| blob | cef88e95b926a684582636a5e07ab4195f867f00 |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2014 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
77 "Authentication sources."
81 ;;;###autoload
83 "How many seconds passwords are cached, or nil to disable
84 expiring. Overrides `password-cache-expiry' through a
85 let-binding."
94 ;; The slots below correspond with the `auth-source-search' spec,
95 ;; so a backend with :host set, for instance, would match only
96 ;; searches for that host. Normally they are nil.
100 :type symbol
101 :custom symbol
104 :type string
105 :custom string
108 :initform t
109 :type t
110 :custom string
113 :initform t
114 :type t
115 :custom string
118 :initform t
119 :type t
120 :custom string
123 :initform nil
126 :initform ignore
127 :type function
128 :custom function
131 :initform ignore
132 :type function
133 :custom function
141 "List of authentication protocols and their names"
151 ;; Generate all the protocols in a format Customize can use.
152 ;; TODO: generate on the fly from auth-source-protocols
158 p)))
159 auth-source-protocols))
170 "If set, auth-source will respect it for save behavior."
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
208 "Whether auth-source should cache information with `password-cache'."
214 "Whether auth-source should log debug messages.
216 If the value is nil, debug messages are not logged.
218 If the value is t, debug messages are logged with `message'. In
219 that case, your authentication data will be in the clear (except
220 for passwords).
222 If the value is a function, debug messages are logged by calling
223 that function using the same arguments as `message'."
230 trivia)
235 "List of authentication sources.
237 The default will get login and password information from
239 packages to be encrypted. If that file doesn't exist, it will
243 See the auth.info manual for details.
245 Each entry is the authentication type with optional properties.
247 It's best to customize this with `M-x customize-variable' because the choices
248 can get pretty complex."
259 macos-keychain-internet)
262 macos-keychain-generic)
316 "List of recipient keys that `authinfo.gpg' encrypted to.
317 If the value is not a list, symmetric encryption will be used."
324 ;; temp for debugging
325 ;; (unintern 'auth-source-protocols)
326 ;; (unintern 'auth-sources)
327 ;; (customize-variable 'auth-sources)
328 ;; (setq auth-sources nil)
329 ;; (format "%S" auth-sources)
330 ;; (customize-variable 'auth-source-protocols)
331 ;; (setq auth-source-protocols nil)
332 ;; (format "%S" auth-source-protocols)
333 ;; (auth-source-pick nil :host "a" :port 'imap)
334 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
335 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
336 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
337 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
338 ;; (auth-source-protocol-defaults 'imap)
340 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
341 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
342 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
354 ;; set logger to either the function in auth-source-debug or 'message
355 ;; note that it will be 'message if auth-source-debug is nil
357 auth-source-debug
359 msg))
362 ;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
364 "Read one of CHOICES by `read-char-choice', or `read-char'.
365 `dropdown-list' support is disabled because it doesn't work reliably.
