| blob | 66e1897b8777e7c4b2fd262ae47659f6b172ef77 |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs -*- lexical-binding: t -*-
3 ;; Copyright (C) 2008-2018 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
76 "Authentication sources."
80 ;;;###autoload
82 "How many seconds passwords are cached, or nil to disable
83 expiring. Overrides `password-cache-expiry' through a
84 let-binding."
93 ;; The slots below correspond with the `auth-source-search' spec,
94 ;; so a backend with :host set, for instance, would match only
95 ;; searches for that host. Normally they are nil.
99 :type symbol
100 :custom symbol
103 :type string
104 :custom string
107 :initform t
108 :type t
109 :custom string
112 :initform t
113 :type t
114 :custom string
117 :initform t
118 :type t
119 :custom string
122 :initform nil
125 :initform ignore
126 :type function
127 :custom function
130 :initform ignore
131 :type function
132 :custom function
140 "List of authentication protocols and their names"
150 ;; Generate all the protocols in a format Customize can use.
151 ;; TODO: generate on the fly from auth-source-protocols
157 p)))
158 auth-source-protocols))
161 ;; FIXME: AFAICT this is not set (or let-bound) anywhere!
170 "If set, auth-source will respect it for save behavior."
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
205 "Whether auth-source should cache information with `password-cache'."
211 "Whether auth-source should log debug messages.
213 If the value is nil, debug messages are not logged.
215 If the value is t, debug messages are logged with `message'. In
216 that case, your authentication data will be in the clear (except
217 for passwords).
219 If the value is a function, debug messages are logged by calling
220 that function using the same arguments as `message'."
227 trivia)
232 "List of authentication sources.
233 Each entry is the authentication type with optional properties.
234 Entries are tried in the order in which they appear.
235 See Info node `(auth)Help for users' for details.
238 EPA/EPG set up, the file will be encrypted and decrypted
239 automatically. See Info node `(epa)Encrypting/decrypting gpg files'
240 for details.
243 can get pretty complex."
254 macos-keychain-internet)
257 macos-keychain-generic)
311 "List of recipient keys that `authinfo.gpg' encrypted to.
312 If the value is not a list, symmetric encryption will be used."
330 ;; set logger to either the function in auth-source-debug or 'message
331 ;; note that it will be 'message if auth-source-debug is nil
333 auth-source-debug
335 msg))
338 "Read one of CHOICES by `read-char-choice', or `read-char'.
339 `dropdown-list' support is disabled because it doesn't work reliably.
340 Only one of CHOICES will be returned. The PROMPT is augmented
348 k)
352 k)))
355 "List of auth-source parser functions.
356 Each function takes an entry from `auth-sources' as parameter and
357 returns a backend or nil if the entry is not supported. Add a
358 parser function to this list with `add-hook'. Searching for a
359 backend starts with the first element on the list and stops as
363 "Create an auth-source-backend from an ENTRY in `auth-sources'."
371 ;; none of the parsers worked
380 ;; take just a file name use it as a netrc/plist file
381 ;; matching any user, host, and protocol
397 source
398 :source source
405 source
406 :source source
411 source
412 :source source
417 ;; Note this function should be last in the parser functions, so we add it first
421 ;; take macos-keychain-{internet,generic}:XYZ and use it as macOS
422 ;; Keychain "XYZ" matching any user, host, and protocol
424 entry))
428 entry))
431 ;; take 'macos-keychain-internet or generic and use it as a Mac OS
432 ;; Keychain collection matching any user, host, and protocol
438 ;; the macOS Keychain
449 'macos-keychain-generic
452 :macos-keychain-generic
460 :source source
461 :type keychain-type
468 ;; take secrets:XYZ and use it as Secrets API collection "XYZ"
469 ;; matching any user, host, and protocol
472 ;; take 'default and use it as a Secrets API default collection
473 ;; matching any user, host, and protocol
477 ;; the Secrets API. We require the package, in order to have a
478 ;; defined value for `secrets-enabled'.
488 ;; the source is either the :secrets key in ENTRY or
489 ;; if that's missing or nil, it's "session"
492 ;; if the source is a symbol, we look for the alias named so,
493 ;; and if that alias is missing, we use "Login"
501 :source source
515 "Fills in the extra auth-source-backend parameters of ENTRY.
