From: Andrew Cohen
Newsgroups: gmane.emacs.bugs
Subject: bug#54758: auth-source plstore encryption
Date: Thu, 07 Apr 2022 08:02:41 +0800
Message-ID: <87tub57obi.fsf@ust.hk>
To: 54758@debbugs.gnu.org
Tags: patch

In the plstore backend in auth-source all tokens are stored unencrypted with the exception of the "secret". But it is necessary/convenient to store other items encrypted as well (especially for use with oauth2) such as the client-secret and the refresh and access tokens. This small patch adds the ability to specify which tokens should be stored in encrypted fashion.

In GNU Emacs 29.0.50 (build 11, x86_64-pc-linux-gnu, GTK+ Version 3.24.33, cairo version 1.16.0) of 2022-04-05 built on clove
Repository revision: 5a509be81c89d7afeb56b3faefd43fee00f1fb90
Repository branch: scratch/local
System Description: Debian GNU/Linux bookworm/sid
Configured using:
 'configure --with-x-toolkit=gtk3 --with-native-compilation --with-pgtk --with-xwidgets'

Attachment: patch.diff (text/patch)

From 611185f7170db15dc5d036c53fd9c8f4fa1ff04d Mon Sep 17 00:00:00 2001
From: Andrew G Cohen
Date: Tue, 22 Mar 2022 13:04:58 +0800
Subject: [PATCH] Encrypt some parameters in auth-source plstore backend

The auth-source plstore backend allows a list of extra parameters but
currently stores them all unencrypted. This allows a plist with
:unencrypted and :encrypted keys to specify which extra parameters to
encrypt in the plstore file.

* lisp/auth-source.el (auth-source-plstore-create): Allow specifying
both unencrypted and encrypted extra parameters.
---
 lisp/auth-source.el | 45 ++++++++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/lisp/auth-source.el b/lisp/auth-source.el
index cb528cebdc..cd135bd2e2 100644
--- a/lisp/auth-source.el
+++ b/lisp/auth-source.el
@@ -573,19 +573,24 @@ auth-source-search or P. The resulting token will only have keys user, host, and port.\" -:create \\='(A B C) also means to create a token if possible. +:create \\='(A B C) or +:create \\='(:unencrypted A B :encrypted C) +also means to create a token if possible. The behavior is like :create t but if the list contains any parameter, that parameter will be required in the resulting -token. The value for that parameter will be obtained from the -search parameters or from user input. If any queries are needed, -the alist `auth-source-creation-defaults' will be checked for the -default value. If the user, host, or port are missing, the alist -`auth-source-creation-prompts' will be used to look up the -prompts IN THAT ORDER (so the `user' prompt will be queried first, -then `host', then `port', and finally `secret'). Each prompt string -can use %u, %h, and %p to show the user, host, and port. The prompt -is formatted with `format-prompt', a trailing \": \" is removed. +token (the second form is used only with the plstore backend and +specifies if any of the extra parameters should be stored in +encrypted format.) The value for that parameter will be obtained +from the search parameters or from user input. If any queries +are needed, the alist `auth-source-creation-defaults' will be +checked for the default value. If the user, host, or port are +missing, the alist `auth-source-creation-prompts' will be used to +look up the prompts IN THAT ORDER (so the `user' prompt will be +queried first, then `host', then `port', and finally `secret'). +Each prompt string can use %u, %h, and %p to show the user, host, +and port. The prompt is formatted with `format-prompt', a +trailing \": \" is removed. Here's an example: 
@@ -2131,12 +2136,17 @@ auth-source-plstore-create (let* ((base-required '(host user port secret)) (base-secret '(secret)) ;; we know (because of an assertion in auth-source-search) that the - ;; :create parameter is either t or a list (which includes nil) - (create-extra (if (eq t create) nil create)) + ;; :create parameter is either t, or a list (which includes nil + ;; or a plist) + (create-extra-secret (plist-get create :encrypted)) + (create-extra (if (eq t create) nil + (or (append (plist-get create :unencrypted) + create-extra-secret) create))) (current-data (car (auth-source-search :max 1 :host host :port port))) (required (append base-required create-extra)) + (required-secret (append base-secret create-extra-secret)) ;; `valist' is an alist valist ;; `artificial' will be returned if no creation is needed @@ -2158,10 +2168,11 @@ auth-source-plstore-create (auth-source--aput valist br br-choice)))))) ;; for extra required elements, see if the spec includes a value for them - (dolist (er create-extra) - (let ((k (auth-source--symbol-keyword er)) - (keys (cl-loop for i below (length spec) by 2 - collect (nth i spec)))) + (let ((keys (cl-loop for i below (length spec) by 2 + collect (nth i spec))) + k) + (dolist (er create-extra) + (setq k (auth-source--symbol-keyword er)) (when (memq k keys) (auth-source--aput valist er (plist-get spec k))))) @@ -2225,7 +2236,7 @@ auth-source-plstore-create (eval default))))) (when data - (if (member r base-secret) + (if (member r required-secret) (setq secret-artificial (plist-put secret-artificial (auth-source--symbol-keyword r) -- 2.34.1.575.g55b058a8bb --=-=-=--
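Review bot: on the first hunk (the `auth-source-search` docstring), the new sentence says the `(:unencrypted A B :encrypted C)` form "is used only with the plstore backend" but not what happens when another backend receives it, and the patch changes only `auth-source-plstore-create`; with the expansion this patch removes, `(create-extra (if (eq t create) nil create))`, the keywords and their values would simply become required parameter names. State the behaviour for the other backends in the docstring, or reject the plist form for them in `auth-source-search` next to the assertion the code comment refers to. Minor: the parenthetical closes with the period inside the bracket, `encrypted format.)`; it should read `encrypted format).`.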
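Review bot: in the `auth-source-plstore-create` hunk that introduces `create-extra-secret`, the plist form is recognised only implicitly, by calling `plist-get` on whatever list `:create` holds. A plain parameter list is read as a plist too, and a plist whose two values are both nil, `'(:unencrypted nil :encrypted nil)`, makes `(or (append (plist-get create :unencrypted) create-extra-secret) create)` fall through to `create` itself, so `:unencrypted` and `:encrypted` end up in `required` and are prompted for as parameters. Test the form explicitly, for example with `(keywordp (car-safe create))`, before consulting `plist-get`, and let the plain-list branch return `create` unchanged.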
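Review bot: the hunk that moves `keys` out of the `dolist` is a behaviour-neutral refactor (one `keys` computation and one `k` binding instead of recomputing per element) that the commit message does not mention; either leave it out of this patch or add it to the ChangeLog entry so each change is reviewable on its own. Since `create-extra` now also carries the `:encrypted` extras, this loop is what lets their values be taken from the search spec instead of being prompted for, which deserves a short comment at the `(when (memq k keys)` line.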
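Review bot: the final hunk routes every `:encrypted` extra into `secret-artificial` via `(member r required-secret)`, but nothing in the patch shows whether such a value, when it is absent from the spec and has to come from user input, is read with a hidden prompt like `secret` or with an ordinary visible one; if the latter, a client-secret or refresh token typed at the prompt is echoed on screen even though it is then stored encrypted. Please confirm, or route the `required-secret` members through the same hidden prompt as `secret`. Minor: both lists hold symbols, so `memq` would do, matching the `(memq k keys)` used earlier in the same function.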
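A check for the problem the report describes, added here as an example (it is not code from bug#54758, auth-source.el or plstore.el): given the text of a plstore file, list which keys each entry keeps in the cleartext public section and flag the ones that look like credentials. It assumes the file layout plstore.el writes, a `;;; public entries` line followed by the public alist printed as Lisp, then a `;;; secret entries` line and the OpenPGP payload, and that encrypted keys appear in the public alist only as `:secret-KEY t` placeholders; the function and constant names (`my-plstore-...`), the list of sensitive key names and both sample files are constructed for the example. The second sample shows the shape an entry takes once its extra parameters are created with the `:create '(:unencrypted client-id :encrypted client-secret refresh-token)` form the patch documents.

```elisp
;;; Added example, not part of auth-source.el or plstore.el.
;;; Audits which keys a plstore file keeps in cleartext.
;;;
;;; Assumed layout (as written by plstore.el):
;;;   ;;; public entries -- don't edit
;;;   ((NAME :key value ... :secret-KEY t ...))
;;;   ;;; secret entries -- don't edit
;;;   "<OpenPGP armored payload as a Lisp string>"
;;; Keys that plstore encrypts show up in the public alist only as
;;; :secret-KEY placeholders whose value is t.

(require 'cl-lib)

(defconst my-plstore-sensitive-keys
  '(:secret :client-secret :refresh-token :access-token :password :token)
  "Keys whose values should never sit in the public section.
Hypothetical list chosen for this example.")

(defun my-plstore-public-alist (text)
  "Return the public alist of the plstore file contents TEXT."
  (with-temp-buffer
    (insert text)
    (goto-char (point-min))
    (unless (looking-at ";;; public entries")
      (error "Not a plstore file"))
    (forward-line)
    ;; `read' consumes exactly one sexp: the public alist.
    (read (current-buffer))))

(defun my-plstore-cleartext-keys (text)
  "Return an alist (NAME . KEYS) of the keys stored in cleartext per entry.
Placeholders of the form :secret-KEY mark encrypted keys and are skipped."
  (mapcar (lambda (entry)
            (let ((plist (cdr entry))
                  keys)
              (while plist
                (let ((key (car plist)))
                  (unless (string-prefix-p ":secret-" (symbol-name key))
                    (push key keys)))
                (setq plist (cddr plist)))
              (cons (car entry) (nreverse keys))))
          (my-plstore-public-alist text)))

(defun my-plstore-audit (text)
  "Return the entries of TEXT that keep a sensitive key in cleartext.
Result is an alist (NAME . SENSITIVE-CLEARTEXT-KEYS); nil means clean."
  (cl-loop for (name . keys) in (my-plstore-cleartext-keys text)
           for bad = (cl-intersection keys my-plstore-sensitive-keys)
           when bad collect (cons name bad)))

;; Constructed sample: an entry written the old way, where only :secret
;; is encrypted and the extra parameters stay in the public section.
;; The PGP payload is a placeholder string, not real ciphertext.
(defconst my-plstore-sample-before
  ";;; public entries -- don't edit
((\"api.example.com:alice\" :host \"api.example.com\" :user \"alice\"
  :port \"https\" :client-id \"app-123\" :client-secret \"cs-PLAINTEXT\"
  :refresh-token \"rt-PLAINTEXT\" :secret-secret t))
;;; secret entries -- don't edit
\"-----BEGIN PGP MESSAGE-----\\n(placeholder)\\n-----END PGP MESSAGE-----\"
")

;; Constructed sample: the same entry created with
;; :create '(:unencrypted client-id :encrypted client-secret refresh-token);
;; the sensitive keys remain in the public section only as placeholders.
(defconst my-plstore-sample-after
  ";;; public entries -- don't edit
((\"api.example.com:alice\" :host \"api.example.com\" :user \"alice\"
  :port \"https\" :client-id \"app-123\" :secret-secret t
  :secret-client-secret t :secret-refresh-token t))
;;; secret entries -- don't edit
\"-----BEGIN PGP MESSAGE-----\\n(placeholder)\\n-----END PGP MESSAGE-----\"
")

(defun my-plstore-audit-file (file)
  "Audit the plstore FILE on disk; same result shape as `my-plstore-audit'."
  (my-plstore-audit
   (with-temp-buffer
     (insert-file-contents file)
     (buffer-string))))
```

Evaluate the buffer, then call `(my-plstore-audit my-plstore-sample-before)`: the first sample is reported with `:client-secret` and `:refresh-token` as cleartext keys, while `(my-plstore-audit my-plstore-sample-after)` is nil. `my-plstore-audit-file` applies the same check to an existing `.plist` in `auth-sources`, which is the quickest way to find out what an older store already exposes before re-creating its entries with the `:encrypted` form.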