| blob | eb262a13df4f812477d14db288e9d8e924199c1d |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs -*- lexical-binding: t -*-
3 ;; Copyright (C) 2008-2018 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
76 "Authentication sources."
80 ;;;###autoload
82 "How many seconds passwords are cached, or nil to disable
83 expiring. Overrides `password-cache-expiry' through a
84 let-binding."
93 ;; The slots below correspond with the `auth-source-search' spec,
94 ;; so a backend with :host set, for instance, would match only
95 ;; searches for that host. Normally they are nil.
99 :type symbol
100 :custom symbol
103 :type string
104 :custom string
107 :initform t
108 :type t
109 :custom string
112 :initform t
113 :type t
114 :custom string
117 :initform t
118 :type t
119 :custom string
122 :initform nil
125 :initform ignore
126 :type function
127 :custom function
130 :initform ignore
131 :type function
132 :custom function
140 "List of authentication protocols and their names"
150 ;; Generate all the protocols in a format Customize can use.
151 ;; TODO: generate on the fly from auth-source-protocols
157 p)))
158 auth-source-protocols))
161 ;; FIXME: AFAICT this is not set (or let-bound) anywhere!
170 "If set, auth-source will respect it for save behavior."
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
205 "Whether auth-source should cache information with `password-cache'."
211 "Whether auth-source should log debug messages.
213 If the value is nil, debug messages are not logged.
215 If the value is t, debug messages are logged with `message'. In
216 that case, your authentication data will be in the clear (except
217 for passwords).
219 If the value is a function, debug messages are logged by calling
220 that function using the same arguments as `message'."
227 trivia)
232 "List of authentication sources.
233 Each entry is the authentication type with optional properties.
234 Entries are tried in the order in which they appear.
235 See Info node `(auth)Help for users' for details.
238 EPA/EPG set up, the file will be encrypted and decrypted
239 automatically. See Info node `(epa)Encrypting/decrypting gpg files'
240 for details.
243 can get pretty complex."
254 macos-keychain-internet)
257 macos-keychain-generic)
312 "List of recipient keys that `authinfo.gpg' encrypted to.
313 If the value is not a list, symmetric encryption will be used."
331 ;; set logger to either the function in auth-source-debug or 'message
332 ;; note that it will be 'message if auth-source-debug is nil
334 auth-source-debug
336 msg))
339 "Read one of CHOICES by `read-char-choice', or `read-char'.
340 `dropdown-list' support is disabled because it doesn't work reliably.
341 Only one of CHOICES will be returned. The PROMPT is augmented
349 k)
353 k)))
356 "List of auth-source parser functions.
357 Each function takes an entry from `auth-sources' as parameter and
358 returns a backend or nil if the entry is not supported. Add a
359 parser function to this list with `add-hook'. Searching for a
360 backend starts with the first element on the list and stops as
364 "Create an auth-source-backend from an ENTRY in `auth-sources'."
372 ;; none of the parsers worked
381 ;; take just a file name use it as a netrc/plist file
382 ;; matching any user, host, and protocol
398 source
399 :source source
406 source
407 :source source
412 source
413 :source source
418 ;; Note this function should be last in the parser functions, so we add it first
422 ;; take macos-keychain-{internet,generic}:XYZ and use it as macOS
423 ;; Keychain "XYZ" matching any user, host, and protocol
425 entry))
429 entry))
432 ;; take 'macos-keychain-internet or generic and use it as a Mac OS
433 ;; Keychain collection matching any user, host, and protocol
439 ;; the macOS Keychain
450 'macos-keychain-generic
453 :macos-keychain-generic
461 :source source
462 :type keychain-type
469 ;; take secrets:XYZ and use it as Secrets API collection "XYZ"
470 ;; matching any user, host, and protocol
473 ;; take 'default and use it as a Secrets API default collection
474 ;; matching any user, host, and protocol
478 ;; the Secrets API. We require the package, in order to have a
479 ;; defined value for `secrets-enabled'.
