From 75326e397c619a2b58963d3fd9fc1a1a5eda13a0 Mon Sep 17 00:00:00 2001
From: Jin <qinjin@google.com>
Date: Thu, 6 Oct 2022 09:52:56 -0700
Subject: [PATCH] fix: adding one more pattern to relax the regex check for sts
 and impersonation url endpoints (#1158)

* fix: relax regex for sts and impersonation url with one more pattern

* adding more testcases for invalid url

* chore: update token
---
 google/auth/external_account.py |   2 ++
 system_tests/secrets.tar.enc    | Bin 10324 -> 10324 bytes
 tests/test_external_account.py  |  20 ++++++++++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/google/auth/external_account.py b/google/auth/external_account.py
index a87f92ea4..eb216fb72 100644
--- a/google/auth/external_account.py
+++ b/google/auth/external_account.py
@@ -443,6 +443,7 @@ def validate_token_url(token_url):
             "^sts\\.googleapis\\.com$",
             "^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$",
             "^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$",
+            "^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$",
         ]
 
         if not Credentials.is_valid_url(_TOKEN_URL_PATTERNS, token_url):
@@ -455,6 +456,7 @@ def validate_service_account_impersonation_url(url):
             "^iamcredentials\\.googleapis\\.com$",
             "^iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$",
             "^[^\\.\\s\\/\\\\]+\\-iamcredentials\\.googleapis\\.com$",
+            "^iamcredentials\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$",
         ]
 
         if not Credentials.is_valid_url(
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 2bef7d971ed407a5c67431d403624e65b2c28877..78f7254cb92a2cbd1bdb0b492bb9168b9fe9ff68 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTEJdB@TmuReiXBq3L?~*709=*oKQlai!e(>Z1k*vS$*iPyni{
zhrCLxGYotSes)LNKEcTGo+A~c=&)CV&{*pttenk|#tE_%9sVyD-MFJ9aqML{9FwA5
z0@wso8t-<+lM(*7O;gYnTFKS;pE`PE*kXcJ-O(V>w8rG{IV!Gxg*lKWjf~u$XdnoR
z(FpB(Nre(WHtlqt`lTc_yWE7ToU3=o1gp_WP<qRz_lRf9V(+MPkt65+t(&cJ)Mb1x
zV3o>{%4!i+F9t?qHg%cH<3~8to?lnaj{?>Z8mkWMZ;D4E*f?ISyH;ENEm+0qBH-A(
ztCY^|RIToqYzJVb{tVI>dG#~CiW7g`kS$)`{f*sm-xNXOr7uoF%X8!8jbTVaMn@0|
z(4HTr)?rh9iEq0Z&LX{IV2zGf8;U6V$_CW+I80qwP6&El^}QPTc@K$)%wh~EC#~TB
zRT<aA1lqHo5#&Q??B=w(1zl269f-y)ok*xG@;*W!Dx*P<2+U3=Z6y5TP13cm9(zg*
zp;En!nH<xl7oCSgX5d|jWmZEtC`Cq%{Wm3}+4$!(8H8(GX_=e%xe>cyo7}M3YtetA
z)P>ZESjC4D_Y~fCXL=c}9k~qN>)GeFt792I=y$1dp_k;P+}bdseX8aBc;AV)x#W`0
zb&ZKR>jVRm(%G!(j}ixJ?<P=+T@+7UQ2ZBpbdDL^q=hzME{a?M-LyFr08@Ucr*Wq;
z6c4&DU>z0=%R}<Kj^CSuaj(#<A7{K=clxUZ9@t+!F#EV3=pV&Dvr>9huU)?C)=nW%
zGq>?~jyG!J`fo`q9(wPtWigN^WV2GS=#aAJ+`Sm|Q1SN(UvH$>yOiT7(sOa`aAYYn
zzzlht0=P>rL~k&aC%)Eubr7O(QGcSckVw1oG>_bKNkTlzbixmiXC$7RQCy0j%Ls~u
zk)fV76(VcCeWjmQv5UOdjW(**HH-0ujiM`k*&vfbeOWEDi1`ipNQoYH_0jMGjW~OJ
z%`i0Yfxsq-ZyU^@2V7jg@q_5^)maO^F^t@}q}!Ni_S&95Rod`&=}>8K>Mem5E&R~I
zZus_3#4#zK@I0*r19NNyv?Z_`xcs}69ki9riXj%IIC}D!@V9JxcaGF3W(nmKFY4Q8
zc|i1WKaZUK+h+kLz4)<f`(y@PU~K{CNZ-KNGMGaryliS2rNwdmR&A2%U|4lV+OqkZ
z2`3N-IFZbs0YUC_DvweB+wtEAey0fpXov`JK1I8z14?q;=4BY%5b)2G?Krbq*Km_(
z-K*W@!IUrwuz#L6GW=LQ-}AyGs1@}hy0IA{f1_a!OoJQZCj8TEjD!uvrq68RNNNEs
zL@f78nE+*eB&z3*v<G&g)7e4*&ZN90OsKV-&Mid|^rCu0&sjN*oleRtXQDjDK>0By
z$r5eyf=AZcSSWU6u!9{D6{oo$i%}Jpe<UETjEIfWls(VU<qHQ0^N78t+NdEe87n5q
zgG3%P1Xdx8o=~x9=LW@#bzMQyHE=J6I=D&wO?k+#iIsCl1(;yF{kDTXwNWK><+vyx
z$*M{5>i~R1tFo`BL#Xa699FkHoP_;9iu9eabY$=#lYRC(yR0&P+R{M@YZG5(BaI{{
zcG(AdUxFihGsVrxbvQdzt3Vy-zq@bOUfs<s38^3%TC<gloH>Ae_vSlOug0-L@QJ%;
zejIJ-w}aDt)#IqZZM#st?Mz4#T=%?Kf76{Xz0A1a0QU7^{usw|en^K8j2@0)Gq9~u
zBOAl4L}v680<sYtw_tJ-Oo2>0>rFa>S>HI1HafEh=kt<5{M}YY1>o)J3Ga$bSl;81
ztR(V8FvTzsFYyW#MpYu|k4$P~F~Yh)IhJoEPu4l-85MQm>tyqnsb79qM7*Q#&%<|;
zHC-z*D4PrhS%>t;T&0G=Ahwes%JYWvFm%~tBKzr7F0l537U6Y4V+}+|LNgJ43js)f
zr((5n2`q(Ljb1l5372y!laYg~oICtc`m9Za1hn(=HG7XGk=Sh>$C%l;$&@y<ZNx!9
z>4|HA+bFukFE=ol&mjKAy*tBku(7L%+@I7JZeu*%KmJ;cRXGwZ^>j4Wl!F|EkY*dm
z3>`SHtZfQA$s4kuNL^_dFClZ7Gt~;_3!!>G2Dm9<(hTM;{XsNqNEhTPidfF+tFS9t
z3`ROHG)<{fI&Qq01oN|FX$j?QFma0ec*&k>xn4t(BqjqQ@(-Gnf`;rls~QFnD0Z#f
zS8<`{(U;DXjx=Kh$&FNPP`QSc_mvjKG0XrvVEn~$?!Fnb_QYM-p&<D`vd8ijj;&)f
z?qF?or@KqqmKe#3*y8$Mf^9O=6q$(}<cs6*_Y4@`w?QIVF#r-7OwCp<rVx)h8u!nA
z4un#NO>`f{8A3Lp8G}~_aUZlp)#HDez$!44Pq$uum?US_ghp?%=Su&qXOAc1DM@vH
z%;PVFR@8YGw7iU2xD%)GnuH_@X<0amy?<fdE`lYLJG<IBjqDE{^Do|Pr7@4zqLU@j
zw>nR-7r^SV+olO_2o;sv7@aQ7uhnPk?)|uMy4ltMCcmsjf+QwtK*MFtewOQYTe!n(
zmQ;rUrMLEL6ut<p?eBvaR4g=Ft15=d+YUq47*<iOf!!kqSFs6IS7=)qp_n}iM|if}
zunXkJ2j3t*;Ow2X%54m$YdxUbT>U_;Kd*dQf2)jwAVk)^cp238=X5p|kxIZfN9Jm#
z<o}joz6ClGJ^t}6m;BAN-tE1<DvSm?V})2tL}FSNcH?ul37l(}jdT=T=uNt#{OHa9
zTf&OukqCa8?)jMAv%8|=1r=`cL@|;_qxcS0V=8VOUJfqXA(Px!71T{?`T{eJZx(R#
zQma)kVl&)^#%9!C@pikxIycN{nX&<0*Pc37$08=4nnZ%*I`eLCQl2#838WKc%#RA=
zgRr6H2GfGG3;-r=v#BC0J*zoH@c-KoZkYMsZO+wY^e9<syU-$mXq#}iA-yQ$GULN+
z45W(xpplPeiHsEZZ9x>fRcXot!BLIJrQBp^&B`HqvZYLUV191}-QAwkGkEa@YVzMV
z>F>CtMt3~qo=xFq)K6#sl&;!dg&N(Z8cllT(!E7Qa}F2Qx~*x)?{$BiAHxJCqd!iH
zbG3g_uG%lS+y-qpQA)B}a}}uBhyVQ`)Ozk0`YTqtNWS3IWsF3Q3mExL+q9|!l|*22
zFGYHs`VoH3L#kZzSS>I@!a5yNGDnJF;`XUaaVSn3yb%akf_0BUP)vmDKUjI&N}>b?
