From abe4fefda43eda4b4956a41bedd115ebef08a9e3 Mon Sep 17 00:00:00 2001
From: Will Hunt
Date: Thu, 5 Jan 2023 16:25:48 +0000
Subject: [PATCH] Mark encryption as experimental (#610)
* Update config to mark encryption support as experimental
* Mention encryption as experimental in docs
* changelog
* Hide empty values from config
* transmuate snakes into camels
---
 changelog.d/610.misc | 1 +
 config.sample.yml | 5 -----
 docs/advanced/encryption.md | 9 +++++++--
 package.json | 1 -
 src/Config/Config.ts | 15 ++++++++++++---
 src/Config/Defaults.ts | 9 +++++----
 6 files changed, 25 insertions(+), 15 deletions(-)
 create mode 100644 changelog.d/610.misc
diff --git a/changelog.d/610.misc b/changelog.d/610.misc
new file mode 100644
index 00000000..ebdcb896
--- /dev/null
+++ b/changelog.d/610.misc
@@ -0,0 +1 @@
+Mark encryption feature as experimental (config option is now `experimentalEncryption`).
\ No newline at end of file
diff --git a/config.sample.yml b/config.sample.yml
index 383c6476..a16400c6 100644
--- a/config.sample.yml
+++ b/config.sample.yml
@@ -113,11 +113,6 @@ queue:
 monolithic: true
 port: 6379
 host: localhost
-encryption:
- # (Optional) Configuration for encryption support in the bridge.
- # If omitted, encryption support will be disabled.
- #
- storagePath: ./data/encryption
 logging:
 # (Optional) Logging settings. You can have a severity debug,info,warn,error
 #
diff --git a/docs/advanced/encryption.md b/docs/advanced/encryption.md
index e466525e..8db6dae2 100644
--- a/docs/advanced/encryption.md
+++ b/docs/advanced/encryption.md
@@ -1,12 +1,17 @@
 Encryption
-=======
+==========
+
+
+Encryption support is HIGHLY EXPERIMENTAL AND SUBJECT TO CHANGE. It should not be enabled for production workloads.
+For more details, see issue 594.
+
 Hookshot supports end-to-bridge encryption via [MSC3202](https://github.com/matrix-org/matrix-spec-proposals/pull/3202). As such, encryption requires hookshot to be connected to a homeserver that supports that MSC, such as [Synapse](#running-with-synapse).
 ## Enabling encryption in Hookshot
 In order for hookshot to use encryption, it must be configured as follows:
-- The `encryption.storagePath` setting must point to a directory that hookshot has permissions to write files into. If running with Docker, this path should be within a volume (for persistency).
+- The `experimentalEncryption.storagePath` setting must point to a directory that hookshot has permissions to write files into. If running with Docker, this path should be within a volume (for persistency).
 - [Redis](./workers.md) must be enabled. Note that worker mode is not yet supported with encryption, so `queue.monolithic` must be set to `true`.
 If you ever reset your homeserver's state, ensure you also reset hookshot's encryption state. This includes clearing the `encryption.storagePath` directory and all worker state stored in your redis instance. Otherwise, hookshot may fail on start up with registration errors.
diff --git a/package.json b/package.json
index 8694d790..f5a17a37 100644
--- a/package.json
+++ b/package.json
@@ -6,7 +6,6 @@
 "repository": "https://github.com/matrix-org/matrix-hookshot",
 "author": "matrix.org",
 "license": "Apache-2.0",
- "private": false,
 "napi": {
 "name": "matrix-hookshot-rs"
 },
diff --git a/src/Config/Config.ts b/src/Config/Config.ts
index ae251d1c..bd9aa4de 100644
--- a/src/Config/Config.ts
+++ b/src/Config/Config.ts
@@ -426,7 +426,7 @@ export interface BridgeConfigMetrics {
 export interface BridgeConfigRoot {
 bot?: BridgeConfigBot;
 bridge: BridgeConfigBridge;
- encryption?: BridgeConfigEncryption;
+ experimentalEncryption?: BridgeConfigEncryption;
 figma?: BridgeConfigFigma;
 feeds?: BridgeConfigFeedsYAML;
 generic?: BridgeGenericWebhooksConfigYAML;
@@ -448,7 +448,9 @@ export class BridgeConfig {
 @configKey("Basic homeserver configuration")
 public readonly bridge: BridgeConfigBridge;
 @configKey(`Configuration for encryption support in the bridge.
- If omitted, encryption support will be disabled.`, true)
+ If omitted, encryption support will be disabled.
+ This feature is HIGHLY EXPERIMENTAL AND SUBJECT TO CHANGE.
+ For more details, see https://github.com/matrix-org/matrix-hookshot/issues/594.`, true)
 public readonly encryption?: BridgeConfigEncryption;
 @configKey(`Message queue / cache configuration options for large scale deployments.
 For encryption to work, must be set to monolithic mode and have a host & port specified.`, true)
@@ -515,7 +517,8 @@ export class BridgeConfig {
 this.queue = configData.queue || {
 monolithic: true,
 };
- this.encryption = configData.encryption;
+ this.encryption = configData.experimentalEncryption;
+
 this.logging = configData.logging || {
 level: "info",
@@ -528,6 +531,12 @@ export class BridgeConfig {
 if (!ValidLogLevelStrings.includes(this.logging.level)) {
 throw new ConfigError("logging.level", `Logging level is not valid. Must be one of ${ValidLogLevelStrings.join(', ')}`)
 }
+ if (this.encryption) {
+ log.warn(`
+You have enabled encryption support in the bridge. This feature is HIGHLY EXPERIMENTAL AND SUBJECT TO CHANGE.
+For more details, see https://github.com/matrix-org/matrix-hookshot/issues/594.
+ `)
+ }
 this.permissions = configData.permissions || [{
 actor: this.bridge.domain,
diff --git a/src/Config/Defaults.ts b/src/Config/Defaults.ts
index d7d292b7..e4498329 100644
--- a/src/Config/Defaults.ts
+++ b/src/Config/Defaults.ts
@@ -134,10 +134,7 @@ export const DefaultConfig = new BridgeConfig({
 bindAddress: '0.0.0.0',
 resources: ['widgets'],
 }
- ],
- encryption: {
- storagePath: "./data/encryption"
- }
+ ]
 }, {});
 function renderSection(doc: YAML.Document, obj: Record, parentNode?: YAMLSeq) {
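Review bot: The class property keeps the name `encryption` in this hunk while the root interface key (the @@ -426 hunk) and the documentation now say `experimentalEncryption`, so the two names drift apart inside the same change. `@configKey` is applied to that property, and if it derives the rendered key from the property name (its implementation is not visible here) any documentation generated from this class would still present the old `encryption` key. Either rename the property to match, or make the mapping explicit with `// Read from configData.experimentalEncryption; only the YAML key carries the "experimental" prefix.` above `public readonly encryption?: BridgeConfigEncryption;`. The docs hunk likewise still tells operators to clear the `encryption.storagePath` directory in its reset paragraph. The BridgeConfig class starts and ends outside the hunk.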
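Review bot: `this.encryption = configData.experimentalEncryption;` silently disables encryption for any deployment whose YAML still uses the old `encryption:` key, because the renamed key is simply absent and nothing in this hunk (or in the interface rename at @@ -426) rejects the legacy one; a bridge that was encrypting before the upgrade would start again without encryption and without any error. Failing loudly is the safer behaviour, and the constructor already throws `ConfigError` for `logging.level`: `if ("encryption" in configData) {` / `throw new ConfigError("encryption", "The 'encryption' option has been renamed to 'experimentalEncryption'");` / `}` placed before the assignment. Whether the constructor rejects unknown keys somewhere else is not visible from the hunk. The constructor continues outside the hunk.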
@@ -147,6 +144,10 @@ function renderSection(doc: YAML.Document, obj: Record, parentN
 return;
 }
+ if (value === undefined || value === null) {
+ return;
+ }
+
 let newNode: Node;
 if (typeof value === "object" && !Array.isArray(value)) {
 newNode = YAML.createNode({});
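Review bot: The new guard skips `null` values as well as `undefined`, so a default that deliberately documents a setting as `null` would now vanish from the rendered sample config rather than appear as an explicit empty value; if that is intended it deserves a comment, e.g. `// Unset or null values are omitted so optional sections (such as experimentalEncryption) are not rendered as empty nodes.`. The comparison can also be the idiomatic `if (value == null) {`, which covers both cases. renderSection starts before the hunk and its body continues past it.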