register_new_matrix_user: add password-file flag

Mic92 · anoadragon453 · Mic92 · commit 00c8888e4f38 · 2024-06-11T14:49:37.000+02:00
getpass in python exist on stdin to be a tty, hence we cannot just pipe
into register_new_matrix_user. --password-file instead works better and
it would also allow the use of stdin if /dev/stdin is passed.

Co-authored-by: Andrew Morgan &lt;1342360+anoadragon453@users.noreply.github.com&gt;
Signed-off-by: Jörg Thalheim &lt;joerg@thalheim.io&gt;
diff --git a/changelog.d/17294.feature b/changelog.d/17294.feature
@@ -0,0 +1,2 @@
+`register_new_matrix_user` now supports a --password-file flag, which
+is useful for scripting.
diff --git a/debian/register_new_matrix_user.ronn b/debian/register_new_matrix_user.ronn
@@ -31,8 +31,13 @@ A sample YAML file accepted by `register_new_matrix_user` is described below:
     Local part of the new user. Will prompt if omitted.
 
   * `-p`, `--password`:
-    New password for user. Will prompt if omitted. Supplying the password
-    on the command line is not recommended. Use the STDIN instead.
+    New password for user. Will prompt if this option and `--password-file` are omitted.
+    Supplying the password
+    on the command line is not recommended. Use `--password-file` if possible.
+
+  * `--password-file`:
+    File containing the new password for user. If set, overrides `--password`.
+    This is a more secure alternative to specifying the password on the command line.
 
   * `-a`, `--admin`:
     Register new user as an admin. Will prompt if omitted.
diff --git a/synapse/_scripts/register_new_matrix_user.py b/synapse/_scripts/register_new_matrix_user.py
@@ -173,11 +173,19 @@ def main() -> None:
         default=None,
         help="Local part of the new user. Will prompt if omitted.",
     )
-    parser.add_argument(
+    password_group = parser.add_mutually_exclusive_group()
+    password_group.add_argument(
         "-p",
         "--password",
         default=None,
-        help="New password for user. Will prompt if omitted.",
+        help="New password for user. Will prompt for a password if "
+        "this flag and `--password-file` are both omitted.",
+    )
+    password_group.add_argument(
+        "--password-file",
+        default=None,
+        help="File containing the new password for user. If set, will
+        override `--password`.",
     )
     parser.add_argument(
         "-t",
@@ -247,6 +255,11 @@ def main() -> None:
             print(_NO_SHARED_SECRET_OPTS_ERROR, file=sys.stderr)
             sys.exit(1)
 
+    if args.password_file:
+        password = _read_file(args.password_file, "password-file").strip()
+    else:
+        password = args.password
+
     if args.server_url:
         server_url = args.server_url
     elif config is not None:
@@ -270,7 +283,7 @@ def main() -> None:
         admin = args.admin
 
     register_new_user(
-        args.user, args.password, server_url, secret, admin, args.user_type
+        args.user, password, server_url, secret, admin, args.user_type
     )
 
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+`register_new_matrix_user` now supports a --password-file flag, which
	`2`	`+is useful for scripting.`