366 Only one of CHOICES will be returned. The PROMPT is augmented
374 k)
382 k)))
384 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
385 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
386 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
387 ;; (:source (:secrets "session") :host t :port t :user "joe")
388 ;; (:source (:secrets "Login") :host t :port t)
389 ;; (:source "~/.authinfo.gpg" :host t :port t)))
391 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
392 ;; (:source (:secrets "session") :host t :port t :user "joe")
393 ;; (:source (:secrets "Login") :host t :port t)
394 ;; ))
396 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
398 ;; (auth-source-backend-parse "myfile.gpg")
399 ;; (auth-source-backend-parse 'default)
400 ;; (auth-source-backend-parse "secrets:Login")
401 ;; (auth-source-backend-parse 'macos-keychain-internet)
402 ;; (auth-source-backend-parse 'macos-keychain-generic)
403 ;; (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
404 ;; (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
407 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
409 entry
411 ;; take 'default and recurse to get it as a Secrets API default collection
412 ;; matching any user, host, and protocol
415 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
416 ;; matching any user, host, and protocol
420 ;; take 'macos-keychain-internet and recurse to get it as a Mac OS
421 ;; Keychain collection matching any user, host, and protocol
424 ;; take 'macos-keychain-generic and recurse to get it as a Mac OS
425 ;; Keychain collection matching any user, host, and protocol
428 ;; take macos-keychain-internet:XYZ and recurse to get it as MacOS
429 ;; Keychain "XYZ" matching any user, host, and protocol
431 entry))
434 ;; take macos-keychain-generic:XYZ and recurse to get it as MacOS
435 ;; Keychain "XYZ" matching any user, host, and protocol
437 entry))
441 ;; take just a file name and recurse to get it as a netrc file
442 ;; matching any user, host, and protocol
446 ;; a file name with parameters
463 ;; the MacOS Keychain
474 'macos-keychain-generic
477 :macos-keychain-generic
485 :source source
486 :type keychain-type
490 ;; the Secrets API. We require the package, in order to have a
491 ;; defined value for `secrets-enabled'.
498 ;; the source is either the :secrets key in ENTRY or
499 ;; if that's missing or nil, it's "session"
503 ;; if the source is a symbol, we look for the alias named so,
504 ;; and if that alias is missing, we use "Login"
512 :source source
523 ;; none of them
528 "Empty"
533 "Fills in the extra auth-source-backend parameters of ENTRY.
534 Using the plist ENTRY, get the :host, :port, and :user search
535 parameters."
537 nil
538 entry))
539 val)
546 backend)
548 ;; (mapcar 'auth-source-backend-parse auth-sources)
551 &key type max host user port secret
552 require create delete
554 "Search or modify authentication backends according to SPEC.
556 This function parses `auth-sources' for matches of the SPEC
557 plist. It can optionally create or update an authentication
558 token if requested. A token is just a standard Emacs property
559 list with a :secret property that can be a function; all the
560 other properties will always hold scalar values.
562 Typically the :secret property, if present, contains a password.
564 Common search keys are :max, :host, :port, and :user. In
565 addition, :create specifies how tokens will be or created.
566 Finally, :type can specify which backend types you want to check.
568 A string value is always matched literally. A symbol is matched
569 as its string value, literally. All the SPEC values can be
570 single values (symbol or string) or lists thereof (in which case
571 any of the search terms matches).
573 :create t means to create a token if possible.
575 A new token will be created if no matching tokens were found.
576 The new token will have only the keys the backend requires. For
577 the netrc backend, for instance, that's the user, host, and
578 port keys.
580 Here's an example:
586 :create t))
588 which says:
591 'netrc', maximum one result.
593 Create a new entry if you found none. The netrc backend will
594 automatically require host, user, and port. The host will be
595 'mine'. We prompt for the user with default 'defaultUser' and
596 for the port without a default. We will not prompt for A, Q,
597 or P. The resulting token will only have keys user, host, and
600 :create '(A B C) also means to create a token if possible.
602 The behavior is like :create t but if the list contains any
603 parameter, that parameter will be required in the resulting
604 token. The value for that parameter will be obtained from the
605 search parameters or from user input. If any queries are needed,
606 the alist `auth-source-creation-defaults' will be checked for the
607 default value. If the user, host, or port are missing, the alist
608 `auth-source-creation-prompts' will be used to look up the
609 prompts IN THAT ORDER (so the 'user prompt will be queried first,
610 then 'host, then 'port, and finally 'secret). Each prompt string
611 can use %u, %h, and %p to show the user, host, and port.
613 Here's an example:
617 (auth-source-creation-prompts
621 :create '(A B Q)))
623 which says:
626 or 'twosuch' in backends of type 'netrc', maximum one result.
