From 04fea4e7cd9f34a7bac010382ab96016b11175a7 Mon Sep 17 00:00:00 2001
From: Holger Frey
Date: Sat, 24 Mar 2018 09:25:41 +0100
Subject: [PATCH] included passlib for password hashing
---
 development.ini | 9 +++++++++
 ordr/security.py | 36 ++++++++++++++++++++++++++++++++++++
 setup.py | 1 +
 3 files changed, 46 insertions(+)
 create mode 100644 ordr/security.py
diff --git a/development.ini b/development.ini
index 46e3730..771602d 100644
--- a/development.ini
+++ b/development.ini
@@ -19,6 +19,15 @@ sqlalchemy.url = sqlite:///%(here)s/ordr.sqlite
 retry.attempts = 3
+# passlib settings
+# setup the context to support only argon2 for the moment
+passlib.schemes = argon2, bcrypt
+# default encryption scheme is argon2
+passlib.default = argon2
+# flag every encryption method as deprecated except the first one
+passlib.deprecated = auto
+
+
 # By default, the toolbar only appears for clients from IP addresses
 # '127.0.0.1' and '::1'.
 # debugtoolbar.hosts = 127.0.0.1 ::1
diff --git a/ordr/security.py b/ordr/security.py
new file mode 100644
index 0000000..0b48234
--- /dev/null
+++ b/ordr/security.py
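Review bot: The comment `# setup the context to support only argon2 for the moment` contradicts the setting right under it, `passlib.schemes = argon2, bcrypt`, which enables two schemes, and the two "encryption" comments describe password hashing, not encryption. With `passlib.deprecated = auto` passlib marks every scheme except the default as deprecated, so bcrypt hashes still verify but are reported as needing a re-hash; the comments should say that, e.g. `# argon2 for new hashes; bcrypt hashes still verify but are auto-deprecated` above `passlib.schemes` and `# default hashing scheme is argon2` above `passlib.default`. The deprecation flag only has an effect once the application acts on CryptContext's needs_update() (or uses verify_and_update()) after a successful verify, which the new ordr/security.py does not do yet, so it is informational until that is wired in.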
@@ -0,0 +1,36 @@
+from passlib.context import CryptContext
+from pyramid.settings import aslist, asbool
+
+
+password_context = CryptContext()
+
+
+def crypt_context_settings_to_string(settings, prefix='passlib.'):
+ ''' returns a passlib context setting as a INI-formatted content
+
+ :param dict settings: settings for the crypt context
+ :param str prefix: prefix of the settings keys
+ :rtype: (str) config string in INI format for CryptContext.load()
+
+ This looks at first like a dump hack, but the parsing of all possible
+ context settings is quite a task. Since passlib has a context parser
+ included, this seems the most reliable way to do it.
+ '''
+ config_lines = ['[passlib]']
+ for ini_key, value in settings.items():
+ if ini_key.startswith(prefix):
+ context_key = ini_key.replace(prefix, '')
+ config_lines.append(f'{context_key} = {value}')
+ return '\n'.join(config_lines)
+
+
+def includeme(config):
+ ''' initializing authentication, authorization and password hash settings
+
+ Activate this setup using ``config.include('ordr2.security')``.
+ '''
+ settings = config.get_settings()
+
+ # configure the passlib context manager for hashing user passwords
+ config_str = crypt_context_settings_to_string(settings, prefix='passlib.')
+ password_context.load(config_str)
diff --git a/setup.py b/setup.py
index 05b18fc..cf2bff3 100644
--- a/setup.py
+++ b/setup.py
@@ -9,6 +9,7 @@ with open(os.path.join(here, 'CHANGES.txt')) as f:
 CHANGES = f.read()
 requires = [
+ 'passlib',
 'plaster_pastedeploy',
 'pyramid >= 1.9a',
 'pyramid_debugtoolbar',
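Review bot: `ini_key.replace(prefix, '')` in crypt_context_settings_to_string removes every occurrence of the prefix, not only the leading one, so a key that happens to contain the prefix twice would be mangled; since `startswith(prefix)` has already been checked, `context_key = ini_key[len(prefix):]` is the exact operation. `aslist` and `asbool` are imported from pyramid.settings but never used in the file and should be dropped. The includeme docstring tells the reader to `config.include('ordr2.security')`, while the module lives at ordr/security.py, so the example should read `config.include('ordr.security')` (and "dump hack" in the other docstring presumably means "dumb hack"). If no `passlib.*` keys are present, `password_context.load('[passlib]')` leaves an empty context and the failure only surfaces at the first hash/verify call; failing fast in includeme, e.g. `if not password_context.schemes(): raise ValueError('no passlib.* settings configured')`, would make a misconfigured deployment visible at startup.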
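Review bot: `'passlib'` alone does not pull in the backends the new development.ini asks for: passlib's argon2 handler needs the `argon2_cffi` package and its bcrypt handler needs `bcrypt`, neither of which is declared, so a fresh install will presumably fail with a missing-backend error either at `password_context.load()` or at the first hash/verify call. Adding them next to passlib, `'passlib', 'argon2_cffi', 'bcrypt',`, makes the install match the configured schemes. The neighbouring entries carry a minimum version (`'pyramid >= 1.9a'`); a floor for passlib matching the release that introduced the argon2 handler (the 1.7 series, if I recall correctly) would be consistent with them.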