feat: allow importing hmac hashed passwords

[tristankenney]

Hello folks!

I've had a crack at implementing hmac support for password imports

I've followed the approach of base64 encoding and delimiting the string with $ as seems to be the convention.

The basic format is $hmac-<hashfunction>$<base64 encoded hash>$<base64 encoded key> e.g.:

# password = test; key=key; hash function=sha
$hmac-sha1$NjcxZjU0Y2UwYzU0MGY3OGZmZTFlMjZkY2Y5YzJhMDQ3YWVhNGZkYQ==$a2V5

I yoinked a subset of the digests from Auth0

NB: This is my first time writing any Go, so please point out areas for improvement

Related issue(s)

• Review and add more commonly used password hashing algorithms for importing users #2422

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

[aeneasr]

Very nice! This looks very good for your first time writing Go! We'll need to do another pass on the security aspects but I doN't see any big blockers. @jonas-jonas WDYT?

[aeneasr]

Oh and could you please add docs for this here: https://github.com/ory/docs/edit/master/docs/kratos/manage-identities/25_import-user-accounts-identities.mdx

[jonas-jonas]

Very nice changes! Thanks for the patch!

[codecov]

Codecov Report

Merging #3544 (2e20489) into master (33fc930) will decrease coverage by 0.08%.
Report is 3 commits behind head on master.
The diff coverage is 73.21%.

❗ Current head 2e20489 differs from pull request most recent head a26b9ad. Consider uploading reports for the commit a26b9ad to get more accurate results

@@            Coverage Diff             @@
##           master    #3544      +/-   ##
==========================================
- Coverage   78.20%   78.12%   -0.08%     
==========================================
  Files         341      341              
  Lines       22830    22870      +40     
==========================================
+ Hits        17855    17868      +13     
- Misses       3632     3654      +22     
- Partials     1343     1348       +5     

Files	Coverage Δ
selfservice/flow/login/handler.go	78.83% <22.22%> (+1.10%)	⬆️
hash/hash_comparator.go	86.15% <82.97%> (-0.48%)	⬇️

... and 2 files with indirect coverage changes

[tristankenney]

Oh wow! You move quick, @aeneasr – I was coming back to add in the documentation now

[aeneasr]

Would still appreciate it if you could add a PR for docs :) Thanks so much!

[tristankenney]

Done, @aeneasr – ory/docs#1580