2159b3852e
Adds the `--no-secrets-in-config` command line option that makes Synapse reject all configurations containing keys with in-line secret values. Currently this rejects - `turn_shared_secret` - `registration_shared_secret` - `macaroon_secret_key` - `recaptcha_private_key` - `recaptcha_public_key` - `experimental_features.msc3861.client_secret` - `experimental_features.msc3861.jwk` - `experimental_features.msc3861.admin_token` - `form_secret` - `redis.password` - `worker_replication_secret` > [!TIP] > Hey, you! Yes, you! 😊 If you think this list is missing an item, please leave a comment below. Thanks :) This PR complements my other PRs[^1] that add the corresponding `_path` variants for this class of config options. It enables admins to enforce a policy of no secrets in configuration files and guards against accident and malice. Because I consider the flag `--no-secrets-in-config` to be security-relevant, I did not add a corresponding `--secrets-in-config` flag; this way, if Synapse command line options are appended at various places, there is no way to weaken the once-set setting with a succeeding flag. [^1]: [#17690](https://github.com/element-hq/synapse/pull/17690), [#17717](https://github.com/element-hq/synapse/pull/17717), [#17983](https://github.com/element-hq/synapse/pull/17983), [#17984](https://github.com/element-hq/synapse/pull/17984), [#18004](https://github.com/element-hq/synapse/pull/18004), [#18090](https://github.com/element-hq/synapse/pull/18090) ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [x] Pull request is based on the develop branch * [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
67 lines
2.4 KiB
Python
67 lines
2.4 KiB
Python
#
|
|
# This file is licensed under the Affero General Public License (AGPL) version 3.
|
|
#
|
|
# Copyright 2014-2016 OpenMarket Ltd
|
|
# Copyright (C) 2023 New Vector, Ltd
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# See the GNU Affero General Public License for more details:
|
|
# <https://www.gnu.org/licenses/agpl-3.0.html>.
|
|
#
|
|
# Originally licensed under the Apache License, Version 2.0:
|
|
# <http://www.apache.org/licenses/LICENSE-2.0>.
|
|
#
|
|
# [This file includes modifications made by New Vector Limited]
|
|
#
|
|
#
|
|
|
|
from typing import Any
|
|
|
|
from synapse.types import JsonDict
|
|
|
|
from ._base import Config, ConfigError
|
|
|
|
|
|
class CaptchaConfig(Config):
|
|
section = "captcha"
|
|
|
|
def read_config(
|
|
self, config: JsonDict, allow_secrets_in_config: bool, **kwargs: Any
|
|
) -> None:
|
|
recaptcha_private_key = config.get("recaptcha_private_key")
|
|
if recaptcha_private_key and not allow_secrets_in_config:
|
|
raise ConfigError(
|
|
"Config options that expect an in-line secret as value are disabled",
|
|
("recaptcha_private_key",),
|
|
)
|
|
if recaptcha_private_key is not None and not isinstance(
|
|
recaptcha_private_key, str
|
|
):
|
|
raise ConfigError("recaptcha_private_key must be a string.")
|
|
self.recaptcha_private_key = recaptcha_private_key
|
|
|
|
recaptcha_public_key = config.get("recaptcha_public_key")
|
|
if recaptcha_public_key and not allow_secrets_in_config:
|
|
raise ConfigError(
|
|
"Config options that expect an in-line secret as value are disabled",
|
|
("recaptcha_public_key",),
|
|
)
|
|
if recaptcha_public_key is not None and not isinstance(
|
|
recaptcha_public_key, str
|
|
):
|
|
raise ConfigError("recaptcha_public_key must be a string.")
|
|
self.recaptcha_public_key = recaptcha_public_key
|
|
|
|
self.enable_registration_captcha = config.get(
|
|
"enable_registration_captcha", False
|
|
)
|
|
self.recaptcha_siteverify_api = config.get(
|
|
"recaptcha_siteverify_api",
|
|
"https://www.recaptcha.net/recaptcha/api/siteverify",
|
|
)
|
|
self.recaptcha_template = self.read_template("recaptcha.html")
|