Store Hashed Password to Wallet Path (#7295)

* store wallet pass on creation
* store wallet hash
* save hash to wallet dir
* initialize wallet hash
* gaz
* imports spacing
* remove mentions of hashed pass from db schema
* simplify the wallet hash code
* comment removal
* Merge branch 'master' into fix-password-override
* pass tests
* test fix
* Merge branch 'fix-password-override' of github.com:prysmaticlabs/prysm into fix-password-override
* remove extraneous printfs
* tests passing
* require auth for create wallet
* gaz
* fix signup logic
* Merge refs/heads/master into fix-password-override
* Merge refs/heads/master into fix-password-override
* Merge refs/heads/master into fix-password-override
* Merge refs/heads/master into fix-password-override
* Merge branch 'master' into fix-password-override

Author: rauljordan

validator/accounts/v2/accounts_create_test.go

@@ -80,7 +80,7 @@ func (p *passwordReader) passwordReaderFunc(file *os.File) ([]byte, error) {
 func Test_KeysConsistency_Direct(t *testing.T) {
 	walletDir, passwordsDir, walletPasswordFile := setupWalletAndPasswordsDir(t)
 
-	//Specify the 'initial'/correct password locally to this file for convenience.
+	// Specify the 'initial'/correct password locally to this file for convenience.
 	require.NoError(t, ioutil.WriteFile(walletPasswordFile, []byte("Pa$sW0rD0__Fo0xPr"), os.ModePerm))
 
 	cliCtx := setupWalletCtx(t, &testWalletConfig{
@@ -106,7 +106,10 @@ func Test_KeysConsistency_Direct(t *testing.T) {
 
 	// Now we change the password to "SecoNDxyzPass__9!@#"
 	require.NoError(t, ioutil.WriteFile(walletPasswordFile, []byte("SecoNDxyzPass__9!@#"), os.ModePerm))
-	// OpenWalletOrElseCli() doesn't really 'challenge' the wrong password
+	w, err = wallet.OpenWalletOrElseCli(cliCtx, CreateAndSaveWalletCli)
+	require.ErrorContains(t, "wrong password for wallet", err)
+
+	require.NoError(t, ioutil.WriteFile(walletPasswordFile, []byte("Pa$sW0rD0__Fo0xPr"), os.ModePerm))
 	w, err = wallet.OpenWalletOrElseCli(cliCtx, CreateAndSaveWalletCli)
 	require.NoError(t, err)
 

validator/accounts/v2/accounts_exit_test.go

@@ -125,5 +125,5 @@ func TestPrepareWallet_EmptyWalletReturnsError(t *testing.T) {
 	})
 	require.NoError(t, err)
 	_, _, err = prepareWallet(cliCtx)
-	assert.ErrorContains(t, "wallet is empty, no accounts to perform voluntary exit", err)
+	assert.ErrorContains(t, "please recreate your wallet", err)
 }

validator/accounts/v2/accounts_import.go

@@ -90,6 +90,10 @@ func ImportAccountsCli(cliCtx *cli.Context) error {
 		if err = createDirectKeymanagerWallet(cliCtx.Context, w); err != nil {
 			return nil, errors.Wrap(err, "could not create keymanager")
 		}
+		// We store the hashed password to disk.
+		if err := w.SaveHashedPassword(cliCtx.Context); err != nil {
+			return nil, err
+		}
 		log.WithField("wallet-path", cfg.WalletCfg.WalletDir).Info(
 			"Successfully created new wallet",
 		)

validator/accounts/v2/wallet/BUILD.bazel

@@ -21,6 +21,7 @@ go_library(
         "@com_github_pkg_errors//:go_default_library",
         "@com_github_sirupsen_logrus//:go_default_library",
         "@com_github_urfave_cli_v2//:go_default_library",
+        "@org_golang_x_crypto//bcrypt:go_default_library",
     ],
 )
 

validator/accounts/v2/wallet/wallet.go

@@ -23,13 +23,16 @@ import (
 	"github.com/prysmaticlabs/prysm/validator/keymanager/v2/remote"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
+	"golang.org/x/crypto/bcrypt"
 )
 
 var log = logrus.WithField("prefix", "wallet")
 
 const (
 	// KeymanagerConfigFileName for the keymanager used by the wallet: direct, derived, or remote.
 	KeymanagerConfigFileName = "keymanageropts.json"
+	// HashedPasswordFileName for the wallet.
+	HashedPasswordFileName = "hash"
 	// DirectoryPermissions for directories created under the wallet path.
 	DirectoryPermissions = os.ModePerm
 	// NewWalletPasswordPromptText for wallet creation.
@@ -38,6 +41,7 @@ const (
 	WalletPasswordPromptText = "Wallet password"
 	// ConfirmPasswordPromptText for confirming a wallet password.
 	ConfirmPasswordPromptText = "Confirm password"
+	hashCost                  = 8
 )
 
