Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ scrypt = "0.11.0"
subtle = "2.6"
unicode-normalization = "0.1.25"
zeroize = "1.8.2"
secrecy = "0.8"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please bump to the latest version

Suggested change
secrecy = "0.8"
secrecy = "0.10"

uuid = { version = "1.19", features = ["serde", "v4"] }
unsigned-varint = { version = "0.8", features = ["futures"] }
serde_with = { version = "3.16", features = ["hex", "base64"] }
Expand Down
25 changes: 23 additions & 2 deletions crates/dkg/src/dkg.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use std::{collections::HashMap, ffi::OsStr, num::TryFromIntError, path, time::Duration};
use std::{collections::HashMap, ffi::OsStr, fmt, num::TryFromIntError, path, time::Duration};

use bon::Builder;
use futures::StreamExt;
Expand Down Expand Up @@ -219,14 +219,23 @@ pub enum DkgError {
}

/// Keymanager configuration accepted by the entrypoint.
#[derive(Debug, Clone, Default, Builder)]
#[derive(Clone, Default, Builder)]
pub struct KeymanagerConfig {
/// The keymanager URL.
pub address: String,
/// Bearer token used for authentication.
pub auth_token: String,
}

impl fmt::Debug for KeymanagerConfig {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("KeymanagerConfig")
.field("address", &self.address)
.field("auth_token", &"<redacted>")
.finish()
}
}

/// Publish configuration accepted by the entrypoint.
#[derive(Debug, Clone, Builder)]
pub struct PublishConfig {
Expand Down Expand Up @@ -1286,4 +1295,16 @@ mod tests {
DkgError::Disk(crate::disk::DiskError::MissingRequiredFiles { .. })
));
}

#[test]
fn keymanager_config_debug_redacts_auth_token() {
let cfg = KeymanagerConfig::builder()
.address("https://keymanager.example".to_string())
.auth_token("super-secret-token".to_string())
.build();
let rendered = format!("{cfg:?}");
assert!(!rendered.contains("super-secret-token"), "token leaked in Debug: {rendered}");
assert!(rendered.contains("<redacted>"), "expected <redacted> marker in Debug: {rendered}");
assert!(rendered.contains("https://keymanager.example"), "address should be visible");
}
}
1 change: 1 addition & 0 deletions crates/eth2util/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ pbkdf2.workspace = true
scrypt.workspace = true
unicode-normalization.workspace = true
zeroize.workspace = true
secrecy.workspace = true
pluto-k1util.workspace = true
chrono.workspace = true
regex.workspace = true
Expand Down
15 changes: 12 additions & 3 deletions crates/eth2util/src/keymanager.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
//! (https://ethereum.github.io/keymanager-APIs/) functionalities.

use crate::keystore::Keystore;
use secrecy::{ExposeSecret, Secret};
use url::Url;

/// Errors that can occur when using the keymanager client.
Expand Down Expand Up @@ -63,7 +64,7 @@ pub type Result<T> = std::result::Result<T, KeymanagerError>;
#[derive(Debug, Clone)]
pub struct Client {
base_url: Url,
auth_token: String,
auth_token: Secret<String>,
http_client: reqwest::Client,
}

Expand All @@ -80,7 +81,7 @@ impl Client {
};
Ok(Self {
base_url: Url::parse(&normalized)?,
auth_token: auth_token.as_ref().to_owned(),
auth_token: Secret::new(auth_token.as_ref().to_owned()),
http_client: reqwest::Client::new(),
})
}
Expand Down Expand Up @@ -143,7 +144,7 @@ impl Client {
.http_client
.post(addr)
.header("Content-Type", "application/json")
.header("Authorization", format!("Bearer {}", self.auth_token))
.header("Authorization", format!("Bearer {}", self.auth_token.expose_secret()))
.body(req_bytes)
.timeout(timeout)
.send()
Expand Down Expand Up @@ -338,4 +339,12 @@ mod tests {
let err = Client::new(input, AUTH_TOKEN).unwrap_err();
assert!(matches!(err, KeymanagerError::ParseUrl(_)));
}

#[test]
fn client_debug_redacts_auth_token() {
let client = Client::new("http://localhost:9999", "super-secret-token").unwrap();
let rendered = format!("{client:?}");
assert!(!rendered.contains("super-secret-token"), "token leaked in Debug: {rendered}");
assert!(rendered.contains("REDACTED"), "expected REDACTED marker in Debug: {rendered}");
}
}
46 changes: 44 additions & 2 deletions crates/p2p/src/bootnode.rs
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ use libp2p::Multiaddr;
use pluto_eth2util::enr::Record;
use tokio_util::sync::CancellationToken;
use tracing::{info, warn};
use url::Url;

use crate::peer::{
AddrInfo, MutablePeer, Peer, PeerError, addr_infos_from_p2p_addrs, peer_id_from_key,
Expand Down Expand Up @@ -147,6 +148,21 @@ pub async fn new_relays(
Ok(resp)
}

/// Strips embedded userinfo (basic-auth credentials) from a URL string before
/// it is passed to a log field so tokens and passwords cannot appear in logs.
fn redact_url(raw: &str) -> String {
let Ok(mut url) = Url::parse(raw) else {
return raw.to_owned();
};
if url.username().is_empty() && url.password().is_none() {
return raw.to_owned();
}
if url.set_username("").is_err() || url.set_password(None).is_err() {
return "<redacted>".to_owned();
}
url.to_string()
}
Comment on lines +153 to +164

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Relays do not carry credentials and we do not intend to support such feature. For reference check Charon v1.7.1: https://github.com/ObolNetwork/charon/blob/749d2d7ab0b8ace34f2e686a5af5910c8adb4dc0/p2p/bootnode.go#L155.


/// Continuously resolves relay multiaddrs from an HTTP URL and updates the
/// MutablePeer.
///
Expand All @@ -169,7 +185,7 @@ async fn resolve_relay(
{
Ok(addrs) => addrs,
Err(e) => {
tracing::error!(err = %e, url = %raw_url, "Failed resolving relay addresses from URL");
tracing::error!(err = %e, url = %redact_url(&raw_url), "Failed resolving relay addresses from URL");
return;
}
};
Expand All @@ -193,7 +209,7 @@ async fn resolve_relay(
let peer = Peer::new_relay_peer(&infos[0]);
info!(
peer = %peer.name,
url = %raw_url,
url = %redact_url(&raw_url),
addrs = ?peer.addresses,
"Resolved new relay"
);
Expand Down Expand Up @@ -348,3 +364,29 @@ fn addr_info_from_p2p_addr(addr: &Multiaddr) -> std::result::Result<AddrInfo, Pe

infos.pop().ok_or(PeerError::MissingPeerIdInMultiaddr)
}

#[cfg(test)]
mod tests {
use super::redact_url;

#[test]
fn redact_url_strips_basic_auth_credentials() {
let raw = "https://user:s3cr3t@relay.example.com/path";
let result = redact_url(raw);
assert!(!result.contains("user"), "username leaked: {result}");
assert!(!result.contains("s3cr3t"), "password leaked: {result}");
assert!(result.contains("relay.example.com"), "host should remain: {result}");
}

#[test]
fn redact_url_is_noop_when_no_credentials() {
let raw = "https://relay.example.com/path";
assert_eq!(redact_url(raw), raw);
}

#[test]
fn redact_url_returns_original_for_unparseable_input() {
let raw = "not a url %%";
assert_eq!(redact_url(raw), raw);
}
}