1 ;;; auth-source.el --- authentication sources for Gnus and Emacs
3 ;; Copyright (C) 2008, 2009, 2010 Free Software Foundation, Inc.
5 ;; Author: Ted Zlatanov <tzz@lifelogs.com>
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
25 ;; This is the auth-source.el package. It lets users tell Gnus how to
26 ;; authenticate in a single place. Simplicity is the goal. Instead
27 ;; of providing 5000 options, we'll stick to simple, easy to
28 ;; understand options.
30 ;; See the auth.info Info documentation for details.
36 (eval-when-compile (require 'cl))
37 (autoload 'netrc-machine-user-or-password "netrc")
38 (autoload 'secrets-create-item "secrets")
39 (autoload 'secrets-delete-item "secrets")
40 (autoload 'secrets-get-alias "secrets")
41 (autoload 'secrets-get-attribute "secrets")
42 (autoload 'secrets-get-secret "secrets")
43 (autoload 'secrets-list-collections "secrets")
44 (autoload 'secrets-search-items "secrets")
46 (defgroup auth-source nil
47 "Authentication sources."
48 :version "23.1" ;; No Gnus
51 (defcustom auth-source-protocols '((imap "imap" "imaps" "143" "993")
52 (pop3 "pop3" "pop" "pop3s" "110" "995")
56 "List of authentication protocols and their names"
59 :version "23.2" ;; No Gnus
60 :type '(repeat :tag "Authentication Protocols"
61 (cons :tag "Protocol Entry"
62 (symbol :tag "Protocol")
64 (string :tag "Name")))))
66 ;;; generate all the protocols in a format Customize can use
67 ;;; TODO: generate on the fly from auth-source-protocols
68 (defconst auth-source-protocols-customize
70 (let ((p (car-safe a)))
72 :tag (upcase (symbol-name p))
74 auth-source-protocols))
76 (defvar auth-source-cache (make-hash-table :test 'equal)
77 "Cache for auth-source data")
79 (defcustom auth-source-do-cache t
80 "Whether auth-source should cache information."
82 :version "23.2" ;; No Gnus
85 (defcustom auth-source-debug nil
86 "Whether auth-source should log debug messages.
87 Also see `auth-source-hide-passwords'.
89 If the value is nil, debug messages are not logged.
90 If the value is t, debug messages are logged with `message'.
91 In that case, your authentication data will be in the
92 clear (except for passwords, which are always stripped out).
93 If the value is a function, debug messages are logged by calling
94 that function using the same arguments as `message'."
96 :version "23.2" ;; No Gnus
98 :tag "auth-source debugging mode"
99 (const :tag "Log using `message' to the *Messages* buffer" t)
100 (function :tag "Function that takes arguments like `message'")
101 (const :tag "Don't log anything" nil)))
103 (defcustom auth-source-hide-passwords t
104 "Whether auth-source should hide passwords in log messages.
105 Only relevant if `auth-source-debug' is not nil."
107 :version "23.2" ;; No Gnus
110 (defcustom auth-sources '((:source "~/.authinfo.gpg")
111 (:source "~/.authinfo"))
112 "List of authentication sources.
114 The default will get login and password information from a .gpg
115 file, which you should set up with the EPA/EPG packages to be
116 encrypted. See the auth.info manual for details.
118 Each entry is the authentication type with optional properties.
120 It's best to customize this with `M-x customize-variable' because the choices
121 can get pretty complex."
