refactor(sdk): store passwords in Zeroizing<String>

dashpay · Oct 9, 2024 · f58e08c · f58e08c
1 parent f5aa584
commit f58e08c
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 11 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/packages/rs-sdk/Cargo.toml b/packages/rs-sdk/Cargo.toml
@@ -36,6 +36,7 @@ derive_more = { version = "1.0", features = ["from"] }
 dashcore-rpc = { git = "https://github.com/dashpay/rust-dashcore-rpc", tag = "v0.15.4" }
 lru = { version = "0.12.3", optional = true }
 bip37-bloom-filter = { git = "https://github.com/dashpay/rs-bip37-bloom-filter", branch = "develop" }
+zeroize = { version = "1.8", features = ["derive"] }
 
 [dev-dependencies]
 tokio = { version = "1.40", features = ["macros", "rt-multi-thread"] }
@@ -69,6 +70,7 @@ mocks = [
   "dep:dotenvy",
   "dep:envy",
   "dep:lru",
+  "zeroize/serde",
 ]
 
 # Run integration tests using test vectors from `tests/vectors/` instead of connecting to live Dash Platform.

diff --git a/packages/rs-sdk/examples/read_contract.rs b/packages/rs-sdk/examples/read_contract.rs
@@ -4,6 +4,7 @@ use clap::Parser;
 use dash_sdk::{mock::provider::GrpcContextProvider, platform::Fetch, Sdk, SdkBuilder};
 use dpp::prelude::{DataContract, Identifier};
 use rs_dapi_client::AddressList;
+use zeroize::Zeroizing;
 
 #[derive(clap::Parser, Debug)]
 #[command(version)]
@@ -22,7 +23,7 @@ pub struct Config {
 
     // Dash Core RPC password
     #[arg(short = 'p', long)]
-    pub core_password: String,
+    pub core_password: Zeroizing<String>,
 
     /// Dash Platform DAPI port
     #[arg(short = 'd', long)]
@@ -86,7 +87,7 @@ fn setup_sdk(config: &Config) -> Sdk {
     .expect("parse uri");
 
     // Now, we create the Sdk with the wallet and context provider.
-    let mut sdk = SdkBuilder::new(AddressList::from_iter([uri]))
+    let sdk = SdkBuilder::new(AddressList::from_iter([uri]))
         .build()
         .expect("cannot build sdk");
 

diff --git a/packages/rs-sdk/src/core/dash_core_client.rs b/packages/rs-sdk/src/core/dash_core_client.rs
@@ -14,6 +14,7 @@ use dpp::dashcore::ProTxHash;
 use dpp::prelude::CoreBlockHeight;
 use drive_proof_verifier::error::ContextProviderError;
 use std::{fmt::Debug, sync::Mutex};
+use zeroize::Zeroizing;
 
 /// Core RPC client that can be used to retrieve quorum keys from core.
 ///
@@ -22,7 +23,7 @@ pub struct LowLevelDashCoreClient {
     core: Mutex<Client>,
     server_address: String,
     core_user: String,
-    core_password: String,
+    core_password: Zeroizing<String>,
     core_port: u16,
 }
 
@@ -75,7 +76,7 @@ impl LowLevelDashCoreClient {
             core: Mutex::new(core),
             server_address: server_address.to_string(),
             core_user: core_user.to_string(),
-            core_password: core_password.to_string(),
+            core_password: core_password.to_string().into(),
             core_port,
         })
     }

diff --git a/packages/rs-sdk/src/sdk.rs b/packages/rs-sdk/src/sdk.rs
@@ -41,6 +41,7 @@ use std::time::{SystemTime, UNIX_EPOCH};
 #[cfg(feature = "mocks")]
 use tokio::sync::{Mutex, MutexGuard};
 use tokio_util::sync::{CancellationToken, WaitForCancellationFuture};
+use zeroize::Zeroizing;
 
 /// How many data contracts fit in the cache.
 pub const DEFAULT_CONTRACT_CACHE_SIZE: usize = 100;
@@ -584,7 +585,7 @@ pub struct SdkBuilder {
     core_ip: String,
     core_port: u16,
     core_user: String,
-    core_password: String,
+    core_password: Zeroizing<String>,
 
     /// If true, request and verify proofs of the responses.
     proofs: bool,
@@ -620,7 +621,7 @@ impl Default for SdkBuilder {
             network: Network::Dash,
             core_ip: "".to_string(),
             core_port: 0,
-            core_password: "".to_string(),
+            core_password: "".to_string().into(),
             core_user: "".to_string(),
 
             proofs: true,
@@ -743,7 +744,7 @@ impl SdkBuilder {
         self.core_ip = ip.to_string();
         self.core_port = port;
         self.core_user = user.to_string();
-        self.core_password = password.to_string();
+        self.core_password = Zeroizing::from(password.to_string());
 
         self
     }

diff --git a/packages/rs-sdk/tests/fetch/config.rs b/packages/rs-sdk/tests/fetch/config.rs
@@ -11,6 +11,7 @@ use dpp::{
 use rs_dapi_client::AddressList;
 use serde::Deserialize;
 use std::{path::PathBuf, str::FromStr};
+use zeroize::Zeroizing;
 
 /// Existing document ID
 ///
@@ -43,7 +44,7 @@ pub struct Config {
     pub core_user: String,
     /// Password for Dash Core RPC interface
     #[serde(default)]
-    pub core_password: String,
+    pub core_password: Zeroizing<String>,
     /// When true, use SSL for the Dash Platform node grpc interface
     #[serde(default)]
     pub platform_ssl: bool,
@@ -141,14 +142,14 @@ impl Config {
     /// ## Feature flags
     ///
     /// * `offline-testing` is not set - connect to Platform and generate
-    /// new test vectors during execution
+    ///   new test vectors during execution
     /// * `offline-testing` is set - use mock implementation and
-    /// load existing test vectors from disk
+    ///   load existing test vectors from disk
     ///
     /// ## Arguments
     ///
     /// * namespace - namespace to use when storing mock expectations; this is used to separate
-    /// expectations from different tests.
+    ///   expectations from different tests.
     ///
     /// When empty string is provided, expectations are stored in the root of the dump directory.
     pub async fn setup_api(&self, namespace: &str) -> dash_sdk::Sdk {