From e5f908e56e4066180dd3dff49048145876eaa66f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Tue, 12 Nov 2019 21:59:46 +0100
Subject: [PATCH] Let's manage the macaroon secret with the package
---
 scripts/config | 9 +++++++++
 scripts/install | 3 +++
 scripts/upgrade | 10 ++++++++++
 3 files changed, 22 insertions(+)
diff --git a/scripts/config b/scripts/config
index e648149..bbfe181 100644
--- a/scripts/config
+++ b/scripts/config
@@ -111,6 +111,15 @@ apply_config() {
 ynh_replace_string --match_string __FORM_SECRET__ --replace_string "$form_secret" --target_file "$homeserver_config_path"
 ynh_replace_string --match_string __REPORT_STATS__ --replace_string "$report_stats" --target_file "$homeserver_config_path"
 ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
+ if [ -n $macaroon_secret_key ]; then
+ # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
+ # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
+ # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
+ # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
+ ynh_replace_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+ else
+ ynh_replace_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+ fi
 if [ "$is_public" = "0" ]
 then
diff --git a/scripts/install b/scripts/install
index 5043327..f11091a 100644
--- a/scripts/install
+++ b/scripts/install
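Review bot: The branch that writes the stored secret is unreachable: with `$macaroon_secret_key` unquoted, `[ -n $macaroon_secret_key ]` collapses to the one-argument test `[ -n ]` when the setting is empty (true, since the literal `-n` is a non-empty string) and is also true when the setting holds a value, so the `then` branch always comments the line out and a freshly generated key is never written into the homeserver config. The test is also the wrong way round for the intent the comments state (keep the derived key only when no value is stored); the line should read `if [ -z "$macaroon_secret_key" ]; then`. With that one change the `else` branch becomes the new-install path and the comment-out becomes the old-install path, which is what the four comment lines describe. apply_config() starts before this hunk, so where `$macaroon_secret_key` is populated for this function is not visible here.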
@@ -222,10 +222,12 @@ deactivate
 ynh_print_OFF
 registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
 form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f2)
+macaroon_secret_key=$(egrep "^macaroon_secret_key" homeserver.yml | cut -d'"' -f2)
 # store in yunohost settings
 ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
 ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
+ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secret_key"
 ynh_print_ON
 #=================================================
@@ -282,6 +284,7 @@ ynh_replace_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_d
 ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
 ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
 ynh_replace_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
+ynh_replace_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
 ynh_print_ON
 ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
diff --git a/scripts/upgrade b/scripts/upgrade
index f832d9d..574956b 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -35,6 +35,7 @@ synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
 turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
 registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
 form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
+macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
 ynh_print_ON
 #=================================================
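Review bot: Nothing checks that the `egrep ... | cut -d'"' -f2` pipeline actually found a double-quoted `macaroon_secret_key` line in the generated homeserver.yml; if the line is absent or formatted differently, an empty string is silently stored as the app setting and later substituted into the config as `macaroon_secret_key: ""`, which is a worse outcome than the derived key this commit is moving away from. Add a guard right after the assignment, e.g. `[ -n "$macaroon_secret_key" ] || ynh_die --message="macaroon_secret_key not found in generated homeserver.yml"` (or whichever abort helper this package uses), since install time is the only point where a bad value can still be rejected without consequences. The two existing secrets are read the same way and would benefit from the same guard, but this hunk is the one adding a third.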
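Review bot: The new placeholder substitution uses `ynh_replace_string`, whereas the two lines above it in the same hunk substitute __TURNPWD__ and __REGISTRATION_SECRET__ with `ynh_replace_special_string`; if the generated key can contain characters the plain helper does not escape for sed (the reason the special variant exists for the other secrets, as far as this hunk shows), the substitution will corrupt the config or fail. Unless the generated value is known to be restricted to a safe alphabet, use `ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"` here and in the matching upgrade/config blocks for consistency.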
@@ -212,6 +213,15 @@ ynh_replace_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_d
 ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
 ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
 ynh_replace_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
+if [ -n $macaroon_secret_key ]; then
+ # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
+ # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
+ # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
+ # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
+ ynh_replace_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+else
+ ynh_replace_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+fi
 ynh_print_ON
 ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
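Review bot: Same logic error as in scripts/config: `[ -n $macaroon_secret_key ]` is true both when the setting is empty (it degrades to the one-argument test `[ -n ]`) and when it holds a value, so the `else` branch is dead and an install that stored a real key gets it commented out again every time the config is regenerated on upgrade; the intent in the comments calls for `if [ -z "$macaroon_secret_key" ]; then`. Once the test is fixed, the empty-value path is the one that knowingly leaves an existing server on the derived key described in the linked CVE-2019-5885 advisory, so it deserves a visible warning through the package's print helpers telling the admin that rotating the key is possible but will log every user out, as the comment itself explains. This block and its four comment lines are an exact copy of the one added to apply_config() in scripts/config; keeping a single copy there would stop the two from drifting.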