 var (
@@ -136,6 +140,16 @@ func OpenWalletOrElseCli(cliCtx *cli.Context, otherwise func(cliCtx *cli.Context
 		false, /* Do not confirm password */
 		ValidateExistingPass,
 	)
+	if fileutil.FileExists(filepath.Join(walletDir, HashedPasswordFileName)) {
+		hashedPassword, err := fileutil.ReadFileAsBytes(filepath.Join(walletDir, HashedPasswordFileName))
+		if err != nil {
+			return nil, err
+		}
+		// Compare the wallet password here.
+		if err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(walletPassword)); err != nil {
+			return nil, errors.Wrap(err, "wrong password for wallet")
+		}
+	}
 	return OpenWallet(cliCtx.Context, &Config{
 		WalletDir:      walletDir,
 		WalletPassword: walletPassword,
@@ -217,6 +231,18 @@ func (w *Wallet) InitializeKeymanager(
 		if err != nil {
 			return nil, errors.Wrap(err, "could not initialize direct keymanager")
 		}
+		if !fileutil.FileExists(filepath.Join(w.walletDir, HashedPasswordFileName)) {
+			keys, err := keymanager.FetchValidatingPublicKeys(ctx)
+			if err != nil {
+				return nil, err
+			}
+			if keys == nil || len(keys) == 0 {
+				return nil, errors.New("please recreate your wallet with wallet-v2 create")
+			}
+			if err := w.SaveHashedPassword(ctx); err != nil {
+				return nil, errors.Wrap(err, "could not save hashed password to disk")
+			}
+		}
 	case v2keymanager.Derived:
 		opts, err := derived.UnmarshalOptionsFile(configFile)
 		if err != nil {
@@ -230,6 +256,11 @@ func (w *Wallet) InitializeKeymanager(
 		if err != nil {
 			return nil, errors.Wrap(err, "could not initialize derived keymanager")
 		}
+		if !fileutil.FileExists(filepath.Join(w.walletDir, HashedPasswordFileName)) {
+			if err := w.SaveHashedPassword(ctx); err != nil {
+				return nil, errors.Wrap(err, "could not save hashed password to disk")
+			}
+		}
 	case v2keymanager.Remote:
 		opts, err := remote.UnmarshalOptionsFile(configFile)
 		if err != nil {
@@ -375,6 +406,20 @@ func (w *Wallet) WriteEncryptedSeedToDisk(ctx context.Context, encoded []byte) e
 	return nil
 }
 
+// SaveHashedPassword to disk for the wallet.
+func (w *Wallet) SaveHashedPassword(ctx context.Context) error {
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(w.walletPassword), hashCost)
+	if err != nil {
+		return errors.Wrap(err, "could not generate hashed password")
+	}
+	hashFilePath := filepath.Join(w.walletDir, HashedPasswordFileName)
+	// Write the config file to disk.
+	if err := ioutil.WriteFile(hashFilePath, hashedPassword, params.BeaconIoConfig().ReadWritePermissions); err != nil {
+		return errors.Wrap(err, "could not write hashed password for wallet to disk")
+	}
+	return nil
+}
+
 func readKeymanagerKindFromWalletPath(walletPath string) (v2keymanager.Kind, error) {
 	walletItem, err := os.Open(walletPath)
 	if err != nil {

validator/accounts/v2/wallet_create.go

@@ -51,7 +51,15 @@ func CreateAndSaveWalletCli(cliCtx *cli.Context) (*wallet.Wallet, error) {
 		return nil, errors.New("a wallet of this type already exists at this location. Please input an" +
 			" alternative location for the new wallet or remove the current wallet")
 	}
-	return CreateWalletWithKeymanager(cliCtx.Context, createWalletConfig)
+	w, err := CreateWalletWithKeymanager(cliCtx.Context, createWalletConfig)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not create wallet with keymanager")
+	}
+	// We store the hashed password to disk.
+	if err := w.SaveHashedPassword(cliCtx.Context); err != nil {
+		return nil, errors.Wrap(err, "could not save hashed password to database")
+	}
+	return w, nil
 }
 
 // CreateWalletWithKeymanager specified by configuration options.

validator/accounts/v2/wallet_recover.go

@@ -62,12 +62,17 @@ func RecoverWalletCli(cliCtx *cli.Context) error {
 	if err != nil {
 		return errors.Wrap(err, "could not get number of accounts to recover")
 	}
-	if _, err := RecoverWallet(cliCtx.Context, &RecoverWalletConfig{
+	w, err := RecoverWallet(cliCtx.Context, &RecoverWalletConfig{
 		WalletDir:      walletDir,
 		WalletPassword: walletPassword,
 		Mnemonic:       mnemonic,
 		NumAccounts:    numAccounts,
-	}); err != nil {
+	})
+	if err != nil {
+		return err
+	}
+	// We store the hashed password to disk.
+	if err := w.SaveHashedPassword(cliCtx.Context); err != nil {
 		return err
 	}
 	log.Infof(

validator/accounts/v2/wallet_recover_test.go

@@ -56,7 +56,8 @@ func TestRecoverDerivedWallet(t *testing.T) {
 
 	ctx := context.Background()
 	w, err := wallet.OpenWallet(cliCtx.Context, &wallet.Config{
-		WalletDir: walletDir,
+		WalletDir:      walletDir,
+		WalletPassword: password,
 	})
 	assert.NoError(t, err)
 

validator/db/iface/interface.go

@@ -25,7 +25,4 @@ type ValidatorDB interface {
 	// Attester protection related methods.
 	AttestationHistoryForPubKeys(ctx context.Context, publicKeys [][48]byte) (map[[48]byte]*slashpb.AttestationHistory, error)
 	SaveAttestationHistoryForPubKeys(ctx context.Context, historyByPubKey map[[48]byte]*slashpb.AttestationHistory) error
-	// Validator RPC authentication methods.
-	SaveHashedPasswordForAPI(ctx context.Context, hashedPassword []byte) error
-	HashedPasswordForAPI(ctx context.Context) ([]byte, error)
 }

validator/db/kv/BUILD.bazel

@@ -10,7 +10,6 @@ go_library(
         "new_proposal_history.go",
         "proposal_history.go",
         "schema.go",
-        "web_api.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/validator/db/kv",
     visibility = ["//validator:__subpackages__"],
@@ -36,7 +35,6 @@ go_test(
         "manage_test.go",
         "new_proposal_history_test.go",
         "proposal_history_test.go",
-        "web_api_test.go",
     ],
     embed = [":go_default_library"],
     deps = [