| blob | a58d023163fd0be5378b63aea65c22cce33aafc6 |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2013 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
77 "Authentication sources."
81 ;;;###autoload
83 "How many seconds passwords are cached, or nil to disable
84 expiring. Overrides `password-cache-expiry' through a
85 let-binding."
94 ;; The slots below correspond with the `auth-source-search' spec,
95 ;; so a backend with :host set, for instance, would match only
96 ;; searches for that host. Normally they are nil.
100 :type symbol
101 :custom symbol
104 :type string
105 :custom string
108 :initform t
109 :type t
110 :custom string
113 :initform t
114 :type t
115 :custom string
118 :initform t
119 :type t
120 :custom string
123 :initform nil
126 :initform ignore
127 :type function
128 :custom function
131 :initform ignore
132 :type function
133 :custom function
141 "List of authentication protocols and their names"
151 ;; Generate all the protocols in a format Customize can use.
152 ;; TODO: generate on the fly from auth-source-protocols
158 p)))
159 auth-source-protocols))
170 "If set, auth-source will respect it for save behavior."
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
208 "Whether auth-source should cache information with `password-cache'."
214 "Whether auth-source should log debug messages.
216 If the value is nil, debug messages are not logged.
218 If the value is t, debug messages are logged with `message'. In
219 that case, your authentication data will be in the clear (except
220 for passwords).
222 If the value is a function, debug messages are logged by calling
223 that function using the same arguments as `message'."
230 trivia)
235 "List of authentication sources.
237 The default will get login and password information from
239 packages to be encrypted. If that file doesn't exist, it will
243 See the auth.info manual for details.
245 Each entry is the authentication type with optional properties.
247 It's best to customize this with `M-x customize-variable' because the choices
248 can get pretty complex."
259 macos-keychain-internet)
262 macos-keychain-generic)
316 "List of recipient keys that `authinfo.gpg' encrypted to.
317 If the value is not a list, symmetric encryption will be used."
324 ;; temp for debugging
325 ;; (unintern 'auth-source-protocols)
326 ;; (unintern 'auth-sources)
327 ;; (customize-variable 'auth-sources)
328 ;; (setq auth-sources nil)
329 ;; (format "%S" auth-sources)
330 ;; (customize-variable 'auth-source-protocols)
331 ;; (setq auth-source-protocols nil)
332 ;; (format "%S" auth-source-protocols)
333 ;; (auth-source-pick nil :host "a" :port 'imap)
334 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
335 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
336 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
337 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
338 ;; (auth-source-protocol-defaults 'imap)
340 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
341 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
342 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
354 ;; set logger to either the function in auth-source-debug or 'message
355 ;; note that it will be 'message if auth-source-debug is nil
357 auth-source-debug
359 msg))
362 ;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
364 "Read one of CHOICES by `read-char-choice', or `read-char'.
365 `dropdown-list' support is disabled because it doesn't work reliably.
366 Only one of CHOICES will be returned. The PROMPT is augmented
374 k)
382 k)))
384 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
385 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
386 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
387 ;; (:source (:secrets "session") :host t :port t :user "joe")
388 ;; (:source (:secrets "Login") :host t :port t)
389 ;; (:source "~/.authinfo.gpg" :host t :port t)))
391 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
392 ;; (:source (:secrets "session") :host t :port t :user "joe")
393 ;; (:source (:secrets "Login") :host t :port t)
394 ;; ))
396 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
398 ;; (auth-source-backend-parse "myfile.gpg")
399 ;; (auth-source-backend-parse 'default)
400 ;; (auth-source-backend-parse "secrets:Login")
401 ;; (auth-source-backend-parse 'macos-keychain-internet)
402 ;; (auth-source-backend-parse 'macos-keychain-generic)
403 ;; (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
404 ;; (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
407 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
409 entry
411 ;; take 'default and recurse to get it as a Secrets API default collection
412 ;; matching any user, host, and protocol
415 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
416 ;; matching any user, host, and protocol
420 ;; take 'macos-keychain-internet and recurse to get it as a Mac OS
421 ;; Keychain collection matching any user, host, and protocol
424 ;; take 'macos-keychain-generic and recurse to get it as a Mac OS
425 ;; Keychain collection matching any user, host, and protocol
428 ;; take macos-keychain-internet:XYZ and recurse to get it as MacOS
429 ;; Keychain "XYZ" matching any user, host, and protocol
431 entry))
434 ;; take macos-keychain-generic:XYZ and recurse to get it as MacOS
435 ;; Keychain "XYZ" matching any user, host, and protocol
437 entry))
441 ;; take just a file name and recurse to get it as a netrc file
442 ;; matching any user, host, and protocol
446 ;; a file name with parameters
463 ;; the MacOS Keychain
474 'macos-keychain-generic
477 :macos-keychain-generic
485 :source source
486 :type keychain-type
490 ;; the Secrets API. We require the package, in order to have a
491 ;; defined value for `secrets-enabled'.
498 ;; the source is either the :secrets key in ENTRY or
499 ;; if that's missing or nil, it's "session"
503 ;; if the source is a symbol, we look for the alias named so,
504 ;; and if that alias is missing, we use "Login"
512 :source source
523 ;; none of them
528 "Empty"
533 "Fills in the extra auth-source-backend parameters of ENTRY.
534 Using the plist ENTRY, get the :host, :port, and :user search
535 parameters."
537 nil
538 entry))
539 val)
546 backend)
548 ;; (mapcar 'auth-source-backend-parse auth-sources)
551 &key type max host user port secret
552 require create delete
554 "Search or modify authentication backends according to SPEC.
556 This function parses `auth-sources' for matches of the SPEC
557 plist. It can optionally create or update an authentication
558 token if requested. A token is just a standard Emacs property
559 list with a :secret property that can be a function; all the
560 other properties will always hold scalar values.
562 Typically the :secret property, if present, contains a password.
564 Common search keys are :max, :host, :port, and :user. In
565 addition, :create specifies how tokens will be or created.
566 Finally, :type can specify which backend types you want to check.
568 A string value is always matched literally. A symbol is matched
569 as its string value, literally. All the SPEC values can be
570 single values (symbol or string) or lists thereof (in which case
571 any of the search terms matches).
573 :create t means to create a token if possible.
575 A new token will be created if no matching tokens were found.
576 The new token will have only the keys the backend requires. For
577 the netrc backend, for instance, that's the user, host, and
578 port keys.
580 Here's an example:
586 :create t))
588 which says:
591 'netrc', maximum one result.
593 Create a new entry if you found none. The netrc backend will
594 automatically require host, user, and port. The host will be
595 'mine'. We prompt for the user with default 'defaultUser' and
596 for the port without a default. We will not prompt for A, Q,
597 or P. The resulting token will only have keys user, host, and
600 :create '(A B C) also means to create a token if possible.
602 The behavior is like :create t but if the list contains any
603 parameter, that parameter will be required in the resulting
604 token. The value for that parameter will be obtained from the
605 search parameters or from user input. If any queries are needed,
606 the alist `auth-source-creation-defaults' will be checked for the
607 default value. If the user, host, or port are missing, the alist
608 `auth-source-creation-prompts' will be used to look up the
609 prompts IN THAT ORDER (so the 'user prompt will be queried first,
610 then 'host, then 'port, and finally 'secret). Each prompt string
611 can use %u, %h, and %p to show the user, host, and port.
613 Here's an example:
617 (auth-source-creation-prompts
621 :create '(A B Q)))
623 which says:
626 or 'twosuch' in backends of type 'netrc', maximum one result.