zF>x1J*f1n<bJVB6R|a6}|7i;VFQ_!OmOx9xqM4B|9qGbGj65+=>>!s76;ULUJ#nAl
zswc$iX$xupm8)#uR2#{Py!yRWYo#C7q5k@=P5zET<Iz5AC&e{k-=TduG+ECFoCrCc
zUj&O-VVf;a*8u6QiLKyV#@NtkuNq|=JN|!&m=h($n}`xn>#+)+B<AILdv|bkT;w#I
z2iUuWS87{UobrLm7<(s|qR1M*^zoBrB>ayukf3xO<B%#2sU&Chb7<N9=OQbm3?+tT
zm8=tLaxbY_$H|#-Tsb1r&5i^$i3wsR;X}k<XPWK|*sK&yH^}3e45geRfBTi~OB!%E
zo9Hijvt3UI3?><Z^#;|S`SGbZ<F_M%4^=XZ-Q@nN(>F(Q|Bs!OzdBfh<IV+7o)PTE
z=IG9Y7-11^Ju1v*Qe;V<9i3qUyfqK(Z<{U<VsaE$Y>A(fyD|t58!E6Bw5N`ypSpd6
z_M;W|YBKHHwa~5amwUA=EBU80SEpuhXy<`8vJCmxsdaS%>Yh2!e65-_mCp_^+M&Qa
z-5|4ms-qMhzr&1tX$(LR$D%Vn+k{pLGW+(59;Tjrg^;!v&HZvcraKomO{VDtwc?=f
zaDsO%AY#%obw=#HrqxFxqmrG(Im7JUxn63Ak<qcTCg8Lyk>NB=$Z3lzdiC+qR^?ah
z9M@>-5`Lku&*FRbAzoMBUS<T=N*@WlnLR?wk+TJ_jL|%9h{ZSKK?Pm62Xi?l;l*XV
zyKE!PRO8snPXNg?de2}b?|Xo7YnU_i_n`{$5FVYeD^3sU&t<J9VA-lk1fu1F&!mG~
z?!|hhn{YSMcPOq?;`<@|vNPx3^LkH<?Xkp!?ZIf@CvKIv3_xn_iC(nJBtMv{ZJU_f
zVgq>O)L|2bFU`3Jo<LLPBiDPRoJssVq)PI|aZEU(?O{WJ>^)-v<t*(|=LB;;f^*Wn
zz!;8{0SV(kEU?u){PDlb8eGz%05GcDcXu)9W=Qr)>!9I?CByCPQLL{V#uBFH{g7g8
zXRiRd2dRX6#3Xl?$+&nyR0eC&(_}Frxti`}@s%6o>Xf#@)AX#vN}_n<dit*ic@Y7R
zA?ztDLbzRIF?*m{TcBjlqYyr)T7zCNH$80~=K;f0d9fCUCSehnIKM%G<VL7?aTksY
zUW&lBB2k;RK3<8t$co=Tg3=|)U=wk$qZN8EHPCSK)qYr)^sMl**PBqT09{$T^(d09
z);F%JZwl<Ulqd(qFj@7NoVe5046f>w?f?TWYmNNzha;%vXB06??_AS?Sva{r6%n9F
zMQ!K^*?)i}vs?PhF-=A|$lWM?we0aHW}BJ+mA;1cI~1rrD&5Kji_i-Ya|KK1Y%1Th
zo~CMq<L_=6Dvzq37HHdP#stD#NuzqZn9`B_pj-1HcV-K)y$uy$c5g<OnSIiYo|6)K
z&)5*)9ACVYv9*Sq)$vAFA{Ow)=C)Y$Q5^!0GiUSCf`dT-95NxE1J_M<oA_#;Oi4vz
zR;>hP$>H4A*-AuTQXz$Ecw~N;oIEe1Q(P5xw#l<!WbR^170~C(@^fApLjmue15pud
z_qdyZXIW7mb+$E@U20b2K~UkpDD02~4PD2@`BUJ-0)uy1$o3<Ya~bE`{fUIE31_xb
zXnAk|flkpctEzW&>6u?d_EhlUMn?Y(2>P6dh#!tV4Rky2eCWq<@Y2CS3!vwVr3{)`
zM+J8o(NFvdzrwiBgU`#=cShyj62o{iaXRLs|7XH9^9}v$5nG`8`+r#vGQr<V`Z#~o
zC|d2!s@?{OIT?3)WinQx&%Z^z31j|ag=&U<OhT$&2Uw;-Mg1a_8iED}`4kVrLH<7u
zsIRTO<>zzpHdg@F3SBeYMiE`y2|YtD9OkAlw41phXpYV=Zd=fUR=m%Kp4(0WU9aTo
z0GiLwzuRkTn5_B5F!E48`PN$(@A#;KNwv&xA4YN80n)gHy@*m;Otji+G!@gs<ouRd
zDWOue+|Dt#sB<)o@3~6fu0@o*Vq{TT8?LQAI@Q!J{zfsp8?J8*GYVu-bk-@Bd`7Q(
z8Qlt1ZIp(9#=D1^`}m2Xr`VRqxS$^aiu#~iv~vU|@%cGyM}3Nb2rsh@xo=TRH7rm)
zJ8%=wcyVeetX6^52+#u1O2yDOj>q_g3^_BOux~x7o|3(yNz^q&7UrqG{D|*JIwXjh
zpNBTjq<1`;Mt-xt<>Y_kK^?QCxVPXN2p_uvgl}x>=QDq6Azl${&FT}u$V&*m;ww4Y
zY0Mcqr~GM=0un?_eCb+I!ZFeU1KBH`yHTl&vpq~Y{5+u_<IeR^JWPZeZWq)x;Q*YI
zoTI?LVgQUD&Q|ugPQ`HY_c-R1+;Lt)PxXgiOOeS<=s=7H1dM7c$E#r-^$`?HoGxF!
