Doc fix for window-scroll-functions.
[emacs.git] / lisp / gnus / auth-source.el
blob4269b79a6a7abbbc48f7d73ea5f58d8380277dec
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2011 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
42 (require 'password-cache)
43 (require 'mm-util)
44 (require 'gnus-util)
45 (require 'assoc)
47 (eval-when-compile (require 'cl))
48 (require 'eieio)
50 (autoload 'secrets-create-item "secrets")
51 (autoload 'secrets-delete-item "secrets")
52 (autoload 'secrets-get-alias "secrets")
53 (autoload 'secrets-get-attributes "secrets")
54 (autoload 'secrets-get-secret "secrets")
55 (autoload 'secrets-list-collections "secrets")
56 (autoload 'secrets-search-items "secrets")
58 (autoload 'rfc2104-hash "rfc2104")
60 (autoload 'plstore-open "plstore")
61 (autoload 'plstore-find "plstore")
62 (autoload 'plstore-put "plstore")
63 (autoload 'plstore-delete "plstore")
64 (autoload 'plstore-save "plstore")
65 (autoload 'plstore-get-file "plstore")
67 (autoload 'epg-make-context "epg")
68 (autoload 'epg-context-set-passphrase-callback "epg")
69 (autoload 'epg-decrypt-string "epg")
70 (autoload 'epg-context-set-armor "epg")
71 (autoload 'epg-encrypt-string "epg")
73 (autoload 'help-mode "help-mode" nil t)
75 (defvar secrets-enabled)
77 (defgroup auth-source nil
78 "Authentication sources."
79 :version "23.1" ;; No Gnus
80 :group 'gnus)
82 ;;;###autoload
83 (defcustom auth-source-cache-expiry 7200
84 "How many seconds passwords are cached, or nil to disable
85 expiring. Overrides `password-cache-expiry' through a
86 let-binding."
87 :group 'auth-source
88 :type '(choice (const :tag "Never" nil)
89 (const :tag "All Day" 86400)
90 (const :tag "2 Hours" 7200)
91 (const :tag "30 Minutes" 1800)
92 (integer :tag "Seconds")))
94 ;;; The slots below correspond with the `auth-source-search' spec,
95 ;;; so a backend with :host set, for instance, would match only
96 ;;; searches for that host. Normally they are nil.
97 (defclass auth-source-backend ()
98 ((type :initarg :type
99 :initform 'netrc
100 :type symbol
101 :custom symbol
102 :documentation "The backend type.")
103 (source :initarg :source
104 :type string
105 :custom string
106 :documentation "The backend source.")
107 (host :initarg :host
108 :initform t
109 :type t
110 :custom string
111 :documentation "The backend host.")
112 (user :initarg :user
113 :initform t
114 :type t
115 :custom string
116 :documentation "The backend user.")
117 (port :initarg :port
118 :initform t
119 :type t
120 :custom string
121 :documentation "The backend protocol.")
122 (data :initarg :data
123 :initform nil
124 :documentation "Internal backend data.")
125 (create-function :initarg :create-function
126 :initform ignore
127 :type function
128 :custom function
129 :documentation "The create function.")
130 (search-function :initarg :search-function
131 :initform ignore
132 :type function
133 :custom function
134 :documentation "The search function.")))
136 (defcustom auth-source-protocols '((imap "imap" "imaps" "143" "993")
137 (pop3 "pop3" "pop" "pop3s" "110" "995")
138 (ssh "ssh" "22")
139 (sftp "sftp" "115")
140 (smtp "smtp" "25"))
141 "List of authentication protocols and their names"
143 :group 'auth-source
144 :version "23.2" ;; No Gnus
145 :type '(repeat :tag "Authentication Protocols"
146 (cons :tag "Protocol Entry"
147 (symbol :tag "Protocol")
148 (repeat :tag "Names"
149 (string :tag "Name")))))
151 ;;; generate all the protocols in a format Customize can use
152 ;;; TODO: generate on the fly from auth-source-protocols
153 (defconst auth-source-protocols-customize
154 (mapcar (lambda (a)
155 (let ((p (car-safe a)))
156 (list 'const
157 :tag (upcase (symbol-name p))
158 p)))
159 auth-source-protocols))
161 (defvar auth-source-creation-defaults nil
162 "Defaults for creating token values. Usually let-bound.")
164 (defvar auth-source-creation-prompts nil
165 "Default prompts for token values. Usually let-bound.")
167 (make-obsolete 'auth-source-hide-passwords nil "Emacs 24.1")
169 (defcustom auth-source-save-behavior 'ask
170 "If set, auth-source will respect it for save behavior."
171 :group 'auth-source
172 :version "23.2" ;; No Gnus
173 :type `(choice
174 :tag "auth-source new token save behavior"
175 (const :tag "Always save" t)
176 (const :tag "Never save" nil)
177 (const :tag "Ask" ask)))
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
182 (defcustom auth-source-netrc-use-gpg-tokens 'never
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
186 :group 'auth-source
187 :version "23.2" ;; No Gnus
188 :type `(choice
189 (const :tag "Always use GPG password tokens" (t gpg))
190 (const :tag "Never use GPG password tokens" never)
191 (repeat :tag "Use a lookup list"
192 (list
193 (choice :tag "Matcher"
194 (const :tag "Match anything" t)
195 (const :tag "The EPA encrypted file extensions"
196 ,(if (boundp 'epa-file-auto-mode-alist-entry)
197 (car (symbol-value
198 'epa-file-auto-mode-alist-entry))
199 "\\.gpg\\'"))
200 (regexp :tag "Regular expression"))
201 (choice :tag "What to do"
202 (const :tag "Save GPG-encrypted password tokens" gpg)
203 (const :tag "Don't encrypt tokens" never))))))
205 (defvar auth-source-magic "auth-source-magic ")
207 (defcustom auth-source-do-cache t
208 "Whether auth-source should cache information with `password-cache'."
209 :group 'auth-source
210 :version "23.2" ;; No Gnus
211 :type `boolean)
213 (defcustom auth-source-debug nil
214 "Whether auth-source should log debug messages.
216 If the value is nil, debug messages are not logged.
218 If the value is t, debug messages are logged with `message'. In
219 that case, your authentication data will be in the clear (except
220 for passwords).
222 If the value is a function, debug messages are logged by calling
223 that function using the same arguments as `message'."
224 :group 'auth-source
225 :version "23.2" ;; No Gnus
226 :type `(choice
227 :tag "auth-source debugging mode"
228 (const :tag "Log using `message' to the *Messages* buffer" t)
229 (const :tag "Log all trivia with `message' to the *Messages* buffer"
230 trivia)
231 (function :tag "Function that takes arguments like `message'")
232 (const :tag "Don't log anything" nil)))
234 (defcustom auth-sources '("~/.authinfo" "~/.authinfo.gpg" "~/.netrc")
235 "List of authentication sources.
237 The default will get login and password information from
238 \"~/.authinfo.gpg\", which you should set up with the EPA/EPG
239 packages to be encrypted. If that file doesn't exist, it will
240 try the unencrypted version \"~/.authinfo\" and the famous
241 \"~/.netrc\" file.
243 See the auth.info manual for details.
245 Each entry is the authentication type with optional properties.
247 It's best to customize this with `M-x customize-variable' because the choices
248 can get pretty complex."
