register_new_matrix_user: add password-file flag (#17294)

Co-authored-by: Andrew Morgan <[email protected]>
Co-authored-by: Andrew Morgan <[email protected]>

Author: Mic92

changelog.d/17294.feature

@@ -0,0 +1,2 @@
+`register_new_matrix_user` now supports a --password-file flag, which
+is useful for scripting.

debian/changelog

@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.109.0+nmu1) UNRELEASED; urgency=medium
+
+  * `register_new_matrix_user` now supports a --password-file flag.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Jun 2024 13:29:36 +0100
+
 matrix-synapse-py3 (1.109.0) stable; urgency=medium
 
   * New synapse release 1.109.0.

debian/register_new_matrix_user.ronn

@@ -31,8 +31,12 @@ A sample YAML file accepted by `register_new_matrix_user` is described below:
     Local part of the new user. Will prompt if omitted.
 
   * `-p`, `--password`:
-    New password for user. Will prompt if omitted. Supplying the password
-    on the command line is not recommended. Use the STDIN instead.
+    New password for user. Will prompt if this option and `--password-file` are omitted.
+    Supplying the password on the command line is not recommended.
+
+  * `--password-file`:
+    File containing the new password for user. If set, overrides `--password`.
+    This is a more secure alternative to specifying the password on the command line.
 
   * `-a`, `--admin`:
     Register new user as an admin. Will prompt if omitted.

synapse/_scripts/register_new_matrix_user.py

@@ -173,11 +173,18 @@ def main() -> None:
         default=None,
         help="Local part of the new user. Will prompt if omitted.",
     )
-    parser.add_argument(
+    password_group = parser.add_mutually_exclusive_group()
+    password_group.add_argument(
         "-p",
         "--password",
         default=None,
-        help="New password for user. Will prompt if omitted.",
+        help="New password for user. Will prompt for a password if "
+        "this flag and `--password-file` are both omitted.",
+    )
+    password_group.add_argument(
+        "--password-file",
+        default=None,
+        help="File containing the new password for user. If set, will override `--password`.",
     )
     parser.add_argument(
         "-t",
@@ -247,6 +254,11 @@ def main() -> None:
             print(_NO_SHARED_SECRET_OPTS_ERROR, file=sys.stderr)
             sys.exit(1)
 
+    if args.password_file:
+        password = _read_file(args.password_file, "password-file").strip()
+    else:
+        password = args.password
+
     if args.server_url:
         server_url = args.server_url
     elif config is not None:
@@ -269,9 +281,7 @@ def main() -> None:
     if args.admin or args.no_admin:
         admin = args.admin
 
-    register_new_user(
-        args.user, args.password, server_url, secret, admin, args.user_type
-    )
+    register_new_user(args.user, password, server_url, secret, admin, args.user_type)
 
 
 def _read_file(file_path: Any, config_path: str) -> str: