| blob | 6e6c74509f09c93dce1a6d9b4d4b1c4c1cda8f8c |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2013 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
77 "Authentication sources."
81 ;;;###autoload
83 "How many seconds passwords are cached, or nil to disable
84 expiring. Overrides `password-cache-expiry' through a
85 let-binding."
94 ;; The slots below correspond with the `auth-source-search' spec,
95 ;; so a backend with :host set, for instance, would match only
96 ;; searches for that host. Normally they are nil.
100 :type symbol
101 :custom symbol
104 :type string
105 :custom string
108 :initform t
109 :type t
110 :custom string
113 :initform t
114 :type t
115 :custom string
118 :initform t
119 :type t
120 :custom string
123 :initform nil
126 :initform ignore
127 :type function
128 :custom function
131 :initform ignore
132 :type function
133 :custom function
141 "List of authentication protocols and their names"
151 ;; Generate all the protocols in a format Customize can use.
152 ;; TODO: generate on the fly from auth-source-protocols
158 p)))
159 auth-source-protocols))
170 "If set, auth-source will respect it for save behavior."
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
208 "Whether auth-source should cache information with `password-cache'."
214 "Whether auth-source should log debug messages.
216 If the value is nil, debug messages are not logged.
218 If the value is t, debug messages are logged with `message'. In
219 that case, your authentication data will be in the clear (except
220 for passwords).
222 If the value is a function, debug messages are logged by calling
223 that function using the same arguments as `message'."
230 trivia)
235 "List of authentication sources.
237 The default will get login and password information from
239 packages to be encrypted. If that file doesn't exist, it will
243 See the auth.info manual for details.
245 Each entry is the authentication type with optional properties.
247 It's best to customize this with `M-x customize-variable' because the choices
248 can get pretty complex."
259 macos-keychain-internet)
262 macos-keychain-generic)
316 "List of recipient keys that `authinfo.gpg' encrypted to.
317 If the value is not a list, symmetric encryption will be used."
324 ;; temp for debugging
325 ;; (unintern 'auth-source-protocols)
326 ;; (unintern 'auth-sources)
327 ;; (customize-variable 'auth-sources)
328 ;; (setq auth-sources nil)
329 ;; (format "%S" auth-sources)
330 ;; (customize-variable 'auth-source-protocols)
331 ;; (setq auth-source-protocols nil)
332 ;; (format "%S" auth-source-protocols)
333 ;; (auth-source-pick nil :host "a" :port 'imap)
334 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
335 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
336 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
337 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
338 ;; (auth-source-protocol-defaults 'imap)
340 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
341 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
342 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
354 ;; set logger to either the function in auth-source-debug or 'message
355 ;; note that it will be 'message if auth-source-debug is nil
357 auth-source-debug
359 msg))
362 ;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
364 "Read one of CHOICES by `read-char-choice', or `read-char'.
365 `dropdown-list' support is disabled because it doesn't work reliably.
366 Only one of CHOICES will be returned. The PROMPT is augmented
374 k)
382 k)))
384 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
385 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
386 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
387 ;; (:source (:secrets "session") :host t :port t :user "joe")
388 ;; (:source (:secrets "Login") :host t :port t)
389 ;; (:source "~/.authinfo.gpg" :host t :port t)))
391 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
392 ;; (:source (:secrets "session") :host t :port t :user "joe")
393 ;; (:source (:secrets "Login") :host t :port t)
394 ;; ))
396 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
398 ;; (auth-source-backend-parse "myfile.gpg")
399 ;; (auth-source-backend-parse 'default)
400 ;; (auth-source-backend-parse "secrets:Login")
401 ;; (auth-source-backend-parse 'macos-keychain-internet)
402 ;; (auth-source-backend-parse 'macos-keychain-generic)
403 ;; (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
404 ;; (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
407 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
409 entry
411 ;; take 'default and recurse to get it as a Secrets API default collection
412 ;; matching any user, host, and protocol
415 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
416 ;; matching any user, host, and protocol
420 ;; take 'macos-keychain-internet and recurse to get it as a Mac OS
421 ;; Keychain collection matching any user, host, and protocol
424 ;; take 'macos-keychain-generic and recurse to get it as a Mac OS
425 ;; Keychain collection matching any user, host, and protocol
428 ;; take macos-keychain-internet:XYZ and recurse to get it as MacOS
429 ;; Keychain "XYZ" matching any user, host, and protocol
431 entry))
434 ;; take macos-keychain-generic:XYZ and recurse to get it as MacOS
435 ;; Keychain "XYZ" matching any user, host, and protocol
437 entry))
441 ;; take just a file name and recurse to get it as a netrc file
442 ;; matching any user, host, and protocol
446 ;; a file name with parameters
463 ;; the MacOS Keychain
474 'macos-keychain-generic
477 :macos-keychain-generic
485 :source source
486 :type keychain-type
490 ;; the Secrets API. We require the package, in order to have a
491 ;; defined value for `secrets-enabled'.