249 :group 'auth-source
250 :version "24.1" ;; No Gnus
251 :type `(repeat :tag "Authentication Sources"
252 (choice
253 (string :tag "Just a file")
254 (const :tag "Default Secrets API Collection" 'default)
255 (const :tag "Login Secrets API Collection" "secrets:Login")
256 (const :tag "Temp Secrets API Collection" "secrets:session")
257 (list :tag "Source definition"
258 (const :format "" :value :source)
259 (choice :tag "Authentication backend choice"
260 (string :tag "Authentication Source (file)")
261 (list
262 :tag "Secret Service API/KWallet/GNOME Keyring"
263 (const :format "" :value :secrets)
264 (choice :tag "Collection to use"
265 (string :tag "Collection name")
266 (const :tag "Default" 'default)
267 (const :tag "Login" "Login")
268 (const
269 :tag "Temporary" "session"))))
270 (repeat :tag "Extra Parameters" :inline t
271 (choice :tag "Extra parameter"
272 (list
273 :tag "Host"
274 (const :format "" :value :host)
275 (choice :tag "Host (machine) choice"
276 (const :tag "Any" t)
277 (regexp
278 :tag "Regular expression")))
279 (list
280 :tag "Protocol"
281 (const :format "" :value :port)
282 (choice
283 :tag "Protocol"
284 (const :tag "Any" t)
285 ,@auth-source-protocols-customize))
286 (list :tag "User" :inline t
287 (const :format "" :value :user)
288 (choice
289 :tag "Personality/Username"
290 (const :tag "Any" t)
291 (string
292 :tag "Name")))))))))
294 (defcustom auth-source-gpg-encrypt-to t
295 "List of recipient keys that `authinfo.gpg' encrypted to.
296 If the value is not a list, symmetric encryption will be used."
297 :group 'auth-source
298 :version "24.1" ;; No Gnus
299 :type '(choice (const :tag "Symmetric encryption" t)
300 (repeat :tag "Recipient public keys"
301 (string :tag "Recipient public key"))))
303 ;; temp for debugging
304 ;; (unintern 'auth-source-protocols)
305 ;; (unintern 'auth-sources)
306 ;; (customize-variable 'auth-sources)
307 ;; (setq auth-sources nil)
308 ;; (format "%S" auth-sources)
309 ;; (customize-variable 'auth-source-protocols)
310 ;; (setq auth-source-protocols nil)
311 ;; (format "%S" auth-source-protocols)
312 ;; (auth-source-pick nil :host "a" :port 'imap)
313 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
314 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
315 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
316 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
317 ;; (auth-source-protocol-defaults 'imap)
319 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
320 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
321 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
322 (defun auth-source-do-debug (&rest msg)
323 (when auth-source-debug
324 (apply 'auth-source-do-warn msg)))
326 (defun auth-source-do-trivia (&rest msg)
327 (when (or (eq auth-source-debug 'trivia)
328 (functionp auth-source-debug))
329 (apply 'auth-source-do-warn msg)))
331 (defun auth-source-do-warn (&rest msg)
332 (apply
333 ;; set logger to either the function in auth-source-debug or 'message
334 ;; note that it will be 'message if auth-source-debug is nil
335 (if (functionp auth-source-debug)
336 auth-source-debug
337 'message)
338 msg))
341 ;;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
342 (defun auth-source-read-char-choice (prompt choices)
343 "Read one of CHOICES by `read-char-choice', or `read-char'.
344 `dropdown-list' support is disabled because it doesn't work reliably.
345 Only one of CHOICES will be returned. The PROMPT is augmented
346 with \"[a/b/c] \" if CHOICES is '\(?a ?b ?c\)."
347 (when choices
348 (let* ((prompt-choices
349 (apply 'concat (loop for c in choices
350 collect (format "%c/" c))))
351 (prompt-choices (concat "[" (substring prompt-choices 0 -1) "] "))
352 (full-prompt (concat prompt prompt-choices))
355 (while (not (memq k choices))
356 (setq k (cond
357 ((fboundp 'read-char-choice)
358 (read-char-choice full-prompt choices))
359 (t (message "%s" full-prompt)
360 (setq k (read-char))))))
361 k)))
363 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
364 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
365 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
366 ;; (:source (:secrets "session") :host t :port t :user "joe")
367 ;; (:source (:secrets "Login") :host t :port t)
368 ;; (:source "~/.authinfo.gpg" :host t :port t)))
370 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
371 ;; (:source (:secrets "session") :host t :port t :user "joe")
372 ;; (:source (:secrets "Login") :host t :port t)
373 ;; ))
375 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
377 ;; (auth-source-backend-parse "myfile.gpg")
378 ;; (auth-source-backend-parse 'default)
379 ;; (auth-source-backend-parse "secrets:Login")
381 (defun auth-source-backend-parse (entry)
382 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
383 (auth-source-backend-parse-parameters
384 entry
385 (cond
386 ;; take 'default and recurse to get it as a Secrets API default collection
387 ;; matching any user, host, and protocol
388 ((eq entry 'default)
389 (auth-source-backend-parse '(:source (:secrets default))))
390 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
391 ;; matching any user, host, and protocol
392 ((and (stringp entry) (string-match "^secrets:\\(.+\\)" entry))
393 (auth-source-backend-parse `(:source (:secrets ,(match-string 1 entry)))))
394 ;; take just a file name and recurse to get it as a netrc file
395 ;; matching any user, host, and protocol
396 ((stringp entry)
397 (auth-source-backend-parse `(:source ,entry)))
399 ;; a file name with parameters
400 ((stringp (plist-get entry :source))
401 (if (equal (file-name-extension (plist-get entry :source)) "plist")
402 (auth-source-backend
403 (plist-get entry :source)
404 :source (plist-get entry :source)
405 :type 'plstore
406 :search-function 'auth-source-plstore-search
407 :create-function 'auth-source-plstore-create
408 :data (plstore-open (plist-get entry :source)))
409 (auth-source-backend
410 (plist-get entry :source)
411 :source (plist-get entry :source)
412 :type 'netrc
413 :search-function 'auth-source-netrc-search
414 :create-function 'auth-source-netrc-create)))
416 ;; the Secrets API. We require the package, in order to have a
417 ;; defined value for `secrets-enabled'.
418 ((and
419 (not (null (plist-get entry :source))) ; the source must not be nil
420 (listp (plist-get entry :source)) ; and it must be a list
421 (require 'secrets nil t) ; and we must load the Secrets API
422 secrets-enabled) ; and that API must be enabled
424 ;; the source is either the :secrets key in ENTRY or
425 ;; if that's missing or nil, it's "session"
426 (let ((source (or (plist-get (plist-get entry :source) :secrets)
427 "session")))
429 ;; if the source is a symbol, we look for the alias named so,
430 ;; and if that alias is missing, we use "Login"
431 (when (symbolp source)
432 (setq source (or (secrets-get-alias (symbol-name source))
433 "Login")))
435 (if (featurep 'secrets)
436 (auth-source-backend
437 (format "Secrets API (%s)" source)
438 :source source
439 :type 'secrets
440 :search-function 'auth-source-secrets-search
441 :create-function 'auth-source-secrets-create)
442 (auth-source-do-warn
443 "auth-source-backend-parse: no Secrets API, ignoring spec: %S" entry)
444 (auth-source-backend
445 (format "Ignored Secrets API (%s)" source)
446 :source ""
447 :type 'ignore))))
449 ;; none of them
451 (auth-source-do-warn
452 "auth-source-backend-parse: invalid backend spec: %S" entry)
453 (auth-source-backend
454 "Empty"
455 :source ""
456 :type 'ignore)))))
458 (defun auth-source-backend-parse-parameters (entry backend)
459 "Fills in the extra auth-source-backend parameters of ENTRY.
460 Using the plist ENTRY, get the :host, :port, and :user search
461 parameters."
462 (let ((entry (if (stringp entry)
464 entry))
465 val)
466 (when (setq val (plist-get entry :host))
467 (oset backend host val))
468 (when (setq val (plist-get entry :user))
469 (oset backend user val))
470 (when (setq val (plist-get entry :port))
471 (oset backend port val)))
472 backend)
474 ;; (mapcar 'auth-source-backend-parse auth-sources)
476 (defun* auth-source-search (&rest spec
477 &key type max host user port secret
478 require create delete
479 &allow-other-keys)
480 "Search or modify authentication backends according to SPEC.
