From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Akib Azmain Turja via "Bug reports for GNU Emacs, the Swiss army knife of text editors" Newsgroups: gmane.emacs.bugs Subject: bug#58985: 29.0.50; Have auth-source-pass behave more like other back ends Date: Fri, 11 Nov 2022 20:45:53 +0600 Message-ID: <87tu35eehq.fsf__23405.6613336847$1668188200$gmane$org@disroot.org> References: <87wn8cb0ym.fsf@neverwas.me> <874jvdardn.fsf__3771.40490324877$1667692584$gmane$org@neverwas.me> <87pme09vis.fsf@gmx.de> <87a653z7dl.fsf@neverwas.me> <878rkjl1vd.fsf@disroot.org> <877d026uym.fsf@neverwas.me> Reply-To: Akib Azmain Turja Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="15967"; mail-complaints-to="usenet@ciao.gmane.io" Cc: Damien Cassou , =?UTF-8?Q?Bj=C3=B6rn?= Bidar , emacs-erc@gnu.org, Michael Albinus , 58985@debbugs.gnu.org To: "J.P." Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Fri Nov 11 18:36:31 2022 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1otXx9-0003vK-9G for geb-bug-gnu-emacs@m.gmane-mx.org; Fri, 11 Nov 2022 18:36:31 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1otXwl-0005j8-0a; Fri, 11 Nov 2022 12:36:07 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1otXwh-0005iP-EA for bug-gnu-emacs@gnu.org; Fri, 11 Nov 2022 12:36:03 -0500 Original-Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1otXwg-0001ru-SX for bug-gnu-emacs@gnu.org; Fri, 11 Nov 2022 12:36:02 -0500 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1otXwg-0005Gg-Nr for bug-gnu-emacs@gnu.org; Fri, 11 Nov 2022 12:36:02 -0500 X-Loop: help-debbugs@gnu.org Resent-From: Akib Azmain Turja Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 11 Nov 2022 17:36:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 58985 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 58985-submit@debbugs.gnu.org id=B58985.166818811420181 (code B ref 58985); Fri, 11 Nov 2022 17:36:02 +0000 Original-Received: (at 58985) by debbugs.gnu.org; 11 Nov 2022 17:35:14 +0000 Original-Received: from localhost ([127.0.0.1]:46664 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1otXvu-0005FQ-6h for submit@debbugs.gnu.org; Fri, 11 Nov 2022 12:35:14 -0500 Original-Received: from knopi.disroot.org ([178.21.23.139]:55108) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1otXvs-0005FG-Bz for 58985@debbugs.gnu.org; Fri, 11 Nov 2022 12:35:13 -0500 Original-Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id B62DD406CC; Fri, 11 Nov 2022 18:35:11 +0100 (CET) X-Virus-Scanned: SPAM Filter at disroot.org Original-Received: from knopi.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nfejr1pIsOyP; Fri, 11 Nov 2022 18:35:10 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1668188110; bh=Us8ybIiP30fvZ0WESydOjMcxsdRzlrOW0ucmFxtgu9o=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=UbrM99I9pcW1ZnvuwfZstTx6iVNiuNY39TED3yna4pYGR0pBLmUfB/vf3wxhE4uf8 W7poSQBvW86JjalFKYEseaNMFD4gmpcMUqYcPaUckFt4cWxGOaiGoS1TF9cIhRzdn/ KE2xw3mlZFoWWYTf0wRwbHPLHBiXMkYisJTaP5DjMrp63n4tCrL93qjclTO7OyxXQ9 h1YMam8oRzudo3GP1rClW0sZhoTrGLIOGMpHgx75W0unS5uWcXn9lf9x2RoB5deMwu DaXcumX6IXZ6pRLQnWvlYCP+FBLRzQBsPAJTk05HS7zLYE+NtUH0ChNerPOQ0zoiBJ vYWoGE3GviwCw== In-Reply-To: <877d026uym.fsf@neverwas.me> (J. P.'s message of "Thu, 10 Nov 2022 19:17:21 -0800") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:247608 Archived-At: --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable "J.P." writes: >>> + (if (eq auth-source-pass-extra-query-keywords 'test) >>> + (reverse rv) >> >> The value `test' is not documented. Is it used in tests? If it is, I >> think an internal variable