| blob | 78eeb9fc62f1d27c45ad0b3d3c714e716df3312a |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2015 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
49 ;; gnus-fallback-lib/ from gnus/lisp/gnus-fallback-lib
52 "gnus-fallback-lib/eieio"
54 load-path)))
87 "Authentication sources."
91 ;;;###autoload
93 "How many seconds passwords are cached, or nil to disable
94 expiring. Overrides `password-cache-expiry' through a
95 let-binding."
104 ;; The slots below correspond with the `auth-source-search' spec,
105 ;; so a backend with :host set, for instance, would match only
106 ;; searches for that host. Normally they are nil.
110 :type symbol
111 :custom symbol
114 :type string
115 :custom string
118 :initform t
119 :type t
120 :custom string
123 :initform t
124 :type t
125 :custom string
128 :initform t
129 :type t
130 :custom string
133 :initform nil
136 :initform ignore
137 :type function
138 :custom function
141 :initform ignore
142 :type function
143 :custom function
151 "List of authentication protocols and their names"
161 ;; Generate all the protocols in a format Customize can use.
162 ;; TODO: generate on the fly from auth-source-protocols
168 p)))
169 auth-source-protocols))
180 "If set, auth-source will respect it for save behavior."
189 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
190 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
193 "Set this to tell auth-source when to create GPG password
194 tokens in netrc files. It's either an alist or `never'.
195 Note that if EPA/EPG is not available, this should NOT be used."
218 "Whether auth-source should cache information with `password-cache'."
224 "Whether auth-source should log debug messages.
226 If the value is nil, debug messages are not logged.
228 If the value is t, debug messages are logged with `message'. In
229 that case, your authentication data will be in the clear (except
230 for passwords).
232 If the value is a function, debug messages are logged by calling
233 that function using the same arguments as `message'."
240 trivia)
245 "List of authentication sources.
246 Each entry is the authentication type with optional properties.
247 Entries are tried in the order in which they appear.
248 See Info node `(auth)Help for users' for details.
251 EPA/EPG set up, the file will be encrypted and decrypted
252 automatically. See Info node `(epa)Encrypting/decrypting gpg files'
253 for details.
256 can get pretty complex."
267 macos-keychain-internet)
270 macos-keychain-generic)
324 "List of recipient keys that `authinfo.gpg' encrypted to.
325 If the value is not a list, symmetric encryption will be used."
332 ;; temp for debugging
333 ;; (unintern 'auth-source-protocols)
334 ;; (unintern 'auth-sources)
335 ;; (customize-variable 'auth-sources)
336 ;; (setq auth-sources nil)
337 ;; (format "%S" auth-sources)
338 ;; (customize-variable 'auth-source-protocols)
339 ;; (setq auth-source-protocols nil)
340 ;; (format "%S" auth-source-protocols)
341 ;; (auth-source-pick nil :host "a" :port 'imap)
342 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
343 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
344 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
345 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
346 ;; (auth-source-protocol-defaults 'imap)
348 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
349 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
350 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
362 ;; set logger to either the function in auth-source-debug or 'message
363 ;; note that it will be 'message if auth-source-debug is nil
365 auth-source-debug
367 msg))
370 ;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
372 "Read one of CHOICES by `read-char-choice', or `read-char'.
373 `dropdown-list' support is disabled because it doesn't work reliably.
