| blob | d502a3b3904a56ecb7bc020ba41c1aa3e4e0d6dd |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2015 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
77 "Authentication sources."
81 ;;;###autoload
83 "How many seconds passwords are cached, or nil to disable
84 expiring. Overrides `password-cache-expiry' through a
85 let-binding."
94 ;; The slots below correspond with the `auth-source-search' spec,
95 ;; so a backend with :host set, for instance, would match only
96 ;; searches for that host. Normally they are nil.
100 :type symbol
101 :custom symbol
104 :type string
105 :custom string
108 :initform t
109 :type t
110 :custom string
113 :initform t
114 :type t
115 :custom string
118 :initform t
119 :type t
120 :custom string
123 :initform nil
126 :initform ignore
127 :type function
128 :custom function
131 :initform ignore
132 :type function
133 :custom function
141 "List of authentication protocols and their names"
151 ;; Generate all the protocols in a format Customize can use.
152 ;; TODO: generate on the fly from auth-source-protocols
158 p)))
159 auth-source-protocols))
170 "If set, auth-source will respect it for save behavior."
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
208 "Whether auth-source should cache information with `password-cache'."
214 "Whether auth-source should log debug messages.
216 If the value is nil, debug messages are not logged.
218 If the value is t, debug messages are logged with `message'. In
219 that case, your authentication data will be in the clear (except
220 for passwords).
222 If the value is a function, debug messages are logged by calling
223 that function using the same arguments as `message'."
230 trivia)
235 "List of authentication sources.
236 Each entry is the authentication type with optional properties.
237 Entries are tried in the order in which they appear.
238 See Info node `(auth)Help for users' for details.
241 EPA/EPG set up, the file will be encrypted and decrypted
242 automatically. See Info node `(epa)Encrypting/decrypting gpg files'
243 for details.
245 It's best to customize this with `M-x customize-variable' because the choices
246 can get pretty complex."
257 macos-keychain-internet)
260 macos-keychain-generic)
314 "List of recipient keys that `authinfo.gpg' encrypted to.
315 If the value is not a list, symmetric encryption will be used."
322 ;; temp for debugging
323 ;; (unintern 'auth-source-protocols)
324 ;; (unintern 'auth-sources)
325 ;; (customize-variable 'auth-sources)
326 ;; (setq auth-sources nil)
327 ;; (format "%S" auth-sources)
328 ;; (customize-variable 'auth-source-protocols)
329 ;; (setq auth-source-protocols nil)
330 ;; (format "%S" auth-source-protocols)
331 ;; (auth-source-pick nil :host "a" :port 'imap)
332 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
333 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
334 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
335 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
336 ;; (auth-source-protocol-defaults 'imap)
338 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
339 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
340 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
352 ;; set logger to either the function in auth-source-debug or 'message
353 ;; note that it will be 'message if auth-source-debug is nil
355 auth-source-debug
357 msg))
360 ;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
362 "Read one of CHOICES by `read-char-choice', or `read-char'.
363 `dropdown-list' support is disabled because it doesn't work reliably.
