[DEVOPS-834] Use a file to read the recaptcha secret from a file

* Config parameter has changed to "recaptcha-secret-file"
* The actual secret is now a field in FaucetEnv

Author: Ben Ford

.gitignore

@@ -215,3 +215,4 @@ venv.bak/
 /faucet/generated-wallet-details.json
 /faucet/default.nix
 /faucet/shell.nix
+/faucet/recaptcha-secret.txt

faucet/src/Cardano/Faucet.hs

@@ -52,7 +52,7 @@ faucetServerAPI = Proxy
 withdraw :: (MonadFaucet c m) => WithdrawalRequest -> m WithdrawalResult
 withdraw wr = withSublogger (LoggerName "withdraw") $ do
     logInfo "Attempting to send ADA"
-    mCaptchaSecret <- view (feFaucetConfig . fcRecaptchaSecret)
+    mCaptchaSecret <- view feRecaptchaSecret
     forM_ mCaptchaSecret $ \captchaSecret -> do
         let cr = CaptchaRequest captchaSecret (wr ^. gRecaptchaResponse)
         logInfo "Found a secret for recaptcha in config, attempting validation"

faucet/src/Cardano/Faucet/Init.hs

@@ -40,8 +40,8 @@ import           Network.Connection (TLSSettings (..))
 import           Network.HTTP.Client (Manager, newManager)
 import           Network.HTTP.Client.TLS (mkManagerSettings)
 import           Network.TLS (ClientParams (..), credentialLoadX509FromMemory,
-                     defaultParamsClient, onCertificateRequest,
-                     onServerCertificate, supportedCiphers)
+                              defaultParamsClient, onCertificateRequest,
+                              onServerCertificate, supportedCiphers)
 import           Network.TLS.Extra.Cipher (ciphersuite_strong)
 import           Servant.Client.Core (BaseUrl (..), Scheme (..))
 import           System.Directory (createDirectoryIfMissing)
@@ -50,23 +50,27 @@ import           System.IO.Error (isDoesNotExistError)
 import           System.Metrics (Store, createCounter, createGauge)
 import qualified System.Metrics.Gauge as Gauge
 import           System.Wlog (CanLog, HasLoggerName, LoggerNameBox (..),
-                     liftLogIO, logError, logInfo, withSublogger)
+                              liftLogIO, logError, logInfo, withSublogger)
 
 import           Cardano.Wallet.API.V1.Types (Account (..), Address,
-                     AssuranceLevel (NormalAssurance), NewWallet (..),
-                     NodeInfo (..), Payment (..), PaymentDistribution (..),
-                     PaymentSource (..), SyncPercentage, V1 (..), Wallet (..),
-                     WalletAddress (..), WalletId,
-                     WalletOperation (CreateWallet), mkSyncPercentage,
-                     txAmount, unV1)
+                                              AssuranceLevel (NormalAssurance),
+                                              NewWallet (..), NodeInfo (..),
+                                              Payment (..),
+                                              PaymentDistribution (..),
+                                              PaymentSource (..),
+                                              SyncPercentage, V1 (..),
+                                              Wallet (..), WalletAddress (..),
+                                              WalletId,
+                                              WalletOperation (CreateWallet),
+                                              mkSyncPercentage, txAmount, unV1)
 import           Cardano.Wallet.Client (ClientError (..), WalletClient (..),
-                     WalletResponse (..), liftClient)
+                                        WalletResponse (..), liftClient)
 import           Cardano.Wallet.Client.Http (mkHttpClient)
 import           Pos.Core (Coin (..))
 import           Pos.Util.Mnemonic (Mnemonic, entropyToMnemonic, genEntropy)
 
 import           Cardano.Faucet.Types
-
+import           Cardano.Faucet.Types.Recaptcha
 
 --------------------------------------------------------------------------------
 -- | Parses a 'SourceWalletConfig' from a file containing JSON
@@ -362,6 +366,7 @@ initEnv fc store = do
       logInfo "Initializing wallet"
       initialWallet <- makeInitializedWallet fc (liftClient client)
       pmtQ <- liftIO $ TBQ.newTBQueueIO 10
+      mRecaptchaSecret <- liftIO $ traverse readCaptchaSecret (fc ^. fcRecaptchaSecretFile)
       case initialWallet of
           Left err -> do
               logError ( "Error initializing wallet. Exiting: "
@@ -378,6 +383,7 @@ initEnv fc store = do
                           fc
                           client
                           pmtQ
+                          mRecaptchaSecret
 
 
 -- | Makes a http client 'Manager' for communicating with the wallet node

faucet/src/Cardano/Faucet/Types/Config.hs

@@ -33,7 +33,7 @@ import           Control.Concurrent.STM.TMVar (TMVar)
 import           Control.Exception (Exception)
 import           Control.Lens hiding ((.=))
 import           Data.Aeson (FromJSON (..), ToJSON (..), object, withObject,
-                     (.:), (.:?), (.=))
+                             (.:), (.:?), (.=))
 import           Data.Int (Int64)
 import           Data.Text (Text)
 import           Data.Typeable (Typeable)
@@ -44,7 +44,8 @@ import           System.Metrics.Gauge (Gauge)
 import           System.Remote.Monitoring.Statsd (StatsdOptions (..))
 
