| blob | 45ff3b7a11e2cce4dab32e80a960811cf89a36b5 |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2015 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
49 ;; gnus-fallback-lib/ from gnus/lisp/gnus-fallback-lib
52 "gnus-fallback-lib/eieio"
54 load-path)))
87 "Authentication sources."
91 ;;;###autoload
93 "How many seconds passwords are cached, or nil to disable
94 expiring. Overrides `password-cache-expiry' through a
95 let-binding."
104 ;; The slots below correspond with the `auth-source-search' spec,
105 ;; so a backend with :host set, for instance, would match only
106 ;; searches for that host. Normally they are nil.
110 :type symbol
111 :custom symbol
114 :type string
115 :custom string
118 :initform t
119 :type t
120 :custom string
123 :initform t
124 :type t
125 :custom string
128 :initform t
129 :type t
130 :custom string
133 :initform nil
136 :initform ignore
137 :type function
138 :custom function
141 :initform ignore
142 :type function
143 :custom function
151 "List of authentication protocols and their names"
161 ;; Generate all the protocols in a format Customize can use.
162 ;; TODO: generate on the fly from auth-source-protocols
168 p)))
169 auth-source-protocols))
172 ;; FIXME: AFAICT this is not set (or let-bound) anywhere!
181 "If set, auth-source will respect it for save behavior."
190 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") never) (t gpg)))
191 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
194 "Set this to tell auth-source when to create GPG password
195 tokens in netrc files. It's either an alist or `never'.
196 Note that if EPA/EPG is not available, this should NOT be used."
218 "Whether auth-source should cache information with `password-cache'."
224 "Whether auth-source should log debug messages.
226 If the value is nil, debug messages are not logged.
228 If the value is t, debug messages are logged with `message'. In
229 that case, your authentication data will be in the clear (except
230 for passwords).
232 If the value is a function, debug messages are logged by calling
233 that function using the same arguments as `message'."
240 trivia)
245 "List of authentication sources.
246 Each entry is the authentication type with optional properties.
247 Entries are tried in the order in which they appear.
248 See Info node `(auth)Help for users' for details.
251 EPA/EPG set up, the file will be encrypted and decrypted
252 automatically. See Info node `(epa)Encrypting/decrypting gpg files'
253 for details.
256 can get pretty complex."
267 macos-keychain-internet)
270 macos-keychain-generic)
324 "List of recipient keys that `authinfo.gpg' encrypted to.
325 If the value is not a list, symmetric encryption will be used."
332 ;; temp for debugging
333 ;; (unintern 'auth-source-protocols)
334 ;; (unintern 'auth-sources)
335 ;; (customize-variable 'auth-sources)
336 ;; (setq auth-sources nil)
337 ;; (format "%S" auth-sources)
338 ;; (customize-variable 'auth-source-protocols)
339 ;; (setq auth-source-protocols nil)
340 ;; (format "%S" auth-source-protocols)
341 ;; (auth-source-pick nil :host "a" :port 'imap)
342 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
343 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
344 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
345 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
346 ;; (auth-source-protocol-defaults 'imap)
348 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
349 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
350 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
362 ;; set logger to either the function in auth-source-debug or 'message
363 ;; note that it will be 'message if auth-source-debug is nil
365 auth-source-debug
367 msg))
370 ;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
372 "Read one of CHOICES by `read-char-choice', or `read-char'.
373 `dropdown-list' support is disabled because it doesn't work reliably.
374 Only one of CHOICES will be returned. The PROMPT is augmented
382 k)
390 k)))
392 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
393 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
394 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
395 ;; (:source (:secrets "session") :host t :port t :user "joe")
396 ;; (:source (:secrets "Login") :host t :port t)
397 ;; (:source "~/.authinfo.gpg" :host t :port t)))
399 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
400 ;; (:source (:secrets "session") :host t :port t :user "joe")
401 ;; (:source (:secrets "Login") :host t :port t)
402 ;; ))
404 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
406 ;; (auth-source-backend-parse "myfile.gpg")
407 ;; (auth-source-backend-parse 'default)
408 ;; (auth-source-backend-parse "secrets:Login")
409 ;; (auth-source-backend-parse 'macos-keychain-internet)
410 ;; (auth-source-backend-parse 'macos-keychain-generic)
411 ;; (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
412 ;; (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
415 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
417 entry
419 ;; take 'default and recurse to get it as a Secrets API default collection
420 ;; matching any user, host, and protocol
423 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
424 ;; matching any user, host, and protocol
428 ;; take 'macos-keychain-internet and recurse to get it as a Mac OS
429 ;; Keychain collection matching any user, host, and protocol
432 ;; take 'macos-keychain-generic and recurse to get it as a Mac OS
433 ;; Keychain collection matching any user, host, and protocol
436 ;; take macos-keychain-internet:XYZ and recurse to get it as MacOS
437 ;; Keychain "XYZ" matching any user, host, and protocol
439 entry))
442 ;; take macos-keychain-generic:XYZ and recurse to get it as MacOS
443 ;; Keychain "XYZ" matching any user, host, and protocol
445 entry))
449 ;; take just a file name and recurse to get it as a netrc file
450 ;; matching any user, host, and protocol
454 ;; a file name with parameters
471 ;; the MacOS Keychain
482 'macos-keychain-generic
485 :macos-keychain-generic
493 :source source
494 :type keychain-type
498 ;; the Secrets API. We require the package, in order to have a
499 ;; defined value for `secrets-enabled'.
506 ;; the source is either the :secrets key in ENTRY or
507 ;; if that's missing or nil, it's "session"
511 ;; if the source is a symbol, we look for the alias named so,
512 ;; and if that alias is missing, we use "Login"
520 :source source
531 ;; none of them
540 "Fills in the extra auth-source-backend parameters of ENTRY.
541 Using the plist ENTRY, get the :host, :port, and :user search
542 parameters."
544 nil
545 entry))
546 val)
553 backend)
555 ;; (mapcar 'auth-source-backend-parse auth-sources)
558 &key max
559 require create delete
561 "Search or modify authentication backends according to SPEC.
563 This function parses `auth-sources' for matches of the SPEC
564 plist. It can optionally create or update an authentication
565 token if requested. A token is just a standard Emacs property
566 list with a :secret property that can be a function; all the
567 other properties will always hold scalar values.
569 Typically the :secret property, if present, contains a password.
571 Common search keys are :max, :host, :port, and :user. In
572 addition, :create specifies if and how tokens will be created.
573 Finally, :type can specify which backend types you want to check.
575 A string value is always matched literally. A symbol is matched
576 as its string value, literally. All the SPEC values can be
577 single values (symbol or string) or lists thereof (in which case
578 any of the search terms matches).
580 :create t means to create a token if possible.
582 A new token will be created if no matching tokens were found.
583 The new token will have only the keys the backend requires. For
584 the netrc backend, for instance, that's the user, host, and
585 port keys.
587 Here's an example:
593 :create t))
595 which says:
598 `netrc', maximum one result.
600 Create a new entry if you found none. The netrc backend will
601 automatically require host, user, and port. The host will be
602 `mine'. We prompt for the user with default `defaultUser' and
603 for the port without a default. We will not prompt for A, Q,
604 or P. The resulting token will only have keys user, host, and
609 The behavior is like :create t but if the list contains any
610 parameter, that parameter will be required in the resulting
611 token. The value for that parameter will be obtained from the
612 search parameters or from user input. If any queries are needed,
613 the alist `auth-source-creation-defaults' will be checked for the
614 default value. If the user, host, or port are missing, the alist
615 `auth-source-creation-prompts' will be used to look up the
616 prompts IN THAT ORDER (so the `user' prompt will be queried first,
617 then `host', then `port', and finally `secret'). Each prompt string
618 can use %u, %h, and %p to show the user, host, and port.
620 Here's an example:
624 (auth-source-creation-prompts
630 which says:
633 or `twosuch' in backends of type `netrc', maximum one result.
635 Create a new entry if you found none. The netrc backend will
636 automatically require host, user, and port. The host will be
637 `nonesuch' and Q will be `qqqq'. We prompt for the password
638 with the shown prompt. We will not prompt for Q. The resulting
639 token will have keys user, host, port, A, B, and Q. It will not
640 have P with any value, even though P is used in the search to
643 When multiple values are specified in the search parameter, the
644 user is prompted for which one. So :host (X Y Z) would ask the
645 user to choose between X, Y, and Z.
647 This creation can fail if the search was not specific enough to
648 create a new token (it's up to the backend to decide that). You
649 should `catch' the backend-specific error as usual. Some
650 backends (netrc, at least) will prompt the user rather than throw
651 an error.
653 :require (A B C) means that only results that contain those
654 tokens will be returned. Thus for instance requiring :secret
655 will ensure that any results will actually have a :secret
656 property.
658 :delete t means to delete any found entries. nil by default.
659 Use `auth-source-delete' in ELisp code instead of calling
660 `auth-source-search' directly with this parameter.
662 :type (X Y Z) will check only those backend types. `netrc' and
663 `secrets' are the only ones supported right now.
665 :max N means to try to return at most N items (defaults to 1).
666 More than N items may be returned, depending on the search and
667 the backend.
669 When :max is 0 the function will return just t or nil to indicate
670 if any matches were found.
672 :host (X Y Z) means to match only hosts X, Y, or Z according to
673 the match rules above. Defaults to t.
675 :user (X Y Z) means to match only users X, Y, or Z according to
676 the match rules above. Defaults to t.
678 :port (P Q R) means to match only protocols P, Q, or R.
679 Defaults to t.
681 :K (V1 V2 V3) for any other key K will match values V1, V2, or
682 V3 (note the match rules above).
684 The return value is a list with at most :max tokens. Each token
685 is a plist with keys :backend :host :port :user, plus any other
686 keys provided by the backend (notably :secret). But note the
687 exception for :max 0, which see above.
689 The token can hold a :save-function key. If you call that, the
690 user will be prompted to save the data to the backend. You can't
691 request that this should happen right after creation, because
692 `auth-source-search' has no way of knowing if the token is
693 actually useful. So the caller must arrange to call this function.
695 The token's :secret key can hold a function. In that case you
696 must call it to obtain the actual value."
704 ;; note that we may have cached results but found is still nil
705 ;; (there were no results from the search)
707 filtered-backends)
711 "auth-source-search: found %d CACHED results matching %S"
725 ;; ignore invalid slots
735 "auth-source-search: found %d backends matching %S"
738 ;; (debug spec "filtered" filtered-backends)
739 ;; First go through all the backends without :create, so we can
740 ;; query them all.
742 spec
743 ;; to exit early
744 max
745 ;; create is always nil here
746 nil delete
747 require))
750 "auth-source-search: found %d results (max %d) matching %S"
753 ;; If we didn't find anything, then we allow the backend(s) to
754 ;; create the entries.
758 spec
759 ;; to exit early
760 max
761 create delete
762 require))
764 "auth-source-search: CREATED %d results (max %d) matching %S"
767 ;; note we remember the lack of result too, if it's applicable
773 found)))
777 matches)
782 :backend backend
784 ;; note we're overriding whatever the spec
785 ;; has for :max, :require, :create, and :delete
786 :max max
787 :require require
788 :create create
789 :delete delete
790 spec)))
793 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
797 spec)
799 matches))
801 ;; (auth-source-search :max 0)
802 ;; (auth-source-search :max 1)
803 ;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
804 ;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
805 ;; (auth-source-search :host "nonesuch" :type 'secrets)
808 "Delete entries from the authentication backends according to SPEC.
809 Calls `auth-source-search' with the :delete property in SPEC set to t.
810 The backend may not actually delete the entries.
812 Returns the deleted entries."
816 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
820 ;; (debug :collection collection :value value)
829 "Forget all cached auth-source data."