374 Only one of CHOICES will be returned. The PROMPT is augmented
382 k)
390 k)))
392 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
393 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
394 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
395 ;; (:source (:secrets "session") :host t :port t :user "joe")
396 ;; (:source (:secrets "Login") :host t :port t)
397 ;; (:source "~/.authinfo.gpg" :host t :port t)))
399 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
400 ;; (:source (:secrets "session") :host t :port t :user "joe")
401 ;; (:source (:secrets "Login") :host t :port t)
402 ;; ))
404 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
406 ;; (auth-source-backend-parse "myfile.gpg")
407 ;; (auth-source-backend-parse 'default)
408 ;; (auth-source-backend-parse "secrets:Login")
409 ;; (auth-source-backend-parse 'macos-keychain-internet)
410 ;; (auth-source-backend-parse 'macos-keychain-generic)
411 ;; (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
412 ;; (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
415 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
417 entry
419 ;; take 'default and recurse to get it as a Secrets API default collection
420 ;; matching any user, host, and protocol
423 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
424 ;; matching any user, host, and protocol
428 ;; take 'macos-keychain-internet and recurse to get it as a Mac OS
429 ;; Keychain collection matching any user, host, and protocol
432 ;; take 'macos-keychain-generic and recurse to get it as a Mac OS
433 ;; Keychain collection matching any user, host, and protocol
436 ;; take macos-keychain-internet:XYZ and recurse to get it as MacOS
437 ;; Keychain "XYZ" matching any user, host, and protocol
439 entry))
442 ;; take macos-keychain-generic:XYZ and recurse to get it as MacOS
443 ;; Keychain "XYZ" matching any user, host, and protocol
445 entry))
449 ;; take just a file name and recurse to get it as a netrc file
450 ;; matching any user, host, and protocol
454 ;; a file name with parameters
471 ;; the MacOS Keychain
482 'macos-keychain-generic
485 :macos-keychain-generic
493 :source source
494 :type keychain-type
498 ;; the Secrets API. We require the package, in order to have a
499 ;; defined value for `secrets-enabled'.
506 ;; the source is either the :secrets key in ENTRY or
507 ;; if that's missing or nil, it's "session"
511 ;; if the source is a symbol, we look for the alias named so,
512 ;; and if that alias is missing, we use "Login"
520 :source source
531 ;; none of them
536 "Empty"
541 "Fills in the extra auth-source-backend parameters of ENTRY.
542 Using the plist ENTRY, get the :host, :port, and :user search
543 parameters."
545 nil
546 entry))
547 val)
554 backend)
556 ;; (mapcar 'auth-source-backend-parse auth-sources)
559 &key type max host user port secret
560 require create delete
562 "Search or modify authentication backends according to SPEC.
564 This function parses `auth-sources' for matches of the SPEC
565 plist. It can optionally create or update an authentication
566 token if requested. A token is just a standard Emacs property
567 list with a :secret property that can be a function; all the
568 other properties will always hold scalar values.
570 Typically the :secret property, if present, contains a password.
572 Common search keys are :max, :host, :port, and :user. In
573 addition, :create specifies how tokens will be or created.
574 Finally, :type can specify which backend types you want to check.
576 A string value is always matched literally. A symbol is matched
577 as its string value, literally. All the SPEC values can be
578 single values (symbol or string) or lists thereof (in which case
579 any of the search terms matches).
581 :create t means to create a token if possible.
583 A new token will be created if no matching tokens were found.
584 The new token will have only the keys the backend requires. For
585 the netrc backend, for instance, that's the user, host, and
586 port keys.
588 Here's an example:
594 :create t))
596 which says:
599 `netrc', maximum one result.
601 Create a new entry if you found none. The netrc backend will
602 automatically require host, user, and port. The host will be
603 `mine'. We prompt for the user with default `defaultUser' and
604 for the port without a default. We will not prompt for A, Q,
605 or P. The resulting token will only have keys user, host, and
610 The behavior is like :create t but if the list contains any
611 parameter, that parameter will be required in the resulting
612 token. The value for that parameter will be obtained from the
613 search parameters or from user input. If any queries are needed,
614 the alist `auth-source-creation-defaults' will be checked for the
615 default value. If the user, host, or port are missing, the alist
616 `auth-source-creation-prompts' will be used to look up the
617 prompts IN THAT ORDER (so the `user' prompt will be queried first,
618 then `host', then `port', and finally `secret'). Each prompt string
619 can use %u, %h, and %p to show the user, host, and port.
621 Here's an example:
625 (auth-source-creation-prompts
631 which says:
634 or `twosuch' in backends of type `netrc', maximum one result.
