TRAMP, auth-source and Secret Service API "label" prompt

[Gustavo Barros]

Hi All,

This is a follow-up report, from a discussion which started between 
Michael Albinus and me at Reddit (https://redd.it/l2dw9j).

The behavior I met, which I thought was somehow "normal" and was trying 
to disable, was that, whenever I tried to use TRAMP's sudo method (I 
haven't tested others), I was first prompted for a password, as 
expected, but after entering the password, I received a second prompt 
"Enter label for root@localhost (default root@localhost):". I just 
accepted the default, and the authentication succeeded. And this 
happened even though I have set `auth-source-save-behavior' to nil.

Well, Michael told me at Reddit this is not expected behavior, so I 
started playing with my settings in the area, and found the culprit to 
be my `auth-sources' setting, which was:

#+begin_src emacs-lisp
(setq auth-sources '(default
                    "secrets:session"
                    "secrets:Login"
                    "~/.authinfo.gpg"))
#+end_src

Being `auth-source-save-behavior' and `auth-sources' the only options 
from `auth-source.el' which I (knowingly, deliberately) configure in my 
init file.  That setting for `auth-sources' is literally given as 
example in (info "(auth) Secret Service API").

It turns out that, if a source which is not from the Secret Service API 
(`secrets.el') has the highest priority there, the prompt is gone.  So I 
went with:

#+begin_src emacs-lisp
(setq auth-sources '("~/.authinfo.gpg"
                    default
                    "secrets:session"
                    "secrets:Login"))
#+end_src

Michael found it strange, as I did, and suggested this should probably 
be reported to `report-emacs-bug'.  So I tried to generate a 
reproduction recipe starting from `emacs -Q' which, unfortunately, I 
could not.  There is some interaction with something in my init which I 
could not pin down.

Nevertheless, this bothered me now, so I tried to understand why this 
was happening.  I started following the code trail.  The prompt itself 
is from `auth-source-secrets-create' (in `auth-source.el'), and going up 
from there I eventually came to `auth-source-search' which is called by 
`tramp-read-passwd' in the following manner:

#+begin_src emacs-lisp
(auth-source-search
:max 1
(and user :user)
(if domain
    (concat
     user tramp-prefix-domain-format domain)
  user)
:host
(if port
    (concat
     host tramp-prefix-port-format port)
  host)
:port method
:require (cons :secret (and user '(:user)))
:create t)
#+end_src

And, indeed, `tramp-read-passwd' is asking auth-source to create a new 
entry if one does not exist with `:create t'.

What particularly bothered me in this prompt was the fact of being 
prompted for a "label" to save a password which was never meant to be 
saved in the first place, since I set `auth-source-save-behavior' to 
nil.  And it appears "create" and "save" are indeed two separate 
operations for `auth-source', the docstring for `auth-source-search' 
implies that in: "The token can hold a :save-function key.  If you call 
that, the user will be prompted to save the data to the backend.  You 
can't request that this should happen right after creation, because 
`auth-source-search' has no way of knowing if the token is actually 
useful.  So the caller must arrange to call this function."

My first thought was thus to condition directly to 
`auth-source-save-behavior', and I've suggested Michael at Reddit it 
might be interesting to use `:create (if auth-source-save-behavior t)', 
so that `tramp-read-passwd' never tried to create the `auth-source' 
entry if none was found, and none was meant to be saved.

I did test this, and it does work, in the sense that when 
`auth-source-save-behavior' is set to nil, regardless of the order of 
the sources in `auth-sources', that prompt does not occur.

But, since then I had what I regard a better idea: why not provide the 
label?  This is pretty much standard behavior for applications which 
store passwords in the Login keyring.  And it is not specially 
complicated, as the label must exist, but does not have to be unique. 
The docstring for `secrets-create-item' states this explicitly: "The 
label ITEM does not have to be unique in COLLECTION."

So, `tramp-read-passwd' could go with something like:

#+begin_src emacs-lisp
:label (concat "Tramp password"
              (when (or user host) " for ")
              (when user (format "%s" user))
              (when host (format "@%s" host)))
#+end_src

keeping the current value of `:create t'.

That would automatically generate a label "Tramp password for 
root@localhost" for the case at hand.  I've tested this, and the prompt 
is gone for all cases, regardless of the order of entries in 
`auth-sources'.  When `auth-source-save-behavior' is nil, it works as 
expected (no prompt).  And there is a change in behavior when 
`auth-source-save-behavior' is non-nil, the prompt is also gone, and the 
password is saved according to the relevant settings with that label 
(and answer in case of 'ask).

A couple of caveats.  First, I really don't know well `auth-sources.el' 
and just tried to figure out what was happening in this case.  As far as 
I understand the `:label' key will just be ignored by other backends of 
`auth-source' where it is not meaningful.  But someone more acquainted 
with `auth-source' should probably judge.  Second, I'm not sure that 
particular label I suggested is general enough to cover all relevant 
TRAMP methods, some further polishing there by someone more experienced 
in the ways of TRAMP might be needed.

And, well, third, I understand, of course, that the fact I could not 
generate a clean reproduction recipe with `emacs -Q' does beg the 
question of whether any change is granted at all, because we really 
don't know how relevant the "issue" is.  So, feel free to disregard the 
suggestion.

Still, I hope this is somehow useful.

Best regards,
Gustavo.

PS: Please keep me CC's, as I'm not subscribed to the list.