489 ;; the source is either the :secrets key in ENTRY or
490 ;; if that's missing or nil, it's "session"
493 ;; if the source is a symbol, we look for the alias named so,
494 ;; and if that alias is missing, we use "Login"
502 :source source
516 "Fills in the extra auth-source-backend parameters of ENTRY.
517 Using the plist ENTRY, get the :host, :port, and :user search
518 parameters."
520 nil
521 entry))
522 val)
529 backend)
531 ;; (mapcar 'auth-source-backend-parse auth-sources)
534 &key max require create delete
536 "Search or modify authentication backends according to SPEC.
538 This function parses `auth-sources' for matches of the SPEC
539 plist. It can optionally create or update an authentication
540 token if requested. A token is just a standard Emacs property
541 list with a :secret property that can be a function; all the
542 other properties will always hold scalar values.
544 Typically the :secret property, if present, contains a password.
546 Common search keys are :max, :host, :port, and :user. In
547 addition, :create specifies if and how tokens will be created.
548 Finally, :type can specify which backend types you want to check.
550 A string value is always matched literally. A symbol is matched
551 as its string value, literally. All the SPEC values can be
552 single values (symbol or string) or lists thereof (in which case
553 any of the search terms matches).
555 :create t means to create a token if possible.
557 A new token will be created if no matching tokens were found.
558 The new token will have only the keys the backend requires. For
559 the netrc backend, for instance, that's the user, host, and
560 port keys.
562 Here's an example:
568 :create t))
570 which says:
573 `netrc', maximum one result.
575 Create a new entry if you found none. The netrc backend will
576 automatically require host, user, and port. The host will be
577 `mine'. We prompt for the user with default `defaultUser' and
578 for the port without a default. We will not prompt for A, Q,
579 or P. The resulting token will only have keys user, host, and
584 The behavior is like :create t but if the list contains any
585 parameter, that parameter will be required in the resulting
586 token. The value for that parameter will be obtained from the
587 search parameters or from user input. If any queries are needed,
588 the alist `auth-source-creation-defaults' will be checked for the
589 default value. If the user, host, or port are missing, the alist
590 `auth-source-creation-prompts' will be used to look up the
591 prompts IN THAT ORDER (so the `user' prompt will be queried first,
592 then `host', then `port', and finally `secret'). Each prompt string
593 can use %u, %h, and %p to show the user, host, and port.
595 Here's an example:
599 (auth-source-creation-prompts
605 which says:
608 or `twosuch' in backends of type `netrc', maximum one result.
610 Create a new entry if you found none. The netrc backend will
611 automatically require host, user, and port. The host will be
612 `nonesuch' and Q will be `qqqq'. We prompt for the password
613 with the shown prompt. We will not prompt for Q. The resulting
614 token will have keys user, host, port, A, B, and Q. It will not
615 have P with any value, even though P is used in the search to
618 When multiple values are specified in the search parameter, the
619 user is prompted for which one. So :host (X Y Z) would ask the
620 user to choose between X, Y, and Z.
622 This creation can fail if the search was not specific enough to
623 create a new token (it's up to the backend to decide that). You
624 should `catch' the backend-specific error as usual. Some
625 backends (netrc, at least) will prompt the user rather than throw
626 an error.
628 :require (A B C) means that only results that contain those
629 tokens will be returned. Thus for instance requiring :secret
630 will ensure that any results will actually have a :secret
631 property.
633 :delete t means to delete any found entries. nil by default.
634 Use `auth-source-delete' in ELisp code instead of calling
635 `auth-source-search' directly with this parameter.
637 :type (X Y Z) will check only those backend types. `netrc' and
638 `secrets' are the only ones supported right now.
640 :max N means to try to return at most N items (defaults to 1).
641 More than N items may be returned, depending on the search and
642 the backend.
644 When :max is 0 the function will return just t or nil to indicate
645 if any matches were found.
647 :host (X Y Z) means to match only hosts X, Y, or Z according to
648 the match rules above. Defaults to t.
