Add insecure password for automated testing.

Fix checkDataDir to run before setupLogging.
This commit is contained in:
cheatfate 2020-08-25 13:16:31 +03:00 committed by zah
parent e43af4e978
commit e1182f8000
4 changed files with 102 additions and 51 deletions

View File

@ -900,7 +900,7 @@ proc createPidFile(filename: string) =
proc checkDataDir(conf: BeaconNodeConf) =
## Checks `conf.dataDir`.
## If folder exists, prcoedure will check it for access and
## If folder exists, procedure will check it for access and
## permissions `0750 (rwxr-x---)`, if folder do not exists it will be created
## with permissions `0750 (rwxr-x---)`.
let dataDir = string(conf.dataDir)
@ -1136,6 +1136,8 @@ programMain:
# This is ref so we can mutate it (to erase it) after the initial loading.
stateSnapshotContents: ref string
checkDataDir(config)
setupLogging(config.logLevel, config.logFile)
if config.eth2Network.isSome:
@ -1173,8 +1175,6 @@ programMain:
case config.cmd
of createTestnet:
checkDataDir(config)
let launchPadDeposits = try:
Json.loadFile(config.testnetDepositsFile.string, seq[LaunchPadDeposit])
except SerializationError as err:
@ -1235,8 +1235,6 @@ programMain:
cmdParams = commandLineParams(),
config
checkDataDir(config)
createPidFile(config.dataDir.string / "beacon_node.pid")
config.createDumpDirs()

View File

@ -224,6 +224,12 @@ type
"(random|<path>) (default: random)"
name: "netkey-file" }: string
netKeyInsecurePassword* {.
defaultValue: false,
desc: "Use pre-generated INSECURE password for network private key " &
"file (default: false)"
name: "insecure-netkey-password" }: bool
of createTestnet:
testnetDepositsFile* {.
desc: "A LaunchPad deposits file for the genesis state validators"
@ -275,6 +281,12 @@ type
desc: "Output file with network private key for the network"
name: "netkey-file" }: OutFile
outputNetKeyInsecurePassword* {.
defaultValue: false,
desc: "Use pre-generated INSECURE password for network private key " &
"file (default: false)"
name: "insecure-netkey-password" }: bool
of wallets:
case walletsCmd* {.command.}: WalletsCmd
of WalletsCmd.create:

View File

@ -272,6 +272,9 @@ const
when libp2p_pki_schemes != "secp256k1":
{.fatal: "Incorrect building process, please use -d:\"libp2p_pki_schemes=secp256k1\"".}
const
NetworkInsecureKeyPassword = "INSECUREPASSWORD"
template libp2pProtocol*(name: string, version: int) {.pragma.}
func shortLog*(peer: Peer): string = shortLog(peer.info.peerId)
@ -1221,7 +1224,15 @@ proc getPersistentNetKeys*(rng: var BrHmacDrbgContext,
if fileAccessible(keyPath, {AccessFlags.Find}):
info "Network key storage is present, unlocking", key_path = keyPath
let res = loadNetKeystore(keyPath)
# Insecure password used only for automated testing.
let insecurePassword =
if conf.netKeyInsecurePassword:
some(NetworkInsecureKeyPassword)
else:
none[string]()
let res = loadNetKeystore(keyPath, insecurePassword)
if res.isNone():
fatal "Could not load network key file"
quit QuitFailure
@ -1242,7 +1253,14 @@ proc getPersistentNetKeys*(rng: var BrHmacDrbgContext,
let privKey = rres.get()
let pubKey = privKey.getKey().tryGet()
let sres = saveNetKeystore(rng, keyPath, privKey)
# Insecure password used only for automated testing.
let insecurePassword =
if conf.netKeyInsecurePassword:
some(NetworkInsecureKeyPassword)
else:
none[string]()
let sres = saveNetKeystore(rng, keyPath, privKey, insecurePassword)
if sres.isErr():
fatal "Could not create network key file", key_path = keyPath
quit QuitFailure
@ -1267,7 +1285,14 @@ proc getPersistentNetKeys*(rng: var BrHmacDrbgContext,
let privKey = rres.get()
let pubKey = privKey.getKey().tryGet()
let sres = saveNetKeystore(rng, keyPath, privKey)
# Insecure password used only for automated testing.
let insecurePassword =
if conf.outputNetKeyInsecurePassword:
some(NetworkInsecureKeyPassword)
else:
none[string]()
let sres = saveNetKeystore(rng, keyPath, privKey, insecurePassword)
if sres.isErr():
fatal "Could not create network key file"
quit QuitFailure

View File

@ -131,7 +131,8 @@ type
FailedToCreateSecretFile
FailedToCreateKeystoreFile
proc loadNetKeystore*(keyStorePath: string): Option[lcrypto.PrivateKey] =
proc loadNetKeystore*(keyStorePath: string,
insecurePwd: Option[string]): Option[lcrypto.PrivateKey] =
when defined(windows):
# Windows do not support per-user permissions, skiping verification part.
discard
@ -167,6 +168,15 @@ proc loadNetKeystore*(keyStorePath: string): Option[lcrypto.PrivateKey] =
error "Invalid network keystore", err = err.formatMsg(keystorePath)
return
if insecurePwd.isSome():
warn "Using insecure password to unlock networking key"
let decrypted = decryptNetKeystore(keystore, KeystorePass insecurePwd.get())
if decrypted.isOk:
return some(decrypted.get())
else:
error "Network keystore decryption failed", key_store = keyStorePath
return
else:
var remainingAttempts = 3
var counter = 0
var prompt = "Please enter passphrase to unlock networking key: "
@ -188,8 +198,13 @@ proc loadNetKeystore*(keyStorePath: string): Option[lcrypto.PrivateKey] =
error "Network keystore decryption failed", key_store = keyStorePath
proc saveNetKeystore*(rng: var BrHmacDrbgContext, keyStorePath: string,
netKey: lcrypto.PrivateKey): Result[void, KeystoreGenerationError] =
netKey: lcrypto.PrivateKey, insecurePwd: Option[string]
): Result[void, KeystoreGenerationError] =
var password, confirmedPassword: TaintedString
if insecurePwd.isSome():
warn "Using insecure password to lock networking key"
password = insecurePwd.get()
else:
while true:
let prompt = "Please enter NEW password to lock network key storage: "
@ -205,13 +220,14 @@ proc saveNetKeystore*(rng: var BrHmacDrbgContext, keyStorePath: string,
" characters"
continue
elif password in mostCommonPasswords:
echo80 "The entered password is too commonly used and it would be easy " &
"to brute-force with automated tools."
echo80 "The entered password is too commonly used and it would be " &
"easy to brute-force with automated tools."
continue
confirmedPassword =
try:
readPasswordFromStdin("Please confirm, network key storage password: ")
readPasswordFromStdin("Please confirm, network key storage " &
"password: ")
except IOError:
error "Could not read password from stdin"
return err(FailedToCreateKeystoreFile)