| blob | 52765ce6b314d466e94d145db443b512b57e2e30 |
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008-2016 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
32 ;; TODO:
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
40 ;;; Code:
77 "Authentication sources."
81 ;;;###autoload
83 "How many seconds passwords are cached, or nil to disable
84 expiring. Overrides `password-cache-expiry' through a
85 let-binding."
94 ;; The slots below correspond with the `auth-source-search' spec,
95 ;; so a backend with :host set, for instance, would match only
96 ;; searches for that host. Normally they are nil.
100 :type symbol
101 :custom symbol
104 :type string
105 :custom string
108 :initform t
109 :type t
110 :custom string
113 :initform t
114 :type t
115 :custom string
118 :initform t
119 :type t
120 :custom string
123 :initform nil
126 :initform ignore
127 :type function
128 :custom function
131 :initform ignore
132 :type function
133 :custom function
141 "List of authentication protocols and their names"
151 ;; Generate all the protocols in a format Customize can use.
152 ;; TODO: generate on the fly from auth-source-protocols
158 p)))
159 auth-source-protocols))
162 ;; FIXME: AFAICT this is not set (or let-bound) anywhere!
171 "If set, auth-source will respect it for save behavior."
180 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") never) (t gpg)))
181 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
184 "Set this to tell auth-source when to create GPG password
185 tokens in netrc files. It's either an alist or `never'.
186 Note that if EPA/EPG is not available, this should NOT be used."
208 "Whether auth-source should cache information with `password-cache'."
214 "Whether auth-source should log debug messages.
216 If the value is nil, debug messages are not logged.
218 If the value is t, debug messages are logged with `message'. In
219 that case, your authentication data will be in the clear (except
220 for passwords).
222 If the value is a function, debug messages are logged by calling
223 that function using the same arguments as `message'."
230 trivia)
235 "List of authentication sources.
236 Each entry is the authentication type with optional properties.
237 Entries are tried in the order in which they appear.
238 See Info node `(auth)Help for users' for details.
241 EPA/EPG set up, the file will be encrypted and decrypted
242 automatically. See Info node `(epa)Encrypting/decrypting gpg files'
243 for details.
246 can get pretty complex."
257 macos-keychain-internet)
260 macos-keychain-generic)
314 "List of recipient keys that `authinfo.gpg' encrypted to.
315 If the value is not a list, symmetric encryption will be used."
322 ;; temp for debugging
323 ;; (unintern 'auth-source-protocols)
324 ;; (unintern 'auth-sources)
325 ;; (customize-variable 'auth-sources)
326 ;; (setq auth-sources nil)
327 ;; (format "%S" auth-sources)
328 ;; (customize-variable 'auth-source-protocols)
329 ;; (setq auth-source-protocols nil)
330 ;; (format "%S" auth-source-protocols)
331 ;; (auth-source-pick nil :host "a" :port 'imap)
332 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
333 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
334 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
335 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
336 ;; (auth-source-protocol-defaults 'imap)
338 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
339 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
340 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
352 ;; set logger to either the function in auth-source-debug or 'message
353 ;; note that it will be 'message if auth-source-debug is nil
355 auth-source-debug
357 msg))
360 ;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
362 "Read one of CHOICES by `read-char-choice', or `read-char'.
363 `dropdown-list' support is disabled because it doesn't work reliably.
