[EVM-370] Added --insecure flag to both ibft and polybft

command/cli_output.go

@@ -20,7 +20,8 @@ func (cli *cliOutput) WriteOutput() {
 	if cli.errorOutput != nil {
 		_, _ = fmt.Fprintln(os.Stderr, cli.getErrorOutput())
 
-		return
+		// return proper error exit code for cli error output
+		os.Exit(1)
 	}
 
 	_, _ = fmt.Fprintln(os.Stdout, cli.getCommandOutput())

command/polybftsecrets/params.go

@@ -23,13 +23,19 @@ const (
 
 	// maxInitNum is the maximum value for "num" flag
 	maxInitNum = 30
+
+	insecureLocalStore = "insecure"
 )
 
 var (
-	errInvalidNum      = fmt.Errorf("num flag value should be between 1 and %d", maxInitNum)
-	errInvalidConfig   = errors.New("invalid secrets configuration")
-	errInvalidParams   = errors.New("no config file or data directory passed in")
-	errUnsupportedType = errors.New("unsupported secrets manager")
+	errInvalidNum                     = fmt.Errorf("num flag value should be between 1 and %d", maxInitNum)
+	errInvalidConfig                  = errors.New("invalid secrets configuration")
+	errInvalidParams                  = errors.New("no config file or data directory passed in")
+	errUnsupportedType                = errors.New("unsupported secrets manager")
+	errSecureLocalStoreNotImplemented = errors.New(
+		"use a secrets backend, or supply an --insecure flag " +
+			"to store the private keys locally on the filesystem, " +
+			"avoid doing so in production")
 )
 
 type initParams struct {
@@ -42,6 +48,8 @@ type initParams struct {
 	printPrivateKey bool
 
 	numberOfSecrets int
+
+	insecureLocalStore bool
 }
 
 func (ip *initParams) validateFlags() error {
@@ -106,6 +114,13 @@ func (ip *initParams) setFlags(cmd *cobra.Command) {
 		false,
 		"the flag indicating whether Private key is printed",
 	)
+
+	cmd.Flags().BoolVar(
+		&ip.insecureLocalStore,
+		insecureLocalStore,
+		false,
+		"the flag indicating should the secrets stored on the local storage be encrypted",
+	)
 }
 
 func (ip *initParams) Execute() (Results, error) {
@@ -122,7 +137,7 @@ func (ip *initParams) Execute() (Results, error) {
 			configDir = fmt.Sprintf("%s%d", ip.configPath, i+1)
 		}
 
-		secretManager, err := getSecretsManager(dataDir, configDir)
+		secretManager, err := getSecretsManager(dataDir, configDir, ip.insecureLocalStore)
 		if err != nil {
 			return results, err
 		}
@@ -197,10 +212,12 @@ func (ip *initParams) getResult(secretsManager secrets.SecretsManager) (command.
 		}
 	}
 
+	res.Insecure = ip.insecureLocalStore
+
 	return res, nil
 }
 
-func getSecretsManager(dataPath, configPath string) (secrets.SecretsManager, error) {
+func getSecretsManager(dataPath, configPath string, insecureLocalStore bool) (secrets.SecretsManager, error) {
 	if configPath != "" {
 		secretsConfig, readErr := secrets.ReadConfig(configPath)
 		if readErr != nil {
@@ -214,5 +231,12 @@ func getSecretsManager(dataPath, configPath string) (secrets.SecretsManager, err
 		return helper.InitCloudSecretsManager(secretsConfig)
 	}
 
+	//Storing secrets on a local file system should only be allowed with --insecure flag,
+	//to raise awareness that it should be only used in development/testing environments.
+	//Production setups should use one of the supported secrets managers
+	if !insecureLocalStore {
+		return nil, errSecureLocalStoreNotImplemented
+	}
+
 	return helper.SetupLocalSecretsManager(dataPath)
 }

command/polybftsecrets/result.go

@@ -27,6 +27,7 @@ type SecretsInitResult struct {
 	BLSPubkey  string        `json:"bls_pubkey"`
 	NodeID     string        `json:"node_id"`
 	PrivateKey string        `json:"private_key"`
+	Insecure   bool          `json:"insecure"`
 }
 
 func (r *SecretsInitResult) GetOutput() string {
@@ -55,6 +56,10 @@ func (r *SecretsInitResult) GetOutput() string {
 
 	vals = append(vals, fmt.Sprintf("Node ID|%s", r.NodeID))
 