650 :user (X Y Z) means to match only users X, Y, or Z according to
651 the match rules above. Defaults to t.
653 :port (P Q R) means to match only protocols P, Q, or R.
654 Defaults to t.
656 :K (V1 V2 V3) for any other key K will match values V1, V2, or
657 V3 (note the match rules above).
659 The return value is a list with at most :max tokens. Each token
660 is a plist with keys :backend :host :port :user, plus any other
661 keys provided by the backend (notably :secret). But note the
662 exception for :max 0, which see above.
664 The token can hold a :save-function key. If you call that, the
665 user will be prompted to save the data to the backend. You can't
666 request that this should happen right after creation, because
667 `auth-source-search' has no way of knowing if the token is
668 actually useful. So the caller must arrange to call this function.
670 The token's :secret key can hold a function. In that case you
671 must call it to obtain the actual value."
679 ;; note that we may have cached results but found is still nil
680 ;; (there were no results from the search)
682 filtered-backends)
686 "auth-source-search: found %d CACHED results matching %S"
700 ;; ignore invalid slots
710 "auth-source-search: found %d backends matching %S"
713 ;; (debug spec "filtered" filtered-backends)
714 ;; First go through all the backends without :create, so we can
715 ;; query them all.
717 spec
718 ;; to exit early
719 max
720 ;; create is always nil here
721 nil delete
722 require))
725 "auth-source-search: found %d results (max %d) matching %S"
728 ;; If we didn't find anything, then we allow the backend(s) to
729 ;; create the entries.
733 spec
734 ;; to exit early
735 max
736 create delete
737 require))
739 "auth-source-search: CREATED %d results (max %d) matching %S"
742 ;; note we remember the lack of result too, if it's applicable
748 found)))
752 matches)
757 :backend backend
759 ;; note we're overriding whatever the spec
760 ;; has for :max, :require, :create, and :delete
761 :max max
762 :require require
763 :create create
764 :delete delete
765 spec)))
768 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
772 spec)
774 matches))
777 "Delete entries from the authentication backends according to SPEC.
778 Calls `auth-source-search' with the :delete property in SPEC set to t.
779 The backend may not actually delete the entries.
781 Returns the deleted entries."
785 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
789 ;; (debug :collection collection :value value)
798 "Forget all cached auth-source data."
802 ;; remove that key
804 password-data)
808 "Format SPEC entry to put it in the password cache."
812 "Remember FOUND search results for SPEC."
818 "Recall FOUND search results for SPEC."
822 "Check if SPEC is remembered."
827 "Forget any cached data matching SPEC exactly.
829 This is the same SPEC you passed to `auth-source-search'.
830 Returns t or nil for forgotten or not found."
834 "Forget any cached data matching SPEC. Returns forgotten count.
836 This is not a full `auth-source-search' spec but works similarly.
838 cached data that was found with a search for those two hosts,
839 while \(:host t) would find all host entries."
844 ;; and the spec matches what was stored in the cache
846 ;; remove that key
849 password-data)
850 count))
863 "Pick the first secret found from applying SPEC to `auth-source-search'."
869 secret)))
872 "Format PROMPT using %x (for any character x) specifiers in ALIST."
879 prompt nil t)))))
880 prompt)
884 values
890 value))
891 values)))
893 ;;; Backend specific parsing: netrc/authinfo backend
910 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
913 "Parse FILE and return a list of all entries in the file.
914 Note that the MAX parameter is used so we can exit the parse early."
916 ;; We got already parsed contents; just return it.
917 file
929 host
933 t))
935 user
940 t))
942 port
946 t))
948 ;; the required list of keys is nil, or
950 ;; every element of require is in n (normalized)
955 result)
963 "auth-source-netrc-parse: using CACHED file data for %s"
964 file)
967 ;; cache all netrc files (used to be just .gpg files)
968 ;; Store the contents of the file heavily encrypted in memory.
969 ;; (note for the irony-impaired: they are just obfuscated)
971 auth-source-netrc-cache file
978 alist)
984 ;; (see bug#7487) making `epa-file-encrypt-to' local to
985 ;; this buffer lets epa-file skip the key selection query
986 ;; (see the `local-variable-p' check in
987 ;; `epa-file-write-region').
993 ;; ask AFTER we've successfully opened the file
995 file modified))
998 "auth-source-netrc-parse: modified %d lines in %s"
999 modified file)))
1004 "Advance to the next interesting position in the current buffer."
1006 ;; If we're looking at a comment or are at the end of the line, move forward
1014 "Read one thing from the current buffer."
1025 ;; with thanks to org-mode
1029 ;; works also in narrowed buffer, because we start at 1, not point-min
1033 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1036 alist
1040 all))
1041 item item2 all alist default)
1044 ;; We're starting a new machine. Save the old one.
1048 ;; (auth-source-do-trivia
1049 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1051 alist nil))
1052 ;; In default entries, we don't have a next token.
1053 ;; We store them as ("machine" . t)
1056 ;; Not a default entry. Grab the next item.
1058 ;; Did we get a "machine" value?
1061 "%s: Unexpected `machine' token at line %d"
1062 "auth-source-netrc-parse-entries"
1066 ;; Clean up: if there's an entry left over, use it.
1069 ;; (auth-source-do-trivia
1070 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1071 )
1079 passphrase)
1080 ;; return the saved passphrase, calling a function if needed
1091 t))
1094 passphrase))))
1097 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1098 FILE is the file from which we obtained this token."
1103 context
1105 file))
1113 cipher)
1116 context
1118 file))
1137 ;; apply key aliases
1144 ;; send back the secret in a function (lexical binding)
1149 ;; it's a GPG token: create a token decoder
1150 ;; which unsets itself once
1155 val
1156 filename)
1161 lexv))))
1164 v))))
1165 ret))
1166 alist))
1169 &key backend require create
1170 type max host user port
1172 "Given a property list SPEC, return search matches from the :backend.
1173 See `auth-source-search' for details on SPEC."
1174 ;; just in case, check that the type is correct (null or same as the backend)
1180 :max max
1181 :require require
1188 ;; if we need to create an entry AND none were found to match
1192 ;; create based on the spec and record the value
1194 ;; if the user did not want to create the entry
1195 ;; in the file, it will be returned
1197 ;; if not, we do the search again without :create
1198 ;; to get the updated data.
1200 ;; the result will be returned, even if the search fails
1203 results))
1208 v))
1210 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1211 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1214 &key backend host port create
1217 ;; we know (because of an assertion in auth-source-search) that the
1218 ;; :create parameter is either t or a list (which includes nil)
1221 :host host
1226 ;; `valist' is an alist
1227 valist
1228 ;; `artificial' will be returned if no creation is needed
1229 artificial)
1231 ;; only for base required elements (defined as function parameters):
1232 ;; fill in the valist with whatever data we may have from the search
1233 ;; we complete the first value if it's a list and use the value otherwise
1238 ;; all-accepting choice (predicate is t)
1240 ;; just the value otherwise
1245 ;; for extra required elements, see if the spec includes a value for them
1253 ;; for each required element
1256 ;; take the first element if the data is a list
1260 ;; this is the default to be offered
1262 auth-source-creation-defaults r))
1263 ;; the default supplementals are simple:
1264 ;; for the user, try `given-default' and then (user-login-name);
1265 ;; otherwise take `given-default'
1297 prompt
1302 ;; Store the data, prompting for the password if needed.
1305 ;; Special case prompt for passwords.
1306 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") nil) (t gpg)))
1307 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1315 auth-source-netrc-use-gpg-tokens))
1316 item ret)
1323 ret))
1326 ;; ask if we don't know what to do (in which case
1327 ;; auth-source-netrc-use-gpg-tokens must be a list)
1330 ;; TODO: save the defcustom now? or ask?
