Add insecure password for automated testing.
Fix checkDataDir to run before setupLogging.
This commit is contained in:
parent
e43af4e978
commit
e1182f8000
|
@ -900,7 +900,7 @@ proc createPidFile(filename: string) =
|
||||||
|
|
||||||
proc checkDataDir(conf: BeaconNodeConf) =
|
proc checkDataDir(conf: BeaconNodeConf) =
|
||||||
## Checks `conf.dataDir`.
|
## Checks `conf.dataDir`.
|
||||||
## If folder exists, prcoedure will check it for access and
|
## If folder exists, procedure will check it for access and
|
||||||
## permissions `0750 (rwxr-x---)`, if folder do not exists it will be created
|
## permissions `0750 (rwxr-x---)`, if folder do not exists it will be created
|
||||||
## with permissions `0750 (rwxr-x---)`.
|
## with permissions `0750 (rwxr-x---)`.
|
||||||
let dataDir = string(conf.dataDir)
|
let dataDir = string(conf.dataDir)
|
||||||
|
@ -1136,6 +1136,8 @@ programMain:
|
||||||
# This is ref so we can mutate it (to erase it) after the initial loading.
|
# This is ref so we can mutate it (to erase it) after the initial loading.
|
||||||
stateSnapshotContents: ref string
|
stateSnapshotContents: ref string
|
||||||
|
|
||||||
|
checkDataDir(config)
|
||||||
|
|
||||||
setupLogging(config.logLevel, config.logFile)
|
setupLogging(config.logLevel, config.logFile)
|
||||||
|
|
||||||
if config.eth2Network.isSome:
|
if config.eth2Network.isSome:
|
||||||
|
@ -1173,8 +1175,6 @@ programMain:
|
||||||
|
|
||||||
case config.cmd
|
case config.cmd
|
||||||
of createTestnet:
|
of createTestnet:
|
||||||
checkDataDir(config)
|
|
||||||
|
|
||||||
let launchPadDeposits = try:
|
let launchPadDeposits = try:
|
||||||
Json.loadFile(config.testnetDepositsFile.string, seq[LaunchPadDeposit])
|
Json.loadFile(config.testnetDepositsFile.string, seq[LaunchPadDeposit])
|
||||||
except SerializationError as err:
|
except SerializationError as err:
|
||||||
|
@ -1235,8 +1235,6 @@ programMain:
|
||||||
cmdParams = commandLineParams(),
|
cmdParams = commandLineParams(),
|
||||||
config
|
config
|
||||||
|
|
||||||
checkDataDir(config)
|
|
||||||
|
|
||||||
createPidFile(config.dataDir.string / "beacon_node.pid")
|
createPidFile(config.dataDir.string / "beacon_node.pid")
|
||||||
|
|
||||||
config.createDumpDirs()
|
config.createDumpDirs()
|
||||||
|
|
|
@ -224,6 +224,12 @@ type
|
||||||
"(random|<path>) (default: random)"
|
"(random|<path>) (default: random)"
|
||||||
name: "netkey-file" }: string
|
name: "netkey-file" }: string
|
||||||
|
|
||||||
|
netKeyInsecurePassword* {.
|
||||||
|
defaultValue: false,
|
||||||
|
desc: "Use pre-generated INSECURE password for network private key " &
|
||||||
|
"file (default: false)"
|
||||||
|
name: "insecure-netkey-password" }: bool
|
||||||
|
|
||||||
of createTestnet:
|
of createTestnet:
|
||||||
testnetDepositsFile* {.
|
testnetDepositsFile* {.
|
||||||
desc: "A LaunchPad deposits file for the genesis state validators"
|
desc: "A LaunchPad deposits file for the genesis state validators"
|
||||||
|
@ -275,6 +281,12 @@ type
|
||||||
desc: "Output file with network private key for the network"
|
desc: "Output file with network private key for the network"
|
||||||
name: "netkey-file" }: OutFile
|
name: "netkey-file" }: OutFile
|
||||||
|
|
||||||
|
outputNetKeyInsecurePassword* {.