364 Only one of CHOICES will be returned. The PROMPT is augmented
372 k)
380 k)))
382 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
383 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
384 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
385 ;; (:source (:secrets "session") :host t :port t :user "joe")
386 ;; (:source (:secrets "Login") :host t :port t)
387 ;; (:source "~/.authinfo.gpg" :host t :port t)))
389 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
390 ;; (:source (:secrets "session") :host t :port t :user "joe")
391 ;; (:source (:secrets "Login") :host t :port t)
392 ;; ))
394 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
396 ;; (auth-source-backend-parse "myfile.gpg")
397 ;; (auth-source-backend-parse 'default)
398 ;; (auth-source-backend-parse "secrets:Login")
399 ;; (auth-source-backend-parse 'macos-keychain-internet)
400 ;; (auth-source-backend-parse 'macos-keychain-generic)
401 ;; (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
402 ;; (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
405 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
407 entry
409 ;; take 'default and recurse to get it as a Secrets API default collection
410 ;; matching any user, host, and protocol
413 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
414 ;; matching any user, host, and protocol
418 ;; take 'macos-keychain-internet and recurse to get it as a Mac OS
419 ;; Keychain collection matching any user, host, and protocol
422 ;; take 'macos-keychain-generic and recurse to get it as a Mac OS
423 ;; Keychain collection matching any user, host, and protocol
426 ;; take macos-keychain-internet:XYZ and recurse to get it as MacOS
427 ;; Keychain "XYZ" matching any user, host, and protocol
429 entry))
432 ;; take macos-keychain-generic:XYZ and recurse to get it as MacOS
433 ;; Keychain "XYZ" matching any user, host, and protocol
435 entry))
439 ;; take just a file name and recurse to get it as a netrc file
440 ;; matching any user, host, and protocol
444 ;; a file name with parameters
461 ;; the MacOS Keychain
472 'macos-keychain-generic
475 :macos-keychain-generic
483 :source source
484 :type keychain-type
488 ;; the Secrets API. We require the package, in order to have a
489 ;; defined value for `secrets-enabled'.
496 ;; the source is either the :secrets key in ENTRY or
497 ;; if that's missing or nil, it's "session"
501 ;; if the source is a symbol, we look for the alias named so,
502 ;; and if that alias is missing, we use "Login"
510 :source source
521 ;; none of them
526 "Empty"
531 "Fills in the extra auth-source-backend parameters of ENTRY.
532 Using the plist ENTRY, get the :host, :port, and :user search
533 parameters."
535 nil
536 entry))
537 val)
544 backend)
546 ;; (mapcar 'auth-source-backend-parse auth-sources)
549 &key type max host user port secret
550 require create delete
552 "Search or modify authentication backends according to SPEC.
554 This function parses `auth-sources' for matches of the SPEC
555 plist. It can optionally create or update an authentication
556 token if requested. A token is just a standard Emacs property
557 list with a :secret property that can be a function; all the
558 other properties will always hold scalar values.
560 Typically the :secret property, if present, contains a password.
562 Common search keys are :max, :host, :port, and :user. In
563 addition, :create specifies how tokens will be or created.
564 Finally, :type can specify which backend types you want to check.
566 A string value is always matched literally. A symbol is matched
567 as its string value, literally. All the SPEC values can be
568 single values (symbol or string) or lists thereof (in which case
569 any of the search terms matches).
571 :create t means to create a token if possible.
573 A new token will be created if no matching tokens were found.
574 The new token will have only the keys the backend requires. For
575 the netrc backend, for instance, that's the user, host, and
576 port keys.
578 Here's an example:
584 :create t))
586 which says:
589 'netrc', maximum one result.
591 Create a new entry if you found none. The netrc backend will
592 automatically require host, user, and port. The host will be
593 'mine'. We prompt for the user with default 'defaultUser' and
594 for the port without a default. We will not prompt for A, Q,
595 or P. The resulting token will only have keys user, host, and
598 :create '(A B C) also means to create a token if possible.
600 The behavior is like :create t but if the list contains any
601 parameter, that parameter will be required in the resulting
602 token. The value for that parameter will be obtained from the
603 search parameters or from user input. If any queries are needed,
604 the alist `auth-source-creation-defaults' will be checked for the
605 default value. If the user, host, or port are missing, the alist
606 `auth-source-creation-prompts' will be used to look up the
607 prompts IN THAT ORDER (so the 'user prompt will be queried first,
608 then 'host, then 'port, and finally 'secret). Each prompt string
609 can use %u, %h, and %p to show the user, host, and port.
611 Here's an example:
615 (auth-source-creation-prompts
619 :create '(A B Q)))
621 which says:
624 or 'twosuch' in backends of type 'netrc', maximum one result.