832 ;; when the symbol name starts with auth-source-magic
835 ;; remove that key
840 "Format SPEC entry to put it in the password cache."
844 "Remember FOUND search results for SPEC."
850 "Recall FOUND search results for SPEC."
854 "Check if SPEC is remembered."
859 "Forget any cached data matching SPEC exactly.
861 This is the same SPEC you passed to `auth-source-search'.
862 Returns t or nil for forgotten or not found."
865 ;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
867 ;; (auth-source-remember '(:host "wedd") '(4 5 6))
868 ;; (auth-source-remembered-p '(:host "wedd"))
869 ;; (auth-source-remember '(:host "xedd") '(1 2 3))
870 ;; (auth-source-remembered-p '(:host "xedd"))
871 ;; (auth-source-remembered-p '(:host "zedd"))
872 ;; (auth-source-recall '(:host "xedd"))
873 ;; (auth-source-recall '(:host t))
874 ;; (auth-source-forget+ :host t)
877 "Forget any cached data matching SPEC. Returns forgotten count.
879 This is not a full `auth-source-search' spec but works similarly.
881 cached data that was found with a search for those two hosts,
882 while \(:host t) would find all host entries."
884 sname)
886 ;; when the symbol name matches with auth-source-magic
889 sname)
890 ;; and the spec matches what was stored in the cache
892 ;; remove that key
896 count))
908 ;; (auth-source-pick-first-password :host "z.lifelogs.com")
909 ;; (auth-source-pick-first-password :port "imap")
911 "Pick the first secret found from applying SPEC to `auth-source-search'."
917 secret)))
919 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
921 "Format PROMPT using %x (for any character x) specifiers in ALIST."
928 prompt nil t)))))
929 prompt)
933 values
939 value))
940 values)))
942 ;;; Backend specific parsing: netrc/authinfo backend
959 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
962 "Parse FILE and return a list of all entries in the file.
963 Note that the MAX parameter is used so we can exit the parse early."
965 ;; We got already parsed contents; just return it.
966 file
978 host
982 t))
984 user
989 t))
991 port
995 t))
997 ;; the required list of keys is nil, or
999 ;; every element of require is in n(ormalized)
1004 result)
1011 "auth-source-netrc-parse: using CACHED file data for %s"
1012 file)
1015 ;; cache all netrc files (used to be just .gpg files)
1016 ;; Store the contents of the file heavily encrypted in memory.
1017 ;; (note for the irony-impaired: they are just obfuscated)
1019 auth-source-netrc-cache file
1025 alist)
1031 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1032 ;; this buffer lets epa-file skip the key selection query
1033 ;; (see the `local-variable-p' check in
1034 ;; `epa-file-write-region').
1040 ;; ask AFTER we've successfully opened the file
1042 file modified))
1045 "auth-source-netrc-parse: modified %d lines in %s"
1046 modified file)))
1051 "Advance to the next interesting position in the current buffer."
1052 ;; If we're looking at a comment or are at the end of the line, move forward
1060 "Read one thing from the current buffer."
1070 ;; with thanks to org-mode
1074 ;; works also in narrowed buffer, because we start at 1, not point-min
1078 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1081 alist
1085 all))
1086 item item2 all alist default)
1089 ;; We're starting a new machine. Save the old one.
1093 ;; (auth-source-do-trivia
1094 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1096 alist nil))
1097 ;; In default entries, we don't have a next token.
1098 ;; We store them as ("machine" . t)
1101 ;; Not a default entry. Grab the next item.
1103 ;; Did we get a "machine" value?
1107 "%s: Unexpected `machine' token at line %d"
1108 "auth-source-netrc-parse-entries"
1113 ;; Clean up: if there's an entry left over, use it.
1116 ;; (auth-source-do-trivia
1117 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1118 )
1126 passphrase)
1127 ;; return the saved passphrase, calling a function if needed
1138 t))
1141 passphrase))))
1143 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1145 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1146 FILE is the file from which we obtained this token."
