HCoop / bpt / emacs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add the new `sendmail-query-once' function to sendmail.el.
[bpt/emacs.git] / lisp / gnus / auth-source.el
CommitLineData
8f7abae3
MB		 1;;; auth-source.el --- authentication sources for Gnus and Emacs
2
73b0cd50 3;; Copyright (C) 2008-2011 Free Software Foundation, Inc.
8f7abae3
MB		 4
5;; Author: Ted Zlatanov <tzz@lifelogs.com>
6;; Keywords: news
7
8;; This file is part of GNU Emacs.
9
5e809f55 10;; GNU Emacs is free software: you can redistribute it and/or modify
8f7abae3 11;; it under the terms of the GNU General Public License as published by
5e809f55
GM		 12;; the Free Software Foundation, either version 3 of the License, or
13;; (at your option) any later version.
8f7abae3
MB		 14
15;; GNU Emacs is distributed in the hope that it will be useful,
16;; but WITHOUT ANY WARRANTY; without even the implied warranty of
5e809f55 17;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
8f7abae3
MB		 18;; GNU General Public License for more details.
19
20;; You should have received a copy of the GNU General Public License
5e809f55 21;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
8f7abae3
MB		 22
23;;; Commentary:
24
25;; This is the auth-source.el package. It lets users tell Gnus how to
26;; authenticate in a single place. Simplicity is the goal. Instead
27;; of providing 5000 options, we'll stick to simple, easy to
28;; understand options.
d55fe5bb 29
554a69b8 30;; See the auth.info Info documentation for details.
4079589f 31
cbabe91f
TZ		 32;; TODO:
33
34;; - never decode the backend file unless it's necessary
35;; - a more generic way to match backends and search backend contents
36;; - absorb netrc.el and simplify it
37;; - protect passwords better
38;; - allow creating and changing netrc lines (not files) e.g. change a password
39
8f7abae3
MB		 40;;; Code:
41
b8e0f0cd 42(require 'password-cache)
d638ac9e 43(require 'mm-util)
e952b711 44(require 'gnus-util)
b8e0f0cd 45(require 'assoc)
8f7abae3 46(eval-when-compile (require 'cl))
f3b54b0e 47(require 'eieio)
b8e0f0cd 48
0e4966fb
MA		 49(autoload 'secrets-create-item "secrets")
50(autoload 'secrets-delete-item "secrets")
ec7995fa 51(autoload 'secrets-get-alias "secrets")
b8e0f0cd 52(autoload 'secrets-get-attributes "secrets")
fb178e4c 53(autoload 'secrets-get-secret "secrets")
0e4966fb
MA		 54(autoload 'secrets-list-collections "secrets")
55(autoload 'secrets-search-items "secrets")
8f7abae3 56
4248cca2
TZ		 57(autoload 'rfc2104-hash "rfc2104")
58
b8e0f0cd
G		 59(defvar secrets-enabled)
60
8f7abae3
MB		 61(defgroup auth-source nil
62 "Authentication sources."
9b3ebcb6 63 :version "23.1" ;; No Gnus
8f7abae3
MB		 64 :group 'gnus)
65
584c9d3f
G		 66;;;###autoload
67(defcustom auth-source-cache-expiry 7200
68 "How many seconds passwords are cached, or nil to disable
69expiring. Overrides `password-cache-expiry' through a
70let-binding."
71 :group 'auth-source
72 :type '(choice (const :tag "Never" nil)
73 (const :tag "All Day" 86400)
74 (const :tag "2 Hours" 7200)
75 (const :tag "30 Minutes" 1800)
76 (integer :tag "Seconds")))
77
b8e0f0cd
G		 78(defclass auth-source-backend ()
79 ((type :initarg :type
80 :initform 'netrc
81 :type symbol
82 :custom symbol
83 :documentation "The backend type.")
84 (source :initarg :source
85 :type string
86 :custom string
87 :documentation "The backend source.")
88 (host :initarg :host
89 :initform t
90 :type t
91 :custom string
92 :documentation "The backend host.")
93 (user :initarg :user
94 :initform t
95 :type t
96 :custom string
97 :documentation "The backend user.")
35123c04
TZ		 98 (port :initarg :port
99 :initform t
100 :type t
101 :custom string
102 :documentation "The backend protocol.")
b8e0f0cd
G		 103 (create-function :initarg :create-function
104 :initform ignore
105 :type function
106 :custom function
107 :documentation "The create function.")
108 (search-function :initarg :search-function
109 :initform ignore
110 :type function
111 :custom function
112 :documentation "The search function.")))
113
9b3ebcb6 114(defcustom auth-source-protocols '((imap "imap" "imaps" "143" "993")
cbabe91f
TZ		 115 (pop3 "pop3" "pop" "pop3s" "110" "995")
116 (ssh "ssh" "22")
117 (sftp "sftp" "115")
118 (smtp "smtp" "25"))
9b3ebcb6
MB		 119 "List of authentication protocols and their names"
120
121 :group 'auth-source
ec7995fa 122 :version "23.2" ;; No Gnus
9b3ebcb6 123 :type '(repeat :tag "Authentication Protocols"
cbabe91f
TZ		 124 (cons :tag "Protocol Entry"
125 (symbol :tag "Protocol")
126 (repeat :tag "Names"
127 (string :tag "Name")))))
9b3ebcb6
MB		 128
129;;; generate all the protocols in a format Customize can use
fb178e4c 130;;; TODO: generate on the fly from auth-source-protocols
9b3ebcb6
MB		 131(defconst auth-source-protocols-customize
132 (mapcar (lambda (a)
cbabe91f
TZ		 133 (let ((p (car-safe a)))
134 (list 'const
135 :tag (upcase (symbol-name p))
136 p)))
137 auth-source-protocols))
9b3ebcb6 138
b8e0f0cd
G		 139(defvar auth-source-creation-defaults nil
140 "Defaults for creating token values. Usually let-bound.")
141
003522ce
G		 142(defvar auth-source-creation-prompts nil
143 "Default prompts for token values. Usually let-bound.")
144
b8e0f0cd
G		 145(make-obsolete 'auth-source-hide-passwords nil "Emacs 24.1")
146
003522ce
G		 147(defcustom auth-source-save-behavior 'ask
148 "If set, auth-source will respect it for save behavior."
149 :group 'auth-source
150 :version "23.2" ;; No Gnus
151 :type `(choice
152 :tag "auth-source new token save behavior"
153 (const :tag "Always save" t)
154 (const :tag "Never save" nil)
155 (const :tag "Ask" ask)))
156
61e6a0ac
TZ		 157;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg)))
158;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
159
160(defcustom auth-source-netrc-use-gpg-tokens 'never
161 "Set this to tell auth-source when to create GPG password
162tokens in netrc files. It's either an alist or `never'."
2b8c5660
TZ		 163 :group 'auth-source
164 :version "23.2" ;; No Gnus
165 :type `(choice
61e6a0ac
TZ		 166 (const :tag "Always use GPG password tokens" (t gpg))
167 (const :tag "Never use GPG password tokens" never)
168 (repeat :tag "Use a lookup list"
169 (list
170 (choice :tag "Matcher"
171 (const :tag "Match anything" t)
172 (const :tag "The EPA encrypted file extensions"
173 ,(if (boundp 'epa-file-auto-mode-alist-entry)
174 (car (symbol-value
175 'epa-file-auto-mode-alist-entry))
176 "\\.gpg\\'"))
177 (regexp :tag "Regular expression"))
178 (choice :tag "What to do"
179 (const :tag "Save GPG-encrypted password tokens" gpg)
180 (const :tag "Don't encrypt tokens" never))))))
2b8c5660 181
b8e0f0cd 182(defvar auth-source-magic "auth-source-magic ")
ed778fad
MB		 183
184(defcustom auth-source-do-cache t
b8e0f0cd 185 "Whether auth-source should cache information with `password-cache'."
ed778fad 186 :group 'auth-source
ec7995fa 187 :version "23.2" ;; No Gnus
ed778fad
MB		 188 :type `boolean)
189
a202ff49 190(defcustom auth-source-debug nil
554a69b8 191 "Whether auth-source should log debug messages.
554a69b8
KY		 192
193If the value is nil, debug messages are not logged.
ca6ddb88
TZ		 194
195If the value is t, debug messages are logged with `message'. In
196that case, your authentication data will be in the clear (except
197for passwords).
198
554a69b8
KY		 199If the value is a function, debug messages are logged by calling
200 that function using the same arguments as `message'."
