[audit] Secrets appear in environment variables and command line arguments (#1201)

* accept secret as a file too

* run pre-commit

* address feedback

fortuna/.gitignore

@@ -1,2 +1,3 @@
 /target
 config.yaml
+*secret*

fortuna/Cargo.lock

@@ -381,19 +381,19 @@ dependencies = [
 
 [[package]]
 name = "borsh"
-version = "0.9.3"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "15bf3650200d8bffa99015595e10f1fbd17de07abbc25bb067da79e769939bfa"
+checksum = "4114279215a005bc675e386011e594e1d9b800918cea18fcadadcce864a2046b"
 dependencies = [
  "borsh-derive",
- "hashbrown 0.11.2",
+ "hashbrown 0.12.3",
 ]
 
 [[package]]
 name = "borsh-derive"
-version = "0.9.3"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6441c552f230375d18e3cc377677914d2ca2b0d36e52129fe15450a2dce46775"
+checksum = "0754613691538d51f329cce9af41d7b7ca150bc973056f1156611489475f54f7"
 dependencies = [
  "borsh-derive-internal",
  "borsh-schema-derive-internal",
@@ -404,9 +404,9 @@ dependencies = [
 
 [[package]]
 name = "borsh-derive-internal"
-version = "0.9.3"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5449c28a7b352f2d1e592a8a28bf139bc71afb0764a14f3c02500935d8c44065"
+checksum = "afb438156919598d2c7bad7e1c0adf3d26ed3840dbc010db1a882a65583ca2fb"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -415,9 +415,9 @@ dependencies = [
 
 [[package]]
 name = "borsh-schema-derive-internal"
-version = "0.9.3"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cdbd5696d8bfa21d53d9fe39a714a18538bad11492a42d066dbbc395fb1951c0"
+checksum = "634205cc43f74a1b9046ef87c4540ebda95696ec0f315024860cad7c5b0f5ccd"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1486,7 +1486,7 @@ dependencies = [
 
 [[package]]
 name = "fortuna"
-version = "3.0.1"
+version = "3.0.2"
 dependencies = [
  "anyhow",
  "axum",
@@ -1731,19 +1731,13 @@ dependencies = [
 
 [[package]]
 name = "hashbrown"
-version = "0.11.2"
+version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
 dependencies = [
  "ahash",
 ]
 
-[[package]]
-name = "hashbrown"
-version = "0.12.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
-
 [[package]]
 name = "hashbrown"
 version = "0.14.1"
@@ -2825,7 +2819,6 @@ dependencies = [
 [[package]]
 name = "pythnet-sdk"
 version = "2.0.0"
-source = "git+https://github.com/pyth-network/pyth-crosschain#d87cd7c5fdcf371837b7aa41dee35a04cdd6731d"
 dependencies = [
  "bincode",
  "borsh",

fortuna/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name    = "fortuna"
-version = "3.0.1"
+version = "3.0.2"
 edition = "2021"
 
 [dependencies]

fortuna/src/command/register_provider.rs

@@ -31,13 +31,14 @@ pub async fn register_provider(opts: &RegisterProviderOptions) -> Result<()> {
 
     // Create a new random hash chain.
     let random = rand::random::<[u8; 32]>();
+    let secret = match opts.randomness.load_secret() {
+        Ok(loaded_secret) => loaded_secret,
+        Err(_err) => opts.randomness.secret_file.clone(),
+    };
+
     let commitment_length = opts.randomness.chain_length;
-    let mut chain = PebbleHashChain::from_config(
-        &opts.randomness.secret,
-        &opts.chain_id,
-        &random,
-        commitment_length,
-    )?;
+    let mut chain =
+        PebbleHashChain::from_config(&secret, &opts.chain_id, &random, commitment_length)?;
 
     // Arguments to the contract to register our new provider.
     let fee_in_wei = opts.fee;

fortuna/src/command/run.rs

@@ -47,6 +47,12 @@ pub async fn run(opts: &RunOptions) -> Result<()> {
     struct ApiDoc;
 
     let config = Config::load(&opts.config.config)?;
+    let secret: String;
+    match opts.randomness.load_secret() {
+        Ok(loaded_secret) => secret = loaded_secret,
+        Err(_err) => secret = opts.randomness.secret_file.clone(),
+    }
+
 
     let mut chains = HashMap::new();
     for (chain_id, chain_config) in &config.chains {
@@ -64,7 +70,7 @@ pub async fn run(opts: &RunOptions) -> Result<()> {
             bincode::deserialize::<CommitmentMetadata>(&provider_info.commitment_metadata)?;
 
         let hash_chain = PebbleHashChain::from_config(
-            &opts.randomness.secret,
+            &secret,
             &chain_id,
             &metadata.seed,
             metadata.chain_length,

fortuna/src/config.rs

@@ -76,10 +76,12 @@ pub struct ConfigOptions {
 #[command(next_help_heading = "Randomness Options")]
 #[group(id = "Randomness")]
 pub struct RandomnessOptions {
-    /// A secret used for generating new hash chains. A 64-char hex string.
+    /// Path to file containing a secret which is a 64-char hex string.
+    /// The secret is used for generating new hash chains
+    /// Or the secret itself. TODO: this will be removed in another PR.
     #[arg(long = "secret")]
     #[arg(env = "FORTUNA_SECRET")]
-    pub secret: String,
+    pub secret_file: String,
 
     /// The length of the hash chain to generate.
     #[arg(long = "chain-length")]
@@ -88,6 +90,12 @@ pub struct RandomnessOptions {
     pub chain_length: u64,
 }
 
+impl RandomnessOptions {
+    pub fn load_secret(&self) -> Result<String> {
+        return Ok((fs::read_to_string(&self.secret_file))?);
+    }
+}
+
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub struct Config {
     pub chains: HashMap<ChainId, EthereumConfig>,

hermes/Cargo.lock

@@ -2848,7 +2848,7 @@ name = "pythnet-sdk"
 version = "2.0.0"
 dependencies = [
  "bincode",
- "borsh 0.9.3",
+ "borsh 0.10.3",
  "bytemuck",
  "byteorder",
  "fast-math",