364 Only one of CHOICES will be returned. The PROMPT is augmented
372 k)
380 k)))
382 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
383 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
384 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
385 ;; (:source (:secrets "session") :host t :port t :user "joe")
386 ;; (:source (:secrets "Login") :host t :port t)
387 ;; (:source "~/.authinfo.gpg" :host t :port t)))
389 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
390 ;; (:source (:secrets "session") :host t :port t :user "joe")
391 ;; (:source (:secrets "Login") :host t :port t)
392 ;; ))
394 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
396 ;; (auth-source-backend-parse "myfile.gpg")
397 ;; (auth-source-backend-parse 'default)
398 ;; (auth-source-backend-parse "secrets:Login")
399 ;; (auth-source-backend-parse 'macos-keychain-internet)
400 ;; (auth-source-backend-parse 'macos-keychain-generic)
401 ;; (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
402 ;; (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
405 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
407 entry
409 ;; take 'default and recurse to get it as a Secrets API default collection
410 ;; matching any user, host, and protocol
413 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
414 ;; matching any user, host, and protocol
418 ;; take 'macos-keychain-internet and recurse to get it as a Mac OS
419 ;; Keychain collection matching any user, host, and protocol
422 ;; take 'macos-keychain-generic and recurse to get it as a Mac OS
423 ;; Keychain collection matching any user, host, and protocol
426 ;; take macos-keychain-internet:XYZ and recurse to get it as MacOS
427 ;; Keychain "XYZ" matching any user, host, and protocol
429 entry))
432 ;; take macos-keychain-generic:XYZ and recurse to get it as MacOS
433 ;; Keychain "XYZ" matching any user, host, and protocol
435 entry))
439 ;; take just a file name and recurse to get it as a netrc file
440 ;; matching any user, host, and protocol
444 ;; a file name with parameters
461 ;; the MacOS Keychain
472 'macos-keychain-generic
475 :macos-keychain-generic
483 :source source
484 :type keychain-type
488 ;; the Secrets API. We require the package, in order to have a
489 ;; defined value for `secrets-enabled'.
496 ;; the source is either the :secrets key in ENTRY or
497 ;; if that's missing or nil, it's "session"
501 ;; if the source is a symbol, we look for the alias named so,
502 ;; and if that alias is missing, we use "Login"
510 :source source
521 ;; none of them
530 "Fills in the extra auth-source-backend parameters of ENTRY.
531 Using the plist ENTRY, get the :host, :port, and :user search
532 parameters."
534 nil
535 entry))
536 val)
543 backend)
545 ;; (mapcar 'auth-source-backend-parse auth-sources)
548 &key max
549 require create delete
551 "Search or modify authentication backends according to SPEC.
553 This function parses `auth-sources' for matches of the SPEC
554 plist. It can optionally create or update an authentication
555 token if requested. A token is just a standard Emacs property
556 list with a :secret property that can be a function; all the
557 other properties will always hold scalar values.
559 Typically the :secret property, if present, contains a password.
561 Common search keys are :max, :host, :port, and :user. In
562 addition, :create specifies if and how tokens will be created.
563 Finally, :type can specify which backend types you want to check.
565 A string value is always matched literally. A symbol is matched
566 as its string value, literally. All the SPEC values can be
567 single values (symbol or string) or lists thereof (in which case
568 any of the search terms matches).
570 :create t means to create a token if possible.
572 A new token will be created if no matching tokens were found.
573 The new token will have only the keys the backend requires. For
574 the netrc backend, for instance, that's the user, host, and
575 port keys.
577 Here's an example:
583 :create t))
585 which says:
588 `netrc', maximum one result.
590 Create a new entry if you found none. The netrc backend will
591 automatically require host, user, and port. The host will be
592 `mine'. We prompt for the user with default `defaultUser' and
593 for the port without a default. We will not prompt for A, Q,
594 or P. The resulting token will only have keys user, host, and
599 The behavior is like :create t but if the list contains any
600 parameter, that parameter will be required in the resulting
601 token. The value for that parameter will be obtained from the
602 search parameters or from user input. If any queries are needed,
603 the alist `auth-source-creation-defaults' will be checked for the
604 default value. If the user, host, or port are missing, the alist
605 `auth-source-creation-prompts' will be used to look up the
606 prompts IN THAT ORDER (so the `user' prompt will be queried first,
607 then `host', then `port', and finally `secret'). Each prompt string
608 can use %u, %h, and %p to show the user, host, and port.
610 Here's an example:
614 (auth-source-creation-prompts
620 which says:
623 or `twosuch' in backends of type `netrc', maximum one result.
625 Create a new entry if you found none. The netrc backend will
626 automatically require host, user, and port. The host will be
627 `nonesuch' and Q will be `qqqq'. We prompt for the password
628 with the shown prompt. We will not prompt for Q. The resulting
629 token will have keys user, host, port, A, B, and Q. It will not
630 have P with any value, even though P is used in the search to
633 When multiple values are specified in the search parameter, the
634 user is prompted for which one. So :host (X Y Z) would ask the
635 user to choose between X, Y, and Z.
