Allow secrets to be provided from a file or environment variable#5177
Allow secrets to be provided from a file or environment variable#5177sisuresh wants to merge 3 commits intostellar:masterfrom
Conversation
docs/stellar-core_example.cfg
Outdated
| @@ -333,6 +333,13 @@ KNOWN_PEERS=[ | |||
| # This example also adds a common name to NODE_NAMES list named `self` with the | |||
| # public key associated to this seed | |||
| NODE_SEED="SBI3CZU7XZEWVXU7OZLW5MMUQAP334JFOPXSLTPOH43IRTEQ2QYXU5RG self" | |||
| # | |||
| # You can also load the seed from an environment variable: | |||
| # NODE_SEED="$ENV:STELLAR_NODE_SEED" | |||
There was a problem hiding this comment.
We could remove this and only introduce the file based approach if there are any security concerns.
There was a problem hiding this comment.
I agree that env variables are a bit less secure. But at the same time I think they can be adequate for non-production environments and it would be convenient to allow their use.
Perhaps we can support them but call out files on disk as best practice in the docs or in the config comment?
There was a problem hiding this comment.
I ended up simplifying this PR for your use case. We can expand it later if needed.
Introduce SecretManager utility that resolves config values from external file references using the $FILE:/path prefix convention. Files are read with trailing whitespace trimming. Values without a prefix are returned unchanged (backward compatible). Apply secret resolution to NODE_SEED parsing in Config.cpp so that operators can keep seeds out of the config file. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add checkFilePermissions() using std::filesystem::perms to reject secret files that are readable by group or others. This follows the SSH model of requiring restrictive permissions (0600 or stricter) without platform-specific preprocessor guards. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a post-parse check that rejects $FILE: secret references when NETWORK_PASSPHRASE matches the public network. This restricts the feature to testnets and private networks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds support for resolving sensitive config values (currently NODE_SEED) from external secret sources, primarily via $FILE: references, and documents / tests the behavior.
Changes:
- Introduce
util/SecretManagerfor resolving$FILE:-prefixed config values with permission checks and whitespace trimming. - Update config parsing to allow
NODE_SEEDto be read from a$FILE:reference and reject such references on public network config. - Add unit tests and update the example config documentation for
$FILE:usage.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| src/util/SecretManager.h | New API for resolving config secrets (e.g., $FILE:). |
| src/util/SecretManager.cpp | Implements file-based secret resolution and permission validation. |
| src/main/Config.cpp | Uses SecretManager when parsing NODE_SEED; rejects external secrets on pubnet. |
| src/main/test/ConfigTests.cpp | Adds tests for secret resolution and config integration. |
| docs/stellar-core_example.cfg | Documents $FILE: usage for NODE_SEED. |
You can also share your feedback on Copilot code review. Take the survey.
Description
Resolves #1316
Checklist
clang-formatv8.0.0 (viamake formator the Visual Studio extension)