would be better. > > I got rid of the `test' stuff completely, so this function now always > wraps secrets. That looks good. > > > From 8870cb62be1ad3ac5b9e5553e52a7f6ed7533c2f Mon Sep 17 00:00:00 2001 > From: "F. Jason Park" > Date: Tue, 1 Nov 2022 22:46:24 -0700 > Subject: [PATCH 1/2] [POC] Make auth-source-pass behave more like other > backends > > * lisp/auth-source-pass.el (auth-source-pass-extra-query-keywords): Add > new option to bring search behavior more in line with other backends. > (auth-source-pass-search): Add new keyword params `max' and `require' > and consider new option `auth-source-pass-extra-query-keywords' for > dispatch. > (auth-source-pass--match-regexp, auth-source-pass--retrieve-parsed, > auth-source-pass--match-parts): Add supporting variable and helpers. > (auth-source-pass--build-result-many, > auth-source-pass--find-match-many): Add "-many" variants for existing > workhorse functions. > * test/lisp/auth-source-pass-tests.el > (auth-source-pass-extra-query-keywords--wild-port-miss-netrc, > auth-source-pass-extra-query-keywords--wild-port-miss, > auth-source-pass-extra-query-keywords--wild-port-hit-netrc, > auth-source-pass-extra-query-keywords--wild-port-hit, > auth-source-pass-extra-query-keywords--wild-port-req-miss-netrc, > auth-source-pass-extra-query-keywords--wild-port-req-miss, > auth-source-pass-extra-query-keywords--netrc-akib, > auth-source-pass-extra-query-keywords--akib, > auth-source-pass-extra-query-keywords--netrc-host, > auth-source-pass-extra-query-keywords--host, > auth-source-pass-extra-query-keywords--baseline, > auth-source-pass-extra-query-keywords--port-type, > auth-source-pass-extra-query-keywords--hosts-first): Add juxtaposed > netrc and extra-query-keywords pairs to demo optional extra-compliant > behavior. > * doc/misc/auth.texi: Add option > `auth-source-pass-extra-query-keywords' to auth-source-pass section. > * etc/NEWS: Mention `auth-source-pass-extra-query-keywords' in Emacs > 29.1 package changes section. Bug#58985. > --- > doc/misc/auth.texi | 11 ++ > etc/NEWS | 8 ++ > lisp/auth-source-pass.el | 105 +++++++++++++++- > test/lisp/auth-source-pass-tests.el | 184 ++++++++++++++++++++++++++++ > 4 files changed, 307 insertions(+), 1 deletion(-) > [...] > +(defun auth-source-pass--build-result-many (hosts ports users require ma= x) > + "Return multiple `auth-source-pass--build-result' values." > + (unless (listp hosts) (setq hosts (list hosts))) > + (unless (listp users) (setq users (list users))) > + (unless (listp ports) (setq ports (list ports))) > + (let* ((auth-source-pass--match-regexp (auth-source-pass--match-regexp > + auth-source-pass-port-separato= r)) > + (rv (auth-source-pass--find-match-many hosts users ports > + require (or max 1)))) > + (when auth-source-debug > + (auth-source-pass--do-debug "final result: %S" rv)) > + (let (out) > + (dolist (e rv out) > + (when-let* ((s (plist-get e :secret)) ; s not captured by closure > + (v (auth-source--obfuscate s))) > + (setf (plist-get e :secret) > + (lambda () (auth-source--deobfuscate v)))) Why the closure doesn't capture "s"? For me, the following code captures "s" (obviously with lexical binding): (just let-wrapped version of your code) =2D-8<---------------cut here---------------start------------->8--- (let ((e '(:secret "topsecret"))) (when-let* ((s (plist-get e :secret)) ; s not captured by closure (v (auth-source--obfuscate s))) (setf (plist-get e :secret) (lambda () (auth-source--deobfuscate v)))) e) ;; =3D> (:secret ;; (closure ;; ((p #1) ;; (v . "XIcHKKIKtavKgK8J6zXP1w=3D=3D-N/XAaAOqAtGcCzKGKX71og=3D=3D= ") ;; (s . "topsecret") ;; LEAKED!!! ;; (e :secret #1) ;; t) ;; nil ;; (auth-source--deobfuscate v))) =2D-8<---------------cut here---------------end--------------->8--- > + (push e out))))) [...] > +(defun auth-source-pass--retrieve-parsed (seen path port-number-p) > + (when-let ((m (string-match auth-source-pass--match-regexp path))) Why do you let-bound "m"? I can't find any use of it in the body. > + (puthash path > + (list :host (or (match-string 10 path) (match-string 11 pat= h)) > + :user (or (match-string 20 path) (match-string 21 pat= h)) > + :port (and-let* ((p (or (match-string 30 path) > + (match-string 31 path))) > + (n (string-to-number p))) > + (if (or (zerop n) (not port-number-p)) > + (format "%s" p) > + n))) > + seen))) [...] > +(defun auth-source-pass--find-match-many (hosts users ports require max) > + "Return plists for valid combinations of HOSTS, USERS, PORTS. > +Each plist contains, at the very least, a host and a secret." > + (let ((seen (make-hash-table :test #'equal)) > + (entries (auth-source-pass-entries)) > + out) > + (catch 'done > + (dolist (host hosts out) > + (pcase-let ((`(,_ ,u ,p) (auth-source-pass--disambiguate host))) > + (unless (or (not (equal "443" p)) (string-prefix-p "https://" = host)) > + (setq p nil)) > + (dolist (user (or users (list u))) > + (dolist (port (or ports (list p))) > + (dolist (e entries) > + (when-let* > + ((m (or (gethash e seen) (auth-source-pass--retrieve= -parsed > + seen e (integerp port)))) > + ((equal host (plist-get m :host))) > + ((auth-source-pass--match-parts m :port port requir= e)) > + ((auth-source-pass--match-parts m :user user requir= e)) > + (parsed (auth-source-pass-parse-entry e)) > + ;; For now, ignore body-content pairs, if any, > + ;; from `auth-source-pass--parse-data'. > + (secret (or (auth-source-pass--get-attr 'secret par= sed) > + (not (memq :secret require))))) > + (push > + `( :host ,host ; prefer user-provided :host over h > + ,@(and-let* ((u (plist-get m :user))) (list :user = u)) > + ,@(and-let* ((p (plist-get m :port))) (list :port = p)) > + ,@(and secret (not (eq secret t)) (list :secret se= cret))) > + out) > + (when (or (zerop (cl-decf max)) > + (null (setq entries (remove e entries)))) Remove will create a lot of garbage, e.g. (let ((x '(1 2 3 4 5))) (eq (remove 6 x) x)) and (let ((x '(1 2 3 4 5))) (eq (remove 1 x) (cdr x))) both returns nil. If you think delete is OK, go ahead and use it. If you think remove is better, keep it. Do whatever you think right. > + (throw 'done out))))))))))) > + [...] =2D-=20 Akib Azmain Turja, GPG key: 70018CE5819F17A3BBA666AFE74F0EFA922AE7F5 Fediverse: akib@hostux.social Codeberg: akib emailselfdefense.fsf.org | "Nothing can be secure without encryption." --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEyVTKmrtL6kNBe3FRVTX89U2IYWsFAmNuYCIACgkQVTX89U2I YWs9KBAAlrXAXpWRUi15waWQG0opGBOPpCiluhKzn7RzYAYhV3T6AIHhIFpBFT20 SlPLDfcyhLcGPyBRSDxxCEA2BtLztkCJGV9KNSRZXky0y/zVYU9NE/NYc0uOZevN vNHAQZH6Kspds2EIy0QinS7gOpo2ct++77/Ns3k8R4fejL8J2dB3Rddx7yCE4i+j BX+aOFzUrlNq5V0AgGVD22uIjZUoK+vGPEJxZBVD5+YOocKFXPGTvdGlJzh0VPNb x1jkoxEs+0t5jzTbS6l+C3SzYLL3puVIgIZp07hGtj55ErRrn/ODAG7NaWUKM90s BASutyCkibtUhENWP5ze91aLbYaE4qvnTnTGI8+hIfVKj5Im51GwDLW64KB2IEcz 8nqKnFKEpWHMjQFOpA/Kvd0446FZaIDh4M6+VzzbGgyejvXJTCpd3tZUU0NtLoVj Jvm2Ylg2ZSIgRo8UN8f4tI/S0UokwUeXo2RfTYIrz8YwufLxyx/yejHb2hX4VkTE RxbkcZMH3aPtw2qN9lfgK7NA31Y4mb74ZSsdLFLbRxq5d8hsxdw2IKjx/sRGeYUZ o3/kC9MXuUIoi2tmRjjIkGC1y/z32msqmtyOMySu0A7YjtODIQgaMZxBVZ7YQ2Qe QtU9r8woXU/npOzBUq1rgdZ3JGnNoahGEhcgmXtMmxZvQUF6aCw= =RBav -----END PGP SIGNATURE----- --=-=-=--