zS<O6ynISHOdKQFy{{K=qvDBv{T=fBYCh+G*xvG#+4lGi^Lhh8YW#<_^qyptP6o`4B
zc;(}CZ#IHYgnDTLcf2C>Cx+0@K32HOijaK{$eIA96!>4rE4`!MybcS^6`+(T<yW-j
zC%H{jgW#BxkAht2unGpI$b~1XYnNK`+p%kVMB{-_pcANX$1Y`HT8g@=EoPFOz5wwK
z{2bi?Q3~IqmvIAwi@Nx*3EfPaJSSE6$i5i16bmo19+zpB^DK(o!gb?WZQ8oJ@9q3x
z$CMs%S6W{tAzoM)EZSY~2IH%yORiL4h{&Yb|LA#JuJdA!5l&N4mv>at^FMx@R?tlg
zQ26@RIImb;nKUQ(b`E_kdzyH(6s6DRT}D0K<3x-l!fqIRpBT2`;xV`4a)LYPJP{14
zU@JNrAhyp4Llj~5izwfnvNIH1b^9bQfe*Y6F0=jwK-Uc4m~6Gy<WBS@kMve!wnXtv
zxa^%G)pr^NZZ#Ymp@+6h)9yD`+=S%3L3rXC<SwAG2`)wR{1;k{dsFglJVgJX%GImN
z{gh4WvjPi9(qBorjb6#k2t+RO#d#qqnBAuBhM*pkc7h(r10fkf1ZVe2mS**Z<<ie|
z-h=Nhc81_*EJ0;Qfd5^=(AwEBcTw&Ab%mO)I+89GFjH8SYE}=vajE$?cgG%h(nL0z
zx%VqTq!@`Dq5>NCmZj>xwe6H1zc8BKJ`M{TE|??WZ<(#kBhiWmBum(1jflRGs&#{b
zcj#O^%{o1F$8-Z^C^(h1R%1Ny->ahls{k;mMnB*l;>LA$d~y7O*lr&YsI~otVROd8
z%*^6;Jvq{rj!5runT?iaGyW98&fX-blNil^jeoPawZ%KTvhMCG{jeavg9VG6%XOv<
zb=<dTTAl|Nx~a`bVUuSb`lUXorq^Y(<^LD!R2QfFA47=;1Gzv#qmFsRT}RI7VzH%t
z6<6Y}dU)>RBn|h%(BS4Q{N6PvF-|EEC-j`u04dLAIqvL@LHdG%>YRn$A?yllaV<_G
zKWnf^nETKuW;xA=$5!0s5QeDxhv3T=MYcm?DMa*0b+Oz(&2!1tR6R?$?zC_&y;B2f
zZ)?}<TP*9Z<Eh#@Ke9!iyXBvT#-cLLN@7mdsZ&~2p?!<ep+!B>orL#8YRQ}S3kot8
z$%44VsU6GhwOiWARHj8_1_v~@>V2C2ml$Y6CE!Oql?t4L<1H)nLP<-amq~i;=QH$2
zHNK>t7s)%QKPy&_uVI@~)C12E9vL=UMg*<g*g*8u{tGJB9q9}x{VG>Gvos1>@h2~|
zbn%ix`K2tDI*y-<%$3k5=g-BOnBnmJ*6hUI(45Msw&gEIBk{9|dJ>ivGgW8X`)c|7
z`#g@|9aBSntj*000%Ucgs59^BObGe=>Jg6zg$>4-wNX03v@HNj*gsc6-X}`&L%>W+
zJuN{}s@LNr$X|H>dFX08)c6(PpqPN+1{t<h_N}}3O{dSCDv;j@_g&cP?~LgN=VL$y
zEB4QtXwOj@Rfsx?P_u1&B0t+0&c_0tEiuC8QKL-vqk3xX)(H@RWely!^30!f#(Y0u
z&a7D_JIxluD@)SK6X%^3^L-CSPR^ufoHKQ+NVX(4h0EW|oWBX%-|_`arfXZubT)-l
zb%+R?J62+w8&2)=*<g)l4FD+-eUNk<APx@eaM|l1Ah8>&elKeUIvi2nh$*Y}(X%Yh
zkFv9fJLHc@%OsDi+u1$)U3obhR;P;mCoNdmEgOep`B_>4*AxdrK1E$~vv-P0?nuOG
zE<t&p-Xl$u^x>~y>WjlbxqeL#!k9L$sn8cEYR)>b8W(=rk;%4ZY*?%}YicAh8LUGt
zMGsR!N(@(U6Z;G}ogZf0Lxf{RJW6E7;fVerz?a@R`P)*}F*>BU8Eud9#J=!V7sdoh
zz51{D<P#_-rwvw*sR)mAt#QhJ(^t$YXl5Q<1c}W`;FD^Il-*EEk*>1K)O|^ZXBR{d
zo@zA`3~WJJt{UIWo{Wf{PFY#W<K&DCWt+*MUypdQgqtHET-<UrgS0Fhhj91TL-3gv
z3^yAW=iZ<b|FAPi5jCNd5^Ezl$~4;53_5Y~Tm89j0&KRGQj$)KK8|-|2^DN{W^^3J
z!!|b$n9nxt4(novx&g@5$R@1Js^M9m99VWZ3`w=pM`;PzxF-`UiWapDH4ixpp%J<N
zSrJ$TTk1^B+g<3P|2Xx9mK_R#2xbcJOgoj=vE90p3mt&9jY&Xc2M^_t`xW(-sN+7C
z(jl8Gl65k%1EjCI)ge(VAxkiLRktS;5THv9-MlAZF<M8wIj@ffq$ET4$f|>VOF172
zpdBdqfyUOr<kKtWZl;nW^whaLe6qV(Ee){uz#};hv>1HyhqQd~UklTCjI4@0kawac
z@x{Ip{7!8&oA0Yu2t*#+P+CUA+YF6B!No%!(ZZ^C*g1uSZ~R$Wvy-z&mp1c+AmTA0
zn}tT5NLV5diOo!x#;Ba$D*`?k{#hr#2YKp8{%16ka@sI#@na*Dr6SO+kR92-a`nmd
zPg8}ttwdx|ZMqm_?s+q>*8f$~=DP5k&3=sy*?rFCz=<8s#Z?T`MSR<IvI&@anG!%<
zfW(MD4jp=?zJ@k4Sf@Kq3%OppCOP<*x-KfSS90t{SPN5~=IC`ZKm4_XWYj0kgQYO|
z-=*tPwLV+e*rkmDT#Oi&FD`Z5Q>@|b&q;wY5Y6Bi)d32H3fC!RrcLPwlqH6yUa<^T
zk8q3u|5Hk?9KY5>m^W-TR{g|uSDx`~)p1xsBg#_52}(ZkwnBEc{}K5KJccb0k#Q>j
z-Jfqu0QAD{>8IdR>A$a7#8#}-NEBq8$056=umd1NM>-;SKLE9rN~TM$hN>EFm$3?X
zGSlrC1=$N0!sJ8rDNC)5PyHgLe5AK+^RtRz)nUblS{<c>sf<)L_6WMzO-1f~>^(4)
z+)r8_o9Yg!c_HPy$4EDK8)cB=cH9(gpnyN*$BPVDlYoePJ44P|2bEFG^2=Y8Pw=sK
zE>r!gDx{4~90!C%Vvt?v^~jxhoDUz2Q|@?k)F(X<j$iQ3wpg6%Vkn|#=EM0uY8`;!
zajD9~+5cnN`McQ6p~#a#L^lk6rH$aj1R27YR3kFW^i-uB3qrJ4MKk^>og8dwUQH^Y
z*%f1IXV~Jc(<U0^eA`jd1)Our7VH01U~ab_dIu{nUj}KV1YhT)E_)bRM-0kY0F6K1
zCBz%dhSFp}cL-FWU_4jQErUrXjt{aI(^<~Q41DTk%taKIps|W_-Z78?6@~GRWbfwp
zz=1VdAO}d^UM6;p@^%m8(lq)N!BUzFn5mPHY^Q{v_}gb%295g7Ay+`3XtT8&`2wdC
z)`d$wvrahiLmsTiUyjNI_w8D4e0~1rj_8?8k{pAB2OGT7MwyBZg|jB1Miv)l6M+{t
z?ojx}5!1(;l#hO`ICjjjByAx`l_T3RnYn*qmn21pJ&Pj~NdNiB_VUOsO+;o$bV~As
zHOC6+!A?gu84U4*Eq+PW5IC7H5C$V}&GVU~50|NhOzmGoKW~{U`4mo4DFF!Y17yQ5
z@a@ZUXqka$aK!%Ddx7WU@ncBmhT}T!uWQ39DvpUg;#*nU8tHVlyN#i%8|JE>!npjB
zccuP{@Dig~j@k-SZk<^n@K=?{YPLtHfSDklu!6UiB_tK%=gX)Jy7rRQV?`)Fi7dqS
zR-%?44%p6*72)DoaK!VmE>A<ULT3U*etwSNG#>7=mNFLBm0BYzNoA1JCaY%(9wAzx
zx&*_E><ml?%=7(hC0Tni5JlQ3Emd_oD3`0two;;CvG<y2(V+P~W3If%TG+gx|0CEF
zf2qWZy|C()7*idT&vlnV&&52%*h4eQ7@7qu=;L9L=$5QX!T!)8WbvD9SU4e5W|<N0
zGG=f_R({vJ@)yLBpze$@t)M2jwm8eVO-@76^KYxE>M3gX4T3s;q$RDmShAyd#JyNk