123 :version "23.2" ;; No Gnus
124 :type `(repeat :tag "Authentication Sources"
125 (list :tag "Source definition"
126 (const :format "" :value :source)
127 (choice :tag "Authentication backend choice"
128 (string :tag "Authentication Source (file)")
129 (list :tag "secrets.el (Secret Service API/KWallet/GNOME Keyring)"
130 (const :format "" :value :secrets)
131 (choice :tag "Collection to use"
132 (string :tag "Collection name")
133 (const :tag "Default" 'default)
134 (const :tag "Login" "login")
135 (const :tag "Temporary" "session"))))
136 (repeat :tag "Extra Parameters" :inline t
137 (choice :tag "Extra parameter"
138 (list :tag "Host (omit to match as a fallback)"
139 (const :format "" :value :host)
140 (choice :tag "Host (machine) choice"
142 (regexp :tag "Host (machine) regular expression")))
143 (list :tag "Protocol (omit to match as a fallback)"
144 (const :format "" :value :protocol)
145 (choice :tag "Protocol"
147 ,@auth-source-protocols-customize))
148 (list :tag "User (omit to match as a fallback)" :inline t
149 (const :format "" :value :user)
150 (choice :tag "Personality or username"
152 (string :tag "Specific user name"))))))))
154 ;; temp for debugging
155 ;; (unintern 'auth-source-protocols)
156 ;; (unintern 'auth-sources)
157 ;; (customize-variable 'auth-sources)
158 ;; (setq auth-sources nil)
159 ;; (format "%S" auth-sources)
160 ;; (customize-variable 'auth-source-protocols)
161 ;; (setq auth-source-protocols nil)
162 ;; (format "%S" auth-source-protocols)
163 ;; (auth-source-pick nil :host "a" :port 'imap)
164 ;; (auth-source-user-or-password "login" "imap.myhost.com" 'imap)
165 ;; (auth-source-user-or-password "password" "imap.myhost.com" 'imap)
166 ;; (auth-source-user-or-password-imap "login" "imap.myhost.com")
167 ;; (auth-source-user-or-password-imap "password" "imap.myhost.com")
168 ;; (auth-source-protocol-defaults 'imap)
170 ;; (let ((auth-source-debug 'debug)) (auth-source-debug "hello"))
171 ;; (let ((auth-source-debug t)) (auth-source-debug "hello"))
172 ;; (let ((auth-source-debug nil)) (auth-source-debug "hello"))
173 (defun auth-source-do-debug (&rest msg)
174 ;; set logger to either the function in auth-source-debug or 'message
175 ;; note that it will be 'message if auth-source-debug is nil, so
176 ;; we also check the value
177 (when auth-source-debug
178 (let ((logger (if (functionp auth-source-debug)
181 (apply logger msg))))
183 ;; (auth-source-pick nil :host "any" :protocol 'imap :user "joe")
184 ;; (auth-source-pick t :host "any" :protocol 'imap :user "joe")
185 ;; (setq auth-sources '((:source (:secrets default) :host t :protocol t :user "joe")
186 ;; (:source (:secrets "session") :host t :protocol t :user "joe")
187 ;; (:source (:secrets "login") :host t :protocol t)
188 ;; (:source "~/.authinfo.gpg" :host t :protocol t)))
190 ;; (setq auth-sources '((:source (:secrets default) :host t :protocol t :user "joe")
191 ;; (:source (:secrets "session") :host t :protocol t :user "joe")
192 ;; (:source (:secrets "login") :host t :protocol t)
195 ;; (setq auth-sources '((:source "~/.authinfo.gpg" :host t :protocol t)))
197 (defun auth-get-source (entry)
198 "Return the source string of ENTRY, which is one entry in `auth-sources'.
199 If it is a Secret Service API, return the collection name, otherwise
201 (let ((source (plist-get entry :source)))
204 ;; Secret Service API.
205 (setq source (plist-get source :secrets))
206 (when (eq source 'default)
207 (setq source (or (secrets-get-alias "default") "login")))
208 (or source "session"))))
210 (defun auth-source-pick (&rest spec)
211 "Parse `auth-sources' for matches of the SPEC plist.
213 Common keys are :host, :protocol, and :user. A value of t in
214 SPEC means to always succeed in the match. A string value is
216 (let ((keys (loop for i below (length spec) by 2 collect (nth i spec)))
218 (dolist (choice (copy-tree auth-sources) choices)
219 (let ((source (plist-get choice :source))
223 ;; Check existence of source.