628 Create a new entry if you found none. The netrc backend will
629 automatically require host, user, and port. The host will be
630 'nonesuch' and Q will be 'qqqq'. We prompt for the password
631 with the shown prompt. We will not prompt for Q. The resulting
632 token will have keys user, host, port, A, B, and Q. It will not
633 have P with any value, even though P is used in the search to
636 When multiple values are specified in the search parameter, the
637 user is prompted for which one. So :host (X Y Z) would ask the
638 user to choose between X, Y, and Z.
640 This creation can fail if the search was not specific enough to
641 create a new token (it's up to the backend to decide that). You
642 should `catch' the backend-specific error as usual. Some
643 backends (netrc, at least) will prompt the user rather than throw
644 an error.
646 :require (A B C) means that only results that contain those
647 tokens will be returned. Thus for instance requiring :secret
648 will ensure that any results will actually have a :secret
649 property.
651 :delete t means to delete any found entries. nil by default.
652 Use `auth-source-delete' in ELisp code instead of calling
653 `auth-source-search' directly with this parameter.
655 :type (X Y Z) will check only those backend types. 'netrc and
656 'secrets are the only ones supported right now.
658 :max N means to try to return at most N items (defaults to 1).
659 When 0 the function will return just t or nil to indicate if any
660 matches were found. More than N items may be returned, depending
661 on the search and the backend.
663 :host (X Y Z) means to match only hosts X, Y, or Z according to
664 the match rules above. Defaults to t.
666 :user (X Y Z) means to match only users X, Y, or Z according to
667 the match rules above. Defaults to t.
669 :port (P Q R) means to match only protocols P, Q, or R.
670 Defaults to t.
672 :K (V1 V2 V3) for any other key K will match values V1, V2, or
673 V3 (note the match rules above).
675 The return value is a list with at most :max tokens. Each token
676 is a plist with keys :backend :host :port :user, plus any other
677 keys provided by the backend (notably :secret). But note the
678 exception for :max 0, which see above.
680 The token can hold a :save-function key. If you call that, the
681 user will be prompted to save the data to the backend. You can't
682 request that this should happen right after creation, because
683 `auth-source-search' has no way of knowing if the token is
684 actually useful. So the caller must arrange to call this function.
686 The token's :secret key can hold a function. In that case you
687 must call it to obtain the actual value."
695 ;; note that we may have cached results but found is still nil
696 ;; (there were no results from the search)
698 filtered-backends accessor-key backend)
702 "auth-source-search: found %d CACHED results matching %S"
716 ;; ignore invalid slots
726 "auth-source-search: found %d backends matching %S"
729 ;; (debug spec "filtered" filtered-backends)
730 ;; First go through all the backends without :create, so we can
731 ;; query them all.
733 spec
734 ;; to exit early
735 max
736 ;; create is always nil here
737 nil delete
738 require))
741 "auth-source-search: found %d results (max %d) matching %S"
744 ;; If we didn't find anything, then we allow the backend(s) to
745 ;; create the entries.
749 spec
750 ;; to exit early
751 max
752 create delete
753 require))
755 "auth-source-search: CREATED %d results (max %d) matching %S"
758 ;; note we remember the lack of result too, if it's applicable
762 found))
770 :backend backend
772 ;; note we're overriding whatever the spec
773 ;; has for :require, :create, and :delete
774 :require require
775 :create create
776 :delete delete
777 spec)))
780 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
784 spec)
786 matches))
788 ;; (auth-source-search :max 1)
789 ;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
790 ;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
791 ;; (auth-source-search :host "nonesuch" :type 'secrets)
794 &key delete
796 "Delete entries from the authentication backends according to SPEC.
797 Calls `auth-source-search' with the :delete property in SPEC set to t.
798 The backend may not actually delete the entries.
800 Returns the deleted entries."
804 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
808 ;; (debug :collection collection :value value)
817 "Forget all cached auth-source data."
820 ;; when the symbol name starts with auth-source-magic
823 ;; remove that key
828 "Format SPEC entry to put it in the password cache."
832 "Remember FOUND search results for SPEC."
