Merge branch 'master' into update-frontend-templates
dfx-json authored Nov 20, 2024
2 parents d5e15c9 + 06afa6f commit 47be031
Showing 10 changed files with 44 additions and 36 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,14 @@

# UNRELEASED

### feat: error when using insecure identity on mainnet

This used to be a warning. A hard error can abort the command so that no insecure state will be on the mainnet.

Users can surpress this error by setting `export DFX_WARNING=-mainnet_plaintext_identity`.

The warning won't display when executing commands like `dfx deploy --playground`.

# 0.24.3

### feat: Bitcoin support in PocketIC
1 change: 0 additions & 1 deletion Cargo.lock


6 changes: 4 additions & 2 deletions e2e/tests-dfx/canister_url.bash
Expand Up @@ -4,7 +4,9 @@ load ../utils/_

setup() {
standard_setup

# some of the tests run on mainnet with default plaintext identity
# so we need to set this to avoid the error
export DFX_WARNING=-mainnet_plaintext_identity
dfx_new_assets hello
}

Expand Down Expand Up @@ -58,7 +60,7 @@ teardown() {
echo "{}" > canister_ids.json
jq '.hello_frontend.ic = "qsgof-4qaaa-aaaan-qekqq-cai"' canister_ids.json | sponge canister_ids.json
frontend_id=$(dfx canister id hello_frontend --ic)

assert_command dfx canister url hello_frontend --ic
assert_match "https://${frontend_id}.icp0.io"

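Review bot: Exporting `DFX_WARNING=-mainnet_plaintext_identity` in `setup()` turns the plaintext-identity check off for every test in this file, while the added comment says only some of them run on mainnet. Setting it inside the tests that pass `--ic`, as fabricate_cycles.bash and sign_send.bash do in this commit, would keep the check active for the rest, so an unintended mainnet call from another test would still fail loudly. The plain assignment also replaces any value `DFX_WARNING` already had in the environment; whether the variable can carry several entries is not visible here.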
2 changes: 2 additions & 0 deletions e2e/tests-dfx/fabricate_cycles.bash
Expand Up @@ -39,6 +39,8 @@ teardown() {

@test "ledger fabricate-cycles fails on real IC" {
install_asset greet
# without DFX_WARNING, the command would fail with different error (Failed to create AgentEnvironment...)
export DFX_WARNING=-mainnet_plaintext_identity
assert_command_fail dfx ledger fabricate-cycles --all --network ic
assert_match "Cannot run this on the real IC."
assert_command_fail dfx ledger fabricate-cycles --all --ic
12 changes: 6 additions & 6 deletions e2e/tests-dfx/identity.bash
Expand Up @@ -186,15 +186,15 @@ teardown() {
assert_eq '(blob "hello")' "$stdout"
}

@test "using an unencrypted identity on mainnet provokes a warning" {
assert_command dfx ledger balance --network ic
assert_match "WARN: The default identity is not stored securely." "$stderr"
@test "using an unencrypted identity on mainnet provokes a hard error which can be suppressed" {
assert_command_fail dfx ledger balance --network ic
assert_match "The default identity is not stored securely." "$stderr"
assert_command "${BATS_TEST_DIRNAME}/../assets/expect_scripts/init_alice_with_pw.exp"
assert_command "${BATS_TEST_DIRNAME}/../assets/expect_scripts/get_ledger_balance.exp"
dfx identity new bob --storage-mode plaintext
assert_command dfx ledger balance --network ic --identity bob
assert_match "WARN: The bob identity is not stored securely." "$stderr"

assert_command_fail dfx ledger balance --network ic --identity bob
assert_match "The bob identity is not stored securely." "$stderr"
# can suppress the error
export DFX_WARNING=-mainnet_plaintext_identity
assert_command dfx ledger balance --network ic --identity bob
assert_not_contains "not stored securely" "$stderr"
8 changes: 4 additions & 4 deletions e2e/tests-dfx/network.bash
Expand Up @@ -99,13 +99,13 @@ teardown() {

assert_command_fail dfx diagnose --network ic
assert_contains "The test_id identity is not stored securely."
assert_contains "use it in mainnet-facing commands"
assert_contains "No wallet found; nothing to do"
assert_contains "in mainnet-facing commands"
assert_contains "you can suppress this warning"

assert_command_fail dfx diagnose --ic
assert_contains "The test_id identity is not stored securely."
assert_contains "use it in mainnet-facing commands"
assert_contains "No wallet found; nothing to do"
assert_contains "in mainnet-facing commands"
assert_contains "you can suppress this warning"

assert_command dfx diagnose
assert_not_contains "identity is not stored securely"
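Review bot: The two `assert_contains "No wallet found; nothing to do"` checks appear to be dropped, so nothing visible in this test still covers what `dfx diagnose` itself reports on the `ic` network; the command now seems to stop at the identity check. A further case that sets `export DFX_WARNING=-mainnet_plaintext_identity` and then asserts `No wallet found; nothing to do` would keep that path covered. The test body starts and ends outside the hunk.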
3 changes: 2 additions & 1 deletion e2e/tests-dfx/sign_send.bash
Expand Up @@ -44,7 +44,8 @@ teardown() {
cd "$E2E_TEMP_DIR"
mkdir not-a-project-dir
cd not-a-project-dir

# suppress the error
export DFX_WARNING=-mainnet_plaintext_identity
assert_command dfx canister sign --query rwlgt-iiaaa-aaaaa-aaaaa-cai read --network ic
assert_match "Query message generated at \[message.json\]"
}
1 change: 0 additions & 1 deletion src/dfx/Cargo.toml
Expand Up @@ -104,7 +104,6 @@ shell-words = "1.1.0"
slog = { workspace = true, features = ["max_level_trace"] }
slog-async.workspace = true
slog-term.workspace = true
socket2 = "0.5.5"
supports-color = "2.1.0"
sysinfo = "0.28.4"
tar.workspace = true
22 changes: 17 additions & 5 deletions src/dfx/src/lib/environment.rs
Expand Up @@ -3,12 +3,12 @@ use crate::config::dfx_version;
use crate::lib::error::DfxResult;
use crate::lib::progress_bar::ProgressBar;
use crate::lib::warning::{is_warning_disabled, DfxWarning::MainnetPlainTextIdentity};
use anyhow::anyhow;
use anyhow::{anyhow, bail};
use candid::Principal;
use dfx_core::config::cache::Cache;
use dfx_core::config::model::canister_id_store::CanisterIdStore;
use dfx_core::config::model::dfinity::{Config, NetworksConfig};
use dfx_core::config::model::network_descriptor::NetworkDescriptor;
use dfx_core::config::model::network_descriptor::{NetworkDescriptor, NetworkTypeDescriptor};
use dfx_core::error::canister_id_store::CanisterIdStoreError;
use dfx_core::error::identity::NewIdentityManagerError;
use dfx_core::error::load_dfx_config::LoadDfxConfigError;
Expand All @@ -17,7 +17,7 @@ use dfx_core::identity::identity_manager::{IdentityManager, InitializeIdentity};
use fn_error_context::context;
use ic_agent::{Agent, Identity};
use semver::Version;
use slog::{warn, Logger, Record};
use slog::{Logger, Record};
use std::borrow::Cow;
use std::cell::RefCell;
use std::path::PathBuf;
Expand Down Expand Up @@ -288,11 +288,23 @@ impl<'a> AgentEnvironment<'a> {
identity_manager.instantiate_selected_identity(&logger)?
};
if network_descriptor.is_ic
&& !matches!(
network_descriptor.r#type,
NetworkTypeDescriptor::Playground { .. }
)
&& identity.insecure
&& !is_warning_disabled(MainnetPlainTextIdentity)
{
warn!(logger, "The {} identity is not stored securely. Do not use it to control a lot of cycles/ICP. Create a new identity with `dfx identity new` \
and use it in mainnet-facing commands with the `--identity` flag", identity.name());
bail!(
"The {} identity is not stored securely. Do not use it to control a lot of cycles/ICP.
- For enhanced security, create a new identity using the command:
dfx identity new
Then, specify the new identity in mainnet-facing commands with the `--identity` flag.
- If you understand the risks and still wish to use the insecure plaintext identity, you can suppress this warning by running:
export DFX_WARNING=-mainnet_plaintext_identity
After setting this environment variable, re-run the command.",
identity.name()
);
}
let url = network_descriptor.first_provider()?;
let effective_canister_id = if let Some(d) = &network_descriptor.local_server_descriptor {
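Review bot: The new `bail!` text still tells the user "you can suppress this warning", although the check now aborts construction of the agent environment; the line should read `you can suppress this error by running:`, and the `assert_contains "you can suppress this warning"` lines in e2e/tests-dfx/network.bash would change with it. The `!matches!(network_descriptor.r#type, NetworkTypeDescriptor::Playground { .. })` exemption carries no comment saying why a plaintext identity is acceptable there; a short `//` comment stating the rationale would keep a later edit from widening the exemption by accident. Because the check runs before any command-specific validation, it also replaces more specific errors, as the comment added in fabricate_cycles.bash observes. The enclosing function starts and ends outside the hunk.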
17 changes: 1 addition & 16 deletions src/dfx/src/util/mod.rs
Expand Up @@ -15,7 +15,6 @@ use idl2json::{idl2json, Idl2JsonOptions};
use num_traits::FromPrimitive;
use reqwest::{Client, StatusCode, Url};
use rust_decimal::Decimal;
use socket2::{Domain, Socket};
use std::collections::BTreeMap;
use std::io::{stderr, stdin, stdout, IsTerminal, Read};
use std::net::{IpAddr, SocketAddr, TcpListener};
Expand All @@ -35,22 +34,8 @@ const DECIMAL_POINT: char = '.';
// thus, we need to recreate SocketAddr with the kernel-provided dynamically allocated port here.
#[context("Failed to find available socket address")]
pub fn get_reusable_socket_addr(ip: IpAddr, port: u16) -> DfxResult<SocketAddr> {
let socket = if ip.is_ipv4() {
Socket::new(Domain::IPV4, socket2::Type::STREAM, None)
.context("Failed to create IPv4 socket.")?
} else {
Socket::new(Domain::IPV6, socket2::Type::STREAM, None)
.context("Failed to create IPv6 socket.")?
};
socket
.set_linger(Some(Duration::from_secs(10)))
.context("Failed to set linger duration of tcp listener.")?;
socket
.bind(&SocketAddr::new(ip, port).into())
let listener = TcpListener::bind(SocketAddr::new(ip, port))
.with_context(|| format!("Failed to bind socket to {}:{}.", ip, port))?;
socket.listen(128).context("Failed to listen on socket.")?;

let listener: TcpListener = socket.into();
listener
.local_addr()
.context("Failed to fetch local address.")
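Review bot: Nothing visible around `get_reusable_socket_addr` documents that the port is held only while `listener` is alive: the function returns a `SocketAddr`, so the `TcpListener` is dropped on return and another local process can bind the port before the caller does. A doc line such as `/// Binds briefly to find a usable address; the port is released on return, so callers must handle a failed bind.` would make that explicit. The rewrite also drops the 10-second linger setting and the explicit `listen(128)` backlog, so it now depends on the defaults of `TcpListener::bind`. If `Duration` was imported only for `set_linger`, that import is now unused. The comment above the function and its closing lines are only partly inside the hunk.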
