| blob | 8ef5f7140ac08e7e6990e66adde4338d63eada1d |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs -*- lexical-binding: t -*-
3 ;; Copyright (C) 2008-2018 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
76 "Authentication sources."
80 ;;;###autoload
82 "How many seconds passwords are cached, or nil to disable
83 expiring. Overrides `password-cache-expiry' through a
84 let-binding."
93 ;; The slots below correspond with the `auth-source-search' spec,
94 ;; so a backend with :host set, for instance, would match only
95 ;; searches for that host. Normally they are nil.
99 :type symbol
100 :custom symbol
103 :type string
104 :custom string
107 :initform t
108 :type t
109 :custom string
112 :initform t
113 :type t
114 :custom string
117 :initform t
118 :type t
119 :custom string
122 :initform nil
125 :initform ignore
126 :type function
127 :custom function
130 :initform ignore
131 :type function
132 :custom function
140 "List of authentication protocols and their names"
150 ;; Generate all the protocols in a format Customize can use.
151 ;; TODO: generate on the fly from auth-source-protocols
157 p)))
158 auth-source-protocols))
161 ;; FIXME: AFAICT this is not set (or let-bound) anywhere!
170 "If set, auth-source will respect it for save behavior."
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
205 "Whether auth-source should cache information with `password-cache'."
211 "Whether auth-source should log debug messages.
213 If the value is nil, debug messages are not logged.
215 If the value is t, debug messages are logged with `message'. In
216 that case, your authentication data will be in the clear (except
217 for passwords).
219 If the value is a function, debug messages are logged by calling
220 that function using the same arguments as `message'."
227 trivia)
232 "List of authentication sources.
233 Each entry is the authentication type with optional properties.
234 Entries are tried in the order in which they appear.
235 See Info node `(auth)Help for users' for details.
238 EPA/EPG set up, the file will be encrypted and decrypted
239 automatically. See Info node `(epa)Encrypting/decrypting gpg files'
240 for details.
243 can get pretty complex."
254 macos-keychain-internet)
257 macos-keychain-generic)
311 "List of recipient keys that `authinfo.gpg' encrypted to.
312 If the value is not a list, symmetric encryption will be used."
330 ;; set logger to either the function in auth-source-debug or 'message
331 ;; note that it will be 'message if auth-source-debug is nil
333 auth-source-debug
335 msg))
338 "Read one of CHOICES by `read-char-choice', or `read-char'.
339 `dropdown-list' support is disabled because it doesn't work reliably.
340 Only one of CHOICES will be returned. The PROMPT is augmented
348 k)
352 k)))
355 "List of auth-source parser functions.
356 Each function takes an entry from `auth-sources' as parameter and
357 returns a backend or nil if the entry is not supported. Add a
358 parser function to this list with `add-hook'. Searching for a
359 backend starts with the first element on the list and stops as
363 "Create an auth-source-backend from an ENTRY in `auth-sources'."
371 ;; none of the parsers worked
380 ;; take just a file name use it as a netrc/plist file
381 ;; matching any user, host, and protocol
397 source
398 :source source
405 source
406 :source source
411 source
412 :source source
417 ;; Note this function should be last in the parser functions, so we add it first
421 ;; take macos-keychain-{internet,generic}:XYZ and use it as macOS
422 ;; Keychain "XYZ" matching any user, host, and protocol
424 entry))
428 entry))
431 ;; take 'macos-keychain-internet or generic and use it as a Mac OS
432 ;; Keychain collection matching any user, host, and protocol
438 ;; the macOS Keychain
449 'macos-keychain-generic
452 :macos-keychain-generic
460 :source source
461 :type keychain-type
468 ;; take secrets:XYZ and use it as Secrets API collection "XYZ"
469 ;; matching any user, host, and protocol
472 ;; take 'default and use it as a Secrets API default collection
473 ;; matching any user, host, and protocol
477 ;; the Secrets API. We require the package, in order to have a
478 ;; defined value for `secrets-enabled'.
488 ;; the source is either the :secrets key in ENTRY or
489 ;; if that's missing or nil, it's "session"
492 ;; if the source is a symbol, we look for the alias named so,
493 ;; and if that alias is missing, we use "Login"
501 :source source
515 "Fills in the extra auth-source-backend parameters of ENTRY.
516 Using the plist ENTRY, get the :host, :port, and :user search
517 parameters."