201 :group 'auth-source
ec7995fa 202 :version "23.2" ;; No Gnus
cbabe91f
TZ		 203 :type `(choice
204 :tag "auth-source debugging mode"
205 (const :tag "Log using `message' to the *Messages* buffer" t)
4a3988d5
G		 206 (const :tag "Log all trivia with `message' to the *Messages* buffer"
207 trivia)
cbabe91f
TZ		 208 (function :tag "Function that takes arguments like `message'")
209 (const :tag "Don't log anything" nil)))
554a69b8 210
6a6e4d93 211(defcustom auth-sources '("~/.authinfo" "~/.authinfo.gpg" "~/.netrc")
8f7abae3
MB		 212 "List of authentication sources.
213
b8e0f0cd
G		 214The default will get login and password information from
215\"~/.authinfo.gpg\", which you should set up with the EPA/EPG
216packages to be encrypted. If that file doesn't exist, it will
4a3988d5
G		 217try the unencrypted version \"~/.authinfo\" and the famous
218\"~/.netrc\" file.
b8e0f0cd
G		 219
220See the auth.info manual for details.
fb178e4c 221
ec7995fa
KY		 222Each entry is the authentication type with optional properties.
223
224It's best to customize this with `M-x customize-variable' because the choices
225can get pretty complex."
8f7abae3 226 :group 'auth-source
b8e0f0cd 227 :version "24.1" ;; No Gnus
9b3ebcb6 228 :type `(repeat :tag "Authentication Sources"
b8e0f0cd
G		 229 (choice
230 (string :tag "Just a file")
231 (const :tag "Default Secrets API Collection" 'default)
5415d076 232 (const :tag "Login Secrets API Collection" "secrets:Login")
b8e0f0cd
G		 233 (const :tag "Temp Secrets API Collection" "secrets:session")
234 (list :tag "Source definition"
235 (const :format "" :value :source)
236 (choice :tag "Authentication backend choice"
237 (string :tag "Authentication Source (file)")
238 (list
239 :tag "Secret Service API/KWallet/GNOME Keyring"
240 (const :format "" :value :secrets)
241 (choice :tag "Collection to use"
242 (string :tag "Collection name")
243 (const :tag "Default" 'default)
5415d076 244 (const :tag "Login" "Login")
b8e0f0cd
G		 245 (const
246 :tag "Temporary" "session"))))
247 (repeat :tag "Extra Parameters" :inline t
248 (choice :tag "Extra parameter"
249 (list
250 :tag "Host"
251 (const :format "" :value :host)
252 (choice :tag "Host (machine) choice"
253 (const :tag "Any" t)
254 (regexp
255 :tag "Regular expression")))
256 (list
257 :tag "Protocol"
35123c04 258 (const :format "" :value :port)
b8e0f0cd
G		 259 (choice
260 :tag "Protocol"
261 (const :tag "Any" t)
262 ,@auth-source-protocols-customize))
263 (list :tag "User" :inline t
264 (const :format "" :value :user)
61e6a0ac
TZ		 265 (choice
266 :tag "Personality/Username"
b8e0f0cd 267 (const :tag "Any" t)
61e6a0ac
TZ		 268 (string
269 :tag "Name")))))))))
8f7abae3 270
549c9aed
G		 271(defcustom auth-source-gpg-encrypt-to t
272 "List of recipient keys that `authinfo.gpg' encrypted to.
273If the value is not a list, symmetric encryption will be used."
274 :group 'auth-source
b8e0f0cd 275 :version "24.1" ;; No Gnus
549c9aed 276 :type '(choice (const :tag "Symmetric encryption" t)
b8e0f0cd
G		 277 (repeat :tag "Recipient public keys"
278 (string :tag "Recipient public key"))))
549c9aed 279
8f7abae3 280;; temp for debugging
9b3ebcb6
MB		 281;; (unintern 'auth-source-protocols)
282;; (unintern 'auth-sources)
283;; (customize-variable 'auth-sources)
284;; (setq auth-sources nil)
285;; (format "%S" auth-sources)
286;; (customize-variable 'auth-source-protocols)
287;; (setq auth-source-protocols nil)
288;; (format "%S" auth-source-protocols)
fb178e4c 289;; (auth-source-pick nil :host "a" :port 'imap)
9b3ebcb6
MB		 290;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
291;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
292;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
293;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
294;; (auth-source-protocol-defaults 'imap)
295
ca6ddb88
TZ		 296;; (let ((auth-source-debug 'debug)) (auth-source-do-debug "hello"))
297;; (let ((auth-source-debug t)) (auth-source-do-debug "hello"))
298;; (let ((auth-source-debug nil)) (auth-source-do-debug "hello"))
554a69b8 299(defun auth-source-do-debug (&rest msg)
554a69b8 300 (when auth-source-debug
ca6ddb88
TZ		 301 (apply 'auth-source-do-warn msg)))
302
4a3988d5
G		 303(defun auth-source-do-trivia (&rest msg)
304 (when (or (eq auth-source-debug 'trivia)
305 (functionp auth-source-debug))
306 (apply 'auth-source-do-warn msg)))
307
ca6ddb88
TZ		 308(defun auth-source-do-warn (&rest msg)
309 (apply
310 ;; set logger to either the function in auth-source-debug or 'message
311 ;; note that it will be 'message if auth-source-debug is nil
312 (if (functionp auth-source-debug)
313 auth-source-debug
314 'message)
315 msg))
316
554a69b8 317
733afdf4
TZ		 318;;; (auth-source-read-char-choice "enter choice? " '(?a ?b ?q))
319(defun auth-source-read-char-choice (prompt choices)
320 "Read one of CHOICES by `read-char-choice', or `read-char'.
321`dropdown-list' support is disabled because it doesn't work reliably.
322Only one of CHOICES will be returned. The PROMPT is augmented
323with \"[a/b/c] \" if CHOICES is '\(?a ?b ?c\)."
324 (when choices
325 (let* ((prompt-choices
326 (apply 'concat (loop for c in choices
327 collect (format "%c/" c))))
328 (prompt-choices (concat "[" (substring prompt-choices 0 -1) "] "))
329 (full-prompt (concat prompt prompt-choices))
330 k)
331
332 (while (not (memq k choices))
333 (setq k (cond
733afdf4
TZ		 334 ((fboundp 'read-char-choice)
335 (read-char-choice full-prompt choices))
336 (t (message "%s" full-prompt)
337 (setq k (read-char))))))
338 k)))
339
35123c04
TZ		 340;; (auth-source-pick nil :host "any" :port 'imap :user "joe")
341;; (auth-source-pick t :host "any" :port 'imap :user "joe")
342;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
343;; (:source (:secrets "session") :host t :port t :user "joe")
344;; (:source (:secrets "Login") :host t :port t)
345;; (:source "~/.authinfo.gpg" :host t :port t)))
fb178e4c 346
35123c04
TZ		 347;; (setq auth-sources '((:source (:secrets default) :host t :port t :user "joe")
348;; (:source (:secrets "session") :host t :port t :user "joe")
349;; (:source (:secrets "Login") :host t :port t)
cbabe91f 350;; ))
fb178e4c 351
35123c04 352;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
fb178e4c 353
b8e0f0cd
G		 354;; (auth-source-backend-parse "myfile.gpg")
355;; (auth-source-backend-parse 'default)
5415d076 356;; (auth-source-backend-parse "secrets:Login")
b8e0f0cd
G		 357
358(defun auth-source-backend-parse (entry)
359 "Creates an auth-source-backend from an ENTRY in `auth-sources'."
360 (auth-source-backend-parse-parameters
361 entry
362 (cond
363 ;; take 'default and recurse to get it as a Secrets API default collection
364 ;; matching any user, host, and protocol
365 ((eq entry 'default)
366 (auth-source-backend-parse '(:source (:secrets default))))
367 ;; take secrets:XYZ and recurse to get it as Secrets API collection "XYZ"
368 ;; matching any user, host, and protocol
369 ((and (stringp entry) (string-match "^secrets:\\(.+\\)" entry))
370 (auth-source-backend-parse `(:source (:secrets ,(match-string 1 entry)))))
371 ;; take just a file name and recurse to get it as a netrc file
372 ;; matching any user, host, and protocol
373 ((stringp entry)
374 (auth-source-backend-parse `(:source ,entry)))
375
376 ;; a file name with parameters
377 ((stringp (plist-get entry :source))
378 (auth-source-backend
379 (plist-get entry :source)
380 :source (plist-get entry :source)
381 :type 'netrc
382 :search-function 'auth-source-netrc-search
383 :create-function 'auth-source-netrc-create))
384
385 ;; the Secrets API. We require the package, in order to have a
386 ;; defined value for `secrets-enabled'.
