Gnus development mailing list
* Severe limitations in auth-source-macos-keychain-search
@ 2016-01-08  8:36 Nikolai Weibull
  2016-01-25 14:57 ` Ted Zlatanov
  2016-01-25 16:17 ` Jeff Bellegarde
  0 siblings, 2 replies; 4+ messages in thread
From: Nikolai Weibull @ 2016-01-08  8:36 UTC (permalink / raw)
  To: ding

Hi!

Is anyone actually using auth-source-macos-keychain-search (with Gnus)?

If so, how do you get it to work?  As far as I can tell, this function
doesn’t take into account that spec may contain keys that are lists,
for example, host and port.

Furthermore, in auth-source-macos-keychain-search-items, if called for
macos-keychain-generic, should probably validate that -c and -r only
receive four-letter values, as that’s what security(1) requires them
to be.




* Re: Severe limitations in auth-source-macos-keychain-search
  2016-01-08  8:36 Severe limitations in auth-source-macos-keychain-search Nikolai Weibull
@ 2016-01-25 14:57 ` Ted Zlatanov
  2016-01-25 16:17 ` Jeff Bellegarde
  1 sibling, 0 replies; 4+ messages in thread
From: Ted Zlatanov @ 2016-01-25 14:57 UTC (permalink / raw)
  To: ding

On Fri, 8 Jan 2016 09:36:56 +0100 Nikolai Weibull <now@disu.se> wrote: 

NW> Is anyone actually using auth-source-macos-keychain-search (with Gnus)?

Not with Gnus.

NW> If so, how do you get it to work?  As far as I can tell, this function
NW> doesn’t take into account that spec may contain keys that are lists,
NW> for example, host and port.

NW> Furthermore, in auth-source-macos-keychain-search-items, if called for
NW> macos-keychain-generic, should probably validate that -c and -r only
NW> receive four-letter values, as that’s what security(1) requires them
NW> to be.

Can you either try to write a patch against auth-source.el, or explain
in more detail how it should operate?

I have access to a Mac OS X machine, but I don't know enough about the
keychain to understand exactly what needs to be done.

Thanks
Ted





* Re: Severe limitations in auth-source-macos-keychain-search
  2016-01-08  8:36 Severe limitations in auth-source-macos-keychain-search Nikolai Weibull
  2016-01-25 14:57 ` Ted Zlatanov
@ 2016-01-25 16:17 ` Jeff Bellegarde
  2016-02-06  6:00   ` Lars Ingebrigtsen
  1 sibling, 1 reply; 4+ messages in thread
From: Jeff Bellegarde @ 2016-01-25 16:17 UTC (permalink / raw)
  To: ding

Nikolai Weibull <now@disu.se> writes:

> Hi!
>
> Is anyone actually using auth-source-macos-keychain-search (with Gnus)?
>

I just finished hacking something into shape. I added the following to my
.gnus. I doubt it's the best solution but it appears to work on my machine.


;; 1. spec contains lists for `host' and `port'. I use `first' to arbitrarily search for only the first key.
;; 2. Use -P to search for port instead of -r. -r requires a 4 character term and disallows a term like 'https'.
;;    -P seems to work for strings and port numbers.
(eval-when-compile (require 'cl))
(defun* auth-source-macos-keychain-search-items (coll type max
                                                      &rest spec
                                                      &key label type
                                                      host user port
                                                      &allow-other-keys)
  (let* ((keychain-generic (eq type 'macos-keychain-generic))
         (args `(,(if keychain-generic
                      "find-generic-password"
                    "find-internet-password")
                 "-g"))
         (ret (list :type type)))
    (when label
      (setq args (append args (list "-l" label))))
    (when host
      (setq args (append args (list (if keychain-generic "-c" "-s") (first host)))))
    (when user
      (setq args (append args (list "-a" user))))

    (when port
      (let ((port (first port)))
        (if keychain-generic
            (setq args (append args (list "-s" port)))
          (setq args (append args (list
                                   ;; (if (string-match "[0-9]+" port) "-P" "-r")
                                   "-P"
                                   port))))))

    (unless (equal coll "default")
      (setq args (append args (list coll))))

    (with-temp-buffer
      (message "Calling security with '%s'" args)
      (apply 'call-process "/usr/bin/security" nil t nil args)
      (goto-char (point-min))
      (while (not (eobp))
        (cond
         ((looking-at "^password: \"\\(.+\\)\"$")
          (setq ret (auth-source-macos-keychain-result-append
                     ret
                     keychain-generic
                     "secret"
                     (lexical-let ((v (match-string 1)))
                       (lambda () v)))))
         ;; TODO: check if this is really the label
         ;; match 0x00000007 <blob>="AppleID"
         ((looking-at "^[ ]+0x00000007 <blob>=\"\\(.+\\)\"")
          (setq ret (auth-source-macos-keychain-result-append
                     ret
                     keychain-generic
                     "label"
                     (match-string 1))))
         ;; match "crtr"<uint32>="aapl"
         ;; match "svce"<blob>="AppleID"
         ((looking-at "^[ ]+\"\\([a-z]+\\)\"[^=]+=\"\\(.+\\)\"")
          (setq ret (auth-source-macos-keychain-result-append
                     ret
                     keychain-generic
                     (match-string 1)
                     (match-string 2)))))
        (forward-line)))
    ;; return `ret' iff it has the :secret key
    (and (plist-get ret :secret) (list ret))))







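An added example, not from the thread or from auth-source.el: one way to address both points raised above, by expanding list-valued host and port into one security(1) query each and refusing values that -c and -r cannot accept. The my/ function names are hypothetical; the mapping of host and port to flags follows the function quoted above.

```elisp
;;; Added example; not part of auth-source.el.  All `my/' names are hypothetical.

(defun my/keychain-as-list (value)
  "Normalize a spec VALUE (nil, t, an atom or a list) to a list of strings.
nil and t add no filter, represented here as a single nil entry."
  (cond ((or (null value) (eq value t)) (list nil))
        ((listp value) (mapcar (lambda (v) (format "%s" v)) value))
        (t (list (format "%s" value)))))

(defun my/keychain-four-char-p (s)
  "Non-nil if S is exactly four characters, the form -c and -r require."
  (and (stringp s) (= (length s) 4)))

(defun my/keychain-arg-lists (type &rest spec)
  "Return one security(1) argument list per host/port combination in SPEC.
TYPE is `macos-keychain-generic' or `macos-keychain-internet'."
  (let ((generic (eq type 'macos-keychain-generic))
        (label (plist-get spec :label))
        (user (plist-get spec :user))
        result)
    (dolist (host (my/keychain-as-list (plist-get spec :host)))
      (dolist (port (my/keychain-as-list (plist-get spec :port)))
        (let ((host-args
               (cond ((null host) nil)
                     ((not generic) (list "-s" host))
                     ((my/keychain-four-char-p host) (list "-c" host))
                     (t 'invalid)))
              (port-args
               (cond ((null port) nil)
                     (generic (list "-s" port))
                     ((string-match-p "\\`[0-9]+\\'" port) (list "-P" port))
                     ((my/keychain-four-char-p port) (list "-r" port))
                     (t 'invalid))))
          ;; Skip the combination rather than drop the filter: a broader
          ;; query could return a credential stored for a different host.
          (unless (memq 'invalid (list host-args port-args))
            (push (append (list (if generic "find-generic-password"
                                  "find-internet-password")
                                "-g")
                          (and label (list "-l" label))
                          (and user (list "-a" user))
                          host-args port-args)
                  result)))))
    (nreverse result)))

;; Constructed sample call (host names and user are made up):
;; (my/keychain-arg-lists 'macos-keychain-internet
;;                        :host '("imap.example.org" "mail.example.org")
;;                        :port '("imaps" 993) :user "alice")
```

A caller would pass each returned list to call-process in turn and stop at the first one that yields a password line.
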
* Re: Severe limitations in auth-source-macos-keychain-search
  2016-01-25 16:17 ` Jeff Bellegarde
@ 2016-02-06  6:00   ` Lars Ingebrigtsen
  0 siblings, 0 replies; 4+ messages in thread
From: Lars Ingebrigtsen @ 2016-02-06  6:00 UTC (permalink / raw)
  To: Jeff Bellegarde; +Cc: ding

Jeff Bellegarde <bellegar@gmail.com> writes:

> I just finished hacking something into shape. I added the following to my
> .gnus. I doubt it's the best solution but it appears to work on my machine.
>
> ;; 1. spec contains lists for `host' and `port'. I use `first' to arbitrarily search for only the first key.
> ;; 2. Use -P to search for port instead of -r. -r requires a 4 character term and disallows a term like 'https'.
> ;;    -P seems to work for strings and port numbers.
> (eval-when-compile (require 'cl))
> (defun* auth-source-macos-keychain-search-items (coll type max
>                                                       &rest spec

Could you submit a patch for auth-source?  I'm sure other people would
also find this useful...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no


