2018-11-11 12:41:48 +00:00
|
|
|
|
"""Wrapper for ldap3 to easily manage user"""
|
2020-09-21 09:04:26 +00:00
|
|
|
|
from enum import IntFlag
|
|
|
|
|
|
from re import split
|
2019-10-11 10:53:48 +00:00
|
|
|
|
from typing import Any, Dict, Optional
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
|
|
|
|
|
import ldap3
|
|
|
|
|
|
import ldap3.core.exceptions
|
2020-02-19 15:20:33 +00:00
|
|
|
|
from django.db.utils import IntegrityError
|
2020-02-20 16:23:05 +00:00
|
|
|
|
from structlog import get_logger
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
2020-02-18 09:13:05 +00:00
|
|
|
|
from passbook.core.exceptions import PropertyMappingExpressionException
|
2019-10-11 10:53:48 +00:00
|
|
|
|
from passbook.core.models import Group, User
|
2020-02-18 09:13:05 +00:00
|
|
|
|
from passbook.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
2019-10-04 08:08:53 +00:00
|
|
|
|
LOGGER = get_logger()
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
2020-09-21 09:04:26 +00:00
|
|
|
|
NON_ALPHA = r"~!@#$%^&*_-+=`|\(){}[]:;\"'<>,.?/"
|
|
|
|
|
|
RE_DISPLAYNAME_SEPARATORS = r",\.–—_\s#\t"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class PwdProperties(IntFlag):
|
|
|
|
|
|
"""Possible values for the pwdProperties attribute"""
|
|
|
|
|
|
|
|
|
|
|
|
DOMAIN_PASSWORD_COMPLEX = 1
|
|
|
|
|
|
DOMAIN_PASSWORD_NO_ANON_CHANGE = 2
|
|
|
|
|
|
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 4
|
|
|
|
|
|
DOMAIN_LOCKOUT_ADMINS = 8
|
|
|
|
|
|
DOMAIN_PASSWORD_STORE_CLEARTEXT = 16
|
|
|
|
|
|
DOMAIN_REFUSE_PASSWORD_CHANGE = 32
|
|
|
|
|
|
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
2019-10-10 15:36:09 +00:00
|
|
|
|
class Connector:
|
2018-11-26 17:12:04 +00:00
|
|
|
|
"""Wrapper for ldap3 to easily manage user authentication and creation"""
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
2019-10-10 15:36:09 +00:00
|
|
|
|
_source: LDAPSource
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
2018-11-26 17:12:04 +00:00
|
|
|
|
def __init__(self, source: LDAPSource):
|
|
|
|
|
|
self._source = source
|
2018-11-11 12:41:48 +00:00
|
|
|
|
|
2019-10-11 10:53:48 +00:00
|
|
|
|
@property
|
|
|
|
|
|
def base_dn_users(self) -> str:
|
|
|
|
|
|
"""Shortcut to get full base_dn for user lookups"""
|
2020-05-23 20:01:38 +00:00
|
|
|
|
if self._source.additional_user_dn:
|
|
|
|
|
|
return f"{self._source.additional_user_dn},{self._source.base_dn}"
|
|
|
|
|
|
return self._source.base_dn
|
2019-10-11 10:53:48 +00:00
|
|
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
|
def base_dn_groups(self) -> str:
|
|
|
|
|
|
"""Shortcut to get full base_dn for group lookups"""
|
2020-05-23 20:01:38 +00:00
|
|
|
|
if self._source.additional_group_dn:
|
|
|
|
|
|
return f"{self._source.additional_group_dn},{self._source.base_dn}"
|
|
|
|
|
|