387 ((and
388 (not (null (plist-get entry :source))) ; the source must not be nil
389 (listp (plist-get entry :source)) ; and it must be a list
390 (require 'secrets nil t) ; and we must load the Secrets API
391 secrets-enabled) ; and that API must be enabled
392
393 ;; the source is either the :secrets key in ENTRY or
394 ;; if that's missing or nil, it's "session"
395 (let ((source (or (plist-get (plist-get entry :source) :secrets)
396 "session")))
397
398 ;; if the source is a symbol, we look for the alias named so,
5415d076 399 ;; and if that alias is missing, we use "Login"
b8e0f0cd
G		 400 (when (symbolp source)
401 (setq source (or (secrets-get-alias (symbol-name source))
5415d076 402 "Login")))
b8e0f0cd 403
ca6ddb88
TZ		 404 (if (featurep 'secrets)
405 (auth-source-backend
406 (format "Secrets API (%s)" source)
407 :source source
408 :type 'secrets
409 :search-function 'auth-source-secrets-search
410 :create-function 'auth-source-secrets-create)
411 (auth-source-do-warn
412 "auth-source-backend-parse: no Secrets API, ignoring spec: %S" entry)
413 (auth-source-backend
414 (format "Ignored Secrets API (%s)" source)
415 :source ""
416 :type 'ignore))))
b8e0f0cd
G		 417
418 ;; none of them
419 (t
ca6ddb88 420 (auth-source-do-warn
b8e0f0cd
G		 421 "auth-source-backend-parse: invalid backend spec: %S" entry)
422 (auth-source-backend
423 "Empty"
424 :source ""
425 :type 'ignore)))))
426
427(defun auth-source-backend-parse-parameters (entry backend)
428 "Fills in the extra auth-source-backend parameters of ENTRY.
35123c04
TZ		 429Using the plist ENTRY, get the :host, :port, and :user search
430parameters."
e45de620
TZ		 431 (let ((entry (if (stringp entry)
432 nil
433 entry))
434 val)
b8e0f0cd
G		 435 (when (setq val (plist-get entry :host))
436 (oset backend host val))
437 (when (setq val (plist-get entry :user))
438 (oset backend user val))
35123c04
TZ		 439 (when (setq val (plist-get entry :port))
440 (oset backend port val)))
b8e0f0cd
G		 441 backend)
442
443;; (mapcar 'auth-source-backend-parse auth-sources)
444
445(defun* auth-source-search (&rest spec
35123c04 446 &key type max host user port secret
733afdf4 447 require create delete
b8e0f0cd
G		 448 &allow-other-keys)
449 "Search or modify authentication backends according to SPEC.
450
451This function parses `auth-sources' for matches of the SPEC
452plist. It can optionally create or update an authentication
453token if requested. A token is just a standard Emacs property
454list with a :secret property that can be a function; all the
455other properties will always hold scalar values.
456
457Typically the :secret property, if present, contains a password.
458
35123c04 459Common search keys are :max, :host, :port, and :user. In
b8e0f0cd
G		 460addition, :create specifies how tokens will be or created.
461Finally, :type can specify which backend types you want to check.
462
463A string value is always matched literally. A symbol is matched
464as its string value, literally. All the SPEC values can be
465single values (symbol or string) or lists thereof (in which case
466any of the search terms matches).
467
468:create t means to create a token if possible.
469
470A new token will be created if no matching tokens were found.
471The new token will have only the keys the backend requires. For
472the netrc backend, for instance, that's the user, host, and
35123c04 473port keys.
b8e0f0cd
G		 474
475Here's an example:
476
477\(let ((auth-source-creation-defaults '((user . \"defaultUser\")
478 (A . \"default A\"))))
479 (auth-source-search :host \"mine\" :type 'netrc :max 1
480 :P \"pppp\" :Q \"qqqq\"
481 :create t))
482
483which says:
484
485\"Search for any entry matching host 'mine' in backends of type
486 'netrc', maximum one result.
487
488 Create a new entry if you found none. The netrc backend will
35123c04 489 automatically require host, user, and port. The host will be
b8e0f0cd 490 'mine'. We prompt for the user with default 'defaultUser' and
35123c04 491 for the port without a default. We will not prompt for A, Q,
b8e0f0cd 492 or P. The resulting token will only have keys user, host, and
35123c04 493 port.\"
b8e0f0cd
G		 494
495:create '(A B C) also means to create a token if possible.
496
497The behavior is like :create t but if the list contains any
498parameter, that parameter will be required in the resulting
499token. The value for that parameter will be obtained from the
500search parameters or from user input. If any queries are needed,
501the alist `auth-source-creation-defaults' will be checked for the
003522ce
G		 502default value. If the user, host, or port are missing, the alist
503`auth-source-creation-prompts' will be used to look up the
504prompts IN THAT ORDER (so the 'user prompt will be queried first,
505then 'host, then 'port, and finally 'secret). Each prompt string
506can use %u, %h, and %p to show the user, host, and port.
b8e0f0cd
G		 507
508Here's an example:
509
510\(let ((auth-source-creation-defaults '((user . \"defaultUser\")
003522ce
G		 511 (A . \"default A\")))
512 (auth-source-creation-prompts
513 '((password . \"Enter IMAP password for %h:%p: \"))))
b8e0f0cd
G		 514 (auth-source-search :host '(\"nonesuch\" \"twosuch\") :type 'netrc :max 1
515 :P \"pppp\" :Q \"qqqq\"
516 :create '(A B Q)))
517
518which says:
519
520\"Search for any entry matching host 'nonesuch'
521 or 'twosuch' in backends of type 'netrc', maximum one result.
522
523 Create a new entry if you found none. The netrc backend will
35123c04 524 automatically require host, user, and port. The host will be
003522ce
G		 525 'nonesuch' and Q will be 'qqqq'. We prompt for the password
526 with the shown prompt. We will not prompt for Q. The resulting
527 token will have keys user, host, port, A, B, and Q. It will not
528 have P with any value, even though P is used in the search to
529 find only entries that have P set to 'pppp'.\"
b8e0f0cd
G		 530
531When multiple values are specified in the search parameter, the
7ba93e94
G		 532user is prompted for which one. So :host (X Y Z) would ask the
533user to choose between X, Y, and Z.
b8e0f0cd
G		 534
535This creation can fail if the search was not specific enough to
536create a new token (it's up to the backend to decide that). You
537should `catch' the backend-specific error as usual. Some
538backends (netrc, at least) will prompt the user rather than throw
539an error.
540
733afdf4
TZ		 541:require (A B C) means that only results that contain those
542tokens will be returned. Thus for instance requiring :secret
543will ensure that any results will actually have a :secret
544property.
545
b8e0f0cd
G		 546:delete t means to delete any found entries. nil by default.
547Use `auth-source-delete' in ELisp code instead of calling
548`auth-source-search' directly with this parameter.
549
550:type (X Y Z) will check only those backend types. 'netrc and
551'secrets are the only ones supported right now.
552
553:max N means to try to return at most N items (defaults to 1).
554When 0 the function will return just t or nil to indicate if any
555matches were found. More than N items may be returned, depending
556on the search and the backend.
557
558:host (X Y Z) means to match only hosts X, Y, or Z according to
559the match rules above. Defaults to t.
560
561:user (X Y Z) means to match only users X, Y, or Z according to
562the match rules above. Defaults to t.
563
35123c04 564:port (P Q R) means to match only protocols P, Q, or R.
b8e0f0cd
G		 565Defaults to t.
566
567:K (V1 V2 V3) for any other key K will match values V1, V2, or
568V3 (note the match rules above).
569
570The return value is a list with at most :max tokens. Each token
35123c04 571is a plist with keys :backend :host :port :user, plus any other
b8e0f0cd
G		 572keys provided by the backend (notably :secret). But note the
573exception for :max 0, which see above.
574
733afdf4
TZ		 575The token can hold a :save-function key. If you call that, the
576user will be prompted to save the data to the backend. You can't
577request that this should happen right after creation, because
578`auth-source-search' has no way of knowing if the token is
579actually useful. So the caller must arrange to call this function.
580
b8e0f0cd
G		 581The token's :secret key can hold a function. In that case you
582must call it to obtain the actual value."
