mirror of
https://github.com/element-hq/synapse.git
synced 2026-05-25 16:24:06 +00:00
V02460
2159b3852e
Adds the `--no-secrets-in-config` command line option that makes Synapse reject all configurations containing keys with in-line secret values. Currently this rejects - `turn_shared_secret` - `registration_shared_secret` - `macaroon_secret_key` - `recaptcha_private_key` - `recaptcha_public_key` - `experimental_features.msc3861.client_secret` - `experimental_features.msc3861.jwk` - `experimental_features.msc3861.admin_token` - `form_secret` - `redis.password` - `worker_replication_secret` > [!TIP] > Hey, you! Yes, you! 😊 If you think this list is missing an item, please leave a comment below. Thanks :) This PR complements my other PRs[^1] that add the corresponding `_path` variants for this class of config options. It enables admins to enforce a policy of no secrets in configuration files and guards against accident and malice. Because I consider the flag `--no-secrets-in-config` to be security-relevant, I did not add a corresponding `--secrets-in-config` flag; this way, if Synapse command line options are appended at various places, there is no way to weaken the once-set setting with a succeeding flag. [^1]: [#17690](https://github.com/element-hq/synapse/pull/17690), [#17717](https://github.com/element-hq/synapse/pull/17717), [#17983](https://github.com/element-hq/synapse/pull/17983), [#17984](https://github.com/element-hq/synapse/pull/17984), [#18004](https://github.com/element-hq/synapse/pull/18004), [#18090](https://github.com/element-hq/synapse/pull/18090) ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [x] Pull request is based on the develop branch * [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
75 lines
2.6 KiB
Python
75 lines
2.6 KiB
Python
#
|
|
# This file is licensed under the Affero General Public License (AGPL) version 3.
|
|
#
|
|
# Copyright 2020 The Matrix.org Foundation C.I.C.
|
|
# Copyright (C) 2023 New Vector, Ltd
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# See the GNU Affero General Public License for more details:
|
|
# <https://www.gnu.org/licenses/agpl-3.0.html>.
|
|
#
|
|
# Originally licensed under the Apache License, Version 2.0:
|
|
# <http://www.apache.org/licenses/LICENSE-2.0>.
|
|
#
|
|
# [This file includes modifications made by New Vector Limited]
|
|
#
|
|
#
|
|
|
|
from typing import Any
|
|
|
|
from synapse.config._base import Config, ConfigError, read_file
|
|
from synapse.types import JsonDict
|
|
from synapse.util.check_dependencies import check_requirements
|
|
|
|
CONFLICTING_PASSWORD_OPTS_ERROR = """\
|
|
You have configured both `redis.password` and `redis.password_path`.
|
|
These are mutually incompatible.
|
|
"""
|
|
|
|
|
|
class RedisConfig(Config):
|
|
section = "redis"
|
|
|
|
def read_config(
|
|
self, config: JsonDict, allow_secrets_in_config: bool, **kwargs: Any
|
|
) -> None:
|
|
redis_config = config.get("redis") or {}
|
|
self.redis_enabled = redis_config.get("enabled", False)
|
|
|
|
if not self.redis_enabled:
|
|
return
|
|
|
|
check_requirements("redis")
|
|
|
|
self.redis_host = redis_config.get("host", "localhost")
|
|
self.redis_port = redis_config.get("port", 6379)
|
|
self.redis_path = redis_config.get("path", None)
|
|
self.redis_dbid = redis_config.get("dbid", None)
|
|
self.redis_password = redis_config.get("password")
|
|
if self.redis_password and not allow_secrets_in_config:
|
|
raise ConfigError(
|
|
"Config options that expect an in-line secret as value are disabled",
|
|
("redis", "password"),
|
|
)
|
|
redis_password_path = redis_config.get("password_path")
|
|
if redis_password_path:
|
|
if self.redis_password:
|
|
raise ConfigError(CONFLICTING_PASSWORD_OPTS_ERROR)
|
|
self.redis_password = read_file(
|
|
redis_password_path,
|
|
(
|
|
"redis",
|
|
"password_path",
|
|
),
|
|
).strip()
|
|
|
|
self.redis_use_tls = redis_config.get("use_tls", False)
|
|
self.redis_certificate = redis_config.get("certificate_file", None)
|
|
self.redis_private_key = redis_config.get("private_key_file", None)
|
|
self.redis_ca_file = redis_config.get("ca_file", None)
|
|
self.redis_ca_path = redis_config.get("ca_path", None)
|