626 Create a new entry if you found none. The netrc backend will
627 automatically require host, user, and port. The host will be
628 'nonesuch' and Q will be 'qqqq'. We prompt for the password
629 with the shown prompt. We will not prompt for Q. The resulting
630 token will have keys user, host, port, A, B, and Q. It will not
631 have P with any value, even though P is used in the search to
634 When multiple values are specified in the search parameter, the
635 user is prompted for which one. So :host (X Y Z) would ask the
636 user to choose between X, Y, and Z.
638 This creation can fail if the search was not specific enough to
639 create a new token (it's up to the backend to decide that). You
640 should `catch' the backend-specific error as usual. Some
641 backends (netrc, at least) will prompt the user rather than throw
642 an error.
644 :require (A B C) means that only results that contain those
645 tokens will be returned. Thus for instance requiring :secret
646 will ensure that any results will actually have a :secret
647 property.
649 :delete t means to delete any found entries. nil by default.
650 Use `auth-source-delete' in ELisp code instead of calling
651 `auth-source-search' directly with this parameter.
653 :type (X Y Z) will check only those backend types. 'netrc and
654 'secrets are the only ones supported right now.
656 :max N means to try to return at most N items (defaults to 1).
657 More than N items may be returned, depending on the search and
658 the backend.
660 When :max is 0 the function will return just t or nil to indicate
661 if any matches were found.
663 :host (X Y Z) means to match only hosts X, Y, or Z according to
664 the match rules above. Defaults to t.
666 :user (X Y Z) means to match only users X, Y, or Z according to
667 the match rules above. Defaults to t.
669 :port (P Q R) means to match only protocols P, Q, or R.
670 Defaults to t.
672 :K (V1 V2 V3) for any other key K will match values V1, V2, or
673 V3 (note the match rules above).
675 The return value is a list with at most :max tokens. Each token
676 is a plist with keys :backend :host :port :user, plus any other
677 keys provided by the backend (notably :secret). But note the
678 exception for :max 0, which see above.
680 The token can hold a :save-function key. If you call that, the
681 user will be prompted to save the data to the backend. You can't
682 request that this should happen right after creation, because
683 `auth-source-search' has no way of knowing if the token is
684 actually useful. So the caller must arrange to call this function.
686 The token's :secret key can hold a function. In that case you
687 must call it to obtain the actual value."
695 ;; note that we may have cached results but found is still nil
696 ;; (there were no results from the search)
698 filtered-backends accessor-key backend)
702 "auth-source-search: found %d CACHED results matching %S"
716 ;; ignore invalid slots
726 "auth-source-search: found %d backends matching %S"
729 ;; (debug spec "filtered" filtered-backends)
730 ;; First go through all the backends without :create, so we can
731 ;; query them all.
733 spec
734 ;; to exit early
735 max
736 ;; create is always nil here
737 nil delete
738 require))
741 "auth-source-search: found %d results (max %d) matching %S"
744 ;; If we didn't find anything, then we allow the backend(s) to
745 ;; create the entries.
749 spec
750 ;; to exit early
751 max
752 create delete
753 require))
755 "auth-source-search: CREATED %d results (max %d) matching %S"
758 ;; note we remember the lack of result too, if it's applicable
764 found)))
768 matches)
773 :backend backend
775 ;; note we're overriding whatever the spec
776 ;; has for :max, :require, :create, and :delete
777 :max max
778 :require require
779 :create create
780 :delete delete
781 spec)))
784 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
788 spec)
790 matches))
792 ;; (auth-source-search :max 0)
793 ;; (auth-source-search :max 1)
794 ;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
795 ;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
796 ;; (auth-source-search :host "nonesuch" :type 'secrets)
799 &key delete
801 "Delete entries from the authentication backends according to SPEC.
802 Calls `auth-source-search' with the :delete property in SPEC set to t.
803 The backend may not actually delete the entries.
805 Returns the deleted entries."
809 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
813 ;; (debug :collection collection :value value)
822 "Forget all cached auth-source data."
825 ;; when the symbol name starts with auth-source-magic
828 ;; remove that key
833 "Format SPEC entry to put it in the password cache."
837 "Remember FOUND search results for SPEC."
