* bug#54758: auth-source plstore encryption
@ 2022-04-07 0:02 Andrew Cohen
2022-04-07 11:18 ` Lars Ingebrigtsen
0 siblings, 1 reply; 2+ messages in thread
From: Andrew Cohen @ 2022-04-07 0:02 UTC (permalink / raw)
To: 54758
[-- Attachment #1: Type: text/plain, Size: 769 bytes --]
Tags: patch
In the plstore backend in auth-source all tokens are stored unencrypted
with the exception of the "secret". But it is necessary/convenient to
store other items encrypted as well (especially for use with oauth2)
such as the client-secret, and the refresh and access tokens. This small
patch adds the ability to specify which tokens should be stored in
encrypted fashion.
In GNU Emacs 29.0.50 (build 11, x86_64-pc-linux-gnu, GTK+ Version 3.24.33, cairo version 1.16.0)
of 2022-04-05 built on clove
Repository revision: 5a509be81c89d7afeb56b3faefd43fee00f1fb90
Repository branch: scratch/local
System Description: Debian GNU/Linux bookworm/sid
Configured using:
'configure --with-x-toolkit=gtk3 --with-native-compilation --with-pgtk
--with-xwidgets'
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: patch.diff --]
[-- Type: text/patch, Size: 4801 bytes --]
From 611185f7170db15dc5d036c53fd9c8f4fa1ff04d Mon Sep 17 00:00:00 2001
From: Andrew G Cohen <cohen@andy.bu.edu>
Date: Tue, 22 Mar 2022 13:04:58 +0800
Subject: [PATCH] Encrypt some parameters in auth-source plstore backend
The auth-source plstore backend allows a list of extra parameters but
currently stores them all unencrypted. This allows a plist with
:unencrypted and :encrypted keys to specify which extra parameters to
encrypt in the plstore file.
* lisp/auth-source.el (auth-source-plstore-create): Allow specifying
both unencrypted and encrypted extra parameters.
---
lisp/auth-source.el | 45 ++++++++++++++++++++++++++++-----------------
1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/lisp/auth-source.el b/lisp/auth-source.el
index cb528cebdc..cd135bd2e2 100644
--- a/lisp/auth-source.el
+++ b/lisp/auth-source.el
@@ -573,19 +573,24 @@ auth-source-search
or P. The resulting token will only have keys user, host, and
port.\"
-:create \\='(A B C) also means to create a token if possible.
+:create \\='(A B C) or
+:create \\='(:unencrypted A B :encrypted C)
+also means to create a token if possible.
The behavior is like :create t but if the list contains any
parameter, that parameter will be required in the resulting
-token. The value for that parameter will be obtained from the
-search parameters or from user input. If any queries are needed,
-the alist `auth-source-creation-defaults' will be checked for the
-default value. If the user, host, or port are missing, the alist
-`auth-source-creation-prompts' will be used to look up the
-prompts IN THAT ORDER (so the `user' prompt will be queried first,
-then `host', then `port', and finally `secret'). Each prompt string
-can use %u, %h, and %p to show the user, host, and port. The prompt
-is formatted with `format-prompt', a trailing \": \" is removed.
+token (the second form is used only with the plstore backend and
+specifies if any of the extra parameters should be stored in
+encrypted format.) The value for that parameter will be obtained
+from the search parameters or from user input. If any queries
+are needed, the alist `auth-source-creation-defaults' will be
+checked for the default value. If the user, host, or port are
+missing, the alist `auth-source-creation-prompts' will be used to
+look up the prompts IN THAT ORDER (so the `user' prompt will be
+queried first, then `host', then `port', and finally `secret').
+Each prompt string can use %u, %h, and %p to show the user, host,
+and port. The prompt is formatted with `format-prompt', a
+trailing \": \" is removed.
Here's an example:
@@ -2131,12 +2136,17 @@ auth-source-plstore-create
(let* ((base-required '(host user port secret))
(base-secret '(secret))
;; we know (because of an assertion in auth-source-search) that the
- ;; :create parameter is either t or a list (which includes nil)
- (create-extra (if (eq t create) nil create))
+ ;; :create parameter is either t, or a list (which includes nil
+ ;; or a plist)
+ (create-extra-secret (plist-get create :encrypted))
+ (create-extra (if (eq t create) nil
+ (or (append (plist-get create :unencrypted)
+ create-extra-secret) create)))
(current-data (car (auth-source-search :max 1
:host host
:port port)))
(required (append base-required create-extra))
+ (required-secret (append base-secret create-extra-secret))
;; `valist' is an alist
valist
;; `artificial' will be returned if no creation is needed
@@ -2158,10 +2168,11 @@ auth-source-plstore-create
(auth-source--aput valist br br-choice))))))
;; for extra required elements, see if the spec includes a value for them
- (dolist (er create-extra)
- (let ((k (auth-source--symbol-keyword er))
- (keys (cl-loop for i below (length spec) by 2
- collect (nth i spec))))
+ (let ((keys (cl-loop for i below (length spec) by 2
+ collect (nth i spec)))
+ k)
+ (dolist (er create-extra)
+ (setq k (auth-source--symbol-keyword er))
(when (memq k keys)
(auth-source--aput valist er (plist-get spec k)))))
@@ -2225,7 +2236,7 @@ auth-source-plstore-create
(eval default)))))
(when data
- (if (member r base-secret)
+ (if (member r required-secret)
(setq secret-artificial
(plist-put secret-artificial
(auth-source--symbol-keyword r)
--
2.34.1.575.g55b058a8bb
^ permalink raw reply related [flat|nested] 2+ messages in thread
* bug#54758: auth-source plstore encryption
2022-04-07 0:02 bug#54758: auth-source plstore encryption Andrew Cohen
@ 2022-04-07 11:18 ` Lars Ingebrigtsen
0 siblings, 0 replies; 2+ messages in thread
From: Lars Ingebrigtsen @ 2022-04-07 11:18 UTC (permalink / raw)
To: Andrew Cohen; +Cc: 54758
Andrew Cohen <acohen@ust.hk> writes:
> In the plstore backend in auth-source all tokens are stored unencrypted
> with the exception of the "secret". But it is necessary/convenient to
> store other items encrypted as well (especially for use with oauth2)
> such as the client-secret, and the refresh and access tokens. This small
> patch adds the ability to specify which tokens should be stored in
> encrypted fashion.
Makes sense to me; pushed to Emacs 29.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-04-07 11:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-07 0:02 bug#54758: auth-source plstore encryption Andrew Cohen
2022-04-07 11:18 ` Lars Ingebrigtsen
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).