fix: default hash method for Werkzeug < 3.0.0

Follow up after dpgaspar#2306. Later configuration was added in dpgaspar#2332 that
added default configuration for hash method and also there
scrypt was set as default, however Werkzeug < 3.0.0 does not
support it.

This PR retrieves the default method properly, depending on
installed Werkzeug version.

Author: potiuk

bin/hash_db_password.py

@@ -4,7 +4,7 @@
 from werkzeug.security import generate_password_hash
 
 from flask_appbuilder.security.sqla.models import User
-
+from flask_appbuilder.security.utils import get_default_hash_method
 
 try:
     from app import app, db
@@ -36,11 +36,13 @@
     log.error("Config db key {}".format(app.config['SQLALCHEMY_DATABASE_URI']))
     exit()
 
+
 for user in users:
     log.info("Hashing password for {0}".format(user.username))
+
     user.password = generate_password_hash(
         password=user.password,
-        method=app.config.get('FAB_PASSWORD_HASH_METHOD', 'scrypt'),
+        method=get_default_hash_method(app),
         salt_length=app.config.get('FAB_PASSWORD_HASH_SALT_LENGTH', 16),
     )
     try:
@@ -49,5 +51,5 @@
     except Exception as e:
         db.session.rollback()
         log.error("Error updating password for {0}: {1}".format(user.full_name, str(e)))
-        
+
 

flask_appbuilder/security/manager.py

@@ -22,6 +22,7 @@
     RegisterUserOAuthView,
     RegisterUserOIDView,
 )
+from .utils import get_default_hash_method
 from .views import (
     AuthDBView,
     AuthLDAPView,
@@ -63,7 +64,6 @@
 
 log = logging.getLogger(__name__)
 
-
 class AbstractSecurityManager(BaseManager):
     """
     Abstract SecurityManager class, declares all methods used by the
@@ -238,13 +238,16 @@ def __init__(self, appbuilder):
 
         # Werkzeug prior to 3.0.0 does not support scrypt
         parsed_werkzeug_version = Version(importlib.metadata.version("werkzeug"))
+
         if parsed_werkzeug_version < Version("3.0.0"):
+            app.config.setdefault("FAB_PASSWORD_HASH_METHOD", "pbkdf2:sha256")
             app.config.setdefault(
                 "AUTH_DB_FAKE_PASSWORD_HASH_CHECK",
                 "pbkdf2:sha256:150000$Z3t6fmj2$22da622d94a1f8118"
                 "c0976a03d2f18f680bfff877c9a965db9eedc51bc0be87c",
             )
         else:
+            app.config.setdefault("FAB_PASSWORD_HASH_METHOD", "pbkdf2:sha256")
             app.config.setdefault(
                 "AUTH_DB_FAKE_PASSWORD_HASH_CHECK",
                 "scrypt:32768:8:1$wiDa0ruWlIPhp9LM$6e40"
@@ -952,9 +955,7 @@ def reset_password(self, userid, password):
         user = self.get_user_by_id(userid)
         user.password = generate_password_hash(
             password=password,
-            method=self.appbuilder.get_app.config.get(
-                "FAB_PASSWORD_HASH_METHOD", "scrypt"
-            ),
+            method=get_default_hash_method(),
             salt_length=self.appbuilder.get_app.config.get(
                 "FAB_PASSWORD_HASH_SALT_LENGTH", 16
             ),

flask_appbuilder/security/sqla/apis/user/api.py

@@ -11,10 +11,13 @@
     UserPutSchema,
 )
 from flask_appbuilder.security.sqla.models import Group, Role, User
+from flask_appbuilder.security.utils import get_default_hash_method
 from marshmallow import ValidationError
 from sqlalchemy.exc import IntegrityError
 from werkzeug.security import generate_password_hash
 
+# Werkzeug prior to 3.0.0 does not support scrypt
+parsed_werkzeug_version = Version(importlib.metadata.version("werkzeug"))
 
 class UserApi(ModelRestApi):
     resource_name = "security/users"
@@ -74,9 +77,7 @@ def pre_update(self, item, data):
         if "password" in data and data["password"]:
             item.password = generate_password_hash(
                 password=data["password"],
-                method=self.appbuilder.get_app.config.get(
-                    "FAB_PASSWORD_HASH_METHOD", "scrypt"
-                ),
+                method=get_default_hash_method(self.appbuilder.get_app),
                 salt_length=self.appbuilder.get_app.config.get(
                     "FAB_PASSWORD_HASH_SALT_LENGTH", 16
                 ),

flask_appbuilder/security/utils.py

@@ -1,9 +1,21 @@
+import importlib
 from random import SystemRandom
 import string
 
+from packaging.version import Version
 LETTERS_AND_DIGITS = string.ascii_letters + string.digits
 
 
 def generate_random_string(length=30):
     rand = SystemRandom()
     return "".join(rand.choice(LETTERS_AND_DIGITS) for _ in range(length))
+
+def get_default_hash_method(app):
+    """
+    Returns the default password hash method based on the Werkzeug version.
+    """
+    parsed_werkzeug_version = Version(importlib.metadata.version("werkzeug"))
+    if parsed_werkzeug_version < Version("3.0.0"):
+        return app.config.get('FAB_PASSWORD_HASH_METHOD', 'pbkdf2:sha256')
+    else:
+        return app.config.get('FAB_PASSWORD_HASH_METHOD', 'scrypt')

flask_appbuilder/security/views.py

@@ -22,7 +22,7 @@
     roles_or_groups_required,
     UserInfoEdit,
 )
-from flask_appbuilder.security.utils import generate_random_string
+from flask_appbuilder.security.utils import generate_random_string, get_default_hash_method
 from flask_appbuilder.utils.base import get_safe_redirect, lazy_formatter_gettext
 from flask_appbuilder.validators import PasswordComplexityValidator
 from flask_appbuilder.views import expose, ModelView, SimpleFormView
@@ -38,7 +38,6 @@
 
 log = logging.getLogger(__name__)
 
-
 class PermissionModelView(ModelView):
     route_base = "/permissions"
     base_permissions = ["can_list"]
@@ -448,9 +447,7 @@ def pre_update(self, item: Any) -> None:
     def pre_add(self, item: Any) -> None:
         item.password = generate_password_hash(
             password=item.password,
-            method=self.appbuilder.get_app.config.get(
-                "FAB_PASSWORD_HASH_METHOD", "scrypt"
-            ),
+            method=get_default_hash_method(self.appbuilder.get_app),
             salt_length=self.appbuilder.get_app.config.get(
                 "FAB_PASSWORD_HASH_SALT_LENGTH", 16
             ),