843 "Recall FOUND search results for SPEC."
847 "Check if SPEC is remembered."
852 "Forget any cached data matching SPEC exactly.
854 This is the same SPEC you passed to `auth-source-search'.
855 Returns t or nil for forgotten or not found."
858 ;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
860 ;; (auth-source-remember '(:host "wedd") '(4 5 6))
861 ;; (auth-source-remembered-p '(:host "wedd"))
862 ;; (auth-source-remember '(:host "xedd") '(1 2 3))
863 ;; (auth-source-remembered-p '(:host "xedd"))
864 ;; (auth-source-remembered-p '(:host "zedd"))
865 ;; (auth-source-recall '(:host "xedd"))
866 ;; (auth-source-recall '(:host t))
867 ;; (auth-source-forget+ :host t)
870 "Forget any cached data matching SPEC. Returns forgotten count.
872 This is not a full `auth-source-search' spec but works similarly.
874 cached data that was found with a search for those two hosts,
875 while \(:host t) would find all host entries."
877 sname)
879 ;; when the symbol name matches with auth-source-magic
882 sname)
883 ;; and the spec matches what was stored in the cache
885 ;; remove that key
889 count))
901 ;; (auth-source-pick-first-password :host "z.lifelogs.com")
902 ;; (auth-source-pick-first-password :port "imap")
904 "Pick the first secret found from applying SPEC to `auth-source-search'."
910 secret)))
912 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
914 "Format PROMPT using %x (for any character x) specifiers in ALIST."
921 prompt nil t)))))
922 prompt)
930 value))
931 values))
933 ;;; Backend specific parsing: netrc/authinfo backend
950 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
952 spec
953 &key file max host user port delete require
955 "Parse FILE and return a list of all entries in the file.
956 Note that the MAX parameter is used so we can exit the parse early."
958 ;; We got already parsed contents; just return it.
959 file
971 host
975 t))
977 user
982 t))
984 port
988 t))
990 ;; the required list of keys is nil, or
992 ;; every element of require is in n(ormalized)
997 result)
1004 "auth-source-netrc-parse: using CACHED file data for %s"
1005 file)
1008 ;; cache all netrc files (used to be just .gpg files)
1009 ;; Store the contents of the file heavily encrypted in memory.
1010 ;; (note for the irony-impaired: they are just obfuscated)
1012 auth-source-netrc-cache file
1018 alist)
1024 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1025 ;; this buffer lets epa-file skip the key selection query
1026 ;; (see the `local-variable-p' check in
1027 ;; `epa-file-write-region').
1033 ;; ask AFTER we've successfully opened the file
1035 file modified))
1038 "auth-source-netrc-parse: modified %d lines in %s"
1039 modified file)))
1044 "Advance to the next interesting position in the current buffer."
1045 ;; If we're looking at a comment or are at the end of the line, move forward
1053 "Read one thing from the current buffer."
1063 ;; with thanks to org-mode
1067 ;; works also in narrowed buffer, because we start at 1, not point-min
1071 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1074 alist
1078 all))
1079 item item2 all alist default)
1082 ;; We're starting a new machine. Save the old one.
1086 ;; (auth-source-do-trivia
1087 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1089 alist nil))
1090 ;; In default entries, we don't have a next token.
1091 ;; We store them as ("machine" . t)
1094 ;; Not a default entry. Grab the next item.
1096 ;; Did we get a "machine" value?
1100 "%s: Unexpected 'machine' token at line %d"
1101 "auth-source-netrc-parse-entries"
1106 ;; Clean up: if there's an entry left over, use it.
1109 ;; (auth-source-do-trivia
1110 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1111 )
1119 passphrase)
1120 ;; return the saved passphrase, calling a function if needed
1131 t))
1134 passphrase))))
1136 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1138 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1139 FILE is the file from which we obtained this token."