return self._source.base_dn
|
2019-10-11 10:53:48 +00:00
|
|
|
|
|
|
|
|
|
|
def sync_groups(self):
|
|
|
|
|
|
"""Iterate over all LDAP Groups and create passbook_core.Group instances"""
|
2019-10-11 11:41:12 +00:00
|
|
|
|
if not self._source.sync_groups:
|
2020-05-23 20:01:38 +00:00
|
|
|
|
LOGGER.warning("Group syncing is disabled for this Source")
|
2019-10-11 11:41:12 +00:00
|
|
|
|
return
|
2020-05-23 20:01:38 +00:00
|
|
|
|
groups = self._source.connection.extend.standard.paged_search(
|
2019-10-11 10:53:48 +00:00
|
|
|
|
search_base=self.base_dn_groups,
|
|
|
|
|
|
search_filter=self._source.group_object_filter,
|
|
|
|
|
|
search_scope=ldap3.SUBTREE,
|
2019-12-31 11:51:16 +00:00
|
|
|
|
attributes=ldap3.ALL_ATTRIBUTES,
|
|
|
|
|
|
)
|
2019-10-11 10:53:48 +00:00
|
|
|
|
for group in groups:
|
2019-12-31 11:51:16 +00:00
|
|
|
|
attributes = group.get("attributes", {})
|
2020-07-10 18:10:51 +00:00
|
|
|
|
if self._source.object_uniqueness_field not in attributes:
|
|
|
|
|
|
LOGGER.warning(
|
|
|
|
|
|
"Cannot find uniqueness Field in attributes", user=attributes.keys()
|
|
|
|
|
|
)
|
|
|
|
|
|
continue
|
|
|
|
|
|
uniq = attributes[self._source.object_uniqueness_field]
|
2019-10-11 10:53:48 +00:00
|
|
|
|
_, created = Group.objects.update_or_create(
|
2020-07-10 18:10:51 +00:00
|
|
|
|
attributes__ldap_uniq=uniq,
|
2019-10-11 11:41:12 +00:00
|
|
|
|
parent=self._source.sync_parent_group,
|
|
|
|
|
|
defaults={
|
2019-12-31 11:51:16 +00:00
|
|
|
|
"name": attributes.get("name", ""),
|
|
|
|
|
|
"attributes": {
|
2020-07-10 18:10:51 +00:00
|
|
|
|
"ldap_uniq": uniq,
|
2019-12-31 11:51:16 +00:00
|
|
|
|
"distinguishedName": attributes.get("distinguishedName"),
|
|
|
|
|
|
},
|
|
|
|
|
|
},
|
|
|
|
|
|
)
|
|
|
|
|
|
LOGGER.debug(
|
|
|
|
|
|
"Synced group", group=attributes.get("name", ""), created=created
|
2019-10-11 10:53:48 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
def sync_users(self):
|
|
|
|
|
|
"""Iterate over all LDAP Users and create passbook_core.User instances"""
|
2020-05-23 20:01:38 +00:00
|
|
|
|
if not self._source.sync_users:
|
|
|
|
|
|
LOGGER.warning("User syncing is disabled for this Source")
|
|
|
|
|
|
return
|
|
|
|
|
|
users = self._source.connection.extend.standard.paged_search(
|
2019-10-11 10:53:48 +00:00
|
|
|
|
search_base=self.base_dn_users,
|
|
|
|
|
|
search_filter=self._source.user_object_filter,
|
|
|
|
|
|
search_scope=ldap3.SUBTREE,
|
2019-12-31 11:51:16 +00:00
|
|
|
|
attributes=ldap3.ALL_ATTRIBUTES,
|
|
|
|
|
|
)
|
2019-10-11 10:53:48 +00:00
|
|
|
|
for user in users:
|
2019-12-31 11:51:16 +00:00
|
|
|
|
attributes = user.get("attributes", {})
|
2020-07-10 18:10:51 +00:00
|
|
|
|
if self._source.object_uniqueness_field not in attributes:
|
|
|
|
|
|
LOGGER.warning(
|
|
|
|
|
|