516 Using the plist ENTRY, get the :host, :port, and :user search
517 parameters."
519 nil
520 entry))
521 val)
528 backend)
530 ;; (mapcar 'auth-source-backend-parse auth-sources)
533 &key max require create delete
535 "Search or modify authentication backends according to SPEC.
537 This function parses `auth-sources' for matches of the SPEC
538 plist. It can optionally create or update an authentication
539 token if requested. A token is just a standard Emacs property
540 list with a :secret property that can be a function; all the
541 other properties will always hold scalar values.
543 Typically the :secret property, if present, contains a password.
545 Common search keys are :max, :host, :port, and :user. In
546 addition, :create specifies if and how tokens will be created.
547 Finally, :type can specify which backend types you want to check.
549 A string value is always matched literally. A symbol is matched
550 as its string value, literally. All the SPEC values can be
551 single values (symbol or string) or lists thereof (in which case
552 any of the search terms matches).
554 :create t means to create a token if possible.
556 A new token will be created if no matching tokens were found.
557 The new token will have only the keys the backend requires. For
558 the netrc backend, for instance, that's the user, host, and
559 port keys.
561 Here's an example:
567 :create t))
569 which says:
572 `netrc', maximum one result.
574 Create a new entry if you found none. The netrc backend will
575 automatically require host, user, and port. The host will be
576 `mine'. We prompt for the user with default `defaultUser' and
577 for the port without a default. We will not prompt for A, Q,
578 or P. The resulting token will only have keys user, host, and
583 The behavior is like :create t but if the list contains any
584 parameter, that parameter will be required in the resulting
585 token. The value for that parameter will be obtained from the
586 search parameters or from user input. If any queries are needed,
587 the alist `auth-source-creation-defaults' will be checked for the
588 default value. If the user, host, or port are missing, the alist
589 `auth-source-creation-prompts' will be used to look up the
590 prompts IN THAT ORDER (so the `user' prompt will be queried first,
591 then `host', then `port', and finally `secret'). Each prompt string
592 can use %u, %h, and %p to show the user, host, and port.
594 Here's an example:
598 (auth-source-creation-prompts
604 which says:
607 or `twosuch' in backends of type `netrc', maximum one result.
609 Create a new entry if you found none. The netrc backend will
610 automatically require host, user, and port. The host will be
611 `nonesuch' and Q will be `qqqq'. We prompt for the password
612 with the shown prompt. We will not prompt for Q. The resulting
613 token will have keys user, host, port, A, B, and Q. It will not
614 have P with any value, even though P is used in the search to
617 When multiple values are specified in the search parameter, the
618 user is prompted for which one. So :host (X Y Z) would ask the
619 user to choose between X, Y, and Z.
621 This creation can fail if the search was not specific enough to
622 create a new token (it's up to the backend to decide that). You
623 should `catch' the backend-specific error as usual. Some
624 backends (netrc, at least) will prompt the user rather than throw
625 an error.
627 :require (A B C) means that only results that contain those
628 tokens will be returned. Thus for instance requiring :secret
629 will ensure that any results will actually have a :secret
630 property.
632 :delete t means to delete any found entries. nil by default.
633 Use `auth-source-delete' in ELisp code instead of calling
634 `auth-source-search' directly with this parameter.
636 :type (X Y Z) will check only those backend types. `netrc' and
637 `secrets' are the only ones supported right now.
639 :max N means to try to return at most N items (defaults to 1).
640 More than N items may be returned, depending on the search and
641 the backend.
643 When :max is 0 the function will return just t or nil to indicate
644 if any matches were found.
646 :host (X Y Z) means to match only hosts X, Y, or Z according to
647 the match rules above. Defaults to t.
649 :user (X Y Z) means to match only users X, Y, or Z according to
650 the match rules above. Defaults to t.
652 :port (P Q R) means to match only protocols P, Q, or R.
653 Defaults to t.
655 :K (V1 V2 V3) for any other key K will match values V1, V2, or
656 V3 (note the match rules above).
658 The return value is a list with at most :max tokens. Each token
659 is a plist with keys :backend :host :port :user, plus any other
660 keys provided by the backend (notably :secret). But note the
661 exception for :max 0, which see above.
663 The token can hold a :save-function key. If you call that, the
664 user will be prompted to save the data to the backend. You can't
665 request that this should happen right after creation, because
666 `auth-source-search' has no way of knowing if the token is
667 actually useful. So the caller must arrange to call this function.