637 This creation can fail if the search was not specific enough to
638 create a new token (it's up to the backend to decide that). You
639 should `catch' the backend-specific error as usual. Some
640 backends (netrc, at least) will prompt the user rather than throw
641 an error.
643 :require (A B C) means that only results that contain those
644 tokens will be returned. Thus for instance requiring :secret
645 will ensure that any results will actually have a :secret
646 property.
648 :delete t means to delete any found entries. nil by default.
649 Use `auth-source-delete' in ELisp code instead of calling
650 `auth-source-search' directly with this parameter.
652 :type (X Y Z) will check only those backend types. `netrc' and
653 `secrets' are the only ones supported right now.
655 :max N means to try to return at most N items (defaults to 1).
656 More than N items may be returned, depending on the search and
657 the backend.
659 When :max is 0 the function will return just t or nil to indicate
660 if any matches were found.
662 :host (X Y Z) means to match only hosts X, Y, or Z according to
663 the match rules above. Defaults to t.
665 :user (X Y Z) means to match only users X, Y, or Z according to
666 the match rules above. Defaults to t.
668 :port (P Q R) means to match only protocols P, Q, or R.
669 Defaults to t.
671 :K (V1 V2 V3) for any other key K will match values V1, V2, or
672 V3 (note the match rules above).
674 The return value is a list with at most :max tokens. Each token
675 is a plist with keys :backend :host :port :user, plus any other
676 keys provided by the backend (notably :secret). But note the
677 exception for :max 0, which see above.
679 The token can hold a :save-function key. If you call that, the
680 user will be prompted to save the data to the backend. You can't
681 request that this should happen right after creation, because
682 `auth-source-search' has no way of knowing if the token is
683 actually useful. So the caller must arrange to call this function.
685 The token's :secret key can hold a function. In that case you
686 must call it to obtain the actual value."
694 ;; note that we may have cached results but found is still nil
695 ;; (there were no results from the search)
697 filtered-backends)
701 "auth-source-search: found %d CACHED results matching %S"
715 ;; ignore invalid slots
725 "auth-source-search: found %d backends matching %S"
728 ;; (debug spec "filtered" filtered-backends)
729 ;; First go through all the backends without :create, so we can
730 ;; query them all.
732 spec
733 ;; to exit early
734 max
735 ;; create is always nil here
736 nil delete
737 require))
740 "auth-source-search: found %d results (max %d) matching %S"
743 ;; If we didn't find anything, then we allow the backend(s) to
744 ;; create the entries.
748 spec
749 ;; to exit early
750 max
751 create delete
752 require))
754 "auth-source-search: CREATED %d results (max %d) matching %S"
757 ;; note we remember the lack of result too, if it's applicable
763 found)))
767 matches)
772 :backend backend
774 ;; note we're overriding whatever the spec
775 ;; has for :max, :require, :create, and :delete
776 :max max
777 :require require
778 :create create
779 :delete delete
780 spec)))
783 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
787 spec)
789 matches))
791 ;; (auth-source-search :max 0)
792 ;; (auth-source-search :max 1)
793 ;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
794 ;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
795 ;; (auth-source-search :host "nonesuch" :type 'secrets)
798 "Delete entries from the authentication backends according to SPEC.
799 Calls `auth-source-search' with the :delete property in SPEC set to t.
800 The backend may not actually delete the entries.
802 Returns the deleted entries."
806 "Returns t is VALUE is t or COLLECTION is t or COLLECTION contains VALUE."
810 ;; (debug :collection collection :value value)
819 "Forget all cached auth-source data."
822 ;; when the symbol name starts with auth-source-magic
825 ;; remove that key
830 "Format SPEC entry to put it in the password cache."
834 "Remember FOUND search results for SPEC."
840 "Recall FOUND search results for SPEC."
844 "Check if SPEC is remembered."
849 "Forget any cached data matching SPEC exactly.
