fix: Hide other sensitive cfg values #194

Merged
merged 6 commits into from
Nov 20, 2024
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -21,7 +21,7 @@ docker-build:
@docker build -t ghcr.io/layr-labs/eigenda-proxy:dev .

run-memstore-server:
./bin/eigenda-proxy --memstore.enabled
./bin/eigenda-proxy --memstore.enabled --eigenda.cert-verification-disabled --eigenda.eth-rpc http://localhost:8545 --eigenda.svc-manager-addr 0x123

disperse-test-blob:
curl -X POST -d my-blob-content http://127.0.0.1:3100/put/
11 changes: 7 additions & 4 deletions cmd/server/entrypoint.go
Expand Up @@ -73,17 +73,20 @@ func StartProxySvr(cliCtx *cli.Context) error {
}

// TODO: we should probably just change EdaClientConfig struct definition in eigenda-client
// to have a `json:"-"` tag on the SignerPrivateKeyHex field, to prevent the privateKey from being marshaled at all
func prettyPrintConfig(cliCtx *cli.Context, log log.Logger) error {
// we read a new config which we modify to hide private info in order to log the rest
cfg := server.ReadCLIConfig(cliCtx)
cfg.EigenDAConfig.EdaClientConfig.SignerPrivateKeyHex = "HIDDEN"
cfg.EigenDAConfig.VerifierConfig.RPCURL = "HIDDEN"
if cfg.EigenDAConfig.EdaClientConfig.SignerPrivateKeyHex != "" {
cfg.EigenDAConfig.EdaClientConfig.SignerPrivateKeyHex = "*****" // marshaling defined in client config
}
if cfg.EigenDAConfig.EdaClientConfig.EthRpcUrl != "" {
cfg.EigenDAConfig.EdaClientConfig.EthRpcUrl = "*****" // hiding as RPC providers typically use sensitive API keys within
}

configJSON, err := json.MarshalIndent(cfg, "", " ")
if err != nil {
return fmt.Errorf("failed to marshal config: %w", err)
}
log.Info(fmt.Sprintf("Initializing EigenDA proxy server with config: %v", string(configJSON)))
log.Info(fmt.Sprintf("Initializing EigenDA proxy server with config (\"*****\" fields are hidden): %v", string(configJSON)))
return nil
}
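Review bot: The masking in prettyPrintConfig is a per-field list applied just before `json.MarshalIndent(cfg, "", " ")`, so a credential field that is neither overwritten here nor covered by a `MarshalJSON` on its own type still reaches `log.Info` in clear text. Only `SignerPrivateKeyHex` and `EthRpcUrl` are handled at this call site, and nothing visible in the change tests the resulting output. A unit test that sets every secret-bearing field to a sentinel value, marshals the config and asserts the sentinel is absent from the output would catch a field that is added later and forgotten. Until secrets are separated from the config, a comment above the two checks such as `// every secret field of EdaClientConfig must be masked here; unlisted fields are logged verbatim` would make the contract explicit. StartProxySvr, whose closing brace opens this hunk, starts outside it.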
1 change: 0 additions & 1 deletion e2e/setup.go
Expand Up @@ -133,7 +133,6 @@ func createRedisConfig(eigendaCfg server.Config) server.CLIConfig {
Password: "",
DB: 0,
Eviction: 10 * time.Minute,
Profile: true,
}
return server.CLIConfig{
EigenDAConfig: eigendaCfg,
15 changes: 14 additions & 1 deletion store/precomputed_key/redis/redis.go
Expand Up @@ -2,6 +2,7 @@ package redis

import (
"context"
"encoding/json"
"errors"
"fmt"
"time"
Expand All @@ -16,7 +17,19 @@ type Config struct {
Password string
DB int
Eviction time.Duration
Profile bool
}

// Custom MarshalJSON function to control what gets included in the JSON output.
// TODO: Probably best would be to separate config from secrets everywhere.
// Then we could just log the config and not worry about secrets.
func (c Config) MarshalJSON() ([]byte, error) {
type Alias Config // Use an alias to avoid recursion with MarshalJSON
aux := (Alias)(c)
// Conditionally include a masked password if it is set
if aux.Password != "" {
aux.Password = "*****"
}
return json.Marshal(aux)
}

// Store ... Redis storage backend implementation
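Review bot: `MarshalJSON` on `Config` changes every JSON encoding of this type, not only the startup log, and there is no matching `UnmarshalJSON`, so any code that serializes a `Config` and reads it back gets the literal `*****` as the Redis password. If the method is meant for display only, its doc comment should say so, for example `// MarshalJSON masks Password so that Config can be logged; the output is for display and must not be decoded back into a Config.` The same applies to the `MarshalJSON` methods added in store/precomputed_key/s3/s3.go and verify/verifier.go. Whether anything in the project round-trips these configs through JSON is not visible from this page.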
14 changes: 14 additions & 0 deletions store/precomputed_key/s3/s3.go
Expand Up @@ -4,6 +4,7 @@ import (
"bytes"
"context"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"io"
Expand Down Expand Up @@ -47,6 +48,19 @@ type Config struct {
Path string
}

// Custom MarshalJSON function to control what gets included in the JSON output
// TODO: Probably best would be to separate config from secrets everywhere.
// Then we could just log the config and not worry about secrets.
func (c Config) MarshalJSON() ([]byte, error) {
type Alias Config // Use an alias to avoid recursion with MarshalJSON
aux := (Alias)(c)
// Conditionally include a masked password if it is set
if aux.AccessKeySecret != "" {
aux.AccessKeySecret = "*****"
}
return json.Marshal(aux)
}

// Store ... S3 store
// client safe for concurrent use: https://github.com/minio/minio-go/issues/598#issuecomment-569457863
type Store struct {
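Review bot: The inline comment `// Conditionally include a masked password if it is set` appears to be copied from the Redis config, but the field masked here is `AccessKeySecret`; verify/verifier.go carries the same comment above its `RPCURL` check. I would reword both to name the field, e.g. `// Mask AccessKeySecret when it is set` and `// Mask RPCURL when it is set; provider URLs often embed an API key`. The doc comment would also read better in godoc form, starting with the method name: `// MarshalJSON returns the config as JSON with AccessKeySecret masked.`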
12 changes: 12 additions & 0 deletions verify/verifier.go
Expand Up @@ -2,6 +2,7 @@ package verify

import (
"context"
"encoding/json"
"fmt"
"math/big"

Expand All @@ -28,6 +29,17 @@ type Config struct {
WaitForFinalization bool
}

// Custom MarshalJSON function to control what gets included in the JSON output
func (c Config) MarshalJSON() ([]byte, error) {
type Alias Config // Use an alias to avoid recursion with MarshalJSON
aux := (Alias)(c)
// Conditionally include a masked password if it is set
if aux.RPCURL != "" {
aux.RPCURL = "*****"
}
return json.Marshal(aux)
}

// TODO: right now verification and confirmation depth are tightly coupled. we should decouple them
type Verifier struct {
// kzgVerifier is needed to commit blobs to the memstore