669 The token's :secret key can hold a function. In that case you
670 must call it to obtain the actual value."
678 ;; note that we may have cached results but found is still nil
679 ;; (there were no results from the search)
681 filtered-backends)
685 "auth-source-search: found %d CACHED results matching %S"
699 ;; ignore invalid slots
709 "auth-source-search: found %d backends matching %S"
712 ;; (debug spec "filtered" filtered-backends)
713 ;; First go through all the backends without :create, so we can
714 ;; query them all.
716 spec
717 ;; to exit early
718 max
719 ;; create is always nil here
720 nil delete
721 require))
724 "auth-source-search: found %d results (max %d) matching %S"
727 ;; If we didn't find anything, then we allow the backend(s) to
728 ;; create the entries.
732 spec
733 ;; to exit early
734 max
735 create delete
736 require))
738 "auth-source-search: CREATED %d results (max %d) matching %S"
741 ;; note we remember the lack of result too, if it's applicable
747 found)))
751 matches)
756 :backend backend
758 ;; note we're overriding whatever the spec
759 ;; has for :max, :require, :create, and :delete
760 :max max
761 :require require
762 :create create
763 :delete delete
764 spec)))
767 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
771 spec)
773 matches))
776 "Delete entries from the authentication backends according to SPEC.
777 Calls `auth-source-search' with the :delete property in SPEC set to t.
778 The backend may not actually delete the entries.
780 Returns the deleted entries."
784 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
788 ;; (debug :collection collection :value value)
797 "Forget all cached auth-source data."
801 ;; remove that key
803 password-data)
807 "Format SPEC entry to put it in the password cache."
811 "Remember FOUND search results for SPEC."
817 "Recall FOUND search results for SPEC."
821 "Check if SPEC is remembered."
826 "Forget any cached data matching SPEC exactly.
828 This is the same SPEC you passed to `auth-source-search'.
829 Returns t or nil for forgotten or not found."
833 "Forget any cached data matching SPEC. Returns forgotten count.
835 This is not a full `auth-source-search' spec but works similarly.
837 cached data that was found with a search for those two hosts,
838 while \(:host t) would find all host entries."
843 ;; and the spec matches what was stored in the cache
845 ;; remove that key
848 password-data)
849 count))
862 "Pick the first secret found from applying SPEC to `auth-source-search'."
868 secret)))
871 "Format PROMPT using %x (for any character x) specifiers in ALIST."
878 prompt nil t)))))
879 prompt)
883 values
889 value))
890 values)))
892 ;;; Backend specific parsing: netrc/authinfo backend
909 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
912 "Parse FILE and return a list of all entries in the file.
913 Note that the MAX parameter is used so we can exit the parse early."
915 ;; We got already parsed contents; just return it.
916 file
928 host
932 t))
934 user
939 t))
941 port
945 t))
947 ;; the required list of keys is nil, or
949 ;; every element of require is in n (normalized)
954 result)
961 "auth-source-netrc-parse: using CACHED file data for %s"
962 file)
965 ;; cache all netrc files (used to be just .gpg files)
966 ;; Store the contents of the file heavily encrypted in memory.
967 ;; (note for the irony-impaired: they are just obfuscated)
969 auth-source-netrc-cache file
975 alist)
981 ;; (see bug#7487) making `epa-file-encrypt-to' local to
982 ;; this buffer lets epa-file skip the key selection query
983 ;; (see the `local-variable-p' check in
984 ;; `epa-file-write-region').
990 ;; ask AFTER we've successfully opened the file
992 file modified))
995 "auth-source-netrc-parse: modified %d lines in %s"
996 modified file)))
1001 "Advance to the next interesting position in the current buffer."
1002 ;; If we're looking at a comment or are at the end of the line, move forward
1010 "Read one thing from the current buffer."
1020 ;; with thanks to org-mode
1024 ;; works also in narrowed buffer, because we start at 1, not point-min
1028 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1031 alist
1035 all))
1036 item item2 all alist default)
1039 ;; We're starting a new machine. Save the old one.
1043 ;; (auth-source-do-trivia
1044 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1046 alist nil))
1047 ;; In default entries, we don't have a next token.
1048 ;; We store them as ("machine" . t)
1051 ;; Not a default entry. Grab the next item.
