lisp/auth-source-pass.el

   1 ;;; auth-source-pass.el --- Integrate auth-source with password-store -*- lexical-binding: t -*-
   2
   3 ;; Copyright (C) 2015, 2017 Free Software Foundation, Inc.
   4
   5 ;; Author: Damien Cassou <damien@cassou.me>,
   6 ;;         Nicolas Petton <nicolas@petton.fr>
   7 ;; Version: 2.0.0
   8 ;; Package-Requires: ((emacs "24.4")
   9 ;; Created: 07 Jun 2015
  10 ;; Keywords: pass password-store auth-source username password login
  11
  12 ;; This file is part of GNU Emacs.
  13
  14 ;; GNU Emacs is free software: you can redistribute it and/or modify
  15 ;; it under the terms of the GNU General Public License as published by
  16 ;; the Free Software Foundation, either version 3 of the License, or
  17 ;; (at your option) any later version.
  18
  19 ;; GNU Emacs is distributed in the hope that it will be useful,
  20 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
  21 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  22 ;; GNU General Public License for more details.
  23
  24 ;; You should have received a copy of the GNU General Public License
  25 ;; along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.
  26
  27 ;;; Commentary:
  28
  29 ;; Integrates password-store (http://passwordstore.org/) within
  30 ;; auth-source.
  31
  32 ;;; Code:
  33
  34 (require 'seq)
  35 (eval-when-compile (require 'subr-x))
  36 (eval-when-compile
  37   (require 'cl-lib))
  38 (require 'auth-source)
  39 (require 'url-parse)
  40
  41 (cl-defun auth-source-pass-search (&rest spec
  42                                          &key backend type host user port
  43                                          &allow-other-keys)
  44   "Given a property list SPEC, return search matches from the :backend.
  45 See `auth-source-search' for details on SPEC."
  46   (cl-assert (or (null type) (eq type (oref backend type)))
  47              t "Invalid password-store search: %s %s")
  48   (when (listp host)
  49     ;; Take the first non-nil item of the list of hosts
  50     (setq host (seq-find #'identity host)))
  51   (list (auth-source-pass--build-result host port user)))
  52
  53 (defun auth-source-pass--build-result (host port user)
  54   "Build auth-source-pass entry matching HOST, PORT and USER."
  55   (let ((entry (auth-source-pass--find-match host user)))
  56     (when entry
  57       (let ((retval (list
  58                      :host host
  59                      :port (or (auth-source-pass-get "port" entry) port)
  60                      :user (or (auth-source-pass-get "user" entry) user)
  61                      :secret (lambda () (auth-source-pass-get 'secret entry)))))
  62         (auth-source-pass--do-debug "return %s as final result (plus hidden password)"
  63                                     (seq-subseq retval 0 -2)) ;; remove password
  64         retval))))
  65
  66 ;;;###autoload
  67 (defun auth-source-pass-enable ()
  68   "Enable auth-source-password-store."
  69   ;; To add password-store to the list of sources, evaluate the following:
  70   (add-to-list 'auth-sources 'password-store)
  71   ;; clear the cache (required after each change to #'auth-source-pass-search)
  72   (auth-source-forget-all-cached))
  73
  74 (defvar auth-source-pass-backend
  75   (auth-source-backend
  76    (format "Password store")
  77    :source "." ;; not used
  78    :type 'password-store
  79    :search-function #'auth-source-pass-search)
  80   "Auth-source backend for password-store.")
  81
  82 (defun auth-source-pass-backend-parse (entry)
  83   "Create a password-store auth-source backend from ENTRY."
  84   (when (eq entry 'password-store)
  85     (auth-source-backend-parse-parameters entry auth-source-pass-backend)))
  86
  87 (add-hook 'auth-source-backend-parser-functions #'auth-source-pass-backend-parse)
  88
  89 \f
  90 (defun auth-source-pass-get (key entry)
  91   "Return the value associated to KEY in the password-store entry ENTRY.
