
hash passwords and API keys in main config #3257

Open

uruwhy wants to merge 6 commits into master from hash-creds

Conversation

@uruwhy (Contributor) commented Feb 25, 2026

Description

  • Addresses the security issue where user passwords and primary API keys were stored in plaintext in the main caldera config
  • Overwrites the configuration file on startup with hashed user passwords and red/blue API keys
  • Any newly created configuration files will have hashed passwords and API keys
  • password and API key checks are performed by comparing hashes instead of plaintext comparisons
  • hashing is done via Argon2 per OWASP recommendations
  • LDAP login handler is not affected since Caldera does not manage LDAP credentials or directly perform LDAP authentication
  • update to fieldmanual documentation will require a separate PR for that plugin repo

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

How Has This Been Tested?

  • unit tests
  • tested user login for red and blue groups
  • tested API key usage
  • interacted with UI
  • tested updating password in config file
  • tested adding new users in config file
  • tested creating a new local.yml config file
  • tested creating a new config file on startup using server.py's -E argument

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
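
The mechanism the description outlines (rewrite the config with hashed user passwords and red/blue API keys, keep already-hashed values untouched on later startups, and check logins and API keys by hash verification instead of plaintext comparison), as an added example that is not the PR's or Caldera's own code. It uses argon2-cffi's PasswordHasher when that package is installed and otherwise falls back to stdlib scrypt as a labelled stand-in; the config layout (users grouped by red/blue, api_key_red, api_key_blue) and the sample values are assumptions.

```python
import base64, hashlib, hmac, os

try:  # Argon2, as the PR describes, via argon2-cffi when it is installed
    from argon2 import PasswordHasher
    from argon2.exceptions import InvalidHash, VerificationError
    _PH = PasswordHasher()
    hash_secret = _PH.hash
    def verify_secret(stored, candidate):
        try:
            return _PH.verify(stored, candidate)
        except (VerificationError, InvalidHash):  # mismatch or not an argon2 hash
            return False
except ImportError:  # assumption: stdlib scrypt stand-in so the example runs anywhere
    def hash_secret(secret):
        salt = os.urandom(16)
        digest = hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)
        return "$scrypt$" + base64.b64encode(salt + digest).decode()
    def verify_secret(stored, candidate):
        if not stored.startswith("$scrypt$"):
            return False
        raw = base64.b64decode(stored[8:])
        calc = hashlib.scrypt(candidate.encode(), salt=raw[:16], n=2**14, r=8, p=1)
        return hmac.compare_digest(calc, raw[16:])  # constant-time comparison

def is_hashed(value):
    return value.startswith(("$argon2", "$scrypt$"))

def hash_config_credentials(config):
    """Copy of the parsed config with user passwords and red/blue API keys hashed;
    values that already are hashes are kept, so the startup rewrite is idempotent."""
    h = lambda v: v if is_hashed(v) else hash_secret(v)
    out = {k: h(v) if k in ("api_key_red", "api_key_blue") else v for k, v in config.items()}
    out["users"] = {g: {n: h(p) for n, p in m.items()} for g, m in config["users"].items()}
    return out

def check_login(config, group, name, password):
    stored = config["users"].get(group, {}).get(name)
    return stored is not None and verify_secret(stored, password)

def check_api_key(config, candidate):
    # returns which key matched ("api_key_red" / "api_key_blue") or None
    for key in ("api_key_red", "api_key_blue"):
        if verify_secret(config[key], candidate):
            return key
    return None

# constructed sample in the shape of Caldera's main config (key names assumed)
PLAINTEXT_CONFIG = {"users": {"red": {"red": "admin"}, "blue": {"blue": "admin"}},
                    "api_key_red": "ADMIN123", "api_key_blue": "BLUEADMIN123"}
HASHED_CONFIG = hash_config_credentials(PLAINTEXT_CONFIG)
```

Running hash_config_credentials a second time over HASHED_CONFIG returns an equal dict, which is the property that lets the startup overwrite run on every boot without re-hashing existing hashes.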

@sonarqubecloud

Quality Gate failed

Failed conditions
64.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@sonarqubecloud

Quality Gate failed

Failed conditions
70.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud
