Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Add config option turn_shared_secret_path #17690

Merged
merged 2 commits into from
Sep 10, 2024
Merged

Add config option turn_shared_secret_path #17690

merged 2 commits into from
Sep 10, 2024

Conversation

V02460
Copy link
Contributor

@V02460 V02460 commented Sep 10, 2024

Add the config option turn_shared_secret_path and accompanying docs. The config allows Synapse to read the TURN shared secret from a file. The code was shamelessly adapted from the implementation of registration_shared_secret_path.

Reading secrets from files has the security advantage of separating the secrets from the config. It also simplifies secrets management in Kubernetes.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct
    (run the linters)

@V02460 V02460 requested a review from a team as a code owner September 10, 2024 16:33
@github-actions github-actions bot deployed to PR Documentation Preview September 10, 2024 16:34 Active
anoadragon453
anoadragon453 approved these changes Sep 10, 2024
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thanks!

(This will also be useful to NixOS users 😊)

@anoadragon453 anoadragon453 enabled auto-merge (squash) September 10, 2024 17:05
@github-actions github-actions bot deployed to PR Documentation Preview September 10, 2024 17:06 Active
@anoadragon453 anoadragon453 merged commit e06e3c4 into element-hq:develop Sep 10, 2024
41 checks passed
devonh pushed a commit that referenced this pull request Feb 25, 2025
@V02460
Add --no-secrets-in-config command line option (#18092)
2159b38 
Adds the `--no-secrets-in-config` command line option that makes Synapse
reject all configurations containing keys with in-line secret values.
Currently this rejects

- `turn_shared_secret`
- `registration_shared_secret`
- `macaroon_secret_key`
- `recaptcha_private_key`
- `recaptcha_public_key`
- `experimental_features.msc3861.client_secret`
- `experimental_features.msc3861.jwk`
- `experimental_features.msc3861.admin_token`
- `form_secret`
- `redis.password`
- `worker_replication_secret`

> [!TIP]
> Hey, you! Yes, you! 😊 If you think this list is missing an item,
please leave a comment below. Thanks :)

This PR complements my other PRs[^1] that add the corresponding `_path`
variants for this class of config options. It enables admins to enforce
a policy of no secrets in configuration files and guards against
accident and malice.

Because I consider the flag `--no-secrets-in-config` to be
security-relevant, I did not add a corresponding `--secrets-in-config`
flag; this way, if Synapse command line options are appended at various
places, there is no way to weaken the once-set setting with a succeeding
flag.

[^1]: [#17690](#17690),
[#17717](#17717),
[#17983](#17983),
[#17984](#17984),
[#18004](#18004),
[#18090](#18090)


### Pull Request Checklist

<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->

* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
  - Use markdown where necessary, mostly for `code blocks`.
  - End with either a period (.) or an exclamation mark (!).
  - Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html) is
correct
(run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@anoadragon453 anoadragon453 anoadragon453 approved these changes

Assignees
No one assigned
Labels
A-Config
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@V02460 @anoadragon453 @MadLittleMods