passlib-werkzeug/passlib_werkzeug/__init__.py

"""Passlib module to understand hashed password format of Werkzeug
"""

__version__ = '0.1.0'

from base64 import b64encode

from passlib.crypto.digest import pbkdf2_hmac
from passlib.exc import InvalidHashError
from passlib.registry import register_crypt_handler_path
import passlib.utils.handlers as uh
from passlib.utils.binary import AB64_CHARS, ab64_decode, ab64_encode
from passlib.utils.compat import u

SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class werkzeug_pbkdf2_sha256(uh.HasSalt, uh.HasRounds, uh.GenericHandler):
    # pylint: disable=invalid-name
    """Passlib handler for Werkzeug’s PBKDF2:SHA-256 passwords
    """

    checksum_chars = '0123456789abcdef'
    checksum_size = 64
    default_rounds = 150000
    default_salt_chars = SALT_CHARS
    default_salt_size = 8
    _digest = 'sha256'
    ident = u('pbkdf2:sha256')
    min_salt_size = 1
    name = 'werkzeug_pbkdf2_sha256'
    salt_chars = SALT_CHARS

    # pylint: disable=arguments-differ
    @classmethod
    def from_string(cls, password_hash, **context):
        """Create a new hash object from a string
        """

        try:
            full_method, salt, checksum = password_hash.split('$')
        except ValueError as exc:
            raise InvalidHashError(cls) from exc

        method, digest, rounds = full_method.split(':')

        if ':'.join((method, digest)) != cls.ident:
            raise InvalidHashError(cls)

        if checksum:
            bytes.fromhex(checksum)

        return cls(salt=salt, checksum=checksum, rounds=int(rounds))

    def to_string(self):
        full_method = ':'.join((self.ident, str(self.rounds)))

        return '$'.join((full_method, self.salt, self.checksum))

    def _calc_checksum(self, secret):
        checksum = pbkdf2_hmac(self._digest, secret, self.salt, self.rounds)

        return checksum.hex()


register_crypt_handler_path('werkzeug_pbkdf2_sha256', 'passlib_werkzeug')