z9lr8qrq-Y&er*USj~_YD%@O|=2$%rO7+B{?Q=|UIMIlp?<x2Ed7B7qFX@<}XE+OAI
zETd>D&p8=l1>##`*u7NaOvpq;MtAyi>6Axs*ps(!O4_dfyjP7ZZXmL7whn`dKO`{D
z&<KBfmym2^Hh?WjXCudH{PAI-qgIhgNvkD6Vsf-fy10V7z?3_z;#Ew&R`QH@%}{1<
zOOZujOBm{ursWW_)%0DX(Y=tPVg+2n(cW9gn)6AB*9*r&Q)frPu+8mZ9u+D10M8Z{
z61p~xGksk~w5eT2xYdW?#R7M&$pmflbiuZt<5<72U?(M(16w7AiIKm)R3_NbrXJp(
z8}?j_Jl)-T1`(N-zrvT|Cyf5X=um~lcy?n7Yh`0f&`@waW~h@JSUpK7|4$CfBzFjg
zH@?W?q`~A-r`>u}8Z+0EVZk%AH&;pZ?f>{kbtxF8E3uwNGX5!ZbJluaa_X)YZ@{kV
zWU0MUF&mCV-W7v5_36l2Vb^|kST+6g>Siyllw>M&fi$MK@aMepOXHma(2>0&a1KWu
z+WUk`LkTv}=9MC;?ERE77M(|&%j%07s+|YiwC`6H-5`zysCaA59Oo&ypqKao*Gg)g
z1R(jgJSvIWBK#iKP}H7NUwa)6gfb~xxNBAqan_lDvp&8EDDP#(Awz#&BcQta?&n|s
zSqk*RjxxXrT8^zf7{4-wDt5zArrHvE+f>_SCeX5hZHGf_iRAcaVS!+VG-aq&!D!DC
zl9#c(gb|+$)H}NCQCS+C(S^GQ3qE|$6y(DmRcd3q8&-D>7U-OlAi9awv=?9v;@o+5
zUD3~l&>}co!FB(4O}7D9^8%AQT)nWORp*wA#HIQwqDC4+yu-S9@ErF>|D^Nc3mJPC
zcUM48F>`y7{YDITj@7*H9jU@_VUQbzRn>y`fWs;TsH7ar8<KvNuiCU_c+l}X-l>hy
zt;AF}+0$t%V04&Y3oZNnyBu91ru>{r@v;}$@4Rb4<koGXiMdsWsE|%hHJKt0%#|Z<
zM8r%iPp)X+$G+UarqVNreJbt9)j#(-d(|a5Ucp6VphiYT6|$$$JF!r;#@a#wsV1H0
zqSli#w4SvdaATlsUJVgkmPCs7Q*Ri`Bnlb(+}{pQ&P{eg48f*y4?~*_x8i}<C3^U_
z{vYZ1%(QiPR#p+7vlxQQ!6?6G4d#tedFO(M_ZVZjz6l!Dq*W5(enx^hB1uuTCTRn5
zG!RbH{jmjwUi|pP{GPsMNiwTDJ@%(&P4{d>t--)m958i-QTitHGm2?Y^j~V8(h%LK
z^ob&A1;=3}wlmZy5NF|#V>3zue1x4vwH<Cs;H6ZM{b=IyRgv2x_;3EwYia+SAoz&K
zY%iKYEiy>)j&>!r0F#_ac<yoQb<R1T5JJ3cJq+k|Y<4DTYOP|h`q(osau6SHn|%ai
zoA&B4(-A+#ugL+9(1kEhV-t3q8h6<186<QP1<u>@Hv4E9`|{Egir(t+DYqY3hJw5O
zt9%PEm<E>hdo^#qL>qQRaJI}X)lM#2k;hkMIp<fv<UVnaJ%!&m_1Qyu1biW5!wKQb
zwb0?3&p+S9lF|Jn<GJGl<+G<KQ|=f<n{k|xU{bPR0ju$rjq8al8QC!?-%d)cq{1pO
z8?9OFE%oZ1ct!;Os=b+h_p$!U0$EkbzfPjb6}x6LaHkB-$Tc?XBZPH0XP$D#wKPHi
z@zo(WUqQ6FJo>f#$b}j<c5BuScpUi<kKSqDkS02ty#XAUfTzTvF~I2+WP^|G(34u3
zNI0f&Eg66X5m?bV0H`S%#Ov)kt9bA4*(lg-Zxdtuj4oj_c>V}a1nmHbIw$HM^^~wJ
zdmhqfAKb<cGiFeJdt}DX3c^W~J7~HD9W(QAhGC9<l?vU%V#|LCKMRZ=A9JJw6PLiR
zju!7N9^g2Jrs%{y4FFPawo$!yHx$p+3LUjWt6><I??;g)emA{+Bi|N-Px18U3sq(0
zEv)zF45qgtuVo=4+Y?CkdUmeAK8=A_GodlvOAZ=D1f614Q`ktmgoEpIf`w$Xgs|j!
z<}6j?f<n8m5Y7j|ZW8yZ)}9PNfjML$n0dh7o;x$X3Fc;F-0vvpZ>-bYIN8Y~*aPha
z^@CFMV#g8tyKRdzPkKo5WVNk#$L~HJMtI%Uo}lNjq1T2KOl7l&wZ~T?p89U0dr<_t
zAZ1wwkUi)HN{~bS`@I+mNR`H>-V-xjj0^9K41-*+iHDewvFkl}JX?51Zt!D*3elL<
z8GN5H4NU;pmM!t*vnHTr4}V>4Tpq`tc$C|5SV00IN8g@f@dlmQcp!1E_(iw;z7$p2
z!8kz)8|DtbiP6HO!aEt+JiUz!Ke}M3H{B2iZd+l8Wfy?UPQ_K~VI+7>$po-mVPq_n
z0NnfL$3%Qtcnj2}5EosTm>pKTmUEKVp7Eat7P;^_kesAw?aq67OGR7G!~V+p5ML8(
zi*mHn_kGt+GwgdhTI5KRWYp=?H~lVdGTHUOf*1?MEV}^osan1*QsVGv1MQNV@hY+h
zAC6B?17w{%Ile@IPmz+sh5Rj_lsQ}}A|i8_J12{*!-&0w3I5>|xozCpfJpFb<=2z~
zg!)Zatej8LsktWtNO!`nUor;g%?<{lEBxpDEUEko5@Sp!^-MqTxQFL8F5&G2pzb(t
zjQ%tEwFT^KetZ4RhePy8*;jV)qIU<diW%qQdKf5N4PDG-#gRL+sh@lYCO)5$2~WZx
z0)hjReTi5SmOR{4i<N19FAX_hoE#Y-{s1Jd%k{3!A<}B9E(9ghMWiN^j%w+qh^>TW
zFj^h4o@dyaysh3h>vRQ>-WKp%7YqZKfSIPAv(B^pgsadc6#W1uK)od!u3h<5>2?!%
zu^rPNj_8wj?x%SrH|fU{QpW-H|5h^w{p11WL55N`mgDQjgSv4?TW~A1)A(Gl0V-KZ
zGg+mZwi6GO%@N$1gqGnJv3Q@o{#<rb9|lxVK6`Mt1aM^pI{CE47qx{2GtC83gVCf#
zyTw$T6kuzIMnLhDX%c6&hbWJ}DXqu=CD;`TWrG%~wj8b|;NG_FIHVWH!mAL8vrUz8
zWg}=9I)4ZLJf7yd=`db=L=ee8MKZp%qsi?P*hO7NQ0>VbMQ9(zCIlfKoVx0N&uA?s
zQ6f_g8pImu-qJltdr;2)_DMvDLOhI9K2GWKT7ShooA;e|#-C>mW5o13e}6d-O{^dx
zIJ|WX!^=p{H5Lx9`BlMUv}5K+a<}q6DjCU&dyk4PjNkWKVJEs~ce+NvoeUhjux$*O
zu>1+|IW$wMThnpXqYuKE=~KF9Gv(+4Zl^W5wFfmBaVp1Vt8U=X>Aq`O$!y^Ixq9LD
z;z&fC9f4)8xu|h~GgpoqF#u(>IPaard=x+|6NX^0c%R#b2QZYEPxfGBIbAd0Gu<^{
zy#d8HB%`>6$Cr^cU`r7@gRll|-pvFO^Zoo9_iGZtZ#aPUbIc-x);Ow0QlD7q)nW~Q
z`5ey_5kD0D$JJK(DQhP$p=c-ztSx){%F6?AI~jrE&{vEgFyNNg8c7|2vt_Cvv{G5R
z;q_xIK&y44jfU3wXl>q)OgE=dLH5Nc>0SB6Ut(H!=3G}?tmj*P&`}7zaJbFB(hP=t
z0}?;ycsS|XOFG6q9Yo%_=a)Hv*^R*Tzi@?mFy8mU8S>JWYk)CN5}RW#aNt}ujlh)J
zNmXC+kd=^fi?#6+!qKr`X=#d7GOxv~ZNfhcpa5MyRYMYg9e|>#4wf51eRkd<@FCSc
zt-7Jsp>6Fgippr$2cqmG!^Pa;ZA(W~;Gx3WT0*DbyWZx-9Rt?(ebiz~r(kE#m=q8M
zJYg7v7ZZeK6nXC#;(>HEzkZ_BPWEnGy91dCj)02U!}CC0krL}{i#R}ja-@TPo1;c0
m(FEmGkUwT^F)4XOoasezkp<DRBvcJ$Sm=TmwVF3=3J|~^O8cS!