  92
  93 ENTRY is the name of a password-store entry.
  94 The key used to retrieve the password is the symbol `secret'.
  95
  96 The convention used as the format for a password-store file is
  97 the following (see http://www.passwordstore.org/#organization):
  98
  99 secret
 100 key1: value1
 101 key2: value2"
 102   (let ((data (auth-source-pass-parse-entry entry)))
 103     (or (cdr (assoc key data))
 104         (and (string= key "user")
 105              (cdr (assoc "username" data))))))
 106
 107 (defun auth-source-pass--read-entry (entry)
 108   "Return a string with the file content of ENTRY."
 109   (with-temp-buffer
 110     (insert-file-contents (expand-file-name
 111                            (format "%s.gpg" entry)
 112                            "~/.password-store"))
 113     (buffer-substring-no-properties (point-min) (point-max))))
 114
 115 (defun auth-source-pass-parse-entry (entry)
 116   "Return an alist of the data associated with ENTRY.
 117
 118 ENTRY is the name of a password-store entry."
 119   (let ((file-contents (ignore-errors (auth-source-pass--read-entry entry))))
 120     (and file-contents
 121          (cons `(secret . ,(auth-source-pass--parse-secret file-contents))
 122                (auth-source-pass--parse-data file-contents)))))
 123
 124 (defun auth-source-pass--parse-secret (contents)
 125   "Parse the password-store data in the string CONTENTS and return its secret.
 126 The secret is the first line of CONTENTS."
 127   (car (split-string contents "\\\n" t)))
 128
 129 (defun auth-source-pass--parse-data (contents)
 130   "Parse the password-store data in the string CONTENTS and return an alist.
 131 CONTENTS is the contents of a password-store formatted file."
 132   (let ((lines (split-string contents "\\\n" t "\\\s")))
 133     (seq-remove #'null
 134                 (mapcar (lambda (line)
 135                           (let ((pair (mapcar (lambda (s) (string-trim s))
 136                                               (split-string line ":"))))
 137                             (when (> (length pair) 1)
 138                               (cons (car pair)
 139                                     (mapconcat #'identity (cdr pair) ":")))))
 140                         (cdr lines)))))
 141
 142 (defun auth-source-pass--hostname (host)
 143   "Extract hostname from HOST."
 144   (let ((url (url-generic-parse-url host)))
 145     (or (url-host url) host)))
 146
 147 (defun auth-source-pass--hostname-with-user (host)
 148   "Extract hostname and user from HOST."
 149   (let* ((url (url-generic-parse-url host))
 150          (user (url-user url))
 151          (hostname (url-host url)))
 152     (cond
 153      ((and user hostname) (format "%s@%s" user hostname))
 154      (hostname hostname)
 155      (t host))))
 156
 157 (defun auth-source-pass--user (host)
 158   "Extract user from HOST and return it.
 159 Return nil if no match was found."
 160   (url-user (url-generic-parse-url host)))
 161
 162 (defun auth-source-pass--do-debug (&rest msg)
 163   "Call `auth-source-do-debug` with MSG and a prefix."
 164   (apply #'auth-source-do-debug
 165          (cons (concat "auth-source-password-store: " (car msg))
 166                (cdr msg))))
 167
 168 (defun auth-source-pass--select-one-entry (entries user)
 169   "Select one entry from ENTRIES by searching for a field matching USER."
 170   (let ((number (length entries))
 171         (entry-with-user
 172          (and user
 173               (seq-find (lambda (entry)
 174                           (string-equal (auth-source-pass-get "user" entry) user))
 175                         entries))))
 176     (auth-source-pass--do-debug "found %s matches: %s" number
 177                                 (mapconcat #'identity entries ", "))
 178     (if entry-with-user
 179         (progn
 180           (auth-source-pass--do-debug "return %s as it contains matching user field"
 181                                       entry-with-user)
 182           entry-with-user)
 183       (auth-source-pass--do-debug "return %s as it is the first one" (car entries))
 184       (car entries))))
 185
 186 (defun auth-source-pass--entry-valid-p (entry)
 187   "Return t iff ENTRY can be opened.