851 This is the same SPEC you passed to `auth-source-search'.
852 Returns t or nil for forgotten or not found."
855 ;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
857 ;; (auth-source-remember '(:host "wedd") '(4 5 6))
858 ;; (auth-source-remembered-p '(:host "wedd"))
859 ;; (auth-source-remember '(:host "xedd") '(1 2 3))
860 ;; (auth-source-remembered-p '(:host "xedd"))
861 ;; (auth-source-remembered-p '(:host "zedd"))
862 ;; (auth-source-recall '(:host "xedd"))
863 ;; (auth-source-recall '(:host t))
864 ;; (auth-source-forget+ :host t)
867 "Forget any cached data matching SPEC. Returns forgotten count.
869 This is not a full `auth-source-search' spec but works similarly.
871 cached data that was found with a search for those two hosts,
872 while \(:host t) would find all host entries."
874 sname)
876 ;; when the symbol name matches with auth-source-magic
879 sname)
880 ;; and the spec matches what was stored in the cache
882 ;; remove that key
886 count))
898 ;; (auth-source-pick-first-password :host "z.lifelogs.com")
899 ;; (auth-source-pick-first-password :port "imap")
901 "Pick the first secret found from applying SPEC to `auth-source-search'."
907 secret)))
909 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
911 "Format PROMPT using %x (for any character x) specifiers in ALIST."
918 prompt nil t)))))
919 prompt)
923 values
929 value))
930 values)))
932 ;;; Backend specific parsing: netrc/authinfo backend
949 ;; (auth-source-netrc-parse :file "~/.authinfo.gpg")
952 "Parse FILE and return a list of all entries in the file.
953 Note that the MAX parameter is used so we can exit the parse early."
955 ;; We got already parsed contents; just return it.
956 file
968 host
972 t))
974 user
979 t))
981 port
985 t))
987 ;; the required list of keys is nil, or
989 ;; every element of require is in n(ormalized)
994 result)
1001 "auth-source-netrc-parse: using CACHED file data for %s"
1002 file)
1005 ;; cache all netrc files (used to be just .gpg files)
1006 ;; Store the contents of the file heavily encrypted in memory.
1007 ;; (note for the irony-impaired: they are just obfuscated)
1009 auth-source-netrc-cache file
1015 alist)
1021 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1022 ;; this buffer lets epa-file skip the key selection query
1023 ;; (see the `local-variable-p' check in
1024 ;; `epa-file-write-region').
1030 ;; ask AFTER we've successfully opened the file
1032 file modified))
1035 "auth-source-netrc-parse: modified %d lines in %s"
1036 modified file)))
1041 "Advance to the next interesting position in the current buffer."
1042 ;; If we're looking at a comment or are at the end of the line, move forward
1050 "Read one thing from the current buffer."
1060 ;; with thanks to org-mode
1064 ;; works also in narrowed buffer, because we start at 1, not point-min
1068 "Parse up to MAX netrc entries, passed by CHECK, from the current buffer."
1071 alist
1075 all))
1076 item item2 all alist default)
1079 ;; We're starting a new machine. Save the old one.
1083 ;; (auth-source-do-trivia
1084 ;; "auth-source-netrc-parse-entries: got entry %S" alist)
1086 alist nil))
1087 ;; In default entries, we don't have a next token.
1088 ;; We store them as ("machine" . t)
1091 ;; Not a default entry. Grab the next item.
1093 ;; Did we get a "machine" value?
1097 "%s: Unexpected `machine' token at line %d"
1098 "auth-source-netrc-parse-entries"
1103 ;; Clean up: if there's an entry left over, use it.
1106 ;; (auth-source-do-trivia
1107 ;; "auth-source-netrc-parse-entries: got2 entry %S" alist)
1108 )
1116 passphrase)
1117 ;; return the saved passphrase, calling a function if needed
1128 t))
1131 passphrase))))
1133 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1135 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1136 FILE is the file from which we obtained this token."
