Add --no-secrets-in-config command line option

[V02460]

Adds the --no-secrets-in-config command line option that makes Synapse reject all configurations containing keys with in-line secret values. Currently this rejects

• turn_shared_secret
• registration_shared_secret
• macaroon_secret_key
• recaptcha_private_key
• recaptcha_public_key
• experimental_features.msc3861.client_secret
• experimental_features.msc3861.jwk
• experimental_features.msc3861.admin_token
• form_secret
• redis.password
• worker_replication_secret

Tip

Hey, you! Yes, you! 😊 If you think this list is missing an item, please leave a comment below. Thanks :)

This PR complements my other PRs¹ that add the corresponding _path variants for this class of config options. It enables admins to enforce a policy of no secrets in configuration files and guards against accident and malice.

Because I consider the flag --no-secrets-in-config to be security-relevant, I did not add a corresponding --secrets-in-config flag; this way, if Synapse command line options are appended at various places, there is no way to weaken the once-set setting with a succeeding flag.

Pull Request Checklist

• Pull request is based on the develop branch
• Pull request includes a changelog file. The entry should:
  • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
  • Use markdown where necessary, mostly for code blocks.
  • End with either a period (.) or an exclamation mark (!).
  • Start with a capital letter.
  • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
• Code style is correct
  (run the linters)

Footnotes

1. #17690, #17717, #17983, #17984, #18004, #18090 ↩

[devonh]

Overall the changes look good. Just a few small things I think need adjusting.