search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
* calc/calc-misc.el (calc-help): Avoid wrapping help message.
[emacs.git] / lisp / gnus / auth-source.el
blob4269b79a6a7abbbc48f7d73ea5f58d8380277dec
1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
2
3 ;; Copyright (C) 2008-2011 Free Software Foundation, Inc.
4
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
6 ;; Keywords: news
7
8 ;; This file is part of GNU Emacs.
9
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
14
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
19
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
22
23 ;;; Commentary:
24
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
29
30 ;; See the auth.info Info documentation for details.
31
32 ;; TODO:
33
34 ;; - never decode the backend file unless it's necessary
35 ;; - a more generic way to match backends and search backend contents
36 ;; - absorb netrc.el and simplify it
37 ;; - protect passwords better
38 ;; - allow creating and changing netrc lines (not files) e.g. change a password
39
40 ;;; Code:
41
42 (require 'password-cache)
43 (require 'mm-util)
44 (require 'gnus-util)
45 (require 'assoc)
46
47 (eval-when-compile (require 'cl))
48 (require 'eieio)
49
50 (autoload 'secrets-create-item "secrets")
51 (autoload 'secrets-delete-item "secrets")
52 (autoload 'secrets-get-alias "secrets")
53 (autoload 'secrets-get-attributes "secrets")
54 (autoload 'secrets-get-secret "secrets")
55 (autoload 'secrets-list-collections "secrets")
56 (autoload 'secrets-search-items "secrets")
57
58 (autoload 'rfc2104-hash "rfc2104")
59
60 (autoload 'plstore-open "plstore")
61 (autoload 'plstore-find "plstore")
62 (autoload 'plstore-put "plstore")
63 (autoload 'plstore-delete "plstore")
64 (autoload 'plstore-save "plstore")
65 (autoload 'plstore-get-file "plstore")
66
67 (autoload 'epg-make-context "epg")
68 (autoload 'epg-context-set-passphrase-callback "epg")
69 (autoload 'epg-decrypt-string "epg")
70 (autoload 'epg-context-set-armor "epg")
71 (autoload 'epg-encrypt-string "epg")
72
73 (autoload 'help-mode "help-mode" nil t)
74
75 (defvar secrets-enabled)
76
77 (defgroup auth-source nil
78 "Authentication sources."
79 :version "23.1" ;; No Gnus
80 :group 'gnus)
81
82 ;;;###autoload
83 (defcustom auth-source-cache-expiry 7200
84 "How many seconds passwords are cached, or nil to disable
85 expiring. Overrides `password-cache-expiry' through a
86 let-binding."
87 :group 'auth-source
88 :type '(choice (const :tag "Never" nil)
89 (const :tag "All Day" 86400)
90 (const :tag "2 Hours" 7200)
91 (const :tag "30 Minutes" 1800)
92 (integer :tag "Seconds")))
93
94 ;;; The slots below correspond with the `auth-source-search' spec,
95 ;;; so a backend with :host set, for instance, would match only
96 ;;; searches for that host. Normally they are nil.
97 (defclass auth-source-backend ()
98 ((type :initarg :type
99 :initform 'netrc
100 :type symbol
101 :custom symbol
102 :documentation "The backend type.")
103 (source :initarg :source
104 :type string
105 :custom string
106 :documentation "The backend source.")
107 (host :initarg :host
108 :initform t
109 :type t
110 :custom string
111 :documentation "The backend host.")
112 (user :initarg :user
113 :initform t
114 :type t
115 :custom string
116 :documentation "The backend user.")
117 (port :initarg :port
118 :initform t
119 :type t
120 :custom string
121 :documentation "The backend protocol.")
122 (data :initarg :data
123 :initform nil
124 :documentation "Internal backend data.")
125 (create-function :initarg :create-function
126 :initform ignore
127 :type function
128 :custom function
129 :documentation "The create function.")
130 (search-function :initarg :search-function
131 :initform ignore
132 :type function
133 :custom function
134 :documentation "The search function.")))
135
136 (defcustom auth-source-protocols '((imap "imap" "imaps" "143" "993")
137 (pop3 "pop3" "pop" "pop3s" "110" "995")
138 (ssh "ssh" "22")
139 (sftp "sftp" "115")
140 (smtp "smtp" "25"))
141 "List of authentication protocols and their names"
142
143 :group 'auth-source
144 :version "23.2" ;; No Gnus
145 :type '(repeat :tag "Authentication Protocols"
146 (cons :tag "Protocol Entry"
147 (symbol :tag "Protocol")
148 (repeat :tag "Names"
149 (string :tag "Name")))))
150
151 ;;; generate all the protocols in a format Customize can use
152 ;;; TODO: generate on the fly from auth-source-protocols
153 (defconst auth-source-protocols-customize
154 (mapcar (lambda (a)
155 (let ((p (car-safe a)))
156 (list 'const
157 :tag (upcase (symbol-name p))
158 p)))
159 auth-source-protocols))
160
161 (defvar auth-source-creation-defaults nil
162 "Defaults for creating token values. Usually let-bound.")
163
164 (defvar auth-source-creation-prompts nil
165 "Default prompts for token values. Usually let-bound.")
166
167 (make-obsolete 'auth-source-hide-passwords nil "Emacs 24.1")
168
169 (defcustom auth-source-save-behavior 'ask
170 "If set, auth-source will respect it for save behavior."
171 :group 'auth-source
172 :version "23.2" ;; No Gnus
173 :type `(choice
174 :tag "auth-source new token save behavior"
175 (const :tag "Always save" t)
176 (const :tag "Never save" nil)
177 (const :tag "Ask" ask)))
178
179 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
180 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
181
182 (defcustom auth-source-netrc-use-gpg-tokens 'never
183 "Set this to tell auth-source when to create GPG password
184 tokens in netrc files. It's either an alist or `never'.
185 Note that if EPA/EPG is not available, this should NOT be used."
186 :group 'auth-source
187 :version "23.2" ;; No Gnus
188 :type `(choice
189 (const :tag "Always use GPG password tokens" (t gpg))
190 (const :tag "Never use GPG password tokens" never)
191 (repeat :tag "Use a lookup list"
192 (list
193 (choice :tag "Matcher"
194 (const :tag "Match anything" t)
195 (const :tag "The EPA encrypted file extensions"
196 ,(if (boundp 'epa-file-auto-mode-alist-entry)
197 (car (symbol-value
198 'epa-file-auto-mode-alist-entry))
199 "\\.gpg\\'"))
200 (regexp :tag "Regular expression"))
201 (choice :tag "What to do"
202 (const :tag "Save GPG-encrypted password tokens" gpg)
203 (const :tag "Don't encrypt tokens" never))))))
204
205 (defvar auth-source-magic "auth-source-magic ")
206
207 (defcustom auth-source-do-cache t
208 "Whether auth-source should cache information with `password-cache'."
209 :group 'auth-source
210 :version "23.2" ;; No Gnus
211 :type `boolean)
212
213 (defcustom auth-source-debug nil
214 "Whether auth-source should log debug messages.
215
216 If the value is nil, debug messages are not logged.
217
218 If the value is t, debug messages are logged with `message'. In
219 that case, your authentication data will be in the clear (except
220 for passwords).
221
222 If the value is a function, debug messages are logged by calling
223 that function using the same arguments as `message'."
224 :group 'auth-source
225 :version "23.2" ;; No Gnus
226 :type `(choice
227 :tag "auth-source debugging mode"
228 (const :tag "Log using `message' to the *Messages* buffer" t)
229 (const :tag "Log all trivia with `message' to the *Messages* buffer"
230 trivia)
231 (function :tag "Function that takes arguments like `message'")
232 (const :tag "Don't log anything" nil)))
233
234 (defcustom auth-sources '("~/.authinfo" "~/.authinfo.gpg" "~/.netrc")
235 "List of authentication sources.
236
237 The default will get login and password information from
238 \"~/.authinfo.gpg\", which you should set up with the EPA/EPG
239 packages to be encrypted. If that file doesn't exist, it will
240 try the unencrypted version \"~/.authinfo\" and the famous
241 \"~/.netrc\" file.
242
243 See the auth.info manual for details.
244
245 Each entry is the authentication type with optional properties.
246
247 It's best to customize this with `M-x customize-variable' because the choices
248 can get pretty complex."
249 :group 'auth-source
250 :version "24.1" ;; No Gnus
251 :type `(repeat :tag "Authentication Sources"
252 (choice
253 (string :tag "Just a file")
254 (const :tag "Default Secrets API Collection" 'default)
255 (const :tag "Login Secrets API Collection" "secrets:Login")
256 (const :tag "Temp Secrets API Collection" "secrets:session")
257 (list :tag "Source definition"
258 (const :format "" :value :source)
259 (choice :tag "Authentication backend choice"
260 (string :tag "Authentication Source (file)")
261 (list
262 :tag "Secret Service API/KWallet/GNOME Keyring"
263 (const :format "" :value :secrets)
264 (choice :tag "Collection to use"
265 (string :tag "Collection name")
266 (const :tag "Default" 'default)
267 (const :tag "Login" "Login")
268 (const
269 :tag "Temporary" "session"))))
270 (repeat :tag "Extra Parameters" :inline t
271 (choice :tag "Extra parameter"
272 (list
273 :tag "Host"
274 (const :format "" :value :host)
275 (choice :tag "Host (machine) choice"
276 (const :tag "Any" t)
277 (regexp
278 :tag "Regular expression")))
279 (list
280 :tag "Protocol"
281 (const :format "" :value :port)
282 (choice
283 :tag "Protocol"
284 (const :tag "Any" t)
285 ,@auth-source-protocols-customize))
286 (list :tag "User" :inline t
287 (const :format "" :value :user)
288 (choice
289 :tag "Personality/Username"
290 (const :tag "Any" t)
291 (string
292 :tag "Name")))))))))
293
294 (defcustom auth-source-gpg-encrypt-to t
295 "List of recipient keys that `authinfo.gpg' encrypted to.
296 If the value is not a list, symmetric encryption will be used."
297 :group 'auth-source
298 :version "24.1" ;; No Gnus
299 :type '(choice (const :tag "Symmetric encryption" t)
300 (repeat :tag "Recipient public keys"
301 (string :tag "Recipient public key"))))
302
303 ;; temp for debugging
304 ;; (unintern 'auth-source-protocols)
305 ;; (unintern 'auth-sources)
306 ;; (customize-variable 'auth-sources)
307 ;; (setq auth-sources nil)
308 ;; (format "%S" auth-sources)
309 ;; (customize-variable 'auth-source-protocols)
310 ;; (setq auth-source-protocols nil)
311 ;; (format "%S" auth-source-protocols)
312 ;; (auth-source-pick nil :host "a" :port 'imap)
313 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
314 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
315 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
316 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
317 ;; (auth-source-protocol-defaults 'imap)
318
319 ;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
320 ;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
321 ;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
322 (defun auth-source-do-debug (&rest msg)
323 (when auth-source-debug
324 (apply 'auth-source-do-warn msg)))
325
326 (defun auth-source-do-trivia (&rest msg)
327 (when (or (eq auth-source-debug 'trivia)
328 (functionp auth-source-debug))
329 (apply 'auth-source-do-warn msg)))
330
331 (defun auth-source-do-warn (&rest msg)
332 (apply
333 ;; set logger to either the function in auth-source-debug or 'message
334 ;; note that it will be 'message if auth-source-debug is nil
335 (if (functionp auth-source-debug)
336 auth-source-debug
337 'message)
338 msg))
339
340
341 ;;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
342 (defun auth-source-read-char-choice (prompt choices)
343 "Read one of CHOICES by `read-char-choice', or `read-char'.
344 `dropdown-list' support is disabled because it doesn't work reliably.
345 Only one of CHOICES will be returned. The PROMPT is augmented
346 with \"[a/b/c] \" if CHOICES is '\(?a ?b ?c\)."
347 (when choices
348 (let* ((prompt-choices
349 (apply 'concat (loop for c in choices
350 collect (format "%c/" c))))
351 (prompt-choices (concat "[" (substring prompt-choices 0 -1) "] "))
352 (full-prompt (concat prompt prompt-choices))
353 k)
354
355 (while (not (memq k choices))
356 (setq k (cond
357 ((fboundp 'read-char-choice)
358 (read-char-choice full-prompt choices))
359 (t (message "%s" full-prompt)
360 (setq k (read-char))))))
361 k)))
362
363 ;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
364 ;; (auth-source-pick t :host "any" :port 'imap :user "joe")
365 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
366 ;; (:source (:secrets "session") :host t :port t :user "joe")
367 ;; (:source (:secrets "Login") :host t :port t)
368 ;; (:source "~/.authinfo.gpg" :host t :port t)))
369
370 ;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
371 ;; (:source (:secrets "session") :host t :port t :user "joe")
372 ;; (:source (:secrets "Login") :host t :port t)
373 ;; ))
374
375 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
376
377 ;; (auth-source-backend-parse "myfile.gpg")
378 ;; (auth-source-backend-parse 'default)
379 ;; (auth-source-backend-parse "secrets:Login")
380
381 (defun auth-source-backend-parse (entry)
382 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
383 (auth-source-backend-parse-parameters
384 entry
385 (cond
386 ;; take 'default and recurse to get it as a Secrets API default collection
387 ;; matching any user, host, and protocol
388 ((eq entry 'default)
389 (auth-source-backend-parse '(:source (:secrets default))))
390 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
391 ;; matching any user, host, and protocol
392 ((and (stringp entry) (string-match "^secrets:\\(.+\\)" entry))
393 (auth-source-backend-parse `(:source (:secrets ,(match-string 1 entry)))))
394 ;; take just a file name and recurse to get it as a netrc file
395 ;; matching any user, host, and protocol
396 ((stringp entry)
397 (auth-source-backend-parse `(:source ,entry)))
398
399 ;; a file name with parameters
400 ((stringp (plist-get entry :source))
401 (if (equal (file-name-extension (plist-get entry :source)) "plist")
402 (auth-source-backend
403 (plist-get entry :source)
404 :source (plist-get entry :source)
405 :type 'plstore
406 :search-function 'auth-source-plstore-search
407 :create-function 'auth-source-plstore-create
408 :data (plstore-open (plist-get entry :source)))
409 (auth-source-backend
410 (plist-get entry :source)
411 :source (plist-get entry :source)
412 :type 'netrc
413 :search-function 'auth-source-netrc-search
414 :create-function 'auth-source-netrc-create)))
415
416 ;; the Secrets API. We require the package, in order to have a
417 ;; defined value for `secrets-enabled'.
418 ((and
419 (not (null (plist-get entry :source))) ; the source must not be nil
420 (listp (plist-get entry :source)) ; and it must be a list
421 (require 'secrets nil t) ; and we must load the Secrets API
422 secrets-enabled) ; and that API must be enabled
423
424 ;; the source is either the :secrets key in ENTRY or
425 ;; if that's missing or nil, it's "session"
426 (let ((source (or (plist-get (plist-get entry :source) :secrets)
427 "session")))
428
429 ;; if the source is a symbol, we look for the alias named so,
430 ;; and if that alias is missing, we use "Login"
431 (when (symbolp source)
432 (setq source (or (secrets-get-alias (symbol-name source))
433 "Login")))
434
435 (if (featurep 'secrets)
436 (auth-source-backend
437 (format "Secrets API (%s)" source)
438 :source source
439 :type 'secrets
440 :search-function 'auth-source-secrets-search
441 :create-function 'auth-source-secrets-create)
442 (auth-source-do-warn
443 "auth-source-backend-parse: no Secrets API, ignoring spec: %S" entry)
444 (auth-source-backend
445 (format "Ignored Secrets API (%s)" source)
446 :source ""
447 :type 'ignore))))
448
449 ;; none of them
450 (t
451 (auth-source-do-warn
452 "auth-source-backend-parse: invalid backend spec: %S" entry)
453 (auth-source-backend
454 "Empty"
455 :source ""
456 :type 'ignore)))))
457
458 (defun auth-source-backend-parse-parameters (entry backend)
459 "Fills in the extra auth-source-backend parameters of ENTRY.
460 Using the plist ENTRY, get the :host, :port, and :user search
461 parameters."
