EVM-370 Added insecure flag for local store. (#1159)

* added insecure flag for local store * added --insecure flag to docker script
0xPolygon · Feb 2, 2023 · 9eccd18 · 9eccd18
1 parent 9e25218
commit 9eccd18
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 22 deletions.
diff --git a/command/secrets/init/params.go b/command/secrets/init/params.go
@@ -9,26 +9,32 @@ import (
 )
 
 const (
-	dataDirFlag = "data-dir"
-	configFlag  = "config"
-	ecdsaFlag   = "ecdsa"
-	blsFlag     = "bls"
-	networkFlag = "network"
-	numFlag     = "num"
+	dataDirFlag            = "data-dir"
+	configFlag             = "config"
+	ecdsaFlag              = "ecdsa"
+	blsFlag                = "bls"
+	networkFlag            = "network"
+	numFlag                = "num"
+	insecureLocalStoreFlag = "insecure"
 )
 
 var (
-	errInvalidConfig   = errors.New("invalid secrets configuration")
-	errInvalidParams   = errors.New("no config file or data directory passed in")
-	errUnsupportedType = errors.New("unsupported secrets manager")
+	errInvalidConfig                  = errors.New("invalid secrets configuration")
+	errInvalidParams                  = errors.New("no config file or data directory passed in")
+	errUnsupportedType                = errors.New("unsupported secrets manager")
+	errSecureLocalStoreNotImplemented = errors.New(
+		"use a secrets backend, or supply an --insecure flag " +
+			"to store the private keys locally on the filesystem, " +
+			"avoid doing so in production")
 )
 
 type initParams struct {
-	dataDir          string
-	configPath       string
-	generatesECDSA   bool
-	generatesBLS     bool
-	generatesNetwork bool
+	dataDir            string
+	configPath         string
+	generatesECDSA     bool
+	generatesBLS       bool
+	generatesNetwork   bool
+	insecureLocalStore bool
 
 	secretsManager secrets.SecretsManager
 	secretsConfig  *secrets.SecretsManagerConfig
@@ -89,6 +95,14 @@ func (ip *initParams) parseConfig() error {
 }
 
 func (ip *initParams) initLocalSecretsManager() error {
+	if !ip.insecureLocalStore {
+		//Storing secrets on a local file system should only be allowed with --insecure flag,
+		//to raise awareness that it should be only used in development/testing environments.
+		//Production setups should use one of the supported secrets managers
+		return errSecureLocalStoreNotImplemented
+	}
+
+	// setup local secrets manager
 	local, err := helper.SetupLocalSecretsManager(ip.dataDir)
 	if err != nil {
 		return err
@@ -146,5 +160,7 @@ func (ip *initParams) getResult() (command.CommandResult, error) {
 		return nil, err
 	}
 
+	res.Insecure = ip.insecureLocalStore
+
 	return res, nil
 }
diff --git a/command/secrets/init/result.go b/command/secrets/init/result.go
@@ -26,6 +26,7 @@ type SecretsInitResult struct {
 	Address   types.Address `json:"address"`
 	BLSPubkey string        `json:"bls_pubkey"`
 	NodeID    string        `json:"node_id"`
+	Insecure  bool          `json:"insecure"`
 }
 
 func (r *SecretsInitResult) GetOutput() string {
@@ -47,6 +48,10 @@ func (r *SecretsInitResult) GetOutput() string {
 
 	vals = append(vals, fmt.Sprintf("Node ID|%s", r.NodeID))
 
+	if r.Insecure {
+		buffer.WriteString("\n[WARNING: INSECURE LOCAL SECRETS - SHOULD NOT BE RUN IN PRODUCTION]\n")
+	}
+
 	buffer.WriteString("\n[SECRETS INIT]\n")
 	buffer.WriteString(helper.FormatKV(vals))
 	buffer.WriteString("\n")

diff --git a/command/secrets/init/secrets_init.go b/command/secrets/init/secrets_init.go
@@ -84,6 +84,13 @@ func setFlags(cmd *cobra.Command) {
 		true,
 		"the flag indicating whether new BLS key is created",
 	)
+
+	cmd.Flags().BoolVar(
+		&basicParams.insecureLocalStore,
+		insecureLocalStoreFlag,
+		false,
+		"the flag indicating should the secrets stored on the local storage be encrypted",
+	)
 }
 
 func runPreRun(_ *cobra.Command, _ []string) error {
@@ -131,10 +138,11 @@ func newParamsList(params initParams, num int) []initParams {
 	paramsList := make([]initParams, num)
 	for i := 1; i <= num; i++ {
 		paramsList[i-1] = initParams{
-			dataDir:          fmt.Sprintf("%s%d", params.dataDir, i),
-			generatesECDSA:   params.generatesECDSA,
-			generatesBLS:     params.generatesBLS,
-			generatesNetwork: params.generatesNetwork,
+			dataDir:            fmt.Sprintf("%s%d", params.dataDir, i),
+			generatesECDSA:     params.generatesECDSA,
+			generatesBLS:       params.generatesBLS,
+			generatesNetwork:   params.generatesNetwork,
+			insecureLocalStore: params.insecureLocalStore,
 		}
 	}
 

diff --git a/command/secrets/output/result.go b/command/secrets/output/result.go
@@ -7,19 +7,19 @@ import (
 	"github.com/0xPolygon/polygon-edge/command/helper"
 )
 
-// SecretsOutputAllResults for default output case
+// SecretsOutputAllResult for default output case
 type SecretsOutputAllResult struct {
 	Address   string `json:"address"`
 	BLSPubkey string `json:"bls"`
 	NodeID    string `json:"node_id"`
 }
 
-// SecretsOutputNodeIDResults for `--node` output case
+// SecretsOutputNodeIDResult for `--node` output case
 type SecretsOutputNodeIDResult struct {
 	NodeID string `json:"node_id"`
 }
 
-// SecretsOutputBLSResults for `--bls` output case
+// SecretsOutputBLSResult for `--bls` output case
 type SecretsOutputBLSResult struct {
 	BLSPubkey string `json:"bls"`
 }

diff --git a/docker/local/polygon-edge.sh b/docker/local/polygon-edge.sh
@@ -12,7 +12,7 @@ case "$1" in
           echo "Secrets have already been generated."
       else
           echo "Generating secrets..."
-          secrets=$("$POLYGON_EDGE_BIN" secrets init --num 4 --data-dir /data/data- --json)
+          secrets=$("$POLYGON_EDGE_BIN" secrets init --num 4 --data-dir /data/data- --insecure --json)
           echo "Secrets have been successfully generated"
 
           echo "Generating genesis file..."