1141 context
1143 file))
1148 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1152 cipher)
1155 context
1157 file))
1176 ;; apply key aliases
1183 ;; send back the secret in a function (lexical binding)
1188 ;; it's a GPG token: create a token decoder
1189 ;; which unsets itself once
1194 val
1195 filename)
1200 lexv))))
1203 v))))
1204 ret))
1205 alist))
1207 ;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1208 ;; (funcall secret)
1211 spec
1212 &key backend require create
1213 type max host user port
1215 "Given a property list SPEC, return search matches from the :backend.
1216 See `auth-source-search' for details on SPEC."
1217 ;; just in case, check that the type is correct (null or same as the backend)
1223 :max max
1224 :require require
1231 ;; if we need to create an entry AND none were found to match
1235 ;; create based on the spec and record the value
1237 ;; if the user did not want to create the entry
1238 ;; in the file, it will be returned
1240 ;; if not, we do the search again without :create
1241 ;; to get the updated data.
1243 ;; the result will be returned, even if the search fails
1246 results))
1251 v))
1253 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1254 ;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1257 &key backend
1258 host port create
1261 ;; we know (because of an assertion in auth-source-search) that the
1262 ;; :create parameter is either t or a list (which includes nil)
1265 :host host
1270 ;; `valist' is an alist
1271 valist
1272 ;; `artificial' will be returned if no creation is needed
1273 artificial)
1275 ;; only for base required elements (defined as function parameters):
1276 ;; fill in the valist with whatever data we may have from the search
1277 ;; we complete the first value if it's a list and use the value otherwise
1282 ;; all-accepting choice (predicate is t)
1284 ;; just the value otherwise
1289 ;; for extra required elements, see if the spec includes a value for them
1297 ;; for each required element
1300 ;; take the first element if the data is a list
1304 ;; this is the default to be offered
1306 auth-source-creation-defaults r))
1307 ;; the default supplementals are simple:
1308 ;; for the user, try `given-default' and then (user-login-name);
1309 ;; otherwise take `given-default'
1341 prompt
1346 ;; Store the data, prompting for the password if needed.
1349 ;; Special case prompt for passwords.
1350 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car epa-file-auto-mode-alist-entry) "\\.gpg\\'") nil) (t gpg)))
1351 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1359 auth-source-netrc-use-gpg-tokens))
1360 item ret)
1367 ;; FIXME: `ret' unused.
1368 ;; Should we return it here?
1369 ))
1372 ;; ask if we don't know what to do (in which case
1373 ;; auth-source-netrc-use-gpg-tokens must be a list)
1376 ;; TODO: save the defcustom now? or ask?
1379 auth-source-netrc-use-gpg-tokens)))
1382 plain))
1388 nil nil default)
1397 data))))
1399 ;; When r is not an empty string...
1402 ;; this function is not strictly necessary but I think it
1403 ;; makes the code clearer -tzz
1405 ;; append the key (the symbol name of r)
1406 ;; and the value in r
1408 ;; prepend a space
1410 ;; remap auth-source tokens to netrc
1419 data)))))
1423 artificial
1424 :save-function
1431 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1433 "Save a line ADD in FILE, prompting along the way.
1434 Respects `auth-source-save-behavior'. Uses
1435 `auth-source-netrc-cache' to avoid prompting more than once."
1441 "auth-source-netrc-saver: found previous run for key %s, returning"
1442 key)
1447 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1448 ;; this buffer lets epa-file skip the key selection query
1449 ;; (see the `local-variable-p' check in
1450 ;; `epa-file-write-region').
1455 ;; we want the new data to be found first, so insert at beginning
1458 ;; Ask AFTER we've successfully opened the file.
1462 k)
1475 ;; Why? Doesn't with-output-to-temp-buffer already do
1476 ;; the exact same thing anyway? --Stef
1480 done t))
1481 (?N
1483 done t)
1491 ;; Make sure the info is not saved.
1501 ;; Make the .authinfo file non-world-readable.
1504 "auth-source-netrc-create: wrote 1 new line to %s"
1505 file)
1507 nil))))
1510 ;;; Backend specific parsing: Secrets API backend
1512 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1513 ;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1514 ;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1515 ;; (let ((auth-sources '(default))) (auth-source-search))
1516 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1517 ;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1520 "Convert a pattern with lists to a list of string patterns.
