&dz>bR$eze@^$w-nD}x;`rR_2DDW1b=)G%*lixjse>aa6|D;cl>szuw#s8p3 z%yw5?pRFOSp#xldDD!7eOB6y0Fh*e~v{#UDcZbWyh82{_Fyg)%G!2+V#j3wkNj$zv z8#LVN?Gmj$Q+~$!QB~qBre*pX=%JevHL{Y^)W~w@!%uuUKJhJ7qI8S^{$*WL(h3>G z1Nr<-F_c^=3XS(r8IT(Waj+7`jpSl~NUb?+TM|z+o}2z?4;X&Wa`^Q(`3Dk5mWo01 zK~o%CZ&1HJD_&8sqCto(e`!ZJVZpLFAx)W}{+_d2AIT1MjDL3QZMjrMRH+(-t7|Z4 zG=a4xEPh%srInpJ$%Ic9kg%Rx8j%GqHIeD~Lz0!`1@m8oG)n^XG&%QlmshzKE63=B z#TCjGW;_{M=&jEL)W!c8%^6o8-^e9=6*zm(lG?r;!>=jzL7o@joZMW9WQ{tXKE} zpjB(r?nHAmneP!NM73H4qap46TuKd^5>1;^g^RQamCI4A`tpL^+Pcwem~Uyfef4r% z=hcQc>PqcNo6O81*BAA`N~+<-%#t)MFIpgmV2<>Gz^FIn#qWuK@R4yQwnK=8>jRt@ zd%r*k%yY#ySq^IUpsHus-3R$4kqLcGYGuqpza>~-Iq67o!LOAA1Pvu~2bp~aXTR0t 
zpn*+g8;@i&S}#Anuoa_zU&ll@dmECM)UIk9V(yKqa)|pw1md#pzcn8SBFdrb_l>R+w&){VviCJp znA|eZ%hkbPRH}5UrIGLy9KY{h-@oV21}!>(Lc|IUhnMglP1ms|snRQ-=I#p*OHARt zhaH~6d-wF0>^c8pzA-)Bm5@p)LQ;lMIa+;}FL48>&ML~1_Cc1E^w8*%y80xNkhA4z zO03tD-u4T$&J;e;nzc;h{a0{d|sPZ?EJ4_y72k1eAqs2RCMwI?05xSYUY7&c& zsxi(9t2c_hem6~}uS1VJ6H>)QY9eAn)BT)75gLq7%wN!)Vd!))zz_qZ#4DvI^Pec> z<~6=37MX9ks}h|^ukR(VUWimI0$g$?dtpdKpHK~mzYZ!cFU<>&&aG++?q$dzT{y~z z)BB=>V754T)%-qeJ;m z=j7$Y%PA5S&Cm3!QgJdbnSc@cIOT(nnk2ik{qtVYIp&#$% zl-h%sMSU12-F%`rJG55AKjhr<8d7k=Cp@Z{lOS9+Z^oC$WCAGG-bry|4F{QF!wzI7 zVea)4Yw-7mK7+&%z%E};zVlN-K!5dWw&d5XBno9u%7@fOAMRClWG<6{pVM%0zjzqeL1Dpezw;bk; zbP3rHasx~+^i06?aP@EKk@$>cAK=BgfZD@vHFkcey2A|P^ZDnK!v0wIklIfVI87wn z2LF#My?-g(uhAf2w@eH|!`r3S3T$7xfDzKU`#jqL4>b76<-3{6pCGH=qaYNtq2)e} z7GEV`I*(Wb{Br*3bz0a3>ZzbL>^RcpT<(l0NR@on;!G%?$NqFc&kIHFSr2aCAh#&O z`gyAVdf*uPf{?$`bx=2!>=LQFSLRhxencVEz@0wdu#> z#@qB7DX&_09PJQh2WZ^Sx-xW>YR8D}0Mdhgc2Ro4mFKwki#GtPufS#0{8H#g!P5UE zH0Sb9h75kZg!7a9Pp~fNkx5XEzd>g5M}8>}$4sjYUOZ4OWXivR>3BB$v%w#{jQZjQ zor((}`>!CU2NwG$s|g@Up+e02A!ZfYPY z_<}J*4ALk?sHmI)>qR@MWwOzwx#~m-4hDJssZ9#Fo>Sa!)<0pEEv|^A`xXo#LLipe zhzkOz`|xLWD)l$M!QRB?cwK4W?Lzq{L<=gq5fUDwh(Y`=Zv{>e{|#2`So2(p&Y#cY zQ>YBBLA@qpmZo?jd(~$_?!lVWf@|Ud*pAo%VE}1$!sv9Y5qcTT%B(b?N{_*=wDBrI zxvd^O=Ky3Kg1L4Kv!unQhzg=u*=t8PGG}sGGiQSorzXeQ3rqhdtC9os8(CNnIWJ(z z;Dijt7Pn4%w&?lz8oh_s6YlY9DAXzA)%WmHNE-gUdRGK1RhB0kBICa&`%g$yDK${d z!J+t?`Ejm3bcXzCSLdMB?Mc5dLB5DH8h935a&wGy8=zMIR(hcp&!~NX4+6(-K>o&s zcmiJe`2jlknLd>M7*q(1&)yVmnl;T^U$7P3xvAod0m^gev!eskm|3 zA2p>7)C&T4|CYuk=u%&F67SM3bZ53ME){O_`zW+lD!b9jfx)#zLVn3VJxo#>rIhm& zj*tIX5;tN}qf(I8*%0@gYE6tcp4&BT?2dNA zB)&iRgh2^-xR$1a1xh_+J=USlCT4-rF~FoF2tDzuGcqYBsvC=I7{zWCAl;qH$%rUv zcn~RwkLexAfHEPR)4h2nAUefM-M=6N2 zg6fU^o9#d1#~h*wN#==4{uo(!rFs2yMXd@{8 z#3E9o$WDA9%*KP7vX%mKGadYKM!Hwg{%>3XM!#=~Y2kV*N;5o3XWM#978#V|llDXb zC1)i6!RUQim+OhtkyeE(Xaf&BPT2S8#bD7J9^xaTPqqX=L%g-}LDBrH{k1#rT*lJ) zYUwo*DtAP^v>_uPY!+|J#k}K;2{nO$$vUcRQO-9|m3@5jh$3a@-($+tD8l+$-{zN# 
z5d0%x0kTy7QXm8m$M$m>dpvhcf*3P8lI?IAgg8x`>PBWlf9{5)51Swd;BtIpwo7>G zBuQ-N2&^v|4;u~enxty`yP6KcX=N(RkCI`kZ@;1Uj(@KckI?9Q>UT5DnDANWW^PUF zoBU;#cYn7$*Hw_J(x-6X8-vTgO+w${94l(=^*2G$)z5x zqzBIO+16U2loqIs!0&&0-KeN>4cY}N>J-28I{iy^2sgabRm-rHs0mrxE6m)ZwpJ5U z7@Er6YJXVjZG1f&AX0wR9WG&bCG2xbdL*$Ms^wARsLI057yfjWM1JO>_H=HGmF;jt zN9=^246P_C8CRg%z#vQS>$``Eq-h@ITMa4b8bC;J#T^92TI=X7o2)9y!tjLXUla^5 z=M(llYUY++A7!*V=*GWVDh|UywvD(cJ0TM-r=3L{2UYp$?-xGFTh&{l?Bd_A6Ay{j zkSdzK8_wp!1U#B@OGS|_H*^@k`mk`vmtfG$%pV1TZZ93J?Mk+5BG%-Fbco8=^S&J* z^o7bsxo@fFP}UgRu8n?B(WT)72iT4#tDVDSb*4fh(=@$Vy4o8)(ZmddPqKp0&rPm= z7kLLym9~HNei7JhAYW<1+Ojr$W10?ZSyh#9XY;)1dxF{rvulgR$DSkW^QN@)c9 zQLZ!|_j0iL`fN!MYsE&Y2h{`-%{4}S^(Z?wnGMVGinAHg6=sJ0^*AroOLi46mz=&e zd`!ZURVWqIifnHtO=!>guecK~Du;efx~}Z6BuZw{+9hR(bFB#R#YA7G>@dJm*o>pQV%FzafN>>uOQ&OAxVHPt?C_%jI1rpL4k zk-hMy@%IEA_&@tYh6LSbf#RnvzITm}qQ11ny=un2)ehN}vZ^6)6YHCq^bd(({o>Z__fdA;+*if^0M_gum@wk1~f z*d%YG078>~mMth0(P{#Gs0L8K`;()O2w~Muf)y-)P%6)|RR%Azngo4u4C4IMOWW32 z_fkF-L+5z}UrW^5tWSh89zGH@uC^ur=#t>^HcgZ;js2($>9K!9TBOCL&b%h zkp}f5OwwTj&tbb1kv0U#c9c)z?>hQx5qr`dkaEfcL3@erd5NIYlh9YGb{bi|$=0#C zPv%Sd>l{+cQzUq_wh!qkk=ov%sUCrG_*9z|GxH9~aE(F#f&6u8UzGoz4VOBPB6)r~ zXxJdb8_jE{!uVRn;rs8dFkT7Y?Y!1#7nzOcIllO$$Ao$62Ho_-+dMSpiSH_k%OQ_R z)(#it;$4|&PyStIJ2mQa?On|twqWlI^~LE$^<3%9NE>&1h)L>8#K@h-4IJ;-`=4ndu~QK&ti*;l51=3cA)2VaIo%oJlI zInQ2wz|^U~#>4sQ8c*S6W!1tX+UW}wq0?5K?Sj&9<=ZM}MmVqmcC^+{UCfWq@W@3` zoae&EKB)KnSV4Dx8IK}hqL<|+eYfvlKp5SatxrxZbU==ZfY*MixX!fn{RW1!#S8dn z<$LYh)7-c&{@g1b8Lm7ok($LO+PE5s8_!^nD^<+xeo`68eZQw9$TU79g5jA zef0}i`M<;nGf_sTjH_>eG6z3<82v}TnSal=jh;au=C~+tNR`s#^GEE(q1o0=sUe$g ze~ut%xkSlQTDoeQ8S;b8S~;?u=g*-qwnqYMh1c@)FKE1)(M%EdEAk{P2M~|y69>yIAx%RCT&7I1`zbEX*n{9o{PXW#E$$*Y0wq`+X9C}Y znz1V{=78PXDLY$Hh_kj^81^?81jHU_veqP3EHNx(o%7EPNgjqJ^L@jl@gRAF<~q@= z(YEzX+%dWQV`PkcUnwn`c9f!N^!vyzr#U^EoKs?~=pqB&0I+zY;bf5HHVLxJT-MYt z{P&EHC{deJp*Yg(yt@DLW9%t<4PbCyuep|}rd?nLW3TvqkGKD;AaZEPy|#q0uk+ko zAVgJAHTu_+&3rvMW(b)Y9agto*cG=<(|*o_RK5-OsrX0iJXb-fXnf`hv4b#DGjSr! 
zJVSYcoW-nTXnWPkGe|_4Zcc^2jRO1@e}gbv}YTb1RKAFFZ9!OUo@!6Ds*f zo1u%5Me?Z`nwMpsX@N5rX^OyCGJH>&Z=PUe7bAEEJUfiK(m%Jnmm|x~=|sW{#Y=zn z3?SIUha1)F@_0d5{F0Gx)(yLqW>aX&5C&23Ov`NBOF>Xrm1bXQk)Ata*xp92@E2m! z`=5Lqv!inQkx`>6JAcK`aIv@ zH#kn54ft-Y+jEHogsQlQkx7ydh1XSDa`Kd_kit=I zCdg4eUwe-MFc^R0VWo={X5Gf@CxUolPRBTF4kHx~%`bl4)z{G<2uEJhe&KY3$-jaF zdooa6P=cN-lQnzU(y;TR>>-ok-|cV9%jZH;?v(PBtM!OugcWlsxn}(3ZFVqh}6IMZf+!fUsj#&+A9n4|iE;9TU+^$Cmi zA`QaM_5no?17#O#F{rFlz50N;DM0w}u;{cA&~@L-_%G{-?3@#@*>&aI~^g)4><-6xBSP0qA=!2Q)9)BjXIq56%=aN>dmo&9X`l#`}K+b?E zz4(Y)Db9y!YPY_RdBdX8a%<7_qOsO^0G5N&IK!VZiSe?SalH3jWZn;qyynqLx57P3 zm}~fA$gVYCIs5ZzXx$b>#5x0AOraEG8zz!mk-8Bs>ribd@eWs2Ei5{ITO2DV<$PNi z3$(kGJ1Dj$7^;_vV_~wLPG>Q{KQ4QYB23|3x;~1QM^Q0X`SnBNZ<~@2M&E$(1L{1Ct-b62QP=N-vAf<=N=(Izh(cJJmM9jxDdMX6Gev(rV4d03 zyvqyJFmAzbkQam`=M|LXMtGsF^TnbdyJHsV&Y+U@UH5GdlPc5x5{mCrzY(p=#at!e zUx4*jljBrLV}d-k)?c;k`eomkAke+3Ulzv_Uv=XRaLdk>HB8iu^x9FE38+icPSBkJ zJ*7R6hDRBssMubutsEpny!IlxJ_^(RuTC@CSI8S=>Avj+qDr zI*-uj>sNf@U@UM6 z_fS~yUN(rP(%srjp@O%m%mAED93t$RQ}CM?6W{sp;jSvJnW_c!3poctg*EAJGDQ`7`96ok}7;Z7v+vmQ2)Kc^}SzZaSw z>fdN}oBK~f`O4+P$rD=UNsz7)5{pX|Q={)V)$zYeg6^L*hZlHw=o+4Ch;f|eW2cr?7=Kju++fuglHy!WxoYOx7sj^NnxGk zs(I0dk#V)PFe~)>2m0Q?_lutt`!??`u=FFDqR|Q9a9-fXB5&7cFoc9f;m%ZmR~JI4 zL4jJ1Hx6}ASivG6 zw;REK^H^v815U%lp$RuDMui)Dj-()V1Xg4)CdnMIAq~-r`h6bD?I^K*3rF}!N;njS z6OU6`2AHA(!&K2zl3&3?$<(O(b7COt;konDrxVGRsa7q7p6s8s^5yblUH2eRoq5+_ z9U{B$u*TOTzaiY(Zz*FTIDa_n0pZJcT?KgV_vwM8uM{<8T+{ajoaCPf_q1qx?=Btl zmtXB*^K&YJ+K!61+)DfD@{(+Yjc40R$b#|eG22uz}f_krF1Fz-K2^ytA!(Q229Y?vxP zwH85Eck4`eaK_7hbfkWm)sAIk!lmdfx34BAVGqbxeSR+ps(bPd)Qvoy%^M}KoFscoQn}K6$ zGoZC7H^B)$4FCh>aa0~rvo4}Sh!7@R2$6AxVxDV5-tv83avAD(IFS}#u)i;dh&$AkcsNR5zg=5UQ1U!v`E8UA`pK?$_8$0 zujz{IT7I7d?Yv9@y+K>c?{d3O%ip*VCmoyg*S*vTc%*QXXU$aaTgSFuGt+pWG3$fx zAD4=HH#5rV6V!VrDq2}xnquNQKnQmkBKE^w<`7wAY&&{WcA~sSk!qF&j0q^l|8-}O zsFj@ma=Zr~?dgZR^TX4TZQGg73q8o*`IO1TU0gKHYjc1>EF?bQzu=S?T6>eo&F`4b zh*|OZB+q~uro&rSe(;RA{BDWP=Q+10SSOEBM6be1RDSa76QpEYPS~WxW`Gy6oYXJ& 
zZ}=N2EjBn*@U&_6g$8&VM8sKbFT6h3db}w`ZmF<7F(DtHNBuHsUp1mNwO&lK=4M~+ z#_&y#Oh~H>^oa60=;LLauY-3@TkNtkZ}1!Y+UTxObKsmhsJlBQ{<)Ax@FKOcG2k<|FbV#ir|)E zCFKF><55*8PXD`+@h88o7IB?Un@qJ6@HSCgP7qYRz-IxgXI8N^Qs7}pk_yby6Kz5CfKlNEod-^mW??9s9(LU8B!pcC zhw9Ky?578Lx;$Dg@sM;zgB5jDM83gTPf39Q+4#qXj z^{>)NUD(LWJCN=PSc#dRuyvny`5y3`ovi3_5}X@tc+}BS;W8bIQx#%tO2M9e{^dUE zSUsdK5)Xn7n{jgL{=5ZoVbl<5Bf9zBaSXN4A!{ce zGqIUPVw~m6*e^XEU$85#MMCKPjYB2+JGF?rs-r2WGu);nZc~Fc*xLL4^1P#7Perdh z=pr$ZG^dTNRekg>Vw%vlY!CDDP`+6P)25p(N_B}y>~0B>_HlYThV=Q9a&-ycc`2qD zE)x(Xf{BkjDJp4&_O#FX2V4Xa-Cw#VBdA>Sdi*D#34Rf!bTTx4VrAu*P>3dUh+Fdx zB@}y51+dl8`Kce{s`R%6g0fmcw~R4C z+bVpP)N4??v9BGZ7!n?<4j*1l$g2F$L6YqY1`x*j>sN0@chD6(I8DxT4-6uIJ!N|a zr&Wj#QP0K5)<;GGis{9Q!r#t*b;2WC7`AE43a7Kl&Y3pL$T`5<7d(;r z_)=F#6Csk!qo%~C`$=lsppdAtU91Y){agOJmfNw}pyV)p zBqq+|r<9)HnES&GFQm#;T%QJ^87$*iq5$eS{^Ld4^e1yS2db_AZC=}A&BGO6MR~E) zvG*DBlC0DKz8ui9Z!83tvrbeyP!x(d*b;j@+v5{+37Rg08FI|SLUeqS1ujMi zH{sgTgNCoZ!O;uF1b-M{ws3Je!+%;S3pgHPycT@*dgHpU(BHk#Xj0MO+N3oti()pZ zFqz7{HaQrzso?EG7q$eN%cw^$HVW;cE@n7r?xh98cgRYl>3K-Da*+s$Npb5Stxm@3 zp~vPyqqE(9+7~`UVHmRdS6i!nqYW&}X7WvU1aTCt6>?Jj(+X>}hA<9u2!);ijdXx` zyrvs}nNPKYi!e9yr?3JVb^bJ6&jb81hOVCFrtfV2)tD{Oz`L04K@uVNF+FD=r6I~8 zYNk%HkKcM4*;5P0U{m|!^-nY0z=S1E7i)9ZjF6H3!Li@3&ELaYx`f!)}=Ug z^(^U*Y(i&}+I)$iRrm}Hu0*S2Mr99lX104#b>A7_@VL7!-c9F}NcRhm1wOrIVGm;j zul|~O3%2dC()0{U#6)9%!)JRZ+>W(4Y_J6wL&dvr@m&x#;Vm4?ROK(NHn~7=*`1`A zB0!@+2hWe7&z(tS;&ztd-{d+?b&p6&A01oU!%0^Q>JLXuKv11-C7&DZ{OFp}U4YPC ze8=m%1zKe@%hFil!$f8{NMvj`^`1$@m{+{T=wgsQnx!plZ*GRm%I&&2oVwd1JByI#OP*v5H+1 za)EykiF@ydaDLFp=vE;OHx;TW`r8&IS0eq-pgv{mQ*1=bsM^H_0_GVrc4#orR)1ag z4x_zr={a6hNV{*@`#P(5(j8VAinR~K)%)5fKf%t%X%)sF*^;-z;aR-5r(yHLhV>xW zLg$dwbV&RipF*%Qgx%e-1Azcul=$Sc5<%gnj`%J-?P zO7)JM^2aQbdc;}>Dj&vuJJ<&MoSK*2|Hu~H^%zn8^_rnbK5b-I7&8Ngrh>0JNw(RG zvu*9>p=~pMUor-)DMU4ECb|*r@EGr-QgGw3E_e5%m2)TMO$6Y<$L}$LFuvWIoKDe1Haf%)kt5& zT*(vmHxhtI34_!tPXT=dAYU9=AF{x@yoGieS}Brn;!j3*kCaFP1DeP8TbG507NIA) zp5N)iITa3&n|Vt4rYj!iV|138lrDEz^Np>@cjjc^H$Q%Ew|e7gS(lL 
zQWq^?LKUIULr7W=r3ufo8}yw#j*nYWcMAmi8iWrq8NT3tMTi)pytH~iL`RrXj^1Qa zL4)Ngf!I(^-d&r5i9pQXMFNX@PqXqgwe*8t%ihz^9(WFGb89R@`)?!FLqdRF!rQefkQ6Vy6;2gXbq{CPCCOlZCi{78su<7 z;`F2n1GUjXCV6BF;K?~Shf&fW?F1}Ty6PWH9Q{^$J{JGraFG`KgtoJ>0C!B+5Quc~?eIaq zPKAQx9kU`0DfLz+CSQ;t@I9?{8TAC1mA7BuU68bw!$;#$zQl{)9+#M=X+OpIT)5=9 z&XN0&1oGAAUsF*nokKB_Ku&NFNO!w`Ca`7@Y(_#dq~Rj>)ph@cbEz{>_4L-96RCL# zf;utFUbTgBmiC@9@eQ~Y_pM3-dj>W||0c_Gz1o<0lb6?59E(2xH zol2xAjjqVi-A};%CajGhVM6^CWUvlDz+(S*;p*=qWo)t7N=~SDyGmO2I-^SJZ$Vjo zT$Zm({AQE0MYugp-<84{t_W>#UxMSc4_%%#wJd2xLe(pAJ zE9Y}UHf0T%cY{L;RAL$AYl-t}EHz$SSzIas;9x*5p&P$k1o6R z5Hj{PvHJcN%I!)Kc(*a6Zp1mCv*EQMc6i?u+?wKHwk?WMfx;03Cj?qb3-K2xu2}vi zUMuOwrPEQ&&&Khgx4$b%+slQS?Dba&E{UWlag2UIR=lI$H^4%zXAgOgK0d=&xMs+{lw9H|q^&1ICcZ|WsE&}b|d zBa|^8A%bb%6G*W!cLN7h_^B}*PV1wLLr_eJV27V`C@oH$Z4U6s(%fkV+KfgB)D|6ba^STXpX@>-d3oJ|3& zsVqe;ebNJbE$1u$XW8(kge+)2)eoLZ9=>{Rga}arTFCr{i!EZ8&c8)iMMjqq{}`qR zNv}11%`JVfLi=kCQj8p9FX|0&cub@;2{k@w_F^!=eP-J-jI#g0EO>g1l?!3qVHN`I zp)T+tjpei@RbgF)AAbvHj%eVTuQL2**4oKu4iE`HcZSuezc>F(C#W}md_T5kyHl{N zxvV{$*6(LO+&TcRJx??I;WbIFhu4OIqlONTIHzt8Xk~_!ro0i(Wis+v*0pPYN%{Qs zb#>tyDp++lD>%e)4VSW7d_r608wDXrhMbp6VxTb9(%&i+Z06=6NyQi9+2qPn z{a=H4KM?I-e%Mvrygfd`K^Pb;({{qXkrl-JJ9B6`@Ss0MI}IuRvOJA=-o>f@I8ug4 zP)~r#@BnB8#y{cJEhdI{hm~f&;GLtn$9jq<2vtUWkGZ&|G>3f1AmxCyot@S?Ag{j^ zIIBNw&zZ;AF{T&;_s*22YK$O=eDxu1z|$vX!T#T;fT~lA4VH|I2a0ow>~B8*}ogkMmpK0$B$bE}q}sCQcLXIQSqkT@XN zr+ge&Xbwa+xy@IQuy{W7u|uHrF-0Hufb`15w;@s;`Rf=?g8mJuKOri)jMVM7FZ9_` zkR-du>wr+N!uZdI0-}#IKC@-u(Gn7pBdVQ$zIG`e=0Kd@9H=uHxO_a3)v@1i6m1LX>D1f@?fbiWSGep0 z+z2zc1ggkRb z>_gWu2?vcXd|`#i`}ua=f!ZaZEWD)@mjGNjuwKSOlei&52GF$MsN4d`vg17y z!dHsYb_NBdsf#Ddm0VhHw;Z&-tXj~E8uKMI?LU0q^_ zSPhafv-Esp8+citU*OkGps@f(+T8G?^z>a=rV|XT&=V$>mt=H*=5=Def0O9=<*!{R zEi8^3226vX5d$ua-+gXS3O?E47nzwd(12%5V{5>qG-iiPe8PfJ={9hxV<#j^Kx05F z;q4V7SJ22}R;3AVa`RhNPUHii@W^*CLLu%3!CH|@jx$3gZqn86F*sHYc`@u7Mk~bM z&_v*>r)M~*g%858h>pe5NlGxIc5yNFD8m*45S1r;j}(wP)ABM{f1n3wKw#Nx%zs@L zJfs@1&m)}#$N15{fF05JzQ2=SC@K59#^fmpH6+$- 
z&OYRF;of@1{G9?57lrxrND!l`0GiQgD)Xb2sn3zWa3QVB=N1dm?r}D~cyCDf9&O_w zHt-HooOJ!|IX2fHmc?|8);2CD53I@5IyMZ-3Ow+N+jh-p!!NamY>W*HE2NNpW2mXZ z+1cxcmxR5P^+wv#a`8F9kX| zDn-gDf|U~vn$20%>|m4Qv-)h;nU&_nSD;_lD%Gka{3b5?99GZhVke{#Hh+H%2+>6I zH}>x3Y*=Za4~iM}Nh|eB&?W$?554^-4pXWCH1eO{#+v^C~)OUA@KWeEI_{ z!yu-)_w1c|eMo7pnz+G4sKNGK{;fA~I1u}%S}L+IBV6HWP@*+J9Vb33>9NBhkT4+O|~nQCK-Ld2DS{xft``pbPVEMDwVN*K3pClS~qVbQ)UtR3}`1aeqMZuMrJ< z)UK07q-3qx*Ab^7Bc`Y0-Bxp*G^o1CD<#iwpzh_B{5)Ns!%OtSXIaO-LGdNymsy~A zH08B9wuf~Sk^nd1(LN)LGZqB!`lNW;)@c93P!?0a9wTtA0zH^6!+lmV2sRwp)Qsu9 z<0WJZ*u;$d-!I6i@q5r*c9R*r{T18}OhSh@woH~0tOEB~m%E=bjd|PVtKYo_gMV0u zugPi}BFm~n2s8aj)GJId)Z@JG@>@l2vUU3Y*gBn zp!m$`J-u-J15#h?RF5;#;vh2!SUyQuQM`ZP8}zJDxT$@yjn?|{^mIQ~`Xu1WSrx}4hYnB=xDCd+| zt0ws0*m6XX?XcT;&IkocMVY%?HVsUQ>5cUW3Xs<(HJgkDm6p%Ey|GlGktcuG#kJG1X5V8QA`1!EO}poA?riXB^R5 zbWrS3zo75xO4XoiXHsSG3G$_-)yiHlCKtE?csP@eHm3+<=D4FzrRQ4RP;j_xU{ni@ zzsM7R1r3e;HPr>0eaz}w;<$9PJ~Q=Ezyi(a%1~PNBwkf(30V62Q*AFv+X5et|36Jv zjo>8eLt+>Ql|z|ma01b!Y@+4uDgo^c_=F#10G{1CLeFV-QSTH0P@KHTlYoGoRZa$ea(oJpA31h6U@ zKX*`f1NpbY=AXR(bc~^^RvZ8H z%*c|>GFVB$(h((iLHPP=j;Gy-btHAVQll}>hE6t zA2ho>^i1I&SR&B6!)~;J-b{oZ2el77h6z)27h z{ZSe9gz?D4K3=*qDa;~4LH-5Rnk!5%Q7gs7PU!U%XgTDoSM)j)5F3l!g&{NXA3g1y z?NL_M(wX|lrQX68R{95XN6@p$vhrU+nZ^44#8XkfHmuty)apH9I+_zRZ0A%jom=BQ zY)?~O&0pr4in5}-!|LkG%q8{+U1WuIt2e%|fjb$S@7_H*6cyS3N7T&%8w z)kfH0cyn>39ar>A)$!H<`5aQTR;u%B_LcwXh~aN`7)Nfmtwj2psNwaaeeB6JR&O1# zB;<0%Zd?j2li7Zviu~|fILR9N`x(=L2pGjX4q-kqjd1bl-w%zehR8pXGOOFqNTR#N zQ0w?b*&)tKdM7u~ob=wXNC>-t8yA17gSe5c{GeAKUShY$@AdYMDw5KxIx6Cc)!cex@oL8KOZJ+Ld;bfy=#ON2k#RKd?&<7aiFlJ0 zp#hb`O5R#`rr5azA4lc!y@C_S0Edhn(hu4KtcHLk{DDOdfQxz1gnNaU`B*nDgh1h`sy zh;#v(;mV_QZ^1Z+eT^*Y-QG9YczdYTd8@0cob*kS)t zrou&pUVBhaRtXt}j*aP}P^_&~(t`lQs?B%*u+@=;tM(+~ExR)B1}>gfkn_H}kI^F} zaC-@|T1+pP_URlw2t-spu{H{_zH#YU9jG8G3sNEu7n5f(lQVh4^v$qT!*#P0b+&3T zp@@2;51)DB%yAP4)|q={fTwIVJ^GttEfVMomn*yl+Z+?K>CayY4p^lfoU}d1ZF!1? 
zJ<`e^Z;6f1;tP#gIqR!Y&W9-s*!?!+Zgmzz7sr7`^kZH2w#-u9s~{Kz_NuUs>9r!^ z2BWKC%hY_HkPb&Txseo*Y2bJrOH*C*FF%*bK`vQYz*yBxUDAg7>Zrr2j3ncJK|Ck+>iwtnBSl8vzn>y zrSJEP%1gl9_ou=%%^VAxQ~Dc$$4r~y6Qhbhi*2W4%Acj5VL2k@181jR!MujbjbE0! z9o)1qQ{5Cf)eeID2GmxAHSS!hn?*@Mhq6*xUy8N)vCfF+Ks`BoOj6`U-%ccd8fI1y zdhlQ74mI+EAu&=aMiagl@iU+~aDkz~Klp^%{E0yvNZjn#@G*SpY@gymw}i2LLKvy3 zfp4NmuvB4`b7gTD%tRmIkBtBeA-O#CQvp)Pm7IIrzge*7!gJ+_@4oe&WEzK;w+u8X zq^;Zen|qm*WLzx)J_E(D+(iqnb-xVMo*owa@qIh_8_}7vaV&~u$h(oF{Gc~Tzx~7# z#Ex#xcrL@HRuFUQf!8|9ERqbt&T-FFV6-4EpHdU>gf6O~A O5++h%8YOr%(UUg zM(AaJs=0D`y9lfYk%m>!LPkQcuS{P*a7WVa={~5bhM-Bq^2CNL%&PxLqCPPt`*p0) ztUm5qe+jqK2H*SJufo(?u1F^-9>|JhWlAYE`B<2;pkTfX`+l!-{j_WiAcC6G4A)|{}mE^~I{1RfKFX7mmvh~D7} zV?lGw&+j{((5ITsGMS~vDNNpg0GN&f083;HXr;2B`y+@WMY9c}UjBD}C9J2HjQVFf{<>$O!_=^sfGpw?L0fI-q+y8_ zTZHYFXM_`EOAftJtu)qiHw{^YCC_AW()RFE(6U-jL{Xot+=OH1XSDB$pSx_C7_Z&5 zu?!H@HQy>18h3Ip;j36Tr(%m?$VaaQ*>(NRLcN5&0d{jWd{_M4J)+4cf;k28v$GUN z8ZAxj-JwX3xohFhGVZ)m5N$(C5(^T?=?jk;5d*9-o7`_A3wQ<6?XN^!Mb5~I_&b~A z$dVeKHpkYY)b#0k=UAPG)2Bn2_GUi_&W6QB5dkMx2V-b_@i>bg9`lh z4rkacGRL}7$I3ZV4Z~qCiWwt%0?GpT>H{}J-9p`i$nf-!VtB=Ulc9XF{_%dHE|pG1 zO@#GEn)rco^>4Pc9@?6F5m@ip0vP>!q6UTuC%l1N+=p-Uw1XMDOyun6q-Ex|3yPF# z`26udhXfLJhPOm{jqpP#2U=2xTCe>MhrxP=U*0s7kKsPb8zYXaYuzv?nAXX_%+v_E zp5;nZ7)$yEk;V6{%>IMZU-Tq!f^FY(zk^hI zUJ2GVcZ{ZFztYT=SmdnyzX8WQq5nVzLf`a{19^pom|Ygf<6~@gAQ_!ZZu*Oo{qM)n zry#9{965H;fo$LPbd<7*jCLv2{?G$VVRL!LpZkbqUo-%|DRD06A-J>6eW|fxGoJU--ofHb!UwZGc3pDwD7Ur{^S69i{gCbQM6~JPp z#Q+OYoQ;}}mU-@xIaPwns8vObddVMjbY0!U9FOySWhe|YP7Up{gua9%`X_#8Aydzl zn16%L;3w@Rq0~ntJi7kKC45o7@9<+TE(^Kx%#P;%0KueeH?VP#RR1b)0wRdyMkZ4Q z{Z+JZu3K6Ys}^tS64voueZBNid!S~U1kKfKWGEg(=(NdiGH4lM8Tb^~usih8(sQaH z-zDaQF+>r5%D(imu7l{rS9aL*40_VUr;o<7$PadAu!*IYzVMT{X2$3j4!LTX8YQmnIy=)E2 zc|I}bVsug09dZe|o&<&x=*}%rft>iojB}b-=mIH%QK0TtgDP2aToqE@d73QSytci^ z^GUpDQx^XUGoUtZuq1yY;D4OY4Eda`@gM4zy~Qj|A+LGpcg=89pB|mxDvAQe?iPNF z{0{UMYeS<>8afyyNwj zZS8MA?$EL!=@SDE66u?8UT~`H`*Fo&UgG9<9()uSXXEA!$}@Q+16>(8HpjgDGgRnqA@UJ?Ii{kRrE35{O0;==4+$%UePYwLh=}WP*K<#}Zl> 
zgSHYHxJ$%>D>QRhtB70OK+;nh1k87U0A+eHn3NCQL92C!ePCOsA$JmB&>zZ4_rI8` z6ig=!7Bz@pu@vy%<$Vpf-w%Y>O4Nj|9`$j)yC?+z7GwM{HSrvM-<&379BpKIhnD*g z7uJ@4fVjkIV{qUyQkW-R!X&ph1-<9GYVq`}RaS0qfqeoc!vBsRhjd#4*H3{Oo zwo$bj*@k_A9s!@$K01OKn{o;puD@w(u)ND2>WlWL$$U9E_@4+2JyZwq0J6UHkwRX2 zGW@ctP;^t5I+RdS=L@0SGx`A7w@+%1OOmv;?B++pX9-JR3k{)xLs;7!-4h-~;4nXKPd6Vq3Cx(ND z&DQcNHE5OUZ*CXw$ugk;LuPb@1A@Q+0jE-EHqx#rjo;kPeqyKm5{O@WuZOtJvr)3o z>`O&`xQ@~Qxzqdo9yr&duK_mZC!8EwJeT>rtRX+#b2zFm(coNq9_7Rl-?=e)B%+~{ zkVpAWvv7CQnmU7T*sPd9ZAm{SP=TYXR8M&8{y2!}CgsdA{;?NdC=Eidg~&HaaEV~7YTb;+>@)My@=h9Khx5lZXsfMtmYDT& zU(|k`wQ?3s&-f!-Gx3Bu-^j4c?y|?^E6O@{1-!J;W1`qQU&Z(b8 z{6RdeCFsUBH2>%j+29JD=0|C~okKw=d5~r!0oHQVbK0t!XYlvs`RSA~1u36??zvWk zw`OCSH$|k=#KNv@)RWL@jY;BD&_P5u#$#N(Arr3>8<~PJ0|&tb!6KipEJ9EGx?E0R zx|cyh9~YryD>8#;-e07PeVR#KTy=it{93%+xvA>2X}Uiy8DWF;*S`LZOYcq)JWFoj z#|c~MB^bp+-ng6(@jR;7X|xo_Cdu81K{OzY(7-kws_d_)4hp(LRLtNv@ zhQn-gJ`DP}SqN6!&wM9<&F5#vatY1IZvR8f@ccYEhStm)PM?Y4JHn=7y(n&rKKO%qJ~hBkvhI+9=eL=BUs$zKwtMf(%Qh zryY_|<*faZUNRO@^GS$TCy|=RA5~RE&QjamEaz0SL?9)=qFx*y_I`E;f6XsM5XbP0 z56xVALjH-K_6Ja90ft_pah48Zh^(7xle8f4Yzvb{UCJI8f>@JrJ@2T4ohUce7thyEVrMK5zjGeSlXD)Xi@TI0s zbv}b)4>a1Y0niX4bDY9S%b2d2d1^*205 z^=v@U!F6mjxrM_X=Y=U$lzTm1k`l^e(b2;AKae`Eng~h6P6tB_Zku#1ZxBZQB5=j< z9debY@*#YtJ@Ux0&eIT{D9@@Q^4rc&t{<@nu(O9&UiP5|7=j3I8R6^K_NQ2Tid$*m zeb8EjmvE8Ds#mz5KdkAuTka%XEDLIR6HJmAIN>a^I{G-=o7YwPNv8KhE!l=ta8S;n zdCKIak=kgV=Ar2l){S%lQk1E|bF8b>g9y@j{oKR%ThdcVR}h>`)^%@lusKGVTEIuk z;NTcJFRd&7e&5C><(6RmypXvB`*sucd6Vx;SxTXR{#LOa2+*#dEpjA^cB_}Fz<79a z)gQ6<6u6b=BVBak&;9d+;qN^)w~NRHt2oU#{GAl!iGwI)$J8*OyF1Bq5TcX_HkCpo z^t}Zcv(Ib7piKT_;0qzdP&`gDY1TyYgHdJ>2nL=!a$V+@XzLAYr4;J!)&U(3sI zbOZY8mrP3^qok_ffybWsxy~0|n$IpiC(7&50q$qGkKU_r!k=y9D!*SR5z-Lak#Ry~ zrdHp*54^F}Xo7LAX)qe(HEFW*vQia$*p2@`F^>ri3XS_kv&&4U~W)%#Gi{~A;zR+YI#2Wj@4R#vNhEOy`3sVKz=|4 z`9wci&Po%bfnV81$RV?{yKk7GPtnw-G z0vNZa7|yV&T@psT(Q9-QpKm^t0?~Jh?F~T>40-)Yg<*BZZAG9M7N@xEcKlTqf+b{8 zm1`5Z3JC$Axg$xTvXpxaZe`tpSk_;It?e&Wyfu_e0eis7ViWw&&PEgiZr}+>5J-7! 
z9!4tjVl`fewzRsMMFI+wH{kn}MDwb{?~bRu?02`4sXSqo{u{jp>mDhU7W5_TtM#l2G{ji9RBO(K zEWCq-0P<(#E_gN_^UmuSbecF{frTQG^7nK$&K7Nd6ljsIJ#*kV)_#QX$@|<~B}=Mx zIlTolY2_FyY#bHE(=OeRRC27P-3NE|k5cw@IyN-LOYNkxH3@b0AbQvcZ6ckm>I6ps z20{21VO}h3+ioAup~saDZ*G6}zH4pJ_SMB6qPmhW`KEz!^uB)X=;~Aad$qxS#%{hu zdCPp4-^GsL^X#9A<>p5&gf=SPxekB{=$nhjfq`uDT1NgR)|6=vO@>Cq!2-}~&fm3g zF_qiSq4lB_ooKt-otVwIJy@yD(rdi?I84@x-=KKcIOcNTATXc_$fmpPcsL63Dv&6W zKj)>l$}OEij#^ZVxjIa;b>5|Jk@zZ^4Lsiq^b&os^OmeKVi+k&L)WZB-Islily~@t%nU+>G6@|8l(Li0J{)>5M-jOuvDk9pW0kqikV|*+lcwr0 z12mHOhNQf~XKqD$6R9uua}l`DC*XAvMYCroTSy76Vm8ZqbI{7y` zZ8qG8M#k-Ormtg*I`_)W_u$=Vtay15%ts9P%i4a|?fwuxi72JqgKE9Mt>(?bU*=SI zTR_t}GW}(@xj1uUsFRf+LW=2luKJuK*u>)x~OaXD};pHyZpKCb>1fP1ov5RD*pbYFI%lvhlg~O3(G`a zfqIs5HK}7KG%89R5t)AJxH*Ze7h7V2RplI~gn)=9B>9xLAe?EbR@mE5Q~B|jGDOY) zoEzVljo{h|FV_T+we)xk*f182X;XR*;T@^FCKK`>-S68tf1ga|?YTG04}gC_3w97U z{pnV0fi8A7IzGw0--C1>FVtuGH0JFtd>Wl?`vJfmF_)AFtcU@~S6z#rjV*5>YE#y3 zVHx*4(vlF%C$%IsJ~<K^X`7!27@d}nGB=nv^oI&0Sh zazIV?v_{)FoJFjD?Svl2TqaeMZD)fdOTv%4t5T@^9F)oc*iL-HFW=PaM&kMQ*_I&e z8On>Q80{d7VRKpup}6GVk}Su+u~1qGrH?Ha%{4+AUH`8=WwxhvTyM%5@%m>aduN`d z@_T~1f##0B(sP79#!o_nsgcqqXs$Whhm<~cr0}2-*UIecqw%Syos>trn0LabW*;F+ za7XhcdA{-p>=QFHVlP{QP7&#TPomO6>Eti4TpCD(0Ia`G&qUDQV{}MtxwJ%-vE|L-DuK zAHRg*zdA+!joQitD~*>D{c!9X0rY%OOg?8J*#m%1l)tH zZfG$1q0!gElTGX3B<0-S_U8_=SZC_*BieNZH-gGIW2XtElzJft(LAzGOL~+lTF-w( z|FP4Rxcz?v=0*D!`pLFEIQ$VYQDBnzdx+ zIjVR8Uz!bg)tFrSDAzT=Y$%pbkfa5W&ZqztR@Q=W6Dl%4$qITdyV!khLC{fojr{K6 zf6w7DAjoRWKSb@>Kd#ysp`JJl-Y}S+KNKX}Vqsc*pBK?9$*n!0w?MgqMW3QGAWmmu zC`C#$%HcWyANZt~Xkx8Y{D29bBJ=$W%tgZoub&mueaHOYIEQR$5=czpes_@yor8{V zcIU}zBD35(X9txyl;2UZ>Gz&K+|t>g13L_MF6!q2Cz9{d4A5h{)n-@1_Tq3@#hl-mAF8CB-py;WT3 z7|MhAV^qNCJk;2T2>D;;x5`wrQo#Cf`v-ls$FKC-&h5d(+g zV^xv5py--Izqk_m8zRJ=+djIr(SJUPOt!mXpnnl_=8+}J;J=zFg?poT4aL5w&?_AW z?71A-=HJTXW|cYO8+jNdIopFaQP0PMGNNv?{@eqIV@>NLYnF&9&9RRf^R@d_2cp96 z{!kmLtfNs(Hpmp<6l~BspF>+{E_M-py-38#$Y1^HJzT8k+04Jw z2MNEVbiYFcQXm0JPEV=^XGR;C&f6R{f0L88D-l|4vyeLNz$x^@|5YCeuvv|oJCuL* 
zsJUuee3d&d|5Y|%+BMGQGY~sF+KB(M21|5mJvr5+B-cT_(lx+?e49))D_UOcAz|O< z-z4uqZBKw|j358`-jF|FS~iyP9zVz@#;L18@dfhT?rRbNM?r($G5 z5prh7wLI^@yNZ|;QW133vx!65lcmOr1C4Llqcm0H528Ew{CdK%V-1V%s&mHVxt*;k8FIPo9x4* zebS+8$V0Lk{z9FfH zMhv3ZtRIYNgu!2l$O9IeObw}Mi7HMTr9O}?sKjbpv0Z%}nmhQI&m^dUgdwY)sHrdsl}5P*LzLm>q0u@e`TRP)^&;T zH}_#rTmk*%kLh&_&>am5Eh0x*%hj`D_nab6hsuwEd4{>tc;GFLDySx*6QEX4K=9&k zmwk$|7Ph$buKq>mBIL)q@vOJE{;K(^$9{Bi?%fMkWXU_Hi<5ODwSW{0`h`9p{?ohA z*E>sV;gL$sEBFUp-7X88i1~mLF2w?SMA^Hm@bE7rd-1HyKrNI>S_oNrblw$RY~y@9 zo)4D4h|bDnOhU`19O&hbb88o2g~-09H0RsAPLiOq*~}VNpg!#Ek*ZQVtBbSO>)`7- zsMc#ALc#!3K&-##9{+n|XWBXAN=OC*<|2JZcL3)x8=rnCoQWSt0-{ob`1C|&aX5_| z$>_2#7Ubkec!q!)#!JKAG4Z46XHY9N+_crp!qa@K4P?CnB3l~NjC^L!w$O^9g$U{j zQ|l0`XXHyxaF0>w5|_SZTOPx72`IzvPs7H!#LJY+m59`MCjblPD>A5}X35{;>Sy9Q zh#J|CYQ%-K>U)-7KQ*)V1R_cR|3BEg2I<#v_`^TD`D)BSWb2K~zoK_-PSYYSVUL5j z6GaktM0`1a07IIhB)y^Kb*paf0FlO%Kw@R}Q83$yI3c)`qMMt0Dl=PN6w5kjr0j)*3kan*eaQfS?D;UMIuPL`#Sq)rv9!d4{)6ll zP?mTm3p|zF20zw9#EYSck5CaW?fp`@T20rn6xXn4DfaMG^>TMI(HBK{-j9_5I8)Y7 z)BUWp=6#^SzoNQ8E*wF;{_%Z1`jK{gIge4s$QfnTM$I$?Jg#}BYgw)XbDoSrZh=|O zku(wp>@&Q@?(H-;2s^y$mp(!(RSXIaaacBk-D&aqwurXb1bzc#`HHh{^{bF}zvb-nKzf4RGkK#{0?USOZU zUz@V6KkV?cXtuR+KhYN*j-WS)0D0IfyGWDZOd&1AF*?uS~es5!gF>%YH)Kofu(rC9Yz+V^0wOl#^^_pBYE^BZ9-goo+>@1?F~I{*4`TKTxzlLBlLR|5xvjz zBx2?Xd$m>S3%Ra420A(h)ulkY>ctaMA$!G_>&VXMrO$?^uj7!foedW3{Y*NEP_S=b zI29`MMNf`h>e$b;TB_ViWX!P4N|`!my;!rLmn9eOYY-|$bMcs0NZL3^J0zkb{Kq5a_AaGuhI{Pc)Y1dX{{piJ_R1@Q7?JdUmH3oD#b4+1G*NF2*V=Yarn zOX?*bG1ci2q(8P7CuGNHPFmpj86b#~&;ZS? 
zrV%py&+~_Ll~nkyxpW# z^^iSXdg9}dAHQ=nl=q9`KllPa#pXlo{gdMLr*?2%R^07QeJiZO#rNB+bJy1FpliV| zl46nxf3QPN#!W3>mIKp&hg+u*$QiB@+w}+X!;Ej)NZllwK-WHdt+4yH8zaQiyH=mmy z{IBGcHn;7lx=Wox6TSJShuUeu?C}qz zvsKpxjBSmz{OW1%k$(f7G~H#3UVAwL?umZ8!s%FUHz694 zO5@#$b%~D*dgLYKvb$jxBtlhJ60njWI=p*E>hBK}X&y$(7GHt{eRLwgSL311cl4M` zfbGDE#|97ycCR-o;Br4aNqlC+jUg9~KQE}!PjaGXTyQQGbbyngUEmUyHdg_}wa*^0 zr<5oVEoy!=vhK0zwIX7tCtt%$^RHP+Fy)c9e9Moykjcs3Gfo@8I{U(mah)_74xgm1NE^Aa?^Vv4PBe0xWJg`{jholy zvEUg)r;_Dwnj_eyC35(DYDbY4J(8WqN~ud<;lxvV;|1^G5&cbB+D5RnUL=L0N0C;+ zaPA}>6-z*lyVU;5vdU;NK8&wKB4sX9B&sB9rfQD!#M2bwn&Xh_ktatw$kLxb?ncE< zofeL@dH$$s{kxU>*isW#{V1-*C7>`|6jjl0(S6#YJ0v`1!U$I@WH(q#Y(PFu2l@?8 zvIz2q@l?If*v++rH@YpD_y!k3Ez@6pF#z7hykeQr(mf{5pM+erLR^T!`WeA}oGAeM zKN)k^Jhd3rG%NHtjLt){tO?#tvFy`7GWfM>96kp$s8m>PoEFazd)))>fpA+4deg+2 zC5Wni&EVqse6GGO{qG%eYF+v;P_h_@IX6i6{qkoqlZhGvjx|o~; z7`FP;HT~AgRg8!>v{$jbh84+xm3d)O=&G*9@`PF=vZs>2iT4RGSN@N;bwBPD=*eRJ z&7U{&u{i18zU?YGZHmHUKvwAwR@CV+M^+6eE+o((+H~#!e?8()V~N}THx=-&%Sc({ z^J0<$7*djkUyscRh^t>HDVCF7Uj#mlunUE-*f@Np2Yau z0G*#i4jP~b@-HXZ{}hKdKzJxCt@4UYdbH~DMG0DbFX$B)7yfZ8pvnZKS{lk85wePa z=Yr!nGg8alzg?d7{I3`qmZWGkz43F0YjGBe;F56FNS%fCe-z`0?3N|QTD|c?RvKa_$ztH3tgVv5q*eb zn)8JeiWEQS-Hr@+H&y>l{ZjbsPD_Twclxz`W4TR_VcPI_j|Z?F>LqfUsrz^Gq1GQo zQB%hV^qav^rJjFm#8adkgHPL94w_%Vnwqn74R#tvI@oA@N+4+|7%&Pt7g!6asJRXkK2s3@pMvL?@PoN)Q5J%Oy_X_p@!b@i+LzfBi4Y4at#} zu!daNK8(w}pC}ZlEXY|sR`sUX+M;1S!mkWzW~qLX9MSRKrUgr~IG)uTBvVU+-+=p= z)9g{Z@8Oz@q}7J_RKnI5F=acTO%w=8v8zRU;uusp7}RLQjT?)n)9cu(5oq>d>1k1I z?E?S5Z66XpNARQ$f)d8(WE+nEk|wwmfpNsi%@CklbXU$~ptNCKIIYxH!;fYJg(_Vs zZ!UC%hurixpm2z~RQijO`;F(mbKCn4Xr5zFnaUfDFMHC|K=n9emZ+XHDLtYzOObGu zlAl%LhX~yQUKZ<+0Q%Zv=xzd=)$E-{prAw;vf9i}D41v4IdGl18?z~OMi~-+Zc7+Y zx8c0c*F>k7Dq8H)gsoEQnwWqZj%f-MH-#i7o2wfyInm`Kfnb zT4`n0z=%8+xDWMf4|-Gx9#TZ&cZpOJO-gtqHrb;_|Hs+3vPcFV>Cpsl5NOYsBjPyi zTZgTlCj7eZ78XgL4=Gs*ujXrQeeQ=%MGjy=p*6g66u-fJ6xBeu+t#T0C*N&m=S&ev zX8x%)+4>M^sZz+{*C>dMgNzjz>A;?rsy3{(vD(*wM|cnO z{A#0`1v=ZTn&*qX@Ui0n`z2vr4l`SpUYT8A`pzySod23EPxhHx$1WY<1agc@Lnujq 
zw#34XzhLjv(zN|^t&*7-E=9Y^Yzm)+Hwn3eMunroYsPK$N{H6Vx@P?AdNwgMYqBb6 zD(S%C-&rJ8Yuk~CDHq=mwCF~R!UUCF8)P7nR_e;w5T!J_`Q|F*Agru#iqINNp{WTQ^Tk@jWlRimv8O3)6YAo@>D z>R(MY=Y9XAkI{DN`q$JjPG#Tb9m{#SzIJmN?C>~5RWi?w@A&R09Ar~Vp%)1|oZb=w zBe(iS`;_1tFkIRPLH4VkQ*COx=ZE{8yc5p`I2eWs*BJxw=oIf97`R*gF_Ld1)wTQ~ zf(VU1!1oBwusAu3dqEd_#bLU+JXueIvlA?W`^$4!U+ihpBz~*v6KUb=tk&|bton5N z&QnaR4o1QH>$iml^^1?7)BFdYzhB_S-8~4D<~3mZ8Da1kN4lZ}(*0XdFG#ySTki(K z+z@nqwMR;*;r!pfzKmNrjGX||8HBTYGR8=@MDYnjwuC-Gj}vtv$ZmcEX85 z5rB;tJTb#4p5jYrg`}zVw+kp+>{$&^Ah#QRkAJZTa2q)&5QZ`n8}+v4VOpl`qGbm^ zPNqMG74S*jey@Njd`7vVCCGZ%k^7 z5Gl=~CD4{;T2FQ1^jSc;>Dc*&w2}0Nom3S;@ueJUI0V1*0&o6RhDIf$UBrFBr{WI^ z?p&k*v{(_nE$DjuY!bjU95EgQR|>k0@Hwl3-z(8rcmj1teHWYhPYqzt znHRb#a2OlpE|1fc7k46dGU79_32+6Lc0=MFmJcLI=6Y>AUZ%10!fsKi#9D` zies*=mn%W!Z0JzGsE#3LD`FF2iFPALrk*dGpF9pI)IxbQoHw42wGYj6Nw7R!Rip!y z<@Ow~EM`T>!I-=Rc&tVzGH=G)vpJ}R(3CnryE!&hnh|}I86q%39MkmUN{O&U{|@r! zcdT4q4;M2P$_tv(khswK>plgDl%CPcG7gc_@ASt>J#5>SJM?=LO6#BgD`3z=SMEfj z4#uDe#tC_T!KKM;$XksPyG;r>HGBtHedcr6B#rPBUy*+7|H~VImxeeU1FtMzv^ev$ z{39s$D7B&wubr`3|5i{8CxT1!v@pa@JTAai*ETHN?+dc^Hw+|ntv63Yo1Z3bO5R#K zSCxoenES{q#XL3yMbZIOkz09$FofaF#$IM`c!?`L4a*9qs#l!Mm?4HPDKuYp*eFVP zd!j79uA=kI295fB0k|Cf>ltsDhqk`pxq6zg$&(}E#|2zNt?vMDIfDf**CNIORcYE} zyDw-M#%0%$PYXnC@?-mi`9&1^D;$>&OYU&T36Riup;hda{t5uPu&bDZjA$Y+$0En) z@aZDHV){7FxwGb`?JKmV1xYyW6H@_U3jTh**7^~?tY#iZLZ$Wi=6=w+pUc++p7)9> z=+bXE*OzxCBF_xCEZt&j@T^*HOgX4KFe+$mMVQl~zH3cHkirumneEkXpy_{A-kiWv z32~!_1S@8lAA*GU&0Z{0F(_aN)4-YB7=GVqbJUC`2mAA^Cqm+hYkQ!oJ?`bLm1)Ob zjTQNezdZSe?h7L$^t1E7hr?sBvPuDH!T?bZaC8G~Fc<8Z zh%)``kB>U?t;rYJ9%Px8(r^UA>55jLDG_8m)(81^3eoN4%ylNg6h4)$dYI0Sj6w8x zy{KKTNxR27H#VhNEy&)O_Avv|;Z*h-1YNBRvBhBvr=sKt50lzIkvMpa$Gc>8;v`RN zxrZ8I*tssLu9b35eYvwAJ#P{ALeYlrULS-JKx0mSllX)d5ix()8m&35 zZ|j9L+bilqQ#4Jw4#fw{of1(|Y?QyID!mzByxq~UI6dR+=XbNN)!fyH8DLPvh^`kp z3Ju-3c=aGClceeU)472P-Xf?p;Y&ZhX4#R}HDy7prRRIshe1?^m^C?-m`$U?fv=kk zuP1Sqib}F4+R}_ya|e6>UC*V2xh7uC2NFBtnt+l)L zW+E`iuS7f4XYTHy8vDddZTjo(`?b3re8%#b@B-fXp{r*R+Iq@-wxeA7;`VgQI{%5O8n0@ 
zgvMXr9pIwLwsBzgW+s9n?A(9<76)RGrDGu&M9O5&E{<>%jNgRi2*Yk(fsy2(`~Ge5 zHh~kN|AOi2{UgQVU<7|V59O9>G_cz=$c!slb_qE>ym@KrJj^WuU=Z^FQ9RXf#8#Nx zR|X$V_mK&KJ$R61zR;p5WcY6@8K7$K1`m8SNwEiyahu*P6IIc`(e!?#CWV&ru^9Inci^x@F?O?8Z{|o74-0#*^fnB1au61LYLw_0EQt#Q939y{y`0-&s5#qgh+uz6W zV{#o*>pqi4Lj)jQ{AQ*-Nl>=lb%3Wpqxc_%?i2wZf834RcR4>~@q-_qA5F36c?Xyk z0f37hC4By@rqjmy&61V$7g)*dLQ4tV&Xtx#Y@yqzApEIJ#Wg7tyVr6|an`zz5VP*& zs;7h+rC_8UIHNNvDRn9|^RYri{bb*DEFpXC{4=NZ zUDxw(GID>L3GvpD^w$oUUK+||w4kh)ql{T$XSv5f6{Xfww4V!*6Gc_cMXRtiw+-)v zq_5ar4@0>{H#DC$6LVo<7SD}x@-Y4Pl6RWH4XJ(0hAzzoecSSHZ=mhSKh^vj@DD)$ z((Qx_FVZ>N5d!g5d4rMcLhQxRj1t$N{?R|B?1GjYd*iTRh#ad+HyIe$^>FSAg!VjW z3cskQPEBQK;l@6RPf|t5s9_cb!qSvgV8ut+9~Z&0wsd zo7^7^3;FmaA2Lfc1O!<$i&|RC(Qy){TTYLIFA}=3&yi~vL&;BobpNvYE2nZkQ+xY$ zR-9dukEzdMO+P2J!5Wg_+%<_0b5k{%4c?=wV-7k`{&epl%5nM&9R5f)Q0&J{RoJT~ zSoPfUHoKIn5++W=>M?#Ew+YRzZ9l!$)5K8(TxLh%a)ZA1deg6PVuz_Qqo-F_!l666 zk(8CeYHYqOYlC}erMfz1lh0CqTX)HoQ(9kpbHxt20yTs4U?i*N*j=8AUnsBb*E_Wc z8C!)^thj@I2B}^{ia2sE@C`+vk6KIZiXns_9E0Q6>Euf|+@$|GU&{!CocolzSMy~m zR7VvVI9-xW->gJ>^@2Yu!mcsM6(Qo47IZ=V4NorUYY{IueL{L`n}E{+B`nWD`cZ#X z8r5}Gh1$QjA>zGG;w7m|Dt(L-G6koYv6Fpzuq=*P4%is(dJ!Pl8~&p$TdAx;1RFlG zKPu=0%l74y#8i$E-R3VWHW=+jDtm{KZFUj9gYkZ92$ZdgZ>e|Y$LleTL3>#RKy9J$U zD)-C&*m|j%5A2i1DB0!b8(?46=y}&P4;$mvy3e-CQlh7Rn*?~25n;X)>0tBc{&;=2 z&N`ZWv3jn+=9l`JIV1K9YV<~Goc{)-GR|c^gTohl| zMW|`|>&z+zzZ>M6T(Q_FCvpGaF30Zi;!FeuNpBq~E$!rO6#1stalk-*c0XM5hzLj@ z82hw5Ah*!Y4;`;5vBW4gS9n)DJ>hYk9%Zw+Kzw5K7Ko0=ot}c(`T}}wNKqdsSui2g zi>i@JXzWWMrP>mX@)>STJL6DNk?=E3G6D>@=6;Dx|2|6Scbyb-?T~ zX8o%js$ue={8?3VQ?+AXt^;0aa)>5Z<28LyzU%+gN!@I_0nS5 zS283L#CCPe7&eWIEsSH@HI^arZ*1a}uj+EEs&VyfZk6s9!26p#e{+i@M=!E$BU-lT zC^Zs42jC7{oX0h<3;ke=6gfM4<*i$pJa>j>6HyRPP%$G7W(|KgzMJDyRra^6$}O1Z zXViu&=vi}EO8BqC*h@&GW7*p&PoeM{bCZu1^EV;hYUjY^N0+U;{(Pv9t^Kt{b%wN* zK)0B`nPwxe({i>&uq7^kjU<#$Lb#ZVU$SE&HRL$6?l=sAn~VHHf)+fRMWd{}+qW>A zumXzxYnf*^ky^3lnYJdgb3AgTp-Q34Elx7WQ+hy480Z6meZq+6C-WOZvNke$ zs@*nBpkBJ_B>_YM84Z^<~kNCY+LSSvGuCfp`QZEw0p;F5{i 
z?TC^x5Y*Rh0v3g_=xgK)%4N1l{oA26MV^;G)dl%Z%Ss|YHxOz`Dm|#~mku@%x)qfvV#o4?}}_B{oysK)U9+>Ekis? z1|x$7lT1BBVYy;Z51*MxNKBlqoJjm_=w7p{6g`mt>WS^;O1b9# z@pKbvBPY9p$ZA9W(@e9S)QNKwh!4=N1POIBdutJ^njpD<_p)(Jxl>0>>Gl>i7(f`M z>{O4`3izjEYEgA(gMHg1GPoUk^B)W^Hsm`l{zL|8ZIw4snH-wrBNhi%G&*eUi1zTj ze{)8iPP(eT9I%(Q4aCx8T6;lRM(9W!^2QFuk%q{guMPDvXKPFQJSqzWo`Y^vAmpIg zaZwxEceZovL=N03o!D1f+O6s4O9_c?H`g@Bl>s)12|nV~@Q+hgFulMUN4{Jz)1`Bh z*gn*8_P1T#aBT)k#7y*c;~w4)nkKW~4wEy#9;=0r4Gn*L-LbC3S?W?W3YNIqkQ?}h zN|Bf^O67pSZqj**vY19PbObz|ArGYmS9CF#O6L@!1(1WQ6sS`wGhF~906Gx-Oh-7D z=ek!R+8&o~0>qR-q`TT+_F05fVzm^hwE9Gh)6M3jKPgR%hQn&mbCK!9U_S`0n2t5d zt{+qBSEBay$Y+d>r9u|eDf)Kb0!>giYeF{xVIt3|U8agy1bA#DvXyiPp4y0tW)LQ4 z!wY3td4U=Fw(Cz14WpM;y^+C({ys*xmcJb(XYScnSmqT&U&Ls5I-6P`IJ&!@Z8@F>YNrHN{15@!kL+j1nF zVXh~o0{plBd4yrN_a!ZMHCbNdgOs+v=@{1VnN*vT=^Y|Pmh|*pi4RfYelTa|mZ}rg z*FKKbZ5St1+o_(ft(Ym|QfH1kNFZm5gWfRV-+<6Zt>1v%lKNzygRVM^ddiCJNykBW$K7g5d|$=&rnwSo@wm0E z>oqEw1|}aU@;TrUrV_XyH=-vTFD}@6(~!&-f&B2 zj3ST9n9V`PHTe?4U$Q|il(DU&cS7wwDi z)9NSM@AufhlWtjkqK}aB1Qv8d@n4K20ci8Ri-^UY-7K-cjD%P#{E2v*FxrpmURjs_ zMB7EM&=mwmCHMs8pm_-dr7>Zfip6lkXG1pc?HxPPfhvF_@+?S&Cq+fWzcTZg30}y| z_#9GZ3X+7#U(8|0Fsv;Hf5fshh#uv|bzD&o4@>sO0%ZOhqiSx~?Vj!Xg>O}Qzu0ZT zpE$7dQh(iBUqo6^jI{jjP;uNjHXh!eZbOqDp$|VBW?nE6#D;lU6IChwg^%hqDj<{k z$)cDb`|3_zV`e?B0>1XIcdQ2#Zg^VUuSw+tgx>p0!#-Gy!dX=P3|sf;&5r=Iq5lG0 zdalXT=FC^LNmQ~F_iyUqXIV|-_V9!?c~s0^X8H7f((=3b`l~|g?^VfI$MPb(Lx1gh zpGW2|e+>-d#~56Pm1hKpe^_?5P=$opbt!1-LqQ%C))`+q)GUTtWi*`6MAd;1#Sekh zLPh2pIJzP$`D7$bo#L|2dH!da7GKfK#vBpCqt(PC=YC?~yRo z4mTPL%hK;eb)hEuWB0)`&{iYx$M^GTh6pR*wE63GlE9carWOKDsI6W`ZIw=kHNub2 zf&edu^i`|`*^c*kNO(v6lD>ZGsy}?c=8`dYhva0jvhfNE4=Cc)nsdISN~{t*9PL~+ zs~LLcwEfHLwla$|71-NAiS%8%m`zwX;RTmY_n}dY1TKBtM8n(ICS|$%b}|jkF}=hDW;|kD^Ks-~>in;)BCBCoP`OZ*n}toVPb!UR z6~+c6in)KZ8}E^f)NWrpA$-|Fw<-AXokQ`=FV`C$y<9cVJG86vDRQl!Df6H>ZG`=& zFM{*eknpg8;=7Yz@*|j zc-V*LxQB$+lS#}*=5d<+d<9)`OAGO=$cy3KtTwbRq22zn=xX4*@__FJKlBUU)SiZq zmJ_obU~nAYZaCO~OIrLvp`jgFEitA-0WXe0S4ReZKGY^etx_@pOD2qA@{JCa?!gq) 
ztp&e7&GXPB-_x4Rdb-ANIBYh~vOl5iQAV@c1-W?DNjeYy;L%dvf4hUVe_0fojA2td zW($Pb4gJzrQJSEQayO^tnjptWj?7Xve^CtnaZo2TGouw}$(zLM`(@7F)4#X6sr-p%k5mM5zoOGzJ*S#_r?sA*bKf4S9xc^!)JQzTX;8Q_416 zLnZ@{MS#BaPrWze|vr%sw zH=uYp8Tla}z@01+tLT$iRyW~z;!@SY$?ZWxjH zugEs-P^%k{(wD>jEUWs?{UROsf@@7-F)mK4qD`yjmD$fc$oKBnko?mRY=~zj%3M~B z%Esie;`h$spGvtu0Jr|mtJQRc*GBsTzn;qMB^Ts6klnVnfEK;o4@vjfX_99+ezx+a z;h(Ad;fqoM6V4f?b5s0qyYPqFsGI#UEor3>Q~!pMBbiBfA~p3$#rMbN28Z%lQd3&i zz<(fGriFS=+2)?H|MEw`SJSL1MHnV$49Ksc2WBKQ!r>PMKkZ}9XB(n$R2e)qC5xfL z6q4hCPgP+iw74e0Td32j19fWqx9ZL4KUWmkJ`QK4;YZJV-QBL2pMhA4Mi#3q<$l0u zK^?hJX~KPVD%M^6;#}*|-VMti-kBJeL;MJn?jo5oG}2pwxJC#PsWm$NB@=?;I591M zqsjI19|jaZJpaXhA6!%x)HX7a3W&NuJYZzuPJkHeJj<%t)#l0o=#F60im!ea-p6=+ zs%^b>`f{FQ$az>~w7;RP_;gopg?1DtNqQ*{I@O+sgsg-ru=7(ei#HeR>(pf2OucyTz7jL!GCq|iW{jd z!uec4F|K=Y7b|WqqDv~9jakzh`Hv-P>DtAddB^9{HtW>5P3P;Li+EE5o%s#h?mT#G zXF7l;C;_4>-}3<|SQwHv3Q2gwK-|yFkhYXdM*Y;*19^|YL87t6;|jp1a%)5ERr65E zMN|IOvbQT8byD9%&eF;3n)WjdyhZCZ?ICe3ony&23K4kmGQs*`e5Gq6N@;iKMefQj z;UDD$B|Csc3XXI9@R2_jAT2+r8VJ9$)mn9zNk5L+?TFYNp2y z=fS+h6gh_Nj_S{i?20`9<>Oo$wd*jZV~;Ps%2TTZtgTGpCQ2P8zJ-E9FaM$T^sfT- zypW16GQBJ9N#2iJeu=O89mS)wq#N`mX*TzRSs)`#Cr!p@LeS_Q4R^}<)j}4-DAXG# zdgF&5LsB{D%oMCJ@${zaGSn>r2;3SM%6Weuk)CeY3K>60Y<+o$e3BmJ!}cjFl_DSkncj!uyh8et3O zH<}lL!G1q4z5tt~q8(|K)`tc?q=m-gLA;#7K=;Q_WUB}DK0sWlk^3PdGeS)t5y_T+InIwNv~Kq7vZ%o0`i3f`hYzIc`1G=A-N%G{5|TOPDYV?A!15_Qu-#wl zq>9jsW>kBi`+b9#S=fTZG-zr2YhfGhl@jfMCg#R2Jtiv2O|6MuhYxjrCf~e<>J_{S z#Ds_qB{*d5Xc&M&!sN{f-J1IX1m2Msj1JNax2SQYyN66CfPAZa$L&(I&l z={KiOw((d`R1dVYnqdNiAy)dXV99_m2@8{*tHB#545q zHV$<`Mw}Qf^Z9s zS5)BKiwLeIEKN$`?I*Cd0a88)u9cP$#t zkszd5OH$w9DR;cTE?G-eQhcw3kF6o6l%I*LNIbr&VU#nk{1<;De)^__NW!6UQFDbJ z$mNTrg|lP!H}r=5pacY5zZwj}-;{AL`GOuCru6I|vUH`D6QvhWH3vG9eK4ke9n)ehW!f`l z+F|_RdGzOEw;v-N)aoorp-qv0vVy*Pew!4Xp$UaG{9XG98>>j3b=2HMo|G2($WTqj zY(GT!1%sA{(-*~2R2I=bQl>_ILubWwpSqQZG+%MXGOk!b)R~uQq(~s@m$~BF{;7ud zNCDe?b;GNf$0Zdb7V0Ax;U!#& zL@HTA2@t{{Eq7*CUP;SlK*okE7|wJ)>E8>D&9I*fZH 
z5IQb%hG}qlU;c52tM2PKD>ZZjGaLjt)D4tu5mX=8@&s9F{eH^a42hab;~$JS9Ho%p zDpb7f=b-JAx!_$hO=-^_7p<8kpR$9sQAGaecZ~0)c6PUTa#1VouoM zvuOmJO4hWMZ(i`L0nL=Av%M%g(p9d^=zRB9KVwnCxysKlpvCzlYwr3Ztb7^vpnZgi zp`pT|dyebe`0(!5eRzMIKZ<{*F6G|PnI?WRJa0`u21sW@yPZpa`%lqlaVDm2_7*;& z)fY06)tn2;}J3k{!#bSQK8>9Hdb!s8qtK<(_92cv9;zuRb z3W8z=)8c7aExgB~&J2ntzx|tHIBTG}=}kja9`%b|q1g7pM4avTr$6<;d2Fi91zz8Z zoi|N7Gs-R*s6&mgB}H>$sDs;~&sRmIiy@(-pdo!#!ITT(uZn8hLA_sTE7>wvd+y8z zMAHOR=1tkvE?-ysipu0<;&qM#+VK;|wlv}@XeFjuBzjNg2X*}Pty@MBz4dBhv*kAD z1uh(axEWH8D{MW?{FK$+`d@nD`TIm6lW?SIt4-BJVS4)Ec#vE9Jqq@%j0$GQG;Mgi zZ0OD;46*@|)s8(Cf%H3L+4|I(HpvBGhvOXi>JSyOZyCDLeUVA1 zHI27sZmdQ|izJkVzg={fGB1q|t|27hBo9GF9&TD8-kQS3k1(y(3?;pe4C@2>K_UiVAQ6SSnMe;MzPi=8tEH< zZ`~WQ`qK|;a@1|$5vpzFjgDg4b(|q(JmJ*QZ9FKYF4&YTEw=c>h1M%b#le6ZS2Ehs zAT7RsI4I4pcJP@WILPFctOui?7Mp1~`1v6;%?$nA=>0@GIlE9Kpl#n8l(^j#cJzHF-GWkD^>;ke@-i&lPmF4iZ!#I~6l| z`_5h6kmjixrhz=jW+2;An$k=$@OC>-vYfS9svBRsUgRil?zfnogk7dZOG-C(WVh(u zopZNVXeyn(V%3#oJ_?zRG+T1F;JKHePW6Bo`e)yJ`v|FXS@Vb{j?UU^9fi z%gRz$rJ>qU(fuXEK|tk#AE(~Pt?>CQ_+W2N3d{jO6Y;hHumuySet>>n;RBlS1&hGR zl%&uCh134D>MBM}xy`BT4TqlB_!$gmVs-DzV>Fj@tbsO})=VN=&mL99C-CY4E&t|% zk=Utxajh?~pP^(Al~nXoemjc!pyt{@>o;>-dc(e@`_q)U=dc8%S^q5M<_m7&!2UOPdS_y2Zui9YgjA`yVcIi@~~VwH%Nk*or!5a6&`@KaZhs z(eH~TvxpB?`t(rNOEbJ(8P}`icRlJ zM@(yCm$1jFRBMAzuo%)=KU$O{DbM7BMGo*%M&#EzCR$c>di~T)_P(fianI^IQgjlV zXHhmMtX#!liG31gt^@dantE4!iO~2wqk5sOYjddDxOMqgB`EULM+~nKB5_qM>%JFY zumewkJPX;svVd8AZ8Y3i*ArW_ARL>;-TGPVMGVxu*NWuxso$hsI3F`x;e)QGo#FO1 z;pQ&wRxdHtlaYDHzJSH5HOPT@{#r?Er5n4ApU)xJb*&CP#opBDC&83{KLrB2?1_C* z`_rSI3$5(_*SgYaW*EsYPJZXd3lu3Y5hX}xiSU|0H7X%k-BV&Z$2Q#8sMOiutC^dl z)p&R-*IwV9%PCg-(ht-h^>15v`8ce{Sfs*p)L}iXs9*$L0MS!Vh+z@r_69BMXP9-i z<7KeJ{xPSoh2*WFM>k>78S%3%N;N*<_00JG^1E1b{niWn!5ge#+R$p0Uv=tv0TSY8 z{mIQE77)iqMLFiO00ETzS(Aq5l01VUL%M9V7yc#@)rl%Lf*5e5Cmz=aD+s2>LYz+X zAH)lUP+NU|f(B*e29R9dT1`&VY?(fU@{not*KUcaF^)#a-+apK30A#2sozP}uq+%V z7p&{|huJ?eRg6+HlG5gK!xX?9 z)y|@Io^c?@>+eW(#zC}qjD%ziDxCWAFpk2bdT2f2c2bFLuXvqOY`jpL5mrANdu|??`oQp{^nD 
zrH6ifrID!VWB$fwllJ~@>&z1L<1p9SK@&}|Q3{9zr`14s$bcR%=*=(`vfpRZ|1KE& zX}b!$g8Mr2;)lp-m|R~E#EeItY@UzFp!KqZU6+IgvV4TB(pwz$f6VJk>MmY2)Fn>e zi_vKrshj&VeTI4z=w1suC7||3d9lEprr=(+&*;GJU&iTiSnZiPUW>s=n#-+@dmjqc z947H6*D&}`rD>0HEP;&t0Qp<(2Z#XhhfMk?vT0!tMS@5K;p8%X`QxYe_PSRS@o$Us z;IZx!qrLSGk`nigrg~Wfse=COiAnSE$F5SQq=%itmY=MH0_3$!1}+@#s0q> z*yv{T(q>ehEQEzrSfbrl^&qco?cTS+SdzZCQ79|v{PYC#NtLjDAj}QmP3r(TK*ql= z7%4qvos)+UZ`K6s0U77?w~vVDep2*Aza>q-pb$(_fp=)7x%WB<-5rQ!ad#3G%^R`L z?-x+8D{$1ixvO;#4>}mokWECjv&yXwmv)RZ0d0^B?sOk;HfY`IH>Fg;qx%=R z+Kh|DP9-Q%PQc!m*~~_TOtBh%{%t51t((9y4(=|b^EFK@VsNdM#q;ZO%?<-{wJAzu z>6XUJ1XzIzj_1qF9p#{>O-rVa9|3wisd&$>;#LvqJ?!UuJBA%iWPE=9hSpr95B|wO zsgoNp2rq830toM;OvaQT!2GGzOzQ>S$!30O4ey1FThPXA@>w<5%MPsw43)-qe9mOf zcC50_Y_cp65obm^btMy2W@$%OQ8!6(`bw8wj&HtG{Ru}QXaI5we|cHl%qo-&$X3=A ztulqd*nMUt2* z$0Yb!7G7Fsa>;1}yrnhxc+gcRLEuSilo`XBr>kWkjZsAxNIAy&9Q#tB)ex993O=8# zlzk$-dl&l)#WQu<4=>}jG?(@l$n58_WBTCWqZ%GYa9<19WmTl$`bmcS`{9?Cq#+?6 zz94D}PCqOH67+HSl#_#UgpcogGSt0BY?e6U@ssSnE$YaCFgtW-` zNF$~<(DVb0(K&|XS&J$XIEcaia2GiUy;AxoS>MpZnI(FDQ0Yq&S2ul7@mqo~jbL^v zLrgVLcPF?aY8cI8^E^D($e(*QM}xrFyTEiU&$*^K!y!ju6j(Xx6Y6*dh4?WBbz^0Y zb!3b-6phD1GY%(7i!n~fev36!2_=qor`%);IAB52Z_SCdpoCtOlp~#P+r>g0ROC70 zqa)irWZ^*W>rD}#-f%OZEtCtQlwZDQrAfugLM}$@F(T{O z{h`_;pi>Krrk32wK?|(wRDMRY=?U7>f6U+-NN1?3l_ILNAa`zje3tDKtb{;_zuai6 z4}8*csp=~}&;S0v$jmd^=Wjs-h!=X)NdvkugHj~n^9fIk?7~l_b6Ti7b3Vba@iC=I zCR)dEuiaa|f=xb-S&`z5=AN~_Jt0a>E|Hd@!`*xVa9)psUsLd&WboSt7@3>B2iN;A0Yz$vmW+z|avx=_25 zMHk?Sj|~Scg~Y(OE=gX072Q4Oy|$Q7W`5k9zWY66s7wpcmeKzEnsCM)3g{n^o-#Zz z|I)||Z&^dS$);y2TneH#>fqv2E|wV!p3Ig@A_OTEY(>%{)~M-J{M($HW6`ew2z7)J z0Ix+9$Lqj|oWRH-Ks+#uq`I=lK$Ma0|E2UH>%osb*(6L@d|vhs0W}y~6Yb!J-;Sc0 zyJZDPRm#Y+J_LOtJxcLc;spi_h*)>{U|^TvPRy2Av`79m8~{A%&Mx#%?NdeZNkeVV zD8dELSH_+4*NKqegu|hVG-aB}K-VXsvC9HYG)t-rxk;2vvmmtlU zrF*H!jl7<`6>tlLQAJE=;)V;?qL8TzibGe*XyS5Q^h&8Cm#UdANhD|k;xFBq6i52^ zs-Pc4+Q2EyJ#P_riqqqSQ%}S{!9V~DH^})0>CW$?|V>K`(EsiCHFFqg0 zm)PRzozx(9aUqAC12$Ir`gbmR`=CR{kTwr5Aqs2o*s-3R5{{K5Ky=NPeNj27i 
z+*QnBDlS;vZ$ssec`VBu7;<~7=WpB83tXUMguCg>>2HUb0O4Fl7`U0lTlY|CYx@46 zWW^KA9kT}2p#A|UUTg;r&id9H6M|nKa246m`wjl#N%zs6WpL%^YE1mFU zTjM^Rrz9|;QX0-9fg8Ocjdx7;dPj>`5<3n9fLlCVNvXakw}` zdwUiwwoMD|+?*P0>*jycM3QPPL0xWQ8MGznIK9L8SqU?`KHrkpU7qQpRvayb0@vAN5a!q}hQAOjw$99F%sgNFp6ll>DaE{g^8rhu((^$a<(evOD6u_MFiU#wPYYB zU&O6&niuG$RhqR&^S|nPjsNB#IJK#39u6>mT$>7kgXdgWzyj}z@j^5x6Z7h1C&K8K z+&FqguAp!QO0~mgn~+c98QXp$C`!UG0wh`S*Q$BI1bsZluG77>?tUu#fz*Z-_6Kv$ z9QRUoo8)M4gOPsKxc%>exBSvXR0=xFvdouvH@^$C2N#iZr<&N;F?092c%P-k|2wID z3^*QK=7)^quMwdyX#>HqHAr);BROy>#(zHK;|yKozbI7Y62H%PXpBClI1RnflWW7# zcYb2VUKlVmxcvOJ+~-4MW3B_Y=DhTO>iWwT@eCHD`3N&tk7yn?$CLY*Q<-A**8u}C z55kx=f$2Z|)|Y*|f;05(c{kKwpVASBKV$}SUW-hjWpfGj;i{9nue27Sjzw#j#gVU5 z(7T8QF>aDPG5yR1s-t#nc|LfmkA(8DTJ;dkCr*(j|VZ@9ic zflAN*Gd!06vO(87EKp5Cu30Rgz=*&O{0+!;-yLgh+9gfk!HZN(MgDKvC`h9S`GL7g zebA@t#uq}3xXu-u?l=j_t@YdDdDe^8_Qsr@2jNt`{(R`-BsFybzwfVQar#vblijd2 zezaqXSbG_<$LoLD9NL+C)ahLMoNzKdED_D`vg1&Pao12~xj0R`g@hF?lVH}FSw9iF+zJGHu zxcTsop)DIh0T_Vz>+9U`5Z!gcUE=t~Ri|~0NX9SM2%$!GABxTu-;4w;MP;-TP!LI5 zy_1dqrp8M|2Ft&5$gZY8&UqsVnCR!_;dtBnVdrmYEB>GoqWHd=?uR$K?X~shM)fd5)P=Pk^Z&t$;i#)d-loKGFkkK1Lw?yBaZK|IrDa8Fb@QG~+NfsiaQX4txlr$w7# zwSH)hwAw>g-z_nG)w%1iJyR6PEn1igjA&}*nwJgb^i1E_Of2_q&4;0;SB`0~*8O!` zAnF(miUdS4P^el@LQhyPVCEG6#j}Bo%h!U0)&&%wuG~i(Rrp$1;)asX*Lx-8U-*Uu z&$=zgOqSFUFm+a%9~$N5N+u!$TZ~mvrLOTF)Pg~R2ngeeV&u&S!kQi1PH;@FphWy# znlyrho~e=sa*bB&rGP53!j~mkVm90E`@c@$k}4E=2z<#*!)}aWFOa?vyAN8%f58!m zX}Ed8bX=`tUFk;}Pv-D+ARAN40W}(P^ zz`Y$>boKh7IYo84oPMvi8l>3|S-piwbRlaQ{@8Qf;vWCE0-W?r&(X%~t z_=n5j^7b4nvR;&){dz(xo|!Hx1QOc8_o}6EnM{gUArc-!E&RT-c18S05x-+ zS$3(;Ai?gx`NV8|K=jO7J)eWnWtu;Ntj(2j_meFg#kYph87xKVak0~Yv?e~{8|hMx zFZl(}ZG4)@&u)wJ18_(Zf_)T|gH|~idc`3sU`?9V7h2zQ7MZ}LK90vHz?P3CKjjqR zZP}%6$@SW6DNrS%0KCr{&+{>iU)OZwQp5hzqu{Dhv6 zOW{DW1E{oijS}1h)(82Sj`%)fT$FlKp9{;aY zQ~xGTGKsvsp-|kQWb&yh-?_S7L2g9Bw8}#iyQ2LY>h<_qRpE~JWH0&;s9nFx( zdn9OWv+&DSftt;~@Nw{8GFj8&6^y`Ow6XkHV*gucYws>3~e)*Qn3 z5QH|mN&B7p7u?lOclsVAgW_hk0)zp5>3{BaEY;M5xKX-^Z*uzODG(`RUG6du_Aiby 
z{(&9RiTL<|YsT9N@obla$g2*kNX5UZ5LSJ;E%&doCz@_yObRRgS+Fq(m^c&lDf_26 zUy>unF07?Xv=u>1V1UjZF-q}@*ZHy-HoMOF~4!WB!f$j)cV-mZfa z!qS?@$shZ<_UXgiGSpte@{^q0+kjAwH8F@d7uTLlfOYRL8>y}&Xx2j?Ptkmj&V9>t6OAM;))!1n0$Flm1*WLjMwm! zS>QQ;1xqg6Z(Psp*NSRyh~yw_*X{r9>W@bNx9@xwImW48A$lhu&K3D)ux}wQATIMg zdNDRkOK$s$h-OW8NTLkn!R`VBRdV;2D>~YGuxUmkP$DHl{x`+y+diDWIYR0;s28+N zPz^Gcqmlc}Ewlrg4oGdEgm8|td$4LF0Ehs4wioaWt%ii))vL=269RB_l8 zf`Pn*{6{(g6D0~E}pRKkP;;Ur&=k*7py zxndTnMd}gbQbxIFh%@&u9qTA8?xV(5Y5Ucfra>qiX~5uRx~YT7lCIATVMue(w}TVR z01{==%3i;r097HfZ$E0ih5D}tXMn+s%&YGztnFUoyhyc-=oN-c!CX(0y7A3}#Lk9# z)WH2I`J4t37G>8&=%6Q~fDTVTj>P8)q$ch;!gYr<0$kTkl zB9xs{t4iMtd<85N5!{ZnWV5iwmxpfrdM0Sk8}oKOf2p4(&1oD!ir;=p_~XDq~T zm^tq*2%}{G^LfvWx&!CBb(R%*VS-7e+RFwNGI4bM`uMyDP$0Fhn|r5Tz{i;u z8D7pNgqN3FX30`lpVFKWGRMs&t}R^H;q%nePXv~Or4IBI`#XoKX>Y%@lf}|($-Lb^ zcx=A%yAN?nOt?j}wUb=qv2?D#W+cxKiVre6;j$iBCOe-1)j|Mzdt(^`dZzLeisZR7 zz(st%SPodT$Qqumsl)Nvuj3^P?vpCPR$yNmn&dA@=C&6=bl1@=*UUfg>Rc^p%w#B+N4rTK6(vQCf|s4&QvaE}aq&dpiG) zO107B*s#fFD4HE4b;$XF*+7CXXVU$34yYzDC_;RaZtYQgU4Ps2)RS$0`$iS_FSCb6 zoOuSSmBTXW=09C6V%nn0Ggaunnx`dFlyt>x7bEX$7=pH|olS|ZFIF*@FaS8t%dn?~ z&hyDL)JmRvFDi22aQVx6yA>wt&0PsvT;{1@!zxwZZaygWHKtK(UBFmhGR^b8*%~Hw z&R@zYqb@n=IMPTnn$3(Fko!e}=$nD8oJ7@lufqZVQm{1$Yb3H$qG6-tQI`Cwl)v7- ziT79bw@brK)4B%&%F#-h$*ZKlNx5`X*lrp^%P5hY`rm$-eHTfuMv^fRjPph~{HtPXdK)t-WW>gt{PsNR5=~9^x}j?qS8F5SZ3uq&PqO#Kbs}f*oT*P;KoSuGw}l-tf#dfs@N45 zhqZ0Wr?VcGJKvvdBiJPyyW|3bRzon#5ST+*B|4BRx6 zJVIBJOg%x|eRBG`fpP%;8nX_U4O1AE0flto^P_4OGD&h z0xT~L&fA4k+`PPkR1R@YHr+}X!FIUa>XfMyt>40Q%QkWsM^evWn;7Eq*O$bA1{#ef z*FSUr!blU%S%Bq%_Y13|#jW4O_}ZY;xQ5w!9IR6-K3p?)x}_vh*Iu0w?0b^;C;^^6 z*_ki+zcoDr^%5Wg(Q)Zis+C(aSk|@2&;>bw1SDE_F?L=pdq}BS^n84{y*Q)(d)g>r zB7b+LXdwYvC-BBO(S~Oc>b|F-NE94-CFa(hG&GUmd+8gceNb4Ke;r6PL({1Tuuv}U z|IJjBX(z#%{$Z~vcVd1{1UE0Z?y*V?DL&n=-E8T!xpRW@2JSG?h!tbE6@FGVgiC_QMwE6)kouV zPt{&C12thZ1;s6WZ-4D7%QEcyf_~Zf_u4;L+ov2WyF+t_`7mkH{t560>95p22}s({ zIVol?R=(O;FikG0F%s1zfC5NyHUoA_`P6DKA6Crw 
zj2-929`l^>bt4k@Z(xmnbn(0(?6qR`O^RcTY;;&jR#2{#xF6bcQuc$#5D-veYE!M;gZW}eFi4DRR&m=iT0 zLmop`+I56|p5n(XaD4R6RIP~Igk?>WHvRQfk2SpVCFj|9(S|eeShL=|CLj4$<`>qm zZ7XQm?v!mQlYd*=e5b$MBm8@5w*Z2>;l`wM+MykdtK~J;NkW=ftC-X?s?OdLj7#fd znLAE<=A9M<(hG1e3`s)j*Pqt9slRcor4+QGwE5v>40*;+$rqh&nlWyc(0t%W7ehC@ z22j3(MBbANC@;rlOKV|&Lz6}q-SNkjXQ3;e(RnE{noSZH$aM{_^TGgdxC-31NKg(? zin3fmzuecU=lmT%fQ$ehotG&a(+co$U)W%ljrMy#r)ED?*-nXdb=jxh0}gIgl3qni zC=fqqgx{NQGI2M-d4T&MwlJi7OVefh)w0#y?fIjRis^Ldrf37>p3r8Sc}imB3FAw; zRVxGfxIjA7)XCXJ? zCLmO+M1eArmWg^YltnIIZ=Xg@5tRH{1*3$`8Zrj#Ub7gsol>}s?Q9>~%wCFXF?eOS zLJ=&bh>(Mr^!4olSM214lmT7^(j9EyIB9G)746N#N{dCU+=M<@+ zV1_JuXI4Jy*KVfR(fq3&OpZo7;6~Ffw%Ez%GtbPu9*8Z{wk> z0nc7JpFJS-i69XXIod`h;t`@B>8GD)314X*x62r%i+h#vkE5f;quA3}Q8ttU5-}<(0Kh3+qC+|B5PsE0_r@B($HGU|>2;q9xtpCa>?i zDZdOq=+G?0cxlBuGdiQgCM1+`0@GXHZm1sV@rN2a{%JKQ$_;6Im}U?VeZI_eK$j zR8nH(ufH;_-=T0$=t*GO9xlm7?dt-vs2Ji1M@z0}L(=XNK?uf4h=-=e*UIC=31-LC z0{MU(vaF|%kIdP(M$C5FRt#ufHXW&=sg!)!LZ^{Slu4DZlFynekoaGl$G=p@4ZA$U zJP%1NZ{N>dn7~J|xL(E56hjC7szl6Q9T6GR9=UM&I^HCFv>J1N%bX3TxY(06$R}!x zjmLui0Dm3bU#bswO4rUJ=YAj{fW@U>XX5%U##F2O$_SPDu7V9spYB^FQdoR#H_+ZA z2EepeoZw?H?`lE%#qwfG*de+NpL&%F&q-)VC@N$2=!N4uu2+R+1xjaMurN4R9VX(0 zX6hNicr<0zTihnMR6?5RE2!A7kuwC~_tf+df+MlSp2s^_e;e z#^9h3FNq4m347QW&pt&7^TFC!zm`pD_DKYJ=%&jM);M1hZM3}V!S7e&U_wp5e#!2BB21xHtp!*UaYD%xt>+MlhtA zHQdv#W%zwf@pXRqY7#T2$ioYLQswp^E3nZ*Z?sOCiFKyHea9fz@&vAXoUHT$K_ZZ? 
z_CFGcAtaF&$pAbm%%#`n`?4n~y*1JOSY>b#bVK~5_F%FD4?gGtBVvHT!)zV~A}XTj zVyjuSSUt@g_ef|f2Z8q9_X0b=YTOmoD$el!=(h2?J;6ATrA~gPF!U1FK)ku;<3Jjf zm>Bm+x!or?3aOW^0`ls7=TPaRPK%7O_R1-IT&QWk6IOHlzEpl>3$bTi4|5xmd+oEc zKoWl&w2{U5?okZRYA=94@MbsJjJx@NWf#eQcADrr#rS14tZHHl9-%I-hNWs$FrF}WwtEe{bi2{H8V_}jbmp)_pKBcC+RSg6 zdW1e$i7%NwSF`~c+-ZlgH_*L>QTmX_Oaf8MHxRS!z3dAr!H#AD5hOg_s|UL|Lp7QN z23-~hq`p96fqLS<49QpUh>=j6KZIEsj2QF^NDnyr4Vrxw&=UaK=HPmF{^Y&IGJ_*6 z*88MnBQ?rZD*6J@%{^m;~l<790eHqCU=Wbtu|234xTSn?PlhRsTBLX0Un+gfGk_ zI2YSC{uNcV}GevS6s<8-WbZ{FL3f1;4&UX^;-oT zqqCh4q^3~WX&?79PTEhgMM)X6zi(BOC3+m%*;l5Q`Po89Y>rT>qaJy`Ta6fsE zvkygJ{RLeBz2l$Rm})UZ&F#jzG05{?58rq8XpO$8?DriB(a6_BD9WnqTU`HIgv$~4 z@OPiu*V|MxO%K^Ss^iaDG-B2kSfQ>bg}RzfC!a+`zjTm#0lvD;@+gU7(-upB+~vO> zxGn0$Dl|UY0CS5^h?5vLk5+VFy<#?J4mBm|eo%=vJ)PiJiF>iSt zTr>0KAh2JSew-Z6O$Wz6pS9waX)GO6$c~8 zLymT)#DsZ)yrr2*MUZRGI36^B%lnGVOvga2rn{rMlOli6E{LQV!Ld|bw>b$9=KD2t zhU)#+@G}t_3)mNILyyT_*1ct*a?yLVYS8bzn)B5V@K1@{2}ekXrb?!kH!u3}lMd@s z?B_Z~;hmEKVc`g;)@=S4B9g}Dib~@`x%~0s>jQpIDxF{olW4i%xQ!9!5dail;xvHK+ahw}RaBCgNj5JEQbu}9n0_9O{GutT16mK^0Xks`w<%{$ z249}fbFOFtD{00*lp#(l&CRqr;!$O{%ZO|nmV*i@k_eIxYx`Y6Q)t2vaML(kl=qT5 zK<7UwjIc7BUmeF7<9Ki9z+K#;5DNF7Me=*i3 z6796=bphMY-~DF-RZd9@-|gl9my{WX9Z{i`9un?}mLI*GP}yKFH*65yH$EtKcv{&y z7a7>XglUlV^Lg}zaIMTI$_jK%|Eo+Wr}p)MTe+8WO-V=1#B5z*zZq75_7)^@8P}0x?bNOBE}Z zc&iT8^(#0asokrgT^Iu*PEG!RPE(@fOb(CE8%tw##PG8uR2*{Y=U1WSjHP^y23ucQ z0+ML*T|=xkJRso2=J8rN-hI~6X=;KT7-z}G=@~=<>;)i^rYij<(u7e|%9*iK(#8a! 
zT;{b|m9BucytJ|c`v^nTz(*UV4uEG=$UxJ)2+Q1EHtAQqhHwaYrRFuISN&+#s@l!@ zYYtM4V`>x+MX;BUCO~AZShcq*e;`E{@a^-1AbTcr(mo41J@UU1DP)*h!6>F^p$iav&g z52+svh1F^{m7*-+$0AP$>WlSwK}T33Sd@cYJgQm=g{~q}wye+ruKIyywV%O)sf=@`B}+4w_ZPm(|Ahl3Xq8VI{ry?k%qBH(MkUUXaEXb zatR>X{cFsz*RcitC7;p=Dnb^C22_DPz%nfk!jkQu_8NU4+Rgs`&d+4oCGiSo9}W({ zf^~0yUX`|DH1*eVzE#7_O+l3t{BRfeCDqw}^&5l?N3!N`aUcs4g)en<6+<|*^s!;Y zvVWoh?o7e2n_|}jKub|gsd^U<82w+eaZ#5EeKh%jz)?yC`(Ghzjxq_{k{af;N{RlB zDgffNHj!E@(TMli`MUAKZ6Mfv;@Yvk8s5}g2=X-F}F9m_*pkLACMVi1-CKrjAP z$W+qbW3gqpm*V=zv1vXysL+8x4i?GNUsQf3YVe3N1c^-cPd>v(qvq7YR`~r_m&e2? zo`ZM7Z0qR%S|q5Y^H)71mFsa$3ZUa+3YL%p@r&r+QoJ7K@e=G?0t!y7Q2C%Cf)yop za_NYIHN}d?S{SO(>c{X|*z(95uF0WT23bCUpOoUbCoBT5f@2j9ypgiBR4}vrjSYB7 z%y_JaZlJ9JFGEQJvYQ)@;ZxT3C-zt9cW~?Fzd&-Hz-jo5x3j>O?s-PPsFhn0KU=mL z41@RTQ}X$e6X}KZIoe!~t=&%^8@}JpRlc>y?(S6(VVNg>=ayyF(rq1)bydTKgoGiO z9F?Kp{pM+)`ew+EX|%r5-_ZB3c{pW2H}uDP+3bifLc2D=C zA@pUl<3EiVNq5Ezi<2ND{>KB$2R~)cEXdY0Mkp4i8kB%U_XT3Xf-G z_`tb`V99{o`il&n+D;ORv;*!FBe#-A{ z=Rde3q1!ic?q!5`nZUMm;dBctq2~|;;z~*Qk(=UgdS3A-UE;Zgsf)CT^^diH?;hj7 zd9q_@oqthO`c-t8Y9FVJoiK``q;WC{31c4+tD7kM6hKXjY1hW{%FD%{rm$GPP#5vZf9}9|a3xM!y z8xPytzIzI^!#Uu|ZhXU0W=+QGrd~B%^qrKRe>SYz#sXt@t1lL@!BLHlGx6o03tza9 z&CDNdD2VF+Vz5mgDl9lhH8=QZ3T8S^dYs#S;69k*W-n#0vyX(8%rQ7E0vnYo(g!YEMBR=}1^OnZ64_rVz z@S7Soq74@PT)u3Ws1g<2Q@|ok6cE7~gQ9mW@7b{SZ@KD)5K9MuBjrXw#$UVA z@4i^e&9~SO(_zwZ#V=1%IZJAno$ENH7&MgWNf+Wd6=bKDS+Y~&k@mYiYSCImO?OKm z0Gv{r9|H}hDV+_RrZ$R=bdieamo5H_DDQ#-#2D+$P2xkrO_G-%$Wo(1t`{SQKGPi_ z`8TIfnPOv8uKQ5Ly90|9Z7okgmV?0!{yKY}H2{0&4e1y0nNDN2ykM;_>_V1$0 zl$Dvjj_+6bh&1l;-}k!{5+P^|+pJ$cV1_U=gm2RCiUhk&khUm&?Tl6GF7ne8GWgvE z&C^8Ogc>OP!J0)WAYh>th|-yMwD}&BHr1~oQ1nb(Zq>4Cnm#^&Z${OlW;sv48mz=k zi;(Oe!yHu1KC$E~6vQYoG@~Zrs-VH$NHlZ!N)4v)Iy)L-BfTnJkVg)Pz`#fi;-E~z6OotnSZp)FO}@9G{}x9JN` z4tX6tT(<)3q6NoL!J8U;vR6EELSf=F_sWhXE?sS|)?bOb< z?Fd~&p3%M6^{+&YKA-ZnlA22l$1KS%M4>v6u&6t##;Km;G8)NM1FV6GL1dwf_NM^v zigFPGUH)(ZhQi$go{rbo*+#&*Xh!(U)^Y1rz>0)>W_DCiiZsw}At7Do7sm?tX#n8=i}ID+ z*UdY3Oc2^~UprD0moVlDUm9lhY#{AC=hh0f^Eu&o#Vk_-y 
zkHHRt88JIka0h<~IpH;Yzd)QPG;`8QBxA=(VzZLJ_8^In^7t1N4T?LrZ)+>!v3d?j zsI$w-l4Ls9{oTg;S-SGR#IPy*P`>z z=q991;DV?B#D;#FCZD>FViFzHL!!k8=RWu z=Vc#<#Q!pqIV#anWHIQ;1l2`o(dT0l#ajiULJxIRA;%(}U%Mz`WNfK>L5f_Z!q*W_ zhoPA8&hA59Hbi$`xMBUZLIEE3gSagv?%MWCrlFhzTD-PBSk!5?J4iasSfj59e+`2c z)b00^7TO6=(m`tLcn*VWKuRc3KRQgv3W!tj^jP#&d&{SesOk4;!L*C$Z`^Dcba+*4%%>bRQLxZ~Wi@>=v9(p14wE@!oMc}O=&%fmkYk!vV z9vkn41QXQ>(-xJF$;oBw%1ES%(#I6%mtS@%Zma<_>B90?gyE;9=C1I}6tGZSKCock zu;EoYykdZCv;G^Z0ueY@e)~l?uFK%L^UF1(ULJV17qVMdH&?eBd1~k2D{l|Z~;Yo!J-G-04#z- zz}o_WN9?Irwfp zvt_RgyJ=vq#0xKXbX$(^6Duk*}^^f+x!yb0m9_&V;s-%{ds2b$&3k5;vLg$_; z7GCkHptyU;FagU6t^?eE+I%gi(g1Yd;x{V#!=y0Ni^ytH8$r>RM_<0mh$zAC=kbxf z1UgBRO})<+O$M5btSzKfPXm*pw^@%s5h!mYF@rDbgfX7`D=tGdE4$Yd%bvkfL*iw< zA$+PI0_1@y+zie`VGu(|4fA8&K%FBHBtFZotq)v6GLanwb5ulT7U>L{Zkp^TPmq)K zw1q-cKb}!Nysk)gurrY_jQ88-9E3otKC`d`agN9oQ5Bq@%xcy>i9(stj!k{iPqnn^ zq3jE&j&VrUhwW)8FVnct5&kKbWVz|U%Q%a}+*fV?E+=~L=WB5Xz|#DohDe*lqH8-< zO5UU8%M)aS-LV{oraBLH4Pks=X;6-Z(|0$2Aa-3%UUQYkQtdhw3ofX~qHNZfeJ`-< zk0xE0{)LyF4%~H+Vm9TXVt0hYwSN<*G{|#+{EdQ9W9&2h-RjHw5~mjx|5N1H1~b_+ zJ|J#{zB|P7SBY}&Fggv))@;RSk&QBKm|F}~UI#oTfe=gU8ep_2)n5%NY!V46L|Bq_ z89F+H$zS_sz!r!N;er8vw~Lhz)RCn}K^Z6hX4u!yGmUk53ya2^zq7v2q0fjTn;)x5 z{##@y|JOsRC8MLz)Cb0H8bA2z_Ih2TI3Q2)ITDm3oeNhfN%J~C7r6yvDe4! 
zNm@bhnwi{tHI*2No}w0&@YuweEUCsH@s&WJT5TGdl$UxYYFL+IoIgis>#7P!P1QEJ z^{F(3e$dHI?8kBmg=1}W&Aho5F2}Sni5TKhya%;fks+Cdwre+|?y9+WHD+~q08hF~ z;;_Sa$)jz&`wlDSW3X}Qng#aA-TsT2z;SKX;Ciil9^0CNT#jQNgx32`?}O^f3@dhT zCKAaLLn?bXm=O&X@?B2Y=f-={rqG9Z*MU@sKncd=?ioy6mIg#ZRMQ?+vi~tN58xN8 z{T16m?>ZM#K0c?qa}&k!>P0MCwy{+FCD=K; zajP6TfAMqQl>x`S+bCss#WW7R)_rUkQ~l7gB1OZj@o=15*N`ko-GZL+h~h2KtY0;c ziC@Hu861|E-oLs^;$$v$nhU@uR@)`$6jbn{sRH+<3Pl`0g;xeXM2>M#YO9|O45f-KRzA1v9e^vBd`=m3t99Yo{5z zQKmaL@o;~O73FVBo~=X;BWxfmzxdl#>!QTq z1ZIyoyY!}824^D9=JtVkgPOK_1(*=V>gkd~AT)nrcg8aM^*`XjMZ*+?Y#S!39Z?}$ z9m0t?eMEf7Xc$&1-_L=5kGfzti++^+VPN?F?&)N7ScB{QwR(6OPv}MzTq1!s_X%3- zL#3AAN;~2Deeq6Y1tbnT_yn1M#g=aGrrmJVW#Ut`r++#C1P=`(cY;OwEaM2Zs0L`L z`HS>r2Hh6S$JK;~cDvO&N!Z4=z}j6)BZJ+wg9JdX`s zCdi59xXHnQA1erIle^(vb#SdX!&}z{3nrn#b1#q%wFlKIC{9DpkCsO!3)}8EBis*; z1wD19nhP+F08>D$zx={Z-hB+rz%j!BX--ucQyA=3ym25I02zXafDC2NUuEX9mmr)A zc(I_|$bMahI|x%SzgA<}#=j0`_6mIZMp(*(Bd*gdD%|*+wt0AC2mZ1&H#7Bpo0qBb;8|z zgpVKHh>tB|I5W=qGl*mmKo=rKXi(e()nu@(?hD7v=npU;x1`Y&*S!4tV4#;pH2N$= z!s^>F(ig2RcEMu>{X}ih_1LGZDvh3w2pXu5R7)NC{m>@9s*!&)@%gt@w~LM+?)xB+ zGA;ClUg{L3aQ!E-E-^gXf$`%-V+Sv2cc>P!_LpMK{zxACYBpdJJNdmrJ`O;c0C!IQWiw0L z-mGE_aZyF2Ww+X}X(+<$m=gnw`6a=VKq>!ADU784_8BOVRJUX!7)b=M_o^~2Pm844 z`&h+W_&5Vik(Dv-iU*Wck<)EB`=_6Yt;q!@j9&&hus;v<8+|{d=%w!L?IfXB zw@>}phv@|m9n+s!Yf$BTEJHF*;8)!lo?U)6Hd1~N@;2Yp*AafCM*yL)tlTdWoXa4Y zU=7_A$TEePf7*XDzad}W=$`B!c;@|TbFHf_9-ehI*mHg{+VTG3nHF0GJKWMklonLx zLa1ksy~9i}MyfCzmNsenJ`UXOaDK_TT1VA~yW_spi%b6)YnH+=B(5xW4+q_3d zF~Q}E(j4=%me|T4-4L^7+Y*S$Xwa}9NK#1v0~<0{uV;{G-$dU2=ay0vS{oy~c?|7?%ZW{)GQ znZ$)J;S5EqQFa{Bcws8?kJkjG`73Ja_7&k?g1_O^BREY}4&f2MPW4T(^hXrx&!F-5 z^%c~Px3(WXPz|jFcTJuP$X|}y&L0r3#)VY88St@xLw{KWy)1v(KqJ;Q&qwr7(TavK zR_84=LwB>Ze~qeA3>RApU%Nzey4j_xa5$$t)(4`1?-ecC$Gv+_ij~VdV(rl7NM`9S zT{!50#=F;E4<8`h(*4~U_WB%MZjSJW7C|Zx2_y`5ri@7lBp9NH1x+WK0U}1Mv-1W3 zm&n&Mdo`<1joxM&x3UX8&A|Gc0VU|ypHwG7_@wc{t6!1@?`@9TVa~R$MasgZe2O5f zJ*+54TVS?&2Y9>OX0CWzlDHIXOoT@sljo57^lz4e{$ly$(vw5n%$wl^k{)LrBQk!v 
zqd^X?7DAvRe^P#n>s?7iO5*i{P##(*T|%Qw$1B!QO7Ma|o;ZI4>simun^1KE%1T_Z z97N~0iH8^zwN-C;adN7?U-fa2pjho+4^|Pf{S`KSnjwc!NiDNPL}F|qkWaH53k)qp zUgzWXD|@g-V{Sg6`QP}Z!^QpBO>g`$|4(WJUT41nMP3`xVcI1QlZZ;N3I@6}sQ=o- z&_VofKbCKxB(k(u@XLHRI5|+!;SgJ5_!-r9EK*O(`K6U`hIDE6eB#4huH;JNF^xZL z{M?HRXzyZq2F&+cOONFo_{hA`3rFlpk0oVjjeSraRYWOt;s{E&PFwI`+M?obL971# zmtpbno=<}0wCM8T7&CsU{#yHI55=qiz12g-%;?LGK)!9*eX@;%hPbBv z=B{lYVxz}w8+H6#;1i3#wiPe90{AO2P^D2vhMS)81fbYhg2oXxobV~yr#l;V#dj+6 z^V+6qfG`9%j6klV7eoRrdec;MMg*CF133X@Fb&m}x7x46`B&(y&>z zgoI5PR+12#fmk_N+VSn=(bt>S^3A!Qz~p)KkEsKL3+Yc}xxuN^c$FRFEMUf>|M&`O zbBXSwg|FNWmm}7?KXf~1rx=X>qY&c;vNGX;;zsWc%9{^bux%LA)`3VsETe)_k*2T> zsvkjMaQHZKC?ccaeNADKKV@-5E*2MM56$3;y7=wxu>h)c;tx*IlG0DkE&gvnmX(?k z^rG=#lY8PaX+^z;E>DT2AjPSYVX0|?)jg;7dXdrnNf{CAEbqzosl7qE7kle{+VQ(- zz5$T2{L+`->#K0n3+Pob7=;O;uQ$&adT7kmk9@WP^9mf{Xt;wvyi>+En`7>L%zHLP z6|Zd3A874*eZwUBEOX`4Q1?;HDiQb1zaBsIPwvoZh_!Qp(MV&g(lV6Vg9UWjLNIoLK{ ze_G%Gph~mR@$7PC{RfIcF=p*3^UJMV?@(_8O%%}r(1{zLXIho?%Z8uXJf4UUhvsAFG3;%lI3Q6r~JX z^coTI_+#BtfBIVti+QuX1RtQzerTfqCoQfcW4F=RgOpg9`-oB>oaQ(nWUcDPsJ9)U zX$4e`A^E#>LT%IH!|2KQ%77?GlP)5QdwvYc2rRc|wlsPz)<_=)bSkwLtjli1>Wnxlu|?X{yvd0x`+5MMjR`nB>5r?Jn?3y!DN)O#kLP<{bLrEMRlUSH5<% zu|>rkaXCSU=s_H9-HnfpOT|xwxtIm2C7b6YRf8~5ZmU*BDpnS%VMQ@&P$P98Jsc19S?J-7y|oK#U*jtP) zd^FY_Sqj7FB>_}@rYjl+$Dul`cOMgZ%|LQn{UM|~J8swzbyc%zEEfx4E5{y1Kk`F@ zmyw*<_BYSv{qrd$(vX+%=uCc2N=DPsW^J_C&C1O}jfe&7c8qo5jyW6d*GZr}Y1UXF z!J8|yySoe6_g%QbJs!wUVov<d58;Cj-wXede7FjF8tU|EYaIPPrCA!U zWc#?+Xl@Ipn8=gnW)cYJi(Q|(=wq*^JnPnHlY*RNJ*d04VD(U!ycEYd>4&*a4QB}; zIPuFWiL9R5?HLZ9%;b0WYb8{>7_9=zyzXfBMDp{_hH$~(Z~1-^QSDV6@OPu7A*aeN zapk9C5M^`~&Rh@1!8WF{g;vF&CCZp~tHDD9#(Zu;OHeGS2N|+pn0au718w6QP9-#} zko3iAbvqJz>?FlP*k7+gY4>oZakL+iTTz@KYA26>G?8Ri{X3TR#g{iNhs`C6#9FYw8%}OS8GUR=<#YaxM zP?fD0h;=GONR2lmvSqRw9SrZh)lnuuQnSqM{8;*lw@sX#MW@H+aK z8e&+rHsC(;!})=Dd3X%+YhgqU2BYl39L6k?#0~=$5gumy6C?Fmy(sacK0AH5M{css zv+l{2urN7J9(sNj_yd(p?qcQ^Zd>+g0pnFG1{H2z$LXmjCI0TMW+^BSBl8~?R&2(>^P$ge`+n`%(2XWXU_Nr@WJ 
z;Gwz5Uf6u2s_$uO$1WbkX!#-(&4|zfo1jzYjCXfnqeUsviP;-WhAFxtpS=A> zmA8DaH&ed4Sx9Pl+SgCCMei5gC<9_dVoO8R_<~sGP8@1Sqh~qpAyF=r^5g~`lr1i zj?(xs3Vr$2W@b(7f1(3xa)V=A4eeU#o83rFY0U-5vUQYFP^6vmKeZ1-`q-i;TQQwz z1vL!!5BsGQEC~9tJhz^8f8rZyZ0Y0WYUQqMAF1`CCWHL<*!Pb*{nQx#Dv8-LRS~HD zKn&1z?u!ji37$T(thCfG%k@wb1N*nsy&z%^6o6J2^KN?TJg`-Me*mZfwFW(m=hhHg z2NE4u+j4UQl^79FeO-`c_nH!}QLrt^ zhLOE#SVV&=M?m~n9z(=k`oU9(9if;vv6xB*N<4$j(HsF|O}r|0Q(t}6b=xYSV+z{@ zE63#X&goHqve3CApExzh?>_47y70W%>R z(^7w{_V{&{Y0OIU`N8e!lNo$yCYkGsCDM9S3IS9ow(A>(?On=4tYu}B7YT%3ENBc8 zWYsJrLzcjKJt^q7hm{EW^MY>t+qajm9ciNXs;=HSAEI@#bAJ0~Qh@!+ zH6t9%=2=%@p&dW~yXw?8=cTk&Vk02V3w>*8s0=+~-DT=`pLhl+i*Pu(ay{r#fhRbq zfPKgx*$mTorq@nf3Y=M=peD3=Ah0tN1tufZPIw84Ie$Nk#MHw3pNBil8*##N2Y2 zE&tY)UES|)G0kC)vazp6WP4EDUPy@1Gd=aNPA>d-DGOUQ1idk%Si`Ewc#Vv|;-%pF zcJ{_F8$+bZJjh6dxqab8O?y@8#zC`d^d#%P{F`Wr=-n~Jff<}c^&s&;b;NHwrE*Yt zw8$5D{Gxx;_Fva!a=nnweXI!Ya) z%RLddUebwqjTHwVa9jKB7h|ZCx$LrqmTS-7y!|i4Ur*g%Dj}Lcl`_|yURvZt2nR;9 z-RaTaFvkJhy6FHfVo|1Bxyb3RnkzlIIDZHYhZ~6%E;Ori!XSqrk zCPH1da-LrKPRaG)nK#e|@y(MjGh{rID;Fc zJV8L=pFXlI>rY6co^2a}=ve!4DMq_L93l0;G@vwk zY%fF$o!8gH4Q1x<&^M0dHBA13W(hR>iTVlOsfqbcu??c6<3;CLS(m)gujkJ|-1sMO z69E;vL0Z7W`f(HmqGUU-t+BSylUbt9Cp>%nRA}RJz@?rP+G+ginFb$D(+k`WRcTHD zNy2KNGXXI@6e3<~WPdxnpY=;`I_SCcWY>9fSSxXfcgls<*v=WYe^Pp4Vhum_(OSSO&Y%-3(mlvP1c|a^y@z~(FBFQ1)>#v9j8Ij$;QI+ zkI}YDW~&2SEBwi%c`+|HcWSn27;#ZDr`-L-wD@{SklJ`q#3bm&lJpvPatVc1Cl>S- zcJuDT3?Ys8e}~5_0A&cSWLs>VXZE>WYN+xeo;qia>=Bt{G76bktUh=-eQk`MJ8_i z{k6SUdq>-22G!suDcmdG`EcXhZwiI$P7~dJxis9Z=ruayAL^5;tWx?@bNCP0gJII* zuc>!Ijv#398Ogd6Mxo&9=^_L<&7bv2Gz^I)IjrGNpizUl{uqzhKW&|fp%zS#DDkw% zOz;blop_Zu{-nP5s-Ap~Q-bY#Xu{b-pvxa2ELu&87%PERgUTpM+nEB!+S@>X$$2Hm z{6@Vu+9Xmd;1F$n?>+sBFUv}U%soJizjgY<=u_ry1BvhboB9O~OZx zP9tuh`A$^5fJs-}deGz&k^p%0_{C7|Ks(yu%b<;8Sa!@PD;8n>Te^d>e+$++T?Oxc zF0TLuy@3FQ!YES$h>7I*+Ct6Gf0T_mr6 zHyB^w_3xW1P$D4F=b$nCSwS+J_K;EUHxjjp(HZ!z=qGr^7(V=Qa-ukDmkwj|OTL^f zavsEE-`oWx47c2H)vn){RJsYUuxMgq(jgQ?s2 zo0M#_8HsLj>KD>rmp`RSJHi1!>{zGy%Mr=Bu?OR`ouWbg)AZTT-;M4WB!ZhW)S4^v 
zkb;!MmMS`9>EEZicD9Am;1CgP{LMF#{=ZUG&4o11fR0ZK zIGtQHy*G%GY>V{lzb|{H*Lb5g9`-ZR zf4x;*vHCiYq>dxF73NDuwCdtpDnkx-4E81>E{IkH`v1J13aomqkc8%$LBVoIV!sI~~!fSA}RMDuPx-Da)8D7asXsU`f*Aihs5ynEr#jd?^Mvrz* z*ZLG;i70Dj#C7~dHba+P%FkwnNgxmGT5cI!@m(Q_SZ=m!ha^*I?UmXO z_PsA`liQ23_H(-^9R=dm($8NEls>OcOoneio3jwnFkd?&3Su^)8$fX_AytEBx61yQ~rYE zgE{6sNz}`)@iz_zcT0q8fmUH=2PKo;_{!LlY>&ql^f4=YSVEY)1A7)0r%D`=>ZFC}Iqkwh1L}zRKk>%Zu;v9_BD-x$NmChV z@m7X9L~f{24C$5}qlB@>%KUpu(EUmpS+_*===#AxV^J$6U>!$KcOw9A-6V8-wrKgn z@E#SA)dOpcVHz?raNPH`?}!qSIuhn-|AQtmkx42^7!;IEC^^mHCr6i7=t}pa&;^I_ zh>#3+#S~SAm%kPrd@U3rIA;3V_4Zrh<{vH|qU`+m>iR2w??e`qcQTC;{6O?b1@bAT zwr6f9n^LCdlE(zTa4jJ2#5};c&{?O+IPNvm*p(b&D1pgJqq8(>=Hr#!acc1| zPj{xItXAA?ROqtNtJ66Kf=+C;>s1~P@%dXXi0nbEkwHmu2wr8fQ78F!8b|A2JU0vS z&pd?Ex-ZWBB|Gb5iifPdQ|5b0OFe`a-t176qYW(pjnO*L!Y*tuJtmG3gED~XFe7LlJFK(@11LDmF0APbk z)a@zi=WkP7Z`v;vI0X7Kw-xswKg(L&V?$$28TlN?hqeZh>k#5Y))oU`bEq1kC$hgn z-*IF5AQcLViG}WH6$iacEaG377%eFIrmndPPILyW;BR&V>?a-{<@|Sd#H!*pRqH%V zHLow$1S3r7(7^L&OHRIM%pw2R%w^4ke-1zYLbl)Vi(V8XqZk1X2sbrUq#0WHffZf& z>l@WIMJQzrbBX*wq^NWa+d`c;2{%Z1JDLoCL2Dk=vU0XCmM&*sGhu@nQdX5w{}v$w z?nkYE3QvgGjm$Z+HLfq1wj5(aU^3U9uFk;zcJ}!F6~Pp)V^K|{8>#w6O=>{}+P;hx zDn-ab*%jYk?yPB{8YqhcXxW@5hx~(rdUh-@7Sshny$UTxH~BsuN)wgvBVy zo7BevNobsZoFObf!YonlD|RediPo%4qTYT6-T2-7Wgwg$BU90T%Zs_#6&W_R@Z|&K zET#yZrEaN_y#=Wu><$2t(<^BY_htWlLPt1KWh9aL#M4{*AYodIvUT1rOb8ZV`~F{J zU1OV<1w%~IZ~RF5Hz86B#jS6AK#$MtDRW^o%N2Spl9r*-QiX=IY^@c0K@c`R`zigC ztFX@eeYOll@V{RI&1e!x)$EsDzhs+IkxCQlCGC68e8eMv_Jn_$cLOBQHcD2phF=W+Mb_Z`|xU%ofK#fz|^D0!prTW5Et1X^eFR zFN)R#DXholuWl)TrZu~;oLTh(?!^R8k0o}3tRg|fZgtI&3mSob|)q}rhdB~pj0aU;LX_u)A@v;J^iUwh+ZNCh}vp_v0=Wo(FnxU}wLCBVB(PF=r>2WHaEiODwT9=+j zekl0ZGzT+-!*855bGi)No+opY>06BNgL(s%CuXG(#%f z2Y`@gx3VsSvOVT48+IG2H!4&({ys1BBtNzr<&6Em5jD@XFcE*oc~#sq`Fx(~??Uas z=DHg^J3(M=wZ=nqypW<($d6M~-Nm~LWEhwhx86&n*NiE3$>XZ8oUtA&Y-} zn6{DuXRGD1&Wr!$7TggBqReMF(OT1w=tn7r__yfwe&QH0%NXZ!LG7W*+u;XveF$_9 z70S*+SY#{3eV&c*`*O`n;=RWB9Wb9m?rez(J5{BnP&aoJ1^8c_vUv>mLIEl9Pl?~B 
z+Ql4VZwA|BU+(kmTZ611yumn-jU5k|+RHNo@k{s758Qw^yFI`t_1g()x%Sl%Q#@gi znDBcY_4hR?98t!maoMP{MuyO*NxfpEM>deX?NFs^n?O8AF@9UTckwr7KGsZCE5O~XuTez@gjFo9(SziZ=$3xH`jNc~G+Zs}tpcl*0C8sxJfiWXGt#JJy zR8bA3(DS0-)jQ}(V#98Yb2RzHnFkJ2+eEcK{fI>Qx(n8Irq<|9iQn(7!HhAMDP#z- z53=gn63VZ>!ISm;nXKf{uR*z%`&hq>*Mn}R;`P~nP-tzrKZR!7S1E)kl~_gD&RkWe zCYbCbdJtCy!5fHiBoL*ScpRmb3U|;M&vcxw@EZu@lb8aidjdoBJD=QDOqSAD?b?C4WgV z4~&y8Y=v8kKc3F`MQGJ(9-)!J+*M-w#*m2sWpf<_9ubfH9n3_msKWwc2p zba9jb!4WNhHP2|%#ARge(xUG4qbM!Ag14=Tvrwjees&L@;(GnbM9ZE&X6JUbNymJC z0PsYyrF0My8DW&QPR_DEL{D7>Kcf5#$G}ZdQH9E|3d>2Pi45TWR)!l=;y?sdqz{?3sXivT`1TxvgJfQ_WYEAt&`+oJW)Ya_4 zqF;&R{jLm%;5XW|v5%ADF(5_(;xZ(R8@OM?cau+4-qO96-%DbVZ`476kw0|M&0Khf zf$KcQ*Qr3N*4TtLI3Zr?L&Yxa<_OWwwaU*JMT}xxchy2^lUb%DG`|Z|yfOq9(e)!q zXNqeZy0%&WBzUyICQ6)!e3t-Bi-y>s_7iM-x~=>_y)1$Qh@&~1lEiy6#tZ!Or~Yde zWC-`y2G3vPfX!23FhJGcmR^LI7dO=x6kp%hUNlhKm8+T7!VuE-r{eG1S z8X)v~oWXBG8#*ujz)-lN)bQ2(7_2VF6`ohd4y~!iNW*x3M>fzx^d+0US!`4r;3q5C z0N9Xu2&IROxI;D~RFmr-h%_Z~Or&D&=MrYEfsR*zL_pfW*w5&NOeay&N-PjeATakW zR!6U-R8M0^6@6`&lEmec+GaPP&suNE8j^OZL5t1K!ECSi z%Mkbe8*-$KKDzzDBu|;sY|owLEQID0jC?JX!lKj{R13sqP@*4OoUkmix#Nm9`?WCm zoD*_vrtH?|`EQ22azxN3NMzRi%@@qS`$vd~E0ACA)GxoH!rE>kX6$88svIb4f?L(t zP2wAD(mzn}_;uPmXD-+j(tdbN%x4vIq28PzBlG1Ny7JF*#)~ig;y;vTnpYm35K&A& zJ(xDPJn>(&G~}PRJnr8u%w3RXDIOR|*2V*5PyAkC-gBzCO9lGEBAwc(>m z=U;}czJQ9U0VTDZxN8Mc#xKv&0~M(tKvAoef^GGEfjA);^@KTrO6?AAs(<60^bs_w zio$1GbfAAEC3R zi`m4A8E=d)=suvno%9qgU4`tVn++E8dkT|T-EKyt=wDmhhY2!^ioZGnh=Z$V4+6H& zv6AwGxuISKWN^6TC$(1!Sk`m9WSjw<@fno(cSABW_}{<9boGG_`e&R-_)UYTv;+NR zCsQi4d=0MsjX}XNT@dFMRM8Hu{#&V}fBpeWxK936_E-{~?|WJciCB4*55utCHuE!P zMC*(oV|B4T`S~btjG&eg7O`R*{-w@e!0qc_69lChq&&9I7Kol-ahRZvs0d!qvq#=t=g( z3STSBaA8XxeIbOnW$NTE-UY5bvYFhT=)^cPs6y(0#szc>;GwcXhk6J`uZr#VGt|>A z{%+sw_ECX<9HahEmk}NY+<_4(h@w9xVOYfh!glrXm-`%vO#63ff(>rUxL zDMJ3lNUqQ$p;#;Or}ivlsDErF>RTkHCjwO70k2Bt7gGedLJL$#9HqWRc+?#@We#%A zzyfHel8qO%O7Ryoa?&+U*N&8HQ$l?Hu$w?v*mqI?hFIV|U$b+BMSs(e;6Bh{C%}#e 
z8FAYt#b^0!zSUK?&it4N|DZA1Tfpq8_2QQ0*2{1{s4tTQeCge725gZYQ*9b|)oX0zQG#wke4SBNOq%SL6ksqana4|G{=k zzPep5^~{b{y-_}+n^T$ruI71x-gsfz?2~Dqz6#t!w+6Vq*D%z;Q;VZnJ!W?)tl6;J zc%cUx!pQOcktxz}s<+*rO>`3z@+*Zw>@1=*%L(@@Nf|x8>fQIqWjYtHC&_e@`v;j( zBgB@<1a@9I_n^`(-uRJ*jRlg%N)blo6O)>`^q=(;r|Oi#-oM-dAFuI{=^}azSD}y} z5iw|2>3K%ZyMYk&L|kz#`pCP>OrPSkJC@g0nR1fKqp-0S?eMk_2CUERvuP%ew6LX1 zR9nhrXuPwCILqbotEw}?&#gcoyW-jMZ!-zH<#m?ZiqUx?Zk`j^-@UPA^s(PptBN^+ z8B6(Ckg~T3A78318X>_Ra$*jmw7emvV?$$vWg~2=+k%e|W9WYaDuusGKzr(+)!s9I z#%!L@(T9gcj575+%p=d*bC#Pv6nZ;Tnekncm!<2bIWzpsKrtn>mX7S>w$A9c+(?nhyhi^u}xw|>nnZw zB(jq?{a4q2-94(blFHm7J`Jr&4*}u4Z|H9pCUAuiHsur+MHE)N_$$6)IBZTI^3+V> zZ0mCt1QLRHUNj@}4b-&m@K}#N;X3B$5p#44NmZCb%eDXd^J;vQG;;O_hFuiR8GikU zXTrA0RAYHg(a>Rurma!DwN#`-$N3gYp~bb3^KA_y7DQQ$Y74fy6OnQGqdWTdVbRcw zZrygqAF^+y9|hA6p~ah)eY>u%F&a9qB7$WeeZ9k5ajUPen!ZOnTO4IaUf|EUa*!(f zfgIJyC>edy^S>A?+sJQ4noRyWwhrm{8In;KU?ap_LRi}AhcLxcIk~`jv5-pAR;7Qw z@42?}6+G!VX(L%3CPb;z-+*(mc0KN;dD{>d4Kd033 zWz%Ql#cp8L9}|R5JVFi3xP7KNP;!!}f+($z%u93_*czmF#H{rh&1%~7 zR9aeMsV-7(|GpE2nth>mAkLN8s}hv&lzzK|`9TcHE0!blwB%Jj&O4{q=XTh{%$0%x z#>~)4kac<6_`~y_p-S*)j&7=#O9+TDA>FO$xjrA_kKTBpzjXoY4GPew%w=6=34L4c zKd6aS&OogEUS&rkZv2eZOn8=#8D`~Ggv0cvLwk!1#rEj4FHQQv0thb9{C4+jjahvfwr5V2eRtG?y|n=U19Pkr%CG?u&65nvBkIaou3r0u&CRBpm*P`hN7L*G>7xT-KjYv zeB&f_=2eDTBygu7Q}6wKWONe*@ChVpD6cq$c4$m^@3RloCUVx?&}Wsf zJvdu|6e-6{>FU^;8uPEUUxFh=tKAd@<;l6Iec+0&@$b*NCy3~pF%>NM1;5?MN@ZNa zr$@J{e%9Mcbp65Bo*%6(CXNQ=q0u@mSI#$hE+Xky<&X?eZv9Ct{tE+hug4-786+lJ zxT6^yh}goyD<2!8p^3Qz_!?sP8%6*%&9-tk)>EFbiMy+SAwDC~PgxsPg6u{|-a@`EX5E{U2sDv^uHS||qh&wy?>e%yQBRXgB^+bK zS;Ox;vKmCCFGef-1jXe@`Pfj{jG~Z1`AbQq(92S50zDw3&1oMo!dyQG4EuTGW1G<4 z4hdvO54hDHTd6bSqIzMcB+K`ENIcCUFGKUh=7|#-e#z(G!mdR3$~;vX5zrU$fP}M@WVWI0h;_za#nZT@YN)OFAi2Nue_` zP9)(O>LPa)+y%AdXD^mHf%To=thrL`{sbz*9r<2GXZZ!w;*}wToBR?BU8L-Tg z*EQJ8`&IOhEF(W6t(==`A@XIJspPSODLBqemW0<*J;B)$<}0{%Pmg18HE%S}zb#93HC6)rtp zcukz*C@nX*7M1QM)ggLWL6*6iIQ0=V_E7)WZpd~5dxpP_*vuEYi$B(IKfa8vNE62K 
zA}cFhoml1~=dsuxVr-x7JN})2eGZkG@&ceahPei%!;HGVOu0U&l%KxY{4zC&sUu!OtxT)H+Y+U_)V$g zg}CU#5tDb$%4V7g z*8B-E)l5Z!%Y#fsE&4$ZT(Gn*l^%#+;U{>HFk+?kw$-^SawVh+LN9_{a-=q7d(0aoq_m%@rq zEPW?kG>P8-o6$vAXbXD986fj=8Fz9pb*ew5HV&|mOQ)ibmHAz+S>QWP z7)X6o>f0BMo5aIP$TW<8m)VJQ_A}DK+OfXRb+z|5dqE2y3Xj>^CcFOo+Tz1Gn`3~U z%Cg=HoBSE};Mo?($$YWOzBCj;QhA*yK&jw`Q|wyxt|km|6d;Ivlm^Zi$;krEglq5ljTY04pfJ#y59S*tzIw73 zgUoCupRcq09E7rkAFd(^&APAezBq@zV9)<0?ypP7MeHpS|Ng0MNtFJq2i`k7->~ww zCD?rWuV6tApX|LlPO-5T6P~wJ^5s6r%V=YYYFMWLAzj0^o>MkZg2Kg< ziL_UBI$r4#-gb z^AZ*V$W3q)0=+hQsp|VYjx}vXjSJY(MjhJCl&kxWw_NP@jXdD?7kJ=KXG)s}p#qY$pUJQjT`bcOH8ugp{ zDx(8O5(bpfh69uP*F8P@K~l@>Bwylz2?Mh2Pm@gmD&~x10_UIRje$8}& zI79gx7EV5!LxHFnBnuUdZ|d>H=|K$18DU7y86ndybytEhk(EtGs;!bKGNAZ*x{nwv%WSxo2#NAY1WM@FiRy(P0 zVR1s5z{Mz2y&olp9sZKa@`uWx@E4Px<@VU54Z5!dZrga@*C)^k(RASRcbSqt!)Nu2 z&|+2HAI|pDdC-0l5vsU%k24YULtA9ca==8fW?vq#j7$K>N{V^!jqlU0FF64CR{Rd| z_$mC`y?De-;H+;mgvZ+RNzk4}$Cwjk^LMq- zQrF2#Hgw2%D2m%HUtt0TZMc_E)v(x&%@7AXPa~7ytN`2IkGpRB$yKR-ukX_g8qm8U zNW@r?_<8I4MziCed1hfXEnQ&I38T$*WrZ%{=uuIe9KO*Vfti1Elol_B5%7dt_wc-g z-RXVjpqu>+#_=~2exkpzkRF~o58xHjE~u{aheWX5k4d3}3++cu{+omsmJ^(4Z; z!Zn^RF6=|kag^ncT1gj`X)y!B?z))CO8dQyGoBh&r9$G)WTi`AU~FFIsS?&;CFCoCc)ppq5L^*dp_ ze!yzA=Dlu5rJ{oTs0-eqw(xJ~_>=$a#iJDF=4L=JU^FgiDO!?PfK140#_a%FBR=}! 
zIdbR;C@#s&{(X*%w#n3Ir9k{Nq^fp|N3`!PS2MFT>IOvpFo(NtCmI7e%b&g#VJWbs zEwAK4EIKi-T^CbNdnOZj^3`pK@UV%b6Jlp^Uauj{`~~f73P~addSF2&{`^7hiBO<* z;rEoJpXk?7R$NNHajtr{MOlHlpk6Y4YXt$$ea86T1dv2Dv6txLIJLg;RIZX6K%N#3 zI4VB)Jw{d<0pHPsKCoett=}n1y7j&)KmlsBkXLeq7==22Ui|)- zI|TemI#RVDGCBWVrVb$V0fMHJij5e5GW@WfDeSx<-|QOW8UdMCS@H~ikW1*9)LmnH zCePCiH+HhIZQHhO+qP}nPBzYFW81cEn|J>CJ>TMaH81AOTvgpwr_MFqU8DV#`4@M} zVXdGGe^y%vBBxSLAzN;)&JgmgrQtmYXu4aHC5Wo&6KPF@lsiD2vl*po!T;{qkqJGK z5s_tfjiDL)6jd5k_nAHd%ADA8iK02X@hyYoBHC;%@F08i>8YDQwov+zN704jBpewO z7dLDp@ni#K7lgdFlUmrZJAYK_b!n}2udi!bnk33QLb$bDPd6*(^E|8C)ALd%6El=t z6cdNedqLAh905`_c5vXv9rST>1c623{b3$F8Wq=(5kCTZ#SzKR`vBKD4tj+qCB0%{G=ZZ%lABSB-4HuXu29vF0?jX zO^nnEC@0A=_!^!tsHxWQ!1gPs*b*~V-K-v$5YIwKXQ_^W>*Wdvf>;*U z+)6n0HTK79{8r}nY&9JAVvO3POhlXEg@n3n&L{mc<3v)#$KpvFT)3r+1T$g?wX%d! zu+KffOyqx6%?%eGdnH_fRW) zbzBpCGZ!1#@cT~H$$+l07?VZM5m3a9jhmgcxy+G|hUU~IMhi`$e-O}qY*nY|IBrGH z;X#-|r-MyX2ArND0Bi!5**kBujDqwbZ2yUH8x^RrSfOU@t3Xp#2Bj5GIKz+a=?3SR z0)bUyku6A6Dd$cCRy`c|h9uS}dQ*Yw8jW{PIrBC*G2x3I(IF=#(*7C;FLZ`PY$5Z* z43W}^dyQ#As(GfkydE#^qtIV)zkQ0rR8K>+$KjDJnJLuc zEgy4Lg@3vOD9fx?KBM6-76q-_sOeT{tCp`0TZG|NcwOB;qf@*eJY}$Vf8|1Ash`d2 zizlAWV690)KoFf>@beaGdpX&Hf^g?#h8E=ML3vLM6<_htU4EE>h%HGEJ?K%P&OVny zPx$D>a}nxS>hZA}DIS3VxQO4N!QYRKOr4+ALTn zkJ5(#aFj9vq6~Y!S9lBPBl7h zTt)FY&O13n-Jb9SgoI4DgyeNKMO5FT3(0N8z|L8oOat8Yv1;_5qLRi9UXWf07D3E$ zJv))1B!8D4t@qe1^~Rq3v2P$KR0QJH%)vwtAmdnO0u@f&)la-_$(!yFsEXFgB|BFj ze5n!|tLtYc)D)2-#A4kPmA0D23xf=Nm_=k{6w~Gd9)>j=6<9GvytDA)%jfyb;@N6s ze62DR4|8@UgyWEEgZ;H|+D0zMozDzMr3e{ioQlg~JOic&C6mChn2Z9BpN=vs*m(_u z4B>5OGFc}A5}CPcAt@9v=gTAzETE&Npq?8#{sBz(hgQ|)niXl7)bl1+iZ!@&#dsBe zW^j(fwbuZZ>PP0{;Jj=A|KcmHA--}onoFtC!hnAk$A?*(n%(I!oahGzvYp^+8UWP< zy<#S6_(siqQD5}FgrDioabo&71B7J_SGpUO5V;heUveDONiT;UpfNK{X zgh-?nf(IQKJE(fO*!Cew!GPO*&X`&4)&wzOGYj&gW@W!{-jeF0Mw?BWYh)PP zxk@Jhb{^B0L65>sUhUv;&>S%wF zg`GW*-nx5|7Ci_FmWuZ~{$p)ZyW?z77TKGCqjJ;Ag@f4k=l%m&zfSEVUHXj(KCktH zO_>YTGnipDmy^#59FKIwE^L?nj_A&fep9nS+-AcbGCP#a;?heIes;w*>HXJ?@0L4? 
zZ-RWA_tE=Grxfm33*9JAIZB<)D1755D6@);aYm~|hQ0fNn$DB2nH<{}dt-jjg#6~8 z?IR_EdtXP^km3j)`TG@L$yfWl>JFF8V+!f7CCCUNY&7A=Z11@)|Mh)dqS zDji@svTy5Y6)8IhF4zIf&51YY^X7}2p6ADRq4GA*VkrE)YG3cEld7MjlL=QC*!<62 z*N&*4R^r?6hFk59rxARh_Om-BQWBB!VF=^wwHxBb+(jZzctmWCgh%!h0^FSjo-C2v zbd2(jJpQyWYlENafHqBD7c0X3(eab1&Ro`|tmmJZ5GQ^<(lK`)1C75dz>AOABo1TV zzRho)jEA>FF!g*-$*shno0BoOD(!kSnb1i^vJ$h8q>b?_&RlItxiVcp_KF^*=H-%E zmc;YxXxL3_kGc1qNa&*6=+G-U0gdCn|Nd?-CKskBV!B9saEM6jV;d&|v1ja+dm+%E zX1O4uLehg0dEK2G^II65rrD&3XkVvtR7N@(IByM}#5bEt^yhRl`q|42#`^CtCeN^% zJLU)&hRS@$@o_hu{HsHR(}ASG{{GezwV5*1h;vSl(+Wu6ONAX<6PyFi5={tj1xRO^ z`mzjdh#JUyC_ITNR+&Nv<>1p~midbhRUVSsfVDa?`j{uNw6u5G*)$OO)pAq$3T*p4Pyp0-m){(iOqd9sc* zhn1f7Q{Tuz!`cT}FH~u5bSzzP!8J5WsH49p$9dNJk8k{JWYVOtusW!4XAO{_nOdZUO8UlB2b5!*f$AF&2>f(6HKs~%261v`L!CgJ_}$-Xr)w7WnC!P zsj=|%7+x3<{Ck`g8s?9xr)L4&kSl$fCTR}pc|1lVZ!oe9X0+^hpvJsdo;!Ce;4ibg zIQE^2$&8rhx3YO#!wT5m|_{&)~`|0?KoHp&KHZ;2(>JK~3a4h@9+ z^SFO+0yzE||J3ptz6&cD^_9>B1BVV0=?KG(N_c@c_=#pk2Q!1s0KgPDS)}Nx+b6~g zG2{N92|;BC6(6K(cJP5v-}Y2q_;iR226mdz1Ohp?NB9q31Sjl?LzdJWJq>pkk+)c; zaeEA$*0_05FYC!Cn>|yo|4_X8F19h0Lh93r1y1hyU>N=lU_P=uKO#PkF|mnS`4X#C z0dMO+Vr#Q6LWxCM>x2_U;JCZKiGuOc!%~N@35N3{e_R+t>@?EFnevzP2Y@Drv;ri4 z)!|1OxsH#iNj=v=2(JB6gLS|sjo_@|#7*i;d%hc}Yt$z@{v$GXTU{Tca z!N`Uu)ewkNTh{~8J;hZopWPAeR*c2+O(g1BC`rtJmr8*=<< zG+|oQ1*plJKSwIT+Hgd5ZxyzxhN(r=0!o15GMl(f(V$psE=C$D?(%w;s_ysnn^H92 zk|)X7zsCu`sA)QTJlTRU&dHj8N8#~jO9srs%8#=EF}-SC$T7SnWUDZZ1v!HRXHv#p zrlm5U^qak$B}|~2qZ;?m%4qcbI^NeKexZY1XS|Ox`B$4+K+pz#_|B*uaU?sd{%o@s zcS1-ja6yfE7k1)9kUB<={R$e@DR>9ElW>;^OSQt777*+9t*u!AL<2u0S3v0u;(v>x98%z>Is{SYXsliqH12? 
zIm+=wducsAJlmX0OTDq(=;nlzJ%9|BrPt^V^svNAMUU8oBgoQs&3qf@S2-)c^) zDN=po4Ok3hm8QYrUQ&ncn~_hM-k)gH!&|{CESu zF4W9pf$BNxRD*?1!2ocp*klv;)iwSKXk86!EkqC>V>4@7vu>YuEG{N~rY=RcKHC01 ze6A>AVm#M2zU}0C(u37WUxqJThAXDB9k`OU$_B&tshmK&X#9(#d01rZ`maCEd%y*b8vN$)clI{M!-9pvhJg?|nXVL=#8jtxv3{qJx;?IRvg7F;CI9f%o+X z`q|3M!?2`&-^adCdNs7+8w<|z=`!m$*lTC8foGG<0KwLWTist%TkHKRu(E}R>9Jg8 zcQ4@LZybE ziRcpP9SL8ok)`X-75B?*RwCIF1`;(GgP z3F4yEeztcZ+3%1MMjo$>@uwS%s%S#-wk6g{n&)_UZ{FM>lMaQHmsZ8*SB*{2!=;v~ zJ!Zqt{317qe({{g!juX{An`9|?7QwC8UmJm1_vZfe2rGYiv?q`R+)q+);&ESVkCr7 zzHoo6#De(6+x)JFhHO!58usXaQ62uU=rE3W4>~I%*%xxQFyLAydG)&Ij(8i;{(G2N z`?iW`OSFa_BS<(_gQQ)}b6@M}>rStPMx7P+hJzIOf2%`pDlptdAQ-=o=U<739kI2N z=eh7Vh#_`&pq`u?2>sV4?j>J6hjmgcXJ##(_V(GscI7q#`;KR}-Pq-vif(TM`^z^e zj7avt(7bbAxND$B^70B> zkUJq&V1$UJo;$o=xj2SWGrRQI$N~_IHK2*y19x8Cekf$Dbe%ej6hc=t3ggm- z$nlLxtcT@2ijA}(1kfJ!&WXADDe2WY5o#=dZm{4>kj9(MpXWU;!vnV#=lh&iU)`87 zm#gu^3wr)$%t#2oO`{^2O~_MG{-Wp&)$?<1p?3;eSb%?QOL`8JwDD*!Vx-jhuzW(C zdb_v%wSmq^d*%5Ue#xHNF5O?CN6{)pQQ1L!!Jym-FDC%EU`7SKnM?(WD4GVgn)J7Z z>a8p-fX^=6ik6rEV4-bKv$}o6Q|y(~76!-Fgsb}CeB_QK!~V}Iu40E}W=wF&hrP(@ zIkkWG+&39*V5`~n;{b$r8Ty6vz8jP^>RIiLHtGJcx&|ELfX#Dq+Jy#?6P41hWMHC-$VjG=;Kwowm;8~BCTa6@SofBRK8ebU<3${n+b_Y^pOCjgn-ikz` zfKAf>%@TqzZRh5eK@Fp9Q?3&dVOjtw22mt-nlZPd<5zn=t5i3`+Oh z;-CtXc7{~y-_}KD1;D5+AvOC|GU-=Wik0lC5#bEw@24Af3FCNf{+j!LxOL=!@J^d) zU%px*Tkx+4)&v19*08*T1m_{D8#P23LaN&j_v*{%>Uo0V=kdF|PPZ;kn=yL5Hgg>| zmJ2Z{Au$4`L(L#J^&*A_75n5(s;qH>EeKKqH1u93!@`A+C}4+{euZ?cdt#(N=*Ozc z&^a0-HI@8GelAA1B#HzykZqX#SFcQIPVXGXO^AEgoW8#gw8jUE?Keu~E($|>w_Gpv zok-q*P0Fb3i4{q|Fx$Sl5{T!r2KS!H|HOst@hPsgfQp%FA`N;a-XUevKM=L+k zd-}vz;XTsEEB8;O>-3Cvxz-rTp)}<4VH5}@cCTW(5Z&!umps}xDZBc_EO;|~th)Pi zv_3j{pm5|t3TKpi=+?I3+ zB&B-&x9F@~h&~G)GalO;sfKMF^KSZUCDo5Z)MH5ka3^z(8lFDA7WP&X>lFa>od1b5 z7^Um-7gt$6;Cn{L{2RW{$11Y3Uc9-yBECBxN^X+9ac&%*baW&cBCM%;poE0WcuZx$GmZ)_;vJSWYMb?1L z;+gyOi9Zs2JE2NRx+FS8Ui6nRJFRP~T z_?|5*-X+Ye*to#NN-yrsHK9`pV4^!?d?V++3G{8q6wgGXdhHsGG4;2WVAxFY*s8Od 
z`BV$wWw(iV?zIP>%W`xxp@3etJ9#rEhffEqxNgfQYq~ZumDSu2#c+u98y#Lg>b_}t z{?i2zIiNTJ^o=1ntRuu|Hi!{LybW^_2;(sUv!(6}n4A&?ZaCbhL(c0n`fVR&qOlQ| z*lhkk_A=7MyCC~=P#VtP7Y{QIC6jA zF3dLeAHYkU%ICl9!%Xn@%0vAx+Jbj`$t)6rU#P!@dn5g%|AnD}DM?0963U>VO!LE8 z1oPV~dkhO%`N%zF#a`EuvV5lGmAb7}^T8H8jS>9*S%MbCPx{9>CE9a2GhPX`bPjXAz7G%O&L&E08(cNC82 z$Eg5hUzYr_?`*&~*QthYqs3jAOuA=hSHAMzc-$0?ORe-$Ma@7flW@G1Jxh44L0k&&VR%*GG`#!nMzLKBetPgc%+RN3;A|RF*Ng z56dAr)M>vgl>N&?4RGlsxJeSo8o_MS)kWHX-^J7yYKI`P5)0PSN}7 z#KG8?g3?SBwFZTt2%hnEl6jAq!RsnMct2MSRqjOMGBgt&oX02WBluSb)dGe8k-Z|W zI%ChbR#)a7z#1KwT^NRsfWfc%Z7>KNb=%ZB%>{JW;Ja4z3u$qFh7pcQ9vif8C|<`C zqS*JH1>j`BH0v{^b7U?)aR&IB_ZKNFAGy&fuJd+T=#amui)aZC*$*9aYzoRy^f^LTX$GSvR)Dt#8F)wMxY9AZiP&EGav5RdKLr4Rncxf z)%P-3%0-;Ee+nIu{p#de3!xLd?#@|6np}yU+N1qO@#4-w{|-fHz|qO)w~0Ozne9)CG; zYRdJ+#a@nk7gMBG?1hSHr5TOjIl0gJQ}@X2q}A(Dh6h%EA@RCgiR=;gRpY&tJt>ebPh{ZtmM~KimG&risZUw9%Csam>4TxVb6)_m!!SJ z82q&dQ8*`0=ssw+`#IqhfD9$~*s>qgEtLaPjWODErD)T+Jha`b&McG&#?#D#L}VW! z)vM(s7~Y195GH2^|7|*r#CM>tV;p_oa;?;N(5ioJ8kH47S2ZrV8Y2gfkKjmI06wiQm@Ojd$U;N2{aeciTPWiBRl}vQA%Vc|US5D+V4NlH)<7z4T zM1~eEGiY~fJY;?1OU(qjLt47L=EI6?F=)JqrBwuGv{Tv&PR!D3C%c)^U?n_ndTX7W zFIE|48yCtKU9$&EU986Av!dNF_S;3n1%%(#0^{mFn=&hK^CWck%%q|0-gC>^0OUYL zz~|l2%h0c8rZ|H3af9FC#P@fI9##V(A#@CExG1wx&*SR%rgEO4LZUS%^2kFzD-m#$ z#cwJ>Q7p;2kyF(%BxFR3997}{&_yFtOi^%`Qw7xG2|OnL>eG}!d7^C5MciITw>pFV zgu+|Ph)CjKt~%}=($J5*p_?)E6>g2BI`n4>9R#{}>+^ly&)i{u&nPOOlsK&oKIvuOgY1EtMlVd@?kg@Y ztpyH;nI7qpwFHWR$b`RvTZx1?CSl-a*GCJ6lA8-YHR10V*tPVXtIh4C?hJ<2R{z zFT*>?qOpQ0|0M7p!sSX!w@Vz%|KNcE$pPly7vTuG;h)4S*x=Gfy2DWFNxDbtvq;7q}>@?3A ziLj}yvM(p39@=i-pOe5S{}d_gc8cOEXe-rPI{$+UwJ-x@Y0@E%?PAvxk$Taa{6An%!|g)^V@oQJ^Hvnwv;_iXpm2 z-;DvifoOH+jdFYV7*q9Ml6vb6Bi&AHNlOI$4@&cX==>&}V-%86ZLijU6bZlD0b?so zHW0($)fxlDB89s3$)8>Q_)08V6VJ`7)S3Zao(_c*HzE%j zsSmDa$y?Qlc;+;}$@=R7uSc>H!$W{>smH!OfLnHC!eaw1%Y&vA!E5zt+X;bD00!nE zJ)I>|aL*P0XKI@528^2M7icP+`V)`ioyzSTX($eXDFY;j1DpFiMU>Sp$G$o?`OUkL zs$KM%e=GAF&zQ*8LTNTX>6Kfw!S69zwagw#-z_%s!1Klus`pB+-aGZM6?gJ7yHLWd;Z-_4?1xu2+1qm>ilszw_DV 
z#(yH?=^37Uk{3UwJMwI&a+_}`C8Q|Y_=Wt zuvU!!2hi&ohMvf3`%cqf7?R#$vcq1slf~#e(oiPDxc@I#WCazoyNeQa1)QaDVu$ez z#dZa@{+Ljn*i&}jb#<=@P-QeNi2vESc;2)PU-A)%5y9TJ~;gmv8@h8}>Xv zLjnkZ1!VHFlS7{D;5>YYTi+1Y09b!S9ygHWna#rY(lz^L70joJ?;8FHpmYVYux=bW zwj>69_Nw&Ik@y&PXAJV|GH`fe@0C7L^Gzd}J_@dtB%>xB6>-qReav&#%+{$OaBSs* zkTbpfTB(U)ij`KlXw~l)8rnoaTdlvmI7EbKx?Z!R?C~ON1h8S9fLk7`b7cUu91_dcqp(PD_g6HnrlDbJs4v< z*lBdA)W4ka&o!kV7nE=lf9!5J_6?m!^9dD795T?!K~ANv?rUcYmzb*NlPeW7sFqhw zyq2oIIkCsHpjzG`Z&E$cV@)YrEkSr++)5~X0|t*2oh^Qwben?;e|0MpRehEMp`;eC z>qW<&D7Hi3FEo{BVm7U0u&)+HQcTHAC-AzzW+*}mt4B3?=2>5M+CZs?B~;LQ5b^?? z7H&s@Sl2Jh-b}t#U^bTR6|=(JG6j2{*+09IeDq%(@-K;7HbK~gOJWCSfZby!W3osp zjPh8@y6%2{X9Bo`M%Oz15$x=sP5K{l z<>y$jOC$$DR@$D61zxoI(H#^ydFN|k6LY#L=M;+)u>Fep?)bsfT^{D1}D=8zlQ28ZzrDHPMQ zKlk$6n8X~VJyeY6Q^FCILgLS`eR6P@CCT`eeR7EiI1!Ulc@m!Xs8EGc4^lSHlBrys zht$=@<}Y?%n13;c8ib`ChT>MvY7AHimJIgq&K6ezjOpebGFfv z9I8NRX|CtnMmp~z20o@p+C>mT-K5Y}#_G9pt*3gQIVOsYX1G}}q*K=|gfIUTqej{U zt=%1N^zd}9EL|7Nj|Ks)=DMfQ8GjN?wvp_6FooFCHo7u#t(G)Sx?uOwW6 zdSfgRxo#TXau(E4AtG~;fs9xFS=t1SaM$fhMLkpXEzN4KbN79P2rfuia%>y?;>Y-o z`DPbLw{^pB*eY=Q9SU&mo9f_Lw)Q8<3dZkN-^-Gb? zJC>plo^RPJ_ZZ#l&*J);&LKHJr8D*mX5@|V^B*Vv;Fhew{)$2SIvo|6FC3dwBgyIs z9&a-N1i<%5pxQ8WeJNgYc^dO!3Na&}Hz;wKXJ9cy>K6U$rYO(z8;hdSUqO!QK_(p* zsB39}6> zA%+gDE;z&JrmwKfrDP+Y5(de2P(r0W7V=AuGi?7lAh1hR8T!z_Dbe#i`95(Uuu7|{ z=s3ar#*a+u69)n!0Fo3DRPoTe%7x0%QOyMGXm^$WwKqW^gn}Xo3<#k3X@|j4G#$Wv zT5%BeJ_09*Q^3sT7A|UF^0P{dGw7<~GMos^Zlah5Ns$Bur5R9dvXgx6(th!o-*TQ; zqNL)kuDa6ove|y)n^z>c(q;bU+p_bpb>s7bGlOAVAPgoV0473!1jZB9ed4J{Z=lgeZXm1o=xOQ#%*! 
z2gCJ)nZE&g(*Jp%A{fbgBvT6)^$*772UD^GeBSf(+9F7aM-)>#SG6C^*$+mt2XxUN z2{BLvDdCiSeDl2e2Qv>P@tEufQSnVg022ArY*;>}ZAtS7Q-bn?`GQyY78L+P78NMU zr*N+N`-71r|G~WD7677ujEnj)PVrdH{0EaH_k(%l7Wn#q;sB!3x3;#nGB%q{MJ9ux z(A0L9x3!hE^+iWVM>snROAH7DQm@C%!!V}tt8?{?iH@5B{k)jnqJ%yXLz=+j1~e1X1v;VhPymlr#RQ9CO;+x>E@j>w1)`4K6q!m*DxM(7|k@PQnmU5`!N0%c64|@G}~^tZM$vQ;()nC2+;h*nz3c` zDfZU-y4KFx8fW2;kzVrh2)r+vl`2#Z$%I&8#?=t{^q2qs{i~>~1ol7nd+qo{2;GV5 z`Lcw7qJDfXNAm<6mY0{G%*q4&-QC@f-60V0CO;2*u5K>>d73(loImr}!{qgwpPXP1|g zKCj;H2kmdZ)9u^Sc9f>=Hr#MyN<=iwYAqj(a8rBU^LS-mhyB?c^nLZFr2|?%;5ESD$`n4Tue+H@%gP-EN1E# zmXnfvMlH;Ydb%mOsRP-zhX?4M?eYG|g+sct3>c}^?O>7z!NFKn-}yM<5eR2I1~;Cp z`N=DHUH`8q?s29NI^;m0A0I&juvUnEG8*D1DDo|1+WH@O!W_>jT-cVU6{c1jjG6Jh z9v|J@Z?g?&E*w~TjvH!Ulm2n zCo=*)AC3)I>kToHblRLq^E{6;V-WAx3x&hY{G4V-r+O(n`b7048qBp@Y&X*G#yKS# z@JDc*VTa@K^P$8Wba7y%EYT-A58}9)K(R9wb~V``u>3FpgyA{lzlLA^?PA{E-=8kf zcRWvW$6qPu!?zKkI&;bZBD`pf(CC;(6bV17s9AHh zZU-B&4Qj_q=P@g$eY#Pezk&n1-DZS&zAxKD^2+?h34vhYk%1BKnNz@1s=a;%PxHv| zk^ALpB9v$>1|t!(##AOV`NQ{fWJ$&|&)Z?L$K#whGpK~J@RC9ZO%KeRzD%ffe5THAj9r|lHBWbP55@$#Y7YP3S1E>_Gt?YxFi zrTBmk!~EZc&4tO?hLVDn8XkUirmZMOyoCtKe^wO7^`}rOGx)wg%4mC0PaJ=pbkhto zU3a}~$EfpL&X*9s+mQ#3SzavH>=FzBk07MFVj2S`9y;x5wVN;RIalO)tZ0Fm;)3fFv<2%0&oqW;c!qbp=m->9KDuD0xRj~T7tp4 zY@zAv4h)0~&H2gY^L#?m^R(-($S=IlO4FGfy~FA};4Y39;2;{q@w_M&{QS~)esj;( z+dXH0J>@I31M%#8Zckye+kMt--@2aF6~Au~&DHr~pS&=*9;K@PS3i#Rd1kmL^e1VE zO;Cl+j!?0W3m{|!OEcz!o45Ie$$UU4NcP+G7`pt1zd38}@@$ zYcvosyZ80=Hg_mgM8~|AJp8bidG|AV_=hxCuAO#+(NNvd9r+Cc;~zZf$6_LU#V&O{ z&!fAavay0~yuI(K2O1h5B#Ko0qGi)cvO`_Qu-+ug2Yze0*R&uv5#r~CBFs%GBUpY* zuh~d)0LQE{Xnm^d3}m!{;eHZuyBmyP_AA2iU>FT2=N0#&yw@opgUuF8j$`@d_E9CjIL04b>U`*I%=#@um)TzsstrN6)=b zbQ>`wXZ~-Kn794@P#ApW82%#us1Q}^Ir)UXAJP(cb9Zk6c`Z5d{D(>*Co*qLiyBW4 z9-FIC8ZPTt{4y~n<27`W<19xuP_8ga@y!**Dw9Df=X z#D{21*CjS+QUO*p+jiI0{D(&hQDvV?TO7~^RHW1Cz{$-y4H!g*ZjnOy__tVEx~juZ z{?=V$b3U{6YNmCD$qFjFp<<3$aFDk??gfF=?qK^;(*=S72^U;yaaK#ny>>pl6tY^9II7)A`s z(K!b+Fgi!EKtv_WaZw)RzL4Fc+IgLH+THCByhK}^e^V)g(fm|Yq3h5Ix(*wcA1c|(JIR%EH1Y^3MEBZH 
z<*R0w5j3U<(c?BgMD;QoXIM(^&-Z^s!zv`7mQ;r3BahRB$S2YBxf_yU#8G%{z~pT+ zU3+Hm4iEkXL6kNEWg6x)T9ncjBXzrPFjS5VAAtkb>Sg{Tt=?9CWZS(|N*$9(0sD{C z4%x(}rKLUb&UC~04~zr(iYv@q9lSr|MNxs{!Vx$=bG}r?Oo+(`waOk%JyejQ z9eHKmaeC$K7trBfx^Ol_r_*}7tTaB?Mx;RXGY*x5MqYl>(i1N{Gv55*aYdt0(}4Y% zQkNyOqt#SON)xwOtT0`#iKa31O`kq-lpm zcx5AUU+Eovu+4^=y#9&@EMTYQ-@h)(h<24SNR9t<80N=eYTlV_xx(_@jaHA+cKe6* zv!#!{DB%gj!)O=E@8%Py-BVgQ`S3Afr4XsOhMS>hb&Enc9zoN?T&^p}T$W#>}1$Yp0CA zds+a`Y;^{I9bc1Cwr#Sft}9Wwqj*L0eUI>sy}iBNE*Nl$5D|Z@7BJAIZZ0h~tvc~6 zrqIh7EDaEK)tJd6gp1-1jlY3m$meIrO>TJgzHTEYKAn6vY(|2p`9y?!c*q=ceqJ*- z|HY#1cb)a__LZ}F^U3oz`SuK_XSU!#$U2R13l$g)|8VmGLz_C0WLa#|>yW}&R@~K< z>y3Vj7})!t>Jh$B>x21Cqk&)m0-mf%H#tYoroOFDQGE%2)DvL(*YedHUI6vt6G}@P zbEdH3p_Jx$apB+usBcW8Ilq6Z^fv~y*M;_u*8E}96x050e@h@|<@mb>n?BHlF7MyV z=@&=B3!`<41v$((rr}E~dwYC55#68Ua{`pXzHl5h*5%c!&+s z*O|_1jM2`@KUjAK#IqshW7`(PN#E>rLd*`nnU0;WYhlm`xV_b(HK%mnX@ARTc_f|f zK+9yDluJGkpL4I}OT8+AD@`kP7&JixshgZ;5M*fLT$<}@E`=9V<1LiP#P9sEy=J$U_ z-zk^4vsJ4l8*`D5Vj3WdsZ_?{#F+hSzRfwn>6272`(PQAT-cRr4*{JvquYG?w$5(0 zM#o)&N+d6zIYE`+A_PDPM&fiv`mtL!h0%g1*xdKPTYh!SzIr7Ab zRjzsBT6rP?cB8jEauc`hQd%2F5I6+j(SjlNDnfqvBL0@x_%dHs#I)IixgwotKzE1Y77RQ^X$qG zYX+U|Nzn(LNWF_DYPr!cyw@VG9j|H8|{o`n0_P?0MO;d@^;OfJO1#Xhkapjy#i z>@R?RSR20{4h4qDO8~Ijyf-#B;&sf4e!Zk+VbK4un#Wqz<#KaVlg$H}Kvi`Us@77OfyJsH7aK17ekVT~OMO&uB{k@G0 z#jff6si-&ZNL+lGpZDoKlP1V_XAzX;Usp>Lfx%}5pR1%)6t9OP3Yhs$9FSPX&;MFl z5a`OTxWvK6f8+pty3S;+wWa0SwdXcu6kq80@DZn_B*HcxY|Skx1+-QnDI&#dOoy|y z$aRcrwYlBH6~5P@;YJr?x)D72V~fqsXzJ<6B?8s()X#O*qm-rVhke6OJO^q{o%ffZ z8QB5P>A<6?V~7x;G5B5$ZT)t2hEzwG<~es!u6N$rb;D^B`8Xzde(z_(9pa241Fbx~ ze%R4B^s!AT-RRzQ12nMuiUpW%oL`R%2sOYa?7Dl0j3>wxpKQbV-^l4(gFpL_@?)yq zXZRcw{@31{heP?k|HJnfOj#p^Y?bU~O?IP@Buhz_Y(-SolASRU5>d&LZKR^emVKR( z}nx$3$u(!_@z_Njb&*cMdQ4&K^o7NbcDkBvUk3eurH3+@bU3P3E#K2T=$!qY<6sS zi8<#(rgZtOnW>x#^!r=j=6Ov96dE$+R%r2Cbl%jL7NusCOUH( zYx7J6qHC3c7r1mCDV-hFSmEZorkEiKuuqn$!7lyp)Pc;38aD%`ZUIGJ40jEx&VB2! 
zS~7NVY;!?LE($no&BdVj)HrnikhgrCHEg%deO^6c9RofXD4Ec@L_ghRZP;`~>GSWc zgX-IUGotdp#)%s`0sAxHz~4Pq4!SroXAS7R7_o!HaV+WK+GbAEvWllr{hOz<+z5xC zV6Pq!yN=-I;|bYEh=OcQ92+d*{ZoaXLJpHs@^`{HTi731R{lbN-r{NTw>hFxK>X1@ zu8pj@v!rkKF8T>cIC%TdYc4^+!0apTHLa_yUE0vEeCIrf|9g9j$rBI=5!5+Se5gt2 zBS&IfHl?SR>dxGXFHk59aYes8l3;Xq=u8me!46a9mjTh5kN7B@5$Y>#5Y`f_r{TZU z-oD;Esp~tTws9SUEHj4Eq<@Qoe*ay<94j~Ks4m?uSRF@`gN5z3GOyJzVBNHp6^~n!Kjf+ z2KW1mIK}W^5#NQbav5SE(#5N@Z_N5V*c^yFZst>8Gpo z#V@e=YQMF4C?7-3J|DT-HEAyt-JUm(ojN|K!kIH5x(^mkhkq2tBwuxM;)^J-_Zh`| zpMC6O)^3lPXm4-tHKQib@n~2NAw{PE; z!(AWu7D-9x9q=hN!CsfQvv~>vvg!Rt+qdl9qJu*fGkP8xj`mg3O#COeOokcGgIb?y zwG9p4p?RZ6*kGW1fM6e~yS}WL8!~*ZU9(I&f-T%aY4PzS$@0?Q6JRgfl4>Mc>3_f^UhpauFYh+dM;=g|s}bwA1(sbI=NzV#Aw`%;Kv9)>l6vmaylv6`i7=3t?{)$3it zZu&Qu#;Uboo9u1T6=KE#7@wKO>>h_@ui50A&L485n9IM2{Nmb_RIz~8JEnCTF1yK@ zfIoL)TpL+&2_CkSdvocXRCs|_@)0sB4NIK`&k@4~H zpO#uvpN4IM9~!xXrDIzza4Z~Q81(b8R>j@ww%fMBVDIg-47Qj1?d)ANr>U(60ny4+*kQGFSKw6m&h8vI z9<)VJo+GB~(SZ=DDSwZ?>yX>cfPfhEguru`SY@Huqkv6IX1B8}aS5N#=pOz4-FZHI zTJN!1zYt1UqR)okV<+TQ`t3hK&!ewtCyLdo+9pn%SX2Eh&Q3YmsSD8eMtyyKh}rnr z;e2sm^}ojG4+}1B0yg_i0nufTyL>!GAuoj*)QeQ^EAA_Zoe~e}HC_4i7w|W6D%ZET zyDw6t$iII#-I}QP+n5A}ft?0Efj#kHPlfvYudLyjJ9x9v;o;~{BGl7(s%%Y0NawzV zwKQ=Z^^xt#v!?kU2M!o3tWTnzUbVREcx$GU3{iq0<`$)sAGrf~o1V_J9-F=8_C*+* z&I$j9`g%U{%8KEH2o(m{jD%hls$PW#-qNJ;EPs}-O)IuhEPh;DC}LrHsD?NVYY)YT z?Q%oyfGh0+ERDUeebInmY!Az`W_lmD@BslMI5gB+^Rw!A>K#0_7}hsOQ(uivh-ehj z=rrtEjCqr!@Mluoi@MM+T1~XD2mO%DrTpLb=)zEYO$?JE*G?a<{5AnB=qd0wX7{K1 z&$9^Ye2v*g4Td?c>?8n`ZBa(j$5U*%8O3>O$EF&79vF9sX4wr z<%M_14xe|Hp(jGC4ZU)K*E6q)M{H)A^GSdHjX75`)Nn62cUu9#9Hq|w2@`dcU<=8`QyY#Q|M2IW zb??+fmc=pE%bibn<-C3m2Gwkc2NYCCM3A>(OY9UQP#b9g9CrOVN1dlR7c(}_7!_4s zeI?JyFUS{P(|GSbF}ww)y2|JRJL9gH(Ognq?)UDDw&~O*U4^4SUmxPS zYn{j+dX>e7zkXH4Q(NszF1<@nQ5yn;#vb?AYQ@SLuqV-5@Hfg`gNw$;WzmVaSv`+pBU#RM% zNX;`0DEghuw^C_Z|KX$M^PAn9Y^`}=R$>Z%TCkD!%_5hR_t42x8Rsp*gH8u@?hg?S zB~a&EN5nn7x5Hi65%H_(eu19U6FrqDNN8;BZan5_0ke8$g3A3M^V{caD?GJc%wq)Z 
z&|AfeCc@sY{Qm6-%0X`Jvk77%-v$rqoSwd*sAt2rMuT_dj(u#iP-&~J29CnP&+o*L zp&3lO82qPR&FhhxSCnGLp@5Xx^pE@S)I-`@`#4X`L=qRP^X|=aUlLl+0QMpSEgIk_ zKJOdoh(m0wdV6^Mlq^r)pK#-{nFCPpYfr7h420dH?o54sX}riP|7oFqua2%vwKTi~ z^+X3SeXdoBT;To2;$p97YF>f}E<80`;k$dvY@rP~T(Yw4=VV9;P3wPp0brE?FMSs2 z)M5YZEfPR1%`kvS)#Q_(eL*Ghm0E%ngDJ~kr`!c$hJZBENmStR?G_+g~LKA6BiAl!~FA7%p;^S!L9`jhHmJJ#QykQODukA1Q1 ztQ!13V}DBbJVdifbo}54XaoSi?)UT!wqrF49HTcQ{_Phy4SwCLUf-<9nocl!3a%#O z-hQufc3M+y`9aPJwwFMy5>uTITuDGZe(y3fPJj9s&78kn)P(ZvG4dvm#OoWj{RujyU10ZMr$I$!#O{9&i^bi8&Q_&|n6b z^xM5^$3Ow~<=}VEaF%TU#eKhdHcil|GoTQ$o&7s)*&Hj9yV1OB0UaTXB*=zY%yvYf=)tXkbCI# z#*P723%UZGgNv}aUzb|;h%V#&igM9~fOIh2(3^|kf$^gmzK{jCGZuj(LQ%p-)&m2e%5g)F4An!W6W^Nomk=W!ghg9m4BdkSnG47ANJc3IX)g2<@IJFvJ{F z=B&a==^OrRxb-%MK|i`}%k8d<26cM3l6jUvWj<5@OqW1{$Jjg^a)RaY5?<;LmY|XO z_5(!NBo9FyV*ZKQs1xUBo`vi;u`$Bv0NAD)ItIeY?RkWH88=&i-MsdC|1L&9Kp8Cq zweu0gOdskX4)Gnv!m9S+q*3SI?Ge|FXW1kFb&yogB+go`#&4ZriYNGr+^=2@Tl|gT zB7AARdkD4z!=0U3^v+H!3TUGTY*S%71@|Mfq!j6RLleyOjub2f9;k~J4*K&e4;KlW zoMon7N1Z??ZttTu(Ba=!p;PcpA++1J^-;ApOs7x12~vNg^j#6VpbA|YYTb{+N8z*P z%++=jp@iG=2|Oh`2aU`m>Fp+%l1slt7p_g_7w9n!dW7xy1ZQZSXT-&2AyA?0D11^v z-U?zTBLXv381X9)BA`m@qT-dl@pg+{9rnyGOyW*w?}4`A()X%Ks0`7QI#cHFNwy?I zJ_2*AIym9{Sz;JIWiY15XiRovgk(We__hJlK8O=%{zezY)FS^;t&fRw%g!Hb!}0eE z2}X-4)8!#UUZJ3>Xt#Cav-+55=gIE)yqZl_^x|%i;T}R{*X8G*fNmpHgEtyKTY05!#OFw=%U%9Gi*&$sHe{0VL*Bl-mZ;YJ-x*hEqMgVd>nTr1 zaiQ#_ptGuk$NX!5@e($RBsaWP zO%A~njj3uD% z&raH1dB`p(P4_%M=qVpRcUFbD4HYcIPnqsYL+vC?kRB8* z3rDq+i1zs^bfG}K(|xgT8&V`QJ81)DK|gx-x_I&a9YONlr~L__imkGvm0AOAFI>9Se z!R4m~qeqVytqYkSep(bT{#DPgdm}{j?D#bQ$%twF_uYP`$PM)bTNK$F`~Hhk+R=eG zV!qlXPfGCbkK`_Qnme>V7@p{W^;*$CsPyT7P)Ysk9m6NmC(;w(5i|Nb5`#8zYdCXZ z?=dHu$88PG2@VjDgx?pQdVbod$c^))%TcxnY5NT$XOO%6yscBG=LCSptNF?wy|Tc^ zh~+C^VD;A&^-B>4ENDM{4eAVZfdeCrl`XI$F8>~kvK6abc->NJBNYtrKV64B1P0t} zEE|D=*vT*QlIz?tFyLsvD{p=#$v*DDa3Te))#+VvND1ImH-QwzV|Rc9NYV(eyXR2k zb|UjK@*}Grn$>W-OaxrnWm8)C-?qBp?~X|*O-I}4y=fqt{>Oli(GPUJ`zUA(vQ-gV z`>SR$^kJ`yf8|&iRG@ZQ<|9`BjQBgQ3+yZ*`kWu+b%K9E 
z-^J;RH~!O|cGphi2$1dp#jZ{a?1cZ=>GC~^M#oK%;zFe|P3%HL))mXc)YyG{j<;$& zIs4m5fCL^YHs-9ZF}o`ZPP82TA8;U{2Il$1Y4dj;M3*cJt5KO;AmjLY+8weCUF}ps zj^uwA`fCK>5aNvWsB9J(&{Urmjt2v@3Uj0czzik?yJaJAw}|sLqjKqBz>AQ|`>qzW zGTg&IXV`&=0!H>38HW!KRmyX$4 zeE@5v-ykdgDL27BN_kiD;2a?Bj{4f!nS(32zKXNEA3_U5_h`1RaWTqT>JG5O`JoIE z=oNGi?(kw`Dh%r9K)J;#zkPTK$Ydc?OqBr7tP*|13+}*0(1Z^DwVmFA7^6sULv#ss zAVvx;MO)johN>#kVYJJIQ;OFiATk_XV(|)KER{IJwmT7juI~DHvpMh)E<@Jq7bP2H zx0TTw+eGKR1bQoVW-mdQK}K;A+H}~MnvfYhEQ|TT=HJL@LFzmPZ9_})vxoAX0CaO} zFulMMN>$ugTMAO2Sk4C_QqUB0zvUn<5$dCMZJR)mK|cav=m2Qb8WIP{I||LL@#f@J-<*blNIM#`UcUw)DEL z2caU5!uR1qATp=wcYcm3Zh{7?@u6ikfDVe&oCG2?@Hals8cGlPsMpjmv$uU?AT}Oh z5Iz8Fo$NK}p)*IM9)xjW4pwkb0tKwOSFy`VU*X~O1L(I$iw-{t8!T}^iQ|~mng9`h zQC@=S%%QyOU6a_oqs|@&r0F3aM!B>rOB!~~p&*#=DtB!Wp88@hO%8g@(9t4x(YU8n z^8z*l2b?<)u&By3y)sVREvS7Nc|sMQw7;*-K*8irx~^l%fAIP4{&TNML%q@5Xt5}j z0;Fg~_5LCr@G56AK^G~0My0LcULS~Gvqwg#dJvu-GJ9;<0g6Eou-p#~<*wr4foV*k zkE;7Q#;txGR98V%r?G9;GUxT69XF{B7$#7A-)d5V-!+#Qvi16U%=WQOo+Q-$$5P}9 zIV;+W(?MG32KZ*S%6i)yLye~3g|%HnRMSGr20FTb&&uUSQj z^id%Rj0@f777NBIZ0ePJBlj8FRxFYcp+t_2%T$@VRTOS6>hV3)F!UGDI%* z2uBxeM8p`PnK6mXUmdXfaFI6p#LmY8iUvxOB(02uuk4O#|C zwzr@rNfkE46V}(S94I7Bk9Lvr8K~KznLpCea9jH29Z-P$InVQD@>y1}hbbn#qHh#$ zaAmuRmQt=^g~3SSW9Jl@@8a(KJyT?Thbe{pWK5olpr5)ywZd9%sYD!5=aYN2WkPX` zc{b*Cxa-H0izi)+q&R|y9go2@M4%cI1}{baf{s}L=rldqx3U>^D!Hq-UqDI3@uI^;uaP(h#+8u;ywas#!c#$nDDlO(RmDM_=53q4y#} z5Di!y?yJJ{t$CU-T#n$mp!VzD0==fsZ9LVjGe~knD{6o0nhqK1vG6NT*ab_^;=?n? z|MKJE>eul}rUe$(o40WuiWokSc}h>pc(kUhMecMC9$~8x_$O?;&qOqHNWIs8OCb>z^K=^>?#H6vzAZe=Q3qpLRu6zrN=>$4XSa*R(^le=cXO zee2&BzICUz=7%^ZaLgjl?aVm#2rVx+K$60%-;S^ywfV0T+9Q;*Ol)we-pO{b?N4Dv zCf)VYCQr8Ai0!pC3$Ie{XJtfVh9}&hu)aaS zq#XTk2K1+;z7TI-Pp>)|AHBpALjZgN79mDT^JC!_2>Xoxq#82}Ko z;ahYtiIv&^hxfJX02%yIf+UbV^3=uTf3tg4aDTY3rS2?xAP_)?8H3!nrmSK6Sir*l zrd<__B4{)NPO!l8`%%`gJ^zXJFNO2iY;vihZ0_Qavi((Y2ab@=AC{*11r@- z;7&tR3?~0;Uzc2WuuPa3=FIdSG#gS3x447XccbX+BRxdMN{2r2o58xtZTc zmoa6_{}F^C{`8O=i$xoT2XVR3jx>4*^fP~`dwX(p&(|Thy@YOvfxsn$q*Ap)^YZc? 
z5Q1kcTWG_jy3kM94lg;imly zspl{S%pZFQ+YpM~{Qwlf&^0NvW{Em=*f=_k@e`V!>t4LL2=h3EUggE9_2bMt(XSA& z{fA;t*BKd~hwX;F5Y^7+)Qv#*yWoE8;+{?6f+Eq65$MPHM%}Y8^c_YCY)20r3G==9 zkDUJqUqc&!T;W+)#iE0)dfMSQIanTa*t8n+jlEBbv-K7arMMbL^NLu%yWGpMycRsc zC!$|oPIe~Il0)!FDEH1on%}KciNwEi>%+;@# z)bszFAHfil8eHJj!o9E6g0eKD|+ zx4mVL!6y18U!v$ZT6AF9aVCtp?9(`o{jvO(Un17)xPG+wbwN&Mt1}}UlXa4fLA;bv z7bE*CTcV>(z>>m_+eUap6c5+eU=lbVg0cZIUPu~JRfv2XhB~~B?rf^fr>}`O^b1EV zu5XC!+))bbRU~wjC(1^K!W;MF>|yV(cv(|I9@_E>Mu(Pn?QCm7jeNMI=NsY1vAy09 zS)8BeMouc90Q5EE)aFnKA>jay+#oK<=!g6viVHL$v(sz`fOdQC#u;ApEy$le&`{3L zo1fEAPonXrpz4MDcK5iMyo7<=(I;KAaRx{9#pi>5n78XcALq zwc?faZ8ebWg^zE&$g6GpB|>0Y+Meq+2x=NC8jy@*PV9*a7p?NNE_Uf#-a3NjfJT(s z$*JW>sM?oI%l^0LK@nl!#qY2EKLiLSwd<{yWZ_M}4{%a6lnYL^3pfNG zrzG8qSnZL}=z1lSTrU=NTa7}@Pi)v?o2laL? z&g|udK5vE(6IGR{5yUIQ2X+CX?8~x}bVWp=bgSI!TX)XmEU$}V$2}=8x^Qbt_j_p@OgCii6B-bSh?VMz^W=mnw5%%wl-+5rL-dAQ#APuUm_tM<2Vq+haJ zvPePMt#(ly|JbnwVvyj*cY*(25O^y=%iylO8|E>y7%PdlSpAdabd`ni&wmqlaGX3A zfA#S6z;&;aaHJlu_ML2#7o3cgRuC?zTbH6k+yKn573#YwdR`iiuD^Hdt`l6a1hc9Bsd3FN* zLTXm+c@c(M`Eh506Y*;%m=}6N(F=bT|GQ8LNu!wg_*ewJcO$2-=gCF@tYDg#r;H<& zYMQ$Z+0qmy?G3pn=|`*ZGy8VRf@1Og+Q%nj#%@y<%$lnAsJ;_uj5tWCeibX>Vzj7E zm?*0$U|j8HYv@N5^E@N9P~{3UAArX z(u$UH%Hk#a8n{yiOmRgLxL>mFeu$b}G%|1R_fgL-J$u?#*@hK+MK1jKG>0=)pHd>> z=yB{a?S<%BYi84&zj?mhW0s~kXbu)xYrKB^#dmG@X~~D#EU^VBpfB8dR#@yq^26n2 zPN!53#tp|14T`BZtYq_D`4w7IN*BQi9dIh~Ikw^0&`=f-e?!vI zf>nu&G3^rEH8jEM`BC1L#F8uFu1H0(UT;47hc?`sq1c%G(AOo%mjc;Z>|s%Ifxa45 zEnz>qrUr|dz0kf8}P zS4E`OfZtae>N~`f@)myT9-EIYy7&+wQVuSBLH`o1((qu|Eo4=oPT*P~p|>VhsuHo{ zaAGi&SZ{Cf5zsFDxnbnLGETIOP;crY($2$BY;w<$&~ zQZmigOcu-hxEIH71(TdkxUkM=u)COwDAt1W`*9TWvAJppzPM+V)Gm8>YO97HDxoD%}>hcc(%dvak&<>scO^VT9YC-&EoeCW`N2v)*;*nT*cY9Y(hh$2LB!XaT}yS zl8c|dAG1b+GHUZH!QG;Z9H=4_WZnkk6)2lk`mly zA8W-bpQmk03r%luksoyHs%a{;ri<7LPhCtx4ZdYVUM!N*p8I77YHtPo+l$pESmc@6 zXq7?!wBYNvpONG~e>V-iT;z7L6lV=WXsUMj0gxzoQyG9CBB$Ae%~;SnJ@T`20Oh9^ zJSdSt5`L^m*)Kznm9}!__?Jn-f;Uh8T^(qvgIuvJpcgN=+yl&>=_{@slOz=3VY+>+ 
z2{QZ?xw2bum$4@v>?U9Xlir!LIKclE^Z&A&)dIVzl5vR*FzmFDq`19L4w5HqTie~U zjpzxs-zrDu+gWp(bXSbYJQ(>`f-}niK3O*{5q7c8bJ~V5kRH1~5mrDfpn%tcnl&at zCkQ#!@A?tC!DoVsUMy7@CdS_gS1HXrS&W__!pQ~D$^_ox6BjXjk^`+=EpWoWe+^O%-8t#>KP^@XB<~j z0`FX$Tw9l+U!0Lx8CC&yE<2FSNL7wgDuA`OeU`XcQTuCH8ZDL2CjQgmp;-~RM`F%O z4_NNl$6KH!%l$8k(1(N;HDk9QwIqn8bNYQVI-d#ZV{O)dCHN#z_f>iuzxZ)i`S_c!Ks?QKrevu%1kFh&f2tF>W9H{kT!D zZ&LeW$obpbtQbCRZjJQgVXT@Hu(gd&gP}c>M{qyA;g*_%+*tkHqW;Wmpgt?vKg{LMpq;NB42Yoi~64r#K^1@KOLO3GrlluHDpzZBO(k>Z_8w1DUi!ccPZ zZLC$#5lXu`Zo}Q4p zIj>|>ekic~PK>6G9Nl_JHEc*4=N}(JuW{)hHw`e%(lSX|9M-}dfcuaV`SFZ9#EOQc zq;!m4fw?$oV?90A?rWv6p`tl$q-K+y)@Z%zE_QCmfUdM!B{4n^_}=th^)IipT{)p% z#Mii?iTf@6iV9R}-l;O8GM&`oaka#R*}cePSSKRuWCxzs;-P-Y232o5xLzFVrk#!g3 zLOV;fH`nnQB}n)ES6pB$JpShaiL7%oaN1-1F}{x1|Av36g5~($DIMd^4R8w?)z>sL zj)FVQv3ke|&=Pgtv3IXKqj#W1BVmM%+Y6S32W1kTQZ7YMKfwClJAeh>#ANnekJGyX z-;Pk6#(p}O%@#N!Pq44#IArYlz_I{!J)p%^PZ`)o!9!=-=#o|#em@Qq(g=U!{evi(-VCmtz2)hapW_qf{Z<;?%W=NFrw$}jC3K|jE)Na~@2hs#?KQ>mtk zbZ6(~XC<+6A`b2robCtxUt8CNV&6%|F7Hrl5tSw0MlT6XMci ztB;h|fWSBTy1LA$pj}Tk`2ua~bYbS@9I$KOOn$l*0Exr^M*P1<`85C>gRSL@$two? 
znn`5xDTg|KfDOM6zN!oP*r=IZ(;2)jcap7}kMrzzL~a+zp*u@gOO3%=>s)rU(0igg zUK*6nI-FbRjg1aVB_t3n_C=1R0(yTl@W9Th0@>p3)9nB#q<^kp13M|pZAohx;>1p~ z*B&1Zd3Z4==DKuX*9AhSZEQzfN7#iH~bSu1J|6mbeQYwCB@rK@*)0tpE^I2{jAg>FN9Txl>t z`p&hD3g?hirf&oe2jL8IC;uHc_w_vq`&T{*b%`8XwS5Ah-bS!nb9?{}fsPiz5q2;= zXI2S0^~4z;Ks}uNUiuH{x(Ov-2|Q0L(S#ZQL7zE|@CsSc4f~b(NO}?d>QLS z>IZ|w84iN~rJ>x|)0*+TINIRfeB656iirF};I!ikOVzhQ-%u!#0Vcu*9}WEcb}89p z%gp}J=9CxVn>Sxf&@4M)s2louh#Nk27YbW^g>yx^JiN|qvxmv?oQPsDBni#)IO~xX zkHW)FM+f=um-aj-b^nwE^N|hnuWrM5IWnPz1SMu0tdWFI>_FX9q`Vo&y>@jy`D5&s z>SFtng}Z)Z`gby(-Ae3Y7+a8AL&qBn^n`tPXV`rGr6M7oO6xpLDfQ$!2hcFJmnLpS;LwPRMQ(RqSF6|nf3jDG zo|NhCj!n$qW%WRa|^Lth@KmnD^gWPYJ(&D z{pt+oDT9M7y#@g{(}Mpzgnk)pl#jS4TKGzAY?9;sGL%XFqU_mi?&Ec2b!e&=kaSXG zQjaT?!Fej!dtRqqW}lO0!qqACi<7wRj46X`&Xp;4=MS5dP+?1UVXyzIhQ>vbg-xpRe z1@~Rn&1>`Y$s#2N%)B0z2hWiY>^olk#Q_SNXzq*PjnQBzIYc}`%Wt2m_f4|O)!=nc z1lQu~U76X@G|scb!l#Tvbz26Q+}oWRHpYtEAIENW*7!`>QWC#rND&4zPKDi;Q@>TQ z;rGSg$-_-Ioy5PdLRsYnxHlGTCICb`Vu9c;eh)qcuEn)U__btlt1kX*3#>kWn)%HD zhu4BOeAzRX`x8=X2|u8YKWonbPj2z?0O<>>NPJK^Z9T7~|j2F>Dd*b}VfF0k7G>-+Ll9r5mf9AKu4A_TE`M zf5m0L&2G=o{{dn4<&dzG*S@xkZ>9 z6)%$vTP_4Ju_LeHQHlrF7RL+Pk{_~WyT3*zgc8Iu{vwH zkJtdRj`ro!zvqF4Wb)e4{2CM(QP&;?j9+P~!8as}4l10beDOBR>cEz>`8zu@EY;s1 z91E;4!A9M0{_qW?cp0)zsPLx`QCt1x45fxp(aBc9#*px>==mH2y&2^}6-;5pdsaKd zo1{$O+Obg~vCaT~faZb6*`Vfe9scXGR5PjMaR>J{8cAlamxOkfeWs3Fip>N>K%NfQ z&4ueo8OeB)7={fY_*J9|sVf>+sU_v=ajpQB^ffqw07QtDR&Ks;V~Uv&VBC}lT;v|_ z8hYfyY$Hu;2hLG+2{l7Cn7h;U{ld}8+Vn5Ca36n0k|!&*U{VoWB#N0$QafDheoi3h zb!gYqGPzlV|1yE8M6_>;Q|1_d@^R72dkDo%0LCO^TKn51xRMOr{xpZXlC60|vAz_3 zYp>C-#3R6>_%EFJ@~{5MJ&>iVgdVCz^6zXXuiR_@cH&y*Kw=4-8!|SM?YZQSYms2n z>L2w4#R4LZL&v7M<|6T4xpU`+w2qyAw}5a>vsIbiWX zo}L^k>ikzc5HB05>-IY{Pff7V&(I#=4q~hGIvg5>g;jiOwR4RE<}+1oce4Ohmu#5z z3G1#;*|qKAU;c-s!^S7xvAR!gg!8>VnZz(6%{%wLd4`PU3GBZ!AGrmZ3q*~(v{~hy zRP#K+U60%*t{ddYUn|;s-uF1ZOczVC_66Vk@_lXf$$8=0YDFiRjZ!;q{J}y@SU3Aj zkLB6=dl~+P3YK7((J{xR3$VUv9Th9S`H_5HT3*;7%k>#>gvqs|lyT9vhTpU0M!lB` 
zHS!I-19<~yUL@j)RxY-=iZvVlYM!<0R%*|m1*d}e7O5vg4=rHN(`>GK82Tm_q%O*i zQ6kf(`)iaOQUi|j-0OuAf@9d%>F-kFZlf^;TzyhkHlvF5U2BdjHNTOZJUoxIVjqyS zZ7yL>%kfD5$Si*dy0IS23RMzeRENTsM$I1f)*%LrWJZ*TWavx!H(&Qlw%61qSdq%my@6~x z1ZV8Nz}=GO!r-&Im0j2-+nevfFFM3f6y5zrukLGK7KoeiRcITyUa5UUn=;&ld+|z! z-laYio&h>&Dv#r1pUV#7Uux|eEU9AboOJIg{1$IlgnV+ za#`%FLo#$OKq(*KO)aKXOY=BmK1Is#9WTrM%eDC9b8wS$6q&#Dw5y z13qg(Lpd+z97W`VwuP6qTm55r(dh|r2aTNmZ> zt&f!ytN4_{>v>=&L%UA`h5j)Y{EC%d*Cd>y)z#kR2zak3e;(+!fbss_W4=Xq`wkO& zyE7z50dN|Sdf+6;1I$C!xmQ8+jp&!zrgoevY79b3QPk5Qm66xn?5>;JWX`++DgaJo6enh)E zB5e8X+(%2eX_3}l#Q7?E1>liAY=Nt+Zw$`p2-5N4vTHWC<%9`efV_A>i&{>3j}n** zt8H~HPiBxm?(WAwPf9SVal(TxpcnSZ8C}yNDM8XPJLy5|XLZSoW&iJyB)L9<={@@* zH}=<0te%n**>%l_0srN>JVyuOrrL^ln}b-IR|R6}UX3t;DZqch6kdaFoFlPTmox=; zk2$t9g7bxwe+qqe6x>ynmwV5bg!;(iY7z?gFC(tsLP@A|h3S_cn;^|clq)I)cjvU@ z?_`=Fd3yGi85jMZV$L5ZV%7|y_b0|v7rf3zU)DUbUz>O>4pA>zdb!Lup>L*(g&7>; ziCP?tc;Y}YI(4(hQ_)(r- z1KZ(3Yqi4~!<7REJppn0R(5l4K9W~Cf^D<6!gyah55Wv7uvX3d6zWn$9yp=O0U?=i z_md6umMG4^;p4z~WFOgEpc=*jZxBn|ki5Oo4V&b5ztI{|G;#$r}3wUwEa2Y2;2@; z9>y2!ao0y%!!{2q=>m5)WE*>{e{DUE-RyJ_i0;O+KugqxpTypR)vvlYt7%l zo5b@_8Z^f4Zd~`*aaZAg=r!{WsoCzoOg>0%>bCbuxL-{yw;W6p$X%ol&c zHyPaSc-9BfJd&Mo1?q(;4MHf1z5hBFN+-m#VXS{)s+AL0>%gQGoJw+luj zIbBkW&3EC{s$_3pJzDkCec|@XX0PxE2IOu4c`Zw!T*|(4-9s$_4>F}T>kb*esMw26 zZx)8aq|ga>cyZn(a4DqIHObJvc~=WQng~c*zc%xPDdy&4){S*%*sH{G2ceWTse#GR zO0nA)all{0;L0yI&q6|sr=WhSa@&Q?-Oz0$M@wjP=N{pH63)Gu2~HtNgnn+u{CH|P zxHBwUD7P))u`$C&kw-snPsEDh3_C28SvaV^60W)j>eNpmYec8_sz;#AOK z&;+s9DS(5*X9)XlvzZ9bx&WV6lN5QEA{qK#_@aew1kXV~MEg1$WuhO)c%MA;J24oQ zxqsx^af~YpfnIr-Q+8W|)!TsEqhnb$ZRi1BN)w&Ia1xx6G02*)YwtU7rs?PnOEyrz zxox{fpHlarlmpuyo(eCBUcoMuK@8V@I;Pj(}wZbFV?f3D~9nH46p<^MHkX|G4N%2T5v3*@s4Krgd5my9HDJ(2 zcS!`!^m}$9c$M&efI*a4_vkObbM--O0C2S&EP67OUeX;9k14|QGyM#hKX+hgI1IDz z-eoPA)#$glm>+JkFA5AgwZ$RQFtt;-YLo2TVee4VOinI}lp9nzWJi)yKblTnrOuxK zN9{yzGS^SI8gi&sGDVQfh}bzbImB~# z!y_IuV@n7}oq(*ksGXf$ZR|6CxmQ<-)+l+#jty?>CB>GqRSjori$HA#@CoTB5_>vB 
zCq|yuS`|s{4YB+8RjfhQYn+`fb^o5>dJOo3r|$M|{_Wi21rP1yq+J=SbIXLqCI9aw z|GQ&{+5T5y{{L++1Yqx%S`@+g%d95Md>j+e`#>2cuTdHgfq&+vRwfl^-0%NCj34~m diff --git a/templates/NOTES.txt b/templates/NOTES.txt new file mode 100644 index 00000000..35dcb644 --- /dev/null +++ b/templates/NOTES.txt @@ -0,0 +1,5 @@ +WSO2 Identity server {{ .Chart.AppVersion }} + +Console: https://{{ .Values.deployment.ingress.hostName }}/console +My account: https://{{ .Values.deployment.ingress.hostName }}/myaccount +Carbon console: https://{{ .Values.deployment.ingress.hostName }}/carbon \ No newline at end of file diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl new file mode 100644 index 00000000..82221d2b --- /dev/null +++ b/templates/_helpers.tpl 
@@ -0,0 +1,69 @@
+{{/*
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+*/}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "..name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "..fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "..chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "..labels" -}}
+helm.sh/chart: {{ include "..chart" . }}
+{{ include "..selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "..selectorLabels" -}}
+app.kubernetes.io/name: {{ include "..name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/templates/cm-deployment-toml.yaml b/templates/cm-deployment-toml.yaml
new file mode 100644
index 00000000..4e390376
--- /dev/null
+++ b/templates/cm-deployment-toml.yaml
@@ -0,0 +1,23 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.configMap }}
+kind: ConfigMap
+metadata:
+ name: {{ template "..fullname" . }}-deployment-toml
+ namespace : {{ .Release.Namespace }}
+data:
+ deployment.toml: {{ tpl (.Files.Get "confs/deployment.toml") . | quote }}
diff --git a/templates/cm-entrypoint.yaml b/templates/cm-entrypoint.yaml
new file mode 100644
index 00000000..7df4e735
--- /dev/null
+++ b/templates/cm-entrypoint.yaml
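Review bot: The named templates keep the unfilled `helm create` scaffold prefix (`..name`, `..fullname`, `..chart`, `..labels`, `..selectorLabels`), and Helm named templates are global across a release, so any dependency chart that left the same placeholder unfilled will silently override these or be overridden by them (whichever is loaded last wins), and `..fullname` is what names the ConfigMaps in this same patch. A chart-qualified prefix, e.g. `{{- define "wso2is.fullname" -}}`, removes that ambiguity; the `template "..fullname"` references in cm-deployment-toml.yaml and cm-entrypoint.yaml would need the matching rename. Worth a one-line comment on `..selectorLabels` as well, e.g. `{{/* Stable subset of ..labels only; these feed immutable selectors, so never add version or chart labels here. */}}`, since nothing in the file says why the two label sets differ.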
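Review bot: The whole `confs/deployment.toml` is rendered into a ConfigMap, and for WSO2 Identity Server that file is typically where datasource passwords, keystore/truststore passwords and the super-admin password are declared; the file itself is not visible in this hunk, but if any of those are set there they become readable by anyone with `get configmaps` in the namespace and sit unencrypted in etcd unless encryption at rest is configured. Either keep credential-bearing sections out of `deployment.toml` and inject them through the secret store or a `Secret`-backed volume, or render this resource as `kind: Secret` with `stringData:`; at minimum a comment above `data:` such as `# deployment.toml is a ConfigMap: it must not contain passwords, use the secret store / secret-conf.properties for those` should make the contract explicit. A smaller point: `metadata` carries no `{{ include "..labels" . }}` even though `_helpers.tpl` defines it for exactly this, so the resource is unlabelled for selectors and ownership queries, and `namespace :` (space before the colon) parses but is inconsistent with the other keys.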
@@ -0,0 +1,64 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.configMap }}
+kind: ConfigMap
+metadata:
+ name: {{ template "..fullname" . }}-entrypoint
+ namespace : {{ .Release.Namespace }}
+data:
+ docker-entrypoint.sh: |-
+ #!/bin/sh
+ # ------------------------------------------------------------------------
+ # Copyright 2024 WSO2 LLC. (http://wso2.com)
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License
+ # ------------------------------------------------------------------------
+
+ set -e
+
+ # volume mounts
+ config_volume=${WORKING_DIRECTORY}/wso2-config-volume
+ artifact_volume=${WORKING_DIRECTORY}/wso2-artifact-volume
+
+ # check if the WSO2 non-root user home exists
+ test ! -d ${WORKING_DIRECTORY} && echo "WSO2 Docker non-root user home does not exist" && exit 1
+
+ # check if the WSO2 product home exists
+ test ! -d ${WSO2_SERVER_HOME} && echo "WSO2 Docker product home does not exist" && exit 1
+
+ # copy any configuration changes mounted to config_volume
+ test -d ${config_volume} && [ "$(ls -A ${config_volume})" ] && cp -RL ${config_volume}/* ${WSO2_SERVER_HOME}/
+ # copy any artifact changes mounted to artifact_volume
+ test -d ${artifact_volume} && [ "$(ls -A ${artifact_volume})" ] && cp -RL ${artifact_volume}/* ${WSO2_SERVER_HOME}/
+
+ {{- if .Values.deployment.secretStore.enabled }}
+ # copy the decrypted internal keystore password to the password-tmp file
+ cp /mnt/secrets-store/INTERNAL-KEYSTORE-PASSWORD-DECRYPTED ${WSO2_SERVER_HOME}/password-tmp
+ {{- end }}
+
+ # start WSO2 Carbon server
+ sh ${WSO2_SERVER_HOME}/bin/wso2server.sh "$@"
diff --git a/templates/cm-log4j2-properties.yaml b/templates/cm-log4j2-properties.yaml
new file mode 100644
index 00000000..815ce117
--- /dev/null
+++ b/templates/cm-log4j2-properties.yaml
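Review bot: The decrypted internal keystore password is copied to `${WSO2_SERVER_HOME}/password-tmp` with whatever mode the default umask yields, so it is typically group- and world-readable inside the container until the server consumes it; create it under a restrictive umask instead, `( umask 077 && cp /mnt/secrets-store/INTERNAL-KEYSTORE-PASSWORD-DECRYPTED "${WSO2_SERVER_HOME}/password-tmp" )`. The closing `sh ${WSO2_SERVER_HOME}/bin/wso2server.sh "$@"` keeps the entrypoint shell as the container's main process, so the TERM signal sent after the preStop hook lands on the shell rather than on the server; `exec sh "${WSO2_SERVER_HOME}/bin/wso2server.sh" "$@"` hands the PID over (assuming the image runs this script as its entrypoint, which is not visible here). `${WORKING_DIRECTORY}`, `${WSO2_SERVER_HOME}` and the volume paths are expanded unquoted throughout; quoting them costs nothing and keeps the `cp -RL` lines safe should a path ever contain whitespace.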
@@ -0,0 +1,23 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.configMap }}
+kind: ConfigMap
+metadata:
+ name: {{ template "..fullname" . }}-log4j2-properties
+ namespace : {{ .Release.Namespace }}
+data:
+ log4j2.properties: {{ tpl (.Files.Get "confs/log4j2.properties") . | quote }}
diff --git a/templates/cm-secret-config-properties.yaml b/templates/cm-secret-config-properties.yaml
new file mode 100644
index 00000000..a1228395
--- /dev/null
+++ b/templates/cm-secret-config-properties.yaml
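Review bot: `namespace : {{ .Release.Namespace }}` puts a space before the colon; YAML tolerates it, but it is inconsistent with `namespace: {{ .Release.Namespace }}` in deployment.yaml and some linters flag it, so the plain form is preferable. The same spelling appears in cm-deployment-toml.yaml, cm-entrypoint.yaml, cm-secret-config-properties.yaml, cm-thrift-authentication-xml.yaml, pvc.yaml, the ServiceAccount in rbac.yaml and svc.yaml.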
@@ -0,0 +1,25 @@
+{{- if .Values.deployment.secretStore.enabled }}
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.configMap }}
+kind: ConfigMap
+metadata:
+ name: {{ template "..fullname" . }}-secret-config-properties
+ namespace : {{ .Release.Namespace }}
+data:
+ secret-conf.properties: {{ tpl (.Files.Get "confs/secret-conf.properties") . | quote }}
+{{- end }}
diff --git a/templates/cm-thrift-authentication-xml.yaml b/templates/cm-thrift-authentication-xml.yaml
new file mode 100644
index 00000000..837b0f38
--- /dev/null
+++ b/templates/cm-thrift-authentication-xml.yaml
@@ -0,0 +1,23 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.configMap }}
+kind: ConfigMap
+metadata:
+ name: {{ template "..fullname" . }}-thrift-authentication-xml
+ namespace : {{ .Release.Namespace }}
+data:
+ thrift-authentication.xml: {{ tpl (.Files.Get "confs/thrift-authentication.xml") . | quote }}
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
new file mode 100644
index 00000000..4857386a
--- /dev/null
+++ b/templates/deployment.yaml
@@ -0,0 +1,235 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.deployment }}
+kind: Deployment
+metadata:
+ name: {{ template "..fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ progressDeadlineSeconds: {{ .Values.deployment.progressDeadlineSeconds }}
+ replicas: {{ .Values.deployment.replicas }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ .Values.deployment.strategy.rollingUpdate.maxSurge }}
+ maxUnavailable: {{ .Values.deployment.strategy.rollingUpdate.maxUnavailable }}
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ {{- include "..selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "..selectorLabels" . | nindent 8 }}
+ annotations:
+ checksum.deployment.toml: {{ include (print $.Template.BasePath "/cm-deployment-toml.yaml") . | sha256sum }}
+ {{- if .Values.deployment.secretStore.enabled }}
+ checksum.secret.properties: {{ include (print $.Template.BasePath "/cm-secret-config-properties.yaml") . | sha256sum }}
+ {{- end }}
+ checksum.log4j.properties: {{ include (print $.Template.BasePath "/cm-log4j2-properties.yaml") . | sha256sum }}
+ checksum.entrypoint.sh: {{ include (print $.Template.BasePath "/cm-entrypoint.yaml") . | sha256sum }}
+ checksum.thrift-authentication.xml: {{ include (print $.Template.BasePath "/cm-thrift-authentication-xml.yaml") . | sha256sum }}
+ container.apparmor.security.beta.kubernetes.io/wso2is: {{ .Values.deployment.apparmor.profile }}
+ spec:
+ securityContext:
+ runAsUser: {{ .Values.deployment.securityContext.runAsUser }}
+ seccompProfile:
+ type: {{ .Values.deployment.securityContext.seccompProfile.type }}
+ terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - {{ include "..name" . }}
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ topologyKey: topology.kubernetes.io/zone
+ containers:
+ - name: wso2is
+ {{- if .Values.deployment.image.digest }}
+ image: {{ .Values.deployment.image.registry }}/{{ .Values.deployment.image.repository }}@{{ .Values.deployment.image.digest }}
+ {{- else }}
+ image: {{ .Values.deployment.image.registry }}/{{ .Values.deployment.image.repository }}:{{ default "latest" .Values.deployment.image.tag }}
+ {{- end }}
+ {{- if .Values.deployment.enableCorrelationLogs }}
+ args:
+ - "-DenableCorrelationLogs=true"
+ {{- end }}
+ startupProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - nc -z localhost 9443
+ initialDelaySeconds: {{ .Values.deployment.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.deployment.startupProbe.periodSeconds }}
+ failureThreshold: {{ .Values.deployment.startupProbe.failureThreshold }}
+ livenessProbe:
+ httpGet:
+ path: /oauth2/token/.well-known/openid-configuration
+ port: 9443
+ scheme: HTTPS
+ periodSeconds: {{ .Values.deployment.livenessProbe.periodSeconds }}
+ readinessProbe:
+ httpGet:
+ path: /api/health-check/v1.0/health
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: {{ .Values.deployment.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.deployment.readinessProbe.periodSeconds }}
+ imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
+ resources:
+ requests:
+ memory: {{ .Values.deployment.resources.requests.memory }}
+ cpu: {{ .Values.deployment.resources.requests.cpu }}
+ limits:
+ memory: {{ .Values.deployment.resources.limits.memory }}
+ cpu: {{ .Values.deployment.resources.limits.cpu }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "sh"
+ - "-c"
+ - >
+ echo "Pre stop hook triggered";
+ sleep {{ .Values.deployment.preStopHookWaitSeconds }};
+ echo "Shutdown server";
+ ${WSO2_SERVER_HOME}/bin/wso2server.sh stop
+ securityContext:
+ allowPrivilegeEscalation: false
+ # File system should be read write to cater runtime writes to the configs, DB files, etc...
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
+ env:
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: JVM_MEM_OPTS
+ value: {{ .Values.deployment.resources.jvm.memOpts }}
+ - name: JAVA_OPTS
+ value: {{ .Values.deployment.resources.jvm.javaOpts }}
+ ports:
+ - containerPort: 9443
+ protocol: TCP
+ volumeMounts:
+ - name: {{ template "..fullname" . }}-deployment-toml
+ mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/deployment.toml
+ subPath: deployment.toml
+ - name: {{ template "..fullname" . }}-thrift-authentication-xml
+ mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/identity/thrift-authentication.xml
+ subPath: thrift-authentication.xml
+ {{- if .Values.deployment.externalJKS.enabled }}
+ - name: keystores
+ mountPath: /home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/repository/resources/security/{{ .Values.deploymentToml.truststore.fileName }}
+ subPath: {{ .Values.deploymentToml.truststore.fileName }}
+ - name: keystores
+ mountPath: /home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/repository/resources/security/{{ .Values.deploymentToml.keystore.internal.fileName }}
+ subPath: {{ .Values.deploymentToml.keystore.internal.fileName }}
+ - name: keystores
+ mountPath: /home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/repository/resources/security/{{ .Values.deploymentToml.keystore.tls.fileName }}
+ subPath: {{ .Values.deploymentToml.keystore.tls.fileName }}
+ - name: keystores
+ mountPath: /home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/repository/resources/security/{{ .Values.deploymentToml.keystore.primary.fileName }}
+ subPath: {{ .Values.deploymentToml.keystore.primary.fileName }}
+ {{- end }}
+ - name: {{ template "..fullname" . }}-log4j2-properties
+ mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/log4j2.properties
+ subPath: log4j2.properties
+ {{- if .Values.deployment.secretStore.enabled }}
+ - name: {{ template "..fullname" . }}-secret-config-properties
+ mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/security/secret-conf.properties
+ subPath: secret-conf.properties
+ - name: secrets-volume
+ mountPath: /mnt/secrets-store
+ readOnly: true
+ {{- end }}
+ - name: {{ template "..fullname" . }}-entrypoint
+ mountPath: /home/wso2carbon/docker-entrypoint.sh
+ subPath: docker-entrypoint.sh
+ {{- if .Values.deployment.persistence.enabled }}
+ - name: runtime-persistent-data-storage
+ mountPath: /home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/repository/tenants
+ subPath: {{ .Values.deployment.persistence.subPaths.tenants }}
+ - name: runtime-persistent-data-storage
+ mountPath: /home/wso2carbon/{{ .Values.deployment.productPackName }}-{{ .Values.deployment.buildVersion }}/repository/deployment/server/userstores
+ subPath: {{ .Values.deployment.persistence.subPaths.userstores }}
+ {{- end }}
+ {{- if .Values.deployment.extraVolumeMounts }}
+ {{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ serviceAccountName: {{ template "..fullname" . }}
+ {{- if .Values.deployment.image.imagePullSecret }}
+ imagePullSecrets:
+ - name: { { .Values.wso2.deployment.image.imagePullSecret }}
+ {{- else if and (not (eq .Values.wso2.subscription.username "")) (not (eq .Values.wso2.subscription.password "")) }}
+ imagePullSecrets:
+ - name: {{ template "..fullname" . }}-wso2-private-registry-creds
+ {{- end }}
+ volumes:
+ {{- if .Values.deployment.extraVolumes }}
+ {{ toYaml .Values.deployment.extraVolumes | nindent 8 }}
+ {{- end }}
+ - name: {{ template "..fullname" . }}-deployment-toml
+ configMap:
+ name: {{ template "..fullname" . }}-deployment-toml
+ - name: {{ template "..fullname" . }}-thrift-authentication-xml
+ configMap:
+ name: {{ template "..fullname" . }}-thrift-authentication-xml
+ - name: {{ template "..fullname" . }}-log4j2-properties
+ configMap:
+ name: {{ template "..fullname" . }}-log4j2-properties
+ {{- if .Values.deployment.externalJKS.enabled }}
+ - name: keystores
+ secret:
+ secretName: {{ .Values.deployment.externalJKS.secretName }}
+ {{- end }}
+ {{- if .Values.deployment.secretStore.enabled }}
+ - name: {{ template "..fullname" . }}-secret-config-properties
+ configMap:
+ name: {{ template "..fullname" . }}-secret-config-properties
+ - name: secrets-volume
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ template "..fullname" . }}
+ {{- if .Values.deployment.secretStore.azure.enabled }}
+ nodePublishSecretRef:
+ name: {{ .Values.deployment.secretStore.azure.nodePublishSecretRef }}
+ {{- end }}
+ {{- end }}
+ - name: {{ template "..fullname" . }}-entrypoint
+ configMap:
+ name: {{ template "..fullname" . }}-entrypoint
+ defaultMode: 0407
+ {{- if .Values.deployment.persistence.enabled }}
+ - name: runtime-persistent-data-storage
+ persistentVolumeClaim:
+ claimName: {{ template "..fullname" . }}
+ {{- end }}
diff --git a/templates/hpa.yaml b/templates/hpa.yaml
new file mode 100644
index 00000000..4c9468da
--- /dev/null
+++ b/templates/hpa.yaml
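Review bot: The `imagePullSecrets` branch taken when `deployment.image.imagePullSecret` is set renders `- name: { { .Values.wso2.deployment.image.imagePullSecret }}`: the space inside `{ {` keeps Helm from treating it as an action, so the literal braces reach the YAML parser as a flow mapping and the manifest is invalid as a Kubernetes object, and the `.Values.wso2.deployment...` path does not match the `deployment.image.imagePullSecret` key declared in values.yaml. It should read `- name: {{ .Values.deployment.image.imagePullSecret }}`. In the container `securityContext`, `drop: - all` should be `- ALL`; the Pod Security Admission restricted profile matches the literal `ALL`, so the lowercase form may not satisfy it even where the runtime accepts it. `defaultMode: 0407` on the entrypoint ConfigMap volume grants read only to the owner but read, write and execute to everyone else, which reads as a typo for `0555`. The unconditional `replicas: {{ .Values.deployment.replicas }}` also fights the autoscaler from hpa.yaml, since every `helm upgrade` resets the Deployment to that count; guard the line with `{{- if not .Values.deployment.hpa.enabled }}`.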
@@ -0,0 +1,32 @@
+{{- if .Values.deployment.hpa.enabled }}
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.horizontalPodAutoscaler }}
+kind: HorizontalPodAutoscaler
+metadata:
+ annotations:
+ autoscaling.alpha.kubernetes.io/metrics: '[{"type":"Resource","resource":{"name":"memory","targetAverageUtilization":{{ .Values.deployment.hpa.averageUtilizationMemory }}}}]'
+ name: {{ template "..fullname" . }}
+spec:
+ maxReplicas: {{ .Values.deployment.hpa.maxReplicas }}
+ minReplicas: {{ .Values.deployment.replicas }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "..fullname" . }}
+ targetCPUUtilizationPercentage: {{ .Values.deployment.hpa.averageUtilizationCPU }}
+{{- end }}
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
new file mode 100644
index 00000000..b9fda534
--- /dev/null
+++ b/templates/ingress.yaml
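Review bot: `autoscaling.alpha.kubernetes.io/metrics` with `targetAverageUtilization`, together with `targetCPUUtilizationPercentage`, is the legacy autoscaling/v1 shape; whether it is honoured depends on `k8sKindAPIVersions.horizontalPodAutoscaler`, which is not visible here, and under autoscaling/v2 the memory target belongs in `spec.metrics` while `targetCPUUtilizationPercentage` is not a field at all. Stating the intended API version next to the annotation, or rendering the v2 `metrics` list when that version is selected, would keep the object valid as clusters move forward. The resource also omits the explicit `namespace: {{ .Release.Namespace }}` that the other namespaced resources in this patch carry.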
@@ -0,0 +1,42 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.ingress }}
+kind: Ingress
+metadata:
+ annotations:
+ {{- if .Values.deployment.ingress.annotations }}
+ {{- toYaml .Values.deployment.ingress.annotations | nindent 4 }}
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "..fullname" . }}
+spec:
+ ingressClassName: {{ .Values.deployment.ingress.ingressClassName }}
+ rules:
+ - host: {{ .Values.deployment.ingress.hostName | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ template "..fullname" . }}
+ port:
+ number: 9443
+ tls:
+ - hosts:
+ - {{ .Values.deployment.ingress.hostName | quote }}
+ secretName: {{ .Values.deployment.ingress.tlsSecretsName }}
diff --git a/templates/pdb.yaml b/templates/pdb.yaml
new file mode 100644
index 00000000..ad82d188
--- /dev/null
+++ b/templates/pdb.yaml
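Review bot: values.yaml declares `deployment.ingress.enableNginxRateLimit` ("Enable Nginx rate limiting"), but no template in this patch reads it, so switching it on changes nothing; either wire it into the `annotations` block here (for example emitting `nginx.ingress.kubernetes.io/limit-rps` when it is true) or drop the value so operators are not misled. Routing `path: /` to the service also publishes every endpoint the server listens on under the public host, presumably including its administrative ones; if that is intended, a sentence in the README saying so would help, otherwise narrowing the exposed paths is the safer default.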
@@ -0,0 +1,28 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+{{ $replicas:= int .Values.deployment.replicas }}
+{{- if gt $replicas 1 }}
+apiVersion: {{ .Values.k8sKindAPIVersions.podDisruptionBudget }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "..fullname" . }}
+spec:
+ minAvailable: {{ .Values.deployment.pdb.minAvailable | quote }}
+ selector:
+ matchLabels:
+ {{- include "..selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/templates/pv.yaml b/templates/pv.yaml
new file mode 100644
index 00000000..48847bfb
--- /dev/null
+++ b/templates/pv.yaml
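Review bot: `minAvailable: {{ .Values.deployment.pdb.minAvailable | quote }}` always emits a string, but `minAvailable` is an IntOrString and API validation only accepts a string when it is a percentage, so a quoted plain count such as `"1"` is rejected. Unless the value is meant to be something like `"50%"`, drop the `quote` so an integer count renders as an integer (the default in values.yaml is not visible in this chunk). The `gt $replicas 1` guard also means no budget exists when the HPA in hpa.yaml scales a one-replica deployment up, and the object omits the explicit `namespace:` that pvc.yaml and svc.yaml set.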
@@ -0,0 +1,43 @@
+{{- if .Values.deployment.persistence.enabled }}
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+{{- if .Values.deployment.persistence.azure.enabled }}
+apiVersion: {{ .Values.k8sKindAPIVersions.persistentVolume }}
+kind: PersistentVolume
+metadata:
+ name: {{ template "..fullname" . }}
+ labels:
+ purpose: {{ template "..fullname" . }}-identity-server-persistence
+spec:
+ accessModes:
+ - ReadWriteMany
+ capacity:
+ storage: {{ .Values.deployment.persistence.capacity }}
+ persistentVolumeReclaimPolicy: Retain
+ volumeMode: Filesystem
+ azureFile:
+ secretName: {{ .Values.deployment.persistence.azure.secretName }}
+ secretNamespace: {{ .Release.Namespace }}
+ shareName: {{ .Values.deployment.persistence.azure.fileShare }}
+ mountOptions:
+ - dir_mode=0777
+ - file_mode=0777
+ - uid={{ .Values.deployment.securityContext.runAsUser }}
+ - gid={{ .Values.deployment.securityContext.runAsUser }}
+ - cache=strict
+{{- end }}
+{{- end }}
diff --git a/templates/pvc.yaml b/templates/pvc.yaml
new file mode 100644
index 00000000..89a11aad
--- /dev/null
+++ b/templates/pvc.yaml
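Review bot: `dir_mode=0777` and `file_mode=0777` make every file on the Azure file share world-writable inside the pod, yet `uid=`/`gid=` already pin ownership to the runtime user, so `dir_mode=0750` and `file_mode=0640` (or `0700`/`0600`) give the server the same access and nothing to any other user; the tenants and userstore directories mounted from this volume in deployment.yaml hold per-tenant identity data. `gid=` is also derived from `securityContext.runAsUser`, which is only right when the group id happens to equal the user id; a dedicated `runAsGroup` or `fsGroup` value would state the intent and keep the two from drifting apart.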
@@ -0,0 +1,33 @@
+{{- if .Values.deployment.persistence.enabled }}
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.persistentVolumeClaim }}
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ template "..fullname" . }}
+ namespace : {{ .Release.Namespace }}
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: {{ .Values.deployment.persistence.capacity }}
+ selector:
+ matchLabels:
+ purpose: {{ template "..fullname" . }}-identity-server-persistence
+ storageClassName: ""
+{{- end }}
diff --git a/templates/rbac.yaml b/templates/rbac.yaml
new file mode 100644
index 00000000..bcb23d69
--- /dev/null
+++ b/templates/rbac.yaml
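Review bot: The claim is rendered whenever `deployment.persistence.enabled` is true, but the PersistentVolume in pv.yaml only exists when `deployment.persistence.azure.enabled` is also true, and with `storageClassName: ""` plus the `purpose` label selector no dynamic provisioner will satisfy it; on any other platform the claim stays Pending and the Deployment never schedules. Either document in values.yaml that a pre-created PV labelled `purpose: <fullname>-identity-server-persistence` is required outside Azure, or make the selector and storage class configurable so the non-Azure path is usable.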
@@ -0,0 +1,49 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.serviceAccount }}
+kind: ServiceAccount
+metadata:
+ name: {{ template "..fullname" . }}
+ namespace : {{ .Release.Namespace }}
+
+---
+
+apiVersion: {{ .Values.k8sKindAPIVersions.role }}
+kind: Role
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "..fullname" . }}-endpoints-reader-role
+rules:
+ - apiGroups: [""]
+ verbs: ["get", "list"]
+ resources: ["endpoints"]
+
+---
+
+apiVersion: {{ .Values.k8sKindAPIVersions.roleBinding }}
+kind: RoleBinding
+metadata:
+ name: {{ template "..fullname" . }}-endpoints-reader-role-wso2-binding
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "..fullname" . }}-endpoints-reader-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "..fullname" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/templates/secret-image-pull.yaml b/templates/secret-image-pull.yaml
new file mode 100644
index 00000000..9321fce4
--- /dev/null
+++ b/templates/secret-image-pull.yaml
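Review bot: The Role grants `get` and `list` on `endpoints` to the server's ServiceAccount without saying which component needs it, which is the first question an RBAC review asks; a comment above `rules:` such as `# endpoints read access: required by the Kubernetes membership scheme used for clustering (confirm against deployment.toml)` records the justification next to the grant. The grant itself is minimal and namespace-scoped, which is the right shape, and keeping it that way is easier when the reason is written down.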
@@ -0,0 +1,33 @@
+{{ if and (not (eq .Values.wso2.subscription.username "")) (not (eq .Values.wso2.subscription.password "")) }}
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+{{- $username := .Values.wso2.subscription.username }}
+{{- $password := .Values.wso2.subscription.password }}
+{{- $email := .Values.wso2.subscription.username }}
+{{- $regId := "docker.wso2.com" }}
+{{- $auth := printf "%s:%s" $username $password | b64enc }}
+{{- $files := .Files }}
+
+apiVersion: {{ .Values.k8sKindAPIVersions.secret }}
+kind: Secret
+metadata:
+ name: {{ template "..fullname" . }}-wso2-private-registry-creds
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $files.Get "confs/auth.json" | replace "reg.id" $regId | replace "reg.username" $username | replace "reg.password" $password | replace "reg.email" $email | replace "reg.auth" $auth | b64enc }}
+{{ end }}
diff --git a/templates/secret-provider-class.yaml b/templates/secret-provider-class.yaml
new file mode 100644
index 00000000..bf5a1856
--- /dev/null
+++ b/templates/secret-provider-class.yaml
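Review bot: Building `.dockerconfigjson` by text-substituting `reg.username`, `reg.password` and the other placeholders into confs/auth.json breaks as soon as a subscription credential contains a `"` or `\` (the JSON becomes invalid and the pull secret unusable), and because the `replace` calls run in sequence a password that itself contains a later placeholder is rewritten. Let Helm serialise it instead, `.dockerconfigjson: {{ dict "auths" (dict $regId (dict "username" $username "password" $password "email" $email "auth" $auth)) | toJson | b64enc }}`, after which confs/auth.json and the `$files` variable are no longer needed. `$email` is assigned from the username; if that is deliberate, a short comment saying so would stop the next reader from treating it as a copy-paste slip.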
@@ -0,0 +1,38 @@
+{{- if and .Values.deployment.secretStore.enabled .Values.deployment.secretStore.azure.enabled }}
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.secretProviderClass }}
+kind: SecretProviderClass
+metadata:
+ name: {{ template "..fullname" . }}
+spec:
+ provider: azure
+ parameters:
+ usePodIdentity: "false"
+ userAssignedIdentityID: "{{ .Values.deployment.secretStore.azure.keyVault.servicePrincipalAppID }}"
+ keyvaultName: "{{ .Values.deployment.secretStore.azure.keyVault.name }}"
+ cloudName: ""
+ objects: |
+ array:
+ - |
+ objectName: {{ .Values.deployment.secretStore.azure.keyVault.secretName }}
+ objectType: secret
+ objectVersion: ""
+ tenantId: "{{ .Values.deployment.secretStore.azure.keyVault.tenantId }}"
+ resourceGroup: "{{ .Values.deployment.secretStore.azure.keyVault.resourceGroup }}"
+ subscriptionId: "{{ .Values.deployment.secretStore.azure.keyVault.subscriptionId }}"
+{{- end }}
diff --git a/templates/svc.yaml b/templates/svc.yaml
new file mode 100644
index 00000000..6981bfe3
--- /dev/null
+++ b/templates/svc.yaml
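Review bot: `userAssignedIdentityID` is populated from a value named `servicePrincipalAppID`, but in the Azure Key Vault provider that parameter is only consulted when `useVMManagedIdentity: "true"` is also set, which this object does not do; with `usePodIdentity: "false"` and the `nodePublishSecretRef` wired in deployment.yaml, this looks like service-principal mode, where the app id belongs in the referenced secret's `clientid` key and this line is ignored. Confirm which authentication mode is intended and either add `useVMManagedIdentity: "true"` (dropping the node-publish secret) or remove the misleading parameter and rename the value. A one-line comment above `parameters:` naming the chosen mode would stop the two code paths from being mixed again.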
@@ -0,0 +1,29 @@
+# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+apiVersion: {{ .Values.k8sKindAPIVersions.service }}
+kind: Service
+metadata:
+ name: {{ template "..fullname" . }}
+ namespace : {{ .Release.Namespace }}
+spec:
+ selector:
+ {{- include "..selectorLabels" . | nindent 6 }}
+ ports:
+ - name: servlet-https
+ port: 9443
+ targetPort: 9443
+ protocol: TCP
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 00000000..381915dc
--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,481 @@ +# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +wso2: + subscription: + # -- WSO2 account username + username: "" + # -- WSO2 account password + password: "" + +deployment: + apparmor: + # -- Apparmor profile + profile: "runtime/default" + ingress: + # -- Host name of the Identity server as Key Manager + hostName: "wso2is.com" + # -- Ingress class name + ingressClassName: "nginx" + # -- K8s TLS secret for configured hostname + tlsSecretsName: "is-tls" + # -- Enable Nginx rate limiting + enableNginxRateLimit: false + annotations: + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/session-cookie-name: "paf" + nginx.ingress.kubernetes.io/session-cookie-hash: "sha1" + nginx.ingress.kubernetes.io/session-cookie-samesite: "None" + # Disable same site cookie. Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#session-affinity + nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + nginx.ingress.kubernetes.io/session-cookie-path: "/" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + # Enable or disable proxy buffering proxy_buffering. 
By default, proxy buffering is disabled in the NGINX config(Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#proxy-buffering). + nginx.ingress.kubernetes.io/proxy-buffering: "on" + # Sets the size of the buffer proxy_buffer_size used for reading the first part of the response received from the proxied server. By default proxy buffer size is set as "64k".(Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#proxy-buffer-size) + nginx.ingress.kubernetes.io/proxy-buffer-size: "64k" + + image: + # -- Container image registry host name + registry: "docker.wso2.com" + # -- Container image repository name + repository: "wso2is" + # -- Container image digest + digest: "" + # -- Container image tag. Either "tag" or "digest" should defined + tag: "7.0.0" + # -- Refer to the Kubernetes documentation on updating images (Ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images) + pullPolicy: "Always" + # -- image pull secret name + imagePullSecret: "" + # -- Progress deadline seconds where the Deployment controller waits before indicating (in the Deployment status) that the Deployment progress has stalled. + progressDeadlineSeconds: 600 + # -- preStopHookWaitInSeconds waits before calling server stop in the pre stop hook. + preStopHookWaitSeconds: 10 + # -- Pod termination grace period. K8s API server waits this period after pre stop hook and sending TERM signal + terminationGracePeriodSeconds: 40 + # -- Number of deployment replicas + replicas: 1 + # -- Additional volumeMounts to the pods. All the configuration mounts should be done under the path "/home/wso2carbon/wso2-config-volume/" + extraVolumeMounts: [ ] + # - name: custom-property-file + # mountPath: /home/wso2carbon/wso2-config-volume/repository/conf/custom-property-file.properties + # subPath: custom-property-file.properties + + # -- Additional volumes to the pod. 
+ extraVolumes: [] + # - name: custom-property-file + # configMap: + # # Provide the name of the ConfigMap containing the files you want + # # to add to the container + # name: custom-property-file + securityContext: + # -- Run as user ID + runAsUser: 802 + seccompProfile: + # -- Seccomp profile type + type: "RuntimeDefault" + hpa: + # -- Enable HPA for the deployment + enabled: false + # -- Max replica count for HPA(Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + maxReplicas: 2 + # -- Average CPU utilization for HPA + averageUtilizationCPU: 65 + # -- averageUtilizationMemory parameter should be greater than 75 if not un expected scaling will happen during rolling update. + averageUtilizationMemory: 75 + pdb: + # -- Minimum availability for PDB + minAvailable: "50%" + strategy: + rollingUpdate: + # -- The maximum number of pods that can be scheduled above the desired number of pods + maxSurge: 1 + # -- The maximum number of pods that can be unavailable during the update + maxUnavailable: 0 + # -- Kubernetes Probes + # -- Startup probe executed prior to Liveness Probe taking over + startupProbe: + # -- Number of seconds after the container has started before startup probes are initiated + initialDelaySeconds: 60 + # -- How often (in seconds) to perform the probe + periodSeconds: 5 + # -- Number of attempts + failureThreshold: 30 + # -- Indicates whether the container is running + livenessProbe: + # -- How often (in seconds) to perform the probe + periodSeconds: 10 + # -- Indicates whether the container is ready to service requests + readinessProbe: + # -- Number of seconds after the container has started before readiness probes are initiated + initialDelaySeconds: 60 + # -- How often (in seconds) to perform the probe + periodSeconds: 10 + resources: + # -- These are the minimum resource recommendations for running WSO2 Identity and Access Management product profiles + # -- as per official documentation (Ref: 
https://is.docs.wso2.com/en/latest/setup/installation-prerequisites/) + requests: + # -- The minimum amount of memory that should be allocated for a Pod + memory: "2Gi" + # -- The minimum amount of CPU that should be allocated for a Pod + cpu: "2" + limits: + # -- The maximum amount of memory that should be allocated for a Pod + memory: "4Gi" + # -- The maximum amount of CPU that should be allocated for a Pod + cpu: "3" + jvm: + # -- JVM memory options + memOpts: "-Xms2048m -Xmx2048m" + # -- JVM parameters + javaOpts: -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true + -Dhttpclient.hostnameVerifier=Strict -Djdk.tls.client.protocols=TLSv1.2 + -Djava.util.prefs.systemRoot=/home/wso2carbon/.java -Djava.util.prefs.userRoot=/home/wso2carbon/.java/.userPrefs + # -- Product version + buildVersion: "7.0.0" + # -- Product pack name + productPackName: "wso2is" + # -- Enable correlation logs + enableCorrelationLogs: false + externalJKS: + # -- Mount external keystore and trustores + enabled: false + # -- K8s secret name which contains JKS files + secretName: "keystores" + persistence: + # -- Enable persistence for artifact sharing + enabled: false + subPaths: + # -- Azure storage account tenants file share path + tenants: "tenants" + # -- Azure storage account userstores file share path + userstores: "userstores" + azure: + # -- Enable persistence for artifact sharing using Azure file share + enabled: true + # -- Azure Storage Account credentials to access the file shares + # -- Ref: https://docs.microsoft.com/en-us/azure/aks/azure-files-volume#create-a-kubernetes-secret + # -- Names of Azure File shares for persisted data + fileShare: "is-share" + # -- K8s secret name for the Azure file share CI driver + secretName: "azure-storage-csi" + # -- Define capacity for persistent runtime artifacts which are shared between instances of the Identity Server profile + capacity: 100Gi + secretStore: + # -- Enable secure vault with secret store CSI 
driver + enabled: false + azure: + # -- Enable Azure Key Vault integration. + enabled: true + keyVault: + # -- Name of the target Azure Key Vault instance + name: "" + # -- Subscription ID of the target Azure Key Vault + subscriptionId: "" + # -- Name of the Azure Resource Group to which the target Azure Key Vault belongs + resourceGroup: "" + # -- Service Principal created for transacting with the target Azure Key Vault + # Ref: https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/docs/service-principal-mode.md + servicePrincipalAppID: "" + # -- Azure Active Directory tenant ID of the target Key Vault + tenantId: "" + # -- Azure Key Vault secret name of the internal keystore password + secretName: "INTERNAL-KEYSTORE-PASSWORD-DECRYPTED" + # -- The name of the Kubernetes secret that contains the service principal credentials to access Azure Key Vault. Ref: https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/#configure-service-principal-to-access-keyvault + nodePublishSecretRef: "azure-kv-secret-store-sp" + +deploymentToml: + server: + # -- Change default ports(Ref: https://is.docs.wso2.com/en/latest/references/default-ports-of-wso2-products/#:~:text=For%20each%20additional%20WSO2%20product,to%20the%20server%20during%20startup.) + offset: "0" + userStore: + type: "database_unique_id" + superAdmin: + # -- Carbon console admin account username + username: "admin" + # -- Carbon console admin account password + password: "admin" + # -- Create Carbon console admin account + createAdminAccount: true + account: + recovery: + endpoint: + auth: + # -- Configure client authentication app password hash. 
Ref https://is.docs.wso2.com/en/latest/deploy/security/product-level-security-guidelines/#configure-client-authentication + hash: "66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262" + identity: + authFramework: + endpoint: + # -- Configure client authentication encrypted app password. Ref https://is.docs.wso2.com/en/latest/deploy/security/product-level-security-guidelines/#configure-client-authentication + appPassword: "dashboard" + encryption: + # -- Configure symmetric key encryption key. Ref https://is.docs.wso2.com/en/latest/deploy/security/symmetric-encryption/use-symmetric-encryption/ + key: "3cc0481b70794667b5bee7e2beed2de4" + clustering: + # -- Enable clustering. Ref: https://is.docs.wso2.com/en/latest/deploy/configure-hazelcast/ + enabled: true + # -- Cluster domain + domain: "wso2.is.domain" + # -- This defines membership schema type + membershipScheme: "kubernetes" + # -- This defines local member port + localMemberPort: "4001" + database: + identity: + # -- The SQL server type(ex: mysql, mssql) + type: "h2" + # -- The database username + username: "wso2carbon" + # -- The database JDBC URL + url: "jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE" + # -- The password + password: "wso2carbon" + # -- The database JDBC driver + driver: "org.h2.Driver" + # -- The database pool options + poolOptions: +# maxActive: "50" +# maxWait: "60000" +# minIdle: "10" +# validationInterval: "30000" +# defaultAutoCommit: true +# commitOnReturn: false + shared: + # -- The SQL server type(ex: mysql, mssql) + type: "h2" + # -- The database username + username: "wso2carbon" + # -- The database JDBC URL + url: "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000" + # -- The database password + password: "wso2carbon" + # -- The database JDBC driver + driver: "org.h2.Driver" + # -- The database pool options + poolOptions: +# maxActive: "50" +# maxWait: "60000" +# minIdle: "10" +# validationInterval: "30000" +# 
defaultAutoCommit: true +# commitOnReturn: false + user: + # -- The SQL server type(ex: mysql, mssql) + type: "h2" + # -- The database username + username: "wso2carbon" + # -- The database JDBC URL + url: "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000" + # -- The database password + password: "wso2carbon" + # -- The database JDBC driver + driver: "org.h2.Driver" + # -- The database pool options + poolOptions: +# maxActive: "50" +# maxWait: "60000" +# minIdle: "10" +# validationInterval: "30000" +# defaultAutoCommit: true +# commitOnReturn: false + consent: + # -- The SQL server type(ex: mysql, mssql) + type: "h2" + # -- The database username + username: "wso2carbon" + # -- The database JDBC URL + url: "jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE" + # -- The database password + password: "wso2carbon" + # -- The database JDBC driver + driver: "org.h2.Driver" + # -- The database pool options + poolOptions: +# maxActive: "80" +# maxWait: "60000" +# minIdle: "5" +# testOnBorrow: true +# validationQuery: "SELECT 1" +# validationInterval: "30000" +# defaultAutoCommit: false + keystore: + tls: + fileName: "wso2carbon.jks" + type: "JKS" + password: "wso2carbon" + alias: "wso2carbon" + keyPassword: "wso2carbon" + primary: + fileName: "wso2carbon.jks" + type: "JKS" + password: "wso2carbon" + alias: "wso2carbon" + keyPassword: "wso2carbon" + internal: + fileName: "wso2carbon.jks" + type: "JKS" + password: "wso2carbon" + alias: "wso2carbon" + keyPassword: "wso2carbon" + truststore: + fileName: "client-truststore.jks" + type: "JKS" + password: "wso2carbon" + recaptcha: + # -- Enable reCAPTCHA. Ref: https://is.docs.wso2.com/en/latest/deploy/configure-recaptcha/ + enabled: false + apiUrl: "" + verifyUrl: "" + siteKey: "" + secretKey: "" + outputAdapter: + email: + # -- Enable the email sender. 
Ref: https://is.docs.wso2.com/en/latest/deploy/configure-email-sending/#configure-the-email-sender-globally + enabled: false + fromAddress: "" + username: "" + hostname: "" + port: 587 + password: "" + enableStartTls: true + enableAuthentication: true + oauth: + # -- Enable/Disable the internal token cleanup process. Ref: https://is.docs.wso2.com/en/6.0.0/deploy/remove-unused-tokens-from-the-database/#! + tokenCleanup: false + tokenGeneration: + # -- Add UserName Assertions in Access Tokens. Ref: https://is.docs.wso2.com/en/6.0.0/deploy/enable-assertions-in-access-tokens/ + includeUsernameInAccessToken: false + transport: + https: + properties: + # -- Server name in HTTP response headers. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#change-the-server-name-in-http-response-headers + server: "WSO2 Carbon Server" + sslHostConfig: + properties: + # -- Enabling SSL protocols in the HTTPS transport. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enabling-ssl-protocols-in-the-wso2-is + protocols: "+TLSv1, +TLSv1.1, +TLSv1.2, +TLSv1.3" + # -- Configure TSL ciphers in the HTTPS transport. 
Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#disable-weak-ciphers + ciphers: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" + thrift: + # -- Enabling SSL protocols in ThriftAuthenticationService. Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enable-ssl-protocols-and-ciphers-in-thriftauthenticationservice + protocols: "TLSv1,TLSv1.1,TLSv1.2" + # -- Configure TSL ciphers in ThriftAuthenticationService. 
Ref: https://is.docs.wso2.com/en/latest/deploy/security/configure-transport-level-security/#enable-ssl-protocols-and-ciphers-in-thriftauthenticationservice + ciphers: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA" + userAccountLock: + # -- Enable user account lock. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-account/ + enabled: true + loginAttempts: + # -- This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. If the value you specify is 2, the account gets locked if the login attempt fails twice. + allowedFailedAttempts: 5 + # -- This indicates how much the account unlock timeout is incremented by after each failed login attempt + autoUnlockTimeIncrementRatio: 2 + # -- The time specified here is in minutes. Authentication can be attempted once this time has passed. + autoUnlockAfter: 5 + otp: + email: + # -- Enable email OTP. 
Ref: https://is.docs.wso2.com/en/latest/guides/mfa/email-otp-config-advanced/#email-otp-configurations + enabled: false + # -- Authentication endpoint URL of the authenticator. + authenticationEndpointURL: "https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp" + # -- Error page that will be displayed in case of an authentication failure. + authenticationEndpointErrorPage: "https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp" + addressRequestPage: "https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp" + # -- This parameter defines how the email ID will be retrieved. + usecase: "local" + # -- You can define multiple user stores per tenant as comma separated values. + secondaryUserstore: "primary" + # -- This parmeter defines whether email OTP is enforced as the second step of the 2FA/MFA or not. + mandatory: false + sendOTPToFederatedEmailAttribute: false + federatedEmailAttributeKey: "email" + enableByUserClaim: true + captureAndUpdateEmailAddress: true + showEmailAddressInUI: true + useEventHandlerBasedEmailSender: true + emailAddressRegex: '(?<=.{1}).(?=.*@)' + tokenExpirationTime: 300000 + # -- Enable account locking by email OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/ + userAccountLockEnabled: false + sms: + # -- Enable SMS OTP. 
Ref: https://is.docs.wso2.com/en/latest/guides/mfa/sms-otp-config-advanced/ + enabled: false + authenticationEndpointURL: "/smsotpauthenticationendpoint/smsotp.jsp" + authenticationEndpointErrorPage: "/smsotpauthenticationendpoint/smsotpError.jsp" + mobileNumberRegPage: "/smsotpauthenticationendpoint/mobile.jsp" + retryEnable: true + resendEnable: true + backupCode: true + enableByUserClaim: true + usecase: "local" + secondaryUserstore: "primary" + mandatory: false + federatedMobile: false + federatedMobileAttributeKey: "mobile" + captureAndUpdateMobileNumber: true + directlyToMobile: false + redirectToMultiOptionPageOnFailure: false + # -- Enable account locking by email OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/ + userAccountLockEnabled: false + totp: + enabled: false + encodingMethod: "Base32" + timeStepSize: "30" + windowSize: "3" + authenticationMandatory: true + enrolUserInAuthenticationFlow: true + usecase: "local" + secondaryUserstore: "primary" + authenticationEndpointURL: "authenticationendpoint/totp.do" + authenticationEndpointErrorPage: "authenticationendpoint/totp_error.do" + authenticationEndpointEnableTOTPPage: "authenticationendpoint/totp_enroll.do" + issuer: "WSO2" + useCommonIssuer: true + # -- Enable account locking by OTP. Ref: https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/lock-accounts-by-failed-otp-attempts/ + userAccountLockEnabled: false + # -- Add custom configurations to deployment.toml. 
+ extraConfigs: #| + # [transport.https.properties] + # proxyPort = 443 +# -- K8s API versions for K8s kinds +k8sKindAPIVersions: + # -- K8s API version for kind Deployment + deployment: "apps/v1" + # -- K8s API version for kind ConfigMap + configMap: "v1" + # -- K8s API version for kind HorizontalPodAutoscaler + horizontalPodAutoscaler: "autoscaling/v1" + # -- K8s API version for kind Ingress + ingress: "networking.k8s.io/v1" + # -- K8s API version for kind PodDisruptionBudget + podDisruptionBudget: "policy/v1" + # -- K8s API version for kind PersistentVolumeClaim + persistentVolumeClaim: "v1" + # -- K8s API version for kind PersistentVolume + persistentVolume: "v1" + # -- K8s API version for kind ServiceAccount + serviceAccount: "v1" + # -- K8s API version for kind Role + role: "rbac.authorization.k8s.io/v1" + # -- K8s API version for kind RoleBinding + roleBinding: "rbac.authorization.k8s.io/v1" + # -- K8s API version for kind SecretProviderClass + secretProviderClass: "secrets-store.csi.x-k8s.io/v1" + # -- K8s API version for kind Secret + secret: "v1" + # -- K8s API version for kind Service + service: "v1"
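Review bot: The default transport settings enable deprecated protocol versions: `protocols: "+TLSv1, +TLSv1.1, +TLSv1.2, +TLSv1.3"` for the HTTPS connector and `protocols: "TLSv1,TLSv1.1,TLSv1.2"` for the Thrift authentication service, while the accompanying `javaOpts` restrict the client side to `-Djdk.tls.client.protocols=TLSv1.2`; an identity server should not default to TLS 1.0/1.1, so ship `protocols: "+TLSv1.2, +TLSv1.3"` and `protocols: "TLSv1.2"` and let operators opt back in via `extraConfigs`. The HTTPS cipher list also ends in `TLS_EMPTY_RENEGOTIATION_INFO_SCSVF`, which looks like a typo for the JSSE name `TLS_EMPTY_RENEGOTIATION_INFO_SCSV`; whether Tomcat silently drops the unknown entry or fails to start depends on the server, so it should be corrected either way, and the `*_CBC_SHA` SHA-1 suites in both lists are worth trimming for the same reason. Separately, the defaults bake in well-known secrets in plain text — `superAdmin.password: "admin"`, every database and keystore `password: "wso2carbon"`, `encryption.key: "3cc0481b70794667b5bee7e2beed2de4"`, `appPassword: "dashboard"` — and nothing in the hunk indicates they are required to be overridden; at minimum add a comment on each such key (`# CHANGE ME: default shipped for evaluation only; set via --set or an external secret`) and consider leaving the encryption key empty so a `required` check in the template can fail the install. This hunk appears to run to the end of values.yaml (the `k8sKindAPIVersions` map), so no further context was reviewed.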