From: Michael Albinus <michael.albinus@gmx.de>
To: "Philipp Uhl" <git@ph-uhl.com>
Cc: 62952@debbugs.gnu.org
Subject: bug#62952: 28.2.50; secrets.el unlocking items
Date: Thu, 20 Apr 2023 13:23:34 +0200 [thread overview]
Message-ID: <87fs8u6bm1.fsf@gmx.de> (raw)
In-Reply-To: <b1f522ed-072c-4df7-bc5c-9051c7447bd4@app.fastmail.com> (Philipp Uhl's message of "Wed, 19 Apr 2023 14:23:17 +0200")
"Philipp Uhl" <git@ph-uhl.com> writes:
Hi Philipp,
> The secrets.el implementation lacks support for unlocking specific
> items. It only unlocks collections. This does not work well with certain
> password managers (e.g. in my case KeepassXC, accessed through secret
> service). When receiving a secret through
>
> (secrets-get-secret "MyPws" "MyEntry")
>
> with the setting "Confirm when passwords are retrieved by clients"
> turned on in KeepassXC, secrets-get-secret will just say IsLocked.
Thanks for the report.
> Instead, secrets-get-secret should try to unlock the entry itself before
> retrieving.
>
> Here is a proof of concept:
>
> + ;; New function, analogously to secrets-unlock-collection, that
> + ;; specifically unlocks the item
> + (defun secrets-unlock-item (collection item)
> + "Unlock item labeled ITEM from collection labeled COLLECTION.
> + If successful, return the object path of the item."
> + (let ((item-path (secrets-item-path collection item)))
> + (unless (secrets-empty-path item-path)
> + (secrets-prompt
> + (cadr
> + (dbus-call-method
> + :session secrets-service secrets-path secrets-interface-service
> + "Unlock" `(:array :object-path ,item-path)))))
> + item-path))
>
> (defun secrets-get-secret (collection item)
> "Return the secret of item labeled ITEM in COLLECTION.
> If there are several items labeled ITEM, it is undefined which
> one is returned. If there is no such item, return nil.
>
> ITEM can also be an object path, which is used if contained in COLLECTION."
> - (let ((item-path (secrets-item-path collection item)))
> + (let ((item-path (secrets-unlock-item collection item)))
> (unless (secrets-empty-path item-path)
> (dbus-byte-array-to-string
> (nth 2
> (dbus-call-method
> :session secrets-service item-path secrets-interface-item
> "GetSecret" :object-path secrets-session-path))))))
>
> To make this function a bit more similar to how it was before, one could
> concider to explicitly wait for the IsLocked event before unlocking the
> item. That way, if the password manager does not support unlocking of
> items, this would not be braking.
LGTM. Well, I don't know how relevant it is to wait for the IsLocked
event. If you have use cases where it is needed, we shall do.
When we add secrets-unlock-item, we should also add secrets-lock-item as
counterpart. Like we have done it with secrets-(un)?lock-collection.
Would you like to add this function? Bonus points for respective tests
in secrets-tests.el.
All these changes exceed the limit for tiny changes in Emacs, which
could be submitted w/o legal work. Would you like to sign FSF copyright
papers in order to contribute to Emacs? See
<https://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/conditions.text>
which explains the reasons.
> Cheers,
> Philipp Uhl
Best regards, Michael.
next prev parent reply other threads:[~2023-04-20 11:23 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-19 12:23 bug#62952: 28.2.50; secrets.el unlocking items Philipp Uhl
2023-04-20 11:23 ` Michael Albinus [this message]
2023-05-02 10:05 ` Philipp Uhl
2023-05-02 11:44 ` Michael Albinus
2023-05-08 11:42 ` Michael Albinus
2023-05-09 8:15 ` Philipp Uhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87fs8u6bm1.fsf@gmx.de \
--to=michael.albinus@gmx.de \
--cc=62952@debbugs.gnu.org \
--cc=git@ph-uhl.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).