519 nil
520 entry))
521 val)
528 backend)
530 ;; (mapcar 'auth-source-backend-parse auth-sources)
533 &key max require create delete
535 "Search or modify authentication backends according to SPEC.
537 This function parses `auth-sources' for matches of the SPEC
538 plist. It can optionally create or update an authentication
539 token if requested. A token is just a standard Emacs property
540 list with a :secret property that can be a function; all the
541 other properties will always hold scalar values.
543 Typically the :secret property, if present, contains a password.
545 Common search keys are :max, :host, :port, and :user. In
546 addition, :create specifies if and how tokens will be created.
547 Finally, :type can specify which backend types you want to check.
549 A string value is always matched literally. A symbol is matched
550 as its string value, literally. All the SPEC values can be
551 single values (symbol or string) or lists thereof (in which case
552 any of the search terms matches).
554 :create t means to create a token if possible.
556 A new token will be created if no matching tokens were found.
557 The new token will have only the keys the backend requires. For
558 the netrc backend, for instance, that's the user, host, and
559 port keys.
561 Here's an example:
567 :create t))
569 which says:
572 `netrc', maximum one result.
574 Create a new entry if you found none. The netrc backend will
575 automatically require host, user, and port. The host will be
576 `mine'. We prompt for the user with default `defaultUser' and
577 for the port without a default. We will not prompt for A, Q,
578 or P. The resulting token will only have keys user, host, and
583 The behavior is like :create t but if the list contains any
584 parameter, that parameter will be required in the resulting
585 token. The value for that parameter will be obtained from the
586 search parameters or from user input. If any queries are needed,
587 the alist `auth-source-creation-defaults' will be checked for the
588 default value. If the user, host, or port are missing, the alist
589 `auth-source-creation-prompts' will be used to look up the
590 prompts IN THAT ORDER (so the `user' prompt will be queried first,
591 then `host', then `port', and finally `secret'). Each prompt string
592 can use %u, %h, and %p to show the user, host, and port.
594 Here's an example:
598 (auth-source-creation-prompts
604 which says:
607 or `twosuch' in backends of type `netrc', maximum one result.
609 Create a new entry if you found none. The netrc backend will
610 automatically require host, user, and port. The host will be
611 `nonesuch' and Q will be `qqqq'. We prompt for the password
612 with the shown prompt. We will not prompt for Q. The resulting
613 token will have keys user, host, port, A, B, and Q. It will not
614 have P with any value, even though P is used in the search to
617 When multiple values are specified in the search parameter, the
618 user is prompted for which one. So :host (X Y Z) would ask the
619 user to choose between X, Y, and Z.
621 This creation can fail if the search was not specific enough to
622 create a new token (it's up to the backend to decide that). You
623 should `catch' the backend-specific error as usual. Some
624 backends (netrc, at least) will prompt the user rather than throw
625 an error.
627 :require (A B C) means that only results that contain those
628 tokens will be returned. Thus for instance requiring :secret
629 will ensure that any results will actually have a :secret
630 property.
632 :delete t means to delete any found entries. nil by default.
633 Use `auth-source-delete' in ELisp code instead of calling
634 `auth-source-search' directly with this parameter.
636 :type (X Y Z) will check only those backend types. `netrc' and
637 `secrets' are the only ones supported right now.
639 :max N means to try to return at most N items (defaults to 1).
640 More than N items may be returned, depending on the search and
641 the backend.
643 When :max is 0 the function will return just t or nil to indicate
644 if any matches were found.
646 :host (X Y Z) means to match only hosts X, Y, or Z according to
647 the match rules above. Defaults to t.
649 :user (X Y Z) means to match only users X, Y, or Z according to
650 the match rules above. Defaults to t.
652 :port (P Q R) means to match only protocols P, Q, or R.
653 Defaults to t.
655 :K (V1 V2 V3) for any other key K will match values V1, V2, or
656 V3 (note the match rules above).
658 The return value is a list with at most :max tokens. Each token
659 is a plist with keys :backend :host :port :user, plus any other
660 keys provided by the backend (notably :secret). But note the
661 exception for :max 0, which see above.
663 The token can hold a :save-function key. If you call that, the
664 user will be prompted to save the data to the backend. You can't
665 request that this should happen right after creation, because
666 `auth-source-search' has no way of knowing if the token is
667 actually useful. So the caller must arrange to call this function.