literal 10324
zcmV-aD67{BB>?tKRTFk_w18kmI}y6zOFeg-{S?R+ixu?HNaQlJZHoE6!Qv9CPyni{
zhrF?}jX2I^-%CD~_{MTdln;ysuG!I1$1mI*hedJVkS5(9k4~5XLnMpVs7McE21T$E
zPkfM$FKVuwuyAIFdLw*^1g6PlJ;Gi@|IVX+L!6~s*>^WY^+f!dbA@YT`+8~R+h>1&
zH{e#7zIl0pflh!qv!dgpfCw>fHE?cxj5z#JASSy^5Qd+!uvxVQ1j&QGVz@-!=BsGG
z7z0LVB*5=KD%GSWlua3adV@#L&+M$#Lm<F}A{!IGQHb|gYJ1na)<Asb0YsKe`(}ba
zIZ%G6q!iJoLJ&w~0?Ezw8RILOmz44O$h}2NypL~q<M3{D0F?wh*ew;}>}yxJ^Q<3K
zXN;o&(Pw`cO8647BE7bJ4)D#}Gea9Gyj~TNIbYtRtUo8FWk7*WObE866%{nX^3n-4
z<eR$zXy=JR7rtL$hpRp^7?f7vDZ|ZtuuOexr-G!&ev?NvZ>aQGQLSMIiqO@jnFi0I
zo2{a00Gu-jo~2U~U%A!5Vk_@#u-kVTpJZ~?&IBE8<83HRqK|8EptRE8kfJ34aO${7
zt5~q?eQSH|5*aKCP4Da)MPL!`b;}=cLUe-Vp#bBY<ke*wlogyq#5chotjewFc#$ux
zktJxa0N&!pN<56{abzem*a4a1c|tE~{bIZJRtai==l^KL835o@ONRIM%~TUfiW^)%
za7i>6=y{OMs}u~ELIa+@Bf$%!uX{RRthDJ!q2K9H(mv>1^JPg|jc&8k=Ea=hhB!}h
zDG|jCVK95Y_d`DlaFf4OCZ2DkuXmX`PQgQhq`aHMr%gizDxP8#T|l<~VCk6~SAM?A
zY4OTOV>E-GmIUK;GudckAoDF2a=jjsf;fEaonmm7R3=?>;lA~gzN&Dw$Z};5?6pD1
zXR%lkG;3=uz05!+jKw7h%@fOjhf@R_bJ>O7m1Z+DMM{y>)%<EVk`+M`1)<*x${<t2
z&Q9ObfEc4r#p};qebB}{*$(z?m^-ulNl|FmYx1{Hg;as%Wb;;_-1%OG#G%Asnky0I
z;RHM>d_w7GcNr|z6#e-w$Rk2nQ=k}?OzGXZH;ez+6&FxD|2?V$68*62Yt~e%E7~Ho
z6|d|$P_eT!LX|}xNaHcTN`OgIZ~$6(xjfW-SE5B8QM88^SM02J_aFf2y}X!{ti_w@
zswtLF`xNhGYE<nvxb)KUPhp}?!VpKHn7U|LP+m7pAs5)GpYlzPQ5CaOyAPQHyXYcL
z<p1m-_fUP!1Mt1=RG@|D0aIfz6~~Z~#tG#e9=?B(G{KOMr}W+_$C1+ZG+N=nziutM
zaX>KG5piO2Ikv-LV!@603mLt_2e^z39|epp8rA4l$^mBlrU)8r*gT))?7{^TFD^c+
z29kHHO$NMCnQ<4N!`DI2&bZ1`OWB|d#>)s3?N{c5*;YlN1d%)NfQ5j&<dXR}p%hNJ
zJo&9t*W95kc=>ly$A#-jj$F8zFHMzSf;QL{e0l?pUe%<nQKU`XaBsezhtA1<hhK1v
zoZ`HT-zuO#FD{N0lNDhK!;LoKAji${;hJ}_dQsM45-A_7`XL}Mbp*3HMV2|%BIoac
znV2W?W^y|MBlU~s8Ql6hhl{}^BAwc|OwTmUL_W4BM0j@XRRbkeE^INY=QR`#G76DU
zpwNUB>3$-K({OJlbVXC3iN}kz15R6qS>0-=r3!)@S$n<pKZn3faNHTkO?N^9w@PQe
z+B+9(Oz1mgYsfdU9O~APg(xdVw}SEWUd-!V9T*S^EcZm`M%{<;#|T7|8wBMjUWi+h
zaLz-*)TvCJ+Qg?w4xvy&0>|D@thNnFcnVPig4uCG%?toi*2-5X>XNtfO527&I+7F0
z2yIo&3MvRCy30WdCU#q%j@o4paXhm{Na(!oS)2fL#sG<XnW6qoh;UU51j1{Wylmzc
z-9WkaCF{C2P=8=gI|4aPY&99-S`=UNJ~(@gY(fil8$hYt-N6SEw=w@UH#yFOJKmmD
z=-yc{4d*cC6u{N}W%9(@*tx;WiyQukgjw}m0lWcCN3A`v66njG&5<JYUh5E`^j3&7
z=_nqD*tW<iwOZ<EknuGJ^im;^?@S&Xi{G^2KM6#r0P2D5O>PfW;V`*LD49S@48%w9
ztqq@`=_4df4%;~wd|St>xX&Ea<v?c7XCYv{NWwi-9Hq33q(Lktc0kWFYU8&SIP@V&
zmzL5x%tiL$^I)dy^;R479P}v-53UA~<d;Em$#bN?q8C=^FWF?vfT&o0kPHTX88M9c
z9Yh+G$469&;JW4Uf66O;^bH259?Kl8vaqH&-p;!UXw=^h#Zn^a_bL_C0N6^{%IP$3
zb@gmSv^rHmya#j=tiy71C%0CrA(w{!`l)BePy$%~TE<<X4Itg^^DH~jo~(c1m(1J^
z++2mOakg{FlO;&oIBD1v17kT#Xv}J6GbDHIS*(cO>O>s?oSUkDY|JKJO2to*NN;z7
zUTAJG_-*umn2UtP0xt>y*Q^taD168wi1b=-<{|=xB&A1*x43q9kfE;g=D<<u*Jx}^
z>3ML<@<Q#QW7-e0;Q{jyNamcs{ZsJoVi2m%xXjC+(4Vk8yRR857tfMF{7V3K|LhbS
z8-B&%O>f0V2CyMWnHUt^${A_IQ#aTBita!i*!)_;u{>VI6Ou1)1Hp)%N7_T=P$vik
z8|-c$d!@k!hC8b=wEYOh8T*eBL3)k~3X$N>)DcKEccqtZ0}ot)*B4HoeO42ky>cYR
zc9w}%G{&m{L6Qfq*kRsjSDDDCE13G&fB)?ln;FK*gW@$9LnI|bAMFl*y#x!rVIA6F
zb{?=Yk#RJv&zVW+iDCC;8ociGg*}D;q_q|Ui2-=RIb_59hUM?%mmAbbg|ln+D6H%#
zE{r0n1|DV+j-!!oArxy3X7@2hw@=jV05oA>amE%QSZM}(ZeB`2q@{qz<d*?fmw&z@
z^sC?GEEU4^5hddqN9oN_PhT!6wC3p&#jWhAeX7JMecMpprHMc|>;8n3p=`QNDfTSE
z^HfoOqPCM<WZDfKtoO9;Qr*FEGmP!AaaJvyohlyB{<LE;GJHU2TbOuNyZ4=FnP`4Y
z2tty&|L*fIN8ai8P@!BZfE=fT*AFh4QCz9%<boLdl?jjMD5_a*4r?EoJdM2%eyf%e
zck=tNx&Bj7Gu%MG>D4MY<uZe@#Yw<7tjdH|n1fmVL9Z@WmbJAeiFmkyPVm~NCJ-g1
zXUVmKffe2YgYqkdzEz#L$Lm&^eo>-t5^JrPg+o*A5KV&2T&_h%(frx!9~%B(c#MhL
z*80N;VK-|@Y21k#6es087~&B%vOF&1NoG)ZNuBQqLOwBa7z`u&-o%3ww@>Z)!W)`b
zr5atZ5A1(iYyb7GboVfvx2@|`sO>Z@Y?q<Yj`%UdcjuG8L~3~rZW}|&h_JD+1A|8I
z3!U$1I^YEY?gWqS)(9;q=c;Ll+&^MRFR=9gT1ZnnixLhMz#&F6SkF$$B;cPRcRyru
zT`Tm@s@|}%x8xPP<Y?@P0IXR|)EOZDSFR%&Gkig10#SLyC{v%i2zYYprWLg<UX00x
zc>5R^Vc~)I8~4m1jq0WPuSR#zQM`Fl)pa{6H!)6AM&G-yjLIO6ZE)<<#*&CI{~DoY
zmW`%0H!j?OvYJJR{0>NlSfcvW>)eY(0_+3<m|XPnY<OvuH?LH2B1sLDi+f<1jQK>|
zL|~7>0CIo&fALZ{&r7^#-4hTV2kU=_XD{Ar#hPzb1PAYVA6Q}Il?0TY5+~L3#A<!!