+	if r.Insecure {
+		buffer.WriteString("\n[WARNING: INSECURE LOCAL SECRETS - SHOULD NOT BE RUN IN PRODUCTION]\n")
+	}
+
 	buffer.WriteString("\n[SECRETS INIT]\n")
 	buffer.WriteString(helper.FormatKV(vals))
 	buffer.WriteString("\n")

command/secrets/init/params.go

@@ -9,26 +9,32 @@ import (
 )
 
 const (
-	dataDirFlag = "data-dir"
-	configFlag  = "config"
-	ecdsaFlag   = "ecdsa"
-	blsFlag     = "bls"
-	networkFlag = "network"
-	numFlag     = "num"
+	dataDirFlag        = "data-dir"
+	configFlag         = "config"
+	ecdsaFlag          = "ecdsa"
+	blsFlag            = "bls"
+	networkFlag        = "network"
+	numFlag            = "num"
+	insecureLocalStore = "insecure"
 )
 
 var (
-	errInvalidConfig   = errors.New("invalid secrets configuration")
-	errInvalidParams   = errors.New("no config file or data directory passed in")
-	errUnsupportedType = errors.New("unsupported secrets manager")
+	errInvalidConfig                  = errors.New("invalid secrets configuration")
+	errInvalidParams                  = errors.New("no config file or data directory passed in")
+	errUnsupportedType                = errors.New("unsupported secrets manager")
+	errSecureLocalStoreNotImplemented = errors.New(
+		"use a secrets backend, or supply an --insecure flag " +
+			"to store the private keys locally on the filesystem, " +
+			"avoid doing so in production")
 )
 
 type initParams struct {
-	dataDir          string
-	configPath       string
-	generatesECDSA   bool
-	generatesBLS     bool
-	generatesNetwork bool
+	dataDir            string
+	configPath         string
+	generatesECDSA     bool
+	generatesBLS       bool
+	generatesNetwork   bool
+	insecureLocalStore bool
 
 	secretsManager secrets.SecretsManager
 	secretsConfig  *secrets.SecretsManagerConfig
@@ -89,6 +95,14 @@ func (ip *initParams) parseConfig() error {
 }
 
 func (ip *initParams) initLocalSecretsManager() error {
+	if !ip.insecureLocalStore {
+		//Storing secrets on a local file system should only be allowed with --insecure flag,
+		//to raise awareness that it should be only used in development/testing environments.
+		//Production setups should use one of the supported secrets managers
+		return errSecureLocalStoreNotImplemented
+	}
+
+	// setup local secrets manager
 	local, err := helper.SetupLocalSecretsManager(ip.dataDir)
 	if err != nil {
 		return err
@@ -146,5 +160,7 @@ func (ip *initParams) getResult() (command.CommandResult, error) {
 		return nil, err
 	}
 
+	res.Insecure = ip.insecureLocalStore
+
 	return res, nil
 }

command/secrets/init/result.go

@@ -12,6 +12,7 @@ type SecretsInitResult struct {
 	Address   types.Address `json:"address"`
 	BLSPubkey string        `json:"bls_pubkey"`
 	NodeID    string        `json:"node_id"`
+	Insecure  bool          `json:"insecure"`
 }
 
 func (r *SecretsInitResult) GetOutput() string {
@@ -33,6 +34,10 @@ func (r *SecretsInitResult) GetOutput() string {
 
 	vals = append(vals, fmt.Sprintf("Node ID|%s", r.NodeID))
 
+	if r.Insecure {
+		buffer.WriteString("\n[WARNING: INSECURE LOCAL SECRETS - SHOULD NOT BE RUN IN PRODUCTION]\n")
+	}
+
 	buffer.WriteString("\n[SECRETS INIT]\n")
 	buffer.WriteString(helper.FormatKV(vals))
 	buffer.WriteString("\n")

command/secrets/init/secrets_init.go

@@ -84,6 +84,13 @@ func setFlags(cmd *cobra.Command) {
 		true,
 		"the flag indicating whether new BLS key is created",
 	)
+
+	cmd.Flags().BoolVar(
+		&basicParams.insecureLocalStore,
+		insecureLocalStore,
+		false,
+		"the flag indicating should the secrets stored on the local storage be encrypted",
+	)
 }
 
 func runPreRun(_ *cobra.Command, _ []string) error {
@@ -131,11 +138,12 @@ func getParamsList() []initParams {
 	paramsList := make([]initParams, initNumber)
 	for i := 1; i <= initNumber; i++ {
 		paramsList[i-1] = initParams{
-			dataDir:          fmt.Sprintf("%s%d", basicParams.dataDir, i),
-			configPath:       basicParams.configPath,
-			generatesECDSA:   basicParams.generatesECDSA,
-			generatesBLS:     basicParams.generatesBLS,
-			generatesNetwork: basicParams.generatesNetwork,
+			dataDir:            fmt.Sprintf("%s%d", basicParams.dataDir, i),
+			configPath:         basicParams.configPath,
+			generatesECDSA:     basicParams.generatesECDSA,
+			generatesBLS:       basicParams.generatesBLS,
+			generatesNetwork:   basicParams.generatesNetwork,
+			insecureLocalStore: basicParams.insecureLocalStore,
 		}
 	}
 

command/secrets/output/result.go

@@ -7,19 +7,19 @@ import (
 	"github.com/0xPolygon/polygon-edge/command/helper"
 )
 
