Allow VC to create password files via HTTP API

2026-03-22 06:14:38 +00:00 · 2022-08-29 15:30:02 +10:00
parent be8463770f
commit 2abde0b666
15 changed files with 189 additions and 47 deletions
--- a/common/account_utils/src/validator_definitions.rs
+++ b/common/account_utils/src/validator_definitions.rs
@@ -49,6 +49,16 @@ pub enum Error {
    KeystoreWithoutPassword,
 }

+/// Defines how a password for a validator keystore will be persisted.
+pub enum PasswordStorage {
+    /// Store the password in the `validator_definitions.yml` file.
+    ValidatorDefinitions(ZeroizeString),
+    /// Store the password in a separate, dedicated file (likely in the "secrets" directory).
+    File(PathBuf),
+    /// Don't store the password at all.
+    None,
+}
+
 #[derive(Clone, PartialEq, Serialize, Deserialize, Hash, Eq)]
 pub struct Web3SignerDefinition {
    pub url: String,
@@ -151,7 +161,7 @@ impl ValidatorDefinition {
    /// This function does not check the password against the keystore.
    pub fn new_keystore_with_password<P: AsRef<Path>>(
        voting_keystore_path: P,
-        voting_keystore_password: Option<ZeroizeString>,
+        voting_keystore_password_storage: PasswordStorage,
        graffiti: Option<GraffitiString>,
        suggested_fee_recipient: Option<Address>,
        gas_limit: Option<u64>,
@@ -161,6 +171,12 @@ impl ValidatorDefinition {
        let keystore =
            Keystore::from_json_file(&voting_keystore_path).map_err(Error::UnableToOpenKeystore)?;
        let voting_public_key = keystore.public_key().ok_or(Error::InvalidKeystorePubkey)?;
+        let (voting_keystore_password_path, voting_keystore_password) =
+            match voting_keystore_password_storage {
+                PasswordStorage::ValidatorDefinitions(password) => (None, Some(password)),
+                PasswordStorage::File(path) => (Some(path), None),
+                PasswordStorage::None => (None, None),
+            };

        Ok(ValidatorDefinition {
            enabled: true,
@@ -172,7 +188,7 @@ impl ValidatorDefinition {
            builder_proposals,
            signing_definition: SigningDefinition::LocalKeystore {
                voting_keystore_path,
-                voting_keystore_password_path: None,
+                voting_keystore_password_path,
                voting_keystore_password,
            },
        })
--- a/common/validator_dir/src/builder.rs
+++ b/common/validator_dir/src/builder.rs
@@ -78,6 +78,13 @@ impl<'a> Builder<'a> {
        self
    }

+    /// Optionally supply a directory in which to store the passwords for the validator keystores.
+    /// If `None` is provided, do not store the password.
+    pub fn password_dir_opt(mut self, password_dir_opt: Option<PathBuf>) -> Self {
+        self.password_dir = password_dir_opt;
+        self
+    }
+
    /// Build the `ValidatorDir` use the given `keystore` which can be unlocked with `password`.
    ///
    /// The builder will not necessarily check that `password` can unlock `keystore`.
@@ -234,7 +241,7 @@ impl<'a> Builder<'a> {
                if self.store_withdrawal_keystore {
                    // Write the withdrawal password to file.
                    write_password_to_file(
-                        password_dir.join(withdrawal_keypair.pk.as_hex_string()),
+                        keystore_password_path(&password_dir, &withdrawal_keystore),
                        withdrawal_password.as_bytes(),
                    )?;

@@ -250,7 +257,7 @@ impl<'a> Builder<'a> {
        if let Some(password_dir) = self.password_dir.as_ref() {
            // Write the voting password to file.
            write_password_to_file(
-                password_dir.join(format!("0x{}", voting_keystore.pubkey())),
+                keystore_password_path(&password_dir, &voting_keystore),
                voting_password.as_bytes(),
            )?;
        }
@@ -262,6 +269,12 @@ impl<'a> Builder<'a> {
    }
 }

+pub fn keystore_password_path<P: AsRef<Path>>(password_dir: P, keystore: &Keystore) -> PathBuf {
+    password_dir
+        .as_ref()
+        .join(format!("0x{}", keystore.pubkey()))
+}
+
 /// Writes a JSON keystore to file.
 fn write_keystore_to_file(path: PathBuf, keystore: &Keystore) -> Result<(), Error> {
    if path.exists() {
--- a/common/validator_dir/src/lib.rs
+++ b/common/validator_dir/src/lib.rs
@@ -15,6 +15,6 @@ pub use crate::validator_dir::{
    ETH1_DEPOSIT_TX_HASH_FILE,
 };
 pub use builder::{
-    Builder, Error as BuilderError, ETH1_DEPOSIT_DATA_FILE, VOTING_KEYSTORE_FILE,
-    WITHDRAWAL_KEYSTORE_FILE,
+    keystore_password_path, Builder, Error as BuilderError, ETH1_DEPOSIT_DATA_FILE,
+    VOTING_KEYSTORE_FILE, WITHDRAWAL_KEYSTORE_FILE,
 };
--- a/common/validator_dir/src/validator_dir.rs
+++ b/common/validator_dir/src/validator_dir.rs
@@ -1,5 +1,5 @@
 use crate::builder::{
-    ETH1_DEPOSIT_AMOUNT_FILE, ETH1_DEPOSIT_DATA_FILE, VOTING_KEYSTORE_FILE,
+    keystore_password_path, ETH1_DEPOSIT_AMOUNT_FILE, ETH1_DEPOSIT_DATA_FILE, VOTING_KEYSTORE_FILE,
    WITHDRAWAL_KEYSTORE_FILE,
 };
 use deposit_contract::decode_eth1_tx_data;
@@ -219,9 +219,7 @@ pub fn unlock_keypair<P: AsRef<Path>>(
    )
    .map_err(Error::UnableToReadKeystore)?;

-    let password_path = password_dir
-        .as_ref()
-        .join(format!("0x{}", keystore.pubkey()));
+    let password_path = keystore_password_path(password_dir, &keystore);
    let password: PlainText = read(&password_path)
        .map_err(|_| Error::UnableToReadPassword(password_path))?
        .into();