1525 only string values for patterns, so this routine returns a list
1526 of patterns that is equivalent to the single original pattern
1527 when interpreted such that if a secret matches any pattern in the
1528 list, it matches the original pattern."
1538 for h in heads
1539 nconc
1541 for tl in tails
1545 spec
1546 &key backend create delete label max
1548 "Search the Secrets API; spec is like `auth-source'.
1550 The :label key specifies the item's label. It is the only key
1551 that can specify a substring. Any :label value besides a string
1552 will allow any label.
1554 All other search keys must match exactly. If you need substring
1555 matching, do a wider search and narrow it down yourself.
1557 You'll get back all the properties of the token as a plist.
1559 Here's an example that looks for the first item in the `Login'
1560 Secrets collection:
1563 (auth-source-search :max 1)
1565 Here's another that looks for the first item in the `Login'
1566 Secrets collection whose label contains `gnus':
1571 And this one looks for the first item in the `Login' Secrets
1572 collection that's a Google Chrome entry for the git.gnus.org site
1573 authentication tokens:
1577 "
1579 ;; TODO
1582 ;; TODO
1583 ;; (secrets-delete-item coll elt)
1593 ;; build a search spec without the ignored keys
1594 ;; if a search key is nil or t (match anything), we skip it
1600 nil
1602 search-keys))))
1603 ;; needed keys (always including host, login, port, and secret)
1606 search-keys)))
1609 nconc
1613 collect item)))
1614 ;; TODO: respect max in `secrets-search-items', not after the fact
1616 ;; convert the item name to a full plist
1619 ;; make an entry for the secret (password) element
1621 :secret
1624 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1629 items))
1630 ;; ensure each item has each key in `returned-keys'
1636 nil
1638 returned-keys))
1639 plist))
1640 items)))
1641 items))
1644 ;; TODO
1645 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1648 ;;; Backend specific parsing: Mac OS Keychain (using /usr/bin/security) backend
1650 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :create t))
1651 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1 :delete t))
1652 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
1653 ;; (let ((auth-sources '(macos-keychain-internet))) (auth-source-search))
1655 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :create t))
1656 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1 :delete t))
1657 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
1658 ;; (let ((auth-sources '(macos-keychain-generic))) (auth-source-search))
1660 ;; (let ((auth-sources '("macos-keychain-internet:/Users/tzz/Library/Keychains/login.keychain"))) (auth-source-search :max 1))
1661 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1 :host "git.gnus.org"))
1662 ;; (let ((auth-sources '("macos-keychain-generic:Login"))) (auth-source-search :max 1))
1665 spec
1666 &key backend create delete
1667 type max
1669 "Search the MacOS Keychain; spec is like `auth-source'.
1671 All search keys must match exactly. If you need substring
1672 matching, do a wider search and narrow it down yourself.
1674 You'll get back all the properties of the token as a plist.
1676 The :type key is either `macos-keychain-internet' or
1677 `macos-keychain-generic'.
1679 For the internet keychain type, the :label key searches the
1683 \(note PROT has to be a 4-character string).
1685 For the generic keychain type, the :label key searches the item's
1690 Here's an example that looks for the first item in the default
1691 generic MacOS Keychain:
1694 (auth-source-search :max 1)
1696 Here's another that looks for the first item in the internet
1697 MacOS Keychain collection whose label is `gnus':
1702 And this one looks for the first item in the internet keychain
1703 entries for git.gnus.org:
1707 "
1708 ;; TODO
1711 ;; TODO
1712 ;; (macos-keychain-delete-item coll elt)
1722 ;; build a search spec without the ignored keys
1723 ;; if a search key is nil or t (match anything), we skip it
1728 nil
1730 search-keys)))
1731 ;; needed keys (always including host, login, port, and secret)
1734 search-keys)))
1736 coll
1737 type
1738 max
1739 search-spec))
1741 ;; ensure each item has each key in `returned-keys'
1747 nil
1749 returned-keys))
1750 plist))
1751 items)))
1752 items))
1755 &key label type
1756 host user port
1761 "find-generic-password"
1777 port)))))
1789 ret
1790 keychain-generic
1791 "secret"
1794 ;; TODO: check if this is really the label
1795 ;; match 0x00000007 <blob>="AppleID"
1798 ret
1799 keychain-generic
1800 "label"
1802 ;; match "crtr"<uint32>="aapl"
1803 ;; match "svce"<blob>="AppleID"
1806 ret
1807 keychain-generic
1811 ;; return `ret' iff it has the :secret key
1819 ;; for generic keychains, creator is host, service is port
1822 ;; for internet keychains, protocol is port, server is host
1826 result))
1829 ;; TODO
1832 ;;; Backend specific parsing: PLSTORE backend
1835 spec
1836 &key backend create delete
1837 max
1839 "Search the PLSTORE; spec is like `auth-source'."