498 ;; the source is either the :secrets key in ENTRY or
499 ;; if that's missing or nil, it's "session"
503 ;; if the source is a symbol, we look for the alias named so,
504 ;; and if that alias is missing, we use "Login"
512 :source source
523 ;; none of them
528 "Empty"
533 "Fills in the extra auth-source-backend parameters of ENTRY.
534 Using the plist ENTRY, get the :host, :port, and :user search
535 parameters."
537 nil
538 entry))
539 val)
546 backend)
548 ;; (mapcar 'auth-source-backend-parse auth-sources)
551 &key type max host user port secret
552 require create delete
554 "Search or modify authentication backends according to SPEC.
556 This function parses `auth-sources' for matches of the SPEC
557 plist. It can optionally create or update an authentication
558 token if requested. A token is just a standard Emacs property
559 list with a :secret property that can be a function; all the
560 other properties will always hold scalar values.
562 Typically the :secret property, if present, contains a password.
564 Common search keys are :max, :host, :port, and :user. In
565 addition, :create specifies how tokens will be or created.
566 Finally, :type can specify which backend types you want to check.
568 A string value is always matched literally. A symbol is matched
569 as its string value, literally. All the SPEC values can be
570 single values (symbol or string) or lists thereof (in which case
571 any of the search terms matches).
573 :create t means to create a token if possible.
575 A new token will be created if no matching tokens were found.
576 The new token will have only the keys the backend requires. For
577 the netrc backend, for instance, that's the user, host, and
578 port keys.
580 Here's an example:
586 :create t))
588 which says:
591 'netrc', maximum one result.
593 Create a new entry if you found none. The netrc backend will
594 automatically require host, user, and port. The host will be
595 'mine'. We prompt for the user with default 'defaultUser' and
596 for the port without a default. We will not prompt for A, Q,
597 or P. The resulting token will only have keys user, host, and
600 :create '(A B C) also means to create a token if possible.
602 The behavior is like :create t but if the list contains any
603 parameter, that parameter will be required in the resulting
604 token. The value for that parameter will be obtained from the
605 search parameters or from user input. If any queries are needed,
606 the alist `auth-source-creation-defaults' will be checked for the
607 default value. If the user, host, or port are missing, the alist
608 `auth-source-creation-prompts' will be used to look up the
609 prompts IN THAT ORDER (so the 'user prompt will be queried first,
610 then 'host, then 'port, and finally 'secret). Each prompt string
611 can use %u, %h, and %p to show the user, host, and port.
613 Here's an example:
617 (auth-source-creation-prompts
621 :create '(A B Q)))
623 which says:
626 or 'twosuch' in backends of type 'netrc', maximum one result.
628 Create a new entry if you found none. The netrc backend will
629 automatically require host, user, and port. The host will be
630 'nonesuch' and Q will be 'qqqq'. We prompt for the password
631 with the shown prompt. We will not prompt for Q. The resulting
632 token will have keys user, host, port, A, B, and Q. It will not
633 have P with any value, even though P is used in the search to
636 When multiple values are specified in the search parameter, the
637 user is prompted for which one. So :host (X Y Z) would ask the
638 user to choose between X, Y, and Z.
640 This creation can fail if the search was not specific enough to
641 create a new token (it's up to the backend to decide that). You
642 should `catch' the backend-specific error as usual. Some
643 backends (netrc, at least) will prompt the user rather than throw
644 an error.
646 :require (A B C) means that only results that contain those
647 tokens will be returned. Thus for instance requiring :secret
648 will ensure that any results will actually have a :secret
649 property.
651 :delete t means to delete any found entries. nil by default.
652 Use `auth-source-delete' in ELisp code instead of calling
653 `auth-source-search' directly with this parameter.
655 :type (X Y Z) will check only those backend types. 'netrc and
656 'secrets are the only ones supported right now.
658 :max N means to try to return at most N items (defaults to 1).
659 When 0 the function will return just t or nil to indicate if any
660 matches were found. More than N items may be returned, depending
661 on the search and the backend.