 188 Also displays a warning if not.  This function is slow, don't call it too
 189 often."
 190   (if (auth-source-pass-parse-entry entry)
 191       t
 192     (auth-source-pass--do-debug "entry '%s' is not valid" entry)
 193     nil))
 194
 195 ;; TODO: add tests for that when `assess-with-filesystem' is included
 196 ;; in Emacs
 197 (defun auth-source-pass-entries ()
 198   "Return a list of all password store entries."
 199   (let ((store-dir (expand-file-name "~/.password-store/")))
 200     (mapcar
 201      (lambda (file) (file-name-sans-extension (file-relative-name file store-dir)))
 202      (directory-files-recursively store-dir "\.gpg$"))))
 203
 204 (defun auth-source-pass--find-all-by-entry-name (entryname user)
 205   "Search the store for all entries either matching ENTRYNAME/USER or ENTRYNAME.
 206 Only return valid entries as of `auth-source-pass--entry-valid-p'."
 207   (seq-filter (lambda (entry)
 208                 (and
 209                  (or
 210                   (let ((components-host-user
 211                          (member entryname (split-string entry "/"))))
 212                     (and (= (length components-host-user) 2)
 213                          (string-equal user (cadr components-host-user))))
 214                   (string-equal entryname (file-name-nondirectory entry)))
 215                  (auth-source-pass--entry-valid-p entry)))
 216               (auth-source-pass-entries)))
 217
 218 (defun auth-source-pass--find-one-by-entry-name (entryname user)
 219   "Search the store for an entry matching ENTRYNAME.
 220 If USER is non nil, give precedence to entries containing a user field
 221 matching USER."
 222   (auth-source-pass--do-debug "searching for '%s' in entry names (user: %s)"
 223                               entryname
 224                               user)
 225   (let ((matching-entries (auth-source-pass--find-all-by-entry-name entryname user)))
 226     (pcase (length matching-entries)
 227       (0 (auth-source-pass--do-debug "no match found")
 228          nil)
 229       (1 (auth-source-pass--do-debug "found 1 match: %s" (car matching-entries))
 230          (car matching-entries))
 231       (_ (auth-source-pass--select-one-entry matching-entries user)))))
 232
 233 (defun auth-source-pass--find-match (host user)
 234   "Return a password-store entry name matching HOST and USER.
 235 If many matches are found, return the first one.  If no match is
 236 found, return nil."
 237   (or
 238    (if (auth-source-pass--user host)
 239        ;; if HOST contains a user (e.g., "user@host.com"), <HOST>
 240        (auth-source-pass--find-one-by-entry-name (auth-source-pass--hostname-with-user host) user)
 241      ;; otherwise, if USER is provided, search for <USER>@<HOST>
 242      (when (stringp user)
 243        (auth-source-pass--find-one-by-entry-name (concat user "@" (auth-source-pass--hostname host)) user)))
 244    ;; if that didn't work, search for HOST without its user component, if any
 245    (auth-source-pass--find-one-by-entry-name (auth-source-pass--hostname host) user)
 246    ;; if that didn't work, search for HOST with user extracted from it
 247    (auth-source-pass--find-one-by-entry-name
 248     (auth-source-pass--hostname host) (auth-source-pass--user host))
 249    ;; if that didn't work, remove subdomain: foo.bar.com -> bar.com
 250    (let ((components (split-string host "\\.")))
 251      (when (= (length components) 3)
 252        ;; start from scratch
 253        (auth-source-pass--find-match (mapconcat 'identity (cdr components) ".") user)))))
 254
 255 (provide 'auth-source-pass)
 256 ;;; auth-source-pass.el ends here