669 The token's :secret key can hold a function. In that case you
670 must call it to obtain the actual value."
678 ;; note that we may have cached results but found is still nil
679 ;; (there were no results from the search)
681 filtered-backends)
685 "auth-source-search: found %d CACHED results matching %S"
699 ;; ignore invalid slots
709 "auth-source-search: found %d backends matching %S"
712 ;; (debug spec "filtered" filtered-backends)
713 ;; First go through all the backends without :create, so we can
714 ;; query them all.
716 spec
717 ;; to exit early
718 max
719 ;; create is always nil here
720 nil delete
721 require))
724 "auth-source-search: found %d results (max %d) matching %S"
727 ;; If we didn't find anything, then we allow the backend(s) to
728 ;; create the entries.
732 spec
733 ;; to exit early
734 max
735 create delete
736 require))
738 "auth-source-search: CREATED %d results (max %d) matching %S"
741 ;; note we remember the lack of result too, if it's applicable
747 found)))
751 matches)
756 :backend backend
758 ;; note we're overriding whatever the spec
759 ;; has for :max, :require, :create, and :delete
760 :max max
761 :require require
762 :create create
763 :delete delete
764 spec)))
767 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
771 spec)
773 matches))
776 "Delete entries from the authentication backends according to SPEC.
777 Calls `auth-source-search' with the :delete property in SPEC set to t.
778 The backend may not actually delete the entries.
780 Returns the deleted entries."
784 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
788 ;; (debug :collection collection :value value)
797 "Forget all cached auth-source data."
801 ;; remove that key
803 password-data)
807 "Format SPEC entry to put it in the password cache."
811 "Remember FOUND search results for SPEC."
817 "Recall FOUND search results for SPEC."
821 "Check if SPEC is remembered."
826 "Forget any cached data matching SPEC exactly.
828 This is the same SPEC you passed to `auth-source-search'.
829 Returns t or nil for forgotten or not found."
833 "Forget any cached data matching SPEC. Returns forgotten count.
835 This is not a full `auth-source-search' spec but works similarly.
837 cached data that was found with a search for those two hosts,
838 while \(:host t) would find all host entries."
843 ;; and the spec matches what was stored in the cache
845 ;; remove that key
848 password-data)
849 count))
862 "Pick the first secret found from applying SPEC to `auth-source-search'."
868 secret)))
871 "Format PROMPT using %x (for any character x) specifiers in ALIST."
878 prompt nil t)))))
879 prompt)
883 values
889 value))
890 values)))
892 ;;; Backend specific parsing: netrc/authinfo backend
909 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
912 "Parse FILE and return a list of all entries in the file.
913 Note that the MAX parameter is used so we can exit the parse early."
915 ;; We got already parsed contents; just return it.
916 file
928 host
932 t))
934 user
939 t))
941 port
945 t))
947 ;; the required list of keys is nil, or
949 ;; every element of require is in n (normalized)
954 result)
961 "auth-source-netrc-parse: using CACHED file data for %s"
962 file)
965 ;; cache all netrc files (used to be just .gpg files)
966 ;; Store the contents of the file heavily encrypted in memory.
967 ;; (note for the irony-impaired: they are just obfuscated)
969 auth-source-netrc-cache file
975 alist)
981 ;; (see bug#7487) making `epa-file-encrypt-to' local to
982 ;; this buffer lets epa-file skip the key selection query
983 ;; (see the `local-variable-p' check in
984 ;; `epa-file-write-region').
990 ;; ask AFTER we've successfully opened the file
992 file modified))
995 "auth-source-netrc-parse: modified %d lines in %s"
996 modified file)))
1001 "Advance to the next interesting position in the current buffer."
1002 ;; If we're looking at a comment or are at the end of the line, move forward
1010 "Read one thing from the current buffer."
1020 ;; with thanks to org-mode
1024 ;; works also in narrowed buffer, because we start at 1, not point-min
1028 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1031 alist
1035 all))
1036 item item2 all alist default)
1039 ;; We're starting a new machine. Save the old one.
1043 ;; (auth-source-do-trivia
1044 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1046 alist nil))
1047 ;; In default entries, we don't have a next token.
1048 ;; We store them as ("machine" . t)
1051 ;; Not a default entry. Grab the next item.