1333 auth-source-netrc-use-gpg-tokens)))
1336 plain))
1342 nil nil default)
1351 data))))
1353 ;; When r is not an empty string...
1356 ;; this function is not strictly necessary but I think it
1357 ;; makes the code clearer -tzz
1359 ;; append the key (the symbol name of r)
1360 ;; and the value in r
1362 ;; prepend a space
1364 ;; remap auth-source tokens to netrc
1373 data)))))
1377 artificial
1378 :save-function
1386 "Save a line ADD in FILE, prompting along the way.
1387 Respects `auth-source-save-behavior'. Uses
1388 `auth-source-netrc-cache' to avoid prompting more than once."
1394 "auth-source-netrc-saver: found previous run for key %s, returning"
1395 key)
1400 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1401 ;; this buffer lets epa-file skip the key selection query
1402 ;; (see the `local-variable-p' check in
1403 ;; `epa-file-write-region').
1408 ;; we want the new data to be found first, so insert at beginning
1411 ;; Ask AFTER we've successfully opened the file.
1415 k)
1428 ;; Why? Doesn't with-output-to-temp-buffer already do
1429 ;; the exact same thing anyway? --Stef
1433 done t))
1434 (?N
1436 done t)
1444 ;; Make sure the info is not saved.
1454 ;; Make the .authinfo file non-world-readable.
1457 "auth-source-netrc-create: wrote 1 new line to %s"
1458 file)
1460 nil))))
1463 ;;; Backend specific parsing: Secrets API backend
1466 "Convert a pattern with lists to a list of string patterns.
1471 only string values for patterns, so this routine returns a list
1472 of patterns that is equivalent to the single original pattern
1473 when interpreted such that if a secret matches any pattern in the
1474 list, it matches the original pattern."
1487 &key backend create delete label max
1489 "Search the Secrets API; spec is like `auth-source'.
1491 The :label key specifies the item's label. It is the only key
1492 that can specify a substring. Any :label value besides a string
1493 will allow any label.
1495 All other search keys must match exactly. If you need substring
1496 matching, do a wider search and narrow it down yourself.
1498 You'll get back all the properties of the token as a plist.
1500 Here's an example that looks for the first item in the `Login'
1501 Secrets collection:
1504 (auth-source-search :max 1))
1506 Here's another that looks for the first item in the `Login'
1507 Secrets collection whose label contains `gnus':
1512 And this one looks for the first item in the `Login' Secrets
1513 collection that's a Google Chrome entry for the git.gnus.org site
1514 authentication tokens:
1518 "
1520 ;; TODO
1521 ;; (secrets-delete-item coll elt)
1531 ;; build a search spec without the ignored keys
1532 ;; if a search key is nil or t (match anything), we skip it
1538 nil
1540 search-keys))))
1541 ;; needed keys (always including host, login, port, and secret)
1544 search-keys)))
1547 for search-spec in search-specs
1548 nconc
1552 collect item)))
1553 ;; TODO: respect max in `secrets-search-items', not after the fact
1555 ;; convert the item name to a full plist
1558 ;; make an entry for the secret (password) element
1560 :secret
1563 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1568 items))
1569 ;; ensure each item has each key in `returned-keys'
1575 nil
1577 returned-keys))
1578 plist))
1579 items)))
1581 ;; if we need to create an entry AND none were found to match
1585 ;; create based on the spec and record the value
1587 ;; if the user did not want to create the entry
1588 ;; in the file, it will be returned
1590 ;; if not, we do the search again without :create
1591 ;; to get the updated data.
1593 ;; the result will be returned, even if the search fails
1596 items))
1599 &key backend host port create
1602 ;; we know (because of an assertion in auth-source-search) that the
1603 ;; :create parameter is either t or a list (which includes nil)
1606 :host host
1610 ;; `args' are the arguments for `secrets-create-item'.