583 (let* ((backends (mapcar 'auth-source-backend-parse auth-sources))
584 (max (or max 1))
733afdf4 585 (ignored-keys '(:require :create :delete :max))
b8e0f0cd
G		 586 (keys (loop for i below (length spec) by 2
587 unless (memq (nth i spec) ignored-keys)
588 collect (nth i spec)))
61e9662e
TZ		 589 (cached (auth-source-remembered-p spec))
590 ;; note that we may have cached results but found is still nil
591 ;; (there were no results from the search)
b8e0f0cd 592 (found (auth-source-recall spec))
4a3988d5 593 filtered-backends accessor-key backend)
b8e0f0cd 594
61e9662e 595 (if (and cached auth-source-do-cache)
b8e0f0cd
G		 596 (auth-source-do-debug
597 "auth-source-search: found %d CACHED results matching %S"
598 (length found) spec)
599
600 (assert
601 (or (eq t create) (listp create)) t
4a3988d5 602 "Invalid auth-source :create parameter (must be t or a list): %s %s")
b8e0f0cd 603
733afdf4
TZ		 604 (assert
605 (listp require) t
606 "Invalid auth-source :require parameter (must be a list): %s")
607
6ce6c742 608 (setq filtered-backends (copy-sequence backends))
b8e0f0cd
G		 609 (dolist (backend backends)
610 (dolist (key keys)
611 ;; ignore invalid slots
612 (condition-case signal
613 (unless (eval `(auth-source-search-collection
614 (plist-get spec key)
615 (oref backend ,key)))
616 (setq filtered-backends (delq backend filtered-backends))
617 (return))
618 (invalid-slot-name))))
619
4a3988d5 620 (auth-source-do-trivia
b8e0f0cd
G		 621 "auth-source-search: found %d backends matching %S"
622 (length filtered-backends) spec)
623
624 ;; (debug spec "filtered" filtered-backends)
1d2c4a49
LI		 625 ;; First go through all the backends without :create, so we can
626 ;; query them all.
4a3988d5
G		 627 (setq found (auth-source-search-backends filtered-backends
628 spec
629 ;; to exit early
630 max
733afdf4
TZ		 631 ;; create is always nil here
632 nil delete
633 require))
4a3988d5
G		 634
635 (auth-source-do-debug
636 "auth-source-search: found %d results (max %d) matching %S"
637 (length found) max spec)
638
1d2c4a49
LI		 639 ;; If we didn't find anything, then we allow the backend(s) to
640 ;; create the entries.
38046520 641 (when (and create
4a3988d5
G		 642 (not found))
643 (setq found (auth-source-search-backends filtered-backends
644 spec
645 ;; to exit early
646 max
733afdf4
TZ		 647 create delete
648 require))
649 (auth-source-do-debug
4a3988d5
G		 650 "auth-source-search: CREATED %d results (max %d) matching %S"
651 (length found) max spec))
652
61e9662e
TZ		 653 ;; note we remember the lack of result too, if it's applicable
654 (when auth-source-do-cache
4a3988d5
G		 655 (auth-source-remember spec found)))
656
657 found))
658
733afdf4 659(defun auth-source-search-backends (backends spec max create delete require)
4a3988d5
G		 660 (let (matches)
661 (dolist (backend backends)
662 (when (> max (length matches)) ; when we need more matches...
733afdf4
TZ		 663 (let* ((bmatches (apply
664 (slot-value backend 'search-function)
665 :backend backend
666 ;; note we're overriding whatever the spec
667 ;; has for :require, :create, and :delete
668 :require require
669 :create create
670 :delete delete
671 spec)))
4a3988d5
G		 672 (when bmatches
673 (auth-source-do-trivia
674 "auth-source-search-backend: got %d (max %d) in %s:%s matching %S"
675 (length bmatches) max
676 (slot-value backend :type)
677 (slot-value backend :source)
678 spec)
679 (setq matches (append matches bmatches))))))
680 matches))
b8e0f0cd
G		 681
682;;; (auth-source-search :max 1)
683;;; (funcall (plist-get (nth 0 (auth-source-search :max 1)) :secret))
684;;; (auth-source-search :host "nonesuch" :type 'netrc :K 1)
685;;; (auth-source-search :host "nonesuch" :type 'secrets)
686
687(defun* auth-source-delete (&rest spec
688 &key delete
689 &allow-other-keys)
690 "Delete entries from the authentication backends according to SPEC.
691Calls `auth-source-search' with the :delete property in SPEC set to t.
692The backend may not actually delete the entries.
693
694Returns the deleted entries."
695 (auth-source-search (plist-put spec :delete t)))
696
697(defun auth-source-search-collection (collection value)
698 "Returns t is VALUE is t or COLLECTION is t or contains VALUE."
699 (when (and (atom collection) (not (eq t collection)))
700 (setq collection (list collection)))
701
702 ;; (debug :collection collection :value value)
703 (or (eq collection t)
704 (eq value t)
705 (equal collection value)
706 (member value collection)))
ed778fad 707
74e8193b
KY		 708(defvar auth-source-netrc-cache nil)
709
3b36c17e 710(defun auth-source-forget-all-cached ()
b8e0f0cd 711 "Forget all cached auth-source data."
3b36c17e 712 (interactive)
b8e0f0cd
G		 713 (loop for sym being the symbols of password-data
714 ;; when the symbol name starts with auth-source-magic
715 when (string-match (concat "^" auth-source-magic)
716 (symbol-name sym))
717 ;; remove that key
ddb7ffee
LMI		 718 do (password-cache-remove (symbol-name sym)))
719 (setq auth-source-netrc-cache nil))
b8e0f0cd
G		 720
721(defun auth-source-remember (spec found)
722 "Remember FOUND search results for SPEC."
584c9d3f
G		 723 (let ((password-cache-expiry auth-source-cache-expiry))
724 (password-cache-add
725 (concat auth-source-magic (format "%S" spec)) found)))
b8e0f0cd
G		 726
727(defun auth-source-recall (spec)
728 "Recall FOUND search results for SPEC."
729 (password-read-from-cache
730 (concat auth-source-magic (format "%S" spec))))
731
61e9662e
TZ		 732(defun auth-source-remembered-p (spec)
733 "Check if SPEC is remembered."
734 (password-in-cache-p
735 (concat auth-source-magic (format "%S" spec))))
736
b8e0f0cd
G		 737(defun auth-source-forget (spec)
738 "Forget any cached data matching SPEC exactly.
739
740This is the same SPEC you passed to `auth-source-search'.
741Returns t or nil for forgotten or not found."
742 (password-cache-remove (concat auth-source-magic (format "%S" spec))))
743
744;;; (loop for sym being the symbols of password-data when (string-match (concat "^" auth-source-magic) (symbol-name sym)) collect (symbol-name sym))
745
746;;; (auth-source-remember '(:host "wedd") '(4 5 6))
61e9662e 747;;; (auth-source-remembered-p '(:host "wedd"))
b8e0f0cd 748;;; (auth-source-remember '(:host "xedd") '(1 2 3))
61e9662e
TZ		 749;;; (auth-source-remembered-p '(:host "xedd"))
750;;; (auth-source-remembered-p '(:host "zedd"))
b8e0f0cd
G		 751;;; (auth-source-recall '(:host "xedd"))
752;;; (auth-source-recall '(:host t))
753;;; (auth-source-forget+ :host t)
754
755(defun* auth-source-forget+ (&rest spec &allow-other-keys)
756 "Forget any cached data matching SPEC. Returns forgotten count.
757
758This is not a full `auth-source-search' spec but works similarly.
759For instance, \(:host \"myhost\" \"yourhost\") would find all the
760cached data that was found with a search for those two hosts,
761while \(:host t) would find all host entries."
762 (let ((count 0)
763 sname)
764 (loop for sym being the symbols of password-data
765 ;; when the symbol name matches with auth-source-magic
766 when (and (setq sname (symbol-name sym))
767 (string-match (concat "^" auth-source-magic "\\(.+\\)")
768 sname)
769 ;; and the spec matches what was stored in the cache
770 (auth-source-specmatchp spec (read (match-string 1 sname))))
771 ;; remove that key
772 do (progn
773 (password-cache-remove sname)
774 (incf count)))
775 count))
776
777(defun auth-source-specmatchp (spec stored)
778 (let ((keys (loop for i below (length spec) by 2
779 collect (nth i spec))))
780 (not (eq
781 (dolist (key keys)
782 (unless (auth-source-search-collection (plist-get stored key)
783 (plist-get spec key))
784 (return 'no)))
785 'no))))
786
f3b54b0e
TZ		 787;;; (auth-source-pick-first-password :host "z.lifelogs.com")
788;;; (auth-source-pick-first-password :port "imap")
789(defun auth-source-pick-first-password (&rest spec)
790 "Pick the first secret found from applying SPEC to `auth-source-search'."