"Cannot find uniqueness Field in attributes", user=user.keys()
|
|
|
|
|
|
)
|
2020-02-19 15:20:33 +00:00
|
|
|
|
continue
|
2020-07-10 18:10:51 +00:00
|
|
|
|
uniq = attributes[self._source.object_uniqueness_field]
|
2020-02-19 15:20:33 +00:00
|
|
|
|
try:
|
2020-05-23 20:01:38 +00:00
|
|
|
|
defaults = self._build_object_properties(attributes)
|
2020-02-19 15:20:33 +00:00
|
|
|
|
user, created = User.objects.update_or_create(
|
2020-05-23 20:01:38 +00:00
|
|
|
|
attributes__ldap_uniq=uniq, defaults=defaults,
|
2020-02-19 15:20:33 +00:00
|
|
|
|
)
|
|
|
|
|
|
except IntegrityError as exc:
|
|
|
|
|
|
LOGGER.warning("Failed to create user", exc=exc)
|
|
|
|
|
|
LOGGER.warning(
|
|
|
|
|
|
(
|
|
|
|
|
|
"To merge new User with existing user, set the User's "
|
|
|
|
|
|
f"Attribute 'ldap_uniq' to '{uniq}'"
|
|
|
|
|
|
)
|
|
|
|
|
|
)
|
|
|
|
|
|
else:
|
|
|
|
|
|
if created:
|
|
|
|
|
|
user.set_unusable_password()
|
|
|
|
|
|
user.save()
|
|
|
|
|
|
LOGGER.debug(
|
|
|
|
|
|
"Synced User", user=attributes.get("name", ""), created=created
|
|
|
|
|
|
)
|
2019-10-11 10:53:48 +00:00
|
|
|
|
|
|
|
|
|
|
def sync_membership(self):
|
|
|
|
|
|
"""Iterate over all Users and assign Groups using memberOf Field"""
|
2020-05-23 20:01:38 +00:00
|
|
|
|
users = self._source.connection.extend.standard.paged_search(
|
2019-10-11 11:41:12 +00:00
|
|
|
|
search_base=self.base_dn_users,
|
|
|
|
|
|
search_filter=self._source.user_object_filter,
|
|
|
|
|
|
search_scope=ldap3.SUBTREE,
|
|
|
|
|
|
attributes=[
|
|
|
|
|
|
self._source.user_group_membership_field,
|
2019-12-31 11:51:16 +00:00
|
|
|
|
self._source.object_uniqueness_field,
|
|
|
|
|
|
],
|
|
|
|
|
|
)
|
2019-10-11 11:41:12 +00:00
|
|
|
|
group_cache: Dict[str, Group] = {}
|
|
|
|
|
|
for user in users:
|
2019-12-31 11:51:16 +00:00
|
|
|
|
member_of = user.get("attributes", {}).get(
|
|
|
|
|
|
self._source.user_group_membership_field, []
|
|
|
|
|
|
)
|
|
|
|
|
|
uniq = user.get("attributes", {}).get(
|
|
|
|
|
|
self._source.object_uniqueness_field, []
|
|
|
|
|
|
)
|
2019-10-11 11:41:12 +00:00
|
|
|
|
for group_dn in member_of:
|
|
|
|
|
|
# Check if group_dn is within our base_dn_groups, and skip if not
|
|
|
|
|
|
if not group_dn.endswith(self.base_dn_groups):
|
|
|
|
|
|
continue
|
|
|
|
|
|
# Check if we fetched the group already, and if not cache it for later
|
|
|
|
|
|
if group_dn not in group_cache:
|
2019-12-31 11:51:16 +00:00
|
|
|
|
groups = Group.objects.filter(
|
|
|
|
|
|
attributes__distinguishedName=group_dn
|
|
|
|
|
|
)
|
2019-10-11 11:41:12 +00:00
|
|
|
|
if not groups.exists():
|
2019-12-31 11:51:16 +00:00
|
|
|
|
LOGGER.warning(
|
|
|
|
|
|
"Group does not exist in our DB yet, run sync_groups first.",
|
|
|
|
|
|
group=group_dn,
|
|
|
|
|
|
)
|
2019-10-11 11:41:12 +00:00
|
|
|
|
return
|
|
|
|
|
|