1053 ;; Did we get a "machine" value?
1056 "%s: Unexpected `machine' token at line %d"
1057 "auth-source-netrc-parse-entries"
1061 ;; Clean up: if there's an entry left over, use it.
1064 ;; (auth-source-do-trivia
1065 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1066 )
1074 passphrase)
1075 ;; return the saved passphrase, calling a function if needed
1086 t))
1089 passphrase))))
1092 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1093 FILE is the file from which we obtained this token."
1098 context
1100 file))
1108 cipher)
1111 context
1113 file))
1132 ;; apply key aliases
1139 ;; send back the secret in a function (lexical binding)
1144 ;; it's a GPG token: create a token decoder
1145 ;; which unsets itself once
1150 val
1151 filename)
1156 lexv))))
1159 v))))
1160 ret))
1161 alist))
1164 &key backend require create
1165 type max host user port
1167 "Given a property list SPEC, return search matches from the :backend.
1168 See `auth-source-search' for details on SPEC."
1169 ;; just in case, check that the type is correct (null or same as the backend)
1175 :max max
1176 :require require
1183 ;; if we need to create an entry AND none were found to match
1187 ;; create based on the spec and record the value
1189 ;; if the user did not want to create the entry
1190 ;; in the file, it will be returned
1192 ;; if not, we do the search again without :create
1193 ;; to get the updated data.
1195 ;; the result will be returned, even if the search fails
1198 results))
1203 v))
1205 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1206 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1209 &key backend host port create
1212 ;; we know (because of an assertion in auth-source-search) that the
1213 ;; :create parameter is either t or a list (which includes nil)
1216 :host host
1221 ;; `valist' is an alist
1222 valist
1223 ;; `artificial' will be returned if no creation is needed
1224 artificial)
1226 ;; only for base required elements (defined as function parameters):
1227 ;; fill in the valist with whatever data we may have from the search
1228 ;; we complete the first value if it's a list and use the value otherwise
1233 ;; all-accepting choice (predicate is t)
1235 ;; just the value otherwise
1240 ;; for extra required elements, see if the spec includes a value for them
1248 ;; for each required element
1251 ;; take the first element if the data is a list
1255 ;; this is the default to be offered
1257 auth-source-creation-defaults r))
1258 ;; the default supplementals are simple:
1259 ;; for the user, try `given-default' and then (user-login-name);
1260 ;; otherwise take `given-default'
1292 prompt
1297 ;; Store the data, prompting for the password if needed.
1300 ;; Special case prompt for passwords.
1301 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") nil) (t gpg)))
1302 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1310 auth-source-netrc-use-gpg-tokens))
1311 item ret)
1318 ret))
1321 ;; ask if we don't know what to do (in which case
1322 ;; auth-source-netrc-use-gpg-tokens must be a list)
1325 ;; TODO: save the defcustom now? or ask?
1328 auth-source-netrc-use-gpg-tokens)))
1331 plain))
1337 nil nil default)
1346 data))))
1348 ;; When r is not an empty string...
1351 ;; this function is not strictly necessary but I think it
1352 ;; makes the code clearer -tzz
1354 ;; append the key (the symbol name of r)
1355 ;; and the value in r
1357 ;; prepend a space
1359 ;; remap auth-source tokens to netrc
1368 data)))))
1372 artificial
1373 :save-function
1381 "Save a line ADD in FILE, prompting along the way.
1382 Respects `auth-source-save-behavior'. Uses
1383 `auth-source-netrc-cache' to avoid prompting more than once."
1389 "auth-source-netrc-saver: found previous run for key %s, returning"
1390 key)
1395 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1396 ;; this buffer lets epa-file skip the key selection query
1397 ;; (see the `local-variable-p' check in
1398 ;; `epa-file-write-region').
1403 ;; we want the new data to be found first, so insert at beginning
1406 ;; Ask AFTER we've successfully opened the file.
1410 k)
1423 ;; Why? Doesn't with-output-to-temp-buffer already do
1424 ;; the exact same thing anyway? --Stef
1428 done t))
1429 (?N
1431 done t)
1439 ;; Make sure the info is not saved.
1449 ;; Make the .authinfo file non-world-readable.
