Add --no-secrets-in-config command line option (#18092)
Adds the `--no-secrets-in-config` command line option that makes Synapse reject all configurations containing keys with in-line secret values. Currently this rejects

- `turn_shared_secret`
- `registration_shared_secret`
- `macaroon_secret_key`
- `recaptcha_private_key`
- `recaptcha_public_key`
- `experimental_features.msc3861.client_secret`
- `experimental_features.msc3861.jwk`
- `experimental_features.msc3861.admin_token`
- `form_secret`
- `redis.password`
- `worker_replication_secret`

> [!TIP]
> Hey, you! Yes, you! If you think this list is missing an item, please leave a comment below. Thanks :)

This PR complements my other PRs[^1] that add the corresponding `_path` variants for this class of config options. It enables admins to enforce a policy of no secrets in configuration files and guards against accident and malice.

Because I consider the flag `--no-secrets-in-config` to be security-relevant, I did not add a corresponding `--secrets-in-config` flag; this way, if Synapse command line options are appended at various places, there is no way to weaken the once-set setting with a succeeding flag.

[^1]: [#17690](https://github.com/element-hq/synapse/pull/17690), [#17717](https://github.com/element-hq/synapse/pull/17717), [#17983](https://github.com/element-hq/synapse/pull/17983), [#17984](https://github.com/element-hq/synapse/pull/17984), [#18004](https://github.com/element-hq/synapse/pull/18004), [#18090](https://github.com/element-hq/synapse/pull/18090)

### Pull Request Checklist

<!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request -->

* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should:
  - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
  - Use markdown where necessary, mostly for `code blocks`.
  - End with either a period (.) or an exclamation mark (!).
  - Start with a capital letter.
  - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
* [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
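The following stand-alone Python sketch is an added illustration of the policy the description above lays out; it is not Synapse's implementation from this PR and does not use Synapse's config classes. It walks an already-parsed (YAML-style) config dict for the dotted keys the PR lists, reports those present with a non-null value, and models the one-way flag: a `store_true` option with no `--secrets-in-config` counterpart, so a later argument cannot undo it. The `InlineSecretError` class, the `_lookup` / `find_inline_secrets` / `check_config` helpers, the sample configs and the `_path` key names used in them are assumptions for the example, and the "null value is not a secret" rule is the example's own choice, not something the PR states.

```python
"""Illustrative checker (not Synapse's own code): reject in-line secrets in a
parsed Synapse-style config when --no-secrets-in-config is given."""
import argparse
from typing import Any, Dict, List, Tuple

# Dotted key paths the PR description lists as carrying in-line secret values.
SECRET_KEYS = [
    "turn_shared_secret",
    "registration_shared_secret",
    "macaroon_secret_key",
    "recaptcha_private_key",
    "recaptcha_public_key",
    "experimental_features.msc3861.client_secret",
    "experimental_features.msc3861.jwk",
    "experimental_features.msc3861.admin_token",
    "form_secret",
    "redis.password",
    "worker_replication_secret",
]


class InlineSecretError(ValueError):
    """Hypothetical error type for this example; Synapse raises its own ConfigError."""


def build_parser() -> argparse.ArgumentParser:
    """A store_true flag with no '--secrets-in-config' opposite: once it appears
    anywhere on the command line, no later argument can clear it."""
    parser = argparse.ArgumentParser(prog="synapse-config-check")
    parser.add_argument(
        "--no-secrets-in-config",
        action="store_true",
        help="reject configurations that contain in-line secret values",
    )
    return parser


def _lookup(config: Dict[str, Any], dotted: str) -> Tuple[bool, Any]:
    """Walk a dotted path such as 'redis.password' through nested dicts."""
    node: Any = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def find_inline_secrets(config: Dict[str, Any]) -> List[str]:
    """Return the listed keys that are present with a non-null value.
    Assumption (example's own rule): a key explicitly set to null is not an
    in-line secret. '_path' variants never match because only bare keys are listed."""
    found: List[str] = []
    for key in SECRET_KEYS:
        present, value = _lookup(config, key)
        if present and value is not None:
            found.append(key)
    return found


def check_config(config: Dict[str, Any], argv: List[str]) -> List[str]:
    """Parse argv; raise if the flag is set and the config holds in-line secrets.
    Returns the offending keys (empty when the config is clean)."""
    opts = build_parser().parse_args(argv)
    offending = find_inline_secrets(config)
    if opts.no_secrets_in_config and offending:
        raise InlineSecretError(
            "--no-secrets-in-config is set but the config contains in-line "
            "secrets: " + ", ".join(offending)
        )
    return offending


# Constructed sample configs (as if parsed from YAML), not real deployments.
INLINE_CONFIG: Dict[str, Any] = {
    "server_name": "example.test",
    "registration_shared_secret": "hunter2",
    "redis": {"enabled": True, "password": "redis-pass"},
    "experimental_features": {"msc3861": {"enabled": True, "client_secret": "cs"}},
}
# The '_path' key names below are assumed for illustration.
PATH_CONFIG: Dict[str, Any] = {
    "server_name": "example.test",
    "registration_shared_secret_path": "/run/secrets/registration",
    "redis": {"enabled": True, "password_path": "/run/secrets/redis"},
}

if __name__ == "__main__":
    print("path-only config accepted:", check_config(PATH_CONFIG, ["--no-secrets-in-config"]))
    try:
        check_config(INLINE_CONFIG, ["--no-secrets-in-config"])
    except InlineSecretError as exc:
        print("rejected:", exc)
```

Without the flag `check_config` only reports the offending keys, which is handy for auditing an existing deployment before turning the policy on; with the flag it refuses to proceed, and because the parser knows no opposite option, appending `--secrets-in-config` later on the command line is itself a parse error rather than an override.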
Showing 12 changed files:

- changelog.d/18092.feature: 1 addition, 0 deletions
- synapse/config/_base.py: 29 additions, 3 deletions
- synapse/config/_base.pyi: 5 additions, 1 deletion
- synapse/config/captcha.py: 13 additions, 1 deletion
- synapse/config/experimental.py: 27 additions, 3 deletions
- synapse/config/key.py: 15 additions, 1 deletion
- synapse/config/redis.py: 8 additions, 1 deletion
- synapse/config/registration.py: 8 additions, 1 deletion
- synapse/config/voip.py: 8 additions, 1 deletion
- synapse/config/workers.py: 8 additions, 1 deletion
- tests/config/test_load.py: 104 additions, 0 deletions
- tests/config/test_workers.py: 1 addition, 1 deletion