Fix comment typo
[emacs.git] / lisp / net / secrets.el
blobb4e51348ddef62e8519dc5186b965297494aa997
1 ;;; secrets.el --- Client interface to gnome-keyring and kwallet.
3 ;; Copyright (C) 2010-2013 Free Software Foundation, Inc.
5 ;; Author: Michael Albinus <michael.albinus@gmx.de>
6 ;; Keywords: comm password passphrase
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This package provides an implementation of the Secret Service API
26 ;; <http://www.freedesktop.org/wiki/Specifications/secret-storage-spec>.
27 ;; This API is meant to make GNOME-Keyring- and KWallet-like daemons
28 ;; available under a common D-BUS interface and thus increase
29 ;; interoperability between GNOME, KDE and other applications having
30 ;; the need to securely store passwords and other confidential
31 ;; information.
33 ;; In order to activate this package, you must add the following code
34 ;; into your .emacs:
36 ;; (require 'secrets)
38 ;; Afterwards, the variable `secrets-enabled' is non-nil when there is
39 ;; a daemon providing this interface.
41 ;; The atomic objects to be managed by the Secret Service API are
42 ;; secret items, which are something an application wishes to store
43 ;; securely. A good example is a password that an application needs
44 ;; to save and use at a later date.
46 ;; Secret items are grouped in collections. A collection is similar
47 ;; in concept to the terms 'keyring' or 'wallet'. A common collection
48 ;; is called "login". A collection is stored permanently under the
49 ;; user's permissions, and can be accessed in a user session context.
51 ;; A collection can have an alias name. The use case for this is to
52 ;; set the alias "default" for a given collection, making it
53 ;; transparent for clients, which collection is used. Other aliases
54 ;; are not supported (yet). Since an alias is visible to all
55 ;; applications, this setting shall be performed with care.
57 ;; A list of all available collections is available by
59 ;; (secrets-list-collections)
60 ;; => ("session" "login" "ssh keys")
62 ;; The "default" alias could be set to the "login" collection by
64 ;; (secrets-set-alias "login" "default")
66 ;; An alias can also be dereferenced
68 ;; (secrets-get-alias "default")
69 ;; => "login"
71 ;; Collections can be created and deleted. As already said,
72 ;; collections are used by different applications. Therefore, those
73 ;; operations shall also be performed with care. Common collections,
74 ;; like "login", shall not be changed except adding or deleting secret
75 ;; items.
77 ;; (secrets-delete-collection "my collection")
78 ;; (secrets-create-collection "my collection")
80 ;; There exists a special collection called "session", which has the
81 ;; lifetime of the corresponding client session (aka Emacs's
82 ;; lifetime). It is created automatically when Emacs uses the Secret
83 ;; Service interface, and it is deleted when Emacs is killed.
84 ;; Therefore, it can be used to store and retrieve secret items
85 ;; temporarily. This shall be preferred over creation of a persistent
86 ;; collection, when the information shall not live longer than Emacs.
87 ;; The session collection can be addressed either by the string
88 ;; "session", or by `nil', whenever a collection parameter is needed.
90 ;; As already said, a collection is a group of secret items. A secret
91 ;; item has a label, the "secret" (which is a string), and a set of
92 ;; lookup attributes. The attributes can be used to search and
93 ;; retrieve a secret item at a later date.
95 ;; A list of all available secret items of a collection is available by
97 ;; (secrets-list-items "my collection")
98 ;; => ("this item" "another item")
100 ;; Secret items can be added or deleted to a collection. In the
101 ;; following examples, we use the special collection "session", which
102 ;; is bound to Emacs's lifetime.
104 ;; (secrets-delete-item "session" "my item")
105 ;; (secrets-create-item "session" "my item" "geheim"
106 ;; :user "joe" :host "remote-host")
108 ;; The string "geheim" is the secret of the secret item "my item".
109 ;; The secret string can be retrieved from items:
111 ;; (secrets-get-secret "session" "my item")
112 ;; => "geheim"
114 ;; The lookup attributes, which are specified during creation of a
115 ;; secret item, must be a key-value pair. Keys are keyword symbols,
116 ;; starting with a colon; values are strings. They can be retrieved
117 ;; from a given secret item:
119 ;; (secrets-get-attribute "session" "my item" :host)
120 ;; => "remote-host"
122 ;; (secrets-get-attributes "session" "my item")
123 ;; => ((:user . "joe") (:host ."remote-host"))
125 ;; The lookup attributes can be used for searching of items. If you,
126 ;; for example, are looking for all secret items for the user "joe",
127 ;; you would perform
129 ;; (secrets-search-items "session" :user "joe")
130 ;; => ("my item" "another item")
132 ;; Interactively, collections, items and their attributes could be
133 ;; inspected by the command `secrets-show-secrets'.
