Chia-Network/chia-blockchain
1
0
Fork 0
mirror of https://github.com/Chia-Network/chia-blockchain.git synced 2024-09-20 08:05:33 +03:00
Code Issues Packages Projects Releases Wiki Activity
325d7f8245
chia-blockchain/chia/cmds/start_funcs.py
Jeff Cruikshank 325d7f8245
Keyring passphrase protection (#7249) 
* Moved keyring handling into a KeyringWrapper class

* Update click to 8.0.x for prompt_required support

* Renamed KeyringWrapper to _KeyringWrapper

* Expose password management options on Linux

* CLI support for setting/removing a password

* Global option for specifying the master password

* Cache the password instead of setting on the context

* Password bootstrapping during chia init

* Tidying up _KeyringWraper's interface

* Initial pass migrating the legacy keyring contents

* Encryption/decryption of keyring.yaml contents

* FileKeyring backend encrypts with ChaCha20Poly1305

* Tightened up keyring migration and initialization

* Fixed issues identified by linters

* Remove root_path from Keychain

* Prevent double-migration if setting master passwd

* KeyringWrapper tests are mostly complete

* FileKeyring will now honor the service param

* Tests for get/set/delete password

* Formatting/commenting updates

* Writer lock support with tests - WIP

* keyring.yaml is now watched for modifications

* Reader/Writer lock for get/delete password

* Fixed linter issues

* Reader lock tests

* Formatting update

* Hook up CHIA_ROOT support for KeychainWrapper

* Quick fix to address test failures

* Fixed failures when existing legacy keyring exists

* Fixed test failures caused by reusing the same temp dir

* keyring.yaml now lives in ~/.chia_keys by default. Can be overridden with CHIA_KEYS_ROOT or --keys-root-path

* Fixed migration failure when setting a password (not using the default)

* KeyringWrapper now uses supports_keyring_password to determine if a FileKeyring should be used. Patched tests to work regardless of whether supports_keyring_password return False

* The daemon now takes a --have-gui option that will prevent calling check_keys() during startup. If the keyring is locked, we want the GUI to prompt for the password.

* Added is_keyring_locked RPC call

* Added 'unlock_keyring' RPC command

* Added KeychainProxy and KeychainServer to handle RPC messages related to keyring operations. WalletNode no longer directly accesses the Keychain class.

* Turn on macOS support for testing keyring passwords

* Fixed get_key_for_fingerprint to use the ocal keychain if the platform doesn't need to remotely access the daemon's keychain.

Fixed key reconstruction when sent over RPC.

* Farmer now accesses the keychain over RPC

* Fixes for linter issues and some restructuring to support tests that use setup_nodes.py

* Couple of fixes to unblock the GUI from launching when a keyring password is set

* Added a keychain RPC call for add_private_key()

* Added remaining keychain proxy RPC calls for delete_key_by_fingerprint and delete_all_keys

* Check for None when inspecting request arguments

* Run check_keys after unlocking the keyring when the daemon is launched via GUI

* Added check_keys RPC method.
Fixed deserialization of key entropy in get_all_private_keys. This was preventing the GUI from being able to show key details.

* Added get_first_private_key to keychain_server/proxy.
create_plots now uses the keychain proxy when launched from the daemon.

* Added a comment about KeychainProxy in chia plots check

* Workaround import conflict  when importing from 'tests.*' due to fasteners name conflict

* Simulator now uses KeychainProxy if launched by the daemon.
KeychainServer/Proxy now takes keychain user/testing params for testing scenarios.

* Added "set_keyring_passphrase" RPC message

* Reworking KeychainProxy usage to handle local keychain tests and RPC keychain tests.

* Replace my prior usage of asyncio.run() with asyncio.get_event_loop().run_until_complete()

* Silencing file_keyring logging for the moment.

* Updated tests to use test keychains and appropriate BlockTools construction

BlockTools should now be created with create_block_tools(_async) to handle async scenarios.

Updated block_tools to be async compatible

Updated fasteners to fix installation of top-level 'tests' in site-packages

* Added 'remove_keyring_passphrase' RPC message to the daemon

Minor tweak to TempKeyring to default to some test params

* Fixed linter issues

* Remove flake8 ignore statement now that the fasteners module has been updated

* Some initial renaming changes: password -> passphrase

* Fixed wallet RPC issue where get_key_for_fingerprint wasn't awaited-upon.

Fixed legacy keyring initialization (for migration scenarios)

* Fixed improperly merged file

* Fixed linter issues.
More renaming.

* Updated spots that were still using an incorrect keychain call

* Renamed use_password_cache, obtain_current_password

* Renamed supports_keyring_password

* Renamed has_master_password

* Renamed has_cached_password, get_cached_master_password

* Linter fixes

* Renamed master_password_is_valid

* Renamed set_cached_master_password

* Renamed set_master_password

* Renamed remove_master_password

* Renamed has_cached_master_password

* Renaming in file_keyring and keyring_wrapper

Updated default keyring payload used for tests

* Renamed get_password
Other renaming updates

* Renamed set_password
Other renaming updates

* Renamed remaining password occurrences (where appropriate)

* password -> passphrase

* Added tests for setting an emoji and Japanese master passphrase

* Attempt to notify the daemon when a keyring passphrase is set/updated/removed

* Missed one password -> passphrase replacement.

* Fixed some file synchronization issues found when running tests on macOS

* Adjusted timeout values for test_writer_lock_reacquisition_failure for macOS.