628 Create a new entry if you found none. The netrc backend will
629 automatically require host, user, and port. The host will be
630 'nonesuch' and Q will be 'qqqq'. We prompt for the password
631 with the shown prompt. We will not prompt for Q. The resulting
632 token will have keys user, host, port, A, B, and Q. It will not
633 have P with any value, even though P is used in the search to
636 When multiple values are specified in the search parameter, the
637 user is prompted for which one. So :host (X Y Z) would ask the
638 user to choose between X, Y, and Z.
640 This creation can fail if the search was not specific enough to
641 create a new token (it's up to the backend to decide that). You
642 should `catch' the backend-specific error as usual. Some
643 backends (netrc, at least) will prompt the user rather than throw
644 an error.
646 :require (A B C) means that only results that contain those
647 tokens will be returned. Thus for instance requiring :secret
648 will ensure that any results will actually have a :secret
649 property.
651 :delete t means to delete any found entries. nil by default.
652 Use `auth-source-delete' in ELisp code instead of calling
653 `auth-source-search' directly with this parameter.
655 :type (X Y Z) will check only those backend types. 'netrc and
656 'secrets are the only ones supported right now.
658 :max N means to try to return at most N items (defaults to 1).
659 When 0 the function will return just t or nil to indicate if any
660 matches were found. More than N items may be returned, depending
661 on the search and the backend.
663 :host (X Y Z) means to match only hosts X, Y, or Z according to
664 the match rules above. Defaults to t.
666 :user (X Y Z) means to match only users X, Y, or Z according to
667 the match rules above. Defaults to t.
669 :port (P Q R) means to match only protocols P, Q, or R.
670 Defaults to t.
672 :K (V1 V2 V3) for any other key K will match values V1, V2, or
673 V3 (note the match rules above).
675 The return value is a list with at most :max tokens. Each token
676 is a plist with keys :backend :host :port :user, plus any other
677 keys provided by the backend (notably :secret). But note the
678 exception for :max 0, which see above.
680 The token can hold a :save-function key. If you call that, the
681 user will be prompted to save the data to the backend. You can't
682 request that this should happen right after creation, because
683 `auth-source-search' has no way of knowing if the token is
684 actually useful. So the caller must arrange to call this function.
686 The token's :secret key can hold a function. In that case you
687 must call it to obtain the actual value."
695 ;; note that we may have cached results but found is still nil
696 ;; (there were no results from the search)
698 filtered-backends accessor-key backend)
702 "auth-source-search: found %d CACHED results matching %S"
716 ;; ignore invalid slots
726 "auth-source-search: found %d backends matching %S"
729 ;; (debug spec "filtered" filtered-backends)
730 ;; First go through all the backends without :create, so we can
731 ;; query them all.
733 spec
734 ;; to exit early
735 max
736 ;; create is always nil here
737 nil delete
738 require))
741 "auth-source-search: found %d results (max %d) matching %S"
744 ;; If we didn't find anything, then we allow the backend(s) to
745 ;; create the entries.
749 spec
750 ;; to exit early
751 max
752 create delete
753 require))
755 "auth-source-search: CREATED %d results (max %d) matching %S"
758 ;; note we remember the lack of result too, if it's applicable
762 found))
770 :backend backend
772 ;; note we're overriding whatever the spec
773 ;; has for :require, :create, and :delete
774 :require require
775 :create create
776 :delete delete
777 spec)))
780 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
784 spec)
786 matches))
788 ;; (auth-source-search :max 1)
789 ;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
790 ;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
791 ;; (auth-source-search :host "nonesuch" :type 'secrets)
794 &key delete
796 "Delete entries from the authentication backends according to SPEC.
797 Calls `auth-source-search' with the :delete property in SPEC set to t.
798 The backend may not actually delete the entries.
800 Returns the deleted entries."
804 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
808 ;; (debug :collection collection :value value)
817 "Forget all cached auth-source data."
820 ;; when the symbol name starts with auth-source-magic
823 ;; remove that key
828 "Format SPEC entry to put it in the password cache."