462 (let ((entry (if (stringp entry)
463 nil
464 entry))
465 val)
466 (when (setq val (plist-get entry :host))
467 (oset backend host val))
468 (when (setq val (plist-get entry :user))
469 (oset backend user val))
470 (when (setq val (plist-get entry :port))
471 (oset backend port val)))
472 backend)
473
474 ;; (mapcar 'auth-source-backend-parse auth-sources)
475
476 (defun* auth-source-search (&rest spec
477 &key type max host user port secret
478 require create delete
479 &allow-other-keys)
480 "Search or modify authentication backends according to SPEC.
481
482 This function parses `auth-sources' for matches of the SPEC
483 plist. It can optionally create or update an authentication
484 token if requested. A token is just a standard Emacs property
485 list with a :secret property that can be a function; all the
486 other properties will always hold scalar values.
487
488 Typically the :secret property, if present, contains a password.
489
490 Common search keys are :max, :host, :port, and :user. In
491 addition, :create specifies how tokens will be or created.
492 Finally, :type can specify which backend types you want to check.
493
494 A string value is always matched literally. A symbol is matched
495 as its string value, literally. All the SPEC values can be
496 single values (symbol or string) or lists thereof (in which case
497 any of the search terms matches).
498
499 :create t means to create a token if possible.
500
501 A new token will be created if no matching tokens were found.
502 The new token will have only the keys the backend requires. For
503 the netrc backend, for instance, that's the user, host, and
504 port keys.
505
506 Here's an example:
507
508 \(let ((auth-source-creation-defaults '((user . \"defaultUser\")
509 (A . \"default A\"))))
510 (auth-source-search :host \"mine\" :type 'netrc :max 1
511 :P \"pppp\" :Q \"qqqq\"
512 :create t))
513
514 which says:
515
516 \"Search for any entry matching host 'mine' in backends of type
517 'netrc', maximum one result.
518
519 Create a new entry if you found none. The netrc backend will
520 automatically require host, user, and port. The host will be
521 'mine'. We prompt for the user with default 'defaultUser' and
522 for the port without a default. We will not prompt for A, Q,
523 or P. The resulting token will only have keys user, host, and
524 port.\"
525
526 :create '(A B C) also means to create a token if possible.
527
528 The behavior is like :create t but if the list contains any
529 parameter, that parameter will be required in the resulting
530 token. The value for that parameter will be obtained from the
531 search parameters or from user input. If any queries are needed,
532 the alist `auth-source-creation-defaults' will be checked for the
533 default value. If the user, host, or port are missing, the alist
534 `auth-source-creation-prompts' will be used to look up the
535 prompts IN THAT ORDER (so the 'user prompt will be queried first,
536 then 'host, then 'port, and finally 'secret). Each prompt string
537 can use %u, %h, and %p to show the user, host, and port.
538
539 Here's an example:
540
541 \(let ((auth-source-creation-defaults '((user . \"defaultUser\")
542 (A . \"default A\")))
543 (auth-source-creation-prompts
544 '((password . \"Enter IMAP password for %h:%p: \"))))
545 (auth-source-search :host '(\"nonesuch\" \"twosuch\") :type 'netrc :max 1
546 :P \"pppp\" :Q \"qqqq\"
547 :create '(A B Q)))
548
549 which says:
550
551 \"Search for any entry matching host 'nonesuch'
552 or 'twosuch' in backends of type 'netrc', maximum one result.
553
554 Create a new entry if you found none. The netrc backend will
555 automatically require host, user, and port. The host will be
556 'nonesuch' and Q will be 'qqqq'. We prompt for the password
557 with the shown prompt. We will not prompt for Q. The resulting
558 token will have keys user, host, port, A, B, and Q. It will not
559 have P with any value, even though P is used in the search to
560 find only entries that have P set to 'pppp'.\"
561
562 When multiple values are specified in the search parameter, the
563 user is prompted for which one. So :host (X Y Z) would ask the
564 user to choose between X, Y, and Z.
565
566 This creation can fail if the search was not specific enough to
567 create a new token (it's up to the backend to decide that). You
568 should `catch' the backend-specific error as usual. Some
569 backends (netrc, at least) will prompt the user rather than throw
570 an error.
571
572 :require (A B C) means that only results that contain those
573 tokens will be returned. Thus for instance requiring :secret
574 will ensure that any results will actually have a :secret
575 property.
576
577 :delete t means to delete any found entries. nil by default.
578 Use `auth-source-delete' in ELisp code instead of calling
579 `auth-source-search' directly with this parameter.
580
581 :type (X Y Z) will check only those backend types. 'netrc and
582 'secrets are the only ones supported right now.
583
584 :max N means to try to return at most N items (defaults to 1).
585 When 0 the function will return just t or nil to indicate if any
586 matches were found. More than N items may be returned, depending
587 on the search and the backend.
588
589 :host (X Y Z) means to match only hosts X, Y, or Z according to
590 the match rules above. Defaults to t.
591
592 :user (X Y Z) means to match only users X, Y, or Z according to
593 the match rules above. Defaults to t.
594
595 :port (P Q R) means to match only protocols P, Q, or R.
596 Defaults to t.
597
598 :K (V1 V2 V3) for any other key K will match values V1, V2, or
599 V3 (note the match rules above).
600
601 The return value is a list with at most :max tokens. Each token
602 is a plist with keys :backend :host :port :user, plus any other
603 keys provided by the backend (notably :secret). But note the
604 exception for :max 0, which see above.
605
606 The token can hold a :save-function key. If you call that, the
607 user will be prompted to save the data to the backend. You can't
608 request that this should happen right after creation, because
609 `auth-source-search' has no way of knowing if the token is
610 actually useful. So the caller must arrange to call this function.
611
612 The token's :secret key can hold a function. In that case you
613 must call it to obtain the actual value."
614 (let* ((backends (mapcar 'auth-source-backend-parse auth-sources))
615 (max (or max 1))
616 (ignored-keys '(:require :create :delete :max))
617 (keys (loop for i below (length spec) by 2
618 unless (memq (nth i spec) ignored-keys)
619 collect (nth i spec)))
620 (cached (auth-source-remembered-p spec))
621 ;; note that we may have cached results but found is still nil
622 ;; (there were no results from the search)
623 (found (auth-source-recall spec))
624 filtered-backends accessor-key backend)
625
626 (if (and cached auth-source-do-cache)
627 (auth-source-do-debug
628 "auth-source-search: found %d CACHED results matching %S"
629 (length found) spec)
630
631 (assert
632 (or (eq t create) (listp create)) t
633 "Invalid auth-source :create parameter (must be t or a list): %s %s")
634
635 (assert
636 (listp require) t
637 "Invalid auth-source :require parameter (must be a list): %s")
638
639 (setq filtered-backends (copy-sequence backends))
640 (dolist (backend backends)
641 (dolist (key keys)
642 ;; ignore invalid slots
643 (condition-case signal
644 (unless (eval `(auth-source-search-collection
645 (plist-get spec key)
646 (oref backend ,key)))
647 (setq filtered-backends (delq backend filtered-backends))
648 (return))
649 (invalid-slot-name))))
650
651 (auth-source-do-trivia
652 "auth-source-search: found %d backends matching %S"
653 (length filtered-backends) spec)
654
655 ;; (debug spec "filtered" filtered-backends)
656 ;; First go through all the backends without :create, so we can
657 ;; query them all.
658 (setq found (auth-source-search-backends filtered-backends
659 spec
660 ;; to exit early
661 max
662 ;; create is always nil here
663 nil delete
664 require))
665
666 (auth-source-do-debug
667 "auth-source-search: found %d results (max %d) matching %S"
668 (length found) max spec)
669
670 ;; If we didn't find anything, then we allow the backend(s) to
671 ;; create the entries.
672 (when (and create
673 (not found))
674 (setq found (auth-source-search-backends filtered-backends
675 spec
676 ;; to exit early
677 max
678 create delete
679 require))
680 (auth-source-do-debug
681 "auth-source-search: CREATED %d results (max %d) matching %S"
682 (length found) max spec))
683
684 ;; note we remember the lack of result too, if it's applicable
685 (when auth-source-do-cache
686 (auth-source-remember spec found)))
687
688 found))
689
690 (defun auth-source-search-backends (backends spec max create delete require)
691 (let (matches)
692 (dolist (backend backends)
693 (when (> max (length matches)) ; when we need more matches...
