Add macaroon_secret_key_path config option#17983
Merged
MadLittleMods merged 5 commits into element-hq:develop (Dec 17, 2024)
Conversation
MadLittleMods
approved these changes
Dec 16, 2024
Contributor
Thanks for continuing down the path @V02460 🐡
Contributor
This is great, the only one left in my config is
Contributor
Author
Thanks @remram44, I hadn't caught that one yet! Out of curiosity: what is your use case? Why are you interested in this?
Contributor
I maintain a helm chart for Kubernetes: https://github.com/remram44/matrix-helm The secret values are generated automatically and stored separately (as Kubernetes Secrets) so they need to be injected into the config before Synapse starts. I was able to remove some code from the injection script thanks to your efforts: remram44/matrix-helm@3569d57
yingziwu
added a commit
to yingziwu/synapse
that referenced
this pull request
Jan 16, 2025
Please note that this version of Synapse drops support for PostgreSQL 11 and 12. The minimum version of PostgreSQL supported is now version 13.

No significant changes since 1.122.0rc1.

- Remove support for PostgreSQL 11 and 12. Contributed by @clokep. ([#18034](element-hq/synapse#18034))
- Added the `email.tlsname` config option. This allows specifying the domain name used to validate the SMTP server's TLS certificate separately from the `email.smtp_host` to connect to. ([#17849](element-hq/synapse#17849))
- Module developers will have access to the user ID of the requester when adding `check_username_for_spam` callbacks to `spam_checker_module_callbacks`. Contributed by Wilson@Pangea.chat. ([#17916](element-hq/synapse#17916))
- Add endpoints to the Admin API to fetch the number of invites the provided user has sent after a given timestamp, fetch the number of rooms the provided user has joined after a given timestamp, and get report IDs of event reports against a provided user (i.e. where the user was the sender of the reported event). ([#17948](element-hq/synapse#17948))
- Support stable account suspension from [MSC3823](matrix-org/matrix-spec-proposals#3823). ([#17964](element-hq/synapse#17964))
- Add `macaroon_secret_key_path` config option. ([#17983](element-hq/synapse#17983))
- Fix bug when rejecting a withdrawn invite with a `third_party_rules` module, where the invite would be stuck for the client. ([#17930](element-hq/synapse#17930))
- Properly purge state groups tables when purging a room with the Admin API. ([#18024](element-hq/synapse#18024))
- Fix a bug preventing the admin redaction endpoint from working on messages from remote users. ([#18029](element-hq/synapse#18029), [#18043](element-hq/synapse#18043))
- Update `synapse.app.generic_worker` documentation to only recommend `GET` requests for stream writer routes by default, unless the worker is also configured as a stream writer. Contributed by @evoL. ([#17954](element-hq/synapse#17954))
- Add documentation for the previously-undocumented `last_seen_ts` query parameter to the query user Admin API. ([#17976](element-hq/synapse#17976))
- Improve documentation for the `TaskScheduler` class. ([#17992](element-hq/synapse#17992))
- Fix example in reverse proxy docs to include server port. ([#17994](element-hq/synapse#17994))
- Update Alpine Linux Synapse Package Maintainer within the installation instructions. ([#17846](element-hq/synapse#17846))
- Add `RoomID` & `EventID` rust types. ([#17996](element-hq/synapse#17996))
- Fix various type errors across the codebase. ([#17998](element-hq/synapse#17998))
- Disable DB statement timeout when doing a room purge since it can be quite long. ([#18017](element-hq/synapse#18017))
- Remove some remaining uses of `twisted.internet.defer.returnValue`. Contributed by Colin Watson. ([#18020](element-hq/synapse#18020))
- Refactor `get_profile` to no longer include fields with a value of `None`. ([#18063](element-hq/synapse#18063))
- Bump anyhow from 1.0.93 to 1.0.95. ([#18012](element-hq/synapse#18012), [#18045](element-hq/synapse#18045))
- Bump authlib from 1.3.2 to 1.4.0. ([#18048](element-hq/synapse#18048))
- Bump dawidd6/action-download-artifact from 6 to 7. ([#17981](element-hq/synapse#17981))
- Bump http from 1.1.0 to 1.2.0. ([#18013](element-hq/synapse#18013))
- Bump mypy from 1.11.2 to 1.12.1. ([#17999](element-hq/synapse#17999))
- Bump mypy-zope from 1.0.8 to 1.0.9. ([#18047](element-hq/synapse#18047))
- Bump pillow from 10.4.0 to 11.0.0. ([#18015](element-hq/synapse#18015))
- Bump pydantic from 2.9.2 to 2.10.3. ([#18014](element-hq/synapse#18014))
- Bump pyicu from 2.13.1 to 2.14. ([#18060](element-hq/synapse#18060))
- Bump pyo3 from 0.23.2 to 0.23.3. ([#18001](element-hq/synapse#18001))
- Bump python-multipart from 0.0.16 to 0.0.18. ([#17985](element-hq/synapse#17985))
- Bump sentry-sdk from 2.17.0 to 2.19.2. ([#18061](element-hq/synapse#18061))
- Bump serde from 1.0.215 to 1.0.217. ([#18031](element-hq/synapse#18031), [#18059](element-hq/synapse#18059))
- Bump serde_json from 1.0.133 to 1.0.134. ([#18044](element-hq/synapse#18044))
- Bump twine from 5.1.1 to 6.0.1. ([#18049](element-hq/synapse#18049))

**Changelogs for older versions can be found [here](docs/changelogs/).**
devonh
pushed a commit
that referenced
this pull request
Feb 25, 2025
Adds the `--no-secrets-in-config` command line option that makes Synapse reject all configurations containing keys with in-line secret values. Currently this rejects

- `turn_shared_secret`
- `registration_shared_secret`
- `macaroon_secret_key`
- `recaptcha_private_key`
- `recaptcha_public_key`
- `experimental_features.msc3861.client_secret`
- `experimental_features.msc3861.jwk`
- `experimental_features.msc3861.admin_token`
- `form_secret`
- `redis.password`
- `worker_replication_secret`

> [!TIP]
> Hey, you! Yes, you! 😊 If you think this list is missing an item, please leave a comment below. Thanks :)

This PR complements my other PRs[^1] that add the corresponding `_path` variants for this class of config options. It enables admins to enforce a policy of no secrets in configuration files and guards against accident and malice.

Because I consider the flag `--no-secrets-in-config` to be security-relevant, I did not add a corresponding `--secrets-in-config` flag; this way, if Synapse command line options are appended at various places, there is no way to weaken the once-set setting with a succeeding flag.

[^1]: [#17690](#17690), [#17717](#17717), [#17983](#17983), [#17984](#17984), [#18004](#18004), [#18090](#18090)

### Pull Request Checklist

* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should:
  - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
  - Use markdown where necessary, mostly for `code blocks`.
  - End with either a period (.) or an exclamation mark (!).
  - Start with a capital letter.
  - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
* [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
devonh
pushed a commit
that referenced
this pull request
Feb 25, 2025
I [was told](#17983 (comment)) about another config option with a secret, so I got `form_secret` a companion: `form_secret_path`

This PR makes NixOS and Kubernetes users a little bit happy. Includes docs and tests.

### Pull Request Checklist

* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should:
  - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
  - Use markdown where necessary, mostly for `code blocks`.
  - End with either a period (.) or an exclamation mark (!).
  - Start with a capital letter.
  - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
* [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
Another config option on my quest to a `*_path` variant for every secret. This time it's `macaroon_secret_key_path`.

Slightly modified the tests to accommodate this option (see 9367d18, 087ec0f), hopefully self-explanatory.
Reading secrets from files has the security advantage of separating the secrets from the config. It also simplifies secrets management in Kubernetes. Also useful to NixOS users.
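The two mechanisms discussed in this thread, a `_path` companion for each secret and a policy that rejects in-line secrets, are small enough to show end to end. The following is an added example written for this page; it is not Synapse's own config code, and the function names (`resolve_secret`, `check_no_inline_secrets`, `ConfigError`) are hypothetical. The list of keys is taken from the `--no-secrets-in-config` commit message above; the config dicts and the key file contents are constructed sample input.

```python
"""Added example (not Synapse's own code): resolve a secret from either an
in-line key or its `_path` companion, and enforce a no-secrets-in-config
policy over the keys listed in the commit message above."""

import os
import tempfile
from typing import Any, Dict, List, Optional

# Keys the `--no-secrets-in-config` commit message lists as in-line secrets.
# Dotted names address nested mappings (e.g. `redis.password`).
INLINE_SECRET_KEYS = (
    "turn_shared_secret",
    "registration_shared_secret",
    "macaroon_secret_key",
    "recaptcha_private_key",
    "recaptcha_public_key",
    "experimental_features.msc3861.client_secret",
    "experimental_features.msc3861.jwk",
    "experimental_features.msc3861.admin_token",
    "form_secret",
    "redis.password",
    "worker_replication_secret",
)


class ConfigError(Exception):
    """Raised for a misconfigured secret (hypothetical name)."""


def _lookup(config: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Walk a dotted key path through nested dicts; None if absent."""
    node: Any = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve_secret(config: Dict[str, Any], key: str) -> Optional[str]:
    """Return the secret for `key`, reading `<key>_path` from disk if set.

    Setting both the in-line key and its `_path` companion is rejected: the
    admin's intent is ambiguous and silently preferring one would hide a
    leftover in-line secret. Surrounding whitespace (typically the newline an
    editor appends) is stripped so the file holds just the secret.
    """
    inline = _lookup(config, key)
    path = _lookup(config, key + "_path")
    if inline is not None and path is not None:
        raise ConfigError(f"{key} and {key}_path are mutually exclusive")
    if path is not None:
        with open(path, "r", encoding="utf-8") as f:
            value = f.read().strip()
        if not value:
            raise ConfigError(f"{key}_path points at an empty file: {path}")
        return value
    return inline


def check_no_inline_secrets(config: Dict[str, Any]) -> List[str]:
    """Return the dotted keys holding in-line secrets; empty means compliant.

    Mirrors the policy of `--no-secrets-in-config`: any listed key present
    with a value is a violation, whether or not a `_path` companion exists.
    """
    return [k for k in INLINE_SECRET_KEYS if _lookup(config, k) is not None]


def demo() -> Dict[str, Any]:
    """Run both checks over constructed configs; returns results for tests."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as f:
        f.write("constructed-macaroon-secret\n")  # constructed sample secret
        key_file = f.name
    try:
        # Compliant config: the secret lives in a file, not in the YAML.
        good = {"server_name": "example.test",
                "macaroon_secret_key_path": key_file,
                "redis": {"enabled": True}}
        # Non-compliant config: two in-line secrets, one of them nested.
        bad = {"server_name": "example.test",
               "macaroon_secret_key": "inline-secret",
               "redis": {"enabled": True, "password": "hunter2"}}
        return {
            "resolved": resolve_secret(good, "macaroon_secret_key"),
            "good_violations": check_no_inline_secrets(good),
            "bad_violations": check_no_inline_secrets(bad),
        }
    finally:
        os.unlink(key_file)


if __name__ == "__main__":
    print(demo())
```

Running the block resolves the file-backed macaroon secret for the compliant config and reports `macaroon_secret_key` and `redis.password` for the non-compliant one. The policy check is deliberately one-directional, in the spirit of the commit message's reasoning: there is no setting that re-allows in-line secrets once the check is on.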