group_cache[group_dn] = groups.first()
|
|
|
|
|
|
group = group_cache[group_dn]
|
|
|
|
|
|
users = User.objects.filter(attributes__ldap_uniq=uniq)
|
2020-09-15 20:37:31 +00:00
|
|
|
|
group.users.add(*list(users))
|
2019-10-11 11:41:12 +00:00
|
|
|
|
# Now that all users are added, lets write everything
|
|
|
|
|
|
for _, group in group_cache.items():
|
|
|
|
|
|
group.save()
|
|
|
|
|
|
LOGGER.debug("Successfully updated group membership")
|
2019-10-11 10:53:48 +00:00
|
|
|
|
|
2019-12-31 11:51:16 +00:00
|
|
|
|
def _build_object_properties(
|
|
|
|
|
|
self, attributes: Dict[str, Any]
|
|
|
|
|
|
) -> Dict[str, Dict[Any, Any]]:
|
|
|
|
|
|
properties = {"attributes": {}}
|
2019-10-11 10:53:48 +00:00
|
|
|
|
for mapping in self._source.property_mappings.all().select_subclasses():
|
2020-02-19 15:20:33 +00:00
|
|
|
|
if not isinstance(mapping, LDAPPropertyMapping):
|
|
|
|
|
|
continue
|
2020-02-17 16:55:48 +00:00
|
|
|
|
mapping: LDAPPropertyMapping
|
2020-02-18 09:13:05 +00:00
|
|
|
|
try:
|
2020-06-05 10:00:27 +00:00
|
|
|
|
value = mapping.evaluate(user=None, request=None, ldap=attributes)
|
|
|
|
|
|
if value is None:
|
|
|
|
|
|
continue
|
2020-09-15 19:08:10 +00:00
|
|
|
|
object_field = mapping.object_field
|
|
|
|
|
|
if object_field.startswith("attributes."):
|
|
|
|
|
|
properties["attributes"][
|
|
|
|
|
|
object_field.replace("attributes.", "")
|
|
|
|
|
|
] = value
|
|
|
|
|
|
else:
|
|
|
|
|
|
properties[object_field] = value
|
2020-02-18 09:13:05 +00:00
|
|
|
|
except PropertyMappingExpressionException as exc:
|
2020-02-19 15:20:33 +00:00
|
|
|
|
LOGGER.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
|
2020-02-18 09:13:05 +00:00
|
|
|
|
continue
|
2019-10-11 11:41:12 +00:00
|
|
|
|
if self._source.object_uniqueness_field in attributes:
|
2019-12-31 11:51:16 +00:00
|
|
|
|
properties["attributes"]["ldap_uniq"] = attributes.get(
|
|
|
|
|
|
self._source.object_uniqueness_field
|
|
|
|
|
|
)
|
|
|
|
|
|
properties["attributes"]["distinguishedName"] = attributes.get(
|
|
|
|
|
|
"distinguishedName"
|
|
|
|
|
|
)
|
2019-10-11 10:53:48 +00:00
|
|
|
|
return properties
|
|
|
|
|
|
|
2020-07-10 18:10:51 +00:00
|
|
|
|
def auth_user(self, password: str, **filters: str) -> Optional[User]:
|
2018-11-11 12:41:48 +00:00
|
|
|
|
"""Try to bind as either user_dn or mail with password.
|
|
|
|
|
|
Returns True on success, otherwise False"""
|
2019-10-11 10:53:48 +00:00
|
|
|
|
users = User.objects.filter(**filters)
|
|
|
|
|
|
if not users.exists():
|
2018-11-26 17:12:04 +00:00
|
|
|
|
return None
|
2019-10-12 12:00:34 +00:00
|
|
|
|
user: User = users.first()
|
2019-12-31 11:51:16 +00:00
|
|
|
|
if "distinguishedName" not in user.attributes:
|
|
|
|
|
|
LOGGER.debug(
|
|
|
|
|
|
"User doesn't have DN set, assuming not LDAP imported.", user=user
|
|
|
|
|
|
)