694 (let* ((bmatches (apply
695 (slot-value backend 'search-function)
696 :backend backend
697 ;; note we're overriding whatever the spec
698 ;; has for :require, :create, and :delete
699 :require require
700 :create create
701 :delete delete
702 spec)))
703 (when bmatches
704 (auth-source-do-trivia
705 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
706 (length bmatches) max
707 (slot-value backend :type)
708 (slot-value backend :source)
709 spec)
710 (setq matches (append matches bmatches))))))
711 matches))
712
713 ;;; (auth-source-search :max 1)
714 ;;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
715 ;;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
716 ;;; (auth-source-search :host "nonesuch" :type 'secrets)
717
718 (defun* auth-source-delete (&rest spec
719 &key delete
720 &allow-other-keys)
721 "Delete entries from the authentication backends according to SPEC.
722 Calls `auth-source-search' with the :delete property in SPEC set to t.
723 The backend may not actually delete the entries.
724
725 Returns the deleted entries."
726 (auth-source-search (plist-put spec :delete t)))
727
728 (defun auth-source-search-collection (collection value)
729 "Returns t is VALUE is t or COLLECTION is t or contains VALUE."
730 (when (and (atom collection) (not (eq t collection)))
731 (setq collection (list collection)))
732
733 ;; (debug :collection collection :value value)
734 (or (eq collection t)
735 (eq value t)
736 (equal collection value)
737 (member value collection)))
738
739 (defvar auth-source-netrc-cache nil)
740
741 (defun auth-source-forget-all-cached ()
742 "Forget all cached auth-source data."
743 (interactive)
744 (loop for sym being the symbols of password-data
745 ;; when the symbol name starts with auth-source-magic
746 when (string-match (concat "^" auth-source-magic)
747 (symbol-name sym))
748 ;; remove that key
749 do (password-cache-remove (symbol-name sym)))
750 (setq auth-source-netrc-cache nil))
751
752 (defun auth-source-format-cache-entry (spec)
753 "Format SPEC entry to put it in the password cache."
754 (concat auth-source-magic (format "%S" spec)))
755
756 (defun auth-source-remember (spec found)
757 "Remember FOUND search results for SPEC."
758 (let ((password-cache-expiry auth-source-cache-expiry))
759 (password-cache-add
760 (auth-source-format-cache-entry spec) found)))
761
762 (defun auth-source-recall (spec)
763 "Recall FOUND search results for SPEC."
764 (password-read-from-cache (auth-source-format-cache-entry spec)))
765
766 (defun auth-source-remembered-p (spec)
767 "Check if SPEC is remembered."
768 (password-in-cache-p
769 (auth-source-format-cache-entry spec)))
770
771 (defun auth-source-forget (spec)
772 "Forget any cached data matching SPEC exactly.
773
774 This is the same SPEC you passed to `auth-source-search'.
775 Returns t or nil for forgotten or not found."
776 (password-cache-remove (auth-source-format-cache-entry spec)))
777
778 ;;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
779
780 ;;; (auth-source-remember '(:host "wedd") '(4 5 6))
781 ;;; (auth-source-remembered-p '(:host "wedd"))
782 ;;; (auth-source-remember '(:host "xedd") '(1 2 3))
783 ;;; (auth-source-remembered-p '(:host "xedd"))
784 ;;; (auth-source-remembered-p '(:host "zedd"))
785 ;;; (auth-source-recall '(:host "xedd"))
786 ;;; (auth-source-recall '(:host t))
787 ;;; (auth-source-forget+ :host t)
788
789 (defun* auth-source-forget+ (&rest spec &allow-other-keys)
790 "Forget any cached data matching SPEC. Returns forgotten count.
791
792 This is not a full `auth-source-search' spec but works similarly.
793 For instance, \(:host \"myhost\" \"yourhost\") would find all the
794 cached data that was found with a search for those two hosts,
795 while \(:host t) would find all host entries."
796 (let ((count 0)
797 sname)
798 (loop for sym being the symbols of password-data
799 ;; when the symbol name matches with auth-source-magic
800 when (and (setq sname (symbol-name sym))
801 (string-match (concat "^" auth-source-magic "\\(.+\\)")
802 sname)
803 ;; and the spec matches what was stored in the cache
804 (auth-source-specmatchp spec (read (match-string 1 sname))))
805 ;; remove that key
806 do (progn
807 (password-cache-remove sname)
808 (incf count)))
809 count))
810
811 (defun auth-source-specmatchp (spec stored)
812 (let ((keys (loop for i below (length spec) by 2
813 collect (nth i spec))))
814 (not (eq
815 (dolist (key keys)
816 (unless (auth-source-search-collection (plist-get stored key)
817 (plist-get spec key))
818 (return 'no)))
819 'no))))
820
821 ;;; (auth-source-pick-first-password :host "z.lifelogs.com")
822 ;;; (auth-source-pick-first-password :port "imap")
823 (defun auth-source-pick-first-password (&rest spec)
824 "Pick the first secret found from applying SPEC to `auth-source-search'."
825 (let* ((result (nth 0 (apply 'auth-source-search (plist-put spec :max 1))))
826 (secret (plist-get result :secret)))
827
828 (if (functionp secret)
829 (funcall secret)
830 secret)))
831
832 ;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
833 (defun auth-source-format-prompt (prompt alist)
834 "Format PROMPT using %x (for any character x) specifiers in ALIST."
835 (dolist (cell alist)
836 (let ((c (nth 0 cell))
837 (v (nth 1 cell)))
838 (when (and c v)
839 (setq prompt (replace-regexp-in-string (format "%%%c" c)
840 (format "%s" v)
841 prompt)))))
842 prompt)
843
844 (defun auth-source-ensure-strings (values)
845 (unless (listp values)
846 (setq values (list values)))
847 (mapcar (lambda (value)
848 (if (numberp value)
849 (format "%s" value)
850 value))
851 values))
852
853 ;;; Backend specific parsing: netrc/authinfo backend
854
855 ;;; (auth-source-netrc-parse "~/.authinfo.gpg")
856 (defun* auth-source-netrc-parse (&rest
857 spec
858 &key file max host user port delete require
859 &allow-other-keys)
860 "Parse FILE and return a list of all entries in the file.
861 Note that the MAX parameter is used so we can exit the parse early."
862 (if (listp file)
863 ;; We got already parsed contents; just return it.
864 file
865 (when (file-exists-p file)
866 (setq port (auth-source-ensure-strings port))
867 (with-temp-buffer
868 (let* ((tokens '("machine" "host" "default" "login" "user"
869 "password" "account" "macdef" "force"
870 "port" "protocol"))
871 (max (or max 5000)) ; sanity check: default to stop at 5K
872 (modified 0)
873 (cached (cdr-safe (assoc file auth-source-netrc-cache)))
874 (cached-mtime (plist-get cached :mtime))
875 (cached-secrets (plist-get cached :secret))
876 alist elem result pair)
877
878 (if (and (functionp cached-secrets)
879 (equal cached-mtime
880 (nth 5 (file-attributes file))))
881 (progn
882 (auth-source-do-trivia
883 "auth-source-netrc-parse: using CACHED file data for %s"
884 file)
885 (insert (funcall cached-secrets)))
886 (insert-file-contents file)
887 ;; cache all netrc files (used to be just .gpg files)
888 ;; Store the contents of the file heavily encrypted in memory.
889 ;; (note for the irony-impaired: they are just obfuscated)
890 (aput 'auth-source-netrc-cache file
891 (list :mtime (nth 5 (file-attributes file))
892 :secret (lexical-let ((v (mapcar '1+ (buffer-string))))
893 (lambda () (apply 'string (mapcar '1- v)))))))
894 (goto-char (point-min))
895 ;; Go through the file, line by line.
896 (while (and (not (eobp))
897 (> max 0))
898
899 (narrow-to-region (point) (point-at-eol))
900 ;; For each line, get the tokens and values.
901 (while (not (eobp))
902 (skip-chars-forward "\t ")
903 ;; Skip lines that begin with a "#".