482 This function parses `auth-sources' for matches of the SPEC
483 plist. It can optionally create or update an authentication
484 token if requested. A token is just a standard Emacs property
485 list with a :secret property that can be a function; all the
486 other properties will always hold scalar values.
488 Typically the :secret property, if present, contains a password.
490 Common search keys are :max, :host, :port, and :user. In
491 addition, :create specifies how tokens will be or created.
492 Finally, :type can specify which backend types you want to check.
494 A string value is always matched literally. A symbol is matched
495 as its string value, literally. All the SPEC values can be
496 single values (symbol or string) or lists thereof (in which case
497 any of the search terms matches).
499 :create t means to create a token if possible.
501 A new token will be created if no matching tokens were found.
502 The new token will have only the keys the backend requires. For
503 the netrc backend, for instance, that's the user, host, and
504 port keys.
506 Here's an example:
508 \(let ((auth-source-creation-defaults '((user . \"defaultUser\")
509 (A . \"default A\"))))
510 (auth-source-search :host \"mine\" :type 'netrc :max 1
511 :P \"pppp\" :Q \"qqqq\"
512 :create t))
514 which says:
516 \"Search for any entry matching host 'mine' in backends of type
517 'netrc', maximum one result.
519 Create a new entry if you found none. The netrc backend will
520 automatically require host, user, and port. The host will be
521 'mine'. We prompt for the user with default 'defaultUser' and
522 for the port without a default. We will not prompt for A, Q,
523 or P. The resulting token will only have keys user, host, and
524 port.\"
526 :create '(A B C) also means to create a token if possible.
528 The behavior is like :create t but if the list contains any
529 parameter, that parameter will be required in the resulting
530 token. The value for that parameter will be obtained from the
531 search parameters or from user input. If any queries are needed,
532 the alist `auth-source-creation-defaults' will be checked for the
533 default value. If the user, host, or port are missing, the alist
534 `auth-source-creation-prompts' will be used to look up the
535 prompts IN THAT ORDER (so the 'user prompt will be queried first,
536 then 'host, then 'port, and finally 'secret). Each prompt string
537 can use %u, %h, and %p to show the user, host, and port.
539 Here's an example:
541 \(let ((auth-source-creation-defaults '((user . \"defaultUser\")
542 (A . \"default A\")))
543 (auth-source-creation-prompts
544 '((password . \"Enter IMAP password for %h:%p: \"))))
545 (auth-source-search :host '(\"nonesuch\" \"twosuch\") :type 'netrc :max 1
546 :P \"pppp\" :Q \"qqqq\"
547 :create '(A B Q)))
549 which says:
551 \"Search for any entry matching host 'nonesuch'
552 or 'twosuch' in backends of type 'netrc', maximum one result.
554 Create a new entry if you found none. The netrc backend will
555 automatically require host, user, and port. The host will be
556 'nonesuch' and Q will be 'qqqq'. We prompt for the password
557 with the shown prompt. We will not prompt for Q. The resulting
558 token will have keys user, host, port, A, B, and Q. It will not
559 have P with any value, even though P is used in the search to
560 find only entries that have P set to 'pppp'.\"
562 When multiple values are specified in the search parameter, the
563 user is prompted for which one. So :host (X Y Z) would ask the
564 user to choose between X, Y, and Z.
566 This creation can fail if the search was not specific enough to
567 create a new token (it's up to the backend to decide that). You
568 should `catch' the backend-specific error as usual. Some
569 backends (netrc, at least) will prompt the user rather than throw
570 an error.
572 :require (A B C) means that only results that contain those
573 tokens will be returned. Thus for instance requiring :secret
574 will ensure that any results will actually have a :secret
575 property.
577 :delete t means to delete any found entries. nil by default.
578 Use `auth-source-delete' in ELisp code instead of calling
579 `auth-source-search' directly with this parameter.
581 :type (X Y Z) will check only those backend types. 'netrc and
582 'secrets are the only ones supported right now.
584 :max N means to try to return at most N items (defaults to 1).
585 When 0 the function will return just t or nil to indicate if any
586 matches were found. More than N items may be returned, depending
587 on the search and the backend.
589 :host (X Y Z) means to match only hosts X, Y, or Z according to
590 the match rules above. Defaults to t.
592 :user (X Y Z) means to match only users X, Y, or Z according to
593 the match rules above. Defaults to t.
595 :port (P Q R) means to match only protocols P, Q, or R.
596 Defaults to t.
598 :K (V1 V2 V3) for any other key K will match values V1, V2, or
599 V3 (note the match rules above).
601 The return value is a list with at most :max tokens. Each token
602 is a plist with keys :backend :host :port :user, plus any other
603 keys provided by the backend (notably :secret). But note the
604 exception for :max 0, which see above.
606 The token can hold a :save-function key. If you call that, the
607 user will be prompted to save the data to the backend. You can't
608 request that this should happen right after creation, because
609 `auth-source-search' has no way of knowing if the token is
610 actually useful. So the caller must arrange to call this function.
612 The token's :secret key can hold a function. In that case you
613 must call it to obtain the actual value."
614 (let* ((backends (mapcar 'auth-source-backend-parse auth-sources))
615 (max (or max 1))
616 (ignored-keys '(:require :create :delete :max))
617 (keys (loop for i below (length spec) by 2
618 unless (memq (nth i spec) ignored-keys)
619 collect (nth i spec)))
620 (cached (auth-source-remembered-p spec))
621 ;; note that we may have cached results but found is still nil
622 ;; (there were no results from the search)
623 (found (auth-source-recall spec))
624 filtered-backends accessor-key backend)
626 (if (and cached auth-source-do-cache)
627 (auth-source-do-debug
628 "auth-source-search: found %d CACHED results matching %S"
629 (length found) spec)
631 (assert
632 (or (eq t create) (listp create)) t
633 "Invalid auth-source :create parameter (must be t or a list): %s %s")
635 (assert
636 (listp require) t
637 "Invalid auth-source :require parameter (must be a list): %s")
639 (setq filtered-backends (copy-sequence backends))
640 (dolist (backend backends)
641 (dolist (key keys)
642 ;; ignore invalid slots
643 (condition-case signal
644 (unless (eval `(auth-source-search-collection
645 (plist-get spec key)
646 (oref backend ,key)))
647 (setq filtered-backends (delq backend filtered-backends))
648 (return))
649 (invalid-slot-name))))
651 (auth-source-do-trivia
652 "auth-source-search: found %d backends matching %S"
653 (length filtered-backends) spec)
655 ;; (debug spec "filtered" filtered-backends)
656 ;; First go through all the backends without :create, so we can
657 ;; query them all.
658 (setq found (auth-source-search-backends filtered-backends
659 spec
660 ;; to exit early
662 ;; create is always nil here
663 nil delete
664 require))
666 (auth-source-do-debug
667 "auth-source-search: found %d results (max %d) matching %S"
668 (length found) max spec)
670 ;; If we didn't find anything, then we allow the backend(s) to
671 ;; create the entries.
672 (when (and create
673 (not found))
674 (setq found (auth-source-search-backends filtered-backends
675 spec
676 ;; to exit early
678 create delete
679 require))
680 (auth-source-do-debug
681 "auth-source-search: CREATED %d results (max %d) matching %S"
682 (length found) max spec))
684 ;; note we remember the lack of result too, if it's applicable
685 (when auth-source-do-cache
686 (auth-source-remember spec found)))
688 found))
690 (defun auth-source-search-backends (backends spec max create delete require)
691 (let (matches)
692 (dolist (backend backends)
693 (when (> max (length matches)) ; when we need more matches...
