Draft: Added support for the different SecretFormat within the Vault

• Adapted vault items filename to "{address}-{secret_format}" for new entries
• Kept backward compatibility to still read "substrate" vault items from disk (without the SecretFormat in the filename)
• Refactored methods in keys.rs and vault.rs to accommodate for the changes without duplicating code (i.e. for the secret prompts)
• for "vault import" command, kept SecretFormat.Substrate as default so it's not mandatory to give the "-S" parameter

---

Performed manual tests using accounts:

• 5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn
  • Identity: Nicolas80
  • Kept as "old" vault entry ~/.local/share/gcli/5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn
• 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6-substrate
  • Identity: Nicolas80-GDev
• 5GhAZBagx87sTGfMppfPPcWhxCKGWE8zDi1oHp7YiKosD9KZ-cesium
  • (old G1v1 for which I moved identity to 5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn)
• 5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm-seed
  • New test account without Identity and created from seed only
• 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY
  • predefined Alice key

Saving the different key types in the vault

gcli vault list
available keys:
5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn


gcli vault import --help
Import key from (substrate)mnemonic or other format with interactive prompt

Usage: gcli vault import [OPTIONS]

Options:
  -S, --secret-format <SECRET_FORMAT>  Secret key format (substrate, seed, cesium) [default: substrate]
  -h, --help                           Print help

# Using default "substrate" secret format
gcli vault import
Mnemonic: 
Enter password to protect the key
Password: 
Stored secret for 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6

gcli vault import -S cesium
Cesium id: 
Cesium password: 
Enter password to protect the key
Password: 
Stored secret for 5GhAZBagx87sTGfMppfPPcWhxCKGWE8zDi1oHp7YiKosD9KZ

gcli vault import -S seed  
Seed: 
Enter password to protect the key
Password: 
Stored secret for 5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm

# Just for reference, also work for predefined key - but probably not useful
# Using "Alice" as derivation here
gcli vault import -S predefined
Enter derivation path: 
Enter password to protect the key
Password: 
Stored secret for 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY

gcli vault list
available keys:
5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn
5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm-seed
5GhAZBagx87sTGfMppfPPcWhxCKGWE8zDi1oHp7YiKosD9KZ-cesium
5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6-substrate
5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY-predefined

Using the different vaults for transfers

# Using -a to select the source address for all commands
gcli -a 5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn account transfer 101 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6
Enter password to unlock account 5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn
Password: 
transaction submitted to the network, waiting 6 seconds...
transfered 1.01 ĞD (5Funkng8dL397H9ZEJ9sXDjFhStCqRYUj1a62ngcrEMy7ivn → 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6)

gcli -a 5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm account transfer 101 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6
Enter password to unlock account 5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm
Password: 
transaction submitted to the network, waiting 6 seconds...
transfered 1.01 ĞD (5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm → 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6)

gcli -a 5GhAZBagx87sTGfMppfPPcWhxCKGWE8zDi1oHp7YiKosD9KZ account transfer 101 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6
Enter password to unlock account 5GhAZBagx87sTGfMppfPPcWhxCKGWE8zDi1oHp7YiKosD9KZ
Password: 
transaction submitted to the network, waiting 6 seconds...
transfered 1.01 ĞD (5GhAZBagx87sTGfMppfPPcWhxCKGWE8zDi1oHp7YiKosD9KZ → 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6)

gcli -a 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6 account transfer 101 5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm
Enter password to unlock account 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6
Password: 
transaction submitted to the network, waiting 6 seconds...
transfered 1.01 ĞD (5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6 → 5GNadia4kktgt3Zg3QgTKL8Lse78XXMcisnRhkPKA4ombYDm)

# Using the address of the predefined key actually doesn't request the password (it's not even searching in the vault)
gcli -a 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY account transfer 101 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6
transaction submitted to the network, waiting 6 seconds...
transfered 1.01 ĞD (5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY → 5HE6gH87fVuGj6akXneNceBtgEiaUZua43TJbVBRQTT77gp6)