904 (if (eq (char-after) ?#)
905 (goto-char (point-max))
906 (unless (eobp)
907 (setq elem
908 (if (= (following-char) ?\")
909 (read (current-buffer))
910 (buffer-substring
911 (point) (progn (skip-chars-forward "^\t ")
912 (point)))))
913 (cond
914 ((equal elem "macdef")
915 ;; We skip past the macro definition.
916 (widen)
917 (while (and (zerop (forward-line 1))
918 (looking-at "$")))
919 (narrow-to-region (point) (point)))
920 ((member elem tokens)
921 ;; Tokens that don't have a following value are ignored,
922 ;; except "default".
923 (when (and pair (or (cdr pair)
924 (equal (car pair) "default")))
925 (push pair alist))
926 (setq pair (list elem)))
927 (t
928 ;; Values that haven't got a preceding token are ignored.
929 (when pair
930 (setcdr pair elem)
931 (push pair alist)
932 (setq pair nil)))))))
933
934 (when (and alist
935 (> max 0)
936 (auth-source-search-collection
937 host
938 (or
939 (aget alist "machine")
940 (aget alist "host")
941 t))
942 (auth-source-search-collection
943 user
944 (or
945 (aget alist "login")
946 (aget alist "account")
947 (aget alist "user")
948 t))
949 (auth-source-search-collection
950 port
951 (or
952 (aget alist "port")
953 (aget alist "protocol")
954 t))
955 (or
956 ;; the required list of keys is nil, or
957 (null require)
958 ;; every element of require is in the normalized list
959 (let ((normalized (nth 0 (auth-source-netrc-normalize
960 (list alist) file))))
961 (loop for req in require
962 always (plist-get normalized req)))))
963 (decf max)
964 (push (nreverse alist) result)
965 ;; to delete a line, we just comment it out
966 (when delete
967 (goto-char (point-min))
968 (insert "#")
969 (incf modified)))
970 (setq alist nil
971 pair nil)
972 (widen)
973 (forward-line 1))
974
975 (when (< 0 modified)
976 (when auth-source-gpg-encrypt-to
977 ;; (see bug#7487) making `epa-file-encrypt-to' local to
978 ;; this buffer lets epa-file skip the key selection query
979 ;; (see the `local-variable-p' check in
980 ;; `epa-file-write-region').
981 (unless (local-variable-p 'epa-file-encrypt-to (current-buffer))
982 (make-local-variable 'epa-file-encrypt-to))
983 (if (listp auth-source-gpg-encrypt-to)
984 (setq epa-file-encrypt-to auth-source-gpg-encrypt-to)))
985
986 ;; ask AFTER we've successfully opened the file
987 (when (y-or-n-p (format "Save file %s? (%d deletions)"
988 file modified))
989 (write-region (point-min) (point-max) file nil 'silent)
990 (auth-source-do-debug
991 "auth-source-netrc-parse: modified %d lines in %s"
992 modified file)))
993
994 (nreverse result))))))
995
996 (defvar auth-source-passphrase-alist nil)
997
998 (defun auth-source-token-passphrase-callback-function (context key-id file)
999 (let* ((file (file-truename file))
1000 (entry (assoc file auth-source-passphrase-alist))
1001 passphrase)
1002 ;; return the saved passphrase, calling a function if needed
1003 (or (copy-sequence (if (functionp (cdr entry))
1004 (funcall (cdr entry))
1005 (cdr entry)))
1006 (progn
1007 (unless entry
1008 (setq entry (list file))
1009 (push entry auth-source-passphrase-alist))
1010 (setq passphrase
1011 (read-passwd
1012 (format "Passphrase for %s tokens: " file)
1013 t))
1014 (setcdr entry (lexical-let ((p (copy-sequence passphrase)))
1015 (lambda () p)))
1016 passphrase))))
1017
1018 ;; (auth-source-epa-extract-gpg-token "gpg:LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYxLjQuMTEgKEdOVS9MaW51eCkKCmpBMEVBd01DT25qMjB1ak9rZnRneVI3K21iNm9aZWhuLzRad3cySkdlbnVaKzRpeEswWDY5di9icDI1U1dsQT0KPS9yc2wKLS0tLS1FTkQgUEdQIE1FU1NBR0UtLS0tLQo=" "~/.netrc")
1019 (defun auth-source-epa-extract-gpg-token (secret file)
1020 "Pass either the decoded SECRET or the gpg:BASE64DATA version.
1021 FILE is the file from which we obtained this token."
1022 (when (string-match "^gpg:\\(.+\\)" secret)
1023 (setq secret (base64-decode-string (match-string 1 secret))))
1024 (let ((context (epg-make-context 'OpenPGP))
1025 plain)
1026 (epg-context-set-passphrase-callback
1027 context
1028 (cons #'auth-source-token-passphrase-callback-function
1029 file))
1030 (epg-decrypt-string context secret)))
1031
1032 ;; (insert (auth-source-epa-make-gpg-token "mysecret" "~/.netrc"))
1033 (defun auth-source-epa-make-gpg-token (secret file)
1034 (let ((context (epg-make-context 'OpenPGP))
1035 (pp-escape-newlines nil)
1036 cipher)
1037 (epg-context-set-armor context t)
1038 (epg-context-set-passphrase-callback
1039 context
1040 (cons #'auth-source-token-passphrase-callback-function
1041 file))
1042 (setq cipher (epg-encrypt-string context secret nil))
1043 (with-temp-buffer
1044 (insert cipher)
1045 (base64-encode-region (point-min) (point-max) t)
1046 (concat "gpg:" (buffer-substring-no-properties
1047 (point-min)
1048 (point-max))))))
1049
1050 (defun auth-source-netrc-normalize (alist filename)
1051 (mapcar (lambda (entry)
1052 (let (ret item)
1053 (while (setq item (pop entry))
1054 (let ((k (car item))
1055 (v (cdr item)))
1056
1057 ;; apply key aliases
1058 (setq k (cond ((member k '("machine")) "host")
1059 ((member k '("login" "account")) "user")
1060 ((member k '("protocol")) "port")
1061 ((member k '("password")) "secret")
1062 (t k)))
1063
1064 ;; send back the secret in a function (lexical binding)
1065 (when (equal k "secret")
1066 (setq v (lexical-let ((lexv v)
1067 (token-decoder nil))
1068 (when (string-match "^gpg:" lexv)
1069 ;; it's a GPG token: create a token decoder
1070 ;; which unsets itself once
1071 (setq token-decoder
1072 (lambda (val)
1073 (prog1
1074 (auth-source-epa-extract-gpg-token
1075 val
1076 filename)
1077 (setq token-decoder nil)))))
1078 (lambda ()
1079 (when token-decoder
1080 (setq lexv (funcall token-decoder lexv)))
1081 lexv))))
1082 (setq ret (plist-put ret
1083 (intern (concat ":" k))
1084 v))))
1085 ret))
1086 alist))
1087
1088 ;;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1089 ;;; (funcall secret)
1090
1091 (defun* auth-source-netrc-search (&rest
1092 spec
1093 &key backend require create delete
1094 type max host user port
1095 &allow-other-keys)
1096 "Given a property list SPEC, return search matches from the :backend.
1097 See `auth-source-search' for details on SPEC."
1098 ;; just in case, check that the type is correct (null or same as the backend)
1099 (assert (or (null type) (eq type (oref backend type)))
1100 t "Invalid netrc search: %s %s")
1101
1102 (let ((results (auth-source-netrc-normalize
1103 (auth-source-netrc-parse
1104 :max max
1105 :require require
1106 :delete delete
1107 :file (oref backend source)
1108 :host (or host t)
1109 :user (or user t)
1110 :port (or port t))
1111 (oref backend source))))
1112
1113 ;; if we need to create an entry AND none were found to match
1114 (when (and create
1115 (not results))
1116
1117 ;; create based on the spec and record the value
1118 (setq results (or
1119 ;; if the user did not want to create the entry
1120 ;; in the file, it will be returned
1121 (apply (slot-value backend 'create-function) spec)
1122 ;; if not, we do the search again without :create
1123 ;; to get the updated data.