791 (let* ((result (nth 0 (apply 'auth-source-search (plist-put spec :max 1))))
792 (secret (plist-get result :secret)))
793
794 (if (functionp secret)
795 (funcall secret)
796 secret)))
797
798;; (auth-source-format-prompt "test %u %h %p" '((?u "user") (?h "host")))
799(defun auth-source-format-prompt (prompt alist)
800 "Format PROMPT using %x (for any character x) specifiers in ALIST."
801 (dolist (cell alist)
802 (let ((c (nth 0 cell))
803 (v (nth 1 cell)))
804 (when (and c v)
4248cca2
TZ		 805 (setq prompt (replace-regexp-in-string (format "%%%c" c)
806 (format "%s" v)
807 prompt)))))
f3b54b0e 808 prompt)
b8e0f0cd 809
8e22bee0
G		 810(defun auth-source-ensure-strings (values)
811 (unless (listp values)
812 (setq values (list values)))
813 (mapcar (lambda (value)
814 (if (numberp value)
815 (format "%s" value)
816 value))
817 values))
818
f3b54b0e
TZ		 819;;; Backend specific parsing: netrc/authinfo backend
820
b8e0f0cd
G		 821;;; (auth-source-netrc-parse "~/.authinfo.gpg")
822(defun* auth-source-netrc-parse (&rest
823 spec
733afdf4 824 &key file max host user port delete require
b8e0f0cd
G		 825 &allow-other-keys)
826 "Parse FILE and return a list of all entries in the file.
827Note that the MAX parameter is used so we can exit the parse early."
828 (if (listp file)
829 ;; We got already parsed contents; just return it.
830 file
831 (when (file-exists-p file)
8e22bee0 832 (setq port (auth-source-ensure-strings port))
b8e0f0cd 833 (with-temp-buffer
4a3988d5
G		 834 (let* ((tokens '("machine" "host" "default" "login" "user"
835 "password" "account" "macdef" "force"
836 "port" "protocol"))
837 (max (or max 5000)) ; sanity check: default to stop at 5K
838 (modified 0)
839 (cached (cdr-safe (assoc file auth-source-netrc-cache)))
840 (cached-mtime (plist-get cached :mtime))
841 (cached-secrets (plist-get cached :secret))
842 alist elem result pair)
843
844 (if (and (functionp cached-secrets)
845 (equal cached-mtime
846 (nth 5 (file-attributes file))))
847 (progn
848 (auth-source-do-trivia
849 "auth-source-netrc-parse: using CACHED file data for %s"
850 file)
851 (insert (funcall cached-secrets)))
852 (insert-file-contents file)
853 ;; cache all netrc files (used to be just .gpg files)
854 ;; Store the contents of the file heavily encrypted in memory.
855 ;; (note for the irony-impaired: they are just obfuscated)
856 (aput 'auth-source-netrc-cache file
857 (list :mtime (nth 5 (file-attributes file))
858 :secret (lexical-let ((v (rot13-string
859 (base64-encode-string
860 (buffer-string)))))
861 (lambda () (base64-decode-string
862 (rot13-string v)))))))
b8e0f0cd
G		 863 (goto-char (point-min))
864 ;; Go through the file, line by line.
865 (while (and (not (eobp))
866 (> max 0))
867
868 (narrow-to-region (point) (point-at-eol))
869 ;; For each line, get the tokens and values.
870 (while (not (eobp))
871 (skip-chars-forward "\t ")
872 ;; Skip lines that begin with a "#".
873 (if (eq (char-after) ?#)
874 (goto-char (point-max))
875 (unless (eobp)
876 (setq elem
877 (if (= (following-char) ?\")
878 (read (current-buffer))
879 (buffer-substring
880 (point) (progn (skip-chars-forward "^\t ")
881 (point)))))
882 (cond
883 ((equal elem "macdef")
884 ;; We skip past the macro definition.
885 (widen)
886 (while (and (zerop (forward-line 1))
887 (looking-at "$")))
888 (narrow-to-region (point) (point)))
889 ((member elem tokens)
890 ;; Tokens that don't have a following value are ignored,
891 ;; except "default".
892 (when (and pair (or (cdr pair)
893 (equal (car pair) "default")))
894 (push pair alist))
895 (setq pair (list elem)))
896 (t
897 ;; Values that haven't got a preceding token are ignored.
898 (when pair
899 (setcdr pair elem)
900 (push pair alist)
901 (setq pair nil)))))))
902
903 (when (and alist
904 (> max 0)
905 (auth-source-search-collection
906 host
907 (or
908 (aget alist "machine")
35123c04
TZ		 909 (aget alist "host")
910 t))
b8e0f0cd
G		 911 (auth-source-search-collection
912 user
913 (or
914 (aget alist "login")
915 (aget alist "account")
35123c04
TZ		 916 (aget alist "user")
917 t))
b8e0f0cd 918 (auth-source-search-collection
35123c04 919 port
b8e0f0cd
G		 920 (or
921 (aget alist "port")
35123c04 922 (aget alist "protocol")
733afdf4
TZ		 923 t))
924 (or
925 ;; the required list of keys is nil, or
926 (null require)
927 ;; every element of require is in the normalized list
928 (let ((normalized (nth 0 (auth-source-netrc-normalize
2b8c5660 929 (list alist) file))))
733afdf4
TZ		 930 (loop for req in require
931 always (plist-get normalized req)))))
b8e0f0cd
G		 932 (decf max)
933 (push (nreverse alist) result)
934 ;; to delete a line, we just comment it out
935 (when delete
936 (goto-char (point-min))
937 (insert "#")
938 (incf modified)))
939 (setq alist nil
940 pair nil)
941 (widen)
942 (forward-line 1))
943
944 (when (< 0 modified)
945 (when auth-source-gpg-encrypt-to
946 ;; (see bug#7487) making `epa-file-encrypt-to' local to
947 ;; this buffer lets epa-file skip the key selection query
948 ;; (see the `local-variable-p' check in
949 ;; `epa-file-write-region').
950 (unless (local-variable-p 'epa-file-encrypt-to (current-buffer))
951 (make-local-variable 'epa-file-encrypt-to))
952 (if (listp auth-source-gpg-encrypt-to)
953 (setq epa-file-encrypt-to auth-source-gpg-encrypt-to)))
954
955 ;; ask AFTER we've successfully opened the file
733afdf4 956 (when (y-or-n-p (format "Save file %s? (%d deletions)"
b8e0f0cd
G		 957 file modified))
958 (write-region (point-min) (point-max) file nil 'silent)
959 (auth-source-do-debug
960 "auth-source-netrc-parse: modified %d lines in %s"
961 modified file)))
962
963 (nreverse result))))))
964
2b8c5660
TZ		 965(defmacro with-auth-source-epa-overrides (&rest body)
966 `(let ((file-name-handler-alist
967 ',(if (boundp 'epa-file-handler)
968 (remove (symbol-value 'epa-file-handler)
969 file-name-handler-alist)
970 file-name-handler-alist))
61e6a0ac
TZ		 971 (,(if (boundp 'find-file-hook) 'find-file-hook 'find-file-hooks)
972 ',(remove
973 'epa-file-find-file-hook
60a0884e
G		 974 (if (boundp 'find-file-hook)
975 (symbol-value 'find-file-hook)
976 (symbol-value 'find-file-hooks))))
2b8c5660
TZ		 977 (auto-mode-alist
978 ',(if (boundp 'epa-file-auto-mode-alist-entry)
979 (remove (symbol-value 'epa-file-auto-mode-alist-entry)
980 auto-mode-alist)
981 auto-mode-alist)))
982 ,@body))
983
984(defun auth-source-epa-make-gpg-token (secret file)
985 (require 'epa nil t)
986 (unless (featurep 'epa)
987 (error "EPA could not be loaded."))
