Prior to this commit, while searching for the most applicable entry
password-store entries were decrypted and parsed to ensure they were
valid. The entries were parsed in the order they were found on the
filesystem and all applicable entries would be decrypted and parsed,
which varied based on the contents of the password-store and the entry
to be found.
This is fine when the GPG key is cached and each entry can be
decrypted without user interaction. However, for security some people
have their GPG on a hardware token like a Yubikey setup so that they
have to touch a sensor on the toke for every cryptographic operation,
in which case it becomes inconvenient as each attempt to find an entry
requires a variable number of touches of the hardware token.
The implementation already assumes that names which contain more of
the information in the search key should be preferred so there is an
ordering of preference of applicable entries. If the decrypt and
parsing is removed from the initial identification of applicable
entries in the store then in most cases a single decrypt and parse of
the most preferred entry will suffice, improving the experience for
hardware token users that require interaction with the token.
This commit implements that strategy. It is in spirit a refactor of
the existing code.
* lisp/auth-source-pass.el (auth-source-pass--matching-entries): New
function, generate an ordered list of regular expression matchers for
all possible names that could be in the password-store for the entry
to be found and then makes a pass over the password-store entry names
accumulating the matching entries in a list after the regexp that
matched. This implementation ensures the password-store entry list
still only has to be scanned once.
(auth-source-pass--find-match-unambiguous): Use it to obtain candidate
entries and then parse them one by one until an entry containing the
desired information is located. When complete, return the parsed data
of the entry instead of the entry name so that the information can be
used directly to construct the auth-source response.
(auth-source-pass--build-result): Update accordingly.
(auth-source-pass--find-match): Update docstring accordingly.
(auth-source-pass--select-one-entry)
(auth-source-pass--entry-valid-p)
(auth-source-pass--find-all-by-entry-name)
(auth-source-pass--find-one-by-entry-name): Remove.
(auth-source-pass--select-from-entries)
(auth-source-pass--accumulate-matches)
(auth-source-pass--entry-reducer)
(auth-source-pass--generate-entry-suffixes)
(auth-source-pass--domains)
(auth-source-pass--name-port-user-suffixes): New functions.
* test/lisp/auth-source-pass-tests.el: One test case was added to the
test suite to verify that only the minimal number of entries are
parsed in common cases. The
auth-source-pass-only-return-entries-that-can-be-open test case had to
be re-implemented because the function it was used eliminated as the
functionality is provided elsewhere. All the other fairly substantial
changes to the test suite are the result of mechanical changes that
were required to adapt to auth-source-pass--find-match returning the
data from a parsed password-store entry instead of the entry name.
auth-source-pass supports entries with username either prefixed to the
hostname with an @ as separator or in a subdirectory under the
hostname. This was true when there was no port or service included in
the name, but got broken with the introduction of
auth-source-pass-port-separator.
* lisp/auth-source-pass.el (auth-source-pass--find-match-unambiguous): Fix
to match hostname:port/username.
* test/lisp/auth-source-pass-tests.el: Add corresponding tests.
* lisp/auth-source-pass.el (auth-source-pass-port-separator): New
option to specify separator between host and port, default to
colon (":").
(auth-source-pass--find-match-unambiguous): Adapt to make use of the
new variable.
* test/lisp/auth-source-pass-tests.el: Add corresponding tests.
* lisp/auth-source-pass.el (auth-source-pass-search): If there is no
matching entry, auth-source-pass-search should return nil, not (nil).
This lets auth-source fall back to other backends in the auth-sources
list.
* test/lisp/auth-source-pass-tests.el: Add corresponding test.
Copyright-paperwork-exempt: yes
* lisp/auth-source-pass.el (auth-source-pass-search): Warn when
passing multiple hosts in SPEC. Early return and warn when passing a
wildcard as host in SPEC. Early return when host is nil.
* test/lisp/auth-source-pass-tests.el (auth-source-pass-any-host,
auth-source-pass-undefined-host): Add corresponding tests.
* lisp/auth-source-pass.el (auth-source-pass--find-match): Add PORT
parameter and reorganize code by extracting `find-match-unambiguous'.
(auth-source-pass--find-match-unambiguous): New function.
(auth-source-pass--build-result): Fix the call to `find-match'.
(auth-source-pass--hostname, auth-source-pass--hostname-with-user,
auth-source-pass--user): Remove functions.
* test/lisp/auth-source-pass-tests.el: Fix the calls to `find-match'.
(auth-source-pass-find-host-without-port) Add corresponding test.
* test/lisp/auth-source-pass-tests.el
(auth-source-pass-build-result-passes-full-host-to-find-match): Add
test making sure find-match is called with full host.
63b04c11d5 Fix copyright years by hand
5c7dd8a783 Update copyright year to 2018
220a9ecba1 Merge from Gnulib
312c565566 Don't add empty keyboard macro to macro ring (Bug#24992)
39ca289a7a Allow customization of decoding of "man" command
f8240815ea * etc/NEWS: Add security consideration note on passphrase ...
0c78822c70 Fix subtle problem with scroll-down when scroll-margin is ...
acd289c5a4 Fix problems with indexing in User manual
b240c7846b * lisp/help.el (describe-key): Only (copy-sequence elt) wh...
e879a5444a * src/buffer.c (Frestore_buffer_modified_p): Fix bug#29846
81b1028b63 Improve documentation of 'inhibit-modification-hooks' and ...
7175496d7a Fix doc string of 'enable-recursive-minibuffers'
5b38406491 Fix documentation of delsel and of killing text
# Conflicts:
# etc/NEWS
# etc/refcards/ru-refcard.tex
* lisp/auth-source-pass.el (auth-source-pass--user): New function.
(auth-source-pass--find-match): Use it. When the user is not
explicitly specified and no entry is found, extract the user from
the host and then search again. (Bug#29045)
* test/lisp/auth-source-pass-tests.el
(auth-source-pass-find-match-matching-extracting-user-from-host):
Add a new test case.
Copyright-paperwork-exempt: yes
Most of this change is to boilerplate commentary such as license URLs.
This change was prompted by ftp://ftp.gnu.org's going-away party,
planned for November. Change these FTP URLs to https://ftp.gnu.org
instead. Make similar changes for URLs to other organizations moving
away from FTP. Also, change HTTP to HTTPS for URLs to gnu.org and
fsf.org when this works, as this will further help defend against
man-in-the-middle attacks (for this part I omitted the MS-DOS and
MS-Windows sources and the test tarballs to keep the workload down).
HTTPS is not fully working to lists.gnu.org so I left those URLs alone
for now.
* doc/misc/auth.texi: Document new integration with Pass. Use @itemize
instead of @enumerate.
* lisp/auth-source-pass.el: Fix indentation.
(auth-source-pass--remove-directory-name): Remove.
* test/lisp/auth-source-pass-tests.el: Adjust test macros.