832 "Remember FOUND search results for SPEC."
838 "Recall FOUND search results for SPEC."
842 "Check if SPEC is remembered."
847 "Forget any cached data matching SPEC exactly.
849 This is the same SPEC you passed to `auth-source-search'.
850 Returns t or nil for forgotten or not found."
853 ;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
855 ;; (auth-source-remember '(:host "wedd") '(4 5 6))
856 ;; (auth-source-remembered-p '(:host "wedd"))
857 ;; (auth-source-remember '(:host "xedd") '(1 2 3))
858 ;; (auth-source-remembered-p '(:host "xedd"))
859 ;; (auth-source-remembered-p '(:host "zedd"))
860 ;; (auth-source-recall '(:host "xedd"))
861 ;; (auth-source-recall '(:host t))
862 ;; (auth-source-forget+ :host t)
865 "Forget any cached data matching SPEC. Returns forgotten count.
867 This is not a full `auth-source-search' spec but works similarly.
869 cached data that was found with a search for those two hosts,
870 while \(:host t) would find all host entries."
872 sname)
874 ;; when the symbol name matches with auth-source-magic
877 sname)
878 ;; and the spec matches what was stored in the cache
880 ;; remove that key
884 count))
896 ;; (auth-source-pick-first-password :host "z.lifelogs.com")
897 ;; (auth-source-pick-first-password :port "imap")
899 "Pick the first secret found from applying SPEC to `auth-source-search'."
905 secret)))
907 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
909 "Format PROMPT using %x (for any character x) specifiers in ALIST."
916 prompt nil t)))))
917 prompt)
925 value))
926 values))
928 ;;; Backend specific parsing: netrc/authinfo backend
945 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
947 spec
948 &key file max host user port delete require
950 "Parse FILE and return a list of all entries in the file.
951 Note that the MAX parameter is used so we can exit the parse early."
953 ;; We got already parsed contents; just return it.
954 file
966 host
970 t))
972 user
977 t))
979 port
983 t))
985 ;; the required list of keys is nil, or
987 ;; every element of require is in n(ormalized)
992 result)
999 "auth-source-netrc-parse: using CACHED file data for %s"
1000 file)
1003 ;; cache all netrc files (used to be just .gpg files)
1004 ;; Store the contents of the file heavily encrypted in memory.
1005 ;; (note for the irony-impaired: they are just obfuscated)
1007 auth-source-netrc-cache file
1013 alist)
1019 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1020 ;; this buffer lets epa-file skip the key selection query
1021 ;; (see the `local-variable-p' check in
1022 ;; `epa-file-write-region').
1028 ;; ask AFTER we've successfully opened the file
1030 file modified))
1033 "auth-source-netrc-parse: modified %d lines in %s"
1034 modified file)))
1039 "Advance to the next interesting position in the current buffer."
1040 ;; If we're looking at a comment or are at the end of the line, move forward
1048 "Read one thing from the current buffer."
1058 ;; with thanks to org-mode
1062 ;; works also in narrowed buffer, because we start at 1, not point-min
1066 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1069 alist
1073 all))
1074 item item2 all alist default)
1077 ;; We're starting a new machine. Save the old one.
1084 alist nil))
1085 ;; In default entries, we don't have a next token.
1086 ;; We store them as ("machine" . t)
1089 ;; Not a default entry. Grab the next item.
1091 ;; Did we get a "machine" value?
1095 "%s: Unexpected 'machine' token at line %d"
1096 "auth-source-netrc-parse-entries"
1101 ;; Clean up: if there's an entry left over, use it.
1113 passphrase)
1114 ;; return the saved passphrase, calling a function if needed
1125 t))
1128 passphrase))))
1130 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1132 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1133 FILE is the file from which we obtained this token."
