From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: netrc field encryption in auth-source
Date: Fri, 17 Jun 2011 05:21:28 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <878vt04v2v.fsf@lifelogs.com>
References: <87liyndz5l.fsf@lifelogs.com> <8739jogwf9.fsf@lifelogs.com> <87lix9eknu.fsf_-_@lifelogs.com> <878vt52ykv.fsf@lifelogs.com> <878vt25tbf.fsf@lifelogs.com> <87boxxx5k4.fsf@lifelogs.com> <87d3ic4xc5.fsf@lifelogs.com>
Reply-To: emacs-devel@gnu.org
To: emacs-devel@gnu.org
Mail-Followup-To: emacs-devel@gnu.org
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux)
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:140607

On Fri, 17 Jun 2011 04:32:42 -0500 Ted Zlatanov wrote:

TZ> But wait, we can do better if it's an alist... Let's use the EPA
TZ> file pattern! The default can then be:

TZ> `((,(car epa-file-auto-mode-alist-entry) nil)
TZ>   (t ask))

TZ> ...and when the user says "yes, use GPG tokens for file xyz" we'd add
TZ> '("xyz" gpg) to the head of the alist and offer to save the defcustom.

TZ> We have to make the "never ask to add" choice 'never, because nil is now
TZ> a valid alist for the value. So it could only be 'never or a valid
TZ> alist.

Yes, that would work.
This made sense so I implemented a patch, replacing
`auth-source-save-secrets' with `auth-source-netrc-use-gpg-tokens' as
described above. It uses `epa-file-auto-mode-alist-entry' if it's bound.
I am not sure if I should just save the defcustom at the time the user
confirms or prompt instead. Please take a look. It makes sense to me and
the Customize interface looks nice.

Ted

Content-Type: text/x-diff
Content-Disposition: inline; filename=auth-source-gpg-tokens2.patch

diff --git a/lisp/auth-source.el b/lisp/auth-source.el
index 83e12d6..17be7d5 100644
--- a/lisp/auth-source.el
+++ b/lisp/auth-source.el
@@ -164,15 +164,30 @@ let-binding." (const :tag "Never save" nil) (const :tag "Ask" ask))) -(defcustom auth-source-save-secrets nil - "If set, auth-source will respect it for password tokens behavior." +;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") never) (t gpg))) +;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never) + +(defcustom auth-source-netrc-use-gpg-tokens 'never + "Set this to tell auth-source when to create GPG password +tokens in netrc files. It's either an alist or `never'." :group 'auth-source :version "23.2" ;; No Gnus :type `(choice - :tag "auth-source new password token behavior" - (const :tag "Use GPG tokens" gpg) - (const :tag "Save unencrypted" nil) - (const :tag "Ask" ask))) + (const :tag "Always use GPG password tokens" (t gpg)) + (const :tag "Never use GPG password tokens" never) + (repeat :tag "Use a lookup list" + (list + (choice :tag "Matcher" + (const :tag "Match anything" t) + (const :tag "The EPA encrypted file extensions" + ,(if (boundp 'epa-file-auto-mode-alist-entry) + (car (symbol-value + 'epa-file-auto-mode-alist-entry)) + "\\.gpg\\'")) + (regexp :tag "Regular expression")) + (choice :tag "What to do" + (const :tag "Save GPG-encrypted password tokens" gpg) + (const :tag "Don't encrypt tokens" never)))))) (defvar auth-source-magic "auth-source-magic ") @@ -257,9 +272,11 @@ can get pretty complex." ,@auth-source-protocols-customize)) (list :tag "User" :inline t (const :format "" :value :user) - (choice :tag "Personality/Username" + (choice + :tag "Personality/Username" (const :tag "Any" t) - (string :tag "Name"))))))))) + (string + :tag "Name"))))))))) (defcustom auth-source-gpg-encrypt-to t "List of recipient keys that `authinfo.gpg' encrypted to. 
@@ -960,7 +977,7 @@ Note that the MAX parameter is used so we can exit the parse early." (remove (symbol-value 'epa-file-handler) file-name-handler-alist) file-name-handler-alist)) - (find-file-hook + (,(if (boundp 'find-file-hook) 'find-file-hook 'find-file-hooks) ',(remove 'epa-file-find-file-hook find-file-hook)) (auto-mode-alist ',(if (boundp 'epa-file-auto-mode-alist-entry) 
@@ -1216,19 +1233,33 @@ See `auth-source-search' for details on SPEC." (cond ((and (null data) (eq r 'secret)) ;; Special case prompt for passwords. - ;; Respect `auth-source-save-secrets' - (let* ((ep (format "Do you want GPG password tokens? (%s)" - "see `auth-source-save-secrets'")) +;; TODO: make the default (setq auth-source-netrc-use-gpg-tokens `((,(if (boundp 'epa-file-auto-mode-alist-entry) (car (symbol-value 'epa-file-auto-mode-alist-entry)) "\\.gpg\\'") nil) (t gpg))) +;; TODO: or maybe leave as (setq auth-source-netrc-use-gpg-tokens 'never) + (let* ((ep (format "Use GPG password tokens in %s?" file)) (gpg-encrypt -;;; FIXME: this relies on .gpg files being handled by EPA/EPG - ;; don't put GPG tokens in GPG-encrypted files - (and (not (equal "gpg" (file-name-extension file))) - (or (eq auth-source-save-secrets 'gpg) - (and (eq auth-source-save-secrets 'ask) - (setq auth-source-save-secrets - (and (y-or-n-p ep) 'gpg)))))) + (cond + ((eq auth-source-netrc-use-gpg-tokens 'never) + 'never) + ((listp auth-source-netrc-use-gpg-tokens) + (let ((check (copy-sequence + auth-source-netrc-use-gpg-tokens)) + item ret) + (while check + (setq item (pop check)) + (when (string-match (car item) file) + (setq ret (cdr item)) + (setq check nil))))) + (t 'never))) (plain (read-passwd prompt))) - (if (eq auth-source-save-secrets 'gpg) + ;; ask if we don't know what to do (in which case + ;; auth-source-netrc-use-gpg-tokens must be a list) + (unless gpg-encrypt + (setq gpg-encrypt (if (y-or-n-p ep) 'gpg 'never)) + ;; TODO: save the defcustom now? or ask? + (setq auth-source-netrc-use-gpg-tokens + (cons `(,file ,gpg-encrypt) + auth-source-netrc-use-gpg-tokens))) + (if (eq gpg-encrypt 'gpg) (auth-source-epa-make-gpg-token plain file) plain))) ((null data) --=-=-=--
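Review bot: in the `@@ -164,15 +164,30 @@` hunk the choice `(const :tag "Always use GPG password tokens" (t gpg))` sets the option to a single entry `(t gpg)` instead of to an alist containing that entry. The matching code in the `@@ -1216` hunk treats any list value as the alist and does `(setq item (pop check))` followed by `(car item)`, so with this value `item` is the symbol `t` and `(car item)` signals wrong-type-argument; the const should be `((t gpg))`. The two long `;; TODO` comment lines above the defcustom also disagree with their copy in the later hunk (`never` here, `nil` there, as the action for EPA-matched files) and run far past the fill column; keeping one copy that uses the action the `:type` actually offers (`never`) avoids the drift.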
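Review bot: the `@@ -257,9 +272,11 @@` hunk only re-wraps `(choice :tag "Personality/Username"` and `(string :tag "Name")` across two lines each, with no functional change. It would be cleaner to commit that whitespace change separately (or drop it) so the GPG-token patch reads as one logical change.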
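Review bot: in the `@@ -960,7 +977,7 @@` hunk the variable being let-bound is chosen with `(,(if (boundp 'find-file-hook) 'find-file-hook 'find-file-hooks)`, but the value expression still reads `find-file-hook` directly in `',(remove 'epa-file-find-file-hook find-file-hook)`. On the Emacs this branch exists for, where `find-file-hook` is unbound and only `find-file-hooks` exists, evaluating the value signals void-variable before the binding is ever made. Bind the chosen symbol once and read its value with `symbol-value` in both places so the name and the value agree.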
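Review bot: the `(listp auth-source-netrc-use-gpg-tokens)` branch in the `@@ -1216,19 +1233,33 @@` hunk never returns what it computed: the `let` body is only the `(while check ...)` form, which evaluates to nil, so `ret` is set and then discarded, `gpg-encrypt` is nil for every list value, and the `(unless gpg-encrypt ...)` prompt fires every time even when the alist matched. Make `ret` the last form of the `let`. Two more problems in the same loop: entries are two-element lists (the code itself prepends `(,file ,gpg-encrypt)` and the `:type` builds `(list (choice ...) (choice ...))`), so `(setq ret (cdr item))` yields `(gpg)` or `(never)` rather than the bare symbol and `(eq gpg-encrypt 'gpg)` can never be true; use `(cadr item)`. And the `t` "match anything" matcher offered by the `:type` is passed straight to `(string-match (car item) file)`, which signals wrong-type-argument for a non-string; test for `t` before calling `string-match`. Finally, the entry prepended after the prompt uses the raw file name as a matcher that `string-match` will interpret as a regexp, so wrap it in `regexp-quote`, and note that removing `(not (equal "gpg" (file-name-extension file)))` drops the only hard check that kept GPG tokens out of files that are themselves GPG-encrypted; with the default `'never` nothing else restores it, and a user alist of `((t gpg))` would write tokens into `authinfo.gpg`.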