From fb27576deb5ea4897cfdd1d91a027ba620653440 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Mon, 23 Sep 2019 16:14:56 +0100 Subject: [PATCH 01/10] Explicitly log when a homeserver does not have the 'trusted_key_servers' config field configured. --- changelog.d/6090.doc | 1 + synapse/config/key.py | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 changelog.d/6090.doc diff --git a/changelog.d/6090.doc b/changelog.d/6090.doc new file mode 100644 index 000000000000..a6da448a1a7a --- /dev/null +++ b/changelog.d/6090.doc @@ -0,0 +1 @@ +Explicitly log when a homeserver does not have the 'trusted_key_servers' config field configured. diff --git a/synapse/config/key.py b/synapse/config/key.py index ba2199bcebea..53f9c81ca00b 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -95,6 +95,24 @@ def read_config(self, config, config_dir_path, **kwargs): # if neither trusted_key_servers nor perspectives are given, use the default. if "perspectives" not in config and "trusted_key_servers" not in config: + logger.warn( + """ + Synapse requires that a notary homeserver is configured to + verify keys of other servers in the federation. This homeserver + does not have a notary server configured in homeserver.yaml and + will fall back to the default of 'matrix.org'. + + Notary servers should be long lived, stable and trusted which + makes matrix.org a good choice for many admins, but some may + wish to choose another. To suppress this warning, the admin + should set 'trusted_key_servers' in homeserver.yaml to their + desired notary server. + + In a future release the software defined default will be + removed entirely and the notary server will be defined + exclusively by the value of 'trust_key_servers'. + """ + ) key_servers = [{"server_name": "matrix.org"}] else: key_servers = config.get("trusted_key_servers", []) From ccd9b8f59b1161f57f8991df518694a8fb28cb99 Mon Sep 17 00:00:00 2001 
From: Neil Johnson Date: Mon, 23 Sep 2019 17:53:07 +0100 Subject: [PATCH 02/10] add further warning for setting trusted_key_servers --- docs/sample_config.yaml | 13 +++++++---- synapse/config/key.py | 52 +++++++++++++++++++++++++++++------------ 2 files changed, 45 insertions(+), 20 deletions(-) diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index 61d9f09a9966..6c92edae5ec9 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml @@ -1084,12 +1084,15 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key" # verify_keys: # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # - server_name: "my_other_trusted_server.example.com" + +trusted_key_servers: + - server_name: "matrix.org" + +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start up to suppress this warning set 'suppress_key_server_warning' +# to True. # -# The default configuration is: -# -#trusted_key_servers: -# - server_name: "matrix.org" -# +#suppress_key_server_warning: True # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. diff --git a/synapse/config/key.py b/synapse/config/key.py index 53f9c81ca00b..f1e80fb03e6c 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -84,7 +84,7 @@ def read_config(self, config, config_dir_path, **kwargs): self.key_refresh_interval = self.parse_duration( config.get("key_refresh_interval", "1d") ) - + suppress_key_server_warning = config.get("suppress_key_server_warning", False) key_server_signing_keys_path = config.get("key_server_signing_keys_path") if key_server_signing_keys_path: self.key_server_signing_keys = self.read_signing_keys( 
@@ -97,25 +97,44 @@ def read_config(self, config, config_dir_path, **kwargs): if "perspectives" not in config and "trusted_key_servers" not in config: logger.warn( """ - Synapse requires that a notary homeserver is configured to - verify keys of other servers in the federation. This homeserver - does not have a notary server configured in homeserver.yaml and - will fall back to the default of 'matrix.org'. + Synapse requires that a list of trusted key servers are + specified in order to provide signing keys for other servers in + the federation. + + This homeserver does not have a trusted key server configured in + homeserver.yaml and will fall back to the default of + 'matrix.org'. - Notary servers should be long lived, stable and trusted which - makes matrix.org a good choice for many admins, but some may + Trusted key servers should be long lived and stable which + makes matrix.org a good choice for many admins, but some admins may wish to choose another. To suppress this warning, the admin should set 'trusted_key_servers' in homeserver.yaml to their - desired notary server. + desired key server. In a future release the software defined default will be - removed entirely and the notary server will be defined - exclusively by the value of 'trust_key_servers'. + removed entirely and the trusted key server will be defined + exclusively by the value of 'trusted_key_servers'. """ ) key_servers = [{"server_name": "matrix.org"}] else: key_servers = config.get("trusted_key_servers", []) + for server in key_servers: + if server['server_name'] == 'matrix.org' and not suppress_key_server_warning: + logger.warn( + """ + This server is configured to use 'matrix.org' as its + trusted key server via the 'trusted_key_servers' config + option. 'Matrix.org' is a good choice for a key server + since it is long lived, stable and trusted. However, some + admins may wish to use another server for this purpose. 
+ + To suppress this warning and continue using + 'matrix.org', admins should set + 'suppress_key_server_warning' to 'True' in + homeserver.yaml. + """ + ) if not isinstance(key_servers, list): raise ConfigError( @@ -231,13 +250,16 @@ def generate_config_section( # verify_keys: # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # - server_name: "my_other_trusted_server.example.com" + + trusted_key_servers: + - server_name: "matrix.org" + + # 'trusted_key_servers' defaults to matrix.org, but using it will generate a + # warning on start up to suppress this warning set 'suppress_key_server_warning' + # to True. # - # The default configuration is: - # - #trusted_key_servers: - # - server_name: "matrix.org" + #suppress_key_server_warning: True # - # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. # From 1759f8f3e591593244a2785994e14288bbc2f85e Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Mon, 23 Sep 2019 17:59:59 +0100 Subject: [PATCH 03/10] update sample config --- docs/sample_config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index 6c92edae5ec9..121025b537c5 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml @@ -1086,14 +1086,14 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key" # - server_name: "my_other_trusted_server.example.com" trusted_key_servers: - - server_name: "matrix.org" +- server_name: "matrix.org" # 'trusted_key_servers' defaults to matrix.org, but using it will generate a # warning on start up to suppress this warning set 'suppress_key_server_warning' # to True. # #suppress_key_server_warning: True - +# # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. # From 890bd6b66f00b4efbc4a30941a5827a9953292df Mon Sep 17 00:00:00 2001 
From: Neil Johnson Date: Mon, 23 Sep 2019 18:01:16 +0100 Subject: [PATCH 04/10] black --- synapse/config/key.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/synapse/config/key.py b/synapse/config/key.py index f1e80fb03e6c..e6133faf779d 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -120,7 +120,10 @@ def read_config(self, config, config_dir_path, **kwargs): else: key_servers = config.get("trusted_key_servers", []) for server in key_servers: - if server['server_name'] == 'matrix.org' and not suppress_key_server_warning: + if ( + server["server_name"] == "matrix.org" + and not suppress_key_server_warning + ): logger.warn( """ This server is configured to use 'matrix.org' as its From 13f6a879914b847509dc437ae6e68d46cc7306df Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 25 Sep 2019 10:26:36 +0100 Subject: [PATCH 05/10] improve clarity --- synapse/config/key.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/config/key.py b/synapse/config/key.py index e6133faf779d..e581cff1ab9a 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -109,7 +109,7 @@ def read_config(self, config, config_dir_path, **kwargs): makes matrix.org a good choice for many admins, but some admins may wish to choose another. To suppress this warning, the admin should set 'trusted_key_servers' in homeserver.yaml to their - desired key server. + desired key server and 'suppress_key_server_warning' to 'True'. In a future release the software defined default will be removed entirely and the trusted key server will be defined From 5871b6e34739a8f740a5b0b988ba13256c39f50e Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 25 Sep 2019 13:27:38 +0100 Subject: [PATCH 06/10] Apply suggestions from code review Clarity Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- synapse/config/key.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/synapse/config/key.py b/synapse/config/key.py index e581cff1ab9a..1d253328ff55 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -105,13 +105,13 @@ def read_config(self, config, config_dir_path, **kwargs): homeserver.yaml and will fall back to the default of 'matrix.org'. - Trusted key servers should be long lived and stable which + Trusted key servers should be long-lived and stable which makes matrix.org a good choice for many admins, but some admins may wish to choose another. To suppress this warning, the admin should set 'trusted_key_servers' in homeserver.yaml to their - desired key server and 'suppress_key_server_warning' to 'True'. + desired key server and 'suppress_key_server_warning' to 'true'. - In a future release the software defined default will be + In a future release the software-defined default will be removed entirely and the trusted key server will be defined exclusively by the value of 'trusted_key_servers'. """ @@ -128,13 +128,13 @@ def read_config(self, config, config_dir_path, **kwargs): """ This server is configured to use 'matrix.org' as its trusted key server via the 'trusted_key_servers' config - option. 'Matrix.org' is a good choice for a key server - since it is long lived, stable and trusted. However, some + option. 'matrix.org' is a good choice for a key server + since it is long-lived, stable and trusted. However, some admins may wish to use another server for this purpose. To suppress this warning and continue using 'matrix.org', admins should set - 'suppress_key_server_warning' to 'True' in + 'suppress_key_server_warning' to 'true' in homeserver.yaml. """ ) From 5be727ff3e8f5568836397849c2826dc1cf45db9 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 25 Sep 2019 13:46:20 +0100 Subject: [PATCH 07/10] clarity and refactor --- synapse/config/key.py | 88 ++++++++++++++++++++----------------------- 1 file changed, 41 insertions(+), 47 deletions(-) 
diff --git a/synapse/config/key.py b/synapse/config/key.py index 1d253328ff55..10bb989562be 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -50,6 +50,31 @@ If you are *sure* you want to do this, set 'accept_keys_insecurely' on the trusted_key_server configuration.""" +TRUSTED_KEY_SERVER_NOT_CONFIGURED_WARN = """\ +Synapse requires that a list of trusted key servers are specified in order to +provide signing keys for other servers in the federation. + +This homeserver does not have a trusted key server configured in +homeserver.yaml and will fall back to the default of 'matrix.org'. + +Trusted key servers should be long-lived and stable which makes matrix.org a +good choice for many admins, but some admins may wish to choose another. To +suppress this warning, the admin should set 'trusted_key_servers' in +homeserver.yaml to their desired key server and 'suppress_key_server_warning' +to 'true'. + +In a future release the software-defined default will be removed entirely and +the trusted key server will be defined exclusively by the value of +'trusted_key_servers'.""" + +TRUSTED_KEY_SERVER_CONFIGURED_AS_M_ORG_WARN = """\ +This server is configured to use 'matrix.org' as its trusted key server via the +'trusted_key_servers' config option. 'matrix.org' is a good choice for a key +server since it is long-lived, stable and trusted. However, some admins may +wish to use another server for this purpose. + +To suppress this warning and continue using 'matrix.org', admins should set +'suppress_key_server_warning' to 'true' in homeserver.yaml.""" logger = logging.getLogger(__name__) @@ -84,6 +109,7 @@ def read_config(self, config, config_dir_path, **kwargs): self.key_refresh_interval = self.parse_duration( config.get("key_refresh_interval", "1d") ) + suppress_key_server_warning = config.get("suppress_key_server_warning", False) key_server_signing_keys_path = config.get("key_server_signing_keys_path") if key_server_signing_keys_path: 
@@ -95,49 +121,10 @@ def read_config(self, config, config_dir_path, **kwargs): # if neither trusted_key_servers nor perspectives are given, use the default. if "perspectives" not in config and "trusted_key_servers" not in config: - logger.warn( - """ - Synapse requires that a list of trusted key servers are - specified in order to provide signing keys for other servers in - the federation. - - This homeserver does not have a trusted key server configured in - homeserver.yaml and will fall back to the default of - 'matrix.org'. - - Trusted key servers should be long-lived and stable which - makes matrix.org a good choice for many admins, but some admins may - wish to choose another. To suppress this warning, the admin - should set 'trusted_key_servers' in homeserver.yaml to their - desired key server and 'suppress_key_server_warning' to 'true'. - - In a future release the software-defined default will be - removed entirely and the trusted key server will be defined - exclusively by the value of 'trusted_key_servers'. - """ - ) + logger.warn(TRUSTED_KEY_SERVER_NOT_CONFIGURED_WARN) key_servers = [{"server_name": "matrix.org"}] else: key_servers = config.get("trusted_key_servers", []) - for server in key_servers: - if ( - server["server_name"] == "matrix.org" - and not suppress_key_server_warning - ): - logger.warn( - """ - This server is configured to use 'matrix.org' as its - trusted key server via the 'trusted_key_servers' config - option. 'matrix.org' is a good choice for a key server - since it is long-lived, stable and trusted. However, some - admins may wish to use another server for this purpose. - - To suppress this warning and continue using - 'matrix.org', admins should set - 'suppress_key_server_warning' to 'true' in - homeserver.yaml. - """ - ) if not isinstance(key_servers, list): raise ConfigError( 
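Review bot: `logger.warn(TRUSTED_KEY_SERVER_NOT_CONFIGURED_WARN)` on the new side of this hunk calls `Logger.warn`, the deprecated alias that raises a DeprecationWarning on Python 3, so the line should read `logger.warning(TRUSTED_KEY_SERVER_NOT_CONFIGURED_WARN)`. The later hunk in PATCH 09/10 switches only the matrix.org warning to `logger.warning`, leaving this call as the remaining deprecated use in the file. Since this is the only warning an admin gets that federation key verification has silently fallen back to a third-party notary, it is worth making sure it is emitted through the non-deprecated path. read_config starts before and ends after this hunk.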
@@ -145,6 +132,13 @@ def read_config(self, config, config_dir_path, **kwargs): % (type(key_servers).__name__,) ) + for server in key_servers: + if ( + server["server_name"] == "matrix.org" + and not suppress_key_server_warning + ): + logger.warn(TRUSTED_KEY_SERVER_CONFIGURED_AS_M_ORG_WARN) + # merge the 'perspectives' config into the 'trusted_key_servers' config. key_servers.extend(_perspectives_to_key_servers(config)) @@ -230,6 +224,10 @@ def generate_config_section( # This setting supercedes an older setting named `perspectives`. The old format # is still supported for backwards-compatibility, but it is deprecated. # + # 'trusted_key_servers' defaults to matrix.org, but using it will generate a + # warning on start up to suppress this warning set 'suppress_key_server_warning' + # to true. + # # Options for each entry in the list include: # # server_name: the name of the server. required. @@ -253,15 +251,11 @@ def generate_config_section( # verify_keys: # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # - server_name: "my_other_trusted_server.example.com" - + # trusted_key_servers: - - server_name: "matrix.org" - - # 'trusted_key_servers' defaults to matrix.org, but using it will generate a - # warning on start up to suppress this warning set 'suppress_key_server_warning' - # to True. + - server_name: "matrix.org" # - #suppress_key_server_warning: True + #suppress_key_server_warning: true # # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. From bdc578f59ae1ef42c24d214f964d0685c2b20bfd Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 25 Sep 2019 15:55:17 +0100 Subject: [PATCH 08/10] Update sample config --- docs/sample_config.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index 121025b537c5..422c25065eb8 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml 
@@ -1061,6 +1061,10 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key" # This setting supercedes an older setting named `perspectives`. The old format # is still supported for backwards-compatibility, but it is deprecated. # +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start up to suppress this warning set 'suppress_key_server_warning' +# to true. +# # Options for each entry in the list include: # # server_name: the name of the server. required. @@ -1084,15 +1088,11 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key" # verify_keys: # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # - server_name: "my_other_trusted_server.example.com" - +# trusted_key_servers: -- server_name: "matrix.org" - -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start up to suppress this warning set 'suppress_key_server_warning' -# to True. + - server_name: "matrix.org" # -#suppress_key_server_warning: True +#suppress_key_server_warning: true # # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. From e2de7bbaa036f143164505f0072109c20aee0abb Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Thu, 26 Sep 2019 11:46:14 +0100 Subject: [PATCH 09/10] Review comments and warning formatting --- docs/sample_config.yaml | 9 ++++++--- synapse/config/key.py | 27 +++++++++++++++------------ synapse/config/server.py | 16 ++++++++-------- 3 files changed, 29 insertions(+), 23 deletions(-) diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index 422c25065eb8..29c7514f325c 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml 
@@ -1062,8 +1062,8 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key" # is still supported for backwards-compatibility, but it is deprecated. # # 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start up to suppress this warning set 'suppress_key_server_warning' -# to true. +# warning on start-up. To suppress this warning, set +# 'suppress_key_server_warning' to true. # # Options for each entry in the list include: # @@ -1091,9 +1091,12 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key" # trusted_key_servers: - server_name: "matrix.org" + +# Uncomment the following to disable the warning that is emitted when the +# trusted_key_servers include 'matrix.org'. See above. # #suppress_key_server_warning: true -# + # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. # diff --git a/synapse/config/key.py b/synapse/config/key.py index 10bb989562be..f039f96e9c44 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -65,7 +65,8 @@ In a future release the software-defined default will be removed entirely and the trusted key server will be defined exclusively by the value of -'trusted_key_servers'.""" +'trusted_key_servers'. +--------------------------------------------------------------------------------""" TRUSTED_KEY_SERVER_CONFIGURED_AS_M_ORG_WARN = """\ This server is configured to use 'matrix.org' as its trusted key server via the @@ -74,7 +75,8 @@ wish to use another server for this purpose. To suppress this warning and continue using 'matrix.org', admins should set -'suppress_key_server_warning' to 'true' in homeserver.yaml.""" +'suppress_key_server_warning' to 'true' in homeserver.yaml. +--------------------------------------------------------------------------------""" logger = logging.getLogger(__name__) 
@@ -132,16 +134,14 @@ def read_config(self, config, config_dir_path, **kwargs): % (type(key_servers).__name__,) ) - for server in key_servers: - if ( - server["server_name"] == "matrix.org" - and not suppress_key_server_warning - ): - logger.warn(TRUSTED_KEY_SERVER_CONFIGURED_AS_M_ORG_WARN) - # merge the 'perspectives' config into the 'trusted_key_servers' config. key_servers.extend(_perspectives_to_key_servers(config)) + if not suppress_key_server_warning and "matrix.org" in ( + s["server_name"] for s in key_servers + ): + logger.warning(TRUSTED_KEY_SERVER_CONFIGURED_AS_M_ORG_WARN) + # list of TrustedKeyServer objects self.key_servers = list( _parse_key_servers(key_servers, self.federation_verify_certificates) @@ -225,8 +225,8 @@ def generate_config_section( # is still supported for backwards-compatibility, but it is deprecated. # # 'trusted_key_servers' defaults to matrix.org, but using it will generate a - # warning on start up to suppress this warning set 'suppress_key_server_warning' - # to true. + # warning on start-up. To suppress this warning, set + # 'suppress_key_server_warning' to true. # # Options for each entry in the list include: # @@ -254,9 +254,12 @@ def generate_config_section( # trusted_key_servers: - server_name: "matrix.org" + + # Uncomment the following to disable the warning that is emitted when the + # trusted_key_servers include 'matrix.org'. See above. # #suppress_key_server_warning: true - # + # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. # diff --git a/synapse/config/server.py b/synapse/config/server.py index 7f8d315954a4..a52ce30344f0 100644 --- a/synapse/config/server.py +++ b/synapse/config/server.py 
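Review bot: `"matrix.org" in (s["server_name"] for s in key_servers)` indexes every configured entry before `_parse_key_servers` sees it, so an entry that is not a mapping or lacks `server_name` aborts start-up with a bare `KeyError` or `TypeError` from this generator rather than from whatever structured validation the parser on the next lines performs; the `isinstance(key_servers, list)` check above only validates the outer container. A tolerant test such as `isinstance(s, dict) and s.get("server_name") == "matrix.org"` keeps this a warning and leaves validation to the parser. Because the check now runs after `key_servers.extend(_perspectives_to_key_servers(config))`, entries migrated from the legacy `perspectives` section also trigger the warning, which looks intended; a comment such as `# also covers entries migrated from the legacy 'perspectives' section` would make that explicit. read_config starts before and ends after this hunk.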
@@ -48,6 +48,13 @@ "to join this room." ) +METRICS_PORT_WARNING = """\ +The metrics_port configuration option is deprecated in Synapse 0.31 in favour of +a listener. Please see +https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md +on how to configure the new listener. +--------------------------------------------------------------------------------""" + class ServerConfig(Config): def read_config(self, config, **kwargs): @@ -334,14 +341,7 @@ class LimitRemoteRoomsConfig(object): metrics_port = config.get("metrics_port") if metrics_port: - logger.warn( - ( - "The metrics_port configuration option is deprecated in Synapse 0.31 " - "in favour of a listener. Please see " - "http://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md" - " on how to configure the new listener." - ) - ) + logger.warning(METRICS_PORT_WARNING) self.listeners.append( { From 4ab95924f8fca729b89fdd979216e9fef77a91b5 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Thu, 26 Sep 2019 12:20:53 +0100 Subject: [PATCH 10/10] Rename 6090.doc to 6090.feature --- changelog.d/{6090.doc => 6090.feature} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog.d/{6090.doc => 6090.feature} (100%) diff --git a/changelog.d/6090.doc b/changelog.d/6090.feature similarity index 100% rename from changelog.d/6090.doc rename to changelog.d/6090.feature
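Review bot: `METRICS_PORT_WARNING` ends with the same literal 80-dash trailer that `TRUSTED_KEY_SERVER_NOT_CONFIGURED_WARN` and `TRUSTED_KEY_SERVER_CONFIGURED_AS_M_ORG_WARN` in synapse/config/key.py carry in this patch, so three copies of a formatting convention now live in string constants and will drift the first time one is edited. A single shared constant appended at the call site, or a small helper that emits a long config warning with the separator, would keep the three messages uniform. The `read_config` body that the second hunk edits starts before and ends after the hunk, and the `class LimitRemoteRoomsConfig(object):` in its header is only the nearest unindented line, not the enclosing definition.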