From acd98b366bf1c96e983a8aa34ed946cd24ff8f65 Mon Sep 17 00:00:00 2001
From: Victor Yves Crispim <rotcivyves@hotmail.com>
Date: Thu, 25 Jan 2024 15:35:09 -0300
Subject: [PATCH] fix(authority-claimer): redact mnemonic from logs

---
 CHANGELOG.md                                    | 4 ++++
 offchain/Cargo.lock                             | 1 +
 offchain/authority-claimer/Cargo.toml           | 1 +
 offchain/authority-claimer/src/config/cli.rs    | 5 +++--
 offchain/authority-claimer/src/config/mod.rs    | 3 ++-
 offchain/authority-claimer/src/signer/signer.rs | 5 +++--
 6 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9943fef27..b3ba80c87 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed concurrent block fetch in foldable `InputBox`.
 - Removed snapshot-saving feature. Now, the node will always start from the beginning.
 
+### Fixed
+
+- Fixed mnemonic leaking through log entries.
+
 ## [1.2.0]
 
 ### Added
diff --git a/offchain/Cargo.lock b/offchain/Cargo.lock
index ed69ac893..99b1c6f85 100644
--- a/offchain/Cargo.lock
+++ b/offchain/Cargo.lock
@@ -480,6 +480,7 @@ dependencies = [
  "ethers-signers",
  "http-server",
  "log 1.2.0",
+ "redacted",
  "rollups-events",
  "rusoto_core",
  "rusoto_kms",
diff --git a/offchain/authority-claimer/Cargo.toml b/offchain/authority-claimer/Cargo.toml
index 18cc5d4aa..0b589d166 100644
--- a/offchain/authority-claimer/Cargo.toml
+++ b/offchain/authority-claimer/Cargo.toml
@@ -15,6 +15,7 @@ http-server = { path = "../http-server" }
 log = { path = "../log" }
 rollups-events = { path = "../rollups-events" }
 types = { path = "../types" }
+redacted = { path = "../redacted" }
 
 async-trait.workspace = true
 clap = { workspace = true, features = ["derive", "env"] }
diff --git a/offchain/authority-claimer/src/config/cli.rs b/offchain/authority-claimer/src/config/cli.rs
index 8e066c758..f0d71e469 100644
--- a/offchain/authority-claimer/src/config/cli.rs
+++ b/offchain/authority-claimer/src/config/cli.rs
@@ -7,6 +7,7 @@ use eth_tx_manager::{
     Priority,
 };
 use log::{LogConfig, LogEnvCliConfig};
+use redacted::Redacted;
 use rollups_events::{BrokerCLIConfig, BrokerConfig};
 use rusoto_core::Region;
 use snafu::ResultExt;
@@ -118,7 +119,7 @@ impl TryFrom<TxSigningCLIConfig> for TxSigningConfig {
         let account_index = cli.tx_signing_mnemonic_account_index;
         if let Some(mnemonic) = cli.tx_signing_mnemonic {
             Ok(TxSigningConfig::Mnemonic {
-                mnemonic,
+                mnemonic: Redacted::new(mnemonic),
                 account_index,
             })
         } else if let Some(path) = cli.tx_signing_mnemonic_file {
@@ -127,7 +128,7 @@ impl TryFrom<TxSigningCLIConfig> for TxSigningConfig {
                 .trim()
                 .to_string();
             Ok(TxSigningConfig::Mnemonic {
-                mnemonic,
+                mnemonic: Redacted::new(mnemonic),
                 account_index,
             })
         } else {
diff --git a/offchain/authority-claimer/src/config/mod.rs b/offchain/authority-claimer/src/config/mod.rs
index c08d16f53..25c171c52 100644
--- a/offchain/authority-claimer/src/config/mod.rs
+++ b/offchain/authority-claimer/src/config/mod.rs
@@ -12,6 +12,7 @@ use cli::AuthorityClaimerCLI;
 use eth_tx_manager::{config::TxManagerConfig, Priority};
 use http_server::HttpServerConfig;
 use log::LogConfig;
+use redacted::Redacted;
 use rollups_events::BrokerConfig;
 use rusoto_core::Region;
 
@@ -35,7 +36,7 @@ pub struct AuthorityClaimerConfig {
 #[derive(Debug, Clone)]
 pub enum TxSigningConfig {
     Mnemonic {
-        mnemonic: String,
+        mnemonic: Redacted<String>,
         account_index: Option<u32>,
     },
 
diff --git a/offchain/authority-claimer/src/signer/signer.rs b/offchain/authority-claimer/src/signer/signer.rs
index ce384b129..8a9deeca0 100644
--- a/offchain/authority-claimer/src/signer/signer.rs
+++ b/offchain/authority-claimer/src/signer/signer.rs
@@ -50,7 +50,7 @@ impl ConditionalSigner {
                 const DEFAULT_ACCOUNT_INDEX: u32 = 0;
                 let index = account_index.unwrap_or(DEFAULT_ACCOUNT_INDEX);
                 let wallet = MnemonicBuilder::<English>::default()
-                    .phrase(mnemonic.as_str())
+                    .phrase(mnemonic.inner().as_str())
                     .index(index)
                     .context(LocalWalletSnafu)?
                     .build()
@@ -153,6 +153,7 @@ mod tests {
         Address, Eip1559TransactionRequest,
     };
     use ethers_signers::Signer;
+    use redacted::Redacted;
 
     use crate::{config::TxSigningConfig, signer::ConditionalSigner};
 
@@ -191,7 +192,7 @@ mod tests {
 
     async fn local_wallet_conditional_signer() -> ConditionalSigner {
         let tx_signing_config = TxSigningConfig::Mnemonic {
-            mnemonic: MNEMONIC.to_string(),
+            mnemonic: Redacted::new(MNEMONIC.to_string()),
             account_index: Some(1),
         };
         ConditionalSigner::new(CHAIN_ID, &tx_signing_config)