Generate shared secrets if not defined in the environment

1 files changed, 11 insertions, 4 deletions

diff --git a/contrib/docker/start.py b/contrib/docker/start.py
index e50d23be5f..7057f85f61 100755
--- a/contrib/docker/start.py
+++ b/contrib/docker/start.py
@@ -5,10 +5,11 @@ import os
 import sys
 import subprocess
 
-convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
+convert = lambda src, dst, environ: open(dst, "w").write(jinja2.Template(open(src).read()).render(**environ))
 mode = sys.argv[1] if len(sys.argv) > 1 else None
+environ = os.environ.copy()
 
-if "SYNAPSE_SERVER_NAME" not in os.environ:
+if "SYNAPSE_SERVER_NAME" not in environ:
     print("Environment variable SYNAPSE_SERVER_NAME is mandatory, exiting.")
     sys.exit(2)
 
@@ -17,10 +18,16 @@ args = ["python", "-m", "synapse.app.homeserver",
         "--report-stats", os.environ.get("SYNAPSE_REPORT_STATS", "no"),
         "--config-path", os.environ.get("SYNAPSE_CONFIG_PATH", "/compiled/homeserver.yaml")]
 
+# Generate any missing shared secret
+for secret in ("SYNAPSE_REGISTRATION_SHARED_SECRET", "SYNAPSE_MACAROON_SECRET_KEY"):
+    if secret not in environ:
+        print("Generating a random secret for {}".format(secret))
+        environ[secret] = os.urandom(32).encode("hex")
+
 # Parse the configuration file
 if not os.path.exists("/compiled"): os.mkdir("/compiled")
-convert("/conf/homeserver.yaml", "/compiled/homeserver.yaml")
-convert("/conf/log.config", "/compiled/%s.log.config" % os.environ.get("SYNAPSE_SERVER_NAME"))
+convert("/conf/homeserver.yaml", "/compiled/homeserver.yaml", environ)
+convert("/conf/log.config", "/compiled/%s.log.config" % environ.get("SYNAPSE_SERVER_NAME"), environ)
 
 # In generate mode, generate a configuration, missing keys, then exit
 if mode == "generate":