988 (let* ((base (file-name-sans-extension file))
989 (passkey (format "gpg:-%s" base))
990 (stash (concat base ".gpg"))
991 ;; temporarily disable EPA
992 (stashfile
993 (with-auth-source-epa-overrides
994 (make-temp-file "gpg-token" nil
995 stash)))
996 (epa-file-passphrase-alist
997 `((,stashfile
998 . ,(password-read
999 (format
1000 "token pass for %s? "
1001 file)
1002 passkey)))))
1003 (write-region secret nil stashfile)
1004 ;; temporarily disable EPA
1005 (unwind-protect
1006 (with-auth-source-epa-overrides
1007 (with-temp-buffer
1008 (insert-file-contents stashfile)
1009 (base64-encode-region (point-min) (point-max) t)
1010 (concat "gpg:"
1011 (buffer-substring-no-properties
1012 (point-min)
1013 (point-max)))))
1014 (delete-file stashfile))))
1015
1016(defun auth-source-netrc-normalize (alist filename)
b8e0f0cd
G		 1017 (mapcar (lambda (entry)
1018 (let (ret item)
1019 (while (setq item (pop entry))
1020 (let ((k (car item))
1021 (v (cdr item)))
1022
1023 ;; apply key aliases
1024 (setq k (cond ((member k '("machine")) "host")
1025 ((member k '("login" "account")) "user")
1026 ((member k '("protocol")) "port")
1027 ((member k '("password")) "secret")
1028 (t k)))
1029
1030 ;; send back the secret in a function (lexical binding)
1031 (when (equal k "secret")
2b8c5660
TZ		 1032 (setq v (lexical-let ((v v)
1033 (filename filename)
1034 (base (file-name-nondirectory
1035 filename))
1036 (token-decoder nil)
1037 (gpgdata nil)
1038 (stash nil))
1039 (setq stash (concat base ".gpg"))
1040 (when (string-match "gpg:\\(.+\\)" v)
1041 (require 'epa nil t)
1042 (unless (featurep 'epa)
1043 (error "EPA could not be loaded."))
1044 (setq gpgdata (base64-decode-string
1045 (match-string 1 v)))
1046 ;; it's a GPG token
1047 (setq
1048 token-decoder
1049 (lambda (gpgdata)
1050;;; FIXME: this relies on .gpg files being handled by EPA/EPG
1051 (let* ((passkey (format "gpg:-%s" base))
1052 ;; temporarily disable EPA
1053 (stashfile
1054 (with-auth-source-epa-overrides
1055 (make-temp-file "gpg-token" nil
1056 stash)))
1057 (epa-file-passphrase-alist
1058 `((,stashfile
1059 . ,(password-read
1060 (format
1061 "token pass for %s? "
1062 filename)
1063 passkey)))))
1064 (unwind-protect
1065 (progn
1066 ;; temporarily disable EPA
1067 (with-auth-source-epa-overrides
1068 (write-region gpgdata
1069 nil
1070 stashfile))
1071 (setq
1072 v
1073 (with-temp-buffer
1074 (insert-file-contents stashfile)
1075 (buffer-substring-no-properties
1076 (point-min)
1077 (point-max)))))
1078 (delete-file stashfile)))
1079 ;; clear out the decoder at end
1080 (setq token-decoder nil
1081 gpgdata nil))))
1082 (lambda ()
1083 (when token-decoder
1084 (funcall token-decoder gpgdata))
1085 v))))
1086 (setq ret (plist-put ret
1087 (intern (concat ":" k))
1088 v))))
1089 ret))
1090 alist))
b8e0f0cd
G		 1091
1092;;; (setq secret (plist-get (nth 0 (auth-source-search :host t :type 'netrc :K 1 :max 1)) :secret))
1093;;; (funcall secret)
1094
1095(defun* auth-source-netrc-search (&rest
1096 spec
733afdf4 1097 &key backend require create delete
35123c04 1098 type max host user port
b8e0f0cd
G		 1099 &allow-other-keys)
1100"Given a property list SPEC, return search matches from the :backend.
1101See `auth-source-search' for details on SPEC."
1102 ;; just in case, check that the type is correct (null or same as the backend)
1103 (assert (or (null type) (eq type (oref backend type)))
d5e9a4e9 1104 t "Invalid netrc search: %s %s")
b8e0f0cd
G		 1105
1106 (let ((results (auth-source-netrc-normalize
1107 (auth-source-netrc-parse
1108 :max max
733afdf4 1109 :require require
b8e0f0cd
G		 1110 :delete delete
1111 :file (oref backend source)
1112 :host (or host t)
1113 :user (or user t)
2b8c5660
TZ		 1114 :port (or port t))
1115 (oref backend source))))
b8e0f0cd
G		 1116
1117 ;; if we need to create an entry AND none were found to match
1118 (when (and create
4a3988d5 1119 (not results))
b8e0f0cd 1120
584c9d3f
G		 1121 ;; create based on the spec and record the value
1122 (setq results (or
1123 ;; if the user did not want to create the entry
1124 ;; in the file, it will be returned
1125 (apply (slot-value backend 'create-function) spec)
1126 ;; if not, we do the search again without :create
1127 ;; to get the updated data.
1128
1129 ;; the result will be returned, even if the search fails
1130 (apply 'auth-source-netrc-search
1131 (plist-put spec :create nil)))))
b8e0f0cd
G		 1132 results))
1133
fa41748c
G		 1134(defun auth-source-netrc-element-or-first (v)
1135 (if (listp v)
1136 (nth 0 v)
1137 v))
1138
b8e0f0cd
G		 1139;;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t)
1140;;; (auth-source-search :host "nonesuch" :type 'netrc :max 1 :create t :create-extra-keys '((A "default A") (B)))
1141
1142(defun* auth-source-netrc-create (&rest spec
1143 &key backend
35123c04 1144 secret host user port create
b8e0f0cd 1145 &allow-other-keys)
35123c04 1146 (let* ((base-required '(host user port secret))
b8e0f0cd
G		 1147 ;; we know (because of an assertion in auth-source-search) that the
1148 ;; :create parameter is either t or a list (which includes nil)
1149 (create-extra (if (eq t create) nil create))
ddb7ffee
LMI		 1150 (current-data (car (auth-source-search :max 1
1151 :host host
1152 :port port)))
b8e0f0cd
G		 1153 (required (append base-required create-extra))
1154 (file (oref backend source))
1155 (add "")
1156 ;; `valist' is an alist
584c9d3f
G		 1157 valist
1158 ;; `artificial' will be returned if no creation is needed
1159 artificial)
b8e0f0cd
G		 1160
1161 ;; only for base required elements (defined as function parameters):
1162 ;; fill in the valist with whatever data we may have from the search
7ba93e94 1163 ;; we complete the first value if it's a list and use the value otherwise
b8e0f0cd
G		 1164 (dolist (br base-required)
1165 (when (symbol-value br)
7ba93e94
G		 1166 (let ((br-choice (cond
1167 ;; all-accepting choice (predicate is t)
1168 ((eq t (symbol-value br)) nil)
1169 ;; just the value otherwise
1170 (t (symbol-value br)))))
1171 (when br-choice
1172 (aput 'valist br br-choice)))))
b8e0f0cd
G		 1173
1174 ;; for extra required elements, see if the spec includes a value for them
1175 (dolist (er create-extra)
1176 (let ((name (concat ":" (symbol-name er)))
1177 (keys (loop for i below (length spec) by 2
1178 collect (nth i spec))))
1179 (dolist (k keys)
1180 (when (equal (symbol-name k) name)
1181 (aput 'valist er (plist-get spec k))))))
1182
1183 ;; for each required element
1184 (dolist (r required)
1185 (let* ((data (aget valist r))
4a3988d5 1186 ;; take the first element if the data is a list
ddb7ffee
LMI		 1187 (data (or (auth-source-netrc-element-or-first data)
1188 (plist-get current-data
1189 (intern (format ":%s" r) obarray))))
4a3988d5 1190 ;; this is the default to be offered
b8e0f0cd 1191 (given-default (aget auth-source-creation-defaults r))
733afdf4
TZ		 1192 ;; the default supplementals are simple:
1193 ;; for the user, try `given-default' and then (user-login-name);
1194 ;; otherwise take `given-default'
b8e0f0cd 1195 (default (cond
733afdf4
TZ		 1196 ((and (not given-default) (eq r 'user))
1197 (user-login-name))
003522ce
G		 1198 (t given-default)))
1199 (printable-defaults (list
1200 (cons 'user
1201 (or
1202 (auth-source-netrc-element-or-first
1203 (aget valist 'user))
1204 (plist-get artificial :user)
1205 "[any user]"))
1206 (cons 'host
1207 (or
1208 (auth-source-netrc-element-or-first
1209 (aget valist 'host))
1210 (plist-get artificial :host)
1211 "[any host]"))
1212 (cons 'port
1213 (or
1214 (auth-source-netrc-element-or-first
1215 (aget valist 'port))
1216 (plist-get artificial :port)
1217 "[any port]"))))
1218 (prompt (or (aget auth-source-creation-prompts r)
1219 (case r
733afdf4
TZ		 1220 (secret "%p password for %u@%h: ")
1221 (user "%p user name for %h: ")
1222 (host "%p host name for user %u: ")
1223 (port "%p port for %u@%h: "))
003522ce
G		 1224 (format "Enter %s (%%u@%%h:%%p): " r)))
1225 (prompt (auth-source-format-prompt
1226 prompt
1227 `((?u ,(aget printable-defaults 'user))
1228 (?h ,(aget printable-defaults 'host))
1229 (?p ,(aget printable-defaults 'port))))))
4a3988d5 1230
aa2ebce9 1231 ;; Store the data, prompting for the password if needed.