1053 ;; Did we get a "machine" value?
1056 "%s: Unexpected `machine' token at line %d"
1057 "auth-source-netrc-parse-entries"
1061 ;; Clean up: if there's an entry left over, use it.
1064 ;; (auth-source-do-trivia
1065 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1066 )
1074 passphrase)
1075 ;; return the saved passphrase, calling a function if needed
1086 t))
1089 passphrase))))
1092 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1093 FILE is the file from which we obtained this token."
1098 context
1100 file))
1108 cipher)
1111 context
1113 file))
1132 ;; apply key aliases
1139 ;; send back the secret in a function (lexical binding)
1144 ;; it's a GPG token: create a token decoder
1145 ;; which unsets itself once
1150 val
1151 filename)
1156 lexv))))
1159 v))))
1160 ret))
1161 alist))
1164 &key backend require create
1165 type max host user port
1167 "Given a property list SPEC, return search matches from the :backend.
1168 See `auth-source-search' for details on SPEC."
1169 ;; just in case, check that the type is correct (null or same as the backend)
1175 :max max
1176 :require require
1183 ;; if we need to create an entry AND none were found to match
1187 ;; create based on the spec and record the value
1189 ;; if the user did not want to create the entry
1190 ;; in the file, it will be returned
1192 ;; if not, we do the search again without :create
1193 ;; to get the updated data.
1195 ;; the result will be returned, even if the search fails
1198 results))
1203 v))
1205 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1206 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1209 &key backend host port create
1212 ;; we know (because of an assertion in auth-source-search) that the
1213 ;; :create parameter is either t or a list (which includes nil)
1216 :host host
1221 ;; `valist' is an alist
1222 valist
1223 ;; `artificial' will be returned if no creation is needed
1224 artificial)
1226 ;; only for base required elements (defined as function parameters):
1227 ;; fill in the valist with whatever data we may have from the search
1228 ;; we complete the first value if it's a list and use the value otherwise
1233 ;; all-accepting choice (predicate is t)
1235 ;; just the value otherwise
1240 ;; for extra required elements, see if the spec includes a value for them
1248 ;; for each required element
1251 ;; take the first element if the data is a list
1255 ;; this is the default to be offered
1257 auth-source-creation-defaults r))
1258 ;; the default supplementals are simple:
1259 ;; for the user, try `given-default' and then (user-login-name);
1260 ;; otherwise take `given-default'
1292 prompt
1297 ;; Store the data, prompting for the password if needed.
1300 ;; Special case prompt for passwords.
1301 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") nil) (t gpg)))
1302 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1310 auth-source-netrc-use-gpg-tokens))
1311 item ret)
1318 ;; FIXME: `ret' unused.
1319 ;; Should we return it here?
1320 ))
1323 ;; ask if we don't know what to do (in which case
1324 ;; auth-source-netrc-use-gpg-tokens must be a list)
1327 ;; TODO: save the defcustom now? or ask?
1330 auth-source-netrc-use-gpg-tokens)))
1333 plain))
1339 nil nil default)
1348 data))))
1350 ;; When r is not an empty string...
1353 ;; this function is not strictly necessary but I think it
1354 ;; makes the code clearer -tzz
1356 ;; append the key (the symbol name of r)
1357 ;; and the value in r
1359 ;; prepend a space
1361 ;; remap auth-source tokens to netrc
1370 data)))))
1374 artificial
1375 :save-function
1383 "Save a line ADD in FILE, prompting along the way.
1384 Respects `auth-source-save-behavior'. Uses
1385 `auth-source-netrc-cache' to avoid prompting more than once."
1391 "auth-source-netrc-saver: found previous run for key %s, returning"
1392 key)
1397 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1398 ;; this buffer lets epa-file skip the key selection query
1399 ;; (see the `local-variable-p' check in
1400 ;; `epa-file-write-region').
1405 ;; we want the new data to be found first, so insert at beginning
1408 ;; Ask AFTER we've successfully opened the file.
1412 k)
1425 ;; Why? Doesn't with-output-to-temp-buffer already do
1426 ;; the exact same thing anyway? --Stef
1430 done t))
1431 (?N
1433 done t)
1441 ;; Make sure the info is not saved.
1451 ;; Make the .authinfo file non-world-readable.