838 "Recall FOUND search results for SPEC."
842 "Check if SPEC is remembered."
847 "Forget any cached data matching SPEC exactly.
849 This is the same SPEC you passed to `auth-source-search'.
850 Returns t or nil for forgotten or not found."
853 ;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
855 ;; (auth-source-remember '(:host "wedd") '(4 5 6))
856 ;; (auth-source-remembered-p '(:host "wedd"))
857 ;; (auth-source-remember '(:host "xedd") '(1 2 3))
858 ;; (auth-source-remembered-p '(:host "xedd"))
859 ;; (auth-source-remembered-p '(:host "zedd"))
860 ;; (auth-source-recall '(:host "xedd"))
861 ;; (auth-source-recall '(:host t))
862 ;; (auth-source-forget+ :host t)
865 "Forget any cached data matching SPEC. Returns forgotten count.
867 This is not a full `auth-source-search' spec but works similarly.
869 cached data that was found with a search for those two hosts,
870 while \(:host t) would find all host entries."
872 sname)
874 ;; when the symbol name matches with auth-source-magic
877 sname)
878 ;; and the spec matches what was stored in the cache
880 ;; remove that key
884 count))
896 ;; (auth-source-pick-first-password :host "z.lifelogs.com")
897 ;; (auth-source-pick-first-password :port "imap")
899 "Pick the first secret found from applying SPEC to `auth-source-search'."
905 secret)))
907 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
909 "Format PROMPT using %x (for any character x) specifiers in ALIST."
916 prompt nil t)))))
917 prompt)
925 value))
926 values))
928 ;;; Backend specific parsing: netrc/authinfo backend
945 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
947 spec
948 &key file max host user port delete require
950 "Parse FILE and return a list of all entries in the file.
951 Note that the MAX parameter is used so we can exit the parse early."
953 ;; We got already parsed contents; just return it.
954 file
966 host
970 t))
972 user
977 t))
979 port
983 t))
985 ;; the required list of keys is nil, or
987 ;; every element of require is in n(ormalized)
992 result)
999 "auth-source-netrc-parse: using CACHED file data for %s"
1000 file)
1003 ;; cache all netrc files (used to be just .gpg files)
1004 ;; Store the contents of the file heavily encrypted in memory.
1005 ;; (note for the irony-impaired: they are just obfuscated)
1007 auth-source-netrc-cache file
1013 alist)
1019 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1020 ;; this buffer lets epa-file skip the key selection query
1021 ;; (see the `local-variable-p' check in
1022 ;; `epa-file-write-region').
1028 ;; ask AFTER we've successfully opened the file
1030 file modified))
1033 "auth-source-netrc-parse: modified %d lines in %s"
1034 modified file)))
1039 "Advance to the next interesting position in the current buffer."
1040 ;; If we're looking at a comment or are at the end of the line, move forward
1048 "Read one thing from the current buffer."
1058 ;; with thanks to org-mode
1062 ;; works also in narrowed buffer, because we start at 1, not point-min
1066 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1069 alist
1073 all))
1074 item item2 all alist default)
1077 ;; We're starting a new machine. Save the old one.
1081 ;; (auth-source-do-trivia
1082 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1084 alist nil))
1085 ;; In default entries, we don't have a next token.
1086 ;; We store them as ("machine" . t)
1089 ;; Not a default entry. Grab the next item.
1091 ;; Did we get a "machine" value?
1095 "%s: Unexpected 'machine' token at line %d"
1096 "auth-source-netrc-parse-entries"
1101 ;; Clean up: if there's an entry left over, use it.
1104 ;; (auth-source-do-trivia
1105 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1106 )
1114 passphrase)
1115 ;; return the saved passphrase, calling a function if needed
1126 t))
1129 passphrase))))
1131 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1133 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1134 FILE is the file from which we obtained this token."