|
2018-11-11 12:41:48 +00:00
|
|
|
|
return None
|
2019-10-12 12:00:34 +00:00
|
|
|
|
# Either has unusable password,
|
|
|
|
|
|
# or has a password, but couldn't be authenticated by ModelBackend.
|
|
|
|
|
|
# This means we check with a bind to see if the LDAP password has changed
|
|
|
|
|
|
if self.auth_user_by_bind(user, password):
|
|
|
|
|
|
# Password given successfully binds to LDAP, so we save it in our Database
|
|
|
|
|
|
LOGGER.debug("Updating user's password in DB", user=user)
|
2020-09-21 09:04:26 +00:00
|
|
|
|
user.set_password(password, signal=False)
|
2019-10-12 12:00:34 +00:00
|
|
|
|
user.save()
|
|
|
|
|
|
return user
|
|
|
|
|
|
# Password doesn't match
|
|
|
|
|
|
LOGGER.debug("Failed to bind, password invalid")
|
|
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
def auth_user_by_bind(self, user: User, password: str) -> Optional[User]:
|
|
|
|
|
|
"""Attempt authentication by binding to the LDAP server as `user`. This
|
|
|
|
|
|
method should be avoided as its slow to do the bind."""
|
2018-11-11 12:41:48 +00:00
|
|
|
|
# Try to bind as new user
|
2019-10-11 10:53:48 +00:00
|
|
|
|
LOGGER.debug("Attempting Binding as user", user=user)
|
2018-11-11 12:41:48 +00:00
|
|
|
|
try:
|
2019-12-31 11:51:16 +00:00
|
|
|
|
temp_connection = ldap3.Connection(
|
2020-05-23 20:01:38 +00:00
|
|
|
|
self._source.connection.server,
|
2019-12-31 11:51:16 +00:00
|
|
|
|
user=user.attributes.get("distinguishedName"),
|
|
|
|
|
|
password=password,
|
|
|
|
|
|
raise_exceptions=True,
|
|
|
|
|
|
)
|
2018-11-26 17:12:04 +00:00
|
|
|
|
temp_connection.bind()
|
2019-10-11 10:53:48 +00:00
|
|
|
|
return user
|
2018-11-11 12:41:48 +00:00
|
|
|
|
except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception:
|
2019-12-31 11:45:29 +00:00
|
|
|
|
LOGGER.debug("LDAPInvalidCredentialsResult", user=user, error=exception)
|
2018-11-11 12:41:48 +00:00
|
|
|
|
except ldap3.core.exceptions.LDAPException as exception:
|
|
|
|
|
|
LOGGER.warning(exception)
|
|
|
|
|
|
return None
|
2020-09-21 09:04:26 +00:00
|
|
|
|
|
|
|
|
|
|
def get_domain_root_dn(self) -> str:
|
|
|
|
|
|
"""Attempt to get root DN via MS specific fields or generic LDAP fields"""
|
|
|
|
|
|
info = self._source.connection.server.info
|
|
|
|
|
|
if "rootDomainNamingContext" in info.other:
|
|
|
|
|
|
return info.other["rootDomainNamingContext"][0]
|
|
|
|
|
|
naming_contexts = info.naming_contexts
|
|
|
|
|
|
naming_contexts.sort(key=len)
|
|
|
|
|
|
return naming_contexts[0]
|
|
|
|
|
|
|
|
|
|
|
|
def check_ad_password_complexity_enabled(self) -> bool:
|
|
|
|
|
|
"""Check if DOMAIN_PASSWORD_COMPLEX is enabled"""
|
|
|
|
|
|
root_dn = self.get_domain_root_dn()
|
|
|
|
|
|
root_attrs = self._source.connection.extend.standard.paged_search(
|
|
|
|
|
|
search_base=root_dn,
|
|
|
|
|
|
search_filter="(objectClass=*)",
|
|
|
|
|
|
search_scope=ldap3.BASE,
|
|
|
|
|
|
attributes=["pwdProperties"],
|
|
|
|
|
|
)
|
|
|
|
|
|
root_attrs = list(root_attrs)[0]
|
|
|
|
|
|
pwd_properties = PwdProperties(root_attrs["attributes"]["pwdProperties"])
|
|
|
|
|
|
if PwdProperties.DOMAIN_PASSWORD_COMPLEX in pwd_properties:
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
def change_password(self, user: User, password: str):
|
|
|
|
|
|
"""Change user's password"""
|
|
|
|
|
|
user_dn = user.attributes.get("distinguishedName", None)
|
|
|
|
|
|
if not user_dn:
|
|
|
|
|
|
raise AttributeError("User has no distinguishedName set.")
