Python passlib.context.CryptContext() Examples

def _get_pwd_context(app):
    pw_hash = cv("PASSWORD_HASH", app=app)
    schemes = cv("PASSWORD_SCHEMES", app=app)
    deprecated = cv("DEPRECATED_PASSWORD_SCHEMES", app=app)
    if pw_hash not in schemes:
        allowed = ", ".join(schemes[:-1]) + " and " + schemes[-1]
        raise ValueError(
            "Invalid password hashing scheme %r. Allowed values are %s"
            % (pw_hash, allowed)
        )
    cc = CryptContext(
        schemes=schemes,
        default=pw_hash,
        deprecated=deprecated,
        **cv("PASSWORD_HASH_PASSLIB_OPTIONS", app=app),
    )
    return cc 

def test_22_to_string(self):
        """test to_string() method"""
        pa = CryptPolicy(**self.sample_config_5pd)
        s = pa.to_string() # NOTE: can't compare string directly, ordering etc may not match
        pb = CryptPolicy.from_string(s)
        self.assertEqual(pb.to_dict(), self.sample_config_5pd)

        s = pa.to_string(encoding="latin-1")
        self.assertIsInstance(s, bytes)

    #===================================================================
    #
    #===================================================================

#=============================================================================
# CryptContext
#============================================================================= 

def test_01_replace(self):
        """test replace()"""

        cc = CryptContext(["md5_crypt", "bsdi_crypt", "des_crypt"])
        self.assertIs(cc.policy.get_handler(), hash.md5_crypt)

        cc2 = cc.replace()
        self.assertIsNot(cc2, cc)
        # NOTE: was not able to maintain backward compatibility with this...
        ##self.assertIs(cc2.policy, cc.policy)

        cc3 = cc.replace(default="bsdi_crypt")
        self.assertIsNot(cc3, cc)
        # NOTE: was not able to maintain backward compatibility with this...
        ##self.assertIs(cc3.policy, cc.policy)
        self.assertIs(cc3.policy.get_handler(), hash.bsdi_crypt) 

def test_12_hash_needs_update(self):
        """test hash_needs_update() method"""
        cc = CryptContext(**self.sample_policy_1)

        # check deprecated scheme
        self.assertTrue(cc.hash_needs_update('9XXD4trGYeGJA'))
        self.assertFalse(cc.hash_needs_update('$1$J8HC2RCr$HcmM.7NxB2weSvlw2FgzU0'))

        # check min rounds
        self.assertTrue(cc.hash_needs_update('$5$rounds=1999$jD81UCoo.zI.UETs$Y7qSTQ6mTiU9qZB4fRr43wRgQq4V.5AAf7F97Pzxey/'))
        self.assertFalse(cc.hash_needs_update('$5$rounds=2000$228SSRje04cnNCaQ$YGV4RYu.5sNiBvorQDlO0WWQjyJVGKBcJXz3OtyQ2u8'))

        # check max rounds
        self.assertFalse(cc.hash_needs_update('$5$rounds=3000$fS9iazEwTKi7QPW4$VasgBC8FqlOvD7x2HhABaMXCTh9jwHclPA9j5YQdns.'))
        self.assertTrue(cc.hash_needs_update('$5$rounds=3001$QlFHHifXvpFX4PLs$/0ekt7lSs/lOikSerQ0M/1porEHxYq7W/2hdFpxA3fA'))

    #===================================================================
    # border cases
    #=================================================================== 

def __init__(self, app):
        """
        Create a passlib CryptContext.

        Args:
            password_hash(str): The name of a valid passlib password hash.
                Examples: ``'bcrypt', 'pbkdf2_sha512', 'sha512_crypt' or 'argon2'``.

        Example:
            ``password_manager = PasswordManager('bcrypt')``
        """

        self.app = app
        self.user_manager = app.user_manager

        # Create a passlib CryptContext
        self.password_crypt_context = CryptContext(
            schemes=self.user_manager.USER_PASSLIB_CRYPTCONTEXT_SCHEMES,
            **self.user_manager.USER_PASSLIB_CRYPTCONTEXT_KEYWORDS) 

def get_user_category(self, user):
        """
        Helper for hashing passwords per-user --
        figure out the CryptContext category for specified Django user object.
        .. note::
            This may be overridden via PASSLIB_GET_CATEGORY django setting
        """
        if user.is_superuser:
            return "superuser"
        elif user.is_staff:
            return "staff"
        else:
            return None

    #=============================================================================
    # patch control
    #============================================================================= 

def hash(self, password):
        """
        Hash the password to store it. If not configured for hashes, this is a no-op.