4a3988d5
G		 1232 (setq data
1233 (cond
1234 ((and (null data) (eq r 'secret))
aa2ebce9 1235 ;; Special case prompt for passwords.
61e6a0ac
TZ		 1236;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg)))
1237;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never)
1238 (let* ((ep (format "Use GPG password tokens in %s?" file))
2b8c5660 1239 (gpg-encrypt
61e6a0ac
TZ		 1240 (cond
1241 ((eq auth-source-netrc-use-gpg-tokens 'never)
1242 'never)
1243 ((listp auth-source-netrc-use-gpg-tokens)
1244 (let ((check (copy-sequence
1245 auth-source-netrc-use-gpg-tokens))
1246 item ret)
1247 (while check
1248 (setq item (pop check))
1249 (when (or (eq (car item) t)
1250 (string-match (car item) file))
1251 (setq ret (cdr item))
1252 (setq check nil)))))
1253 (t 'never)))
2b8c5660 1254 (plain (read-passwd prompt)))
61e6a0ac
TZ		 1255 ;; ask if we don't know what to do (in which case
1256 ;; auth-source-netrc-use-gpg-tokens must be a list)
1257 (unless gpg-encrypt
1258 (setq gpg-encrypt (if (y-or-n-p ep) 'gpg 'never))
1259 ;; TODO: save the defcustom now? or ask?
1260 (setq auth-source-netrc-use-gpg-tokens
1261 (cons `(,file ,gpg-encrypt)
1262 auth-source-netrc-use-gpg-tokens)))
1263 (if (eq gpg-encrypt 'gpg)
2b8c5660
TZ		 1264 (auth-source-epa-make-gpg-token plain file)
1265 plain)))
003522ce 1266 ((null data)
67613d31 1267 (when default
aa2ebce9
SM		 1268 (setq prompt
1269 (if (string-match ": *\\'" prompt)
1270 (concat (substring prompt 0 (match-beginning 0))
1271 " (default " default "): ")
1272 (concat prompt "(default " default ") "))))
4248cca2 1273 (read-string prompt nil nil default))
fa41748c 1274 (t (or data default))))
b8e0f0cd 1275
584c9d3f
G		 1276 (when data
1277 (setq artificial (plist-put artificial
1278 (intern (concat ":" (symbol-name r)))
1279 (if (eq r 'secret)
1280 (lexical-let ((data data))
1281 (lambda () data))
1282 data))))
1283
aa2ebce9 1284 ;; When r is not an empty string...
b8e0f0cd
G		 1285 (when (and (stringp data)
1286 (< 0 (length data)))
4a3988d5
G		 1287 ;; this function is not strictly necessary but I think it
1288 ;; makes the code clearer -tzz
1289 (let ((printer (lambda ()
7ba93e94
G		 1290 ;; append the key (the symbol name of r)
1291 ;; and the value in r
6a6e4d93 1292 (format "%s%s %s"
7ba93e94
G		 1293 ;; prepend a space
1294 (if (zerop (length add)) "" " ")
1295 ;; remap auth-source tokens to netrc
1296 (case r
0adf5618
SM		 1297 (user "login")
1298 (host "machine")
1299 (secret "password")
1300 (port "port") ; redundant but clearer
b8e0f0cd 1301 (t (symbol-name r)))
6a6e4d93
LMI		 1302 (if (string-match "[\" ]" data)
1303 (format "%S" data)
1304 data)))))
4a3988d5 1305 (setq add (concat add (funcall printer)))))))
b8e0f0cd 1306
733afdf4
TZ		 1307 (plist-put
1308 artificial
1309 :save-function
1310 (lexical-let ((file file)
1311 (add add))
1312 (lambda () (auth-source-netrc-saver file add))))
1313
1314 (list artificial)))
1315
4248cca2 1316;;(funcall (plist-get (nth 0 (auth-source-search :host '("nonesuch2") :user "tzz" :port "imap" :create t :max 1)) :save-function))
733afdf4
TZ		 1317(defun auth-source-netrc-saver (file add)
1318 "Save a line ADD in FILE, prompting along the way.
4248cca2
TZ		 1319Respects `auth-source-save-behavior'. Uses
1320`auth-source-netrc-cache' to avoid prompting more than once."
1321 (let* ((key (format "%s %s" file (rfc2104-hash 'md5 64 16 file add)))
1322 (cached (assoc key auth-source-netrc-cache)))
1323
1324 (if cached
1325 (auth-source-do-trivia
1326 "auth-source-netrc-saver: found previous run for key %s, returning"
1327 key)
1328 (with-temp-buffer
1329 (when (file-exists-p file)
1330 (insert-file-contents file))
1331 (when auth-source-gpg-encrypt-to
1332 ;; (see bug#7487) making `epa-file-encrypt-to' local to
1333 ;; this buffer lets epa-file skip the key selection query
1334 ;; (see the `local-variable-p' check in
1335 ;; `epa-file-write-region').
1336 (unless (local-variable-p 'epa-file-encrypt-to (current-buffer))
1337 (make-local-variable 'epa-file-encrypt-to))
1338 (if (listp auth-source-gpg-encrypt-to)
1339 (setq epa-file-encrypt-to auth-source-gpg-encrypt-to)))
1340 ;; we want the new data to be found first, so insert at beginning
1341 (goto-char (point-min))
1342
aa2ebce9 1343 ;; Ask AFTER we've successfully opened the file.
4248cca2
TZ		 1344 (let ((prompt (format "Save auth info to file %s? " file))
1345 (done (not (eq auth-source-save-behavior 'ask)))
1346 (bufname "*auth-source Help*")
1347 k)
1348 (while (not done)
1349 (setq k (auth-source-read-char-choice prompt '(?y ?n ?N ?e ??)))
1350 (case k
1351 (?y (setq done t))
1352 (?? (save-excursion
1353 (with-output-to-temp-buffer bufname
1354 (princ
1355 (concat "(y)es, save\n"
1356 "(n)o but use the info\n"
1357 "(N)o and don't ask to save again\n"
1358 "(e)dit the line\n"
1359 "(?) for help as you can see.\n"))
aa2ebce9
SM		 1360 ;; Why? Doesn't with-output-to-temp-buffer already do
1361 ;; the exact same thing anyway? --Stef
4248cca2
TZ		 1362 (set-buffer standard-output)
1363 (help-mode))))
1364 (?n (setq add ""
1365 done t))
1366 (?N (setq add ""
1367 done t
1368 auth-source-save-behavior nil))
1369 (?e (setq add (read-string "Line to add: " add)))
1370 (t nil)))
1371
1372 (when (get-buffer-window bufname)
1373 (delete-window (get-buffer-window bufname)))
1374
aa2ebce9 1375 ;; Make sure the info is not saved.
4248cca2
TZ		 1376 (when (null auth-source-save-behavior)
1377 (setq add ""))
1378
1379 (when (< 0 (length add))
1380 (progn
1381 (unless (bolp)
1382 (insert "\n"))
1383 (insert add "\n")
1384 (write-region (point-min) (point-max) file nil 'silent)
1385 (auth-source-do-debug
1386 "auth-source-netrc-create: wrote 1 new line to %s"
1387 file)
1388 (message "Saved new authentication information to %s" file)
1389 nil))))
1390 (aput 'auth-source-netrc-cache key "ran"))))
b8e0f0cd
G		 1391
1392;;; Backend specific parsing: Secrets API backend
1393
1394;;; (let ((auth-sources '(default))) (auth-source-search :max 1 :create t))
1395;;; (let ((auth-sources '(default))) (auth-source-search :max 1 :delete t))
1396;;; (let ((auth-sources '(default))) (auth-source-search :max 1))
1397;;; (let ((auth-sources '(default))) (auth-source-search))
5415d076
G		 1398;;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1))
1399;;; (let ((auth-sources '("secrets:Login"))) (auth-source-search :max 1 :signon_realm "https://git.gnus.org/Git"))
b8e0f0cd
G		 1400
1401(defun* auth-source-secrets-search (&rest
1402 spec
1403 &key backend create delete label
35123c04 1404 type max host user port
b8e0f0cd
G		 1405 &allow-other-keys)
1406 "Search the Secrets API; spec is like `auth-source'.