694 (let* ((bmatches (apply
695 (slot-value backend 'search-function)
696 :backend backend
697 ;; note we're overriding whatever the spec
698 ;; has for :require, :create, and :delete
699 :require require
700 :create create
701 :delete delete
702 spec)))
703 (when bmatches
704 (auth-source-do-trivia
705 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
706 (length bmatches) max
707 (slot-value backend :type)
708 (slot-value backend :source)
709 spec)
710 (setq matches (append matches bmatches))))))
711 matches))
713 ;;; (auth-source-search :max 1)
714 ;;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
715 ;;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
716 ;;; (auth-source-search :host "nonesuch" :type 'secrets)
718 (defun* auth-source-delete (&rest spec
719 &key delete
720 &allow-other-keys)
721 "Delete entries from the authentication backends according to SPEC.
722 Calls `auth-source-search' with the :delete property in SPEC set to t.
723 The backend may not actually delete the entries.
725 Returns the deleted entries."
726 (auth-source-search (plist-put spec :delete t)))
728 (defun auth-source-search-collection (collection value)
729 "Returns t is VALUE is t or COLLECTION is t or contains VALUE."
730 (when (and (atom collection) (not (eq t collection)))
731 (setq collection (list collection)))
733 ;; (debug :collection collection :value value)
734 (or (eq collection t)
735 (eq value t)
736 (equal collection value)
737 (member value collection)))
739 (defvar auth-source-netrc-cache nil)
741 (defun auth-source-forget-all-cached ()
742 "Forget all cached auth-source data."
743 (interactive)
744 (loop for sym being the symbols of password-data
745 ;; when the symbol name starts with auth-source-magic
746 when (string-match (concat "^" auth-source-magic)
747 (symbol-name sym))
748 ;; remove that key
749 do (password-cache-remove (symbol-name sym)))
750 (setq auth-source-netrc-cache nil))
752 (defun auth-source-format-cache-entry (spec)
753 "Format SPEC entry to put it in the password cache."
754 (concat auth-source-magic (format "%S" spec)))
756 (defun auth-source-remember (spec found)
757 "Remember FOUND search results for SPEC."
758 (let ((password-cache-expiry auth-source-cache-expiry))
759 (password-cache-add
760 (auth-source-format-cache-entry spec) found)))
762 (defun auth-source-recall (spec)
763 "Recall FOUND search results for SPEC."
764 (password-read-from-cache (auth-source-format-cache-entry spec)))
766 (defun auth-source-remembered-p (spec)
767 "Check if SPEC is remembered."
768 (password-in-cache-p
769 (auth-source-format-cache-entry spec)))
771 (defun auth-source-forget (spec)
772 "Forget any cached data matching SPEC exactly.
774 This is the same SPEC you passed to `auth-source-search'.
775 Returns t or nil for forgotten or not found."
776 (password-cache-remove (auth-source-format-cache-entry spec)))
778 ;;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
780 ;;; (auth-source-remember '(:host "wedd") '(4 5 6))
781 ;;; (auth-source-remembered-p '(:host "wedd"))
782 ;;; (auth-source-remember '(:host "xedd") '(1 2 3))
783 ;;; (auth-source-remembered-p '(:host "xedd"))
784 ;;; (auth-source-remembered-p '(:host "zedd"))
785 ;;; (auth-source-recall '(:host "xedd"))
786 ;;; (auth-source-recall '(:host t))
787 ;;; (auth-source-forget+ :host t)
789 (defun* auth-source-forget+ (&rest spec &allow-other-keys)
790 "Forget any cached data matching SPEC. Returns forgotten count.
792 This is not a full `auth-source-search' spec but works similarly.
793 For instance, \(:host \"myhost\" \"yourhost\") would find all the
794 cached data that was found with a search for those two hosts,
795 while \(:host t) would find all host entries."
796 (let ((count 0)
797 sname)
798 (loop for sym being the symbols of password-data
799 ;; when the symbol name matches with auth-source-magic
800 when (and (setq sname (symbol-name sym))
801 (string-match (concat "^" auth-source-magic "\\(.+\\)")
802 sname)
803 ;; and the spec matches what was stored in the cache
804 (auth-source-specmatchp spec (read (match-string 1 sname))))
805 ;; remove that key
806 do (progn
807 (password-cache-remove sname)
808 (incf count)))
809 count))
811 (defun auth-source-specmatchp (spec stored)
812 (let ((keys (loop for i below (length spec) by 2
813 collect (nth i spec))))
814 (not (eq
815 (dolist (key keys)
816 (unless (auth-source-search-collection (plist-get stored key)
817 (plist-get spec key))
818 (return 'no)))
819 'no))))
821 ;;; (auth-source-pick-first-password :host "z.lifelogs.com")
822 ;;; (auth-source-pick-first-password :port "imap")
823 (defun auth-source-pick-first-password (&rest spec)
824 "Pick the first secret found from applying SPEC to `auth-source-search'."
825 (let* ((result (nth 0 (apply 'auth-source-search (plist-put spec :max 1))))
826 (secret (plist-get result :secret)))
828 (if (functionp secret)
829 (funcall secret)
830 secret)))
832 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
833 (defun auth-source-format-prompt (prompt alist)
834 "Format PROMPT using %x (for any character x) specifiers in ALIST."
835 (dolist (cell alist)
836 (let ((c (nth 0 cell))
837 (v (nth 1 cell)))
838 (when (and c v)
839 (setq prompt (replace-regexp-in-string (format "%%%c" c)
840 (format "%s" v)
841 prompt)))))
842 prompt)
844 (defun auth-source-ensure-strings (values)
845 (unless (listp values)
846 (setq values (list values)))
847 (mapcar (lambda (value)
848 (if (numberp value)
849 (format "%s" value)
850 value))
851 values))
853 ;;; Backend specific parsing: netrc/authinfo backend
855 ;;; (auth-source-netrc-parse "~/.authinfo.gpg")
856 (defun* auth-source-netrc-parse (&rest
857 spec
858 &key file max host user port delete require
859 &allow-other-keys)
860 "Parse FILE and return a list of all entries in the file.
861 Note that the MAX parameter is used so we can exit the parse early."
862 (if (listp file)
863 ;; We got already parsed contents; just return it.
864 file
865 (when (file-exists-p file)
866 (setq port (auth-source-ensure-strings port))
867 (with-temp-buffer
868 (let* ((tokens '("machine" "host" "default" "login" "user"
869 "password" "account" "macdef" "force"
870 "port" "protocol"))
871 (max (or max 5000)) ; sanity check: default to stop at 5K
872 (modified 0)
873 (cached (cdr-safe (assoc file auth-source-netrc-cache)))
874 (cached-mtime (plist-get cached :mtime))
875 (cached-secrets (plist-get cached :secret))
876 alist elem result pair)
878 (if (and (functionp cached-secrets)
879 (equal cached-mtime
880 (nth 5 (file-attributes file))))
881 (progn
882 (auth-source-do-trivia
883 "auth-source-netrc-parse: using CACHED file data for %s"
884 file)
885 (insert (funcall cached-secrets)))
886 (insert-file-contents file)
887 ;; cache all netrc files (used to be just .gpg files)
888 ;; Store the contents of the file heavily encrypted in memory.
889 ;; (note for the irony-impaired: they are just obfuscated)
890 (aput 'auth-source-netrc-cache file
891 (list :mtime (nth 5 (file-attributes file))
892 :secret (lexical-let ((v (mapcar '1+ (buffer-string))))
893 (lambda () (apply 'string (mapcar '1- v)))))))
894 (goto-char (point-min))
895 ;; Go through the file, line by line.
896 (while (and (not (eobp))
897 (> max 0))
899 (narrow-to-region (point) (point-at-eol))
900 ;; For each line, get the tokens and values.
901 (while (not (eobp))
902 (skip-chars-forward "\t ")
903 ;; Skip lines that begin with a "#".