663 :host (X Y Z) means to match only hosts X, Y, or Z according to
664 the match rules above. Defaults to t.
666 :user (X Y Z) means to match only users X, Y, or Z according to
667 the match rules above. Defaults to t.
669 :port (P Q R) means to match only protocols P, Q, or R.
670 Defaults to t.
672 :K (V1 V2 V3) for any other key K will match values V1, V2, or
673 V3 (note the match rules above).
675 The return value is a list with at most :max tokens. Each token
676 is a plist with keys :backend :host :port :user, plus any other
677 keys provided by the backend (notably :secret). But note the
678 exception for :max 0, which see above.
680 The token can hold a :save-function key. If you call that, the
681 user will be prompted to save the data to the backend. You can't
682 request that this should happen right after creation, because
683 `auth-source-search' has no way of knowing if the token is
684 actually useful. So the caller must arrange to call this function.
686 The token's :secret key can hold a function. In that case you
687 must call it to obtain the actual value."
695 ;; note that we may have cached results but found is still nil
696 ;; (there were no results from the search)
698 filtered-backends accessor-key backend)
702 "auth-source-search: found %d CACHED results matching %S"
716 ;; ignore invalid slots
726 "auth-source-search: found %d backends matching %S"
729 ;; (debug spec "filtered" filtered-backends)
730 ;; First go through all the backends without :create, so we can
731 ;; query them all.
733 spec
734 ;; to exit early
735 max
736 ;; create is always nil here
737 nil delete
738 require))
741 "auth-source-search: found %d results (max %d) matching %S"
744 ;; If we didn't find anything, then we allow the backend(s) to
745 ;; create the entries.
749 spec
750 ;; to exit early
751 max
752 create delete
753 require))
755 "auth-source-search: CREATED %d results (max %d) matching %S"
758 ;; note we remember the lack of result too, if it's applicable
762 found))
770 :backend backend
772 ;; note we're overriding whatever the spec
773 ;; has for :require, :create, and :delete
774 :require require
775 :create create
776 :delete delete
777 spec)))
780 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
784 spec)
786 matches))
788 ;; (auth-source-search :max 1)
789 ;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
790 ;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
791 ;; (auth-source-search :host "nonesuch" :type 'secrets)
794 &key delete
796 "Delete entries from the authentication backends according to SPEC.
797 Calls `auth-source-search' with the :delete property in SPEC set to t.
798 The backend may not actually delete the entries.
800 Returns the deleted entries."
804 "Returns t is VALUE is t or COLLECTION is t or contains VALUE."
808 ;; (debug :collection collection :value value)
817 "Forget all cached auth-source data."
820 ;; when the symbol name starts with auth-source-magic
823 ;; remove that key
828 "Format SPEC entry to put it in the password cache."
832 "Remember FOUND search results for SPEC."
838 "Recall FOUND search results for SPEC."
842 "Check if SPEC is remembered."
847 "Forget any cached data matching SPEC exactly.
849 This is the same SPEC you passed to `auth-source-search'.
850 Returns t or nil for forgotten or not found."
853 ;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
855 ;; (auth-source-remember '(:host "wedd") '(4 5 6))
856 ;; (auth-source-remembered-p '(:host "wedd"))
857 ;; (auth-source-remember '(:host "xedd") '(1 2 3))
858 ;; (auth-source-remembered-p '(:host "xedd"))
859 ;; (auth-source-remembered-p '(:host "zedd"))
860 ;; (auth-source-recall '(:host "xedd"))
861 ;; (auth-source-recall '(:host t))
862 ;; (auth-source-forget+ :host t)
865 "Forget any cached data matching SPEC. Returns forgotten count.
867 This is not a full `auth-source-search' spec but works similarly.
869 cached data that was found with a search for those two hosts,
870 while \(:host t) would find all host entries."
872 sname)
874 ;; when the symbol name matches with auth-source-magic
877 sname)
878 ;; and the spec matches what was stored in the cache
880 ;; remove that key
884 count))
896 ;; (auth-source-pick-first-password :host "z.lifelogs.com")
897 ;; (auth-source-pick-first-password :port "imap")
899 "Pick the first secret found from applying SPEC to `auth-source-search'."
905 secret)))
907 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
909 "Format PROMPT using %x (for any character x) specifiers in ALIST."
916 prompt)))))
917 prompt)
925 value))
926 values))
928 ;;; Backend specific parsing: netrc/authinfo backend
945 ;; (auth-source-netrc-parse "~/.authinfo.gpg")
947 spec
948 &key file max host user port delete require
950 "Parse FILE and return a list of all entries in the file.
