[cli] Support interactive aquisition of ssh private key passphrase

Author: paolino

cli/README.md

@@ -86,27 +86,42 @@ export ANTI_WALLET_FILE=wallet.json
 
 Optionally you can provide a passphrase to encrypt the mnemonic phrase in the wallet file:
 
+> Setting a passphrase is highly recommended to protect your wallet
+
+A less secure way to provide the passphrase is to set the `ANTI_WALLET_PASSPHRASE` environment variable:
+
 ```bash
 read -s -p "Enter your wallet passphrase: " ANTI_WALLET_PASSPHRASE
 export ANTI_WALLET_PASSPHRASE
 ```
-
 You can create a wallet file with the `anti wallet create` command:
 
 ```bash
 antij wallet create
 ```
 
-It will fail to re-create the file if it already exists. You can review this wallet info anytime with
+A more secure way is to let the CLI prompt you for the passphrase when needed.
+
+```bash
+antij wallet create --ask-passphrase
+```
+
+If you set the `ANTI_INTERACTIVE_PASSWORD` environment variable to any value, the CLI will prompt you for the passphrase every time it needs it.
+
+```bash
+export ANTI_INTERACTIVE_PASSWORD=1
+```
+
+You can review this wallet info anytime with
 
 ```bash
 antij wallet info
 ```
 
-Remember to read your wallet passphrase into the `ANTI_WALLET_PASSPHRASE` environment variable before running any command that requires the wallet.
+>  Store a copy of your encrypted/plaintext wallet file in a password manager. Think twice before storing a plaintext wallet file. Store your passphrase in a password manager too. ATM we do not support hardware wallets like Ledger or Trezor.
 
 > Fund your wallet with some tAda tokens on preprod, for example using the [Cardano Testnet Faucet](https://docs.cardano.org/cardano-testnets/tools/faucet/).
->
+
 
 ### Antithesis token
 

cli/docs/requester-role.md

@@ -111,14 +111,23 @@ Before proceding be careful to set the necessary signing assets in your environm
 
   Path to the SSH private key file
   env: ANTI_SSH_FILE FILEPATH
+```
+
+As with the wallet passphrase you can set the password in the environment variable
 
-  Password to the decrypt the SSH private key
-  env: ANTI_SSH_PASSWORD STRING
+```bash
+read -s -p "Enter password to decrypt the SSH private key: " ANTI_INTERACTIVE_PASSWORD
+export ANTI_INTERACTIVE_PASSWORD
 ```
 
-The file at ANTI_SSH_FILE FILEPATH is the encrypted ssh private key matching the user registration.
+Or better paste it from a password manager each time you need it using the 'ask-password' option
+
+Or set the `ANTI_INTERACTIVE_PASSWORD` environment variable to any value.
+
+> The file at ANTI_SSH_FILE path has to be the encrypted ssh private key matching the user registration [see above](#registering-a-user-public-key).
 
 To request a test-run, you can use the `antij requester create-test` command.
+
 ```bash
 antij requester create-test --platform github --username alice --repository yourorg/yourrepo --directory ./path/to/your/test/directory --commit your_commit_hash --try 1 --duration 2
 ```
@@ -132,5 +141,3 @@ You can check the status of your test-run requests with the `antij facts test-ru
 ```bash
 antij facts test-run pending
 ```
-
-

cli/src/Core/Types/Mnemonics/Options.hs

@@ -2,6 +2,7 @@ module Core.Types.Mnemonics.Options
     ( mnemonicsParser
     , walletPassphraseCommon
     , walletFileOption
+    , queryConsole
     ) where
 
 import Control.Exception (try)
@@ -12,6 +13,7 @@ import Data.Aeson
     )
 import Data.Aeson qualified as Aeson
 import Data.ByteString.Lazy qualified as BL
+import Data.Functor (($>))
 import Data.Text (Text)
 import Data.Text qualified as T
 import OptEnvConf
@@ -30,7 +32,6 @@ import OptEnvConf
     , setting
     , short
     , str
-    , switch
     , withConfig
     )
 import System.Console.Haskeline
@@ -56,8 +57,12 @@ walletPassphraseCommon =
     mapIO id
         $ setting
             [ help "Prompt for the passphrase for the encrypted mnemonics"
-            , long "interactive-wallet-passphrase"
-            , switch $ queryConsole "Enter passphrase for encrypted mnemonics"
+            , env "ANTI_INTERACTIVE_PASSWORD"
+            , metavar "NONE"
+            , long "ask-passphrase"
+            , option
+            , reader
+                $ str @String $> queryConsole "Enter passphrase for encrypted mnemonics"
             ]
         <|> setting
             [ env "ANTI_WALLET_PASSPHRASE"

cli/src/User/Requester/Options.hs

@@ -19,7 +19,10 @@ import Core.Options
     , usernameOption
     , walletOption
     )
+import Core.Types.Mnemonics.Options (queryConsole)
 import Core.Types.Tx (TxHash, WithTxHash)
+import Data.Functor (($>))
+import Data.Text qualified as T
 import Lib.Box (Box (..))
 import Lib.SSH.Private (SSHClient (..))
 import OptEnvConf
@@ -28,10 +31,14 @@ import OptEnvConf
     , commands
     , env
     , help
+    , long
+    , mapIO
     , metavar
+    , option
     , reader
     , setting
     , str
+    , (<|>)
     )
 import Oracle.Validate.Requests.RegisterRole
     ( RegisterRoleFailure
@@ -150,12 +157,25 @@ keyFileOption =
 
 keyPasswordOption :: Parser String
 keyPasswordOption =
-    setting
-        [ env "ANTI_SSH_PASSWORD"
-        , help "Password to the decrypt the SSH private key"
-        , metavar "STRING"
-        , reader str
-        ]
+    mapIO id
+        $ setting
+            [ help "Prompt for the password to decrypt the SSH private key"
+            , env "ANTI_INTERACTIVE_PASSWORD"
+            , metavar "NONE"
+            , long "ask-password"
+            , option
+            , reader
+                $ str @String
+                    $> ( T.unpack
+                            <$> queryConsole "Enter password for SSH private key"
+                       )
+            ]
+        <|> setting
+            [ env "ANTI_SSH_PASSWORD"
+            , help "Password to the decrypt the SSH private key"
+            , metavar "STRING"
+            , reader (pure <$> str)
+            ]
 
 requestTestOptions
     :: Parser