904 (if (eq (char-after) ?#)
905 (goto-char (point-max))
906 (unless (eobp)
907 (setq elem
908 (if (= (following-char) ?\")
909 (read (current-buffer))
910 (buffer-substring
911 (point) (progn (skip-chars-forward "^\t ")
912 (point)))))
913 (cond
914 ((equal elem "macdef")
915 ;; We skip past the macro definition.
916 (widen)
917 (while (and (zerop (forward-line 1))
918 (looking-at "$")))
919 (narrow-to-region (point) (point)))
920 ((member elem tokens)
921 ;; Tokens that don't have a following value are ignored,
922 ;; except "default".
923 (when (and pair (or (cdr pair)
924 (equal (car pair) "default")))
925 (push pair alist))
926 (setq pair (list elem)))
928 ;; Values that haven't got a preceding token are ignored.
929 (when pair
930 (setcdr pair elem)
931 (push pair alist)
932 (setq pair nil)))))))
934 (when (and alist
935 (> max 0)
936 (auth-source-search-collection
937 host
939 (aget alist "machine")
940 (aget alist "host")
942 (auth-source-search-collection
943 user
945 (aget alist "login")
946 (aget alist "account")
947 (aget alist "user")
949 (auth-source-search-collection
950 port
952 (aget alist "port")
953 (aget alist "protocol")
956 ;; the required list of keys is nil, or
957 (null require)
958 ;; every element of require is in the normalized list
959 (let ((normalized (nth 0 (auth-source-netrc-normalize
960 (list alist) file))))
961 (loop for req in require
962 always (plist-get normalized req)))))
963 (decf max)
964 (push (nreverse alist) result)
965 ;; to delete a line, we just comment it out
966 (when delete
967 (goto-char (point-min))
968 (insert "#")
969 (incf modified)))
970 (setq alist nil
971 pair nil)
972 (widen)
973 (forward-line 1))
975 (when (< 0 modified)
976 (when auth-source-gpg-encrypt-to
977 ;; (see bug#7487) making `epa-file-encrypt-to' local to
978 ;; this buffer lets epa-file skip the key selection query
979 ;; (see the `local-variable-p' check in
980 ;; `epa-file-write-region').
981 (unless (local-variable-p 'epa-file-encrypt-to (current-buffer))
982 (make-local-variable 'epa-file-encrypt-to))
983 (if (listp auth-source-gpg-encrypt-to)
984 (setq epa-file-encrypt-to auth-source-gpg-encrypt-to)))
986 ;; ask AFTER we've successfully opened the file
987 (when (y-or-n-p (format "Save file %s? (%d deletions)"
988 file modified))
989 (write-region (point-min) (point-max) file nil 'silent)
990 (auth-source-do-debug
991 "auth-source-netrc-parse: modified %d lines in %s"
992 modified file)))
994 (nreverse result))))))
996 (defvar auth-source-passphrase-alist nil)
998 (defun auth-source-token-passphrase-callback-function (context key-id file)
999 (let* ((file (file-truename file))
1000 (entry (assoc file auth-source-passphrase-alist))
1001 passphrase)
1002 ;; return the saved passphrase, calling a function if needed
1003 (or (copy-sequence (if (functionp (cdr entry))
1004 (funcall (cdr entry))
1005 (cdr entry)))
1006 (progn
1007 (unless entry
1008 (setq entry (list file))
1009 (push entry auth-source-passphrase-alist))
1010 (setq passphrase
1011 (read-passwd
1012 (format "Passphrase for %s tokens: " file)
1014 (setcdr entry (lexical-let ((p (copy-sequence passphrase)))
1015 (lambda () p)))
1016 passphrase))))
1018 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1019 (defun auth-source-epa-extract-gpg-token (secret file)
1020 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1021 FILE is the file from which we obtained this token."
1022 (when (string-match "^gpg:\\(.+\\)" secret)
1023 (setq secret (base64-decode-string (match-string 1 secret))))
1024 (let ((context (epg-make-context 'OpenPGP))
1025 plain)
1026 (epg-context-set-passphrase-callback
1027 context
1028 (cons #'auth-source-token-passphrase-callback-function
1029 file))
1030 (epg-decrypt-string context secret)))
1032 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1033 (defun auth-source-epa-make-gpg-token (secret file)
1034 (let ((context (epg-make-context 'OpenPGP))
1035 (pp-escape-newlines nil)
1036 cipher)
1037 (epg-context-set-armor context t)
1038 (epg-context-set-passphrase-callback
1039 context
1040 (cons #'auth-source-token-passphrase-callback-function
1041 file))
1042 (setq cipher (epg-encrypt-string context secret nil))
1043 (with-temp-buffer
1044 (insert cipher)
1045 (base64-encode-region (point-min) (point-max) t)
1046 (concat "gpg:" (buffer-substring-no-properties
1047 (point-min)
1048 (point-max))))))
1050 (defun auth-source-netrc-normalize (alist filename)
1051 (mapcar (lambda (entry)
1052 (let (ret item)
1053 (while (setq item (pop entry))
1054 (let ((k (car item))
1055 (v (cdr item)))
1057 ;; apply key aliases
1058 (setq k (cond ((member k '("machine")) "host")
1059 ((member k '("login" "account")) "user")
1060 ((member k '("protocol")) "port")
1061 ((member k '("password")) "secret")
1062 (t k)))
1064 ;; send back the secret in a function (lexical binding)
1065 (when (equal k "secret")
1066 (setq v (lexical-let ((lexv v)
1067 (token-decoder nil))
1068 (when (string-match "^gpg:" lexv)
1069 ;; it's a GPG token: create a token decoder
1070 ;; which unsets itself once
1071 (setq token-decoder
1072 (lambda (val)
1073 (prog1
1074 (auth-source-epa-extract-gpg-token
1076 filename)
1077 (setq token-decoder nil)))))
1078 (lambda ()
1079 (when token-decoder
1080 (setq lexv (funcall token-decoder lexv)))
1081 lexv))))
1082 (setq ret (plist-put ret
1083 (intern (concat ":" k))
1084 v))))
1085 ret))
1086 alist))
1088 ;;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1089 ;;; (funcall secret)
1091 (defun* auth-source-netrc-search (&rest
1092 spec
1093 &key backend require create delete
1094 type max host user port
1095 &allow-other-keys)
1096 "Given a property list SPEC, return search matches from the :backend.
1097 See `auth-source-search' for details on SPEC."
1098 ;; just in case, check that the type is correct (null or same as the backend)
1099 (assert (or (null type) (eq type (oref backend type)))
1100 t "Invalid netrc search: %s %s")
1102 (let ((results (auth-source-netrc-normalize
1103 (auth-source-netrc-parse
1104 :max max
1105 :require require
1106 :delete delete
1107 :file (oref backend source)
1108 :host (or host t)
1109 :user (or user t)
1110 :port (or port t))
1111 (oref backend source))))
1113 ;; if we need to create an entry AND none were found to match
1114 (when (and create
1115 (not results))
1117 ;; create based on the spec and record the value
1118 (setq results (or
1119 ;; if the user did not want to create the entry
1120 ;; in the file, it will be returned
1121 (apply (slot-value backend 'create-function) spec)
1122 ;; if not, we do the search again without :create
1123 ;; to get the updated data.