1137 plain)
1139 context
1141 file))
1144 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1148 cipher)
1151 context
1153 file))
1169 ;; apply key aliases
1176 ;; send back the secret in a function (lexical binding)
1181 ;; it's a GPG token: create a token decoder
1182 ;; which unsets itself once
1187 val
1188 filename)
1193 lexv))))
1196 v))))
1197 ret))
1198 alist))
1200 ;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1201 ;; (funcall secret)
1204 spec
1205 &key backend require create delete
1206 type max host user port
1208 "Given a property list SPEC, return search matches from the :backend.
1209 See `auth-source-search' for details on SPEC."
1210 ;; just in case, check that the type is correct (null or same as the backend)
1216 :max max
1217 :require require
1218 :delete delete
1225 ;; if we need to create an entry AND none were found to match
1229 ;; create based on the spec and record the value
1231 ;; if the user did not want to create the entry
1232 ;; in the file, it will be returned
1234 ;; if not, we do the search again without :create
1235 ;; to get the updated data.
1237 ;; the result will be returned, even if the search fails
1240 results))
1245 v))
1247 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1248 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1251 &key backend
1252 secret host user port create
1255 ;; we know (because of an assertion in auth-source-search) that the
1256 ;; :create parameter is either t or a list (which includes nil)
1259 :host host
1264 ;; `valist' is an alist
1265 valist
1266 ;; `artificial' will be returned if no creation is needed
1267 artificial)
1269 ;; only for base required elements (defined as function parameters):
1270 ;; fill in the valist with whatever data we may have from the search
1271 ;; we complete the first value if it's a list and use the value otherwise
1275 ;; all-accepting choice (predicate is t)
1277 ;; just the value otherwise
1282 ;; for extra required elements, see if the spec includes a value for them
1291 ;; for each required element
1294 ;; take the first element if the data is a list
1298 ;; this is the default to be offered
1300 auth-source-creation-defaults r))
1301 ;; the default supplementals are simple:
1302 ;; for the user, try `given-default' and then (user-login-name);
1303 ;; otherwise take `given-default'
1335 prompt
1340 ;; Store the data, prompting for the password if needed.
1343 ;; Special case prompt for passwords.
1344 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1345 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1353 auth-source-netrc-use-gpg-tokens))
1354 item ret)
1363 ;; ask if we don't know what to do (in which case
1364 ;; auth-source-netrc-use-gpg-tokens must be a list)
1367 ;; TODO: save the defcustom now? or ask?
1370 auth-source-netrc-use-gpg-tokens)))
1373 plain))
1379 nil nil default)
1388 data))))
1390 ;; When r is not an empty string...
1393 ;; this function is not strictly necessary but I think it
1394 ;; makes the code clearer -tzz
1396 ;; append the key (the symbol name of r)
1397 ;; and the value in r
1399 ;; prepend a space
1401 ;; remap auth-source tokens to netrc
1410 data)))))
1414 artificial
1415 :save-function
1422 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1424 "Save a line ADD in FILE, prompting along the way.
1425 Respects `auth-source-save-behavior'. Uses
1426 `auth-source-netrc-cache' to avoid prompting more than once."
1432 "auth-source-netrc-saver: found previous run for key %s, returning"
1433 key)
1438 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1439 ;; this buffer lets epa-file skip the key selection query
1440 ;; (see the `local-variable-p' check in
1441 ;; `epa-file-write-region').
1446 ;; we want the new data to be found first, so insert at beginning
1449 ;; Ask AFTER we've successfully opened the file.
1453 k)
1466 ;; Why? Doesn't with-output-to-temp-buffer already do
1467 ;; the exact same thing anyway? --Stef
1471 done t))
1472 (?N
1474 done t)
1482 ;; Make sure the info is not saved.
1492 ;; Make the .authinfo file non-world-readable.