1138 plain)
1140 context
1142 file))
1145 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1149 cipher)
1152 context
1154 file))
1170 ;; apply key aliases
1177 ;; send back the secret in a function (lexical binding)
1182 ;; it's a GPG token: create a token decoder
1183 ;; which unsets itself once
1188 val
1189 filename)
1194 lexv))))
1197 v))))
1198 ret))
1199 alist))
1201 ;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1202 ;; (funcall secret)
1205 spec
1206 &key backend require create delete
1207 type max host user port
1209 "Given a property list SPEC, return search matches from the :backend.
1210 See `auth-source-search' for details on SPEC."
1211 ;; just in case, check that the type is correct (null or same as the backend)
1217 :max max
1218 :require require
1219 :delete delete
1226 ;; if we need to create an entry AND none were found to match
1230 ;; create based on the spec and record the value
1232 ;; if the user did not want to create the entry
1233 ;; in the file, it will be returned
1235 ;; if not, we do the search again without :create
1236 ;; to get the updated data.
1238 ;; the result will be returned, even if the search fails
1241 results))
1246 v))
1248 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1249 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1252 &key backend
1253 secret host user port create
1256 ;; we know (because of an assertion in auth-source-search) that the
1257 ;; :create parameter is either t or a list (which includes nil)
1260 :host host
1265 ;; `valist' is an alist
1266 valist
1267 ;; `artificial' will be returned if no creation is needed
1268 artificial)
1270 ;; only for base required elements (defined as function parameters):
1271 ;; fill in the valist with whatever data we may have from the search
1272 ;; we complete the first value if it's a list and use the value otherwise
1276 ;; all-accepting choice (predicate is t)
1278 ;; just the value otherwise
1283 ;; for extra required elements, see if the spec includes a value for them
1292 ;; for each required element
1295 ;; take the first element if the data is a list
1299 ;; this is the default to be offered
1301 auth-source-creation-defaults r))
1302 ;; the default supplementals are simple:
1303 ;; for the user, try `given-default' and then (user-login-name);
1304 ;; otherwise take `given-default'
1336 prompt
1341 ;; Store the data, prompting for the password if needed.
1344 ;; Special case prompt for passwords.
1345 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1346 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1354 auth-source-netrc-use-gpg-tokens))
1355 item ret)
1364 ;; ask if we don't know what to do (in which case
1365 ;; auth-source-netrc-use-gpg-tokens must be a list)
1368 ;; TODO: save the defcustom now? or ask?
1371 auth-source-netrc-use-gpg-tokens)))
1374 plain))
1380 nil nil default)
1389 data))))
1391 ;; When r is not an empty string...
1394 ;; this function is not strictly necessary but I think it
1395 ;; makes the code clearer -tzz
1397 ;; append the key (the symbol name of r)
1398 ;; and the value in r
1400 ;; prepend a space
1402 ;; remap auth-source tokens to netrc
1411 data)))))
1415 artificial
1416 :save-function
1423 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1425 "Save a line ADD in FILE, prompting along the way.
1426 Respects `auth-source-save-behavior'. Uses
1427 `auth-source-netrc-cache' to avoid prompting more than once."
1433 "auth-source-netrc-saver: found previous run for key %s, returning"
1434 key)
1439 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1440 ;; this buffer lets epa-file skip the key selection query
1441 ;; (see the `local-variable-p' check in
1442 ;; `epa-file-write-region').
1447 ;; we want the new data to be found first, so insert at beginning
1450 ;; Ask AFTER we've successfully opened the file.
1454 k)
1467 ;; Why? Doesn't with-output-to-temp-buffer already do
1468 ;; the exact same thing anyway? --Stef
1472 done t))
1473 (?N
1475 done t)
1483 ;; Make sure the info is not saved.
1493 ;; Make the .authinfo file non-world-readable.