1125 ;; the result will be returned, even if the search fails
1126 (apply 'auth-source-netrc-search
1127 (plist-put spec :create nil)))))
1128 results))
1130 (defun auth-source-netrc-element-or-first (v)
1131 (if (listp v)
1132 (nth 0 v)
1135 ;;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1136 ;;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1138 (defun* auth-source-netrc-create (&rest spec
1139 &key backend
1140 secret host user port create
1141 &allow-other-keys)
1142 (let* ((base-required '(host user port secret))
1143 ;; we know (because of an assertion in auth-source-search) that the
1144 ;; :create parameter is either t or a list (which includes nil)
1145 (create-extra (if (eq t create) nil create))
1146 (current-data (car (auth-source-search :max 1
1147 :host host
1148 :port port)))
1149 (required (append base-required create-extra))
1150 (file (oref backend source))
1151 (add "")
1152 ;; `valist' is an alist
1153 valist
1154 ;; `artificial' will be returned if no creation is needed
1155 artificial)
1157 ;; only for base required elements (defined as function parameters):
1158 ;; fill in the valist with whatever data we may have from the search
1159 ;; we complete the first value if it's a list and use the value otherwise
1160 (dolist (br base-required)
1161 (when (symbol-value br)
1162 (let ((br-choice (cond
1163 ;; all-accepting choice (predicate is t)
1164 ((eq t (symbol-value br)) nil)
1165 ;; just the value otherwise
1166 (t (symbol-value br)))))
1167 (when br-choice
1168 (aput 'valist br br-choice)))))
1170 ;; for extra required elements, see if the spec includes a value for them
1171 (dolist (er create-extra)
1172 (let ((name (concat ":" (symbol-name er)))
1173 (keys (loop for i below (length spec) by 2
1174 collect (nth i spec))))
1175 (dolist (k keys)
1176 (when (equal (symbol-name k) name)
1177 (aput 'valist er (plist-get spec k))))))
1179 ;; for each required element
1180 (dolist (r required)
1181 (let* ((data (aget valist r))
1182 ;; take the first element if the data is a list
1183 (data (or (auth-source-netrc-element-or-first data)
1184 (plist-get current-data
1185 (intern (format ":%s" r) obarray))))
1186 ;; this is the default to be offered
1187 (given-default (aget auth-source-creation-defaults r))
1188 ;; the default supplementals are simple:
1189 ;; for the user, try `given-default' and then (user-login-name);
1190 ;; otherwise take `given-default'
1191 (default (cond
1192 ((and (not given-default) (eq r 'user))
1193 (user-login-name))
1194 (t given-default)))
1195 (printable-defaults (list
1196 (cons 'user
1198 (auth-source-netrc-element-or-first
1199 (aget valist 'user))
1200 (plist-get artificial :user)
1201 "[any user]"))
1202 (cons 'host
1204 (auth-source-netrc-element-or-first
1205 (aget valist 'host))
1206 (plist-get artificial :host)
1207 "[any host]"))
1208 (cons 'port
1210 (auth-source-netrc-element-or-first
1211 (aget valist 'port))
1212 (plist-get artificial :port)
1213 "[any port]"))))
1214 (prompt (or (aget auth-source-creation-prompts r)
1215 (case r
1216 (secret "%p password for %u@%h: ")
1217 (user "%p user name for %h: ")
1218 (host "%p host name for user %u: ")
1219 (port "%p port for %u@%h: "))
1220 (format "Enter %s (%%u@%%h:%%p): " r)))
1221 (prompt (auth-source-format-prompt
1222 prompt
1223 `((?u ,(aget printable-defaults 'user))
1224 (?h ,(aget printable-defaults 'host))
1225 (?p ,(aget printable-defaults 'port))))))
1227 ;; Store the data, prompting for the password if needed.
1228 (setq data (or data
1229 (if (eq r 'secret)
1230 ;; Special case prompt for passwords.
1231 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1232 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1233 (let* ((ep (format "Use GPG password tokens in %s?" file))
1234 (gpg-encrypt
1235 (cond
1236 ((eq auth-source-netrc-use-gpg-tokens 'never)
1237 'never)
1238 ((listp auth-source-netrc-use-gpg-tokens)
1239 (let ((check (copy-sequence
1240 auth-source-netrc-use-gpg-tokens))
1241 item ret)
1242 (while check
1243 (setq item (pop check))
1244 (when (or (eq (car item) t)
1245 (string-match (car item) file))
1246 (setq ret (cdr item))
1247 (setq check nil)))))
1248 (t 'never)))
1249 (plain (or (eval default) (read-passwd prompt))))
1250 ;; ask if we don't know what to do (in which case
1251 ;; auth-source-netrc-use-gpg-tokens must be a list)
1252 (unless gpg-encrypt
1253 (setq gpg-encrypt (if (y-or-n-p ep) 'gpg 'never))
1254 ;; TODO: save the defcustom now? or ask?
1255 (setq auth-source-netrc-use-gpg-tokens
1256 (cons `(,file ,gpg-encrypt)
1257 auth-source-netrc-use-gpg-tokens)))
1258 (if (eq gpg-encrypt 'gpg)
1259 (auth-source-epa-make-gpg-token plain file)
1260 plain))
1261 (if (stringp default)
1262 (read-string (if (string-match ": *\\'" prompt)
1263 (concat (substring prompt 0 (match-beginning 0))
1264 " (default " default "): ")
1265 (concat prompt "(default " default ") "))
1266 nil nil default)
1267 (eval default)))))
1269 (when data
1270 (setq artificial (plist-put artificial
1271 (intern (concat ":" (symbol-name r)))
1272 (if (eq r 'secret)
1273 (lexical-let ((data data))
1274 (lambda () data))
1275 data))))
1277 ;; When r is not an empty string...
1278 (when (and (stringp data)
1279 (< 0 (length data)))
1280 ;; this function is not strictly necessary but I think it
1281 ;; makes the code clearer -tzz
1282 (let ((printer (lambda ()
1283 ;; append the key (the symbol name of r)
1284 ;; and the value in r
1285 (format "%s%s %s"
1286 ;; prepend a space
1287 (if (zerop (length add)) "" " ")
1288 ;; remap auth-source tokens to netrc
1289 (case r
1290 (user "login")
1291 (host "machine")
1292 (secret "password")
1293 (port "port") ; redundant but clearer
1294 (t (symbol-name r)))
1295 (if (string-match "[\" ]" data)
1296 (format "%S" data)
1297 data)))))
1298 (setq add (concat add (funcall printer)))))))
1300 (plist-put
1301 artificial
1302 :save-function
1303 (lexical-let ((file file)
1304 (add add))
1305 (lambda () (auth-source-netrc-saver file add))))
1307 (list artificial)))
1309 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1310 (defun auth-source-netrc-saver (file add)
1311 "Save a line ADD in FILE, prompting along the way.
1312 Respects `auth-source-save-behavior'. Uses
1313 `auth-source-netrc-cache' to avoid prompting more than once."
1314 (let* ((key (format "%s %s" file (rfc2104-hash 'md5 64 16 file add)))
1315 (cached (assoc key auth-source-netrc-cache)))
1317 (if cached
1318 (auth-source-do-trivia
1319 "auth-source-netrc-saver: found previous run for key %s, returning"
1320 key)
1321 (with-temp-buffer
1322 (when (file-exists-p file)
1323 (insert-file-contents file))
1324 (when auth-source-gpg-encrypt-to
1325 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1326 ;; this buffer lets epa-file skip the key selection query
1327 ;; (see the `local-variable-p' check in
1328 ;; `epa-file-write-region').
1329 (unless (local-variable-p 'epa-file-encrypt-to (current-buffer))
1330 (make-local-variable 'epa-file-encrypt-to))
1331 (if (listp auth-source-gpg-encrypt-to)
1332 (setq epa-file-encrypt-to auth-source-gpg-encrypt-to)))
1333 ;; we want the new data to be found first, so insert at beginning
1334 (goto-char (point-min))
1336 ;; Ask AFTER we've successfully opened the file.
1337 (let ((prompt (format "Save auth info to file %s? " file))
1338 (done (not (eq auth-source-save-behavior 'ask)))
1339 (bufname "*auth-source Help*")
1341 (while (not done)
1342 (setq k (auth-source-read-char-choice prompt '(?y ?n ?N ?e ??)))