1495 "auth-source-netrc-create: wrote 1 new line to %s"
1496 file)
1498 nil))))
1501 ;;; Backend specific parsing: Secrets API backend
1503 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1504 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1505 ;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1506 ;; (let ((auth-sources '(default))) (auth-source-search))
1507 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1508 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1511 spec
1512 &key backend create delete label
1513 type max host user port
1515 "Search the Secrets API; spec is like `auth-source'.
1517 The :label key specifies the item's label. It is the only key
1518 that can specify a substring. Any :label value besides a string
1519 will allow any label.
1521 All other search keys must match exactly. If you need substring
1522 matching, do a wider search and narrow it down yourself.
1524 You'll get back all the properties of the token as a plist.
1526 Here's an example that looks for the first item in the 'Login'
1527 Secrets collection:
1530 (auth-source-search :max 1)
1532 Here's another that looks for the first item in the 'Login'
1533 Secrets collection whose label contains 'gnus':
1538 And this one looks for the first item in the 'Login' Secrets
1539 collection that's a Google Chrome entry for the git.gnus.org site
1540 authentication tokens:
1544 "
1546 ;; TODO
1549 ;; TODO
1550 ;; (secrets-delete-item coll elt)
1560 ;; build a search spec without the ignored keys
1561 ;; if a search key is nil or t (match anything), we skip it
1566 nil
1568 search-keys)))
1569 ;; needed keys (always including host, login, port, and secret)
1572 search-keys)))
1576 collect item))
1577 ;; TODO: respect max in `secrets-search-items', not after the fact
1579 ;; convert the item name to a full plist
1582 ;; make an entry for the secret (password) element
1584 :secret
1587 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1592 items))
1593 ;; ensure each item has each key in `returned-keys'
1599 nil
1601 returned-keys))
1602 plist))
1603 items)))
1604 items))
1607 spec
1608 &key backend type max host user port
1610 ;; TODO
1611 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1614 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1616 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :create t))
1617 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :delete t))
1618 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
1619 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search))
1621 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :create t))
1622 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :delete t))
1623 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
1624 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search))
1626 ;; (let ((auth-sources '("macos-keychain-internet:/Users/tzz/Library/Keychains/login.keychain"))) (auth-source-search :max 1))
1627 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1 :host "git.gnus.org"))
1630 spec
1631 &key backend create delete label
1632 type max host user port
1634 "Search the MacOS Keychain; spec is like `auth-source'.
1636 All search keys must match exactly. If you need substring
1637 matching, do a wider search and narrow it down yourself.
1639 You'll get back all the properties of the token as a plist.
1641 The :type key is either 'macos-keychain-internet or
1642 'macos-keychain-generic.
1644 For the internet keychain type, the :label key searches the
1648 (note PROT has to be a 4-character string).
1650 For the generic keychain type, the :label key searches the item's
1655 Here's an example that looks for the first item in the default
1656 generic MacOS Keychain:
1658 \(let ((auth-sources '(macos-keychain-generic)))
1659 (auth-source-search :max 1)
1661 Here's another that looks for the first item in the internet
1662 MacOS Keychain collection whose label is 'gnus':
1664 \(let ((auth-sources '(macos-keychain-internet)))
1667 And this one looks for the first item in the internet keychain
1668 entries for git.gnus.org:
1672 "
1673 ;; TODO
1676 ;; TODO
1677 ;; (macos-keychain-delete-item coll elt)
1687 ;; build a search spec without the ignored keys
1688 ;; if a search key is nil or t (match anything), we skip it
1693 nil
1695 search-keys)))
1696 ;; needed keys (always including host, login, port, and secret)
1699 search-keys)))
1701 coll
1702 type
1703 max
1704 search-spec))
1706 ;; ensure each item has each key in `returned-keys'
1712 nil
1714 returned-keys))
1715 plist))
1716 items)))
1717 items))
1720 &rest spec
1721 &key label type
1722 host user port
1727 "find-generic-password"
1743 port)))))
1755 ret
1756 keychain-generic
1757 "secret"
1760 ;; TODO: check if this is really the label
1761 ;; match 0x00000007 <blob>="AppleID"
1764 ret
1765 keychain-generic
1766 "label"
1768 ;; match "crtr"<uint32>="aapl"
1769 ;; match "svce"<blob>="AppleID"
1772 ret
1773 keychain-generic
1777 ;; return `ret' iff it has the :secret key
1784 ;; for generic keychains, creator is host, service is port
1787 ;; for internet keychains, protocol is port, server is host
1795 spec
1796 &key backend type max host user port
1798 ;; TODO
1801 ;;; Backend specific parsing: PLSTORE backend
1804 spec
1805 &key backend create delete label
1806 type max host user port
1808 "Search the PLSTORE; spec is like `auth-source'."