135 ;;; Code:
137 ;; It has been tested with GNOME Keyring 2.29.92. An implementation
138 ;; for KWallet will be available at
139 ;; svn://anonsvn.kde.org/home/kde/trunk/playground/base/ksecretservice;
140 ;; not tested yet.
142 ;; Pacify byte-compiler. D-Bus support in the Emacs core can be
143 ;; disabled with configuration option "--without-dbus". Declare used
144 ;; subroutines and variables of `dbus' therefore.
145 (eval-when-compile (require 'cl-lib))
147 (defvar dbus-debug)
149 (require 'dbus)
151 (autoload 'tree-widget-set-theme "tree-widget")
152 (autoload 'widget-create-child-and-convert "wid-edit")
153 (autoload 'widget-default-value-set "wid-edit")
154 (autoload 'widget-field-end "wid-edit")
155 (autoload 'widget-member "wid-edit")
156 (defvar tree-widget-after-toggle-functions)
158 (defvar secrets-enabled nil
159 "Whether there is a daemon offering the Secret Service API.")
161 (defvar secrets-debug t
162 "Write debug messages")
164 (defconst secrets-service "org.freedesktop.secrets"
165 "The D-Bus name used to talk to Secret Service.")
167 (defconst secrets-path "/org/freedesktop/secrets"
168 "The D-Bus root object path used to talk to Secret Service.")
170 (defconst secrets-empty-path "/"
171 "The D-Bus object path representing an empty object.")
173 (defsubst secrets-empty-path (path)
174 "Check, whether PATH is a valid object path.
175 It returns t if not."
176 (or (not (stringp path))
177 (string-equal path secrets-empty-path)))
179 (defconst secrets-interface-service "org.freedesktop.Secret.Service"
180 "The D-Bus interface managing sessions and collections.")
182 ;; <interface name="org.freedesktop.Secret.Service">
183 ;; <property name="Collections" type="ao" access="read"/>
184 ;; <method name="OpenSession">
185 ;; <arg name="algorithm" type="s" direction="in"/>
186 ;; <arg name="input" type="v" direction="in"/>
187 ;; <arg name="output" type="v" direction="out"/>
188 ;; <arg name="result" type="o" direction="out"/>
189 ;; </method>
190 ;; <method name="CreateCollection">
191 ;; <arg name="props" type="a{sv}" direction="in"/>
192 ;; <arg name="collection" type="o" direction="out"/>
193 ;; <arg name="prompt" type="o" direction="out"/>
194 ;; </method>
195 ;; <method name="SearchItems">
196 ;; <arg name="attributes" type="a{ss}" direction="in"/>
197 ;; <arg name="unlocked" type="ao" direction="out"/>
198 ;; <arg name="locked" type="ao" direction="out"/>
199 ;; </method>
200 ;; <method name="Unlock">
201 ;; <arg name="objects" type="ao" direction="in"/>
202 ;; <arg name="unlocked" type="ao" direction="out"/>
203 ;; <arg name="prompt" type="o" direction="out"/>
204 ;; </method>
205 ;; <method name="Lock">
206 ;; <arg name="objects" type="ao" direction="in"/>
207 ;; <arg name="locked" type="ao" direction="out"/>
208 ;; <arg name="Prompt" type="o" direction="out"/>
209 ;; </method>
210 ;; <method name="GetSecrets">
211 ;; <arg name="items" type="ao" direction="in"/>
212 ;; <arg name="session" type="o" direction="in"/>
213 ;; <arg name="secrets" type="a{o(oayays)}" direction="out"/>
214 ;; </method>
215 ;; <method name="ReadAlias">
216 ;; <arg name="name" type="s" direction="in"/>
217 ;; <arg name="collection" type="o" direction="out"/>
218 ;; </method>
219 ;; <method name="SetAlias">
220 ;; <arg name="name" type="s" direction="in"/>
221 ;; <arg name="collection" type="o" direction="in"/>
222 ;; </method>
223 ;; <signal name="CollectionCreated">
224 ;; <arg name="collection" type="o"/>
225 ;; </signal>
226 ;; <signal name="CollectionDeleted">
227 ;; <arg name="collection" type="o"/>
228 ;; </signal>
229 ;; </interface>
231 (defconst secrets-interface-collection "org.freedesktop.Secret.Collection"
232 "A collection of items containing secrets.")
234 ;; <interface name="org.freedesktop.Secret.Collection">
235 ;; <property name="Items" type="ao" access="read"/>
236 ;; <property name="Label" type="s" access="readwrite"/>
237 ;; <property name="Locked" type="b" access="read"/>
238 ;; <property name="Created" type="t" access="read"/>
239 ;; <property name="Modified" type="t" access="read"/>
240 ;; <method name="Delete">
241 ;; <arg name="prompt" type="o" direction="out"/>
242 ;; </method>
243 ;; <method name="SearchItems">
244 ;; <arg name="attributes" type="a{ss}" direction="in"/>
245 ;; <arg name="results" type="ao" direction="out"/>
246 ;; </method>
247 ;; <method name="CreateItem">
248 ;; <arg name="props" type="a{sv}" direction="in"/>
249 ;; <arg name="secret" type="(oayays)" direction="in"/>
250 ;; <arg name="replace" type="b" direction="in"/>
251 ;; <arg name="item" type="o" direction="out"/>
252 ;; <arg name="prompt" type="o" direction="out"/>
253 ;; </method>
254 ;; <signal name="ItemCreated">
255 ;; <arg name="item" type="o"/>
256 ;; </signal>
257 ;; <signal name="ItemDeleted">
258 ;; <arg name="item" type="o"/>
259 ;; </signal>
260 ;; <signal name="ItemChanged">
261 ;; <arg name="item" type="o"/>
262 ;; </signal>
263 ;; </interface>
265 (defconst secrets-session-collection-path
266 "/org/freedesktop/secrets/collection/session"
267 "The D-Bus temporary session collection object path.")
269 (defconst secrets-interface-prompt "org.freedesktop.Secret.Prompt"
270 "A session tracks state between the service and a client application.")
272 ;; <interface name="org.freedesktop.Secret.Prompt">
273 ;; <method name="Prompt">
274 ;; <arg name="window-id" type="s" direction="in"/>
275 ;; </method>
276 ;; <method name="Dismiss"></method>
277 ;; <signal name="Completed">
278 ;; <arg name="dismissed" type="b"/>
279 ;; <arg name="result" type="v"/>
280 ;; </signal>
281 ;; </interface>
283 (defconst secrets-interface-item "org.freedesktop.Secret.Item"
284 "A collection of items containing secrets.")
286 ;; <interface name="org.freedesktop.Secret.Item">
287 ;; <property name="Locked" type="b" access="read"/>
288 ;; <property name="Attributes" type="a{ss}" access="readwrite"/>
289 ;; <property name="Label" type="s" access="readwrite"/>
290 ;; <property name="Created" type="t" access="read"/>
291 ;; <property name="Modified" type="t" access="read"/>
292 ;; <method name="Delete">
293 ;; <arg name="prompt" type="o" direction="out"/>
294 ;; </method>
295 ;; <method name="GetSecret">
296 ;; <arg name="session" type="o" direction="in"/>
297 ;; <arg name="secret" type="(oayays)" direction="out"/>
298 ;; </method>
299 ;; <method name="SetSecret">
300 ;; <arg name="secret" type="(oayays)" direction="in"/>
301 ;; </method>
302 ;; </interface>
304 ;; STRUCT secret
305 ;; OBJECT PATH session
306 ;; ARRAY BYTE parameters
307 ;; ARRAY BYTE value
308 ;; STRING content_type ;; Added 2011/2/9
310 (defconst secrets-interface-item-type-generic "org.freedesktop.Secret.Generic"
311 "The default item type we are using.")
313 ;; We cannot use introspection, because some servers, like
314 ;; mate-keyring-daemon, don't provide relevant data. Once the dust
315 ;; has settled, we shall assume the new interface, and get rid of the test.
316 (defconst secrets-struct-secret-content-type
317 (ignore-errors
318 (let ((content-type "text/plain")
319 (path (cadr
320 (dbus-call-method
321 :session secrets-service secrets-path
322 secrets-interface-service
323 "OpenSession" "plain" '(:variant ""))))
324 result)
325 ;; Create a dummy item.
326 (setq result
327 (dbus-call-method
328 :session secrets-service secrets-session-collection-path
329 secrets-interface-collection "CreateItem"
330 ;; Properties.