|
|
|
|
|
|
self._source.connection.extend.microsoft.modify_password(user_dn, password)
|
|
|
|
|
|
|
|
|
|
|
|
def _ad_check_password_existing(self, password: str, user_dn: str) -> bool:
|
|
|
|
|
|
"""Check if a password contains sAMAccount or displayName"""
|
|
|
|
|
|
users = self._source.connection.extend.standard.paged_search(
|
|
|
|
|
|
search_base=user_dn,
|
|
|
|
|
|
search_filter="(objectClass=*)",
|
|
|
|
|
|
search_scope=ldap3.BASE,
|
|
|
|
|
|
attributes=["displayName", "sAMAccountName"],
|
|
|
|
|
|
)
|
|
|
|
|
|
if len(users) != 1:
|
|
|
|
|
|
raise AssertionError()
|
|
|
|
|
|
user = users[0]
|
|
|
|
|
|
# If sAMAccountName is longer than 3 chars, check if its contained in password
|
|
|
|
|
|
if len(user.sAMAccountName.value) >= 3:
|
|
|
|
|
|
if password.lower() in user.sAMAccountName.value.lower():
|
|
|
|
|
|
return False
|
|
|
|
|
|
display_name_tokens = split(RE_DISPLAYNAME_SEPARATORS, user.displayName.value)
|
|
|
|
|
|
for token in display_name_tokens:
|
|
|
|
|
|
# Ignore tokens under 3 chars
|
|
|
|
|
|
if len(token) < 3:
|
|
|
|
|
|
continue
|
|
|
|
|
|
if token.lower() in password.lower():
|
|
|
|
|
|
return False
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
def ad_password_complexity(
|
|
|
|
|
|
self, password: str, user: Optional[User] = None
|
|
|
|
|
|
) -> bool:
|
|
|
|
|
|
"""Check if password matches Active direcotry password policies
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/en-us/windows/security/threat-protection/
|
|
|
|
|
|
security-policy-settings/password-must-meet-complexity-requirements
|
|
|
|
|
|
"""
|
|
|
|
|
|
if user:
|
|
|
|
|
|
# Check if password contains sAMAccountName or displayNames
|
|
|
|
|
|
if "distinguishedName" in user.attributes:
|
|
|
|
|
|
existing_user_check = self._ad_check_password_existing(
|
|
|
|
|
|
password, user.attributes.get("distinguishedName")
|
|
|
|
|
|
)
|
|
|
|
|
|
if not existing_user_check:
|
|
|
|
|
|
LOGGER.debug("Password failed name check", user=user)
|
|
|
|
|
|
return existing_user_check
|
|
|
|
|
|
|
|
|
|
|
|
# Step 2, match at least 3 of 5 categories
|
|
|
|
|
|
matched_categories = 0
|
|
|
|
|
|
required = 3
|
|
|
|
|
|
for letter in password:
|
|
|
|
|
|
# Only match one category per letter,
|
|
|
|
|
|
if letter.islower():
|
|
|
|
|
|
matched_categories += 1
|
|
|
|
|
|
elif letter.isupper():
|
|
|
|
|
|
matched_categories += 1
|
|
|
|
|
|
elif not letter.isascii() and letter.isalpha():
|
|
|
|
|
|
# Not exactly matching microsoft's policy, but count it as "Other unicode" char
|
|
|
|
|
|
# when its alpha and not ascii
|
|
|
|
|
|
matched_categories += 1
|
|
|
|
|
|
elif letter.isnumeric():
|
|
|
|
|
|
matched_categories += 1
|
|
|
|
|
|
elif letter in NON_ALPHA:
|
|
|
|
|
|
matched_categories += 1
|
|
|
|
|
|
if matched_categories < required:
|
|
|
|
|
|
LOGGER.debug(
|
|
|
|
|
|
"Password didn't match enough categories",
|
|
|
|
|
|
has=matched_categories,
|
|
|
|
|
|
must=required,
|
|
|
|
|
|
)
|
|
|
|
|
|
return False
|
|
|
|
|
|
LOGGER.debug(
|
|
|
|
|
|
"Password matched categories", has=matched_categories, must=required
|
|
|
|
|
|
)
|
|
|
|
|
|
return True
|