1151 context
1153 file))
1158 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1162 cipher)
1165 context
1167 file))
1186 ;; apply key aliases
1193 ;; send back the secret in a function (lexical binding)
1198 ;; it's a GPG token: create a token decoder
1199 ;; which unsets itself once
1204 val
1205 filename)
1210 lexv))))
1213 v))))
1214 ret))
1215 alist))
1217 ;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1218 ;; (funcall secret)
1221 spec
1222 &key backend require create
1223 type max host user port
1225 "Given a property list SPEC, return search matches from the :backend.
1226 See `auth-source-search' for details on SPEC."
1227 ;; just in case, check that the type is correct (null or same as the backend)
1233 :max max
1234 :require require
1241 ;; if we need to create an entry AND none were found to match
1245 ;; create based on the spec and record the value
1247 ;; if the user did not want to create the entry
1248 ;; in the file, it will be returned
1250 ;; if not, we do the search again without :create
1251 ;; to get the updated data.
1253 ;; the result will be returned, even if the search fails
1256 results))
1261 v))
1263 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1264 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1267 &key backend
1268 host port create
1271 ;; we know (because of an assertion in auth-source-search) that the
1272 ;; :create parameter is either t or a list (which includes nil)
1275 :host host
1280 ;; `valist' is an alist
1281 valist
1282 ;; `artificial' will be returned if no creation is needed
1283 artificial)
1285 ;; only for base required elements (defined as function parameters):
1286 ;; fill in the valist with whatever data we may have from the search
1287 ;; we complete the first value if it's a list and use the value otherwise
1292 ;; all-accepting choice (predicate is t)
1294 ;; just the value otherwise
1299 ;; for extra required elements, see if the spec includes a value for them
1307 ;; for each required element
1310 ;; take the first element if the data is a list
1314 ;; this is the default to be offered
1316 auth-source-creation-defaults r))
1317 ;; the default supplementals are simple:
1318 ;; for the user, try `given-default' and then (user-login-name);
1319 ;; otherwise take `given-default'
1351 prompt
1356 ;; Store the data, prompting for the password if needed.
1359 ;; Special case prompt for passwords.
1360 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") nil) (t gpg)))
1361 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1369 auth-source-netrc-use-gpg-tokens))
1370 item ret)
1377 ;; FIXME: `ret' unused.
1378 ;; Should we return it here?
1379 ))
1382 ;; ask if we don't know what to do (in which case
1383 ;; auth-source-netrc-use-gpg-tokens must be a list)
1386 ;; TODO: save the defcustom now? or ask?
1389 auth-source-netrc-use-gpg-tokens)))
1392 plain))
1398 nil nil default)
1407 data))))
1409 ;; When r is not an empty string...
1412 ;; this function is not strictly necessary but I think it
1413 ;; makes the code clearer -tzz
1415 ;; append the key (the symbol name of r)
1416 ;; and the value in r
1418 ;; prepend a space
1420 ;; remap auth-source tokens to netrc
1429 data)))))
1433 artificial
1434 :save-function
1441 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1443 "Save a line ADD in FILE, prompting along the way.
1444 Respects `auth-source-save-behavior'. Uses
1445 `auth-source-netrc-cache' to avoid prompting more than once."
1451 "auth-source-netrc-saver: found previous run for key %s, returning"
1452 key)
1457 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1458 ;; this buffer lets epa-file skip the key selection query
1459 ;; (see the `local-variable-p' check in
1460 ;; `epa-file-write-region').
1465 ;; we want the new data to be found first, so insert at beginning
1468 ;; Ask AFTER we've successfully opened the file.
1472 k)
1485 ;; Why? Doesn't with-output-to-temp-buffer already do
1486 ;; the exact same thing anyway? --Stef
1490 done t))
1491 (?N
1493 done t)
1501 ;; Make sure the info is not saved.
1511 ;; Make the .authinfo file non-world-readable.