1143 plain)
1145 context
1147 file))
1150 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1154 cipher)
1157 context
1159 file))
1175 ;; apply key aliases
1182 ;; send back the secret in a function (lexical binding)
1187 ;; it's a GPG token: create a token decoder
1188 ;; which unsets itself once
1193 val
1194 filename)
1199 lexv))))
1202 v))))
1203 ret))
1204 alist))
1206 ;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1207 ;; (funcall secret)
1210 spec
1211 &key backend require create delete
1212 type max host user port
1214 "Given a property list SPEC, return search matches from the :backend.
1215 See `auth-source-search' for details on SPEC."
1216 ;; just in case, check that the type is correct (null or same as the backend)
1222 :max max
1223 :require require
1224 :delete delete
1231 ;; if we need to create an entry AND none were found to match
1235 ;; create based on the spec and record the value
1237 ;; if the user did not want to create the entry
1238 ;; in the file, it will be returned
1240 ;; if not, we do the search again without :create
1241 ;; to get the updated data.
1243 ;; the result will be returned, even if the search fails
1246 results))
1251 v))
1253 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1254 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1257 &key backend
1258 secret host user port create
1261 ;; we know (because of an assertion in auth-source-search) that the
1262 ;; :create parameter is either t or a list (which includes nil)
1265 :host host
1270 ;; `valist' is an alist
1271 valist
1272 ;; `artificial' will be returned if no creation is needed
1273 artificial)
1275 ;; only for base required elements (defined as function parameters):
1276 ;; fill in the valist with whatever data we may have from the search
1277 ;; we complete the first value if it's a list and use the value otherwise
1281 ;; all-accepting choice (predicate is t)
1283 ;; just the value otherwise
1288 ;; for extra required elements, see if the spec includes a value for them
1297 ;; for each required element
1300 ;; take the first element if the data is a list
1304 ;; this is the default to be offered
1306 auth-source-creation-defaults r))
1307 ;; the default supplementals are simple:
1308 ;; for the user, try `given-default' and then (user-login-name);
1309 ;; otherwise take `given-default'
1341 prompt
1346 ;; Store the data, prompting for the password if needed.
1349 ;; Special case prompt for passwords.
1350 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1351 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1359 auth-source-netrc-use-gpg-tokens))
1360 item ret)
1369 ;; ask if we don't know what to do (in which case
1370 ;; auth-source-netrc-use-gpg-tokens must be a list)
1373 ;; TODO: save the defcustom now? or ask?
1376 auth-source-netrc-use-gpg-tokens)))
1379 plain))
1385 nil nil default)
1394 data))))
1396 ;; When r is not an empty string...
1399 ;; this function is not strictly necessary but I think it
1400 ;; makes the code clearer -tzz
1402 ;; append the key (the symbol name of r)
1403 ;; and the value in r
1405 ;; prepend a space
1407 ;; remap auth-source tokens to netrc
1416 data)))))
1420 artificial
1421 :save-function
1428 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1430 "Save a line ADD in FILE, prompting along the way.
1431 Respects `auth-source-save-behavior'. Uses
1432 `auth-source-netrc-cache' to avoid prompting more than once."
1438 "auth-source-netrc-saver: found previous run for key %s, returning"
1439 key)
1444 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1445 ;; this buffer lets epa-file skip the key selection query
1446 ;; (see the `local-variable-p' check in
1447 ;; `epa-file-write-region').
1452 ;; we want the new data to be found first, so insert at beginning
1455 ;; Ask AFTER we've successfully opened the file.
1459 k)
1472 ;; Why? Doesn't with-output-to-temp-buffer already do
1473 ;; the exact same thing anyway? --Stef
1477 done t))
1478 (?N
1480 done t)
1488 ;; Make sure the info is not saved.
1498 ;; Make the .authinfo file non-world-readable.
1501 "auth-source-netrc-create: wrote 1 new line to %s"
1502 file)
1504 nil))))
1507 ;;; Backend specific parsing: Secrets API backend
1509 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1510 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1511 ;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1512 ;; (let ((auth-sources '(default))) (auth-source-search))
1513 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1514 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1517 "Convert a pattern with lists to a list of string patterns.