636 Create a new entry if you found none. The netrc backend will
637 automatically require host, user, and port. The host will be
638 `nonesuch' and Q will be `qqqq'. We prompt for the password
639 with the shown prompt. We will not prompt for Q. The resulting
640 token will have keys user, host, port, A, B, and Q. It will not
641 have P with any value, even though P is used in the search to
644 When multiple values are specified in the search parameter, the
645 user is prompted for which one. So :host (X Y Z) would ask the
646 user to choose between X, Y, and Z.
648 This creation can fail if the search was not specific enough to
649 create a new token (it's up to the backend to decide that). You
650 should `catch' the backend-specific error as usual. Some
651 backends (netrc, at least) will prompt the user rather than throw
652 an error.
654 :require (A B C) means that only results that contain those
655 tokens will be returned. Thus for instance requiring :secret
656 will ensure that any results will actually have a :secret
657 property.
659 :delete t means to delete any found entries. nil by default.
660 Use `auth-source-delete' in ELisp code instead of calling
661 `auth-source-search' directly with this parameter.
663 :type (X Y Z) will check only those backend types. `netrc' and
664 `secrets' are the only ones supported right now.
666 :max N means to try to return at most N items (defaults to 1).
667 More than N items may be returned, depending on the search and
668 the backend.
670 When :max is 0 the function will return just t or nil to indicate
671 if any matches were found.
673 :host (X Y Z) means to match only hosts X, Y, or Z according to
674 the match rules above. Defaults to t.
676 :user (X Y Z) means to match only users X, Y, or Z according to
677 the match rules above. Defaults to t.
679 :port (P Q R) means to match only protocols P, Q, or R.
680 Defaults to t.
682 :K (V1 V2 V3) for any other key K will match values V1, V2, or
683 V3 (note the match rules above).
685 The return value is a list with at most :max tokens. Each token
686 is a plist with keys :backend :host :port :user, plus any other
687 keys provided by the backend (notably :secret). But note the
688 exception for :max 0, which see above.
690 The token can hold a :save-function key. If you call that, the
691 user will be prompted to save the data to the backend. You can't
692 request that this should happen right after creation, because
693 `auth-source-search' has no way of knowing if the token is
694 actually useful. So the caller must arrange to call this function.
696 The token's :secret key can hold a function. In that case you
697 must call it to obtain the actual value."
705 ;; note that we may have cached results but found is still nil
706 ;; (there were no results from the search)
708 filtered-backends accessor-key backend)
712 "auth-source-search: found %d CACHED results matching %S"
726 ;; ignore invalid slots
736 "auth-source-search: found %d backends matching %S"
739 ;; (debug spec "filtered" filtered-backends)
740 ;; First go through all the backends without :create, so we can
741 ;; query them all.
743 spec
744 ;; to exit early
745 max
746 ;; create is always nil here
747 nil delete
748 require))
751 "auth-source-search: found %d results (max %d) matching %S"
754 ;; If we didn't find anything, then we allow the backend(s) to
755 ;; create the entries.
759 spec
760 ;; to exit early
761 max
762 create delete
763 require))
765 "auth-source-search: CREATED %d results (max %d) matching %S"
768 ;; note we remember the lack of result too, if it's applicable
774 found)))
778 matches)
783 :backend backend
785 ;; note we're overriding whatever the spec
786 ;; has for :max, :require, :create, and :delete
787 :max max
788 :require require
789 :create create
790 :delete delete
791 spec)))
794 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
798 spec)
800 matches))
802 ;; (auth-source-search :max 0)
803 ;; (auth-source-search :max 1)
804 ;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
805 ;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
806 ;; (auth-source-search :host "nonesuch" :type 'secrets)
809 &key delete
811 "Delete entries from the authentication backends according to SPEC.
812 Calls `auth-source-search' with the :delete property in SPEC set to t.
813 The backend may not actually delete the entries.
815 Returns the deleted entries."
819 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
823 ;; (debug :collection collection :value value)
832 "Forget all cached auth-source data."