1611 args
1612 ;; `valist' is an alist
1613 valist
1614 ;; `artificial' will be returned if no creation is needed
1615 artificial)
1617 ;; only for base required elements (defined as function parameters):
1618 ;; fill in the valist with whatever data we may have from the search
1619 ;; we complete the first value if it's a list and use the value otherwise
1624 ;; all-accepting choice (predicate is t)
1626 ;; just the value otherwise
1631 ;; for extra required elements, see if the spec includes a value for them
1639 ;; for each required element
1642 ;; take the first element if the data is a list
1646 ;; this is the default to be offered
1648 auth-source-creation-defaults r))
1649 ;; the default supplementals are simple:
1650 ;; for the user, try `given-default' and then (user-login-name);
1651 ;; for the label, try `given-default' and then user@host;
1652 ;; otherwise take `given-default'
1699 prompt
1704 ;; Store the data, prompting for the password if needed.
1713 nil nil default)
1722 data))))
1724 ;; When r is not an empty string...
1728 ;; append the key (the symbol name of r)
1729 ;; and the value in r
1733 artificial
1734 :save-function
1745 "Wrapper around `secrets-create-item', prompting along the way.
1746 Respects `auth-source-save-behavior'."
1751 k)
1763 ;; Why? Doesn't with-output-to-temp-buffer already do
1764 ;; the exact same thing anyway? --Stef
1779 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1782 &key backend create delete type max
1784 "Search the macOS Keychain; spec is like `auth-source'.
1786 All search keys must match exactly. If you need substring
1787 matching, do a wider search and narrow it down yourself.
1789 You'll get back all the properties of the token as a plist.
1791 The :type key is either `macos-keychain-internet' or
1792 `macos-keychain-generic'.
1794 For the internet keychain type, the :label key searches the
1798 \(note PROT has to be a 4-character string).
1800 For the generic keychain type, the :label key searches the item's
1805 Here's an example that looks for the first item in the default
1806 generic macOS Keychain:
1809 (auth-source-search :max 1)
1811 Here's another that looks for the first item in the internet
1812 macOS Keychain collection whose label is `gnus':
1817 And this one looks for the first item in the internet keychain
1818 entries for git.gnus.org:
1822 "
1823 ;; TODO
1826 ;; TODO
1827 ;; (macos-keychain-delete-item coll elt)
1833 ;; Filter out ignored keys from the spec
1835 ;; Build a search spec without the ignored keys
1836 ;; FIXME make this loop a function? it's used in at least 3 places
1840 ;; If a search key value is nil or t (match anything), we skip it
1845 nil
1847 search-keys)))
1848 ;; needed keys (always including host, login, port, and secret)
1851 search-keys)))
1852 ;; Extract host and port from spec
1857 ;; Loop through all combinations of host/port and pass each of these to
1858 ;; auth-source-macos-keychain-search-items
1864 coll
1865 type
1866 max
1867 host port
1868 search-spec)))
1872 ;; ensure each item has each key in `returned-keys'
1878 nil
1880 returned-keys))
1881 plist))
1882 items)))
1883 items))
1898 else
1899 collect var))
1903 &key label type user
1907 "find-generic-password"
1923 port)))))
1935 ret
1936 keychain-generic
1937 "secret"
1941 ;; TODO: check if this is really the label
1942 ;; match 0x00000007 <blob>="AppleID"
1946 ret
1947 keychain-generic
1948 "label"
1950 ;; match "crtr"<uint32>="aapl"
1951 ;; match "svce"<blob>="AppleID"
1955 ret
1956 keychain-generic
1960 ;; return `ret' iff it has the :secret key
1968 ;; for generic keychains, creator is host, service is port
1971 ;; for internet keychains, protocol is port, server is host
1975 result))
1978 ;; TODO
1981 ;;; Backend specific parsing: PLSTORE backend
1984 &key backend create delete max
1986 "Search the PLSTORE; spec is like `auth-source'."