1407
1408The :label key specifies the item's label. It is the only key
1409that can specify a substring. Any :label value besides a string
1410will allow any label.
1411
1412All other search keys must match exactly. If you need substring
1413matching, do a wider search and narrow it down yourself.
1414
1415You'll get back all the properties of the token as a plist.
1416
5415d076 1417Here's an example that looks for the first item in the 'Login'
b8e0f0cd
G		 1418Secrets collection:
1419
5415d076 1420 \(let ((auth-sources '(\"secrets:Login\")))
b8e0f0cd
G		 1421 (auth-source-search :max 1)
1422
5415d076 1423Here's another that looks for the first item in the 'Login'
b8e0f0cd
G		 1424Secrets collection whose label contains 'gnus':
1425
5415d076 1426 \(let ((auth-sources '(\"secrets:Login\")))
b8e0f0cd
G		 1427 (auth-source-search :max 1 :label \"gnus\")
1428
5415d076 1429And this one looks for the first item in the 'Login' Secrets
b8e0f0cd 1430collection that's a Google Chrome entry for the git.gnus.org site
5415d076 1431authentication tokens:
b8e0f0cd 1432
5415d076 1433 \(let ((auth-sources '(\"secrets:Login\")))
b8e0f0cd
G		 1434 (auth-source-search :max 1 :signon_realm \"https://git.gnus.org/Git\"))
1435"
1436
1437 ;; TODO
1438 (assert (not create) nil
1439 "The Secrets API auth-source backend doesn't support creation yet")
1440 ;; TODO
1441 ;; (secrets-delete-item coll elt)
1442 (assert (not delete) nil
1443 "The Secrets API auth-source backend doesn't support deletion yet")
1444
1445 (let* ((coll (oref backend source))
1446 (max (or max 5000)) ; sanity check: default to stop at 5K
1447 (ignored-keys '(:create :delete :max :backend :label))
1448 (search-keys (loop for i below (length spec) by 2
1449 unless (memq (nth i spec) ignored-keys)
1450 collect (nth i spec)))
1451 ;; build a search spec without the ignored keys
1452 ;; if a search key is nil or t (match anything), we skip it
5415d076
G		 1453 (search-spec (apply 'append (mapcar
1454 (lambda (k)
1455 (if (or (null (plist-get spec k))
1456 (eq t (plist-get spec k)))
1457 nil
1458 (list k (plist-get spec k))))
1459 search-keys)))
35123c04 1460 ;; needed keys (always including host, login, port, and secret)
d638ac9e 1461 (returned-keys (mm-delete-duplicates (append
35123c04 1462 '(:host :login :port :secret)
d638ac9e 1463 search-keys)))
b8e0f0cd
G		 1464 (items (loop for item in (apply 'secrets-search-items coll search-spec)
1465 unless (and (stringp label)
1466 (not (string-match label item)))
1467 collect item))
1468 ;; TODO: respect max in `secrets-search-items', not after the fact
5415d076 1469 (items (butlast items (- (length items) max)))
b8e0f0cd
G		 1470 ;; convert the item name to a full plist
1471 (items (mapcar (lambda (item)
1472 (append
1473 ;; make an entry for the secret (password) element
1474 (list
1475 :secret
1476 (lexical-let ((v (secrets-get-secret coll item)))
1477 (lambda () v)))
1478 ;; rewrite the entry from ((k1 v1) (k2 v2)) to plist
5415d076
G		 1479 (apply 'append
1480 (mapcar (lambda (entry)
1481 (list (car entry) (cdr entry)))
1482 (secrets-get-attributes coll item)))))
b8e0f0cd
G		 1483 items))
1484 ;; ensure each item has each key in `returned-keys'
1485 (items (mapcar (lambda (plist)
1486 (append
5415d076
G		 1487 (apply 'append
1488 (mapcar (lambda (req)
1489 (if (plist-get plist req)
1490 nil
1491 (list req nil)))
1492 returned-keys))
b8e0f0cd
G		 1493 plist))
1494 items)))
1495 items))
1496
1497(defun* auth-source-secrets-create (&rest
1498 spec
35123c04 1499 &key backend type max host user port
b8e0f0cd
G		 1500 &allow-other-keys)
1501 ;; TODO
1502 ;; (apply 'secrets-create-item (auth-get-source entry) name passwd spec)
1503 (debug spec))
1504
1505;;; older API
1506
1507;;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" t "tzz")
1508
1509;; deprecate the old interface
1510(make-obsolete 'auth-source-user-or-password
1511 'auth-source-search "Emacs 24.1")
1512(make-obsolete 'auth-source-forget-user-or-password
1513 'auth-source-forget "Emacs 24.1")
fb178e4c 1514
0e4966fb 1515(defun auth-source-user-or-password
35123c04
TZ		 1516 (mode host port &optional username create-missing delete-existing)
1517 "Find MODE (string or list of strings) matching HOST and PORT.
fb178e4c 1518
b8e0f0cd
G		 1519DEPRECATED in favor of `auth-source-search'!
1520
fb178e4c
KY		 1521USERNAME is optional and will be used as \"login\" in a search
1522across the Secret Service API (see secrets.el) if the resulting
1523items don't have a username. This means that if you search for
1524username \"joe\" and it matches an item but the item doesn't have
1525a :user attribute, the username \"joe\" will be returned.
1526
0e4966fb
MA		 1527A non nil DELETE-EXISTING means deleting any matching password
1528entry in the respective sources. This is useful only when
1529CREATE-MISSING is non nil as well; the intended use case is to
1530remove wrong password entries.
1531
1532If no matching entry is found, and CREATE-MISSING is non nil,
1533the password will be retrieved interactively, and it will be
1534stored in the password database which matches best (see
1535`auth-sources').
1536
1537MODE can be \"login\" or \"password\"."
554a69b8 1538 (auth-source-do-debug
b8e0f0cd 1539 "auth-source-user-or-password: DEPRECATED get %s for %s (%s) + user=%s"
35123c04 1540 mode host port username)
b8e0f0cd 1541
3b36c17e 1542 (let* ((listy (listp mode))
cbabe91f
TZ		 1543 (mode (if listy mode (list mode)))
1544 (cname (if username
35123c04
TZ		 1545 (format "%s %s:%s %s" mode host port username)
1546 (format "%s %s:%s" mode host port)))
1547 (search (list :host host :port port))
cbabe91f 1548 (search (if username (append search (list :user username)) search))
b8e0f0cd
G		 1549 (search (if create-missing
1550 (append search (list :create t))
1551 search))
1552 (search (if delete-existing
1553 (append search (list :delete t))
1554 search))
1555 ;; (found (if (not delete-existing)
1556 ;; (gethash cname auth-source-cache)
1557 ;; (remhash cname auth-source-cache)
1558 ;; nil)))
1559 (found nil))
ed778fad 1560 (if found
cbabe91f
TZ		 1561 (progn
1562 (auth-source-do-debug
b8e0f0cd 1563 "auth-source-user-or-password: DEPRECATED cached %s=%s for %s (%s) + %s"
cbabe91f
TZ		 1564 mode
1565 ;; don't show the password
b8e0f0cd 1566 (if (and (member "password" mode) t)
cbabe91f
TZ		 1567 "SECRET"
1568 found)
35123c04 1569 host port username)
cbabe91f 1570 found) ; return the found data
b8e0f0cd
G		 1571 ;; else, if not found, search with a max of 1
1572 (let ((choice (nth 0 (apply 'auth-source-search
1573 (append '(:max 1) search)))))
1574 (when choice
1575 (dolist (m mode)
1576 (cond
1577 ((equal "password" m)
1578 (push (if (plist-get choice :secret)
1579 (funcall (plist-get choice :secret))
1580 nil) found))
1581 ((equal "login" m)
1582 (push (plist-get choice :user) found)))))
1583 (setq found (nreverse found))
1584 (setq found (if listy found (car-safe found)))))
9b3ebcb6 1585
b8e0f0cd 1586 found))
8f7abae3
MB		 1587
1588(provide 'auth-source)
1589
8f7abae3 1590;;; auth-source.el ends here
Unnamed repository; edit this file 'description' to name the repository.