835 ;; when the symbol name starts with auth-source-magic
838 ;; remove that key
843 "Format SPEC entry to put it in the password cache."
847 "Remember FOUND search results for SPEC."
853 "Recall FOUND search results for SPEC."
857 "Check if SPEC is remembered."
862 "Forget any cached data matching SPEC exactly.
864 This is the same SPEC you passed to `auth-source-search'.
865 Returns t or nil for forgotten or not found."
868 ;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
870 ;; (auth-source-remember '(:host "wedd") '(4 5 6))
871 ;; (auth-source-remembered-p '(:host "wedd"))
872 ;; (auth-source-remember '(:host "xedd") '(1 2 3))
873 ;; (auth-source-remembered-p '(:host "xedd"))
874 ;; (auth-source-remembered-p '(:host "zedd"))
875 ;; (auth-source-recall '(:host "xedd"))
876 ;; (auth-source-recall '(:host t))
877 ;; (auth-source-forget+ :host t)
880 "Forget any cached data matching SPEC. Returns forgotten count.
882 This is not a full `auth-source-search' spec but works similarly.
884 cached data that was found with a search for those two hosts,
885 while \(:host t) would find all host entries."
887 sname)
889 ;; when the symbol name matches with auth-source-magic
892 sname)
893 ;; and the spec matches what was stored in the cache
895 ;; remove that key
899 count))
911 ;; (auth-source-pick-first-password :host "z.lifelogs.com")
912 ;; (auth-source-pick-first-password :port "imap")
914 "Pick the first secret found from applying SPEC to `auth-source-search'."
920 secret)))
922 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
924 "Format PROMPT using %x (for any character x) specifiers in ALIST."
931 prompt nil t)))))
932 prompt)
940 value))
941 values))
943 ;;; Backend specific parsing: netrc/authinfo backend
960 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
962 spec
963 &key file max host user port delete require
965 "Parse FILE and return a list of all entries in the file.
966 Note that the MAX parameter is used so we can exit the parse early."
968 ;; We got already parsed contents; just return it.
969 file
981 host
985 t))
987 user
992 t))
994 port
998 t))
1000 ;; the required list of keys is nil, or
1002 ;; every element of require is in n(ormalized)
1007 result)
1014 "auth-source-netrc-parse: using CACHED file data for %s"
1015 file)
1018 ;; cache all netrc files (used to be just .gpg files)
1019 ;; Store the contents of the file heavily encrypted in memory.
1020 ;; (note for the irony-impaired: they are just obfuscated)
1022 auth-source-netrc-cache file
1028 alist)
1034 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1035 ;; this buffer lets epa-file skip the key selection query
1036 ;; (see the `local-variable-p' check in
1037 ;; `epa-file-write-region').
1043 ;; ask AFTER we've successfully opened the file
1045 file modified))
1048 "auth-source-netrc-parse: modified %d lines in %s"
1049 modified file)))
1054 "Advance to the next interesting position in the current buffer."
1055 ;; If we're looking at a comment or are at the end of the line, move forward
1063 "Read one thing from the current buffer."
1073 ;; with thanks to org-mode
1077 ;; works also in narrowed buffer, because we start at 1, not point-min
1081 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1084 alist
1088 all))
1089 item item2 all alist default)
1092 ;; We're starting a new machine. Save the old one.
1096 ;; (auth-source-do-trivia
1097 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1099 alist nil))
1100 ;; In default entries, we don't have a next token.
1101 ;; We store them as ("machine" . t)
1104 ;; Not a default entry. Grab the next item.
1106 ;; Did we get a "machine" value?
1110 "%s: Unexpected ‘machine’ token at line %d"
1111 "auth-source-netrc-parse-entries"
1116 ;; Clean up: if there's an entry left over, use it.
1119 ;; (auth-source-do-trivia
1120 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1121 )
1129 passphrase)
1130 ;; return the saved passphrase, calling a function if needed
1141 t))
1144 passphrase))))
1146 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1148 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1149 FILE is the file from which we obtained this token."