331 `(:array
332 (:dict-entry ,(concat secrets-interface-item ".Label")
333 (:variant "dummy"))
334 (:dict-entry ,(concat secrets-interface-item ".Type")
335 (:variant ,secrets-interface-item-type-generic)))
336 ;; Secret.
337 `(:struct :object-path ,path
338 (:array :signature "y")
339 ,(dbus-string-to-byte-array " ")
340 :string ,content-type)
341 ;; Don't replace.
342 nil))
343 ;; Remove it.
344 (dbus-call-method
345 :session secrets-service (car result)
346 secrets-interface-item "Delete")
347 ;; Result.
348 `(,content-type)))
349 "The content_type of a secret struct.
350 It must be wrapped as list, because we add it via `append'. This
351 is an interface introduced in 2011.")
353 (defconst secrets-interface-session "org.freedesktop.Secret.Session"
354 "A session tracks state between the service and a client application.")
356 ;; <interface name="org.freedesktop.Secret.Session">
357 ;; <method name="Close"></method>
358 ;; </interface>
360 ;;; Sessions.
362 (defvar secrets-session-path secrets-empty-path
363 "The D-Bus session path of the active session.
364 A session path `secrets-empty-path' indicates there is no open session.")
366 (defun secrets-close-session ()
367 "Close the secret service session, if any."
368 (dbus-ignore-errors
369 (dbus-call-method
370 :session secrets-service secrets-session-path
371 secrets-interface-session "Close"))
372 (setq secrets-session-path secrets-empty-path))
374 (defun secrets-open-session (&optional reopen)
375 "Open a new session with \"plain\" algorithm.
376 If there exists another active session, and REOPEN is nil, that
377 session will be used. The object path of the session will be
378 returned, and it will be stored in `secrets-session-path'."
379 (when reopen (secrets-close-session))
380 (when (secrets-empty-path secrets-session-path)
381 (setq secrets-session-path
382 (cadr
383 (dbus-call-method
384 :session secrets-service secrets-path
385 secrets-interface-service "OpenSession" "plain" '(:variant "")))))
386 (when secrets-debug
387 (message "Secret Service session: %s" secrets-session-path))
388 secrets-session-path)
390 ;;; Prompts.
392 (defvar secrets-prompt-signal nil
393 "Internal variable to catch signals from `secrets-interface-prompt'.")
395 (defun secrets-prompt (prompt)
396 "Handle the prompt identified by object path PROMPT."
397 (unless (secrets-empty-path prompt)
398 (let ((object
399 (dbus-register-signal
400 :session secrets-service prompt
401 secrets-interface-prompt "Completed" 'secrets-prompt-handler)))
402 (dbus-call-method
403 :session secrets-service prompt
404 secrets-interface-prompt "Prompt" (frame-parameter nil 'window-id))
405 (unwind-protect
406 (progn
407 ;; Wait until the returned prompt signal has put the
408 ;; result into `secrets-prompt-signal'.
409 (while (null secrets-prompt-signal)
410 (read-event nil nil 0.1))
411 ;; Return the object(s). It is a variant, so we must use a car.
412 (car secrets-prompt-signal))
413 ;; Cleanup.
414 (setq secrets-prompt-signal nil)
415 (dbus-unregister-object object)))))
417 (defun secrets-prompt-handler (&rest args)
418 "Handler for signals emitted by `secrets-interface-prompt'."
419 ;; An empty object path is always identified as `secrets-empty-path'
420 ;; or `nil'. Either we set it explicitly, or it is returned by the
421 ;; "Completed" signal.
422 (if (car args) ;; dismissed
423 (setq secrets-prompt-signal (list secrets-empty-path))
424 (setq secrets-prompt-signal (cadr args))))
426 ;;; Collections.
428 (defvar secrets-collection-paths nil
429 "Cached D-Bus object paths of available collections.")
431 (defun secrets-collection-handler (&rest args)
432 "Handler for signals emitted by `secrets-interface-service'."
433 (cond
434 ((string-equal (dbus-event-member-name last-input-event) "CollectionCreated")
435 (add-to-list 'secrets-collection-paths (car args)))
436 ((string-equal (dbus-event-member-name last-input-event) "CollectionDeleted")
437 (setq secrets-collection-paths
438 (delete (car args) secrets-collection-paths)))))
440 (defun secrets-get-collections ()
441 "Return the object paths of all available collections."
