-
Notifications
You must be signed in to change notification settings - Fork 219
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: wallet password change #5175
feat: wallet password change #5175
Conversation
af6509e
to
c34af83
Compare
c34af83
to
57ce3c0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, I tested the password change functionality from the command line, and it works as expected.
I have some comments regarding the atomicity below.
5fd8c25
to
cab86e4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utACK
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK
|
||
let passphrase = prompt_password("New wallet password: ")?; | ||
let new = prompt_password("New wallet password: ")?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: while not a reserved word in rust, it does seem strange to see new
as a variable
let conn = database_connection.get_pooled_connection()?; | ||
|
||
// Fetch the database fields used for encryption, if they exist | ||
let secondary_key_version = WalletSettingSql::get(&DbKey::SecondaryKeyVersion, &conn)?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should technically also be in a transaction since it could change half way through reading
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would using a transaction catch this edge case? Even if not, I don't think it's a practical problem here. In the event that the fields were to be only partially updated when the reads happen, the subsequent key derivation will fail and return an error. The user can then simply try again to load the wallet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will address in this issue.
Description --- Refactors key-related database field operations to be atomic. Closes [issue 5177](#5177). Motivation and Context --- Key-related database fields always travel together. We need a consistent set of secondary key version identifier, secondary key salt, and encrypted main key in order to set up the `XChaCha20-Poly1305` cipher used for database encryption operations and passphrase changes. While a [recent PR](#5175) ensures that write operations for these fields are done atomically via a write transaction, there is no corresponding read transaction. It's therefore possible that those fields are inconsistent. While this should only result in an error and require the user to load their wallet again, it seemed like a smart idea to ensure that reads are consistent for any future use cases. This PR refactors the handling of those fields to reduce redundancy and ensure atomicity for reads and writes. It introduces a new `DatabaseKeyFields` struct that handles reads and writes, and additionally takes care of encoding and decoding of the underlying data. It also makes the handling of the three fields more consistent. Previously, individual reads and writes required the use of a complex `match` to handle different states. This functionality has been mostly moved into `DatabaseKeyFields` to make these states more apparent. How Has This Been Tested? --- Existing unit tests pass. Manually tested the following operations: - setting up a new wallet and successfully loading it with the correct passphrase - setting up a new wallet and unsuccessfully loading it with an incorrect passphrase - setting up a new wallet and unsuccessfully loading it due to a simulated read transaction failure - failing to set up a new wallet due to a simulated write transaction failure - failing to set up a new wallet due to a simulated read transaction failure - a successful passphrase change via CLI - an unsuccessful passphrase change via CLI due to an incorrect existing passphrase - an unsuccessful passphrase change via CLI due to a mismatched new passphrase - an unsuccessful passphrase change via CLI due to a simulated write transaction failure - an unsuccessful passphrase change via CLI due to a simulated read transaction failure It does not seem possible to directly test read operation inconsistency caused by a simultaneous write operation.
Description --- Improves the flow for setting or changing a passphrase. Closes [issue 5127](#5127). Motivation and Context --- When setting or [changing](#5175) a wallet passphrase, the console wallet provides [feedback](#5111) on the strength of the provided passphrase. In the case of a weak passphrase, it does not prompt the user to choose a better one. This PR implements a better flow for this process, as shown in [this flowchart](#5127 (comment)). How Has This Been Tested? --- Tested manually. What process can a PR reviewer use to test or verify this change? --- Testing needs to be done manually to assert that the process represented by the linked flowchart is implemented. Manual testing should cover the entire flow for these two operations: - Setting the passphrase for a new wallet - Changing the passphrase for an existing wallet Breaking Changes --- None.
Description --- Improves the flow for setting or changing a passphrase. Closes [issue 5127](tari-project#5127). Motivation and Context --- When setting or [changing](tari-project#5175) a wallet passphrase, the console wallet provides [feedback](tari-project#5111) on the strength of the provided passphrase. In the case of a weak passphrase, it does not prompt the user to choose a better one. This PR implements a better flow for this process, as shown in [this flowchart](tari-project#5127 (comment)). How Has This Been Tested? --- Tested manually. What process can a PR reviewer use to test or verify this change? --- Testing needs to be done manually to assert that the process represented by the linked flowchart is implemented. Manual testing should cover the entire flow for these two operations: - Setting the passphrase for a new wallet - Changing the passphrase for an existing wallet Breaking Changes --- None.
Description
Adds functionality to change wallet passphrase, updating to the latest encryption version parameters at the same time. Minor refactoring of database main and secondary key operations.
Removes unneeded functionality that tried to assert any cipher seed was encrypted (and associated tests).
Closes issue 5003.
Motivation and Context
Currently, wallet passphrases cannot be changed; there is a CLI flow, but it is non-functional.
This PR continues the work started in PR 5154, which refactors wallet database encryption. When the user wishes to change their passphrase, we do the following:
The update operations are done in a single transaction to mitigate the (unlikely) risk of database corruption. There isn't an included test for this, but you can simulate a failure by having the transaction closure return an error, after which the existing wallet passphrase should continue to work.
How Has This Been Tested?
Existing unit tests pass. A new unit test passes. Manually tested a successful passphrase change. Manually tested a failed passphrase change. Manually tested a simulated database transaction failure.