1153 plain)
1155 context
1157 file))
1160 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1164 cipher)
1167 context
1169 file))
1185 ;; apply key aliases
1192 ;; send back the secret in a function (lexical binding)
1197 ;; it's a GPG token: create a token decoder
1198 ;; which unsets itself once
1203 val
1204 filename)
1209 lexv))))
1212 v))))
1213 ret))
1214 alist))
1216 ;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1217 ;; (funcall secret)
1220 spec
1221 &key backend require create delete
1222 type max host user port
1224 "Given a property list SPEC, return search matches from the :backend.
1225 See `auth-source-search' for details on SPEC."
1226 ;; just in case, check that the type is correct (null or same as the backend)
1232 :max max
1233 :require require
1234 :delete delete
1241 ;; if we need to create an entry AND none were found to match
1245 ;; create based on the spec and record the value
1247 ;; if the user did not want to create the entry
1248 ;; in the file, it will be returned
1250 ;; if not, we do the search again without :create
1251 ;; to get the updated data.
1253 ;; the result will be returned, even if the search fails
1256 results))
1261 v))
1263 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1264 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1267 &key backend
1268 secret host user port create
1271 ;; we know (because of an assertion in auth-source-search) that the
1272 ;; :create parameter is either t or a list (which includes nil)
1275 :host host
1280 ;; `valist' is an alist
1281 valist
1282 ;; `artificial' will be returned if no creation is needed
1283 artificial)
1285 ;; only for base required elements (defined as function parameters):
1286 ;; fill in the valist with whatever data we may have from the search
1287 ;; we complete the first value if it's a list and use the value otherwise
1291 ;; all-accepting choice (predicate is t)
1293 ;; just the value otherwise
1298 ;; for extra required elements, see if the spec includes a value for them
1307 ;; for each required element
1310 ;; take the first element if the data is a list
1314 ;; this is the default to be offered
1316 auth-source-creation-defaults r))
1317 ;; the default supplementals are simple:
1318 ;; for the user, try `given-default' and then (user-login-name);
1319 ;; otherwise take `given-default'
1351 prompt
1356 ;; Store the data, prompting for the password if needed.
1359 ;; Special case prompt for passwords.
1360 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1361 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1369 auth-source-netrc-use-gpg-tokens))
1370 item ret)
1379 ;; ask if we don't know what to do (in which case
1380 ;; auth-source-netrc-use-gpg-tokens must be a list)
1383 ;; TODO: save the defcustom now? or ask?
1386 auth-source-netrc-use-gpg-tokens)))
1389 plain))
1395 nil nil default)
1404 data))))
1406 ;; When r is not an empty string...
1409 ;; this function is not strictly necessary but I think it
1410 ;; makes the code clearer -tzz
1412 ;; append the key (the symbol name of r)
1413 ;; and the value in r
1415 ;; prepend a space
1417 ;; remap auth-source tokens to netrc
1426 data)))))
1430 artificial
1431 :save-function
1438 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1440 "Save a line ADD in FILE, prompting along the way.
1441 Respects `auth-source-save-behavior'. Uses
1442 `auth-source-netrc-cache' to avoid prompting more than once."
1448 "auth-source-netrc-saver: found previous run for key %s, returning"
1449 key)
1454 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1455 ;; this buffer lets epa-file skip the key selection query
1456 ;; (see the `local-variable-p' check in
1457 ;; `epa-file-write-region').
1462 ;; we want the new data to be found first, so insert at beginning
1465 ;; Ask AFTER we've successfully opened the file.
1469 k)
1482 ;; Why? Doesn't with-output-to-temp-buffer already do
1483 ;; the exact same thing anyway? --Stef
1487 done t))
1488 (?N
1490 done t)
1498 ;; Make sure the info is not saved.
1508 ;; Make the .authinfo file non-world-readable.
1511 "auth-source-netrc-create: wrote 1 new line to %s"
1512 file)
1514 nil))))
1517 ;;; Backend specific parsing: Secrets API backend
1519 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1520 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1521 ;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1522 ;; (let ((auth-sources '(default))) (auth-source-search))
1523 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1524 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1527 "Convert a pattern with lists to a list of string patterns.