1343 (case k
1344 (?y (setq done t))
1345 (?? (save-excursion
1346 (with-output-to-temp-buffer bufname
1347 (princ
1348 (concat "(y)es, save\n"
1349 "(n)o but use the info\n"
1350 "(N)o and don't ask to save again\n"
1351 "(e)dit the line\n"
1352 "(?) for help as you can see.\n"))
1353 ;; Why? Doesn't with-output-to-temp-buffer already do
1354 ;; the exact same thing anyway? --Stef
1355 (set-buffer standard-output)
1356 (help-mode))))
1357 (?n (setq add ""
1358 done t))
1360 (setq add ""
1361 done t)
1362 (customize-save-variable 'auth-source-save-behavior nil))
1363 (?e (setq add (read-string "Line to add: " add)))
1364 (t nil)))
1366 (when (get-buffer-window bufname)
1367 (delete-window (get-buffer-window bufname)))
1369 ;; Make sure the info is not saved.
1370 (when (null auth-source-save-behavior)
1371 (setq add ""))
1373 (when (< 0 (length add))
1374 (progn
1375 (unless (bolp)
1376 (insert "\n"))
1377 (insert add "\n")
1378 (write-region (point-min) (point-max) file nil 'silent)
1379 ;; Make the .authinfo file non-world-readable.
1380 (set-file-modes file #o600)
1381 (auth-source-do-debug
1382 "auth-source-netrc-create: wrote 1 new line to %s"
1383 file)
1384 (message "Saved new authentication information to %s" file)
1385 nil))))
1386 (aput 'auth-source-netrc-cache key "ran"))))
1388 ;;; Backend specific parsing: Secrets API backend
1390 ;;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1391 ;;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1392 ;;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1393 ;;; (let ((auth-sources '(default))) (auth-source-search))
1394 ;;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1395 ;;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1397 (defun* auth-source-secrets-search (&rest
1398 spec
1399 &key backend create delete label
1400 type max host user port
1401 &allow-other-keys)
1402 "Search the Secrets API; spec is like `auth-source'.
1404 The :label key specifies the item's label. It is the only key
1405 that can specify a substring. Any :label value besides a string
1406 will allow any label.
1408 All other search keys must match exactly. If you need substring
1409 matching, do a wider search and narrow it down yourself.
1411 You'll get back all the properties of the token as a plist.
1413 Here's an example that looks for the first item in the 'Login'
1414 Secrets collection:
1416 \(let ((auth-sources '(\"secrets:Login\")))
1417 (auth-source-search :max 1)
1419 Here's another that looks for the first item in the 'Login'
1420 Secrets collection whose label contains 'gnus':
1422 \(let ((auth-sources '(\"secrets:Login\")))
1423 (auth-source-search :max 1 :label \"gnus\")
1425 And this one looks for the first item in the 'Login' Secrets
1426 collection that's a Google Chrome entry for the git.gnus.org site
1427 authentication tokens:
1429 \(let ((auth-sources '(\"secrets:Login\")))
1430 (auth-source-search :max 1 :signon_realm \"https://git.gnus.org/Git\"))
1433 ;; TODO
1434 (assert (not create) nil
1435 "The Secrets API auth-source backend doesn't support creation yet")
1436 ;; TODO
1437 ;; (secrets-delete-item coll elt)
1438 (assert (not delete) nil
1439 "The Secrets API auth-source backend doesn't support deletion yet")
1441 (let* ((coll (oref backend source))
1442 (max (or max 5000)) ; sanity check: default to stop at 5K
1443 (ignored-keys '(:create :delete :max :backend :label))
1444 (search-keys (loop for i below (length spec) by 2
1445 unless (memq (nth i spec) ignored-keys)
1446 collect (nth i spec)))
1447 ;; build a search spec without the ignored keys
1448 ;; if a search key is nil or t (match anything), we skip it
1449 (search-spec (apply 'append (mapcar
1450 (lambda (k)
1451 (if (or (null (plist-get spec k))
1452 (eq t (plist-get spec k)))
1454 (list k (plist-get spec k))))
1455 search-keys)))
1456 ;; needed keys (always including host, login, port, and secret)
1457 (returned-keys (mm-delete-duplicates (append
1458 '(:host :login :port :secret)
1459 search-keys)))
1460 (items (loop for item in (apply 'secrets-search-items coll search-spec)
1461 unless (and (stringp label)
1462 (not (string-match label item)))
1463 collect item))
1464 ;; TODO: respect max in `secrets-search-items', not after the fact
1465 (items (butlast items (- (length items) max)))
1466 ;; convert the item name to a full plist
1467 (items (mapcar (lambda (item)
1468 (append
1469 ;; make an entry for the secret (password) element
1470 (list
1471 :secret
1472 (lexical-let ((v (secrets-get-secret coll item)))
1473 (lambda () v)))
1474 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1475 (apply 'append
1476 (mapcar (lambda (entry)
1477 (list (car entry) (cdr entry)))
1478 (secrets-get-attributes coll item)))))
1479 items))
1480 ;; ensure each item has each key in `returned-keys'
1481 (items (mapcar (lambda (plist)
1482 (append
1483 (apply 'append
1484 (mapcar (lambda (req)
1485 (if (plist-get plist req)
1487 (list req nil)))
1488 returned-keys))
1489 plist))
1490 items)))
1491 items))
1493 (defun* auth-source-secrets-create (&rest
1494 spec
1495 &key backend type max host user port
1496 &allow-other-keys)
1497 ;; TODO
1498 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1499 (debug spec))
1501 ;;; Backend specific parsing: PLSTORE backend
1503 (defun* auth-source-plstore-search (&rest
1504 spec
1505 &key backend create delete label
1506 type max host user port
1507 &allow-other-keys)
1508 "Search the PLSTORE; spec is like `auth-source'."
1509 (let* ((store (oref backend data))
1510 (max (or max 5000)) ; sanity check: default to stop at 5K
1511 (ignored-keys '(:create :delete :max :backend :require))
1512 (search-keys (loop for i below (length spec) by 2
1513 unless (memq (nth i spec) ignored-keys)
1514 collect (nth i spec)))
1515 ;; build a search spec without the ignored keys
1516 ;; if a search key is nil or t (match anything), we skip it
1517 (search-spec (apply 'append (mapcar
1518 (lambda (k)
1519 (let ((v (plist-get spec k)))
1520 (if (or (null v)
1521 (eq t v))
1523 (if (stringp v)
1524 (setq v (list v)))
1525 (list k v))))
1526 search-keys)))
1527 ;; needed keys (always including host, login, port, and secret)
1528 (returned-keys (mm-delete-duplicates (append
1529 '(:host :login :port :secret)
1530 search-keys)))
1531 (items (plstore-find store search-spec))
1532 (item-names (mapcar #'car items))
1533 (items (butlast items (- (length items) max)))
1534 ;; convert the item to a full plist
1535 (items (mapcar (lambda (item)
1536 (let* ((plist (copy-tree (cdr item)))
1537 (secret (plist-member plist :secret)))
1538 (if secret
1539 (setcar
1540 (cdr secret)
1541 (lexical-let ((v (car (cdr secret))))
1542 (lambda () v))))
1543 plist))
1544 items))
1545 ;; ensure each item has each key in `returned-keys'
1546 (items (mapcar (lambda (plist)
1547 (append
1548 (apply 'append
1549 (mapcar (lambda (req)
1550 (if (plist-get plist req)
1552 (list req nil)))
1553 returned-keys))
1554 plist))
1555 items)))
1556 (cond
1557 ;; if we need to create an entry AND none were found to match
1558 ((and create
1559 (not items))
1561 ;; create based on the spec and record the value
1562 (setq items (or
1563 ;; if the user did not want to create the entry
1564 ;; in the file, it will be returned
1565 (apply (slot-value backend 'create-function) spec)
1566 ;; if not, we do the search again without :create
1567 ;; to get the updated data.
