authorJames Elliott <james-d-elliott@users.noreply.github.com>2020-03-06 12:38:02 +1100
committerGitHub <noreply@github.com>2020-03-06 12:38:02 +1100
commit26369fff3d8d397018a08ae044f36b723fc7d880 (patch)
treeb91dace87f3bb683491975cb5eb74e8babd6b7f4 /internal/authentication/file_user_provider.go
parent72a3f1e0d7524a1d86e87781d264d5db195ea3e6 (diff)
[FEATURE] Support Argon2id password hasing and improved entropy (#679)
* [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording 
edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
Diffstat (limited to 'internal/authentication/file_user_provider.go')
-rw-r--r--internal/authentication/file_user_provider.go40
1 files changed, 28 insertions, 12 deletions
diff --git a/internal/authentication/file_user_provider.go b/internal/authentication/file_user_provider.go
index e8969e900..1c6c47094 100644
--- a/internal/authentication/file_user_provider.go
+++ b/internal/authentication/file_user_provider.go
@@ -1,21 +1,22 @@
package authentication
import (
+ "errors"
"fmt"
"io/ioutil"
"strings"
"sync"
"github.com/asaskevich/govalidator"
-
+ "github.com/authelia/authelia/internal/configuration/schema"
"gopkg.in/yaml.v2"
)
// FileUserProvider is a provider reading details from a file.
type FileUserProvider struct {
- path *string
- database *DatabaseModel
- lock *sync.Mutex
+ configuration *schema.FileAuthenticationBackendConfiguration
+ database *DatabaseModel
+ lock *sync.Mutex
}
// UserDetailsModel is the model of user details in the file database.
@@ -31,8 +32,8 @@ type DatabaseModel struct {
}
// NewFileUserProvider creates a new instance of FileUserProvider.
-func NewFileUserProvider(filepath string) *FileUserProvider {
- database, err := readDatabase(filepath)
+func NewFileUserProvider(configuration *schema.FileAuthenticationBackendConfiguration) *FileUserProvider {
+ database, err := readDatabase(configuration.Path)
if err != nil {
// Panic since the file does not exist when Authelia is starting.
panic(err.Error())
@@ -45,9 +46,9 @@ func NewFileUserProvider(filepath string) *FileUserProvider {
}
return &FileUserProvider{
- path: &filepath,
- database: database,
- lock: &sync.Mutex{},
+ configuration: configuration,
+ database: database,
+ lock: &sync.Mutex{},
}
}
@@ -114,9 +115,24 @@ func (p *FileUserProvider) UpdatePassword(username string, newPassword string) e
return fmt.Errorf("User '%s' does not exist in database", username)
}
- hash := HashPassword(newPassword, "")
- details.HashedPassword = fmt.Sprintf("{CRYPT}%s", hash)
+ var algorithm string
+ if p.configuration.PasswordHashing.Algorithm == "argon2id" {
+ algorithm = HashingAlgorithmArgon2id
+ } else if p.configuration.PasswordHashing.Algorithm == "sha512" {
+ algorithm = HashingAlgorithmSHA512
+ } else {
+ return errors.New("Invalid algorithm in configuration. It should be `argon2id` or `sha512`")
+ }
+
+ hash, err := HashPassword(
+ newPassword, "", algorithm, p.configuration.PasswordHashing.Iterations,
+ p.configuration.PasswordHashing.Memory*1024, p.configuration.PasswordHashing.Parallelism,
+ p.configuration.PasswordHashing.KeyLength, p.configuration.PasswordHashing.SaltLength)
+ if err != nil {
+ return err
+ }
+ details.HashedPassword = hash
p.lock.Lock()
p.database.Users[username] = details
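Review bot: The algorithm selection at the top of this hunk is an if/else-if chain over string literals that reads more directly as a `switch` on `p.configuration.PasswordHashing.Algorithm`, and the `Memory*1024` argument passed to HashPassword carries an unexplained unit conversion. The commit description says memory is now configured in MB, so the multiplier presumably converts to the kibibyte cost parameter the argon2 implementation takes; a comment such as `// Memory is configured in MB; HashPassword takes the argon2 memory cost in KiB.` on that argument would stop a later schema change from silently altering the hashing cost. The chain also repeats a check the description says the configuration validator already makes; keeping it as defence in depth is reasonable, but the error text here should then match the validator's wording. UpdatePassword begins before this hunk and continues into the next one.

```go
var algorithm string
switch p.configuration.PasswordHashing.Algorithm {
case "argon2id":
	algorithm = HashingAlgorithmArgon2id
case "sha512":
	algorithm = HashingAlgorithmSHA512
default:
	return errors.New("Invalid algorithm in configuration. It should be `argon2id` or `sha512`")
}
// … unchanged: HashPassword call and assignment of details.HashedPassword …
```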
@@ -125,7 +141,7 @@ func (p *FileUserProvider) UpdatePassword(username string, newPassword string) e
p.lock.Unlock()
return err
}
- err = ioutil.WriteFile(*p.path, b, 0644)
+ err = ioutil.WriteFile(p.configuration.Path, b, 0644)
p.lock.Unlock()
return err
}
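Review bot: The rewritten ioutil.WriteFile call still creates the users database with mode 0644, so when the file is first written the file holding every user's password hash is readable by any local account; `err = ioutil.WriteFile(p.configuration.Path, b, 0600)` keeps it owner-only (WriteFile only applies the mode on creation, so an existing file keeps whatever mode it already has — confirm that matches how deployments provision the file). Because WriteFile truncates the existing file in place, a crash between the truncate and the write also leaves an empty database; writing to a temporary file in the same directory and renaming it over the path would make the update atomic, though that is a larger change than this commit makes. The start of UpdatePassword is outside this hunk.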