1532 only string values for patterns, so this routine returns a list
1533 of patterns that is equivalent to the single original pattern
1534 when interpreted such that if a secret matches any pattern in the
1535 list, it matches the original pattern."
1545 for h in heads
1546 nconc
1548 for tl in tails
1552 spec
1553 &key backend create delete label
1554 type max host user port
1556 "Search the Secrets API; spec is like `auth-source'.
1558 The :label key specifies the item's label. It is the only key
1559 that can specify a substring. Any :label value besides a string
1560 will allow any label.
1562 All other search keys must match exactly. If you need substring
1563 matching, do a wider search and narrow it down yourself.
1565 You'll get back all the properties of the token as a plist.
1567 Here's an example that looks for the first item in the `Login'
1568 Secrets collection:
1571 (auth-source-search :max 1)
1573 Here's another that looks for the first item in the `Login'
1574 Secrets collection whose label contains `gnus':
1579 And this one looks for the first item in the `Login' Secrets
1580 collection that's a Google Chrome entry for the git.gnus.org site
1581 authentication tokens:
1585 "
1587 ;; TODO
1590 ;; TODO
1591 ;; (secrets-delete-item coll elt)
1601 ;; build a search spec without the ignored keys
1602 ;; if a search key is nil or t (match anything), we skip it
1608 nil
1610 search-keys))))
1611 ;; needed keys (always including host, login, port, and secret)
1614 search-keys)))
1617 nconc
1621 collect item)))
1622 ;; TODO: respect max in `secrets-search-items', not after the fact
1624 ;; convert the item name to a full plist
1627 ;; make an entry for the secret (password) element
1629 :secret
1632 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1637 items))
1638 ;; ensure each item has each key in `returned-keys'
1644 nil
1646 returned-keys))
1647 plist))
1648 items)))
1649 items))
1652 spec
1653 &key backend type max host user port
1655 ;; TODO
1656 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1659 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1661 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :create t))
1662 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :delete t))
1663 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
1664 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search))
1666 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :create t))
1667 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :delete t))
1668 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
1669 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search))
1671 ;; (let ((auth-sources '("macos-keychain-internet:/Users/tzz/Library/Keychains/login.keychain"))) (auth-source-search :max 1))
1672 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1 :host "git.gnus.org"))
1673 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1))
1676 spec
1677 &key backend create delete label
1678 type max host user port
1680 "Search the MacOS Keychain; spec is like `auth-source'.
1682 All search keys must match exactly. If you need substring
1683 matching, do a wider search and narrow it down yourself.
1685 You'll get back all the properties of the token as a plist.
1687 The :type key is either `macos-keychain-internet' or
1688 `macos-keychain-generic'.
1690 For the internet keychain type, the :label key searches the
1694 (note PROT has to be a 4-character string).
1696 For the generic keychain type, the :label key searches the item's
1701 Here's an example that looks for the first item in the default
1702 generic MacOS Keychain:
1705 (auth-source-search :max 1)
1707 Here's another that looks for the first item in the internet
1708 MacOS Keychain collection whose label is `gnus':
1713 And this one looks for the first item in the internet keychain
1714 entries for git.gnus.org:
1718 "
1719 ;; TODO
1722 ;; TODO
1723 ;; (macos-keychain-delete-item coll elt)
1733 ;; build a search spec without the ignored keys
1734 ;; if a search key is nil or t (match anything), we skip it
1739 nil
1741 search-keys)))
1742 ;; needed keys (always including host, login, port, and secret)
1745 search-keys)))
1747 coll
1748 type
1749 max
1750 search-spec))
1752 ;; ensure each item has each key in `returned-keys'
1758 nil
1760 returned-keys))
1761 plist))
1762 items)))
1763 items))
1766 &rest spec
1767 &key label type
1768 host user port
1773 "find-generic-password"
1789 port)))))
1801 ret
1802 keychain-generic
1803 "secret"
1806 ;; TODO: check if this is really the label
1807 ;; match 0x00000007 <blob>="AppleID"
1810 ret
1811 keychain-generic
1812 "label"
1814 ;; match "crtr"<uint32>="aapl"
1815 ;; match "svce"<blob>="AppleID"
1818 ret
1819 keychain-generic
1823 ;; return `ret' iff it has the :secret key
1830 ;; for generic keychains, creator is host, service is port
1833 ;; for internet keychains, protocol is port, server is host
1841 spec
1842 &key backend type max host user port
1844 ;; TODO
1847 ;;; Backend specific parsing: PLSTORE backend
1850 spec
1851 &key backend create delete label
1852 type max host user port
1854 "Search the PLSTORE; spec is like `auth-source'."
