bug#67937: 30.0.50; auth-source-pass relies on epa-file being enabled

[Arsen Arsenović]

Eli Zaretskii <eliz@gnu.org> writes:

> Thanks.  So it sounds like you are asking for a feature that currently
> doesn't exist, AFAIU.

I'm not sure I'd classify it as a new feature.  An existing interface is
broken under some conditions.

> I added a couple of people to this discussion who were involved with
> auth-source-pass, in the hope that they will have suggestions and
> comments.

Thank you.

Now, onto why I don't think this is a new feature:

Here's an example auth-source-search invocation that can demonstrate the
problem (assuming that the user has these a dev.gentoo.org secret on
port imaps with user arsen):

  (auth-info-password (car (auth-source-search :host "dev.gentoo.org"
                                               :port "imaps"
                                               :user "arsen")))

Following M-x epa-file-disable RET M-x auth-source-forget-all-cached RET
the above returns an encrypted string rather than its actual password.

This means that a current feature (auth-source-search) breaks under some
conditions.

I've worked out a fix, tested with the following:

  (require 'auth-source-pass)
  (setq auth-sources '(password-store))
  (auth-info-password (car (auth-source-search :host "dev.gentoo.org"
                                               :port "imaps"
                                               :user "arsen")))

I've attached the patch, though it lacks a regression test.  The reason
for this is that I want to spare the auth-source-pass developers some
triage, and that there's currently no regression tests for --read-entry.

From 43e98821aa1f02abbfeea8b0b08ec6f4e31d8e9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arsen=20Arsenovi=C4=87?= <arsen@aarsen.me>
Date: Thu, 21 Dec 2023 12:29:55 +0100
Subject: [PATCH] auth-source-pass: don't rely on epa-file (bug#67937)

* lisp/auth-source-pass.el (epg): Require epg.
(auth-source-pass--read-entry): Use epg-decrypt-file instead of relying
on epa-file decrypting files read via insert-file-contents.
---
 lisp/auth-source-pass.el | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lisp/auth-source-pass.el b/lisp/auth-source-pass.el
index 0f51755a250..0322de9f313 100644
--- a/lisp/auth-source-pass.el
+++ b/lisp/auth-source-pass.el
@@ -34,6 +34,7 @@
 (require 'cl-lib)
 (require 'auth-source)
 (require 'url-parse)
+(require 'epg)
 ;; Use `eval-when-compile' after the other `require's to avoid spurious
 ;; "might not be defined at runtime" warnings.
 (eval-when-compile (require 'subr-x))
@@ -194,11 +195,11 @@ auth-source-pass--get-attr
 
 (defun auth-source-pass--read-entry (entry)
   "Return a string with the file content of ENTRY."
-  (with-temp-buffer
-    (insert-file-contents (expand-file-name
-                           (format "%s.gpg" entry)
-                           auth-source-pass-filename))
-    (buffer-substring-no-properties (point-min) (point-max))))
+  (let ((context (epg-make-context 'OpenPGP))
+       (file (expand-file-name
+              (format "%s.gpg" entry)
+              auth-source-pass-filename)))
+    (epg-decrypt-file context file nil)))
 
 (defun auth-source-pass-parse-entry (entry)
   "Return an alist of the data associated with ENTRY.
-- 
2.43.0

Have a lovely day!
--
Arsen Arsenović

signature.asc
Description: PGP signature