1993 ;; build a search spec without the ignored keys
1994 ;; if a search key is nil or t (match anything), we skip it
2000 nil
2004 search-keys)))
2005 ;; needed keys (always including host, login, port, and secret)
2008 search-keys)))
2012 ;; convert the item to a full plist
2021 plist))
2022 items))
2023 ;; ensure each item has each key in `returned-keys'
2029 nil
2031 returned-keys))
2032 plist))
2033 items)))
2035 ;; if we need to create an entry AND none were found to match
2039 ;; create based on the spec and record the value
2041 ;; if the user did not want to create the entry
2042 ;; in the file, it will be returned
2044 ;; if not, we do the search again without :create
2045 ;; to get the updated data.
2047 ;; the result will be returned, even if the search fails
2051 item-names)
2055 items))
2058 &key backend host port create
2062 ;; we know (because of an assertion in auth-source-search) that the
2063 ;; :create parameter is either t or a list (which includes nil)
2066 :host host
2069 ;; `valist' is an alist
2070 valist
2071 ;; `artificial' will be returned if no creation is needed
2072 artificial
2073 secret-artificial)
2075 ;; only for base required elements (defined as function parameters):
2076 ;; fill in the valist with whatever data we may have from the search
2077 ;; we complete the first value if it's a list and use the value otherwise
2082 ;; all-accepting choice (predicate is t)
2084 ;; just the value otherwise
2089 ;; for extra required elements, see if the spec includes a value for them
2097 ;; for each required element
2100 ;; take the first element if the data is a list
2104 ;; this is the default to be offered
2106 auth-source-creation-defaults r))
2107 ;; the default supplementals are simple:
2108 ;; for the user, try `given-default' and then (user-login-name);
2109 ;; otherwise take `given-default'
2141 prompt
2146 ;; Store the data, prompting for the password if needed.
2156 nil nil default)
2164 data))
2167 data))))))
2173 artificial secret-artificial)
2178 ;;; Backend specific parsing: JSON backend
2179 ;;; (auth-source-search :max 1 :machine "imap.gmail.com")
2180 ;;; (auth-source-search :max 1 :host '("my-gmail" "imap.gmail.com") :port '(993 "imaps" "imap" "993" "143") :user nil :require '(:user :secret))
2189 t))
2196 t))
2202 t))
2204 ;; the required list of keys is nil, or
2206 ;; every element of require is in
2211 &key backend require
2212 type max host user port
2214 "Given a property list SPEC, return search matches from the :backend.
2215 See `auth-source-search' for details on SPEC."
2216 ;; just in case, check that the type is correct (null or same as the backend)
2220 ;; Hide the secrets early to avoid accidental exposure.
2233 ;; send back the secret in a function (lexical binding)
2238 ret))
2241 all)
2249 ;;; older API
2251 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2253 ;; deprecate the old interface
2261 "Find MODE (string or list of strings) matching HOST and PORT.
2263 DEPRECATED in favor of `auth-source-search'!
2266 across the Secret Service API (see secrets.el) if the resulting
2267 items don't have a username. This means that if you search for
2271 A non nil DELETE-EXISTING means deleting any matching password
2272 entry in the respective sources. This is useful only when
2273 CREATE-MISSING is non nil as well; the intended use case is to
2274 remove wrong password entries.
2276 If no matching entry is found, and CREATE-MISSING is non nil,
2277 the password will be retrieved interactively, and it will be
2278 stored in the password database which matches best (see
2279 `auth-sources').
2283 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2284 mode host port username)
2288 ;; (cname (if username
2289 ;; (format "%s %s:%s %s" mode host port username)
2290 ;; (format "%s %s:%s" mode host port)))
2295 search))
2298 search))
2299 ;; (found (if (not delete-existing)
2300 ;; (gethash cname auth-source-cache)
2301 ;; (remhash cname auth-source-cache)
2302 ;; nil)))
2307 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2308 mode
2309 ;; don't show the password
2311 "SECRET"
2312 found)
2313 host port username)
2315 ;; else, if not found, search with a max of 1
2330 found))
2336 :host host
2337 :user user
2342 :host host
2354 ;;; auth-source.el ends here