951 Note that the MAX parameter is used so we can exit the parse early."
953 ;; We got already parsed contents; just return it.
954 file
966 alist elem result pair)
973 "auth-source-netrc-parse: using CACHED file data for %s"
974 file)
977 ;; cache all netrc files (used to be just .gpg files)
978 ;; Store the contents of the file heavily encrypted in memory.
979 ;; (note for the irony-impaired: they are just obfuscated)
981 auth-source-netrc-cache file
986 ;; Go through the file, line by line.
991 ;; For each line, get the tokens and values.
994 ;; Skip lines that begin with a "#".
1006 ;; We skip past the macro definition.
1012 ;; Tokens that don't have a following value are ignored,
1013 ;; except "default".
1019 ;; Values that haven't got a preceding token are ignored.
1028 host
1032 t))
1034 user
1039 t))
1041 port
1045 t))
1047 ;; the required list of keys is nil, or
1049 ;; every element of require is in the normalized list
1056 ;; to delete a line, we just comment it out
1062 pair nil)
1068 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1069 ;; this buffer lets epa-file skip the key selection query
1070 ;; (see the `local-variable-p' check in
1071 ;; `epa-file-write-region').
1077 ;; ask AFTER we've successfully opened the file
1079 file modified))
1082 "auth-source-netrc-parse: modified %d lines in %s"
1083 modified file)))
1092 passphrase)
1093 ;; return the saved passphrase, calling a function if needed
1104 t))
1107 passphrase))))
1109 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1111 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1112 FILE is the file from which we obtained this token."
1116 plain)
1118 context
1120 file))
1123 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1127 cipher)
1130 context
1132 file))
1148 ;; apply key aliases
1155 ;; send back the secret in a function (lexical binding)
1160 ;; it's a GPG token: create a token decoder
1161 ;; which unsets itself once
1166 val
1167 filename)
1172 lexv))))
1175 v))))
1176 ret))
1177 alist))
1179 ;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1180 ;; (funcall secret)
1183 spec
1184 &key backend require create delete
1185 type max host user port
1187 "Given a property list SPEC, return search matches from the :backend.
1188 See `auth-source-search' for details on SPEC."
1189 ;; just in case, check that the type is correct (null or same as the backend)
1195 :max max
1196 :require require
1197 :delete delete
1204 ;; if we need to create an entry AND none were found to match
1208 ;; create based on the spec and record the value
1210 ;; if the user did not want to create the entry
1211 ;; in the file, it will be returned
1213 ;; if not, we do the search again without :create
1214 ;; to get the updated data.
1216 ;; the result will be returned, even if the search fails
1219 results))
1224 v))
1226 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1227 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1230 &key backend
1231 secret host user port create
1234 ;; we know (because of an assertion in auth-source-search) that the
1235 ;; :create parameter is either t or a list (which includes nil)
1238 :host host
1243 ;; `valist' is an alist
1244 valist
1245 ;; `artificial' will be returned if no creation is needed
1246 artificial)
1248 ;; only for base required elements (defined as function parameters):
1249 ;; fill in the valist with whatever data we may have from the search
1250 ;; we complete the first value if it's a list and use the value otherwise
1254 ;; all-accepting choice (predicate is t)
1256 ;; just the value otherwise
1261 ;; for extra required elements, see if the spec includes a value for them
1270 ;; for each required element
1273 ;; take the first element if the data is a list
1277 ;; this is the default to be offered
1279 auth-source-creation-defaults r))
1280 ;; the default supplementals are simple:
1281 ;; for the user, try `given-default' and then (user-login-name);
1282 ;; otherwise take `given-default'
1314 prompt
1319 ;; Store the data, prompting for the password if needed.
1322 ;; Special case prompt for passwords.
1323 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1324 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1332 auth-source-netrc-use-gpg-tokens))
1333 item ret)
1342 ;; ask if we don't know what to do (in which case
1343 ;; auth-source-netrc-use-gpg-tokens must be a list)
1346 ;; TODO: save the defcustom now? or ask?
1349 auth-source-netrc-use-gpg-tokens)))
1352 plain))
1358 nil nil default)
1367 data))))
1369 ;; When r is not an empty string...