442 (setq secrets-collection-paths
443 (or secrets-collection-paths
444 (dbus-get-property
445 :session secrets-service secrets-path
446 secrets-interface-service "Collections"))))
448 (defun secrets-get-collection-properties (collection-path)
449 "Return all properties of collection identified by COLLECTION-PATH."
450 (unless (secrets-empty-path collection-path)
451 (dbus-get-all-properties
452 :session secrets-service collection-path
453 secrets-interface-collection)))
455 (defun secrets-get-collection-property (collection-path property)
456 "Return property PROPERTY of collection identified by COLLECTION-PATH."
457 (unless (or (secrets-empty-path collection-path) (not (stringp property)))
458 (dbus-get-property
459 :session secrets-service collection-path
460 secrets-interface-collection property)))
462 (defun secrets-list-collections ()
463 "Return a list of collection names."
464 (mapcar
465 (lambda (collection-path)
466 (if (string-equal collection-path secrets-session-collection-path)
467 "session"
468 (secrets-get-collection-property collection-path "Label")))
469 (secrets-get-collections)))
471 (defun secrets-collection-path (collection)
472 "Return the object path of collection labeled COLLECTION.
473 If COLLECTION is nil, return the session collection path.
474 If there is no such COLLECTION, return nil."
476 ;; The "session" collection.
477 (if (or (null collection) (string-equal "session" collection))
478 secrets-session-collection-path)
479 ;; Check for an alias.
480 (let ((collection-path
481 (dbus-call-method
482 :session secrets-service secrets-path
483 secrets-interface-service "ReadAlias" collection)))
484 (unless (secrets-empty-path collection-path)
485 collection-path))
486 ;; Check the collections.
487 (catch 'collection-found
488 (dolist (collection-path (secrets-get-collections) nil)
489 (when (string-equal
490 collection
491 (secrets-get-collection-property collection-path "Label"))
492 (throw 'collection-found collection-path))))))
494 (defun secrets-create-collection (collection)
495 "Create collection labeled COLLECTION if it doesn't exist.
496 Return the D-Bus object path for collection."
497 (let ((collection-path (secrets-collection-path collection)))
498 ;; Create the collection.
499 (when (secrets-empty-path collection-path)
500 (setq collection-path
501 (secrets-prompt
502 (cadr
503 ;; "CreateCollection" returns the prompt path as second arg.
504 (dbus-call-method
505 :session secrets-service secrets-path
506 secrets-interface-service "CreateCollection"
507 `(:array (:dict-entry "Label" (:variant ,collection))))))))
508 ;; Return object path of the collection.
509 collection-path))
511 (defun secrets-get-alias (alias)
512 "Return the collection name ALIAS is referencing to.
513 For the time being, only the alias \"default\" is supported."
514 (secrets-get-collection-property
515 (dbus-call-method
516 :session secrets-service secrets-path
517 secrets-interface-service "ReadAlias" alias)
518 "Label"))
520 (defun secrets-set-alias (collection alias)
521 "Set ALIAS as alias of collection labeled COLLECTION.
522 For the time being, only the alias \"default\" is supported."
523 (let ((collection-path (secrets-collection-path collection)))
524 (unless (secrets-empty-path collection-path)
525 (dbus-call-method
526 :session secrets-service secrets-path
527 secrets-interface-service "SetAlias"
528 alias :object-path collection-path))))
530 (defun secrets-delete-alias (alias)
531 "Delete ALIAS, referencing to a collection."
532 (dbus-call-method
533 :session secrets-service secrets-path
534 secrets-interface-service "SetAlias"
535 alias :object-path secrets-empty-path))
537 (defun secrets-unlock-collection (collection)
538 "Unlock collection labeled COLLECTION.
539 If successful, return the object path of the collection."
540 (let ((collection-path (secrets-collection-path collection)))
541 (unless (secrets-empty-path collection-path)
542 (secrets-prompt
543 (cadr
544 (dbus-call-method
545 :session secrets-service secrets-path secrets-interface-service
546 "Unlock" `(:array :object-path ,collection-path)))))
547 collection-path))
549 (defun secrets-delete-collection (collection)
550 "Delete collection labeled COLLECTION."
551 (let ((collection-path (secrets-collection-path collection)))
552 (unless (secrets-empty-path collection-path)
553 (secrets-prompt
554 (dbus-call-method
555 :session secrets-service collection-path
556 secrets-interface-collection "Delete")))))
558 ;;; Items.
560 (defun secrets-get-items (collection-path)
561 "Return the object paths of all available items in COLLECTION-PATH."