225 ;; Secret Service API.
226 (member (auth-get-source choice) (secrets-list-collections))
228 (file-exists-p source))
231 (dolist (k keys match)
232 (let* ((v (plist-get spec k))
233 (choicev (if (plist-member choice k)
234 (plist-get choice k) t)))
238 ;; source always matches spec key
240 ;; source key gives regex to match against spec
241 (and (stringp choicev) (string-match choicev v))
242 ;; source key gives symbol to match against spec
243 (and (symbolp choicev) (eq choicev v))))))))
245 (add-to-list 'choices choice 'append))))))
247 (defun auth-source-retrieve (mode entry &rest spec)
248 "Retrieve MODE credentials according to SPEC from ENTRY."
250 (let ((host (plist-get spec :host))
251 (user (plist-get spec :user))
252 (prot (plist-get spec :protocol))
253 (source (plist-get entry :source))
256 ;; Secret Service API.
258 (let ((coll (auth-get-source entry))
260 ;; Loop over candidates with a matching host attribute.
261 (dolist (elt (secrets-search-items coll :host host) item)
262 (when (and (or (not user)
264 user (secrets-get-attribute coll elt :user)))
267 prot (secrets-get-attribute coll elt :protocol))))
274 (if (string-equal "password" m)
275 (or (secrets-get-secret coll item)
276 ;; When we do not find a password,
277 ;; we return nil anyway.
278 (throw 'no-password nil))
279 (or (secrets-get-attribute coll item :user)
281 (if (consp mode) mode (list mode)))))
282 (if (consp mode) result (car result))))
283 ;; Anything else is netrc.
285 (let ((search (list source (list host) (list (format "%s" prot))
286 (auth-source-protocol-defaults prot))))
289 (if (string-equal "password" m)
291 'netrc-machine-user-or-password m search)
292 ;; When we do not find a password, we
293 ;; return nil anyway.
294 (throw 'no-password nil))
296 'netrc-machine-user-or-password m search)
298 (if (consp mode) mode (list mode)))))
299 (if (consp mode) result (car result)))))))
301 (defun auth-source-create (mode entry &rest spec)
302 "Create interactively credentials according to SPEC in ENTRY.
303 Return structure as specified by MODE."
304 (let* ((host (plist-get spec :host))
305 (user (plist-get spec :user))
306 (prot (plist-get spec :protocol))
307 (source (plist-get entry :source))
308 (name (concat (if user (format "%s@" user))
310 (if prot (format ":%s" prot))))
316 ((equal "password" m)
317 (let ((passwd (read-passwd
318 (format "Password for %s on %s: " prot host))))
320 ;; Secret Service API.
324 (auth-get-source entry) name passwd spec))
325 (t)) ;; netrc not implemented yes.
329 (read-string (format "User name for %s on %s: " prot host))))
332 (if (consp mode) mode (list mode))))
333 (if (consp mode) result (car result))))
335 (defun auth-source-delete (entry &rest spec)
336 "Delete credentials according to SPEC in ENTRY."
337 (let ((host (plist-get spec :host))
338 (user (plist-get spec :user))
339 (prot (plist-get spec :protocol))
340 (source (plist-get entry :source)))
342 ;; Secret Service API.
344 (let ((coll (auth-get-source entry)))
345 ;; Loop over candidates with a matching host attribute.
346 (dolist (elt (secrets-search-items coll :host host))
347 (when (and (or (not user)
349 user (secrets-get-attribute coll elt :user)))
352 prot (secrets-get-attribute coll elt :protocol))))
353 (secrets-delete-item coll elt)))))
354 (t)))) ;; netrc not implemented yes.
356 (defun auth-source-forget-user-or-password
357 (mode host protocol &optional username)
358 "Remove cached authentication token."