        :param password:
        :return:
        """
        logger.info('Checking hash on password')

        if self.do_hash:
            logger.info('Hashing password prior to storage')
            context = dict(schemes=['argon2'])
            cc = CryptContext(**context)
            password = cc.hash(password)
        else:
            logger.info('No hash requirement set in config')

        return password 

def __init__(self, context=None, get_user_category=None, **kwds):

        # init log
        self.log = logging.getLogger(__name__ + ".DjangoContextAdapter")

        # init parent, filling in default context object
        if context is None:
            context = CryptContext()
        super(DjangoContextAdapter, self).__init__(context=context, **kwds)

        # setup user category
        if get_user_category:
            assert callable(get_user_category)
            self.get_user_category = get_user_category

        # install lru cache wrappers
        from django.utils.lru_cache import lru_cache
        self.get_hashers = lru_cache()(self.get_hashers)

        # get copy of original make_password
        from django.contrib.auth.hashers import make_password
        if make_password.__module__.startswith("passlib."):
            make_password = _PatchManager.peek_unpatched_func(make_password)
        self._orig_make_password = make_password

        # get other django helpers
        from django.contrib.auth.hashers import is_password_usable
        self.is_password_usable = is_password_usable

        # init manager
        mlog = logging.getLogger(__name__ + ".DjangoContextAdapter._manager")
        self._manager = _PatchManager(log=mlog) 

def check_password(self, user, realm=None, password=_UNSET):
        """Verify password for specified user + realm.

        If ``self.default_realm`` has been set, this may be called
        with the syntax ``check_password(user, password)``,
        otherwise it must be called with all three arguments:
        ``check_password(user, realm, password)``.

        :returns:
            * ``None`` if user or realm not found.
            * ``False`` if user found, but password does not match.
            * ``True`` if user found and password matches.

        .. versionchanged:: 1.6
            This method was previously called ``verify``, it was renamed
            to prevent ambiguity with the :class:`!CryptContext` method.
            The old alias is deprecated, and will be removed in Passlib 1.8.
        """
        if password is _UNSET:
            # called w/ two args - (user, password), use default realm
            realm, password = None, realm
        user = self._encode_user(user)
        realm = self._encode_realm(realm)
        hash = self._records.get((user,realm))
        if hash is None:
            return None
        return htdigest.verify(password, hash, user, realm,
                               encoding=self.encoding) 

def _init_htpasswd_context():

    # start with schemes built into apache
    schemes = [
        # builtin support added in apache 2.4
        # (https://bz.apache.org/bugzilla/show_bug.cgi?id=49288)
        "bcrypt",

        # support not "builtin" to apache, instead it requires support through host's crypt().
        # adding them here to allow editing htpasswd under windows and then deploying under unix.
        "sha256_crypt",
        "sha512_crypt",
        "des_crypt",

        # apache default as of 2.2.18, and still default in 2.4
        "apr_md5_crypt",

        # NOTE: apache says ONLY intended for transitioning htpasswd <-> ldap
        "ldap_sha1",

        # NOTE: apache says ONLY supported on Windows, Netware, TPF
        "plaintext"
    ]

    # apache can verify anything supported by the native crypt(),
    # though htpasswd tool can only generate a limited set of hashes.
    # (this list may overlap w/ builtin apache schemes)
    schemes.extend(registry.get_supported_os_crypt_schemes())

    # hack to remove dups and sort into preferred order
    preferred = schemes[:3] + ["apr_md5_crypt"] + schemes
    schemes = sorted(set(schemes), key=preferred.index)

    # NOTE: default will change to "portable" in passlib 2.0
    return CryptContext(schemes, default=htpasswd_defaults['portable_apache_22'])

#: CryptContext configured to match htpasswd 

def test_is_crypt_context(self):
        """test is_crypt_context()"""
        from passlib.utils import is_crypt_context
        from passlib.context import CryptContext
        cc = CryptContext(["des_crypt"])
        self.assertTrue(is_crypt_context(cc))
        self.assertFalse(not is_crypt_context(cc)) 

def setUp(self):
        TestCase.setUp(self)

