Add form_secret_path config option

element-hq · Jan 15, 2025 · 9441339 · 9441339
1 parent 39bd6e2
commit 9441339
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 1 deletion.
diff --git a/changelog.d/18090.feature b/changelog.d/18090.feature
@@ -0,0 +1 @@
+Add `form_secret_path` config option.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
@@ -3120,6 +3120,22 @@ Example configuration:
 ```yaml
 form_secret: <PRIVATE STRING>
 ```
+---
+### `form_secret_path`
+
+An alternative to [`form_secret`](#form_secret):
+allows the secret to be specified in an external file.
+
+The file should be a plain text file, containing only the secret.
+Synapse reads the secret from the given file once at startup.
+
+Example configuration:
+```yaml
+form_secret_path: /path/to/secrets/file
+```
+
+_Added in Synapse 1.123.0._
+
 ---
 ## Signing Keys
 Config options relating to signing keys

diff --git a/synapse/config/key.py b/synapse/config/key.py
@@ -96,6 +96,11 @@
 both defined in config file.
 """
 
+CONFLICTING_FORM_SECRET_OPTS_ERROR = """\
+Conflicting options 'form_secret' and 'form_secret_path' are both defined in
+config file.
+"""
+
 logger = logging.getLogger(__name__)
 
 
@@ -193,6 +198,11 @@ def read_config(
         # a secret which is used to calculate HMACs for form values, to stop
         # falsification of values
         self.form_secret = config.get("form_secret", None)
+        form_secret_path = config.get("form_secret_path", None)
+        if form_secret_path:
+            if self.form_secret:
+                raise ConfigError(CONFLICTING_FORM_SECRET_OPTS_ERROR)
+            self.form_secret = read_file(form_secret_path, "form_secret_path").strip()
 
     def generate_config_section(
         self,

diff --git a/tests/config/test_load.py b/tests/config/test_load.py
@@ -132,6 +132,7 @@ def test_depreciated_identity_server_flag_throws_error(self) -> None:
             "turn_shared_secret_path: /does/not/exist",
             "registration_shared_secret_path: /does/not/exist",
             "macaroon_secret_key_path: /does/not/exist",
+            "form_secret_path: /does/not/exist",
             *["redis:\n  enabled: true\n  password_path: /does/not/exist"]
             * (hiredis is not None),
         ]
@@ -157,6 +158,10 @@ def test_secret_files_missing(self, config_str: str) -> None:
                 "macaroon_secret_key_path: {}",
                 lambda c: c.key.macaroon_secret_key,
             ),
+            (
+                "form_secret_path: {}",
+                lambda c: c.key.form_secret.encode("utf-8"),
+            ),
             *[
                 (
                     "redis:\n  enabled: true\n  password_path: {}",
@@ -170,7 +175,7 @@ def test_secret_files_existing(
         self, config_line: str, get_secret: Callable[[RootConfig], str]
     ) -> None:
         self.generate_config_and_remove_lines_containing(
-            ["registration_shared_secret", "macaroon_secret_key"]
+            ["form_secret", "macaroon_secret_key", "registration_shared_secret"]
         )
         with tempfile.NamedTemporaryFile(buffering=0) as secret_file:
             secret_file.write(b"53C237")