summary refs log tree commit diff
path: root/tests/config/test_load.py
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--tests/config/test_load.py194
1 files changed, 186 insertions, 8 deletions
diff --git a/tests/config/test_load.py b/tests/config/test_load.py

index 479d2aab91..e06a961b16 100644
--- a/tests/config/test_load.py
+++ b/tests/config/test_load.py
@@ -19,17 +19,33 @@
 # [This file includes modifications made by New Vector Limited]
 #
 #
+import tempfile
+from typing import Callable
+from unittest import mock
+
 import yaml
+from parameterized import parameterized
 
 from synapse.config import ConfigError
+from synapse.config._base import RootConfig
 from synapse.config.homeserver import HomeServerConfig
 
 from tests.config.utils import ConfigFileTestCase
 
+try:
+    import authlib
+except ImportError:
+    authlib = None
+
+try:
+    import hiredis
+except ImportError:
+    hiredis = None  # type: ignore
+
 
 class ConfigLoadingFileTestCase(ConfigFileTestCase):
     def test_load_fails_if_server_name_missing(self) -> None:
-        self.generate_config_and_remove_lines_containing("server_name")
+        self.generate_config_and_remove_lines_containing(["server_name"])
         with self.assertRaises(ConfigError):
             HomeServerConfig.load_config("", ["-c", self.config_file])
         with self.assertRaises(ConfigError):
@@ -66,7 +82,7 @@ class ConfigLoadingFileTestCase(ConfigFileTestCase):
             )
 
     def test_load_succeeds_if_macaroon_secret_key_missing(self) -> None:
-        self.generate_config_and_remove_lines_containing("macaroon")
+        self.generate_config_and_remove_lines_containing(["macaroon"])
         config1 = HomeServerConfig.load_config("", ["-c", self.config_file])
         config2 = HomeServerConfig.load_config("", ["-c", self.config_file])
         config3 = HomeServerConfig.load_or_generate_config("", ["-c", self.config_file])
@@ -101,18 +117,180 @@ class ConfigLoadingFileTestCase(ConfigFileTestCase):
         self.assertTrue(config3.registration.enable_registration)
 
     def test_stats_enabled(self) -> None:
-        self.generate_config_and_remove_lines_containing("enable_metrics")
+        self.generate_config_and_remove_lines_containing(["enable_metrics"])
         self.add_lines_to_config(["enable_metrics: true"])
 
         # The default Metrics Flags are off by default.
         config = HomeServerConfig.load_config("", ["-c", self.config_file])
         self.assertFalse(config.metrics.metrics_flags.known_servers)
 