        # make sure this isn't registered before OR after
        unload_handler_name("dummy_2")
        self.addCleanup(unload_handler_name, "dummy_2")

        # silence some warnings
        warnings.filterwarnings("ignore",
                                r"CryptContext\(\)\.replace\(\) has been deprecated")
        warnings.filterwarnings("ignore", ".*(CryptPolicy|context\.policy).*(has|have) been deprecated.*") 

def test_30_nonstring_hash(self):
        """test non-string hash values cause error"""
        warnings.filterwarnings("ignore", ".*needs_update.*'scheme' keyword is deprecated.*")

        #
        # test hash=None or some other non-string causes TypeError
        # and that explicit-scheme code path behaves the same.
        #
        cc = CryptContext(["des_crypt"])
        for hash, kwds in [
                (None, {}),
                # NOTE: 'scheme' kwd is deprecated...
                (None, {"scheme": "des_crypt"}),
                (1, {}),
                ((), {}),
                ]:

            self.assertRaises(TypeError, cc.hash_needs_update, hash, **kwds)

        cc2 = CryptContext(["mysql323"])
        self.assertRaises(TypeError, cc2.hash_needs_update, None)

    #===================================================================
    # eoc
    #===================================================================

#=============================================================================
# LazyCryptContext
#============================================================================= 

def password_is_legal(pw: str) -> bool:
    if not pw:
        return False
    schemes = ['bcrypt', 'des_crypt', 'pbkdf2_sha256', 'pbkdf2_sha512', 'sha256_crypt', 'sha512_crypt', 'plaintext']
    ctx = CryptContext(schemes=schemes)
    return ctx.identify(pw) == 'plaintext' 

def test_00_constructor(self):
        """test constructor"""
        # create crypt context using handlers
        cc = CryptContext([hash.md5_crypt, hash.bsdi_crypt, hash.des_crypt])
        c,b,a = cc.policy.iter_handlers()
        self.assertIs(a, hash.des_crypt)
        self.assertIs(b, hash.bsdi_crypt)
        self.assertIs(c, hash.md5_crypt)

        # create context using names
        cc = CryptContext(["md5_crypt", "bsdi_crypt", "des_crypt"])
        c,b,a = cc.policy.iter_handlers()
        self.assertIs(a, hash.des_crypt)
        self.assertIs(b, hash.bsdi_crypt)
        self.assertIs(c, hash.md5_crypt)

        # policy kwd
        policy = cc.policy
        cc = CryptContext(policy=policy)
        self.assertEqual(cc.to_dict(), policy.to_dict())

        cc = CryptContext(policy=policy, default="bsdi_crypt")
        self.assertNotEqual(cc.to_dict(), policy.to_dict())
        self.assertEqual(cc.to_dict(), dict(schemes=["md5_crypt","bsdi_crypt","des_crypt"],
                                            default="bsdi_crypt"))

        self.assertRaises(TypeError, setattr, cc, 'policy', None)
        self.assertRaises(TypeError, CryptContext, policy='x') 

def setUp(self):
        TestCase.setUp(self)
        warnings.filterwarnings("ignore",
                                r"CryptContext\(\)\.replace\(\) has been deprecated.*")
        warnings.filterwarnings("ignore",
                                r"The CryptContext ``policy`` keyword has been deprecated.*")
        warnings.filterwarnings("ignore", ".*(CryptPolicy|context\.policy).*(has|have) been deprecated.*")
        warnings.filterwarnings("ignore",
                                r"the method.*hash_needs_update.*is deprecated")

    #===================================================================
    # constructor
    #=================================================================== 

def _get_hashing_context(app):
    schemes = cv("HASHING_SCHEMES", app=app)
    deprecated = cv("DEPRECATED_HASHING_SCHEMES", app=app)
    return CryptContext(schemes=schemes, deprecated=deprecated) 

def test_95_context_algs(self):
        """test handling of 'algs' in context object"""
        handler = self.handler
        from passlib.context import CryptContext
        c1 = CryptContext(["scram"], scram__algs="sha1,md5")

        h = c1.hash("dummy")
        self.assertEqual(handler.extract_digest_algs(h), ["md5", "sha-1"])
        self.assertFalse(c1.needs_update(h))

        c2 = c1.copy(scram__algs="sha1")
        self.assertFalse(c2.needs_update(h))

        c2 = c1.copy(scram__algs="sha1,sha256")
        self.assertTrue(c2.needs_update(h)) 

def _get_weak_hash(self, plaintext):
        """Create a weaker CryptContext and hash plaintext.

