sftpgo: replace deprecated "crypt" with "passlib"

TODO.md

@@ -27,7 +27,6 @@
   - `dmesg | grep 'hid_bpf: error while preloading HID BPF dispatcher: -22'`
 
 ## REFACTORING:
-- REMOVE DEPRECATED `crypt` from sftpgo_auth_hook
 - add import checks to my Python nix-shell scripts
 - consolidate ~/dev and ~/ref
   - ~/dev becomes a link to ~/ref/cat/mine

hosts/by-name/servo/services/export/sftpgo/default.nix

@@ -12,6 +12,7 @@ let
   external_auth_hook = pkgs.static-nix-shell.mkPython3Bin {
     pname = "external_auth_hook";
     srcRoot = ./.;
+    pyPkgs = [ "passlib" ];
   };
   # Client initiates a FTP "control connection" on port 21.
   # - this handles the client -> server commands, and the server -> client status, but not the actual data

hosts/by-name/servo/services/export/sftpgo/external_auth_hook

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.passlib ])"
 # vim: set filetype=python :
 #
 # available environment variables:
@@ -37,9 +37,9 @@
 # - it seems (empirically) that a user can't cd above their home directory.
 #   though i don't have a reference for that in the docs.
 
-import crypt
 import json
 import os
+import passlib.hosts
 
 from hmac import compare_digest
 
@@ -112,10 +112,8 @@ def isWireguard(ip: str) -> bool:
 
 def isTrustedCred(password: str) -> bool:
   for cred in TRUSTED_CREDS:
-    _, method, salt, hash_ = cred.split("$")
-    # assert method == "6", f"unrecognized crypt entry: {cred}"
-    if crypt.crypt(password, f"${method}${salt}") == cred:
-        return True
+    if passlib.hosts.linux_context.verify(password, cred):
+      return True
 
   return False