emacs-devel
Re: authinfo gnutls netrc.el auth-sources & smtpmail-starttls-credential


From: MON KEY
Subject: Re: authinfo gnutls netrc.el auth-sources & smtpmail-starttls-credentials
Date: Wed, 10 Jun 2009 16:43:14 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.94 (gnu/linux)

Ted Zlatanov <address@hidden> writes:
> Yes, it lets people get stuff done.  It's not a security risk and does
> not behave in an unexpected way.  It can be augmented but the
>
> Ted

Some observations:

In "../emacs/lisp/gnus/auth-source.el" `auth-source-user-or-password'
When a match is made for MODE (e.g. user's login and password) it is
cached to the hashtable
`auth-source-cache' by default - the user must override this value if
this is not what is wanted.
This cache holds: login password | host port protocol as key/vals
with login and password obfuscated to (login password) respectively.

Additionally, when a match is made `auth-source-user-or-password' spits out a
'gnus-message 9' indicating that a match has been made (with password
obfuscated).

docstring for `gnus-message' provides some guidelines for message levels:
"Guideline for numbers: {...} 9 - messages inside loops."

The `gnus-message' is printed when it exceeds the `gnus-verbose'
threshold (defaults to 7)
Which is to say, assuming the user has `gnus-util' library loaded and
his `gnus-verbose' level
set at or above level 9(nine) - he may see _gnus-message_ indicating
that the password/login has been cached
along with a timestamp _if_ `gnus-add-timestamp-to-message' is t.

Great! No Wait... any code that evaluates
`auth-source-user-or-password' directly has the value returned to
*Messages*
regardless of the `gnus-verbosity' levels. He _may not_ see those but
they may well be there anyway.

`../emacs/lisp/gnus/gnus-util.el' has one of these: (require 'netrc)


`../emacs/lisp/url/url-auth.el' has one of these:
(autoload 'auth-source-user-or-password "auth-source")

---
From `../emacs/lisp/url/ChangeLog':

2008-06-07  Glenn Morris  <address@hidden>

       * url-auth.el (auth-source-user-or-password): Remove unnecessary
       eval-and-compile.
-
2008-05-12  Teodor Zlatanov  <address@hidden>

       * url-auth.el: Add autoload cookie for `auth-source-user-or-password'.
       (url-basic-auth, url-digest-auth): Use it with any realm,
       overriding the user name and password before the prompt.

---
Also, re: my previous post:
> auth-sources wants netrc.el per `auth-source-user-or-password'

It is worth noting that the call out to netrc.el happens at compile time:
(eval-when-compile (require 'netrc))

Alongside these really interesting autoloads:
(autoload 'encrypt-find-model "encrypt")
(autoload 'encrypt-insert-file-contents "encrypt")

What _are_ these?
---

An experiment:

(require 'auth-source)
(require 'epa-file)
(epa-file-enable)
(setq epa-file-cache-passphrase-for-symmetric-encryption t) ;;VERY Important

(if (= gnus-verbose 7)
 "Fine fine."
 (setq gnus-verbose 7))

auth-sources
;=>((:source "~/.authinfo.gpg" :host t :protocol t))

auth-source-cache
;=>#<hash-table 'equal nil 6/65 0x2dbb600>

;;; imagine a more varied alist formatted with all 6(six) of my nice key->vals mapped out e.g.:
(stan-hash-get-symbol-keys auth-source-cache)
;=>("(login password) api.del.icio.us:443:https" 
   "(login password) api.del.icio.us:443:https"
   "(login password) api.del.icio.us:443:https" 
   "(login password) api.del.icio.us:443:https"
   "(login password) api.del.icio.us:443:https" 
   "(login password) api.del.icio.us:443:https")

(auth-source-forget-all-cached)
;=>#<hash-table 'equal nil 0/65 0x2f38d00>

(stan-hash-get-symbol-keys auth-source-cache)
;=>nil

(with-temp-file (expand-file-name "~/.my-authinfo.gpg")
(insert "machine api.del.icio.us:443 port https login my-del-icio-name password my-del-icio-pass"))

(setq auth-sources '((:source "~/.my-authinfo.gpg" :host t :protocol t)))
;=>((:source "~/.my-authinfo.gpg" :host t :protocol t))

auth-sources
;=>((:source "~/.my-authinfo.gpg" :host t :protocol t))

;;; With apologies to Thierry Volipatto's `anything-delicious.el'
;;; (URL `http://www.emacswiki.org/emacs/anything-delicious.el')
(defvar *show-my-anything-delicious-user* nil
 "Your Delicious login")
(defvar *show-my-anything-delicious-password* nil
 "Your Delicious password")

(defun delicious-authentify (path)
 "Authentify user from .my-authinfo.gpg file."
 (let ((anything-delicious-auth
        (auth-source-user-or-password  
         '("login" "password")
         "api.del.icio.us:443"
         "https")))
   (setq *show-my-anything-delicious-user*
         (car anything-delicious-auth))
   (setq *show-my-anything-delicious-password*
         (cadr anything-delicious-auth))))

(delicious-authentify "~/.my-authinfo.gpg")
;=> ;message to mini-buffer
;; Cool it got set.

;_AND_:

(= gnus-verbose 7)

(let ((this-buffer (current-buffer)))
  (with-temp-buffer
    (delicious-authentify "~/.my-authinfo.gpg"))
  (save-excursion
    (progn
      (switch-to-buffer (get-buffer "*Messages*"))
      (search-forward-regexp "*show-my-anything-delicious-password*"))
    (sit-for 3))
  (switch-to-buffer this-buffer))

;Good search-failed

(stan-hash-get-symbol-keys auth-source-cache)
;=>("(login password) api.del.icio.us:443:https")

auth-source-cache
;=>#<hash-table 'equal nil 1/65 0x2dbb600>

;; Now

(= gnus-verbose 7)
;=> t

(let ((this-buffer (current-buffer)))
  (with-temp-buffer
    (print (delicious-authentify "~/.my-authinfo.gpg")))
 (save-excursion
   (progn
     (switch-to-buffer (get-buffer "*Messages*"))
     (goto-char (point-max))
     (search-backward-regexp "*show-my-anything-delicious-password*" nil t))
   (sit-for 3))
 (switch-to-buffer this-buffer))

;GREAaaaat... I feel so dirty...
;*show-my-anything-delicious-password*
;*show-my-anything-delicious-user*
;delicious-authentify
;"my-del-icio-pass"

(defun show-gnus-sf (&optional thresh)
 "Evaluate two strings for their side-effects using `gnus-message'.
Find each string in the '*Messages*' buffer and come back to home.
When non-nil THRESH sets `gnus-verbose' to >= 9
Else sets gnus-verbose to default custom level 7 evaluates body.
Resets gnus-verbose to users default after snarfage."
 (let ((this-buffer)
       (vb))
   (setq vb gnus-verbose)
   (setq this-buffer (get-buffer (current-buffer)))
   (unwind-protect
       (let ((sf1 "my 1st sleeper Gnus-message")
             (sf2 "my 2nd sleeper Gnus-message")
             (vb  ?\t))
         (with-temp-buffer
           (cond (thresh
                  (setq gnus-verbose vb)
                  (gnus-message ?\b sf1)
                  (gnus-message ?\b sf2))
                 (t (gnus-message ?\a sf1)
                    (gnus-message ?\a sf2))))
         (pop-to-buffer (get-buffer "*Messages*") t)
         (progn
           (goto-char (point-max))
           (when (search-backward-regexp sf1 nil t)
             (message (format "Got %s at line %s in %s with GNUS-VERBOSE level @ %s"
                         sf1 (line-number-at-pos) (get-buffer (current-buffer)) vb)))
           (goto-char (point-max))
           (if (search-backward-regexp sf2 nil t)
               (message (format "Got %s at line %s in %s with GNUS-VERBOSE level @ %s"
                           sf2 (line-number-at-pos) (get-buffer (current-buffer)) vb))
             (format "Nothing to see here folks, move along."))
                (sit-for 1)))
     (setq gnus-verbose vb))
     (pop-to-buffer this-buffer)
     (format "Finished snarfing gnus-messages. GNUS-VERBOSE back @ level %d. Thank You." vb)))

(show-gnus-sf)
(show-gnus-sf t)
;=>Why are those sleeper gnus-messages are hanging around in *Messages*?

(= gnus-verbose 7)
;=>t 

(progn
(unintern 'delicious-authentify)
(unintern '*show-my-anything-delicious-user*)
(unintern  '*show-my-anything-delicious-password*)
(auth-source-forget-all-cached)
(setq auth-sources nil))

-
s_P
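
Added example, not part of the original post or of auth-source.el: one way to keep a retrieved credential out of *Messages* and to check for, and scrub, copies that already landed there. The `my-' function names and the sample secret are hypothetical; `message-log-max', `gnus-verbose' and `inhibit-read-only' are the standard Emacs variables.

```elisp
;; Added example; all `my-' names and the sample secret are hypothetical.
(defvar gnus-verbose)                   ; defined by gnus-util when loaded

(defmacro my-with-quiet-credentials (&rest body)
  "Evaluate BODY with echo-area logging to *Messages* disabled.
`gnus-verbose' is bound to 0 so `gnus-message' stays silent."
  `(let ((message-log-max nil)          ; nil turns message logging off
         (gnus-verbose 0))
     ,@body))

(defun my-secret-lines-in-messages (secret)
  "Return line numbers in *Messages* containing SECRET literally, or nil."
  (let ((buf (get-buffer "*Messages*"))
        (lines '()))
    (when buf
      (with-current-buffer buf
        (save-excursion
          (goto-char (point-min))
          ;; Literal search: a password may contain regexp metacharacters.
          (while (search-forward secret nil t)
            (push (line-number-at-pos) lines)
            (forward-line 1)))))
    (nreverse lines)))

(defun my-redact-secret-in-messages (secret)
  "Replace SECRET in *Messages* with a placeholder; return the hit count."
  (let ((buf (get-buffer "*Messages*"))
        (count 0))
    (when buf
      (with-current-buffer buf
        (let ((inhibit-read-only t))    ; *Messages* is read-only
          (save-excursion
            (goto-char (point-min))
            (while (search-forward secret nil t)
              (replace-match "[REDACTED]" t t)
              (setq count (1+ count)))))))
    count))

;; Constructed demonstration with a made-up secret.
(let ((secret "constructed-demo-pass"))
  (my-with-quiet-credentials
    (print secret))                     ; echoed, but not logged
  (message "Logged copies at lines: %S"
           (my-secret-lines-in-messages secret)))
```

The wrapper only stops logging; the value is still shown in the echo area while BODY runs, so the safer habit is not to `print' or `message' the return value at all.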