359 (interactive "slogin/password: \nsHost: \nsProtocol: \n") ;for testing
362 (format "%s %s:%s %s" mode host protocol username)
363 (format "%s %s:%s" mode host protocol))
366 (defun auth-source-forget-all-cached ()
367 "Forget all cached auth-source authentication tokens."
369 (setq auth-source-cache (make-hash-table :test 'equal)))
372 ;; (auth-source-forget-all-cached)
374 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" "other")
375 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" "other" "tzz")
376 ;; (auth-source-user-or-password '("login" "password") "imap.myhost.com" "other" "joe")))
378 (defun auth-source-user-or-password
379 (mode host protocol &optional username create-missing delete-existing)
380 "Find MODE (string or list of strings) matching HOST and PROTOCOL.
382 USERNAME is optional and will be used as \"login\" in a search
383 across the Secret Service API (see secrets.el) if the resulting
384 items don't have a username. This means that if you search for
385 username \"joe\" and it matches an item but the item doesn't have
386 a :user attribute, the username \"joe\" will be returned.
388 A non nil DELETE-EXISTING means deleting any matching password
389 entry in the respective sources. This is useful only when
390 CREATE-MISSING is non nil as well; the intended use case is to
391 remove wrong password entries.
393 If no matching entry is found, and CREATE-MISSING is non nil,
394 the password will be retrieved interactively, and it will be
395 stored in the password database which matches best (see
398 MODE can be \"login\" or \"password\"."
399 (auth-source-do-debug
400 "auth-source-user-or-password: get %s for %s (%s) + user=%s"
401 mode host protocol username)
402 (let* ((listy (listp mode))
403 (mode (if listy mode (list mode)))
405 (format "%s %s:%s %s" mode host protocol username)
406 (format "%s %s:%s" mode host protocol)))
407 (search (list :host host :protocol protocol))
408 (search (if username (append search (list :user username)) search))
409 (found (if (not delete-existing)
410 (gethash cname auth-source-cache)
411 (remhash cname auth-source-cache)
415 (auth-source-do-debug
416 "auth-source-user-or-password: cached %s=%s for %s (%s) + %s"
418 ;; don't show the password
419 (if (and (member "password" mode) auth-source-hide-passwords)
422 host protocol username)
423 found) ; return the found data
424 ;; else, if not found
425 (let ((choices (apply 'auth-source-pick search)))
426 (dolist (choice choices)
428 (apply 'auth-source-delete choice search)
429 (setq found (apply 'auth-source-retrieve mode choice search)))
430 (and found (return found)))
432 ;; We haven't found something, so we will create it interactively.
433 (when (and (not found) create-missing)
434 (setq found (apply 'auth-source-create
435 mode (car auth-sources) search)))
439 (auth-source-do-debug
440 "auth-source-user-or-password: found %s=%s for %s (%s) + %s"
442 ;; don't show the password
443 (if (and (member "password" mode) auth-source-hide-passwords)
445 host protocol username)
446 (setq found (if listy found (car-safe found)))
447 (when auth-source-do-cache
448 (puthash cname found auth-source-cache)))
452 (defun auth-source-protocol-defaults (protocol)
453 "Return a list of default ports and names for PROTOCOL."
454 (cdr-safe (assoc protocol auth-source-protocols)))
456 (defun auth-source-user-or-password-imap (mode host)
457 (auth-source-user-or-password mode host 'imap))
459 (defun auth-source-user-or-password-pop3 (mode host)
460 (auth-source-user-or-password mode host 'pop3))
462 (defun auth-source-user-or-password-ssh (mode host)
463 (auth-source-user-or-password mode host 'ssh))
465 (defun auth-source-user-or-password-sftp (mode host)
466 (auth-source-user-or-password mode host 'sftp))
468 (defun auth-source-user-or-password-smtp (mode host)
469 (auth-source-user-or-password mode host 'smtp))
471 (provide 'auth-source)
473 ;;; auth-source.el ends here
projects / gnus / blob