From d9bd10debf6c3930669aedb896026f9f19b54466 Mon Sep 17 00:00:00 2001
From: "F. Jason Park" <jp@neverwas.me>
Date: Mon, 12 Aug 2024 07:00:23 -0700
Subject: [PATCH 0/2] *** NOT A PATCH ***

*** BLURB HERE ***

F. Jason Park (2):
  Fix deviations in auth-source-pass behavior WRT netrc
  [POC] Match attrs with auth-source-pass-extra-query-keywords

 lisp/auth-source-pass.el            | 146 ++++++++++++++++++++--------
 test/lisp/auth-source-pass-tests.el | 138 +++++++++++++++++++++++++-
 2 files changed, 237 insertions(+), 47 deletions(-)

Interdiff:
diff --git a/lisp/auth-source-pass.el b/lisp/auth-source-pass.el
index 0df7817f501..a52dafc5ab2 100644
--- a/lisp/auth-source-pass.el
+++ b/lisp/auth-source-pass.el
@@ -266,9 +266,10 @@ auth-source-pass--cast-port
 
 (defun auth-source-pass--match-parts (cache key reference require)
   (let ((value (plist-get cache key)))
-    (if (memq key require)
-        (if reference (equal value reference) value)
-      (or (null reference) (null value) (equal value reference)))))
+    (cond ((memq key require)
+           (if reference (equal value reference) value))
+          ((and value reference) (equal value reference))
+          (t))))
 
 (defvar auth-source-pass-check-attrs-with-extra-query-keywords t
   "When non-nil, decrypt files to find attributes matching parameters.
diff --git a/test/lisp/auth-source-pass-tests.el b/test/lisp/auth-source-pass-tests.el
index c6662cd8b42..695635299f9 100644
--- a/test/lisp/auth-source-pass-tests.el
+++ b/test/lisp/auth-source-pass-tests.el
@@ -548,6 +548,44 @@ auth-source-pass-extra-query-keywords--wild-port-hit
                      '((:host "x.com" :secret "a")
                        (:host "x.com" :port 42 :secret "b")))))))
 
+;; The query requires a user and doesn't specify a user to match against.
+;; The only entry matching the host lacks a user, so the search fails.
+
+(ert-deftest auth-source-pass-extra-query-keywords--req-noparam-miss-netrc ()
+  (ert-with-temp-file netrc-file
+    :text "machine foo password a\n"
+    (let ((auth-sources (list netrc-file))
+          (auth-source-do-cache nil))
+      (should-not (auth-source-search :host "foo" :require '(:user) :max 2)))))
+
+(ert-deftest auth-source-pass-extra-query-keywords--req-noparam-miss ()
+  (let ((auth-source-pass-extra-query-keywords t))
+    (auth-source-pass--with-store '(("foo" (secret . "a")))
+      (auth-source-pass-enable)
+      (should-not (auth-source-search :host "foo" :require '(:user) :max 2)))))
+
+;; The query requires a user but does not provide a reference value to
+;; match against.  An entry matching the host that specifies a user is
+;; selected because any user will do.
+(ert-deftest auth-source-pass-extra-query-keywords--req-param-netrc ()
+  (ert-with-temp-file netrc-file
+    :text "machine foo login bob password a\n"
+    (let* ((auth-sources (list netrc-file))
+           (auth-source-do-cache nil)
+           (results (auth-source-search :host "foo" :require '(:user))))
+      (dolist (result results)
+        (setf (plist-get result :secret) (auth-info-password result)))
+      (should (equal results '((:host "foo" :user "bob" :secret "a")))))))
+
+(ert-deftest auth-source-pass-extra-query-keywords--req-param ()
+  (let ((auth-source-pass-extra-query-keywords t))
+    (auth-source-pass--with-store '(("foo/bob" (secret . "a")))
+      (auth-source-pass-enable)
+      (let ((results (auth-source-search :host "foo" :require '(:user))))
+        (dolist (result results)
+          (setf (plist-get result :secret) (auth-info-password result)))
+        (should (equal results '((:host "foo" :user "bob" :secret "a"))))))))
+
 ;; No entry has the requested port, but :port is required, so search fails.
 
 (ert-deftest auth-source-pass-extra-query-keywords--wild-port-req-miss-netrc ()
@@ -601,7 +639,7 @@ auth-source-pass-extra-query-keywords--akib
       (should (equal results
                      '((:host "disroot.org" :user "akib" :secret "b")))))))
 
-(ert-deftest auth-source-pass-extra-query-keywords--akib/attr ()
+(ert-deftest auth-source-pass-extra-query-keywords--akib-attr ()
   (auth-source-pass--with-store '(("x.com" (secret . "a"))
                                   ("disroot.org" (secret . "b")
                                    ("user" . "akib") ("port" . "42"))
@@ -638,23 +676,7 @@ auth-source-pass-extra-query-keywords--akib/attr
                      '(( :host "disroot.org" :user "akib"
                          :port 42 :secret "b")))))))
 
-(ert-deftest auth-source-pass-extra-query-keywords--netrc-akib/require ()
-  (ert-with-temp-file netrc-file
-    :text "\
-machine x.com password a
-machine disroot.org user akib password b
-machine z.com password c
-"
-    (let* ((auth-sources (list netrc-file))
-           (auth-source-do-cache nil)
-           (results (auth-source-search :host "disroot.org"
-                                        :require '(:user) :max 2)))
-      (dolist (result results)
-        (setf (plist-get result :secret) (auth-info-password result)))
-      (should (equal results
-                     '((:host "disroot.org" :user "akib" :secret "b")))))))
-
-(ert-deftest auth-source-pass-extra-query-keywords--akib/attr/require ()
+(ert-deftest auth-source-pass-extra-query-keywords--akib-attr-req ()
   (auth-source-pass--with-store '(("x.com" (secret . "a"))
                                   ("disroot.org" (secret . "b")
                                    ("user" . "akib"))
@@ -668,7 +690,23 @@ auth-source-pass-extra-query-keywords--akib/attr/require
       (should (equal results
                      '((:host "disroot.org" :user "akib" :secret "b")))))))
 
-(ert-deftest auth-source-pass-extra-query-keywords--akib/attr/extras ()
+(ert-deftest auth-source-pass-extra-query-keywords--akib-attr-extras-netrc ()
+  (ert-with-temp-file netrc-file
+    :text "\
+machine x.com password a
+machine disroot.org user akib port 42 password b foo 1 bar 2
+machine z.com password c
+"
+    (let* ((auth-sources (list netrc-file))
+           (auth-source-do-cache nil)
+           (results (auth-source-search :host "disroot.org" :max 2)))
+      (dolist (result results)
+        (setf (plist-get result :secret) (auth-info-password result)))
+      (should (equal results
+                     '((:host "disroot.org" :user "akib" :port "42"
+                              :secret "b" :foo "1" :bar "2")))))))
+
+(ert-deftest auth-source-pass-extra-query-keywords--akib-attr-extras ()
   (auth-source-pass--with-store '(("x.com" (secret . "a"))
                                   ("disroot.org" (secret . "b")
                                    ("user" . "akib")
@@ -713,8 +751,8 @@ auth-source-pass-extra-query-keywords--host
                      '((:host "Libera.Chat" :secret "b")))))))
 
 
-;; A retrieved store entry mustn't be nil regardless of whether its
-;; path contains port or user components.
+;; An effectively empty entry in the store returns nothing but the
+;; :host field matching the given host parameter.
 
 (ert-deftest auth-source-pass-extra-query-keywords--netrc-baseline ()
   (ert-with-temp-file netrc-file
-- 
2.46.0