---

I'm still new to rust, so don't hesitate to give suggestions

src/commands/vault.rs

 use crate::*;
 use age::secrecy::Secret;
 use std::io::{Read, Write};
+use std::path::PathBuf;
 
 /// define universal dividends subcommands
 #[derive(Clone, Default, Debug, clap::Parser)]
@@ -12,8 +13,18 @@ pub enum Subcommand {
 	Where,
 	/// Generate a mnemonic
 	Generate,
-	/// Import mnemonic with interactive prompt
-	Import,
+	/// Import key from (substrate)mnemonic or other format with interactive prompt
+	Import {
+		/// Secret key format (substrate, seed, cesium)
+		#[clap(short = 'S', long, required = false, default_value = SecretFormat::Substrate)]
+		secret_format: SecretFormat,
+	},
+}
+
+struct VaultItem {
+	secret_format: SecretFormat,
+	secret: keys::Secret,
+	keypair: KeyPair,
 }
 
 // encrypt input with passphrase
@@ -62,11 +73,14 @@ pub fn handle_command(data: Data, command: Subcommand) -> Result<(), GcliError>
 			let mnemonic = bip39::Mnemonic::generate(12).unwrap();
 			println!("{mnemonic}");
 		}
-		Subcommand::Import => {
-			let mnemonic = rpassword::prompt_password("Mnemonic: ")?;
+		Subcommand::Import {
+			secret_format,
+		} => {
+			let vault_item = prompt_secret_and_compute_vault_item(secret_format)?;
+
 			println!("Enter password to protect the key");
 			let password = rpassword::prompt_password("Password: ")?;
-			let address = store_mnemonic(&data, &mnemonic, password)?;
+			let address = store_vault_item(&data, vault_item, password)?;
 			println!("Stored secret for {address}");
 		}
 	};
@@ -74,34 +88,120 @@ pub fn handle_command(data: Data, command: Subcommand) -> Result<(), GcliError>
 	Ok(())
 }
 
-/// store mnemonic protected with password
-pub fn store_mnemonic(
+fn create_vault_item<F, P>(secret_format: SecretFormat, prompt_fn: F) -> Result<VaultItem, GcliError>
+where
+	F: Fn() -> (keys::Secret, P),
+	P: Into<KeyPair>,
+{
+	let (secret, pair) = prompt_fn();
+	Ok(VaultItem {
+		secret_format,
+		secret,
+		keypair: pair.into(),
+	})
+}
+
+fn prompt_secret_and_compute_vault_item(secret_format: SecretFormat) -> Result<VaultItem, GcliError> {
+	match secret_format {
+		SecretFormat::Substrate =>
+			create_vault_item(secret_format, prompt_secret_substrate_and_compute_keypair),
+		SecretFormat::Seed =>
+			create_vault_item(secret_format, prompt_seed_and_compute_keypair),
+		SecretFormat::Cesium =>
+			create_vault_item(secret_format, prompt_secret_cesium_and_compute_keypair),
+		SecretFormat::Predefined =>
+			create_vault_item(secret_format, prompt_predefined_and_compute_keypair),
+	}
+}
+
+/// store VaultItem protected with password
+fn store_vault_item(
 	data: &Data,
-	mnemonic: &str,
+	vault_item: VaultItem,
 	password: String,
 ) -> Result<AccountId, GcliError> {
-	// check validity by deriving keypair
-	let keypair = pair_from_str(mnemonic)?;
-	let address = keypair.public();
-	// write encrypted mnemonic in file identified by pubkey
-	let path = data.project_dir.data_dir().join(address.to_string());
+	let keypair = vault_item.keypair;
+	let address = keypair.address();
+	// write encrypted secret in file identified by address pubkey and secret_format
+	let path = get_vault_key_path(data, vault_item.secret_format, address.to_string());
 	let mut file = std::fs::File::create(path)?;
-	file.write_all(&encrypt(mnemonic.as_bytes(), password).map_err(|e| anyhow!(e))?[..])?;
-	Ok(keypair.public().into())
+	
+	match vault_item.secret {
+		keys::Secret::SimpleSecret(secret) => {
+			file.write_all(&encrypt(secret.as_bytes(), password).map_err(|e| anyhow!(e))?[..])?;
+		}
+		keys::Secret::DualSecret(id, pwd) => {
+			//Making a simple separation of the 2 parts with a newline character
+			let secret = format!("{id}\n{pwd}");
+			file.write_all(&encrypt(secret.as_bytes(), password).map_err(|e| anyhow!(e))?[..])?;
+		}
+	}
+	
+	Ok(address)
 }
 