1372 ;; this function is not strictly necessary but I think it
1373 ;; makes the code clearer -tzz
1375 ;; append the key (the symbol name of r)
1376 ;; and the value in r
1378 ;; prepend a space
1380 ;; remap auth-source tokens to netrc
1389 data)))))
1393 artificial
1394 :save-function
1401 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1403 "Save a line ADD in FILE, prompting along the way.
1404 Respects `auth-source-save-behavior'. Uses
1405 `auth-source-netrc-cache' to avoid prompting more than once."
1411 "auth-source-netrc-saver: found previous run for key %s, returning"
1412 key)
1417 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1418 ;; this buffer lets epa-file skip the key selection query
1419 ;; (see the `local-variable-p' check in
1420 ;; `epa-file-write-region').
1425 ;; we want the new data to be found first, so insert at beginning
1428 ;; Ask AFTER we've successfully opened the file.
1432 k)
1445 ;; Why? Doesn't with-output-to-temp-buffer already do
1446 ;; the exact same thing anyway? --Stef
1450 done t))
1451 (?N
1453 done t)
1461 ;; Make sure the info is not saved.
1471 ;; Make the .authinfo file non-world-readable.
1474 "auth-source-netrc-create: wrote 1 new line to %s"
1475 file)
1477 nil))))
1480 ;;; Backend specific parsing: Secrets API backend
1482 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1483 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1484 ;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1485 ;; (let ((auth-sources '(default))) (auth-source-search))
1486 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1487 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1490 spec
1491 &key backend create delete label
1492 type max host user port
1494 "Search the Secrets API; spec is like `auth-source'.
1496 The :label key specifies the item's label. It is the only key
1497 that can specify a substring. Any :label value besides a string
1498 will allow any label.
1500 All other search keys must match exactly. If you need substring
1501 matching, do a wider search and narrow it down yourself.
1503 You'll get back all the properties of the token as a plist.
1505 Here's an example that looks for the first item in the 'Login'
1506 Secrets collection:
1509 (auth-source-search :max 1)
1511 Here's another that looks for the first item in the 'Login'
1512 Secrets collection whose label contains 'gnus':
1517 And this one looks for the first item in the 'Login' Secrets
1518 collection that's a Google Chrome entry for the git.gnus.org site
1519 authentication tokens:
1523 "
1525 ;; TODO
1528 ;; TODO
1529 ;; (secrets-delete-item coll elt)
1539 ;; build a search spec without the ignored keys
1540 ;; if a search key is nil or t (match anything), we skip it
1545 nil
1547 search-keys)))
1548 ;; needed keys (always including host, login, port, and secret)
1551 search-keys)))
1555 collect item))
1556 ;; TODO: respect max in `secrets-search-items', not after the fact
1558 ;; convert the item name to a full plist
1561 ;; make an entry for the secret (password) element
1563 :secret
1566 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1571 items))
1572 ;; ensure each item has each key in `returned-keys'
1578 nil
1580 returned-keys))
1581 plist))
1582 items)))
1583 items))
1586 spec
1587 &key backend type max host user port
1589 ;; TODO
1590 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1593 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1595 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :create t))
1596 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :delete t))
1597 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
1598 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search))
1600 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :create t))
1601 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :delete t))
1602 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
1603 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search))
1605 ;; (let ((auth-sources '("macos-keychain-internet:/Users/tzz/Library/Keychains/login.keychain"))) (auth-source-search :max 1))
1606 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1 :host "git.gnus.org"))
1609 spec
1610 &key backend create delete label
1611 type max host user port
1613 "Search the MacOS Keychain; spec is like `auth-source'.
1615 All search keys must match exactly. If you need substring
1616 matching, do a wider search and narrow it down yourself.
1618 You'll get back all the properties of the token as a plist.
1620 The :type key is either 'macos-keychain-internet or
1621 'macos-keychain-generic.
1623 For the internet keychain type, the :label key searches the
1627 (note PROT has to be a 4-character string).
