matrix_encryption_disabler support #1621

Closed
spantaleev opened this issue Feb 11, 2022 · 3 comments

@spantaleev
Owner

matrix_encryption_disabler allows homeserver administrators to force-disable E2EE for rooms hosted on their server.

Related to matrix-org/synapse#4401

spantaleev added a commit that referenced this issue Feb 11, 2022
This doesn't work right now, because matrix_encryption_disabler
expects to get registered in `homeserver.yaml` using the
`third_party_event_rules` configuration key, not in `modules`.

Hopefully
digitalentity/matrix_encryption_disabler#1
will address this problem.

Related to matrix-org/synapse#4401

Will fix #1621
@digitalentity

digitalentity/matrix_encryption_disabler#1 has been fixed; the plugin now supports the new Synapse Module API.

@spantaleev
Owner Author

Thanks! We can now easily install your plugin and auto-enable it for the homeserver domain with a single configuration line:

```yaml
matrix_synapse_ext_encryption_disabler_enabled: true

# We apply these defaults, but users can customize these settings too.
# matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of: ["{{ matrix_domain }}"]
# matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of: ["{{ matrix_domain }}"]
```

I've tested it and it seems to work well! It prevents enabling encryption both during initial room creation and with a subsequent attempt to encrypt the room. Thank you for creating this plugin! 🙇

Until now, I've been using matrix-corporal to deny encryption creation attempts with the following configuration:

```yaml
# When matrix-corporal is acting as the primary authentication provider,
# you need to set up the REST authentication password provider module
# to make Interactive User Authentication work.
# This is necessary for certain user actions (like E2EE, device management, etc).
#
# See configuring-playbook-rest-auth.md
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"

matrix_corporal_enabled: true

# See matrix_aux_file_definitions
matrix_corporal_policy_provider_config: |
  {
    "Type": "static_file",
    "Path": "/etc/matrix-corporal/policy.json"
  }

# If you need to change matrix-corporal's user id from the default (matrix-corporal).
# In any case, you need to make sure this Matrix user is created on your server.
matrix_corporal_corporal_user_id_local_part: "matrix-corporal"

matrix_aux_file_definitions:
  - dest: "{{ matrix_corporal_config_dir_path }}/policy.json"
    content: |
      {
        "schemaVersion": 1,
        "identificationStamp": "stamp-1",
        "flags": {
          "allowCustomUserDisplayNames": false,
          "allowCustomUserAvatars": false,
          "forbidRoomCreation": false,
          "forbidEncryptedRoomCreation": true,
          "forbidUnencryptedRoomCreation": false,
          "allowCustomPassthroughUserPasswords": true,
          "allowUnauthenticatedPasswordResets": false,
          "allow3pidLogin": false
        },
        "managedCommunityIds": [],
        "managedRoomIds": [],
        "users": []
      }
```

This is more complicated, but also worked well for denying /createRoom requests and subsequent attempts to enable encryption.

What matrix_encryption_disabler does better than matrix-corporal with regards to this is that:

  • /createRoom requests that try to enable encryption are not denied, but rather modified so that the encryption part is stripped away. This works around clients like Fluffychat, which try to force you into using encryption and don't let you avoid it
  • using a Synapse plugin is a simpler and more lightweight solution for disabling encryption than installing a gateway/firewalling system like matrix-corporal
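
The two behaviours compared in the comment above (stripping encryption out of a /createRoom request, and denying a later attempt to encrypt an existing room), as an added Python example that is not part of the thread or of the plugin's code. It works on plain dictionaries and does not use Synapse's module API; the function names, the sample request and the reading of the two `deny_encryption_for_*` lists as server names are assumptions.

```python
import copy

ENCRYPTION_EVENT = "m.room.encryption"  # state event type that turns on E2EE

def server_name(matrix_id):
    """Server part of a Matrix ID such as @alice:example.com or !room:example.com."""
    return matrix_id.split(":", 1)[1] if ":" in matrix_id else ""

def strip_encryption(create_room_body, requester, deny_users_of):
    """Strip behaviour: return (body, changed) without rejecting the request."""
    if server_name(requester) not in deny_users_of:
        return create_room_body, False
    body = copy.deepcopy(create_room_body)  # never mutate the caller's request
    before = body.get("initial_state", [])
    after = [ev for ev in before if ev.get("type") != ENCRYPTION_EVENT]
    if len(after) == len(before):
        return body, False
    body["initial_state"] = after
    return body, True

def allow_event(event, deny_users_of, deny_rooms_of):
    """Deny behaviour: reject a later m.room.encryption event for covered users or rooms."""
    if event.get("type") != ENCRYPTION_EVENT:
        return True
    if server_name(event["sender"]) in deny_users_of:
        return False
    return server_name(event["room_id"]) not in deny_rooms_of

# Constructed sample: a client that always asks for an encrypted room.
SAMPLE_REQUEST = {
    "name": "Team chat",
    "preset": "private_chat",
    "initial_state": [
        {"type": "m.room.encryption", "state_key": "",
         "content": {"algorithm": "m.megolm.v1.aes-sha2"}},
        {"type": "m.room.history_visibility", "state_key": "",
         "content": {"history_visibility": "shared"}},
    ],
}
DENY = ["example.com"]  # stands in for {{ matrix_domain }} (assumed value)

if __name__ == "__main__":
    body, changed = strip_encryption(SAMPLE_REQUEST, "@alice:example.com", DENY)
    print("stripped:", changed, [ev["type"] for ev in body["initial_state"]])
    later = {"type": ENCRYPTION_EVENT, "sender": "@alice:example.com",
             "room_id": "!abc:example.com"}
    print("later encryption event allowed:", allow_event(later, DENY, DENY))
```
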

spantaleev added a commit that referenced this issue Feb 12, 2022
@digitalentity

> /createRoom requests that try to enable encryption are not denied, but rather modified so that the encryption part is stripped away. This works around clients like Fluffychat, which try to force you into using encryption and don't let you avoid it

Exactly my motivation for creating this plugin. I like FluffyChat for UI/UX, but it doesn't have an option to opt out of e2ee which makes a solution with matrix-corporal not functional. Plugin is totally transparent for the user during room creation and is a minor annoyance ("denied" error message) when trying to enable encryption.

Thanks for considering my plugin for your deployment!

@luixxiul luixxiul added the suggestion This issue is a feature request label Nov 5, 2024