562 (unless (secrets-empty-path collection-path)
563 (secrets-open-session)
564 (dbus-get-property
565 :session secrets-service collection-path
566 secrets-interface-collection "Items")))
568 (defun secrets-get-item-properties (item-path)
569 "Return all properties of item identified by ITEM-PATH."
570 (unless (secrets-empty-path item-path)
571 (dbus-get-all-properties
572 :session secrets-service item-path
573 secrets-interface-item)))
575 (defun secrets-get-item-property (item-path property)
576 "Return property PROPERTY of item identified by ITEM-PATH."
577 (unless (or (secrets-empty-path item-path) (not (stringp property)))
578 (dbus-get-property
579 :session secrets-service item-path
580 secrets-interface-item property)))
582 (defun secrets-list-items (collection)
583 "Return a list of all item labels of COLLECTION."
584 (let ((collection-path (secrets-unlock-collection collection)))
585 (unless (secrets-empty-path collection-path)
586 (mapcar
587 (lambda (item-path)
588 (secrets-get-item-property item-path "Label"))
589 (secrets-get-items collection-path)))))
591 (defun secrets-search-items (collection &rest attributes)
592 "Search items in COLLECTION with ATTRIBUTES.
593 ATTRIBUTES are key-value pairs. The keys are keyword symbols,
594 starting with a colon. Example:
596 \(secrets-create-item \"Tramp collection\" \"item\" \"geheim\"
597 :method \"sudo\" :user \"joe\" :host \"remote-host\"\)
599 The object paths of the found items are returned as list."
600 (let ((collection-path (secrets-unlock-collection collection))
601 result props)
602 (unless (secrets-empty-path collection-path)
603 ;; Create attributes list.
604 (while (consp (cdr attributes))
605 (unless (keywordp (car attributes))
606 (error 'wrong-type-argument (car attributes)))
607 (setq props (add-to-list
608 'props
609 (list :dict-entry
610 (substring (symbol-name (car attributes)) 1)
611 (cadr attributes))
612 'append)
613 attributes (cddr attributes)))
614 ;; Search. The result is a list of two lists, the object paths
615 ;; of the unlocked and the locked items.
616 (setq result
617 (dbus-call-method
618 :session secrets-service collection-path
619 secrets-interface-collection "SearchItems"
620 (if props
621 (cons :array props)
622 '(:array :signature "{ss}"))))
623 ;; Return the found items.
624 (mapcar
625 (lambda (item-path) (secrets-get-item-property item-path "Label"))
626 (append (car result) (cadr result))))))
628 (defun secrets-create-item (collection item password &rest attributes)
629 "Create a new item in COLLECTION with label ITEM and password PASSWORD.
630 ATTRIBUTES are key-value pairs set for the created item. The
631 keys are keyword symbols, starting with a colon. Example:
633 \(secrets-create-item \"Tramp collection\" \"item\" \"geheim\"
634 :method \"sudo\" :user \"joe\" :host \"remote-host\"\)
636 The object path of the created item is returned."
637 (unless (member item (secrets-list-items collection))
638 (let ((collection-path (secrets-unlock-collection collection))
639 result props)
640 (unless (secrets-empty-path collection-path)
641 ;; Create attributes list.
642 (while (consp (cdr attributes))
643 (unless (keywordp (car attributes))
644 (error 'wrong-type-argument (car attributes)))
645 (setq props (add-to-list
646 'props
647 (list :dict-entry
648 (substring (symbol-name (car attributes)) 1)
649 (cadr attributes))
650 'append)
651 attributes (cddr attributes)))
652 ;; Create the item.
653 (setq result
654 (dbus-call-method
655 :session secrets-service collection-path
656 secrets-interface-collection "CreateItem"
657 ;; Properties.
658 (append
659 `(:array
660 (:dict-entry ,(concat secrets-interface-item ".Label")
661 (:variant ,item))
662 (:dict-entry ,(concat secrets-interface-item ".Type")
663 (:variant ,secrets-interface-item-type-generic)))
664 (when props
665 `((:dict-entry ,(concat secrets-interface-item ".Attributes")
666 (:variant ,(append '(:array) props))))))
667 ;; Secret.
668 (append
669 `(:struct :object-path ,secrets-session-path
670 (:array :signature "y") ;; No parameters.
671 ,(dbus-string-to-byte-array password))
672 ;; We add the content_type. In backward compatibility
673 ;; mode, nil is appended, which means nothing.