1522 only string values for patterns, so this routine returns a list
1523 of patterns that is equivalent to the single original pattern
1524 when interpreted such that if a secret matches any pattern in the
1525 list, it matches the original pattern."
1535 for h in heads
1536 nconc
1538 for tl in tails
1542 spec
1543 &key backend create delete label
1544 type max host user port
1546 "Search the Secrets API; spec is like `auth-source'.
1548 The :label key specifies the item's label. It is the only key
1549 that can specify a substring. Any :label value besides a string
1550 will allow any label.
1552 All other search keys must match exactly. If you need substring
1553 matching, do a wider search and narrow it down yourself.
1555 You'll get back all the properties of the token as a plist.
1557 Here's an example that looks for the first item in the 'Login'
1558 Secrets collection:
1561 (auth-source-search :max 1)
1563 Here's another that looks for the first item in the 'Login'
1564 Secrets collection whose label contains 'gnus':
1569 And this one looks for the first item in the 'Login' Secrets
1570 collection that's a Google Chrome entry for the git.gnus.org site
1571 authentication tokens:
1575 "
1577 ;; TODO
1580 ;; TODO
1581 ;; (secrets-delete-item coll elt)
1591 ;; build a search spec without the ignored keys
1592 ;; if a search key is nil or t (match anything), we skip it
1598 nil
1600 search-keys))))
1601 ;; needed keys (always including host, login, port, and secret)
1604 search-keys)))
1607 nconc
1611 collect item)))
1612 ;; TODO: respect max in `secrets-search-items', not after the fact
1614 ;; convert the item name to a full plist
1617 ;; make an entry for the secret (password) element
1619 :secret
1622 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1627 items))
1628 ;; ensure each item has each key in `returned-keys'
1634 nil
1636 returned-keys))
1637 plist))
1638 items)))
1639 items))
1642 spec
1643 &key backend type max host user port
1645 ;; TODO
1646 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1649 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1651 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :create t))
1652 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :delete t))
1653 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
1654 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search))
1656 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :create t))
1657 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :delete t))
1658 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
1659 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search))
1661 ;; (let ((auth-sources '("macos-keychain-internet:/Users/tzz/Library/Keychains/login.keychain"))) (auth-source-search :max 1))
1662 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1 :host "git.gnus.org"))
1663 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1))
1666 spec
1667 &key backend create delete label
1668 type max host user port
1670 "Search the MacOS Keychain; spec is like `auth-source'.
1672 All search keys must match exactly. If you need substring
1673 matching, do a wider search and narrow it down yourself.
1675 You'll get back all the properties of the token as a plist.
1677 The :type key is either 'macos-keychain-internet or
1678 'macos-keychain-generic.
1680 For the internet keychain type, the :label key searches the
1684 (note PROT has to be a 4-character string).
1686 For the generic keychain type, the :label key searches the item's
1691 Here's an example that looks for the first item in the default
1692 generic MacOS Keychain:
1694 \(let ((auth-sources '(macos-keychain-generic)))
1695 (auth-source-search :max 1)
1697 Here's another that looks for the first item in the internet
1698 MacOS Keychain collection whose label is 'gnus':
1700 \(let ((auth-sources '(macos-keychain-internet)))
1703 And this one looks for the first item in the internet keychain
1704 entries for git.gnus.org:
1708 "
1709 ;; TODO
1712 ;; TODO
1713 ;; (macos-keychain-delete-item coll elt)
1723 ;; build a search spec without the ignored keys
1724 ;; if a search key is nil or t (match anything), we skip it
1729 nil
1731 search-keys)))
1732 ;; needed keys (always including host, login, port, and secret)
1735 search-keys)))
1737 coll
1738 type
1739 max
1740 search-spec))
1742 ;; ensure each item has each key in `returned-keys'
1748 nil
1750 returned-keys))
1751 plist))
1752 items)))
1753 items))
1756 &rest spec
1757 &key label type
1758 host user port
1763 "find-generic-password"
1779 port)))))
1791 ret
1792 keychain-generic
1793 "secret"
1796 ;; TODO: check if this is really the label
1797 ;; match 0x00000007 <blob>="AppleID"
1800 ret
1801 keychain-generic
1802 "label"
1804 ;; match "crtr"<uint32>="aapl"
1805 ;; match "svce"<blob>="AppleID"
1808 ret
1809 keychain-generic
1813 ;; return `ret' iff it has the :secret key
1820 ;; for generic keychains, creator is host, service is port
1823 ;; for internet keychains, protocol is port, server is host
1831 spec
1832 &key backend type max host user port
1834 ;; TODO
1837 ;;; Backend specific parsing: PLSTORE backend
1840 spec
1841 &key backend create delete label
1842 type max host user port
1844 "Search the PLSTORE; spec is like `auth-source'."