        (Weaker as in weaker than default context)
        """
        weak_context = CryptContext(
            schemes=["pbkdf2_sha256"],
            pbkdf2_sha256__default_rounds=5,
        )

        return weak_context.hash(plaintext) 

def verify_password(self, password, password_hash):
        """Verify plaintext ``password`` against ``hashed password``.

        Args:
            password(str): Plaintext password that the user types in.
            password_hash(str): Password hash generated by a previous call to ``hash_password()``.
        Returns:
            | True when ``password`` matches ``password_hash``.
            | False otherwise.
        Example:

            ::

                if verify_password('mypassword', user.password):
                    login_user(user)
        """

        # Print deprecation warning if called with (password, user) instead of (password, user.password)
        if isinstance(password_hash, self.user_manager.db_manager.UserClass):
            print(
                'Deprecation warning: verify_password(password, user) has been changed'\
                ' to: verify_password(password, password_hash). The user param will be deprecated.'\
                ' Please change your call with verify_password(password, user) into'\
                ' a call with verify_password(password, user.password)'
                ' as soon as possible.')
            password_hash = password_hash.password   # effectively user.password

        # Use passlib's CryptContext to verify a password
        return self.password_crypt_context.verify(password, password_hash) 

def hash_password(self, password):
        """Hash plaintext ``password`` using the ``password_hash`` specified in the constructor.

        Args:
            password(str): Plaintext password that the user types in.
        Returns:
            hashed password.
        Example:
            ``user.password = hash_password('mypassword')``
        """

        # Use passlib's CryptContext to hash a password
        password_hash = self.password_crypt_context.hash(password)

        return password_hash 

def __init__(self, secret: str, tokenUrl: str, algorithm="HS256"):
        """
        :param str secret: Secret key used to sign and decrypt the JWT
        :param str algorithm: Should be "HS256" or "RS256" used to decrypt the JWT
        :param str tokenUrl: the url where the user can login to get the token
        """
        self.secret = Secret(secret)
        self._user_callback = None
        self.algorithm = algorithm
        self.pwd_context = CryptContext(schemes=["bcrypt"])
        # this is not mandatory as they user may want to user their own
        # function to get the token and pass it to the get_current_user method
        self.tokenUrl = tokenUrl
        self.oauth_scheme = None
        self._not_authenticated_exception = None 

def _get_pwd_context(self, app: FlaskUnchained) -> CryptContext:
        """
        Get the password hashing context.
        """
        pw_hash = app.config.SECURITY_PASSWORD_HASH
        schemes = app.config.SECURITY_PASSWORD_SCHEMES
        if pw_hash not in schemes:
            allowed = (', '.join(schemes[:-1]) + ' and ' + schemes[-1])
            raise ValueError(f'Invalid password hashing scheme {pw_hash}. '
                             f'Allowed values are {allowed}.')
        return CryptContext(schemes=schemes, default=pw_hash,
                            deprecated=app.config.SECURITY_DEPRECATED_PASSWORD_SCHEMES) 

def _get_hashing_context(self, app: FlaskUnchained) -> CryptContext:
        """
        Get the token hashing (and verifying) context.
        """
        return CryptContext(schemes=app.config.SECURITY_HASHING_SCHEMES,
                            deprecated=app.config.SECURITY_DEPRECATED_HASHING_SCHEMES) 

def get_crypt_context():
        "Return the default signac crypto context."
        return CryptContext(schemes=('bcrypt', )) 

def _verify_password(self, password):
        userctx = CryptContext(schemes=["sha256_crypt", "md5_crypt"])
        return userctx.verify(password, self.password) 

def _hash_password(self, password):
        userctx = CryptContext(schemes=["sha256_crypt", "md5_crypt"])
        self.password = userctx.hash(password) 

def crypt_context():
    return CryptContext(schemes=['sha256_crypt']) 

def create_password_crypt_context(self, authc_settings):
        context = dict(schemes=[authc_settings.preferred_algorithm])
        context.update(authc_settings.preferred_algorithm_context)
        return CryptContext(**context) 

def create_password_crypt_context(self, authc_settings):
        context = dict(schemes=[authc_settings.preferred_algorithm])
        context.update(authc_settings.preferred_algorithm_context)
        return CryptContext(**context)