zW0$0CS8$bGsJf-__oJz~K|!;<G2R*q{{&T>SEuFb*MVeNlk?~Z(&=++?{5mRGD~&o
zL<lMTRX&&@y+`l7qrz@>m#p4=Y+0y}k2jizf_T@J?9!%9LTXg&kmkaQh$RRv3M#LT
z1g6VF5D-IyF!m9@zZ6CP(d`%)QPXayit@{%(N^D>;<4?lC7Uh)Z<KGstH*ZCdrRGe
zSjhde7-~k8AO|l{a`TFp<o<2#S|?;T2JX?pZE|N6ZiD46={JVK3S~%2Z_|vo{(Z1o
zG|NUdH6p7xAu7fWdL9wXs0w@Wa=xe$)rI#}K?03c^<6ci6h}<ZeG#)NPMHy^_pMz+
z$K7qP*5H=~i$m(4`H_7y%ChPFHKwYva5{!CCM$h(^2*_8IH2mhBp8io$Eui&r4*}4
zZy$E@HKX^m#NuG_z05k~$6?a}G5wPHR3SS7vG^_g&{dMiM1+x$)W1u>E*(f0w)S$^
zv|i^Z$Yk<@BEiH#9*^L$h_G%!U8h_}3dX6e#YEXqs*3<uy1N5?>eK`_#kSWmA#P3*
z<B7`y6?Er*4>l1u@^;-=bAxw>IN5o|#&I{2@7P&hFnuPRB4yl89=mYdNl2+kn7<Rf
zBwE1t4Stjz9z_@koGB`X0@is)*?F3UJNEG-+lOfgB<Wy~aEzehB_<p`C2yAH^_~VJ
zT?$Bj25=!rZ>6dq=zEkr&xz+`@v${TpIlHu#dKC*pRzWfNJ*N69Bl&AjLp0U{kj{U
zDZ^X@CoI>3kcFO<;6?glpSt_y&EqT&W8v1=WY^`>e(@+kDLs$no{S%uWI?HRfJGLr
z&${XSG23b&*2Mu&cJ99|O{I0*2~mA6%_`xn?aRg<=50fbfGZMmYq;McmeX|c&s$ei
z*8gQ{&=kVm$;#hU+EOV_X14QXc)7ST=Fn5T#py}ih~C`yHyB_z{eFG%`d`h0X}JW6
zUZ~8@*?9m3-*GQgDPIgPG9PB_fkCoL4Q0Jb*j4+0Qjt}ju=NVfy(c;{5@0?aXJOJ&
z(kgkp!w?nW=-_`s4Exu1z4zCj^->}iDu$O3s9{rYR)DK2{`GCxqVX6&EJ9o?>P#s!
zQqR^9KIp=Au^A`9(S-n(tSETj<t+@cPI!Oq3`nC8^TKI+Z~OiemBN}kq%13>PyY${
zpRKg}kx<MfN@9An=txA>9VmWUu9J}j<n|X@a7lir-YpYfsH}gxHPI|+8#5XBufc4m
z%+72XCaz7-h^?Ph^i%w*Bt&dQgGc|(-QtHqTiu*n%24%K<XsIM2kc#mKrF_JgNgnh
zE7wzAMQSa7tiX8Bqfya~GR;?1eJCxW<h8NOf^Y4(aIo&w6_WanGCSB47g%)gweE|?
z$|Rx5ET4fx4+j-`ZL#}s#AtRKKDX6v-N6*Ruag8&xmFA;3nm|bh&xL23Q1vOQ6=pz
zfLR0<rjj_n%SqMiG-@-<`V1OrExTYi`Qo}qy=<8z=cJ}y>B;EJPrs95d;aQ=U9XL-
zKa_$k`_zP7?Q_`{W9$?N?5ftm-mNcx#+mrAV(rOH=`#@_A`}FfPwb4dZoPma2t(~U
z*_yZqWsa@v`#7>fz{gzA+`Y@}ov%2Pmj!&!G`D9Fiho{yz<%c+Gls%u<Cadei)Tmm
z)wMLxy+&r=WUiLDPs>PXQEA?j-*P6dh1=&7BtM}%<y((TWKQmv6RKE|1|)2SwHLFR
z`j6QXt-{ExBt{|0zu)@e(pIBaa5S=q*p8EftV|Xb;E^!|(-;VCfVKyoM-6NcXZqRl
z<s>|cO*H{B3N6=!jGuOUVWR~+rk!lCDCayh&QBa*^@xa>-e;DME33ISgl1v)pCX-f
zr7&B!%x%P3@?MK0XZkd*d8>?Jwsj2!t;x^G)Dc6>M<diZ>CyWx1EnInjQIp~dYKh3
zrM-cc=SLHqk$o+#McQiz{kz%(Zb$!gCrh`|W7)xAgsJ{fN0%Rs((!G1Fk2`dCYKmp
z8@+Cy#IVnIvLKg26D%X(`3|*d|AGjy>Tku`gnw4Hjqxr)NFd8`k?ml(&_Ixj4rkQr
z77bBdhKQd3AN{Y``~(EWq+8-??Hd5edR&@72a$=XrwmmBwtu6H1Wu2B4l}xeT*6jM
zl8(Asacd7DG*m@2Pe<kp4Km;h7ME{|Yyre8!Xvhn^&!sE4@<~Df)domq7eGmp`BE@
zJsAd#S#|MHj#1RMj$=RV-=dkCArInHSdN-zIlpMhUMUJL0&W$^k4{2qWkq<Qfk{yw
z{d7C7TaY_&AD(+ZUtZf~P1!^tp2&a(zoA%!;0&0I9$CiH_RYxm;F;&vG`U}4^U5mf
z%gfB7g^_r(-t9uSbb(OP5;aZOGMDY1T#Zu~R?!87h3*LV?Mj88nn<^#?4020+A;Bw
zB`1zu09nMwq_<Xl8X8WRz%6$tnqAp?ykeEOE_kI8^CkQwFX&q}T^6IG*Kqi`L4e}X
z1eJ2Wp+X!H(2cKtm&UzE)s6?LZ<qV#9yjdmV{?WapDgy$^596V!|8G)8>c^un&LkI
zwk!p^V;`G8KeUZ-HZTathC0oTm$y;S>jMu|-216b6C&Fr9=C7qSpaW%*>YaQSfGKj
z_REV1jC@r16inqdUDT1o!2U34czKL;3d$W{&NfEsf`ki3K2SK(;CE*mr92tY02xKw
z=wqt^{zZ*(+pc|<;G?69MuxU=WADrPIL<`*++&NVsN&=cWoc^RmYeffoYH%?SnB&{
zz%(RY2MHJ`i;?rPcCg@I@g95!00osbgwZi|@`CdD?!$5lYrCi{v9<e9j5F}_VUNz`
zJ<mGgZe0i-)-(7;P2_tJyNA6+5#inG0NdesrEU@a9ZpeLb4#>tJ`cCx1X0!`%Y_H{
z|1s!6aJBm9XJK(R64s5OVv?<cgRheqwuQ4)|4g9AQAivvGHt10p^;AmWJXK*M*s!C
z)A~m+U0JycYr}m6U%02v@<5W)TGvb<DbW$KNCj=g#ZCcp%+<t(`Z5?b{Y@UwXIQBA
zNNm*DzGM%02v~)W{8<8~tre5I=>a{c(XBToDqd#i!)8N+Q~osV*C3VM;7n@-3A)H$
z_X0YXvh=s>!RRVPU|4Rr1~5(4GzG6gp~Wsm%OxMUV6?t7?_Wg>WiI23U*kmlnmo2C
z(iedZ4e|`phZ&r@6Esy!C9(rK1T*NRG@_nD^%cgLze?v->151;Rh2pQuLX~9$M0#m
zb+i5ROQGHK+51_`6|~t|!#~nNCWYtn+Ik`VZc?V<Z?c6B%R14j1<8>;#lk3^le&kL
z`t}(BXnEZDAXp2I(V&=N7=rk-u==B$y32ufdI8Yvi?2)_)WM`;K682z*Et;#;Ahrp
zWHpJXO-0K_rRiIg2pl{UF5bXRld3G^%-KZjr{~{8&LznFPiWXD4%Smjq$2wLO-MZY
zq%{#?%+ddI-y=W1vbHI(4STuKG=9Q7H}!r1y9+ntx;&VP{TcNR#Y9jZ6-b`3qKTqK
zqCzFB?@9}#qSg?$aP{+SlEh!;tIuN)tEHBk7Qx1i2``+hBC$>mZdL}ZeGO0cSMv>Y
z@!VW>WvIAhI=twNCrX{mkDo~m#%0@e#B99%Tb$*}!gg_ga;9mZrt6hy)<9M~y<zL(
zWzsj?4??3}GSPG1S}c~qvpLDbQOTNLOwj#(fr|d_kAuRnlA*BDO^;_ldZH#{4{B68
zQ{7f14%BpZMuvao-F|OPJCRem>i0P=apT|R{#mmf$`~YCbwE&ywSL|=Q;DkY;06h;
z=;<d^YKRvc&_R5>X0+r#f<IvIeVbZrEz<E87ph~=2BJ5+M3=GO@Q9o-%l8&DlUUmp
z6GV;sdw9Cv_@GJ{jKbTxttsx4U;Yj&W2$80VUM!OO`VI1tj@`UkkO#U!^sA0j(Lp;
zoL)vBWvOKb0rq<^ZZZ7x;4RCxb$iLBG@VN-?H|mbDdc>j$>Z=Ym@FIEB3J%a6;x<;
zsxH#_?6j$jCV-JO?8||e!z@}WHU`t(wcaICHA;;$hUzxauH&l_t?(`2;ZwDce$E4>
znZ^xkM#N(g4rC7!E#Z%w3rO>lxmzc8sTD|Z?!+}D-Au*Xp<pw1gej%0gAa!o(5%L@