1815 ;; build a search spec without the ignored keys
1816 ;; if a search key is nil or t (match anything), we skip it
1822 nil
1826 search-keys)))
1827 ;; needed keys (always including host, login, port, and secret)
1830 search-keys)))
1834 ;; convert the item to a full plist
1843 plist))
1844 items))
1845 ;; ensure each item has each key in `returned-keys'
1851 nil
1853 returned-keys))
1854 plist))
1855 items)))
1857 ;; if we need to create an entry AND none were found to match
1861 ;; create based on the spec and record the value
1863 ;; if the user did not want to create the entry
1864 ;; in the file, it will be returned
1866 ;; if not, we do the search again without :create
1867 ;; to get the updated data.
1869 ;; the result will be returned, even if the search fails
1873 item-names)
1877 items))
1880 &key backend
1881 secret host user port create
1885 ;; we know (because of an assertion in auth-source-search) that the
1886 ;; :create parameter is either t or a list (which includes nil)
1889 :host host
1894 ;; `valist' is an alist
1895 valist
1896 ;; `artificial' will be returned if no creation is needed
1897 artificial
1898 secret-artificial)
1900 ;; only for base required elements (defined as function parameters):
1901 ;; fill in the valist with whatever data we may have from the search
1902 ;; we complete the first value if it's a list and use the value otherwise
1906 ;; all-accepting choice (predicate is t)
1908 ;; just the value otherwise
1913 ;; for extra required elements, see if the spec includes a value for them
1922 ;; for each required element
1925 ;; take the first element if the data is a list
1929 ;; this is the default to be offered
1931 auth-source-creation-defaults r))
1932 ;; the default supplementals are simple:
1933 ;; for the user, try `given-default' and then (user-login-name);
1934 ;; otherwise take `given-default'
1966 prompt
1971 ;; Store the data, prompting for the password if needed.
1981 nil nil default)
1989 data))
1992 data))))))
1998 artificial secret-artificial)
2003 ;;; older API
2005 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2007 ;; deprecate the old interface
2015 "Find MODE (string or list of strings) matching HOST and PORT.
2017 DEPRECATED in favor of `auth-source-search'!
2020 across the Secret Service API (see secrets.el) if the resulting
2021 items don't have a username. This means that if you search for
2025 A non nil DELETE-EXISTING means deleting any matching password
2026 entry in the respective sources. This is useful only when
2027 CREATE-MISSING is non nil as well; the intended use case is to
2028 remove wrong password entries.
2030 If no matching entry is found, and CREATE-MISSING is non nil,
2031 the password will be retrieved interactively, and it will be
2032 stored in the password database which matches best (see
2033 `auth-sources').
2037 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2038 mode host port username)
2049 search))
2052 search))
2053 ;; (found (if (not delete-existing)
2054 ;; (gethash cname auth-source-cache)
2055 ;; (remhash cname auth-source-cache)
2056 ;; nil)))
2061 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2062 mode
2063 ;; don't show the password
2065 "SECRET"
2066 found)
2067 host port username)
2069 ;; else, if not found, search with a max of 1
2084 found))
2090 :host host
2096 :host host
2108 ;;; auth-source.el ends here