1454 "auth-source-netrc-create: wrote 1 new line to %s"
1455 file)
1457 nil))))
1460 ;;; Backend specific parsing: Secrets API backend
1463 "Convert a pattern with lists to a list of string patterns.
1468 only string values for patterns, so this routine returns a list
1469 of patterns that is equivalent to the single original pattern
1470 when interpreted such that if a secret matches any pattern in the
1471 list, it matches the original pattern."
1484 &key backend create delete label max
1486 "Search the Secrets API; spec is like `auth-source'.
1488 The :label key specifies the item's label. It is the only key
1489 that can specify a substring. Any :label value besides a string
1490 will allow any label.
1492 All other search keys must match exactly. If you need substring
1493 matching, do a wider search and narrow it down yourself.
1495 You'll get back all the properties of the token as a plist.
1497 Here's an example that looks for the first item in the `Login'
1498 Secrets collection:
1501 (auth-source-search :max 1)
1503 Here's another that looks for the first item in the `Login'
1504 Secrets collection whose label contains `gnus':
1509 And this one looks for the first item in the `Login' Secrets
1510 collection that's a Google Chrome entry for the git.gnus.org site
1511 authentication tokens:
1515 "
1517 ;; TODO
1520 ;; TODO
1521 ;; (secrets-delete-item coll elt)
1531 ;; build a search spec without the ignored keys
1532 ;; if a search key is nil or t (match anything), we skip it
1538 nil
1540 search-keys))))
1541 ;; needed keys (always including host, login, port, and secret)
1544 search-keys)))
1547 for search-spec in search-specs
1548 nconc
1552 collect item)))
1553 ;; TODO: respect max in `secrets-search-items', not after the fact
1555 ;; convert the item name to a full plist
1558 ;; make an entry for the secret (password) element
1560 :secret
1563 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1568 items))
1569 ;; ensure each item has each key in `returned-keys'
1575 nil
1577 returned-keys))
1578 plist))
1579 items)))
1580 items))
1583 ;; TODO
1584 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1587 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1590 &key backend create delete type max
1592 "Search the macOS Keychain; spec is like `auth-source'.
1594 All search keys must match exactly. If you need substring
1595 matching, do a wider search and narrow it down yourself.
1597 You'll get back all the properties of the token as a plist.
1599 The :type key is either `macos-keychain-internet' or
1600 `macos-keychain-generic'.
1602 For the internet keychain type, the :label key searches the
1606 \(note PROT has to be a 4-character string).
1608 For the generic keychain type, the :label key searches the item's
1613 Here's an example that looks for the first item in the default
1614 generic macOS Keychain:
1617 (auth-source-search :max 1)
1619 Here's another that looks for the first item in the internet
1620 macOS Keychain collection whose label is `gnus':
1625 And this one looks for the first item in the internet keychain
1626 entries for git.gnus.org:
1630 "
1631 ;; TODO
1634 ;; TODO
1635 ;; (macos-keychain-delete-item coll elt)
1641 ;; Filter out ignored keys from the spec
1643 ;; Build a search spec without the ignored keys
1644 ;; FIXME make this loop a function? it's used in at least 3 places
1648 ;; If a search key value is nil or t (match anything), we skip it
1653 nil
1655 search-keys)))
1656 ;; needed keys (always including host, login, port, and secret)
1659 search-keys)))
1660 ;; Extract host and port from spec
1665 ;; Loop through all combinations of host/port and pass each of these to
1666 ;; auth-source-macos-keychain-search-items
1672 coll
1673 type
1674 max
1675 host port
1676 search-spec)))
1680 ;; ensure each item has each key in `returned-keys'
1686 nil
1688 returned-keys))
1689 plist))
1690 items)))
1691 items))
1706 else
1707 collect var))
1711 &key label type user
1715 "find-generic-password"
1731 port)))))
1743 ret
1744 keychain-generic
1745 "secret"
1749 ;; TODO: check if this is really the label
1750 ;; match 0x00000007 <blob>="AppleID"
1754 ret
1755 keychain-generic
1756 "label"
1758 ;; match "crtr"<uint32>="aapl"
1759 ;; match "svce"<blob>="AppleID"
1763 ret
1764 keychain-generic
1768 ;; return `ret' iff it has the :secret key
1776 ;; for generic keychains, creator is host, service is port
1779 ;; for internet keychains, protocol is port, server is host
1783 result))
1786 ;; TODO
1789 ;;; Backend specific parsing: PLSTORE backend
1792 &key backend create delete max
1794 "Search the PLSTORE; spec is like `auth-source'."