zt{i1J4Q+h7S1!m>+6w`9vS12yqX;;&$&$N4X4E;RPk(o@u^*dV&Vcq)5#wq$Qss_a
zc@J=u?eAmiw8f4{p3e!`@ZiFDwDZ!skV|;BJLNP*PI=rivxly7z>yG8t^fRjXTm`j
z;veDMqfmcN{+LD~9EPXh7-fuRNT3PO&DlJ8@VpB(QYZ3U8q|b{B8V3P4a-%5<3=t0
zS3PR8yci-!J|OK!v64VAs041)m1ffP(jHW^PeZ?$kH=@IZG$P@d1X#3%))=ZEBTg0
zi5A)DEx+Gg;4w*k_?XCYJd~t#l87{K<&pVG0OGi$!={1=ZAnh@=JMQ^bpH-rkPCs<
zsF;WH(5AJQ8*712F)N12H0v9NabF)Ayz|4uk*^*!y?{3h{r@)Q1WP);GI~V8Ii8H^
ze;~0Rn#n);&WYYv6N|$t><Uv->G>!k{djVS?(O2Zq=9uQD8_eKQe5;RB^l2Nc;0rL
z4hNzhBxY_83zM0w)RKzSki0=r#~-%TNd0-`8xQ$k4R9kTj-s<vx@2V$%|cxcGyydW
zaO;BJm;y)H9l+hkGi^Rd{gD6nF3u(JHx+zI<rkzbnk0e^ZKcw}YC^cEZ%w!#7HZkp
z#m)lP6-psketQ0dAzU0a3b&{!%l5)$i{p+W$zwk3wIxIv_JNa>6K35dUn6#Z2L7n&
z5ZEYlj?7zZ5-#_QL7QV<O;9N+b3xYhs*i;?Y0svRguQ;n-a(hIm5yQ_#!aqN@0Cu|
z484J8NpjZOGXL8ceB@2s;93A#vsx#gTqWQ$>u;nm^SUz2h}cL9<S<ej#rzVIF}jTv
z4P=R@EIkDrvSBRhZdrN3d1lr~H0+@i!jc8K%wX^%j&s=mnIhf0)2gJI`zL*rfb_Z8
zb?+*_J3c%rD2e^iLh`eJ#VG)FoFQ=D%aP2ugES{_rmq)taO@E6MNqGSw^18dk6Fa{
zi*}NL_`UULu3g)~=ztvV0X);ydm-tTCNwZo0C(+v<ErhyesnBxN5QZEx8`ell!ZtL
zOn4A~bz!8~7~e9w<m?9?f5T$i8-dpm&g%{R!>L(}Y*;S(oZIaAfn60RhK$a0-no3S
z<W3*Y{7y)g6h}hsp0u%L7L;G&)T7lbQT*+r^%-zBL29nUIT0+QlN|h~zE^FL!b7D|
zV(@*B-?fGjI{yL2J!Z)2*9~%SEV<sXentETphbOrC?e$ab_VC0=L=l~W{Qrcb(W(y
z3>^o37)|kD8@V84340;|!!Gfl_21R1H0g!Iu;)Ai4=2Y?MdmD>Q4|sKcN&PLIX7hR
z9eV6>F%b=SOHk$K;{%Gk!WGvfDqqlBm)!57Zx^pdg5GU$OjZ^)+)mPY*b<sJbQs(b
zV{Nt6`4{In_WbX6DA@$0PCB6ED@V8IzZG(CmAeEBbms|JnU9-u37{h(a8=So0&=2>
zl9lJu8_qbTKVO*AT%$f{VT2$IdhI;V7XEawWa{UL8cbvX4fvLJmna7Zgy?}#>e>*2
zY{pTwRA4`3pl87`(+iC?lL(e95Lh3*m%|9bLKdaJ!q+CkfSRwRt=sWo`u;ZXJp3$2
zHY{Mw=jtyy{i8q55(FZzyz0~fg--HlACBOC@71#hCKZH{<U}E})Gc!@4#Drw&mKX0
zX3VT-0TX1xHp*S{aRvgtg>?`cZ9Lw1F@c0wGu!<SL)=+w7hT!S5qM6?W(bhE<ipp?
zt!*{QcnQV@JpNFc+HhKy>#=ka{Xg}t8Zj48CL!f1$R~f^2;eq?ZWJ(f*DkX>*gW0R
z=B7uvhV%>?d6I|^B341WITNTdgYNpL(L$8xboKv#u2oxXwMwWk>n4_T-F3<1#SmrO
zwV4tLSj*X>%J97^l|G;Znqlm=*<=LC=0D@)%g%-N`gs-2-{6#{A5o1B?8rB$mFN+^
zC6jUbY?(9w)9*&ORHWRQBDY%8wFybBuyLDN*tci1WoV&=LG$IjFn>7}&&>J3kWN^~
ze3BH>GP^3jWt5l5T|pddrZc85axF2fDMvCGbr1H=<GF$bphN4s=CN$@jm96~=q~}V
zr6rRs3@W3u{jg4Ljg*3!Q;bh$|0hil+L?xhF8=z!!<&~55=<k05;Yag75{~h8>>Vm
zPxrhEeA8EUCN5jKrwr}&$%o1KxpmUomOPJD8d+K;w0;EgB?|%pB1UC15*hqeXZ9SX
z+AUTZ{SUvo+r(rhLjVk%xGV_~t|eMO_a-ohtEWzn(;AH7kVpzacG-~~3MNIkhA`7k
zqO#8MP&6SdEQg;PZcY{Xy;0c<(}C2>r5N>gu@)MLow8BWBs`Vw;O+XB_E-7-rOhox
z!|P9PvpLG|I9vEljk?Z|FrAI<Jt-hcQyYXEs9i5MaJU3kQb=GlDb0wSRMzex`kuk9
zYd*4sYS9yt)Jbo-f(p^4zrBuAiw9(`gZMwpnpz(2;kZ2yf$DqzHLg<4PK2AToOolE
zhp$msU2J!06`_e6glxAWhS3Z$9+G9@lxt@WQDJp~K>pg6m%HDj?;S>peFyr)^^J4p
z$5R8M@HzEh2z9I{tP|H*?1BZf-l4`un}^fW_X*#B-#Qf|90gPOyVz<jMqn*djBVzt
z24b8ScICEXI<`QMg)>7u{209@hAr0k|7{Z;lNLn-J$3#$db>3rb$tjpQR|yd-Y%0N
zJCLoJQ>5sk!9f!ps@=aghb|)!nV_-k*?rQzjQZp5g(6PY0n7?xw~n3z5Lu*q1Atn-
z-4_#hBx%u~G=1P|eXl`c+c9k!r<I8zX@*?b{q#Fodz^FospH<ohd^8s?(+C51|wsW
zVP|wrd_fmoeP8a&j|kkaw!^#&=~L!cHCXQAJO~~zH6IcXEu$DN8;$30K1VOSm-`sM
z?VW?6RcMaXccjuZsx-wQT%~p9o(%IWo9j`O58K}<fI%Ck`W?51T11ONpwd?>9|b=3
z^vs~b$m&QxX8S_r7QOPu0r5aAq2he)X>mrf2)Hbw@A;_p=g;;ZfbE+=kzX(wF(@+|
zPD<@{*fXf8=tpVfa4@r%c``magq?J^=&F}23iRY)yqacd;Y6Fp7BtwCm>SUMDyVeE
zka3+M<%Mb&!%w&wP8Dw(#``OYGG43us>E!8$QKbWlgF{+PPGyZEA7?5-=7j)gH`x+
zE5MTZV=LfsJac;3C02pk(RJ*s@but9kh+9X@mxiXpYdm4RvVdkm9&8-tHGoK)koPx
zb704{X<NXkp#3{qI51?bgRczc!&EG*)|~ZaCgG9OdH|jnbbQ<{fSyW|1ZY50WGWkF
zlAy%iD;qOuoI@w0r<zlKQtAziC-TMl-0ts?fWr;Pn#s;uY5714v?oU7MZ6L`#>r{+
zDZZ1_Y4zCYv@pZj@IPVw=$&Nf@d#ADxj&8rU*^GIJx{YvS5&99vrE6{p0VbNO=V{{
zclCV-Q|lA5Teo}KxBcke&h;<+D}vUc#G>YY=FzV?0<EDX*3$V~+k$zQuQo7&tM8*8
z@?;5<=$9XwXIuNL;1c2HJGHf1c4ztPY1Er((bww**=F{EL+O2U`0KwTS3v#Sv+_+J
zPrikR16Tf&q~kPMPSH*qxcFFg!Eip#^%qK3d_#oYBxe_O{v0grZ-HT!3I&L2lCxcZ
zFKju?s`!8k<#XfYzXo;TB9izB@szEeDZTPIQdv*a+;d&PGoVa=WTz`N%B2`60R9{)
zFL`GP!meYY_43^Y3H{W~Cya^z=L?d2i4=nqzLJHxrKa90%&L9&|LkvP{k*}rWYhYm
zIfY9i4$=cURQq~Pf_7y<bTDk_1;kJko+2aEtNNChK7v0#hnZYK2Tov4N-1$l*3@AO
z>Fp`N3~io!zDt}|WK03m9KHw0(U;re<BY>_kY2hTO5^$efu<<zQ6Vb>P8UPqViTuk
zyrUG?t<tU<r=&GZTZYhobe?F1HFC`00MA)pwY^-HUUv^P!9#rP*IGIagjFGuB{SeG
zb#F)2jUe~oq56eSjUs`G5?ik_(LLY7vD1Dw`28as=$qrjWyR9C>c#K^%7hJLGNY6=
z{<pq)%>*;a9!o!^1}Gdh#CVe8j#ypb$e=`)PB9#2ybxl9!#i7m)2P{a+26*emEF>Y
zIkbkRUNn|}+bgMWmR=H&4M=9Pk*CosYw9}h6P!}Zov=I!r9KE4?OG+$m$-9Ck(Pi!