1496 "auth-source-netrc-create: wrote 1 new line to %s"
1497 file)
1499 nil))))
1502 ;;; Backend specific parsing: Secrets API backend
1504 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1505 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1506 ;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1507 ;; (let ((auth-sources '(default))) (auth-source-search))
1508 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1509 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1512 spec
1513 &key backend create delete label
1514 type max host user port
1516 "Search the Secrets API; spec is like `auth-source'.
1518 The :label key specifies the item's label. It is the only key
1519 that can specify a substring. Any :label value besides a string
1520 will allow any label.
1522 All other search keys must match exactly. If you need substring
1523 matching, do a wider search and narrow it down yourself.
1525 You'll get back all the properties of the token as a plist.
1527 Here's an example that looks for the first item in the 'Login'
1528 Secrets collection:
1531 (auth-source-search :max 1)
1533 Here's another that looks for the first item in the 'Login'
1534 Secrets collection whose label contains 'gnus':
1539 And this one looks for the first item in the 'Login' Secrets
1540 collection that's a Google Chrome entry for the git.gnus.org site
1541 authentication tokens:
1545 "
1547 ;; TODO
1550 ;; TODO
1551 ;; (secrets-delete-item coll elt)
1561 ;; build a search spec without the ignored keys
1562 ;; if a search key is nil or t (match anything), we skip it
1567 nil
1569 search-keys)))
1570 ;; needed keys (always including host, login, port, and secret)
1573 search-keys)))
1577 collect item))
1578 ;; TODO: respect max in `secrets-search-items', not after the fact
1580 ;; convert the item name to a full plist
1583 ;; make an entry for the secret (password) element
1585 :secret
1588 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1593 items))
1594 ;; ensure each item has each key in `returned-keys'
1600 nil
1602 returned-keys))
1603 plist))
1604 items)))
1605 items))
1608 spec
1609 &key backend type max host user port
1611 ;; TODO
1612 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1615 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1617 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :create t))
1618 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :delete t))
1619 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
1620 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search))
1622 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :create t))
1623 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :delete t))
1624 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
1625 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search))
1627 ;; (let ((auth-sources '("macos-keychain-internet:/Users/tzz/Library/Keychains/login.keychain"))) (auth-source-search :max 1))
1628 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1 :host "git.gnus.org"))
1631 spec
1632 &key backend create delete label
1633 type max host user port
1635 "Search the MacOS Keychain; spec is like `auth-source'.
1637 All search keys must match exactly. If you need substring
1638 matching, do a wider search and narrow it down yourself.
1640 You'll get back all the properties of the token as a plist.
1642 The :type key is either 'macos-keychain-internet or
1643 'macos-keychain-generic.
1645 For the internet keychain type, the :label key searches the
1649 (note PROT has to be a 4-character string).
1651 For the generic keychain type, the :label key searches the item's
1656 Here's an example that looks for the first item in the default
1657 generic MacOS Keychain:
1659 \(let ((auth-sources '(macos-keychain-generic)))
1660 (auth-source-search :max 1)
1662 Here's another that looks for the first item in the internet
1663 MacOS Keychain collection whose label is 'gnus':
1665 \(let ((auth-sources '(macos-keychain-internet)))
1668 And this one looks for the first item in the internet keychain
1669 entries for git.gnus.org:
1673 "
1674 ;; TODO
1677 ;; TODO
1678 ;; (macos-keychain-delete-item coll elt)
1688 ;; build a search spec without the ignored keys
1689 ;; if a search key is nil or t (match anything), we skip it
1694 nil
1696 search-keys)))
1697 ;; needed keys (always including host, login, port, and secret)
1700 search-keys)))
1702 coll
1703 type
1704 max
1705 search-spec))
1707 ;; ensure each item has each key in `returned-keys'
1713 nil
1715 returned-keys))
1716 plist))
1717 items)))
1718 items))
1721 &rest spec
1722 &key label type
1723 host user port
1728 "find-generic-password"
1744 port)))))
1756 ret
1757 keychain-generic
1758 "secret"
1761 ;; TODO: check if this is really the label
1762 ;; match 0x00000007 <blob>="AppleID"
1765 ret
1766 keychain-generic
1767 "label"
1769 ;; match "crtr"<uint32>="aapl"
1770 ;; match "svce"<blob>="AppleID"
1773 ret
1774 keychain-generic
1778 ;; return `ret' iff it has the :secret key
1785 ;; for generic keychains, creator is host, service is port
1788 ;; for internet keychains, protocol is port, server is host
1796 spec
1797 &key backend type max host user port
1799 ;; TODO
1802 ;;; Backend specific parsing: PLSTORE backend
1805 spec
1806 &key backend create delete label
1807 type max host user port
1809 "Search the PLSTORE; spec is like `auth-source'."