1124
1125 ;; the result will be returned, even if the search fails
1126 (apply 'auth-source-netrc-search
1127 (plist-put spec :create nil)))))
1128 results))
1129
1130 (defun auth-source-netrc-element-or-first (v)
1131 (if (listp v)
1132 (nth 0 v)
1133 v))
1134
1135 ;;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1136 ;;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1137
1138 (defun* auth-source-netrc-create (&rest spec
1139 &key backend
1140 secret host user port create
1141 &allow-other-keys)
1142 (let* ((base-required '(host user port secret))
1143 ;; we know (because of an assertion in auth-source-search) that the
1144 ;; :create parameter is either t or a list (which includes nil)
1145 (create-extra (if (eq t create) nil create))
1146 (current-data (car (auth-source-search :max 1
1147 :host host
1148 :port port)))
1149 (required (append base-required create-extra))
1150 (file (oref backend source))
1151 (add "")
1152 ;; `valist' is an alist
1153 valist
1154 ;; `artificial' will be returned if no creation is needed
1155 artificial)
1156
1157 ;; only for base required elements (defined as function parameters):
1158 ;; fill in the valist with whatever data we may have from the search
1159 ;; we complete the first value if it's a list and use the value otherwise
1160 (dolist (br base-required)
1161 (when (symbol-value br)
1162 (let ((br-choice (cond
1163 ;; all-accepting choice (predicate is t)
1164 ((eq t (symbol-value br)) nil)
1165 ;; just the value otherwise
1166 (t (symbol-value br)))))
1167 (when br-choice
1168 (aput 'valist br br-choice)))))
1169
1170 ;; for extra required elements, see if the spec includes a value for them
1171 (dolist (er create-extra)
1172 (let ((name (concat ":" (symbol-name er)))
1173 (keys (loop for i below (length spec) by 2
1174 collect (nth i spec))))
1175 (dolist (k keys)
1176 (when (equal (symbol-name k) name)
1177 (aput 'valist er (plist-get spec k))))))
1178
1179 ;; for each required element
1180 (dolist (r required)
1181 (let* ((data (aget valist r))
1182 ;; take the first element if the data is a list
1183 (data (or (auth-source-netrc-element-or-first data)
1184 (plist-get current-data
1185 (intern (format ":%s" r) obarray))))
1186 ;; this is the default to be offered
1187 (given-default (aget auth-source-creation-defaults r))
1188 ;; the default supplementals are simple:
1189 ;; for the user, try `given-default' and then (user-login-name);
1190 ;; otherwise take `given-default'
1191 (default (cond
1192 ((and (not given-default) (eq r 'user))
1193 (user-login-name))
1194 (t given-default)))
1195 (printable-defaults (list
1196 (cons 'user
1197 (or
1198 (auth-source-netrc-element-or-first
1199 (aget valist 'user))
1200 (plist-get artificial :user)
1201 "[any user]"))
1202 (cons 'host
1203 (or
1204 (auth-source-netrc-element-or-first
1205 (aget valist 'host))
1206 (plist-get artificial :host)
1207 "[any host]"))
1208 (cons 'port
1209 (or
1210 (auth-source-netrc-element-or-first
1211 (aget valist 'port))
1212 (plist-get artificial :port)
1213 "[any port]"))))
1214 (prompt (or (aget auth-source-creation-prompts r)
1215 (case r
1216 (secret "%p password for %u@%h: ")
1217 (user "%p user name for %h: ")
1218 (host "%p host name for user %u: ")
1219 (port "%p port for %u@%h: "))
1220 (format "Enter %s (%%u@%%h:%%p): " r)))
1221 (prompt (auth-source-format-prompt
1222 prompt
1223 `((?u ,(aget printable-defaults 'user))
1224 (?h ,(aget printable-defaults 'host))
1225 (?p ,(aget printable-defaults 'port))))))
1226
1227 ;; Store the data, prompting for the password if needed.
1228 (setq data (or data
1229 (if (eq r 'secret)
1230 ;; Special case prompt for passwords.
1231 ;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1232 ;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1233 (let* ((ep (format "Use GPG password tokens in %s?" file))
1234 (gpg-encrypt
1235 (cond
1236 ((eq auth-source-netrc-use-gpg-tokens 'never)
1237 'never)
1238 ((listp auth-source-netrc-use-gpg-tokens)
1239 (let ((check (copy-sequence
1240 auth-source-netrc-use-gpg-tokens))
1241 item ret)
1242 (while check
1243 (setq item (pop check))
1244 (when (or (eq (car item) t)
1245 (string-match (car item) file))
1246 (setq ret (cdr item))
1247 (setq check nil)))))
1248 (t 'never)))
1249 (plain (or (eval default) (read-passwd prompt))))
1250 ;; ask if we don't know what to do (in which case
1251 ;; auth-source-netrc-use-gpg-tokens must be a list)
1252 (unless gpg-encrypt
1253 (setq gpg-encrypt (if (y-or-n-p ep) 'gpg 'never))
1254 ;; TODO: save the defcustom now? or ask?
1255 (setq auth-source-netrc-use-gpg-tokens
1256 (cons `(,file ,gpg-encrypt)
1257 auth-source-netrc-use-gpg-tokens)))
1258 (if (eq gpg-encrypt 'gpg)
1259 (auth-source-epa-make-gpg-token plain file)
1260 plain))
1261 (if (stringp default)
1262 (read-string (if (string-match ": *\\'" prompt)
1263 (concat (substring prompt 0 (match-beginning 0))
1264 " (default " default "): ")
1265 (concat prompt "(default " default ") "))
1266 nil nil default)
1267 (eval default)))))
1268
1269 (when data
1270 (setq artificial (plist-put artificial
1271 (intern (concat ":" (symbol-name r)))
1272 (if (eq r 'secret)
1273 (lexical-let ((data data))
1274 (lambda () data))
1275 data))))
1276
1277 ;; When r is not an empty string...
1278 (when (and (stringp data)
1279 (< 0 (length data)))
1280 ;; this function is not strictly necessary but I think it
1281 ;; makes the code clearer -tzz
1282 (let ((printer (lambda ()
1283 ;; append the key (the symbol name of r)
1284 ;; and the value in r
1285 (format "%s%s %s"
1286 ;; prepend a space
1287 (if (zerop (length add)) "" " ")
1288 ;; remap auth-source tokens to netrc
1289 (case r
1290 (user "login")
1291 (host "machine")
1292 (secret "password")
1293 (port "port") ; redundant but clearer
1294 (t (symbol-name r)))
1295 (if (string-match "[\" ]" data)
1296 (format "%S" data)
1297 data)))))
1298 (setq add (concat add (funcall printer)))))))
1299
1300 (plist-put
1301 artificial
1302 :save-function
1303 (lexical-let ((file file)
1304 (add add))
1305 (lambda () (auth-source-netrc-saver file add))))
1306
1307 (list artificial)))
1308
1309 ;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
1310 (defun auth-source-netrc-saver (file add)
1311 "Save a line ADD in FILE, prompting along the way.
1312 Respects `auth-source-save-behavior'. Uses
1313 `auth-source-netrc-cache' to avoid prompting more than once."
1314 (let* ((key (format "%s %s" file (rfc2104-hash 'md5 64 16 file add)))
1315 (cached (assoc key auth-source-netrc-cache)))
1316
1317 (if cached
1318 (auth-source-do-trivia
1319 "auth-source-netrc-saver: found previous run for key %s, returning"
1320 key)
1321 (with-temp-buffer
1322 (when (file-exists-p file)
1323 (insert-file-contents file))
1324 (when auth-source-gpg-encrypt-to
1325 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1326 ;; this buffer lets epa-file skip the key selection query
1327 ;; (see the `local-variable-p' check in
1328 ;; `epa-file-write-region').
1329 (unless (local-variable-p 'epa-file-encrypt-to (current-buffer))
1330 (make-local-variable 'epa-file-encrypt-to))
1331 (if (listp auth-source-gpg-encrypt-to)
1332 (setq epa-file-encrypt-to auth-source-gpg-encrypt-to)))
1333 ;; we want the new data to be found first, so insert at beginning
1334 (goto-char (point-min))
1335
1336 ;; Ask AFTER we've successfully opened the file.