1514 "auth-source-netrc-create: wrote 1 new line to %s"
1515 file)
1517 nil))))
1520 ;;; Backend specific parsing: Secrets API backend
1522 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1523 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1524 ;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1525 ;; (let ((auth-sources '(default))) (auth-source-search))
1526 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1527 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1530 "Convert a pattern with lists to a list of string patterns.
1535 only string values for patterns, so this routine returns a list
1536 of patterns that is equivalent to the single original pattern
1537 when interpreted such that if a secret matches any pattern in the
1538 list, it matches the original pattern."
1548 for h in heads
1549 nconc
1551 for tl in tails
1555 spec
1556 &key backend create delete label max
1558 "Search the Secrets API; spec is like `auth-source'.
1560 The :label key specifies the item's label. It is the only key
1561 that can specify a substring. Any :label value besides a string
1562 will allow any label.
1564 All other search keys must match exactly. If you need substring
1565 matching, do a wider search and narrow it down yourself.
1567 You'll get back all the properties of the token as a plist.
1569 Here's an example that looks for the first item in the `Login'
1570 Secrets collection:
1573 (auth-source-search :max 1)
1575 Here's another that looks for the first item in the `Login'
1576 Secrets collection whose label contains `gnus':
1581 And this one looks for the first item in the `Login' Secrets
1582 collection that's a Google Chrome entry for the git.gnus.org site
1583 authentication tokens:
1587 "
1589 ;; TODO
1592 ;; TODO
1593 ;; (secrets-delete-item coll elt)
1603 ;; build a search spec without the ignored keys
1604 ;; if a search key is nil or t (match anything), we skip it
1610 nil
1612 search-keys))))
1613 ;; needed keys (always including host, login, port, and secret)
1616 search-keys)))
1619 nconc
1623 collect item)))
1624 ;; TODO: respect max in `secrets-search-items', not after the fact
1626 ;; convert the item name to a full plist
1629 ;; make an entry for the secret (password) element
1631 :secret
1634 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1639 items))
1640 ;; ensure each item has each key in `returned-keys'
1646 nil
1648 returned-keys))
1649 plist))
1650 items)))
1651 items))
1654 ;; TODO
1655 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1658 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1660 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :create t))
1661 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :delete t))
1662 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
1663 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search))
1665 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :create t))
1666 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :delete t))
1667 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
1668 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search))
1670 ;; (let ((auth-sources '("macos-keychain-internet:/Users/tzz/Library/Keychains/login.keychain"))) (auth-source-search :max 1))
1671 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1 :host "git.gnus.org"))
1672 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1))
1675 spec
1676 &key backend create delete
1677 type max
1679 "Search the MacOS Keychain; spec is like `auth-source'.
1681 All search keys must match exactly. If you need substring
1682 matching, do a wider search and narrow it down yourself.
1684 You'll get back all the properties of the token as a plist.
1686 The :type key is either `macos-keychain-internet' or
1687 `macos-keychain-generic'.
1689 For the internet keychain type, the :label key searches the
1693 \(note PROT has to be a 4-character string).
1695 For the generic keychain type, the :label key searches the item's
1700 Here's an example that looks for the first item in the default
1701 generic MacOS Keychain:
1704 (auth-source-search :max 1)
1706 Here's another that looks for the first item in the internet
1707 MacOS Keychain collection whose label is `gnus':
1712 And this one looks for the first item in the internet keychain
1713 entries for git.gnus.org:
1717 "
1718 ;; TODO
1721 ;; TODO
1722 ;; (macos-keychain-delete-item coll elt)
1732 ;; build a search spec without the ignored keys
1733 ;; if a search key is nil or t (match anything), we skip it
1738 nil
1740 search-keys)))
1741 ;; needed keys (always including host, login, port, and secret)
1744 search-keys)))
1746 coll
1747 type
1748 max
1749 search-spec))
1751 ;; ensure each item has each key in `returned-keys'
1757 nil
1759 returned-keys))
1760 plist))
1761 items)))
1762 items))
1765 &key label type
1766 host user port
1771 "find-generic-password"
1787 port)))))
1799 ret
1800 keychain-generic
1801 "secret"
1804 ;; TODO: check if this is really the label
1805 ;; match 0x00000007 <blob>="AppleID"
1808 ret
1809 keychain-generic
1810 "label"
1812 ;; match "crtr"<uint32>="aapl"
1813 ;; match "svce"<blob>="AppleID"
1816 ret
1817 keychain-generic
1821 ;; return `ret' iff it has the :secret key
1829 ;; for generic keychains, creator is host, service is port
1832 ;; for internet keychains, protocol is port, server is host
1836 result))
1839 ;; TODO
1842 ;;; Backend specific parsing: PLSTORE backend
1845 spec
1846 &key backend create delete
1847 max
1849 "Search the PLSTORE; spec is like `auth-source'."
