Added more encryption libraries

Author: ¨eadwinCode¨

docs/security/csrf.md

@@ -29,3 +29,8 @@ class Development(BaseConfig):
     ]
 
 ```
+
+## **CORS**
+Cross-origin resource sharing (CORS) is a mechanism that allows resources to be requested from another domain. 
+Under the hood, Ellar registers CORS Middleware and provides CORS options in application for CORS customization.
+See how to configure **CORS** [here](../overview/middleware.md#corsmiddleware)

ellar/core/security/__init__.py

@@ -1,11 +0,0 @@
-from .hashers.base import (
-    BasePasswordHasher,
-    PBKDF2PasswordHasher,
-    PBKDF2SHA1PasswordHasher,
-)
-
-__all__ = [
-    "BasePasswordHasher",
-    "PBKDF2PasswordHasher",
-    "PBKDF2SHA1PasswordHasher",
-]

ellar/core/security/constants.py

@@ -0,0 +1,134 @@
+import typing as t
+
+from .argon2 import Argon2PasswordHasher
+from .base import BasePasswordHasher, EncodingType, get_random_string, must_update_salt
+from .bcrypt import BCryptPasswordHasher, BCryptSHA256PasswordHasher
+from .md5 import MD5PasswordHasher
+from .pbkdf import PBKDF2PasswordHasher, PBKDF2SHA1PasswordHasher
+from .scrypt import ScryptPasswordHasher
+
+# This will never be a valid encoded hash
+_UNUSABLE_PASSWORD_PREFIX = "!"
+_UNUSABLE_PASSWORD_SUFFIX_LENGTH = (
+    40  # number of random chars to add after UNUSABLE_PASSWORD_PREFIX
+)
+__HASHERS_DICT: t.Dict[str, t.Type["BasePasswordHasher"]] = {}
+
+
+def add_hasher(*hashers: t.Type["BasePasswordHasher"]) -> None:
+    for hasher in hashers:
+        __HASHERS_DICT.update({hasher.algorithm: hasher})
+
+
+def get_hasher(algorithm: str = "pbkdf2_sha256") -> "BasePasswordHasher":
+    try:
+        hasher_type = __HASHERS_DICT[algorithm]
+        return hasher_type()
+    except KeyError as kex:
+        raise ValueError(
+            f"Unknown password hashing algorithm '{algorithm}'. "
+            f"Please use `add_hasher` in `ellar.core.security.hashers` package to add implementation for '{algorithm}'"
+        ) from kex
+
+
+def identify_hasher(encoded: str) -> "BasePasswordHasher":
+    possible_hashers = [v for k, v in __HASHERS_DICT.items() if v.identity(encoded)]
+    if possible_hashers:
+        return possible_hashers[0]()
+    raise ValueError("Unable to identify Hasher")
+
+
+def is_password_usable(encoded: t.Optional[str]) -> bool:
+    """
+    Return True if this password wasn't generated by
+    User.set_unusable_password(), i.e. make_password(None).
+    """
+    return encoded is None or not encoded.startswith(_UNUSABLE_PASSWORD_PREFIX)
+
+
+def make_password(
+    password: t.Optional[EncodingType],
+    algorithm: str = "pbkdf2_sha256",
+    salt: t.Optional[str] = None,
+) -> str:
+    """
+    Turn a plain-text password into a hash for database storage
+
+    Same as encode() but generate a new random salt. If password is None then
+    return a concatenation of UNUSABLE_PASSWORD_PREFIX and a random string,
+    which disallows logins. Additional random string reduces chances of gaining
+    access to staff or superuser accounts. See ticket #20079 for more info.
+    """
+    if password is None:
+        return _UNUSABLE_PASSWORD_PREFIX + get_random_string(
+            _UNUSABLE_PASSWORD_SUFFIX_LENGTH
+        )
+    if not isinstance(password, (bytes, str)):
+        raise TypeError(
+            "Password must be a string or bytes, got %s." % type(password).__qualname__
+        )
+
+    hasher = get_hasher(algorithm)
+    # Passlib includes salt in almost every hash
+    return hasher.encode(password, salt=salt)
