feat(crypto/keyring): add Linux's keyctl support #21653
Conversation
Walkthrough: The changes introduce enhancements to the Cosmos SDK's keyring functionality. A new CLI command,
81065eb to 533ad0e
keyctl is a Linux kernel interface that helps protect cryptographic data from a whole class of potential security vulnerabilities. The Keyctl backend leverages this Linux kernel feature to store keys in memory securely. For more information, please see: https://docs.kernel.org/security/keys/core.html The keyctl backend is available on Linux platforms only.
533ad0e to f1d40b0
LGTM. Please take a look at the failing tests. Thanks
crypto/keyring/keyring_linux.go (outdated revision):

```go
AllowedBackends: []keyring.BackendType{keyring.KeyCtlBackend},
ServiceName:     appName,
KeyCtlScope:     "user",
KeyCtlPerm:      0x3f3f0000,
```
Can you add a clarification on which are the granted permissions here?
I am doing more work to provide users with sensible perms/scope options
By default, user and session keyrings give access to the owner (i.e. the creator) only.
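The review question above asks which permissions KeyCtlPerm: 0x3f3f0000 actually grants, and the reply states that only the owner gets access. The following Go program is an added example, not code from this PR or from the Cosmos SDK: it decodes a Linux key permission mask into its four fields (possessor, user, group, other, one byte each) using the bit layout documented at https://docs.kernel.org/security/keys/core.html, and reports whether group and other are left empty. The contrasting mask 0x3f3f0200 is a constructed value used only to show what a non-owner-only mask decodes to.

```go
package main

import (
	"fmt"
	"strings"
)

// Per-field permission bits of a Linux kernel key permission mask, as
// documented at https://docs.kernel.org/security/keys/core.html. The 32-bit
// mask holds four 8-bit fields: possessor (bits 24-31), user (16-23),
// group (8-15) and other (0-7).
const (
	keyPermView    uint32 = 0x01 // view the key's attributes
	keyPermRead    uint32 = 0x02 // read the payload
	keyPermWrite   uint32 = 0x04 // update the payload or revoke the key
	keyPermSearch  uint32 = 0x08 // find the key when searching a keyring
	keyPermLink    uint32 = 0x10 // link the key into a keyring
	keyPermSetattr uint32 = 0x20 // change ownership, permissions, timeout
)

// Field order and shift of each 8-bit permission field within the mask.
var keyPermFields = []struct {
	name  string
	shift uint
}{
	{"possessor", 24},
	{"user", 16},
	{"group", 8},
	{"other", 0},
}

var keyPermBits = []struct {
	bit  uint32
	name string
}{
	{keyPermView, "view"},
	{keyPermRead, "read"},
	{keyPermWrite, "write"},
	{keyPermSearch, "search"},
	{keyPermLink, "link"},
	{keyPermSetattr, "setattr"},
}

// DescribeKeyPerm decodes mask into the permission names granted to each field.
func DescribeKeyPerm(mask uint32) map[string][]string {
	out := make(map[string][]string, len(keyPermFields))
	for _, f := range keyPermFields {
		field := (mask >> f.shift) & 0xff
		names := []string{}
		for _, b := range keyPermBits {
			if field&b.bit != 0 {
				names = append(names, b.name)
			}
		}
		out[f.name] = names
	}
	return out
}

// OwnerOnly reports whether mask grants nothing to the group and other fields,
// i.e. only the possessor and the owning UID can touch the key.
func OwnerOnly(mask uint32) bool {
	return mask&0x0000ffff == 0
}

// FormatKeyPerm renders the decoded mask as one line per field.
func FormatKeyPerm(mask uint32) string {
	d := DescribeKeyPerm(mask)
	var sb strings.Builder
	for _, f := range keyPermFields {
		field := (mask >> f.shift) & 0xff
		granted := "none"
		if len(d[f.name]) > 0 {
			granted = strings.Join(d[f.name], ",")
		}
		fmt.Fprintf(&sb, "%-9s (0x%02x): %s\n", f.name, field, granted)
	}
	return sb.String()
}

func main() {
	const keyCtlPerm uint32 = 0x3f3f0000 // value from the PR's keyring config
	fmt.Print(FormatKeyPerm(keyCtlPerm))
	fmt.Println("owner-only:", OwnerOnly(keyCtlPerm))

	// Constructed contrast: same mask but with the group read bit set.
	const groupReadable uint32 = 0x3f3f0200
	fmt.Print(FormatKeyPerm(groupReadable))
	fmt.Println("owner-only:", OwnerOnly(groupReadable))
}
```

Decoding 0x3f3f0000 gives possessor and user all six permissions (view, read, write, search, link, setattr) and group and other nothing, which is what the reviewer's reply describes; any non-zero value in the low 16 bits would widen access beyond the owner and is worth flagging when the scope or permission value is made configurable.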
Signed-off-by: Alessio Treglia <[email protected]>
Actionable comments posted: 0

Outside diff range and nitpick comments (1)

crypto/keyring/keyring_linux_test.go, lines 17-51: LGTM! Consider adding more test cases. The test function TestNewKeyctlKeyring is well-structured and follows the table-driven approach. It covers the happy path scenario of creating a new keyring with the keyctl backend. Suggestions for improvement:
- Consider adding more test cases to cover error scenarios, such as passing an invalid backend or an invalid directory.
- Consider adding test cases to cover edge cases, such as passing an empty app name or an empty user input.
These additional test cases will help improve the test coverage and ensure the robustness of the New function.
Ciao! gosec and repo_analysis failures seem odd. Any help is appreciated. Thanks!
Those can be safely ignored 👍🏾
utACK
Correct, it should be fixed now, could you merge main?
Hello again, gals and lads! Can we have this backported to v0.52.x and v0.50.0x, please? Thanks for considering.
As it is not API breaking let's do it 👌🏾
Should I reopen this PR?
@Mergifyio backport release/v0.52.x
@Mergifyio backport release/v0.50.x
✅ Backports have been created
✅ Backports have been created
Signed-off-by: Alessio Treglia <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: Matt Kocubinski <[email protected]> Co-authored-by: Julien Robert <[email protected]> Co-authored-by: Marko <[email protected]> (cherry picked from commit c0eced8) # Conflicts: # CHANGELOG.md
Signed-off-by: Alessio Treglia <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: Matt Kocubinski <[email protected]> Co-authored-by: Julien Robert <[email protected]> Co-authored-by: Marko <[email protected]> (cherry picked from commit c0eced8) # Conflicts: # CHANGELOG.md
…21839) Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: marbar3778 <[email protected]>
…21840) Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: marbar3778 <[email protected]> Co-authored-by: Julien Robert <[email protected]>
Description
Supersedes #17607
Summary by CodeRabbit
New Features: bulk-add-genesis-account command in the CLI for easier management of multiple genesis accounts.
Improvements