1856 ;; build a search spec without the ignored keys
1857 ;; if a search key is nil or t (match anything), we skip it
1863 nil
1867 search-keys)))
1868 ;; needed keys (always including host, login, port, and secret)
1871 search-keys)))
1875 ;; convert the item to a full plist
1884 plist))
1885 items))
1886 ;; ensure each item has each key in `returned-keys'
1892 nil
1894 returned-keys))
1895 plist))
1896 items)))
1898 ;; if we need to create an entry AND none were found to match
1902 ;; create based on the spec and record the value
1904 ;; if the user did not want to create the entry
1905 ;; in the file, it will be returned
1907 ;; if not, we do the search again without :create
1908 ;; to get the updated data.
1910 ;; the result will be returned, even if the search fails
1914 item-names)
1918 items))
1921 &key backend
1922 host port create
1926 ;; we know (because of an assertion in auth-source-search) that the
1927 ;; :create parameter is either t or a list (which includes nil)
1930 :host host
1933 ;; `valist' is an alist
1934 valist
1935 ;; `artificial' will be returned if no creation is needed
1936 artificial
1937 secret-artificial)
1939 ;; only for base required elements (defined as function parameters):
1940 ;; fill in the valist with whatever data we may have from the search
1941 ;; we complete the first value if it's a list and use the value otherwise
1946 ;; all-accepting choice (predicate is t)
1948 ;; just the value otherwise
1953 ;; for extra required elements, see if the spec includes a value for them
1961 ;; for each required element
1964 ;; take the first element if the data is a list
1968 ;; this is the default to be offered
1970 auth-source-creation-defaults r))
1971 ;; the default supplementals are simple:
1972 ;; for the user, try `given-default' and then (user-login-name);
1973 ;; otherwise take `given-default'
2005 prompt
2010 ;; Store the data, prompting for the password if needed.
2020 nil nil default)
2028 data))
2031 data))))))
2037 artificial secret-artificial)
2042 ;;; older API
2044 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2046 ;; deprecate the old interface
2054 "Find MODE (string or list of strings) matching HOST and PORT.
2056 DEPRECATED in favor of `auth-source-search'!
2059 across the Secret Service API (see secrets.el) if the resulting
2060 items don't have a username. This means that if you search for
2064 A non nil DELETE-EXISTING means deleting any matching password
2065 entry in the respective sources. This is useful only when
2066 CREATE-MISSING is non nil as well; the intended use case is to
2067 remove wrong password entries.
2069 If no matching entry is found, and CREATE-MISSING is non nil,
2070 the password will be retrieved interactively, and it will be
2071 stored in the password database which matches best (see
2072 `auth-sources').
2076 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2077 mode host port username)
2081 ;; (cname (if username
2082 ;; (format "%s %s:%s %s" mode host port username)
2083 ;; (format "%s %s:%s" mode host port)))
2088 search))
2091 search))
2092 ;; (found (if (not delete-existing)
2093 ;; (gethash cname auth-source-cache)
2094 ;; (remhash cname auth-source-cache)
2095 ;; nil)))
2100 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2101 mode
2102 ;; don't show the password
2104 "SECRET"
2105 found)
2106 host port username)
2108 ;; else, if not found, search with a max of 1
2123 found))
2129 :host host
2135 :host host
2147 ;;; auth-source.el ends here