1452 "auth-source-netrc-create: wrote 1 new line to %s"
1453 file)
1455 nil))))
1458 ;;; Backend specific parsing: Secrets API backend
1461 "Convert a pattern with lists to a list of string patterns.
1466 only string values for patterns, so this routine returns a list
1467 of patterns that is equivalent to the single original pattern
1468 when interpreted such that if a secret matches any pattern in the
1469 list, it matches the original pattern."
1482 &key backend create delete label max
1484 "Search the Secrets API; spec is like `auth-source'.
1486 The :label key specifies the item's label. It is the only key
1487 that can specify a substring. Any :label value besides a string
1488 will allow any label.
1490 All other search keys must match exactly. If you need substring
1491 matching, do a wider search and narrow it down yourself.
1493 You'll get back all the properties of the token as a plist.
1495 Here's an example that looks for the first item in the `Login'
1496 Secrets collection:
1499 (auth-source-search :max 1)
1501 Here's another that looks for the first item in the `Login'
1502 Secrets collection whose label contains `gnus':
1507 And this one looks for the first item in the `Login' Secrets
1508 collection that's a Google Chrome entry for the git.gnus.org site
1509 authentication tokens:
1513 "
1515 ;; TODO
1518 ;; TODO
1519 ;; (secrets-delete-item coll elt)
1529 ;; build a search spec without the ignored keys
1530 ;; if a search key is nil or t (match anything), we skip it
1536 nil
1538 search-keys))))
1539 ;; needed keys (always including host, login, port, and secret)
1542 search-keys)))
1545 for search-spec in search-specs
1546 nconc
1550 collect item)))
1551 ;; TODO: respect max in `secrets-search-items', not after the fact
1553 ;; convert the item name to a full plist
1556 ;; make an entry for the secret (password) element
1558 :secret
1561 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1566 items))
1567 ;; ensure each item has each key in `returned-keys'
1573 nil
1575 returned-keys))
1576 plist))
1577 items)))
1578 items))
1581 ;; TODO
1582 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1585 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1588 &key backend create delete type max
1590 "Search the macOS Keychain; spec is like `auth-source'.
1592 All search keys must match exactly. If you need substring
1593 matching, do a wider search and narrow it down yourself.
1595 You'll get back all the properties of the token as a plist.
1597 The :type key is either `macos-keychain-internet' or
1598 `macos-keychain-generic'.
1600 For the internet keychain type, the :label key searches the
1604 \(note PROT has to be a 4-character string).
1606 For the generic keychain type, the :label key searches the item's
1611 Here's an example that looks for the first item in the default
1612 generic macOS Keychain:
1615 (auth-source-search :max 1)
1617 Here's another that looks for the first item in the internet
1618 macOS Keychain collection whose label is `gnus':
1623 And this one looks for the first item in the internet keychain
1624 entries for git.gnus.org:
1628 "
1629 ;; TODO
1632 ;; TODO
1633 ;; (macos-keychain-delete-item coll elt)
1639 ;; Filter out ignored keys from the spec
1641 ;; Build a search spec without the ignored keys
1642 ;; FIXME make this loop a function? it's used in at least 3 places
1646 ;; If a search key value is nil or t (match anything), we skip it
1651 nil
1653 search-keys)))
1654 ;; needed keys (always including host, login, port, and secret)
1657 search-keys)))
1658 ;; Extract host and port from spec
1663 ;; Loop through all combinations of host/port and pass each of these to
1664 ;; auth-source-macos-keychain-search-items
1670 coll
1671 type
1672 max
1673 host port
1674 search-spec)))
1678 ;; ensure each item has each key in `returned-keys'
1684 nil
1686 returned-keys))
1687 plist))
1688 items)))
1689 items))
1704 else
1705 collect var))
1709 &key label type user
1713 "find-generic-password"
1729 port)))))
1741 ret
1742 keychain-generic
1743 "secret"
1747 ;; TODO: check if this is really the label
1748 ;; match 0x00000007 <blob>="AppleID"
1752 ret
1753 keychain-generic
1754 "label"
1756 ;; match "crtr"<uint32>="aapl"
1757 ;; match "svce"<blob>="AppleID"
1761 ret
1762 keychain-generic
1766 ;; return `ret' iff it has the :secret key
1774 ;; for generic keychains, creator is host, service is port
1777 ;; for internet keychains, protocol is port, server is host
1781 result))
1784 ;; TODO
1787 ;;; Backend specific parsing: PLSTORE backend
1790 &key backend create delete max
1792 "Search the PLSTORE; spec is like `auth-source'."
