From: Akib Azmain Turja via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
To: "J.P." <jp@neverwas.me>
Cc: "Damien Cassou" <damien@cassou.me>,
"Björn Bidar" <bjorn.bidar@thaodan.de>,
emacs-erc@gnu.org, "Michael Albinus" <michael.albinus@gmx.de>,
58985@debbugs.gnu.org
Subject: bug#58985: 29.0.50; Have auth-source-pass behave more like other back ends
Date: Fri, 11 Nov 2022 20:45:53 +0600
Message-ID: <87tu35eehq.fsf__23405.6613336847$1668188200$gmane$org@disroot.org>
In-Reply-To: <877d026uym.fsf@neverwas.me> (J. P.'s message of "Thu, 10 Nov 2022 19:17:21 -0800")
"J.P." <jp@neverwas.me> writes:
>>> + (if (eq auth-source-pass-extra-query-keywords 'test)
>>> + (reverse rv)
>>
>> The value `test' is not documented. Is it used in tests? If it is, I
>> think an internal variable would be better.
>
> I got rid of the `test' stuff completely, so this function now always
> wraps secrets.
That looks good.
>
>
> From 8870cb62be1ad3ac5b9e5553e52a7f6ed7533c2f Mon Sep 17 00:00:00 2001
> From: "F. Jason Park" <jp@neverwas.me>
> Date: Tue, 1 Nov 2022 22:46:24 -0700
> Subject: [PATCH 1/2] [POC] Make auth-source-pass behave more like other
> backends
>
> * lisp/auth-source-pass.el (auth-source-pass-extra-query-keywords): Add
> new option to bring search behavior more in line with other backends.
> (auth-source-pass-search): Add new keyword params `max' and `require'
> and consider new option `auth-source-pass-extra-query-keywords' for
> dispatch.
> (auth-source-pass--match-regexp, auth-source-pass--retrieve-parsed,
> auth-source-pass--match-parts): Add supporting variable and helpers.
> (auth-source-pass--build-result-many,
> auth-source-pass--find-match-many): Add "-many" variants for existing
> workhorse functions.
> * test/lisp/auth-source-pass-tests.el
> (auth-source-pass-extra-query-keywords--wild-port-miss-netrc,
> auth-source-pass-extra-query-keywords--wild-port-miss,
> auth-source-pass-extra-query-keywords--wild-port-hit-netrc,
> auth-source-pass-extra-query-keywords--wild-port-hit,
> auth-source-pass-extra-query-keywords--wild-port-req-miss-netrc,
> auth-source-pass-extra-query-keywords--wild-port-req-miss,
> auth-source-pass-extra-query-keywords--netrc-akib,
> auth-source-pass-extra-query-keywords--akib,
> auth-source-pass-extra-query-keywords--netrc-host,
> auth-source-pass-extra-query-keywords--host,
> auth-source-pass-extra-query-keywords--baseline,
> auth-source-pass-extra-query-keywords--port-type,
> auth-source-pass-extra-query-keywords--hosts-first): Add juxtaposed
> netrc and extra-query-keywords pairs to demo optional extra-compliant
> behavior.
> * doc/misc/auth.texi: Add option
> `auth-source-pass-extra-query-keywords' to auth-source-pass section.
> * etc/NEWS: Mention `auth-source-pass-extra-query-keywords' in Emacs
> 29.1 package changes section. Bug#58985.
> ---
> doc/misc/auth.texi | 11 ++
> etc/NEWS | 8 ++
> lisp/auth-source-pass.el | 105 +++++++++++++++-
> test/lisp/auth-source-pass-tests.el | 184 ++++++++++++++++++++++++++++
> 4 files changed, 307 insertions(+), 1 deletion(-)
>
[...]
> +(defun auth-source-pass--build-result-many (hosts ports users require max)
> + "Return multiple `auth-source-pass--build-result' values."
> + (unless (listp hosts) (setq hosts (list hosts)))
> + (unless (listp users) (setq users (list users)))
> + (unless (listp ports) (setq ports (list ports)))
> + (let* ((auth-source-pass--match-regexp (auth-source-pass--match-regexp
> + auth-source-pass-port-separator))
> + (rv (auth-source-pass--find-match-many hosts users ports
> + require (or max 1))))
> + (when auth-source-debug
> + (auth-source-pass--do-debug "final result: %S" rv))
> + (let (out)
> + (dolist (e rv out)
> + (when-let* ((s (plist-get e :secret)) ; s not captured by closure
> + (v (auth-source--obfuscate s)))
> + (setf (plist-get e :secret)
> + (lambda () (auth-source--deobfuscate v))))
Why doesn't the closure capture "s"? For me, the following code
captures "s" (obviously with lexical binding): (just a let-wrapped version
of your code)
--8<---------------cut here---------------start------------->8---
(let ((e '(:secret "topsecret")))
  (when-let* ((s (plist-get e :secret)) ; s not captured by closure
              (v (auth-source--obfuscate s)))
    (setf (plist-get e :secret)
          (lambda () (auth-source--deobfuscate v))))
  e)
;; => (:secret
;;     (closure
;;      ((p #1)
;;       (v . "XIcHKKIKtavKgK8J6zXP1w==-N/XAaAOqAtGcCzKGKX71og==")
;;       (s . "topsecret") ;; LEAKED!!!
;;       (e :secret #1)
;;       t)
;;      nil
;;      (auth-source--deobfuscate v)))
--8<---------------cut here---------------end--------------->8---
> + (push e out)))))
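Review bot: The debug call `(auth-source-pass--do-debug "final result: %S" rv)` runs before the `dolist` that wraps `:secret`, so with `auth-source-debug` enabled the plaintext secrets still held in `rv` go to the debug output. Move the call after the loop, or log only the non-secret keys. Separately, this function takes `(hosts ports users require max)` while `auth-source-pass--find-match-many` takes `(hosts users ports require max)`; the call here passes them in the right order, but using one order for both would make a swap harder to introduce, and the docstring should describe the arguments, including that a nil MAX is treated as 1.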
[...]
> +(defun auth-source-pass--retrieve-parsed (seen path port-number-p)
> + (when-let ((m (string-match auth-source-pass--match-regexp path)))
Why do you let-bind "m"? I can't find any use of it in the body.
> + (puthash path
> + (list :host (or (match-string 10 path) (match-string 11 path))
> + :user (or (match-string 20 path) (match-string 21 path))
> + :port (and-let* ((p (or (match-string 30 path)
> + (match-string 31 path)))
> + (n (string-to-number p)))
> + (if (or (zerop n) (not port-number-p))
> + (format "%s" p)
> + n)))
> + seen)))
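Review bot: `auth-source-pass--retrieve-parsed` has no docstring, and its contract is not obvious from the body: it mutates SEEN, and the caller relies on `puthash` returning the stored plist. Document SEEN, PATH, PORT-NUMBER-P and the return value. A PATH that does not match `auth-source-pass--match-regexp` is never recorded in SEEN, so the `(or (gethash e seen) ...)` lookup in `auth-source-pass--find-match-many` re-runs the regexp on it for every host, user and port combination; storing a miss marker would avoid that. In the `:port` branch, `(format "%s" p)` is redundant because `p` is already a string returned by `match-string`.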
[...]
> +(defun auth-source-pass--find-match-many (hosts users ports require max)
> + "Return plists for valid combinations of HOSTS, USERS, PORTS.
> +Each plist contains, at the very least, a host and a secret."
> + (let ((seen (make-hash-table :test #'equal))
> + (entries (auth-source-pass-entries))
> + out)
> + (catch 'done
> + (dolist (host hosts out)
> + (pcase-let ((`(,_ ,u ,p) (auth-source-pass--disambiguate host)))
> + (unless (or (not (equal "443" p)) (string-prefix-p "https://" host))
> + (setq p nil))
> + (dolist (user (or users (list u)))
> + (dolist (port (or ports (list p)))
> + (dolist (e entries)
> + (when-let*
> + ((m (or (gethash e seen) (auth-source-pass--retrieve-parsed
> + seen e (integerp port))))
> + ((equal host (plist-get m :host)))
> + ((auth-source-pass--match-parts m :port port require))
> + ((auth-source-pass--match-parts m :user user require))
> + (parsed (auth-source-pass-parse-entry e))
> + ;; For now, ignore body-content pairs, if any,
> + ;; from `auth-source-pass--parse-data'.
> + (secret (or (auth-source-pass--get-attr 'secret parsed)
> + (not (memq :secret require)))))
> + (push
> + `( :host ,host ; prefer user-provided :host over h
> + ,@(and-let* ((u (plist-get m :user))) (list :user u))
> + ,@(and-let* ((p (plist-get m :port))) (list :port p))
> + ,@(and secret (not (eq secret t)) (list :secret secret)))
> + out)
> + (when (or (zerop (cl-decf max))
> + (null (setq entries (remove e entries))))
Remove will create a lot of garbage, e.g. (let ((x '(1 2 3 4 5)))
(eq (remove 6 x) x)) and (let ((x '(1 2 3 4 5))) (eq (remove 1 x)
(cdr x))) both return nil.
If you think delete is OK, go ahead and use it. If you think remove is
better, keep it. Do whatever you think is right.
> + (throw 'done out)))))))))))
> +
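Review bot: In the `(zerop (cl-decf max))` test, a MAX of 0 is never caught: `auth-source-pass--build-result-many` only replaces nil via `(or max 1)`, so 0 is decremented to -1 and the loop goes on to return every match. Handle non-positive MAX before entering the loop unless the caller already filters it out, which is not visible here. The docstring's "at the very least, a host and a secret" also does not hold when `:secret` is absent from REQUIRE, since `secret` is then `t` and the pushed plist carries no `:secret` key. The port check `(unless (or (not (equal "443" p)) (string-prefix-p "https://" host)) ...)` would read more directly as a `when` over an `and`.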
[...]
--
Akib Azmain Turja, GPG key: 70018CE5819F17A3BBA666AFE74F0EFA922AE7F5
Fediverse: akib@hostux.social
Codeberg: akib
emailselfdefense.fsf.org | "Nothing can be secure without encryption."
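The closure question raised in the message above, as an added Emacs Lisp example that is not code from the patch or from Emacs: the wrapping closure is created in a helper whose only lexical variable is the obfuscated value, so the plaintext has no binding to capture even when the code is interpreted. `my/wrap-secret`, `my/wrap-entry` and `my/closure-mentions-p` are hypothetical names, the sample entry is constructed, and lexical binding is assumed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example.  All `my/' names are hypothetical; only
;; `auth-source--obfuscate' and `auth-source--deobfuscate' come from
;; auth-source.el, as used in the patch under review.
(require 'auth-source)
(require 'cl-lib)

(defun my/wrap-secret (obfuscated)
  "Return a closure that yields the secret stored in OBFUSCATED.
OBFUSCATED is the only lexical variable in scope here, so the
closure cannot capture a plaintext binding, interpreted or compiled."
  (lambda () (auth-source--deobfuscate obfuscated)))

(defun my/wrap-entry (entry)
  "Return a copy of plist ENTRY whose string :secret is a closure."
  (let ((copy (copy-sequence entry)))
    (when (stringp (plist-get copy :secret))
      (setq copy
            (plist-put copy :secret
                       (my/wrap-secret
                        (auth-source--obfuscate
                         (plist-get copy :secret))))))
    copy))

(defun my/closure-mentions-p (fn plaintext)
  "Return non-nil if the printed form of FN contains PLAINTEXT."
  (string-match-p (regexp-quote plaintext) (prin1-to-string fn)))

(let* ((plain "topsecret")              ; constructed sample value
       (wrapped (my/wrap-entry (list :host "example.org" :secret plain)))
       (fn (plist-get wrapped :secret)))
  ;; The secret is still recoverable through the closure ...
  (cl-assert (string= plain (funcall fn)))
  ;; ... but the closure's printed form, environment included, does
  ;; not contain the plaintext.
  (cl-assert (not (my/closure-mentions-p fn plain)))
  (message "secret recoverable, plaintext absent from closure"))
```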