+
+
+def check_password(
+    password: EncodingType,
+    encoded: str,
+    setter: t.Optional[t.Callable[..., t.Any]] = None,
+    preferred_algorithm: str = "pbkdf2_sha256",
+) -> bool:
+    """
+    Return a boolean of whether the raw password matches the three
+    part encoded digest.
+
+    If setter is specified, it'll be called when you need to
+    regenerate the password.
+    """
+
+    if password is None or not is_password_usable(encoded):
+        return False
+
+    preferred = get_hasher(preferred_algorithm)
+    try:
+        hasher = identify_hasher(encoded)
+    except ValueError:
+        # encoded is gibberish or uses a hasher that's no longer installed.
+        return False
+
+    hasher_changed = hasher.algorithm != preferred.algorithm
+    must_update: bool = hasher_changed or preferred.must_update(encoded)
+    is_correct: bool = hasher.verify(password, encoded)
+
+    if setter and is_correct and must_update:
+        setter(password)
+    return is_correct
+
+
+add_hasher(
+    PBKDF2PasswordHasher,
+    PBKDF2SHA1PasswordHasher,
+    Argon2PasswordHasher,
+    BCryptSHA256PasswordHasher,
+    BCryptPasswordHasher,
+    ScryptPasswordHasher,
+    MD5PasswordHasher,
+)
+
+__all__ = [
+    "PBKDF2PasswordHasher",
+    "PBKDF2SHA1PasswordHasher",
+    "Argon2PasswordHasher",
+    "BCryptSHA256PasswordHasher",
+    "BCryptPasswordHasher",
+    "ScryptPasswordHasher",
+    "MD5PasswordHasher",
+    "must_update_salt",
+    "make_password",
+    "check_password",
+    "is_password_usable",
+    "get_hasher",
+    "identify_hasher",
+    "add_hasher",
+]

ellar/core/security/hashers/__init__.py

@@ -0,0 +1,57 @@
+import typing as t
+
+from passlib.hash import argon2
+
+from .base import BasePasswordHasher, EncodingSalt, EncodingType, must_update_salt
+
+
+class Argon2PasswordHasher(BasePasswordHasher):
+    """
+    Secure password hashing using the argon2 algorithm.
+
+    This is the winner of the Password Hashing Competition 2013-2015
+    (https://password-hashing.net). It requires the argon2-cffi library which
+    depends on native C code and might cause portability issues.
+    """
+
+    algorithm = "argon2"
+    hasher = argon2
+
+    time_cost = 2
+    memory_cost = argon2.memory_cost
+    parallelism = argon2.parallelism
+
+    def _get_using_kwargs(self) -> dict:
+        return {
+            "time_cost": self.time_cost,
+            "memory_cost": self.memory_cost,
+            "parallelism": self.parallelism,
+        }
+
+    def encode(
+        self, password: EncodingType, salt: EncodingSalt = None
+    ) -> t.Union[str, t.Any]:
+        salt = bytes(salt, "utf-8") if salt else salt  # type:ignore[arg-type]
+        return super().encode(password, salt)
+
+    def decode(self, encoded: str) -> dict:
+        argon_2 = t.cast(t.Any, self.hasher.from_string(encoded))
+        return {
+            "algorithm": self.algorithm,
+            "memory_cost": argon_2.memory_cost,
+            "parallelism": argon_2.parallelism,
+            "salt": argon_2.salt,
+            "time_cost": argon_2.rounds,
+            "hash": argon_2.data,
+        }
+
+    def must_update(self, encoded: str) -> bool:
+        decoded = self.decode(encoded)
+
+        update_salt = must_update_salt(decoded["salt"], self.salt_entropy)
+        if update_salt:
+            return update_salt
+
+        if decoded["time_cost"] != self.time_cost:
+            return True
+        return self.hasher.needs_update(encoded)  # type:ignore[no-any-return]