-// SecretsOutputAllResults for default output case
+// SecretsOutputAllResult for default output case
 type SecretsOutputAllResult struct {
 	Address   string `json:"address"`
 	BLSPubkey string `json:"bls"`
 	NodeID    string `json:"node_id"`
 }
 
-// SecretsOutputNodeIDResults for `--node` output case
+// SecretsOutputNodeIDResult for `--node` output case
 type SecretsOutputNodeIDResult struct {
 	NodeID string `json:"node_id"`
 }
 
-// SecretsOutputBLSResults for `--bls` output case
+// SecretsOutputBLSResult for `--bls` output case
 type SecretsOutputBLSResult struct {
 	BLSPubkey string `json:"bls"`
 }

docker/local/polygon-edge.sh

@@ -19,7 +19,7 @@ case "$1" in
       case "$2" in 
          "ibft")
               echo "Generating secrets..."
-              secrets=$("$POLYGON_EDGE_BIN" secrets init --num 4 --data-dir /data/data- --json)
+              secrets=$("$POLYGON_EDGE_BIN" secrets init --insecure --num 4 --data-dir /data/data- --json)
               echo "Secrets have been successfully generated"
               echo "Generating IBFT Genesis file..."
               cd /data && /polygon-edge/polygon-edge genesis  $CHAIN_CUSTOM_OPTIONS \
@@ -32,7 +32,7 @@ case "$1" in
               ;;
           "polybft")
               echo "Generating PolyBFT secrets..."
-              secrets=$("$POLYGON_EDGE_BIN" polybft-secrets init --num 4 --data-dir /data/data- --json)
+              secrets=$("$POLYGON_EDGE_BIN" polybft-secrets init --insecure --num 4 --data-dir /data/data- --json)
               echo "Secrets have been successfully generated"
 
               echo "Generating manifest..."

e2e-polybft/framework/test-cluster.go

@@ -563,6 +563,7 @@ func (c *TestCluster) InitSecrets(prefix string, count int) ([]types.Address, er
 		"polybft-secrets",
 		"--data-dir", path.Join(c.Config.TmpDir, prefix),
 		"--num", strconv.Itoa(count),
+		"--insecure",
 	}
 	stdOut := c.Config.GetStdout("polybft-secrets", &b)
 

e2e/framework/testserver.go

@@ -195,6 +195,7 @@ func (t *TestServer) SecretsInit() (*InitIBFTResult, error) {
 	commandSlice := strings.Split(fmt.Sprintf("secrets %s", secretsInitCmd.Use), " ")
 	args = append(args, commandSlice...)
 	args = append(args, "--data-dir", filepath.Join(t.Config.IBFTDir, "tmp"))
+	args = append(args, "--insecure")
 
 	cmd := exec.Command(resolveBinary(), args...) //nolint:gosec
 	cmd.Dir = t.Config.RootDir

scripts/cluster

@@ -2,10 +2,10 @@
 
 function initIbftConsensus() {
     echo "Running with ibft consensus"
-    ./polygon-edge secrets init --data-dir test-chain- --num 4
+    ./polygon-edge secrets init --insecure --data-dir test-chain- --num 4
 
-    node1_id=$(polygon-edge secrets output --data-dir test-chain-1 | grep Node | head -n 1 | awk -F ' ' '{print $4}')
-    node2_id=$(polygon-edge secrets output --data-dir test-chain-2 | grep Node | head -n 1 | awk -F ' ' '{print $4}')
+    node1_id=$(./polygon-edge secrets output --data-dir test-chain-1 | grep Node | head -n 1 | awk -F ' ' '{print $4}')
+    node2_id=$(./polygon-edge secrets output --data-dir test-chain-2 | grep Node | head -n 1 | awk -F ' ' '{print $4}')
 
     genesis_params="--consensus ibft --ibft-validators-prefix-path test-chain- \
     --bootnode /ip4/127.0.0.1/tcp/30301/p2p/$node1_id \
@@ -15,7 +15,7 @@ function initIbftConsensus() {
 function initPolybftConsensus() {
     echo "Running with polybft consensus"
     genesis_params="--consensus polybft --validator-set-size=4 --bridge-json-rpc http://127.0.0.1:8545"
-    ./polygon-edge polybft-secrets --data-dir test-chain- --num 4
+    ./polygon-edge polybft-secrets --insecure --data-dir test-chain- --num 4
     ./polygon-edge manifest
 }