674 secrets-struct-secret-content-type)
675 ;; Do not replace. Replace does not seem to work.
676 nil))
677 (secrets-prompt (cadr result))
678 ;; Return the object path.
679 (car result)))))
681 (defun secrets-item-path (collection item)
682 "Return the object path of item labeled ITEM in COLLECTION.
683 If there is no such item, return nil."
684 (let ((collection-path (secrets-unlock-collection collection)))
685 (catch 'item-found
686 (dolist (item-path (secrets-get-items collection-path))
687 (when (string-equal item (secrets-get-item-property item-path "Label"))
688 (throw 'item-found item-path))))))
690 (defun secrets-get-secret (collection item)
691 "Return the secret of item labeled ITEM in COLLECTION.
692 If there is no such item, return nil."
693 (let ((item-path (secrets-item-path collection item)))
694 (unless (secrets-empty-path item-path)
695 (dbus-byte-array-to-string
696 (cl-caddr
697 (dbus-call-method
698 :session secrets-service item-path secrets-interface-item
699 "GetSecret" :object-path secrets-session-path))))))
701 (defun secrets-get-attributes (collection item)
702 "Return the lookup attributes of item labeled ITEM in COLLECTION.
703 If there is no such item, or the item has no attributes, return nil."
704 (unless (stringp collection) (setq collection "default"))
705 (let ((item-path (secrets-item-path collection item)))
706 (unless (secrets-empty-path item-path)
707 (mapcar
708 (lambda (attribute)
709 (cons (intern (concat ":" (car attribute))) (cadr attribute)))
710 (dbus-get-property
711 :session secrets-service item-path
712 secrets-interface-item "Attributes")))))
714 (defun secrets-get-attribute (collection item attribute)
715 "Return the value of ATTRIBUTE of item labeled ITEM in COLLECTION.
716 If there is no such item, or the item doesn't own this attribute, return nil."
717 (cdr (assoc attribute (secrets-get-attributes collection item))))
719 (defun secrets-delete-item (collection item)
720 "Delete ITEM in COLLECTION."
721 (let ((item-path (secrets-item-path collection item)))
722 (unless (secrets-empty-path item-path)
723 (secrets-prompt
724 (dbus-call-method
725 :session secrets-service item-path
726 secrets-interface-item "Delete")))))
728 ;;; Visualization.
730 (define-derived-mode secrets-mode nil "Secrets"
731 "Major mode for presenting password entries retrieved by Security Service.
732 In this mode, widgets represent the search results.
734 \\{secrets-mode-map}"
735 ;; Keymap.
736 (setq secrets-mode-map (copy-keymap special-mode-map))
737 (set-keymap-parent secrets-mode-map widget-keymap)
738 (define-key secrets-mode-map "z" 'kill-this-buffer)
740 ;; When we toggle, we must set temporary widgets.
741 (set (make-local-variable 'tree-widget-after-toggle-functions)
742 '(secrets-tree-widget-after-toggle-function))
744 (when (not (called-interactively-p 'interactive))
745 ;; Initialize buffer.
746 (setq buffer-read-only t)
747 (let ((inhibit-read-only t))
748 (erase-buffer))))
750 ;; It doesn't make sense to call it interactively.
751 (put 'secrets-mode 'disabled t)
753 ;; The very first buffer created with `secrets-mode' does not have the
754 ;; keymap etc. So we create a dummy buffer. Stupid.
755 (with-temp-buffer (secrets-mode))
757 ;; We autoload `secrets-show-secrets' only on systems with D-Bus support.
758 ;;;###autoload(when (featurep 'dbusbind)
759 ;;;###autoload (autoload 'secrets-show-secrets "secrets" nil t))
761 (defun secrets-show-secrets ()
762 "Display a list of collections from the Secret Service API.
763 The collections are in tree view, that means they can be expanded
764 to the corresponding secret items, which could also be expanded
765 to their attributes."
766 (interactive)
768 ;; Check, whether the Secret Service API is enabled.
769 (if (null secrets-enabled)
770 (message "Secret Service not available")
772 ;; Create the search buffer.
773 (with-current-buffer (get-buffer-create "*Secrets*")
774 (switch-to-buffer-other-window (current-buffer))
775 ;; Initialize buffer with `secrets-mode'.
776 (secrets-mode)
777 (secrets-show-collections))))
779 (defun secrets-show-collections ()
780 "Show all available collections."