1629 For the generic keychain type, the :label key searches the item's
1634 Here's an example that looks for the first item in the default
1635 generic MacOS Keychain:
1637 \(let ((auth-sources '(macos-keychain-generic)))
1638 (auth-source-search :max 1)
1640 Here's another that looks for the first item in the internet
1641 MacOS Keychain collection whose label is 'gnus':
1643 \(let ((auth-sources '(macos-keychain-internet)))
1646 And this one looks for the first item in the internet keychain
1647 entries for git.gnus.org:
1651 "
1652 ;; TODO
1655 ;; TODO
1656 ;; (macos-keychain-delete-item coll elt)
1666 ;; build a search spec without the ignored keys
1667 ;; if a search key is nil or t (match anything), we skip it
1672 nil
1674 search-keys)))
1675 ;; needed keys (always including host, login, port, and secret)
1678 search-keys)))
1680 coll
1681 type
1682 max
1683 search-spec))
1685 ;; ensure each item has each key in `returned-keys'
1691 nil
1693 returned-keys))
1694 plist))
1695 items)))
1696 items))
1699 &rest spec
1700 &key label type
1701 host user port
1706 "find-generic-password"
1722 port)))))
1734 ret
1735 keychain-generic
1736 "secret"
1739 ;; TODO: check if this is really the label
1740 ;; match 0x00000007 <blob>="AppleID"
1743 ret
1744 keychain-generic
1745 "label"
1747 ;; match "crtr"<uint32>="aapl"
1748 ;; match "svce"<blob>="AppleID"
1751 ret
1752 keychain-generic
1756 ;; return `ret' iff it has the :secret key
1763 ;; for generic keychains, creator is host, service is port
1766 ;; for internet keychains, protocol is port, server is host
1774 spec
1775 &key backend type max host user port
1777 ;; TODO
1780 ;;; Backend specific parsing: PLSTORE backend
1783 spec
1784 &key backend create delete label
1785 type max host user port
1787 "Search the PLSTORE; spec is like `auth-source'."
1794 ;; build a search spec without the ignored keys
1795 ;; if a search key is nil or t (match anything), we skip it
1801 nil
1805 search-keys)))
1806 ;; needed keys (always including host, login, port, and secret)
1809 search-keys)))
1813 ;; convert the item to a full plist
1822 plist))
1823 items))
1824 ;; ensure each item has each key in `returned-keys'
1830 nil
1832 returned-keys))
1833 plist))
1834 items)))
1836 ;; if we need to create an entry AND none were found to match
1840 ;; create based on the spec and record the value
1842 ;; if the user did not want to create the entry
1843 ;; in the file, it will be returned
1845 ;; if not, we do the search again without :create
1846 ;; to get the updated data.
1848 ;; the result will be returned, even if the search fails
1852 item-names)
1856 items))
1859 &key backend
1860 secret host user port create
1864 ;; we know (because of an assertion in auth-source-search) that the
1865 ;; :create parameter is either t or a list (which includes nil)
1868 :host host
1873 ;; `valist' is an alist
1874 valist
1875 ;; `artificial' will be returned if no creation is needed
1876 artificial
1877 secret-artificial)
1879 ;; only for base required elements (defined as function parameters):
1880 ;; fill in the valist with whatever data we may have from the search
1881 ;; we complete the first value if it's a list and use the value otherwise
1885 ;; all-accepting choice (predicate is t)
1887 ;; just the value otherwise
1892 ;; for extra required elements, see if the spec includes a value for them
1901 ;; for each required element
1904 ;; take the first element if the data is a list
1908 ;; this is the default to be offered
1910 auth-source-creation-defaults r))
1911 ;; the default supplementals are simple:
1912 ;; for the user, try `given-default' and then (user-login-name);
1913 ;; otherwise take `given-default'
1945 prompt
1950 ;; Store the data, prompting for the password if needed.
1960 nil nil default)
1968 data))
1971 data))))))
1977 artificial secret-artificial)
1982 ;;; older API
1984 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
1986 ;; deprecate the old interface
1994 "Find MODE (string or list of strings) matching HOST and PORT.
1996 DEPRECATED in favor of `auth-source-search'!
1999 across the Secret Service API (see secrets.el) if the resulting
2000 items don't have a username. This means that if you search for
2004 A non nil DELETE-EXISTING means deleting any matching password
2005 entry in the respective sources. This is useful only when
2006 CREATE-MISSING is non nil as well; the intended use case is to
2007 remove wrong password entries.
2009 If no matching entry is found, and CREATE-MISSING is non nil,
2010 the password will be retrieved interactively, and it will be
2011 stored in the password database which matches best (see
2012 `auth-sources').
2016 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2017 mode host port username)
2028 search))
2031 search))
2032 ;; (found (if (not delete-existing)
2033 ;; (gethash cname auth-source-cache)
2034 ;; (remhash cname auth-source-cache)
2035 ;; nil)))
2040 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2041 mode
2042 ;; don't show the password
2044 "SECRET"
2045 found)
2046 host port username)
2048 ;; else, if not found, search with a max of 1
2063 found))
2069 :host host
2075 :host host
2087 ;;; auth-source.el ends here