1337 (let ((prompt (format "Save auth info to file %s? " file))
1338 (done (not (eq auth-source-save-behavior 'ask)))
1339 (bufname "*auth-source Help*")
1340 k)
1341 (while (not done)
1342 (setq k (auth-source-read-char-choice prompt '(?y ?n ?N ?e ??)))
1343 (case k
1344 (?y (setq done t))
1345 (?? (save-excursion
1346 (with-output-to-temp-buffer bufname
1347 (princ
1348 (concat "(y)es, save\n"
1349 "(n)o but use the info\n"
1350 "(N)o and don't ask to save again\n"
1351 "(e)dit the line\n"
1352 "(?) for help as you can see.\n"))
1353 ;; Why? Doesn't with-output-to-temp-buffer already do
1354 ;; the exact same thing anyway? --Stef
1355 (set-buffer standard-output)
1356 (help-mode))))
1357 (?n (setq add ""
1358 done t))
1359 (?N
1360 (setq add ""
1361 done t)
1362 (customize-save-variable 'auth-source-save-behavior nil))
1363 (?e (setq add (read-string "Line to add: " add)))
1364 (t nil)))
1365
1366 (when (get-buffer-window bufname)
1367 (delete-window (get-buffer-window bufname)))
1368
1369 ;; Make sure the info is not saved.
1370 (when (null auth-source-save-behavior)
1371 (setq add ""))
1372
1373 (when (< 0 (length add))
1374 (progn
1375 (unless (bolp)
1376 (insert "\n"))
1377 (insert add "\n")
1378 (write-region (point-min) (point-max) file nil 'silent)
1379 ;; Make the .authinfo file non-world-readable.
1380 (set-file-modes file #o600)
1381 (auth-source-do-debug
1382 "auth-source-netrc-create: wrote 1 new line to %s"
1383 file)
1384 (message "Saved new authentication information to %s" file)
1385 nil))))
1386 (aput 'auth-source-netrc-cache key "ran"))))
1387
1388 ;;; Backend specific parsing: Secrets API backend
1389
1390 ;;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1391 ;;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1392 ;;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1393 ;;; (let ((auth-sources '(default))) (auth-source-search))
1394 ;;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1395 ;;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
1396
1397 (defun* auth-source-secrets-search (&rest
1398 spec
1399 &key backend create delete label
1400 type max host user port
1401 &allow-other-keys)
1402 "Search the Secrets API; spec is like `auth-source'.
1403
1404 The :label key specifies the item's label. It is the only key
1405 that can specify a substring. Any :label value besides a string
1406 will allow any label.
1407
1408 All other search keys must match exactly. If you need substring
1409 matching, do a wider search and narrow it down yourself.
1410
1411 You'll get back all the properties of the token as a plist.
1412
1413 Here's an example that looks for the first item in the 'Login'
1414 Secrets collection:
1415
1416 \(let ((auth-sources '(\"secrets:Login\")))
1417 (auth-source-search :max 1)
1418
1419 Here's another that looks for the first item in the 'Login'
1420 Secrets collection whose label contains 'gnus':
1421
1422 \(let ((auth-sources '(\"secrets:Login\")))
1423 (auth-source-search :max 1 :label \"gnus\")
1424
1425 And this one looks for the first item in the 'Login' Secrets
1426 collection that's a Google Chrome entry for the git.gnus.org site
1427 authentication tokens:
1428
1429 \(let ((auth-sources '(\"secrets:Login\")))
1430 (auth-source-search :max 1 :signon_realm \"https://git.gnus.org/Git\"))
1431 "
1432
1433 ;; TODO
1434 (assert (not create) nil
1435 "The Secrets API auth-source backend doesn't support creation yet")
1436 ;; TODO
1437 ;; (secrets-delete-item coll elt)
1438 (assert (not delete) nil
1439 "The Secrets API auth-source backend doesn't support deletion yet")
1440
1441 (let* ((coll (oref backend source))
1442 (max (or max 5000)) ; sanity check: default to stop at 5K
1443 (ignored-keys '(:create :delete :max :backend :label))
1444 (search-keys (loop for i below (length spec) by 2
1445 unless (memq (nth i spec) ignored-keys)
1446 collect (nth i spec)))
1447 ;; build a search spec without the ignored keys
1448 ;; if a search key is nil or t (match anything), we skip it
1449 (search-spec (apply 'append (mapcar
1450 (lambda (k)
1451 (if (or (null (plist-get spec k))
1452 (eq t (plist-get spec k)))
1453 nil
1454 (list k (plist-get spec k))))
1455 search-keys)))
1456 ;; needed keys (always including host, login, port, and secret)
1457 (returned-keys (mm-delete-duplicates (append
1458 '(:host :login :port :secret)
1459 search-keys)))
1460 (items (loop for item in (apply 'secrets-search-items coll search-spec)
1461 unless (and (stringp label)
1462 (not (string-match label item)))
1463 collect item))
1464 ;; TODO: respect max in `secrets-search-items', not after the fact
1465 (items (butlast items (- (length items) max)))
1466 ;; convert the item name to a full plist
1467 (items (mapcar (lambda (item)
1468 (append
1469 ;; make an entry for the secret (password) element
1470 (list
1471 :secret
1472 (lexical-let ((v (secrets-get-secret coll item)))
1473 (lambda () v)))
1474 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
1475 (apply 'append
1476 (mapcar (lambda (entry)
1477 (list (car entry) (cdr entry)))
1478 (secrets-get-attributes coll item)))))
1479 items))
1480 ;; ensure each item has each key in `returned-keys'
1481 (items (mapcar (lambda (plist)
1482 (append
1483 (apply 'append
1484 (mapcar (lambda (req)
1485 (if (plist-get plist req)
1486 nil
1487 (list req nil)))
1488 returned-keys))
1489 plist))
1490 items)))
1491 items))
1492
1493 (defun* auth-source-secrets-create (&rest
1494 spec
1495 &key backend type max host user port
1496 &allow-other-keys)
1497 ;; TODO
1498 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1499 (debug spec))
1500
1501 ;;; Backend specific parsing: PLSTORE backend
1502
1503 (defun* auth-source-plstore-search (&rest
1504 spec
1505 &key backend create delete label
1506 type max host user port
1507 &allow-other-keys)
1508 "Search the PLSTORE; spec is like `auth-source'."
1509 (let* ((store (oref backend data))
1510 (max (or max 5000)) ; sanity check: default to stop at 5K
1511 (ignored-keys '(:create :delete :max :backend :require))
1512 (search-keys (loop for i below (length spec) by 2
1513 unless (memq (nth i spec) ignored-keys)
1514 collect (nth i spec)))
1515 ;; build a search spec without the ignored keys
1516 ;; if a search key is nil or t (match anything), we skip it
1517 (search-spec (apply 'append (mapcar
1518 (lambda (k)
1519 (let ((v (plist-get spec k)))
1520 (if (or (null v)
1521 (eq t v))
1522 nil
1523 (if (stringp v)
1524 (setq v (list v)))
1525 (list k v))))
1526 search-keys)))
1527 ;; needed keys (always including host, login, port, and secret)
1528 (returned-keys (mm-delete-duplicates (append
1529 '(:host :login :port :secret)
1530 search-keys)))
1531 (items (plstore-find store search-spec))
1532 (item-names (mapcar #'car items))
1533 (items (butlast items (- (length items) max)))
1534 ;; convert the item to a full plist
1535 (items (mapcar (lambda (item)
1536 (let* ((plist (copy-tree (cdr item)))
1537 (secret (plist-member plist :secret)))
1538 (if secret
1539 (setcar
1540 (cdr secret)
1541 (lexical-let ((v (car (cdr secret))))
1542 (lambda () v))))
1543 plist))
1544 items))
1545 ;; ensure each item has each key in `returned-keys'
1546 (items (mapcar (lambda (plist)
1547 (append
1548 (apply 'append
1549 (mapcar (lambda (req)
1550 (if (plist-get plist req)
1551 nil
1552 (list req nil)))
1553 returned-keys))
1554 plist))
1555 items)))
1556 (cond
1557 ;; if we need to create an entry AND none were found to match
1558 ((and create
1559 (not items))
1560
1561 ;; create based on the spec and record the value
1562 (setq items (or
1563 ;; if the user did not want to create the entry
1564 ;; in the file, it will be returned
1565 (apply (slot-value backend 'create-function) spec)
1566 ;; if not, we do the search again without :create
1567 ;; to get the updated data.