781 (let ((inhibit-read-only t)
782 (alias (secrets-get-alias "default")))
783 (erase-buffer)
784 (tree-widget-set-theme "folder")
785 (dolist (coll (secrets-list-collections))
786 (widget-create
787 `(tree-widget
788 :tag ,coll
789 :collection ,coll
790 :open nil
791 :sample-face bold
792 :expander secrets-expand-collection)))))
794 (defun secrets-expand-collection (widget)
795 "Expand items of collection shown as WIDGET."
796 (let ((coll (widget-get widget :collection)))
797 (mapcar
798 (lambda (item)
799 `(tree-widget
800 :tag ,item
801 :collection ,coll
802 :item ,item
803 :open nil
804 :sample-face bold
805 :expander secrets-expand-item))
806 (secrets-list-items coll))))
808 (defun secrets-expand-item (widget)
809 "Expand password and attributes of item shown as WIDGET."
810 (let* ((coll (widget-get widget :collection))
811 (item (widget-get widget :item))
812 (attributes (secrets-get-attributes coll item))
813 ;; padding is needed to format attribute names.
814 (padding
815 (apply
816 'max
817 (cons
818 (1+ (length "password"))
819 (mapcar
820 ;; Attribute names have a leading ":", which will be suppressed.
821 (lambda (attribute) (length (symbol-name (car attribute))))
822 attributes)))))
823 (cons
824 ;; The password widget.
825 `(editable-field :tag "password"
826 :secret ?*
827 :value ,(secrets-get-secret coll item)
828 :sample-face widget-button-pressed
829 ;; We specify :size in order to limit the field.
830 :size 0
831 :format ,(concat
832 "%{%t%}:"
833 (make-string (- padding (length "password")) ? )
834 "%v\n"))
835 (mapcar
836 (lambda (attribute)
837 (let ((name (substring (symbol-name (car attribute)) 1))
838 (value (cdr attribute)))
839 ;; The attribute widget.
840 `(editable-field :tag ,name
841 :value ,value
842 :sample-face widget-documentation
843 ;; We specify :size in order to limit the field.
844 :size 0
845 :format ,(concat
846 "%{%t%}:"
847 (make-string (- padding (length name)) ? )
848 "%v\n"))))
849 attributes))))
851 (defun secrets-tree-widget-after-toggle-function (widget &rest ignore)
852 "Add a temporary widget to show the password."
853 (dolist (child (widget-get widget :children))
854 (when (widget-member child :secret)
855 (goto-char (widget-field-end child))
856 (widget-insert " ")
857 (widget-create-child-and-convert
858 child 'push-button
859 :notify 'secrets-tree-widget-show-password
860 "Show password")))
861 (widget-setup))
863 (defun secrets-tree-widget-show-password (widget &rest ignore)
864 "Show password, and remove temporary widget."
865 (let ((parent (widget-get widget :parent)))
866 (widget-put parent :secret nil)
867 (widget-default-value-set parent (widget-get parent :value))
868 (widget-setup)))
870 ;;; Initialization.
872 (when (dbus-ping :session secrets-service 100)
874 ;; We must reset all variables, when there is a new instance of the
875 ;; "org.freedesktop.secrets" service.
876 (dbus-register-signal
877 :session dbus-service-dbus dbus-path-dbus
878 dbus-interface-dbus "NameOwnerChanged"
879 (lambda (&rest args)
880 (when secrets-debug (message "Secret Service has changed: %S" args))
881 (setq secrets-session-path secrets-empty-path
882 secrets-prompt-signal nil
883 secrets-collection-paths nil))
884 secrets-service)
886 ;; We want to refresh our cache, when there is a change in
887 ;; collections.
888 (dbus-register-signal
889 :session secrets-service secrets-path
890 secrets-interface-service "CollectionCreated"
891 'secrets-collection-handler)
893 (dbus-register-signal
894 :session secrets-service secrets-path
895 secrets-interface-service "CollectionDeleted"
896 'secrets-collection-handler)
898 ;; We shall inform, whether the secret service is enabled on this
899 ;; machine.
900 (setq secrets-enabled t))
902 (provide 'secrets)
904 ;;; TODO:
906 ;; * secrets-debug should be structured like auth-source-debug to
907 ;; prevent leaking sensitive information. Right now I don't see
908 ;; anything sensitive though.
909 ;; * Check, whether the dh-ietf1024-aes128-cbc-pkcs7 algorithm can be
910 ;; used for the transfer of the secrets. Currently, we use the
911 ;; plain algorithm.