 import           Cardano.Wallet.API.V1.Types (AccountIndex, Payment,
-                     PaymentSource (..), V1, WalletId (..))
+                                              PaymentSource (..), V1,
+                                              WalletId (..))
 import           Cardano.Wallet.Client (ClientError (..), WalletClient (..))
 import           Pos.Core (Address (..))
 import           Pos.Util.Mnemonic (Mnemonic)
@@ -173,8 +174,10 @@ data FaucetConfig = FaucetConfig {
   , _fcPubCertFile         :: !FilePath
     -- | TLS private key
   , _fcPrivKeyFile         :: !FilePath
-    -- | Recapctch sectret key. Absence indicates not to use recaptcha
-  , _fcRecaptchaSecret     :: !(Maybe CaptchaSecret)
+    -- | File path containing recapctch sectret key.
+    --
+    -- Absence indicates not to use recaptcha
+  , _fcRecaptchaSecretFile :: !(Maybe FilePath)
   }
 
 makeClassy ''FaucetConfig
@@ -191,7 +194,7 @@ instance FromJSON FaucetConfig where
           <*> v .: "logging-config"
           <*> v .: "public-certificate"
           <*> v .: "private-key"
-          <*> (fmap CaptchaSecret <$> v .:? "recaptcha-secret")
+          <*> v .:? "recaptcha-secret-file"
 
 --------------------------------------------------------------------------------
 -- | Details of a wallet created by the faucet at run time if 'Generate' is used
@@ -257,23 +260,25 @@ makeLenses ''ProcessorPayload
 -- | Run time environment for faucet's reader Monad
 data FaucetEnv = FaucetEnv {
     -- | Counter for total amount withdawn from a wallet while faucet is running
-    _feWithdrawn     :: !Counter
+    _feWithdrawn       :: !Counter
     -- | Counter for number of withdrawals made
-  , _feNumWithdrawn  :: !Counter
+  , _feNumWithdrawn    :: !Counter
     -- | Gauge for wallet balance
-  , _feWalletBalance :: !Gauge
+  , _feWalletBalance   :: !Gauge
     -- | Metrics store
-  , _feStore         :: !Store
+  , _feStore           :: !Store
     -- | Config for source of funds
-  , _feSourceWallet  :: !SourceWalletConfig
+  , _feSourceWallet    :: !SourceWalletConfig
     -- | Return address for sending ADA back to the faucet
-  , _feReturnAddress :: !(V1 Address)
+  , _feReturnAddress   :: !(V1 Address)
     -- | Original static config object
-  , _feFaucetConfig  :: !FaucetConfig
+  , _feFaucetConfig    :: !FaucetConfig
     -- | Client for communicating with wallet API
-  , _feWalletClient  :: !(WalletClient IO)
+  , _feWalletClient    :: !(WalletClient IO)
     -- | Lock to ensure only one withdrawal at a time
-  , _feWithdrawalQ   :: !(TBQueue ProcessorPayload)
+  , _feWithdrawalQ     :: !(TBQueue ProcessorPayload)
+    -- | Recaptcha secret read from 'fcRecaptchaSecretFile'
+  , _feRecaptchaSecret :: !(Maybe CaptchaSecret)
   }
 
 makeClassy ''FaucetEnv

faucet/src/Cardano/Faucet/Types/Recaptcha.hs

@@ -12,7 +12,9 @@ module Cardano.Faucet.Types.Recaptcha
     ( CaptchaSecret(..)
     , CaptchaRequest(..), secret, response
     , CaptchaResponse(..), success, challengeTS, hostname, errorCodes
-    , captchaRequest) where
+    , readCaptchaSecret
+    , captchaRequest
+    ) where
 
 import           Control.Lens hiding ((.=))
 import           Data.Maybe
@@ -22,6 +24,7 @@ import qualified Network.Wreq as Wreq
 -- import Data.Proxy
 import           Data.Aeson
 import           Data.Text (Text)
+import qualified Data.Text.IO as Text
 import           Data.Time.Clock (UTCTime)
 import           GHC.Generics (Generic)
 
@@ -69,6 +72,9 @@ instance FromJSON CaptchaResponse where
       <*> v .:? "hostname"
       <*> (fromMaybe [] <$> v .:? "error-codes")
 
+-- | Reads a CaptchaSecret out of a file
+readCaptchaSecret :: FilePath -> IO CaptchaSecret
+readCaptchaSecret = fmap CaptchaSecret . Text.readFile
 
 -- | Makes the 'CaptchaRequest' to google
 captchaRequest :: CaptchaRequest -> IO CaptchaResponse

faucet/test-config.json.template

@@ -18,5 +18,5 @@
 , "logging-config": "./logging.cfg"
 , "public-certificate": "./tls/ca.crt"
 , "private-key": "./tls/server.key"
-, "recaptcha-secret": "XXX"
+, "recaptcha-secret-file": "recaptcha-secret.txt"
 }