1851 ;; build a search spec without the ignored keys
1852 ;; if a search key is nil or t (match anything), we skip it
1858 nil
1862 search-keys)))
1863 ;; needed keys (always including host, login, port, and secret)
1866 search-keys)))
1870 ;; convert the item to a full plist
1879 plist))
1880 items))
1881 ;; ensure each item has each key in `returned-keys'
1887 nil
1889 returned-keys))
1890 plist))
1891 items)))
1893 ;; if we need to create an entry AND none were found to match
1897 ;; create based on the spec and record the value
1899 ;; if the user did not want to create the entry
1900 ;; in the file, it will be returned
1902 ;; if not, we do the search again without :create
1903 ;; to get the updated data.
1905 ;; the result will be returned, even if the search fails
1909 item-names)
1913 items))
1916 &key backend
1917 secret host user port create
1921 ;; we know (because of an assertion in auth-source-search) that the
1922 ;; :create parameter is either t or a list (which includes nil)
1925 :host host
1930 ;; `valist' is an alist
1931 valist
1932 ;; `artificial' will be returned if no creation is needed
1933 artificial
1934 secret-artificial)
1936 ;; only for base required elements (defined as function parameters):
1937 ;; fill in the valist with whatever data we may have from the search
1938 ;; we complete the first value if it's a list and use the value otherwise
1942 ;; all-accepting choice (predicate is t)
1944 ;; just the value otherwise
1949 ;; for extra required elements, see if the spec includes a value for them
1958 ;; for each required element
1961 ;; take the first element if the data is a list
1965 ;; this is the default to be offered
1967 auth-source-creation-defaults r))
1968 ;; the default supplementals are simple:
1969 ;; for the user, try `given-default' and then (user-login-name);
1970 ;; otherwise take `given-default'
2002 prompt
2007 ;; Store the data, prompting for the password if needed.
2017 nil nil default)
2025 data))
2028 data))))))
2034 artificial secret-artificial)
2039 ;;; older API
2041 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2043 ;; deprecate the old interface
2051 "Find MODE (string or list of strings) matching HOST and PORT.
2053 DEPRECATED in favor of `auth-source-search'!
2056 across the Secret Service API (see secrets.el) if the resulting
2057 items don't have a username. This means that if you search for
2061 A non nil DELETE-EXISTING means deleting any matching password
2062 entry in the respective sources. This is useful only when
2063 CREATE-MISSING is non nil as well; the intended use case is to
2064 remove wrong password entries.
2066 If no matching entry is found, and CREATE-MISSING is non nil,
2067 the password will be retrieved interactively, and it will be
2068 stored in the password database which matches best (see
2069 `auth-sources').
2073 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2074 mode host port username)
2085 search))
2088 search))
2089 ;; (found (if (not delete-existing)
2090 ;; (gethash cname auth-source-cache)
2091 ;; (remhash cname auth-source-cache)
2092 ;; nil)))
2097 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2098 mode
2099 ;; don't show the password
2101 "SECRET"
2102 found)
2103 host port username)
2105 ;; else, if not found, search with a max of 1
2120 found))
2126 :host host
2132 :host host
2144 ;;; auth-source.el ends here