-    def test_depreciated_identity_server_flag_throws_error(self) -> None:
+    @parameterized.expand(
+        [
+            "turn_shared_secret_path: /does/not/exist",
+            "registration_shared_secret_path: /does/not/exist",
+            "macaroon_secret_key_path: /does/not/exist",
+            "form_secret_path: /does/not/exist",
+            "worker_replication_secret_path: /does/not/exist",
+            "experimental_features:\n  msc3861:\n    client_secret_path: /does/not/exist",
+            "experimental_features:\n  msc3861:\n    admin_token_path: /does/not/exist",
+            *["redis:\n  enabled: true\n  password_path: /does/not/exist"]
+            * (hiredis is not None),
+        ]
+    )
+    def test_secret_files_missing(self, config_str: str) -> None:
         self.generate_config()
-        # Needed to ensure that actual key/value pair added below don't end up on a line with a comment
-        self.add_lines_to_config([" "])
-        # Check that presence of "trust_identity_server_for_password" throws config error
-        self.add_lines_to_config(["trust_identity_server_for_password_resets: true"])
+        self.add_lines_to_config(["", config_str])
+
         with self.assertRaises(ConfigError):
             HomeServerConfig.load_config("", ["-c", self.config_file])
+
+    @parameterized.expand(
+        [
+            (
+                "turn_shared_secret_path: {}",
+                lambda c: c.voip.turn_shared_secret.encode("utf-8"),
+            ),
+            (
+                "registration_shared_secret_path: {}",
+                lambda c: c.registration.registration_shared_secret.encode("utf-8"),
+            ),
+            (
+                "macaroon_secret_key_path: {}",
+                lambda c: c.key.macaroon_secret_key,
+            ),
+            (
+                "form_secret_path: {}",
+                lambda c: c.key.form_secret.encode("utf-8"),
+            ),
+            (
+                "worker_replication_secret_path: {}",
+                lambda c: c.worker.worker_replication_secret.encode("utf-8"),
+            ),
+            (
+                "experimental_features:\n  msc3861:\n    client_secret_path: {}",
+                lambda c: c.experimental.msc3861.client_secret().encode("utf-8"),
+            ),
+            (
+                "experimental_features:\n  msc3861:\n    admin_token_path: {}",
+                lambda c: c.experimental.msc3861.admin_token().encode("utf-8"),
+            ),
+            *[
+                (
+                    "redis:\n  enabled: true\n  password_path: {}",
+                    lambda c: c.redis.redis_password.encode("utf-8"),
+                )
+            ]
+            * (hiredis is not None),
+        ]
+    )
+    def test_secret_files_existing(
+        self, config_line: str, get_secret: Callable[[RootConfig], str]
+    ) -> None:
+        self.generate_config_and_remove_lines_containing(
+            ["form_secret", "macaroon_secret_key", "registration_shared_secret"]
+        )
+        with tempfile.NamedTemporaryFile(buffering=0) as secret_file:
+            secret_file.write(b"53C237")
+
+            self.add_lines_to_config(["", config_line.format(secret_file.name)])
+            config = HomeServerConfig.load_config("", ["-c", self.config_file])
+
+            self.assertEqual(get_secret(config), b"53C237")
+
+    @parameterized.expand(
+        [
+            "turn_shared_secret: 53C237",
+            "registration_shared_secret: 53C237",
+            "macaroon_secret_key: 53C237",
+            "recaptcha_private_key: 53C237",
+            "recaptcha_public_key: ¬53C237",
+            "form_secret: 53C237",
+            "worker_replication_secret: 53C237",
+            *[
+                "experimental_features:\n"
+                "  msc3861:\n"
+                "    enabled: true\n"
+                "    client_secret: 53C237"
+            ]
+            * (authlib is not None),
+            *[
+                "experimental_features:\n"
+                "  msc3861:\n"
+                "    enabled: true\n"
+                "    client_auth_method: private_key_jwt\n"
+                '    jwk: {{"mock": "mock"}}'
+            ]
+            * (authlib is not None),
+            *[
+                "experimental_features:\n"
+                "  msc3861:\n"
+                "    enabled: true\n"
+                "    admin_token: 53C237\n"
+                "    client_secret_path: {secret_file}"
+            ]
+            * (authlib is not None),
+            *["redis:\n  enabled: true\n  password: 53C237"] * (hiredis is not None),
+        ]
+    )
+    def test_no_secrets_in_config(self, config_line: str) -> None:
+        if authlib is not None:
+            patcher = mock.patch("authlib.jose.rfc7517.JsonWebKey.import_key")
+            self.addCleanup(patcher.stop)
+            patcher.start()
+
+        with tempfile.NamedTemporaryFile(buffering=0) as secret_file:
+            # Only used for less mocking with admin_token
+            secret_file.write(b"53C237")
+
+            self.generate_config_and_remove_lines_containing(
+                ["form_secret", "macaroon_secret_key", "registration_shared_secret"]
+            )
+            # Check strict mode with no offenders.
+            HomeServerConfig.load_config(
+                "", ["-c", self.config_file, "--no-secrets-in-config"]
+            )
+            self.add_lines_to_config(
+                ["", config_line.format(secret_file=secret_file.name)]
+            )
+            # Check strict mode with a single offender.
+            with self.assertRaises(ConfigError):
+                HomeServerConfig.load_config(
+                    "", ["-c", self.config_file, "--no-secrets-in-config"]
+                )
+
+            # Check lenient mode with a single offender.
+            HomeServerConfig.load_config("", ["-c", self.config_file])
+
+    def test_no_secrets_in_config_but_in_files(self) -> None:
+        with tempfile.NamedTemporaryFile(buffering=0) as secret_file:
+            secret_file.write(b"53C237")
+
+            self.generate_config_and_remove_lines_containing(
+                ["form_secret", "macaroon_secret_key", "registration_shared_secret"]
+            )
+            self.add_lines_to_config(
+                [
+                    "",
+                    f"turn_shared_secret_path: {secret_file.name}",
+                    f"registration_shared_secret_path: {secret_file.name}",
+                    f"macaroon_secret_key_path: {secret_file.name}",
+                    f"recaptcha_private_key_path: {secret_file.name}",
+                    f"recaptcha_public_key_path: {secret_file.name}",
+                    f"form_secret_path: {secret_file.name}",
+                    f"worker_replication_secret_path: {secret_file.name}",
+                    *[
+                        "experimental_features:\n"
+                        "  msc3861:\n"
+                        "    enabled: true\n"
+                        f"    admin_token_path: {secret_file.name}\n"
+                        f"    client_secret_path: {secret_file.name}\n"
+                        # f"    jwk_path: {secret_file.name}"
+                    ]
+                    * (authlib is not None),
+                    *[f"redis:\n  enabled: true\n  password_path: {secret_file.name}"]
+                    * (hiredis is not None),
+                ]
+            )
+            HomeServerConfig.load_config(
+                "", ["-c", self.config_file, "--no-secrets-in-config"]
+            )
generated by cgit-magenta 1.5.1 (git 2.48.1) at 2025-07-29 20:12:14 +0000