1816 ;; build a search spec without the ignored keys
1817 ;; if a search key is nil or t (match anything), we skip it
1823 nil
1827 search-keys)))
1828 ;; needed keys (always including host, login, port, and secret)
1831 search-keys)))
1835 ;; convert the item to a full plist
1844 plist))
1845 items))
1846 ;; ensure each item has each key in `returned-keys'
1852 nil
1854 returned-keys))
1855 plist))
1856 items)))
1858 ;; if we need to create an entry AND none were found to match
1862 ;; create based on the spec and record the value
1864 ;; if the user did not want to create the entry
1865 ;; in the file, it will be returned
1867 ;; if not, we do the search again without :create
1868 ;; to get the updated data.
1870 ;; the result will be returned, even if the search fails
1874 item-names)
1878 items))
1881 &key backend
1882 secret host user port create
1886 ;; we know (because of an assertion in auth-source-search) that the
1887 ;; :create parameter is either t or a list (which includes nil)
1890 :host host
1895 ;; `valist' is an alist
1896 valist
1897 ;; `artificial' will be returned if no creation is needed
1898 artificial
1899 secret-artificial)
1901 ;; only for base required elements (defined as function parameters):
1902 ;; fill in the valist with whatever data we may have from the search
1903 ;; we complete the first value if it's a list and use the value otherwise
1907 ;; all-accepting choice (predicate is t)
1909 ;; just the value otherwise
1914 ;; for extra required elements, see if the spec includes a value for them
1923 ;; for each required element
1926 ;; take the first element if the data is a list
1930 ;; this is the default to be offered
1932 auth-source-creation-defaults r))
1933 ;; the default supplementals are simple:
1934 ;; for the user, try `given-default' and then (user-login-name);
1935 ;; otherwise take `given-default'
1967 prompt
1972 ;; Store the data, prompting for the password if needed.
1982 nil nil default)
1990 data))
1993 data))))))
1999 artificial secret-artificial)
2004 ;;; older API
2006 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2008 ;; deprecate the old interface
2016 "Find MODE (string or list of strings) matching HOST and PORT.
2018 DEPRECATED in favor of `auth-source-search'!
2021 across the Secret Service API (see secrets.el) if the resulting
2022 items don't have a username. This means that if you search for
2026 A non nil DELETE-EXISTING means deleting any matching password
2027 entry in the respective sources. This is useful only when
2028 CREATE-MISSING is non nil as well; the intended use case is to
2029 remove wrong password entries.
2031 If no matching entry is found, and CREATE-MISSING is non nil,
2032 the password will be retrieved interactively, and it will be
2033 stored in the password database which matches best (see
2034 `auth-sources').
2038 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2039 mode host port username)
2050 search))
2053 search))
2054 ;; (found (if (not delete-existing)
2055 ;; (gethash cname auth-source-cache)
2056 ;; (remhash cname auth-source-cache)
2057 ;; nil)))
2062 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2063 mode
2064 ;; don't show the password
2066 "SECRET"
2067 found)
2068 host port username)
2070 ;; else, if not found, search with a max of 1
2085 found))
2091 :host host
2097 :host host
2109 ;;; auth-source.el ends here