unofficial mirror of emacs-devel@gnu.org 
* Loading credentials from login keyring
@ 2020-12-29 19:33 Thomas Hisch
  2020-12-31 10:14 ` Ted Zlatanov
  2020-12-31 15:18 ` Michael Albinus
  0 siblings, 2 replies; 6+ messages in thread
From: Thomas Hisch @ 2020-12-29 19:33 UTC (permalink / raw)
  To: emacs-devel

I'm the author of an elisp pkg [1] that talks via a REST API with a
server. For determining the credentials I use
`auth-source-user-and-password` in this elisp pkg.

Currently I store my credentials in an .authinfo file, but I
would like to read them from the keyring, since I already have
credentials for the service in the Login keyring.

I created the credentials using the python-keyring [2] pkg using the command

`keyring set hostname username`

The above command creates an entry in the Login keyring that has the
following schema (output of `M-x secrets-show-secrets`)

 `-[-] Password for ’thomas.hisch’ on ’hostname’
    |-  password:    ********** [Show password]
    |-  application: Python keyring library
    |-  service:     hostname
    |-  username:    thomas.hisch
    `-  xdg:schema:  org.freedesktop.Secret.Generic

The problem now is that `auth-source-user-and-password` doesn't find the
credentials in the "Login" keyring, i.e.,

(let ((auth-sources '("secrets:Login")))
  (auth-source-user-and-password "hostname"))

returns nil. The reason for this is that `auth-source-user-and-password`
searches for an entry with a plist key :host and not with the key :service.

I know that I can manually pass the search spec to `auth-source-search`,
but I want to keep the auth code in my pkg as high-level as
possible. I also don't want to break anything for
users that use different auth-sources.

Is the implementation of auth-source.el, e.g.
`auth-source-user-and-password`, supposed
to support reading of secrets stored in a keyring, which are not created by
emacs?

Best regards,
Thomas

[1] https://github.com/thisch/gerrit.el
[2] https://keyring.readthedocs.io/en/latest/


* Re: Loading credentials from login keyring
  2020-12-29 19:33 Loading credentials from login keyring Thomas Hisch
@ 2020-12-31 10:14 ` Ted Zlatanov
  2020-12-31 15:19   ` Michael Albinus
  2020-12-31 15:18 ` Michael Albinus
  1 sibling, 1 reply; 6+ messages in thread
From: Ted Zlatanov @ 2020-12-31 10:14 UTC (permalink / raw)
  To: Thomas Hisch, Michael Albinus; +Cc: emacs-devel

On Tue, 29 Dec 2020 20:33:13 +0100 Thomas Hisch <t.hisch@gmail.com> wrote: 

TH> I created the credentials using the python-keyring [2] pkg using the command

TH> `keyring set hostname username`

TH> The above command creates an entry in the Login keyring that has the
TH> following schema (output of `M-x secrets-show-secrets`)

TH>  `-[-] Password for ’thomas.hisch’ on ’hostname’
TH>     |-  password:    ********** [Show password]
TH>     |-  application: Python keyring library
TH>     |-  service:     hostname
TH>     |-  username:    thomas.hisch
TH>     `-  xdg:schema:  org.freedesktop.Secret.Generic

TH> The problem now is that `auth-source-user-and-password` doesn't find the
TH> credentials in the "Login" keyring, i.e.,

TH> (let ((auth-sources '("secrets:Login")))
TH>   (auth-source-user-and-password "hostname"))

TH> returns nil. The reason for this is that `auth-source-user-and-password`
TH> searches for an entry with a plist key :host and not with the key :service.

If there will never be a :host in the Login keyring, I have no objection
to mapping :service to :host on the backend or specifically in
`auth-source-user-and-password`. But I don't know if that will break any
existing use cases.

Michael, WDYT?

Thanks
Ted




* Re: Loading credentials from login keyring
  2020-12-29 19:33 Loading credentials from login keyring Thomas Hisch
  2020-12-31 10:14 ` Ted Zlatanov
@ 2020-12-31 15:18 ` Michael Albinus
  2021-01-01  9:08   ` Thomas Hisch
  1 sibling, 1 reply; 6+ messages in thread
From: Michael Albinus @ 2020-12-31 15:18 UTC (permalink / raw)
  To: Thomas Hisch; +Cc: emacs-devel

Thomas Hisch <t.hisch@gmail.com> writes:

Hi Thomas,

> returns nil. The reason for this is that
> `auth-source-user-and-password` searches for an entry with a plist key
> :host and not with the key :service.
>
> I know that I can manually pass the search spec to `auth-source-search`,
> but I want to keep the auth code in my pkg as high-level as
> possible. I also don't want to break anything for
> users that use different auth-sources.
>
> Is the implementation of auth-source.el, e.g.
> `auth-source-user-and-password`, supposed
> to support reading of secrets stored in a keyring, which are not
> created by emacs?

That's a very good question. AFAIK, there is no common schema for the
Login keyring, so you are best served to use entries which have been
created with the same application.

> Best regards,
> Thomas

Best regards, Michael.




* Re: Loading credentials from login keyring
  2020-12-31 10:14 ` Ted Zlatanov
@ 2020-12-31 15:19   ` Michael Albinus
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Albinus @ 2020-12-31 15:19 UTC (permalink / raw)
  To: Thomas Hisch, emacs-devel

Ted Zlatanov <tzz@lifelogs.com> writes:

Hi Ted,

> TH> returns nil. The reason for this is that `auth-source-user-and-password`
> TH> searches for an entry with a plist key :host and not with the key :service.
>
> If there will never be a :host in the Login keyring, I have no objection
> to mapping :service to :host on the backend or specifically in
> `auth-source-user-and-password`. But I don't know if that will break any
> existing use cases.
>
> Michael, WDYT?

I have no objection. However, I recommend making this mapping
configurable, i.e. giving the user an option which describes this mapping.

> Thanks
> Ted
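
The configurable :service-to-:host mapping discussed in this message, sketched as a package-side fallback. This is an added example, not code from auth-source.el, gerrit.el or any poster in the thread; the `my-keyring-` names and the option are hypothetical, and the default mapping is taken from the python-keyring item shown in the first message.

```elisp
;;; -*- lexical-binding: t -*-
(require 'auth-source)
(require 'secrets)
(require 'seq)

;; Hypothetical user option (assumption, not part of Emacs): how
;; auth-source's :host and :user are named in keyring items that were
;; written by another application.
(defvar my-keyring-attribute-map '((:host . :service) (:user . :username))
  "Alist mapping auth-source search keys to foreign item attributes.")

(defun my-keyring--foreign-lookup (collection host &optional user)
  "Return (USER PASSWORD) for HOST from COLLECTION, or nil.
Attribute names are taken from `my-keyring-attribute-map'."
  (let* ((host-attr (alist-get :host my-keyring-attribute-map))
         (user-attr (alist-get :user my-keyring-attribute-map))
         (items (and (bound-and-true-p secrets-enabled)
                     (member collection (secrets-list-collections))
                     (apply #'secrets-search-items collection
                            host-attr host
                            (and user (list user-attr user))))))
    ;; Accept only an unambiguous match.  With several accounts stored
    ;; for one host and no USER given, picking the first item could send
    ;; the wrong credentials to the server, so return nil instead.
    (when (= (length items) 1)
      (let ((item (car items)))
        (list (secrets-get-attribute collection item user-attr)
              (secrets-get-secret collection item))))))

(defun my-keyring-user-and-password (host &optional user)
  "Like `auth-source-user-and-password', plus a foreign-keyring fallback.
The standard :host lookup runs first, so .authinfo and Emacs-created
keyring entries keep working unchanged."
  (or (auth-source-user-and-password host user)
      (seq-some
       (lambda (source)
         ;; Only string entries of the form \"secrets:COLLECTION\" are
         ;; handled here; other auth-source kinds are left alone.
         (and (stringp source)
              (string-prefix-p "secrets:" source)
              (my-keyring--foreign-lookup
               (substring source (length "secrets:")) host user)))
       auth-sources)))
```

With `auth-sources` set to `'("secrets:Login")` as in the first message, `(my-keyring-user-and-password "hostname")` finds the item whose "service" attribute is "hostname".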




* Re: Loading credentials from login keyring
  2020-12-31 15:18 ` Michael Albinus
@ 2021-01-01  9:08   ` Thomas Hisch
  2021-01-01 10:25     ` Michael Albinus
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Hisch @ 2021-01-01  9:08 UTC (permalink / raw)
  To: Michael Albinus; +Cc: emacs-devel

Hi Michael,

On Thu, Dec 31, 2020 at 4:18 PM Michael Albinus <michael.albinus@gmx.de>
wrote:

> Thomas Hisch <t.hisch@gmail.com> writes:
>
> Hi Thomas,
>
> > returns nil. The reason for this is that
> > `auth-source-user-and-password` searches for an entry with a plist key
> > :host and not with the key :service.
> >
> > I know that I can manually pass the search spec to `auth-source-search`,
> > but I want to keep the auth code in my pkg as high-level as
> > possible. I also don't want to break anything for
> > users that use different auth-sources.
> >
> > Is the implementation of auth-source.el, e.g.
> > `auth-source-user-and-password`, supposed
> > to support reading of secrets stored in a keyring, which are not
> > created by emacs?
>
> That's a very good question. AFAIK, there is no common schema for the
> Login keyring, so you are best served to use entries which have been
> created with the same application.
>

I also don't think that there is a common schema for the Login keyring, but
I'll ask the python-keyring
developers why they have chosen the fieldname "service".

BR, Thomas.


* Re: Loading credentials from login keyring
  2021-01-01  9:08   ` Thomas Hisch
@ 2021-01-01 10:25     ` Michael Albinus
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Albinus @ 2021-01-01 10:25 UTC (permalink / raw)
  To: Thomas Hisch; +Cc: emacs-devel

Thomas Hisch <t.hisch@gmail.com> writes:

> Hi Michael,

Hi Thomas,

> I also don't think that there is a common schema for the Login
> keyring, but I'll ask the python-keyring
> developers why they have chosen the fieldname "service".

While you are at this, you might also ask whether they could set
"xdg:schema". This would give us the possibility to determine their
application, and to handle an attribute mapping better.

They have set the "application" attribute, but this is not standardized AFAIK.

> BR, Thomas.

Best regards, Michael.