1568
1569 ;; the result will be returned, even if the search fails
1570 (apply 'auth-source-plstore-search
1571 (plist-put spec :create nil)))))
1572 ((and delete
1573 item-names)
1574 (dolist (item-name item-names)
1575 (plstore-delete store item-name))
1576 (plstore-save store)))
1577 items))
1578
1579 (defun* auth-source-plstore-create (&rest spec
1580 &key backend
1581 secret host user port create
1582 &allow-other-keys)
1583 (let* ((base-required '(host user port secret))
1584 (base-secret '(secret))
1585 ;; we know (because of an assertion in auth-source-search) that the
1586 ;; :create parameter is either t or a list (which includes nil)
1587 (create-extra (if (eq t create) nil create))
1588 (current-data (car (auth-source-search :max 1
1589 :host host
1590 :port port)))
1591 (required (append base-required create-extra))
1592 (file (oref backend source))
1593 (add "")
1594 ;; `valist' is an alist
1595 valist
1596 ;; `artificial' will be returned if no creation is needed
1597 artificial
1598 secret-artificial)
1599
1600 ;; only for base required elements (defined as function parameters):
1601 ;; fill in the valist with whatever data we may have from the search
1602 ;; we complete the first value if it's a list and use the value otherwise
1603 (dolist (br base-required)
1604 (when (symbol-value br)
1605 (let ((br-choice (cond
1606 ;; all-accepting choice (predicate is t)
1607 ((eq t (symbol-value br)) nil)
1608 ;; just the value otherwise
1609 (t (symbol-value br)))))
1610 (when br-choice
1611 (aput 'valist br br-choice)))))
1612
1613 ;; for extra required elements, see if the spec includes a value for them
1614 (dolist (er create-extra)
1615 (let ((name (concat ":" (symbol-name er)))
1616 (keys (loop for i below (length spec) by 2
1617 collect (nth i spec))))
1618 (dolist (k keys)
1619 (when (equal (symbol-name k) name)
1620 (aput 'valist er (plist-get spec k))))))
1621
1622 ;; for each required element
1623 (dolist (r required)
1624 (let* ((data (aget valist r))
1625 ;; take the first element if the data is a list
1626 (data (or (auth-source-netrc-element-or-first data)
1627 (plist-get current-data
1628 (intern (format ":%s" r) obarray))))
1629 ;; this is the default to be offered
1630 (given-default (aget auth-source-creation-defaults r))
1631 ;; the default supplementals are simple:
1632 ;; for the user, try `given-default' and then (user-login-name);
1633 ;; otherwise take `given-default'
1634 (default (cond
1635 ((and (not given-default) (eq r 'user))
1636 (user-login-name))
1637 (t given-default)))
1638 (printable-defaults (list
1639 (cons 'user
1640 (or
1641 (auth-source-netrc-element-or-first
1642 (aget valist 'user))
1643 (plist-get artificial :user)
1644 "[any user]"))
1645 (cons 'host
1646 (or
1647 (auth-source-netrc-element-or-first
1648 (aget valist 'host))
1649 (plist-get artificial :host)
1650 "[any host]"))
1651 (cons 'port
1652 (or
1653 (auth-source-netrc-element-or-first
1654 (aget valist 'port))
1655 (plist-get artificial :port)
1656 "[any port]"))))
1657 (prompt (or (aget auth-source-creation-prompts r)
1658 (case r
1659 (secret "%p password for %u@%h: ")
1660 (user "%p user name for %h: ")
1661 (host "%p host name for user %u: ")
1662 (port "%p port for %u@%h: "))
1663 (format "Enter %s (%%u@%%h:%%p): " r)))
1664 (prompt (auth-source-format-prompt
1665 prompt
1666 `((?u ,(aget printable-defaults 'user))
1667 (?h ,(aget printable-defaults 'host))
1668 (?p ,(aget printable-defaults 'port))))))
1669
1670 ;; Store the data, prompting for the password if needed.
1671 (setq data (or data
1672 (if (eq r 'secret)
1673 (or (eval default) (read-passwd prompt))
1674 (if (stringp default)
1675 (read-string (if (string-match ": *\\'" prompt)
1676 (concat (substring prompt 0 (match-beginning 0))
1677 " (default " default "): ")
1678 (concat prompt "(default " default ") "))
1679 nil nil default)
1680 (eval default)))))
1681
1682 (when data
1683 (if (member r base-secret)
1684 (setq secret-artificial
1685 (plist-put secret-artificial
1686 (intern (concat ":" (symbol-name r)))
1687 data))
1688 (setq artificial (plist-put artificial
1689 (intern (concat ":" (symbol-name r)))
1690 data))))))
1691 (plstore-put (oref backend data)
1692 (sha1 (format "%s@%s:%s"
1693 (plist-get artificial :user)
1694 (plist-get artificial :host)
1695 (plist-get artificial :port)))
1696 artificial secret-artificial)
1697 (if (y-or-n-p (format "Save auth info to file %s? "
1698 (plstore-get-file (oref backend data))))
1699 (plstore-save (oref backend data)))))
1700
1701 ;;; older API
1702
1703 ;;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
1704
1705 ;; deprecate the old interface
1706 (make-obsolete 'auth-source-user-or-password
1707 'auth-source-search "Emacs 24.1")
1708 (make-obsolete 'auth-source-forget-user-or-password
1709 'auth-source-forget "Emacs 24.1")
1710
1711 (defun auth-source-user-or-password
1712 (mode host port &optional username create-missing delete-existing)
1713 "Find MODE (string or list of strings) matching HOST and PORT.
1714
1715 DEPRECATED in favor of `auth-source-search'!
1716
1717 USERNAME is optional and will be used as \"login\" in a search
1718 across the Secret Service API (see secrets.el) if the resulting
1719 items don't have a username. This means that if you search for
1720 username \"joe\" and it matches an item but the item doesn't have
1721 a :user attribute, the username \"joe\" will be returned.
1722
1723 A non nil DELETE-EXISTING means deleting any matching password
1724 entry in the respective sources. This is useful only when
1725 CREATE-MISSING is non nil as well; the intended use case is to
1726 remove wrong password entries.
1727
1728 If no matching entry is found, and CREATE-MISSING is non nil,
1729 the password will be retrieved interactively, and it will be
1730 stored in the password database which matches best (see
1731 `auth-sources').
1732
1733 MODE can be \"login\" or \"password\"."
1734 (auth-source-do-debug
1735 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
1736 mode host port username)
1737
1738 (let* ((listy (listp mode))
1739 (mode (if listy mode (list mode)))
1740 (cname (if username
1741 (format "%s %s:%s %s" mode host port username)
1742 (format "%s %s:%s" mode host port)))
1743 (search (list :host host :port port))
1744 (search (if username (append search (list :user username)) search))
1745 (search (if create-missing
1746 (append search (list :create t))
1747 search))
1748 (search (if delete-existing
1749 (append search (list :delete t))
1750 search))
1751 ;; (found (if (not delete-existing)
1752 ;; (gethash cname auth-source-cache)
1753 ;; (remhash cname auth-source-cache)
1754 ;; nil)))
1755 (found nil))
1756 (if found
1757 (progn
1758 (auth-source-do-debug
1759 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
1760 mode
1761 ;; don't show the password
1762 (if (and (member "password" mode) t)
1763 "SECRET"
1764 found)
1765 host port username)
1766 found) ; return the found data
1767 ;; else, if not found, search with a max of 1
1768 (let ((choice (nth 0 (apply 'auth-source-search
1769 (append '(:max 1) search)))))
1770 (when choice
1771 (dolist (m mode)
1772 (cond
1773 ((equal "password" m)
1774 (push (if (plist-get choice :secret)
1775 (funcall (plist-get choice :secret))
1776 nil) found))
1777 ((equal "login" m)
1778 (push (plist-get choice :user) found)))))
1779 (setq found (nreverse found))
1780 (setq found (if listy found (car-safe found)))))
1781
1782 found))
1783
1784 (provide 'auth-source)
1785
1786 ;;; auth-source.el ends here
Emacs repository mirror