-/// try get secret in keystore
-pub fn try_fetch_secret(data: &Data, address: AccountId) -> Result<Option<String>, GcliError> {
-	let path = data.project_dir.data_dir().join(address.to_string());
+fn get_vault_key_path(data: &Data, secret_format: SecretFormat, address: String) -> PathBuf {
+	let format_str: &'static str = From::from(secret_format);
+	data.project_dir.data_dir().join(format!("{}-{}", address, format_str))
+}
+
+/// look for different possible paths for vault keys and return both format and path
+fn find_vault_key(data: &Data, address: String) -> Result<Option<(SecretFormat, PathBuf)>, GcliError> {
+	let mut secret_format = SecretFormat::Substrate;
+	let mut path = get_vault_key_path(data, secret_format, address.to_string());
+	//Also checking for old file name without secret_format which would be for (default) substrate key
+	if !path.exists() {
+		path = data.project_dir.data_dir().join(address.to_string());
+	}
+	if !path.exists() {
+		secret_format = SecretFormat::Seed;
+		path = get_vault_key_path(data, secret_format, address.to_string());
+	}
+	if !path.exists() {
+		secret_format = SecretFormat::Cesium;
+		path = get_vault_key_path(data, secret_format, address.to_string());
+	}
+	if !path.exists() {
+		secret_format = SecretFormat::Predefined;
+		path = get_vault_key_path(data, secret_format, address.to_string());
+	}
 	if path.exists() {
+		Ok(Some((secret_format, path)))
+	} else {
+		Ok(None)
+	}
+}
+
+/// try to get secret in keystore, prompt for the password and compute the keypair
+pub fn try_fetch_key_pair(data: &Data, address: AccountId) -> Result<Option<KeyPair>, GcliError> {
+	if let Some((secret_format, path)) = find_vault_key(data, address.to_string())? {
 		println!("Enter password to unlock account {address}");
 		let password = rpassword::prompt_password("Password: ")?;
 		let mut file = std::fs::OpenOptions::new().read(true).open(path)?;
 		let mut cypher = vec![];
 		file.read_to_end(&mut cypher)?;
-		let secret = decrypt(&cypher, password).map_err(|e| GcliError::Input(e.to_string()))?;
-		let secretstr = String::from_utf8(secret).map_err(|e| anyhow!(e))?;
-		Ok(Some(secretstr))
+		let secret_vec = decrypt(&cypher, password).map_err(|e| GcliError::Input(e.to_string()))?;
+		let secret = String::from_utf8(secret_vec).map_err(|e| anyhow!(e))?;
+		
+		//Still need to handle different secret formats
+		match secret_format {
+			SecretFormat::Substrate => {
+				Ok(Some(pair_from_str(&secret)?.into()))
+			}
+			SecretFormat::Seed => {
+				Ok(Some(pair_from_seed(&secret)?.into()))
+			}
+			SecretFormat::Cesium => {
+				let mut lines = secret.lines();
+				//Un-wrapping the 2 secrets from each line
+				let id = lines.next().unwrap();
+				let pwd = lines.next().unwrap();
+				Ok(Some(pair_from_cesium(id.to_string(), pwd.to_string()).into()))
+			}
+			SecretFormat::Predefined => {
+				Ok(Some(pair_from_predefined(&secret)?.into()))
+			}
+		}
 	} else {
 		Ok(None)
 	}

[Hugo Trentesaux]

Having the format inside the file would prevent from having to pass the format here as an argument. And note that "address" is a string, so you could simply wrap this function by giving format!("{}-{}", address, format_str) as an argument to get_vault_key_path function, allowing to use the same function if the filename is something like alice.json or so.