1799 ;; build a search spec without the ignored keys
1800 ;; if a search key is nil or t (match anything), we skip it
1806 nil
1810 search-keys)))
1811 ;; needed keys (always including host, login, port, and secret)
1814 search-keys)))
1818 ;; convert the item to a full plist
1827 plist))
1828 items))
1829 ;; ensure each item has each key in `returned-keys'
1835 nil
1837 returned-keys))
1838 plist))
1839 items)))
1841 ;; if we need to create an entry AND none were found to match
1845 ;; create based on the spec and record the value
1847 ;; if the user did not want to create the entry
1848 ;; in the file, it will be returned
1850 ;; if not, we do the search again without :create
1851 ;; to get the updated data.
1853 ;; the result will be returned, even if the search fails
1857 item-names)
1861 items))
1864 &key backend host port create
1868 ;; we know (because of an assertion in auth-source-search) that the
1869 ;; :create parameter is either t or a list (which includes nil)
1872 :host host
1875 ;; `valist' is an alist
1876 valist
1877 ;; `artificial' will be returned if no creation is needed
1878 artificial
1879 secret-artificial)
1881 ;; only for base required elements (defined as function parameters):
1882 ;; fill in the valist with whatever data we may have from the search
1883 ;; we complete the first value if it's a list and use the value otherwise
1888 ;; all-accepting choice (predicate is t)
1890 ;; just the value otherwise
1895 ;; for extra required elements, see if the spec includes a value for them
1903 ;; for each required element
1906 ;; take the first element if the data is a list
1910 ;; this is the default to be offered
1912 auth-source-creation-defaults r))
1913 ;; the default supplementals are simple:
1914 ;; for the user, try `given-default' and then (user-login-name);
1915 ;; otherwise take `given-default'
1947 prompt
1952 ;; Store the data, prompting for the password if needed.
1962 nil nil default)
1970 data))
1973 data))))))
1979 artificial secret-artificial)
1984 ;;; Backend specific parsing: JSON backend
1985 ;;; (auth-source-search :max 1 :machine "imap.gmail.com")
1986 ;;; (auth-source-search :max 1 :host '("my-gmail" "imap.gmail.com") :port '(993 "imaps" "imap" "993" "143") :user nil :require '(:user :secret))
1995 t))
2002 t))
2008 t))
2010 ;; the required list of keys is nil, or
2012 ;; every element of require is in
2017 &key backend require
2018 type max host user port
2020 "Given a property list SPEC, return search matches from the :backend.
2021 See `auth-source-search' for details on SPEC."
2022 ;; just in case, check that the type is correct (null or same as the backend)
2026 ;; Hide the secrets early to avoid accidental exposure.
2039 ;; send back the secret in a function (lexical binding)
2044 ret))
2047 all)
2055 ;;; older API
2057 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2059 ;; deprecate the old interface
2067 "Find MODE (string or list of strings) matching HOST and PORT.
2069 DEPRECATED in favor of `auth-source-search'!
2072 across the Secret Service API (see secrets.el) if the resulting
2073 items don't have a username. This means that if you search for
2077 A non nil DELETE-EXISTING means deleting any matching password
2078 entry in the respective sources. This is useful only when
2079 CREATE-MISSING is non nil as well; the intended use case is to
2080 remove wrong password entries.
2082 If no matching entry is found, and CREATE-MISSING is non nil,
2083 the password will be retrieved interactively, and it will be
2084 stored in the password database which matches best (see
2085 `auth-sources').
2089 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2090 mode host port username)
2094 ;; (cname (if username
2095 ;; (format "%s %s:%s %s" mode host port username)
2096 ;; (format "%s %s:%s" mode host port)))
2101 search))
2104 search))
2105 ;; (found (if (not delete-existing)
2106 ;; (gethash cname auth-source-cache)
2107 ;; (remhash cname auth-source-cache)
2108 ;; nil)))
2113 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2114 mode
2115 ;; don't show the password
2117 "SECRET"
2118 found)
2119 host port username)
2121 ;; else, if not found, search with a max of 1
2136 found))
2142 :host host
2143 :user user
2148 :host host
2160 ;;; auth-source.el ends here