1861 ;; build a search spec without the ignored keys
1862 ;; if a search key is nil or t (match anything), we skip it
1868 nil
1872 search-keys)))
1873 ;; needed keys (always including host, login, port, and secret)
1876 search-keys)))
1880 ;; convert the item to a full plist
1889 plist))
1890 items))
1891 ;; ensure each item has each key in `returned-keys'
1897 nil
1899 returned-keys))
1900 plist))
1901 items)))
1903 ;; if we need to create an entry AND none were found to match
1907 ;; create based on the spec and record the value
1909 ;; if the user did not want to create the entry
1910 ;; in the file, it will be returned
1912 ;; if not, we do the search again without :create
1913 ;; to get the updated data.
1915 ;; the result will be returned, even if the search fails
1919 item-names)
1923 items))
1926 &key backend
1927 secret host user port create
1931 ;; we know (because of an assertion in auth-source-search) that the
1932 ;; :create parameter is either t or a list (which includes nil)
1935 :host host
1940 ;; `valist' is an alist
1941 valist
1942 ;; `artificial' will be returned if no creation is needed
1943 artificial
1944 secret-artificial)
1946 ;; only for base required elements (defined as function parameters):
1947 ;; fill in the valist with whatever data we may have from the search
1948 ;; we complete the first value if it's a list and use the value otherwise
1952 ;; all-accepting choice (predicate is t)
1954 ;; just the value otherwise
1959 ;; for extra required elements, see if the spec includes a value for them
1968 ;; for each required element
1971 ;; take the first element if the data is a list
1975 ;; this is the default to be offered
1977 auth-source-creation-defaults r))
1978 ;; the default supplementals are simple:
1979 ;; for the user, try `given-default' and then (user-login-name);
1980 ;; otherwise take `given-default'
2012 prompt
2017 ;; Store the data, prompting for the password if needed.
2027 nil nil default)
2035 data))
2038 data))))))
2044 artificial secret-artificial)
2049 ;;; older API
2051 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2053 ;; deprecate the old interface
2061 "Find MODE (string or list of strings) matching HOST and PORT.
2063 DEPRECATED in favor of `auth-source-search'!
2066 across the Secret Service API (see secrets.el) if the resulting
2067 items don't have a username. This means that if you search for
2071 A non nil DELETE-EXISTING means deleting any matching password
2072 entry in the respective sources. This is useful only when
2073 CREATE-MISSING is non nil as well; the intended use case is to
2074 remove wrong password entries.
2076 If no matching entry is found, and CREATE-MISSING is non nil,
2077 the password will be retrieved interactively, and it will be
2078 stored in the password database which matches best (see
2079 `auth-sources').
2083 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2084 mode host port username)
2095 search))
2098 search))
2099 ;; (found (if (not delete-existing)
2100 ;; (gethash cname auth-source-cache)
2101 ;; (remhash cname auth-source-cache)
2102 ;; nil)))
2107 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2108 mode
2109 ;; don't show the password
2111 "SECRET"
2112 found)
2113 host port username)
2115 ;; else, if not found, search with a max of 1
2130 found))
2136 :host host
2142 :host host
2154 ;;; auth-source.el ends here