|
||||||
|
defaultValue: false,
|
||||||
|
desc: "Use pre-generated INSECURE password for network private key " &
|
||||||
|
"file (default: false)"
|
||||||
|
name: "insecure-netkey-password" }: bool
|
||||||
|
|
||||||
of wallets:
|
of wallets:
|
||||||
case walletsCmd* {.command.}: WalletsCmd
|
case walletsCmd* {.command.}: WalletsCmd
|
||||||
of WalletsCmd.create:
|
of WalletsCmd.create:
|
||||||
|
|
|
@ -272,6 +272,9 @@ const
|
||||||
when libp2p_pki_schemes != "secp256k1":
|
when libp2p_pki_schemes != "secp256k1":
|
||||||
{.fatal: "Incorrect building process, please use -d:\"libp2p_pki_schemes=secp256k1\"".}
|
{.fatal: "Incorrect building process, please use -d:\"libp2p_pki_schemes=secp256k1\"".}
|
||||||
|
|
||||||
|
const
|
||||||
|
NetworkInsecureKeyPassword = "INSECUREPASSWORD"
|
||||||
|
|
||||||
template libp2pProtocol*(name: string, version: int) {.pragma.}
|
template libp2pProtocol*(name: string, version: int) {.pragma.}
|
||||||
|
|
||||||
func shortLog*(peer: Peer): string = shortLog(peer.info.peerId)
|
func shortLog*(peer: Peer): string = shortLog(peer.info.peerId)
|
||||||
|
@ -1221,7 +1224,15 @@ proc getPersistentNetKeys*(rng: var BrHmacDrbgContext,
|
||||||
|
|
||||||
if fileAccessible(keyPath, {AccessFlags.Find}):
|
if fileAccessible(keyPath, {AccessFlags.Find}):
|
||||||
info "Network key storage is present, unlocking", key_path = keyPath
|
info "Network key storage is present, unlocking", key_path = keyPath
|
||||||
let res = loadNetKeystore(keyPath)
|
|
||||||
|
# Insecure password used only for automated testing.
|
||||||
|
let insecurePassword =
|
||||||
|
if conf.netKeyInsecurePassword:
|
||||||
|
some(NetworkInsecureKeyPassword)
|
||||||
|
else:
|
||||||
|
none[string]()
|
||||||
|
|
||||||
|
let res = loadNetKeystore(keyPath, insecurePassword)
|
||||||
if res.isNone():
|
if res.isNone():
|
||||||
fatal "Could not load network key file"
|
fatal "Could not load network key file"
|
||||||
quit QuitFailure
|
quit QuitFailure
|
||||||
|
@ -1242,7 +1253,14 @@ proc getPersistentNetKeys*(rng: var BrHmacDrbgContext,
|
||||||
let privKey = rres.get()
|
let privKey = rres.get()
|
||||||
let pubKey = privKey.getKey().tryGet()
|
let pubKey = privKey.getKey().tryGet()
|
||||||
|
|
||||||
let sres = saveNetKeystore(rng, keyPath, privKey)
|
# Insecure password used only for automated testing.
|
||||||
|
let insecurePassword =
|
||||||
|
if conf.netKeyInsecurePassword:
|
||||||
|
some(NetworkInsecureKeyPassword)
|
||||||
|
else:
|
||||||
|
none[string]()
|
||||||
|
|
||||||
|
let sres = saveNetKeystore(rng, keyPath, privKey, insecurePassword)
|
||||||
if sres.isErr():
|
if sres.isErr():
|
||||||
fatal "Could not create network key file", key_path = keyPath
|
fatal "Could not create network key file", key_path = keyPath
|
||||||
quit QuitFailure
|
quit QuitFailure
|
||||||
|
@ -1267,7 +1285,14 @@ proc getPersistentNetKeys*(rng: var BrHmacDrbgContext,
|
||||||
let privKey = rres.get()
|
let privKey = rres.get()
|
||||||
let pubKey = privKey.getKey().tryGet()
|
let pubKey = privKey.getKey().tryGet()
|
||||||
|
|
||||||
let sres = saveNetKeystore(rng, keyPath, privKey)