* Removed logging statements previously added for debugging

* Prompt for keyring passphrase up-front when launching a service.

Changed --have-gui flag to --wait-for-unlock

* Updated set_keyring_passphrase RPC message to fix optional current_passphrase param when the keyring is using the default passphrase.

* Minor test cleanup to deduplicate some code.

* Fixed regression when setting a new master passphrase

* Minor refactoring and docs/commenting updates

* Renaming password -> passphrase went too far. Keyring backends use password terminology for compatibility with third party backends.

* Disabling macOS support (previously added for testing only)

* Disabling passphrase support in preparation for sending out the PR

* Fixed improper merge (vscode didn't save changes during rebase)

* Update chia/cmds/init_funcs.py

Co-authored-by: Adam Kelly <338792+aqk@users.noreply.github.com>

* skip_check_keys -> should_check_keys

* Shuffling some imports around to break cycles reported by LGTM

* Handle unlocking the daemon if it's already launched and waiting for unlock.

* Replaced uses_keychain_proxy decorator in farmer.py. Fixed async usage of get_reward_targets.

Linter/reformatting fixes

* Replaced uses_keychain_proxy decorator with a clearer method.

* Cleanup the temp keyring dir using shutil.rmtree()

* Restored self._root_path (had been changed to self.root_path)

* Minor cleanup

* ensure_keychain_proxy() now throws if connect_to_keychain_and_validate() fails

* Plot key resolution now yields a PlotKeys object which can be passed into create_plots.

De-indented test_invalid_icc_sub_slot_vdf to keep git blame tidy.

* Added 'keyring_status' daemon RPC message to support the GUI

* Minor changes relating to PR feedback

* Addressed more PR feedback (mostly type annotations)

* Commented-out macOS file keyring usage. This can be re-enabled for testing purposes.

* Addressed test failures that require multiple keyrings in the same process. Each TempKeyring will now set a custom KeyringWrapper instance.

* Fixed logic for communicating user_passphrase_is_set in the keyring_status RPC response.

* Updated type annotations and method signature for set_passphrase to expect a string instead of bytes.

* Fixed Wallet RPC tests

* Fixed full_node_store tests. BlockTools should be created using the create_block_tools(_async) function(s)

* Fixed test failures in test_pool_rpc

* Fixed test_daemon. After BlockTools.setup_plots is run, the config file needs to be re-read to refresh stale plot_directories.

* Suppressing LGTM false positives regarding passphrase leakage in CLI error output. Seems that LGTM sees MIN_PASSPHRASE_LEN as sensitive data.

* Second attempt at suppressing LGTM false positives

* Third attempt at addressing LGTM false positives

* Removed test_keyring_wrapper param from Keychain ctor. Test setup now sets the keyring_wrapper property directly.

* Reformatting

* More targeted update of the test config to refresh just the "plot_directories" value

* More LGTM suppressions

Co-authored-by: Adam Kelly <338792+aqk@users.noreply.github.com>
Co-authored-by: wjblanke <wjb98672@gmail.com>
2021-08-04 12:46:55 -07:00

84 lines
2.8 KiB
Python
Raw Blame History

import asyncio
import os
import subprocess
import sys
from pathlib import Path
from typing import Optional
from chia.cmds.passphrase_funcs import get_current_passphrase
from chia.daemon.client import DaemonProxy, connect_to_daemon_and_validate
from chia.util.keychain import KeyringMaxUnlockAttempts
from chia.util.service_groups import services_for_groups
def launch_start_daemon(root_path: Path) -> subprocess.Popen:
os.environ["CHIA_ROOT"] = str(root_path)
# TODO: use startupinfo=subprocess.DETACHED_PROCESS on windows
chia = sys.argv[0]
process = subprocess.Popen(f"{chia} run_daemon --wait-for-unlock".split(), stdout=subprocess.PIPE)
return process
async def create_start_daemon_connection(root_path: Path) -> Optional[DaemonProxy]:
connection = await connect_to_daemon_and_validate(root_path)
if connection is None:
print("Starting daemon")
# launch a daemon
process = launch_start_daemon(root_path)
# give the daemon a chance to start up
if process.stdout:
process.stdout.readline()
await asyncio.sleep(1)
# it prints "daemon: listening"
connection = await connect_to_daemon_and_validate(root_path)
if connection:
passphrase = None
if await connection.is_keyring_locked():
passphrase = get_current_passphrase()
if passphrase:
print("Unlocking daemon keyring")
await connection.unlock_keyring(passphrase)
return connection
return None
async def async_start(root_path: Path, group: str, restart: bool) -> None:
try:
daemon = await create_start_daemon_connection(root_path)
except KeyringMaxUnlockAttempts:
print("Failed to unlock keyring")
return None
if daemon is None:
print("Failed to create the chia daemon")
return None
for service in services_for_groups(group):
if await daemon.is_running(service_name=service):
print(f"{service}: ", end="", flush=True)
if restart:
if not await daemon.is_running(service_name=service):
print("not running")
elif await daemon.stop_service(service_name=service):
print("stopped")
else:
print("stop failed")
else:
print("Already running, use `-r` to restart")
continue
print(f"{service}: ", end="", flush=True)
msg = await daemon.start_service(service_name=service)
success = msg and msg["data"]["success"]
if success is True:
print("started")
else:
error = "no response"
if msg:
error = msg["data"]["error"]
print(f"{service} failed to start. Error: {error}")
await daemon.close()
Reference in New Issue View Git Blame Copy Permalink