1569 ;; the result will be returned, even if the search fails
1570 (apply 'auth-source-plstore-search
1571 (plist-put spec :create nil)))))
1572 ((and delete
1573 item-names)
1574 (dolist (item-name item-names)
1575 (plstore-delete store item-name))
1576 (plstore-save store)))
1577 items))
1579 (defun* auth-source-plstore-create (&rest spec
1580 &key backend
1581 secret host user port create
1582 &allow-other-keys)
1583 (let* ((base-required '(host user port secret))
1584 (base-secret '(secret))
1585 ;; we know (because of an assertion in auth-source-search) that the
1586 ;; :create parameter is either t or a list (which includes nil)
1587 (create-extra (if (eq t create) nil create))
1588 (current-data (car (auth-source-search :max 1
1589 :host host
1590 :port port)))
1591 (required (append base-required create-extra))
1592 (file (oref backend source))
1593 (add "")
1594 ;; `valist' is an alist
1595 valist
1596 ;; `artificial' will be returned if no creation is needed
1597 artificial
1598 secret-artificial)
1600 ;; only for base required elements (defined as function parameters):
1601 ;; fill in the valist with whatever data we may have from the search
1602 ;; we complete the first value if it's a list and use the value otherwise
1603 (dolist (br base-required)
1604 (when (symbol-value br)
1605 (let ((br-choice (cond
1606 ;; all-accepting choice (predicate is t)
1607 ((eq t (symbol-value br)) nil)
1608 ;; just the value otherwise
1609 (t (symbol-value br)))))
1610 (when br-choice
1611 (aput 'valist br br-choice)))))
1613 ;; for extra required elements, see if the spec includes a value for them
1614 (dolist (er create-extra)
1615 (let ((name (concat ":" (symbol-name er)))
1616 (keys (loop for i below (length spec) by 2
1617 collect (nth i spec))))
1618 (dolist (k keys)
1619 (when (equal (symbol-name k) name)
1620 (aput 'valist er (plist-get spec k))))))
1622 ;; for each required element
1623 (dolist (r required)
1624 (let* ((data (aget valist r))
1625 ;; take the first element if the data is a list
1626 (data (or (auth-source-netrc-element-or-first data)
1627 (plist-get current-data
1628 (intern (format ":%s" r) obarray))))
1629 ;; this is the default to be offered
1630 (given-default (aget auth-source-creation-defaults r))
1631 ;; the default supplementals are simple:
1632 ;; for the user, try `given-default' and then (user-login-name);
1633 ;; otherwise take `given-default'
1634 (default (cond
1635 ((and (not given-default) (eq r 'user))
1636 (user-login-name))
1637 (t given-default)))
1638 (printable-defaults (list
1639 (cons 'user
1641 (auth-source-netrc-element-or-first
1642 (aget valist 'user))
1643 (plist-get artificial :user)
1644 "[any user]"))
1645 (cons 'host
1647 (auth-source-netrc-element-or-first
1648 (aget valist 'host))
1649 (plist-get artificial :host)
1650 "[any host]"))
1651 (cons 'port
1653 (auth-source-netrc-element-or-first
1654 (aget valist 'port))
1655 (plist-get artificial :port)
1656 "[any port]"))))
1657 (prompt (or (aget auth-source-creation-prompts r)
1658 (case r
1659 (secret "%p password for %u@%h: ")
1660 (user "%p user name for %h: ")
1661 (host "%p host name for user %u: ")
1662 (port "%p port for %u@%h: "))
1663 (format "Enter %s (%%u@%%h:%%p): " r)))
1664 (prompt (auth-source-format-prompt
1665 prompt
1666 `((?u ,(aget printable-defaults 'user))
1667 (?h ,(aget printable-defaults 'host))
1668 (?p ,(aget printable-defaults 'port))))))
1670 ;; Store the data, prompting for the password if needed.
1671 (setq data (or data
1672 (if (eq r 'secret)
1673 (or (eval default) (read-passwd prompt))
1674 (if (stringp default)
1675 (read-string (if (string-match ": *\\'" prompt)
1676 (concat (substring prompt 0 (match-beginning 0))
1677 " (default " default "): ")
1678 (concat prompt "(default " default ") "))
1679 nil nil default)
1680 (eval default)))))
1682 (when data
1683 (if (member r base-secret)
1684 (setq secret-artificial
1685 (plist-put secret-artificial
1686 (intern (concat ":" (symbol-name r)))
1687 data))
1688 (setq artificial (plist-put artificial
1689 (intern (concat ":" (symbol-name r)))
1690 data))))))
1691 (plstore-put (oref backend data)
1692 (sha1 (format "%s@%s:%s"
1693 (plist-get artificial :user)
1694 (plist-get artificial :host)
1695 (plist-get artificial :port)))
1696 artificial secret-artificial)
1697 (if (y-or-n-p (format "Save auth info to file %s? "
1698 (plstore-get-file (oref backend data))))
1699 (plstore-save (oref backend data)))))
1701 ;;; older API
1703 ;;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
1705 ;; deprecate the old interface
1706 (make-obsolete 'auth-source-user-or-password
1707 'auth-source-search "Emacs 24.1")
1708 (make-obsolete 'auth-source-forget-user-or-password
1709 'auth-source-forget "Emacs 24.1")
1711 (defun auth-source-user-or-password
1712 (mode host port &optional username create-missing delete-existing)
1713 "Find MODE (string or list of strings) matching HOST and PORT.
1715 DEPRECATED in favor of `auth-source-search'!
1717 USERNAME is optional and will be used as \"login\" in a search
1718 across the Secret Service API (see secrets.el) if the resulting
1719 items don't have a username. This means that if you search for
1720 username \"joe\" and it matches an item but the item doesn't have
1721 a :user attribute, the username \"joe\" will be returned.
1723 A non nil DELETE-EXISTING means deleting any matching password
1724 entry in the respective sources. This is useful only when
1725 CREATE-MISSING is non nil as well; the intended use case is to
1726 remove wrong password entries.
1728 If no matching entry is found, and CREATE-MISSING is non nil,
1729 the password will be retrieved interactively, and it will be
1730 stored in the password database which matches best (see
1731 `auth-sources').
1733 MODE can be \"login\" or \"password\"."
1734 (auth-source-do-debug
1735 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
1736 mode host port username)
1738 (let* ((listy (listp mode))
1739 (mode (if listy mode (list mode)))
1740 (cname (if username
1741 (format "%s %s:%s %s" mode host port username)
1742 (format "%s %s:%s" mode host port)))
1743 (search (list :host host :port port))
1744 (search (if username (append search (list :user username)) search))
1745 (search (if create-missing
1746 (append search (list :create t))
1747 search))
1748 (search (if delete-existing
1749 (append search (list :delete t))
1750 search))
1751 ;; (found (if (not delete-existing)
1752 ;; (gethash cname auth-source-cache)
1753 ;; (remhash cname auth-source-cache)
1754 ;; nil)))
1755 (found nil))
1756 (if found
1757 (progn
1758 (auth-source-do-debug
1759 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
1760 mode
1761 ;; don't show the password
1762 (if (and (member "password" mode) t)
1763 "SECRET"
1764 found)
1765 host port username)
1766 found) ; return the found data
1767 ;; else, if not found, search with a max of 1
1768 (let ((choice (nth 0 (apply 'auth-source-search
1769 (append '(:max 1) search)))))
1770 (when choice
1771 (dolist (m mode)
1772 (cond
1773 ((equal "password" m)
1774 (push (if (plist-get choice :secret)
1775 (funcall (plist-get choice :secret))
1776 nil) found))
1777 ((equal "login" m)
1778 (push (plist-get choice :user) found)))))
1779 (setq found (nreverse found))
1780 (setq found (if listy found (car-safe found)))))
1782 found))
1784 (provide 'auth-source)
1786 ;;; auth-source.el ends here