|
# Insecure password used only for automated testing.
|
||||||
|
let insecurePassword =
|
||||||
|
if conf.outputNetKeyInsecurePassword:
|
||||||
|
some(NetworkInsecureKeyPassword)
|
||||||
|
else:
|
||||||
|
none[string]()
|
||||||
|
|
||||||
|
let sres = saveNetKeystore(rng, keyPath, privKey, insecurePassword)
|
||||||
if sres.isErr():
|
if sres.isErr():
|
||||||
fatal "Could not create network key file"
|
fatal "Could not create network key file"
|
||||||
quit QuitFailure
|
quit QuitFailure
|
||||||
|
|
|
@ -131,7 +131,8 @@ type
|
||||||
FailedToCreateSecretFile
|
FailedToCreateSecretFile
|
||||||
FailedToCreateKeystoreFile
|
FailedToCreateKeystoreFile
|
||||||
|
|
||||||
proc loadNetKeystore*(keyStorePath: string): Option[lcrypto.PrivateKey] =
|
proc loadNetKeystore*(keyStorePath: string,
|
||||||
|
insecurePwd: Option[string]): Option[lcrypto.PrivateKey] =
|
||||||
when defined(windows):
|
when defined(windows):
|
||||||
# Windows do not support per-user permissions, skiping verification part.
|
# Windows do not support per-user permissions, skiping verification part.
|
||||||
discard
|
discard
|
||||||
|
@ -167,6 +168,15 @@ proc loadNetKeystore*(keyStorePath: string): Option[lcrypto.PrivateKey] =
|
||||||
error "Invalid network keystore", err = err.formatMsg(keystorePath)
|
error "Invalid network keystore", err = err.formatMsg(keystorePath)
|
||||||
return
|
return
|
||||||
|
|
||||||
|
if insecurePwd.isSome():
|
||||||
|
warn "Using insecure password to unlock networking key"
|
||||||
|
let decrypted = decryptNetKeystore(keystore, KeystorePass insecurePwd.get())
|
||||||
|
if decrypted.isOk:
|
||||||
|
return some(decrypted.get())
|
||||||
|
else:
|
||||||
|
error "Network keystore decryption failed", key_store = keyStorePath
|
||||||
|
return
|
||||||
|
else:
|
||||||
var remainingAttempts = 3
|
var remainingAttempts = 3
|
||||||
var counter = 0
|
var counter = 0
|
||||||
var prompt = "Please enter passphrase to unlock networking key: "
|
var prompt = "Please enter passphrase to unlock networking key: "
|
||||||
|
@ -188,8 +198,13 @@ proc loadNetKeystore*(keyStorePath: string): Option[lcrypto.PrivateKey] =
|
||||||
error "Network keystore decryption failed", key_store = keyStorePath
|
error "Network keystore decryption failed", key_store = keyStorePath
|
||||||
|
|
||||||
proc saveNetKeystore*(rng: var BrHmacDrbgContext, keyStorePath: string,
|
proc saveNetKeystore*(rng: var BrHmacDrbgContext, keyStorePath: string,
|
||||||
netKey: lcrypto.PrivateKey): Result[void, KeystoreGenerationError] =
|
netKey: lcrypto.PrivateKey, insecurePwd: Option[string]
|
||||||
|
): Result[void, KeystoreGenerationError] =
|
||||||
var password, confirmedPassword: TaintedString
|
var password, confirmedPassword: TaintedString
|
||||||
|
if insecurePwd.isSome():
|
||||||
|
warn "Using insecure password to lock networking key"
|
||||||
|
password = insecurePwd.get()
|
||||||
|
else:
|
||||||
while true:
|
while true:
|
||||||
let prompt = "Please enter NEW password to lock network key storage: "
|
let prompt = "Please enter NEW password to lock network key storage: "
|
||||||
|
|
||||||
|
@ -205,13 +220,14 @@ proc saveNetKeystore*(rng: var BrHmacDrbgContext, keyStorePath: string,
|
||||||
" characters"
|
" characters"
|
||||||
continue
|
continue
|
||||||
elif password in mostCommonPasswords:
|
elif password in mostCommonPasswords:
|
||||||
echo80 "The entered password is too commonly used and it would be easy " &
|
echo80 "The entered password is too commonly used and it would be " &
|
||||||
"to brute-force with automated tools."
|
"easy to brute-force with automated tools."
|
||||||
continue
|
continue
|
||||||
|
|
||||||
confirmedPassword =
|
confirmedPassword =
|
||||||
try:
|
try:
|
||||||
readPasswordFromStdin("Please confirm, network key storage password: ")
|
readPasswordFromStdin("Please confirm, network key storage " &
|
||||||
|
"password: ")
|
||||||
except IOError:
|
except IOError:
|
||||||
error "Could not read password from stdin"
|
error "Could not read password from stdin"
|
||||||
return err(FailedToCreateKeystoreFile)
|
return err(FailedToCreateKeystoreFile)
|
||||||
|
|
Loading…
Reference in New Issue