1846 ;; build a search spec without the ignored keys
1847 ;; if a search key is nil or t (match anything), we skip it
1853 nil
1857 search-keys)))
1858 ;; needed keys (always including host, login, port, and secret)
1861 search-keys)))
1865 ;; convert the item to a full plist
1874 plist))
1875 items))
1876 ;; ensure each item has each key in `returned-keys'
1882 nil
1884 returned-keys))
1885 plist))
1886 items)))
1888 ;; if we need to create an entry AND none were found to match
1892 ;; create based on the spec and record the value
1894 ;; if the user did not want to create the entry
1895 ;; in the file, it will be returned
1897 ;; if not, we do the search again without :create
1898 ;; to get the updated data.
1900 ;; the result will be returned, even if the search fails
1904 item-names)
1908 items))
1911 &key backend
1912 host port create
1916 ;; we know (because of an assertion in auth-source-search) that the
1917 ;; :create parameter is either t or a list (which includes nil)
1920 :host host
1923 ;; `valist' is an alist
1924 valist
1925 ;; `artificial' will be returned if no creation is needed
1926 artificial
1927 secret-artificial)
1929 ;; only for base required elements (defined as function parameters):
1930 ;; fill in the valist with whatever data we may have from the search
1931 ;; we complete the first value if it's a list and use the value otherwise
1936 ;; all-accepting choice (predicate is t)
1938 ;; just the value otherwise
1943 ;; for extra required elements, see if the spec includes a value for them
1951 ;; for each required element
1954 ;; take the first element if the data is a list
1958 ;; this is the default to be offered
1960 auth-source-creation-defaults r))
1961 ;; the default supplementals are simple:
1962 ;; for the user, try `given-default' and then (user-login-name);
1963 ;; otherwise take `given-default'
1995 prompt
2000 ;; Store the data, prompting for the password if needed.
2010 nil nil default)
2018 data))
2021 data))))))
2027 artificial secret-artificial)
2032 ;;; older API
2034 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
2036 ;; deprecate the old interface
2044 "Find MODE (string or list of strings) matching HOST and PORT.
2046 DEPRECATED in favor of `auth-source-search'!
2049 across the Secret Service API (see secrets.el) if the resulting
2050 items don't have a username. This means that if you search for
2054 A non nil DELETE-EXISTING means deleting any matching password
2055 entry in the respective sources. This is useful only when
2056 CREATE-MISSING is non nil as well; the intended use case is to
2057 remove wrong password entries.
2059 If no matching entry is found, and CREATE-MISSING is non nil,
2060 the password will be retrieved interactively, and it will be
2061 stored in the password database which matches best (see
2062 `auth-sources').
2066 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
2067 mode host port username)
2071 ;; (cname (if username
2072 ;; (format "%s %s:%s %s" mode host port username)
2073 ;; (format "%s %s:%s" mode host port)))
2078 search))
2081 search))
2082 ;; (found (if (not delete-existing)
2083 ;; (gethash cname auth-source-cache)
2084 ;; (remhash cname auth-source-cache)
2085 ;; nil)))
2090 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
2091 mode
2092 ;; don't show the password
2094 "SECRET"
2095 found)
2096 host port username)
2098 ;; else, if not found, search with a max of 1
2113 found))
2119 :host host
2125 :host host
2137 ;;; auth-source.el ends here