authorV02460 <git@kaialexhiller.de>2024-12-17 01:01:33 +0100
committerGitHub <noreply@github.com>2024-12-16 18:01:33 -0600
commit57bf44941e52f09dc7ea21acdbe20633b7449f5a (patch)
treed27643103f2f20f06f62380ba60c357a4f075598 /synapse/config/key.py
parentAdd `last_seen_ts` to query user example (#17976) (diff)
Add `macaroon_secret_key_path` config option (#17983)
Another config option on my quest for a `*_path` variant for every
secret. This time it’s `macaroon_secret_key_path`.

Reading secrets from files has the security advantage of separating the secrets from the config. It also simplifies secrets management in Kubernetes. Also useful to NixOS users.
Diffstat (limited to 'synapse/config/key.py')
-rw-r--r--synapse/config/key.py21
1 files changed, 16 insertions, 5 deletions
diff --git a/synapse/config/key.py b/synapse/config/key.py

index bc96888967..01aae09c13 100644
--- a/synapse/config/key.py
+++ b/synapse/config/key.py
@@ -43,7 +43,7 @@ from unpaddedbase64 import decode_base64
 from synapse.types import JsonDict
 from synapse.util.stringutils import random_string, random_string_with_symbols
-from ._base import Config, ConfigError
+from ._base import Config, ConfigError, read_file
 if TYPE_CHECKING:
     from signedjson.key import VerifyKeyWithExpiry
@@ -91,6 +91,11 @@ To suppress this warning and continue using 'matrix.org', admins should set
 'suppress_key_server_warning' to 'true' in homeserver.yaml.
 --------------------------------------------------------------------------------"""
+CONFLICTING_MACAROON_SECRET_KEY_OPTS_ERROR = """\
+Conflicting options 'macaroon_secret_key' and 'macaroon_secret_key_path' are
+both defined in config file.
+"""
+
 logger = logging.getLogger(__name__)
@@ -166,10 +171,16 @@ class KeyConfig(Config):
             )
         )
-        macaroon_secret_key: Optional[str] = config.get(
-            "macaroon_secret_key", self.root.registration.registration_shared_secret
-        )
-
+        macaroon_secret_key = config.get("macaroon_secret_key")
+        macaroon_secret_key_path = config.get("macaroon_secret_key_path")
+        if macaroon_secret_key_path:
+            if macaroon_secret_key:
+                raise ConfigError(CONFLICTING_MACAROON_SECRET_KEY_OPTS_ERROR)
+            macaroon_secret_key = read_file(
+                macaroon_secret_key_path, "macaroon_secret_key_path"
+            ).strip()
+        if not macaroon_secret_key:
+            macaroon_secret_key = self.root.registration.registration_shared_secret
         if not macaroon_secret_key:
             # Unfortunately, there are people out there that don't have this
             # set. Lets just be "nice" and derive one from their secret key.
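Review bot: An empty or whitespace-only file at `macaroon_secret_key_path` is not rejected in the third hunk: `read_file(...).strip()` yields "" and the following `if not macaroon_secret_key:` silently falls back to `registration_shared_secret`, and then to a key derived from the signing key, so an operator who deliberately moved the secret into a file ends up running with a different macaroon secret than the one they believe they configured. The conflict check just above has the same truthiness gap, since `macaroon_secret_key: ""` alongside a path does not raise. I would fail fast right after the read, `if not macaroon_secret_key: raise ConfigError("'macaroon_secret_key_path' points to an empty file")`, and test the conflicting option with `is not None` instead of truthiness. Whether read_file itself rejects an empty file is not visible in this diff, so that assumption should be confirmed against its implementation. The enclosing KeyConfig method starts before the hunk and continues past it.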
@@ -43,7 +43,7 @@ from unpaddedbase64 import decode_base64 from synapse.types import JsonDict from synapse.util.stringutils import random_string, random_string_with_symbols -from ._base import Config, ConfigError +from ._base import Config, ConfigError, read_file if TYPE_CHECKING: from signedjson.key import VerifyKeyWithExpiry @@ -91,6 +91,11 @@ To suppress this warning and continue using 'matrix.org', admins should set 'suppress_key_server_warning' to 'true' in homeserver.yaml. --------------------------------------------------------------------------------""" +CONFLICTING_MACAROON_SECRET_KEY_OPTS_ERROR = """\ +Conflicting options 'macaroon_secret_key' and 'macaroon_secret_key_path' are +both defined in config file. +""" + logger = logging.getLogger(__name__) @@ -166,10 +171,16 @@ class KeyConfig(Config): ) ) - macaroon_secret_key: Optional[str] = config.get( - "macaroon_secret_key", self.root.registration.registration_shared_secret - ) - + macaroon_secret_key = config.get("macaroon_secret_key") + macaroon_secret_key_path = config.get("macaroon_secret_key_path") + if macaroon_secret_key_path: + if macaroon_secret_key: + raise ConfigError(CONFLICTING_MACAROON_SECRET_KEY_OPTS_ERROR) + macaroon_secret_key = read_file( + macaroon_secret_key_path, "macaroon_secret_key_path" + ).strip() + if not macaroon_secret_key: + macaroon_secret_key = self.root.registration.registration_shared_secret if not macaroon_secret_key: # Unfortunately, there are people out there that don't have this # set. Lets just be "nice" and derive one from their secret key.