fix(crypt): Add salt to passlib calls

[holmanb]

Proposed Commit Message

fix(crypt): Add salt to passlib calls

- Refactor multiple crypt callsites to a single Python module.
- Add tests to verify standardized behavior between passlib and crypt.

[1] https://github.com/canonical/cloud-init/issues/4791

Additional Context

It would be trivial to add openssl support as well, but this isn't a dependency in minimal images currently so probably not worth it.

In the standard library hashlib.sha512() also exists, but this isn't in the right format and I couldn't find documentation to make this compatible with crypt.

Merge type

• Squash merge using "Proposed Commit Message"
• Rebase and merge unique commits. Requires commit messages per-commit each referencing the pull request number (#<PR_NUM>)

[TheRealFalcon]

Nice refactor, but is there a reason to provide our own salt? Passlib will automatically provide a salt by default.

[TheRealFalcon]

Doesn't BSD require bcrypt rather than sha512_crypt?

Also, this method of calling hash is deprecated. I think it should instead look something like

passlib.hash.sha512_crypt.using(salt=salt, rounds=5000).hash(secret)

[holmanb]

Nice refactor, but is there a reason to provide our own salt? Passlib will automatically provide a salt by default.

I guess not really then - the idea of making sure that the behavior "matches" was appealing from a testing perspective, but so long as passlib actually has a future, then I guess library defaults might be better.

Aside: before I pushed this PR I actually had an openssl implementation that also matched the passlib and crypt output, but I deleted it because I didn't want cloud-init to pull it into minimal images.

[holmanb]

Doesn't BSD require bcrypt rather than sha512_crypt?

Ugh, you're right. I'm going to close this PR since there isn't much benefit to it as is, and there really isn't much code to share between the two call sites.