1801 ;; build a search spec without the ignored keys
1802 ;; if a search key is nil or t (match anything), we skip it
1808 nil
1812 search-keys)))
1813 ;; needed keys (always including host, login, port, and secret)
1816 search-keys)))
1820 ;; convert the item to a full plist
1829 plist))
1830 items))
1831 ;; ensure each item has each key in `returned-keys'
1837 nil
1839 returned-keys))
1840 plist))
1841 items)))
1843 ;; if we need to create an entry AND none were found to match
1847 ;; create based on the spec and record the value
1849 ;; if the user did not want to create the entry
1850 ;; in the file, it will be returned
1852 ;; if not, we do the search again without :create
1853 ;; to get the updated data.
1855 ;; the result will be returned, even if the search fails
1859 item-names)
1863 items))
1866 &key backend host port create
1870 ;; we know (because of an assertion in auth-source-search) that the
1871 ;; :create parameter is either t or a list (which includes nil)
1874 :host host
1877 ;; `valist' is an alist
1878 valist
1879 ;; `artificial' will be returned if no creation is needed
1880 artificial
1881 secret-artificial)
1883 ;; only for base required elements (defined as function parameters):
1884 ;; fill in the valist with whatever data we may have from the search
1885 ;; we complete the first value if it's a list and use the value otherwise
1890 ;; all-accepting choice (predicate is t)
1892 ;; just the value otherwise
1897 ;; for extra required elements, see if the spec includes a value for them
1905 ;; for each required element
1908 ;; take the first element if the data is a list
1912 ;; this is the default to be offered
1914 auth-source-creation-defaults r))
1915 ;; the default supplementals are simple:
1916 ;; for the user, try `given-default' and then (user-login-name);
1917 ;; otherwise take `given-default'
1949 prompt
1954 ;; Store the data, prompting for the password if needed.
1964 nil nil default)
1972 data))
1975 data))))))
1981 artificial secret-artificial)
1986 ;;; Backend specific parsing: JSON backend
1987 ;;; (auth-source-search :max 1 :machine "imap.gmail.com")
1988 ;;; (auth-source-search :max 1 :host '("my-gmail" "imap.gmail.com") :port '(993 "imaps" "imap" "993" "143") :user nil :require '(:user :secret))
1997 t))
2004 t))
2010 t))
2012 ;; the required list of keys is nil, or
2014 ;; every element of require is in
2019 &key backend require
2020 type max host user port
2022 "Given a property list SPEC, return search matches from the :backend.
2023 See `auth-source-search' for details on SPEC."
2024 ;; just in case, check that the type is correct (null or same as the backend)
2028 ;; Hide the secrets early to avoid accidental exposure.
2041 ;; send back the secret in a function (lexical binding)
2046 ret))
2049 all)
2057 ;;; older API
2059 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2061 ;; deprecate the old interface
2069 "Find MODE (string or list of strings) matching HOST and PORT.
2071 DEPRECATED in favor of `auth-source-search'!
2074 across the Secret Service API (see secrets.el) if the resulting
2075 items don't have a username. This means that if you search for
2079 A non nil DELETE-EXISTING means deleting any matching password
2080 entry in the respective sources. This is useful only when
2081 CREATE-MISSING is non nil as well; the intended use case is to
2082 remove wrong password entries.
2084 If no matching entry is found, and CREATE-MISSING is non nil,
2085 the password will be retrieved interactively, and it will be
2086 stored in the password database which matches best (see
2087 `auth-sources').
2091 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2092 mode host port username)
2096 ;; (cname (if username
2097 ;; (format "%s %s:%s %s" mode host port username)
2098 ;; (format "%s %s:%s" mode host port)))
2103 search))
2106 search))
2107 ;; (found (if (not delete-existing)
2108 ;; (gethash cname auth-source-cache)
2109 ;; (remhash cname auth-source-cache)
2110 ;; nil)))
2115 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2116 mode
2117 ;; don't show the password
2119 "SECRET"
2120 found)
2121 host port username)
2123 ;; else, if not found, search with a max of 1
2138 found))
2144 :host host
2145 :user user
2150 :host host
2162 ;;; auth-source.el ends here