zOxO%Ed<ZI*8%|cre|G;K`pGV8jOXUaQHM*yGa8^D5%za-Fjtcw6kDF~8@3uvjXTxY
zMzUblhXe|{KVg_WLTPpNmg8U2biJSswatuj#gPU_D~n|rMec-qc&956GnQS1Wqlkz
zC;fSdapH9?d)L6;XJlq3;bwE$O#pV&Z(X-LvKo_onO95)F+7F$D=wbnmh7Aya84Oz
zhNbpHpNi_z3>3`PTSc>25)<)`SQz2HkFR|{uuRPPIwbaAPoIC;S2JmnfB2W5_gh*e
zjZ^MzH-#Ax|F0fv?&ekG*^o1KmU(%GTpM9#(J44%tsJ$`C$_k%#TmI%Ag!m2ER3*b
z7x$&&Rx9k7`aC%jX>0aZra8d~Rd|2^aoWX&WXi;wq9Z0prGEcTv`cOpKxAUK0EmWF
zfVQglqm|^MC;;ZW?EB7oa{3SvXR~=jf0xUu+alu>_Dr3n0A8`0l&@`AjX%wmr93!F
z2L_$19N(<_5FOS9+y8vmR+t;*;>?v6h0U20PgXq~H4{JfF&}t{ib=PM$B>!RLqy$6
zR0DS1Jo13i9tQW30Ct(5^h+KR<$mZ%UbeNd;vsWW?_wX1mYRFqW)NYz8XGfGzg!c_
zXtHI2?#o_T&vhyYbu<2EQiz5fOuZf!X7%nfNo)ywD{ac3bz+e@%8-^&?t8wLzTrl|
z&|9QktxM?(Bc%3G0u-t*e&eN2q9D#E8q4%bZA1utiVgX&TAgQgID~p<%>bv`J;p86
z3{}6)qYqvZ29x3Q9cbf=IO}ch_bL5iY?Npu63tKY=M*X4<uK#%Do8kQj-fu--@kK4
zW+ck;Yf_#V0}GgUI*~hCNrIup6oc;zuua<#D(+LgZhWT}{$|Uk)9Kpy8_>$M%Wi0~
z-#}1dT%LW<D2Ext@W#KAWa@*=v!n9{`Hdf-^VhWAk1#ApoLSeU+J+|BsYHhVBB;<G
zSqnb6Vdl{#)UHbGqIjmuCv}~ZkBQBNf^^{h!{lHTkQ^~>PnmM#>Jw_vLM462P~xKR
zNS&HxzKQeZf?kJ}vIzCQhGpHWJBVXD)sD`nS~UHRy&qk=aC)rA{5UjP7{mtlN!uxn
zzy240|4rW^%v-}@gCTPGSd~EWJ3?*QDv4XjA)Tl&YeIY~FBF!xydWlA^v{m4W0}-r
zoQ#_a<E*njKsRxLNO(nA6~e}rsK3z6a&gpwHTGpI!7+U$fC7o31pSqbvcJK|cItdN
z9?X_0&6@b`0C6R=rCuj}IJ65+>7+k2W2ol0K>R1^J!L!fN9h8V*Dr(UVfT!(mmq^3
zA_9)pdb;qlZ&0o;R~UH!2sfinORU?XL0-<Pg4*4&kCjY`1FKH&sQ5EY0@vY673kqm
zMgs8JcxN-O*r1Div*?d4a=8wpiSGvl;d*Y#$+YK0mRc^08lm#P3NC}GY#+|JH5DHd
m&ObF%dEF$+FWh>^-+5=<TwR_47^&zpSF)X6t{<&CK!`8<HYl3_

diff --git a/tests/test_external_account.py b/tests/test_external_account.py
index a289b5df9..920aa34ea 100644
--- a/tests/test_external_account.py
+++ b/tests/test_external_account.py
@@ -289,6 +289,7 @@ def test_valid_token_url_shall_pass_validation(self):
             "https://us-east-1-sts.googleapis.com",
             "https://US-WEST-1-sts.googleapis.com",
             "https://us-west-1-sts.googleapis.com/path?query",
+            "https://sts-us-east-1.p.googleapis.com",
         ]
 
         for url in valid_urls:
@@ -316,6 +317,15 @@ def test_invalid_token_url_shall_throw_exceptions(self):
             "https://us- -1.sts.googleapis.com",
             "https://-sts.googleapis.com",
             "https://us-east-1.sts.googleapis.com.evil.com",
+            "https://sts.pgoogleapis.com",
+            "https://p.googleapis.com",
+            "https://sts.p.com",
+            "http://sts.p.googleapis.com",
+            "https://xyz-sts.p.googleapis.com",
+            "https://sts-xyz.123.p.googleapis.com",
+            "https://sts-xyz.p1.googleapis.com",
+            "https://sts-xyz.p.foo.com",
+            "https://sts-xyz.p.foo.googleapis.com",
         ]
 
         for url in invalid_urls:
@@ -335,6 +345,7 @@ def test_valid_service_account_impersonation_url_shall_pass_validation(self):
             "https://us-east-1-iamcredentials.googleapis.com",
             "https://US-WEST-1-iamcredentials.googleapis.com",
             "https://us-west-1-iamcredentials.googleapis.com/path?query",
+            "https://iamcredentials-us-east-1.p.googleapis.com",
         ]
 
         for url in valid_urls:
@@ -362,6 +373,15 @@ def test_invalid_service_account_impersonate_url_shall_throw_exceptions(self):
             "https://us- -1.iamcredentials.googleapis.com",
             "https://-iamcredentials.googleapis.com",
             "https://us-east-1.iamcredentials.googleapis.com.evil.com",
+            "https://iamcredentials.pgoogleapis.com",
+            "https://p.googleapis.com",
+            "https://iamcredentials.p.com",
+            "http://iamcredentials.p.googleapis.com",
+            "https://xyz-iamcredentials.p.googleapis.com",
+            "https://iamcredentials-xyz.123.p.googleapis.com",
+            "https://iamcredentials-xyz.p1.googleapis.com",
+            "https://iamcredentials-xyz.p.foo.com",
+            "https://iamcredentials-xyz.p.foo.googleapis.com",
         ]
 
         for url in invalid_urls: