apollo_network: Sensitive secret_key (#10399)

Author: victorkstarkware

crates/apollo_config/src/converters.rs

@@ -33,6 +33,8 @@ use serde::de::Error;
 use serde::{Deserialize, Deserializer, Serialize};
 use url::Url;
 
+use crate::secrets::Sensitive;
+
 /// Deserializes milliseconds to duration object.
 pub fn deserialize_milliseconds_to_duration<'de, D>(de: D) -> Result<Duration, D::Error>
 where
@@ -310,3 +312,14 @@ where
     }
     Ok(Some(output))
 }
+
+/// Deserializes a sensitive `Vec<u8>` from hex string structure.
+pub fn deserialize_optional_sensitive_vec_u8<'de, D>(
+    de: D,
+) -> Result<Option<Sensitive<Vec<u8>>>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let optional_vec = deserialize_optional_vec_u8(de)?;
+    Ok(optional_vec.map(Sensitive::new))
+}

crates/apollo_config/src/validators.rs

@@ -4,6 +4,7 @@ use std::path::Path;
 
 use validator::{Validate, ValidationError, ValidationErrors, ValidationErrorsKind};
 
+use crate::secrets::Sensitive;
 use crate::ConfigError;
 
 /// Custom validation for ASCII string.
@@ -34,6 +35,13 @@ pub fn validate_vec_u256(vec: &[u8]) -> Result<(), ValidationError> {
     Ok(())
 }
 
+/// Validates a sensitive `Vec<u8>` to ensure it's 32 bytes.
+pub fn validate_optional_sensitive_vec_u256(
+    secret_key: &Sensitive<Vec<u8>>,
+) -> Result<(), ValidationError> {
+    validate_vec_u256(secret_key.as_ref())
+}
+
 /// Struct for parsing a validation error.
 #[derive(Debug)]
 pub struct ParsedValidationError {

crates/apollo_network/src/bin/broadcast_network_stress_test_node/main.rs

@@ -186,7 +186,7 @@ async fn main() {
 
     let mut network_config = NetworkConfig {
         port: args.p2p_port,
-        secret_key: Some(peer_private_key.to_vec()),
+        secret_key: Some(peer_private_key.to_vec().into()),
         ..Default::default()
     };
     if let Some(peer) = &args.bootstrap {

crates/apollo_network/src/bin/broadcast_network_stress_test_node/utils.rs

@@ -83,7 +83,7 @@ impl TestConfig {
         let _ = TestConfig {
             network_config: NetworkConfig {
                 port: 10000,
-                secret_key: Some(secret_key),
+                secret_key: Some(secret_key.into()),
                 ..Default::default()
             },
             ..Default::default()

crates/apollo_network/src/lib.rs

@@ -25,7 +25,7 @@ use std::time::Duration;
 
 use apollo_config::converters::{
     deserialize_comma_separated_str,
-    deserialize_optional_vec_u8,
+    deserialize_optional_sensitive_vec_u8,
     deserialize_seconds_to_duration,
     serialize_optional_comma_separated,
     serialize_optional_vec_u8,
@@ -36,7 +36,8 @@ use apollo_config::dumping::{
     ser_param,
     SerializeConfig,
 };
-use apollo_config::validators::validate_vec_u256;
+use apollo_config::secrets::Sensitive;
+use apollo_config::validators::validate_optional_sensitive_vec_u256;
 use apollo_config::{ParamPath, ParamPrivacyInput, SerializedParam};
 use discovery::DiscoveryConfig;
 use libp2p::swarm::dial_opts::DialOpts;
@@ -61,9 +62,9 @@ pub struct NetworkConfig {
     #[serde(deserialize_with = "deserialize_comma_separated_str")]
     #[validate(custom(function = "validate_bootstrap_peer_multiaddr_list"))]
     pub bootstrap_peer_multiaddr: Option<Vec<Multiaddr>>,
-    #[validate(custom(function = "validate_vec_u256"))]
-    #[serde(deserialize_with = "deserialize_optional_vec_u8")]
-    pub secret_key: Option<Vec<u8>>,
+    #[validate(custom(function = "validate_optional_sensitive_vec_u256"))]
+    #[serde(deserialize_with = "deserialize_optional_sensitive_vec_u8")]
+    pub secret_key: Option<Sensitive<Vec<u8>>>,
     pub advertised_multiaddr: Option<Multiaddr>,
     pub chain_id: ChainId,
     pub discovery_config: DiscoveryConfig,
@@ -140,7 +141,7 @@ impl SerializeConfig for NetworkConfig {
         ));
         config.extend([ser_param(
             "secret_key",
-            &serialize_optional_vec_u8(&self.secret_key),
+            &serialize_optional_vec_u8(&self.secret_key.as_ref().map(|s| s.as_ref().clone())),
             "The secret key used for building the peer id. If it's an empty string a random one \
              will be used.",
             ParamPrivacyInput::Private,

crates/apollo_network/src/network_manager/mod.rs

@@ -716,9 +716,10 @@ impl NetworkManager {
         debug!("Creating swarm with listen address: {listen_address:?}");
 
         let key_pair = match secret_key {
-            Some(secret_key) => {
-                Keypair::ed25519_from_bytes(secret_key).expect("Error while parsing secret key")
-            }
+            Some(secret_key) => Keypair::ed25519_from_bytes(secret_key.as_ref().clone())
+                .expect("Error while parsing secret key"), // TODO(victork): make sure we're
+            // allowed to expose the secret key
+            // here
             None => Keypair::generate_ed25519(),
         };
         let mut swarm = SwarmBuilder::with_existing_identity(key_pair)

crates/apollo_network/src/network_manager/test_utils.rs

@@ -184,7 +184,7 @@ pub fn create_connected_network_configs(ports: Vec<u16>) -> Vec<NetworkConfig> {
         .map(|(port, private_key)| NetworkConfig {
             port,
             bootstrap_peer_multiaddr: Some(nodes_addresses.clone()),
-            secret_key: Some(private_key.to_vec()),
+            secret_key: Some(private_key.to_vec().into()),
             ..Default::default()
         })
         .collect()